Feature/analytics and csp (#151)

* chore: release prep for v1.25.0

* docs: corrected changelog

* chore: updated service-worker.js cache, posthog.js, and env.js

* docs: updated changelog

Author: SunDevil311

.github/workflows/branch-guard.yml

@@ -24,14 +24,30 @@ jobs:
     steps:
       - name: Check commit source
         run: |
-          # Only trigger warning if commit wasn't from a merge or bot
-          if [[ "${{ github.event.head_commit.message }}" != *"Merge pull request"* ]] && \
-             [[ "${{ github.actor }}" != "dependabot[bot]" ]]; then
-            echo "::warning ::⚠️ Direct commit to ${GITHUB_REF##*/} by $GITHUB_ACTOR."
-            echo "### ⚠️ Direct Commit Detected" >> $GITHUB_STEP_SUMMARY
-            echo "A commit was pushed directly to \`${GITHUB_REF##*/}\` by **${GITHUB_ACTOR}**." >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "💡 It's recommended to use pull requests for traceability and CI validation." >> $GITHUB_STEP_SUMMARY
-          else
-            echo "✅ Merge or bot commit detected — no action needed."
+          commit_msg="${{ github.event.head_commit.message }}"
+          actor="${{ github.actor }}"
+          branch="${GITHUB_REF##*/}"
+
+          echo "📝 Commit message: $commit_msg"
+          echo "👤 Actor: $actor"
+          echo "🌿 Branch: $branch"
+
+          # Define known safe patterns (merge or bot commits)
+          if echo "$commit_msg" | grep -Eq "Merge pull request|See merge request|Merge branch|(#\d+)$"; then
+            echo "✅ Merge-related commit detected — no warning."
+            exit 0
           fi
+
+          if [[ "$actor" == "dependabot[bot]" ]] || [[ "$actor" == "renovate[bot]" ]] || [[ "$actor" == "github-actions[bot]" ]]; then
+            echo "🤖 Bot commit detected — skipping warning."
+            exit 0
+          fi
+
+          # Otherwise, warn for direct commits
+          echo "::warning ::⚠️ Direct commit to $branch by $actor."
+          {
+            echo "### ⚠️ Direct Commit Detected"
+            echo "A commit was pushed directly to \`$branch\` by **$actor**."
+            echo ""
+            echo "💡 It's recommended to use pull requests for traceability and CI validation."
+          } >> $GITHUB_STEP_SUMMARY

CHANGELOG.md

@@ -22,6 +22,71 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 ---
 
+## [1.25.0]
+
+### Added
+
+- Introduced unified environment detection utility (`src/lib/utils/env.js`) with full **JSDoc typing**.
+  - Normalizes `process.env` and `import.meta.env` usage across SSR (Node) and client contexts.
+  - Safely handles browser environments where `process` is undefined.
+  - Provides standardized flags for:
+    - `isDev`, `isProd`, `isAudit`, `isCI`, and `isTest`
+  - Enables consistent environment checks across analytics, CSP, and runtime logic.
+
+- Added hybrid **environment + host-based analytics guard** in `src/lib/stores/posthog.js`.
+  - Automatically disables PostHog tracking in `audit` mode or when hostname matches `*.audit.netwk.pro`.
+  - Prevents analytics initialization during development and test contexts.
+  - Uses the shared `detectEnvironment()` utility for centralized logic.
+  - Improves runtime logging for environment-specific behavior.
+
+### Changed
+
+- Updated `hooks.server.js` to include a dedicated **audit environment block** for Content Security Policy (CSP).
+  - Hardened audit CSP by removing all analytics-related sources (`posthog.com`, `posthog-assets.com`).
+  - Redirects CSP violation reporting to the mock endpoint (`/api/mock-csp`) in audit mode.
+  - Preserves full HSTS and other production security headers for audit deployments.
+  - Added clear separation between `test`, `audit`, and `prod` security policies.
+  - Improved console debugging for environment detection (`NODE_ENV`, `ENV_MODE`).
+
+- Refactored **environment detection logic** for improved reliability across client and server contexts.
+  - Added unified environment resolver at `src/lib/utils/env.js` to standardize detection for `dev`, `prod`, `audit`, `ci`, and `test` modes.
+  - Ensures consistent handling of both `process.env.*` (Node/SSR) and `import.meta.env.*` (Vite/client) variables.
+  - Prevents mismatched behavior between browser-side analytics (`posthog.js`) and server-side policies (`hooks.server.js`).
+  - Automatically falls back to `'unknown'` if no explicit mode is set, avoiding build-time exceptions.
+
+- Refactored **Branch Guard** workflow (`.github/workflows/branch-guard.yml`) for improved accuracy and reduced noise.
+  - Adjusted detection logic to **ignore merge commits**, Dependabot updates, and automated actions.
+  - Ensures workflow warnings are shown **only for true direct commits** to protected branches (`master`, `main`).
+  - Simplified step output and summary formatting for clearer reporting in the Actions log and job summary.
+  - Maintains lightweight permissions (`contents: read`) and executes entirely without repository writes.
+  - Improves reliability of branch protection monitoring without affecting CI or merge operations.
+
+### Fixed
+
+- Resolved client-side crash in browser environments caused by `process.env` being undefined.
+  - Implemented defensive checks in `env.js` for `process` availability.
+  - Eliminated reference errors during client-side initialization of analytics.
+
+### Developer Experience
+
+- Simplified future configuration by consolidating environment checks into a single typed utility.
+- Improved maintainability and Vercel compatibility by ensuring `.env.audit` and `PUBLIC_ENV_MODE` variables propagate correctly to both client and server environments.
+
+### Developer Notes
+
+- When deploying audit builds, ensure Vercel environment variables include:
+
+```bash
+ENV_MODE=audit
+PUBLIC_ENV_MODE=audit
+```
+
+This enables analytics filtering and CSP hardening for the audit environment.
+
+- Audit deployments retain full HTTPS and security headers but omit telemetry and external CSP reporting.
+
+---
+
 ## [1.24.5]
 
