Add privacy, terms, and contact pages with SMTP-backed form

New public routes /privacy, /terms, /contact rendered with the existing
landing.css shell so they share a coherent header/footer with /login.
Footer of the landing page now links to all three plus Sign in.

The contact page is a form rather than a mailto: link so the email
address isn't exposed to scrapers. Submissions are validated (5-5000
chars, optional reply-email), guarded by an offscreen honeypot and a
per-IP 3/hour rate limit, then sent to Gmail via stdlib net/smtp using
an app password. Reply-To is set to the visitor's email so replies
reach them. If SMTP_USER/SMTP_PASS are blank (local dev) the handler
logs the submission instead of sending so the form is testable without
credentials.

Also tightens 8 slog calls to match the codebase's "msg = short noun
phrase, state implied by level, structured data in kv pairs" style.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: James McHugh

.env.example

@@ -14,3 +14,11 @@ SESSION_KEY=replace_with_64_random_hex_chars
 # Optional: shortcut to bypass Google OAuth in local dev. If set,
 # /auth/login auto-creates this user and signs them in. NEVER set in prod.
 DEV_USER_EMAIL=
+
+# Gmail SMTP for the /contact form. Generate an app password at
+# https://myaccount.google.com/apppasswords (2-Step Verification must be on).
+# Leave SMTP_USER/SMTP_PASS blank in local dev to log submissions to stdout
+# instead of sending. CONTACT_TO_EMAIL is optional - defaults to SMTP_USER.
+SMTP_USER=
+SMTP_PASS=
+CONTACT_TO_EMAIL=

auth.go

@@ -117,6 +117,22 @@ func handleLoginPage(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+func renderMarketingPage(w http.ResponseWriter, name string) {
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	if err := templates.ExecuteTemplate(w, name, nil); err != nil {
+		slog.Error("marketing template", "name", name, "error", err)
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+	}
+}
+
+func handlePrivacyPage(w http.ResponseWriter, r *http.Request) {
+	renderMarketingPage(w, "privacy.html")
+}
+
+func handleTermsPage(w http.ResponseWriter, r *http.Request) {
+	renderMarketingPage(w, "terms.html")
+}
+
 func handleAuthLogin(w http.ResponseWriter, r *http.Request) {
 	// Local-dev shortcut: skip Google entirely, log in as DEV_USER_EMAIL.
 	if oauthCfg.devEmail != "" {
@@ -215,7 +231,7 @@ func handleAuthCallback(w http.ResponseWriter, r *http.Request) {
 
 	user, err := upsertUser(r.Context(), claims.Sub, claims.Email, claims.Name)
 	if err != nil {
-		slog.Error("upsertUser", "error", err)
+		slog.Error("upsert user", "error", err)
 		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
 		return
 	}

