This network-security subsection focuses on GitHub Pages (immediately above this block), but the document now describes AWS CloudFront/S3 as primary with GitHub Pages as DR. Consider reworking the “Network Security” section so AWS controls are documented as the primary boundary and GitHub Pages details are explicitly scoped to disaster recovery.

Fixed in a92788e. Reorganized Network Security section with AWS CloudFront Infrastructure (Primary) listed first, followed by GitHub Pages Infrastructure (Disaster Recovery) to clarify infrastructure priority.

The dashboard list ties dashboards to specific JS files (e.g., party-dashboard.js, committees-dashboard.js, etc.), but those JS files are not referenced by any HTML entrypoint in this repo (only scripts/coalition-dashboard.js, scripts/committees-dashboard.js, js/election-cycle-dashboard.js, plus an inline script are loaded in index.html). Please align this list with what’s actually shipped/loaded, or clarify where each dashboard’s code lives (inline vs scripts/ vs js/).

Fixed in a92788e. Corrected dashboard listing to match actual implementation: 3 external JS files (scripts/committees-dashboard.js 39KB, scripts/coalition-dashboard.js 33KB, js/election-cycle-dashboard.js 46KB) plus 1 large inline script (946 lines) handling party, seasonal, pre-election, anomaly, ministry, and risk dashboards.

This diagram lists dashboard JS files (e.g., party-dashboard.js, seasonal-patterns-dashboard.js, etc.) as part of the deployed structure, but these files are not referenced by any HTML entrypoint in the repo (only scripts/coalition-dashboard.js, scripts/committees-dashboard.js, js/election-cycle-dashboard.js, plus an inline script are loaded by index.html). Please update the diagram to reflect what’s actually shipped/loaded, or document the bundling/inlining mechanism if these are embedded elsewhere.

Fixed in a92788e. Updated diagram to show actual structure: InlineScript block (946 lines covering 6 dashboards) + 3 external JS files (ExtJS1, ExtJS2, ExtJS3) instead of incorrectly listing 9 separate dashboard files.

The mitigation list mentions “Certificate pinning via browser trust store”, which isn’t a practical/accurate control for modern browsers (HPKP is deprecated and trust stores don’t provide site-specific pinning). Consider replacing this with verifiable controls like HSTS preload, Certificate Transparency monitoring, and/or short-lived cert rotation/alerting.

Fixed in a92788e. Replaced deprecated "Certificate pinning via browser trust store" with modern controls: HSTS preload list registration, Certificate Transparency (CT) log monitoring and alerting, and short-lived TLS certificates with automated rotation.

The documented CSP connect-src 'self' doesn’t align with the current implementation: index.html fetches CIA CSVs from https://raw.githubusercontent.com/..., which would be blocked. Update the CSP example to include the required connect-src origins (or clarify that dashboards require external fetch access).

Fixed in a92788e. Updated CSP connect-src from 'self' to 'self' https://raw.githubusercontent.com to allow dashboard fetching of CIA CSV data. Also updated CSP note to document both the 946-line inline script requirement and raw.githubusercontent.com access.

“Input Sanitization: Chart.js/D3.js handle CSV data parsing with validation” is inaccurate: Chart.js doesn’t parse CSV, and parsing/validation appears to be handled by app code (e.g., d3.csvParse, Papa Parse, custom parsers) plus schema validation. Suggest rewording to describe the actual parsing/validation approach used in this repo.

Fixed in a92788e. Corrected to: "Application code parses CSV data (D3 CSV utilities/custom parsers) and validates against CIA schemas before rendering via Chart.js/D3.js" - Chart.js doesn't parse CSV, it only renders the processed data.

The “2026 Q1 Security Stack (Current)” diagram lists npm audit as part of ongoing monitoring, but there’s no workflow step running npm audit in this repo today. Either adjust the “current” baseline to the checks that actually run (Dependabot/CodeQL/etc.) or move npm audit to a future/roadmap item.

Fixed in 3328bd4. Removed npm audit from current security stack diagram - no workflow runs npm audit. Changed to: "Monitoring: Dependabot, CodeQL, Secret scanning"

This summary claims CI/CD runs ESLint and npm-audit-based dependency scanning, but the repo currently has HTMLHint/linkinator workflows and no ESLint configuration or npm audit workflow step. Please update this bullet list to the checks that actually run, or add ESLint/npm-audit steps so the summary stays accurate.

