euparliamentmonitor 0.8.59 → 0.9.0

package/README.md

@@ -136,7 +136,7 @@ The published site is the audience-facing companion to this npm/TypeScript packa
 
 **MCP Server Integration**: The project uses the
 [European-Parliament-MCP-Server](https://github.com/Hack23/European-Parliament-MCP-Server)
-v1.2.21 for accessing real EU Parliament data via the Model Context Protocol.
+v1.3.0 for accessing real EU Parliament data via the Model Context Protocol.
 
 - **MCP Server Status**: ✅ Fully operational — 60+ EP data tools available
   (feeds, direct lookups, analytical tools, intelligence correlation)
@@ -432,7 +432,7 @@ import type { ArticleCategory, LanguageCode } from 'euparliamentmonitor/types';
 
 ## 🔌 Data Sources
 
-**Primary — European Parliament MCP Server** ([Hack23/European-Parliament-MCP-Server](https://github.com/Hack23/European-Parliament-MCP-Server) v1.2.21+, fully operational):
+**Primary — European Parliament MCP Server** ([Hack23/European-Parliament-MCP-Server](https://github.com/Hack23/European-Parliament-MCP-Server) v1.3.0+, fully operational):
 
 - 🗳️ Plenary sessions, voting records, roll-call votes
 - 📜 Adopted texts, motions, resolutions, urgency files

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "euparliamentmonitor",
-  "version": "0.8.59",
+  "version": "0.9.0",
   "type": "module",
   "description": "European Parliament Intelligence Platform - Monitor political activity with systematic transparency",
   "main": "scripts/index.js",
@@ -33,6 +33,14 @@
     "./generators/*": {
       "import": "./scripts/generators/*.js",
       "types": "./scripts/generators/*.d.ts"
+    },
+    "./workflows": {
+      "import": "./scripts/workflows/index.js",
+      "types": "./scripts/workflows/index.d.ts"
+    },
+    "./workflows/*": {
+      "import": "./scripts/workflows/*.js",
+      "types": "./scripts/workflows/*.d.ts"
     }
   },
   "files": [
@@ -157,7 +165,7 @@
     "husky": "9.1.7",
     "jscpd": "4.0.9",
     "knip": "^6.7.0",
-    "lint-staged": "16.4.0",
+    "lint-staged": "17.0.2",
     "mermaid": "11.14.0",
     "papaparse": "5.5.3",
     "prettier": "3.8.3",
@@ -171,7 +179,7 @@
     "node": ">=26"
   },
   "dependencies": {
-    "european-parliament-mcp-server": "1.2.21",
+    "european-parliament-mcp-server": "1.3.0",
     "markdown-it": "^14.1.1",
     "markdown-it-anchor": "^9.2.0",
     "markdown-it-attrs": "^4.3.1",
@@ -183,6 +191,8 @@
   },
   "overrides": {
     "flatted": ">=3.4.2",
-    "path-to-regexp": ">=8.4.0"
+    "path-to-regexp": ">=8.4.0",
+    "ip-address": ">=10.1.1",
+    "uuid": ">=11.1.1"
   }
 }

package/scripts/aggregator/article-meta.d.ts

@@ -23,7 +23,7 @@ export interface ArticleMeta {
     readonly keyDates: readonly string[];
     /** Key actors / political groups identified by the artifacts. */
     readonly keyActors: readonly string[];
-    /** Optional IMF / WorldBank macro hook surfaced as a sidebar callout. */
+    /** Optional IMF economic-context macro hook surfaced as a sidebar callout. Empty string when absent. */
     readonly macroContext: string;
     /**
      * Run-relative paths of every artifact whose content fed into this meta

package/scripts/aggregator/article-metadata.js

@@ -324,7 +324,6 @@ export function isGenericHeading(heading, articleType, date) {
             return true;
     }
     // The bare `${human} — <anything>` with nothing extra is also generic.
-    // eslint-disable-next-line security/detect-non-literal-regexp -- `human` derives from a sanitised slug via escapeRegex
     const trailingDateOnly = new RegExp(`^${escapeRegex(human)}\\s*[—–-]\\s*[\\d-]+$`, 'u');
     if (trailingDateOnly.test(normalized)) {
         return true;

