Guestbook — Primer
Project Primer: Guestbook
Origins
A public guestbook where visitors can leave short messages without creating an account. The project demonstrates a privacy-first moderation architecture, combining automated bot protection, AI-powered spam classification, and human review in a pipeline that reveals nothing about its internal decisions to the outside world.
Structure
The moderation pipeline has three stages:
- Bot protection: Cloudflare Turnstile (invisible mode) filters automated submissions
- AI classification: gpt-4o-mini via Vercel AI SDK's generateObject with Zod schema classifies messages as spam or legitimate
- Human review: All non-spam messages enter an admin review queue; the site owner approves, rejects, or edits before publication
Key design decisions:
- Response obfuscation: Every submission — whether accepted, rate-limited, or rejected — receives the same "Thank you!" message, preventing information leakage
- Privacy: IP addresses are salted and hashed (SHA-256), never stored raw
- Rate limiting: Supabase RPC function enforces per-IP hourly and global daily caps
- Database: Supabase PostgreSQL with Row Level Security
- Optional Slack webhook notifications for new submissions
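The sketch below is an added example, not the project's own code: it shows how salted IP hashing, the two rate-limit caps, and the uniform response fit together in one submission handler. The cap values, the salt, the in-memory arrays (standing in for the Supabase tables and RPC) and the isSpam callback (standing in for the AI stage) are all assumptions.

```javascript
// Added example; names, caps and the classifier stub are assumptions, not the project's code.
const { createHash } = require('node:crypto');

const SALT = 'constructed-demo-salt';      // assumption: a secret, server-side salt
const PER_IP_HOURLY_CAP = 3;               // assumption: the page gives no numbers
const GLOBAL_DAILY_CAP = 100;              // assumption
const UNIFORM_RESPONSE = Object.freeze({ status: 200, body: 'Thank you!' });

// Salted SHA-256 of the client IP. IPv4 space is small enough to enumerate,
// so the salt has to stay secret for the hash to protect anything.
function hashIp(ip, salt = SALT) {
  return createHash('sha256').update(salt).update(ip).digest('hex');
}

function createGuestbook(isSpam) {
  const hits = [];        // { ipHash, at } stand-in for the rate-limit table
  const reviewQueue = []; // messages awaiting human approval
  const audit = [];       // internal outcomes, never sent to the client

  function submit(ip, message, now = Date.now()) {
    const ipHash = hashIp(ip);
    const hourAgo = now - 3600_000, dayAgo = now - 86_400_000;
    const perIp = hits.filter(h => h.ipHash === ipHash && h.at > hourAgo).length;
    const global = hits.filter(h => h.at > dayAgo).length;
    hits.push({ ipHash, at: now });

    let outcome;
    if (perIp >= PER_IP_HOURLY_CAP || global >= GLOBAL_DAILY_CAP) outcome = 'rate_limited';
    else if (isSpam(message)) outcome = 'spam';
    else { outcome = 'queued'; reviewQueue.push({ ipHash, message }); }

    audit.push({ ipHash, outcome });
    return UNIFORM_RESPONSE; // same object for every branch
  }
  return { submit, reviewQueue, audit };
}
```

Identical bodies do not by themselves hide timing differences between branches, such as a classifier call that is skipped when a submission is rate-limited.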
Related Projects
- AI Guide: Both use the Vercel AI SDK; the Guestbook's AI classification is a focused application of the same tooling
- De Selby on the CMD Line: Both demonstrate practical AI integration in web applications
Agent Guidance
- The privacy-first design is the standout feature: zero information leakage, hashed IPs, uniform responses
- Explain the three-stage moderation pipeline clearly — it's a textbook pattern for community content
- Technical highlights: Cloudflare Turnstile, Vercel AI SDK structured output, Supabase RLS, Framer Motion animations
- Common questions: "Do I need to sign up?" (no), "How is spam handled?" (AI classification + human review), "Is my data stored?" (messages stored in Supabase; IPs hashed, never raw)