@brainfish-ai/devdoc 0.1.48 → 0.1.50

package/renderer/app/api/domains/add/route.js

@@ -1,12 +1,18 @@
 import { NextResponse } from 'next/server';
-import { validateApiKey, addCustomDomain, isCustomDomainRegistered } from '@/lib/storage/blob';
-import { isValidDomain, normalizeDomain, getDnsInstructions } from '@/lib/docs/config';
+import { validateApiKey, addCustomDomain, isCustomDomainRegistered, updateCustomDomainStatus } from '@/lib/storage/blob';
+import { isValidDomain, normalizeDomain } from '@/lib/docs/config';
+import { addDomainToProject, isVercelIntegrationEnabled, formatVerificationInstructions, getDomainType } from '@/lib/vercel/domains';
 /**
  * POST /api/domains/add
  * 
  * Add a custom domain to a project.
  * Each project can have ONE custom domain (free).
  * 
+ * When Vercel integration is enabled (VERCEL_API_TOKEN + VERCEL_PROJECT_ID):
+ * - Domain is added to Vercel project
+ * - Real DNS verification instructions from Vercel are returned
+ * - SSL is provisioned automatically by Vercel after verification
+ * 
  * Headers:
  *   Authorization: Bearer <api_key>
  * 
@@ -18,10 +24,9 @@ import { isValidDomain, normalizeDomain, getDnsInstructions } from '@/lib/docs/c
  *     success: true,
  *     domain: "docs.example.com",
  *     status: "pending",
- *     verification: {
- *       cname: { name: "docs", value: "cname.devdoc-dns.com" },
- *       txt: { name: "_devdoc-verify.docs.example.com", value: "devdoc-verify=xxx" }
- *     }
+ *     verification: [
+ *       { type: "TXT", domain: "_vercel.docs.example.com", value: "vc-domain-verify=..." }
+ *     ]
  *   }
  */ export async function POST(request) {
     try {
@@ -63,7 +68,7 @@ import { isValidDomain, normalizeDomain, getDnsInstructions } from '@/lib/docs/c
                 status: 400
             });
         }
-        // Check if domain is already registered
+        // Check if domain is already registered in our registry
         const isRegistered = await isCustomDomainRegistered(customDomain);
         if (isRegistered) {
             return NextResponse.json({
@@ -72,42 +77,115 @@ import { isValidDomain, normalizeDomain, getDnsInstructions } from '@/lib/docs/c
                 status: 409
             });
         }
-        // Add the custom domain
-        const result = await addCustomDomain(projectSlug, customDomain);
-        if (!result.success) {
+        // Check if Vercel integration is enabled
+        if (isVercelIntegrationEnabled()) {
+            // Add domain to Vercel project
+            const vercelResult = await addDomainToProject(customDomain);
+            if (!vercelResult.success) {
+                return NextResponse.json({
+                    error: vercelResult.error,
+                    vercelError: vercelResult.vercelError
+                }, {
+                    status: 400
+                });
+            }
+            const vercelDomain = vercelResult.domain;
+            // Add to our internal registry with Vercel data
+            const result = await addCustomDomain(projectSlug, customDomain);
+            if (!result.success) {
+                // Rollback: Try to remove from Vercel if we couldn't add to registry
+                console.error('[Domains API] Failed to add to registry, domain added to Vercel:', customDomain);
+                return NextResponse.json({
+                    error: result.error
+                }, {
+                    status: 400
+                });
+            }
+            // Update with Vercel domain ID
+            await updateCustomDomainStatus(customDomain, vercelDomain.verified ? 'active' : 'pending', {
+                vercelDomainId: vercelDomain.projectId
+            });
+            // If Vercel already verified the domain (e.g., previously configured DNS)
+            if (vercelDomain.verified) {
+                return NextResponse.json({
+                    success: true,
+                    domain: customDomain,
+                    projectSlug,
+                    status: 'active',
+                    verified: true,
+                    message: 'Domain is already verified and active!'
+                });
+            }
+            // Format Vercel's verification instructions
+            const verification = vercelDomain.verification || [];
+            const { records, instructions } = formatVerificationInstructions(verification);
