Skip to content

Final production-readiness remediation: trust, routes, contact, KYC, and headers#144

Merged
support371 merged 20 commits into
mainfrom
fix/final-production-readiness-2026-07-09
Jul 9, 2026
Merged

Final production-readiness remediation: trust, routes, contact, KYC, and headers#144
support371 merged 20 commits into
mainfrom
fix/final-production-readiness-2026-07-09

Conversation

@support371

@support371 support371 commented Jul 9, 2026

Copy link
Copy Markdown
Owner

Purpose

This pull request implements the highest-impact fixes from the final production-readiness review before public business launch.

Changes

  • Replaces unsupported 24/7, real-time, guaranteed-response, and certified-global-operations homepage language with controlled-launch and contract-defined wording.
  • Converts /intel and /intel/news from unverified live-feed presentation to clearly labelled preview/source-aggregation experiences.
  • Adds a site-wide controlled-launch disclosure and canonical www metadata base.
  • Marks the Community Hub as fictional demonstration data and applies noindex/nofollow until real records replace mock data.
  • Adds working detail pages for all six /services/:slug links, removing current 404 conversion failures.
  • Makes all genuine contact enquiries durable by storing them before reporting success; SMTP becomes notification-only rather than the system of record.
  • Fails KYC document intake closed and removes the misleading browser-only upload screen until private storage, malware scanning, access auditing, and retention controls are operational.
  • Enforces a baseline Content Security Policy, denies framing, removes the framework identification header, and adds COOP/CORP headers.
  • Expands the sitemap for active service and store routes.

Important operational effect

Identity and financial document upload remains intentionally unavailable after this change. It must not be re-enabled until a tested private object-storage pipeline is connected.

Verification required

  • CI lint, tests, type-check, and Next.js production build
  • Vercel preview route checks
  • Contact submission persistence using the connected production-like database
  • Security-header verification
  • Service detail route verification

Manual dependencies after merge

  • Configure and test SMTP/admin recipient variables if not already configured.
  • Select and connect the private KYC document-storage and malware-scanning provider.
  • Replace Community Hub mock records with verified production data before indexing.
  • Supply evidence and owners for any future SLA, staffing, certification, monitoring, recovery, or jurisdictional claims.

Summary by Sourcery

Align public-facing pages, intelligence routes, KYC flows, and service descriptions with a controlled production launch, disable misleading document intake, and harden headers and sitemap for production.

New Features:

  • Introduce service detail pages for all /services/:slug routes with scoped capabilities and activation requirements.
  • Add a global production-launch disclosure banner and updated homepage content emphasizing controlled, contract-defined service activation.
  • Convert intel and news pages into clearly labeled threat-intelligence and sourced-news previews instead of implying live, analyst-curated feeds.

Bug Fixes:

  • Ensure contact submissions are durably stored in the database before sending notification emails so enquiries are not lost.
  • Remove the non-functional KYC document upload UI and replace the KYC documents API with an explicit failure response to prevent the appearance of successful uploads.

Enhancements:

  • Revise marketing copy, stats, and imagery alt text across the homepage and services pages to avoid unsupported guarantees and clarify eligibility, scope, and limitations.
  • Update Community Hub layout metadata and add an on-page notice to mark all hub content as fictional demonstration data, with noindex/nofollow robots directives.
  • Strengthen security headers by disabling the powered-by header, enforcing a baseline Content Security Policy, denying framing, and enabling COOP/CORP.
  • Expand the sitemap.xml to include active services, intel news, and store routes for better discovery of production-ready pages.

Build:

  • Adjust Next.js configuration to remove the framework identification header and apply stricter security headers (CSP, X-Frame-Options, COOP, CORP).

Documentation:

  • Clarify on-page disclosures around intelligence, news aggregation, community data, KYC document handling, and service availability so users understand these are previews or scoped services, not guaranteed live operations.

