@certrev/cert-block 0.1.2 → 0.1.3

package/dist/builder/index.d.ts

@@ -1,73 +1,75 @@
 /**
- * @certrev/cert-block/builder — the Builder.io adapter for the cert-block render edge.
+ * @certrev/cert-block/builder — Builder.io adapter, "ambient-URL anchor" model.
  *
- * Lets a Builder.io content editor place a "CertREV Review" block into a page; the
- * headless app's loader (Hydrogen/Next/Remix) crypto-verifies that placement's signed
- * envelope and supplies the verdict via React context; this block renders cert-block's
- * <CertReview> from the VERIFIED verdict — and renders NOTHING (fail-closed) on any
- * suppress or unknown placement.
+ * Validated by an independent architecture panel (Codex gpt-5.5 + Gemini, blind): a visual
+ * page builder must NOT choose WHICH credential renders — that invites cross-article misuse and
+ * re-opens the wrong-subject surface. Instead:
+ *   • the CMS controls LAYOUT — an editor drags a ZERO-INPUT <CertRevAnchor/> to position the
+ *     badge on the page;
+ *   • the SYSTEM controls TRUTH — the headless loader resolves THIS page's credential from its
+ *     own URL (Track-1 delivery), crypto-verifies it (fail-closed VerdictKernel), and supplies
+ *     the verdict via context.
+ * The anchor renders the current page's verified badge or NOTHING. It cannot be pointed at
+ * another article, and there is no `placementId` input to forge or mis-select.
  *
- * THE TRUST BOUNDARY: the credential is never trusted from CMS content. A Builder block
- * only carries an opaque `placementId` pointer; the authority comes solely from the
- * loader-side WebCrypto verdict supplied through <CertVerifyProvider>. So a revoked /
- * tampered / expired / wrong-subject placement that an editor drops into Builder renders
- * nothing, even though the block is present in the published content.
+ * JSON-LD is DECOUPLED (panel finding): the anchor renders the BADGE only (`omitJsonLd`). The
+ * article template emits the schema.org JSON-LD server-side from the same verified verdict, so a
+ * page builder can't duplicate, move, or omit structured data. (See the route example.)
  *
- * cert-block carries NO dependency on `@builder.io/sdk-react` — the registration's shape is
- * declared structurally below, so the emitted JS pulls no Builder code and the type resolves
- * without Builder installed. The consumer (who already has Builder) passes
- * `certReviewBuilderComponent` to Builder's `<Content customComponents={[...]}>`; it is
- * assignable to Builder's `RegisteredComponent` there.
+ * EDGE-CACHE DISCIPLINE (panel finding): the consumer's loader MUST verify per request as a
+ * dynamic edge subrequest and must NOT long-cache the rendered badge HTML — a revoked/expired
+ * credential sitting in a stale edge cache would defeat fail-closed. Bound any positive-verdict
+ * cache by min(expiry, revocation-TTL, content-version).
+ *
+ * cert-block carries no Builder dependency: the registration shape is declared structurally, and
+ * `isEditing` is a passed-in flag (the consumer supplies Builder's `isPreviewing()`).
  */
 import { type ReactNode } from 'react';
 import type { CertVerdict } from '../contract/kernel.js';
-/** A loader-verified placement: the verdict cert-block renders from, plus the canonical
- *  page URL for JSON-LD @id alignment. */
-export interface VerifiedPlacement {
+/** The current page's credential, resolved + verified by the loader (Track-1 delivery). */
+export interface CurrentCredential {
     readonly verdict: CertVerdict;
+    /** Canonical page URL for JSON-LD @id alignment (used by the server-side JSON-LD, not the anchor). */
     readonly pageUrl?: string;
 }
-/** Map of `placementId` → the loader's verified result. Built server-side in the loader
- *  (it crypto-verifies each placement) and handed to <CertVerifyProvider>. */
-export type VerifiedPlacements = Record<string, VerifiedPlacement>;
-/** Wraps Builder's <Content>; carries the loader's verified verdicts down to every
- *  CertReview block, keyed by `placementId`. */
-export declare function CertVerifyProvider({ value, children, }: {
-    readonly value: VerifiedPlacements;
+/**
+ * Supplies THIS page's loader-verified credential to the anchor. `current` is the verdict for
+ * the current page (or null if the page has no delivered credential). `isEditing` is the
+ * consumer's Builder `isPreviewing()` result — it ONLY toggles a design-time placeholder and
+ * NEVER affects the published render.
+ */
+export declare function CertRevProvider({ current, isEditing, children, }: {
+    readonly current: CurrentCredential | null;
+    readonly isEditing?: boolean;
     readonly children: ReactNode;
 }): import("react").JSX.Element;
-export interface CertReviewBlockProps {
-    /** The CertREV placement id the editor set on this Builder block. */
-    readonly placementId?: string;
-}
 /**
- * The component Builder renders for a "CertREV Review" block. It pulls the loader-verified
- * verdict for its `placementId` from context and renders <CertReview>. Unknown placement
- * OR a non-`render` verdict → renders nothing. cert-block's <CertReview> ALSO suppresses on
- * a non-render verdict, so the boundary fails closed twice over (defense in depth).
+ * Design-time placeholder shown ONLY in the Builder editor when the current page has no live
+ * verified credential. Truthful (never a fake badge), emits NO JSON-LD, and never renders in
+ * production — so it cannot leak to or be crawled on the live site.
+ */
+export declare function CertRevEditorPlaceholder(): import("react").JSX.Element;
+/**
+ * The Builder block. ZERO inputs — a layout anchor only. Renders the current page's VERIFIED
+ * badge (badge only; JSON-LD is emitted server-side), the editor placeholder in design mode, or
+ * NOTHING in production (fail-closed). The credential is whatever Track-1 delivered + verified for
+ * THIS page; the editor can neither choose nor forge it.
  */
-export declare function CertReviewBlock({ placementId }: CertReviewBlockProps): import("react").JSX.Element | null;
+export declare function CertRevAnchor(): import("react").JSX.Element | null;
 /**
- * Structural shape of `@builder.io/sdk-react`'s `RegisteredComponent` — exactly the subset
- * cert-block populates. Declared locally (not imported) so cert-block needs no Builder
- * build- or runtime-dependency; the object below is assignable to Builder's
- * `RegisteredComponent` at the consumer's `<Content customComponents={[...]}>` call site.
+ * Structural shape of `@builder.io/sdk-react`'s `RegisteredComponent` — the subset cert-block
+ * populates. Declared locally so cert-block needs no Builder build/runtime dependency; assignable
+ * to Builder's `RegisteredComponent` at the consumer's `<Content customComponents={[...]}>`.
  */
-export interface CertReviewBuilderRegistration {
-    component: typeof CertReviewBlock;
+export interface CertRevBuilderRegistration {
+    component: typeof CertRevAnchor;
     name: string;
-    inputs: Array<{
-        name: string;
-        type: 'string';
-        required?: boolean;
-        helperText?: string;
-    }>;
+    inputs: never[];
 }
 /**
- * The registration object to pass to Builder's `<Content customComponents={[...]}>`.
- * Editors see a "CertREV Review" component with one input — the placement id. Because the
- * block is matched by NAME at render time, this also works for content created via the
- * Builder Write API (no visual-editor registration required for rendering).
+ * The registration to pass to Builder's `<Content customComponents={[...]}>`. ZERO inputs by
+ * design — the editor places it (layout); the system resolves the credential from the page URL
+ * (truth). Matched by NAME at render, so Write-API content works without visual-editor setup.
  */
-export declare const certReviewBuilderComponent: CertReviewBuilderRegistration;
+export declare const certRevAnchorComponent: CertRevBuilderRegistration;
 //# sourceMappingURL=index.d.ts.map

