From b8838603dc52392f241896a79b5e5622447e0b69 Mon Sep 17 00:00:00 2001
From: Jon Gallant <2163001+jongio@users.noreply.github.com>
Date: Mon, 2 Mar 2026 13:03:29 -0800
Subject: [PATCH 1/3] Security hardening and code quality improvements

MQ + Hack dual-model analysis (Opus 4.6 + Codex 5.3) findings and fixes:

HIGH:
- HTTPS downgrade via redirect following in update-registry.js (CWE-319)
- No artifact domain validation - added ALLOWED_ARTIFACT_HOST allowlist (CWE-20)
- Response size DoS - added 5MB size limit on artifact downloads (CWE-400)

MEDIUM:
- Weak checksum acceptance (MD5/SHA1) rejected in validate-registry.js (CWE-328)
- Missing CSP headers on website (CWE-16)
- Regex injection in update-readme-versions.js - added escapeRegExp (CWE-1333)
- Removed unused code in validate-registry.js

DRY refactor: extracted compareSemver to shared scripts/lib/semver.js module.
Updated dependencies, pinned astro@5.17.3 (5.18.0 Windows build bug).
Added azd-rest to install/uninstall/watch scripts.
Updated SECURITY.md with GitHub Security Advisories link.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 SECURITY.md                               |   2 +-
 docs/archive/security-audit-2025-07-14.md | 556 ++++++++++++++++++++++
 package.json                              |  10 +-
 pnpm-lock.yaml                            | 150 ++++--
 scripts/install-all.ps1                   |   3 +-
 scripts/lib/semver.js                     |  49 ++
 scripts/uninstall-all.ps1                 |   3 +-
 scripts/update-readme-versions.js         |  18 +-
 scripts/update-registry.js                |  79 ++-
 scripts/validate-registry.js              |  41 +-
 scripts/watch-all.ps1                     |   3 +-
 src/components/ExtensionShowcase.astro    |   4 +-
 src/pages/index.astro                     |   1 +
 13 files changed, 824 insertions(+), 95 deletions(-)
 create mode 100644 docs/archive/security-audit-2025-07-14.md
 create mode 100644 scripts/lib/semver.js

diff --git a/SECURITY.md b/SECURITY.md
index 6a33afb..d7c0f86 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -13,7 +13,7 @@ We release patches for security vulnerabilities for the following versions:
 If you discover a security vulnerability, please do the following:
 
