@ait-co/devtools 0.1.75 → 0.1.76

package/README.en.md

@@ -82,6 +82,26 @@ devtools-mcp   # start MCP server
 
 ---
 
+## On-device debugging in one line
+
+To enable on-device CDP debugging in environments 2, 3, and 4, add **one line** to your mini-app entry (`main.tsx` or equivalent):
+
+```ts
+// main.tsx (or the top of your mini-app entry)
+import '@ait-co/devtools/in-app/auto';
+```
+
+What this single line does:
+
+- **Self-gate**: if neither `?debug=1` nor `?relay=` is in the URL, and it is not a DEV build, the entry does nothing. The chunk stays dormant and has no impact on a normal production load.
+- **Attach**: when the gate passes, calls `maybeAttach()` to inject the Chii `target.js` script (Layer B/C gate semantics are fully preserved).
+- **SDK bridge**: installs `window.__sdk` / `window.__sdkCall` so an agent can drive any SDK API directly over the CDP relay via `Runtime.evaluate`. Silently skipped if `@apps-in-toss/web-framework` is not available.
+- **Types**: provides `Window.__sdk` / `__sdkCall` global type declarations automatically — no separate `globals.d.ts` needed in your project.
+
+For environments 3 and 4 (intoss-private relay), the relay QR deep-link carries `?debug=1&relay=<wss>` query params, so this one line is all the wiring you need. Environment 2 (PWA, `tunnel: { cdp: true }`) works the same way.
+
+> For dogfood builds with TOTP authentication, inject `__DEBUG_TOTP_SECRET__` via your build define and use `@ait-co/devtools/in-app` directly with `evaluateDebugGate({ verifyTotpCode })` + `maybeAttach()`. `in-app/auto` does not inject a TOTP verifier, so Layer C3 is disabled.
+
 ## Five common problems
 
 **"QR window doesn't open"**
@@ -102,7 +122,7 @@ The page on the phone died (OOM, JS exception, or native bridge crash). Relaunch
 
 **"SDK not available" — window.__sdkCall not injected**
 
-When `call_sdk` returns `ok: false, error: "window.__sdkCall is not available"`, a non-dogfood bundle is loaded. Redeploy through the dogfood channel with the `__DEBUG_BUILD__` flag enabled and try again. This error is the expected result in environment 2 (PWA). (Related: [#285](https://github.com/apps-in-toss-community/devtools/issues/285))
+When `call_sdk` returns `ok: false, error: "window.__sdkCall is not available"`, the SDK bridge has not been installed. Check that `import '@ait-co/devtools/in-app/auto'` is present at the top of your mini-app entry — see the "On-device debugging in one line" section above. This error is the expected result in environment 2 (PWA). (Related: [#285](https://github.com/apps-in-toss-community/devtools/issues/285))
 
 **"QR scanned but auth rejected" — TOTP code expired**
 
@@ -1123,6 +1143,7 @@ Returns the full current mock state (permissions, location, auth, network, IAP,
 | `@ait-co/devtools/mcp/server` | Dev-mode MCP stdio server function (Node.js) |
 | `@ait-co/devtools/mcp/cli` | `devtools-mcp` bin entry point (debug / dev mode, Node.js) |
 | `@ait-co/devtools/in-app` | In-app debug attach — runtime gate (layers B/C) + Chii target.js injection. The consumer wraps the import in `if (__DEBUG_BUILD__)` so it is DCE'd from release builds — dogfood builds only |
+| `@ait-co/devtools/in-app/auto` | Self-gating side-effect entry — a single `import '@ait-co/devtools/in-app/auto'` line wires attach + SDK bridge. Active only when `?debug=1` / `?relay=` are in the URL or it is a DEV build; stays dormant on normal production loads. See the [section above](#on-device-debugging-in-one-line) |
 
 ## Telemetry
 

package/README.md

@@ -82,6 +82,26 @@ devtools-mcp   # MCP 서버 시작
 
 ---
 
+## on-device 디버깅 한 줄 설정
+
+환경 2·3·4에서 on-device CDP 디버깅을 활성화하려면 미니앱 entry(`main.tsx` 등)에 **한 줄**을 추가하세요:
+
+```ts
+// main.tsx (또는 미니앱 entry 최상단)
+import '@ait-co/devtools/in-app/auto';
+```
+
+이 한 줄이 하는 일:
+
+- **self-gate**: URL에 `?debug=1` 또는 `?relay=`가 없고, DEV 빌드도 아니라면 아무것도 하지 않습니다. 청크는 dormant 상태로 남아 일반 프로덕션 로드에 영향을 주지 않습니다.
+- **attach**: gate가 통과하면 `maybeAttach()`를 호출해 Chii `target.js`를 주입합니다 (Layer B·C 게이트 시맨틱스는 완전히 유지).
+- **SDK 브리지**: `window.__sdk` / `window.__sdkCall`을 설치해 에이전트가 CDP relay의 `Runtime.evaluate`로 SDK API를 직접 구동할 수 있게 합니다. `@apps-in-toss/web-framework`가 없으면 조용히 skip합니다.
+- **타입**: `Window.__sdk` / `__sdkCall` 글로벌 타입을 자동으로 제공합니다 — 별도 `globals.d.ts` 불필요.
+
+환경 3·4(intoss-private relay) 빌드는 relay QR 딥링크가 `?debug=1&relay=<wss>` 파라미터를 실어 보내므로, 이 한 줄만 있으면 별도 게이트 코드가 필요 없습니다. 환경 2(PWA, `tunnel: { cdp: true }`)도 동일하게 동작합니다.
+
+> TOTP 인증이 필요한 dogfood 빌드는 빌드 define으로 `__DEBUG_TOTP_SECRET__`을 주입하고 `@ait-co/devtools/in-app`을 직접 import해 `evaluateDebugGate({ verifyTotpCode })` + `maybeAttach()`를 사용하세요. `in-app/auto`는 TOTP verifier를 주입하지 않으므로 C3 레이어가 비활성화됩니다.
+
 ## 자주 겪는 문제 5가지
 
 **"QR 창이 안 열림"**
@@ -102,7 +122,7 @@ cloudflared quick tunnel은 수 시간 후 drop될 수 있습니다. `devtools-m
 
 **"SDK 부재" — window.__sdkCall 미주입**
 
-`call_sdk` 호출 시 `ok: false, error: "window.__sdkCall is not available"` 에러가 뜨면 dogfood 빌드가 아닌 일반 번들이 로드된 것입니다. `__DEBUG_BUILD__` 플래그가 켜진 dogfood 채널로 재배포 후 다시 시도하세요. 환경 2(PWA)에서는 이 에러가 예상 결과입니다. (관련: [#285](https://github.com/apps-in-toss-community/devtools/issues/285))
+`call_sdk` 호출 시 `ok: false, error: "window.__sdkCall is not available"` 에러가 뜨면 SDK 브리지가 아직 설치되지 않은 상태입니다. 아래 "on-device 디버깅 한 줄 설정" 섹션을 참고해 `import '@ait-co/devtools/in-app/auto'`가 미니앱 entry에 추가돼 있는지 확인하세요. 환경 2(PWA)에서는 이 에러가 예상 결과입니다. (관련: [#285](https://github.com/apps-in-toss-community/devtools/issues/285))
 
 **"QR 스캔했는데 인증 실패" — TOTP 만료**
 
@@ -1163,6 +1183,7 @@ export default {
 | `@ait-co/devtools/mcp/server` | dev-mode MCP stdio server 함수 (Node.js) |
 | `@ait-co/devtools/mcp/cli` | `devtools-mcp` bin 진입점 (debug / dev 모드, Node.js) |
 | `@ait-co/devtools/in-app` | In-app debug attach — 런타임 gate(layer B·C) + Chii target.js 주입. 소비자가 `if (__DEBUG_BUILD__)`로 import를 감싸 release 빌드에서 DCE — dogfood 빌드 전용 |
+| `@ait-co/devtools/in-app/auto` | Self-gating side-effect entry — `import '@ait-co/devtools/in-app/auto'` 한 줄로 attach + SDK 브리지 설치. URL 파라미터(`?debug=1` / `?relay=`) 또는 DEV 빌드에서만 활성화, 일반 프로덕션 로드는 dormant. [위 섹션](#on-device-디버깅-한-줄-설정) 참고 |
 
 ## 텔레메트리
 

package/dist/in-app/auto.d.ts

@@ -0,0 +1,86 @@
+//#region src/in-app/auto.d.ts
+/**
+ * @ait-co/devtools/in-app/auto — self-gating side-effect entry.
+ *
+ * Consumers add a single line to their mini-app entry:
+ *
+ *   import '@ait-co/devtools/in-app/auto';
+ *
+ * The entry self-gates: if none of the debug activation signals are present
+ * (no `?debug=1`, no `?relay=`, and not a DEV build), it does nothing. The
+ * imported chunk stays dormant and `window.__sdk` / `window.__sdkCall` are
+ * never installed on a normal production load.
+ *
+ * When the gate passes it:
+ *  1. Calls `maybeAttach()` — runs the full Layer B/C gate (host allowlist,
+ *     opt-in params, relay URL, TOTP) and injects the Chii `target.js` script.
+ *     Gate semantics are NOT changed — this is a thin self-gate wrapper.
+ *  2. Installs the SDK bridge (`window.__sdk` / `window.__sdkCall`) so an AI
+ *     agent can drive any SDK API over the CDP relay without hand-synthesising
+ *     the Granite/ReactNative bridge envelope. SDK access uses a dynamic
+ *     import of `@apps-in-toss/web-framework` — the peer is optional, so if
+ *     the SDK is not installed the bridge install is silently skipped
+ *     (fail-silent). The namespace mirror pattern (iterate `Object.keys`) is
+ *     SDK version-neutral: 2.x and 3.x are both covered without any static
+ *     import that would couple the entry to a specific SDK line.
+ *
+ * SECRET-HANDLING: no secret, TOTP code, relay URL, or host value is ever
+ * logged or surfaced beyond the reason enum in `maybeAttach()`.
+ *
+ * Layer A (build-time DCE) is NOT enforced here — this entry IS the
+ * consumer-facing alternative to `if (__DEBUG_BUILD__) { … }`. The self-gate
+ * below performs the same dormancy guarantee via a URL param check, which is
+ * safe in a side-effect import context (the gate runs at module evaluation
+ * time, before any React tree mounts). Consumers who already manage their own
+ * `__DEBUG_BUILD__` guard can keep using `@ait-co/devtools/in-app` directly.
+ *
+ * DEV detection: `import.meta.env.DEV` is resolved by the consumer's bundler
+ * at their build time (Vite/Webpack/Rspack inject the value), not at this
+ * package's publish time — same pattern used by the polyfill's `auto` entry.
+ * When the consumer is NOT running a bundler that injects `import.meta.env`
+ * (e.g. bare Node or a test runner that leaves the raw identifiers in place),
+ * the `typeof` guard makes it safe: a missing `import.meta.env.DEV` resolves
+ * to `undefined`, which is falsy — the DEV path is simply skipped.
+ */
+declare global {
+  interface Window {
+    /**
+     * Entire `@apps-in-toss/web-framework` export namespace mirrored onto a
+     * plain writable object. Installed by the auto entry when `?debug=1` /
+     * `?relay=` is present in the URL, or in DEV builds.
+     *
+     * Lets an AI agent call any SDK API over a CDP relay without
+     * hand-synthesising the Granite/ReactNative bridge envelope:
+     *   `window.__sdk.setDeviceOrientation({ type: 'landscape' })`
+     */
+    __sdk?: Record<string, unknown>;
+    /**
+     * Safe call wrapper for `window.__sdk`. Returns a JSON-serialisable
+     * `{ ok: true, value }` or `{ ok: false, error }` tuple even for
+     * throwing/async SDK functions — ideal for `Runtime.evaluate` results.
+     *
+     * @example
+     * window.__sdkCall('setDeviceOrientation', { type: 'landscape' })
+     */
+    __sdkCall?: (name: string, ...args: unknown[]) => Promise<{
+      ok: boolean;
+      value?: unknown;
+      error?: string;
+    }>;
+  }
+}
+/**
+ * Pure predicate for the self-gate. Exported for unit tests.
+ *
+ * @param isDev - Whether the consumer's bundler folded `import.meta.env.DEV`
+ *   to `true`. Default: reads from `import.meta.env.DEV` at call time, which
+ *   is what the consumer's bundler replaces with a literal at build time.
+ *   Pass an explicit value in tests to control the DEV signal without
+ *   depending on the Vite/vitest build environment.
+ * @param searchStr - URL search string to inspect. Defaults to
+ *   `window.location.search` when called in a browser context.
+ */
+declare function shouldActivate(isDev?: boolean, searchStr?: string): boolean;
+//#endregion
+export { shouldActivate };
+//# sourceMappingURL=auto.d.ts.map