package/dist/builder/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/builder/index.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,OAAO,EAAiB,KAAK,SAAS,EAAc,MAAM,OAAO,CAAA;AAEjE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAA;AAExD;0CAC0C;AAC1C,MAAM,WAAW,iBAAiB;IACjC,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAA;IAC7B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CACzB;AAED;8EAC8E;AAC9E,MAAM,MAAM,kBAAkB,GAAG,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAA;AAIlE;gDACgD;AAChD,wBAAgB,kBAAkB,CAAC,EAClC,KAAK,EACL,QAAQ,GACR,EAAE;IACF,QAAQ,CAAC,KAAK,EAAE,kBAAkB,CAAA;IAClC,QAAQ,CAAC,QAAQ,EAAE,SAAS,CAAA;CAC5B,+BAEA;AAED,MAAM,WAAW,oBAAoB;IACpC,qEAAqE;IACrE,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAC7B;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,EAAE,WAAW,EAAE,EAAE,oBAAoB,sCAKpE;AAED;;;;;GAKG;AACH,MAAM,WAAW,6BAA6B;IAC7C,SAAS,EAAE,OAAO,eAAe,CAAA;IACjC,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,QAAQ,CAAC;QAAC,QAAQ,CAAC,EAAE,OAAO,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CACxF;AAED;;;;;GAKG;AACH,eAAO,MAAM,0BAA0B,EAAE,6BAaxC,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/builder/index.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,OAAO,EAAiB,KAAK,SAAS,EAAc,MAAM,OAAO,CAAA;AAEjE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAA;AAExD,2FAA2F;AAC3F,MAAM,WAAW,iBAAiB;IACjC,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAA;IAC7B,sGAAsG;IACtG,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CACzB;AASD;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,EAC/B,OAAO,EACP,SAAiB,EACjB,QAAQ,GACR,EAAE;IACF,QAAQ,CAAC,OAAO,EAAE,iBAAiB,GAAG,IAAI,CAAA;IAC1C,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,CAAA;IAC5B,QAAQ,CAAC,QAAQ,EAAE,SAAS,CAAA;CAC5B,+BAEA;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,gCAiBvC;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,uCAO5B;AAED;;;;GAIG;AACH,MAAM,WAAW,0BAA0B;IAC1C,SAAS,EAAE,OAAO,aAAa,CAAA;IAC/B,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,KAAK,EAAE,CAAA;CACf;AAED;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,EAAE,0BAIpC,CAAA"}

