@ibalzam/codejitsu-core 0.4.0 → 0.6.0

package/modules/audit/src/http/runner.mjs

@@ -0,0 +1,185 @@
+import { pass, fail, warn, info, summarize } from '../util.mjs';
+
+/**
+ * HTTP-tier audit. Hits a live URL (production or staging) and verifies:
+ *   - HTTPS + HTTP→HTTPS redirect
+ *   - Security headers
+ *   - 404 behavior (custom styled page, correct status)
+ *   - Broken internal links (bounded same-origin crawl)
+ *
+ * Uses Node's native fetch (no deps). Caller supplies the base URL.
+ */
+export async function runHttp(ctx) {
+  const { liveUrl } = ctx;
+  if (!liveUrl) return [];
+
+  const results = [];
+  const base = new URL(liveUrl);
+  const origin = base.origin;
+
+  // ─── SSL / HTTP→HTTPS ──────────────────────────────────────────────────
+  if (base.protocol !== 'https:') {
+    results.push(fail(`Base URL is not HTTPS: ${liveUrl}`));
+  } else {
+    results.push(pass('Base URL is HTTPS'));
+    const httpUrl = `http://${base.host}${base.pathname}`;
+    try {
+      const r = await fetchWithTimeout(httpUrl, { redirect: 'manual' });
+      if (r.status >= 300 && r.status < 400) {
+        const location = r.headers.get('location') ?? '';
+        if (location.startsWith('https://')) {
+          results.push(pass(`HTTP → HTTPS redirect (${r.status} to ${location})`));
+        } else {
+          results.push(warn(`HTTP redirects but not to HTTPS`, `${r.status} → ${location}`));
+        }
+      } else {
+        results.push(fail(`HTTP did not redirect (status ${r.status})`));
+      }
+    } catch (err) {
+      results.push(warn(`Could not test HTTP→HTTPS redirect`, err.message));
+    }
+  }
+
+  // ─── Security headers ──────────────────────────────────────────────────
+  let homeResponse;
+  try {
+    homeResponse = await fetchWithTimeout(origin + '/');
+  } catch (err) {
+    results.push(fail(`Could not fetch ${origin}/`, err.message));
+    return results;
+  }
+
+  if (!homeResponse.ok) {
+    results.push(fail(`Homepage returned ${homeResponse.status}`));
+  } else {
+    results.push(pass(`Homepage returns ${homeResponse.status} ${homeResponse.statusText}`));
+  }
+
+  const headers = homeResponse.headers;
+  const securityHeaders = [
+    { key: 'strict-transport-security', label: 'HSTS', severity: 'fail' },
+    { key: 'content-security-policy', label: 'Content-Security-Policy', severity: 'warn' },
+    { key: 'x-frame-options', label: 'X-Frame-Options', severity: 'warn' },
+    { key: 'x-content-type-options', label: 'X-Content-Type-Options (nosniff)', severity: 'warn' },
+    { key: 'referrer-policy', label: 'Referrer-Policy', severity: 'warn' },
+    { key: 'permissions-policy', label: 'Permissions-Policy', severity: 'info' },
+  ];
+
+  for (const h of securityHeaders) {
+    const value = headers.get(h.key);
+    if (value) {
+      results.push(pass(`${h.label}: ${value.slice(0, 70)}${value.length > 70 ? '…' : ''}`));
+    } else if (h.severity === 'fail') {
+      results.push(fail(`${h.label} header missing`));
+    } else if (h.severity === 'warn') {
+      results.push(warn(`${h.label} header missing`));
+    } else {
+      results.push(info(`${h.label} header missing`));
+    }
+  }
+
+  // ─── 404 behavior ──────────────────────────────────────────────────────
+  const probe = `${origin}/__codejitsu_audit_probe_${Date.now()}/`;
+  try {
+    const r = await fetchWithTimeout(probe);
+    if (r.status === 404) {
