chore: release prep for v1.25.6 (#156)

Author: SunDevil311

.github/workflows/probely-scan.yml

@@ -21,39 +21,58 @@ jobs:
 
     env:
       PROBELY_API_KEY: ${{ secrets.PROBELY_API_KEY }}
-      TARGET_ID: 3by8xa6kzArN
-      API_BASE: https://api.probely.com/v2 # Always include /v2
+      TARGET_ID: ${{ secrets.PROBELY_TARGET_ID }}
+      API_BASE: https://api.probely.com
       MAX_WAIT_MINUTES: 60 # configurable
 
     steps:
       - name: Start Probely Scan
         id: start-scan
         run: |
+          curl_retry() {
+            curl --fail-with-body --retry 3 --retry-delay 5 --retry-max-time 30 "$@"
+          }
+
           echo "🧪 Triggering Probely scan for target $TARGET_ID ..."
-          response=$(curl -s -X POST "$API_BASE/targets/$TARGET_ID/scans/" \
+
+          response_file=$(mktemp)
+          http_code=$(curl_retry -s -w "%{http_code}" -o "$response_file" -X POST "$API_BASE/targets/$TARGET_ID/scan_now/" \
             -H "Authorization: JWT $PROBELY_API_KEY" \
             -H "Content-Type: application/json" \
             -d '{}')
 
-          echo "Raw API response:"
-          echo "$response" | jq .
+          echo "🌐 HTTP status: $http_code"
+          echo "📄 Raw API response:"
+          cat "$response_file"
+
+          if [ "$http_code" -ne 201 ]; then
+            echo "::error ::Unexpected HTTP response from Probely API: $http_code"
+            exit 1
+          fi
+
+          if ! jq . "$response_file" >/dev/null 2>&1; then
+            echo "::error ::Invalid JSON response from Probely API."
+            cat "$response_file"
+            exit 1
+          fi
 
-          scan_id=$(echo "$response" | jq -r '.id // empty')
+          jq . "$response_file"
+          scan_id=$(jq -r '.id // empty' "$response_file")
 
           if [ -z "$scan_id" ]; then
-            echo "::error ::Failed to start scan — check API key, target ID, or base URL."
+            echo "::error ::Scan ID not found in response. Check API key, target ID, or base URL."
             exit 1
           fi
 
-          echo "scan_id=$scan_id" >> $GITHUB_ENV
+          echo "scan_id=$scan_id" >> "$GITHUB_ENV"
           echo "✅ Scan started with ID: $scan_id"
 
       - name: Wait for Scan Completion
         run: |
           echo "⏳ Waiting for scan $scan_id to complete..."
           elapsed=0
           while [ $elapsed -lt $((MAX_WAIT_MINUTES * 60)) ]; do
-            status=$(curl -s "$API_BASE/scans/$scan_id/" \
+            status=$(curl --fail-with-body -s "$API_BASE/targets/$TARGET_ID/scans/$scan_id/" \
               -H "Authorization: JWT $PROBELY_API_KEY" | jq -r '.status // empty')
 
             echo "⏱️  Status: $status (elapsed $elapsed sec)"
@@ -78,18 +97,19 @@ jobs:
       - name: Download Probely HTML Report
         run: |
           echo "📥 Downloading report for scan $scan_id ..."
-          curl -s "$API_BASE/scans/$scan_id/report/" \
+          curl -s "$API_BASE/targets/$TARGET_ID/scans/$scan_id/endpoints/" \
             -H "Authorization: JWT $PROBELY_API_KEY" \
-            -o probely-report.html
+            -o probely-scan-coverage.csv
 
-          if [ ! -s probely-report.html ]; then
+          if [ ! -s probely-scan-coverage.csv ]; then
             echo "::error ::Report file is empty or missing."
             exit 1
           fi
-          echo "✅ Report saved as probely-report.html"
+          echo "✅ Report saved as probely-scan-coverage.csv"
 
       - name: Upload report artifact
         uses: actions/upload-artifact@v5
         with:
-          name: probely-report
-          path: probely-report.html
+          name: probely-scan-coverage
+          path: probely-scan-coverage.csv
+# cspell:ignore mktemp

.vscode/settings.json

@@ -41,40 +41,5 @@
   "css.customData": [
     ".vscode/customData.json" // Path to your custom data file
   ],
-  "markdown.validate.enabled": false,
-  "markdown.validate.ignoredLinks": [
-    "#bugs",
-    "#features",
-    "#top",
-    "#ownership",
-    "#trademark",
-    "#branding",
-    "#licensed-material",
-    "#licenses",
-    "#dlnotes",
-    "#cc-by",
-    "#gnu-gpl",
-    "#third-party",
-    "#prohibited-uses",
-    "#disclaimer",
-    "#contact",
-    "#revisions",
-    "#pledge",
-    "#standards",
-    "#response",
-    "#enforce",
-    "#attribute",
-    "#version",
-    "#structure",
-    "#getting-started",
-    "#configuration",
-    "#sw-utilities",
-    "#cspreport",
-    "#testing",
-    "#toolchain",
-    "#toolconfig",
-    "#scripts",
-    "#license",
-    "#questions"
-  ]
+  "markdown.validate.enabled": false
 }

