jekyll-theme-zer0 1.12.2 → 1.13.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fbc99ee38514486f868b91a616bcfece9ab588d4c27c18f358592c12bac98225
-  data.tar.gz: 864ff57c952cfb6c6761ab4b140545401f762bb8485d192c48a31ffee1e9ab65
+  metadata.gz: 8ad83858a690a41ecdcffeb9d1666bdb477c74f5dc0e203bc0059a56e7ed68a2
+  data.tar.gz: 88b906b270107cc25861394ff63b9772b9b1758c39315a2758bbe45f42ec00cc
 SHA512:
-  metadata.gz: ad7d6da5e0c707aa5ea232e5d3a714bbd0ed3955cc220d950dec7103715665a4e9a799f9a028e2eb57e1f161b0bf286dd39a5d145110f0a2936067405a698aae
-  data.tar.gz: b5428a640a6a5aee60e170d4c69780e3538704575a9a1ff2d23d26c9583429f0e2ad1da79185906260e75a60092f4d88b139e01fa2b7cf954fa9a77258f2879b
+  metadata.gz: a24b1b809afaff0913078bbdbf5ba74799c757d330203ef54f0bccc21e8d4fe82920430ce3d981a540bcea0ac89f8e31b1284eb92db60d0f89c3986b16891126
+  data.tar.gz: 01dd7a1a0ae1ab4f82936db64ecd509280c76714e80ae55be46c0f67dbca6c59efd5f7590960d11f46237380b6b680873f816e6bb72845d7726c24137b57e4c6

data/CHANGELOG.md

@@ -1,34 +1,54 @@
 # Changelog
 
-## [1.12.2] - 2026-06-10
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.13.1] - 2026-06-11
 
 ### Changed
 - Version bump: patch release
 
 ### Commits in this release
-- 846bd9ff chore(backlog): plan the Zer0-Mistake Quality Framework (roadmap v1.13, T-012–T-015) (#133)
-- 33a727c0 docs: expand CLAUDE.md into a comprehensive Claude Code guide (#131)
+- 583fa997 fix(infra): sanitize sensitive config keys before DOM injection (T-009) (#141)
 
+### Security
+- **Admin config page sanitization (T-009)**: the hidden `<pre id="cfg-full-yaml">` element on the admin config page now has values masked for keys matching `api_key`, `secret`, `password`, `token`, and `phc_` (PostHog) prefixes via a new `sanitize_config_yaml` Liquid filter (`_plugins/sanitize_config_filter.rb`); the corresponding Playwright regression guard (`test/visual/security.spec.js`) is promoted from `test.fixme` to a live test
 
-## [1.12.1] - 2026-06-10
+## [1.13.0] - 2026-06-11
 
 ### Changed
-- Version bump: patch release
+- Version bump: minor release
 
 ### Commits in this release
-- 0c04f703 fix: repair failing test suites, validator crashes, and roadmap/changelog drift (#132)
-
+- cee6f379 feat(ci): gate PRs on the full canonical test entrypoint (T-012) (#138)
 
-All notable changes to this project will be documented in this file.
+### Added
+- **CI gate parity (T-012)**: the `ci.yml` test job now runs every non-Playwright theme suite (core, deployment, quality, installation, installer, site_generation, obsidian) plus the canonical `./scripts/bin/test` script suites (lib unit, theme validate, integration, installer e2e) on every code PR — previously only `core,quality,installation` gated, which is how three suites rotted unnoticed before PR #132; a "Gate Coverage — What Enforces What" table in `.github/workflows/README.md` now documents the controls contract
 
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+### Fixed
+- **Release changelog path**: `version-bump.yml` now inserts release entries via the shared `update_changelog_file` library instead of an inline `head`/`tail` prepend that duplicated (and regressed) the insertion logic — the 1.12.1 release had pushed the file preamble below its entry and stranded the pending `[Unreleased]` notes; both repaired in this file
 
-## [Unreleased]
+## [1.12.2] - 2026-06-10
 
 ### Added
 - **Zer0-Mistake Quality Framework (planning)**: new roadmap milestone v1.13 and backlog tasks T-012–T-015 to close the gap between the repo's quality gates and what CI enforces — CI gate parity with the canonical `./scripts/bin/test` entrypoint (whose integration suites previously rotted unnoticed), re-armed pixel-snapshot and docs link-check gates, and a locale-independence regression guard; coverage baseline task T-005 repointed at the new milestone
 
