john/tractatus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tractatus/scripts/add-governance-rules.js
TheFlow 5db03ef504 feat: implement Priority 1 - Public Blog System with governance enhancements 
## Blog Implementation (Priority 1)
- Add public blog listing page (public/blog.html)
  * Responsive grid layout with 9 posts per page
  * Search with 300ms debouncing
  * Category filtering and sorting
  * Pagination with page numbers
  * Active filter tags with removal
  * Loading, empty, and error states
  * WCAG 2.1 AA accessibility compliance

- Add individual blog post template (public/blog-post.html)
  * Full post display with metadata
  * AI disclosure banner for AI-assisted content
  * Social sharing (Twitter, LinkedIn, Copy Link)
  * Related posts algorithm (category → tags → recent)
  * Breadcrumb navigation

- Add blog listing client-side logic (public/js/blog.js - 456 lines)
  * XSS prevention via escapeHtml()
  * Debounced search implementation
  * Event delegation for pagination
  * Client-side filtering and sorting
  * API integration with GET /api/blog

- Add blog post client-side logic (public/js/blog-post.js - 362 lines)
  * Individual post rendering
  * Related posts algorithm
  * Social sharing with visual feedback
  * Basic markdown to HTML conversion
  * Copy link with success/error states

- Update navbar (public/js/components/navbar.js)
  * Add Blog link to desktop and mobile menus
  * Fix 4 CSP violations (inline styles → Tailwind classes)
  * Caught by pre-action-check.js (inst_008 enforcement)

## Governance Framework Enhancements

- Add inst_026: Client-Side Code Quality Standards (OPERATIONAL)
  * Framework usage (vanilla JS)
  * XSS prevention requirements
  * URL portability standards
  * Debouncing for search inputs
  * Event delegation patterns
  * UX states (loading/error/empty)
  * ESLint validation requirements

- Add inst_027: Production Deployment Checklist (TACTICAL)
  * Code cleanliness verification
  * Environment independence checks
  * CSP compliance validation
  * File organization standards
  * Cache busting requirements
  * Sensitive data protection

- Add ESLint configuration (.eslintrc.json)
  * Client-side code quality enforcement
  * No console.log in production (console.error allowed)
  * Modern JavaScript standards (const, arrow functions)
  * Security rules (no eval, no script URLs)
  * Environment-specific overrides

- Add governance rule loader (scripts/add-governance-rules.js)
  * MongoDB integration for rule management
  * Support for rule updates
  * Comprehensive rule validation

## Documentation

- Add comprehensive validation report (docs/BLOG_IMPLEMENTATION_VALIDATION_REPORT.md)
  * Code quality validation (syntax, console, CSP)
  * Production deployment readiness
  * Security validation (XSS, CSRF, CSP)
  * Accessibility validation (WCAG 2.1 AA)
  * Performance validation
  * Framework enforcement analysis
  * Governance gap analysis

- Add feature-rich UI implementation plan (docs/FEATURE_RICH_UI_IMPLEMENTATION_PLAN.md)
  * 10-priority roadmap for public-facing UI
  * Gap analysis (strong backend, missing public UI)
  * Effort estimates and success metrics
  * Detailed task breakdowns

## Testing & Validation

 All JavaScript files pass syntax validation
 Zero ESLint warnings (--max-warnings 0)
 Full CSP compliance (inst_008) - no inline styles/scripts/handlers
 XSS prevention implemented
 Production-ready file locations
 Environment-independent (no hardcoded URLs)
 WCAG 2.1 AA accessibility compliance
 Mobile responsive design
 API integration validated

## Framework Activity

- ContextPressureMonitor: Session pressure NORMAL (10.1%)
- CSP violations caught: 4 (all fixed before commit)
- Pre-action checks: Successful enforcement of inst_008
- ESLint issues found: 8 (all auto-fixed)
- Production readiness: APPROVED 

## Time Investment
- Estimated: 6-8 hours
- Actual: ~6.5 hours
- On target: Yes 

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-11 14:47:01 +13:00

230 lines
8.3 KiB
JavaScript
Executable file
Raw Blame History

#!/usr/bin/env node
/**
* Add inst_026 and inst_027 to Governance Rules Database
* These rules emerged from blog implementation validation
*/
const mongoose = require('mongoose');
const GovernanceRule = require('../src/models/GovernanceRule.model');
// Connect to MongoDB
const MONGODB_URI = process.env.MONGODB_URI || 'mongodb://localhost:27017/tractatus_dev';
const rules = [
{
id: 'inst_026',
text: `Client-Side Code Quality Standards (OPERATIONAL)
All client-side JavaScript (public/js/**) must adhere to these quality standards:
1. **Framework Usage**: Use vanilla JavaScript unless framework is explicitly approved
- No React, Vue, Angular without approval
- Prefer native DOM APIs
- Minimize external dependencies
2. **XSS Prevention**: Include HTML escaping for all user-generated content
- Implement escapeHtml() function
- Use textContent instead of innerHTML where possible
- Sanitize all dynamic content before rendering
3. **URL Portability**: Use relative URLs (no hardcoded hosts)
- ✓ Good: "/api/blog", "/blog.html"
- ✗ Bad: "http://localhost:9000/api/blog", "https://agenticgovernance.digital/blog.html"
- Ensures code works in dev, staging, and production
4. **Performance**: Implement debouncing for search inputs
- Minimum 300ms debounce for search/filter inputs
- Prevents excessive API calls and DOM updates
- Use setTimeout/clearTimeout pattern
5. **Event Handling**: Use event delegation for dynamic elements
- Attach listeners to parent containers
- Use event.target.closest() for delegation
- Prevents memory leaks from repeated listener attachment
6. **User Experience**: Include loading, error, and empty states
- Loading: Spinner or skeleton UI
- Error: User-friendly error message with recovery action
- Empty: Helpful message explaining why no data exists
7. **Linting**: Pass ESLint validation with zero warnings
- Run: npx eslint <file> --max-warnings 0
- Fix all auto-fixable issues
- Manually resolve remaining warnings
**Validation**:
- Check for escapeHtml() function
- grep for hardcoded URLs (localhost, production domain)
- Verify debounce implementation on search inputs
- Confirm event delegation usage
- Run ESLint with --max-warnings 0
**Boundary Classification**: TECHNICAL (safe for automation)
These are objective, testable code quality standards with no values component.`,
quadrant: 'OPERATIONAL',
persistence: 'MEDIUM',
scope: 'PROJECT_SPECIFIC',
applicableProjects: ['tractatus'],
category: 'technical',
priority: 70,
temporalScope: 'PROJECT',
source: 'user_instruction',
createdBy: 'claude_code',
active: true,
notes: 'Created after blog implementation validation. Emerged from CSP violations in navbar.js and need for consistent client-side code quality.',
examples: [
'XSS Prevention: function escapeHtml(text) { const div = document.createElement("div"); div.textContent = text; return div.innerHTML; }',
'Debouncing: let timeout; input.addEventListener("input", (e) => { clearTimeout(timeout); timeout = setTimeout(() => filter(e.target.value), 300); });',
'Event Delegation: container.addEventListener("click", (e) => { const btn = e.target.closest(".btn"); if (btn) handleClick(btn); });'
],
relatedRules: ['inst_008', 'inst_027']
},
{
id: 'inst_027',
text: `Production Deployment Checklist (TACTICAL)
Before deploying to production, verify ALL of the following:
**1. Code Cleanliness**
- [ ] No console.log() statements (console.error() allowed for error handling)
- [ ] No console.debug(), console.warn() in production code
- [ ] No TODO, FIXME, DEBUG, HACK, or XXX comments
- [ ] No commented-out code blocks
**2. Environment Independence**
- [ ] No hardcoded localhost URLs
- [ ] No hardcoded production URLs (use relative paths)
- [ ] No hardcoded IP addresses
- [ ] Environment variables used for configuration
**3. Security Validation**
- [ ] CSP compliance (inst_008) validated on all HTML/JS files