CHANGELOG.md

@@ -22,6 +22,35 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 ---
 
+## [1.25.6] - 2025-11-04
+
+### Security
+
+- Hardened `Content-Security-Policy (CSP)` in `hooks.server.js`:
+  - Environment-specific policies for `production`, `audit`, `dev`, and `test`
+  - Added real CSP reporting endpoint (`csp.netwk.pro`) in production
+  - Report-only mode enabled in non-prod for safer diagnostics
+- Added `/api/mock-csp` endpoint to capture and log CSP violation reports in non-prod environments
+
+### Changed
+
+- Updated `README.md` with detailed explanation of the CSP enforcement strategy and future nonce-based roadmap
+- Moved inline styles from `Badges.svelte` and `Logo.svelte` to external stylesheet (`default.css`)
+- Regenerated `global.min.css` using LightningCSS to reflect updated external styles
+- Bumped project version to `v1.25.6`
+- Updated dependencies:
+  - `@eslint/js` `^9.39.0` → `^9.39.1`
+  - `eslint` `^9.39.0` → `^9.39.1`
+  - `eslint-plugin-jsdoc` `^61.1.11` → `^61.1.12`
+  - `svelte` `5.43.2` → `5.43.3`
+  - `posthog-js` `^1.284.0` → `^1.285.1`
+
+### Fixed
+
+- Updated `probely-scan.yml` GitHub workflow to utilize the correct API endpoint and cURL requests.
+
+---
+
 ## [1.25.5] - 2025-11-03
 
 ### Added
@@ -1702,7 +1731,8 @@ This enables analytics filtering and CSP hardening for the audit environment.
 
 <!-- Link references -->
 
-[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.25.5...HEAD
+[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.25.6...HEAD
+[1.25.6]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.6
 [1.25.5]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.5
 [1.25.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.4
 [1.25.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.3

README.md

@@ -173,23 +173,55 @@ This project includes custom runtime configuration files for enhancing security,
 
 ### 🔐 `hooks.server.js`
 
-Located at `src/hooks.server.js`, this file is responsible for injecting dynamic security headers. It includes:
+Located at `src/hooks.server.js`, this file dynamically injects security headers depending on the environment. It includes:
+
+- A **Content Security Policy (CSP)** with environment-based directives:
+  - **Production/Audit**: Enforced, hardened CSP
+  - **Test/Dev**: Uses `Content-Security-Policy-Report-Only` for safe diagnostics
+- A **Permissions Policy** that disables nonessential browser APIs
+- Standard HTTP security headers:
+  - `X-Content-Type-Options`
+  - `X-Frame-Options`
+  - `Referrer-Policy`
+  - `Strict-Transport-Security` (in non-test environments)
 
-- A Content Security Policy (CSP) configured with relaxed directives to permit inline scripts and styles (`'unsafe-inline'`)
-- A Permissions Policy to explicitly disable unnecessary browser APIs
-- Standard security headers such as `X-Content-Type-Options`, `X-Frame-Options`, and `Referrer-Policy`
+---
+
+### ⚙️ CSP Behavior by Environment
+
+| Environment  | Header                                | Analytics Enabled | CSP Reporting |
+| ------------ | ------------------------------------- | ----------------- | ------------- |
+| `production` | `Content-Security-Policy`             | ✅ Yes            | ✅ Yes        |
+| `audit`      | `Content-Security-Policy`             | ❌ No             | ❌ No         |
+| `dev`        | `Content-Security-Policy-Report-Only` | ❌ No             | ✅ Yes (mock) |
+| `test`       | `Content-Security-Policy-Report-Only` | ❌ No             | ✅ Yes (mock) |
+
+---
+
+### 🧪 Reporting & Debugging
 
-> ℹ️ A stricter CSP (excluding `'unsafe-inline'`) was attempted but reverted due to framework-level and third-party script compatibility issues. The current policy allows inline scripts to ensure stability across SvelteKit and analytics features such as PostHog.
+- In **non-production environments**, CSP headers are set to `report-only` mode.
+- Violations are POSTed to `/api/mock-csp`, which logs reports to the console.
+- In **production**, violations are sent to a real CSP collection endpoint (`https://csp.netwk.pro/.netlify/functions/csp-report`).
+
+---
+
+### ⚠️ Current Trade-Off
+
+> Due to limitations in PostHog and certain SvelteKit internals, the current policy allows `'unsafe-inline'` for scripts and styles. A strict CSP using nonces was previously attempted but blocked critical functionality.
+
+---
 
-#### Future Improvements
+### 📈 Future Improvements (Strict CSP Plan)
 
-To implement a strict nonce-based CSP in the future:
+To move toward a strict, nonce-based CSP:
 
-1. Add nonce generation and injection logic in `hooks.server.js`
-2. Update all inline `<script>` tags (e.g. in `app.html`) to include `nonce="__cspNonce__"`
-3. Ensure any analytics libraries or dynamic scripts support nonced or external loading
+1. Ensure **all inline scripts** are updated to include injected nonces (`nonce="%nonce%"`)
+2. Confirm **PostHog** or future analytics platforms support nonced or external scripts/stylesheets
+3. Review and refactor any components that rely on dynamic `style=` or `<style>` blocks without support for CSP nonces
+4. Move third-party scripts out of inline `<script>` tags where possible
 
-Note: Strict CSP adoption may require restructuring third-party integrations and deeper framework coordination.
+> ℹ️ Nonce-based CSP is the most secure long-term path but requires cooperation from all dependencies — and possibly upstream fixes to analytics tooling or SvelteKit itself.
 
 &nbsp;