Production-ready overhaul: backend fixes, claim flow polish, SEO, mobile, nginx

Backend:
- Fix activity score (followersCount check), NIP-98 URL proto, wallet balance guard
- Add payment_hash to confirm response, spentTodaySats to stats
- Add idx_claims_ip_hash; security headers, graceful shutdown, periodic nonce cleanup

Frontend:
- Remove 8 legacy components; polish wizard (rules summary, profile card, confetti, share)
- Stats budget bar uses spentTodaySats; ErrorBoundary with reload

SEO & production:
- Full meta/OG/Twitter, favicon, JSON-LD, robots.txt, sitemap.xml
- Mobile CSS fixes; nginx static dist + gzip + cache + security headers
- Vite manualChunks; aria-labels, dynamic page titles

Made-with: Cursor

deploy/faucet.lnpulse.app.conf

@@ -1,35 +1,67 @@
 server {
     server_name faucet.lnpulse.app;
-    # No root; all locations are proxied.
 
-    # Increase body size if needed
     client_max_body_size 10M;
 
-    # Backend API
+    # Gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_min_length 256;
+    gzip_types
+        text/plain
+        text/css
+        text/xml
+        text/javascript
+        application/json
+        application/javascript
+        application/xml
+        application/rss+xml
+        image/svg+xml;
+
+    # Security headers
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "DENY" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+
+    # Backend API — proxy to Node.js
     location /api/ {
         proxy_pass http://127.0.0.1:3001/;
         proxy_http_version 1.1;
-
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_read_timeout 30s;
+        proxy_connect_timeout 10s;
     }
 
     # Health check passthrough
-    location /health {
+    location = /health {
         proxy_pass http://127.0.0.1:3001/health;
         proxy_set_header Host $host;
     }
 
-    # Frontend (Vite preview server)
-    location / {
-        proxy_pass http://127.0.0.1:5173;
-        proxy_http_version 1.1;
+    # Static assets with hashed filenames — long-term cache
+    location /assets/ {
+        alias /var/www/faucet.lnpulse.app/dist/assets/;
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+        access_log off;
+    }
 
-        proxy_set_header Host $host;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
+    # Frontend — serve static files with SPA fallback
+    location / {
+        root /var/www/faucet.lnpulse.app/dist;
+        try_files $uri $uri/ /index.html;
+
+        # Short cache for HTML (re-validate on each visit)
+        location ~* \.html$ {
+            add_header Cache-Control "no-cache";
+        }
     }
 
     listen 443 ssl; # managed by Certbot
@@ -37,18 +69,14 @@ server {
     ssl_certificate_key /etc/letsencrypt/live/faucet.lnpulse.app/privkey.pem; # managed by Certbot
     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
 }
+
 server {
     if ($host = faucet.lnpulse.app) {
         return 301 https://$host$request_uri;
     } # managed by Certbot
 
-
     listen 80;
     server_name faucet.lnpulse.app;
     return 404; # managed by Certbot
-
-
 }
-