Skip to content

ThePracticalHow/ninenames.com

Repository files navigation

ninenames.com

Public Site Check

Public static website for Nine Names LLC.

The site is intentionally small: static HTML, local assets, no live translation widget, no analytics, no cookies, no backend, and no public intake form. Public pages are generated from reviewed JSON source so findings, copy, and locale pages can be checked before publishing.

Current public site: https://www.ninenames.com

Fallback preview: https://ninenames-com.pages.dev

Domain status: https://www.ninenames.com currently serves the static site. As of 2026-07-01, the bare apex, https://ninenames.com, still resolves to 66.223.49.89 and fails the live HTTPS check instead of serving Cloudflare Pages. Production is not clean until apex either serves the same static site or redirects to www with a standards-compliant, path-preserving HTTPS redirect. The current provider redirect emits malformed LF-only headers for strict clients and drops requested paths, so https://ninenames.com/.well-known/security.txt does not reach the security file.

Deployment freshness is separate from static routing. Treat the public domain as production-clean only when npm run check:live passes.

Public audit lane: https://www.ninenames.com/audit/

Structure

  • site/ contains the generated static website output.
  • localization/ contains the modular source used to rebuild the public pages.
  • src/ contains editable source for heavy public assets; npm run build:assets flattens those files into the browser-facing assets under site/.
  • src/theme/ contains the tiny shared palette controller; quiet pages use this without loading the full wayfinder.
  • src/textures/ contains authored procedural texture sources copied into the public site with explicit provenance.
  • src/social/ contains the authored social-preview source; the deployed JPEG is checked as a stable 1200 x 630 link-preview asset.
  • src/app/ contains authored install-icon source for app-like browser and mobile shells.
  • src/meta/ contains authored public orientation text copied into site/llms.txt and site/humans.txt.
  • site/assets/provenance.json is generated from src/public-assets.json so public asset sources, outputs, kinds, and provenance can be audited without scraping the build.
  • localization/topology-map.json defines homepage audit-map places, zones, and local edges.
  • localization/intent-grammar.json defines the assisted-navigation timing, pointer scoring, likely-next preview, intent-lens focus, graph-connection explanation, graph-backed path-ahead rail, same-page soft pan for ordinary cursor assistance, bounded local map pan from cursor motion, no page/viewport pan from topology route sync, no-hover panel choices, keyboard graph traversal, session-only route trail, safety boundaries, and reduced-motion fallback.
  • localization/gesture-commands.json defines the gaze/cursor command lab: attention previews, the preview-vs-commit interaction model, dwell fuses, dwell profiles, visible fill/cancel/fire feedback, practice calibration, flicks, click-only local speech, click-only one-shot voice hints, pause, and forbidden eye-only actions.
  • scripts/check-public-site.mjs runs public-safety and deploy-bundle checks.
  • scripts/check-gesture-lab.mjs verifies the gesture command lab is local-only, non-submitting, non-tracking, and embedded into the generated homepage.
  • scripts/check-wayfinder-contract.mjs verifies the stable browser contract exposed by window.NineNamesWayfinderContract.audit() and the mirrored data-wayfinder-contract DOM snapshot.
  • site/assets/topology-contract.json is a generated portable contract for wrappers and test harnesses that need the topology rules without loading the homepage.
  • window.NineNamesTopologyContract.audit() exposes the homepage audit-map contract: current route, likely route, continuation, low/medium/high intent band, intent strength, no-auto-action safety flags, gesture lab, live eye-comfort report, bounded local map pan, and no page/viewport pan from topology route sync.
  • window.NineNamesTopologyGestureLab.audit() exposes the current gaze/cursor command grammar for local testing and debugging.
  • audit-ledgers/ is reserved for future public-safe audit ledgers; audit-ledgers/RELEASE_CRITERIA.md is the public gate before any scientific ledger appears.
  • .github/ISSUE_TEMPLATE/ routes public correction, translation, reproducibility, and site-integrity reports.

Build

npm run build
npm run check
npm run check:audio
npm run check:a11y
npm run check:comfort
npm run check:compression
npm run check:content
npm run check:dns
npm run check:gestures
npm run check:html
npm run check:intent
npm run check:links
npm run check:metadata
npm run check:size
npm run check:theme-contrast
npm run check:themes
npm run check:wayfinder
npm run check:topology
npm run check:live
npm run release:plan
npm run --silent release:plan:json
npm run release:ready
npm run deploy:prepare

npm run build:assets is the lower-level asset step. It flattens editable source assets from src/ into site/styles.css, site/assets/theme-mode.js, site/assets/topology-mode.js, and site/assets/site-wayfinder.js, copies authored public SVG/text sources into site/assets/textures/, site/assets/social-card.svg, site/assets/app-icon.svg, site/llms.txt, and site/humans.txt, and emits site/assets/provenance.json.

npm run build first runs build:assets, then regenerates generated pages and contracts in site/ from the local JSON source. npm run check rebuilds and scans the public export for missing files, source/deploy asset drift, asset-provenance drift, unsafe paths, forbidden internal terms, accidental scripts, HTML semantics, size budgets, no-surprise-audio guarantees, and gesture safety.

