@networkpro/web 1.8.3 → 1.9.0

package/README.md

@@ -51,34 +51,41 @@ All infrastructure and data flows are designed with **maximum transparency, self
 ## 📁 Repository Structure
 
 ```bash
-.
-├── .github/workflows/     # CI workflows and automation
-├── .vscode/
-│   ├── customData.json    # Custom CSS data for FontAwesome icons
-│   ├── extensions.json    # Recommended VSCodium / VS Code extensions
-│   ├── extensions.jsonc   # Commented version of extensions.json for reference
-│   └── settings.json      # User settings for VSCodium / VS Code
-├── netlify/
-│   └── edge-functions/    # Netlify Edge Functions directory
-│       └── csp-report.js  # Edge Function to receive and log CSP violation reports
-├── scripts/               # General utility scripts
-├── src/
-│   ├── lib/               # Reusable components, styles, utilities
-│   ├── routes/            # SvelteKit routes (+page.svelte, +page.server.js)
-│   ├── hooks.client.ts    # Handles PWA install prompt and logs client errors
-│   ├── hooks.server.js    # Injects CSP headers and permissions policy
-│   ├── app.html           # SvelteKit entry HTML with CSP/meta/bootentry
-│   └── service-worker.js  # Custom Service Worker
-├── static/                # Static assets served at root
-│   ├── manifest.json      # Manifest file for PWA configuration
-│   ├── robots.txt         # Instructions for web robots
-│   └── sitemap.xml        # Sitemap for search engines
-├── tests/
-│   ├── e2e/               # End-to-end Playwright tests
-│   └── unit/              # Vite unit tests
-├── _redirects             # Netlify redirects
-├── netlify.toml           # Netlify configuration
-└── ...
+  .
+  ├── .github/
+  │   └── workflows/                # CI workflows (e.g. test, deploy)
+  ├── .vscode/
+  │   ├── customData.json           # Custom CSS IntelliSense (e.g. FontAwesome)
+  │   ├── extensions.json           # Recommended VS Code / VSCodium extensions
+  │   ├── extensions.jsonc          # Commented version of extensions.json
+  │   └── settings.json             # Workspace settings
+  ├── netlify/
+  │   ├── edge-functions/
+  │   │   └── csp-report.js         # Receives CSP violation reports
+  │   └── netlify.toml              # Netlify configuration
+  ├── scripts/                      # General-purpose utility scripts
+  ├── src/
+  │   ├── app.html                  # Entry HTML (CSP meta, bootstrapping)
+  │   ├── hooks.client.ts           # PWA install prompt & client-side logging
+  │   ├── hooks.server.js           # Injects CSP headers and permissions policy
+  │   ├── lib/                      # Components, utilities, types, styles
+  │   │   ├── components/           # Svelte components
+  │   │   ├── data/                 # Custom data (e.g. JSON, metadata, constants)
+  │   │   └── utils/                # Helper utilities
+  │   ├── routes/                   # SvelteKit pages (+page.svelte, +server.js)
+  │   └── service-worker.js         # Custom PWA service worker
+  ├── static/                       # Public assets served at site root
+  │   ├── disableSw.js              # Service worker bypass (via ?nosw param)
+  │   ├── manifest.json             # PWA metadata
+  │   ├── robots.txt                # SEO: allow/disallow crawlers
+  │   └── sitemap.xml               # SEO: full site map
+  ├── tests/
+  │   ├── e2e/                      # Playwright end-to-end tests
+  │   ├── internal/                 # Internal audit/test helpers
+  │   │   └── auditCoverage.test.js # Warns about untested source modules
+  │   └── unit/                     # Vitest unit tests
+  ├── _redirects                    # Netlify redirect rules
+  └── package.json                  # Project manifest (scripts, deps, etc.)
 ```
 
  
@@ -307,7 +314,7 @@ To use:
 https://netwk.pro/?nosw
 ```
 
-> 💡 `disableSw.js` is loaded from the static directory and runs early, ensuring the `__DISABLE_SW__` flag is available before service worker logic executes.
