
Add compliance pages, sitemap/robots, forgot-password flow, security headers, and route protections#117

Draft
support371 wants to merge 1 commit into
mainfrom
codex/complete-production-ready-application-tasks-oiw7c1

Conversation


@support371 support371 commented Jun 28, 2026

Owner

Motivation

  • Surface privacy and trust materials and machine-readable routing info via dedicated cookie-policy, trust-center, sitemap.xml, and robots.txt endpoints for compliance and SEO.
  • Harden production defaults by adding strict security headers and a limited Content-Security-Policy as a report-only directive.
  • Provide a safe, rate-limited forgot-password API and user-facing recovery page that do not leak account existence.
  • Improve route hygiene by explicitly marking public/protected/admin routes and updating footer navigation for a dedicated cookie policy.

Description

  • Added security and privacy headers in next.config.js, including Strict-Transport-Security, Permissions-Policy, and a Content-Security-Policy-Report-Only entry, and added a redirect from /blog to /resources.
  • Implemented a rate-limited, audit-logged forgot-password API at src/app/api/auth/forgot-password/route.ts which returns a safe, non-enumerating response.
  • Added pages and routes: src/app/cookie-policy/page.tsx, src/app/trust-center/page.tsx, src/app/forgot-password/page.tsx, src/app/robots.txt/route.ts, and src/app/sitemap.xml/route.ts.
  • Updated routing and navigation: changed footer cookie link in src/components/Footer.tsx, added cookie-policy and trust-center to src/lib/siteRoutes.ts, removed the legacy redirect that previously forwarded /trust-center, and extended src/proxy.ts to expand protected and admin route prefixes while marking the new compliance pages as public.
  • Added a lightweight production readiness test file src/__tests__/production-readiness.test.ts to assert presence of key pages, proxy protections, and footer linkage.

Testing

  • Ran unit tests with vitest including the new production-readiness.test.ts, and all tests completed successfully.

Codex Task

Summary by Sourcery

Add new public compliance pages, a secure forgot-password flow, SEO-friendly sitemap/robots endpoints, stricter security headers, and expanded route protections for authenticated and admin areas.

New Features:

  • Expose dedicated cookie policy and trust center pages and wire them into site navigation and routing.
  • Provide a user-facing forgot-password page backed by a non-enumerating, rate-limited API endpoint.
  • Serve sitemap.xml and robots.txt from the app with explicit allow/deny rules and sitemap discovery.

Enhancements:

  • Tighten security defaults by adding HSTS, permissions policy, and a report-only content security policy header.
  • Expand proxy route protection lists to cover additional authenticated and admin path prefixes while marking new compliance routes as always public.
  • Add a permanent redirect from /blog to /resources and remove an obsolete trust-center legacy redirect.

Tests:

  • Introduce a production readiness test suite to assert presence of key pages, route protections, and footer linkage.
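The route hygiene and robots/sitemap items above share one idea: gating and crawler hints should be derived from the same route lists so they cannot drift apart. The following is an added example written for this page, not the project's src/proxy.ts, robots.txt or sitemap.xml routes; the prefix lists are modelled on the PR description but are not the project's exact lists, and the base URL and lastmod value are assumptions.

```typescript
// Added example, not the project's src/proxy.ts, robots.txt or sitemap.xml
// routes. It classifies a path as public/protected/admin from prefix lists,
// then derives robots.txt Disallow rules and the sitemap from those same lists.
// The prefix lists, base URL and lastmod value are illustrative assumptions.

export type RouteClass = "public" | "protected" | "admin";

// Modelled on the prefixes named in the PR description; not the exact lists.
export const PUBLIC_ROUTES = ["/", "/resources", "/cookie-policy", "/trust-center", "/forgot-password"];
export const PROTECTED_PREFIXES = ["/app", "/account", "/billing", "/documents", "/messages", "/requests", "/community-hub"];
export const ADMIN_PREFIXES = ["/admin", "/review", "/compliance/admin"];

// Drop query/fragment, collapse "//" and strip a trailing slash (root excepted)
// so "/admin/", "//admin" and "/admin?x=1" all compare equal to "/admin".
export function normalizePath(raw: string): string {
  const pathOnly = raw.split(/[?#]/)[0] ?? "";
  const collapsed = pathOnly.replace(/\/{2,}/g, "/");
  if (collapsed.length > 1 && collapsed.endsWith("/")) return collapsed.slice(0, -1);
  return collapsed === "" ? "/" : collapsed;
}

// Segment-aware prefix test. A plain startsWith("/admin") would also match
// "/administration", so gating would apply to paths never meant to be admin,
// and an allow-list built the same way would be over-broad.
export function underPrefix(path: string, prefix: string): boolean {
  return path === prefix || path.startsWith(prefix + "/");
}

// Deny lists are consulted first and the most privileged match wins, so a
// route accidentally added to a public list can never open an admin path.
export function classifyRoute(raw: string): RouteClass {
  const path = normalizePath(raw);
  if (ADMIN_PREFIXES.some((p) => underPrefix(path, p))) return "admin";
  if (PROTECTED_PREFIXES.some((p) => underPrefix(path, p))) return "protected";
  return "public";
}

// robots.txt: Disallow every gated prefix. robots matching is plain prefix
// matching, so "Disallow: /admin" also covers "/admin/users"; over-blocking
// crawlers is harmless. This is a hint to well-behaved crawlers, not an access
// control, and note that it publicly lists the gated prefixes.
export function robotsTxt(baseUrl: string): string {
  const lines = ["User-agent: *"];
  for (const prefix of [...PROTECTED_PREFIXES, ...ADMIN_PREFIXES]) lines.push(`Disallow: ${prefix}`);
  lines.push(`Sitemap: ${new URL("/sitemap.xml", baseUrl).toString()}`);
  return lines.join("\n") + "\n";
}

function escapeXml(s: string): string {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// sitemap.xml: only routes that classify as public are listed, so a gated
// path added to PUBLIC_ROUTES by mistake is filtered out rather than advertised.
export function sitemapXml(baseUrl: string, lastmod: string): string {
  const entries = PUBLIC_ROUTES.filter((r) => classifyRoute(r) === "public").map((r) => {
    const loc = escapeXml(new URL(r, baseUrl).toString());
    return `  <url><loc>${loc}</loc><lastmod>${lastmod}</lastmod></url>`;
  });
  return [
    '<?xml version="1.0" encoding="UTF-8"?>',
    '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">',
    ...entries,
    "</urlset>",
    "",
  ].join("\n");
}
```

The check worth keeping from this is the segment-aware match: a readiness test that only asserts the prefix lists contain "/admin" does not catch the case where the matcher itself treats "/administration" as admin or, in the allow-list direction, treats "/trust-center-internal" as public because "/trust-center" is.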


vercel Bot commented Jun 28, 2026

Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
gem-enterprise Error Error Jun 28, 2026 1:42pm
gem-enterprise-in Error Error Jun 28, 2026 1:42pm
gem-enterprise-jx Error Error Jun 28, 2026 1:42pm
gem-enterprise-xf Error Error Jun 28, 2026 1:42pm
project-dtrl6 Error Error Jun 28, 2026 1:42pm
support371-gem-enterprise Error Error Jun 28, 2026 1:42pm
v0-continue-conversation Error Error Jun 28, 2026 1:42pm
v0-continue-conversation-3875 Error Error Jun 28, 2026 1:42pm
v0-deployment-alignment-task Error Error Jun 28, 2026 1:42pm
v0-image-analysis Error Error Jun 28, 2026 1:42pm
v0-my-website Error Error Jun 28, 2026 1:42pm
v0-v0-geraldhoeven-4141-ff89f7f-5 Error Error Jun 28, 2026 1:42pm


vercel Bot commented Jun 28, 2026

Contributor

Deployment failed with the following error:

The `vercel.json` schema validation failed with the following message: should NOT have additional property `_buildNote`

Learn More: https://vercel.com/docs/concepts/projects/project-configuration


sourcery-ai Bot commented Jun 28, 2026


Reviewer's Guide

Adds compliance-facing pages and machine-readable SEO endpoints, introduces a rate-limited forgot-password flow, hardens security headers, and tightens route protection and production readiness coverage.

Sequence diagram for the new forgot-password flow

sequenceDiagram
  actor User
  participant ForgotPasswordPage
  participant ForgotPasswordRoute
  participant RateLimiter
  participant Database
  participant AuditLogger

  User->>ForgotPasswordPage: Submit email
  ForgotPasswordPage->>ForgotPasswordRoute: POST /api/auth/forgot-password
  ForgotPasswordRoute->>ForgotPasswordRoute: getRequestContext(request)
  ForgotPasswordRoute->>RateLimiter: rateLimit(ipAddress, key, windowMs, max)
  alt [rate limit exceeded]
    RateLimiter-->>ForgotPasswordRoute: limit.ok = false
    ForgotPasswordRoute->>AuditLogger: emitAuditLog(flow=forgot_password, reason=rate_limited)
    ForgotPasswordRoute-->>ForgotPasswordPage: rateLimitedResponse(retryAfterSeconds)
    ForgotPasswordPage-->>User: Show rate-limit message
  else [within rate limit]
    RateLimiter-->>ForgotPasswordRoute: limit.ok = true
    ForgotPasswordRoute->>ForgotPasswordRoute: request.json()
    ForgotPasswordRoute->>ForgotPasswordRoute: forgotPasswordSchema.safeParse(body)
    alt [validation error]
      ForgotPasswordRoute-->>ForgotPasswordPage: 400 Invalid request
      ForgotPasswordPage-->>User: Show generic error
    else [valid email]
      ForgotPasswordRoute->>Database: db.user.findUnique({ where: { email } })
      Database-->>ForgotPasswordRoute: user | null
      ForgotPasswordRoute->>AuditLogger: emitAuditLog(flow=forgot_password, accepted=Boolean(user))
      ForgotPasswordRoute-->>ForgotPasswordPage: SAFE_RESPONSE
      ForgotPasswordPage-->>User: Show non-enumerating success message
    end
  end

File-Level Changes

Change Details Files
Introduce compliance and trust pages and wire them into routing and navigation.
  • Define new canonical routes for cookie policy and trust center, marking them public and visible in the footer/navigation metadata.
  • Remove the legacy /trust-center redirect now that the path has a first-class page.
  • Point the footer Cookie Policy link to the new /cookie-policy route.
src/lib/siteRoutes.ts
src/components/Footer.tsx
Expand proxy protections for authenticated and admin-only areas while explicitly whitelisting new public endpoints.
  • Broaden protected URL prefixes to cover additional app, account, billing, document, messaging, request, and community-hub paths.
  • Broaden admin prefixes to include generic /admin, /review, and /compliance/admin areas.
  • Mark cookie policy, trust center, forgot-password, and other marketing/compliance routes as always-public to bypass auth gating.
src/proxy.ts
Harden default security headers and add an explicit blog-to-resources redirect.
  • Add HSTS, Permissions-Policy, and a report-only Content-Security-Policy header to the Next.js security headers configuration.
  • Introduce a permanent redirect from /blog to /resources via the Next.js redirects API instead of legacy routes.
next.config.js
Implement a secure, rate-limited forgot-password API and client page that avoid account enumeration.
  • Add a client-side forgot-password form that posts email to the API, handles loading/success/error/rate-limit states, and avoids leaking account existence.
  • Create a POST handler for /api/auth/forgot-password that validates input with zod, applies IP-based rate limiting, emits audit logs, and returns a generic success response regardless of account presence.
  • Ensure rate limit breaches are logged and surfaced as 429 with retry-after metadata, and that invalid JSON / schema violations return structured 400 errors.
src/app/forgot-password/page.tsx
src/app/api/auth/forgot-password/route.ts
Add machine-readable robots.txt and sitemap.xml endpoints aligned with public/protected routes.
  • Generate robots.txt with disallow rules for protected and admin paths and a sitemap pointer derived from a configurable base URL.
  • Generate sitemap.xml listing key public marketing and compliance routes using a configurable base URL.
src/app/robots.txt/route.ts
src/app/sitemap.xml/route.ts
Add static content pages for cookie policy and trust center with compliance-focused copy.
  • Implement a cookie policy page describing cookie categories, purposes, and consent behavior, including details of the gem_session cookie.
  • Implement a trust center page summarizing security posture, responsible disclosure, data protection, subprocessor usage, and high-level compliance mappings, plus a CTA for vendor due diligence materials.
src/app/cookie-policy/page.tsx
src/app/trust-center/page.tsx
Add a production readiness test suite to assert key compliance and routing invariants.
  • Introduce a test file that verifies presence of critical routes/pages, proxy protections, and footer link wiring for the new compliance materials.
src/__tests__/production-readiness.test.ts

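The sequence diagram in the reviewer's guide above fixes the order of operations (rate limit, parse, validate, lookup, audit, generic response). The following is an added example written for this page that walks that flow end to end; it is not the project's src/app/api/auth/forgot-password/route.ts. The framework pieces the diagram names (NextRequest, zod's safeParse, the Prisma user lookup, emitAuditLog, rateLimit) are replaced by small in-memory stand-ins so the handler runs offline; their shapes, the 15-minute/5-request window and the sample user are assumptions.

```typescript
// Added example following the reviewer-guide sequence diagram; not the
// project's forgot-password route. NextRequest, zod, Prisma, emitAuditLog and
// rateLimit are replaced by in-memory stand-ins. Window size, limit and the
// sample user are assumptions made for this example.

export interface RequestContext { ipAddress: string; rawBody: string; now: number }
export interface ApiResponse { status: number; headers: Record<string, string>; body: Record<string, unknown> }
export interface AuditEvent { flow: "forgot_password"; ipAddress: string; at: number; reason?: string; accepted?: boolean }

export const auditLog: AuditEvent[] = [];        // stand-in for the audit log sink
export const resetTokensIssued: string[] = [];   // stand-in for "token created, mail queued"
const USERS = new Set(["alice@example.com"]);    // constructed sample user store

// One status and one body for every well-formed request, so the response
// cannot be used to test whether an address is registered.
export const SAFE_RESPONSE = { message: "If an account exists for that address, a reset link has been sent." };
const WINDOW_MS = 15 * 60 * 1000;
const MAX_PER_WINDOW = 5;

// Fixed-window limiter keyed by (flow, client IP). In production this state
// belongs in a shared store, not process memory, or every instance gets its own budget.
const buckets = new Map<string, { count: number; resetAt: number }>();
export function rateLimit(ip: string, key: string, windowMs: number, max: number, now: number) {
  const id = `${key}:${ip}`;
  let bucket = buckets.get(id);
  if (!bucket || now >= bucket.resetAt) {
    bucket = { count: 0, resetAt: now + windowMs };
    buckets.set(id, bucket);
  }
  bucket.count += 1;
  const retryAfterSeconds = Math.max(1, Math.ceil((bucket.resetAt - now) / 1000));
  return { ok: bucket.count <= max, retryAfterSeconds };
}
export function resetRateLimiter(): void { buckets.clear(); }

// Stand-in for forgotPasswordSchema.safeParse: a string field "email", trimmed,
// lower-cased, bounded in length and of plausible shape.
export function parseEmail(body: unknown): { ok: true; email: string } | { ok: false } {
  if (typeof body !== "object" || body === null) return { ok: false };
  const raw = (body as Record<string, unknown>).email;
  if (typeof raw !== "string") return { ok: false };
  const email = raw.trim().toLowerCase();
  if (email.length > 254 || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) return { ok: false };
  return { ok: true, email };
}

export function handleForgotPassword(ctx: RequestContext): ApiResponse {
  // Rate limit before parsing: malformed bodies spend budget too, so a client
  // cannot probe the validator for free.
  const limit = rateLimit(ctx.ipAddress, "forgot_password", WINDOW_MS, MAX_PER_WINDOW, ctx.now);
  if (!limit.ok) {
    auditLog.push({ flow: "forgot_password", ipAddress: ctx.ipAddress, at: ctx.now, reason: "rate_limited" });
    return {
      status: 429,
      headers: { "Retry-After": String(limit.retryAfterSeconds) },
      body: { error: "Too many requests", retryAfterSeconds: limit.retryAfterSeconds },
    };
  }

  let json: unknown;
  try { json = JSON.parse(ctx.rawBody); } catch { return { status: 400, headers: {}, body: { error: "Invalid request" } }; }
  const parsed = parseEmail(json);
  if (!parsed.ok) return { status: 400, headers: {}, body: { error: "Invalid request" } };

  // Only the internal audit record knows whether the account exists; the
  // caller sees SAFE_RESPONSE either way. Keep the request path constant-cost:
  // hand token creation and mail delivery to a queue instead of awaiting them,
  // or response time leaks what the body hides.
  const userExists = USERS.has(parsed.email);
  if (userExists) resetTokensIssued.push(parsed.email);
  auditLog.push({ flow: "forgot_password", ipAddress: ctx.ipAddress, at: ctx.now, accepted: userExists });
  return { status: 200, headers: {}, body: SAFE_RESPONSE };
}
```

Two caveats a reviewer would raise against any IP-keyed version of this flow: clients behind a shared NAT exhaust one budget together, and an attacker with many source addresses is barely slowed, so a second budget keyed by the normalised email address is the usual complement. The generic 400 for an unparseable body or a malformed address does not weaken the non-enumeration property, because it is decided before any lookup and never depends on account existence.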


cloudflare-workers-and-pages Bot commented Jun 28, 2026


Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status | Name | Latest Commit | Updated (UTC)
❌ Deployment failed | gem-enterprise | 96ebdef | Jun 28 2026, 01:51 PM
