@reddoorla/maintenance 0.29.0 → 0.30.0

package/dist/cli/bin.js

@@ -134,6 +134,7 @@ function mapRow(rec) {
     a11yViolations: f["A11y Violations"] ?? null,
     depsDrifted: f["Deps Drifted"] ?? null,
     depsMajorBehind: f["Deps Major Behind"] ?? null,
+    depsOutdated: f["Deps Outdated"] ?? null,
     securityVulnsCritical: f["Security Vulns Critical"] ?? null,
     securityVulnsHigh: f["Security Vulns High"] ?? null,
     securityVulnsModerate: f["Security Vulns Moderate"] ?? null,
@@ -179,6 +180,9 @@ async function updateDepsCounts(base, recordId, counts) {
     "Deps Drifted": counts.drifted,
     "Deps Major Behind": counts.majorBehind
   };
+  if (counts.outdated !== null) {
+    fields["Deps Outdated"] = counts.outdated;
+  }
   await base(WEBSITES_TABLE).update([{ id: recordId, fields }]);
 }
 async function updateSecurityCounts(base, recordId, counts) {
@@ -212,23 +216,25 @@ function fromAirtableBase(base, opts = {}) {
       );
     }
     const websites = await listWebsites(base);
-    return websites.filter((w) => w.maintenanceFreq !== "None" || w.testingFreq !== "None").map((w) => {
+    return websites.filter((w) => AUDITABLE_STATUSES.has(w.status ?? "") && w.url.length > 0).map((w) => {
       const slug = siteSlug(w.name);
       const site = {
         path: `${workdir}/${slug}`,
         name: slug,
+        deployedUrl: w.url,
         meta: { airtableRowId: w.id, displayName: w.name }
       };
-      if (w.url) site.repoUrl = w.url;
       if (w.gitRepo) site.gitRepo = w.gitRepo;
       return site;
     });
   };
 }
+var AUDITABLE_STATUSES;
 var init_airtable = __esm({
   "src/inventory/airtable.ts"() {
     "use strict";
     init_websites();
+    AUDITABLE_STATUSES = /* @__PURE__ */ new Set(["maintenance", "launch period"]);
   }
 });
 
@@ -240,7 +246,7 @@ __export(lighthouse_airtable_exports, {
   resolveSlugFromCwd: () => resolveSlugFromCwd
 });
 import { readFile as readFile7 } from "fs/promises";
-import { join as join8 } from "path";
+import { join as join9 } from "path";
 function hasRealScores(result) {
   if (result.audit !== "lighthouse") return false;
   const details = result.details ?? {};
@@ -265,7 +271,7 @@ function lighthouseScoresFromResult(result) {
 }
 async function resolveSlugFromCwd(cwd) {
   try {
-    const pkgPath = join8(cwd, "package.json");
+    const pkgPath = join9(cwd, "package.json");
     const raw = await readFile7(pkgPath, "utf-8");
     const pkg = JSON.parse(raw);
     if (!pkg.name) throw new Error("package.json has no 'name' field");
@@ -308,16 +314,19 @@ var init_a11y_airtable = __esm({
 // src/audits/deps-airtable.ts
 function hasDepsCounts(result) {
   if (result.audit !== "deps") return false;
-  return Array.isArray(result.details);
+  const d = result.details;
+  return Array.isArray(d?.entries);
 }
 function depsCountsFromResult(result) {
   if (result.audit !== "deps") {
     throw new Error(`Expected a 'deps' AuditResult, got '${result.audit}'`);
   }
-  const entries = result.details ?? [];
+  const details = result.details ?? {};
+  const entries = details.entries ?? [];
   const drifted = entries.filter((e) => e.drift !== "same").length;
   const majorBehind = entries.filter((e) => e.drift === "major").length;
-  return { drifted, majorBehind };
+  const outdated = details.outdated?.outdated ?? null;
+  return { drifted, majorBehind, outdated };
 }
 var init_deps_airtable = __esm({
   "src/audits/deps-airtable.ts"() {
@@ -348,7 +357,9 @@ var init_security_airtable = __esm({
 // src/audits/write-audits-to-airtable.ts
 var write_audits_to_airtable_exports = {};
 __export(write_audits_to_airtable_exports, {
-  writeAuditsToAirtable: () => writeAuditsToAirtable
+  formatFleetWriteSummary: () => formatFleetWriteSummary,
+  writeAuditsToAirtable: () => writeAuditsToAirtable,
+  writeFleetAuditsToAirtable: () => writeFleetAuditsToAirtable
 });
 async function writeAuditsToAirtable(args) {
   const { base, websites, slug, results } = args;
@@ -397,6 +408,38 @@ async function writeAuditsToAirtable(args) {
   }
   return { siteName: target.name, writes };
 }
+function formatFleetWriteSummary(result) {
+  const wrote = result.written.length;
+  const failed = result.failed.length;
+  const total = wrote + failed;
+  let out = `\u2192 wrote ${wrote} site(s) to Airtable`;
+  if (failed > 0) {
+    out += `
+\u26A0 ${failed} site(s) not written: ${result.failed.map((f) => `${f.slug} (${f.error})`).join("; ")}`;
+  }
+  out += `
+FLEET_WRITE_SUMMARY wrote=${wrote} failed=${failed} total=${total}`;
+  return out;
+}
+async function writeFleetAuditsToAirtable(args) {
+  const { base, websites, results } = args;
+  const bySlug = /* @__PURE__ */ new Map();
+  for (const r of results) {
+    const arr = bySlug.get(r.site) ?? [];
+    arr.push(r);
+    bySlug.set(r.site, arr);
+  }
+  const written = [];
+  const failed = [];
+  for (const [slug, siteResults] of bySlug) {
+    try {
+      written.push(await writeAuditsToAirtable({ base, websites, slug, results: siteResults }));
+    } catch (e) {
+      failed.push({ slug, error: e.message });
+    }
+  }
+  return { written, failed };
+}
 var init_write_audits_to_airtable = __esm({
   "src/audits/write-audits-to-airtable.ts"() {
     "use strict";
@@ -524,18 +567,18 @@ var init_reports = __esm({
 // src/reports/maintenance-email/assets/index.ts
 import { readFile as readFile13 } from "fs/promises";
 import { existsSync as existsSync3 } from "fs";
-import { dirname as dirname4, join as join23 } from "path";
+import { dirname as dirname4, join as join24 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 function resolveAssetsDir() {
   if (cachedAssetsDir) return cachedAssetsDir;
   let dir = dirname4(fileURLToPath2(import.meta.url));
   while (true) {
-    const srcCandidate = join23(dir, "src", "reports", "maintenance-email", "assets", "check.png");
+    const srcCandidate = join24(dir, "src", "reports", "maintenance-email", "assets", "check.png");
     if (existsSync3(srcCandidate)) {
       cachedAssetsDir = dirname4(srcCandidate);
       return cachedAssetsDir;
     }
-    const distCandidate = join23(dir, "dist", "reports", "maintenance-email", "assets", "check.png");
+    const distCandidate = join24(dir, "dist", "reports", "maintenance-email", "assets", "check.png");
     if (existsSync3(distCandidate)) {
       cachedAssetsDir = dirname4(distCandidate);
       return cachedAssetsDir;
@@ -552,8 +595,8 @@ function resolveAssetsDir() {
 async function loadBundledImages() {
   const assetsDir = resolveAssetsDir();
   const [check, blurred] = await Promise.all([
-    readFile13(join23(assetsDir, "check.png")),
-    readFile13(join23(assetsDir, "blurredTests.jpg"))
+    readFile13(join24(assetsDir, "check.png")),
+    readFile13(join24(assetsDir, "blurredTests.jpg"))
   ]);
   return {
     check: {
@@ -769,7 +812,7 @@ function buildMjml(data) {
         <mj-text font-family="helvetica, sans-serif" font-size="24px" font-weight="300" line-height="30px">Just hit reply.</mj-text>
         <mj-text font-family="helvetica, sans-serif" font-size="24px" font-weight="300" padding-top="0px" line-height="30px" padding-bottom="36px">We're here to help in any way we can.</mj-text>
         <mj-divider border-width="1px" border-style="solid" border-color="#CCCCCC" padding="0" />
-        <mj-text color="#757575" font-family="helvetica, sans-serif" font-size="12px" font-weight="300" padding-top="24px" line-height="20px" font-style="italic">Copyright ${(/* @__PURE__ */ new Date()).getFullYear()} Reddoor Creative, LLC. All rights reserved.</mj-text>
+        <mj-text color="#757575" font-family="helvetica, sans-serif" font-size="12px" font-weight="300" padding-top="24px" line-height="20px" font-style="italic">Copyright ${(/* @__PURE__ */ new Date()).getUTCFullYear()} Reddoor Creative, LLC. All rights reserved.</mj-text>
         <mj-text color="#757575" font-family="helvetica, sans-serif" font-size="12px" font-weight="700" line-height="16px" padding-top="0" padding-bottom="0px">Our mailing address is:</mj-text>
         <mj-text color="#757575" font-family="helvetica, sans-serif" font-size="12px" font-weight="300" line-height="16px" padding-top="0" padding-bottom="0px">Reddoor Creative, LLC</mj-text>
         <mj-text color="#757575" font-family="helvetica, sans-serif" font-size="12px" font-weight="300" line-height="16px" padding-top="0" padding-bottom="0px">29027 Dapper Dan</mj-text>
@@ -924,6 +967,14 @@ __export(orchestrate_exports, {
 function monthYear(d) {
   return `${MONTHS2[d.getUTCMonth()]} ${d.getUTCFullYear()}`;
 }
+function toInlineAttachment(a) {
+  return {
+    filename: a.filename,
+    content: Buffer.from(a.bytes).toString("base64"),
+    contentType: a.contentType,
+    inlineContentId: a.cid
+  };
+}
 async function sendApprovedReports(options = {}) {
   const base = openBase(readAirtableConfig());
   const client = options.resend ?? defaultResendClient();
@@ -955,7 +1006,9 @@ async function sendOne(client, base, site, report) {
     throw new Error(`Site '${site.name}' has no Header image set on the Websites row`);
   }
   if (!report.lighthouse) {
-    throw new Error(`Report ${report.reportId} has no Lighthouse scores`);
+    throw new Error(
+      `Report ${report.reportId} has no Lighthouse scores \u2014 all four cells (Lighthouse \u2014 Performance / Accessibility / Best Practices / SEO) must be numeric on the Reports row; one non-numeric or blank cell nulls all four`
+    );
   }
   const original = await fetchAttachmentBytes(site.headerImage.url);
   const header = await prepareHeaderImage(original.bytes);
@@ -991,7 +1044,7 @@ async function sendOne(client, base, site, report) {
   for (const addr of to) {
     if (!isProbablyEmail(addr)) {
       throw new Error(
-        `Site '${site.name}' recipient is malformed: ${addr} \u2014 fix Report recipients (To) or point of contact in Airtable`
+        `Site '${site.name}' recipient is malformed: ${addr} \u2014 use a bare address only (no \`Name <addr>\` display-name syntax); fix Report recipients (To) or point of contact in Airtable`
       );
     }
   }
@@ -1012,27 +1065,27 @@ async function sendOne(client, base, site, report) {
     subject,
     html,
     attachments: [
-      {
+      toInlineAttachment({
+        bytes: header.bytes,
         filename: `${cidName}.jpg`,
-        content: Buffer.from(header.bytes).toString("base64"),
         contentType: header.contentType,
-        inlineContentId: cidName
-      },
+        cid: cidName
+      }),
       // Bundled images referenced via cid:rd-check-png / cid:rd-blurred-tests-jpg
       // in the template. Attached inline so the email is self-contained — no
       // external CDN dependency, no image-blocked broken icons in webmail.
-      {
+      toInlineAttachment({
+        bytes: bundled.check.bytes,
         filename: bundled.check.filename,
-        content: Buffer.from(bundled.check.bytes).toString("base64"),
         contentType: bundled.check.contentType,
-        inlineContentId: bundled.check.cid
-      },
-      {
+        cid: bundled.check.cid
+      }),
+      toInlineAttachment({
+        bytes: bundled.blurred.bytes,
         filename: bundled.blurred.filename,
-        content: Buffer.from(bundled.blurred.bytes).toString("base64"),
         contentType: bundled.blurred.contentType,
-        inlineContentId: bundled.blurred.cid
-      }
+        cid: bundled.blurred.cid
+      })
     ],
     // Stable across retries of the same row — if Airtable stamping fails after a
     // successful Resend, the next --send-ready replays with the same key and
@@ -1110,36 +1163,74 @@ import { Listr } from "listr2";
 
