
feat(site): debug pass, SEO overhaul, and API rate limiting #111

Merged
marinom2 merged 1 commit into main from feat/site-debug-seo-ratelimit
Jun 11, 2026

@marinom2

Owner

First of three PRs from the full-repo review (38-agent sweep, 22 confirmed critical/high findings).

Broken funnels fixed

  • /api/download now resolves releases per product tag family: desktop installers from the newest v* release, the wallet zip from the newest wallet-v* release (new ?product=wallet form). The wallet release had hijacked releases/latest, sending every desktop download to a page with no installers.
  • /wallet downloads through the resolver instead of a latest/download URL that would 404 after the next desktop release.

Review findings fixed

  • Connect button: Ethereum (chain 1) accepted, it is registered on purpose for the bridge's inbound leg; previously the nav demanded a destructive switch mid-bridge.
  • /wallet page: the four shipped features (worker hub, AI chat, DAO, swap+bridge) were still marked Soon; now Live with accurate copy.
  • /wallet/privacy: discloses the AI-chat gateway proxy (lightnode.app pass-through, ciphertext only) and the relay WebSocket; drops the removed notifications permission; adds block-explorer APIs.
  • DAO panels: epoch guards kill stale-response races on chain switches; voters panel distinguishes RPC failure from genuinely no votes; governor-drift stops rescanning full history on every visit.
  • Bridge: native-side Max reserves gas, unknown balances render as dashes instead of fake zeros, executeBridge decomposed.
  • Economics: static inputs labeled as estimates instead of "live".
  • /worker/[address]: ops panel desktop-gated like /dashboard, errors humanized and cleared on refetch.
  • API routes: net param allowlisted (no more internal TypeErrors), upstream error messages no longer leaked to clients, sdk-demo job id shape-checked before query interpolation, stale comments and contradictory paging docs corrected.
  • Homepage: hero/h1 now server-rendered (was blank until JS mounted), CTAs balanced across both tracks, stale version pins removed from copy, button-in-anchor nesting fixed via asChild.

SEO

  • Root metadata rewritten to the dual-track positioning with an og image (1200x630, brand mesh + wordmark); the old worker-only title was inherited by ~20 routes.
  • Per-route metadata for every client page (new metadata-only layouts), full sitemap (27 routes, was 3), PWA manifest refreshed, /learn double-branding fixed, AppKit metadata icon 404 fixed.

Security

  • middleware.ts adds in-memory sliding-window rate limiting on all /api/* routes (30/min on the gateway proxy, DAO scans, operator preview; 120/min default), keyed by IP + path class, with unit tests. Closes the project's own no-rate-limit gap.

Verification

  • typecheck clean, 507 unit tests green, production build clean (35/35 pages).
  • Headless renders of / and /wallet verified after the changes.

Funnels: /api/download resolves releases per product tag family (desktop v*,
wallet wallet-v*), so a wallet release can no longer hijack the desktop
download, and /wallet pulls its zip through the same resolver instead of a
latest/download URL that 404s when a desktop release lands.

Fixes from the full-repo review: connect button accepts Ethereum (bridge leg)
instead of fighting it with a switch prompt; wallet page flips shipped
features from Soon to Live and the privacy policy discloses the AI-chat
gateway proxy and relay accurately (and drops the removed notifications
permission); DAO/bridge/economics panels get stale-response epoch guards,
tri-state error rendering, a gas-reserving native Max, honest static-estimate
labels, and no more duplicate governor scans; worker pages gate ops behind
the desktop shell and humanize errors; leaderboard skeletons no longer link
to a dead route; API routes validate the net param, stop leaking upstream
error internals, and the sdk-demo job id is shape-checked before reaching
the subgraph query; homepage hero renders server-side, CTAs balance the two
tracks, version pins are gone from marketing copy; AppKit metadata points at
a real icon.

SEO: dual-track root metadata with og image (public/og.png), per-route
metadata for every client page, full sitemap (27 routes, was 3), refreshed
PWA manifest, double-branding fixed on /learn.

Security: in-memory sliding-window rate limiting middleware over /api/*,
tightest on the gateway proxy, DAO scans, and operator preview, with unit
tests.
@marinom2 marinom2 merged commit 50839fe into main Jun 11, 2026
1 of 2 checks passed
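
The sliding-window limiter described under Security above, sketched as an added TypeScript example; it is not the PR's middleware.ts. Only the 30/min and 120/min limits and the IP + path class key come from the description; the route prefixes, the class names and `SlidingWindowLimiter` are assumptions.

```typescript
// Added example: in-memory sliding-window limiter keyed by client IP + path class.
// The strict prefixes are hypothetical; the PR text does not list the real routes.
type PathClass = "strict" | "default";

const WINDOW_MS = 60_000;
const LIMITS: Record<PathClass, number> = { strict: 30, default: 120 };
const STRICT_PREFIXES = ["/api/gateway", "/api/dao", "/api/operator-preview"]; // assumed

function classify(pathname: string): PathClass {
  const strict = STRICT_PREFIXES.some((p) => pathname === p || pathname.startsWith(p + "/"));
  return strict ? "strict" : "default";
}

interface Decision { allowed: boolean; remaining: number; retryAfterMs: number }

class SlidingWindowLimiter {
  private hits = new Map<string, number[]>(); // key -> request timestamps in the window

  check(ip: string, pathname: string, now: number = Date.now()): Decision {
    const cls = classify(pathname);
    const key = `${ip}|${cls}`;
    // Drop timestamps that have slid out of the 60 s window.
    const recent = (this.hits.get(key) ?? []).filter((t) => t > now - WINDOW_MS);
    const limit = LIMITS[cls];
    if (recent.length >= limit) {
      this.hits.set(key, recent);
      // The oldest counted hit leaves the window at recent[0] + WINDOW_MS.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + WINDOW_MS - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: limit - recent.length, retryAfterMs: 0 };
  }

  // Evict idle keys so the map stays bounded when many distinct IPs appear.
  sweep(now: number = Date.now()): number {
    let removed = 0;
    this.hits.forEach((stamps, key) => {
      if (stamps.length === 0 || stamps[stamps.length - 1] <= now - WINDOW_MS) {
        this.hits.delete(key);
        removed++;
      }
    });
    return removed;
  }
}
```

State held this way is per process, so a deployment that runs several instances enforces the limit per instance rather than globally. The `ip` argument is only as trustworthy as the proxy header it is read from.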
@vercel

vercel Bot commented Jun 11, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
lightnode Building Building Preview, Comment Jun 11, 2026 9:00pm


@marinom2 marinom2 deleted the feat/site-debug-seo-ratelimit branch June 11, 2026 21:00