Full deployment history for this project.
🛡️ Sentinel: [CRITICAL] Fix SSRF blocklist bypass for IPv6 in Webhooks
Fix SSRF bypass via IPv4-mapped IPv6 and integer IP encodings
Implemented a robust `isPrivateOrLocal` validation function in the webhook subscription endpoint to catch and block URL bypass attempts involving:
- IPv4-mapped IPv6 IPs (e.g. `[::ffff:169.254.169.254]`)
- Integer IPs (e.g. `2852039166`)
- Alternate encoding techniques for IPv6 Link/Unique Locals and Cloud metadata IPs
Also updated `.jules/sentinel.md` documenting this CRITICAL learning to ensure developers aren't just relying on simple regex or string prefixes. Added robust tests to cover these edge cases.
⚡ Bolt: [performance] Defer Footer load with dynamic import Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [CRITICAL] Fix Webhook DoS and SSRF bypass
🚨 Severity: CRITICAL
💡 Vulnerability: Found a CRITICAL Denial of Service via unbound in-memory arrays combined with rate-limiting bypass. Additionally, an SSRF bypass using `[::1]` for IPv6 loopback was discovered.
🎯 Impact: An attacker can exhaust server memory and crash the application.
🔧 Fix: Bounded the in-memory `subscribers` array and explicitly blocked `[::1]` to prevent SSRF bypasses via normalized IPv6 loopback.
✅ Verification: Ran `vitest` unit tests properly validating both the rate limiting array boundary and SSRF checks. Also verified with Next.js build.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
⚡ Bolt: Add sizes attribute to Next.js images Added `sizes` attribute to `next/image` components with `fill={true}` to prevent the browser from downloading unnecessary `100vw` size images. This improves LCP and reduces bandwidth significantly across gallery and hero sections. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
feat(a11y): Make interactive value cards accessible via keyboard Add role="button", tabIndex, onKeyDown, aria-expanded, aria-controls and focus-visible styles to the interactive Card elements in the Value section to ensure keyboard and screen reader accessibility. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🎨 Palette: Add ARIA label to gallery close button Adds `aria-label="Close image"` to the icon-only close button in the `GallerySection` lightbox to ensure it is accessible to screen readers. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
perf(ui): defer loading Footer component to reduce initial JS payload Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
feat(a11y): improve keyboard navigation and screen reader support in gallery Adds keyboard interactions (Enter, Space), `tabIndex`, `role="button"`, and `aria-label`s to gallery cards to make them navigable via keyboard and screen reader friendly. Also adds a missing `aria-label` to the icon-only Lightbox close button. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
refactor: convert client components to server components by using native CSS scroll padding
- Replaced JS `window.scrollTo` in `Header`, `HeroSection`, and `Footer` with native CSS `scroll-padding-top`
- Removed `"use client"` directives from `HeroSection` and `Footer`, converting them to Server Components
- Maintained exact functionality of smooth scrolling to anchors with fixed header offset
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🎨 Palette: Improve Gallery Accessibility
- Add `role="button"` and keyboard navigation to gallery image cards.
- Add `focus-visible` styling to gallery cards.
- Add `role="dialog"`, `aria-modal`, and `aria-label` to the lightbox.
- Implement an `Escape` key listener to close the lightbox.
- Added a critical learning to `.jules/palette.md` about ensuring full keyboard support for custom lightbox implementations.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [CRITICAL/HIGH] Fix SSRF vulnerability in webhook subscriptions Added Cloud Metadata IPs (169.254.x.x) and IPv6 Unique Local Addresses (fc00::/7) to the SSRF blocklist in the webhook subscription endpoint. Documented the learning in .jules/sentinel.md and added tests. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
fix: replace insecure Math.random with crypto.randomBytes for webhook ID generation Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Add rate limiting to webhook subscribe endpoint Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Merge pull request #6 from mbarbine/sentinel-ssrf-mitigation-14987880943831039718 🛡️ Sentinel: [HIGH] Fix SSRF vulnerability in webhook subscription
feat(security): prevent SSRF in webhook subscriptions
* Parse provided URL using `new URL()` to enforce only `http:` or `https:` protocols.
* Added hostname validation to block local and private IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, ::1), and local hostnames (localhost, .local, .internal).
* Updated `package.json` with `vitest` for test runner and added extensive unit tests to ensure URL validations and SSRF mitigations function correctly.
* Updated OpenAPI documentation and README to outline SSRF protection.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
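The webhook-target check that the `feat(security)` commit above introduces and that the later `Fix SSRF bypass via IPv4-mapped IPv6 and integer IP encodings` commit hardens, written as an added example rather than the repository's own code: it parses IPv4 (dotted or bare integer), expands IPv6 (compressed and IPv4-mapped) before comparing against the blocked ranges, and rejects anything unparseable. The helper names other than `isPrivateOrLocal`, the inclusion of 0.0.0.0/8, fe80::/10 and the unspecified address, and the sample URLs are assumptions.

```javascript
// Added example, not project code (helper names assumed). Dotted-quad or bare-integer IPv4 -> uint32, else null.
function parseIPv4(s) {
  if (/^\d+$/.test(s)) return Number(s) <= 0xffffffff ? Number(s) : null;
  const p = s.split('.');
  if (p.length !== 4 || !p.every(x => /^\d{1,3}$/.test(x) && Number(x) <= 255)) return null;
  return p.reduce((acc, x) => acc * 256 + Number(x), 0);
}
// IPv6 literal (with '::' and/or an embedded dotted IPv4 tail) -> 8 groups, else null.
function parseIPv6(s) {
  const i = s.lastIndexOf(':');
  if (s.slice(i + 1).includes('.')) {                 // e.g. ::ffff:169.254.169.254
    const v4 = parseIPv4(s.slice(i + 1)); if (v4 === null) return null;
    s = `${s.slice(0, i + 1)}${(v4 >>> 16).toString(16)}:${(v4 & 0xffff).toString(16)}`;
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [], tail = halves[1] ? halves[1].split(':') : [];
  const fill = 8 - head.length - tail.length;
  if (fill < 0 || (halves.length === 1 && fill !== 0)) return null;
  const g = [...head, ...Array(fill).fill('0'), ...tail].map(x => /^[0-9a-f]{1,4}$/i.test(x) ? parseInt(x, 16) : NaN);
  return g.some(Number.isNaN) ? null : g;
}
// 0/8, 10/8, 127/8, 172.16/12, 192.168/16 and the 169.254/16 cloud-metadata range.
function isPrivateIPv4(n) {
  const a = n >>> 24, b = (n >>> 16) & 0xff;
  return a === 0 || a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31)
    || (a === 192 && b === 168) || (a === 169 && b === 254);
}
// ::, ::1, IPv4-mapped ::ffff:a.b.c.d (re-checked as IPv4), fc00::/7 and fe80::/10.
function isPrivateIPv6(g) {
  if (g.slice(0, 5).every(x => x === 0) && g[5] === 0xffff) return isPrivateIPv4(((g[6] << 16) | g[7]) >>> 0);
  if (g.slice(0, 7).every(x => x === 0) && g[7] <= 1) return true;
  return (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80;
}
// True when a hostname or bracketed IP literal must not be a webhook target. Public names pass here;
// resolving them and re-checking the resolved address at send time is a separate step not shown.
function isPrivateOrLocal(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, '');
  if (h === 'localhost' || /\.(localhost|local|internal)$/.test(h)) return true;
  const v4 = parseIPv4(h);
  if (v4 !== null) return isPrivateIPv4(v4);
  if (h.includes(':')) { const v6 = parseIPv6(h); return v6 === null || isPrivateIPv6(v6); }
  return false;
}
// True when the raw URL must be rejected: unparseable, not http(s), or a private/local target.
function isBlockedWebhookUrl(raw) {
  let u; try { u = new URL(raw); } catch { return true; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return true;
  return isPrivateOrLocal(u.hostname);
}
```

Because `new URL()` already normalizes `2852039166` to `169.254.169.254` and `[::ffff:169.254.169.254]` to `[::ffff:a9fe:a9fe]`, the parsers above accept both the raw and the normalized spellings so the result does not depend on which form reaches the check.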
Merge pull request #5 from mbarbine/bolt-performance-optimization-dynamic-imports-4537187516108258279 ⚡ Bolt: [performance improvement] dynamically import client components below the fold
⚡ Bolt: [performance improvement] dynamically import client components below the fold Dynamically import ValueSection, GallerySection, and ShareSection using next/dynamic to split their JavaScript into separate chunks and reduce the initial page load payload size. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Merge pull request #4 from mbarbine/copilot/update-favicon-og-image Replace placeholder favicon and static OG image with emoji-based SVG and dynamic next/og card
chore: add tsconfig.tsbuildinfo to .gitignore Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Merge pull request #3 from mbarbine/copilot/fix-404-not-found-error [WIP] Fix 404 not found error on website
Fix 404: create missing app/[locale]/page.tsx for next-intl routing Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Initial plan: create missing app/[locale]/ files Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Initial plan
Merge pull request #2 from mbarbine/copilot/fix-404-error-landing-page [WIP] Fix 404 error on website landing page
Merge pull request #1 from mbarbine/copilot/add-api-docs-and-sitemap Add README, emoji favicon, MCP registry references, and parent network API discovery
fix: correct @theme syntax in globals.css Fix missing closing brace and simplify Tailwind CSS theme block. Co-authored-by: Michael Barbine <3211492+mbarbine@users.noreply.github.com>