Merge pull request #2098 from Hack23/copilot/prepare-qualify-improvements

Implementing quality improvements for next release

Author: pethers

.github/workflows/README.md

@@ -1,6 +1,6 @@
 # ⚙️ `.github/workflows/` — GitHub Actions Catalog
 
-This directory holds **43 workflow files** (21 standard `.yml` + 11 agentic Markdown sources + 11 compiled `.lock.yml` siblings) that power Riksdagsmonitor's CI/CD, security, data pipeline, agentic news generation, and monitoring.
+This directory holds **44 workflow files** (22 standard `.yml` + 11 agentic Markdown sources + 11 compiled `.lock.yml` siblings) that power Riksdagsmonitor's CI/CD, security, data pipeline, agentic news generation, and monitoring.
 
 > **Canonical long-form workflow reference:** [`WORKFLOWS.md`](../../WORKFLOWS.md) at the repository root — version matrices, Mermaid pipeline diagrams, ISMS control mapping, troubleshooting, and KPIs.
 > **Agentic workflow contract (imports, analysis gate, 9/14 artifacts):** [`.github/prompts/README.md`](../prompts/README.md).
@@ -11,10 +11,10 @@ This directory holds **43 workflow files** (21 standard `.yml` + 11 agentic Mark
 
 | File kind | Count | Notes |
 |-----------|------:|-------|
-| Standard GitHub Actions (`*.yml`, not `*.lock.yml`) | **21** | Run natively on the GitHub Actions runner |
-| Agentic workflow **sources** (`news-*.md`) | **12** | Authored in Markdown with gh-aw frontmatter + prompt imports |
-| Agentic workflow **compiled lock files** (`news-*.lock.yml`) | **12** | Auto-generated by `compile-agentic-workflows.yml` — these are what actually execute |
-| **Total** | **45** | Verify with `ls .github/workflows/ | wc -l` |
+| Standard GitHub Actions (`*.yml`, not `*.lock.yml`) | **22** | Run natively on the GitHub Actions runner |
+| Agentic workflow **sources** (`news-*.md`) | **11** | Authored in Markdown with gh-aw frontmatter + prompt imports |
+| Agentic workflow **compiled lock files** (`news-*.lock.yml`) | **11** | Auto-generated by `compile-agentic-workflows.yml` — these are what actually execute |
+| **Total** | **44** | Verify with `ls .github/workflows/ | wc -l` (excludes this `README.md`) |
 
 **Only the compiled `.lock.yml` files run.** The `.md` sources are the source of truth and are reviewed in PRs; lock files are regenerated via the `gh aw compile` CLI.
 
@@ -30,13 +30,14 @@ This directory holds **43 workflow files** (21 standard `.yml` + 11 agentic Mark
 | [`setup-labels.yml`](setup-labels.yml) | Manual dispatch | Repository label management (`.github/labeler.yml` source) |
 | [`labeler.yml`](labeler.yml) | Pull requests | Auto-label PRs from `.github/labeler.yml` patterns |
 
-## 🧪 Testing & Validation (7)
+## 🧪 Testing & Validation (8)
 
 | File | Trigger | Purpose |
 |------|---------|---------|
 | [`javascript-testing.yml`](javascript-testing.yml) | Push/PR on TS/JS/HTML/config | TypeScript type-check + Vitest (2 890 tests) + Vite build |
 | [`jsdoc-validation.yml`](jsdoc-validation.yml) | Manual dispatch | TypeDoc generation + coverage report |
 | [`quality-checks.yml`](quality-checks.yml) | Push/PR to `main` | ESLint + HTMLHint + linkinator (parallel jobs) |
+| [`knip.yml`](knip.yml) | Push/PR to `main` | Knip dead-code detector — blocks on unused files / dependencies / binaries / duplicate exports; reports unused exports & types informationally |
 | [`translation-validation.yml`](translation-validation.yml) | Push/PR on HTML | 14-language completeness + RTL + hreflang |
 | [`test-dashboard.yml`](test-dashboard.yml) | Push/PR on dashboards | Cypress E2E for dashboard pages |
 | [`test-homepage.yml`](test-homepage.yml) | Push/PR on homepage | Cypress E2E for the 14 `index*.html` homepages |
@@ -149,7 +150,7 @@ flowchart LR
     C9[Weekly → codeql + scorecards + lighthouse-ci]
   end
   subgraph "🔀 Event"
-    E1[push/PR → quality-checks + javascript-testing + translation-validation + codeql + test-*]
+    E1[push/PR → quality-checks + knip + javascript-testing + translation-validation + codeql + test-*]
     E2[Tag v*.*.* → release]
     E3[push main → deploy-s3]
     E4[PR → dependency-review + labeler]

