Changes
- src/app/mii/[id]/page.tsx — enable ISR (revalidate = 300), dedupe the two Prisma findUnique calls via React cache(), and remove auth() from the
render path so Cloudflare can cache the HTML.
- src/lib/rate-limit.ts — add a handleByIp() variant that skips the DB session lookup for anonymous reads.
- src/app/mii/[id]/image/route.ts — use handleByIp() and bump Cache-Control max-age from 60s to 24h for mii / qr-code / features (kept 60s on gallery
imageN since those aren't in your edit purge list).
- src/app/api/submit/route.ts — pin the Mii studio fetch hostname to studio.mii.nintendo.com (SSRF hardening).
- src/lib/auth.ts — reject Google sign-ins with email_verified: false.
Performance boost
- DB queries per Mii page + its images: ~8 → ~1 (−85%)
- /mii/[id] TTFB at the edge: ~24s → <100ms on cached hits
- Cloudflare cache window for stable image types: 60s → 24h (1440× longer)
