fix(suggestions): render structured suggestions correctly + docs sync

ScoreBreakdown rendered `<li>{suggestion}</li>` directly. when the LLM
returned StructuredSuggestion objects (with summary/details/impact/
platforms) instead of plain strings, svelte's text interpolation fell
back to String(obj) and shipped "[object Object]" to the page. fixed
with type-narrowing helpers (same pattern report.ts and ScoreDashboard
already use); structured suggestions now show their summary plus a
nested list of their details.

ScoreDashboard had the same class of bug in its non-deduplicated path
at the !structured fallback (`<p>{suggestion}</p>`). hardened with a
typeof guard so any malformed value renders empty rather than
"[object Object]".

JobDescriptionInput's debounced parser ran inside a fire-and-forget
async IIFE with no .catch(); a transient parser failure would surface
as an unhandled promise rejection. wrapped in try/catch with a
console.warn so the scan flow stays unaffected.

docs:
- api/rate-limits: documents the new 429 body shape (retryAfter field
  + reason discriminator) and the Retry-After header
- api/endpoints: documents the _cached response field, the in-memory
  cache behavior, and lists the new auxiliary endpoints (/healthz,
  /robots.txt, /sitemap.xml, /api/og, /share, /api/csp-report)
- pnpm build:docs run; static/docs refreshed

dry-tested via curl: /healthz, /robots.txt, /sitemap.xml, /api/og
(magic bytes valid + correct cache-control), /share, rate limiter
(11th request 429 with retry-after: 60), and a full LLM cache-hit
round-trip (46s -> 81ms, 573x). 183 tests + lint + typecheck + build
all green.

Author: sunnypatell

docs/src/content/docs/api/endpoints.md

@@ -103,20 +103,35 @@ Extract structured requirements from a job description without scoring a resume.
 			"suggestions": ["Add AWS and CI/CD keywords to match Workday's exact matching"]
 		}
 	],
-	"_provider": "gemini",
-	"_fallback": false
+	"_provider": "gemma-3-27b",
+	"_fallback": false,
+	"_cached": false
 }
 ```
 
 ### Response Fields
 
-| Field                    | Type     | Description                             |
-| ------------------------ | -------- | --------------------------------------- |
-| `results`                | array    | Array of 6 platform scoring objects     |
-| `results[].system`       | string   | Platform name                           |
-| `results[].overallScore` | number   | 0-100 weighted composite score          |
-| `results[].passesFilter` | boolean  | Whether resume passes initial screening |
-| `results[].breakdown`    | object   | Per-dimension scores and details        |
-| `results[].suggestions`  | string[] | Platform-specific improvement tips      |
-| `_provider`              | string   | Which LLM provider handled the request  |
-| `_fallback`              | boolean  | Whether a fallback provider was used    |
+| Field                    | Type                       | Description                                                                                                |
+| ------------------------ | -------------------------- | ---------------------------------------------------------------------------------------------------------- |
+| `results`                | array                      | Array of 6 platform scoring objects                                                                        |
+| `results[].system`       | string                     | Platform name                                                                                              |
+| `results[].overallScore` | number                     | 0-100 weighted composite score                                                                             |
+| `results[].passesFilter` | boolean                    | Whether resume passes initial screening                                                                    |
+| `results[].breakdown`    | object                     | Per-dimension scores and details                                                                           |
+| `results[].suggestions`  | string \| StructuredItem[] | Platform-specific improvement tips. May be plain strings (rule-based) or structured objects (LLM-enhanced) |
+| `_provider`              | string                     | Which LLM provider handled the request (e.g. `gemma-3-27b`, `groq-llama-3.3-70b`)                          |
+| `_fallback`              | boolean                    | `true` when all providers failed and the client must fall back to local rule-based scoring                 |
+| `_cached`                | boolean                    | `true` when the response was served from the in-memory result cache (sub-100ms, zero LLM cost)             |
+
+The server keeps a SHA-256 keyed in-memory LRU of recent prompts (200 entries, 24h TTL). Identical input hits the cache and returns instantly — the `_cached` flag tells you whether the response was a hit. The cache lives per Vercel instance; cold starts begin empty.
+
+## Auxiliary Endpoints
+
+| Path                | Method | Purpose                                                                                |
+| ------------------- | ------ | -------------------------------------------------------------------------------------- |
+| `/healthz`          | GET    | Liveness probe — JSON `{ status, timestamp }`. For uptime monitors                     |
+| `/robots.txt`       | GET    | Dynamic; the `Sitemap:` URL tracks the deployment origin                               |
+| `/sitemap.xml`      | GET    | Dynamic; lists public routes (`/`, `/scanner`, `/about`) with `lastmod` and `priority` |
+| `/api/og`           | GET    | Edge-cached PNG (`@vercel/og`) for share previews. Query: `score`, `pass`, `total`, optional `delta` |
+| `/share`            | GET    | Branded share landing page; reads the same query params and emits `og:image` pointing at `/api/og`     |
+| `/api/csp-report`   | POST   | Receives Content-Security-Policy violation reports for the report-only header set by `hooks.server.ts` |

docs/src/content/docs/api/rate-limits.md

@@ -32,18 +32,28 @@ Cache-Control: no-store
 
 ## Handling Rate Limits
 
-When you receive a `429` response:
+When you receive a `429` response, the body distinguishes which window was hit and the response includes a `Retry-After` header set to the seconds-until-reset for that window:
+
+```http
+HTTP/1.1 429 Too Many Requests
+Retry-After: 60
+Content-Type: application/json
+```
 
