Full deployment history for this project.
🛡️ Sentinel: [CRITICAL] Fix API key timing attack vulnerability
Replaced strict equality (`!==`) with a custom constant-time bitwise comparison utility for verifying API keys in the matches route. This prevents timing attacks where an attacker could iteratively guess the secret in the Edge runtime.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
feat: enhance desktop crosshair and mobile controller UX
- Implemented dynamic and customizable crosshairs for desktop players, pulling configuration directly from local storage settings.
- Restyled mobile controls by enlarging buttons and positioning them for improved ergonomics. Replaced touch-sticking 'hover:' styles with reliable active states and touch ID refs.
- Updated the comprehensive test suite to cover all new Crosshair and MobileController component logic.
- Updated ROADMAP.md and README.md.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🎨 Palette: Keyboard shortcut hints with Kbd
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Fix timing attack vulnerability in API key verification
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [MEDIUM] Fix prototype pollution and unauthorized state modification in server update handler
- Explicitly type-casts allowed properties (position, rotation, health, armor, currentWeapon, alive)
- Validates arrays and checks for valid numbers before assigning updates
- Prevents potential object injection and game logic bypass
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [MEDIUM] Fix information leakage in API errors
🚨 Severity: MEDIUM
💡 Vulnerability: The MCP JSON-RPC POST endpoint (`app/api/mcp/route.ts`) was catching internal errors and returning the raw `err.message` directly to the client in a 500 response. This could leak sensitive internal details (e.g., file paths, database query syntax, or downstream API secrets) if a poorly handled error is thrown by an internal service.
🎯 Impact: Attackers could gain insight into internal system architecture or secrets via detailed error messages, aiding further attacks.
🔧 Fix: Updated the catch block to log the detailed error server-side (`console.error`) and return a generic "Internal server error" string to the client.
✅ Verification: Ran `pnpm test __tests__/app/api/mcp/route.test.ts` to ensure the API route still functions correctly.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Add focus visible rings to EndScreen component buttons
Added standard application focus-visible classes to the "PLAY AGAIN" button and the "BACK TO MENU" link in the EndScreen component. This improves keyboard accessibility and matches the rest of the application styling for interactive elements.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
feat: Replace placeholder images with real assets in application layout and footer
This commit replaces occurrences of generic image placeholders like `icon.svg` with actual assets like `icon-light-32x32.png` and `icon-dark-32x32.png`. It correctly wires them into `app/layout.tsx` metadata and `public/manifest.json`. It also updates the PlatphormNews logo reference in `components/layout/footer.tsx` to use the appropriate dark icon since the layout renders with a dark theme background.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
perf(bot): defer Math.sqrt() in AI hot loop
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Fix API Key timing attack vulnerability
Adds a constant-time comparison function `secureCompare` in `app/api/v1/matches/route.ts` to verify the API key, preventing timing attacks that rely on early-exit string comparisons.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🎨 Palette: Add focus styles to footer links
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Merge pull request #147 from mbarbine/replace-placeholder-images-10538514663219873069 chore(ui): replace placeholder images with actual assets
perf: memoize players array in RemotePlayerManager
To prevent redundant array allocations via Object.values() on every render cycle. In a React Three Fiber environment, this reduces Garbage Collection (GC) pressure and helps maintain a stable frame rate.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Merge pull request #132 from mbarbine/palette-topbar-focus-states-8892643903050469052 🎨 Palette: Add keyboard focus visible styles to top navigation
Merge pull request #131 from mbarbine/palette-a11y-search-input-9417106350856940185 🎨 Palette: Add ARIA label to server search input
Merge pull request #130 from mbarbine/jules-12491201786318142243-8908297e feat: improve desktop crosshair and mobile controls UX
Merge pull request #128 from mbarbine/bolt-optimize-hitscan-zero-alloc-2334542899446304547 ⚡ Bolt: Zero-allocation dynamic arrays for object pools in hot loops
Merge pull request #127 from mbarbine/palette-mobile-controller-aria-labels-726332500985160323 🎨 Palette: Add ARIA labels to mobile action buttons
Merge pull request #124 from mbarbine/feature/mobile-controller-enhancement-11431411895021321089 ✨ Enhance mobile player experience dramatically
Merge pull request #123 from mbarbine/fix/syntax-errors-playability-11148586911081719446-1525572646716149256 fix: resolve syntax error and undefined reference blocking gameplay
Merge pull request #120 from mbarbine/jules-1106902703048184406-84e89cd6 Fix blank screen issue when joining a game
Merge pull request #113 from mbarbine/chore-upgrade-packages-17521243225587005314 chore: Upgrade packages and add ServerList tests
Merge branch 'main' into chore-upgrade-packages-17521243225587005314
Merge pull request #114 from mbarbine/feature-enhance-game-loading-experience-11829663241561693172 ✨ Enhance game loading experience
Merge pull request #90 from mbarbine/jules-3218924101000292214-9f64587e ⚡ Bolt: Optimize Floating Debris Initialization
Merge branch 'main' into jules-3218924101000292214-9f64587e
Merge pull request #91 from mbarbine/jules-7615339296207156647-89789965 🧪 Add test for SliderSetting optional props
Merge branch 'main' into jules-7615339296207156647-89789965
Merge pull request #89 from mbarbine/perf-optimize-debris-allocation-7229278190365265486 ⚡ Bolt: Optimize FloatingDebris array instantiation
Merge pull request #88 from mbarbine/chore/fix-mcp-client-types-13250964057846726797 🧹 [code health improvement] Fix unsafe type cast in McpClient.callToolJson
Merge pull request #86 from mbarbine/test-slider-setting-unit-step-3854168474975883060 🧪 [testing improvement] Add test for SliderSetting advanced props
Merge pull request #87 from mbarbine/sec-fix-randomuuid-3833370607767928291 🔒 Replace Math.random() with crypto.randomUUID() for ID generation
Merge branch 'main' into sec-fix-randomuuid-3833370607767928291
Merge pull request #84 from mbarbine/jules-10957434666547943197-91b0e066 🔒 Sanitize JSON-LD strings to prevent XSS in dangerouslySetInnerHTML
Merge branch 'main' into jules-10957434666547943197-91b0e066
Merge pull request #85 from mbarbine/jules-12471463421806061248-66da53e0 🧹 Extract magic numbers for glitch effect in AnimatedTitle
Merge pull request #83 from mbarbine/fix-xss-jsonld-10357719178708174158 🔒 Fix XSS vulnerability in JSON-LD script tags
Merge pull request #81 from mbarbine/fix-empty-catch-block-audio-engine-14863017407137284765 🧹 [Fix empty catch block in audio engine]
Merge branch 'main' into fix-empty-catch-block-audio-engine-14863017407137284765
Merge pull request #80 from mbarbine/security-fix-insecure-uuid-kill-feed-9074607361620669976 🔒 Fix insecure UUID generation in kill feed
Merge pull request #79 from mbarbine/jules-codehealth-empty-catch-block-16139395372308531539 🧹 [Code Health] Add error logging to empty catch block in settings-panel
Merge pull request #82 from mbarbine/fix-audio-catch-block-2351834909712948043 🧹 Fix empty catch block in audio-engine