+> 💡 `disableSw.js` is loaded via a `<script>` tag in `app.html` from the `static` directory. This ensures the `__DISABLE_SW__` flag is set before any service worker logic runs.
 
 &nbsp;
 
@@ -415,8 +422,14 @@ npm run test:coverage   # Collect code coverage reports
 npm run test:e2e        # Runs Playwright E2E tests (with one retry on failure)
 ```
 
+<!-- markdownlint-disable MD028 -->
+
+> The unit test suite includes a coverage audit (`auditCoverage.test.js`) that warns when source files in `src/` or `scripts/` do not have corresponding unit tests. This helps track test completeness without failing CI.
+
 > Playwright will retry failed tests once `(--retries=1)` to reduce false negatives from transient flakiness (network, render delay, etc.).
 
+<!-- markdownlint-enable MD028 -->
+
 Audit your app using Lighthouse:
 
 ```bash
@@ -550,14 +563,14 @@ The following CLI commands are available via `npm run <script>` or `pnpm run <sc
 
 ### ✅ Pre-check / Sync
 
-| Script        | Description                                                  |
-| ------------- | ------------------------------------------------------------ |
-| `prepare`     | Run SvelteKit sync                                           |
-| `check`       | Run SvelteKit sync and type check with `svelte-check`        |
-| `check:watch` | Watch mode for type checks                                   |
-| `check:node`  | Validate Node & npm versions match package.json `engines`    |
-| `checkout`    | Full local validation: check versions, test, lint, typecheck |
-| `verify`      | Alias for `checkout`                                         |
+| Script        | Description                                                                         |
+| ------------- | ----------------------------------------------------------------------------------- |
+| `prepare`     | Run SvelteKit sync                                                                  |
+| `check`       | Run SvelteKit sync and type check with `svelte-check`                               |
+| `check:watch` | Watch mode for type checks                                                          |
+| `check:node`  | Validate Node & npm versions match package.json `engines`                           |
+| `checkout`    | Full local validation: check versions, test (incl. audit coverage), lint, typecheck |
+| `verify`      | Alias for `checkout`                                                                |
 
 &nbsp;
 
@@ -577,15 +590,15 @@ The following CLI commands are available via `npm run <script>` or `pnpm run <sc
 
 <!-- markdownlint-enable MD024 -->
 
-| Script          | Description                                            |
-| --------------- | ------------------------------------------------------ |
-| `test`          | Alias for `test:all`                                   |
-| `test:all`      | Run both client and server test suites                 |
-| `test:client`   | Run client tests with Vitest                           |
-| `test:server`   | Run server-side tests with Vitest                      |
-| `test:watch`    | Watch mode for client tests                            |
-| `test:coverage` | Collect coverage from both client and server           |
-| `test:e2e`      | Runs E2E tests with up to 1 automatic retry on failure |
+| Script          | Description                                                   |
+| --------------- | ------------------------------------------------------------- |
+| `test`          | Alias for `test:all`                                          |
+| `test:all`      | Run both client and server test suites (incl. audit coverage) |
+| `test:client`   | Run client tests with Vitest                                  |
+| `test:server`   | Run server-side tests with Vitest                             |
+| `test:watch`    | Watch mode for client tests                                   |
+| `test:coverage` | Collect coverage from both client and server                  |
+| `test:e2e`      | Runs E2E tests with up to 1 automatic retry on failure        |
 
 &nbsp;
 
@@ -615,11 +628,11 @@ The following CLI commands are available via `npm run <script>` or `pnpm run <sc
 
 ### 📋 Audits / Validation
 
-| Script          | Description                                  |
-| --------------- | -------------------------------------------- |
