@networkpro/web 1.25.5 → 1.25.6

package/.github/workflows/probely-scan.yml

@@ -21,31 +21,50 @@ jobs:
 
     env:
       PROBELY_API_KEY: ${{ secrets.PROBELY_API_KEY }}
-      TARGET_ID: 3by8xa6kzArN
-      API_BASE: https://api.probely.com/v2 # Always include /v2
+      TARGET_ID: ${{ secrets.PROBELY_TARGET_ID }}
+      API_BASE: https://api.probely.com
       MAX_WAIT_MINUTES: 60 # configurable
 
     steps:
       - name: Start Probely Scan
         id: start-scan
         run: |
+          curl_retry() {
+            curl --fail-with-body --retry 3 --retry-delay 5 --retry-max-time 30 "$@"
+          }
+
           echo "🧪 Triggering Probely scan for target $TARGET_ID ..."
-          response=$(curl -s -X POST "$API_BASE/targets/$TARGET_ID/scans/" \
+
+          response_file=$(mktemp)
+          http_code=$(curl_retry -s -w "%{http_code}" -o "$response_file" -X POST "$API_BASE/targets/$TARGET_ID/scan_now/" \
             -H "Authorization: JWT $PROBELY_API_KEY" \
             -H "Content-Type: application/json" \
             -d '{}')
 
-          echo "Raw API response:"
-          echo "$response" | jq .
+          echo "🌐 HTTP status: $http_code"
+          echo "📄 Raw API response:"
+          cat "$response_file"
+
+          if [ "$http_code" -ne 201 ]; then
+            echo "::error ::Unexpected HTTP response from Probely API: $http_code"
+            exit 1
+          fi
+
+          if ! jq . "$response_file" >/dev/null 2>&1; then
+            echo "::error ::Invalid JSON response from Probely API."
+            cat "$response_file"
+            exit 1
+          fi
 
-          scan_id=$(echo "$response" | jq -r '.id // empty')
+          jq . "$response_file"
+          scan_id=$(jq -r '.id // empty' "$response_file")
 
           if [ -z "$scan_id" ]; then
-            echo "::error ::Failed to start scan — check API key, target ID, or base URL."
+            echo "::error ::Scan ID not found in response. Check API key, target ID, or base URL."
             exit 1
           fi
 
-          echo "scan_id=$scan_id" >> $GITHUB_ENV
+          echo "scan_id=$scan_id" >> "$GITHUB_ENV"
           echo "✅ Scan started with ID: $scan_id"
 
       - name: Wait for Scan Completion
@@ -53,7 +72,7 @@ jobs:
           echo "⏳ Waiting for scan $scan_id to complete..."
           elapsed=0
           while [ $elapsed -lt $((MAX_WAIT_MINUTES * 60)) ]; do
-            status=$(curl -s "$API_BASE/scans/$scan_id/" \
+            status=$(curl --fail-with-body -s "$API_BASE/targets/$TARGET_ID/scans/$scan_id/" \
               -H "Authorization: JWT $PROBELY_API_KEY" | jq -r '.status // empty')
 
             echo "⏱️  Status: $status (elapsed $elapsed sec)"
@@ -78,18 +97,19 @@ jobs:
       - name: Download Probely HTML Report
         run: |
           echo "📥 Downloading report for scan $scan_id ..."
-          curl -s "$API_BASE/scans/$scan_id/report/" \
+          curl -s "$API_BASE/targets/$TARGET_ID/scans/$scan_id/endpoints/" \
             -H "Authorization: JWT $PROBELY_API_KEY" \
-            -o probely-report.html
+            -o probely-scan-coverage.csv
 
-          if [ ! -s probely-report.html ]; then
+          if [ ! -s probely-scan-coverage.csv ]; then
             echo "::error ::Report file is empty or missing."
             exit 1
           fi
-          echo "✅ Report saved as probely-report.html"
+          echo "✅ Report saved as probely-scan-coverage.csv"
 
       - name: Upload report artifact
         uses: actions/upload-artifact@v5
         with:
-          name: probely-report
-          path: probely-report.html
+          name: probely-scan-coverage
+          path: probely-scan-coverage.csv
+# cspell:ignore mktemp

package/.vscode/settings.json

@@ -41,40 +41,5 @@
   "css.customData": [
     ".vscode/customData.json" // Path to your custom data file
   ],
-  "markdown.validate.enabled": false,
-  "markdown.validate.ignoredLinks": [
-    "#bugs",
-    "#features",
-    "#top",
-    "#ownership",
-    "#trademark",
-    "#branding",
-    "#licensed-material",
-    "#licenses",
-    "#dlnotes",
-    "#cc-by",
-    "#gnu-gpl",
-    "#third-party",
-    "#prohibited-uses",
-    "#disclaimer",
-    "#contact",
-    "#revisions",
-    "#pledge",
-    "#standards",
-    "#response",
-    "#enforce",
-    "#attribute",
-    "#version",
-    "#structure",
-    "#getting-started",
-    "#configuration",
-    "#sw-utilities",
-    "#cspreport",
-    "#testing",
-    "#toolchain",
-    "#toolconfig",
-    "#scripts",
-    "#license",
-    "#questions"
-  ]
+  "markdown.validate.enabled": false
 }

package/CHANGELOG.md

@@ -22,6 +22,35 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 ---
 
+## [1.25.6] - 2025-11-04
+
+### Security
+
+- Hardened `Content-Security-Policy (CSP)` in `hooks.server.js`:
+  - Environment-specific policies for `production`, `audit`, `dev`, and `test`
+  - Added real CSP reporting endpoint (`csp.netwk.pro`) in production
+  - Report-only mode enabled in non-prod for safer diagnostics
+- Added `/api/mock-csp` endpoint to capture and log CSP violation reports in non-prod environments
+
+### Changed
+
+- Updated `README.md` with detailed explanation of the CSP enforcement strategy and future nonce-based roadmap
+- Moved inline styles from `Badges.svelte` and `Logo.svelte` to external stylesheet (`default.css`)
+- Regenerated `global.min.css` using LightningCSS to reflect updated external styles
+- Bumped project version to `v1.25.6`
+- Updated dependencies:
+  - `@eslint/js` `^9.39.0` → `^9.39.1`
+  - `eslint` `^9.39.0` → `^9.39.1`
+  - `eslint-plugin-jsdoc` `^61.1.11` → `^61.1.12`
+  - `svelte` `5.43.2` → `5.43.3`
+  - `posthog-js` `^1.284.0` → `^1.285.1`
+
+### Fixed
+
+- Updated `probely-scan.yml` GitHub workflow to utilize the correct API endpoint and cURL requests.
+
+---
+
 ## [1.25.5] - 2025-11-03
 
 ### Added
@@ -1702,7 +1731,8 @@ This enables analytics filtering and CSP hardening for the audit environment.
 
 <!-- Link references -->
 
-[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.25.5...HEAD
+[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.25.6...HEAD
+[1.25.6]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.6
 [1.25.5]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.5
 [1.25.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.4
 [1.25.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.3

package/README.md

@@ -173,23 +173,55 @@ This project includes custom runtime configuration files for enhancing security,
 
 ### 🔐 `hooks.server.js`
 
-Located at `src/hooks.server.js`, this file is responsible for injecting dynamic security headers. It includes:
+Located at `src/hooks.server.js`, this file dynamically injects security headers depending on the environment. It includes:
+
+- A **Content Security Policy (CSP)** with environment-based directives:
+  - **Production/Audit**: Enforced, hardened CSP
+  - **Test/Dev**: Uses `Content-Security-Policy-Report-Only` for safe diagnostics
+- A **Permissions Policy** that disables nonessential browser APIs
+- Standard HTTP security headers:
+  - `X-Content-Type-Options`
+  - `X-Frame-Options`
+  - `Referrer-Policy`
+  - `Strict-Transport-Security` (in non-test environments)
 
-- A Content Security Policy (CSP) configured with relaxed directives to permit inline scripts and styles (`'unsafe-inline'`)
-- A Permissions Policy to explicitly disable unnecessary browser APIs
-- Standard security headers such as `X-Content-Type-Options`, `X-Frame-Options`, and `Referrer-Policy`
+---
+
+### ⚙️ CSP Behavior by Environment
+
+| Environment  | Header                                | Analytics Enabled | CSP Reporting |
+| ------------ | ------------------------------------- | ----------------- | ------------- |
+| `production` | `Content-Security-Policy`             | ✅ Yes            | ✅ Yes        |
+| `audit`      | `Content-Security-Policy`             | ❌ No             | ❌ No         |
+| `dev`        | `Content-Security-Policy-Report-Only` | ❌ No             | ✅ Yes (mock) |
+| `test`       | `Content-Security-Policy-Report-Only` | ❌ No             | ✅ Yes (mock) |
+
+---
+
+### 🧪 Reporting & Debugging
 
-> ℹ️ A stricter CSP (excluding `'unsafe-inline'`) was attempted but reverted due to framework-level and third-party script compatibility issues. The current policy allows inline scripts to ensure stability across SvelteKit and analytics features such as PostHog.
+- In **non-production environments**, CSP headers are set to `report-only` mode.
+- Violations are POSTed to `/api/mock-csp`, which logs reports to the console.
+- In **production**, violations are sent to a real CSP collection endpoint (`https://csp.netwk.pro/.netlify/functions/csp-report`).
+
+---
+
+### ⚠️ Current Trade-Off
+
+> Due to limitations in PostHog and certain SvelteKit internals, the current policy allows `'unsafe-inline'` for scripts and styles. A strict CSP using nonces was previously attempted but blocked critical functionality.
+
+---
 
-#### Future Improvements
+### 📈 Future Improvements (Strict CSP Plan)
 
-To implement a strict nonce-based CSP in the future:
+To move toward a strict, nonce-based CSP:
 
-1. Add nonce generation and injection logic in `hooks.server.js`
-2. Update all inline `<script>` tags (e.g. in `app.html`) to include `nonce="__cspNonce__"`
-3. Ensure any analytics libraries or dynamic scripts support nonced or external loading
+1. Ensure **all inline scripts** are updated to include injected nonces (`nonce="%nonce%"`)
+2. Confirm **PostHog** or future analytics platforms support nonced or external scripts/stylesheets
+3. Review and refactor any components that rely on dynamic `style=` or `<style>` blocks without support for CSP nonces
+4. Move third-party scripts out of inline `<script>` tags where possible
 
-Note: Strict CSP adoption may require restructuring third-party integrations and deeper framework coordination.
+> ℹ️ Nonce-based CSP is the most secure long-term path but requires cooperation from all dependencies — and possibly upstream fixes to analytics tooling or SvelteKit itself.
 
 &nbsp;
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@networkpro/web",
   "private": false,
-  "version": "1.25.5",
+  "version": "1.25.6",
   "description": "Locking Down Networks, Unlocking Confidence™ | Security, Networking, Privacy — Network Pro Strategies",
   "keywords": [
     "advisory",
@@ -85,13 +85,13 @@
   },
   "dependencies": {
     "dompurify": "^3.3.0",
-    "posthog-js": "^1.284.0",
+    "posthog-js": "^1.285.1",
     "semver": "^7.7.3",
-    "svelte": "5.43.2"
+    "svelte": "5.43.3"
   },
   "devDependencies": {
     "@eslint/compat": "^1.4.1",
-    "@eslint/js": "^9.39.0",
+    "@eslint/js": "^9.39.1",
     "@lhci/cli": "^0.15.1",
     "@playwright/test": "^1.56.1",
     "@sveltejs/adapter-vercel": "^6.1.1",
@@ -102,9 +102,9 @@
     "@vitest/coverage-v8": "3.2.4",
     "autoprefixer": "^10.4.21",
     "browserslist": "^4.27.0",
-    "eslint": "^9.39.0",
+    "eslint": "^9.39.1",
     "eslint-config-prettier": "^10.1.8",
-    "eslint-plugin-jsdoc": "^61.1.11",
+    "eslint-plugin-jsdoc": "^61.1.12",
     "eslint-plugin-svelte": "^3.13.0",
     "globals": "^16.5.0",
     "jsdom": "26.1.0",

package/src/hooks.server.js

@@ -16,27 +16,15 @@ export async function handle({ event, resolve }) {
   const response = await resolve(event);
 
   const env = detectEnvironment(event.url.hostname);
-  const { isAudit, isDebug, isTest, isProd, mode, effective } = env;
+  const { isAudit, isDebug, isTest, isProd } = env;
 
-  // Show logs in dev only
-  if (isDebug) {
-    console.log('[CSP Debug ENV]', {
-      mode,
-      effective,
-      hostname: event.url.hostname,
-      isAudit,
-      isTest,
-      isProd,
-    });
-  }
-
-  // Determine report URI
   const reportUri =
     isProd && !isTest && !isAudit
       ? 'https://csp.netwk.pro/.netlify/functions/csp-report'
       : '/api/mock-csp';
 
-  // Base hardened policy
+  console.log('[CSP] Report URI set to:', reportUri);
+
   const cspDirectives = [
     "default-src 'self';",
     "script-src 'self' 'unsafe-inline' https://us.i.posthog.com https://us-assets.i.posthog.com;",
@@ -69,8 +57,10 @@ export async function handle({ event, resolve }) {
     cspDirectives[4] = "connect-src 'self';";
   }
 
-  // 📋 Attach CSP report directives ONLY in production
-  if (isProd && !isAudit && !isTest) {
+  // 📋 Add reporting for environments that support it
+  const shouldReport = !isAudit && !isTest;
+
+  if (shouldReport) {
     cspDirectives.push(`report-uri ${reportUri};`, 'report-to csp-endpoint;');
 
     response.headers.set(
@@ -84,8 +74,20 @@ export async function handle({ event, resolve }) {
     );
   }
 
-  // ✅ Apply final CSP
-  response.headers.set('Content-Security-Policy', cspDirectives.join(' '));
+  // ✅ Apply CSP — enforce in prod or audit, report-only in dev/test
+  const cspHeader =
+    (isProd || isAudit) && !isTest
+      ? 'Content-Security-Policy'
+      : 'Content-Security-Policy-Report-Only';
+
+  response.headers.set(cspHeader, cspDirectives.join(' '));
+
+  // Log applied CSP headers in debug/audit/test
+  if (isDebug || isAudit) {
+    console.info(`[CSP] Applied header: ${cspHeader}`);
+    console.info(`[CSP] Policy:`, cspDirectives.join(' '));
+    console.info(`[CSP] Reporting to: ${reportUri}`);
+  }
 
   // Standard security headers
   response.headers.set(

package/src/lib/components/Badges.svelte

@@ -29,8 +29,6 @@ This file is part of Network Pro.
    * @property {string} src - The source URL of the badge image.
    * @property {string} alt - The alt text for the badge image.
    * @property {string} [class] - The CSS class for styling the badge (optional).
-   * @property {string} width - The width of the badge (CSS value).
-   * @property {string} height - The height of the badge (CSS value).
    */
 
   /**
@@ -42,15 +40,13 @@ This file is part of Network Pro.
       href: ccbyLink,
       src: ccBadge,
       alt: 'Creative Commons BY',
-      width: '160px',
-      height: '24px',
+      class: 'badge badge--cc',
     },
     {
       href: gplLink,
       src: gplBadge,
       alt: 'GPL 3.0 or Later',
-      width: '120px',
-      height: '24px',
+      class: 'badge badge--gpl',
     },
   ];
 </script>
@@ -68,8 +64,7 @@ This file is part of Network Pro.
                 loading="lazy"
                 src={badge.src}
                 alt={badge.alt}
-                style:width={badge.width}
-                style:height={badge.height} />
+                class={badge.class} />
             </a>
           </td>
         {/each}

package/src/lib/components/Logo.svelte

@@ -7,9 +7,12 @@ This file is part of Network Pro.
 ========================================================================== -->
 
 <script>
+  import { CONSTANTS } from '$lib';
   // Import logo images
   import { logoPng, logoWbp } from '$lib';
 
+  const { COMPANY_INFO } = CONSTANTS;
+
   /**
    * Decoding mode for the image.
    * @type {"sync" | "async" | "auto"}
@@ -23,16 +26,16 @@ This file is part of Network Pro.
   export let loading = 'eager';
 
   /**
-   * CSS class for the logo image.
+   * Optional extra CSS classes for the logo image.
    * @type {string}
    */
-  export let className = 'logo';
+  export let className = '';
 
   /**
    * Alt text for the logo image.
    * @type {string}
    */
-  export let alt = 'Network Pro Strategies';
+  export let alt = COMPANY_INFO.NAME;
 
   /**
    * First part of the company slogan.
@@ -58,18 +61,6 @@ This file is part of Network Pro.
    */
   export let showTagline = true;
 
-  /**
-   * Width of the logo in pixels.
-   * @type {string}
-   */
-  export let width = '250px';
-
-  /**
-   * Height of the logo in pixels.
-   * @type {string}
-   */
-  export let height = '250px';
-
   /**
    * Fetch priority for the logo image.
    * @type {"high" | "low" | "auto"}
@@ -83,12 +74,10 @@ This file is part of Network Pro.
   <img
     {decoding}
     {loading}
-    class={className}
+    class={`logo${className ? ` ${className}` : ''}`}
     src={logoPng}
     {alt}
-    {fetchpriority}
-    style:width
-    style:height />
+    {fetchpriority} />
 </picture>
 
 {#if showSlogan}

package/src/lib/styles/css/default.css

@@ -396,6 +396,8 @@ footer .container {
 
 .logo {
   display: block;
+  width: var(--logo-width, 250px);
+  height: var(--logo-height, 250px);
   margin-left: auto;
   margin-right: auto;
 }
@@ -709,3 +711,16 @@ footer .container {
 #toc a:hover {
   text-decoration: underline;
 }
+
+.badge {
+  display: inline-block;
+  height: 24px;
+}
+
+.badge--cc {
+  width: 160px;
+}
+
+.badge--gpl {
+  width: 120px;
+}

package/src/lib/styles/global.min.css

@@ -3,4 +3,4 @@ Copyright © 2025 Network Pro Strategies (Network Pro™)
 SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
 This file is part of Network Pro.
 ========================================================================== */
-html{-webkit-text-size-adjust:100%}body{margin:0}main{display:block}h1{margin:.67em 0;font-size:2em}hr{box-sizing:content-box}pre{font-family:monospace;font-size:1em}a{background-color:#0000}abbr[title]{border-bottom:none;text-decoration:underline dotted}b,strong{font-weight:bolder}code,kbd,samp{font-family:monospace;font-size:1em}small{font-size:80%}sub,sup{vertical-align:baseline;font-size:75%;line-height:0;position:relative}sub{bottom:-.25em}sup{top:-.5em}img{border-style:none}button,input,optgroup,select,textarea{margin:0;font-family:inherit;font-size:100%;line-height:1.15}button,input{overflow:visible}button,select{text-transform:none}button,[type=button],[type=reset],[type=submit]{-webkit-appearance:button;appearance:button}button::-moz-focus-inner,[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner{border-style:none;padding:0}button:-moz-focusring,[type=button]:-moz-focusring,[type=reset]:-moz-focusring,[type=submit]:-moz-focusring{outline:1px dotted buttontext}fieldset{padding:.35em .75em .625em}legend{color:inherit;box-sizing:border-box;white-space:normal;max-width:100%;padding:0;display:table}progress{vertical-align:baseline}textarea{overflow:auto}[type=checkbox],[type=radio]{box-sizing:border-box;padding:0}[type=number]::-webkit-inner-spin-button,[type=number]::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;appearance:textfield;outline-offset:-2px}[type=search]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{font:inherit;-webkit-appearance:button}details{display:block}summary{display:list-item}template{display:none}html{color:#222;scroll-behavior:smooth;font-size:1em;line-height:1.4}::-moz-selection{text-shadow:none;background:#191919}::selection{text-shadow:none;background:#191919}hr{border:0;border-top:1px solid #ccc;height:1px;margin:1em 0;padding:0;display:block;overflow:visible}audio,canvas,iframe,img,svg,video{vertical-align:middle}fieldset{border:0;margin:0;padding:0}textarea{resize:vertical}body{color:#fafafa;background-color:#191919;margin:10px;font-family:Arial,Helvetica,sans-serif}a{text-decoration:none}a:link{color:#ffc627}a:hover,a:active{color:#ffc627;text-decoration:underline}a:focus{color:#111;background-color:#ffc627}a:visited,a:visited:hover{color:#cba557}a:visited:focus,a:visited:focus-visible{color:#111!important}.hidden,[hidden]{display:none!important}.visually-hidden{clip:rect(0,0,0,0);white-space:nowrap;border:0;width:1px;height:1px;margin:-1px;padding:0;position:absolute;overflow:hidden}.visually-hidden.focusable:active,.visually-hidden.focusable:focus{clip:auto;width:auto;height:auto;white-space:inherit;margin:0;position:static;overflow:visible}.invisible{visibility:hidden}.clearfix:before,.clearfix:after{content:"";display:table}.clearfix:after{clear:both}@media print{*,:before,:after{color:#000!important;box-shadow:none!important;text-shadow:none!important;background:#fff!important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href)")"}abbr[title]:after{content:" (" attr(title)")"}a[href^=\#]:after,a[href^=javascript\:]:after{content:""}pre{white-space:pre-wrap!important}pre,blockquote{break-inside:avoid;border:1px solid #999}tr,img{break-inside:avoid}p,h2,h3{orphans:3;widows:3}h2,h3{break-after:avoid}}.full-width-section{background-position:50%;background-size:cover;width:100%;max-width:1920px;margin:0 auto}.container{max-width:1200px;margin:0 auto;padding:0 12px}.readable{max-width:900px;margin:0 auto}header,footer{width:100%}header .container,footer .container{max-width:1200px;margin:0 auto;padding:20px 12px}.gh{border-collapse:collapse;border-spacing:0;margin:0 auto}.gh td,.gh th{border-collapse:collapse;word-break:normal;padding:10px 5px;overflow:hidden}.gh .gh-tcell{text-align:center;vertical-align:middle}@media screen and (width<=767px){.gh,.gh col{width:auto!important}.gh-wrap{-webkit-overflow-scrolling:touch;margin:auto 0;overflow-x:auto}}.soc{border-collapse:collapse;border-spacing:0;margin:0 auto}.soc td,.soc th{border-collapse:collapse;word-break:normal;padding:8px;overflow:hidden}.soc .soc-fa{text-align:center;vertical-align:middle}@media screen and (width<=767px){.soc,.soc col{width:auto!important}.soc-wrap{-webkit-overflow-scrolling:touch;margin:auto 0;overflow-x:auto}}.foss{border-collapse:collapse;border-spacing:0}.foss td,.foss th{border-collapse:collapse;word-break:normal;padding:10px 5px;overflow:hidden}.foss .foss-cell{text-align:center;vertical-align:middle}@media screen and (width<=767px){.foss,.foss col{width:auto!important}.foss-wrap{-webkit-overflow-scrolling:touch;overflow-x:auto}}.bnav{text-align:center;border-collapse:collapse;border-spacing:0;margin:0 auto}.bnav td,.bnav th{text-align:center;vertical-align:middle;word-break:normal;border-style:none;padding:10px;font-size:.875rem;font-weight:700;line-height:1.125rem;overflow:hidden}.bnav .bnav-cell{text-align:center;vertical-align:middle;align-content:center}@media screen and (width<=767px){.bnav,.bnav col{width:auto!important}.bnav-wrap{-webkit-overflow-scrolling:touch;margin:auto 0;overflow-x:auto}}.bnav2{border-collapse:collapse;border-spacing:0;margin:0 auto}.bnav2 td{word-break:normal;border-style:none;padding:10px;font-size:.875rem;font-weight:700;line-height:1.125rem;overflow:hidden}.bnav2 th{word-break:normal;border-style:none;padding:12px;font-size:.875rem;line-height:1.125rem;overflow:hidden}.bnav2 .bnav2-cell{text-align:center;vertical-align:middle;align-content:center}@media screen and (width<=767px){.bnav2,.bnav2 col{width:auto!important}.bnav2-wrap{-webkit-overflow-scrolling:touch;margin:auto 0;overflow-x:auto}}.pgp{border-collapse:collapse;border-spacing:0;margin:0 auto}.pgp td{word-break:normal;border-style:none;padding:10px;font-size:.875rem;line-height:1.125rem;overflow:hidden}.pgp th{word-break:normal;border:1px solid #000;padding:10px;font-size:.875rem;line-height:1.125rem;overflow:hidden}.pgp .pgp-col1{text-align:right;vertical-align:middle;padding-right:1rem}.pgp .pgp-col2{text-align:left;vertical-align:middle;padding-left:1rem}@media screen and (width<=767px){.pgp,.pgp col{width:auto!important}.pgp-wrap{-webkit-overflow-scrolling:touch;margin:2rem 0 auto;overflow-x:auto}}#service-summary{color:#e6e6e6;margin-top:2rem;margin-bottom:2.5rem}.service-table{color:#e6e6e6;border-collapse:collapse;background-color:#191919;width:100%;font-size:.95rem}.service-table th,.service-table td{text-align:left;vertical-align:top;border-bottom:1px solid #333;padding:.75rem 1rem}.service-table th{color:#ffc627;text-transform:uppercase;background-color:#222;font-size:.85rem;font-weight:600}.service-table a{color:#ffc627;font-weight:500;text-decoration:none}.service-table a:hover{text-decoration:underline}.service-table tr:hover{background-color:#222;transition:background-color .3s,box-shadow .3s;box-shadow:0 0 10px 2px #ffc62740}.service-table tr.selected{background-color:#222;border-left:4px