@ait-co/devtools 0.1.27 → 0.1.29

package/README.en.md

@@ -840,7 +840,7 @@ Both modes expose the same `AIT.*` tool surface — debug mode backed by the Chi
 
 ### Debug mode (CDP via Chii)
 
-> Read-only tools only. The phone attach roundtrip requires a real-device dog-food step and is deferred to a later phase; the tool layer is CI-verified via mockable injectable CDP connection / AIT source.
+Read-only tools only. The phone attach roundtrip is fully wired; all that remains is a single on-device acceptance run. The tool layer is CI-verified via a mockable injectable CDP connection / AIT source.
 
 Running `devtools-mcp` as a stdio server starts a local Chii relay on `:9100` and opens a cloudflared quick tunnel, printing a public `wss://*.trycloudflare.com` URL, a QR code, and a secret token in the terminal. When the phone enters the dogfood entry point, the in-app attach UI connects to the relay with that URL and token, and the agent reads console/network/page state via `chrome-devtools-mcp`-compatible tools — diagnosing regressions without anyone watching the phone.
 
@@ -868,11 +868,11 @@ Running `devtools-mcp` as a stdio server starts a local Chii relay on `:9100` an
 | `AIT.getMockState` | AIT domain | Mock state snapshot (`window.__ait`) |
 | `AIT.getOperationalEnvironment` | AIT domain | `getOperationalEnvironment()` + SDK version |
 
-`AIT.*` covers what raw CDP cannot; the same MCP server forwards it alongside CDP. In debug mode the in-app side answers over the Chii channel (phone integration is a later phase).
+`AIT.*` covers what raw CDP cannot; the same MCP server forwards it alongside CDP. In debug mode the in-app side answers over the Chii channel.
 
 ### Dev mode (mock state)
 
-`devtools-mcp --mode=dev` reads the mock state from a running browser. Phase 3 aligned it on the same `AIT.*` tool surface as debug mode.
+`devtools-mcp --mode=dev` reads the mock state from a running browser. It shares the same `AIT.*` tool surface as debug mode.
 
 #### Architecture
 
@@ -940,7 +940,7 @@ Returns the full current mock state (permissions, location, auth, network, IAP,
 | `@ait-co/devtools/unplugin` | Bundler plugin (.vite, .webpack, .rspack, .esbuild, .rollup) |
 | `@ait-co/devtools/mcp/server` | Dev-mode MCP stdio server function (Node.js) |
 | `@ait-co/devtools/mcp/cli` | `devtools-mcp` bin entry point (debug / dev mode, Node.js) |
-| `@ait-co/devtools/in-app` | In-app debug attach — 3-layer gate + Chii target.js injection (dogfood builds only; active when `__DEBUG_BUILD__=true`) |
+| `@ait-co/devtools/in-app` | In-app debug attach — runtime gate (layers B/C) + Chii target.js injection. The consumer wraps the import in `if (__DEBUG_BUILD__)` so it is DCE'd from release builds — dogfood builds only |
 
 ## Telemetry
 

package/README.md

@@ -843,8 +843,8 @@ tool을 봅니다.
 
 ### Debug 모드 (CDP via Chii)
 
-> read-only tool만 노출합니다. 폰 attach 라운드트립은 실기기 dog-food가 필요해 후속 phase로 분리되어
-> 있고, tool 계층은 주입 가능한 CDP 연결 / AIT 소스를 mock해 CI에서 검증됩니다.
+read-only tool만 노출합니다. 폰 attach 라운드트립은 fully wired 상태이며 남은 것은 실기기 acceptance
+한 번뿐입니다. tool 계층은 주입 가능한 CDP 연결 / AIT 소스를 mock해 CI에서 검증됩니다.
 
 `devtools-mcp`를 stdio로 실행하면 로컬 Chii 릴레이(:9100)를 띄우고 cloudflared quick tunnel로
 공개 `wss://*.trycloudflare.com` URL을 발급한 뒤 QR + secret token을 터미널에 출력합니다.
@@ -877,12 +877,12 @@ tool을 봅니다.
 | `AIT.getOperationalEnvironment` | AIT 도메인 | `getOperationalEnvironment()` + SDK 버전 |
 
 `AIT.*`는 raw CDP가 못 잡는 영역으로, 같은 MCP server가 CDP와 함께 forward합니다. debug 모드에서는
-in-app 측이 Chii 채널로 응답합니다(폰 통합은 후속 phase).
+in-app 측이 Chii 채널로 응답합니다.
 
 ### Dev 모드 (mock state)
 
-`devtools-mcp --mode=dev`는 실행 중인 브라우저의 mock state를 읽습니다. Phase 3에서 debug 모드와
-같은 `AIT.*` tool surface로 정렬되었습니다.
+`devtools-mcp --mode=dev`는 실행 중인 브라우저의 mock state를 읽습니다. debug 모드와 같은 `AIT.*`
+tool surface를 공유합니다.
 
 #### 구조
 
@@ -950,7 +950,7 @@ export default {
 | `@ait-co/devtools/unplugin` | 번들러 플러그인 (.vite, .webpack, .rspack, .esbuild, .rollup) |
 | `@ait-co/devtools/mcp/server` | dev-mode MCP stdio server 함수 (Node.js) |
 | `@ait-co/devtools/mcp/cli` | `devtools-mcp` bin 진입점 (debug / dev 모드, Node.js) |
-| `@ait-co/devtools/in-app` | In-app debug attach — 3-layer gate + Chii target.js 주입 (dogfood 빌드 전용, `__DEBUG_BUILD__=true` 시에만 활성) |
+| `@ait-co/devtools/in-app` | In-app debug attach — 런타임 gate(layer B·C) + Chii target.js 주입. 소비자가 `if (__DEBUG_BUILD__)`로 import를 감싸 release 빌드에서 DCE — dogfood 빌드 전용 |
 