GitHub Actions runs npm run check:topology, not just the static export check, so public commits have to pass the browser-level map, dwell, wayfinder, comfort, and theme smoke contracts before the badge turns green.

npm run check:html verifies generated page semantics: language, title, meta description, one main, one h1, duplicate-id safety, image alt and dimensions, button labels/types, local link targets, and same-page anchors.

npm run check:links verifies generated bundle integrity: internal routes, anchors, topology data-href targets, CSS url() assets, image/script/style references, manifest icons, sitemap URLs, robots links, redirects, and required public static files must all resolve inside site/.

npm run check:a11y verifies the accessibility contract across generated pages: skip links resolve, ARIA ID references point at real elements, interactive controls have names, form controls have explicit labels, multiple navigation landmarks are labeled, hidden topology nodes are not left in the tab order, and positive tabindex is blocked.

npm run check:metadata verifies the trust/preview contract across generated pages: canonical URLs, localized alternates, Open Graph/Twitter cards, JSON-LD Organization/WebSite/WebPage records, app manifest icons, sitemap coverage, robots orientation, and security.txt discovery have to agree with the current static build.

npm run check:content verifies generated page copy hygiene: locale-aware title and description lengths, one usable H1, public-safe term boundaries, no unconfirmed role-email exposure, allowlisted outbound links, and safe target="_blank" handling.

npm run check:size enforces public payload budgets so the static site stays usable on slower, older, or tunnelled client machines. The homepage can carry the audit map; routing/legal pages have tighter HTML budgets, review pages have a separate content budget, and non-topology pages must not ship unused gesture grammar.

npm run check:compression enforces compressed transfer budgets for the homepage bundle, major text assets, the topology contract, and the full text site using local gzip and Brotli measurements.

npm run check:theme-contrast verifies the palette registry, public theme-picker candidates, source CSS token sync, texture provenance, and minimum text contrast for public themes.

npm run check:themes runs a local browser smoke test for every public theme on desktop and mobile: URL selection, picker state, color-scheme, loaded texture layers, audit-map visibility, horizontal overflow, console errors, and third-party requests.

npm run check:audio verifies that browser speech is click-only, one-shot, local, and user-initiated. Cursor movement, gaze/hover dwell, and route changes must never start audio or leave a persistent narrator armed.

npm run check:comfort runs a local browser smoke test for first-screen actions, mobile overflow, focus landings, and topology exits.

npm run check:gestures validates the gaze/cursor command lab: look-near previews, dwell-fuse commits, each visual fuse declares a comfort profile and visible feedback loop, horizontal flicks move through local routes, vertical flicks zoom without changing route, answer-pace is a route-inert local fuse, practice calibration is route-inert, speak and voice hints are explicit click/keyboard audio only, pause remains a safety stop, and eye-only payments/uploads/contact are forbidden.

The interaction model is deliberate: movement, hover, and gaze-near can preview only; dwell, flick, or an explicit click fallback can commit only local state; eye-only gestures never send forms, files, credentials, payments, legal notices, medical instructions, or external messages.

The visible map primer mirrors that contract: move near means preview, hold the small dot means commit, and looking away cancels a partial hold. The browser dwell check verifies those states on the generated homepage so the eye-command surface does not drift into surprise actions.

The primer state machine lives in localization/gesture-commands.json and is exposed at runtime through window.NineNamesTopologyContract.audit().console.primer: preview, commit, and cancel, each with its input, local effect, commit flag, and safety flags.

The motion budget is also explicit: cursor gravity can shift nodes only within the configured pixel cap, cursor motion can pan the local map field only within its own cap, edge auto-scroll is bounded per frame, transitions stay short, reduced-motion/coarse-pointer users get the static semantic map, and the pause command locks the dynamic map into static mode.