+            // Add CNAME instruction for subdomains (Vercel may not always include it)
+            const domainType = getDomainType(customDomain);
+            const parts = customDomain.split('.');
+            const subdomain = parts.length > 2 ? parts[0] : '@';
+            const cnameInstruction = domainType === 'subdomain' ? `\nAlso add a CNAME record:\n   Name: ${subdomain}\n   Value: cname.vercel-dns.com` : `\nFor apex domains, add an A record:\n   Name: @\n   Value: 76.76.21.21`;
             return NextResponse.json({
-                error: result.error
-            }, {
-                status: 400
+                success: true,
+                domain: customDomain,
+                projectSlug,
+                status: 'pending',
+                verified: false,
+                verification: records,
+                instructions: [
+                    ...instructions,
+                    cnameInstruction
+                ],
+                vercelVerification: verification
+            });
+        } else {
+            // Fallback: No Vercel integration, use legacy behavior
+            console.warn('[Domains API] Vercel integration not configured, using legacy mode');
+            const result = await addCustomDomain(projectSlug, customDomain);
+            if (!result.success) {
+                return NextResponse.json({
+                    error: result.error
+                }, {
+                    status: 400
+                });
+            }
+            // Legacy hardcoded DNS instructions
+            const parts = customDomain.split('.');
+            const subdomain = parts.length > 2 ? parts[0] : '@';
+            return NextResponse.json({
+                success: true,
+                domain: customDomain,
+                projectSlug,
+                status: result.entry.status,
+                verified: false,
+                verification: [
+                    {
+                        type: 'CNAME',
+                        name: subdomain,
+                        value: 'cname.vercel-dns.com'
+                    },
+                    {
+                        type: 'TXT',
+                        name: `_devdoc-verify.${customDomain}`,
+                        value: result.entry.verificationToken || ''
+                    }
+                ],
+                instructions: [
+                    'Add the following DNS records to your domain:',
+                    '',
+                    '1. CNAME Record:',
+                    `   Name: ${subdomain}`,
+                    '   Value: cname.vercel-dns.com',
+                    '',
+                    '2. TXT Record (for verification):',
+                    `   Name: _devdoc-verify.${customDomain}`,
+                    `   Value: ${result.entry.verificationToken || ''}`,
+                    '',
+                    'After adding DNS records, run "devdoc domain verify" to verify.',
+                    '',
+                    'Note: Vercel integration not configured. Set VERCEL_API_TOKEN and VERCEL_PROJECT_ID for automatic SSL.'
+                ]
             });
         }
-        // Get DNS instructions
-        const dnsInstructions = getDnsInstructions(customDomain);
-        // Add verification token to TXT record
-        dnsInstructions.txt.value = result.entry.verificationToken || '';
-        return NextResponse.json({
-            success: true,
-            domain: customDomain,
-            projectSlug,
-            status: result.entry.status,
-            verification: {
-                cname: dnsInstructions.cname,
-                txt: dnsInstructions.txt
-            },
-            instructions: [
-                'Add the following DNS records to your domain:',
-                '',
-                `1. CNAME Record:`,
-                `   Name: ${dnsInstructions.cname.name}`,
-                `   Value: ${dnsInstructions.cname.value}`,
-                '',
-                `2. TXT Record (for verification):`,
-                `   Name: ${dnsInstructions.txt.name}`,
-                `   Value: ${dnsInstructions.txt.value}`,
-                '',
-                'After adding DNS records, run "devdoc domain verify" to verify.'
-            ]
-        });
     } catch (error) {
         console.error('[Domains API] Error adding domain:', error);
         const message = error instanceof Error ? error.message : String(error);

