Add native link-service tasks and SEO doctor route support

[PrzemyslawKlys]

Summary

• add native link-service tasks for legacy AMP generation, redirect validation, Apache export, and related pipeline wiring
• teach seo-doctor how to validate root-served language hosts such as evotec.pl mapping back to /pl/...
• reduce false positives in markdown leak/frontmatter detection and cover the new behavior with tests

Validation

• dotnet test .\PowerForge.Tests\PowerForge.Tests.csproj -c Release --no-restore --logger "console;verbosity=normal" --logger "trx;LogFileName=powerforge-tests-full-20260423.trx" --blame-hang --blame-hang-timeout 5m
• focused SEO/link tests also passed while iterating locally

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0e32dd550f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve trailing slash in nginx query redirect matcher

The nginx branch for query-specific redirects strips the normalized path's trailing slash before building the $request_uri regex, so a rule from a typical route like /docs/?v=1 is emitted to match only /docs?v=1. Because NormalizeRedirectSourcePath normalizes non-root routes with a trailing slash, real requests that include that slash (/docs/?v=1) will bypass the redirect entirely in nginx while Apache/IIS equivalents still match.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Compare decoded URLs before rewriting HTML attributes

After decoding HTML entities in href/src, the code compares the rewritten URL against the original encoded string and then writes the decoded value back unescaped. With rewrites enabled, links containing entity-encoded query chars (for example &) are treated as changed even when no rule matches, so output HTML is mutated and may end up with unescaped attribute content.

Useful? React with 👍 / 👎.

[claude]

Code Review — PR #326: Add native link-service tasks and SEO doctor route support

Overview

This PR adds three major capabilities:

1. Legacy AMP continuity — generates redirect CSVs mapping old WordPress AMP URLs to modern equivalents
2. Split-domain language SEO — SEO doctor can now validate hreflang alternates when a language is served from a root domain (evotec.pl) rather than a sub-path
3. Sitemap comparison tooling — a new Build/Compare-WebSitemaps.ps1 script for migration analysis

All changes are backward-compatible (new parameters have safe defaults). The architecture follows the project's established service-first pattern correctly.

---

Issues Worth Addressing

Medium priority

1. Silent CSS strategy fallback on typos (WebAssetOptimizer.cs, strategy normalization block)

When CssStrategy is set to an unrecognized value, the code silently falls back to "blocking". A user who types "prelaod" instead of "preload" gets no warning. Consider logging a warning or throwing on unknown strategy values so misconfiguration is visible.

// Suggestion: add an else-log here
default:
    _logger.LogWarning("Unknown CssStrategy '{Strategy}', falling back to blocking", strategy);
    return "blocking";

2. Potential double-decode of HTML entities (WebAssetOptimizer.cs, HTML attribute extraction)

HtmlDecode is applied when extracting src/href attribute values. If the attribute is already partially decoded (e.g., a URL that legitimately contains & as part of a query string), the second decode turns & → &, which could corrupt URLs before comparison. Verify the exact round-trip for encoded query strings in asset URLs.

3. CountLinesBefore is O(n) per match (WebSeoDoctor.cs)

The line-counting helper iterates the full document substring for each regex match. For a document with many matches this compounds — a 5 000-line file with 200 flagged patterns triggers 200 substring scans. Consider pre-splitting lines once per file:

var lines = content.Split('\n');
// then use Array.IndexOf or a pre-built offset table

For typical Markdown file sizes this is fine, but could become noticeable if users run SEO doctor over very large generated API reference pages.

4. Removed #{1,6} heading pattern from content-leak detection (WebSeoDoctor.cs)

The simplified pattern reduces false positives in API doc pages (which is the intent and is validated by the new test). However, the trade-off is that actual content leaks whose first "leaked" token looks like a Markdown heading will no longer be flagged. The new frontmatter-delimiter guard (--- / +++) is a reasonable mitigation, but it assumes leaked content always retains its frontmatter delimiters — if the delimiter gets stripped but the body leaks, the check won't catch it. Worth documenting this assumption in a comment near the pattern.

---

Low priority / informational

5. No timeout on Invoke-WebRequest in Compare-WebSitemaps.ps1

The $ProgressPreference = 'SilentlyContinue' is set (good), but there's no -TimeoutSec on any Invoke-WebRequest call. A hanging server during sitemap fetch or AMP probe will block the script indefinitely. Recommend -TimeoutSec 30 (or configurable via parameter).

6. Silent swallowing of AMP probe failures (Compare-WebSitemaps.ps1, Get-AmpHtmlAlternateUrl)

Multiple try-catch blocks return $null without writing to the verbose/warning stream. This makes it hard to diagnose why probes silently produce no results. At minimum, Write-Verbose the exception message so -Verbose users get the signal.

7. Redirect CSV status codes not validated as 3xx (WebLinkService.LegacyAmp.cs)

The status-code column is parsed with int.TryParse but there's no range check. A CSV row with status 200 or 500 would be accepted and written to the redirect output. Consider validating statusCode >= 300 && statusCode < 400.

8. Language code values are not validated (pipeline task handler)

LanguageRootHosts keys flow in directly from config without checking they resemble ISO 639-1/BCP 47 codes. A typo ("en_US" instead of "en") would produce mismatched hreflang tags with no error. A simple regex guard (^[a-z]{2}(-[A-Z]{2})?$) at options-parse time would surface this early.

---

Test Coverage

New tests are well-targeted and cover the primary happy paths:

Test	Coverage quality
GenerateLegacyAmpRedirects_EmitsHostScopedAmpContinuityCsv	Good — covers language routing, already-AMP paths, query strings
Analyze_LocalizedAlternates_ResolveRootServedHosts…	Good — realistic multi-language structure
Analyze_DoesNotFlagContentLeak_ForApiStyleDocumentation	Good — validates the heading-pattern removal
Analyze_BacklogMetrics_FlagsEmptyAltAndSourceMarkdown	Good — covers both HTML and Markdown paths
Build_LocalizedPages_SupportLanguageAllowList	Good — covers filtered build scenario

Gaps to consider (not blocking):

• No test for an unknown CssStrategy value (relates to issue Release version number does not automatically update #1 above)
• No test covering a malformed/empty LegacySitemapUrls input to the PS script
• No negative test for the redirect CSV with non-3xx status codes
• The new WebSeoDoctorPageMetric and WebSeoDoctorSourceMarkdownMetric models are used in tests only through the aggregate result — direct serialization round-trip tests would catch field name/type regressions

---

Security

No significant concerns. The HTTP-only asset download path correctly guards against non-HTTP(S) schemes. The javascript:/data: URL filtering in Test-AmpProbeCandidate is a good catch. One note: Compare-WebSitemaps.ps1 accepts arbitrary $LegacySitemapUrls without validating that they are HTTPS — for a migration tool run in CI this is low risk, but worth noting if the script is ever surfaced in a less-controlled context.

---

Summary

This is a solid, well-structured addition. The code follows the project's service-first conventions, the backward-compatibility story is clean, and the test suite covers the new behavior meaningfully. The medium-priority items above (CSS strategy fallback, possible double-decode, O(n) line counting, and the leak-pattern trade-off) are worth a second look before merge, but none are blocking. The low-priority items can be addressed as follow-ups.

Reviewed by Claude (claude-sonnet-4-6)

[claude]

PR #326 Code Review — Add native link-service tasks and SEO doctor route support

Overview: This PR adds legacy WordPress AMP redirect generation, Apache redirect pipeline tasks, SEO Doctor language-root-host support, improved editorial image metadata precedence, and a standalone Compare-WebSitemaps.ps1 migration helper. It's a substantial change (~4900 line net) with solid test coverage for the C# side. A few areas warrant attention before merge.

---

Bugs / Correctness

High: Bare catch in BuildPortableCatalogPath
The bare catch block (no exception type) will swallow OutOfMemoryException, StackOverflowException, and other CLR fatal exceptions that should never be caught:

catch  // should be: catch (Exception ex) { ... }
{
    return relativePath;
}

Suggest scoping to catch (Exception) at minimum, or ideally catch (InvalidOperationException, ArgumentException) for the specific path-normalization failures you expect.

Medium: DateTime.Now in SeoDoctor backlog metrics
DateTime.Now captures local wall time, which is environment-dependent and non-reproducible in CI. Prefer DateTimeOffset.UtcNow (or at least DateTime.UtcNow) to match the rest of the system's timestamp conventions.

Medium: Trailing-slash inconsistency in Test-GeneratedRouteExists (Compare-WebSitemaps.ps1 ~L300-310)
The function appends / to candidate URLs before the check, but Get-NormalizedUrl explicitly strips trailing slashes. A generated redirect could canonicalize to /path/ while everything else expects /path.

Low: Inconsistent path format in WebSeoDoctorTests.cs (lines 1791-1792)
image-alt-empty uses "index.html" (no leading slash) while source-image-alt-empty uses "/source/post.md" (with leading slash). If these go through any path comparison/lookup downstream, one will fail to match.

---

Test Concerns

Weakened social card assertion

// Before
Assert.Equal(68, logoFrame!.Value.Y);
// After
Assert.True(logoFrame!.Value.Y > 68);

Changing from an exact equality check to a lower-bound assertion hides potential regressions. If the layout algorithm changes again, tests would still pass while the output drifts. Please comment explaining why the value is now non-deterministic (e.g., font metrics vary by platform), or restore the exact check.

No tests for Compare-WebSitemaps.ps1
This is ~900 lines of business-critical migration logic (sitemap diffing, slug-variant heuristics, AMP URL detection, redirect candidate scoring) with no automated tests. At a minimum, consider adding Pester tests for:

• Get-NormalizedUrl / Get-UrlPath edge cases (trailing slashes, uppercase, ports)
• Get-SlugVariants regex patterns (number suffixes, empty slug, special characters)
• Test-GeneratedRouteExists false-positive rate with known inputs

---

Security

XXE risk in sitemap XML parsing (Compare-WebSitemaps.ps1 ~L84-97)
The script fetches remote XML and casts it directly to [xml]:

$response = Invoke-WebRequest -Uri $Url -UseBasicParsing
[xml]$xml = $response.Content

PowerShell's [xml] cast uses XmlDocument with default settings, which allows DTD processing and may be vulnerable to XXE if a malicious or compromised sitemap URL is supplied. Consider using XmlReaderSettings with DtdProcessing = Prohibit:

$settings = [System.Xml.XmlReaderSettings]::new()
$settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
$reader = [System.Xml.XmlReader]::Create([System.IO.StringReader]::new($response.Content), $settings)
$xml = [xml]::new(); $xml.Load($reader)

Even if the URLs are trusted inputs in practice, defense-in-depth is worthwhile here.

Silent exception swallowing in AMP discovery (Compare-WebSitemaps.ps1 ~L382-387)

catch { return $null }

Network errors, DNS failures, and unexpected HTML structures all surface as $null with no diagnostic output. This makes it very hard to debug false negatives in production. At minimum, add a Write-Verbose or Write-Warning so the reason for the miss is observable.

---

Code Quality

Duplicate "try-read-JSON" pattern
TryPreserveEcosystemSources and ShouldPreserveExistingStats share nearly identical JSON-read-and-compare logic. A small shared helper would reduce maintenance burden when the deserialization path needs to change.

NormalizeApacheRedirectRow host prepending without URL validation
When prepending a language host to relative URLs, there is no guard against inputs that are already absolute or contain ../ path segments. A quick Uri.TryCreate check before prepending would prevent malformed redirect rules from being silently emitted.

QSD flag usage in Apache redirects
Using [R=301,L,QSD] intentionally drops query strings. This is correct for most slug-based canonical redirects, but for legacy WordPress ?p=123 (post-by-ID) URLs that are not slug-matched, dropping the query string may return a 301 to a catch-all that returns 404. Worth documenting the assumption or adding a comment in the generated config header.

---

Nitpicks

• The switch statement with multiple case labels executing the same body (cache invalidation section) could be refactored to use case X: case Y: case Z: fall-through grouping for readability.
• BuildSeoDoctorPageMetricsCsv assembles the full CSV in memory before writing. For very large sites this is fine, but a StreamWriter-based approach would be more memory-efficient at scale.

---

Summary

Area	Status
Core feature correctness	✅ Looks solid
C# test coverage	✅ Good breadth
PowerShell script tests	❌ None provided
Error handling	⚠️ Several bare/silent catches
Security (XXE)	⚠️ Worth addressing
Assertion precision	⚠️ Two regressions
DateTime/UTC consistency	⚠️ Minor fix needed

The SEO Doctor language-root-host work and image metadata precedence changes look well-thought-out. The main asks before merge are: (1) explain or restore the weakened social card assertions, (2) add exception types to the bare catch blocks, (3) address the XXE risk in the sitemap script, and (4) add at least minimal Pester tests for Compare-WebSitemaps.ps1.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fb5ee9fb75

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Keep site-base fallback when resolving default fallback URLs

ResolveAbsoluteLanguageRoute now bypasses ResolveLanguageBaseUrl and only uses the language entry's BaseUrl. In the fallback-to-default path (ResolveLocalizedPageUrl), if the default language omits BaseUrl but spec.BaseUrl is set, this returns a relative route; that route is then reinterpreted as target-language output and can generate hreflang URLs to non-existent localized pages instead of the default-language URL. This regresses split-language fallback behavior for common configs that only set site.baseUrl.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Preserve query matching for absolute legacy redirect rows

For absolute legacy_url entries that include query parameters (other than ?p=/?page_id=), export now builds rules from source.PathOnly, which drops the query. That means a source like https://example.com/docs/?v=1 becomes a generic /docs rewrite and will redirect unrelated requests on that host. This broadens redirect scope and can hijack valid traffic; the query constraint needs to be retained for these rows.

Useful? React with 👍 / 👎.

[claude]

Code Review: PR #326 — "Add native link-service tasks and SEO doctor route support"

Overview

This PR has four main thrusts:

1. Refactor: Extracts ~650 lines of inline functions from Compare-WebSitemaps.ps1 into a companion helper file and adds a validated $TimeoutSec parameter.
2. New C# native tasks: Adds links-generate-legacy-amp and links-compare-sitemaps pipeline tasks backed by new service classes (WebLinkService.LegacyAmp.cs, WebSitemapMigrationAnalyzer.cs), making migration logic testable.
3. SEO-doctor enhancements: Teaches WebSeoDoctor to resolve hreflang targets for root-served language hosts (e.g. evotec.pl → /pl/…), reducing false-positive hreflang warnings.
4. False-positive reductions: Narrows FrontMatterLeakPattern and VisibleMarkdownLeakPattern detectors so technical API docs don't produce spurious warnings.

Overall the PR is well-structured and test coverage is solid. The issues below are ordered by severity.

---

Bugs / Correctness

🔴 WebSitemapMigrationAnalyzer.NormalizeUrl throws UriFormatException on malformed <loc> entries

public static string NormalizeUrl(string url)
{
    var uri = new Uri(url); // throws if url is malformed

GetUrlPath, GetUrlOrigin, and GetSyntheticAmpLegacyUrl have the same issue. A single bad <loc> in a sitemap will abort the entire pipeline step with an unhelpful exception. Replace with Uri.TryCreate and filter out unparseable URLs at NormalizeInputUrls with a warning.

---

🟡 WebLinkService.LegacyAmp.cs — SkippedCount is misleading

SkippedCount = Math.Max(0, Math.Max(0, lines.Length - 1) - generated.Count)

This conflates intentionally-skipped rows (non-3xx status, already-AMP, query URLs) with parse failures. A dedicated skippedCount counter incremented at each continue path would make the output summary accurate.

---

🟡 WebPipelineRunner.Tasks.Content.cs — double JSON deserialization

ReleaseCount = TryReadReleaseHubDocument(existingOutputContent)?.Releases.Count ?? 0,
AssetCount   = TryReadReleaseHubDocument(existingOutputContent)?.Releases.Sum(…) ?? 0,

Cache the result of TryReadReleaseHubDocument(existingOutputContent) in a local variable.

---

🟡 No max recursion depth for nested sitemaps in C# implementation

ReadSitemapUrls is recursive and tracks visited URLs, but there is no depth cap. The PowerShell helper had $MaxSitemapDepth. A crafted sitemap with deep nesting could overflow the stack. Add a depth parameter (e.g. max 8) mirroring the PS implementation.