The portable contract at site/assets/topology-contract.json is generated from localization/intent-grammar.json, localization/gesture-commands.json, localization/navigation-graph.json, and localization/topology-map.json. App shells and external tests should read that file instead of scraping generated HTML.

npm run check:dwell runs the browser-level dwell contract. It now also verifies the live eye-comfort report: rendered button sizes, small-fuse sizes, dwell profiles, look-away rearm, visible feedback markers, and route-inert practice calibration. The practice fuse shows a visible advisory recommendation for fast, normal, or slow dwell. Applying it requires an explicit local control and never changes external state.

npm run check:intent runs a local cursor-intent contract test for the assisted-navigation surface: topology-to-route handoff, route-to-topology handoff, likely-next preview, intent-lens focus, graph-connection explanation, graph-backed path-ahead rail, session-only route trail, no hover navigation, and reduced-motion fallback.

npm run check:wayfinder checks the portable runtime contract: the page exposes a current route, likely next route, continuation route, plain-language decision readout, visible intent-strength cues, literal safety flags such as autoNavigate: false, DOM-readable audit snapshot, same-page-only soft pan boundaries, no page/viewport pan from topology route sync, no horizontal overflow, and no automatic page navigation during cursor assistance.

npm run check:comfort also verifies no-hover topology panel choices, local route-history controls, and keyboard graph traversal, so touch and keyboard users can preview related routes locally before opening any page.

npm run check:topology runs the full local topology suite sequentially: public export, no-surprise audio, gesture grammar, dwell/fuse contracts, cursor intent, wayfinder, comfort smoke, and public theme smoke. Use it before deployment or whenever the map behavior changes.

npm run check:dns is a read-only DNS routing diagnostic. It checks that www points to the Cloudflare Pages host, BusinessIdentity/Northwest mail MX remains present, and apex is no longer the known provider redirect host. It is expected to fail until apex routing is repaired.

npm run check:live checks deployed routing, freshness, social-card headers, sitemap headers/lastmod, and security.txt. It is expected to fail until the fallback preview, www, and bare apex all serve the current static build and both security.txt routes resolve.

npm run release:plan prints any missing or untracked local Node entrypoints referenced by package.json, file summaries for untracked entrypoints, dirty working-tree groups, read-only review commands for each dirty group, plus an approval-required scoped staging suggestion. It is a diagnostic command and does not change Git state.

npm run --silent release:plan:json emits the same release-integrity state as JSON for local agents and dashboards, including untracked-entrypoint size, line count, short SHA-256 fingerprints, dirty_groups, and dirty_group_review_commands. It exits 0 as a diagnostic channel; read integrity_ok, working_tree_clean, and release_ready for readiness state. Use --silent so npm does not prepend its command banner to the JSON payload.

npm run release:ready verifies that local Node entrypoints referenced by package.json exist and are tracked by Git, and that the working tree is clean, so a clean clone will not fail because a script was left unstaged or uncommitted.

npm run deploy:prepare runs release integrity, local preflight checks, DNS routing, and live routing without changing production. It exits non-zero until the public domain is production-clean. For local-only source readiness before a deploy, use npm run release:ready and npm run check:topology; use deploy:prepare after deployment/routing work to prove the live site is ready for outreach.

What GitHub Proves

This repository can show the public site source, generated pages, static/no-widget build, findings registry behavior, public-safety checks, issue routing, and visible correction path.

The generated public asset provenance ledger shows which deployable browser assets come from authored local source, including the procedural Deep Water texture. It is not a stock-image or third-party asset inventory.

It does not prove or publish raw datasets, private review packets, patient material, controlled source tables, confidential correspondence, credentials, or future scientific audit ledgers. Those require a separate source, safety, status, and translation review before public release.

Publishing Boundary

This repository is public-safe only. It must not contain private strategy, held research assets, inbox exports, credentials, patient material, internal project names, or local review audio.

Security, legal, privacy, credentials, confidential material, patient material, and vulnerabilities do not belong in public GitHub issues. Use the verified mailbox listed on Official Channels.

Deployment steps live in docs/PRODUCTION_DEPLOYMENT_RUNBOOK.md. The shortest live-site handoff is docs/OPERATOR_CUTOVER_CARD.md. The paste-ready apex support request is docs/APEX_ROUTING_SUPPORT_PACKET.md.

License

This repository uses a split license. Build scripts and tooling are MIT licensed. Website copy, figures, diagrams, public audit text, brand assets, and generated public pages are licensed under CC BY-NC-ND 4.0 unless a file states otherwise.

About

Static public site for Nine Names LLC: multilingual methods-audit surface, public-safe findings registry, and correction/audit lane.

Topics

Resources

License

Unknown and 2 other licenses found

Licenses found

Unknown
LICENSE.md
Unknown
LICENSE-CODE
Unknown
LICENSE-CONTENT.md

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors