@ibalzam/codejitsu-core 0.4.0 → 0.5.0

package/modules/audit/src/http/runner.mjs

@@ -0,0 +1,185 @@
+import { pass, fail, warn, info, summarize } from '../util.mjs';
+
+/**
+ * HTTP-tier audit. Hits a live URL (production or staging) and verifies:
+ *   - HTTPS + HTTP→HTTPS redirect
+ *   - Security headers
+ *   - 404 behavior (custom styled page, correct status)
+ *   - Broken internal links (bounded same-origin crawl)
+ *
+ * Uses Node's native fetch (no deps). Caller supplies the base URL.
+ */
+export async function runHttp(ctx) {
+  const { liveUrl } = ctx;
+  if (!liveUrl) return [];
+
+  const results = [];
+  const base = new URL(liveUrl);
+  const origin = base.origin;
+
+  // ─── SSL / HTTP→HTTPS ──────────────────────────────────────────────────
+  if (base.protocol !== 'https:') {
+    results.push(fail(`Base URL is not HTTPS: ${liveUrl}`));
+  } else {
+    results.push(pass('Base URL is HTTPS'));
+    const httpUrl = `http://${base.host}${base.pathname}`;
+    try {
+      const r = await fetchWithTimeout(httpUrl, { redirect: 'manual' });
+      if (r.status >= 300 && r.status < 400) {
+        const location = r.headers.get('location') ?? '';
+        if (location.startsWith('https://')) {
+          results.push(pass(`HTTP → HTTPS redirect (${r.status} to ${location})`));
+        } else {
+          results.push(warn(`HTTP redirects but not to HTTPS`, `${r.status} → ${location}`));
+        }
+      } else {
+        results.push(fail(`HTTP did not redirect (status ${r.status})`));
+      }
+    } catch (err) {
+      results.push(warn(`Could not test HTTP→HTTPS redirect`, err.message));
+    }
+  }
+
+  // ─── Security headers ──────────────────────────────────────────────────
+  let homeResponse;
+  try {
+    homeResponse = await fetchWithTimeout(origin + '/');
+  } catch (err) {
+    results.push(fail(`Could not fetch ${origin}/`, err.message));
+    return results;
+  }
+
+  if (!homeResponse.ok) {
+    results.push(fail(`Homepage returned ${homeResponse.status}`));
+  } else {
+    results.push(pass(`Homepage returns ${homeResponse.status} ${homeResponse.statusText}`));
+  }
+
+  const headers = homeResponse.headers;
+  const securityHeaders = [
+    { key: 'strict-transport-security', label: 'HSTS', severity: 'fail' },
+    { key: 'content-security-policy', label: 'Content-Security-Policy', severity: 'warn' },
+    { key: 'x-frame-options', label: 'X-Frame-Options', severity: 'warn' },
+    { key: 'x-content-type-options', label: 'X-Content-Type-Options (nosniff)', severity: 'warn' },
+    { key: 'referrer-policy', label: 'Referrer-Policy', severity: 'warn' },
+    { key: 'permissions-policy', label: 'Permissions-Policy', severity: 'info' },
+  ];
+
+  for (const h of securityHeaders) {
+    const value = headers.get(h.key);
+    if (value) {
+      results.push(pass(`${h.label}: ${value.slice(0, 70)}${value.length > 70 ? '…' : ''}`));
+    } else if (h.severity === 'fail') {
+      results.push(fail(`${h.label} header missing`));
+    } else if (h.severity === 'warn') {
+      results.push(warn(`${h.label} header missing`));
+    } else {
+      results.push(info(`${h.label} header missing`));
+    }
+  }
+
+  // ─── 404 behavior ──────────────────────────────────────────────────────
+  const probe = `${origin}/__codejitsu_audit_probe_${Date.now()}/`;
+  try {
+    const r = await fetchWithTimeout(probe);
+    if (r.status === 404) {