package/scripts/aggregator/artifacts/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * @module Aggregator/Artifacts
+ * @description Public re-exports for the artifacts bounded context.
+ * Provides artifact ordering, sanitization, and type definitions.
+ */
+export type { ArtifactContent, CleanedArtifactWithPath, ResolvedSection } from './types.js';
+export type { ArtifactSection } from '../artifact-order.js';
+export { ARTIFACT_SECTIONS, MANIFEST_SECTION_ID, MANIFEST_SECTION_TITLE, SUPPLEMENTARY_SECTION_ID, SUPPLEMENTARY_SECTION_TITLE, TRADECRAFT_SECTION_ID, TRADECRAFT_SECTION_TITLE, } from '../artifact-order.js';
+export type { CleanArtifactOptions, CleanArtifactResult } from '../clean-artifact.js';
+export { cleanArtifact, dedupMermaid, demoteHeadings, githubBlobUrl, githubRawUrl, resolveLink, rewriteLinks, stripArtifactMetadataPreamble, stripBanners, stripFrontMatter, stripSpdxTags, } from '../clean-artifact.js';
+//# sourceMappingURL=index.d.ts.map

package/scripts/aggregator/artifacts/index.js

@@ -0,0 +1,5 @@
+// SPDX-FileCopyrightText: 2024-2026 Hack23 AB
+// SPDX-License-Identifier: Apache-2.0
+export { ARTIFACT_SECTIONS, MANIFEST_SECTION_ID, MANIFEST_SECTION_TITLE, SUPPLEMENTARY_SECTION_ID, SUPPLEMENTARY_SECTION_TITLE, TRADECRAFT_SECTION_ID, TRADECRAFT_SECTION_TITLE, } from '../artifact-order.js';
+export { cleanArtifact, dedupMermaid, demoteHeadings, githubBlobUrl, githubRawUrl, resolveLink, rewriteLinks, stripArtifactMetadataPreamble, stripBanners, stripFrontMatter, stripSpdxTags, } from '../clean-artifact.js';
+//# sourceMappingURL=index.js.map

package/scripts/aggregator/artifacts/types.d.ts

@@ -0,0 +1,46 @@
+/**
+ * @module Aggregator/Artifacts/Types
+ * @description Strict type definitions for the artifacts bounded context.
+ * Defines the shape of artifact content, section mappings, and sanitization
+ * options used throughout the aggregator pipeline.
+ */
+import type { CleanArtifactResult } from '../clean-artifact.js';
+/**
+ * Represents raw artifact content read from an analysis run directory.
+ * Carries the original Markdown body along with its provenance metadata.
+ */
+export interface ArtifactContent {
+    /** Run-relative path of the artifact (e.g. `intelligence/synthesis-summary.md`). */
+    readonly path: string;
+    /** Raw Markdown body as read from disk. */
+    readonly body: string;
+    /** Byte length of the raw content (before cleaning). */
+    readonly byteLength: number;
+}
+/**
+ * A {@link CleanArtifactResult} extended with provenance (the run-relative
+ * path of the source artifact). Use this type when you need to track which
+ * artifact produced a given cleaned output — e.g. for telemetry or
+ * source-mapping in `article-meta.json`.
+ *
+ * `CleanArtifactResult` is the raw return of `cleanArtifact()`;
+ * `CleanedArtifactWithPath` adds the origin path for pipeline bookkeeping.
+ */
+export interface CleanedArtifactWithPath extends CleanArtifactResult {
+    /** Run-relative path of the source artifact. */
+    readonly path: string;
+}
+/**
+ * Represents a fully resolved section in the aggregated article, mapping
+ * from the canonical section definition to the actual artifact paths found
+ * in the run directory.
+ */
+export interface ResolvedSection {
+    /** Stable section id used for HTML anchors. */
+    readonly id: string;
+    /** English section title. */
+    readonly title: string;
+    /** Ordered list of resolved artifact paths present in this section. */
+    readonly resolvedArtifacts: readonly string[];
+}
+//# sourceMappingURL=types.d.ts.map

package/scripts/aggregator/artifacts/types.js

@@ -0,0 +1,4 @@
+// SPDX-FileCopyrightText: 2024-2026 Hack23 AB
+// SPDX-License-Identifier: Apache-2.0
+export {};
+//# sourceMappingURL=types.js.map

