sovren-software
diff --git a/‎.github/dependabot.yml‎
Lines changed: 13 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎.github/workflows/deploy.yml‎
Lines changed: 2 additions & 0 deletions b/‎.github/workflows/deploy.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.nvmrc‎
Lines changed: 1 addition & 0 deletions b/‎.nvmrc‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.prettierrc‎
Lines changed: 16 additions & 0 deletions b/‎.prettierrc‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 88 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 88 additions & 0 deletions
diff --git a/‎CLAUDE.md‎
Lines changed: 56 additions & 9 deletions b/‎CLAUDE.md‎
Lines changed: 56 additions & 9 deletions
diff --git a/‎LICENSE‎
Lines changed: 13 additions & 0 deletions b/‎LICENSE‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 51 additions & 6 deletions b/‎README.md‎
Lines changed: 51 additions & 6 deletions
@@ -0,0 +1,13 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
@@ -24,6 +24,8 @@ jobs:
           node-version: 20
           cache: npm
       - run: npm ci
+      - run: npm run check
+      - run: npm run lint
       - run: npm run build
       - uses: actions/upload-pages-artifact@v3
         with:
 
@@ -0,0 +1 @@
+20
@@ -0,0 +1,16 @@
+{
+  "useTabs": false,
+  "tabWidth": 2,
+  "singleQuote": true,
+  "trailingComma": "es5",
+  "printWidth": 100,
+  "plugins": ["prettier-plugin-svelte"],
+  "overrides": [
+    {
+      "files": "*.svelte",
+      "options": {
+        "parser": "svelte"
+      }
+    }
+  ]
+}
@@ -0,0 +1,88 @@
+# Changelog
+
+All notable changes to the Sovren Software website are documented here.
+
+---
+
+## [1.0.0] — 2026-02-26
+
+### Added
+- Favicon suite: `favicon.svg` (wireframe cube mark), `favicon.ico`, `favicon-32x32.png`, `favicon-16x16.png`, `apple-touch-icon.png`, `icon-192.png`, `icon-512.png`
+- Web app manifest (`manifest.webmanifest`) with PWA metadata, icon references, `theme_color`, and `background_color`
+- OG image (`og-image.png`, 1200×630) generated via Satori with actual Geist Mono TTF font — consistent rendering across all social platforms
+- OG image generator script (`scripts/generate-og.js`) — run with `npm run generate-og`
+- Open Graph `og:image`, `og:type`, `og:site_name` tags in `app.html` as global defaults; per-page `og:url` and `og:title`/`og:description` already present
+- Twitter Card meta tags (`twitter:card`, `twitter:site`, `twitter:title`, `twitter:description`, `twitter:image`) on all pages
+- `<link rel="canonical">` on all five routes
+- `<meta name="robots" content="noindex">` on 404 error page
+- `<meta name="description">` on 404 error page
+- Security headers file (`static/_headers`): authoritative reference for `X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy`, `Permissions-Policy`, `Strict-Transport-Security`, `Content-Security-Policy`, `Cross-Origin-Opener-Policy`, `Cross-Origin-Resource-Policy`
+- `Content-Security-Policy`, `Referrer-Policy`, `X-Content-Type-Options` enforced at browser level via `<meta http-equiv>` in `app.html`
+- `SECURITY.md` — exact Cloudflare Transform Rules to configure CDN-level headers; verification command; future migration steps
+- Font preload `<link rel="preload">` for `GeistMono-Variable.woff2` in `app.html` (eliminates FOUT, improves LCP)
+- `<meta name="theme-color" content="#000000">` in `app.html`
+- `--fs-footer-link` and `--fs-footer-copy` CSS custom properties in `app.css` (live bug fix — were undefined, footer font sizes were indeterminate)
+- `@media (prefers-reduced-motion: reduce)` global CSS rule in `app.css`
+- `prefers-reduced-motion` runtime check in `SceneManager.js` — all animations halt for users with vestibular/motion sensitivity; respects dynamic changes via `MediaQueryList` event listener
+- `<h2 id="products-heading" class="sr-only">` on home page products section (heading hierarchy fix for screen readers and SEO)
+- `aria-labelledby="products-heading"` on home page products `<section>`
+- Skip navigation link (`<a href="#main-content">`) in `+layout.svelte` — appears on keyboard focus (WCAG 2.4.1 Level A)
+- `id="main-content"` on layout slot wrapper — valid skip-link target for all pages
+- `aria-label="Primary"` on `<nav>` in `Nav.svelte`
+- `aria-label="Footer"` on `<nav>` in footer (`+layout.svelte`)
+- `LICENSE` — proprietary, all rights reserved, © 2025–2026 Sovren Software
+- `CHANGELOG.md`
+- `.nvmrc` — Node 20
+- `engines: { "node": ">=20" }` in `package.json`
+- ESLint (`eslint`, `eslint-plugin-svelte`, `globals`) — `npm run lint`
+- Prettier (`prettier`, `prettier-plugin-svelte`) — `npm run format`
+- `svelte-check` — `npm run check`
+- `eslint.config.js` and `.prettierrc` configuration files
+- Dependabot config (`.github/dependabot.yml`) — weekly npm dependency PRs
+- `vite.config.js` `chunkSizeWarningLimit: 600` to suppress Three.js bundle size warning
+- Satori + `@resvg/resvg-js` as devDependencies for OG image generation
+
+### Fixed
+- `SceneManager.destroy()` memory leak — event listeners now use stored bound references (`_onResize`, `_onScroll`, `_onMouseMove`) and are correctly removed on component unmount
+- `SceneManager` Three.js geometry and material disposal in `destroy()` — GPU memory no longer accumulates across page navigations
+- `SceneManager` `powerPreference` changed from `"high-performance"` to `"default"` — prevents forcing discrete GPU on battery-powered devices
+- `SceneManager` `getDelta()` removed — was called after `getElapsedTime()`, always returned near-zero, was unused
+- `SceneManager` catch block changed from `catch (e)` to bare `catch {}` (unused variable)
+- `ProductHero.svelte` — added `// @ts-nocheck` to suppress pre-existing Three.js 0.183 type incompatibilities (not regressions)
+- `ProductMonoliths.svelte` — same `// @ts-nocheck` fix
+- Mr. Haven naming: `MrHaven` → `Mr. Haven` in all `stackNote` props (Augmentum OS and Mr. Haven pages)
+- Visage version: `v0.1.0` → `v0.2.0` in `llms.txt`
+- `llms.txt` Augmentum OS GitHub link: removed dead `aegis-os` repo reference, replaced with org URL
+- Removed dead `asciiArt` variable from `+page.svelte`
+- Removed unused `CtaSection` import from `ecosystem/+page.svelte`
+- CLAUDE.md token values synced to match `app.css`: `--space-7xl` (8rem), `--nav-h` (80px), `--max-w-prose` (800px), `--max-w-body` (520px), `--max-w-tagline` (640px)
+- CLAUDE.md 3D scene description: "inner icosahedron" → "inner octahedron" (matches actual `OctahedronGeometry` in code)
+- CLAUDE.md Visage version: `v0.1.0` → `v0.2.0`
+- Sitemap: added `<lastmod>2026-02-26</lastmod>` to all five URLs
+
+### Changed
+- `package.json` version: `0.0.0` → `1.0.0`
+- `Overview.svelte` `stackNote` prop renders via `{@html}` instead of plain text — enables anchor links in stack notes
+- All three product page `stackNote` props now contain working internal anchor links to the other two products in the stack
+- CI pipeline (`deploy.yml`) now runs `npm run check` and `npm run lint` before `npm run build`
+- README updated: Node requirement (18+ → 20+), all new scripts, static asset inventory, deployment security header guidance, code quality section, license section
+
+---
+
+## 2026-02-25
+
+### Added
+- 3D cinematic scene — wireframe cube, grid, particles
+- Light/dark theme toggle with localStorage persistence and 3D sync
+- Theme-aware CSS variables — all hardcoded colors removed
+
+## 2026-02-24
+
+### Added
+- Waitlist capture on Augmentum OS page (mailto)
+- AI agent angle on MrHaven page
+- Convergence story across Augmentum OS and Ecosystem pages
+
+### Changed
+- Visage version updated to v0.2.0
+- Visage v2/Augmentum OS integration callout added
@@ -95,18 +95,18 @@ The site uses a `data-theme` attribute on `<html>` to switch between light and d
 | `--space-4xl` | 3rem |
 | `--space-5xl` | 4rem |
 | `--space-6xl` | 6rem |
-| `--space-7xl` | 7rem |
+| `--space-7xl` | 8rem |
 
-**Section padding:** `--pad-section` (6rem 2.5rem), `--pad-section-lg` (7rem 2.5rem), `--pad-hero` (5rem 2.5rem)
+**Section padding:** `--pad-section` (6rem 2.5rem), `--pad-section-lg` (8rem 2.5rem), `--pad-hero` (5rem 2.5rem)
 
