# 07B Compliance / Policy Pre-launch Recheck — Subnautica2Maps Clean Rerun

> Date: 2026-05-20
> Task: t_1c11ff7d
> Reviewer: 墨盾 ⚖️
> Project: subnautica2maps
> Keyword: subnautica 2 map
> Target market: US/en
> Production URL checked: https://subnautica2maps.com
> Source commit checked: a25cd5953d5bb9c10f0870044e76f9abdb888aa0
> Legal note: This is a practical product compliance and risk-control review, not formal legal advice. For final trademark, copyright, privacy, or dispute-risk decisions, consult a licensed attorney.

## 1. Verdict first

Verdict: BLOCK_FOR_PUBLIC_LAUNCH / audit delivered.

The site already has a basic fan-made/no-affiliation notice, Privacy, Terms, Legal/DMCA, Contact, Cookie Policy, a source/confidence direction, and an analytics raw-coordinate guard. It can continue as an internal preview / limited review.

However, proceeding to formal public launch / GSC submission / cold-start distribution is not recommended now. The unresolved P0 items are:

1. The formal domain is already `subnautica2maps.com`, but footer/legal/contact still use `hello@subnautica2maps.pages.dev` and `support@subnautica2maps.pages.dev`, and `dig MX subnautica2maps.com` returns no MX record; the formal-domain email P0 is not met.
2. sitemap.xml and robots.txt still point to `https://subnautica2maps.pages.dev/...` rather than the formal domain; this misdirects indexing weight and the canonical host of the legal pages.
3. Privacy / Terms content is too thin, lacking basic clauses such as the operating entity, a usable contact email, data retention periods, user rights / deletion requests, a complete list of third-party services, and age restrictions.
4. `/resources/*` and `/biomes/*` live pages return 200 but show a default title plus `noindex`, while the sitemap also lists these URLs; this is a launch-gate conflict ("sitemap lists noindex/thin routes").
5. Trademark/domain residual risk remains high: `subnautica2maps.com` contains the full Subnautica mark. The no-affiliation notice is in place, but the formal-domain email, the legal-page operating entity, and the sitemap/canonical host must be unified before public submission is appropriate.

## 2. Inputs read / clean rerun boundary

Only this round's clean rerun parent artifacts were read; the old PRD, old design, old seed data, old dist, and old repo were not read:

- PRD v1: `/root/.hermes/kanban/boards/site-factory/workspaces/t_43537dda/reports/site-pipeline/site-rerun-subnautica2maps-20260520-clean/subnautica2maps/03-prd-v1.md`
- 02B compliance: `/root/.hermes/kanban/boards/site-factory/workspaces/t_f461f687/reports/site-pipeline/site-rerun-subnautica2maps-20260520-clean/subnautica2maps/02b-compliance.md`
- 05A frontend handoff: `/root/.hermes/reports/site-pipeline/site-rerun-subnautica2maps-20260520-clean/subnautica2maps/05a-public-reference-frontend.md`
- Repo inspected: `/root/projects/subnautica2maps`
- Live checked: `https://subnautica2maps.com/`, `/map/`, `/privacy/`, `/terms/`, `/legal/`, `/contact/`, `/cookie-policy/`, `/refund-policy`, `/sitemap.xml`, `/robots.txt`, `/api/events`, `/api/health`

## 3. skill_contract_check

| Contract item | Required input | Required output | Hard constraint | Acceptance item | Evidence |
|---|---|---|---|---|---|
| PRD / parent artifact review | PRD v1, 02B, 05A metadata | Final compliance recheck | Use only clean rerun artifacts | Parent gates reflected | Read paths listed in section 2 |
| Production legal page scan | Production URL and legal routes | Privacy/Terms/Legal/Contact/Cookie status | Legal pages must be accessible from footer | `/privacy`, `/terms`, `/legal`, `/contact`, `/cookie-policy` return 200 and footer links exist | curl 200 for all five; footer links found |
| Footer legal disclosure | Live footer | No-affiliation / trademark risk status | Full no-affiliation visible sitewide | Footer includes fan-made/no-affiliation and policy links | Live footer text: “not affiliated with, endorsed by, sponsored by, or approved...” |
| Cookie / analytics disclosure | Live HTML, headers, cookie scan, analytics code | Cookie banner decision | PP/Cookie must match actual stack | No Set-Cookie, no GA/Clarity/ads observed; /api/events disclosed | `curl -I` no Set-Cookie; only first-party scripts observed |
| Analytics privacy | `/api/events`, worker code | P0 event and raw-coordinate check | Do not send/store raw current coordinates | All required event names accepted; raw coordinate props rejected | `/api/events` accepted 13 required events; rejected `{x,y,z,coordinates}` with `disallowed_property` |
| Fan-made / IP boundary | Live pages + source code | IP/trademark risk rating | No official/approved/partner/certified/endorsed as official claim | No official-looking logo; favicon is self-made SVG; disclaimers visible | `public/assets/icon.svg` is generic compass/grid; live disclaimers present |
| Asset/content inventory | Data manifest, visible marker pages | Public-reference data posture | No official/competitor asset copy; source attribution required | Dataset shows source URLs, source/confidence/index policy fields | `public/data/manifest.json`, `markers.public.v20260520.json`, map visible source labels |
| Index/noindex+sitemap policy | sitemap, robots, live pages | SEO/legal gate status | No thin/noindex pages in sitemap; canonical should match production domain | Not passed | sitemap and robots point to pages.dev; resources/biomes return noindex while listed in sitemap |
| Domain/Cloudflare/email P0 | DNS/header checks | Domain readiness status | Formal domain must have hello@/support@ and CF posture evidence | Not passed | `dig +short MX subnautica2maps.com` returned empty; headers show CSP/security, but no MX evidence |
| Refund/payment | PRD + live routes | Refund policy decision | No payment in P0; refund page required only if payment exists | Passed for no-payment P0 | `/refund-policy` returns 404; no payment/Stripe observed; acceptable because no payment route |

## 4. Live page status

| URL | HTTP | Compliance read |
|---|---:|---|
| `/` | 200 | Fan-made notice visible; no official/complete claims observed; footer links legal pages. |
| `/map/` | 200 | Search/filter/detail/source display exists; route coordinates described as local; Game8 source link visible. |
| `/privacy/` | 200 | Exists, but too thin for public launch. Missing operator, retention, rights, precise contact, age, third-party list depth. |
| `/terms/` | 200 | Exists, but too thin. Missing governing terms depth, user obligations, IP ownership/permissions, limitation, contact, termination. |
| `/legal/` | 200 | Contains DMCA/contact concept, but uses pages.dev emails and says aliases must be changed before public domain launch. |
| `/contact/` | 200 | Same issue: pages.dev emails, not formal domain-routed aliases. |
| `/cookie-policy/` | 200 | Exists and broadly consistent with no ads/no checkout/no cross-site account cookies. |
| `/refund-policy` | 404 | Acceptable only because no payment route exists in P0. If support/donation/Stripe appears, this becomes P0. |
| `/sitemap.xml` | 200 | Fails production-domain gate: all loc entries are `https://subnautica2maps.pages.dev/...`. |
| `/robots.txt` | 200 | Fails production-domain gate: sitemap points to `https://subnautica2maps.pages.dev/sitemap.xml`. |

## 5. P0 findings

### P0-1 — Formal domain email not ready

Evidence:

- Live footer: `Contact: hello@subnautica2maps.pages.dev · support@subnautica2maps.pages.dev`
- `/legal/`: says pages.dev emails are preview only and “Before public domain launch, these must become domain-routed aliases on the final domain.”
- DNS check: `dig +short MX subnautica2maps.com` returned empty.

Risk:

- Legal/DMCA/privacy contact is not credible for the formal public domain.
- The task hard constraint requires `hello@domain/support@domain` for the formal domain.

Fix:

- Configure MX/email routing for `subnautica2maps.com`.
- Replace footer/legal/contact/privacy with at least:
  - `hello@subnautica2maps.com`
  - `support@subnautica2maps.com`
  - Recommended: `privacy@subnautica2maps.com`, `dmca@subnautica2maps.com`
- Verify by sending/receiving test email or provider routing evidence.

### P0-2 — Sitemap / robots / canonical still use pages.dev

Evidence:

- `/sitemap.xml` contains `https://subnautica2maps.pages.dev/`, `/map/`, legal pages, resources and biomes.
- `/robots.txt` contains `Sitemap: https://subnautica2maps.pages.dev/sitemap.xml`.
- Source: `src/app/layout.tsx` has `metadataBase: new URL('https://subnautica2maps.pages.dev')`.
- Source: `src/app/sitemap.ts` has `const base='https://subnautica2maps.pages.dev'`.
- Source: `src/app/robots.ts` points sitemap to pages.dev.

Risk:

- Production `subnautica2maps.com` launch would send search engines to the wrong canonical host.
- Legal pages and brand disclaimers become fragmented across pages.dev/custom domain.

Fix:

- Set metadataBase/sitemap/robots to `https://subnautica2maps.com` for production.
- Keep pages.dev preview either noindex or not submitted.
- Re-smoke `/sitemap.xml`, `/robots.txt`, canonical tags after deploy.

### P0-3 — Privacy / Terms are placeholders, not launch-grade policies

Evidence:

- `/privacy/` has only a short paragraph on Cloudflare logs, `/api/events`, route coordinates local, localStorage, no login/payment.
- Missing operator name/address, precise contact, retention, rights/deletion request, third parties, cookies/localStorage detail, children/age, cross-border transfer, updates.
- `/terms/` has only public-reference/no warranty and no-affiliation statement.

Risk:

- The pages exist but do not satisfy basic pre-launch policy quality.
- For a US/en public site, a lightweight policy is acceptable; a placeholder-thin one is not.

Minimum fix:

Privacy should include:

- Operator: Nextfield Labs LLC, Wyoming, United States [confirm exact address if publishing].
- Contact: privacy/support email on final domain.
- Data collected: Cloudflare logs/IP/device, first-party analytics events, localStorage progress, route coordinate processing local only, contact emails if user writes in.
- Third parties: Cloudflare Pages/CDN/security; first-party `/api/events`; no GA/Clarity/ads/Stripe/auth in P0; external source links; YouTube only if later embedded.
- Retention: event logs and server logs concrete period, e.g. 30-90 days; localStorage until user clears it.
- User choices: clear localStorage, contact deletion/correction requests.
- Children: not intended for children under 13.

Terms should include:

- Fan-made/no-affiliation and trademark attribution.
- Public-reference/no warranty and Early Access data-change warning.
- Allowed use / prohibited misuse.
- User-submitted corrections only by email for P0; no license grant until UGC exists.
- IP ownership and third-party trademark ownership.
- Limitation of liability and service changes.
- Contact.

### P0-4 — Sitemap contains noindex/thin public-reference pages

Evidence:

- Live `/resources/silver/`, `/resources/copper/`, `/resources/sulfur/`, `/biomes/shallows/`, `/biomes/graveyard/` return 200 but contain `<meta name="robots" content="noindex"/>` and default title text.
- The same URLs are included in `/sitemap.xml`.
- The source intends `resources/[slug]` and `biomes/[slug]` to be indexable, but the live output behaves like a fallback/noindex shell.

Risk:

- Violates the PRD gate: "Only index pages that have real data, task value, and source/update/confidence fields."
- Legal/compliance impact: public-reference/source/confidence claim is not reliably visible on those landing pages if route generation failed.

Fix:

- Either generate real resource/biome pages with visible source/confidence/fan-made warning and index them, or remove them from sitemap until ready.
- Do not submit GSC sitemap while noindex URLs are listed.

### P0-5 — Domain trademark risk remains high

Evidence:

- Public domain is `subnautica2maps.com`, containing full `Subnautica` mark.
- Mitigations present: no-affiliation visible; no official logo/key art observed; copy avoids “official map” as a claim.
- Mitigations incomplete: formal legal pages/email/canonical not production-ready.

Risk:

- Even with descriptive fair-use posture, exact branded domain can look like an official map property.

Fix:

- If keeping this domain, do not use official visuals, do not bid paid ads on exact brand terms, keep no-affiliation visible in hero/footer/legal, and make policies production-grade before public distribution.
- The safer long-term alternative remains a less brand-heavy domain, but the current task can only gate this launch.

## 6. Passed / acceptable items

1. Fan-made/no-affiliation appears on homepage, map, legal pages, and footer.
2. No official logo/key art/favicon was observed; `public/assets/icon.svg` is generic grid/compass style.
3. No payment/auth/Stripe/login observed; refund page 404 is acceptable for no-payment P0.
4. Cookie posture is acceptable if stack remains Cloudflare + first-party `/api/events` + localStorage only. No Set-Cookie observed on homepage headers.
5. `/api/events` exists and accepts the required event taxonomy.
6. Raw current coordinates are blocked at ingestion when sent as `x/y/z/coordinates` properties.
7. Security headers observed: CSP, Permissions-Policy, Referrer-Policy, X-Content-Type-Options, Cloudflare serving over HTTPS.
8. Dataset has manifest and source URLs; markers contain source/confidence/index policy fields in repo.

## 7. Cookie / analytics decision

Current decision: Cookie banner not required for this P0 build, if no GA/Clarity/ads/social pixels are added.

Reason:

- Observed first-party scripts only.
- No homepage `Set-Cookie` header.
- Cookie policy says no advertising cookies, checkout cookies, or cross-site account cookies.
- `/api/events` is first-party and blocks disallowed raw coordinate properties.

Required guard:

- If GA, Clarity, ads pixels, embedded YouTube on core pages, social login, Stripe, or any cross-site tracking is added, implement Cookie Banner before loading non-essential scripts and update Privacy/Cookie Policy.

## 8. IP / asset / data boundary

Current posture: conditional acceptable, with residual risk.

What is acceptable:

- Text-only descriptive use of Subnautica 2.
- Visible no-affiliation disclaimer.
- Self-made icon and grid map style.
- Public-reference dataset with source URLs and confidence/index policy fields.

What remains risky:

- Domain contains full mark.
- Source data heavily references Game8/IGN/Eurogamer/wiki public pages. It must remain citation/reference-backed, human-rewritten, and not a copied database or scraped competitor clone.
- Some live routes intended for resources/biomes do not currently render the rich source/confidence content that would justify indexing.

## 9. Required remediation checklist

### P0 — before public launch / GSC / cold-start distribution

- [ ] Configure and verify domain email routing for `hello@subnautica2maps.com` and `support@subnautica2maps.com`.
- [ ] Preferably also configure `privacy@subnautica2maps.com` and `dmca@subnautica2maps.com`.
- [ ] Replace all pages.dev contact emails in footer/legal/contact/privacy.
- [ ] Update `metadataBase`, `sitemap.ts`, `robots.ts`, canonical tags to `https://subnautica2maps.com` for production.
- [ ] Either fix `/resources/*` and `/biomes/*` to render full source/confidence/fan-made pages, or remove them from sitemap until ready.
- [ ] Expand Privacy Policy to include operator, retention, user rights/deletion, third parties, localStorage/cookie details, children/age, contact.
- [ ] Expand Terms to include accepted use, IP/trademark attribution, no warranty, data accuracy boundary, limitation, contact.
- [ ] Re-run legal route smoke after deploy: `/privacy`, `/terms`, `/legal`, `/contact`, `/cookie-policy`, footer links, sitemap, robots, canonical.

### P1 — within first week after launch

- [ ] Add a lightweight “Data sources / methodology” section linked from footer or map detail.
- [ ] Add a correction workflow page explaining what evidence to include and prohibiting copied competitor/official data.
- [ ] Add visible “last updated / game version / coverage limited” block near the map and resource pages.
- [ ] Keep an asset inventory file listing icon, map base, marker icons, screenshots/videos used, license/source, and whether used in branding.

### P2 — later hardening

- [ ] Consider migration to a lower-risk brand/domain if this becomes a serious long-term property.
- [ ] If UGC/community submissions are added, add submission terms, license grant, moderation queue, noindex-by-default, and re-review.
- [ ] If payment/supporter/ad-free is added, add refund/subscription terms and cookie consent where applicable.

## 10. Verification evidence

Commands/evidence captured during recheck:

- `curl -L -s -o /tmp/curl_body -w '%{http_code} ...' https://subnautica2maps.com/privacy` → 200.
- `curl -L -s -o /tmp/curl_body -w '%{http_code} ...' https://subnautica2maps.com/terms` → 200.
- `curl -L -s -o /tmp/curl_body -w '%{http_code} ...' https://subnautica2maps.com/legal` → 200.
- `curl -L -s -o /tmp/curl_body -w '%{http_code} ...' https://subnautica2maps.com/contact` → 200.
- `curl -L -s -o /tmp/curl_body -w '%{http_code} ...' https://subnautica2maps.com/cookie-policy` → 200.
- `curl -L -s -o /tmp/curl_body -w '%{http_code} ...' https://subnautica2maps.com/refund-policy` → 404; acceptable for no-payment P0.
- `curl -I https://subnautica2maps.com/` → no Set-Cookie observed; CSP and security headers present.
- `curl https://subnautica2maps.com/sitemap.xml` → loc entries use `https://subnautica2maps.pages.dev/...`.
- `curl https://subnautica2maps.com/robots.txt` → Sitemap points to `https://subnautica2maps.pages.dev/sitemap.xml`.
- `dig +short MX subnautica2maps.com` → no MX output observed.
- `/api/events` accepted: pageview, hero_cta_click, tool_start, tool_result, pricing_cta_click, map_search, marker_open, filter_apply, detail_open, position_set, route_calculate, progress_toggle, outbound_click.
- `/api/events` rejected raw coordinate properties: `{x,y,z,coordinates}` with `disallowed_property`.
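An added example, not the project's code: the sitemap launch gate that P0-2 and P0-4 describe, run as one check so a post-fix recheck can be repeated mechanically. It flags every `<loc>` that is not on the production host, any listed page that carries a `noindex` robots meta tag or still shows the fallback title, and a robots.txt whose `Sitemap:` line points at the preview host. The sitemap XML, robots.txt text, page HTML, and the `DEFAULT_TITLE` string are constructed stand-ins for what `curl` returned; in a real recheck each `<loc>` would be fetched instead of looked up in `PAGES`.

```typescript
// Added example (not the project's code). Production host is the page's
// stated formal domain; the default title and page HTML are constructed.
const PRODUCTION_HOST = "subnautica2maps.com";
const DEFAULT_TITLE = "Subnautica 2 Maps"; // constructed stand-in for the fallback shell title

interface SitemapFinding {
  loc: string;
  wrongHost: boolean;     // loc is not on the production domain
  noindex: boolean;       // page carries <meta name="robots" content="noindex">
  defaultTitle: boolean;  // page still renders the fallback title (thin route)
}

interface GateResult {
  pass: boolean;
  findings: SitemapFinding[];
}

// Split an absolute http(s) URL into host and path without the URL global.
function splitUrl(url: string): { host: string; path: string } {
  const m = /^https?:\/\/([^/?#]+)([^?#]*)/.exec(url);
  if (!m) return { host: "", path: "" };
  return { host: m[1].toLowerCase(), path: m[2] === "" ? "/" : m[2] };
}

// Minimal <loc> extraction; enough for a flat urlset, not a full XML parser.
function parseSitemapLocs(xml: string): string[] {
  const locs: string[] = [];
  const re = /<loc>\s*([^<\s]+)\s*<\/loc>/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(xml)) !== null) locs.push(m[1]);
  return locs;
}

function hasNoindex(html: string): boolean {
  return /<meta\s+name=["']robots["']\s+content=["'][^"']*\bnoindex\b[^"']*["']/i.test(html);
}

function titleOf(html: string): string {
  const m = /<title>([^<]*)<\/title>/i.exec(html);
  return m ? m[1].trim() : "";
}

// pages maps a path to the HTML it served (constructed here; fetched in a real recheck).
function checkSitemapGate(sitemapXml: string, pages: Record<string, string>): GateResult {
  const findings = parseSitemapLocs(sitemapXml).map((loc): SitemapFinding => {
    const { host, path } = splitUrl(loc);
    const html = pages[path] ?? "";
    return {
      loc,
      wrongHost: host !== PRODUCTION_HOST,
      noindex: hasNoindex(html),
      defaultTitle: titleOf(html) === DEFAULT_TITLE,
    };
  });
  const pass = findings.every((f) => !f.wrongHost && !f.noindex && !f.defaultTitle);
  return { pass, findings };
}

// robots.txt must advertise the production sitemap, not the pages.dev preview.
function robotsSitemapOnProduction(robotsTxt: string): boolean {
  const sitemaps = robotsTxt
    .split(/\r?\n/)
    .map((l) => l.trim())
    .filter((l) => /^sitemap:/i.test(l))
    .map((l) => l.slice("sitemap:".length).trim());
  return sitemaps.length > 0 && sitemaps.every((s) => splitUrl(s).host === PRODUCTION_HOST);
}

// Constructed HTML bodies keyed by path.
const page = (title: string, noindex: boolean): string =>
  `<html><head><title>${title}</title>${noindex ? '<meta name="robots" content="noindex"/>' : ""}</head><body></body></html>`;

const PAGES: Record<string, string> = {
  "/": page("Subnautica 2 Map (fan-made) - Subnautica 2 Maps", false),
  "/map/": page("Interactive Map - Subnautica 2 Maps", false),
  "/privacy/": page("Privacy Policy - Subnautica 2 Maps", false),
  "/resources/silver/": page(DEFAULT_TITLE, true), // fallback shell: default title + noindex
};

// Constructed sitemap reflecting the live finding (pages.dev host, thin route listed).
const LIVE_SITEMAP = `<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://subnautica2maps.pages.dev/</loc></url>
  <url><loc>https://subnautica2maps.pages.dev/map/</loc></url>
  <url><loc>https://subnautica2maps.pages.dev/privacy/</loc></url>
  <url><loc>https://subnautica2maps.pages.dev/resources/silver/</loc></url>
</urlset>`;

// Constructed sitemap after the P0-2/P0-4 fix: production host, thin route removed.
const FIXED_SITEMAP = `<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://subnautica2maps.com/</loc></url>
  <url><loc>https://subnautica2maps.com/map/</loc></url>
  <url><loc>https://subnautica2maps.com/privacy/</loc></url>
</urlset>`;

const LIVE_ROBOTS = "User-agent: *\nAllow: /\nSitemap: https://subnautica2maps.pages.dev/sitemap.xml\n";

console.log(JSON.stringify(checkSitemapGate(LIVE_SITEMAP, PAGES), null, 2));
console.log("robots on production:", robotsSitemapOnProduction(LIVE_ROBOTS));
```

Because the gate returns per-URL findings rather than a single boolean, the output doubles as the evidence list this section records: each failing `<loc>` is named with the reason, and the same run after redeploy is the "re-smoke" step in the P0 checklist.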

## 11. Acceptance checklist

| Item | Status | Note |
|---|---|---|
| Privacy exists and footer linked | PASS_WITH_GAP | Exists but must be expanded before public launch. |
| Terms exists and footer linked | PASS_WITH_GAP | Exists but must be expanded before public launch. |
| Legal/DMCA/contact exists | PASS_WITH_GAP | Exists but still preview email / pages.dev. |
| Cookie policy exists | PASS | Current no-cookie/no-ads posture acceptable. |
| Refund policy | N/A | No payment in P0. |
| Fan-made/no-affiliation visible | PASS | Visible sitewide. |
| Trademark/domain risk mitigated | PARTIAL | Full mark in domain remains high risk. |
| Official/competitor asset avoidance | PASS_WITH_RESIDUAL_RISK | No official visuals observed; public-reference data must stay citation/human-rewrite only. |
| Analytics disclosure | PASS_WITH_GAP | Events disclosed; privacy page needs retention/provider details. |
| Raw coordinate privacy | PASS | API blocks raw coordinate keys. |
| Domain email | FAIL_P0 | No production MX/email evidence; live pages use pages.dev emails. |
| Production sitemap/robots/canonical | FAIL_P0 | pages.dev still used. |
| Index/noindex policy | FAIL_P0 | noindex resource/biome URLs are in sitemap. |
| CF security evidence | PARTIAL | Headers good; dashboard-level SSL Full Strict / Always HTTPS / Bot Fight / Crawler Hints / cache TTL not independently verified. |

## 12. Metadata handoff fields

```json
{
  "project_slug": "subnautica2maps",
  "selected_keyword": "subnautica 2 map",
  "compliance_verdict": "BLOCK_FOR_PUBLIC_LAUNCH",
  "production_url": "https://subnautica2maps.com",
  "source_commit_checked": "a25cd5953d5bb9c10f0870044e76f9abdb888aa0",
  "artifact_paths": [
    "/root/.hermes/kanban/boards/site-factory/workspaces/t_1c11ff7d/reports/site-pipeline/site-rerun-subnautica2maps-20260520-clean/subnautica2maps/07b-compliance-recheck.md"
  ],
  "verification": {
    "legal_pages_http_200": true,
    "refund_policy_required": false,
    "no_set_cookie_observed_homepage": true,
    "api_events_required_taxonomy_ingests": true,
    "raw_coordinates_blocked_by_api": true,
    "sitemap_uses_production_domain": false,
    "robots_uses_production_sitemap": false,
    "domain_mx_observed": false,
    "resource_biome_sitemap_noindex_conflict": true
  },
  "acceptance_checklist": {
    "skill_contract_check": true,
    "clean_rerun_parent_artifacts_only": true,
    "privacy_page_exists": true,
    "terms_page_exists": true,
    "legal_dmca_page_exists": true,
    "contact_page_exists": true,
    "cookie_policy_exists": true,
    "footer_legal_links_exist": true,
    "fan_made_no_affiliation_visible": true,
    "no_official_visual_assets_observed": true,
    "analytics_disclosure_present": true,
    "raw_coordinate_tracking_blocked": true,
    "domain_email_ready": false,
    "privacy_terms_launch_grade": false,
    "sitemap_robots_canonical_production_ready": false,
    "index_noindex_sitemap_policy_pass": false
  },
  "residual_risk": [
    "subnautica2maps.com contains the full Subnautica mark; confusion risk remains even with disclaimers.",
    "Public-reference dataset depends on third-party guide/wiki pages and must remain human-rewritten/citation-backed, not copied database output.",
    "Cloudflare dashboard settings were not independently verified from dashboard/API in this task."
  ],
  "blocking_risks": [
    "No production-domain email/MX evidence for hello@subnautica2maps.com/support@subnautica2maps.com.",
    "Sitemap/robots/canonical still point to pages.dev instead of subnautica2maps.com.",
    "Privacy/Terms are too thin for public launch.",
    "Noindex/thin resource/biome routes are listed in sitemap."
  ],
  "next_inputs": [
    "Email routing proof for hello@subnautica2maps.com and support@subnautica2maps.com.",
    "Post-fix deployment URL and commit SHA after sitemap/robots/canonical/legal page updates.",
    "Recheck evidence for resources/biomes pages: indexable rich content or removal from sitemap.",
    "Expanded Privacy and Terms copy with operator/contact/retention/rights/third-party details."
  ],
  "next_assignee_input": {
    "for_mojie_frontend": "Fix production metadataBase/sitemap/robots/canonical to subnautica2maps.com; replace pages.dev emails; expand Privacy/Terms; fix or remove resource/biome pages from sitemap; redeploy same commit and provide evidence.",
    "for_qa": "Do not pass launch QA until domain email, production sitemap/robots/canonical, legal page depth, and sitemap/noindex conflict are fixed and re-smoked.",
    "for_seo_launch": "Do not submit sitemap/GSC while sitemap points to pages.dev or contains noindex/thin resource/biome URLs.",
    "for_host": "Confirm production email routing and whether the high-risk branded domain is accepted despite full Subnautica mark."
  }
}
```

## 13. Final judgment

Audit complete. Compliance gate is not cleared for public launch yet. Fix the four P0 items, then rerun 07B before GSC/cold-start distribution.