package/dist/in-app/auto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auto.d.ts","names":[],"sources":["../../src/in-app/auto.ts"],"mappings":";;;;;;;;;;;;;;;;;;;;AAuGA;;;;;;;;;;;;;;;;;;;;;;;;QAnDQ,MAAA;EAAA,UACI,MAAA;;;;;;;;;;IAUR,KAAA,GAAQ,MAAA;;;;;;;;;IAUR,SAAA,IACE,IAAA,aACG,IAAA,gBACA,OAAA;MAAU,EAAA;MAAa,KAAA;MAAiB,KAAA;IAAA;EAAA;AAAA;;;;;;;;;;;;iBA2BjC,cAAA,CACd,KAAA,YAMA,SAAA"}

package/dist/in-app/auto.js

@@ -0,0 +1,549 @@
+import { setScreenAwakeMode } from "@apps-in-toss/web-framework";
+//#region src/shared/relay-auth-close.ts
+/**
+* Shared constants for the relay's named TOTP-auth rejection (issue #478).
+*
+* Before #478 the relay rejected an unauthenticated WebSocket upgrade with a
+* raw `HTTP/1.1 401` + `socket.destroy()`. A handshake aborted that way is
+* indistinguishable from a network failure on the browser side — the
+* WebSocket only ever sees close code 1006, so the phone (env-2 launcher PWA)
+* could not tell "stale TOTP code" apart from "tunnel down" and stayed
+* silent. The fix is accept-then-close: complete the handshake, then close
+* with an application close code that NAMES the rejection.
+*
+* Three parties share this contract:
+*   - `src/mcp/chii-relay.ts` (Node) sends the close frame / HTTP error body;
+*   - `src/in-app/attach.ts` (browser) observes relay-bound WebSockets and
+*     surfaces the code to the launcher shell;
+*   - `src/mcp/chii-connection.ts` (Node daemon client) recognises the code
+*     as an auth failure on its own `/client` dial (defensive — #439's fresh
+*     code mint means it should not normally hit this).
+*
+* This module is intentionally dependency-free (no Node, no DOM) so it is
+* safe to import from both the browser in-app bundle and the MCP daemon
+* bundle.
+*
+* SECRET-HANDLING: these are fixed enum values. The close reason / error body
+* must never grow to carry a secret, a TOTP code, or a host.
+*/
+/**
+* WebSocket close code sent by the relay when TOTP auth is rejected.
+*
+* 4000–4999 is the application-reserved range (RFC 6455 §7.4.2); 4401 mirrors
+* HTTP 401 so it reads as "unauthorized" at a glance.
+*/
+const RELAY_AUTH_REJECT_CLOSE_CODE = 4401;
+/**
+* Close reason string accompanying {@link RELAY_AUTH_REJECT_CLOSE_CODE}, and
+* the `error` value of the relay's HTTP 401 JSON body. Enum string only —
+* never interpolated with request data.
+*/
+const RELAY_AUTH_REJECT_REASON = "totp-rejected";
+//#endregion
+//#region src/in-app/gate.ts
+/**
+* The host suffix the Toss app uses to serve dogfood / private mini-apps.
+*
+* A `intoss-private://` (dogfood) entry maps to a host such as
+* `aitc-sdk-example.private-apps.tossmini.com`. A production `intoss://`
+* entry is served from `*.apps.tossmini.com` — the `.private-apps.` segment
+* is absent. Confirmed live over CDP for mini-app 31146; the exact production
+* host is to be re-confirmed once 31146 passes review (spec open question 2).
+*/
+const PRIVATE_APPS_HOST_SUFFIX = ".private-apps.tossmini.com";
+/**
+* The host suffix Cloudflare quick-tunnels serve from — the env 2 (PWA) entry.
+* See {@link isTrycloudflareHost} for why this host kind bypasses Layer B1.
+*/
+const TRYCLOUDFLARE_HOST_SUFFIX = ".trycloudflare.com";
+/**
+* Returns whether `hostname` is a `*.private-apps.tossmini.com` subdomain —
+* the host the Toss app reserves for dogfood / private mini-app entries.
+*
+* The match is an exact suffix check, not a substring `.includes()`: a
+* substring test would also accept an attacker-controlled host like
+* `private-apps.tossmini.com.evil.example`, which ends in `.example`, not in
+* `.tossmini.com`. Requiring the string to END with the suffix closes that.
+* The leading `.` in the suffix also forces a real subdomain label, so a
+* bare `private-apps.tossmini.com` (no mini-app subdomain) does not match.
+*/
+function isPrivateAppsHost(hostname) {
+	return hostname.endsWith(PRIVATE_APPS_HOST_SUFFIX);
+}
+/**
+* The host suffix Cloudflare quick-tunnels use — the env 2 (PWA) entry.
+*
+* Env 2 serves the local Vite dev server through a `*.trycloudflare.com` quick
+* tunnel (`src/unplugin/tunnel.ts`). It has no Toss app, no `intoss-private://`
+* scheme, and — critically — no production runtime: the SDK is the devtools
+* mock, and the page is the developer's own dev build. The Layer B1 safety net
+* (which stops a dogfood build that lands on a Toss *production* host from
+* attaching) has nothing to protect against here, because env 2 has no
+* production host. So a trycloudflare host is allowed past B1 — but ONLY past
+* B1: the remaining layers (C1 opt-in, C2 relay, C3 TOTP) still apply, so a
+* leaked tunnel URL is still blocked by TOTP exactly as on the Toss path.
+*
+* The match is the same exact-suffix `endsWith` check as
+* {@link isPrivateAppsHost} — never a substring `.includes()`, which would
+* accept an attacker-controlled `evil.trycloudflare.com.example.com`. The
+* leading `.` forces a real subdomain label, so a bare `trycloudflare.com`
+* (no tunnel subdomain) does not match.
+*/
+function isTrycloudflareHost(hostname) {
+	return hostname.endsWith(TRYCLOUDFLARE_HOST_SUFFIX);
+}
+/**
+* Pure function that evaluates the runtime debug activation layers (B and C).
+*
+* Has no side effects. The input is explicit. Returns a discriminated union
+* so callers can pattern-match on `result.attach`.
+*
+* Layer A (build-time) is intentionally not evaluated here — see the file-level
+* comment. By the time this function runs, the consumer's `if (__DEBUG_BUILD__)`
+* guard has already passed; this function only decides B and C.
+*
+* @example
+* ```ts
+* const result = evaluateDebugGate({
+*   hostname: window.location.hostname,
+*   searchParams: new URLSearchParams(window.location.search),
+* });
+* if (result.attach) {
+*   // Proceed to load Chii client
+* }
+* ```
+*/
+function evaluateDebugGate(input) {
+	const isTunnel = isTrycloudflareHost(input.hostname);
+	if (!isPrivateAppsHost(input.hostname) && !isTunnel) return {
+		attach: false,
+		reason: "host"
+	};
+	let deploymentId = "";
+	if (!isTunnel) {
+		deploymentId = input.searchParams.get("_deploymentId") ?? "";
+		if (deploymentId === "") return {
+			attach: false,
+			reason: "entry"
+		};
+	}
+	if (input.searchParams.get("debug") !== "1") return {
+		attach: false,
+		reason: "opt-in"
+	};
+	const relayRaw = input.searchParams.get("relay") ?? "";
+	if (relayRaw === "") return {
+		attach: false,
+		reason: "invalid-relay"
+	};
+	let relayUrl;
+	try {
+		relayUrl = new URL(relayRaw);
+	} catch {
+		return {
+			attach: false,
+			reason: "invalid-relay"
+		};
+	}
+	if (relayUrl.protocol !== "wss:") return {
+		attach: false,
+		reason: "invalid-relay"
+	};
+	if (input.verifyTotpCode !== void 0) {
+		const code = input.searchParams.get("at") ?? "";
+		if (!input.verifyTotpCode(code)) return {
+			attach: false,
+			reason: "auth"
+		};
+	}
+	return {
+		attach: true,
+		relayUrl: relayUrl.href,
+		deploymentId
+	};
+}
+//#endregion
+//#region src/in-app/index.ts
+/**
+* @ait-co/devtools/in-app entry point.
+*
+* Spec: docs/superpowers/specs/2026-05-18-in-app-debug-mcp.md
+*
+* Phase 1 — gate + browser-side Chii target injection.
+* WebSocket relay, QR/paste UI, and AI-host MCP bin are later phases that
+* require real-device validation and are not included here.
+*
+* This thin entry reads `window.location` and calls the pure
+* {@link evaluateDebugGate} function. All testable logic lives in `./gate.ts`
+* and `./attach.ts`, not here.
+*
+* Layer A of the activation gate (build-time) is NOT enforced in this module.
+* It is the consumer's responsibility: the consumer wraps its
+* `import('@ait-co/devtools/in-app')` call site in `if (__DEBUG_BUILD__) { … }`
+* (see sdk-example `src/main.tsx`), where `__DEBUG_BUILD__` is a
+* consumer-build-time constant. A release consumer build folds that constant
+* to `false` and dead-code-eliminates this whole module. This package is
+* pre-built and ships with `__DEBUG_BUILD__` already resolved at devtools'
+* publish time, so it could never re-evaluate the consumer's build channel —
+* which is exactly why Layer A lives at the consumer guard, not here.
+*/
+/**
+* Evaluates the runtime debug activation layers (B and C) against the current
+* page URL.
+*
+* Returns the gate result. Callers can check `result.attach` to decide whether
+* to proceed with debug surface attachment.
+*
+* This function reads `window.location` only — both the hostname (Layer B1
+* host allowlist) and the search params (Layers B2 and C). Layer A
+* (build-time) is enforced by the consumer's `if (__DEBUG_BUILD__)` guard
+* around the import site, not here — see the file-level comment. Consumers
+* call this with no arguments, so the Layer B1 host check is picked up with
+* no change at the call site.
+*/
+function checkDebugGate() {
+	return evaluateDebugGate({
+		hostname: window.location.hostname,
+		searchParams: new URLSearchParams(window.location.search)
+	});
+}
+//#endregion
+//#region src/in-app/attach.ts
+/**
+* In-app Chii target injection for the debug attach flow.
+*
+* Spec: docs/superpowers/specs/2026-05-18-in-app-debug-mcp.md
+* "MCP attach" topology section — Phase 1 browser-side implementation.
+*
+* This module bridges the 3-layer gate result to a Chii `target.js` script
+* injection. The Chii npm package is the relay SERVER — the in-app side is
+* a plain `<script src="…/target.js">` pointing at the relay host. No chii
+* npm dependency is needed here.
+*/
+/**
+* Converts a validated `wss:` relay URL into the Chii `target.js` script URL.
+*
+* Scheme is mapped `wss:` → `https:`. Host and port are preserved.
+* Pathname is set to `/target.js` (or `/at/<code>/target.js` when a TOTP code
+* is given) regardless of the relay path. Query params and hash from the
+* relay URL are dropped — the target script URL is a static asset path on the
+* same host.
+*
+* TOTP path-prefix transport (issue #466): chii's stock `target.js` derives
+* its WS endpoint from the script `src` (`scriptEl.src.replace('target.js',
+* '')`), so embedding the current TOTP code in the script URL *path* is the
+* only way the phone-side WS upgrade can carry it — both the script fetch and
+* the derived `wss://<host>/at/<code>/target/<id>` dial inherit the prefix,
+* and the relay verifies + strips it before chii parses the URL. The
+* `window.ChiiServerUrl` + query alternative does NOT work: chii appends
+* `target/<id>` to the serverUrl string, which would land after a `?`.
+*
+* SECRET-HANDLING: `atCode` rides only inside the returned URL (the intended
+* transport — same exposure grade as the daemon client's `at=` query). It is
+* never logged here.
+*
+* @example
+* deriveTargetScriptUrl('wss://abc.trycloudflare.com/relay')
+* // → 'https://abc.trycloudflare.com/target.js'
+*
+* deriveTargetScriptUrl('wss://h.example.com:9100/', '123456')
+* // → 'https://h.example.com:9100/at/123456/target.js'
+*
+* @param relayUrl - Validated `wss:` relay URL from the gate result.
+* @param atCode - Current TOTP code from the page URL's `at` query param, or
+*   `null`/`undefined`/`''` to keep the legacy un-prefixed URL.
+*/
+function deriveTargetScriptUrl(relayUrl, atCode) {
+	const u = new URL(relayUrl);
+	u.protocol = "https:";
+	u.pathname = atCode !== void 0 && atCode !== null && atCode !== "" ? `/at/${encodeURIComponent(atCode)}/target.js` : "/target.js";
+	u.search = "";
+	u.hash = "";
+	return u.toString();
+}
+/** Module-level guard against double-injection within a page lifecycle. */
+let attached = false;
+/** One-shot guard for the parent notification (both observer + onerror probe). */
+let authExpiredNotified = false;
+/** Set once a relay-bound socket closed with 4401 — flips dials to fail-fast. */
+let relayAuthExpired = false;
+/** Guard against stacking multiple observer wrappers on window.WebSocket. */
+let wsObserverInstalled = false;
+/**
+* Posts the `auth-expired` block signal to the parent launcher shell, once.
+*
+* Mirrors the existing `reason: 'auth'` postMessage in {@link maybeAttach}.
+* SECRET-HANDLING: the payload carries ONLY the reason enum — never the code,
+* secret, host, or relay URL.
+*/
+function notifyAuthExpired() {
+	if (authExpiredNotified) return;
+	if (typeof window === "undefined" || window.parent === window) return;
+	authExpiredNotified = true;
+	window.parent.postMessage({
+		type: "ait:debug-attach-blocked",
+		reason: "auth-expired"
+	}, "*");
+}
+/**
+* Normalises a URL into a comparable origin key, mapping the HTTP scheme pair
+* onto the WS pair (`https:`→`wss:`, `http:`→`ws:`) so the `wss:` relay URL
+* from the gate result matches the dials target.js derives from its
+* `https://…/target.js` script src. Returns `null` for unparsable URLs.
+*/
+function wsOriginKey(rawUrl) {
+	let parsed;
+	try {
+		parsed = new URL(rawUrl);
+	} catch {
+		return null;
+	}
+	return `${parsed.protocol === "https:" ? "wss:" : parsed.protocol === "http:" ? "ws:" : parsed.protocol}//${parsed.host}`;
+}
+/**
+* Builds a dummy WebSocket that never connects and closes immediately
+* (asynchronously, with the 4401 code) — returned for relay-bound dials after
+* auth expiry so chii's internal reconnect loop stops producing real network
+* traffic. We cannot stop the loop itself (it lives inside stock target.js);
+* we can only make each iteration free.
+*
+* Both `onclose`-style property handlers and `addEventListener` listeners are
+* fired — stock target.js uses property handlers, but we cannot know every
+* consumer. (A consumer wiring BOTH would see a double callback; acceptable
+* for a retry scheduler and irrelevant for chii.)
+*/
+function createFailFastSocket(url) {
+	const eventTarget = new EventTarget();
+	const sock = {
+		url,
+		readyState: 3,
+		bufferedAmount: 0,
+		extensions: "",
+		protocol: "",
+		binaryType: "blob",
+		onopen: null,
+		onmessage: null,
+		onerror: null,
+		onclose: null,
+		close() {},
+		send() {},
+		addEventListener: eventTarget.addEventListener.bind(eventTarget),
+		removeEventListener: eventTarget.removeEventListener.bind(eventTarget),
+		dispatchEvent: eventTarget.dispatchEvent.bind(eventTarget),
+		CONNECTING: 0,
+		OPEN: 1,
+		CLOSING: 2,
+		CLOSED: 3
+	};
+	setTimeout(() => {
+		const errorEvent = new Event("error");
+		sock.onerror?.(errorEvent);
+		eventTarget.dispatchEvent(errorEvent);
+		let closeEvent;
+		try {
+			closeEvent = new CloseEvent("close", {
+				code: RELAY_AUTH_REJECT_CLOSE_CODE,
+				reason: RELAY_AUTH_REJECT_REASON,
+				wasClean: false
+			});
+		} catch {
+			closeEvent = Object.assign(new Event("close"), {
+				code: RELAY_AUTH_REJECT_CLOSE_CODE,
+				reason: RELAY_AUTH_REJECT_REASON,
+				wasClean: false
+			});
+		}
+		sock.onclose?.(closeEvent);
+		eventTarget.dispatchEvent(closeEvent);
+	}, 0);
+	return sock;
+}
+/**
+* Wraps `window.WebSocket` with a relay-origin-scoped observer (issue #478).
+*
+* - Connections whose URL origin does NOT match the relay origin pass through
+*   to the native constructor untouched — app traffic is never observed.
+* - Relay-origin connections get a `close` listener: code 4401 (the relay's
+*   named TOTP rejection) flips the module into the expired state and posts
+*   `reason: 'auth-expired'` to the parent launcher shell (once).
+* - After 4401, further relay-origin dials return a fail-fast dummy socket so
+*   target.js's autonomous reconnect loop stops hitting the network.
+*
+* Installed by {@link maybeAttach} BEFORE target.js is injected so the very
+* first dial is already observed. Idempotent per page lifecycle. Exported for
+* unit tests.
+*/
+function installRelayWsObserver(relayUrl) {
+	if (wsObserverInstalled) return;
+	if (typeof window === "undefined" || typeof window.WebSocket !== "function") return;
+	const relayKey = wsOriginKey(relayUrl);
+	if (relayKey === null) return;
+	wsObserverInstalled = true;
+	const NativeWebSocket = window.WebSocket;
+	const observed = new Proxy(NativeWebSocket, { construct(target, args) {
+		const url = String(args[0]);
+		if (wsOriginKey(url) !== relayKey) return Reflect.construct(target, args);
+		if (relayAuthExpired) return createFailFastSocket(url);
+		const ws = Reflect.construct(target, args);
+		ws.addEventListener("close", (event) => {
+			if (event.code === 4401) {
+				relayAuthExpired = true;
+				notifyAuthExpired();
+			}
+		});
+		return ws;
+	} });
+	window.WebSocket = observed;
+}
+/**
+* Evaluates the 3-layer debug gate and, if the gate passes, injects the Chii
+* `target.js` script into `document.head`.
+*
+* Idempotent — calling more than once is safe. The second call is a no-op if
+* a script with the same `src` is already present in the document, and the
+* module-level `attached` flag prevents redundant DOM queries after the first
+* successful injection.
+*
+* Safe to call even if `document` is somehow unavailable (defensive boundary
+* guard — in practice this always runs in a real WebView).
+*
+* **keepAwake side effect**: on a successful attach, `setScreenAwakeMode({
+* enabled: true })` is called so the phone screen stays awake during the debug
+* session. A `beforeunload` handler restores normal sleep on page unload.
+* Opt out by adding `noKeepAwake=1` to the page URL query string — the check
+* reads `window.location.search` directly, consistent with other guards in
+* this file.
+*
+* @param gateResult - Optional pre-evaluated gate result for testability.
+*   Defaults to `checkDebugGate()` which reads the current page URL. Passing a
+*   custom value avoids the need to manipulate `window.location` in tests.
+*/
+function maybeAttach(gateResult = checkDebugGate()) {
+	if (!gateResult.attach) {
+		console.debug(`[@ait-co/devtools] debug attach skipped — gate blocked (reason: ${gateResult.reason})`);
+		if (gateResult.reason === "auth" && typeof window !== "undefined" && window.parent !== window) window.parent.postMessage({
+			type: "ait:debug-attach-blocked",
+			reason: "auth"
+		}, "*");
+		return;
+	}
+	if (attached) return;
+	if (typeof document === "undefined") return;
+	const atCode = typeof window !== "undefined" ? new URLSearchParams(window.location.search).get("at") : null;
+	const src = deriveTargetScriptUrl(gateResult.relayUrl, atCode);
+	installRelayWsObserver(gateResult.relayUrl);
+	if (document.querySelector(`script[src="${src}"]`) !== null) {
+		attached = true;
+		return;
+	}
+	const script = document.createElement("script");
+	script.src = src;
+	script.async = true;
+	script.onerror = () => {
+		fetch(src).then((res) => {
+			if (res.status === 401) notifyAuthExpired();
+		}).catch(() => {});
+	};
+	(document.head ?? document.documentElement).appendChild(script);
+	attached = true;
+	if (typeof window !== "undefined" && new URLSearchParams(window.location.search).get("noKeepAwake") === "1") return;
+	setScreenAwakeMode({ enabled: true }).then(() => {
+		window.addEventListener("beforeunload", () => {
+			setScreenAwakeMode({ enabled: false }).catch(() => {});
+		}, { once: true });
+	}).catch((err) => {
+		console.debug("[@ait-co/devtools] setScreenAwakeMode failed:", err);
+	});
+}
+//#endregion
+//#region src/in-app/auto.ts
+/**
+* @ait-co/devtools/in-app/auto — self-gating side-effect entry.
+*
+* Consumers add a single line to their mini-app entry:
+*
+*   import '@ait-co/devtools/in-app/auto';
+*
+* The entry self-gates: if none of the debug activation signals are present
+* (no `?debug=1`, no `?relay=`, and not a DEV build), it does nothing. The
+* imported chunk stays dormant and `window.__sdk` / `window.__sdkCall` are
+* never installed on a normal production load.
+*
+* When the gate passes it:
+*  1. Calls `maybeAttach()` — runs the full Layer B/C gate (host allowlist,
+*     opt-in params, relay URL, TOTP) and injects the Chii `target.js` script.
+*     Gate semantics are NOT changed — this is a thin self-gate wrapper.
+*  2. Installs the SDK bridge (`window.__sdk` / `window.__sdkCall`) so an AI
+*     agent can drive any SDK API over the CDP relay without hand-synthesising
+*     the Granite/ReactNative bridge envelope. SDK access uses a dynamic
+*     import of `@apps-in-toss/web-framework` — the peer is optional, so if
+*     the SDK is not installed the bridge install is silently skipped
+*     (fail-silent). The namespace mirror pattern (iterate `Object.keys`) is
+*     SDK version-neutral: 2.x and 3.x are both covered without any static
+*     import that would couple the entry to a specific SDK line.
+*
+* SECRET-HANDLING: no secret, TOTP code, relay URL, or host value is ever
+* logged or surfaced beyond the reason enum in `maybeAttach()`.
+*
+* Layer A (build-time DCE) is NOT enforced here — this entry IS the
+* consumer-facing alternative to `if (__DEBUG_BUILD__) { … }`. The self-gate
+* below performs the same dormancy guarantee via a URL param check, which is
+* safe in a side-effect import context (the gate runs at module evaluation
+* time, before any React tree mounts). Consumers who already manage their own
+* `__DEBUG_BUILD__` guard can keep using `@ait-co/devtools/in-app` directly.
+*
+* DEV detection: `import.meta.env.DEV` is resolved by the consumer's bundler
+* at their build time (Vite/Webpack/Rspack inject the value), not at this
+* package's publish time — same pattern used by the polyfill's `auto` entry.
+* When the consumer is NOT running a bundler that injects `import.meta.env`
+* (e.g. bare Node or a test runner that leaves the raw identifiers in place),
+* the `typeof` guard makes it safe: a missing `import.meta.env.DEV` resolves
+* to `undefined`, which is falsy — the DEV path is simply skipped.
+*/
+/**
+* Pure predicate for the self-gate. Exported for unit tests.
+*
+* @param isDev - Whether the consumer's bundler folded `import.meta.env.DEV`
+*   to `true`. Default: reads from `import.meta.env.DEV` at call time, which
+*   is what the consumer's bundler replaces with a literal at build time.
+*   Pass an explicit value in tests to control the DEV signal without
+*   depending on the Vite/vitest build environment.
+* @param searchStr - URL search string to inspect. Defaults to
+*   `window.location.search` when called in a browser context.
+*/
+function shouldActivate(isDev = (import.meta?.env)?.DEV === true, searchStr = typeof window !== "undefined" ? window.location.search : "") {
+	if (isDev) return true;
+	const params = new URLSearchParams(searchStr);
+	return params.get("debug") === "1" || params.has("relay");
+}
+if (!shouldActivate()) {} else {
+	maybeAttach();
+	import("@apps-in-toss/web-framework").then((sdk) => {
+		if (typeof window === "undefined") return;
+		const bridge = {};
+		for (const key of Object.keys(sdk)) bridge[key] = sdk[key];
+		window.__sdk = bridge;
+		window.__sdkCall = async (name, ...args) => {
+			const fn = bridge[name];
+			if (typeof fn !== "function") return {
+				ok: false,
+				error: `__sdk.${name} is not a function`
+			};
+			try {
+				return {
+					ok: true,
+					value: await fn(...args)
+				};
+			} catch (e) {
+				return {
+					ok: false,
+					error: e instanceof Error ? e.message : String(e)
+				};
+			}
+		};
+	}).catch(() => {});
+}
+//#endregion
+export { shouldActivate };
+
+//# sourceMappingURL=auto.js.map

