Full deployment history for this project.
Palette: Enhance accessibility with ARIA attributes
- Added `aria-label` attributes to social media icon links in `components/site-footer.tsx` (Twitter, Github, LinkedIn) so their destinations are clear to screen readers.
- Added `aria-current="page"` conditionally to active navigation links in `components/dashboard-sidebar.tsx` to programmatically indicate the current active page.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
feat: add aria-current to dashboard sidebar active links
Add `aria-current="page"` to the currently active navigation link in `components/dashboard-sidebar.tsx`. This improves accessibility by explicitly indicating to screen readers which page the user is currently viewing within the application.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
feat: add ARIA labels to social links in site footer
- Added `aria-label`s to the icon-only links for Twitter, GitHub, and LinkedIn in `components/site-footer.tsx`.
- Updated `.jules/palette.md` journal with learning about missing ARIA labels.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Sentinel: [HIGH] Fix XSS vulnerability in JSON-LD structured data
- Sanitizes JSON-LD schemas injected via dangerouslySetInnerHTML by replacing `<` with `\u003c`.
- Prevents Cross-Site Scripting (XSS) if the structured data payload contains unescaped HTML script tags.
- Logs learning to .jules/sentinel.md
- Removes debug file test_replace.js
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Sentinel: [HIGH] Fix XSS vulnerability in dangerouslySetInnerHTML
Severity: HIGH
Vulnerability: Passing unsanitized `JSON.stringify` output to `<script type="application/ld+json">` using `dangerouslySetInnerHTML`. An attacker providing `</script><script>alert()</script>` via user input would execute arbitrary JavaScript, escaping the string and script tag.
Impact: Cross-Site Scripting (XSS).
Fix: Sanitized the serialized JSON string by replacing `<` with its unicode sequence equivalent `\u003c`, guaranteeing it parses correctly but preventing the browser from prematurely evaluating `<script>` tag conclusions.
Verification: `pnpm build` was used to verify correct parsing and type safety across affected files (`app/page.tsx`, `app/jobs/page.tsx`, `app/faq/page.tsx`).
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
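The escaping described in the two Sentinel commits above, as an added example that is not the project's own code: the unsafe `JSON.stringify` output next to the hardened form that rewrites `<` as `\u003c`, with a constructed FAQ schema carrying a hostile string so the difference is checkable. The function and variable names are assumptions for this illustration.

```javascript
// Added example (not from the repository). Serializing a JSON-LD object for a
// <script type="application/ld+json"> element.

// Unsafe: JSON.stringify leaves "<" untouched, so a string field containing
// "</script>" closes the script element early and the rest becomes markup.
function unsafeJsonLd(schema) {
  return JSON.stringify(schema);
}

// Hardened: replace every "<" with its JSON unicode escape. JSON.parse still
// yields the identical object, but the serialized text can no longer contain
// the literal sequence "</script".
function safeJsonLd(schema) {
  return JSON.stringify(schema).replace(/</g, '\\u003c');
}

// Constructed sample: an FAQ schema whose answer text carries a hostile string
// (the same shape of payload the Sentinel commit describes).
const sampleSchema = {
  '@context': 'https://schema.org',
  '@type': 'FAQPage',
  mainEntity: [{
    '@type': 'Question',
    name: 'Is this safe?',
    acceptedAnswer: {
      '@type': 'Answer',
      text: 'Hello </script><script>alert()</script>',
    },
  }],
};

// True when the serialized payload would terminate a surrounding <script>.
function breaksOutOfScript(serialized) {
  return /<\/script/i.test(serialized);
}

// True when the escaped form parses back to the same object as the unsafe one,
// i.e. the fix changes the bytes on the wire but not the structured data.
function roundTripsEqual(schema) {
  return JSON.stringify(JSON.parse(safeJsonLd(schema))) === unsafeJsonLd(schema);
}
```

A quick check in a browser or Node: `safeJsonLd(sampleSchema)` contains no `<` at all, while `unsafeJsonLd(sampleSchema)` still carries the closing tag.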
Merge pull request #14 from mbarbine/sentinel-security-headers-1587186423641639204
Sentinel: [MEDIUM] Add global security headers
Sentinel: [MEDIUM] Add global security headers
Severity: MEDIUM
Vulnerability: Missing default HTTP security headers (e.g., Strict-Transport-Security, X-Frame-Options) exposing the application to clickjacking, MIME-type sniffing, and XSS attacks.
Impact: Attackers could potentially exploit missing headers to trick users into performing unintended actions or executing malicious scripts.
Fix: Configured `async headers()` in `next.config.mjs` to apply `Strict-Transport-Security`, `X-Frame-Options`, `X-Content-Type-Options`, `X-XSS-Protection`, and `Referrer-Policy` to all routes `/(.*)`.
Verification: Verify the presence of these headers in the HTTP response of any application route using developer tools or curl.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Merge pull request #13 from mbarbine/sentinel-api-security-fix-18180302000004789078
Sentinel: [HIGH] Fix Missing CORS Headers on Public API Integrations
Sentinel: [HIGH] Fix Missing CORS Headers on Public API Integrations
- Add CORS preflight OPTIONS and headers to `/api/mcp`, `/api/network/graph`, `/api/health`, and `/api/docs`.
- Enhance `/api/health` with a Supabase DB connection check and document status codes in `/api/docs`.
- Update `/app/faq/page.tsx` documentation to list public API integration features.
- Create `/tests/api.test.mjs` to comprehensively verify CORS headers and database health checks.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Hi there, Jules here! I've completed the updates to the loading states. Here are the details of my changes:
Palette: Add loading spinners to async action buttons
What: I added the existing `Spinner` component to several critical asynchronous action buttons across the application. When a user initiates an action, the button now displays a spinning icon alongside the loading text.
- Sign In button (`app/auth/login/page.tsx`)
- Create Account button (`app/auth/sign-up/page.tsx`)
- Send Quote Request button (`app/dashboard/projects/new/page.tsx`)
- Sign Out button (`components/dashboard-sidebar.tsx`)
Why: To provide immediate visual feedback that an asynchronous task (like authenticating, processing a form, or logging out) is in progress. This reduces user uncertainty, makes the interface feel more responsive, and prevents repeated clicks during network latency.
Accessibility: The `Spinner` component uses an SVG with `role="status"` and `aria-label="Loading"`, improving context for screen reader us
perf(db): cache Supabase `getUser` and `getProfile` to deduplicate fetches
Wrapped Supabase client instantiation and repetitive database requests (`getUser()` and `getProfile()`) using React's `cache()` in `lib/supabase/server.ts`. This ensures that when both `layout.tsx` and child pages `await` these functions during a single Server Component render pass, only one database roundtrip is executed per request. Cleaned up obsolete `createClient` imports across the application.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Merge pull request #9 from mbarbine/jules-palette-a11y-aria-labels-1411642609376956617
Palette: Add missing ARIA labels to icon-only buttons
Merge pull request #7 from mbarbine/nextjs-web-application-plan
Fix vaul dependency conflict for React 19
Merge pull request #4 from mbarbine/update-gameport-pro-branding-1623772517146061356
Update GamePort Pro branding and Next.js version