Can you build a page?

Can you design a frontend system whose state, data, rendering, interaction, failure, performance, security, accessibility, and operability remain coherent under real-world pressure?

This dashboard is dynamic and user-specific, but the shell and navigation can be server-rendered.
Metrics panels stream independently behind stable Suspense boundaries.
Filters live in URL state because users share dashboard views.
Chart rendering is client-only and virtualized where needed.
The application cache is keyed by tenant, user role, date range, and metric definition version.
Permission changes invalidate navigation and metric access.
Web Vitals, panel latency, backend dependency latency, and cache hit/miss are observed per route.

# Frontend System Design

## Product goal
- Who uses it?
- What decision/task does it support?
- What is unacceptable failure?

## Constraints
- Performance:
- Accessibility:
- Security:
- Browser/device:
- Network:
- Compliance:
- Team/maintenance:

## State model
- Source state:
- Derived state:
- Local state:
- URL state:
- Server/cache state:
- Workflow state:
- Persistence:

## Rendering model
- Route type:
- Server/client split:
- Streaming/hydration strategy:
- Critical UI path:

## Data model
- Data sources:
- Fetch graph:
- Cache keys:
- Invalidation:
- Consistency model:

## Interaction model
- Main user journeys:
- Keyboard/focus:
- Forms:
- Optimistic UI:
- Race conditions:

## Reliability model
- Loading states:
- Error boundaries:
- Retry/recovery:
- Offline/slow network:
- Data loss prevention:

## Security model
- Auth/authz:
- Sensitive data:
- Cache safety:
- Input handling:
- Third-party risk:

## Observability
- Metrics:
- Logs:
- Traces:
- User impact:
- Debug artifacts:

## Testing
- Unit:
- Integration:
- E2E:
- Accessibility:
- Performance:
- Security:

multiple metric cards
interactive charts
date range filters
tenant-specific data
role-based metric visibility
shareable dashboard URLs
slow analytics backend
export to CSV/PDF
mobile read-only mode
near-real-time refresh for some metrics

numbers must be trustworthy
users compare screenshots in meetings
filters must be reproducible
permission leaks are high severity
backend queries can be expensive
dashboards often become performance bottlenecks

A user must never see a metric they are not authorized to see.
A shared URL must reproduce the same filter state subject to current permissions.
A chart must indicate whether data is fresh, stale, partial, or failed.
A slow metric must not block the entire dashboard shell.
A filter change must not mix old and new metric results silently.

Authenticated dynamic shell.
Independent metric panels stream.
Charts hydrate only interactive portions.
Filters are client-interactive but URL-backed.

metric:{metricId}:tenant:{tenantId}:role:{roleHash}:range:{from}-{to}:grain:{grain}:definition:{metricDefinitionVersion}

Updated 2 minutes ago
Data delayed by 15 minutes
Partial data: 2 sources unavailable
Export uses data as of 10:30

filter state is canonicalized before URL update
invalid date ranges are rejected or normalized
old metric result is not displayed as if it matches new filters
pending state is visible
keyboard users can operate filter controls

unit: filter parser, cache key builder, metric view model
integration: panel loading/error/freshness states
contract: analytics API response shape and freshness metadata
E2E: share URL -> same filters -> authorized metrics only
accessibility: keyboard filters, chart summaries, focus after navigation
performance: chart render under large data, INP during filter change
security: role/tenant cache isolation test

case lifecycle states
role-based actions
task queues
case detail pages
document upload/review
comments and internal notes
assignment/escalation
audit trail
SLA timers
bulk operations
high compliance sensitivity

A transition visible in the UI must also be authorized and valid on the server.
A case view must reflect the user's current permission scope.
Draft form data must not be silently lost.
Audit-relevant user actions must be captured server-side.
Bulk operations must make partial success/failure explicit.
SLA and escalation indicators must use a consistent time source.

Queue can be server-rendered with URL filters and client table interactivity.
Case detail shell is server-rendered for permission correctness.
Action forms are client islands backed by server mutations.
Audit timeline can stream or paginate.

Button appears because status === 'Investigation'.