package/dist/in-app/auto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auto.js","names":[],"sources":["../../src/shared/relay-auth-close.ts","../../src/in-app/gate.ts","../../src/in-app/index.ts","../../src/in-app/attach.ts","../../src/in-app/auto.ts"],"sourcesContent":["/**\n * Shared constants for the relay's named TOTP-auth rejection (issue #478).\n *\n * Before #478 the relay rejected an unauthenticated WebSocket upgrade with a\n * raw `HTTP/1.1 401` + `socket.destroy()`. A handshake aborted that way is\n * indistinguishable from a network failure on the browser side — the\n * WebSocket only ever sees close code 1006, so the phone (env-2 launcher PWA)\n * could not tell \"stale TOTP code\" apart from \"tunnel down\" and stayed\n * silent. The fix is accept-then-close: complete the handshake, then close\n * with an application close code that NAMES the rejection.\n *\n * Three parties share this contract:\n *   - `src/mcp/chii-relay.ts` (Node) sends the close frame / HTTP error body;\n *   - `src/in-app/attach.ts` (browser) observes relay-bound WebSockets and\n *     surfaces the code to the launcher shell;\n *   - `src/mcp/chii-connection.ts` (Node daemon client) recognises the code\n *     as an auth failure on its own `/client` dial (defensive — #439's fresh\n *     code mint means it should not normally hit this).\n *\n * This module is intentionally dependency-free (no Node, no DOM) so it is\n * safe to import from both the browser in-app bundle and the MCP daemon\n * bundle.\n *\n * SECRET-HANDLING: these are fixed enum values. The close reason / error body\n * must never grow to carry a secret, a TOTP code, or a host.\n */\n\n/**\n * WebSocket close code sent by the relay when TOTP auth is rejected.\n *\n * 4000–4999 is the application-reserved range (RFC 6455 §7.4.2); 4401 mirrors\n * HTTP 401 so it reads as \"unauthorized\" at a glance.\n */\nexport const RELAY_AUTH_REJECT_CLOSE_CODE = 4401;\n\n/**\n * Close reason string accompanying {@link RELAY_AUTH_REJECT_CLOSE_CODE}, and\n * the `error` value of the relay's HTTP 401 JSON body. Enum string only —\n * never interpolated with request data.\n */\nexport const RELAY_AUTH_REJECT_REASON = 'totp-rejected';\n","/**\n * Runtime activation gate for the in-app debug surface.\n *\n * Spec: docs/superpowers/specs/2026-05-18-in-app-debug-mcp.md\n * \"3-layer activation gate\". This is the pure gate decision; the Chii client,\n * WebSocket transport, MCP server, and CLI that consume it live in src/mcp/.\n *\n * This function evaluates the two RUNTIME layers, B and C. Layer A — the\n * build-time gate — is NOT evaluated here, and deliberately so: it is enforced\n * entirely by the consumer's `if (__DEBUG_BUILD__) { … }` guard around the\n * import site (see sdk-example `src/main.tsx`). `__DEBUG_BUILD__` is a\n * consumer-build-time constant; a release consumer build folds it to `false`\n * and dead-code-eliminates the whole import of `@ait-co/devtools/in-app`, so\n * this code is simply absent from release bundles. A pre-built npm package\n * cannot re-check that flag — it was already baked at devtools' own publish\n * time — so any `isDebugBuild` check inside this function would be permanently\n * `false` and could never pass. Layer A is the consumer guard; B and C are\n * here.\n *\n * Layer B has two parts:\n *   B1 — host allowlist: `hostname` must be a `*.private-apps.tossmini.com`\n *        subdomain (Toss dogfood entry) OR a `*.trycloudflare.com` host (env 2\n *        PWA dev tunnel). The Toss app serves dogfood / private mini-apps from\n *        a separate `private-apps` host; a production (`intoss://`) entry is\n *        served from `*.apps.tossmini.com` WITHOUT the `private-apps` segment.\n *        This is the security gate against a dogfood build that somehow lands\n *        on a production entry — see the comment on {@link isPrivateAppsHost}.\n *        The env 2 tunnel host is allowed because it has no production runtime\n *        (mock SDK, the developer's own dev server) — see {@link\n *        isTrycloudflareHost}.\n *   B2 — entry query: `_deploymentId` must be present and non-empty. Applies to\n *        the Toss path only; the env 2 tunnel has no deployed bundle, so B2 is\n *        skipped for `*.trycloudflare.com` hosts.\n *\n * Layer C — opt-in + relay + optional TOTP auth:\n *   C1 — opt-in:       `debug=1` must be present.\n *   C2 — relay URL:    `relay=<wss-url>` must be a valid `wss:` URL.\n *   C3 — TOTP auth:    When `verifyTotpCode` is provided (consumer injected the\n *                      baked secret at build time via `__DEBUG_TOTP_SECRET__`),\n *                      `at=<code>` is checked. Invalid or absent code → BLOCKED.\n *                      When no verifier is provided (TOTP disabled), `at` is\n *                      ignored (backward compatible).\n *\n * Security note on baked secrets:\n *   The TOTP secret baked in via `__DEBUG_TOTP_SECRET__` is present in the\n *   dogfood bundle and is extractable by a determined reverse engineer.\n *   The practical bar raised is: \"URL leak\" (Slack paste, QR screenshot) →\n *   blocked; \"URL + bundle extraction + live TOTP code\" → not blocked.\n *   This is the intended threat model. Do not overpromise on this guarantee.\n *\n * SECRET-HANDLING: `verifyTotpCode` is a black-box predicate. This module\n *   does NOT log the secret, any code value, or pass/fail details beyond the\n *   `'auth'` reason enum.\n *\n * Decision matrix (gate only runs in a debug build — Layer A already passed):\n *\n *   host        | _deploymentId | debug=1 | relay ok | TOTP ok* | result\n *   neither     | (any)         | (any)   | (any)    | (any)    | BLOCKED (host)\n *   private-apps| absent        | (any)   | (any)    | (any)    | BLOCKED (entry)\n *   private-apps| present       | absent  | (any)    | (any)    | BLOCKED (opt-in)\n *   private-apps| present       | present | invalid  | (any)    | BLOCKED (invalid-relay)\n *   private-apps| present       | present | valid    | fail*    | BLOCKED (auth)\n *   private-apps| present       | present | valid    | pass/n/a | ATTACH\n *   trycloudflare| (skipped)    | absent  | (any)    | (any)    | BLOCKED (opt-in)\n *   trycloudflare| (skipped)    | present | invalid  | (any)    | BLOCKED (invalid-relay)\n *   trycloudflare| (skipped)    | present | valid    | fail*    | BLOCKED (auth)\n *   trycloudflare| (skipped)    | present | valid    | pass/n/a | ATTACH\n *\n *   * \"TOTP ok\" column only applies when `verifyTotpCode` is provided.\n *     When no verifier is injected, TOTP check is skipped entirely.\n *   For trycloudflare (env 2 tunnel) hosts B1 is bypassed and B2 is skipped;\n *   C1/C2/C3 still apply identically. The ATTACH result carries\n *   `deploymentId: ''` for tunnel hosts.\n */\n\n/** Shape returned when the gate allows attachment. */\nexport interface GateResultAttach {\n  readonly attach: true;\n  /** The validated `wss:` relay URL from the `relay` query param. */\n  readonly relayUrl: string;\n  /** The deployment ID extracted from the `_deploymentId` query param. */\n  readonly deploymentId: string;\n}\n\n/** Shape returned when the gate blocks attachment, with a reason code. */\nexport interface GateResultBlocked {\n  readonly attach: false;\n  /**\n   * - `'host'`          Layer B1: `hostname` is not a `*.private-apps.tossmini.com` host.\n   * - `'entry'`         Layer B2: `_deploymentId` param is absent or empty.\n   * - `'opt-in'`        Layer C1: `debug=1` param is absent.\n   * - `'invalid-relay'` Layer C2: `relay` param is absent, empty, or not a `wss:` URL.\n   * - `'auth'`          Layer C3: TOTP `at=` code is absent, invalid, or expired\n   *                     (only when a `verifyTotpCode` predicate is injected).\n   *\n   * There is no `'build'` reason: Layer A is enforced by the consumer's\n   * `if (__DEBUG_BUILD__)` guard, not by this function.\n   *\n   * SECRET-HANDLING: `'auth'` is the only value surfaced for auth failures —\n   * no code value, expected value, or secret fragment is ever exposed.\n   */\n  readonly reason: 'host' | 'entry' | 'opt-in' | 'invalid-relay' | 'auth';\n}\n\nexport type GateResult = GateResultAttach | GateResultBlocked;\n\n/**\n * Input for {@link evaluateDebugGate}.\n *\n * All fields are explicit so the function is trivially testable without\n * touching `window`.\n */\nexport interface GateInput {\n  /**\n   * The host the page is served from — `window.location.hostname`.\n   *\n   * This is the Layer B1 security signal. Why hostname and not the entry\n   * scheme: the Toss SDK normalises `intoss-private://` to `intoss://` in\n   * `getSchemeUri()`, and `getOperationalEnvironment()` / `getWebViewType()`\n   * return the same value (`\"toss\"` / `\"partner\"`) for both dogfood and\n   * production entries — none of them distinguish a dogfood entry. The host\n   * does: a dogfood / private-apps entry is served from\n   * `*.private-apps.tossmini.com`, a production entry is not. This was\n   * confirmed live over CDP against mini-app 31146 (see spec open question 2).\n   */\n  readonly hostname: string;\n\n  /**\n   * The URL search params to inspect for gate signals (Layers B2 and C).\n   *\n   * Prefer `URLSearchParams` so callers can pass `new URLSearchParams(location.search)`\n   * without coupling the pure function to `window`.\n   */\n  readonly searchParams: URLSearchParams;\n\n  /**\n   * Optional TOTP code verifier for Layer C3 auth gate.\n   *\n   * When provided, `evaluateDebugGate` reads the `at` query param and passes\n   * it to this predicate. Return `true` to allow, `false` to block with\n   * `reason: 'auth'`.\n   *\n   * Inject via the consumer's build define, e.g.:\n   * ```ts\n   * // dogfood build entry — consumer's build injects __DEBUG_TOTP_SECRET__\n   * declare const __DEBUG_TOTP_SECRET__: string | undefined;\n   * const verifyTotpCode = typeof __DEBUG_TOTP_SECRET__ !== 'undefined'\n   *   ? (code: string) => verifyTotp(__DEBUG_TOTP_SECRET__, code)\n   *   : undefined;\n   * maybeAttach(evaluateDebugGate({ ...params, verifyTotpCode }));\n   * ```\n   *\n   * Security note: this predicate is a black-box from the gate's perspective.\n   * The gate only surfaces pass/fail and the `'auth'` reason code — no code\n   * value or secret fragment is ever logged or returned.\n   *\n   * When `undefined` (TOTP disabled), `at=` is silently ignored and the gate\n   * proceeds to ATTACH if all other layers pass.\n   */\n  readonly verifyTotpCode?: (code: string) => boolean;\n}\n\n/**\n * The host suffix the Toss app uses to serve dogfood / private mini-apps.\n *\n * A `intoss-private://` (dogfood) entry maps to a host such as\n * `aitc-sdk-example.private-apps.tossmini.com`. A production `intoss://`\n * entry is served from `*.apps.tossmini.com` — the `.private-apps.` segment\n * is absent. Confirmed live over CDP for mini-app 31146; the exact production\n * host is to be re-confirmed once 31146 passes review (spec open question 2).\n */\nconst PRIVATE_APPS_HOST_SUFFIX = '.private-apps.tossmini.com';\n\n/**\n * The host suffix Cloudflare quick-tunnels serve from — the env 2 (PWA) entry.\n * See {@link isTrycloudflareHost} for why this host kind bypasses Layer B1.\n */\nconst TRYCLOUDFLARE_HOST_SUFFIX = '.trycloudflare.com';\n\n/**\n * Returns whether `hostname` is a `*.private-apps.tossmini.com` subdomain —\n * the host the Toss app reserves for dogfood / private mini-app entries.\n *\n * The match is an exact suffix check, not a substring `.includes()`: a\n * substring test would also accept an attacker-controlled host like\n * `private-apps.tossmini.com.evil.example`, which ends in `.example`, not in\n * `.tossmini.com`. Requiring the string to END with the suffix closes that.\n * The leading `.` in the suffix also forces a real subdomain label, so a\n * bare `private-apps.tossmini.com` (no mini-app subdomain) does not match.\n */\nexport function isPrivateAppsHost(hostname: string): boolean {\n  return hostname.endsWith(PRIVATE_APPS_HOST_SUFFIX);\n}\n\n/**\n * The host suffix Cloudflare quick-tunnels use — the env 2 (PWA) entry.