diff --git a/CHANGELOG.md b/CHANGELOG.md
index fcadd58..97a4a71 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,39 +1,56 @@
# cveClient Changelog
-Version 1.0.22 2025-06-26
-* Resolved a bug as filled in #31 multiple versions under affected tree
-* Moved from jquery .data() to .attr(data- to avoid unexpected behaviors.
-* ProblemTypes can be array of array with only one dictionary object - fixed issue where m*n array can be consisten in JSON view and Friendly (Minimal) view.
+## Version 1.0.24 — 2026-03-28
-Version 1.0.21 2025-06-24
-* Added a new version of CVE Chatbot
-* Ask chatGPT button
-* Fixed bugs on multi-row elements
+- Security: Fixed XSS vulnerability — use `.text()` instead of `.html()` for CVE ID in modal title
+- Security: Prevent plaintext API key storage and harden encryption key handling
+- Security: Added prototype pollution protection to `queryParser` and removed sensitive logging
+- Updated SweetAlert2 from 11.4.9 to 11.26.24
+- Made schema references version-agnostic with automatic schema version detection
+- Added ADP (Authorized Data Publisher) read and delete support
+## Version 1.0.23 — 2025-12-15
-Version 1.0.20 2023-08-21
+- Updates to resolve bugs including security issues (CVE-pending)
+- Updates after demo to CVE AWG
+- Login bug fixes
+- Updated `check_json` function validation
-* Add schemaToJson.js generic library to support conversion of CVE schema
-* Added updates to support viewing of full schema as presented by CVE5.0 schema
+## Version 1.0.22 — 2025-06-26
+- Resolved a bug as filed in #31 — multiple versions under affected tree
+- Moved from jQuery `.data()` to `.attr("data-")` to avoid unexpected behaviors
+- ProblemTypes can be array of array with only one dictionary object — fixed issue where m\*n array can be consistent in JSON view and Friendly (Minimal) view
-Version 1.0.19 2023-08-21
+## Version 1.0.21 — 2025-06-24
-* Fixed some bugs on cveInterface.js related to apply_diff
-* Added the ability to download CVE JSON from repositories for edit/duplicate
-* Moved display capabilities using CSS.
+- Added a new version of CVE Chatbot
+- Ask ChatGPT button
+- Fixed bugs on multi-row elements
+- Added `cwe-common.json` for CWE autocomplete lookup
+## Version 1.0.20 — 2023-08-21
-Version 1.0.18 2023-08-09
+- Added `schemaToForm.js` generic library to support conversion of CVE schema
+- Added updates to support viewing of full schema as presented by CVE 5.0 schema
-* Fixed some bugs on cveInterface.js related to from_json and to_json routines
-* The cveclientLib on 1.0.14 now support ADP capability
-* The User Management interface bug fixes on duplicate ID or duplicate name field fixed.
-* ADP client interface is available only via JSON editor at this time.
-* Require at least One product to have STatus "affected" or "unknown".
+## Version 1.0.19 — 2023-08-21
-Version 1.0.17 2023-08-09
-* Allow entry of CVE data without being logged in just to create mock records
-* Implemented offload download button for CVE records
-* Fixed XSS issue due to changes to CVE Services RSUS interface
-* Pagination issues resolved
+- Fixed bugs on `cveInterface.js` related to `apply_diff`
+- Added the ability to download CVE JSON from repositories for edit/duplicate
+- Moved display capabilities using CSS
+
+## Version 1.0.18 — 2023-08-09
+
+- Fixed bugs on `cveInterface.js` related to `from_json` and `to_json` routines
+- The `cveClientlib.js` on 1.0.14 now supports ADP capability
+- User Management interface bug fixes on duplicate ID or duplicate name field
+- ADP client interface is available only via JSON editor at this time
+- Require at least one product to have status "affected" or "unknown"
+
+## Version 1.0.17 — 2023-08-09
+
+- Allow entry of CVE data without being logged in just to create mock records
+- Implemented offload download button for CVE records
+- Fixed XSS issue due to changes to CVE Services RSUS interface
+- Pagination issues resolved
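Review bot: the 1.0.23 line `- Updates to resolve bugs including security issues (CVE-pending)` gives readers nothing to act on, while the concrete security fixes (the `.text()` XSS fix in the modal title, plaintext API key storage, prototype pollution in `queryParser`) are itemised only under 1.0.24; state which release the pending CVE covers and replace `CVE-pending` with the assigned identifier or an advisory link once one exists, so users can tell the minimum safe version. Two historical entries are also changed rather than just reformatted (1.0.20's `schemaToJson.js` becomes `schemaToForm.js`, and 1.0.21 gains `Added cwe-common.json for CWE autocomplete lookup`); if these are corrections, mark them as such so the record of what each release shipped stays trustworthy.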
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..4e60ac5
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,118 @@
+# Contributing to cveClient
+
+This guide covers the technical details for developers contributing to cveClient.
+
+## Architecture
+
+cveClient is a pure client-side JavaScript application with no backend, no build system, and no transpilation.
+
+### Core Files
+
+| File | Description |
+| -------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [`cveClientlib.js`](./cveClientlib.js) | Reusable API client library. Class `cveClient` wraps the CVE Services REST API with `rfetch()` (Fetch API wrapper that injects API key auth). Methods for CVE CRUD, user management, and org info. |
+| [`cveInterface.js`](./cveInterface.js) | Main UI logic (~2000 lines). Handles login/logout, CVE operations, user management, and form-to-JSON conversion. |
+| [`schemaToForm.js`](./schemaToForm.js) | Dynamically generates HTML forms from the CVE JSON 5.x schema. Bidirectional: `FormToObject()` extracts JSON from form fields, `ObjectToForm()` populates forms from JSON. Fields linked via `data-field` attributes. |
+| [`autoCompleter.js`](./autoCompleter.js) | Autocomplete/suggestion UI for input fields with dynamic URL fetching (used for CWE lookup). |
+| [`encrypt-storage.js`](./encrypt-storage.js) | RSA-OAEP 4096-bit encryption for API keys in browser storage using Web Crypto API + IndexedDB for key persistence. |
+| [`index.html`](./index.html) | Single-page app with Bootstrap modals for all operations. |
+
+### How It Works
+
+1. User logs in with CNA short name, username, and API key
+2. API key is encrypted and stored in browser storage (localStorage or sessionStorage)
+3. All API calls go directly from the browser to CVE Services — no proxy or middleware
+4. The CVE JSON 5.x schema is fetched at runtime from the [CVE Schema Project](https://github.com/CVEProject/cve-schema) to dynamically generate the "All Fields" form
+5. Form data is converted to/from CVE JSON using `data-field` attribute mappings
+
+### Key Patterns
+
+- Heavy jQuery DOM manipulation with Bootstrap modals
+- Promise-based async/await for all API calls
+- State: global `client` object (session), localStorage/sessionStorage (credentials), IndexedDB (encryption keys)
+- Dynamic HTML generation for array fields (versions, descriptions, references) using `duplicate()`/`unduplicate()`
+- Version branches named `version-X.X.X`, PRs merged to `main`
+
+## Local Development
+
+There is no build step. Serve the files from any local web server:
+
+```bash
+python3 -m http.server 8080
+# or
+npx serve .
+# or
+php -S localhost:8080
+```
+
+Then open `http://localhost:8080` in your browser.
+
+**Note:** Opening `index.html` directly from the filesystem (`file://`) will not work — browsers block network requests from local files.
+
+## Using cveClientlib in Node.js
+
+The `cveClientlib.js` file includes conditional exports for Node.js environments. You can use it directly in Node.js scripts (`fetch` is available natively in Node 18+):
+
+```javascript
+const cveClient = require("./cveClientlib.js");
+
+const client = new cveClient(
+ "your_org_short_name",
+ "your_username",
+ "your_api_key",
+ "https://cveawg.mitre.org/api",
+);
+
+// Get CVE details
+client.getcvedetail("CVE-2024-1234").then(function (cve) {
+ console.log(JSON.stringify(cve, null, 2));
+});
+
+// Reserve a CVE ID
+client.reservecve(1).then(function (result) {
+ console.log("Reserved:", result);
+});
+
+// Get org quota
+client.getquota().then(function (quota) {
+ console.log("Quota:", quota);
+});
+```
+
+For older Node.js versions without native `fetch`, use [node-fetch](https://github.com/node-fetch/node-fetch):
+
+```javascript
+const fetch = require("node-fetch");
+globalThis.fetch = fetch;
+const cveClient = require("./cveClientlib.js");
+```
+
+## Running Tests
+
+Tests use [Vitest](https://vitest.dev/) with jsdom. Requires Node.js 22+.
+
+```bash
+npm ci
+npm test
+```
+
+Test suites:
+
+- **Pure function tests** (24 tests) — `get_deep`, `set_deep`, `simpleCopy`, `checkurl`, `check_json`, `queryParser`
+- **Security regression tests** (13 tests) — prototype pollution protection, XSS prevention via `safeHTML` and `cleanHTML`
+- **API client tests** (14 tests) — URL construction, auth headers, CVE/ADP operations
+
+## Dependencies
+
+All dependencies are for the HTML UI only. The `cveClientlib.js` library has zero dependencies.
+
+| Library | Version | Source | Integrity |
+| ----------------------------------------------- | ------- | ------ | ----------- |
+| [jQuery](https://jquery.com/) | 3.5.1 | CDN | SHA-384 SRI |
+| [Bootstrap](https://getbootstrap.com/) | 4.3.1 | CDN | SHA-384 SRI |
+| [Popper.js](https://popper.js.org/) | 1.14.7 | CDN | SHA-384 SRI |
+| [Bootstrap-Table](https://bootstrap-table.com/) | 1.19.1 | CDN | SHA-384 SRI |
+| [SweetAlert2](https://sweetalert2.github.io/) | 11.x | Local | — |
+| [Ace Editor](https://ace.c9.io/) | 1.2.4 | Local | — |
+
+CDN dependencies use [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) (SRI) checks. SweetAlert2 and Ace Editor are served from local copies due to build issues with their CDN versions — please review their respective license agreements.
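Review bot: the Node.js example passes the credential as a string literal (`"your_api_key"`), which invites copying a real key into scripts and version control; read it from the environment instead, e.g. `process.env.CVE_API_KEY`, and say so in the sentence above the block. The `encrypt-storage.js` row should also state the threat model: the RSA-OAEP private key is persisted in IndexedDB for the same origin, so any script running in the page can call decrypt on the stored API key, meaning the encryption protects against inspection of storage on disk rather than against XSS in the app itself (the kind of issue the 1.0.24 entries in this PR fix). Minor: the dependency table lists SweetAlert2 as `11.x` while CHANGELOG.md in this PR pins 11.26.24; give the exact version so the local copy can be audited against upstream.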
diff --git a/INSTALL.md b/INSTALL.md
index c235ba0..b367697 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -1,12 +1,78 @@
-### Installing cveClient on your webserver (apache2, IIS, nginx, tinyhttp)
+# Installing cveClient
-All the files in this repository are client utilities expected to served from a webserver to run inside a web browser. Directly accessing the index.html file inside a browser will NOT work as most browsers will not allow network activity from static files on your local or network attached drive/storage.
+cveClient is a pure static web application — all files are served directly to the browser with no build step, no transpilation, and no server-side processing.
-Clone this repository to a web accessible folder in your webserver says into a folder called `cveClient` using git command `git clone https://github.com/CERTCC/cveClient`. Once you have cloned this folder, you can visit your webserver's relative URL at `/cveClient/` to the folder where the repository was cloned. Ensure your webserver's default index file is `index.html`
+## Quick Start (Local Development)
-If you use Content-Security-Policy (CSP) headers on your webserver or on your web reverse proxy, make sure the appropriate domain URLs are allowed for the folder that was cloned (`cveClient`). Below is the sample Content-Security-Policy header recommended for this folder:
+Any local web server will work. Pick whichever you have installed:
-`default-src 'self' blob: http://127.0.0.1:* http://localhost:*; connect-src 'self' http://127.0.0.1:* http://localhost:* *.mitre.org; script-src 'self' https://stackpath.bootstrapcdn.com https://code.jquery.com https://cdnjs.cloudflare.com https://unpkg.com https://apis.google.com blob:; style-src 'self' https://stackpath.bootstrapcdn.com 'unsafe-inline' https://unpkg.com; img-src 'self' data: blob:;object-src 'self'`
+```bash
+# Python
+python3 -m http.server 8080
+# Node.js
+npx serve .
+# PHP
+php -S localhost:8080
+# Ruby
+ruby -run -e httpd . -p 8080
+```
+
+Then open `http://localhost:8080` in your browser.
+
+**Note:** Opening `index.html` directly from the filesystem (`file://`) will not work — browsers block network requests from local files.
+
+## Production Deployment (Apache, Nginx, IIS)
+
+Clone the repository into a web-accessible folder on your web server:
+
+```bash
+git clone https://github.com/CERTCC/cveClient.git /var/www/html/cveClient
+```
+
+Then visit your server's URL at `/cveClient/`. Ensure your web server's default index file includes `index.html`.
+
+### Content-Security-Policy
+
+If you use Content-Security-Policy (CSP) headers on your web server or reverse proxy, the following CSP is recommended for the cveClient folder:
+
+```
+default-src 'self' blob: http://127.0.0.1:* http://localhost:*;
+connect-src 'self' http://127.0.0.1:* http://localhost:* *.mitre.org;
+script-src 'self' https://stackpath.bootstrapcdn.com https://code.jquery.com https://cdnjs.cloudflare.com https://unpkg.com https://apis.google.com blob:;
+style-src 'self' https://stackpath.bootstrapcdn.com 'unsafe-inline' https://unpkg.com;
+img-src 'self' data: blob:;
+object-src 'self'
+```
+
+### Apache Example
+
+Add to your `.htaccess` or virtual host configuration:
+
+```apache
+
+ Header set Content-Security-Policy "default-src 'self' blob: http://127.0.0.1:* http://localhost:*; connect-src 'self' http://127.0.0.1:* http://localhost:* *.mitre.org; script-src 'self' https://stackpath.bootstrapcdn.com https://code.jquery.com https://cdnjs.cloudflare.com https://unpkg.com https://apis.google.com blob:; style-src 'self' https://stackpath.bootstrapcdn.com 'unsafe-inline' https://unpkg.com; img-src 'self' data: blob:; object-src 'self'"
+
+```
+
+### Nginx Example
+
+```nginx
+location /cveClient/ {
+ add_header Content-Security-Policy "default-src 'self' blob: http://127.0.0.1:* http://localhost:*; connect-src 'self' http://127.0.0.1:* http://localhost:* *.mitre.org; script-src 'self' https://stackpath.bootstrapcdn.com https://code.jquery.com https://cdnjs.cloudflare.com https://unpkg.com https://apis.google.com blob:; style-src 'self' https://stackpath.bootstrapcdn.com 'unsafe-inline' https://unpkg.com; img-src 'self' data: blob:; object-src 'self'";
+}
+```
+
+## CVE Services Endpoints
+
+The application connects to one of three CVE Services environments, selectable at login:
+
+| Environment | URL |
+| ----------- | ----------------------------------- |
+| Production | `https://cveawg.mitre.org/api` |
+| Test | `https://cveawg-test.mitre.org/api` |
+| Local | `http://127.0.0.1:3000/api` |
+
+If you need to connect to a different endpoint, modify the `
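Review bot: the recommended CSP is presented as production guidance but still carries development-only and permissive sources: `default-src` and `connect-src` allow `http://127.0.0.1:*` and `http://localhost:*` (needed only for the Local endpoint in the table), `connect-src *.mitre.org` has no scheme so plain `http://` connections are accepted, `object-src 'self'` could be `'none'` for an app that embeds no plugins, and `script-src` permits `blob:` and `https://apis.google.com` although neither appears in the dependency list in CONTRIBUTING.md; split the policy into a production variant without the localhost entries and note why each remaining source is required. The Apache example also has empty lines at the top and bottom of the block where an `<IfModule mod_headers.c>` or `<Directory>` wrapper appears to have been dropped; restore the wrapper or remove the blank lines so the snippet pastes cleanly.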