@networkpro/web 1.24.2 → 1.24.5

package/.github/workflows/branch-guard.yml

@@ -0,0 +1,37 @@
+# .github/workflows/branch-guard.yml
+#
+# Copyright © 2025 Network Pro Strategies (Network Pro™)
+# SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
+# This file is part of Network Pro
+#
+# Warns if commits are pushed directly to master/main instead of via PR.
+# Does NOT block the commit — it just posts a workflow summary and log warning.
+
+name: Branch Guard
+
+on:
+  push:
+    branches:
+      - master
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  warn-direct-commit:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check commit source
+        run: |
+          # Only trigger warning if commit wasn't from a merge or bot
+          if [[ "${{ github.event.head_commit.message }}" != *"Merge pull request"* ]] && \
+             [[ "${{ github.actor }}" != "dependabot[bot]" ]]; then
+            echo "::warning ::⚠️ Direct commit to ${GITHUB_REF##*/} by $GITHUB_ACTOR."
+            echo "### ⚠️ Direct Commit Detected" >> $GITHUB_STEP_SUMMARY
+            echo "A commit was pushed directly to \`${GITHUB_REF##*/}\` by **${GITHUB_ACTOR}**." >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "💡 It's recommended to use pull requests for traceability and CI validation." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "✅ Merge or bot commit detected — no action needed."
+          fi

package/.github/workflows/build-and-publish.yml

@@ -58,6 +58,10 @@ jobs:
       - name: Install jq
         run: sudo apt-get install -y jq
 
+      - name: Run npm audit
+        run: npm audit --audit-level=moderate
+        continue-on-error: true
+
       - name: Run JSDoc lint check
         id: jsdoc_lint
         continue-on-error: true

package/.github/workflows/probely-scan.yml

@@ -0,0 +1,95 @@
+# .github/workflows/probely-scan.yml
+#
+# Copyright © 2025 Network Pro Strategies (Network Pro™)
+# SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
+# This file is part of Network Pro
+
+name: Weekly DAST Scan (Probely)
+
+on:
+  schedule:
+    - cron: '0 9 * * 2' # Every Tuesday, 9 AM UTC
+  workflow_dispatch:
+
+jobs:
+  dast-scan:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      actions: read
+      id-token: none
+
+    env:
+      PROBELY_API_KEY: ${{ secrets.PROBELY_API_KEY }}
+      TARGET_ID: 3by8xa6kzArN
+      API_BASE: https://api.probely.com/v2 # Always include /v2
+      MAX_WAIT_MINUTES: 60 # configurable
+
+    steps:
+      - name: Start Probely Scan
+        id: start-scan
+        run: |
+          echo "🧪 Triggering Probely scan for target $TARGET_ID ..."
+          response=$(curl -s -X POST "$API_BASE/targets/$TARGET_ID/scans/" \
+            -H "Authorization: JWT $PROBELY_API_KEY" \
+            -H "Content-Type: application/json" \
+            -d '{}')
+
+          echo "Raw API response:"
+          echo "$response" | jq .
+
+          scan_id=$(echo "$response" | jq -r '.id // empty')
+
+          if [ -z "$scan_id" ]; then
+            echo "::error ::Failed to start scan — check API key, target ID, or base URL."
+            exit 1
+          fi
+
+          echo "scan_id=$scan_id" >> $GITHUB_ENV
+          echo "✅ Scan started with ID: $scan_id"
+
+      - name: Wait for Scan Completion
+        run: |
+          echo "⏳ Waiting for scan $scan_id to complete..."
+          elapsed=0
+          while [ $elapsed -lt $((MAX_WAIT_MINUTES * 60)) ]; do
+            status=$(curl -s "$API_BASE/scans/$scan_id/" \
+              -H "Authorization: JWT $PROBELY_API_KEY" | jq -r '.status // empty')
+
+            echo "⏱️  Status: $status (elapsed $elapsed sec)"
+
+            if [ "$status" = "completed" ]; then
+              echo "✅ Scan completed successfully."
+              break
+            elif [ "$status" = "failed" ]; then
+              echo "::error ::Scan failed."
+              exit 1
+            fi
+
+            sleep 60
+            elapsed=$((elapsed + 60))
+          done
+
+          if [ "$status" != "completed" ]; then
+            echo "::error ::Scan did not complete in time ($MAX_WAIT_MINUTES min timeout)."
+            exit 1
+          fi
+
+      - name: Download Probely HTML Report
+        run: |
+          echo "📥 Downloading report for scan $scan_id ..."
+          curl -s "$API_BASE/scans/$scan_id/report/" \
+            -H "Authorization: JWT $PROBELY_API_KEY" \
+            -o probely-report.html
+
+          if [ ! -s probely-report.html ]; then
+            echo "::error ::Report file is empty or missing."
+            exit 1
+          fi
+          echo "✅ Report saved as probely-report.html"
+
+      - name: Upload report artifact
+        uses: actions/upload-artifact@v5
+        with:
+          name: probely-report
+          path: probely-report.html

