pretext-pdf 1.9.0 → 2.0.13

package/CHANGELOG.md

@@ -7,6 +7,420 @@ Format: [Keep a Changelog 1.1.0](https://keepachangelog.com/en/1.1.0/)
 
 ---
 
+## [2.0.13] — 2026-05-29
+
+Security hardening and coverage improvements from final review pass.
+
+### Security
+
+- **Symlink escape closed in `assertPathAllowed`** — `path-allowlist.ts` now calls `realpathSync` before the prefix comparison, so a symlink placed inside an allowed directory cannot dereference to an arbitrary path outside the allowlist (F-1).
+- **Chart `spec` scanned for prototype-pollution keys** — `validateChart` in `media.ts` now rejects any `spec` object containing `__proto__`, `constructor`, or `prototype` keys at any nesting depth before passing it to the Vega renderer (F-9).
+- **`http://` URLs rejected at loader entry points** — `images.ts` and `resolve-content.ts` now throw immediately on `http://` src values instead of entering the fetch path and relying on the inner SSRF guard (F-4).
+
+### Fixed
+
+- **`stageInit` metadata fallback logs message only** — `pipeline.ts` no longer serializes the full error object into `console.warn`; only `err.message` is included, preventing internal API names and stack frames from appearing in library stderr (F-3).
+
+### Tests Added
+
+- `test/compat-normalize.test.ts` — 62 tests covering all exported functions in `src/compat/normalize.ts` directly via tsx (previously only reachable through the dist/ barrel).
+
+---
+
+## [2.0.12] — 2026-05-29
+
+Multi-perspective review fixes: security, correctness, silent failures, dead code, and test coverage.
+
+### Security
+
+- **`allowedFileDirs` array now copied in `fromPdfmake()`** — Previously assigned by reference, allowing the caller to mutate the allowlist after translation and silently expand path-traversal permissions mid-render. Now copied with `[...arr]` (SEC-1).
+
+### Fixed
+
+- **`content` field is now `readonly ContentElement[]` on `PdfDocument`** — The last mutable public field. Prevents callers from `.push()`-ing into a document after passing it to `render()`, which could corrupt multi-stage async pipeline results. `builder.toDocument()` now snapshots the content array at call time (H-1).
+- **`buildFootnoteNumbering` and `runFootnoteTwoPass` parameter widened to `readonly ContentElement[]`** — Required by the `content` readonly change; no semantic change.
+- **Footnote sentinel `?? 0` replaced with `PretextPdfError`** — A missing footnote number now throws `PAGINATION_FAILED` with a clear message instead of silently rendering footnote `0` (M-3).
+- **`onUnsupported` default now logs a one-time warning** — The previous default was a silent no-op, contradicting its own JSDoc. Default is now `console.warn('[pretext-pdf/compat] Unsupported pdfmake feature skipped: <feature>')` with per-call deduplication (M-1).
+- **`stageInit` metadata catch block now logs the error** — The fallback path for `getInfoDict()` unavailability no longer silently swallows the root cause (M-2).
+- **`FONT_EMBED_FAILED` error message is user-facing** — Removed "this is a bug" from the message; replaced with actionable guidance (M-5).
+- **Internal exports removed from `translate.ts`** — `translateNodeInner`, `applyStyleToParagraph`, `collectSpans` are no longer exported from the sub-module (M-4).
+- **`_require` unexported from `bundled-paths.ts`** — Was exported with a misleading `_` prefix but only used internally (L-1).
+- **`fonts.ts` header comment includes `collect-text.ts`** — Fourth sub-module was omitted (L-2).
+- **`translate.ts` uses named `ListItem` import** — Replaced inline `import('../types.js').ListItem` expression (L-3).
+
+### Tests Added
+
+- `test/compat/normalize.test.ts` — 28 direct unit tests for `mergeStyles`, `normalizePageSize`, `normalizeMargins`, `normalizeHeaderFooter`, `normalizeStyleNames`
+- `test/fonts/collect-text.test.ts` — 9 direct unit tests for `collectTextByFont` across paragraph, heading, rich-paragraph, header/footer, and defaultFont override
+- `test/compat.test.ts` — 3 isolation tests for `allowedFileDirs` array copy (SEC-1)
+- `test/builder.test.ts` — 2 snapshot isolation tests for `toDocument()` content copy (H-1)
+
+### Changed
+
+- **`pdfmake-types.ts`: `allowedFileDirs` is now `readonly string[]`** — Type made symmetric with `PdfDocument.allowedFileDirs`
+
+## [2.0.11] — 2026-05-29
+
+Phase 6a: `readonly` on all scalar public interface fields (non-breaking).
+
+### Changed
+
+- **All scalar fields on public interfaces marked `readonly`** — `PdfDocument`, `DocumentMetadata`,
+  `Margins`, `FontSpec`, `HeaderFooterSpec`, `WatermarkBase`/`WatermarkSpec`, `EncryptionSpec`,
+  `SignatureSpec`, `BookmarkConfig`, `HyphenationConfig`, `AnnotationSpec`.
+
+  Array fields (`content`, `fonts`, `keywords`, `sections`, `allowedFileDirs`) are intentionally
+  left mutable — marking those `readonly` is a breaking change deferred to v3.
+
+  This is non-breaking for all callers: TypeScript allows assigning to `readonly` fields in
+  object literal initializers, and the runtime behavior is identical.
+
+- **`compat.ts`**: Internal construction variables use `Mutable<T>` to allow incremental property
+  assignment, cast to the full interface at return. Externally the API is unchanged.
+
+---
+
+## [2.0.10] — 2026-05-29
+
+Sprint 5B: Split `compat.ts` (613L) and `fonts.ts` (530L) into focused sub-directories.
+
+### Changed
+
+- **`src/compat.ts` split into `src/compat/` (3 files)**
+  - `compat/pdfmake-types.ts` (76L) — `PdfmakeDocument`, `PdfmakeObjectNode`, `PdfmakeStyle`, `CompatOptions`, `TranslateCtx`, `DEFAULT_HEADING_MAP`
+  - `compat/translate.ts` (155L) — `translateNode`, `translateNodeInner`, `translateTextNode`, `applyStyleToParagraph`, `collectSpans`, `pdfmakeNodeToListItem`
+  - `compat/normalize.ts` (115L) — `extractFlatText`, `translateTable`, `mergeStyles`, `normalizeStyleNames`, `pdfmakeAlignToPretext`, `normalizePageSize`, `normalizeMargins`, `normalizeHeaderFooter`
+  - `compat.ts` (85L) — `fromPdfmake` (the only public export) + type re-exports
+  Circular-dependency between translate↔normalize avoided by moving `extractFlatText` to `normalize.ts`.
+
+- **`src/fonts.ts` split into `src/fonts/` (4 files)**
+  - `fonts/bundled-paths.ts` (50L) — `IS_NODE`, `resolveInterFile`, all four `BUNDLED_INTER_*_PATHS` arrays
+  - `fonts/load-bytes.ts` (80L) — `loadFontBytes` (file / Uint8Array / bundled-Inter async loader)
+  - `fonts/collect-needed.ts` (75L) — `collectNeededFonts` (document font-variant scanner)
+  - `fonts/collect-text.ts` (120L) — `collectTextByFont` (glyph subsetting text collector)
+  - `fonts.ts` (70L) — `loadFonts` + `collectTextByFont` re-export (both public exports intact)
+
+  The public API is unchanged. All existing test and source imports continue to work.
+
+---
+
+## [2.0.9] — 2026-05-29
+
+Sprint 5A: dead-export removal, ts-prune scan.