+      results.push(pass('Unknown URL returns 404'));
+      const body = await r.text();
+      const branded =
+        /pearl|workzen|veteran|profix|codejitsu/i.test(body) ||
+        body.includes('<head>') && body.length > 1000;
+      results.push(branded
+        ? pass('404 page is styled/branded')
+        : warn('404 page returned but may be unstyled', `Body size: ${body.length} bytes`));
+    } else {
+      results.push(fail(`Unknown URL returned ${r.status} (expected 404)`));
+    }
+  } catch (err) {
+    results.push(warn('Could not test 404 behavior', err.message));
+  }
+
+  // ─── Broken-link crawl (bounded) ───────────────────────────────────────
+  const crawlResults = await crawl(origin, 30);
+  if (crawlResults.broken.length === 0) {
+    results.push(pass(`Crawled ${crawlResults.visited} pages — no broken links`));
+  } else {
+    results.push(fail(
+      `${crawlResults.broken.length} broken links (crawled ${crawlResults.visited} pages)`,
+      crawlResults.broken
+    ));
+  }
+  if (crawlResults.redirected.length > 0) {
+    results.push(warn(
+      `${crawlResults.redirected.length} internal redirects (prefer direct links)`,
+      crawlResults.redirected.slice(0, 5)
+    ));
+  }
+
+  return results;
+}
+
+async function fetchWithTimeout(url, init = {}, timeoutMs = 10_000) {
+  const controller = new AbortController();
+  const t = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    return await fetch(url, { ...init, signal: controller.signal, headers: { 'User-Agent': 'codejitsu-audit/0.5' } });
+  } finally {
+    clearTimeout(t);
+  }
+}
+
+/**
+ * Bounded same-origin crawl. Starts at `origin/`, follows internal links
+ * (extracted from <a href>), stops at `max` pages. Returns broken links
+ * (4xx/5xx) and redirects encountered along the way.
+ */
+async function crawl(origin, max) {
+  const visited = new Set();
+  const queue = [origin + '/'];
+  const broken = [];
+  const redirected = [];
+
+  while (queue.length > 0 && visited.size < max) {
+    const url = queue.shift();
+    if (visited.has(url)) continue;
+    visited.add(url);
+
+    let response;
+    try {
+      response = await fetchWithTimeout(url, { redirect: 'manual' });
+    } catch (err) {
+      broken.push(`${url}: ${err.message}`);
+      continue;
+    }
+
+    if (response.status >= 400) {
+      broken.push(`${url}: ${response.status}`);
+      continue;
+    }
+    if (response.status >= 300 && response.status < 400) {
+      const location = response.headers.get('location') ?? '';
+      redirected.push(`${url} → ${response.status} → ${location}`);
+      continue;
+    }
+
+    const contentType = response.headers.get('content-type') ?? '';
+    if (!contentType.includes('text/html')) continue;
+
+    const body = await response.text();
+    for (const m of body.matchAll(/<a[^>]+href=["']([^"']+)["']/gi)) {
+      try {
+        const absolute = new URL(m[1], url).toString();
+        if (!absolute.startsWith(origin)) continue;          // external
+        if (absolute.includes('#')) continue;                 // skip anchors
+        if (/\.(?:webp|png|jpe?g|svg|pdf|woff2?|ico|css|js)(?:\?|$)/i.test(absolute)) continue;
+        if (!visited.has(absolute) && queue.length + visited.size < max) {
+          queue.push(absolute);
+        }
+      } catch {
+        // skip invalid URLs
+      }
+    }
+  }
+
+  return { visited: visited.size, broken, redirected };
+}

