A public guestbook where visitors can leave short messages without creating an account — moderated by an AI gatekeeper and a human approver before publication.
Visit the Guestbook to leave a message.
How It Works
The guestbook uses a two-stage moderation pipeline to keep submissions genuine while keeping the barrier to entry as low as possible:
- Submit: Visitors fill out a simple form — name, message, and optional location. No sign-up or email required.
- Bot protection: Cloudflare Turnstile runs invisibly to block automated submissions.
- AI gatekeeper: Each submission is classified by gpt-4o-mini via the Vercel AI SDK. Obvious spam is auto-rejected; everything else goes to the human review queue.
- Human review: The site owner approves, rejects, or edits-then-approves each entry via an admin moderation page.
- Published: Approved messages appear on the public guestbook page.
Design Principles
- Zero information leakage: Every submission — whether approved, rate-limited, or rejected — receives the same “Thank you!” response. Attackers can't probe the system for feedback.
- AI never auto-approves: The AI can reject with high confidence, but all non-rejected submissions go to the human queue. A human always has the final say on what goes public.
- Privacy-first: No email collected. IP addresses are salted and hashed (SHA-256) for rate limiting — the raw IP is never stored.
- Resilient: The system degrades gracefully under error conditions, ensuring legitimate visitors are never blocked by transient issues.
Abuse Protection
Multiple layers of throttling keep costs low and the moderation queue manageable:
- Cloudflare Turnstile: Invisible bot detection on every submission
- Rate limiting: Per-IP and global submission caps enforced server-side
- Circuit breaker: Graceful degradation if the AI endpoint is unavailable
- Kill switch: Submissions can be disabled instantly without a code deploy
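The server-side decision logic described under Design Principles and Abuse Protection, as an added TypeScript example that is not the project's own code: salted SHA-256 IP hashing, an in-memory rate limiter standing in for the Supabase RPC, a circuit breaker that fails to the human queue, reject-only AI verdicts, and the single uniform response. The Classification shape, the 0.9 reject threshold, the caps and the salt are assumptions.

```typescript
import { createHash } from "crypto";

// Classifier result, modelled on the Zod structured output the gatekeeper uses (assumed shape).
type Classification = { spam: boolean; confidence: number };
type Outcome = "rejected" | "queued" | "rate_limited";

// Privacy-first: store only a salted SHA-256 digest of the client IP, never the raw address.
function hashIp(ip: string, salt: string): string {
  return createHash("sha256").update(`${salt}:${ip}`).digest("hex");
}

// Constructed in-memory stand-in for the Supabase RPC: per-IP cap plus a global cap.
class RateLimiter {
  private perIp = new Map<string, number>();
  private globalCount = 0;
  private perIpCap: number;
  private globalCap: number;
  constructor(perIpCap: number, globalCap: number) {
    this.perIpCap = perIpCap;
    this.globalCap = globalCap;
  }
  allow(ipHash: string): boolean {
    const n = this.perIp.get(ipHash) ?? 0;
    if (n >= this.perIpCap || this.globalCount >= this.globalCap) return false;
    this.perIp.set(ipHash, n + 1);
    this.globalCount += 1;
    return true;
  }
}

// Only a confident spam verdict auto-rejects; anything else, including a failed
// classifier call (null), lands in the human review queue. The AI never approves.
const REJECT_CONFIDENCE = 0.9; // assumed threshold
function decide(c: Classification | null): "rejected" | "queued" {
  return c !== null && c.spam && c.confidence >= REJECT_CONFIDENCE ? "rejected" : "queued";
}

// Server-side handling of one submission. The classifier is passed in (the real one
// calls the model and is async); it may throw when the AI endpoint is unavailable.
function submit(
  ip: string, salt: string, limiter: RateLimiter, classify: () => Classification,
): { response: string; outcome: Outcome } {
  const response = "Thank you!"; // identical for every outcome: zero information leakage
  if (!limiter.allow(hashIp(ip, salt))) return { response, outcome: "rate_limited" };
  let c: Classification | null = null;
  try { c = classify(); } catch { c = null; } // circuit breaker: degrade to human review
  return { response, outcome: decide(c) };
}
```

Because the IPv4 space is small, the digest is only unlinkable while the salt stays secret; keep it in server-side configuration rather than in the database beside the hashes.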
Tech Stack
- Frontend: Next.js 15 App Router — Server Component for the page, Client Component for the form
- Bot protection: Cloudflare Turnstile (invisible mode, via @marsidev/react-turnstile)
- AI classification: Vercel AI SDK generateObject with gpt-4o-mini and Zod structured output
- Database: Supabase PostgreSQL with Row Level Security
- Rate limiting: Supabase RPC function (per-IP hourly + global daily)
- Notifications: Slack webhook (optional)
- Animation: Framer Motion spring animation on submission confirmation