i18ntk 2.5.0 → 2.6.0

package/CHANGELOG.md

@@ -0,0 +1,366 @@
+# CHANGELOG
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [2.6.0] - 2026-05-03
+
+### Security
+- **CRITICAL**: Fixed 8+ silent-write failures where `safeWriteFileSync` was called without basePath parameter across `utils/config.js`, `utils/config-helper.js`, `utils/secure-errors.js`, and `main/i18ntk-scanner.js`.
+- Replaced all raw `fs` calls (`readdirSync`, `statSync`, `mkdirSync`, `unlinkSync`, `rmSync`) with `SecurityUtils` wrappers in `main/i18ntk-validate.js`, `main/i18ntk-scanner.js`, `main/manage/commands/FixerCommand.js`, and `utils/secure-errors.js`.
+- Fixed path traversal checks in `security.js` and `config-manager.js` — replaced fragile `path.sep`-based comparison with robust `startsWith('..')` prefix check.
+- Hardened `utils/i18n-helper.js` fallback `SecurityUtils` implementation with path containment checks.
+- Fixed `SecurityUtils.safeParseJSON` reference leak — deep-clones objects instead of returning caller's reference.
+
+### Fixed
+- Fixed `main/i18ntk-analyze.js` `this.adminAuth` reference error (local variable was not assigned to instance property).
+- Fixed `main/i18ntk-validate.js` `ExitCodes.CONFIG_ERROR` referenced before declaration.
+- Fixed `main/i18ntk-scanner.js` `fs.readdirSync(projectRoot, { recursive: true })` removed (unsupported in older Node.js).
+- Fixed `main/i18ntk-scanner.js` raw `fs.readdirSync`/`fs.statSync`/`fs.mkdirSync` in `scanDirectory` and `generateReport`.
+- Fixed `main/i18ntk-validate.js` raw `fs.readdirSync`/`fs.mkdirSync`/`fs.unlinkSync` in `getAvailableLanguages`, `getLanguageFiles`, and validation report cleanup.
+- Fixed `utils/secure-errors.js` `safeWriteFileSync` missing basePath and raw `fs.mkdirSync`.
+- Fixed `main/manage/commands/FixerCommand.js` `cleanupOldBackups` using raw `fs.rmSync` without path validation.
+- Fixed `runtime/enhanced.js` process event handler leak (multiple instances) and missing `setInterval.unref()`.
+- Fixed `utils/setup-enforcer.js` async Promise executor anti-pattern.
+- Fixed `utils/config-manager.js` stale `process.cwd()` capture at module load time.
+- Fixed `utils/config-manager.js` `ensureProjectSettingsDir` being a no-op.
+- Fixed `utils/config-helper.js` 7 `safeWriteFileSync` calls missing basePath in `initializeSourceFiles`.
+- Fixed `utils/env-manager.js` `getBoolean` comparison against non-boolean values.
+- Fixed `utils/admin-auth.js` `uncaughtException` handler wrong parameter format.
+
+### Added
+- `SecurityUtils.safeUnlinkSync(filePath, basePath)` — safely delete a file.
+- `SecurityUtils.safeRmdirSync(dirPath, basePath)` — safely remove a directory.
+
+### Changed
+- `configManager.resolvePaths`, `configManager.toRelative`, and config lock path now dynamically resolve via `getUserProjectRoot()`/`getProjectConfigPath()`.
+- `configManager.CONFIG_PATH` is now a getter that dynamically returns the project config path.
+- `configManager.migrateLegacyIfNeeded` exported for testability.
+
+### TypeScript
+- Fixed `runtime/i18ntk.d.ts` `BasicI18nRuntime.translate` and `t` return types from `Promise<string>` to `string`.
+
+### Scripts
+- Fixed `scripts/build-public-package.js` and `scripts/reset-release-state.js` `npm_execpath` fallback for missing env var.
+- Fixed `scripts/lint-locales.js` BOM handling and try-catch for `fs.readdirSync`.
+
+## [2.5.1] - 2026-04-29
+
+### Security
+- Fixed `AdminAuth.verifyPin()` to fail closed when admin config is missing, disabled, or malformed instead of returning success.
+- Fixed auth-required checks to fail closed when settings require admin PIN protection but the admin config is unusable.
+- Normalized admin session expiry handling by storing both `expires` and `expiresAt` and cleaning up both formats consistently.
+
+### Added
+- Added regression tests for admin PIN fail-closed behavior and session expiry cleanup.
+
+### Changed