.github/workflows/javascript-testing.yml

@@ -120,6 +120,17 @@ jobs:
         run: npm ci
 
       - name: Build with Vite
+        # Vite/Rollup loads ~4200+ news/*.html entries (auto-discovered in
+        # vite.config.js → discoverNewsArticles()), and at the
+        # `rendering chunks` phase the default ~4 GB Node heap is no longer
+        # enough — the build OOMs with
+        # `FATAL ERROR: Ineffective mark-compacts near heap limit
+        #  Allocation failed - JavaScript heap out of memory` → exit 134.
+        # GitHub-hosted ubuntu-latest runners ship with 16 GB RAM, so
+        # raising the V8 old-space limit to 8 GB gives the build headroom
+        # (matches deploy-s3.yml).
+        env:
+          NODE_OPTIONS: --max-old-space-size=8192
         run: npm run build
 
       - name: Check build output

.github/workflows/knip.yml

@@ -0,0 +1,83 @@
+name: Knip Dead Code Check
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+permissions:
+  contents: read
+
+jobs:
+  knip:
+    name: Run Knip
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            codeload.github.com:443
+            github.com:443
+            nodejs.org:443
+            objects.githubusercontent.com:443
+            registry.npmjs.org:443
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup Node.js
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: '25'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run Knip (blocking — files, dependencies, duplicates)
+        # Blocks the workflow on actionable findings: unused files, unused/unlisted/
+        # unresolved dependencies, unused binaries, and duplicate exports. Unused
+        # exports/types are intentionally informational only (see next step) — most
+        # are barrel re-exports that form the public API of internal libraries.
+        run: |
+          echo "🔍 Running Knip dead-code detector (blocking subset)..."
+          echo ""
+          if npx knip --no-progress --include files,dependencies,unlisted,binaries,unresolved,duplicates > knip-blocking.txt 2>&1; then
+            echo "✅ No actionable dead-code findings."
+            cat knip-blocking.txt
+          else
+            echo "❌ Knip found actionable issues:"
+            cat knip-blocking.txt
+            echo ""
+            echo "Triage options for each finding:"
+            echo "  a) Used but not detected → update knip.json (entry/ignoreDependencies)."
+            echo "  b) Should be used but isn't → wire it up in the consumer."
+            echo "  c) Truly unused → delete the file/dep/binary."
+            exit 1
+          fi
+
+      - name: Run Knip (informational — exports & types)
+        # Non-blocking: surfaces unused exports/types so reviewers can spot drift
+        # without forcing every barrel re-export to be hand-pruned. Failures here
+        # do NOT fail the workflow.
+        if: always()
+        continue-on-error: true
+        run: |
+          echo "🔎 Running Knip (informational — unused exports / types)..."
+          echo ""
+          npx knip --no-progress --include exports,nsExports,types,nsTypes,enumMembers > knip-informational.txt 2>&1 || true
+          cat knip-informational.txt
+
+      - name: Upload Knip Report
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: knip-report
+          path: |
+            knip-blocking.txt
+            knip-informational.txt
+          retention-days: 30

WORKFLOWS.md

@@ -48,6 +48,7 @@
 [![TypeScript & JavaScript Testing](https://github.com/Hack23/riksdagsmonitor/actions/workflows/javascript-testing.yml/badge.svg)](https://github.com/Hack23/riksdagsmonitor/actions/workflows/javascript-testing.yml)
 [![TypeDoc Validation](https://github.com/Hack23/riksdagsmonitor/actions/workflows/jsdoc-validation.yml/badge.svg)](https://github.com/Hack23/riksdagsmonitor/actions/workflows/jsdoc-validation.yml)
 [![Translation Validation](https://github.com/Hack23/riksdagsmonitor/actions/workflows/translation-validation.yml/badge.svg)](https://github.com/Hack23/riksdagsmonitor/actions/workflows/translation-validation.yml)
+[![Knip Dead Code Check](https://github.com/Hack23/riksdagsmonitor/actions/workflows/knip.yml/badge.svg)](https://github.com/Hack23/riksdagsmonitor/actions/workflows/knip.yml)
 
