From 84270a2860398eb8056a8d4f064c6a52c08ebb16 Mon Sep 17 00:00:00 2001
From: James <jamesbconner@users.noreply.github.com>
Date: Sun, 22 Feb 2026 03:43:58 -0500
Subject: [PATCH] Fix package to include web artifacts, bump version to 1.3.1

- Update version from 1.3.0 to 1.3.1 in `__about__.py`
- Fix web UI packaging by replacing `artifacts` with `force-include` in `pyproject.toml` for both wheel and sdist targets
- Add explicit `packages` declaration and sdist `include` list to ensure proper distribution
- Document fixes for data URI sanitization, case-insensitive element filtering, duplicate error handling, type safety, rename endpoint validation, icon names validation, and Next.js dev mode warning
- Document changed default for "Inject CSS classes" checkbox from false to true
---
 CHANGELOG.md                   | 18 ++++++++++++++++++
 pyproject.toml                 | 20 +++++++++++++++++++-
 src/SVG2DrawIOLib/__about__.py |  2 +-
 3 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 82d822d..60986b1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.3.1] - 2026-02-22
+
+### Fixed
+
+- **Web UI packaging**: Fixed `pyproject.toml` hatchling configuration to properly include the web UI static files in the built wheel and sdist. Changed from `artifacts` to `force-include` configuration for both wheel and sdist targets. The web UI directory (`src/SVG2DrawIOLib/web/`) is now correctly included in PyPI releases, ensuring `pip install SVG2DrawIOLib[web]` followed by `svg2drawiolib web` works out of the box.
+- **Security: Data URI sanitization** (Bug #27): Updated SVG sanitization to only block dangerous data: URIs (`data:text/html`, `data:text/javascript`, `data:application/javascript`, `data:application/x-javascript`) while allowing safe image data: URIs (`data:image/png`, `data:image/jpeg`, `data:image/svg+xml`, etc.) for legitimate embedded images.
+- **Security: Case-insensitive element filtering** (Bug #28): Made dangerous element checking case-insensitive to prevent sanitization bypass via case variants like `<Script>`, `<SCRIPT>`, or `<ForeignObject>`. Updated `_DANGEROUS_ELEMENTS` set to store lowercase values and added `.lower()` call during comparison.
+- **API: Duplicate error handling** (Bug #29): Extracted duplicate library error handling logic into shared `handle_library_value_error()` helper function in `processing.py`. Updated five routers (`add`, `remove`, `list`, `extract`, `inspect`) to use the centralized helper, eliminating code duplication.
+- **API: Type safety** (Bug #31): Changed `handle_library_value_error()` return type from `-> None` to `-> NoReturn` to accurately reflect that the function always raises an exception and never returns, improving type checker guarantees.
+- **API: Rename endpoint error handling** (Bug #32): Added "Invalid library" error check to rename endpoint to return 422 for malformed library files instead of 500 internal server error, consistent with other endpoints.
+- **API: Icon names validation** (Bug #26): Added element type validation to `parse_icon_names()` to ensure all list elements are strings, preventing unhashable type errors downstream when non-string values are passed.
+- **Next.js dev mode warning** (Bug #30): Made `output: "export"` conditional in `next.config.ts` (only set in production) to eliminate Next.js warning about rewrites not working with static exports during development.
+
+### Changed
+
+- **`pyproject.toml`**: Updated hatchling build configuration to use `force-include` for web UI static files in both wheel and sdist targets, replacing the non-functional `artifacts` configuration. Added explicit `packages` declaration and sdist `include` list.
+- **Web UI default**: Changed "Inject CSS classes" checkbox default from `false` to `true` in both CreateTab and ManageTab components for better out-of-box experience.
+
 ## [1.3.0] - 2026-02-21
 
 ### Added
diff --git a/pyproject.toml b/pyproject.toml
index e72f4fb..45ae2d7 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -72,7 +72,25 @@ svg2drawio = "SVG2DrawIOLib.cli:cli"
 path = "src/SVG2DrawIOLib/__about__.py"
 
 [tool.hatch.build.targets.wheel]
-artifacts = ["src/SVG2DrawIOLib/web"]
+packages = ["src/SVG2DrawIOLib"]
+
+[tool.hatch.build.targets.wheel.force-include]
+"src/SVG2DrawIOLib/web" = "SVG2DrawIOLib/web"
+
+[tool.hatch.build.targets.sdist]
+include = [
+  "/src",
+  "/tests",
+  "/README.md",
+  "/LICENSE.txt",
+  "/CHANGELOG.md",
+  "/CONTRIBUTING.md",
+  "/QUICKSTART.md",
+  "/pyproject.toml",
+]
+
+[tool.hatch.build.targets.sdist.force-include]
+"src/SVG2DrawIOLib/web" = "src/SVG2DrawIOLib/web"
 
 [tool.hatch.envs.default]
 dependencies = [
diff --git a/src/SVG2DrawIOLib/__about__.py b/src/SVG2DrawIOLib/__about__.py
index 526ad06..b359028 100644
--- a/src/SVG2DrawIOLib/__about__.py
+++ b/src/SVG2DrawIOLib/__about__.py
@@ -1,3 +1,3 @@
 """Package version information."""
 
-__version__ = "1.3.0"
+__version__ = "1.3.1"