feat(analytics): CWA beacon on production (G B.3.5)#10
Merged
Conversation
Closes the CWA-beacon scope item from master plan §4.B.3 that was missed by the G B.3.2 implementation plan. The Datenschutz pages already disclose CWA behavior to users (Phase B.3.2.b commit 108a5ea); this commit makes the disclosure-vs-reality match. The beacon is gated on both isProduction() and a non-empty PUBLIC_CWA_TOKEN — local dev and staging emit nothing, avoiding non-production traffic pollution in the analytics dashboard. Verified locally: default npm run build emits no beacon; PUBLIC_ENVIRONMENT=production PUBLIC_CWA_TOKEN=<test> emits the script tag with the JSON token attribute as specified. Master plan §4.B.3 specified the gating as inline `import.meta.env.PUBLIC_ENVIRONMENT === 'production'`; this commit uses the existing isProduction() helper from src/lib/env.ts — identical behavior, idiomatic to the codebase, matches the isStaging() helper already imported by BaseLayout. PUBLIC_CWA_TOKEN secret added to the repo's GitHub Actions secrets ahead of this commit (manual step on Lars's side). The .env.example documentation block plus the deploy-production.yml env wiring document the contract for future operators. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
blackbrowed-labs
added a commit
that referenced
this pull request
May 12, 2026
Close five Pass 2 backlog rows in one commit; all touch the scripts/ verifier subtree or the verify-cloudflare-facts.yml workflow and all are cosmetic with zero behaviour change. - #17 cwa-retention.mjs: fix JSDoc Source URL drift (data-retention -> faq) so the header comment matches the sourceUrl constant set in G D.10.1. - #18 cwa-retention.mjs: drop dead NUMBER_WORDS entry `twentyfour` (regex never emits the concatenated form) and add `'twenty four'` (regex CAN emit the spaced form via `\s-?` alternation). - #19 dpf.mjs: correct spec section reference from sec 6.3 to the actual load-bearing sections sec 3.2 / 3.4 / 9.1 / 9.3. - #20 verify-cloudflare-facts.yml: PR-body reads naturally for both value-change and absent-from-list cases instead of forcing the DPF-shaped "went absent" framing onto CWA-style figure shifts. - #10 scripts/*.mjs: uniform "Run from the project root" docstring paragraph in build-headers.mjs, extract-tokens.mjs, and run-verifier.mjs (the three top-level scripts surviving after G D.11 deleted check-cloudflare-facts-freshness.mjs); check modules under scripts/checks/ already document the convention via their orchestrator. Perms uniform: no +x bit on any .mjs file. Verifier regression baseline (six MOCK_SCENARIO runs in --dry-run) re-verified post-edit; statuses unchanged. Refs: plans/active/pass-2/backlog.md #10, #17, #18, #19, #20
This was referenced May 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
BaseLayout.astro, gated on bothisProduction()(the existing helper fromsrc/lib/env.ts, which checksPUBLIC_ENVIRONMENT === 'production') and a non-emptyPUBLIC_CWA_TOKEN.PUBLIC_CWA_TOKEN: ${{ secrets.PUBLIC_CWA_TOKEN }}into the production deploy workflow's Build step env. Not wired into the staging workflow — the production-only gate is enforced both by the deploy-time secret absence and the runtimeisProduction()check..env.example.Closes the CWA-beacon scope item from master plan §4.B.3 that was missed by the G B.3.2 implementation plan. Datenschutz pages already disclose CWA behavior to users (commit
108a5ea); this PR makes the disclosure-vs-reality match.PUBLIC_CWA_TOKEN(valuedd0616e2e6254d0d9c8c608910b2c71a) was added as a GitHub Actions secret on the repo before this commit landed, so the very first production deploy after merge will have the beacon firing.Test plan
<script>absent (count 0)PUBLIC_ENVIRONMENT=production PUBLIC_CWA_TOKEN=<test>→ beacon present,data-cf-beaconJSON attribute correctcurl -sS https://blackbrowedlabs.com/ | grep beacon.min.jsreturns the script tag with the real token🤖 Generated with Claude Code