fix: address expert review findings — CORS, middleware, session polling

Fixes based on 3-expert review consensus:
- Add DELETE to CORS allow_methods (was blocking dashboard app deletion)
- Add /api/auth/ to middleware public paths (prevent OAuth flow breakage)
- Add refetchInterval={300} to SessionProvider (auto-refresh approval)
- Fix TTL log default "2" → "72" to match actual default
- Fix _extract_hue regex to handle fractional oklch hue values
- Cap verification score at 100 (was possible to exceed)
- Fix cubic-bezier parsing to use regex extraction (safer for LLM output)
- Tighten middleware dot-check to match file extensions only

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ComBba

agent/nodes/deployer.py

@@ -2080,6 +2080,7 @@ def _verify_live_url(live_url: str) -> dict:
             logger.warning("[DEPLOYER][VERIFY] Some assets failed to load")
 
     # ── Phase 4: Compute final score and verdict ──────────────────────
+    score = min(score, 100)
     result["verification_score"] = score
 
     if score >= 80:

agent/nodes/design_tokens.py

@@ -14,8 +14,8 @@
 
 def _extract_hue(oklch_str: str) -> int:
     """Extract hue value from an oklch() string."""
-    match = re.search(r"oklch\([^)]*\s+(\d+)\s*\)", str(oklch_str))
-    return int(match.group(1)) if match else 250
+    match = re.search(r"oklch\([^)]*\s+([\d.]+)\s*\)", str(oklch_str))
+    return int(float(match.group(1))) if match else 250
 
 
 def _make_scale(hue: int, chroma_base: float = 0.15, steps: int = 12) -> list[str]:

agent/nodes/motion_tokens.py

@@ -38,9 +38,10 @@ def generate_motion_tokens(design_system: dict) -> str:
         # Override easing from LLM if provided
         llm_easing = llm_motion.get("easing", "")
         if llm_easing and "cubic-bezier" in llm_easing:
-            # Convert cubic-bezier(a,b,c,d) to [a,b,c,d] for framer-motion
-            nums = llm_easing.replace("cubic-bezier(", "").replace(")", "")
-            intensity = {**intensity, "ease": f"[{nums}]"}
+            import re as _re
+            m = _re.search(r"cubic-bezier\(([^)]+)\)", llm_easing)
+            if m:
+                intensity = {**intensity, "ease": f"[{m.group(1)}]"}
     else:
         visual_dir = design_system.get("visual_direction", "dashboard")
         intensity = MOTION_INTENSITY.get(visual_dir, MOTION_INTENSITY["default"])

agent/server.py

@@ -614,7 +614,7 @@ async def lifespan(app: FastAPI):
         from .tools.digitalocean import _ttl_cleanup_loop
 
         _ttl_task = asyncio.create_task(_ttl_cleanup_loop())
-        logger.info("[TTL] App cleanup loop started (TTL=%sh)", os.environ.get("DEPLOY_APP_TTL_HOURS", "2"))
+        logger.info("[TTL] App cleanup loop started (TTL=%sh)", os.environ.get("DEPLOY_APP_TTL_HOURS", "72"))
 
     yield
 
@@ -642,7 +642,7 @@ async def lifespan(app: FastAPI):
 app.add_middleware(
     CORSMiddleware,
     allow_origins=_ALLOWED_ORIGINS,
-    allow_methods=["GET", "POST", "PUT", "OPTIONS"],
+    allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
     allow_headers=["Content-Type", "X-API-Key", "X-Vibedeploy-Ops-Token"],
     allow_credentials=False,
     max_age=600,

web/src/components/providers/session-provider.tsx

@@ -7,5 +7,5 @@ export function AuthSessionProvider({
 }: {
   children: React.ReactNode;
 }) {
-  return <SessionProvider>{children}</SessionProvider>;
+  return <SessionProvider refetchInterval={300}>{children}</SessionProvider>;
 }

web/src/middleware.ts

@@ -5,10 +5,11 @@ const publicPaths = ["/", "/demo"];
 function isPublicPath(pathname: string): boolean {
   if (publicPaths.includes(pathname)) return true;
   if (pathname.startsWith("/auth/")) return true;
+  if (pathname.startsWith("/api/auth/")) return true;
   if (pathname.startsWith("/_next/")) return true;
   if (pathname === "/favicon.ico") return true;
-  // Static assets (files with extensions)
-  if (pathname.includes(".")) return true;
+  // Static assets (files with extensions like .js, .css, .png)
+  if (/\.\w+$/.test(pathname)) return true;
   return false;
 }