@networkpro/web 1.26.3 → 1.26.5

package/.github/workflows/build-and-publish.yml

@@ -45,7 +45,7 @@ jobs:
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci
@@ -130,7 +130,7 @@ jobs:
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci
@@ -186,7 +186,7 @@ jobs:
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci

package/.github/workflows/check-security-txt-expiry.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Check security.txt expiration
         run: |

package/.github/workflows/deploy-audit-netlify.yml

@@ -0,0 +1,38 @@
+# .github/workflows/deploy-audit-netlify.yml
+#
+# Copyright © 2025 Network Pro Strategies (Network Pro™)
+# SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
+# This file is part of Network Pro
+
+name: Deploy Audit to Netlify
+
+on:
+  push:
+    branches:
+      - audit-netlify
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-24.04
+    env:
+      ENV_MODE: audit
+      PUBLIC_ENV_MODE: audit
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 22
+          cache: npm
+          cache-dependency-path: package-lock.json
+
+      - name: Install Dependencies
+        run: npm ci
+
+      - name: Build in Audit Mode
+        run: npm run build:audit

package/.github/workflows/lighthouse.yml

@@ -49,7 +49,7 @@ jobs:
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Clean previous Lighthouse reports
         run: |
@@ -152,7 +152,7 @@ jobs:
         run: ls -al .lighthouseci
 
       - name: Upload full .lighthouseci output
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: lighthouse-reports
           path: .lighthouseci/

package/.github/workflows/playwright.yml

@@ -41,7 +41,7 @@ jobs:
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci
@@ -57,7 +57,7 @@ jobs:
 
       - name: Upload Playwright report
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: playwright-report
           path: playwright-report/

package/.github/workflows/publish-test.yml

@@ -40,15 +40,15 @@ jobs:
           cache: npm
           cache-dependency-path: package-lock.json
 
-      #- name: Show Node.js and npm versions
-      #  run: |
-      #    echo "Node.js version: $(node -v)"
-      #    echo "npm version: $(npm -v)"
+      - name: Show Node.js and npm versions
+        run: |
+          echo "Node.js version: $(node -v)"
+          echo "npm version: $(npm -v)"
 
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci
@@ -126,15 +126,15 @@ jobs:
           cache: npm
           cache-dependency-path: package-lock.json
 
-      #- name: Show Node.js and npm versions
-      #  run: |
-      #    echo "Node.js version: $(node -v)"
-      #    echo "npm version: $(npm -v)"
+      - name: Show Node.js and npm versions
+        run: |
+          echo "Node.js version: $(node -v)"
+          echo "npm version: $(npm -v)"
 
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci
@@ -187,15 +187,15 @@ jobs:
           cache: npm
           cache-dependency-path: package-lock.json
 
-      #- name: Show Node.js and npm versions
-      #  run: |
-      #    echo "Node.js version: $(node -v)"
-      #    echo "npm version: $(npm -v)"
+      - name: Show Node.js and npm versions
+        run: |
+          echo "Node.js version: $(node -v)"
+          echo "npm version: $(npm -v)"
 
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci

package/.github/workflows/secret-scan.yml

@@ -96,7 +96,7 @@ jobs:
       # ---------------------------------------------------------------------
       - name: Create issue for detected secrets
         if: failure() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

package/.github/workflows/templates/publish.template.yml

@@ -53,7 +53,7 @@ jobs:
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci
@@ -134,7 +134,7 @@ jobs:
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci
@@ -190,7 +190,7 @@ jobs:
       - name: Upgrade npm
         run: |
           corepack enable
-          npm install -g npm@11.7.0
+          npm install -g npm@11.8.0
 
