
fix(prompt-production): harden routes, add forgot-password, cookie & trust pages, and security headers#113

Draft
support371 wants to merge 4 commits into
mainfrom
codex/complete-production-ready-application-tasks

Conversation

@support371 support371 commented Jun 26, 2026

Owner

Motivation

  • Close security, compliance, and SEO gaps for production by protecting private Hub/client/admin routes and restoring missing public/legal pages.
  • Provide a working, rate-limited forgot-password flow that integrates with existing auth, audit, and DB helpers and avoids user-enumeration.
  • Improve crawl hygiene and site trust signals by adding a dedicated Cookie Policy, Trust Center, robots.txt, sitemap.xml, and security headers.

Description

  • Middleware/access: expanded protected route prefixes and admin-only prefixes in src/proxy.ts to enforce server-side routing rules for /community-hub/*, /account/*, /billing/*, /documents/*, /messages/*, /requests/*, and admin groups including /admin, /review, and /compliance/admin.
  • Forgot-password: added a client page src/app/forgot-password/page.tsx and a rate-limited, Zod-validated API endpoint src/app/api/auth/forgot-password/route.ts that logs via emitAuditLog, performs DB lookup with anti-enumeration behavior, and returns a safe, non-revealing response.
  • Legal & trust pages: added src/app/cookie-policy/page.tsx and src/app/trust-center/page.tsx, updated footer (src/components/Footer.tsx) and route registry (src/lib/siteRoutes.ts) to surface the new pages, and removed the stale legacy redirect for /trust-center.
  • Security & SEO: added HSTS, Permissions-Policy, and a conservative Content-Security-Policy in next.config.js, added a permanent redirect /blog -> /resources, and added src/app/robots.txt/route.ts plus src/app/sitemap.xml/route.ts to control crawlers and publish canonical public routes.
  • Tests & automation: added a lightweight production-readiness unit test src/__tests__/production-readiness.test.ts asserting presence of cookie/trust pages, middleware protections for Community Hub routes, and the footer Cookie Policy link.

Testing

  • pnpm install --frozen-lockfile completed successfully.
  • pnpm run db:generate completed successfully (Prisma client generated).
  • pnpm build completed successfully and Next.js compiled and prerendered static pages.
  • pnpm test (Vitest) passed: test suite ran and all tests passed (existing suite plus the new production-readiness test).

Codex Task

Summary by Sourcery

Strengthen production security and compliance by tightening protected routes, adding a secure forgot-password flow, publishing trust/legal pages, and configuring security/SEO headers and crawler controls.

New Features:

  • Introduce a public forgot-password page and API endpoint that provide a non-enumerating account recovery flow.
  • Add dedicated Cookie Policy and Trust Center pages and expose them via canonical routes and the footer.
  • Publish sitemap.xml and robots.txt endpoints to define canonical public routes and crawler rules.

Enhancements:

  • Expand middleware-protected and admin-only route prefixes to cover additional application, account, billing, document, messaging, request, and Community Hub paths.
  • Add HSTS, Permissions-Policy, and Content-Security-Policy response headers and a permanent /blog to /resources redirect in Next.js config.

Tests:

  • Add a production-readiness test to assert the presence of trust/legal pages, middleware protections, and footer links.
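Added example (not the PR's src/app/api/auth/forgot-password/route.ts, which this page does not show): a handler in the shape the description calls for, with an in-memory fixed-window limiter standing in for the project's rateLimit helper, a hand-rolled email check in place of the Zod schema, an array in place of emitAuditLog, and a constructed two-row user table in place of db.user.findUnique. Every name, action string and limit value is an assumption. The property it demonstrates is the anti-enumeration contract: the 200 body is identical whether or not the address belongs to an active account, the lookup result is recorded only in audit metadata, and a reset token is minted only for real accounts and stored as a hash.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Constructed user table standing in for db.user.findUnique (assumption: not the project's helper).
type UserRecord = { id: string; email: string; isActive: boolean };
const USERS: UserRecord[] = [
  { id: "u1", email: "alice@example.com", isActive: true },
  { id: "u2", email: "bob@example.com", isActive: false },
];
function findUserByEmail(email: string): UserRecord | null {
  return USERS.find((u) => u.email === email) ?? null;
}

// Audit sink standing in for emitAuditLog; the action names are this example's own.
export type AuditEvent = { action: string; ip: string; metadata: Record<string, unknown> };
export const auditLog: AuditEvent[] = [];

// Pending reset tokens keyed by SHA-256 of the token, so a leaked table does not yield usable links.
export const pendingResets = new Map<string, { userId: string; expiresAt: number }>();

// Fixed-window per-IP limiter standing in for the project's rateLimit. The key is the client IP, which is
// only trustworthy when the edge sets x-forwarded-for and the app ignores client-supplied values.
type Bucket = { count: number; windowStart: number };
const buckets = new Map<string, Bucket>();
export function rateLimit(key: string, max: number, windowMs: number, now: number): { allowed: boolean; retryAfterSeconds: number } {
  const b = buckets.get(key);
  if (!b || now - b.windowStart >= windowMs) {
    buckets.set(key, { count: 1, windowStart: now });
    return { allowed: true, retryAfterSeconds: 0 };
  }
  b.count += 1;
  if (b.count > max) return { allowed: false, retryAfterSeconds: Math.ceil((b.windowStart + windowMs - now) / 1000) };
  return { allowed: true, retryAfterSeconds: 0 };
}

// Hand-rolled stand-in for the Zod schema: a string of bounded length, trimmed, lower-cased, email-shaped.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
function parseBody(raw: unknown): { email: string } | null {
  if (typeof raw !== "object" || raw === null) return null;
  const email = (raw as { email?: unknown }).email;
  if (typeof email !== "string" || email.length > 254) return null;
  const normalized = email.trim().toLowerCase();
  return EMAIL_RE.test(normalized) ? { email: normalized } : null;
}

export const GENERIC_MESSAGE = "If an account exists for that address, a password reset link has been sent.";
const RESET_TTL_MS = 30 * 60 * 1000;

export function handleForgotPassword(input: { ip: string; rawBody: unknown; now: number }): { status: number; body: Record<string, unknown> } {
  // Limit before parsing, so malformed bodies also count against the caller.
  const limit = rateLimit(`forgot:${input.ip}`, 5, 15 * 60 * 1000, input.now);
  if (!limit.allowed) {
    auditLog.push({ action: "forgot_password_rate_limited", ip: input.ip, metadata: { retryAfterSeconds: limit.retryAfterSeconds } });
    return { status: 429, body: { error: "Too many requests", retryAfterSeconds: limit.retryAfterSeconds } };
  }
  const parsed = parseBody(input.rawBody);
  if (!parsed) return { status: 400, body: { error: "A valid email address is required." } };

  const user = findUserByEmail(parsed.email);
  const accepted = user !== null && user.isActive;
  if (user && accepted) {
    // Only a real, active account gets a token; the response below never reveals that this branch ran.
    const token = randomBytes(32).toString("base64url");
    const tokenHash = createHash("sha256").update(token).digest("hex");
    pendingResets.set(tokenHash, { userId: user.id, expiresAt: input.now + RESET_TTL_MS });
    // sendResetEmail(user.email, token) would be queued here, off the request path (assumed helper, not shown).
  }
  // The outcome is recorded for operators only; the address is hashed so the log is not a list of emails.
  const emailHash = createHash("sha256").update(parsed.email).digest("hex").slice(0, 16);
  auditLog.push({ action: "forgot_password_requested", ip: input.ip, metadata: { accepted, emailHash } });
  return { status: 200, body: { success: true, message: GENERIC_MESSAGE } };
}
```

Two caveats a reviewer would raise against any implementation of this shape: a limiter keyed on IP alone does not stop one client from flooding a single victim's inbox, so a second bucket keyed on the normalized email is worth adding; and if the email is sent synchronously in the request, response latency differs between the two branches, which is why the send belongs in a queue.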
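Added example, not the PR's next.config.js: a header set in the shape Next.js's headers() hook returns, with a weak starting point beside a hardened one, and a lint that checks what "conservative" should mean for HSTS and CSP (one-year max-age with includeSubDomains; default-src, object-src, frame-ancestors, base-uri and form-action present; no wildcard or un-nonced 'unsafe-inline' in script-src). The directive values are assumptions about this application, not its real policy. One caveat that applies to any script-src 'self' policy on Next.js: the framework injects inline scripts for hydration, so production builds generally need a per-request nonce (or hashes) in script-src, which the documented approach supplies from middleware.

```typescript
// Shape Next.js expects from headers() in next.config.js: { source, headers: [{ key, value }] }.
type Header = { key: string; value: string };

// Parse a CSP string into directive -> lower-cased source list.
function parseCsp(csp: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values.map((v) => v.toLowerCase()));
  }
  return directives;
}

// Returns a list of findings; an empty list means the set passes this example's checks.
export function lintSecurityHeaders(headers: Header[]): string[] {
  const findings: string[] = [];
  const byKey = new Map<string, string>();
  for (const h of headers) byKey.set(h.key.toLowerCase(), h.value);

  const hsts = byKey.get("strict-transport-security");
  const m = hsts ? /max-age=(\d+)/i.exec(hsts) : null;
  const maxAge = m ? Number(m[1]) : 0;
  if (maxAge < 31536000) findings.push("HSTS max-age below one year (or header missing)");
  if (hsts && !/includesubdomains/i.test(hsts)) findings.push("HSTS lacks includeSubDomains");

  const csp = byKey.get("content-security-policy");
  if (!csp) {
    findings.push("Content-Security-Policy missing");
    return findings;
  }
  const d = parseCsp(csp);
  for (const required of ["default-src", "frame-ancestors", "base-uri", "form-action", "object-src"]) {
    if (!d.has(required)) findings.push(`CSP missing ${required}`);
  }
  // script-src falls back to default-src when absent, so lint whichever applies.
  const script = d.get("script-src") ?? d.get("default-src") ?? [];
  const hasNonceOrHash = script.some((v) => v.startsWith("'nonce-") || v.startsWith("'sha256-") || v === "'strict-dynamic'");
  if (script.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push("script-src allows 'unsafe-inline' without nonce/hash");
  if (script.includes("*") || script.includes("https:")) findings.push("script-src allows any origin");
  const obj = d.get("object-src");
  if (obj && obj.join(" ") !== "'none'") findings.push("object-src is not 'none'");
  if (!(d.get("frame-ancestors") ?? []).every((v) => v === "'none'" || v === "'self'")) findings.push("frame-ancestors allows third-party framing");
  return findings;
}

// Weak starting point: short HSTS, wildcard script-src, no framing, base or form-action controls.
export const WEAK_HEADERS: Header[] = [
  { key: "Strict-Transport-Security", value: "max-age=3600" },
  { key: "Content-Security-Policy", value: "default-src *; script-src * 'unsafe-inline'" },
];

// Hardened set covering the directives the PR description names; the allow-list values are assumptions.
export const HARDENED_HEADERS: Header[] = [
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=(), payment=()" },
  {
    key: "Content-Security-Policy",
    value: [
      "default-src 'self'",
      "script-src 'self'",
      "style-src 'self' 'unsafe-inline'",
      "img-src 'self' data: https:",
      "font-src 'self' data:",
      "connect-src 'self'",
      "object-src 'none'",
      "frame-ancestors 'none'",
      "base-uri 'self'",
      "form-action 'self'",
    ].join("; "),
  },
];

// Usable as the body of headers() in next.config.js; applies the hardened set to every route.
export async function headers(): Promise<{ source: string; headers: Header[] }[]> {
  return [{ source: "/(.*)", headers: HARDENED_HEADERS }];
}
```

Running the lint in the production-readiness test, against the headers the config actually exports, turns "we added a conservative CSP" into an assertion that fails when someone later loosens script-src or drops frame-ancestors.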

vercel Bot commented Jun 26, 2026

Contributor

The latest updates on your projects.

Project                            Deployment   Updated (UTC)
gem-enterprise                     Error        Jun 26, 2026 11:52am
gem-enterprise-in                  Error        Jun 26, 2026 11:52am
gem-enterprise-jx                  Error        Jun 26, 2026 11:52am
gem-enterprise-xf                  Error        Jun 26, 2026 11:52am
project-dtrl6                      Error        Jun 26, 2026 11:52am
support371-gem-enterprise          Error        Jun 26, 2026 11:52am
v0-continue-conversation           Error        Jun 26, 2026 11:52am
v0-continue-conversation-3875      Error        Jun 26, 2026 11:52am
v0-deployment-alignment-task       Error        Jun 26, 2026 11:52am
v0-image-analysis                  Error        Jun 26, 2026 11:52am
v0-my-website                      Error        Jun 26, 2026 11:52am
v0-v0-geraldhoeven-4141-ff89f7f-5  Error        Jun 26, 2026 11:52am

vercel Bot commented Jun 26, 2026

Contributor

Deployment failed with the following error:

The `vercel.json` schema validation failed with the following message: should NOT have additional property `_buildNote`

Learn More: https://vercel.com/docs/concepts/projects/project-configuration

sourcery-ai Bot commented Jun 26, 2026


Reviewer's Guide

This PR hardens server-side route protection for app, account, community, and admin areas; implements a rate-limited, non-enumerating forgot-password flow; restores dedicated Cookie Policy and Trust Center pages; introduces SEO/crawl artifacts (robots.txt, sitemap.xml, blog redirect); and adds security headers plus a small production-readiness test to enforce key behaviors.

Sequence diagram for the new forgot-password flow

sequenceDiagram
  actor User
  participant ForgotPasswordPage
  participant ForgotPasswordAPI as POST_api_auth_forgot_password
  participant RateLimiter as rateLimit
  participant DB as db_user
  participant AuditLog as emitAuditLog

  User->>ForgotPasswordPage: Submit form (email)
  ForgotPasswordPage->>ForgotPasswordAPI: fetch /api/auth/forgot-password

  ForgotPasswordAPI->>ForgotPasswordAPI: getRequestContext
  ForgotPasswordAPI->>RateLimiter: rateLimit(ipAddress, options)
  RateLimiter-->>ForgotPasswordAPI: limit

  alt [rate limit exceeded]
    ForgotPasswordAPI->>AuditLog: emitAuditLog(action=failed_login)
    ForgotPasswordAPI->>ForgotPasswordAPI: rateLimitedResponse
    ForgotPasswordAPI-->>ForgotPasswordPage: 429 { retryAfterSeconds }
    ForgotPasswordPage-->>User: Show rate-limit message
  else [within limit]
    ForgotPasswordAPI->>ForgotPasswordAPI: request.json
    alt [invalid JSON or schema]
      ForgotPasswordAPI-->>ForgotPasswordPage: 400 { error }
      ForgotPasswordPage-->>User: Show validation error
    else [valid email]
      ForgotPasswordAPI->>DB: db.user.findUnique({ email })
      DB-->>ForgotPasswordAPI: user | null
      ForgotPasswordAPI->>AuditLog: emitAuditLog(action=password_change, metadata.accepted)
      ForgotPasswordAPI-->>ForgotPasswordPage: 200 { success, message }
      ForgotPasswordPage-->>User: Show generic success message
    end
  end

File-Level Changes

Change Details Files
Expand server-side route protection for authenticated and admin-only areas, while keeping new legal/trust routes public.
  • Broaden PROTECTED_PREFIXES to include account, billing, documents, messages, requests, and specific /community-hub subpaths that require authentication.
  • Broaden ADMIN_PREFIXES to include /admin, /review, and /compliance/admin as admin-only routes in addition to /app/admin.
  • Ensure Cookie Policy and Trust Center pages are always public by adding them to the ALWAYS_PUBLIC allowlist along with the forgot-password page.
src/proxy.ts
Add a rate-limited, Zod-validated forgot-password API and client page that avoid user enumeration while integrating with existing audit and DB helpers.
  • Introduce POST /api/auth/forgot-password endpoint that validates input via Zod, applies per-IP rate limiting, and emits audit logs on both rate-limit failures and successful processing.
  • Implement anti-enumeration behavior by performing a user lookup but always returning a generic success message regardless of lookup result, with metadata capturing whether a valid active user was found.
  • Add a client-side /forgot-password page that posts to the new API, handles loading/error/rate-limit/success states, supports an expired-link scenario via query param, and links back to the client login.
src/app/api/auth/forgot-password/route.ts
src/app/forgot-password/page.tsx
Introduce dedicated Cookie Policy and Trust Center pages and wire them into navigation and canonical route metadata.
  • Add /cookie-policy page with static content describing cookie categories, purposes, consent behavior, and session cookie details, including Next metadata for title/description.
  • Add /trust-center page with security/compliance overview, responsible disclosure info, compliance mappings, and a CTA for vendor due-diligence requests, including Next metadata.
  • Register both routes as public, canonical compliance pages in the siteRoutes registry and mark them to appear in the footer and correct menu groups.
  • Update footer legal links so Cookie Policy now points to the standalone /cookie-policy route instead of a privacy-page anchor and remove the legacy redirect that previously sent /trust-center to /compliance-notice.
src/app/cookie-policy/page.tsx
src/app/trust-center/page.tsx
src/lib/siteRoutes.ts
src/components/Footer.tsx
Tighten security headers and add a redirect from /blog to /resources at the Next.js config level.
  • Attach Strict-Transport-Security (HSTS), Permissions-Policy, and a conservative Content-Security-Policy via headers defined in next.config.js, covering scripts, styles, images, fonts, connect-src, frame-ancestors, base-uri, and form-action.
  • Add a permanent redirect rule to send /blog to /resources via the Next.js redirects() hook instead of handling it as a legacy redirect in siteRoutes.
next.config.js
src/lib/siteRoutes.ts
Add robots.txt and sitemap.xml routes tailored to public marketing routes and protected app areas.
  • Implement /robots.txt route that allows general crawling but explicitly disallows app, admin, account, billing, documents, messages, requests, and authenticated community-hub subpaths, and advertises the sitemap URL using NEXT_PUBLIC_APP_URL when available.
  • Implement /sitemap.xml route that returns a static list of canonical public marketing and legal URLs, using NEXT_PUBLIC_APP_URL (or the production domain default) as the base for entries.
src/app/robots.txt/route.ts
src/app/sitemap.xml/route.ts
Introduce a production-readiness test to guard key security and trust assumptions.
  • Add a unit test that asserts the presence of cookie-policy and trust-center routes in the canonical route registry, verifies that Community Hub member routes are marked as protected in middleware, and ensures the footer renders a Cookie Policy link.
src/__tests__/production-readiness.test.ts

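Added example, not the project's src/proxy.ts or src/app/robots.txt/route.ts: the route classification the reviewer's guide describes (ALWAYS_PUBLIC exact allowlist checked first, then ADMIN_PREFIXES, then PROTECTED_PREFIXES), with a robots.txt derived from the same two prefix lists so crawler rules cannot drift from the auth rules. The prefix entries are copied from the PR text; the ALWAYS_PUBLIC entries beyond the three pages the PR names, and the matching helpers, are assumptions. The two checks it adds that a plain startsWith does not give you: a segment boundary, so /admin never matches /administration, and path canonicalisation before matching, so percent-encoding, dot segments and doubled slashes cannot reach a protected route through a more permissive classification.

```typescript
// Lists modeled on the PR description of src/proxy.ts; the extra ALWAYS_PUBLIC entries are assumptions.
export const ALWAYS_PUBLIC = ["/", "/cookie-policy", "/trust-center", "/forgot-password", "/privacy", "/resources"];
export const PROTECTED_PREFIXES = ["/app", "/account", "/billing", "/documents", "/messages", "/requests", "/community-hub/members"];
export const ADMIN_PREFIXES = ["/app/admin", "/admin", "/review", "/compliance/admin"];

export type Access = "public" | "authenticated" | "admin";

// Segment-aware prefix test: "/admin" matches "/admin" and "/admin/users", not "/administration".
export function underPrefix(pathname: string, prefix: string): boolean {
  const withSlash = prefix.endsWith("/") ? prefix : prefix + "/";
  return pathname === prefix || pathname.startsWith(withSlash);
}

// Canonicalise before matching: strip the query, percent-decode, drop "" and "." segments, resolve "..",
// and lower-case so a case variant is never classified more permissively than the canonical route.
export function normalizePath(raw: string): string {
  const pathOnly = raw.split("?")[0];
  let decoded: string;
  try {
    decoded = decodeURIComponent(pathOnly);
  } catch {
    decoded = pathOnly; // malformed encoding: match on the raw form rather than throwing in middleware
  }
  const segments: string[] = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      segments.pop();
      continue;
    }
    segments.push(seg.toLowerCase());
  }
  return "/" + segments.join("/");
}

export function classify(raw: string): Access {
  const path = normalizePath(raw);
  if (ALWAYS_PUBLIC.includes(path)) return "public"; // exact match, so "/" does not open every route
  if (ADMIN_PREFIXES.some((p) => underPrefix(path, p))) return "admin";
  if (PROTECTED_PREFIXES.some((p) => underPrefix(path, p))) return "authenticated";
  return "public";
}

// The decision middleware would make from the session it reads; missing or insufficient session fails closed.
export function decide(raw: string, session: { role: "member" | "admin" } | null): { allow: boolean; status: number } {
  const access = classify(raw);
  if (access === "public") return { allow: true, status: 200 };
  if (!session) return { allow: false, status: 302 }; // redirect to login
  if (access === "admin" && session.role !== "admin") return { allow: false, status: 403 };
  return { allow: true, status: 200 };
}

// robots.txt built from the same lists. A Disallow without trailing slash also blocks "/administration";
// over-blocking crawlers is harmless, whereas an auth prefix that over-matches would be a bug.
export function robotsTxt(appUrl: string): string {
  const disallow = Array.from(new Set<string>([...PROTECTED_PREFIXES, ...ADMIN_PREFIXES])).sort();
  const lines = ["User-agent: *", "Allow: /", ...disallow.map((p) => `Disallow: ${p}`), `Sitemap: ${appUrl.replace(/\/$/, "")}/sitemap.xml`];
  return lines.join("\n") + "\n";
}
```

Keeping the prefix lists in one module that both the middleware and the robots.txt route import is what makes the production-readiness test meaningful: asserting that a Community Hub route is protected then also guarantees it is disallowed to crawlers, and vice versa.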

cloudflare-workers-and-pages Bot commented Jun 26, 2026


Deploying with Cloudflare Workers

The latest updates on your project.

Status                Name            Latest commit   Updated (UTC)
❌ Deployment failed  gem-enterprise  a0763eb         Jun 26 2026, 11:57 AM
