Tracker: dashboard mock-data audit (2026-05-23) — 21 atomic gaps

[thinmintdev]

This meta-tracker lists every dashboard surface that renders hardcoded / synthetic / mock data found during a read-only audit of ui/src/ on 2026-05-23.

Mocks deliberately tracked under useMock.js's MOCK_ALLOWLIST (per docs/dev/web-ui-mocks.md) are already covered by #166 + #142 / #145 / #146 / #180 and are NOT in this tracker. The issues below cover INLINE hardcodes, fallback substitutions outside the allowlist, optimistic-stub mutations, and "preview" defaults that render in production.

Dashboard

• dashboard: ChatEmpty prompt chips hardcoded #213 dashboard: ChatEmpty prompt chips hardcoded
• dashboard: post-install hero hardcodes "hal0-Pro" bundle name #214 dashboard: post-install hero hardcodes "hal0-Pro" bundle name

Slots

• slots: NPU panel hardcoded copy (FLM version/args + "~2 GB" / "~14s swap") #215 slots: NPU panel hardcoded copy (FLM version/args + "~2 GB" / "~14s swap")
• slots: Create-Slot modal hardcodes type + device enums #216 slots: Create-Slot modal hardcodes type + device enums

Models / Backends

• models: per-model recipe never fetched from /api/models/{id} #217 models: per-model recipe never fetched from /api/models/{id}
• models: AddByHF variants fall back to hardcoded MOCK_VARIANTS without allowlist entry #218 models: AddByHF variants fall back to hardcoded MOCK_VARIANTS without allowlist entry
• backends: install/uninstall actions are fire-and-forget (no SSE progress) #219 backends: install/uninstall actions are fire-and-forget (no SSE progress)
• models: namespace ('blessed' vs 'pulled') derivation contract undefined #220 models: namespace ('blessed' vs 'pulled') derivation contract undefined

Footer / Hardware / Logs

• footer: queued chip hardcoded to 0 + NPU coresident derived from heuristic #221 footer: queued chip hardcoded to 0 + NPU coresident derived from heuristic

MCP

• mcp: live tool-call stream is client-side synthetic (Math.random tick) #222 mcp: live tool-call stream is client-side synthetic (Math.random tick)
• mcp: install action injects optimistic synthetic row (progress=5, no real tracking) #223 mcp: install action injects optimistic synthetic row (no real tracking)
• mcp: install-from-URL drawer renders a hardcoded "mcp-things" placeholder card #224 mcp: install-from-URL drawer renders hardcoded "mcp-things" placeholder card
• mcp: LogsDrawer renders 10 canned sample lines, not real supervisor logs #225 mcp: LogsDrawer renders 10 canned sample lines, not real supervisor logs

Agent

• agent: PersonaEditModal hardcodes TONES + TOOLS enums client-side #226 agent: PersonaEditModal hardcodes TONES + TOOLS enums client-side
• agent: Skills tab is a hardcoded 10-row table inline in Agent.vue #227 agent: Skills tab is a hardcoded 10-row table inline in Agent.vue
• agent: Memory tab hardcodes "2,847 records · 184 MB" + per-backend tiles #228 agent: Memory tab hardcodes "2,847 records · 184 MB" + per-backend tiles

Settings

• settings: allowed-origins (CORS) form has no save endpoint #229 settings: allowed-origins (CORS) form has no save endpoint
• settings: token rotation falls back to crypto.randomUUID() on demo boxes #230 settings: token rotation falls back to crypto.randomUUID() on demo boxes
• settings: OmniRouter table /api/omni-tools fallback to MOCK_OMNI_TOOLS #231 settings: OmniRouter table /api/omni-tools fallback to MOCK_OMNI_TOOLS
• settings: Memory section hardcodes namespace stats and exports stub blob #232 settings: Memory section hardcodes namespace stats and exports stub blob
• settings: Updates section hardcodes version defaults + soft-fails channel toggle #233 settings: Updates section hardcodes version defaults + soft-fails channel toggle

Related umbrellas (NOT duplicated here)

