@civitai/blocks-react 0.5.0 → 0.6.0

package/README.md

@@ -4,8 +4,8 @@ React hooks and iframe transport for [Civitai App Blocks](https://developer.civi
 
 Pairs with [`@civitai/app-sdk`](https://www.npmjs.com/package/@civitai/app-sdk)'s
 `/blocks` subpath, which carries the framework-agnostic manifest, scope, and
-`postMessage` contract. This package adds the transport that actually moves
-bytes and the React hooks block authors call.
+`postMessage` contract. This package adds the transport that actually moves bytes
+and the React hooks block authors call.
 
 ## Install
 
@@ -19,29 +19,240 @@ your block app and the SDK share a single React tree.
 ## Quick start
 
 ```tsx
-import { useBlockContext, useBuzzWorkflow } from '@civitai/blocks-react';
+import { useRef } from 'react';
+import { useBlockContext, useBlockResize, useBuzzWorkflow } from '@civitai/blocks-react';
+import type { ModelSlotContext } from '@civitai/app-sdk/blocks';
 
 export function App() {
-  const { ready, context, viewer } = useBlockContext();
-  const { estimate, submit, status, result } = useBuzzWorkflow();
+  const { ready, context, viewer, theme } = useBlockContext();
+  const { submit, status, result } = useBuzzWorkflow();
+  const rootRef = useRef<HTMLDivElement>(null);
+  useBlockResize(rootRef);                 // host fits the iframe to content
+
+  if (!ready) return <div ref={rootRef}>Loading…</div>;
+  const model = context as ModelSlotContext;
 
-  if (!ready) return <div>Loading…</div>;
   return (
-    <div>
-      <p>Block for model {context.modelId} ({viewer.username})</p>
-      <button onClick={() => submit({ prompt: 'a cat' })}>Generate</button>
+    // GOTCHA #60: set data-theme on YOUR OWN root — the host can't reach into
+    // the iframe to set it. Without this any [data-theme="dark"] CSS is dormant.
+    <div ref={rootRef} data-theme={theme}>
+      <p>Block for model {model.modelName} ({viewer?.username ?? 'anon'})</p>
+      <button
+        onClick={() =>
+          submit({
+            kind: 'textToImage',
+            modelId: model.modelId,
+            modelVersionId: model.modelVersionId,
+            params: { prompt: 'a cat' },
+          })
+        }
+      >
+        Generate
+      </button>
       {status === 'done' && result?.imageUrls?.map((u) => <img key={u} src={u} />)}
     </div>
   );
 }
 ```
 