package/dist/builder/index.js

@@ -1,63 +1,80 @@
-import { jsx as _jsx } from "react/jsx-runtime";
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
 /**
- * @certrev/cert-block/builder — the Builder.io adapter for the cert-block render edge.
+ * @certrev/cert-block/builder — Builder.io adapter, "ambient-URL anchor" model.
  *
- * Lets a Builder.io content editor place a "CertREV Review" block into a page; the
- * headless app's loader (Hydrogen/Next/Remix) crypto-verifies that placement's signed
- * envelope and supplies the verdict via React context; this block renders cert-block's
- * <CertReview> from the VERIFIED verdict — and renders NOTHING (fail-closed) on any
- * suppress or unknown placement.
+ * Validated by an independent architecture panel (Codex gpt-5.5 + Gemini, blind): a visual
+ * page builder must NOT choose WHICH credential renders — that invites cross-article misuse and
+ * re-opens the wrong-subject surface. Instead:
+ *   • the CMS controls LAYOUT — an editor drags a ZERO-INPUT <CertRevAnchor/> to position the
+ *     badge on the page;
+ *   • the SYSTEM controls TRUTH — the headless loader resolves THIS page's credential from its
+ *     own URL (Track-1 delivery), crypto-verifies it (fail-closed VerdictKernel), and supplies
+ *     the verdict via context.
+ * The anchor renders the current page's verified badge or NOTHING. It cannot be pointed at
+ * another article, and there is no `placementId` input to forge or mis-select.
  *
- * THE TRUST BOUNDARY: the credential is never trusted from CMS content. A Builder block
- * only carries an opaque `placementId` pointer; the authority comes solely from the
- * loader-side WebCrypto verdict supplied through <CertVerifyProvider>. So a revoked /
- * tampered / expired / wrong-subject placement that an editor drops into Builder renders
- * nothing, even though the block is present in the published content.
+ * JSON-LD is DECOUPLED (panel finding): the anchor renders the BADGE only (`omitJsonLd`). The
+ * article template emits the schema.org JSON-LD server-side from the same verified verdict, so a
+ * page builder can't duplicate, move, or omit structured data. (See the route example.)
  *
- * cert-block carries NO dependency on `@builder.io/sdk-react` — the registration's shape is
- * declared structurally below, so the emitted JS pulls no Builder code and the type resolves
- * without Builder installed. The consumer (who already has Builder) passes
- * `certReviewBuilderComponent` to Builder's `<Content customComponents={[...]}>`; it is
- * assignable to Builder's `RegisteredComponent` there.
+ * EDGE-CACHE DISCIPLINE (panel finding): the consumer's loader MUST verify per request as a
+ * dynamic edge subrequest and must NOT long-cache the rendered badge HTML — a revoked/expired
+ * credential sitting in a stale edge cache would defeat fail-closed. Bound any positive-verdict
+ * cache by min(expiry, revocation-TTL, content-version).
+ *
+ * cert-block carries no Builder dependency: the registration shape is declared structurally, and
+ * `isEditing` is a passed-in flag (the consumer supplies Builder's `isPreviewing()`).
  */
 import { createContext, useContext } from 'react';
 import { CertReview } from '../components/CertReview.js';
-const CertVerifyContext = createContext({});
-/** Wraps Builder's <Content>; carries the loader's verified verdicts down to every
- *  CertReview block, keyed by `placementId`. */
-export function CertVerifyProvider({ value, children, }) {
-    return _jsx(CertVerifyContext.Provider, { value: value, children: children });
+const CertRevContext = createContext({ current: null, isEditing: false });
+/**
+ * Supplies THIS page's loader-verified credential to the anchor. `current` is the verdict for
+ * the current page (or null if the page has no delivered credential). `isEditing` is the
+ * consumer's Builder `isPreviewing()` result — it ONLY toggles a design-time placeholder and
+ * NEVER affects the published render.
+ */
+export function CertRevProvider({ current, isEditing = false, children, }) {
+    return _jsx(CertRevContext.Provider, { value: { current, isEditing }, children: children });
+}
+/**
+ * Design-time placeholder shown ONLY in the Builder editor when the current page has no live
+ * verified credential. Truthful (never a fake badge), emits NO JSON-LD, and never renders in
+ * production — so it cannot leak to or be crawled on the live site.
+ */
+export function CertRevEditorPlaceholder() {
+    return (_jsxs("div", { "data-certrev-editor-placeholder": "", style: {
+            border: '1px dashed #e6007e',
+            borderRadius: 8,
+            padding: '10px 14px',
+            font: '13px system-ui',
+            color: '#6b7280',
+            background: '#fff5fa',
+        }, children: ["CertREV Review \u2014 ", _jsx("b", { children: "resolves at publish" }), " from issuer verification. The expert badge appears here once this page\u2019s article is certified, and only while the credential is valid."] }));
 }
 /**
- * The component Builder renders for a "CertREV Review" block. It pulls the loader-verified
- * verdict for its `placementId` from context and renders <CertReview>. Unknown placement
- * OR a non-`render` verdict → renders nothing. cert-block's <CertReview> ALSO suppresses on
- * a non-render verdict, so the boundary fails closed twice over (defense in depth).
+ * The Builder block. ZERO inputs — a layout anchor only. Renders the current page's VERIFIED
+ * badge (badge only; JSON-LD is emitted server-side), the editor placeholder in design mode, or
+ * NOTHING in production (fail-closed). The credential is whatever Track-1 delivered + verified for
+ * THIS page; the editor can neither choose nor forge it.
  */
-export function CertReviewBlock({ placementId }) {
-    const placements = useContext(CertVerifyContext);
-    const placement = placementId ? placements[placementId] : undefined;
-    if (!placement)
-        return null;
-    return _jsx(CertReview, { verdict: placement.verdict, pageUrl: placement.pageUrl });
+export function CertRevAnchor() {
+    const { current, isEditing } = useContext(CertRevContext);
+    if (current && current.verdict.decision === 'render') {
+        return _jsx(CertReview, { verdict: current.verdict, pageUrl: current.pageUrl, omitJsonLd: true });
+    }
+    if (isEditing)
+        return _jsx(CertRevEditorPlaceholder, {});
+    return null;
 }
 /**
- * The registration object to pass to Builder's `<Content customComponents={[...]}>`.
- * Editors see a "CertREV Review" component with one input — the placement id. Because the
- * block is matched by NAME at render time, this also works for content created via the
- * Builder Write API (no visual-editor registration required for rendering).
+ * The registration to pass to Builder's `<Content customComponents={[...]}>`. ZERO inputs by
+ * design — the editor places it (layout); the system resolves the credential from the page URL
+ * (truth). Matched by NAME at render, so Write-API content works without visual-editor setup.
  */
-export const certReviewBuilderComponent = {
-    component: CertReviewBlock,
+export const certRevAnchorComponent = {
+    component: CertRevAnchor,
     name: 'CertREV Review',
-    inputs: [
-        {
-            name: 'placementId',
-            type: 'string',
-            required: true,
-            helperText: 'CertREV placement id (which certified article this badge attests). The headless ' +
-                'loader verifies that placement’s signed envelope; only a render-verdict shows a badge.',
-        },
-    ],
+    inputs: [],
 };
 //# sourceMappingURL=index.js.map