package/modules/audit/src/run.mjs

@@ -0,0 +1,168 @@
+import fs from 'fs';
+import path from 'path';
+import { loadConfig, isModuleEnabled } from '../../config/src/load.mjs';
+import { c } from '../../cli/src/format.mjs';
+import { runStructure } from './groups/structure.mjs';
+import { runLinks } from './groups/links.mjs';
+import { runSeo } from './groups/seo.mjs';
+import { runAi } from './groups/ai-discoverability.mjs';
+import { runAnalytics } from './groups/analytics.mjs';
+import { runForms } from './groups/forms.mjs';
+import { runContent } from './groups/content.mjs';
+import { runPerformance } from './groups/performance.mjs';
+import { runBlogQuality } from './groups/blog-quality.mjs';
+import { runHttp } from './http/runner.mjs';
+import { runA11y } from './a11y/runner.mjs';
+import { runAi as runAiTier } from './ai/runner.mjs';
+
+/**
+ * Pre-delivery audit. Static (against dist/) + optional tiers:
+ *   --live <url>   Hits the URL for security headers, redirects, 404, broken links.
+ *   --a11y         Runs axe-core against --live URL (requires @axe-core/cli).
+ *
+ * Reads codejitsu.config for module enablement + audit preferences.
+ *
+ * @param {object} [opts]
+ * @param {string} [opts.liveUrl]
+ * @param {boolean} [opts.a11y]
+ */
+export async function runAudit(opts = {}) {
+  const cwd = process.cwd();
+  const distDir = path.join(cwd, 'dist');
+
+  let config;
+  try {
+    config = await loadConfig(cwd);
+  } catch (err) {
+    console.error(c.red('✗ No codejitsu.config found.'));
+    console.error('  Run `codejitsu audit` from a Codejitsu site root.');
+    process.exit(1);
+  }
+
+  if (!fs.existsSync(distDir)) {
+    console.error(c.red('✗ No dist/ directory.'));
+    console.error('  Run `npm run build` first.');
+    process.exit(1);
+  }
+
+  // Index HTML files once; pass to all check groups.
+  const htmlFiles = collectHtmlFiles(distDir).map((file) => ({
+    relPath: path.relative(distDir, file),
+    fullPath: file,
+    content: fs.readFileSync(file, 'utf8'),
+  }));
+
+  // Index public assets for cross-reference checks.
+  const webpSet = new Set();
+  collectAssets(distDir).forEach((p) => {
+    if (p.toLowerCase().endsWith('.webp')) {
+      webpSet.add(path.relative(distDir, p).replace(/\.webp$/i, ''));
+    }
+  });
+
+  const ctx = {
+    cwd,
+    distDir,
+    config,
+    htmlFiles,
+    webpSet,
+    liveUrl: opts.liveUrl ?? null,
+    a11y: opts.a11y ?? false,
+    ai: opts.ai ?? false,
+    enabled: {
+      blog: isModuleEnabled(config, 'blog'),
+      seo: isModuleEnabled(config, 'seo'),
+      images: isModuleEnabled(config, 'images'),
+      llms: isModuleEnabled(config, 'llms'),
+      deploy: isModuleEnabled(config, 'deploy'),
+    },
+  };
+
+  const groups = [
+    { name: 'Structure & Build', run: runStructure },
+    { name: 'Links & URLs', run: runLinks },
+    { name: 'SEO', run: runSeo },
+    { name: 'AI Discoverability', run: runAi },
+    { name: 'Analytics & Tags', run: runAnalytics },
+    { name: 'Forms', run: runForms },
+    { name: 'Content & A11y', run: runContent },
+    { name: 'Performance', run: runPerformance },
+    { name: 'Blog Quality', run: runBlogQuality },
+  ];
+  if (ctx.liveUrl) {
+    groups.push({ name: `Live HTTP (${ctx.liveUrl})`, run: runHttp });
+  }
+  if (ctx.a11y) {
+    groups.push({ name: 'Accessibility (axe-core WCAG 2.1 AA)', run: runA11y });
+  }
+  if (ctx.ai) {
+    groups.push({ name: 'AI content review (claude -p)', run: runAiTier });
+  }
+
+  console.log(c.bold(`\nCodejitsu Audit · ${config.site.name} (${htmlFiles.length} pages)\n`));
+
+  let totals = { pass: 0, warn: 0, fail: 0, info: 0 };
+
+  for (const group of groups) {
+    const results = await group.run(ctx);
+    if (!results || results.length === 0) continue;
+    console.log(c.bold(`◉ ${group.name}`));
+    for (const r of results) {
+      printResult(r);
+      totals[r.status] = (totals[r.status] ?? 0) + 1;
+    }
+    console.log('');
+  }
+
+  const summary =
+    `${c.green(totals.pass + ' pass')}  ` +
+    `${c.yellow(totals.warn + ' warn')}  ` +
+    `${c.red(totals.fail + ' fail')}` +
+    (totals.info ? `  ${c.gray(totals.info + ' info')}` : '');
+  console.log(summary);
+
+  if (totals.fail > 0) process.exit(1);
+}
+
+function printResult(r) {
+  const icon =
+    r.status === 'pass' ? c.green('✓') :
+    r.status === 'warn' ? c.yellow('!') :
+    r.status === 'info' ? c.gray('i') :
+    c.red('✗');
+  console.log(`  ${icon} ${r.label}`);
+  if (r.detail) {
+    const lines = Array.isArray(r.detail) ? r.detail : [r.detail];
+    for (const line of lines.slice(0, 5)) {
+      console.log(`    ${c.gray(line)}`);
+    }
+    if (lines.length > 5) {
+      console.log(`    ${c.gray(`… (+${lines.length - 5} more)`)}`);
+    }
+  }
+}
+
+function collectHtmlFiles(distDir) {
+  const out = [];
+  (function walk(dir) {
+    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) walk(full);
+      else if (entry.name.endsWith('.html')) out.push(full);
+    }
+  })(distDir);
+  return out;
+}
+
+function collectAssets(distDir) {
+  const out = [];
+  (function walk(dir) {
+    if (!fs.existsSync(dir)) return;
+    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) walk(full);
+      else if (entry.isFile()) out.push(full);
+    }
+  })(distDir);
+  return out;
+}