contact.go

@@ -0,0 +1,160 @@
+package main
+
+import (
+	"fmt"
+	"log/slog"
+	"net"
+	"net/http"
+	"net/smtp"
+	"os"
+	"strings"
+	"time"
+)
+
+// 3 submissions per hour per IP. Sits on top of the global 120/min limiter.
+var contactLimiter = newRateLimiter(3, time.Hour)
+
+type contactPageData struct {
+	Sent  bool
+	Error string
+}
+
+func handleContactPage(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	data := contactPageData{
+		Sent:  r.URL.Query().Get("sent") == "1",
+		Error: r.URL.Query().Get("error"),
+	}
+	if err := templates.ExecuteTemplate(w, "contact.html", data); err != nil {
+		slog.Error("contact template", "error", err)
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+	}
+}
+
+func handleContactSubmit(w http.ResponseWriter, r *http.Request) {
+	ip, _, err := net.SplitHostPort(r.RemoteAddr)
+	if err != nil {
+		ip = r.RemoteAddr
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Redirect(w, r, "/contact?error=invalid", http.StatusSeeOther)
+		return
+	}
+
+	// Honeypot: real users leave this blank; bots fill it in.
+	if r.PostForm.Get("website") != "" {
+		slog.Info("contact honeypot", "ip", ip)
+		// Pretend success so bots don't learn the trick.
+		http.Redirect(w, r, "/contact?sent=1", http.StatusSeeOther)
+		return
+	}
+
+	if !contactLimiter.allow(ip) {
+		slog.Warn("contact rate limit exceeded", "ip", ip)
+		http.Redirect(w, r, "/contact?error=rate", http.StatusSeeOther)
+		return
+	}
+
+	message := strings.TrimSpace(r.PostForm.Get("message"))
+	replyEmail := strings.TrimSpace(r.PostForm.Get("reply_email"))
+
+	if len(message) < 5 || len(message) > 5000 {
+		http.Redirect(w, r, "/contact?error=invalid", http.StatusSeeOther)
+		return
+	}
+	if replyEmail != "" && !looksLikeEmail(replyEmail) {
+		http.Redirect(w, r, "/contact?error=invalid", http.StatusSeeOther)
+		return
+	}
+
+	if err := sendContactEmail(replyEmail, message, ip); err != nil {
+		slog.Error("contact send", "error", err, "ip", ip)
+		http.Redirect(w, r, "/contact?error=smtp", http.StatusSeeOther)
+		return
+	}
+
+	http.Redirect(w, r, "/contact?sent=1", http.StatusSeeOther)
+}
+
+func looksLikeEmail(s string) bool {
+	at := strings.IndexByte(s, '@')
+	if at < 1 || at == len(s)-1 {
+		return false
+	}
+	if !strings.Contains(s[at+1:], ".") {
+		return false
+	}
+	if strings.ContainsAny(s, " \t\r\n<>") {
+		return false
+	}
+	return true
+}
+
+func sendContactEmail(replyEmail, message, ip string) error {
+	smtpUser := os.Getenv("SMTP_USER")
+	smtpPass := os.Getenv("SMTP_PASS")
+	to := os.Getenv("CONTACT_TO_EMAIL")
+	if to == "" {
+		to = smtpUser
+	}
+
+	// Local-dev shortcut: if SMTP isn't configured, log the message so the
+	// form is testable end-to-end without credentials.
+	if smtpUser == "" || smtpPass == "" {
+		slog.Info("contact form skipped",
+			"reason", "smtp not configured",
+			"reply_email", replyEmail, "ip", ip, "message", message)
+		return nil
+	}
+
+	subject := "Train contact"
+	if preview := firstLine(message); preview != "" {
+		subject = "Train contact: " + truncate(preview, 60)
+	}
+
+	replyTo := smtpUser
+	if replyEmail != "" {
+		replyTo = replyEmail
+	}
+
+	body := fmt.Sprintf(
+		"Reply email: %s\nIP: %s\nSubmitted: %s\n\n%s\n",
+		valueOrDash(replyEmail), ip, time.Now().UTC().Format(time.RFC3339), message,
+	)
+
+	msg := []byte(strings.Join([]string{
+		"From: Train <" + smtpUser + ">",
+		"To: " + to,
+		"Reply-To: " + replyTo,
+		"Subject: " + subject,
+		"MIME-Version: 1.0",
+		"Content-Type: text/plain; charset=UTF-8",
+		"",
+		body,
+	}, "\r\n"))
+
+	auth := smtp.PlainAuth("", smtpUser, smtpPass, "smtp.gmail.com")
+	return smtp.SendMail("smtp.gmail.com:587", auth, smtpUser, []string{to}, msg)
+}
+
+func firstLine(s string) string {
+	if i := strings.IndexAny(s, "\r\n"); i >= 0 {
+		return strings.TrimSpace(s[:i])
+	}
+	return strings.TrimSpace(s)
+}
+
+func truncate(s string, n int) string {
+	if len(s) <= n {
+		return s
+	}
+	return s[:n] + "..."
+}
+
+func valueOrDash(s string) string {
+	if s == "" {
+		return "(not provided)"
+	}
+	return s
+}

