feat(site): stage TrustedSite trustmark slot (opt-in prop) + setup doc; CSP/verification steps pre-documented

docs/trustedsite-setup.md

@@ -0,0 +1,41 @@
+# TrustedSite (Certified Secure) trustmark — setup steps
+
+TrustedSite (formerly McAfee SECURE) gives a free, embeddable "Certified Secure"
+trustmark after a daily malware/blocklist scan. The signup is an interactive
+SaaS onboarding (email + account + ToS) that must be done by a human; everything
+else is pre-staged here so finishing is ~2 minutes.
+
+## What's already staged
+1. **Trustmark mount point** in `site/src/components/TrustStrip.astro` — a
+   commented `<!-- TRUSTEDSITE_TRUSTMARK -->` slot + an opt-in `trustedsite` prop.
+2. **Verification-file location**: drop their `.html`/`.txt` verification file in
+   `site/public/` (served at the web root verbatim by Astro).
+3. This doc.
+
+## Steps for Justin
+1. Go to https://www.trustedsite.com/ → "Get Started" (free Certified Secure
+   tier). Sign up with `security@performancewest.net` (or your preferred inbox).
+2. Add site `performancewest.net`. Verify ownership — they offer either:
+   - **Meta tag**: copy the `<meta name="trustedsite-..." content="...">` →
+     paste into `site/src/layouts/Base.astro` `<head>` (next to the other
+     `<meta>` tags around line 33), **or**
+   - **File upload**: download their verification file → put it in
+     `site/public/` and redeploy. (Astro copies public/ to the web root.)
+3. After they finish the first scan (usually <24h) they give a **trustmark
+   snippet** (a small `<script>` + an `<a>`/`<img>`). Paste the script into
+   `Base.astro` `<head>` and the badge markup into the
+   `<!-- TRUSTEDSITE_TRUSTMARK -->` slot in `TrustStrip.astro`. Set the page(s)
+   to `<TrustStrip trustedsite />` if you want it gated to specific pages.
+4. **CSP update (REQUIRED)** — the trustmark loads from TrustedSite's CDN, so add
+   their host to the nginx CSP in `/etc/nginx/snippets/pw-security.conf` on the
+   prod host:
+   - `script-src`: add `https://cdn.ywxi.net https://www.trustedsite.com`
+   - `img-src` already allows `https:` (ok)
+   - `frame-src`: add `https://cdn.ywxi.net` if their seal uses an iframe
+   Then `sudo nginx -t && sudo systemctl reload nginx`.
+5. Redeploy the site (`./deploy.sh site`) and confirm the trustmark renders.
+
+## Notes
+- Keep it honest: only show the trustmark once the first scan passes.
+- The seal is reputation-sensitive; if a scan ever fails, TrustedSite hides it
+  automatically (no action needed from us).

site/src/components/TrustStrip.astro

@@ -15,9 +15,11 @@ export interface Props {
   variant?: "full" | "compact";
   /** Show the live "Verify" links (default true). */
   links?: boolean;
+  /** Opt in to render the TrustedSite "Certified Secure" trustmark slot. */
+  trustedsite?: boolean;
   class?: string;
 }
-const { variant = "full", links = true, class: extraClass = "" } = Astro.props;
+const { variant = "full", links = true, trustedsite = false, class: extraClass = "" } = Astro.props;
 const compact = variant === "compact";
 ---
 
@@ -70,6 +72,18 @@ const compact = variant === "compact";
         <span class="pw-trust__s">Compliant TLS (ImmuniWeb)</span>
       </div>
     </li>
+
+    {trustedsite && (
+      <li class="pw-trust__item pw-trust__trustedsite">
+        {/* TRUSTEDSITE_TRUSTMARK — paste the TrustedSite seal markup here after
+            account signup + first scan. See docs/trustedsite-setup.md.
+            Example:
+            <a href="https://www.trustedsite.com/verify?host=performancewest.net" target="_blank" rel="noopener">
+              <img src="https://cdn.ywxi.net/meter/performancewest.net/27.svg" alt="TrustedSite Certified Secure" height="36" />
+            </a>
+        */}
+      </li>
+    )}
   </ul>
 </section>