Priority Todo List

Default is ptw2026 — anyone who reads this repo knows it. Go to emn178.github.io/online-tools/sha256.html, hash your new PIN, and paste the result into pathtowork-dashboard.html where DASH_HASH is defined. One line.

All security fixes (PIN gate, hashed partner codes, rate limiting, XSS sanitization), the 404 page, sitemap, and cookie banner are only live once you drag the new ZIP into Netlify.

Open robots.txt and add: Sitemap: https://pathtowork.org/sitemap.xml. Without this, Google won't find the sitemap automatically.

Open the dashboard → Quick Links → click "Export Backup (JSON)". All your pilot, partner, waitlist, and call data lives only in your browser. One cache wipe = everything gone. Do this before deploying anything.

Right now after someone joins the waitlist, EmailJS + Firebase sends them to a generic page. In your EmailJS + Firebase settings, add a redirect URL pointing to a thank-you page (create one, or use landing.html#home for now).

You don't need the site fully open to start conversations. Reach out to someone you already have a relationship with — a pastor, a nonprofit director, a workforce coordinator. Offer a free pilot: no contract, no cost, just real feedback. This is the most important thing you can do right now.

Once a partner says yes, send them the Pilot Agreement PDF (in the dashboard under Legal). Even a free pilot should be in writing — it sets expectations, protects you, and makes the relationship feel official. Log them in the dashboard under Pilot Users.

Right now any partner or org you email sees whatever personal email you use. A pathtoworkadmin@gmail.com address costs ~$6/mo through Google Workspace and makes every outreach look legitimate. Do this before your first formal partner conversation.

Current codes PTW-REP-00001/2/3 are placeholders. For each real rep: hash their unique code at emn178.github.io/online-tools/sha256.html → add the hash to PARTNER_CODES in pathtowork-partner.html → redeploy.

A public-facing page where orgs can apply to become community partners — org name, type, contact, why they want to partner. Right now they can only email you. A form lets you screen at volume.

Partners and reps currently have to tell people their code verbally. Add URL param detection to the landing/app page so sharing a link auto-fills their code. Dramatically increases actual referral tracking.

After someone joins the waitlist, show them: "You're #247 on the list — here's what happens next." Include a share button. Increases word-of-mouth at the exact moment they're most excited.

A digest to send all active partners: referral counts, milestones, what's coming next, any changes to the program. Keeps partners engaged and referring between check-ins. Add to the email sequence in the portal.

Go to search.google.com/search-console → add pathtowork.org → submit sitemap.xml. Without this, Google indexes the site slowly and you miss organic traffic from people searching "career resources for veterans" etc.

Lets the assessment app be installed to a phone's home screen like a native app. Particularly important for your target population — rural areas, people without reliable data who need offline access.

launch-guide.html and sales-kit.html load Tailwind from a CDN without a Subresource Integrity hash. If the CDN is compromised, arbitrary JS could run. Add integrity="sha384-..." to lock the version.

The current Privacy Policy doesn't specify how long you keep waitlist emails, pilot data, or when you delete it. This is required for GDPR compliance and expected by enterprise org buyers who will review it.

Check color contrast on amber-on-dark text, add alt="" to decorative icons, verify keyboard tab order on forms. Your target population includes persons with disabilities — this matters more than it does for most startups.

Grab pathtocredit.org, pathtohome.org, pathtocare.org — the top 3 verticals at minimum. ~$12/year each. If you wait until you're ready to build them, they may be gone or cost $1,000+.

A single printable PDF to leave behind after in-person meetings with workforce boards and orgs: problem, solution, pricing tiers, contact. The pitch deck is too long for a leave-behind.

Track which pages convert, where users drop off, what drives waitlist signups. Do not use Google Analytics — it conflicts with your privacy positioning and requires a cookie banner consent flow. Plausible is $9/mo.

EmailJS + Firebase's paid tier adds double opt-in so only verified emails enter your list. Keeps your list clean before you start the email sequence. Worth it once you have 500+ signups.

"All systems operational" with a toggle for outages — same maintenance toggle pattern as the landing page. Useful once you have paying org clients who need to know if the platform is down.

Lets the app work without an internet connection. Meaningful for rural and shelter populations but requires a service worker + cache strategy. More involved than most items here — defer until after MVP validation.

Tracks what changed and when. Useful once you have partners and org clients who need to know about platform updates. Low urgency until you have contractual users.