chore: release prep for v1.25.8

.github/workflows/prevent-audit-merge.yml

@@ -0,0 +1,27 @@
+# .github/workflows/prevent-audit-merge.yml
+#
+# Copyright © 2025 Network Pro Strategies (Network Pro™)
+# SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
+# This file is part of Network Pro
+
+name: Prevent audit merges into master
+
+on:
+  pull_request:
+    branches: [master]
+
+permissions:
+  contents: read
+
+jobs:
+  check-branch:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Fail if source is audit-netlify
+        run: |
+          SOURCE_BRANCH="${{ github.event.pull_request.head.ref }}"
+          echo "🔍 Checking source branch: $SOURCE_BRANCH"
+          if [[ "$SOURCE_BRANCH" == "audit-netlify" ]]; then
+            echo "❌ Merge from 'audit-netlify' to 'master' is prohibited."
+            exit 1
+          fi

.stylelintignore

@@ -4,6 +4,9 @@
 # SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
 # This file is part of Network Pro.
 
+# Netlify
+.netlify
+
 # Report files and test results
 playwright-report
 test-results

CHANGELOG.md

@@ -22,6 +22,43 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 ---
 
+## [1.25.8] - 2025-11-11
+
+### Added
+
+- 🔐 **Branch protection rules** on `master`:
+  - Enforced pull requests for all changes
+  - Blocked force pushes
+  - Linear history requirement
+- 🚫 **CI workflow to prevent merges from `audit-netlify` to `master`**:
+  - PRs originating from `audit-netlify` targeting `master` are automatically rejected
+  - Triggered on `pull_request` events
+  - Uses `github.event.pull_request.head.ref` for precise branch detection
+- 🚀 **Netlify CI deployment** for audit-only branch:
+  - Workflow `.github/workflows/deploy-audit-netlify.yml` added
+  - Deploys `audit-netlify` to a separate Netlify site
+  - Uses environmental variables to trigger `vite build --mode audit`
+- 🌐 **`hooks.server.js` CSP hardening** for audit deployments:
+  - Probely scanner detection based on UA/IP added via `isProbelyScanner()`
+  - Audit-specific CSP disables analytics and CSP reporting endpoints
+  - Logs detailed CSP info when in `isAudit` or `isDebug` modes
+- 🛡️ Middleware improvements:
+  - User-agent/IP fingerprinting for Probely DAST
+  - Added logging for audit-mode scanner matches
+- 🧪 Support for per-environment `.env` files (e.g. `.env.audit`)
+- 🔄 Git helper scripts:
+  - Added bash script to sync `audit-netlify` with latest `master`
+  - Supports merge conflict resolution via VS Code diff viewer
+
+### Changed
+
+- Updated `.stylelintignore` to exclude `.netlify` directory
+- Updated `lint:md` script to exclude the `build/` and `.netlify/` directories
+- Refined `svelte.config.js` to support alternate build targets (Vercel → Netlify via adapter switch)
+- Audit builds now use isolated `.env` config and a separate Netlify site token
+
+---
+
 ## [1.25.7] - 2025-11-11
 
 ### Added
@@ -1770,7 +1807,8 @@ This enables analytics filtering and CSP hardening for the audit environment.
 
 <!-- Link references -->
 
-[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.25.7...HEAD
+[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.25.8...HEAD
+[1.25.8]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.8
 [1.25.7]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.7
 [1.25.6]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.6
 [1.25.5]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.5

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@networkpro/web",
   "private": false,
-  "version": "1.25.7",
+  "version": "1.25.8",
   "description": "Locking Down Networks, Unlocking Confidence™ | Security, Networking, Privacy — Network Pro Strategies",
   "keywords": [
     "advisory",
@@ -70,7 +70,7 @@
     "lint:fix": "eslint . --ext .js,.cjs,.mjs,.svelte --fix",
     "lint:jsdoc": "eslint . --ext .js,.cjs,.mjs,.svelte --max-warnings=0",
     "lint:css": "stylelint \"**/*.{css,svelte}\" --ignore-path .stylelintignore",
-    "lint:md": "npx markdownlint-cli2 \"**/*.{md,markdown}\" \"#node_modules/**\" \"#playwright-report/**\" \"#test-results/**\"",
+    "lint:md": "npx markdownlint-cli2 \"**/*.{md,markdown}\" \"#build/**\" \"#.netlify/**\" \"#node_modules/**\" \"#playwright-report/**\" \"#test-results/**\"",
     "format": "prettier --check .",
     "format:fix": "prettier --write .",
     "lint:all": "npm-run-all --parallel --print-label lint lint:md lint:css --sequential format",