Technical Standards
The build standard is explicit.
This checklist keeps HMX Zone builds honest: fewer hidden assumptions, cleaner handoff, and verification that can be repeated.
Public site
- One public header/footer/skip link/main landmark per route.
- Root layout owns providers only; the public route group owns public chrome.
- Admin routes do not inherit public chrome.
Funnel
- Step 1 saves a partial lead with Turnstile, honeypot, rate limiting, and consent.
- Step 2 updates the same lead and redirects to the booking page.
- Booked status is verified by signed Cal.com webhook only.
Security
- Supabase service-role keys stay server-only.
- Turnstile, RLS, admin auth, CSP, and rate limits are not weakened for convenience.
- Secret scans and environment validation run before launch.
Content
- No fake testimonials, fake metrics, unsupported guarantees, or fabricated proof.
- Proof is redacted, owned, public-safe, or clearly labeled as a diagram.
- Public package pages do not show checkout-style price cards.
Verification
- Lint, typecheck, build, route QA, UI QA, SEO audit, secret scan, and performance baseline are recorded.
- External checks are marked blocked when production, Supabase, Cal.com, Cloudflare, Resend, Sentry, or analytics access is missing.