fix: comprehensive privacy engine and accessibility improvements

10-iteration automated review cycle covering bitcoin privacy auditor
and UI/UX reviewer agents. Key changes:

Privacy engine:
- Add OFAC sanctions check to pre-send destination flow
- Fix cluster analysis self-reuse bug (was following payment recipients as change)
- Expand CoinJoin cross-heuristic suppression from 5 to 9 finding types
- Recalibrate address reuse penalties and batch payment edge case
- Remove overly generic wallet fingerprint signals (nLockTime=0, nVersion)
- Add WabiSabi multi-tier denomination detection
- Fix spending analysis counting CoinJoin outputs as counterparties
- Wire AbortSignal through entire API layer (fetch retry, rate limiter, pagination)
- Add cancellable sleep to fetchWithRetry, immediately re-throw AbortError
- Case-insensitive OFAC bech32 matching, stricter address validation regex
- Correct methodology page impact ranges for H6, H7, H8, H9, H12, H15

Accessibility:
- Add skip-to-content link, aria-live phase announcements
- Add focus trap in ApiSettings panel with focus restore
- Remove all focus:outline-none overrides (12 instances)
- Fix text contrast (eliminate muted/30, muted/40; upgrade muted/50 on content)
- Add 44px touch targets on action bars, toggles, triggers, dismiss buttons
- Add prefers-reduced-motion support (CSS + JS)
- Fix 320px mobile overflow in PreSendResultPanel and TxSummary

UI polish:
- Make ConnectionBadge tappable with tooltip on mobile
- Fix TipToast/InstallPrompt overlap (stack vertically)
- Remove duplicate "100% client-side" from footer
- Replace all em dashes with hyphens across codebase and docs
- Remove onion.md from tracking, add to .gitignore

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Copexit

.gitignore

@@ -44,3 +44,4 @@ ROADMAP.md
 claw_braindump.md
 screenshots/
 cex_braindump.md
+onion.md

README.md

@@ -14,7 +14,7 @@ In April 2024, [OXT.me](https://oxt.me) and [KYCP.org](https://kycp.org) went of
 
 As of today, there is no publicly available tool that combines entropy estimation, wallet fingerprinting detection, CoinJoin pattern recognition, and dust attack warnings in a single interface. **am-i.exposed** fills that gap.
 
-For the full technical deep-dive — every heuristic, scoring weight, academic reference, threat model, and competitor analysis — see [`privacy_engine.md`](./privacy_engine.md).
+For the full technical deep-dive  - every heuristic, scoring weight, academic reference, threat model, and competitor analysis  - see [`privacy_engine.md`](./privacy_engine.md).
 
 ## How it works
 
@@ -28,7 +28,7 @@ For the full technical deep-dive — every heuristic, scoring weight, academic r
 **Your queries are not fully private.** Analysis runs client-side, but your browser makes API requests to [mempool.space](https://mempool.space) to fetch blockchain data. Their servers can see your IP address and which addresses/transactions you look up.
 
 For stronger privacy:
-- Use **Tor Browser** — the tool auto-detects Tor and routes API requests through the mempool.space `.onion` endpoint
+- Use **Tor Browser**  - the tool auto-detects Tor and routes API requests through the mempool.space `.onion` endpoint
 - Use a **trusted, no-log VPN**
 - **Wait** before querying a recent transaction (timing correlation is a real risk)
 
@@ -38,11 +38,11 @@ There is no am-i.exposed backend. No analytics. No cookies. No tracking. The sta
 
 | Grade | Score | Meaning |
 |-------|-------|---------|
-| A+ | 90-100 | Excellent — you know what you're doing |
-| B | 75-89 | Good — minor issues |
-| C | 50-74 | Fair — notable concerns |
-| D | 25-49 | Poor — significant exposure |
-| F | 0-24 | Critical — you might as well use Venmo |
+| A+ | 90-100 | Excellent  - you know what you're doing |
+| B | 75-89 | Good  - minor issues |
+| C | 50-74 | Fair  - notable concerns |
+| D | 25-49 | Poor  - significant exposure |
+| F | 0-24 | Critical  - you might as well use Venmo |
 
 Scoring starts at a base of 70. Each heuristic applies a positive or negative modifier. The sum is clamped to 0-100. Only CoinJoin participation, Taproot usage, and high entropy can raise the score. Everything else can only lower it.
 