-## What lives where
+> `submit` takes a full `WorkflowBody` (`{ kind, modelId, modelVersionId, params }`),
+> **not** `{ prompt }`. Both ids come from `useBlockContext().context` narrowed to
+> `ModelSlotContext`.
+
+## The hooks
+
+All hooks build on a singleton transport, so they're safe to call from any
+component without prop-drilling. Below: one minimal snippet each.
+
+### `useBlockContext()`
+
+The primary hook. Returns everything the host delivered in `BLOCK_INIT` plus a
+`ready` gate — fields are sentinel-empty before init, so gate your UI on `ready`.
+
+```tsx
+const { ready, context, viewer, theme, settings, blockId, blockInstanceId, appId, token, renderMode } =
+  useBlockContext();
+```
+
+- `context` — `BlockContext` (`{ slotId, … }`); narrow to `ModelSlotContext` for
+  model-page slots.
+- `viewer` — `ViewerInfo | null` (`null` = anonymous).
+- `theme` — `'light' | 'dark'`. **Set `data-theme={theme}` on your root** (gotcha #60).
+- `settings` — `{ publisherSettings, userSettings }`.
+
+### `useBlockResize(ref)`
+
+Attach to your root element. Observes its height and posts `RESIZE_IFRAME` so the
+host sizes the iframe to fit. No-op on the inline transport (host DOM reflows
+naturally).
+
+```tsx
+const rootRef = useRef<HTMLDivElement>(null);
+useBlockResize(rootRef);
+```
+
+> Also set `iframe.minHeight` in your manifest to the block's *real* rendered
+> height — a too-small minHeight makes the iframe seed short and grow-jump on
+> `BLOCK_READY` (CLS). Measure it in the dev harness (gotcha #53).
+
+### `useBlockToken()`
+
+Current block-scoped JWT, auto-refreshing ~2 min before expiry. Returns the token
+fields plus a `refresh()` for the 401-retry path.
+
+```tsx
+const { raw, scopes, expiresAt, buzzBudget, refresh } = useBlockToken();
+// after a 401: await refresh(); then retry the request once with the new `raw`.
+```
+
+### `useBlockSettings()`
+
+Shorthand for `useBlockContext().settings`. Read-only from the iframe — settings
+are *written* on the platform `/apps/installed` page, not via a bridge message.
+
+```tsx
+const { publisherSettings, userSettings } = useBlockSettings();
+```
+
+### `useBuzzWorkflow()`
+
+The generation flow: `estimate` → `submit` → `poll`, host-mediated. Returns
+`{ estimate, submit, poll, status, result, error }`.
+
+```tsx
+const { estimate, submit, poll, status, result } = useBuzzWorkflow();
+const body = { kind: 'textToImage', modelId, modelVersionId, params: { prompt } };
+await estimate(body);            // status 'estimating' → 'confirming' (cost in result.cost.total)
+const snap = await submit(body); // status 'submitting' → 'polling'; returns a workflowId
+await poll(snap.workflowId);     // you loop this on a backoff until terminal
+```
+
+**Status semantics** (gotcha #8/#9/#10):
+
+- `status === 'confirming'` is **IDLE** (estimate landed, user reviewing the
+  cost) — keep the Generate button enabled. Only `estimating | submitting |
+  polling` are busy.
+- `result` is populated after `estimate()` too — don't treat a non-null `result`
+  as "something is queued."
+- The hook does **not** auto-poll. After `submit` flips status to `'polling'`,
+  the **caller** runs a `useEffect` that calls `poll(workflowId)` on a backoff
+  until the snapshot is terminal (`succeeded | failed | canceled | expired`).
+- An over-budget / rejected submit comes back as a **resolved** snapshot with
+  `status: 'failed'` + an `error` string — the transport resolves the reply, it
+  doesn't throw. Check `snap.status`, not just `try/catch`.
+
+> **Estimate must mirror submit** (gotcha #59): build the params for `estimate`
+> with the *exact* same logic as `submit` — same seed decision especially. The
+> orchestrator whatif prices a cache hit (identical workflow) at 0 and a fresh
+> job at full cost, and the seed decides which. A drifting estimate silently
+> mis-quotes. See the `buzz-workflow` example.
+
+> **cancel** — `@civitai/blocks-react@0.5.0+` adds `useBuzzWorkflow().cancel(workflowId)`
+> for a real server-side orchestrator cancel (gotcha #51), so a running workflow
+> stops spending Buzz. Before that, cancel was client-side only (stop polling). If
+> your installed version predates 0.5.0, do the client-side half and add the
+> `cancel(...)` call after upgrading.
+
+### `useBuzzPurchase()`
+
+Open the Buzz purchase modal — the insufficient-budget recovery path.
+
+```tsx
+const { openPurchaseModal } = useBuzzPurchase();
+const { purchased, newBalance } = await openPurchaseModal(suggestedAmount);
+if (purchased) { /* retry the generation */ }
+```
+
+### `useAppStorage()`
+
+Per-(block instance, viewer) KV datastore, host-mediated. 64 KB per value,
+50 MB + ~1M rows per app.
+
+```tsx
+const storage = useAppStorage();
+await storage.set('key', { any: 'json' });   // throws "PAYLOAD_TOO_LARGE" over a limit
+const v = await storage.get<MyShape>('key'); // null if unset / anon
+await storage.delete('key');                  // idempotent
+const { keys } = await storage.list({ prefix: 'note-' });
+const quota = await storage.getQuota();       // { usedBytes, rowCount, limitBytes, limitRows }
+```
+
+### `useCheckpointPicker()`
+
+Drive the platform Checkpoint picker + persist a viewer override.
+
+```tsx
+const { open, persist } = useCheckpointPicker();
+const { selected } = await open({ baseModelGroup: 'SDXL', currentVersionId });
+if (selected) await persist(selected.versionId);   // null clears the override
+```
+
+### `useCivitaiNavigate()`
+
+Request a navigation within civitai.com (host-mediated; fire-and-forget).
+
+```tsx
+const { navigate } = useCivitaiNavigate();
+navigate('/models/12345', 'new_tab');   // 'new_tab' needs allow-popups* in the manifest sandbox
+```
+
+### `useBlockAnalytics()`
+
+Fire-and-forget event tracking into the host's analytics pipeline.
+
+```tsx
+const { track } = useBlockAnalytics();
+track('generate_clicked', { modelId });
+```
+
+## The `/ui` subexport
+
+Opinionated components, imported separately so a transport-only block stays lean.
+v0 ships the headless, manifest-driven `SettingsForm`:
+
+```tsx
+import { SettingsForm } from '@civitai/blocks-react/ui';
+
+<SettingsForm
+  manifestSettings={manifest.settings}
+  declaredScopes={manifest.scopes}
+  forScope="viewer"               // or "publisher"
+  initialValues={settings.userSettings}
+  onSubmit={async (values) => { /* persist (platform page) */ }}
+/>
+```
+
+Unstyled native controls (host themes them). `isFieldVisible` + `SettingsFormError`
+are also exported. See the `settings` example.
+
+## Lower-level transport
+
+For non-React or advanced use, the transport primitives are exported too:
+`IframeTransport`, `InlineTransport`, `BlockTransportDetector`,
+`readAllowedOriginsFromEnv`, `getTransport`, and `sendTypedRequest`. Hooks are the
+recommended surface; reach for these only when a hook doesn't fit.
+
+## Examples
+
+Runnable, minimal blocks — one per feature, each with its own README:
+
+- [`hello-world`](https://github.com/civitai/civitai-app-starters/tree/main/starters/examples/hello-world) — `useBlockContext`, lifecycle, `data-theme` (#60)
+- [`settings`](https://github.com/civitai/civitai-app-starters/tree/main/starters/examples/settings) — manifest settings + `SettingsForm`
+- [`buzz-workflow`](https://github.com/civitai/civitai-app-starters/tree/main/starters/examples/buzz-workflow) — `useBuzzWorkflow` (#59, #8/#9/#10, #19)
+- [`kv-storage`](https://github.com/civitai/civitai-app-starters/tree/main/starters/examples/kv-storage) — `useAppStorage`
+- [`scopes-api`](https://github.com/civitai/civitai-app-starters/tree/main/starters/examples/scopes-api) — scopes + REST + `useBlockToken`
+- [`buzz-purchase`](https://github.com/civitai/civitai-app-starters/tree/main/starters/examples/buzz-purchase) — `useBuzzPurchase`
+
+## Version compatibility
 
-- [`@civitai/app-sdk/blocks`](https://github.com/civitai/civitai-app-starters/tree/main/packages/civitai-app-sdk/src/blocks): manifest types, `defineBlock`, `BLOCK_SCOPES`, `postMessage` protocol, JSON schema.
-- This package: `IframeTransport`, transport detector, and the eight React hooks (`useBlockContext`, `useBlockToken`, `useBlockSettings`, `useBuzzWorkflow`, `useBlockResize`, `useBuzzPurchase`, `useCivitaiNavigate`, `useBlockAnalytics`).
+| `@civitai/blocks-react` | pairs with `@civitai/app-sdk` | adds |
+|---|---|---|
+| `0.5.0` | `^0.7.0` | `useBuzzWorkflow().cancel()` (real server-side cancel, gotcha #51) |
+| `0.4.x` | `^0.6.0` | `useAppStorage`, `SettingsForm` (`/ui`) |
+| `0.3.x` | `^0.5.0` | earlier hook set |
 
-Architecture and contribution notes live in the [in-repo `AGENTS.md`](https://github.com/civitai/civitai-app-starters/blob/main/packages/civitai-blocks-react/AGENTS.md) (not shipped in the published tarball).
+Always keep `@civitai/app-sdk` at or above the paired minor — the React package
+peer-depends on the SDK's message/type contract.
 