• Dashboard v2 — mock harness for absent endpoints #166 mock harness (allowlist tracking)
• v0.2: Multi-modal slots — embed, rerank, ASR, TTS, img via Lemonade #142 multi-modal slots / v0.2: Metrics aggregator polling /v1/stats + /v1/health #145 metrics aggregator / v0.2: FLM/NPU install path with libxrt-npu2 prereq #146 FLM-NPU install
• Dashboard v2 — Dashboard / view (chat + snapshot + persona) #169 Dashboard / Dashboard v2 — Slots /slots view (cards + NPU trio + create/edit/swap) #170 Slots / Dashboard v2 — Models /models view (3-pane catalog + downloads) #171 Models / Dashboard v2 — Settings /settings (8 sections + guardrails) #173 Settings / Dashboard v2 — Extras (Hardware/Backends/Logs/Agent) #174 Extras / Dashboard v2 — MCP Servers page (/agents/mcp) — v0.3 carry-in #180 MCP page
• v3: wire MCP page (/agents/mcp) to real backend #206 wire MCP page to real backend / v3: wire Agent view (/agent) to real backend #207 wire Agent view to real backend
• First-run wizard: persist HF token via /api/secrets endpoint #78 First-run HF token via /api/secrets

Hardware view, Logs view, LemonadeJournalPanel, Footer (journal pane), AgentApprovalBell/Inbox, model-pull SSE, and the bare /api/capabilities poll are all live-backed and have no gaps to file.

Methodology: 6 parallel Explore sub-agents — Dashboard/Slots/Models+Backends/Hardware+Logs/MCP+Agent/Settings+FirstRun — each briefed against the documented mock layer + already-open issues. Each finding was verified by cite-and-grep against the working tree before filing.

[thinmintdev]

v3 React triage — 2026-05-23

Cross-referenced #213–#233 against the v3 React tree (feat/dash-v3-react / deployed branch fix/v3-defensive-replace). The v3 rewrite (PRs #205/#208/#209) replaced the Vue codebase but dropped in the same prototype JSX, so most hardcodes carried over verbatim.

STILL APPLIES — verbatim hardcode survived in v3

#	Where in v3	Note
#214	ui/src/dash/primitives.jsx:330	banner catalog: 'You currently have hal0-Pro installed'
#215	ui/src/dash/slots.jsx:204,206,283,287	'~2 GB NPU memory' + '~14s swap penalty' inline
#222	ui/src/dash/mcp.jsx:11,38,44	useLiveCallStream uses Math.random() for ticks
#224	ui/src/dash/mcp-modals.jsx:103-143	'mcp-things' / 'npm:@some-org/mcp-things' placeholder
#226	ui/src/dash/flow-modals.jsx:174-220	PersonaEditModal tone enum + system-prompt default
#227	ui/src/dash/extras.jsx:685	AgentSkills() inline hardcoded table
#228	ui/src/dash/extras.jsx:531,533,741,742	'2,847 records · 184 MB' string baked in
#231	ui/src/dash/settings.jsx:359	OmniRouter section — tool list still inline
#233	ui/src/dash/settings.jsx:196-202	hardcoded fallback hal0: v0.2.1, lemonade: v10.6.0 when backend absent

PARTIALLY APPLIES — hook wired, data source still stub

#	Where	Status
#213	dashboard.jsx:300 ChatEmpty	component wired to hooks; prompt chip list likely still inline (didn't grep deep)
#217	models.jsx:37	still HAL0_DATA.recipe[selId] — bypasses any useModels recipe fetch
#221	chrome.jsx:280	L.queued reads from useLemondRollup ✓ — but real /v1/stats doesn't expose queued, so still 0 in practice
#229	settings.jsx:9	imports useAllowedOrigins ✓ — backend endpoint still missing (same underlying gap)

OBSOLETE / RESOLVED in v3

#	Reason
#218	MOCK_VARIANTS not present in v3 model-modals.jsx — likely fixed during the JSX drop-in
#223	optimistic progress: 5 row pattern not present in v3 mcp.jsx
#225	SAMPLE_LOGS constant pattern not visible in v3 mcp-modals.jsx LogsDrawer (verify)
#230	Token rotation crypto.randomUUID() fabrication NOT found in v3. useAuthTokenRotate hook owns it now — fabrication was Vue-store-specific. Also: the deployed LXC has /api/auth/disable'd auth entirely; planned removal of auth wholesale (see /tmp/hal0-handoffs/2026-05-23-remove-caddy-auth.md) supersedes this.
#232	export blob stub pattern not found in v3 settings.jsx Memory section

