Address PR review thread feedback for Node 25 upgrade docs and dev environment metadata

.devcontainer/devcontainer.json

@@ -1,11 +1,11 @@
 {
-  "name": "CIA Compliance Manager Dev Container",
-  "image": "mcr.microsoft.com/devcontainers/javascript-node:24-trixie",
+  "name": "React Three.js Game Template Dev Container",
+  "image": "mcr.microsoft.com/devcontainers/javascript-node:25-trixie",
   "features": {
     "ghcr.io/devcontainers/features/github-cli:1": {},
     "ghcr.io/devcontainers/features/node:1": {
       "nodeGypDependencies": true,
-      "version": "24"
+      "version": "25"
     }
   },
   // MCP Servers: See .github/mcp-config.json for Model Context Protocol configuration

.github/workflows/codeql.yml

@@ -51,7 +51,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: "24"
+          node-version: "25"
           cache: "npm"
 
       - name: Cache dependencies

.github/workflows/copilot-setup-steps.yml

@@ -46,7 +46,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: "24"
+          node-version: "25"
           cache: "npm"
 
       - name: Install dependencies

.github/workflows/copilot-setup.yml

@@ -34,7 +34,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: '24'
+          node-version: '25'
           cache: 'npm'
 
       - name: Cache dependencies
@@ -214,7 +214,7 @@ jobs:
           - [ ] Brave Search Server - Requires API key
           
           ### System Dependencies
-          - [x] Node.js 24
+          - [x] Node.js 25
           - [x] Build tools
           - [x] Display server (Xvfb)
           - [x] Cypress dependencies

.github/workflows/release.yml

@@ -60,7 +60,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: "24"
+          node-version: "25"
           cache: "npm"
 
       - name: Cache Cypress binary
@@ -132,7 +132,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: "24"
+          node-version: "25"
           cache: "npm"
 
       - name: Install dependencies

.github/workflows/test-and-report.yml

@@ -24,7 +24,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: "24"
+          node-version: "25"
           cache: "npm"
 
       - name: Cache apt packages
@@ -82,7 +82,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: "24"
+          node-version: "25"
           cache: "npm"
 
       - name: Cache dependencies
@@ -163,7 +163,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: "24"
+          node-version: "25"
           cache: "npm"
 
       - name: Cache dependencies
@@ -208,7 +208,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: "24"
+          node-version: "25"
           cache: "npm"
 
       - name: Cache Cypress binary

cypress/tsconfig.json

@@ -1,7 +1,7 @@
 {
   "compilerOptions": {
-    "target": "ES2020",
-    "lib": ["ES2020", "DOM", "DOM.Iterable"],
+    "target": "ES2024",
+    "lib": ["ES2024", "DOM", "DOM.Iterable"],
     "module": "ESNext",
     "moduleResolution": "Node",
     "composite": true,

