Release v0.1.2 with TypeScript widgets and new modals

[asvitloaten]

This pull request delivers the v0.1.2 release of @olsystem/lt-lh, featuring major documentation improvements, new widgets, enhanced security practices, and a more robust package structure. The README and DELIVERY documentation have been rewritten for clarity, the package now ships with new TypeScript-based widgets and modals, and security policies have been tightened and clarified. Minor branding and metadata changes align all files with the new package name. The most important changes are summarized below.

---

Documentation and Developer Experience:

• Added a comprehensive DELIVERY.md handoff guide detailing all new features, build steps, security requirements, and design decisions for v0.1.2.
• Completely rewrote the README.md for clarity: improved Quick Start, API reference, and added a "What's New" section for v0.1.2 features (clean toggles, modals, enhanced settings, and About section). [1] [2] [3] [4] [5]

New Features and Widgets:

• Updated package.json exports to include new vanilla widgets: calendar-orb and solar-day-arc, with type definitions and global builds.
• All widgets are now written in TypeScript with proper types and interfaces; legacy JS/CSS widget files removed (see DELIVERY.md).

Security and Compliance:

• Updated SECURITY.md to clarify reporting, enumerate covered assets, and reinforce strict security practices (no eval, no inline styles, Zod validation, CSP-friendly, zero network calls or secrets). [1] [2] [3]
• Added Node.js engine requirement and sideEffects: false to package.json for safer publishing.

Branding and Metadata:

• Updated all references from @onelightsystem/light-time to @olsystem/lt-lh and fixed homepage, repository, and bug URLs in package.json. [1] [2] [3]
• Removed the physical location from the footer in CODE_OF_CONDUCT.md and similar files for a more global, privacy-conscious brand. [1] [2] [3]

Core Logic Improvements:

• Refactored getLightDay in src/core.ts to use local midnight for day calculations, preventing DST and timezone-related errors.

---

These changes collectively improve developer onboarding, end-user experience, package security, and future maintainability.

[Copilot]

Pull request overview

This PR prepares the @olsystem/lt-lh v0.1.2 release by restructuring the build/publish outputs and adding new TypeScript-based vanilla widgets/modals alongside updated docs and security/policy text.

Changes:

• Updates the tsup/TypeScript build to emit library outputs plus widget bundles (ESM + global/IIFE) with .d.ts.
• Adds new TypeScript widget/modals (calendar-orb, solar-day-arc, updated Light Time + Calendar widgets) and a snippet generator export.
• Refreshes release documentation/policies (README, SECURITY, DELIVERY) and package metadata/exports.

Reviewed changes

Copilot reviewed 18 out of 20 changed files in this pull request and generated 20 comments.

Show a summary per file

File	Description
tsup.config.ts	Splits build into main library + widget bundles (ESM + IIFE).
tsconfig.json	Sets rootDir to ./src for cleaner emit paths.
src/core.ts	Refactors getLightDay day-diff calculation (now has timezone/DST risk).
src/index.ts	Exposes generateSnippet and SnippetMode publicly.
src/snippets.ts	Adds snippet generator for TS/React integration examples.
src/widgets/ols-lighttime-widget.ts	New TS vanilla Light Time widget (currently has XSS + timer lifecycle + SSR issues).
src/widgets/ols-calendar-widget.ts	New TS vanilla calendar widget (currently has DST/timezone + XSS + SSR issues).
src/widgets/calendar-orb.ts	New calendar orb modal (currently has 0-based LD display + CSP inline-style + XSS + SSR issues).
src/widgets/solar-day-arc.ts	New solar day arc modal (currently has incorrect progress math + CSP inline-style + SSR issues).
src/widgets/ols-lighttime-widget.js	Removes legacy JS widget implementation.
src/widgets/ols-lighttime-widget.css	Removes legacy widget CSS.
src/widgets/ols-calendar-widget.js	Removes legacy JS calendar widget implementation.
src/widgets/ols-calendar-widget.css	Removes legacy calendar CSS.
README.md	Rewrites docs, adds v0.1.2 “What’s new”, updates widget embed guidance (currently missing init calls).
SECURITY.md	Updates policy language and scope (now inconsistent with actual inline styles / removed CSS).
DELIVERY.md	Adds v0.1.2 handoff guide and build/publish checklist.
package.json	Updates exports/engines/sideEffects/publishConfig (version currently mismatched with v0.1.2).
package-lock.json	Updates lockfile for new deps/version.
eslint.config.js	Adds HTMLElement global for linting.
CODE_OF_CONDUCT.md	Removes physical location from footer.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 18 out of 20 changed files in this pull request and generated 7 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 18 out of 20 changed files in this pull request and generated 14 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 18 out of 20 changed files in this pull request and generated 9 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 19 out of 21 changed files in this pull request and generated 9 comments.

Comments suppressed due to low confidence (1)

SECURITY.md:52

• Security Practices state that "all styles are in dedicated .css files" and that strict CSP works without unsafe-inline, but the repo no longer contains shipped widget CSS, and the README’s embed example relies on inline <script> init calls (blocked under the CSP example). Please update SECURITY.md (or the implementation/docs) so the CSP and styling guidance reflects what consumers actually need.

## Security Practices

- **No `eval()` or `new Function()`** — fully CSP-friendly
- **No inline style injection via JavaScript** — all styles are in dedicated `.css` files
- **Input validation** — Zod schemas enforce Light Time format and coordinate bounds
- **No network calls** — purely computational (no fetch, XHR, WebSocket, etc.)
- **Zero secrets or tokens** — requires no credentials or environment variables
- **Strict TypeScript** — compiled with `strict: true` and `noUncheckedIndexedAccess`
- **Minimal dependencies** — only `zod` as runtime dependency (~13 KB)

## Content Security Policy (CSP)

This package is designed to work under strict CSP headers:

```http
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self';

No unsafe-inline or unsafe-eval is required.

</details>



---

💡 <a href="/onelightsystem/LT-LH/new/master?filename=.github/instructions/*.instructions.md" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Add Copilot custom instructions</a> for smarter, more guided reviews. <a href="https://docs.github.com/en/copilot/customizing-copilot/adding-repository-custom-instructions-for-github-copilot" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Learn how to get started</a>.

[Copilot]

The widget classnames (ols-lighttime-*, ols-calendar-*, etc.) require corresponding CSS, but this repo no longer ships any widget .css files and the README examples don’t include a stylesheet. Either reintroduce/shipping CSS in dist/ (and export it) or update docs to state that host pages must provide styles for these classnames.

[Copilot]

The embed example uses inline <script>initLightTimeWidget()</script> / <script>initCalendarWidget()</script>, which will be blocked under the strict CSP example in SECURITY.md (script-src 'self' without nonces/hashes). Consider moving init calls into a separate external script, or document the need for a nonce/hash when using a strict CSP.

[Copilot]

The Browser Support section claims some widgets use inline style attributes requiring style-src 'unsafe-inline', but there are no style= attributes in src/widgets/*.ts (and the arc uses a <progress value>). Please correct this CSP guidance so it matches the shipped implementation, and consider revising the ES5 support claim since the build target isn’t configured to guarantee ES5 output.

Suggested change

	- Vanilla widgets work in any browser supporting ES5
	- No `eval()` and no network calls; note that some vanilla widgets currently use inline `style` attributes, so strict CSP deployments may require `style-src 'unsafe-inline'`
	- Vanilla widgets are intended for the same modern browser baseline; ES5 output is not currently guaranteed by the build configuration
	- No `eval()` and no network calls; the shipped vanilla widgets do not rely on inline `style` attributes, so they do not require `style-src 'unsafe-inline'` on that basis

[Copilot]

If data-start-date / epochDate is invalid, new Date(startStr) becomes Invalid Date, causing daysDiff to be NaN and rendering "Day NaN". Add validation (e.g., check Number.isFinite(startDate.getTime())) and fall back to DEFAULT_EPOCH (or throw) when the input can’t be parsed.

[Copilot]

These widget modules attach functions onto window at import time. Because the same source is used for both ESM and IIFE builds, importing the ESM widget entrypoint will also create globals as a side effect, which can be surprising and can cause name collisions. Consider limiting window.* exposure to the IIFE/global build only (e.g., via a separate entry file or a tsup banner/define) and keep the ESM build side-effect-free.

Suggested change

	// Expose for direct script usage (vanilla <script> tag)
	if (typeof window !== "undefined") {
	declare const __OLS_IIFE_BUILD__: boolean | undefined;
	// Expose for direct script usage (vanilla <script> tag) only in the IIFE/global build.
	if (
	typeof window !== "undefined" &&
	typeof __OLS_IIFE_BUILD__ !== "undefined" &&
	__OLS_IIFE_BUILD__
	) {

[Copilot]

The header comment still references the old package name (@onelightsystem/light-time) even though this PR rebrands to @olsystem/lt-lh. Update the comment for consistency and to avoid confusing consumers reading the source.

Suggested change

	// @onelightsystem/light-time — Calendar Orb modal (vanilla DOM)
	// @olsystem/lt-lh — Calendar Orb modal (vanilla DOM)

[Copilot]

centerImageUrl and centerImageAlt are interpolated into an <img> tag inside innerHTML without escaping. encodeURI() does not escape quotes, so a crafted value can break out of the attribute context and inject markup/handlers (XSS). Prefer constructing the <img> with DOM APIs (document.createElement('img'), img.src = ..., img.alt = ...) and validate/normalize the URL (and optionally restrict protocols) before assignment.

[Copilot]

This modal attaches createCalendarOrb onto window at module import time. That means importing the ESM entrypoint also creates a global as a side effect (potential name collisions). Consider restricting window.* exposure to the IIFE/global bundle only and keeping the ESM build side-effect-free.

Suggested change

	// Expose for vanilla script usage
	if (typeof window !== "undefined") {
	(window as unknown as Record<string, unknown>).createCalendarOrb = createCalendarOrb;
	}

[Copilot]

This modal attaches createSolarDayArc onto window at module import time, so importing the ESM entrypoint also creates a global as a side effect. Consider restricting window.* exposure to the IIFE/global bundle only and keeping the ESM build side-effect-free.

Suggested change

	// Expose for vanilla script usage
	if (typeof window !== "undefined") {
	(window as unknown as Record<string, unknown>).createSolarDayArc = createSolarDayArc;
	}