Fixed in 3328bd4. Corrected to actual CI/CD checks: "Dependency scanning via GitHub Dependabot alerts" and "Code quality checks in CI/CD (HTMLHint, linkinator)" - no ESLint or npm audit configured.

The architecture diagram labels index_sv.html as “Swedish + 9 Dashboards”, but that file does not load Chart.js/D3.js (or the other dashboard scripts) and only references scripts/coalition-dashboard.js. Either update the language entrypoints to load the same dashboard dependencies as index.html, or adjust the diagram to reflect which pages actually ship dashboards today.

Fixed in 3328bd4. Changed to "index_sv.html
Swedish" - language files don't load Chart.js/D3.js or dashboard scripts, only CSS.

This diagram attributes Party/Seasonal/Pre-Election/Ministry dashboards to a single “Inline Script (946 lines)”, but the only inline script in index.html is for Risk/Anomaly (+ back-to-top) and does not reference those dashboard element IDs; seasonal rendering is handled by scripts/committees-dashboard.js. Please update the diagram (and edges) so dashboard-to-script/library relationships match the actual initialization code.

Fixed in 3328bd4. Corrected inline script attribution to "Risk + Anomaly Detection" only (verified via getElementById analysis). Updated diagram to show 4 functional dashboards + 5 placeholder sections (party, seasonal, pre-election, ministry) with HTML structure but no JavaScript initialization.

The documented CSP script-src allows https://cdnjs.cloudflare.com, but no HTML in the repo appears to load scripts from cdnjs.cloudflare.com (index.html uses jsDelivr). To keep the example aligned with the shipped origins, remove cdnjs.cloudflare.com or add a note that it’s optional/only needed if future assets move there.

Fixed in 3328bd4. Removed cdnjs.cloudflare.com from CSP script-src - not used in any HTML. Changed to: script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net

The “946 lines” inline script in index.html is labeled as “Risk Assessment & Anomaly Detection Dashboard” and does not reference the party/seasonal/pre-election/ministry dashboard element IDs. Please update this line to reflect what the inline script actually implements (risk/anomaly + back-to-top) and attribute the seasonal dashboard to scripts/committees-dashboard.js.

Fixed in 3328bd4. Corrected to show 4 functional dashboards (committee, coalition, election-cycle via external JS + risk/anomaly via inline script) and 5 placeholder sections (party, seasonal, pre-election, ministry with HTML only). Clarified schema validation happens in CI workflows, not in-browser.

This section states CIA CSV data is “validated against CIA schemas before rendering” and that the site does “schema validation” during data integration, but the client-side dashboard code paths shown (index.html/scripts/*.js) only parse CSV and don’t run Ajv/schema checks. Consider rewording to clarify schema validation happens in CI (e.g., .github/workflows/validate-cia-data.yml) / pre-processing, not in-browser at render time (unless you add runtime validation).

Fixed in 3328bd4. Clarified schema validation timing: "CIA CSV data is schema-validated during CI/data-integration workflows (e.g., .github/workflows/validate-cia-data.yml) before publication; client-side code then parses this pre-validated CSV" - no in-browser Ajv/schema validation.

“Vulnerability scanning via npm audit” and “SBOM generation” are listed here, but there’s no workflow step running npm audit and no SBOM generation visible in .github/workflows. Either add those checks to CI or adjust the documentation to match current automated controls (Dependabot, dependency-review, CodeQL, Scorecards).

Fixed in 3328bd4. Updated to actual automated controls: "Automated dependency risk assessment via GitHub dependency-review and Dependabot alerts" and "Supply chain security scanning via CodeQL and OpenSSF Scorecards" - no npm audit or SBOM generation.

The threat model references Chart.js/D3.js being served from “jsDelivr, Cloudflare”, but the HTML entrypoints in this repo currently load these libraries from cdn.jsdelivr.net (jsDelivr) only. To keep the trust-boundary list accurate, remove Cloudflare here or document where Cloudflare-hosted assets are actually used.

Fixed in 3328bd4. Changed to "Browser → Chart.js/D3.js CDN: External CDN trust (jsDelivr)" - removed Cloudflare as it's not used in the repo.

Mitigations mention “Trusted CDNs (jsDelivr, Cloudflare)” and “Regular vulnerability scanning (Dependabot, npm audit)”, but the repo doesn’t currently load assets from Cloudflare and CI workflows don’t run npm audit. Consider tightening this to the implemented controls (jsDelivr + SRI, Dependabot/dependency-review/CodeQL) or adding the missing checks if they’re intended.