package/modules/audit/src/util.mjs

@@ -0,0 +1,72 @@
+// Shared helpers used across audit check groups.
+
+export function pass(label, detail) {
+  return { status: 'pass', label, detail };
+}
+export function fail(label, detail) {
+  return { status: 'fail', label, detail };
+}
+export function warn(label, detail) {
+  return { status: 'warn', label, detail };
+}
+export function info(label, detail) {
+  return { status: 'info', label, detail };
+}
+
+/**
+ * Collapses a list of per-page issues into a single check result.
+ * If `issues` is empty → pass. Otherwise fail/warn with `issues.length` count
+ * and the first few examples.
+ */
+export function summarize(label, issues, severity = 'fail') {
+  if (issues.length === 0) return pass(label);
+  const result =
+    severity === 'fail' ? fail :
+    severity === 'warn' ? warn :
+    info;
+  return result(`${label} (${issues.length})`, issues);
+}
+
+/** Extract <title> innerHTML. */
+export function getTitle(html) {
+  return html.match(/<title>([^<]*)<\/title>/)?.[1] ?? null;
+}
+
+/** Get content of a `<meta name|property="X" content="...">` tag. */
+export function getMeta(html, key) {
+  const re = new RegExp(
+    `<meta\\s+(?:name|property)=["']${escapeRegex(key)}["']\\s+content=["']([^"']*)["']`,
+    'i'
+  );
+  return html.match(re)?.[1] ?? null;
+}
+
+/** Get href of a `<link rel="X">` tag. */
+export function getLinkHref(html, rel) {
+  const re = new RegExp(
+    `<link\\s+rel=["']${escapeRegex(rel)}["']\\s+href=["']([^"']*)["']`,
+    'i'
+  );
+  return html.match(re)?.[1] ?? null;
+}
+
+export function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+/** Match all `<a href="...">` hrefs in HTML. */
+export function* anchorHrefs(html) {
+  const re = /<a[^>]+href=["']([^"']+)["'][^>]*>/gi;
+  let m;
+  while ((m = re.exec(html)) !== null) {
+    yield { href: m[1], full: m[0] };
+  }
+}
+
+export function isExternal(href, siteOrigin) {
+  if (href.startsWith('http://') || href.startsWith('https://')) {
+    return !href.startsWith(siteOrigin);
+  }
+  if (href.startsWith('//')) return true;
+  return false;
+}