+- Documented the public npm package staging flow introduced after `2.5.0`.
+
+## [2.5.0] - 2026-04-29
+
+### Security
+- Centralized environment-variable access behind the `utils/env-manager.js` allowlist.
+- Hardened `SecurityUtils.safeJoin()` and path validation against sibling-prefix containment bypasses.
+- Switched admin PIN hash verification to timing-safe comparison.
+- Fixed expired admin session cleanup and unref'd the cleanup timer so it does not keep CLI processes alive.
+- Expanded the release security scanner to inspect nested production source files.
+
+### Fixed
+- Fixed the manager fixer command so applied fixes are written to the same parsed object that is saved.
+- Fixed fixer writes for absolute source directories outside the current working directory.
+- Fixed debug-menu file reads to use `SecurityUtils` wrappers.
+- Fixed `secure-errors` to import its `SecurityUtils` dependency explicitly.
+
+### Changed
+- Updated package and documentation metadata to `2.5.0`.
+
+## [2.4.0] - 2026-04-16
+
+### Changed
+- Disabled npm registry update-check behavior in CLI startup paths.
+- Disabled manager-route backup execution (`i18ntk --command=backup`); standalone `i18ntk-backup` remains available.
+- Disabled setup prerequisite command probing via `PATH` inspection.
+- Updated README/docs/migration guides/environment variable documentation to reflect the above behavior.
+
+## [2.3.8] - 2026-04-13
+
+### Added
+- Added centralized structured logger with standardized prefixes and configurable levels (`error`, `warn`, `info`, `debug`).
+- Added opt-in JSON log output for CI/build pipelines via `JSON_LOG=true`.
+- Added missing-translation-key cache TTL (5 minutes) to prevent repeated key-miss spam.
+- Added build/worker logging utilities for percentage progress and pooled worker activity summaries.
+- Added test coverage for logger timing/progress/worker aggregation behavior.
+
+### Fixed
+- Fixed repeated default-configuration fallback output by emitting a single fallback notice per process.
+- Fixed recursive security/i18n logging interactions that could trigger repeated warning cascades.
+- Fixed false-positive security warnings for internal package/project absolute paths through internal root whitelisting.
+
+### Changed
+- Logging is now silent by default for non-critical output in production-like builds unless `DEBUG_MODE=true`.
+- Security warning reasons now use specific detection details instead of generic "dangerous patterns".
+- Updated package/docs/version metadata to `2.3.8`.
+
+## [2.3.7] - 2026-04-12
+
+### Fixed
+- Removed false-positive path traversal warnings for safe absolute project paths during framework builds.
+- Reduced repeated default-configuration console noise in multi-worker build environments.
+
+### Changed
+- Security event console logging is now fully opt-in via `I18NTK_ENABLE_SECURITY_LOGS=true` (or debug envs).
+- Config-manager diagnostic console logging is now fully opt-in via `I18NTK_ENABLE_LOGS=true` (or debug envs).
+- Updated docs to reflect new default-silent logging behavior and troubleshooting toggles.
+
+## [2.3.6] - 2026-04-12
+
+### Security
+- **Fixed path traversal vulnerability** in temporary file creation
+- **Added `safeJoin` function** for secure path construction
+- **Improved path validation** throughout the codebase
+
+### Fixed
+- Hardened settings reset and backup cleanup paths to reduce risk of broad/deep unintended file deletion.
+- Hardened backup command path handling to keep source/output/restore operations inside project boundaries by default.
+- Fixed backup-class async file operations to consistently use `fs.promises` APIs.
+
+### Changed
+- **Silent security logging by default**: Info-level messages suppressed, warnings/errors shown
+- **Debug mode**: Enable verbose logging with `I18N_DEBUG=true`
+- **Centralized security logging**: All security events use `SecurityUtils.logSecurityEvent()`
+- Made npm registry update checks explicit opt-in via `I18NTK_ENABLE_UPDATE_CHECK`.
+- Updated package/docs/version metadata to `2.3.6`.
+
+## [2.3.4] - 2026-04-12
+
+### Fixed
+- Fixed runtime autosave behavior so configuration write failures no longer hard-throw through request/render paths.
+- Fixed config save race resilience by combining queued writes, cross-process lock files, and unique temp filenames per write.
+
+### Added
+- Added `I18NTK_DISABLE_AUTOSAVE` support to skip disk persistence and keep in-memory config in server/runtime environments.
+- Added config-manager concurrency regression test covering parallel `saveConfig` calls.
+
+### Changed
+- Updated package/docs/version metadata to `2.3.4`.
+- Updated support policy guidance to recommend upgrading from versions below `2.3.4`.
+
+## [2.3.3] - 2026-04-12
+
+### Fixed
+- Fixed production config persistence race across multiple Node processes by adding cross-process file locking for `.i18ntk-config` writes.
+- Fixed intermittent `ENOENT` during atomic config rename operations under concurrent production traffic.
+
+### Changed
+- Updated package/docs/version metadata to `2.3.3`.
+- Updated support policy guidance to recommend upgrading from versions below `2.3.3`.
+
+## [2.3.2] - 2026-04-12
+
+### Added
+- Added startup npm-registry version checks that warn when the installed CLI is behind the latest published `i18ntk` release.
+- Added support for checking all published semver versions up to the current latest tag to improve outdated-version detection reliability.
+
+### Fixed
+- Fixed fatal analyze-command startup failure in manager command flow caused by missing `validateSourceDir` import.
+
+### Changed
+- Updated package/docs/version metadata to `2.3.2`.
+- Updated support policy guidance to recommend upgrading from versions below `2.3.2`.
+
+## [2.3.1] - 2026-04-12
+
+### Fixed
+- Fixed package export-path fallback in `utils/i18n-helper` that could trigger build warnings in production bundlers (`i18ntk/resources/i18n/ui-locales/en.json` not exported).
+
+### Changed
+- Updated package/docs/version metadata to `2.3.1`.
+- Updated support policy guidance to recommend upgrading from versions below `2.3.1`.
+
+## [2.3.0] - 2026-04-12
+
+### Added
+- Added validation summary report output after validation runs.
+- Added init-time backup configuration prompt (default disabled, optional enable).
+
+### Fixed
+- Fixed backup recursion/pollution risk by moving automated fixer backups to a dedicated backup root.
+- Fixed backup retention behavior to keep 1 by default with enforced bounds up to 3.
+- Fixed language discovery in validate/fixer flows to ignore backup/report directories.
+
+### Changed
+- Updated package/docs/version metadata to `2.3.0`.
+- Updated support policy guidance to recommend upgrading from versions below `2.3.0`.
+
+## [2.2.0] - 2026-04-12
+
+### Added
+- Added an explicit upgrade/support notice in docs recommending upgrade from pre-`2.2.0` versions.
+- Added migration guide for `v2.2.0`.
+
+### Fixed
+- Fixed critical sizing workflow regressions.
+- Fixed critical usage-analysis workflow regressions.
+- Fixed runtime locale optimizer dependency path after publish-surface cleanup.
+
+### Changed
+- Reduced publish surface by excluding internal development scripts from npm package artifacts.
+- Excluded legacy fixed artifacts from package output (`main/manage/index-fixed.js`, `utils/security-fixed.js`).
+- Updated package/docs/version metadata to `2.2.0`.
+
+## [2.1.1] - 2026-04-11
+
+### Added
+- Version bump to 2.1.1 for release.
+- Added `SecurityUtils.debugLog` function for consistent debugging.
+
+### Fixed
+- Fixed `SecurityUtils.logSecurityEvent` calls missing `level` parameter in `i18ntk-usage` and `UsageService`.
+- Fixed `level.toLowerCase is not a function` error in usage analysis.
+- Fixed `SecurityUtils.debugLog is not a function` error in sizing analysis.
+
+### Changed
+- Updated package and release metadata to `2.1.1`.
+- Removed legacy `resources/i18n/ui-locales` path references (use `ui-locales/` instead).
+- Updated all UI locale loading to use `ui-locales/` directory.
+
+## [2.1.0] - 2026-04-11
+
+### Added
+- Added a v2.1.0 migration guide and updated release runbook references.
+- Added stricter language-directory filtering in analysis paths to ignore backup/report folders.
+
+### Fixed
+- Fixed interactive menu command flow so it reliably returns to the main menu after command completion.
+- Fixed analysis progress output to report the correct processed-language count.
+- Fixed duplicate report-save output lines during analysis.
+- Fixed framework detection behavior to treat setup-complete projects as internally configured i18ntk projects.
+- Fixed false-positive security warnings for valid configuration fields like `dateFormat`, `timeFormat`, and `reportLanguage`.
+- Fixed locale-loading path fallback behavior to avoid noisy startup errors in global installs.
+
+### Changed
+- Synchronized and normalized UI locale keys across `resources/i18n/ui-locales` and `ui-locales`.
+- Updated package/release metadata to `2.1.0`.
+
+## [2.0.0] - 2026-01-01
+
+### Added
+- Added missing runtime translation keys across `init`, `fixer`, `sizing`, `summary`, `usage`, and settings import/export flows.
+- Added `SecurityUtils.safeParseJSON`, `SecurityUtils.safeReadFile`, and `SecurityUtils.safeWriteFile` compatibility APIs used by v2 command paths.
+- Added source-locale bootstrap behavior during `init` when the source language directory exists but has no translation files.
+
+### Fixed
+- Fixed initialization state detection to use project `.i18ntk-config` setup metadata as the v2 source of truth.
+- Fixed false setup-invalid states caused by BOM-encoded config files during setup checks.
+- Fixed config persistence risk by using atomic writes in `config-manager` save flow.
+- Fixed self-dependency metadata so the package remains zero-dependency in v2.
+
+### Changed
+- Updated package release metadata for the v2 line (`versionInfo`, deprecations, nextVersion).
+
+## [1.10.2] - 2025-08-23
+
+### 🚨 Critical Fix
+- **Fixed projectRoot default path**: Resetting settings now correctly restores `projectRoot` to `/` instead of `./`, ensuring fresh installs work out-of-the-box
+
+### 🆕 New Features
+- **Centralized Environment Variable Management**: Added comprehensive environment variable support with validation and security controls
+- **Enhanced Debug Logging**: Improved debug logging with environment variable support for better troubleshooting
+- **Secure Plugin Loading**: Added path sanitization for module loading to prevent security issues
+
+### 🔒 Security Enhancements
+- **Enhanced Path Validation**: Strengthened path validation and file operations security
+- **Secure Module Loading**: Added path sanitization for all plugin/module loading operations
+- **Environment Variable Security**: Implemented centralized environment variable management with security filtering
+
+### 🛠️ Improvements
+- **Refactored Configuration Handling**: Updated config system with integrated environment variable support
+- **Enhanced Logging System**: Improved debug logging capabilities with environment variable integration
+- **Better Error Handling**: Enhanced error messages and debugging information
+
+### 📚 Documentation
+- **Environment Variables Guide**: Added comprehensive documentation for all supported environment variables
+- **Migration Notes**: Added clear migration guidance for projectRoot path changes
+
+### 🔧 Technical Changes
+- **Package Version**: Updated to v1.10.2 across all files
+- **Security Patches**: Applied security improvements to path handling and file operations
+
+## [1.10.1] - 2025-08-22
+
+### Added
+- **New Terminal-Icons Utility**: Added `terminal-icons` utility for better emoji support in terminal output
+- **Enhanced UI Text Processing**: Improved text processing with terminal-safe fallbacks for special characters
+
+### Fixed
+- Fixed infinite setup loop issue (Hotfix)
+- Resolved version string update inconsistencies
+
+### Changed
+- Update version strings across all files from 1.9.1 to 1.10.1
+- Remove outdated package-lock.json and backup config
+
+## [1.10.0] - 2025-08-22
+
+### Added
+- **Enhanced Runtime API**: Improved framework-agnostic translation runtime with better TypeScript support
+- **Framework Detection**: Enhanced support for Next.js, Nuxt.js, and SvelteKit projects
+- **Reset Script**: Added `reset-for-publish.js` for clean package publishing
+- **Documentation**: Comprehensive updates for new features and improvements
+- **Configuration Persistence**: Fixed configuration changes not being saved to disk
+- **Caching System**: Added configuration caching to prevent redundant initialization
+
+### Fixed
+- **DNR Functionality**: Fixed persistence of "Do Not Remind" settings across version updates
+- **Settings Management**: Improved error handling and logging for settings operations
+- **TypeScript Definitions**: Enhanced type safety and autocomplete for better developer experience
+- **Performance**: Optimized translation lookups with reduced memory footprint
+- **Shell Security**: Verified zero shell access vulnerabilities in setup-enforcer.js
+- **Configuration Loading**: Fixed multiple "Initializing with default configuration" messages
+- **Path Resolution**: Fixed source directory path handling for CLI arguments
+
+### Security
+- **Settings Persistence**: Secure handling of user preferences and framework settings
+- **Error Handling**: Improved error reporting for configuration issues
+- **Dependencies**: Maintained zero runtime dependencies for maximum security
+- **Shell Access**: Confirmed no child_process usage in setup-enforcer.js
+- **Input Validation**: Enhanced path validation for source and output directories
+
+
+
+## [1.9.1] - 2025-08-14
+
+### Added
+- **Python Support**: Full support for Python frameworks including Django, Flask, FastAPI, and generic Python projects
+- **Enhanced Framework Detection**: Improved accuracy for all supported frameworks with new Python detection algorithms
+- **Common Locale File**: Added `locales/common.json` for shared translation keys across frameworks
+- **Zero Shell Security**: Complete removal of `child_process` dependencies for maximum security
+- **Exit/Cancel Option**: Added option to exit/cancel (press 0) during directory selection in fixer command
+
+### Changed
+- **Security Overhaul**: Replaced all `child_process` imports with native Node.js APIs
+- **Performance**: Maintained 97% performance improvement while adding security enhancements
+- **Framework Detection**: Updated detection patterns for JavaScript, Python, Go, Java, and PHP
+- **File Structure**: Optimized package structure with removed outdated files
+- **Documentation**: Comprehensive updates to reflect new features and security improvements
+
+### Removed
+- **Outdated Test Files**: Cleaned up test directories and removed deprecated test scripts
+- **Debug Tools**: Removed unused benchmark and package test files
+- **Shell Dependencies**: Eliminated all shell command dependencies
+- **Legacy Files**: Removed outdated configuration and development files
+
+### Security
+- **Zero Vulnerabilities**: Successfully passed security audit with 0 vulnerabilities
+- **Memory Safety**: Enhanced memory-safe operations throughout the codebase
+- **Input Validation**: Improved validation for all user inputs and file operations
+- **Dependency Cleanup**: Removed all shell-related dependencies
+
+### Performance
+- **Zero Overhead**: Security enhancements added zero performance overhead
+- **Python Detection**: Minimal overhead from new Python framework detection
+- **Memory Usage**: Maintained <2MB memory usage for all operations
+- **Validation**: Enhanced validation with no performance impact

package/CODE_OF_CONDUCT.md

@@ -0,0 +1,133 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or advances
+of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email address,
+  without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+GitHub Security Advisories for sensitive reports, or GitHub issues for non-sensitive community concerns.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of
+actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or permanent
+ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the
+community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder][Mozilla CoC].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
+[https://www.contributor-covenant.org/translations][translations].
+
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations

package/CONTRIBUTING.md

@@ -0,0 +1,41 @@
+# Contributing to i18ntk
+
+Thanks for helping improve i18ntk.
+
+## Project Priorities
+
+- Keep the npm package zero-dependency.
+- Keep the published package minimal and free of tests, local setup state, reports, backups, logs, credentials, and generated artifacts.
+- Preserve backward compatibility unless a breaking change is intentional and documented.
+- Prefer small, well-tested fixes over broad refactors.
+
+## Development Setup
+
+Clone the repository, install with npm, and run the project validation checks before opening a pull request.
+
+## Release Validation
+
+Maintainer release commands are documented in the repository development guide. The package published to npm uses a stripped public manifest.
+
+## Security
+
+Follow the security guidance in `SECURITY.md` and `docs/development/AGENTS.md`.
+
+Report vulnerabilities through GitHub Security Advisories. Do not open public issues for sensitive security reports.
+
+## Translations
+
+When editing `ui-locales/`, preserve JSON structure, placeholders, command names, file paths, and config keys.
+
+Run:
+
+Run the locale lint check before submitting translation changes.
+
+## Pull Requests
+
+Include:
+
+- the problem being fixed
+- the user-visible behavior change
+- validation commands that were run
+- any remaining risk or unverified behavior

package/FUNDING.md

@@ -0,0 +1,5 @@
+# Funding
+
+i18ntk does not request project donations.
+
+If you wanted to give something, please give it to a charity or community cause you trust.

package/README.md

@@ -1,20 +1,35 @@
-# i18ntk v2.5.0
+# i18ntk v2.6.0
 
 Zero-dependency internationalization toolkit for setup, scanning, analysis, validation, usage tracking, and translation completion.
 
-![i18ntk Logo](docs/screenshots/i18ntk-logo-public.PNG)
+![i18ntk Logo](https://raw.githubusercontent.com/vladnoskv/i18ntk/main/docs/screenshots/i18ntk-logo-public.PNG)
 
 [![npm version](https://img.shields.io/npm/v/i18ntk.svg?color=brightgreen)](https://www.npmjs.com/package/i18ntk)
 [![npm downloads](https://img.shields.io/npm/dt/i18ntk.svg)](https://www.npmjs.com/package/i18ntk)
 [![node](https://img.shields.io/badge/node-%3E%3D16-339933)](https://nodejs.org)
 [![dependencies](https://img.shields.io/badge/dependencies-0-success)](https://www.npmjs.com/package/i18ntk)
 [![license](https://img.shields.io/badge/license-MIT-yellow.svg)](LICENSE)
-[![socket](https://socket.dev/api/badge/npm/package/i18ntk/2.5.0)](https://socket.dev/npm/package/i18ntk/overview/2.5.0)
+[![socket](https://socket.dev/api/badge/npm/package/i18ntk/2.6.0)](https://socket.dev/npm/package/i18ntk/overview/2.6.0)
 
 ## Upgrade Notice
 
-Versions earlier than `2.5.0` may contain known stability and security issues.
-They are considered unsupported for production use. Upgrade to `2.5.0` or newer.
+Versions earlier than `2.6.0` may contain known stability and security issues.
+They are considered unsupported for production use. Upgrade to `2.6.0` or newer.
+
+## v2.6.0 — Deep-Code Audit Release
+
+v2.6.0 is a comprehensive hardening release from a two-pass code audit fixing 35+ bugs and security issues across 18 files. Highlights:
+
+- **Critical**: Fixed silent-write failures where `safeWriteFileSync` was called incorrectly across 4 modules.
+- **Security**: Replaced all remaining raw `fs` calls with validated `SecurityUtils` wrappers.
+- **Security**: Fixed path traversal bypass in the fallback `SecurityUtils` implementation.
+- **Security**: Fixed Windows path traversal false negatives (fragile `path.sep` comparison).
+- **Security**: Added `safeUnlinkSync` and `safeRmdirSync` for validated file/directory deletion.
+- **Runtime**: Fixed process event handler leak, missing `setInterval.unref()`, and JSON parse error handling.
+- **TypeScript**: Fixed `BasicI18nRuntime.translate/t` return type from `Promise<string>` to `string`.
+- **Scripts**: Fixed `npm_execpath` fallback in build/release scripts.
+
+For the full detailed changelog, see [CHANGELOG.md](./CHANGELOG.md). For migration notes, see [docs/migration-guide-v2.6.0.md](./docs/migration-guide-v2.6.0.md).
 
 ## What i18ntk Does
 
@@ -154,7 +169,7 @@ Example `.i18ntk-config`:
 
 ```json
 {
-  "version": "2.5.0",
+  "version": "2.6.0",
   "sourceDir": "./locales",
   "i18nDir": "./locales",
   "outputDir": "./i18ntk-reports",
@@ -170,16 +185,23 @@ See [docs/api/CONFIGURATION.md](docs/api/CONFIGURATION.md) for the full configur
 
 ## Docs
 
-- [Documentation Index](docs/README.md)
-- [Getting Started](docs/getting-started.md)
-- [API Reference](docs/api/API_REFERENCE.md)
-- [Configuration Guide](docs/api/CONFIGURATION.md)
-- [Runtime API Guide](docs/runtime.md)
-- [Scanner Guide](docs/scanner-guide.md)
-- [Environment Variables](docs/environment-variables.md)
-- [Migration Guide v2.5.0](docs/migration-guide-v2.5.0.md)
-- [Migration Guide v2.4.0](docs/migration-guide-v2.4.0.md)
-- [Optimization Prompt](docs/development/package-optimization-prompt.md)
+- [Documentation Index](https://github.com/vladnoskv/i18ntk/blob/main/docs/README.md)
+- [Getting Started](https://github.com/vladnoskv/i18ntk/blob/main/docs/getting-started.md)
+- [API Reference](https://github.com/vladnoskv/i18ntk/blob/main/docs/api/API_REFERENCE.md)
+- [Configuration Guide](https://github.com/vladnoskv/i18ntk/blob/main/docs/api/CONFIGURATION.md)
+- [Runtime API Guide](https://github.com/vladnoskv/i18ntk/blob/main/docs/runtime.md)
+- [Scanner Guide](https://github.com/vladnoskv/i18ntk/blob/main/docs/scanner-guide.md)
+- [Environment Variables](https://github.com/vladnoskv/i18ntk/blob/main/docs/environment-variables.md)
+- [Migration Guide v2.6.0](https://github.com/vladnoskv/i18ntk/blob/main/docs/migration-guide-v2.6.0.md)
+- [Migration Guide v2.5.1](https://github.com/vladnoskv/i18ntk/blob/main/docs/migration-guide-v2.5.1.md)
+- [Migration Guide v2.5.0](https://github.com/vladnoskv/i18ntk/blob/main/docs/migration-guide-v2.5.0.md)
+
+## Community
+
+- [Contributing](CONTRIBUTING.md)
+- [Code of Conduct](CODE_OF_CONDUCT.md)
+- [Security Policy](SECURITY.md)
+- [Funding](FUNDING.md)
 
 ## Code of Conduct