Rework portal onboarding into role funnels and journeys

[JoaquinBN]

Reworks onboarding for Builders, Validators, and Community into role-specific funnels: each landing page adapts to signed-out, signed-in-without-role, and earned states, with dedicated step-by-step journey routes. Journeys now grant the role itself rather than points, so the previous farmable point grants are removed and points come only from verifiable tasks such as starring the boilerplate repo or posting on X. The Builder journey is connect GitHub plus star the boilerplate repo; the Community journey is five verified steps (link X, link Discord, follow, join, and a verified X post checked against the linked handle) that grant the Creator role; the Validator journey stays a single waitlist form and keeps the graduation reward. Linking GitHub now records a contribution like X and Discord, and Community membership is created only by completing the journey, so the previous automatic creation from contributions, POAP claims, and Discord XP is removed. Sidebar subsections stay locked until the relevant journey is complete, the profile shows in-progress roles with an owner-only badge, and the What's New dialog appears only to returning users.

Summary by CodeRabbit

• New Features

  • Added role-based onboarding journeys for builders, validators, and community members, with dedicated funnel/landing pages and step-by-step progress.
  • Introduced community onboarding with GitHub account linking and X post verification, then creator-role granting on completion.

• Bug Fixes

  • Improved gating so locked sections and creator access only unlock after the required journey steps are completed.
  • Ensured onboarding and reward flows are idempotent and updated role visibility/metrics to prevent unintended creator-role assignment.

• Tests

  • Added/updated coverage for builder and community journey flows, plus social-link and role-state behavior.

[coderabbitai]

📝 Walkthrough

Walkthrough

Builder and community onboarding now use role-specific funnel states, journey endpoints, a community post proof model with tweet verification, and updated frontend routing/profile surfaces. Several sync and import paths no longer create Creator profiles automatically.

Changes

Onboarding funnels and role gating

Layer / File(s)	Summary
Builder setup backend/contributions/migrations/0073_create_community_link_github.py, backend/social_tasks/migrations/0004_seed_builder_star_task.py, backend/tally/settings.py, backend/users/serializers.py, backend/users/views.py, backend/users/tests/test_builder_journey.py, backend/users/tests/test_social_link_rewards.py, backend/contributions/tests/test_is_submittable.py, backend/CLAUDE.md	Builder reward setup seeds the GitHub-link reward and star task, adds builder and role-start endpoints, exposes the GitHub link badge, and updates related tests and docs.
Community journey backend/creators/community_journey.py, backend/creators/migrations/0002_backfill_community_members.py, backend/creators/migrations/0003_communitypostproof.py, backend/creators/models.py, backend/social_tasks/sorsa_client.py, backend/users/views.py, backend/users/tests/test_community_journey.py	Community journey helpers, proof storage, tweet lookup, and community endpoints add five-step status tracking and Creator creation on completion.
Creator cleanup backend/community_xp/services.py, backend/community_xp/tests/test_mee6_sync.py, backend/leaderboard/models.py, backend/leaderboard/tests/test_stats.py, backend/poaps/management/commands/import_poap_archive.py, backend/poaps/signals.py	Community XP sync, leaderboard signals, and POAP import paths stop creating Creator profiles, and the related tests now assert no Creator side effects.
Shared role state CHANGELOG.md, frontend/src/lib/roleState.js, frontend/src/lib/auth.js, frontend/src/lib/api.js, frontend/src/tests/roleState.test.js, frontend/src/components/ProfileCompletionGuard.svelte, frontend/src/components/WhatsNewDialog.svelte, frontend/src/components/SocialLink.svelte, frontend/src/App.svelte	Shared role helpers, auth preselection, journey API methods, app routing, and related tests coordinate onboarding redirects and access checks.
Role landing shells frontend/src/components/funnel/BuilderLanding.svelte, frontend/src/components/funnel/CommunityLanding.svelte, frontend/src/components/funnel/ValidatorLanding.svelte, frontend/src/components/funnel/RoleFunnel.svelte, frontend/src/components/funnel/RoleLanding.svelte	Role-specific landing pages and the funnel shell render the builder, validator, and community entry states.
Journey pages frontend/src/components/social-tasks/SocialTaskCard.svelte, frontend/src/components/funnel/journeys/*, frontend/src/routes/BuilderJourney.svelte, frontend/src/routes/CommunityJourney.svelte, frontend/src/routes/ValidatorWaitlist.svelte	Journey cards and route pages render the builder, community, and validator step flows and task completion UI.
Profile surfaces frontend/src/components/profile/*, frontend/src/components/Sidebar.svelte, frontend/src/routes/Profile.svelte	Profile, sidebar, and header components derive in-progress role state, hide it from public sections, and route locked subsections through the funnels.

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~90+ minutes

Possibly related PRs

• genlayer-foundation/points#775: Adds the social-task and Sorsa verifier surface that this PR extends with builder and community journey flows.
• genlayer-foundation/points#831: Also modifies frontend route gating in frontend/src/App.svelte for role-related sections.
• genlayer-foundation/points#835: Also changes when Creator roles are assigned and how community-member logic interacts with leaderboard tests.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 32.43% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: onboarding was reworked into role-specific funnels and journeys.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch JoaquinBN/portal-funnel-rework

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 48

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@backend/contributions/migrations/0073_create_community_link_github.py`:
- Around line 21-28: The migration for ContributionType creation currently uses
Category.objects.filter(...).first(), which can silently set the category to
none if the builder category is missing. Update the migration logic around
builder_category and ContributionType.objects.update_or_create to fail closed by
explicitly checking that the builder Category exists before seeding
community-link-github, and raise an error if it does not. Keep the fix localized
to the migration so the Link GitHub Account contribution type is only created
when the builder category is present.

In `@backend/creators/community_journey.py`:
- Around line 94-127: The x_post step in step_states and journey_status is
currently marked done whenever community_post_proof exists, which can leave
Creator completion stale after an X relink. Update the x_post check to validate
that the stored proof still matches the currently linked X account before
returning done, using the current linked handle together with the proof
URL/verified author. Keep the completion logic in journey_status consistent so
the legacy join route in views does not treat an outdated proof as valid.
- Around line 69-76: The mention check in post_matches is too permissive because
it uses a substring match against genlayer_handle(), which can accept longer
handles like `@genlayerlabs`. Update the step 5 validation in post_matches to
require an exact `@handle` mention for the intended account, using a
boundary-aware match or tokenized mention parsing so only the precise handle
from genlayer_handle() passes while near matches fail.

In `@backend/creators/migrations/0002_backfill_community_members.py`:
- Around line 5-7: The historical backfill in 0002_backfill_community_members
must remain unchanged for databases that already ran it, so don’t turn it into a
no-op or alter its past behavior. Instead, add a new follow-up migration or
audited cleanup path alongside 0002_backfill_community_members to reconcile
previously auto-created Creator rows and align existing environments with the
new journey-completion-only rule. Keep the fix scoped so the migration history
stays stable while ensuring Creator role state is consistent across fresh and
existing databases.

In `@backend/creators/models.py`:
- Around line 29-31: `verified_at` on `CommunityPostProof` is only set on first
insert because it uses `auto_now_add=True`, so re-verification leaves the
timestamp stale even when `verify_community_post()` updates the record via
`update_or_create()`. Change `verified_at` to be explicitly assignable (for
example, a normal DateTimeField with a default) and ensure the re-verification
path in `verify_community_post()` updates it whenever `post_url` or `tweet_id`
is refreshed.