static/landing.css

@@ -918,6 +918,137 @@ a { color: inherit; text-decoration: none; }
 }
 .lp-foot a { color: var(--lp-ink-soft); }
 .lp-foot a:hover { color: var(--lp-ink); }
+.lp-foot__links {
+  display: flex;
+  flex-wrap: wrap;
+  gap: 1.25rem;
+}
+
+/* ========== prose pages (privacy / terms / contact) ========== */
+.lp-prose {
+  max-width: 44rem;
+  padding-top: 3rem;
+  padding-bottom: 4.5rem;
+  color: var(--lp-ink);
+}
+.lp-prose h1 {
+  font-size: 2rem;
+  letter-spacing: -0.02em;
+  margin: 0 0 0.4rem;
+}
+@media (min-width: 720px) {
+  .lp-prose h1 { font-size: 2.4rem; }
+}
+.lp-prose h2 {
+  font-size: 1.1rem;
+  letter-spacing: 0;
+  margin: 2rem 0 0.4rem;
+  color: var(--lp-ink);
+}
+.lp-prose p,
+.lp-prose li {
+  color: var(--lp-ink-soft);
+  line-height: 1.65;
+  font-size: 1rem;
+}
+.lp-prose ul {
+  padding-left: 1.25rem;
+  margin: 0.4rem 0 0.6rem;
+}
+.lp-prose li { margin: 0.2rem 0; }
+.lp-prose b { color: var(--lp-ink); font-weight: 600; }
+.lp-prose a {
+  color: var(--lp-ink);
+  border-bottom: 1px solid var(--lp-line);
+}
+.lp-prose a:hover { border-bottom-color: var(--lp-ink-soft); }
+.lp-prose .updated {
+  color: var(--lp-ink-mute);
+  font-size: 0.85rem;
+  margin: 0 0 1.5rem;
+}
+.lp-contact__email {
+  font-size: 1.25rem;
+  margin: 1.25rem 0 1.5rem;
+}
+
+/* ========== alert banners (form flash messages) ========== */
+.lp-alert {
+  margin: 1.5rem 0;
+  padding: 0.85rem 1rem;
+  border: 1px solid var(--lp-line);
+  border-left-width: 4px;
+  border-radius: 4px;
+  font-size: 0.95rem;
+  background: var(--lp-card);
+}
+.lp-alert--ok  { border-left-color: var(--lp-green); }
+.lp-alert--err { border-left-color: var(--lp-red); }
+
+/* ========== contact form ========== */
+.lp-form {
+  display: flex;
+  flex-direction: column;
+  gap: 1rem;
+  margin-top: 1.5rem;
+}
+.lp-form__field {
+  display: flex;
+  flex-direction: column;
+  gap: 0.35rem;
+}
+.lp-form__label {
+  font-size: 0.85rem;
+  color: var(--lp-ink-soft);
+  letter-spacing: 0.02em;
+}
+.lp-form__label em {
+  font-style: normal;
+  color: var(--lp-ink-mute);
+  font-weight: normal;
+}
+.lp-form input[type="email"],
+.lp-form input[type="text"],
+.lp-form textarea {
+  font: inherit;
+  font-size: 1rem;
+  color: var(--lp-ink);
+  background: var(--lp-card);
+  border: 1px solid var(--lp-line);
+  border-radius: 4px;
+  padding: 0.7rem 0.85rem;
+  width: 100%;
+  outline: none;
+  transition: border-color 120ms;
+  -webkit-appearance: none;
+  appearance: none;
+}
+.lp-form textarea {
+  resize: vertical;
+  min-height: 8rem;
+  line-height: 1.5;
+  font-family: inherit;
+}
+.lp-form input:focus,
+.lp-form textarea:focus {
+  border-color: var(--lp-blue-2);
+}
+.lp-form input::placeholder,
+.lp-form textarea::placeholder {
+  color: var(--lp-ink-mute);
+}
+.lp-form__submit {
+  align-self: flex-start;
+  margin-top: 0.4rem;
+}
+/* honeypot - kept in DOM but invisible to humans */
+.lp-form__hp {
+  position: absolute;
+  left: -10000px;
+  width: 1px;
+  height: 1px;
+  overflow: hidden;
+}
 
 /* ========== motion preference ========== */
 @media (prefers-reduced-motion: reduce) {