Skip to content

feat: add /blog, /blog/:slug, /docs pages — public-shell wrapped#4

Merged
mastermanas805 merged 1 commit into
mainfrom
feat/blog-and-docs-pages
May 11, 2026
Merged

feat: add /blog, /blog/:slug, /docs pages — public-shell wrapped#4
mastermanas805 merged 1 commit into
mainfrom
feat/blog-and-docs-pages

Conversation

@mastermanas805
Copy link
Copy Markdown
Member

@mastermanas805 mastermanas805 commented May 11, 2026

Summary

The marketing nav links `/docs` and `/blog` existed since the rebrand but the routes weren't wired in `App.tsx` — clicking them 404'd. Users flagged "nothing is working on UI" → this fills the gap.

What landed

  • BlogPage at `/blog` — reverse-chronological index of `POSTS` (typed array in `src/content/posts.ts`)
  • BlogPostPage at `/blog/:slug` — detail view with backlink + footer
  • DocsPage at `/docs` — sticky-sidebar TOC + 8 sections (Quickstart, services, Deploy, Stacks, Claim, Auth, Tiers, OpenAPI)

Three seed blog posts cover this quarter's narratives. Every code snippet in /docs is a real curl against `api.instanode.dev` — no mocked examples.

Security posture (pre-commit scan)

Both BlogPostPage and DocsPage use a deliberately tiny markdown subset (`#`/`##`/`###` headings, paragraphs, bullet lists, fenced code, inline `code` and `bold`). No HTML pass-through, no link rewrites, no script tags. Every rendered node is a React element of a known type — XSS surface is zero by construction.

Scanned before commit for:

Category Hits
AES/JWT/Razorpay/Resend/OAuth secrets 0
Internal cluster FQDNs (`*.svc.cluster.local`) 1 (author-facing policy comment, not leaked content)
Production team/user IDs (mastermanas805) 0
JWT tokens (`eyJ...`) 0
Live pool tokens (`pool-`/`usr_pool`) 0
Cleartext connection URLs with creds 0
Internal-only refs (Dockerfile.debug, instant-customer-, etc) 0

Test plan

  • `npm run build` passes (tsc + vite)
  • Pre-commit security scan clean (above)
  • Visual check after deploy on `*.deployment.instanode.dev`

🤖 Generated with Claude Code

@mastermanas805 @claude
feat: add /blog, /blog/:slug, /docs pages — public-shell wrapped
f2ee1ca 
The marketing nav links /docs and /blog (PublicShell.tsx, MarketingPage.tsx)
existed since the rebrand sweep but the routes were never wired in App.tsx
— clicking them 404'd. Users (correctly) flagged: "nothing is working on UI".

This PR fills the gap.

## /blog and /blog/:slug

  - BlogPage      — reverse-chronological index, card layout
  - BlogPostPage  — single-post detail with backlink + footer

Content lives in src/content/posts.ts as a typed array of Post records.
Adding a post is editing one TS file — no CMS, no build step. Three seed
posts cover the narratives that drove this quarter:

  - "Why anonymous is the trial" — the pricing decision
  - "Strict-discipline shipping" — change → live test → PR → merge
  - "How /db/new dropped from 17s to under a second" — the pool

## /docs

  DocsPage with a sticky sidebar TOC and anchored sections. Eight sections
  cover the surface an agent or developer needs:

    Quickstart · The six services · Deploy · Stacks · Claim flow ·
    Authentication · Tiers and limits · Machine-readable API

  Every code snippet is a real, runnable curl against api.instanode.dev —
  no mocked examples. Sections link out to openapi.json for full reference.

## Security posture

Both BlogPostPage and DocsPage use a deliberately tiny markdown subset:
# / ## / ### headings, paragraphs, bullet lists, fenced code, inline `code`
and **bold**. No HTML pass-through, no link rewrites, no script tags.
Every rendered node is a React element of a known type — XSS surface is
zero by construction.

Pre-commit security scan (visible in PR description) checks for leaked
secrets, internal cluster hostnames, production team/user IDs, JWTs, live
pool tokens, cleartext credentials. The only hit was an author-facing
warning comment telling future contributors NOT to leak *.svc.cluster.local
— that string IS the policy guidance, not leaked content.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@mastermanas805 mastermanas805 merged commit 17653c7 into main May 11, 2026
@mastermanas805 mastermanas805 deleted the feat/blog-and-docs-pages branch May 11, 2026 10:51
@mastermanas805 mastermanas805 mentioned this pull request May 14, 2026
Merged
5 tasks
mastermanas805 added a commit that referenced this pull request May 14, 2026
@mastermanas805
docs: publish trust docs to correct repo (fix 404 on /docs/public/* +…
aa9b3c7 
… /.well-known/*) (#63)

PRs #3 and #4 on InstaNode-dev/web shipped these 7 files, but that repo
has no GitHub Pages config. The publishing surface for instanode.dev is
this repo (InstaNode-dev/instanode-web) — Pages source is main, path /,
CNAME instanode.dev. Vite copies public/ verbatim into dist/ which Pages
serves. Re-publishing the 7 files under public/docs/public/ + public/.well-known/
so the URLs Persona4 (InfoSec) and Persona2 (hobby dev) actually hit return 200.

Files (all from the original landed-but-wrong-repo PRs, content unchanged
except security.txt Expires bumped from 2027-05-13 → 2027-05-14):

  public/.well-known/pgp-key.txt          (4096-bit RSA, fpr E950B348C79A...)
  public/.well-known/security.txt         (RFC 9116)
  public/docs/public/dpa.md               (controller-to-processor DPA + SCCs)
  public/docs/public/subprocessors.md     (DigitalOcean, Razorpay, Brevo, etc.)
  public/docs/public/breach-notification.md  (72h commitment + template)
  public/docs/public/security.md          (bug-bounty intake + safe harbor)
  public/docs/public/trust-residency.md   (NYC3 today, EU on roadmap)

Verified locally: npm run build produces all 7 files under dist/ at the
correct paths.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mastermanas805