 ## 텔레메트리
 

package/dist/in-app/index.d.ts

@@ -1,18 +1,40 @@
 //#region src/in-app/gate.d.ts
 /**
- * 3-layer activation gate for the in-app debug surface.
+ * Runtime activation gate for the in-app debug surface.
  *
  * Spec: docs/superpowers/specs/2026-05-18-in-app-debug-mcp.md
  * "3-layer activation gate". This is the pure gate decision; the Chii client,
  * WebSocket transport, MCP server, and CLI that consume it live in src/mcp/.
  *
- * Decision matrix:
+ * This function evaluates the two RUNTIME layers, B and C. Layer A — the
+ * build-time gate — is NOT evaluated here, and deliberately so: it is enforced
+ * entirely by the consumer's `if (__DEBUG_BUILD__) { … }` guard around the
+ * import site (see sdk-example `src/main.tsx`). `__DEBUG_BUILD__` is a
+ * consumer-build-time constant; a release consumer build folds it to `false`
+ * and dead-code-eliminates the whole import of `@ait-co/devtools/in-app`, so
+ * this code is simply absent from release bundles. A pre-built npm package
+ * cannot re-check that flag — it was already baked at devtools' own publish
+ * time — so any `isDebugBuild` check inside this function would be permanently
+ * `false` and could never pass. Layer A is the consumer guard; B and C are
+ * here.
  *
- *   build channel | _deploymentId | debug=1 | result
- *   release       | (any)         | (any)   | BLOCKED  (Layer A — code absent via DCE)
- *   dogfood       | absent        | (any)   | BLOCKED  (Layer B — entry gate)
- *   dogfood       | present       | absent  | BLOCKED  (Layer C — opt-in gate)
- *   dogfood       | present       | present | ATTACH
+ * Layer B has two parts. Both must pass:
+ *   B1 — host allowlist: `hostname` must be a `*.private-apps.tossmini.com`
+ *        subdomain. The Toss app serves dogfood / private mini-apps from a
+ *        separate `private-apps` host; a production (`intoss://`) entry is
+ *        served from `*.apps.tossmini.com` WITHOUT the `private-apps` segment.
+ *        This is the security gate against a dogfood build that somehow lands
+ *        on a production entry — see the comment on {@link isPrivateAppsHost}.
+ *   B2 — entry query: `_deploymentId` must be present and non-empty.
+ *
+ * Decision matrix (the gate only ever runs in a debug build — Layer A already
+ * passed by the time this code is reachable):
+ *
+ *   private-apps host | _deploymentId | debug=1 | result
+ *   no                | (any)         | (any)   | BLOCKED  (Layer B1 — host)
+ *   yes               | absent        | (any)   | BLOCKED  (Layer B2 — entry)
+ *   yes               | present       | absent  | BLOCKED  (Layer C  — opt-in)
+ *   yes               | present       | present | ATTACH
  */
 /** Shape returned when the gate allows attachment. */
 interface GateResultAttach {
@@ -26,55 +48,71 @@ interface GateResultAttach {
 interface GateResultBlocked {
   readonly attach: false;
   /**
-   * - `'build'`        Layer A: `__DEBUG_BUILD__` is false (release build).
-   * - `'entry'`        Layer B: `_deploymentId` param is absent or empty.
+   * - `'host'`         Layer B1: `hostname` is not a `*.private-apps.tossmini.com` host.
+   * - `'entry'`        Layer B2: `_deploymentId` param is absent or empty.
    * - `'opt-in'`       Layer C: `debug=1` param is absent.
    * - `'invalid-relay'` Layer C: `relay` param is absent, empty, or not a `wss:` URL.
+   *
+   * There is no `'build'` reason: Layer A is enforced by the consumer's
+   * `if (__DEBUG_BUILD__)` guard, not by this function.
    */
-  readonly reason: 'build' | 'entry' | 'opt-in' | 'invalid-relay';
+  readonly reason: 'host' | 'entry' | 'opt-in' | 'invalid-relay';
 }
 type GateResult = GateResultAttach | GateResultBlocked;
 /**
  * Input for {@link evaluateDebugGate}.
  *
- * Keeping each field explicit makes the function trivially testable without
- * needing to manipulate `window.location`.
+ * Both fields are explicit so the function is trivially testable without
+ * touching `window`.
  */
 interface GateInput {
   /**
-   * Whether this is a debug build. Corresponds to the `__DEBUG_BUILD__`
-   * compile-time constant injected by tsdown.
+   * The host the page is served from — `window.location.hostname`.
    *
-   * In source code consumed via `@ait-co/devtools/in-app`, the thin
-   * `src/in-app/index.ts` entry reads `__DEBUG_BUILD__` and passes it here.
-   * Tests supply it directly.
+   * This is the Layer B1 security signal. Why hostname and not the entry
+   * scheme: the Toss SDK normalises `intoss-private://` to `intoss://` in
+   * `getSchemeUri()`, and `getOperationalEnvironment()` / `getWebViewType()`
+   * return the same value (`"toss"` / `"partner"`) for both dogfood and
+   * production entries — none of them distinguish a dogfood entry. The host
+   * does: a dogfood / private-apps entry is served from
+   * `*.private-apps.tossmini.com`, a production entry is not. This was
+   * confirmed live over CDP against mini-app 31146 (see spec open question 2).
    */
-  readonly isDebugBuild: boolean;
+  readonly hostname: string;
   /**
-   * The URL search params to inspect for gate signals.
+   * The URL search params to inspect for gate signals (Layers B2 and C).
    *
    * Prefer `URLSearchParams` so callers can pass `new URLSearchParams(location.search)`
    * without coupling the pure function to `window`.
-   *
-   * Layer B open seam (spec open question 2): if the Toss SDK ever exposes
-   * `getEntryScheme()` or a similar API that reliably signals a dogfood entry,
-   * that signal should be checked before `_deploymentId` here. For now only the
-   * `_deploymentId` query param fallback is implemented. Pass a custom
-   * `URLSearchParams` to inject the SDK signal at the call site without
-   * modifying this function.
    */
   readonly searchParams: URLSearchParams;
 }
 /**
- * Pure function that evaluates the 3-layer debug activation gate.
+ * Returns whether `hostname` is a `*.private-apps.tossmini.com` subdomain —
+ * the host the Toss app reserves for dogfood / private mini-app entries.
  *
- * Has no side effects. All inputs are explicit. Returns a discriminated union
+ * The match is an exact suffix check, not a substring `.includes()`: a
+ * substring test would also accept an attacker-controlled host like
+ * `private-apps.tossmini.com.evil.example`, which ends in `.example`, not in
+ * `.tossmini.com`. Requiring the string to END with the suffix closes that.
+ * The leading `.` in the suffix also forces a real subdomain label, so a
+ * bare `private-apps.tossmini.com` (no mini-app subdomain) does not match.
+ */
+declare function isPrivateAppsHost(hostname: string): boolean;
