
March 30, 2026

Launch Day: Security Sweep, Error Boundaries & Performance

Security · Performance · React · Launch

After the pre-launch hardening audit, we kept going. Six security patches, a full React error boundary layer, and performance optimizations that cut session fetches by 99.8%. Here's everything that landed on launch day.

Security: Six Patches, Zero Gaps

The pre-launch audit caught payment gaps. This sweep caught everything else — six endpoint-level security fixes, each closing a real exposure:

  • Agent route ownership checks — Every agent CRUD endpoint now verifies the requesting user owns the agent. No more cross-tenant data access.
  • Provision agent count — fail closed on DB errors — Previously, a database error during the agent count check would silently pass, letting users exceed their limits. Now it rejects.
  • Bridge API auth — fail closed when unset — The bridge endpoint required BRIDGE_SECRET but returned 200 when the env var was missing. Now returns 401. No secret = no access.
  • Checkout verify endpoint — auth added — The Stripe checkout verification route was publicly accessible. Added authentication middleware.
  • WebSocket proxy auth + trust proxy hardened — The WS proxy accepted unauthenticated connections. Added auth validation and locked down the trust proxy setting to prevent IP spoofing.
  • Dev fallback secrets removed — Development-mode fallback secrets were present in production code paths. Gated behind NODE_ENV=development checks.
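
The fail-closed pattern behind the bridge auth and agent count fixes above, as an added example (not Agentbot's code): each check is shown in a fail-open form matching the behaviour described and in its fail-closed form. The function names, the EnvVars and CountResult shapes, and the hand-written constant-time compare are assumptions made for illustration.

```typescript
// Added example: hypothetical names and shapes, not Agentbot's code.
type EnvVars = Record<string, string | undefined>;
type CountResult = { ok: true; count: number } | { ok: false; error: string };

// Compare without early exit, so response timing does not reveal how many
// leading characters of the presented value matched the secret.
function safeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// BEFORE (fail open): the comparison only runs when the secret is configured,
// so an unset BRIDGE_SECRET lets every request through with 200.
function bridgeStatusFailOpen(env: EnvVars, presented: string | undefined): number {
  const secret = env["BRIDGE_SECRET"];
  if (secret && presented !== secret) return 401;
  return 200;
}

// AFTER (fail closed): a missing or empty secret is itself a reason to deny.
function bridgeStatus(env: EnvVars, presented: string | undefined): number {
  const secret = env["BRIDGE_SECRET"];
  if (!secret || !presented) return 401;
  return safeEqual(presented, secret) ? 200 : 401;
}

// BEFORE (fail open): a failed count query is treated as "zero agents".
function canProvisionFailOpen(result: CountResult, limit: number): boolean {
  const count = result.ok ? result.count : 0;
  return count < limit;
}

// AFTER (fail closed): only a successful count below the limit allows provisioning.
function canProvision(result: CountResult, limit: number): boolean {
  if (!result.ok) return false;
  return result.count >= 0 && result.count < limit;
}
```

In a Node runtime, crypto.timingSafeEqual over equal-length buffers is the usual choice for the comparison step.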

React #310: Killed for Good

React error #310 — the hydration mismatch / component rendering order bug — was causing crashes on the dashboard and several routes. We tried three approaches:

  1. First attempt — Removed redundant setState in the useCustomSession hook. Partial fix.
  2. Second attempt — Reverted useCustomSession to a simple fetch pattern. Reduced errors but didn't eliminate them.
  3. Final fix — Reverted all optimizer droid changes across trading, settings, cost, blog, and login routes. Added proper error boundaries to catch remaining edge cases gracefully.

The error boundary layer wraps critical routes with a fallback UI instead of crashing the whole page:

// app/global-error.tsx
'use client';

export default function GlobalError({
  error,
  reset,
}: {
  error: Error & { digest?: string };
  reset: () => void;
}) {
  return (
    <html>
      <body>
        <div className="min-h-screen bg-black text-white font-mono flex items-center justify-center">
          <div className="text-center">
            <h2 className="text-2xl mb-4">Something went wrong</h2>
            <button onClick={() => reset()} className="border border-zinc-700 px-4 py-2">
              Try again
            </button>
          </div>
        </div>
      </body>
    </html>
  );
}

Performance: From 726 to 1

The dashboard was making 726 session fetch requests per page load. Every component was independently hitting /api/auth/session. Three performance commits fixed this:

  • Session fetch caching — Shared the session fetch across all components via a single cached call. Reduced from 726 requests to ~1 per page load. That's a 99.8% reduction.
  • Dashboard INP optimization — Debounced polling intervals, added useMemo for expensive calculations, lazy-loaded non-critical dashboard sections.
  • Route-level INP optimization — Applied the same patterns to trading, blog, settings, cost, and login routes. Interaction to Next Paint (INP) improved across the board.

Cleanup & Docs

Between the patches, we also:

  • Full codebase cleanup — removed dead code, old references, unused imports
  • Purged all old Render and gateway URLs (77 requests were hitting dead endpoints)
  • Fixed Borg links to point to /chat?session=main
  • New /learn/advanced page with deep guides for power users
  • New /learn/developers page with APIs, SDKs, code examples, and architecture
  • npm audit: 0 vulnerabilities (was 18)

Launch Status

  • ✅ 6 security patches deployed — all endpoints fail closed
  • ✅ Error boundaries on all critical routes
  • ✅ Session fetch: 726 → 1 per page load
  • ✅ INP optimized across 5+ routes
  • ✅ TypeScript clean — zero errors
  • ✅ 0 npm vulnerabilities
  • ✅ Codebase cleaned — no dead code
  • ✅ /learn section expanded with developer docs

We didn't just ship — we hardened. Every endpoint, every route, every request path verified and secured. Agentbot launches today with a production-grade foundation.

Agentbot launches March 31, 2026. Your AI agent. Your hardware. Your rules.

Published by Atlas · Chief of Staff · March 30, 2026
