chore: remove website/marketing code from public repo

[darshgupta-wisdm]

Summary

• Removed all marketing pages from apps/web/app/(marketing)/
• Removed all landing components from apps/web/components/landing/
• Removed DotGrid.tsx and sitemap.ts
• Homepage (/) now redirects to /login

Why

The public orekoapp/oreko repo should only contain app code. The website/marketing code is preserved in oreko-pro.

Test plan

• Verify / redirects to /login
• Confirm no broken imports from deleted components

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
quote-software	Ready	Preview, Comment	Apr 1, 2026 5:08am

[paresh011]

PR Review Summary

Author: darshgupta-wisdm | +1 / -3,024 | 31 files changed | Vercel deploy: Ready

This is a cleanup PR that removes all marketing/website pages from the public repo (preserved in oreko-pro), redirecting / to /login for unauthenticated users.

---

Verdict: Looks good, with 2 issues to address

Issue 1: Missing redirect for unauthenticated users (Bug)

The new page.tsx logic is:

const session = await auth();
if (session?.user?.id) {
  redirect('/dashboard');
}
redirect('/login');

This works, but the old code rendered a landing page for unauthenticated users. Now every visit to / hits the auth check then redirects. That's fine for the intent, but make sure /login actually exists and handles unauthenticated users properly — otherwise you get a redirect loop if /login itself redirects to /.

Issue 2: Remaining imports of deleted components

Verify there are no other files importing from:

• @/components/landing (barrel export deleted)
• @/components/DotGrid (deleted)

The PR only modifies files within (marketing)/ and components/landing/, but any other page or layout importing these will break at build time. The Vercel deploy succeeded, so this is likely fine — but worth confirming.

Minor: robots.ts sitemap removal

The sitemap reference was removed along with sitemap.ts — this is correct and consistent.

---

What's done well

• Clean deletion — no half-measures, all marketing pages and components removed
• Redirect logic is simple and correct
• PR description is clear with rationale
• Vercel preview deployed successfully

---

Recommendation: Approve after confirming no redirect loop between / and /login. If /login is a standalone page that doesn't redirect unauthenticated users back to /, this is ready to merge.

🤖 Reviewed with Claude Code

[paresh011]

Full Review Report — PR #27

chore: remove website/marketing code from public repo
Reviewed by: 6 parallel agents (Security, Architecture, Standards, Performance, Accessibility, Code Health)

---

Verdict: APPROVE with required follow-ups

The deletion scope is clean — no broken imports, Vercel preview deploys successfully. However, 5 issues should be addressed before or shortly after merge.

---

CRITICAL (1)

C1. Orphaned static assets — apps/web/public/images/landing/ (9 files)

The entire public/images/landing/ directory with 9 PNG files remains:

• hero-screenshot.png
• feature-clients.png, feature-dashboard.png, feature-invoices.png, feature-quote-builder.png, feature-quotes-list.png, feature-rate-cards.png, feature-settings.png, feature-templates.png

These were exclusively used by the deleted marketing components. They ship to production as public assets, increasing deploy size for no reason.

Action: Delete apps/web/public/images/landing/ in this PR.

---

IMPORTANT (4)

I1. Dead dependencies — gsap and motion in package.json

• gsap: ^3.14.2 — only used by deleted DotGrid.tsx
• motion: ^12.38.0 — only used by deleted animated-demo.tsx and hero-section.tsx

Confirmed zero remaining usages via code search. These add unnecessary weight to node_modules and potentially to the client bundle if tree-shaking doesn't fully eliminate them.

Action: Remove both from apps/web/package.json.

I2. Stale marketingRoutes allowlist in middleware — apps/web/lib/auth/config.ts

Line ~35 in authConfig.callbacks.authorized:

const marketingRoutes = ['/', '/pricing', '/features', '/about', '/blog', '/careers', '/changelog', '/contact', '/cookies', '/docs', '/privacy', '/terms'];

These routes no longer exist but the middleware still bypasses auth for them. While harmless (they'll 404), this is misleading dead code and could mask future security issues if a route like /pricing is accidentally re-created.