 ### Added
@@ -54,6 +119,9 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 - For instructions on installing and configuring the new dependencies, please see the **[Editor Configuration](https://github.com/netwk-pro/netwk-pro.github.io/wiki/Editor-Configuration#automation)** section of the [Wiki](https://github.com/netwk-pro/netwk-pro.github.io/wiki).
 
+> **Note:** Version `1.24.4` was merged but not tagged or released.  
+> Subsequent updates are reflected in `v1.24.5` and later.
+
 ---
 
 ## [1.24.4]
@@ -1515,7 +1583,8 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 <!-- Link references -->
 
-[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.24.5...HEAD
+[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.25.0...HEAD
+[1.25.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.0
 [1.24.5]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.5
 [1.24.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.4
 [1.24.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.3

cspell.json

@@ -27,6 +27,7 @@
     "heliboard",
     "homescreen",
     "HREFTOP",
+    "HSTS",
     "Izzy",
     "Keybase",
     "keypair",

package-lock.json

@@ -1,7 +1,7 @@
 {
   "name": "@networkpro/web",
   "private": false,
-  "version": "1.24.5",
+  "version": "1.25.0",
   "description": "Locking Down Networks, Unlocking Confidence™ | Security, Networking, Privacy — Network Pro Strategies",
   "keywords": [
     "advisory",
@@ -35,9 +35,11 @@
   },
   "scripts": {
     "dev": "vite dev",
+    "dev:audit": "vite --mode audit",
     "start": "npm run dev",
     "dev:vercel": "vercel dev",
     "build": "vite build",
+    "build:audit": "vite build --mode audit",
     "build:vercel": "vercel build",
     "preview": "vite preview",
     "css:bundle": "node scripts/bundleCss.js",

package.json

@@ -6,33 +6,25 @@ SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
 This file is part of Network Pro.
 ========================================================================== */
 
+import { detectEnvironment } from '$lib/utils/env.js';
+
 /**
  * SvelteKit server hook to set Content Security Policy (CSP) header.
  * @type {import('@sveltejs/kit').Handle}
  */
 export async function handle({ event, resolve }) {
-  // Create the response
   const response = await resolve(event);
+  const { isAudit, isTest, isProd } = detectEnvironment();
 
-  // Determine environment flags
-  // Default to development policy if neither test nor prod
-  const isTestEnvironment =
-    process.env.NODE_ENV === 'development' ||
-    process.env.ENV_MODE === 'dev' ||
-    process.env.ENV_MODE === 'ci';
-  const isProdEnvironment =
-    process.env.NODE_ENV === 'production' || process.env.ENV_MODE === 'prod';
-
-  console.log('[CSP Debug] NODE_ENV:', process.env.NODE_ENV);
-  console.log('[CSP Debug] ENV_MODE:', process.env.ENV_MODE);
+  console.log('[CSP Debug ENV]', detectEnvironment());
 
   // Determine report URI
   const reportUri =
-    isProdEnvironment && !isTestEnvironment
+    isProd && !isTest && !isAudit
       ? 'https://csp.netwk.pro/.netlify/functions/csp-report'
       : '/api/mock-csp';
 
-  // Construct base policy
+  // Base hardened policy
   const cspDirectives = [
     "default-src 'self';",
     "script-src 'self' 'unsafe-inline' https://us.i.posthog.com https://us-assets.i.posthog.com;",
@@ -45,40 +37,45 @@ export async function handle({ event, resolve }) {
     "object-src 'none';",
     "frame-ancestors 'none';",
     'upgrade-insecure-requests;',
-    // Report CSP violations to external endpoint hosted at csp.netwk.pro
-    `report-uri ${reportUri};`,
-    'report-to csp-endpoint;',
   ];
 