       - name: Install Node.js dependencies
         run: npm ci

package/.vscode/settings.json

@@ -42,5 +42,5 @@
     ".vscode/customData.json" // Path to your custom data file
   ],
   "markdown.validate.enabled": false,
-  "chatgpt.openOnStartup": true
+  "chatgpt.openOnStartup": false
 }

package/AGENTS.md

@@ -0,0 +1,182 @@
+# AGENTS.md
+
+This file defines **operational guidance for automated agents** (e.g., Codex,
+Claude Code, CI bots) working in this repository. It is intentionally
+tool-neutral.
+
+For deeper project context, architecture notes, and AI-specific guidance, see
+`CLAUDE.md`.
+
+---
+
+## Purpose
+
+Agents are welcome here to accelerate development, testing, and maintenance —
+**without compromising security, privacy, or deployment correctness**.
+
+This repo has intentionally strict security controls (CSP, audit mode behavior,
+analytics gating) and a multi-environment deployment model. Agents must treat
+these as **invariants** unless a human explicitly approves changes.
+
+---
+
+## Agent workflow (persona)
+
+- Prefer minimal diffs; avoid sweeping refactors unless requested.
+- Be explicit about tradeoffs and risks; don’t guess about CI/deploy behavior.
+- Preserve behavior by default; if a change alters behavior, call it out explicitly.
+- Preserve invariants: env detection, CSP, audit-mode guarantees, analytics gating.
+- If unsure, ask a single targeted question or leave a TODO rather than inventing.
+- Optimize for reproducibility: commands that work locally and in CI.
+
+---
+
+## Quick Commands
+
+Use these commands as the “happy path” for local and CI-like validation:
+
+### Development
+
+- `npm run dev` — start dev server
+- `npm run dev:audit` — dev server in audit mode (hardened CSP, no analytics)
+- `npm run preview` — preview production build locally
+
+### Build
+
+- `npm run build` — production build
+- `npm run build:audit` — audit build (hardened CSP)
+
+### Tests
+
+- `npm run test:all` — unit tests (client + server)
+- `npm run test:e2e` — Playwright E2E tests (with 1 retry)
+- `npm run lhci:run` — Lighthouse CI audits
+
+### Lint / Format
+
+- `npm run lint:all`
+- `npm run lint:fix`
+- `npm run format:fix`
+
+### Full Verification
+
+- `npm run checkout` (alias: `npm run verify`)
+
+---
+
+## Guardrails (Strict, but Practical)
+
+### Environment and security invariants
+
+Agents MUST NOT change the following without explicit human approval:
+
+- **Environment detection logic** (notably `src/lib/utils/env.js`) or introduce
+  new environment modes.
+- **Content Security Policy** generation/behavior (`src/hooks.server.js`) in a
+  way that weakens enforcement.
+- **Audit-mode guarantees**: audit must remain hardened (no analytics, no
+  external reporting, strict CSP).
+- **Analytics gating**: tracking must remain consent-based and
+  environment-aware.
+- **Service worker exclusions**: analytics domains must not be cached; SW bypass
+  behavior must remain intact.
+
+If a task requires touching any of the above, stop and ask for confirmation.
+
+### Deployment and CI/CD accuracy
+
+Agents MUST NOT invent deployment behavior. The current model is:
+
+- **Production**: Vercel builds/deploys on merges to `master` (Vercel-managed).
+- **Audit**: Netlify deploy driven by a branch-scoped GitHub Actions workflow
+  (`audit-netlify` branch only).
+
+If a change would affect build/deploy behavior, document assumptions and ask for
+confirmation.
+
+If referencing a workflow/config, point to the exact file path and branch it lives on.
+
+### Secrets and sensitive data
+
+- Do **not** commit secrets, tokens, keys, or credentials.
+- `.env*` files must remain purpose-separated. Only non-sensitive, commit-safe
+  env files belong in git.
+- If secrets are required for a task, request them via the tool’s secret
+  mechanism and use placeholders in committed files.
+
+---
+
+## Allowed Agent Work
+
+Agents MAY do the following without additional approval (assuming guardrails are
+respected):
+
+- Explain code and architecture; summarize behavior and risks.
+- Implement **incremental** features or routes that follow existing patterns.
+- Fix bugs and reduce flakiness in tests using minimal, targeted changes.
+  - For SPA E2E tests, prefer URL polling + page-ready assertions over navigation lifecycle waits.
+- Add/extend unit tests or E2E tests consistent with current test architecture.
+- Refactor for clarity **without changing behavior** (especially in security/env
+  paths).
+- Improve documentation, comments, and JSDoc.
+- Propose dependency updates, with a short rationale and any expected impact.
+
+---
+
+## Sensitive Areas (Ask Before Major Changes)
+
+These areas are high-impact. Changes are allowed, but require extra care and
+usually a quick human check:
+
+- `src/lib/utils/env.js` (environment resolution)
+- `src/hooks.server.js` (CSP / security headers)
+- `src/service-worker.js` and SW registration logic
+- `src/lib/stores/posthog.js` and analytics init/gating
+- Auth, redirects, proxy/relay routes under `src/routes/relay-*`
+- Build tooling (`vite.config.js`, `svelte.config.js`, CI workflows, deploy
+  scripts)
+
+When editing these, prefer:
+
+- minimal diffs
+- explicit control flow
+- comments describing intent and risk
+
+---
+
+## What “Done” Means for Agent Work
+
+Before claiming a task is complete, agents should:
+
+1. Ensure changes are minimal and aligned with existing patterns.
+2. Run (or at least recommend running) appropriate checks:
+   - `npm run lint:all`
+   - `npm run test:all`
+   - `npm run test:e2e` (if UI/routes are affected)
+   - `npm run build` (if build/runtime behavior is affected)
+3. Include a short summary:
+   - what changed
+   - why it changed
+   - risk/impact (especially CSP/env/analytics)
+   - any follow-ups or TODOs
+
+If tests are flaky, call it out explicitly and propose stabilization steps
+rather than masking failures.
+
+---
+
+## Notes for Cloud / Ephemeral Runners
+
+Many agents run in ephemeral environments. To keep builds reproducible:
+
+- Do not assume local files exist unless they are committed.
+- Prefer deterministic commands (`npm ci` when appropriate to lockfile policy).
+- Avoid relying on interactive prompts.
+- If environment variables are required, document them and provide safe defaults
+  where possible.
+
+---
+
+## References
+
+- `CLAUDE.md` — authoritative AI guidance and deeper repository context.

package/CHANGELOG.md

@@ -24,6 +24,54 @@ version increments reflecting both user-visible and operational impact.
 
 ---
 
+## [1.26.5]
+
+### Added
+
+- `scripts/hooks/pre-push.sh`: `simple-git-hooks` pre-push guard to prevent accidental pushes directly to `master`/`main` while preserving the existing `npm run checkout` pre-push behavior.
+
+### Changed
+
+- `.github/workflows/deploy-audit-netlify.yml`: Added `workflow_dispatch` so the audit Netlify deployment can be triggered manually (e.g., when `audit-netlify` is already in sync and no new push occurs).
+- `package.json`: Updated `simple-git-hooks` configuration to run `bash scripts/hooks/pre-push.sh` on `pre-push` (alongside the existing `pre-commit` hook).
+- Bumped project version to `v1.26.5`.
+
+---
+
+## [1.26.4] - 2026-01-24
+
+### Added
+
+- Added `AGENTS.md` to provide operational, tool-neutral guidance for automated agents.
+
+### Changed
+
+- **Workflow tooling updates** to keep CI aligned with upstream releases:
+  - `npm` upgraded to `11.8.0` across build/test/publish workflows.
+  - `actions/checkout` `v5` → `v6`, `actions/upload-artifact` `v4` → `v6`, and `actions/github-script` `v7` → `v8`.
+  - Restored Node.js/npm version logging in `publish-test` workflow jobs.
+- **Documentation note added** in `CLAUDE.md` to point automation tools to `AGENTS.md`.
+- **Playwright E2E stabilization** (Firefox + SvelteKit SPA navigation):
+  - Updated the shared navigation helper (`tests/e2e/shared/helpers.js`) to prefer SPA-safe URL-change waiting (polling assertions) over navigation lifecycle events, improving Firefox stability.
+  - Strengthened the desktop “About link” test (`tests/e2e/app.spec.js`) with a stable `/about` page marker assertion (`"Security, with Intent"`) to reduce intermittent flakes.
+- Refreshed timestamp for root route in `static/sitemap.xml`.
+- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.50.1**.
+- **Project version bumped** to `v1.26.4`.
+- Updated dependencies:
+  - `@sveltejs/adapter-vercel` `^6.3.0` → `^6.3.1`
+  - `@sveltejs/kit` `2.50.0` → `2.50.1`
+  - `@vitest/coverage-v8` `4.0.17` → `4.0.18`
+  - `svelte` `5.48.0` → `5.48.2`
+  - `vite-tsconfig-paths` `^6.0.4` → `^6.0.5`
+  - `vitest` `4.0.17` → `4.0.18`
+  - `@playwright/test` `^1.57.0` → `^1.58.0`
+  - `eslint-plugin-jsdoc` `^62.3.0` → `^62.4.1`
+  - `globals` `^17.0.0` → `^17.1.0`
+  - `playwright` `^1.57.0` → `^1.58.0`
+  - `posthog-js` `^1.334.0` → `^1.335.2`
+
+---
+
 ## [1.26.3] - 2026-01-21
 
