·Day 7 · building git-to-x in public
LinkedIn cross-posting, per-IP rate limits, and security-first open source prep
Published on𝕏
This week I shipped LinkedIn cross-posting and tightened security and safety across the product. You can now connect LinkedIn, toggle cross-posting, and have commits posted without exposing code. I also prepared the project for open sourcing and added protections so the public endpoints stay reliable.
What shipped
- –LinkedIn cross-posting: OAuth connect, secure token storage, a settings toggle, and a worker hook that posts without touching code diffs.
- –Safety: commit data is read via numbers-only GraphQL calls and commit stats are fetched without sending code diffs to our servers. The security page now lists exactly what fields we store — stats and metadata only.
- –Trust and docs: a security page with a clear landing safety section, stronger FAQ, support email (not a personal address), a published .env.example, and a self-hosting guide. The repo now has an AGPL-3.0 license and CONTRIBUTING/SECURITY files.
- –Reliability and rate limits: per-IP rate limiting for public unauthenticated endpoints, with a fail-open behavior on database errors so a limiter hiccup never returns 500. I also disabled automatic preview deploys triggered by git to avoid broken previews when production env vars are missing.
- –Analytics and session insight: removed PostHog and added Microsoft Clarity for session replay and heatmaps. GA4 is present but dormant until you set the environment ID.
- –Product polish: the onboarding CTA to "Post my first card now" is first-class and clarifies timing (posts run each morning). Small trust indicators were added under the main CTA to state open source, read-only access, and that code never leaves GitHub.
Why this matters for builders
If you ship often, you want a low-friction way to share progress without leaking code or losing reliability. The LinkedIn integration lets you reach a professional audience directly from the same workflow you already use. The GraphQL-only commit reads and explicit field list mean your repository contents never leave GitHub. Rate limits and fail-open behavior keep public pages available even when something in the stack hiccups.
What's next
I'll finish polishing the MCP (manual commit poster) server package and make MCP the primary onboarding path on the site. Follow along this week for the self-host install walkthrough and the first open-source release notes.
Watch git-to-x ship, day by day
1 person is following the build