-| `audit:scripts` | Check for untested utility scripts           |
-| `head:flatten`  | Flatten headers for Netlify                  |
-| `head:validate` | Validate headers file against project config |
+| Script           | Description                                          |
+| ---------------- | ---------------------------------------------------- |
+| `audit:coverage` | Warn about untested modules in `src/` and `scripts/` |
+| `head:flatten`   | Flatten headers for Netlify                          |
+| `head:validate`  | Validate headers file against project config         |
 
 &nbsp;
 

package/package.json

@@ -4,7 +4,7 @@
   "sideEffects": [
     "./.netlify/shims.js"
   ],
-  "version": "1.8.3",
+  "version": "1.9.0",
   "description": "Locking Down Networks, Unlocking Confidence | Security, Networking, Privacy — Network Pro Strategies",
   "keywords": [
     "advisory",
@@ -49,7 +49,7 @@
     "check:watch": "svelte-kit sync && svelte-check --tsconfig ./jsconfig.json --watch",
     "check:env": "node scripts/checkEnv.js",
     "check:node": "node scripts/checkNode.js",
-    "checkout": "npm run check:node && npm run test:all && npm run lint:all && npm run check && npm run audit:scripts",
+    "checkout": "npm run check:node && npm run test:all && npm run lint:all && npm run check",
     "verify": "npm run checkout",
     "delete": "rm -rf build .svelte-kit node_modules package-lock.json",
     "clean": "npm run delete && npm cache clean --force && npm install",
@@ -71,13 +71,13 @@
     "format:fix": "prettier --write .",
     "lhci": "lhci",
     "lhci:run": "lhci autorun --config=.lighthouserc.cjs",
-    "audit:scripts": "node scripts/auditScripts.js",
+    "audit:coverage": "vitest run tests/internal/auditCoverage.test.js",
     "head:flatten": "node scripts/flattenHeaders.js",
     "head:validate": "node scripts/validateHeaders.js",
     "postinstall": "npm run check:node"
   },
   "dependencies": {
-    "nodemailer": "^7.0.3",
+    "dompurify": "^3.2.6",
     "posthog-js": "^1.249.0",
     "semver": "^7.7.2",
     "svelte": "5.33.11"

package/scripts/generateTest.js

@@ -0,0 +1,61 @@
+#!/usr/bin/env node
+
+/* ==========================================================================
+scripts/generateTest.js
+
+Copyright © 2025 Network Pro Strategies (Network Pro™)
+SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
+This file is part of Network Pro.
+========================================================================== */
+
+/**
+ * @file generateTest.js
+ * @description Auto-generates a *.test.js scaffold for utilities and
+ * components.
+ * @module scripts
+ * @author SunDevil311
+ * @updated 2025-06-01
+ */
+
+import fs from "fs";
+import path from "path";
+
+const [, , targetFile] = process.argv;
+
+if (!targetFile) {
+  console.error("Usage: node generateTest.js <path/to/yourFile.js>");
+  process.exit(1);
+}
+
+const absolutePath = path.resolve(targetFile);
+const parsed = path.parse(absolutePath);
+
+const testFileName = `${parsed.name}.test.js`;
+const testFilePath = path.join(
+  parsed.dir.replace("src", "tests/unit"),
+  testFileName,
+);
+
+// Example scaffold content
+const scaffold = `/**
+ * Unit tests for ${parsed.base}
+ */
+
+import { describe, it, expect } from "vitest";
+import * as Module from "${path.relative(path.dirname(testFilePath), absolutePath).replace(/\\/g, "/")}";
+
+describe("${parsed.name}", () => {
+  it("should have tests", () => {
+    expect(true).toBe(true);
+  });
+});
+`;
+
+fs.mkdirSync(path.dirname(testFilePath), { recursive: true });
+
+if (fs.existsSync(testFilePath)) {
+  console.warn(`Test file already exists at: ${testFilePath}`);
+} else {
+  fs.writeFileSync(testFilePath, scaffold);
+  console.log(`✅ Test scaffold created: ${testFilePath}`);
+}

package/src/lib/components/foss/FossItemContent.svelte

@@ -7,8 +7,11 @@ This file is part of Network Pro.
 ========================================================================== -->
 
 <script>
+  /* at-html is sanitized by DOMPurify */
   /* eslint-disable svelte/no-at-html-tags */
 
+  import { onMount } from "svelte";
+  import { sanitizeHtml } from "$lib/utils/purify.js";
   import FossFeatures from "$lib/components/foss/FossFeatures.svelte";
   // Import directly from $lib by way of image utility
   import { obtainiumPng, obtainiumWbp } from "$lib";
@@ -26,30 +29,9 @@ This file is part of Network Pro.