\n *\n * Env 2 serves the local Vite dev server through a `*.trycloudflare.com` quick\n * tunnel (`src/unplugin/tunnel.ts`). It has no Toss app, no `intoss-private://`\n * scheme, and — critically — no production runtime: the SDK is the devtools\n * mock, and the page is the developer's own dev build. The Layer B1 safety net\n * (which stops a dogfood build that lands on a Toss *production* host from\n * attaching) has nothing to protect against here, because env 2 has no\n * production host. So a trycloudflare host is allowed past B1 — but ONLY past\n * B1: the remaining layers (C1 opt-in, C2 relay, C3 TOTP) still apply, so a\n * leaked tunnel URL is still blocked by TOTP exactly as on the Toss path.\n *\n * The match is the same exact-suffix `endsWith` check as\n * {@link isPrivateAppsHost} — never a substring `.includes()`, which would\n * accept an attacker-controlled `evil.trycloudflare.com.example.com`. The\n * leading `.` forces a real subdomain label, so a bare `trycloudflare.com`\n * (no tunnel subdomain) does not match.\n */\nexport function isTrycloudflareHost(hostname: string): boolean {\n  return hostname.endsWith(TRYCLOUDFLARE_HOST_SUFFIX);\n}\n\n/**\n * Pure function that evaluates the runtime debug activation layers (B and C).\n *\n * Has no side effects. The input is explicit. Returns a discriminated union\n * so callers can pattern-match on `result.attach`.\n *\n * Layer A (build-time) is intentionally not evaluated here — see the file-level\n * comment. By the time this function runs, the consumer's `if (__DEBUG_BUILD__)`\n * guard has already passed; this function only decides B and C.\n *\n * @example\n * ```ts\n * const result = evaluateDebugGate({\n *   hostname: window.location.hostname,\n *   searchParams: new URLSearchParams(window.location.search),\n * });\n * if (result.attach) {\n *   // Proceed to load Chii client\n * }\n * ```\n */\nexport function evaluateDebugGate(input: GateInput): GateResult {\n  // Layer B1 — host allowlist (the security gate).\n  // Two host kinds are allowed past B1:\n  //   - Toss dogfood: `*.private-apps.tossmini.com`. A production `intoss://`\n  //     entry is served from `*.apps.tossmini.com` and is rejected here. This\n  //     is what stops a dogfood build that somehow reaches a production entry\n  //     from attaching: Layer A keeps debug code out of release bundles, and\n  //     this layer keeps a dogfood bundle that lands on a production host from\n  //     attaching even though its code is present.\n  //   - Env 2 PWA tunnel: `*.trycloudflare.com`. This is the developer's own\n  //     local dev server (mock SDK, no production runtime), so the\n  //     production-entry hazard B1 guards against cannot occur. It bypasses B1\n  //     but NOT the remaining layers — C1/C2/C3 (incl. TOTP) still apply, so a\n  //     leaked tunnel URL is blocked exactly as on the Toss path. See\n  //     {@link isTrycloudflareHost}.\n  const isTunnel = isTrycloudflareHost(input.hostname);\n  if (!isPrivateAppsHost(input.hostname) && !isTunnel) {\n    return { attach: false, reason: 'host' };\n  }\n\n  // Layer B2 — runtime entry query gate (Toss path only).\n  // `_deploymentId` must be present and non-empty. The `intoss-private://`\n  // scheme used for dogfood entries includes this param; general user entry\n  // paths do not. The env 2 tunnel has no deployed bundle and therefore no\n  // `_deploymentId` — B2 is skipped for it, and `deploymentId` is reported as\n  // the empty string on a tunnel attach (no consumer reads it; see attach.ts).\n  let deploymentId = '';\n  if (!isTunnel) {\n    deploymentId = input.searchParams.get('_deploymentId') ?? '';\n    if (deploymentId === '') {\n      return { attach: false, reason: 'entry' };\n    }\n  }\n\n  // Layer C — explicit opt-in gate.\n  // Require `debug=1` so that an operator who opens a dogfood URL by accident\n  // does not inadvertently trigger the debug surface.\n  const debugParam = input.searchParams.get('debug');\n  if (debugParam !== '1') {\n    return { attach: false, reason: 'opt-in' };\n  }\n\n  // Layer C continued — relay URL validation.\n  // `relay=<wss-url>` must be present and must use the `wss:` scheme.\n  // Plain `ws:` is rejected (no TLS). `http:`/`https:` are rejected.\n  const relayRaw = input.searchParams.get('relay') ?? '';\n  if (relayRaw === '') {\n    return { attach: false, reason: 'invalid-relay' };\n  }\n\n  let relayUrl: URL;\n  try {\n    relayUrl = new URL(relayRaw);\n  } catch {\n    return { attach: false, reason: 'invalid-relay' };\n  }\n\n  if (relayUrl.protocol !== 'wss:') {\n    return { attach: false, reason: 'invalid-relay' };\n  }\n\n  // Layer C3 — TOTP auth gate (fail-fast, only when a verifier is injected).\n  // The `at` query param carries the current TOTP code. Absent or invalid code\n  // → BLOCKED. When no verifier is provided (TOTP disabled), this check is\n  // skipped entirely for backward compatibility.\n  //\n  // SECRET-HANDLING: we do NOT log `code`, the verifier's result, or anything\n  // derived from the secret. Only the `'auth'` enum is surfaced on failure.\n  if (input.verifyTotpCode !== undefined) {\n    const code = input.searchParams.get('at') ?? '';\n    if (!input.verifyTotpCode(code)) {\n      return { attach: false, reason: 'auth' };\n    }\n  }\n\n  return { attach: true, relayUrl: relayUrl.href, deploymentId };\n}\n","/**\n * @ait-co/devtools/in-app entry point.\n *\n * Spec: docs/superpowers/specs/2026-05-18-in-app-debug-mcp.md\n *\n * Phase 1 — gate + browser-side Chii target injection.\n * WebSocket relay, QR/paste UI, and AI-host MCP bin are later phases that\n * require real-device validation and are not included here.\n *\n * This thin entry reads `window.location` and calls the pure\n * {@link evaluateDebugGate} function. All testable logic lives in `./gate.ts`\n * and `./attach.ts`, not here.\n *\n * Layer A of the activation gate (build-time) is NOT enforced in this module.\n * It is the consumer's responsibility: the consumer wraps its\n * `import('@ait-co/devtools/in-app')` call site in `if (__DEBUG_BUILD__) { … }`\n * (see sdk-example `src/main.tsx`), where `__DEBUG_BUILD__` is a\n * consumer-build-time constant. A release consumer build folds that constant\n * to `false` and dead-code-eliminates this whole module. This package is\n * pre-built and ships with `__DEBUG_BUILD__` already resolved at devtools'\n * publish time, so it could never re-evaluate the consumer's build channel —\n * which is exactly why Layer A lives at the consumer guard, not here.\n */\n\nimport { evaluateDebugGate, type GateResult } from './gate.js';\n\nexport { deriveTargetScriptUrl, maybeAttach } from './attach.js';\nexport type { GateInput, GateResult, GateResultAttach, GateResultBlocked } from './gate.js';\nexport { evaluateDebugGate, isPrivateAppsHost, isTrycloudflareHost } from './gate.js';\n\n/**\n * Evaluates the runtime debug activation layers (B and C) against the current\n * page URL.\n *\n * Returns the gate result. Callers can check `result.attach` to decide whether\n * to proceed with debug surface attachment.\n *\n * This function reads `window.location` only — both the hostname (Layer B1\n * host allowlist) and the search params (Layers B2 and C). Layer A\n * (build-time) is enforced by the consumer's `if (__DEBUG_BUILD__)` guard\n * around the import site, not here — see the file-level comment. Consumers\n * call this with no arguments, so the Layer B1 host check is picked up with\n * no change at the call site.\n */\nexport function checkDebugGate(): GateResult {\n  return evaluateDebugGate({\n    hostname: window.location.hostname,\n    searchParams: new URLSearchParams(window.location.search),\n  });\n}\n","/**\n * In-app Chii target injection for the debug attach flow.\n *\n * Spec: docs/superpowers/specs/2026-05-18-in-app-debug-mcp.md\n * \"MCP attach\" topology section — Phase 1 browser-side implementation.\n *\n * This module bridges the 3-layer gate result to a Chii `target.js` script\n * injection. The Chii npm package is the relay SERVER — the in-app side is\n * a plain `<script src=\"…/target.js\">` pointing at the relay host. No chii\n * npm dependency is needed here.\n */\n\nimport { setScreenAwakeMode } from '@apps-in-toss/web-framework';\nimport {\n  RELAY_AUTH_REJECT_CLOSE_CODE,\n  RELAY_AUTH_REJECT_REASON,\n} from '../shared/relay-auth-close.js';\nimport { checkDebugGate, type GateResult } from './index.js';\n\n/**\n * Converts a validated `wss:` relay URL into the Chii `target.js` script URL.\n *\n * Scheme is mapped `wss:` → `https:`. Host and port are preserved.\n * Pathname is set to `/target.js` (or `/at/<code>/target.js` when a TOTP code\n * is given) regardless of the relay path. Query params and hash from the\n * relay URL are dropped — the target script URL is a static asset path on the\n * same host.\n *\n * TOTP path-prefix transport (issue #466): chii's stock `target.js` derives\n * its WS endpoint from the script `src` (`scriptEl.src.replace('target.js',\n * '')`), so embedding the current TOTP code in the script URL *path* is the\n * only way the phone-side WS upgrade can carry it — both the script fetch and\n * the derived `wss://<host>/at/<code>/target/<id>` dial inherit the prefix,\n * and the relay verifies + strips it before chii parses the URL. The\n * `window.ChiiServerUrl` + query alternative does NOT work: chii appends\n * `target/<id>` to the serverUrl string, which would land after a `?`.\n *\n * SECRET-HANDLING: `atCode` rides only inside the returned URL (the intended\n * transport — same exposure grade as the daemon client's `at=` query). It is\n * never logged here.\n *\n * @example\n * deriveTargetScriptUrl('wss://abc.trycloudflare.com/relay')\n * // → 'https://abc.trycloudflare.com/target.js'\n *\n * deriveTargetScriptUrl('wss://h.example.com:9100/', '123456')\n * // → 'https://h.example.com:9100/at/123456/target.js'\n *\n * @param relayUrl - Validated `wss:` relay URL from the gate result.\n * @param atCode - Current TOTP code from the page URL's `at` query param, or\n *   `null`/`undefined`/`''` to keep the legacy un-prefixed URL.\n */\nexport function deriveTargetScriptUrl(relayUrl: string, atCode?: string | null): string {\n  const u = new URL(relayUrl);\n  u.protocol = 'https:';\n  u.pathname =\n    atCode !== undefined && atCode !== null && atCode !== ''\n      ? `/at/${encodeURIComponent(atCode)}/target.js`\n      : '/target.js';\n  u.search = '';\n  u.hash = '';\n  return u.toString();\n}\n\n/** Module-level guard against double-injection within a page lifecycle. */\nlet attached = false;\n\n// ---------------------------------------------------------------------------\n// Relay-origin WebSocket observer (issue #478)\n//\n// After a successful attach, chii's target.js owns its own reconnect loop —\n// `maybeAttach()` never re-runs, so a much-later reconnect carrying the stale\n// `/at/<code>/` prefix is rejected by the relay with NO in-page signal. The\n// relay now names that rejection (accept-then-close, code 4401), and this\n// observer is the in-page half: it watches relay-bound WebSockets for the\n// 4401 close and tells the parent launcher shell once, then fail-fasts any\n// further relay dials so the retry loop stops generating network traffic.\n// ---------------------------------------------------------------------------\n\n/** One-shot guard for the parent notification (both observer + onerror probe). */\nlet authExpiredNotified = false;\n\n/** Set once a relay-bound socket closed with 4401 — flips dials to fail-fast. */\nlet relayAuthExpired = false;\n\n/** Guard against stacking multiple observer wrappers on window.WebSocket. */\nlet wsObserverInstalled = false;\n\n/**\n * Posts the `auth-expired` block signal to the parent launcher shell, once.\n *\n * Mirrors the existing `reason: 'auth'` postMessage in {@link maybeAttach}.\n * SECRET-HANDLING: the payload carries ONLY the reason enum — never the code,\n * secret, host, or relay URL.