docs/End-of-Life-Strategy.md

@@ -0,0 +1,128 @@
+# Node.js End-of-Life Strategy
+
+## Overview
+
+This document defines the strategy for managing Node.js runtime versions in the **game** project, ensuring we stay on actively maintained releases and plan upgrades proactively. All version decisions align with the [Hack23 ISMS Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC).
+
+---
+
+## Current Status (March 2026)
+
+| Node.js | Release Date | Status | Bug Fixes Until | Security Fixes Until |
+|---------|-------------|--------|-----------------|----------------------|
+| **25 (Current)** | Oct 15, 2025 | ✅ **Active — in use** | Apr 1, 2026 | Jun 1, 2026 |
+| 24 (LTS – Krypton) | May 2025 | Active LTS | Oct 2026 | Apr 28, 2028 |
+| 22 (LTS – Jod) | Apr 2024 | Maintenance | Oct 2025 | Apr 30, 2027 |
+| 20 (LTS – Iron) | Apr 2023 | Maintenance | Oct 2024 | Apr 30, 2026 |
+
+> **Note:** Node.js 25 is an odd-numbered "Current" release, meaning it does **not** receive LTS status. It is supported for approximately 6 months before reaching end-of-life. We use it to validate readiness for Node.js 26.
+
+---
+
+## Node.js Release Cadence
+
+The OpenJS Foundation follows a predictable release schedule:
+
+- **Every April** — A new **even-numbered** major version is published as "Current"; odd-numbered Current versions reach EOL
+- **Every October** — The April even-numbered release graduates to "Active LTS", and a new odd-numbered major is published as "Current"
+- **Active LTS** lasts 12 months; **Maintenance LTS** lasts an additional 18 months
+
+```
+Version  | Release   | Current  | Active LTS    | Maintenance LTS | EOL
+---------|-----------|----------|---------------|-----------------|----------
+Node 20  | Apr 2023  | ~6 mo    | Oct 2023      | Oct 2024        | Apr 2026
+Node 22  | Apr 2024  | ~6 mo    | Oct 2024      | Oct 2025        | Apr 2027
+Node 24  | May 2025  | ~6 mo    | Oct 2025      | Oct 2026        | Apr 2028
+Node 25  | Oct 2025  | ~6 mo    | N/A (odd)     | N/A             | Jun 2026
+Node 26  | Apr 2026  | ~6 mo    | Oct 2026      | Oct 2027        | Apr 2029
+Node 27  | Oct 2026  | ~6 mo    | N/A (odd)     | N/A             | Jun 2027
+Node 28  | Apr 2027  | ~6 mo    | Oct 2027      | Oct 2028        | Apr 2030
+```
+
+---
+
+## Version Upgrade Policy
+
+### Principles
+
+1. **Never run end-of-life Node.js in CI/CD or production** — upgrade within 30 days of EOL.
+2. **Track even-numbered LTS releases for stability** — use Current (odd) releases for forward compatibility testing.
+3. **Upgrade CI/CD and dev containers together** — single PR, all-or-nothing.
+4. **Test on the next version before it is released** — reduce upgrade friction.
+
+### Upgrade Triggers
+
+| Trigger | Action | Timeline |
+|---------|--------|----------|
+| New major version release | Update `test-and-report-latest-node.yml` to new version | Within 1 week of release |
+| Current version reaches EOL | Upgrade all workflows to next version | Before EOL date |
+| LTS version graduates | Evaluate adoption for main workflow | Within 2 weeks |
+| Security advisory | Apply patch or upgrade immediately | Within 24 hours |
+
+---
+
+## Upcoming Milestones
+
+### ⚠️ Immediate — Node.js 25 End of Bug Fixes: April 1, 2026
+
+Node.js 25 receives its final bug-fix release around **April 1, 2026**. Security-only patches continue until **June 1, 2026**.
+
+Action required: Upgrade all CI/CD workflows to Node.js 26 immediately after its release in April 2026. See [FUTURE_WORKFLOWS.md](./FUTURE_WORKFLOWS.md) for the detailed upgrade plan.
+
+### 🔜 Upcoming — Node.js 26 Release: April 2026
+
+Node.js 26 is expected in **April 2026**. It will:
+
+- Enter "Current" status immediately upon release
+- Graduate to **Active LTS in October 2026**
+- Be maintained (Active + Maintenance) until **April 2029**
+
+**Planned upgrade:** Within **2 weeks** of the Node.js 26 release. See [FUTURE_WORKFLOWS.md](./FUTURE_WORKFLOWS.md).
+
+### 📅 Future — Node.js 26 Active LTS: October 2026
+
+When Node.js 26 enters Active LTS, it becomes the recommended production runtime. At this point:
+
+- Node.js 24 transitions from Active LTS to Maintenance LTS
+- The primary workflow (`test-and-report.yml`) should target Node.js 26
+
+### 📅 Future — Node.js 24 EOL: April 2028
+
+Node.js 24 reaches end-of-life in April 2028. By this date, all workflows and devcontainers must have moved to Node.js 26 or later.
+
+---
+
+## Version Matrix
+
+The project maintains two parallel test workflows:
+
+| Workflow | Purpose | Current Node Version |
+|----------|---------|----------------------|
+| `test-and-report.yml` | Primary CI — stable, production-ready | **25** |
+| `test-and-report-latest-node.yml` | Forward-compat — tests next version | **25** (will become 26) |
+
+When a new Node.js version is released:
+1. Update `test-and-report-latest-node.yml` to the new version first
+2. Once validated (typically within the same sprint), update `test-and-report.yml`
+3. Update all other workflows (`release.yml`, `codeql.yml`, copilot setup) together
+
+---
+
+## Risk Assessment
+
+| Risk | Likelihood | Impact | Mitigation |
+|------|-----------|--------|------------|
+| Security vulnerability in EOL Node.js | High (after EOL) | Critical | Upgrade before EOL |
+| Incompatible npm packages | Medium | High | Run tests on new version early |
+| Breaking API changes | Low | High | Test on Current release before it becomes primary |
+| CI/CD downtime during upgrade | Low | Medium | Upgrade in dedicated PR with rollback plan |
+
+---
+
+## References
+
+- [Node.js Release Schedule](https://nodejs.org/en/about/previous-releases)
+- [Node.js End-of-Life Dates — endoflife.date](https://endoflife.date/nodejs)
+- [Hack23 ISMS Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC)
+- [WORKFLOWS.md](./WORKFLOWS.md) — Current CI/CD workflow documentation
+- [FUTURE_WORKFLOWS.md](./FUTURE_WORKFLOWS.md) — Planned Node.js 26 upgrade

docs/FUTURE_WORKFLOWS.md

@@ -0,0 +1,150 @@
+# Future Workflows: Node.js 26 Upgrade Plan
+
+## Overview
+
+This document describes the planned upgrade of all CI/CD workflows, devcontainer configuration, and documentation from **Node.js 25** to **Node.js 26**.
+
+Node.js 26 is expected in **April 2026**. This upgrade plan is designed to be executed immediately after the official Node.js 26 release.
+
+---
+
+## Node.js 26 Release Facts
+
+| Attribute | Detail |
+|-----------|--------|
+| **Expected release** | April 2026 |
+| **Initial status** | Current |
+| **LTS graduation** | October 2026 |
+| **Active LTS until** | October 2027 |
+| **End of Maintenance** | April 2029 |
+| **Why upgrade** | Node.js 25 bug fixes end April 1, 2026; security fixes end June 1, 2026 |
+
+Node.js 26 is an even-numbered release and will become **Long-Term Support (LTS)** in October 2026. Adopting it early gives us:
+
+- Forward compatibility validation before broad ecosystem adoption
+- Alignment with the upcoming LTS baseline
+- Coverage of the ~6-month "Current" phase before LTS promotion
+
+---
+
+## Upgrade Checklist
+
+When Node.js 26 is officially released, execute the following steps in a single PR:
+
+### Phase 1 — Core Configuration (Day 1)
+
+- [ ] **`package.json`** — Update `engines.node` from `>=25` to `>=26`
+- [ ] **`.devcontainer/devcontainer.json`** — Update image from `javascript-node:25-trixie` to `javascript-node:26-trixie`, and node feature version from `"25"` to `"26"`
+
+### Phase 2 — GitHub Actions Workflows (Day 1)
+
+Update `node-version` from `"25"` to `"26"` in each of the following files:
+
+- [ ] **`.github/workflows/test-and-report.yml`** — 4 occurrences (prepare, build-validation, unit-tests, e2e-tests)
+- [ ] **`.github/workflows/release.yml`** — 2 occurrences (prepare, build)
+- [ ] **`.github/workflows/codeql.yml`** — 1 occurrence (analyze)
+- [ ] **`.github/workflows/copilot-setup-steps.yml`** — 1 occurrence
+- [ ] **`.github/workflows/copilot-setup.yml`** — 1 occurrence in `node-version`, 1 occurrence in setup report text (`Node.js 25` → `Node.js 26`)
+- [ ] **`.github/workflows/test-and-report-latest-node.yml`** — 4 occurrences (update to next version beyond 26, e.g., `"27"` once it exists, or keep at `"26"` until 27 ships)
+
+### Phase 3 — Documentation (Day 1–2)
+
+- [ ] **`docs/End-of-Life-Strategy.md`** — Update "Current Status" table, highlight Node.js 26 as active
+- [ ] **`docs/WORKFLOWS.md`** — Update "Current Node.js version" and all version references
+- [ ] **`docs/FUTURE_WORKFLOWS.md`** (this file) — Update to reflect Node.js 27 as the next planned upgrade
+- [ ] **`README.md`** — Update any Node.js version badges or requirements section if present
+
+### Phase 4 — Validation (Day 2)
+
+- [ ] Verify all CI jobs pass on the PR before merging
+- [ ] Confirm `test-and-report-latest-node.yml` passes
+- [ ] Confirm `release.yml` dry-run succeeds (workflow_dispatch with a pre-release tag)
+- [ ] Confirm devcontainer builds successfully with Node.js 26
+- [ ] Run `npm audit` to check for any dependency advisories under Node.js 26
+- [ ] Check `npm run test:licenses` passes