@vercel

vercel Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
support371-gem-enterprise Ready Ready Preview, Comment, Open in v0 Jul 9, 2026 5:20pm
11 Skipped Deployments
Project Deployment Actions Updated (UTC)
gem-enterprise Ignored Ignored Preview Jul 9, 2026 5:20pm
gem-enterprise-in Ignored Ignored Preview Jul 9, 2026 5:20pm
gem-enterprise-jx Ignored Ignored Preview Jul 9, 2026 5:20pm
gem-enterprise-xf Ignored Ignored Preview Jul 9, 2026 5:20pm
project-dtrl6 Ignored Ignored Preview Jul 9, 2026 5:20pm
v0-continue-conversation Ignored Ignored Preview Jul 9, 2026 5:20pm
v0-continue-conversation-3875 Ignored Ignored Preview Jul 9, 2026 5:20pm
v0-deployment-alignment-task Ignored Ignored Preview Jul 9, 2026 5:20pm
v0-image-analysis Ignored Ignored Preview Jul 9, 2026 5:20pm
v0-my-website Ignored Ignored Preview Jul 9, 2026 5:20pm
v0-v0-geraldhoeven-4141-ff89f7f-5 Ignored Ignored Preview Jul 9, 2026 5:20pm

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@sourcery-ai

sourcery-ai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Reviewer's Guide

Hardens production readiness messaging, disables insecure KYC document intake, makes contact submissions durable before email, converts intel/news to a clearly labelled preview, adds service-detail routes, strengthens security headers/CSP, expands sitemap, and marks Community Hub data as fictional/noindex.

Sequence diagram for durable contact submission and notification

sequenceDiagram
  actor User
  participant ContactForm
  participant ContactAPI as api_contact_POST
  participant DB as db
  participant Mail as sendMail
  participant Audit as emitAuditLog

  User->>ContactForm: Submit contact form
  ContactForm->>ContactAPI: POST /api/contact {name,email,message,subject,website}
  ContactAPI->>ContactAPI: rateLimit(ipAddress)
  ContactAPI->>ContactAPI: zod schema.parse(body)
  ContactAPI->>DB: supportBooking.create({ userId, name, email, subject, notes, status })
  DB-->>ContactAPI: submission { id }
  alt session exists
    ContactAPI->>DB: supportTicket.create({ userId, subject, description, status, priority })
    DB-->>ContactAPI: ticket { id }
  else no session
    Note over ContactAPI: ticketId remains null
  end
  ContactAPI->>Mail: sendMail({ to, replyTo, subject, text })
  Mail-->>ContactAPI: { sent | reason | skipped }
  ContactAPI->>DB: supportBooking.update({ id, notes })
  ContactAPI->>Audit: emitAuditLog({ action: admin_action, resource: contact_message, resourceId: submission.id, metadata })
  Audit-->>ContactAPI: ok
  ContactAPI-->>ContactForm: 200 OK { ok: true, submissionId, ticketId }
  ContactForm-->>User: Show success message
Loading

Sequence diagram for fail-closed KYC document intake

sequenceDiagram
  actor User
  participant KYCUploadPage
  participant KYCDocAPI as api_kyc_documents_POST
  participant Auth as requireSession

  User->>KYCUploadPage: Visit /kyc/upload
  KYCUploadPage-->>User: Show fail-closed notice (no upload)

  User->>KYCUploadPage: Tries to submit (client or scripted)
  KYCUploadPage->>KYCDocAPI: POST /api/kyc/documents
  KYCDocAPI->>Auth: requireSession()
  Auth-->>KYCDocAPI: { ok: true, session }
  KYCDocAPI-->>KYCUploadPage: 503 Service Unavailable\n{\n  ok: false,\n  code: SECURE_DOCUMENT_UPLOAD_NOT_ACTIVE,\n  requirements: [\"private object storage\", ...]\n}
  KYCUploadPage-->>User: Prevent upload / suggest contact
Loading