 // src/audits/util/spawn.ts
 import { spawn } from "child_process";
-var defaultSpawn = (cmd, args, opts = {}) => new Promise((resolve11, reject) => {
-  const streaming = opts.streaming === true;
-  const child = spawn(cmd, [...args], {
-    cwd: opts.cwd,
-    env: opts.env ?? process.env,
-    stdio: streaming ? ["ignore", "inherit", "inherit"] : ["ignore", "pipe", "pipe"]
-  });
-  let stdout = "";
-  let stderr = "";
-  if (!streaming) {
-    child.stdout?.on("data", (chunk) => stdout += String(chunk));
-    child.stderr?.on("data", (chunk) => stderr += String(chunk));
-  }
-  const timer = opts.timeoutMs ? setTimeout(() => {
-    child.kill("SIGTERM");
-    reject(new Error(`spawn timeout after ${opts.timeoutMs}ms: ${cmd}`));
-  }, opts.timeoutMs) : void 0;
-  child.on("error", (err) => {
-    if (timer) clearTimeout(timer);
-    reject(err);
-  });
-  child.on("close", (code) => {
-    if (timer) clearTimeout(timer);
-    resolve11({ code: code ?? -1, stdout, stderr });
+var TRUNCATION_MARKER = "\n\u2026[output truncated]";
+function makeSpawn(internals = {}) {
+  const spawnImpl = internals.spawnImpl ?? spawn;
+  const killImpl = internals.killImpl ?? ((pid, sig) => process.kill(pid, sig));
+  const killGraceMs = internals.killGraceMs ?? 5e3;
+  const maxOutputBytes = internals.maxOutputBytes ?? 10 * 1024 * 1024;
+  return (cmd, args, opts = {}) => new Promise((resolve11, reject) => {
+    const streaming = opts.streaming === true;
+    const child = spawnImpl(cmd, [...args], {
+      cwd: opts.cwd,
+      env: opts.env ?? process.env,
+      stdio: streaming ? ["ignore", "inherit", "inherit"] : ["ignore", "pipe", "pipe"],
+      // Detach ONLY when a timeout can fire: the child then leads its own
+      // process group, so the timeout can kill the WHOLE tree (vite, and
+      // Chromium under lhci/playwright) via process.kill(-pid), not just the
+      // npx/pnpm wrapper. Without it, killing the wrapper orphaned the
+      // grandchildren — a zombie vite squatting its port, Chrome left running.
+      // We do NOT detach timeout-less streaming calls (pnpm install/up):
+      // detaching gains nothing there (no timeout → no group-kill) and would
+      // break terminal Ctrl-C, which only reaches the foreground group — i.e.
+      // it would re-orphan the very children this guards. We never unref() the
+      // child since we still await it.
+      detached: opts.timeoutMs !== void 0
+    });
+    const cap = (acc, chunk) => {
+      if (acc.length >= maxOutputBytes) return acc;
+      const next = acc + chunk;
+      return next.length > maxOutputBytes ? next.slice(0, maxOutputBytes) + TRUNCATION_MARKER : next;
+    };
+    let stdout = "";
+    let stderr = "";
+    if (!streaming) {
+      child.stdout?.on("data", (chunk) => stdout = cap(stdout, String(chunk)));
+      child.stderr?.on("data", (chunk) => stderr = cap(stderr, String(chunk)));
+    }
+    const killGroup = (sig) => {
+      if (child.pid === void 0) return;
+      try {
+        killImpl(-child.pid, sig);
+      } catch {
+      }
+    };
+    let killTimer;
+    const timer = opts.timeoutMs ? setTimeout(() => {
+      killGroup("SIGTERM");
+      killTimer = setTimeout(() => killGroup("SIGKILL"), killGraceMs);
+      killTimer.unref();
+      reject(new Error(`spawn timeout after ${opts.timeoutMs}ms: ${cmd}`));
+    }, opts.timeoutMs) : void 0;
+    const clearTimers = () => {
+      if (timer) clearTimeout(timer);
+      if (killTimer) clearTimeout(killTimer);
+    };
+    child.on("error", (err) => {
+      clearTimers();
+      reject(err);
+    });
+    child.on("close", (code) => {
+      clearTimers();
+      resolve11({ code: code ?? -1, stdout, stderr });
+    });
   });
-});
+}
+var defaultSpawn = makeSpawn();
 
 // src/audits/deps.ts
 import { readFile } from "fs/promises";
-import { join as join2 } from "path";
+import { join as join3 } from "path";
 
 // src/util/site.ts
 function siteLabel(site) {
@@ -1185,6 +1276,47 @@ var baselineVersions = {
   "@zerodevx/svelte-img": "^2.1.2"
 };
 