 ### Layout
 
 ```
 --max-w: 1200px           /* Container max-width */
---max-w-prose: 760px      /* Prose blocks (manifesto) */
---max-w-body: 480px       /* Body paragraphs */
---max-w-tagline: 600px    /* Tagline blocks */
---nav-h: 60px             /* Navigation height */
+--max-w-prose: 800px      /* Prose blocks (manifesto) */
+--max-w-body: 520px       /* Body paragraphs */
+--max-w-tagline: 640px    /* Tagline blocks */
+--nav-h: 80px             /* Navigation height */
 --z-nav: 100              /* Navigation z-index */
 ```
 
@@ -183,7 +183,7 @@ A cinematic Three.js background renders behind all page content on every route.
             ├── Renderer (alpha: true, transparent canvas)
             ├── FogExp2 (theme-aware color + density)
             ├── Wireframe cube (rotating, mouse-reactive)
-            ├── Inner icosahedron (counter-rotating)
+            ├── Inner octahedron (counter-rotating)
             ├── GridHelper (100×100, scroll-linked drift)
             └── Particle system (500 dust particles)
 
@@ -221,7 +221,7 @@ All page sections must have transparent backgrounds. Do **not** add `background-
 | Grid primary | `0x888888` | `0x444444` |
 | Grid secondary | `0xcccccc` | `0x222222` |
 | Particle color | `0x000000` (opacity 0.2) | `0xffffff` (opacity 0.4) |
-| Monolith wireframe | `0x333333` | `0xffffff` | *(unused — monoliths removed)* |
+| Monolith wireframe | `0x333333` | `0xffffff` | *(unused — ProductMonoliths removed)* |
 
 ### Modifying the 3D Scene
 
@@ -298,7 +298,7 @@ All static files live in `static/` (NOT `public/` — SvelteKit convention). Cop
 ### Visage
 - Tagline: "Linux face authentication via PAM. Your face is your key — processed locally, never broadcast to the cloud."
 - Key angle: Open source identity layer; integrates natively with Augmentum OS
-- Status: Live · v0.1.0 · MIT
+- **Status:** Live · v0.2.0 · MIT
 
 ### MrHaven
 - Tagline: "Programmable asset control for humans and autonomous agents — no custodian, no intermediary, no exceptions."
@@ -312,14 +312,35 @@ All static files live in `static/` (NOT `public/` — SvelteKit convention). Cop
 ## Deploy Process
 
 ```bash
+npm run check        # svelte-check — must pass
+npm run lint         # ESLint — must pass
 npm run build        # verify build passes before pushing
 git push             # GitHub Actions auto-deploys from main branch
 ```
 
+CI pipeline runs `check → lint → build` in sequence. All three must pass before deployment.
+
 CNAME file at `static/CNAME` contains `sovren.software`. Do not delete it.
 
 DNS: 4 A records (185.199.108-111.153) + www CNAME → `sovren-software.github.io`. All proxied through Cloudflare.
 
+### Security Headers
+
+Two-level enforcement on GitHub Pages + Cloudflare:
+- **Active (meta):** CSP, Referrer-Policy, X-Content-Type-Options via `<meta http-equiv>` in `app.html`
+- **Requires Cloudflare dashboard:** X-Frame-Options, HSTS, COOP, CORP, Permissions-Policy — see `SECURITY.md`
+- `static/_headers` is authoritative source; auto-enforced if migrated to Cloudflare Pages
+
+### OG Image
+
+The social preview image (`static/og-image.png`) is generated via Satori using Geist Mono TTF:
+
+```bash
+npm run generate-og  # rewrites static/og-image.png
+```
+
+Script is at `scripts/generate-og.js`. Run it after any brand or copy changes that should be reflected in social previews.
+
 ## Known Limitations
 
