dare.co.uk session report — 2026-05-07

TL;DR

Production picked up two security/perf wins (HSTS live, restructured _headers cache rules), and the repo moved out of ~/Downloads/ to escape macOS Downloads-folder TCC restrictions. 5 commits sit on staging ready for production — sitemap cleanup, DMCA policy migration, brand spelling polish — awaiting explicit auth to ff-merge into main. Worker plumbing for the voip.ms AI-voice callback is scaffolded behind a feature flag, off by default, ready to wire when the beta contract lands.

Shipped to production today

Change	How	Verification
HSTS enabled	Cloudflare dashboard → SSL/TLS → Edge Certificates	`strict-transport-security: max-age=15552000` (6 months, no `includeSubDomains`, no `preload`)
`_headers` restructured	Merged via GitHub PR #6 (`adeb5b00` → `310fe443`)	Cache headers now `max-age=3600, s-maxage=86400, stale-while-revalidate=604800` (was `max-age=0, must-revalidate`)

Security-header set on https://www.dare.co.uk/: - strict-transport-security: max-age=15552000 - x-frame-options: SAMEORIGIN - x-content-type-options: nosniff - referrer-policy: strict-origin-when-cross-origin - permissions-policy: geolocation=(), microphone=(), camera=()

Staged for promotion (5 commits, awaiting auth)

e486502e  Track dmca@ Google alias swap as a follow-up
e8d95435  Spell legal entity as DANIEL DARE LIMITED in DMCA agent block
621e960d  Anchor DARE entity in anti-spam policy intro
783a6eb2  Migrate DMCA policy content from legacy WP body
8028404d  Clean sitemap: drop dead URLs and Yoast XSL

Sitemap cleanup (Stage 1 of 3) — page-sitemap.xml down from 12 URLs to 6 (clean 200s only); dropped 7 dead/redirected entries (/forum/, /clients/, /clients-2/, /error-404/, /checkout/, /customer-dashboard/, /shop/) and added the missing /contact/. Yoast SEO attribution and the main-sitemap.xsl stylesheet removed across all three sitemap files. post-sitemap.xml (702 URLs) is unchanged in content, just metadata-cleaned. xmllint --noout clean.

DMCA policy migration — body content pulled from the legacy WP backup, anglicised, modernised HTML, brand-aligned. New Designated Copyright Agent block uses the Companies House registered office of DANIEL DARE LIMITED (no. 03078067, 7 Jardine House, Harrovian Business Village, Bessborough Road, Harrow, Middlesex HA1 3EX). Email routes to hello@dare.co.uk for now (see follow-ups). Counter-notice section added per 17 USC §512(g) best practice.

Anti-spam-policy parity — opening paragraph now anchors the entity (“DARE — the organisation behind dare.co.uk —”) to match the privacy-policy / dmca-policy convention.

Brand spelling polish — DMCA agent block now uses DANIEL DARE LIMITED (all caps, matching Companies House register and Dan’s preferred legal-entity casing).

Eyeball at https://staging-dare-co-uk.xlabs.workers.dev/dmca-policy/ before merging.

Worker scaffolding (not in this repo)

~/Downloads/dare-contact-worker.js — added a feature-flagged stub for the voip.ms AI-voice callback. Off by default (env.VOIPMS_AI_ENABLED !== 'true'). Activates only on pref === 'phone' and UK E.164 phone (mirroring the existing SMS gating). Currently logs the assembled call context; the single TODO block marks the insertion point for the real voip.ms beta API call.

Pre-code design decisions still owed (per CLAUDE.md): voip.ms beta API contract, prompt design (chat-Claude owns), call timing, failure fallback, cost ceiling, transfer-to-human flow, GDPR recording disclosure script.

Repo housekeeping

Repo moved ~/Downloads/dare-co-uk/ → ~/Code/dare-co-uk/ to escape macOS Downloads-folder TCC restrictions (was breaking shell + Claude Code’s bash sandbox). The worker source itself stays in ~/Downloads/ — only the repo moved.
CLAUDE.md updated for the new path under “Where files live”.
CLAUDE.md follow-up added for the dmca@dare.co.uk Google Workspace alias (deferred — hello@ works for now, swap when the alias is set up).

Decisions captured to memory

feedback_dare_brand_spelling.md — DARE all-caps for entity refs in body copy; DANIEL DARE LIMITED all-caps for legal-entity blocks (Companies House #03078067); domain stays lowercase dare.co.uk.
project_dare_hsts_rollout.md — HSTS settings, dashboard-only config (NOT in _headers file), conservative settings rationale (subdomain audit pending before includeSubDomains).

Decisions NOT to ship

DMCA aside on contact form — proposed a one-line “for copyright concerns, see our DMCA policy” footnote near the contact-form footer. Dropped after Dan flagged 30 years of zero DMCA requests as evidence the noise isn’t worth the signal. Working tree cleaned, no commit.

Open follow-ups

Merge staging → main — 5 commits queued. Hook is requiring per-batch auth phrase. Either say “yes, merge staging (e486502e) into main and push”, or add a Bash allow rule to ~/.claude/settings.json for repeatable promotion.
Friday traffic recompare — baseline from 2026-05-06: 10.36k req/day, 80.14% CDN, security layer, and DNS provider sitting in front of dare.co.uk.">CF cache / 14.81% origin / 5.05% mitigated. Recompare scheduled for tomorrow (2026-05-08). Origin-hit % should drop given the new edge-cache headers.
dmca@dare.co.uk Google Workspace alias — set up, then swap address in dmca-policy/index.html (single <a href="mailto:…"> line).
voip.ms beta integration — pre-code design decisions in chat-Claude before wiring the TODO in maybeFireAiVoiceCallback().
Stage 2 sitemap automation — programmatic generator script (scripts/build-sitemap.mjs) that walks the repo, parses _redirects, emits both sitemaps. ~30 min in a future session.
Stage 3 sitemap deploy hook — wire npm run sitemap into the predeploy step once Stage 2 is stable.

Generated 2026-05-07. Print to PDF via Cmd+P from a markdown viewer or VS Code preview.

Source: dare_session_report_2026-05-07.md · Rendered 2026-05-11 20:34