package/.github/workflows/secret-scan.yml

@@ -19,6 +19,8 @@ jobs:
       contents: read
       security-events: write
       issues: write
+    env:
+      CODEQL_ACTION_ANALYSIS_KEY: gitleaks
     steps:
       # ---------------------------------------------------------------------
       # Checkout the full repo history (needed for Gitleaks to scan all commits)

package/CHANGELOG.md

@@ -22,6 +22,85 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 ---
 
+## [1.24.5]
+
+### Added
+
+- Introduced **Branch Guard workflow** (`.github/workflows/branch-guard.yml`) to automatically enforce branch protection policies.
+  - Ensures consistent branch naming conventions.
+  - Blocks direct pushes to protected branches (e.g., `master`, `main`, and `release/*`).
+  - Provides early validation for pull requests and feature branches to maintain repository integrity.
+- Introduced comprehensive pre-push checks for code consistency and style compliance.
+  - Added optional `simple-git-hooks` configuration to automate local linting before commits or pushes.
+  - Implemented `lint:all` script using `npm-run-all` for efficient, parallel execution of linters.
+  - Ensures **ESLint**, **Stylelint**, **Markdownlint**, and **Prettier** all run before code is committed, improving codebase hygiene and preventing formatting drift.
+  - Designed for **developer-side speed and reliability**, running linters in parallel while deferring `format` (Prettier) until after lint checks complete for safety.
+- Added **hybrid linting configuration**:
+  - Parallel execution for static lint tasks (`eslint`, `stylelint`, `markdownlint`).
+  - Sequential Prettier formatting step for deterministic, race-free execution.
+
+### Changed
+
+- Reorganized local linting commands for clarity and consistency, consolidating redundant sequential scripts into the `lint:all` aggregator.
+- Improved developer experience with faster pre-push validations and clearer script naming conventions.
+- Bumped project version to `v1.24.5`.
+
+### Developer Experience
+
+- Enhanced local development workflow by introducing **fast, parallel linting** and **optional pre-commit hooks**, reducing turnaround time for style and quality checks.
+- Simplified npm scripts for readability and maintainability by adopting `npm-run-all` as the central task runner.
+
+### Notes
+
+- For instructions on installing and configuring the new dependencies, please see the **[Editor Configuration](https://github.com/netwk-pro/netwk-pro.github.io/wiki/Editor-Configuration#automation)** section of the [Wiki](https://github.com/netwk-pro/netwk-pro.github.io/wiki).
+
+---
+
+## [1.24.4]
+
+### Documentation
+
+- Added a **Continuous Security & Dependency Checks** section to `README.md`, outlining the automated vulnerability and dependency analysis integrated into CI/CD workflows.
+
+### Added
+
+- Introduced **non-blocking** `npm audit` **step** in the `build-and-publish.yml` workflow to automatically detect known vulnerabilities during dependency installation.
+- Introduced **[Probely](https://probely.com/) Dynamic Application Security Testing (DAST)** integration via a new GitHub Actions workflow at `.github/workflows/probely-scan.yml`.
+  - Executes **weekly automated scans** of the `audit.netwk.pro` environment every Tuesday at 09:00 UTC.
+  - Authenticates securely using a scoped **API key** stored in GitHub Secrets (`PROBELY_API_KEY`).
+  - Polls the Probely API for scan completion and retrieves the full **HTML vulnerability report**.
+  - Uploads reports as workflow **artifacts** for maintainers to review.
+  - Includes a 60-minute timeout and supports manual triggering via `workflow_dispatch`.
+  - Configured for **read-only testing** against non-production environments to safely identify potential web and API vulnerabilities.
+  - Future updates will introduce automated issue creation and alerting for high-severity findings.
+
+### Changed
+
+- Updated `static/robots.txt` to exclude redirect routes and sensitive/internal endpoints (e.g., `/api`, `/relay-*`, `/consultation`, `/contact`, `/status`, etc.) from automated crawlers and vulnerability scanners.
+- Bumped project version to `v1.24.4`.
+
+### Security
+
+- Enhanced continuous security coverage through the addition of **Probely DAST** for dynamic web and API vulnerability testing.
+- Maintained and improved **GitLeaks** secret scanning across pull requests and scheduled full-history scans.
+- Together, these workflows now provide full-spectrum coverage across **SAST** (static analysis) and **DAST** (dynamic analysis) layers within the CI/CD pipeline.
+
+---
+
+## [1.24.3]
+
+### Changed
+
+- Bumped project version to `v1.24.3`.
+- Updated `.github/workflows/secret-scan.yml` to utilize a unique `CODEQL_ACTION_ANALYSIS_KEY` to avoid conflicts with CodeQL.
+- Updated `static/robots.txt` to disallow crawling of the `/api` route.
+
+### Fixed
+
+- Corrected naming of `static/7cbb39ce-750b-43da-83b8-8980e5554d4d.txt`.
+
+---
+
 ## [1.24.2]
 