+
+---
+
+## Sed Commands for Automation
+
+The following commands can be run to perform the bulk of the Node.js 25 → 26 migration:
+
+```bash
+# Update all workflow node-version references (double-quoted)
+find .github/workflows -name "*.yml" -exec sed -i 's/node-version: "25"/node-version: "26"/g' {} +
+
+# Update copilot-setup.yml (single-quoted)
+sed -i "s/node-version: '25'/node-version: '26'/g" .github/workflows/copilot-setup.yml
+
+# Update text references
+sed -i 's/Node\.js 25/Node.js 26/g' .github/workflows/copilot-setup.yml
+
+# Update package.json engines field
+sed -i 's/"node": ">=25"/"node": ">=26"/' package.json
+
+# Update devcontainer image
+sed -i 's/javascript-node:25-trixie/javascript-node:26-trixie/' .devcontainer/devcontainer.json
+sed -i 's/"version": "25"/"version": "26"/' .devcontainer/devcontainer.json
+```
+
+---
+
+## Compatibility Considerations
+
+### Known Ecosystem Dependencies to Monitor
+
+| Package | Concern | Action |
+|---------|---------|--------|
+| `vite` | May ship Node.js 26 support update | Check release notes |
+| `cypress` | Historically supports new Node quickly | Verify with `npx cypress verify` |
+| `vitest` | Tracks Vite compatibility | Validate test suite passes |
+| `typescript` | Generally Node-agnostic | No action expected |
+
+### V8 Engine Changes (Node.js 26)
+
+Node.js 26 will ship with a new V8 engine version. This may affect:
+- WebAssembly performance
+- JavaScript language features (new syntax, built-ins)
+- Three.js WebGL rendering path (test via `test-and-report-latest-node.yml` first)
+
+### Breaking API Changes
+
+Review the Node.js 26 migration guide at [nodejs.org/en/blog](https://nodejs.org/en/blog) for:
+- Deprecated APIs removed
+- Stream and buffer API changes
+- Permission model updates
+- `node:` prefix enforcement
+
+---
+
+## Rollback Plan
+
+If CI fails after the upgrade to Node.js 26:
+
+1. Revert the PR
+2. Re-pin `test-and-report-latest-node.yml` to Node.js 26 and investigate failures
+3. File issues against specific failing packages
+4. Once all failures are resolved, re-open the upgrade PR
+
+The project can safely remain on Node.js 25 until **June 1, 2026** (security EOL), providing a 2-month window to resolve compatibility issues.
+
+---
+
+## Future Roadmap Beyond Node.js 26
+
+| Target | Expected Date | Action Required |
+|--------|--------------|-----------------|
+| Node.js 26 Active LTS | October 2026 | Update primary workflow from 25 to 26 (already planned) |
+| Node.js 27 release | October 2026 | Update `test-and-report-latest-node.yml` to 27 |
+| Node.js 25 security EOL | June 2026 | Must be on 26 by this date |
+| Node.js 28 LTS | April 2027 | Next LTS evaluation |
+| Node.js 26 EOL | April 2029 | Migrate to 28 before this date |
+
+---
+
+## Related Documents
+
+- [End-of-Life-Strategy.md](./End-of-Life-Strategy.md) — Full Node.js lifecycle policy
+- [WORKFLOWS.md](./WORKFLOWS.md) — Current CI/CD workflow documentation
+- [Node.js Release Schedule](https://nodejs.org/en/about/previous-releases)
+- [Node.js Changelog](https://github.com/nodejs/node/blob/main/CHANGELOG.md)