
Add compliance pages, sitemap/robots, forgot-password flow, security headers, and route protections#116

Draft
support371 wants to merge 1 commit into
mainfrom
codex/complete-production-ready-application-tasks-xr594l

Conversation


@support371 support371 commented Jun 28, 2026

Owner

Motivation

  • Surface privacy and trust materials and machine-readable routing info via dedicated cookie-policy, trust-center, sitemap.xml, and robots.txt endpoints for compliance and SEO.
  • Harden production defaults by adding strict security headers and a limited Content-Security-Policy as a report-only directive.
  • Provide a safe, rate-limited forgot-password API and user-facing recovery page that do not leak account existence.
  • Improve route hygiene by explicitly marking public/protected/admin routes and updating footer navigation for a dedicated cookie policy.

Description

  • Added security and privacy headers in next.config.js, including Strict-Transport-Security, Permissions-Policy, and a Content-Security-Policy-Report-Only entry, and added a redirect from /blog to /resources.
  • Implemented a rate-limited, audit-logged forgot-password API at src/app/api/auth/forgot-password/route.ts which returns a safe, non-enumerating response.
  • Added pages and routes: src/app/cookie-policy/page.tsx, src/app/trust-center/page.tsx, src/app/forgot-password/page.tsx, src/app/robots.txt/route.ts, and src/app/sitemap.xml/route.ts.
  • Updated routing and navigation: changed footer cookie link in src/components/Footer.tsx, added cookie-policy and trust-center to src/lib/siteRoutes.ts, removed the legacy redirect that previously forwarded /trust-center, and extended src/proxy.ts to expand protected and admin route prefixes while marking the new compliance pages as public.
  • Added a lightweight production readiness test file src/__tests__/production-readiness.test.ts to assert presence of key pages, proxy protections, and footer linkage.

Testing

  • Ran unit tests with vitest including the new production-readiness.test.ts, and all tests completed successfully.

Codex Task

Summary by Sourcery

Add public-facing compliance and trust pages, production security headers, and protected route definitions alongside a non-enumerating forgot-password flow.

New Features:

  • Introduce dedicated Cookie Policy and Trust Center pages and expose them via site routing, footer navigation, sitemap, and robots metadata.
  • Add a user-facing forgot-password page and corresponding API endpoint that supports secure, rate-limited account recovery without revealing account existence.
  • Provide sitemap.xml and robots.txt endpoints to surface key marketing and compliance pages to search engines.

Enhancements:

  • Expand proxy protection rules to cover additional application, account, billing, and community routes while explicitly marking new compliance routes as always public.
  • Strengthen default response headers with HSTS, permissions policy, and a report-only content security policy, and add a redirect from /blog to /resources for canonical content routing.

Tests:

  • Add a production readiness test suite to assert availability of critical pages, route protections, and legal footer links.


vercel Bot commented Jun 28, 2026

Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
gem-enterprise Error Error Jun 28, 2026 1:42pm
gem-enterprise-in Error Error Jun 28, 2026 1:42pm
gem-enterprise-jx Error Error Jun 28, 2026 1:42pm
gem-enterprise-xf Error Error Jun 28, 2026 1:42pm
project-dtrl6 Error Error Jun 28, 2026 1:42pm
support371-gem-enterprise Error Error Jun 28, 2026 1:42pm
v0-continue-conversation Error Error Jun 28, 2026 1:42pm
v0-continue-conversation-3875 Error Error Jun 28, 2026 1:42pm
v0-deployment-alignment-task Error Error Jun 28, 2026 1:42pm
v0-image-analysis Error Error Jun 28, 2026 1:42pm
v0-my-website Error Error Jun 28, 2026 1:42pm
v0-v0-geraldhoeven-4141-ff89f7f-5 Error Error Jun 28, 2026 1:42pm


vercel Bot commented Jun 28, 2026

Contributor

Deployment failed with the following error:

The `vercel.json` schema validation failed with the following message: should NOT have additional property `_buildNote`

Learn More: https://vercel.com/docs/concepts/projects/project-configuration


sourcery-ai Bot commented Jun 28, 2026


Reviewer's Guide

Implements new compliance-focused public pages, a rate-limited forgot-password flow, security/SEO infrastructure (headers, sitemap, robots), and expanded route protections, plus a production readiness test to assert these behaviors.

Sequence diagram for the new forgot-password flow

sequenceDiagram
  actor User
  participant ForgotPasswordPage
  participant ForgotPasswordAPI as ForgotPasswordRoute
  participant RateLimiter
  participant AuditLog
  participant Database

  User->>ForgotPasswordPage: Submit email via form
  ForgotPasswordPage->>ForgotPasswordAPI: POST /api/auth/forgot-password (email)
  ForgotPasswordAPI->>RateLimiter: rateLimit(ipAddress, options)
  RateLimiter-->>ForgotPasswordAPI: limit.ok / retryAfterSeconds
  alt [rate limited]
    ForgotPasswordAPI->>AuditLog: emitAuditLog(failed_login)
    ForgotPasswordAPI->>ForgotPasswordPage: rateLimitedResponse(retryAfterSeconds)
  else [within limit]
    ForgotPasswordAPI->>ForgotPasswordAPI: request.json()
    ForgotPasswordAPI->>ForgotPasswordAPI: forgotPasswordSchema.safeParse(body)
    alt [invalid request]
      ForgotPasswordAPI->>ForgotPasswordPage: NextResponse.json({ error }, 400)
    else [valid request]
      ForgotPasswordAPI->>Database: db.user.findUnique({ where: { email } })
      Database-->>ForgotPasswordAPI: user | null
      ForgotPasswordAPI->>AuditLog: emitAuditLog(password_change)
      ForgotPasswordAPI->>ForgotPasswordPage: NextResponse.json(SAFE_RESPONSE)
    end
  end

  ForgotPasswordPage-->>User: Show success / error / rate-limit message

File-Level Changes

Change Details Files
Add public cookie policy and trust center pages and integrate them into routing/navigation.
  • Registered /cookie-policy and /trust-center as canonical, public routes with legal ownership metadata.
  • Removed the legacy redirect from /trust-center to /compliance-notice to allow the new page to resolve directly.
  • Updated footer legal links so Cookie Policy now points to the dedicated /cookie-policy route.
  • Implemented a Cookie Policy page describing cookie categories, purposes, and consent behavior with presentational table UI.
  • Implemented a Trust Center page outlining security, disclosure, data protection, and compliance mappings with call-to-action for vendor due diligence.
src/lib/siteRoutes.ts
src/components/Footer.tsx
src/app/cookie-policy/page.tsx
src/app/trust-center/page.tsx
Introduce a secure, rate-limited forgot-password flow with a non-enumerating UX.
  • Added a client-side forgot-password page that posts email input to the API, handles loading/success/error/rate-limit states, and avoids revealing account existence.
  • Hooked the forgot-password page into the public route allowlist so it is accessible without authentication.
  • Implemented an API route that validates input with zod, applies IP-based rate limiting, and returns a safe, generic success message.
  • Integrated audit logging for both rate-limited attempts and accepted/declined reset requests, including user context when available.
  • Ensured the API does not leak user enumeration by always returning the same success payload when requests are valid.
src/app/forgot-password/page.tsx
src/app/api/auth/forgot-password/route.ts
src/proxy.ts
Tighten security and privacy via HTTP headers and CSP, and add a canonical blog redirect.
  • Configured global response headers to include HSTS, Permissions-Policy, and a CSP-Report-Only policy alongside existing security/privacy headers.
  • Set CSP-Report-Only directives for scripts, styles, images, fonts, connections, framing, base URI, and form actions, scoped primarily to self and Vercel analytics endpoints.
  • Added a permanent redirect from /blog to /resources via Next.js redirects instead of legacy routing metadata.
next.config.js
src/lib/siteRoutes.ts
Define sitemap and robots endpoints aligned with public/protected routes and SEO needs.
  • Implemented a sitemap.xml route that emits XML for a curated list of primary marketing and compliance pages, using a configurable base URL.
  • Implemented a robots.txt route that allows general crawling, explicitly disallows application/admin and community hub paths, and links to the sitemap URL.
  • Reused the same base URL resolution logic in both endpoints, defaulting to the production domain when NEXT_PUBLIC_APP_URL is unset.
src/app/sitemap.xml/route.ts
src/app/robots.txt/route.ts
Expand proxy-based route protection and mark compliance pages as always public.
  • Extended PROTECTED_PREFIXES to cover account, billing, documents, messages, requests, and community-hub subpaths requiring authentication.
  • Extended ADMIN_PREFIXES to include /admin, /review, and /compliance/admin to ensure these paths are gated by admin access checks.
  • Marked /cookie-policy and /trust-center as ALWAYS_PUBLIC so they bypass auth, matching their use as public legal/compliance pages.
src/proxy.ts
Add a production readiness test suite to assert key compliance, routing, and protection behaviors.
  • Introduced a new test file (contents not shown in diff) to verify presence of compliance pages, protected/admin route coverage, and footer linkage.
  • Ensured this test is wired into the existing Vitest suite and passes alongside other tests.
src/__tests__/production-readiness.test.ts

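The rate-limited, non-enumerating forgot-password handler described in the PR description and in the sequence diagram above, as an added dependency-free TypeScript model (not the PR's route.ts, which uses zod, NextResponse and the project's db, rateLimit and emitAuditLog helpers). The in-memory fixed-window limiter, the 5-requests-per-15-minutes budget, the audit action names and the minimal email check are all assumptions:

```typescript
// Added example, not the PR's route.ts: a dependency-free model of the rate-limited,
// non-enumerating forgot-password handler. All names and limits here are assumptions.
type AuditEvent = { action: string; ip: string; userId?: string };
type Deps = {
  findUserByEmail: (email: string) => { id: string } | null; // stands in for db.user.findUnique
  emitAuditLog: (event: AuditEvent) => void;
  now: () => number; // injected clock so the limiter is testable
};
export type Result = { status: number; body: Record<string, unknown>; retryAfter?: number };

// One payload for registered and unregistered addresses alike, so the reply
// cannot be used to confirm whether an account exists.
export const SAFE_RESPONSE = {
  ok: true,
  message: "If an account exists for that email, a reset link has been sent.",
};

// Fixed-window limiter keyed by client IP; in-memory state is an assumption for the example.
const buckets = new Map<string, { count: number; resetAt: number }>();
export function rateLimit(key: string, limit: number, windowMs: number, now: number) {
  const b = buckets.get(key);
  if (!b || now >= b.resetAt) {
    buckets.set(key, { count: 1, resetAt: now + windowMs });
    return { ok: true, retryAfterSeconds: 0 };
  }
  b.count += 1;
  if (b.count > limit) return { ok: false, retryAfterSeconds: Math.ceil((b.resetAt - now) / 1000) };
  return { ok: true, retryAfterSeconds: 0 };
}

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // minimal stand-in for the zod schema

export function handleForgotPassword(ip: string, rawBody: unknown, deps: Deps): Result {
  // Rate limiting runs before parsing, so malformed floods are throttled too.
  const limit = rateLimit(ip, 5, 15 * 60_000, deps.now());
  if (!limit.ok) {
    deps.emitAuditLog({ action: "forgot_password.rate_limited", ip });
    return { status: 429, body: { error: "Too many requests" }, retryAfter: limit.retryAfterSeconds };
  }
  const email = (rawBody as { email?: unknown } | null)?.email;
  if (typeof email !== "string" || !EMAIL_RE.test(email)) {
    // The only distinct error: it depends on the input's shape, never on account data.
    return { status: 400, body: { error: "A valid email address is required" } };
  }
  const user = deps.findUserByEmail(email.trim().toLowerCase());
  // Record who asked (with user context when known) but never vary what the client sees.
  deps.emitAuditLog({ action: "forgot_password.requested", ip, userId: user?.id });
  return { status: 200, body: SAFE_RESPONSE };
}
```

The property worth asserting in a readiness test is that a registered and an unregistered address produce identical responses; only malformed input and the rate limiter return anything different.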


cloudflare-workers-and-pages Bot commented Jun 28, 2026


Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
❌ Deployment failed
View logs
gem-enterprise 368e426 Jun 28 2026, 01:48 PM