package/dist/builder/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/builder/index.tsx"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,OAAO,EAAE,aAAa,EAAkB,UAAU,EAAE,MAAM,OAAO,CAAA;AACjE,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAA;AAcxD,MAAM,iBAAiB,GAAG,aAAa,CAAqB,EAAE,CAAC,CAAA;AAE/D;gDACgD;AAChD,MAAM,UAAU,kBAAkB,CAAC,EAClC,KAAK,EACL,QAAQ,GAIR;IACA,OAAO,KAAC,iBAAiB,CAAC,QAAQ,IAAC,KAAK,EAAE,KAAK,YAAG,QAAQ,GAA8B,CAAA;AACzF,CAAC;AAOD;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,EAAE,WAAW,EAAwB;IACpE,MAAM,UAAU,GAAG,UAAU,CAAC,iBAAiB,CAAC,CAAA;IAChD,MAAM,SAAS,GAAG,WAAW,CAAC,CAAC,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IACnE,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAA;IAC3B,OAAO,KAAC,UAAU,IAAC,OAAO,EAAE,SAAS,CAAC,OAAO,EAAE,OAAO,EAAE,SAAS,CAAC,OAAO,GAAI,CAAA;AAC9E,CAAC;AAcD;;;;;GAKG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAkC;IACxE,SAAS,EAAE,eAAe;IAC1B,IAAI,EAAE,gBAAgB;IACtB,MAAM,EAAE;QACP;YACC,IAAI,EAAE,aAAa;YACnB,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,IAAI;YACd,UAAU,EACT,kFAAkF;gBAClF,wFAAwF;SACzF;KACD;CACD,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/builder/index.tsx"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,OAAO,EAAE,aAAa,EAAkB,UAAU,EAAE,MAAM,OAAO,CAAA;AACjE,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAA;AAexD,MAAM,cAAc,GAAG,aAAa,CAAsB,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAA;AAE9F;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,EAC/B,OAAO,EACP,SAAS,GAAG,KAAK,EACjB,QAAQ,GAKR;IACA,OAAO,KAAC,cAAc,CAAC,QAAQ,IAAC,KAAK,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,YAAG,QAAQ,GAA2B,CAAA;AACpG,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,wBAAwB;IACvC,OAAO,CACN,kDACiC,EAAE,EAClC,KAAK,EAAE;YACN,MAAM,EAAE,oBAAoB;YAC5B,YAAY,EAAE,CAAC;YACf,OAAO,EAAE,WAAW;YACpB,IAAI,EAAE,gBAAgB;YACtB,KAAK,EAAE,SAAS;YAChB,UAAU,EAAE,SAAS;SACrB,uCAEgB,8CAA0B,oJAEtC,CACN,CAAA;AACF,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa;IAC5B,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,UAAU,CAAC,cAAc,CAAC,CAAA;IACzD,IAAI,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACtD,OAAO,KAAC,UAAU,IAAC,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,UAAU,SAAG,CAAA;IACrF,CAAC;IACD,IAAI,SAAS;QAAE,OAAO,KAAC,wBAAwB,KAAG,CAAA;IAClD,OAAO,IAAI,CAAA;AACZ,CAAC;AAaD;;;;GAIG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAA+B;IACjE,SAAS,EAAE,aAAa;IACxB,IAAI,EAAE,gBAAgB;IACtB,MAAM,EAAE,EAAE;CACV,CAAA"}