In `@backend/creators/views.py`:
- Around line 43-52: Make the legacy join flow idempotent in the join view by
replacing the separate `hasattr(user, 'creator')` /
`Creator.objects.create(user=user)` path with `get_or_create()` on `Creator`, so
concurrent POSTs cannot race into a one-to-one violation. In the same `views.py`
handler, keep the existing “already a community member” response for the
existing record, and only call `update_user_leaderboard_entries(user)` when a
new `Creator` was actually created.

In `@backend/leaderboard/tests/test_stats.py`:
- Around line 279-282: The stats test is asserting creator_count for a POAP-only
user even though no Creator row exists, which can let the API over-report actual
Creator roles. Update the leaderboard stats implementation that backs this test
so creator_count is derived only from real Creator objects, or split the
POAP/community signal into a separately named metric while keeping creator_count
tied to the Creator model.

In `@backend/social_tasks/sorsa_client.py`:
- Around line 165-169: The tweet-info parsing in sorsa_client.py should validate
the user payload before accessing username, because the current
`data.get('user') or {}` pattern can still break if `user` is not a mapping and
raise an AttributeError instead of SorsaError. Update the logic around the
`full_text`/`username` extraction to explicitly check that `data["user"]` is a
dict-like mapping before dereferencing `username`, and raise `SorsaError` on
unexpected shapes so the caller’s retry/verification handling in the Sorsa flow
stays intact.

In `@backend/tally/settings.py`:
- Around line 263-267: The builder journey slug is currently
runtime-configurable in settings while complete_builder_journey depends on that
same value, which can drift from the seeded social task. Make
BUILDER_JOURNEY_TASK_SLUG a fixed constant matching the slug seeded by
0004_seed_builder_star_task, or add startup validation in settings/bootstrapping
to ensure the configured slug exists before requests are served. Use the
existing symbols GITHUB_REPO_TO_STAR, BUILDER_JOURNEY_TASK_SLUG, and
complete_builder_journey to keep the gate and migration in sync.

In `@backend/users/serializers.py`:
- Around line 570-574: Public profile responses from UserSerializer are exposing
in-progress owner-only funnel state via the new has_validator_welcome and
has_community_* fields. Update the public_profile handling in UserSerializer so
these SerializerMethodField booleans are excluded or forced absent for public
access, while preserving them for owner-only/profile edit flows; use the
existing public_profile gating logic around the serializer methods and any field
selection path that controls retrieve and by_address responses.

In `@backend/users/tests/test_community_journey.py`:
- Around line 85-87: The tweet fixtures in test_community_journey should stop
hardcoding `@genlayer` and instead derive the expected mention from
cj.genlayer_handle() so they match the configured GENLAYER_X_HANDLE. Update the
fixture methods used by the success and code_missing paths, such as good_tweet,
to build the tweet text from the helper that the verifier uses, so the
assertions stay correct under non-default handles.

In `@backend/users/tests/test_social_link_rewards.py`:
- Around line 51-60: The test fixture for the GitHub link reward is seeding the
wrong contribution category, so it won’t cover builder-routing behavior. Update
the setup in the social link rewards test where
ContributionType.objects.update_or_create creates community-link-github to use
the builder category instead of self.community, matching the production seed and
keeping the relevant leaderboard/routing assertions meaningful.

In `@backend/users/views.py`:
- Around line 418-445: The builder journey marker write is missing the same
bootstrap step used in start_role_journey(), so Contribution.objects.create()
can fail on a fresh database when no active GlobalLeaderboardMultiplier exists.
Before creating the 0-point builder welcome Contribution, ensure the builder
path looks up or creates the default active GlobalLeaderboardMultiplier (using
the same multiplier bootstrap logic as start_role_journey()) so this lightweight
marker can be saved reliably.
- Around line 495-521: The welcome-start flow in the user view is race-prone
because the `Contribution.objects.filter(...).exists()` check and the subsequent
`GlobalLeaderboardMultiplier.objects.create(...)` /
`Contribution.objects.create(...)` calls are not protected together. Update the
welcome-journey handler to run the idempotency check and both inserts inside a
single transaction, and use a locking/atomic pattern around the relevant
`Contribution` and `GlobalLeaderboardMultiplier` operations so concurrent
requests cannot create duplicate welcome contributions or duplicate default
multiplier rows.
- Around line 979-989: The community completion flow in the user view is
vulnerable to a race between the `hasattr(user, 'creator')` check and
`Creator.objects.create(user=user)`, which can cause duplicate requests to fail
with a 500 instead of returning the existing-member response. Update the
completion logic in the same view to make the `Creator` creation idempotent and
concurrency-safe, using a transaction and handling the one-to-one creation
conflict by reloading the existing `Creator`/user and returning the same 200
“already a community member” path. Keep the existing response shape in the
`update_user_leaderboard_entries` path and ensure the final success branch still
uses `fresh_user`/`self.get_serializer(...)` after a successful or recovered
creation.
- Around line 598-638: The builder completion flow in the relevant view method
should handle concurrent requests safely instead of turning a duplicate creation
into a 500. In the branch that calls Builder.objects.create(user=user), catch
the specific duplicate/one-to-one conflict and treat it as the same idempotent
success path already used when hasattr(user, 'builder') is true, then reuse the
existing serializer/response logic. Keep the existing Builder journey check and
update_user_leaderboard_entries call intact, but make the create path resilient
so near-simultaneous completions return the intended success response rather
than the generic exception handler.

In `@frontend/src/App.svelte`:
- Line 243: The /builders/resources route in App.svelte currently maps directly
to Resources and bypasses the same access control used by the locked sidebar.
Update the route registration so `/builders/resources` is wrapped with
requireRoleForRoute, matching the gating behavior already used for other
builder-only paths and preventing direct navigation from skipping the funnel.
Use the existing Resources route entry in App.svelte and the requireRoleForRoute
helper to keep the sidebar and route protection consistent.

In `@frontend/src/components/funnel/BuilderLanding.svelte`:
- Around line 227-848: The BuilderLanding.svelte styles are implemented as a
large custom stylesheet, but this component should use Tailwind utility classes
instead. Refactor the layout, spacing, typography, colors, and responsive rules
currently defined in the style block into utility classes on the relevant markup
in BuilderLanding, keeping the same visual structure while removing the bespoke
CSS. Focus on the main section/container classes such as builder-landing,
builder-hero, hero-copy, feature-grid, earn-banner, stack-grid, and final-cta
when migrating the styling.

In `@frontend/src/components/funnel/CommunityLanding.svelte`:
- Around line 129-135: The copy in the CommunityLanding section overpromises
points for every contribution, so update the points banner text to match the
actual funnel behavior: the role is granted on completion and only specific
verifiable tasks earn points. Adjust the heading and paragraph in the points
banner content in CommunityLanding.svelte, and make the same wording change for
the later matching copy near the referenced follow-up section so the messaging
is consistent.
- Around line 184-727: The current CommunityLanding component relies on a large
bespoke stylesheet instead of the shared Tailwind system. Refactor the styling
in CommunityLanding.svelte to use Tailwind utility classes in the markup,
removing the custom CSS rules for layout, spacing, colors, shadows, radii, and
typography. Replace hardcoded hex values with the existing primary color scale
and standard spacing tokens, and keep the structure of the hero, feature cards,
points banner, stack cards, and final CTA aligned with their existing component
sections.