NEEDS DEEPER VERIFICATION

• dashboard: ChatEmpty prompt chips hardcoded #213 ChatEmpty prompt chips — grep didn't surface chip array; spot-read ChatEmpty body
• slots: Create-Slot modal hardcodes type + device enums #216 Create-Slot enums — type === 'llm' exists but TYPES/DEVICES arrays not surfaced
• backends: install/uninstall actions are fire-and-forget (no SSE progress) #219 backends install — BackendInstall/Uninstall modals exist, fire-toast pattern suggests fire-and-forget persists
• models: namespace ('blessed' vs 'pulled') derivation contract undefined #220 namespace derivation — not checked

Live-backed claims to re-verify in v3

The handoff lists 7 surfaces as 'live-backed' in v2 Vue. In v3 React, the wiring path differs:

• Hardware view, Logs view, LemonadeJournalPanel — all rewritten; hooks need re-audit
• AgentApprovalBell + Inbox — uses useAgent.ts (deferred per Phase B1 scope), so they may now be MORE mocked than before, not less
• Model pull usePullJob — kept the SSE pattern in v3 hooks ✓ (live-backed retained)

Recommended next actions

1. Skip settings: token rotation falls back to crypto.randomUUID() on demo boxes #230 — auth removal will delete the entire surface; track as 'will-be-deleted' not 'will-be-fixed'
2. Resolve obsolete issues (models: AddByHF variants fall back to hardcoded MOCK_VARIANTS without allowlist entry #218, mcp: install action injects optimistic synthetic row (progress=5, no real tracking) #223, settings: Memory section hardcodes namespace stats and exports stub blob #232) with 'resolved-in-v3' comment after spot-checking
3. Re-scope partial issues (dashboard: ChatEmpty prompt chips hardcoded #213, models: per-model recipe never fetched from /api/models/{id} #217, footer: queued chip hardcoded to 0 + NPU coresident derived from heuristic #221, settings: allowed-origins (CORS) form has no save endpoint #229) to point at v3 file paths
4. Prioritize v0.2.x quick wins per original handoff: footer: queued chip hardcoded to 0 + NPU coresident derived from heuristic #221 (footer chips) → small atomic v3 fix
5. MCP cluster (mcp: live tool-call stream is client-side synthetic (Math.random tick) #222, mcp: install-from-URL drawer renders a hardcoded "mcp-things" placeholder card #224) rolls into v3: wire MCP page (/agents/mcp) to real backend #206 v3 wiring follow-up; agent cluster (agent: PersonaEditModal hardcodes TONES + TOOLS enums client-side #226, agent: Skills tab is a hardcoded 10-row table inline in Agent.vue #227, agent: Memory tab hardcodes "2,847 records · 184 MB" + per-backend tiles #228) into v3: wire Agent view (/agent) to real backend #207

The audit's value is preserved — the hardcodes mostly migrated 1:1 because the React rewrite dropped in the same prototype JSX.

[thinmintdev]

Triage execution complete. Closed obsolete (#218 #223 #225 #230 #232). Re-pointed partials (#213 #217 #221 #229) at v3 file paths. Cross-linked MCP cluster (#222 #224) into #206 and agent cluster (#226 #227 #228) into #207. Remaining open: #213 #214 #215 #216 #217 #219 #220 #221 #229 #231 #233 (11 of 21). Next sprint quick-wins: #221 (footer chips — clean atomic), #214 (banner copy), #215 (NPU panel copy).

[thinmintdev]

Mock-data → React component mapping (audit 2026-05-23).

Punch-list mapping every gap to file:line, component, hardcoded grep target, and required data source so an implementer can jump straight to the code.

