v1.1.0

Security Hardening

• CSS custom properties (--var-name) now accepted in inline styles
• Style values block url(), expression(), and @import injection vectors while preserving safe functions like calc()
• hsxComponent.handle() enforces HTTP methods, returning 405 with Allow header for disallowed methods
• Multi-verb forms (<form post={...} get={...}>) now throw instead of silently picking one

New Features

• SSE support: ext, sseConnect, and sseSwap attributes normalize to hx-ext, sse-connect, sse-swap
• HsxAttrs on 18 more elements: body, main, header, footer, nav, aside, p, li, ol, table, thead, tfoot, td, th, details, input, textarea, select
• hsxPage validateOnce option: skip repeated tree validation for static page structures
• Duplicate path parameters (e.g., /users/:id/related/:id) detected at component creation time

Type Safety

• Urlish type no longer uses any - uses bivariant method syntax for safe variance
• HsxExt and HsxTrigger types expanded with SSE patterns

Performance

• Path regex and parameter names precomputed once per component instead of on every match() call

Infrastructure

• CI pipeline now runs deno task test before publishing
• Package versions synced at 1.1.0

Test Coverage

24 new tests covering HTMX auto-injection, SSE normalization, form fallback action/method, HTTP method enforcement, duplicate params, and full POST/FormData integration. Total: 81 tests.