+/**
+ * Pure function that evaluates the runtime debug activation layers (B and C).
+ *
+ * Has no side effects. The input is explicit. Returns a discriminated union
  * so callers can pattern-match on `result.attach`.
  *
+ * Layer A (build-time) is intentionally not evaluated here — see the file-level
+ * comment. By the time this function runs, the consumer's `if (__DEBUG_BUILD__)`
+ * guard has already passed; this function only decides B and C.
+ *
  * @example
  * ```ts
  * const result = evaluateDebugGate({
- *   isDebugBuild: __DEBUG_BUILD__,
+ *   hostname: window.location.hostname,
  *   searchParams: new URLSearchParams(window.location.search),
  * });
  * if (result.attach) {
@@ -114,23 +152,27 @@ declare function deriveTargetScriptUrl(relayUrl: string): string;
  * guard — in practice this always runs in a real WebView).
  *
  * @param gateResult - Optional pre-evaluated gate result for testability.
- *   Defaults to `checkDebugGate()` which reads the current page URL and the
- *   `__DEBUG_BUILD__` compile-time constant. Passing a custom value avoids
- *   the need to manipulate `window.location` in tests.
+ *   Defaults to `checkDebugGate()` which reads the current page URL. Passing a
+ *   custom value avoids the need to manipulate `window.location` in tests.
  */
 declare function maybeAttach(gateResult?: GateResult): void;
 //#endregion
 //#region src/in-app/index.d.ts
 /**
- * Evaluates the 3-layer debug activation gate against the current page URL.
+ * Evaluates the runtime debug activation layers (B and C) against the current
+ * page URL.
  *
  * Returns the gate result. Callers can check `result.attach` to decide whether
  * to proceed with debug surface attachment.
  *
- * This function reads `window.location` and the `__DEBUG_BUILD__` compile-time
- * constant. It has no other side effects.
+ * This function reads `window.location` only — both the hostname (Layer B1
+ * host allowlist) and the search params (Layers B2 and C). Layer A
+ * (build-time) is enforced by the consumer's `if (__DEBUG_BUILD__)` guard
+ * around the import site, not here — see the file-level comment. Consumers
+ * call this with no arguments, so the Layer B1 host check is picked up with
+ * no change at the call site.
  */
 declare function checkDebugGate(): GateResult;
 //#endregion
-export { type GateInput, type GateResult, type GateResultAttach, type GateResultBlocked, checkDebugGate, deriveTargetScriptUrl, evaluateDebugGate, maybeAttach };
+export { type GateInput, type GateResult, type GateResultAttach, type GateResultBlocked, checkDebugGate, deriveTargetScriptUrl, evaluateDebugGate, isPrivateAppsHost, maybeAttach };
 //# sourceMappingURL=index.d.ts.map

package/dist/in-app/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","names":[],"sources":["../../src/in-app/gate.ts","../../src/in-app/attach.ts","../../src/in-app/index.ts"],"mappings":";;AAiBA;;;;;;;;;AASA;;;;;AAWA;AAAA,UApBiB,gBAAA;EAAA,SACN,MAAA;EAmBc;EAAA,SAjBd,QAAA;EAyBM;EAAA,SAvBN,YAAA;AAAA;;UAIM,iBAAA;EAAA,SACN,MAAA;EA0Cc;;;AAoBzB;;;EApByB,SAnCd,MAAA;AAAA;AAAA,KAGC,UAAA,GAAa,gBAAA,GAAmB,iBAAA;;;;;;;UAQ3B,SAAA;EChBoB;;;;AA6BrC;;;;EA7BqC,SDyB1B,YAAA;;;;AEzBX;;;;;;;;;;WFwCW,YAAA,EAAc,eAAA;AAAA;;;;;;;;;;;;;;;;;;iBAoBT,iBAAA,CAAkB,KAAA,EAAO,SAAA,GAAY,UAAA;;;;;;AApDrD;;;;;AAQA;;;;;;;iBChBgB,qBAAA,CAAsB,QAAA;;AD4DtC;;;;;;;;;;;;AC5DA;;;;iBA6BgB,WAAA,CAAY,UAAA,GAAY,UAAA;;;;;;ADbxC;;;;;;iBEhBgB,cAAA,CAAA,GAAkB,UAAA"}
+{"version":3,"file":"index.d.ts","names":[],"sources":["../../src/in-app/gate.ts","../../src/in-app/attach.ts","../../src/in-app/index.ts"],"mappings":";;AAuCA;;;;;;;;;AASA;;;;;AAcA;;;;;AAQA;;;;;;;;;AA8CA;;;;;AAyBA;;;;UAtGiB,gBAAA;EAAA,SACN,MAAA;EAqG0C;EAAA,SAnG1C,QAAA;EAmGoD;EAAA,SAjGpD,YAAA;AAAA;;UAIM,iBAAA;EAAA,SACN,MAAA;;;;ACQX;;;;;;WDEW,MAAA;AAAA;AAAA,KAGC,UAAA,GAAa,gBAAA,GAAmB,iBAAA;;;;;;;UAQ3B,SAAA;;;;;;;;;;;;;WAaN,QAAA;;;;;;;WAQA,YAAA,EAAc,eAAA;AAAA;;;;;;;;;;;;iBAyBT,iBAAA,CAAkB,QAAA;;;;;;;;;;;;;;;;;;;;;;iBAyBlB,iBAAA,CAAkB,KAAA,EAAO,SAAA,GAAY,UAAA;;;;;;AA/ErD;;;;;AAQA;;;;;;;iBCzCgB,qBAAA,CAAsB,QAAA;;ADuFtC;;;;;AAyBA;;;;;;;;;;iBCpFgB,WAAA,CAAY,UAAA,GAAY,UAAA;;;;;AD2DxC;;;;;AAyBA;;;;;;;iBEjGgB,cAAA,CAAA,GAAkB,UAAA"}

package/dist/in-app/index.js

@@ -1,14 +1,42 @@
 //#region src/in-app/gate.ts
 /**
-* Pure function that evaluates the 3-layer debug activation gate.
+* The host suffix the Toss app uses to serve dogfood / private mini-apps.
 *
-* Has no side effects. All inputs are explicit. Returns a discriminated union
+* A `intoss-private://` (dogfood) entry maps to a host such as
+* `aitc-sdk-example.private-apps.tossmini.com`. A production `intoss://`
+* entry is served from `*.apps.tossmini.com` — the `.private-apps.` segment
+* is absent. Confirmed live over CDP for mini-app 31146; the exact production
+* host is to be re-confirmed once 31146 passes review (spec open question 2).
+*/
+const PRIVATE_APPS_HOST_SUFFIX = ".private-apps.tossmini.com";
+/**
+* Returns whether `hostname` is a `*.private-apps.tossmini.com` subdomain —
+* the host the Toss app reserves for dogfood / private mini-app entries.
+*
+* The match is an exact suffix check, not a substring `.includes()`: a
+* substring test would also accept an attacker-controlled host like
+* `private-apps.tossmini.com.evil.example`, which ends in `.example`, not in
+* `.tossmini.com`. Requiring the string to END with the suffix closes that.
+* The leading `.` in the suffix also forces a real subdomain label, so a
+* bare `private-apps.tossmini.com` (no mini-app subdomain) does not match.
+*/
+function isPrivateAppsHost(hostname) {
+	return hostname.endsWith(PRIVATE_APPS_HOST_SUFFIX);
+}
+/**
+* Pure function that evaluates the runtime debug activation layers (B and C).
+*
+* Has no side effects. The input is explicit. Returns a discriminated union
 * so callers can pattern-match on `result.attach`.
 *
+* Layer A (build-time) is intentionally not evaluated here — see the file-level
+* comment. By the time this function runs, the consumer's `if (__DEBUG_BUILD__)`
+* guard has already passed; this function only decides B and C.
+*
 * @example
 * ```ts
 * const result = evaluateDebugGate({
-*   isDebugBuild: __DEBUG_BUILD__,
+*   hostname: window.location.hostname,
 *   searchParams: new URLSearchParams(window.location.search),
 * });
 * if (result.attach) {
@@ -17,9 +45,9 @@
 * ```
 */
 function evaluateDebugGate(input) {
-	if (!input.isDebugBuild) return {
+	if (!isPrivateAppsHost(input.hostname)) return {
 		attach: false,
-		reason: "build"
+		reason: "host"
 	};
 	const deploymentId = input.searchParams.get("_deploymentId") ?? "";
 	if (deploymentId === "") return {
@@ -105,9 +133,8 @@ let attached = false;
