Title: Domain search: make routes public, add TLD guard, surface provider errors

Prompt:

Make domain routes public
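Register /api/domain/health, /api/domain/price and /api/domain/search before any auth/requireUser middleware, and make sure none of them is wrapped by it. Express runs middleware in registration order, so app.use(requireUser) only gates routes added after it.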

// server/index.ts
// PUBLIC domain routes first
app.get("/api/domain/health", domainHealth);
app.get("/api/domain/price", domainPrice);
app.get("/api/domain/search", domainSearch);

// ...then auth-protected routes
app.use(requireUser); // (or whatever the auth gate is)


Return clear 400 for missing/invalid TLD
In domainPrice/domainSearch handlers:

const name = String(req.query.name||"").trim().toLowerCase();
if (!name.includes(".")) {
  return res.status(400).json({ error:"Unsupported TLD", message:"Add a TLD like .com, .net, .org, or .co." });
}


Surface provider error text
When OpenSRS responds with a non-200 status, log the response body server-side and include a short, truncated message for the client:

const txt = await r.text().catch(()=> "");
console.error("[opensrs] error", r.status, txt?.slice(0,300));
return res.status(502).json({ ok:false, provider:"OpenSRS", status:r.status, message: txt?.slice(0,200) || "Provider error" });
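
Added example, not part of the original prompt or the project's code: one way to factor the TLD guard and the provider-error body into pure functions that can be unit-tested without Express. It goes beyond the includes(".") check above by rejecting non-string query values and TLDs outside the list named in the 400 message. checkDomainName, providerErrorBody, SUPPORTED_TLDS and LABEL are hypothetical names, and the label rule and the control-character stripping are assumptions.

```typescript
// Added example (not project code). SUPPORTED_TLDS mirrors the TLDs named in the
// page's 400 message; the label rule (letters, digits, inner hyphens) is an assumption.
const SUPPORTED_TLDS: string[] = ["com", "net", "org", "co"];
const LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

interface GuardResult {
  ok: boolean;
  status: number; // 200 = continue to the provider lookup, 400 = reject
  name?: string;
  tld?: string;
  error?: string;
  message?: string;
}

function checkDomainName(raw: unknown): GuardResult {
  // Express parses ?name=a&name=b as an array and ?name[x]=1 as an object;
  // String() would coerce those into "a,b" or "[object Object]".
  if (typeof raw !== "string") {
    return { ok: false, status: 400, error: "Invalid name", message: "Pass a single name parameter." };
  }
  const name = raw.trim().toLowerCase();
  const dot = name.lastIndexOf(".");
  if (dot < 0) {
    return { ok: false, status: 400, error: "Unsupported TLD", message: "Add a TLD like .com, .net, .org, or .co." };
  }
  const label = name.slice(0, dot);
  const tld = name.slice(dot + 1);
  if (SUPPORTED_TLDS.indexOf(tld) === -1) {
    return { ok: false, status: 400, error: "Unsupported TLD", message: "Add a TLD like .com, .net, .org, or .co." };
  }
  if (!LABEL.test(label)) {
    return { ok: false, status: 400, error: "Invalid name", message: "Use letters, digits and hyphens before the TLD." };
  }
  return { ok: true, status: 200, name, tld };
}

// Body for the 502 branch: same fields as the snippet above, with control
// characters stripped before truncation (the stripping is an added assumption).
function providerErrorBody(status: number, txt: string) {
  const message = txt.replace(/[\u0000-\u001f\u007f]+/g, " ").trim().slice(0, 200);
  return { ok: false, provider: "OpenSRS", status, message: message || "Provider error" };
}
```

In a handler, a non-ok result maps to res.status(result.status).json({ error: result.error, message: result.message }), and providerErrorBody(r.status, txt) is what gets passed to res.status(502).json().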


Client UX: TLD guard & multi-TLD helper
In DomainsPage.tsx before calling the API:

const q = query.trim().toLowerCase();
const hasDot = q.includes(".");
if (!hasDot) {
  toast.error("Add a TLD (e.g., novacore.com) or try .com, .net, .org, .co.");
  return;
}


(Optional: iterate over default TLDs and show a small results list.)

Diagnostics buttons
Keep /__qa/diag owner-accessible in prod; ensure versions/headers show on index.html to bust caches (Cache-Control: no-store).

Acceptance:

Hitting /api/domain/price?name=albedetest123.com returns 200 JSON (no auth required).

Searching novacore shows a friendly “Add a TLD…” toast instead of a red failure.

On real failures, toast shows provider message (e.g., “client not permitted from this IP”).

Why you saw “User not found”

That’s your auth middleware answering the domain endpoint in some code paths. Once the routes are moved above the auth gate, domain search will work for logged-out users too (as intended).