 ## License
 

package/dist/hooks/useRequestConsent.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Lazy consent. Asks the host to open civitai.com's consent UI when a
+ * LOGGED-IN viewer clicks an action whose consent-gated scope the block token
+ * is missing — e.g. the block's Generate button needs `ai:write:budgeted` /
+ * `buzz:read:self` but the viewer hasn't granted them yet (so the mint withheld
+ * them and `useBlockToken().scopes` doesn't include them). The host validates
+ * the message like every inbound one (origin + `event.source` pinned, only
+ * honored after BLOCK_READY) and opens its consent UI.
+ *
+ * `scopes` is an optional advisory hint of which scopes the action needs; the
+ * host independently grants the missing set it computed at mint, so the block
+ * can omit it.
+ *
+ * Fire-and-forget: the host doesn't reply. On grant the host re-mints the block
+ * token and pushes a TOKEN_REFRESH carrying the now-granted scopes — observe
+ * `useBlockToken().scopes` and retry the action once the scope appears. Mirrors
+ * {@link useRequestSignIn} (the anonymous-conversion analog).
+ */
+export declare function useRequestConsent(): {
+    requestConsent: (payload?: {
+        scopes?: string[];
+    }) => void;
+};
+//# sourceMappingURL=useRequestConsent.d.ts.map

package/dist/hooks/useRequestConsent.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"useRequestConsent.d.ts","sourceRoot":"","sources":["../../src/hooks/useRequestConsent.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,iBAAiB,IAAI;IACnC,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,KAAK,IAAI,CAAC;CAC3D,CAQA"}

package/dist/hooks/useRequestConsent.js

@@ -0,0 +1,30 @@
+import { useCallback } from 'react';
+import { getTransport } from '../internal/singleton.js';
+/**
+ * Lazy consent. Asks the host to open civitai.com's consent UI when a
+ * LOGGED-IN viewer clicks an action whose consent-gated scope the block token
+ * is missing — e.g. the block's Generate button needs `ai:write:budgeted` /
+ * `buzz:read:self` but the viewer hasn't granted them yet (so the mint withheld
+ * them and `useBlockToken().scopes` doesn't include them). The host validates
+ * the message like every inbound one (origin + `event.source` pinned, only
+ * honored after BLOCK_READY) and opens its consent UI.
+ *
+ * `scopes` is an optional advisory hint of which scopes the action needs; the
+ * host independently grants the missing set it computed at mint, so the block
+ * can omit it.
+ *
+ * Fire-and-forget: the host doesn't reply. On grant the host re-mints the block
+ * token and pushes a TOKEN_REFRESH carrying the now-granted scopes — observe
+ * `useBlockToken().scopes` and retry the action once the scope appears. Mirrors
+ * {@link useRequestSignIn} (the anonymous-conversion analog).
+ */
+export function useRequestConsent() {
+    const requestConsent = useCallback((payload) => {
+        getTransport().sendMessage({
+            type: 'REQUEST_CONSENT',
+            ...(payload ? { payload } : {}),
+        });
+    }, []);
+    return { requestConsent };
+}
+//# sourceMappingURL=useRequestConsent.js.map

package/dist/hooks/useRequestConsent.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"useRequestConsent.js","sourceRoot":"","sources":["../../src/hooks/useRequestConsent.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,OAAO,CAAC;AAEpC,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAExD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,iBAAiB;IAG/B,MAAM,cAAc,GAAG,WAAW,CAAC,CAAC,OAA+B,EAAE,EAAE;QACrE,YAAY,EAAE,CAAC,WAAW,CAAC;YACzB,IAAI,EAAE,iBAAiB;YACvB,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAChC,CAAC,CAAC;IACL,CAAC,EAAE,EAAE,CAAC,CAAC;IACP,OAAO,EAAE,cAAc,EAAE,CAAC;AAC5B,CAAC"}

package/dist/hooks/useRequestSignIn.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Anonymous conversion. Asks the host to start civitai.com's login flow when a
+ * logged-out viewer (`useBlockContext().viewer === null`) clicks an action that
+ * needs auth/money — e.g. the block's Generate button. The host validates the
+ * message like every inbound one (origin + `event.source` pinned, only honored
+ * after BLOCK_READY) and opens its login UI.
+ *
+ * `returnUrl` is an optional same-origin in-app path to return to after sign-in;
+ * the host sanitises it (rejecting absolute / protocol-relative values) and
+ * defaults to the current page when omitted.
+ *
+ * Fire-and-forget: the host doesn't reply. After login the page reloads / the
+ * block re-inits as an authenticated viewer.
+ */
+export declare function useRequestSignIn(): {
+    requestSignIn: (payload?: {
+        returnUrl?: string;
+    }) => void;
+};
+//# sourceMappingURL=useRequestSignIn.d.ts.map

package/dist/hooks/useRequestSignIn.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"useRequestSignIn.d.ts","sourceRoot":"","sources":["../../src/hooks/useRequestSignIn.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;GAaG;AACH,wBAAgB,gBAAgB,IAAI;IAClC,aAAa,EAAE,CAAC,OAAO,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;CAC3D,CAQA"}