 ```json
 {
-	"error": "rate limit exceeded. try again in 60 seconds."
+	"error": "rate limit exceeded: too many requests this minute. retry after 60s.",
+	"retryAfter": 60
 }
 ```
 
+The error string ends with either `too many requests this minute` (per-minute window) or `daily limit reached` (per-day window). The `retryAfter` field (seconds) and the `Retry-After` header always match; clients can use either.
+
 **Best practices:**
 
-- Implement exponential backoff in your client
-- Cache results locally to avoid redundant requests
+- Honor the `Retry-After` header — it is the exact reset window for the limit you tripped
+- Cache results locally to avoid redundant requests (the server also caches identical inputs in-memory; see the `_cached` flag in [endpoints](./endpoints))
+- Implement exponential backoff for transient 5xx errors (rate-limit 429s should use Retry-After directly)
 - For high-volume use, self-host with your own API keys
 
 ## Self-Hosted Limits

src/lib/components/scoring/ScoreBreakdown.svelte

@@ -1,11 +1,26 @@
 <script lang="ts">
-	import type { ScoreResult } from '$engine/scorer/types';
+	import type { ScoreResult, Suggestion, StructuredSuggestion } from '$engine/scorer/types';
 	import { getScoreColor, getScoreLabel } from '$engine/scorer/classification';
 
 	let { result }: { result: ScoreResult } = $props();
 
 	// toggles the expanded state for this breakdown
 	let expanded = $state(false);
+
+	// suggestions can be either a plain string (legacy/rule-based path) or a
+	// StructuredSuggestion object (LLM path). without narrowing, svelte's text
+	// interpolation falls back to String(obj) and renders "[object Object]"
+	function isStructured(s: Suggestion): s is StructuredSuggestion {
+		return typeof s === 'object' && s !== null && 'summary' in s;
+	}
+	function suggestionText(s: Suggestion): string {
+		if (typeof s === 'string') return s;
+		if (isStructured(s)) return s.summary;
+		return '';
+	}
+	function suggestionDetails(s: Suggestion): string[] {
+		return isStructured(s) ? s.details : [];
+	}
 </script>
 
 <div class="breakdown" class:expanded>
@@ -190,7 +205,20 @@
 					<h4>Suggestions for {result.system}</h4>
 					<ul class="suggestion-list">
 						{#each result.suggestions as suggestion}
-							<li>{suggestion}</li>
+							{@const text = suggestionText(suggestion)}
+							{@const details = suggestionDetails(suggestion)}
+							{#if text}
+								<li>
+									<span class="suggestion-text">{text}</span>
+									{#if details.length > 0}
+										<ul class="suggestion-detail-list">
+											{#each details as detail}
+												<li>{detail}</li>
+											{/each}
+										</ul>
+									{/if}
+								</li>
+							{/if}
 						{/each}
 					</ul>
 				</div>
@@ -427,4 +455,31 @@
 		color: var(--accent-cyan);
 		font-weight: bold;
 	}
+
+	.suggestion-text {
+		display: block;
+	}
+
+	.suggestion-detail-list {
+		list-style: none;
+		padding: 0;
+		margin: 0.4rem 0 0.2rem;
+		display: flex;
+		flex-direction: column;
+		gap: 0.2rem;
+	}
+
+	.suggestion-detail-list li {
+		font-size: 0.78rem;
+		color: var(--text-tertiary);
+		padding-left: 0.85rem;
+		line-height: 1.5;
+	}
+
+	.suggestion-detail-list li::before {
+		content: '·';
+		left: 0;
+		color: var(--text-tertiary);
+		opacity: 0.7;
+	}
 </style>

src/lib/components/scoring/ScoreDashboard.svelte

@@ -640,7 +640,11 @@
 											{/each}
 										</ul>
 									{:else if !structured}
-										<p>{suggestion}</p>
+										<!-- defensive: if suggestion is somehow a non-string non-structured
+										value (e.g. malformed LLM output), interpolating directly would
+										render "[object Object]" - same class as the bug fixed in
+										ScoreBreakdown. typeof guard keeps the render type-safe -->
+										<p>{typeof suggestion === 'string' ? suggestion : ''}</p>
 									{/if}
 									{#if example}
 										<div class="suggestion-example">

src/lib/components/upload/JobDescriptionInput.svelte

@@ -37,17 +37,24 @@
 		}
 		let cancelled = false;
 		(async () => {
-			const { parseJobDescription } = await import('$engine/job-parser');
-			if (cancelled) return;
-			const result = parseJobDescription(v);
-			if (cancelled) return;
-			parsed = {
-				extractedSkills: result.extractedSkills.slice(0, 12),
-				requiredSkills: result.requiredSkills,
-				experienceLevel: result.experienceLevel,
-				roleType: result.roleType,
-				industryContext: result.industryContext
-			};
+			try {
+				const { parseJobDescription } = await import('$engine/job-parser');
+				if (cancelled) return;
+				const result = parseJobDescription(v);
+				if (cancelled) return;
+				parsed = {
+					extractedSkills: result.extractedSkills.slice(0, 12),
+					requiredSkills: result.requiredSkills,
+					experienceLevel: result.experienceLevel,
+					roleType: result.roleType,
+					industryContext: result.industryContext
+				};
+			} catch (err) {
+				// preview is best-effort - if the parser throws (corrupt input,
+				// transient import failure), keep the previous parsed state and
+				// log so it's grep-able in console without breaking the scan flow
+				console.warn('[jd-preview] parse failed:', err);
+			}
 		})();
 		return () => {
 			cancelled = true;