Setup riksdagsmonitor: 14-language Swedish Parliament intelligence platform with ISMS compliance

.github/copilot-mcp.json

@@ -0,0 +1,62 @@
+{
+  "$schema": "https://github.com/modelcontextprotocol/specification/blob/main/schema/mcp-config-schema.json",
+  "mcpServers": {
+    "filesystem": {
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/workspaces/riksdagsmonitor"],
+      "description": "Provides secure filesystem access for reading and editing project files",
+      "disabled": false
+    },
+    "github": {
+      "type": "local",
+      "command": "npx",
+      "args": [
+        "-y",
+        "@modelcontextprotocol/server-github",
+        "--toolsets",
+        "all"
+      ],
+      "env": {
+        "GITHUB_TOKEN": "${{ secrets.COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN }}",
+        "GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN }}",
+        "GITHUB_OWNER": "Hack23"
+      }
+    },
+    "sequential-thinking": {
+      "command": "npx",
+      "args": [
+        "-y",
+        "@modelcontextprotocol/server-sequential-thinking"
+      ]
+    },
+    "git": {
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-git", "--repository", "/workspaces/riksdagsmonitor"],
+      "description": "Provides Git operations and repository history context",
+      "disabled": false
+    },
+    "memory": {
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-memory"],
+      "description": "Maintains conversation history and context between agent sessions",
+      "disabled": false
+    },
+    "brave-search": {
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-brave-search"],
+      "env": {
+        "BRAVE_API_KEY": "${BRAVE_API_KEY}"
+      },
+      "description": "Enables searching documentation",
+      "disabled": true,
+      "note": "Enable this by setting BRAVE_API_KEY environment variable"
+    },
+    "playwright": {
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-playwright"],
+      "description": "Browser automation for testing and debugging web applications",
+      "disabled": false
+    }
+  },
+  "globalShortcut": "Ctrl+Shift+Space"
+}

.github/workflows/copilot-setup-steps.yml

@@ -0,0 +1,42 @@
+name: "Copilot Setup Steps"
+
+# Automatically run the setup steps when they are changed to allow for easy validation, and
+# allow manual testing through the repository's "Actions" tab
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+  pull_request:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+
+env:
+  GITHUB_TOKEN: ${{ secrets.COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN }}
+  GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN }}
+
+jobs:
+  # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
+  copilot-setup-steps:
+    runs-on: ubuntu-latest
+
+    # Set the permissions to the lowest permissions possible needed for your steps.
+    # Copilot will be given its own token for its operations.
+    permissions:
+      contents: read
+      actions: read
+      attestations: read
+      checks: read
+      deployments: read
+      issues: write
+      models: read
+      discussions: read
+      pages: read
+      pull-requests: write
+      security-events: read
+      statuses: read
+
+    # Steps run before the agent starts working
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/dependency-review.yml

@@ -0,0 +1,38 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required, 
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@20cf305ff2073D973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Cache apt packages
+        uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: /var/cache/apt/archives
+          key: ${{ runner.os }}-apt-${{ hashFiles('**/.github/workflows/dependency-review.yml') }}
+          restore-keys: |
+            ${{ runner.os }}-apt-
+
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
+        with:
+          comment-summary-in-pr: always