Button appears because server policy says current user may perform transition X for case version Y.

type TransitionRequest = {
  caseId: string
  expectedVersion: number
  transition: 'request-info' | 'escalate' | 'approve-action'
  reason: string
  evidenceIds?: string[]
}

Reviewer A opens case at version 12.
Reviewer B escalates case to LegalReview, version 13.
Reviewer A attempts to reject using version 12.
Server rejects with conflict.
UI must reload and explain the case changed.

show conflict message
show what changed if available
preserve user's draft reason
reload allowed transitions
avoid duplicate side effects

20 cases selected
15 transitioned successfully
3 skipped due to permission
2 failed due to version conflict

type BulkResult = {
  total: number
  succeeded: CaseResult[]
  skipped: CaseResult[]
  failed: CaseResult[]
}

Bulk operation failed.

user action correlation ID -> server transition -> audit entry -> notification -> UI refresh

keyboard navigation for queues and case actions
clear focus after modal open/close
screen-reader accessible status changes
error summaries for long forms
semantic headings for case sections
table headers and sorting controls
visible focus indicators
no color-only SLA severity

unit: transition view model, permission mapping, SLA formatting
integration: action modal conflict handling, draft preservation
contract: workflow API allowed transitions and version conflict shape
E2E: assign -> investigate -> escalate -> audit visible
accessibility: modal focus trap, table keyboard navigation, error summary
security: unauthorized transition rejected server-side
performance: task queue virtualization with large result set

multiple users editing same document
presence indicators
comments
autosave
offline/poor network tolerance
conflict resolution
version history
large documents
keyboard-heavy interaction
low-latency typing

Typing must remain responsive under network variance.
Local edits must not disappear silently.
Remote edits must merge according to a defined model.
Document history must be recoverable.
Presence must be eventually correct but not treated as durable truth.
Autosave state must be visible.
Keyboard behavior must be predictable.

Mostly client-heavy interactive app.
Initial shell can be server-rendered.
Editor runtime is client-owned.
Expensive parsing/diffing can move to worker.

local edit applies synchronously
network send is asynchronous
ack updates save state, not typed content
heavy serialization/diffing moves off main thread
remote operations batch when safe
selection updates are throttled
presence does not block editing

Saved
Unsaved changes
Saving...
Offline - changes stored locally
Save failed - retrying
Conflict detected

unit: operation transform/merge, selection mapping, autosave state machine
property tests: random operation sequences preserve document invariants
integration: offline edit -> reconnect -> merge
E2E: two browser contexts editing same document
performance: typing latency under large document
accessibility: keyboard shortcuts, focus, screen reader labels
reliability: websocket reconnect/backoff/outbox replay

SEO-sensitive product/category pages
fast LCP
faceted search
cart drawer
checkout flow
localized currency/content
inventory and price changes
promotions
payment integration
analytics
high traffic spikes

Public content must load fast.
Price shown at checkout must be authoritative.
Inventory state must be clearly communicated.
Cart mutations must be idempotent.
Payment-sensitive flows must not leak secrets.
Analytics must not block purchase.
Localized price/content must be correct.

Do not let dynamic private data make the whole route slow if it can be isolated.

payment authorization failure
inventory changed
price changed
address invalid
session expired
network retry
duplicate submit
browser back button

type AddToCartRequest = {
  productId: string
  variantId: string
  quantity: number
  idempotencyKey: string
}

server validates cart
server validates price
server validates inventory
server validates payment session
server creates order once
server emits audit/order events

LCP of product/category pages
INP for filters/cart interaction
CLS from images/promos/fonts
search response latency
checkout input responsiveness
third-party script cost
analytics/payment provider loading

unit: price formatting, cart reducer, checkout state machine
integration: inventory changed during checkout, promo invalidation
E2E: browse -> add to cart -> checkout -> confirmation
performance: product LCP, filter INP, script budget
security: no public cache for cart/checkout, token handling
accessibility: forms, errors, keyboard, payment iframe integration
observability: conversion funnel errors, payment failure categories

search users/orders/cases
view/edit records
bulk actions
audit trail
role-based permissions
complex tables
filters
saved views
dangerous actions
high data density

Dangerous actions must require explicit confirmation and authorization.
Every privileged mutation must be auditable.
Search/filter state should be shareable and reproducible.
Bulk changes must show partial results.
PII exposure must follow role and purpose.
Tables must remain usable with keyboard and screen readers.

Authenticated dynamic shell.
Search result table may be server-driven or client-enhanced.
Bulk operations are mutation flows with explicit partial results.

/users?query=alice&status=active&role=reviewer&page=3&sort=createdAt.desc

type UserSearchParams = {
  query: string
  status: 'active' | 'disabled' | 'locked' | null
  role: string | null
  page: number
  sort: 'createdAt.desc' | 'createdAt.asc' | 'name.asc'
}

1. User opens action menu.
2. UI checks permission hint.
3. User opens confirmation modal.
4. Modal explains consequence.
5. User types reason or confirmation phrase if high risk.
6. Server validates authz and input.
7. Server performs mutation transactionally.
8. Server writes audit event.
9. UI invalidates record/search caches.
10. UI shows result and recovery path if available.

Select all 50 visible rows vs select all 12,384 matching query.

