Conversation
GitHub Actions runners default to Node 24 starting June 2nd, 2026. The previously-pinned versions (checkout@v4, setup-node@v4, wrangler-action@v3) all ran on Node 20 and produced deprecation warnings on every workflow run. Latest stable versions, all native to Node 24: - actions/checkout v4 → v6 (v6.0.2, published 2026-01-09) - actions/setup-node v4 → v6 (v6.4.0, published 2026-04-20) - cloudflare/wrangler-action v3 → v4 (v4.0.0, published 2026-05-12) Behavior expected unchanged; this is purely a runtime-version migration. CI on this PR verifies the bumped versions work cleanly before merging. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ge (#39) Closes three deployment-confidence gaps that the recent prod cutover (PR #37) made visible. # 1. Build with NEXT_PUBLIC_SHOW_FULL_SITE='true' in wrangler-smoke CI previously built without the env var, so the / → /home redirect codepath (production behavior) was never exercised in CI. Now matches the deploy.yml build mode. Readiness probe switched from / (now 307) to /home (always 200) so wrangler-dev startup detection still works. # 2. Extend wrangler-smoke route coverage Old coverage: POST /api/waitlist + GET /crisis (2 routes). New coverage adds 4 routes: - GET / → 307 with location: /home - GET /home → 200 + 'Mindfulness with meaning' body marker - GET /download → 200 + 'Coming soon' marker, NOT 'graphic needed' (catches if the page regresses to the pre-#36 placeholder badges) - GET /privacy/multi-state → 200 + 'Multi-State' body marker Each follows the existing /crisis assertion pattern. # 3. Post-deploy smoke against live URL (deploy.yml) Catches the failure mode CI cannot reach: DNS misconfig, custom-domain unbound, SSL broken, deploy succeeded-but-routed-wrong. After the wrangler-action deploy command succeeds: - Branch-aware URL (main → being.fyi, preview → workers.dev) - 15s sleep for Cloudflare edge propagation - Cache-busted curl on /home (200), /download (Coming soon marker), /privacy (Strict-Transport-Security header) - FAIL exits the workflow loudly so an alert fires Note on the 'Coming soon' assertion: temporary marker tied to pre-launch state. When the app launches and /download swaps to real app-store badges, update this assertion or replace with a durable marker like the H1 text. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The /features page made detection / auto-trigger / clinical claims
that compliance + crisis agents both flagged as inconsistent with
Being's consumer-wellness positioning per regulatory-applicability.md
§FDA. Apple/TestFlight reviewers may visit the live site; "Auto-detects
severe depression (PHQ-9 ≥20)" + "Crisis support triggered
automatically" is exactly the language FDA uses to define a Software
as a Medical Device.
Rewrites (19 + 2 follow-ups from agent re-review):
# Removed: SaMD-adjacent detection / trigger claims
- "Auto-detects severe depression (PHQ-9 ≥20)" →
"Flags elevated scores (PHQ-9 ≥20) and surfaces crisis resources"
- "Auto-detects severe anxiety (GAD-7 ≥15)" → same for GAD-7
- "Crisis support triggered automatically" / "Integrated with crisis
protocols" → "Always one tap from 988 and Crisis Text Line"
- "Auto-triggered on PHQ-9 ≥20 or GAD-7 ≥15" (Crisis Support section) →
"Surfaced immediately when self-assessment scores are elevated"
# Shifted: clinical register → consumer wellness register
- Section title: "Mental Health Self-Monitoring" → "Mood & Wellbeing Tracking"
- "Standardized self-assessments" / "mental health patterns" →
"Research-based reflection tools" / "mood and wellbeing patterns"
- Card headers: "PHQ-9 (Depression)" → "PHQ-9 Mood Self-Assessment"
(same pattern for GAD-7)
- "monitoring depression symptoms" → "tracking mood patterns over time"
- "monitor anxiety symptoms" → "tracking anxious thought and feeling patterns"
- Privacy: "mental health data" → "wellbeing data" (consistency)
- "Military-grade encryption" → "AES-256 encryption" (drop empty-marketing
phrase, keep concrete claim)
- Hero: "modern mental health science" → "modern wellbeing research"
- CTA: "evidence-based self-monitoring tools" → "research-based
self-reflection tools"
# Safety additions
- Crisis Text Line added: previously the 988 callout said "One tap to
connect" implying only the call mode. Now: "Call 988 or text HOME to
741741" — both modes named explicitly.
- 988 callout restyled from solid bg-info (bright blue + white text) to
bg-crisis-bg + crisis-text + crisis-border tokens (muted, on-brand,
consistent with the design system's crisis token family — matches
what the audit recommended for cross-site unification of 988
treatment).
- Section title "24/7 Crisis Support" → "24/7 Crisis Resource Access"
(Being surfaces links to 24/7 resources; doesn't itself provide
support — precision per crisis-agent re-review).
- PHQ-9 description: dropped "scores remain comparable to those you
might see from a healthcare provider" — both agents flagged this as
a new SaMD-adjacent claim on the rewrite. Now: "self-reported scores
stay consistent, letting you track your own patterns."
# Out of scope (raise with app team)
- Verify the app actually surfaces crisis resources at PHQ-9 ≥20 /
GAD-7 ≥15 (else FTC §5 issue).
- Handle PHQ-9 item 9 ≥1 independently of total score (real product
safety design concern: total-only thresholds miss self-harm
ideation at lower totals).
- Verify "Crisis button always visible in app" + "Less than 3 seconds
from any screen to 988" are literally true.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Production hotfix
Three commits since the last preview → main merge (#37):
Why this is a hotfix
The currently-live /features page on being.fyi makes claims that compliance + crisis agents flagged as inconsistent with Being's wellness-app positioning:
That's exactly the FDA's definition of medical-device software ("identifies a clinical condition and takes action"). The wellness exemption Being relies on under `regulatory-applicability.md` §FDA collapses when the marketing copy makes detection/auto-trigger claims. Apple/TestFlight reviewers may be looking at the live site right now.
PR #40 rewrites the page to consumer-wellness register (see its description for the full 21-item change list). Compliance + crisis agents independently re-reviewed and confirmed the rewrite passes.
Bonus included: CI hardening (#38, #39)
These landed on preview hours ago and have been smoking the preview deploy successfully. Going to main:
Pre-merge gates (already verified)
Post-merge automatic smoke
The post-deploy smoke step (added in #39) will run after deploy.yml completes here, hitting being.fyi:
If any of those fail, the workflow fails loudly. If all pass, the hotfix is verified live.
Manual additional check after merge (5 sec)
```bash
curl -s https://being.fyi/features | grep -c "Auto-detects" # expect 0
curl -s https://being.fyi/features | grep -q "Flags elevated scores" && echo "fixed"
```
Out of scope — needs app-team raise
Three operational claims on the website should also be true in the app:
Website is now compliant; app behavior should match.
🤖 Generated with Claude Code