+      results.push(pass('Unknown URL returns 404'));
+      const body = await r.text();
+      const branded =
+        /pearl|workzen|veteran|profix|codejitsu/i.test(body) ||
+        body.includes('<head>') && body.length > 1000;
+      results.push(branded
+        ? pass('404 page is styled/branded')
+        : warn('404 page returned but may be unstyled', `Body size: ${body.length} bytes`));
+    } else {
+      results.push(fail(`Unknown URL returned ${r.status} (expected 404)`));
+    }
+  } catch (err) {
+    results.push(warn('Could not test 404 behavior', err.message));
+  }
+
+  // ─── Broken-link crawl (bounded) ───────────────────────────────────────
+  const crawlResults = await crawl(origin, 30);
+  if (crawlResults.broken.length === 0) {
+    results.push(pass(`Crawled ${crawlResults.visited} pages — no broken links`));
+  } else {
+    results.push(fail(
+      `${crawlResults.broken.length} broken links (crawled ${crawlResults.visited} pages)`,
+      crawlResults.broken
+    ));
+  }
+  if (crawlResults.redirected.length > 0) {
+    results.push(warn(
+      `${crawlResults.redirected.length} internal redirects (prefer direct links)`,
+      crawlResults.redirected.slice(0, 5)
+    ));
+  }
+
+  return results;
+}
+
+async function fetchWithTimeout(url, init = {}, timeoutMs = 10_000) {
+  const controller = new AbortController();
+  const t = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    return await fetch(url, { ...init, signal: controller.signal, headers: { 'User-Agent': 'codejitsu-audit/0.5' } });
+  } finally {
+    clearTimeout(t);
+  }
+}
+
+/**
+ * Bounded same-origin crawl. Starts at `origin/`, follows internal links
+ * (extracted from <a href>), stops at `max` pages. Returns broken links
+ * (4xx/5xx) and redirects encountered along the way.
+ */
+async function crawl(origin, max) {
+  const visited = new Set();
+  const queue = [origin + '/'];
+  const broken = [];
+  const redirected = [];
+
+  while (queue.length > 0 && visited.size < max) {
+    const url = queue.shift();
+    if (visited.has(url)) continue;
+    visited.add(url);
+
+    let response;
+    try {
+      response = await fetchWithTimeout(url, { redirect: 'manual' });
+    } catch (err) {
+      broken.push(`${url}: ${err.message}`);
+      continue;
+    }
+
+    if (response.status >= 400) {
+      broken.push(`${url}: ${response.status}`);
+      continue;
+    }
+    if (response.status >= 300 && response.status < 400) {
+      const location = response.headers.get('location') ?? '';
+      redirected.push(`${url} → ${response.status} → ${location}`);
+      continue;
+    }
+
+    const contentType = response.headers.get('content-type') ?? '';
+    if (!contentType.includes('text/html')) continue;
+
+    const body = await response.text();
+    for (const m of body.matchAll(/<a[^>]+href=["']([^"']+)["']/gi)) {
+      try {
+        const absolute = new URL(m[1], url).toString();
+        if (!absolute.startsWith(origin)) continue;          // external
+        if (absolute.includes('#')) continue;                 // skip anchors
+        if (/\.(?:webp|png|jpe?g|svg|pdf|woff2?|ico|css|js)(?:\?|$)/i.test(absolute)) continue;
+        if (!visited.has(absolute) && queue.length + visited.size < max) {
+          queue.push(absolute);
+        }
+      } catch {
+        // skip invalid URLs
+      }
+    }
+  }
+
+  return { visited: visited.size, broken, redirected };
+}