   /** @type {"lazy"} */
   const loading = "lazy";
 
-  /**
-   * @type {{
-   *   id: string,
-   *   title: string,
-   *   images: {
-   *     webp: string,
-   *     png: string
-   *   },
-   *   imgAlt: string,
-   *   headline: string,
-   *   headlineDescription: string,
-   *   detailsDescription: string,
-   *   features: any[],
-   *   notes: string[],
-   *   links: Array<{
-   *     label?: string,
-   *     href?: string,
-   *     imgAlt?: string,
-   *     downloadText?: string,
-   *     downloadHref?: string,
-   *     hideLabels?: boolean
-   *   }>
-   * }}
-   */
+  /// <reference path="$lib/types/fossTypes.js" />
+
+  /** @type {FossItem} */
   export let fossItem;
 
   /**
@@ -58,6 +40,18 @@ This file is part of Network Pro.
    * @type {boolean}
    */
   export let isFirst = false;
+
+  let safeHeadlineDescription = "";
+  let safeDetailsDescription = "";
+  /** @type {string[]} */
+  let safeNotes = [];
+
+  // Sanitize everything on mount
+  onMount(async () => {
+    safeHeadlineDescription = await sanitizeHtml(fossItem.headlineDescription);
+    safeDetailsDescription = await sanitizeHtml(fossItem.detailsDescription);
+    safeNotes = await Promise.all((fossItem.notes ?? []).map(sanitizeHtml));
+  });
 </script>
 
 <!-- BEGIN FOSS ITEMS -->
@@ -88,17 +82,21 @@ This file is part of Network Pro.
 
   <h3>{fossItem.headline}</h3>
 
-  <!-- Trusted input, from internal CMS -->
-  {@html fossItem.headlineDescription}
+  <!-- Sanitized input from DOMPurify -->
+  <div class="headline-description">
+    {@html safeHeadlineDescription}
+  </div>
 
   <FossFeatures features={fossItem.features} />
 
-  <!-- Trusted input, from internal CMS -->
-  {@html fossItem.detailsDescription}
+  <!-- Sanitized input from DOMPurify -->
+  <div class="details-description">
+    {@html safeDetailsDescription}
+  </div>
 
-  {#each fossItem.notes as note}
+  {#each safeNotes as note}
     <blockquote class="bquote">
-      <!-- Trusted input, from internal CMS -->
+      <!-- Sanitized input from DOMPurify -->
       {@html note}
     </blockquote>
   {/each}

package/src/lib/pages/AboutContent.svelte

@@ -8,6 +8,16 @@ This file is part of Network Pro.
 
 <script>
   import { pgpContact, pgpSupport, vcfSrc } from "$lib";
+  import { base } from "$app/paths";
+
+  // Log the base path to verify its value
+  //console.log("Base path:", base);
+
+  /**
+   * URL to the Contact Form route, using the base path
+   * @type {string}
+   */
+  const contactLink = `${base}/contact`;
 
   /**
    * Security attribute for external links
@@ -196,7 +206,7 @@ This file is part of Network Pro.
 <div class="spacer"></div>
 
 <p>
-  <a href="https://netwk.pro/contact" target="_self">Let's connect</a>
+  <a href={contactLink} target="_self">Let's connect</a>
   to discuss how we can help secure and strengthen your business today.
