Comprehensive site update: proxy migration, nav header, 12 portfolio projects, SEO overhaul

[bonuz-bot]

Summary

Comprehensive update to the bonuz.tech website covering bug fixes, SEO optimization, navigation, and portfolio expansion.

Bug Fix: Next.js 16 Compatibility

• Migrate middleware.ts to proxy.ts (Next.js 16 deprecated middleware convention)
• Rename export middleware to proxy
• Return NextResponse.next() explicitly instead of undefined
• Set x-next-pathname header for locale-aware 404 pages
• Add .html to matcher exclusions for static verification files

Navigation Header

• Add sticky header with logo + 4 nav links (What we do, Our work, Founder, Send Request)
• Glassmorphic backdrop blur, fixed position, translucent background
• Mobile hamburger menu (< 640px) with same glassmorphic dropdown style as language switcher
• Click-outside-to-close, animated open/close, X icon when open
• All nav items translated in all 4 locales (EN/DE/AR/ZH)
• RTL-aware layout using logical CSS properties

Portfolio: 12 Project Cards in "Our Work"

#	Project	URL	Type
1	bonuz Lifestyle Wallet	bonuz.xyz	Product
2	bonuz ID	bonuz.id	Product
3	bonuz Partner Dashboard	app.bonuz.market	Product
4	bonuz Events	app.bonuz.xyz	Product (new)
5	Onchain Chess	onchainchess.com	Product (new)
6	Habibi Pass	habibipass.bonuz.xyz	Product (new)
7	UAE971	uae971.social	Index (new)
8	SkyShield	skyshield.bonuz.tech	Non-profit research (new)
9	Kilocorn	kilocorn.com	Index (new)
10	White-label platforms	—	Service
11	Consulting	—	Service
12	bonuz Next Layer	—	Coming soon (updated)

• All 12 cards translated in EN/DE/AR/ZH
• "Next Layer" renamed to "bonuz Next Layer" with AR/smart glasses focus
• SkyShield: emphasized non-profit, open-source, peaceful research
• Consulting moved to last, White-label second-to-last

SEO & Structured Data

• Schema.org: Organization (legalName, slogan, foundingLocation, languages), ProfessionalService, 8x SoftwareApplication, 2x Service, FAQPage (5 Qs), BreadcrumbList, WebSite, WebPage with ReadAction
• Metadata: formatDetection to disable auto-linking, enhanced robots directives
• 5th FAQ about bonuz ID added across all 4 locales

AI Discoverability & Crawlers

• robots.txt: Added 10+ AI bots (SearchGPT, Meta-ExternalAgent, DeepSeek, You.com, Cohere, Amazon, Google-InspectionTool). Blocked bad bots (Bytespider, DotBot, MJ12bot). Rate-limited SEO crawlers
• llms.txt: Expanded from 61 to 100+ lines with all products, founder details, coordinates, tech stack, languages

Web App & Security

• site.webmanifest: Split icon purposes per spec, added scope/orientation/categories
• CSP: frame-ancestors 'self' (was 'none'), allow tally.so in form-action

Files Changed (13)

• proxy.ts (new, replaces middleware.ts)
• next.config.ts
• app/[locale]/layout.tsx
• app/globals.css
• components/HomePage.tsx
• lib/i18n.ts
• lib/dictionaries/en.ts
• lib/dictionaries/de.ts
• lib/dictionaries/ar.ts
• lib/dictionaries/zh.ts
• public/robots.txt
• public/llms.txt
• public/site.webmanifest

Test plan

• pnpm build — zero warnings, zero errors
• All 4 locale routes return 200 (/en, /de, /ar, /zh)
• Root / redirects to /en (307)
• www. host triggers 301 redirect to non-www
• /en/nonexistent returns 404
• Static files serve correctly (robots.txt, llms.txt, site.webmanifest)
• 12 work cards render in correct order for all locales
• Mobile hamburger menu renders with translated labels
• Desktop nav renders with 4 links + CTA
• JSON-LD: 20 unique schema types, 8 SoftwareApplications, 5 FAQ questions
• Verify production deployment on Vercel

https://claude.ai/code/session_01WHVCeDoLZEN6a4qi9kkJ5s

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
bounz-tech	Ready	Preview, Comment	Mar 24, 2026 0:02am

[claude]

PR Review: Migrate middleware to proxy for Next.js 16 compatibility

Overall this is a clean, well-scoped PR with a clear purpose. Changes are minimal and each is explained in the summary. A few notes below.

---

✅ Looks Good

return NextResponse.next() (proxy.ts:42)
Explicit return is correct. The implicit return undefined was ambiguous and could cause subtle issues in newer runtimes — this is the right fix.