+
+### Changed
+
+- **`addGoToAnnotation` removed from `src/render-utils.ts`** — The function was exported but
+  never called anywhere in the codebase. GoTo annotation support (internal document links)
+  was prepared prematurely; the implementation is preserved in git history and can be
+  restored when anchor-link rendering is actually wired up.
+
+- **`RTL_REGEX` removed from `src/validate/helpers.ts`** — Exported constant never imported
+  anywhere. The regex pattern is preserved in git history.
+
+- **`PDFRef` import removed from `render-utils.ts`** — Only needed for the now-deleted
+  `addGoToAnnotation` signature.
+
+---
+
+## [2.0.7] — 2026-05-28
+
+Sprint 4: Split `schema.ts` (907 LOC) into focused `src/schema/` modules.
+
+### Changed
+
+- **`src/schema.ts` split into `src/schema/` (6 focused files)** — The 907-line monolith is
+  replaced by a 19-line barrel re-export and six cohesive sub-files, each under 300 lines:
+  - `schema/shared.ts` (30L) — atomic sub-schemas: align, color, fontWeight, dir, space, inlineSpan
+  - `schema/elements-text.ts` (270L) — paragraph, heading, blockquote, code, callout, richParagraph, list, toc, footnoteDef
+  - `schema/elements-media.ts` (87L) — image, svg, qrCode, barcode, chart
+  - `schema/elements-block.ts` (164L) — spacer, hr, pageBreak, comment, formField, floatGroup
+  - `schema/elements-table.ts` (60L) — table
+  - `schema/document.ts` (293L) — top-level pdfDocumentSchema (assembles all element schemas)
+  The public API (`import { pdfDocumentSchema } from 'pretext-pdf/schema'`) is unchanged.
+
+---
+
+## [2.0.6] — 2026-05-28
+
+Post-sprint audit fixes: /Lang encoding, BCP47 regex, test correctness.
+
+### Fixed
+
+- **`/Lang` catalog entry now uses `PDFString.of()` (correct literal string)** — Previously
+  used `PDFHexString.of()` which stored raw ASCII bytes as invalid hex. `/Lang` is a
+  PDF text string per spec §14.9.2; `PDFString` (literal string) is correct and matches
+  pdf-lib's own `setLanguage()`. BCP47 tags are ASCII-only (validated by regex) so
+  literal-string injection risk is zero.
+
+- **BCP47 regex widened to accept `i-` and `x-` prefixed tags** — `/^[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*$/`
+  now allows the single-char leading subtag required by grandfathered (`i-klingon`) and
+  private-use (`x-custom-app`) tags per RFC 5646 §2.2.7. Previously `{2,8}` incorrectly
+  rejected valid language codes.
+
+### Tests
+
+- **H6 (signerName truncation)** strengthened — replaced the vacuous 5% byte-size ratio with
+  a `deepEqual(pdf100, pdf101)` identity check: a 100-char and 101-char signerName must produce
+  byte-identical PDFs, directly testing that `slice(0, 100)` is applied.
+
+- **M5 (/TU encoding)** — added `FEFF` BOM assertion to the radio and dropdown loop,
+  making it consistent with the checkbox/button loop.
+
+- **M6 (bookmark Title)** — replaced the `FEFF0043` prefix check (too broad) with the full
+  6-character "Chapte" UTF-16BE hex prefix for an unambiguous unique match.
+
+- **M7 (signing field escaping)** — clarified test scope: the visual placeholder path uses
+  `drawText()` (CIDFont glyph encoding — no injection risk). The `escapePdfLit` contract is
+  tested in `signatures-validation.test.ts` which covers the crypto signing code path.
+
+---
+
+## [2.0.5] — 2026-05-28
+
+Sprint 3 audit fixes: annotation array safety, test coverage gaps closed.
+
+### Fixed
+
+- **`addStickyNoteAnnotation` now has `instanceof PDFArray` guard** — the last remaining
+  `as any` annotation-push in `render-utils.ts`. All three annotation functions
+  (`addLinkAnnotation`, `addGoToAnnotation`, `addStickyNoteAnnotation`) now safely fall back
+  to creating a new array if the existing `Annots` entry is not a direct `PDFArray`.
+
+### Tests
+
+- **H6** (`test/signatures-visual.test.ts`): `signerName` longer than 100 chars renders to
+  the same byte-size PDF as a 100-char name — confirms the `slice(0, 100)` truncation is applied.
+- **M5** (`test/forms.test.ts`): `/TU` encoding verified for checkbox, radio, dropdown, and
+  button field types — not just `text`.
+- **M6** (`test/bookmarks.test.ts`): Bookmark `Title` with special chars (parentheses) appears
+  as UTF-16BE hex in the PDF bytes — raw literal form `(Chapter (1): ...)` does not appear.
+- **M7** (`test/signatures-visual.test.ts`): Backslash and parentheses in `signerName`,
+  `reason`, and `location` render without throwing (escaping confirmed).
+
+---
+
+## [2.0.4] — 2026-05-28
+
+Sprint 2 audit fixes: type-safety improvements in render-utils.ts and vendor declarations.
+
+### Changed
+
+- **`pdf-lib-augment.d.ts` expanded** — Declares `PdfFontEmbedder` interface covering the
+  private `embedder.font` (underlinePosition, underlineThickness, xHeight) and `embedder.scale`
+  fields accessed for text decoration metrics. The `(pdfFont as any).embedder` cast in
+  `render-utils.ts` is now `(pdfFont as unknown as { embedder?: PdfFontEmbedder }).embedder`,
+  eliminating untyped `any` propagation into font-metric arithmetic.
+
+---
+
+## [2.0.3] — 2026-05-28
+
+Sprint 1 audit fixes: GoTo annotation guard, BCP47 metadata validation, dependency security.
+
+### Fixed
+
+- **`addGoToAnnotation` now has `instanceof PDFArray` guard** — the same fix applied to
+  `addLinkAnnotation` and `addStickyNoteAnnotation` in v2.0.2 was missed for GoTo annotations.
+  Existing `Annots` entries that are not a direct `PDFArray` now fall back to creating a new
+  array instead of silently calling `.push()` on an `any`-cast value.
+
+- **`metadata.language` validated against `LANGUAGE_TAG_REGEX`** — previously only checked for
+  non-empty string and max length. Now enforces the same BCP47 regex (`/^[a-zA-Z]{2,8}(-[a-zA-Z0-9]{2,8})*$/`)
+  used for `hyphenation.language`, closing an inconsistency in the validation layer.
+
+- **Dependency audit** — `npm audit fix` resolved `fast-uri <=3.1.1` CVE (GHSA-v39h-62p7-jpjc,
+  GHSA-q3j6-qgpj-74h6) in the dev dependency chain.
+
+---
+
+## [2.0.2] — 2026-05-28
+
+Second post-release audit patch: PDF injection hardening (metadata, AcroForm names), PDFHexString encoding correctness, signing field escaping, annotation array safety.
+
+### Fixed
+
+- **Metadata Info dict fields now use `PDFHexString.fromText()` (correct UTF-16BE encoding)** —
+  The v2.0.1 fix used `PDFHexString.of()` which stored raw bytes between `<>` delimiters (not
+  valid hex). `fromText` correctly produces `<FEFF...>` UTF-16BE hex, the same encoding used by
+  pdf-lib's built-in `setTitle()` etc. Injection protection is now both correct AND effective.