package/modules/config/src/types.d.ts

@@ -14,7 +14,28 @@ export interface CodejitsuConfig {
     images?: ImagesConfig | false;
     llms?: LlmsConfig | false;
     deploy?: DeployConfig | false;
+    audit?: AuditConfig;
 }
+export interface AuditConfig {
+    /** Per-provider requirement. 'optional' = pass either way; 'required' = fail if absent; 'banned' = fail if present. */
+    analytics?: {
+        ga4?: AuditRequirement;
+        gtm?: AuditRequirement;
+        googleAds?: AuditRequirement;
+        ahrefs?: AuditRequirement;
+        hotjar?: AuditRequirement;
+    };
+    /** Site verification meta tags. true = required, false/missing = optional. */
+    verification?: {
+        googleSearchConsole?: boolean;
+        bingWebmaster?: boolean;
+    };
+    forms?: {
+        requireSpamProtection?: boolean;
+        requireConsent?: boolean;
+    };
+}
+export type AuditRequirement = 'required' | 'optional' | 'banned';
 export interface SiteConfig {
     /** Absolute site URL, no trailing slash. e.g. 'https://example.com'. */
     url: string;

package/modules/config/src/types.ts

@@ -15,8 +15,31 @@ export interface CodejitsuConfig {
   images?: ImagesConfig | false;
   llms?: LlmsConfig | false;
   deploy?: DeployConfig | false;
+  audit?: AuditConfig;
 }
 
+export interface AuditConfig {
+  /** Per-provider requirement. 'optional' = pass either way; 'required' = fail if absent; 'banned' = fail if present. */
+  analytics?: {
+    ga4?: AuditRequirement;
+    gtm?: AuditRequirement;
+    googleAds?: AuditRequirement;
+    ahrefs?: AuditRequirement;
+    hotjar?: AuditRequirement;
+  };
+  /** Site verification meta tags. true = required, false/missing = optional. */
+  verification?: {
+    googleSearchConsole?: boolean;
+    bingWebmaster?: boolean;
+  };
+  forms?: {
+    requireSpamProtection?: boolean;
+    requireConsent?: boolean;
+  };
+}
+
+export type AuditRequirement = 'required' | 'optional' | 'banned';
+
 export interface SiteConfig {
   /** Absolute site URL, no trailing slash. e.g. 'https://example.com'. */
   url: string;

package/modules/llms/src/generate.mjs

@@ -198,6 +198,12 @@ async function generateContentScan({ config, cwd }) {
   const llms = config.llms;
   const scan = llms.contentScan ?? {};
 
+  // Date + draft field names come from the blog module config; CC schemas like
+  // pearl's use `pubDate` + `draft`, while simpler sites use `date` (+ no draft).
+  const blogCfg = config.blog && typeof config.blog === 'object' ? config.blog : {};
+  const dateField = blogCfg.dateField ?? 'date';
+  const draftField = blogCfg.draftField ?? null;
+
   const servicesDir = scan.servicesDir ? path.resolve(cwd, scan.servicesDir) : null;
   const locationsDir = scan.locationsDir ? path.resolve(cwd, scan.locationsDir) : null;
   const pagesDir = scan.pagesDir ? path.resolve(cwd, scan.pagesDir) : null;
@@ -205,10 +211,7 @@ async function generateContentScan({ config, cwd }) {
 
   const services = readContentDir(servicesDir);
   const locations = readContentDir(locationsDir);
-  const blogPosts = readBlogPosts(blogDir, 'pubDate', 'draft').concat(
-    // Also try 'date' field for fallback
-    blogDir && readBlogPosts(blogDir, 'date', 'draft').filter((p) => !p.pubDate) || []
-  );
+  const blogPosts = readBlogPosts(blogDir, dateField, draftField);
   const pages = pagesDir ? collectStaticPages(pagesDir) : [];
 
   const dynamicRoutes = scan.dynamicRoutes ?? [];
@@ -239,6 +242,7 @@ async function generateContentScan({ config, cwd }) {
     business: site.business,
     services,
     locations,
+    blogPosts: blogPosts.slice(0, llms.blogFullLimit ?? 20),
     aiGuidance: llms.aiGuidance,
     today: isoDate(),
   });
@@ -372,7 +376,7 @@ function renderContentScanConcise({ siteUrl, siteName, tagline, about, business,
   return lines.join('\n') + '\n';
 }
 
