tekivex-ui 3.18.0 → 3.18.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -4,7 +4,7 @@
4
4
 
5
5
  **The React component library that ships with a threat model.**
6
6
 
7
- WCAG 2.1 AAA (audit-firm engagement open) · WAI-ARIA 1.2 · **SecurityCore** (XSS · clickjacking · Trojan Source · CSP · PII · magic-byte MIME · Trusted Types) · **115 production components** (+ 4 experimental, opt-in) · Zero runtime dependencies in core
7
+ WCAG 2.1 AAA target (third-party audit on roadmap, not yet completed) · WAI-ARIA 1.2 · **SecurityCore** (XSS · clickjacking · Trojan Source · CSP · PII · magic-byte MIME · Trusted Types) · **116 production components** (+ 4 experimental, opt-in) · Zero runtime dependencies in core
8
8
 
9
9
  📄 **[Security Threat Model](./docs/SECURITY-THREAT-MODEL.md)** — the only mainstream React UI library that publishes one. 15 STRIDE-mapped threats with CWE references.
10
10
 
@@ -14,7 +14,7 @@ WCAG 2.1 AAA (audit-firm engagement open) · WAI-ARIA 1.2 · **SecurityCore** (X
14
14
  [![TypeScript](https://img.shields.io/badge/TypeScript-5.6-3178c6.svg?logo=typescript&logoColor=white)](https://www.typescriptlang.org/)
15
15
  [![React](https://img.shields.io/badge/React-18+-61dafb.svg?logo=react&logoColor=white)](https://react.dev/)
16
16
  [![WCAG 2.1 AAA](https://img.shields.io/badge/WCAG-2.1%20AAA-00c853.svg)](https://www.w3.org/TR/WCAG21/)
17
- [![Tests](https://img.shields.io/badge/Tests-1777%20passing-00c853.svg)](#testing)
17
+ [![Tests](https://img.shields.io/badge/Tests-1798%20passing-00c853.svg)](#testing)
18
18
  [![SecurityCore](https://img.shields.io/badge/SecurityCore-v3.0-f72585.svg)](./docs/SECURITY-THREAT-MODEL.md)
19
19
  [![Socket.dev](https://socket.dev/api/badge/npm/package/tekivex-ui)](https://socket.dev/npm/package/tekivex-ui)
20
20
  [![SBOM](https://img.shields.io/badge/SBOM-CycloneDX%201.5-7c5cff.svg)](https://ui.tekivex.com/security/sbom.json)
@@ -35,13 +35,18 @@ npm install tekivex-ui
35
35
 
36
36
  TekiVex UI is **pre-1.0** and currently maintained by a single developer
37
37
  ([007krcs](https://github.com/007krcs)) on `novaai0401@gmail.com`. We
38
- publish to npm with [provenance attestations](https://docs.npmjs.com/generating-provenance-statements),
39
38
  ship a public [CycloneDX SBOM](https://ui.tekivex.com/security/sbom.json),
40
39
  a [security threat model](./docs/SECURITY-THREAT-MODEL.md) (15 STRIDE
41
- threats with CWE refs), and 1,777 tests at the published version — but
40
+ threats with CWE refs), and 1,798 tests at the published version — but
42
41
  none of that substitutes for the human-scale risk of any pre-1.0,
43
42
  single-maintainer library.
44
43
 
44
+ When published from CI, releases carry npm
45
+ [provenance attestations](https://docs.npmjs.com/generating-provenance-statements).
46
+ Local releases (currently the norm during pre-1.0) do not — verify
47
+ provenance status with `npm view tekivex-ui --json | jq '.dist.attestations'`
48
+ if it matters to your supply-chain policy.
49
+
45
50
  **Honest guidance:**
46
51
 
47
52
  - **Pin your version** (`"tekivex-ui": "3.18.0"`, not `"^3.18.0"`) until v4.0
@@ -49,7 +54,7 @@ single-maintainer library.
49
54
  - **Audit the SBOM** at [`ui.tekivex.com/security/sbom.json`](https://ui.tekivex.com/security/sbom.json) — verifies zero runtime deps
50
55
  - **Verify the package** with `npm view tekivex-ui` before installing if you're concerned about typosquats (the legitimate name is exactly `tekivex-ui`)
51
56
  - **Check Socket.dev** [![Socket.dev](https://socket.dev/api/badge/npm/package/tekivex-ui)](https://socket.dev/npm/package/tekivex-ui) for supply-chain risk score
52
- - **For regulated-industry teams**: the [design-partner program](./docs/design-partners/README.md) gets a direct Slack channel + priority response + custom-components on demand. Free.
57
+ - **For regulated-industry teams**: we're open to design-partner collaborations with regulated-industry teams — see [`docs/design-partners/README.md`](./docs/design-partners/README.md) for the playbook. No reserved slots, no formal program in place yet; reach out if it fits your situation.
53
58
 
54
59
  **Expect breaking changes at v4.0** — see [docs/ROADMAP.md](./docs/ROADMAP.md).
55
60
  Until then, the API surface marked stable will not break in minor or
@@ -106,7 +111,7 @@ Portal3D, Avatar3D — 14 primitives at source v0.7).
106
111
 
