@networkpro/web 1.24.5 → 1.25.1

package/.github/workflows/branch-guard.yml

@@ -24,14 +24,30 @@ jobs:
     steps:
       - name: Check commit source
         run: |
-          # Only trigger warning if commit wasn't from a merge or bot
-          if [[ "${{ github.event.head_commit.message }}" != *"Merge pull request"* ]] && \
-             [[ "${{ github.actor }}" != "dependabot[bot]" ]]; then
-            echo "::warning ::⚠️ Direct commit to ${GITHUB_REF##*/} by $GITHUB_ACTOR."
-            echo "### ⚠️ Direct Commit Detected" >> $GITHUB_STEP_SUMMARY
-            echo "A commit was pushed directly to \`${GITHUB_REF##*/}\` by **${GITHUB_ACTOR}**." >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "💡 It's recommended to use pull requests for traceability and CI validation." >> $GITHUB_STEP_SUMMARY
-          else
-            echo "✅ Merge or bot commit detected — no action needed."
+          commit_msg="${{ github.event.head_commit.message }}"
+          actor="${{ github.actor }}"
+          branch="${GITHUB_REF##*/}"
+
+          echo "📝 Commit message: $commit_msg"
+          echo "👤 Actor: $actor"
+          echo "🌿 Branch: $branch"
+
+          # Define known safe patterns (merge or bot commits)
+          if echo "$commit_msg" | grep -Eq "Merge pull request|See merge request|Merge branch|(#\d+)$"; then
+            echo "✅ Merge-related commit detected — no warning."
+            exit 0
           fi
+
+          if [[ "$actor" == "dependabot[bot]" ]] || [[ "$actor" == "renovate[bot]" ]] || [[ "$actor" == "github-actions[bot]" ]]; then
+            echo "🤖 Bot commit detected — skipping warning."
+            exit 0
+          fi
+
+          # Otherwise, warn for direct commits
+          echo "::warning ::⚠️ Direct commit to $branch by $actor."
+          {
+            echo "### ⚠️ Direct Commit Detected"
+            echo "A commit was pushed directly to \`$branch\` by **$actor**."
+            echo ""
+            echo "💡 It's recommended to use pull requests for traceability and CI validation."
+          } >> $GITHUB_STEP_SUMMARY