package/modules/audit/src/run.mjs

@@ -0,0 +1,168 @@
+import fs from 'fs';
+import path from 'path';
+import { loadConfig, isModuleEnabled } from '../../config/src/load.mjs';
+import { c } from '../../cli/src/format.mjs';
+import { runStructure } from './groups/structure.mjs';
+import { runLinks } from './groups/links.mjs';
+import { runSeo } from './groups/seo.mjs';
+import { runAi } from './groups/ai-discoverability.mjs';
+import { runAnalytics } from './groups/analytics.mjs';
+import { runForms } from './groups/forms.mjs';
+import { runContent } from './groups/content.mjs';
+import { runPerformance } from './groups/performance.mjs';
+import { runBlogQuality } from './groups/blog-quality.mjs';
+import { runHttp } from './http/runner.mjs';
+import { runA11y } from './a11y/runner.mjs';
+import { runAi as runAiTier } from './ai/runner.mjs';
+
+/**
+ * Pre-delivery audit. Static (against dist/) + optional tiers:
+ *   --live <url>   Hits the URL for security headers, redirects, 404, broken links.
+ *   --a11y         Runs axe-core against --live URL (requires @axe-core/cli).
+ *
+ * Reads codejitsu.config for module enablement + audit preferences.
+ *
+ * @param {object} [opts]
+ * @param {string} [opts.liveUrl]
+ * @param {boolean} [opts.a11y]
+ */
+export async function runAudit(opts = {}) {
+  const cwd = process.cwd();
+  const distDir = path.join(cwd, 'dist');
+
+  let config;
+  try {
+    config = await loadConfig(cwd);
+  } catch (err) {
+    console.error(c.red('✗ No codejitsu.config found.'));
+    console.error('  Run `codejitsu audit` from a Codejitsu site root.');
+    process.exit(1);
+  }
+
+  if (!fs.existsSync(distDir)) {
+    console.error(c.red('✗ No dist/ directory.'));
+    console.error('  Run `npm run build` first.');
+    process.exit(1);
+  }
+
+  // Index HTML files once; pass to all check groups.
+  const htmlFiles = collectHtmlFiles(distDir).map((file) => ({
+    relPath: path.relative(distDir, file),
+    fullPath: file,
+    content: fs.readFileSync(file, 'utf8'),
+  }));
+
+  // Index public assets for cross-reference checks.
+  const webpSet = new Set();
+  collectAssets(distDir).forEach((p) => {
+    if (p.toLowerCase().endsWith('.webp')) {
+      webpSet.add(path.relative(distDir, p).replace(/\.webp$/i, ''));
+    }
+  });
+
+  const ctx = {
+    cwd,
+    distDir,
+    config,
+    htmlFiles,
+    webpSet,
+    liveUrl: opts.liveUrl ?? null,
+    a11y: opts.a11y ?? false,
+    ai: opts.ai ?? false,
+    enabled: {
+      blog: isModuleEnabled(config, 'blog'),
+      seo: isModuleEnabled(config, 'seo'),
+      images: isModuleEnabled(config, 'images'),
+      llms: isModuleEnabled(config, 'llms'),
+      deploy: isModuleEnabled(config, 'deploy'),
+    },
+  };
+
+  const groups = [
+    { name: 'Structure & Build', run: runStructure },
+    { name: 'Links & URLs', run: runLinks },
+    { name: 'SEO', run: runSeo },
+    { name: 'AI Discoverability', run: runAi },
+    { name: 'Analytics & Tags', run: runAnalytics },
+    { name: 'Forms', run: runForms },
+    { name: 'Content & A11y', run: runContent },
+    { name: 'Performance', run: runPerformance },
+    { name: 'Blog Quality', run: runBlogQuality },
+  ];
+  if (ctx.liveUrl) {
+    groups.push({ name: `Live HTTP (${ctx.liveUrl})`, run: runHttp });
+  }
+  if (ctx.a11y) {
+    groups.push({ name: 'Accessibility (axe-core WCAG 2.1 AA)', run: runA11y });
+  }
+  if (ctx.ai) {
+    groups.push({ name: 'AI content review (claude -p)', run: runAiTier });
+  }
+
+  console.log(c.bold(`\nCodejitsu Audit · ${config.site.name} (${htmlFiles.length} pages)\n`));
+
+  let totals = { pass: 0, warn: 0, fail: 0, info: 0 };
+
+  for (const group of groups) {
+    const results = await group.run(ctx);
+    if (!results || results.length === 0) continue;
+    console.log(c.bold(`◉ ${group.name}`));
+    for (const r of results) {
+      printResult(r);
+      totals[r.status] = (totals[r.status] ?? 0) + 1;
+    }
+    console.log('');
+  }
+
+  const summary =
+    `${c.green(totals.pass + ' pass')}  ` +
+    `${c.yellow(totals.warn + ' warn')}  ` +
+    `${c.red(totals.fail + ' fail')}` +
+    (totals.info ? `  ${c.gray(totals.info + ' info')}` : '');
+  console.log(summary);
+
+  if (totals.fail > 0) process.exit(1);
+}
+
+function printResult(r) {
+  const icon =
+    r.status === 'pass' ? c.green('✓') :
+    r.status === 'warn' ? c.yellow('!') :
+    r.status === 'info' ? c.gray('i') :
+    c.red('✗');
+  console.log(`  ${icon} ${r.label}`);
+  if (r.detail) {
+    const lines = Array.isArray(r.detail) ? r.detail : [r.detail];
+    for (const line of lines.slice(0, 5)) {
+      console.log(`    ${c.gray(line)}`);
+    }
+    if (lines.length > 5) {
+      console.log(`    ${c.gray(`… (+${lines.length - 5} more)`)}`);
+    }
+  }
+}
+
+function collectHtmlFiles(distDir) {
+  const out = [];
+  (function walk(dir) {
+    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) walk(full);
+      else if (entry.name.endsWith('.html')) out.push(full);
+    }
+  })(distDir);
+  return out;
+}
+
+function collectAssets(distDir) {
+  const out = [];
+  (function walk(dir) {
+    if (!fs.existsSync(dir)) return;
+    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) walk(full);
+      else if (entry.isFile()) out.push(full);
+    }
+  })(distDir);
+  return out;
+}