 ### Documentation & Release
 
@@ -293,11 +294,12 @@ graph TB
 ### Core CI/CD Workflows
 
 1. **✅ Quality Checks** (`.github/workflows/quality-checks.yml`) — ESLint linting, HTML validation, link checking
-2. **🧪 TypeScript & JavaScript Testing** (`.github/workflows/javascript-testing.yml`) — Vitest unit tests, TypeScript type-checking, Cypress E2E
-3. **📖 TypeDoc Validation** (`.github/workflows/jsdoc-validation.yml`) — API documentation generation and coverage
-4. **🌐 Translation Validation** (`.github/workflows/translation-validation.yml`) — 14-language validation with RTL and hreflang
-5. **🚀 Release with Attestations** (`.github/workflows/release.yml`) — SLSA provenance, SBOM, dual deployment
-6. **☁️ Deploy to S3** (`.github/workflows/deploy-s3.yml`) — AWS S3/CloudFront deployment
+2. **🧹 Knip Dead Code Check** (`.github/workflows/knip.yml`) — Detects unused files, dependencies, binaries, and duplicate exports on every PR (informational pass also reports unused exports/types)
+3. **🧪 TypeScript & JavaScript Testing** (`.github/workflows/javascript-testing.yml`) — Vitest unit tests, TypeScript type-checking, Cypress E2E
+4. **📖 TypeDoc Validation** (`.github/workflows/jsdoc-validation.yml`) — API documentation generation and coverage
+5. **🌐 Translation Validation** (`.github/workflows/translation-validation.yml`) — 14-language validation with RTL and hreflang
+6. **🚀 Release with Attestations** (`.github/workflows/release.yml`) — SLSA provenance, SBOM, dual deployment
+7. **☁️ Deploy to S3** (`.github/workflows/deploy-s3.yml`) — AWS S3/CloudFront deployment
 
 ### Security Scanning Workflows
 
@@ -425,6 +427,7 @@ flowchart TB
 | **ESLint** | Zero errors | quality-checks.yml | Required ✅ |
 | **HTMLHint Validation** | Zero errors | quality-checks.yml | Required ✅ |
 | **Link Integrity** | Zero broken internal links | quality-checks.yml | Required ✅ |
+| **Knip Dead Code (files/deps/dups)** | Zero unused files, deps, binaries, or duplicate exports | knip.yml | Required ✅ |
 | **Unit Test Pass Rate** | 100% (2890 tests) | javascript-testing.yml | Required ✅ |
 | **CodeQL SAST** | No critical/high | codeql.yml | Required ✅ |
 | **Dependency Vulnerabilities** | No critical/high | dependency-review.yml | Required ✅ |
@@ -1095,17 +1098,18 @@ flowchart LR
 | 1.4 | 🏷️ Setup Labels | `setup-labels.yml` | Manual dispatch | A.5.37, PR.IP-1 |
 | 1.5 | 🏷️ PR Labeler | `labeler.yml` | Pull requests | A.5.37, PR.IP-1 |
 
-### 🧪 Testing & Validation (7 workflows)
+### 🧪 Testing & Validation (8 workflows)
 