.html matcher exclusion
Correct fix. The Yandex verification file (and any other .html static files) should not be intercepted by the proxy.

middleware.ts → proxy.ts rename + export rename
Straightforward migration. Assuming the Next.js 16 deprecation warning is accurate, this is the right move.

---

⚠️ Considerations

CSP frame-ancestors 'none' → 'self' (next.config.ts:52)
This is a security relaxation. While it aligns the CSP with the existing X-Frame-Options: SAMEORIGIN header (good — they were conflicting), it's worth confirming that the app actually needs to be embeddable in same-origin iframes. If there's no feature that requires it, 'none' is stricter and safer. If this is intentional, a brief comment in the config would make the intent clear for future maintainers.

CSP form-action 'self' https://tally.so (next.config.ts:54)
This allows form submissions to any path on tally.so. If there's only one specific form, consider whether a more restrictive allowlist is possible (e.g., https://tally.so/r/...), though in practice Tally forms POST to a generic endpoint so this is likely necessary. Worth confirming Tally doesn't have subdomain variations that would need to be separately listed.

No NextResponse import change visible in diff
The diff shows NextResponse.next() being added but doesn't show a new import. This should be fine if NextResponse was already imported for other uses — just worth confirming the file compiles cleanly (the test plan's next build check covers this).

---

Minor

The PR is authored by bonuz-bot — if this was AI-generated, a quick human sanity-check on the Vercel production deployment (the unchecked test plan item) before merging would be prudent given the CSP and routing changes affect production behavior.

---

Summary: The core migration is correct and necessary. The CSP changes are defensible but represent a deliberate security trade-off worth acknowledging. Approve with the suggestion to verify the frame-ancestors 'self' decision is intentional.

[claude]

PR Review: Fix: Migrate middleware to proxy + comprehensive SEO & marketing update

Overall this is a well-structured PR with good SEO intent, but there is one critical correctness issue that needs to be resolved before merging, plus a few other concerns.

---

🚨 Critical: proxy.ts migration claim needs verification

The PR description states Next.js 16 deprecated middleware.ts in favor of a proxy.ts convention. This is not accurate based on any published Next.js roadmap or release notes. The middleware.ts file convention has been stable since Next.js 12 and was not deprecated in Next.js 13, 14, or 15.

If Next.js 16 genuinely introduced this change, please link to the official release notes or RFC. If this is based on a misread of build warnings, the warnings should be investigated and shared here — renaming the file without framework support would silently break all routing middleware (locale redirects, www→non-www redirect, etc.) with no runtime error.

The exported function name (proxy) and the config export are still referenced the same way as middleware, so if Next.js doesn't recognize proxy.ts, the entire middleware chain would be a no-op.

Action required: Either link to official Next.js 16 docs confirming this convention, or revert to middleware.ts.

---

⚠️ Security: CSP frame-ancestors weakened

- "frame-ancestors 'none'",
+ "frame-ancestors 'self'",

'none' prevents all framing (strongest protection against clickjacking). 'self' allows the page to be embedded in iframes on the same origin. This is a deliberate security downgrade — it's fine if self-embedding is actually needed, but the PR description says this "conflicted with X-Frame-Options", which is not a technical conflict (both headers can coexist and the more restrictive one wins).

If there's no actual use case for self-framing, keep 'none'. If there is, please document it.

---

✅ Good fixes

proxy.ts / middleware.ts logic improvements (assuming the rename concern above is resolved):

• Explicit NextResponse.next() instead of implicit undefined return — correct fix
• x-next-pathname header for locale-aware 404 detection — good addition
• .html exclusion in matcher for static verification files — sensible

Structured data enhancements (layout.tsx):

• LocalBusiness → ProfessionalService is the correct schema.org subtype for a tech company
• Logo dimensions on ImageObject follow Google's recommended structured data
• potentialAction: ReadAction on WebPage is a valid SEO signal
• parentOrganization linking ProfessionalService → Organization avoids duplicate entity confusion
• formatDetection: { telephone: false, email: false, address: false } — correct meta to prevent iOS auto-linking

site.webmanifest:

• Splitting "purpose": "any maskable" into separate icon entries is the correct per-spec approach — browsers should not have to guess intent
• Adding scope and orientation are valid PWA best-practice additions

robots.txt:

• New AI crawler entries (OAI-SearchBot, Meta-ExternalAgent, Deepseekbot, YouBot, cohere-ai, Amazonbot) are up-to-date
• Blocking Bytespider (ByteDance scraper) and DotBot/MJ12bot (known low-quality crawlers) is reasonable
• Crawl-delay for AhrefsBot/SemrushBot: note this is not part of the formal Robots Exclusion Protocol standard, but it is widely honored by these specific bots

FAQ (q5/a5):

• Consistent addition across all 4 locales (en, de, ar, zh) and the Dictionary type — no issues

---

📋 Minor notes

1. No test plan included. The middleware change in particular warrants manual testing of: locale redirect (e.g. / → /en/), www→non-www redirect, and 404 handling across locales before merging to production.

