Release: merge development into beta#45
Conversation
Move all Docusaurus config, src, and static files from docusaurus/ into docs/. Switch to the company-wide reusable documentation workflow. Update editUrl reference accordingly.
Quality Report
Summary
PHP Quality
Vue Quality
Security
License Compliance
composer dependencies (100 total)
npm dependencies (7 total)
PHPUnit Tests
Code coverage: 0% (0 / 24 statements) Integration Tests (Newman)Newman integration tests were not enabled for this run. Generated automatically by the Quality workflow.
|
Quality Report
Summary
PHP Quality
Vue Quality
Security
License Compliance
composer dependencies (100 total)
npm dependencies (7 total)
PHPUnit Tests
Code coverage: 0% (0 / 24 statements) Integration Tests (Newman)Newman integration tests were not enabled for this run. Generated automatically by the Quality workflow.
|
- Add status: implemented frontmatter to 13 specs missing it - Rename '## ADDED Requirements' to '## Requirements' in all specs and archives
All specs moved from openspec/specs/ to openspec/changes/ with proper proposal.md as the entry point. Follows the spec-driven workflow: proposal -> design -> specs -> tasks
All 20 active changes processed: - admin-settings, component-tokens, css-architecture, custom-css-overrides, docs-content, extended-token-sets, hide-slogan, menu-labels, nextcloud-variable-mapping, nl-design, prometheus-metrics, theming-sync-dialog, theming-sync, token-editor-ui, token-import-export, token-set-apply-dialog, token-set-dropdown, token-sets, token-sync-workflow, vng-token-set For each change: - Generated design.md and tasks.md (all tasks marked done) - Updated 7 enriched specs to implemented status - Synced all 20 specs to openspec/specs/ - Archived all 20 changes with date prefix
Adds a features overview document for the NL Design theming app, covering 39+ token sets, token editor UI, CSS architecture, theming sync, import/export, and government design standard compliance (NL Design System, WCAG 2.1 AA).
[Docs] Feature overview with GEMMA/TEC standards
Quality Report
Summary
PHP Quality
Vue Quality
Security
License Compliance
composer dependencies (100 total)
npm dependencies (7 total)
PHPUnit Tests
Code coverage: 0% (0 / 24 statements) Integration Tests (Newman)Newman integration tests were not enabled for this run. Generated automatically by the Quality workflow.
|
Quality Report
Summary
PHP Quality
Vue Quality
Security
License Compliance
composer dependencies (100 total)
npm dependencies (7 total)
PHPUnit Tests
Code coverage: 0% (0 / 24 statements) Integration Tests (Newman)Newman integration tests were not enabled for this run. E2E Tests (Playwright)Playwright E2E tests were not enabled for this run. Generated automatically by the Quality workflow.
|
- Create l10n/en.json with 58 identity-mapped keys - Create l10n/nl.json with 58 Dutch translations - Keys collected from js/admin.js and templates/settings/admin.php
Update all translation keys to use sentence case (only first letter capitalized) instead of title case. Keys changed: - "Add Groups" → "Add groups" - "Active Collections" → "Active collections" - "API Key" → "API key" - And 400+ similar keys across all apps Sentence case for keys improves consistency and readability while preserving proper English grammar in translated values. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…asset only) (#58) The central Quality workflow (ConductionNL/.github#34) now publishes SBOMs exclusively as release assets — see SECURITY.md "Software Bill of Materials". This PR cleans up the per-app remnants: - delete .github/workflows/sbom.yml (the central job replaces it) - delete the checked-in sbom.cdx.json (release asset is the source of truth) - gitignore SBOM files so future generations don't accidentally land in repo Stable URL for clients: https://github.com/ConductionNL/nldesign/releases/latest/download/sbom.cdx.json Co-authored-by: SBOM Cleanup <ops@conduction.nl>
Quality Report — ConductionNL/nldesign @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ✅ | ||||
| stylelint | ✅ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 7/7 | |||
| PHPUnit | ✅ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Coverage: 0% (0/24 statements)
Quality workflow — 2026-05-01 11:51 UTC
Download the full PDF report from the workflow artifacts.