.github/workflows/quality-checks.yml

@@ -0,0 +1,210 @@
+name: Quality Checks
+
+on:
+  push:
+    branches: [ master, main ]
+  pull_request:
+    branches: [ master, main ]
+
+permissions:
+  contents: read
+
+jobs:
+  html-validation:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@20cf305ff2073D973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup Node.js
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        with:
+          node-version: '24'
+
+      - name: Cache npm global packages
+        uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-npm-global-${{ hashFiles('**/package-lock.json') }}-htmlhint
+          restore-keys: |
+            ${{ runner.os }}-npm-global-
+
+      - name: Install HTMLHint
+        run: npm install -g htmlhint
+
+      - name: Validate HTML
+        run: |
+          echo "🔍 Validating HTML files with HTMLHint..."
+          echo ""
+
+          # Run HTMLHint on all HTML files and capture results
+          if htmlhint *.html > htmlhint-report.txt 2>&1; then
+            echo "✅ All HTML files passed validation"
+            cat htmlhint-report.txt
+          else
+            echo "⚠️ HTML validation found issues:"
+            cat htmlhint-report.txt
+            echo ""
+            echo "📊 Validation completed with warnings/errors"
+            # Don't fail the build on HTML validation issues initially
+            # exit 1
+          fi
+
+      - name: Upload HTMLHint Report
+        if: always()
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: htmlhint-report
+          path: htmlhint-report.txt
+          retention-days: 30
+
+  link-checker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@20cf305ff2073D973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup Node.js
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        with:
+          node-version: '24'
+
+      - name: Cache npm packages
+        uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-npm-linkinator6-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-npm-linkinator6-
+
+      - name: Cache apt packages
+        uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: /var/cache/apt/archives
+          key: ${{ runner.os }}-apt-${{ hashFiles('**/.github/workflows/quality-checks.yml') }}
+          restore-keys: |
+            ${{ runner.os }}-apt-
+
+      - name: Install linkinator@6
+        run: |
+          echo "Installing linkinator v6 (v7.5.2 has module resolution bug)..."
+          npm install -g linkinator@6
+          linkinator --version
+          echo "✅ linkinator v6 installed successfully"
+
+      - name: Install jq
+        run: sudo apt-get update && sudo apt-get install -y jq
+
+      - name: Check internal links (static files)
+        run: |
+          echo "🔍 Starting local HTTP server for internal link checking..."
+          python3 -m http.server 8080 &
+          SERVER_PID=$!
+          echo "Server PID: $SERVER_PID"
+
+          # Wait for server to start
+          sleep 5
+
+          echo ""
+          echo "🔗 Checking internal links on localhost..."
+
+          # Check links on localhost using global linkinator v6
+          linkinator http://localhost:8080/ \
+            --recurse \
+            --skip "^(?!http://localhost:8080)" \
+            --format json > internal-links-report.json || true
+
+          # Kill server
+          kill $SERVER_PID 2>/dev/null || true
+
+          # Parse and display results
+          echo ""
+          echo "📊 Internal Link Check Results:"
+          if [ -f internal-links-report.json ]; then
+            jq '.links[0:10]' internal-links-report.json
+
+            # Count passed and failed links
+            read passed failed < <(jq -r '
+              [([.links[] | select(.state == "OK")] | length),
+               ([.links[] | select(.state != "OK")] | length)] | @tsv
+            ' internal-links-report.json 2>/dev/null || echo "0	0")
+
+            echo ""
+            echo "✅ Passed: $passed links"
+            echo "❌ Failed: $failed links"
+          fi
+
+      - name: Check external links (sample pages)
+        run: |
+          echo ""
+          echo "🌐 Checking external links on deployed site (sample check)..."
+          echo "Note: Only checking main index page to avoid rate limiting"
+
+          # Check external links on deployed site
+          linkinator https://riksdagsmonitor.com/ \
+            --skip "(fonts\.googleapis\.com|fonts\.gstatic\.com|github\.com)" \
+            --timeout 30000 \
+            --format json > external-links-report.json || true
+
+          echo ""
+          echo "📊 External Link Check Results:"
+          if [ -f external-links-report.json ]; then
+            jq '.links[0:10]' external-links-report.json
+
+            # Count passed and failed links
+            read passed failed < <(jq -r '
+              [([.links[] | select(.state == "OK")] | length),
+               ([.links[] | select(.state != "OK")] | length)] | @tsv
+            ' external-links-report.json 2>/dev/null || echo "0	0")
+
+            echo ""
+            echo "✅ Passed: $passed links"
+            echo "❌ Failed: $failed links"
+            echo ""
+            echo "ℹ️ Note: External link checking is limited to avoid rate limiting"
+          fi
+
+      - name: Upload Link Check Reports
+        if: always()
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: link-checker-reports
+          path: |
+            internal-links-report.json
+            external-links-report.json
+          retention-days: 30
+
+  summary:
+    runs-on: ubuntu-latest
+    needs: [html-validation, link-checker]
+    if: always()
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2073D973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      - name: Quality Check Summary
+        run: |
+          echo "=========================================="
+          echo "   Quality Checks Completed"
+          echo "=========================================="
+          echo ""
+          echo "✅ HTML validation completed"
+          echo "✅ Link checking completed"
+          echo ""
+          echo "📊 Check artifacts for detailed reports:"
+          echo "   - htmlhint-report"
+          echo "   - link-checker-reports"
+          echo ""
+          echo "=========================================="

.gitignore

@@ -1 +1,11 @@
 /.project
+.DS_Store
+*~
+*.bak
+*.swp
+.vscode/
+.idea/
+node_modules/
+dist/
+build/
+*.log