\n */\nfunction notifyAuthExpired(): void {\n  if (authExpiredNotified) return;\n  if (typeof window === 'undefined' || window.parent === window) return;\n  authExpiredNotified = true;\n  window.parent.postMessage({ type: 'ait:debug-attach-blocked', reason: 'auth-expired' }, '*');\n}\n\n/**\n * Normalises a URL into a comparable origin key, mapping the HTTP scheme pair\n * onto the WS pair (`https:`→`wss:`, `http:`→`ws:`) so the `wss:` relay URL\n * from the gate result matches the dials target.js derives from its\n * `https://…/target.js` script src. Returns `null` for unparsable URLs.\n */\nfunction wsOriginKey(rawUrl: string): string | null {\n  let parsed: URL;\n  try {\n    parsed = new URL(rawUrl);\n  } catch {\n    return null;\n  }\n  const protocol =\n    parsed.protocol === 'https:' ? 'wss:' : parsed.protocol === 'http:' ? 'ws:' : parsed.protocol;\n  return `${protocol}//${parsed.host}`;\n}\n\n/**\n * Builds a dummy WebSocket that never connects and closes immediately\n * (asynchronously, with the 4401 code) — returned for relay-bound dials after\n * auth expiry so chii's internal reconnect loop stops producing real network\n * traffic. We cannot stop the loop itself (it lives inside stock target.js);\n * we can only make each iteration free.\n *\n * Both `onclose`-style property handlers and `addEventListener` listeners are\n * fired — stock target.js uses property handlers, but we cannot know every\n * consumer. (A consumer wiring BOTH would see a double callback; acceptable\n * for a retry scheduler and irrelevant for chii.)\n */\nfunction createFailFastSocket(url: string): WebSocket {\n  const eventTarget = new EventTarget();\n  const sock = {\n    url,\n    readyState: 3, // CLOSED\n    bufferedAmount: 0,\n    extensions: '',\n    protocol: '',\n    binaryType: 'blob' as BinaryType,\n    onopen: null as ((ev: Event) => unknown) | null,\n    onmessage: null as ((ev: Event) => unknown) | null,\n    onerror: null as ((ev: Event) => unknown) | null,\n    onclose: null as ((ev: Event) => unknown) | null,\n    close(): void {},\n    send(): void {},\n    addEventListener: eventTarget.addEventListener.bind(eventTarget),\n    removeEventListener: eventTarget.removeEventListener.bind(eventTarget),\n    dispatchEvent: eventTarget.dispatchEvent.bind(eventTarget),\n    CONNECTING: 0,\n    OPEN: 1,\n    CLOSING: 2,\n    CLOSED: 3,\n  };\n  setTimeout(() => {\n    const errorEvent = new Event('error');\n    sock.onerror?.(errorEvent);\n    eventTarget.dispatchEvent(errorEvent);\n    // CloseEvent exists in every real WebView; the Object.assign fallback\n    // keeps the dummy environment-proof (consumers only read `.code`).\n    let closeEvent: Event;\n    try {\n      closeEvent = new CloseEvent('close', {\n        code: RELAY_AUTH_REJECT_CLOSE_CODE,\n        reason: RELAY_AUTH_REJECT_REASON,\n        wasClean: false,\n      });\n    } catch {\n      closeEvent = Object.assign(new Event('close'), {\n        code: RELAY_AUTH_REJECT_CLOSE_CODE,\n        reason: RELAY_AUTH_REJECT_REASON,\n        wasClean: false,\n      });\n    }\n    sock.onclose?.(closeEvent);\n    eventTarget.dispatchEvent(closeEvent);\n  }, 0);\n  return sock as unknown as WebSocket;\n}\n\n/**\n * Wraps `window.WebSocket` with a relay-origin-scoped observer (issue #478).\n *\n * - Connections whose URL origin does NOT match the relay origin pass through\n *   to the native constructor untouched — app traffic is never observed.\n * - Relay-origin connections get a `close` listener: code 4401 (the relay's\n *   named TOTP rejection) flips the module into the expired state and posts\n *   `reason: 'auth-expired'` to the parent launcher shell (once).\n * - After 4401, further relay-origin dials return a fail-fast dummy socket so\n *   target.js's autonomous reconnect loop stops hitting the network.\n *\n * Installed by {@link maybeAttach} BEFORE target.js is injected so the very\n * first dial is already observed. Idempotent per page lifecycle. Exported for\n * unit tests.\n */\nexport function installRelayWsObserver(relayUrl: string): void {\n  if (wsObserverInstalled) return;\n  if (typeof window === 'undefined' || typeof window.WebSocket !== 'function') return;\n  const relayKey = wsOriginKey(relayUrl);\n  if (relayKey === null) return;\n  wsObserverInstalled = true;\n\n  const NativeWebSocket = window.WebSocket;\n  const observed = new Proxy(NativeWebSocket, {\n    construct(target, args: unknown[]): object {\n      const url = String(args[0]);\n      if (wsOriginKey(url) !== relayKey) {\n        // Not relay traffic — construct natively, no observation.\n        return Reflect.construct(target, args);\n      }\n      if (relayAuthExpired) {\n        // Retry-storm cutoff: the relay already named this session expired.\n        return createFailFastSocket(url);\n      }\n      const ws = Reflect.construct(target, args) as WebSocket;\n      ws.addEventListener('close', (event) => {\n        if ((event as CloseEvent).code === RELAY_AUTH_REJECT_CLOSE_CODE) {\n          relayAuthExpired = true;\n          notifyAuthExpired();\n        }\n      });\n      return ws;\n    },\n  });\n  window.WebSocket = observed as typeof WebSocket;\n}\n\n/**\n * Evaluates the 3-layer debug gate and, if the gate passes, injects the Chii\n * `target.js` script into `document.head`.\n *\n * Idempotent — calling more than once is safe. The second call is a no-op if\n * a script with the same `src` is already present in the document, and the\n * module-level `attached` flag prevents redundant DOM queries after the first\n * successful injection.\n *\n * Safe to call even if `document` is somehow unavailable (defensive boundary\n * guard — in practice this always runs in a real WebView).\n *\n * **keepAwake side effect**: on a successful attach, `setScreenAwakeMode({\n * enabled: true })` is called so the phone screen stays awake during the debug\n * session. A `beforeunload` handler restores normal sleep on page unload.\n * Opt out by adding `noKeepAwake=1` to the page URL query string — the check\n * reads `window.location.search` directly, consistent with other guards in\n * this file.\n *\n * @param gateResult - Optional pre-evaluated gate result for testability.\n *   Defaults to `checkDebugGate()` which reads the current page URL. Passing a\n *   custom value avoids the need to manipulate `window.location` in tests.\n */\nexport function maybeAttach(gateResult: GateResult = checkDebugGate()): void {\n  if (!gateResult.attach) {\n    console.debug(\n      `[@ait-co/devtools] debug attach skipped — gate blocked (reason: ${gateResult.reason})`,\n    );\n    // Defect 2: a wrong/expired TOTP code is the ONLY block reason that is a\n    // user-actionable failure inside a deliberate debug session — the operator\n    // scanned a QR expecting an attach. Surface it to the parent launcher shell\n    // so it can show a \"rescan the QR\" banner. Every other reason\n    // ('host'/'entry'/'opt-in'/'invalid-relay') fires on ordinary non-debug page\n    // loads and must stay silent to avoid a banner on every plain pageview.\n    // SECRET-HANDLING: the message carries ONLY the 'auth' reason enum — never\n    // the code, secret, host, or relay URL.\n    if (gateResult.reason === 'auth' && typeof window !== 'undefined' && window.parent !== window) {\n      window.parent.postMessage({ type: 'ait:debug-attach-blocked', reason: 'auth' }, '*');\n    }\n    return;\n  }\n\n  // Guard against double-injection across repeated calls.\n  if (attached) {\n    return;\n  }\n\n  // Defensive: if document is not available (unusual, but possible in some\n  // SSR-adjacent edge cases), bail silently rather than throwing.\n  if (typeof document === 'undefined') {\n    return;\n  }\n\n  // TOTP path-prefix transport (issue #466): forward the page URL's `at` code\n  // (delivered by the dashboard QR → launcher deep-link) into the target\n  // script URL so the WS upgrade derived from it passes the relay's TOTP\n  // gate. Absent `at` → legacy un-prefixed URL (relay without TOTP, tests).\n  // Read window.location.search directly, consistent with other guards in\n  // this file. SECRET-HANDLING: the code is never logged; it rides only in\n  // the script src (the intended transport).\n  //\n  // TTL note: the code is verified within the relay's ±1-step window (90 s),\n  // so the initial attach always fits. A much-later automatic reconnect by\n  // target.js reuses the stale prefix and is rejected (401) — by design under\n  // the URL-leak threat model; recover by rescanning the QR (the relay-side\n  // auth-reject counter from issue #467 makes this visible).\n  const atCode =\n    typeof window !== 'undefined' ? new URLSearchParams(window.location.search).get('at') : null;\n\n  const src = deriveTargetScriptUrl(gateResult.relayUrl, atCode);\n\n  // Issue #478: observe relay-bound WebSockets BEFORE target.js is injected so\n  // even its very first dial — and every autonomous reconnect after a session\n  // drop — is covered. The relay names a TOTP rejection with close code 4401;\n  // the observer relays it to the launcher banner and cuts the retry storm.\n  installRelayWsObserver(gateResult.relayUrl);\n\n  // Also guard against a script with the same src already in the DOM\n  // (e.g. injected by a different code path or a page reload within SPA).\n  const existing = document.querySelector<HTMLScriptElement>(`script[src=\"${src}\"]`);\n  if (existing !== null) {\n    attached = true;\n    return;\n  }\n\n  const script = document.createElement('script');\n  script.src = src;\n  script.async = true;\n  // Issue #478: a first-load stale code (QR scanned after expiry) fails the\n  // target.js GET itself — no WebSocket is ever dialled, so the observer\n  // above can't see it. Probe the same URL once with fetch(): the relay's\n  // 401 now carries CORS headers, so the status is readable cross-origin.\n  // 401 → surface auth-expired; anything else (tunnel down, transient\n  // network) stays silent — same behaviour as before #478.\n  script.onerror = () => {\n    void fetch(src)\n      .then((res) => {\n        if (res.status === 401) notifyAuthExpired();\n      })\n      .catch(() => {\n        // Network-level failure — not an auth signal; stay silent.\n      });\n  };\n  (document.head ?? document.documentElement).appendChild(script);\n\n  attached = true;\n\n  // keepAwake — keep phone screen on during the debug session.\n  // Opt out via noKeepAwake=1 in the URL (consistent with direct window reads\n  // used throughout this file).\n  if (\n    typeof window !== 'undefined' &&\n    new URLSearchParams(window.location.search).get('noKeepAwake') === '1'\n  ) {\n    return;\n  }\n\n  setScreenAwakeMode({ enabled: true })\n    .then(() => {\n      // Restore normal sleep on page unload — only if the enable call succeeded\n      // (nothing to restore if it failed).\n      window.addEventListener(\n        'beforeunload',\n        () => {\n          setScreenAwakeMode({ enabled: false }).catch(() => {});\n        },\n        { once: true },\n      );\n    })\n    .catch((err) => {\n      // Swallow rejection so attach never breaks — some platforms/mock reject.\n      console.debug('[@ait-co/devtools] setScreenAwakeMode failed:', err);\n    });\n}\n","/**\n * @ait-co/devtools/in-app/auto — self-gating side-effect entry.\n *\n * Consumers add a single line to their mini-app entry:\n *\n *   import '@ait-co/devtools/in-app/auto';\n *\n * The entry self-gates: if none of the debug activation signals are present\n * (no `?debug=1`, no `?relay=`, and not a DEV build), it does nothing. The\n * imported chunk stays dormant and `window.__sdk` / `window.__sdkCall` are\n * never installed on a normal production load.\n *\n * When the gate passes it:\n *  1. Calls `maybeAttach()` — runs the full Layer B/C gate (host allowlist,\n *     opt-in params, relay URL, TOTP) and injects the Chii `target.js` script.\n *     Gate semantics are NOT changed — this is a thin self-gate wrapper.\n *  2. Installs the SDK bridge (`window.__sdk` / `window.