+
+- **Form field `name` and option `value` restricted to AcroForm-safe characters** — Field names
+  and radio/dropdown option export values are written as PDF literal strings by pdf-lib. Characters
+  like `)`, `\`, and null bytes that could corrupt the AcroForm `/T` dictionary are now rejected
+  at validation time with a clear error message. Allowed: `[a-zA-Z0-9_.@-]+` (`HIGH-2`).
+
+- **Signing placeholder fields escaped for PDF literal strings** — `sig.reason`, `sig.location`,
+  `sig.contactInfo`, and `sig.signerName` are passed to `@signpdf/placeholder-pdf-lib` which
+  writes them as PDF literal strings. Backslashes and parentheses are now escaped with `\` before
+  passing, so values like "New York (USA)" are preserved correctly without breaking the dict.
+
+- **Annotation array push guarded with `instanceof PDFArray`** — The previous `as any` cast on
+  `pdfDoc.context.lookup(existingAnnots)` allowed silent no-ops if the value wasn't a PDFArray.
+  All three annotation functions now check `instanceof PDFArray` and fall back to creating a new
+  array rather than silently dropping the annotation.
+
+- **Bookmark `Title` and AcroForm `/TU` use `PDFHexString.fromText()`** — Same `of()` → `fromText()`
+  correction applied to bookmark headings and all five AcroForm `/TU` (accessibility tooltip) writes.
+
+- **Sticky note `Contents` and author `T` use `PDFHexString.fromText()`** — Human-readable text in
+  sticky note annotations now uses proper UTF-16BE encoding.
+
+- **Signature placeholder `signerName` truncated to 100 chars** — Prevents glyph overflow outside
+  the visual signature box for very long signer names.
+
+- **Schema `content.items` changed from `anyOf` to `oneOf`** — JSON Schema validators and AI agent
+  code generators now get exclusive-match semantics, preventing multi-schema ambiguity.
+
+### Tests
+
+- Added T6: `/TU` accessibilityLabel byte-level injection guard in `test/forms.test.ts`.
+- Added T7: metadata title/author/accessibility UTF-16BE hex-encoding byte checks in `test/metadata.test.ts`.
+- Added field name and option value AcroForm-safety tests in `test/forms.test.ts`.
+
+---
+
+## [2.0.1] — 2026-05-28
+
+Post-release patch: audit-driven hardening of every change introduced in v2.0.0.
+
+### Fixed
+
+- **SVG sanitizer: `on*` handlers with whitespace in attribute name now stripped** — Attackers
+  could inject `on\nload=` or `on\tclick=` to bypass the previous `\w+` name regex. The pattern
+  now uses `[\w\r\n\t ]+` for the attribute name portion (`H3`).
+
+- **SVG sanitizer: `expression()` strips arguments with nested parens** — `expression(alert(1))`
+  and `expression(eval(x))` are now stripped in a single pass. The inner-parens pattern
+  `(?:[^()]*|\([^()]*\))*` handles one level of argument nesting; multi-pass unwinds deeper
+  nesting (`M6`).
+
+- **SVG sanitizer: size/element-count guards now throw `PretextPdfError('SVG_LOAD_FAILED')`** —
+  Previously both guards returned the raw unstripped SVG on overflow, silently bypassing
+  script/event stripping. Now both throw, so callers always receive a typed error (`H1`).
+
+- **Form-field strict mode no longer flags cross-variant props as unknown** — `ALLOWED_PROPS`
+  entry for `form-field` now covers the union of all variant-specific keys so the first strict
+  check never fires false positives. Per-variant narrowing still runs inside `validateFormField`
+  to catch cross-contamination (`B1`).
+
+- **Bookmark `Title` and AcroForm `/TU` now use `PDFHexString`** — Previously `PDFString` was
+  used, which is vulnerable to unbalanced-parenthesis injection in user-controlled strings. All
+  five `/TU` writes and the outline `Title` write now use the hex-encoded form (`B3`).
+
+- **Link URI annotation and sticky-note `Contents`/`T` use `PDFHexString`** — Same injection
+  guard extended to `addLinkAnnotation` and `addStickyNoteAnnotation` (`B3`).
+
+- **`getInfoDict()` private-API call is now try/caught** — Accessibility and semantic metadata
+  are silently omitted (rather than throwing) if the `@cantoo/pdf-lib` internal API is removed
+  in a future library version (`M7`).
+
+- **`SignPdf`/`P12Signer` dynamic imports typed via local interfaces** — Removes `any` casts
+  on the signpdf module destructuring, catching future API drift at compile time (`M4`).
+
+- **Signing error message scrubbed of certificate details** — `SIGNATURE_FAILED` no longer
+  leaks P12 structural details or ASN.1 internals; only the first 120 chars of the underlying
+  error message are included (`F9`).
+
+- **`FORM_FIELD_VARIANT_PROPS` type narrowed** — The export type is now
+  `Record<'text'|'checkbox'|'radio'|'dropdown'|'button', ReadonlySet<string>>` so callers that
+  iterate the map get exhaustive narrowing rather than a plain string index (`M1`).
+
+- **`fieldType` validation is now derived from `FORM_FIELD_VARIANT_PROPS`** — The allowed-values
+  list and the dispatch map are now the same object, removing the risk of one going stale (`M2`).
+
+- **Form-field options arrays are structurally validated** — Each item in `options` for `radio`
+  and `dropdown` is now checked to be a `{value: string, label: string}` object. Invalid items
+  throw `VALIDATION_ERROR` with an indexed path like `options[1].value` (`H2`).
+
+- **`accessibilityLabel` validated as non-empty string** — Empty or non-string values now
+  throw `VALIDATION_ERROR` rather than embedding an empty `/TU` annotation (`H2`).
+
+- **`signing/placeholder.ts` uses `buildFontKey()` instead of hardcoded literal** — Keeps the
+  font lookup in sync with the canonical key format if the naming convention ever changes (`L1`).
+
+- **`PluginMeasureResult.spaceBefore/spaceAfter` marked readonly** — Plugins cannot mutate the
+  pipeline's spacing side-table; callers can still construct the object with literal values (`L2`).
+
+- **`package.json` `mcpCompat` range updated** — Was `>=1.4.0 <2.0.0` (excluded v2.0.0 itself);
+  now `>=1.5.0 <3.0.0` (`B2`).
+
+- **`pdfDocumentSchema`: `form-field` now a `oneOf` discriminated union** — The flat single-object
+  schema was replaced with five variant schemas keyed by `fieldType: { const: '...' }`, with
+  correct per-variant `required` arrays (radio/dropdown require `options`) (`M3`).
+
+### Tests
+
+- Added T1: `on\nload` and `on\tclick` attribute-name injection regression guard in
+  `test/svg-sanitizer.test.ts`.
+- Added T2: Per-variant strict-mode unknown-props tests for form-field in
+  `test/validate-strict.test.ts` (Group 8).
+- Added T3: `./signing` entry point added to `test/public-api-surface.test.ts` tripwire.
+- Added T4: `MAX_SVG_ELEMENTS` boundary tests (at-limit sanitizes, over-limit throws) in
+  `test/svg-sanitizer.test.ts`.
+- Added T5: `fieldType: 'textarea'` (unknown value) test triggering `VALIDATION_ERROR`.
+
+---
+
+## [2.0.0] — 2026-05-28
+
+Major release. Three breaking changes, six improvements, and two security fixes.
+
+### Breaking Changes
+
+- **`FormFieldElement` is now a discriminated union** — Replace the single flat interface with
+  five per-variant types (`TextFormField | CheckboxFormField | RadioFormField | DropdownFormField |
+  ButtonFormField`) that narrow available properties by `fieldType`. The `BaseFormField` interface
+  holds all shared fields and is also exported. Callers that assign into `FormFieldElement` without
+  narrowing will need to specify the concrete variant. **Migration:** narrow on `fieldType` or
+  import the specific variant type.