package/CHANGELOG.md

@@ -22,6 +22,98 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 ---
 
+## [1.25.1]
+
+### Added
+
+- Introduced new **environment diagnostics endpoint** at `src/routes/api/env-check/+server.js`.
+  - Returns resolved build and runtime environment data for verification.
+  - Useful for confirming `ENV_MODE` / `PUBLIC_ENV_MODE` propagation on Vercel builds.
+  - Helps troubleshoot environment mismatches between build-time and client-side contexts.
+
+### Changed
+
+- **vite.config.js**
+  - Enhanced configuration to log build mode and environment variables during bundling.
+  - Prints `mode`, `ENV_MODE`, `PUBLIC_ENV_MODE`, and `NODE_ENV` to aid CI/CD debugging.
+  - Uses color-coded console output for clear visibility in build logs.
+- **env.js**
+  - Simplified and stabilized environment detection logic for better cross-environment consistency.
+  - Removed redundant imports and corrected handling of static vs dynamic `BUILD_ENV_MODE`.
+  - Improved comments and type annotations for maintainability and IDE autocompletion.
+
+### Developer Experience
+
+- Build logs now clearly display environment information before bundling.
+- `env-check` API endpoint provides real-time environment inspection without rebuilding.
+
+---
+
+## [1.25.0]
+
+### Added
+
+- Introduced unified environment detection utility (`src/lib/utils/env.js`) with full **JSDoc typing**.
+  - Normalizes `process.env` and `import.meta.env` usage across SSR (Node) and client contexts.
+  - Safely handles browser environments where `process` is undefined.
+  - Provides standardized flags for:
+    - `isDev`, `isProd`, `isAudit`, `isCI`, and `isTest`
+  - Enables consistent environment checks across analytics, CSP, and runtime logic.
+
+- Added hybrid **environment + host-based analytics guard** in `src/lib/stores/posthog.js`.
+  - Automatically disables PostHog tracking in `audit` mode or when hostname matches `*.audit.netwk.pro`.
+  - Prevents analytics initialization during development and test contexts.
+  - Uses the shared `detectEnvironment()` utility for centralized logic.
+  - Improves runtime logging for environment-specific behavior.
+
+### Changed
+
+- Updated `hooks.server.js` to include a dedicated **audit environment block** for Content Security Policy (CSP).
+  - Hardened audit CSP by removing all analytics-related sources (`posthog.com`, `posthog-assets.com`).
+  - Redirects CSP violation reporting to the mock endpoint (`/api/mock-csp`) in audit mode.
+  - Preserves full HSTS and other production security headers for audit deployments.
+  - Added clear separation between `test`, `audit`, and `prod` security policies.
+  - Improved console debugging for environment detection (`NODE_ENV`, `ENV_MODE`).
+
+- Refactored **environment detection logic** for improved reliability across client and server contexts.
+  - Added unified environment resolver at `src/lib/utils/env.js` to standardize detection for `dev`, `prod`, `audit`, `ci`, and `test` modes.
+  - Ensures consistent handling of both `process.env.*` (Node/SSR) and `import.meta.env.*` (Vite/client) variables.
+  - Prevents mismatched behavior between browser-side analytics (`posthog.js`) and server-side policies (`hooks.server.js`).
+  - Automatically falls back to `'unknown'` if no explicit mode is set, avoiding build-time exceptions.
+
+- Refactored **Branch Guard** workflow (`.github/workflows/branch-guard.yml`) for improved accuracy and reduced noise.
+  - Adjusted detection logic to **ignore merge commits**, Dependabot updates, and automated actions.
+  - Ensures workflow warnings are shown **only for true direct commits** to protected branches (`master`, `main`).
+  - Simplified step output and summary formatting for clearer reporting in the Actions log and job summary.
+  - Maintains lightweight permissions (`contents: read`) and executes entirely without repository writes.
+  - Improves reliability of branch protection monitoring without affecting CI or merge operations.
+
+### Fixed
+
+- Resolved client-side crash in browser environments caused by `process.env` being undefined.
+  - Implemented defensive checks in `env.js` for `process` availability.
+  - Eliminated reference errors during client-side initialization of analytics.
+
+### Developer Experience
+
+- Simplified future configuration by consolidating environment checks into a single typed utility.
+- Improved maintainability and Vercel compatibility by ensuring `.env.audit` and `PUBLIC_ENV_MODE` variables propagate correctly to both client and server environments.
+
+### Developer Notes
+
+- When deploying audit builds, ensure Vercel environment variables include:
+
+```bash
+ENV_MODE=audit
+PUBLIC_ENV_MODE=audit
+```
+
+This enables analytics filtering and CSP hardening for the audit environment.
+
+- Audit deployments retain full HTTPS and security headers but omit telemetry and external CSP reporting.
+
+---
+
 ## [1.24.5]
 
 ### Added
@@ -54,6 +146,9 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 - For instructions on installing and configuring the new dependencies, please see the **[Editor Configuration](https://github.com/netwk-pro/netwk-pro.github.io/wiki/Editor-Configuration#automation)** section of the [Wiki](https://github.com/netwk-pro/netwk-pro.github.io/wiki).
 
