Merge branch 'dev' into claude/issue-546-20250807-1706

Author: jonobr1

.github/workflows/claude-code-review.yml

@@ -13,7 +13,7 @@ jobs:
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
-      actions: read
+      actions: write
       contents: read
       security-events: write
 
@@ -23,19 +23,40 @@ jobs:
         language: [ javascript ]
 
     steps:
-      - name: Checkout
-        uses: actions/checkout@v3
+      # checkout@v5
+      - name: Checkout repository
+        uses: jonobr1/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
 
+      # setup-node@v5
+      - name: Set up Node.js
+        uses: jonobr1/setup-node@a0853c24544627f65ddf259abe73b1d18a591444
+        with:
+          node-version: '20' # Use latest LTS
+
+      # cache@v4
+      - name: Cache node modules
+        uses: jonobr1/cache@0400d5f644dc74513175e3cd8d07132dd4860809
+        with:
+          path: |
+            node_modules
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+
+      - name: Install dependencies
+        run: npm ci
+
+      # codeql-action/init@v3
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: jonobr1/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3
         with:
           languages: ${{ matrix.language }}
-          queries: +security-and-quality
+          queries: security-and-quality
 
+      # codeql-action/autobuild@v3
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: jonobr1/codeql-action/autobuild@192325c86100d080feab897ff886c34abd4c83a3
 
+      # codeql-action/analyze@v3
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: jonobr1/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3
         with:
           category: "/language:${{ matrix.language }}"

.github/workflows/claude.yml

@@ -4,7 +4,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/[email protected]
+      # checkout@v5
+    - uses: jonobr1/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
     - name: Install modules
       run: npm install
     - name: Run ESLint

.github/workflows/codeql.yml

@@ -3,6 +3,9 @@ node_modules
 junk/
 *.log
 docs.json
-package-lock.json
 dist
-.idea
+.idea
+.codacy
+
+#Ignore vscode AI rules
+.github/instructions/codacy.instructions.md

.github/workflows/lint.yml

@@ -83,10 +83,11 @@ The Two class provides factory methods for creating and adding objects to the sc
 - Tests located in `tests/` directory
 - Test suites in `tests/suite/` organized by functionality
 - HTML test runners: `tests/index.html`, `tests/noWebGL.html`
-- TypeScript tests in `tests/typescript/`
+- TypeScript compilation tests in `tests/typescript/` with `index.ts` that imports and uses Two.js API
 
 ### Running Tests
-No automated test runner specified - tests are run manually via HTML files in browser.
+- Manual browser testing via HTML files: `tests/index.html` and `tests/noWebGL.html`
+- TypeScript compilation testing: `cd tests/typescript && npx tsc index.ts` to verify types work correctly
 
 ## Key Files to Understand
 
@@ -146,8 +147,8 @@ Designed for modern browsers with ES6+ support. Uses feature detection for rende
 - Open `tests/index.html` in browser for manual testing
 - Test new features across Canvas, SVG, and WebGL renderers
 - Check `tests/noWebGL.html` for fallback scenarios
-- TypeScript tests in `tests/typescript/` should compile without errors
-- No automated test runner - manual browser testing required
+- TypeScript compilation tests: Run `cd tests/typescript && npx tsc index.ts` to verify TypeScript definitions work correctly
+- Manual browser testing required - no automated test runner
 
 ## File Organization Rules
 
@@ -174,7 +175,6 @@ Designed for modern browsers with ES6+ support. Uses feature detection for rende
 - Browser: UMD build for direct script inclusion
 
 ### Nota Bene
-- There aren't any linting commands
-- All the tests run in the browser
-- There are no TypeScript tests
-- Let the developer check these manually instead of trying to run commands
+- All visual tests run in the browser via HTML files
+- TypeScript tests verify that the type definitions work correctly by compiling sample code – this is work in progress
+- Manual testing approach - no automated test runners or CI integration

.gitignore

@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at [email protected]. All
+reported by contacting the project team at inquiries+two.js@jono.fyi. All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.

CLAUDE.md

@@ -6,7 +6,7 @@
 
 A two-dimensional drawing api meant for modern browsers. It is renderer agnostic enabling the same api to render in multiple contexts: webgl, canvas2d, and svg.
 
-[Home](http://two.js.org/) • [Releases](https://github.com/jonobr1/two.js/releases) • [Examples](http://two.js.org/examples/) • [Documentation](https://two.js.org/docs/two/) • [Change Log](https://github.com/jonobr1/two.js/tree/dev/wiki/changelog) • [Help](https://github.com/jonobr1/two.js/issues/new/choose)
+[Home](http://two.js.org/) • [Releases](https://github.com/jonobr1/two.js/releases) • [Examples](http://two.js.org/examples/) • [Documentation](https://two.js.org/docs/two/) • [Changelog](https://github.com/jonobr1/two.js/tree/dev/wiki/changelog) • [Help](https://github.com/jonobr1/two.js/issues/new/choose)
 
 ## Usage
 Download the latest [minified library](https://raw.github.com/jonobr1/two.js/dev/build/two.min.js) and include it in your html.

CODE_OF_CONDUCT.md

@@ -0,0 +1,26 @@
+# Security Policy
+
+If you have discovered a security vulnerability in this project, please report it
+privately. **Do not disclose it as a public issue.** This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.
+
+**You may submit the report in the following ways:**
+
+- Github users can privately report security advisories directly [here](https://github.com/jonobr1/two.js/security/advisories/new)
+
+- Send an email to [[email protected]](mailto:[email protected]).
+
+**Please provide the following information in your report:**
+
+- The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting)
+- Full paths of source file(s) related to the manifestation of the issue
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- Step-by-step instructions to reproduce the issue
+- Proof-of-concept or exploit code (if possible)
+- Impact of the issue, including how an attacker might exploit the issue
+
+This project is maintained by volunteers on a reasonable-effort basis. As such, we ask that you give us 90 days to work on a fix before public exposure.
+
+---
+
+_Two.js conforms to this [Incident Response Plan](https://two.js.org/incident-response-plan) in moments of security risks._