fix: address issue 72 and resolve dependabot alerts

[one-ea]

Summary

• Fix [Bug] 本地环境初始化后 D1 schema 缺失字段，且提示的 schema reconcile 无对应执行方式 #72 by exposing local D1 schema reconcile commands and making the reconcile script robust from both repo root and server/.
• Preserve Hexo import metadata including cover image, publish time, category, and tag associations across storage adapters.
• Sync release metadata to v2.4.0 and carry the generated changelog forward.
• Resolve current npm Dependabot alerts with patched dependency versions and overrides.

Verification

• npm audit -> 0 vulnerabilities
• npm -w monolith-server run check
• npm -w monolith-client run check
• npm run build
• npm -w monolith-client run lint
• npx eslint "src/**/*.ts" --max-warnings 0 from server/
• Cloudflare deploy completed and live checks passed: Workers /api/health 200, Pages 200, AE auth 401, sitemap/robots/rss 200.

Notes

• This PR supersedes Dependabot PRs chore(deps): bump ip-address and express-rate-limit #68, chore(deps): bump fast-xml-builder from 1.1.5 to 1.2.0 #69, chore(deps): bump hono from 4.12.15 to 4.12.18 #70, chore(deps): bump fast-uri from 3.1.0 to 3.1.2 #71, and chore(deps): bump @babel/plugin-transform-modules-systemjs from 7.29.0 to 7.29.4 #73 with one verified lockfile update.
• Vite 8 PR chore(deps): bump vite from 6.4.2 to 8.0.11 in /client #74 is intentionally left separate as a major upgrade.
• Root minor/patch group PR chore(deps): bump the root-minor-patch-updates group across 1 directory with 15 updates #75 should be re-evaluated after this lands.

[coderabbitai]

Warning

Rate limit exceeded

@one-ea has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 48 minutes and 27 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6a12788b-12b2-47d9-a62b-3ac72f184a0a

📥 Commits

Reviewing files that changed from the base of the PR and between 0bc8bb0 and f37f70c.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json

📒 Files selected for processing (26)

• CHANGELOG.md
• client/src/components/admin-layout.tsx
• client/src/components/article-card.tsx
• client/src/components/cookie-consent.tsx
• client/src/components/hero.tsx
• client/src/components/navbar.tsx
• client/src/components/reading-controls.tsx
• client/src/components/related-posts.tsx
• client/src/globals.css
• client/src/lib/api.ts
• client/src/lib/importers/frontmatter.ts
• client/src/lib/importers/hexo.ts
• client/src/lib/importers/types.ts
• client/src/pages/admin/dashboard.tsx
• client/src/pages/admin/editor.tsx
• client/src/pages/archive.tsx
• client/src/pages/home.tsx
• client/src/pages/post.tsx
• client/vite.config.ts
• package.json
• scripts/reconcile-d1-schema.mjs
• server/package.json
• server/src/index.ts
• server/src/storage/db/d1.ts
• server/src/storage/db/postgres.ts
• server/src/storage/db/turso.ts

📝 Walkthrough

Walkthrough

本 PR 升级 Monolith 至 v2.4.0，核心改动涵盖：(1) 新增 D1 Schema 基线迁移与运行时对账脚本，解决本地开发初始化 schema 缺失问题；(2) 实现可配置的社交链接系统（settings 管理 + home 展示）并支持旧字段迁移；(3) 扩展文章元数据支持 coverImage、category、publishAt，完善导入流程；(4) 统一前端组件样式、强化无障碍属性（焦点管理、ARIA 标签）；(5) 重构部署脚本以自动创建 Pages 项目与对齐 D1 schema。