+// src/audits/deps-outdated.ts
+import { stat } from "fs/promises";
+import { join as join2 } from "path";
+async function exists(path) {
+  try {
+    await stat(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function majorOf(version2) {
+  const head = version2.replace(/^[\^~]/, "").split(".")[0] ?? "0";
+  const n = Number.parseInt(head, 10);
+  return Number.isNaN(n) ? 0 : n;
+}
+async function scanOutdated(sitePath, spawn2) {
+  if (!await exists(join2(sitePath, "pnpm-lock.yaml"))) return null;
+  try {
+    if (!await exists(join2(sitePath, "node_modules"))) {
+      const install = await spawn2("pnpm", ["install", "--frozen-lockfile"], {
+        cwd: sitePath,
+        timeoutMs: 18e4
+      });
+      if (install.code !== 0) return null;
+    }
+    const res = await spawn2("pnpm", ["outdated", "--json"], {
+      cwd: sitePath,
+      timeoutMs: 6e4
+    });
+    const parsed = JSON.parse(res.stdout || "{}");
+    const entries = Object.values(parsed);
+    return {
+      outdated: entries.length,
+      major: entries.filter((e) => e.current && e.latest && majorOf(e.latest) > majorOf(e.current)).length
+    };
+  } catch {
+    return null;
+  }
+}
+
 // src/audits/deps.ts
 function stripCaret(range) {
   return range.replace(/^[\^~]/, "");
@@ -1206,7 +1338,7 @@ function compareSemver(actual, baseline) {
   return "same";
 }
 async function depsAudit(ctx) {
-  const pkgPath = join2(ctx.site.path, "package.json");
+  const pkgPath = join3(ctx.site.path, "package.json");
   let pkgRaw;
   try {
     pkgRaw = await readFile(pkgPath, "utf-8");
@@ -1224,35 +1356,37 @@ async function depsAudit(ctx) {
     ...pkg.dependencies ?? {},
     ...pkg.devDependencies ?? {}
   };
-  const details = [];
+  const entries = [];
   for (const [name, baseline] of Object.entries(baselineVersions)) {
     const actual = installed[name];
     if (!actual) continue;
-    details.push({
+    entries.push({
       pkg: name,
       baseline,
       actual,
       drift: compareSemver(actual, baseline)
     });
   }
-  const anyMajor = details.some((d) => d.drift === "major");
-  const anyMinor = details.some((d) => d.drift === "minor");
-  const anyNewer = details.some((d) => d.drift === "newer");
+  const anyMajor = entries.some((d) => d.drift === "major");
+  const anyMinor = entries.some((d) => d.drift === "minor");
+  const anyNewer = entries.some((d) => d.drift === "newer");
   const status = anyMajor ? "fail" : anyMinor || anyNewer ? "warn" : "pass";
-  const summary = status === "pass" ? `all ${details.length} tracked deps in line with baseline` : status === "warn" ? `${details.filter((d) => d.drift !== "same").length} of ${details.length} tracked deps drifted` : `${details.filter((d) => d.drift === "major").length} deps lagging by a major version`;
+  const driftSummary = status === "pass" ? `all ${entries.length} tracked deps in line with baseline` : status === "warn" ? `${entries.filter((d) => d.drift !== "same").length} of ${entries.length} tracked deps drifted` : `${entries.filter((d) => d.drift === "major").length} deps lagging by a major version`;
+  const outdated = await scanOutdated(ctx.site.path, ctx.spawn ?? defaultSpawn);
+  const summary = outdated ? `${driftSummary}; ${outdated.outdated} outdated install(s) (${outdated.major} major)` : driftSummary;
   return {
     audit: "deps",
     site: siteLabel(ctx.site),
     status,
     summary,
-    details
+    details: { entries, outdated }
   };
 }
 
 // src/audits/lint.ts
 import { existsSync } from "fs";
 import { readFile as readFile2 } from "fs/promises";
-import { join as join3 } from "path";
+import { join as join4 } from "path";
 import { ESLint } from "eslint";
 import { check as prettierCheck, resolveConfig as prettierResolveConfig } from "prettier";
 import { glob } from "tinyglobby";
@@ -1263,7 +1397,7 @@ async function listFiles(cwd) {
 }
 async function lintAudit(ctx) {
   const { site } = ctx;
-  const configPath = join3(site.path, "eslint.config.js");
+  const configPath = join4(site.path, "eslint.config.js");
   if (!existsSync(configPath)) {
     return {
       audit: "lint",
@@ -1283,7 +1417,7 @@ async function lintAudit(ctx) {
   const eslintWarnings = eslintResults.reduce((n, r) => n + r.warningCount, 0);
   const prettierUnformatted = [];
   for (const rel of relFiles) {
-    const absForResolve = join3(site.path, rel);
+    const absForResolve = join4(site.path, rel);
     const source = await readFile2(absForResolve, "utf-8");
     const options = await prettierResolveConfig(absForResolve) ?? {};
     const ok = await prettierCheck(source, { ...options, filepath: absForResolve });
@@ -1447,7 +1581,7 @@ async function securityAudit(ctx) {
 // src/audits/lighthouse.ts
 import { readFile as readFile4, writeFile, mkdtemp, rm, readdir } from "fs/promises";
 import { tmpdir } from "os";
-import { join as join5 } from "path";
+import { join as join6 } from "path";
 
 // src/configs/lighthouse.ts
 var lighthouseConfig = {
@@ -1482,11 +1616,11 @@ var lighthouseConfig = {
 
 // src/audits/util/site-config.ts
 import { readFile as readFile3 } from "fs/promises";
-import { join as join4 } from "path";
+import { join as join5 } from "path";
 async function readSiteConfig(sitePath) {
   let raw;
   try {
-    raw = await readFile3(join4(sitePath, "package.json"), "utf-8");
+    raw = await readFile3(join5(sitePath, "package.json"), "utf-8");
   } catch {
     return {};
   }
@@ -1547,7 +1681,7 @@ async function readLhrEntries(resultsDir) {
   const entries = [];
   for (const f of files) {
     if (!f.startsWith("lhr-") || !f.endsWith(".json")) continue;
-    const lhr = await readJsonMaybe(join5(resultsDir, f));
+    const lhr = await readJsonMaybe(join6(resultsDir, f));
     if (!lhr || !lhr.categories) continue;
     const summary = {};
     for (const [k, v] of Object.entries(lhr.categories)) {
@@ -1583,10 +1717,35 @@ function categoryFromAssertion(a) {
 function messageForAssertion(a) {
   return `${a.name} ${a.operator} ${a.expected} (actual: ${a.actual.toFixed(2)})`;
 }
-async function lighthouseAudit(ctx) {
-  const spawn2 = ctx.spawn ?? defaultSpawn;
-  const site = ctx.site;
-  const label = siteLabel(site);
+async function parseLhciResults(resultsDir, label, raw) {
+  const manifest = await readLhrEntries(resultsDir);
+  if (manifest.length === 0) {
+    return {
+      audit: "lighthouse",
+      site: label,
+      status: "fail",
+      summary: `lighthouse: no lhr-*.json written (exit ${raw.code})${raw.stderr ? ` \u2014 ${raw.stderr.slice(0, 200)}` : ""}`
+    };
+  }
+  const assertionResults = await readJsonMaybe(join6(resultsDir, "assertion-results.json")) ?? [];
+  const failed = assertionResults.filter((a) => !a.passed);
+  const assertions = failed.map((a) => ({
+    category: categoryFromAssertion(a),
+    level: a.level,
+    message: messageForAssertion(a)
+  }));
+  const anyError = assertions.some((a) => a.level === "error");
+  const anyWarn = assertions.some((a) => a.level === "warn");
+  const status = anyError ? "fail" : anyWarn ? "warn" : "pass";
+  const normalized = {
+    summary: averageSummaries(manifest),
+    assertionsFailed: failed.length,
+    assertions
+  };
+  const summary = status === "pass" ? "lighthouse: all categories passing" : `lighthouse: ${failed.length} assertion(s) failed`;
+  return { audit: "lighthouse", site: label, status, summary, details: normalized };
+}
+async function checkoutLighthouse(spawn2, site, label) {
   const siteCfg = await readSiteConfig(site.path);
   const port = await findFreePort();
   const baseUrl = siteCfg.lighthouseUrl ?? lighthouseConfig.ci.collect.url[0];
@@ -1601,19 +1760,15 @@ async function lighthouseAudit(ctx) {
       }
     }
   };
-  const configDir = await mkdtemp(join5(tmpdir(), "reddoor-lhci-"));
-  const configPath = join5(configDir, "lighthouserc.json");
+  const configDir = await mkdtemp(join6(tmpdir(), "reddoor-lhci-"));
+  const configPath = join6(configDir, "lighthouserc.json");
   await writeFile(configPath, JSON.stringify(resolvedConfig), "utf-8");
-  const resultsDir = join5(site.path, ".lighthouseci");
+  const resultsDir = join6(site.path, ".lighthouseci");
   await rm(resultsDir, { recursive: true, force: true });
   let raw;
   try {
     raw = await spawn2("npx", ["--yes", "@lhci/cli", "autorun", `--config=${configPath}`], {
       cwd: site.path,
-      // lhci autorun boots the site's dev server, downloads Chrome on first
-      // use, and runs the audit — easily 2–3 min on a cold tree. The shared
-      // 30 s default in runAudits is fine for deps/lint/security but starves
-      // lhci.
       timeoutMs: 5 * 6e4
     });
   } catch (err) {
@@ -1630,43 +1785,64 @@ async function lighthouseAudit(ctx) {
     throw err;
   }
   await rm(configDir, { recursive: true, force: true });
-  const manifest = await readLhrEntries(resultsDir);
-  if (manifest.length === 0) {
-    return {
-      audit: "lighthouse",
-      site: label,
-      status: "fail",
-      summary: `lighthouse: no lhr-*.json written (exit ${raw.code})${raw.stderr ? ` \u2014 ${raw.stderr.slice(0, 200)}` : ""}`
-    };
-  }
-  const assertionResults = await readJsonMaybe(join5(resultsDir, "assertion-results.json")) ?? [];
-  const failed = assertionResults.filter((a) => !a.passed);
-  const assertions = failed.map((a) => ({
-    category: categoryFromAssertion(a),
-    level: a.level,
-    message: messageForAssertion(a)
-  }));
-  const anyError = assertions.some((a) => a.level === "error");
-  const anyWarn = assertions.some((a) => a.level === "warn");
-  const status = anyError ? "fail" : anyWarn ? "warn" : "pass";
-  const normalized = {
-    summary: averageSummaries(manifest),
-    assertionsFailed: failed.length,
-    assertions
-  };
-  const summary = status === "pass" ? "lighthouse: all categories passing" : `lighthouse: ${failed.length} assertion(s) failed`;
-  return {
-    audit: "lighthouse",
-    site: label,
-    status,
-    summary,
-    details: normalized
+  return parseLhciResults(resultsDir, label, raw);
+}
+async function deployedLighthouse(spawn2, deployedUrl, label) {
+  const workDir = await mkdtemp(join6(tmpdir(), "reddoor-lh-deployed-"));
+  const resolvedConfig = {
+    ci: {
+      // Deliberately NOT spread from lighthouseConfig.ci.collect: deployed mode
+      // must omit startServerCommand and the dev-server settings entirely.
+      collect: {
+        url: [deployedUrl],
+        // 3 runs to damp Lighthouse's run-to-run variance; parseLhciResults
+        // averages the lhr files. (Median is a tracked future refinement.)
+        numberOfRuns: 3,
+        settings: { preset: "desktop", skipAudits: ["uses-http2"] }
+      },
+      assert: lighthouseConfig.ci.assert,
+      upload: { target: "filesystem", outputDir: join6(workDir, "lhci-report") }
+    }
   };
+  const configPath = join6(workDir, "lighthouserc.json");
+  await writeFile(configPath, JSON.stringify(resolvedConfig), "utf-8");
+  const resultsDir = join6(workDir, ".lighthouseci");
+  let raw;
+  try {
+    raw = await spawn2("npx", ["--yes", "@lhci/cli", "autorun", `--config=${configPath}`], {
+      cwd: workDir,
+      // No dev-server boot: ~30s/run × 3 + first-use Chrome download headroom.
+      timeoutMs: 3 * 6e4
+    });
+  } catch (err) {
+    await rm(workDir, { recursive: true, force: true });
+    const e = err;
+    if (e.code === "ENOENT" || /ENOENT/.test(String(err))) {
+      return {
+        audit: "lighthouse",
+        site: label,
+        status: "skip",
+        summary: "npx/@lhci/cli not available"
+      };
+    }
+    throw err;
+  }
+  try {
+    return await parseLhciResults(resultsDir, label, raw);
+  } finally {
+    await rm(workDir, { recursive: true, force: true });
+  }
+}
+async function lighthouseAudit(ctx) {
+  const spawn2 = ctx.spawn ?? defaultSpawn;
+  const site = ctx.site;
+  const label = siteLabel(site);
+  return site.deployedUrl ? deployedLighthouse(spawn2, site.deployedUrl, label) : checkoutLighthouse(spawn2, site, label);
 }
 