+### Changed
+- Version bump: patch release
+
+### Commits in this release
+- 846bd9ff chore(backlog): plan the Zer0-Mistake Quality Framework (roadmap v1.13, T-012–T-015) (#133)
+- 33a727c0 docs: expand CLAUDE.md into a comprehensive Claude Code guide (#131)
+
+## [1.12.1] - 2026-06-10
+
+### Changed
+- Version bump: patch release
+- **Roadmap**: advanced to track the shipped gem — v1.9 marked completed, v1.10 (Roadmap Validation) and v1.11 (Continuous-Evolution Loop) recorded, v1.12 (Headless Endpoints) is the active milestone (closes backlog T-001, T-002)
+- **Changelog**: restored the Keep a Changelog preamble at the top of this file
+
 ### Fixed
 - **Tooling encoding**: `generate-roadmap.rb`, `sync-backlog.rb`, and `scripts/bin/validate` now read repo files as UTF-8 explicitly, fixing `invalid byte sequence in US-ASCII` crashes in environments without a UTF-8 locale (minimal containers, some CI runners) — `generate-roadmap.sh --check` and `validate --quick` both crashed in such environments
 - **Test suite**: repaired the three test suites that failed on `main`:
@@ -37,9 +57,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - `_layouts/search.html` given a front matter block so theme layout validation passes
 - **Changelog tooling**: `update_changelog_file` now folds any pending `## [Unreleased]` section into the new release entry and inserts before the first release heading (preserving the file preamble) — stale Unreleased blocks no longer accumulate mid-file; the eight historical stray blocks were folded into the releases that shipped them
 
-### Changed
-- **Roadmap**: advanced to track the shipped gem — v1.9 marked completed, v1.10 (Roadmap Validation) and v1.11 (Continuous-Evolution Loop) recorded, v1.12 (Headless Endpoints) is the active milestone (closes backlog T-001, T-002)
-- **Changelog**: restored the Keep a Changelog preamble at the top of this file
+### Commits in this release
+- 0c04f703 fix: repair failing test suites, validator crashes, and roadmap/changelog drift (#132)
 
 ## [1.12.0] - 2026-06-03
 

data/README.md

@@ -2,7 +2,7 @@
 title: zer0-mistakes
 sub-title: AI-Native Jekyll Theme
 description: AI-native Jekyll theme for GitHub Pages — Docker-first development, AI-powered installation, multi-agent integration (Copilot, Codex, Cursor, Claude), AI preview-image generation, and AIEO content optimization with Bootstrap 5.3.
-version: 1.12.2
+version: 1.13.1
 layout: landing
 tags:
   - jekyll
@@ -20,7 +20,7 @@ categories:
   - bootstrap
   - ai-tooling
 created: 2024-02-10T23:51:11.480Z
-lastmod: 2026-06-10T22:17:20.000Z
+lastmod: 2026-06-11T21:37:24.000Z
 draft: false
 permalink: /
 slug: zer0
@@ -909,7 +909,7 @@ git push origin feature/awesome-feature
 
 | Metric | Value |
 |--------|-------|
-| **Current Version** | 1.12.2 ([RubyGems](https://rubygems.org/gems/jekyll-theme-zer0), [CHANGELOG](/CHANGELOG)) |
+| **Current Version** | 1.13.1 ([RubyGems](https://rubygems.org/gems/jekyll-theme-zer0), [CHANGELOG](/CHANGELOG)) |
 | **Documented Features** | 43 ([Feature Registry](https://github.com/bamr87/zer0-mistakes/blob/main/_data/features.yml)) |
 | **Setup Time** | 2-5 minutes ([install.sh benchmarks](https://github.com/bamr87/zer0-mistakes/blob/main/install.sh)) |
 | **Documentation Pages** | 70+ ([browse docs](https://zer0-mistakes.com/pages/)) |
@@ -964,6 +964,6 @@ And these AI partners that make zer0-mistakes truly AI-native:
 
 **Built with ❤️ — and a little help from our AI partners — for the Jekyll community**
 
-**v1.12.2** • [Changelog](CHANGELOG.md) • [License](LICENSE) • [Contributing](CONTRIBUTING.md) • [AI Agent Guide](AGENTS.md)
+**v1.13.1** • [Changelog](CHANGELOG.md) • [License](LICENSE) • [Contributing](CONTRIBUTING.md) • [AI Agent Guide](AGENTS.md)
 
 

data/_data/backlog.yml

@@ -55,8 +55,8 @@
 
 meta:
   title: "zer0-mistakes Backlog"
-  updated: 2026-06-10
-  next_id: 16
+  updated: 2026-06-11
+  next_id: 18
 
 tasks:
   # --- Housekeeping (seeded so the loop has work on day one) ------------------
@@ -213,7 +213,7 @@ tasks:
 