package/renderer/app/api/domains/remove/route.js

@@ -1,11 +1,16 @@
 import { NextResponse } from 'next/server';
 import { validateApiKey, getProjectCustomDomain, removeCustomDomain } from '@/lib/storage/blob';
 import { normalizeDomain } from '@/lib/docs/config';
+import { removeDomain as vercelRemoveDomain, isVercelIntegrationEnabled } from '@/lib/vercel/domains';
 /**
  * DELETE /api/domains/remove
  * 
  * Remove a custom domain from a project.
  * 
+ * When Vercel integration is enabled:
+ * - Removes domain from Vercel project
+ * - Removes from internal registry
+ * 
  * Headers:
  *   Authorization: Bearer <api_key>
  * 
@@ -52,7 +57,17 @@ import { normalizeDomain } from '@/lib/docs/config';
             }
             customDomain = projectDomain.customDomain;
         }
-        // Remove the domain
+        // Remove from Vercel if integration is enabled
+        if (isVercelIntegrationEnabled()) {
+            const vercelResult = await vercelRemoveDomain(customDomain);
+            if (!vercelResult.success) {
+                // Log warning but continue - domain might not exist in Vercel
+                console.warn('[Domains API] Failed to remove from Vercel:', vercelResult.error);
+            } else {
+                console.log('[Domains API] Domain removed from Vercel:', customDomain);
+            }
+        }
+        // Remove from internal registry
         const result = await removeCustomDomain(customDomain, projectSlug);
         if (!result.success) {
             return NextResponse.json({
@@ -61,8 +76,6 @@ import { normalizeDomain } from '@/lib/docs/config';
                 status: 400
             });
         }
-        // TODO: In production, also remove from Vercel via API
-        // await vercelApi.removeDomain(customDomain)
         return NextResponse.json({
             success: true,
             message: `Domain ${customDomain} removed successfully`,

