From cbefd0fc4c7ab6679ce0050be90dede199de5996 Mon Sep 17 00:00:00 2001
From: pauljacobb
Date: Fri, 26 Jun 2026 07:47:04 +0000
Subject: [PATCH 1/2] feat: add dependency supply-chain verification (#602)
---
 .github/workflows/supply-chain.yml | 34 ++++++++++++++++++++++++++++++
 apps/contracts/deny.toml | 24 +++++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 .github/workflows/supply-chain.yml
 create mode 100644 apps/contracts/deny.toml
diff --git a/.github/workflows/supply-chain.yml b/.github/workflows/supply-chain.yml
new file mode 100644
index 0000000..a5fee80
--- /dev/null
+++ b/.github/workflows/supply-chain.yml
@@ -0,0 +1,34 @@
+name: Supply Chain Verification
+
+on:
+ push:
+ branches: [main, develop]
+ pull_request:
+ schedule:
+ - cron: '0 6 * * 1' # weekly on Monday
+
+jobs:
+ npm-provenance:
+ name: npm audit signatures
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 22
+ - uses: pnpm/action-setup@v4
+ with:
+ version: 10
+ - run: pnpm install --frozen-lockfile
+ - run: npm audit signatures
+
+ cargo-deny:
+ name: cargo deny
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: EmbarkStudios/cargo-deny-action@v2
+ with:
+ manifest-path: apps/contracts/Cargo.toml
+ command: check
+ arguments: --config apps/contracts/deny.toml
diff --git a/apps/contracts/deny.toml b/apps/contracts/deny.toml
new file mode 100644
index 0000000..41e3876
--- /dev/null
+++ b/apps/contracts/deny.toml
@@ -0,0 +1,24 @@
+[advisories]
+version = 2
+db-urls = ["https://github.com/rustsec/advisory-db"]
+ignore = []
+
+[licenses]
+version = 2
+allow = [
+ "Apache-2.0",
+ "MIT",
+ "ISC",
+ "BSD-2-Clause",
+ "BSD-3-Clause",
+ "Unicode-3.0",
+]
+
+[bans]
+multiple-versions = "warn"
+wildcards = "deny"
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
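Review bot: Neither verification step looks like it gates anything as written. `npm audit signatures` runs after `pnpm install --frozen-lockfile` against a pnpm-managed tree with no package-lock.json, which npm's signature audit requires (expect an ENOLOCK failure rather than a real check) — run the job once to confirm, then either generate an npm lockfile for that step or replace it with a check that reads pnpm-lock.yaml. In the cargo-deny job, `arguments:` is placed before the subcommand where, as far as I recall the action's input layout, `--config` is not accepted as a global flag (it belongs to `check`, so it should be `command-arguments: --config apps/contracts/deny.toml`, or simply dropped since deny.toml already sits beside the manifest), and overriding `arguments` also discards the action's default `--all-features`, so feature-gated dependencies stop being scanned. Finally, a supply-chain workflow should meet its own bar: pin `actions/checkout`, `actions/setup-node`, `pnpm/action-setup` and `EmbarkStudios/cargo-deny-action` to full commit SHAs instead of floating `@v4`/`@v2` tags, and add a top-level `permissions: contents: read` so the default `GITHUB_TOKEN` is read-only.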
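Review bot: The config never states which feature set cargo-deny should resolve, so whether feature-gated dependencies of the contracts crate (test or build features, for example) are covered by the advisory and license checks depends entirely on CLI flags in the workflow; add a `[graph]` table with `all-features = true` so the policy is self-contained — confirm against the crate's actual features. `allow-registry` under `[sources]` restates cargo-deny's default (crates.io is already the only permitted registry when the key is omitted); it is fine to keep but deserves a comment such as `# explicit on purpose: mirrors the default, any other registry is rejected`. `multiple-versions = "warn"` means duplicated crate versions never fail the job, and `ignore = []` carries no convention for recording why an advisory is suppressed; a short comment above it, e.g. `# every entry needs an id, a reason and an owner: { id = "RUSTSEC-…", reason = "…" }`, keeps later exceptions honest.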
From a23763db274b35a1f19bb1c5f749a1c015ec7f0f Mon Sep 17 00:00:00 2001
From: pauljacobb
Date: Fri, 26 Jun 2026 07:47:16 +0000
Subject: [PATCH 2/2] feat: add analytics tracking for verifier and governance (#607)
---
 apps/web/.env.example | 6 ++++++
 apps/web/src/lib/analytics.ts | 16 +++++++++++++++
 docs/ANALYTICS.md | 37 +++++++++++++++++++++++++++++++++++
 3 files changed, 59 insertions(+)
 create mode 100644 apps/web/src/lib/analytics.ts
 create mode 100644 docs/ANALYTICS.md
diff --git a/apps/web/.env.example b/apps/web/.env.example
index 4bbce95..fb8ac90 100644
--- a/apps/web/.env.example
+++ b/apps/web/.env.example
@@ -63,3 +63,9 @@ LOGTAIL_SOURCE_TOKEN=
 # In development, http://localhost:3000 is always permitted.
 # Example: https://solarproof.vercel.app,https://staging.solarproof.vercel.app
 CORS_ALLOWED_ORIGINS=https://solarproof.vercel.app
+
+# ── Analytics (optional) ──────────────────────────────────────────────────────
+# Plausible Analytics — privacy-first, cookieless, GDPR-compliant.
+# Set to your site domain (e.g. solarproof.vercel.app) to enable.
+# See docs/ANALYTICS.md for setup instructions.
+NEXT_PUBLIC_PLAUSIBLE_DOMAIN=
diff --git a/apps/web/src/lib/analytics.ts b/apps/web/src/lib/analytics.ts
new file mode 100644
index 0000000..419bad1
--- /dev/null
+++ b/apps/web/src/lib/analytics.ts
@@ -0,0 +1,16 @@
+declare global {
+ interface Window {
+ plausible?: (event: string, options?: { props?: Record }) => void;
+ }
+}
+
+export function trackEvent(name: string, props?: Record): void {
+ if (typeof window === 'undefined' || !window.plausible) return;
+ window.plausible(name, props ? { props } : undefined);
+}
+
+export const trackVerify = (certId: string) =>
+ trackEvent('Verify', { certId });
+
+export const trackGovernanceVote = (proposalId: string) =>
+ trackEvent('GovernanceVote', { proposalId });
diff --git a/docs/ANALYTICS.md b/docs/ANALYTICS.md
new file mode 100644
index 0000000..bff5831
--- /dev/null
+++ b/docs/ANALYTICS.md
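Review bot: `trackVerify` and `trackGovernanceVote` forward the raw `certId` a visitor typed on `/verify` and the `proposalId` they voted on to a third-party analytics endpoint; that is user-controlled, unbounded input and a per-visit activity trail, which sits uneasily next to the .env comment in this same patch describing the integration as privacy-first, and any "no personal data" claim has to be justified for these two values specifically (a certificate or a vote can be tied to a person). Prefer emitting the event without the identifier, or at least bound it: `trackEvent('Verify', { certId: certId.slice(0, 64) })` is the minimal change, dropping the prop entirely is the safer one. If the ids stay, record the decision above `trackVerify`, e.g. `// certId/proposalId are sent verbatim to Plausible — reviewed for PII on <date> by <owner>`. `trackEvent` itself is fine (the `typeof window` guard makes it safe from server-rendered code), but `props?: Record` as rendered has no type arguments; if that is not a rendering artifact it should be something like `Record<string, string | number | boolean>`, matching the primitive custom-property values Plausible documents.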
@@ -0,0 +1,37 @@
+# Analytics
+
+SolarProof uses [Plausible Analytics](https://plausible.io) — a privacy-first, cookieless analytics tool that is GDPR-compliant out of the box.
+
+## What is tracked
+
+| Event | Trigger | Properties |
+|---|---|---|
+| `Verify` | User submits a certificate ID on `/verify` | `certId` |
+| `GovernanceVote` | User casts a vote on `/governance` | `proposalId` |
+
+No personal data, IP addresses, or cookies are collected.
+
+## How to enable Plausible
+
+1. Create a site in your [Plausible dashboard](https://plausible.io/sites).
+2. Set the environment variable:
+ ```
+ NEXT_PUBLIC_PLAUSIBLE_DOMAIN=yourdomain.com
+ ```
+3. Add the Plausible script to `apps/web/src/app/layout.tsx`:
+ ```tsx
+ {process.env.NEXT_PUBLIC_PLAUSIBLE_DOMAIN && (
+