
Production readiness: security headers, global error boundary, JSON-LD, font display swap, schema tests#4

Draft
Copilot wants to merge 2 commits into main from copilot/audit-codebase-for-production-readiness


Copilot AI commented Mar 19, 2026

Addresses a comprehensive production readiness audit identifying missing security hardening, error boundaries, structured data, and test coverage gaps.

Security Headers

Added 7 HTTP response headers via next.config.ts, applied to all routes:

const securityHeaders = [
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=(), interest-cohort=()" },
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
  { key: "Content-Security-Policy", value: "default-src 'self'; script-src 'self' 'unsafe-inline'; ..." },
  // ...
];

unsafe-eval explicitly excluded from CSP script-src.

Error Handling

  • Added src/app/global-error.tsx — catches crashes in the root layout itself (e.g., <Header>, <Providers>). Uses inline styles since global CSS may not load when the root layout fails.

JSON-LD Structured Data

  • layout.tsx: Person schema injected into <head> — name, jobTitle, email, GitHub, LinkedIn
  • blog/[slug]/page.tsx: BlogPosting schema per article — headline, dates, author, optional image

Font Performance

Added display: "swap" to all three next/font/google declarations (Sora, Source Sans 3, JetBrains Mono), eliminating FOIT and improving CLS/FCP.

Tests

Added src/schemas/blog.test.ts with 9 unit tests covering Zod schema validation: valid payloads, slug format enforcement, URL validation for cover images, and currentSlug requirement on updates.

CI

  • Added bun audit step before build for dependency vulnerability scanning
  • Added NEXT_PUBLIC_APP_URL env var to the build step to satisfy env validation
Original prompt

You are a multi-disciplinary engineering team performing a production readiness audit on this codebase. You embody seven specialist perspectives simultaneously and apply each when its domain is relevant:

  1. Backend Architect — Database schema, data access layer, API design, error handling, migrations, env management.
  2. Frontend Developer — Component architecture, Server vs Client Component boundaries, performance (Core Web Vitals), responsive design, bundle optimization.
  3. Security Engineer — STRIDE threat model, OWASP Top 10, input validation at every trust boundary, auth/authz enforcement, secrets handling, security headers, CSP, supply chain.
  4. Code Reviewer — Correctness, maintainability, naming, duplication, test coverage. Prioritize as 🔴 blocker / 🟡 suggestion / 💭 nit.
  5. Technical Writer — README accuracy, inline documentation, JSDoc/TSDoc coverage, onboarding clarity (5-second test), migration guides for breaking changes.
  6. UX/Whimsy Designer — Accessible micro-interactions, error/empty/loading states with personality, dark/light theme implementation, motion respect (prefers-reduced-motion).
  7. SEO Specialist — Metadata, structured data (JSON-LD), Open Graph/Twitter Cards, sitemap, robots.txt, canonical URLs, Core Web Vitals as ranking signals.

Project Context

This is a personal portfolio and blog built with:

  • Next.js 16 (App Router), React 19, TypeScript 5.9
  • Tailwind CSS 4, Drizzle ORM, LibSQL/Turso
  • NextAuth (GitHub OAuth, single-admin model)
  • Bun runtime, Zod validation, Shiki syntax highlighting
  • Deployed on Vercel

The app is functionally complete. The goal is to identify every gap between current state and production-grade quality, then produce a prioritized remediation plan.


Audit Instructions

Phase 1 — Full Codebase Scan

Walk through every file in the project. For each area below, assess current state against the standard described. Note what exists, what's missing, and what's misconfigured.

Phase 2 — Findings Report

Produce findings organized by specialist domain. Each finding must include:

  • Priority: 🔴 Blocker (ship-blocking) / 🟡 Should Fix (pre-launch) / 💭 Nice to Have (post-launch)
  • Location: File path and line range
  • Current State: What the code does now
  • Expected State: What production-grade looks like
  • Remediation: Concrete code change, config change, or new file needed
  • Why: The principle or risk that makes this matter

Phase 3 — Prioritized TODO List

After all findings, produce a single consolidated TODO list grouped into three tiers:

  1. 🔴 Ship Blockers — Security vulnerabilities, data loss risks, broken auth, missing error handling on critical paths, secrets exposure
  2. 🟡 Pre-Launch — Missing validation, incomplete SEO, accessibility gaps, missing tests for important paths, performance issues, documentation gaps
  3. 💭 Post-Launch — Code quality improvements, DX enhancements, advanced optimizations, whimsy/polish, nice-to-have features

Within each tier, order by effort (quick wins first).


Audit Checklist — Apply These Standards

TypeScript & Code Quality

  • strict: true in tsconfig — no any, no as assertions, no ! non-null assertions
  • noUncheckedIndexedAccess: true enabled
  • Zod validation at every trust boundary (server actions, API routes, env vars)
  • Type narrowing via .parse() or type guards, never as
  • No barrel exports except components/ui/
  • One component per file
  • Absolute imports with @/* path alias
  • Exact pinned dependency versions in package.json (no ^ or ~)
  • bun.lock committed

Security

  • Every server action checks auth AND validates input
  • Data Access Layer uses server-only imports — never SELECT *
  • No sensitive data passed through closures in server actions
  • No dangerouslySetInnerHTML with user-controlled input
  • Security headers configured (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
  • Rate limiting on mutation endpoints
  • CORS configured for production domain only
  • Env vars validated with Zod at startup — .env / .env.local in .gitignore
  • No secrets in client bundles, logs, or error responses
  • AUTH_SECRET is a dedicated random value, not derived from other secrets
  • STRIDE threat model documented for auth flow, admin CRUD, and public API surface
  • CI security scanning (SAST, dependency audit, secrets detection) configured or documented

Server/Client Component Architecture

  • Server Components by default — "use client" only for interactivity, hooks, browser APIs
  • "use client" boundary pushed as far down the component tree as possible
  • No full DB records passed as props to client components
  • Proper <Suspense> boundaries around slow data fetches

Database & Data Access

  • Migrations are append-only and idempotent (`IF NO...


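The description's JSON-LD section says a Person schema is injected into <head> and a BlogPosting schema is emitted per article. The following is an added example, not the PR's code, of how such objects are built and serialized for a `<script type="application/ld+json">` element. Plain JSON.stringify is not enough there: a headline (admin-editable in this project's single-admin model) containing `</script>` would close the element and inject markup, so the serializer escapes `<`, `>` and `&` as JSON `\uXXXX` sequences, which keeps the output valid JSON while making a breakout impossible. The site URL, field names and sample post are assumptions for illustration.

```typescript
// Added example, not the project's layout.tsx / page.tsx. Builds Person and
// BlogPosting JSON-LD objects and serializes them safely for a <script> element.
// SITE_URL, the field names and the sample data are assumptions.

type Person = { name: string; jobTitle: string; email: string; sameAs: string[] };
type BlogPost = {
  headline: string;
  slug: string;
  datePublished: string;
  dateModified?: string;
  coverImage?: string;
};

const SITE_URL = "https://example.com"; // assumed; the project reads NEXT_PUBLIC_APP_URL

function personJsonLd(p: Person) {
  return {
    "@context": "https://schema.org",
    "@type": "Person",
    name: p.name,
    jobTitle: p.jobTitle,
    email: p.email,
    sameAs: p.sameAs, // e.g. GitHub and LinkedIn profile URLs
  };
}

function blogPostingJsonLd(post: BlogPost, author: Person) {
  return {
    "@context": "https://schema.org",
    "@type": "BlogPosting",
    headline: post.headline,
    url: `${SITE_URL}/blog/${post.slug}`,
    datePublished: post.datePublished,
    dateModified: post.dateModified ?? post.datePublished,
    author: { "@type": "Person", name: author.name },
    ...(post.coverImage ? { image: post.coverImage } : {}), // optional, as in the PR
  };
}

/**
 * JSON.stringify plus escapes for the characters that matter inside an HTML
 * <script> element. Each replacement is a JSON unicode escape, so JSON.parse
 * on the result gives back exactly the original data.
 */
function safeJsonLd(data: unknown): string {
  return JSON.stringify(data)
    .replace(/</g, "\\u003c")   // blocks "</script>" breakout
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")   // keeps entity-like text inert
    .replace(/\u2028/g, "\\u2028") // JS line terminators that are legal in JSON strings
    .replace(/\u2029/g, "\\u2029");
}

/** The string to hand to dangerouslySetInnerHTML={{ __html: ... }} on the script tag. */
function jsonLdScriptTag(data: unknown): string {
  return `<script type="application/ld+json">${safeJsonLd(data)}</script>`;
}
```

In a React component the value of safeJsonLd(...) is what goes into `dangerouslySetInnerHTML={{ __html: ... }}` on the `<script type="application/ld+json">` element; rendering the raw JSON.stringify output there is the one place the audit's "no dangerouslySetInnerHTML with user-controlled input" rule is easy to violate without noticing.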

vercel Bot commented Mar 19, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: web-dev-blogsite
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): Mar 19, 2026 0:12am

…font display swap, schema tests, CI enhancements

Co-authored-by: JevonThompsonx <104575457+JevonThompsonx@users.noreply.github.com>
Copilot AI changed the title [WIP] Conduct production readiness audit on codebase Production readiness: security headers, global error boundary, JSON-LD, font display swap, schema tests Mar 19, 2026
Copilot AI requested a review from JevonThompsonx March 19, 2026 00:14