package/scripts/aggregator/clean-artifact.js

@@ -194,7 +194,7 @@ export function stripSpdxTags(md) {
  */
 function advanceFenceState(line, inFence, fenceMarker) {
     const fenceMatch = /^(\s*)(```+|~~~+)(.*)$/.exec(line);
-    if (!fenceMatch || !fenceMatch[2])
+    if (!fenceMatch?.[2])
         return { inFence, fenceMarker, matched: false };
     const marker = fenceMatch[2];
     if (!inFence) {
@@ -224,7 +224,7 @@ function processHeadingLine(lines, index) {
         return { output: null, consumed: 2, h1Removed: true };
     }
     const atx = /^(\s*)(#{1,6})(\s.*)$/.exec(line);
-    if (!atx || !atx[2]) {
+    if (!atx?.[2]) {
         return { output: line, consumed: 1, h1Removed: false };
     }
     const level = atx[2].length;

package/scripts/aggregator/content/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * @module Aggregator/Content
+ * @description Public re-exports for the content extraction bounded context.
+ * Provides lead extraction, key takeaways synthesis, and intelligence guide
+ * generation.
+ */
+export type { ExtractedLead, SynthesisedTakeaway, KeyTakeawaysResult } from './types.js';
+export { extractExecutiveLead, extractLeadParagraph, trimToLeadSentence, MAX_LEAD_CHARS, } from '../lead-extractor.js';
+export type { Takeaway, BuildKeyTakeawaysOptions } from '../key-takeaways.js';
+export { buildKeyTakeaways, MIN_TAKEAWAYS, MAX_TAKEAWAYS, KEY_TAKEAWAYS_SECTION_ID, KEY_TAKEAWAYS_SECTION_TITLE, } from '../key-takeaways.js';
+export { buildReaderIntelligenceGuideHtml } from '../reader-intelligence-guide.js';
+export { READER_GUIDE_SECTION_ID, READER_GUIDE_SECTION_IDS, READER_GUIDE_SECTION_TITLE, } from '../reader-guide-constants.js';
+export type { TocSection, IncludedArtifact } from '../reader-guide-constants.js';
+//# sourceMappingURL=index.d.ts.map

package/scripts/aggregator/content/index.js

@@ -0,0 +1,7 @@
+// SPDX-FileCopyrightText: 2024-2026 Hack23 AB
+// SPDX-License-Identifier: Apache-2.0
+export { extractExecutiveLead, extractLeadParagraph, trimToLeadSentence, MAX_LEAD_CHARS, } from '../lead-extractor.js';
+export { buildKeyTakeaways, MIN_TAKEAWAYS, MAX_TAKEAWAYS, KEY_TAKEAWAYS_SECTION_ID, KEY_TAKEAWAYS_SECTION_TITLE, } from '../key-takeaways.js';
+export { buildReaderIntelligenceGuideHtml } from '../reader-intelligence-guide.js';
+export { READER_GUIDE_SECTION_ID, READER_GUIDE_SECTION_IDS, READER_GUIDE_SECTION_TITLE, } from '../reader-guide-constants.js';
+//# sourceMappingURL=index.js.map

package/scripts/aggregator/content/types.d.ts

@@ -0,0 +1,42 @@
+/**
+ * @module Aggregator/Content/Types
+ * @description Strict type definitions for the content extraction bounded
+ * context. Covers lead paragraph extraction, key takeaways synthesis,
+ * and section-to-artifact mapping.
+ */
+/**
+ * Extracted lead paragraph — the journalistic "nut graf" from the article.
+ */
+export interface ExtractedLead {
+    /** The extracted lead text (plain, no Markdown). */
+    readonly text: string;
+    /** Run-relative source artifact the lead was extracted from. */
+    readonly source: string;
+    /** Character length of the extracted lead. */
+    readonly length: number;
+}
+/**
+ * One synthesised key takeaway bullet ready for rendering.
+ */
+export interface SynthesisedTakeaway {
+    /** Bullet body in Markdown (trimmed; no leading `- `). */
+    readonly body: string;
+    /** Run-relative path of the source artifact. */
+    readonly source: string;
+}
+/**
+ * Structured representation of key-takeaways synthesis output.
+ *
+ * **Note:** The current `buildKeyTakeaways` function returns a plain `string`
+ * (the rendered Markdown block). This interface is a forward-looking contract
+ * for future structured consumers that need both the raw takeaway items and
+ * the rendered output. Use {@link Takeaway} (from `key-takeaways.ts`) for
+ * per-item typing when processing the raw bullets.
+ */
+export interface KeyTakeawaysResult {
+    /** Ordered list of synthesised takeaways (3–7 items). */
+    readonly takeaways: readonly SynthesisedTakeaway[];
+    /** Rendered Markdown block (empty string when below minimum threshold). */
+    readonly markdown: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/scripts/aggregator/content/types.js

@@ -0,0 +1,4 @@
+// SPDX-FileCopyrightText: 2024-2026 Hack23 AB
+// SPDX-License-Identifier: Apache-2.0
+export {};
+//# sourceMappingURL=types.js.map

package/scripts/aggregator/markdown/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * @module Aggregator/Markdown
+ * @description Public re-exports for the Markdown rendering bounded context.
+ * Provides markdown-it based HTML rendering with plugin support and
+ * TOC generation.
+ */
+export type { RenderOptions, RenderedMarkdown, TocEntry } from '../markdown-renderer.js';
+export { buildMarkdownIt, renderMarkdown } from '../markdown-renderer.js';
+//# sourceMappingURL=index.d.ts.map

package/scripts/aggregator/markdown/index.js

@@ -0,0 +1,4 @@
+// SPDX-FileCopyrightText: 2024-2026 Hack23 AB
+// SPDX-License-Identifier: Apache-2.0
+export { buildMarkdownIt, renderMarkdown } from '../markdown-renderer.js';
+//# sourceMappingURL=index.js.map

package/scripts/aggregator/markdown-renderer.js

@@ -185,14 +185,14 @@ function harvestToc(tokens) {
     const out = [];
     for (let i = 0; i < tokens.length; i++) {
         const token = tokens[i];
-        if (!token || token.type !== 'heading_open')
+        if (token?.type !== 'heading_open')
             continue;
         const level = Number.parseInt(token.tag.slice(1), 10);
         if (!Number.isFinite(level) || level < 2 || level > 6)
             continue;
         const slug = typeof token.attrGet === 'function' ? token.attrGet('id') : null;
         const inline = tokens[i + 1];
-        if (!inline || inline.type !== 'inline')
+        if (inline?.type !== 'inline')
             continue;
         const text = (inline.content ?? '').trim();
         out.push({ level, slug: slug ?? slugify(text), text });

package/scripts/aggregator/metadata/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * @module Aggregator/Metadata
+ * @description Public re-exports for the metadata bounded context.
+ * Provides article metadata building, SEO metadata resolution,
+ * and structured data contracts.
+ */
+export type { PerLanguageMetadata, ArticleMetaSidecar } from './types.js';
+export type { ArticleMeta, BuildArticleMetaOptions } from '../article-meta.js';
+export { buildArticleMeta } from '../article-meta.js';
+export type { ResolvedMetadataEntry, ResolvedMetadata } from '../article-metadata.js';
+export { resolveArticleMetadata, stripInlineMarkdown } from '../article-metadata.js';
+//# sourceMappingURL=index.d.ts.map

package/scripts/aggregator/metadata/index.js

@@ -0,0 +1,5 @@
+// SPDX-FileCopyrightText: 2024-2026 Hack23 AB
+// SPDX-License-Identifier: Apache-2.0
+export { buildArticleMeta } from '../article-meta.js';
+export { resolveArticleMetadata, stripInlineMarkdown } from '../article-metadata.js';
+//# sourceMappingURL=index.js.map

package/scripts/aggregator/metadata/types.d.ts

@@ -0,0 +1,28 @@
+/**
+ * @module Aggregator/Metadata/Types
+ * @description Strict type definitions for the metadata bounded context.
+ * Covers article metadata, SEO metadata, and structured data contracts.
+ */
+import type { LanguageCode } from '../../types/index.js';
+/**
+ * Per-language resolved metadata entry containing the title and
+ * description that will be rendered into HTML meta tags and
+ * structured data (JSON-LD).
+ */
+export interface PerLanguageMetadata {
+    /** Language code this entry is for. */
+    readonly lang: LanguageCode;
+    /** Resolved title for the article in this language. */
+    readonly title: string;
+    /** Resolved description for the article in this language. */
+    readonly description: string;
+}
+/**
+ * Complete article metadata sidecar shape (`article-meta.json`).
+ * This is a type alias for the canonical {@link ArticleMeta} interface
+ * defined in `article-meta.ts`. Use this name when referring to the
+ * sidecar contract in downstream consumers (HTML, RSS, sitemap, news
+ * indexes).
+ */
+export type { ArticleMeta as ArticleMetaSidecar } from '../article-meta.js';
+//# sourceMappingURL=types.d.ts.map

package/scripts/aggregator/metadata/types.js

@@ -0,0 +1,4 @@
+// SPDX-FileCopyrightText: 2024-2026 Hack23 AB
+// SPDX-License-Identifier: Apache-2.0
+export {};
+//# sourceMappingURL=types.js.map

package/scripts/constants/committee-indicator-map.js

@@ -1347,7 +1347,6 @@ export function getCategoryIndicators(category) {
     if (!Object.hasOwn(CATEGORY_INDICATOR_MAP, category)) {
         return getCategoryIndicators(ArticleCategory.BREAKING_NEWS);
     }
-    // eslint-disable-next-line security/detect-object-injection -- key validated via Object.hasOwn
     return CATEGORY_INDICATOR_MAP[category];
 }
 /**

package/scripts/constants/language-core.js

@@ -66,7 +66,6 @@ export const LANGUAGE_NAMES = {
  */
 export function getLocalizedString(map, lang) {
     const code = lang;
-    // eslint-disable-next-line security/detect-object-injection -- key validated via Object.hasOwn
     return Object.hasOwn(map, code) ? (map[code] ?? map.en) : map.en;
 }
 /**

package/scripts/generators/political-intelligence/copy.js

@@ -442,7 +442,6 @@ export const PI_COPY = (() => {
  * @returns Fully-populated {@link PICopy}
  */
 export function getPICopy(lang) {
-    // eslint-disable-next-line security/detect-object-injection
     const overrides = PI_COPY[lang] ?? {};
     return { ...DEFAULT_COPY, ...overrides };
 }