package/dist/hooks/useRequestSignIn.js

@@ -0,0 +1,26 @@
+import { useCallback } from 'react';
+import { getTransport } from '../internal/singleton.js';
+/**
+ * Anonymous conversion. Asks the host to start civitai.com's login flow when a
+ * logged-out viewer (`useBlockContext().viewer === null`) clicks an action that
+ * needs auth/money — e.g. the block's Generate button. The host validates the
+ * message like every inbound one (origin + `event.source` pinned, only honored
+ * after BLOCK_READY) and opens its login UI.
+ *
+ * `returnUrl` is an optional same-origin in-app path to return to after sign-in;
+ * the host sanitises it (rejecting absolute / protocol-relative values) and
+ * defaults to the current page when omitted.
+ *
+ * Fire-and-forget: the host doesn't reply. After login the page reloads / the
+ * block re-inits as an authenticated viewer.
+ */
+export function useRequestSignIn() {
+    const requestSignIn = useCallback((payload) => {
+        getTransport().sendMessage({
+            type: 'REQUEST_SIGN_IN',
+            ...(payload ? { payload } : {}),
+        });
+    }, []);
+    return { requestSignIn };
+}
+//# sourceMappingURL=useRequestSignIn.js.map

package/dist/hooks/useRequestSignIn.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"useRequestSignIn.js","sourceRoot":"","sources":["../../src/hooks/useRequestSignIn.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,OAAO,CAAC;AAEpC,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAExD;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,gBAAgB;IAG9B,MAAM,aAAa,GAAG,WAAW,CAAC,CAAC,OAAgC,EAAE,EAAE;QACrE,YAAY,EAAE,CAAC,WAAW,CAAC;YACzB,IAAI,EAAE,iBAAiB;YACvB,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAChC,CAAC,CAAC;IACL,CAAC,EAAE,EAAE,CAAC,CAAC;IACP,OAAO,EAAE,aAAa,EAAE,CAAC;AAC3B,CAAC"}

package/dist/index.d.ts

@@ -21,6 +21,8 @@ export { useBlockResize } from './hooks/useBlockResize.js';
 export { useBuzzPurchase } from './hooks/useBuzzPurchase.js';
 export { useCheckpointPicker } from './hooks/useCheckpointPicker.js';
 export { useCivitaiNavigate } from './hooks/useCivitaiNavigate.js';
+export { useRequestSignIn } from './hooks/useRequestSignIn.js';
+export { useRequestConsent } from './hooks/useRequestConsent.js';
 export { useBlockAnalytics } from './hooks/useBlockAnalytics.js';
 export { useAppStorage } from './hooks/useAppStorage.js';
 export type { AppStorageKeyEntry, AppStorageListResult, AppStorageQuota, UseAppStorage, } from './hooks/useAppStorage.js';

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAChE,YAAY,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AAE5E,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAEhE,OAAO,EAAE,sBAAsB,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AAC3F,YAAY,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAE5D,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAEvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,YAAY,EACV,aAAa,EACb,cAAc,EACd,eAAe,GAChB,MAAM,yBAAyB,CAAC;AAGjC,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,YAAY,EACV,kBAAkB,EAClB,oBAAoB,EACpB,eAAe,EACf,aAAa,GACd,MAAM,0BAA0B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAChE,YAAY,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AAE5E,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAEhE,OAAO,EAAE,sBAAsB,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AAC3F,YAAY,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAE5D,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAEvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,YAAY,EACV,aAAa,EACb,cAAc,EACd,eAAe,GAChB,MAAM,yBAAyB,CAAC;AAGjC,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,YAAY,EACV,kBAAkB,EAClB,oBAAoB,EACpB,eAAe,EACf,aAAa,GACd,MAAM,0BAA0B,CAAC"}

package/dist/index.js

@@ -19,6 +19,8 @@ export { useBlockResize } from './hooks/useBlockResize.js';
 export { useBuzzPurchase } from './hooks/useBuzzPurchase.js';
 export { useCheckpointPicker } from './hooks/useCheckpointPicker.js';
 export { useCivitaiNavigate } from './hooks/useCivitaiNavigate.js';
+export { useRequestSignIn } from './hooks/useRequestSignIn.js';
+export { useRequestConsent } from './hooks/useRequestConsent.js';
 export { useBlockAnalytics } from './hooks/useBlockAnalytics.js';
 export { useAppStorage } from './hooks/useAppStorage.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAGhE,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAEhE,OAAO,EAAE,sBAAsB,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AAG3F,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAEvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAO3D,QAAQ;AACR,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAGhE,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAEhE,OAAO,EAAE,sBAAsB,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AAG3F,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAEvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAO3D,QAAQ;AACR,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC"}

package/dist/internal/iframeTransport.d.ts

@@ -20,7 +20,7 @@ export interface IframeTransportOptions {
  * correlates request/response pairs by `requestId`.
  */
 export declare class IframeTransport implements BlockTransport {
-    private readonly allowedOrigins;
+    private readonly originMatcher;
     private readonly window;
     private snapshot;
     private readonly listeners;

