Merge main to dev

.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/ci.yml

@@ -59,6 +59,10 @@ jobs:
         run: |
           & $env:VENV_PYTHON -m ruff check .
 
+      - name: Run source security lint
+        run: |
+          & $env:VENV_PYTHON -m ruff check src --select S
+
       - name: Check Ruff formatting
         run: |
           & $env:VENV_PYTHON -m ruff format --check .
@@ -71,6 +75,11 @@ jobs:
         run: |
           & $env:VENV_PYTHON -m pyright
 
+      - name: Run dependency security audit
+        if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.12'
+        run: |
+          & $env:VENV_PYTHON -m pip_audit --skip-editable
+
       - name: Run tests
         run: |
           & $env:VENV_PYTHON -m pytest -q

.gitignore

@@ -24,6 +24,7 @@ __pycache__/
 node_modules/
 playwright-report/
 test-results/
+session.log*
 *.log
 .DS_Store
 Thumbs.db

CHANGELOG.md

@@ -4,21 +4,188 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+## [1.0.1] - 2026-05-14
+
+### Security
+
+- The local editor server now requires a per-session API token for `/api/*`
+  requests, rejects non-JSON POST bodies, blocks untrusted `Host`/`Origin`
+  headers, and refuses non-loopback binds unless `allow_remote=True` is set
+  explicitly.
+- Editor API routes now reject excessive tensor-network payloads and oversized
+  template parameters before running expensive validation, rendering,
+  contraction analysis, code generation, or subnetwork operations.
+- CI now runs a dependency vulnerability audit with `pip-audit` as part of the
+  development dependency set.
+- Bundled PrismJS assets were updated to 1.30.0, and the editor server now
+  emits a nonce-based Content Security Policy plus additional browser defense
+  headers.
+- Live Python import prompts and docs now state that live import should only be
+  used with trusted local Python files, because it executes code in a
+  subprocess with the active Python environment.
+- CI now runs Ruff's Bandit security rules against `src`, and Dependabot tracks
+  Python and GitHub Actions dependency updates.
+- Added `SECURITY.md` with private reporting guidance, a maintainer disclosure
+  checklist, and a PrismJS advisory draft for releases that bundled PrismJS
+  1.29.0.
+
+### Changed
+
+- CLI help now includes a top-level command argument quick reference and
+  descriptions for previously unlabeled command options and positionals.
+- Academic SVG/PNG/PDF exports now inherit the active editor theme for figure
+  text/background colors; light themes use white PDF backgrounds, while SVG and
+  PNG exports can preserve transparent backgrounds.
+
+## [1.0.0] - 2026-05-02
+
+### Added
+
+- The editor now supports an explicit UI launch mode across the CLI and Python
+  API: browser by default, `pywebview` with the optional `desktop` extra, or a
+  server-only mode that prints the local URL without opening a window.
+
+### Changed
+
+- PyPI trove classifiers and README now state **Production/Stable** readiness
+  (replacing the previous Beta development-status marker).
+- Publishing polish: the README no longer advertises a removed `png` extra, and
+  `MANIFEST.in` no longer carries redundant exclusions for non-package
+  directories, which keeps `python -m build` quieter.
+- `pywebview` editor launches now open their native window maximized by
+  default, so the desktop mode starts with the same roomy workspace users
+  usually expect from the browser flow.
+- `pywebview` exports now open a native `Save As` dialog and write the selected
+  file from Python, so desktop-mode JSON, Python, and academic exports no
+  longer disappear into the embedded browser backend's implicit download
+  folder.
+- `pywebview` export actions now detect the native save API lazily at export
+  time instead of only during page startup, so the desktop `Save As` dialog
+  still appears even when the webview bridge finishes attaching just after the
+  editor UI initializes.
+- `pywebview` export actions now detect text and binary save capabilities
+  independently, so desktop exports still use the native `Save As` dialog even
+  when an embedded backend exposes only one of the two save methods at first.
+- The editor bootstrap now starts immediately when the document is already in
+  `interactive` or `complete`, which fixes `pywebview` windows that could show
+  the shell markup without wiring toolbar actions, canvas interactions, or the
+  template bootstrap if `DOMContentLoaded` had already fired.
+- Windows `pywebview` launches now reuse the packaged
+  [`favicon.ico`](src/tensor_network_editor/app/static/favicon.ico) for the
+  native window icon instead of inheriting the default Python executable icon.
+- `pywebview` desktop launches now treat the native window-icon hook as best
+  effort, so backends that do not expose a `before_show` event still open
+  correctly instead of crashing during startup.
+- `pywebview` desktop launches now also tolerate backends with partial window
+  event hooks, so missing `closed` callbacks no longer crash the editor during
+  startup.
+- Local `EditorServer` startup now waits until a real loopback asset request can
+  be served before reporting readiness, which stabilizes rapid restart cycles
+  in tests and makes `_on_server_ready` URLs immediately usable.
+- `EditorServer.stop()` is now safe even if it runs before `start()`, so early
+  cleanup paths no longer risk hanging while waiting for a serve loop that
+  never began.
+- Repeated `EditorServer` startups now reuse the shared static-asset cache
+  without forcing an immediate full rescan of the asset tree every time, which
+  trims bursty local startup overhead while still refreshing changed assets
+  shortly afterward.
+- Editor undo/redo snapshots now keep benchmark-mode session history lighter by
+  stripping inactive scheme view snapshots and ephemeral compare-modal state,
+  while the active scheme still restores its exact contraction layouts.
+- Test cleanup scripts now remove `session.log*` artifacts, and the repository
+  ignores those rotating session logs explicitly.
+- Shared HTTP test helpers now give bundled editor assets more time to load,
+  which reduces intermittent timeout failures when the local test server is
+  under load.
+- Removed a few unused internal helpers from logging, periodic-mode utilities,
+  rendering, and einsum code generation, and deduplicated built-in template
+  defaults so the catalog now keeps each template's default parameters in one
+  shared definition.
+- Periodic code generation now routes linear, grid, and tree modes through one
+  shared internal dispatcher, and the grid/tree array helpers reuse shared cell
+  preparation utilities instead of repeating the same setup in each backend.
+- Static rendering helpers and the `/api/render` route now share more of their
+  internal option parsing, validation, and response assembly logic instead of
+  repeating the same flow per export format.
+- Internal built-in template builders are now split by family with shared
+  construction primitives, while the existing template catalog and public
+  template APIs keep the same behavior and registration order.
+- Large static renders now reuse connected-component geometry and connected
+  index direction lookups instead of recomputing the same layout heuristics for
+  every free index, which substantially reduces hot-path SVG/PNG/TikZ latency.
+- CLI `edit` now exposes `--ui {browser,pywebview,server}` while keeping
+  `--no-browser` as a compatibility alias for the server-only mode.
+
+## [0.5.0] - 2026-04-30
+
 ### Changed
 
