This page covers how DomiDo prevents user errors, handles them when they occur, and helps people recover. The picture spans eight categories: pre-validation, confirmation dialogs, undo support, auto-save, network resilience, data-loss prevention, timeout handling, and concurrent operations. Each category lists the design's current response. The shared principle is that errors should be caught before they become commitments, that reversible actions should always remain reversible inside a clear window, that destructive actions require an explicit confirmation proportionate to the damage, and that no operation should leave a user in an ambiguous state — every error message identifies the problem precisely and offers a constructive next step.
Validation happens early so users do not invest in actions that will fail. The file-upload screen runs client-side format and size checks before any upload begins. The credit-sufficiency gate on the Mode Selector card states the total cost of the AI mode and warns when the balance is low. The 3D generation step re-checks the balance before five credits are spent so a user cannot lose fifteen to thirty minutes of projection approvals only to discover they cannot fund the next step. The cart pre-validates the United Kingdom delivery region before redirecting to Stripe. Form fields validate on blur and re-validate on every keystroke once the field has been touched once and failed. Date inputs and address inputs use platform-native pickers and autocomplete to avoid format errors.
Reversible actions use an undo toast; irreversible actions use an explicit confirmation. Pre-order cancellation prompts a confirmation dialog with an optional reason field. Account deletion requires typing "DELETE" as confirmation — the strongest pattern available, with the dialog explaining that the action removes every personal record. Subscription downgrades show the date the change takes effect and what will be lost. Refunds and order-cancellations on the admin surface require confirmation. The "Delete design" action prompts a confirmation that names the design. Destructive operations follow a three-tier pattern: swipe-with-undo for small reversible actions, confirm-dialog for medium-impact actions, and type-to-confirm for the most consequential.
Removing a cart item shows an Undo toast for five seconds before committing. Unliking a design, unfollowing a designer, and removing from a collection each show a three-second Undo toast. Dismissing a notification and archiving an admin order each show a five-second Undo toast. The toast carries dark text on a white background with a gold "Undo" link of forty-four pixels minimum hit area and a subtle countdown progress bar. Tapping Undo cancels the pending server call and restores the previous state with a brief animation. A second undoable action commits the first immediately and replaces the toast.
The AI-mode prompt text auto-saves to local storage on every change with a two-second debounce so a user can leave the screen and return without losing their work. Projection configuration and design customisation parameters auto-save on change with a one-and-a-half-second debounce. Admin settings auto-save with a three-second debounce. Profile editing requires an explicit Save action. Each auto-saved context shows a quiet status: a spinner with "Saving..." while in flight, a check with "Saved" that fades after two seconds, and an X with "Couldn't save" and a Retry link if it fails. Failed saves auto-retry three times with exponential backoff before falling back to manual retry. Offline edits queue locally with a "Saved locally" indicator and synchronise on reconnect. Conflict resolution is last-write-wins with the server timestamp.
Every network operation has an explicit retry strategy. The file upload retries three times with exponential backoff (one, two, four seconds) before showing a manual-retry option. The Server-Sent Events connection reconnects transparently with exponential backoff; after five seconds of disconnection a quiet "Reconnecting..." indicator appears. The third-party logistics order submission retries silently every fifteen minutes for up to twenty-four hours; an admin alert fires after three failures; the order surfaces as "Fulfilment Error" on the customer's Order Detail with a clear "Order being processed manually" message. Context-specific offline screens replace generic ones. The Cart says "Your cart is saved" and the items remain interactive offline. The Gallery says "Load cached designs" with a list of recently viewed items. The Account requires sign-in when reconnected if the session has expired. The Assembly Viewer is fully usable offline once the design's package is cached — assembly instructions, the 3D model, and the Bill of Materials.