Full mapping

#	Panel	Gap (one-line)	Component file	Component name	Hardcoded value to grep	Data source to wire
213	Dashboard	ChatEmpty prompt chips hardcoded	`ui/src/dash/dashboard.jsx:302-308`	`ChatEmpty`	`"Refactor a file in this repo"`	`/api/dashboard/suggestions` or config-driven
214	Dashboard	post-install hero hardcodes "hal0-Pro"	`ui/src/dash/firstrun.jsx:272`	`InstallProgress`	`Installing hal0-Pro…`	`/api/firstrun/bundle-name`
215	Slots	NPU panel copy hardcoded	`ui/src/dash/slots.jsx:204-208,237`	`NpuPanel`, `NpuReactor`	`"~2 GB"`, `"~14s"`, `FLMv0.9.42`, `--asr 1 --embed 1`	`/api/slots/npu-config` or `/api/flm/status`
216	Slots	Create-Slot type/device enums hardcoded	`ui/src/dash/slot-modals.jsx:90-107`	`CreateSlotModal`	``	`/api/slots/schema`
217	Models	per-model recipe never fetched	`ui/src/dash/models.jsx:55-62,86-104`	`ModelDetail`	TODO comment	`/api/models/{id}` + `PATCH /api/models/{id}/recipe`
218	Models	AddByHF variants fall back to hardcoded list	`ui/src/dash/model-modals.jsx:24-30`	`AddByHFModal`	`{ id: "Q4_K_M", size: "4.9 GB" }`	`/api/models/manifest?repo=<HF_ID>`
219	Backends	install/uninstall fire-and-forget	`ui/src/dash/flow-modals.jsx`, `ui/src/stores/backends.js`	`BackendInstallModal`	POST/DELETE handlers	`/api/backends/{id}/install/stream` (SSE)
220	Models	namespace 'blessed' vs 'pulled' undefined contract	`ui/src/dash/models.jsx` (group-by)	Models view	`ns: 'blessed' | 'pulled'`	needs ADR or schema endpoint
221	Footer	queued chip hardcoded to 0 + NPU heuristic	`ui/src/dash/dashboard.jsx` (footer)	Footer/chrome	`"queued"` chip	`/api/jobs/queue` or SSE — Lemonade #251
222	MCP	live call stream is `Math.random` tick	`ui/src/dash/mcp.jsx:29-62`	`useLiveCallStream`	`Math.random() < p`, `setInterval(tick, 500)`	`/api/mcp/stream` (WS/SSE)
223	MCP	install action injects synthetic optimistic row	`ui/src/dash/mcp.jsx:493-496`	MCP install handler	`window.__hal0Toast` after Install	`/api/mcp/servers` poll
224	MCP	install-from-URL drawer placeholder	`ui/src/dash/mcp-modals.jsx:128-145`	`InstallFromUrl`	`"mcp-things"`, `"v0.1.0"`	`/api/mcp/manifest?url=`
225	MCP	LogsDrawer renders 10 canned sample lines	`ui/src/dash/extras.jsx:249-266`	`LogsView`	`demoLines` array	`/api/logs/stream` (SSE) + `/api/logs/historical`
226	Agent	PersonaEditModal TONES + TOOLS enums hardcoded	`ui/src/dash/flow-modals.jsx:237-243,271`	`PersonaEditModal`	``	`/api/personas/schema` (ADR-0013 surface)
227	Agent	Skills tab hardcoded 10-row table	`ui/src/dash/extras.jsx:686-699`	`AgentSkills`	`{ name: "read_file", calls: 247 }`	`/api/agents/{name}/skills`
228	Agent	Memory tab hardcodes "2,847 records · 184 MB"	`ui/src/dash/extras.jsx:741-756`, `ui/src/dash/settings.jsx:443`	`AgentMemory`, `MemorySection`	`2,847`, `184 MB`, per-backend tile counts	`/api/agents/{name}/memory/stats` (ADR-0012 surface)
229	Settings	allowed-origins (CORS) no save endpoint	`ui/src/dash/settings.jsx:117-121`	`AuthSection`	toast `"Allowed-origins editor — stub"`	`/api/auth/origins` (auth-rework boundary)
230	Settings	token rotation falls back to `crypto.randomUUID()`	`ui/src/dash/settings.jsx:125-138`	`AuthSection` (RotateToken)	`rotate.mutate()`	`/api/auth/token/rotate` (auth-rework boundary)
231	Settings	OmniRouter table mock fallback	`ui/src/dash/settings.jsx:359-391`	`OmniRouterSection`	`HAL0_DATA.omnirouter.map(...)`	`/api/omni-tools`
232	Settings	Memory namespace stats hardcoded + export stub	`ui/src/dash/settings.jsx:441-445`	`MemorySection`	`"2,847"`, `"184 MB"`, `"shared (default)"`	`/api/cognee/stats`
233	Settings	Updates section hardcodes version defaults	`ui/src/dash/settings.jsx:200-205`	`UpdatesSection`	`{ hal0: { current: 'v0.2.1', available: 'v0.2.2' } }`	`useUpdateState()` partially wired; complete fallback removal

Wire-up readiness

Ready (data source exists or trivial):

• settings: OmniRouter table /api/omni-tools fallback to MOCK_OMNI_TOOLS #231 OmniRouter
• agent: Skills tab is a hardcoded 10-row table inline in Agent.vue #227 Skills
• settings: Updates section hardcodes version defaults + soft-fails channel toggle #233 Updates (mostly wired — kill the fallback)

