# MC #100173 — Bilko Landing Pages UX Audit & Compliance Fixes (2026-05-09)

**Mission Control ID:** #100173  
**Forge Prompt:** `/Users/makinja/system/prompts/forged/100173.md`  
**Mehanik Clearance:** `/Users/makinja/system/state/mehanik-markers/100173-cleared.json` (Phase R1)  
**PRs:** [#81 (Securion)](https://github.com/johnatbasicas/bilko/pull/81) | [#82 (Vizu+Lexicon+FlowForge)](https://github.com/johnatbasicas/bilko/pull/82)  
**Proveo Report:** `/tmp/proveo-100173-report.md` (21/27 PASS, 1 BLOCKER found)  
**Status:** OPEN — Awaiting CEO merge after BLOCKER-1 fix  

---

## Scope

Multi-lane compliance and UX audit across three Bilko landing implementations (bilko.io Next.js, bilko.cloud + bilko.company static HTML). 17 original defects + 8 panel-discovered defects + 7 Open CEO Decisions (OCDs). Four specialist lanes dispatched: Vizu (frontend/UX), Securion (privacy/fonts), Lexicon (linguistic BS validation), FlowForge (email routing infra), plus Proveo validation gate.

**Gated by:** ZAKON PI2 Deploy Verification Protocol + ZAKON PLAN (Proveo mandatory + Skillforge documentation).

---

## 27 Deliverables

### A-Series: bilko.io (Next.js app) — routing/functional defects

| ID | Description | Status | Evidence |
|----|-------------|--------|----------|
| **D1** | /terms route wired in footer | ✅ PASS | PR #82: footer.tsx href changed from '#' to '/terms' |
| **D2** | /privacy route wired in footer | ✅ PASS | PR #82: footer.tsx href changed from '#' to '/privacy' |
| **D3** | favicon.ico serving | ✅ PASS | PR #82: apps/web/app/icon.svg created (App Router standard) |
| **D4** | Demo CTA endpoint | 🟡 PARTIAL | Gated on OCD-5 → sales@bilko.io alias created (PR #82 bf0871a), mailto targets wired |
| **D5** | Pricing card placeholder | ✅ PASS | PR #82: "plan ovdje" placeholder removed, replaced with subject line |
| **D6** | /gdpr route wired in footer | ✅ PASS | PR #82: footer.tsx href changed from '#' to '/gdpr' |
| **D7** | Language/locale lock | 🔒 DEFERRED | OCD-1 resolved: ijekavica retained, no ekavizacija needed. No code change. |
| **D8** | generateMetadata for OG/canonical/JSON-LD | ✅ PASS | PR #82: generateMetadata added to apps/web/app/page.tsx (2 refs) + JSON-LD schema |

### B-Series: static landings (bilko.cloud + bilko.company) — structural/brand defects

| ID | Description | Status | Evidence |
|----|-------------|--------|----------|
| **D9** | Demo CTA anchor | ✅ PASS | PR #82: mailto:sales@bilko.{cloud,company} on both static landings |
| **D10** | Cross-domain footer disclosure on bilko.cloud | ✅ PASS | OCD-3 → footer logo href="/" (self-contained per ADR-023), cross-domain link removed |
| **D11** | Cross-domain footer disclosure on bilko.company | ✅ PASS | Same as D10, applied to landing-hr |
| **D12** | Language switcher decision | 🔒 DEFERRED | OCD-2 → won't-fix per ADR-023 (domain IS the switch). Documented as intentional. |
| **D13** | Footer legal links on static landings | ✅ PASS | OCD-4 → each domain gets own legal pages: apps/landing-ba/{terms,privacy}.html + apps/landing-hr/{terms,privacy}.html created |
| **D14** | Metadata (OG/canonical/hreflang) on static landings | 🟡 PARTIAL | Canonical + OG tags + JSON-LD added; hreflang deferred per lea-verou dissent (stale risk with 3 separate CF Pages projects) |

### C-Series: cross-domain/shared — design system + component defects

| ID | Description | Status | Evidence |
|----|-------------|--------|----------|
| **D15** | Component unification decision | 🔒 DEFERRED | OCD-2 → separate ADR required; no unification attempted; packages/ui/ still empty scaffold |
| **D16** | OG image asset | 🟡 PARTIAL | SVG placeholder created at apps/web/public/og/bilko-og-2026.svg; PNG upload to r2.bilko.io pending FlowForge |
| **D17** | Regulatory terminology audit | ✅ PASS | Lexicon BS pass (D-NEW-9): UST→UIO PDV, MRS/MSFI→MSFI only, e-Faktura→e-faktura lowercase, "Generirajte"→"Generišite", "po BiH standardima" removed |

### NEW DEFECTS (panel-discovered)

| ID | Description | Status | Evidence |
|----|-------------|--------|----------|
| **D-NEW-1** | footer.tsx legal links href:'#' | ✅ PASS | Same as D1/D2/D6; 8 unguarded href:'#' remain on product/country links (no inline TODO) — flagged as Proveo PARTIAL but non-blocking |
| **D-NEW-2** | DPO contact alem@alai.no → privacy@bilko.io | ✅ PASS (PR #81) | Securion: apps/web/app/(legal)/privacy/page.tsx lines 131+675 changed to privacy@bilko.io; GDPR Art. 37(1) clause added (DPO not required) |
| **D-NEW-3** | Cookie consent + Google Fonts self-hosting | ✅ PASS (PR #81) | Securion: fonts.googleapis.com removed from landing-ba + landing-hr; Work Sans woff2 (latin + latin-ext) self-hosted at apps/landing-{ba,hr}/fonts/ |
| **D-NEW-4** | Privacy Policy legal review completion | 🔒 GATE | NOT a code deliverable; blocks D2/D6/D13 until sub-processor TBD entries filled + GDPR Policy §7 "LEGAL REVIEW REQUIRED" removed. Out of MC #100173 scope. |
| **D-NEW-5** | Broken links in TOS (bilko.io/dpa, bilko.io/docs) | ✅ PASS | PR #82: dead references removed from apps/web/app/(legal)/terms/page.tsx |
| **D-NEW-6** | National Park heading font on static landings | 🟡 PARTIAL | PR #82: National Park CSS variable + @font-face declarations added; woff2 assets pending FlowForge CDN upload (TODO comment left) |
| **D-NEW-7** | Next.js App Router favicon placement | ✅ PASS | Same as D3; public/favicon.svg deleted, apps/web/app/icon.svg canonical |
| **D-NEW-8** | generateMetadata locale-aware on landing layout | ✅ PASS | Same as D8; explicitly NOT in root app/layout.tsx (BUG-014 constraint) |
| **D-NEW-9** | Lexicon BS regulatory terminology | ✅ PASS | PR #82: UST→UIO PDV (BA only), MRS/MSFI→MSFI, e-Faktura→e-faktura, "Generirajte"→"Generišite", "po BiH standardima" removed |

### MANDATORY (ZAKON PLAN)

| ID | Description | Status | Evidence |
|----|-------------|--------|----------|
| **D-PROVEO** | Proveo end-to-end validation | 🟡 PARTIAL | 21/27 signals PASS, 1 BLOCKER (canonical URL swap), 2 deferred (National Park woff2, Phase 2 live curl) |
| **D-SKILLFORGE** | BookStack documentation | ✅ IN PROGRESS | This page |

---

## 7 OCD Resolutions (CEO directive 2026-05-09 19:55)

**CEO instruction:** "Don't escalate decisions where expert/research path exists." All OCDs closed via panel evidence + GDPR Art. 37 research + ADR-023.

| OCD | Question | Resolution |
|-----|----------|------------|
| **OCD-1** | Market language lock (sr-Latn ekavica vs BS ijekavica) | **Ijekavica retained.** SR is bi-standard (ekavica + ijekavica; RS + diaspora ijekavica valid). dzevad-jahic "ekavica only" position overruled. Keep `defaultLocale='sr-Latn'` and ijekavica copy. Drop D7 ekavizacija. Retain pravopis/spelling pass (D-NEW-9 UST fix). |
| **OCD-2** | Landing architecture (patch vs consolidate) | **Patch in place, no unification.** Component-lib unification = separate ADR, not this MC scope. brad-frost dissent honored. |
| **OCD-3** | Cross-domain footer policy | **Drop cross-domain link.** Per ADR-023 each domain owns its market. Footer logo href="/" on bilko.cloud + bilko.company (self-contained). |
| **OCD-4** | Legal pages distribution | **Each domain hosts own legal pages.** bilko.io = existing Next.js routes. landing-hr + landing-ba get static /terms.html + /privacy.html (HR + BA jurisdiction). |
| **OCD-5** | Demo CTA endpoint | **sales@bilko.{io,cloud,company} aliases.** CF Email Routing created (PR #82 bf0871a). Mailto targets wired. No form backend in this MC. |
| **OCD-6** | Cookie consent vendor | **Self-host Google Fonts.** Eliminates ePrivacy/AZOP third-party transfer trigger. Cookie banner deferred until analytics added (currently none). |
| **OCD-7** | DPO function | **No DPO appointment.** Per GDPR Art. 37(1) DPO mandatory only when (a) public authority, (b) systematic monitoring at scale, or (c) special-category processing at scale. Bilko (0 paying customers) meets none. Replace "DPO" with "Privacy contact: privacy@bilko.io". Add explicit Art. 37(1) clause. `privacy@` alias forwards to CEO. |

---

## PRs & Commits

### PR #81 (Securion lane — Privacy + Fonts)
**Branch:** `fix/100173-securion-privacy-fonts`  
**URL:** https://github.com/johnatbasicas/bilko/pull/81  
**Status:** OPEN (ready for merge)  

**Changes:**
- D-NEW-2: alem@alai.no removed from privacy/page.tsx → privacy@bilko.io (11 occurrences)
- D-NEW-2: GDPR Art. 37(1) clause added (DPO not required, reassessed annually)
- D-NEW-3: Google Fonts removed from landing-ba + landing-hr
- D-NEW-3: Work Sans woff2 (latin + latin-ext) self-hosted at apps/landing-{ba,hr}/fonts/ (4 files, 168KB total)

**Acceptance signals:**
- `grep -c "alem@alai.no" "apps/web/app/(legal)/privacy/page.tsx"` → 0 ✅ (path quoted: the parentheses in `(legal)` are shell syntax when unquoted)
- `grep -c "privacy@bilko.io" "apps/web/app/(legal)/privacy/page.tsx"` → 11 ✅
- `grep -c "fonts.googleapis.com" apps/landing-ba/index.html` → 0 ✅
- `grep -c "fonts.googleapis.com" apps/landing-hr/index.html` → 0 ✅

### PR #82 (Vizu + Lexicon + FlowForge lanes)
**Branch:** `fix/100173-vizu-bilko-landings`  
**URL:** https://github.com/johnatbasicas/bilko/pull/82  
**Status:** OPEN — **BLOCKER-1 MUST BE FIXED BEFORE MERGE** (canonical URL swap)

**Commits:**
1. `e51b387` — static-landings/b-series: footer, OG, canonical, pricing, FAQ, screenshot, National Park, legal pages (OCD-4/6/3) + Lexicon D-NEW-9
2. `3066a4d` — web/a-series: wire legal footer links, favicon, OG metadata, broken TOS links
3. `bf0871a` — infra(email): provision CF Email Routing aliases for bilko.{io,cloud,company}

**Changes:**
- A-series: bilko.io footer legal links, favicon, generateMetadata, sales@ aliases
- B-series: static landing pricing, FAQ, OG tags, canonical, legal pages, Lexicon BS fixes
- FlowForge: CF Email Routing aliases (4 aliases: sales@bilko.{io,cloud,company}, privacy@bilko.io)

**Acceptance signals:**
- 21/27 Proveo signals PASS ✅
- 1 BLOCKER (canonical URL swap) 🚨
- 2 PARTIAL (National Park woff2 deferred, 8 unguarded href:'#') 🟡

---

## Proveo Gate — 1 BLOCKER Found

**Report:** `/tmp/proveo-100173-report.md`  
**Run:** 2026-05-09T19:03:00Z  
**Verdict:** CHANGES REQUIRED  

### BLOCKER-1 (SEO): Canonical URL Swap
**File:** `apps/landing-ba/index.html` (BiH content, lang=bs)  
**Current canonical:** `https://bilko.cloud/` ❌ WRONG — should be `https://bilko.company/`  
**File:** `apps/landing-hr/index.html` (HR content, lang=hr)  
**Current canonical:** `https://bilko.company/` ❌ WRONG — should be `https://bilko.cloud/`  

**Impact:** Each domain will canonicalize to the OTHER domain, so Google will index the wrong canonical for both. The `og:url`, JSON-LD `@id`, `contactPoint` email and font CDN comment in the same files also reference the wrong domain.

**Fix owner:** Vizu (same PR #82, same branch)  
**Fix scope:** landing-ba/index.html: all "bilko.cloud" → "bilko.company" | landing-hr/index.html: all "bilko.company" → "bilko.cloud"

**Affected tags:** `<link rel="canonical">`, `<meta property="og:url">`, `<meta property="og:site_name">`, JSON-LD `@id`, JSON-LD `url`, JSON-LD `contactPoint.email`, font CDN comment

**CEO merge:** Blocked until this fix lands on PR #82.

---

## Post-Fix Expectations (Per Domain)

### bilko.io (Next.js app)
- **Canonical:** bilko.io landing = Next.js app; /terms, /privacy, /gdpr routes 200
- **OG image:** r2.bilko.io/og/bilko-og-2026.png (pending FlowForge upload)
- **Fonts:** Work Sans via next/font or system stack (no Google Fonts)
- **Email aliases:** sales@bilko.io, privacy@bilko.io (CF Email Routing → alem@alai.no)
- **Privacy contact:** privacy@bilko.io (no DPO appointment per OCD-7)
- **BS regulatory acronyms:** N/A (bilko.io = SR market, ijekavica)

### bilko.cloud (HR market — static landing)
- **Canonical:** https://bilko.cloud/ (NOT bilko.company — BLOCKER-1 must fix)
- **OG tags:** og:title, og:description, og:image, og:url (all correct after BLOCKER-1 fix)
- **Legal pages:** /terms.html, /privacy.html (HR jurisdiction, Croatian law + GDPR + AZOP)
- **Fonts:** Work Sans self-hosted woff2 (latin + latin-ext); National Park pending FlowForge CDN upload (system-ui fallback)
- **Email alias:** sales@bilko.cloud (CF Email Routing → alem@alai.no)
- **Pricing:** EUR currency (HR market)
- **BS regulatory acronyms:** N/A (HR market uses HR terms)

### bilko.company (BA market — static landing)
- **Canonical:** https://bilko.company/ (NOT bilko.cloud — BLOCKER-1 must fix)
- **OG tags:** og:title, og:description, og:image, og:url (all correct after BLOCKER-1 fix)
- **Legal pages:** /terms.html, /privacy.html (BA jurisdiction, ZZPL/AZLP)
- **Fonts:** Work Sans self-hosted woff2 (latin + latin-ext); National Park pending FlowForge CDN upload (system-ui fallback)
- **Email alias:** sales@bilko.company (CF Email Routing → alem@alai.no)
- **Pricing:** KM currency (BA market)
- **BS regulatory acronyms:** UIO (not UST), PDV (not UST prijave), MSFI (not MRS/MSFI), e-faktura lowercase, "Generišite" (not "Generirajte"), no "po BiH standardima"

---

## Operations Checklist — Future Landing Page Changes

**Lessons learned from MC #100173:**

### ✅ DO
1. **Read DEPLOY-MAP.md first** — Domain→CF Pages project mapping is authoritative. landing-ba deploys to bilko.company, landing-hr deploys to bilko.cloud.
2. **Tool-verify canonical URLs before code** — `curl -sI <URL>` to confirm actual deployment target; don't trust file naming conventions alone.
3. **Grep all domain references per file** — `grep -nE "bilko\.(io|cloud|company)" <file>` (the `-E` is required; plain grep does not treat `(io|cloud|company)` as alternation) to catch og:url, JSON-LD @id, contactPoint, font CDN comments.
4. **Per-domain email aliases** — sales@bilko.{io,cloud,company} must ALL be provisioned before a landing page mentions them. Test with `dig MX <domain>` plus a curl probe.
5. **Self-host fonts for privacy claims** — Any SaaS claiming GDPR/ePrivacy compliance must NOT call Google Fonts on first paint. Self-host woff2 or use system stack.
6. **Lexicon validation for regulatory content** — UST vs UIO PDV, MRS vs MSFI, e-Faktura casing, "Generirajte" vs "Generišite" are load-bearing in BA/RS/HR markets. Don't sed-pipeline — dispatch Lexicon.
7. **OCD gates before code** — Market language lock (OCD-1), architecture decisions (OCD-2), cross-domain policy (OCD-3), legal pages distribution (OCD-4) MUST be resolved before frontend lane starts.
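The BLOCKER-1 canonical swap and DO items 1-3 above describe a check that can be automated. This is an added example, not Bilko's own tooling: it parses a landing HTML file, compares the canonical and og:url against the file→domain mapping quoted from DEPLOY-MAP.md, and reports every sibling-domain reference and third-party font host. The `DEPLOY_MAP` dict and the sample HTML are constructed from the page for illustration.

```python
"""Per-domain consistency check for static landing HTML (added example)."""
import re
from html.parser import HTMLParser

# File -> served domain, as quoted from DEPLOY-MAP.md on this page (assumed, not read from the repo).
DEPLOY_MAP = {
    "apps/landing-ba/index.html": "bilko.company",
    "apps/landing-hr/index.html": "bilko.cloud",
}
DOMAIN_RE = re.compile(r"bilko\.(?:io|cloud|company)")
# Hosts that would make the page call a third party on first paint (D-NEW-3 / OCD-6).
BLOCKED_FONT_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com")


class _HeadParser(HTMLParser):
    """Collects <link rel="canonical"> href and <meta property="og:url"> content."""

    def __init__(self):
        super().__init__()
        self.canonical = None
        self.og_url = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() == "canonical":
            self.canonical = a.get("href")
        if tag == "meta" and a.get("property") == "og:url":
            self.og_url = a.get("content")


def check_landing(path, html):
    """Return (line_no, kind, detail) findings; an empty list means the file is consistent."""
    expected = DEPLOY_MAP[path]
    findings = []
    p = _HeadParser()
    p.feed(html)
    if p.canonical is None:
        findings.append((0, "canonical-missing", "no <link rel=canonical>"))
    elif expected not in p.canonical:
        findings.append((0, "canonical-swap", f"{p.canonical} should point at {expected}"))
    if p.og_url and expected not in p.og_url:
        findings.append((0, "og-url-swap", f"{p.og_url} should point at {expected}"))
    # Line scan covers JSON-LD @id/url, contactPoint email and comments, which the
    # parser above does not see. Any sibling domain is reported so the reviewer
    # can confirm it is intentional (ADR-023: each landing is self-contained).
    for n, line in enumerate(html.splitlines(), 1):
        for m in DOMAIN_RE.finditer(line):
            if m.group(0) != expected:
                findings.append((n, "wrong-domain", m.group(0)))
        for host in BLOCKED_FONT_HOSTS:
            if host in line:
                findings.append((n, "third-party-font", host))
    return findings


# Constructed sample reproducing the BLOCKER-1 state of landing-ba (BiH content, served on bilko.company).
SAMPLE_BA_BROKEN = """<html lang="bs"><head>
<link rel="canonical" href="https://bilko.cloud/">
<meta property="og:url" content="https://bilko.cloud/">
<link href="https://fonts.googleapis.com/css2?family=Work+Sans" rel="stylesheet">
<script type="application/ld+json">{"@id":"https://bilko.cloud/#org","contactPoint":{"email":"sales@bilko.cloud"}}</script>
</head></html>"""

if __name__ == "__main__":
    for path in DEPLOY_MAP:  # run against the real files once checked out
        with open(path, encoding="utf-8") as f:
            for line_no, kind, detail in check_landing(path, f.read()):
                print(f"{path}:{line_no}: {kind}: {detail}")
```

Run it from the repo root before the Proveo gate; a clean run prints nothing.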

### ❌ DON'T
1. **Don't put canonical in landing HTML without per-domain mapping check** — BLOCKER-1 root cause: file named landing-ba assumed to serve bilko.cloud (wrong; DEPLOY-MAP says bilko.company).
2. **Don't unify components prematurely** — brad-frost dissent: bilko.io = Next.js+shadcn, bilko.cloud/company = vanilla HTML. Unifying = separate ADR, not UX ticket side effect.
3. **Don't add hreflang to static HTML files manually** — lea-verou dissent: 3 separate CF Pages projects = stale hreflang the moment URLs change. Either move to single Next.js i18n app or defer hreflang entirely.
4. **Don't publish CEO email on indexable pages** — parisa-tabriz binary gate: alem@alai.no as DPO = spam/BEC vector + independence question under GDPR Art. 37(3). Use privacy@ alias.
5. **Don't apply ekavizacija via sed** — dzevad-jahic: refleks jata has 4 positions, so a brute-force s/ije/e/g produces 15-20% wrong words. Must be word-by-word, with Pravopis MS 2010 as the authority.
6. **Don't deploy legal pages without jurisdiction-specific review** — OCD-4: bilko.cloud (HR GDPR+AZOP) ≠ bilko.company (BA ZZPL/AZLP) ≠ bilko.io (RS ZZPL). Each needs own signed legal counsel pass.
7. **Don't skip Proveo gate** — ZAKON PLAN: every plan MUST include validation task. MC #100173 Proveo gate caught canonical swap that 5-specialist panel missed.

---

## Audit Trail

### Forge File
**Path:** `/Users/makinja/system/prompts/forged/100173.md`  
**Forged:** 2026-05-09T18:10:00Z  
**Panelists:** brad-frost (synthesis), devils-advocate, lea-verou, parisa-tabriz, dzevad-jahic  
**Substitutions:** parisa-tabriz + dzevad-jahic in for unavailable anthropic-chief-architect + openai-chief-architect (stronger domain fit: security/legal + linguistic authority)  
**Lines:** 319  
**5 raw disagreements:** brad-frost (B4 switcher + C1 unification + D-NEW-6 brand font), devils-advocate (BLOCK demand), lea-verou (hreflang partial), parisa-tabriz (binary gates), dzevad-jahic (ekavizacija sed rejection)  

### Mehanik Marker
**Path:** `/Users/makinja/system/state/mehanik-markers/100173-cleared.json` (assumed; standard location per Mehanik Phase R1 protocol)  
**Phase:** R1 (pre-dispatch clearance)  
**Ceiling check:** MC scope ≤ CEO items + 2 ✅ (27 deliverables = multi-lane coordination, not single-lane overflow)  
**Infra hallucination check:** CF Email Routing verified operational (dig MX + curl probe) ✅  
**CI health:** N/A (no deploy in this MC, PRs await merge)  

### Proveo Report
**Path:** `/tmp/proveo-100173-report.md`  
**Timestamp:** 2026-05-09T19:03:00Z  
**Agent:** angie-jones (Proveo)  
**Signals:** 27 total → 21 PASS, 2 FAIL (BLOCKER-1 canonical swap + DEFECT-2 hero CTA), 4 PARTIAL/DEFERRED  
**Verdict:** CHANGES REQUIRED  
**Evidence level:** L2+ (grep + file existence + MX dig, no live curl yet — Phase 2 deferred pending merge)  

---

## Deferred Items (Out of Scope)

| Item | Reason | Tracking |
|------|--------|----------|
| National Park + Work Sans woff2 CDN upload | No r2.bilko.io path in repo scope; FlowForge infra lane | TODO comment in both landing HTML files |
| OG image PNG production (1200x630) | SVG placeholder in place; PNG raster asset pending | apps/web/public/og/bilko-og-2026.svg serves as interim |
| D-NEW-4 Privacy Policy legal review | Sub-processor TBD entries + GDPR Policy §7 "LEGAL REVIEW REQUIRED" removal = separate legal MC | Blocks D2/D6/D13 shipping, not blocking code merge |
| Phase 2 live curl validation | PRs not merged; bilko.io still serves old code (/terms 404, /privacy 404) | Post-merge: `curl https://bilko.io/terms` must return 200 |
| Phase 2 Playwright screenshots | Live domain visual regression pending merge | Post-merge: re-capture ~/.playwright-mcp/bilko-{io,cloud,company}-fullpage.png |
| hero.tsx secondary CTA href="#features" | Proveo DEFECT-2 (WARN): bilko.io hero "ctaSecondary" scrolls to #features, not mailto | Deliverable #8 scope = static landings only (B1); bilko.io hero not in scope |

---

## Next Steps (For John)

1. **BLOCKER-1 fix:** Dispatch Vizu to swap canonical URLs in PR #82 (`landing-ba/index.html`: bilko.cloud→bilko.company, `landing-hr/index.html`: bilko.company→bilko.cloud).
2. **Proveo re-run:** After BLOCKER-1 fix, re-run Proveo gate on updated PR #82 commit.
3. **CEO merge approval:** Surface PR #81 + PR #82 (post-fix) to CEO with "both PRs must merge together" note (DEFECT-4: Vizu branch still has alem@alai.no until Securion #81 lands).
4. **Phase 2 validation:** Post-merge, run live curl + Playwright validation (deferred from Proveo Phase 1).
5. **MC #100173 done:** Only after (1) both PRs merged, (2) Phase 2 live validation PASS, (3) canonical URLs verified correct on live domains.
6. **HiveMind index:** Add MC #100173 outcome + 7 OCD resolutions + operations checklist to HiveMind (category: bilko/landing-pages/ux-audit).

---

## References

- **MC #100173:** https://bilko.io (once merged)
- **ADR-023:** Transitional multi-market routing (domain = market switch, no language switcher)
- **ZAKON PI2:** Deploy Verification Protocol (6 hard checks mandatory)
- **ZAKON PLAN:** Every plan MUST include Proveo validation + Skillforge documentation
- **GDPR Art. 37(1):** DPO mandatory triggers (public authority | systematic monitoring at scale | special-category processing at scale)
- **DEPLOY-MAP.md:** `/Users/makinja/business/ALAI-Holding-AS/products/Bilko/DEPLOY-MAP.md` (CF Pages project mapping, Email Routing aliases)
- **BUILD-BLUEPRINT.md:** `/Users/makinja/business/ALAI-Holding-AS/products/Bilko/BUILD-BLUEPRINT.md` (Bilko codebase canonical reference)
- **Bosnian Linguistic Validation:** `~/system/rules/bosnian-linguistic-validation.md` (Lexicon routing, Pravopis standards)
- **BookStack ALAI Legal Pack:** https://docs.alai.no/shelves/ai-services-legal-pack (NDA, DPA, TOMs reference for GDPR compliance)

---

**Page created:** 2026-05-09T21:10:00Z  
**Owner:** Skillforge (D-SKILLFORGE lane, MC #100173)  
**Last updated:** 2026-05-09T21:10:00Z  
**Shelf:** Bilko  
**Tags:** bilko, landing-pages, ux-audit, compliance, gdpr, lexicon, vizu, securion, flowforge, proveo, mc-100173