# Quickstart: DACH Trust, Datenschutz & Security Website Surface

## Goal

Implement Spec 405 inside `apps/website` only by deepening the existing public trust route, preserving current route/localization contracts, and proving the result with website-only build and smoke checks.

## 1. Verify repo truth first

Run from the repository root:

```bash
git status --short --branch
cat package.json
cat pnpm-workspace.yaml
cat apps/website/package.json
find apps/website -maxdepth 3 -type f | sort | sed -n '1,240p'
```

Confirm:

- the website package name is `@tenantatlas/website`
- `WEBSITE_PORT` still defaults to `4321`
- `/trust` already exists and remains the canonical trust route
- no `apps/platform` file is required for the change

## 2. Review the existing trust implementation seams

Inspect the current public shell before editing:

```bash
sed -n '1,260p' apps/website/src/data_files/site-copy.ts
sed -n '1,220p' apps/website/src/components/pages/TrustPage.astro
sed -n '1,260p' apps/website/src/components/pages/HomePage.astro
sed -n '1,200p' apps/website/src/i18n.ts
sed -n '1,260p' apps/website/tests/smoke/public-routes.spec.ts
sed -n '1,260p' apps/website/tests/smoke/smoke-helpers.ts
```

## 3. Implement the content and page structure

Expected edit targets:

- `apps/website/src/data_files/site-copy.ts`
- `apps/website/src/components/pages/TrustPage.astro`
- `apps/website/src/components/pages/HomePage.astro`
- navigation/footer inputs only if the current trust exposure needs adjustment
- `apps/website/tests/smoke/public-routes.spec.ts`
- `apps/website/tests/smoke/interaction.spec.ts`
- `apps/website/tests/smoke/smoke-helpers.ts`

Implementation guidance:

1. Expand trust copy for both `de` and `en`.
2. Keep `/trust` and `/en/trust` as the route pair.
3. Render claim-safe sections for hosting posture, privacy posture, document readiness, data categories, provider permissions, RBAC, auditability, retention, subprocessors, support access, and security handoff.
4. Use the six allowed claim statuses only.
5. Reuse `/contact` or a real `mailto:` destination for requests; do not create fake downloads.
6. Keep homepage trust discoverability lightweight and route users to the canonical trust page instead of duplicating the full content.

## 4. Run static scans before browser tests

Use a targeted forbidden-claim scan:

```bash
rg -n \
  -e 'href="#"' \
  -e 'lorem ipsum' \
  -e 'DSGVO-konform' \
  -e 'DSGVO compliant' \
  -e 'GDPR compliant' \
  -e 'ISO certified' \
  -e 'ISO 27001 certified' \
  -e 'BSI certified' \
  -e 'NIS2 compliant' \
  -e 'hosted in Germany' \
  -e 'in Deutschland gehostet' \
  -e 'no customer data stored' \
  -e 'keine Kundendaten' \
  -e 'no personal data' \
  -e 'keine personenbezogenen Daten' \
  -e 'automatic restore' \
  -e 'autonomous remediation' \
  -e 'Google supported' \
  -e 'AWS supported' \
  apps/website/src apps/website/public apps/website/dist
```

Any intentional match must have a documented proof source or be rewritten.

## 5. Validate with website-only build and smoke coverage

```bash
corepack pnpm build:website
corepack pnpm --filter @tenantatlas/website test
```

If manual preview is needed:

```bash
corepack pnpm dev:website
```

Then verify:

- `/trust` loads on desktop and mobile
- `/en/trust` mirrors the intended trust posture
- homepage trust teaser links to the canonical trust route
- footer/navigation trust links are real
- no placeholder links remain
- no false compliance/certification/provider claims are visible

## 6. Final scope check

Before handing off, confirm that only website-facing files changed:

```bash
git status --short -- apps/website apps/platform
git diff --name-only
git diff --check
```

Expected result:

- `apps/website` files changed as planned
- `apps/platform` untouched
- no dependency, workspace-script, or build-contract drift
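The forbidden-claim scan in section 4 can be turned into a pass/fail gate that enforces the "documented proof source" rule. The following is an added example, not part of the project's tooling: the allowlist file and its `path|phrase|proof source` format are assumptions, `grep -F` stands in for `rg`, and matching is case-insensitive, which goes beyond the scan as written so that a sentence-initial "Hosted in Germany" is also caught.

```bash
#!/usr/bin/env bash
# Added example, not project code. Assumed: the allowlist file and its
# "path|phrase|proof source" line format; grep -F is used in place of rg.

# Subset of the phrases from the scan in section 4; extend with the rest.
FORBIDDEN_CLAIMS='DSGVO-konform
GDPR compliant
ISO 27001 certified
hosted in Germany
no personal data'

# scan_forbidden_claims ALLOWLIST DIR...
# Prints every match that has no documented proof source; returns 1 if any.
scan_forbidden_claims() {
  local allowlist unproven
  allowlist=$1; shift
  unproven=$(
    for dir in "$@"; do
      [ -d "$dir" ] || continue   # e.g. dist/ does not exist before a build
      printf '%s\n' "$FORBIDDEN_CLAIMS" | while IFS= read -r phrase; do
        grep -rniIF -- "$phrase" "$dir" | while IFS= read -r hit; do
          path=${hit%%:*}
          # Accept only if this path and phrase are listed with a proof source.
          awk -F'|' -v p="$path" -v c="$phrase" '
            $1 == p && tolower($2) == tolower(c) && $3 != "" { ok = 1 }
            END { exit !ok }' "$allowlist" 2>/dev/null || printf '%s\n' "$hit"
        done
      done
    done
  )
  [ -z "$unproven" ] && return 0
  printf '%s\n' "$unproven"
  return 1
}

# Constructed sample tree (not the real site): one proven claim, one unproven.
demo_scan() {
  local root status
  root=$(mktemp -d); status=0
  mkdir -p "$root/src"
  printf 'Hosted in Germany on request.\n' > "$root/src/trust.txt"
  printf 'We are GDPR compliant.\n' > "$root/src/faq.txt"
  printf '%s|hosted in Germany|hosting contract (constructed)\n' \
    "$root/src/trust.txt" > "$root/allow.txt"
  scan_forbidden_claims "$root/allow.txt" "$root/src" "$root/dist" || status=$?
  rm -rf "$root"
  return "$status"
}

demo_scan || echo "gate failed: unproven claims listed above"
```

In the repository the call would take the three directories from the scan in section 4; allowlist paths must be written exactly as the scan prints them.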