 * guard — in practice this always runs in a real WebView).
 *
 * @param gateResult - Optional pre-evaluated gate result for testability.
-*   Defaults to `checkDebugGate()` which reads the current page URL and the
-*   `__DEBUG_BUILD__` compile-time constant. Passing a custom value avoids
-*   the need to manipulate `window.location` in tests.
+*   Defaults to `checkDebugGate()` which reads the current page URL. Passing a
+*   custom value avoids the need to manipulate `window.location` in tests.
 */
 function maybeAttach(gateResult = checkDebugGate()) {
 	if (!gateResult.attach) {
@@ -138,26 +165,41 @@ function maybeAttach(gateResult = checkDebugGate()) {
 * WebSocket relay, QR/paste UI, and AI-host MCP bin are later phases that
 * require real-device validation and are not included here.
 *
-* This thin entry reads `__DEBUG_BUILD__` and `window.location`, then calls
-* the pure {@link evaluateDebugGate} function. All testable logic lives in
-* `./gate.ts` and `./attach.ts`, not here.
+* This thin entry reads `window.location` and calls the pure
+* {@link evaluateDebugGate} function. All testable logic lives in `./gate.ts`
+* and `./attach.ts`, not here.
+*
+* Layer A of the activation gate (build-time) is NOT enforced in this module.
+* It is the consumer's responsibility: the consumer wraps its
+* `import('@ait-co/devtools/in-app')` call site in `if (__DEBUG_BUILD__) { … }`
+* (see sdk-example `src/main.tsx`), where `__DEBUG_BUILD__` is a
+* consumer-build-time constant. A release consumer build folds that constant
+* to `false` and dead-code-eliminates this whole module. This package is
+* pre-built and ships with `__DEBUG_BUILD__` already resolved at devtools'
+* publish time, so it could never re-evaluate the consumer's build channel —
+* which is exactly why Layer A lives at the consumer guard, not here.
 */
 /**
-* Evaluates the 3-layer debug activation gate against the current page URL.
+* Evaluates the runtime debug activation layers (B and C) against the current
+* page URL.
 *
 * Returns the gate result. Callers can check `result.attach` to decide whether
 * to proceed with debug surface attachment.
 *
-* This function reads `window.location` and the `__DEBUG_BUILD__` compile-time
-* constant. It has no other side effects.
+* This function reads `window.location` only — both the hostname (Layer B1
+* host allowlist) and the search params (Layers B2 and C). Layer A
+* (build-time) is enforced by the consumer's `if (__DEBUG_BUILD__)` guard
+* around the import site, not here — see the file-level comment. Consumers
+* call this with no arguments, so the Layer B1 host check is picked up with
+* no change at the call site.
 */
 function checkDebugGate() {
 	return evaluateDebugGate({
-		isDebugBuild: false,
+		hostname: window.location.hostname,
 		searchParams: new URLSearchParams(window.location.search)
 	});
 }
 //#endregion
-export { checkDebugGate, deriveTargetScriptUrl, evaluateDebugGate, maybeAttach };
+export { checkDebugGate, deriveTargetScriptUrl, evaluateDebugGate, isPrivateAppsHost, maybeAttach };
 
 //# sourceMappingURL=index.js.map

package/dist/in-app/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","names":[],"sources":["../../src/in-app/gate.ts","../../src/in-app/attach.ts","../../src/in-app/index.ts"],"sourcesContent":["/**\n * 3-layer activation gate for the in-app debug surface.\n *\n * Spec: docs/superpowers/specs/2026-05-18-in-app-debug-mcp.md\n * \"3-layer activation gate\". This is the pure gate decision; the Chii client,\n * WebSocket transport, MCP server, and CLI that consume it live in src/mcp/.\n *\n * Decision matrix:\n *\n *   build channel | _deploymentId | debug=1 | result\n *   release       | (any)         | (any)   | BLOCKED  (Layer A — code absent via DCE)\n *   dogfood       | absent        | (any)   | BLOCKED  (Layer B — entry gate)\n *   dogfood       | present       | absent  | BLOCKED  (Layer C — opt-in gate)\n *   dogfood       | present       | present | ATTACH\n */\n\n/** Shape returned when the gate allows attachment. */\nexport interface GateResultAttach {\n  readonly attach: true;\n  /** The validated `wss:` relay URL from the `relay` query param. */\n  readonly relayUrl: string;\n  /** The deployment ID extracted from the `_deploymentId` query param. */\n  readonly deploymentId: string;\n}\n\n/** Shape returned when the gate blocks attachment, with a reason code. */\nexport interface GateResultBlocked {\n  readonly attach: false;\n  /**\n   * - `'build'`        Layer A: `__DEBUG_BUILD__` is false (release build).\n   * - `'entry'`        Layer B: `_deploymentId` param is absent or empty.\n   * - `'opt-in'`       Layer C: `debug=1` param is absent.\n   * - `'invalid-relay'` Layer C: `relay` param is absent, empty, or not a `wss:` URL.\n   */\n  readonly reason: 'build' | 'entry' | 'opt-in' | 'invalid-relay';\n}\n\nexport type GateResult = GateResultAttach | GateResultBlocked;\n\n/**\n * Input for {@link evaluateDebugGate}.\n *\n * Keeping each field explicit makes the function trivially testable without\n * needing to manipulate `window.location`.\n */\nexport interface GateInput {\n  /**\n   * Whether this is a debug build. Corresponds to the `__DEBUG_BUILD__`\n   * compile-time constant injected by tsdown.\n   *\n   * In source code consumed via `@ait-co/devtools/in-app`, the thin\n   * `src/in-app/index.ts` entry reads `__DEBUG_BUILD__` and passes it here.\n   * Tests supply it directly.\n   */\n  readonly isDebugBuild: boolean;\n\n  /**\n   * The URL search params to inspect for gate signals.\n   *\n   * Prefer `URLSearchParams` so callers can pass `new URLSearchParams(location.search)`\n   * without coupling the pure function to `window`.\n   *\n   * Layer B open seam (spec open question 2): if the Toss SDK ever exposes\n   * `getEntryScheme()` or a similar API that reliably signals a dogfood entry,\n   * that signal should be checked before `_deploymentId` here. For now only the\n   * `_deploymentId` query param fallback is implemented. Pass a custom\n   * `URLSearchParams` to inject the SDK signal at the call site without\n   * modifying this function.\n   */\n  readonly searchParams: URLSearchParams;\n}\n\n/**\n * Pure function that evaluates the 3-layer debug activation gate.\n *\n * Has no side effects. All inputs are explicit. Returns a discriminated union\n * so callers can pattern-match on `result.attach`.\n *\n * @example\n * ```ts\n * const result = evaluateDebugGate({\n *   isDebugBuild: __DEBUG_BUILD__,\n *   searchParams: new URLSearchParams(window.location.search),\n * });\n * if (result.attach) {\n *   // Proceed to load Chii client\n * }\n * ```\n */\nexport function evaluateDebugGate(input: GateInput): GateResult {\n  // Layer A — build-time gate.