 1. **Do NOT** open a public issue
-2. Email security details to: [your-email@example.com]
+2. Use [GitHub Security Advisories](https://github.com/jongio/azd-extensions/security/advisories/new) to privately report a vulnerability
 3. Include:
    - Description of the vulnerability
    - Steps to reproduce
diff --git a/docs/archive/security-audit-2025-07-14.md b/docs/archive/security-audit-2025-07-14.md
new file mode 100644
index 0000000..bcf98be
--- /dev/null
+++ b/docs/archive/security-audit-2025-07-14.md
@@ -0,0 +1,556 @@
+# Security Audit: azd-extensions
+
+**Date**: 2025-07-14
+**Scope**: Full adversarial review of azd-extensions codebase
+**Methodology**: STRIDE threat model, OWASP Top 10 (2021), CWE-mapped vulnerability analysis
+**Auditor**: SecOps Agent (dual-model analysis)
+
+---
+
+## Executive Summary
+
+The azd-extensions codebase is a **static website + extension registry** deployed to GitHub Pages. It fetches registry data from external GitHub repositories, aggregates it, and serves it as a JSON file alongside a showcase website. The attack surface is concentrated in three areas: (1) the CI/CD pipeline that builds and publishes the registry, (2) the registry aggregation scripts that fetch and trust external data, and (3) the GitHub Actions supply chain.
+
+**Overall risk**: MEDIUM. No CRITICAL vulnerabilities found. The most significant risks are supply chain integrity issues in the CI/CD pipeline and missing security headers on the deployed site.
+
+### Finding Summary
+
+| Severity | Count | Status |
+|----------|-------|--------|
+| CRITICAL | 0 | -- |
+| HIGH | 3 | Remediation recommended |
+| MEDIUM | 5 | Remediation recommended |
+| LOW | 4 | Backlog / informational |
+
+---
+
+## Phase 1: Attack Surface Enumeration
+
+### Entry Points
+
+| # | Entry Point | Type | Trust Level |
+|---|-------------|------|-------------|
+| 1 | GitHub Pages static site | Web (HTML/JS/CSS) | Public, unauthenticated |
+| 2 | `public/registry.json` | REST endpoint (static JSON) | Public, unauthenticated |
+| 3 | GitHub Actions `repository_dispatch` | API trigger | Authenticated (PAT) |
+| 4 | GitHub Actions `schedule` (cron) | Timer trigger | Automated |
+| 5 | GitHub Actions `workflow_dispatch` | Manual trigger | Repo collaborator |
+| 6 | External registry sources (raw.githubusercontent.com) | HTTP fetch | Semi-trusted (upstream repos) |
+| 7 | PowerShell scripts (local dev) | Local execution | Developer workstation |
+| 8 | Extension submission issue template | GitHub Issues | Public, unauthenticated |
+
+### Trust Boundaries
+
+```
+[Public Internet] --> [GitHub Pages CDN] --> [Static HTML + registry.json]
+                                                    ^
+                                                    |  (build-time)
+[GitHub Actions Runner] --> [fetch from upstream repos] --> [aggregate] --> [deploy]
+                                ^
+                                |
+[Upstream Extension Repos] -- (4 external registry.json files, semi-trusted)
+```
+
+---
+
+## Phase 2: STRIDE Threat Model
+
+### S - Spoofing
+
+| Component | Threat | Mitigation Status |
+|-----------|--------|-------------------|
+| Registry sources | Attacker compromises upstream repo (e.g., jongio/azd-app) and injects malicious registry entries | **PARTIAL** - Checksums verified but no signature verification |
+| CI/CD dispatch | Attacker sends forged `repository_dispatch` to trigger malicious builds | **OK** - Requires PAT with repo scope |
+| Static site | Attacker spoofs the GitHub Pages domain | **OK** - GitHub enforces HTTPS for *.github.io |
+
+### T - Tampering
+
+| Component | Threat | Mitigation Status |
+|-----------|--------|-------------------|
+| Registry JSON | Attacker tampers with registry.json in transit | **OK** - Served over HTTPS |
+| Registry JSON | Attacker tampers with upstream registry data before aggregation | **GAP** - No cryptographic signing of registry entries (see Finding SEC-02) |
+| CI/CD pipeline | Attacker modifies build artifacts between build and deploy | **OK** - Same job, no artifact handoff between jobs |
+| Checksums | Registry contains checksums but azd CLI verification depends on client implementation | **PARTIAL** - SHA-256 checksums present |
+
+### R - Repudiation
+
+| Component | Threat | Mitigation Status |
+|-----------|--------|-------------------|
+| Registry updates | No audit trail of what changed between registry versions | **PARTIAL** - Git history shows commits by github-actions[bot] |
+| Extension submissions | Issue template allows public submissions with no verification | **OK** - Manual review process |
+
+### I - Information Disclosure
+
+| Component | Threat | Mitigation Status |
+|-----------|--------|-------------------|
+| Static site | Source maps or debug info exposed | **OK** - Production build strips debug |
+| Error messages | Scripts log URLs and error details to CI logs | **LOW RISK** - Public repo, no secrets in logs |
+| Astro version disclosure | `meta[name=generator]` exposes Astro v5.18.0 | **INFORMATIONAL** (see Finding SEC-10) |
+
+### D - Denial of Service
+
+| Component | Threat | Mitigation Status |
+|-----------|--------|-------------------|
+| Registry update script | Upstream source returns extremely large JSON, exhausting CI runner memory | **GAP** - No size limit on fetched data (see Finding SEC-05) |
+| HEAD request validation | Attacker-controlled URL causes slow response, blocking CI pipeline | **PARTIAL** - 10s timeout exists |
+| GitHub Pages | DDoS against static site | **OK** - GitHub CDN handles this |
+
+### E - Elevation of Privilege
+
+| Component | Threat | Mitigation Status |
+|-----------|--------|-------------------|
+| Publish workflow | `contents: write` permission allows pushing to main | **ACCEPTABLE** - Required for auto-commit pattern |
+| Local PowerShell scripts | Scripts run as current user, modify `~/.azd/config.json` | **ACCEPTABLE** - Local dev tooling |
+
+---
+
+## Phase 3: OWASP Top 10 (2021) Coverage
+
+| # | Category | Status | Details |
+|---|----------|--------|---------|
+| A01 | Broken Access Control | **N/A** | Static site, no auth required, no protected resources |
+| A02 | Cryptographic Failures | **PASS** | SHA-256 checksums on artifacts, HTTPS enforced for artifact URLs |
+| A03 | Injection | **PASS** | No XSS vectors found (see detailed analysis below) |
+| A04 | Insecure Design | **PASS** | Registry aggregation design is sound; validation pipeline exists |
+| A05 | Security Misconfiguration | **FINDING** | Missing CSP, X-Frame-Options, and other security headers (SEC-04) |
+| A06 | Vulnerable Components | **PASS** | `pnpm audit` reports 0 vulnerabilities; dependency-review action in CI |
+| A07 | Identification & Auth Failures | **N/A** | No authentication in static site |
+| A08 | Software & Data Integrity Failures | **FINDING** | GitHub Actions not pinned to SHA (SEC-01); no registry signing (SEC-02) |
+| A09 | Security Logging & Monitoring | **N/A** | Static site on GitHub Pages - no server-side logging capability |
+| A10 | Server-Side Request Forgery | **PASS** | URLs are hardcoded constants, not user-controlled (see analysis below) |
+
+---
+
+## Phase 4: Detailed Findings
+
+### SEC-01: GitHub Actions Not Pinned to Commit SHA [HIGH]
+
+- **CWE**: CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)
+- **CVSS**: 8.1 (High)
+- **STRIDE**: Tampering, Elevation of Privilege
+- **OWASP**: A08 Software and Data Integrity Failures
+- **Classification**: [PROPOSE]
+
+**Files affected**:
+- `.github/workflows/ci.yml` lines 19, 22, 25
+- `.github/workflows/publish.yml` lines 28, 31, 37, 45, 82, 85, 91
+- `.github/workflows/codeql.yml` lines 29, 32, 37, 40
+- `.github/workflows/dependency-review.yml` lines 12, 15
+- `.github/workflows/spellcheck.yml` lines 15, 18
+
+**Description**: All 17 GitHub Actions `uses:` references use mutable version tags (e.g., `actions/checkout@v4`, `pnpm/action-setup@v4`) instead of immutable commit SHAs. A compromised or hijacked action tag could inject malicious code into the CI/CD pipeline.
+
+**Attack scenario**: An attacker who compromises the `pnpm/action-setup` repository (or any third-party action) can push malicious code under the existing `v4` tag. The next CI run would execute the attacker's code with `contents: write`, `pages: write`, and `id-token: write` permissions -- enough to push malicious registry entries and deploy them to GitHub Pages.
+
+**Why this matters for a registry**: The `publish.yml` workflow has `contents: write` and commits directly to `main`. A compromised action could:
+1. Modify `public/registry.json` to point artifact URLs at malicious binaries
+2. Push the change to `main`
+3. Deploy the poisoned registry to GitHub Pages
+
+Users who then install extensions would download and execute attacker-controlled binaries.
+
+**Recommended fix**: Pin all actions to full commit SHAs with version comments:
+```yaml
+# Before
+- uses: actions/checkout@v4
+# After
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+```
+
+---
+
+### SEC-02: Registry Data Integrity - No Cryptographic Signing [HIGH]
+
+- **CWE**: CWE-345 (Insufficient Verification of Data Authenticity)
+- **CVSS**: 7.5 (High)
+- **STRIDE**: Tampering, Spoofing
+- **OWASP**: A08 Software and Data Integrity Failures
+- **Classification**: [CONSULT]
+
+**File**: `scripts/update-registry.js` lines 50-58, `public/registry.json`
+
+**Description**: The registry aggregation script fetches registry data from 4 upstream GitHub repositories and trusts it without cryptographic verification. The upstream repos are all owned by the same account (`jongio`), but there is no signature verification (e.g., GPG-signed commits, Sigstore cosign, or a manifest signature).
+
+**Attack scenario**: If an attacker gains write access to any upstream repo (e.g., `jongio/azd-app`), they can modify that repo's `registry.json` to point artifact URLs at malicious binaries with valid-looking checksums. The aggregation script would happily incorporate these entries. The checksum values in the registry are self-reported by the upstream repo -- the build pipeline does not independently compute them.
+
+**Current mitigations** (partial):
+- Artifact URLs must start with `https://` (line 115-116)
+- Placeholder checksums (all zeros) are rejected (lines 121-127)
+- HEAD requests verify URLs return 200 (lines 136-162)
+
+**Gap**: None of these prevent an attacker who controls an upstream repo from providing a valid HTTPS URL to a malicious binary with a real SHA-256 checksum for that malicious binary.
+
+**Recommended approach**: Consider one or more of:
+1. Pin upstream registry sources to specific commit SHAs or use signed tags
+2. Implement a manual approval gate for registry changes (PR-based flow instead of auto-commit)
+3. Add Sigstore/cosign verification for release artifacts
+
+---
+
+### SEC-03: Publish Workflow Auto-Commits to Main Without PR Review [HIGH]
+
+- **CWE**: CWE-862 (Missing Authorization)
+- **CVSS**: 7.2 (High)
+- **STRIDE**: Tampering, Elevation of Privilege
+- **OWASP**: A08 Software and Data Integrity Failures
+- **Classification**: [CONSULT]
+
+**File**: `.github/workflows/publish.yml` lines 69-79
+
+**Description**: The publish workflow runs on a schedule (daily cron) and on `repository_dispatch`. It fetches external data, writes it to `public/registry.json`, commits directly to `main`, and pushes -- all without human review.
+
+```yaml
+git config user.name "github-actions[bot]"
+git config user.email "github-actions[bot]@users.noreply.github.com"
+git add public/registry.json README.md
+git commit -m "chore: update extension registry"
+git push
+```
+
+**Attack scenario**: Combined with SEC-01 and SEC-02, this creates a fully automated attack chain:
+1. Compromise upstream repo -> poisoned registry data
+2. Wait for cron or trigger `repository_dispatch` -> publish workflow runs
+3. Poisoned data auto-committed to main and deployed -> malicious registry live
+
+**Current mitigations**: The `validate-registry.js` script runs before commit, but it only checks structural validity (semver order, platform coverage, URL reachability, checksum presence) -- not whether the data is authentically from the expected source.
+
+**Recommended fix**: Consider:
+1. Create registry update PRs instead of direct pushes (allows review)
+2. Add branch protection rules requiring approvals for changes to `public/registry.json`
+3. Add a diff summary to CI logs showing exactly what changed
+
+---
+
+### SEC-04: Missing Security Headers on Static Site [MEDIUM]
+
+- **CWE**: CWE-1021 (Improper Restriction of Rendered UI Layers)
+- **CVSS**: 5.3 (Medium)
+- **STRIDE**: Information Disclosure, Spoofing
+- **OWASP**: A05 Security Misconfiguration
+- **Classification**: [INFORM]
+
+**Files affected**: `astro.config.mjs`, no `_headers` file, no security headers configuration
+
+**Description**: The deployed GitHub Pages site has no Content Security Policy (CSP), no X-Frame-Options, no X-Content-Type-Options, no Referrer-Policy, and no Permissions-Policy headers. GitHub Pages does set some baseline headers (HTTPS, HSTS), but application-level headers are absent.
+
+**Impact**:
+- **No CSP**: The page uses inline `<script>` blocks (index.astro lines 223-245, ExtensionShowcase.astro lines 190-208). Without CSP, there is no defense-in-depth against XSS if a vulnerability is introduced.
+- **No X-Frame-Options**: The site can be embedded in iframes on malicious sites (clickjacking potential, though limited value for a static showcase site).
+- **No Referrer-Policy**: External links (X, LinkedIn, GitHub) may receive full referrer information.
+
+**Note**: GitHub Pages has limited header customization. CSP can be set via `<meta>` tags for static sites.
+
+**Recommended fix**: Add a CSP meta tag to the Layout component head:
+```html
+<meta http-equiv="Content-Security-Policy"
+      content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self'" />
+```
+
+---
+
+### SEC-05: No Response Size Limit on External Registry Fetch [MEDIUM]
+
+- **CWE**: CWE-400 (Uncontrolled Resource Consumption)
+- **CVSS**: 5.3 (Medium)
+- **STRIDE**: Denial of Service
+- **OWASP**: A05 Security Misconfiguration
+- **Classification**: [INFORM]
+
+**File**: `scripts/update-registry.js` lines 50-59
+
+```javascript
+async function fetchRegistry(url) {
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(`Failed to fetch ${url}: ${response.statusText}`);
+  }
+  return await response.json();
+}
+```
+
+**Description**: The `fetch()` call reads the entire response body into memory and parses it as JSON with no size limit. If an upstream registry source is compromised to return an extremely large JSON payload (e.g., several GB), it would exhaust the CI runner's memory.
+
+**Impact**: Denial of service against the CI pipeline. An attacker who controls an upstream repo could prevent registry updates by serving a resource-bomb.
+
+**Mitigating factor**: The sources are hardcoded URLs to specific GitHub repos (line 40-45), so the attacker already needs write access to one of those repos.
+
+**Recommended fix**: Add a content-length check before reading the body:
+```javascript
+const contentLength = parseInt(response.headers.get('content-length') || '0');
+if (contentLength > 5 * 1024 * 1024) { // 5MB limit
+  throw new Error(`Registry too large: ${contentLength} bytes from ${url}`);
+}
+```
+
+---
+
+### SEC-06: validate-registry.js Follows Redirects to HTTP [MEDIUM]
+
+- **CWE**: CWE-319 (Cleartext Transmission of Sensitive Information)
+- **CVSS**: 4.8 (Medium)
+- **STRIDE**: Information Disclosure, Tampering
+- **OWASP**: A02 Cryptographic Failures
+- **Classification**: [AUTO-FIX]
+
+**File**: `scripts/validate-registry.js` lines 46-48
+
+```javascript
+const parsedUrl = new URL(targetUrl);
+const lib = parsedUrl.protocol === 'https:' ? https : http;
+```
+
+**Description**: The `headRequest` function in `validate-registry.js` supports both HTTP and HTTPS protocols and will follow redirects. If an HTTPS URL redirects to an HTTP URL, the validation would follow the redirect over cleartext. While `update-registry.js` correctly enforces HTTPS-only artifact URLs (line 115), the validation script's redirect-following behavior could validate a redirect chain that downgrades to HTTP.
+
+**Impact**: An attacker who can MITM the CI runner's network traffic could intercept HEAD requests that are redirected to HTTP and return fake 200 responses, causing the validator to pass artifacts that are actually unreachable.
+
+**Recommended fix**: Reject HTTP redirects in the `headRequest` function:
+```javascript
+const next = new URL(res.headers.location, targetUrl).href;
+if (!next.startsWith('https://')) {
+  reject(new Error(`Redirect to non-HTTPS URL: ${next}`));
+  return;
+}
+```
+
+---
+
+### SEC-07: Permissive Permissions in Publish Workflow [MEDIUM]
+
+- **CWE**: CWE-250 (Execution with Unnecessary Privileges)
+- **CVSS**: 4.3 (Medium)
+- **STRIDE**: Elevation of Privilege
+- **OWASP**: A05 Security Misconfiguration
+- **Classification**: [INFORM]
+
+**File**: `.github/workflows/publish.yml` lines 11-14
+
+```yaml
+permissions:
+  contents: write
+  pages: write
+  id-token: write
+  packages: read
+```
+
+**Description**: The publish workflow requests `id-token: write` and `contents: write` at the workflow level. These permissions are granted to ALL steps in the job, including all third-party actions. If any action (e.g., `pnpm/action-setup`, `actions/cache`) is compromised, it inherits these powerful permissions.
+
+**Impact**: A compromised action could:
+- Use `contents: write` to push arbitrary commits to `main`
+- Use `id-token: write` to request OIDC tokens and impersonate the repo
+- Use `pages: write` to deploy arbitrary content to GitHub Pages
+
+**Recommended fix**: Move permissions to the job level and minimize scope per step where possible. The `id-token: write` is only needed for the Pages deployment step.
+
+---
+
+### SEC-08: SECURITY.md Contains Placeholder Contact Email [MEDIUM]
+
+- **CWE**: CWE-1059 (Insufficient Technical Documentation)
+- **CVSS**: 4.0 (Medium)
+- **STRIDE**: Information Disclosure (attackers know there's no real reporting channel)
+- **OWASP**: A05 Security Misconfiguration
+- **Classification**: [AUTO-FIX]
+
+**File**: `SECURITY.md` line 14
+
+```markdown
+2. Email security details to: [your-email@example.com]
+```
+
+**Description**: The security policy contains a placeholder email address that will never be monitored. Security researchers who discover vulnerabilities have no way to responsibly disclose them.
+
+**Impact**: Vulnerabilities go unreported or are disclosed publicly instead of privately.
+
+**Recommended fix**: Replace with a real contact address or enable GitHub's private vulnerability reporting feature (Settings > Code security > Private vulnerability reporting).
+
+---
+
+### SEC-09: Caret Version Ranges in package.json Dependencies [LOW]
+
+- **CWE**: CWE-1104 (Use of Unmaintained Third-Party Components)
+- **CVSS**: 3.7 (Low)
+- **STRIDE**: Tampering
+- **OWASP**: A06 Vulnerable and Outdated Components
+- **Classification**: [INFORM]
+
+**File**: `package.json` lines 14-26
+
+**Description**: All dependencies use caret (`^`) version ranges, which allow minor and patch updates. While `pnpm-lock.yaml` pins exact versions, a fresh `pnpm install` (without `--frozen-lockfile`) could pull in newer versions with vulnerabilities.
+
+**Current mitigations**:
+- `--frozen-lockfile` is used in CI (ci.yml line 32, publish.yml line 53)
+- `pnpm-lock.yaml` is committed
+- Dependency review action runs on PRs
+
+**Residual risk**: Low. The mitigations are adequate.
+
+---
+
+### SEC-10: Astro Version Disclosure in Meta Generator Tag [LOW]
+
+- **CWE**: CWE-200 (Exposure of Sensitive Information)
+- **CVSS**: 2.1 (Low)
+- **STRIDE**: Information Disclosure
+- **OWASP**: A05 Security Misconfiguration
+- **Classification**: [INFORM]
+
+**File**: `dist/index.html` line 1
+
+```html
+<meta name="generator" content="Astro v5.18.0">
+```
+
+**Description**: The deployed HTML reveals the exact Astro framework version. This helps attackers identify applicable CVEs.
+
+**Impact**: Minimal. Astro is a static site generator -- the version is only relevant at build time, not runtime.
+
+---
+
+### SEC-11: Inline Scripts Without Nonce/Hash (CSP Incompatibility) [LOW]
+
+- **CWE**: CWE-79 (Cross-site Scripting)
+- **CVSS**: 2.3 (Low)
+- **STRIDE**: Tampering
+- **OWASP**: A03 Injection
+- **Classification**: [INFORM]
+
+**Files**:
+- `src/pages/index.astro` lines 223-245 (theme toggle script)
+- `src/components/ExtensionShowcase.astro` lines 190-208 (copy button script)
+
+**Description**: Both Astro components contain inline `<script>` blocks. If CSP is ever added (see SEC-04), these scripts would require either `'unsafe-inline'` (weakens CSP) or nonce/hash-based CSP directives.
+
+**Current XSS analysis**: The inline scripts do NOT process any user-controlled input. The `dataset.command` value (line 198) comes from the `data-command` attribute set at build time from static extension data (developer-controlled, not user-controlled). The `innerHTML` assignments (lines 201, 203, 205) use hardcoded SVG strings, not dynamic data. **No XSS vector exists.**
+
+---
+
+### SEC-12: `set:html` Usage in Astro Template [LOW]
+
+- **CWE**: CWE-79 (Cross-site Scripting)
+- **CVSS**: 2.0 (Low)
+- **STRIDE**: Tampering
+- **OWASP**: A03 Injection
+- **Classification**: [INFORM]
+
+**File**: `src/pages/index.astro` line 136
+
+```astro
+<script type="application/ld+json" set:html={JSON.stringify({...})} />
+```
+
+**Description**: The `set:html` directive bypasses Astro's default HTML escaping. In this case, it's used to inject a JSON-LD structured data block. The data is a static object literal defined in the component frontmatter -- it contains no user-controlled input.
+
+**XSS analysis**: The `JSON.stringify()` output is placed inside a `<script type="application/ld+json">` tag, which browsers do not execute as JavaScript. **No XSS vector exists.**
+
+---
+
+## Phase 5: Supply Chain Analysis
+
+### npm Dependencies
+
+```
+pnpm audit: 0 vulnerabilities
+```
+
+| Check | Status |
+|-------|--------|
+| Lock file committed | PASS (`pnpm-lock.yaml` present) |
+| `--frozen-lockfile` in CI | PASS (both ci.yml and publish.yml) |
+| Dependency review on PRs | PASS (`dependency-review.yml` with `fail-on-severity: moderate`) |
+| CodeQL scanning | PASS (weekly + on push/PR) |
+| No wildcard versions | PASS (all use caret `^`) |
+| Private registry scoped | PASS (`@jongio:registry=https://npm.pkg.github.com` in `.npmrc`) |
+
+### GitHub Actions Supply Chain
+
+| Action | Pinned to SHA? | Risk |
+|--------|----------------|------|
+| `actions/checkout@v4` | NO | HIGH |
+| `actions/setup-node@v4` | NO | HIGH |
+| `pnpm/action-setup@v4` | NO | HIGH |
+| `actions/cache@v4` | NO | MEDIUM |
+| `actions/configure-pages@v4` | NO | MEDIUM |
+| `actions/upload-pages-artifact@v3` | NO | MEDIUM |
+| `actions/deploy-pages@v4` | NO | MEDIUM |
+| `github/codeql-action/init@v3` | NO | MEDIUM |
+| `github/codeql-action/autobuild@v3` | NO | MEDIUM |
+| `github/codeql-action/analyze@v3` | NO | MEDIUM |
+| `actions/dependency-review-action@v4` | NO | MEDIUM |
+| `streetsidesoftware/cspell-action@v6` | NO | LOW |
+
+**Verdict**: 0 of 17 actions are SHA-pinned. This is the single largest supply chain risk in the project.
+
+---
+
+## Phase 6: SSRF Analysis
+
+**File**: `scripts/update-registry.js`
+
+The `EXTENSION_SOURCES` array (lines 40-45) contains 4 hardcoded URLs. These URLs are hardcoded constants (not derived from user input, environment variables, or registry data). The script does NOT follow URLs from within the fetched data to make additional requests.
+
+The `headRequest` function (lines 18-37) only operates on artifact URLs from within the registry data, but these are validated to start with `https://` and are only used for HEAD requests (no response body is read).
+
+**SSRF Verdict**: No SSRF vulnerability.
+
+---
+
+## Phase 7: Path Traversal Analysis
+
+All file paths in all scripts are derived from `__dirname`, `import.meta.url`, or hardcoded constants. No user-controlled input reaches any filesystem operation.
+
+**Path Traversal Verdict**: No vulnerability.
+
+---
+
+## Phase 8: Secrets Exposure Analysis
+
+| Check | Result |
+|-------|--------|
+| Hardcoded passwords/keys | NONE FOUND |
+| API keys in source | NONE FOUND |
+| `.env` files committed | NONE |
+| Secrets in git history | NOT FOUND |
+| CI secrets usage | `GITHUB_TOKEN` only, properly referenced |
+
+**Secrets Verdict**: Clean.
+
+---
+
+## Remediation Roadmap
+
+### Immediate (< 1 week)
+
+1. **SEC-08** [AUTO-FIX]: Replace placeholder email in SECURITY.md
+2. **SEC-06** [AUTO-FIX]: Add HTTPS enforcement to redirect following in validate-registry.js
+
+### Short-term (< 30 days)
+
+3. **SEC-01** [PROPOSE]: Pin all GitHub Actions to commit SHAs
+4. **SEC-04** [INFORM]: Add CSP meta tag to Layout component
+5. **SEC-07** [INFORM]: Tighten workflow permissions to job level
+
+### Medium-term (< 90 days)
+
+6. **SEC-02** [CONSULT]: Evaluate registry signing approach
+7. **SEC-03** [CONSULT]: Consider PR-based flow for registry updates
+8. **SEC-05** [INFORM]: Add response size limit to fetch
+
+---
+
+## Positive Security Observations
+
+The codebase demonstrates several security-conscious practices:
+
+1. **HTTPS enforcement**: `update-registry.js` rejects non-HTTPS artifact URLs (line 115)
+2. **Checksum validation**: Placeholder/zero checksums are rejected (lines 121-127)
+3. **URL reachability**: HEAD requests verify artifact URLs are live (lines 136-162)
+4. **Redirect limits**: Both scripts cap redirects at 5 to prevent infinite loops
+5. **Timeouts**: All HTTP requests have 10-second timeouts
+6. **Frozen lockfile**: CI uses `--frozen-lockfile` preventing dependency confusion
+7. **Dependency review**: PR-time dependency scanning with `fail-on-severity: moderate`
+8. **CodeQL**: Weekly and on-push SAST scanning
+9. **Minimal dependencies**: Only 2 runtime dependencies (Astro + shared core)
+10. **No `eval()` / `child_process`**: Scripts avoid dangerous Node.js APIs
+11. **Input sanitization**: `update-readme-versions.js` escapes regex special chars (line 41)
+12. **Static output**: Astro generates static HTML at build time; no server-side rendering attack surface
+13. **`rel="noopener noreferrer"`**: All external links use proper `rel` attributes
diff --git a/package.json b/package.json
index 70ad56a..bf90148 100644
--- a/package.json
+++ b/package.json
@@ -13,12 +13,14 @@
   },
   "dependencies": {
     "@jongio/azd-web-core": "^2.4.0",
-    "astro": "^5.17.1"
+    "astro": "^5.17.3"
   },
   "devDependencies": {
-    "@tailwindcss/vite": "^4.1.18",
-    "@types/node": "^25.2.1",
-    "tailwindcss": "^4.1.18",
+    "@tailwindcss/vite": "^4.2.1",
+    "@types/node": "^25.3.3",
+    "prettier": "^3.8.1",
+    "prettier-plugin-tailwindcss": "^0.7.2",
+    "tailwindcss": "^4.2.1",
     "typescript": "^5.9.3"
   },
   "repository": {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index f6db77e..6c25fca 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -10,19 +10,25 @@ importers:
     dependencies:
       '@jongio/azd-web-core':
         specifier: ^2.4.0
-        version: 2.4.0(astro@5.17.3(@types/node@25.3.0)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3))(tailwindcss@4.2.1)
+        version: 2.4.0(astro@5.17.3(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3))(tailwindcss@4.2.1)
       astro:
-        specifier: ^5.17.1
-        version: 5.17.3(@types/node@25.3.0)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3)
+        specifier: ^5.17.3
+        version: 5.17.3(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3)
     devDependencies:
       '@tailwindcss/vite':
-        specifier: ^4.1.18
-        version: 4.2.1(vite@6.4.1(@types/node@25.3.0)(jiti@2.6.1)(lightningcss@1.31.1))
+        specifier: ^4.2.1
+        version: 4.2.1(vite@6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1))
       '@types/node':
-        specifier: ^25.2.1
-        version: 25.3.0
+        specifier: ^25.3.3
+        version: 25.3.3
+      prettier:
+        specifier: ^3.8.1
+        version: 3.8.1
+      prettier-plugin-tailwindcss:
+        specifier: ^0.7.2
+        version: 0.7.2(prettier@3.8.1)
       tailwindcss:
-        specifier: ^4.1.18
+        specifier: ^4.2.1
         version: 4.2.1
       typescript:
         specifier: ^5.9.3
@@ -383,8 +389,8 @@ packages:
     cpu: [x64]
     os: [win32]
 
