The server was drowning and nobody could see it.

Laravel Nightwatch went live in this session — real observability, not just error logs — and within minutes it told a story the dashboard never would have. A bot army on AWS was hammering /webhook/twilio/subscription on repeat. Every hit spun up a PHP worker, burned through the queue, and slowed everything else down. Meanwhile, the Jobber sync that ran every three hours was firing 9,400 database queries per cycle. Not because it needed to — because it was checking every record individually, even the ones that hadn't changed since last Tuesday.

The fixes were structural, not cosmetic. Cloudflare WAF rules now block any webhook request that doesn't carry the right signature header — Twilio needs X-Twilio-Signature, Stripe needs Stripe-Signature, Jobber needs X-Jobber-Hmac-SHA256. No header, no entry. The bot IPs got blocked outright. And the Jobber sync switched to incremental mode: an updatedSince filter that only pulls what's changed, batch upserts instead of one-at-a-time saves, pre-loaded ID maps that eliminate redundant lookups. Nine thousand queries became near zero for unchanged data.
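The WAF rules described above test only that the signature header is present, so the application still has to verify the header's value before trusting the request. An added example (not code from THDCRM), in PHP to match the Laravel app, puts that presence gate next to Twilio's documented HMAC-SHA1 check for the one webhook path named in this post. The auth token, host name and form fields are constructed sample values, and the function names are hypothetical.

```php
<?php
// Added example, not THDCRM code. Path and header name come from the post;
// the auth token, host name and form fields are constructed sample values.
const REQUIRED_HEADER = ['/webhook/twilio/subscription' => 'x-twilio-signature'];

// Mirrors the edge rule: block when the provider's signature header is absent.
function passesPresenceGate(string $path, array $headers): bool
{
    $required = REQUIRED_HEADER[$path] ?? null;
    if ($required === null) {
        return true; // not a gated webhook path
    }
    return in_array($required, array_map('strtolower', array_keys($headers)), true);
}

// Twilio's scheme: base64(HMAC-SHA1(auth token, URL + POST pairs sorted by key)).
function twilioSignature(string $authToken, string $url, array $post): string
{
    ksort($post, SORT_STRING);
    $data = $url;
    foreach ($post as $key => $value) {
        $data .= $key . $value;
    }
    return base64_encode(hash_hmac('sha1', $data, $authToken, true));
}

// Application-side check; hash_equals compares in constant time.
function verifyTwilio(string $authToken, string $url, array $post, array $headers): bool
{
    $headers = array_change_key_case($headers, CASE_LOWER);
    $given = $headers['x-twilio-signature'] ?? '';
    return hash_equals(twilioSignature($authToken, $url, $post), $given);
}

$token = 'constructed-test-token';
$path  = '/webhook/twilio/subscription';
$url   = 'https://crm.example.test' . $path;
$post  = ['To' => '+15550100', 'From' => '+15550101', 'Body' => 'STOP'];

$cases = [
    'no header'     => [],
    'header, wrong' => ['X-Twilio-Signature' => 'AAAA'],
    'header, valid' => ['X-Twilio-Signature' => twilioSignature($token, $url, $post)],
];
foreach ($cases as $label => $headers) {
    $edge = passesPresenceGate($path, $headers);
    $app  = $edge && verifyTwilio($token, $url, $post, $headers);
    printf("%-14s edge=%-5s app=%s\n", $label, $edge ? 'pass' : 'block', $app ? 'accept' : 'reject');
}
```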

But the session didn't stop at the server layer. It reshaped what the platform looks like in your hand.

The client list — the first thing you see when you open THDCRM on a phone — had been a table pretending to be mobile. Now it's a stacked card deck, each client a card you tap to expand. Visual signals live on the cards themselves: an indigo ring means they're a subscriber, a red border means something's overdue, an amber pulse means a site issue needs attention, a green dot means they're online right now. Site favicons appear inline. The whole thing feels physical, like flipping through index cards on a desk, except the cards are alive with status.

The navigation got the same treatment. The hamburger icon — that universal symbol of "I didn't know where to put things" — became the THDCRM logo, pixel-matched to its overlay position. Behind it, a two-tab grid menu: Main for client-facing work, Admin for infrastructure and fleet tools. Context-aware quick actions appear when you're viewing a specific client. The tab you were last on persists in localStorage, because small courtesies compound.

Shopify joined the platform properly in the same session. The broken standalone dashboard page got removed. The provision dialog grew a Shopify-specific flow — store name instead of server config, no PHP version picker. The site detail page shows a Shopify tab now, but only when the site is actually a Shopify store. When there's no API token yet, the empty state says exactly what to do: "Run First Audit" and "Add API Token." No guessing.

The Keybox — where credentials live — expanded to handle the reality that not everything is a username and password. API keys, access tokens, key files, PEM certificates, JSON credentials — each type gets its own form shape. The Shopify dashboard auto-detects a keybox entry named "Shopify" and syncs the token without asking.

And the audit report cards that had been large score circles on desktop became table rows on mobile — compact, scannable, the information density that a small screen demands.

Nightwatch was the unlock. Not because observability is novel, but because you can't fix what you can't see. The Twilio bot spam and the Jobber query storm were both invisible from the application layer. They looked like "the server is slow sometimes." It took a tool that watches from outside the application to say: no, this is specific, this is measurable, and this is fixable right now.