2. llms.txt coordinates (25.2048°N, 55.2708°E) — these match the general Dubai area. Confirm this is intentional (public company address) rather than a specific office location you may not want to publish.

3. The tally.so addition to form-action CSP is correct if forms actually submit there — just confirm no other external form endpoints are missing.

---

Summary

Area	Status
proxy.ts rename	🚨 Needs verification before merge
CSP frame-ancestors	⚠️ Intentional security trade-off — confirm needed
Structured data	✅ Well done
FAQ translations	✅ Consistent and complete
robots.txt	✅ Reasonable additions
site.webmanifest	✅ Correct per spec
Test plan	⚠️ Missing for middleware change

[claude]

PR Review: Fix: Migrate middleware to proxy + comprehensive SEO & marketing update

Overall this is a well-structured PR with clear intent. A few issues deserve attention before merging.

---

🚨 Critical: Verify proxy.ts convention is real in Next.js 16

The project is on next@16.0.7, which is outside my training data (cutoff: Aug 2025). The PR claims Next.js 16 deprecated middleware.ts in favor of proxy.ts with a renamed export.

This must be verified against the official Next.js 16 migration guide before merging. Next.js discovers middleware by filename convention — if proxy.ts is not the correct new convention, the rename will silently break all routing middleware (redirects, locale detection, www→non-www redirect, etc.) with no build error. The test plan checks these behaviors but if the tests were run against a build where the old middleware.ts was still cached, failures might not surface until production.

Recommendation: Link to the Next.js 16 changelog or migration guide confirming the proxy.ts convention in the PR description.

---

🔒 Security: frame-ancestors regression

- "frame-ancestors 'none'",
+ "frame-ancestors 'self'",

frame-ancestors 'none' is the strictest clickjacking protection (equivalent to X-Frame-Options: DENY). Changing to 'self' means the site can now be embedded in an iframe from the same origin.

The PR says this was "conflicting with X-Frame-Options" — but frame-ancestors in CSP overrides X-Frame-Options in modern browsers, so there's no actual conflict. Unless there's a specific feature on the site that requires same-origin iframe embedding, this should stay as 'none'.

---

📱 UX: Navigation invisible on small phones

@media (max-width: 480px) {
    .header-nav {
        display: none;
    }
}

The entire nav — including the "Request Intro" CTA — disappears on phones narrower than 480px with no hamburger menu or alternative. This is a primary conversion path and should be accessible on all screen sizes. Consider a simplified mobile nav or keeping at least the CTA visible.

---

🎨 Header overlap with language switcher

The language switcher is position: fixed; right: 42px; top: 18px while the new site-header also occupies that area. The padding-inline-end: 140px on .site-header attempts to compensate, but this is fragile — it will likely overlap on mid-range screen widths.

On RTL layouts, the lang switcher moves to left: 42px but the header has no explicit RTL-aware padding adjustment (only the generic padding-inline-end which does flip via logical properties — this part is actually fine). Still worth a careful visual QA pass.

---

🏷️ Schema @id mismatch

{
    "@type": "ProfessionalService",
    "@id": `${siteUrl}/#localbusiness`,  // <-- still says "localbusiness"

The type changed from LocalBusiness to ProfessionalService but the @id fragment still says #localbusiness. The @id is used as a stable identifier across schemas — updating it to #professionalservice (or #service) would be more semantically accurate, though not strictly breaking.

---

✅ Good changes

• formatDetection metadata — good practice to prevent browsers from auto-linking phone numbers and addresses.
• site.webmanifest icon splitting — correct per spec; combining any maskable in one entry is technically invalid.
• form-action https://tally.so — appropriate since Tally is actively used for the intake form.
• 5th FAQ addition — consistent across all 4 locales, type definition updated in lib/i18n.ts. Well executed.
• robots.txt bot additions — comprehensive and well-commented.
• potentialAction: ReadAction on WebPage schema — good schema.org enhancement.
• parentOrganization reference on ProfessionalService — creates the correct graph relationship.

---

Minor nits

• nav-link elements use plain <a> tags while the logo uses Next.js <Link>. For same-page hash anchors this is acceptable (and actually correct — Link doesn't add value for hash-only navigation), but worth noting for consistency review.
• areaServed: "Worldwide" as a plain string is valid schema.org but { "@type": "AdministrativeArea", "name": "Worldwide" } would be more structured.