-  '@img/colour@1.0.0':
-    resolution: {integrity: sha512-A5P/LfWGFSl6nsckYtjw9da+19jB8hkJ6ACTGcDfEJ0aE+l2n2El7dsVM7UVHZQ9s2lmYMWlrS21YLy2IR1LUw==}
+  '@img/colour@1.1.0':
+    resolution: {integrity: sha512-Td76q7j57o/tLVdgS746cYARfSyxk8iEfRxewL9h4OMzYhbW4TAcppl0mT4eyqXddh6L/jwoM75mo7ixa/pCeQ==}
     engines: {node: '>=18'}
 
   '@img/sharp-darwin-arm64@0.34.5':
@@ -808,8 +814,8 @@ packages:
   '@types/nlcst@2.0.3':
     resolution: {integrity: sha512-vSYNSDe6Ix3q+6Z7ri9lyWqgGhJTmzRjZRqyq15N0Z/1/UnVsno9G/N40NBijoYx2seFDIl0+B2mgAb9mezUCA==}
 
-  '@types/node@25.3.0':
-    resolution: {integrity: sha512-4K3bqJpXpqfg2XKGK9bpDTc6xO/xoUP/RBWS7AtRMug6zZFaRekiLzjVtAoZMquxoAbzBvy5nxQ7veS5eYzf8A==}
+  '@types/node@25.3.3':
+    resolution: {integrity: sha512-DpzbrH7wIcBaJibpKo9nnSQL0MTRdnWttGyE5haGwK86xgMOkFLp7vEyfQPGLOJh5wNYiJ3V9PmUMDhV9u8kkQ==}
 
   '@types/unist@3.0.3':
     resolution: {integrity: sha512-ko/gIFJRv177XgZsZcBwnqJN5x/Gien8qNOn0D5bQU/zAzVf9Zt3BlcUiLqhV9y4ARk0GbT3tnUiPNgnTXzc/Q==}
@@ -1019,8 +1025,8 @@ packages:
   emoji-regex@8.0.0:
     resolution: {integrity: sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==}
 
-  enhanced-resolve@5.19.0:
-    resolution: {integrity: sha512-phv3E1Xl4tQOShqSte26C7Fl84EwUdZsyOuSSk9qtAGyyQs2s3jJzComh+Abf4g187lUUAvH+H26omrqia2aGg==}
+  enhanced-resolve@5.20.0:
+    resolution: {integrity: sha512-/ce7+jQ1PQ6rVXwe+jKEg5hW5ciicHwIQUagZkp6IufBoY3YDgdTTY1azVs0qoRgVmvsNB+rbjLJxDAeHHtwsQ==}
     engines: {node: '>=10.13.0'}
 
   entities@4.5.0:
@@ -1475,6 +1481,66 @@ packages:
     resolution: {integrity: sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==}
     engines: {node: ^10 || ^12 || >=14}
 
+  prettier-plugin-tailwindcss@0.7.2:
+    resolution: {integrity: sha512-LkphyK3Fw+q2HdMOoiEHWf93fNtYJwfamoKPl7UwtjFQdei/iIBoX11G6j706FzN3ymX9mPVi97qIY8328vdnA==}
+    engines: {node: '>=20.19'}
+    peerDependencies:
+      '@ianvs/prettier-plugin-sort-imports': '*'
+      '@prettier/plugin-hermes': '*'
+      '@prettier/plugin-oxc': '*'
+      '@prettier/plugin-pug': '*'
+      '@shopify/prettier-plugin-liquid': '*'
+      '@trivago/prettier-plugin-sort-imports': '*'
+      '@zackad/prettier-plugin-twig': '*'
+      prettier: ^3.0
+      prettier-plugin-astro: '*'
+      prettier-plugin-css-order: '*'
+      prettier-plugin-jsdoc: '*'
+      prettier-plugin-marko: '*'
+      prettier-plugin-multiline-arrays: '*'
+      prettier-plugin-organize-attributes: '*'
+      prettier-plugin-organize-imports: '*'
+      prettier-plugin-sort-imports: '*'
+      prettier-plugin-svelte: '*'
+    peerDependenciesMeta:
+      '@ianvs/prettier-plugin-sort-imports':
+        optional: true
+      '@prettier/plugin-hermes':
+        optional: true
+      '@prettier/plugin-oxc':
+        optional: true
+      '@prettier/plugin-pug':
+        optional: true
+      '@shopify/prettier-plugin-liquid':
+        optional: true
+      '@trivago/prettier-plugin-sort-imports':
+        optional: true
+      '@zackad/prettier-plugin-twig':
+        optional: true
+      prettier-plugin-astro:
+        optional: true
+      prettier-plugin-css-order:
+        optional: true
+      prettier-plugin-jsdoc:
+        optional: true
+      prettier-plugin-marko:
+        optional: true
+      prettier-plugin-multiline-arrays:
+        optional: true
+      prettier-plugin-organize-attributes:
+        optional: true
+      prettier-plugin-organize-imports:
+        optional: true
+      prettier-plugin-sort-imports:
+        optional: true
+      prettier-plugin-svelte:
+        optional: true
+
+  prettier@3.8.1:
+    resolution: {integrity: sha512-UOnG6LftzbdaHZcKoPFtOcCKztrQ57WkHDeRD9t/PTQtmT0NHSeWWepj6pS0z/N7+08BHFDQVUrfmfMRcZwbMg==}
+    engines: {node: '>=14'}
+    hasBin: true
+
   prismjs@1.30.0:
     resolution: {integrity: sha512-DEvV2ZF2r2/63V+tK8hQvrR2ZGn10srHbXviTlcv7Kpzw8jWiNTqbVgjO3IY8RxrrOUF8VPMQQFysYYYv0YZxw==}
     engines: {node: '>=6'}
@@ -1547,8 +1613,8 @@ packages:
     engines: {node: '>=18.0.0', npm: '>=8.0.0'}
     hasBin: true
 
-  sax@1.4.4:
-    resolution: {integrity: sha512-1n3r/tGXO6b6VXMdFT54SHzT9ytu9yr7TaELowdYpMqY/Ao7EnlQGmAQ1+RatX7Tkkdm6hONI2owqNx2aZj5Sw==}
+  sax@1.5.0:
+    resolution: {integrity: sha512-21IYA3Q5cQf089Z6tgaUTr7lDAyzoTPx5HRtbhsME8Udispad8dC/+sziTNugOEx54ilvatQ9YCzl4KQLPcRHA==}
     engines: {node: '>=11.0.0'}
 
   semver@7.7.4:
@@ -1592,8 +1658,8 @@ packages:
     resolution: {integrity: sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==}
     engines: {node: '>=8'}
 
-  strip-ansi@7.1.2:
-    resolution: {integrity: sha512-gmBGslpoQJtgnMAvOVqGZpEz9dyoKTCzy2nfz/n8aIFhN/jCE/rCmcxabB6jOOHV+0WNnylOxaxBQPSvcWklhA==}
+  strip-ansi@7.2.0:
+    resolution: {integrity: sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==}
     engines: {node: '>=12'}
 
   svgo@4.0.0:
@@ -2088,7 +2154,7 @@ snapshots:
   '@esbuild/win32-x64@0.27.3':
     optional: true
 
-  '@img/colour@1.0.0':
+  '@img/colour@1.1.0':
     optional: true
 
   '@img/sharp-darwin-arm64@0.34.5':
@@ -2185,9 +2251,9 @@ snapshots:
   '@img/sharp-win32-x64@0.34.5':
     optional: true
 
-  '@jongio/azd-web-core@2.4.0(astro@5.17.3(@types/node@25.3.0)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3))(tailwindcss@4.2.1)':
+  '@jongio/azd-web-core@2.4.0(astro@5.17.3(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3))(tailwindcss@4.2.1)':
     dependencies:
-      astro: 5.17.3(@types/node@25.3.0)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3)
+      astro: 5.17.3(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3)
       tailwindcss: 4.2.1
 
   '@jridgewell/gen-mapping@0.3.13':
@@ -2330,7 +2396,7 @@ snapshots:
   '@tailwindcss/node@4.2.1':
     dependencies:
       '@jridgewell/remapping': 2.3.5
-      enhanced-resolve: 5.19.0
+      enhanced-resolve: 5.20.0
       jiti: 2.6.1
       lightningcss: 1.31.1
       magic-string: 0.30.21
@@ -2388,12 +2454,12 @@ snapshots:
       '@tailwindcss/oxide-win32-arm64-msvc': 4.2.1
       '@tailwindcss/oxide-win32-x64-msvc': 4.2.1
 
-  '@tailwindcss/vite@4.2.1(vite@6.4.1(@types/node@25.3.0)(jiti@2.6.1)(lightningcss@1.31.1))':
+  '@tailwindcss/vite@4.2.1(vite@6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1))':
     dependencies:
       '@tailwindcss/node': 4.2.1
       '@tailwindcss/oxide': 4.2.1
       tailwindcss: 4.2.1
-      vite: 6.4.1(@types/node@25.3.0)(jiti@2.6.1)(lightningcss@1.31.1)
+      vite: 6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)
 
   '@types/debug@4.1.12':
     dependencies:
@@ -2415,7 +2481,7 @@ snapshots:
     dependencies:
       '@types/unist': 3.0.3
 
-  '@types/node@25.3.0':
+  '@types/node@25.3.3':
     dependencies:
       undici-types: 7.18.2
 
@@ -2446,7 +2512,7 @@ snapshots:
 
   array-iterate@2.0.1: {}
 
-  astro@5.17.3(@types/node@25.3.0)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3):
+  astro@5.17.3(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3):
     dependencies:
       '@astrojs/compiler': 2.13.1
       '@astrojs/internal-helpers': 0.7.5
@@ -2503,8 +2569,8 @@ snapshots:
       unist-util-visit: 5.1.0
       unstorage: 1.17.4
       vfile: 6.0.3
-      vite: 6.4.1(@types/node@25.3.0)(jiti@2.6.1)(lightningcss@1.31.1)
-      vitefu: 1.1.2(vite@6.4.1(@types/node@25.3.0)(jiti@2.6.1)(lightningcss@1.31.1))
+      vite: 6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)
+      vitefu: 1.1.2(vite@6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1))
       xxhash-wasm: 1.1.0
       yargs-parser: 21.1.1
       yocto-spinner: 0.2.3
@@ -2683,7 +2749,7 @@ snapshots:
 
   emoji-regex@8.0.0: {}
 
-  enhanced-resolve@5.19.0:
+  enhanced-resolve@5.20.0:
     dependencies:
       graceful-fs: 4.2.11
       tapable: 2.3.0
@@ -3376,6 +3442,12 @@ snapshots:
       picocolors: 1.1.1
       source-map-js: 1.2.1
 
+  prettier-plugin-tailwindcss@0.7.2(prettier@3.8.1):
+    dependencies:
+      prettier: 3.8.1
+
+  prettier@3.8.1: {}
+
   prismjs@1.30.0: {}
 
   prompts@2.4.2:
@@ -3521,13 +3593,13 @@ snapshots:
       '@rollup/rollup-win32-x64-msvc': 4.59.0
       fsevents: 2.3.3
 
-  sax@1.4.4: {}
+  sax@1.5.0: {}
 
   semver@7.7.4: {}
 
   sharp@0.34.5:
     dependencies:
-      '@img/colour': 1.0.0
+      '@img/colour': 1.1.0
       detect-libc: 2.1.2
       semver: 7.7.4
     optionalDependencies:
@@ -3586,7 +3658,7 @@ snapshots:
     dependencies:
       emoji-regex: 10.6.0
       get-east-asian-width: 1.5.0
-      strip-ansi: 7.1.2
+      strip-ansi: 7.2.0
 
   stringify-entities@4.0.4:
     dependencies:
@@ -3597,7 +3669,7 @@ snapshots:
     dependencies:
       ansi-regex: 5.0.1
 