File-Level Changes

Change Details Files
Reframe homepage, services, and intelligence content to reflect controlled launch, scoped services, and non-live preview data instead of guaranteed 24/7 operations or real-time feeds.
  • Update homepage hero copy, stats, service cards, features, and CTAs to emphasize controlled activation, eligibility, and non-operational features.
  • Replace live-operations imagery alt text and labels with illustrative/demo wording and remove claims of continuous global monitoring.
  • Revise /intel and /intel/news pages to present static/example intelligence briefings and sourced news previews with reliance notices instead of live feeds and analyst-curated claims.
  • Adjust services index page copy to describe potential capabilities, scope, requirements, and limitations rather than SLAs, guarantees, or global recovery promises.
src/app/page.tsx
src/app/intel/page.tsx
src/app/intel/news/page.tsx
src/app/services/page.tsx
Disable KYC document upload flows and make the API explicitly fail closed until a secure private-storage pipeline is in place.
  • Remove client-side upload UI, drag-and-drop handlers, and submission logic from the KYC upload page and replace with a fail-closed disclosure and support paths.
  • Replace the /api/kyc/documents POST handler with a guarded endpoint that always returns 503 and a structured error indicating secure upload is not active and listing required safeguards.
  • Set KYC upload metadata robots to noindex/nofollow to avoid indexing a non-functional sensitive workflow.
src/app/kyc/upload/page.tsx
src/app/api/kyc/documents/route.ts
Ensure all genuine contact enquiries are persisted in the database before success is reported, making SMTP notification best-effort and not the system of record.
  • Extend contact POST handler to create a SupportBooking row for every non-honeypot submission, including unauthenticated users, with normalized subject and notes.
  • Optionally create a SupportTicket for authenticated users and record its ID on audit metadata without failing the request if ticket creation fails.
  • Integrate centralized sendMail helper, send admin/support notification email when configured, and record delivery status back on the SupportBooking.
  • Improve audit logging metadata for contact submissions and adjust error handling to return 503 when persistence fails.
src/app/api/contact/route.ts
Add structured service-detail pages for all /services/:slug routes and expand sitemap to include active service and store routes.
  • Create static service-detail route handler for each service slug with scoped capabilities, activation requirements, disclaimers, and assessment CTA.
  • Wire generateStaticParams and generateMetadata to support static generation and proper meta descriptions for each service detail page.
  • Update sitemap.xml route list to include all service slugs, intel/news, and active store subroutes for better discovery.
  • Adjust services index cards to link to the new /services/:slug detail pages with ‘Review scope and limitations’ CTAs.
src/app/services/[slug]/page.tsx
src/app/sitemap.xml/route.ts
src/app/services/page.tsx
Strengthen security headers and global layout metadata to reflect canonical www domain, controlled launch disclosure, and baseline CSP/COOP/CORP hardening.
  • Disable Next.js poweredByHeader and change X-Frame-Options to DENY, add full Content-Security-Policy (non-report-only) including frame-ancestors 'none', and set COOP/CORP headers.
  • Tighten Permissions-Policy and other security-related headers across all routes via next.config.js headers().
  • Update RootLayout metadataBase to canonical https://www.gemcybersecurityassist.com and align site-wide description with controlled, scoped services.
  • Inject a new ProductionDisclosure component into the non-portal root layout to show a controlled-launch trust notice on all public pages.
next.config.js
src/app/layout.tsx
src/components/ProductionDisclosure.tsx
Mark Community Hub as a fictional, controlled preview and prevent search indexing until real production data exists.
  • Update Community Hub layout metadata to rename to Community Preview, change description to explicitly mention sample data, and add robots noindex/nofollow/nocache.
  • Render a prominent alert banner on all Community Hub pages clarifying that profiles, organizations, events, and stats are fictional demonstration data only.
src/app/community-hub/layout.tsx

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • The service metadata is now duplicated between the /services listing and the new /services/[slug] detail pages; consider centralizing these definitions so scopes, titles, and requirements don’t drift over time.
  • The contact POST now persists enquiries via supportBooking and optionally supportTicket—double-check that your internal/admin tooling surfaces supportBooking records for follow-up, otherwise new public contacts may not be visible to operators.
  • The tightened Content Security Policy and X-Frame-Options=DENY are a good hardening step, but it’s worth validating that all current third-party scripts (e.g., Vercel analytics/insights) still function correctly under the new directives, particularly connect-src and frame-src.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The service metadata is now duplicated between the /services listing and the new /services/[slug] detail pages; consider centralizing these definitions so scopes, titles, and requirements don’t drift over time.
- The contact POST now persists enquiries via supportBooking and optionally supportTicket—double-check that your internal/admin tooling surfaces supportBooking records for follow-up, otherwise new public contacts may not be visible to operators.
- The tightened Content Security Policy and X-Frame-Options=DENY are a good hardening step, but it’s worth validating that all current third-party scripts (e.g., Vercel analytics/insights) still function correctly under the new directives, particularly connect-src and frame-src.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@vercel

vercel Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Deployment failed with the following error:

Resource is limited - try again in 24 hours (more than 100, code: "api-deployments-free-per-day").

Learn More: https://vercel.com/geraldhoeven-4141s-projects?upgradeToPro=build-rate-limit

@support371
support371 merged commit ce3c511 into main Jul 9, 2026
15 of 22 checks passed
@support371
support371 deleted the fix/final-production-readiness-2026-07-09 branch July 9, 2026 17:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant