@networkpro/web 1.26.2 → 1.26.4

package/.env.codex

@@ -0,0 +1,10 @@
+# Build + code-path semantics
+ENV_MODE=production
+PUBLIC_ENV_MODE=production
+
+# Explicit signal this is not real prod
+CODEX=true
+PUBLIC_CODEX=true
+
+# Analytics / telemetry stub
+PUBLIC_POSTHOG_KEY=DUMMY

package/.github/workflows/build-and-publish.yml

@@ -45,7 +45,7 @@ jobs:
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci
@@ -130,7 +130,7 @@ jobs:
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci
@@ -186,7 +186,7 @@ jobs:
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci

package/.github/workflows/check-security-txt-expiry.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Check security.txt expiration
         run: |

package/.github/workflows/lighthouse.yml

@@ -49,7 +49,7 @@ jobs:
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Clean previous Lighthouse reports
         run: |
@@ -152,7 +152,7 @@ jobs:
         run: ls -al .lighthouseci
 
       - name: Upload full .lighthouseci output
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: lighthouse-reports
           path: .lighthouseci/

package/.github/workflows/playwright.yml

@@ -41,7 +41,7 @@ jobs:
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci
@@ -57,7 +57,7 @@ jobs:
 
       - name: Upload Playwright report
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: playwright-report
           path: playwright-report/

package/.github/workflows/publish-test.yml

@@ -40,15 +40,15 @@ jobs:
           cache: npm
           cache-dependency-path: package-lock.json
 
-      #- name: Show Node.js and npm versions
-      #  run: |
-      #    echo "Node.js version: $(node -v)"
-      #    echo "npm version: $(npm -v)"
+      - name: Show Node.js and npm versions
+        run: |
+          echo "Node.js version: $(node -v)"
+          echo "npm version: $(npm -v)"
 
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci
@@ -126,15 +126,15 @@ jobs:
           cache: npm
           cache-dependency-path: package-lock.json
 
-      #- name: Show Node.js and npm versions
-      #  run: |
-      #    echo "Node.js version: $(node -v)"
-      #    echo "npm version: $(npm -v)"
+      - name: Show Node.js and npm versions
+        run: |
+          echo "Node.js version: $(node -v)"
+          echo "npm version: $(npm -v)"
 
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci
@@ -187,15 +187,15 @@ jobs:
           cache: npm
           cache-dependency-path: package-lock.json
 
-      #- name: Show Node.js and npm versions
-      #  run: |
-      #    echo "Node.js version: $(node -v)"
-      #    echo "npm version: $(npm -v)"
+      - name: Show Node.js and npm versions
+        run: |
+          echo "Node.js version: $(node -v)"
+          echo "npm version: $(npm -v)"
 
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci

package/.github/workflows/secret-scan.yml

@@ -96,7 +96,7 @@ jobs:
       # ---------------------------------------------------------------------
       - name: Create issue for detected secrets
         if: failure() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

package/.github/workflows/templates/publish.template.yml

@@ -53,7 +53,7 @@ jobs:
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci
@@ -134,7 +134,7 @@ jobs:
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci
@@ -190,7 +190,7 @@ jobs:
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci

package/.vscode/settings.json

@@ -41,5 +41,6 @@
   "css.customData": [
     ".vscode/customData.json" // Path to your custom data file
   ],
-  "markdown.validate.enabled": false
+  "markdown.validate.enabled": false,
+  "chatgpt.openOnStartup": false
 }

package/AGENTS.md

@@ -0,0 +1,182 @@
+# AGENTS.md
+
+This file defines **operational guidance for automated agents** (e.g., Codex,
+Claude Code, CI bots) working in this repository. It is intentionally
+tool-neutral.
+
+For deeper project context, architecture notes, and AI-specific guidance, see
+`CLAUDE.md`.
+
+---
+
+## Purpose
+
+Agents are welcome here to accelerate development, testing, and maintenance —
+**without compromising security, privacy, or deployment correctness**.
+
+This repo has intentionally strict security controls (CSP, audit mode behavior,
+analytics gating) and a multi-environment deployment model. Agents must treat
+these as **invariants** unless a human explicitly approves changes.
+
+---
+
+## Agent workflow (persona)
+
+- Prefer minimal diffs; avoid sweeping refactors unless requested.
+- Be explicit about tradeoffs and risks; don’t guess about CI/deploy behavior.
+- Preserve behavior by default; if a change alters behavior, call it out explicitly.
+- Preserve invariants: env detection, CSP, audit-mode guarantees, analytics gating.
+- If unsure, ask a single targeted question or leave a TODO rather than inventing.
+- Optimize for reproducibility: commands that work locally and in CI.
+
+---
+
+## Quick Commands
+
+Use these commands as the “happy path” for local and CI-like validation:
+
+### Development
+
+- `npm run dev` — start dev server
+- `npm run dev:audit` — dev server in audit mode (hardened CSP, no analytics)
+- `npm run preview` — preview production build locally
+
+### Build
+
+- `npm run build` — production build
+- `npm run build:audit` — audit build (hardened CSP)
+
+### Tests
+
+- `npm run test:all` — unit tests (client + server)
+- `npm run test:e2e` — Playwright E2E tests (with 1 retry)
+- `npm run lhci:run` — Lighthouse CI audits
+
+### Lint / Format
+
+- `npm run lint:all`
+- `npm run lint:fix`
+- `npm run format:fix`
+
+### Full Verification
+
+- `npm run checkout` (alias: `npm run verify`)
+
+---
+
+## Guardrails (Strict, but Practical)
+
+### Environment and security invariants
+
+Agents MUST NOT change the following without explicit human approval:
+
+- **Environment detection logic** (notably `src/lib/utils/env.js`) or introduce
+  new environment modes.
+- **Content Security Policy** generation/behavior (`src/hooks.server.js`) in a
+  way that weakens enforcement.
+- **Audit-mode guarantees**: audit must remain hardened (no analytics, no
+  external reporting, strict CSP).
+- **Analytics gating**: tracking must remain consent-based and
+  environment-aware.
+- **Service worker exclusions**: analytics domains must not be cached; SW bypass
+  behavior must remain intact.
+
+If a task requires touching any of the above, stop and ask for confirmation.
+
+### Deployment and CI/CD accuracy
+
+Agents MUST NOT invent deployment behavior. The current model is:
+
+- **Production**: Vercel builds/deploys on merges to `master` (Vercel-managed).
+- **Audit**: Netlify deploy driven by a branch-scoped GitHub Actions workflow
+  (`audit-netlify` branch only).
+
+If a change would affect build/deploy behavior, document assumptions and ask for
+confirmation.
+
+If referencing a workflow/config, point to the exact file path and branch it lives on.
+
+### Secrets and sensitive data
+
+- Do **not** commit secrets, tokens, keys, or credentials.
+- `.env*` files must remain purpose-separated. Only non-sensitive, commit-safe
+  env files belong in git.
+- If secrets are required for a task, request them via the tool’s secret
+  mechanism and use placeholders in committed files.
+
+---
+
+## Allowed Agent Work
+
+Agents MAY do the following without additional approval (assuming guardrails are
+respected):
+
+- Explain code and architecture; summarize behavior and risks.
+- Implement **incremental** features or routes that follow existing patterns.
+- Fix bugs and reduce flakiness in tests using minimal, targeted changes.
+  - For SPA E2E tests, prefer URL polling + page-ready assertions over navigation lifecycle waits.
+- Add/extend unit tests or E2E tests consistent with current test architecture.
+- Refactor for clarity **without changing behavior** (especially in security/env
+  paths).
+- Improve documentation, comments, and JSDoc.
+- Propose dependency updates, with a short rationale and any expected impact.
+
+---
+
+## Sensitive Areas (Ask Before Major Changes)
+
+These areas are high-impact. Changes are allowed, but require extra care and
+usually a quick human check:
+
+- `src/lib/utils/env.js` (environment resolution)
+- `src/hooks.server.js` (CSP / security headers)
+- `src/service-worker.js` and SW registration logic
+- `src/lib/stores/posthog.js` and analytics init/gating
+- Auth, redirects, proxy/relay routes under `src/routes/relay-*`
+- Build tooling (`vite.config.js`, `svelte.config.js`, CI workflows, deploy
+  scripts)
+
+When editing these, prefer:
+
+- minimal diffs
+- explicit control flow
+- comments describing intent and risk
+
+---
+
+## What “Done” Means for Agent Work
+
+Before claiming a task is complete, agents should:
+
+1. Ensure changes are minimal and aligned with existing patterns.
+2. Run (or at least recommend running) appropriate checks:
+   - `npm run lint:all`
+   - `npm run test:all`
+   - `npm run test:e2e` (if UI/routes are affected)
+   - `npm run build` (if build/runtime behavior is affected)
+3. Include a short summary:
+   - what changed
+   - why it changed
+   - risk/impact (especially CSP/env/analytics)
+   - any follow-ups or TODOs
+
+If tests are flaky, call it out explicitly and propose stabilization steps
+rather than masking failures.
+
+---
+
+## Notes for Cloud / Ephemeral Runners
+
+Many agents run in ephemeral environments. To keep builds reproducible:
+
+- Do not assume local files exist unless they are committed.
+- Prefer deterministic commands (`npm ci` when appropriate to lockfile policy).
+- Avoid relying on interactive prompts.
+- If environment variables are required, document them and provide safe defaults
+  where possible.
+
+---
+
+## References
+
+- `CLAUDE.md` — authoritative AI guidance and deeper repository context.

package/CHANGELOG.md

@@ -24,6 +24,74 @@ version increments reflecting both user-visible and operational impact.
 
 ---
 
+## [1.26.4] - 2026-01-24
+
+### Added
+
+- Added `AGENTS.md` to provide operational, tool-neutral guidance for automated agents.
+
+### Changed
+
+- **Workflow tooling updates** to keep CI aligned with upstream releases:
+  - `npm` upgraded to `11.8.0` across build/test/publish workflows.
+  - `actions/checkout` `v5` → `v6`, `actions/upload-artifact` `v4` → `v6`, and `actions/github-script` `v7` → `v8`.
+  - Restored Node.js/npm version logging in `publish-test` workflow jobs.
+- **Documentation note added** in `CLAUDE.md` to point automation tools to `AGENTS.md`.
+- **Playwright E2E stabilization** (Firefox + SvelteKit SPA navigation):
+  - Updated the shared navigation helper (`tests/e2e/shared/helpers.js`) to prefer SPA-safe URL-change waiting (polling assertions) over navigation lifecycle events, improving Firefox stability.
+  - Strengthened the desktop “About link” test (`tests/e2e/app.spec.js`) with a stable `/about` page marker assertion (`"Security, with Intent"`) to reduce intermittent flakes.
+- Refreshed timestamp for root route in `static/sitemap.xml`.
+- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.50.1**.
+- **Project version bumped** to `v1.26.4`.
+- Updated dependencies:
+  - `@sveltejs/adapter-vercel` `^6.3.0` → `^6.3.1`
+  - `@sveltejs/kit` `2.50.0` → `2.50.1`
+  - `@vitest/coverage-v8` `4.0.17` → `4.0.18`
+  - `svelte` `5.48.0` → `5.48.2`
+  - `vite-tsconfig-paths` `^6.0.4` → `^6.0.5`
+  - `vitest` `4.0.17` → `4.0.18`
+  - `@playwright/test` `^1.57.0` → `^1.58.0`
+  - `eslint-plugin-jsdoc` `^62.3.0` → `^62.4.1`
+  - `globals` `^17.0.0` → `^17.1.0`
+  - `playwright` `^1.57.0` → `^1.58.0`
+  - `posthog-js` `^1.334.0` → `^1.335.2`
+
+---
+
+## [1.26.3] - 2026-01-21
+
+### Added
+
+- **Codex-aware analytics guard** in `src/lib/stores/posthog.js` to explicitly skip PostHog initialization when the application is executed by automation or AI-assisted tooling.  
+  This prevents analytics side effects during non-interactive builds, cloud executions, and AI-driven analysis while preserving normal production behavior.
+- **`.env.codex` environment configuration** to support Codex and similar automation tools.  
+  This file defines a controlled, non-interactive execution context that mirrors production build semantics without enabling analytics or requiring secrets, enabling safe use of cloud-based AI and CI-style tooling.
+- **`CLAUDE.md` project guidance file** to provide persistent, repository-level instructions for Claude Code and other AI-assisted development tools.  
+  The file establishes clear expectations and constraints for AI usage, including:
+  - **AI guardrails** that prohibit changes to security posture, environment detection logic, deployment assumptions, or analytics behavior without explicit human approval.
+  - An explicit **Allowed AI Uses** section defining safe, permitted activities such as code comprehension, incremental feature development, bug fixing, testing, and documentation updates.
+
+### Changed
+
+- **Project version bumped** to `v1.26.3`.
+- **Dependency updates** to incorporate upstream fixes, improvements, and compatibility updates:
+  - `prettier` `3.8.0` → `3.8.1`
+  - `eslint-plugin-jsdoc` `^62.0.1` → `^62.3.0`
+  - `lightningcss` `^1.30.2` → `^1.31.1`
+  - `posthog-js` `^1.327.0` → `^1.334.0`
+  - `svelte` `5.46.4` → `5.48.0`
+
+### Security
+
+- **Updated transitive dependency override** to remediate a reported vulnerability:
+  - `tar` `7.5.3` → `7.5.6`  
+    _(addresses CVE-2026-23950)_
+- **Added transitive dependency override** to mitigate a reported vulnerability:
+  - `lodash` pinned to `4.17.23`  
+    _(addresses CVE-2025-13465)_
+
+---
+
 ## [1.26.2] - 2026-01-17
 