In `@frontend/src/components/funnel/journeys/JourneyHeroCard.svelte`:
- Around line 226-232: The progress fill in JourneyHeroCard is forced visible by
the .progress-track span min-width, so a zero-step or 0% journey still appears
partially complete. Update the styling or binding around the progress track span
so the fill can collapse to zero width when progressPercent is 0, while still
preserving the minimum visible size only for non-zero progress states.
- Around line 103-409: The JourneyHeroCard styling is still implemented in a
large standalone <style> block instead of the shared Tailwind utility system.
Move the layout, spacing, typography, colors, borders, gradients, and responsive
behavior into the Svelte markup using Tailwind tokens/classes, and remove the
bespoke CSS rules from JourneyHeroCard.svelte. Use the existing component
structure and unique selectors like journey-hero, hero-content, progress-ring,
hero-role-badge, landing-button, and hero-action as the guide for mapping each
style to Tailwind utilities and shared design tokens.
- Around line 20-22: The JourneyHeroCard component currently exposes heroBadge
and badgeIcon* props, which should be renamed before this API spreads to
callers. Update the JourneyHeroCard Svelte component to use contribution-based
names throughout its surface and internal usage, and make sure any related
references in the component logic are renamed consistently so the new public API
does not contain the banned term.

In `@frontend/src/components/funnel/journeys/JourneyNotice.svelte`:
- Line 27: The visible dismiss “x” in JourneyNotice is inert and misleading
because the aria-hidden control has no interaction behavior. Remove the fake
close control from the notice markup, or replace it with a real dismiss button
in the JourneyNotice component that supports click and keyboard access and is
wired to actual dismiss state handling. Apply the same fix to the related
duplicated notice markup as well.
- Around line 30-89: The JourneyNotice.svelte component is using a
component-scoped stylesheet with hardcoded colors, spacing, and responsive
rules, which should be replaced with Tailwind-based styling. Move the styling
from the <style> block into the component markup by applying Tailwind utility
classes (or existing shared Tailwind component classes) on the journey-notice,
notice-icon, notice-dismiss, and notice-error elements. Keep the same visual
behavior and responsive adjustments, but remove the custom CSS so the component
follows the frontend/**/*.svelte styling guideline.

In `@frontend/src/components/funnel/journeys/JourneyStepRow.svelte`:
- Around line 3-9: The JourneyStepRow component is exposing the banned prop name
in its public API and markup. Rename the `badge` prop in the
JourneyStepRow.svelte component and update its usage throughout the component to
a neutral alternative such as `contributionLabel`, then adjust any callers that
pass `badge` so the new prop name is used consistently. Focus on the
JourneyStepRow component’s prop destructuring and the related rendered label
path so the public API no longer depends on the banned term.
- Around line 124-394: JourneyStepRow currently defines a large private
stylesheet with hardcoded colors, spacing, and typography, which conflicts with
the shared component styling guidelines. Move the row, index, state, action,
skeleton, and responsive styles into Tailwind utility classes used in the
JourneyStepRow Svelte markup, and keep the component aligned with the documented
spacing/color mapping. Use the existing JourneyStepRow structure and state
classes/flags to locate the affected markup, and remove the custom CSS block so
the reusable primitive relies on Tailwind only.

In `@frontend/src/components/funnel/journeys/JourneyUnlockCard.svelte`:
- Around line 30-117: JourneyUnlockCard.svelte still uses component-scoped CSS
with hardcoded sizes/colors, which should be converted to Tailwind utilities per
the Svelte styling guideline. Move the styling from the <style> block into the
markup for the unlock-card layout, lock-badge, unlock-icon, heading, text, and
unlock-label, using Tailwind classes to match the current appearance and
responsive behavior. Keep the existing component structure and identifiers like
unlock-card, lock-badge, unlock-icon, and unlock-label, but remove the custom
stylesheet once the utility classes fully replace it.

In `@frontend/src/components/funnel/RoleLanding.svelte`:
- Around line 24-32: The RoleLanding navigation flow currently swallows errors
from startRoleJourney() and still calls push(journeyPath(role)), which lets
users enter the journey without the durable started marker. Update the handler
in RoleLanding.svelte so that the navigation only happens after
startRoleJourney(role) succeeds; on failure, show a toast notification, keep the
user on the landing page, and still reset starting in the finally block. Use the
existing startRoleJourney, userStore.loadUser, and push/journeyPath(role) flow
as the place to apply the fix.

In `@frontend/src/components/funnel/ValidatorLanding.svelte`:
- Around line 209-829: The ValidatorLanding component still defines the full
layout in a local style block, which conflicts with the Tailwind-only styling
guideline. Remove the custom CSS in ValidatorLanding.svelte and recreate the
same sections using shared Tailwind utility classes and design tokens, keeping
the existing structure/components like role-landing, role-hero, comparison-grid,
stack-grid, and final-cta as the anchors for the refactor.
- Around line 4-6: The validator funnel state check in ValidatorLanding.svelte
is using a nonexistent waitlisted role, so waitlisted users fall through to the
normal CTA. Update the component’s role handling to align with roleFunnelState()
and the funnel contract by treating the waitlist as started (or the equivalent
emitted state), and make the conditional/labels in the validator landing flow
use the existing derived state symbols so the waitlist status renders correctly
instead of “Run a Node.”

In `@frontend/src/components/profile/RoleJourneyCard.svelte`:
- Around line 2-3: The CTA navigation in RoleJourneyCard should use a real
anchor instead of a click handler that calls push(), so update the
RoleJourneyCard.svelte CTA to render a styled <a href={ctaPath}> and remove the
direct push() usage. Keep the existing path helpers like journeyPath and
rolePath to build the target URL, and rely on the global SPA interceptor for
routing so the link preserves normal browser behavior.
- Around line 92-256: The RoleJourneyCard styling has drifted off the shared
Tailwind/design-token system by adding bespoke CSS for layout, colors, borders,
shadows, spacing, and button styling. Refactor the component markup in
RoleJourneyCard.svelte to use Tailwind utility classes and existing
design-token/shadow/border-radius patterns instead of the custom
.journey-reminder stylesheet. Keep the same structure around the
journey-reminder header, status, copy, and journey-reminder__button, but express
the styles through shared utilities so the profile card stays consistent with
other frontend components.

In `@frontend/src/components/ProfileCompletionGuard.svelte`:
- Around line 219-234: The new role selector in ProfileCompletionGuard.svelte is
using component-scoped CSS and inline hex colors instead of the project’s
Tailwind-based styling. Update the role option UI around the ROLE_OPTIONS
rendering and the selectRole-driven button state to use Tailwind utility classes
and existing theme color tokens/classes, and remove the custom CSS/inline color
styling from this selector so it matches the coding guidelines and the rest of
the component.
- Around line 22-28: The onboarding redirect in ProfileCompletionGuard should
not trust sessionStorage.onboardingRole directly, since it may be stale or
invalid. Normalize the stored value against ROLE_OPTIONS before setting
selectedRole and before calling rolePath(selectedRole), so the guard always
redirects to a known role instead of falling back to /. Update the logic around
the state initialization and the redirect path selection to use the validated
role value consistently.