 </p>
 
@@ -236,8 +246,7 @@ This file is part of Network Pro.
                 type="application/pgp-keys"
                 download
                 target={tgtBlank}
-                >asc
-                <span class="fas fa-file-arrow-down"></span></a
+                >asc &nbsp;<span class="fas fa-file-arrow-down"></span></a
               ></strong>
           </p>
           <p
@@ -262,7 +271,7 @@ This file is part of Network Pro.
                 type="application/pgp-keys"
                 download
                 target={tgtBlank}
-                >asc <span class="fas fa-file-arrow-down"></span></a
+                >asc &nbsp;<span class="fas fa-file-arrow-down"></span></a
               ></strong>
           </p>
           <p
@@ -300,7 +309,8 @@ This file is part of Network Pro.
               type="text/vcard"
               download
               target={tgtBlank}>
-              <strong>vcf</strong>
+              <strong
+                >vcf &nbsp;<span class="fas fa-file-arrow-down"></span></strong>
             </a>
           </p>
         </td>

package/src/lib/pages/LicenseContent.svelte

@@ -218,7 +218,7 @@ This file is part of Network Pro.
       </ul>
     {:else if link.id === "cc-by"}
       <p class={constants.classSmall}>
-        Formats:
+        Download:
         <a
           href="/assets/license/CC-BY-4.0.html"
           download
@@ -321,7 +321,7 @@ This file is part of Network Pro.
       </code>
     {:else if link.id === "gnu-gpl"}
       <p class={constants.classSmall}>
-        Formats:
+        Download:
         <a
           href="/assets/license/COPYING.html"
           download

package/src/lib/types/fossTypes.js

@@ -0,0 +1,23 @@
+/**
+ * @typedef {object} FossLink
+ * @property {string} [label]
+ * @property {string} [href]
+ * @property {string} [imgAlt]
+ * @property {string} [downloadText]
+ * @property {string} [downloadHref]
+ * @property {boolean} [hideLabels]
+ */
+
+/**
+ * @typedef {object} FossItem
+ * @property {string} id
+ * @property {string} title
+ * @property {{ webp: string, png: string }} images
+ * @property {string} imgAlt
+ * @property {string} headline
+ * @property {string} headlineDescription
+ * @property {string} detailsDescription
+ * @property {Array<any>} features
+ * @property {Array<string>} notes
+ * @property {Array<FossLink>} links
+ */

package/src/lib/utils/purify.js

@@ -0,0 +1,74 @@
+/* ==========================================================================
+src/lib/utils/purify.js
+
+Copyright © 2025 Network Pro Strategies (Network Pro™)
+SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
+This file is part of Network Pro.
+========================================================================== */
+
+/**
+ * @file purify.js
+ * @description Universal DOMPurify instance for SSR + client with safe build support.
+ * Secures untrusted HTML before injecting it into the DOM.
+ * @module src/lib/utils
+ * @author SunDevil311
+ * @updated 2025-06-01
+ */
+
+import createDOMPurify from "dompurify";
+
+/**
+ * @typedef {ReturnType<import('dompurify').default>} DOMPurifyInstance
+ */
+
+/** @type {import('dompurify').DOMPurify | null} */
+let DOMPurifyInstance = null;
+
+/** @type {import('jsdom').JSDOM['window'] | null} */
+let jsdomWindow = null;
+
+/**
+ * SSR-safe + Vite-compatible init of DOMPurify.
+ *
+ * Caches DOMPurify across multiple calls to improve performance in tests or SSR environments.
+ *
+ * @returns {Promise<DOMPurifyInstance>}
+ */
+export async function getDOMPurify() {
+  if (DOMPurifyInstance) return DOMPurifyInstance;
+
+  if (typeof window !== "undefined") {
+    // ✅ Client-side: use native window
+    DOMPurifyInstance = createDOMPurify(window);
+  } else {
+    // ✅ SSR: dynamically import jsdom to avoid bundling
+    const { JSDOM } = await import("jsdom");
+    jsdomWindow = jsdomWindow || new JSDOM("").window;
+    DOMPurifyInstance = createDOMPurify(jsdomWindow);
+  }
+
+  return DOMPurifyInstance;
+}
+
+/**
+ * Sanitizes HTML content to prevent XSS.
+ *
+ * @param {string} dirtyHtml
+ * @returns {Promise<string>} - A Promise resolving to sanitized HTML
+ */
+export async function sanitizeHtml(dirtyHtml) {
+  const DOMPurify = await getDOMPurify();
+  return DOMPurify.sanitize(dirtyHtml, {
+    USE_PROFILES: { html: true },
+    ALLOW_DATA_ATTR: false,
+    ALLOWED_URI_REGEXP: /^(?:(?:https?|mailto):)/i,
+  });
+}
+
+/**
+ * Optional helper to reset cache (for test isolation).