 // src/audits/a11y.ts
 import { readFile as readFile5, writeFile as writeFile2, mkdtemp as mkdtemp2, rm as rm2 } from "fs/promises";
-import { join as join6 } from "path";
+import { join as join7 } from "path";
 
 // src/configs/playwright-a11y.ts
 import { defineConfig, devices } from "@playwright/test";
@@ -1832,14 +2008,14 @@ async function a11yAudit(ctx) {
   const spawn2 = ctx.spawn ?? defaultSpawn;
   const site = ctx.site;
   const label = siteLabel(site);
-  const specDir = await mkdtemp2(join6(site.path, ".reddoor-a11y-spec-"));
-  const specPath = join6(specDir, "a11y.spec.ts");
+  const specDir = await mkdtemp2(join7(site.path, ".reddoor-a11y-spec-"));
+  const specPath = join7(specDir, "a11y.spec.ts");
   await writeFile2(specPath, buildSpec(), "utf-8");
   const port = await findFreePort();
-  const configPath = join6(specDir, "playwright.config.ts");
+  const configPath = join7(specDir, "playwright.config.ts");
   await writeFile2(configPath, buildPlaywrightConfig(port, site.path), "utf-8");
-  const resultsPath = join6(site.path, RESULTS_REL);
-  await rm2(join6(site.path, ".reddoor-a11y"), { recursive: true, force: true });
+  const resultsPath = join7(site.path, RESULTS_REL);
+  await rm2(join7(site.path, ".reddoor-a11y"), { recursive: true, force: true });
   let raw;
   try {
     raw = await spawn2(
@@ -1961,6 +2137,8 @@ function validate(raw) {
     const site = { path: e.path };
     if (typeof e.name === "string") site.name = e.name;
     if (typeof e.repoUrl === "string") site.repoUrl = e.repoUrl;
+    if (typeof e.gitRepo === "string") site.gitRepo = e.gitRepo;
+    if (typeof e.deployedUrl === "string") site.deployedUrl = e.deployedUrl;
     if (typeof e.meta === "object" && e.meta !== null) {
       site.meta = e.meta;
     }
@@ -2014,8 +2192,8 @@ async function resolveSites(input) {
 }
 