Which roles can see PII?
Is sensitive data masked by default?
Are reads audited, or only writes?
Can support impersonate users?
Is impersonation visible and audited?
Are exports rate-limited and logged?
Does search expose records outside tenant/region/policy?

unit: URL parser, permission view model, bulk result reducer
integration: dangerous action modal + server rejection
E2E: search -> edit -> audit visible
accessibility: data table headers, keyboard row actions, focus after modal
security: unauthorized action hidden and server-rejected
performance: large search result interaction, virtualized table
privacy: sensitive fields masked by role

works offline
captures forms/photos/notes
syncs when online
handles conflicts
shows sync status
supports app updates
protects sensitive data on device
large forms
long sessions

User-entered data must not disappear because network changed.
Every local mutation must have durable local identity.
Sync must be idempotent.
Conflict resolution must be explicit.
The user must know what is synced, pending, failed, or conflicted.
Sensitive local data must be protected according to risk.
App updates must not break unsynced drafts.

Client-heavy app shell.
Service worker caches shell/assets.
IndexedDB stores durable local data.
Sync engine owns network reconciliation.

clientMutationId
entityId
operation type
payload
createdAt
attempt count
status
lastError
baseVersion if conflict detection is needed

Your inspection note conflicts with a newer server version.
Server value: ...
Your value: ...
Choose which to keep or edit manually.

Sync failed.

stale app shell
stale API cache
broken update lifecycle
multiple tabs with different app versions
cached auth-sensitive responses
hard-to-debug network behavior

cache static assets deliberately
avoid caching private API responses unless explicitly designed
version local schemas
migrate IndexedDB carefully
show update available state
protect unsynced data before activating breaking update

What sensitive data is stored locally?
Can it be encrypted?
How is session expiry handled offline?
Can a lost device retain data?
Are attachments stored safely?
Should data be wiped after logout?
Can screenshots/session replay capture sensitive fields?

unit: sync state machine, conflict resolver, local schema migration
integration: offline create -> reload -> still exists -> reconnect -> sync
E2E: network toggle during form submission
performance: large draft list and attachment queue
security: logout clears local sensitive data where required
reliability: app update with pending outbox
accessibility: sync status announcements and form error summaries

shareability
back/forward behavior
saved views
support/debug links
analytics segmentation

permissions
workflow transitions
price
inventory
payment/order creation
audit events
PII access
data export

last updated
sync status
partial results
pending mutations
stale/offline mode
source unavailable
conflict state

user
tenant
role
permission version
locale
currency
region
feature flag
experiment
resource version
query params
time range

virtualize large lists
batch expensive updates
avoid sync layout thrashing
move heavy compute to workers
limit chart point count
avoid unnecessary hydration
measure INP under CPU throttle

pristine
dirty
validating
valid
invalid
submitting
submitted
failed
conflicted
offline queued

Which route failed?
Which user journey was affected?
Was it client, server, cache, network, backend, or third-party?
How many users were impacted?
Can support correlate the user's report with logs/traces?
Can engineering reproduce from URL/state/event data safely?

What are the invariants?
Who owns the source of truth?
What can be stale, and how does the user know?
Which state belongs in URL, local memory, cache, server, or durable storage?
What is the rendering mode per route?
What is the critical path for first useful UI?
What happens under slow network and slow CPU?
What happens if one dependency fails?
What are the cache key dimensions?
What invalidates each cached result?
What is the authorization boundary?
What data crosses server/client boundaries?
How are long-running or retryable mutations handled?
How is accessibility verified?
How will production incidents be debugged?
What can go wrong after six months of feature growth?

6 metric cards
2 charts
date range filter
team filter
export CSV
one slow backend service
role-based metric visibility

route/rendering decision
state classification
cache key design
streaming boundaries
error boundaries
performance budget
a11y checklist
test plan
observability signals

Do not write component code until the design is complete.

caseId
current status
case version
allowed transitions
required reason
optional documents
role-based permissions

state machine
server action/API contract
validation strategy
conflict handling
cache invalidation
audit correlation
keyboard/focus design
tests

local schema
outbox model
sync state machine
retry/backoff policy
conflict resolution UI
service worker cache policy
app update behavior
data loss test cases

source of truth
invariants
latency
staleness
permission
failure blast radius
rendering cost
network cost
main-thread cost
user trust
operational recovery

1. Define the user task and unacceptable failures.
2. Write invariants before components.
3. Classify all state.
4. Identify source of truth for every state type.
5. Choose rendering mode per route/region.
6. Design server/client boundaries.
7. Design fetch graph and cache keys.
8. Define invalidation events.
9. Define loading/error/retry/offline behavior.
10. Define interaction and focus model.
11. Define accessibility requirements.
12. Define security boundaries.
13. Define performance budgets.
14. Define observability signals.
15. Define tests by risk.
16. Review failure modes.
17. Only then implement.

Part 035 — Capstone: Top 1% Frontend Engineer Operating Model