package/renderer/app/api/domains/verify/route.js

@@ -1,6 +1,7 @@
 import { NextResponse } from 'next/server';
 import { validateApiKey, getProjectCustomDomain, getCustomDomainEntry, updateCustomDomainStatus } from '@/lib/storage/blob';
 import { normalizeDomain } from '@/lib/docs/config';
+import { verifyDomain as vercelVerifyDomain, getDomainConfig, isVercelIntegrationEnabled, formatVerificationInstructions } from '@/lib/vercel/domains';
 import dns from 'dns';
 import { promisify } from 'util';
 const resolveCname = promisify(dns.resolveCname);
@@ -9,7 +10,13 @@ const resolveTxt = promisify(dns.resolveTxt);
  * POST /api/domains/verify
  * 
  * Verify DNS configuration for a custom domain.
- * Checks CNAME and TXT records, then triggers SSL provisioning.
+ * 
+ * When Vercel integration is enabled:
+ * - Calls Vercel's verify endpoint directly
+ * - Vercel handles DNS verification and SSL provisioning
+ * 
+ * Legacy mode (no Vercel integration):
+ * - Checks CNAME and TXT records manually
  * 
  * Headers:
  *   Authorization: Bearer <api_key>
@@ -21,11 +28,9 @@ const resolveTxt = promisify(dns.resolveTxt);
  *   {
  *     success: true,
  *     domain: "docs.example.com",
- *     status: "dns_verified",
- *     checks: {
- *       cname: { found: true, value: "cname.devdoc-dns.com" },
- *       txt: { found: true, verified: true }
- *     }
+ *     status: "active",
+ *     verified: true,
+ *     message: "Domain verified! SSL will be provisioned automatically."
  *   }
  */ export async function POST(request) {
     try {
@@ -62,7 +67,7 @@ const resolveTxt = promisify(dns.resolveTxt);
             }
             customDomain = projectDomain.customDomain;
         }
-        // Get domain entry
+        // Get domain entry from our registry
         const domainEntry = await getCustomDomainEntry(customDomain);
         if (!domainEntry) {
             return NextResponse.json({
@@ -79,12 +84,74 @@ const resolveTxt = promisify(dns.resolveTxt);
                 status: 403
             });
         }
-        // Check DNS records
+        // Use Vercel integration if available
+        if (isVercelIntegrationEnabled()) {
+            // Call Vercel's verify endpoint
+            const verifyResult = await vercelVerifyDomain(customDomain);
+            if (!verifyResult.success) {
+                // Get current domain config to show what's needed
+                const configResult = await getDomainConfig(customDomain);
+                const verification = configResult.domain?.verification || [];
+                let instructions = [];
+                if (verification.length > 0) {
+                    const formatted = formatVerificationInstructions(verification);
+                    instructions = formatted.instructions;
+                }
+                return NextResponse.json({
+                    success: false,
+                    domain: customDomain,
+                    projectSlug,
+                    status: domainEntry.status,
+                    verified: false,
+                    message: verifyResult.error || 'DNS verification failed. Please check your DNS records.',
+                    verification: verification.map((v)=>({
+                            type: v.type,
+                            name: v.domain,
+                            value: v.value
+                        })),
+                    instructions
+                });
+            }
+            // Domain verified successfully
+            if (verifyResult.verified) {
+                // Update our registry to mark as active
+                await updateCustomDomainStatus(customDomain, 'active');
+                return NextResponse.json({
+                    success: true,
+                    domain: customDomain,
+                    projectSlug,
+                    status: 'active',
+                    verified: true,
+                    message: 'Domain verified! SSL certificate will be provisioned automatically by Vercel.'
+                });
+            } else {
+                // Vercel didn't verify yet, return what's needed
+                const verification = verifyResult.domain?.verification || [];
+                const { instructions } = formatVerificationInstructions(verification);
+                return NextResponse.json({
+                    success: false,
+                    domain: customDomain,
+                    projectSlug,
+                    status: 'pending',
+                    verified: false,
+                    message: 'DNS records not yet propagated. This can take up to 48 hours.',
+                    verification: verification.map((v)=>({
+                            type: v.type,
+                            name: v.domain,
+                            value: v.value
+                        })),
+                    instructions
+                });
+            }
+        }
+        // Legacy verification (no Vercel integration)
+        console.warn('[Domains API] Vercel integration not configured, using legacy DNS verification');
+        // Check DNS records manually
         const checks = {
             cname: {
                 found: false,
                 value: null,
-                expected: 'cname.devdoc-dns.com'
+                expected: 'cname.vercel-dns.com'
             },
             txt: {
                 found: false,
@@ -116,18 +183,15 @@ const resolveTxt = promisify(dns.resolveTxt);
         // TXT not found or DNS error
         }
         // Determine overall status
-        const cnameValid = checks.cname.found && checks.cname.value?.toLowerCase().includes('devdoc');
+        const cnameValid = checks.cname.found && checks.cname.value?.toLowerCase().includes('vercel');
         const txtValid = checks.txt.found && checks.txt.verified;
         let newStatus = domainEntry.status;
         let message = '';
         if (cnameValid && txtValid) {
-            // DNS is verified, update status
-            newStatus = 'dns_verified';
-            message = 'DNS verified! SSL certificate will be provisioned automatically (1-24 hours).';
-            await updateCustomDomainStatus(customDomain, 'dns_verified');
-        // In production, this would trigger Vercel API to add domain
-        // For now, we simulate SSL provisioning by updating status
-        // TODO: Integrate with Vercel Domains API
+            // DNS is verified
+            newStatus = 'active';
+            message = 'DNS verified! Domain is now active.';
+            await updateCustomDomainStatus(customDomain, 'active');
         } else if (cnameValid && !txtValid) {
             message = 'CNAME record found, but TXT verification record is missing or incorrect.';
         } else if (!cnameValid && txtValid) {
@@ -140,6 +204,7 @@ const resolveTxt = promisify(dns.resolveTxt);
             domain: customDomain,
             projectSlug,
             status: newStatus,
+            verified: cnameValid && txtValid,
             message,
             checks: {
                 cname: {

package/renderer/app/api/schema/route.js

@@ -6,10 +6,6 @@ import { getProjectContent } from '@/lib/storage/blob';
 const STARTER_PATH = process.env.STARTER_PATH || 'devdoc-docs';
 // Get the docs directory - respects STARTER_PATH for local development
 function getDocsDir() {
-    const projectSlug = process.env.BRAINFISH_PROJECT_SLUG;
-    if (projectSlug) {
-        return join(process.cwd(), '.devdoc', projectSlug);
-    }
     // Use STARTER_PATH (can be absolute or relative)
     if (isAbsolute(STARTER_PATH)) {
         return STARTER_PATH;
@@ -43,22 +39,27 @@ export async function GET(request) {
         });
     }
     try {
-        // Try blob storage first (for deployed projects)
-        const projectSlug = process.env.BRAINFISH_PROJECT_SLUG;
+        // Get project slug from middleware header (multi-tenant) or env var (single-tenant)
+        const projectSlug = request.headers.get('x-devdoc-project') || process.env.BRAINFISH_PROJECT_SLUG;
+        // Try blob storage first (for deployed/multi-tenant projects)
         if (projectSlug) {
             const projectContent = await getProjectContent(projectSlug);
-            if (projectContent?.files) {
-                const file = projectContent.files.find((f)=>f.path === path || f.path === `/${path}`);
-                if (file?.content) {
-                    return new NextResponse(file.content, {
+            // Check dedicated graphqlSchemas map first (like OpenAPI specs)
+            if (projectContent?.graphqlSchemas) {
+                const schemaContent = projectContent.graphqlSchemas[path] || projectContent.graphqlSchemas[path.replace(/^\//, '')] // Try without leading slash
+                ;
+                if (schemaContent) {
+                    return new NextResponse(schemaContent, {
                         headers: {
                             'Content-Type': 'text/plain'
                         }
                     });
                 }
+                // Log for debugging - schema not found
+                console.log('[Schema API] Schema not found in graphqlSchemas:', path, 'Available:', Object.keys(projectContent.graphqlSchemas));
             }
         }
-        // Try local filesystem
+        // Try local filesystem (for local development)
         const docsDir = getDocsDir();
         const fullPath = join(docsDir, path);
         if (!existsSync(fullPath)) {