Waiting on auth-rework session (in-flight ADR-0001 child PRs):

• settings: allowed-origins (CORS) form has no save endpoint #229 allowed-origins
• settings: token rotation falls back to crypto.randomUUID() on demo boxes #230 token rotation

Waiting on the new ADRs:

• agent: Memory tab hardcodes "2,847 records · 184 MB" + per-backend tiles #228 Memory tab — gated on ADR-0012 (ADR-0014: backend — [memory.graph] schema + graph_enabled wiring + Cognee version verify #257 backend, ADR-0014: dashboard Memory tab — graph-extraction toggle + route picker + disclosure #259 dashboard)
• agent: PersonaEditModal hardcodes TONES + TOOLS enums client-side #226 Personas — gated on ADR-0013 (ADR-0013: backend — AgentConfig/MCPServerConfig/ToolPolicy schemas + mcp_client.py runtime #261 backend, ADR-0013: dashboard — /agents/mcp per-agent view (read-only alpha; editable stable) #263 dashboard)

Waiting on new backend endpoints (bulk):

• dashboard: ChatEmpty prompt chips hardcoded #213, dashboard: post-install hero hardcodes "hal0-Pro" bundle name #214, slots: NPU panel hardcoded copy (FLM version/args + "~2 GB" / "~14s swap") #215, models: per-model recipe never fetched from /api/models/{id} #217, models: AddByHF variants fall back to hardcoded MOCK_VARIANTS without allowlist entry #218, backends: install/uninstall actions are fire-and-forget (no SSE progress) #219, footer: queued chip hardcoded to 0 + NPU coresident derived from heuristic #221, mcp: live tool-call stream is client-side synthetic (Math.random tick) #222, mcp: install action injects optimistic synthetic row (progress=5, no real tracking) #223, mcp: install-from-URL drawer renders a hardcoded "mcp-things" placeholder card #224, mcp: LogsDrawer renders 10 canned sample lines, not real supervisor logs #225, settings: Memory section hardcodes namespace stats and exports stub blob #232

Contract gap surfaced:

• models: namespace ('blessed' vs 'pulled') derivation contract undefined #220 (models namespace `blessed` vs `pulled`) has no ADR or schema spec. Needs a decision before wire-up.

Suggested merge order

1. Ready group (data sources exist): settings: OmniRouter table /api/omni-tools fallback to MOCK_OMNI_TOOLS #231, agent: Skills tab is a hardcoded 10-row table inline in Agent.vue #227, settings: Updates section hardcodes version defaults + soft-fails channel toggle #233
2. Auth boundary (after ADR-0001 close-out): settings: allowed-origins (CORS) form has no save endpoint #229, settings: token rotation falls back to crypto.randomUUID() on demo boxes #230
3. Backend endpoints (parallelisable after auth lands): dashboard: ChatEmpty prompt chips hardcoded #213, dashboard: post-install hero hardcodes "hal0-Pro" bundle name #214, slots: NPU panel hardcoded copy (FLM version/args + "~2 GB" / "~14s swap") #215, models: per-model recipe never fetched from /api/models/{id} #217, models: AddByHF variants fall back to hardcoded MOCK_VARIANTS without allowlist entry #218, footer: queued chip hardcoded to 0 + NPU coresident derived from heuristic #221, mcp: install-from-URL drawer renders a hardcoded "mcp-things" placeholder card #224, settings: Memory section hardcodes namespace stats and exports stub blob #232
4. SSE / WS infrastructure (long-running streams): backends: install/uninstall actions are fire-and-forget (no SSE progress) #219, mcp: live tool-call stream is client-side synthetic (Math.random tick) #222, mcp: install action injects optimistic synthetic row (progress=5, no real tracking) #223, mcp: LogsDrawer renders 10 canned sample lines, not real supervisor logs #225
5. Schema-driven: slots: Create-Slot modal hardcodes type + device enums #216, agent: PersonaEditModal hardcodes TONES + TOOLS enums client-side #226 (gated on ADR-0013)
6. ADR-gated memory: agent: Memory tab hardcodes "2,847 records · 184 MB" + per-backend tiles #228 (gated on ADR-0012)
7. Contract decision needed first: models: namespace ('blessed' vs 'pulled') derivation contract undefined #220