solid #ffc627;transition:background-color .3s,border-left-color .3s}.service-table tr.selected:hover{background-color:#252525;box-shadow:0 0 12px 3px #ffc62759}@media (width<=768px){.service-table{font-size:.9rem}.service-table th,.service-table td{padding:.5rem}}.logo{margin-left:auto;margin-right:auto;display:block}.index-title1{text-align:center;font-style:italic;font-weight:700}.index-title2{letter-spacing:-.015em;text-align:center;font-variant:small-caps;font-size:1.25rem;line-height:1.625rem}.index1{letter-spacing:-.035em;text-align:center;font-style:italic;font-weight:700;line-height:2.125rem}.index2{letter-spacing:-.035em;text-align:center;font-variant:small-caps;font-size:1.5rem;line-height:1.75rem}.index3{letter-spacing:-.035em;text-align:center;font-size:1.5rem;line-height:1.75rem}.index4{letter-spacing:-.035em;text-align:center;font-size:1.5rem;line-height:1.75rem;text-decoration:underline}.subhead{letter-spacing:-.035em;font-variant:small-caps;font-size:1.5rem;line-height:1.75rem}.bold{font-weight:700}.emphasis{font-style:italic}.uline{text-decoration:underline}.bolditalic{font-style:italic;font-weight:700}.bquote{border-left:3px solid #9e9e9e;margin-left:30px;padding-left:10px;font-style:italic}.small-text{font-size:.75rem;line-height:1.125rem}.large-text-center{text-align:center;font-size:1.25rem;line-height:1.75rem}.prewrap{white-space:pre-wrap;display:block}.hr-styled{width:75%;margin:auto}.center-text{text-align:center}.copyright{text-align:center;font-size:.75rem;line-height:1.125rem}.gold{color:#ffc627}.visited{color:#cba557}.goldseparator{color:#ffc627;margin:0 .5rem}.center-nav{text-align:center;padding:5px;font-size:1rem;line-height:1.5rem}.block{overflow-wrap:break-word;resize:none;white-space:normal;word-break:normal;background:0 0;border:none;border-radius:0;outline:none;width:100%;font-family:monospace;font-size:.875rem;line-height:1.125rem}.full-width-section.centered{flex-direction:column;justify-content:center;min-height:80vh;display:flex}.fingerprint{white-space:pre-line;font-family:monospace;display:block}.pgp-image{width:150px;height:150px}.spacer{margin:2rem 0}.separator{margin:0 .5rem}.emoji{margin-right:8px}.headline{margin-bottom:4px;font-style:italic;font-weight:700;display:block}.label{font-family:inherit;font-weight:700}.description{font-family:inherit;font-style:normal;font-weight:400;display:inline}.sr-only{clip:rect(0,0,0,0);white-space:nowrap;border:0;width:1px;height:1px;margin:-1px;padding:0;position:absolute;overflow:hidden}.pgp-entry{flex-wrap:wrap;align-items:center;gap:2rem;margin-bottom:2rem;display:flex}.pgp-text{flex:2;min-width:250px}.pgp-qr{flex:1;min-width:150px}.obtainium-direct-label{margin:.25rem 0 .75rem;font-weight:700}.obtainium-manual-label{margin-top:.75rem;font-weight:700}.obtainium-img{width:185px;height:55px;margin-bottom:.25rem}.obtainium-margin{margin-left:4px}.obtainium-fa-down{color:#ffc627;margin-left:4px}.obtainium-icon{width:50px;height:50px}.proton-img{width:168px;height:24px}.redirect-text{text-align:center;margin-top:4rem}.redirect-content{text-align:center;margin-top:2rem;font-family:system-ui,sans-serif}.loading-spinner{border:4px solid #ddd;border-top-color:#ffc627;border-radius:50%;width:48px;height:48px;margin:2rem auto;animation:1s linear infinite spin}@keyframes spin{to{transform:rotate(360deg)}}.cc-link{text-decoration:none}.cc-img{vertical-align:text-bottom;margin-left:3px;display:inline-block;height:18px!important}#toc ul{padding-left:1.5rem;list-style-type:disc}#toc a{color:var(--color-primary,#ffc627);text-decoration:none}#toc a:hover{text-decoration:underline}
+html{-webkit-text-size-adjust:100%}body{margin:0}main{display:block}h1{margin:.67em 0;font-size:2em}hr{box-sizing:content-box}pre{font-family:monospace;font-size:1em}a{background-color:#0000}abbr[title]{border-bottom:none;text-decoration:underline dotted}b,strong{font-weight:bolder}code,kbd,samp{font-family:monospace;font-size:1em}small{font-size:80%}sub,sup{vertical-align:baseline;font-size:75%;line-height:0;position:relative}sub{bottom:-.25em}sup{top:-.5em}img{border-style:none}button,input,optgroup,select,textarea{margin:0;font-family:inherit;font-size:100%;line-height:1.15}button,input{overflow:visible}button,select{text-transform:none}button,[type=button],[type=reset],[type=submit]{-webkit-appearance:button;appearance:button}button::-moz-focus-inner,[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner{border-style:none;padding:0}button:-moz-focusring,[type=button]:-moz-focusring,[type=reset]:-moz-focusring,[type=submit]:-moz-focusring{outline:1px dotted buttontext}fieldset{padding:.35em .75em .625em}legend{color:inherit;box-sizing:border-box;white-space:normal;max-width:100%;padding:0;display:table}progress{vertical-align:baseline}textarea{overflow:auto}[type=checkbox],[type=radio]{box-sizing:border-box;padding:0}[type=number]::-webkit-inner-spin-button,[type=number]::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;appearance:textfield;outline-offset:-2px}[type=search]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{font:inherit;-webkit-appearance:button}details{display:block}summary{display:list-item}template{display:none}html{color:#222;scroll-behavior:smooth;font-size:1em;line-height:1.4}::-moz-selection{text-shadow:none;background:#191919}::selection{text-shadow:none;background:#191919}hr{border:0;border-top:1px solid #ccc;height:1px;margin:1em 0;padding:0;display:block;overflow:visible}audio,canvas,iframe,img,svg,video{vertical-align:middle}fieldset{border:0;margin:0;padding:0}textarea{resize:vertical}body{color:#fafafa;background-color:#191919;margin:10px;font-family:Arial,Helvetica,sans-serif}a{text-decoration:none}a:link{color:#ffc627}a:hover,a:active{color:#ffc627;text-decoration:underline}a:focus{color:#111;background-color:#ffc627}a:visited,a:visited:hover{color:#cba557}a:visited:focus,a:visited:focus-visible{color:#111!important}.hidden,[hidden]{display:none!important}.visually-hidden{clip:rect(0,0,0,0);white-space:nowrap;border:0;width:1px;height:1px;margin:-1px;padding:0;position:absolute;overflow:hidden}.visually-hidden.focusable:active,.visually-hidden.focusable:focus{clip:auto;width:auto;height:auto;white-space:inherit;margin:0;position:static;overflow:visible}.invisible{visibility:hidden}.clearfix:before,.clearfix:after{content:"";display:table}.clearfix:after{clear:both}@media print{*,:before,:after{color:#000!important;box-shadow:none!important;text-shadow:none!important;background:#fff!important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href)")"}abbr[title]:after{content:" (" attr(title)")"}a[href^=\#]:after,a[href^=javascript\:]:after{content:""}pre{white-space:pre-wrap!important}pre,blockquote{break-inside:avoid;border:1px solid #999}tr,img{break-inside:avoid}p,h2,h3{orphans:3;widows:3}h2,h3{break-after:avoid}}.full-width-section{background-position:50%;background-size:cover;width:100%;max-width:1920px;margin:0 auto}.container{max-width:1200px;margin:0 auto;padding:0 12px}.readable{max-width:900px;margin:0 auto}header,footer{width:100%}header .container,footer .container{max-width:1200px;margin:0 