Add compliance pages, sitemap/robots, forgot-password flow, security headers, and route protections#115

Draft
support371 wants to merge 1 commit into
mainfrom
codex/complete-production-ready-application-tasks-hbd87f

Conversation

support371 commented Jun 28, 2026

Owner

Motivation

  • Surface privacy and trust materials and machine-readable routing info via dedicated cookie-policy, trust-center, sitemap.xml, and robots.txt endpoints for compliance and SEO.
  • Harden production defaults by adding strict security headers and a limited Content-Security-Policy as a report-only directive.
  • Provide a safe, rate-limited forgot-password API and user-facing recovery page that do not leak account existence.
  • Improve route hygiene by explicitly marking public/protected/admin routes and updating footer navigation for a dedicated cookie policy.

Description

  • Added security and privacy headers in next.config.js, including Strict-Transport-Security, Permissions-Policy, and a Content-Security-Policy-Report-Only entry, and added a redirect from /blog to /resources.
  • Implemented a rate-limited, audit-logged forgot-password API at src/app/api/auth/forgot-password/route.ts which returns a safe, non-enumerating response.
  • Added pages and routes: src/app/cookie-policy/page.tsx, src/app/trust-center/page.tsx, src/app/forgot-password/page.tsx, src/app/robots.txt/route.ts, and src/app/sitemap.xml/route.ts.
  • Updated routing and navigation: changed footer cookie link in src/components/Footer.tsx, added cookie-policy and trust-center to src/lib/siteRoutes.ts, removed the legacy redirect that previously forwarded /trust-center, and extended src/proxy.ts to expand protected and admin route prefixes while marking the new compliance pages as public.
  • Added a lightweight production readiness test file src/__tests__/production-readiness.test.ts to assert presence of key pages, proxy protections, and footer linkage.

Testing

  • Ran unit tests with vitest including the new production-readiness.test.ts, and all tests completed successfully.

Codex Task

Summary by Sourcery

Introduce compliance-focused public pages, secure account recovery, and production-ready security defaults across routing and infrastructure.

New Features:

  • Add public cookie policy and trust center pages with dedicated routing and footer navigation entries.
  • Expose sitemap.xml and robots.txt endpoints to surface canonical public routes and disallow protected application areas.
  • Provide a user-facing forgot-password page wired to a non-enumerating recovery flow.

Enhancements:

  • Strengthen proxy-based route protections by expanding protected and admin path prefixes while explicitly marking new compliance pages as always public.
  • Apply additional security headers in Next.js configuration, including HSTS, permissions policy, and a report-only content security policy, and add a redirect from /blog to /resources.
  • Integrate audit logging and rate limiting into the forgot-password API to support safe recovery traffic patterns.

Tests:

  • Add a production readiness test suite to validate presence of key public pages, route protections, and legal footer linkage.

vercel Bot commented Jun 28, 2026

Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
gem-enterprise Error Error Jun 28, 2026 1:42pm
gem-enterprise-in Error Error Jun 28, 2026 1:42pm
gem-enterprise-jx Error Error Jun 28, 2026 1:42pm
gem-enterprise-xf Error Error Jun 28, 2026 1:42pm
project-dtrl6 Error Error Jun 28, 2026 1:42pm
support371-gem-enterprise Error Error Jun 28, 2026 1:42pm
v0-continue-conversation Error Error Jun 28, 2026 1:42pm
v0-continue-conversation-3875 Error Error Jun 28, 2026 1:42pm
v0-deployment-alignment-task Error Error Jun 28, 2026 1:42pm
v0-image-analysis Error Error Jun 28, 2026 1:42pm
v0-my-website Error Error Jun 28, 2026 1:42pm
v0-v0-geraldhoeven-4141-ff89f7f-5 Error Error Jun 28, 2026 1:42pm

vercel Bot commented Jun 28, 2026

Contributor

Deployment failed with the following error:

The `vercel.json` schema validation failed with the following message: should NOT have additional property `_buildNote`

Learn More: https://vercel.com/docs/concepts/projects/project-configuration

sourcery-ai Bot commented Jun 28, 2026


Reviewer's Guide

Implements new compliance-facing pages and machine-readable endpoints, introduces a secure forgot-password flow, strengthens security headers and routing protections, and updates navigation and production readiness tests accordingly.

Sequence diagram for the new forgot-password flow

sequenceDiagram
  actor User
  participant ForgotPasswordPage
  participant ForgotPasswordAPI as POST_api_auth_forgot_password
  participant RateLimiter as rateLimit
  participant AuditLog as emitAuditLog
  participant DB as db.user

  User->>ForgotPasswordPage: Submit form (submit)
  ForgotPasswordPage->>ForgotPasswordAPI: fetch /api/auth/forgot-password
  ForgotPasswordAPI->>ForgotPasswordAPI: getRequestContext
  ForgotPasswordAPI->>RateLimiter: rateLimit
  alt [rate limited]
    RateLimiter-->>ForgotPasswordAPI: limit
    ForgotPasswordAPI->>AuditLog: emitAuditLog (failed_login)
    ForgotPasswordAPI-->>ForgotPasswordPage: rateLimitedResponse (429)
    ForgotPasswordPage-->>User: Show rate limit message
  else [within limit]
    ForgotPasswordAPI->>ForgotPasswordAPI: request.json
    ForgotPasswordAPI->>ForgotPasswordAPI: forgotPasswordSchema.safeParse
    alt [invalid request]
      ForgotPasswordAPI-->>ForgotPasswordPage: NextResponse.json (400)
      ForgotPasswordPage-->>User: Show generic error
    else [valid request]
      ForgotPasswordAPI->>DB: db.user.findUnique
      DB-->>ForgotPasswordAPI: user | null
      ForgotPasswordAPI->>AuditLog: emitAuditLog (password_change)
      ForgotPasswordAPI-->>ForgotPasswordPage: NextResponse.json(SAFE_RESPONSE)
      ForgotPasswordPage-->>User: Show non-enumerating success message
    end
  end

File-Level Changes

Change: Add cookie policy and trust center as first-class public compliance pages and wire them into routing/nav.
Details:
  • Extend canonicalRoutes with /cookie-policy and /trust-center entries marked public, canonical, and footer-visible
  • Create /cookie-policy page with table-based description of cookie categories, purposes, and consent behavior
  • Create /trust-center page summarizing security, data protection, compliance mappings, and vendor due diligence workflow
  • Update footer legal link to point Cookie Policy to the new /cookie-policy route
  • Remove legacy redirect that previously forwarded /trust-center to /compliance-notice
Files: src/lib/siteRoutes.ts, src/app/cookie-policy/page.tsx, src/app/trust-center/page.tsx, src/components/Footer.tsx

Change: Tighten route protections while explicitly marking public endpoints, and expose aligned rules via robots.txt and sitemap.xml.
Details:
  • Broaden PROTECTED_PREFIXES to cover additional application, account, billing, documents, messaging, requests, and community-hub paths
  • Extend ADMIN_PREFIXES to include /admin, /review, and /compliance/admin
  • Mark new compliance pages and forgot-password as ALWAYS_PUBLIC routes
  • Add robots.txt route that disallows protected/admin paths and references the sitemap using the configured base URL
  • Add sitemap.xml route that emits an XML sitemap including main marketing and compliance pages, sourced from a base URL env var with a default
Files: src/proxy.ts, src/app/robots.txt/route.ts, src/app/sitemap.xml/route.ts

Change: Strengthen default HTTP security headers and add a permanent redirect from /blog to /resources.
Details:
  • Configure Strict-Transport-Security with long max-age, subdomain coverage, and preload
  • Set a restrictive Permissions-Policy disabling sensitive browser features by default
  • Add a Content-Security-Policy-Report-Only header limiting key resource types while allowing Vercel analytics domains
  • Introduce a redirect mapping /blog to /resources in Next.js redirects config
Files: next.config.js

Change: Introduce a non-enumerating, rate-limited forgot-password API and corresponding user-facing recovery page.
Details:
  • Implement POST /api/auth/forgot-password handler that validates input with zod, enforces per-IP rate limits, and returns a constant safe response regardless of account existence
  • Integrate audit logging for rate-limit denials and successful/unsuccessful password reset requests including metadata
  • Look up users by normalized email in the database and record acceptance status without leaking that fact to the client
  • Build a client-side /forgot-password page with Suspense that posts to the API, handles rate-limit and error states, and uses neutral success messaging
  • Wire the forgot-password page into the public routes list for unauthenticated access
Files: src/app/api/auth/forgot-password/route.ts, src/app/forgot-password/page.tsx, src/proxy.ts


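The forgot-password flow described in the PR description ("safe, non-enumerating response") and drawn in the reviewer's guide sequence diagram, as an added example that is not the PR's code: a framework-free TypeScript model of the handler. Function names mirror the diagram; the in-memory user set, the 15-minute/5-request limit and the regex email check are assumptions standing in for db.user, the project's rate limiter and the zod schema.

```typescript
// Added example, not code from the PR: a framework-free model of the
// non-enumerating, rate-limited forgot-password handler from the PR
// description and the reviewer's guide. Function names mirror the diagram
// (rateLimit, emitAuditLog, SAFE_RESPONSE); the user table, limits and
// email check are constructed assumptions standing in for db.user and zod.

type Reply = { status: number; body: { message: string } };
type AuditEvent = { action: string; ip: string; accepted?: boolean };

const SAFE_RESPONSE = { message: "If that email is registered, a reset link is on its way." };
const WINDOW_MS = 15 * 60 * 1000; // assumed 15-minute window
const MAX_REQUESTS = 5; // assumed per-IP cap inside the window

// Constructed sample users standing in for db.user.findUnique.
const knownUsers = new Set(["alice@example.com"]);
const auditLog: AuditEvent[] = [];
const buckets = new Map<string, number[]>();

// Sliding-window counter keyed by client IP; true means "over the limit".
function rateLimit(ip: string, now: number): boolean {
  const hits = (buckets.get(ip) ?? []).filter((t) => now - t < WINDOW_MS);
  hits.push(now);
  buckets.set(ip, hits);
  return hits.length > MAX_REQUESTS;
}

function emitAuditLog(event: AuditEvent): void {
  auditLog.push(event); // the outcome is recorded server-side only
}

function forgotPassword(ip: string, rawBody: unknown, now = Date.now()): Reply {
  if (rateLimit(ip, now)) {
    emitAuditLog({ action: "failed_login", ip });
    return { status: 429, body: { message: "Too many requests. Try again later." } };
  }
  const email = (rawBody as { email?: unknown } | null)?.email;
  if (typeof email !== "string" || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { status: 400, body: { message: "Invalid request." } }; // generic error
  }
  const accepted = knownUsers.has(email.trim().toLowerCase());
  emitAuditLog({ action: "password_change", ip, accepted });
  // Token issuance and mail delivery would run here only when accepted;
  // the client receives the same status and body either way.
  return { status: 200, body: SAFE_RESPONSE };
}

function auditCount(): number {
  return auditLog.length;
}
```

An identical status and body for known and unknown addresses is necessary but not sufficient: the lookup and any mail-sending work should also not change response timing noticeably, which this model does not address.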
cloudflare-workers-and-pages Bot commented Jun 28, 2026


Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status: ❌ Deployment failed
Name: gem-enterprise
Latest Commit: 027653a
Updated (UTC): Jun 28 2026, 01:45 PM