 ### Added
@@ -88,6 +167,12 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
   - `globals` `^16.4.0` → `^16.5.0`
   - `posthog-js` `^1.282.0` → `^1.284.0`
 
+### Security
+
+- Added **automated SAST scanning** via GitLeaks to prevent secrets and credentials from being committed.
+- Implemented **security event reporting** via GitHub’s Code Scanning interface (SARIF upload supported).
+- Configured **automated notifications** for detected leaks via GitHub Issues and optional ntfy alerts.
+
 ---
 
 ## [1.23.0] - 2025-10-30
@@ -199,7 +284,7 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 - Updated the text of `ServicesContent.svelte`.
 - Increased default Playwright test timeouts for navigation-sensitive suites (Desktop and Mobile) to improve stability under CI latency conditions.
 - Implemented `Promise.all()` pattern for combined click and navigation waits, reducing flakiness in route transition tests.
-- Updated the `'about' link` navigation tests in both Desktop and Mobile scenarios to include:
+- Updated the `about` link navigation tests in both Desktop and Mobile scenarios to include:
   - Explicit `page.waitForLoadState('domcontentloaded')` calls before assertions.
   - Extended per-suite timeouts (`90s`) using `test.setTimeout(90000)` for reliability on slower environments.
   - Added fallback `waitForURL('\*\*/about', { timeout: 60000 })` to ensure deterministic routing checks.
@@ -1430,7 +1515,10 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 <!-- Link references -->
 
-[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.24.2...HEAD
+[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.24.5...HEAD
+[1.24.5]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.5
+[1.24.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.4
+[1.24.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.3
 [1.24.2]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.2
 [1.24.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.1
 [1.24.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.0

package/README.md

@@ -36,6 +36,7 @@ All infrastructure and data flows are designed with **maximum transparency, self
 - [Repository Structure](#structure)
 - [Getting Started](#getting-started)
 - [Configuration](#configuration)
+- [Security & Dependency Checks](#security)
 - [Service Worker Utilities](#sw-utilities)
 - [Debug Mode](#debug)
 - [CSP Report Handler](#cspreport)
@@ -190,8 +191,6 @@ To implement a strict nonce-based CSP in the future:
 
 Note: Strict CSP adoption may require restructuring third-party integrations and deeper framework coordination.
 
-> 💡 The `[headers]` block in `netlify.toml` has been deprecated — all headers are now set dynamically from within SvelteKit.
-
  
 
 ### 🧭 `hooks.client.ts`
@@ -208,6 +207,27 @@ Client-side PWA logic (such as handling the `beforeinstallprompt` event, checkin
 
 ---
 
+<section id="security">
+
+## 🧩 Continuous Security & Dependency Checks
+
+Network Pro&trade; automatically performs dependency and vulnerability checks as part of its CI/CD pipeline:
+
+- **GitLeaks Secret Scanning** — detects potential secrets and credentials in commits, pull requests, and full-history scans.
+- **CodeQL Analysis** — runs static code scanning to detect code-level vulnerabilities.
+- **Probely DAST Scans** — executes weekly external scans on the audit deployment (`audit.netwk.pro`) to identify web application vulnerabilities.
+- **npm Audit** — runs during the build phase to detect known vulnerabilities in installed dependencies (`npm audit --audit-level=moderate`).
+- **Dependabot** — automatically monitors and updates outdated dependencies via pull requests.
+- **ESLint, Prettier, etc. (Local)** — enforces code quality and consistency during local development before commits.
+
+Each tool is configured to run in a safe, non-production environment to ensure reliability and protect sensitive data.
+
+</section>
+
+<sub>[Back to top](#top)</sub>
+
+---
+
 <section id="sw-utilities">
 