 // src/cli/fleet/clone-if-needed.ts
-import { stat, readdir as readdir2, mkdir } from "fs/promises";
-import { isAbsolute as isAbsolute2, join as join7 } from "path";
+import { stat as stat2, readdir as readdir2, mkdir } from "fs/promises";
+import { isAbsolute as isAbsolute2, join as join8 } from "path";
 function deriveNameFromRepoUrl(repoUrl) {
   const slash = repoUrl.split("/").pop() ?? repoUrl;
   return slash.replace(/\.git$/, "");
@@ -2040,7 +2218,7 @@ function assertSafeRepoUrl(repoUrl) {
 }
 async function isNonEmptyDir(path) {
   try {
-    const s = await stat(path);
+    const s = await stat2(path);
     if (!s.isDirectory()) return false;
     const entries = await readdir2(path);
     return entries.length > 0;
@@ -2048,21 +2226,33 @@ async function isNonEmptyDir(path) {
     return false;
   }
 }
+var GIT_REPO_RE = /^[\w.-]+\/[\w.-]+$/;
+function resolveCloneUrl(site) {
+  if (site.repoUrl) return site.repoUrl;
+  if (!site.gitRepo) return void 0;
+  if (!GIT_REPO_RE.test(site.gitRepo)) {
+    throw new Error(`unsafe gitRepo: expected "owner/repo" (got: ${JSON.stringify(site.gitRepo)})`);
+  }
+  return `https://github.com/${site.gitRepo}.git`;
+}
 async function cloneIfNeeded(site, opts) {
   if (await isNonEmptyDir(site.path)) return site;
-  if (!site.repoUrl) {
-    throw new Error(`site path does not exist (${site.path}) and no repoUrl is set \u2014 cannot clone`);
+  const repoUrl = resolveCloneUrl(site);
+  if (!repoUrl) {
+    throw new Error(
+      `site path does not exist (${site.path}) and no repoUrl or gitRepo is set \u2014 cannot clone`
+    );
   }
-  const name = site.name ?? deriveNameFromRepoUrl(site.repoUrl);
+  const name = site.name ?? deriveNameFromRepoUrl(repoUrl);
   assertSafeName(name);
-  assertSafeRepoUrl(site.repoUrl);
-  const target = join7(opts.workdir, name);
+  assertSafeRepoUrl(repoUrl);
+  const target = join8(opts.workdir, name);
   await mkdir(opts.workdir, { recursive: true });
   if (await isNonEmptyDir(target)) {
     return { ...site, name, path: target };
   }
   const spawn2 = opts.spawn ?? defaultSpawn;
-  const result = await spawn2("git", ["clone", "--", site.repoUrl, target], {
+  const result = await spawn2("git", ["clone", "--", repoUrl, target], {
     cwd: opts.workdir,
     timeoutMs: 5 * 6e4
   });
@@ -2106,7 +2296,17 @@ function formatDuration(ms) {
   const s = totalSeconds % 60;
   return `${m}m${s.toString().padStart(2, "0")}s`;
 }
-function buildAuditTasks(sites, which, results, renderer) {
+function parseConcurrency(value) {
+  if (value === void 0) return true;
+  const n = Number(value);
+  if (!Number.isInteger(n) || n < 1) {
+    throw Object.assign(new Error(`--concurrency must be a positive integer, got "${value}"`), {
+      exitCode: 2
+    });
+  }
+  return n;
+}
+function buildAuditTasks(sites, which, results, renderer, concurrency) {
   const singleSite = sites.length === 1;
   if (singleSite) {
     const site = sites[0];
@@ -2152,7 +2352,7 @@ function buildAuditTasks(sites, which, results, renderer) {
         }
       };
     }),
-    { concurrent: true, exitOnError: false, renderer }
+    { concurrent: concurrency, exitOnError: false, renderer }
   );
 }
 function formatWriteSummary(summary) {
@@ -2177,13 +2377,46 @@ ${lines.join("\n")}`;
 function rendererFor(json) {
   return json ? "silent" : "default";
 }
+function deployedUrlNotice(which, url, cwd) {
+  if (url === void 0) return null;
+  const others = which.filter((n) => n !== "lighthouse");
+  if (others.length === 0) return null;
+  return `note: --url only affects lighthouse; ${others.join(", ")} ran against the local checkout at ${cwd}`;
+}
+function auditNeedsCheckout(site, which) {
+  const deployedCapable = site.deployedUrl !== void 0 && which.every((n) => n === "lighthouse");
+  return !deployedCapable;
+}
+function applyDeployedUrl(sites, url) {
+  if (url === void 0) return sites;
+  if (sites.length !== 1) {
+    throw Object.assign(
+      new Error(`--url expects exactly one site, but ${sites.length} resolved.`),
+      { exitCode: 2 }
+    );
+  }
+  try {
+    new URL(url);
+  } catch {
+    throw Object.assign(new Error(`--url is not a valid URL: ${url}`), { exitCode: 2 });
+  }
+  return [{ ...sites[0], deployedUrl: url }];
+}
 async function runAuditCommand(site, opts) {
   const which = parseOnly(opts.only) ?? ALL_AUDIT_NAMES;
   const cwd = opts.cwd ? resolve2(opts.cwd) : process.cwd();
-  if (opts.writeAirtable !== void 0 && opts.fleet !== void 0) {
+  if (typeof opts.writeAirtable === "string" && opts.fleet !== void 0) {
+    throw Object.assign(
+      new Error(
+        "--write-airtable=<slug> is single-site; with --fleet each site's slug comes from the inventory. Use --write-airtable (no slug) + --fleet."
+      ),
+      { exitCode: 2 }
+    );
+  }
+  if (opts.url !== void 0 && opts.fleet !== void 0) {
     throw Object.assign(
       new Error(
-        "--write-airtable is not supported with --fleet. Each site has its own Airtable row; run per-site instead: `cd <site>/ && reddoor-maint audit --write-airtable`."
+        "--url is single-site only and cannot be combined with --fleet. Audit a single site instead."
       ),
       { exitCode: 2 }
     );
@@ -2194,51 +2427,70 @@ async function runAuditCommand(site, opts) {
     ...opts.workdir !== void 0 ? { workdir: opts.workdir } : {},
     cwd
   });
+  sites = applyDeployedUrl(sites, opts.url);
   if (opts.fleet) {
     const workdir = opts.workdir ?? `${process.env.HOME ?? ""}/.reddoor-maint/sites`;
-    sites = await Promise.all(sites.map((s) => cloneIfNeeded(s, { workdir })));
+    sites = await Promise.all(
+      sites.map(
+        (s) => auditNeedsCheckout(s, which) ? cloneIfNeeded(s, { workdir }) : Promise.resolve(s)
+      )
+    );
   }
   const results = [];
   const renderer = rendererFor(opts.json);
-  await buildAuditTasks(sites, which, results, renderer).run();
+  await buildAuditTasks(sites, which, results, renderer, parseConcurrency(opts.concurrency)).run();
   let output = opts.json ? JSON.stringify(results, null, 2) : formatTable(results);
   if (opts.writeAirtable !== void 0) {
     const { openBase: openBase2, readAirtableConfig: readAirtableConfig2 } = await Promise.resolve().then(() => (init_client(), client_exports));
     const { listWebsites: listWebsites2 } = await Promise.resolve().then(() => (init_websites(), websites_exports));
-    const { resolveSlugFromCwd: resolveSlugFromCwd2 } = await Promise.resolve().then(() => (init_lighthouse_airtable(), lighthouse_airtable_exports));
-    const { writeAuditsToAirtable: writeAuditsToAirtable2 } = await Promise.resolve().then(() => (init_write_audits_to_airtable(), write_audits_to_airtable_exports));
-    const slug = typeof opts.writeAirtable === "string" && opts.writeAirtable.length > 0 ? opts.writeAirtable : await resolveSlugFromCwd2(cwd);
-    let writeSummary = null;
-    await new Listr(
-      [
-        {
-          title: `Write to Airtable[${slug}]`,
-          task: async (_ctx, task) => {
-            const base = openBase2(readAirtableConfig2());
-            task.output = "loading Websites\u2026";
-            const websites = await listWebsites2(base);
-            task.output = "writing scores\u2026";
-            writeSummary = await writeAuditsToAirtable2({ base, websites, slug, results });
-            task.title = `Wrote to Websites[${writeSummary.siteName}] (${writeSummary.writes.length} audit type${writeSummary.writes.length === 1 ? "" : "s"})`;
+    if (opts.fleet !== void 0) {
+      const { writeFleetAuditsToAirtable: writeFleetAuditsToAirtable2, formatFleetWriteSummary: formatFleetWriteSummary2 } = await Promise.resolve().then(() => (init_write_audits_to_airtable(), write_audits_to_airtable_exports));
+      const base = openBase2(readAirtableConfig2());
+      const websites = await listWebsites2(base);
+      const fleetWrite = await writeFleetAuditsToAirtable2({ base, websites, results });
+      output += `
+
+${formatFleetWriteSummary2(fleetWrite)}`;
+    } else {
+      const { resolveSlugFromCwd: resolveSlugFromCwd2 } = await Promise.resolve().then(() => (init_lighthouse_airtable(), lighthouse_airtable_exports));
+      const { writeAuditsToAirtable: writeAuditsToAirtable2 } = await Promise.resolve().then(() => (init_write_audits_to_airtable(), write_audits_to_airtable_exports));
+      const slug = typeof opts.writeAirtable === "string" && opts.writeAirtable.length > 0 ? opts.writeAirtable : await resolveSlugFromCwd2(cwd);
+      let writeSummary = null;
+      await new Listr(
+        [
+          {
+            title: `Write to Airtable[${slug}]`,
+            task: async (_ctx, task) => {
+              const base = openBase2(readAirtableConfig2());
+              task.output = "loading Websites\u2026";
+              const websites = await listWebsites2(base);
+              task.output = "writing scores\u2026";
+              writeSummary = await writeAuditsToAirtable2({ base, websites, slug, results });
+              task.title = `Wrote to Websites[${writeSummary.siteName}] (${writeSummary.writes.length} audit type${writeSummary.writes.length === 1 ? "" : "s"})`;
+            }
           }
-        }
-      ],
-      { renderer }
-    ).run();
-    if (writeSummary) output += `
+        ],
+        { renderer }
+      ).run();
+      if (writeSummary) output += `
 
 ${formatWriteSummary(writeSummary)}`;
+    }
   }
+  const notice = deployedUrlNotice(which, opts.url, cwd);
+  if (notice && !opts.json) output += `
+
+${notice}`;
   return { output, code: auditExitCode(results, opts.failOnViolations === true) };
 }
 
 // src/cli/commands/sync-configs.ts
 import { readFile as readFile9 } from "fs/promises";
-import { join as join10, resolve as resolve3 } from "path";
+import { join as join11, resolve as resolve3 } from "path";
 
 // src/recipes/sync-configs.ts
 import { readFile as readFile8, writeFile as writeFile3, mkdir as mkdir2 } from "fs/promises";
-import { join as join9, dirname } from "path";
+import { join as join10, dirname } from "path";
 