package/modules/audit/src/util.mjs

@@ -0,0 +1,72 @@
+// Shared helpers used across audit check groups.
+
+export function pass(label, detail) {
+  return { status: 'pass', label, detail };
+}
+export function fail(label, detail) {
+  return { status: 'fail', label, detail };
+}
+export function warn(label, detail) {
+  return { status: 'warn', label, detail };
+}
+export function info(label, detail) {
+  return { status: 'info', label, detail };
+}
+
+/**
+ * Collapses a list of per-page issues into a single check result.
+ * If `issues` is empty → pass. Otherwise fail/warn with `issues.length` count
+ * and the first few examples.
+ */
+export function summarize(label, issues, severity = 'fail') {
+  if (issues.length === 0) return pass(label);
+  const result =
+    severity === 'fail' ? fail :
+    severity === 'warn' ? warn :
+    info;
+  return result(`${label} (${issues.length})`, issues);
+}
+
+/** Extract <title> innerHTML. */
+export function getTitle(html) {
+  return html.match(/<title>([^<]*)<\/title>/)?.[1] ?? null;
+}
+
+/** Get content of a `<meta name|property="X" content="...">` tag. */
+export function getMeta(html, key) {
+  const re = new RegExp(
+    `<meta\\s+(?:name|property)=["']${escapeRegex(key)}["']\\s+content=["']([^"']*)["']`,
+    'i'
+  );
+  return html.match(re)?.[1] ?? null;
+}
+
+/** Get href of a `<link rel="X">` tag. */
+export function getLinkHref(html, rel) {
+  const re = new RegExp(
+    `<link\\s+rel=["']${escapeRegex(rel)}["']\\s+href=["']([^"']*)["']`,
+    'i'
+  );
+  return html.match(re)?.[1] ?? null;
+}
+
+export function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+/** Match all `<a href="...">` hrefs in HTML. */
+export function* anchorHrefs(html) {
+  const re = /<a[^>]+href=["']([^"']+)["'][^>]*>/gi;
+  let m;
+  while ((m = re.exec(html)) !== null) {
+    yield { href: m[1], full: m[0] };
+  }
+}
+
+export function isExternal(href, siteOrigin) {
+  if (href.startsWith('http://') || href.startsWith('https://')) {
+    return !href.startsWith(siteOrigin);
+  }
+  if (href.startsWith('//')) return true;
+  return false;
+}

package/modules/config/src/types.d.ts

@@ -14,7 +14,44 @@ export interface CodejitsuConfig {
     images?: ImagesConfig | false;
     llms?: LlmsConfig | false;
     deploy?: DeployConfig | false;
+    contact?: ContactConfig | false;
+    audit?: AuditConfig;
 }
+export interface ContactConfig {
+    enabled?: boolean;
+    emailjs: {
+        /** EmailJS service ID, e.g. 'service_abc123'. */
+        serviceId: string;
+        /** EmailJS template ID, e.g. 'template_xyz789'. Template variables must be {{name}}, {{email}}, {{phone}}, {{message}}. */
+        templateId: string;
+        /** EmailJS public key. Safe to ship to the browser. */
+        publicKey: string;
+    };
+    /** Optional reCAPTCHA v2 sitekey. If set, the modal renders a captcha widget and blocks submit until solved. */
+    recaptcha?: {
+        siteKey: string;
+    };
+}
+export interface AuditConfig {
+    /** Per-provider requirement. 'optional' = pass either way; 'required' = fail if absent; 'banned' = fail if present. */
+    analytics?: {
+        ga4?: AuditRequirement;
+        gtm?: AuditRequirement;
+        googleAds?: AuditRequirement;
+        ahrefs?: AuditRequirement;
+        hotjar?: AuditRequirement;
+    };
+    /** Site verification meta tags. true = required, false/missing = optional. */
+    verification?: {
+        googleSearchConsole?: boolean;
+        bingWebmaster?: boolean;
+    };
+    forms?: {
+        requireSpamProtection?: boolean;
+        requireConsent?: boolean;
+    };
+}
+export type AuditRequirement = 'required' | 'optional' | 'banned';
 export interface SiteConfig {
     /** Absolute site URL, no trailing slash. e.g. 'https://example.com'. */
     url: string;

package/modules/config/src/types.ts

@@ -15,8 +15,48 @@ export interface CodejitsuConfig {
   images?: ImagesConfig | false;
   llms?: LlmsConfig | false;
   deploy?: DeployConfig | false;
+  contact?: ContactConfig | false;
+  audit?: AuditConfig;
 }
 
+export interface ContactConfig {
+  enabled?: boolean;
+  emailjs: {
+    /** EmailJS service ID, e.g. 'service_abc123'. */
+    serviceId: string;
+    /** EmailJS template ID, e.g. 'template_xyz789'. Template variables must be {{name}}, {{email}}, {{phone}}, {{message}}. */
+    templateId: string;
+    /** EmailJS public key. Safe to ship to the browser. */
+    publicKey: string;
+  };
+  /** Optional reCAPTCHA v2 sitekey. If set, the modal renders a captcha widget and blocks submit until solved. */
+  recaptcha?: {
+    siteKey: string;
+  };
+}
+
+export interface AuditConfig {
+  /** Per-provider requirement. 'optional' = pass either way; 'required' = fail if absent; 'banned' = fail if present. */
+  analytics?: {
+    ga4?: AuditRequirement;
+    gtm?: AuditRequirement;
+    googleAds?: AuditRequirement;
+    ahrefs?: AuditRequirement;
+    hotjar?: AuditRequirement;
+  };
+  /** Site verification meta tags. true = required, false/missing = optional. */
+  verification?: {
+    googleSearchConsole?: boolean;
+    bingWebmaster?: boolean;
+  };
+  forms?: {
+    requireSpamProtection?: boolean;
+    requireConsent?: boolean;
+  };
+}
+
+export type AuditRequirement = 'required' | 'optional' | 'banned';
+
 export interface SiteConfig {
   /** Absolute site URL, no trailing slash. e.g. 'https://example.com'. */
   url: string;