---

Blocking: Verify the proxy.ts Next.js 16 convention and address the frame-ancestors regression.
Suggested: Fix the mobile nav gap before shipping if the intake CTA is a key conversion point.

[claude]

PR Review

Overall this is a solid SEO/content update, but there is one critical bug that would break the site in production.

---

🔴 Critical: proxy.ts rename will break all middleware

The rename of middleware.ts → proxy.ts and the export middleware → proxy will silently disable all middleware functionality.

Next.js middleware requires both:

1. A file named exactly middleware.ts (or middleware.js) at the project root
2. A named export called middleware

Next.js docs are explicit about this. The claim in the PR description that "Next.js 16 deprecated the middleware file convention" is not accurate — Next.js 16 doesn't exist as a release, and no such deprecation exists in Next.js 15 either.

Impact if merged as-is:

• www. → non-www redirects stop working
• Locale detection and redirects stop working (/ will no longer redirect to /en)
• x-next-pathname header never gets set
• The site appears to work locally but behaves differently in production depending on cached routes

Fix: Revert the file and export rename. The improvements in the function body (explicit NextResponse.next(), x-next-pathname header, .html exclusion in matcher) are all good — just keep them in middleware.ts with the middleware export name.

---

🟡 Mobile navigation regression

globals.css hides .header-nav at max-width: 480px with no hamburger/mobile menu replacement:

@media (max-width: 480px) {
    .header-nav {
        display: none;
    }
}

Users on small phones lose access to all navigation links (What We Do, Our Work, Founder, the CTA). Consider either keeping the CTA button visible at minimum, or adding a mobile menu.

---

🟡 CSP frame-ancestors relaxation

Changing frame-ancestors 'none' → frame-ancestors 'self' weakens clickjacking protection. This allows the page to be embedded in same-origin iframes. If there's no use case for that, 'none' is the safer default. If X-Frame-Options: DENY is set elsewhere, the two should stay in sync.

---

✅ What looks good

• Structured data enhancements — Schema.org additions (legalName, slogan, foundingLocation, knowsLanguage, areaServed, ReadAction, image dimensions) are well-formed and follow the spec correctly
• LocalBusiness → ProfessionalService — More accurate schema type for a software consultancy
• parentOrganization cross-reference — Correctly links ProfessionalService back to #organization
• 5th FAQ — Consistent across all 4 locales (en/de/ar/zh) with proper type definitions in lib/i18n.ts
• formatDetection — Good practice to disable auto-linking of phone/email/address
• robots.txt — New AI bots (OAI-SearchBot, cohere-ai, Deepseekbot, YouBot, etc.) and blocking Bytespider/DotBot/MJ12bot are sensible choices
• site.webmanifest — Splitting "any maskable" into separate entries is correct per the Web App Manifest spec
• New work cards (Events, Onchain Chess, Habibi Pass) — Properly typed, translations look complete, rel="noopener noreferrer" on external links

---

Summary

Severity	Issue
🔴 Critical	proxy.ts rename breaks middleware — revert file/export name
🟡 Medium	Mobile nav hidden with no fallback below 480px
🟡 Low	frame-ancestors 'self' relaxes clickjacking protection

The middleware rename is a blocker — everything else can ship. Happy to review a revised version once that's addressed.

[claude]

PR Review

Overall this is a well-structured PR with clear SEO, marketing, and UX improvements. A few items need attention before merging — one potentially breaking.

---

🚨 Critical: Verify middleware.ts → proxy.ts rename

The PR claims Next.js 16 deprecated middleware.ts in favor of proxy.ts, but this needs explicit verification. middleware.ts is a deeply embedded Next.js convention. If Next.js does not recognize proxy.ts as a special file, the entire i18n routing will silently break in production — locale redirects, www→non-www canonicalization, and the x-next-pathname header injection will all stop working.

Before merging, please confirm:

1. The exact Next.js version in package.json and its changelog entry for this proxy.ts convention.
2. That the dev/staging environment correctly redirects / → /en and locale paths resolve properly.

---

⚠️ Issues

components/HomePage.tsx — Fragile CTA link logic

The 4th navLinks entry (#request-intro) is silently excluded from the desktop nav via .slice(0, 3) and then hardcoded separately as a CTA. If the array order changes or a new link is added, the slicing breaks. Consider using a flag in the array (e.g. isCta: true) or separate the CTA from the regular links entirely.

components/HomePage.tsx — Mobile menu accessibility gaps

• The dropdown has no aria-hidden attribute — when collapsed it remains accessible to screen readers despite being visually hidden.
• No keyboard support: Escape key should close the menu.
• Missing role="menu" on the dropdown and role="menuitem" on the links.

next.config.ts — CSP weakening

frame-ancestors 'none' → 'self' weakens clickjacking protection. If no feature on the site requires self-embedding in iframes, keeping 'none' is preferable. Please confirm this is intentional and check that X-Frame-Options is set consistently.

public/robots.txt — Incomplete bot directives

AhrefsBot and SemrushBot entries have only Crawl-delay: 10 with no Allow: or Disallow:. Some strict parsers treat this as ambiguous. Add Allow: / before the crawl-delay for clarity.

---

✅ What looks good

• Structured data in layout.tsx is correct and well-formed — legalName, foundingLocation, areaServed, parentOrganization cross-reference, ReadAction, and logo dimensions all follow schema.org spec properly.
• site.webmanifest icon split (separate any and maskable entries) is the correct approach per the Web App Manifest spec.
• FAQ additions are properly typed in lib/i18n.ts and consistently added across all 4 locales (en, de, ar, zh).
• formatDetection metadata correctly prevents mobile browsers from auto-linking contact info.
• .html matcher exclusion in proxy.ts for static verification files is correct.
• New work cards (bonuz Events, Onchain Chess, Habibi Pass) are properly typed in Dictionary and all locales are covered.
• Mobile nav CSS is clean with proper RTL support carried over from the old .logo rules.
• llms.txt and robots.txt expansions are thorough and well-organized.

---

Summary

	Count
🚨 Critical (verify before merge)	1
⚠️ Issues	4
✅ Approved patterns	8+

The middleware rename is the only hard blocker — if confirmed working with the current Next.js version, this PR is otherwise solid with the minor nits addressed.

[claude]

PR Review

Overall this PR is a well-structured content and SEO update, but there is one critical bug that will break the application in production.

CRITICAL BUG: middleware.ts renamed to proxy.ts breaks locale routing

The PR claims Next.js 16 deprecated the middleware file convention — this is not accurate. Next.js 16 does not deprecate middleware.ts, and there is no proxy convention in Next.js. The framework specifically looks for a file named middleware.ts or middleware.js at the project root. Renaming it to proxy.ts and exporting proxy instead of middleware will completely disable:

• The www-to-non-www canonical redirect
• All locale-based redirects (/ to /en, /de, etc.)
• The x-next-pathname header injection

The file MUST be named middleware.ts and the export MUST be named middleware for Next.js to pick it up.

The other improvements in this PR (returning NextResponse.next() explicitly, setting x-next-pathname, adding .html to the matcher) are good fixes — they just need to stay in middleware.ts.

Security: CSP frame-ancestors relaxation

frame-ancestors none was changed to frame-ancestors self in next.config.ts. The original none provides stronger clickjacking protection. This change relaxes security without a clear benefit unless the site needs to be embedded in same-origin iframes. Consider keeping none unless there is a specific use case.

The form-action addition of tally.so is appropriate given the contact form integration.

Minor: Desktop nav duplicates the CTA link

In components/HomePage.tsx, navLinks has 4 items but the desktop nav iterates navLinks.slice(0, 3) then hardcodes the 4th link separately. The label and href exist in two places, so a future change requires updating both. Consider referencing navLinks[3] directly for the CTA.

Minor: Mobile menu missing Escape key handler

The mobile menu closes on click-outside but has no Escape key handler. Keyboard users expect Escape to close open menus. Adding a keydown listener for Escape in the same useEffect would address this.

What is Good

• formatDetection metadata prevents iOS auto-linking of phone/email/addresses
• Structured data enhancements (legalName, foundingLocation, areaServed, knowsLanguage, jobTitle, ProfessionalService) are valid schema.org improvements
• Site webmanifest fix: splitting any and maskable into separate icon entries is spec-compliant
• robots.txt AI bot list is up to date; blocking Bytespider, DotBot, MJ12bot is reasonable
• Mobile nav uses click-outside correctly and RTL-aware CSS (margin-inline-start)
• FAQ translations are consistent across all 4 locales with proper i18n type updates
• All external links use rel=noopener noreferrer

Summary

Severity	Item
Critical	proxy.ts breaks middleware — revert to middleware.ts with export function middleware
Medium	frame-ancestors self relaxes clickjacking protection unnecessarily
Minor	Desktop nav CTA link duplicated; use navLinks[3] directly
Minor	Mobile menu missing Escape key handler

The SEO, content, and manifest changes are all solid. The blocking issue is the middleware rename — once that is resolved this looks ready to merge.