+
+- **`HorizontalRuleElement.spaceAbove` / `spaceBelow` removed** — Use `spaceBefore` / `spaceAfter`
+  (stable since v0.9). The deprecated aliases were present in v1.x with `@deprecated` JSDoc.
+  **Migration:** replace `spaceAbove` → `spaceBefore`, `spaceBelow` → `spaceAfter`.
+
+- **`ValidationResult.warningCount` removed** — The field was always `0` in v1.x (validator emits
+  errors only). **Migration:** use `result.errors.filter(e => e.severity === 'warning').length` if
+  you need a count — returns `0` until warning-severity issues are introduced.
+
+### Added
+
+- **`./signing` export** — New subpath export `pretext-pdf/signing` exposes `applySignature`,
+  `applyEncryption`, `applyPostProcessing`, and `renderSignaturePlaceholder` as a standalone
+  signing module. Useful for post-render pipeline composition without importing the full library.
+
+- **`MAX_SVG_ELEMENTS` constant** — Exported from `dist/assets.js` alongside `SVG_MAX_BYTES`.
+  Heuristic element-count guard (5,000 open tags) that skips sanitization of pathologically deep
+  SVGs to prevent memory exhaustion during rasterization.
+
+- **Per-variant `accessibilityLabel` wired to AcroForm `/TU`** — `accessibilityLabel` on form
+  fields is now written to the PDF annotation `/TU` (tooltip/alt-text) dictionary entry.
+  Screen readers and assistive technology that consume AcroForm annotations will pick it up.
+
+- **`metadata.accessibility` / `metadata.semantic` written to Info dict** — Both reserved fields
+  are now serialized as JSON strings into the PDF Info dictionary (`Accessibility` and `Semantic`
+  keys). Previously they were accepted but ignored at render time.
+
+### Changed
+
+- **`ValidationError` and `ValidationResult` fields are `readonly`** — All fields on both
+  interfaces are now `readonly`. This is technically breaking for callers that mutate validation
+  results directly (which should be none in practice).
+
+- **`PluginMeasureResult.height` is `readonly`** — Prevents accidental mutation of the measured
+  height by render hooks.
+
+### Fixed (security)
+
+- **SVG `on*` handler regex now catches newline-injected attributes** — The previous pattern
+  `\bon\w+\s*=` missed attributes like `on\nload=`. Fixed to `\bon\w+[\s\n\r]*=`.
+
+- **`allowed-props` strict mode now covers `accessibilityLabel`, `accessibility`, `semantic`** —
+  These fields were missing from their respective key arrays; strict-mode validation would
+  incorrectly report them as unknown properties. Fixed.
+
+---
+
 ## [1.9.0] — 2026-05-28
 
 Additive release: error categorisation, typed plugin generics, beta graduations, soft deprecations, and a 100 MB output size guard.

package/dist/allowed-props.d.ts

@@ -3,12 +3,12 @@
  * Enforced at runtime by strict: true validation.
  * Compile-time drift guards via Exact<T, Keys> ensure types stay synchronized.
  */
-import type { PdfDocument, ParagraphElement, HeadingElement, SpacerElement, TableElement, TableCell, ColumnDef, ImageElement, SvgElement, QrCodeElement, BarcodeElement, ChartElement, ListElement, ListItem, HorizontalRuleElement, PageBreakElement, CodeBlockElement, RichParagraphElement, InlineSpan, BlockquoteElement, CalloutElement, CommentElement, FormFieldElement, FootnoteDefElement, TocElement, FloatGroupElement, AnnotationSpec, TableRow, DocumentMetadata, EncryptionSpec } from './types.js';
+import type { PdfDocument, ParagraphElement, HeadingElement, SpacerElement, TableElement, TableCell, ColumnDef, ImageElement, SvgElement, QrCodeElement, BarcodeElement, ChartElement, ListElement, ListItem, HorizontalRuleElement, PageBreakElement, CodeBlockElement, RichParagraphElement, InlineSpan, BlockquoteElement, CalloutElement, CommentElement, TextFormField, CheckboxFormField, RadioFormField, DropdownFormField, ButtonFormField, FootnoteDefElement, TocElement, FloatGroupElement, AnnotationSpec, TableRow, DocumentMetadata, EncryptionSpec } from './types.js';
 import type { TocEntryElement } from './types-internal.js';
 /** Compile-time assertion that T has exactly the keys in Keys (no more, no less) */
 type Exact<T, Keys extends readonly (keyof T)[]> = T & Record<Exclude<keyof T, Keys[number]>, never>;
 declare const DOC_KEYS: readonly ["pageSize", "margins", "defaultFont", "defaultFontSize", "defaultLineHeight", "fonts", "header", "footer", "watermark", "encryption", "signature", "bookmarks", "hyphenation", "metadata", "defaultParagraphStyle", "sections", "content", "flattenForms", "onImageLoadError", "onFormFieldError", "renderDate", "allowedFileDirs"];
-declare const METADATA_KEYS: readonly ["title", "author", "subject", "keywords", "creator", "language", "producer"];
+declare const METADATA_KEYS: readonly ["title", "author", "subject", "keywords", "creator", "language", "producer", "accessibility", "semantic"];
 declare const PARAGRAPH_KEYS: readonly ["type", "text", "dir", "fontSize", "lineHeight", "fontFamily", "fontWeight", "color", "align", "bgColor", "spaceAfter", "spaceBefore", "keepTogether", "underline", "strikethrough", "url", "columns", "columnGap", "hyphenate", "letterSpacing", "smallCaps", "tabularNumbers", "annotation"];
 declare const HEADING_KEYS: readonly ["type", "level", "text", "dir", "fontFamily", "fontWeight", "fontSize", "lineHeight", "align", "color", "bgColor", "spaceBefore", "spaceAfter", "keepTogether", "underline", "strikethrough", "bookmark", "hyphenate", "url", "anchor", "letterSpacing", "smallCaps", "tabularNumbers", "annotation"];
 declare const SPACER_KEYS: readonly ["type", "height"];
@@ -23,7 +23,7 @@ declare const BARCODE_KEYS: readonly ["type", "symbology", "data", "width", "hei
 declare const CHART_KEYS: readonly ["type", "spec", "width", "height", "caption", "align", "spaceBefore", "spaceAfter"];
 declare const LIST_KEYS: readonly ["type", "style", "items", "marker", "indent", "markerWidth", "fontSize", "lineHeight", "itemSpaceAfter", "spaceAfter", "spaceBefore", "color", "nestedNumberingStyle"];
 declare const LIST_ITEM_KEYS: readonly ["text", "dir", "fontWeight", "items"];
-declare const HR_KEYS: readonly ["type", "thickness", "color", "spaceAbove", "spaceBelow", "spaceBefore", "spaceAfter"];
+declare const HR_KEYS: readonly ["type", "thickness", "color", "spaceBefore", "spaceAfter"];
 declare const PAGE_BREAK_KEYS: readonly ["type"];
 declare const CODE_KEYS: readonly ["type", "text", "dir", "fontFamily", "fontSize", "lineHeight", "bgColor", "color", "padding", "spaceAfter", "spaceBefore", "keepTogether", "language", "highlightTheme"];
 declare const RICH_PARAGRAPH_KEYS: readonly ["type", "spans", "dir", "fontSize", "lineHeight", "align", "bgColor", "spaceBefore", "spaceAfter", "keepTogether", "columns", "columnGap", "letterSpacing", "smallCaps", "tabularNumbers"];
@@ -31,7 +31,11 @@ declare const INLINE_SPAN_KEYS: readonly ["text", "dir", "fontFamily", "fontWeig
 declare const BLOCKQUOTE_KEYS: readonly ["type", "text", "dir", "borderColor", "borderWidth", "bgColor", "color", "fontFamily", "fontWeight", "fontStyle", "fontSize", "lineHeight", "padding", "paddingH", "paddingV", "align", "spaceBefore", "spaceAfter", "keepTogether", "underline", "strikethrough"];
 declare const CALLOUT_KEYS: readonly ["type", "content", "style", "title", "backgroundColor", "borderColor", "color", "titleColor", "fontFamily", "fontWeight", "fontSize", "lineHeight", "padding", "paddingH", "paddingV", "spaceAfter", "spaceBefore", "keepTogether", "dir"];
 declare const COMMENT_KEYS: readonly ["type", "contents", "author", "color", "open", "spaceAfter"];
-declare const FORM_FIELD_KEYS: readonly ["type", "fieldType", "name", "label", "placeholder", "defaultValue", "multiline", "maxLength", "checked", "options", "defaultSelected", "width", "height", "fontSize", "borderColor", "backgroundColor", "spaceAfter", "spaceBefore", "keepTogether"];
+declare const TEXT_FORM_FIELD_KEYS: readonly ["type", "fieldType", "name", "label", "width", "height", "fontSize", "borderColor", "backgroundColor", "spaceAfter", "spaceBefore", "keepTogether", "accessibilityLabel", "placeholder", "defaultValue", "multiline", "maxLength"];
+declare const CHECKBOX_FORM_FIELD_KEYS: readonly ["type", "fieldType", "name", "label", "width", "height", "fontSize", "borderColor", "backgroundColor", "spaceAfter", "spaceBefore", "keepTogether", "accessibilityLabel", "checked"];
+declare const RADIO_FORM_FIELD_KEYS: readonly ["type", "fieldType", "name", "label", "width", "height", "fontSize", "borderColor", "backgroundColor", "spaceAfter", "spaceBefore", "keepTogether", "accessibilityLabel", "options", "defaultSelected"];
+declare const DROPDOWN_FORM_FIELD_KEYS: readonly ["type", "fieldType", "name", "label", "width", "height", "fontSize", "borderColor", "backgroundColor", "spaceAfter", "spaceBefore", "keepTogether", "accessibilityLabel", "options", "defaultSelected"];
+declare const BUTTON_FORM_FIELD_KEYS: readonly ["type", "fieldType", "name", "label", "width", "height", "fontSize", "borderColor", "backgroundColor", "spaceAfter", "spaceBefore", "keepTogether", "accessibilityLabel"];
 declare const FOOTNOTE_DEF_KEYS: readonly ["type", "id", "text", "fontSize", "fontFamily", "spaceAfter"];
 declare const TOC_KEYS: readonly ["type", "title", "showTitle", "minLevel", "maxLevel", "fontSize", "titleFontSize", "levelIndent", "leader", "entrySpacing", "fontFamily", "spaceBefore", "spaceAfter"];
 declare const TOC_ENTRY_KEYS: readonly ["type", "text", "pageNumber", "level", "levelIndent", "leader", "fontFamily", "fontWeight"];
@@ -70,7 +74,11 @@ export type _AllowedPropsDriftGuard = [
     Exact<BlockquoteElement, typeof BLOCKQUOTE_KEYS>,
     Exact<CalloutElement, typeof CALLOUT_KEYS>,
     Exact<CommentElement, typeof COMMENT_KEYS>,
-    Exact<FormFieldElement, typeof FORM_FIELD_KEYS>,
+    Exact<TextFormField, typeof TEXT_FORM_FIELD_KEYS>,
+    Exact<CheckboxFormField, typeof CHECKBOX_FORM_FIELD_KEYS>,
+    Exact<RadioFormField, typeof RADIO_FORM_FIELD_KEYS>,
+    Exact<DropdownFormField, typeof DROPDOWN_FORM_FIELD_KEYS>,
+    Exact<ButtonFormField, typeof BUTTON_FORM_FIELD_KEYS>,
     Exact<FootnoteDefElement, typeof FOOTNOTE_DEF_KEYS>,
     Exact<TocElement, typeof TOC_KEYS>,
     Exact<TocEntryElement, typeof TOC_ENTRY_KEYS>,
@@ -89,7 +97,7 @@ export declare const ALLOWED_PROPS: {
     readonly barcode: Set<"type" | "align" | "spaceAfter" | "spaceBefore" | "height" | "width" | "data" | "symbology" | "includeText">;
     readonly chart: Set<"type" | "align" | "spaceAfter" | "spaceBefore" | "height" | "width" | "spec" | "caption">;
     readonly list: Set<"type" | "fontSize" | "lineHeight" | "color" | "spaceAfter" | "spaceBefore" | "style" | "items" | "marker" | "indent" | "markerWidth" | "itemSpaceAfter" | "nestedNumberingStyle">;
-    readonly hr: Set<"type" | "color" | "spaceAfter" | "spaceBefore" | "thickness" | "spaceAbove" | "spaceBelow">;
+    readonly hr: Set<"type" | "color" | "spaceAfter" | "spaceBefore" | "thickness">;
     readonly 'page-break': Set<"type">;
     readonly code: Set<"text" | "language" | "type" | "dir" | "fontSize" | "lineHeight" | "fontFamily" | "color" | "bgColor" | "spaceAfter" | "spaceBefore" | "keepTogether" | "padding" | "highlightTheme">;
     readonly 'rich-paragraph': Set<"type" | "dir" | "fontSize" | "lineHeight" | "align" | "bgColor" | "spaceAfter" | "spaceBefore" | "keepTogether" | "columns" | "columnGap" | "letterSpacing" | "smallCaps" | "tabularNumbers" | "spans">;
@@ -97,14 +105,21 @@ export declare const ALLOWED_PROPS: {
     readonly toc: Set<"title" | "type" | "fontSize" | "fontFamily" | "spaceAfter" | "spaceBefore" | "showTitle" | "minLevel" | "maxLevel" | "titleFontSize" | "levelIndent" | "leader" | "entrySpacing">;
     readonly 'toc-entry': Set<"text" | "type" | "fontFamily" | "fontWeight" | "level" | "levelIndent" | "leader" | "pageNumber">;
     readonly comment: Set<"author" | "type" | "color" | "spaceAfter" | "contents" | "open">;
-    readonly 'form-field': Set<"type" | "fontSize" | "spaceAfter" | "spaceBefore" | "keepTogether" | "height" | "borderColor" | "width" | "backgroundColor" | "fieldType" | "name" | "label" | "placeholder" | "defaultValue" | "multiline" | "maxLength" | "checked" | "options" | "defaultSelected">;
     readonly callout: Set<"content" | "title" | "type" | "dir" | "fontSize" | "lineHeight" | "fontFamily" | "fontWeight" | "color" | "spaceAfter" | "spaceBefore" | "keepTogether" | "borderColor" | "style" | "padding" | "paddingH" | "paddingV" | "backgroundColor" | "titleColor">;
     readonly 'footnote-def': Set<"text" | "type" | "fontSize" | "fontFamily" | "spaceAfter" | "id">;
     readonly 'float-group': Set<"image" | "content" | "type" | "spaceAfter" | "spaceBefore" | "float" | "floatWidth" | "floatGap">;
+    readonly 'form-field': Set<"type" | "fontSize" | "spaceAfter" | "spaceBefore" | "keepTogether" | "height" | "borderColor" | "width" | "backgroundColor" | "fieldType" | "name" | "label" | "accessibilityLabel" | "placeholder" | "defaultValue" | "multiline" | "maxLength" | "checked" | "options" | "defaultSelected">;
 };
+/**
+ * Per-variant allowed-property sets for form-field strict validation.
+ * Typed as a closed record over the exact fieldType literals so TypeScript
+ * will fail the build if a new variant is added to FormFieldElement without
+ * a corresponding entry here.
+ */
+export declare const FORM_FIELD_VARIANT_PROPS: Record<'text' | 'checkbox' | 'radio' | 'dropdown' | 'button', ReadonlySet<string>>;
 export declare const ALLOWED_PROPS_SUB: {
     readonly document: Set<"header" | "footer" | "signature" | "pageSize" | "margins" | "defaultFont" | "defaultFontSize" | "defaultLineHeight" | "fonts" | "watermark" | "encryption" | "bookmarks" | "hyphenation" | "metadata" | "defaultParagraphStyle" | "sections" | "content" | "flattenForms" | "onImageLoadError" | "onFormFieldError" | "renderDate" | "allowedFileDirs">;
-    readonly metadata: Set<"title" | "author" | "subject" | "keywords" | "creator" | "language" | "producer">;
+    readonly metadata: Set<"title" | "author" | "subject" | "keywords" | "creator" | "language" | "producer" | "accessibility" | "semantic">;
     readonly 'column-def': Set<"align" | "width">;
     readonly 'table-row': Set<"cells" | "isHeader">;
     readonly 'table-cell': Set<"text" | "dir" | "fontSize" | "fontFamily" | "fontWeight" | "color" | "align" | "bgColor" | "tabularNumbers" | "colspan" | "rowspan">;

package/dist/allowed-props.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"allowed-props.d.ts","sourceRoot":"","sources":["../src/allowed-props.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,gBAAgB,EAChB,cAAc,EACd,aAAa,EACb,YAAY,EACZ,SAAS,EACT,SAAS,EACT,YAAY,EACZ,UAAU,EACV,aAAa,EACb,cAAc,EACd,YAAY,EACZ,WAAW,EACX,QAAQ,EACR,qBAAqB,EACrB,gBAAgB,EAChB,gBAAgB,EAChB,oBAAoB,EACpB,UAAU,EACV,iBAAiB,EACjB,cAAc,EACd,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,UAAU,EACV,iBAAiB,EACjB,cAAc,EACd,QAAQ,EACR,gBAAgB,EAChB,cAAc,EACf,MAAM,YAAY,CAAA;AACnB,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAA;AAE1D,oFAAoF;AACpF,KAAK,KAAK,CAAC,CAAC,EAAE,IAAI,SAAS,SAAS,CAAC,MAAM,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,CAAA;AAIpG,QAAA,MAAM,QAAQ,+UAKJ,CAAA;AAEV,QAAA,MAAM,aAAa,wFAAyF,CAAA;AAE5G,QAAA,MAAM,cAAc,0SAKV,CAAA;AAEV,QAAA,MAAM,YAAY,iTAKR,CAAA;AAEV,QAAA,MAAM,WAAW,6BAA8B,CAAA;AAE/C,QAAA,MAAM,UAAU,mLAGN,CAAA;AAEV,QAAA,MAAM,eAAe,6BAA8B,CAAA;AAEnD,QAAA,MAAM,cAAc,gCAAiC,CAAA;AAErD,QAAA,MAAM,eAAe,uIAGX,CAAA;AAEV,QAAA,MAAM,UAAU,6MAIN,CAAA;AAEV,QAAA,MAAM,QAAQ,0FAA2F,CAAA;AAEzG,QAAA,MAAM,YAAY,uIAGR,CAAA;AAEV,QAAA,MAAM,YAAY,gHAER,CAAA;AAEV,QAAA,MAAM,UAAU,+FAAgG,CAAA;AAEhH,QAAA,MAAM,SAAS,kLAGL,CAAA;AAEV,QAAA,MAAM,cAAc,iDAAkD,CAAA;AAEtE,QAAA,MAAM,OAAO,kGAAmG,CAAA;AAEhH,QAAA,MAAM,eAAe,mBAAoB,CAAA;AAEzC,QAAA,MAAM,SAAS,oLAGL,CAAA;AAEV,QAAA,MAAM,mBAAmB,sMAIf,CAAA;AAEV,QAAA,MAAM,gBAAgB,mMAGZ,CAAA;AAEV,QAAA,MAAM,eAAe,8QAIX,CAAA;AAEV,QAAA,MAAM,YAAY,sPAIR,CAAA;AAEV,QAAA,MAAM,YAAY,wEAAyE,CAAA;AAE3F,QAAA,MAAM,eAAe,iQAIX,CAAA;AAEV,QAAA,MAAM,iBAAiB,yEAA0E,CAAA;AAEjG,QAAA,MAAM,QAAQ,kLAGJ,CAAA;AAEV,QAAA,MAAM,cAAc,uGAAwG,CAAA;AAE5H,QAAA,MAAM,gBAAgB,uGAAwG,CAAA;AAE9H,QAAA,MAAM,eAAe,kDAAmD,CAAA;AAExE,QAAA,MAAM,eAAe,2DAA4D,CAAA;AAEjF;;;;;;GAMG;AACH,MAAM,MAAM,uBAAuB,GAAG;IACpC,KAAK,CAAC,WAAW,EAAE,OAAO,QAAQ,CAAC;IACnC,KAAK,CAAC,gBAAgB,EAAE,OAAO,aAAa,CAAC;IAC7C,KAAK,CAAC,gBAAgB,EAAE,OAAO,cAAc,CAAC;IAC9C,KAAK,CAAC,cAAc,EAAE,OAAO,YAAY,CAAC;IAC1C,KAAK,CAAC,aAAa,EAAE,OAAO,WAAW,CAAC;IACxC,KAAK,CAAC,YAAY,EAAE,OAAO,UAAU,CAAC;IACtC,KAAK,CAAC,SAAS,EAAE,OAAO,eAAe,CAAC;IACxC,KAAK,CAAC,QAAQ,EAAE,OAAO,cAAc,CAAC;IACtC,KAAK,CAAC,SAAS,EAAE,OAAO,eAAe,CAAC;IACxC,KAAK,CAAC,YAAY,EAAE,OAAO,UAAU,CAAC;IACtC,KAAK,CAAC,UAAU,EAAE,OAAO,QAAQ,CAAC;IAClC,KAAK,CAAC,aAAa,EAAE,OAAO,YAAY,CAAC;IACzC,KAAK,CAAC,cAAc,EAAE,OAAO,YAAY,CAAC;IAC1C,KAAK,CAAC,YAAY,EAAE,OAAO,UAAU,CAAC;IACtC,KAAK,CAAC,WAAW,EAAE,OAAO,SAAS,CAAC;IACpC,KAAK,CAAC,QAAQ,EAAE,OAAO,cAAc,CAAC;IACtC,KAAK,CAAC,qBAAqB,EAAE,OAAO,OAAO,CAAC;IAC5C,KAAK,CAAC,gBAAgB,EAAE,OAAO,eAAe,CAAC;IAC/C,KAAK,CAAC,gBAAgB,EAAE,OAAO,SAAS,CAAC;IACzC,KAAK,CAAC,oBAAoB,EAAE,OAAO,mBAAmB,CAAC;IACvD,KAAK,CAAC,UAAU,EAAE,OAAO,gBAAgB,CAAC;IAC1C,KAAK,CAAC,iBAAiB,EAAE,OAAO,eAAe,CAAC;IAChD,KAAK,CAAC,cAAc,EAAE,OAAO,YAAY,CAAC;IAC1C,KAAK,CAAC,cAAc,EAAE,OAAO,YAAY,CAAC;IAC1C,KAAK,CAAC,gBAAgB,EAAE,OAAO,eAAe,CAAC;IAC/C,KAAK,CAAC,kBAAkB,EAAE,OAAO,iBAAiB,CAAC;IACnD,KAAK,CAAC,UAAU,EAAE,OAAO,QAAQ,CAAC;IAClC,KAAK,CAAC,eAAe,EAAE,OAAO,cAAc,CAAC;IAC7C,KAAK,CAAC,iBAAiB,EAAE,OAAO,gBAAgB,CAAC;IACjD,KAAK,CAAC,cAAc,EAAE,OAAO,eAAe,CAAC;IAC7C,KAAK,CAAC,cAAc,EAAE,OAAO,eAAe,CAAC;CAC9C,CAAA;AAID,eAAO,MAAM,aAAa;;;;;;;;;;;;;;;;;;;;;;;CAuBhB,CAAA;AAEV,eAAO,MAAM,iBAAiB;;;;;;;;;;CAUpB,CAAA"}
