Full deployment history for this project.
Consolidate open PRs, compatible upgrades, and platform auth Validated locally and through a READY Vercel preview. Merge commit preserves every original PR head in ancestry.
chore: validate consolidated upgrades and platform auth
palette: improve markets page accessibility and consistency - Added sr-only labels to search and category inputs in /markets - Applied focus-visible styles to inputs and table links for better keyboard navigation - Added contextual aria-labels to market and category links in MarketTable - Updated MarketTable empty state to match the system's dashed-card pattern with an Activity icon - Verified accessibility improvements with Playwright screenshots and passed all lint/test checks Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
⚡ Bolt: Parallelize CLOB midpoint fetches Parallelize independent midpoint price fetches for market outcomes in `lib/clob-api.ts`. 💡 What: Replaced a sequential `for...of` loop with `Promise.all` in `fetchClobPrices`. 🎯 Why: Reduces latency from O(N * RTT) to O(RTT). Standard binary markets see a 2x speedup in cold-cache midpoint fetching. 📊 Impact: Expected ~50% reduction in wall-clock time for enriched market data retrieval. 🔬 Measurement: Verified with `pnpm test:run` (all 482 tests passed). Also added type-safe handling and narrowing for `Promise.all` results. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
⚡ Bolt: Parallelize CLOB price fetching Optimized the `fetchClobPrices` function in `lib/clob-api.ts` to fetch midpoints for all outcomes in parallel using `Promise.all`. This reduces the total latency for a market with N outcomes from O(N * RTT) to O(RTT), significantly improving the response time for enriched feeds and market detail pages. Includes refined TypeScript type guards to ensure consistent data and type safety. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
⚡ Bolt: Parallelize CLOB midpoint fetches Parallelize independent network requests in `fetchClobPrices` using `Promise.all` to reduce latency from O(N * RTT) to O(RTT). - Replaces sequential `for...of` loop with `Promise.all` - Flattens results with `flatMap` - Preserves error handling and null behavior - Passes existing unit tests in `tests/unit/clob-api.test.ts` Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
⚡ Bolt: parallelize CLOB price and book fetching This optimization parallelizes independent network requests in the CLOB API client. - In `fetchClobPrices`, midpoint price fetches for multiple token IDs are now performed in parallel using `Promise.all`, reducing latency from O(N * RTT) to O(1 * RTT). - In `fetchMarketOrderbook`, the fetching of outcome books and midpoint prices is now parallelized, further reducing the total round-trip time for full orderbook resolution. Expected Impact: - Reduces latency for multi-outcome markets (e.g. YES/NO) by ~50% in the CLOB data path. - Measurable speedup for any endpoint resolving full market orderbooks. Verified with `pnpm test` and integration suite. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
🛡️ Sentinel: Harden input validation with centralized clamping This commit hardens the application's defense against Denial of Service (DoS) attacks by centralizing and standardizing input validation for numeric and string query parameters. - Updated `clampInt` and `clampFloat` in `lib/platform.ts` to truncate input strings to 10 characters before parsing, mitigating CPU exhaustion risks from extremely long numeric strings. - Added `clampString` utility to `lib/platform.ts` to enforce a default maximum length of 240 characters on untrusted string inputs. - Refactored several API routes (`/api/errors`, `/api/feed`, `/api/feed/atom`, `/api/feed/json`) to use these centralized utilities. - Updated integration tests to reflect the shift from explicit 400 errors to silent clamping for out-of-range parameters, improving system robustness. - Updated Sentinel's journal with learnings from this enhancement. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
