Name: v0.12.0
Status: active
v0.12.0 — Polish & Hardening
Generic next-release bucket. Picks up follow-ups deferred from v0.11.0 (config polish, schema versioning, deprecation timelines) and absorbs whatever incremental work lands between v0.11 and v0.12.
Progress: 1/1 work items
Currently planned:
- Config polish follow-ups from v0.11.0 review (WORK-176): schema URL versioning, mirroring footgun, three-shapes deprecation timeline, target field review.
Add other items as they emerge.
Work Items
Done 1
WORK-177 main
Security policy for transform pipeline (sandbox hardening)
Today the transform pipeline assumes its input is trusted. The sandbox rune in particular concatenates author HTML/CSS/JS into a srcdoc iframe with sandbox="allow-scripts allow-same-origin" (packages/behaviors/src/elements/sandbox.ts:127), which gives author scripts the parent origin's cookies, localStorage, and DOM. That's fine for self-hosted single-author projects but unsafe for any hosted product surface that renders content from one tenant in another tenant's session.
Add an opt-in security policy on the pipeline so hosts can render untrusted content with layered defences (sanitisation, CSP, iframe sandbox, optional separate origin) without breaking the trusted-default behaviour self-hosted users rely on.
19/19 criteria
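An added example, not the project's own code, of the iframe-sandbox and CSP layers WORK-177 describes: it audits a sandbox attribute for the same-origin combination and builds the srcdoc frame under an opt-in policy. FramePolicy, UNTRUSTED, auditSandbox, buildFrame and the CSP string are assumptions made for illustration.

```typescript
// Added example: all names and the policy shape are hypothetical, not the project's API.
interface FramePolicy {
  trusted: boolean; // true = the trusted default the work item describes
  csp: string;      // CSP applied inside the frame when untrusted (assumed value)
}

const UNTRUSTED: FramePolicy = {
  trusted: false,
  csp: "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'",
};

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value: string): string {
  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Report why a sandbox attribute fails to isolate a srcdoc frame from its parent.
function auditSandbox(sandbox: string | null): string[] {
  if (sandbox === null) return ["no sandbox attribute: frame runs with the parent origin"];
  const tokens: string[] = sandbox.toLowerCase().split(/\s+/); // tokens are case-insensitive
  const findings: string[] = [];
  if (tokens.indexOf("allow-same-origin") !== -1) {
    findings.push("allow-same-origin: srcdoc content keeps the parent origin");
    if (tokens.indexOf("allow-scripts") !== -1) {
      findings.push("with allow-scripts: author scripts reach parent cookies, localStorage and DOM");
    }
  }
  return findings;
}

// Build the iframe markup for author content under the given policy.
function buildFrame(authorHtml: string, policy: FramePolicy): string {
  const sandbox: string = policy.trusted ? "allow-scripts allow-same-origin" : "allow-scripts";
  const meta: string = policy.trusted ? ""
    : `<meta http-equiv="Content-Security-Policy" content="${escapeAttr(policy.csp)}">`;
  const doc: string = `<!doctype html><html><head>${meta}</head><body>${authorHtml}</body></html>`;
  return `<iframe sandbox="${sandbox}" srcdoc="${escapeAttr(doc)}"></iframe>`;
}
```

Without allow-same-origin the frame gets an opaque origin, so scripts still run but cannot read the host's storage or DOM; author code that relies on same-origin access will break under the untrusted policy.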