Abstract
Most consulting and nonprofit websites operate as digital brochures: thin, templated, functionally equivalent to their competitors' sites, and structurally indistinguishable from a Squarespace demo. This is a problem when the product being sold is trust: the argument for why an organization should hand millions of dollars in funding decisions, strategic pivots, or compliance-sensitive procurement to a consulting firm begins before the first engagement call.
This white paper documents the design and technical architecture of the Elysian Trust website (elysiantrust.org) as a case study in treating a marketing website itself as a trust-building instrument. The site comprises 21 HTML pages, approximately 19,000 lines of hand-authored HTML, CSS, and JavaScript, 100,000+ words of original copy, four serverless backend functions, three structured readiness assessments with 164 total form fields, a strict Content-Security-Policy implementation, WCAG 2.1 Level AA conformance, and approximately 100 JSON-LD structured data instances, all built without a single third-party framework, page builder, or CMS dependency.
We frame the site through seven design principles, walk through the economics of agency-equivalent delivery ($95K–$150K at mid-market rates, up to $400K+ at premium-agency rates), identify six distinct user archetypes and what the site signals to each, and close with implications for mission-driven organizations deciding where to invest their digital infrastructure budget.
The thesis is simple: quality of construction, when made visible, compounds into institutional credibility. This paper makes that thesis concrete.
1. Introduction: Why Websites Are Trust Instruments
When a program officer at a major foundation reviews a grant application from a new consulting partner, they will almost certainly visit the firm's website before responding. When a nonprofit executive director evaluates which advisor to retain for a capital campaign, the website is often the first (and most honest) encounter they have with the firm's actual capabilities. When a federal contracting officer scopes a vendor for a small-business set-aside, the firm's public web presence is part of the due diligence file.
In each case, the website does not merely describe the firm. It is a demonstration, in miniature, of how the firm works: how carefully it thinks, how completely it follows through, how much it cares about the details that only professionals notice. The website is submitting evidence on the firm's behalf before a single human conversation begins.
This paper is written from the premise that most consulting and nonprofit-sector firms (including very competent ones) are under-using their website as a trust instrument. They have templates. They have photos. They have bullet lists of services. They do not have a signal of trust. This is the gap this case study addresses.
2. The Problem Space: What's Broken About Most Consulting Websites
Five patterns describe the vast majority of websites in the nonprofit-adjacent consulting space. Each is a missed opportunity for the firm that runs the site.
2.1 The Overuse of Templates
Wix, Squarespace, Webflow, and WordPress templates have recognizable fingerprints: block-style hero sections, identical "About / Services / Contact" information architecture, stock photography of diverse teams in collaborative meetings, and CTA buttons that all use the same rounded corners and shadow depths. A trained eye (which includes most program officers, procurement officers, and sophisticated board members) recognizes the template immediately. The message received: if they are unwilling to put the necessary effort into their own brand, why would they take the time to effectively build mine?
2.2 Plugin Dependencies
Sites built on CMS platforms typically accumulate 20–50 third-party plugins over their lifetime: contact forms, newsletter signups, analytics scripts, popup widgets, cookie banners, chat tools, fonts, icons. Each plugin is a separate vendor with its own data-collection policies, its own update cadence, and its own failure modes. Visitors encounter slower page loads; firms encounter escalating subscription costs ($50–$500 per month per plugin, compounding over years); and the site's security posture degrades with every dependency added.
2.3 Lack of Identity
Most consulting websites collapse into the same ten paragraphs. Phrases like "Our proven methodology delivers measurable impact," "Our team brings a track record of excellence," and "Schedule a discovery call to explore how we can help" populate thousands of firm sites. The irony is that these claims are usually true. Real firms do bring expertise and do deliver outcomes. But when every firm in a sector makes the same true claim, the claim carries no weight. A sophisticated reader who finishes a site knowing nothing but these phrases cannot distinguish the firm from fifty others making identical assertions. The difference between a replaceable firm and a specific one is almost never the presence of these phrases. It is what surrounds them: named methodology, published pricing, case detail, principal voice, visible evidence of how decisions actually get made. Generic firms stop at the phrases. Dedicated firms earn them.
2.4 The Accessibility Gap
WCAG 2.1 Level AA is the international accessibility standard recognized by U.S. federal procurement rules (Section 508), European Union Directive 2016/2102, and most major foundation technology requirements. It is absent from most nonprofit-sector websites. Template-built sites fail on contrast ratios, keyboard navigation, focus management, ARIA attribute coverage, and semantic structure. Beyond the ethical issue (excluding disabled users), this is a compliance signal: a firm that advises nonprofits on grant eligibility, federal contracting, or institutional governance cannot demonstrate compliance fluency if its own site fails to address the needs of a marginalized group.
2.5 The Shallow SEO Footprint
Most nonprofit-consulting sites have one JSON-LD Organization block in their homepage (sometimes none) and trust the platform to handle the rest. They rank for their firm name, but not for any topic their prospects actually search. Meta descriptions are autogenerated. OpenGraph images are missing. Structured breadcrumbs do not exist. Searchers and large-language-model systems alike simply treat the site as a black box of text.
Each of these five patterns is solvable with deliberate work. The Elysian Trust website solves all five. The rest of this paper describes how.
3. The Seven Design Principles Behind elysiantrust.org
3.1 Custom Jobs Deserve Custom Code
Every line of HTML, CSS, and JavaScript on our site is tailored to properly represent Elysian Trust. No Wix theme, no Webflow export, no Astro template, no boilerplate scaffolding. The custom codebase is 21 HTML files, approximately 19,000 lines of code total, structured, consistent, and auditable.
That said, the argument is not that tailored code is intrinsically better than using a framework. It is that the effect of custom code is visibly verifiable. Prospects who care enough to inspect our source code (as sophisticated buyers in this space often do) will recognize our dedication to the craft, our mastery of it, and the quality of its implementation. What they see is direct evidence of the peerless service we will provide.
3.2 Zero Frameworks, Zero Dependencies
Our site ships with no React, Vue, Angular, Next.js, Astro, or Svelte. No jQuery. No Bootstrap. No Tailwind-at-runtime (Tailwind is compiled to a single static CSS file at build time, with no runtime dependency). The only external scripts we load at runtime are Google Analytics, Google Fonts, and Cloudflare Web Analytics: three trusted platform-level services, each of which we scope through a strict Content-Security-Policy.
The practical benefit: our site loads quickly, updates reliably, has no supply-chain vulnerability through third-party package managers, and imposes no recurring subscription cost beyond hosting (which is approximately $0 on Cloudflare Pages for projects customized to this level). Over a five-year horizon, the total-cost-of-ownership delta between a framework-heavy site and ours is typically $5,000–$20,000 in avoided subscription fees alone, depending on the platform.
3.3 Accessibility as Architecture
We do not treat WCAG 2.1 Level AA conformance as a "checkbox step at the end of the project." It is structural to our work. Every interactive element has keyboard parity; every modal implements focus trapping and return-focus; every form field has an appropriate autocomplete token (satisfying WCAG 1.3.5 Identify Input Purpose); every animation respects prefers-reduced-motion; every decorative icon carries aria-hidden; every toggle publishes its pressed state via aria-pressed; every interactive state is announced through dynamic aria-label or aria-labelledby references.
Three vision-accessibility modes layer on top of the baseline: standard, color-safe for deuteranopia (via a red-green color-blind SVG filter applied to the entire page), and full monochrome grayscale. These are not accommodations we bolted on at the end; they are design decisions we made at the color-system layer, and we tested every service-page palette in all three modes during development.
The bottom line: we do not treat users with disabilities as an edge case. We treat them as an equal-priority audience whose experience is part of our site's quality definition from the start.
3.4 Security as Architecture
We implement a strict Content-Security-Policy (CSP) on our site that prohibits inline JavaScript execution, a class of defense that blocks the majority of cross-site scripting (XSS) attacks by design. To enable this, we refactored every inline <script> block and every inline onclick= handler across all 21 pages into external JavaScript files loaded with explicit allow-list entries. We extracted ninety-nine inline script blocks and one hundred sixty-four inline event handlers during this pass.
Additional security architecture:
- HTTP Strict Transport Security (HSTS) with a 6-month max-age and includeSubDomains, enforcing HTTPS at the browser level.
- Cloudflare Web Application Firewall rate-limiting on the three readiness-assessment API endpoints (five requests per ten seconds per source IP).
- Honeypot field on all four public forms, silently rejecting submissions from naive bots without affecting the user experience.
- Server-side input validation with per-field length caps (5,000 characters), email format regex, and required-field enforcement on every serverless endpoint.
- CORS (Cross-Origin Resource Sharing) lock restricting form submissions to the production apex, the www subdomain, and preview URLs, blocking cross-origin abuse.
- HTML-escaping of all user-submitted content when rendering it into the admin notification emails, defeating stored-XSS through the email-client attack surface.
- X-Frame-Options: DENY and CSP frame-ancestors 'none', making our site non-embeddable and eliminating clickjacking as an attack class.
- Permissions-Policy denying camera, microphone, geolocation, and FLoC access by default.
This is a level of architectural security usually associated with financial or healthcare sites. Applied to a marketing site like ours, it signals our commitment to implementation excellence.
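The form-handling controls in the list above (origin allow-list, honeypot, required fields, length cap, email format check, HTML-escaping for the notification email) compose as follows. This is an added example, not the site's own code; the field names, the honeypot field name and the preview host are assumptions.

```javascript
// Added example. Field names, the honeypot name and the preview host are
// assumptions; only the two elysiantrust.org origins and the 5,000-character
// cap come from the page.
const ALLOWED_ORIGINS = new Set([
  "https://elysiantrust.org",     // production apex
  "https://www.elysiantrust.org", // www subdomain
]);
const PREVIEW_SUFFIX = ".example-project.pages.dev"; // placeholder preview host
const MAX_FIELD_LENGTH = 5000;
const REQUIRED_FIELDS = ["name", "email", "message"]; // hypothetical
const HONEYPOT_FIELD = "website"; // hypothetical hidden input
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Parse the Origin header and compare the normalized origin exactly.
// A substring or startsWith test would accept look-alike hosts.
function isAllowedOrigin(origin) {
  if (typeof origin !== "string") return false;
  let url;
  try { url = new URL(origin); } catch { return false; }
  if (url.protocol !== "https:") return false;
  if (ALLOWED_ORIGINS.has(url.origin)) return true;
  return url.port === "" && url.hostname.endsWith(PREVIEW_SUFFIX);
}

// Escape every character that can open a tag, attribute or entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Required-field, type, length-cap and email-format checks.
function validateSubmission(fields) {
  const errors = [];
  for (const name of REQUIRED_FIELDS) {
    const v = fields[name];
    if (v === undefined || v === null || (typeof v === "string" && v.trim() === "")) {
      errors.push(`${name}: required`);
    }
  }
  for (const [name, value] of Object.entries(fields)) {
    if (value === undefined || value === null) continue;
    if (typeof value !== "string") errors.push(`${name}: must be a string`);
    else if (value.length > MAX_FIELD_LENGTH) {
      errors.push(`${name}: exceeds ${MAX_FIELD_LENGTH} characters`);
    }
  }
  if (typeof fields.email === "string" && fields.email.trim() !== "" && !EMAIL_RE.test(fields.email)) {
    errors.push("email: invalid format");
  }
  return errors;
}

// User content reaches the admin email only through escapeHtml.
function renderNotificationEmail(fields) {
  const rows = Object.entries(fields).map(
    ([name, value]) => `<tr><th>${escapeHtml(name)}</th><td>${escapeHtml(value)}</td></tr>`
  );
  return `<table>${rows.join("")}</table>`;
}

function handleSubmission({ origin, fields }) {
  if (!isAllowedOrigin(origin)) return { status: 403, accepted: false, reason: "origin" };
  if (fields === null || typeof fields !== "object" || Array.isArray(fields)) {
    return { status: 400, accepted: false, reason: "body" };
  }
  // Honeypot: people never see the hidden field. Answer as if the post
  // succeeded, but store and send nothing.
  if (fields[HONEYPOT_FIELD]) return { status: 200, accepted: false, reason: "honeypot" };
  const { [HONEYPOT_FIELD]: _ignored, ...clean } = fields;
  const errors = validateSubmission(clean);
  if (errors.length > 0) return { status: 400, accepted: false, reason: "validation", errors };
  return { status: 200, accepted: true, emailHtml: renderNotificationEmail(clean) };
}

// Constructed sample submission (not real data).
const SAMPLE = {
  origin: "https://www.elysiantrust.org",
  fields: { name: "Ada <b>Example</b>", email: "ada@example.org", message: "Hello & thanks", website: "" },
};
console.log(handleSubmission(SAMPLE));
```

The origin check runs before the body is inspected, and the honeypot branch returns the same status as a real success so a naive bot gets no signal that it was filtered.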
3.5 SEO as Structured Storytelling
We embedded approximately 100 JSON-LD structured data instances across our site, including Organization schemas for Elysian Trust itself, Service schemas for each of our six core service lines (Grant Writing, Contract Procurement, Strategic Advisory, Leadership Training, Digital Infrastructure, Fractional Executive Consulting), BreadcrumbList schemas on every internal page, Article schemas on long-form content, Audience and ListItem schemas within our service catalogs, and Thing schemas on reference entities.
This structured data enables large-language-model systems (including those powering ChatGPT, Claude, Gemini, and Perplexity) to answer questions about Elysian Trust with accuracy, and it enables Google to render rich results (site breadcrumbs in SERP listings, expanded service descriptions, organizational knowledge-graph entries). It also enables future AI-mediated buyer-search flows (the ones that will increasingly define how B2B discovery happens over the next five years) to surface our firm reliably.
Every page on our site carries a canonical URL, a deliberately trimmed meta description (≤160 characters for SERP compatibility), full OpenGraph and Twitter Card tags, a 1200×630 social-share image, a sitemap.xml entry (or noindex directive where appropriate), and Google Analytics 4 event tracking on key conversion points.
3.6 Speed is a Valuable UX Asset
Our site's initial and subsequent page loads are a fraction of the industry standard. With no framework bundle to ship, no runtime CSS-in-JS computation, no virtual-DOM reconciliation, and static HTML served from Cloudflare's edge network (present in over 300 cities globally), our Time-To-First-Byte is typically under 200 milliseconds anywhere in North America or Western Europe. Our Lighthouse Core Web Vitals scores consistently land in the 90–100 range for performance, accessibility, best practices, and SEO.
Speed is not a vanity metric. Slow sites bounce prospects before the first meaningful read. For a firm like ours, whose prospects may be evaluating multiple vendors in a single sitting, sub-second paint is the difference between being considered and being disregarded.
3.7 Original Content is Paramount
Approximately 100,000 words of original copy populate our site: roughly the length of a short nonfiction book, written specifically for Elysian Trust's context. Every pricing explanation, every frequently-asked-question answer, every case-study narrative, every service-page argument has been written or curated for our site, by the people who actually deliver the work.
Our three readiness-assessment forms contain 164 total fields, each with custom help text, placeholder guidance, and validation logic. These are not contact forms; they are diagnostic instruments. A nonprofit executive who completes our Grant Readiness Assessment (GRA) receives a structured portrait of where they stand on seventeen dimensions of institutional readiness, before they have spent a dollar with us.
4. The Elysian Trust Build in Numbers
The following inventory is drawn directly from the site's own build-spec page, a living factual record that any prospect can verify in the public source code.
| Category | Metric |
| --- | --- |
| HTML pages | 21 (6 service pages, 3 case studies, 3 readiness assessments, plus homepage, about, services hub, methodology, portfolio, contact, funding record, privacy policy, and build-specification page) |
| Handwritten code | ~19,000 lines total across HTML, CSS, and JavaScript |
| Original copy | ~100,000 words |
| Serverless backend functions | 4 (three Cloudflare Pages Functions for the readiness assessments + one Cloudflare Worker for the contact form) |
| Third-party frameworks | 0 |
| WCAG conformance level | 2.1 Level AA |
| Vision-accessibility modes | 3 (standard, deuteranopia-safe, monochrome) |
| Structured data instances | ~100 JSON-LD entries across Organization, Service, BreadcrumbList, Article, Audience, Thing, and ListItem schemas |
| Security headers enforced | 6 (Content-Security-Policy, HTTP Strict Transport Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) |
| Assessment form fields | 164 (across GRA, CRA, and FRA) |
| Service-color palettes | 6 (each with dedicated dark-mode variants) |
The site ships with zero ongoing subscription costs beyond Cloudflare Pages hosting (free at this scale). There are no Wix, Squarespace, Webflow, HubSpot Forms, Typeform, Mailchimp, or Calendly dependencies. Total annual operating cost, inclusive of domain renewal and optional paid tooling, is under $100.
5. Six Audiences, Six Viewpoints, Six Questions
A well-constructed website doesn't just speak to users; it speaks to specific people with specific questions. Here is what each of our core audiences should encounter when they arrive at elysiantrust.org.
5.1 The Executive Director of a Small Nonprofit
The Question: "Can these people help me win my next $250K grant?"
The View: A homepage whose hero reads "Strategic advisory, grant writing, contract procurement, digital infrastructure, and fractional executive consulting for mission-driven organizations." A clear service catalog. A funding record that proves Elysian Trust brings results. Three readiness assessments they can take anonymously, without a sales call, to see whether their organization is a candidate. Full business transparency at multiple levels. No popups, no live-chat widgets, no "subscribe to our newsletter" interruption. Just one simple thing, assurance through clarity.
The Answer: A realistic sense of whether Elysian is a fit, and if so, a concrete next step (the corresponding readiness assessment, or an imminent conversation via a strategy call).
5.2 The Program Officer at a Major Foundation
The Question: "If I recommend this firm to a grantee, will they represent the sector well?"
The View: Case studies demonstrating our depth in a myriad of contexts. A public funding record naming multiple federal agencies (NSF, NIH, HHS, HUD) and foundation categories. A methodology page articulating Elysian's approach to diagnostic-first consulting. A technical build that, if investigated, demonstrates the firm does not cut corners.
The Answer: This firm will not embarrass them in front of a grantee.
5.3 The Procurement Officer at a Federal or State Agency
The Question: "Does this vendor understand compliance expectations, could they meet our compliance posture if contracted, and can they execute?"
The View: Section 508 compatibility via full WCAG 2.1 AA conformance. HSTS, HTTPS enforcement, explicit security headers. Clear scope of services for federal, state, and local contracting. A Contract Procurement service page that speaks the language of solicitations, SAM registration, NAICS codes, and past-performance evaluation. A Contract Readiness Assessment the procurement officer can recommend to an incumbent or prospective awardee.
The Answer: Confidence that Elysian is a vendor who will not create compliance risk.
5.4 An Accessibility Advocate or Representative of a Marginalized/Under-Represented Group
The Question: "Is this a firm that deeply understands accessibility?"
The View: A vision-mode toggle in Elysian Trust's global navigation (not hidden in a footer) that offers standard, color-safe, and monochrome display modes. Correct semantic structure. Keyboard parity throughout. ARIA attributes applied where standard, absent where inappropriate. A build-specification page that documents the accessibility stack transparently.
The Answer: Evidence that accessibility was at the forefront of the design process. It was engineered in, not bolted on. Our team's lived experience with neurodivergence informs how we think about inclusive design, no matter the client.
5.5 The Technical Evaluator (CTO, IT Director, or Digital Program Lead)
The Question: "If I hire this firm for a digital-infrastructure engagement, what will they actually provide?"
The View: A Digital Infrastructure service page that clearly details Elysian Trust's specific deliverables (custom design + full codebase, CI/CD pipeline, contact backend, SEO architecture, tech stack audit, workflow automation). A publicly linked build-specification page documenting the meticulous attention that we apply to our work. Evidence of our inclusion-first and security-first architecture (CSP, HSTS, rate limiting, honeypot, input validation).
The Answer: Professional confidence that Elysian operates at an industry-defining level in every moment of their problem identification, solution planning, and resolution implementation.
5.6 The Prospective Advisory Client (CEO, Founder, or Board Chair)
The Question: "Can these people help me navigate a strategic inflection point?"
The View: A Strategic Advisory service page with four transparent tier levels ($1K to $10K per month), each mapped to operational budget scale. A contact flow allowing the prospect to choose between, and directly schedule with, our principal partners: Polite D. Stewart, Jr. (Strategy & Institutional Development) and Nathaniel "Nth" Bar-Fields (Procurement & Policy) based on their individual focus areas.
The Answer: The rare experience of being offered transparent service options, low-friction booking/consultation, and an easily verifiable track record of excellence.
6. The Economics: What a Site Like This Actually Costs
This section summarizes the market-rate replacement value of the site, detailed in full in our internal value assessment.
6.1 The Agency-Level Commission Cost
Commissioning a site at this specification from a competent digital agency would bill between $95,000 and $150,000 at mid-market rates (regional U.S. agencies with senior staff at $125–$200 per hour blended), rising to $200,000–$400,000+ at top-tier premium agencies (NYC, SF, or LA firms with named partners). The replacement estimate breaks down across ten deliverable categories:
| Category | Mid-market range |
| --- | --- |
| Design + brand system (21 pages, 6 palettes, dark mode) | $22,500 – $37,500 |
| Frontend development (all pages, responsive, interactions) | $30,000 – $52,500 |
| Three multi-step assessment forms (frontend + backend + Sheets integration) | $31,500 – $52,500 |
| Contact form (Worker + KV + email API + honeypot + validation) | $5,250 – $8,750 |
| Accessibility engineering (WCAG AA + vision modes + focus management) | $10,500 – $21,000 |
| Security hardening (CSP + HSTS + rate limiting + inline-script refactor) | $8,750 – $17,500 |
| SEO architecture (100+ JSON-LD instances + OpenGraph + sitemap + meta) | $6,000 – $12,000 |
| JavaScript UX polish (animations, tooltips, modals, theme, vision, collapsibles) | $7,500 – $15,000 |
| Content production (~100,000 words + 164 form fields with guidance) | $18,000 – $30,000 |
| Project management + QA + iteration (15% overhead) | $21,000 – $37,000 |
| Total mid-market range | $161,000 – $283,750 |
The public positioning on the Digital Infrastructure page ("$100K+") is deliberately conservative. The calibrated market value is higher. What Elysian Trust actually charges for a comparable engagement is, in practice, dramatically lower than the agency comparison, a delta made possible by the operational model that is detailed in Section 7.
6.2 Five-Year Total Cost of Ownership
Over a five-year horizon, a framework-heavy, CMS-based equivalent site would typically accumulate the following recurring costs:
| Item | Annual | Five-year |
| --- | --- | --- |
| Wix / Squarespace / Webflow platform | $360 – $1,200 | $1,800 – $6,000 |
| Contact-form service (Typeform, Jotform) | $240 – $600 | $1,200 – $3,000 |
| Email/CRM integration (HubSpot, Mailchimp) | $1,200 – $6,000 | $6,000 – $30,000 |
| Security plugins (if WordPress) | $200 – $800 | $1,000 – $4,000 |
| Accessibility remediation retainer | $2,000 – $10,000 | $10,000 – $50,000 |
| SEO plugin and optimization services | $1,000 – $5,000 | $5,000 – $25,000 |
| Domain, hosting, SSL | $100 – $500 | $500 – $2,500 |
| Five-year subscription drag | n/a | $25,500 – $120,500 |
The Elysian Trust site ships at zero subscription cost beyond hosting. The five-year saving, in addition to the upfront build cost differential, is substantial.
7. Our Operational Model: Why Elysian Trust's Delivery Is Faster Than The Agency Standard
A standard agency engagement at this specification runs four to six months, distributed across a designer, a frontend engineer, a backend engineer, a content strategist, a copywriter, an accessibility consultant, a security reviewer, an SEO specialist, and a project manager. Coordination overhead (status meetings, design reviews, stakeholder check-ins, scope adjustments) consumes between 30% and 50% of billable hours.
We built our entire site in approximately two weeks, with the entire core layout, hosting, and service portions live in the first 96 hours. And yes, we do mean the first consecutive 96 hours. And if necessary, we have the tracked hours to prove it as well. This was, and is, possible because our engagement model eliminates most of the unnecessarily convoluted coordination process that is generally inherent to standard agencies.
One of our principals (Polite D. Stewart, Jr.) devised, designed, and developed the entire website, utilizing an AI coding partner (Claude) under his direct instruction and supervision to execute across all layers in parallel: design decisions, content writing, HTML authoring, JavaScript implementation, security refactoring, accessibility compliance, and SEO architecture.
The structural advantages compound:
- No status meetings. Every hour billed is an hour of execution.
- No handoff gaps. The same principal who writes the strategy writes the code that implements it. Intent is preserved end-to-end.
- No scope-creep arbitration. Decisions are made in real time; the work proceeds.
- No plugin dependency chains. Each capability is authored directly, so iteration is immediate.
- No framework upgrade debt. There are no framework releases to chase.
The tradeoff is a narrower surface of engagements we choose to take on because each build is a bespoke entity. The benefit is that the engagements we do take on are delivered with an integrity of thought and implementation that very few agencies and independent developers can easily match.
This operational model is also what enables us to offer site-level builds to clients at price points that do not require agency-equivalent market rate. Our delivery cost will always be fundamentally different from comparison costs.
8. Important Considerations for Mission-Driven Organizations
Organizations considering their own digital-infrastructure investment should weigh three important concepts.
8.1 Website Quality Disproportionately Matters for Mission-Driven Organizations
For a commercial-SaaS startup, its website can sometimes simply be a conversion funnel. Its job is to move visitors to a free trial or a service subscription. Quality matters, but the startup's product will carry the conversation once the trial begins.
For a nonprofit consulting firm, a foundation, or a mission-driven service organization, the website carries substantially more weight. The "product" is often a professional relationship along with services that are not easily quantified, and such relationships are built on perceived trustworthiness. Your website is the most publicly available evidence of how your organization thinks. It is evaluated differently, and it is harder to rescue with a good sales call if the first impression has already primed a prospect toward skepticism.
8.2 Trust Capital and Digital Capital Are Correlated
Organizations that invest in operational excellence internally (strong financial controls, thoughtful governance, structured reporting) almost always benefit from externalizing some of that excellence into their public surface. Their websites tend to be the first reasonable places to externalize. A nonprofit whose bylaws are current, whose audit is clean, and whose strategic plan is coherent is the kind of organization whose website should not look accidentally or hastily assembled.
Funders, procurement officers, and board candidates are increasingly sophisticated evaluators. Alignment between internal operating quality and external digital presentation is not a vanity display. It is a signal of trustworthiness, value, and dedication to your mission.
8.3 Digital Infrastructure as Institutional Signal
A website at the quality level documented in this paper is, in the strongest sense, a declaration of institutional seriousness. An organization whose website carries WCAG AA conformance, strict CSP, structured data, original content, and zero-subscription architecture is declaring:
We chose to invest in ourselves and our mission, rather than convenience that doesn't represent our full capability. You can draw pivotal conclusions about how we will handle future operational decisions based on the evidence provided.
For small and mid-sized nonprofits, such a signal is particularly valuable. It allows their organizations to compete, on first-impression terms, with larger peers that outspend them. It reduces the information asymmetry between their organizations and the funders, contractors, partners, and staff they are trying to attract.
9. Conclusion and Invitation
In this paper we have detailed and demonstrated that a website, especially for mission-driven organizations and firms, is a trust instrument. We have used our own website as a case study to illustrate that point. We have documented our build transparently, priced it against agency norms, mapped its impact on several audience types, and outlined the operational model that enables our delivery at velocity.
Three sentences summarize our thesis:
- Quality of construction, when made visible, compounds into institutional credibility.
- Most consulting websites are missing this signal because the firms running them treat their websites as an accessory rather than an artifact.
- The cost of us (Elysian Trust) changing this for you is dramatically lower than the agency market would suggest.
We offer Digital Infrastructure engagements to mission-driven organizations interested in our builds. Readers of this white paper who would like to discuss an engagement, have their current site assessed by our principals, or simply compare notes on the state of nonprofit digital infrastructure are invited to:
- Review our publicly available build specification at /build-spec.
- Complete our Funding Readiness Assessment if a strategic-advisory conversation is the right starting point.
- Book a no-obligation strategy call with Polite D. Stewart, Jr. directly.
Appendix A: Technical Inventory
Full technical inventory is maintained at /build-spec and revised as the site evolves. Current scope summary:
Frontend
- 21 HTML pages, custom-authored
- Tailwind CSS (compiled to static output.css; no runtime dependency)
- Custom CSS utility classes (~229 lines in styles.css)
- Material Symbols Outlined variable font (icons)
- Inter variable font (typography)
JavaScript (all external files, CSP-compliant)
- theme-vision-init.js: head-blocking theme and vision mode initialization
- analytics-init.js: Google Analytics 4 dataLayer setup
- ui-shared.js: theme toggle, mobile menu, booking modal, focus trap, vision eye toggle, delegated data-action router
- smooth-nav.js: SPA-like page transitions
- smooth-details.js: smooth progressive disclosure for <details> elements
- tier-cards.js: animated Strategic Advisory tier cards
- Page-specific modules for contact form, assessments, funding record, principal switcher, typewriter animation
Backend (Cloudflare Pages Functions + Worker)
- functions/api/grant-assessment.js: GRA intake endpoint
- functions/api/contract-assessment.js: CRA intake endpoint
- functions/api/funding-assessment.js: FRA intake endpoint
- External Cloudflare Worker: contact form intake, KV storage, Resend email
- functions/lib/google-sheets.js: shared service-account JWT authentication and row-append logic
Infrastructure
- Cloudflare Pages hosting (edge-deployed globally)
- _headers configuration file with CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
- _redirects configuration file with 301 redirects for filename renames and legacy URLs
- sitemap.xml and robots.txt at appropriate scope
Accessibility
- WCAG 2.1 Level AA conformance
- Three vision modes (standard, deuteranopia, monochrome)
- Full keyboard parity
- Focus trap + return-focus on modals
- prefers-reduced-motion support
- 22 autocomplete tokens on identity-purpose form fields (WCAG 1.3.5)
- Comprehensive ARIA attribute coverage
Security
- Strict CSP with no 'unsafe-inline' on script-src
- HSTS at 6 months with includeSubDomains
- Cloudflare WAF rate limiting on API endpoints
- Honeypot on all 4 forms (client + server)
- Server-side input validation and length caps
- HTML-escaping of user content in email bodies
- X-Frame-Options: DENY, frame-ancestors 'none', scoped form-action, object-src 'none'
SEO
- ~100 JSON-LD structured data instances
- Canonical URLs on every page
- OpenGraph + Twitter Card meta tags with 1200×630 social image
- sitemap.xml + robots.txt
- Google Analytics 4 event tracking
- Meta descriptions ≤160 characters for SERP compatibility
Appendix B: Glossary of Terms
ARIA: Accessible Rich Internet Applications. A set of HTML attributes that communicate additional semantic information to assistive technologies (screen readers, etc.).
CORS: Cross-Origin Resource Sharing. Browser-level policy controlling which domains can make requests to a given server.
CSP: Content-Security-Policy. HTTP response header that restricts which scripts, styles, images, and other resources a page is allowed to load and execute.
HSTS: HTTP Strict Transport Security. Browser-level directive forcing HTTPS connections for a specified duration.
JSON-LD: JavaScript Object Notation for Linked Data. Structured-data format used for embedding machine-readable metadata into web pages; the preferred format for Google's structured-data ecosystem.
KV: Key-Value. A storage primitive. Cloudflare KV is a globally-distributed key-value store used in this site for contact form submission persistence.
Pages Function: Serverless JavaScript function deployed as part of a Cloudflare Pages project; runs at the edge in response to HTTP requests.
SERP: Search Engine Results Page. The page displayed by a search engine (e.g., Google) after a query.
Service account: A non-human identity used for authenticating server-to-server API calls (in this case, from the site's backend to Google Sheets).
WCAG 2.1 AA: Web Content Accessibility Guidelines version 2.1, Level AA. The most widely-adopted accessibility conformance standard. Level AA is the baseline for U.S. federal (Section 508), EU (Directive 2016/2102), and most foundation technology requirements.
Worker: Cloudflare Workers is a serverless execution platform. A Worker is a JavaScript function deployed to the Cloudflare edge, independent of any associated Pages project.
© 2026 Elysian Trust. This document is published openly for reference and discussion. Reproduction is permitted with attribution. Revisions to this document are tracked in the Elysian Trust site repository.