How This Site Was Built

6 service pages (each with its own color palette), 3 case studies, 3 readiness assessments (GRA / CRA / FRA), homepage, about, services hub, methodology, portfolio, contact, funding record, privacy, plus the build-spec page you're reading. Every palette carries through dark-mode variants; three vision-accessibility modes layer on top — standard, color-safe for deuteranopia, and full monochrome grayscale.

~19,000 lines across HTML, CSS, and JavaScript. On top of that: ~100,000 words of original copy (order of magnitude: a short nonfiction book — every paragraph, pricing explanation, FAQ answer, and case narrative written specifically for this site, with no boilerplate or stock copy). 164 assessment form fields across the three readiness assessments, each with help text, placeholder guidance, and validation rules. Year-by-year funding record documenting $24.5M+ in publicly documented / publicly awarded funds; total delivered across Elysian Trust's principals' careers is $107M+ — $24.5M is the disclosable public subset.

• arrow_right3 Cloudflare Pages Functions (grant / contract / funding assessment endpoints) + 1 standalone Cloudflare Worker for the contact form
• arrow_rightGoogle Sheets persistence via service-account JWT authentication with custom JWT signing, OAuth2 token refresh, and append-row logic
• arrow_rightCloudflare KV storage for contact-form submissions
• arrow_rightResend API for transactional email with HTML-escaped message bodies
• arrow_rightAll credentials stored in Cloudflare environment variables; zero secrets in the repo

• arrow_rightNo React, Vue, Astro, or any third-party framework — every interaction hand-authored in vanilla JavaScript
• arrow_rightAll scripts live in external .js files; 99 inline <script> blocks and 164 inline event handlers were refactored out during the strict-CSP migration so the site ships with no 'unsafe-inline' on script-src
• arrow_rightA single delegated data-action / data-gtag-event router in ui-shared.js handles every click and submit event across the site
• arrow_right10+ modules total — theme-vision-init.js (head-blocking FOUC prevention), smooth-nav.js, smooth-details.js, tier-cards.js, plus page-specific handlers for each assessment, contact form, typewriter, and principal switcher
• arrow_rightProgressive enhancement throughout — every <details> collapsible still works if JavaScript is disabled

Most of these are not standard even at agency-tier builds:

• arrow_rightFocus management: modal focus trap, return-focus on close, visible gold focus rings
• arrow_rightThree vision modes: standard / color-safe (deuteranopia SVG filter) / full monochrome grayscale
• arrow_rightFull ARIA: aria-pressed on toggles, aria-expanded on dropdowns, aria-hidden, aria-modal, aria-labelledby, dynamic aria-label announcing current toggle state
• arrow_right22 autocomplete tokens on identity-purpose form fields (WCAG 1.3.5)
• arrow_rightprefers-reduced-motion disables every animation for users who need it
• arrow_rightSkip-to-main-content link, semantic heading hierarchy, keyboard parity on every interactive surface

• arrow_rightStrict Content-Security-Policy with no 'unsafe-inline' on script-src
• arrow_rightHSTS at 6 months with includeSubDomains; HTTPS enforced at the edge
• arrow_rightCloudflare WAF rate limiting on all API endpoints
• arrow_rightHoneypot field + server-side validation + 5000-char input caps on all 4 forms
• arrow_rightCORS scoped to production + preview origins only; email bodies HTML-escaped against stored-XSS
• arrow_rightX-Frame-Options: DENY + CSP frame-ancestors 'none', base-uri 'self', scoped form-action, object-src 'none'

• arrow_right~100 JSON-LD structured data instances (Organization, Service, BreadcrumbList, Article, Audience, Thing, ListItem)
• arrow_rightCanonical URLs on every page
• arrow_rightOpenGraph + Twitter Cards with a 1200×630 og:image for rich link previews
• arrow_rightsitemap.xml + robots.txt
• arrow_rightGoogle Analytics 4 event tracking on key interactions (book-a-call, assessment start, contact submit)
• arrow_rightMeta descriptions trimmed to ≤160 chars for SERP display

• arrow_rightCloudflare Pages edge deployment across the global network
• arrow_rightVersion-pinned immutable caching on static assets with query-string invalidation
• arrow_right301 redirect infrastructure via _redirects to preserve SEO across filename changes and legacy URLs
• arrow_rightSecurity headers via _headers (CSP, HSTS, Permissions-Policy, Referrer-Policy, X-Frame-Options, X-Content-Type-Options)
• arrow_rightnoindex, follow robots directive on assessment pages and this build-spec page
• arrow_rightGit-versioned on GitHub with granular commit history