+{"version":3,"file":"allowed-props.d.ts","sourceRoot":"","sources":["../src/allowed-props.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,gBAAgB,EAChB,cAAc,EACd,aAAa,EACb,YAAY,EACZ,SAAS,EACT,SAAS,EACT,YAAY,EACZ,UAAU,EACV,aAAa,EACb,cAAc,EACd,YAAY,EACZ,WAAW,EACX,QAAQ,EACR,qBAAqB,EACrB,gBAAgB,EAChB,gBAAgB,EAChB,oBAAoB,EACpB,UAAU,EACV,iBAAiB,EACjB,cAAc,EACd,cAAc,EACd,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,iBAAiB,EACjB,eAAe,EACf,kBAAkB,EAClB,UAAU,EACV,iBAAiB,EACjB,cAAc,EACd,QAAQ,EACR,gBAAgB,EAChB,cAAc,EACf,MAAM,YAAY,CAAA;AACnB,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAA;AAE1D,oFAAoF;AACpF,KAAK,KAAK,CAAC,CAAC,EAAE,IAAI,SAAS,SAAS,CAAC,MAAM,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,CAAA;AAIpG,QAAA,MAAM,QAAQ,+UAKJ,CAAA;AAEV,QAAA,MAAM,aAAa,qHAAsH,CAAA;AAEzI,QAAA,MAAM,cAAc,0SAKV,CAAA;AAEV,QAAA,MAAM,YAAY,iTAKR,CAAA;AAEV,QAAA,MAAM,WAAW,6BAA8B,CAAA;AAE/C,QAAA,MAAM,UAAU,mLAGN,CAAA;AAEV,QAAA,MAAM,eAAe,6BAA8B,CAAA;AAEnD,QAAA,MAAM,cAAc,gCAAiC,CAAA;AAErD,QAAA,MAAM,eAAe,uIAGX,CAAA;AAEV,QAAA,MAAM,UAAU,6MAIN,CAAA;AAEV,QAAA,MAAM,QAAQ,0FAA2F,CAAA;AAEzG,QAAA,MAAM,YAAY,uIAGR,CAAA;AAEV,QAAA,MAAM,YAAY,gHAER,CAAA;AAEV,QAAA,MAAM,UAAU,+FAAgG,CAAA;AAEhH,QAAA,MAAM,SAAS,kLAGL,CAAA;AAEV,QAAA,MAAM,cAAc,iDAAkD,CAAA;AAEtE,QAAA,MAAM,OAAO,sEAAuE,CAAA;AAEpF,QAAA,MAAM,eAAe,mBAAoB,CAAA;AAEzC,QAAA,MAAM,SAAS,oLAGL,CAAA;AAEV,QAAA,MAAM,mBAAmB,sMAIf,CAAA;AAEV,QAAA,MAAM,gBAAgB,mMAGZ,CAAA;AAEV,QAAA,MAAM,eAAe,8QAIX,CAAA;AAEV,QAAA,MAAM,YAAY,sPAIR,CAAA;AAEV,QAAA,MAAM,YAAY,wEAAyE,CAAA;AAQ3F,QAAA,MAAM,oBAAoB,8OAA8F,CAAA;AACxH,QAAA,MAAM,wBAAwB,gMAAgD,CAAA;AAC9E,QAAA,MAAM,qBAAqB,mNAAmE,CAAA;AAC9F,QAAA,MAAM,wBAAwB,mNAAmE,CAAA;AACjG,QAAA,MAAM,sBAAsB,qLAAqC,CAAA;AAiBjE,QAAA,MAAM,iBAAiB,yEAA0E,CAAA;AAEjG,QAAA,MAAM,QAAQ,kLAGJ,CAAA;AAEV,QAAA,MAAM,cAAc,uGAAwG,CAAA;AAE5H,QAAA,MAAM,gBAAgB,uGAAwG,CAAA;AAE9H,QAAA,MAAM,eAAe,kDAAmD,CAAA;AAExE,QAAA,MAAM,eAAe,2DAA4D,CAAA;AAEjF;;;;;;GAMG;AACH,MAAM,MAAM,uBAAuB,GAAG;IACpC,KAAK,CAAC,WAAW,EAAE,OAAO,QAAQ,CAAC;IACnC,KAAK,CAAC,gBAAgB,EAAE,OAAO,aAAa,CAAC;IAC7C,KAAK,CAAC,gBAAgB,EAAE,OAAO,cAAc,CAAC;IAC9C,KAAK,CAAC,cAAc,EAAE,OAAO,YAAY,CAAC;IAC1C,KAAK,CAAC,aAAa,EAAE,OAAO,WAAW,CAAC;IACxC,KAAK,CAAC,YAAY,EAAE,OAAO,UAAU,CAAC;IACtC,KAAK,CAAC,SAAS,EAAE,OAAO,eAAe,CAAC;IACxC,KAAK,CAAC,QAAQ,EAAE,OAAO,cAAc,CAAC;IACtC,KAAK,CAAC,SAAS,EAAE,OAAO,eAAe,CAAC;IACxC,KAAK,CAAC,YAAY,EAAE,OAAO,UAAU,CAAC;IACtC,KAAK,CAAC,UAAU,EAAE,OAAO,QAAQ,CAAC;IAClC,KAAK,CAAC,aAAa,EAAE,OAAO,YAAY,CAAC;IACzC,KAAK,CAAC,cAAc,EAAE,OAAO,YAAY,CAAC;IAC1C,KAAK,CAAC,YAAY,EAAE,OAAO,UAAU,CAAC;IACtC,KAAK,CAAC,WAAW,EAAE,OAAO,SAAS,CAAC;IACpC,KAAK,CAAC,QAAQ,EAAE,OAAO,cAAc,CAAC;IACtC,KAAK,CAAC,qBAAqB,EAAE,OAAO,OAAO,CAAC;IAC5C,KAAK,CAAC,gBAAgB,EAAE,OAAO,eAAe,CAAC;IAC/C,KAAK,CAAC,gBAAgB,EAAE,OAAO,SAAS,CAAC;IACzC,KAAK,CAAC,oBAAoB,EAAE,OAAO,mBAAmB,CAAC;IACvD,KAAK,CAAC,UAAU,EAAE,OAAO,gBAAgB,CAAC;IAC1C,KAAK,CAAC,iBAAiB,EAAE,OAAO,eAAe,CAAC;IAChD,KAAK,CAAC,cAAc,EAAE,OAAO,YAAY,CAAC;IAC1C,KAAK,CAAC,cAAc,EAAE,OAAO,YAAY,CAAC;IAC1C,KAAK,CAAC,aAAa,EAAE,OAAO,oBAAoB,CAAC;IACjD,KAAK,CAAC,iBAAiB,EAAE,OAAO,wBAAwB,CAAC;IACzD,KAAK,CAAC,cAAc,EAAE,OAAO,qBAAqB,CAAC;IACnD,KAAK,CAAC,iBAAiB,EAAE,OAAO,wBAAwB,CAAC;IACzD,KAAK,CAAC,eAAe,EAAE,OAAO,sBAAsB,CAAC;IACrD,KAAK,CAAC,kBAAkB,EAAE,OAAO,iBAAiB,CAAC;IACnD,KAAK,CAAC,UAAU,EAAE,OAAO,QAAQ,CAAC;IAClC,KAAK,CAAC,eAAe,EAAE,OAAO,cAAc,CAAC;IAC7C,KAAK,CAAC,iBAAiB,EAAE,OAAO,gBAAgB,CAAC;IACjD,KAAK,CAAC,cAAc,EAAE,OAAO,eAAe,CAAC;IAC7C,KAAK,CAAC,cAAc,EAAE,OAAO,eAAe,CAAC;CAC9C,CAAA;AAID,eAAO,MAAM,aAAa;;;;;;;;;;;;;;;;;;;;;;;CAuBhB,CAAA;AAEV;;;;;GAKG;AACH,eAAO,MAAM,wBAAwB,EAAE,MAAM,CAC3C,MAAM,GAAG,UAAU,GAAG,OAAO,GAAG,UAAU,GAAG,QAAQ,EACrD,WAAW,CAAC,MAAM,CAAC,CAOpB,CAAA;AAED,eAAO,MAAM,iBAAiB;;;;;;;;;;CAUpB,CAAA"}

