v0.1.0-alpha.3

OpenWebDoc v0.1.0-alpha.3

This alpha refresh closes public-readiness blockers found during the preview
audit. It upgrades the production sanitizer dependency, adds a dependency-audit
gate to CI and release:check, expands validator conformance coverage, and
clarifies that npm packages are not published during the preview.

HTMLX remains an alpha-stage browser-readable document package. The recommended
adoption path is still to add one .htmlx package to a repository, validate it
in pull requests, and let coding agents edit unpacked package files only inside
the validated package boundary.

What Changed Since v0.1.0-alpha.2

• Upgraded sanitize-html to a patched 2.17.4 production dependency.
• Added pnpm audit:prod to CI and pnpm release:check.
• Added a JSON Schema for metadata/editing.json and stricter editing metadata
  validation.
• Added conformance cases for CSS-local resource references, resource integrity,
  editing metadata shape, missing editable blocks, stage mismatch, and editing
  guide instruction leakage.
• Added public project hygiene files: SECURITY.md, CONTRIBUTING.md, code of
  conduct, issue templates, and pull request template.
• Clarified public preview usage: use the repository checkout, GitHub Action, or
  release assets; npm publishing remains disabled.

Try It

• Open the app: https://lhy0718.github.io/OpenWebDoc/app/
• Browse the template gallery: https://lhy0718.github.io/OpenWebDoc/
• Read the introduction example: https://lhy0718.github.io/OpenWebDoc/app/?example=openwebdoc-introduction
• Open the slide deck example: https://lhy0718.github.io/OpenWebDoc/app/?example=openwebdoc-slide-deck

Recommended GitHub Action

Use the tag-pinned action in repositories that want a readable alpha reference:

- uses: lhy0718/OpenWebDoc/.github/actions/validate-htmlx@v0.1.0-alpha.3
  with:
    paths: |
      docs/**/*.htmlx
      examples/*.htmlx

Security-sensitive repositories can resolve the release tag to a full commit SHA
and pin the action to that SHA.

Recommended Package Workflow

pnpm htmlx unpack input.htmlx ./work --json
# edit ./work/index.html, styles/*, metadata/*, and declared assets
pnpm htmlx refresh-metadata ./work --json
pnpm htmlx refresh-metadata ./work --check --json
pnpm htmlx validate ./work --json
pnpm htmlx pack ./work edited.htmlx --json
pnpm htmlx validate edited.htmlx --json

The unpacked package directory remains the canonical boundary for external
AI-agent editing. The browser app does not call model providers, store API keys,
generate hidden instructions, or perform large document redesigns.

Release Assets

This release attaches:

• valid example .htmlx packages
• npm package tarballs for inspection
• a generated release manifest
• a compressed spec and docs snapshot

The intentionally invalid security fixture is not a release asset. It remains in
the repository as validator test data.

Current Boundaries

• This is an alpha preview, not a stable format release.
• npm publishing is intentionally disabled; tarballs are attached for inspection
  only.
• The app is a trusted runtime and micro-edit surface, not a full document design
  suite.
• Large rewrites, new figures, new tables, new slides, or structural redesigns
  should be done by editing unpacked package files and validating before
  repacking.
• DOCX, HWPX, PDF, cloud sync, plugin systems, browser-side model calls, and
  arbitrary package JavaScript execution are outside this alpha scope.

Useful Links

• App: https://lhy0718.github.io/OpenWebDoc/app/
• Template gallery: https://lhy0718.github.io/OpenWebDoc/
• Repository: https://github.com/lhy0718/OpenWebDoc
• Release: https://github.com/lhy0718/OpenWebDoc/releases/tag/v0.1.0-alpha.3