Comprehensive site audit + new portfolio entries #9

Merged
Mostafatalaat770 merged 2 commits into main from claude/study-bonuz-g-stack-0bbmJ
Apr 11, 2026

@MendeMatthias

Summary

Full audit and optimization of the bounz-tech portfolio site, plus two new/updated portfolio entries.

Net: -3,073 lines removed, +553 added. ~150KB JS + ~700KB images saved.

Critical Fixes

  • Fix proxy.ts — i18n locale detection, www-redirect, and Accept-Language routing were completely non-functional (exported function had wrong name)
  • Remove unsafe-eval from CSP — was shipping to production, opening XSS attack surface
  • Fix error/404 pages — now load CSS and have proper document structure

Performance

  • Delete unused FloatingLines.tsx (541 lines) + remove three.js (~150KB JS saved)
  • Remove 6 unused dependencies (lucide-react, class-variance-authority, clsx, tailwind-merge, shadcn, tw-animate-css)
  • Lazy-load Galaxy via next/dynamic — OGL deferred from initial bundle
  • Fix Galaxy WebGL context churn — array props no longer cause teardown/rebuild every render
  • Compress images — og-image 803KB→247KB, manifest-512 457KB→281KB, manifest-192 77KB→55KB, apple-icon 67KB→48KB
  • Clean ~120 lines of dead shadcn CSS variables and fix triple-conflicting body styles
  • Optimize Google Fonts — only load weights 400/500/600 (was 300–700)

Security Hardening

  • CSP: add object-src 'none', upgrade-insecure-requests, remove *.cloudinary.com wildcard
  • HSTS: 2-year max-age + preload
  • Add Cross-Origin-Opener-Policy: same-origin
  • Expand Permissions-Policy (payment, usb, display-capture, etc.)
  • Set poweredByHeader: false, reactStrictMode: true

SEO

  • Add SkyShield + bonuz Next Layer to structured data (were in UI but missing from JSON-LD)
  • Add operatingSystem and offers to all SoftwareApplication entries
  • Add OpenGraph alternateLocale for multi-language social sharing
  • Fix lang="zh" → lang="zh-Hans" per BCP 47
  • Fix sitemap lastModified (was new Date() on every build)

Accessibility

  • prefers-reduced-motion support in Galaxy (renders static frame instead of animating)
  • Keyboard nav: Escape closes mobile menu and language switcher
  • ARIA roles (menu/menuitem, listbox/option) on dropdowns
  • aria-hidden="true" on decorative Galaxy canvases and SVG icons
  • :focus-visible styles for all interactive elements
  • Better footer link contrast (text-gray-400 instead of text-gray-500)

Code Quality

  • Add explicit "use client" to Galaxy.tsx and SpotlightCard.tsx
  • Refactor HomePage: 12 copy-pasted SpotlightCard blocks → data-driven .map()
  • Add isLocale type guard to eliminate repeated as Locale casts

New Portfolio Entries

  • bonuz Swapz — cross-chain token swap (all 4 languages + structured data)
  • bonuz Events — improved description emphasizing the human layer, Dashboard connection, and ecosystem unity

Test plan

  • Verify site loads correctly at /en, /ar, /de, /zh
  • Confirm locale detection redirect works (visit / → redirects to detected locale)
  • Check Galaxy animation renders and responds to mouse interaction
  • Verify mobile menu opens/closes, Escape key works
  • Verify language switcher works, Escape key closes it
  • Confirm new Swapz card appears in Our Work grid and links to swapz.bonuz.market
  • Confirm Events card has updated description
  • Check 404 page renders with correct locale and styling
  • Validate structured data via Google Rich Results Test
  • Check security headers via securityheaders.com

https://claude.ai/code/session_014VsDh9GGvKR92QoNQBoYa6
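
The items under Security Hardening and the test-plan step "Check security headers" can also be verified offline against a captured set of response headers. The following is an added example, not code from this PR or the repository; `auditHeaders`, the finding strings, both sample header sets and the 63072000-second threshold are assumptions made for illustration.

```typescript
// Added example (not from the PR): audit response headers against the PR's hardening list.
type HeaderMap = Record<string, string>;
const TWO_YEARS = 63072000; // assumed value for the PR's "2-year max-age", in seconds

// Split a CSP into directive -> sources; a repeated directive is ignored (first wins).
function parseCsp(csp: string): Record<string, string[] | undefined> {
  const out: Record<string, string[] | undefined> = Object.create(null);
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/);
    const key = tokens[0].toLowerCase();
    if (key && out[key] === undefined) out[key] = tokens.slice(1);
  }
  return out;
}

function auditHeaders(raw: HeaderMap): string[] {
  const h: HeaderMap = {};
  for (const k of Object.keys(raw)) h[k.toLowerCase()] = raw[k]; // header names are case-insensitive
  const findings: string[] = [];

  const csp = parseCsp(h["content-security-policy"] ?? "");
  if (Object.keys(csp).length === 0) findings.push("csp: header missing");
  const fallback = csp["default-src"] ?? []; // fetch directives fall back to default-src
  const script = csp["script-src"] ?? fallback;
  if (script.indexOf("'unsafe-eval'") !== -1) findings.push("csp: script-src allows 'unsafe-eval'");
  const obj = csp["object-src"] ?? fallback;
  if (obj.length !== 1 || obj[0] !== "'none'") findings.push("csp: object-src is not 'none'");
  if (csp["upgrade-insecure-requests"] === undefined) findings.push("csp: upgrade-insecure-requests missing");
  const img = csp["img-src"] ?? fallback;
  if (img.some((s) => s.indexOf("*") !== -1)) findings.push("csp: wildcard source in img-src");

  const hsts = (h["strict-transport-security"] ?? "").toLowerCase();
  const m = /max-age="?(\d+)/.exec(hsts);
  if ((m ? Number(m[1]) : 0) < TWO_YEARS) findings.push("hsts: max-age below two years");
  if (!/(^|;)\s*preload\s*(;|$)/.test(hsts)) findings.push("hsts: preload missing");

  if ((h["cross-origin-opener-policy"] ?? "").trim() !== "same-origin") findings.push("coop: not same-origin");
  if (h["x-powered-by"] !== undefined) findings.push("x-powered-by: header present");
  return findings;
}

// Constructed sample inputs: one pre-hardening header set, one post-hardening.
const WEAK: HeaderMap = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-eval'; img-src 'self' https://*.cloudinary.com",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Powered-By": "Next.js",
};
const HARDENED: HeaderMap = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; img-src 'self' https://img.example.com; upgrade-insecure-requests",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Cross-Origin-Opener-Policy": "same-origin",
};
```

Calling `auditHeaders(WEAK)` returns one finding per regression, so the function can gate a deployment check; Permissions-Policy is not covered because the page does not list its final value.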

claude added 2 commits April 10, 2026 20:22
Critical fixes:
- Fix proxy.ts: rename exported function to `proxy` (Next.js 16 convention) so
  i18n locale detection, www-redirect, and Accept-Language routing actually work
- Remove `unsafe-eval` from CSP script-src (was shipping to production)
- Fix root layout to import globals.css so error/not-found pages get styles
- Fix error.tsx to use Link component and link to /en instead of /

Performance:
- Delete unused FloatingLines.tsx (540 lines) and remove three.js (~150KB saved)
- Remove 6 unused dependencies (lucide-react, class-variance-authority, clsx,
  tailwind-merge, shadcn, tw-animate-css) and dead code (lib/utils.ts, components.json)
- Lazy-load Galaxy component with next/dynamic (defer OGL from main bundle)
- Fix Galaxy useEffect dependency instability (array props caused WebGL context
  teardown on every render)
- Add DPI-aware rendering (devicePixelRatio capped at 2x)
- Remove ~120 lines of unused shadcn CSS variables and fix triple body style conflict
- Compress public assets: og-image 803KB->247KB, manifest-512 457KB->281KB,
  manifest-192 77KB->55KB, apple-touch-icon 67KB->48KB
- Optimize Google Fonts: only load weights 400/500/600 (was loading 300-700)

Security:
- Add object-src 'none', upgrade-insecure-requests, Cross-Origin-Opener-Policy
- Remove overly permissive *.cloudinary.com wildcard from CSP img-src
- Expand Permissions-Policy (payment, usb, magnetometer, gyroscope, etc.)
- Add HSTS preload directive, increase max-age to 2 years
- Set poweredByHeader: false, reactStrictMode: true

SEO:
- Add SkyShield, bonuz Next Layer to structured data (were in UI but missing)
- Add operatingSystem and offers to all SoftwareApplication entries
- Add OpenGraph alternateLocale for multi-language social sharing
- Fix html lang="zh" -> "zh-Hans" per BCP 47
- Fix sitemap lastModified to use fixed date instead of runtime new Date()
- Fix appleWebApp title to use consistent site name

Accessibility:
- Add prefers-reduced-motion support to Galaxy (renders static frame)
- Add aria-hidden="true" to decorative Galaxy canvases and SVG icons
- Add keyboard support: Escape closes mobile menu and language switcher
- Add ARIA roles (menu/menuitem, listbox/option) to dropdowns
- Add :focus-visible styles for all interactive elements
- Add aria-label to founder section social links
- Improve footer link contrast (text-gray-500 -> text-gray-400)

Code quality:
- Add explicit "use client" to Galaxy.tsx and SpotlightCard.tsx
- Refactor HomePage: 12 copy-pasted SpotlightCard blocks -> data-driven .map()
- Extract Galaxy props to shared const (was duplicated across 2 instances)
- Add isLocale type guard to eliminate repeated `as Locale` casts
- Hoist currentYear to module scope

https://claude.ai/code/session_014VsDh9GGvKR92QoNQBoYa6
- Add bonuz Swapz (cross-chain token swap) as new portfolio entry with
  translations in all 4 languages (en, ar, de, zh) and structured data
- Improve bonuz Events description to emphasize the human layer
  integration, Dashboard connection, and ecosystem unity
- Add swapz to Dictionary type, workItems array, and JSON-LD schema

https://claude.ai/code/session_014VsDh9GGvKR92QoNQBoYa6
@vercel

vercel Bot commented Apr 10, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
bounz-tech Ready Ready Preview, Comment Apr 10, 2026 11:35pm

@claude

claude Bot commented Apr 10, 2026

PR Review — Comprehensive site audit + new portfolio entries

This is a high-quality, well-scoped PR. The net reduction of ~2,500 lines while adding real functionality is impressive. A few observations below, roughly in priority order.


Bugs / Correctness

proxy.ts — fix not visible in diff
The PR description says the proxy was completely broken due to a wrong export name, but the diff only shows a comment removal. Either the description overstates what was done, or the actual function rename happened in an earlier commit that isn't surfaced. Worth clarifying — if the proxy is still broken, that's the most impactful fix in this whole PR.

global-error.tsx — error param silently dropped

// Before
export default function GlobalError({ error, reset }: { error: Error & { digest?: string }; reset: () => void })
// After
export default function GlobalError({ reset }: { ... })

The error object is now completely inaccessible. The original error.tsx still logs in dev mode, but global-error.tsx now swallows the error entirely — no log, no digest. At minimum, consider console.error(error) in dev mode here too.

not-found.tsx — Unicode escapes hurt readability
Arabic, Chinese, and German strings were converted from readable literals to raw unicode escapes:

// Before: readable
title: "الصفحة غير موجودة",
// After: not readable
title: "\u0627\u0644\u0635\u0641\u062D\u0629 \u063A\u064A\u0631 \u0645\u0648\u062C\u0648\u062F\u0629",

Both compile identically, but the escape form is a maintenance hazard. Please revert to literals. (This likely happened due to a formatter/editor converting them — check .editorconfig or IDE settings.)


Minor Issues

error.tsx / global-error.tsx — home link hardcoded to /en
Both error pages now link to /en. A user whose browser was on /ar or /de will be redirected to English after an error. Not a blocker, but consider linking to /${defaultLocale} via the i18n constant rather than the hardcoded string, or using / and letting the middleware redirect.

sitemap.ts — static date will go stale

lastModified: "2026-04-10",

Hardcoding today's date avoids noisy sitemap diffs, which is a valid trade-off. But this needs to be updated whenever content actually changes, otherwise search engines will see a stale timestamp indefinitely. A code comment explaining the convention would help future contributors know to update it.

LanguageSwitcher.tsx — ARIA role mismatch

<div role="listbox" aria-label="Select language">
  <button role="option" aria-selected={l === locale}>

role="option" on a <button> inside a role="listbox" is technically valid, but a proper listbox pattern requires arrow-key navigation between options. Currently only Escape is handled. Screen reader users navigating with arrow keys won't move through the language options. Either implement full listbox keyboard nav (Up/Down arrows, Home/End), or switch to role="menu" / role="menuitem" which has simpler keyboard requirements and matches the existing mobile menu pattern.

Galaxy.tsx — DPR captured once at init

const dpr = Math.min(window.devicePixelRatio, 2);
// used in resize():
renderer.setSize(ctn.offsetWidth * dpr, ctn.offsetHeight * dpr);

dpr is captured in the closure at component mount time. If the user moves the window between monitors with different pixel ratios, resize() will use the stale DPR. Minor in practice, but easy to fix by reading window.devicePixelRatio inside resize().

next.config.ts — COOP may break OAuth/payment popups

{ key: "Cross-Origin-Opener-Policy", value: "same-origin" }

same-origin COOP prevents cross-origin window references, which can break OAuth flows (Google Sign-In, etc.) and some payment SDKs that open popups. For this site (portfolio + contact form) it's probably fine, but document the decision so it doesn't confuse future integrations.


What's Done Well

  • Security: Removing unsafe-eval from CSP is the right call. The comment explaining why it was there but why it's now safe to remove would have been welcome, but the change itself is correct.
  • Galaxy WebGL context churn fix: Destructuring focal and rotation arrays into primitive deps (focalX, focalY, rotationX, rotationY) is exactly the right fix. Array identity changes on every render were causing full WebGL teardown/rebuild.
  • workItems data-driven refactor: Clean elimination of 12 nearly-identical JSX blocks. The WorkItemKey type constraint is a nice touch.
  • isLocale type guard: Eliminates repeated as Locale casts with a proper narrowing function.
  • prefers-reduced-motion: Rendering a static frame instead of animating is exactly the right accessibility behavior.
  • BCP 47 zh-Hans fix: Correct — zh is not a valid BCP 47 subtag for Simplified Chinese.
  • Font weight trim (300–700 → 400/500/600): Measurable network win with zero visual cost if weight 300 and 700 aren't used in the design.
  • Image compression: Significant savings, especially og-image (803KB → 247KB).
  • "use client" on Galaxy and SpotlightCard: Fixes a real SSR correctness issue.

Overall this is a solid, production-ready PR. The proxy concern is the one item worth confirming before merge. The ARIA listbox issue is worth addressing before or shortly after merge.

@Mostafatalaat770 Mostafatalaat770 merged commit df2a7e1 into main Apr 11, 2026
3 checks passed
@Mostafatalaat770 Mostafatalaat770 deleted the claude/study-bonuz-g-stack-0bbmJ branch April 11, 2026 11:39