In `@frontend/src/components/Sidebar.svelte`:
- Around line 128-132: The Sidebar link behavior still relies on openRoleSection
and onclick-based navigate calls, which leaves the locked subsection URL in href
and breaks open-in-new-tab/copy-link behavior. Update the affected anchors in
Sidebar.svelte to compute the final destination directly in href using the same
rolePath/journeyPath logic currently inside openRoleSection, and let the global
interceptor handle SPA navigation instead of invoking navigate from click
handlers.
- Around line 67-91: The community journey lock-state fetch in
loadCommunityJourneyLockState() can apply a stale async response after the
authenticated user or key has changed. Update Sidebar.svelte to associate each
request with the current communityJourneyKey (or equivalent request token) and
only write communityJourneyComplete when the returned response still matches the
latest key. Use the existing $effect block and loadCommunityJourneyLockState()
to guard against out-of-date responses before mutating state.

In `@frontend/src/components/SocialLink.svelte`:
- Around line 117-128: The GitHub linking flow in SocialLink.svelte is
swallowing the failure from journeyAPI.linkGithubAccount(), which can leave the
journey marker missing while still showing success. Update the then-handler
around userPromise so the GitHub reward path surfaces a retryable warning/error
via a toast or similar user-facing message instead of an empty catch, and keep
the successful OAuth link path intact by only treating the reward step as
best-effort. Use the existing platform === 'github' and !wasRefreshing branch,
and make sure the fallback for the final user state still works when the reward
call fails.

In `@frontend/src/routes/BuilderJourney.svelte`:
- Around line 733-1131: The BuilderJourney route still uses a large custom
<style> block instead of Tailwind utilities. Move the styling for the
.journey-page layout and its sections like .steps-card, .task-panel,
.network-item, .completion-panel, and .unlock-grid into the Svelte markup using
Tailwind class names, including responsive behavior now handled by the media
queries. Keep the component structure intact while replacing the hardcoded
spacing, colors, borders, and hover states with equivalent utility classes.
- Around line 23-37: The network setup in BuilderJourney.svelte is treating
Bradbury and Asimov as separate additions even though both use the same chainId,
which lets checkNetworks() satisfy both steps from one active chain. Fix this by
either assigning distinct chain IDs to BRADBURY_NETWORK and ASIMOV_NETWORK or
merging them into a single network/step, and update the related network-step
logic so each step maps to a truly unique chain.
- Around line 180-189: The BuilderJourney initialization flow is swallowing
errors in the onMount startBuilderJourney call, so replace the empty catch with
proper error handling. Update the onMount logic in BuilderJourney.svelte to
surface failures through a user-facing toast notification, while keeping the
existing userStore update/loadUser success path intact and using the
journeyAPI.startBuilderJourney symbol to locate the fix.

In `@frontend/src/routes/CommunityJourney.svelte`:
- Around line 79-82: The community journey initialization in onMount currently
swallows failures from startRoleJourney('community'), so handle this API call
with explicit try-catch instead of an empty catch. In CommunityJourney.svelte,
keep the userStore.loadUser refresh on success, and on failure surface a
user-facing toast notification with the error message so users know the journey
setup did not complete.
- Around line 478-784: The CommunityJourney route still defines a large
component-scoped <style> block, which violates the Tailwind-only styling
guideline. Move the styles from the JourneyPage layout and its sections (for
example journey-page, task-panel, x-post-panel, share-box, verify-card,
completion-panel, landing-button, unlock-section, and unlock-grid) into Tailwind
utility classes directly in the Svelte markup, keeping the same responsive
behavior and state styling via utility variants instead of custom CSS.
- Around line 174-183: The copy fallback in CommunityJourney.svelte currently
assumes document.execCommand('copy') always succeeds, so update the logic around
the textarea-based copy flow to check the return value from execCommand before
calling showSuccess. If it returns true, keep the success message; if it returns
false, surface an error instead, using the same copy helper/handler that
performs the fallback.

In `@frontend/src/routes/Profile.svelte`:
- Around line 123-140: The `communityInProgress` derived state in
`Profile.svelte` is incorrectly treating existing creators as in progress while
`journeyAPI.communityJourney()` is still loading. Update the
`participant?.creator` fallback branch so it only applies after the community
journey response has loaded or otherwise defaults creators to not in-progress
until `communityJourney` is resolved, keeping `ProfileHeader` from showing the
grey in-progress state prematurely.

In `@frontend/src/routes/ValidatorWaitlist.svelte`:
- Around line 90-92: The waitlist submission failure in ValidatorWaitlist.svelte
only updates inline error state and does not surface the API error through the
toast system. In the existing try-catch around the waitlist join flow, add a
toast notification in the catch block alongside the current error assignment and
loading reset so users get a visible failure message. Use the route’s waitlist
submission logic and its existing error handling path to keep the user-facing
feedback consistent with the app guideline.
- Around line 210-538: The ValidatorWaitlist.svelte route still uses a large
custom style block instead of Tailwind utilities, which violates the frontend
styling guideline. Replace the CSS for the journey layout by moving the styling
into the Svelte markup using Tailwind classes on the relevant elements such as
journey-page, steps-card, step-check-panel, graduation-grid, graduation-card,
contact-card, and landing-button. Preserve the current responsive behavior and
visual hierarchy by translating the media-query-driven layout into Tailwind
responsive variants rather than keeping custom CSS.
- Around line 85-92: The join flow in ValidatorWaitlist.svelte treats a failure
in sessionStorage.setItem as if startValidatorJourney failed, which incorrectly
shows “Failed to join waitlist” after the backend call already succeeded. Update
the success path around startValidatorJourney, userStore.loadUser, and replace
so the persistence write for journeySuccess is isolated from the mutation error
handling, and handle any storage exception without entering the main catch or
setting the join-failed error state.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 3254f750-ef8d-44a6-8fe1-d9f954d7b3b9

📥 Commits

Reviewing files that changed from the base of the PR and between 087e3ec and 914a656.

📒 Files selected for processing (53)

• CHANGELOG.md
• backend/CLAUDE.md
• backend/community_xp/services.py
• backend/community_xp/tests/test_mee6_sync.py
• backend/contributions/migrations/0073_create_community_link_github.py
• backend/contributions/tests/test_is_submittable.py
• backend/creators/community_journey.py
• backend/creators/migrations/0002_backfill_community_members.py
• backend/creators/migrations/0003_communitypostproof.py
• backend/creators/models.py
• backend/creators/utils.py
• backend/creators/views.py
• backend/leaderboard/models.py
• backend/leaderboard/tests/test_stats.py
• backend/poaps/management/commands/import_poap_archive.py
• backend/poaps/signals.py
• backend/social_tasks/migrations/0004_seed_builder_star_task.py
• backend/social_tasks/sorsa_client.py
• backend/tally/settings.py
• backend/users/serializers.py
• backend/users/tests/test_builder_journey.py
• backend/users/tests/test_community_journey.py
• backend/users/tests/test_social_link_rewards.py
• backend/users/views.py
• frontend/src/App.svelte
• frontend/src/components/ProfileCompletionGuard.svelte
• frontend/src/components/Sidebar.svelte
• frontend/src/components/SocialLink.svelte
• frontend/src/components/WhatsNewDialog.svelte
• frontend/src/components/funnel/BuilderLanding.svelte
• frontend/src/components/funnel/CommunityLanding.svelte
• frontend/src/components/funnel/RoleFunnel.svelte
• frontend/src/components/funnel/RoleLanding.svelte
• frontend/src/components/funnel/ValidatorLanding.svelte
• frontend/src/components/funnel/journeys/JourneyHeroCard.svelte
• frontend/src/components/funnel/journeys/JourneyNotice.svelte
• frontend/src/components/funnel/journeys/JourneyStepRow.svelte
• frontend/src/components/funnel/journeys/JourneyUnlockCard.svelte
• frontend/src/components/profile/CommunityProgressJourney.svelte
• frontend/src/components/profile/CommunityView.svelte
• frontend/src/components/profile/JourneyActions.svelte
• frontend/src/components/profile/ProfileHeader.svelte
• frontend/src/components/profile/ProgressJourney.svelte
• frontend/src/components/profile/RoleJourneyCard.svelte
• frontend/src/components/social-tasks/SocialTaskCard.svelte
• frontend/src/lib/api.js
• frontend/src/lib/auth.js
• frontend/src/lib/roleState.js
• frontend/src/routes/BuilderJourney.svelte
• frontend/src/routes/CommunityJourney.svelte
• frontend/src/routes/Profile.svelte
• frontend/src/routes/ValidatorWaitlist.svelte
• frontend/src/tests/roleState.test.js

