This was, by some measure, the most productive week of the year so far. Two long-running engineering arcs converged in the same seven days — the comprehensive build of our new company website on Azure crossed into feature-complete, and a major enterprise e-commerce client engagement entered its production cutover. Forty-nine items shipped to Done across three projects.

The headline activity was the company website rebuild — a move away from a managed WordPress estate towards a stack we control end-to-end. The architecture: Azure Static Web Apps (Free tier, North Europe) for the static side, paired with a bundled .NET 8 isolated-worker Azure Functions backend, fronted by Cloudflare Turnstile for bot protection and Resend for transactional email. Repository layout, branch protection, GitHub Actions deployment workflow, and the staticwebapp.config.json — carrying the full route table, security headers, and a tight Content Security Policy with reporting endpoint enabled — all landed in the first half of the week.

On the backend, three Azure Functions went in to spec. A ContactFunction implementing the full validation chain — size limits → JSON shape → schema → honeypot → in-memory per-IP rate limiting → Turnstile verification → Resend send. A CspReportFunction to capture browser CSP violation reports as a piece of operational observability. And a HealthFunction returning a BUILD_VERSION value injected at deploy time, so post-merge smoke tests resolve to a meaningful version rather than a placeholder. Input hardening went in across all three — 32 KB request limits, JsonSerializerOptions with MaxDepth=8 and UnmappedMemberHandling=Disallow, strict content-type checks, ten-second HttpClient timeouts. Submission audit logs persist to Azure Table Storage with automated 12-month deletion — retention without manual housekeeping. Application Insights is wired up with a 5xx alert rule on /api/contact, routed off-domain.
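The first stages of that chain (size limit, content type, strict JSON binding, required fields, honeypot) can be sketched as follows. This is an added example, not the site's own code: the `ContactRequest` shape, the `Website` honeypot field name and the `ContactGate` class are assumptions made for illustration.

```csharp
using System;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;

// Hypothetical DTO; "Website" is the honeypot field a human visitor never fills in.
public sealed record ContactRequest(string? Name, string? Email, string? Message, string? Website);

public static class ContactGate
{
    private const int MaxBodyBytes = 32 * 1024; // the 32 KB request limit

    private static readonly JsonSerializerOptions Strict = new()
    {
        MaxDepth = 8,
        PropertyNameCaseInsensitive = true,
        UnmappedMemberHandling = JsonUnmappedMemberHandling.Disallow
    };

    // Returns null when the request may proceed, otherwise the stage that rejected it.
    public static string? Check(string? contentType, byte[] body)
    {
        if (body.Length == 0 || body.Length > MaxBodyBytes) return "size";
        if (!MediaTypeHeaderValue.TryParse(contentType, out var mt) ||
            !string.Equals(mt.MediaType, "application/json", StringComparison.OrdinalIgnoreCase))
            return "content-type";

        ContactRequest? req;
        try { req = JsonSerializer.Deserialize<ContactRequest>(body, Strict); }
        catch (JsonException) { return "json"; } // malformed, nested too deep, or unknown member

        if (req is null || string.IsNullOrWhiteSpace(req.Name) ||
            string.IsNullOrWhiteSpace(req.Email) || string.IsNullOrWhiteSpace(req.Message))
            return "schema";
        if (!string.IsNullOrEmpty(req.Website)) return "honeypot";
        return null; // rate limiting, Turnstile verification and the send follow from here
    }

    public static void Main()
    {
        // Constructed sample bodies: accepted, unknown member, honeypot filled, missing fields.
        string ok = "{\"name\":\"A\",\"email\":\"a@example.com\",\"message\":\"hi\"}";
        string[] bodies =
        {
            ok,
            "{\"name\":\"A\",\"email\":\"a@example.com\",\"message\":\"hi\",\"isAdmin\":true}",
            "{\"name\":\"A\",\"email\":\"a@example.com\",\"message\":\"hi\",\"website\":\"http://spam.example\"}",
            "{\"name\":\"A\"}"
        };
        foreach (var b in bodies)
            Console.WriteLine(Check("application/json; charset=utf-8", Encoding.UTF8.GetBytes(b)) ?? "accepted");
        Console.WriteLine(Check("text/plain", Encoding.UTF8.GetBytes(ok)) ?? "accepted");
    }
}
```

Running the cheap, local checks before any outbound call means a malformed or automated submission is rejected without spending a Turnstile or Resend request on it.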

Local development secrets were moved off project-tree files entirely, onto dotnet user-secrets, which are stored outside the repository and outside the working tree, out of reach of casual editor previews, screen-shares, and AI-assistant context windows. A small but pointed piece of defence in depth.

On the frontend: client-side journal filtering, the Turnstile widget on the contact page (loaded only on that page, so the home page stays at zero third-party fetches), the contact form submit handler with proper ARIA live regions and focus management, and the full statutory page set — privacy notice, accessibility statement, and Companies Act 2006 footer disclosures (full registered company name, Companies House number, registered office address, ICO registration, VAT number). Page metadata, OG images, favicons, web app manifest, robots.txt, and sitemap.xml all in place. Geist is self-hosted to remove the Google Fonts third-party fetch entirely.

Email deliverability turned out to be the quietly satisfying piece. We added the company domain to Resend, merged the Resend SPF include into the existing M365 SPF record at the DNS level (a single record, two include: directives — because RFC 7208 forbids multiple SPF records on the same name, and getting that merge wrong is exactly the kind of mistake that breaks outbound mail for weeks before anyone notices), added the DKIM CNAME and DMARC TXT records, and verified domain ownership in Resend so we can send from noreply@thecodeabides.co.uk in production. M365 outbound DKIM signing was verified end-to-end alongside.
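A pre-change check for that SPF merge, as an added example rather than tooling from this project: given the TXT strings published at one name, it flags multiple SPF records, a missing include, and a record whose own terms exceed the RFC 7208 limit of 10 DNS-querying terms. The `SpfMergeCheck` class is hypothetical, and `spf.resend.example` is a placeholder for whatever include target Resend specifies.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class SpfMergeCheck
{
    private static readonly string[] LookupTerms = { "include", "a", "mx", "ptr", "exists", "redirect" };

    // Returns the problems found in the TXT records published at one DNS name.
    public static List<string> Check(IEnumerable<string> txtRecords, params string[] requiredIncludes)
    {
        var problems = new List<string>();
        var spf = txtRecords.Select(r => r.Trim())
            .Where(r => r.Equals("v=spf1", StringComparison.OrdinalIgnoreCase) ||
                        r.StartsWith("v=spf1 ", StringComparison.OrdinalIgnoreCase))
            .ToList();
        if (spf.Count == 0) problems.Add("no SPF record published");
        if (spf.Count > 1) problems.Add($"{spf.Count} SPF records on one name: receivers return permerror");

        foreach (var record in spf)
        {
            // Drop the version tag and any qualifier (+ - ~ ?) in front of each term.
            var terms = record.Split(' ', StringSplitOptions.RemoveEmptyEntries).Skip(1)
                .Select(t => t.TrimStart('+', '-', '~', '?').ToLowerInvariant()).ToList();
            var includes = terms.Where(t => t.StartsWith("include:")).Select(t => t[8..]).ToHashSet();
            foreach (var need in requiredIncludes)
                if (!includes.Contains(need.ToLowerInvariant()))
                    problems.Add($"include:{need} missing from \"{record}\"");
            // Counts only this record's own terms; lookups inside included records add to the total.
            int lookups = terms.Count(t => LookupTerms.Contains(t.Split(':', '/', '=')[0]));
            if (lookups > 10) problems.Add($"{lookups} DNS-querying terms in \"{record}\" (limit is 10)");
        }
        return problems;
    }

    public static void Main()
    {
        // Constructed records: the broken two-record layout, then the merged single record.
        string[] need = { "spf.protection.outlook.com", "spf.resend.example" };
        string[] split = { "v=spf1 include:spf.protection.outlook.com -all", "v=spf1 include:spf.resend.example -all" };
        string[] merged = { "v=spf1 include:spf.protection.outlook.com include:spf.resend.example -all", "unrelated-verification=abc" };
        foreach (var set in new[] { split, merged })
            Console.WriteLine(string.Join("; ", Check(set, need).DefaultIfEmpty("ok")));
    }
}
```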

— On a productive week —

Two long-running arcs, converging in a single week — and dependency hygiene, statutory compliance, observability, and email deliverability all held to the same standard.

The compliance side received the same care. A Record of Processing Activities document was drafted for UK GDPR Article 30, alongside a DPIA-screening decision, a Legitimate Interests Assessment covering Cloudflare Turnstile, and a Transfer Risk Assessment for the US data transfers via Resend and Cloudflare. Engineering excellence and legal compliance, both treated with the same rigour. Phase 4 — Resend custom domain verification — closed out as a complete epic milestone, marking real progress towards launch.

Alongside the website build, the enterprise e-commerce client engagement reached its production cutover threshold. Earlier in the week we completed the remaining npm package upgrades on the GCP-hosted services — finishing the multi-service dependency-hygiene programme that started the previous sprint — then ran a full cutover dry-run, and kicked off the live cutover itself before the week was out. The kind of high-stakes, carefully choreographed deployment work that distinguishes proper engineering from hope-for-the-best release management.

For one of our retained clients, two further small enhancements landed: a title designation field on a registration form, and another web-form data cleanup pass — polishing public-facing surface area without ever needing to ship anything dramatic.

Looking ahead, the cutover of our own website is the remaining piece. The cutover ticket itself, lowering DNS TTLs to give us a tight rollback window, adding the custom domain to the SWA resource to capture the validation target, and the GoDaddy domain-ownership hardening pre-flight are all queued. Then a 7-day live observation window before decommissioning the old IONOS hosting. Functional and accessibility audits — manual keyboard and screen-reader testing, Lighthouse, axe DevTools, WAVE — are queued, along with security-headers grading, performance testing, and a final pre-cutover sanity check on the deployed Application Settings. Then Phase 7 itself: the DNS cutover.

Forty-nine items to Done. Two major projects driving towards production. A new company website that is properly engineered, statutorily compliant, and observability-instrumented from day one — and a major client engagement well into its own production cutover alongside. Not a bad bookmark for one week of practice.