@@ -55,11 +55,11 @@ Scoring starts at a base of 70. Each heuristic applies a positive or negative mo
 | **Round amount detection** | Round BTC/sat outputs that reveal payment vs change |
 | **Change detection** | Address type mismatch, unnecessary inputs, round-amount change, output ordering |
 | **Common input ownership (CIOH)** | Multi-input txs that link all your addresses to the same entity |
-| **CoinJoin detection** | Whirlpool, Wasabi/WabiSabi, and JoinMarket patterns — the only positive signal |
-| **Entropy estimation** | Simplified Boltzmann — how many valid input-output mappings exist |
+| **CoinJoin detection** | Whirlpool, Wasabi/WabiSabi, and JoinMarket patterns  - the only positive signal |
+| **Entropy estimation** | Simplified Boltzmann  - how many valid input-output mappings exist |
 | **Fee analysis** | Round fee rates and RBF signaling that narrow wallet identification |
 | **OP_RETURN metadata** | Permanent embedded data (Omni, OpenTimestamps, Runes, ASCII text) |
-| **Wallet fingerprinting** | nLockTime, nVersion, nSequence, BIP69 ordering, low-R signatures — identifies wallet software |
+| **Wallet fingerprinting** | nLockTime, nVersion, nSequence, BIP69 ordering, low-R signatures  - identifies wallet software |
 | **Script type mix** | Mixed address types across inputs/outputs that distinguish sender from recipient |
 | **Anonymity set estimation** | How large the set of indistinguishable participants is |
 | **Timing analysis** | Transaction patterns that correlate with off-chain behavior |
@@ -68,7 +68,7 @@ Scoring starts at a base of 70. Each heuristic applies a positive or negative mo
 
 | Heuristic | What it detects |
 |-----------|----------------|
-| **Address reuse** | The #1 privacy killer — harshest penalty in the model |
+| **Address reuse** | The #1 privacy killer  - harshest penalty in the model |
 | **UTXO set exposure** | Dust attack detection (<1000 sats), consolidation risk, UTXO count |
 | **Address type** | P2TR (Taproot) > P2WPKH (SegWit) > P2SH > P2PKH (Legacy) |
 | **Spending patterns** | How funds have moved through the address over time |
@@ -79,14 +79,14 @@ The engine doesn't run heuristics in isolation. CoinJoin detection suppresses CI
 
 ## Tech
 
-- **Next.js 16** static export — no server, hosted on GitHub Pages
-- **Client-side analysis** — heuristics run in your browser, not on a server
+- **Next.js 16** static export  - no server, hosted on GitHub Pages
+- **Client-side analysis**  - heuristics run in your browser, not on a server
 - **mempool.space API** primary, **Blockstream Esplora** fallback (mainnet only)
-- **Tor-aware** — auto-detects `.onion` and routes API requests through Tor
+- **Tor-aware**  - auto-detects `.onion` and routes API requests through Tor
 - **TypeScript** throughout
-- **Tailwind CSS 4** — dark theme
-- **PWA** — installable, works offline (after first load)
-- **bitcoinjs-lib** — raw transaction parsing for wallet fingerprinting
+- **Tailwind CSS 4**  - dark theme
+- **PWA**  - installable, works offline (after first load)
+- **bitcoinjs-lib**  - raw transaction parsing for wallet fingerprinting
 
 ## Development
 

TODO-custom-api.md

@@ -4,7 +4,7 @@
 Let advanced users point the tool at their own mempool.space instance (local or remote) instead of the public one. Privacy-conscious users run their own node + mempool and don't want to leak queries to mempool.space.
 
 ## UX
-- **NOT in your face** — this is for power users only
+- **NOT in your face**  - this is for power users only
 - Small gear/settings icon in the footer or header, or a collapsible "Advanced" section below the input
 - Clicking opens a minimal panel with a single text field: "Custom API endpoint"
 - Placeholder: `https://mempool.space/api` (the default)
@@ -16,18 +16,18 @@ Let advanced users point the tool at their own mempool.space instance (local or
 - Store in localStorage key: `ami-custom-api-url`
 - Validate: must be a URL, should respond to `/api/blocks/tip/height` (quick health check)
 - Pass through to the existing API client (`src/lib/api/client.ts` or `src/lib/api/mempool.ts`)
-- Fallback behavior: if custom endpoint fails, ask user — don't silently fall back to public (that would defeat the privacy purpose)
+- Fallback behavior: if custom endpoint fails, ask user  - don't silently fall back to public (that would defeat the privacy purpose)
 - Update CSP in layout.tsx to allow `connect-src` to any https origin when custom URL is set (or use a meta tag override)
 
 ## Examples of custom endpoints
-- `http://localhost:8999/api` — local mempool instance
-- `http://umbrel.local:3006/api` — Umbrel node
-- `https://mempool.mydomain.com/api` — self-hosted remote
-- `http://mempoolhqx4isw62xs7abwphsq7ldvnlk5.onion/api` — Tor
+- `http://localhost:8999/api`  - local mempool instance
+- `http://umbrel.local:3006/api`  - Umbrel node
+- `https://mempool.mydomain.com/api`  - self-hosted remote
+- `http://mempoolhqx4isw62xs7abwphsq7ldvnlk5.onion/api`  - Tor
 
 ## CSP consideration
 The current CSP only allows `connect-src` to mempool.space and blockstream.info. A custom URL needs to either:
-1. Relax CSP when custom URL is set (via JS, not meta tag — meta tags are static)
+1. Relax CSP when custom URL is set (via JS, not meta tag  - meta tags are static)
 2. Or remove the connect-src restriction entirely and rely on the user's judgment
 
 Option 2 is simpler and fine for a privacy tool aimed at technical users.