---

Security

🟡 OpenSitemapReader — no HTTP redirect limit or response size cap

using var client = new HttpClient { Timeout = TimeSpan.FromSeconds(...) };
var content = client.GetStringAsync(location).GetAwaiter().GetResult();

HttpClient follows up to 50 redirects by default. A gigabyte-scale response would be fully buffered. For a CI/CD build tool with developer-controlled inputs this is low severity, but cheap guards add resilience:

var handler = new HttpClientHandler { MaxAutomaticRedirections = 5 };
using var client = new HttpClient(handler) { MaxResponseContentBufferSize = 50 * 1024 * 1024, ... };

---

🟡 WebSeoDoctor.ScanSourceMarkdownEmptyAlt — bare catch swallows all exceptions

catch
{
    continue;
}

A bare catch swallows OutOfMemoryException and similar fatal exceptions. Use:

catch (Exception ex) when (ex is IOException or UnauthorizedAccessException)

---

Design / Code Quality

🟡 evotec.xyz / evotec.pl hardcoded as library fallback defaults

WebLinkService.LegacyAmp.cs:

var englishHost = string.IsNullOrWhiteSpace(options.DefaultEnglishHost) ? "evotec.xyz" : ...;
var polishHost  = string.IsNullOrWhiteSpace(options.DefaultPolishHost)  ? "evotec.pl"  : ...;

These are also repeated in the pipeline runner. Embedding specific domain names as fallbacks in a reusable library tightly couples it to one deployment. The library should throw ArgumentException when required fields are unset; domain defaults belong only in the schema definition.

---

🟡 HttpClient created per sitemap file in OpenSitemapReader

A new HttpClient is instantiated for each sitemap fetch. For sitemap indexes with many nested sitemaps this causes socket exhaustion. Create one client per ExecuteLinksCompareSitemaps call and pass it through.

---

🟢 Compare-WebSitemaps.Helpers.ps1 — implicit global variables

Import-SitemapUrls reads $MaxSitemapDepth and $TimeoutSec from the parent scope without declaring them as parameters. If the helper is dot-sourced independently these silently default to zero/null. Pass them as explicit parameters.

---

🟢 Compare-WebSitemaps.ps1 — no deprecation warning for -FetchTimeoutSec

The compatibility shim silently accepts $FetchTimeoutSec without telling callers to migrate. Add Write-Warning "FetchTimeoutSec is deprecated; use TimeoutSec instead.".

---

🟢 Minor: missing newline at end of Compare-WebSitemaps.Helpers.ps1

---

Performance

🟡 WebSitemapMigrationAnalyzer.GetSlugVariants — uncompiled regex in a hot loop

Regex.Replace(current, @"-\d+$", string.Empty, RegexOptions.CultureInvariant)

Calling Regex.Replace with a string literal pattern compiles a new Regex on each invocation. With thousands of legacy URLs and multiple variants each, this adds up. Compile the three patterns as static readonly Regex fields.

---

🟡 WebSeoDoctor.Analyze — 9 sequential .Count() scans over pageMetrics

The final summary block calls .Count(predicate) nine times over the same list. A single pass accumulating all counters would be more efficient for large sites.

---

🟢 WebSeoDoctor — unconditional per-page LINQ materialisation

visibleImages, missingAltSources, and emptyAltSources are computed for every page even when CheckImageAlt and CheckEmptyImageAlt are both disabled. Guard with the relevant option checks.

---

Test Coverage

Test coverage is thorough — each new feature has unit and pipeline integration tests. Minor gaps worth filling:

• WebPipelineRunnerSitemapMigrationTests.cs only tests the happy path. Missing: malformed <loc> XML, non-existent local sitemap file, includeSyntheticAmpRedirects: false.
• WebSeoDoctorTests.cs has no negative test for an unmapped hreflang host — verify it still produces hreflang-route-missing.
• WebPipelineRunnerEcosystemStatsTests.cs: duplicate File.WriteAllText(statsPath, …) — the first write (line ~1880) appears to be dead code; the second write (line ~1917) is the live one. The duplicate is a copy-paste artifact.

---

Summary

Priority	Issue
🔴 High	NormalizeUrl / GetUrlPath throw unhandled UriFormatException on bad sitemap <loc>
🟡 Medium	evotec.xyz/evotec.pl hardcoded in reusable library
🟡 Medium	No recursion depth cap in C# sitemap reader
🟡 Medium	HttpClient created per sitemap fetch; no redirect/size limits
🟡 Medium	SkippedCount conflates parse failures with intentional skips
🟡 Medium	Bare catch in ScanSourceMarkdownEmptyAlt
🟡 Medium	Double TryReadReleaseHubDocument call
🟡 Medium	Slug-variant regex patterns not pre-compiled
🟢 Low	Missing deprecation warning for -FetchTimeoutSec
🟢 Low	Implicit global scope reads in PS helper functions
🟢 Low	Nine sequential .Count() calls; unconditional LINQ materialisation
🟢 Low	Missing newline at EOF in Helpers.ps1; duplicate test write

The core logic and test suite are well-written. Addressing the 🔴 UriFormatException issue and the hardcoded domain names are the most important changes before merging.

---

Review generated with Claude Code

[claude]

Code Review — PR #326

Overview

This PR makes three focused additions:

1. Link-service tasks — Two new pipeline tasks (links-generate-legacy-amp, links-compare-sitemaps) backed by a new WebSitemapMigrationAnalyzer class, and an extracted Compare-WebSitemaps.Helpers.ps1 helper file.
2. SEO Doctor enhancements — Support for languageRootHosts to validate split-domain language deployments (e.g., evotec.pl → /pl/…), plus two new optional backlog checks (checkEmptyImageAlt, checkSourceMarkdownImageAlt).
3. False-positive reductions — Improved content-leak / frontmatter detection that no longer flags API-style documentation content.

The overall shape is good: concerns are well-separated, documentation is updated, and nearly all new behaviour is exercised by tests. Comments below are mostly observations and a few actionable suggestions.

---

Code Quality

Positive

• ConvertTo-SafeXmlDocument correctly sets DtdProcessing = Prohibit and nulls XmlResolver on both the reader settings and the loaded document — a solid XXE defence.
• The FetchTimeoutSec deprecation path ($null sentinel + Write-Warning) is clean, and [ValidateRange] attributes replace the old manual throws.
• Extracting all helper functions into Compare-WebSitemaps.Helpers.ps1 makes the helpers unit-testable and keeps the main script thin — good refactoring.
• WebSitemapMigrationAnalyzer (new C# class) properly pulls migration heuristics into the typed layer so they can be exercised without a .ps1 wrapper.
• TryDelete retry loop in PowerForgeReleaseServiceTests addresses a real flakiness source on Windows CI.

Observations

• Get-SlugVariants hard-codes language codes (pl|fr|de|es) inside a regex. This works for the current site but will silently fail to strip suffixes for any language not in that list. Consider a comment explaining why those four codes are the complete set, or make the list configurable.
• GetFreePortRange in WebStaticServerTests probes by grabbing and immediately releasing consecutive listeners. There is a tiny TOCTOU window between releasing them and the actual server bind; the original GetFreePort had the same gap, and the wider range (20 ports) reduces the probability significantly, but it still exists. This is fine for a test helper — just worth noting.
• WebPipelineRunnerEcosystemStatsTests.RunPipeline_EcosystemStats_PreservesExistingPowerShellGallery_WhenOnlyThatSourceFails writes statsPath twice with identical content. The first write is dead code; it could be removed.

---

Potential Bugs / Issues

• Import-LocalSitemapUrls drops BOM stripping — the previous version had $content.TrimStart([char] 0xFEFF) before parsing local sitemaps; the new version reads directly with Get-Content -Path $Path -Raw without stripping the BOM. HTTP downloads via Import-SitemapUrls still strip it. Local sitemap files saved with a UTF-8 BOM will silently produce a parse error or empty set depending on the XML parser's tolerance.

  # Before (old Compare-WebSitemaps.ps1)
  $content = [string] (Get-Content -Path $Path -Raw)
  $content = $content.TrimStart([char] 0xFEFF)
  
  # After (Helpers.ps1 — BOM strip removed)
  $xml = ConvertTo-SafeXmlDocument -Content (Get-Content -Path $Path -Raw) -Source $Path

  System.Xml.XmlDocument usually handles UTF-8 BOM correctly, but [System.IO.StringReader] may or may not, depending on the string encoding path. It is safer to keep the explicit strip or add a test covering a BOM-prefixed local file.

• missingLegacyCount assertion mismatch in WebPipelineRunnerSitemapMigrationTests — The test adds 4 <url> entries to the legacy sitemap but one (not-a-url) is malformed, so only 3 are valid. The test then asserts missingLegacyCount == 3. However missingLegacyCount likely counts URLs from the legacy sitemap not present in the new sitemap — /old-post/ and /category/powershell/ are matched, so the only truly missing one is /missing/. Asserting 3 here seems wrong; the intended value should probably be 1. If this test is passing today, it suggests the metric counts something slightly different — worth confirming the definition is intentional.

• links-compare-sitemaps maxSitemapDepth: 0 error test — The test uses a local sitemapindex file with a relative <loc> (legacy-nested.xml). The native C# WebSitemapMigrationAnalyzer presumably does not support relative paths as sitemap URLs; the test asserts result.Success == false with a message containing "maxSitemapDepth", which would only happen if the index file is actually fetched and followed. If the relative URL is silently dropped instead, this test could pass for the wrong reason. A comment or assertion on the exact error message would clarify intent.

---

Performance Considerations

• ConvertTo-ComparablePath allocates a StringBuilder per call and iterates character-by-character. For large sitemaps (tens of thousands of URLs) this accumulates. A regex-based diacritic strip (\p{Mn}) would be more concise; performance is probably acceptable at sitemap scale, but worth noting for future maintenance.
• New-PathAliasLookup silently skips duplicate path keys (first-wins). If there are multiple URLs sharing the same comparable path (e.g., a page and its language variant), only one survives the lookup. This is likely intentional but could produce unexpected alias misses — a Write-Verbose on the skip would help diagnostics.

---

Security

• XXE is correctly mitigated in ConvertTo-SafeXmlDocument (DTD prohibited, resolver nulled). Good.
• Path traversal in Test-GeneratedRouteExists: $path = $uri.AbsolutePath.Trim('/') and then Join-Path $SiteRoot (...). Absolute paths embedded in sitemap <loc> values (e.g., file:///etc/passwd) would parse to an AbsolutePath that, after trimming, could still join to a path outside $SiteRoot. The subsequent Test-Path -PathType Leaf read-only check limits the blast radius to information disclosure, but it is worth a defensive check: verify $filePath.StartsWith($SiteRoot) before calling Test-Path.

---

Test Coverage

Coverage is strong. New behaviour is exercised end-to-end through WebPipelineRunnerSitemapMigrationTests and unit-level through WebSitemapMigrationAnalyzerTests. The SEO Doctor languageRootHosts path has two test cases (unit + pipeline). The GenerateLegacyAmpRedirects tests cover skip conditions and the missing-host guard.

One gap: there is no test for links-generate-legacy-amp with an absolute legacy_url that already contains a host different from the default hosts — the test data only has relative paths and one pre-existing AMP URL. A test confirming that an absolute English URL (https://evotec.xyz/post/) is expanded correctly without duplicating the default host would strengthen confidence.

---

Summary

Solid, well-structured PR. The main actionable items are:

1. Restore (or verify) BOM handling in Import-LocalSitemapUrls.
2. Verify the missingLegacyCount == 3 assertion in WebPipelineRunnerSitemapMigrationTests is intentional.
3. Add a path-containment guard in Test-GeneratedRouteExists to prevent outside-root probing from crafted sitemap files.

Everything else is low-priority or informational.

[claude]

Code Review — PR #326: Native link-service tasks and SEO doctor route support

Overview

This is a large, well-structured PR (~4 500 additions, ~760 deletions) that adds three related capabilities:

1. links-generate-legacy-amp — a new pipeline task that generates WordPress AMP continuity redirects from an existing legacy CSV.
2. links-compare-sitemaps — a new pipeline task (backed by the native WebSitemapMigrationAnalyzer) that compares legacy vs. new sitemaps and emits redirect/review artifacts.
3. SEO doctor improvements — languageRootHosts support for root-served language domains, optional empty-alt / source-markdown-alt backlog metrics, and several false-positive reductions.

The PR also includes a good set of companion tests, backward-compatibility cleanups (deprecated FetchTimeoutSec, extracted helper file), and a handful of unrelated bug fixes (asset-rewrite HTML-encode, nginx trailing-slash regex, static-server port range).

---

Code Quality & Style

Positives

• The refactor of Compare-WebSitemaps.ps1 into a .Helpers.ps1 dot-sourced file is clean and makes the helpers testable in isolation without rerunning the script. The ConvertTo-SafeXmlDocument helper (DTD processing disabled, null resolver) is a clear security improvement over the raw [xml] cast.
• The new C# WebSitemapMigrationAnalyzer correctly duplicates (and improves on) the PowerShell heuristics in a strongly-typed, unit-testable form.
• The path-traversal guard in Test-GeneratedRouteExists / GeneratedRouteExists is explicit and sound (full-path prefix check with separator anchoring).
• TryNormalizeRelativeApacheLegacyPath adds safe input validation before constructing an absolute Apache legacy URL — good defensive coding.
• The WebEcosystemStatsGenerator fix correctly extends the 401 retry path alongside the existing 403 path.

Minor style observations

• WebPipelineRunner.Tasks.Links.SitemapMigration.cs contains a Csv / WriteCsv helper and a EscapeCsv private static. A near-identical Csv method already exists in WebPipelineRunner.Tasks.SeoDoctor.cs. This is a small duplication worth collapsing into a shared internal utility at some point.
• TryReadReleaseHubDocument and TryReadEcosystemStatsDocument both deserialise with new JsonSerializerOptions { PropertyNameCaseInsensitive = true } without re-using a cached instance. JsonSerializerOptions is designed to be long-lived; allocating it inline on hot paths is a minor but avoidable overhead. These are not hot paths here, so it is not critical — just worth noting for consistency with the cached-options pattern used elsewhere.
• The GetFreePortRange helper in WebStaticServerTests is a clean fix for the flaky port collision problem, but it leaks up to count TcpListener instances between listener.Start() and listener.Stop() when the range succeeds (the loop returns before all offsets have been stopped). In practice the OS will reclaim them promptly, but wrapping the success path in the same finally-stop loop would be more correct.

---

Potential Bugs / Issues

NormalizeRequiredHost checks the wrong condition

if (host.Contains('/', StringComparison.Ordinal) ||
    host.Contains('\\', StringComparison.Ordinal) ||
    string.IsNullOrWhiteSpace(host))   // ← always false here

After the scheme-strip block, host is already normalised and non-null. The string.IsNullOrWhiteSpace(host) guard is redundant and will never trip — the "must be a host name without a path" exception can never be thrown for the empty-string case. The intended guard against an empty host surviving strip should be placed before the slash check.

ResolveLegacyAmpTargetUrl language prefix stripping is order-dependent

The function strips /pl/ from the path only when the host matches polishHost, and /en/ only when the host matches englishHost. If an absolute target URL on a third domain is passed, neither branch fires and the prefix stays. This is probably intentional, but deserves a comment, since it differs subtly from what the equivalent PowerShell script did.

TryPreserveExistingReleaseHub reads output file twice

var existing = TryReadReleaseHubDocument(existingJson);         // existingJson = pre-generate content
var generated = TryReadReleaseHubDocument(File.ReadAllText(outputPath)); // outputPath = post-generate file

The caller in ExecuteReleaseHub has already written the result to outPath, so this is correct. But the logic is subtle: existingOutputContent is captured before the generate call, then outputPath is re-read after the generate call. A brief comment on the ordering would prevent future confusion.

HasSourceWarning uses substring match

HasSourceWarning(generated.Warnings, "NuGet") will also match a warning mentioning "NuGet rate-limit" or any other NuGet-related message, even if that warning is not necessarily about an empty fetch. This broad match could cause a healthy partial result to trigger a source-preservation path unintentionally. A more precise match (e.g. checking for the specific warning text emitted by the generator) would be safer.

FormatFailureMessage change introduces a dead assignment

if (!hasMessage)
    message = current.GetType().Name;
message ??= current.GetType().Name;   // ← always null-safe here; dead code

After the if (!hasMessage) branch, message is either a non-empty string (set from current.Message) or current.GetType().Name. The ??= line is unreachable. This is harmless but should be cleaned up.

ResolveNestedSitemapLocation path traversal via relative loc values

When a local sitemap index references a loc value that is a simple relative path like ../../etc/passwd, the Path.GetFullPath(Path.Combine(baseLocation, ...)) call resolves it relative to the sitemap's directory. While exploiting this requires a malicious local sitemap file (not a remote one), there is no subsequent path-containment check, unlike the equivalent check in Test-GeneratedRouteExists. Consider adding a guard when the base location is local.

---

Performance Considerations

• pageMetrics.Count(static page => page.MissingDescription) is called once per aggregated field (6 similar LINQ passes over the same list). A single loop over pageMetrics would be marginally more efficient, though this is a non-hot path in an already-linear scan.
• BuildSeoDoctorBacklogSummary calls .ToArray() twice on potentially large enumerations (once for topEmptyAltPages, once for topSourceEmptyAltFiles). These are already filtered and Take(25), so the impact is negligible.

---

Security

• DTD processing is correctly disabled in both the PowerShell helper (ConvertTo-SafeXmlDocument) and the C# sitemap loader (NewSafeSitemapXmlReaderSettings). ✅
• The CreateSitemapHttpClient correctly caps MaxResponseContentBufferSize at 50 MB and limits MaxAutomaticRedirections to 5. ✅
• BuildPortableCatalogPath correctly relativises manifest paths and falls back to filename-only when the path escapes baseDir. ✅
• IsProjectCatalogPathWithinRoot includes both DirectorySeparatorChar and AltDirectorySeparatorChar boundaries. ✅
• The TryNormalizeRelativeApacheLegacyPath guard rejects .. traversal sequences and protocol-relative (//) paths. ✅
• The local sitemap nesting traversal note above (under Bugs) warrants attention.

---

Test Coverage

Test coverage is thorough:

• WebLinkServiceTests — covers happy path, skipped rows (query-style, already-amp, non-301 status, missing default hosts), and absolute legacy URL preservation.
• WebSitemapMigrationAnalyzerTests — covers root-to-blog, category normalisation (diacritics), generated-route fallback, AMP listing roots, malformed URLs, and the path-traversal guard.
• WebPipelineRunnerSitemapMigrationTests — end-to-end pipeline integration for sitemap comparison including depth-limit enforcement.
• WebSeoDoctorTests — covers the new LanguageRootHosts scenario and CheckEmptyImageAlt / CheckSourceMarkdownImageAlt backlog metrics.

Gaps worth considering:

• No test for NormalizeRequiredHost receiving a URL with a path component (e.g. "example.com/path"), which is the one case that should throw.
• No test for TryPreserveEcosystemSources when all sources simultaneously fail (should it preserve all or none?).
• No test for FormatFailureMessage with the refactored -> separator.

---

Summary

This is a solid, well-tested PR. The main concerns are:

1. The dead string.IsNullOrWhiteSpace(host) guard in NormalizeRequiredHost.
2. The broad substring match in HasSourceWarning that could produce false positives.
3. The dead message ??= assignment in FormatFailureMessage.
4. The missing path-containment check when traversing local nested sitemaps.

Items 1, 3, and 4 are straightforward fixes. Item 2 is a design trade-off — adding specificity would improve correctness but requires knowing the exact warning strings the generator emits.

[claude]

Code Review — PR #326: Add native link-service tasks and SEO doctor route support

Overview

This is a large, well-scoped PR that adds three main capabilities:

• Native C# sitemap migration analysis (WebSitemapMigrationAnalyzer) replacing a PowerShell wrapper
• Legacy WordPress AMP redirect generation (WebLinkService.LegacyAmp.cs)
• SEO backlog metrics and empty-alt scanning (per-page metrics CSVs, source Markdown alt scanning)

Additionally it fixes false positives in the front-matter/Markdown content-leak detector by making the heading-only signal require a front-matter delimiter, and extends GitHub retry logic to cover 401 alongside 403.

Overall the code is well-structured, security-conscious, and ships with strong test coverage. The notes below are mostly minor.

---

Security ✅

The PR demonstrates consistently good security hygiene:

• XXE protection: Every XML/sitemap load site uses XmlReaderSettings { DtdProcessing = Prohibit, XmlResolver = null } and XDocument.Load(xmlReader). Well done.
• Path traversal prevention: EnsureNestedSitemapPathWithinBase uses Path.GetFullPath on both sides before comparing with a StartsWith prefix check. The approach is correct.
• Host validation: NormalizeRequiredHost strips URL prefixes, rejects paths/queries in host strings, and blocks embedded slashes/backslashes. Solid.
• HTTP client limits: MaxAutomaticRedirections = 5 and MaxResponseContentBufferSize = 50 MB are sensible caps for sitemap fetches.

---

Potential Issues

1. Sync-over-async in OpenSitemapReader (mild risk in CLI context)

var content = httpClient.GetStringAsync(location).GetAwaiter().GetResult();

This blocks the calling thread synchronously. In a CLI process with no SynchronizationContext it works without deadlock, but it forecloses async refactoring and will throw poorly if a timeout fires during the wait. Consider accepting this as an intentional CLI trade-off and documenting it, or adding a CancellationToken parameter for future use.

2. Inline regex in ScanSourceMarkdownEmptyAlt

var matches = Regex.Matches(
    content,
    @"!\[\]\((?<target>[^)\r\n]+)\)",
    RegexOptions.CultureInvariant,
    TimeSpan.FromMilliseconds(250));

This is called once per .md file and has a timeout guard, so ReDoS is not a concern. However, the regex is recompiled on every file. Promoting it to a static readonly compiled field (like the other patterns in the class) would be more consistent and avoids redundant compilation on large content roots.

3. GetLineNumber — off-by-one edge case

var position = Array.BinarySearch(lineStartOffsets, boundedIndex);
if (position >= 0)
    return position + 1;
return Math.Max(1, ~position);

When the match index falls exactly on a newline boundary (i.e., the \n at offset i — lineStartOffsets contains i + 1, not i), the binary search misses and returns the insertion point before that line. This is a cosmetic off-by-one in the diagnostic output (±1 line) and won't cause incorrect behaviour, but worth a quick test with a match at position 0 and at a line-start.

---

Code Quality

Positive highlights:

• The hardcoded alias tables for config keys (e.g., "legacySitemaps", "legacy-sitemaps", "legacySitemapPaths" …) are verbose but maximally ergonomic for consumers. Consistent with the pattern used elsewhere in the runner.
• FrontMatterDelimiterPattern gating for the heading-leak signal is a targeted, well-motivated fix. The comment explaining why headings were removed from VisibleMarkdownLeakPattern is exactly the right use of a comment (non-obvious constraint).
• NormalizeLanguageRootHosts normalises the map up-front so callers don't repeat the case-folding logic — clean design.
• The Csv(string) helper uses "\"\"" doubling (RFC 4180 compliant) rather than backslash escaping — correct.

Minor nits:

• WebAssetCssStrategy.WarnUnknown uses Trace.TraceWarning. Depending on whether a TraceListener is wired up in the CLI host, this may silently discard the warning at runtime. If users are expected to see unknown-strategy diagnostics, routing through the pipeline's own logging might be more reliable.
• ResolveLegacyAmpTargetUrl has hardcoded /pl/ and /en/ path stripping for the two known hosts. This is fine for its purpose, but a brief comment noting the site-specific nature of these constants would help future maintainers.
• HttpClient is created and disposed per-invocation in ExecuteLinksCompareSitemaps (via using var). This is fine for a CLI that runs once and exits; it would be a socket-exhaustion risk in a long-lived server context. The using correctly handles disposal, so no leak.

---

Test Coverage ✅

Coverage for new functionality is thorough:

• WebPipelineRunnerSitemapMigrationTests — redirect/review artifact generation, depth limits, path-escape rejection
• WebLinkServiceTests — AMP generation, host resolution, relative/absolute legacy rows, deduplication
• WebPipelineRunnerSeoDoctorTests — languageRootHosts config round-trip
• WebSeoDoctorTests — localized alternates with root-served hosts, backlog metric counts
• WebPipelineRunnerLinksTests / WebPipelineRunnerApacheRedirectsTests — query-string rewrites

The one gap is that ScanSourceMarkdownEmptyAlt is exercised indirectly through the full Analyze integration path. A dedicated unit test feeding a small in-memory .md tree would isolate the line-number and regex logic independently.

---

Summary

This PR is production-quality. The three concerns worth addressing before merge:

1. Promote the inline regex in ScanSourceMarkdownEmptyAlt to a static compiled field — consistency + minor performance.
2. Verify GetLineNumber edge case at position 0 and at exact line-start offsets — low-risk but the BinarySearch return-value semantics are easy to get wrong.
3. Decide on a stance for Trace.TraceWarning in WarnUnknown — make it visible to operators or document that it requires a listener.

Everything else looks solid. The security posture is strong, the architecture is clean, and the test suite gives good confidence in the new paths.

[claude]

Code Review — PR #326: Native link-service tasks and SEO doctor route support

Overview

This PR delivers three major additions:

1. Native link-service pipeline tasks — links-compare-sitemaps, links-generate-legacy-amp, and links-validate-redirects as first-class C# tasks replacing the PowerShell script equivalents.
2. SEO doctor language root host support — evotec.pl-style root-hosted language domains mapped back to /pl/... paths for hreflang/canonical validation.
3. Reduced Markdown leak false positives — # headings removed from the visible leak pattern; YAML front matter delimiters get their own dedicated guard pattern.

The scope is large (4,657 additions), but changes are well-contained and the test coverage is solid. Below are findings by category.

---

Security

Positive: XXE protection added to PowerShell sitemap parser.
The old [xml] $xml = $content cast accepts DTD processing by default. The new ConvertTo-SafeXmlDocument helper correctly locks this down:

$settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
$settings.XmlResolver   = $null
$xml.XmlResolver        = $null

This is a meaningful improvement, especially for remote sitemap URLs.

Positive: Path traversal guard added to Test-GeneratedRouteExists.
The new version validates that resolved file paths remain within the site root before calling Test-Path, using GetFullPath + StartsWith comparisons. The old version had no such boundary check.

Concern: row.TargetUrl written directly into Apache config without escaping.
In ExecuteApacheRedirects, the target URL is interpolated into RewriteRule lines without any Apache-level escaping:

lines.Add($"RewriteRule ^{escapedPath}/?$ {row.TargetUrl} [R={row.Status},L,QSD]");

If a target URL contains spaces or other Apache config metacharacters, the generated .conf file could be malformed. A validation step or explicit character allowlist for TargetUrl values before writing would close this gap. (This was a pre-existing pattern, but worth flagging given the new query-string-aware code path.)

Minor: Regex.Escape used for Apache PCRE patterns.
AppendApacheLegacyQueryCondition uses System.Text.RegularExpressions.Regex.Escape to escape source query strings before inserting them into RewriteCond directives. .NET regex and Apache PCRE escaping are largely compatible for alphanumeric query strings, but they are not identical — for example, .NET escapes # while Apache PCRE does not treat it as special. For the expected inputs (typical HTTP query strings), this is fine in practice.

---

Correctness

Positive: Nginx URI matcher trailing-slash fix is correct.
BuildNginxRequestUriMatcher now allows an optional slash before the query string:

// Before: "^\/path\?v\=1$"  — strict, won't match /path/?v=1
// After:  "^\/path/?\?v\=1$" — handles both /path?v=1 and /path/?v=1

The /? is intentionally unescaped here as a regex quantifier. The approach is correct and the root-path branch (path == "/") correctly delegates the whole /?" + sourceQuery string to Regex.Escape.

Positive: PathOnly → RewriteRulePath rename with explanatory comment.
The accompanying comment // RewriteRule cannot match the query string; SourceQuery is emitted as a RewriteCond. clarifies a genuine Apache constraint that was previously silently assumed.

Potential issue: links-generate-legacy-amp hardcodes a two-language (English/Polish) host model.
The WebLegacyAmpRedirectOptions model and its pipeline task require defaultEnglishHost and defaultPolishHost as mandatory named properties. This couples the general-purpose redirect generation logic to a specific site topology. A Dictionary<string, string> LanguageHosts (language code → host) would be equally simple to implement and would allow the same task to serve other multilingual sites without a new API surface.

Minor: FrontMatterDelimiterPattern covers -- (two dashes) as well as ---.

--{2,3}  # matches -- or ---

Two consecutive dashes appear commonly in prose (em-dash approximation, code comments, SQL). If the content scanner encounters -- DROP TABLE in body copy it will now be silently allowed where it was previously (incorrectly) flagged as a front matter leak. The intent to reduce false positives from --- delimiters is good, but tightening to --{3} (exactly three dashes) would be safer.

Get-SlugVariants language suffix stripping is hardcoded.

if ($current -match '^(.*?)-(pl|fr|de|es)$' ...)

Only four languages are handled. Adding a new language to the site would require a code change here. Passing the known language codes as a parameter would avoid the coupling.

---

Testing

Test coverage is comprehensive and well-structured:

• WebLinkServiceTests covers happy path, missing host validation, host-with-path rejection, and absolute-URL row preservation for GenerateLegacyAmpRedirects. ✅
• WebPipelineRunnerApacheRedirectsTests explicitly verifies the new query-string RewriteCond and QSD flag emission. ✅
• WebSeoDoctorTests covers the frontmatter delimiter false-positive fix and the heading-as-leak false-positive fix. ✅
• WebSitemapMigrationAnalyzerTests — not shown fully but referenced as passing. ✅

Concern: TryPreserveExistingReleaseHub tested via reflection.

var preserveMethod = typeof(WebPipelineRunner)
    .GetMethod("TryPreserveExistingReleaseHub", BindingFlags.NonPublic | BindingFlags.Static);
Assert.NotNull(preserveMethod);

If this method is renamed, the Assert.NotNull will catch it, but only at test runtime, not compile time. Consider exposing the behavior through a public, testable entry point (e.g., a dedicated integration test that runs the full pipeline step with a pre-existing output file), or moving the logic into a separately testable helper class.

---

Code Quality

Positive: Refactoring the 669-line helper blob out of Compare-WebSitemaps.ps1 into its own file is the right move. The dot-sourcing check (Test-Path -LiteralPath $helperPath -PathType Leaf) gives a clear error if the dependency is missing.

Positive: [ValidateRange] attribute guards on TimeoutSec and MaxSitemapDepth replace hand-written validation with declarative constraints, reducing boilerplate.

Positive: Graceful deprecation of FetchTimeoutSec via Write-Warning and a [Nullable[int]] bridging parameter is clean API evolution.

Minor: LanguageRootHosts on WebSeoDoctorOptions uses a mutable Dictionary<string, string> instead of IReadOnlyDictionary<string, string>. Callers could mutate the dictionary after construction. Changing the property type to IReadOnlyDictionary<string, string> (or accepting it only in the constructor) would make the intent clearer.

Minor: Multiple JSON property name aliases in ExecuteLinksGenerateLegacyAmp (source, sourceCsv, source-csv, sourceCsvPath, source-csv-path) are consistent with how other tasks work in this codebase, so this is fine — just verbose.

---

Summary

Area	Status
Core feature correctness	✅ Solid
Security (XXE, path traversal)	✅ Improved vs. prior code
Apache config injection risk	⚠️ Pre-existing gap, not worsened
Two-dash front matter pattern	⚠️ Minor false-negative risk
Hardcoded English/Polish model	⚠️ Limits generalisability
Test coverage	✅ Good breadth
Reflection-based private method test	⚠️ Fragile, consider refactor
Nginx URI matcher fix	✅ Correct

Overall this is well-executed work. The XXE hardening and path traversal fix are welcome security improvements. The main suggestions worth acting on before merge are: (1) evaluate whether defaultPolishHost should generalise to a language map, (2) tighten --{2,3} to --{3} in the front matter delimiter pattern, and (3) add a target-URL character validation guard in the Apache config writer.