-  strip-ansi@7.1.2:
+  strip-ansi@7.2.0:
     dependencies:
       ansi-regex: 6.2.2
 
@@ -3609,7 +3681,7 @@ snapshots:
       css-what: 6.2.2
       csso: 5.0.5
       picocolors: 1.1.1
-      sax: 1.4.4
+      sax: 1.5.0
 
   tailwindcss@4.2.1: {}
 
@@ -3731,7 +3803,7 @@ snapshots:
       '@types/unist': 3.0.3
       vfile-message: 4.0.3
 
-  vite@6.4.1(@types/node@25.3.0)(jiti@2.6.1)(lightningcss@1.31.1):
+  vite@6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1):
     dependencies:
       esbuild: 0.25.12
       fdir: 6.5.0(picomatch@4.0.3)
@@ -3740,14 +3812,14 @@ snapshots:
       rollup: 4.59.0
       tinyglobby: 0.2.15
     optionalDependencies:
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
       fsevents: 2.3.3
       jiti: 2.6.1
       lightningcss: 1.31.1
 
-  vitefu@1.1.2(vite@6.4.1(@types/node@25.3.0)(jiti@2.6.1)(lightningcss@1.31.1)):
+  vitefu@1.1.2(vite@6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)):
     optionalDependencies:
-      vite: 6.4.1(@types/node@25.3.0)(jiti@2.6.1)(lightningcss@1.31.1)
+      vite: 6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)
 
   web-namespaces@2.0.1: {}
 
@@ -3761,7 +3833,7 @@ snapshots:
     dependencies:
       ansi-styles: 6.2.3
       string-width: 7.2.0
-      strip-ansi: 7.1.2
+      strip-ansi: 7.2.0
 
   xxhash-wasm@1.1.0: {}
 
diff --git a/scripts/install-all.ps1 b/scripts/install-all.ps1
index 4e5d48e..e1be755 100644
--- a/scripts/install-all.ps1
+++ b/scripts/install-all.ps1
@@ -25,7 +25,8 @@ $registryUrl = "https://jongio.github.io/azd-extensions/registry.json"
 $extensions = @(
     @{ Name = "azd-app";     Id = "jongio.azd.app";     Path = Join-Path $parentDir "azd-app\cli" },
     @{ Name = "azd-copilot"; Id = "jongio.azd.copilot"; Path = Join-Path $parentDir "azd-copilot\cli" },
-    @{ Name = "azd-exec";    Id = "jongio.azd.exec";    Path = Join-Path $parentDir "azd-exec\cli" }
+    @{ Name = "azd-exec";    Id = "jongio.azd.exec";    Path = Join-Path $parentDir "azd-exec\cli" },
+    @{ Name = "azd-rest";    Id = "jongio.azd.rest";    Path = Join-Path $parentDir "azd-rest\cli" }
 )
 
 # Ensure the jongio extension source is registered
diff --git a/scripts/lib/semver.js b/scripts/lib/semver.js
new file mode 100644
index 0000000..08f89d8
--- /dev/null
+++ b/scripts/lib/semver.js
@@ -0,0 +1,49 @@
+/**
+ * Shared semver comparison utility for registry scripts.
+ *
+ * Handles strict major.minor.patch versions. Rejects pre-release suffixes
+ * and non-numeric components rather than silently degrading.
+ */
+
+/**
+ * Parse a semver string into its numeric components.
+ * Throws if any component is not a non-negative integer.
+ *
+ * @param {string} version - Semver string (e.g., "1.2.3")
+ * @returns {number[]} Array of [major, minor, patch]
+ */
+export function parseSemver(version) {
+  const parts = version.split('.');
+  const nums = parts.map((part, i) => {
+    const n = Number(part);
+    if (!Number.isInteger(n) || n < 0) {
+      throw new Error(
+        `Invalid semver component "${part}" at position ${i} in version "${version}"`
+      );
+    }
+    return n;
+  });
+  return nums;
+}
+
+/**
+ * Compare two semver strings (major.minor.patch) for sorting ascending.
+ * Returns negative if a < b, positive if a > b, 0 if equal.
+ *
+ * Throws on invalid version strings (pre-release suffixes, non-numeric parts)
+ * rather than silently producing incorrect sort order.
+ *
+ * @param {string} a - First version string
+ * @param {string} b - Second version string
+ * @returns {number} Comparison result for Array.sort()
+ */
+export function compareSemver(a, b) {
+  const pa = parseSemver(a);
+  const pb = parseSemver(b);
+  const len = Math.max(pa.length, pb.length);
+  for (let i = 0; i < len; i++) {
+    const diff = (pa[i] || 0) - (pb[i] || 0);
+    if (diff !== 0) return diff;
+  }
+  return 0;
+}
diff --git a/scripts/uninstall-all.ps1 b/scripts/uninstall-all.ps1
index 974e3f4..b353078 100644
--- a/scripts/uninstall-all.ps1
+++ b/scripts/uninstall-all.ps1
@@ -15,7 +15,8 @@ $registrySource = "jongio"
 $extensions = @(
     @{ Name = "azd-app";     Id = "jongio.azd.app" },
     @{ Name = "azd-copilot"; Id = "jongio.azd.copilot" },
-    @{ Name = "azd-exec";    Id = "jongio.azd.exec" }
+    @{ Name = "azd-exec";    Id = "jongio.azd.exec" },
+    @{ Name = "azd-rest";    Id = "jongio.azd.rest" }
 )
 
 Write-Host "`n🗑️  Uninstalling all azd extensions...`n" -ForegroundColor Cyan
diff --git a/scripts/update-readme-versions.js b/scripts/update-readme-versions.js
index 1b4d0d9..be6077f 100644
--- a/scripts/update-readme-versions.js
+++ b/scripts/update-readme-versions.js
@@ -3,6 +3,7 @@
 import { readFileSync, writeFileSync } from 'fs';
 import { join, dirname } from 'path';
 import { fileURLToPath } from 'url';
+import { compareSemver } from './lib/semver.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const root = join(__dirname, '..');
@@ -19,18 +20,10 @@ for (const ext of registry.extensions) {
   const parts = ext.id.split('.');
   const repoName = parts.slice(1).join('-');
 
-  // Find highest version using semver-style comparison
+  // Find highest version using shared semver comparison
   const latest = ext.versions
     .map((v) => v.version)
-    .sort((a, b) => {
-      const pa = a.split('.').map(Number);
-      const pb = b.split('.').map(Number);
-      for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
-        const diff = (pa[i] || 0) - (pb[i] || 0);
-        if (diff !== 0) return diff;
-      }
-      return 0;
-    })
+    .sort(compareSemver)
     .pop();
 
   if (latest) {
@@ -43,9 +36,12 @@ let readme = readFileSync(readmePath, 'utf8');
 let updated = readme;
 
 for (const [repoName, version] of latestVersions) {
+  // Escape regex special characters in repoName to prevent injection,
+  // then allow dash to also match dots (azd-app matches azd.app in table)
+  const escapedName = repoName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&').replace(/-/g, '[-.]');
   // Match table rows containing the repo name and update the version at the end
   const pattern = new RegExp(
-    `(\\|[^|]*${repoName.replace(/-/g, '[-\\\\.]')}[^|]*\\|[^|]*\\|)\\s*v?[0-9]+\\.[0-9]+\\.[0-9]+\\s*(\\|)`,
+    `(\\|[^|]*${escapedName}[^|]*\\|[^|]*\\|)\\s*v?[0-9]+\\.[0-9]+\\.[0-9]+\\s*(\\|)`,
     'g',
   );
   updated = updated.replace(pattern, `$1 v${version} $2`);
diff --git a/scripts/update-registry.js b/scripts/update-registry.js
index afb8c3c..4eabd31 100644
--- a/scripts/update-registry.js
+++ b/scripts/update-registry.js
@@ -8,36 +8,36 @@
 
 import { writeFileSync } from 'fs';
 import https from 'https';
+import { compareSemver } from './lib/semver.js';
 
 const REGISTRY_FILE = 'public/registry.json';
 
-/**
- * Compare two semver strings (major.minor.patch) for sorting ascending.
- * Returns negative if a < b, positive if a > b, 0 if equal.
- */
-function compareSemver(a, b) {
-  const pa = a.split('.').map(Number);
-  const pb = b.split('.').map(Number);
-  for (let i = 0; i < 3; i++) {
-    const diff = (pa[i] || 0) - (pb[i] || 0);
-    if (diff !== 0) return diff;
-  }
-  return 0;
-}
-
 /**
  * HEAD request with redirect following. Returns HTTP status code.
+ * Only follows redirects to HTTPS URLs to prevent downgrade attacks.
  */
 function headRequest(url, redirectCount = 0) {
   return new Promise((resolve, reject) => {
     if (redirectCount > 5) return resolve(0);
+    if (!url.startsWith('https://')) {
+      console.warn(`  ⚠ Refusing non-HTTPS URL: ${url}`);
+      return resolve(0);
+    }
     const req = https.request(url, { method: 'HEAD', timeout: 10_000 }, (res) => {
       if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
-        return headRequest(res.headers.location, redirectCount + 1).then(resolve).catch(reject);
+        const redirectTarget = new URL(res.headers.location, url).href;
+        if (!redirectTarget.startsWith('https://')) {
+          console.warn(`  ⚠ Refusing redirect to non-HTTPS URL: ${redirectTarget}`);
+          return resolve(0);
+        }
+        return headRequest(redirectTarget, redirectCount + 1).then(resolve).catch(reject);
       }
       resolve(res.statusCode);
     });
-    req.on('error', () => resolve(0));
+    req.on('error', (err) => {
+      console.warn(`  ⚠ HEAD request failed for ${url}: ${err.message}`);
+      resolve(0);
+    });
     req.on('timeout', () => {
       req.destroy();
       resolve(0);
@@ -54,8 +54,26 @@ const EXTENSION_SOURCES = [
   'https://raw.githubusercontent.com/jongio/azd-rest/refs/heads/main/registry.json',
 ];
 
+// Allowed hostname for artifact download URLs (GitHub releases only)
+const ALLOWED_ARTIFACT_HOST = 'github.com';
+
+/**
+ * Validate that an artifact URL points to an allowed domain.
+ * Prevents a compromised upstream registry from redirecting downloads
+ * to attacker-controlled infrastructure.
+ */
+function isAllowedArtifactUrl(url) {
+  try {
+    const parsed = new URL(url);
+    return parsed.protocol === 'https:' && parsed.hostname.endsWith(ALLOWED_ARTIFACT_HOST);
+  } catch {
+    return false;
+  }
+}
+
 /**
- * Fetch registry JSON from a URL
+ * Fetch registry JSON from a URL.
+ * Enforces a 5 MB size limit to prevent DoS from oversized responses.
  */
 async function fetchRegistry(url) {
   console.log(`Fetching ${url}...`);
@@ -65,7 +83,18 @@ async function fetchRegistry(url) {
     throw new Error(`Failed to fetch ${url}: ${response.statusText}`);
   }
 
-  return await response.json();
+  const MAX_REGISTRY_SIZE = 5 * 1024 * 1024; // 5 MB
+  const contentLength = response.headers.get('content-length');
+  if (contentLength && parseInt(contentLength, 10) > MAX_REGISTRY_SIZE) {
+    throw new Error(`Registry at ${url} exceeds maximum size of ${MAX_REGISTRY_SIZE} bytes`);
+  }
+
+  const text = await response.text();
+  if (text.length > MAX_REGISTRY_SIZE) {
+    throw new Error(`Registry at ${url} exceeds maximum size of ${MAX_REGISTRY_SIZE} bytes`);
+  }
+
+  return JSON.parse(text);
 }
 
 /**
@@ -120,20 +149,30 @@ async function main() {
           console.log(`  ⚠ Dropping ${ext.id}@${ver.version}: missing required platforms`);
           return false;
         }
-        // All artifact URLs must be valid HTTPS URLs
+        // All artifact URLs must be valid HTTPS URLs from allowed domains
         for (const [, artifact] of Object.entries(artifacts)) {
           if (!artifact.url || !artifact.url.startsWith('https://')) {
             console.log(`  ⚠ Dropping ${ext.id}@${ver.version}: non-HTTPS or missing artifact URL`);
             return false;
           }
+          if (!isAllowedArtifactUrl(artifact.url)) {
+            console.log(`  ⚠ Dropping ${ext.id}@${ver.version}: artifact URL from disallowed domain — ${artifact.url}`);
+            return false;
+          }
         }
-        // Must not have zero/placeholder checksums
+        // Must not have zero/placeholder checksums or weak hash algorithms
+        const ALLOWED_HASH_ALGORITHMS = ['sha256', 'sha384', 'sha512'];
         for (const [, artifact] of Object.entries(artifacts)) {
           const value = artifact.checksum?.value || '';
           if (/^0+$/.test(value)) {
             console.log(`  ⚠ Dropping ${ext.id}@${ver.version}: placeholder checksum`);
             return false;
           }
+          const algorithm = (artifact.checksum?.algorithm || '').toLowerCase();
+          if (algorithm && !ALLOWED_HASH_ALGORITHMS.includes(algorithm)) {
+            console.log(`  ⚠ Dropping ${ext.id}@${ver.version}: weak checksum algorithm "${algorithm}"`);
+            return false;
+          }
         }
         return true;
       });
diff --git a/scripts/validate-registry.js b/scripts/validate-registry.js
index 5112cc2..cac251f 100644
--- a/scripts/validate-registry.js
+++ b/scripts/validate-registry.js
@@ -16,7 +16,7 @@ import { readFileSync } from 'fs';
 import { fileURLToPath } from 'url';
 import { dirname, resolve } from 'path';
 import https from 'https';
-import http from 'http';
+import { compareSemver } from './lib/semver.js';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
@@ -31,34 +31,32 @@ const REQUIRED_PLATFORMS = [
   'linux/arm64',
 ];
 
-const OPTIONAL_PLATFORMS = ['windows/arm64'];
+// Allowed hostname for artifact download URLs
+const ALLOWED_ARTIFACT_HOST = 'github.com';
+
+// Acceptable checksum algorithms (reject weak hashes like MD5, SHA1)
+const ALLOWED_HASH_ALGORITHMS = ['sha256', 'sha384', 'sha512'];
 
 const URL_TIMEOUT_MS = 10_000;
 const MAX_REDIRECTS = 5;
 