+ */
+export function resetDOMPurifyCache() {
+  DOMPurifyInstance = null;
+  jsdomWindow = null;
+}

package/tests/internal/auditCoverage.test.js

@@ -0,0 +1,99 @@
+/* ==========================================================================
+tests/internal/auditCoverage.test.js
+
+Copyright © 2025 Network Pro Strategies (Network Pro™)
+SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
+This file is part of Network Pro.
+========================================================================== */
+
+/**
+ * @file auditCoverage.test.js
+ * @description Scans all .js files in src/ and scripts/ for matching unit test
+ * @module tests/internal
+ * @author SunDevil311
+ * @updated 2025-06-01
+ */
+
+import fs from "fs";
+import path from "path";
+import { describe, expect, it } from "vitest";
+
+/**
+ * Recursively get all .js files in a directory
+ * @param {string} dir
+ * @param {object} [opts]
+ * @param {boolean} [opts.includeTests=false]
+ * @returns {string[]}
+ */
+function getAllJsFiles(dir, { includeTests = false } = {}) {
+  let results = [];
+  const list = fs.readdirSync(dir);
+  for (const file of list) {
+    const fullPath = path.join(dir, file);
+    const stat = fs.statSync(fullPath);
+    if (stat.isDirectory()) {
+      results = results.concat(getAllJsFiles(fullPath, { includeTests }));
+    } else if (file.endsWith(".js")) {
+      if (
+        !includeTests &&
+        (file.endsWith(".test.js") || file.endsWith(".spec.js"))
+      ) {
+        continue;
+      }
+      results.push(fullPath);
+    }
+  }
+  return results;
+}
+
+describe("auditCoverage", () => {
+  it("should have corresponding test files for all JS modules", () => {
+    const allowList = new Set([
+      "checkNode.js",
+      "auditScripts.js",
+      "vite.config.js",
+      "svelte.config.js",
+    ]);
+
+    const srcFiles = getAllJsFiles(path.resolve("src"));
+    const scriptsFiles = getAllJsFiles(path.resolve("scripts"));
+    const allFiles = [...srcFiles, ...scriptsFiles].map((f) =>
+      path
+        .relative(process.cwd(), f)
+        .replace(/\\/g, "/") // Normalize Windows slashes
+        .replace(/^src\//, "")
+        .replace(/^scripts\//, "")
+        .replace(/\.js$/, ""),
+    );
+
+    const testFiles = getAllJsFiles(path.resolve("tests/unit"), {
+      includeTests: true,
+    });
+
+    const testFilesNormalized = testFiles.map((f) =>
+      path
+        .relative(path.resolve("tests/unit"), f)
+        .replace(/\\/g, "/")
+        .replace(/\.test\.js$|\.spec\.js$/, ""),
+    );
+
+    const testedNames = new Set(testFilesNormalized);
+
+    const untested = allFiles.filter((file) => {
+      if (file.startsWith("tests/")) return false;
+      if ([...allowList].some((allowed) => file.endsWith(allowed)))
+        return false;
+      return !testedNames.has(file);
+    });
+
+    if (untested.length > 0) {
+      console.warn(
+        "\n[WARN] The following JS modules do not have corresponding tests:\n" +
+          untested.map((f) => `  - ${f}`).join("\n"),
+      );
+    }
+
+    // ✅ Always pass — warn only
+    expect(true).toBe(true);
+  });
+});

package/tests/unit/lib/utils/purify.test.js

@@ -0,0 +1,50 @@
+/* ==========================================================================
+tests/unit/lib/utils/purify.test.js
+
+Copyright © 2025 Network Pro Strategies (Network Pro™)
+SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
+This file is part of Network Pro.
+========================================================================== */
+
+/**
+ * @file purify.test.js
+ * @description Unit test for src/lib/utils/purify.js
+ * @module tests/unit/lib/util
+ * @author SunDevil311
+ * @updated 2025-06-01
+ */
+
+import { describe, expect, it } from "vitest";
+import { sanitizeHtml } from "../../../../src/lib/utils/purify.js";
+
+describe("sanitizeHtml", () => {
+  it("removes dangerous tags like <script>", async () => {
+    const dirty = `<div>Hello <script>alert("XSS")</script> world!</div>`;
+    const clean = await sanitizeHtml(dirty);
+    expect(clean).toBe("<div>Hello  world!</div>");
+  }); // timeout in ms
+
+  it("preserves safe markup like <strong>", async () => {
+    const dirty = `<p>This is <strong>important</strong>.</p>`;
+    const clean = await sanitizeHtml(dirty);
+    expect(clean).toBe("<p>This is <strong>important</strong>.</p>");
+  });
+
+  it("removes dangerous attributes like onerror", async () => {
+    const dirty = `<img src="x" onerror="alert(1)">`;
+    const clean = await sanitizeHtml(dirty);
+    expect(clean).toBe('<img src="x">');
+  });
+
+  it("keeps valid external links", async () => {
+    const dirty = `<a href="https://example.com">Click</a>`;
+    const clean = await sanitizeHtml(dirty);
+    expect(clean).toBe('<a href="https://example.com">Click</a>');
+  });
+
+  it("blocks javascript: URLs", async () => {
+    const dirty = `<a href="javascript:alert('XSS')">bad</a>`;
+    const clean = await sanitizeHtml(dirty);
+    expect(clean).toBe("<a>bad</a>");
+  });
+});

package/vitest.config.client.js

@@ -26,10 +26,14 @@ export default defineConfig({
     name: "client",
     environment: "jsdom",
     clearMocks: true,
-    include: ["tests/unit/**/*.svelte.test.{js,mjs}"],
+    include: [
+      "tests/unit/**/*.test.{js,mjs,svelte}",
+      "tests/internal/**/*.test.{js,mjs,svelte}",
+    ],
     exclude: [],
     setupFiles: ["./vitest-setup-client.js"],
     reporters: ["default", "json"],
+    testTimeout: 10000,
     outputFile: {
       json: "./reports/client/results.json",
     },

package/vitest.config.server.js

@@ -26,6 +26,7 @@ export default defineConfig({
     include: ["tests/unit/**/*.test.{js,mjs}"],
     exclude: ["tests/unit/**/*.svelte.test.{js,mjs}"],
     reporters: ["default", "json"],
+    testTimeout: 10000,
     outputFile: {
       json: "./reports/server/results.json",
     },

package/tests/unit/auditScripts.test.js

@@ -1,43 +0,0 @@
-/* ==========================================================================
-tests/unit/auditScripts.test.js
-
-Copyright © 2025 Network Pro Strategies (Network Pro™)
-SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
-This file is part of Network Pro.
-========================================================================== */
-
-/**
- * Unit test for scripts/auditScripts.js
- */
-
-import fs from "fs";
-import path from "path";
-import { describe, expect, it } from "vitest";
-
-describe("auditScripts.js", () => {
-  it("should identify untested scripts correctly", () => {
-    const scriptsDir = path.resolve("./scripts");
-    const testsDir = path.resolve("./tests");
-
-    const allowList = new Set(["checkNode.js", "auditScripts.js"]);
-
-    const scriptFiles = fs
-      .readdirSync(scriptsDir)
-      .filter((file) => file.endsWith(".js"));
-
-    const testFiles = fs
-      .readdirSync(testsDir)
-      .filter((file) => file.endsWith(".test.js") || file.endsWith(".spec.js"));
-
-    const testedModules = new Set(
-      testFiles.map((f) => f.replace(/\.test\.js$|\.spec\.js$/, "")),
-    );
-
-    const untested = scriptFiles.filter((file) => {
-      const base = file.replace(/\.js$/, "");
-      return !allowList.has(file) && !testedModules.has(base);
-    });
-
-    expect(untested).not.toContain("auditScripts.js");
-  });
-});