-function renderContentScanFull({ siteUrl, siteName, tagline, about, business, services, locations, aiGuidance, today }) {
+function renderContentScanFull({ siteUrl, siteName, tagline, about, business, services, locations, blogPosts, aiGuidance, today }) {
   const lines = [];
   lines.push(`# ${siteName} — Full Reference`);
   lines.push(`Last Updated: ${today}`, '');
@@ -431,6 +435,19 @@ function renderContentScanFull({ siteUrl, siteName, tagline, about, business, se
     lines.push('', '---', '');
   }
 
+  if (blogPosts && blogPosts.length) {
+    lines.push('## Blog Posts', '');
+    for (const post of blogPosts) {
+      lines.push(`### ${post.title}`, '');
+      if (post.date) lines.push(`**Published**: ${post.date}`);
+      if (post.author) lines.push(`**Author**: ${post.author}`);
+      if (post.tags?.length) lines.push(`**Tags**: ${post.tags.join(', ')}`);
+      lines.push(`**URL**: ${siteUrl}/blog/${post.slug}/`, '');
+      if (post.description) lines.push(post.description, '');
+      lines.push('---', '');
+    }
+  }
+
   lines.push(`## Optional`, '', `- Sitemap: ${siteUrl}/sitemap-index.xml`, '');
   if (aiGuidance) lines.push('## For AI Assistants', '', aiGuidance, '');
   return lines.join('\n') + '\n';

package/modules/rehype/CLAUDE.md

@@ -0,0 +1,64 @@
+# Rehype module — instructions for Claude
+
+When the user asks to **fix trailing-slash bugs in markdown content** (or pre-empt them across a Codejitsu site), wire up `rehypeTrailingSlash`.
+
+## What this module provides
+
+A single rehype plugin: `trailingSlash`. Runs during Astro's markdown→HTML conversion. Walks the HTML AST and rewrites internal `<a href="/foo">` to `<a href="/foo/">` (or vice versa with `policy: 'never'`).
+
+**Why this exists:** Astro's `trailingSlash: 'always'` config covers route resolution and `Astro.url.pathname` but does NOT touch href strings written by humans in markdown or `.astro` files. This plugin closes that gap for markdown-rendered HTML.
+
+It does **not** affect href strings inside `.astro` component source (Astro doesn't run rehype on those). Use the audit to catch those.
+
+## Wiring it into a site
+
+```ts
+// astro.config.mjs
+import { defineConfig } from 'astro/config';
+import trailingSlash from '@ibalzam/codejitsu-core/rehype/trailing-slash';
+
+export default defineConfig({
+  markdown: {
+    rehypePlugins: [trailingSlash],
+  },
+});
+```
+
+With explicit options:
+
+```ts
+rehypePlugins: [
+  [trailingSlash, { policy: 'always' }],
+],
+```
+
+## What it does NOT touch
+
+- External URLs (`http://`, `https://`, `//`)
+- `mailto:`, `tel:`, `javascript:`
+- Anchor-only links (`#section`)
+- Paths ending in a file extension (`.pdf`, `.html`, `.webp`, etc.)
+- Root path (`/`)
+
+## What it DOES touch
+
+- `<a href="/foo">` → `<a href="/foo/">`
+- `<a href="/foo?bar=1">` → `<a href="/foo/?bar=1">`
+- `<a href="/foo#section">` → `<a href="/foo/#section">`
+
+Preserves query strings and fragments. Path-only modification.
+
+## What must NOT be done
+
+- **Don't apply this to `.astro` component files** — the plugin runs on markdown rehype, not Astro components. If a `<a href="/foo">` lives in a `.astro` file, the plugin can't see it.
+- **Don't set `policy: 'never'` if `astro.config` has `trailingSlash: 'always'`** — they'd contradict each other. The audit will flag the inconsistency.
+- **Don't run this with `policy: 'preserve'` and expect anything to change** — that mode is a no-op (registered as a placeholder for symmetry).
+
+## Verify after wiring
+
+```bash
+npm run build
+npx codejitsu audit
+```
+
+The audit's "All internal links end with /" check should now report 0 markdown-level offenders. Component-level offenders (in `.astro` files) still surface — those must be fixed by hand.