 - The browser editor's `Info` help panel now mentions the full current export
   set (`PNG`, `SVG`, `PDF`, `TikZ/LaTeX`, `Graphviz/DOT`, and `Mermaid`) and
   clarifies that recommended startup flows can use built-in templates, session
   templates, and reusable subnetwork fragments.
+- Browser-editor `For`-mode code generation now keeps the commented
+  `TNE_SPEC_B64` round-trip metadata at the end of the generated Python source
+  instead of the beginning, and the editor only includes it when the new
+  `Metadata` checkbox is enabled in the `Code` panel.
+- Browser-editor `For` mode no longer disables template settings or
+  selection-based `Extract`, `To Library`, and `To Template` actions just for
+  being in a periodic editor view; those actions now stay available for normal
+  tensors and only reject virtual boundary cells such as `next`, `previous`,
+  grid side cells, or tree parent/child placeholders.
 
 ### Added
 
 - Static exports now include a `Mermaid` flowchart renderer for documentation
   workflows, with matching support in the Python API, CLI `render` subcommand,
   and browser editor export menu.
+- The editor `Reflow` popover now offers simple horizontal and vertical
+  alignment controls plus a 90° clockwise rotation action that also rotates the
+  selected tensor ports to keep their orientation consistent.
+- Static geometric exports now choose shape-aware directions for free indices in
+  linear, circular, and 2D-grid layouts, use a stable local fallback for
+  irregular layouts, and draw dangling stubs with a length of two tensor radii.
 
 ### Fixed
 
+- Linear-periodic `For`-mode validation now rejects carry plans that the code
+  generator cannot realize, so the editor no longer reports some
+  multi-boundary manual schemes as valid during analysis only to fail later
+  when generating Python code.
+- Linear-periodic `For`-mode carry code generation now keeps non-interface
+  labels from the previous payload distinct from the current cell's local
+  labels, so valid manual schemes with repeated index names across cells no
+  longer collapse accidentally during periodic carry simulation.
+- Linear-periodic `For`-mode `tensorkrowch` carry generation now keeps local
+  open edges on stable current-cell edge objects while exporting repeated
+  carry interfaces from the materialized result node, so periodic helpers no
+  longer hand later loop iterations a stale leaf edge.
+- Linear-periodic `For`-mode `tensorkrowch` carry helpers now reattach
+  intermediate contraction results before later manual steps reuse them, so
+  valid periodic plans no longer lose the shared inter-cell edge during
+  multi-step cell contractions.
+- Linear-periodic `For`-mode `tensorkrowch` carry helpers now materialize
+  shared edges with `reattach_edges(override=True)` instead of relying on
+  `network.reset()`, so repeated periodic iterations keep their inter-cell
+  bond visible to later `contract_between` steps.
+- Normal `tensorkrowch` manual code generation no longer injects
+  `reattach_edges(...)` between ordinary contraction steps, so non-`For`
+  exports keep the simpler node structure that the standard visualizer already
+  handles correctly.
+- Contraction-scene tensor layering now follows the current visible operands
+  instead of only the base spec tensor list, so selecting or dragging derived
+  result tensors in `single`/`contract` keeps their free ports visible above
+  overlapping front tensors.
+- Static exports now keep free-index directions aligned with the network's real
+  on-canvas orientation, so vertical, diagonal, and rotated-grid layouts no
+  longer get reinterpreted as axis-aligned during `SVG`, `PNG`, `PDF`, and
+  `TikZ/LaTeX` rendering.
+- `Ctrl/Cmd+Enter` now closes the editor with info reliably from contraction
+  planner views, preview states, `For` mode, and benchmark mode by registering
+  the global shortcut listener in capture mode.
+- Browser-editor academic exports now invalidate the serialized-spec cache
+  after layout moves and rotations, so exported figures follow the current
+  canvas geometry instead of occasionally reusing stale pre-reflow positions.
 - Mermaid export now renders free indices as labeled dangling-edge terminals
   instead of boxed open-index nodes, so the flowchart output reads more like a
   tensor-network leg.

CITATION.cff

@@ -5,12 +5,12 @@ type: software
 authors:
   - family-names: "Mata Ali"
     given-names: "Alejandro"
-version: "0.4.0"
-date-released: "2026-04-25"
+version: "1.0.1"
+date-released: "2026-05-14"
 repository-code: "https://github.com/DOKOS-TAYOS/Tensor-Network-Editor"
 url: "https://github.com/DOKOS-TAYOS/Tensor-Network-Editor"
 license: "MIT"
-abstract: "A local Python package and browser editor for drawing tensor networks, saving versioned JSON designs, and generating readable Python code for tensor-network backends."
+abstract: "A production-ready local Python package and browser editor for drawing tensor networks, saving versioned JSON designs, and generating readable Python code for tensor-network backends."
 keywords:
   - "tensor networks"
   - "scientific computing"

MANIFEST.in

@@ -3,5 +3,3 @@ include THIRD_PARTY_LICENSES
 include README.md
 recursive-include src/tensor_network_editor/app/static *.css *.html *.ico *.js
 include src/tensor_network_editor/py.typed
-recursive-exclude docs/images *
-recursive-exclude tests *

README.md

@@ -12,6 +12,7 @@
 [![Python 3.11+](https://img.shields.io/badge/python-3.11%2B-blue)](https://github.com/DOKOS-TAYOS/Tensor-Network-Editor)
 [![Windows%20%7C%20Linux](https://img.shields.io/badge/platform-Windows%20%7C%20Linux-0A7BBB)](https://github.com/DOKOS-TAYOS/Tensor-Network-Editor/actions/workflows/ci.yml)
 [![MIT License](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
+[![Stability](https://img.shields.io/badge/stability-production--ready-brightgreen)](https://pypi.org/project/tensor-network-editor/)
 
 `tensor-network-editor` is a local Python package for drawing tensor networks,
 saving them as versioned JSON, and generating readable Python code for several
@@ -89,10 +90,10 @@ offline use, and generated code you can inspect.
 