 ### Changed
@@ -2243,7 +2311,9 @@ This enables analytics filtering and CSP hardening for the audit environment.
 
 <!-- Link references -->
 
-[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.26.2...HEAD
+[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.26.4...HEAD
+[1.26.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.4
+[1.26.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.3
 [1.26.2]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.2
 [1.26.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.1
 [1.26.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.0

package/CLAUDE.md

@@ -0,0 +1,332 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+For tool-neutral operational guidance for automated agents (e.g., Codex, CI bots), see `AGENTS.md`.
+
+<!-- markdownlint-disable -->
+
+## Project Overview
+
+This is a **SvelteKit-based web presence** for Network Pro Strategies, deployed via Vercel. The codebase emphasizes security, privacy, and maintainability, and is distributed as both a production website and an npm package (`@networkpro/web`). It includes Progressive Web App (PWA) functionality with a custom service worker, strict Content Security Policy (CSP) configuration, and comprehensive testing.
+
+## AI Guardrails
+
+This repository may be worked on using AI-assisted tools (e.g., Claude Code). When doing so, the following guardrails apply:
+
+- **Do not introduce new environment modes** or alter environment-detection logic (`src/lib/utils/env.js`) without explicit human approval.
+- **Do not weaken security posture**: CSP rules, analytics gating, service worker exclusions, and audit-mode behavior must not be relaxed for convenience.
+- **Do not invent or assume CI/CD workflows**: Deployment behavior must match existing infrastructure (Vercel for production, Netlify for audit via branch-scoped workflow).
+- **Do not add or modify analytics, telemetry, or external network calls** without confirming consent and environment gating logic.
+- **Do not refactor for style or abstraction alone** if it obscures intent, security checks, or explicit control flow.
+- **Do not commit secrets or sensitive data**; environment files are strictly separated by purpose.
+- **Prefer explicit, readable code over "clever" optimizations**, especially in security- or environment-related paths.
+
+If a change would materially affect security, deployment behavior, environment resolution, or privacy guarantees, **pause and ask for confirmation** before proceeding.
+
+AI tools should treat this file (`CLAUDE.md`) as authoritative guidance and defer to existing documentation and code comments where conflicts arise.
+
+## Allowed AI Uses
+
+AI-assisted tools may be used in this repository for the following purposes:
+
+- **Code comprehension and explanation**: Explaining existing logic, security controls, environment detection, or architectural decisions.
+- **Incremental feature development**: Implementing new features or routes that follow established patterns and respect existing constraints.
+- **Bug fixing and debugging**: Identifying defects, edge cases, or test failures and proposing targeted fixes.
+- **Test creation and improvement**: Writing or extending unit tests, integration tests, and E2E tests consistent with existing testing architecture.
+- **Refactoring for clarity**: Improving readability, structure, or maintainability _without altering behavior, security posture, or environment semantics_.
+- **Documentation updates**: Improving README files, comments, JSDoc, and other documentation to better reflect current behavior.
+- **Dependency and configuration review**: Highlighting outdated dependencies, misconfigurations, or potential risks (without making changes unilaterally).
+- **Accessibility and standards compliance**: Suggesting improvements related to a11y, web standards, or best practices, subject to review.
+- **Clarifying questions**: Asking for confirmation when intent, risk, or trade-offs are unclear.
+
+AI output should be treated as **assistance, not authority**. All changes are subject to human review and approval.
+
+## Essential Commands
+
+### Development
+
+```bash
+npm run dev                # Start dev server
+npm run dev:audit          # Dev server in audit mode (hardened CSP, no analytics)
+npm run build              # Production build
+npm run build:audit        # Audit build (for testing hardened CSP)
+npm run preview            # Preview production build locally
+```
+
+### Testing
+
+```bash
+npm run test:all           # Run all unit tests (client + server)
+npm run test:client        # Run client-side unit tests (jsdom)
+npm run test:server        # Run server-side unit tests (node)
+npm run test:watch         # Watch mode for client tests
+npm run test:coverage      # Generate coverage reports
+npm run test:e2e           # Run Playwright E2E tests (with 1 retry)
+npm run lhci:run           # Run Lighthouse CI audits
+```
+
+### Linting & Formatting
+
+```bash
+npm run lint:all           # Run all linters (JS, CSS, Markdown, Prettier)
+npm run lint:fix           # Auto-fix ESLint issues
+npm run format:fix         # Auto-fix Prettier formatting
+npm run lint:css           # Lint CSS and Svelte styles
+npm run lint:md            # Lint Markdown files
+```