package/modules/contact/CLAUDE.md

@@ -0,0 +1,164 @@
+# Contact module — instructions for Claude
+
+When the user asks to **add a contact form** (or quote modal, lead capture, "implement codejitsu/core/contact"), do the following.
+
+## What this module provides
+
+A single, accessible contact modal component that:
+
+- Renders a centered modal with optional left-side image
+- Configurable fields (name, email, phone, message) — each enabled/required
+- Configurable title, submit button text, thank-you toast
+- HTML5 validation + custom hidden honeypot
+- Optional Google reCAPTCHA v2
+- Submits via [EmailJS](https://www.emailjs.com/) (`emailjs.sendForm`)
+- Dispatches `codejitsu-contact-submitted` event on success (sites wire analytics)
+- Full focus trap, Esc to close, backdrop click, focus restoration
+
+One modal per page (per id). Triggered from any `<button data-codejitsu-contact-trigger>` element.
+
+## Wiring it into an Astro site
+
+### 1. Set up EmailJS
+
+(Site owner does this once, not Claude.) Sign up at https://www.emailjs.com/, create:
+- a service (e.g. Gmail, SMTP)
+- a template that uses these template variables: `{{name}}`, `{{email}}`, `{{phone}}`, `{{message}}`
+- copy the service ID, template ID, and public key
+
+### 1a. CRITICAL — reCAPTCHA on a static site only works if EmailJS verifies it
+
+The modal shows the reCAPTCHA widget client-side, but **without server-side
+verification of the token, the widget is theater**. A static site has no server
+to run the verification. EmailJS provides this verification as a service — you
+must enable it explicitly:
+
+1. EmailJS dashboard → **Email Templates** → your template → **Settings** tab
+2. Toggle **"Verify reCAPTCHA"** on
+3. Paste your reCAPTCHA **secret key** (NOT the sitekey — the secret key, found
+   alongside the sitekey in Google's reCAPTCHA admin)
+4. Save
+
+Now EmailJS rejects submissions with invalid tokens before sending the email.
+
+If you SKIP this step, leave reCAPTCHA out of the modal entirely. Use the
+honeypot (always on) + EmailJS rate limits as your spam defense. A
+non-verified reCAPTCHA widget is friction with no real benefit and breaks on
+localhost during dev.
+
+### 2. Drop the modal into a layout
+
+In a layout that wraps every page (e.g. `src/layouts/BaseLayout.astro`), import and place the component **once**, anywhere inside `<body>` (typically just before `</body>`):
+
+```astro
+---
+import ContactModal from '@ibalzam/codejitsu-core/contact/ContactModal.astro';
+import config from '../../codejitsu.config';
+---
+
+<!-- ... existing layout content ... -->
+
+<ContactModal
+  title="Get a Free Quote"
+  image={{ src: '/assets/images/contact.webp', alt: 'Our team' }}
+  fields={{
+    name:    { required: true },
+    email:   { required: true },
+    phone:   { required: true },
+    message: { required: false },
+  }}
+  submitText="Submit Quote Request"
+  thankYouMessage="Thanks! We'll be in touch within 24 hours."
+  emailjs={{
+    serviceId: config.contact.emailjs.serviceId,
+    templateId: config.contact.emailjs.templateId,
+    publicKey: config.contact.emailjs.publicKey,
+  }}
+  recaptcha={config.contact.recaptcha}
+/>
+```
+
+Pass the EmailJS keys via `codejitsu.config.ts` so they're declared once, not hardcoded in every layout.
+
+### 3. Add EmailJS keys to `codejitsu.config.ts`
+
+```ts
+import { defineConfig } from '@ibalzam/codejitsu-core/config';
+
+export default defineConfig({
+  // ...
+  contact: {
+    emailjs: {
+      serviceId: 'service_xxx',
+      templateId: 'template_xxx',
+      publicKey: 'xxx',          // safe to ship to browser (public)
+    },
+    recaptcha: {
+      siteKey: '6Lxxxxxxxxxxxxxxx',  // optional
+    },
+  },
+});
+```
+
+### 4. Add triggers anywhere
+
+Any clickable element with `data-codejitsu-contact-trigger`:
+
+```html
+<button data-codejitsu-contact-trigger>Get a quote</button>
+<a href="#contact" data-codejitsu-contact-trigger>Talk to us</a>
+```
+
+### 5. Optional: wire analytics
+
+The component dispatches a `codejitsu-contact-submitted` event on success. Add a listener for GA4 / Google Ads / etc.:
+
+```html
+<script is:inline>
+  window.addEventListener('codejitsu-contact-submitted', (e) => {
+    // e.detail = { modalId, formData: { name, email, phone, message } }
+    if (typeof gtag === 'function') {
+      gtag('event', 'conversion', { send_to: 'AW-XXXXXXXX/XXXXXX' });
+    }
+  });
+</script>
+```
+
+The component itself stays generic — no analytics inside it.
+
+## Theming
+
+The component uses Tailwind classes for layout and CSS variables for brand colors. Set on `:root` in your global CSS:
+
+```css
+:root {
+  --codejitsu-modal-accent: #YOUR_BRAND;        /* button bg + focus ring */
+  --codejitsu-modal-accent-hover: #DARKER;
+  --codejitsu-modal-on-accent: #ffffff;          /* text on the button */
+}
+```
+
+If you don't set them, defaults are blue (`#2563eb`).
+
+## What must NOT be done
+
+- **Don't put the modal in every page** — put it in a single layout that wraps all pages. Multiple instances per page break (duplicate DOM ids).
+- **Don't hardcode EmailJS keys in the component invocation.** Read from `codejitsu.config.ts` so rotating keys touches one file.
+- **Don't put `secretKey` or sensitive EmailJS values in the config.** Only the public key is safe to ship to the browser. EmailJS Service ID + Template ID + Public Key are all public.
+- **Don't disable the honeypot.** It's invisible to humans and catches a meaningful slice of bot submissions for free.
+- **Don't add analytics calls inside the modal.** Use the `codejitsu-contact-submitted` event from outside.
+- **Don't replace the focus trap or Esc handler with custom logic.** Both are accessibility-required.
+
+## Verify
+
+- [ ] Modal opens when trigger clicked (any `data-codejitsu-contact-trigger`)
+- [ ] Esc closes it
+- [ ] Backdrop click closes it
+- [ ] Tab cycles within the modal (focus trap)
+- [ ] Required fields show `*` and HTML5 validation fires on empty submit
+- [ ] Submit calls EmailJS and shows toast on success
+- [ ] On submit success, `codejitsu-contact-submitted` event fires
+- [ ] reCAPTCHA (if configured) blocks submit until completed
+- [ ] Honeypot field is visually hidden (off-screen) and not focusable
+
+Run `npx codejitsu audit` — the Forms group will detect the modal, count its fields, verify the JS submit hook is present.