 ## Why This Project
 
-- Draw tensor-network diagrams in a local browser session.
+- Draw tensor-network diagrams in a local browser or `pywebview` desktop session.
 - Save and reload backend-independent JSON designs.
-- Recover the previous local browser session from a project draft if the tab is
-  closed before you save.
+- Recover the previous local editor session from a project draft if the window
+  or tab is closed before you save.
 - Generate code for `tensornetwork`, `quimb`, `tensorkrowch`, `einsum_numpy`,
   and `einsum_torch`.
 - Render designs to static SVG, TikZ/LaTeX, Graphviz/DOT, or Mermaid from Python, the
@@ -135,9 +136,9 @@ offline use, and generated code you can inspect.
 - Get structural analysis with FLOP and MAC cost summaries.
 - Use the package from the CLI or directly from Python.
 
-The editor opens in your browser, but the server runs locally on your own
-machine. No Node runtime or cloud service is needed for normal use. A future
-desktop wrapper such as `pywebview` may sit on top of this local flow, but the
+The editor server runs locally on your own machine. By default it opens in your
+browser, and you can also ask for a native `pywebview` window with the optional
+`desktop` extra. No Node runtime or cloud service is needed for normal use. The
 browser-served editor remains the core interface and compatibility target.
 
 ## Minimal Installation
@@ -176,7 +177,20 @@ tensor-network-editor edit
 ```
 
 This command starts a local server and waits until you press `Done` or
-`Cancel` in the browser session.
+`Cancel` in the editor session.
+
+Open the same local editor in a native `pywebview` window:
+
+```bash
+python -m pip install "tensor-network-editor[desktop]"
+tensor-network-editor edit --ui pywebview
+```
+
+Start only the local server and open the printed URL yourself:
+
+```bash
+tensor-network-editor edit --ui server
+```
 
 Pick a color theme when you launch the editor:
 
@@ -205,8 +219,7 @@ tensor-network-editor doctor my_network.json
 tensor-network-editor doctor my_network.json --format json
 ```
 
-Render one saved design as SVG, PDF, TikZ/LaTeX, Graphviz/DOT, Mermaid, or with the
-optional `png` extra, PNG:
+Render one saved design as SVG, PDF, TikZ/LaTeX, Graphviz/DOT, Mermaid, or PNG:
 
 ```bash
 tensor-network-editor render my_network.json --format svg --output figure.svg
@@ -369,6 +382,9 @@ whole load immediately.
   scripts or imports already resolvable from the active `.venv`. If a Python
   file depends on sibling modules or path-sensitive imports, prefer the Python
   API or CLI with the real file path.
+- Only use live import with local Python files you trust. Live import executes
+  the file in a subprocess with the active Python environment, so trusted code
+  can still read or write local files.
 - Tensor values in the visual editor support portable built-in initializers,
   dtype choices, JSON-friendly complex scalars, and external `.npy`, `.npz`,
   and `.pt` data references. Symbolic expressions are not supported yet.
@@ -386,6 +402,7 @@ whole load immediately.
 
 - Source code: [github.com/DOKOS-TAYOS/Tensor-Network-Editor](https://github.com/DOKOS-TAYOS/Tensor-Network-Editor)
 - Changelog: [CHANGELOG.md](CHANGELOG.md)
+- Security policy: [SECURITY.md](SECURITY.md)
 - Example script: [examples/basic_usage.py](examples/basic_usage.py)
 - Issue tracker: [github.com/DOKOS-TAYOS/Tensor-Network-Editor/issues](https://github.com/DOKOS-TAYOS/Tensor-Network-Editor/issues)
 - License: [LICENSE](LICENSE)