@networkpro/web 1.25.2 → 1.25.4

package/.env.template

@@ -5,7 +5,7 @@
 # Rename to `.env` (or `.env.local`) and customize as needed
 
 # Custom environment mode for scripts and tooling
-# One of: dev, test, ci, preview, prod
+# One of: dev, test, ci, preview, production
 ENV_MODE=dev
 
 # Optional: API keys or tokens for local dev (never commit real values)

package/CHANGELOG.md

@@ -22,7 +22,57 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 ---
 
-## [1.25.2]
+## [1.25.4] - 2025-11-03
+
+### Added
+
+- `detectEnvironment()` now returns:
+  - `isDebug` boolean (true if `isDev` or `isTest`)
+  - `isLocalhost` (optional, in browser contexts)
+- Support for `PUBLIC_POSTHOG_PROJECT_KEY` using `import.meta.env`
+- Dynamic PostHog initialization (`initPostHog`) now uses env-based key injection
+- vite.config.js:
+  - `envPrefix: ['PUBLIC_']` added to expose public vars to client
+  - Console banner for `ENV_MODE`, `PUBLIC_ENV_MODE`, and audit-mode warning
+- CSP debug logs gated behind `isDebug` and server-only context
+- `.env.production` support via `--mode=production` guidance
+- Conditional `minify` flag for `lightningcssPlugin` based on `mode` (`production` or `audit`)
+
+### Changed
+
+- Environment detection (`env.js`) now respects hostname overrides and normalizes fallback logic for SSR/client consistency
+- Logs in `hooks.server.js` and PostHog analytics client are now gated by `isDebug` to avoid unnecessary noise in production
+- Better logging structure for PostHog initialization, including full `import.meta.env` dump in debug mode
+- Bumped project version to `v1.25.4`
+
+### Fixed
+
+- Broken or undefined env var behavior due to missing `envPrefix` in `vite.config.js`
+- Client-only `import.meta.env.PUBLIC_*` variables incorrectly resolving as `undefined` in production builds
+- CSP not reflecting audit context due to host-based detection mismatch
+
+### Developer Notes
+
+- `.env.production` is **now required** for full environment variable injection during `npm run build --mode=production` or Vercel deployments.
+  - Without it, `PUBLIC_` variables (e.g. `PUBLIC_POSTHOG_PROJECT_KEY`) may resolve as undefined in the client bundle.
+  - Local builds can still fall back to `.env` or `.env.development` by default.
+
+---
+
+## [1.25.3] - 2025-11-03
+
+### Changed
+
+- Updated `posthog.js` to display environmental context logs only in development and testing environments.
+- Bumped project version to `v1.25.3`.
+
+### Removed
+
+- Removed **Branch Guard** workflow (`.github/workflows/branch-guard.yml`), as it was resulting in mostly false positives.
+
+---
+
+## [1.25.2] - 2025-11-03
 
 ### Changed
 
@@ -46,7 +96,7 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 ---
 
-## [1.25.1]
+## [1.25.1] - 2025-11-02
 
 ### Added
 
@@ -74,7 +124,7 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 ---
 
-## [1.25.0]
+## [1.25.0] - 2025-11-02
 
 ### Added
 
@@ -1636,7 +1686,9 @@ This enables analytics filtering and CSP hardening for the audit environment.
 
 <!-- Link references -->
 
-[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.25.2...HEAD
+[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.25.4...HEAD
+[1.25.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.4
+[1.25.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.3
 [1.25.2]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.2
 [1.25.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.1
 [1.25.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.0

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@networkpro/web",
   "private": false,
-  "version": "1.25.2",
+  "version": "1.25.4",
   "description": "Locking Down Networks, Unlocking Confidence™ | Security, Networking, Privacy — Network Pro Strategies",
   "keywords": [
     "advisory",
@@ -38,7 +38,7 @@
     "dev:audit": "vite --mode audit",
     "start": "npm run dev",
     "dev:vercel": "vercel dev",
-    "build": "vite build",
+    "build": "vite build --mode production",
     "build:audit": "vite build --mode audit",
     "build:vercel": "vercel build",
     "preview": "vite preview",

package/src/hooks.server.js

@@ -16,16 +16,19 @@ export async function handle({ event, resolve }) {
   const response = await resolve(event);
 