…nduction.nl Mirrors the openregister docs migration (ConductionNL/openregister#1444) and the mydash one before it. The docs site now inherits brand defaults (tokens, Navbar/Footer swizzles, KvK/BTW copyright, hex-watermark hero) and gets a brand-aligned landing page composed from <DetailHero> + <WidgetShelf>. - docs/docusaurus.config.js — rewritten to call createConfig() from @conduction/docusaurus-preset. Keeps nldesign-specific bits: NL+EN i18n, mermaid theme, custom prism themes, Documentation+GitHub navbar items. Footer reduced to the brand "Conduction" column via baseFooterLinks().filter(...). minigames: false to drop the canal-footer mini-games on this product-doc surface. - docs/package.json + docs/package-lock.json — adds @conduction/docusaurus-preset@^1.4.3. - docs/src/pages/index.js — replaces the homepage with <DetailHero> (design-palette icon, orange accent, Install/Docs/GitHub CTAs) + a 3-card <WidgetShelf> (type scale, colour palette, component variants). Authored as .js not .mdx to avoid the docs-plugin/pages-plugin scan collision. - docs/static/CNAME — nldesign.app -> nldesign.conduction.nl. - .github/workflows/documentation.yml — cname: updated to nldesign.conduction.nl. Production docs URL moves from https://nldesign.app to https://nldesign.conduction.nl.
feat(docs): adopt @conduction/docusaurus-preset + move to nldesign.conduction.nl
Quality Report — ConductionNL/nldesign @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ✅ | ||||
| stylelint | ✅ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 7/7 | |||
| PHPUnit | ✅ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Coverage: 0% (0/24 statements)
Quality workflow — 2026-05-07 20:51 UTC
Download the full PDF report from the workflow artifacts.
Bumps preset to 1.5.1 (DetailHero background='cobalt' variant + full-bleed clip-path fix). Cobalt panel now extends across the full viewport width matching the brand product-page identity used on https://mydash.conduction.nl/.
feat(docs): cobalt hero on landing (preset 1.5.1)
Quality Report — ConductionNL/nldesign @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ✅ | ||||
| stylelint | ✅ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 7/7 | |||
| PHPUnit | ✅ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Coverage: 0% (0/24 statements)
Quality workflow — 2026-05-07 21:25 UTC
Download the full PDF report from the workflow artifacts.
Quality Report — ConductionNL/nldesign @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ✅ | ||||
| stylelint | ✅ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 7/7 | |||
| PHPUnit | ❌ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Coverage: 0% (0/24 statements)
Quality workflow — 2026-05-12 22:09 UTC
Download the full PDF report from the workflow artifacts.
… deploy from development (#68)
Quality Report — ConductionNL/nldesign @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ✅ | ||||
| stylelint | ✅ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 7/7 | |||
| PHPUnit | ✅ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Coverage: 0% (0/24 statements)
Quality workflow — 2026-05-12 22:29 UTC
Download the full PDF report from the workflow artifacts.
Quality Report — ConductionNL/nldesign @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ❌ | ||||
| phpcs | ❌ | ||||
| phpmd | ❌ | ||||
| psalm | ❌ | ||||
| phpstan | ❌ | ||||
| phpmetrics | ❌ | ||||
| eslint | ✅ | ||||
| stylelint | ✅ | ||||
| composer | ❌ | ❌ | |||
| npm | ✅ | ✅ 7/7 | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-05-25 19:32 UTC
Download the full PDF report from the workflow artifacts.
Quality Report — ConductionNL/nldesign @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ✅ | ||||
| stylelint | ✅ | ||||
| composer | ❌ | ✅ 100/100 | |||
| npm | ✅ | ✅ 7/7 | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-05-25 23:50 UTC
Download the full PDF report from the workflow artifacts.
…rsions (composer audit) (#110)
Quality Report — ConductionNL/nldesign @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ✅ | ||||
| stylelint | ✅ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 7/7 | |||
| PHPUnit | ✅ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Coverage: 0% (0/24 statements)
Quality workflow — 2026-05-26 04:32 UTC
Download the full PDF report from the workflow artifacts.
