Add privacy notice and harden deployment tooling#10
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Publish a globally linked privacy notice for runner submissions, operational logs, Invisible Turnstile, cookies, and optional browser CDNs, while making production deployment fail early unless it uses Node 22 and a fresh Python vendor sync.
Why
The production audit found no privacy notice despite session-scoped Invisible Turnstile. The first deployment attempt also exposed a tooling failure: Node 26 could not start Pywrangler's Pyodide interpreter, and a stale sync token allowed
python_modules/to remain empty until Cloudflare rejected the upload for missing FastAPI.What changed
/privacy, canonical/OG/JSON-LD metadata, sitemap coverage, global footer links, and a 1200×630 social card./privacyto deployment smoke checks and SEO/social-card gates.pywrangler sync --forcebefore deployment.Verification
make verify— 224 tests, browser contracts, 109 examples, SEO/cache, quality, Ruff, and generated checksscripts/format_examples.py --checkmake verify-python-version VERSION=3.13npm audit --audit-level=highgit diff --checkRisk
The content route is read-only and uses existing page/layout primitives. Deployment changes intentionally reject unsupported local Node versions; CI already runs Node 22. The forced vendor sync costs additional deploy time but prevents dependency-free Worker uploads.