package/dist/internal/iframeTransport.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"iframeTransport.d.ts","sourceRoot":"","sources":["../../src/internal/iframeTransport.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EAEzB,KAAK,wBAAwB,EAC9B,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAKL,KAAK,aAAa,EAClB,KAAK,cAAc,EACnB,KAAK,eAAe,EACrB,MAAM,gBAAgB,CAAC;AAQxB,MAAM,WAAW,sBAAsB;IACrC;;;;;;;OAOG;IACH,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AASD;;;;;GAKG;AACH,qBAAa,eAAgB,YAAW,cAAc;IACpD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAsB;IACrD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAEhC,OAAO,CAAC,QAAQ,CAAiC;IACjD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAyB;IAEnD,yEAAyE;IACzE,OAAO,CAAC,YAAY,CAAuB;IAE3C,2EAA2E;IAC3E,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiD;IAC1E,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAqC;IAE7D,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA4B;IACxD,OAAO,CAAC,WAAW,CAAuC;IAC1D,OAAO,CAAC,UAAU,CAAwB;IAC1C,OAAO,CAAC,aAAa,CAAgC;IACrD,OAAO,CAAC,YAAY,CAAS;IAE7B,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAgC;gBAEpD,IAAI,EAAE,sBAAsB;IAiCxC,WAAW,IAAI,aAAa;IAI5B,SAAS,CAAC,QAAQ,EAAE,MAAM,IAAI,GAAG,MAAM,IAAI;IAO3C,WAAW,IAAI,OAAO,CAAC,gBAAgB,CAAC;IAIxC,WAAW,CAAC,OAAO,EAAE,oBAAoB,GAAG,IAAI;IAIhD,WAAW,CACT,OAAO,EAAE,eAAe,EACxB,YAAY,EAAE,wBAAwB,EACtC,IAAI,GAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAO,GAChC,OAAO,CAAC,OAAO,CAAC;IAmBnB,uDAAuD;IACvD,OAAO,IAAI,IAAI;IAWf,OAAO,CAAC,QAAQ;IAQhB,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,YAAY;IAKpB,OAAO,CAAC,aAAa;IAkFrB,OAAO,CAAC,iBAAiB;IASzB,OAAO,CAAC,IAAI;CAGb"}
+{"version":3,"file":"iframeTransport.d.ts","sourceRoot":"","sources":["../../src/internal/iframeTransport.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EAEzB,KAAK,wBAAwB,EAC9B,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAKL,KAAK,aAAa,EAClB,KAAK,cAAc,EACnB,KAAK,eAAe,EACrB,MAAM,gBAAgB,CAAC;AASxB,MAAM,WAAW,sBAAsB;IACrC;;;;;;;OAOG;IACH,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AASD;;;;;GAKG;AACH,qBAAa,eAAgB,YAAW,cAAc;IACpD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAgB;IAC9C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAEhC,OAAO,CAAC,QAAQ,CAAiC;IACjD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAyB;IAEnD,yEAAyE;IACzE,OAAO,CAAC,YAAY,CAAuB;IAE3C,2EAA2E;IAC3E,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiD;IAC1E,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAqC;IAE7D,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA4B;IACxD,OAAO,CAAC,WAAW,CAAuC;IAC1D,OAAO,CAAC,UAAU,CAAwB;IAC1C,OAAO,CAAC,aAAa,CAAgC;IACrD,OAAO,CAAC,YAAY,CAAS;IAE7B,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAgC;gBAEpD,IAAI,EAAE,sBAAsB;IAoCxC,WAAW,IAAI,aAAa;IAI5B,SAAS,CAAC,QAAQ,EAAE,MAAM,IAAI,GAAG,MAAM,IAAI;IAO3C,WAAW,IAAI,OAAO,CAAC,gBAAgB,CAAC;IAIxC,WAAW,CAAC,OAAO,EAAE,oBAAoB,GAAG,IAAI;IAIhD,WAAW,CACT,OAAO,EAAE,eAAe,EACxB,YAAY,EAAE,wBAAwB,EACtC,IAAI,GAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAO,GAChC,OAAO,CAAC,OAAO,CAAC;IAmBnB,uDAAuD;IACvD,OAAO,IAAI,IAAI;IAWf,OAAO,CAAC,QAAQ;IAQhB,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,YAAY;IAKpB,OAAO,CAAC,aAAa;IA2FrB,OAAO,CAAC,iBAAiB;IASzB,OAAO,CAAC,IAAI;CAGb"}

package/dist/internal/iframeTransport.js

@@ -1,5 +1,6 @@
 import { isMessage, } from '@civitai/app-sdk/blocks';
 import { EMPTY_SNAPSHOT, nextRequestId, snapshotFromInit, tokenFromWrapped, } from './transport.js';
+import { OriginMatcher } from './originMatcher.js';
 import { payloadValidatorFor } from './validate.js';
 const INIT_TIMEOUT_MS = 10_000;
 const DEFAULT_REQUEST_TIMEOUT_MS = 30_000;
@@ -10,7 +11,7 @@ const DEFAULT_REQUEST_TIMEOUT_MS = 30_000;
  * correlates request/response pairs by `requestId`.
  */
 export class IframeTransport {
-    allowedOrigins;
+    originMatcher;
     window;
     snapshot = EMPTY_SNAPSHOT;
     listeners = new Set();
@@ -30,7 +31,10 @@ export class IframeTransport {
             throw new Error('IframeTransport: allowedParentOrigins must contain at least one entry. ' +
                 'Configure NEXT_PUBLIC_BLOCK_ALLOWED_PARENT_ORIGINS (or the framework equivalent).');
         }
-        this.allowedOrigins = new Set(opts.allowedParentOrigins);
+        // Build the matcher from the allowlist. Exact entries match by equality;
+        // `https://*.example.com` entries match any subdomain on a dot boundary
+        // (mirrors the host-side CSP frame-ancestors convention).
+        this.originMatcher = new OriginMatcher(opts.allowedParentOrigins);
         this.window = opts.window ?? globalThis.window;
         if (!this.window) {
             throw new Error('IframeTransport: no window available; cannot mount on the server.');
@@ -111,7 +115,7 @@ export class IframeTransport {
         this.window.parent.postMessage(msg, this.parentOrigin);
     }
     handleMessage(event) {
-        if (!this.allowedOrigins.has(event.origin))
+        if (!this.originMatcher.matches(event.origin))
             return;
         const data = event.data;
         if (data == null || typeof data !== 'object' || typeof data.type !== 'string')
@@ -126,6 +130,15 @@ export class IframeTransport {
             console.warn(`IframeTransport: dropping malformed "${data.type}" message from ${event.origin}`);
             return;
         }
+        // CONTRACT — load-bearing, do NOT weaken the `!this.initResolved` guard:
+        // BLOCK_INIT is DEDUPED. Only the FIRST valid init is honored; every repeat
+        // is a complete no-op (no re-snapshot, no re-emit to subscribers, no second
+        // BLOCK_READY, parentOrigin frozen to the first sender). The civitai host
+        // (`IframeHost.tsx`) depends on this: to defeat the cross-origin iframe
+        // `onLoad` race it RE-SENDS BLOCK_INIT on a ~400ms interval until it observes
+        // BLOCK_READY (civitai PR #2546). If this dedupe were removed, every retry
+        // tick would re-init the block and re-emit BLOCK_READY. Pinned by
+        // iframe-transport.test.ts → "dedupes repeated BLOCK_INIT (host retry-until-ready contract)".
         if (isMessage(data, 'BLOCK_INIT')) {
             if (!this.initResolved) {
                 this.initResolved = true;