package/package.json

@@ -1,78 +1,78 @@
 {
-	"name": "@certrev/cert-block",
-	"version": "0.1.2",
-	"description": "Headless / crypto_verify render edge for the CertREV CertDeliveryEnvelope. SSR-safe React components (<CertBadge>/<ExpertBio>/<CertRevBacklink>), a deterministic schema.org JSON-LD projector, a fail-closed verify layer over the shared VerdictKernel, and a framework-agnostic <certrev-badge> Web Component. Sign once (portal), render everywhere (Hydrogen / Next / Builder / universal embed).",
-	"type": "module",
-	"main": "./dist/index.js",
-	"types": "./dist/index.d.ts",
-	"exports": {
-		".": {
-			"types": "./dist/index.d.ts",
-			"default": "./dist/index.js"
-		},
-		"./builder": {
-			"types": "./dist/builder/index.d.ts",
-			"default": "./dist/builder/index.js"
-		},
-		"./webcomponent": {
-			"types": "./dist/webcomponent/certrev-badge.d.ts",
-			"default": "./dist/webcomponent/certrev-badge.js"
-		},
-		"./fixtures": {
-			"types": "./dist/contract/fixtures.d.ts",
-			"default": "./dist/contract/fixtures.js"
-		}
-	},
-	"files": [
-		"dist",
-		"src",
-		"README.md"
-	],
-	"publishConfig": {
-		"registry": "https://registry.npmjs.org",
-		"access": "public"
-	},
-	"publishTargets": [
-		"npmjs"
-	],
-	"scripts": {
-		"build": "tsc",
-		"typecheck": "tsc --noEmit",
-		"test": "vitest run"
-	},
-	"peerDependencies": {
-		"@certrev/cert-contract": ">=0.1.2",
-		"react": ">=18.0.0"
-	},
-	"peerDependenciesMeta": {
-		"react": {
-			"optional": false
-		}
-	},
-	"devDependencies": {
-		"@certrev/cert-contract": "workspace:*",
-		"@testing-library/react": "^16.1.0",
-		"@types/node": "^20.0.0",
-		"@types/react": "^18.3.0",
-		"@types/react-dom": "^18.3.0",
-		"jsdom": "^25.0.0",
-		"react": "^18.3.1",
-		"react-dom": "^18.3.1",
-		"typescript": "^6.0.3",
-		"vitest": "^4.1.5"
-	},
-	"keywords": [
-		"certrev",
-		"certification",
-		"react",
-		"server-components",
-		"hydrogen",
-		"shopify",
-		"json-ld",
-		"schema-org",
-		"web-component",
-		"ed25519",
-		"ssr"
-	],
-	"license": "MIT"
+  "name": "@certrev/cert-block",
+  "version": "0.1.3",
+  "description": "Headless / crypto_verify render edge for the CertREV CertDeliveryEnvelope. SSR-safe React components (<CertBadge>/<ExpertBio>/<CertRevBacklink>), a deterministic schema.org JSON-LD projector, a fail-closed verify layer over the shared VerdictKernel, and a framework-agnostic <certrev-badge> Web Component. Sign once (portal), render everywhere (Hydrogen / Next / Builder / universal embed).",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    },
+    "./builder": {
+      "types": "./dist/builder/index.d.ts",
+      "default": "./dist/builder/index.js"
+    },
+    "./webcomponent": {
+      "types": "./dist/webcomponent/certrev-badge.d.ts",
+      "default": "./dist/webcomponent/certrev-badge.js"
+    },
+    "./fixtures": {
+      "types": "./dist/contract/fixtures.d.ts",
+      "default": "./dist/contract/fixtures.js"
+    }
+  },
+  "files": [
+    "dist",
+    "src",
+    "README.md"
+  ],
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org",
+    "access": "public"
+  },
+  "publishTargets": [
+    "npmjs"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run"
+  },
+  "peerDependencies": {
+    "@certrev/cert-contract": ">=0.1.2",
+    "react": ">=18.0.0"
+  },
+  "peerDependenciesMeta": {
+    "react": {
+      "optional": false
+    }
+  },
+  "devDependencies": {
+    "@certrev/cert-contract": "workspace:*",
+    "@testing-library/react": "^16.1.0",
+    "@types/node": "^20.0.0",
+    "@types/react": "^18.3.0",
+    "@types/react-dom": "^18.3.0",
+    "jsdom": "^25.0.0",
+    "react": "^18.3.1",
+    "react-dom": "^18.3.1",
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.5"
+  },
+  "keywords": [
+    "certrev",
+    "certification",
+    "react",
+    "server-components",
+    "hydrogen",
+    "shopify",
+    "json-ld",
+    "schema-org",
+    "web-component",
+    "ed25519",
+    "ssr"
+  ],
+  "license": "MIT"
 }