__sdkCall`) so an AI\n *     agent can drive any SDK API over the CDP relay without hand-synthesising\n *     the Granite/ReactNative bridge envelope. SDK access uses a dynamic\n *     import of `@apps-in-toss/web-framework` — the peer is optional, so if\n *     the SDK is not installed the bridge install is silently skipped\n *     (fail-silent). The namespace mirror pattern (iterate `Object.keys`) is\n *     SDK version-neutral: 2.x and 3.x are both covered without any static\n *     import that would couple the entry to a specific SDK line.\n *\n * SECRET-HANDLING: no secret, TOTP code, relay URL, or host value is ever\n * logged or surfaced beyond the reason enum in `maybeAttach()`.\n *\n * Layer A (build-time DCE) is NOT enforced here — this entry IS the\n * consumer-facing alternative to `if (__DEBUG_BUILD__) { … }`. The self-gate\n * below performs the same dormancy guarantee via a URL param check, which is\n * safe in a side-effect import context (the gate runs at module evaluation\n * time, before any React tree mounts). Consumers who already manage their own\n * `__DEBUG_BUILD__` guard can keep using `@ait-co/devtools/in-app` directly.\n *\n * DEV detection: `import.meta.env.DEV` is resolved by the consumer's bundler\n * at their build time (Vite/Webpack/Rspack inject the value), not at this\n * package's publish time — same pattern used by the polyfill's `auto` entry.\n * When the consumer is NOT running a bundler that injects `import.meta.env`\n * (e.g. bare Node or a test runner that leaves the raw identifiers in place),\n * the `typeof` guard makes it safe: a missing `import.meta.env.DEV` resolves\n * to `undefined`, which is falsy — the DEV path is simply skipped.\n */\n\nimport { maybeAttach } from './attach.js';\n\n// ---------------------------------------------------------------------------\n// Global type augmentation\n//\n// Consumers who import '@ait-co/devtools/in-app/auto' get these Window types\n// automatically — no separate globals.d.ts needed in their project.\n// ---------------------------------------------------------------------------\ndeclare global {\n  interface Window {\n    /**\n     * Entire `@apps-in-toss/web-framework` export namespace mirrored onto a\n     * plain writable object. Installed by the auto entry when `?debug=1` /\n     * `?relay=` is present in the URL, or in DEV builds.\n     *\n     * Lets an AI agent call any SDK API over a CDP relay without\n     * hand-synthesising the Granite/ReactNative bridge envelope:\n     *   `window.__sdk.setDeviceOrientation({ type: 'landscape' })`\n     */\n    __sdk?: Record<string, unknown>;\n\n    /**\n     * Safe call wrapper for `window.__sdk`. Returns a JSON-serialisable\n     * `{ ok: true, value }` or `{ ok: false, error }` tuple even for\n     * throwing/async SDK functions — ideal for `Runtime.evaluate` results.\n     *\n     * @example\n     * window.__sdkCall('setDeviceOrientation', { type: 'landscape' })\n     */\n    __sdkCall?: (\n      name: string,\n      ...args: unknown[]\n    ) => Promise<{ ok: boolean; value?: unknown; error?: string }>;\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Self-gate\n//\n// Mirrors the gate in sdk-example/src/main.tsx:\n//   - import.meta.env.DEV  →  env 1 (plain `pnpm dev`)\n//   - ?debug=1             →  on-device debug deep-link (env 3/4)\n//   - ?relay=              →  on-device relay (env 2/3/4)\n//\n// A normal production load matches none of these and the module exits here,\n// keeping the SDK bridge chunk dormant.\n// ---------------------------------------------------------------------------\n\n/**\n * Pure predicate for the self-gate. Exported for unit tests.\n *\n * @param isDev - Whether the consumer's bundler folded `import.meta.env.DEV`\n *   to `true`. Default: reads from `import.meta.env.DEV` at call time, which\n *   is what the consumer's bundler replaces with a literal at build time.\n *   Pass an explicit value in tests to control the DEV signal without\n *   depending on the Vite/vitest build environment.\n * @param searchStr - URL search string to inspect. Defaults to\n *   `window.location.search` when called in a browser context.\n */\nexport function shouldActivate(\n  isDev: boolean = ((): boolean => {\n    const metaEnv = (import.meta as unknown as Record<string, unknown>)?.env as\n      | Record<string, unknown>\n      | undefined;\n    return metaEnv?.DEV === true;\n  })(),\n  searchStr: string = typeof window !== 'undefined' ? window.location.search : '',\n): boolean {\n  if (isDev) return true;\n  const params = new URLSearchParams(searchStr);\n  return params.get('debug') === '1' || params.has('relay');\n}\n\nif (!shouldActivate()) {\n  // Dormant — no-op. Normal production load exits here.\n} else {\n  // ---------------------------------------------------------------------------\n  // Step 1: attach (runs the full Layer B/C gate — zero semantics change).\n  // ---------------------------------------------------------------------------\n  maybeAttach();\n\n  // ---------------------------------------------------------------------------\n  // Step 2: SDK bridge — install window.__sdk / window.__sdkCall.\n  //\n  // Dynamic import keeps the SDK out of the top-level module graph so the\n  // bridge chunk stays dormant when not needed. The namespace mirror pattern\n  // (iterate Object.keys) works identically for SDK 2.x and 3.x without any\n  // version-specific code path (version-agnostic, umbrella §5.1).\n  //\n  // `@apps-in-toss/web-framework` is an optional peer. If it is absent (e.g.\n  // MCP-only consumers, test environments without the SDK), the dynamic import\n  // rejects and we catch + swallow silently.\n  //\n  // SECRET-HANDLING: no host, relay URL, or auth code is logged here.\n  // ---------------------------------------------------------------------------\n  void import('@apps-in-toss/web-framework')\n    .then((sdk) => {\n      if (typeof window === 'undefined') return;\n\n      // Enumerate all exports onto a plain writable object. A namespace import\n      // is frozen/read-only, so callers need a plain enumerable surface.\n      const bridge: Record<string, unknown> = {};\n      for (const key of Object.keys(sdk)) {\n        bridge[key] = (sdk as Record<string, unknown>)[key];\n      }\n      window.__sdk = bridge;\n\n      // Convenience call helper: window.__sdkCall('apiName', arg1, arg2)\n      // returns { ok: true, value } or { ok: false, error } — safe for any\n      // CDP Runtime.evaluate result consumer.\n      window.__sdkCall = async (name: string, ...args: unknown[]) => {\n        const fn = bridge[name];\n        if (typeof fn !== 'function') {\n          return { ok: false, error: `__sdk.${name} is not a function` };\n        }\n        try {\n          const value = await (fn as (...a: unknown[]) => unknown)(...args);\n          return { ok: true, value };\n        } catch (e) {\n          return { ok: false, error: e instanceof Error ? e.message : String(e) };\n        }\n      };\n    })\n    .catch(() => {\n      // Optional peer absent or failed to resolve — fail silently.\n      // Do not log: a missing SDK on MCP-only consumers or test environments\n      // is expected and should not produce console noise.\n    });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiCA,MAAa,+BAA+B;;;;;;AAO5C,MAAa,2BAA2B;;;;;;;;;;;;ACmIxC,MAAM,2BAA2B;;;;;AAMjC,MAAM,4BAA4B;;;;;;;;;;;;AAalC,SAAgB,kBAAkB,UAA2B;AAC3D,QAAO,SAAS,SAAS,yBAAyB;;;;;;;;;;;;;;;;;;;;;AAsBpD,SAAgB,oBAAoB,UAA2B;AAC7D,QAAO,SAAS,SAAS,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;AAwBrD,SAAgB,kBAAkB,OAA8B;CAe9D,MAAM,WAAW,oBAAoB,MAAM,SAAS;AACpD,KAAI,CAAC,kBAAkB,MAAM,SAAS,IAAI,CAAC,SACzC,QAAO;EAAE,QAAQ;EAAO,QAAQ;EAAQ;CAS1C,IAAI,eAAe;AACnB,KAAI,CAAC,UAAU;AACb,iBAAe,MAAM,aAAa,IAAI,gBAAgB,IAAI;AAC1D,MAAI,iBAAiB,GACnB,QAAO;GAAE,QAAQ;GAAO,QAAQ;GAAS;;AAQ7C,KADmB,MAAM,aAAa,IAAI,QAAQ,KAC/B,IACjB,QAAO;EAAE,QAAQ;EAAO,QAAQ;EAAU;CAM5C,MAAM,WAAW,MAAM,aAAa,IAAI,QAAQ,IAAI;AACpD,KAAI,aAAa,GACf,QAAO;EAAE,QAAQ;EAAO,QAAQ;EAAiB;CAGnD,IAAI;AACJ,KAAI;AACF,aAAW,IAAI,IAAI,SAAS;SACtB;AACN,SAAO;GAAE,QAAQ;GAAO,QAAQ;GAAiB;;AAGnD,KAAI,SAAS,aAAa,OACxB,QAAO;EAAE,QAAQ;EAAO,QAAQ;EAAiB;AAUnD,KAAI,MAAM,mBAAmB,KAAA,GAAW;EACtC,MAAM,OAAO,MAAM,aAAa,IAAI,KAAK,IAAI;AAC7C,MAAI,CAAC,MAAM,eAAe,KAAK,CAC7B,QAAO;GAAE,QAAQ;GAAO,QAAQ;GAAQ;;AAI5C,QAAO;EAAE,QAAQ;EAAM,UAAU,SAAS;EAAM;EAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC7QhE,SAAgB,iBAA6B;AAC3C,QAAO,kBAAkB;EACvB,UAAU,OAAO,SAAS;EAC1B,cAAc,IAAI,gBAAgB,OAAO,SAAS,OAAO;EAC1D,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACIJ,SAAgB,sBAAsB,UAAkB,QAAgC;CACtF,MAAM,IAAI,IAAI,IAAI,SAAS;AAC3B,GAAE,WAAW;AACb,GAAE,WACA,WAAW,KAAA,KAAa,WAAW,QAAQ,WAAW,KAClD,OAAO,mBAAmB,OAAO,CAAC,cAClC;AACN,GAAE,SAAS;AACX,GAAE,OAAO;AACT,QAAO,EAAE,UAAU;;;AAIrB,IAAI,WAAW;;AAef,IAAI,sBAAsB;;AAG1B,IAAI,mBAAmB;;AAGvB,IAAI,sBAAsB;;;;;;;;AAS1B,SAAS,oBAA0B;AACjC,KAAI,oBAAqB;AACzB,KAAI,OAAO,WAAW,eAAe,OAAO,WAAW,OAAQ;AAC/D,uBAAsB;AACtB,QAAO,OAAO,YAAY;EAAE,MAAM;EAA4B,QAAQ;EAAgB,EAAE,IAAI;;;;;;;;AAS9F,SAAS,YAAY,QAA+B;CAClD,IAAI;AACJ,KAAI;AACF,WAAS,IAAI,IAAI,OAAO;SAClB;AACN,SAAO;;AAIT,QAAO,GADL,OAAO,aAAa,WAAW,SAAS,OAAO,aAAa,UAAU,QAAQ,OAAO,SACpE,IAAI,OAAO;;;;;;;;;;;;;;AAehC,SAAS,qBAAqB,KAAwB;CACpD,MAAM,cAAc,IAAI,aAAa;CACrC,MAAM,OAAO;EACX;EACA,YAAY;EACZ,gBAAgB;EAChB,YAAY;EACZ,UAAU;EACV,YAAY;EACZ,QAAQ;EACR,WAAW;EACX,SAAS;EACT,SAAS;EACT,QAAc;EACd,OAAa;EACb,kBAAkB,YAAY,iBAAiB,KAAK,YAAY;EAChE,qBAAqB,YAAY,oBAAoB,KAAK,YAAY;EACtE,eAAe,YAAY,cAAc,KAAK,YAAY;EAC1D,YAAY;EACZ,MAAM;EACN,SAAS;EACT,QAAQ;EACT;AACD,kBAAiB;EACf,MAAM,aAAa,IAAI,MAAM,QAAQ;AACrC,OAAK,UAAU,WAAW;AAC1B,cAAY,cAAc,WAAW;EAGrC,IAAI;AACJ,MAAI;AACF,gBAAa,IAAI,WAAW,SAAS;IACnC,MAAM;IACN,QAAQ;IACR,UAAU;IACX,CAAC;UACI;AACN,gBAAa,OAAO,OAAO,IAAI,MAAM,QAAQ,EAAE;IAC7C,MAAM;IACN,QAAQ;IACR,UAAU;IACX,CAAC;;AAEJ,OAAK,UAAU,WAAW;AAC1B,cAAY,cAAc,WAAW;IACpC,EAAE;AACL,QAAO;;;;;;;;;;;;;;;;;AAkBT,SAAgB,uBAAuB,UAAwB;AAC7D,KAAI,oBAAqB;AACzB,KAAI,OAAO,WAAW,eAAe,OAAO,OAAO,cAAc,WAAY;CAC7E,MAAM,WAAW,YAAY,SAAS;AACtC,KAAI,aAAa,KAAM;AACvB,uBAAsB;CAEtB,MAAM,kBAAkB,OAAO;CAC/B,MAAM,WAAW,IAAI,MAAM,iBAAiB,EAC1C,UAAU,QAAQ,MAAyB;EACzC,MAAM,MAAM,OAAO,KAAK,GAAG;AAC3B,MAAI,YAAY,IAAI,KAAK,SAEvB,QAAO,QAAQ,UAAU,QAAQ,KAAK;AAExC,MAAI,iBAEF,QAAO,qBAAqB,IAAI;EAElC,MAAM,KAAK,QAAQ,UAAU,QAAQ,KAAK;AAC1C,KAAG,iBAAiB,UAAU,UAAU;AACtC,OAAK,MAAqB,SAAA,MAAuC;AAC/D,uBAAmB;AACnB,uBAAmB;;IAErB;AACF,SAAO;IAEV,CAAC;AACF,QAAO,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;AA0BrB,SAAgB,YAAY,aAAyB,gBAAgB,EAAQ;AAC3E,KAAI,CAAC,WAAW,QAAQ;AACtB,UAAQ,MACN,mEAAmE,WAAW,OAAO,GACtF;AASD,MAAI,WAAW,WAAW,UAAU,OAAO,WAAW,eAAe,OAAO,WAAW,OACrF,QAAO,OAAO,YAAY;GAAE,MAAM;GAA4B,QAAQ;GAAQ,EAAE,IAAI;AAEtF;;AAIF,KAAI,SACF;AAKF,KAAI,OAAO,aAAa,YACtB;CAgBF,MAAM,SACJ,OAAO,WAAW,cAAc,IAAI,gBAAgB,OAAO,SAAS,OAAO,CAAC,IAAI,KAAK,GAAG;CAE1F,MAAM,MAAM,sBAAsB,WAAW,UAAU,OAAO;AAM9D,wBAAuB,WAAW,SAAS;AAK3C,KADiB,SAAS,cAAiC,eAAe,IAAI,IAAI,KACjE,MAAM;AACrB,aAAW;AACX;;CAGF,MAAM,SAAS,SAAS,cAAc,SAAS;AAC/C,QAAO,MAAM;AACb,QAAO,QAAQ;AAOf,QAAO,gBAAgB;AAChB,QAAM,IAAI,CACZ,MAAM,QAAQ;AACb,OAAI,IAAI,WAAW,IAAK,oBAAmB;IAC3C,CACD,YAAY,GAEX;;AAEN,EAAC,SAAS,QAAQ,SAAS,iBAAiB,YAAY,OAAO;AAE/D,YAAW;AAKX,KACE,OAAO,WAAW,eAClB,IAAI,gBAAgB,OAAO,SAAS,OAAO,CAAC,IAAI,cAAc,KAAK,IAEnE;AAGF,oBAAmB,EAAE,SAAS,MAAM,CAAC,CAClC,WAAW;AAGV,SAAO,iBACL,sBACM;AACJ,sBAAmB,EAAE,SAAS,OAAO,CAAC,CAAC,YAAY,GAAG;KAExD,EAAE,MAAM,MAAM,CACf;GACD,CACD,OAAO,QAAQ;AAEd,UAAQ,MAAM,iDAAiD,IAAI;GACnE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACjQN,SAAgB,eACd,SACmB,OAAO,MAA6C,MAGrD,QAAQ,MAE1B,YAAoB,OAAO,WAAW,cAAc,OAAO,SAAS,SAAS,IACpE;AACT,KAAI,MAAO,QAAO;CAClB,MAAM,SAAS,IAAI,gBAAgB,UAAU;AAC7C,QAAO,OAAO,IAAI,QAAQ,KAAK,OAAO,OAAO,IAAI,QAAQ;;AAG3D,IAAI,CAAC,gBAAgB,EAAE,QAEhB;AAIL,cAAa;AAgBR,QAAO,+BACT,MAAM,QAAQ;AACb,MAAI,OAAO,WAAW,YAAa;EAInC,MAAM,SAAkC,EAAE;AAC1C,OAAK,MAAM,OAAO,OAAO,KAAK,IAAI,CAChC,QAAO,OAAQ,IAAgC;AAEjD,SAAO,QAAQ;AAKf,SAAO,YAAY,OAAO,MAAc,GAAG,SAAoB;GAC7D,MAAM,KAAK,OAAO;AAClB,OAAI,OAAO,OAAO,WAChB,QAAO;IAAE,IAAI;IAAO,OAAO,SAAS,KAAK;IAAqB;AAEhE,OAAI;AAEF,WAAO;KAAE,IAAI;KAAM,OADL,MAAO,GAAoC,GAAG,KAAK;KACvC;YACnB,GAAG;AACV,WAAO;KAAE,IAAI;KAAO,OAAO,aAAa,QAAQ,EAAE,UAAU,OAAO,EAAE;KAAE;;;GAG3E,CACD,YAAY,GAIX"}