+> **Note:** Version `1.24.4` was merged but not tagged or released.  
+> Subsequent updates are reflected in `v1.24.5` and later.
+
 ---
 
 ## [1.24.4]
@@ -1515,7 +1610,9 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 <!-- Link references -->
 
-[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.24.5...HEAD
+[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.25.1...HEAD
+[1.25.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.1
+[1.25.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.0
 [1.24.5]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.5
 [1.24.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.4
 [1.24.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.3

package/cspell.json

@@ -27,6 +27,7 @@
     "heliboard",
     "homescreen",
     "HREFTOP",
+    "HSTS",
     "Izzy",
     "Keybase",
     "keypair",

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@networkpro/web",
   "private": false,
-  "version": "1.24.5",
+  "version": "1.25.1",
   "description": "Locking Down Networks, Unlocking Confidence™ | Security, Networking, Privacy — Network Pro Strategies",
   "keywords": [
     "advisory",
@@ -35,9 +35,11 @@
   },
   "scripts": {
     "dev": "vite dev",
+    "dev:audit": "vite --mode audit",
     "start": "npm run dev",
     "dev:vercel": "vercel dev",
     "build": "vite build",
+    "build:audit": "vite build --mode audit",
     "build:vercel": "vercel build",
     "preview": "vite preview",
     "css:bundle": "node scripts/bundleCss.js",

package/src/hooks.server.js

@@ -6,33 +6,25 @@ SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
 This file is part of Network Pro.
 ========================================================================== */
 
+import { detectEnvironment } from '$lib/utils/env.js';
+
 /**
  * SvelteKit server hook to set Content Security Policy (CSP) header.
  * @type {import('@sveltejs/kit').Handle}
  */
 export async function handle({ event, resolve }) {
-  // Create the response
   const response = await resolve(event);
 
-  // Determine environment flags
-  // Default to development policy if neither test nor prod
-  const isTestEnvironment =
-    process.env.NODE_ENV === 'development' ||
-    process.env.ENV_MODE === 'dev' ||
-    process.env.ENV_MODE === 'ci';
-  const isProdEnvironment =
-    process.env.NODE_ENV === 'production' || process.env.ENV_MODE === 'prod';
-
-  console.log('[CSP Debug] NODE_ENV:', process.env.NODE_ENV);
-  console.log('[CSP Debug] ENV_MODE:', process.env.ENV_MODE);
+  const { isAudit, isTest, isProd, effective, mode } = detectEnvironment();
+  console.log('[CSP Debug ENV]', { mode, effective, isProd, isAudit, isTest });
 
   // Determine report URI
   const reportUri =
-    isProdEnvironment && !isTestEnvironment
+    isProd && !isTest && !isAudit
       ? 'https://csp.netwk.pro/.netlify/functions/csp-report'
       : '/api/mock-csp';
 
-  // Construct base policy
+  // Base hardened policy
   const cspDirectives = [
     "default-src 'self';",
     "script-src 'self' 'unsafe-inline' https://us.i.posthog.com https://us-assets.i.posthog.com;",
@@ -45,40 +37,45 @@ export async function handle({ event, resolve }) {
     "object-src 'none';",
     "frame-ancestors 'none';",
     'upgrade-insecure-requests;',
-    // Report CSP violations to external endpoint hosted at csp.netwk.pro
-    `report-uri ${reportUri};`,
-    'report-to csp-endpoint;',
   ];
 
-  // Loosen up CSP for test environments (and allow local PostHog proxy)
-  if (isTestEnvironment) {
+  // 🧪 Looser CSP for local/CI test environments
+  if (isTest) {
     cspDirectives[1] =
       "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://localhost:* ws://localhost:*;";
-    cspDirectives[2] =
-      "script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' http://localhost:* ws://localhost:*;";
-    cspDirectives[3] = "style-src 'self' 'unsafe-inline' http://localhost:*;";
-    cspDirectives[4] = "img-src 'self' data: http://localhost:*;";
-    cspDirectives[5] =
+    cspDirectives[2] = "style-src 'self' 'unsafe-inline' http://localhost:*;";
+    cspDirectives[3] = "img-src 'self' data: http://localhost:*;";
+    cspDirectives[4] =
       "connect-src 'self' http://localhost:* ws://localhost:* https://us.i.posthog.com https://us-assets.i.posthog.com;";
   }
 
