Problem
app/leaderboard/LeaderboardClient.tsx:77,166 calls Tenero directly from the browser:
const TENERO_API_BASE = \"https://api.tenero.io/v1/stacks\";
// ...
fetch(\`\${TENERO_API_BASE}/tokens/\${addr}\`)No `X-Api-Key` header → hits Tenero's unauthenticated public tier (100 req/min, 50k/month, shared IP). This is the client-side leak my colleague flagged: the broader server-side migration is in place (`lib/external/tenero-fetch.ts` + scheduler KV cache) but this last component still bypasses it.
Comment at `app/leaderboard/page.tsx:166-169` explicitly acknowledges "client calls Tenero directly per distinct token id" — this route was never built.
Proposal
Add a Next.js route handler:
```
GET /api/leaderboard/token-metadata?tokenIds=,,...
```
`LeaderboardClient.tsx` then calls this single endpoint for all distinct token IDs instead of N direct Tenero calls.
Acceptance
Related
Problem
app/leaderboard/LeaderboardClient.tsx:77,166calls Tenero directly from the browser:No `X-Api-Key` header → hits Tenero's unauthenticated public tier (100 req/min, 50k/month, shared IP). This is the client-side leak my colleague flagged: the broader server-side migration is in place (`lib/external/tenero-fetch.ts` + scheduler KV cache) but this last component still bypasses it.
Comment at `app/leaderboard/page.tsx:166-169` explicitly acknowledges "client calls Tenero directly per distinct token id" — this route was never built.
Proposal
Add a Next.js route handler:
```
GET /api/leaderboard/token-metadata?tokenIds=,,...
```
`LeaderboardClient.tsx` then calls this single endpoint for all distinct token IDs instead of N direct Tenero calls.
Acceptance
Related