package/src/builder/__tests__/builder.test.tsx

@@ -1,81 +1,68 @@
 /**
- * SSR-render tests for the Builder.io adapter (`@certrev/cert-block/builder`), exercised
- * through `react-dom/server`'s `renderToStaticMarkup` — the same path Hydrogen/Next use to
- * produce crawlable HTML on the edge. These prove the adapter's load-bearing contract:
+ * SSR-render tests for the Builder.io adapter (`@certrev/cert-block/builder`), the panel-validated
+ * "ambient-URL anchor" model — exercised through `renderToStaticMarkup` (the edge SSR path).
  *
- *   • a render-verdict placement renders the in-DOM cert badge (crawlable);
- *   • EVERY non-render path — suppress verdict, unknown placement, missing placementId —
- *     renders NOTHING (fail-closed survives the CMS boundary);
- *   • when one Content tree mixes a valid + a revoked placement (the /builder-cert proof
- *     shape), only the valid one renders.
- *
- * Authority comes solely from the loader-supplied verdict in <CertVerifyProvider>; the
- * `placementId` is an opaque pointer the CMS cannot use to manufacture a badge.
+ * Contract proved here:
+ *   • the anchor renders the CURRENT page's verified badge — and badge ONLY (JSON-LD is emitted
+ *     server-side, decoupled from the visual slot);
+ *   • EVERY non-render path (suppress verdict, no credential for the page) renders nothing in
+ *     production (fail-closed);
+ *   • in the Builder editor (`isEditing`) with no live credential, a truthful placeholder shows —
+ *     never a fake badge, and never any JSON-LD;
+ *   • the registration is ZERO-input: the editor cannot choose or forge which credential renders.
  */
 import { renderToStaticMarkup } from 'react-dom/server'
 import { describe, expect, it } from 'vitest'
 import { makeMockPayload } from '../../contract/fixtures.js'
 import type { CertVerdict } from '../../contract/kernel.js'
-import { CertReviewBlock, CertVerifyProvider, certReviewBuilderComponent, type VerifiedPlacements } from '../index.js'
+import { CertRevAnchor, CertRevProvider, certRevAnchorComponent, type CurrentCredential } from '../index.js'
 
 const renderVerdict: CertVerdict = { decision: 'render', payload: makeMockPayload() }
 const suppressVerdict: CertVerdict = { decision: 'suppress', reason: 'revoked' }
 
-function renderBlock(placements: VerifiedPlacements, placementId?: string): string {
+function render(current: CurrentCredential | null, isEditing = false): string {
 	return renderToStaticMarkup(
-		<CertVerifyProvider value={placements}>
-			<CertReviewBlock placementId={placementId} />
-		</CertVerifyProvider>,
+		<CertRevProvider current={current} isEditing={isEditing}>
+			<CertRevAnchor />
+		</CertRevProvider>,
 	)
 }
 
-describe('Builder adapter — registration', () => {
-	it('registers as "CertREV Review" with a single required string `placementId` input', () => {
-		expect(certReviewBuilderComponent.name).toBe('CertREV Review')
-		expect(certReviewBuilderComponent.component).toBe(CertReviewBlock)
-		const input = certReviewBuilderComponent.inputs?.find((i) => i.name === 'placementId')
-		expect(input).toBeDefined()
-		expect(input?.required).toBe(true)
-		expect(input?.type).toBe('string')
+describe('Builder adapter — registration (zero-input anchor)', () => {
+	it('registers "CertREV Review" with NO inputs (editor places it; system resolves the credential)', () => {
+		expect(certRevAnchorComponent.name).toBe('CertREV Review')
+		expect(certRevAnchorComponent.component).toBe(CertRevAnchor)
+		expect(certRevAnchorComponent.inputs).toEqual([])
 	})
 })
 
-describe('Builder adapter — CertReviewBlock render', () => {
-	it('renders the verified badge for a render-verdict placement (in-DOM, crawlable)', () => {
-		const html = renderBlock({ 'p-valid': { verdict: renderVerdict, pageUrl: 'https://brand.example.com/a' } }, 'p-valid')
+describe('Builder adapter — CertRevAnchor render', () => {
+	it('renders the current page’s verified badge — and ONLY the badge (no JSON-LD; that is server-side)', () => {
+		const html = render({ verdict: renderVerdict, pageUrl: 'https://brand.example.com/a' })
 		expect(html).toContain('certrev-badge')
 		expect(html).toContain('Dr. Jane Doe')
-		expect(html).toContain('data-certrev-cert-id="cert_fixture_001"')
+		expect(html).not.toContain('application/ld+json') // JSON-LD decoupled to the article template
 	})
 
-	it('FAIL-CLOSED: a suppress-verdict placement renders nothing', () => {
-		expect(renderBlock({ 'p-revoked': { verdict: suppressVerdict } }, 'p-revoked')).toBe('')
+	it('FAIL-CLOSED: a suppress verdict renders nothing', () => {
+		expect(render({ verdict: suppressVerdict })).toBe('')
 	})
 
-	it('FAIL-CLOSED: an unknown placementId renders nothing', () => {
-		expect(renderBlock({ 'p-valid': { verdict: renderVerdict } }, 'p-not-here')).toBe('')
+	it('FAIL-CLOSED: no credential for this page renders nothing in production', () => {
+		expect(render(null, false)).toBe('')
 	})
 
-	it('FAIL-CLOSED: a missing placementId renders nothing', () => {
-		expect(renderBlock({ 'p-valid': { verdict: renderVerdict } }, undefined)).toBe('')
+	it('EDITOR: no live credential + isEditing renders a truthful placeholder (no badge, no JSON-LD)', () => {
+		const html = render(null, true)
+		expect(html).toContain('data-certrev-editor-placeholder')
+		expect(html).toContain('resolves at publish')
+		expect(html).not.toContain('certrev-badge')
+		expect(html).not.toContain('application/ld+json')
 	})
 