auto;padding:20px 12px}.gh{border-collapse:collapse;border-spacing:0;margin:0 auto}.gh td,.gh th{border-collapse:collapse;word-break:normal;padding:10px 5px;overflow:hidden}.gh .gh-tcell{text-align:center;vertical-align:middle}@media screen and (width<=767px){.gh,.gh col{width:auto!important}.gh-wrap{-webkit-overflow-scrolling:touch;margin:auto 0;overflow-x:auto}}.soc{border-collapse:collapse;border-spacing:0;margin:0 auto}.soc td,.soc th{border-collapse:collapse;word-break:normal;padding:8px;overflow:hidden}.soc .soc-fa{text-align:center;vertical-align:middle}@media screen and (width<=767px){.soc,.soc col{width:auto!important}.soc-wrap{-webkit-overflow-scrolling:touch;margin:auto 0;overflow-x:auto}}.foss{border-collapse:collapse;border-spacing:0}.foss td,.foss th{border-collapse:collapse;word-break:normal;padding:10px 5px;overflow:hidden}.foss .foss-cell{text-align:center;vertical-align:middle}@media screen and (width<=767px){.foss,.foss col{width:auto!important}.foss-wrap{-webkit-overflow-scrolling:touch;overflow-x:auto}}.bnav{text-align:center;border-collapse:collapse;border-spacing:0;margin:0 auto}.bnav td,.bnav th{text-align:center;vertical-align:middle;word-break:normal;border-style:none;padding:10px;font-size:.875rem;font-weight:700;line-height:1.125rem;overflow:hidden}.bnav .bnav-cell{text-align:center;vertical-align:middle;align-content:center}@media screen and (width<=767px){.bnav,.bnav col{width:auto!important}.bnav-wrap{-webkit-overflow-scrolling:touch;margin:auto 0;overflow-x:auto}}.bnav2{border-collapse:collapse;border-spacing:0;margin:0 auto}.bnav2 td{word-break:normal;border-style:none;padding:10px;font-size:.875rem;font-weight:700;line-height:1.125rem;overflow:hidden}.bnav2 th{word-break:normal;border-style:none;padding:12px;font-size:.875rem;line-height:1.125rem;overflow:hidden}.bnav2 .bnav2-cell{text-align:center;vertical-align:middle;align-content:center}@media screen and (width<=767px){.bnav2,.bnav2 col{width:auto!important}.bnav2-wrap{-webkit-overflow-scrolling:touch;margin:auto 0;overflow-x:auto}}.pgp{border-collapse:collapse;border-spacing:0;margin:0 auto}.pgp td{word-break:normal;border-style:none;padding:10px;font-size:.875rem;line-height:1.125rem;overflow:hidden}.pgp th{word-break:normal;border:1px solid #000;padding:10px;font-size:.875rem;line-height:1.125rem;overflow:hidden}.pgp .pgp-col1{text-align:right;vertical-align:middle;padding-right:1rem}.pgp .pgp-col2{text-align:left;vertical-align:middle;padding-left:1rem}@media screen and (width<=767px){.pgp,.pgp col{width:auto!important}.pgp-wrap{-webkit-overflow-scrolling:touch;margin:2rem 0 auto;overflow-x:auto}}#service-summary{color:#e6e6e6;margin-top:2rem;margin-bottom:2.5rem}.service-table{color:#e6e6e6;border-collapse:collapse;background-color:#191919;width:100%;font-size:.95rem}.service-table th,.service-table td{text-align:left;vertical-align:top;border-bottom:1px solid #333;padding:.75rem 1rem}.service-table th{color:#ffc627;text-transform:uppercase;background-color:#222;font-size:.85rem;font-weight:600}.service-table a{color:#ffc627;font-weight:500;text-decoration:none}.service-table a:hover{text-decoration:underline}.service-table tr:hover{background-color:#222;transition:background-color .3s,box-shadow .3s;box-shadow:0 0 10px 2px #ffc62740}.service-table tr.selected{background-color:#222;border-left:4px solid #ffc627;transition:background-color .3s,border-left-color .3s}.service-table tr.selected:hover{background-color:#252525;box-shadow:0 0 12px 3px #ffc62759}@media (width<=768px){.service-table{font-size:.9rem}.service-table th,.service-table td{padding:.5rem}}.logo{width:var(--logo-width,250px);height:var(--logo-height,250px);margin-left:auto;margin-right:auto;display:block}.index-title1{text-align:center;font-style:italic;font-weight:700}.index-title2{letter-spacing:-.015em;text-align:center;font-variant:small-caps;font-size:1.25rem;line-height:1.625rem}.index1{letter-spacing:-.035em;text-align:center;font-style:italic;font-weight:700;line-height:2.125rem}.index2{letter-spacing:-.035em;text-align:center;font-variant:small-caps;font-size:1.5rem;line-height:1.75rem}.index3{letter-spacing:-.035em;text-align:center;font-size:1.5rem;line-height:1.75rem}.index4{letter-spacing:-.035em;text-align:center;font-size:1.5rem;line-height:1.75rem;text-decoration:underline}.subhead{letter-spacing:-.035em;font-variant:small-caps;font-size:1.5rem;line-height:1.75rem}.bold{font-weight:700}.emphasis{font-style:italic}.uline{text-decoration:underline}.bolditalic{font-style:italic;font-weight:700}.bquote{border-left:3px solid #9e9e9e;margin-left:30px;padding-left:10px;font-style:italic}.small-text{font-size:.75rem;line-height:1.125rem}.large-text-center{text-align:center;font-size:1.25rem;line-height:1.75rem}.prewrap{white-space:pre-wrap;display:block}.hr-styled{width:75%;margin:auto}.center-text{text-align:center}.copyright{text-align:center;font-size:.75rem;line-height:1.125rem}.gold{color:#ffc627}.visited{color:#cba557}.goldseparator{color:#ffc627;margin:0 .5rem}.center-nav{text-align:center;padding:5px;font-size:1rem;line-height:1.5rem}.block{overflow-wrap:break-word;resize:none;white-space:normal;word-break:normal;background:0 0;border:none;border-radius:0;outline:none;width:100%;font-family:monospace;font-size:.875rem;line-height:1.125rem}.full-width-section.centered{flex-direction:column;justify-content:center;min-height:80vh;display:flex}.fingerprint{white-space:pre-line;font-family:monospace;display:block}.pgp-image{width:150px;height:150px}.spacer{margin:2rem 0}.separator{margin:0 .5rem}.emoji{margin-right:8px}.headline{margin-bottom:4px;font-style:italic;font-weight:700;display:block}.label{font-family:inherit;font-weight:700}.description{font-family:inherit;font-style:normal;font-weight:400;display:inline}.sr-only{clip:rect(0,0,0,0);white-space:nowrap;border:0;width:1px;height:1px;margin:-1px;padding:0;position:absolute;overflow:hidden}.pgp-entry{flex-wrap:wrap;align-items:center;gap:2rem;margin-bottom:2rem;display:flex}.pgp-text{flex:2;min-width:250px}.pgp-qr{flex:1;min-width:150px}.obtainium-direct-label{margin:.25rem 0 .75rem;font-weight:700}.obtainium-manual-label{margin-top:.75rem;font-weight:700}.obtainium-img{width:185px;height:55px;margin-bottom:.25rem}.obtainium-margin{margin-left:4px}.obtainium-fa-down{color:#ffc627;margin-left:4px}.obtainium-icon{width:50px;height:50px}.proton-img{width:168px;height:24px}.redirect-text{text-align:center;margin-top:4rem}.redirect-content{text-align:center;margin-top:2rem;font-family:system-ui,sans-serif}.loading-spinner{border:4px solid #ddd;border-top-color:#ffc627;border-radius:50%;width:48px;height:48px;margin:2rem auto;animation:1s linear infinite spin}@keyframes spin{to{transform:rotate(360deg)}}.cc-link{text-decoration:none}.cc-img{vertical-align:text-bottom;margin-left:3px;display:inline-block;height:18px!important}#toc ul{padding-left:1.5rem;list-style-type:disc}#toc a{color:var(--color-primary,#ffc627);text-decoration:none}#toc a:hover{text-decoration:underline}.badge{height:24px;display:inline-block}.badge--cc{width:160px}.badge--gpl{width:120px}