-  response.headers.set(
-    'Report-To',
-    JSON.stringify({
-      group: 'csp-endpoint',
-      max_age: 10886400, // 18 weeks
-      endpoints: [
-        {
-          url: 'https://csp.netwk.pro/.netlify/functions/csp-report',
-        },
-      ],
-      include_subdomains: true,
-    }),
-  );
+  // 🧩 Hardened CSP for audit environment — no analytics, no CSP reporting
+  if (isAudit) {
+    cspDirectives[1] = "script-src 'self' 'unsafe-inline';";
+    cspDirectives[2] = "style-src 'self' 'unsafe-inline';";
+    cspDirectives[3] = "img-src 'self' data:;";
+    cspDirectives[4] = "connect-src 'self';";
+  }
+
+  // 📋 Attach CSP report directives ONLY in production
+  if (isProd && !isAudit && !isTest) {
+    cspDirectives.push(`report-uri ${reportUri};`, 'report-to csp-endpoint;');
 
+    response.headers.set(
+      'Report-To',
+      JSON.stringify({
+        group: 'csp-endpoint',
+        max_age: 10886400, // 18 weeks
+        endpoints: [{ url: reportUri }],
+        include_subdomains: true,
+      }),
+    );
+  }
+
+  // ✅ Apply final CSP
   response.headers.set('Content-Security-Policy', cspDirectives.join(' '));
 
-  // Set other security headers
+  // Standard security headers
   response.headers.set(
     'Permissions-Policy',
     [
@@ -103,10 +100,10 @@ export async function handle({ event, resolve }) {
   response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
   response.headers.set('X-Frame-Options', 'DENY');
 
-  if (process.env.ENV_MODE !== 'test' && process.env.ENV_MODE !== 'ci') {
+  if (!isTest) {
     response.headers.set(
       'Strict-Transport-Security',
-      'max-age=31536000; includeSubDomains;', // No preload here
+      'max-age=31536000; includeSubDomains;',
     );
   }
 
@@ -120,8 +117,5 @@ export async function handle({ event, resolve }) {
 export function handleError({ error, event }) {
   console.error('🔴 SSR Error in route:', event.url.pathname);
   console.error(error);
-
-  return {
-    message: 'A server-side error occurred',
-  };
+  return { message: 'A server-side error occurred' };
 }

package/src/lib/stores/posthog.js

@@ -15,6 +15,7 @@ import {
   remindUserToReconsent,
   trackingPreferences,
 } from '$lib/stores/trackingPreferences.js';
+import { detectEnvironment } from '$lib/utils/env.js';
 import { get, writable } from 'svelte/store';
 
 /**
@@ -38,24 +39,52 @@ let ph = null;
 /**
  * Initializes the PostHog analytics client if tracking is permitted.
  * Uses dynamic import to avoid SSR failures.
+ *
  * @returns {Promise<void>}
  */
 export async function initPostHog() {
   if (initialized || typeof window === 'undefined') return;
-  const isDev = import.meta.env.MODE === 'development';
-  if (isDev) {
-    console.info('[PostHog] Skipping init in development mode.');
+
+  const { isAudit, isDev, isTest, mode, effective } = detectEnvironment();
+
+  // 🌐 Hybrid hostname + environment guard
+  const host = window.location.hostname;
+  const isAuditHost = /(^|\.)audit\.netwk\.pro$/i.test(host);
+  const effectiveAudit = isAudit || isAuditHost;
+
+  // 🧭 Log environment context before any conditional logic
+  console.info('[PostHog ENV]', {
+    buildMode: mode,
+    effectiveMode: effective,
+    host,
+    effectiveAudit,
+    isDev,
+    isTest,
+  });
+
+  // 🚫 Skip analytics in audit context
+  if (effectiveAudit) {
+    console.info(
+      `[PostHog] Skipping analytics (${effective} mode, host: ${host}).`,
+    );
+    return;
+  }
+
+  // 🧱 Skip entirely in dev/test contexts
+  if (isDev || isTest) {
+    console.info('[PostHog] Skipping init in dev/test mode.');
     return;
   }
 
