Site Modernization Mimesis Audit — 2026-05-29

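This artifact is not proof that the whole blog is complete. It is a record of producing a publish-ready Mimesis Audit sample inside this repo, tying local repo truth, parallel persona audits, primary sources, edit diff, and build verification into a single loop.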

Claim

This site does not merely describe Mimesis engineering in words; it has begun re-checking its own content, search, accessibility, CMS/OAuth, and proof boundary with the same method.

Verified Originals

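| source | class | operating grammar extracted |
| --- | --- | --- |
| W3C WCAG 2.2 | web standard | Accessibility must be reviewed against the perceivable, operable, understandable, robust criteria, not as a matter of aesthetics. |
| WAI-ARIA APG Dialog Pattern | W3C pattern | A modal dialog needs focus movement inside it, closing on Escape, and focus returning to the invoker after it closes. |
| WAI-ARIA APG Listbox Pattern | W3C pattern | A listbox can express an option's active state through a composite focus approach such as aria-activedescendant. |
| Google Search Central SEO Starter Guide | official product documentation | Titles, descriptions, image context, and navigation structure must be an information structure that helps the reader understand before it serves search. |
| Hugo Image Render Hooks | official framework documentation | Markdown image output can be changed through a render hook to fit the project's contract. |
| MDN postMessage security guidance | primary web platform documentation | Sensitive data such as tokens must not be sent with targetOrigin="*", and the receiving origin must also be validated. |
| MDN CORS guide | primary web platform documentation | Credentialed/cached cross-origin responses need an explicit origin and a Vary: Origin boundary rather than a wildcard. |
| GitHub Pages docs | official hosting documentation | Local build proof and live public route proof must be kept separate. |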

Ontology Impact Map

| object | changed or audited |
| --- | --- |
| SiteSurface | home, Start Here, About, Mimesis Engineering, Mimesis Audit, Proof, Reports, Demos, posts, proof artifacts |
| ClaimBoundary | separated the vocabulary for public draft, offer draft, local build verified, and live route pending |
| ReferenceCard | applied the source class, learn, do-not-copy, project mapping, validation criterion format to proof artifacts |
| Navigation | promoted Operator OS and command palette actions to the primary path |
| SearchIndex | expanded from posts-only search to regular pages + description + summary + tags search |
| AccessibilityGate | mobile search trigger, dialog name, listbox/options, focus return, Markdown image render hook |
| CmsAuthSurface | Decap OAuth worker scope, CORS, postMessage target origin |
| Memory | recorded the repo-level source-first and Mimesis chain rule as durable memory |

Commands / Redlines

| command | redline |
| --- | --- |
| Mimesis definition must include operating grammar, ontology, commands/redlines, output contracts, golden examples, validation, and memory. | Do not present Mimesis as industry standard or proven consulting method without external outcomes. |
| Local build proof must be labeled local. | Do not use local build as live public deployment proof. |
| OAuth token handoff must use exact origins. | Do not use wildcard postMessage for auth tokens. |
| Search/dialog UI must keep keyboard and assistive-tech behavior in scope. | Do not treat visual polish as accessibility proof. |
| Reference examples must say what to learn and what not to copy. | Do not use references as style-cloning permission. |

Output Contract

Every future site modernization pass should emit:

| field | required evidence |
| --- | --- |
| Scope | which pages, templates, workers, generated routes, and live routes were inspected |
| Persona audits | at least reader, proof/source, UX/accessibility, security/ops viewpoints |
| Reference cards | official/original source, extracted grammar, do-not-copy boundary |
| Edit diff | exact files changed |
| Verification | Hugo build, route existence, worker syntax/bundle where relevant |
| Boundary | what remains local, pending, historical, or unproven |
| Memory update | durable rule or discarded direction if the pass changes operating behavior |

What Changed In This Pass

  • Rewrote the Mimesis hub around verified original -> decomposition -> ontology -> commands/redlines -> output contracts -> golden examples -> validation -> memory.
  • Standardized the public proof boundary around Mimesis Engineering and Mimesis Audit.
  • Added slug/category/draft/archive/alias/image-alt metadata to the CMS reference schema, then disabled the live CMS entrypoint until Worker proof exists.
  • Expanded the generated search index beyond posts.
  • Removed stale build-time cache-busting query strings.
  • Disabled unsafe Goldmark rendering and escaped the terminal shortcode.
  • Hardened the CMS OAuth worker around public_repo, exact CMS_ORIGIN, allowlisted CORS, and Vary: Origin.
  • Added mobile search access and improved command palette dialog/listbox semantics.
  • Added a Markdown image render hook so inline images use the same figure contract.
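
The OAuth worker hardening listed above (exact CMS_ORIGIN, allowlisted CORS, Vary: Origin, no wildcard postMessage) can be sketched as follows. This is an added example, not the site's worker/src/index.js: the CMS_ORIGIN value is a constructed placeholder, the helper names are hypothetical, and the message strings assume the usual Decap GitHub popup handshake.

```javascript
// Added example: exact-origin CORS and postMessage handoff for a Decap-style OAuth worker.
// The CMS_ORIGIN value below is a constructed placeholder, not the site's real configuration.
const CMS_ORIGIN = "https://cms.example";
const CORS_ALLOWLIST = new Set([CMS_ORIGIN]);

// CORS headers for one request. The Origin header is matched as an exact string
// against the allowlist; it is never reflected blindly and never answered with "*".
function corsHeaders(requestOrigin, allowlist = CORS_ALLOWLIST) {
  const headers = { Vary: "Origin" }; // caches must key on Origin in both outcomes
  if (requestOrigin && allowlist.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Serialize a value for an inline <script>: JSON, plus escaping of the characters
// that could terminate the script element or start an HTML entity or comment.
function scriptSafeJson(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026");
}

// Popup callback page that hands the token to the CMS window. A wildcard or a
// value with a path is rejected, so the target origin is always one exact origin.
function buildHandoffPage(token, cmsOrigin = CMS_ORIGIN) {
  const origin = new URL(cmsOrigin).origin; // throws on "*" or other malformed input
  if (origin !== cmsOrigin) throw new Error("CMS_ORIGIN must be a bare origin");
  const message = "authorization:github:success:" +
    JSON.stringify({ token, provider: "github" }); // assumed Decap message format
  return `<!doctype html><script>
(function () {
  var ORIGIN = ${scriptSafeJson(origin)};
  var MESSAGE = ${scriptSafeJson(message)};
  window.addEventListener("message", function (event) {
    if (event.origin !== ORIGIN) return;        // validate the sender first
    window.opener.postMessage(MESSAGE, ORIGIN); // exact target origin, no wildcard
  });
  if (window.opener) window.opener.postMessage("authorizing:github", ORIGIN);
})();
</script>`;
}
```

The token only leaves the popup after a message arrives from the configured origin, and a misconfigured CMS_ORIGIN fails at page-build time instead of silently widening the target.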

Verification

Current verification:

  • hugo --destination <temp> --minify --printPathWarnings --printUnusedTemplates: passed locally.
  • git diff --check: passed locally.
  • node --check worker/src/index.js: passed locally.
  • npx wrangler deploy --dry-run --outdir .wrangler-dry-run-final-check from worker/: passed locally.
  • Source commits were pushed to origin/main.
  • Hugo output was published to the legacy gh-pages / Pages source.
  • The latest pages-build-deployment run passed for the generated gh-pages output.
  • scripts/check-live-routes.ps1: passed against https://svy04.github.io.
  • Representative legacy Korean post URLs returned HTTP 200 after alias preservation.

What Remains Unproven

  • CMS OAuth is bundle-verified but not manually verified with a live Decap login/edit/media workflow in this artifact.
  • Worker OAuth hardening is not live-proven because wrangler deploy needs CLOUDFLARE_API_TOKEN in this environment; /admin/ is therefore disabled until proof exists.
  • Search and command palette behavior received browser snapshots, but still needs a full keyboard-only regression pass.
  • External user outcomes for Mimesis Audit are still not proven.

Allowed Public Claim

The live site now contains a self-applied Mimesis Audit artifact showing how the method is being used on the site itself, with local build, Pages deployment, live route proof, and Worker OAuth limits separated.

Forbidden Public Claim

Do not claim the entire site modernization is complete, live, externally validated, or commercially proven from this artifact alone.

Next Verification

Deploy the Worker after CLOUDFLARE_API_TOKEN is available, then run live OAuth smoke checks and a manual Decap login/edit/media/unauthorized-denial flow.