 ### Added
@@ -2277,7 +2325,9 @@ This enables analytics filtering and CSP hardening for the audit environment.
 
 <!-- Link references -->
 
-[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.26.3...HEAD
+[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.26.5...HEAD
+[1.26.5]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.5
+[1.26.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.4
 [1.26.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.3
 [1.26.2]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.2
 [1.26.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.1

package/CLAUDE.md

@@ -2,6 +2,8 @@
 
 This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
 
+For tool-neutral operational guidance for automated agents (e.g., Codex, CI bots), see `AGENTS.md`.
+
 <!-- markdownlint-disable -->
 
 ## Project Overview

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@networkpro/web",
   "private": false,
-  "version": "1.26.3",
+  "version": "1.26.5",
   "description": "Locking Down Networks, Unlocking Confidence™ | Security, Networking, Privacy — Network Pro Strategies",
   "keywords": [
     "advocacy",
@@ -86,40 +86,40 @@
   },
   "simple-git-hooks": {
     "pre-commit": "if [ \"$CI\" = \"true\" ]; then exit 0; else npm run lint:all; fi",
-    "pre-push": "if [ \"$CI\" = \"true\" ]; then exit 0; else npm run checkout; fi"
+    "pre-push": "bash scripts/hooks/pre-push.sh"
   },
   "dependencies": {
     "dompurify": "^3.3.1",
-    "posthog-js": "^1.334.0",
+    "posthog-js": "^1.335.2",
     "semver": "^7.7.3",
-    "svelte": "5.48.0"
+    "svelte": "5.48.2"
   },
   "devDependencies": {
     "@eslint/compat": "^2.0.1",
     "@eslint/js": "^9.39.2",
     "@lhci/cli": "^0.15.1",
-    "@playwright/test": "^1.57.0",
+    "@playwright/test": "^1.58.0",
     "@sveltejs/adapter-netlify": "^5.2.4",
-    "@sveltejs/adapter-vercel": "^6.3.0",
-    "@sveltejs/kit": "2.50.0",
+    "@sveltejs/adapter-vercel": "^6.3.1",
+    "@sveltejs/kit": "2.50.1",
     "@sveltejs/vite-plugin-svelte": "^6.2.4",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/svelte": "^5.3.1",
-    "@vitest/coverage-v8": "4.0.17",
+    "@vitest/coverage-v8": "4.0.18",
     "autoprefixer": "^10.4.23",
     "browserslist": "^4.28.1",
     "eslint": "^9.39.2",
     "eslint-config-prettier": "^10.1.8",
-    "eslint-plugin-jsdoc": "^62.3.0",
+    "eslint-plugin-jsdoc": "^62.4.1",
     "eslint-plugin-svelte": "^3.14.0",
-    "globals": "^17.0.0",
+    "globals": "^17.1.0",
     "globby": "^16.1.0",
     "jsdom": "27.4.0",
     "lightningcss": "^1.31.1",
     "markdownlint": "^0.40.0",
     "markdownlint-cli2": "0.20.0",
     "npm-run-all": "^4.1.5",
-    "playwright": "^1.57.0",
+    "playwright": "^1.58.0",
     "postcss": "^8.5.6",
     "prettier": "3.8.1",
     "prettier-plugin-svelte": "^3.4.1",
@@ -135,8 +135,8 @@
     "vite": "^7.3.1",
     "vite-plugin-devtools-json": "^1.0.0",
     "vite-plugin-lightningcss": "^0.0.5",
-    "vite-tsconfig-paths": "^6.0.4",
-    "vitest": "4.0.17"
+    "vite-tsconfig-paths": "^6.0.5",
+    "vitest": "4.0.18"
   },
   "overrides": {
     "cookie": "^1.0.0",

package/scripts/hooks/pre-push.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+#
+# Copyright © 2025-2026 Network Pro Strategies (Network Pro™)
+# SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
+# This file is part of Network Pro
+set -e
+
+# Don't run local hooks in CI
+[ "${CI:-}" = "true" ] && exit 0
+
+branch="$(git rev-parse --abbrev-ref HEAD)"
+if [[ "$branch" == "master" || "$branch" == "main" ]]; then
+  echo "❌ Refusing to push directly to $branch (use a PR)."
+  exit 1
+fi
+
+# Existing behavior
+npm run checkout

package/src/app.html

@@ -53,7 +53,7 @@
       content="bx4ham0zkpvzztzu213bhpt76m9siq" />
     <!-- cspell:enable -->
 
-    <meta name="generator" content="SvelteKit 2.50.0" />
+    <meta name="generator" content="SvelteKit 2.50.1" />
 
     <script src="/disableSw.js"></script>
 

package/static/sitemap.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- Sitemap last updated 2026-01-11 -->
+<!-- Sitemap last updated 2026-01-24 -->
 
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
 
@@ -7,7 +7,7 @@
 
     <loc>https://netwk.pro</loc>
 
-    <lastmod>2026-01-10</lastmod>
+    <lastmod>2026-01-24</lastmod>
 
     <changefreq>weekly</changefreq>
 

package/tests/e2e/app.spec.js

@@ -69,7 +69,10 @@ test.describe('Desktop Tests', () => {
       timeout: 60000,
     });
 
-    await expect(page).toHaveURL(/\/about/);
+    // ✅ “ready” assertion to eliminate flake (SPA + Firefox)
+    await expect(
+      page.getByRole('heading', { name: 'Security, with Intent' }),
+    ).toBeVisible();
   });
 }); // End Desktop Tests
 

package/tests/e2e/shared/helpers.js

@@ -14,6 +14,8 @@ This file is part of Network Pro.
  * @updated 2025-11-12
  */
 
+import { expect } from '@playwright/test';
+
 const DEBUG_LOGS = false; // set to true to enable console logs
 
 /**
@@ -88,28 +90,28 @@ export function getFooter(page) {
 }
 
 /**
- * Click + wait for SPA or full navigation event.
+ * Clicks a locator and waits for a URL change (SPA-safe).
+ * This avoids relying on navigation lifecycle events (load/domcontentloaded),
+ * which can be flaky or aborted in SPA routing (notably in Firefox).
  *
  * @param {import('@playwright/test').Page} page
  * @param {import('@playwright/test').Locator} locator
- * @param {{ urlPattern?: string | RegExp, timeout?: number }} [options]
+ * @param {{ urlPattern?: RegExp, timeout?: number }} [options]
+ * @returns {Promise<void>}
  */
 export async function clickAndWaitForNavigation(page, locator, options = {}) {
   const { urlPattern = /\/.*/, timeout = 60000 } = options;
 
   await locator.scrollIntoViewIfNeeded();
-  await locator.waitFor({ state: 'visible', timeout: 60000 });
+  await locator.waitFor({ state: 'visible', timeout });
 
   const previousURL = page.url();
 
-  const [, newURL] = await Promise.all([
-    page.waitForURL(
-      (url) =>
-        url.toString() !== previousURL && urlPattern.test(url.toString()),
-      { timeout },
-    ),
-    locator.click().then(() => page.url()),
-  ]);
+  await locator.click();
+
+  // SPA-stable URL wait (polling) — does not depend on navigation lifecycle
+  await expect(page).toHaveURL(urlPattern, { timeout });
 
+  const newURL = page.url();
   console.log(`✅ Navigation from ${previousURL} → ${newURL}`);
 }