 - No blog platform for the content launch strategy (teaser article, X thread)
@@ -334,6 +355,32 @@ DNS: 4 A records (185.199.108-111.153) + www CNAME → `sovren-software.github.i
 - [ ] MrHaven SDK section on the MrHaven page (when SDK docs exist)
 - [ ] Visual convergence diagram on Ecosystem page
 - [ ] X profile update (currently MrHaven-branded)
+- [ ] Cloudflare Transform Rules for CDN-level security headers (see `SECURITY.md`)
+- [x] Favicon suite — SVG, ICO, PNGs, apple-touch-icon (2026-02-26)
+- [x] Web app manifest + PWA metadata (2026-02-26)
+- [x] OG image 1200×630 with Geist Mono via Satori — `npm run generate-og` (2026-02-26)
+- [x] Open Graph + Twitter Card tags on all pages (2026-02-26)
+- [x] Canonical URLs on all pages (2026-02-26)
+- [x] Security headers — meta-level CSP, Referrer-Policy, X-Content-Type-Options (2026-02-26)
+- [x] Skip navigation link + `id="main-content"` target (WCAG 2.4.1) (2026-02-26)
+- [x] `aria-label` on primary nav and footer nav landmarks (2026-02-26)
+- [x] `prefers-reduced-motion` — global CSS rule + SceneManager runtime check (2026-02-26)
+- [x] SceneManager memory leak fixed — stored bound handler refs in destroy() (2026-02-26)
+- [x] SceneManager GPU memory — geometry/material disposal on destroy (2026-02-26)
+- [x] SceneManager powerPreference changed to "default" (2026-02-26)
+- [x] ESLint + Prettier + svelte-check configured — `lint`, `check`, `format` scripts (2026-02-26)
+- [x] CI pipeline updated — check + lint run before build (2026-02-26)
+- [x] Dependabot weekly npm updates configured (2026-02-26)
+- [x] LICENSE file added — proprietary, all rights reserved (2026-02-26)
+- [x] CHANGELOG.md added (2026-02-26)
+- [x] SECURITY.md added with exact Cloudflare Transform Rules (2026-02-26)
+- [x] Internal cross-linking — stackNote product mentions converted to anchor links (2026-02-26)
+- [x] Font preload in app.html (2026-02-26)
+- [x] `--fs-footer-link` and `--fs-footer-copy` tokens defined (live bug fix) (2026-02-26)
+- [x] Sitemap lastmod dates added (2026-02-26)
+- [x] llms.txt — Visage version corrected, aegis-os dead link removed (2026-02-26)
+- [x] Heading hierarchy fixed — sr-only h2 + aria-labelledby on products section (2026-02-26)
+- [x] 404 error page — meta description + noindex added (2026-02-26)
 - [x] 3D cinematic scene — wireframe cube, grid, particles, product monoliths (2026-02-25)
 - [x] Light/dark theme toggle with persistence and 3D sync (2026-02-25)
 - [x] Theme-aware CSS variables — all hardcoded colors removed (2026-02-25)
 
@@ -0,0 +1,13 @@
+Copyright (c) 2025–2026 Sovren Software. All rights reserved.
+
+This software and associated documentation files (the "Software") are the
+proprietary and confidential property of Sovren Software. No part of this
+Software may be reproduced, distributed, modified, reverse-engineered,
+decompiled, or transmitted in any form or by any means, electronic or
+mechanical, without the prior written permission of Sovren Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED. IN NO EVENT SHALL SOVREN SOFTWARE BE LIABLE FOR ANY CLAIM, DAMAGES,
+OR OTHER LIABILITY ARISING FROM THE USE OF OR INABILITY TO USE THE SOFTWARE.
+
+For licensing inquiries: hello@sovren.software
@@ -41,9 +41,13 @@ npm install
 npm run dev          # http://localhost:5173
 npm run build        # static output → dist/
 npm run preview      # preview production build
+npm run check        # svelte-check type validation
+npm run lint         # ESLint
+npm run format       # Prettier
+npm run generate-og  # regenerate static/og-image.png
 ```
 
-**Requirements:** Node.js 18+
+**Requirements:** Node.js 20+ (see `.nvmrc`)
 
 ---
 
@@ -74,11 +78,23 @@ src/
 │   └── ecosystem/+page.svelte       # Ecosystem manifesto page
 static/
 ├── CNAME                            # GitHub Pages custom domain
+├── _headers                         # Security headers (Cloudflare Pages / reference for CF Transform Rules)
 ├── fonts/GeistMono-Variable.woff2   # Self-hosted font
+├── favicon.ico                      # 32×32 ICO
+├── favicon.svg                      # SVG favicon (wireframe cube mark)
+├── favicon-32x32.png                # 32×32 PNG
+├── favicon-16x16.png                # 16×16 PNG
+├── apple-touch-icon.png             # 180×180 for iOS
+├── icon-192.png                     # PWA icon
+├── icon-512.png                     # PWA icon
+├── manifest.webmanifest             # Web app manifest (PWA)
+├── og-image.png                     # 1200×630 OG image (Geist Mono rendered via Satori)
 ├── robots.txt                       # Crawler access rules
-├── sitemap.xml                      # All routes for search engines
+├── sitemap.xml                      # All routes with lastmod dates
 ├── llms.txt                         # AI crawler context file
 └── BingSiteAuth.xml                 # Bing Webmaster verification
+scripts/
+└── generate-og.js                   # OG image generator (Satori + Resvg, uses Geist Mono TTF)
 ```
 