…omplete-translations
…lations chore(openspec): add spec coverage report
Quality Report — ConductionNL/nldesign @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ✅ | ||||
| stylelint | ✅ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 7/7 | |||
| PHPUnit | ✅ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Coverage: 0% (0/24 statements)
Quality workflow — 2026-05-26 05:04 UTC
Download the full PDF report from the workflow artifacts.
- Add Playwright test suite covering all testable UI scenarios across 5 specs: admin-settings, token-editor-ui, token-import-export, theming-sync-dialog, and token-set-apply-dialog (32 tests, all pass) - Annotate 13 whole-spec @e2e exclude markers for pure backend/CSS/docs specs (component-tokens, css-architecture, custom-css-overrides, docs-content, extended-token-sets, hide-slogan, menu-labels, nextcloud-variable-mapping, nl-design, prometheus-metrics, theming-sync, token-set-dropdown, token-sets, token-sync-workflow, vng-token-set) - Annotate per-scenario @e2e exclude markers for untestable scenarios in the 5 UI-surface specs (non-admin session, API internals, file mutations) - Fix TokenSetPreviewService wrong CSS paths (css/defaults.css → css/systems/nldesign/defaults.css, css/overrides.css → css/systems/nldesign/overrides.css) — caused tokenset-preview endpoint to always return resolved:[] making the apply dialog never appear - Fix missing .nldesign-dialog-overlay CSS (position: fixed, inset: 0, z-index: 10000) and .nldesign-dialog-actions sticky positioning so the Cancel button is reachable in the viewport during tests - Gate-19 result: 0 uncovered, 31 covered, 408 excluded (439 total)
test: Gate-19 e2e spec-coverage — 0 uncovered (32 tests pass)
…CS/PHPMD/Psalm/Stylelint Gate-1 (SPDX): add SPDX-License-Identifier + SPDX-FileCopyrightText inside docblock for all 18 PHP files in lib/; fix @license tag to include URL. Gate-5 (route-auth): replace @AuthorizedAdminSetting docblock annotations with PHP8 #[AuthorizedAdminSetting(Admin::class)] attributes on all 11 SettingsController and 4 OverridesController public methods. Gate-14 (route-reachability): consolidate overrides routing — removed duplicate getOverrides/setOverrides from SettingsController, changed routes.php to point overrides#getOverrides and overrides#setOverrides to OverridesController (which is the canonical implementation). Frontend calls /settings/overrides unchanged. PHPCS: fix named-parameters sniff (parent::__construct, private method calls), inline ternary in HealthController, alignment issues (phpcbf auto-fixed). PHPMD: fix ElseExpression in HealthController, add @SuppressWarnings(StaticAccess) for OCP\Server::get() and rename $customOverridesService → $overridesSvc in MetricsController. Refactor TokenRegistry::getTokens() (137 lines → 8 lines) by delegating to 4 private per-tab helpers, eliminating ExcessiveMethodLength. Psalm: suppress OCA\Theming\{ImageManager,ThemingDefaults} UndefinedClass in psalm.xml — these are NC peer-app classes always loaded at runtime. Also suppress OCA\NLDesign\Settings\Admin (PHP8 attribute argument, resolved at runtime). Stylelint: merge duplicate .nldesign-dialog-actions selectors in css/admin.css (lines 181+193 merged into single definition).
…lint fix: bring CI green - SPDX auth attributes routes PHPCS PHPMD Psalm Stylelint
… specs Adds spec-coverage stubs for the 15 openspec specs that had no corresponding e2e test file. Each file documents per-scenario @e2e exclude annotations (backend/CSS/API/CI scenarios) and includes a UI smoke test where a testable DOM surface exists on the admin theming page. Gate-19 result: 0 uncovered, 14 real UI tests, 425 legitimately excluded across all 20 specs.
…ADR decisions (#132) Closes #116 — removed `* { font-family: ... !important }` universal selector (and the duplicate `body *, #app * ...` block) from theme.css and the large universal list in element-overrides.css. Font is now applied via body + key containers without !important; form elements targeted explicitly. This prevents clobbering icon fonts, monospace code editors, and consumer-app components that declare their own font-family. ADR-CSS-001 documented in css-architecture spec. Closes #117 (partial) — removed the most egregious !important usages on generic font declarations. Remaining !important declarations are the essential/structural category (NC variable remappings, accessibility focus rules). ADR-CSS-002 documents the policy: !important only for essential structural overrides and accessibility rules. Full sweep of remaining ~250 declarations deferred to a follow-up PR to avoid risky bulk changes. Closes #127 — audited all 33 --nldesign-component-* tokens defined in defaults.css but not consumed by any stylesheet; marked each with /* reserved */ comment and added a file-level explanation. Prevents silent pruning and documents that these tokens must not be removed. Closes #128 — added "HOW FALLBACKS WORK" documentation block to utrecht-bridge.css explaining that incomplete token sets silently fall back to Utrecht/Rijkshuisstijl defaults, and how to debug using DevTools. Closes #131 — added explicit ADR comment to --nldesign-color-focus explaining the deliberate rgba exception to the solid-colours brand rule (WCAG 2.4.7/2.4.11 accessibility rationale). ADR-CSS-003 documented in css-architecture spec.
…d assets (#133) Closes #118 — xxllnc primary/hover were translucent (#000000ad/#80); replaced with solid #000000/#333333 to comply with brand solid-colour rule and guarantee WCAG AA contrast on any background. Closes #119 — typo --nldesign-color-succes (missing 's') left success color undefined in the xxllnc set; corrected to --nldesign-color-success in both the nldesign and xxllnc palette sections. Same fix for alert-succes variants. Closes #120 — docs/static/img/logo.svg still used legacy cobalt #4376FC; replaced with canonical #21468B (Dutch flag blue, retired 2026-05-13). Closes #121 — all three app icon files contained an opacity="0.3" rect violating the solid-colours brand rule; replaced with a proper MDI palette-swatch glyph: fill="#fff" 24×24 for app.svg, no-fill for app-dark.svg, #21468B hexagon + white glyph for app-store.svg. Closes #124 — css/fonts/ was an unreferenced duplicate of css/systems/nldesign/fonts/; deleted all 8 font files (~2 MB of dead weight). Closes #125 — nederland-logo.svg and nederland-map.svg were byte-identical; only nederland-logo.svg is referenced (rijkshuisstijl.css); deleted the duplicate nederland-map.svg and the stale nederland-map-backup.svg.
…ion, preview palette (#134) Closes #122 — SettingsController::setTokenSet was instantiating a new TokenSetService via `new TokenSetService(appManager:)` instead of using the already-injected $this->tokenSetService. Removed the ad-hoc new call and the unused IAppManager constructor parameter. Closes #126 — MetricsController and HealthController carried @NoCSRFRequired but not @publicpage; Prometheus scrapers and uptime monitors received 401. Added #[PublicPage] attribute to both index() methods so automated monitoring can reach these endpoints without admin credentials. Closes #123 — admin.js had a hardcoded 9-entry preview palette, leaving ~31 token sets with a stale preview. Replaced with getPreviewColors() which reads primary_color from the already-parsed tokenSetsData (sourced from token-sets.json via data-token-sets attribute). Removed hardcoded map. Closes #129 — data-token-sets JSON in admin.php was rendered without safe HTML encoding flags; replaced json_encode() with json_encode(..., JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) to prevent attribute truncation if token set names contain special characters. Closes #130 — importOverrides() lacked extension and MIME-type validation; added explicit .css extension check and server-side mime_content_type() validation (accepting text/css, text/plain, application/octet-stream) in validateUploadedFile().
- M1: buildDeclarationLines now rejects values containing {, }, ;, /* or */
via an up-front guard, preventing CSS injection through admin token overrides.
Strip set also extended as belt-and-suspenders.
