Releases: lhy0718/OpenWebDoc

v0.1.0-alpha.4

04 Jun 10:13
bbeee9a

v0.1.0-alpha.4 Pre-release

OpenWebDoc v0.1.0-alpha.4

OpenWebDoc v0.1.0-alpha.4 is a public-readiness contract release for HTMLX
Document Package validation, examples, release assets, and the tag-pinned
GitHub Action validator.

This is still an alpha prerelease. OpenWebDoc does not publish npm packages
during the public preview phase.

Highlights

  • Strengthens the fixed-stage profile contract so fixed-stage packages must
    declare editing metadata before they are accepted as self-editable packages.
  • Keeps public examples, packed .htmlx files, and bundled app copies under the
    release drift gate.
  • Keeps npm package tarballs inspection-ready with package-local license files.
  • Keeps GitHub Action examples pinned to a release tag for external repository
    adoption.
  • Adds a release consistency gate that catches stale active release references
    and mismatched CLI/package versions before tagging.

Security and Profile Contract

HTMLX packages remain untrusted input. The validator continues to reject unsafe
package paths, scripts, inline event handlers, remote resources, stale resource
integrity, stale LLM metadata, and profile mismatches.
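The unsafe-path rejection named above can be sketched as follows. This is an added example, not OpenWebDoc's validator code; the function names, the forward-slash entry-name assumption, and the sample entries are all constructed for illustration.

```javascript
// Added example, not OpenWebDoc's validator. Assumption: entry names are
// forward-slash relative paths; all names below are constructed samples.

// Return a reason string when an entry name is unsafe, or null when it passes.
function unsafePathReason(name) {
  if (typeof name !== "string" || name.length === 0) return "empty name";
  if (name.includes("\0")) return "NUL byte";
  if (name.startsWith("/") || /^[A-Za-z]:/.test(name)) return "absolute path";
  if (name.includes("\\")) return "backslash separator";
  if (name.split("/").includes("..")) return "parent-directory segment";
  return null;
}

// Canonicalise an accepted name ("./a//b" -> "a/b") so later lookups,
// integrity records and duplicate checks all compare the same string.
function normalizeEntry(name) {
  const reason = unsafePathReason(name);
  if (reason) throw new Error(`rejected ${JSON.stringify(name)}: ${reason}`);
  const segments = name.split("/").filter((s) => s !== "" && s !== ".");
  if (segments.length === 0) throw new Error("rejected: name has no segments");
  return segments.join("/");
}

// Constructed entry list: three package-local names and five unsafe ones.
const sampleEntries = [
  "index.html",
  "styles/main.css",
  "metadata/editing.json",
  "../outside.txt",
  "assets/../../outside.txt",
  "/etc/hosts",
  "C:\\temp\\x.html",
  "assets\\logo.png",
];

// Audit every entry before writing anything; one bad name fails the package.
function auditEntries(entries) {
  return entries.map((name) => ({ name, reason: unsafePathReason(name) }));
}

for (const r of auditEntries(sampleEntries)) {
  console.log(r.reason ? `REJECT ${r.name} (${r.reason})` : `ok     ${r.name}`);
}
```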

The public profile taxonomy is:

  • flow-document for browser-reflowing pageless documents
  • fixed-stage-document for proportional visual documents that declare editing
    stage metadata
  • slide-deck for HTMLX-native 16:9 presentations with presentation metadata

Fixed-stage packages now need package-owned editing metadata. This prevents
visual documents from being treated as self-editable without declaring the
runtime geometry and editing boundary that the OpenWebDoc app needs.

GitHub Action Pin

Use the release tag when adding the validator to another repository:

- uses: lhy0718/OpenWebDoc/.github/actions/validate-htmlx@v0.1.0-alpha.4
  with:
    paths: |
      documents/**/*.htmlx

Use @main only when intentionally testing unreleased validator behavior.

Release Assets

The GitHub Release attaches:

  • npm tarballs for @openwebdoc/spec, @openwebdoc/core,
    @openwebdoc/cli, and @openwebdoc/ui
  • valid example .htmlx packages
  • the static site manifest
  • the spec/docs snapshot archive

The intentionally invalid security fixture is not published as a release asset.

Known Limitations

  • npm registry publication is intentionally deferred.
  • OpenWebDoc app editing remains limited to micro-edits. Larger structural
    changes should use the unpacked package workflow.
  • The GitHub Action is an alpha validation surface, not a long-term stable API.
  • .pptx, .docx, .hwpx, and PDF import/export are outside the alpha scope.

Validation

The release gate is:

pnpm release:check
pnpm smoke:e2e
pnpm pages:smoke

The security-invalid fixture is expected to fail validation.

v0.1.0-alpha.3

04 Jun 08:33
cbf2944

v0.1.0-alpha.3 Pre-release

OpenWebDoc v0.1.0-alpha.3

This alpha refresh closes public-readiness blockers found during the preview
audit. It upgrades the production sanitizer dependency, adds a dependency-audit
gate to CI and release:check, expands validator conformance coverage, and
clarifies that npm packages are not published during the preview.

HTMLX remains an alpha-stage browser-readable document package. The recommended
adoption path is still to add one .htmlx package to a repository, validate it
in pull requests, and let coding agents edit unpacked package files only inside
the validated package boundary.

What Changed Since v0.1.0-alpha.2

  • Upgraded sanitize-html to a patched 2.17.4 production dependency.
  • Added pnpm audit:prod to CI and pnpm release:check.
  • Added a JSON Schema for metadata/editing.json and stricter editing metadata
    validation.
  • Added conformance cases for CSS-local resource references, resource integrity,
    editing metadata shape, missing editable blocks, stage mismatch, and editing
    guide instruction leakage.
  • Added public project hygiene files: SECURITY.md, CONTRIBUTING.md, code of
    conduct, issue templates, and pull request template.
  • Clarified public preview usage: use the repository checkout, GitHub Action, or
    release assets; npm publishing remains disabled.

Try It

Recommended GitHub Action

Use the tag-pinned action in repositories that want a readable alpha reference:

- uses: lhy0718/OpenWebDoc/.github/actions/validate-htmlx@v0.1.0-alpha.3
  with:
    paths: |
      docs/**/*.htmlx
      examples/*.htmlx

Security-sensitive repositories can resolve the release tag to a full commit SHA
and pin the action to that SHA.
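To check how a repository's workflows actually pin this action (release tag, full commit SHA, or a branch such as main), the `uses:` lines can be audited. This is an added example, not part of OpenWebDoc; the sample workflow is constructed, the 40-character SHA in it is a placeholder rather than a real commit, and telling tags from branches by name is a heuristic.

```javascript
// Added example, not project code. Classifies each `uses:` reference by pin type.
const USES_RE = /^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)["']?/;
const FULL_SHA_RE = /^[0-9a-f]{40}$/;
const VERSION_TAG_RE = /^v?\d+(\.\d+)*([-.+][0-9A-Za-z.-]+)?$/;

function classifyRef(ref) {
  if (FULL_SHA_RE.test(ref)) return "sha";       // immutable commit
  if (VERSION_TAG_RE.test(ref)) return "tag";    // readable, but a tag can be moved
  return "branch";                               // e.g. main: tracks unreleased changes
}

function auditWorkflow(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const m = USES_RE.exec(line);
    if (!m) return;
    const target = m[1];
    // Local actions and container images are not pinned with @ref.
    if (target.startsWith("./") || target.startsWith("docker://")) return;
    const at = target.lastIndexOf("@");
    const ref = at === -1 ? null : target.slice(at + 1);
    findings.push({
      line: i + 1,
      action: at === -1 ? target : target.slice(0, at),
      ref,
      pin: ref === null ? "missing" : classifyRef(ref),
    });
  });
  return findings;
}

// Constructed workflow; the SHA on the last step is a placeholder value.
const sampleWorkflow = `
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: lhy0718/OpenWebDoc/.github/actions/validate-htmlx@v0.1.0-alpha.3
        with:
          paths: docs/**/*.htmlx
      - uses: lhy0718/OpenWebDoc/.github/actions/validate-htmlx@main
      - uses: lhy0718/OpenWebDoc/.github/actions/validate-htmlx@0123456789abcdef0123456789abcdef01234567
`;

for (const f of auditWorkflow(sampleWorkflow)) {
  console.log(`line ${f.line}: ${f.action}@${f.ref} -> ${f.pin}`);
}
```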

Recommended Package Workflow

pnpm htmlx unpack input.htmlx ./work --json
# edit ./work/index.html, styles/*, metadata/*, and declared assets
pnpm htmlx refresh-metadata ./work --json
pnpm htmlx refresh-metadata ./work --check --json
pnpm htmlx validate ./work --json
pnpm htmlx pack ./work edited.htmlx --json
pnpm htmlx validate edited.htmlx --json

The unpacked package directory remains the canonical boundary for external
AI-agent editing. The browser app does not call model providers, store API keys,
generate hidden instructions, or perform large document redesigns.

Release Assets

This release attaches:

  • valid example .htmlx packages
  • npm package tarballs for inspection
  • a generated release manifest
  • a compressed spec and docs snapshot

The intentionally invalid security fixture is not a release asset. It remains in
the repository as validator test data.

Current Boundaries

  • This is an alpha preview, not a stable format release.
  • npm publishing is intentionally disabled; tarballs are attached for inspection
    only.
  • The app is a trusted runtime and micro-edit surface, not a full document design
    suite.
  • Large rewrites, new figures, new tables, new slides, or structural redesigns
    should be done by editing unpacked package files and validating before
    repacking.
  • DOCX, HWPX, PDF, cloud sync, plugin systems, browser-side model calls, and
    arbitrary package JavaScript execution are outside this alpha scope.

v0.1.0-alpha.2

03 Jun 20:57
454451b

v0.1.0-alpha.2 Pre-release

OpenWebDoc v0.1.0-alpha.2

This alpha refresh fixes the public GitHub Action validator for external
repositories and tightens the example-gallery release gate.

HTMLX remains an alpha-stage browser-readable document package. The recommended
public adoption path is to add one .htmlx package to a repository, validate it
in pull requests, and let coding agents edit unpacked package files only inside
the validated package boundary.

What Changed Since v0.1.0-alpha.1

  • The repository-local GitHub Action now builds @openwebdoc/spec and
    @openwebdoc/core before building @openwebdoc/cli, so external repositories
    can use the action from a release tag without relying on prebuilt workspace
    artifacts.
  • The template gallery release check now compares each gallery entry profile with
    the source package manifest profile.
  • General document templates now advertise flow-document instead of
    fixed-stage-document when their manifests are flow-native.
  • Flow document examples use realistic reader-facing sample content instead of
    OpenWebDoc release or implementation-status copy.
  • The README now highlights a 10-minute PR gate adoption path through starter
    repositories and the Agentic Document Integrity check.

Try It

Recommended GitHub Action

Use the tag-pinned action in repositories that want a readable alpha reference:

- uses: lhy0718/OpenWebDoc/.github/actions/validate-htmlx@v0.1.0-alpha.2
  with:
    paths: |
      docs/**/*.htmlx
      examples/*.htmlx

Security-sensitive repositories can pin the same release tag to its resolved commit
SHA after the release is created.

Recommended Package Workflow

pnpm htmlx unpack input.htmlx ./work --json
# edit ./work/index.html, styles/*, metadata/*, and declared assets
pnpm htmlx refresh-metadata ./work --json
pnpm htmlx refresh-metadata ./work --check --json
pnpm htmlx validate ./work --json
pnpm htmlx pack ./work edited.htmlx --json
pnpm htmlx validate edited.htmlx --json

The unpacked package directory remains the canonical boundary for external
AI-agent editing. The browser app does not call model providers, store API keys,
generate hidden instructions, or perform large document redesigns.

Release Assets

This release attaches:

  • valid example .htmlx packages
  • npm package tarballs for inspection
  • a generated release manifest
  • a compressed spec and docs snapshot

The intentionally invalid security fixture is not a release asset. It remains in
the repository as validator test data.

Current Boundaries

  • This is an alpha preview, not a stable format release.
  • npm publishing is intentionally disabled; tarballs are attached for inspection
    only.
  • The app is a trusted runtime and micro-edit surface, not a full document design
    suite.
  • Large rewrites, new figures, new tables, new slides, or structural redesigns
    should be done by editing unpacked package files and validating before
    repacking.
  • DOCX, HWPX, PDF, cloud sync, plugin systems, browser-side model calls, and
    arbitrary package JavaScript execution are outside this alpha scope.

v0.1.0-alpha.1

02 Jun 07:41
5e00f71

v0.1.0-alpha.1 Pre-release

OpenWebDoc v0.1.0-alpha.1

This alpha refreshes the first public OpenWebDoc preview with cleaner release
packaging, user-facing release notes, and the latest GitHub Pages template gallery.
It is the recommended alpha build for trying the HTMLX Document Package today.

HTMLX is a browser-readable, agent-safe document package: one .htmlx file contains
HTML, CSS, local assets, an explicit manifest, provenance metadata, and user-visible
LLM reference metadata.

Try It

The app starts with a single .htmlx file-open screen. After a valid package is
loaded, the document is the primary surface. Read first, enable edit mode only for
small corrections, then export a validated package.

What Changed Since v0.1.0-alpha.0

  • GitHub Release notes now come from a tracked docs/releases/<tag>.md file instead
    of an auto-generated changelog.
  • Release assets include only valid public .htmlx examples; the intentionally
    invalid security fixture remains repository-only test data.
  • The release workflow opts JavaScript actions into the Node 24 action runtime.
  • The release checklist now gates release-note quality, valid example assets,
    metadata freshness, packed-source drift, and public example copy identity.

What Is Included

  • A single OpenWebDoc runtime for reading .htmlx packages, micro-editing packages
    that declare metadata/editing.json, and exporting validated packages.
  • A public template gallery with flow documents, fixed-stage visual documents, and
    HTMLX-native slide decks.
  • HTMLX profile support for flow-document, fixed-stage-document, and slide-deck.
  • CLI support for creating, validating, unpacking, packing, inspecting, and refreshing
    package metadata.
  • Package validation for manifests, package-local resources, integrity hashes,
    script-free HTML, remote-resource blocking, path traversal defense, presentation
    metadata, editing metadata, and LLM metadata freshness.
  • A repository-local GitHub Action for validating .htmlx files in other workflows.
  • Agent workflow documentation for Codex, Claude Code, Cursor, GitHub Copilot, and
    Aider.

Recommended Workflow

Use the live app when you want to inspect or lightly correct a document.

Use the CLI when a coding agent or CI system edits package files:

pnpm htmlx unpack input.htmlx ./work --json
# edit ./work/index.html, styles/*, metadata/*, and declared assets
pnpm htmlx refresh-metadata ./work --json
pnpm htmlx refresh-metadata ./work --check --json
pnpm htmlx validate ./work --json
pnpm htmlx pack ./work edited.htmlx --json
pnpm htmlx validate edited.htmlx --json

The unpacked package directory is the canonical boundary for external AI-agent
editing. The browser app does not call model providers, store API keys, generate
hidden instructions, or perform large document redesigns.

Release Assets

This release attaches:

  • valid example .htmlx packages
  • npm package tarballs for inspection
  • a generated release manifest
  • a compressed spec and docs snapshot

The intentionally invalid security fixture is not a release asset. It remains in the
repository as validator test data.

Current Boundaries

  • This is an alpha preview, not a stable format release.
  • npm publishing is intentionally disabled; tarballs are attached for inspection only.
  • The app is a trusted runtime and micro-edit surface, not a full document design suite.
  • Large rewrites, new figures, new tables, new slides, or structural redesigns should
    be done by editing unpacked package files and validating before repacking.
  • DOCX, HWPX, PDF, cloud sync, plugin systems, browser-side model calls, and arbitrary
    package JavaScript execution are outside this alpha scope.

v0.1.0-alpha.0

02 Jun 06:57
449db13

v0.1.0-alpha.0 Pre-release

OpenWebDoc v0.1.0-alpha.0

This is the first public alpha of OpenWebDoc and the HTMLX Document Package.
HTMLX is a browser-readable, agent-safe document package: one .htmlx file contains
HTML, CSS, local assets, an explicit manifest, provenance metadata, and user-visible
LLM reference metadata.

Try It

The app starts with a single .htmlx file-open screen. After a valid package is
loaded, the document is the primary surface. Read first, enable edit mode only for
small corrections, then export a validated package.

What Is Included

  • A single OpenWebDoc runtime for reading .htmlx packages, micro-editing packages
    that declare metadata/editing.json, and exporting validated packages.
  • A public template gallery with flow documents, fixed-stage visual documents, and
    HTMLX-native slide decks.
  • HTMLX profile support for flow-document, fixed-stage-document, and slide-deck.
  • CLI support for creating, validating, unpacking, packing, inspecting, and refreshing
    package metadata.
  • Package validation for manifests, package-local resources, integrity hashes,
    script-free HTML, remote-resource blocking, path traversal defense, presentation
    metadata, editing metadata, and LLM metadata freshness.
  • A repository-local GitHub Action for validating .htmlx files in other workflows.
  • Agent workflow documentation for Codex, Claude Code, Cursor, GitHub Copilot, and
    Aider.

Recommended Workflow

Use the live app when you want to inspect or lightly correct a document.

Use the CLI when a coding agent or CI system edits package files:

pnpm htmlx unpack input.htmlx ./work --json
# edit ./work/index.html, styles/*, metadata/*, and declared assets
pnpm htmlx refresh-metadata ./work --json
pnpm htmlx refresh-metadata ./work --check --json
pnpm htmlx validate ./work --json
pnpm htmlx pack ./work edited.htmlx --json
pnpm htmlx validate edited.htmlx --json

The unpacked package directory is the canonical boundary for external AI-agent
editing. The browser app does not call model providers, store API keys, generate
hidden instructions, or perform large document redesigns.

Release Assets

This release attaches:

  • valid example .htmlx packages
  • npm package tarballs for inspection
  • a generated release manifest
  • a compressed spec and docs snapshot

The intentionally invalid security fixture is not a release asset. It remains in the
repository as validator test data.

Current Boundaries

  • This is an alpha preview, not a stable format release.
  • npm publishing is intentionally disabled; tarballs are attached for inspection only.
  • The app is a trusted runtime and micro-edit surface, not a full document design suite.
  • Large rewrites, new figures, new tables, new slides, or structural redesigns should
    be done by editing unpacked package files and validating before repacking.
  • DOCX, HWPX, PDF, cloud sync, plugin systems, browser-side model calls, and arbitrary
    package JavaScript execution are outside this alpha scope.
