MC #100173 — Bilko Landing Pages UX Audit & Compliance Fixes (2026-05-09)
Mission Control ID: #100173
Forge Prompt: /Users/makinja/system/prompts/forged/100173.md
Mehanik Clearance: /Users/makinja/system/state/mehanik-markers/100173-cleared.json (Phase R1)
PRs: #81 (Securion) | #82 (Vizu+Lexicon+FlowForge)
Proveo Report: /tmp/proveo-100173-report.md (21/27 PASS, 1 BLOCKER found)
Status: OPEN — Awaiting CEO merge after BLOCKER-1 fix
Scope
Multi-lane compliance and UX audit across three Bilko landing implementations (bilko.io Next.js, bilko.cloud + bilko.company static HTML). 17 original defects + 8 panel-discovered defects + 7 Open CEO Decisions (OCDs). Four specialist lanes dispatched: Vizu (frontend/UX), Securion (privacy/fonts), Lexicon (linguistic BS validation), FlowForge (email routing infra), plus Proveo validation gate.
Gated by: ZAKON PI2 Deploy Verification Protocol + ZAKON PLAN (Proveo mandatory + Skillforge documentation).
27 Deliverables
A-Series: bilko.io (Next.js app) — routing/functional defects
| ID | Description | Status | Evidence |
| --- | --- | --- | --- |
| D1 | /terms route wired in footer | ✅ PASS | PR #82: footer.tsx href changed from '#' to '/terms' |
| D2 | /privacy route wired in footer | ✅ PASS | PR #82: footer.tsx href changed from '#' to '/privacy' |
| D3 | favicon.ico serving | ✅ PASS | PR #82: apps/web/app/icon.svg created (App Router standard) |
| D4 | Demo CTA endpoint | 🟡 PARTIAL | Gated on OCD-5 → sales@bilko.io alias created (PR #82 bf0871a), mailto targets wired |
| D5 | Pricing card placeholder | ✅ PASS | PR #82: "plan ovdje" placeholder removed, replaced with subject line |
| D6 | /gdpr route wired in footer | ✅ PASS | PR #82: footer.tsx href changed from '#' to '/gdpr' |
| D7 | Language/locale lock | 🔒 DEFERRED | OCD-1 resolved: ijekavica retained, no ekavizacija needed. No code change. |
| D8 | generateMetadata for OG/canonical/JSON-LD | ✅ PASS | PR #82: generateMetadata added to apps/web/app/page.tsx (2 refs) + JSON-LD schema |
B-Series: static landings (bilko.cloud + bilko.company) — structural/brand defects
| ID | Description | Status | Evidence |
| --- | --- | --- | --- |
| D9 | Demo CTA anchor | ✅ PASS | PR #82: mailto:sales@bilko.{cloud,company} on both static landings |
| D10 | Cross-domain footer disclosure on bilko.cloud | ✅ PASS | OCD-3 → footer logo href="/" (self-contained per ADR-023), cross-domain link removed |
| D11 | Cross-domain footer disclosure on bilko.company | ✅ PASS | Same as D10, applied to landing-hr |
| D12 | Language switcher decision | 🔒 DEFERRED | OCD-2 → won't-fix per ADR-023 (domain IS the switch). Documented as intentional. |
| D13 | Footer legal links on static landings | ✅ PASS | OCD-4 → each domain gets own legal pages: apps/landing-ba/{terms,privacy}.html + apps/landing-hr/{terms,privacy}.html created |
| D14 | Metadata (OG/canonical/hreflang) on static landings | 🟡 PARTIAL | Canonical + OG tags + JSON-LD added; hreflang deferred per lea-verou dissent (stale risk with 3 separate CF Pages projects) |
C-Series: cross-domain/shared — design system + component defects
| ID | Description | Status | Evidence |
| --- | --- | --- | --- |
| D15 | Component unification decision | 🔒 DEFERRED | OCD-2 → separate ADR required; no unification attempted; packages/ui/ still empty scaffold |
| D16 | OG image asset | 🟡 PARTIAL | SVG placeholder created at apps/web/public/og/bilko-og-2026.svg; PNG upload to r2.bilko.io pending FlowForge |
| D17 | Regulatory terminology audit | ✅ PASS | Lexicon BS pass (D-NEW-9): UST→UIO PDV, MRS/MSFI→MSFI only, e-Faktura→e-faktura lowercase, "Generirajte"→"Generišite", "po BiH standardima" removed |
NEW DEFECTS (panel-discovered)
| ID | Description | Status | Evidence |
| --- | --- | --- | --- |
| D-NEW-1 | footer.tsx legal links href:'#' | ✅ PASS | Same as D1/D2/D6; 8 unguarded href:'#' remain on product/country links (no inline TODO) — flagged as Proveo PARTIAL but non-blocking |
| D-NEW-2 | DPO contact alem@alai.no → privacy@bilko.io | ✅ PASS (PR #81) | Securion: apps/web/app/(legal)/privacy/page.tsx lines 131+675 changed to privacy@bilko.io; GDPR Art. 37(1) clause added (DPO not required) |
| D-NEW-3 | Cookie consent + Google Fonts self-hosting | ✅ PASS (PR #81) | Securion: fonts.googleapis.com removed from landing-ba + landing-hr; Work Sans woff2 (latin + latin-ext) self-hosted at apps/landing-{ba,hr}/fonts/ |
| D-NEW-4 | Privacy Policy legal review completion | 🔒 GATE | NOT a code deliverable; blocks D2/D6/D13 until sub-processor TBD entries filled + GDPR Policy §7 "LEGAL REVIEW REQUIRED" removed. Out of MC #100173 scope. |
| D-NEW-5 | Broken links in TOS (bilko.io/dpa, bilko.io/docs) | ✅ PASS | PR #82: dead references removed from apps/web/app/(legal)/terms/page.tsx |
| D-NEW-6 | National Park heading font on static landings | 🟡 PARTIAL | PR #82: National Park CSS variable + @font-face declarations added; woff2 assets pending FlowForge CDN upload (TODO comment left) |
| D-NEW-7 | Next.js App Router favicon placement | ✅ PASS | Same as D3; public/favicon.svg deleted, apps/web/app/icon.svg canonical |
| D-NEW-8 | generateMetadata locale-aware on landing layout | ✅ PASS | Same as D8; explicitly NOT in root app/layout.tsx (BUG-014 constraint) |
| D-NEW-9 | Lexicon BS regulatory terminology | ✅ PASS | PR #82: UST→UIO PDV (BA only), MRS/MSFI→MSFI, e-Faktura→e-faktura, "Generirajte"→"Generišite", "po BiH standardima" removed |
MANDATORY (ZAKON PLAN)
| ID | Description | Status | Evidence |
| --- | --- | --- | --- |
| D-PROVEO | Proveo end-to-end validation | 🟡 PARTIAL | 21/27 signals PASS, 1 BLOCKER (canonical URL swap), 2 deferred (National Park woff2, Phase 2 live curl) |
| D-SKILLFORGE | BookStack documentation | ✅ IN PROGRESS | This page |
7 OCD Resolutions (CEO directive 2026-05-09 19:55)
CEO instruction: "Don't escalate decisions where expert/research path exists." All OCDs closed via panel evidence + GDPR Art. 37 research + ADR-023.
| OCD | Question | Resolution |
| --- | --- | --- |
| OCD-1 | Market language lock (sr-Latn ekavica vs BS ijekavica) | Ijekavica retained. SR is bi-standard (ekavica + ijekavica; RS + diaspora ijekavica valid). dzevad-jahic "ekavica only" position overruled. Keep defaultLocale='sr-Latn' and ijekavica copy. Drop D7 ekavizacija. Retain pravopis/spelling pass (D-NEW-9 UST fix). |
| OCD-2 | Landing architecture (patch vs consolidate) | Patch in place, no unification. Component-lib unification = separate ADR, not this MC scope. brad-frost dissent honored. |
| OCD-3 | Cross-domain footer policy | Drop cross-domain link. Per ADR-023 each domain owns its market. Footer logo href="/" on bilko.cloud + bilko.company (self-contained). |
| OCD-4 | Legal pages distribution | Each domain hosts own legal pages. bilko.io = existing Next.js routes. landing-hr + landing-ba get static /terms.html + /privacy.html (HR + BA jurisdiction). |
| OCD-5 | Demo CTA endpoint | sales@bilko.{io,cloud,company} aliases. CF Email Routing created (PR #82 bf0871a). Mailto targets wired. No form backend in this MC. |
| OCD-6 | Cookie consent vendor | Self-host Google Fonts. Eliminates ePrivacy/AZOP third-party transfer trigger. Cookie banner deferred until analytics added (currently none). |
| OCD-7 | DPO function | No DPO appointment. Per GDPR Art. 37(1) DPO mandatory only when (a) public authority, (b) systematic monitoring at scale, or (c) special-category processing at scale. Bilko (0 paying customers) meets none. Replace "DPO" with "Privacy contact: privacy@bilko.io". Add explicit Art. 37(1) clause. privacy@ alias forwards to CEO. |
PRs & Commits
PR #81 (Securion lane — Privacy + Fonts)
Branch: fix/100173-securion-privacy-fonts
URL: https://github.com/johnatbasicas/bilko/pull/81
Status: OPEN (ready for merge)
Changes:
D-NEW-2: alem@alai.no removed from privacy/page.tsx → privacy@bilko.io (11 occurrences)
D-NEW-2: GDPR Art. 37(1) clause added (DPO not required, reassessed annually)
D-NEW-3: Google Fonts removed from landing-ba + landing-hr
D-NEW-3: Work Sans woff2 (latin + latin-ext) self-hosted at apps/landing-{ba,hr}/fonts/ (4 files, 168KB total)
Acceptance signals:
grep -c "alem@alai.no" 'apps/web/app/(legal)/privacy/page.tsx' → 0 ✅
grep -c "privacy@bilko.io" 'apps/web/app/(legal)/privacy/page.tsx' → 11 ✅
grep -c "fonts.googleapis.com" apps/landing-ba/index.html → 0 ✅
grep -c "fonts.googleapis.com" apps/landing-hr/index.html → 0 ✅
PR #82 (Vizu + Lexicon + FlowForge lanes)
Branch: fix/100173-vizu-bilko-landings
URL: https://github.com/johnatbasicas/bilko/pull/82
Status: OPEN — BLOCKER-1 MUST BE FIXED BEFORE MERGE (canonical URL swap)
Commits:
e51b387 — static-landings/b-series: footer, OG, canonical, pricing, FAQ, screenshot, National Park, legal pages (OCD-4/6/3) + Lexicon D-NEW-9
3066a4d — web/a-series: wire legal footer links, favicon, OG metadata, broken TOS links
bf0871a — infra(email): provision CF Email Routing aliases for bilko.{io,cloud,company}
Changes:
A-series: bilko.io footer legal links, favicon, generateMetadata, sales@ aliases
B-series: static landing pricing, FAQ, OG tags, canonical, legal pages, Lexicon BS fixes
FlowForge: CF Email Routing aliases (4 aliases: sales@bilko.{io,cloud,company}, privacy@bilko.io)
Acceptance signals:
21/27 Proveo signals PASS ✅
1 BLOCKER (canonical URL swap) 🚨
2 PARTIAL (National Park woff2 deferred, 8 unguarded href:'#') 🟡
Proveo Gate — 1 BLOCKER Found
Report: /tmp/proveo-100173-report.md
Run: 2026-05-09T19:03:00Z
Verdict: CHANGES REQUIRED
BLOCKER-1 (SEO): Canonical URL Swap
File: apps/landing-ba/index.html (BiH content, lang=bs)
Current canonical: https://bilko.cloud/ ❌ WRONG — should be https://bilko.company/
File: apps/landing-hr/index.html (HR content, lang=hr)
Current canonical: https://bilko.company/ ❌ WRONG — should be https://bilko.cloud/
Impact: Both domains will canonicalize to the OTHER domain. Google will index wrong canonical. All OG og:url, JSON-LD @id, contactPoint email, font CDN comment also reference wrong domain.
Fix owner: Vizu (same PR #82, same branch)
Fix scope: landing-ba/index.html: all "bilko.cloud" → "bilko.company" | landing-hr/index.html: all "bilko.company" → "bilko.cloud"
Affected tags: , , , JSON-LD @id , JSON-LD url , JSON-LD contactPoint.email , font CDN comment
CEO merge: Blocked until this fix lands on PR #82.
Post-Fix Expectations (Per Domain)
bilko.io (Next.js app)
Canonical: bilko.io landing = Next.js app; /terms, /privacy, /gdpr routes 200
OG image: r2.bilko.io/og/bilko-og-2026.png (pending FlowForge upload)
Fonts: Work Sans via next/font or system stack (no Google Fonts)
Email aliases: sales@bilko.io, privacy@bilko.io (CF Email Routing → alem@alai.no)
Privacy contact: privacy@bilko.io (no DPO appointment per OCD-7)
BS regulatory acronyms: N/A (bilko.io = SR market, ijekavica)
bilko.cloud (HR market — static landing)
Canonical: https://bilko.cloud/ (NOT bilko.company — BLOCKER-1 must fix)
OG tags: og:title, og:description, og:image, og:url (all correct after BLOCKER-1 fix)
Legal pages: /terms.html, /privacy.html (HR jurisdiction, Croatian law + GDPR + AZOP)
Fonts: Work Sans self-hosted woff2 (latin + latin-ext); National Park pending FlowForge CDN upload (system-ui fallback)
Email alias: sales@bilko.cloud (CF Email Routing → alem@alai.no)
Pricing: EUR currency (HR market)
BS regulatory acronyms: N/A (HR market uses HR terms)
bilko.company (BA market — static landing)
Canonical: https://bilko.company/ (NOT bilko.cloud — BLOCKER-1 must fix)
OG tags: og:title, og:description, og:image, og:url (all correct after BLOCKER-1 fix)
Legal pages: /terms.html, /privacy.html (BA jurisdiction, ZZPL/AZLP)
Fonts: Work Sans self-hosted woff2 (latin + latin-ext); National Park pending FlowForge CDN upload (system-ui fallback)
Email alias: sales@bilko.company (CF Email Routing → alem@alai.no)
Pricing: KM currency (BA market)
BS regulatory acronyms: UIO (not UST), PDV (not UST prijave), MSFI (not MRS/MSFI), e-faktura lowercase, "Generišite" (not "Generirajte"), no "po BiH standardima"
Operations Checklist — Future Landing Page Changes
Lessons learned from MC #100173:
✅ DO
Read DEPLOY-MAP.md first — Domain→CF Pages project mapping is authoritative. landing-ba deploys to bilko.company, landing-hr deploys to bilko.cloud.
Tool-verify canonical URLs before code — curl -sI to confirm actual deployment target; don't trust file naming conventions alone.
Grep all domain references per file — grep -nE "bilko\.(io|cloud|company)" to catch og:url, JSON-LD @id, contactPoint, font CDN comments.
Per-domain email aliases — sales@bilko.{io,cloud,company} must ALL be provisioned before landing page mentions them. Test with dig MX + curl probe.
Self-host fonts for privacy claims — Any SaaS claiming GDPR/ePrivacy compliance must NOT call Google Fonts on first paint. Self-host woff2 or use system stack.
Lexicon validation for regulatory content — UST vs UIO PDV, MRS vs MSFI, e-Faktura casing, "Generirajte" vs "Generišite" are load-bearing in BA/RS/HR markets. Don't sed-pipeline — dispatch Lexicon.
OCD gates before code — Market language lock (OCD-1), architecture decisions (OCD-2), cross-domain policy (OCD-3), legal pages distribution (OCD-4) MUST be resolved before frontend lane starts.
❌ DON'T
Don't put canonical in landing HTML without per-domain mapping check — BLOCKER-1 root cause: file named landing-ba assumed to serve bilko.cloud (wrong; DEPLOY-MAP says bilko.company).
Don't unify components prematurely — brad-frost dissent: bilko.io = Next.js+shadcn, bilko.cloud/company = vanilla HTML. Unifying = separate ADR, not UX ticket side effect.
Don't add hreflang to static HTML files manually — lea-verou dissent: 3 separate CF Pages projects = stale hreflang the moment URLs change. Either move to single Next.js i18n app or defer hreflang entirely.
Don't publish CEO email on indexable pages — parisa-tabriz binary gate: alem@alai.no as DPO = spam/BEC vector + independence question under GDPR Art. 37(3). Use privacy@ alias.
Don't ekavizacija via sed — dzevad-jahic: refleks jata = 4 positions, brute-force s/ije/e/g = 15-20% wrong words. Must be word-by-word, Pravopis MS 2010 authority.
Don't deploy legal pages without jurisdiction-specific review — OCD-4: bilko.cloud (HR GDPR+AZOP) ≠ bilko.company (BA ZZPL/AZLP) ≠ bilko.io (RS ZZPL). Each needs own signed legal counsel pass.
Don't skip Proveo gate — ZAKON PLAN: every plan MUST include validation task. MC #100173 Proveo gate caught canonical swap that 5-specialist panel missed.
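The per-domain mapping check from this checklist and from BLOCKER-1, as an added example (not code from the Bilko repo or the Proveo gate). It parses a static landing and reports every canonical, og:url, JSON-LD string or HTML comment that names a Bilko domain other than the one the app deploys to, plus the two references the acceptance signals require to be absent. The names audit_landing, Refs and SAMPLE_BA are hypothetical; the deploy mapping and grep pattern are the ones stated on this page.

```python
import json
import re
from html.parser import HTMLParser

# From the page: landing-ba deploys to bilko.company, landing-hr to bilko.cloud.
DEPLOY_MAP = {"landing-ba": "bilko.company", "landing-hr": "bilko.cloud"}
DOMAIN = re.compile(r"bilko\.(?:io|cloud|company)\b")  # the checklist's grep pattern
FORBIDDEN = ("fonts.googleapis.com", "alem@alai.no")   # the page's "grep -c → 0" signals

class Refs(HTMLParser):
    """Collect (label, text) for each place BLOCKER-1 says a domain can hide."""
    def __init__(self):
        super().__init__()
        self.refs, self.jsonld = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") == "canonical":
            self.refs.append(("canonical", a.get("href") or ""))
        elif tag == "meta" and a.get("property") == "og:url":
            self.refs.append(("og:url", a.get("content") or ""))
        elif tag == "script" and a.get("type") == "application/ld+json":
            self.jsonld = []          # start buffering the JSON-LD body
    def handle_data(self, data):
        if self.jsonld is not None:
            self.jsonld.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self.jsonld is not None:
            self.walk("JSON-LD", json.loads("".join(self.jsonld)))
            self.jsonld = None
    def handle_comment(self, data):
        self.refs.append(("comment", data))
    def walk(self, path, node):
        if isinstance(node, str):     # every string leaf is a candidate reference
            self.refs.append((path, node))
        pairs = node.items() if isinstance(node, dict) else enumerate(node) if isinstance(node, list) else ()
        for key, value in pairs:
            self.walk(f"{path} {key}", value)

def audit_landing(app, html):
    """Return findings for one static landing; an empty list means clean."""
    expected, parser = DEPLOY_MAP[app], Refs()
    parser.feed(html)
    parser.close()
    found = [f"{label}: {m.group(0)} (expected {expected})"
             for label, text in parser.refs
             for m in DOMAIN.finditer(text) if m.group(0) != expected]
    return found + [f"forbidden reference: {s}" for s in FORBIDDEN if s in html]

# Constructed sample reproducing BLOCKER-1: BiH content pointing at the HR domain.
SAMPLE_BA = """<html lang="bs"><head>
<link rel="canonical" href="https://bilko.cloud/"><meta property="og:url" content="https://bilko.cloud/">
<script type="application/ld+json">{"@id": "https://bilko.cloud/#org",
 "url": "https://bilko.company/", "contactPoint": {"email": "sales@bilko.cloud"}}</script>
<!-- font CDN TODO for bilko.cloud --></head><body><a href="mailto:sales@bilko.company">Demo</a></body></html>"""
```

Running audit_landing("landing-ba", SAMPLE_BA) lists the canonical, og:url, JSON-LD @id, contactPoint email and comment references that still point at bilko.cloud, while the already-correct JSON-LD url is not reported.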
Audit Trail
Forge File
Path: /Users/makinja/system/prompts/forged/100173.md
Forged: 2026-05-09T18:10:00Z
Panelists: brad-frost (synthesis), devils-advocate, lea-verou, parisa-tabriz, dzevad-jahic
Substitutions: parisa-tabriz + dzevad-jahic in for unavailable anthropic-chief-architect + openai-chief-architect (stronger domain fit: security/legal + linguistic authority)
Lines: 319
5 raw disagreements: brad-frost (B4 switcher + C1 unification + D-NEW-6 brand font), devils-advocate (BLOCK demand), lea-verou (hreflang partial), parisa-tabriz (binary gates), dzevad-jahic (ekavizacija sed rejection)
Mehanik Marker
Path: /Users/makinja/system/state/mehanik-markers/100173-cleared.json (assumed; standard location per Mehanik Phase R1 protocol)
Phase: R1 (pre-dispatch clearance)
Ceiling check: MC scope ≤ CEO items + 2 ✅ (27 deliverables = multi-lane coordination, not single-lane overflow)
Infra hallucination check: CF Email Routing verified operational (dig MX + curl probe) ✅
CI health: N/A (no deploy in this MC, PRs await merge)
Proveo Report
Path: /tmp/proveo-100173-report.md
Timestamp: 2026-05-09T19:03:00Z
Agent: angie-jones (Proveo)
Signals: 27 total → 21 PASS, 2 FAIL (BLOCKER-1 canonical swap + DEFECT-2 hero CTA), 4 PARTIAL/DEFERRED
Verdict: CHANGES REQUIRED
Evidence level: L2+ (grep + file existence + MX dig, no live curl yet — Phase 2 deferred pending merge)
Deferred Items (Out of Scope)
| Item | Reason | Tracking |
| --- | --- | --- |
| National Park + Work Sans woff2 CDN upload | No r2.bilko.io path in repo scope; FlowForge infra lane | TODO comment in both landing HTML files |
| OG image PNG production (1200x630) | SVG placeholder in place; PNG raster asset pending | apps/web/public/og/bilko-og-2026.svg serves as interim |
| D-NEW-4 Privacy Policy legal review | Sub-processor TBD entries + GDPR Policy §7 "LEGAL REVIEW REQUIRED" removal = separate legal MC | Blocks D2/D6/D13 shipping, not blocking code merge |
| Phase 2 live curl validation | PRs not merged; bilko.io still serves old code (/terms 404, /privacy 404) | Post-merge: curl https://bilko.io/terms must return 200 |
| Phase 2 Playwright screenshots | Live domain visual regression pending merge | Post-merge: re-capture ~/.playwright-mcp/bilko-{io,cloud,company}-fullpage.png |
| hero.tsx secondary CTA href="#features" | Proveo DEFECT-2 (WARN): bilko.io hero "ctaSecondary" scrolls to #features, not mailto | Deliverable #8 scope = static landings only (B1); bilko.io hero not in scope |
Next Steps (For John)
BLOCKER-1 fix: Dispatch Vizu to swap canonical URLs in PR #82 (landing-ba/index.html: bilko.cloud→bilko.company, landing-hr/index.html: bilko.company→bilko.cloud).
Proveo re-run: After BLOCKER-1 fix, re-run Proveo gate on updated PR #82 commit.
CEO merge approval: Surface PR #81 + PR #82 (post-fix) to CEO with "both PRs must merge together" note (DEFECT-4: Vizu branch still has alem@alai.no until Securion #81 lands).
Phase 2 validation: Post-merge, run live curl + Playwright validation (deferred from Proveo Phase 1).
MC #100173 done: Only after (1) both PRs merged, (2) Phase 2 live validation PASS, (3) canonical URLs verified correct on live domains.
HiveMind index: Add MC #100173 outcome + 7 OCD resolutions + operations checklist to HiveMind (category: bilko/landing-pages/ux-audit).
References
MC #100173: https://bilko.io (once merged)
ADR-023: Transitional multi-market routing (domain = market switch, no language switcher)
ZAKON PI2: Deploy Verification Protocol (6 hard checks mandatory)
ZAKON PLAN: Every plan MUST include Proveo validation + Skillforge documentation
GDPR Art. 37(1): DPO mandatory triggers (public authority | systematic monitoring at scale | special-category processing at scale)
DEPLOY-MAP.md: /Users/makinja/business/ALAI-Holding-AS/products/Bilko/DEPLOY-MAP.md (CF Pages project mapping, Email Routing aliases)
BUILD-BLUEPRINT.md: /Users/makinja/business/ALAI-Holding-AS/products/Bilko/BUILD-BLUEPRINT.md (Bilko codebase canonical reference)
Bosnian Linguistic Validation: ~/system/rules/bosnian-linguistic-validation.md (Lexicon routing, Pravopis standards)
BookStack ALAI Legal Pack: https://docs.alai.no/shelves/ai-services-legal-pack (NDA, DPA, TOMs reference for GDPR compliance)
Page created: 2026-05-09T21:10:00Z
Owner: Skillforge (D-SKILLFORGE lane, MC #100173)
Last updated: 2026-05-09T21:10:00Z
Shelf: Bilko
Tags: bilko, landing-pages, ux-audit, compliance, gdpr, lexicon, vizu, securion, flowforge, proveo, mc-100173