 // src/recipes/sync-configs/templates.ts
 var eslint = {
@@ -2355,6 +2607,29 @@ var netlify = {
 [build.environment]
     NODE_VERSION = "22"
     COREPACK_INTEGRITY_KEYS = "0"
+
+# Baseline security headers for all responses. CSP is emitted per-response by
+# SvelteKit (see \`kit.csp\` in svelte.config.js) so it is intentionally omitted
+# here to avoid conflicting duplicates.
+[[headers]]
+    for = "/*"
+    [headers.values]
+        Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
+        X-Content-Type-Options = "nosniff"
+        X-Frame-Options = "SAMEORIGIN"
+        Referrer-Policy = "strict-origin-when-cross-origin"
+        Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=()"
+        Cross-Origin-Opener-Policy = "same-origin"
+
+[[headers]]
+    for = "/favicon.png"
+    [headers.values]
+        Cache-Control = "public, max-age=31536000, immutable"
+
+[[headers]]
+    for = "/_app/immutable/*"
+    [headers.values]
+        Cache-Control = "public, max-age=31536000, immutable"
 `
 };
 var ALL_TEMPLATES = [
@@ -2576,9 +2851,14 @@ async function withRecipe(body) {
 // src/recipes/sync-configs.ts
 var GITIGNORE_CONFIG = "gitignore";
 var SVELTE_CONFIG = "svelte";
+var NETLIFY_CONFIG = "netlify";
 function isSvelteConfigCompliant(contents) {
   return contents.includes("createSvelteConfig") && contents.includes("@sveltejs/adapter-netlify");
 }
+var SECURITY_HEADER_RE = /Strict-Transport-Security|Content-Security-Policy|X-Frame-Options|X-Content-Type-Options|Referrer-Policy|Permissions-Policy|Cross-Origin-Opener-Policy/i;
+function isNetlifyConfigCompliant(contents) {
+  return contents.includes("[[headers]]") && SECURITY_HEADER_RE.test(contents);
+}
 var ALL_CONFIG_NAMES = [
   "lighthouse",
   "eslint",
@@ -2605,17 +2885,20 @@ async function readMaybe(path) {
 async function planTemplateDiffs(cwd, templates) {
   const diffs = [];
   for (const t of templates) {
-    const existing = await readMaybe(join9(cwd, t.path));
+    const existing = await readMaybe(join10(cwd, t.path));
     if (existing === t.contents) continue;
     if (t.config === SVELTE_CONFIG && existing !== null && isSvelteConfigCompliant(existing)) {
       continue;
     }
+    if (t.config === NETLIFY_CONFIG && existing !== null && isNetlifyConfigCompliant(existing)) {
+      continue;
+    }
     diffs.push(t);
   }
   return diffs;
 }
 async function planGitignore(cwd) {
-  const existing = await readMaybe(join9(cwd, ".gitignore"));
+  const existing = await readMaybe(join10(cwd, ".gitignore"));
   const merge = mergeGitignore(existing, CANONICAL_GITIGNORE_ENTRIES);
   const tracked = await listTrackedFiles(cwd);
   const toUntrack = findTrackedArtifacts(tracked, CANONICAL_GITIGNORE_ENTRIES);
@@ -2623,7 +2906,7 @@ async function planGitignore(cwd) {
   return { kind: "apply", content: merge.content, toUntrack, added: merge.added };
 }
 async function applyGitignore(cwd, plan) {
-  await writeFile3(join9(cwd, ".gitignore"), plan.content, "utf-8");
+  await writeFile3(join10(cwd, ".gitignore"), plan.content, "utf-8");
   if (plan.toUntrack.length > 0) {
     await removeFromIndex(cwd, plan.toUntrack);
   }
@@ -2646,7 +2929,7 @@ async function syncConfigs(site, opts = {}) {
     },
     apply: async ({ templateDiffs, gitignorePlan }, { commit: commit2 }) => {
       for (const t of templateDiffs) {
-        const dest = join9(site.path, t.path);
+        const dest = join10(site.path, t.path);
         await mkdir2(dirname(dest), { recursive: true });
         await writeFile3(dest, t.contents, "utf-8");
         await commit2(`chore: sync ${t.config} config from @reddoorla/maintenance`);
@@ -2677,7 +2960,7 @@ function parseOnly2(value) {
 async function dryPlanGitignore(cwd) {
   let existing;
   try {
-    existing = await readFile9(join10(cwd, ".gitignore"), "utf-8");
+    existing = await readFile9(join11(cwd, ".gitignore"), "utf-8");
   } catch {
     return "would create .gitignore";
   }
@@ -2692,7 +2975,7 @@ async function dryPlan(cwd, which) {
   for (const t of templateTargets) {
     let existing = "";
     try {
-      existing = await readFile9(join10(cwd, t.path), "utf-8");
+      existing = await readFile9(join11(cwd, t.path), "utf-8");
     } catch {
     }
     if (existing !== t.contents) lines.push(`would update ${t.path} (config: ${t.config})`);
@@ -2739,11 +3022,11 @@ async function runSyncConfigsCommand(site, opts) {
 import { resolve as resolve4 } from "path";
 
 // src/recipes/bump-deps.ts
-import { stat as stat2 } from "fs/promises";
-import { join as join11 } from "path";
-async function exists(path) {
+import { stat as stat3 } from "fs/promises";
+import { join as join12 } from "path";
+async function exists2(path) {
   try {
-    await stat2(path);
+    await stat3(path);
     return true;
   } catch {
     return false;
@@ -2769,10 +3052,10 @@ async function bumpDeps(site, opts = {}) {
     // land on top of whatever else was in the tree.
     checkTreeFirst: true,
     plan: async () => {
-      const hasPnpmLock = await exists(join11(site.path, "pnpm-lock.yaml"));
+      const hasPnpmLock = await exists2(join12(site.path, "pnpm-lock.yaml"));
       if (!hasPnpmLock) {
-        const hasNpmLock = await exists(join11(site.path, "package-lock.json"));
-        const hasYarnLock = await exists(join11(site.path, "yarn.lock"));
+        const hasNpmLock = await exists2(join12(site.path, "package-lock.json"));
+        const hasYarnLock = await exists2(join12(site.path, "yarn.lock"));
         if (hasNpmLock || hasYarnLock) {
           const competing = hasNpmLock ? "package-lock.json" : "yarn.lock";
           return {
@@ -2843,7 +3126,7 @@ import { resolve as resolve5 } from "path";
 
 // src/recipes/self-updating/index.ts
 import { mkdir as mkdir3, writeFile as writeFile4 } from "fs/promises";
-import { dirname as dirname2, join as join12 } from "path";
+import { dirname as dirname2, join as join13 } from "path";
 
 // src/github/config.ts
 function readGitHubConfig() {
@@ -3010,7 +3293,7 @@ async function selfUpdating(site, deps = {}) {
         const branch = branchName("self-updating");
         await createBranch(site.path, branch);
         for (const t of templates) {
-          const dest = join12(site.path, t.path);
+          const dest = join13(site.path, t.path);
           await mkdir3(dirname2(dest), { recursive: true });
           await writeFile4(dest, t.contents, "utf-8");
         }
@@ -3085,7 +3368,7 @@ async function runSelfUpdatingCommand(site, opts) {
 import { resolve as resolve6 } from "path";
 
 // src/recipes/svelte-5/index.ts
-import { join as join18 } from "path";
+import { join as join19 } from "path";
 
 // src/util/pkg.ts
 import { readFile as readFile10, writeFile as writeFile5 } from "fs/promises";
@@ -3134,7 +3417,7 @@ function bumpDep(pkg, name, version2, opts = {}) {
 }
 
 // src/recipes/svelte-5/step-bump-versions.ts
-import { join as join13 } from "path";
+import { join as join14 } from "path";
 var SVELTE_5_VERSIONS = {
   svelte: "^5.55.5",
   "@sveltejs/kit": "^2.59.0",
@@ -3147,7 +3430,7 @@ var SVELTE_5_VERSIONS = {
   "typescript-svelte-plugin": "^0.3.52"
 };
 async function bumpToSvelte5Versions(cwd) {
-  const pkgPath = join13(cwd, "package.json");
+  const pkgPath = join14(cwd, "package.json");
   const pkg = await readPackageJson(pkgPath);
   let next = pkg;
   for (const [name, version2] of Object.entries(SVELTE_5_VERSIONS)) {
@@ -3160,7 +3443,7 @@ async function bumpToSvelte5Versions(cwd) {
 
 // src/recipes/svelte-5/step-svelte-config.ts
 import { readFile as readFile11, writeFile as writeFile6 } from "fs/promises";
-import { join as join14 } from "path";
+import { join as join15 } from "path";
 var VITE_PLUGIN_PKG = "@sveltejs/vite-plugin-svelte";
 var IMPORT_FROM_VITE_PLUGIN = new RegExp(
   String.raw`^import\s+\{\s*([^}]+?)\s*\}\s+from\s+["']` + VITE_PLUGIN_PKG.replace(/[/]/g, "\\/") + String.raw`["'];?[ \t]*\n`,
@@ -3201,7 +3484,7 @@ function dropPreprocessKey(source) {
   return source.slice(0, m.index) + source.slice(tailIdx).replace(new RegExp(`^${indent}\\n`), "");
 }
 async function migrateSvelteConfig(cwd) {
-  const path = join14(cwd, "svelte.config.js");
+  const path = join15(cwd, "svelte.config.js");
   let src;
   try {
     src = await readFile11(path, "utf-8");
@@ -3238,9 +3521,9 @@ async function runSvelteMigrate(cwd, spawn2 = defaultSpawn) {
 }
 
 // src/recipes/svelte-5/step-tailwind-upgrade.ts
-import { join as join15 } from "path";
+import { join as join16 } from "path";
 async function upgradeTailwind(cwd, spawn2 = defaultSpawn) {
-  const pkg = await readPackageJson(join15(cwd, "package.json"));
+  const pkg = await readPackageJson(join16(cwd, "package.json"));
   const tailwindVersion = pkg.devDependencies?.tailwindcss ?? pkg.dependencies?.tailwindcss;
   if (!tailwindVersion) return { ran: false, reason: "tailwindcss not installed" };
   if (/^\^?4\./.test(tailwindVersion)) return { ran: false, reason: "already on tailwind 4.x" };
@@ -3262,7 +3545,7 @@ async function upgradeTailwind(cwd, spawn2 = defaultSpawn) {
 
 // src/recipes/svelte-5/step-gotchas.ts
 import { readFile as readFile12, writeFile as writeFile7 } from "fs/promises";
-import { join as join16 } from "path";
+import { join as join17 } from "path";
 import { glob as glob2 } from "tinyglobby";
 