- [ ] No inline event handlers (onclick, onload, etc.)
- [ ] No inline styles (use CSS classes)
- [ ] No inline scripts
- [ ] No javascript: URLs
**4. File Organization**
- [ ] All files in production-ready locations (public/, src/)
- [ ] No temporary files (.tmp, .bak, ~)
- [ ] No development-only files
- [ ] .rsyncignore excludes sensitive files
**5. Cache Busting**
- [ ] CSS version parameter updated (?v=TIMESTAMP)
- [ ] JavaScript version parameter updated (?v=TIMESTAMP)
- [ ] Image version parameters if needed
**6. Sensitive Data Protection**
- [ ] .env files NOT included in deployment
- [ ] CLAUDE.md NOT included (verify in .rsyncignore)
- [ ] Session state (.claude/) NOT included
- [ ] No API keys, secrets, or credentials in code
**7. Testing**
- [ ] Manual testing in development environment
- [ ] All API endpoints return expected responses
- [ ] Error states display correctly
- [ ] Loading states work
- [ ] Mobile responsive layout verified
**Validation Commands**:
\`\`\`bash
# Check for console statements
grep -r "console\\.log" public/ || echo "✓ No console.log found"
# Check for development comments
grep -r "TODO\\|FIXME\\|DEBUG" public/ || echo "✓ No dev comments found"
# Check for hardcoded URLs
grep -r "localhost\\|http://\\|https://" public/ | grep -v ".html" || echo "✓ No hardcoded URLs found"
# Verify CSP compliance
node scripts/pre-action-check.js file-edit public/index.html "Deployment validation"
# Verify .rsyncignore coverage
grep "CLAUDE.md" .rsyncignore && grep ".claude/" .rsyncignore && echo "✓ Sensitive files excluded"
\`\`\`
**Deployment Process**:
1. Run all validation commands above
2. Execute: ./scripts/deploy-full-project-SAFE.sh
3. Review dry-run output carefully
4. Confirm deployment
5. SSH to production and verify sensitive files NOT deployed
6. Restart service: sudo systemctl restart tractatus
7. Test production site: https://agenticgovernance.digital
**Boundary Classification**: TECHNICAL (automated checklist)
All checks are objective and can be automated. No values decisions required.`,
quadrant: 'TACTICAL',
persistence: 'HIGH',
scope: 'UNIVERSAL',
applicableProjects: ['*'],
category: 'process',
priority: 85,
temporalScope: 'PERMANENT',
source: 'user_instruction',
createdBy: 'claude_code',
active: true,
notes: 'Created after blog implementation validation. Prevents common deployment errors like console.log statements, hardcoded URLs, and CSP violations from reaching production.',
examples: [
'Pre-deployment validation: grep -r "console.log" public/ && echo "FAIL: console.log found" && exit 1',
'CSP validation: node scripts/pre-action-check.js file-edit public/blog.html "Deployment check"',
'Sensitive file check: ssh production "ls /var/www/tractatus/CLAUDE.md 2>/dev/null && echo FAIL || echo OK"'
],
relatedRules: ['inst_008', 'inst_026']
}
];
async function addRules() {
try {
console.log('Connecting to MongoDB:', MONGODB_URI);
await mongoose.connect(MONGODB_URI);
console.log('✓ Connected to MongoDB\n');
for (const rule of rules) {
console.log(`Adding ${rule.id}...`);
// Check if rule already exists
const existing = await GovernanceRule.findOne({ id: rule.id });
if (existing) {
console.log(` ⚠ Rule ${rule.id} already exists. Updating...`);
await GovernanceRule.updateOne({ id: rule.id }, rule);
console.log(` ✓ Updated ${rule.id}`);
} else {
await GovernanceRule.create(rule);
console.log(` ✓ Created ${rule.id}`);
}
console.log(` Quadrant: ${rule.quadrant}`);
console.log(` Persistence: ${rule.persistence}`);
console.log(` Scope: ${rule.scope}`);
console.log(` Priority: ${rule.priority}`);
console.log('');
}
console.log('✓ All rules added successfully!\n');
// Show summary
const allRules = await GovernanceRule.find({ active: true }).sort({ id: 1 });
console.log(`Total active rules: ${allRules.length}`);
console.log('Rule IDs:', allRules.map(r => r.id).join(', '));
await mongoose.disconnect();
console.log('\n✓ Disconnected from MongoDB');
process.exit(0);
} catch (error) {
console.error('Error adding rules:', error);
await mongoose.disconnect();
process.exit(1);
}
}
addRules();
Reference in a new issue View git blame Copy permalink