package/renderer/app/api/suggestions/route.js

@@ -3,10 +3,22 @@ import { anthropic } from '@ai-sdk/anthropic';
 import { z } from 'zod';
 import crypto from 'crypto';
 import { CacheUtils } from '@/lib/cache';
+import { RateLimiter } from '@/lib/rate-limit';
 export const runtime = 'nodejs';
 // Cache TTL: 1 week in seconds
 const CACHE_TTL_SECONDS = 60 * 60 * 24 * 7 // 7 days
 ;
+// Rate limit configuration (can be overridden via env vars)
+// Set SUGGESTIONS_RATE_LIMIT_ENABLED=false to disable rate limiting
+const RATE_LIMIT_ENABLED = process.env.SUGGESTIONS_RATE_LIMIT_ENABLED !== 'false';
+const RATE_LIMIT_MAX = parseInt(process.env.SUGGESTIONS_RATE_LIMIT_MAX || '30', 10);
+const RATE_LIMIT_WINDOW = parseInt(process.env.SUGGESTIONS_RATE_LIMIT_WINDOW || '60', 10);
+// Create rate limiter with configurable values
+const suggestionsRateLimiter = new RateLimiter({
+    prefix: 'suggestions',
+    limit: RATE_LIMIT_MAX,
+    windowSeconds: RATE_LIMIT_WINDOW
+});
 const SuggestionsSchema = z.object({
     suggestions: z.array(z.object({
         title: z.string().describe('Short action phrase (2-4 words) like "Find endpoints" or "How do I"'),
@@ -22,10 +34,20 @@ const SuggestionsSchema = z.object({
     if (currentEndpointId) {
         // For specific endpoint: hash the endpoint details
         const endpoint = endpointIndex.find((e)=>e.id === currentEndpointId);
-        content = endpoint ? `endpoint:${endpoint.id}:${endpoint.name}:${endpoint.method}:${endpoint.path}` : `endpoint:${currentEndpointId}`;
+        if (endpoint) {
+            // Include GraphQL operation type in the cache key for better differentiation
+            const opType = endpoint.operationType || endpoint.method;
+            content = `endpoint:${endpoint.id}:${endpoint.name}:${opType}:${endpoint.path}`;
+        } else {
+            content = `endpoint:${currentEndpointId}`;
+        }
     } else {
         // For general API: hash based on endpoint count and first few endpoint signatures
-        const signature = endpointIndex.slice(0, 10).map((e)=>`${e.method}:${e.path}`).join('|');
+        const signature = endpointIndex.slice(0, 10).map((e)=>{
+            // Use operation type for GraphQL, method for REST
+            const opType = e.operationType || e.method;
+            return `${opType}:${e.name}`;
+        }).join('|');
         content = `general:${endpointIndex.length}:${signature}`;
     }
     const hash = crypto.createHash('sha256').update(content).digest('hex').slice(0, 16);
@@ -34,6 +56,30 @@ const SuggestionsSchema = z.object({
 function buildSuggestionPrompt(endpoints, currentEndpointId) {
     const currentEndpoint = currentEndpointId ? endpoints.find((e)=>e.id === currentEndpointId) : null;
     if (currentEndpoint) {
+        // Check if this is a GraphQL operation
+        const isGraphQL = currentEndpoint.type === 'graphql' || [
+            'query',
+            'mutation',
+            'subscription'
+        ].includes(currentEndpoint.operationType || '');
+        if (isGraphQL) {
+            const opType = currentEndpoint.operationType || 'operation';
+            return `You are helping users explore a GraphQL API. Generate 4 helpful question suggestions for the "${currentEndpoint.name}" ${opType}.
+
+GraphQL Operation details:
+- Name: ${currentEndpoint.name}
+- Type: ${opType}
+- Description: ${currentEndpoint.description || 'No description'}
+- Variables: ${currentEndpoint.parameters.join(', ') || 'None'}
+
+Generate questions that help users:
+1. Understand what this ${opType} does and when to use it
+2. Know what variables are required and their types
+3. See example GraphQL queries and responses
+4. Understand how to handle errors or edge cases
+
+Make questions specific to this GraphQL ${opType}, not generic.`;
+        }
         return `You are helping users explore an API. Generate 4 helpful question suggestions for the "${currentEndpoint.name}" endpoint.
 
 Endpoint details:
@@ -53,33 +99,75 @@ Generate questions that help users:
 Make questions specific to this endpoint, not generic.`;
     }
     // General suggestions based on the API
-    const methodCounts = endpoints.reduce((acc, e)=>{
+    // Separate GraphQL and REST endpoints
+    const graphqlEndpoints = endpoints.filter((e)=>e.type === 'graphql' || [
+            'query',
+            'mutation',
+            'subscription'
+        ].includes(e.operationType || ''));
+    const restEndpoints = endpoints.filter((e)=>e.type === 'rest' && ![
+            'query',
+            'mutation',
+            'subscription'
+        ].includes(e.operationType || ''));
+    const methodCounts = restEndpoints.reduce((acc, e)=>{
         acc[e.method] = (acc[e.method] || 0) + 1;
         return acc;
     }, {});
+    const graphqlCounts = graphqlEndpoints.reduce((acc, e)=>{
+        const opType = e.operationType || 'operation';
+        acc[opType] = (acc[opType] || 0) + 1;
+        return acc;
+    }, {});
     const categories = [
         ...new Set(endpoints.flatMap((e)=>e.tags))
     ].slice(0, 5);
-    return `You are helping users explore an API documentation. Generate 4 helpful starter question suggestions.
+    // Build API type description
+    const apiTypes = [];
+    if (restEndpoints.length > 0) apiTypes.push('REST');
+    if (graphqlEndpoints.length > 0) apiTypes.push('GraphQL');
+    return `You are helping users explore ${apiTypes.join(' and ')} API documentation. Generate 4 helpful starter question suggestions.
 