- L1: Admin::getForm injects TokenSetService via constructor (no more `new`);
Application::injectThemeCSS fetches DesignSystemService and CustomOverridesService
from the server container instead of constructing them manually.
- L2: HealthController::index now uses injected IConfig instead of
\OCP\Server::get(IConfig::class) static service-locator call.
- L3: CustomOverridesService::parseDeclarations delegates to CssParserService
(injected via constructor) — removes the duplicate :root-block parse logic.
…les (M2+L4) (#136) 7 municipality token CSS files had unresolved Style-Dictionary reference tokens (e.g. {dinkelland.color.primary}) that were synced verbatim from upstream but never post-processed — these produce invalid CSS declarations that browsers silently discard. Commenting them out makes the intent explicit and prevents the CSS sanitizer (M1) from rejecting them if read back through the editor. Files fixed: dinkelland, epe, leiden, noaberkracht, noordwijk, tubbergen, xxllnc. Total: 29 placeholder lines commented out across 7 files. L4: noaberkracht.css and token-sets.json both reference legacy #4376fc (retired Conduction cobalt, 2026-05-13). Added TODO comments flagging the need for upstream municipality verification before changing the value.
test(e2e): add Playwright spec-coverage for all 15 remaining openspec specs
Fixes CVE-2026-48808, CVE-2026-48805, CVE-2026-46636, CVE-2026-48806, CVE-2026-48807 — all twig/twig sandbox bypass/regression issues fixed in 3.27.0. Twig was transitive (via edgedesign/phpqa). Added explicit require-dev pin ^3.27.0 to prevent regression on future composer update runs. composer audit now reports clean.
fix(security): bump twig/twig to ^3.27.0 (5 CVEs)
- css/admin.css: add .nldesign-dialog-overlay / .nldesign-dialog / actions classes used by the apply-dialog and theming-sync dialogs (centered modal with sticky action footer, primary/cancel buttons). - lib/Service/TokenSetPreviewService.php: relocate defaults.css / overrides.css to css/systems/nldesign/ to match the design-system directory layout. - appinfo/info.xml: version bump 0.1.3-unstable.6 -> .8 (NC immutable Cache-Control bust).
…omplete-translations # Conflicts: # css/admin.css
…lations feat: dialog-overlay CSS + token path refactor
…lly (#139) C1: Replace external HTTP URL references in 4 municipality token-set CSS files (noaberkracht, dinkelland, leiden, tubbergen) with locally-bundled SVG logos under img/logos/. Every page-load was leaking user IP + referrer to third-party municipal origins. Placeholder SVGs created for the 3 municipalities without previously-bundled assets; leiden.svg was already present. C2: Add !/js/admin.js exception to .gitignore. /js/ was gitignored as a build artifact but js/admin.js (979 lines, hand-authored) is tracked. Without the exception, git clean -fdx would silently delete it from fresh checkouts. Fixes: /tmp/triage-nldesign-nctemplate.md C1, C2
- PHPCS: phpcbf auto-fixed equals-sign alignment in Settings/Admin.php - PHPStan: migrate Admin from ISettings to IDelegatedSettings so #[AuthorizedAdminSetting(Admin::class)] satisfies the class-string<IDelegatedSettings> constraint; add getName() + getAuthorizedAppConfig() implementations; remove unused $appManager property and constructor parameter - gate-1 spdx-headers: add @copyright 2026 Conduction B.V. to all 18 lib/ PHP files (gate checks for * @copyright docblock tag); phpcbf re-aligned category/package/link tags for consistency
fix: make composer check:strict pass on development
…ooter-bg tubbergen.css:203 had --nldesign-component-page-footer-background-image pointing to https://www.tubbergen.nl/…/footer-bg.svg. Wave-3 swept logo variables and fixed dinkelland's equivalent footer-bg with unset, but missed this one. Set to unset with the same privacy/availability comment as dinkelland.css. css/ now has zero non-logo url(https://…) references.
Automated PR to sync development changes to beta for beta release.
Merging this PR will trigger the beta release workflow.