 // ── Helpers ──────────────────────────────────────────────────────────────────
 
-function compareSemver(a, b) {
-  const pa = a.split('.').map(Number);
-  const pb = b.split('.').map(Number);
-  for (let i = 0; i < 3; i++) {
-    const diff = (pa[i] || 0) - (pb[i] || 0);
-    if (diff !== 0) return diff;
-  }
-  return 0;
-}
-
 /**
- * Perform an HTTP(S) HEAD request, following redirects up to `maxRedirects`.
+ * Perform an HTTPS HEAD request, following redirects up to `maxRedirects`.
+ * Rejects redirects to non-HTTPS URLs to prevent downgrade attacks.
  * Resolves with the final status code or rejects on error / timeout.
  */
 function headRequest(url, maxRedirects = MAX_REDIRECTS) {
   return new Promise((resolvePromise, reject) => {
     const doRequest = (targetUrl, redirectsLeft) => {
       const parsedUrl = new URL(targetUrl);
-      const lib = parsedUrl.protocol === 'https:' ? https : http;
+      if (parsedUrl.protocol !== 'https:') {
+        reject(new Error(`Refusing non-HTTPS URL: ${targetUrl}`));
+        return;
+      }
 
-      const req = lib.request(
+      const req = https.request(
         targetUrl,
         { method: 'HEAD', timeout: URL_TIMEOUT_MS },
         (res) => {
@@ -139,6 +137,8 @@ function validateChecksums(extId, latestVersion) {
       fail(`[${extId}@${latestVersion.version}] ${platform}: missing checksum`);
     } else if (!checksum.algorithm) {
       fail(`[${extId}@${latestVersion.version}] ${platform}: checksum missing algorithm`);
+    } else if (!ALLOWED_HASH_ALGORITHMS.includes(checksum.algorithm.toLowerCase())) {
+      fail(`[${extId}@${latestVersion.version}] ${platform}: weak checksum algorithm "${checksum.algorithm}" (allowed: ${ALLOWED_HASH_ALGORITHMS.join(', ')})`);
     } else if (!checksum.value) {
       fail(`[${extId}@${latestVersion.version}] ${platform}: checksum missing value`);
     } else if (/^0+$/.test(checksum.value)) {
@@ -165,6 +165,17 @@ function validateAllVersions(extId, versions) {
         fail(
           `[${extId}@${ver.version}] ${platform}: non-HTTPS or missing URL — ${artifact.url || '(none)'}`
         );
+      } else {
+        try {
+          const parsed = new URL(artifact.url);
+          if (!parsed.hostname.endsWith(ALLOWED_ARTIFACT_HOST)) {
+            fail(
+              `[${extId}@${ver.version}] ${platform}: URL from disallowed domain — ${artifact.url}`
+            );
+          }
+        } catch {
+          fail(`[${extId}@${ver.version}] ${platform}: malformed URL — ${artifact.url}`);
+        }
       }
       const value = artifact.checksum?.value || '';
       if (/^0+$/.test(value)) {
diff --git a/scripts/watch-all.ps1 b/scripts/watch-all.ps1
index acd616c..7cc08f3 100644
--- a/scripts/watch-all.ps1
+++ b/scripts/watch-all.ps1
@@ -21,7 +21,8 @@ $parentDir = Split-Path -Parent $repoDir
 $extensions = @(
     @{ Name = "app";     Color = "Cyan";    Path = Join-Path $parentDir "azd-app\cli" },
     @{ Name = "copilot"; Color = "Magenta"; Path = Join-Path $parentDir "azd-copilot\cli" },
-    @{ Name = "exec";    Color = "Green";   Path = Join-Path $parentDir "azd-exec\cli" }
+    @{ Name = "exec";    Color = "Green";   Path = Join-Path $parentDir "azd-exec\cli" },
+    @{ Name = "rest";    Color = "Yellow";  Path = Join-Path $parentDir "azd-rest\cli" }
 )
 
 # Validate all repos exist before starting
diff --git a/src/components/ExtensionShowcase.astro b/src/components/ExtensionShowcase.astro
index b52c71e..584cde8 100644
--- a/src/components/ExtensionShowcase.astro
+++ b/src/components/ExtensionShowcase.astro
@@ -198,9 +198,9 @@ const { id, name, tagline, description, icon, website, repository, features, sce
       const command = (btn as HTMLElement).dataset.command || '';
       try {
         await navigator.clipboard.writeText(command);
-        btn.innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="20 6 9 17 4 12"/></svg>';
+        btn.innerHTML = '<svg aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="20 6 9 17 4 12"/></svg>';
       } catch {
-        btn.innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>';
+        btn.innerHTML = '<svg aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>';
       }
       setTimeout(() => { btn.innerHTML = originalHTML; copying = false; }, 1500);
     });
diff --git a/src/pages/index.astro b/src/pages/index.astro
index 5d5e4d2..a64c9b7 100644
--- a/src/pages/index.astro
+++ b/src/pages/index.astro
@@ -127,6 +127,7 @@ const installAzdTabs = [
   publishedDate="2025-11-09T20:22:39Z"
 >
   <Fragment slot="head">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; connect-src 'self'; base-uri 'self'; form-action 'none'; frame-ancestors 'none';" />
     <meta name="keywords" content="Azure, Azure Developer CLI, azd, azd extensions, azd app, azd exec, azd copilot, azd rest, Azure CLI, developer tools, Jon Gallant, jongio, Azure authentication, local development, AI assistant, REST API" />
     <meta name="robots" content="index, follow" />
     <link rel="icon" type="image/svg+xml" href="/azd-extensions/favicon.svg" />

From f56d4ff5751fd3d53c9ade819bab4c98ce361367 Mon Sep 17 00:00:00 2001
From: Jon Gallant <2163001+jongio@users.noreply.github.com>
Date: Tue, 3 Mar 2026 06:05:59 -0800
Subject: [PATCH 2/3] fix: add explicit permissions to spellcheck workflow

Add permissions: contents: read to resolve CodeQL
actions/missing-workflow-permissions alert.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/spellcheck.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml
index 9358aa8..67dd4c6 100644
--- a/.github/workflows/spellcheck.yml
+++ b/.github/workflows/spellcheck.yml
@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   spellcheck:
     runs-on: ubuntu-latest

From 77e93f18be8968c6e63cda3ee784942ba59742a7 Mon Sep 17 00:00:00 2001
From: Jon Gallant <2163001+jongio@users.noreply.github.com>
Date: Tue, 3 Mar 2026 06:28:03 -0800
Subject: [PATCH 3/3] chore: update to azd-web-core 2.4.1, add workflow
 permissions

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 package.json   |   2 +-
 pnpm-lock.yaml | 638 +++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 623 insertions(+), 17 deletions(-)

diff --git a/package.json b/package.json
index bf90148..e8396cb 100644
--- a/package.json
+++ b/package.json
@@ -12,7 +12,7 @@
     "update-readme-versions": "node scripts/update-readme-versions.js"
   },
   "dependencies": {
-    "@jongio/azd-web-core": "^2.4.0",
+    "@jongio/azd-web-core": "^2.4.1",
     "astro": "^5.17.3"
   },
   "devDependencies": {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 6c25fca..8e22e40 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -9,15 +9,15 @@ importers:
   .:
     dependencies:
       '@jongio/azd-web-core':
-        specifier: ^2.4.0
-        version: 2.4.0(astro@5.17.3(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3))(tailwindcss@4.2.1)
+        specifier: ^2.4.1
+        version: 2.4.1(astro@5.17.3(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3)(yaml@2.8.2))(prettier@3.8.1)(tailwindcss@4.2.1)(typescript@5.9.3)
       astro:
         specifier: ^5.17.3
-        version: 5.17.3(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3)
+        version: 5.17.3(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3)(yaml@2.8.2)
     devDependencies:
       '@tailwindcss/vite':
         specifier: ^4.2.1
-        version: 4.2.1(vite@6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1))
+        version: 4.2.1(vite@6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(yaml@2.8.2))
       '@types/node':
         specifier: ^25.3.3
         version: 25.3.3
@@ -36,12 +36,30 @@ importers:
 
 packages:
 
+  '@astrojs/check@0.9.6':
+    resolution: {integrity: sha512-jlaEu5SxvSgmfGIFfNgcn5/f+29H61NJzEMfAZ82Xopr4XBchXB1GVlcJsE+elUlsYSbXlptZLX+JMG3b/wZEA==}
+    hasBin: true
+    peerDependencies:
+      typescript: ^5.0.0
+
   '@astrojs/compiler@2.13.1':
     resolution: {integrity: sha512-f3FN83d2G/v32ipNClRKgYv30onQlMZX1vCeZMjPsMMPl1mDpmbl0+N5BYo4S/ofzqJyS5hvwacEo0CCVDn/Qg==}
 
   '@astrojs/internal-helpers@0.7.5':
     resolution: {integrity: sha512-vreGnYSSKhAjFJCWAwe/CNhONvoc5lokxtRoZims+0wa3KbHBdPHSSthJsKxPd8d/aic6lWKpRTYGY/hsgK6EA==}
 
+  '@astrojs/language-server@2.16.3':
+    resolution: {integrity: sha512-yO5K7RYCMXUfeDlnU6UnmtnoXzpuQc0yhlaCNZ67k1C/MiwwwvMZz+LGa+H35c49w5QBfvtr4w4Zcf5PcH8uYA==}
+    hasBin: true
+    peerDependencies:
+      prettier: ^3.0.0
+      prettier-plugin-astro: '>=0.11.0'
+    peerDependenciesMeta:
+      prettier:
+        optional: true
+      prettier-plugin-astro:
+        optional: true
+
   '@astrojs/markdown-remark@6.3.10':
     resolution: {integrity: sha512-kk4HeYR6AcnzC4QV8iSlOfh+N8TZ3MEStxPyenyCtemqn8IpEATBFMTJcfrNW32dgpt6MY3oCkMM/Tv3/I4G3A==}
 
@@ -53,6 +71,9 @@ packages:
     resolution: {integrity: sha512-UFBgfeldP06qu6khs/yY+q1cDAaArM2/7AEIqQ9Cuvf7B1hNLq0xDrZkct+QoIGyjq56y8IaE2I3CTvG99mlhQ==}
     engines: {node: 18.20.8 || ^20.3.0 || >=22.0.0}
 
+  '@astrojs/yaml2ts@0.2.2':
+    resolution: {integrity: sha512-GOfvSr5Nqy2z5XiwqTouBBpy5FyI6DEe+/g/Mk5am9SjILN1S5fOEvYK0GuWHg98yS/dobP4m8qyqw/URW35fQ==}
+
   '@babel/helper-string-parser@7.27.1':
     resolution: {integrity: sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==}
     engines: {node: '>=6.9.0'}
@@ -74,6 +95,27 @@ packages:
     resolution: {integrity: sha512-VERIM64vtTP1C4mxQ5thVT9fK0apjPFobqybMtA1UdUujWka24ERHbRHFGmpbbhp73MhV+KSsHQH9C6uOTdEQA==}
     engines: {node: '>=18'}
 
+  '@emmetio/abbreviation@2.3.3':
+    resolution: {integrity: sha512-mgv58UrU3rh4YgbE/TzgLQwJ3pFsHHhCLqY20aJq+9comytTXUDNGG/SMtSeMJdkpxgXSXunBGLD8Boka3JyVA==}
+
+  '@emmetio/css-abbreviation@2.1.8':
+    resolution: {integrity: sha512-s9yjhJ6saOO/uk1V74eifykk2CBYi01STTK3WlXWGOepyKa23ymJ053+DNQjpFcy1ingpaO7AxCcwLvHFY9tuw==}
+
+  '@emmetio/css-parser@0.4.1':
+    resolution: {integrity: sha512-2bC6m0MV/voF4CTZiAbG5MWKbq5EBmDPKu9Sb7s7nVcEzNQlrZP6mFFFlIaISM8X6514H9shWMme1fCm8cWAfQ==}
+
+  '@emmetio/html-matcher@1.3.0':
+    resolution: {integrity: sha512-NTbsvppE5eVyBMuyGfVu2CRrLvo7J4YHb6t9sBFLyY03WYhXET37qA4zOYUjBWFCRHO7pS1B9khERtY0f5JXPQ==}
+
+  '@emmetio/scanner@1.0.4':
+    resolution: {integrity: sha512-IqRuJtQff7YHHBk4G8YZ45uB9BaAGcwQeVzgj/zj8/UdOhtQpEIupUhSk8dys6spFIWVZVeK20CzGEnqR5SbqA==}
+
+  '@emmetio/stream-reader-utils@0.1.0':
+    resolution: {integrity: sha512-ZsZ2I9Vzso3Ho/pjZFsmmZ++FWeEd/txqybHTm4OgaZzdS8V9V/YYWQwg5TC38Z7uLWUV1vavpLLbjJtKubR1A==}
+
+  '@emmetio/stream-reader@2.2.0':
+    resolution: {integrity: sha512-fXVXEyFA5Yv3M3n8sUGT7+fvecGrZP4k6FnWWMSZVQf69kAq0LLpaBQLGcPR30m3zMmKYhECP4k/ZkzvhEW5kw==}
+
   '@emnapi/runtime@1.8.1':
     resolution: {integrity: sha512-mehfKSMWjjNol8659Z8KxEMrdSJDDot5SXMq00dM8BN4o+CLNXQ0xH2V7EchNHV4RmbZLmmPdEaXZc5H2FXmDg==}
 
@@ -526,8 +568,8 @@ packages:
     cpu: [x64]
     os: [win32]
 
-  '@jongio/azd-web-core@2.4.0':
-    resolution: {integrity: sha512-qxT3l/Uf1wMwbOuClXDX4oHRGzvSHrWy+PpDkoAgQZvIoAQwxIDZTvwSYqMCLRRTQGePjiEzLNEVpl7tTwHKBg==, tarball: https://npm.pkg.github.com/download/@jongio/azd-web-core/2.4.0/a48699c64efe80f3645d6931a0635b3a9ee4e6a8}
+  '@jongio/azd-web-core@2.4.1':
+    resolution: {integrity: sha512-lkzo2YnwRIUJjqVgB3DJ4dLjODgww/o1JBIRGKlTLgwJo3XvWkpo72fNO5a7bkdyNQg6nfe7OGnmLOayE6OhgA==, tarball: https://npm.pkg.github.com/download/@jongio/azd-web-core/2.4.1/46b9ae2f978eb0c52ce2adabe536dfbf5ea483dc}
     peerDependencies:
       astro: '>=5.0.0'
       tailwindcss: '>=4.0.0'
@@ -823,11 +865,48 @@ packages:
   '@ungap/structured-clone@1.3.0':
     resolution: {integrity: sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g==}
 