package/dist/allowed-props.js

@@ -10,7 +10,7 @@ const DOC_KEYS = [
     'hyphenation', 'metadata', 'defaultParagraphStyle', 'sections', 'content',
     'flattenForms', 'onImageLoadError', 'onFormFieldError', 'renderDate', 'allowedFileDirs',
 ];
-const METADATA_KEYS = ['title', 'author', 'subject', 'keywords', 'creator', 'language', 'producer'];
+const METADATA_KEYS = ['title', 'author', 'subject', 'keywords', 'creator', 'language', 'producer', 'accessibility', 'semantic'];
 const PARAGRAPH_KEYS = [
     'type', 'text', 'dir', 'fontSize', 'lineHeight', 'fontFamily', 'fontWeight', 'color',
     'align', 'bgColor', 'spaceAfter', 'spaceBefore', 'keepTogether', 'underline',
@@ -53,7 +53,7 @@ const LIST_KEYS = [
     'itemSpaceAfter', 'spaceAfter', 'spaceBefore', 'color', 'nestedNumberingStyle',
 ];
 const LIST_ITEM_KEYS = ['text', 'dir', 'fontWeight', 'items'];
-const HR_KEYS = ['type', 'thickness', 'color', 'spaceAbove', 'spaceBelow', 'spaceBefore', 'spaceAfter'];
+const HR_KEYS = ['type', 'thickness', 'color', 'spaceBefore', 'spaceAfter'];
 const PAGE_BREAK_KEYS = ['type'];
 const CODE_KEYS = [
     'type', 'text', 'dir', 'fontFamily', 'fontSize', 'lineHeight', 'bgColor', 'color',
@@ -79,10 +79,29 @@ const CALLOUT_KEYS = [
     'spaceAfter', 'spaceBefore', 'keepTogether', 'dir',
 ];
 const COMMENT_KEYS = ['type', 'contents', 'author', 'color', 'open', 'spaceAfter'];
-const FORM_FIELD_KEYS = [
-    'type', 'fieldType', 'name', 'label', 'placeholder', 'defaultValue', 'multiline',
-    'maxLength', 'checked', 'options', 'defaultSelected', 'width', 'height', 'fontSize',
+const FORM_FIELD_BASE_KEYS = [
+    'type', 'fieldType', 'name', 'label', 'width', 'height', 'fontSize',
     'borderColor', 'backgroundColor', 'spaceAfter', 'spaceBefore', 'keepTogether',
+    'accessibilityLabel',
+];
+const TEXT_FORM_FIELD_KEYS = [...FORM_FIELD_BASE_KEYS, 'placeholder', 'defaultValue', 'multiline', 'maxLength'];
+const CHECKBOX_FORM_FIELD_KEYS = [...FORM_FIELD_BASE_KEYS, 'checked'];
+const RADIO_FORM_FIELD_KEYS = [...FORM_FIELD_BASE_KEYS, 'options', 'defaultSelected'];
+const DROPDOWN_FORM_FIELD_KEYS = [...FORM_FIELD_BASE_KEYS, 'options', 'defaultSelected'];
+const BUTTON_FORM_FIELD_KEYS = [...FORM_FIELD_BASE_KEYS];
+/**
+ * Union of every field that can appear on *any* FormFieldElement variant.
+ * Used for the top-level ALLOWED_PROPS dispatch so the generic strict check in
+ * validate/index.ts never false-flags a valid variant-specific key (e.g.
+ * `placeholder` on a text field). The per-variant check inside
+ * validateFormField then narrows further and rejects cross-variant
+ * contamination (e.g. `checked` on a text field).
+ */
+const FORM_FIELD_ALL_KEYS = [
+    ...FORM_FIELD_BASE_KEYS,
+    'placeholder', 'defaultValue', 'multiline', 'maxLength', // text only
+    'checked', // checkbox only
+    'options', 'defaultSelected', // radio + dropdown
 ];
 const FOOTNOTE_DEF_KEYS = ['type', 'id', 'text', 'fontSize', 'fontFamily', 'spaceAfter'];
 const TOC_KEYS = [
@@ -113,10 +132,23 @@ export const ALLOWED_PROPS = {
     'toc': new Set(TOC_KEYS),
     'toc-entry': new Set(TOC_ENTRY_KEYS),
     'comment': new Set(COMMENT_KEYS),
-    'form-field': new Set(FORM_FIELD_KEYS),
     'callout': new Set(CALLOUT_KEYS),
     'footnote-def': new Set(FOOTNOTE_DEF_KEYS),
     'float-group': new Set(FLOAT_GROUP_KEYS),
+    'form-field': new Set(FORM_FIELD_ALL_KEYS),
+};
+/**
+ * Per-variant allowed-property sets for form-field strict validation.
+ * Typed as a closed record over the exact fieldType literals so TypeScript
+ * will fail the build if a new variant is added to FormFieldElement without
+ * a corresponding entry here.
+ */
+export const FORM_FIELD_VARIANT_PROPS = {
+    text: new Set(TEXT_FORM_FIELD_KEYS),
+    checkbox: new Set(CHECKBOX_FORM_FIELD_KEYS),
+    radio: new Set(RADIO_FORM_FIELD_KEYS),
+    dropdown: new Set(DROPDOWN_FORM_FIELD_KEYS),
+    button: new Set(BUTTON_FORM_FIELD_KEYS),
 };
 export const ALLOWED_PROPS_SUB = {
     'document': new Set(DOC_KEYS),