+  // 🚀 Production analytics logic (with user consent)
   initialized = true;
 
   const { enabled } = get(trackingPreferences);
   trackingEnabled.set(enabled);
-  showReminder.set(get(remindUserToReconsent)); // use derived store instead
+  showReminder.set(get(remindUserToReconsent));
 
   if (!enabled) {
-    console.log('[PostHog] Tracking is disabled — skipping init.');
+    console.log('[PostHog] Tracking disabled — user opted out.');
     return;
   }
 
@@ -63,6 +92,7 @@ export async function initPostHog() {
     const posthogModule = await import('posthog-js');
     ph = posthogModule.default;
 
+    // ✅ Initialize PostHog
     // cspell:disable-next-line
     ph.init('phc_Qshfo6AXzh4pS7aPigfqyeo4qj1qlyh7gDuHDeVMSR0', {
       api_host: '/relay-MSR0/',

package/src/lib/utils/env.js

@@ -0,0 +1,81 @@
+/* ==========================================================================
+src/lib/utils/env.js
+
+Copyright © 2025 Network Pro Strategies (Network Pro™)
+SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
+This file is part of Network Pro.
+========================================================================== */
+
+/**
+ * @file env.js
+ * @description Unified environment detection utility.
+ * Normalizes process.env and import.meta.env for consistent behavior
+ * across SvelteKit server (SSR), client (browser), and build-time contexts.
+ *
+ * Supports: dev, prod, ci, test, audit.
+ *
+ * @module src/lib/utils
+ * @author Scott Lopez
+ * @updated 2025-11-02
+ *
+ * @example
+ * import { detectEnvironment } from '$lib/utils/env.js';
+ * const { isAudit, isProd } = detectEnvironment();
+ * if (isAudit) console.log('Running in audit mode');
+ */
+
+/**
+ * @typedef {object} EnvironmentInfo
+ * @property {string} mode        - The build-time environment mode.
+ * @property {string} effective   - The environment actually being used (after host fallback).
+ * @property {boolean} isDev
+ * @property {boolean} isProd
+ * @property {boolean} isAudit
+ * @property {boolean} isCI
+ * @property {boolean} isTest
+ */
+
+/**
+ * Build-time mode injected by Vite.
+ * Always baked into the client bundle.
+ * Falls back to 'production' if nothing else is defined.
+ */
+export const BUILD_ENV_MODE =
+  import.meta.env.PUBLIC_ENV_MODE || import.meta.env.MODE || 'production';
+
+/**
+ * Detects the current environment, combining build-time
+ * and runtime (hostname-based) checks.
+ * Works safely in both Node and browser contexts.
+ *
+ * @returns {EnvironmentInfo}
+ */
+export function detectEnvironment() {
+  const mode = BUILD_ENV_MODE;
+
+  // Client-side fallback for audit/netwk environments
+  const host = typeof window !== 'undefined' ? window.location.hostname : '';
+
+  const hostIsAudit = /(^|\.)audit\.netwk\.pro$/i.test(host);
+
+  const isDev = ['development', 'dev'].includes(mode);
+  const isProd = ['production', 'prod'].includes(mode);
+  const isAudit = mode === 'audit' || hostIsAudit;
+  const isCI = mode === 'ci';
+  const isTest = mode === 'test';
+
+  // Prefer host-based detection if it disagrees with build-time
+  const effective = hostIsAudit && !isAudit ? 'audit(host)' : mode;
+
+  if (typeof window === 'undefined') {
+    // Only log on server / build to avoid client noise
+    console.log('[detectEnvironment] Build mode:', mode);
+    if (hostIsAudit && mode !== 'audit') {
+      console.log(
+        '[detectEnvironment] Host suggests audit, overriding build-time mode.',
+      );
+    }
+  }
+
+  return { mode, effective, isDev, isProd, isAudit, isCI, isTest };
+}