 | # | Workflow | File | Trigger | Coverage |
 | --- | --- | --- | --- | --- |
 | 2.1 | 🧪 TypeScript & JS Testing | `javascript-testing.yml` | Push/PR (TS/JS/HTML) | TSC + Vitest + Cypress |
 | 2.2 | 📖 TypeDoc Validation | `jsdoc-validation.yml` | Manual dispatch | TypeDoc generation + coverage |
 | 2.3 | ✅ Quality Checks | `quality-checks.yml` | Push/PR to main | ESLint + HTMLHint + linkinator |
-| 2.4 | 🌐 Translation Validation | `translation-validation.yml` | Push/PR (HTML) | 14-language + RTL + hreflang |
-| 2.5 | 🖥️ Test Dashboard | `test-dashboard.yml` | Push/PR (src/browser) | Dashboard Cypress E2E |
-| 2.6 | 🏠 Test Homepage | `test-homepage.yml` | Push/PR (src/browser) | Homepage Cypress E2E |
-| 2.7 | 📰 Test News | `test-news.yml` | Push/PR (news) | News pages Cypress E2E |
+| 2.4 | 🧹 Knip Dead Code Check | `knip.yml` | Push/PR to main | Unused files, deps, binaries, duplicate exports (blocking); unused exports/types (informational) |
+| 2.5 | 🌐 Translation Validation | `translation-validation.yml` | Push/PR (HTML) | 14-language + RTL + hreflang |
+| 2.6 | 🖥️ Test Dashboard | `test-dashboard.yml` | Push/PR (src/browser) | Dashboard Cypress E2E |
+| 2.7 | 🏠 Test Homepage | `test-homepage.yml` | Push/PR (src/browser) | Homepage Cypress E2E |
+| 2.8 | 📰 Test News | `test-news.yml` | Push/PR (news) | News pages Cypress E2E |
 
 ### 📊 CIA Data Pipeline (1 workflow)
 

knip.json

@@ -3,9 +3,8 @@
   "entry": [
     "src/browser/**/*.ts",
     "js/*.js",
-    "dashboard/*.js",
     "scripts/*.ts",
-    "scripts/news-types/*.ts",
+    "scripts/audits/**/*.ts",
     "scripts/committees-dashboard/*.ts",
     "scripts/coalition-dashboard/*.ts",
     "tests/**/*.test.ts",
@@ -16,7 +15,6 @@
   "project": [
     "src/browser/**/*.ts",
     "js/**/*.js",
-    "dashboard/**/*.js",
     "scripts/**/*.ts",
     "tests/**/*.ts",
     "tests/**/*.js",
@@ -27,7 +25,10 @@
   ],
   "ignoreDependencies": [
     "htmlhint",
-    "js-yaml"
+    "js-yaml",
+    "mermaid",
+    "chartjs-plugin-annotation",
+    "worldbank-mcp"
   ],
   "ignoreBinaries": [
     "cypress",

package-lock.json

@@ -166,6 +166,7 @@
   "devDependencies": {
     "@eslint/js": "10.0.1",
     "@types/d3": "7.4.3",
+    "@types/hast": "3.0.4",
     "@types/node": "25.6.0",
     "@types/papaparse": "5.5.2",
     "@vitest/coverage-v8": "4.1.5",
@@ -176,22 +177,21 @@
     "chartjs-plugin-annotation": "3.1.0",
     "d3": "7.9.0",
     "eslint": "10.2.1",
+    "github-slugger": "^2.0.0",
     "globals": "17.5.0",
     "gray-matter": "^4.0.3",
     "happy-dom": "20.9.0",
+    "hast-util-to-string": "3.0.1",
     "htmlhint": "1.9.2",
     "js-yaml": "4.1.1",
     "json-schema-to-typescript": "15.0.4",
     "jszip": "3.10.1",
     "knip": "6.9.0",
     "mermaid": "11.14.0",
     "papaparse": "5.5.3",
-    "playwright": "1.59.1",
     "rehype-autolink-headings": "^7.1.0",
     "rehype-raw": "^7.0.0",
     "rehype-sanitize": "^6.0.0",
-    "github-slugger": "^2.0.0",
-    "rehype-slug": "^6.0.0",
     "rehype-stringify": "^10.0.1",
     "remark-gfm": "^4.0.1",
     "remark-parse": "^11.0.0",
@@ -203,6 +203,7 @@
     "typescript": "6.0.3",
     "typescript-eslint": "8.59.1",
     "unified": "^11.0.5",
+    "unist-util-visit": "5.1.0",
     "vite": "8.0.10",
     "vite-plugin-sri-gen": "1.4.1",
     "vitest": "4.1.5",