package/dist/internal/iframeTransport.js.map

@@ -1 +1 @@
-{"version":3,"file":"iframeTransport.js","sourceRoot":"","sources":["../../src/internal/iframeTransport.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,GAKV,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,cAAc,EACd,aAAa,EACb,gBAAgB,EAChB,gBAAgB,GAIjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAIpD,MAAM,eAAe,GAAG,MAAM,CAAC;AAC/B,MAAM,0BAA0B,GAAG,MAAM,CAAC;AAuB1C;;;;;GAKG;AACH,MAAM,OAAO,eAAe;IACT,cAAc,CAAsB;IACpC,MAAM,CAAS;IAExB,QAAQ,GAAkB,cAAc,CAAC;IAChC,SAAS,GAAG,IAAI,GAAG,EAAc,CAAC;IAEnD,yEAAyE;IACjE,YAAY,GAAkB,IAAI,CAAC;IAE3C,2EAA2E;IAC1D,QAAQ,GAA8C,EAAE,CAAC;IACzD,OAAO,GAAG,IAAI,GAAG,EAA0B,CAAC;IAE5C,WAAW,CAA4B;IAChD,WAAW,CAAuC;IAClD,UAAU,CAAwB;IAClC,aAAa,CAAgC;IAC7C,YAAY,GAAG,KAAK,CAAC;IAEZ,eAAe,CAAgC;IAEhE,YAAY,IAA4B;QACtC,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CACb,yEAAyE;gBACvE,mFAAmF,CACtF,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,cAAc,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACzD,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,IAAK,UAAkC,CAAC,MAAO,CAAC;QACzE,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;QACvF,CAAC;QAED,IAAI,CAAC,WAAW,GAAG,IAAI,OAAO,CAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACnE,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC;YAC3B,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC;QAC3B,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE;YACnC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;gBACvB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;gBACzB,IAAI,CAAC,UAAU,CACb,IAAI,KAAK,CACP,2DAA2D,eAAe,MAAM;oBAC9E,mGAAmG,CACtG,CACF,CAAC;YACJ,CAAC;QACH,CAAC,EAAE,eAAe,CAAC,CAAC;QAEpB,IAAI,CAAC,eAAe,GAAG,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAC5D,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC;IAChE,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED,SAAS,CAAC,QAAoB;QAC5B,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7B,OAAO,GAAG,EAAE;YACV,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC,CAAC;IACJ,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED,WAAW,CAAC,OAA6B;QACvC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAC/C,CAAC;IAED,WAAW,CACT,OAAwB,EACxB,YAAsC,EACtC,OAA+B,EAAE;QAEjC,MAAM,SAAS,GAAG,aAAa,EAAE,CAAC;QAClC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,0BAA0B,CAAC;QAC/D,OAAO,IAAI,OAAO,CAAU,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC9C,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE;gBAChC,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;oBACnC,MAAM,CAAC,IAAI,KAAK,CAAC,6BAA6B,OAAO,CAAC,IAAI,qBAAqB,SAAS,IAAI,CAAC,CAAC,CAAC;gBACjG,CAAC;YACH,CAAC,EAAE,SAAS,CAAC,CAAC;YACd,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE;gBAC1B,OAAO;gBACP,MAAM;gBACN,SAAS;gBACT,YAAY;aACb,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;IACL,CAAC;IAED,uDAAuD;IACvD,OAAO;QACL,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC;QACjE,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACjC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;YAC5C,YAAY,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC,CAAC;QACxD,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACrB,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;IACzB,CAAC;IAEO,QAAQ,CAAC,IAAY,EAAE,OAAgB;QAC7C,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;YACtC,OAAO;QACT,CAAC;QACD,IAAI,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IACvC,CAAC;IAEO,aAAa;QACnB,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;YAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAG,CAAC;YACnC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAEO,YAAY,CAAC,GAAuC;QAC1D,uFAAuF;QACvF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,YAAa,CAAC,CAAC;IAC1D,CAAC;IAEO,aAAa,CAAC,KAAmB;QACvC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC;YAAE,OAAO;QACnD,MAAM,IAAI,GAAG,KAAK,CAAC,IAA6C,CAAC;QACjE,IAAI,IAAI,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ;YAAE,OAAO;QAEtF,kEAAkE;QAClE,gEAAgE;QAChE,oEAAoE;QACpE,yCAAyC;QACzC,MAAM,SAAS,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjD,IAAI,SAAS,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1C,yFAAyF;YACzF,OAAO,CAAC,IAAI,CACV,wCAAwC,IAAI,CAAC,IAAI,kBAAkB,KAAK,CAAC,MAAM,EAAE,CAClF,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,SAAS,CAAqC,IAAI,EAAE,YAAY,CAAC,EAAE,CAAC;YACtE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;gBACvB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;gBACzB,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;gBACjC,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC,MAAM,CAAC;gBACjC,IAAI,CAAC,QAAQ,