+
+### Pre-commit Verification
+
+```bash
+npm run checkout           # Full verification (type-check, tests, linting)
+npm run verify             # Alias for checkout
+```
+
+### Single Test Execution
+
+```bash
+# Run a specific client test
+npx vitest run tests/unit/client/path/to/test.test.js
+
+# Run a specific server test
+npx vitest run tests/unit/server/path/to/test.test.js
+
+# Run a specific E2E test
+npx playwright test tests/e2e/app.spec.js
+```
+
+## Architecture & Key Patterns
+
+### Environment Management
+
+The project uses a sophisticated multi-environment setup with behavior controlled by `ENV_MODE` and `PUBLIC_ENV_MODE`:
+
+- **`development` / `dev`**: Local development with relaxed CSP, no analytics
+- **`production` / `prod`**: Full CSP enforcement, PostHog analytics enabled, CSP reporting to production endpoint
+- **`audit`**: Hardened environment for security testing—no analytics, no external connections, strict CSP
+- **`test`**: CI/test mode with relaxed CSP for automation
+- **`codex`**: Special mode for Claude Code development
+
+**Critical**: Environment detection happens in two places:
+
+1. **Build-time**: Via `import.meta.env.MODE` or `PUBLIC_ENV_MODE` (baked into bundle)
+2. **Runtime**: Via hostname detection in `src/lib/utils/env.js` (e.g., `audit.netwk.pro` triggers audit mode)
+
+The `detectEnvironment()` function in `src/lib/utils/env.js` unifies this logic and is used throughout the app.
+
+### Content Security Policy (CSP)
+
+CSP headers are dynamically generated in `src/hooks.server.js` based on environment:
+
+- **Production**: Strict CSP with `Content-Security-Policy` header, real CSP reporting endpoint
+- **Audit**: Hardened CSP with no analytics domains, no CSP reporting
+- **Dev/Test**: Report-only mode (`Content-Security-Policy-Report-Only`) for debugging
+
+**Current Trade-off**: The CSP allows `unsafe-inline` for scripts and styles due to PostHog and SvelteKit limitations. Moving to nonce-based CSP is a documented future goal (see README.md).
+
+**Probely Scanner Allowlisting**: The `hooks.server.js` includes logic to detect and bypass security checks for Probely DAST scanners using `isProbelyScanner()` from `src/lib/security/probely.js`.
+
+### Service Worker & PWA
+
+The service worker is defined in `src/service-worker.js` and handles:
+
+- Precaching of build artifacts and static files
+- Runtime caching strategies (cache-first, network-first)
+- Analytics domain blocking (PostHog never cached)
+- Cache versioning and cleanup
+
+**Registration**: `src/lib/registerServiceWorker.js` handles:
+
+- SW registration and update lifecycle
+- Cache cleanup (removes non-prefixed caches)
+- Install prompt support (`beforeinstallprompt` event)
+- Firefox localhost compatibility skip
+- `?nosw` query parameter bypass via `static/disableSw.js`
+
+### Route Structure
+
+- **`+page.svelte`**: Page component
+- **`+page.server.js`**: Server-side page load (metadata, redirects)
+- **`+layout.svelte`**: Root layout with analytics init, MetaTags, header/footer
+- **`+layout.js`**: Client-side layout load (pathname detection)
+- **`+server.js`**: API endpoints (e.g., `/api/mock-csp`, `/pgp/[key]`)
+
+**Special Routes**:
+
+- `/pgp/[key]/+server.js`: Dynamic PGP key serving with proper Content-Type headers
+- `/api/mock-csp/+server.js`: Mock CSP violation reporting endpoint for dev/test
+- `/relay-[slug]/[...catchall]/+server.js`: Dynamic redirect handler
+
+### Component Organization
+
+```
+src/lib/
+├── components/         # Reusable Svelte components
+│   ├── layout/        # Header, Footer
+│   └── foss/          # FOSS-specific components
+├── pages/             # Page-specific content components (e.g., AboutContent.svelte)
+├── data/              # Static data (fossData.js, pgpKeys.js)
+├── stores/            # Svelte stores (posthog.js, trackingPreferences.js)
+├── utils/             # Helper utilities (env.js, utm.js, purify.js)
+├── types/             # Type definitions and constants
+├── styles/            # Global CSS
+└── security/          # Security utilities (probely.js)
+```
+
+**Import Pattern**: Use `$lib` alias for all internal imports (configured in `jsconfig.json` via `vite-tsconfig-paths`).
+
+### Analytics & Tracking
+
+PostHog is initialized in `src/lib/stores/posthog.js` and conditionally loaded based on:
+
+- Environment (disabled in audit, test, dev)
+- User consent (tracked in `trackingPreferences.js` store)
+- Browser support
+
+**Key Functions**:
+
+- `initPostHog()`: Initializes PostHog with consent checking
+- `capture(event)`: Wrapper for PostHog event capture
+- `showReminder`: Svelte store for tracking consent banner state
+
+Analytics initialization happens in `src/lib/utils/initAnalytics.js`, called from `+layout.svelte`.
+
+### Testing Architecture
+
+**Unit Tests**: Split into client (jsdom) and server (node) contexts with separate Vitest configs:
+
+- `tests/unit/client/`: Browser-environment tests (components, client utils)
+- `tests/unit/server/`: Node-environment tests (server utils, API endpoints)
+- `tests/unit/server/internal/auditCoverage.test.js`: Warns about untested source files
+
+**E2E Tests**: Playwright tests in `tests/e2e/`:
+
+- `app.spec.js`: Desktop and mobile route tests
+- `mobile.spec.js`: Mobile-specific assertions