\n  // When false, the entire in-app entry + Chii imports are dead-code-eliminated\n  // by the bundler (tsdown/Rolldown constant folding). Release builds never\n  // contain this branch at all.\n  if (!input.isDebugBuild) {\n    return { attach: false, reason: 'build' };\n  }\n\n  // Layer B — runtime entry scheme gate.\n  // `_deploymentId` must be present and non-empty. The `intoss-private://`\n  // scheme used for dogfood entries includes this param; general user entry\n  // paths do not.\n  //\n  // Open seam (spec open question 2): if the Toss SDK exposes getEntryScheme()\n  // or similar, that should be the 1st-priority signal checked here, with\n  // `_deploymentId` as fallback. Extend this check at the call site by\n  // pre-populating `searchParams` with the SDK signal, or add an optional\n  // `entryScheme` field to `GateInput` in a later phase.\n  const deploymentId = input.searchParams.get('_deploymentId') ?? '';\n  if (deploymentId === '') {\n    return { attach: false, reason: 'entry' };\n  }\n\n  // Layer C — explicit opt-in gate.\n  // Require `debug=1` so that an operator who opens a dogfood URL by accident\n  // does not inadvertently trigger the debug surface.\n  const debugParam = input.searchParams.get('debug');\n  if (debugParam !== '1') {\n    return { attach: false, reason: 'opt-in' };\n  }\n\n  // Layer C continued — relay URL validation.\n  // `relay=<wss-url>` must be present and must use the `wss:` scheme.\n  // Plain `ws:` is rejected (no TLS). `http:`/`https:` are rejected.\n  const relayRaw = input.searchParams.get('relay') ?? '';\n  if (relayRaw === '') {\n    return { attach: false, reason: 'invalid-relay' };\n  }\n\n  let relayUrl: URL;\n  try {\n    relayUrl = new URL(relayRaw);\n  } catch {\n    return { attach: false, reason: 'invalid-relay' };\n  }\n\n  if (relayUrl.protocol !== 'wss:') {\n    return { attach: false, reason: 'invalid-relay' };\n  }\n\n  return { attach: true, relayUrl: relayUrl.href, deploymentId };\n}\n","/**\n * In-app Chii target injection for the debug attach flow.\n *\n * Spec: docs/superpowers/specs/2026-05-18-in-app-debug-mcp.md\n * \"MCP attach\" topology section — Phase 1 browser-side implementation.\n *\n * This module bridges the 3-layer gate result to a Chii `target.js` script\n * injection. The Chii npm package is the relay SERVER — the in-app side is\n * a plain `<script src=\"…/target.js\">` pointing at the relay host. No chii\n * npm dependency is needed here.\n */\n\nimport { checkDebugGate, type GateResult } from './index.js';\n\n/**\n * Converts a validated `wss:` relay URL into the Chii `target.js` script URL.\n *\n * Scheme is mapped `wss:` → `https:`. Host and port are preserved.\n * Pathname is set to `/target.js` regardless of the relay path.\n * Query params and hash from the relay URL are dropped — the target script\n * URL is a static asset path on the same host.\n *\n * @example\n * deriveTargetScriptUrl('wss://abc.trycloudflare.com/relay')\n * // → 'https://abc.trycloudflare.com/target.js'\n *\n * deriveTargetScriptUrl('wss://h.example.com:9100/')\n * // → 'https://h.example.com:9100/target.js'\n */\nexport function deriveTargetScriptUrl(relayUrl: string): string {\n  const u = new URL(relayUrl);\n  u.protocol = 'https:';\n  u.pathname = '/target.js';\n  u.search = '';\n  u.hash = '';\n  return u.toString();\n}\n\n/** Module-level guard against double-injection within a page lifecycle. */\nlet attached = false;\n\n/**\n * Evaluates the 3-layer debug gate and, if the gate passes, injects the Chii\n * `target.js` script into `document.head`.\n *\n * Idempotent — calling more than once is safe. The second call is a no-op if\n * a script with the same `src` is already present in the document, and the\n * module-level `attached` flag prevents redundant DOM queries after the first\n * successful injection.\n *\n * Safe to call even if `document` is somehow unavailable (defensive boundary\n * guard — in practice this always runs in a real WebView).\n *\n * @param gateResult - Optional pre-evaluated gate result for testability.\n *   Defaults to `checkDebugGate()` which reads the current page URL and the\n *   `__DEBUG_BUILD__` compile-time constant. Passing a custom value avoids\n *   the need to manipulate `window.location` in tests.\n */\nexport function maybeAttach(gateResult: GateResult = checkDebugGate()): void {\n  if (!gateResult.attach) {\n    console.debug(\n      `[@ait-co/devtools] debug attach skipped — gate blocked (reason: ${gateResult.reason})`,\n    );\n    return;\n  }\n\n  // Guard against double-injection across repeated calls.\n  if (attached) {\n    return;\n  }\n\n  // Defensive: if document is not available (unusual, but possible in some\n  // SSR-adjacent edge cases), bail silently rather than throwing.\n  if (typeof document === 'undefined') {\n    return;\n  }\n\n  const src = deriveTargetScriptUrl(gateResult.relayUrl);\n\n  // Also guard against a script with the same src already in the DOM\n  // (e.g. injected by a different code path or a page reload within SPA).\n  const existing = document.querySelector<HTMLScriptElement>(`script[src=\"${src}\"]`);\n  if (existing !== null) {\n    attached = true;\n    return;\n  }\n\n  const script = document.createElement('script');\n  script.src = src;\n  script.async = true;\n  (document.head ?? document.documentElement).appendChild(script);\n\n  attached = true;\n}\n","/**\n * @ait-co/devtools/in-app entry point.\n *\n * Spec: docs/superpowers/specs/2026-05-18-in-app-debug-mcp.md\n *\n * Phase 1 — gate + browser-side Chii target injection.\n * WebSocket relay, QR/paste UI, and AI-host MCP bin are later phases that\n * require real-device validation and are not included here.\n *\n * This thin entry reads `__DEBUG_BUILD__` and `window.location`, then calls\n * the pure {@link evaluateDebugGate} function. All testable logic lives in\n * `./gate.ts` and `./attach.ts`, not here.\n */\n\nimport { evaluateDebugGate, type GateResult } from './gate.js';\n\nexport { deriveTargetScriptUrl, maybeAttach } from './attach.js';\nexport type { GateInput, GateResult, GateResultAttach, GateResultBlocked } from './gate.js';\nexport { evaluateDebugGate } from './gate.js';\n\n/**\n * Evaluates the 3-layer debug activation gate against the current page URL.\n *\n * Returns the gate result. Callers can check `result.attach` to decide whether\n * to proceed with debug surface attachment.\n *\n * This function reads `window.location` and the `__DEBUG_BUILD__` compile-time\n * constant. It has no other side effects.\n */\nexport function checkDebugGate(): GateResult {\n  return evaluateDebugGate({\n    isDebugBuild: __DEBUG_BUILD__,\n    searchParams: new URLSearchParams(window.location.search),\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAyFA,SAAgB,kBAAkB,OAA8B;AAK9D,KAAI,CAAC,MAAM,aACT,QAAO;EAAE,QAAQ;EAAO,QAAQ;EAAS;CAa3C,MAAM,eAAe,MAAM,aAAa,IAAI,gBAAgB,IAAI;AAChE,KAAI,iBAAiB,GACnB,QAAO;EAAE,QAAQ;EAAO,QAAQ;EAAS;AAO3C,KADmB,MAAM,aAAa,IAAI,QAAQ,KAC/B,IACjB,QAAO;EAAE,QAAQ;EAAO,QAAQ;EAAU;CAM5C,MAAM,WAAW,MAAM,aAAa,IAAI,QAAQ,IAAI;AACpD,KAAI,aAAa,GACf,QAAO;EAAE,QAAQ;EAAO,QAAQ;EAAiB;CAGnD,IAAI;AACJ,KAAI;AACF,aAAW,IAAI,IAAI,SAAS;SACtB;AACN,SAAO;GAAE,QAAQ;GAAO,QAAQ;GAAiB;;AAGnD,KAAI,SAAS,aAAa,OACxB,QAAO;EAAE,QAAQ;EAAO,QAAQ;EAAiB;AAGnD,QAAO;EAAE,QAAQ;EAAM,UAAU,SAAS;EAAM;EAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC/GhE,SAAgB,sBAAsB,UAA0B;CAC9D,MAAM,IAAI,IAAI,IAAI,SAAS;AAC3B,GAAE,WAAW;AACb,GAAE,WAAW;AACb,GAAE,SAAS;AACX,GAAE,OAAO;AACT,QAAO,EAAE,UAAU;;;AAIrB,IAAI,WAAW;;;;;;;;;;;;;;;;;;AAmBf,SAAgB,YAAY,aAAyB,gBAAgB,EAAQ;AAC3E,KAAI,CAAC,WAAW,QAAQ;AACtB,UAAQ,MACN,mEAAmE,WAAW,OAAO,GACtF;AACD;;AAIF,KAAI,SACF;AAKF,KAAI,OAAO,aAAa,YACtB;CAGF,MAAM,MAAM,sBAAsB,WAAW,SAAS;AAKtD,KADiB,SAAS,cAAiC,eAAe,IAAI,IAAI,KACjE,MAAM;AACrB,aAAW;AACX;;CAGF,MAAM,SAAS,SAAS,cAAc,SAAS;AAC/C,QAAO,MAAM;AACb,QAAO,QAAQ;AACf,EAAC,SAAS,QAAQ,SAAS,iBAAiB,YAAY,OAAO;AAE/D,YAAW;;;;;;;;;;;;;;;;;;;;;;;;;;AC/Db,SAAgB,iBAA6B;AAC3C,QAAO,kBAAkB;EACvB,cAAA;EACA,cAAc,IAAI,gBAAgB,OAAO,SAAS,OAAO;EAC1D,CAAC"}
+{"version":3,"file":"index.js","names":[],"sources":["../../src/in-app/gate.ts","../../src/in-app/attach.ts","../../src/in-app/index.ts"],"sourcesContent":["/**\n * Runtime activation gate for the in-app debug surface.\n *\n * Spec: docs/superpowers/specs/2026-05-18-in-app-debug-mcp.md\n * \"3-layer activation gate\". This is the pure gate decision; the Chii client,\n * WebSocket transport, MCP server, and CLI that consume it live in src/mcp/.\n *\n * This function evaluates the two RUNTIME layers, B and C. Layer A — the\n * build-time gate — is NOT evaluated here, and deliberately so: it is enforced\n * entirely by the consumer's `if (__DEBUG_BUILD__) { … }` guard around the\n * import site (see sdk-example `src/main.tsx`). `__DEBUG_BUILD__` is a\n * consumer-build-time constant; a release consumer build folds it to `false`\n * and dead-code-eliminates the whole import of `@ait-co/devtools/in-app`, so\n * this code is simply absent from release bundles. A pre-built npm package\n * cannot re-check that flag — it was already baked at devtools' own publish\n * time — so any `isDebugBuild` check inside this function would be permanently\n * `false` and could never pass. Layer A is the consumer guard; B and C are\n * here.\n *\n * Layer B has two parts. Both must pass:\n *   B1 — host allowlist: `hostname` must be a `*.private-apps.tossmini.com`\n *        subdomain. The Toss app serves dogfood / private mini-apps from a\n *        separate `private-apps` host; a production (`intoss://`) entry is\n *        served from `*.apps.tossmini.com` WITHOUT the `private-apps` segment.\n *        This is the security gate against a dogfood build that somehow lands\n *        on a production entry — see the comment on {@link isPrivateAppsHost}.\n *   B2 — entry query: `_deploymentId` must be present and non-empty.\n *\n * Decision matrix (the gate only ever runs in a debug build — Layer A already\n * passed by the time this code is reachable):\n *\n *   private-apps host | _deploymentId | debug=1 | result\n *   no                | (any)         | (any)   | BLOCKED  (Layer B1 — host)\n *   yes               | absent        | (any)   | BLOCKED  (Layer B2 — entry)\n *   yes               | present       | absent  | BLOCKED  (Layer C  — opt-in)\n *   yes               | present       | present | ATTACH\n */\n\n/** Shape returned when the gate allows attachment. */\nexport interface GateResultAttach {\n  readonly attach: true;\n  /** The validated `wss:` relay URL from the `relay` query param. */\n  readonly relayUrl: string;\n  /** The deployment ID extracted from the `_deploymentId` query param. */\n  readonly deploymentId: string;\n}\n\n/** Shape returned when the gate blocks attachment, with a reason code. */\nexport interface GateResultBlocked {\n  readonly attach: false;\n  /**\n   * - `'host'`         Layer B1: `hostname` is not a `*.private-apps.tossmini.com` host.\n   * - `'entry'`        Layer B2: `_deploymentId` param is absent or empty.\n   * - `'opt-in'`       Layer C: `debug=1` param is absent.\n   * - `'invalid-relay'` Layer C: `relay` param is absent, empty, or not a `wss:` URL.\n   *\n   * There is no `'build'` reason: Layer A is enforced by the consumer's\n   * `if (__DEBUG_BUILD__)` guard, not by this function.\n   */\n  readonly reason: 'host' | 'entry' | 'opt-in' | 'invalid-relay';\n}\n\nexport type GateResult = GateResultAttach | GateResultBlocked;\n\n/**\n * Input for {@link evaluateDebugGate}.\n *\n * Both fields are explicit so the function is trivially testable without\n * touching `window`.\n */\nexport interface GateInput {\n  /**\n   * The host the page is served from — `window.location.hostname`.\n   *\n   * This is the Layer B1 security signal. Why hostname and not the entry\n   * scheme: the Toss SDK normalises `intoss-private://` to `intoss://` in\n   * `getSchemeUri()`, and `getOperationalEnvironment()` / `getWebViewType()`\n   * return the same value (`\"toss\"` / `\"partner\"`) for both dogfood and\n   * production entries — none of them distinguish a dogfood entry. The host\n   * does: a dogfood / private-apps entry is served from\n   * `*.private-apps.tossmini.com`, a production entry is not. This was\n   * confirmed live over CDP against mini-app 31146 (see spec open question 2).\n   */\n  readonly hostname: string;\n\n  /**\n   * The URL search params to inspect for gate signals (Layers B2 and C).\n   *\n   * Prefer `URLSearchParams` so callers can pass `new URLSearchParams(location.search)`\n   * without coupling the pure function to `window`.\n   */\n  readonly searchParams: URLSearchParams;\n}\n\n/**\n * The host suffix the Toss app uses to serve dogfood / private mini-apps.\n *\n * A `intoss-private://` (dogfood) entry maps to a host such as\n * `aitc-sdk-example.private-apps.tossmini.com`. A production `intoss://`\n * entry is served from `*.apps.tossmini.com` — the `.private-apps.` segment\n * is absent. Confirmed live over CDP for mini-app 31146; the exact production\n * host is to be re-confirmed once 31146 passes review (spec open question 2).\n */\nconst PRIVATE_APPS_HOST_SUFFIX = '.private-apps.tossmini.com';\n\n/**\n * Returns whether `hostname` is a `*.private-apps.tossmini.com` subdomain —\n * the host the Toss app reserves for dogfood / private mini-app entries.\n *\n * The match is an exact suffix check, not a substring `.includes()`: a\n * substring test would also accept an attacker-controlled host like\n * `private-apps.tossmini.com.evil.example`, which ends in `.example`, not in\n * `.tossmini.com`. Requiring the string to END with the suffix closes that.\n * The leading `.` in the suffix also forces a real subdomain label, so a\n * bare `private-apps.tossmini.com` (no mini-app subdomain) does not match.\n */\nexport function isPrivateAppsHost(hostname: string): boolean {\n  return hostname.endsWith(PRIVATE_APPS_HOST_SUFFIX);\n}\n\n/**\n * Pure function that evaluates the runtime debug activation layers (B and C).\n *\n * Has no side effects. The input is explicit. Returns a discriminated union\n * so callers can pattern-match on `result.attach`.\n *\n * Layer A (build-time) is intentionally not evaluated here — see the file-level\n * comment. By the time this function runs, the consumer's `if (__DEBUG_BUILD__)`\n * guard has already passed; this function only decides B and C.\n *\n * @example\n * ```ts\n * const result = evaluateDebugGate({\n *   hostname: window.location.hostname,\n *   searchParams: new URLSearchParams(window.location.search),\n * });\n * if (result.attach) {\n *   // Proceed to load Chii client\n * }\n * ```\n */\nexport function evaluateDebugGate(input: GateInput): GateResult {\n  // Layer B1 — host allowlist (the security gate).\n  // The page must be served from a `*.private-apps.tossmini.com` host. A\n  // production `intoss://` entry is served from `*.apps.tossmini.com` and is\n  // rejected here. This is what stops a dogfood build that somehow reaches a\n  // production entry from attaching: Layer A keeps debug code out of release\n  // bundles, and this layer keeps a dogfood bundle that lands on a production\n  // host from attaching even though its code is present.\n  if (!isPrivateAppsHost(input.hostname)) {\n    return { attach: false, reason: 'host' };\n  }\n\n  // Layer B2 — runtime entry query gate.\n  // `_deploymentId` must be present and non-empty. The `intoss-private://`\n  // scheme used for dogfood entries includes this param; general user entry\n  // paths do not.\n  const deploymentId = input.searchParams.get('_deploymentId') ?? '';\n  if (deploymentId === '') {\n    return { attach: false, reason: 'entry' };\n  }\n\n  // Layer C — explicit opt-in gate.\n  // Require `debug=1` so that an operator who opens a dogfood URL by accident\n  // does not inadvertently trigger the debug surface.\n  const debugParam = input.searchParams.get('debug');\n  if (debugParam !== '1') {\n    return { attach: false, reason: 'opt-in' };\n  }\n\n  // Layer C continued — relay URL validation.\n  // `relay=<wss-url>` must be present and must use the `wss:` scheme.\n  // Plain `ws:` is rejected (no TLS). `http:`/`https:` are rejected.\n  const relayRaw = input.searchParams.get('relay') ?? '';\n  if (relayRaw === '') {\n    return { attach: false, reason: 'invalid-relay' };\n  }\n\n  let relayUrl: URL;\n  try {\n    relayUrl = new URL(relayRaw);\n  } catch {\n    return { attach: false, reason: 'invalid-relay' };\n  }\n\n  if (relayUrl.protocol !== 'wss:') {\n    return { attach: false, reason: 'invalid-relay' };\n  }\n\n  return { attach: true, relayUrl: relayUrl.href, deploymentId };\n}\n","/**\n * In-app Chii target injection for the debug attach flow.\n *\n * Spec: docs/superpowers/specs/2026-05-18-in-app-debug-mcp.md\n * \"MCP attach\" topology section — Phase 1 browser-side implementation.\n *\n * This module bridges the 3-layer gate result to a Chii `target.js` script\n * injection. The Chii npm package is the relay SERVER — the in-app side is\n * a plain `<script src=\"…/target.js\">` pointing at the relay host. No chii\n * npm dependency is needed here.\n */\n\nimport { checkDebugGate, type GateResult } from './index.js';\n\n/**\n * Converts a validated `wss:` relay URL into the Chii `target.js` script URL.\n *\n * Scheme is mapped `wss:` → `https:`. Host and port are preserved.\n * Pathname is set to `/target.js` regardless of the relay path.\n * Query params and hash from the relay URL are dropped — the target script\n * URL is a static asset path on the same host.\n *\n * @example\n * deriveTargetScriptUrl('wss://abc.trycloudflare.com/relay')\n * // → 'https://abc.trycloudflare.com/target.js'\n *\n * deriveTargetScriptUrl('wss://h.example.com:9100/')\n * // → 'https://h.example.com:9100/target.js'\n */\nexport function deriveTargetScriptUrl(relayUrl: string): string {\n  const u = new URL(relayUrl);\n  u.protocol = 'https:';\n  u.pathname = '/target.js';\n  u.search = '';\n  u.hash = '';\n  return u.toString();\n}\n\n/** Module-level guard against double-injection within a page lifecycle. */\nlet attached = false;\n\n/**\n * Evaluates the 3-layer debug gate and, if the gate passes, injects the Chii\n * `target.js` script into `document.head`.\n *\n * Idempotent — calling more than once is safe. The second call is a no-op if\n * a script with the same `src` is already present in the document, and the\n * module-level `attached` flag prevents redundant DOM queries after the first\n * successful injection.\n *\n * Safe to call even if `document` is somehow unavailable (defensive boundary\n * guard — in practice this always runs in a real WebView).\n *\n * @param gateResult - Optional pre-evaluated gate result for testability.\n *   Defaults to `checkDebugGate()` which reads the current page URL. Passing a\n *   custom value avoids the need to manipulate `window.location` in tests.\n */\nexport function maybeAttach(gateResult: GateResult = checkDebugGate()): void {\n  if (!gateResult.attach) {\n    console.debug(\n      `[@ait-co/devtools] debug attach skipped — gate blocked (reason: ${gateResult.reason})`,\n    );\n    return;\n  }\n\n  // Guard against double-injection across repeated calls.\n  if (attached) {\n    return;\n  }\n\n  // Defensive: if document is not available (unusual, but possible in some\n  // SSR-adjacent edge cases), bail silently rather than throwing.\n  if (typeof document === 'undefined') {\n    return;\n  }\n\n  const src = deriveTargetScriptUrl(gateResult.relayUrl);\n\n  // Also guard against a script with the same src already in the DOM\n  // (e.g. injected by a different code path or a page reload within SPA).\n  const existing = document.querySelector<HTMLScriptElement>(`script[src=\"${src}\"]`);\n  if (existing !== null) {\n    attached = true;\n    return;\n  }\n\n  const script = document.createElement('script');\n  script.src = src;\n  script.async = true;\n  (document.head ?? document.documentElement).appendChild(script);\n\n  attached = true;\n}\n","/**\n * @ait-co/devtools/in-app entry point.\n *\n * Spec: docs/superpowers/specs/2026-05-18-in-app-debug-mcp.md\n *\n * Phase 1 — gate + browser-side Chii target injection.\n * WebSocket relay, QR/paste UI, and AI-host MCP bin are later phases that\n * require real-device validation and are not included here.\n *\n * This thin entry reads `window.location` and calls the pure\n * {@link evaluateDebugGate} function. All testable logic lives in `./gate.ts`\n * and `./attach.ts`, not here.\n *\n * Layer A of the activation gate (build-time) is NOT enforced in this module.\n * It is the consumer's responsibility: the consumer wraps its\n * `import('@ait-co/devtools/in-app')` call site in `if (__DEBUG_BUILD__) { … }`\n * (see sdk-example `src/main.tsx`), where `__DEBUG_BUILD__` is a\n * consumer-build-time constant. A release consumer build folds that constant\n * to `false` and dead-code-eliminates this whole module. This package is\n * pre-built and ships with `__DEBUG_BUILD__` already resolved at devtools'\n * publish time, so it could never re-evaluate the consumer's build channel —\n * which is exactly why Layer A lives at the consumer guard, not here.\n */\n\nimport { evaluateDebugGate, type GateResult } from './gate.js';\n\nexport { deriveTargetScriptUrl, maybeAttach } from './attach.js';\nexport type { GateInput, GateResult, GateResultAttach, GateResultBlocked } from './gate.js';\nexport { evaluateDebugGate, isPrivateAppsHost } from './gate.js';\n\n/**\n * Evaluates the runtime debug activation layers (B and C) against the current\n * page URL.\n *\n * Returns the gate result. Callers can check `result.attach` to decide whether\n * to proceed with debug surface attachment.\n *\n * This function reads `window.location` only — both the hostname (Layer B1\n * host allowlist) and the search params (Layers B2 and C). Layer A\n * (build-time) is enforced by the consumer's `if (__DEBUG_BUILD__)` guard\n * around the import site, not here — see the file-level comment. Consumers\n * call this with no arguments, so the Layer B1 host check is picked up with\n * no change at the call site.\n */\nexport function checkDebugGate(): GateResult {\n  return evaluateDebugGate({\n    hostname: window.location.hostname,\n    searchParams: new URLSearchParams(window.location.search),\n  });\n}\n"],"mappings":";;;;;;;;;;AAuGA,MAAM,2BAA2B;;;;;;;;;;;;AAajC,SAAgB,kBAAkB,UAA2B;AAC3D,QAAO,SAAS,SAAS,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;AAwBpD,SAAgB,kBAAkB,OAA8B;AAQ9D,KAAI,CAAC,kBAAkB,MAAM,SAAS,CACpC,QAAO;EAAE,QAAQ;EAAO,QAAQ;EAAQ;CAO1C,MAAM,eAAe,MAAM,aAAa,IAAI,gBAAgB,IAAI;AAChE,KAAI,iBAAiB,GACnB,QAAO;EAAE,QAAQ;EAAO,QAAQ;EAAS;AAO3C,KADmB,MAAM,aAAa,IAAI,QAAQ,KAC/B,IACjB,QAAO;EAAE,QAAQ;EAAO,QAAQ;EAAU;CAM5C,MAAM,WAAW,MAAM,aAAa,IAAI,QAAQ,IAAI;AACpD,KAAI,aAAa,GACf,QAAO;EAAE,QAAQ;EAAO,QAAQ;EAAiB;CAGnD,IAAI;AACJ,KAAI;AACF,aAAW,IAAI,IAAI,SAAS;SACtB;AACN,SAAO;GAAE,QAAQ;GAAO,QAAQ;GAAiB;;AAGnD,KAAI,SAAS,aAAa,OACxB,QAAO;EAAE,QAAQ;EAAO,QAAQ;EAAiB;AAGnD,QAAO;EAAE,QAAQ;EAAM,UAAU,SAAS;EAAM;EAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AChKhE,SAAgB,sBAAsB,UAA0B;CAC9D,MAAM,IAAI,IAAI,IAAI,SAAS;AAC3B,GAAE,WAAW;AACb,GAAE,WAAW;AACb,GAAE,SAAS;AACX,GAAE,OAAO;AACT,QAAO,EAAE,UAAU;;;AAIrB,IAAI,WAAW;;;;;;;;;;;;;;;;;AAkBf,SAAgB,YAAY,aAAyB,gBAAgB,EAAQ;AAC3E,KAAI,CAAC,WAAW,QAAQ;AACtB,UAAQ,MACN,mEAAmE,WAAW,OAAO,GACtF;AACD;;AAIF,KAAI,SACF;AAKF,KAAI,OAAO,aAAa,YACtB;CAGF,MAAM,MAAM,sBAAsB,WAAW,SAAS;AAKtD,KADiB,SAAS,cAAiC,eAAe,IAAI,IAAI,KACjE,MAAM;AACrB,aAAW;AACX;;CAGF,MAAM,SAAS,SAAS,cAAc,SAAS;AAC/C,QAAO,MAAM;AACb,QAAO,QAAQ;AACf,EAAC,SAAS,QAAQ,SAAS,iBAAiB,YAAY,OAAO;AAE/D,YAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC/Cb,SAAgB,iBAA6B;AAC3C,QAAO,kBAAkB;EACvB,UAAU,OAAO,SAAS;EAC1B,cAAc,IAAI,gBAAgB,OAAO,SAAS,OAAO;EAC1D,CAAC"}

package/dist/mcp/cli.js

@@ -636,7 +636,7 @@ function createDebugServer(deps) {
 	const { connection, aitSource, getTunnelStatus } = deps;
 	const server = new Server({
 		name: "ait-debug",
-		version: "0.1.27"
+		version: "0.1.29"
 	}, { capabilities: { tools: {} } });
 	server.setRequestHandler(ListToolsRequestSchema, () => ({ tools: DEBUG_TOOL_DEFINITIONS.map((tool) => ({ ...tool })) }));
 	server.setRequestHandler(CallToolRequestSchema, async (request) => {
@@ -898,7 +898,7 @@ function createDevServer(deps = {}) {
 	const aitSource = deps.aitSource ?? new HttpAitSource({ stateEndpoint });
 	const server = new Server({
 		name: "ait-devtools",
-		version: "0.1.27"
+		version: "0.1.29"
 	}, { capabilities: { tools: {} } });
 	server.setRequestHandler(ListToolsRequestSchema, () => ({ tools: DEV_TOOL_DEFINITIONS.map((tool) => ({ ...tool })) }));
 	server.setRequestHandler(CallToolRequestSchema, async (request) => {

package/dist/mcp/server.js

@@ -234,7 +234,7 @@ function createDevServer(deps = {}) {
 	const aitSource = deps.aitSource ?? new HttpAitSource({ stateEndpoint });
 	const server = new Server({
 		name: "ait-devtools",
-		version: "0.1.27"
+		version: "0.1.29"
 	}, { capabilities: { tools: {} } });
 	server.setRequestHandler(ListToolsRequestSchema, () => ({ tools: DEV_TOOL_DEFINITIONS.map((tool) => ({ ...tool })) }));
 	server.setRequestHandler(CallToolRequestSchema, async (request) => {

package/dist/panel/index.js

@@ -1050,7 +1050,7 @@ function readGlobalString(key) {
 }
 const TELEMETRY_ENDPOINT = readGlobalString("__TELEMETRY_ENDPOINT__") ?? "https://t.aitc.dev";
 function getVersion() {
-	return "0.1.27";
+	return "0.1.29";
 }
 let panelVisibleSince = null;
 let accumulatedMs = 0;
@@ -4182,7 +4182,7 @@ function mount() {
 		mockBadge.textContent = aitState.state.panelEditable ? t("panel.editMode.on") : t("panel.editMode.off");
 		refreshPanel();
 	});
-	const headerRight = h("span", { style: "display:flex;align-items:center;gap:6px" }, mockBadge, h("span", { style: "font-size:11px;color:#666;font-weight:400" }, `v0.1.27`), closeBtn);
+	const headerRight = h("span", { style: "display:flex;align-items:center;gap:6px" }, mockBadge, h("span", { style: "font-size:11px;color:#666;font-weight:400" }, `v0.1.29`), closeBtn);
 	const header = h("div", { className: "ait-panel-header" }, h("span", {}, t("panel.title")), headerRight);
 	tabsEl = h("div", { className: "ait-panel-tabs" });
 	for (const tab of getTabs()) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ait-co/devtools",
-  "version": "0.1.27",
+  "version": "0.1.29",
   "description": "Development tools for Apps in Toss mini-apps — mock SDK, floating devtools panel, and universal bundler plugin",
   "type": "module",
   "engines": {