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC/C,IAAI,CAAC,IAAI,EAAE,CAAC;gBACZ,IAAI,CAAC,aAAa,EAAE,CAAC;gBACrB,kEAAkE;gBAClE,kEAAkE;gBAClE,kEAAkE;gBAClE,iEAAiE;gBACjE,gEAAgE;gBAChE,4DAA4D;gBAC5D,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC,CAAC;gBAC5C,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACjC,CAAC;YACD,OAAO;QACT,CAAC;QAED,iEAAiE;QACjE,6CAA6C;QAC7C,IAAI,SAAS,CAAwC,IAAI,EAAE,eAAe,CAAC,EAAE,CAAC;YAC5E,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC3C,OAAO;QACT,CAAC;QAED,0EAA0E;QAC1E,MAAM,OAAO,GAAG,IAAI,CAAC,OAA8C,CAAC;QACpE,IAAI,OAAmC,CAAC;QACxC,IAAI,gBAAgB,GAAkB,IAAI,CAAC;QAC3C,IAAI,OAAO,IAAI,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACtD,IAAI,SAAS,IAAI,SAAS,CAAC,YAAY,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;gBACtD,OAAO,GAAG,SAAS,CAAC;gBACpB,gBAAgB,GAAG,OAAO,CAAC,SAAS,CAAC;YACvC,CAAC;QACH,CAAC;QAED,iEAAiE;QACjE,oEAAoE;QACpE,gEAAgE;QAChE,kEAAkE;QAClE,oDAAoD;QACpD,IAAI,SAAS,CAAiD,IAAI,EAAE,wBAAwB,CAAC,EAAE,CAAC;YAC9F,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC7C,CAAC;QAED,IAAI,OAAO,IAAI,gBAAgB,KAAK,IAAI,EAAE,CAAC;YACzC,YAAY,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;YACtC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YACzB,OAAO;QACT,CAAC;QAED,IAAI,SAAS,CAAkC,IAAI,EAAE,SAAS,CAAC,EAAE,CAAC;YAChE,oDAAoD;YACpD,OAAO;QACT,CAAC;QACD,IAAI,SAAS,CAAiC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;IACH,CAAC;IAEO,iBAAiB,CAAC,OAAqB;QAC7C,wEAAwE;QACxE,sEAAsE;QACtE,qEAAqE;QACrE,6CAA6C;QAC7C,IAAI,CAAC,QAAQ,GAAG,EAAE,GAAG,IAAI,CAAC,QAAQ,EAAE,KAAK,EAAE,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;QACvE,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAEO,IAAI;QACV,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,SAAS;YAAE,QAAQ,EAAE,CAAC;IACpD,CAAC;CACF"}
+{"version":3,"file":"iframeTransport.js","sourceRoot":"","sources":["../../src/internal/iframeTransport.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,GAKV,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,cAAc,EACd,aAAa,EACb,gBAAgB,EAChB,gBAAgB,GAIjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAIpD,MAAM,eAAe,GAAG,MAAM,CAAC;AAC/B,MAAM,0BAA0B,GAAG,MAAM,CAAC;AAuB1C;;;;;GAKG;AACH,MAAM,OAAO,eAAe;IACT,aAAa,CAAgB;IAC7B,MAAM,CAAS;IAExB,QAAQ,GAAkB,cAAc,CAAC;IAChC,SAAS,GAAG,IAAI,GAAG,EAAc,CAAC;IAEnD,yEAAyE;IACjE,YAAY,GAAkB,IAAI,CAAC;IAE3C,2EAA2E;IAC1D,QAAQ,GAA8C,EAAE,CAAC;IACzD,OAAO,GAAG,IAAI,GAAG,EAA0B,CAAC;IAE5C,WAAW,CAA4B;IAChD,WAAW,CAAuC;IAClD,UAAU,CAAwB;IAClC,aAAa,CAAgC;IAC7C,YAAY,GAAG,KAAK,CAAC;IAEZ,eAAe,CAAgC;IAEhE,YAAY,IAA4B;QACtC,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CACb,yEAAyE;gBACvE,mFAAmF,CACtF,CAAC;QACJ,CAAC;QACD,yEAAyE;QACzE,wEAAwE;QACxE,0DAA0D;QAC1D,IAAI,CAAC,aAAa,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QAClE,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,IAAK,UAAkC,CAAC,MAAO,CAAC;QACzE,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;QACvF,CAAC;QAED,IAAI,CAAC,WAAW,GAAG,IAAI,OAAO,CAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACnE,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC;YAC3B,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC;QAC3B,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE;YACnC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;gBACvB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;gBACzB,IAAI,CAAC,UAAU,CACb,IAAI,KAAK,CACP,2DAA2D,eAAe,MAAM;oBAC9E,mGAAmG,CACtG,CACF,CAAC;YACJ,CAAC;QACH,CAAC,EAAE,eAAe,CAAC,CAAC;QAEpB,IAAI,CAAC,eAAe,GAAG,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAC5D,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC;IAChE,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED,SAAS,CAAC,QAAoB;QAC5B,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7B,OAAO,GAAG,EAAE;YACV,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC,CAAC;IACJ,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED,WAAW,CAAC,OAA6B;QACvC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAC/C,CAAC;IAED,WAAW,CACT,OAAwB,EACxB,YAAsC,EACtC,OAA+B,EAAE;QAEjC,MAAM,SAAS,GAAG,aAAa,EAAE,CAAC;QAClC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,0BAA0B,CAAC;QAC/D,OAAO,IAAI,OAAO,CAAU,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC9C,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE;gBAChC,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;oBACnC,MAAM,CAAC,IAAI,KAAK,CAAC,6BAA6B,OAAO,CAAC,IAAI,qBAAqB,SAAS,IAAI,CAAC,CAAC,CAAC;gBACjG,CAAC;YACH,CAAC,EAAE,SAAS,CAAC,CAAC;YACd,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE;gBAC1B,OAAO;gBACP,MAAM;gBACN,SAAS;gBACT,YAAY;aACb,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;IACL,CAAC;IAED,uDAAuD;IACvD,OAAO