package/scripts/generators/political-intelligence-descriptions.js

@@ -73,6 +73,9 @@ export const CURATED_DESCRIPTIONS = {
             zh: '欧盟范围选举分析方法论 — 预测、欧洲议会 361 席阈值及成员国层面的联盟数学，以及选民分群框架。',
         },
     },
+    'analysis/methodologies/analytical-supplementary-methodology.md': {
+        description: 'Optional deep-dive methodology — PESTLE, Wildcards, SWOT scoring, and Media Framing v2.0.',
+    },
     'analysis/methodologies/imf-indicator-mapping.md': {
         description: 'Canonical mapping of IMF WEO, Fiscal Monitor, IFS, BOP, ER and PCPS indicators to European Parliament Monitor article types — the primary source for economic, monetary, fiscal, trade and FDI context.',
         i18n: {
@@ -313,7 +316,7 @@ export const CURATED_DESCRIPTIONS = {
         description: 'MCP reliability audit — endpoint health and uptime report for every European Parliament MCP tool invocation during a workflow run.',
     },
     'analysis/templates/media-framing-analysis.md': {
-        description: 'Media framing analysis — maps how narratives spread across outlets and languages, comparing national-media framings of EP events.',
+        description: 'Media framing & influence-operations — DISARM TTPs, CIB detection, narrative-laundering, counter-resilience across EU-27.',
     },
     'analysis/templates/methodology-reflection.md': {
         description: 'Methodology reflection template — the final Step 10.5 artifact capturing lessons learned, protocol gaps and continuous-improvement notes for each run.',
@@ -1951,7 +1954,6 @@ function kindWord(relPath, lang) {
  * @returns The resolved string (never empty for well-formed records)
  */
 function getFromRecord(record, lang) {
-    // eslint-disable-next-line security/detect-object-injection
     return record[lang] ?? record.en;
 }
 /**
@@ -1968,7 +1970,6 @@ function getFromRecord(record, lang) {
  * @returns Fully localized description sentence
  */
 function buildGenericFallback(relPath, lang, title) {
-    // eslint-disable-next-line security/detect-object-injection
     const template = GENERIC_FALLBACK_I18N[lang] ?? GENERIC_FALLBACK_I18N.en;
     const kind = kindWord(relPath, lang);
     return template.replace('{title}', title).replace('{kind}', kind);
@@ -1996,10 +1997,14 @@ function buildGenericFallback(relPath, lang, title) {
 export function getCuratedDescription(relPath, lang, fallback = '') {
     // Normalise path separators so Windows callers don't silently miss entries.
     const key = relPath.replace(/\\/g, '/');
-    // eslint-disable-next-line security/detect-object-injection
+    // Guard against prototype-chain lookups for keys like __proto__ or constructor.
+    if (!Object.prototype.hasOwnProperty.call(CURATED_DESCRIPTIONS, key)) {
+        // No curated entry — build a localized fallback from the file's title.
+        const localizedTitle = getCuratedTitle(key, lang, fallback || stripEmojiAndPunct(key));
+        return buildGenericFallback(key, lang, localizedTitle);
+    }
     const entry = CURATED_DESCRIPTIONS[key];
     if (entry) {
-        // eslint-disable-next-line security/detect-object-injection
         const localized = entry.i18n?.[lang];
         if (localized)
             return localized;
@@ -2023,7 +2028,6 @@ export function getCuratedDescription(relPath, lang, fallback = '') {
  * @returns `true` when the curated table contains the file
  */
 export function hasCuratedDescription(relPath) {
-    // eslint-disable-next-line security/detect-object-injection
     return Object.prototype.hasOwnProperty.call(CURATED_DESCRIPTIONS, relPath.replace(/\\/g, '/'));
 }
 /**
@@ -2035,7 +2039,6 @@ export function hasCuratedDescription(relPath) {
  * @returns `true` when {@link CURATED_TITLES} contains the file
  */
 export function hasCuratedTitle(relPath) {
-    // eslint-disable-next-line security/detect-object-injection
     return Object.prototype.hasOwnProperty.call(CURATED_TITLES, relPath.replace(/\\/g, '/'));
 }
 /**
@@ -2062,27 +2065,20 @@ export function hasCuratedTitle(relPath) {
  */
 export function getCuratedTitle(relPath, lang, fallback) {
     const key = relPath.replace(/\\/g, '/');
-    // 1 + 2: curated title overlay
-    // eslint-disable-next-line security/detect-object-injection
-    const titleEntry = CURATED_TITLES[key];
-    if (titleEntry) {
-        // eslint-disable-next-line security/detect-object-injection
-        const localized = titleEntry[lang];
-        if (localized)
-            return localized;
-        if (titleEntry.en)
-            return titleEntry.en;
+    // 1 + 2: curated title overlay — guard against prototype-chain lookups
+    if (Object.prototype.hasOwnProperty.call(CURATED_TITLES, key)) {
+        const titleEntry = CURATED_TITLES[key];
+        if (titleEntry) {
+            // Prefer localized, then English overlay
+            return titleEntry[lang] ?? titleEntry.en ?? fallback;
+        }
     }
     // 3 + 4: historic colocated title on CURATED_DESCRIPTIONS entry
-    // eslint-disable-next-line security/detect-object-injection
-    const descEntry = CURATED_DESCRIPTIONS[key];
-    if (descEntry) {
-        // eslint-disable-next-line security/detect-object-injection
-        const localized = descEntry.titleI18n?.[lang];
-        if (localized)
-            return localized;
-        if (descEntry.title)
-            return descEntry.title;
+    if (Object.prototype.hasOwnProperty.call(CURATED_DESCRIPTIONS, key)) {
+        const descEntry = CURATED_DESCRIPTIONS[key];
+        if (descEntry) {
+            return descEntry.titleI18n?.[lang] ?? descEntry.title ?? fallback;
+        }
     }
     return fallback;
 }
@@ -2673,7 +2669,6 @@ export function parseRunSlug(slug) {
     const sorted = [...RUN_TYPE_SLUGS].sort((a, b) => b.length - a.length);
     for (const prefix of sorted) {
         if (lower === prefix || lower.startsWith(`${prefix}-`) || lower.startsWith(`${prefix}_`)) {
-            // eslint-disable-next-line security/detect-object-injection
             const canonical = RUN_TYPE_ALIASES[prefix];
             const tail = slug.slice(prefix.length).replace(/^[-_]+/, '');
             return { type: canonical, runId: tail };
@@ -2696,9 +2691,7 @@ export function parseRunSlug(slug) {
 export function getRunTypeInfo(slug, lang) {
     const { type, runId } = parseRunSlug(slug);
     if (type) {
-        // eslint-disable-next-line security/detect-object-injection
         const titleRecord = RUN_TYPE_TITLES[type];
-        // eslint-disable-next-line security/detect-object-injection
         const descRecord = RUN_TYPE_DESCRIPTIONS[type];
         const title = titleRecord ? getFromRecord(titleRecord, lang) : stripEmojiAndPunct(slug);
         const description = descRecord ? getFromRecord(descRecord, lang) : '';
@@ -2797,7 +2790,6 @@ function canonicalizeArtifactStem(stem) {
         'ai-voting-patterns': 'voting-patterns',
     };
     if (Object.prototype.hasOwnProperty.call(SYNONYMS, s)) {
-        // eslint-disable-next-line security/detect-object-injection
         const synonym = SYNONYMS[s];
         if (typeof synonym === 'string')
             return synonym;
@@ -3135,7 +3127,6 @@ export function getArtifactInfo(shortPath, lang) {
     //    and we still guard with `hasOwn` to block any prototype-key surprise.
     const feed = parseFeedPrefix(rawStem);
     if (feed && Object.prototype.hasOwnProperty.call(FEED_PREFIX_LABELS, feed.feed)) {
-        // eslint-disable-next-line security/detect-object-injection
         const entry = FEED_PREFIX_LABELS[feed.feed];
         if (entry) {
             return {
@@ -3152,7 +3143,6 @@ export function getArtifactInfo(shortPath, lang) {
     //    (e.g. a hypothetical `__proto__.md` file).
     const stemLower = stem.toLowerCase();
     if (Object.prototype.hasOwnProperty.call(ORPHAN_ARTIFACT_INFO, stemLower)) {
-        // eslint-disable-next-line security/detect-object-injection
         const orphan = ORPHAN_ARTIFACT_INFO[stemLower];
         if (orphan) {
             return {

