Serve /blog and /llms.txt publicly instead of redirecting to login

[RhysSullivan]

On executor.sh the cloud worker only proxies an allow-list of paths to the marketing worker; everything else falls through to the auth gate. /blog and /llms.txt were not on the list, so unauthenticated visits got redirected to /login?returnTo=....

Session replays back this up: visitors landing on those login redirects bounced almost immediately (blog ~79%, llms.txt ~90% bounce, 0s median).

Changes

• Add /blog and /llms.txt to the marketing allow-list (apps/cloud/src/edge/marketing.ts).
• /blog already has marketing routes. llms.txt did not exist anywhere, so add a real one under apps/marketing/public/ (product summary + docs/source/community links, per the llms.txt convention) rather than allow-listing a 404.
• Export isMarketingPath (mirroring the sibling docs.ts) and cover the allow-list with a unit test, including a /blogger guard against a bare prefix match.

Verification

• apps/cloud/src/edge/marketing.test.ts: 15/15 pass.
• @executor-js/cloud typecheck: clean.
• Cannot exercise via local preview (the middleware only activates on host === "executor.sh" with the prod MARKETING binding); the unit test covers the routing. Worth a manual hit of /blog and /llms.txt after deploy.

[greptile-apps]

Greptile Summary

Adds /blog and /llms.txt to the marketing worker's path allow-list so unauthenticated visitors reach public content instead of being redirected to the login screen. A new llms.txt static file and a unit test for the exported isMarketingPath helper are included.

• /blog and /llms.txt are added to MARKETING_PATHS, the export of isMarketingPath mirrors the pattern from docs.ts, and the proxy logic in marketingMiddleware forwards them to the marketing worker unchanged.
• marketing.test.ts covers the full allow-list including the /blogger prefix-collision guard, using Effect Vitest per the project's testing standards.
• apps/marketing/public/llms.txt is a new static file with product/docs/source/community links in the llms.txt convention; it will be served by the Astro marketing worker at the path the allow-list now exposes.

Confidence Score: 5/5

Safe to merge; the change is additive and isolated to the marketing proxy allow-list with no impact on authenticated routes or the auth gate.

Two paths are added to a static allow-list, the proxy logic that handles them is unchanged, and the only new function export is the predicate that the new tests cover. The /blogger prefix-collision guard confirms the startsWith logic was correctly considered. No auth paths are touched and the marketing worker binding guards against accidental exposure in non-production environments.

No files require special attention. A manual smoke-test of /blog and /llms.txt on the production domain after deploy is still worth doing, as noted in the PR description, since the middleware only activates with the prod MARKETING binding.

Important Files Changed

Filename	Overview
apps/cloud/src/edge/marketing.ts	Adds /blog and /llms.txt to MARKETING_PATHS and exports isMarketingPath; the startsWith logic correctly prevents /blogger prefix collisions.
apps/cloud/src/edge/marketing.test.ts	New unit test file covering the full allow-list and key negative cases (/blogger guard); uses Effect Vitest as required by AGENTS.md.
apps/marketing/public/llms.txt	New static llms.txt with product description and relevant links; will be served by the Astro marketing worker once the allow-list change is deployed.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant C as Unauthenticated Visitor
    participant W as executor.sh Worker
    participant M as executor-marketing Worker

    Note over W: marketingMiddleware runs first

    C->>W: GET /blog/some-post
    W->>W: isMarketingPath("/blog/some-post") true
    W->>M: proxy request unchanged
    M-->>C: 200 Blog page

    C->>W: GET /llms.txt
    W->>W: isMarketingPath("/llms.txt") true
    W->>M: proxy request unchanged
    M-->>C: 200 llms.txt (static file)

    C->>W: GET /dashboard (not on allow-list)
    W->>W: isMarketingPath("/dashboard") false
    W->>W: next() falls through to auth gate
    W-->>C: "302 /login?returnTo=/dashboard"

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant C as Unauthenticated Visitor
    participant W as executor.sh Worker
    participant M as executor-marketing Worker

    Note over W: marketingMiddleware runs first

    C->>W: GET /blog/some-post
    W->>W: isMarketingPath("/blog/some-post") true
    W->>M: proxy request unchanged
    M-->>C: 200 Blog page

    C->>W: GET /llms.txt
    W->>W: isMarketingPath("/llms.txt") true
    W->>M: proxy request unchanged
    M-->>C: 200 llms.txt (static file)

    C->>W: GET /dashboard (not on allow-list)
    W->>W: isMarketingPath("/dashboard") false
    W->>W: next() falls through to auth gate
    W-->>C: "302 /login?returnTo=/dashboard"

Loading

_{Reviews (1): Last reviewed commit: "Serve /blog and /llms.txt publicly inste..." | Re-trigger Greptile}

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	executor-cloud	3b66c3e	Jun 29 2026, 02:10 AM

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	executor-marketing	3b66c3e	Commit Preview URL Branch Preview URL	Jun 29 2026, 02:10 AM

[github-actions]

Cloudflare preview

Torn down — the PR is closed.

[pkg-pr-new]

Open in StackBlitz

@executor-js/cli

npm i https://pkg.pr.new/@executor-js/cli@1201

@executor-js/config

npm i https://pkg.pr.new/@executor-js/config@1201

@executor-js/execution

npm i https://pkg.pr.new/@executor-js/execution@1201

@executor-js/sdk

npm i https://pkg.pr.new/@executor-js/sdk@1201

@executor-js/codemode-core

npm i https://pkg.pr.new/@executor-js/codemode-core@1201

@executor-js/runtime-quickjs

npm i https://pkg.pr.new/@executor-js/runtime-quickjs@1201

@executor-js/plugin-file-secrets

npm i https://pkg.pr.new/@executor-js/plugin-file-secrets@1201

@executor-js/plugin-graphql

npm i https://pkg.pr.new/@executor-js/plugin-graphql@1201

@executor-js/plugin-keychain

npm i https://pkg.pr.new/@executor-js/plugin-keychain@1201

@executor-js/plugin-mcp

npm i https://pkg.pr.new/@executor-js/plugin-mcp@1201

@executor-js/plugin-onepassword

npm i https://pkg.pr.new/@executor-js/plugin-onepassword@1201

@executor-js/plugin-openapi

npm i https://pkg.pr.new/@executor-js/plugin-openapi@1201

executor

npm i https://pkg.pr.new/executor@1201

commit: 3b66c3e