v0.0.40

Bug-fix release focused on false positives, publish reliability, and binary compatibility. Huge thanks to @AnkitClassicVision, @MoriNo23, @wildfiremedia, and @v2lightingintl for the detailed reports that drove this release.

Audit Rule Fixes

• E-E-A-T rules now understand @graph JSON-LD (#21, thanks @AnkitClassicVision) — author bylines, content dates, and LocalBusiness data nested in Yoast-style @graph wrappers (most WordPress sites) are now detected. Previously these rules reported "no author / no dates" on fully-marked-up sites.
• Contact, About, Privacy, and Terms pages are always crawled first (#21) — large sitemaps no longer crowd them out of the page budget, fixing false "No Contact page found" / "No Privacy Policy found" warnings.
• Leaked-secrets rule no longer flags public client-side keys — Stripe publishable keys, Google Maps/Firebase browser keys, GTM/GA tag IDs, OAuth client IDs, Sentry DSNs, Mapbox public tokens, and Supabase anon keys are now reported as informational (public by design) instead of errors. Real secrets (e.g. sk_live_…, AWS keys, private key blocks) still fail.
• Fixed a11y/duplicate-id-aria rule error (#21) — "CSS is not defined" no longer crashes the rule.
• Issue severity now reflects what actually happened — a rule whose checks all came back as warnings reports as a warning, not an error.
• mailto:?subject=… share links are no longer flagged invalid (#17, thanks @wildfiremedia) — address-less mailto links are a legitimate email-share pattern.
• Shopify's native hCaptcha is now detected (#24, thanks @v2lightingintl) — the form-captcha rule recognizes the captcha-bootstrap inline loader and CDN script.
• social/og-image-size now names the image (#18, thanks @wildfiremedia) — warnings include the og:image URL instead of just the page.

Publishing & Crawling

• Fixed "Invalid report format" publish failures — relative links like href="index.html" no longer resolve to bogus hosts, duplicate source-page lists are deduplicated, and validation errors from the server now show the exact field and reason.
• Publish no longer hangs forever — the upload has a 30s timeout and retries transient connection failures.
• Crawler watchdog (#13) — a wedged crawl batch can no longer hang an audit indefinitely; the crawl finishes with partial results instead.

Compatibility & Updates

• Linux/Windows x64 binaries now run on older CPUs (#22, thanks @MoriNo23) — built without AVX requirements, fixing "Illegal instruction" crashes on pre-2013 hardware (e.g. Sandy Bridge).
• Self-update fixes (#14, thanks @wildfiremedia) — draft releases are never offered as updates, and answering "y" to an update prompt that can't proceed now explains why instead of silently doing nothing.