+  '@volar/kit@2.4.28':
+    resolution: {integrity: sha512-cKX4vK9dtZvDRaAzeoUdaAJEew6IdxHNCRrdp5Kvcl6zZOqb6jTOfk3kXkIkG3T7oTFXguEMt5+9ptyqYR84Pg==}
+    peerDependencies:
+      typescript: '*'
+
+  '@volar/language-core@2.4.28':
+    resolution: {integrity: sha512-w4qhIJ8ZSitgLAkVay6AbcnC7gP3glYM3fYwKV3srj8m494E3xtrCv6E+bWviiK/8hs6e6t1ij1s2Endql7vzQ==}
+
+  '@volar/language-server@2.4.28':
+    resolution: {integrity: sha512-NqcLnE5gERKuS4PUFwlhMxf6vqYo7hXtbMFbViXcbVkbZ905AIVWhnSo0ZNBC2V127H1/2zP7RvVOVnyITFfBw==}
+
+  '@volar/language-service@2.4.28':
+    resolution: {integrity: sha512-Rh/wYCZJrI5vCwMk9xyw/Z+MsWxlJY1rmMZPsxUoJKfzIRjS/NF1NmnuEcrMbEVGja00aVpCsInJfixQTMdvLw==}
+
+  '@volar/source-map@2.4.28':
+    resolution: {integrity: sha512-yX2BDBqJkRXfKw8my8VarTyjv48QwxdJtvRgUpNE5erCsgEUdI2DsLbpa+rOQVAJYshY99szEcRDmyHbF10ggQ==}
+
+  '@volar/typescript@2.4.28':
+    resolution: {integrity: sha512-Ja6yvWrbis2QtN4ClAKreeUZPVYMARDYZl9LMEv1iQ1QdepB6wn0jTRxA9MftYmYa4DQ4k/DaSZpFPUfxl8giw==}
+
+  '@vscode/emmet-helper@2.11.0':
+    resolution: {integrity: sha512-QLxjQR3imPZPQltfbWRnHU6JecWTF1QSWhx3GAKQpslx7y3Dp6sIIXhKjiUJ/BR9FX8PVthjr9PD6pNwOJfAzw==}
+
+  '@vscode/l10n@0.0.18':
+    resolution: {integrity: sha512-KYSIHVmslkaCDyw013pphY+d7x1qV8IZupYfeIfzNA+nsaWHbn5uPuQRvdRFsa9zFzGeudPuoGoZ1Op4jrJXIQ==}
+
   acorn@8.16.0:
     resolution: {integrity: sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==}
     engines: {node: '>=0.4.0'}
     hasBin: true
 
+  ajv-draft-04@1.0.0:
+    resolution: {integrity: sha512-mv00Te6nmYbRp5DCwclxtt7yV/joXJPGS7nM+97GdxvuttCOfgI3K4U25zboyeX0O+myI8ERluxQe5wljMmVIw==}
+    peerDependencies:
+      ajv: ^8.5.0
+    peerDependenciesMeta:
+      ajv:
+        optional: true
+
+  ajv@8.18.0:
+    resolution: {integrity: sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==}
+
   ansi-align@3.0.1:
     resolution: {integrity: sha512-IOfwwBF5iczOjp/WeY4YxyjqAFMQoZufdQWDd19SEExbVLNXqvpzSJ/M7Za4/sCPmQ0+GRquoA7bGcINcxew6w==}
 
@@ -839,6 +918,10 @@ packages:
     resolution: {integrity: sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==}
     engines: {node: '>=12'}
 
+  ansi-styles@4.3.0:
+    resolution: {integrity: sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==}
+    engines: {node: '>=8'}
+
   ansi-styles@6.2.3:
     resolution: {integrity: sha512-4Dj6M28JB+oAH8kFkTLUo+a2jwOFkuqb3yucU0CANcRRUbxS0cP0nZYCGjcc3BNXwRIsUVmDGgzawme7zvJHvg==}
     engines: {node: '>=12'}
@@ -899,6 +982,10 @@ packages:
   character-entities@2.0.2:
     resolution: {integrity: sha512-shx7oQ0Awen/BRIdkjkvz54PnEEI/EjwXDSIZp86/KKdbafHh1Df/RYGBhn4hbe2+uKC9FnT5UCEdyPz3ai9hQ==}
 
+  chokidar@4.0.3:
+    resolution: {integrity: sha512-Qgzu8kfBvo+cA4962jnP1KkS6Dop5NS6g7R5LFYJr4b8Ub94PPQXUksCw9PvXoeXPRRddRNC5C1JQUR2SMGtnA==}
+    engines: {node: '>= 14.16.0'}
+
   chokidar@5.0.0:
     resolution: {integrity: sha512-TQMmc3w+5AxjpL8iIiwebF73dRDF4fBIieAqGn9RGCWaEVwQ6Fb2cGe31Yns0RRIzii5goJ1Y7xbMwo1TxMplw==}
     engines: {node: '>= 20.19.0'}
@@ -911,10 +998,21 @@ packages:
     resolution: {integrity: sha512-/lzGpEWL/8PfI0BmBOPRwp0c/wFNX1RdUML3jK/RcSBA9T8mZDdQpqYBKtCFTOfQbwPqWEOpjqW+Fnayc0969g==}
     engines: {node: '>=10'}
 
+  cliui@8.0.1:
+    resolution: {integrity: sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==}
+    engines: {node: '>=12'}
+
   clsx@2.1.1:
     resolution: {integrity: sha512-eYm0QWBtUrBWZWG0d386OGAw16Z995PiOVo2B7bjWSbHedGl5e0ZWaq65kOGgUSNesEIDkB9ISbTg/JK9dhCZA==}
     engines: {node: '>=6'}
 
+  color-convert@2.0.1:
+    resolution: {integrity: sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==}
+    engines: {node: '>=7.0.0'}
+
+  color-name@1.1.4:
+    resolution: {integrity: sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==}
+
   comma-separated-tokens@2.0.3:
     resolution: {integrity: sha512-Fu4hJdvzeylCfQPp9SGWidpzrMs7tTrlu6Vb8XGaRGck8QSNZJJp538Wrb60Lax4fPwR64ViY468OIUTbRlGZg==}
 
@@ -1019,6 +1117,9 @@ packages:
     resolution: {integrity: sha512-2QF/g9/zTaPDc3BjNcVTGoBbXBgYfMTTceLaYcFJ/W9kggFUkhxD/hMEeuLKbugyef9SqAx8cpgwlIP/jinUTA==}
     engines: {node: '>=4'}
 
+  emmet@2.4.11:
+    resolution: {integrity: sha512-23QPJB3moh/U9sT4rQzGgeyyGIrcM+GH5uVYg2C6wZIxAIJq7Ng3QLT79tl8FUwDXhyq9SusfknOrofAKqvgyQ==}
+
   emoji-regex@10.6.0:
     resolution: {integrity: sha512-toUI84YS5YmxW219erniWD0CIVOo46xGKColeNQRgOzDorgBi1v4D71/OFzgD9GO2UGKIv1C3Sp8DAn0+j5w7A==}
 
@@ -1050,6 +1151,10 @@ packages:
     engines: {node: '>=18'}
     hasBin: true
 
+  escalade@3.2.0:
+    resolution: {integrity: sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA==}
+    engines: {node: '>=6'}
+
   escape-string-regexp@5.0.0:
     resolution: {integrity: sha512-/veY75JbMK4j1yjvuUxuVsiS/hr/4iHs9FTT6cgTexxdE0Ly/glccBAkloH/DofkjRbZU3bnoj38mOmhkZ0lHw==}
     engines: {node: '>=12'}
@@ -1066,6 +1171,12 @@ packages:
   extend@3.0.2:
     resolution: {integrity: sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==}
 
+  fast-deep-equal@3.1.3:
+    resolution: {integrity: sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==}
+
+  fast-uri@3.1.0:
+    resolution: {integrity: sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==}
+
   fdir@6.5.0:
     resolution: {integrity: sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==}
     engines: {node: '>=12.0.0'}
@@ -1091,6 +1202,10 @@ packages:
     engines: {node: ^8.16.0 || ^10.6.0 || >=11.0.0}
     os: [darwin]
 
+  get-caller-file@2.0.5:
+    resolution: {integrity: sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==}
+    engines: {node: 6.* || 8.* || >= 10.*}
+
   get-east-asian-width@1.5.0:
     resolution: {integrity: sha512-CQ+bEO+Tva/qlmw24dCejulK5pMzVnUOFOijVogd3KQs07HnRIgp8TGipvCCRT06xeYEbpbgwaCxglFyiuIcmA==}
     engines: {node: '>=18'}
@@ -1179,10 +1294,23 @@ packages:
     resolution: {integrity: sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==}
     hasBin: true
 
+  json-schema-traverse@1.0.0:
+    resolution: {integrity: sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==}
+
+  jsonc-parser@2.3.1:
+    resolution: {integrity: sha512-H8jvkz1O50L3dMZCsLqiuB2tA7muqbSg1AtGEkN0leAqGjsUzDJir3Zwr02BhqdcITPg3ei3mZ+HjMocAknhhg==}
+
+  jsonc-parser@3.3.1:
+    resolution: {integrity: sha512-HUgH65KyejrUFPvHFPbqOY0rsFip3Bo5wb4ngvdi1EpCYWUQDC5V+Y7mZws+DLkr4M//zQJoanu1SP+87Dv1oQ==}
+
   kleur@3.0.3:
     resolution: {integrity: sha512-eTIzlVOSUR+JxdDFepEYcBMtZ9Qqdef+rnzWdRZuMbOywu5tO2w2N7rqjoANZ5k9vywhL6Br1VRjUIgTQx4E8w==}
     engines: {node: '>=6'}
 
+  kleur@4.1.5:
+    resolution: {integrity: sha512-o+NO+8WrRiQEE4/7nwRJhN1HWpVmJm511pBHUxPLtp0BUISzlBplORYSmTclCnJvQq2tKu/sgl3xVpkc7ZWuQQ==}
+    engines: {node: '>=6'}
+
   lightningcss-android-arm64@1.31.1:
     resolution: {integrity: sha512-HXJF3x8w9nQ4jbXRiNppBCqeZPIAfUo8zE/kOEGbW5NZvGc/K7nMxbhIr+YlFlHW5mpbg/YFPdbnCh1wAXCKFg==}
     engines: {node: '>= 12.0.0'}
@@ -1253,6 +1381,9 @@ packages:
     resolution: {integrity: sha512-l51N2r93WmGUye3WuFoN5k10zyvrVs0qfKBhyC5ogUQ6Ew6JUSswh78mbSO+IU3nTWsyOArqPCcShdQSadghBQ==}
     engines: {node: '>= 12.0.0'}
 
+  lodash@4.17.21:
+    resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==}
+
   longest-streak@3.1.0:
     resolution: {integrity: sha512-9Ri+o0JYgehTaVBBDoMqIl8GXtbWg711O3srftcHhZ0dqnETqLaoIK0x17fUw9rFSlK/0NlsKe0Ahhyl5pXE2g==}
 
@@ -1405,6 +1536,9 @@ packages:
   ms@2.1.3:
     resolution: {integrity: sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==}
 
+  muggle-string@0.4.1:
+    resolution: {integrity: sha512-VNTrAak/KhO2i8dqqnqnAHOa3cYBwXEZe9h+D5h/1ZqFSTEFHdM65lR7RoIqq3tBBYavsOXV84NoHXZ0AkPyqQ==}
+
   nanoid@3.3.11:
     resolution: {integrity: sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==}
     engines: {node: ^10 || ^12 || ^13.7 || ^14 || >=15.0.1}
@@ -1463,6 +1597,9 @@ packages:
   parse5@7.3.0:
     resolution: {integrity: sha512-IInvU7fabl34qmi9gY8XOVxhYyMyuH2xUNpb2q8/Y+7552KlejkRvqvD19nMoUW/uQGGbqNpA6Tufu5FL5BZgw==}
 
+  path-browserify@1.0.1:
+    resolution: {integrity: sha512-b7uo2UCUOYZcnF/3ID0lulOJi/bafxa1xPe7ZPsammBSpjSWQkjNxlt635YGS2MiR9GjvuXCtz2emr3jbsz98g==}
+
   piccolore@0.1.3:
     resolution: {integrity: sha512-o8bTeDWjE086iwKrROaDf31K0qC/BENdm15/uH9usSC/uZjJOKb2YGiVHfLY4GhwsERiPI1jmwI2XrA7ACOxVw==}
 
@@ -1555,6 +1692,10 @@ packages:
   radix3@1.1.2:
     resolution: {integrity: sha512-b484I/7b8rDEdSDKckSSBA8knMpcdsXudlE/LNL639wFoHKwLbEkQFZHWEYwDC0wa0FKUcCY+GAF73Z7wxNVFA==}
 
+  readdirp@4.1.2:
+    resolution: {integrity: sha512-GDhwkLfywWL2s6vEjyhri+eXmfH6j1L7JE27WhqLeYzoh/A3DBaYGEj2H/HFZCn/kMfim73FXxEJTw06WtxQwg==}
+    engines: {node: '>= 14.18.0'}
+
   readdirp@5.0.0:
     resolution: {integrity: sha512-9u/XQ1pvrQtYyMpZe7DXKv2p5CNvyVwzUB6uhLAnQwHMSgKMBR62lc7AHljaeteeHXn11XTAaLLUVZYVZyuRBQ==}
     engines: {node: '>= 20.19.0'}
@@ -1596,6 +1737,20 @@ packages:
   remark-stringify@11.0.0:
     resolution: {integrity: sha512-1OSmLd3awB/t8qdoEOMazZkNsfVTeY4fTsgzcQFdXNq8ToTN4ZGwrMnlda4K6smTFKD+GRV6O48i6Z4iKgPPpw==}
 
+  request-light@0.5.8:
+    resolution: {integrity: sha512-3Zjgh+8b5fhRJBQZoy+zbVKpAQGLyka0MPgW3zruTF4dFFJ8Fqcfu9YsAvi/rvdcaTeWG3MkbZv4WKxAn/84Lg==}
+
+  request-light@0.7.0:
+    resolution: {integrity: sha512-lMbBMrDoxgsyO+yB3sDcrDuX85yYt7sS8BfQd11jtbW/z5ZWgLZRcEGLsLoYw7I0WSUGQBs8CC8ScIxkTX1+6Q==}
+
+  require-directory@2.1.1:
+    resolution: {integrity: sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q==}
+    engines: {node: '>=0.10.0'}
+
+  require-from-string@2.0.2:
+    resolution: {integrity: sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==}
+    engines: {node: '>=0.10.0'}
+
   retext-latin@4.0.0:
     resolution: {integrity: sha512-hv9woG7Fy0M9IlRQloq/N6atV82NxLGveq+3H2WOi79dtIYWN8OaxogDm77f8YnVXJL2VD3bbqowu5E3EMhBYA==}
 