+- `shared/helpers.js`: Shared test utilities (viewport helpers, element getters)
+
+**Coverage Audit**: The project includes a coverage audit that warns (but doesn't fail) when source files lack corresponding unit tests.
+
+## Configuration Files
+
+- **`svelte.config.js`**: SvelteKit config with Vercel adapter, prerender error handling
+- **`vite.config.js`**: Vite config with SvelteKit, LightningCSS, devtools-json plugins
+- **`vitest.config.client.js`**: Client-side unit test config (jsdom environment)
+- **`vitest.config.server.js`**: Server-side unit test config (node environment)
+- **`playwright.config.js`**: E2E test config (Chromium, Firefox, WebKit)
+- **`.lighthouserc.cjs`**: Lighthouse CI audit configuration
+- **`postcss.config.cjs`**: PostCSS with autoprefixer
+- **`vercel.json`**: Vercel deployment config
+
+## Development Workflows
+
+### Adding a New Route
+
+1. Create `src/routes/your-route/+page.svelte`
+2. Create `src/routes/your-route/+page.server.js` for metadata:
+   ```javascript
+   export function load() {
+     return {
+       meta: {
+         title: 'Your Page Title',
+         description: 'Your page description',
+       },
+     };
+   }
+   ```
+3. Add corresponding E2E test in `tests/e2e/app.spec.js`
+4. Update sitemap at `static/sitemap.xml` if needed
+
+### Adding a New Component
+
+1. Create component in `src/lib/components/YourComponent.svelte`
+2. Export from `src/lib/components/index.js` if it's shared
+3. Add unit test in `tests/unit/client/components/YourComponent.test.js`
+4. Use `$lib/components` alias for imports
+
+### Modifying CSP
+
+1. Edit `src/hooks.server.js` and update `cspDirectives` array
+2. Test in audit mode: `npm run dev:audit`
+3. Check CSP violations in browser console or `/api/mock-csp` logs
+4. Update tests if needed
+
+### Adding Analytics Events
+
+1. Import `capture` from `$lib/stores/posthog`
+2. Call `capture('event_name', { properties })` in client-side code
+3. Events are automatically gated by consent and environment checks
+
+## Important Constraints
+
+### Security Considerations
+
+- **Never commit sensitive data**: Use `.env` for local secrets, never `.env.template`
+- **CSP compliance**: All inline scripts/styles must work with `unsafe-inline` or be refactored for nonces
+- **Service worker**: Analytics domains (PostHog) are explicitly excluded from SW caching
+- **PGP keys**: `.asc` files in `static/pgp/` are served directly, not precached
+
+### Code Quality Standards
+
+- **No emojis** in commit messages or code comments unless explicitly requested
+- **Copyright headers** required on all source files
+- **ESLint + Prettier** enforced via pre-commit hooks
+- **Stylelint** for CSS/Svelte style validation
+- **JSDoc** required for exported functions
+
+### Build Requirements
+
+- **Node.js**: >= 22.0.0, < 25
+- **npm**: >= 10.0.0, < 12
+- Enforced via `engines` in `package.json` and `scripts/checkNode.js`
+
+### Testing Requirements
+
+- Unit tests should use appropriate environment (client vs. server)
+- E2E tests automatically retry once to reduce flakiness
+- Coverage audit warns about untested files but doesn't fail CI
+
+## Common Gotchas
+
+1. **Service Worker Caching**: Use `?nosw` query param to bypass SW for testing
+2. **Environment Detection**: Remember that `audit.netwk.pro` hostname overrides build mode
+3. **CSP Violations**: Check browser console in dev mode; violations are logged to `/api/mock-csp`
+4. **PostHog Initialization**: Happens asynchronously; use `$isInitialized` store to check status
+5. **Static Asset Imports**: Use Vite's `import` syntax (e.g., `import logo from '$lib/img/logo.png'`)
+6. **Prerendering**: Some routes are prerendered at build time; check `svelte.config.js` error handlers
+
+## Debugging Tips
+
+- **Enable debug mode**: Add `?debug=true` to URL for verbose console logs
+- **Disable service worker**: Add `?nosw` to URL to bypass SW caching
+- **Check environment**: Use `detectEnvironment()` in any file to see current env flags
+- **View CSP violations**: Check `/api/mock-csp` endpoint logs in dev mode
+- **Playwright UI mode**: Run `npx playwright test --ui` for interactive debugging
+
+## Deployment Environments
+
+- **Production**
+  - URL: `https://netwk.pro`
+  - Hosting: **Vercel**
+  - Deployment model: Automatic builds and deployments triggered by merges to `master`
+  - CI: Managed by Vercel (not GitHub Actions)
+
+- **Audit**
+  - URL: `https://audit.netwk.pro`
+  - Hosting: **Netlify**
+  - Purpose: Hardened security environment (strict CSP, no analytics, no external reporting)
+  - Deployment model:
+    - Built and deployed via a GitHub Actions workflow
+    - Workflow file: `.github/workflows/deploy-audit-netlify.yml`
+    - Workflow exists **only on the `audit-netlify` branch**
+    - Deployments are intentionally decoupled from production
+
+- **Preview**
+  - Hosting: Vercel
+  - Trigger: Pull requests and non-`master` branches
+  - Purpose: Ephemeral previews for review and testing
+
+**Note**: There is no single CI/CD pipeline shared by all environments. Production relies on Vercel’s native build system, while the audit environment uses a dedicated, branch-scoped GitHub Actions workflow.
+
+<!-- cspell:ignore prerender precached Prerendering prerendered -->

package/LICENSE.md

@@ -6,11 +6,11 @@ SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
 This file is part of Network Pro.
 ====================================================================== -->
 
+<a name="top"></a>
+
 <sup>[SPDX-License-Identifier](https://spdx.dev/learn/handling-license-info/):
 `CC-BY-4.0 OR GPL-3.0-or-later`</sup>
 
-<a name="top"></a>
-
 # Legal, Copyright, and Licensing
 
 **Network Pro Strategies**  

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@networkpro/web",
   "private": false,
-  "version": "1.26.2",
+  "version": "1.26.4",
   "description": "Locking Down Networks, Unlocking Confidence™ | Security, Networking, Privacy — Network Pro Strategies",
   "keywords": [
     "advocacy",
@@ -43,6 +43,8 @@
     "build": "vite build --mode production",
     "build:audit": "vite build --mode audit",
     "build:vercel": "vercel build",
+    "build:codex": "vite build --mode codex",
+    "dev:codex": "vite dev --mode codex",
     "preview": "vite preview",
     "css:bundle": "node scripts/bundleCss.js",
     "prepare": "svelte-kit sync && npx simple-git-hooks || echo ''",
@@ -88,38 +90,38 @@
   },
   "dependencies": {
     "dompurify": "^3.3.1",
-    "posthog-js": "^1.327.0",
+    "posthog-js": "^1.335.2",
     "semver": "^7.7.3",
-    "svelte": "5.46.4"
+    "svelte": "5.48.2"
   },
   "devDependencies": {
     "@eslint/compat": "^2.0.1",
     "@eslint/js": "^9.39.2",
     "@lhci/cli": "^0.15.1",
-    "@playwright/test": "^1.57.0",
+    "@playwright/test": "^1.58.0",
     "@sveltejs/adapter-netlify": "^5.2.4",
-    "@sveltejs/adapter-vercel": "^6.3.0",
-    "@sveltejs/kit": "2.50.0",
+    "@sveltejs/adapter-vercel": "^6.3.1",
+    "@sveltejs/kit": "2.50.1",
     "@sveltejs/vite-plugin-svelte": "^6.2.4",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/svelte": "^5.3.1",
-    "@vitest/coverage-v8": "4.0.17",
+    "@vitest/coverage-v8": "4.0.18",
     "autoprefixer": "^10.4.23",
     "browserslist": "^4.28.1",
     "eslint": "^9.39.2",
     "eslint-config-prettier": "^10.1.8",
-    "eslint-plugin-jsdoc": "^62.0.1",
+    "eslint-plugin-jsdoc": "^62.4.1",
     "eslint-plugin-svelte": "^3.14.0",
-    "globals": "^17.0.0",
+    "globals": "^17.1.0",
     "globby": "^16.1.0",
     "jsdom": "27.4.0",
-    "lightningcss": "^1.30.2",
+    "lightningcss": "^1.31.1",
     "markdownlint": "^0.40.0",
     "markdownlint-cli2": "0.20.0",
     "npm-run-all": "^4.1.5",
-    "playwright": "^1.57.0",
+    "playwright": "^1.58.0",
     "postcss": "^8.5.6",
-    "prettier": "3.8.0",
+    "prettier": "3.8.1",
     "prettier-plugin-svelte": "^3.4.1",
     "simple-git-hooks": "^2.13.1",
     "stylelint": "^17.0.0",
@@ -133,15 +135,16 @@
     "vite": "^7.3.1",
     "vite-plugin-devtools-json": "^1.0.0",
     "vite-plugin-lightningcss": "^0.0.5",
-    "vite-tsconfig-paths": "^6.0.4",
-    "vitest": "4.0.17"
+    "vite-tsconfig-paths": "^6.0.5",
+    "vitest": "4.0.18"
   },
   "overrides": {
     "cookie": "^1.0.0",
     "glob": "^11.1.0",
     "js-yaml": "^4.1.1",
+    "lodash": "^4.17.23",
     "qs": "^6.14.1",
-    "tar": "^7.5.3",
+    "tar": "^7.5.6",
     "tmp": "^0.2.4"
   }
 }

