Stack

What this site is actually built on.

Verified from the repo, not from memory. Every layer below is in production today across wojciech.io and its subdomains. If a tool is on this page, it pays rent.

Architecture

npm-workspaces monorepo. Astro 6 on Cloudflare Pages. Seven surfaces, seven Pages projects: wojciech.io, app, growthhub, academy, notch, subscribe, dev. Shared packages: @wojciech/tokens, @wojciech/ui, @wojciech/mdx-components.

Astro 6 + MDX
Cloudflare Pages (7 projects)
npm workspaces (apps/* + packages/*)
@wojciech/tokens · @wojciech/ui · @wojciech/mdx-components

Frontend

Tailwind CSS 4 driven by CSS custom-prop tokens. Geist for type. Lenis + Motion for motion. Pagefind for static search. Satori + resvg-js for OG.

Tailwind CSS 4 (@tailwindcss/vite)
CSS custom-property tokens
Geist Sans · Geist Mono
Lenis · Motion
Pagefind static search
Satori + resvg-js (dynamic OG)

Backend & infra

Cloudflare Pages Functions for gated surfaces. Wrangler for Workers (growthhub cron). Terraform manages Pages projects and domains. Node 24 in CI.

Cloudflare Pages Functions
Cloudflare Workers (growthhub-cron)
Terraform (cloudflare_pages_project + _domain)
WAF rules tracked in repo
Node 24

Content & i18n

Astro content collections for insights, work, testimonials. Eight languages for CV and SEO surfaces. Seven fully translated locale homepages (de, dk, no, jp, it, es, pl) on top of EN.

Astro content collections (insights, work, testimonials)
MDX articles + custom components
8 langs: en, pl, de, dk, no, jp, it, es
Locale-prefixed routing via src/pages/[locale]

Analytics (consent-gated)

Cloudflare Web Analytics runs anonymously by default. Everything else loads only after explicit consent.

Cloudflare Web Analytics (anonymous)
GA4 (lazy after consent)
Mixpanel EU
Sentry EU
PostHog EU

Testing

Vitest for units and coverage. Playwright (Chromium + WebKit) for smoke, SEO, hreflang, axe a11y, broken-link checks, critical paths, meta and asset probes. Daily smoke against production.

Vitest (unit + coverage)
Playwright (Chromium + WebKit)
a11y/axe automation
Daily production smoke
Lighthouse CI weekly

CI/CD

CI runs on every push and PR. Deploy runs only on CI success via workflow_run, deploying site and subdomains in parallel through Wrangler. Commitlint enforced. Release Please is run manually, not on push.

GitHub Actions (ci.yml + deploy.yml)
workflow_run gate (no green CI, no deploy)
Wrangler parallel deploy across surfaces
Commitlint required
Release Please (manual)

Security

Branch protection on main with required checks. Secrets only in Cloudflare environment. Strict CSP, HSTS preload, X-Frame-Options DENY, sandboxed Permissions-Policy. Auth gates use HMAC-SHA256 signed cookies with timing-safe compares and rate limiting.

gitleaks · npm audit (high) · Semgrep · CodeQL
content-guard (pre-commit + CI + weekly cron)
sensitive-path-guard on PRs
CSP, HSTS preload, XFO DENY, Permissions-Policy
HMAC-SHA256 signed cookies, timing-safe
Per-IP rate limit on auth endpoints

Resilience

Azure Static Web Apps holds a weekly cold-standby copy. Failover is operator-triggered via workflow_dispatch (auto-detects health, then flips DNS via the Cloudflare API). Rollback is a non-destructive git revert. BetterStack drives the smoke probes.

Azure Static Web Apps (cold standby)
Manual failover (workflow_dispatch)
Non-destructive git-revert rollback
BetterStack uptime + incident webhook

Working method

Claude Code implements. Codex reviews. GPT-5.5 Thinking handles strategy and go/no-go calls. Claude Design owns visuals. Handoff is strategy, docs, code, review, accept, merge once docs and code agree.

Claude Code (implementation)
Codex (review)
GPT-5.5 Thinking (strategy)
Claude Design (visual)

Next step

Want to see a piece of this in action?

If something on the page is interesting in context of what you are building, write me and we will look at it together.

Get in touch Read insights