package/scripts/generators/shared/html-escape.d.ts

@@ -0,0 +1,41 @@
+import type { AbsoluteUrl, RelativeFilePath, SafeHtmlString, SafeXmlString } from './types.js';
+/**
+ * HTML-entity-escape a raw string and brand the result as safe for HTML
+ * interpolation. Escapes `&`, `<`, `>`, `"`, and `'`.
+ *
+ * @param raw - Untrusted string (user input, file content, etc.)
+ * @returns Branded {@link SafeHtmlString} safe for use in HTML templates
+ */
+export declare function toSafeHtml(raw: string): SafeHtmlString;
+/**
+ * XML-entity-escape a raw string and brand the result as safe for XML
+ * interpolation. Escapes `&`, `<`, `>`, `"`, and `'`.
+ *
+ * @param raw - Untrusted string (user input, file content, etc.)
+ * @returns Branded {@link SafeXmlString} safe for use in XML templates
+ */
+export declare function toSafeXml(raw: string): SafeXmlString;
+/**
+ * Validate and brand a string as an absolute HTTPS URL.
+ * Validates using `new URL()` to ensure structural correctness, checks
+ * that the protocol is `https:`, and rejects characters that are unsafe
+ * in HTML attribute contexts (quotes, angle brackets, whitespace, control
+ * characters) to prevent attribute-injection/XSS.
+ *
+ * @param url - Candidate URL string
+ * @returns Branded {@link AbsoluteUrl}
+ * @throws {Error} when `url` is not a valid absolute HTTPS URL or
+ *   contains characters unsafe for HTML attribute interpolation
+ */
+export declare function toAbsoluteUrl(url: string): AbsoluteUrl;
+/**
+ * Normalize and brand a file path as a relative POSIX path.
+ * Strips leading slashes, converts backslashes to forward slashes, and
+ * rejects path-traversal sequences (`..`) to prevent directory escape.
+ *
+ * @param filePath - Raw file path
+ * @returns Branded {@link RelativeFilePath}
+ * @throws {Error} when the path contains `..` traversal segments
+ */
+export declare function toRelativeFilePath(filePath: string): RelativeFilePath;
+//# sourceMappingURL=html-escape.d.ts.map