Add compliance pages, sitemap/robots, forgot-password flow, security headers, and route protections #118

Draft
support371 wants to merge 1 commit into main from codex/complete-production-ready-application-tasks-wb0qcs

Conversation

@support371 support371 commented Jun 28, 2026

Owner

Motivation

  • Surface privacy and trust materials and machine-readable routing info via dedicated cookie-policy, trust-center, sitemap.xml, and robots.txt endpoints for compliance and SEO.
  • Harden production defaults by adding strict security headers and a limited Content-Security-Policy as a report-only directive.
  • Provide a safe, rate-limited forgot-password API and user-facing recovery page that do not leak account existence.
  • Improve route hygiene by explicitly marking public/protected/admin routes and updating footer navigation for a dedicated cookie policy.

Description

  • Added security and privacy headers in next.config.js, including Strict-Transport-Security, Permissions-Policy, and a Content-Security-Policy-Report-Only entry, and added a redirect from /blog to /resources.
  • Implemented a rate-limited, audit-logged forgot-password API at src/app/api/auth/forgot-password/route.ts which returns a safe, non-enumerating response.
  • Added pages and routes: src/app/cookie-policy/page.tsx, src/app/trust-center/page.tsx, src/app/forgot-password/page.tsx, src/app/robots.txt/route.ts, and src/app/sitemap.xml/route.ts.
  • Updated routing and navigation: changed footer cookie link in src/components/Footer.tsx, added cookie-policy and trust-center to src/lib/siteRoutes.ts, removed the legacy redirect that previously forwarded /trust-center, and extended src/proxy.ts to expand protected and admin route prefixes while marking the new compliance pages as public.
  • Added a lightweight production readiness test file src/__tests__/production-readiness.test.ts to assert presence of key pages, proxy protections, and footer linkage.

Testing

  • Ran unit tests with vitest including the new production-readiness.test.ts, and all tests completed successfully.

Codex Task

Summary by Sourcery

Add compliance-focused public pages, secure account recovery endpoints, and hardened routing and security defaults for production readiness.

New Features:

  • Introduce dedicated cookie policy and trust center public pages with canonical routing and footer navigation.
  • Expose sitemap.xml and robots.txt endpoints to publish canonical routes and disallow protected areas for SEO and compliance.
  • Provide a user-facing forgot-password page backed by a non-enumerating recovery API endpoint.

Enhancements:

  • Expand proxy protections by extending protected and admin route prefixes while explicitly marking new compliance and recovery routes as always-public.
  • Strengthen default security headers with HSTS, permissions policy, and a report-only content security policy configuration.
  • Add a permanent redirect from /blog to /resources to align legacy content with current information architecture.

Tests:

  • Add a production readiness test suite to validate presence of key public pages, protected route coverage, and footer legal links.
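An added example, not code from this PR or the repository, showing the non-enumerating forgot-password flow the description outlines: rate limit by IP, validate the body, look up the normalized email, audit with an accountExists flag, and always return the same body. The class and function names, the window/max values and the in-memory user set are assumptions standing in for rateLimit, db.user.findUnique and emitAuditLog.

```typescript
// Added example, not the PR's code; names and window/max values are assumed.
interface AuditEvent { action: string; ip: string; accountExists?: boolean }
interface Result { status: number; body: Record<string, unknown> }

// One body for every accepted request, whether or not the account exists.
const SAFE_RESPONSE = { message: "If an account exists for that email, a reset link has been sent." };

// Fixed-window limiter keyed by client IP (constructed stand-in for rateLimit).
class FixedWindowLimiter {
  hits = new Map<string, { count: number; resetAt: number }>();
  max: number;
  windowMs: number;
  constructor(max = 5, windowMs = 15 * 60_000) { this.max = max; this.windowMs = windowMs; }
  check(key: string, now = Date.now()): boolean {
    const slot = this.hits.get(key);
    if (!slot || now >= slot.resetAt) {
      this.hits.set(key, { count: 1, resetAt: now + this.windowMs });
      return true;
    }
    slot.count += 1;
    return slot.count <= this.max;
  }
}

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function handleForgotPassword(
  ip: string, rawBody: unknown, limiter: FixedWindowLimiter,
  users: Set<string>,      // constructed stand-in for db.user.findUnique
  audit: AuditEvent[],     // constructed stand-in for emitAuditLog
  enqueueReset: (email: string) => void,
): Result {
  // Limit before parsing so malformed bodies still count against the window.
  if (!limiter.check(ip)) {
    audit.push({ action: "forgot_password.rate_limited", ip });
    return { status: 429, body: { error: "Too many requests" } };
  }
  const email = (rawBody as { email?: unknown } | null)?.email;
  if (typeof email !== "string" || email.length > 254 || !EMAIL_RE.test(email)) {
    return { status: 400, body: { error: "Invalid request" } };
  }
  const normalized = email.trim().toLowerCase();
  const exists = users.has(normalized);
  audit.push({ action: "forgot_password.requested", ip, accountExists: exists });
  // Queue the reset e-mail instead of sending inline, so response timing does
  // not reveal whether the account exists; the HTTP reply is identical either way.
  if (exists) enqueueReset(normalized);
  return { status: 200, body: SAFE_RESPONSE };
}
```

Limiting by IP alone does not bound requests aimed at one account from many addresses; a second limiter of the same shape keyed by the normalized email covers that axis.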

vercel Bot commented Jun 28, 2026

Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
gem-enterprise Error Error Jun 28, 2026 1:42pm
gem-enterprise-in Error Error Jun 28, 2026 1:42pm
gem-enterprise-jx Error Error Jun 28, 2026 1:42pm
gem-enterprise-xf Error Error Jun 28, 2026 1:42pm
project-dtrl6 Error Error Jun 28, 2026 1:42pm
support371-gem-enterprise Error Error Jun 28, 2026 1:42pm
v0-continue-conversation Error Error Jun 28, 2026 1:42pm
v0-continue-conversation-3875 Error Error Jun 28, 2026 1:42pm
v0-deployment-alignment-task Error Error Jun 28, 2026 1:42pm
v0-image-analysis Error Error Jun 28, 2026 1:42pm
v0-my-website Error Error Jun 28, 2026 1:42pm
v0-v0-geraldhoeven-4141-ff89f7f-5 Error Error Jun 28, 2026 1:42pm

vercel Bot commented Jun 28, 2026

Contributor

Deployment failed with the following error:

The `vercel.json` schema validation failed with the following message: should NOT have additional property `_buildNote`

Learn More: https://vercel.com/docs/concepts/projects/project-configuration

sourcery-ai Bot commented Jun 28, 2026


Reviewer's Guide

Adds compliance-focused public pages, sitemap/robots endpoints, a secure forgot-password flow, stricter security headers, and expanded route protection plus a production readiness test to assert these behaviors.

Sequence diagram for the new forgot-password flow

sequenceDiagram
  actor User
  participant ForgotPasswordPage
  participant ForgotPasswordAPI as forgot-password_POST
  participant RateLimiter as rateLimit
  participant DB as db_user_findUnique
  participant Audit as emitAuditLog

  User->>ForgotPasswordPage: submit()
  ForgotPasswordPage->>ForgotPasswordAPI: POST /api/auth/forgot-password
  ForgotPasswordAPI->>ForgotPasswordAPI: getRequestContext
  ForgotPasswordAPI->>RateLimiter: rateLimit(ipAddress)
  alt [rate limit exceeded]
    RateLimiter-->>ForgotPasswordAPI: limit.ok = false
    ForgotPasswordAPI->>Audit: emitAuditLog
    ForgotPasswordAPI-->>ForgotPasswordPage: rateLimitedResponse
    ForgotPasswordPage-->>User: show rate-limit message
  else [within limit]
    RateLimiter-->>ForgotPasswordAPI: limit.ok = true
    ForgotPasswordAPI->>ForgotPasswordAPI: request.json
    ForgotPasswordAPI->>ForgotPasswordAPI: forgotPasswordSchema.safeParse
    alt [invalid request]
      ForgotPasswordAPI-->>ForgotPasswordPage: NextResponse.json({ error }, 400)
      ForgotPasswordPage-->>User: show error message
    else [valid request]
      ForgotPasswordAPI->>DB: findUnique({ email })
      DB-->>ForgotPasswordAPI: user | null
      ForgotPasswordAPI->>Audit: emitAuditLog
      ForgotPasswordAPI-->>ForgotPasswordPage: NextResponse.json(SAFE_RESPONSE)
      ForgotPasswordPage-->>User: show generic success message
    end
  end

File-Level Changes

Change Details Files
Introduce new public compliance pages and wire them into routing and footer navigation.
  • Add canonical, public routes for cookie policy and trust center, categorized under compliance and visible in footer.
  • Create cookie policy page with table-driven content describing cookie categories, purposes, and consent behavior.
  • Create trust center page with security/compliance overview, responsible disclosure guidance, and vendor due diligence call-to-action.
  • Update footer legal links so Cookie Policy points to dedicated /cookie-policy instead of a privacy fragment.
src/lib/siteRoutes.ts
src/app/cookie-policy/page.tsx
src/app/trust-center/page.tsx
src/components/Footer.tsx
Expand route protection and align robots/sitemap outputs with protected vs public areas.
  • Broaden protected route prefixes to cover account, billing, documents, messaging, requests, and community hub subpaths.
  • Expand admin prefixes to include /admin, /review, and /compliance/admin in addition to /app/admin.
  • Mark new compliance pages and forgot-password as always public in proxy access rules.
  • Generate robots.txt content with disallow rules for protected/admin paths and a sitemap pointer.
  • Generate sitemap.xml listing key marketing and compliance routes using configurable base URL.
src/proxy.ts
src/app/robots.txt/route.ts
src/app/sitemap.xml/route.ts
Add stricter security headers and a redirect for legacy blog traffic at the Next.js config level.
  • Attach Strict-Transport-Security header with long max-age, subdomain coverage, and preload.
  • Attach Permissions-Policy to explicitly disable sensitive browser features such as camera, microphone, geolocation, payment, USB, and browsing-topics.
  • Attach a report-only Content-Security-Policy limiting core resource types while allowing Vercel analytics/insights domains.
  • Define a permanent redirect from /blog to /resources in Next.js redirects instead of legacy redirect list.
next.config.js
Implement a safe, rate-limited forgot-password API and client page that avoid account enumeration.
  • Create a forgot-password page with a client-side form that posts email to the API, handles loading/success/error/rate-limit states, and supports expired-token messaging via query params.
  • Implement POST handler that rate-limits by IP with a small window/max, returns a standard rate-limited response when exceeded, and logs audit events.
  • Validate request body with zod, including email format and length constraints; return structured error details on validation failures.
  • Perform a database lookup by normalized email, emit audit logs for attempted password changes with metadata including whether an account exists, and always return a non-enumerating safe success response.
src/app/forgot-password/page.tsx
src/app/api/auth/forgot-password/route.ts
Clean up legacy routing and add a production readiness test scaffold.
  • Remove legacy redirect from /trust-center to /compliance-notice to allow new trust center route to be canonical.
  • Add a production readiness test file that asserts presence of key pages, route protections, and footer links (content not shown in diff but referenced by description).
src/lib/siteRoutes.ts
src/__tests__/production-readiness.test.ts

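An added example, not the PR's own robots.txt or sitemap.xml route code, showing how one route table with an explicit visibility field can drive both outputs and a consistency check of the kind the production-readiness test could run. RouteEntry, buildRobots, buildSitemap, sitemapRobotsConflicts and the sample route values are constructed for this example.

```typescript
// Added example, not the PR's code: one route table with explicit visibility
// drives both robots.txt and sitemap.xml, plus a consistency check suited to a
// production-readiness test. Names and the route values are constructed.
type Visibility = "public" | "protected" | "admin";
interface RouteEntry { path: string; visibility: Visibility }

// Constructed sample table mirroring the kinds of prefixes the PR describes.
const ROUTES: RouteEntry[] = [
  { path: "/", visibility: "public" },
  { path: "/cookie-policy", visibility: "public" },
  { path: "/trust-center", visibility: "public" },
  { path: "/forgot-password", visibility: "public" },
  { path: "/app/account", visibility: "protected" },
  { path: "/app/billing", visibility: "protected" },
  { path: "/admin", visibility: "admin" },
];

// Disallow prefixes come from the same table the proxy enforces, so the two
// cannot drift apart. robots.txt rules are prefix matches.
function disallowPrefixes(routes: RouteEntry[]): string[] {
  return [...new Set(routes.filter(r => r.visibility !== "public").map(r => r.path))];
}

function buildRobots(routes: RouteEntry[], baseUrl: string): string {
  const lines = ["User-agent: *", ...disallowPrefixes(routes).map(p => `Disallow: ${p}`)];
  lines.push(`Sitemap: ${baseUrl}/sitemap.xml`);
  return lines.join("\n") + "\n";
}

function escapeXml(s: string): string {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Only public routes are published; the base URL comes from configuration, so
// it is escaped rather than trusted verbatim.
function buildSitemap(routes: RouteEntry[], baseUrl: string): string {
  const urls = routes.filter(r => r.visibility === "public")
    .map(r => `  <url><loc>${escapeXml(baseUrl + r.path)}</loc></url>`);
  return `<?xml version="1.0" encoding="UTF-8"?>\n` +
    `<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">\n${urls.join("\n")}\n</urlset>\n`;
}

// Returns public paths that sit under a disallowed prefix: such a page would be
// advertised in the sitemap and blocked in robots.txt at the same time.
function sitemapRobotsConflicts(routes: RouteEntry[]): string[] {
  const disallowed = disallowPrefixes(routes);
  return routes.filter(r => r.visibility === "public").map(r => r.path)
    .filter(p => disallowed.some(d => p === d || p.startsWith(d.endsWith("/") ? d : d + "/")));
}
```

Disallow lines only steer well-behaved crawlers and are themselves public, so the proxy checks remain the access control; the generator just keeps the advertised and blocked sets from contradicting each other.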

cloudflare-workers-and-pages Bot commented Jun 28, 2026


Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status               Name            Latest Commit   Updated (UTC)
❌ Deployment failed   gem-enterprise  331052d         Jun 28 2026, 01:54 PM