-  // Loosen up CSP for test environments (and allow local PostHog proxy)
-  if (isTestEnvironment) {
+  // 🧪 Looser CSP for local/CI test environments
+  if (isTest) {
     cspDirectives[1] =
       "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://localhost:* ws://localhost:*;";
-    cspDirectives[2] =
-      "script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' http://localhost:* ws://localhost:*;";
-    cspDirectives[3] = "style-src 'self' 'unsafe-inline' http://localhost:*;";
-    cspDirectives[4] = "img-src 'self' data: http://localhost:*;";
-    cspDirectives[5] =
+    cspDirectives[2] = "style-src 'self' 'unsafe-inline' http://localhost:*;";
+    cspDirectives[3] = "img-src 'self' data: http://localhost:*;";
+    cspDirectives[4] =
       "connect-src 'self' http://localhost:* ws://localhost:* https://us.i.posthog.com https://us-assets.i.posthog.com;";
   }
 
-  response.headers.set(
-    'Report-To',
-    JSON.stringify({
-      group: 'csp-endpoint',
-      max_age: 10886400, // 18 weeks
-      endpoints: [
-        {
-          url: 'https://csp.netwk.pro/.netlify/functions/csp-report',
-        },
-      ],
-      include_subdomains: true,
-    }),
-  );
+  // 🧩 Hardened CSP for audit environment — no analytics, no CSP reporting
+  if (isAudit) {
+    cspDirectives[1] = "script-src 'self' 'unsafe-inline';";
+    cspDirectives[2] = "style-src 'self' 'unsafe-inline';";
+    cspDirectives[3] = "img-src 'self' data:;";
+    cspDirectives[4] = "connect-src 'self';";
+  }
+
+  // 📋 Attach CSP report directives ONLY in production
+  if (isProd && !isAudit && !isTest) {
+    cspDirectives.push(`report-uri ${reportUri};`, 'report-to csp-endpoint;');
 
+    response.headers.set(
+      'Report-To',
+      JSON.stringify({
+        group: 'csp-endpoint',
+        max_age: 10886400, // 18 weeks
+        endpoints: [{ url: reportUri }],
+        include_subdomains: true,
+      }),
+    );
+  }
+
+  // ✅ Apply final CSP
   response.headers.set('Content-Security-Policy', cspDirectives.join(' '));
 
-  // Set other security headers
+  // Standard security headers
   response.headers.set(
     'Permissions-Policy',
     [
@@ -103,10 +100,10 @@ export async function handle({ event, resolve }) {
   response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
   response.headers.set('X-Frame-Options', 'DENY');
 
-  if (process.env.ENV_MODE !== 'test' && process.env.ENV_MODE !== 'ci') {
+  if (!isTest) {
     response.headers.set(
       'Strict-Transport-Security',
-      'max-age=31536000; includeSubDomains;', // No preload here
+      'max-age=31536000; includeSubDomains;',
     );
   }
 
@@ -120,8 +117,5 @@ export async function handle({ event, resolve }) {
 export function handleError({ error, event }) {
   console.error('🔴 SSR Error in route:', event.url.pathname);
   console.error(error);
-
-  return {
-    message: 'A server-side error occurred',
-  };
+  return { message: 'A server-side error occurred' };
 }

src/hooks.server.js

@@ -15,6 +15,7 @@ import {
   remindUserToReconsent,
   trackingPreferences,
 } from '$lib/stores/trackingPreferences.js';
+import { detectEnvironment } from '$lib/utils/env.js';
 import { get, writable } from 'svelte/store';
 
 /**
@@ -38,31 +39,47 @@ let ph = null;
 /**
  * Initializes the PostHog analytics client if tracking is permitted.
  * Uses dynamic import to avoid SSR failures.
+ *
  * @returns {Promise<void>}
  */
 export async function initPostHog() {
   if (initialized || typeof window === 'undefined') return;
-  const isDev = import.meta.env.MODE === 'development';
-  if (isDev) {
-    console.info('[PostHog] Skipping init in development mode.');
+
+  const { isAudit, isDev, isTest, mode } = detectEnvironment();
+
+  // 🌐 Hybrid hostname + environment guard
+  const host = window.location.hostname;
+  const isAuditHost = /(^|\.)audit\.netwk\.pro$/i.test(host);
+  const effectiveAudit = isAudit || isAuditHost;
+
+  if (effectiveAudit) {
+    console.info(`[PostHog] Skipping analytics (${mode} mode, host: ${host}).`);
+    return;
+  }
+
+  // 🧱 Skip entirely in dev/test contexts
+  if (isDev || isTest) {
+    console.info('[PostHog] Skipping init in dev/test mode.');
     return;
   }
 
+  // 🚀 Production analytics logic (with user consent)
   initialized = true;
 
   const { enabled } = get(trackingPreferences);
   trackingEnabled.set(enabled);
-  showReminder.set(get(remindUserToReconsent)); // use derived store instead
+  showReminder.set(get(remindUserToReconsent));
 
   if (!enabled) {
-    console.log('[PostHog] Tracking is disabled — skipping init.');
+    console.log('[PostHog] Tracking disabled — user opted out.');
     return;
   }
 
   try {
     const posthogModule = await import('posthog-js');
     ph = posthogModule.default;
 
+    // ✅ Initialize PostHog
     // cspell:disable-next-line
     ph.init('phc_Qshfo6AXzh4pS7aPigfqyeo4qj1qlyh7gDuHDeVMSR0', {
       api_host: '/relay-MSR0/',