   - id: T-009
     title: "Sanitize sensitive config keys from admin config-page DOM injection"
-    status: open
+    status: done
     priority: P1
     area: infra
     risk: standard
@@ -231,7 +231,7 @@ tasks:
       - "The visible config display in the admin UI is unaffected (only the raw hidden element is sanitised)."
     links: { issue: null, pr: null, roadmap: null }
     created: 2026-06-01
-    updated: 2026-06-01
+    updated: 2026-06-11
 
   - id: T-010
     title: "Complete v1.9 quickstart docs rewrite with getting-started guide and screenshots"
@@ -287,7 +287,7 @@ tasks:
 
   - id: T-012
     title: "CI gate parity: run the full canonical test entrypoint on PRs"
-    status: open
+    status: done
     priority: P1
     area: infra
     risk: standard
@@ -300,6 +300,13 @@ tasks:
       PR #132), the obsidian suite, and the installer e2e suites that
       `./scripts/bin/test` runs locally. PRs must gate on the same entrypoint
       contributors are told to run.
+      Done 2026-06-10: test job expanded to all seven non-Playwright theme
+      suites plus a `./scripts/bin/test` step; gate-coverage table added to
+      the workflows README. Canary experiment: a deliberately failing
+      integration test was committed and reverted on the implementing PR;
+      GitHub did not schedule the CI pipeline on the canary push, so the
+      gate failure was verified locally (`./scripts/bin/test` exit 1) and
+      the new gate is exercised for real by the PR's final CI run.
     acceptance:
       - "The `ci.yml` test job executes `./scripts/bin/test` (or an explicit suite list that includes lib, integration, obsidian, and installer e2e) on every code PR."
       - "A deliberately broken integration test fails CI in a draft PR experiment (then reverted)."
@@ -371,3 +378,50 @@ tasks:
     links: { issue: null, pr: null, roadmap: "1.13" }
     created: 2026-06-10
     updated: 2026-06-10
+
+  - id: T-016
+    title: "site_generation suite: fail on Jekyll build errors instead of warning"
+    status: open
+    priority: P2
+    area: tests
+    risk: standard
+    effort: S
+    source: audit
+    summary: >-
+      `test/test_site_generation.sh` downgrades `bundle exec jekyll build`
+      failures to a warning ("Don't fail the test for build issues (may be
+      environment)"), so the suite reports success even when every mode's
+      build fails — a masked gate discovered while implementing T-012. With
+      the suite now gating PRs in CI (working bundler guaranteed), build
+      failures should fail the suite; keep the skip only for genuinely
+      missing toolchain (no bundler).
+    acceptance:
+      - "A non-zero `jekyll build` exit fails the suite when bundler is available."
+      - "The bundler-missing path still skips with a warning (local minimal environments)."
+      - "Suite passes in CI and via `./test/test_runner.sh --suites site_generation` locally."
+    links: { issue: null, pr: null, roadmap: "1.13" }
+    created: 2026-06-10
+    updated: 2026-06-10
+
+  - id: T-017
+    title: "Fix yamllint violations in .github/workflows/version-bump.yml"
+    status: open
+    priority: P2
+    area: lint
+    risk: low
+    effort: S
+    source: audit
+    summary: >-
+      `.github/workflows/version-bump.yml` has ~30 trailing-space lines, two
+      indentation errors, and one brackets error that cause the `auto-version`
+      integration test (which runs yamllint) to fail in CI on every PR. Discovered
+      while babysitting PR #141 — the file was unchanged by that PR, confirming
+      the failures are pre-existing.
+    acceptance:
+      - "`yamllint -c .github/config/.yamllint.yml .github/workflows/version-bump.yml` exits 0."
+      - "`./scripts/test/integration/auto-version` passes the 'version-bump workflow syntax' check."
+      - "No functional change to the workflow logic."
+    links: { issue: null, pr: null, roadmap: null }
+    created: 2026-06-11
+    updated: 2026-06-11
+

data/_plugins/sanitize_config_filter.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+# File: sanitize_config_filter.rb
+# Path: _plugins/sanitize_config_filter.rb
+# Purpose: Liquid filter that masks sensitive key-value pairs in raw YAML
+#          before the content is injected into the DOM. Used by the admin
+#          config page to sanitize <pre id="cfg-full-yaml">.
+#
+# Masked patterns:
+#   Key names: api_key, apikey, secret, password, token (case-insensitive)
+#   Value prefix: phc_ (PostHog project API keys)
+
+module Jekyll
+  module SanitizeConfigFilter
+    # Matches YAML lines whose key name is a common secret identifier.
+    SENSITIVE_KEY_RE = /\A(\s*(?:api[_-]?key|secret|password|token)\s*:)/i.freeze
+    # Matches PostHog project API key values anywhere on a line.
+    PHC_VALUE_RE     = /phc_[A-Za-z0-9]+/.freeze
+
+    def sanitize_config_yaml(input)
+      return input unless input.is_a?(String)
+
+      input.each_line.map do |line|
+        if SENSITIVE_KEY_RE.match?(line)
+          # Keep the key name and colon; replace everything after with [REDACTED]
+          line.sub(/(:\s*).*$/, '\1[REDACTED]')
+        elsif PHC_VALUE_RE.match?(line)
+          line.gsub(PHC_VALUE_RE, '[REDACTED]')
+        else
+          line
+        end
+      end.join
+    end
+  end
+end
+
+Liquid::Template.register_filter(Jekyll::SanitizeConfigFilter)

