Feature/improvements v3

[hexplus]

Description

Releases SibuJS v1.3.0. Large minor release built around three themes:

1. 27 new reactive/DOM primitives across sibujs/browser, sibujs/ui, reactivity, components, devtools, and testing — defer, transition, formAction, strict / strictEffect, asyncDerived, nextTick, createId, hover, interval, timeout, scrollLock, visibility, network, mouse, swipe, windowSize, urlState, broadcast, fullscreen, wakeLock, animationFrame, mutationObserver, bounds, keyboard, speech, gamepad, pointerLock, vibrate, favicon / svgFavicon, textSelection, imageLoader, createFocusManager, createListbox, createDialogAria, captureSignalGraph, diffSignalGraphs, createTraceProfiler, plus Testing-Library-style queryBy* / findBy* / waitForSignal / type.

2. Full SSR + OWASP security hardening pass (A01, A02, A03, A10, CWE-1321). renderToString / renderToStream / renderToDocument validate attribute names, drop on* handlers, strip <script> / <style>, sanitize URL attributes, escape comment terminators, and escape U+2028 / U+2029 in script payloads. Router navigate() refuses javascript: / data: / vbscript: / blob: at every entry (top-level + every guard redirect + route.redirect). routerSSR.parseURL uses Object.create(null) and filters forbidden keys; decodeURIComponent wrapped against malformed percent sequences. bindAttribute refuses on*. machine() context merge filters prototype-pollution keys. scopedStyle decodes CSS hex escapes before the dangerous-pattern scan. socket() / stream() restrict URLs to ws:// / wss:// / http(s). Head validates attribute names, sanitizes base.href, and drops <meta http-equiv="refresh" content="0;url=javascript:…">. hydrateIslands uses Object.hasOwn to block prototype-pollution lookups. suspenseSwapScript requires IDs to match [A-Za-z0-9_-]+.

3. Ergonomic wins — new tag(props, children) positional shorthand removes the need for the nodes: key at every level of a nested tree; the legacy { class, nodes } form still works. Per-element typed prop overloads (AnchorProps, InputProps, ButtonProps, FormProps, SelectProps, TextareaProps, LabelProps, OptionProps, ImgProps, VideoProps, AudioProps, MediaProps, InputType, TypedTagFunction<Props, El>) give IDE autocomplete and typo detection while preserving the [attr: string]: unknown escape hatch. LazyRoute shorthand: { path, lazy: () => import("./Page") } normalized by createRouter() / setRoutes(). ErrorBoundary gains a resetKeys prop. New hydrate(component, container, { diagnostics }) mismatch walker with onMismatch hook and HydrateOptions / HydrationMismatch types. serializeState / serializeRouteState / renderToSuspenseStream accept an optional nonce for strict-CSP. persisted() gains syncTabs cross-tab sync and a cleanable dispose() on the returned setter.

New shared ErrorDisplay component with copy-to-clipboard (full message + stack + cause chain + metadata + env), colored severity header, colored error-code badge, parsed stack frames, Error.cause walking, retry/reload buttons, and a dev/prod split. ErrorBoundary's default fallback delegates to it automatically.

Related Issue

Closes #

Type of Change

• Bug fix
• New feature
• Breaking change
• Documentation update

Checklist

• I have read CONTRIBUTING.md
• My code builds without errors
• I have tested my changes
• I have updated documentation if needed