Add compliance pages, sitemap/robots, forgot-password flow, security headers, and route protections #119

Draft. support371 wants to merge 1 commit into main from codex/complete-production-ready-application-tasks-irxs46

Conversation

@support371 commented Jun 28, 2026 (Owner)

Motivation

  • Surface privacy and trust materials and machine-readable routing info via dedicated cookie-policy, trust-center, sitemap.xml, and robots.txt endpoints for compliance and SEO.
  • Harden production defaults by adding strict security headers and a limited Content-Security-Policy as a report-only directive.
  • Provide a safe, rate-limited forgot-password API and user-facing recovery page that do not leak account existence.
  • Improve route hygiene by explicitly marking public/protected/admin routes and updating footer navigation for a dedicated cookie policy.

Description

  • Added security and privacy headers in next.config.js, including Strict-Transport-Security, Permissions-Policy, and a Content-Security-Policy-Report-Only entry, and added a redirect from /blog to /resources.
  • Implemented a rate-limited, audit-logged forgot-password API at src/app/api/auth/forgot-password/route.ts which returns a safe, non-enumerating response.
  • Added pages and routes: src/app/cookie-policy/page.tsx, src/app/trust-center/page.tsx, src/app/forgot-password/page.tsx, src/app/robots.txt/route.ts, and src/app/sitemap.xml/route.ts.
  • Updated routing and navigation: changed footer cookie link in src/components/Footer.tsx, added cookie-policy and trust-center to src/lib/siteRoutes.ts, removed the legacy redirect that previously forwarded /trust-center, and extended src/proxy.ts to expand protected and admin route prefixes while marking the new compliance pages as public.
  • Added a lightweight production readiness test file src/__tests__/production-readiness.test.ts to assert presence of key pages, proxy protections, and footer linkage.

Testing

  • Ran unit tests with vitest including the new production-readiness.test.ts, and all tests completed successfully.

Summary by Sourcery

Introduce compliance-focused public pages, secure account recovery, and stricter security/SEO defaults.

New Features:

  • Add public cookie policy and trust center pages with legal/compliance content.
  • Expose sitemap.xml and robots.txt endpoints to describe public and disallowed routes for crawlers.
  • Provide a user-facing forgot-password page and corresponding API endpoint for account recovery.

Enhancements:

  • Expand protected and admin route prefixes while explicitly marking new compliance pages as always public in the proxy.
  • Update footer navigation and canonical route metadata to surface the cookie policy and trust center pages.
  • Add security-related HTTP headers, including HSTS, Permissions-Policy, and a report-only Content Security Policy.
  • Introduce a permanent redirect from /blog to /resources for consolidated content routing.

Tests:

  • Add a production readiness test suite to verify key public pages, route protections, and footer links.
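The security-header hardening the description lists (HSTS, Permissions-Policy, a report-only Content-Security-Policy), shown as an added TypeScript example that is not the PR's next.config.js: buildSecurityHeaders() returns entries in the shape Next.js headers() expects, and auditSecurityHeaders() checks a header set for the weaknesses a reviewer would look for (short HSTS max-age, missing includeSubDomains, inline or wildcard script sources, no reporting endpoint on a report-only policy). The directive values, the /api/csp-report endpoint and the audit thresholds are assumptions, not values taken from the PR.

```typescript
// Added example, not the PR's next.config.js: a hardened header set in the
// Next.js headers() shape plus an audit that flags weak or missing entries.

type Header = { key: string; value: string };
type HeaderRule = { source: string; headers: Header[] };

// Report-only CSP: violations are reported, not enforced, so a too-strict
// allow-list cannot break the site while it is being tuned. All values assumed.
const CSP_REPORT_ONLY = [
  "default-src 'self'",
  "script-src 'self'",
  "style-src 'self' 'unsafe-inline'",
  "img-src 'self' data: https:",
  "object-src 'none'",
  "base-uri 'self'",
  "frame-ancestors 'none'",
  "report-uri /api/csp-report", // assumed reporting endpoint, not in the PR
].join("; ");

export function buildSecurityHeaders(): HeaderRule[] {
  return [
    {
      source: "/(.*)",
      headers: [
        { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
        { key: "X-Content-Type-Options", value: "nosniff" },
        { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
        { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=(), payment=()" },
        { key: "Content-Security-Policy-Report-Only", value: CSP_REPORT_ONLY },
      ],
    },
  ];
}

// Splits a CSP string into directive name -> source list.
export function parseCsp(policy: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    const [name, ...sources] = tokens;
    if (!name) continue;
    out.set(name.toLowerCase(), sources);
  }
  return out;
}

// Returns a list of findings; an empty list means the header set passes.
export function auditSecurityHeaders(headers: Header[]): string[] {
  const findings: string[] = [];
  const get = (k: string) => headers.find(h => h.key.toLowerCase() === k.toLowerCase())?.value;

  const hsts = get("Strict-Transport-Security");
  if (!hsts) {
    findings.push("missing Strict-Transport-Security");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < 31536000) findings.push("HSTS max-age below one year"); // one-year floor (assumed policy)
    if (!/includeSubDomains/i.test(hsts)) findings.push("HSTS lacks includeSubDomains");
  }
  if (!get("X-Content-Type-Options")) findings.push("missing X-Content-Type-Options");
  if (!get("Permissions-Policy")) findings.push("missing Permissions-Policy");

  const csp = get("Content-Security-Policy") ?? get("Content-Security-Policy-Report-Only");
  if (!csp) {
    findings.push("missing Content-Security-Policy(-Report-Only)");
  } else {
    const d = parseCsp(csp);
    const scriptSrc = d.get("script-src") ?? d.get("default-src") ?? [];
    if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes("*")) {
      findings.push("script-src allows inline or wildcard scripts");
    }
    if (!d.has("object-src")) findings.push("CSP lacks object-src");
    if (!d.has("frame-ancestors")) findings.push("CSP lacks frame-ancestors");
    if (!(d.has("report-uri") || d.has("report-to"))) findings.push("report-only CSP has no reporting endpoint");
  }
  return findings;
}
```

The audit reads the enforced header first and falls back to the report-only one, so the same check keeps working once the policy graduates from report-only to enforced; a report-only policy with no report-uri or report-to collects nothing and is flagged for that reason.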

vercel bot commented Jun 28, 2026 (Contributor)

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
gem-enterprise Error Error Jun 28, 2026 1:43pm
gem-enterprise-in Error Error Jun 28, 2026 1:43pm
gem-enterprise-jx Error Error Jun 28, 2026 1:43pm
gem-enterprise-xf Error Error Jun 28, 2026 1:43pm
project-dtrl6 Error Error Jun 28, 2026 1:43pm
support371-gem-enterprise Error Error Jun 28, 2026 1:43pm
v0-continue-conversation Error Error Jun 28, 2026 1:43pm
v0-continue-conversation-3875 Error Error Jun 28, 2026 1:43pm
v0-deployment-alignment-task Error Error Jun 28, 2026 1:43pm
v0-image-analysis Error Error Jun 28, 2026 1:43pm
v0-my-website Error Error Jun 28, 2026 1:43pm
v0-v0-geraldhoeven-4141-ff89f7f-5 Error Error Jun 28, 2026 1:43pm

vercel bot commented Jun 28, 2026 (Contributor)

Deployment failed with the following error:

The `vercel.json` schema validation failed with the following message: should NOT have additional property `_buildNote`

Learn More: https://vercel.com/docs/concepts/projects/project-configuration

sourcery-ai bot commented Jun 28, 2026

Reviewer's Guide

Adds new compliance-focused public pages, security headers, sitemap/robots endpoints, a non-enumerating forgot-password flow with rate limiting and audit logging, and extends proxy route protections and tests to cover these behaviors.

Sequence diagram for the new forgot-password flow

sequenceDiagram
  actor User
  participant ForgotPasswordPage
  participant ForgotPasswordAPI as api_auth_forgot_password_POST
  participant RateLimiter as rateLimit
  participant DB as db_user
  participant Audit as emitAuditLog

  User->>ForgotPasswordPage: submit()
  ForgotPasswordPage->>ForgotPasswordAPI: fetch /api/auth/forgot-password
  ForgotPasswordAPI->>ForgotPasswordAPI: getRequestContext
  ForgotPasswordAPI->>RateLimiter: rateLimit(ipAddress, key, windowMs, max)
  alt [rate limit exceeded]
    RateLimiter-->>ForgotPasswordAPI: limit.ok = false
    ForgotPasswordAPI->>Audit: emitAuditLog(flow: forgot_password, reason: rate_limited)
    ForgotPasswordAPI-->>ForgotPasswordPage: rateLimitedResponse(429)
    ForgotPasswordPage-->>User: [Too many requests message]
  else [within limit]
    ForgotPasswordAPI->>ForgotPasswordAPI: request.json()
    ForgotPasswordAPI->>ForgotPasswordAPI: forgotPasswordSchema.safeParse
    alt [invalid request]
      ForgotPasswordAPI-->>ForgotPasswordPage: NextResponse.json(error, 400)
      ForgotPasswordPage-->>User: [Error message]
    else [valid request]
      ForgotPasswordAPI->>DB: db.user.findUnique(email)
      DB-->>ForgotPasswordAPI: user | null
      ForgotPasswordAPI->>Audit: emitAuditLog(flow: forgot_password, accepted)
      ForgotPasswordAPI-->>ForgotPasswordPage: NextResponse.json(SAFE_RESPONSE)
      ForgotPasswordPage-->>User: [Non-enumerating success message]
    end
  end

File-Level Changes

Change Details Files
Introduce new public compliance pages for cookie policy and trust center and wire them into site routing/navigation.
  • Added /cookie-policy and /trust-center pages with static content, metadata, and styling consistent with the marketing site.
  • Registered the new routes in canonicalRoutes with compliance metadata and marked them as public and canonical, with footer/nav display flags.
  • Updated footer legal links to point the Cookie Policy link at the new /cookie-policy route instead of a privacy anchor.
  • Removed the legacy redirect that previously forwarded /trust-center to /compliance-notice so the new page is directly addressable.
src/app/cookie-policy/page.tsx
src/app/trust-center/page.tsx
src/lib/siteRoutes.ts
src/components/Footer.tsx
Tighten security and privacy headers and add a blog-to-resources redirect at the framework level.
  • Configured additional response headers including Strict-Transport-Security, Permissions-Policy, and a Content-Security-Policy-Report-Only directive for all routes served by Next.
  • Defined a permanent redirect from /blog to /resources via Next.js redirects() instead of relying solely on legacy redirect config.
next.config.js
Extend proxy-based route protection to additional authenticated and admin paths while explicitly whitelisting new public endpoints.
  • Expanded the list of protected prefixes to cover account, billing, documents, messaging, requests, and community-hub subpaths.
  • Extended admin prefixes to include /admin, /review, and /compliance/admin alongside existing /app/admin.
  • Marked new compliance pages as always-public, alongside other public marketing and legal routes, ensuring they bypass auth gating.
  • Kept /forgot-password in the public list so the new recovery flow is accessible unauthenticated.
src/proxy.ts
Add a non-enumerating, rate-limited forgot-password API and corresponding client page that surfaces safe feedback and handles expired tokens.
  • Implemented a POST /api/auth/forgot-password handler that validates input with zod, normalizes email, and returns a generic success response regardless of account existence.
  • Integrated IP-based rate limiting for the forgot-password flow, returning a 429 with retry-after semantics and emitting audit logs on rate-limit events.
  • Queried the user table by email and emitted structured audit logs for password-change attempts without leaking user enumeration details in the response.
  • Built a client-side /forgot-password page with a form that calls the API, handles loading, error, and rate-limit states, and supports an expired/state=expired-token query param to show an expiry message.
  • Ensured the UI copy explicitly notes that responses do not reveal account existence and provided a link back to /client-login.
src/app/api/auth/forgot-password/route.ts
src/app/forgot-password/page.tsx
Expose machine-readable SEO and compliance metadata via robots.txt and sitemap.xml endpoints aligned with route protections.
  • Implemented a robots.txt route that sets a default base URL, disallows crawling of protected/app/admin/account/portal-related paths, and references the sitemap URL.
  • Implemented a sitemap.xml route that lists key marketing and legal routes, including the new compliance pages, using either an environment-configured base URL or a default.
  • Kept the disallow lists in robots and protected prefixes in the proxy broadly aligned to avoid exposing authenticated areas to crawlers.
src/app/robots.txt/route.ts
src/app/sitemap.xml/route.ts

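The forgot-password flow in the sequence diagram above, as an added example that is not the PR's src/app/api/auth/forgot-password/route.ts: a framework-free TypeScript handler with an IP-keyed fixed-window limiter, e-mail normalisation, a generic response that is identical whether or not the address belongs to an account, a 429 carrying Retry-After, and audit events that record the lookup result on the server side only. The limiter parameters (5 requests per 15 minutes), the in-memory user table, and the simple e-mail check standing in for the zod schema are assumptions.

```typescript
// Added example, not the PR's route.ts: a non-enumerating, rate-limited
// forgot-password handler. Users, limiter state and the audit sink are
// constructed in memory so the module runs offline.

type AuditEvent = {
  flow: "forgot_password";
  outcome: "accepted" | "rate_limited" | "rejected";
  ip: string;
  userFound?: boolean; // server-side only; never echoed to the client
};
export const auditLog: AuditEvent[] = [];

export type ApiResponse = {
  status: number;
  headers: Record<string, string>;
  body: { message?: string; error?: string };
};

// Generic message: identical whether or not the address has an account.
export const SAFE_RESPONSE = { message: "If an account exists for that address, a reset link has been sent." };

// Constructed user table standing in for db.user.findUnique(email).
const users = new Map<string, { id: string; email: string }>([
  ["alice@example.com", { id: "u1", email: "alice@example.com" }],
]);

// Fixed-window limiter keyed by client IP (assumed: 5 requests per 15 minutes).
export const WINDOW_MS = 15 * 60 * 1000;
export const MAX_PER_WINDOW = 5;
const buckets = new Map<string, { windowStart: number; count: number }>();

export function rateLimit(ip: string, now: number): { ok: boolean; retryAfterSec: number } {
  const b = buckets.get(ip);
  if (!b || now - b.windowStart >= WINDOW_MS) {
    buckets.set(ip, { windowStart: now, count: 1 });
    return { ok: true, retryAfterSec: 0 };
  }
  b.count += 1;
  if (b.count > MAX_PER_WINDOW) {
    return { ok: false, retryAfterSec: Math.ceil((b.windowStart + WINDOW_MS - now) / 1000) };
  }
  return { ok: true, retryAfterSec: 0 };
}

// Minimal stand-in for the zod schema: a bounded string that looks like an address.
function parseEmail(body: unknown): string | null {
  if (typeof body !== "object" || body === null) return null;
  const raw = (body as { email?: unknown }).email;
  if (typeof raw !== "string") return null;
  const email = raw.trim().toLowerCase(); // normalise before the lookup
  return email.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email) ? email : null;
}

export function handleForgotPassword(ip: string, body: unknown, now: number = Date.now()): ApiResponse {
  // Limiter runs before parsing, so malformed requests also consume budget.
  const limit = rateLimit(ip, now);
  if (!limit.ok) {
    auditLog.push({ flow: "forgot_password", outcome: "rate_limited", ip });
    return { status: 429, headers: { "Retry-After": String(limit.retryAfterSec) }, body: { error: "Too many requests" } };
  }
  const email = parseEmail(body);
  if (email === null) {
    auditLog.push({ flow: "forgot_password", outcome: "rejected", ip });
    return { status: 400, headers: {}, body: { error: "Invalid request" } };
  }
  const user = users.get(email) ?? null;
  // The lookup result goes to the audit log only; the client sees SAFE_RESPONSE either way.
  auditLog.push({ flow: "forgot_password", outcome: "accepted", ip, userFound: user !== null });
  // A real handler would issue and mail a reset token here only when user !== null.
  return { status: 200, headers: {}, body: SAFE_RESPONSE };
}
```

One caveat the body-level check does not cover: if the handler mails the token inline, a found account takes measurably longer to answer than an unknown one, and response timing then leaks what the message hides. Queuing the mail asynchronously keeps the two paths close to indistinguishable.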
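The proxy route classes and the robots/sitemap alignment described in the guide, as an added TypeScript example that is not the project's src/proxy.ts, robots.txt or sitemap.xml routes: the prefix lists live in one module, robots.txt is generated from the gated prefixes, and checkCrawlerAlignment() reports any gated prefix left crawlable or any sitemap entry that resolves to a gated route. The prefix lists, the default-deny for unlisted routes and the sitemap entries are assumptions.

```typescript
// Added example, not the PR's proxy.ts or robots/sitemap routes: one source of
// truth for route classes, robots.txt derived from it, and a consistency check.

export type RouteClass = "public" | "protected" | "admin";

// Illustrative lists; the PR's actual prefixes are not reproduced here.
export const ALWAYS_PUBLIC = ["/", "/privacy", "/cookie-policy", "/trust-center", "/forgot-password", "/client-login", "/resources"];
export const PROTECTED_PREFIXES = ["/app", "/account", "/billing", "/documents", "/messages", "/requests", "/community-hub"];
export const ADMIN_PREFIXES = ["/app/admin", "/admin", "/review", "/compliance/admin"];
export const SITEMAP_PATHS = ["/", "/privacy", "/cookie-policy", "/trust-center", "/resources"];

// Segment-aware prefix match: "/app" covers "/app" and "/app/x", not "/application".
function hasPrefix(path: string, prefix: string): boolean {
  if (prefix === "/") return path === "/";
  const p = prefix.endsWith("/") ? prefix.slice(0, -1) : prefix;
  return path === p || path.startsWith(p + "/");
}

// Admin wins over protected, and both win over the public list, so a public
// entry can never punch a hole in a gated area. Unlisted routes default to
// protected (assumed default-deny).
export function classifyRoute(path: string): RouteClass {
  const clean = path.replace(/[?#].*$/, ""); // compare the pathname only
  if (ADMIN_PREFIXES.some(p => hasPrefix(clean, p))) return "admin";
  if (PROTECTED_PREFIXES.some(p => hasPrefix(clean, p))) return "protected";
  if (ALWAYS_PUBLIC.some(p => hasPrefix(clean, p))) return "public";
  return "protected";
}

// robots.txt Disallow is a plain string prefix, so every gated prefix (plus /api)
// is emitted as-is; the Sitemap line points crawlers at the public route list.
export function buildRobotsTxt(baseUrl: string): string {
  const disallow = Array.from(new Set([...PROTECTED_PREFIXES, ...ADMIN_PREFIXES, "/api"])).sort();
  return ["User-agent: *", ...disallow.map(p => `Disallow: ${p}`), `Sitemap: ${baseUrl}/sitemap.xml`, ""].join("\n");
}

// Findings are empty when every gated prefix is disallowed and nothing in the
// sitemap resolves to a gated or disallowed route.
export function checkCrawlerAlignment(robotsTxt: string, sitemapPaths: string[]): string[] {
  const findings: string[] = [];
  const disallowed = robotsTxt
    .split("\n")
    .filter(l => l.startsWith("Disallow:"))
    .map(l => l.slice("Disallow:".length).trim());
  for (const p of [...PROTECTED_PREFIXES, ...ADMIN_PREFIXES]) {
    if (!disallowed.some(d => hasPrefix(p, d))) findings.push(`gated prefix ${p} is crawlable`);
  }
  for (const p of sitemapPaths) {
    if (classifyRoute(p) !== "public") findings.push(`sitemap advertises gated route ${p}`);
    if (disallowed.some(d => hasPrefix(p, d))) findings.push(`sitemap lists disallowed route ${p}`);
  }
  return findings;
}
```

Running checkCrawlerAlignment() in the same test suite as the production-readiness checks turns the "broadly aligned" statement in the guide into an assertion that fails the build whenever someone adds a protected prefix to the proxy without adding the matching Disallow.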

cloudflare-workers-and-pages bot commented Jun 28, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
❌ Deployment failed gem-enterprise 7a240ab Jun 28 2026, 01:57 PM
