Add compliance pages, sitemap/robots, forgot-password flow, security headers, and route protections#120

Draft
support371 wants to merge 1 commit into main from codex/complete-production-ready-application-tasks-on7xcz

Conversation

support371 (Owner) commented Jun 28, 2026

Motivation

  • Surface privacy and trust materials and machine-readable routing info via dedicated cookie-policy, trust-center, sitemap.xml, and robots.txt endpoints for compliance and SEO.
  • Harden production defaults by adding strict security headers and a limited Content-Security-Policy as a report-only directive.
  • Provide a safe, rate-limited forgot-password API and user-facing recovery page that do not leak account existence.
  • Improve route hygiene by explicitly marking public/protected/admin routes and updating footer navigation for a dedicated cookie policy.

Description

  • Added security and privacy headers in next.config.js, including Strict-Transport-Security, Permissions-Policy, and a Content-Security-Policy-Report-Only entry, and added a redirect from /blog to /resources.
  • Implemented a rate-limited, audit-logged forgot-password API at src/app/api/auth/forgot-password/route.ts which returns a safe, non-enumerating response.
  • Added pages and routes: src/app/cookie-policy/page.tsx, src/app/trust-center/page.tsx, src/app/forgot-password/page.tsx, src/app/robots.txt/route.ts, and src/app/sitemap.xml/route.ts.
  • Updated routing and navigation: changed footer cookie link in src/components/Footer.tsx, added cookie-policy and trust-center to src/lib/siteRoutes.ts, removed the legacy redirect that previously forwarded /trust-center, and extended src/proxy.ts to expand protected and admin route prefixes while marking the new compliance pages as public.
  • Added a lightweight production readiness test file src/__tests__/production-readiness.test.ts to assert presence of key pages, proxy protections, and footer linkage.

Testing

  • Ran unit tests with vitest including the new production-readiness.test.ts, and all tests completed successfully.

Codex Task

Summary by Sourcery

Introduce compliance and recovery pages, strengthen security defaults, and tighten route protections for public vs protected areas.

New Features:

  • Add dedicated cookie policy and trust center pages and expose them in canonical routing and footer navigation.
  • Add a user-facing forgot-password recovery page backed by a non-enumerating reset flow.
  • Expose machine-readable sitemap.xml and robots.txt endpoints that reflect public and protected routes.

Enhancements:

  • Expand protected and admin route prefixes while explicitly marking compliance and recovery endpoints as always public.
  • Add stricter security and privacy headers, including HSTS, permissions policy, and a report-only content security policy.
  • Add a redirect from /blog to /resources and remove the legacy trust-center redirect in favor of the new canonical page.

Tests:

  • Introduce a production readiness test suite to assert presence of key pages, footer linkage, and proxy protections.
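The PR body describes three artifacts that all depend on the same notion of which routes are public: the proxy's public/protected/admin classification, the robots.txt Disallow list, and the sitemap.xml entries. The example below is added here and is not the project's src/proxy.ts or route handlers; it shows one route table driving all three so they cannot drift apart, with the segment-aware prefix check that keeps "/app" from matching "/application". The prefix and path lists are constructed from the PR description (the admin prefix is assumed, since the PR does not name it), and classifyRoute, renderRobotsTxt and renderSitemapXml are assumed names.

```typescript
// Added example, not the project's code: one route table shared by the proxy
// decision, robots.txt and sitemap.xml. Prefixes/paths are constructed from
// the PR description; "/admin" is assumed because the PR does not name it.

export type RouteClass = "public" | "protected" | "admin";

export type RoutePolicy = {
  alwaysPublic: string[];      // exact paths that stay public under any prefix
  protectedPrefixes: string[]; // require a signed-in user
  adminPrefixes: string[];     // require an admin role
  sitemapPaths: string[];      // public pages advertised to crawlers
};

export const policy: RoutePolicy = {
  alwaysPublic: ["/forgot-password", "/cookie-policy", "/trust-center", "/robots.txt", "/sitemap.xml"],
  protectedPrefixes: ["/protected", "/app", "/account", "/community-hub"],
  adminPrefixes: ["/admin"],
  sitemapPaths: ["/", "/resources", "/cookie-policy", "/trust-center"],
};

// Strip query/fragment, collapse duplicate slashes, drop a trailing slash and
// lower-case, so "/App//x/?y" and "/app/x" classify the same way (fail closed).
function normalizePath(pathname: string): string {
  let p = pathname;
  const cut = [p.indexOf("?"), p.indexOf("#")].filter((i) => i >= 0);
  if (cut.length) p = p.slice(0, Math.min(...cut));
  p = p.replace(/\/{2,}/g, "/");
  if (p.length > 1 && p.endsWith("/")) p = p.slice(0, -1);
  return p.toLowerCase();
}

// Segment-aware prefix test: "/app" covers "/app" and "/app/x" but not "/application".
function underPrefix(path: string, prefix: string): boolean {
  return path === prefix || path.startsWith(prefix + "/");
}

export function classifyRoute(pathname: string, p: RoutePolicy = policy): RouteClass {
  const path = normalizePath(pathname);
  if (p.alwaysPublic.includes(path)) return "public";
  if (p.adminPrefixes.some((pre) => underPrefix(path, pre))) return "admin";
  if (p.protectedPrefixes.some((pre) => underPrefix(path, pre))) return "protected";
  return "public";
}

export function renderRobotsTxt(baseUrl: string, p: RoutePolicy = policy): string {
  // robots Disallow is a plain string prefix, so "/app" also covers "/application";
  // over-blocking crawlers is the safe direction.
  const disallow = [...p.adminPrefixes, ...p.protectedPrefixes].map((pre) => `Disallow: ${pre}`);
  const base = baseUrl.replace(/\/$/, "");
  return ["User-agent: *", ...disallow, `Sitemap: ${base}/sitemap.xml`, ""].join("\n");
}

function escapeXml(s: string): string {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

export function renderSitemapXml(baseUrl: string, p: RoutePolicy = policy): string {
  // Refuse to advertise any path the proxy would not serve to an anonymous user.
  const hidden = p.sitemapPaths.filter((path) => classifyRoute(path, p) !== "public");
  if (hidden.length) throw new Error(`sitemap lists non-public routes: ${hidden.join(", ")}`);
  const base = baseUrl.replace(/\/$/, "");
  const urls = p.sitemapPaths.map((path) => `  <url><loc>${escapeXml(base + path)}</loc></url>`);
  return [
    `<?xml version="1.0" encoding="UTF-8"?>`,
    `<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">`,
    ...urls,
    `</urlset>`,
    "",
  ].join("\n");
}
```

The sitemap renderer throws rather than silently listing a protected path: a sitemap that advertises "/app/..." gives crawlers and casual visitors a map of the authenticated surface, which is exactly what the robots.txt Disallow lines are trying not to do. Running this consistency check in the production readiness test is cheaper than discovering the leak in search results.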

vercel bot (Contributor) commented Jun 28, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
gem-enterprise Error Error Jun 28, 2026 1:43pm
gem-enterprise-in Error Error Jun 28, 2026 1:43pm
gem-enterprise-jx Error Error Jun 28, 2026 1:43pm
gem-enterprise-xf Error Error Jun 28, 2026 1:43pm
project-dtrl6 Error Error Jun 28, 2026 1:43pm
support371-gem-enterprise Error Error Jun 28, 2026 1:43pm
v0-continue-conversation Error Error Jun 28, 2026 1:43pm
v0-continue-conversation-3875 Error Error Jun 28, 2026 1:43pm
v0-deployment-alignment-task Error Error Jun 28, 2026 1:43pm
v0-image-analysis Error Error Jun 28, 2026 1:43pm
v0-my-website Error Error Jun 28, 2026 1:43pm
v0-v0-geraldhoeven-4141-ff89f7f-5 Error Error Jun 28, 2026 1:43pm

vercel bot (Contributor) commented Jun 28, 2026

Deployment failed with the following error:

The `vercel.json` schema validation failed with the following message: should NOT have additional property `_buildNote`

Learn More: https://vercel.com/docs/concepts/projects/project-configuration
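The header set the PR description lists (Strict-Transport-Security, Permissions-Policy and a report-only Content-Security-Policy) is easy to ship in a form that is silently ineffective: an HSTS max-age too short to matter, or a report-only CSP with no reporting directive, so violations are never seen. The following is an added example, not the project's next.config.js: the headers in the { key, value } shape a Next.js headers() entry carries, with directive values constructed here because the PR does not show them, plus a lint (lintSecurityHeaders, an assumed name) that flags those failure modes.

```typescript
// Added example, not the project's next.config.js. Directive values are
// constructed; the reporting path /api/csp-report is a placeholder.

export type Header = { key: string; value: string };

export const securityHeaders: Header[] = [
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
  {
    key: "Content-Security-Policy-Report-Only",
    value: "default-src 'self'; object-src 'none'; report-uri /api/csp-report",
  },
];

const ONE_YEAR_SECONDS = 31536000;

// Returns a list of findings; an empty list means the set passes.
export function lintSecurityHeaders(headers: Header[]): string[] {
  const findings: string[] = [];
  const byKey = new Map<string, string>();
  for (const h of headers) {
    const k = h.key.toLowerCase();
    if (byKey.has(k)) findings.push(`duplicate header ${h.key}`);
    byKey.set(k, h.value);
  }

  const hsts = byKey.get("strict-transport-security");
  if (!hsts) {
    findings.push("missing Strict-Transport-Security");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    const subdomains = /includesubdomains/i.test(hsts);
    if (maxAge < ONE_YEAR_SECONDS) findings.push(`HSTS max-age ${maxAge} is below one year`);
    if (!subdomains) findings.push("HSTS lacks includeSubDomains");
    // The preload list only accepts max-age >= 1 year with includeSubDomains.
    if (/\bpreload\b/i.test(hsts) && (maxAge < ONE_YEAR_SECONDS || !subdomains)) {
      findings.push("HSTS preload requires max-age >= 1 year and includeSubDomains");
    }
  }

  if (!byKey.has("permissions-policy")) findings.push("missing Permissions-Policy");

  const csp = byKey.get("content-security-policy-report-only");
  if (!csp) {
    findings.push("missing Content-Security-Policy-Report-Only");
  } else {
    if (!/\breport-(uri|to)\b/i.test(csp)) {
      findings.push("CSP-Report-Only has no report-uri/report-to: violations are never reported");
    }
    // report-to names a group that must be defined by Reporting-Endpoints (or legacy Report-To).
    if (/\breport-to\b/i.test(csp) && !byKey.has("reporting-endpoints") && !byKey.has("report-to")) {
      findings.push("CSP report-to names a group but no Reporting-Endpoints/Report-To header defines it");
    }
  }
  return findings;
}
```

A report-only policy is only a hardening step if someone reads the reports; the lint therefore treats a missing reporting directive as a defect rather than a style point, and it is small enough to run from the production readiness test the PR adds.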

sourcery-ai bot commented Jun 28, 2026

Reviewer's Guide

This PR adds compliance-focused public pages, security headers, sitemap/robots endpoints, a safe forgot-password flow, and expands route protection and production readiness tests across the app and proxy layer.

Sequence diagram for the new forgot-password flow

sequenceDiagram
  actor User
  participant ForgotPasswordPage
  participant ForgotPasswordAPI as POST_api_auth_forgot_password
  participant RateLimiter as rateLimit
  participant DB as db_user
  participant AuditLog as emitAuditLog

  User->>ForgotPasswordPage: Submit email
  ForgotPasswordPage->>ForgotPasswordAPI: fetch POST /api/auth/forgot-password

  ForgotPasswordAPI->>RateLimiter: rateLimit ipAddress
  RateLimiter-->>ForgotPasswordAPI: limit

  alt [rate limit exceeded]
    ForgotPasswordAPI->>AuditLog: emitAuditLog (flow: forgot_password, reason: rate_limited)
    ForgotPasswordAPI-->>ForgotPasswordPage: rateLimitedResponse (429, retryAfterSeconds)
    ForgotPasswordPage-->>User: Show rate-limit message
  else [within limit]
    ForgotPasswordAPI->>ForgotPasswordAPI: request.json
    ForgotPasswordAPI->>ForgotPasswordAPI: forgotPasswordSchema.safeParse
    alt [invalid request]
      ForgotPasswordAPI-->>ForgotPasswordPage: NextResponse.json (400, error)
      ForgotPasswordPage-->>User: Show generic error
    else [valid request]
      ForgotPasswordAPI->>DB: db.user.findUnique (email)
      DB-->>ForgotPasswordAPI: user | null
      ForgotPasswordAPI->>AuditLog: emitAuditLog (flow: forgot_password, accepted)
      ForgotPasswordAPI-->>ForgotPasswordPage: NextResponse.json (SAFE_RESPONSE)
      ForgotPasswordPage-->>User: Show non-enumerating success message
    end
  end

File-Level Changes

Change: Introduce new public compliance and recovery routes and update canonical routing/navigation metadata.
  • Add canonical public routes for cookie policy and trust center with compliance metadata and footer visibility
  • Remove legacy redirect that previously forwarded /trust-center to /compliance-notice
  • Ensure forgot-password, cookie-policy, and trust-center are classified as always-public in route protection config
Files: src/lib/siteRoutes.ts, src/proxy.ts

Change: Harden security-related HTTP headers and add a permanent redirect for the blog URL.
  • Add Strict-Transport-Security, Permissions-Policy, and Content-Security-Policy-Report-Only headers to default responses
  • Define a permanent redirect from /blog to /resources in Next.js redirect configuration
Files: next.config.js

Change: Implement user-facing forgot-password page that calls a non-enumerating, rate-limited backend API.
  • Add a client-side forgot-password form that handles success, error, and rate-limit states without revealing account existence
  • Wire the form to POST to /api/auth/forgot-password and show generic messaging based on API responses
Files: src/app/forgot-password/page.tsx

Change: Add a secure, rate-limited forgot-password API with validation, audit logging, and safe responses.
  • Validate request body with zod and return structured errors for invalid JSON or invalid email
  • Apply IP-based rate limiting with a 15-minute window and max attempts, returning standardized 429 responses
  • Look up user by email, emit audit logs for password-change flow, and always return a generic success payload without indicating account existence
Files: src/app/api/auth/forgot-password/route.ts

Change: Expose machine-readable robots.txt and sitemap.xml endpoints aligned with protected and public routes.
  • Generate robots.txt with a default base URL, disallowing key protected/app/account/community-hub routes and pointing to sitemap.xml
  • Generate sitemap.xml listing key marketing, legal, and compliance routes using a configurable base app URL
Files: src/app/robots.txt/route.ts, src/app/sitemap.xml/route.ts

Change: Add compliance content pages for cookie policy and trust center with basic structured content for legal and security messaging.
  • Implement a cookie policy page with tabular cookie categories, purposes, consent behavior, and session cookie details metadata
  • Implement a trust center page describing security practices, responsible disclosure, data protection, compliance mappings, and due-diligence request flow
Files: src/app/cookie-policy/page.tsx, src/app/trust-center/page.tsx

Change: Update footer legal navigation to point to the new cookie policy route instead of an anchored privacy link.
  • Change footer cookie policy link to /cookie-policy to match new canonical route
Files: src/components/Footer.tsx

Change: Add a production readiness test suite to assert presence of key pages and protections (file creation only in the diff shown).
  • Create a new test file intended to cover compliance pages, proxy protections, and footer linkage; specific assertions not shown in the diff
Files: src/__tests__/production-readiness.test.ts

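The reviewer's guide above diagrams the forgot-password flow: rate limit by IP first, then parse and validate, then look the user up and return the same SAFE_RESPONSE whether or not an account exists. The example below is added here and is not the project's route.ts; Next.js, zod and the database are replaced by plain objects and injected functions so the logic runs stand-alone. All names (handleForgotPassword, RateLimiter, sendResetEmail, ForgotPasswordDeps) are assumptions, the SAFE_RESPONSE wording is constructed, and sending a reset email when the user exists is an assumed side effect the PR text does not spell out.

```typescript
// Added example of a non-enumerating, rate-limited forgot-password handler in
// the shape the reviewer's guide describes. Not the project's code; every name
// here is an assumption and the dependencies are injected for testability.

export type AuditEvent = { flow: "forgot_password"; outcome: "accepted" | "rate_limited"; ip: string };

export type ForgotPasswordDeps = {
  findUserByEmail: (email: string) => { id: string } | null;
  sendResetEmail: (userId: string) => void; // assumed side effect; should be queued, not awaited
  audit: (event: AuditEvent) => void;
  now: () => number;                        // injected clock in ms
};

export type ForgotPasswordRequest = { ip: string; body: string };
export type ForgotPasswordResponse = { status: number; body: Record<string, unknown> };

// Fixed-window limiter keyed by client IP: at most `max` attempts per `windowMs`.
export class RateLimiter {
  private hits = new Map<string, { count: number; windowStart: number }>();
  private windowMs: number;
  private max: number;

  constructor(windowMs: number, max: number) {
    this.windowMs = windowMs;
    this.max = max;
  }

  check(key: string, now: number): { allowed: boolean; retryAfterSeconds: number } {
    const entry = this.hits.get(key);
    if (!entry || now - entry.windowStart >= this.windowMs) {
      this.hits.set(key, { count: 1, windowStart: now });
      return { allowed: true, retryAfterSeconds: 0 };
    }
    entry.count += 1;
    if (entry.count > this.max) {
      const retryAfterSeconds = Math.ceil((entry.windowStart + this.windowMs - now) / 1000);
      return { allowed: false, retryAfterSeconds };
    }
    return { allowed: true, retryAfterSeconds: 0 };
  }
}

// The single payload every accepted request receives, whether or not the
// address belongs to an account; the client must not be able to tell.
export const SAFE_RESPONSE = {
  message: "If an account exists for that address, a reset link has been sent.",
};

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

export function handleForgotPassword(
  req: ForgotPasswordRequest,
  limiter: RateLimiter,
  deps: ForgotPasswordDeps,
): ForgotPasswordResponse {
  // Rate limit before any parsing so malformed floods are cheap to reject.
  const limit = limiter.check(req.ip, deps.now());
  if (!limit.allowed) {
    deps.audit({ flow: "forgot_password", outcome: "rate_limited", ip: req.ip });
    return { status: 429, body: { error: "Too many requests", retryAfterSeconds: limit.retryAfterSeconds } };
  }

  // Malformed input is the only distinct error, and it says nothing about accounts.
  let parsed: unknown;
  try {
    parsed = JSON.parse(req.body);
  } catch {
    return { status: 400, body: { error: "Invalid JSON" } };
  }
  const email =
    typeof parsed === "object" && parsed !== null ? (parsed as { email?: unknown }).email : undefined;
  if (typeof email !== "string" || !EMAIL_RE.test(email)) {
    return { status: 400, body: { error: "Invalid email" } };
  }

  const user = deps.findUserByEmail(email.trim().toLowerCase());
  if (user) deps.sendResetEmail(user.id);
  // Same audit outcome and same response whether or not the user exists.
  deps.audit({ flow: "forgot_password", outcome: "accepted", ip: req.ip });
  return { status: 200, body: SAFE_RESPONSE };
}
```

Two caveats a reviewer would raise against this shape: the response body is identical for known and unknown addresses, but the time spent in the user branch (lookup plus sending) is not, so the send must be queued rather than awaited or the delay becomes the enumeration oracle the body avoided; and a limiter keyed only by IP should read the client address from a header the proxy is trusted to set, since behind a shared NAT one noisy client locks out everyone on it and a spoofable header lets a client pick its own bucket.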

cloudflare-workers-and-pages bot commented Jun 28, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status: ❌ Deployment failed
Name: gem-enterprise
Latest Commit: 5981138
Updated (UTC): Jun 28 2026, 02:00 PM