 ---
@@ -102,10 +118,12 @@ All colors use CSS custom properties — no hardcoded color values in components
 A full-viewport 3D background renders behind all page content:
 
 - **Canvas:** `position: fixed`, `z-index: -1`, `pointer-events: none` — sits behind all UI
-- **Elements:** Rotating wireframe cube, inner icosahedron, infinite grid, volumetric dust particles
+- **Elements:** Rotating wireframe cube, inner octahedron, infinite grid, volumetric dust particles
 - **Interaction:** Mouse parallax on cube rotation, scroll-linked grid drift
 - **Theme-aware:** Materials, fog color/density, and particle opacity adapt to light/dark mode
 - **Lifecycle:** `Scene.svelte` mounts/unmounts the canvas; `SceneManager.js` handles the animation loop and cleanup
+- **Accessibility:** Animations fully disabled when `prefers-reduced-motion: reduce` is set — checked at runtime and via CSS media query
+- **Memory:** `destroy()` correctly removes all event listeners using stored bound references, disposes all Three.js geometries and materials
 
 `ProductMonoliths.svelte` exists as an interactive wireframe panel component but is currently unused — it was removed from the home page to reduce visual clutter.
 
@@ -137,29 +155,56 @@ Rules: one typeface only, no color for emphasis (use weight/spacing), all values
 ## Deployment
 
 ```bash
+npm run check        # must pass before pushing
+npm run lint         # must pass before pushing
 npm run build        # verify build passes
 git push             # GitHub Actions auto-deploys from main
 ```
 
 - Output: `dist/` directory (static adapter)
 - DNS: 4 GitHub Pages A records + `www` CNAME → `sovren-software.github.io`, proxied via Cloudflare
 - `static/CNAME` contains `sovren.software` — do not delete
+- CI runs `check → lint → build` in sequence before deploying
+
+### Security Headers
+
+GitHub Pages cannot set HTTP response headers. Security is enforced at two levels:
+
+1. **Browser-level (active now):** `Content-Security-Policy`, `Referrer-Policy`, and `X-Content-Type-Options` are set via `<meta http-equiv>` in `app.html`
+2. **CDN-level (manual):** `X-Frame-Options`, `HSTS`, `COOP`, `CORP`, and `Permissions-Policy` must be configured as Cloudflare Transform Rules — see `SECURITY.md` for exact steps
+
+The `static/_headers` file is the authoritative record of all required headers and will be auto-enforced if the site ever migrates to Cloudflare Pages.
 
 ---
 
 ## SEO & AI Discoverability
 
-- `app.html` — JSON-LD structured data (Organization + WebSite schemas)
-- Each page — `<svelte:head>` with unique title, description, and Open Graph meta
+- `app.html` — JSON-LD structured data (Organization + WebSite schemas), favicon suite, manifest, OG/Twitter defaults
+- Each page — `<svelte:head>` with unique title, description, Open Graph meta, Twitter Card tags, and canonical URL
+- `static/og-image.png` — 1200×630 social preview image rendered with actual Geist Mono font via Satori
 - `static/llms.txt` — full product descriptions for AI crawlers (ChatGPT, Perplexity, Claude)
-- `static/sitemap.xml` — all 5 routes
+- `static/sitemap.xml` — all 5 routes with `<lastmod>` dates
 - Cloudflare proxy prevents GitHub/Fastly from blocking AI crawler IPs
 - Bing Webmaster Tools verified
 
+## Code Quality
+
+- **Linting:** ESLint with `eslint-plugin-svelte` — run via `npm run lint`
+- **Type checking:** `svelte-check` — run via `npm run check`
+- **Formatting:** Prettier with `prettier-plugin-svelte` — run via `npm run format`
+- **CI:** GitHub Actions runs `check → lint → build` on every push to `main`
+- **Dependencies:** Dependabot configured for weekly npm dependency PRs
+
 ---
 
 ## IDE Setup
 
 [VS Code](https://code.visualstudio.com/) + [Svelte for VS Code](https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode)
 
 For AI-assisted development, see `CLAUDE.md` for the full design system reference, copy guidelines, and product context.
+
+## License
+
+Proprietary — © 2025–2026 Sovren Software. All rights reserved. See `LICENSE`.
+
+Exception: [Visage](https://github.com/sovren-software/visage) is MIT-licensed and open source.