-	it('mixed content (valid + revoked in one Content tree): only the valid placement renders', () => {
-		const placements: VerifiedPlacements = {
-			'p-valid': { verdict: renderVerdict, pageUrl: 'https://brand.example.com/a' },
-			'p-revoked': { verdict: suppressVerdict },
-		}
-		const html = renderToStaticMarkup(
-			<CertVerifyProvider value={placements}>
-				<div id="valid-block">
-					<CertReviewBlock placementId="p-valid" />
-				</div>
-				<div id="revoked-block">
-					<CertReviewBlock placementId="p-revoked" />
-				</div>
-			</CertVerifyProvider>,
-		)
-		expect(html).toContain('certrev-badge') // valid rendered
-		expect(html).toContain('<div id="revoked-block"></div>') // revoked empty — fail-closed through the CMS
+	it('EDITOR: a live verified credential renders the REAL badge even in editing mode (true draft-verify)', () => {
+		const html = render({ verdict: renderVerdict }, true)
+		expect(html).toContain('certrev-badge')
+		expect(html).not.toContain('data-certrev-editor-placeholder')
 	})
 })

package/src/builder/index.tsx

@@ -1,100 +1,122 @@
 /**
- * @certrev/cert-block/builder — the Builder.io adapter for the cert-block render edge.
+ * @certrev/cert-block/builder — Builder.io adapter, "ambient-URL anchor" model.
  *
- * Lets a Builder.io content editor place a "CertREV Review" block into a page; the
- * headless app's loader (Hydrogen/Next/Remix) crypto-verifies that placement's signed
- * envelope and supplies the verdict via React context; this block renders cert-block's
- * <CertReview> from the VERIFIED verdict — and renders NOTHING (fail-closed) on any
- * suppress or unknown placement.
+ * Validated by an independent architecture panel (Codex gpt-5.5 + Gemini, blind): a visual
+ * page builder must NOT choose WHICH credential renders — that invites cross-article misuse and
+ * re-opens the wrong-subject surface. Instead:
+ *   • the CMS controls LAYOUT — an editor drags a ZERO-INPUT <CertRevAnchor/> to position the
+ *     badge on the page;
+ *   • the SYSTEM controls TRUTH — the headless loader resolves THIS page's credential from its
+ *     own URL (Track-1 delivery), crypto-verifies it (fail-closed VerdictKernel), and supplies
+ *     the verdict via context.
+ * The anchor renders the current page's verified badge or NOTHING. It cannot be pointed at
+ * another article, and there is no `placementId` input to forge or mis-select.
  *
- * THE TRUST BOUNDARY: the credential is never trusted from CMS content. A Builder block
- * only carries an opaque `placementId` pointer; the authority comes solely from the
- * loader-side WebCrypto verdict supplied through <CertVerifyProvider>. So a revoked /
- * tampered / expired / wrong-subject placement that an editor drops into Builder renders
- * nothing, even though the block is present in the published content.
+ * JSON-LD is DECOUPLED (panel finding): the anchor renders the BADGE only (`omitJsonLd`). The
+ * article template emits the schema.org JSON-LD server-side from the same verified verdict, so a
+ * page builder can't duplicate, move, or omit structured data. (See the route example.)
  *
- * cert-block carries NO dependency on `@builder.io/sdk-react` — the registration's shape is
- * declared structurally below, so the emitted JS pulls no Builder code and the type resolves
- * without Builder installed. The consumer (who already has Builder) passes
- * `certReviewBuilderComponent` to Builder's `<Content customComponents={[...]}>`; it is
- * assignable to Builder's `RegisteredComponent` there.
+ * EDGE-CACHE DISCIPLINE (panel finding): the consumer's loader MUST verify per request as a
+ * dynamic edge subrequest and must NOT long-cache the rendered badge HTML — a revoked/expired
+ * credential sitting in a stale edge cache would defeat fail-closed. Bound any positive-verdict
+ * cache by min(expiry, revocation-TTL, content-version).
+ *
+ * cert-block carries no Builder dependency: the registration shape is declared structurally, and
+ * `isEditing` is a passed-in flag (the consumer supplies Builder's `isPreviewing()`).
  */
 import { createContext, type ReactNode, useContext } from 'react'
 import { CertReview } from '../components/CertReview.js'
 import type { CertVerdict } from '../contract/kernel.js'
 
-/** A loader-verified placement: the verdict cert-block renders from, plus the canonical
- *  page URL for JSON-LD @id alignment. */
-export interface VerifiedPlacement {
+/** The current page's credential, resolved + verified by the loader (Track-1 delivery). */
+export interface CurrentCredential {
 	readonly verdict: CertVerdict
+	/** Canonical page URL for JSON-LD @id alignment (used by the server-side JSON-LD, not the anchor). */
 	readonly pageUrl?: string
 }
 
-/** Map of `placementId` → the loader's verified result. Built server-side in the loader
- *  (it crypto-verifies each placement) and handed to <CertVerifyProvider>. */
-export type VerifiedPlacements = Record<string, VerifiedPlacement>
+interface CertRevContextValue {
+	readonly current: CurrentCredential | null
+	readonly isEditing: boolean
+}
 
-const CertVerifyContext = createContext<VerifiedPlacements>({})
+const CertRevContext = createContext<CertRevContextValue>({ current: null, isEditing: false })
 