package/src/app.html

@@ -53,7 +53,7 @@
       content="bx4ham0zkpvzztzu213bhpt76m9siq" />
     <!-- cspell:enable -->
 
-    <meta name="generator" content="SvelteKit 2.50.0" />
+    <meta name="generator" content="SvelteKit 2.50.1" />
 
     <script src="/disableSw.js"></script>
 

package/src/lib/stores/posthog.js

@@ -49,6 +49,15 @@ export async function initPostHog() {
   const { isAudit, isDebug, isDev, isTest, mode, effective } =
     detectEnvironment();
 
+  const isCodex =
+    import.meta.env.PUBLIC_CODEX === 'true' || import.meta.env.CODEX === 'true';
+
+  // 🤖 Skip analytics entirely in Codex environments
+  if (isCodex) {
+    console.info('[PostHog] Skipping analytics (Codex environment).');
+    return;
+  }
+
   // 🌐 Hybrid hostname + environment guard
   const host = window.location.hostname;
   const isAuditHost = /(^|\.)audit\.netwk\.pro$/i.test(host);

package/static/sitemap.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- Sitemap last updated 2026-01-11 -->
+<!-- Sitemap last updated 2026-01-24 -->
 
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
 
@@ -7,7 +7,7 @@
 
     <loc>https://netwk.pro</loc>
 
-    <lastmod>2026-01-10</lastmod>
+    <lastmod>2026-01-24</lastmod>
 
     <changefreq>weekly</changefreq>
 

package/tests/e2e/app.spec.js

@@ -69,7 +69,10 @@ test.describe('Desktop Tests', () => {
       timeout: 60000,
     });
 
-    await expect(page).toHaveURL(/\/about/);
+    // ✅ “ready” assertion to eliminate flake (SPA + Firefox)
+    await expect(
+      page.getByRole('heading', { name: 'Security, with Intent' }),
+    ).toBeVisible();
   });
 }); // End Desktop Tests
 

package/tests/e2e/shared/helpers.js

@@ -14,6 +14,8 @@ This file is part of Network Pro.
  * @updated 2025-11-12
  */
 
+import { expect } from '@playwright/test';
+
 const DEBUG_LOGS = false; // set to true to enable console logs
 
 /**
@@ -88,28 +90,28 @@ export function getFooter(page) {
 }
 
 /**
- * Click + wait for SPA or full navigation event.
+ * Clicks a locator and waits for a URL change (SPA-safe).
+ * This avoids relying on navigation lifecycle events (load/domcontentloaded),
+ * which can be flaky or aborted in SPA routing (notably in Firefox).
  *
  * @param {import('@playwright/test').Page} page
  * @param {import('@playwright/test').Locator} locator
- * @param {{ urlPattern?: string | RegExp, timeout?: number }} [options]
+ * @param {{ urlPattern?: RegExp, timeout?: number }} [options]
+ * @returns {Promise<void>}
  */
 export async function clickAndWaitForNavigation(page, locator, options = {}) {
   const { urlPattern = /\/.*/, timeout = 60000 } = options;
 
   await locator.scrollIntoViewIfNeeded();
-  await locator.waitFor({ state: 'visible', timeout: 60000 });
+  await locator.waitFor({ state: 'visible', timeout });
 
   const previousURL = page.url();
 
-  const [, newURL] = await Promise.all([
-    page.waitForURL(
-      (url) =>
-        url.toString() !== previousURL && urlPattern.test(url.toString()),
-      { timeout },
-    ),
-    locator.click().then(() => page.url()),
-  ]);
+  await locator.click();
+
+  // SPA-stable URL wait (polling) — does not depend on navigation lifecycle
+  await expect(page).toHaveURL(urlPattern, { timeout });
 
+  const newURL = page.url();
   console.log(`✅ Navigation from ${previousURL} → ${newURL}`);
 }