data/scripts/lib/changelog.sh

@@ -331,27 +331,33 @@ update_changelog_file() {
         } > "${CHANGELOG_FILE}.tmp"
         mv "${CHANGELOG_FILE}.tmp" "$CHANGELOG_FILE"
 
-        # Append the pending notes to the new entry (if any are non-blank)
+        # Append the pending notes to the new entry (if any are non-blank),
+        # separated by a blank line so section headings don't collide.
         if [[ -n "${unreleased_body//[[:space:]]/}" ]]; then
             debug "Folding pending [Unreleased] notes into the new entry"
-            entry+=$'\n'"$(echo "$unreleased_body" | sed -e '/./,$!d')"$'\n'
+            entry="${entry%$'\n'}"$'\n\n'"$(echo "$unreleased_body" | sed -e '/./,$!d')"$'\n'
         fi
     fi
 
     # Insert the new entry before the first release heading so the file
     # header/preamble (title, Keep a Changelog blurb) stays at the top.
+    # Normalize the entry's trailing newlines first: callers that build the
+    # entry via command substitution (e.g. version-bump.yml's
+    # `"$(cat "$TEMP_FILE")"`) lose them, so guarantee exactly one blank
+    # line between the entry and the next release block here.
+    while [[ "$entry" == *$'\n' ]]; do entry="${entry%$'\n'}"; done
+
     local first_release
     first_release=$(grep -n '^## ' "$CHANGELOG_FILE" | head -1 | cut -d: -f1)
 
     {
         if [[ -n "$first_release" ]]; then
             head -n "$((first_release - 1))" "$CHANGELOG_FILE"
-            echo "$entry"
+            printf '%s\n\n' "$entry"
             tail -n +"$first_release" "$CHANGELOG_FILE"
         else
             cat "$CHANGELOG_FILE"
-            echo ""
-            echo "$entry"
+            printf '\n%s\n' "$entry"
         fi
     } > "${CHANGELOG_FILE}.tmp"
 

data/scripts/test/lib/test_changelog.sh

@@ -152,6 +152,15 @@ _v100_line=$(grep -n '^## \[1.0.0\]' CHANGELOG.md | cut -d: -f1)
 assert_true "[[ $_v101_line -lt $_v100_line ]]" "New entry inserted before previous release"
 assert_true "grep -q 'All notable changes' CHANGELOG.md" "Preamble preserved without Unreleased"
 
+# Case 3: entries passed via command substitution lose trailing newlines
+# (e.g. version-bump.yml's "$(cat "$TEMP_FILE")"); the insert must still
+# leave exactly one blank line before the next release block.
+printf '## [1.0.2] - 2026-06-11\n\n### Fixed\n- Another bug\n\n' > entry.txt
+update_changelog_file "$(cat entry.txt)" >/dev/null 2>&1
+_v101_line=$(grep -n '^## \[1.0.1\]' CHANGELOG.md | cut -d: -f1)
+assert_true "[[ -z \"\$(sed -n $((_v101_line - 1))p CHANGELOG.md)\" ]]" "Blank line separates entry from next release block"
+assert_true "[[ -n \"\$(sed -n $((_v101_line - 2))p CHANGELOG.md)\" ]]" "Exactly one blank line (no double spacing)"
+
 popd >/dev/null
 rm -rf "$_changelog_tmp"
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jekyll-theme-zer0
 version: !ruby/object:Gem::Version
-  version: 1.12.2
+  version: 1.13.1
 platform: ruby
 authors:
 - Amr Abdel
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-06-10 00:00:00.000000000 Z
+date: 2026-06-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jekyll
@@ -220,6 +220,7 @@ files:
 - _plugins/content_statistics_generator.rb
 - _plugins/obsidian_links.rb
 - _plugins/preview_image_generator.rb
+- _plugins/sanitize_config_filter.rb
 - _plugins/search_and_sitemap_generator.rb
 - _plugins/theme_version.rb
 - _sass/components/_back-to-top.scss