@@ -1708,6 +1863,12 @@ packages:
     resolution: {integrity: sha512-TeTSQ6H5YHvpqVwBRcnLDCBnDOHWYu7IvGbHT6N8AOymcr9PJGjc1GTtiWZTYg0NCgYwvnYWEkVChQAr9bjfwA==}
     engines: {node: '>=16'}
 
+  typesafe-path@0.2.2:
+    resolution: {integrity: sha512-OJabfkAg1WLZSqJAJ0Z6Sdt3utnbzr/jh+NAHoyWHJe8CMSy79Gm085094M9nvTPy22KzTVn5Zq5mbapCI/hPA==}
+
+  typescript-auto-import-cache@0.3.6:
+    resolution: {integrity: sha512-RpuHXrknHdVdK7wv/8ug3Fr0WNsNi5l5aB8MYYuXhq2UH5lnEB1htJ1smhtD5VeCsGr2p8mUDtd83LCQDFVgjQ==}
+
   typescript@5.9.3:
     resolution: {integrity: sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==}
     engines: {node: '>=14.17'}
@@ -1877,6 +2038,98 @@ packages:
       vite:
         optional: true
 
+  volar-service-css@0.0.68:
+    resolution: {integrity: sha512-lJSMh6f3QzZ1tdLOZOzovLX0xzAadPhx8EKwraDLPxBndLCYfoTvnNuiFFV8FARrpAlW5C0WkH+TstPaCxr00Q==}
+    peerDependencies:
+      '@volar/language-service': ~2.4.0
+    peerDependenciesMeta:
+      '@volar/language-service':
+        optional: true
+
+  volar-service-emmet@0.0.68:
+    resolution: {integrity: sha512-nHvixrRQ83EzkQ4G/jFxu9Y4eSsXS/X2cltEPDM+K9qZmIv+Ey1w0tg1+6caSe8TU5Hgw4oSTwNMf/6cQb3LzQ==}
+    peerDependencies:
+      '@volar/language-service': ~2.4.0
+    peerDependenciesMeta:
+      '@volar/language-service':
+        optional: true
+
+  volar-service-html@0.0.68:
+    resolution: {integrity: sha512-fru9gsLJxy33xAltXOh4TEdi312HP80hpuKhpYQD4O5hDnkNPEBdcQkpB+gcX0oK0VxRv1UOzcGQEUzWCVHLfA==}
+    peerDependencies:
+      '@volar/language-service': ~2.4.0
+    peerDependenciesMeta:
+      '@volar/language-service':
+        optional: true
+
+  volar-service-prettier@0.0.68:
+    resolution: {integrity: sha512-grUmWHkHlebMOd6V8vXs2eNQUw/bJGJMjekh/EPf/p2ZNTK0Uyz7hoBRngcvGfJHMsSXZH8w/dZTForIW/4ihw==}
+    peerDependencies:
+      '@volar/language-service': ~2.4.0
+      prettier: ^2.2 || ^3.0
+    peerDependenciesMeta:
+      '@volar/language-service':
+        optional: true
+      prettier:
+        optional: true
+
+  volar-service-typescript-twoslash-queries@0.0.68:
+    resolution: {integrity: sha512-NugzXcM0iwuZFLCJg47vI93su5YhTIweQuLmZxvz5ZPTaman16JCvmDZexx2rd5T/75SNuvvZmrTOTNYUsfe5w==}
+    peerDependencies:
+      '@volar/language-service': ~2.4.0
+    peerDependenciesMeta:
+      '@volar/language-service':
+        optional: true
+
+  volar-service-typescript@0.0.68:
+    resolution: {integrity: sha512-z7B/7CnJ0+TWWFp/gh2r5/QwMObHNDiQiv4C9pTBNI2Wxuwymd4bjEORzrJ/hJ5Yd5+OzeYK+nFCKevoGEEeKw==}
+    peerDependencies:
+      '@volar/language-service': ~2.4.0
+    peerDependenciesMeta:
+      '@volar/language-service':
+        optional: true
+
+  volar-service-yaml@0.0.68:
+    resolution: {integrity: sha512-84XgE02LV0OvTcwfqhcSwVg4of3MLNUWPMArO6Aj8YXqyEVnPu8xTEMY2btKSq37mVAPuaEVASI4e3ptObmqcA==}
+    peerDependencies:
+      '@volar/language-service': ~2.4.0
+    peerDependenciesMeta:
+      '@volar/language-service':
+        optional: true
+
+  vscode-css-languageservice@6.3.10:
+    resolution: {integrity: sha512-eq5N9Er3fC4vA9zd9EFhyBG90wtCCuXgRSpAndaOgXMh1Wgep5lBgRIeDgjZBW9pa+332yC9+49cZMW8jcL3MA==}
+
+  vscode-html-languageservice@5.6.2:
+    resolution: {integrity: sha512-ulCrSnFnfQ16YzvwnYUgEbUEl/ZG7u2eV27YhvLObSHKkb8fw1Z9cgsnUwjTEeDIdJDoTDTDpxuhQwoenoLNMg==}
+
+  vscode-json-languageservice@4.1.8:
+    resolution: {integrity: sha512-0vSpg6Xd9hfV+eZAaYN63xVVMOTmJ4GgHxXnkLCh+9RsQBkWKIghzLhW2B9ebfG+LQQg8uLtsQ2aUKjTgE+QOg==}
+    engines: {npm: '>=7.0.0'}
+
+  vscode-jsonrpc@8.2.0:
+    resolution: {integrity: sha512-C+r0eKJUIfiDIfwJhria30+TYWPtuHJXHtI7J0YlOmKAo7ogxP20T0zxB7HZQIFhIyvoBPwWskjxrvAtfjyZfA==}
+    engines: {node: '>=14.0.0'}
+
+  vscode-languageserver-protocol@3.17.5:
+    resolution: {integrity: sha512-mb1bvRJN8SVznADSGWM9u/b07H7Ecg0I3OgXDuLdn307rl/J3A9YD6/eYOssqhecL27hK1IPZAsaqh00i/Jljg==}
+
+  vscode-languageserver-textdocument@1.0.12:
+    resolution: {integrity: sha512-cxWNPesCnQCcMPeenjKKsOCKQZ/L6Tv19DTRIGuLWe32lyzWhihGVJ/rcckZXJxfdKCFvRLS3fpBIsV/ZGX4zA==}
+
+  vscode-languageserver-types@3.17.5:
+    resolution: {integrity: sha512-Ld1VelNuX9pdF39h2Hgaeb5hEZM2Z3jUrrMgWQAu82jMtZp7p3vJT3BzToKtZI7NgQssZje5o0zryOrhQvzQAg==}
+
+  vscode-languageserver@9.0.1:
+    resolution: {integrity: sha512-woByF3PDpkHFUreUa7Hos7+pUWdeWMXRd26+ZX2A8cFx6v/JPTtd4/uN0/jB6XQHYaOlHbio03NTHCqrgG5n7g==}
+    hasBin: true
+
+  vscode-nls@5.2.0:
+    resolution: {integrity: sha512-RAaHx7B14ZU04EU31pT+rKz2/zSl7xMsfIZuo8pd+KZO6PXtQmpevpq3vxvWNcrGbdmhM/rr5Uw5Mz+NBfhVng==}
+
+  vscode-uri@3.1.0:
+    resolution: {integrity: sha512-/BpdSx+yCQGnCvecbyXdxHDkuk55/G3xwnC0GqY4gmQ3j+A+g8kzzgB4Nk/SINjqn6+waqw3EgbVF2QKExkRxQ==}
+
   web-namespaces@2.0.1:
     resolution: {integrity: sha512-bKr1DkiNa2krS7qxNtdrtHAmzuYGFQLiQ13TsorsdT6ULTkPLKuu5+GsFpDlg6JFjUTwX2DyhMPG2be8uPrqsQ==}
 
@@ -1888,6 +2141,10 @@ packages:
     resolution: {integrity: sha512-c9bZp7b5YtRj2wOe6dlj32MK+Bx/M/d+9VB2SHM1OtsUHR0aV0tdP6DWh/iMt0kWi1t5g1Iudu6hQRNd1A4PVA==}
     engines: {node: '>=18'}
 
+  wrap-ansi@7.0.0:
+    resolution: {integrity: sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==}
+    engines: {node: '>=10'}
+
   wrap-ansi@9.0.2:
     resolution: {integrity: sha512-42AtmgqjV+X1VpdOfyTGOYRi0/zsoLqtXQckTmqTeybT+BDIbM/Guxo7x3pE2vtpr1ok6xRqM9OpBe+Jyoqyww==}
     engines: {node: '>=18'}
@@ -1895,10 +2152,32 @@ packages:
   xxhash-wasm@1.1.0:
     resolution: {integrity: sha512-147y/6YNh+tlp6nd/2pWq38i9h6mz/EuQ6njIrmW8D1BS5nCqs0P6DG+m6zTGnNz5I+uhZ0SHxBs9BsPrwcKDA==}
 
+  y18n@5.0.8:
+    resolution: {integrity: sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==}
+    engines: {node: '>=10'}
+
+  yaml-language-server@1.19.2:
+    resolution: {integrity: sha512-9F3myNmJzUN/679jycdMxqtydPSDRAarSj3wPiF7pchEPnO9Dg07Oc+gIYLqXR4L+g+FSEVXXv2+mr54StLFOg==}
+    hasBin: true
+
+  yaml@2.7.1:
+    resolution: {integrity: sha512-10ULxpnOCQXxJvBgxsn9ptjq6uviG/htZKk9veJGhlqn3w/DxQ631zFF+nlQXLwmImeS5amR2dl2U8sg6U9jsQ==}
+    engines: {node: '>= 14'}
+    hasBin: true
+
+  yaml@2.8.2:
+    resolution: {integrity: sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==}
+    engines: {node: '>= 14.6'}
+    hasBin: true
+
   yargs-parser@21.1.1:
     resolution: {integrity: sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==}
     engines: {node: '>=12'}
 
+  yargs@17.7.2:
+    resolution: {integrity: sha512-7dSzzRQ++CKnNI/krKnYRV7JKKPUXMEh61soaHKg9mrWEhzFWhFnxPxGl+69cD1Ou63C13NUPCnmIcrvqCuM6w==}
+    engines: {node: '>=12'}
+
   yocto-queue@1.2.2:
     resolution: {integrity: sha512-4LCcse/U2MHZ63HAJVE+v71o7yOdIe4cZ70Wpf8D/IyjDKYQLV5GD46B+hSTjJsvV5PztjvHoU580EftxjDZFQ==}
     engines: {node: '>=12.20'}
@@ -1930,10 +2209,46 @@ packages:
 
 snapshots:
 
+  '@astrojs/check@0.9.6(prettier@3.8.1)(typescript@5.9.3)':
+    dependencies:
+      '@astrojs/language-server': 2.16.3(prettier@3.8.1)(typescript@5.9.3)
+      chokidar: 4.0.3
+      kleur: 4.1.5
+      typescript: 5.9.3
+      yargs: 17.7.2
+    transitivePeerDependencies:
+      - prettier
+      - prettier-plugin-astro
+
   '@astrojs/compiler@2.13.1': {}
 
   '@astrojs/internal-helpers@0.7.5': {}
 
+  '@astrojs/language-server@2.16.3(prettier@3.8.1)(typescript@5.9.3)':
+    dependencies:
+      '@astrojs/compiler': 2.13.1
+      '@astrojs/yaml2ts': 0.2.2
+      '@jridgewell/sourcemap-codec': 1.5.5
+      '@volar/kit': 2.4.28(typescript@5.9.3)
+      '@volar/language-core': 2.4.28
+      '@volar/language-server': 2.4.28
+      '@volar/language-service': 2.4.28
+      muggle-string: 0.4.1
+      tinyglobby: 0.2.15
+      volar-service-css: 0.0.68(@volar/language-service@2.4.28)
+      volar-service-emmet: 0.0.68(@volar/language-service@2.4.28)
+      volar-service-html: 0.0.68(@volar/language-service@2.4.28)
+      volar-service-prettier: 0.0.68(@volar/language-service@2.4.28)(prettier@3.8.1)
+      volar-service-typescript: 0.0.68(@volar/language-service@2.4.28)
+      volar-service-typescript-twoslash-queries: 0.0.68(@volar/language-service@2.4.28)
+      volar-service-yaml: 0.0.68(@volar/language-service@2.4.28)
+      vscode-html-languageservice: 5.6.2
+      vscode-uri: 3.1.0
+    optionalDependencies:
+      prettier: 3.8.1
+    transitivePeerDependencies:
+      - typescript
+
   '@astrojs/markdown-remark@6.3.10':
     dependencies:
       '@astrojs/internal-helpers': 0.7.5
@@ -1976,6 +2291,10 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  '@astrojs/yaml2ts@0.2.2':
+    dependencies:
+      yaml: 2.8.2
+
   '@babel/helper-string-parser@7.27.1': {}
 
   '@babel/helper-validator-identifier@7.28.5': {}
@@ -1993,6 +2312,29 @@ snapshots:
     dependencies:
       fontkitten: 1.0.2
 
+  '@emmetio/abbreviation@2.3.3':
+    dependencies:
+      '@emmetio/scanner': 1.0.4
+
+  '@emmetio/css-abbreviation@2.1.8':
+    dependencies:
+      '@emmetio/scanner': 1.0.4
+
+  '@emmetio/css-parser@0.4.1':
+    dependencies:
+      '@emmetio/stream-reader': 2.2.0
+      '@emmetio/stream-reader-utils': 0.1.0
+
+  '@emmetio/html-matcher@1.3.0':
+    dependencies:
+      '@emmetio/scanner': 1.0.4
+
+  '@emmetio/scanner@1.0.4': {}
+
+  '@emmetio/stream-reader-utils@0.1.0': {}
+
+  '@emmetio/stream-reader@2.2.0': {}
+
   '@emnapi/runtime@1.8.1':
     dependencies:
       tslib: 2.8.1
@@ -2251,10 +2593,15 @@ snapshots:
   '@img/sharp-win32-x64@0.34.5':
     optional: true
 
-  '@jongio/azd-web-core@2.4.0(astro@5.17.3(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3))(tailwindcss@4.2.1)':
+  '@jongio/azd-web-core@2.4.1(astro@5.17.3(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3)(yaml@2.8.2))(prettier@3.8.1)(tailwindcss@4.2.1)(typescript@5.9.3)':
     dependencies:
-      astro: 5.17.3(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3)
+      '@astrojs/check': 0.9.6(prettier@3.8.1)(typescript@5.9.3)
+      astro: 5.17.3(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3)(yaml@2.8.2)
       tailwindcss: 4.2.1
+    transitivePeerDependencies:
+      - prettier
+      - prettier-plugin-astro
+      - typescript
 
