← All releases

v0.5.0 — SEO foundation

Lamp's public surface is now SEO-ready: indexable pages carry full metadata, recovery flows are noindex by design, and the pgbouncer + per-worktree dev stack hardening makes parallel feature work practical.

  • Public pages (/, /login, /register) ship with <title>, meta description, canonical, Open Graph, Twitter cards, and (on landing) JSON-LD structured data via a shared seo-head partial.
  • New routes /robots.txt (whitelist policy — never publishes internal paths), /sitemap.xml, /llms.txt, and /favicon.ico cover the standard SEO + AI-crawler surface.
  • Auth-recovery routes (/forgot-password, /reset-password, /magic-link/*, /verify-email) now carry X-Robots-Tag: noindex, nofollow plus a <meta name="robots"> so search engines do not surface auth attack surface.
  • GET /reset-password and GET /verify-email without a token render the existing expired-link UX instead of leaking Axum's raw 400 framework error.
  • HSTS is enabled on release builds.
  • HAProxy strips its sticky-session cookie and the auto-private cache-control on /robots.txt, /sitemap.xml, /llms.txt, /favicon.ico, and /assets/* so a CDN can cache them per the backend's explicit per-route TTLs.
  • Per-worktree dev stack hardened: safekill_port helper skips OrbStack/Docker so port-cleanup loops no longer kill the docker daemon; set dotenv-load in the justfile lets per-worktree .env reach recipes; pgbouncer accepts wildcard databases so per-instance Postgres DBs need no further config.