 ## ⚙️ Service Worker Utilities

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@networkpro/web",
   "private": false,
-  "version": "1.24.2",
+  "version": "1.24.5",
   "description": "Locking Down Networks, Unlocking Confidence™ | Security, Networking, Privacy — Network Pro Strategies",
   "keywords": [
     "advisory",
@@ -41,16 +41,16 @@
     "build:vercel": "vercel build",
     "preview": "vite preview",
     "css:bundle": "node scripts/bundleCss.js",
-    "prepare": "svelte-kit sync || echo ''",
+    "prepare": "svelte-kit sync && npx simple-git-hooks || echo ''",
     "check": "svelte-kit sync && svelte-check --tsconfig ./jsconfig.json",
     "check:watch": "svelte-kit sync && svelte-check --tsconfig ./jsconfig.json --watch",
     "type-check": "svelte-check --tsconfig ./jsconfig.json",
     "lint:types": "npm run type-check",
     "check:env": "node scripts/checkEnv.js",
     "check:node": "node scripts/checkNode.js",
-    "checkout": "npm run check:node && npm run test:all && npm run lint:all && npm run check",
+    "checkout": "npm-run-all check:node test:all lint:all check",
     "verify": "npm run checkout",
-    "delete": "rm -rf build .svelte-kit node_modules package-lock.json",
+    "delete": "rm -rf .svelte-kit node_modules package-lock.json",
     "clean": "npm run delete && npm cache clean --force && npm install",
     "upgrade": "ncu -u --format group --color",
     "check:updates": "ncu --format group --color",
@@ -69,14 +69,18 @@
     "lint:jsdoc": "eslint . --ext .js,.cjs,.mjs,.svelte --max-warnings=0",
     "lint:css": "stylelint \"**/*.{css,svelte}\" --ignore-path .stylelintignore",
     "lint:md": "npx markdownlint-cli2 \"**/*.{md,markdown}\" \"#node_modules/**\" \"#playwright-report/**\" \"#test-results/**\"",
-    "lint:all": "npm run lint && npm run lint:md && npm run lint:css && npm run format",
     "format": "prettier --check .",
     "format:fix": "prettier --write .",
+    "lint:all": "npm-run-all --parallel --print-label lint lint:md lint:css --sequential format",
     "lhci": "lhci",
     "lhci:run": "lhci autorun --config=.lighthouserc.cjs",
     "audit:coverage": "vitest run tests/internal/auditCoverage.test.js",
     "postinstall": "npm run check:node"
   },
+  "simple-git-hooks": {
+    "pre-commit": "if [ \"$CI\" = \"true\" ]; then exit 0; else npm run lint:all; fi",
+    "pre-push": "if [ \"$CI\" = \"true\" ]; then exit 0; else npm run checkout; fi"
+  },
   "dependencies": {
     "dompurify": "^3.3.0",
     "posthog-js": "^1.284.0",
@@ -105,10 +109,12 @@
     "lightningcss": "^1.30.2",
     "markdownlint": "^0.39.0",
     "markdownlint-cli2": "^0.18.1",
+    "npm-run-all": "^4.1.5",
     "playwright": "^1.56.1",
     "postcss": "^8.5.6",
     "prettier": "3.6.2",
     "prettier-plugin-svelte": "^3.4.0",
+    "simple-git-hooks": "^2.13.1",
     "stylelint": "^16.25.0",
     "stylelint-config-html": "^1.1.0",
     "stylelint-config-recommended": "^17.0.0",

package/static/robots.txt

@@ -17,12 +17,34 @@ Disallow: /coverage/
 Disallow: /build/
 Disallow: /.lighthouseci/
 
-# Disallow stub routes that redirect externally
+# --- Dynamic / redirect handlers
+Disallow: /relay-
+Disallow: /api/
+Disallow: /api/mock-csp
+
+# --- Stub and form routes
 Disallow: /contact
 Disallow: /privacy-rights
 Disallow: /consultation
 Disallow: /links
 Disallow: /posts
+Disallow: /privacy-rights
+
+# --- Error / system routes
+Disallow: /..404
+Disallow: /status
+
+# --- Optional: service utilities or PWA
+Disallow: /service-worker
+Disallow: /service-worker.js
+Disallow: /service-worker.d.ts
+
+# --- Futureproof catch-alls
+Disallow: /admin
+Disallow: /preview
+Disallow: /redirect
+Disallow: /mock-csp
+Disallow: /csp
 
 # Allow everything else
 Allow: /