---

Changes

项目版本与基础设施升级

Layer / File(s)	Summary
数据库 Schema 基线与索引 server/src/migrations/0008_runtime_schema_baseline.sql, server/src/migrations/0009_runtime_schema_indexes.sql	新增 5 张运行时表（settings、pages、comments、reactions、visits），定义主键、唯一约束、外键关联与级联删除；为 comments(post_id) 与 visits(path) 添加查询索引。
数据库 Adapter Schema 对账与导入扩展 server/src/db/schema.ts, server/src/db/schema-pg.ts, server/src/storage/db/d1.ts, server/src/storage/db/postgres.ts, server/src/storage/db/turso.ts	在 SQLite/Postgres/Turso adapter 中新增 ensureSchemaBaseline() 进行 schema 检查与字段补齐，扩展 importAll 逻辑以写入 listed/pinned/publishAt/seriesSlug/category/seriesOrder 字段并同步文章标签。
Schema 对账脚本与部署流程 scripts/reconcile-d1-schema.mjs, scripts/deploy-cloudflare.mjs, server/wrangler.toml, server/src/storage/factory.ts	新增 reconcile-d1-schema.mjs 用于对齐 posts 表缺失字段；重构 deploy-cloudflare.mjs 支持自动创建 Pages 项目、参数化 secret 注入与 D1 schema 对账集成；wrangler.toml 新增 AUTO_SCHEMA_MIGRATION="false" 禁用运行时补齐。
社交链接配置系统 server/src/index.ts, client/src/pages/admin/settings.tsx, client/src/pages/home.tsx	后端 /api/settings/public 响应增加 social_links 字段；admin-settings 实现社交链接列表管理、启用/禁用与删除；home 页新增社交链接解析、验证与规范化（支持 mailto/rss 等协议）。
文章元数据扩展 client/src/lib/importers/frontmatter.ts, client/src/lib/importers/hexo.ts, client/src/lib/importers/types.ts	FrontmatterData 新增 coverImage 字段与多别名解析（cover/cover_image/thumbnail/banner/image）；hexo.ts 补充 category 与 publishAt（含日期归一化函数）提取；ImportedPost 类型扩展新增可选字段。
管理后台页面功能 client/src/pages/admin/settings.tsx, client/src/pages/admin/dashboard.tsx, client/src/pages/admin/editor.tsx	settings 页社交链接从三项输入替换为可增删列表；dashboard 新增 SEO 健康检查卡与前端计算逻辑；editor 元信息面板扩展系列/分类输入区与新字段写入。
首页社交链接展示与分类 client/src/pages/home.tsx	新增社交链接生成与解析逻辑，标签云改用 color-mix 权重渐变，分类列表改用 CategoryList 组件，与 archive 页面打通分类筛选流程。
前端组件样式统一与无障碍增强 client/src/components/admin-gate.tsx, client/src/components/admin-layout.tsx, client/src/components/article-card.tsx, client/src/components/cookie-consent.tsx, client/src/components/hero.tsx, client/src/components/navbar.tsx, client/src/components/reading-controls.tsx, client/src/components/related-posts.tsx, client/src/components/search.tsx, client/src/components/theme-toggle.tsx, client/src/pages/post.tsx	多个组件进行 Tailwind 样式整合、响应式优化、focus-visible/aria-label/role 等无障碍属性增强；admin-gate 新增焦点陷阱与 Tab 键导航；admin-layout 新增导航搜索与模块快速定位；hero 改为网格背景布局；article-card 替换图标表达。
全局样式与字体 client/src/globals.css	引入 Space Grotesk 字体，调整 --font-mono/--font-heading；新增 focus-visible 轮廓、.hero-grid 背景、@media (prefers-reduced-motion) 处理、TOC 亮色主题配色、prose-monolith 排版优化（字号 16px、letter-spacing 统一）。
前端 API 缓存与登录安全 client/src/lib/api.ts, client/vite.config.ts	login 与 checkAuth 添加 cache: "no-store"；PWA Workbox 缓存策略排除 /api/auth 与 /api/admin 路由，确保认证即时性。
档案页分类筛选与 SEO 动态更新 client/src/pages/archive.tsx	新增基于查询参数 category 的分类过滤、列表重新分组与错误重试状态；SEO/breadcrumbs 随分类动态生成。
版本号与项目配置 package.json, client/package.json, server/package.json, .release-please-manifest.json, CHANGELOG.md, .gitignore	版本升至 2.4.0；新增 D1 reconcile 脚本命令；调整依赖覆盖（@babel/plugin-transform-modules-systemjs、esbuild、dompurify）；扩展 .gitignore 本地产物与私有文件；补充 CHANGELOG 与 release 清单。

---

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

复杂度分析：本 PR 涉及异构变更（前端 UI 样式、后端 Schema 与 adapter、部署脚本、数据流程），跨越 45+ 文件，数据库迁移与多种适配器的一致性需仔细验证，管理后台与首页的社交链接双向同步需追踪状态一致性，多个前端组件的无障碍属性修改需确认完整性。虽然单个组件改动相对独立，但社交链接系统与文章元数据扩展形成紧密的业务耦合，需跨层次理解数据流。

---

Possibly related PRs

• one-ea/Monolith#65：前置 PR，包含相同的 D1 schema 对账与社交链接初步实现，本 PR 进一步完善与集成。
• one-ea/Monolith#31：根目录 package.json 的依赖 overrides 配置调整（dompurify/esbuild），与本 PR 的覆盖项重排/新增保持关联。
• one-ea/Monolith#6：archive.tsx SEO/breadcrumb 动态更新，与本 PR 的分类筛选流程叠加实现。

---

Suggested labels

frontend, backend, database, bug-fix, feature, accessibility

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	PR 标题遵循 Conventional Commits 格式 (fix: description)，清晰说明了修复内容包括 issue #72 和 Dependabot 警报。
Description check	✅ Passed	PR 描述详细说明了四大改动方向，包含验证步骤和外部参考，与变更集高度相关。
Linked Issues check	✅ Passed	PR 完整实现了 issue #72 的所有预期：新增 npm scripts (db:reconcile/db:reconcile:local 等)、新建 schema 对账脚本、配置 AUTO_SCHEMA_MIGRATION 开关，并通过迁移文件补齐缺失字段。
Out of Scope Changes check	✅ Passed	所有变更均与 issue #72 修复、Hexo 导入增强、版本升级 (2.4.0) 和依赖补丁直接相关，未发现超出既定范围的改动。

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dev

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch dev

Warning

Review ran into problems

🔥 Problems

Stopped waiting for pipeline failures after 30000ms. One of your pipelines takes longer than our 30000ms fetch window to run, so review may not consider pipeline-failure results for inline comments if any failures occurred after the fetch window. Increase the timeout if you want to wait longer or run a @coderabbit review after the pipeline has finished.

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}