Adopt sister-site infrastructure baseline (Biome, Bun, Dependabot, dynamic sitemap/OG/RSS, CI)

[lwwmanning]

Summary

Massive overhaul of vortex.dev site infrastructure to improve developer experience and fix various shortcomings found along the way.

What changed

Phase 1 — Tooling foundation

• Bun-only: deleted `package-lock.json` (was tracked alongside `bun.lock` and drifting), added `.nvmrc` (22), pinned `packageManager: bun@1.3.13` and `engines: { node: '>=22', bun: '>=1.3.0' }`
• Biome replaces ESLint+Prettier: deleted `eslint.config.mjs`, `.prettierrc`; added `biome.json` ported from spiraldb (sans visualizer/iframe overrides)
• Dependabot replaces Renovate: deleted `renovate.json`; added `.github/dependabot.yml` with weekly Monday cadence, 14-day cooldown, grouped (react, content-pipeline, lint-format, minor-and-patch)
• Tighter tsconfig: `alwaysStrict`, `noUnusedLocals`, `noUnusedParameters`, `forceConsistentCasingInFileNames`
• Added `vercel.json` pinning install + build commands to bun
• Updated `.vscode/` settings/extensions to recommend Biome

Phase 2 — SEO/robustness parity

• Sitemap was a real bug: the old static `src/app/sitemap.xml` listed only `/` and `/blog` — every blog post URL was invisible to search crawlers. Dynamic `sitemap.ts` now emits 9 entries (root + /blog + 7 posts).
• Added `src/app/error.tsx` global error boundary
• Dynamic OG via `next/og`: `src/lib/og.tsx` + routes for `/`, `/blog`, `/blog/[slug]` (deleted static `opengraph-image.png`)
• RSS at `/rss/[type]` — `feed.xml` (RSS 2.0), `feed.json` (JSON Feed), `feed.atom` — using the `feed` package
• JSON-LD `Article` schema + reading-time on blog post pages (reading-time via velite's `s.metadata()`)
• Hardened security headers in `next.config.mjs`: `Strict-Transport-Security` (2y, preload), `Referrer-Policy`, `Permissions-Policy`, `frame-ancestors`, `base-uri`, `form-action`; `images.formats: ['image/avif', 'image/webp']`
• Consolidated `siteURL`/`siteName` into existing `src/lib/constants.ts` with sane local fallback

Phase 3 — Core CI

• `.github/workflows/ci.yml` — SHA-pinned actions; runs `check:ci` → `build` → `typecheck` → start server → `verify` (build before typecheck because velite + `#site/content` path alias requires `.velite/` to exist)
• `.github/workflows/claude.yml` — @claude mentions
• `.github/workflows/dependabot-auto-merge.yml` — patch+minor auto-merge, majors get a comment with diff
• `scripts/verify.ts` — adapted from spiraldb's: asserts sitemap structure (incl. blog post entries), robots.txt sanity, RSS feed integrity, OG image dimensions (1200×630 PNG via raw IHDR parse), canonicals, JSON-LD Article schema on posts, internal-link rot

Real bug fixed along the way

`src/app/api/subscribe/route.ts` instantiated `new Resend(process.env.RESEND_API_KEY)` at module load. The build collects page data by importing each route, and the Resend SDK throws when the env var is missing — so the build crashed without an API key. Now lazy-initialized inside the handler with a 503 fallback.

Why

The user maintains three Next.js marketing sites and wants them on one shared infra baseline so PR reviews, dependency updates, CI debugging, and tooling upgrades only have to be reasoned about once. willmanning.com and spiraldb.com had already converged; vortex.dev was the lagger.

Things a reviewer should know

• CSP keeps `'unsafe-eval'` (with a comment explaining why): `src/components/MDXRenderer.tsx` evaluates velite-emitted JSX strings via `new Function(code)` at runtime. Removing `'unsafe-eval'` breaks every blog post in production. `'unsafe-inline'` also remains for scripts/styles per the Next 16 limitation called out in willmanning's CSP.
• CI ordering is intentional: `build` runs before `typecheck` because the build is what populates `.velite/` (which the `#site/content` path alias resolves to) and `next-env.d.ts`. Running `tsc --noEmit` first would fail with module resolution errors. Sister sites differ here — willmanning runs typecheck first because it doesn't have velite.
• Repo settings still need a one-time touch (not in this PR):
  • Add `ANTHROPIC_API_KEY` repo secret for `claude.yml`
  • Settings → General → Pull Requests → enable "Allow auto-merge" for `dependabot-auto-merge.yml`
  • Branch protection on `main` with the `CI / Lint, build, verify` check marked Required (otherwise auto-merge fires before CI)
• Lighthouse + Playwright deferred to a follow-up per scoping discussion. willmanning's setup for both is ready to port.

Out-of-band side find

`src/content/blog/september.mdx` and `src/content/blog/september-2025.mdx` both exist. Likely a stale draft — flagging here, not deleting in this PR.

Test plan

• `bun install` clean
• `bun run check:ci` clean
• `bun run typecheck` clean (after build)
• `bun run build` clean
• `bun run verify` against local server: 15/15 passing (sitemap with all post URLs, robots, RSS xml/json/atom, OG dimensions on every page, canonicals, JSON-LD on every post, internal links)
• CI passes on this PR
• Manual: paste a blog post URL into opengraph.xyz — preview renders
• Manual: paste a blog post URL into Google's Rich Results Test — Article schema parses
• Manual: subscribe to `/rss/feed.xml` in a feed reader — feed validates with all 7 posts

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
vortex	Ready	Preview, Comment	May 4, 2026 5:13pm