 // src/recipes/svelte-5/codemods/on-event-to-handler.ts
@@ -3608,7 +3891,7 @@ async function planGotchaCodemods(cwd) {
   const changes = [];
   const relPaths = await glob2(SVELTE_GLOBS, { cwd, ignore: IGNORE2, absolute: false });
   for (const rel of relPaths) {
-    const path = join16(cwd, rel);
+    const path = join17(cwd, rel);
     const before = await readFile12(path, "utf-8");
     const after = CODEMODS.reduce((s, fn) => fn(s), before);
     if (after !== before) changes.push({ rel, after });
@@ -3618,7 +3901,7 @@ async function planGotchaCodemods(cwd) {
 async function applyGotchaCodemods(cwd) {
   const changes = await planGotchaCodemods(cwd);
   for (const c of changes) {
-    await writeFile7(join16(cwd, c.rel), c.after, "utf-8");
+    await writeFile7(join17(cwd, c.rel), c.after, "utf-8");
   }
   return { filesChanged: changes.length };
 }
@@ -3642,7 +3925,7 @@ async function verifyMigration(cwd, spawn2 = defaultSpawn) {
 
 // src/recipes/svelte-5/step-summary.ts
 import { writeFile as writeFile8 } from "fs/promises";
-import { join as join17 } from "path";
+import { join as join18 } from "path";
 async function writeMigrationSummary(input) {
   const lines = [
     `# Svelte 4 \u2192 5 migration summary`,
@@ -3659,7 +3942,7 @@ async function writeMigrationSummary(input) {
     `- Verify Playwright a11y tests still pass.`
   ];
   const content = lines.join("\n") + "\n";
-  const path = join17(input.cwd, "MIGRATION_SVELTE_5.md");
+  const path = join18(input.cwd, "MIGRATION_SVELTE_5.md");
   await writeFile8(path, content, "utf-8");
   return path;
 }
@@ -3667,7 +3950,7 @@ async function writeMigrationSummary(input) {
 // src/recipes/svelte-5/index.ts
 async function alreadyOnSvelte5(cwd) {
   try {
-    const pkg = await readPackageJson(join18(cwd, "package.json"));
+    const pkg = await readPackageJson(join19(cwd, "package.json"));
     const v = pkg.devDependencies?.svelte ?? pkg.dependencies?.svelte;
     return !!v && /^\^?5\./.test(v);
   } catch {
@@ -3761,8 +4044,8 @@ async function runUpgradeCommand(upgradeName, site, opts = {}) {
 import { resolve as resolve7 } from "path";
 
 // src/recipes/convert-to-pnpm.ts
-import { rm as rm3, stat as stat3 } from "fs/promises";
-import { join as join19 } from "path";
+import { rm as rm3, stat as stat4 } from "fs/promises";
+import { join as join20 } from "path";
 
 // src/recipes/convert-to-pnpm/script-rewrites.ts
 function rewriteScriptForPnpm(script) {
@@ -3784,9 +4067,9 @@ function rewriteScriptsForPnpm(scripts) {
 
 // src/recipes/convert-to-pnpm.ts
 var DEFAULT_PNPM_VERSION = "10.33.1";
-async function exists2(path) {
+async function exists3(path) {
   try {
-    await stat3(path);
+    await stat4(path);
     return true;
   } catch {
     return false;
@@ -3795,18 +4078,18 @@ async function exists2(path) {
 async function convertToPnpm(site, opts = {}) {
   const spawn2 = opts.spawn ?? defaultSpawn;
   const pnpmVersion = opts.pnpmVersion ?? DEFAULT_PNPM_VERSION;
-  const pnpmLockPath = join19(site.path, "pnpm-lock.yaml");
-  const npmLockPath = join19(site.path, "package-lock.json");
-  const yarnLockPath = join19(site.path, "yarn.lock");
+  const pnpmLockPath = join20(site.path, "pnpm-lock.yaml");
+  const npmLockPath = join20(site.path, "package-lock.json");
+  const yarnLockPath = join20(site.path, "yarn.lock");
   return withRecipe({
     name: "convert-to-pnpm",
     site,
     plan: async () => {
-      if (await exists2(pnpmLockPath)) {
+      if (await exists3(pnpmLockPath)) {
         return { kind: "noop", notes: "site already has pnpm-lock.yaml" };
       }
-      const hasNpmLock = await exists2(npmLockPath);
-      const hasYarnLock = await exists2(yarnLockPath);
+      const hasNpmLock = await exists3(npmLockPath);
+      const hasYarnLock = await exists3(yarnLockPath);
       if (!hasNpmLock && !hasYarnLock) {
         return {
           kind: "noop",
@@ -3820,7 +4103,7 @@ async function convertToPnpm(site, opts = {}) {
       if (hasYarnLock) await rm3(yarnLockPath, { force: true });
       const sourceLock = hasNpmLock ? "package-lock.json" : "yarn.lock";
       await commit2(`chore(pnpm): remove ${sourceLock}`);
-      const pkgPath = join19(cwd, "package.json");
+      const pkgPath = join20(cwd, "package.json");
       const pkg = await readPackageJson(pkgPath);
       const next = { ...pkg, packageManager: `pnpm@${pnpmVersion}` };
       if (pkg.scripts && typeof pkg.scripts === "object") {
@@ -3833,7 +4116,7 @@ async function convertToPnpm(site, opts = {}) {
       }
       await writePackageJson(pkgPath, next);
       await commit2("chore(pnpm): pin packageManager + rewrite npm scripts");
-      await rm3(join19(cwd, "node_modules"), { recursive: true, force: true });
+      await rm3(join20(cwd, "node_modules"), { recursive: true, force: true });
       const installResult = await spawn2("pnpm", ["install"], { cwd, streaming: true });
       if (installResult.code !== 0) {
         return { kind: "failed", notes: `pnpm install failed (exit ${installResult.code})` };
@@ -3873,18 +4156,18 @@ async function runConvertToPnpmCommand(site, opts) {
 import { resolve as resolve8 } from "path";
 
 // src/recipes/onboard.ts
-import { stat as stat4 } from "fs/promises";
-import { join as join21 } from "path";
+import { stat as stat5 } from "fs/promises";
+import { join as join22 } from "path";
 
 // src/util/self-version.ts
 import { readFileSync as readFileSync2, existsSync as existsSync2 } from "fs";
 import { fileURLToPath } from "url";
-import { dirname as dirname3, join as join20 } from "path";
+import { dirname as dirname3, join as join21 } from "path";
 function selfPackageVersion(callerImportMetaUrl) {
   try {
     let dir = dirname3(fileURLToPath(callerImportMetaUrl));
     while (true) {
-      const candidate = join20(dir, "package.json");
+      const candidate = join21(dir, "package.json");
       if (existsSync2(candidate)) {
         const raw = readFileSync2(candidate, "utf-8");
         const pkg = JSON.parse(raw);
@@ -3936,9 +4219,9 @@ var AUDIT_DEPS = Object.fromEntries(
     })
   ])
 );
-async function exists3(path) {
+async function exists4(path) {
   try {
-    await stat4(path);
+    await stat5(path);
     return true;
   } catch {
     return false;
@@ -3955,13 +4238,13 @@ async function onboard(site, opts = {}) {
     name: "onboard",
     site,
     plan: async () => {
-      if (!await exists3(join21(site.path, "pnpm-lock.yaml"))) {
+      if (!await exists4(join22(site.path, "pnpm-lock.yaml"))) {
         return {
           kind: "failed",
           notes: "no pnpm-lock.yaml at site root \u2014 run convert-to-pnpm first"
         };
       }
-      const pkgPath = join21(site.path, "package.json");
+      const pkgPath = join22(site.path, "package.json");
       const pkg = await readPackageJson(pkgPath);
       const toAdd = [];
       if (!isDeclared(pkg, PACKAGE_NAME)) {
@@ -3984,7 +4267,7 @@ async function onboard(site, opts = {}) {
       return { kind: "apply", plan: { pkg, toAdd } };
     },
     apply: async ({ pkg, toAdd }, { commit: commit2, cwd }) => {
-      const pkgPath = join21(cwd, "package.json");
+      const pkgPath = join22(cwd, "package.json");
       let next = pkg;
       for (const dep of toAdd) {
         next = bumpDep(next, dep.name, dep.version);
@@ -4053,7 +4336,7 @@ import { resolve as resolve9 } from "path";
 
 // src/recipes/svelte-codemods.ts
 import { writeFile as writeFile9 } from "fs/promises";
-import { join as join22 } from "path";
+import { join as join23 } from "path";
 async function svelteCodemods(site) {
   return withRecipe({
     name: "svelte-codemods",
@@ -4067,7 +4350,7 @@ async function svelteCodemods(site) {
     },
     apply: async (changes, { commit: commit2, cwd }) => {
       for (const c of changes) {
-        await writeFile9(join22(cwd, c.rel), c.after, "utf-8");
+        await writeFile9(join23(cwd, c.rel), c.after, "utf-8");
       }
       await commit2(`refactor(svelte5): apply codemods (${changes.length} files)`);
       return { kind: "ok" };
@@ -4171,11 +4454,11 @@ import { dirname as dirname6 } from "path";
 
 // src/reports/ga/config.ts
 init_credentials();
-import { dirname as dirname5, join as join24 } from "path";
+import { dirname as dirname5, join as join25 } from "path";
 function readGaConfig() {
   const subject = process.env.GA_SUBJECT?.trim();
   if (!subject) return null;
-  const keyPath = process.env.GA_SA_KEY_PATH?.trim() || join24(dirname5(defaultCredentialsPath()), "ga-service-account.json");
+  const keyPath = process.env.GA_SA_KEY_PATH?.trim() || join25(dirname5(defaultCredentialsPath()), "ga-service-account.json");
   return { subject, keyPath };
 }
 
@@ -4275,7 +4558,7 @@ async function fetchSearchPresence(q, periodStart, periodEnd) {
     });
     const pos = res.data.rows?.[0]?.position;
     if (typeof pos === "number") {
-      return { foundOnPage1: pos <= PAGE_1_MAX_POSITION, position: Math.round(pos) };
+      return { foundOnPage1: pos <= PAGE_1_MAX_POSITION, position: Math.max(1, Math.round(pos)) };
     }
   }
   return { foundOnPage1: false, position: null };
@@ -4304,8 +4587,14 @@ async function draftReportForSite(base, siteRow, reportType, options = {}) {
   const periodEnd = today;
   const completedOn = today;
   const lastTestedDate = reportType === "Maintenance" && siteRow.testingDay ? new Date(siteRow.testingDay) : null;
-  const gaUsers = base !== null ? await fetchGaUsers(siteRow, periodStart, periodEnd) : null;
-  const search = base !== null ? await fetchSearch(siteRow, periodStart, periodEnd) : null;
+  const gaResult = base !== null ? await fetchGaUsers(siteRow, periodStart, periodEnd) : NO_ENRICHMENT;
+  const searchResult = base !== null ? await fetchSearch(siteRow, periodStart, periodEnd) : NO_ENRICHMENT;
+  const gaUsers = gaResult.value;
+  const search = searchResult.value;
+  const softFailures = [
+    ...gaResult.softFailed ? ["ga"] : [],
+    ...searchResult.softFailed ? ["search"] : []
+  ];
   const cidName = `${slug}-header`;
   const { html } = await renderReportHtml({
     siteName: siteRow.name,
@@ -4324,7 +4613,7 @@ async function draftReportForSite(base, siteRow, reportType, options = {}) {
     const path = options.previewPath ?? `reports/${slug}/draft.html`;
     await mkdir4(dirname6(path), { recursive: true });
     await writeFile10(path, html, "utf-8");
-    return { reportRow: null, htmlPath: path, html };
+    return { reportRow: null, htmlPath: path, html, softFailures };
   }
   if (base === null) throw new Error("base required when previewOnly=false");
   const reportId = `${siteRow.name} \u2014 ${reportType} \u2014 ${periodEnd.toISOString().slice(0, 10)}`;
@@ -4344,27 +4633,29 @@ async function draftReportForSite(base, siteRow, reportType, options = {}) {
   const htmlFilename = `${slug}-${periodEnd.toISOString().slice(0, 10)}.html`;
   await uploadAttachment(created.id, "Rendered HTML", html, htmlFilename, "text/html");
   await setDraftReady(base, created.id, true);
-  return { reportRow: created, htmlPath: null, html };
+  return { reportRow: created, htmlPath: null, html, softFailures };
 }
+var NO_ENRICHMENT = { value: null, softFailed: false };
 async function fetchGaUsers(siteRow, periodStart, periodEnd) {
   const cfg = readGaConfig();
-  if (!cfg || !siteRow.ga4PropertyId) return null;
+  if (!cfg || !siteRow.ga4PropertyId) return NO_ENRICHMENT;
   try {
-    return await fetchPeriodUsers(
+    const value = await fetchPeriodUsers(
       { propertyId: siteRow.ga4PropertyId, subject: cfg.subject, keyPath: cfg.keyPath },
       periodStart,
       periodEnd
     );
+    return { value, softFailed: false };
   } catch (e) {
     console.warn(`\u26A0 GA skipped for ${siteRow.name}: ${e.message}`);
-    return null;
+    return { value: null, softFailed: true };
   }
 }
 async function fetchSearch(siteRow, periodStart, periodEnd) {
   const cfg = readGaConfig();
-  if (!cfg || !siteRow.searchQuery) return null;
+  if (!cfg || !siteRow.searchQuery) return NO_ENRICHMENT;
   try {
-    return await fetchSearchPresence(
+    const value = await fetchSearchPresence(
       {
         keyPath: cfg.keyPath,
         subject: cfg.subject,
@@ -4375,16 +4666,20 @@ async function fetchSearch(siteRow, periodStart, periodEnd) {
       periodStart,
       periodEnd
     );
+    return { value, softFailed: false };
   } catch (e) {
     console.warn(`\u26A0 Search presence skipped for ${siteRow.name}: ${e.message}`);
-    return null;
+    return { value: null, softFailed: true };
   }
 }
 async function derivePeriodStart(base, siteRow, reportType, today) {
   const prior = await listReportsForSite(base, siteRow.id);
   const sameType = prior.filter((r) => r.reportType === reportType && r.periodEnd).map((r) => r.periodEnd).sort();
   const latest = sameType[sameType.length - 1];
-  return latest ? new Date(latest) : daysAgo(today, 30);
+  if (!latest) return daysAgo(today, 30);
+  const start = new Date(latest);
+  start.setUTCDate(start.getUTCDate() + 1);
+  return start;
 }
 
 // src/cli/commands/report.ts
@@ -4417,14 +4712,21 @@ async function runDueDraft() {
   const due = findDueReports(websites, reports, /* @__PURE__ */ new Date());
   if (due.length === 0) return { output: "No reports due.", code: 0 };
   const lines = [];
+  let softFailedSites = 0;
   for (const item of due) {
     try {
       const result = await draftReportForSite(base, item.site, item.reportType);
       lines.push(`\u2713 drafted: ${result.reportRow?.reportId}`);
+      if (result.softFailures.length > 0) softFailedSites++;
     } catch (e) {
       lines.push(`\u2717 failed: ${item.site.name} ${item.reportType} \u2014 ${e.message}`);
     }
   }
+  if (softFailedSites > 0) {
+    lines.push(
+      `\u26A0 ${softFailedSites} site${softFailedSites === 1 ? "" : "s"} had GA/Search enrichment fail \u2014 drafted with blank analytics; check the logs above`
+    );
+  }
   return { output: lines.join("\n"), code: lines.some((l) => l.startsWith("\u2717")) ? 1 : 0 };
 }
 async function runSingleSiteDraft(slug, opts) {
@@ -4448,7 +4750,7 @@ import { resolve as resolve10 } from "path";
 
 // src/recipes/a11y-fixtures-page/index.ts
 import { access, mkdir as mkdir5, writeFile as writeFile11 } from "fs/promises";
-import { dirname as dirname7, join as join25 } from "path";
+import { dirname as dirname7, join as join26 } from "path";
 
 // src/recipes/a11y-fixtures-page/template.ts
 var A11Y_FIXTURES_PAGE_RELATIVE = "src/routes/dev/a11y-fixtures/+page.svelte";
@@ -4499,7 +4801,7 @@ async function fileExists(path) {
   }
 }
 async function a11yFixturesPage(site) {
-  const target = join25(site.path, A11Y_FIXTURES_PAGE_RELATIVE);
+  const target = join26(site.path, A11Y_FIXTURES_PAGE_RELATIVE);
   return withRecipe({
     name: "a11y-fixtures-page",
     site,
@@ -4607,12 +4909,12 @@ async function runInitCommand(site, opts) {
 
 // src/cli/version.ts
 import { readFileSync as readFileSync5, existsSync as existsSync4 } from "fs";
-import { dirname as dirname8, join as join26 } from "path";
+import { dirname as dirname8, join as join27 } from "path";
 function resolvePackageVersion(fromDir) {
   try {
     let dir = fromDir;
     while (true) {
-      const candidate = join26(dir, "package.json");
+      const candidate = join27(dir, "package.json");
       if (existsSync4(candidate)) {
         const raw = readFileSync5(candidate, "utf-8");
         const pkg = JSON.parse(raw);
@@ -4681,7 +4983,13 @@ cli.command("audit [site]", "Run audits against a site (default: cwd).").option(
 ).option("--workdir <path>", "Clone target for fleet mode (default ~/.reddoor-maint/sites)").option(
   "--write-airtable [slug]",
   "After lighthouse runs, write pScore/rScore/bpScore/seoScore + timestamp to the matching Websites row. Slug defaults to cwd's package.json#name."
-).option("--fail-on-violations", "Exit non-zero if any a11y violations are found (for CI gates)").action(
+).option("--fail-on-violations", "Exit non-zero if any a11y violations are found (for CI gates)").option(
+  "--url <url>",
+  "Audit this deployed URL with lighthouse (no dev server); single-site. Pair with --only lighthouse \u2014 other audits still use the local checkout."
+).option(
+  "--concurrency <n>",
+  "Max sites to audit in parallel in --fleet mode (default: all at once). Use 1 for sequential (CI)."
+).action(
   async (site, opts) => runOrExit(() => runAuditCommand(site, opts), opts)
 );
 cli.command("sync-configs [site]", "Sync canonical configs into a site.").option("--only <names>", "Comma-separated config names (e.g. eslint,prettier)").option("--dry", "Print diff without writing").option(