💤 Files with no reviewable changes (8)

• frontend/src/components/profile/JourneyActions.svelte
• frontend/src/components/profile/ProgressJourney.svelte
• backend/creators/utils.py
• backend/poaps/signals.py
• backend/poaps/management/commands/import_poap_archive.py
• frontend/src/components/profile/CommunityProgressJourney.svelte
• backend/leaderboard/models.py
• frontend/src/components/profile/CommunityView.svelte

[coderabbitai]

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Fail closed if the builder category is missing.

Category.objects.filter(...).first() lets this migration seed community-link-github with category=None. Because the foreign key is nullable, the migration would succeed while silently creating a misclassified contribution type that no longer behaves like a builder contribution.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/contributions/migrations/0073_create_community_link_github.py` around
lines 21 - 28, The migration for ContributionType creation currently uses
Category.objects.filter(...).first(), which can silently set the category to
none if the builder category is missing. Update the migration logic around
builder_category and ContributionType.objects.update_or_create to fail closed by
explicitly checking that the builder Category exists before seeding
community-link-github, and raise an error if it does not. Keep the fix localized
to the migration so the Link GitHub Account contribution type is only created
when the builder category is present.

[coderabbitai]

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Require an exact @handle mention for step 5.

The current substring check accepts handles like @genlayerlabs when GENLAYER_X_HANDLE is genlayer, because @genlayer is contained inside the longer mention. That weakens the journey gate and can award Creator without tagging the intended account.

Suggested fix

 def post_matches(full_text: str, user):
     """Whether the tweet text contains the user's code and `@mentions` GenLayer.
     Returns (ok, error_code)."""
     text = (full_text or '').lower()
     if verification_code(user).lower() not in text:
         return False, 'code_missing'
-    if f'@{genlayer_handle()}' not in text:
+    handle_re = re.compile(
+        rf'(^|[^a-z0-9_])@{re.escape(genlayer_handle())}(?![a-z0-9_])'
+    )
+    if not handle_re.search(text):
         return False, 'tag_missing'
     return True, None

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	def post_matches(full_text: str, user):
	"""Whether the tweet text contains the user's code and @mentions GenLayer.
	Returns (ok, error_code)."""
	text = (full_text or '').lower()
	if verification_code(user).lower() not in text:
	return False, 'code_missing'
	if f'@{genlayer_handle()}' not in text:
	return False, 'tag_missing'
	def post_matches(full_text: str, user):
	"""Whether the tweet text contains the user's code and `@mentions` GenLayer.
	Returns (ok, error_code)."""
	text = (full_text or '').lower()
	if verification_code(user).lower() not in text:
	return False, 'code_missing'
	handle_re = re.compile(
	rf'(^|[^a-z0-9_])@{re.escape(genlayer_handle())}(?![a-z0-9_])'
	)
	if not handle_re.search(text):
	return False, 'tag_missing'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/creators/community_journey.py` around lines 69 - 76, The mention
check in post_matches is too permissive because it uses a substring match
against genlayer_handle(), which can accept longer handles like `@genlayerlabs`.
Update the step 5 validation in post_matches to require an exact `@handle` mention
for the intended account, using a boundary-aware match or tokenized mention
parsing so only the precise handle from genlayer_handle() passes while near
matches fail.

[coderabbitai]

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Don't mark step 5 complete from proof existence alone.

x_post flips to done as soon as community_post_proof exists. If someone verifies with one linked X account and then relinks to another, journey_status() still reports completion, and the legacy join route in backend/creators/views.py:13-58 will grant Creator without re-checking that the stored proof still belongs to the currently linked account. Compare the current linked handle against the proof URL/verified author before returning x_post: true.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/creators/community_journey.py` around lines 94 - 127, The x_post step
in step_states and journey_status is currently marked done whenever
community_post_proof exists, which can leave Creator completion stale after an X
relink. Update the x_post check to validate that the stored proof still matches
the currently linked X account before returning done, using the current linked
handle together with the proof URL/verified author. Keep the completion logic in
journey_status consistent so the legacy join route in views does not treat an
outdated proof as valid.

[coderabbitai]

🗄️ Data Integrity & Integration | 🟠 Major | 🏗️ Heavy lift

Don’t rewrite the historical role backfill in place.

Existing databases that already ran this migration will keep the auto-created Creator rows, while fresh databases will not create them, producing environment-dependent role state. Add a new follow-up migration or audited cleanup path to reconcile previously auto-granted rows instead of changing this migration’s historical behavior. This conflicts with the PR objective that Creator roles are granted only through journey completion.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/creators/migrations/0002_backfill_community_members.py` around lines
5 - 7, The historical backfill in 0002_backfill_community_members must remain
unchanged for databases that already ran it, so don’t turn it into a no-op or
alter its past behavior. Instead, add a new follow-up migration or audited
cleanup path alongside 0002_backfill_community_members to reconcile previously
auto-created Creator rows and align existing environments with the new
journey-completion-only rule. Keep the fix scoped so the migration history stays
stable while ensuring Creator role state is consistent across fresh and existing
databases.

[coderabbitai]

🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick win

Make verified_at reflect the latest successful verification.

verify_community_post() updates an existing CommunityPostProof with update_or_create(), but auto_now_add=True only sets this field on the first insert. After a user re-verifies a corrected post URL, post_url/tweet_id change while verified_at stays stale. If this timestamp is meant to describe the current proof, switch it to an explicit default and update it in the re-verification path too.

🧰 Tools

🪛 ast-grep (0.44.0)

[info] 29-29: use help_text to document model columns
Context: models.CharField(max_length=40, blank=True)
Note: [CWE-710] Improper Adherence to Coding Standards.

(model-help-text)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/creators/models.py` around lines 29 - 31, `verified_at` on
`CommunityPostProof` is only set on first insert because it uses
`auto_now_add=True`, so re-verification leaves the timestamp stale even when
`verify_community_post()` updates the record via `update_or_create()`. Change
`verified_at` to be explicitly assignable (for example, a normal DateTimeField
with a default) and ensure the re-verification path in `verify_community_post()`
updates it whenever `post_url` or `tweet_id` is refreshed.

[coderabbitai]

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Guard community lock-state responses by request key.

loadCommunityJourneyLockState() writes communityJourneyComplete after an async request without confirming it still matches the current user/auth key. A stale response can unlock or lock the next user’s sidebar.

Proposed fix

-  async function loadCommunityJourneyLockState() {
+  async function loadCommunityJourneyLockState(key) {
     try {
       const res = await journeyAPI.communityJourney();
+      if (key !== communityJourneyKey) return;
       communityJourneyComplete = Boolean(res.data?.is_member && res.data?.complete);
     } catch {
+      if (key !== communityJourneyKey) return;
       communityJourneyComplete = false;
     }
   }
@@
-    loadCommunityJourneyLockState();
+    loadCommunityJourneyLockState(key);
   });

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	async function loadCommunityJourneyLockState() {
	try {
	const res = await journeyAPI.communityJourney();
	communityJourneyComplete = Boolean(res.data?.is_member && res.data?.complete);
	} catch {
	communityJourneyComplete = false;
	}
	}
	$effect(() => {
	const user = $userStore.user;
	const key = $authState.isAuthenticated
	? `${user?.id || user?.address || ''}:${user?.creator ? 1 : 0}:${user?.has_community_welcome ? 1 : 0}:${user?.has_community_link_x ? 1 : 0}:${user?.has_community_link_discord ? 1 : 0}`
	: '';
	if (key === communityJourneyKey) return;
	communityJourneyKey = key;
	if (!$authState.isAuthenticated || !user?.creator) {
	communityJourneyComplete = false;
	return;
	}
	loadCommunityJourneyLockState();
	});
	async function loadCommunityJourneyLockState(key) {
	try {
	const res = await journeyAPI.communityJourney();
	if (key !== communityJourneyKey) return;
	communityJourneyComplete = Boolean(res.data?.is_member && res.data?.complete);
	} catch {
	if (key !== communityJourneyKey) return;
	communityJourneyComplete = false;
	}
	}
	$effect(() => {
	const user = $userStore.user;
	const key = $authState.isAuthenticated
	? `${user?.id || user?.address || ''}:${user?.creator ? 1 : 0}:${user?.has_community_welcome ? 1 : 0}:${user?.has_community_link_x ? 1 : 0}:${user?.has_community_link_discord ? 1 : 0}`
	: '';
	if (key === communityJourneyKey) return;
	communityJourneyKey = key;
	if (!$authState.isAuthenticated || !user?.creator) {
	communityJourneyComplete = false;
	return;
	}
	loadCommunityJourneyLockState(key);
	});

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/components/Sidebar.svelte` around lines 67 - 91, The community
journey lock-state fetch in loadCommunityJourneyLockState() can apply a stale
async response after the authenticated user or key has changed. Update
Sidebar.svelte to associate each request with the current communityJourneyKey
(or equivalent request token) and only write communityJourneyComplete when the
returned response still matches the latest key. Use the existing $effect block
and loadCommunityJourneyLockState() to guard against out-of-date responses
before mutating state.

[coderabbitai]

📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Use computed hrefs instead of click-handler navigation.

These links still expose the locked subsection in href and only redirect via onclick, so open-in-new-tab/copy-link bypasses the intended funnel nudge. Compute the destination in href and let the global link interceptor handle SPA navigation.

Proposed pattern

-  function openRoleSection(path, category) {
-    navigate(isRoleLocked(category) ? (category === 'community' ? journeyPath(category) : rolePath(category)) : path);
+  function roleSectionHref(path, category) {
+    return isRoleLocked(category)
+      ? (category === 'community' ? journeyPath(category) : rolePath(category))
+      : path;
   }

-              href="/builders/contributions"
-              onclick={(e) => { e.preventDefault(); openRoleSection('/builders/contributions', 'builder'); }}
+              href={roleSectionHref('/builders/contributions', 'builder')}

As per coding guidelines: “Use plain <a href="/path"> anchors for in-app navigation … instead of calling push() in click handlers.”

Also applies to: 309-331, 361-396, 426-448, 782-804, 827-862, 885-907

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/components/Sidebar.svelte` around lines 128 - 132, The Sidebar
link behavior still relies on openRoleSection and onclick-based navigate calls,
which leaves the locked subsection URL in href and breaks
open-in-new-tab/copy-link behavior. Update the affected anchors in
Sidebar.svelte to compute the final destination directly in href using the same
rolePath/journeyPath logic currently inside openRoleSection, and let the global
interceptor handle SPA navigation instead of invoking navigate from click
handlers.

Source: Coding guidelines

[coderabbitai]

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Don’t silently drop the GitHub journey marker.

If linkGithubAccount() fails, the OAuth link succeeds but the contribution/journey marker can remain missing, and the user only sees a success path. Surface a retryable error/warning instead of swallowing it.

Proposed fix

       userPromise.then(async (resolvedUser) => {
         let finalUser = resolvedUser;
+        let rewardFailed = false;
@@
           try {
             await journeyAPI.linkGithubAccount();
             finalUser = await getCurrentUser();
           } catch {
-            // Link still succeeded; the reward is retried next time it's called.
+            rewardFailed = true;
           }
         }
         if (shouldToast) {
+          if (rewardFailed) {
+            showError('GitHub account linked, but we could not record the contribution. Please try again.');
+          } else {
           const connData = finalUser?.[`${platform}_connection`];
@@
             showSuccess(`${platformLabel} account linked successfully!${username ? ` (@${username})` : ''}`);
           }
+          }
         }

As per coding guidelines: “Always handle API errors with try-catch blocks and provide user-facing error messages via toast notifications.”

Also applies to: 130-144

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/components/SocialLink.svelte` around lines 117 - 128, The GitHub
linking flow in SocialLink.svelte is swallowing the failure from
journeyAPI.linkGithubAccount(), which can leave the journey marker missing while
still showing success. Update the then-handler around userPromise so the GitHub
reward path surfaces a retryable warning/error via a toast or similar
user-facing message instead of an empty catch, and keep the successful OAuth
link path intact by only treating the reward step as best-effort. Use the
existing platform === 'github' and !wasRefreshing branch, and make sure the
fallback for the final user state still works when the reward call fails.

Source: Coding guidelines

[coderabbitai]

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Surface community journey initialization failures.

startRoleJourney('community') is an authenticated state-changing call, but errors are swallowed. Users can proceed with missing journey state and no toast.

As per coding guidelines, "frontend/**/{components,routes}/**/*.{ts,tsx,js,svelte}: Always handle API errors with try-catch blocks and provide user-facing error messages via toast notifications."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/routes/CommunityJourney.svelte` around lines 79 - 82, The
community journey initialization in onMount currently swallows failures from
startRoleJourney('community'), so handle this API call with explicit try-catch
instead of an empty catch. In CommunityJourney.svelte, keep the
userStore.loadUser refresh on success, and on failure surface a user-facing
toast notification with the error message so users know the journey setup did
not complete.

Source: Coding guidelines

[coderabbitai]

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Don't treat existing Creators as "journey in progress" while the status fetch is still loading.

Before journeyAPI.communityJourney() resolves, communityJourneyComplete is false, so the participant?.creator fallback makes communityInProgress true for every owner who already has the Creator role. That temporarily hides the normal community section and swaps the earned Community state in ProfileHeader for the grey in-progress version. Gate that branch on a loaded journey response, or default existing creators to not in-progress until the API proves otherwise.

Also applies to: 166-166, 637-640

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/routes/Profile.svelte` around lines 123 - 140, The
`communityInProgress` derived state in `Profile.svelte` is incorrectly treating
existing creators as in progress while `journeyAPI.communityJourney()` is still
loading. Update the `participant?.creator` fallback branch so it only applies
after the community journey response has loaded or otherwise defaults creators
to not in-progress until `communityJourney` is resolved, keeping `ProfileHeader`
from showing the grey in-progress state prematurely.

[coderabbitai]

Review continued from previous batch...

[coderabbitai]

🎯 Functional Correctness | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
python - <<'PY'
from pathlib import Path
import re

path = Path("frontend/src/routes/BuilderJourney.svelte")
text = path.read_text()
for name in ("BRADBURY_NETWORK", "ASIMOV_NETWORK", "STUDIO_NETWORK"):
    m = re.search(rf"const {name}\s*=\s*\{{.*?chainId:\s*'([^']+)'", text, re.S)
    print(f"{name}: {m.group(1) if m else 'not found'}")
PY

Repository: genlayer-foundation/points

Length of output: 235

---

Do not treat Bradbury and Asimov as separate network additions while they share 0x107D.

checkNetworks() marks both steps complete from a single active chain, so the Asimov step can be satisfied without adding a distinct Asimov RPC entry. Give them different chain IDs or collapse them into one step.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/routes/BuilderJourney.svelte` around lines 23 - 37, The network
setup in BuilderJourney.svelte is treating Bradbury and Asimov as separate
additions even though both use the same chainId, which lets checkNetworks()
satisfy both steps from one active chain. Fix this by either assigning distinct
chain IDs to BRADBURY_NETWORK and ASIMOV_NETWORK or merging them into a single
network/step, and update the related network-step logic so each step maps to a
truly unique chain.

[coderabbitai]

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Surface builder journey initialization failures.

This authenticated API call currently swallows failures, so users can continue without the server-side journey marker being created and get no actionable feedback.

As per coding guidelines, "frontend/**/{components,routes}/**/*.{ts,tsx,js,svelte}: Always handle API errors with try-catch blocks and provide user-facing error messages via toast notifications."

Proposed fix

   onMount(() => {
-    if (!user?.has_builder_welcome && !user?.builder) {
-      journeyAPI
-        .startBuilderJourney()
-        .then((res) => {
-          if (res.data?.user) userStore.updateUser(res.data.user);
-          else userStore.loadUser?.();
-        })
-        .catch(() => {});
-    }
+    startBuilderJourney();
     loadTasks({ showLoading: true });
   });
+
+  async function startBuilderJourney() {
+    if (user?.has_builder_welcome || user?.builder) return;
+    try {
+      const res = await journeyAPI.startBuilderJourney();
+      if (res.data?.user) userStore.updateUser(res.data.user);
+      else await userStore.loadUser?.();
+    } catch {
+      showWarning('Could not start your builder journey. Try refreshing in a moment.');
+    }
+  }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	onMount(() => {
	if (!user?.has_builder_welcome && !user?.builder) {
	journeyAPI
	.startBuilderJourney()
	.then((res) => {
	if (res.data?.user) userStore.updateUser(res.data.user);
	else userStore.loadUser?.();
	})
	.catch(() => {});
	}
	onMount(() => {
	startBuilderJourney();
	loadTasks({ showLoading: true });
	});
	async function startBuilderJourney() {
	if (user?.has_builder_welcome || user?.builder) return;
	try {
	const res = await journeyAPI.startBuilderJourney();
	if (res.data?.user) userStore.updateUser(res.data.user);
	else await userStore.loadUser?.();
	} catch {
	showWarning('Could not start your builder journey. Try refreshing in a moment.');
	}
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/routes/BuilderJourney.svelte` around lines 180 - 189, The
BuilderJourney initialization flow is swallowing errors in the onMount
startBuilderJourney call, so replace the empty catch with proper error handling.
Update the onMount logic in BuilderJourney.svelte to surface failures through a
user-facing toast notification, while keeping the existing userStore
update/loadUser success path intact and using the journeyAPI.startBuilderJourney
symbol to locate the fix.

Source: Coding guidelines

[coderabbitai]

📐 Maintainability & Code Quality | 🟠 Major | 🏗️ Heavy lift

Move this route styling to Tailwind utilities.

The new route relies on a large custom stylesheet with hardcoded spacing, colors, and responsive rules instead of Tailwind utility classes.

As per coding guidelines, "frontend/**/*.svelte: Use Tailwind CSS utility classes for styling instead of custom CSS."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/routes/BuilderJourney.svelte` around lines 733 - 1131, The
BuilderJourney route still uses a large custom <style> block instead of Tailwind
utilities. Move the styling for the .journey-page layout and its sections like
.steps-card, .task-panel, .network-item, .completion-panel, and .unlock-grid
into the Svelte markup using Tailwind class names, including responsive behavior
now handled by the media queries. Keep the component structure intact while
replacing the hardcoded spacing, colors, borders, and hover states with
equivalent utility classes.

Source: Coding guidelines

[coderabbitai]

🎯 Functional Correctness | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

MDN document.execCommand copy return value false unsuccessful

💡 Result:

When document.execCommand('copy') returns false, it indicates that the copy command was either unsupported by the browser or disabled [1][2]. The most common reason for this return value is that the command was not triggered by a user-initiated interaction (such as a click or keypress) [1][3]. For security and privacy reasons, browsers generally restrict clipboard access, requiring that such commands occur within the context of a trusted user event [3]. If you attempt to call this method from the browser's developer console or from a script that is not responding to a direct user action, it will typically return false [3]. Additionally, the command may return false or fail if: - There is no active text selection to copy [4][5][6]. - The browser implementation does not support the 'copy' command [1][7]. - The script lacks the necessary permissions [4]. Note that document.execCommand is considered a deprecated API [8]. For modern web applications, the Clipboard API (navigator.clipboard.writeText) is the recommended alternative, as it provides a more robust and asynchronous way to interact with the system clipboard. Because document.execCommand only returns true when invoked successfully during a user interaction, you cannot use it to reliably check for browser support before attempting the operation [1][2]. Instead, you should rely on established feature detection or the more modern Clipboard API [5][8].

Citations:

• 1: https://developer.mozilla.org/en-US/docs/Web/API/Document/execCommand
• 2: https://github.com/mdn/content/blob/main/files/en-us/web/api/document/execcommand/index.md
• 3: https://stackoverflow.com/questions/33321095/cannot-use-document-execcommandcopy-from-developer-console
• 4: https://developer.mozilla.org/en-US/docs/Web/API/Document/queryCommandEnabled
• 5: https://developer.chrome.com/blog/cut-and-copy-commands
• 6: https://stackoverflow.com/questions/35719922/find-out-why-querycommandenabled-returns-false
• 7: https://w3c.github.io/editing/docs/execCommand/
• 8: https://stackoverflow.com/questions/400212/how-do-i-copy-to-the-clipboard-in-javascript

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the target file and surrounding clipboard logic.
git ls-files 'frontend/src/routes/CommunityJourney.svelte'
wc -l frontend/src/routes/CommunityJourney.svelte
sed -n '140,220p' frontend/src/routes/CommunityJourney.svelte

# Find any other clipboard/toast handling in the file.
rg -n "execCommand|clipboard|showSuccess|showError" frontend/src/routes/CommunityJourney.svelte

Repository: genlayer-foundation/points

Length of output: 3241

---

Handle execCommand('copy') failures in the fallback
frontend/src/routes/CommunityJourney.svelte:174-183 — document.execCommand('copy') can return false, so the fallback still shows “Post text copied.” even when nothing was copied. Show success only when it returns true; otherwise surface an error.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/routes/CommunityJourney.svelte` around lines 174 - 183, The copy
fallback in CommunityJourney.svelte currently assumes
document.execCommand('copy') always succeeds, so update the logic around the
textarea-based copy flow to check the return value from execCommand before
calling showSuccess. If it returns true, keep the success message; if it returns
false, surface an error instead, using the same copy helper/handler that
performs the fallback.

[coderabbitai]

📐 Maintainability & Code Quality | 🟠 Major | 🏗️ Heavy lift

Move this route styling to Tailwind utilities.

The route introduces a large component-scoped stylesheet instead of Tailwind utility classes.

As per coding guidelines, "frontend/**/*.svelte: Use Tailwind CSS utility classes for styling instead of custom CSS."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/routes/CommunityJourney.svelte` around lines 478 - 784, The
CommunityJourney route still defines a large component-scoped <style> block,
which violates the Tailwind-only styling guideline. Move the styles from the
JourneyPage layout and its sections (for example journey-page, task-panel,
x-post-panel, share-box, verify-card, completion-panel, landing-button,
unlock-section, and unlock-grid) into Tailwind utility classes directly in the
Svelte markup, keeping the same responsive behavior and state styling via
utility variants instead of custom CSS.

Source: Coding guidelines

[coderabbitai]

🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Do not let the success-message storage write fail the completed join.

If sessionStorage.setItem throws after startValidatorJourney() succeeds, the catch path reports “Failed to join waitlist” even though the backend mutation already happened.

Proposed fix

       await journeyAPI.startValidatorJourney();
       await userStore.loadUser?.();
-      sessionStorage.setItem('journeySuccess', 'Successfully joined Validator Waitlist!');
+      try {
+        sessionStorage.setItem('journeySuccess', 'Successfully joined Validator Waitlist!');
+      } catch {
+        // Non-critical: redirect still reflects the server-side waitlist state.
+      }
       replace('/validators');

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	try {
	await journeyAPI.startValidatorJourney();
	// Store success message and redirect to profile
	await userStore.loadUser?.();
	sessionStorage.setItem('journeySuccess', 'Successfully joined Validator Waitlist!');
	push(`/participant/${$authState.address}`);
	replace('/validators');
	} catch (err) {
	error = err.response?.data?.error || 'Failed to join waitlist';
	isJoiningWaitlist = false;
	try {
	await journeyAPI.startValidatorJourney();
	await userStore.loadUser?.();
	try {
	sessionStorage.setItem('journeySuccess', 'Successfully joined Validator Waitlist!');
	} catch {
	// Non-critical: redirect still reflects the server-side waitlist state.
	}
	replace('/validators');
	} catch (err) {
	error = err.response?.data?.error || 'Failed to join waitlist';
	isJoiningWaitlist = false;

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/routes/ValidatorWaitlist.svelte` around lines 85 - 92, The join
flow in ValidatorWaitlist.svelte treats a failure in sessionStorage.setItem as
if startValidatorJourney failed, which incorrectly shows “Failed to join
waitlist” after the backend call already succeeded. Update the success path
around startValidatorJourney, userStore.loadUser, and replace so the persistence
write for journeySuccess is isolated from the mutation error handling, and
handle any storage exception without entering the main catch or setting the
join-failed error state.

[coderabbitai]

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Show a toast when waitlist submission fails.

The route sets inline error state, but the app guideline requires API errors in routes to surface through the toast notification system too.

As per coding guidelines, "frontend/**/{components,routes}/**/*.{ts,tsx,js,svelte}: Always handle API errors with try-catch blocks and provide user-facing error messages via toast notifications."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/routes/ValidatorWaitlist.svelte` around lines 90 - 92, The
waitlist submission failure in ValidatorWaitlist.svelte only updates inline
error state and does not surface the API error through the toast system. In the
existing try-catch around the waitlist join flow, add a toast notification in
the catch block alongside the current error assignment and loading reset so
users get a visible failure message. Use the route’s waitlist submission logic
and its existing error handling path to keep the user-facing feedback consistent
with the app guideline.

Source: Coding guidelines

[coderabbitai]

📐 Maintainability & Code Quality | 🟠 Major | 🏗️ Heavy lift

Move this route styling to Tailwind utilities.

The new waitlist layout is implemented with a large custom <style> block instead of Tailwind utility classes.

As per coding guidelines, "frontend/**/*.svelte: Use Tailwind CSS utility classes for styling instead of custom CSS."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/routes/ValidatorWaitlist.svelte` around lines 210 - 538, The
ValidatorWaitlist.svelte route still uses a large custom style block instead of
Tailwind utilities, which violates the frontend styling guideline. Replace the
CSS for the journey layout by moving the styling into the Svelte markup using
Tailwind classes on the relevant elements such as journey-page, steps-card,
step-check-panel, graduation-grid, graduation-card, contact-card, and
landing-button. Preserve the current responsive behavior and visual hierarchy by
translating the media-query-driven layout into Tailwind responsive variants
rather than keeping custom CSS.

Source: Coding guidelines

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

backend/users/views.py (1)

769-783: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Handle malformed Sorsa tweet payloads before indexing.

tweet['username'] and tweet['full_text'] can raise if Sorsa returns an incomplete payload, turning a verification outage into a 500. Treat missing fields like verification_unavailable.

Proposed fix

+        if not isinstance(tweet, dict):
+            return Response(
+                {'error': 'verification_unavailable', 'message': 'Could not verify your post right now. Please try again shortly.'},
+                status=status.HTTP_503_SERVICE_UNAVAILABLE,
+            )
+
         # Authoritative author check (Sorsa) against the linked handle. Fail
         # closed: an absent/empty author must not pass the check.
-        author = (tweet['username'] or '').lower()
+        author = (tweet.get('username') or '').lower()
         if not author:
             return Response(
                 {'error': 'verification_unavailable', 'message': 'Could not verify your post right now. Please try again shortly.'},
                 status=status.HTTP_503_SERVICE_UNAVAILABLE,
             )
@@
-        ok, error_code = cj.post_matches(tweet['full_text'], user)
+        full_text = tweet.get('full_text') or ''
+        if not full_text:
+            return Response(
+                {'error': 'verification_unavailable', 'message': 'Could not verify your post right now. Please try again shortly.'},
+                status=status.HTTP_503_SERVICE_UNAVAILABLE,
+            )
+
+        ok, error_code = cj.post_matches(full_text, user)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/users/views.py` around lines 769 - 783, The Sorsa verification path
in the tweet-checking logic can crash on incomplete payloads because it indexes
tweet['username'] and tweet['full_text'] directly. Update the verification flow
around the author check and cj.post_matches call to safely read these fields and
treat any missing or empty username/full_text as verification_unavailable
instead of letting a KeyError bubble up. Keep the fail-closed behavior in the
same verification branch, using the existing linked_handle check and Response
error handling to return the unavailable status consistently.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@backend/users/views.py`:
- Around line 769-783: The Sorsa verification path in the tweet-checking logic
can crash on incomplete payloads because it indexes tweet['username'] and
tweet['full_text'] directly. Update the verification flow around the author
check and cj.post_matches call to safely read these fields and treat any missing
or empty username/full_text as verification_unavailable instead of letting a
KeyError bubble up. Keep the fail-closed behavior in the same verification
branch, using the existing linked_handle check and Response error handling to
return the unavailable status consistently.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 85181076-9e6c-45da-939e-86aa2a0ee876

📥 Commits

Reviewing files that changed from the base of the PR and between 914a656 and 74fae02.

📒 Files selected for processing (3)

• backend/users/views.py
• frontend/src/components/funnel/CommunityLanding.svelte
• frontend/src/components/funnel/ValidatorLanding.svelte