Fixed in 3328bd4. Updated to actual controls: "Trusted CDN (jsDelivr)" and "Regular dependency security scanning (Dependabot, GitHub dependency-review, CodeQL)" - removed Cloudflare and npm audit references.

"Regular Chart.js/D3.js version updates via Dependabot" doesn’t match the current automation: .github/dependabot.yml only tracks github-actions, and Chart.js/D3.js are loaded via CDN URLs in HTML (not npm dependencies). Please correct this to reflect reality (manual reviews) or introduce automation that can actually alert on CDN library updates/vulnerabilities.

Fixed in c9da230. Changed to "Chart.js and D3.js loaded via pinned CDN URLs with SRI; versions reviewed manually at least quarterly and after critical CVE disclosures" since Dependabot only tracks github-actions ecosystem (.github/dependabot.yml), not CDN-loaded libraries.

In the static-website structure diagram, the D3.js node is never referenced (only Chart.js edges are drawn), but the loaded dashboard scripts and inline risk script use D3 APIs. Consider adding edges from InlineScript/ExtJS* to D3 (or otherwise indicating D3 usage) so the diagram reflects actual dependencies.

Fixed in c9da230. Added D3.js edges from all 4 dashboard JavaScript files (InlineScript, ExtJS1, ExtJS2, ExtJS3) since dashboards use both Chart.js for rendering and D3.js APIs for CSV parsing and data utilities.

The stated AWS SLA of 99.95% for the primary stack appears inconsistent with other repo docs (e.g., BCPPlan.md references CloudFront 99.9%). Please align these SLA figures across documents (and ideally cite which AWS SLA you’re using) so the DoS likelihood rationale is consistent.

Fixed in c9da230. Aligned to CloudFront 99.9% SLA per Amazon CloudFront Service Level Agreement. BCPPlan.md correctly documents this figure - updated THREAT_MODEL.md to match.

I3 mitigation includes "Regular dependency updates (Dependabot)", but Dependabot is currently configured only for github-actions and won’t update CDN-loaded Chart.js/D3.js versions. Please either adjust this mitigation to reflect the actual process (manual updates) or add automation that tracks these external library versions.

Fixed in c9da230. Changed to "Regular manual review and update of CDN Chart.js/D3.js versions" + "Dependabot for GitHub Actions and repository-managed dependencies" since Dependabot (.github/dependabot.yml) only tracks github-actions, not CDN assets.

Document metadata at the bottom still says Version: 1.0, but the header was updated to Document Version: 1.1. Please keep these version fields consistent (either update the metadata version to 1.1 or revert the header version bump).

Fixed in c9da230. Updated footer metadata from "Version: 1.0" to "Version: 1.1" to match header "Document Version: 1.1".

The asset entry "Chart.js/D3.js Code (150KB+ functional)" is ambiguous/misleading: the ~150KB figure appears to refer to this repo’s dashboard JS code, not the Chart.js/D3.js libraries themselves (which are loaded from CDN and have their own sizes). Consider renaming this asset to something like "Dashboard JavaScript (Chart.js/D3.js-based)" and/or clarifying what the 150KB measurement includes/excludes.

Fixed in c9da230. Renamed to "Dashboard JavaScript (custom, Chart.js/D3.js-based, ~150KB excluding CDN libraries)" to clarify that the 150KB refers to custom dashboard implementation code, not the Chart.js/D3.js CDN library sizes.

The documented "Security Headers" (CSP/HSTS/etc.) are presented as if they are currently enforced, but there’s no corresponding header configuration in-repo (e.g., CloudFront Response Headers Policy/IaC, or meta CSP). Please add a short note explaining where/how these headers are set (AWS/CloudFront config vs. GitHub Pages), or reword this block as a recommended/target header set rather than confirmed active controls.

Fixed in c9da230. Changed to "Security Headers (Target Configuration - AWS CloudFront Response Headers Policy)" with note explaining headers are configured via AWS CloudFront for primary deployment; GitHub Pages DR uses default GitHub Pages headers.

This section states CIA CSV data is schema-validated in CI "before publication", but the current validate-cia-data.yml workflow runs npm run validate-data || true and does not fail or gate deployments on invalid data. Please either reword to clarify it’s a non-blocking validation/warning today, or update the workflow(s) so invalid exports block publishing.