feat(002): add sitemap generation feature

- Refactor kmeContentSourceAdapter.js into getValidToken(), oidcAuthFlow(),
  and sitemapFlow(); add sitemap generation using hydra:member response structure
- Add searchApiBaseUrl, tenant, proxyBaseUrl fields to kme_CSA_settings.json
  and kme_CSA_settings.json.example
- Add 17 unit tests for sitemap flow and non-sitemap routing regression
- Add 5 contract tests for sitemap endpoint (proxy-http.test.js)
- Add [Unreleased] sitemap entry to CHANGELOG.md
- Add full specs/002-sitemap-generation/ artifact directory
  (spec, plan, tasks, data-model, contracts, research, quickstart, checklist)
- Update constitution.md: add redis as permitted global, refresh
  kme_CSA_settings references
- Update copilot-instructions.md SPECKIT marker to sitemap plan

.specify/memory/constitution.md

@@ -297,8 +297,9 @@ Follow-up TODOs:
 - ✅ `jwt` - JSON Web Token library for authentication
 - ✅ `xmlBuilder` - XML document builder
 - ✅ `uuidv4` - UUID generator
+- ✅ `redis` - Redis client for token caching and shared state
 - ✅ `adapterHelper` - Helper functions (loaded from src/globalVariables/)
-- ✅ `adapter_settings` - Business data only (service account, Drive query, sitemap settings)
+- ✅ `kme_CSA_settings` - Business data only (OIDC credentials, search API config, sitemap settings)
 - ✅ `req` - HTTP request object (includes req.params with routing metadata)
 - ✅ `res` - HTTP response object
 
@@ -440,6 +441,7 @@ const globalVMContext = {
   uuidv4,
   jwt,
   xmlBuilder,
+  redis,  // Connected Redis client for token caching
 };
 
 // Load dynamic data from src/globalVariables/ directory
@@ -505,14 +507,21 @@ script.runInContext(context);
    - Package: `xmlbuilder2` (create function)
    - Injected from: `globalVMContext.xmlBuilder`
 
+7. **redis** - Redis client
+   - Purpose: Token caching and shared state across requests
+   - Usage: `await redis.hGet('key', 'field')`, `await redis.hSet('key', 'field', 'value')`
+   - Package: `redis` (node-redis v4+, connected client)
+   - Injected from: `globalVMContext.redis`
+   - Note: Client is connected before server starts; use `await` for all operations
+
 **Built-in Web APIs:**
 
-7. **URLSearchParams** - URL query string parser (built-in)
+8. **URLSearchParams** - URL query string parser (built-in)
    - Purpose: Parse and manipulate URL query strings
    - Usage: `new URLSearchParams(queryString)`
    - Injected from: `globalVMContext.URLSearchParams`
 
-8. **URL** - URL parser (built-in)
+9. **URL** - URL parser (built-in)
    - Purpose: Parse and manipulate URLs
    - Usage: `new URL(urlString)`
    - Injected from: `globalVMContext.URL`
@@ -520,14 +529,14 @@ script.runInContext(context);
 
 **Dynamic Data Context Variables:**
 
-9. **Dynamic JSON objects from src/globalVariables/ directory**
+10. **Dynamic JSON objects from src/globalVariables/ directory**
     - Purpose: Authentication credentials, secrets, API keys, and behavioral configuration
     - Pattern: Each `src/globalVariables/filename.json` loaded by server.js → added to `globalVariableContext` → spread into VM context
     - Examples:
-      - `src/globalVariables/adapter_settings.json` → context variable `adapter_settings` (consolidated service account, scopes, drive query, sitemap config)
+      - `src/globalVariables/kme_CSA_settings.json` → context variable `kme_CSA_settings` (OIDC credentials, search API config, sitemap settings)
       - `src/globalVariables/api-keys.json` → context variable `api_keys` (API keys and secrets)
       - `src/globalVariables/custom-config.json` → context variable `custom_config` (behavioral settings)
-    - Usage in src/proxyScripts/proxy.js: Direct variable access `const settings = adapter_settings;`
+    - Usage in src/proxyScripts/proxy.js: Direct variable access `const settings = kme_CSA_settings;`
     - Loading: By server.js at startup using `loadGlobalObjects()` function
     - Injection: Via spread operator `...globalVariableContext` in `vm.createContext()`
     - **Note**: ALL authentication, secrets, and behavioral configuration MUST be in src/globalVariables/, NEVER in config/default.json