107
112
  | Feature | TekiVex UI | MUI | Ant Design | Mantine | shadcn/ui |
108
113
  |---|:---:|:---:|:---:|:---:|:---:|
109
- | WCAG **AAA** target (third-party audit-firm engagement open) | ✅ | ❌ | ❌ | ❌ | ❌ |
114
+ | WCAG **AAA** target (third-party audit on roadmap, not yet completed) | ✅ | ❌ | ❌ | ❌ | ❌ |
110
115
  | **XSS** — string props sanitised by default across all text components | ✅ | ❌ | ❌ | ❌ | ❌ |
111
116
  | **Clickjacking** — `isFramed()` detection + `frame-ancestors` CSP | ✅ | ❌ | ❌ | ❌ | ❌ |
112
117
  | **Trojan Source** — bidi/zero-width stripped from text inputs | ✅ | ❌ | ❌ | ❌ | ❌ |
@@ -119,7 +124,7 @@ Portal3D, Avatar3D — 14 primitives at source v0.7).
119
124
  | Tamper-evident SHA-256 hash-chained audit trail | ✅ | ❌ | ❌ | ❌ | ❌ |
120
125
  | Published threat model | ✅ | ❌ | ❌ | ❌ | ❌ |
121
126
  | Full-featured DataGrid — **free** | ✅ | 💰 Pro | Partial | Partial | ❌ |
122
- | 115 production components — **free** | ✅ | ✅ | ✅ | ✅ | 30 |
127
+ | 116 production components — **free** | ✅ | ✅ | ✅ | ✅ | 30 |
123
128
  | Hooks layer (a11y, theme, i18n) | ✅ | ❌ | ❌ | ✅ | ✅ |
124
129
  | i18n — 44 locales incl. RTL | ✅ | ✅ | ✅ | Partial | ❌ |
125
130
  | Plugin-extensible CSS engine | ✅ | ❌ | ❌ | ❌ | ❌ |
@@ -518,17 +523,17 @@ const aaa = meetsAAA('#00f5d4', '#0a0a1a'); // → true (≥ 7:1)
518
523
  ```
519
524
 
520
525
  **What's unique:**
521
- - 🛡️ **Automatic sanitisation** — no opt-in needed, every prop is safe by default
522
- - 📋 **Immutable audit trail** — append-only log of all security events for compliance / SIEM
526
+ - 🛡️ **String-prop sanitisation by default** — `sanitizeString` runs on string props across components without opt-in
527
+ - 📋 **Tamper-evident audit trail** — SHA-256 hash-chained append-only log for compliance / SIEM
523
528
  - 🎨 **Built-in WCAG checker** — `contrastRatio()`, `meetsAA()`, `meetsAAA()` available anywhere
524
529
 
525
530
  ---
526
531
 
527
532
  ## Accessibility
528
533
 
529
- Every component meets **WCAG 2.1 AAA** — the highest accessibility standard:
534
+ We target **WCAG 2.1 AAA** — the highest accessibility standard. Self-tested against the criteria below; **a third-party audit is on the roadmap and has not been completed.** Treat this section as our internal compliance target, not a certification.
530
535
 
531
- - ✅ Contrast ratio ≥ **7:1** for all text (AAA, not just AA's 4.5:1)
536
+ - ✅ Contrast ratio ≥ **7:1** for all text (AAA, not just AA's 4.5:1) — verified via internal `meetsAAA()` helper
532
537
  - ✅ Full **keyboard navigation** — Tab, Enter, Space, Arrow keys, Escape
533
538
  - ✅ Correct **ARIA roles, states & properties** (WAI-ARIA 1.2)
534
539
  - ✅ **Focus management** — focus trap in modals, visible focus rings
@@ -599,7 +604,7 @@ npm install
599
604
  # Build the library
600
605
  npm run build
601
606
 
602
- # Run all 1777 tests
607
+ # Run all 1798 tests
603
608
  npm test
604
609
 
605
610
  # Run tests with coverage report
@@ -629,11 +634,11 @@ npm run security:audit
629
634
  ## Testing
630
635
 
631
636
  ```
632
- 90 dedicated component test files · 1777 tests · 0 failures · 1 todo
637
+ 90 dedicated component test files · 1798 tests · 0 failures · 1 todo
633
638
  Coverage: 64.84% lines · 51.10% functions · 56.77% branches · 61.41% statements (ratchet enforced in CI)
634
639
  ```
635
640
 
636
- Coverage includes dedicated unit tests for 88 of 115 production components plus smoke coverage for the rest, 7 chart types, headless hooks (incl. useWebSocket / useSSE / useMediaQuery), the TKX CSS engine, the WCAG engine, the security (Shield) engine, the i18n provider, and Indian KYC validators (Aadhaar Verhoeff, PAN, Voter ID, DL).
641
+ Coverage includes dedicated unit tests for 88 of 116 production components plus smoke coverage for the rest, 7 chart types, headless hooks (incl. useWebSocket / useSSE / useMediaQuery), the TKX CSS engine, the WCAG engine, the security (Shield) engine, the i18n provider, and Indian KYC validators (Aadhaar Verhoeff, PAN, Voter ID, DL).
637
642
 
638
643
  Coverage thresholds are enforced as a CI ratchet in `vitest.config.ts` — the floor never drops between releases. Path to 90/90/85 is documented in [`docs/test-coverage-roadmap.md`](./docs/test-coverage-roadmap.md).
639
644
 
@@ -0,0 +1,3 @@
1
+ // Auto-generated by scripts/emit-dts-shims.mjs — re-exports the per-entry
2
+ // declarations that tsc emits under dist/src/. See package.json exports.
3
+ export * from './src/agent/index';
@@ -0,0 +1,3 @@
1
+ // Auto-generated by scripts/emit-dts-shims.mjs — re-exports the per-entry
2
+ // declarations that tsc emits under dist/src/. See package.json exports.
3
+ export * from './src/charts/index';
@@ -0,0 +1,3 @@
1
+ // Auto-generated by scripts/emit-dts-shims.mjs — re-exports the per-entry
2
+ // declarations that tsc emits under dist/src/. See package.json exports.
3
+ export * from './src/experimental/index';
@@ -0,0 +1,3 @@
1
+ // Auto-generated by scripts/emit-dts-shims.mjs — re-exports the per-entry
2
+ // declarations that tsc emits under dist/src/. See package.json exports.
3
+ export * from './src/headless/index';
package/dist/i18n.d.ts ADDED
@@ -0,0 +1,3 @@
1
+ // Auto-generated by scripts/emit-dts-shims.mjs — re-exports the per-entry
2
+ // declarations that tsc emits under dist/src/. See package.json exports.
3
+ export * from './src/i18n/index';