The phantom-payment recovery covers the worst-case Stripe failure. On Cart load the application checks for an incomplete Stripe checkout session younger than thirty minutes; if one exists, an amber banner offers "Complete Payment" (resume the session) and "Cancel" (expire the session). Older sessions auto-expire silently. This prevents duplicate charges when the redirect back from Stripe fails (app crash, network loss). The AI-mode resume path covers the second-worst case: the user abandons the projection workflow halfway through. The Design carries an "AI In Progress" status badge on My Designs with a Resume button that restores the projection workflow at the exact step where the user left off; every approved projection is preserved server-side. Every mutating action carries an idempotency key (a version-four universally unique identifier) so a network retry or a double-tap is safe. Every action button enters a Submitted state on tap that disables pointer events until the server responds. The server responds with the same outcome for the same idempotency key, even if the original request actually succeeded but the response was lost.
Every operation has a defined hard timeout with explicit user feedback. AI image generation times out at one hundred and twenty seconds; 3D model generation at one hundred and eighty; pipeline processing at three hundred; the Stripe checkout session at thirty minutes; file uploads at one hundred and twenty seconds; the Server-Sent Events connection at six hundred with transparent reconnection. The third-party logistics retry envelope is twenty-four hours. At fifty per cent of the timeout the user sees an elapsed-time counter. At eighty per cent a warning message appears: "This is taking longer than usual". At one hundred per cent the operation fails with explicit recovery actions tailored to the operation: "Try Again" for retryable failures, "Try Different Style" for AI failures, "Simplify Model" for pipeline failures that may relate to model complexity, "Try Different Provider" for 3D generation failures, "Save and notify me" for price-calculation errors.
Concurrent state changes are guarded against silent corruption. Order state machines reject illegal transitions (a delivered order cannot be cancelled; a refunded order cannot be re-shipped). The Bill of Materials calculation is server-authoritative; a stale client view is corrected on cart-add. Pre-order conversions check for cancellation, expiry, and card-update events before capturing funds. The cart reconciles with the server on every screen open so two devices editing the same cart converge to the server view rather than overwriting each other. Comments use an optimistic-with-server-reconcile pattern so the author sees their own comment immediately and the moderation result updates the badge later. Likes and follows use optimistic state with rollback on failure.
Every error message is written in plain language, identifies the problem precisely, and offers a constructive next step. Generic "Something went wrong" messages are never used in customer flows. Pipeline failures show stage-specific recovery messages with three actions — try again, upload a different file, or go home — and three suggestions (repair mesh, simplify, reduce triangles). AI generation failures distinguish a platform outage from a safety filter trigger and offer different recoveries for each. Three-dimensional generation failures refund credits and offer "Try Again", "Try Different Provider", or "Save and Exit". Price-calculation errors offer "Save design and notify me" rather than dead-ending the flow. The gallery search distinguishes "no results" from "search error". A WebGL initialisation failure on Design Review falls back to a Bill-of-Materials text summary so the user can still proceed.
Every empty state offers a friendly illustration, a brief explanation, and a clear next step. "No Designs Yet" offers the two creation buttons and a catalogue fallback. "No Orders Yet" surfaces the catalogue. "Empty Cart" shows recent design recommendations. "No Search Results" offers reformulation suggestions. The Gallery's launch-day empty state shows "Be the first to share" and surfaces curated seed content categorised by use case.
A user whose published design fails moderation sees a dedicated rejection screen with the reason, an appeal link, and an "Edit and Resubmit" action. The design remains in My Designs with a "Moderation Rejected" status badge so the user can return to it. A saved card approaching expiry triggers a notification on Pre-order Management with a seven-day countdown and an "Update Payment Method" call-to-action. The pre-order is not auto-cancelled within the grace period; updating the card restores the payment instrument and the pre-order proceeds.
The error and edge-case examination identified fifty-eight gaps across the eight categories: eleven pre-validation, eight confirmation, six undo support, six auto-save, nine network resilience, six data-loss prevention, six timeout handling, and six concurrent operations. Seven were Critical, twenty-one High, twenty-one Medium, and nine Low. Every gap is addressed by the design responses summarised above.