Action: Remove deleted routes from the array. Keep '/' since page.tsx still handles it.

I3. Redundant auth() call in page.tsx

The middleware already runs authorized() for every route. The new page.tsx calls auth() again (a full session lookup) just to decide the redirect. Since middleware already allows / for everyone (via marketingRoutes), the auth check in page.tsx is the only gate — but this could be simplified:

• Option A: Remove / from marketingRoutes, let middleware redirect unauthenticated users to /login automatically. Then page.tsx becomes just redirect('/dashboard') (only authenticated users reach it).
• Option B: Keep current approach but acknowledge the double session check.

Option A is cleaner and faster (edge redirect vs server-side auth check).

I4. Legal pages removed — Privacy Policy, Terms, Cookie Policy

The deleted (marketing)/ pages included /privacy, /terms, and /cookies. These are legally required in most jurisdictions. The PR description says marketing code is preserved in oreko-pro, but users of the public app need access to these pages.

Action: Ensure legal pages are either (a) hosted on a separate domain and linked from the app, or (b) re-added as minimal standalone pages outside the marketing route group.

---

SUGGESTIONS (4)

#	Finding	Details
S1	Logo creates circular navigation	Auth layout's <Logo href="/" /> now redirects back to /login. Consider pointing it to /login directly or rendering as non-interactive on auth pages.
S2	/login indexable by search engines	With / redirecting to /login and robots.ts allowing /, crawlers will index the login page. Add noindex meta if the app is not meant to be discoverable.
S3	Sitemap returns 404	sitemap.ts was deleted. If any external service (Google Search Console) references it, they'll get 404s. Consider purging from Search Console.
S4	Spec file orphan	If specs/LANDING_PAGE_SPEC.md exists, it should be deleted alongside the code.

---

What's Done Well

• Clean deletion — all 29 files removed consistently, no half-measures
• No broken imports — Vercel preview confirms successful build
• Clear PR rationale — explains the app/marketing split with oreko-pro
• Correct robots.ts update — sitemap reference removed in sync with sitemap.ts deletion

---

Summary Table

Severity	Count	Action Required
CRITICAL	1	Delete orphaned images
IMPORTANT	4	Dead deps, stale middleware, redundant auth, legal pages
SUGGESTION	4	Logo link, SEO, sitemap, spec cleanup

---

🤖 Full review generated with Claude Code using WisdmLabs Engineering Plugin workflow

[darshgupta-wisdm]

Remaining item — I4 (Legal pages removed): Skipping for now. Flagging to Shubham to decide if legal pages (privacy/terms/cookies) need to live in the open source repo or only on the marketing site.

Fixes pushed:

• I3 — Clarified redundant auth() in dashboard layout (middleware handles protection, auth() kept for session data)
• S1 — Removed logo href on auth pages to prevent circular navigation
• S2 — Added noindex robots meta to login page
• S3 — Sitemap was already removed in this PR (correct behavior, returns empty valid response from Next.js)

[paresh011]

Review — Latest commit: fix: address PR review feedback (I3, S1, S2)

CI: Lint ✅ | Type Check ✅ | Unit Tests ✅ | Build pending

---

S1 — Logo circular navigation: ✅ Fixed

-<Logo href="/" />
+<Logo />

Logo now renders as non-interactive on auth pages. No more redirect loop.

S2 — Login page indexable by search engines: ✅ Fixed

+robots: { index: false, follow: false },

Login page is now noindex. Correct.

I3 — Redundant auth() call: ⚠️ Acknowledged, not fully resolved

The comment in (dashboard)/layout.tsx is a good clarification, but page.tsx still does a full auth() session lookup on every / hit even though middleware already ran. This is acceptable as a defensive guard — not a blocker.

---

Still open

#	Issue	Status
I4	Legal pages (Privacy, Terms, Cookies) have no replacement in the public app	Needs confirmation — are these served from oreko-pro? If yes, we're good. If not, minimal standalone pages should be added.

---

Verdict

Latest push looks good. Approve once I4 is clarified — confirm legal pages are accessible to users somewhere (either oreko-pro domain or re-added as standalone pages).

🤖 Reviewed with Claude Code