🛡️ Sentinel: Fix DoS risk in query parameter parsing Implement input trimming and truncation to 10 characters before numeric parsing in clampInt and clampFloat utilities. Add clampString utility for safe string extraction. Apply these protections across public API routes to mitigate CPU exhaustion and memory risks from unbounded user inputs. - Enhanced lib/platform.ts with secure clamping utilities - Secured /api/analytics, /api/errors, /api/markets, and /api/feed routes - Added comprehensive unit tests in tests/unit/platform.test.ts - Verified via integration tests (rest-api.test.ts, feed-routes.test.ts) - Updated .jules/sentinel.md with critical learnings Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
🎨 Palette: Enhance Market Detail navigation and accessibility - Replace plain text "Markets" back link with a ghost button containing a ChevronLeft icon and -ml-2 alignment for better visual affordance. - Add "Back to Markets" aria-label to the back button. - Update "Open on Polymarket" external link to include "(opens in a new tab)" in its aria-label for screen reader accessibility. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
🛡️ Sentinel: Harden numeric input parsing to prevent DoS This commit standardizes numeric input validation across the application to mitigate Denial of Service (DoS) risks and improve system robustness. Changes: - Hardened `clampInt` and `clampFloat` in `lib/platform.ts` with 10-char input truncation before parsing. - Refactored `api/feed`, `api/feed/json`, `api/feed/atom`, and `api/analytics` to use these secure utilities. - Updated integration tests to expect silent clamping instead of 400 errors for out-of-range parameters. - Added comprehensive unit tests for the hardened parsing logic. - Documented the vulnerability and prevention strategy in `.jules/sentinel.md`. This follows the "Defense in Depth" philosophy by ensuring all untrusted numeric string inputs are length-limited and range-clamped before processing. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
🛡️ Sentinel: Fix potential DoS via unbounded numeric string parsing This change enhances the application's resilience against Denial of Service (DoS) attacks by ensuring all user-provided numeric query parameters are truncated to a maximum of 10 characters before being passed to parsing functions like `Number.parseInt` or `Number.parseFloat`. - Updated `clampInt` and `clampFloat` utilities in `lib/platform.ts` to include automatic 10-character truncation as a defense-in-depth measure. - Refactored `markets`, `feed`, `feed/json`, and `feed/atom` API routes to utilize these secure utilities for consistent input validation and range clamping. - Updated integration tests to align with the more robust clamping behavior. - Unified the input validation pattern across the core API surface. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
🛡️ Sentinel: [MEDIUM] Fix inconsistent numeric DoS protections This PR implements length-based truncation for all user-provided numeric search parameters across the API to prevent Denial of Service (DoS) risks during parsing. 💡 Vulnerability: Mathematical parsing functions like `Number.parseInt` and `Number.parseFloat` can be susceptible to DoS attacks when processing excessively long string inputs (e.g., megabytes of digits), causing CPU exhaustion. 🔧 Fix: - Hardened `clampInt` and `clampFloat` utilities in `lib/platform.ts` to slice inputs to 10 characters before parsing. - Applied consistent `.slice(0, 10)` truncation to `limit`, `offset`, `min_volume`, and `hours` parameters in all relevant API routes: - `/api/feed` (RSS, Atom, JSON) - `/api/markets` and `/api/v1/markets` - `/api/analytics` - `/api/errors` - Updated `.jules/sentinel.md` with critical security learnings. ✅ Verification: - All unit and integration tests passed. - Linting is clean. - Manual inspection confirms logic integrity
Merge pull request #158 from mbarbine/copilot/merge-all-pull-requests Consolidate open PRs #147–#157 into a single merge-ready integration branch
chore: drop stray PR metadata file Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
update
🧪 Add test for fetchMarketBySlug caching behavior 🎯 What: Added a missing unit test to verify that fetchMarketBySlug correctly uses the in-memory cache and avoids calling the external Gamma API if the market is already cached. 📊 Coverage: Added coverage for the caching branch of fetchMarketBySlug, ensuring caching logic acts as expected and doesn't hit MSW handlers. ✨ Result: Improved test suite coverage and confidence in API caching functionality.