   const env = detectEnvironment(event.url.hostname);
-  const { isAudit, isTest, isProd, mode, effective } = env;
-
-  console.log('[CSP Debug ENV]', {
-    mode,
-    effective,
-    hostname: event.url.hostname,
-    isAudit,
-    isTest,
-    isProd,
-  });
+  const { isAudit, isDebug, isTest, isProd, mode, effective } = env;
+
+  // Show logs in dev only
+  if (isDebug) {
+    console.log('[CSP Debug ENV]', {
+      mode,
+      effective,
+      hostname: event.url.hostname,
+      isAudit,
+      isTest,
+      isProd,
+    });
+  }
 
   // Determine report URI
   const reportUri =
@@ -49,7 +52,7 @@ export async function handle({ event, resolve }) {
   ];
 
   // 🧪 Looser CSP for local/CI test environments
-  if (isTest) {
+  if (isDebug) {
     cspDirectives[1] =
       "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://localhost:* ws://localhost:*;";
     cspDirectives[2] = "style-src 'self' 'unsafe-inline' http://localhost:*;";

package/src/lib/stores/posthog.js

@@ -45,7 +45,8 @@ let ph = null;
 export async function initPostHog() {
   if (initialized || typeof window === 'undefined') return;
 
-  const { isAudit, isDev, isTest, mode, effective } = detectEnvironment();
+  const { isAudit, isDebug, isDev, isTest, mode, effective } =
+    detectEnvironment();
 
   // 🌐 Hybrid hostname + environment guard
   const host = window.location.hostname;
@@ -53,14 +54,16 @@ export async function initPostHog() {
   const effectiveAudit = isAudit || isAuditHost;
 
   // 🧭 Log environment context before any conditional logic
-  console.info('[PostHog ENV]', {
-    buildMode: mode,
-    effectiveMode: effective,
-    host,
-    effectiveAudit,
-    isDev,
-    isTest,
-  });
+  if (isDebug) {
+    console.info('[PostHog ENV]', {
+      buildMode: mode,
+      effectiveMode: effective,
+      host,
+      effectiveAudit,
+      isDev,
+      isTest,
+    });
+  }
 
   // 🚫 Skip analytics in audit context
   if (effectiveAudit) {
@@ -71,7 +74,7 @@ export async function initPostHog() {
   }
 
   // 🧱 Skip entirely in dev/test contexts
-  if (isDev || isTest) {
+  if (isDebug) {
     console.info('[PostHog] Skipping init in dev/test mode.');
     return;
   }
@@ -92,9 +95,17 @@ export async function initPostHog() {
     const posthogModule = await import('posthog-js');
     ph = posthogModule.default;
 
+    // ✅ Load public key from env
+    const key = import.meta.env.PUBLIC_POSTHOG_PROJECT_KEY;
+    //console.log('✅ Key in runtime:', key);
+
+    if (!key) {
+      console.warn('[PostHog] ⚠️ PUBLIC_POSTHOG_PROJECT_KEY is not set.');
+      return;
+    }
+
     // ✅ Initialize PostHog
-    // cspell:disable-next-line
-    ph.init('phc_Qshfo6AXzh4pS7aPigfqyeo4qj1qlyh7gDuHDeVMSR0', {
+    ph.init(key, {
       api_host: '/relay-MSR0/',
       ui_host: 'https://us.posthog.com',
       autocapture: true,

package/src/lib/utils/env.js

@@ -33,6 +33,8 @@ This file is part of Network Pro.
  * @property {boolean} isAudit
  * @property {boolean} isCI
  * @property {boolean} isTest
+ * @property {boolean} isDebug    - True in dev or test mode (but not prod/audit)
+ * @property {boolean} isLocalhost - True if running on localhost (client context only)
  */
 
 /**
@@ -51,7 +53,7 @@ export const BUILD_ENV_MODE =
  * @returns {EnvironmentInfo}
  */
 export function detectEnvironment(hostOverride) {
-  const mode = BUILD_ENV_MODE;
+  const mode = (BUILD_ENV_MODE || '').toLowerCase();
 