package/src/routes/api/env-check/+server.js

@@ -0,0 +1,25 @@
+/* ==========================================================================
+src/routes/api/env-check/+server.js
+
+Copyright © 2025 Network Pro Strategies (Network Pro™)
+SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
+This file is part of Network Pro.
+========================================================================== */
+
+/**
+ * @file Returns the current environment state (client + server vars)
+ * @type {import('@sveltejs/kit').RequestHandler}
+ */
+export async function GET() {
+  const data = {
+    NODE_ENV: process.env.NODE_ENV,
+    ENV_MODE: process.env.ENV_MODE,
+    PUBLIC_ENV_MODE: process.env.PUBLIC_ENV_MODE,
+    IMPORT_META_MODE: import.meta.env.MODE,
+    IMPORT_META_PUBLIC: import.meta.env.PUBLIC_ENV_MODE,
+  };
+
+  return new Response(JSON.stringify(data, null, 2), {
+    headers: { 'Content-Type': 'application/json' },
+  });
+}

package/src/service-worker.js

@@ -38,10 +38,11 @@ const IGNORE_PATHS = new Set([
   '/pgp/contact@s.neteng.pro.asc',
   '/pgp/github@sl.neteng.cc.asc',
   '/pgp/security@s.neteng.pro.asc',
-  '/pgp/support@neteng.pro.asc',
+  '/pgp/support@netwk.pro.asc',
   '/screenshots/desktop-foss.png',
   '/webfonts/fa-brands-400.ttf',
   '/webfonts/fa-solid-900.ttf',
+  '/7cbb39ce-750b-43da-83b8-8980e5554d4d.txt',
   '/robots.txt',
   '/sitemap.xml',
   '/CNAME',

package/vite.config.js

@@ -17,20 +17,42 @@ import tsconfigPaths from 'vite-tsconfig-paths'; // NEW: tsconfig/jsconfig alias
 // Compute absolute project root
 const projectRoot = fileURLToPath(new URL('.', import.meta.url));
 
-export default defineConfig({
-  plugins: [
-    tsconfigPaths(), // Insert before sveltekit()
-    devtoolsJson({
-      projectRoot: resolve(projectRoot), // Correct key name
-      normalizeForWindowsContainer: true, // optional, helps with path consistency on Windows or WSL
-      uuid: 'ad0db4f4-6172-4c1e-ae17-26b1bee53764',
-    }),
-    sveltekit(),
-    lightningcssPlugin({
-      minify: process.env.NODE_ENV === 'production',
-      pruneUnusedFontFaceRules: true,
-      pruneUnusedKeyframes: true,
-      removeUnusedFontFaces: true,
-    }),
-  ],
+export default defineConfig(({ mode }) => {
+  // --- 🧩 Log Build Environment Info -------------------------------------
+  console.log(
+    '\x1b[36m%s\x1b[0m',
+    '──────────────────────────────────────────────',
+  );
+  console.log('\x1b[33m%s\x1b[0m', `📦 Building Network Pro — mode: ${mode}`);
+  console.log(
+    '\x1b[36m%s\x1b[0m',
+    '──────────────────────────────────────────────',
+  );
+  console.log('ENV_MODE:', process.env.ENV_MODE);
+  console.log('PUBLIC_ENV_MODE:', process.env.PUBLIC_ENV_MODE);
+  console.log('NODE_ENV:', process.env.NODE_ENV);
+  console.log(
+    '\x1b[36m%s\x1b[0m',
+    '──────────────────────────────────────────────',
+  );
+
+  // -----------------------------------------------------------------------
+
+  return {
+    plugins: [
+      tsconfigPaths(),
+      devtoolsJson({
+        projectRoot: resolve(projectRoot),
+        normalizeForWindowsContainer: true,
+        uuid: 'ad0db4f4-6172-4c1e-ae17-26b1bee53764',
+      }),
+      sveltekit(),
+      lightningcssPlugin({
+        minify: process.env.NODE_ENV === 'production',
+        pruneUnusedFontFaceRules: true,
+        pruneUnusedKeyframes: true,
+        removeUnusedFontFaces: true,
+      }),
+    ],
+  };
 });