wip

Author: dansysanalyst

.github/workflows/check_media_types.yml

@@ -0,0 +1,165 @@
+name: Secure Media + Docs Validation
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: validation-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Install dependencies
+        run: |
+          set -euo pipefail
+
+          sudo apt-get update
+
+          sudo apt-get install -y \
+            file \
+            ffmpeg \
+            imagemagick \
+            jq \
+            clamav \
+            clamav-freshclam
+
+      - name: Update ClamAV signatures
+        run: |
+          set -euo pipefail
+
+          sudo systemctl stop clamav-freshclam || true
+
+          # Allow fallback if signature update fails (common on CI)
+          sudo freshclam || true
+
+          echo "ClamAV databases:"
+          ls -lah /var/lib/clamav || true
+
+      - name: Scan for malware
+        run: |
+          set -euo pipefail
+
+          SCAN_TARGETS=()
+          [ -d media ] && SCAN_TARGETS+=(media)
+          [ -d docs ] && SCAN_TARGETS+=(docs)
+
+          if [ ${#SCAN_TARGETS[@]} -eq 0 ]; then
+            echo "Neither media/ nor docs/ exists"
+            exit 1
+          fi
+
+          if ls /var/lib/clamav/*.cvd >/dev/null 2>&1 || \
+             ls /var/lib/clamav/*.cld >/dev/null 2>&1; then
+
+            clamscan -r "${SCAN_TARGETS[@]}" \
+              --infected \
+              --no-summary \
+              --max-filesize=50M \
+              --max-scansize=100M
+          else
+            echo "WARNING: No ClamAV signatures found. Skipping scan."
+          fi
+
+      - name: Validate media files
+        run: |
+          set -euo pipefail
+
+          if [ ! -d media ]; then
+            echo "media/ directory not found"
+            exit 1
+          fi
+
+          find media -type f -print0 | while IFS= read -r -d '' file; do
+            echo "Checking media: $file"
+
+            mime=$(file --mime-type -b "$file")
+
+            case "$mime" in
+              image/jpeg|image/png|image/gif|image/webp)
+                identify "$file" >/dev/null
+                ;;
+
+              video/mp4|video/webm|video/quicktime)
+                ffprobe -v error "$file" >/dev/null
+                ;;
+
+              audio/mpeg|audio/wav|audio/ogg)
+                ffprobe -v error "$file" >/dev/null
+                ;;
+
+              *)
+                echo "ERROR: Unsupported media type"
+                echo "File: $file"
+                echo "MIME: $mime"
+                exit 1
+                ;;
+            esac
+          done
+
+      - name: Validate docs files
+        run: |
+          set -euo pipefail
+
+          if [ ! -d docs ]; then
+            echo "docs/ directory not found"
+            exit 1
+          fi
+
+          find docs -type f -print0 | while IFS= read -r -d '' file; do
+            echo "Checking docs: $file"
+
+            case "$file" in
+              *.md)
+                # 1. Must be valid text file (reject binaries properly)
+                if ! grep -Iq . "$file"; then
+                  echo "ERROR: Non-text or binary markdown detected"
+                  echo "File: $file"
+                  exit 1
+                fi
+
+                # 2. Enforce UTF-8 encoding (prevents UTF-16 issues)
+                encoding=$(file --mime-encoding -b "$file" || true)
+
+                case "$encoding" in
+                  utf-8|us-ascii) ;;
+                  *)
+                    echo "ERROR: Invalid encoding in markdown: $encoding"
+                    echo "File: $file"
+                    exit 1
+                    ;;
+                esac
+                ;;
+
+              *.json)
+                jq -e . "$file" >/dev/null
+                ;;
+
+              *)
+                echo "ERROR: Unsupported file in docs/"
+                echo "File: $file"
+                exit 1
+                ;;
+            esac
+          done
+
+      - name: Reject executable files
+        run: |
+          set -euo pipefail
+
+          mapfile -d '' exec_files < <(find media docs -type f -executable -print0 2>/dev/null || true)
+
+          if [ ${#exec_files[@]} -gt 0 ]; then
+            echo "ERROR: Executable files found"
+            printf '%s\n' "${exec_files[@]}"
+            exit 1
+          fi

.github/workflows/json_check.yml

@@ -0,0 +1,43 @@
+name: JSON Validation
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: json-validation-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  validate-json:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: 🧐 Validate JSON files in docs/
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          echo "🔎 Checking docs/*.json files..."
+
+          shopt -s nullglob
+
+          for file in docs/*.json; do
+            echo "Validating $file"
+            node -e "JSON.parse(require('fs').readFileSync('$file','utf8'))"
+          done
+
+          echo "✅ All JSON files are valid."

.github/workflows/lint_markdown.yml

@@ -0,0 +1,48 @@
+name: Lint Markdown
+
+on:
+  push:
+    branches:
+    - 6x
+    - 7x
+    paths:
+      - "docs/**/*.md"
+  pull_request:
+    branches:
+    - 6x
+    - 7x
+    paths:
+      - "docs/**/*.md"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: markdown-lint-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  markdown-linter:
+    name: Run Markdown Linter
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: 🏗️ Markdown Lint Check
+        run: npm run markdown:lint-check
+
+      - name: 💅 Markdown Format Check
+        run: npm run markdown:format-check

.github/workflows/lychee.yml

@@ -0,0 +1,105 @@
+name: Link Check
+
+on:
+  push:
+    branches:
+      - 6x
+      - 7x
+  pull_request:
+    branches:
+      - 6x
+      - 7x
+
+permissions:
+  contents: read
+
+jobs:
+  links:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Normalize docs
+        run: |
+          set -euo pipefail
+
+          INPUT_DIR="docs"
+          OUTPUT_DIR=".docs-clean"
+          MEDIA_DIR="media"
+          MEDIA_OUT="${OUTPUT_DIR}/media"
+
+          # --- reset output dir -------------------------------------------
+          rm -rf "${OUTPUT_DIR}"
+          mkdir -p "${OUTPUT_DIR}"
+
+          # --- walk docs/, transform .md files into .docs-clean -----------
+          if [ -d "${INPUT_DIR}" ]; then
+            find "${INPUT_DIR}" -type f -name "*.md" -print0 | while IFS= read -r -d '' file; do
+              rel="${file#${INPUT_DIR}/}"
+              out="${OUTPUT_DIR}/${rel}"
+              mkdir -p "$(dirname "${out}")"
+
+              perl -CSD -pe '
+                BEGIN {
+                  sub rewrite_link {
+                    my ($link) = @_;
+                    return $link unless defined $link && length $link;
+
+                    # leave external / mailto links untouched
+                    return $link if $link =~ m{^https?://} || $link =~ m{^mailto:};
+
+                    # sponsor links -> harmless placeholder
+                    #return "#" if $link =~ m{^/sponsors/};
+
+                    my $out = $link;
+
+                    # 1. root-relative path -> relative path
+                    $out =~ s{^/+(.*)$}{../$1};
+
+                    # 2. strip anchors
+                    $out =~ s{^(?!https?://)([^#]*)#.*$}{$1};
+
+                    # 3. .html -> no extension
+                    $out =~ s{^(?!https?://)(.+)\.html$}{$1};
+
+                    # 4. default to .md if no known extension
+                    $out =~ s{^(?!https?://)(.+)(?<!\.(?:md|png|jpg|jpeg|gif|svg|webp|pdf|mp4))$}{$1.md};
+
+                    # 5. collapse stray leading double slashes
+                    $out =~ s{^//+}{/};
+
+                    # 6. legacy media dir -> media/
+                    $out =~ s{_media/}{media/}g;
+
+                    return $out;
+                  }
+                }
+
+                s{\]\(([^)]+)\)}{"](" . rewrite_link($1) . ")"}ge;
+                s{src=(["\x27])([^"\x27]+)\1}{"src=" . $1 . rewrite_link($2) . $1}ge;
+                s{href=(["\x27])([^"\x27]+)\1}{"href=" . $1 . rewrite_link($2) . $1}ge;
+              ' "${file}" > "${out}"
+            done
+          fi
+
+          # --- copy root media/ -> .docs-clean/media -----------------------
+          if [ -d "${MEDIA_DIR}" ]; then
+            mkdir -p "${MEDIA_OUT}"
+            cp -a "${MEDIA_DIR}/." "${MEDIA_OUT}/"
+          fi
+
+          echo "OK: docs + root media -> .docs-clean"
+
+      - name: Run lychee
+        id: lychee
+        uses: lycheeverse/lychee-action@v2
+        with:
+          args: >
+            .docs-clean
+            --exclude '^https?://(www\.)?(twitter\.com|x\.com|instagram\.com|linkedin\.com)'
+            --exclude '/sponsors/'
+          format: markdown
+          output: lychee-report.md
+          fail: true

.gitignore

@@ -0,0 +1,11 @@
+node_modules
+.temp
+.cache
+node_modules
+.temp
+.cache
+.env
+docs/.vitepress/dist
+docs/.vitepress/cache
+.idea
+.DS_Store