
deploy to prod#729

Merged
JoaquinBN merged 9 commits into
mainfrom
dev
Jun 4, 2026
Conversation

@JoaquinBN (Collaborator) commented Jun 3, 2026

Summary by CodeRabbit

• New Features
  • Wall of Shame redesigned with operator grouping and detailed shame reason tracking.
  • Validator shame status now includes when shame periods began.
• Security & Access
  • Operators with hidden profiles no longer disclose names or avatars in Wall of Shame; identified by address only.
  • Search bar now requires authentication.
  • Contribution, user profile, and leaderboard data now require authentication to access.

* Hide non-visible operators from public validator endpoints

The public Wall of Shame and validator wallet endpoints surfaced the
linked operator's profile identity (name, address, id, avatar) even for
users who set their profile to non-visible, which contradicted the rest
of the API where hidden users are not enumerable. Operator identity is
now withheld whenever the linked user is not visible; the validator still
appears, identified only by its on-chain operator address, so a
misbehaving node cannot disappear by toggling visibility. Two production
safeguards are also tightened: session and CSRF cookies are marked Secure
outside DEBUG, and the wallet login endpoint no longer echoes raw
exception details to clients in production.

## Claude Implementation Notes
- backend/validators/serializers.py: Gate operator_user on user.visible in ValidatorWalletSerializer and WallOfShameSerializer.
- backend/validators/views.py: Gate the grouped Wall of Shame _operator_user_payload on user.visible.
- backend/tally/settings.py: Set SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE to not DEBUG so cookies are HTTPS-only in production.
- backend/ethereum_auth/views.py: Log the exception and return a generic auth-failure message when DEBUG is off; keep full detail in DEBUG.
- backend/validators/tests/test_grafana_service.py: Add regression test that a non-visible operator's identity is withheld while the validator still appears.

* Update changelog
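The three safeguards the description lists, as an added illustration rather than the project's own serializers or settings: operator identity is gated on `user.visible`, the validator still appears under its on-chain operator address (grouped per operator, as the redesigned Wall of Shame does), a regression check confirms that no hidden-profile field reaches the output, and the login error helper returns a generic message outside DEBUG. The class and field names are constructed stand-ins.

```python
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("ethereum_auth")
# Constructed stand-ins for the linked profile and the validator record.
@dataclass
class User:
    id: int
    name: str
    avatar: str
    address: str
    visible: bool          # profile visibility toggle

@dataclass
class Validator:
    operator_address: str  # on-chain address: always disclosed
    shame_reason: str
    shame_started_at: str
    user: Optional[User] = None

def operator_user_payload(user):
    """Profile identity is returned only when the linked user is visible."""
    if user is None or not user.visible:
        return None
    return {"id": user.id, "name": user.name,
            "address": user.address, "avatar": user.avatar}

def wall_of_shame(validators):
    """Group shamed validators by operator; identity is gated per group."""
    grouped = {}
    for v in validators:
        entry = grouped.setdefault(v.operator_address, {
            "operator_address": v.operator_address,
            "operator_user": operator_user_payload(v.user),
            "validators": []})
        entry["validators"].append(
            {"reason": v.shame_reason, "shame_started_at": v.shame_started_at})
    return list(grouped.values())

def leaks_identity(payload, user):
    """Regression check: does the user's name or avatar appear anywhere?"""
    text = repr(payload)
    return user.name in text or user.avatar in text

def login_failure_message(exc, debug):
    """Log the real error; echo it to the client only when DEBUG is on."""
    log.error("wallet login failed", exc_info=exc)
    return str(exc) if debug else "Authentication failed."
```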
@coderabbitai Bot commented Jun 4, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: e08801e3-f664-4602-bad0-0eecabab1189


@coderabbitai Bot left a comment

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
frontend/src/components/Sidebar.svelte (1)

716-755: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Missing Wall of Shame link in mobile sidebar.

The desktop validators submenu (lines 317-325) includes the new Wall of Shame link, but the mobile validators submenu (lines 716-755) does not. This creates an inconsistent navigation experience where mobile users cannot access the Wall of Shame page through the sidebar.

📱 Proposed fix to add Wall of Shame link to mobile sidebar
           Participants
         </a>
+        <a
+          href="/validators/wall-of-shame"
+          onclick={(e) => { e.preventDefault(); navigate('/validators/wall-of-shame'); }}
+          class="flex items-center border-l-[1.5px] px-3 py-2 text-[14px] font-medium text-black tracking-[0.28px] {
+            isActive('/validators/wall-of-shame') ? 'border-[`#387DE8`]' : 'border-[`#f5f5f5`]'
+          }"
+        >
+          Wall of Shame
+        </a>
         <a
           href="/validators/waitlist"
           onclick={(e) => { e.preventDefault(); navigate('/validators/waitlist'); }}
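Review bot: the class expression in the added anchor carries backticks inside the Tailwind arbitrary values (`'border-[`#387DE8`]'` and `'border-[`#f5f5f5`]'`); those characters would be emitted literally into the rendered class attribute, so the border colour class would not match. Before applying, copy the exact class expression from the adjacent Participants or Waitlist anchor rather than this rendering of it.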
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/components/Sidebar.svelte` around lines 716 - 755, The mobile
validators submenu (the block guarded by getActiveSection() === 'validator') is
missing the "Wall of Shame" link; add an <a> element matching the other mobile
validator links using href "/validators/wall-of-shame", onclick handler that
prevents default and calls navigate('/validators/wall-of-shame'), and the same
class logic that uses isActive('/validators/wall-of-shame') ? 'border-[`#387DE8`]'
: 'border-[`#f5f5f5`]'; place this new anchor alongside Contributions,
Leaderboard, Participants, and Waitlist in the same div so mobile and desktop
submenus are consistent.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@backend/api/metrics_views.py`:
- Line 22: Remove the explicit AllowAny overrides so the global IsAuthenticated
setting applies: locate the occurrences of the class attribute
permission_classes = [permissions.AllowAny] in backend/api/metrics_views.py
(there are four instances around the shown lines) and delete those lines (or
replace them with no permission_classes attribute) so the views no longer bypass
authentication; ensure you remove the exact attribute assignment to enforce the
global default.

In `@backend/contributions/migrations/0037_seed_featured_content.py`:
- Around line 39-103: The seed migration uses
FeaturedContent.objects.update_or_create(content_type=..., title=...) but the
model lacks a uniqueness constraint, risking MultipleObjectsReturned; add a
DB-level uniqueness constraint on (content_type, title) by updating the
FeaturedContent model (Meta.unique_together or Meta.constraints with
models.UniqueConstraint) and then create/apply a new migration so the database
enforces uniqueness; alternatively, if you prefer not to change the schema,
modify the migration 0037_seed_featured_content.py to use a truly-unique lookup
field (e.g., a unique slug or id) instead of content_type+title and ensure any
pre-existing duplicate rows are resolved before applying the constraint.

In `@backend/poaps/views.py`:
- Around line 325-330: The action decorated endpoint currently sets
permission_classes=[permissions.AllowAny], which exposes user-linked POAP claim
history; remove that explicit AllowAny and let the global authentication default
apply (i.e., delete the permission_classes argument) or replace it with an
appropriate restrictive permission such as permissions.IsAuthenticated or a
project-specific permission that prohibits unauthenticated access; update the
action decorator on the view method (the `@action`(...) for the
by-address/(?P<address>...)/poaps route in the POAP viewset) accordingly so the
endpoint no longer bypasses global auth.

In `@backend/projects/migrations/0002_ensure_project_participants_table.py`:
- Around line 4-12: The migration function ensure_project_participants_table
currently looks like it's adding a missing M2M definition, but Project in
0001_initial already defines the participants ManyToManyField; update the 0002
migration to clarify this by adding a short comment/docstring above
ensure_project_participants_table explaining that this migration is a defensive
idempotent safeguard (it inspects through_model = Project.participants.through
and table_name and only creates the table if missing) and that any missing table
should be investigated via migration history/state rather than treating
0001_initial as incomplete; keep the existing logic (table existence check and
schema_editor.create_model(through_model)) but add the explanatory note
referencing ensure_project_participants_table, Project.participants, and
through_model so future readers know why this guard exists.

In `@frontend/src/routes/WallOfShame.svelte`:
- Around line 281-284: The click handler currently calls
navigator.clipboard.writeText(...) but immediately calls showSuccess('Address
copied to clipboard!') without awaiting or handling failures; update the onclick
handler used in WallOfShame.svelte to await
navigator.clipboard.writeText(validator.operator_address || '') inside a
try/catch, call showSuccess only on successful resolution, and call an error
notifier (e.g., showError or a fallback alert) inside the catch block to surface
failures—reference the onclick handler, navigator.clipboard.writeText, and
showSuccess to locate and modify the code.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 51f02e31-f3d5-40a0-bb68-c7d937077c49

📥 Commits

Reviewing files that changed from the base of the PR and between db4fdac and 20e146e.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (32)
  • CHANGELOG.md
  • backend/CLAUDE.md
  • backend/api/metrics_views.py
  • backend/contributions/migrations/0037_seed_featured_content.py
  • backend/contributions/migrations/0051_zero_validator_waitlist_points.py
  • backend/contributions/tests/test_highlights_api.py
  • backend/contributions/tests/test_is_submittable.py
  • backend/contributions/tests/test_public_explorer_filters.py
  • backend/contributions/tests/test_submission_limits.py
  • backend/contributions/views.py
  • backend/ethereum_auth/tests.py
  • backend/ethereum_auth/views.py
  • backend/leaderboard/tests/test_stats.py
  • backend/leaderboard/views.py
  • backend/poaps/tests/test_poaps.py
  • backend/poaps/views.py
  • backend/projects/migrations/0002_ensure_project_participants_table.py
  • backend/tally/settings.py
  • backend/users/tests/test_email_security.py
  • backend/users/views.py
  • backend/validators/grafana_service.py
  • backend/validators/migrations/0013_validatorwallet_shame_started_at.py
  • backend/validators/models.py
  • backend/validators/serializers.py
  • backend/validators/tests/test_grafana_service.py
  • backend/validators/views.py
  • frontend/src/App.svelte
  • frontend/src/components/Navbar.svelte
  • frontend/src/components/Sidebar.svelte
  • frontend/src/routes/Metrics.svelte
  • frontend/src/routes/Overview.svelte
  • frontend/src/routes/WallOfShame.svelte
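A CI-style guard for the opt-out the review flags twice (the `permission_classes = [permissions.AllowAny]` class attribute in metrics_views.py and the `@action(..., permission_classes=...)` keyword in poaps/views.py), written here as an added example and not code from the project: it parses Python source with `ast` and reports every view that overrides the global default with AllowAny. The view and module names in the sample source are constructed.

```python
import ast

# Constructed sample showing the two forms the review flags (not the
# project's files): a class attribute and an @action(...) keyword argument.
SAMPLE_VIEWS = '''
class NodeMetricsView(APIView):
    permission_classes = [permissions.AllowAny]

class ProfileView(APIView):
    permission_classes = [IsAuthenticated]

class POAPViewSet(ViewSet):
    @action(detail=False, permission_classes=[permissions.AllowAny])
    def by_address(self, request, address=None):
        ...
'''

def _allows_any(node):
    """True if the expression is a list/tuple that names AllowAny."""
    if not isinstance(node, (ast.List, ast.Tuple)):
        return False
    for elt in node.elts:
        name = elt.attr if isinstance(elt, ast.Attribute) else getattr(elt, "id", None)
        if name == "AllowAny":
            return True
    return False

def find_allow_any_overrides(source):
    """Return (lineno, where) for each view that opts out of the global default."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            for stmt in node.body:
                if (isinstance(stmt, ast.Assign) and _allows_any(stmt.value)
                        and any(isinstance(t, ast.Name) and t.id == "permission_classes"
                                for t in stmt.targets)):
                    findings.append((stmt.lineno, f"{node.name}.permission_classes"))
        elif isinstance(node, ast.FunctionDef):
            for dec in node.decorator_list:
                if not isinstance(dec, ast.Call):
                    continue
                for kw in dec.keywords:
                    if kw.arg == "permission_classes" and _allows_any(kw.value):
                        findings.append((dec.lineno, f"@action on {node.name}"))
    return findings

if __name__ == "__main__":
    for lineno, where in find_allow_any_overrides(SAMPLE_VIEWS):
        print(f"line {lineno}: {where} overrides global auth with AllowAny")
```

Run it over the real view modules in CI and fail the build on any finding; a view that genuinely must be public then needs an explicit allow-list entry rather than a silent override.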

Comment thread backend/api/metrics_views.py Outdated
Comment thread backend/contributions/migrations/0037_seed_featured_content.py
Comment thread backend/poaps/views.py
Comment thread backend/validators/views.py
Comment thread frontend/src/routes/WallOfShame.svelte Outdated
@JoaquinBN JoaquinBN merged commit 098b96c into main Jun 4, 2026
2 checks passed
@JoaquinBN JoaquinBN deployed to cron-job June 5, 2026 02:00 — with GitHub Actions Active