⚡ Optimize Date.now() overhead in markets route
Merge pull request #145 from mbarbine/fix-ip-spoofing-vulnerability-15947331289465584313 🔒 [security] Fix IP spoofing vulnerability in getClientIp
Merge pull request #139 from mbarbine/sentinel-dos-mcp-16352267850012769827 🛡️ Sentinel: [MEDIUM] Fix DoS risk in MCP string inputs
Merge branch 'main' into palette-recent-markets-ux-463324733562882776
Merge pull request #140 from mbarbine/bolt/optimize-emoji-lookup-11693902125624668059 ⚡ Bolt: Optimize emoji lookup with single-pass iteration
Merge pull request #135 from mbarbine/palette-error-state-ux-14992905809839380938 🎨 Palette: Improve error state UX for recent markets
Merge pull request #137 from mbarbine/bolt-optimize-markets-route-8406472046907981920 perf: filter markets before CLOB price batch fetch in `/api/markets`
Merge branch 'main' into bolt-optimize-markets-route-8406472046907981920
Merge pull request #136 from mbarbine/bolt-filter-before-clob-enrichment-12488674838004338506 ⚡ Bolt: Filter markets before fetching CLOB prices
Merge pull request #119 from mbarbine/sentinel/fix-xss-escapehtml-18426216374043960444 🛡️ Sentinel: [HIGH] Fix XSS via unescaped single quotes in RSS feeds
Merge branch 'main' into sentinel/fix-xss-escapehtml-18426216374043960444
Merge pull request #117 from mbarbine/sentinel/fix-sql-injection-interval-6161484765693062680 🛡️ Sentinel: [CRITICAL] Fix SQL injection vulnerability in INTERVAL clauses
Merge pull request #118 from mbarbine/sentinel/add-security-headers-14801645495576832921 🛡️ Sentinel: Add security headers
Merge pull request #116 from mbarbine/ux-focus-visible-styles-16503697459166524327 🎨 Palette: Add keyboard focus styles to top banner link
Merge pull request #114 from mbarbine/bolt-optimize-handle-get-related-markets-8426933036867120183 ⚡ Bolt: Optimize related markets endpoint via single-pass loop
Merge pull request #115 from mbarbine/palette-ux-enhancements-3122147101727865836 Add smooth scrolling and missing focus states
Merge pull request #113 from mbarbine/perf-optimize-top-movers-cache-6497083052491467543 ⚡ Optimize getTopPriceMovers with analytical query and caching
Merge branch 'main' into perf-optimize-top-movers-cache-6497083052491467543
Merge pull request #112 from mbarbine/fix-mcp-ip-spoofing-432165456507214120 fix: prevent IP spoofing in MCP route rate limiting
Merge pull request #111 from mbarbine/refactor-logging-structured-logger-9650706049948783396 chore: refactor logging to use structured logger across API routes an…
Merge pull request #106 from mbarbine/bolt-gettrending-sort-optimization-2661428746402949574 ⚡ Bolt: O(N) sort optimization in GetTrending API
Merge pull request #105 from mbarbine/sentinel/fix-cron-auth-bypass-398696299193142017 🛡️ Sentinel: [CRITICAL] Fix auth bypass in cron sync
Merge branch 'main' into sentinel/fix-cron-auth-bypass-398696299193142017
Merge pull request #103 from mbarbine/sentinel/fix-json-feed-xss-6283396741220953132 🛡️ Sentinel: [HIGH] Fix XSS vulnerability in JSON feed
Merge pull request #104 from mbarbine/bolt-mcp-search-optimizations-3470760371402380500 ⚡ Bolt: [performance improvement] Optimize MCP search_markets filtering
Merge branch 'main' into jules-7817610313128803506-fb4e8d79
Merge branch 'main' into jules-15429794825556002952-375c1774
Merge pull request #38 from mbarbine/jules-fix-duplicate-ratelimit-4312659532739387161 🛡️ Sentinel: [HIGH] Fix duplicate rate limit check crashing MCP endpoint
🛡️ Sentinel: [HIGH] Fix duplicate rate limit check crashing MCP endpoint Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [High] Fix potential XSS via dangerouslySetInnerHTML without HTML escaping Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Merge branch 'main' into jules-bolt-upsert-batching-13341397984068833097
⚡ Bolt: Batch Neon database inserts in upsertMarkets Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>