Add CrawlProof stats tracker #416

Merged
ralyodio merged 1 commit into master from crawlproof/install-stats-tracker-2026-05-23T09-33-06
May 23, 2026
@crawlproof (bot) commented May 23, 2026

This PR adds the CrawlProof stats tracker to your site.

What it does: counts pageviews by source — AI engine referrals (ChatGPT, Perplexity, Claude, Gemini…) and AI crawler hits (GPTBot, ClaudeBot, PerplexityBot…). No cookies. No PII. Rolls up to a daily counter on the CrawlProof Stats tab for your project.

What changed: one line added to sites/sh1pt.com/app/layout.tsx, just before </body>:

<Script data-site="09d382f0-1b98-4d28-b360-78eaf4e030f2" src="https://crawlproof.com/stats.js" strategy="afterInteractive" />

The diff also imports Script from next/script if it wasn't already imported.

Docs: https://crawlproof.com/docs/stats-tracker
Disable: flip the tracker off on your CrawlProof project Stats tab and the script becomes a no-op (or remove this line).

@github-actions

vu1nz Security Review

1 finding(s) in PR #416

MEDIUM: 1

Findings

| Severity | File | Issue | Suggestion |
| --- | --- | --- | --- |
| MEDIUM | sites/sh1pt.com/app/layout.tsx | Third-party script dependency risk: Adding an external analytics script from crawlproof.com introduces supply chain risk. The script loads from | 1. Verify the legitimacy and security practices of crawlproof.com<br>2. Consider using Subresource Integrity (SRI) hash to ensure script integrity |

Full AI Analysis

Looking at this diff, I can see that a third-party analytics script from crawlproof.com is being added to the application layout.

Security Analysis

| Severity | File | Line | Issue | Suggestion |
| --- | --- | --- | --- | --- |
| Medium | sites/sh1pt.com/app/layout.tsx | 87 | Third-party script dependency risk: Adding an external analytics script from crawlproof.com introduces supply chain risk. The script loads from an external domain and could potentially be compromised or modified to inject malicious code. | 1. Verify the legitimacy and security practices of crawlproof.com<br>2. Consider using Subresource Integrity (SRI) hash to ensure script integrity<br>3. Implement Content Security Policy (CSP) headers to restrict script execution<br>4. Monitor the script for any changes<br>5. Consider self-hosting the analytics solution if possible |

Additional Security Considerations

While not immediate vulnerabilities, consider these security best practices:

  1. Content Security Policy: Ensure your CSP allows this external script domain
  2. Privacy compliance: Verify this analytics service complies with relevant privacy regulations (GDPR, CCPA, etc.)
  3. Data handling: Review what data this analytics service collects and how it's processed

The use of Next.js Script component with strategy="afterInteractive" is appropriate as it ensures the script loads after the page becomes interactive, which is good for performance and reduces some security risks compared to inline scripts.

@ralyodio ralyodio merged commit 8f6f3b6 into master May 23, 2026
6 checks passed
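
The security review above suggests a Subresource Integrity hash and monitoring the script for changes. The following Node.js code is an added example, not part of the PR or of either bot's comment: it computes an integrity value and applies the browser's strongest-algorithm rule to detect drift. The function names are hypothetical and the script bodies are constructed samples, not the real stats.js.

```javascript
// Added example (not from the PR): SRI pinning and drift check for a third-party script.
const { createHash } = require('node:crypto');

const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 }; // algorithms SRI defines

// Integrity value for the exact bytes of a script, e.g. "sha384-<base64>".
function sriHash(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// Parse an integrity attribute: whitespace-separated "alg-base64[?options]" tokens.
// Tokens with an unknown algorithm are ignored, as a browser would ignore them.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).filter(Boolean).map((tok) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(tok);
    return m ? { alg: m[1], token: `${m[1]}-${m[2]}` } : null;
  }).filter(Boolean);
}

// Mirror the browser's decision: only hashes of the strongest listed algorithm
// count, and the body must match at least one of them.
function checkScript(body, integrityAttr) {
  const pins = parseIntegrity(integrityAttr);
  if (pins.length === 0) return { status: 'unpinned' }; // browser would load it unchecked
  const best = pins.reduce(
    (a, p) => (STRENGTH[p.alg] > STRENGTH[a] ? p.alg : a), pins[0].alg);
  const actual = sriHash(body, best);
  const ok = pins.some((p) => p.alg === best && p.token === actual);
  return { status: ok ? 'match' : 'drift', algorithm: best, actual };
}

// Constructed sample bodies standing in for two versions of a vendor script.
const REVIEWED = Buffer.from('/* constructed sample v1 */ console.log("count");\n');
const CHANGED = Buffer.from('/* constructed sample v2 */ console.log("count+");\n');
const PINNED = sriHash(REVIEWED); // the value that would go in integrity="..."
```

A browser enforces integrity on a cross-origin script only when the tag is fetched in CORS mode (the crossorigin attribute) and the host sends CORS headers. Because the pin covers exact bytes, any vendor update to the file fails the check until the pin is refreshed, which is why a scheduled drift check belongs next to the pin.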