Merged
7 changes: 7 additions & 0 deletions CHANGELOG.md
Expand Up @@ -8,6 +8,13 @@ Every version listed here must correspond to a slice in [`PLAN.md`](./PLAN.md) w

---

## [0.9.7] — 2026-05-28

### Added
- **Privacy Policy and Terms of Service.** Plain-language legal pages at `/privacy` and `/terms`, linked from a new site-wide footer.

---

## [0.9.6] — 2026-05-28

### Added
17 changes: 13 additions & 4 deletions PLAN.md
Expand Up @@ -45,7 +45,7 @@
| **v0.9.4** | DB pool size env-tunable + real back-nav spinner fix | ✅ shipped |
| **v0.9.5** | Security review + hardening (OAuth scope ↓ `read:user`, HTTP security headers) | ✅ shipped |
| **v0.9.6** | Load-test harness (warm /analyze; full 100 RPS run = operator step) | ✅ shipped |
| **v0.9.7** | Privacy policy + terms (legal docs) | pending |
| **v0.9.7** | Privacy policy + terms + global footer | ✅ shipped |
| **v1.0.0** | Public launch | pending |

---
Expand Down Expand Up @@ -688,11 +688,20 @@ The narrative-mode CHECK constraint was a third drift in the same family — the

---

## v0.9.7 — Legal docs (deferred)
## v0.9.7 — Privacy + Terms (shipped 2026-05-28)

**Goal:** Privacy policy + terms in `docs/legal/`. Link from frontend footer.
**Goal:** Plain-language Privacy Policy + Terms of Service pages, linked from a new global footer.

**Exit criteria:** TBD when the slice begins.
**Delivered:** Static TSX pages `/privacy` + `/terms` (shared `LegalProse` wrapper), a global `SiteFooter`, content grounded in the app's real data practices (GitHub `read:user`, Neon, Upstash, Groq, Sentry, PostHog), India governing law, 13+, contact shaansatsangi.cse@gmail.com. Not legal advice — flagged for professional review before launch.

**Design spec:** [`docs/superpowers/specs/2026-05-28-v0.9.7-legal-docs-design.md`](./docs/superpowers/specs/2026-05-28-v0.9.7-legal-docs-design.md).
**Sub-plan:** [`docs/superpowers/plans/2026-05-28-v0.9.7-legal-docs.md`](./docs/superpowers/plans/2026-05-28-v0.9.7-legal-docs.md).

**Exit criteria:**
- [x] `/privacy` + `/terms` render via `LegalProse`; metadata + "Last updated 2026-05-28".
- [x] Global `SiteFooter` links both (+ GitHub); landing hero intact; mobile verified.
- [x] Smoke tests pass (3); frontend lint/tsc/test/build clean.
- [x] Docs ritual + version bump to 0.9.7; tag + release.

---

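Review bot: the exit criteria at the end of the v0.9.7 section are all ticked, yet the "Delivered" line says the documents are "flagged for professional review before launch" and neither this checklist nor the v1.0.0 row in the status table tracks that review. Add an unchecked item here, or an explicit v1.0.0 exit criterion, so the launch slice cannot close without it. The contact address written into the plan is a personal mailbox; a role alias would be easier to rotate later.
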
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -43,7 +43,7 @@ Engineering insight first. AI flavor second. Scoring is deterministic and explai

## Status

Pre-alpha. Latest shipped release is **v0.9.6** (a reusable load-test harness for the warm `/analyze` path; the full 100 RPS run is an operator step). v0.9.5 before it ran a full pre-launch security audit — no high/critical findings — tightening the GitHub OAuth scope to read-only and adding HTTP security headers; v0.9.4 made the DB connection pool size env-tunable and genuinely fixed the back-nav search spinner; v0.9.3 added deletable `/me` history with undo, a golden "creator" scorecard for the project's creator account, and a first (incomplete) attempt at the back-nav spinner fix. Live at https://skill-issue-tau.vercel.app — GitHub OAuth sign-in, Neon Postgres persistence, `/me` history, opt-in `/share/[slug]` public links. The AI narrative layer (Roast + Mentor) runs on **Groq** (`llama-3.3-70b-versatile`). v0.7.0 added Upstash Redis caching (warm `/analyze` ≤ 200 ms); v0.7.2 prod-certified the perf budget (CLS 0.080 → **0** structurally, perf 90 → 94, LCP 2,804 → 2,773 ms); v0.8.0 shipped Sentry (FE+BE), PostHog (events + web vitals), structlog JSON logging, on-voice 404, and a full axe a11y pass; v0.8.1 ships the nightly cron with bearer auth; v0.8.2 pairs it with the manual force-refresh button on `/me`; v0.8.3 hotfixes the empty-repo crash; v0.8.4 fixes the silent narrative misattribution; v0.8.5 closes the post-deploy-Sentry loop with a pre-merge CI gate; v0.8.6 closes v0.7.1's deferred share-page caching; v0.8.7 modernizes project config; v0.9.0 opens Beta hardening with bounded GH fan-out; v0.9.1 closes the /me N+1 + adds per-namespace Report cache versioning; v0.9.2 adds rate limiting (per-IP for anonymous, higher per-user caps for signed-in) on `/analyze` and `/narrative`; v0.9.3 adds deletable `/me` history with undo, attempts the back-nav search-spinner fix, and gilds the creator's scorecard. 
v0.9.4 makes the DB connection pool size env-tunable (defaults unchanged — RUM showed no pool exhaustion) and lands the real back-nav spinner fix (the v0.9.3 attempt addressed the wrong mechanism); v0.9.5 runs a full pre-launch security audit (no high/critical findings), tightens the OAuth scope to `read:user`, and adds HTTP security headers; v0.9.6 adds a reusable load-test harness for the warm `/analyze` path (the full 100 RPS run is an operator step). **v0.9.7 — privacy policy + terms** is next. See [`CHANGELOG.md`](./CHANGELOG.md) for shipped slices, [`PLAN.md`](./PLAN.md) for the full roadmap, and [`docs/PROGRESS_LOG.md`](./docs/PROGRESS_LOG.md) for the most recent session handoff.
Pre-alpha. Latest shipped release is **v0.9.7** (a Privacy Policy and Terms of Service, linked from a new site-wide footer). v0.9.6 before it added a reusable load-test harness for the warm `/analyze` path (full 100 RPS run is an operator step); v0.9.5 ran a full pre-launch security audit — no high/critical findings — tightening the GitHub OAuth scope to read-only and adding HTTP security headers; v0.9.4 made the DB connection pool size env-tunable and genuinely fixed the back-nav search spinner; v0.9.3 added deletable `/me` history with undo, a golden "creator" scorecard for the project's creator account, and a first (incomplete) attempt at the back-nav spinner fix. Live at https://skill-issue-tau.vercel.app — GitHub OAuth sign-in, Neon Postgres persistence, `/me` history, opt-in `/share/[slug]` public links. The AI narrative layer (Roast + Mentor) runs on **Groq** (`llama-3.3-70b-versatile`). v0.7.0 added Upstash Redis caching (warm `/analyze` ≤ 200 ms); v0.7.2 prod-certified the perf budget (CLS 0.080 → **0** structurally, perf 90 → 94, LCP 2,804 → 2,773 ms); v0.8.0 shipped Sentry (FE+BE), PostHog (events + web vitals), structlog JSON logging, on-voice 404, and a full axe a11y pass; v0.8.1 ships the nightly cron with bearer auth; v0.8.2 pairs it with the manual force-refresh button on `/me`; v0.8.3 hotfixes the empty-repo crash; v0.8.4 fixes the silent narrative misattribution; v0.8.5 closes the post-deploy-Sentry loop with a pre-merge CI gate; v0.8.6 closes v0.7.1's deferred share-page caching; v0.8.7 modernizes project config; v0.9.0 opens Beta hardening with bounded GH fan-out; v0.9.1 closes the /me N+1 + adds per-namespace Report cache versioning; v0.9.2 adds rate limiting (per-IP for anonymous, higher per-user caps for signed-in) on `/analyze` and `/narrative`; v0.9.3 adds deletable `/me` history with undo, attempts the back-nav search-spinner fix, and gilds the creator's scorecard. 
v0.9.4 makes the DB connection pool size env-tunable (defaults unchanged — RUM showed no pool exhaustion) and lands the real back-nav spinner fix (the v0.9.3 attempt addressed the wrong mechanism); v0.9.5 runs a full pre-launch security audit (no high/critical findings), tightens the OAuth scope to `read:user`, and adds HTTP security headers; v0.9.6 adds a reusable load-test harness for the warm `/analyze` path (the full 100 RPS run is an operator step); v0.9.7 adds a Privacy Policy and Terms of Service, linked from a new global footer. **v1.0.0 — public launch** is next. See [`CHANGELOG.md`](./CHANGELOG.md) for shipped slices, [`PLAN.md`](./PLAN.md) for the full roadmap, and [`docs/PROGRESS_LOG.md`](./docs/PROGRESS_LOG.md) for the most recent session handoff.

---

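Review bot: in the rewritten Status paragraph, v0.9.3 through v0.9.7 are each summarised twice, once in the opening sentences and again in the running list that ends with the "is next" pointer, so every release means editing two places in the same paragraph. Keep the latest release and the next slice here and leave the per-version history to `CHANGELOG.md`, which the paragraph already links.
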
Expand Down Expand Up @@ -76,7 +76,7 @@ cp .env.example .env # then edit .env and add your GITHUB_TOKEN and OPENA
uv run uvicorn app.main:app --reload --port 8000
```

Verify: `curl http://localhost:8000/health` → `{"status":"ok","version":"0.9.6","db":"up"|"down","cache":"up"|"down"|"unconfigured"}`. The `db` field reports DB reachability when `DATABASE_URL` is configured; the `cache` field reports Upstash reachability (`unconfigured` when `UPSTASH_REDIS_REST_URL` isn't set — perfectly fine for local dev, the in-process fallback covers it).
Verify: `curl http://localhost:8000/health` → `{"status":"ok","version":"0.9.7","db":"up"|"down","cache":"up"|"down"|"unconfigured"}`. The `db` field reports DB reachability when `DATABASE_URL` is configured; the `cache` field reports Upstash reachability (`unconfigured` when `UPSTASH_REDIS_REST_URL` isn't set — perfectly fine for local dev, the in-process fallback covers it).
Hit the analyzer: `curl http://localhost:8000/analyze/octocat`.

### Frontend (`:3000`)
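
Review bot: the expected `/health` response in the Verify line pins the literal `"version":"0.9.7"`, so this README line has to be hand-edited on every release alongside `settings.py` and `pyproject.toml`. Show a placeholder such as `"version":"<current>"` instead, so a missed bump does not make the quick-start check look like a failure.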
2 changes: 1 addition & 1 deletion backend/app/settings.py
Expand Up @@ -2,7 +2,7 @@

from pydantic_settings import BaseSettings, SettingsConfigDict

VERSION = "0.9.6"
VERSION = "0.9.7"


class Settings(BaseSettings):
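
Review bot: `VERSION = "0.9.7"` is a second hand-maintained copy of the `version` field in `backend/pyproject.toml`, changed in this same PR, and nothing visible here keeps the two equal. If the backend is installed as a package, read the value from package metadata (`importlib.metadata.version("skill-issue-backend")`), or add a test that compares the constant with `pyproject.toml`, so the two cannot drift.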
2 changes: 1 addition & 1 deletion backend/pyproject.toml
@@ -1,6 +1,6 @@
[project]
name = "skill-issue-backend"
version = "0.9.6"
version = "0.9.7"
description = "Skill Issue backend — FastAPI service that ingests a GitHub profile and returns a deterministic engineering report."
readme = "README.md"
authors = [
2 changes: 1 addition & 1 deletion backend/uv.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

29 changes: 29 additions & 0 deletions docs/PROGRESS_LOG.md
Expand Up @@ -19,6 +19,35 @@ Format:

---

## 2026-05-28 — Claude (Opus 4.7) — v0.9.7 shipped (privacy + terms)

**Slice:** v0.9.7 — the final pre-1.0 slice. Privacy Policy + Terms of Service pages + a new global footer.

**Done:**
- **`/privacy` + `/terms`** — static TSX server-component pages (prerender as `○ Static`) using a shared `LegalProse`/`LegalSection` wrapper (`frontend/src/components/legal-prose.tsx`). Content is lightweight + honest, grounded in the app's real data flows (GitHub `read:user`, saved analyses in Neon, IP for rate-limiting, Upstash caches, Groq narrative, Sentry/PostHog) — India governing law, 13+, contact shaansatsangi.cse@gmail.com.
- **Global `SiteFooter`** (`frontend/src/components/site-footer.tsx`) wired into `app/layout.tsx` (`mt-auto`, bottom of the flex-col body): Privacy · Terms · GitHub.
- **3 smoke tests** (`legal-pages.test.tsx`): each page heading + contact/governing-law text + footer links. Frontend vitest 54 → 57.
- `docs/legal/README.md` pointer (single source of truth = the TSX pages; no markdown duplicate to drift). Docs ritual + version bump to 0.9.7.

**Decisions:**
- **Static TSX over markdown** — no rendering dependency, full design control, SEO/PPR-friendly, single source of truth.
- **Static footer year, not `new Date()`** — under Cache Components (`cacheComponents: true`), `new Date().getFullYear()` in a prerendered server component trips the Next 16 prerender guard (needs a Suspense boundary). The first implementer worked around it with a `"use client"` `CopyrightYear` + Suspense; simplified to a hardcoded `© 2026` (YAGNI — a client component + boundary for a constant is over-engineering; the legal pages already carry a dated "Last updated").
- **Lightweight, India, 13+, contact shaansatsangi.cse@gmail.com** per the user's brainstorm answers. Operator = Shaan Satsangi (individual).
- **Not legal advice** — drafts grounded in real practices; flagged for professional review before public launch.

**Learned / surprises:**
- **Next 16 + Cache Components blocks `new Date()` in prerendered server components** (and even a client component using it without a Suspense boundary above). For trivial dynamic values like a copyright year, a static constant is the clean fix rather than a Suspense+client dance.

**Verified:**
- Frontend `lint` + `tsc` clean; vitest 57 passed; `next build` clean with `/privacy` + `/terms` as `○ Static`. Backend untouched (290 still pass after the version bump).
- Footer visual check (landing hero intact, mobile stacking): operator quick-confirm on prod after deploy.

**Blocked / open:** professional legal review recommended before relying on the docs at public launch.

**Next:** v1.0.0 — public launch.

---

## 2026-05-28 — Claude (Opus 4.7) — v0.9.6 shipped (load-test harness)

**Slice:** v0.9.6. Reusable backend load-test harness + runbook; the full 100 RPS validation run is an operator step (hardware-gated). Split from the original v0.9.5 "security review + load test"; legal docs are now v0.9.7.
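
Review bot: the three smoke tests listed under "Done" assert each page heading, the contact and governing-law text, and the footer links, but not the data-practice statements the policy rests on (GitHub `read:user`, Neon, IP for rate-limiting, Upstash, Groq, Sentry/PostHog). Add an assertion that `/privacy` names each of these, so adding or swapping a processor fails a test until the policy text is updated. The hardcoded `© 2026` chosen under "Decisions" also needs a tracked follow-up, since it will be wrong once the year rolls over.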
11 changes: 11 additions & 0 deletions docs/legal/README.md
@@ -0,0 +1,11 @@
# Legal

The Privacy Policy and Terms of Service are maintained as rendered pages (single
source of truth — no markdown duplicate to drift):

- Privacy Policy: [`frontend/src/app/privacy/page.tsx`](../../frontend/src/app/privacy/page.tsx) → `/privacy`
- Terms of Service: [`frontend/src/app/terms/page.tsx`](../../frontend/src/app/terms/page.tsx) → `/terms`

Last updated: 2026-05-28. Lightweight, plain-language drafts grounded in the
app's actual data practices — **not legal advice**; have a professional review
before relying on them.
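
Review bot: the "Last updated: 2026-05-28" line at the bottom of this new file duplicates the date the pages themselves carry (PLAN.md lists "Last updated 2026-05-28" in the page exit criteria), which is the kind of drift the opening paragraph says this file avoids. Drop the date here and point readers to the rendered pages for it.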