[claude]

Code Review — PR #326: Native link-service tasks and SEO doctor route support

Overview

This is a large, well-structured PR (+4881/-766) that:

1. Extracts helper functions from Compare-WebSitemaps.ps1 into a companion .Helpers.ps1 file
2. Ports sitemap migration analysis into a native C# WebSitemapMigrationAnalyzer
3. Adds two new pipeline tasks: links-generate-legacy-amp and links-compare-sitemaps
4. Extends SEO doctor with root-served language host support and backlog audit artifacts
5. Hardens Apache redirect generation (query string conditions, target safety validation)
6. Adds partial ecosystem stats source preservation on upstream failure

The PR comes with broad test coverage and passing CI. Overall quality is high. Notes below range from blocking to advisory.

---

Security

Apache target validation is narrower than its name implies (WebLinkService.ExportApache.cs)

IsSafeApacheRewriteSubstitution rejects whitespace and control characters but not Apache RewriteRule metacharacters ($1, [R=], backreferences, etc.) that could alter rule semantics if they appeared in a target URL. The error message says "URL-encoded", which is the right user guidance, but the check itself is weak. Consider tightening to an allowlist of safe URL characters, or at minimum add a note in the method doc that callers are expected to have already validated/encoded the target.

TryNormalizeRelativeApacheLegacyPath — percent-encoded traversal (WebPipelineRunner.Tasks.ApacheRedirects.cs)

The Contains("..", ...) check catches literal dotdot but not %2e%2e. This is only triggered for CSV-sourced paths, so risk is low, but worth a comment.

Good: EnsureNestedSitemapPathWithinBase uses Path.GetFullPath prefix-comparison (no symlink risk), and the test RejectsNestedLocalSitemapOutsideBaseDirectory explicitly exercises a ../ escape. Similarly GeneratedRouteExists_DoesNotProbeOutsideSiteRoot covers %2e%2e in the analyzer.

---

Code Quality

Synchronous HTTP in pipeline runner (WebPipelineRunner.Tasks.Links.SitemapMigration.cs, line ~4111)

var content = httpClient.GetStringAsync(location).GetAwaiter().GetResult();

.GetAwaiter().GetResult() on a Task<string> blocks a thread pool thread and can deadlock in some synchronization contexts. The pipeline is currently synchronous throughout, so this isn't a live bug, but it's technical debt. A comment acknowledging the intentional sync-over-async would prevent future confusion.

Reflection against private methods in tests (WebPipelineRunnerEcosystemStatsTests.cs, WebPipelineRunnerReleaseHubTests.cs)

Both test files invoke private static methods via GetMethod(..., BindingFlags.NonPublic | BindingFlags.Static). This is fragile (rename breaks tests silently at runtime, not compile-time) and tests implementation detail rather than observable behavior. TryPreserveExistingReleaseHub and TryPreserveEcosystemSources could be exposed as internal with [InternalsVisibleTo], or the tests could be restructured to drive them through the full RunPipeline path (which is already partially done by other tests in the same file).

JsonSerializerOptions allocation on hot path (WebPipelineRunner.Tasks.Content.cs, WebPipelineRunner.Tasks.EcosystemStats.cs)

return JsonSerializer.Deserialize<WebReleaseHubDocument>(json, new JsonSerializerOptions { PropertyNameCaseInsensitive = true });

JsonSerializerOptions construction is expensive (builds a cache). These are pipeline-step calls, not hot loops, so no functional impact today — but if these methods get called repeatedly (watch mode, large pipelines), this adds up. Cache as a private static readonly.

Inconsistent CSV escaping helpers

EscapeCsv (sitemap migration) wraps only when special characters are present. Csv (SEO doctor backlog) always double-quotes. Both are correct, but the inconsistency means the outputs have different quoting styles. Not a bug, but could surprise consumers that rely on consistent format.

GetFreePortRange race window (WebStaticServerTests.cs)

The helper allocates and immediately releases N consecutive listeners before returning start. There's a narrow TOCTOU window before the test re-binds those ports. In high-concurrency CI environments this can cause intermittent failures. Consider holding at least the first listener open and returning it alongside the port number so the caller can release it right before ServeWithPortFallback starts. (The PR does improve the flakiness situation vs. the previous single-port helper — this is a pre-existing pattern.)

---

Potential Bugs / Semantic Changes

Module manifest test flip (ModulePipelineApprovedModulesTests.cs, ModulePipelineManifestRefreshTests.cs)

Several assertions flip from Contains("Microsoft.PowerShell.Utility") to DoesNotContain(...), and Az.Accounts is removed from RequiredModules. This implies a behavior change in how inbox or previously-approved modules are filtered. The tests reflect the new intent, but there's no summary comment explaining why this semantic changed. A brief note in the test or PR description would help future maintainers understand why inbox modules are now excluded.

usedFallback flag interaction in ExecuteEcosystemStats

The new TryPreserveEcosystemSources call sets usedFallback = true before TryReadEcosystemStatsSnapshotFromFile reads the file. After TryPreserveEcosystemSources merges source data, the on-disk file has been modified, so generatedSnapshot will reflect the merged state — which is then skipped by the !usedFallback guard. This is correct, but the ordering is subtle and a comment would help.

stepResult.Message overwrite risk in ExecuteEcosystemStats

When TryPreserveEcosystemSources succeeds it sets stepResult.Message to the preserved-sources message, but then stepResult.Message can be overwritten again on lines further down. The final stepResult.Message assignment in the usedFallback block uses string.Equals(fallbackReason, "existing-source-on-warning-empty") to pass through the earlier assignment — this works, but is an implicit coupling. Consider a preservedSourcesMessage variable rather than writing to stepResult.Message early.

spec.BaseUrl vs. Languages[0].BaseUrl (WebSiteLocalizationFeaturesTests.cs)

The test change moves the English base URL from spec.Localization.Languages[0].BaseUrl to spec.BaseUrl. This is likely correct (the root BaseUrl is the source of truth), but verifying the hreflang assertion Assert.Contains("hreflang=\"en\" href=\"https://evotec.xyz/docs" is newly added suggests this was previously silently broken. If so, worth calling out explicitly in the PR summary.

---

Minor Notes

• WebAssetCssStrategy.WarnUnknown uses Trace.TraceWarning — this is only visible when a TraceListener is configured. Console.Error or a structured logger would be more visible in pipeline output.
• The WebPipelineRunner.Watch.cs change that skips empty-message inner exceptions when segments already exist is a nice noise reduction, but the direction separator change from <-- to -> may break external tooling that parses error messages.
• Compare-WebSitemaps.ps1 deprecation of FetchTimeoutSec → TimeoutSec is handled cleanly with Write-Warning. The [ValidateRange(1, 300)] on TimeoutSec and [ValidateRange(0, 64)] on MaxSitemapDepth are good additions.

---

Summary

The core logic is solid and the security boundaries (path traversal, DTD processing disabled, Apache target validation, response size cap) are well considered. The main action items are:

1. Security: Tighten IsSafeApacheRewriteSubstitution or document its known limitations.
2. Tests: Replace private-method reflection tests with internal/InternalsVisibleTo or full pipeline-path tests.
3. Documentation: Add a note explaining the inbox-module filtering change in the manifest tests.
4. Minor: Cache JsonSerializerOptions instances; add a comment on sync-over-async in the sitemap HTTP loader.

[claude]

Code Review — PR #326: Native link-service tasks and SEO doctor language-root support

Overview

This is a substantial, well-organized PR (+4889/-766). It delivers:

• Extraction of sitemap-comparison helpers into a separate .ps1 file and a new WebSitemapMigrationAnalyzer C# class
• Two new pipeline tasks: links-generate-legacy-amp and links-compare-sitemaps
• SEO doctor enhancements: root-served language host support, per-page backlog metrics, empty-alt tracking, source-markdown scanning, and reduced false positives in content-leak detection
• A bug fix in the nginx $request_uri query-string redirect matcher
• Per-source fallback preservation in WebEcosystemStatsGenerator

Test coverage is broad and the commit history is clean. The points below are in priority order.

---

Bugs / Correctness

1. Unhandled RegexMatchTimeoutException in ScanSourceMarkdownEmptyAlt

EmptyMarkdownImageAltPattern is compiled with a 250 ms timeout (good defensive practice), but the call site never catches RegexMatchTimeoutException:

// WebSeoDoctor.cs – ScanSourceMarkdownEmptyAlt
var matches = EmptyMarkdownImageAltPattern.Matches(content);

A pathological markdown file will propagate the exception through Analyze() and surface as an unclassified crash rather than a scan warning. Wrap in a try/catch and emit a review-severity issue so the run still completes.

---

2. Nginx query-string regex: raw /? is intentional but fragile

// WebSiteBuilder.Redirects.cs
var exactPath = path.TrimEnd('/');
return "\"^" + Regex.Escape(exactPath) + "/?" + Regex.Escape("?" + sourceQuery) + "$\"";

The /? between the two Regex.Escape calls is a raw PCRE quantifier (optional trailing slash). This is correct for the intended fix, but a future reader might assume every piece is escaped. A short comment like // /? allows optional trailing slash before query would prevent accidental "cleanup". Also worth confirming: if sourceQuery contains characters that nginx's PCRE dialect escapes differently from .NET (e.g. ~), the generated pattern may mismatch — the existing test coverage should be sufficient to catch that for the current values, but it's worth noting.

---

3. NormalizeCanonicalLegacyPath always appends a trailing slash

// WebLinkService.LegacyAmp.cs
private static string NormalizeCanonicalLegacyPath(string path)
{
    ...
    return normalized + "/";
}

This is the opposite convention from every other path normalization in the codebase (which strips trailing slashes). If a target URL produced by ResolveLegacyAmpTargetUrl is later fed back into NormalizeUrl (which strips them), the round-trip is safe; but if consumed raw elsewhere, it could silently differ from normalized forms in lookup dictionaries. Consider aligning conventions or documenting the deviation explicitly.

---

Design / Maintainability

4. Csv() helper defined in two places

WebPipelineRunner.Tasks.SeoDoctor.cs and WebLinkService.LegacyAmp.cs each define an identical private static Csv(string) method (quote-doubling CSV escape). Both are in namespace PowerForge.Web / PowerForge.Web.Cli. A shared internal static helper (e.g. CsvWriter.Escape) would avoid the drift risk.

---

5. Get-SlugVariants hardcodes two-letter language codes

# Compare-WebSitemaps.Helpers.ps1
if ($current -match '^(.*?)-(pl|fr|de|es)$' ...)

This is domain-specific to Evotec's content. The C# counterpart WebSitemapMigrationAnalyzer.GetSlugVariants uses numeric-suffix and diacritic stripping only (no language codes), so the two implementations diverge. If the PowerShell script is ever used on sites with other language suffixes, this will silently miss matches. Consider making the language list a parameter or moving the stripping logic into the C# analyzer so the PowerShell script just wraps it.

---

6. FrontMatterDelimiterPattern without Multiline — verify intent

private static readonly Regex FrontMatterDelimiterPattern = new(
    @"(?:^|\s)---(?:\s|$)",
    RegexOptions.IgnoreCase | RegexOptions.CultureInvariant | RegexOptions.Compiled);

Without RegexOptions.Multiline, ^ matches only the very start of the input string. If CheckContentLeaks feeds individual text nodes this works fine; if it ever feeds a multi-line block of body text and relies on ^ to anchor to line starts, matches on non-first lines will only work via the \s branch. The existing test Analyze_DoesNotTreatTwoDashProseAsFrontMatterDelimiter passes, so the current call sites are safe, but the absence of Multiline is a latent trap for the next person who extends this check.

---

7. VisibleMarkdownLeakPattern drops heading detection entirely

Removing #{1,6}\s+\S+ from the pattern eliminates false positives from API documentation content (good), but it also means actual rendered Markdown headings that leak into HTML body text will no longer be flagged. If there is an alternative mechanism that catches heading leaks, this is fine; if not, consider replacing the broad match with a tighter one (e.g. require the # to start a line and be followed by multiple words) rather than removing it completely.

---

Positive Highlights

• XXE prevention: ConvertTo-SafeXmlDocument properly sets DtdProcessing = Prohibit and XmlResolver = null. The old [xml]$content cast was vulnerable to XXE; this is a genuine security improvement.
• Path traversal guard in Test-GeneratedRouteExists: Both the new PowerShell and C# versions verify the resolved path stays under $root / rootPrefix before checking File.Exists. The old PS version had no such guard.
• Deprecation handling for FetchTimeoutSec: Clean backward-compatible shim with a Write-Warning and [Nullable[int]] type — avoids silently breaking callers.
• Per-source ecosystem-stats fallback: Preserving only the failed source's data (GitHub/NuGet/PSGallery independently) rather than the all-or-nothing strategy is a significant reliability improvement.
• Static lambdas throughout: Consistent use of static closures in LINQ (e.g. OrderByDescending(static page => page.EmptyAltCount)) avoids unintended captures.
• WebSitemapMigrationAnalyzer as a testable public static class: Extracting the PowerShell heuristics into C# with public API surface is a good architectural move that makes the logic unit-testable and reusable.

---

Minor / Nits

• sourceNormalized → legacyNormalized rename in the AMP discovery loop is a clarity improvement; no issues.
• The task aliases (link-generate-legacy-amp, legacy-amp-redirects) are welcome for ergonomics; ensure the schema JSON also documents them so IDEs can offer them.
• WebLegacyAmpRedirectOptions.DefaultEnglishHost and DefaultPolishHost are noted as compatibility aliases — consider adding an [Obsolete] attribute or at least a <remarks> XML doc to signal to callers they should prefer LanguageHosts.

---

Summary: The PR is solid and well-tested. The one issue worth fixing before merge is the unhandled RegexMatchTimeoutException in the source markdown scanner (item 1). The nginx comment (item 2) and NormalizeCanonicalLegacyPath convention note (item 3) are lower-priority but worth addressing in a follow-up or inline. Everything else is advisory.

[claude]

Code Review — PR #326: Native link-service tasks and SEO doctor route support

This is a substantial, well-structured PR (+4907 / -766) that promotes migration tooling from a project-local PowerShell script into first-class pipeline tasks and adds meaningful SEO doctor capabilities. Overall the code quality is high and test coverage is thorough. Below are observations by area.

---

Overview

Three main areas of change:

1. PowerShell helpers extracted – Compare-WebSitemaps.ps1 helper functions moved to a dedicated Compare-WebSitemaps.Helpers.ps1 file; the main script dot-sources it instead of embedding 650+ lines of helper code. Backward-compatible FetchTimeoutSec alias maintained with a deprecation warning.
2. Two new native pipeline tasks – links-generate-legacy-amp and links-compare-sitemaps are now implemented in C# (WebLinkService.LegacyAmp.cs, WebSitemapMigrationAnalyzer, WebPipelineRunner.Tasks.Links.SitemapMigration.cs).
3. SEO doctor enhancements – languageRootHosts support for root-served language domains, optional empty-alt and source-Markdown alt scanning, richer backlog metrics / CSV exports, and false-positive reductions for frontmatter/Markdown leak detection.

---

Positives

• Security is well considered. XML DTD processing is explicitly disabled everywhere sitemap XML is loaded (DtdProcessing.Prohibit, XmlResolver = null). Path traversal is guarded in Test-GeneratedRouteExists (PowerShell helpers) and EnsureNestedSitemapPathWithinBase (C#). Apache export validates destination characters in IsSafeApacheRewriteSubstitution and the new TryNormalizeRelativeApacheLegacyPath guards against .. and double-slash paths.
• Thorough test coverage. Every new code path has accompanying tests: language-host map routing, malformed sitemap URLs, path-escape prevention, absolute/relative legacy rows, missing host validation, AMP alias generation, partial-source fallback, and UI regression checks for encoded HTML attributes and Nginx query regex.
• Deprecation handled gracefully. The FetchTimeoutSec → TimeoutSec rename in Compare-WebSitemaps.ps1 uses a warning and compatibility shim rather than a hard break.
• File-level retry in TryDelete – the 5-attempt retry loop for IOException/UnauthorizedAccessException in PowerForgeReleaseServiceTests is a practical fix for flaky Windows cleanup.

---

Issues and Suggestions

Medium

1. GetFreePortRange has a race window (WebStaticServerTests.cs)
   The helper reserves a contiguous range with TcpListener, then releases all of them before returning. Between Stop() and the test's HttpListener.Start() another process could claim one of those ports. The existing GetFreePort() has the same problem but the new helper makes it more visible. Consider binding a Socket to port 0 and keeping the TcpListener alive until the blocker has started, or accept the existing pattern if flakiness is acceptable in CI.

2. TryPreserveExistingReleaseHub reads outputPath from disk after writing it (WebPipelineRunner.Tasks.Content.cs:3692)

   var generated = TryReadReleaseHubDocument(File.ReadAllText(outputPath));

   At this point outputPath still holds the generated content (written by WebReleaseHubGenerator.Generate). The function receives existingJson as a parameter specifically to avoid re-reading from disk, but then reads the generated content fresh. This is correct today because outputPath is the generated path, but the naming (existing / generated) is slightly misleading: the variable named generated is derived from disk while existingJson (pre-existing) is the in-memory string. A comment or variable rename would clarify intent.

3. ResolveLegacyAmpHost falls back silently to the default language host (WebLinkService.LegacyAmp.cs)

   return languageHosts.TryGetValue(languageKey, out var host)
       ? host
       : languageHosts[defaultLanguage]; // KeyNotFoundException if default not in map

   BuildLegacyAmpLanguageHosts guarantees the default language key exists, so a KeyNotFoundException is not possible today. But this will be a confusing failure mode if the invariant ever breaks (e.g. the option object is constructed directly in tests without going through BuildLegacyAmpLanguageHosts). Prefer languageHosts[defaultLanguage] only after checking, or document the precondition explicitly.

4. ResolvePathWithinRoot used without caller context in SEO doctor backlog output (WebPipelineRunner.Tasks.SeoDoctor.cs)
   WriteSeoDoctorJsonFile / WriteSeoDoctorCsvFile call ResolvePathWithinRoot(baseDir, path, path) where the third argument appears to be a fallback. If the path resolves outside baseDir, the third argument silently becomes the output location. This is the same pattern used elsewhere in the runner, but it is worth checking whether that fallback-to-raw-path behavior is intentional for the new backlog artifact paths.

Minor / Style

5. GetSlugVariants hardcodes language suffixes (Compare-WebSitemaps.Helpers.ps1:236)
   The pattern -(pl|fr|de|es)$ is specific to a small set of languages. If the pipeline is extended to new language codes, this will silently miss slug variants for those languages. Consider externalising the set or documenting it as a known limitation.

6. BuildSeoDoctorPageMetricsCsv uses Csv() helper for boolean values (WebPipelineRunner.Tasks.SeoDoctor.cs)
   Csv(row.MissingDescription) converts the bool via Convert.ToString which produces "True" / "False". Most CSV consumers expect true/false or 0/1 for boolean fields. This may cause issues for downstream data pipelines. Consider row.MissingDescription ? "true" : "false" explicitly.

7. WebSitemapMigrationAnalyzer.GetSlugVariants is public but also tested indirectly (WebSitemapMigrationAnalyzerTests.cs)
   The test directly calls WebSitemapMigrationAnalyzer.GetSlugVariants(...) and WebSitemapMigrationAnalyzer.GeneratedRouteExists(...). Exposing internal helpers as public for testability is a common tradeoff; just make sure this is intentional rather than an oversight.

8. FormatFailureMessage separator changed from <-- to -> without a test (WebPipelineRunner.Watch.cs:4756)
   This is a user-visible change to error output. If any downstream tooling or test assertion parses the separator, it will silently break. The existing watch tests should cover the format — worth confirming they still pass.

9. NormalizeSeoDoctorLanguagePrefix in WebPipelineRunner.Tasks.SeoDoctor.cs vs NormalizeLanguageRootPrefix in WebSeoDoctor.cs
   Both methods do exactly the same thing (Trim().Trim('/').Replace('\\',...)). Consider extracting to a shared helper or referencing one from the other to avoid drift.

---

Security

• Path traversal protections look solid. The .. check in TryNormalizeRelativeApacheLegacyPath and the EnsureNestedSitemapPathWithinBase boundary enforcement are good defensive additions.
• IsSafeApacheRewriteSubstitution uses an allowlist of URL-safe characters for the Apache RewriteRule substitution target. The allowlist includes [ and ] which Apache sometimes treats specially in substitution context; verify these are safe for the RewriteRule substitution destination (not just the match side).
• The HttpClient created in CreateSitemapHttpClient caps response size at 50 MB and sets MaxAutomaticRedirections = 5, which is reasonable. Note the .GetAwaiter().GetResult() sync-over-async pattern — this is acknowledged in the inline comment but will block a thread pool thread during remote sitemap fetches; acceptable for pipeline tasks.

---

Test Coverage

Coverage is strong. A few gaps worth noting:

• No test for the FormatFailureMessage separator change.
• No test for ResolveSeoDoctorLanguageRootHosts parsing a site config file (the pipeline test covers the end-to-end flow, but not invalid/missing config paths).
• GetFreePortRange race condition noted above could cause intermittent CI failures.

---

Summary

This is a high-quality contribution. The main code path is well tested, security boundaries are in place, and the deprecation strategy is clean. The issues above are mostly minor clarity/robustness notes; none block merging. The hardcoded language-suffix list in the PowerShell helper and the boolean CSV serialisation format are the items most worth addressing before wider adoption.

[claude]

Code Review: PR #326 — Native link-service tasks & SEO doctor route support

Overall this is a well-structured PR with good XML security hardening and thoughtful deprecation patterns. A few items need attention before merging.

---

Overview

~5,700 lines of new code across 30+ files:

• New helper file: Build/Compare-WebSitemaps.Helpers.ps1 (669 lines) — URL normalization and redirect-candidate logic extracted from the monolithic script
• C# additions: WebSitemapMigrationAnalyzer, WebLinkService.LegacyAmp, extended WebSeoDoctor, Apache export safety checks, new pipeline tasks
• Models: LinksSpec, WebSeoDoctorOptions, WebSeoDoctorPageMetric, WebSitemapMigrationModels
• 9 new test classes covering sitemap migration, AMP redirects, SEO language roots, and markdown empty-alt detection

---

🔴 Critical

Path traversal check could be strengthened (WebPipelineRunner.Tasks.Links.SitemapMigration.cs, EnsureNestedSitemapPathWithinBase):

The current string.StartsWith(basePrefix) check doesn't resolve symlinks on Unix, leaving a narrow symlink-escape path on shared build hosts. A more robust pattern:

var relative = Path.GetRelativePath(basePath, fullNestedPath);
if (relative.StartsWith("..", StringComparison.Ordinal))
    throw new InvalidOperationException(
        $"Nested sitemap path '{fullNestedPath}' escapes the base directory '{basePath}'.");

Path.GetRelativePath is available on all supported .NET versions and makes the intent clearer.

---

🟠 High Priority

Slug variant regex is now significantly more permissive (Compare-WebSitemaps.Helpers.ps1, line 237; WebSitemapMigrationAnalyzer.cs equivalent):

The old pattern was (pl|fr|de|es) — four explicit languages.
The new pattern is [a-z]{2,3}(?:-[a-z0-9]{2,8})? — any 2–3 letter code.

Side effect: slugs like article-abc, post-fix, report-dev now get their suffix stripped as a "language variant", potentially matching a wrong redirect target. This is a silent behavioral change with no test covering the unintended-suffix case. Please either:

• Add a test asserting that article-fix does not produce a stripped variant (or does, and that is intentional), and
• Document this in the release notes.

FetchTimeoutSec deprecation warning fires too late: the null check / warning at the top of the script runs after Set-StrictMode -Version Latest is set but before the helpers are dot-sourced, which is fine — but the warning doesn't appear if the caller passes $null explicitly (the default). Consider making the intent clearer with a [Parameter(DontShow)] attribute on the deprecated parameter.

---

🟡 Medium Priority

Broad catch (Exception) in catalog path handling (WebPipelineRunner.Tasks.ProjectCatalog.cs):

catch (Exception)  // masks ArgumentException, NullReferenceException, etc.

Prefer a filtered catch:

catch (Exception ex) when (ex is ArgumentException
    or NotSupportedException or PathTooLongException
    or IOException or UnauthorizedAccessException)

Error chain format change (WebPipelineRunner.Watch.cs): separator changed from " <-- " to " -> ". This is a log-output breaking change — any tooling that parses structured error chains will need updating. Worth a one-line note in the release.

CSV column index validation (WebLinkService.LegacyAmp.cs, header-parsing section): if the input CSV is missing legacy_url or target_url columns, the current code throws an IndexOutOfRangeException. A pre-flight check with an actionable error message would be easier to debug.

---

✅ What's Done Well

• XML security: DTD processing disabled, XmlResolver = null set on both XmlReaderSettings and the XmlDocument itself — correctly hardened against XXE in both PowerShell and C# paths.
• Apache rewrite safety: IsSafeApacheRewriteSubstitution() whitelists allowed characters rather than blacklisting, and correctly excludes spaces and control characters.
• Deprecation pattern: FetchTimeoutSec → TimeoutSec issues a Write-Warning and still works, which is the right PowerShell idiom.
• AMP probe filtering: Test-AmpProbeCandidate correctly excludes listing/taxonomy routes before attempting expensive HTTP probes.
• 50 MB sitemap cap and MaxAutomaticRedirections = 5 are sensible defaults that prevent runaway fetches.

---

Test Coverage Assessment

Good coverage on the happy paths. Gaps worth noting:

Area	Gap
Slug variant regex	No test for unintended suffix stripping (e.g., post-fix → post)
Symlink path traversal	No test on Unix symlink escape through EnsureNestedSitemapPathWithinBase
Large sitemaps	No stress test near the 50 MB limit
AMP CSV bad headers	No test for missing legacy_url/target_url columns

The SEO language-root host mapping tests and the markdown empty-alt regex tests are thorough — the FrontMatterDelimiterPattern gating of leak detection is well-justified and the tests validate the new threshold correctly.

---

Summary

Conditional approval. The path traversal hardening and slug-variant behavioral documentation are the two items that should be addressed before merge. Everything else is medium/low priority and could follow in a small cleanup PR.

🤖 Reviewed with Claude Code

[claude]

Code Review — PR #326: Add native link-service tasks and SEO doctor route support

Overview

This PR adds production-grade sitemap migration tooling, legacy WordPress AMP redirect generation, and SEO doctor enhancements. The scope is large (4,935 additions / 766 deletions across 30+ files) but well-organized. No breaking changes detected; all new functionality is additive with backward-compatibility maintained.

---

Strengths

• Security-first XML parsing — DTD processing disabled and XmlResolver = null in ConvertTo-SafeXmlDocument / WebSitemapMigrationAnalyzer prevents XXE attacks. Good defensive posture.
• Path traversal prevention — Explicit checks for both / and \ in nested sitemap resolution guard against directory escape attacks.
• Regex timeout protection — 250 ms MatchTimeout on the markdown image-alt scanning regex prevents ReDoS on malformed content.
• Immutable data structures — Consistent use of sealed record types (UrlEntry, LegacyAmpRedirectRow, etc.) makes the data flow easy to reason about.
• Backward compatibility — FetchTimeoutSec deprecation is handled gracefully with a fallback and a clear warning, rather than a hard break.
• Test coverage — Edge cases are well-covered: relative-URL host validation, language host map precedence, nested sitemap traversal attacks, and unauthorized API fallback behavior are all exercised.

---

Issues & Suggestions

Medium — Blocking HTTP call in async context

In WebSitemapMigrationAnalyzer.cs, HTTP fetches use .GetAwaiter().GetResult() to synchronously block. If the configured timeout silently fails (e.g., DNS hang before the socket connects), this can deadlock the pipeline thread indefinitely.

Suggestion: Wrap with Task.Run(...).WaitAsync(CancellationToken) or propagate async/await to the call site so the timeout is enforced at the task level, not just at the HttpClient level.

Medium — 50 MB response buffer is generous for untrusted inputs

The sitemap HTTP fetch caps the response buffer at 50 MB. For an internal build tool this is likely fine, but if the tool is ever pointed at third-party sitemaps, a slow/large response can exhaust memory before the timeout fires.

Suggestion: Add a note in the XML doc / task help text that this limit exists, or enforce a hard byte cap via HttpClient.MaxResponseContentBufferSize.

Low — Overly broad catch in BuildPortableCatalogPath

The exception handler silently strips absolute paths to relative on any exception. Swallowing UnauthorizedAccessException or IOException here could hide real environment problems that are hard to debug later.

Suggestion: Catch only UriFormatException / ArgumentException (the expected cases) and let unexpected exceptions propagate.

Low — Regex timeout not applied uniformly

The 250 ms MatchTimeout is applied to markdown alt scanning but other regex patterns in the same file use the default (no timeout). Consistency would make the behavior easier to reason about and guard against future ReDoS if patterns are extended.

Low — Polish diacritic normalization is locale-specific

The slug-normalization that maps ł → l, ó → o, etc. is correct for Polish but will silently produce wrong slugs for any other language with similar Unicode characters. This is probably acceptable for the current use case but worth a comment.

Suggestion: Add a comment noting this is intentionally Polish-specific, so future contributors don't accidentally generalize it incorrectly.

Info — Markdown heading pattern removal

Removing the #-heading pattern from leak detection (line 1055-1057) reduces false positives on API docs — understood. The change is intentional and the new delimiter-required behavior is covered by tests. No action needed, just noting the intentional regression.

---

Test Coverage Gaps

The new tests are solid. Three areas worth adding in a follow-up:

1. Timeout/slow-response behavior — a test that verifies the pipeline fails fast when a sitemap server hangs (currently untested).
2. Malformed CSV handling — input with missing columns or extra quotes in links-generate-legacy-amp; currently only happy-path CSV is tested.
3. Large sitemap files — a sitemap near or beyond the buffer limit to confirm memory behavior.

---

Summary

The implementation is well-structured, secure, and thoughtfully backward-compatible. The blocking-HTTP concern is the only medium-severity item worth addressing before merge; the rest are low/informational. Test coverage is strong for the core scenarios. Ready to merge once the async/blocking concern is reviewed by the author.

[claude]

Code Review — PR #326: Native Link-Service Tasks & SEO Doctor Enhancements

Overall assessment: This is a well-structured, feature-complete PR with solid test coverage and good security awareness. The code is production-ready with a few items worth addressing before or after merge.

---

Overview

Three major additions:

1. Sitemap migration analysis — PowerShell helpers + C# WebSitemapMigrationAnalyzer + CLI pipeline task
2. Legacy AMP redirect generation — WebLinkService.GenerateLegacyAmpRedirects() with language-host mapping
3. SEO Doctor root-served localization — languageRootHosts support, empty alt tracking, source Markdown scanning

Architecture is clean: analysis logic sits in the library layer, CLI tasks orchestrate I/O, models are immutable records. PowerShell and C# implementations are appropriately parallel rather than sharing code across boundaries.

---

Security — Good Baseline, One Gap Worth Closing

XXE prevention ✓ — DtdProcessing.Prohibit + XmlResolver = null applied consistently in both C# and PowerShell. Good.

URL scheme validation ✓ — All URL construction goes through Uri.TryCreate() with explicit scheme checks.

Local path traversal ✓ — EnsureNestedSitemapPathWithinBase() uses Path.GetFullPath() + relative-path check correctly.

Potential gap — nested remote sitemaps ⚠️

In ResolveNestedSitemapLocation(), when a sitemap index is fetched remotely, its <loc> entries that are absolute URIs pass through without a domain whitelist check. The 5-redirect cap on HttpClientHandler limits chained SSRF, but a DNS-rebinding scenario or an attacker-controlled sitemap index could still redirect traversal to an internal host. Consider validating that nested sitemap URLs share the same origin (host) as the root sitemap URL passed by the caller.

// Suggested guard in ResolveNestedSitemapLocation():
if (IsRemoteSitemapLocation(nestedPath))
{
    var nestedUri = new Uri(nestedPath);
    var rootUri = new Uri(baseLocation);
    if (!nestedUri.Host.Equals(rootUri.Host, StringComparison.OrdinalIgnoreCase))
        throw new InvalidOperationException($"Nested sitemap URL crosses origins: {nestedPath}");
}

---

Potential Bugs

Missing header error handling — Medium

In WebLinkService.LegacyAmp.cs, when FindHeader() returns -1 (column not found in CSV), all rows are silently skipped. A caller who typos a header name gets zero output and no indication of why. Consider throwing an InvalidOperationException or at minimum logging a warning:

if (legacyIndex < 0)
    throw new InvalidOperationException("Source CSV does not contain a 'legacy_url' column.");

Regex backtracking in PowerShell — Low

Compare-WebSitemaps.Helpers.ps1 line ~237 uses a long alternation over language codes anchored with ^(.*?)-(...lang codes...)$. The non-greedy .*? + anchor combination is safe in practice, but PowerShell's regex engine lacks a built-in timeout. On pathological input (e.g., a slug with 50 dashes followed by no matching suffix) this could be slow. The C# equivalent already uses RegexOptions.Compiled which is fine. For the PowerShell side, a precompiled [System.Text.RegularExpressions.Regex] with a timeout would be more robust.

---

Code Quality

Strengths:

• Consistent C# style: ArgumentNullException.ThrowIfNull(), nullable refs, static readonly regex fields with RegexOptions.Compiled, records for models
• PowerShell helpers follow strict mode, use [Parameter(Mandatory)] correctly, handle edge cases (empty collections, trailing slashes)
• NormalizeRequiredHost() is thorough: rejects paths, queries, fragments, and path separators ✓
• HTTP client configuration is sensible: 30 s default timeout, 50 MB buffer cap, 5-redirect limit

Opportunities:

• WebSeoDoctor.Analyze() is long (~400 lines). The new languageRootHosts logic could be extracted into a private ValidateLanguageAlternates() method to reduce cognitive load.
• Language-host map building appears in at least three places (links CLI, legacy AMP, SEO Doctor). A shared BuildLanguageHostMap(IReadOnlyDictionary<string,string>) utility would reduce future drift.
• WebSitemapMigrationAnalyzer is all-static. For a library that will grow, consider an injectable instance to enable future mocking in tests.

---

Test Coverage

Good coverage:

• 7 legacy AMP unit tests covering host scoping, language mapping, absolute vs. relative URLs, non-3xx skip, and header validation
• Sitemap migration tests cover basic comparison, max-depth rejection, and local path-traversal escape
• SEO Doctor tests cover empty alt backlog, Markdown image alt detection, and root-served language host validation

Gaps:

• No test for a CSV missing the legacy_url column (ties to the bug above)
• No test for malformed/truncated XML in sitemap parsing (DTD injection attempt, truncated gzip, etc.)
• No test for the remote→remote nested sitemap origin-crossing scenario described in the security note
• SEO Doctor languageRootHosts tests cover the happy path; a test with a misconfigured mapping (e.g., host present in config but no matching alternate in the HTML) would be valuable

---

Performance

No significant concerns for typical usage. One note: CheckSourceMarkdownImageAlt scans Markdown files on every analysis run. The 250 ms regex timeout is protective, but if ContentRoot grows very large, incremental scanning (only files modified since last run) could be worth considering as a future enhancement.

---

Summary

Area	Status
Security (XXE, path traversal)	✅ Solid
Security (nested remote sitemaps)	⚠️ Worth hardening
CSV header error handling	⚠️ Silent failure risk
Test coverage	✅ Good, minor gaps
Code style & conventions	✅ Consistent
Architecture	✅ Clean layering
Performance	✅ Acceptable

The nested remote sitemap origin check and the CSV header error are the two items I'd most recommend addressing. Everything else is polish. Nice work on the XXE prevention and the thorough URL/host normalization.

[claude]

Code Review — PR #326

Overview

This PR adds three major capabilities to the PowerForge web pipeline:

1. Native links-generate-legacy-amp — generates WordPress AMP continuity redirect CSVs via WebLinkService.LegacyAmp.cs
2. Native links-compare-sitemaps — ports the PowerShell sitemap migration analyser to C# as WebSitemapMigrationAnalyzer.cs
3. SEO Doctor languageRootHosts — fixes false-positive hreflang/canonical warnings for root-served language domains (e.g. evotec.pl → /pl/)

The refactor also extracts Compare-WebSitemaps.Helpers.ps1 from the monolithic PowerShell script, improves several resilience paths (release hub fallback, ecosystem stats per-source preservation, GitHub 401 retry), and reduces false positives in content-leak detection.

---

Security ✅

The security-sensitive areas look well handled:

• XXE prevention — DTD processing disabled in both the C# XmlReader (via NewSafeSitemapXmlReaderSettings()) and the new PowerShell ConvertTo-SafeXmlDocument. XmlResolver = null set on both reader and document.
• Path traversal — EnsureNestedSitemapPathWithinBase uses Path.GetRelativePath and checks for .. and rooted results; covers both separator chars.
• Cross-origin sitemaps — Remote nested sitemaps are rejected unless same origin (EnsureNestedRemoteSitemapSameOrigin).
• Response size cap — MaxResponseContentBufferSize = 50MB on the sitemap HTTP client.
• Redirect limit — MaxAutomaticRedirections = 5.
• Apache injection — IsSafeApacheRewriteSubstitution allowlists characters before writing RewriteRule targets; throws clearly rather than silently.
• Relative Apache legacy paths — TryNormalizeRelativeApacheLegacyPath rejects .. and \\ before path canonicalisation.

---

Bug: languageHosts missing from LinksGenerateLegacyAmpStep JSON schema

BuildLegacyAmpLanguageHostMap in WebPipelineRunner.Tasks.Links.cs reads languageHosts/language-hosts from the step JSON. The pipeline test at line 2266 exercises this path with languageHosts. However, neither languageHosts nor language-hosts appears in LinksGenerateLegacyAmpStep in powerforge.web.pipelinespec.schema.json, which uses "additionalProperties": false.

Impact: schema validators and IDE JSON schema support will flag languageHosts as an unknown property even though the runtime accepts it. defaultLanguage/default-language are also absent from the schema for the same reason.

Fix: add to the schema definition:

"languageHosts": { "type": "object", "additionalProperties": { "type": "string" } },
"language-hosts": { "type": "object", "additionalProperties": { "type": "string" } },
"defaultLanguage": { "type": "string" },
"default-language": { "type": "string" }

---

Suggestions

1. AddRegexSpecialCase uses un-compiled, timeout-less Regex.Match

// WebSitemapMigrationAnalyzer.cs
var match = Regex.Match(legacyPath, pattern, RegexOptions.CultureInvariant | RegexOptions.IgnoreCase);

The five call sites in AddSpecialCaseCandidates each spin up a fresh Regex object per URL. For URL-path inputs the risk of catastrophic backtracking is negligible, but this is inconsistent with the project's defensive style (EmptyMarkdownImageAltPattern has a 250 ms timeout; GlobMatchRegexTimeout exists for the same reason). Consider pre-compiling these five patterns as static readonly Regex fields with a short timeout, matching the style used elsewhere in the service.

2. TryReadReleaseHubDocument / TryReadEcosystemStatsDocument — new JsonSerializerOptions per call

Both helpers create a fresh JsonSerializerOptions on every invocation:

return JsonSerializer.Deserialize<WebReleaseHubDocument>(json, new JsonSerializerOptions
{
    PropertyNameCaseInsensitive = true
});

These are not on a hot path, but they allocate and can't be cached by the runtime. Extracting them as static readonly options instances is a minor but free improvement.

3. StoreSubmissionService — intent of early validation call is unclear

_ = NormalizeAuthorityHost(authentication.AuthorityHost);

This is called purely for its throw-if-invalid side effect. A brief comment or a named helper like ValidateAuthorityHost(...) would make the intent immediately clear to a future reader.

4. Compare-WebSitemaps.Helpers.ps1 — expanded language list is a silent behaviour change

Get-SlugVariants now matches a much larger set of language suffixes (21 codes vs. the original 4: pl|fr|de|es). For users already relying on the PowerShell script, this could produce additional/different redirect candidates in their migration output. Worth a brief note in the PR description or CHANGELOG so upgraders know to re-run sitemap comparison after pulling.

5. Reflection-based tests of private methods

TryPreserveExistingReleaseHub, TryPreserveEcosystemSources, and ResolveNestedSitemapLocation are all tested via typeof(WebPipelineRunner).GetMethod(..., BindingFlags.NonPublic). This is fine for behaviour that's intentionally internal, but it means method renames silently break the tests rather than producing a compile error. If these methods are stable enough to test in isolation, consider making them internal with [InternalsVisibleTo] for the test assembly.

---

Minor nits

• WebPipelineRunner.Watch.cs: exception chain separator changed from " <-- " to " -> ". The direction is now easier to read (cause → effect), but it is a UI change that could affect any log parsing that relies on the old separator.
• GetFreePortRange in WebStaticServerTests.cs: the outer retry cap of 100 is generous; this should prevent the test hanging but may slow the suite if the machine is heavily loaded. The existing comment is sufficient.
• PowerForgeReleaseServiceTests.TryDelete retry loop: Thread.Sleep(100) is fine in test teardown.

---

Test Coverage ✅

Coverage is thorough for the new features:

• links-compare-sitemaps: happy path, maxSitemapDepth enforcement, local path-traversal rejection, remote cross-origin rejection
• links-generate-legacy-amp: CSV output and summary JSON verified
• SEO Doctor root-served language hosts: hreflang/canonical validation with evotec.pl-style split domains
• Backlog metrics (empty alt, source Markdown)
• Release hub fallback and ecosystem stats per-source preservation
• GitHub 401 anonymous fallback

Overall this is a well-structured PR with good security discipline. The schema gap for languageHosts is the only issue that needs fixing before merging.

[claude]

Code Review — PR #326: Native link-service tasks + SEO doctor language root support

Overview

This is a large, well-structured PR (~5 039 additions / 766 deletions) spanning three distinct areas:

1. New pipeline tasks — links-generate-legacy-amp and links-compare-sitemaps / sitemap-migration
2. SEO doctor improvements — language root host support (evotec.pl → /pl/…), empty-alt backlog metrics, source Markdown scanning, and CSV/JSON artifact export
3. Bug fixes and polish — nginx query-string redirect matcher, Apache substitution safety gate, error message formatting, GitHub 401 retry, localization fallback URL resolution

Overall the code is clean, purposeful, and well-tested. The observations below are ranked from most actionable to cosmetic.

---

Potential Issues

1. JsonSerializerOptions created per call in WriteSeoDoctorJsonFile
WebPipelineRunner.Tasks.SeoDoctor.cs (WriteSeoDoctorJsonFile):

File.WriteAllText(resolvedPath, JsonSerializer.Serialize(payload, new JsonSerializerOptions { WriteIndented = true }));

Constructing a new JsonSerializerOptions instance on every call bypasses the serializer's internal cache and triggers a JIT compilation pass each time. Since WriteSeoDoctorBacklogArtifacts calls this once per task run the impact is small, but it's worth hoisting to a static readonly field to stay consistent with the rest of the codebase.

2. AddRegexSpecialCase uses Regex.Match without a timeout
WebSitemapMigrationAnalyzer.cs:

var match = Regex.Match(legacyPath, pattern, RegexOptions.CultureInvariant | RegexOptions.IgnoreCase);

Paths come from trusted sitemap inputs so the ReDOS risk is low in practice, but every other pattern-intensive method in the file uses compiled static regexes. Promoting the five special-case patterns to static readonly Regex fields (with a timeout like the markdown alt pattern) would be consistent and safer.

3. Behavioral change in ResolveFallbackDefaultLanguageRoute
WebSiteBuilder.Navigation.LocalizationAndVersioning.cs:
The old ResolveDefaultLanguageFallbackRoute always fell back to a root-relative ResolvePublicRouteForLanguage. The new ResolveFallbackDefaultLanguageRoute calls ResolveAbsoluteLanguageRoute when the target language has a BaseUrl. This is the intentional fix for root-served hosts, but it's a subtle behavioral change for any site that has a non-default language with a BaseUrl pointing to the same host. The new WebSiteLocalizationFeaturesTests.cs additions cover this path — worth confirming the new tests exercise both the absolute-URL and relative-URL branches before merge.

4. Duplicate Csv helpers
WebLinkService.LegacyAmp.cs defines private static string Csv(string value) and WebPipelineRunner.Tasks.SeoDoctor.cs defines private static string Csv(object? value). They're near-identical in intent. Not a bug, but the discrepancy in signature (string vs object?) means callers have different contracts. If either is ever promoted to shared utility this could cause a silent type-mismatch.

5. FetchTimeoutSec deprecation: warning only
Compare-WebSitemaps.ps1 now emits Write-Warning for FetchTimeoutSec but still honours it. Any pipeline that passes FetchTimeoutSec will start generating noisy warnings in CI. Consider whether the warning text should point at the correct replacement (TimeoutSec) and whether the migration window needs to be called out in the release notes.

---

Positive observations

• IsSafeApacheRewriteSubstitution is a solid security gate. The RFC 3986 character allowlist correctly blocks non-ASCII and control characters that could inject unintended Apache directives.
• ConvertTo-SafeXmlDocument correctly disables DTD processing and sets XmlResolver = null, preventing XXE on both network and local sitemap inputs.
• GeneratedRouteExists (C# and PS1 versions) both implement path-traversal guards via GetFullPath + prefix checks, and the dedicated test GeneratedRouteExists_DoesNotProbeOutsideSiteRoot validates this with a %2e%2e payload. Well done.
• EmptyMarkdownImageAltPattern includes a 250 ms regex timeout — good defensive practice for user-supplied file content.
• WebSitemapMigrationAnalyzer.GetSlugVariants correctly handles the diacritics + language-suffix + numeric-suffix matrix using a BFS to avoid exponential expansion.
• The test suite is thorough: WebSitemapMigrationAnalyzerTests, WebSeoDoctorTests extensions, WebPipelineRunnerSitemapMigrationTests, and WebPipelineRunnerLinksTests all cover the new paths including edge cases (malformed URLs, missing site root, multiple candidates).

---

Minor nits

• ExecuteLinksGenerateLegacyAmp error message says "requires sourceCsvPath." but any of source, sourceCsv, source-csv, etc. are accepted. A small documentation inconsistency.
• pageMetrics.Count(predicate) is called six times sequentially over the same list when building the WebSeoDoctorResult aggregate (lines ~5747–5754). A single foreach pass would avoid six list walks. Not a performance concern at typical scale, but easy to tighten.
• The #heading pattern was deliberately removed from VisibleMarkdownLeakPattern to reduce false positives in generated API docs — the inline comment explains this well. No action needed, just calling it out as a deliberate and correctly-documented change.

---

Summary

The PR is merge-ready from a correctness standpoint. The most actionable items are the JsonSerializerOptions allocation (#1) and promoting special-case patterns to static compiled regexes (#2). The behavioral change in localization fallback resolution (#3) should be confirmed covered by the new tests before merge.

🤖 Review generated with Claude Code

[claude]

Code Review — PR #326: Native link-service tasks and SEO doctor route support

Overview

This is a substantial PR (~5 000 additions / ~766 deletions) that:

1. Extracts helper functions from Compare-WebSitemaps.ps1 into a dedicated Compare-WebSitemaps.Helpers.ps1 file
2. Adds two new pipeline tasks: links-generate-legacy-amp and links-compare-sitemaps
3. Extends seo-doctor with root-served language host validation and optional backlog artifact paths
4. Fixes/updates several tests across manifest, host service, and link-service areas

---

Code Quality & Style

Positive highlights:

• ConvertTo-SafeXmlDocument (Helpers.ps1 L47–67) correctly sets DtdProcessing = Prohibit and XmlResolver = null on both the reader settings and the document — this is exactly the right way to block XXE on both axes.
• Path-traversal guard in Test-GeneratedRouteExists (Helpers.ps1 L132–164) uses GetFullPath + StartsWith with a trailing separator to prevent directory-escape. Solid.
• Get-SlugVariants extends the language-suffix list from (pl|fr|de|es) to a much broader set — aligns with the languageHosts generalisation introduced elsewhere.
• Deprecation path for FetchTimeoutSec → TimeoutSec (Compare-WebSitemaps.ps1) is clean: null-able parameter, Write-Warning, then re-assignment.

Minor style notes:

• Get-UrlOrigin (Helpers.ps1 L40–45) uses single-line param blocks without [Parameter(Mandatory)] while every other function in the same file uses the multi-line style consistently. Not a bug, but it breaks the file's own convention.
• Get-SafeTargetUrl takes an untyped $Candidate parameter (Helpers.ps1 L322). A [pscustomobject] hint or [Parameter(Mandatory)] would make the contract explicit, especially since this is now a shared helper.
• The AMP regex in Get-AmpHtmlAlternateUrl (Helpers.ps1 L397–401) uses an alternation pattern with ["''] — that works in PowerShell regex but the doubled single-quote ('') is non-obvious inside a double-quoted string. A raw here-string or a named constant regex would be easier to audit at a glance.

---

Potential Bugs / Issues

1. FetchTimeoutSec compat block doesn't validate the zero case correctly (Compare-WebSitemaps.ps1 L758–760):

   if ($FetchTimeoutSec.Value -lt 1) {
       throw "FetchTimeoutSec must be greater than zero."
   }

   When $FetchTimeoutSec is 0, this correctly throws. However, the new [ValidateRange(1, 300)] on $TimeoutSec means a caller who passes -TimeoutSec 0 gets a nicer validation error from PowerShell itself — good — but a caller who passes -FetchTimeoutSec 0 hits the manual check. The message says "FetchTimeoutSec must be greater than zero" but the deprecation warning fires first; the order is fine. Just noting the dual-validation path exists.

2. Test-SyntheticAmpRedirectCandidate scope (Helpers.ps1 L460–477): This function matches only ^/(blog|categories|tags)(/|$) on the target path. If a resolved redirect targets /en/blog/... (a localised prefix), it will be excluded. Likely intentional for the current site shape, but worth documenting so it isn't silently wrong when languageHosts expands.

3. Get-SearchEquivalentUrl goes unused in the helper file (Helpers.ps1 L338–354): The function is defined but I don't see a call site in the new code. If it was previously called inline in Compare-WebSitemaps.ps1 and was removed during refactor, it should be deleted too. Dead code in a shared helper will confuse future readers.

4. Reflection-based testing of private methods — three tests invoke private static methods via reflection (TryPreserveEcosystemSources, TryPreserveExistingReleaseHub, ResolveNestedSitemapLocation). Reflection tests break silently on rename and bypass compiler type-checking. If the behaviour is worth testing, expose it through the public API or an internal + [InternalsVisibleTo]. The ResolveNestedSitemapLocation test in particular is testing security behaviour (cross-origin sitemap rejection) — that should be validated through the public pipeline, not a reflected private method.

5. TryDelete retry loop in PowerForgeReleaseServiceTests (lines 1616–1634): The new retry catches IOException and UnauthorizedAccessException up to 5 attempts with 100 ms sleeps. This pattern is reasonable for CI flakiness, but Thread.Sleep in a test is a smell. Consider Task.Delay + async, or using a finalizer-safe temp-dir helper. Low priority, but note it will add up to 500 ms per failure path in CI.

---

Security

• DTD/XXE is correctly disabled in the new ConvertTo-SafeXmlDocument — this addresses the regression that the old [xml] $xml = $content cast left open (the old code set no reader settings).
• Path traversal in nested local sitemaps: The test RunPipeline_LinksCompareSitemaps_RejectsNestedLocalSitemapOutsideBaseDirectory explicitly validates the escape-prevention, which is good to see. Confirm the production implementation resolves the nested loc paths relative to the directory of the parent sitemap file, not the pipeline working directory, to avoid a TOCTOU window.
• Apache redirect injection: The test ExportApache_RejectsUnsafeTargetSubstitutions verifies that a target URL with a space (which would break the RewriteRule directive) throws InvalidOperationException. Good addition.
• Cross-origin sitemap rejection: ResolveNestedSitemapLocation rejecting cross-origin nested sitemaps is an important SSRF guard — prefer exercising this through the public RunPipeline path as noted above.

---

Performance

• ConvertTo-ComparablePath allocates a StringBuilder for every slug normalisation inside the per-URL loop. For large sitemaps (tens of thousands of URLs), this is fine; just note it if memory profiling ever flags it.
• Get-SlugVariants uses a BFS queue — that's fine and bounded by the fixed suffix list. No concern.

---

Test Coverage

Well covered:

• links-generate-legacy-amp: happy path, missing hosts, bad headers, host-with-path, language map, absolute legacy rows.
• links-compare-sitemaps: happy path, depth limit, directory-escape rejection, cross-origin rejection.
• SEO doctor languageRootHosts config: the new test covers the root-served language case end-to-end.

Gaps to consider:

• No test for links-compare-sitemaps when newSitemap is a remote HTTP URL (the docs say it supports HTTP(S)). The PS helper had a Invoke-WebRequest path; the native task presumably does too.
• No test exercises the includeSyntheticAmpRedirects: true option in the links-compare-sitemaps pipeline task.
• The ModulePipelineApprovedModulesTests assertion changes (Assert.DoesNotContain("Microsoft.PowerShell.Utility", ...)) flip the expected behaviour — it would be worth a comment in those tests explaining why inbox modules are now expected to be excluded rather than included.

---

Summary

The refactor is well-structured and the security hardening (XXE, path traversal, cross-origin) is genuine and tested. The main items worth addressing before merge:

1. Remove or relocate the unused Get-SearchEquivalentUrl function from the helpers file.
2. Replace reflection-based private method tests with public-surface tests, especially for the security-critical ResolveNestedSitemapLocation path.
3. Add a brief comment on Test-SyntheticAmpRedirectCandidate noting the localised-prefix limitation.

Everything else is minor style or low-priority robustness notes. Good work overall.

[claude]

Code Review — PR #326: Link-service tasks & SEO doctor improvements

Overview

This is a substantial PR (~5,000 net additions) delivering three distinct feature areas:

1. Two new native pipeline tasks — links-generate-legacy-amp and links-compare-sitemaps — moving former PowerShell-only logic into the C# CLI layer alongside dedicated tests.
2. SEO Doctor enhancements — language-root-host support for cross-domain hreflang validation, empty-alt backlog metrics, source-Markdown scanning, and false-positive reductions in front-matter / Markdown leak detection.
3. Targeted bug fixes — nginx query-string matcher, GitHub API 401 retry, Apache rewrite safety guard, WebAssetCssStrategy unknown-value warning.

The code is well-structured and the test coverage for the new behaviour is solid. Below are specific findings.

---

Bugs / Correctness

WebSiteBuilder.Redirects.cs — nginx pattern fix is correct
The /? is intentional raw regex (optional trailing slash), and Regex.Escape("?" + sourceQuery) correctly escapes the literal query-string ?. The fix is accurate and the test validates both /path?v=1 and /path/?v=1 forms.

WebLinkService.ExportApache.cs — IsSafeApacheRewriteSubstitution throws rather than skips
Throwing InvalidOperationException on a destination that contains unexpected characters is a potentially breaking change for anyone whose existing redirects include Unicode or other characters outside the allow-list. Consider returning false and emitting a warning/skipping the row rather than aborting the export, or at minimum document the hard failure in the changelog.

The allow-list also includes % without verifying the percent-encoded sequence is well-formed. A target like https://example.com/%ZZ passes the check but is an invalid URL. A secondary Uri.TryCreate guard or a documented limitation note would be prudent.

---

Code Quality

Duplicated host-key normalisation helpers
WebPipelineRunner.Tasks.SeoDoctor.cs defines NormalizeSeoDoctorHostKey(string?), NormalizeSeoDoctorHostKey(Uri), and NormalizeSeoDoctorLanguagePrefix; WebSeoDoctor.cs defines identical-purpose helpers named NormalizeLanguageRootHostKey / NormalizeLanguageRootPrefix. Any future divergence between the two copies will cause subtle validation mismatches. Recommend extracting to a shared internal helper.

Three CSV serialisation helpers

• WebLinkService.LegacyAmp.cs — Csv(string) (always quoted)
• WebPipelineRunner.Tasks.SeoDoctor.cs — Csv(object?) (always quoted, lowercases booleans)
• WebPipelineRunner.Tasks.Links.SitemapMigration.cs — EscapeCsv(string?) (only quotes when necessary)

Three separate implementations with subtly different escaping semantics are worth unifying for consistency and maintainability.

GetSlugVariants C# vs PowerShell divergence
The C# WebSitemapMigrationAnalyzer.GetSlugVariants adds diacritics removal, SlugNonTokenRegex, and mid-segment numeric stripping that the PowerShell helper does not have. Since the PS helper is now legacy this is acceptable, but a comment noting the intentional divergence would help future maintainers.

CSV header quoting inconsistency
WriteLegacyAmpRedirectCsv produces a quoted header; WriteSitemapMigrationRedirectCsv does not. Both produce CSV consumed by the same downstream tooling. Inconsistent quoting of headers makes it harder to write generic parsers.

---

Performance

maxSitemapDepth has no upper-bound guard in ExecuteLinksCompareSitemaps
The pipeline JSON is user-controlled; a value of e.g. 500 would result in deep synchronous recursion over HTTP. The PowerShell script now has [ValidateRange(0, 64)]; the C# task should apply a similar cap or throw a clear validation error for out-of-range values.

ScanSourceMarkdownEmptyAlt enumerates all .md files without a size/count limit
For very large content trees this can be slow. A configurable limit or at least a duration warning would improve operational visibility.

sync-over-async in GetSitemapString
The code does httpClient.GetStringAsync(location).WaitAsync(timeout).GetAwaiter().GetResult(). The comment clearly explains the rationale (synchronous pipeline). Under the current execution model this is low-risk, but worth flagging if the pipeline ever moves to parallel task execution.

---

Security

• EnsureNestedSitemapPathWithinBase — correctly prevents nested sitemaps from escaping the sitemap directory. ✓
• EnsureNestedRemoteSitemapSameOrigin — correctly blocks cross-origin sitemap indices. ✓
• XML parsing uses DtdProcessing.Prohibit + XmlResolver = null in both the C# and PowerShell paths. ✓

---

Test Coverage

Test coverage for the new functionality is strong:

• Language root hosts: Analyze_LocalizedAlternates_ResolveRootServedHostsWithinSameSiteRoot_WhenLanguageRootHostsConfigured and the pipeline-level equivalent.
• Backlog metrics: Analyze_BacklogMetrics_FlagsEmptyAltAndSourceMarkdown
• Line-number reporting: Analyze_SourceMarkdownEmptyAlt_ReportsLineStarts
• False-positive regressions: Analyze_DoesNotTreatTwoDashProseAsFrontMatterDelimiter, Analyze_DoesNotFlagContentLeak_ForApiStyleDocumentationContent
• Sitemap migration: the new WebPipelineRunnerSitemapMigrationTests file

Missing coverage suggestions:

• A test that a maxSitemapDepth overflow produces a clear error message.
• A test for the IsSafeApacheRewriteSubstitution throw path (e.g. a destination URL containing a space or non-ASCII character).
• A test for the deprecated FetchTimeoutSec → TimeoutSec migration path in Compare-WebSitemaps.ps1.

---

Minor

• WebSeoDoctorOptions.LanguageRootHosts exposes a mutable Dictionary. Typing it as IReadOnlyDictionary<string, string> in the public surface would signal intent and prevent accidental mutation by callers after construction.
• CheckEmptyImageAlt defaults to false; since it emits only soft "review" severity issues that do not fail the gate, defaulting it to true would improve out-of-the-box visibility — but that is a product decision.
• NormalizeCanonicalLegacyPath always appends a trailing slash (the comment explains why). The name doesn't communicate this; ToSlashCanonicalLegacyPath would reduce surprise for readers unfamiliar with the legacy WordPress slash-canonical convention.

---

Summary

This is a solid, well-tested PR. The main actionable items before merge are:

1. Clarify the throw-vs-skip behaviour for IsSafeApacheRewriteSubstitution — the hard throw is a potentially breaking change that deserves a changelog note at minimum.
2. Add an upper-bound guard for maxSitemapDepth in the C# ExecuteLinksCompareSitemaps task to match the PowerShell [ValidateRange(0, 64)].
3. Consider consolidating the duplicated host-key normalisation helpers (low urgency, low effort).

Everything else is non-blocking.

[claude]

Code Review — PR #326: Native link-service tasks & SEO doctor route support

Overview

This PR ships three major features:

1. Native link-service tasks — C# replacements for PowerShell-driven redirect generation (AMP continuity, Apache export, redirect validation, sitemap migration)
2. SEO doctor language-root host support — maps root-served language domains (e.g. evotec.pl) back to /pl/... path prefixes
3. Markdown false-positive reduction — tightened frontmatter and empty-alt detection patterns, with test coverage

The overall code quality is high. The security practices are solid, the naming is consistent, and the new test suites are well-structured. Notes below are mostly refinements, not blockers.

---

Security — Positive findings

• XXE hardening is correct in both PowerShell (ConvertTo-SafeXmlDocument) and C# (WebSitemapMigrationAnalyzer): DtdProcessing = Prohibit and XmlResolver = null in both paths.
• Path traversal guards in Test-GeneratedRouteExists and EnsureNestedSitemapPathWithinBase() correctly normalize and compare paths with OrdinalIgnoreCase before allowing file access.
• Apache RewriteRule validation (IsSafeApacheRewriteSubstitution()) provides a good fail-fast safety net for malformed targets.

---

Issues / Suggestions

1. Unbounded regex — potential ReDoS risk

FrontMatterDelimiterPattern has no MatchTimeout set, unlike EmptyMarkdownImageAltPattern which correctly uses a 250 ms timeout. An adversarially crafted Markdown file (or just an unusually large one with many ----like sequences) could cause a hang.

Suggestion: Apply the same timeout pattern:

private static readonly Regex FrontMatterDelimiterPattern = new(
    @"...",
    RegexOptions.Multiline | RegexOptions.Compiled,
    TimeSpan.FromMilliseconds(250));

And catch RegexMatchTimeoutException in its call site the same way ScanSourceMarkdownEmptyAlt() does for the alt pattern.

---

2. No retry logic for remote sitemap fetches

Compare-WebSitemaps.Helpers.ps1 and the C# analyzer both fire a single HTTP request per sitemap URL with no retry. Transient 503s or timeouts during a pipeline run will fail the whole analysis.

Suggestion: Even a simple two-attempt retry with a short delay (or using Polly on the C# side) would improve reliability in CI environments.

---

3. CSV parsing robustness

SplitCsvLine() is used throughout WebLinkService.LegacyAmp.cs for AMP redirect source data. RFC 4180 allows quoted fields that contain commas and embedded newlines; a naive split will misparse them.

Suggestion: If source CSVs are fully controlled and will never contain quoted commas, add an assertion or validation comment. Otherwise, consider using CsvHelper or TextFieldParser.

---

4. Diacritic normalization is Polish-only

GetSlugVariants() hardcodes ł → l as a special case, then relies on Unicode NFC/NFD decomposition for other characters. This works for Polish slugs but silently drops diacritics that don't decompose via NFD (e.g., some precomposed Cyrillic or Vietnamese characters).

Suggestion: At minimum, document the assumption ("This is intentionally scoped to Latin/Polish slug normalization") so future contributors don't expect broader Unicode coverage.

---

5. DefaultEnglishHost / DefaultPolishHost deprecation path

The backward-compat aliases are introduced silently. There's no [Obsolete] attribute or warning emitted at runtime when these are used.

Suggestion: Add [Obsolete("Use LanguageHosts instead. DefaultEnglishHost/DefaultPolishHost will be removed in a future version.")] to the property setters, or log a deprecation warning when they are non-null at runtime. Otherwise downstream consumers have no signal to migrate.

---

6. ModuleInstaller.TryReadManifestVersion() catches Exception

Broad exception catches can mask transient I/O errors (file locks, antivirus scans on Windows) and make debugging painful.

Suggestion: Catch IOException and UnauthorizedAccessException explicitly, and either rethrow or log unknown exception types differently.

---

7. Memory cap on HTTP buffer

The HTTP client is configured with a 50 MB response buffer cap. For large sitemaps (some WordPress installs have multi-MB sitemap indexes), this is fine, but it's worth a comment explaining the rationale so a future reviewer doesn't bump it unnecessarily.

---

Style & Conventions

• Naming is consistent throughout: Try* for bool+out, Get* for extraction, Check* for validation, Normalize* for canonicalization.
• XML doc comments on all public methods.
• Test naming follows Should_[Behavior]_When_[Condition] and [Feature]_[Expectation] patterns consistently.
• FetchTimeoutSec → TimeoutSec deprecation alias with a warning is a clean backward-compat approach.

---

Test Coverage

The new test suites are thorough:

• WebPipelineRunnerSitemapMigrationTests.cs (413 lines) covers the pipeline task end-to-end.
• WebSitemapMigrationAnalyzerTests.cs (158 lines) covers the core redirect matching logic including AMP variants, language stripping, and numeric suffix removal.

Missing coverage (nice-to-have, not blocking):

• Apache export with query-string-bearing sources (the QSD flag path)
• LanguageRootHosts double-prefix prevention (i.e., a URL that already has /pl/ on a evotec.pl host shouldn't become /pl/pl/...)

---

Summary

This is a well-engineered PR. The security hardening (XXE, path traversal, Apache rule validation) is correct and consistent across both the PowerShell and C# implementations. The most actionable items are:

Priority	Item
Medium	Add MatchTimeout to FrontMatterDelimiterPattern
Medium	Mark DefaultEnglishHost/DefaultPolishHost as [Obsolete]
Low	Add retry logic for remote sitemap HTTP fetches
Low	Validate or document CSV quoting assumptions
Low	Narrow the broad catch (Exception) in TryReadManifestVersion

No blockers found. Ready to merge after addressing the regex timeout gap.

---

Reviewed by Claude Sonnet 4.6

[claude]

Code Review — PR #326

Overview: This is a substantial, well-structured PR (+5237 / -766) that adds three main features: native link-service pipeline tasks (links-generate-legacy-amp, links-compare-sitemaps), SEO doctor language-root-host support, and a new WebSitemapMigrationAnalyzer C# class that ports the PowerShell migration heuristics into the testable .NET library. Test coverage is extensive.

---

✅ Strengths

• Good security posture throughout:

  • ConvertTo-SafeXmlDocument sets DtdProcessing = Prohibit and XmlResolver = null — correct XXE mitigation.
  • Test-GeneratedRouteExists now validates that resolved file paths remain within the site root (path traversal guard). The old version lacked this check.
  • IsSafeApacheRewriteSubstitution() validates characters before emitting them as a RewriteRule substitution — prevents header injection.
  • Nested local sitemaps are confined to their base directory; cross-origin remote sitemaps are rejected. Both are covered by tests.

• Clean refactoring: Extracting the large helper block from Compare-WebSitemaps.ps1 into Compare-WebSitemaps.Helpers.ps1 with a safety-checked dot-source is the right call. The script now passes $TimeoutSec as an explicit parameter rather than relying on a script-scoped variable — a latent scoping bug fixed.

• FetchTimeoutSec deprecation is correct: Using [Nullable[int]], emitting a Write-Warning, then copying to $TimeoutSec is the standard PowerShell deprecation pattern.

• False positive reduction in SEO doctor: Requiring a --- delimiter before flagging a front matter dump (instead of just 3 frontmatter keys) and removing #{1,6} from the markdown-leak pattern are well-motivated changes with coverage from the new Analyze_DoesNotTreatTwoDashProseAsFrontMatterDelimiter and Analyze_DoesNotFlagContentLeak_ForApiStyleDocumentationContent tests.

• Ecosystem stats partial fallback: Preserving only the failing upstream source (GitHub / NuGet / PS Gallery) rather than the entire snapshot is a meaningfully better resilience strategy.

---

🐛 Potential Issues

1. Duplicate write in test setup (likely accidental)

In WebPipelineRunnerEcosystemStatsTests.cs, RunPipeline_EcosystemStats_PreservesExistingPowerShellGallery_WhenOnlyThatSourceFails calls File.WriteAllText(statsPath, ...) twice with identical content before the test assertion. The second write is a no-op but it's dead code and likely a copy-paste artifact from an earlier draft.

2. Page metrics computed unconditionally — minor perf regression

In WebSeoDoctor.cs, visibleH1Count, missingAltSources, and emptyAltSources are now computed for every HTML file regardless of whether CheckH1 / CheckImageAlt is enabled (previously they were gated). For large sites this may add a noticeable per-page cost. Consider moving those computations behind a if (options.CheckH1 || collectMetrics) guard if collectMetrics is always true when a pageMetricsPath is configured.

3. Slug-variant language regex ordering (pt before pt-br)

In Get-SlugVariants / WebSitemapMigrationAnalyzer.GetSlugVariants, the alternation is ...|pt|pt-br|.... For a slug ending in -pt-br, the regex engine will attempt pt first, find it can't satisfy $ (since -br remains), then fall back to pt-br. This works due to the $ anchor, and the test GetSlugVariants_RemovesLanguageSuffixesGenerically confirms it. However, consider reordering to pt-br|pt as a defensive practice to make the intent explicit and avoid confusion for future maintainers.

4. Private-method reflection in tests

WebPipelineRunnerReleaseHubTests and WebPipelineRunnerEcosystemStatsTests both test internal behavior via GetMethod("Try...", BindingFlags.NonPublic | BindingFlags.Static). If those methods are renamed or made instance methods, the Assert.NotNull check will fail but the test message won't explain why. Consider marking these methods internal and adding [InternalsVisibleTo("PowerForge.Tests")] — this makes the contract explicit without exposing it publicly, and removes the reflection dependency.

---

⚠️ Minor Observations

• GetFreePortRange TOCTOU: The helper probes then releases ports before returning the start port, so another process could claim one in the gap. This is inherent in the test helper design and is mitigated by the 100-attempt retry loop. Acceptable for a test helper, but worth a brief comment acknowledging the race.

• Csv() duplication: There are two different Csv() helper methods — one in WebLinkService.LegacyAmp.cs (private static string Csv(string)) and another in WebPipelineRunner.Tasks.SeoDoctor.cs (private static string Csv(object?)). Since these are in different partial classes there's no collision, but the utility is independently reimplemented. Consider a shared static helper in the WebPipelineRunner partial context or a small internal utility class.

• FrontMatterDelimiterPattern timeout: The regex has a 250 ms timeout, which is conservative but correct for untrusted content. Worth making sure the timeout is surfaced as a warning rather than silently failing — the catch (RegexMatchTimeoutException) sets hasFrontMatterDelimiter = false, which silently suppresses the check. This is the safe fallback (fewer false positives), but a warnings.Add(...) might help with diagnostics.

• Error chain separator " <-- " → " -> ": Purely cosmetic but the new direction is more intuitive (cause → effect). No concerns.

• languageHosts config precedence in ResolveSeoDoctorLanguageRootHosts: When a host appears in both site.Links.LanguageRootHosts and site.Localization.Languages, the explicit Links map wins (via TryAdd). This is the right priority, but deserves a comment since the interaction between the two config paths isn't obvious.

---

Test Coverage

Comprehensive. Highlights:

• Security: directory traversal (GeneratedRouteExists_DoesNotProbeOutsideSiteRoot), cross-origin sitemap (RejectsNestedRemoteCrossOriginSitemaps), unsafe Apache target (ExportApache_RejectsUnsafeTargetSubstitutions).
• Diacritic-insensitive matching, slug variants, malformed URL handling, and maxSitemapDepth range validation all covered.
• Language-root-host hreflang validation covered end-to-end through both the unit test (Analyze_LocalizedAlternates_ResolveRootServedHostsWithinSameSiteRoot_WhenLanguageRootHostsConfigured) and the pipeline integration test.

---

Summary: This is high-quality work. The main actionable items are the duplicate write in one test, the minor perf consideration for metric collection, and the reflection-based test coupling. The security improvements are solid and the feature additions are well-tested.

🤖 Reviewed with Claude Code

[claude]

Code Review — PR #326: Add native link-service tasks and SEO doctor route support

Overview

This is a substantial PR (~5,200 additions, ~740 deletions) that:

1. Extracts helper functions from Compare-WebSitemaps.ps1 into a new Compare-WebSitemaps.Helpers.ps1 file
2. Adds native C# links-generate-legacy-amp and links-compare-sitemaps pipeline tasks (replacing PowerShell-only scripts)
3. Extends the SEO doctor to validate root-served language hosts via a new languageRootHosts configuration
4. Reduces false positives in markdown/frontmatter leak detection
5. Adds new SEO backlog metric artifacts (backlogSummaryPath, pageMetricsPath, issuesCsvPath, sourceMarkdownPath)
6. Adds partial ecosystem-stats and release-hub fallback logic for per-source warnings

The overall direction is good: moving logic from loose PowerShell scripts into typed, testable C# classes with tests to match.

---

Code Quality

Positives:

• ConvertTo-SafeXmlDocument (PS) and NewSafeSitemapXmlReaderSettings (C#) both disable DTD processing and set XmlResolver = null — correct XXE mitigation.
• Path traversal guards in EnsureNestedSitemapPathWithinBase and Test-GeneratedRouteExists (path-prefix check against rootPrefix) are well-considered.
• The cross-origin check EnsureNestedRemoteSitemapSameOrigin in WebPipelineRunner.Tasks.Links.SitemapMigration.cs prevents nested sitemaps from redirecting fetches to attacker-controlled hosts.
• GetFreePortRange in WebStaticServerTests.cs is a sensible fix for flaky port-collision tests.

---

Specific Issues & Suggestions

1. HttpClient disposal leak in ExecuteLinksCompareSitemaps

using var sitemapHttpClient = CreateSitemapHttpClient(timeoutSeconds);

CreateSitemapHttpClient creates a new HttpClient(handler) where handler is a new HttpClientHandler. When sitemapHttpClient is disposed, the HttpClientHandler is also disposed (since HttpClient owns it by default). This is correct for the single-use pipeline task pattern, but worth noting: in a long-lived process or if this method is ever called in a loop, each invocation will exhaust sockets. For the current pipeline runner design this is fine.

Minor: The using var on a method-scoped client is the right call here — just confirming it's intentional.

---

2. Fragile HasSourceWarning heuristic

private static bool HasSourceWarning(IEnumerable<string>? warnings, string sourceName)
    => warnings.Any(warning => warning.Contains(sourceName, StringComparison.OrdinalIgnoreCase));

This matches any warning whose text contains the sourceName substring (e.g. "GitHub"). Warning messages could evolve and silently break the heuristic. Consider matching on a structured warning code or prefix rather than free-form text.

---

3. Reflection on private method in tests

var preserveMethod = typeof(WebPipelineRunner)
    .GetMethod("TryPreserveEcosystemSources", BindingFlags.NonPublic | BindingFlags.Static);

Using reflection to test private methods is a coupling anti-pattern. If TryPreserveEcosystemSources is meaningful enough to need its own test, consider making it internal and using InternalsVisibleTo, or exposing it via a testable interface/helper class.

The same pattern appears for TryPreserveExistingReleaseHub.

---

4. WebReleaseHubDocument deserialized with new JsonSerializerOptions

return JsonSerializer.Deserialize<WebReleaseHubDocument>(json, new JsonSerializerOptions
{
    PropertyNameCaseInsensitive = true
});

A new JsonSerializerOptions instance is allocated on every call. For hot paths this causes GC pressure; in this context (a rare fallback path) it is acceptable, but consider a static readonly field for these options.

The same pattern appears in TryReadEcosystemStatsDocument.

---

5. FetchTimeoutSec deprecation warning placement

if ($null -ne $FetchTimeoutSec) {
    if ($FetchTimeoutSec.Value -lt 1) {
        throw "FetchTimeoutSec must be greater than zero."
    }
    Write-Warning "FetchTimeoutSec is deprecated; use TimeoutSec instead."
    $TimeoutSec = $FetchTimeoutSec.Value
}

The ValidateRange(1, 300) on $TimeoutSec combined with the manual lt 1 check for the deprecated parameter is slightly inconsistent. Now that TimeoutSec has [ValidateRange], the FetchTimeoutSec manual validation is redundant — but removing it would silently accept FetchTimeoutSec = 0. Keeping both is safe; just slightly confusing. A clarifying comment would help.

---

6. Get-SlugVariants hardcoded language list expansion

if ($current -match '^(.*?)-(en|pl|fr|de|es|pt|pt-br|it|nl|sv|no|da|fi|cs|sk|uk|ru|ja|ko|zh|zh-cn|zh-tw|tr|ro|hu|bg|hr|sl|lt|lv|et)$' ...)

The language suffix list was expanded from 4 codes to 30+ codes. This is fine functionally, but it means the slug stripping is now broader and could match legitimate slug suffixes (e.g. a post slugged intro-es about Spanish content might now be mapped to intro). The existing DoesNotStripNonLanguageSuffixes test for "article-fix" only checks non-language codes; a test confirming that intentional short two-letter slugs that coincide with ISO codes are handled predictably would add confidence.

---

7. GetFreePortRange TOCTOU race

// Reserve count consecutive ports…
foreach (var offset in 0..count) { listener.Start(); listeners.Add(listener); }
// Then stop all listeners, return start
foreach (var listener in listeners) listener.Stop();
return start;

There is an inherent TOCTOU window between releasing the listeners and the test actually binding them. On a heavily loaded CI machine this could still produce flaky tests, though it is much better than the single-port version.

---

8. Nginx query-redirect regex fix

-Assert.Contains("if ($request_uri ~ \"^/legacy/\\?id=1$\") { return 302 /new/; }", nginx
+Assert.Contains("if ($request_uri ~ \"^/legacy/?\\?id=1$\") { return 302 /new/; }", nginx

Making the trailing slash optional with /? is semantically correct for Nginx, but note the pattern now accepts both /legacy?id=1 and /legacy/?id=1. This is intentional but should be documented/noted in the PR since it subtly widens the match set.

---

9. CSV escaping in EscapeCsv

private static string EscapeCsv(string? value)
{
    var safe = value ?? string.Empty;
    return safe.IndexOfAny(new[] { ',', '"', '\r', '\n' }) < 0
        ? safe
        : "\"" + safe.Replace("\"", "\"\"", StringComparison.Ordinal) + "\"";
}

This is correct RFC 4180 escaping. The only edge case is a value consisting solely of whitespace, which will be emitted without quoting. That is typically fine for redirect CSVs, just confirming.

---

10. BuildPortableCatalogPath fallback to Path.GetFileName

return Path.GetFileName(fullPath).Replace('\\', '/');

If the manifest lives outside baseDir, the fallback is just the filename. This could cause silent collisions if two manifests in different directories share the same filename. The previous behaviour (backslash → slash only) was arguably less safe (it leaked absolute paths) but at least uniquely identified the file. Consider whether a relative-to-temp-dir or relative-to-working-dir path would be safer than dropping the directory component entirely.

---

Security

• DTD processing disabled on all XML parsing paths ✅
• Path traversal guards on nested sitemap resolution ✅
• Cross-origin nested sitemap enforcement ✅
• Apache target substitution now rejects unsafe characters (URL-encode non-ASCII guard) ✅
• TryNormalizeRelativeApacheLegacyPath blocks .. and \\ in legacy CSV paths ✅

No new high-severity security issues identified.

---

Test Coverage

Coverage is thorough. Highlights:

• WebSitemapMigrationAnalyzerTests covers exact match, slug variants, generated-route fallback, AMP listing roots, malformed URLs, and path traversal guard
• WebPipelineRunnerSitemapMigrationTests covers depth limits, range validation, local directory escape, and remote cross-origin sitemaps — the real-HTTP listener test is a nice integration case
• WebSeoDoctorTests covers the new two-dash prose false-positive, API-style documentation false-positive, and the root-hosted language resolution
• WebLinkServiceTests covers the new GenerateLegacyAmpRedirects thoroughly with edge cases (absolute rows, language host map, host-with-path rejection)

Gap: No test for the BuildPortableCatalogPath fallback-to-filename case when manifestPath is outside baseDir.

---

Summary

This is a high-quality PR with good test coverage and solid security hygiene. The main actionable items are:

1. Consider internal + InternalsVisibleTo instead of reflection for TryPreserveEcosystemSources/TryPreserveExistingReleaseHub tests.
2. Cache JsonSerializerOptions instances as static readonly fields.
3. Add a test or comment for the BuildPortableCatalogPath filename-only fallback when path is outside base dir.

The rest are minor observations or style notes. Approving with the suggestions above as non-blocking.

Reviewed by Claude Sonnet 4.6