package/dist/mcp/cli.js

@@ -4660,7 +4660,7 @@ async function readMcpSdkVersion() {
 * some test environments that skip the build step).
 */
 function readDevtoolsVersion() {
-	return "0.1.75";
+	return "0.1.76";
 }
 /**
 * Derives the next recommended action from a completed diagnostics snapshot.
@@ -5164,7 +5164,7 @@ function createDebugServer(deps) {
 	const collector = collectorDep ?? new InMemoryDiagnosticsCollector();
 	const server = new Server({
 		name: "ait-debug",
-		version: "0.1.75"
+		version: "0.1.76"
 	}, { capabilities: { tools: { listChanged: true } } });
 	server.setRequestHandler(ListToolsRequestSchema, () => {
 		const conn = router.active;
@@ -7105,7 +7105,7 @@ function createDevServer(deps = {}) {
 	const aitSource = deps.aitSource ?? new HttpAitSource({ stateEndpoint });
 	const server = new Server({
 		name: "ait-devtools",
-		version: "0.1.75"
+		version: "0.1.76"
 	}, { capabilities: { tools: {} } });
 	server.setRequestHandler(ListToolsRequestSchema, () => ({ tools: DEV_TOOL_DEFINITIONS.map((tool) => ({ ...tool })) }));
 	server.setRequestHandler(CallToolRequestSchema, async (request) => {

package/dist/mcp/server.js

@@ -964,7 +964,7 @@ function createDevServer(deps = {}) {
 	const aitSource = deps.aitSource ?? new HttpAitSource({ stateEndpoint });
 	const server = new Server({
 		name: "ait-devtools",
-		version: "0.1.75"
+		version: "0.1.76"
 	}, { capabilities: { tools: {} } });
 	server.setRequestHandler(ListToolsRequestSchema, () => ({ tools: DEV_TOOL_DEFINITIONS.map((tool) => ({ ...tool })) }));
 	server.setRequestHandler(CallToolRequestSchema, async (request) => {

package/dist/panel/index.js

@@ -26490,7 +26490,7 @@ function readGlobalString(key) {
 }
 const TELEMETRY_ENDPOINT = readGlobalString("__TELEMETRY_ENDPOINT__") ?? "https://t.aitc.dev";
 function getVersion() {
-	return "0.1.75";
+	return "0.1.76";
 }
 let panelVisibleSince = null;
 let accumulatedMs = 0;
@@ -30741,7 +30741,7 @@ function Panel() {
 								color: "#666",
 								fontWeight: 400
 							},
-							children: ["v", "0.1.75"]
+							children: ["v", "0.1.76"]
 						}),
 						/* @__PURE__ */ (0, import_jsx_runtime.jsx)("button", {
 							type: "button",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ait-co/devtools",
-  "version": "0.1.75",
+  "version": "0.1.76",
   "description": "Development tools for Apps in Toss mini-apps — mock SDK, floating devtools panel, and universal bundler plugin",
   "type": "module",
   "engines": {
@@ -25,6 +25,10 @@
       "types": "./dist/in-app/index.d.ts",
       "import": "./dist/in-app/index.js"
     },
+    "./in-app/auto": {
+      "types": "./dist/in-app/auto.d.ts",
+      "import": "./dist/in-app/auto.js"
+    },
     "./unplugin": {
       "types": "./dist/unplugin/index.d.ts",
       "import": "./dist/unplugin/index.js",
@@ -64,6 +68,7 @@
     "ws": "^8.18.0"
   },
   "devDependencies": {
+    "@ait-co/polyfill": "^0.1.17",
     "@apps-in-toss/web-framework": "3.0.0-beta.3051978",
     "@biomejs/biome": "2.4.15",
     "@changesets/cli": "^2.31.0",