package/src/routes/api/mock-csp/+server.js

@@ -7,10 +7,19 @@ This file is part of Network Pro.
 ========================================================================== */
 
 /** @type {import('@sveltejs/kit').RequestHandler} */
-export async function POST({ request }) {
-  console.log('🔶 [Mock CSP] Report received during dev/CI');
+export async function OPTIONS() {
+  return new Response(null, {
+    status: 204,
+    headers: {
+      'Access-Control-Allow-Origin': '*',
+      'Access-Control-Allow-Methods': 'POST, OPTIONS',
+      'Access-Control-Allow-Headers': 'Content-Type',
+    },
+  });
+}
 
-  // Optional: read/validate body for debugging
+/** @type {import('@sveltejs/kit').RequestHandler} */
+export async function POST({ request }) {
   try {
     const data = await request.json();
     console.log('🔶 [Mock CSP] Payload:', data);
@@ -18,5 +27,12 @@ export async function POST({ request }) {
     console.warn('⚠️ [Mock CSP] No JSON body provided.');
   }
 
-  return new Response(null, { status: 204 });
+  return new Response(null, {
+    status: 204,
+    headers: {
+      'Access-Control-Allow-Origin': '*',
+      'Access-Control-Allow-Methods': 'POST, OPTIONS',
+      'Access-Control-Allow-Headers': 'Content-Type',
+    },
+  });
 }