   '@jridgewell/gen-mapping@0.3.13':
     dependencies:
@@ -2454,12 +2801,12 @@ snapshots:
       '@tailwindcss/oxide-win32-arm64-msvc': 4.2.1
       '@tailwindcss/oxide-win32-x64-msvc': 4.2.1
 
-  '@tailwindcss/vite@4.2.1(vite@6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1))':
+  '@tailwindcss/vite@4.2.1(vite@6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(yaml@2.8.2))':
     dependencies:
       '@tailwindcss/node': 4.2.1
       '@tailwindcss/oxide': 4.2.1
       tailwindcss: 4.2.1
-      vite: 6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)
+      vite: 6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(yaml@2.8.2)
 
   '@types/debug@4.1.12':
     dependencies:
@@ -2489,8 +2836,69 @@ snapshots:
 
   '@ungap/structured-clone@1.3.0': {}
 
+  '@volar/kit@2.4.28(typescript@5.9.3)':
+    dependencies:
+      '@volar/language-service': 2.4.28
+      '@volar/typescript': 2.4.28
+      typesafe-path: 0.2.2
+      typescript: 5.9.3
+      vscode-languageserver-textdocument: 1.0.12
+      vscode-uri: 3.1.0
+
+  '@volar/language-core@2.4.28':
+    dependencies:
+      '@volar/source-map': 2.4.28
+
+  '@volar/language-server@2.4.28':
+    dependencies:
+      '@volar/language-core': 2.4.28
+      '@volar/language-service': 2.4.28
+      '@volar/typescript': 2.4.28
+      path-browserify: 1.0.1
+      request-light: 0.7.0
+      vscode-languageserver: 9.0.1
+      vscode-languageserver-protocol: 3.17.5
+      vscode-languageserver-textdocument: 1.0.12
+      vscode-uri: 3.1.0
+
+  '@volar/language-service@2.4.28':
+    dependencies:
+      '@volar/language-core': 2.4.28
+      vscode-languageserver-protocol: 3.17.5
+      vscode-languageserver-textdocument: 1.0.12
+      vscode-uri: 3.1.0
+
+  '@volar/source-map@2.4.28': {}
+
+  '@volar/typescript@2.4.28':
+    dependencies:
+      '@volar/language-core': 2.4.28
+      path-browserify: 1.0.1
+      vscode-uri: 3.1.0
+
+  '@vscode/emmet-helper@2.11.0':
+    dependencies:
+      emmet: 2.4.11
+      jsonc-parser: 2.3.1
+      vscode-languageserver-textdocument: 1.0.12
+      vscode-languageserver-types: 3.17.5
+      vscode-uri: 3.1.0
+
+  '@vscode/l10n@0.0.18': {}
+
   acorn@8.16.0: {}
 
+  ajv-draft-04@1.0.0(ajv@8.18.0):
+    optionalDependencies:
+      ajv: 8.18.0
+
+  ajv@8.18.0:
+    dependencies:
+      fast-deep-equal: 3.1.3
+      fast-uri: 3.1.0
+      json-schema-traverse: 1.0.0
+      require-from-string: 2.0.2
+
   ansi-align@3.0.1:
     dependencies:
       string-width: 4.2.3
@@ -2499,6 +2907,10 @@ snapshots:
 
   ansi-regex@6.2.2: {}
 
+  ansi-styles@4.3.0:
+    dependencies:
+      color-convert: 2.0.1
+
   ansi-styles@6.2.3: {}
 
   anymatch@3.1.3:
@@ -2512,7 +2924,7 @@ snapshots:
 
   array-iterate@2.0.1: {}
 
-  astro@5.17.3(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3):
+  astro@5.17.3(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(rollup@4.59.0)(typescript@5.9.3)(yaml@2.8.2):
     dependencies:
       '@astrojs/compiler': 2.13.1
       '@astrojs/internal-helpers': 0.7.5
@@ -2569,8 +2981,8 @@ snapshots:
       unist-util-visit: 5.1.0
       unstorage: 1.17.4
       vfile: 6.0.3
-      vite: 6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)
-      vitefu: 1.1.2(vite@6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1))
+      vite: 6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(yaml@2.8.2)
+      vitefu: 1.1.2(vite@6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(yaml@2.8.2))
       xxhash-wasm: 1.1.0
       yargs-parser: 21.1.1
       yocto-spinner: 0.2.3
@@ -2645,6 +3057,10 @@ snapshots:
 
   character-entities@2.0.2: {}
 
+  chokidar@4.0.3:
+    dependencies:
+      readdirp: 4.1.2
+
   chokidar@5.0.0:
     dependencies:
       readdirp: 5.0.0
@@ -2653,8 +3069,20 @@ snapshots:
 
   cli-boxes@3.0.0: {}
 
+  cliui@8.0.1:
+    dependencies:
+      string-width: 4.2.3
+      strip-ansi: 6.0.1
+      wrap-ansi: 7.0.0
+
   clsx@2.1.1: {}
 
+  color-convert@2.0.1:
+    dependencies:
+      color-name: 1.1.4
+
+  color-name@1.1.4: {}
+
   comma-separated-tokens@2.0.3: {}
 
   commander@11.1.0: {}
@@ -2745,6 +3173,11 @@ snapshots:
 
   dset@3.1.4: {}
 
+  emmet@2.4.11:
+    dependencies:
+      '@emmetio/abbreviation': 2.3.3
+      '@emmetio/css-abbreviation': 2.1.8
+
   emoji-regex@10.6.0: {}
 
   emoji-regex@8.0.0: {}
@@ -2818,6 +3251,8 @@ snapshots:
       '@esbuild/win32-ia32': 0.27.3
       '@esbuild/win32-x64': 0.27.3
 
+  escalade@3.2.0: {}
+
   escape-string-regexp@5.0.0: {}
 
   estree-walker@2.0.2: {}
@@ -2830,6 +3265,10 @@ snapshots:
 
   extend@3.0.2: {}
 
+  fast-deep-equal@3.1.3: {}
+
+  fast-uri@3.1.0: {}
+
   fdir@6.5.0(picomatch@4.0.3):
     optionalDependencies:
       picomatch: 4.0.3
@@ -2847,6 +3286,8 @@ snapshots:
   fsevents@2.3.3:
     optional: true
 
+  get-caller-file@2.0.5: {}
+
   get-east-asian-width@1.5.0: {}
 
   github-slugger@2.0.0: {}
@@ -2982,8 +3423,16 @@ snapshots:
     dependencies:
       argparse: 2.0.1
 
+  json-schema-traverse@1.0.0: {}
+
+  jsonc-parser@2.3.1: {}
+
+  jsonc-parser@3.3.1: {}
+
   kleur@3.0.3: {}
 
+  kleur@4.1.5: {}
+
   lightningcss-android-arm64@1.31.1:
     optional: true
 
@@ -3033,6 +3482,8 @@ snapshots:
       lightningcss-win32-arm64-msvc: 1.31.1
       lightningcss-win32-x64-msvc: 1.31.1
 
+  lodash@4.17.21: {}
+
   longest-streak@3.1.0: {}
 
   lru-cache@11.2.6: {}
@@ -3368,6 +3819,8 @@ snapshots:
 
   ms@2.1.3: {}
 
+  muggle-string@0.4.1: {}
+
   nanoid@3.3.11: {}
 
   neotraverse@0.6.18: {}
@@ -3428,6 +3881,8 @@ snapshots:
     dependencies:
       entities: 6.0.1
 
+  path-browserify@1.0.1: {}
+
   piccolore@0.1.3: {}
 
   picocolors@1.1.1: {}
@@ -3459,6 +3914,8 @@ snapshots:
 
   radix3@1.1.2: {}
 
+  readdirp@4.1.2: {}
+
   readdirp@5.0.0: {}
 
   regex-recursion@6.0.2:
@@ -3537,6 +3994,14 @@ snapshots:
       mdast-util-to-markdown: 2.1.2
       unified: 11.0.5
 
+  request-light@0.5.8: {}
+
+  request-light@0.7.0: {}
+
+  require-directory@2.1.1: {}
+
+  require-from-string@2.0.2: {}
+
   retext-latin@4.0.0:
     dependencies:
       '@types/nlcst': 2.0.3
@@ -3709,6 +4174,12 @@ snapshots:
 
   type-fest@4.41.0: {}
 
+  typesafe-path@0.2.2: {}
+
+  typescript-auto-import-cache@0.3.6:
+    dependencies:
+      semver: 7.7.4
+
   typescript@5.9.3: {}
 
   ufo@1.6.3: {}
@@ -3803,7 +4274,7 @@ snapshots:
       '@types/unist': 3.0.3
       vfile-message: 4.0.3
 
-  vite@6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1):
+  vite@6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(yaml@2.8.2):
     dependencies:
       esbuild: 0.25.12
       fdir: 6.5.0(picomatch@4.0.3)
@@ -3816,10 +4287,108 @@ snapshots:
       fsevents: 2.3.3
       jiti: 2.6.1
       lightningcss: 1.31.1
+      yaml: 2.8.2
+
+  vitefu@1.1.2(vite@6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(yaml@2.8.2)):
+    optionalDependencies:
+      vite: 6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)(yaml@2.8.2)
+
+  volar-service-css@0.0.68(@volar/language-service@2.4.28):
+    dependencies:
+      vscode-css-languageservice: 6.3.10
+      vscode-languageserver-textdocument: 1.0.12
+      vscode-uri: 3.1.0
+    optionalDependencies:
+      '@volar/language-service': 2.4.28
+
+  volar-service-emmet@0.0.68(@volar/language-service@2.4.28):
+    dependencies:
+      '@emmetio/css-parser': 0.4.1
+      '@emmetio/html-matcher': 1.3.0
+      '@vscode/emmet-helper': 2.11.0
+      vscode-uri: 3.1.0
+    optionalDependencies:
+      '@volar/language-service': 2.4.28
+
+  volar-service-html@0.0.68(@volar/language-service@2.4.28):
+    dependencies:
+      vscode-html-languageservice: 5.6.2
+      vscode-languageserver-textdocument: 1.0.12
+      vscode-uri: 3.1.0
+    optionalDependencies:
+      '@volar/language-service': 2.4.28
+
+  volar-service-prettier@0.0.68(@volar/language-service@2.4.28)(prettier@3.8.1):
+    dependencies:
+      vscode-uri: 3.1.0
+    optionalDependencies:
+      '@volar/language-service': 2.4.28
+      prettier: 3.8.1
+
+  volar-service-typescript-twoslash-queries@0.0.68(@volar/language-service@2.4.28):
+    dependencies:
+      vscode-uri: 3.1.0
+    optionalDependencies:
+      '@volar/language-service': 2.4.28
+
+  volar-service-typescript@0.0.68(@volar/language-service@2.4.28):
+    dependencies:
+      path-browserify: 1.0.1
+      semver: 7.7.4
+      typescript-auto-import-cache: 0.3.6
+      vscode-languageserver-textdocument: 1.0.12
+      vscode-nls: 5.2.0
+      vscode-uri: 3.1.0
+    optionalDependencies:
+      '@volar/language-service': 2.4.28
 
-  vitefu@1.1.2(vite@6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)):
+  volar-service-yaml@0.0.68(@volar/language-service@2.4.28):
+    dependencies:
+      vscode-uri: 3.1.0
+      yaml-language-server: 1.19.2
     optionalDependencies:
-      vite: 6.4.1(@types/node@25.3.3)(jiti@2.6.1)(lightningcss@1.31.1)
+      '@volar/language-service': 2.4.28
+
+  vscode-css-languageservice@6.3.10:
+    dependencies:
+      '@vscode/l10n': 0.0.18
+      vscode-languageserver-textdocument: 1.0.12
+      vscode-languageserver-types: 3.17.5
+      vscode-uri: 3.1.0
+
+  vscode-html-languageservice@5.6.2:
+    dependencies:
+      '@vscode/l10n': 0.0.18
+      vscode-languageserver-textdocument: 1.0.12
+      vscode-languageserver-types: 3.17.5
+      vscode-uri: 3.1.0
+
+  vscode-json-languageservice@4.1.8:
+    dependencies:
+      jsonc-parser: 3.3.1
+      vscode-languageserver-textdocument: 1.0.12
+      vscode-languageserver-types: 3.17.5
+      vscode-nls: 5.2.0
+      vscode-uri: 3.1.0
+
+  vscode-jsonrpc@8.2.0: {}
+
+  vscode-languageserver-protocol@3.17.5:
+    dependencies:
+      vscode-jsonrpc: 8.2.0
+      vscode-languageserver-types: 3.17.5
+
+  vscode-languageserver-textdocument@1.0.12: {}
+
+  vscode-languageserver-types@3.17.5: {}
+
+  vscode-languageserver@9.0.1:
+    dependencies:
+      vscode-languageserver-protocol: 3.17.5
+
+  vscode-nls@5.2.0: {}
+
+  vscode-uri@3.1.0: {}
 
   web-namespaces@2.0.1: {}
 
@@ -3829,6 +4398,12 @@ snapshots:
     dependencies:
       string-width: 7.2.0
 
+  wrap-ansi@7.0.0:
+    dependencies:
+      ansi-styles: 4.3.0
+      string-width: 4.2.3
+      strip-ansi: 6.0.1
+
   wrap-ansi@9.0.2:
     dependencies:
       ansi-styles: 6.2.3
@@ -3837,8 +4412,39 @@ snapshots:
 
   xxhash-wasm@1.1.0: {}
 
+  y18n@5.0.8: {}
+
+  yaml-language-server@1.19.2:
+    dependencies:
+      '@vscode/l10n': 0.0.18
+      ajv: 8.18.0
+      ajv-draft-04: 1.0.0(ajv@8.18.0)
+      lodash: 4.17.21
+      prettier: 3.8.1
+      request-light: 0.5.8
+      vscode-json-languageservice: 4.1.8
+      vscode-languageserver: 9.0.1
+      vscode-languageserver-textdocument: 1.0.12
+      vscode-languageserver-types: 3.17.5
+      vscode-uri: 3.1.0
+      yaml: 2.7.1
+
+  yaml@2.7.1: {}
+
+  yaml@2.8.2: {}
+
   yargs-parser@21.1.1: {}
 
+  yargs@17.7.2:
+    dependencies:
+      cliui: 8.0.1
+      escalade: 3.2.0
+      get-caller-file: 2.0.5
+      require-directory: 2.1.1
+      string-width: 4.2.3
+      y18n: 5.0.8
+      yargs-parser: 21.1.1
+
   yocto-queue@1.2.2: {}
 
   yocto-spinner@0.2.3: