diff --git a/.github/workflows/lighthouse.yml b/.github/workflows/lighthouse.yml index 24fbb6eb..d3f00660 100644 --- a/.github/workflows/lighthouse.yml +++ b/.github/workflows/lighthouse.yml @@ -13,10 +13,22 @@ on: jobs: lighthouse: runs-on: ubuntu-latest - timeout-minutes: 10 + timeout-minutes: 15 steps: - uses: actions/checkout@v4 + - name: Setup Go + uses: actions/setup-go@v5 + with: + go-version: '1.26' + + - name: Build WASM + run: | + cd wasm && make build + mkdir -p ../website/public/wasm + cp playground/gosqlx.wasm ../website/public/wasm/ + cp playground/wasm_exec.js ../website/public/wasm/ + - name: Setup Node uses: actions/setup-node@v4 with: diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 35d4384b..0ba49bac 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -168,9 +168,11 @@ jobs: # to handle golang.org/x packages which report as compound license allow-licenses: >- MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, - BlueOak-1.0.0, OFL-1.1, CC-BY-4.0, MPL-2.0, + BlueOak-1.0.0, OFL-1.1, CC-BY-4.0, MPL-2.0, 0BSD, LicenseRef-scancode-google-patent-license-golang, - BSD-3-Clause AND LicenseRef-scancode-google-patent-license-golang + BSD-3-Clause AND LicenseRef-scancode-google-patent-license-golang, + LicenseRef-bad-fsl-1.1-mit, + 0BSD AND ISC AND MIT govulncheck: name: Go Vulnerability Check diff --git a/CHANGELOG.md b/CHANGELOG.md index 0e17a4e8..6969db3e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,7 +5,7 @@ All notable changes to GoSQLX will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## [1.12.1] - 2026-03-15 - Website Performance & Mobile Optimization +## [1.12.1] - 2026-03-15 — Website Performance & Mobile Optimization ### Improved - Lighthouse Desktop: 100 Performance, 100 Accessibility, 100 SEO @@ -508,7 +508,7 @@ if tok.Type == models.TokenTypeSelect { ... } **Who is affected:** Only users who directly access `token.Token` fields or use string-based token constants from `pkg/sql/token`. Users of the high-level `gosqlx.Parse()` / `gosqlx.Validate()` API are **not affected**. -See [docs/MIGRATION.md](docs/MIGRATION.md) for detailed migration instructions. +See [Migration Guide](https://github.com/ajitpratap0/GoSQLX/blob/main/docs/MIGRATION.md) for detailed migration instructions. --- diff --git a/docs/audits/2026-03-17-website-audit/SUMMARY.md b/docs/audits/2026-03-17-website-audit/SUMMARY.md new file mode 100644 index 00000000..24da05bc --- /dev/null +++ b/docs/audits/2026-03-17-website-audit/SUMMARY.md @@ -0,0 +1,51 @@ +# GoSQLX Website Audit Summary — 2026-03-17 + +## Overall Health + +| Category | Top Finding | Status | +|----------|-------------|--------| +| Performance | JS 627KB home / 985KB playground; WASM no preload | 🟡 | +| SEO | No canonical tags; broken sitemap discovery; no JSON-LD | 🔴 | +| Accessibility | No skip link; contrast failures; code blocks not keyboard accessible | 🟡 | +| Security | Missing HSTS + Permissions-Policy; unsafe-eval in CSP | 🟡 | +| Visual/Responsive | Homepage sections invisible below hero; overflow at 320px | 🔴 | +| Functional | Wrong GitHub owner links; 404 returns 200; broken .md doc links | 🔴 | +| Content | 1.28 MB unused assets; missing blog post for latest release | 🟡 | + +## Fixes Applied in This PR + +| # | Fix | File Changed | Impact | +|---|-----|--------------|--------| +| 1 | Fixed robots.txt sitemap URL | website/public/robots.txt | SEO: sitemap now discoverable | +| 2 | Deleted 1.28 MB unused assets | website/public/images/ | Perf: reduced repo size | +| 3 | Fixed GitHub owner links (ajitpsingh → ajitpratap0) | website/src/components/layout/Footer.tsx, Navbar.tsx | Functional: correct repo links site-wide | +| 4 | Added HSTS + Permissions-Policy security headers | website/next.config.ts | Security | +| 5 | Removed unsafe-eval from CSP; added frame-ancestors/base-uri/form-action | website/next.config.ts | Security | +| 6 | Added canonical to layout (homepage) | website/src/app/layout.tsx | SEO | +| 7 | Added JSON-LD SoftwareApplication structured data | website/src/app/layout.tsx | SEO | +| 8 | Added canonical + og:url to docs pages | website/src/app/docs/[...slug]/page.tsx | SEO | +| 9 | Added canonical + og:url + og:type to blog pages | website/src/app/blog/[slug]/page.tsx | SEO | +| 10 | Added skip-to-main-content link | website/src/app/layout.tsx | A11y | +| 11 | Wrapped page content in `
` | website/src/app/layout.tsx | A11y | +| 12 | Removed broken Vercel Analytics component | website/src/app/layout.tsx | Perf: eliminates 2 console errors per page | + +## GitHub Issues Created for Complex Fixes + +- #396 — fix(website): homepage sections invisible below hero (IntersectionObserver) +- #397 — fix(website): 404 page returns HTTP 200 status +- #398 — fix(website): broken .md links in docs content files +- #399 — a11y(website): fix color contrast violations +- #400 — a11y(website): make code blocks keyboard accessible (tabindex=0) +- #401 — fix(website): horizontal overflow at 320px viewport +- #402 — perf(website): add rel=preload for gosqlx.wasm +- #403 — perf(website): version WASM service worker cache key +- #404 — seo(website): add JSON-LD Article to blog, BreadcrumbList to docs +- #405 — content(website): add blog post for latest release + +## Audit Reports +- [Performance](performance.md) +- [SEO](seo.md) +- [Accessibility](accessibility.md) +- [Security](security.md) +- [Functional](functional.md) +- [Content](content.md) diff --git a/docs/audits/2026-03-17-website-audit/accessibility.md b/docs/audits/2026-03-17-website-audit/accessibility.md new file mode 100644 index 00000000..831cdfbd --- /dev/null +++ b/docs/audits/2026-03-17-website-audit/accessibility.md @@ -0,0 +1,189 @@ +# Accessibility Audit — 2026-03-17 + +**Tool**: axe-core 4.10.0 (WCAG 2A, 2AA, 2.1AA, best-practice ruleset) +**Pages audited**: https://gosqlx.dev (homepage), https://gosqlx.dev/docs/getting-started +**Auditor**: Claude Code automated audit + +--- + +## axe-core Violations Summary + +| Page | Critical | Serious | Moderate | Minor | Passes | Incomplete | +|------|----------|---------|----------|-------|--------|------------| +| Homepage (`/`) | 0 | 1 | 0 | 1 | 38 | 1 | +| `/docs/getting-started` | 0 | 2 | 1 | 1 | 40 | 0 | + +**Total unique violations across both pages: 4 distinct rules triggered** + +--- + +## Detailed Violations + +### Homepage Violations + +#### serious: scrollable-region-focusable +- **Description**: Ensure elements that have scrollable content are accessible by keyboard +- **WCAG Criterion**: WCAG 2.1 SC 2.1.1 (Keyboard, Level A) +- **Nodes affected**: 1 +- **Example HTML**: `
`
+- **Fix**: Add `tabindex="0"` to each `
` block that has `overflow-x-auto` or `overflow-y-auto` so keyboard users can scroll into the region. For the hero code block and AST output panel specifically.
+
+#### minor: image-redundant-alt
+- **Description**: Ensure image alternative text is not repeated as adjacent visible text
+- **WCAG Criterion**: Best practice (not a hard WCAG fail, but degrades screen-reader UX)
+- **Nodes affected**: 2 (both logo images — header and footer)
+- **Example HTML**: `GoSQLX` inside `` that also contains `GoSQLX`
+- **Fix**: Set `alt=""` on the logo `` when the adjacent `GoSQLX` text is already present, making the image purely decorative. The link itself is adequately labelled by the text node.
+
+---
+
+### /docs/getting-started Violations
+
+#### serious: color-contrast
+- **Description**: Ensure the contrast between foreground and background colors meets WCAG 2 AA minimum contrast ratio thresholds (4.5:1 for normal text, 3:1 for large text)
+- **WCAG Criterion**: WCAG 2.1 SC 1.4.3 (Contrast Minimum, Level AA)
+- **Nodes affected**: 19
+- **Example HTML**:
+  - `Docs` — nav links at ~65% lightness on dark background
+  - `Getting Started` — breadcrumb text
+- **Fix**: Nav link color `lab(65.6464 ...)` (~`#9ca3af` / zinc-400) on the dark `#18181b` background gives approximately 3.5:1 — below 4.5:1 required for 14px normal text. Increase to `text-zinc-300` (`#d4d4d8`) or lighter to achieve ≥4.5:1. Breadcrumb spans and sidebar section labels have the same issue.
+
+#### serious: scrollable-region-focusable
+- **Description**: Same as homepage — `
` code blocks with overflow are not keyboard-reachable
+- **WCAG Criterion**: WCAG 2.1 SC 2.1.1 (Keyboard, Level A)
+- **Nodes affected**: 13 (all code blocks on the getting-started page)
+- **Example HTML**:
+  - `
go install ...
` + - `
` (inline code blocks throughout)
+- **Fix**: Same as homepage — add `tabindex="0"` to all `
` elements that may overflow. Consider a shared `CodeBlock` component that applies this automatically.
+
+#### moderate: landmark-unique
+- **Description**: Ensure landmarks are unique — two `