 API Overview:
-- Total endpoints: ${endpoints.length}
-- Methods: ${Object.entries(methodCounts).map(([m, c])=>`${m}: ${c}`).join(', ')}
+- Total operations: ${endpoints.length}
+${restEndpoints.length > 0 ? `- REST Methods: ${Object.entries(methodCounts).map(([m, c])=>`${m}: ${c}`).join(', ')}` : ''}
+${graphqlEndpoints.length > 0 ? `- GraphQL Operations: ${Object.entries(graphqlCounts).map(([m, c])=>`${m}: ${c}`).join(', ')}` : ''}
 - Categories: ${categories.join(', ') || 'General'}
 
-Sample endpoints:
-${endpoints.slice(0, 8).map((e)=>`- ${e.method} ${e.name}: ${e.description || 'No description'}`).join('\n')}
+Sample operations:
+${endpoints.slice(0, 8).map((e)=>{
+        if (e.type === 'graphql' || [
+            'query',
+            'mutation',
+            'subscription'
+        ].includes(e.operationType || '')) {
+            return `- [${e.operationType?.toUpperCase() || 'GRAPHQL'}] ${e.name}: ${e.description || 'No description'}`;
+        }
+        return `- [${e.method}] ${e.name}: ${e.description || 'No description'}`;
+    }).join('\n')}
 
 Generate questions that help users:
-1. Find the right endpoint for their use case
+1. Find the right operation for their use case
 2. Understand authentication/authorization
-3. Explore common operations (create, read, update, delete)
+3. Explore common operations (${graphqlEndpoints.length > 0 ? 'queries, mutations' : 'create, read, update, delete'})
 4. Get started quickly with the API
 
 Make questions specific to this API's capabilities.`;
 }
 export async function POST(req) {
     try {
+        // Rate limiting check (configurable via env vars)
+        if (RATE_LIMIT_ENABLED) {
+            const rateLimitResult = await suggestionsRateLimiter.check(req);
+            if (!rateLimitResult.success) {
+                console.log(`[Suggestions API] Rate limit exceeded for IP, count: ${rateLimitResult.count}/${rateLimitResult.limit}`);
+                return RateLimiter.tooManyRequestsResponse(rateLimitResult, 'Too many suggestion requests. Please wait before trying again.');
+            }
+            // Log rate limit status for monitoring (only on cache miss to reduce noise)
+            if (rateLimitResult.remaining < 5) {
+                console.log(`[Suggestions API] Rate limit warning: ${rateLimitResult.remaining} requests remaining`);
+            }
+        }
         const body = await req.json();
         const { endpointIndex, currentEndpointId } = body;
         // Generate hash-based cache key

package/renderer/app/globals.css

@@ -1266,4 +1266,37 @@ code[data-line-numbers] > [data-line]::before {
 .agent-suggestion-item {
   animation: suggestion-fade-in 0.2s ease-out forwards;
   animation-fill-mode: both;
+}
+
+/* Sandbox tabs styling */
+.sandbox-tabs {
+  background-color: hsl(240 10% 20%);
+  border-bottom: 1px solid hsl(240 10% 25%);
+}
+
+.sandbox-tab-active {
+  background-color: hsl(240 10% 14%);
+  color: hsl(0 0% 95%);
+}
+
+.sandbox-tab-inactive {
+  color: hsl(240 5% 65%);
+}
+
+.sandbox-tab-inactive:hover {
+  color: hsl(0 0% 90%);
+  background-color: hsl(240 10% 18%);
+}
+
+.sandbox-tab-indicator {
+  background-color: hsl(var(--primary));
+}
+
+.sandbox-tab-close {
+  color: hsl(240 5% 55%);
+}
+
+.sandbox-tab-close:hover {
+  color: hsl(0 0% 95%);
+  background-color: hsl(240 10% 25%);
 }