-/** Wraps Builder's <Content>; carries the loader's verified verdicts down to every
- *  CertReview block, keyed by `placementId`. */
-export function CertVerifyProvider({
-	value,
+/**
+ * Supplies THIS page's loader-verified credential to the anchor. `current` is the verdict for
+ * the current page (or null if the page has no delivered credential). `isEditing` is the
+ * consumer's Builder `isPreviewing()` result — it ONLY toggles a design-time placeholder and
+ * NEVER affects the published render.
+ */
+export function CertRevProvider({
+	current,
+	isEditing = false,
 	children,
 }: {
-	readonly value: VerifiedPlacements
+	readonly current: CurrentCredential | null
+	readonly isEditing?: boolean
 	readonly children: ReactNode
 }) {
-	return <CertVerifyContext.Provider value={value}>{children}</CertVerifyContext.Provider>
+	return <CertRevContext.Provider value={{ current, isEditing }}>{children}</CertRevContext.Provider>
 }
 
-export interface CertReviewBlockProps {
-	/** The CertREV placement id the editor set on this Builder block. */
-	readonly placementId?: string
+/**
+ * Design-time placeholder shown ONLY in the Builder editor when the current page has no live
+ * verified credential. Truthful (never a fake badge), emits NO JSON-LD, and never renders in
+ * production — so it cannot leak to or be crawled on the live site.
+ */
+export function CertRevEditorPlaceholder() {
+	return (
+		<div
+			data-certrev-editor-placeholder=""
+			style={{
+				border: '1px dashed #e6007e',
+				borderRadius: 8,
+				padding: '10px 14px',
+				font: '13px system-ui',
+				color: '#6b7280',
+				background: '#fff5fa',
+			}}
+		>
+			CertREV Review — <b>resolves at publish</b> from issuer verification. The expert badge appears here once this
+			page’s article is certified, and only while the credential is valid.
+		</div>
+	)
 }
 
 /**
- * The component Builder renders for a "CertREV Review" block. It pulls the loader-verified
- * verdict for its `placementId` from context and renders <CertReview>. Unknown placement
- * OR a non-`render` verdict → renders nothing. cert-block's <CertReview> ALSO suppresses on
- * a non-render verdict, so the boundary fails closed twice over (defense in depth).
+ * The Builder block. ZERO inputs — a layout anchor only. Renders the current page's VERIFIED
+ * badge (badge only; JSON-LD is emitted server-side), the editor placeholder in design mode, or
+ * NOTHING in production (fail-closed). The credential is whatever Track-1 delivered + verified for
+ * THIS page; the editor can neither choose nor forge it.
  */
-export function CertReviewBlock({ placementId }: CertReviewBlockProps) {
-	const placements = useContext(CertVerifyContext)
-	const placement = placementId ? placements[placementId] : undefined
-	if (!placement) return null
-	return <CertReview verdict={placement.verdict} pageUrl={placement.pageUrl} />
+export function CertRevAnchor() {
+	const { current, isEditing } = useContext(CertRevContext)
+	if (current && current.verdict.decision === 'render') {
+		return <CertReview verdict={current.verdict} pageUrl={current.pageUrl} omitJsonLd />
+	}
+	if (isEditing) return <CertRevEditorPlaceholder />
+	return null
 }
 
 /**
- * Structural shape of `@builder.io/sdk-react`'s `RegisteredComponent` — exactly the subset
- * cert-block populates. Declared locally (not imported) so cert-block needs no Builder
- * build- or runtime-dependency; the object below is assignable to Builder's
- * `RegisteredComponent` at the consumer's `<Content customComponents={[...]}>` call site.
+ * Structural shape of `@builder.io/sdk-react`'s `RegisteredComponent` — the subset cert-block
+ * populates. Declared locally so cert-block needs no Builder build/runtime dependency; assignable
+ * to Builder's `RegisteredComponent` at the consumer's `<Content customComponents={[...]}>`.
  */
-export interface CertReviewBuilderRegistration {
-	component: typeof CertReviewBlock
+export interface CertRevBuilderRegistration {
+	component: typeof CertRevAnchor
 	name: string
-	inputs: Array<{ name: string; type: 'string'; required?: boolean; helperText?: string }>
+	inputs: never[]
 }
 
 /**
- * The registration object to pass to Builder's `<Content customComponents={[...]}>`.
- * Editors see a "CertREV Review" component with one input — the placement id. Because the
- * block is matched by NAME at render time, this also works for content created via the
- * Builder Write API (no visual-editor registration required for rendering).
+ * The registration to pass to Builder's `<Content customComponents={[...]}>`. ZERO inputs by
+ * design — the editor places it (layout); the system resolves the credential from the page URL
+ * (truth). Matched by NAME at render, so Write-API content works without visual-editor setup.
  */
-export const certReviewBuilderComponent: CertReviewBuilderRegistration = {
-	component: CertReviewBlock,
+export const certRevAnchorComponent: CertRevBuilderRegistration = {
+	component: CertRevAnchor,
 	name: 'CertREV Review',
-	inputs: [
-		{
-			name: 'placementId',
-			type: 'string',
-			required: true,
-			helperText:
-				'CertREV placement id (which certified article this badge attests). The headless ' +
-				'loader verifies that placement’s signed envelope; only a render-verdict shows a badge.',
-		},
-	],
+	inputs: [],
 }