   // Determine host based on execution context
   const host =
@@ -59,22 +61,35 @@ export function detectEnvironment(hostOverride) {
     (typeof window !== 'undefined' ? window.location.hostname : '');
 
   const hostIsAudit = /(^|\.)audit\.netwk\.pro$/i.test(host);
+  const isLocalhost = /^localhost$|^127\.0\.0\.1$/.test(host);
 
   const isDev = ['development', 'dev'].includes(mode);
   const isProd = ['production', 'prod'].includes(mode);
   const isAudit = mode === 'audit' || hostIsAudit;
   const isCI = mode === 'ci';
   const isTest = mode === 'test';
+  const isDebug = isDev || isTest;
 
   const effective = hostIsAudit && !isAudit ? 'audit(host)' : mode;
 
-  if (typeof window === 'undefined') {
-    console.log('[detectEnvironment] Server-side build mode:', mode);
-    console.log('[detectEnvironment] Hostname:', host || '(none)');
+  if (typeof window === 'undefined' && isDebug) {
+    console.log('🧭 [env] Server-side build mode:', mode);
+    console.log('🧭 [env] Hostname:', host || '(none)');
+    console.log('🧭 [env] Raw env:', import.meta.env);
     if (hostIsAudit && mode !== 'audit') {
-      console.log('[detectEnvironment] Host suggests audit, overriding mode.');
+      console.log('[env] Host suggests audit, overriding mode.');
     }
   }
 
-  return { mode, effective, isDev, isProd, isAudit, isCI, isTest };
+  return {
+    mode,
+    effective,
+    isDev,
+    isProd,
+    isAudit,
+    isCI,
+    isTest,
+    isDebug,
+    isLocalhost,
+  };
 }

package/vite.config.js

@@ -48,6 +48,7 @@ export default defineConfig(({ mode }) => {
   // -----------------------------------------------------------------------
 
   return {
+    envPrefix: ['PUBLIC_'],
     plugins: [
       tsconfigPaths(),
       devtoolsJson({
@@ -57,7 +58,7 @@ export default defineConfig(({ mode }) => {
       }),
       sveltekit(),
       lightningcssPlugin({
-        minify: process.env.NODE_ENV === 'production',
+        minify: ['production', 'audit'].includes(mode),
         pruneUnusedFontFaceRules: true,
         pruneUnusedKeyframes: true,
         removeUnusedFontFaces: true,

package/.github/workflows/branch-guard.yml

@@ -1,53 +0,0 @@
-# .github/workflows/branch-guard.yml
-#
-# Copyright © 2025 Network Pro Strategies (Network Pro™)
-# SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
-# This file is part of Network Pro
-#
-# Warns if commits are pushed directly to master/main instead of via PR.
-# Does NOT block the commit — it just posts a workflow summary and log warning.
-
-name: Branch Guard
-
-on:
-  push:
-    branches:
-      - master
-      - main
-
-permissions:
-  contents: read
-
-jobs:
-  warn-direct-commit:
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Check commit source
-        run: |
-          commit_msg="${{ github.event.head_commit.message }}"
-          actor="${{ github.actor }}"
-          branch="${GITHUB_REF##*/}"
-
-          echo "📝 Commit message: $commit_msg"
-          echo "👤 Actor: $actor"
-          echo "🌿 Branch: $branch"
-
-          # Define known safe patterns (merge or bot commits)
-          if echo "$commit_msg" | grep -Eq "Merge pull request|See merge request|Merge branch|(#\d+)$"; then
-            echo "✅ Merge-related commit detected — no warning."
-            exit 0
-          fi
-
-          if [[ "$actor" == "dependabot[bot]" ]] || [[ "$actor" == "renovate[bot]" ]] || [[ "$actor" == "github-actions[bot]" ]]; then
-            echo "🤖 Bot commit detected — skipping warning."
-            exit 0
-          fi
-
-          # Otherwise, warn for direct commits
-          echo "::warning ::⚠️ Direct commit to $branch by $actor."
-          {
-            echo "### ⚠️ Direct Commit Detected"
-            echo "A commit was pushed directly to \`$branch\` by **$actor**."
-            echo ""
-            echo "💡 It's recommended to use pull requests for traceability and CI validation."
-          } >> $GITHUB_STEP_SUMMARY