;QACL,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC;QACjE,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACjC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;YAC5C,YAAY,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC,CAAC;QACxD,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACrB,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;IACzB,CAAC;IAEO,QAAQ,CAAC,IAAY,EAAE,OAAgB;QAC7C,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;YACtC,OAAO;QACT,CAAC;QACD,IAAI,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IACvC,CAAC;IAEO,aAAa;QACnB,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;YAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAG,CAAC;YACnC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAEO,YAAY,CAAC,GAAuC;QAC1D,uFAAuF;QACvF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,YAAa,CAAC,CAAC;IAC1D,CAAC;IAEO,aAAa,CAAC,KAAmB;QACvC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC;YAAE,OAAO;QACtD,MAAM,IAAI,GAAG,KAAK,CAAC,IAA6C,CAAC;QACjE,IAAI,IAAI,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ;YAAE,OAAO;QAEtF,kEAAkE;QAClE,gEAAgE;QAChE,oEAAoE;QACpE,yCAAyC;QACzC,MAAM,SAAS,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjD,IAAI,SAAS,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1C,yFAAyF;YACzF,OAAO,CAAC,IAAI,CACV,wCAAwC,IAAI,CAAC,IAAI,kBAAkB,KAAK,CAAC,MAAM,EAAE,CAClF,CAAC;YACF,OAAO;QACT,CAAC;QAED,yEAAyE;QACzE,4EAA4E;QAC5E,4EAA4E;QAC5E,0EAA0E;QAC1E,wEAAwE;QACxE,8EAA8E;QAC9E,2EAA2E;QAC3E,kEAAkE;QAClE,8FAA8F;QAC9F,IAAI,SAAS,CAAqC,IAAI,EAAE,YAAY,CAAC,EAAE,CAAC;YACtE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;gBACvB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;gBACzB,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;gBACjC,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC,MAAM,CAAC;gBACjC,IAAI,CAAC,QAAQ,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC/C,IAAI,CAAC,IAAI,EAAE,CAAC;gBACZ,IAAI,CAAC,aAAa,EAAE,CAAC;gBACrB,kEAAkE;gBAClE,kEAAkE;gBAClE,kEAAkE;gBAClE,iEAAiE;gBACjE,gEAAgE;gBAChE,4DAA4D;gBAC5D,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC,CAAC;gBAC5C,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACjC,CAAC;YACD,OAAO;QACT,CAAC;QAED,iEAAiE;QACjE,6CAA6C;QAC7C,IAAI,SAAS,CAAwC,IAAI,EAAE,eAAe,CAAC,EAAE,CAAC;YAC5E,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC3C,OAAO;QACT,CAAC;QAED,0EAA0E;QAC1E,MAAM,OAAO,GAAG,IAAI,CAAC,OAA8C,CAAC;QACpE,IAAI,OAAmC,CAAC;QACxC,IAAI,gBAAgB,GAAkB,IAAI,CAAC;QAC3C,IAAI,OAAO,IAAI,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACtD,IAAI,SAAS,IAAI,SAAS,CAAC,YAAY,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;gBACtD,OAAO,GAAG,SAAS,CAAC;gBACpB,gBAAgB,GAAG,OAAO,CAAC,SAAS,CAAC;YACvC,CAAC;QACH,CAAC;QAED,iEAAiE;QACjE,oEAAoE;QACpE,gEAAgE;QAChE,kEAAkE;QAClE,oDAAoD;QACpD,IAAI,SAAS,CAAiD,IAAI,EAAE,wBAAwB,CAAC,EAAE,CAAC;YAC9F,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC7C,CAAC;QAED,IAAI,OAAO,IAAI,gBAAgB,KAAK,IAAI,EAAE,CAAC;YACzC,YAAY,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;YACtC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YACzB,OAAO;QACT,CAAC;QAED,IAAI,SAAS,CAAkC,IAAI,EAAE,SAAS,CAAC,EAAE,CAAC;YAChE,oDAAoD;YACpD,OAAO;QACT,CAAC;QACD,IAAI,SAAS,CAAiC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;IACH,CAAC;IAEO,iBAAiB,CAAC,OAAqB;QAC7C,wEAAwE;QACxE,sEAAsE;QACtE,qEAAqE;QACrE,6CAA6C;QAC7C,IAAI,CAAC,QAAQ,GAAG,EAAE,GAAG,IAAI,CAAC,QAAQ,EAAE,KAAK,EAAE,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;QACvE,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAEO,IAAI;QACV,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,SAAS;YAAE,QAAQ,EAAE,CAAC;IACpD,CAAC;CACF"}

package/dist/internal/originMatcher.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Origin allowlist matching for {@link IframeTransport}.
+ *
+ * Each `allowedParentOrigins` entry is either:
+ * - an EXACT origin (`https://civitai.com`) — matched by string equality, or
+ * - a SUFFIX-WILDCARD origin (`https://*.civitaic.com`) — matches any
+ *   `https://<sub>.civitaic.com`, where `<sub>` is one or more labels
+ *   (single-label `pr-9` or a full subtree `a.b`), but NOT the bare apex
+ *   `https://civitaic.com` and NOT a different registrable domain.
+ *
+ * The wildcard form mirrors the host-side CSP `frame-ancestors` convention
+ * (`https://*.civitaic.com`) so a single block build can trust both prod
+ * (`civitai.com`, an exact entry) and dynamic preview subdomains
+ * (`pr-N.civitaic.com`, a wildcard entry).
+ *
+ * Security: matching is scheme-pinned and suffix-anchored on a DOT boundary,
+ * so `https://*.civitaic.com` does NOT match `https://civitaic.com.attacker.tld`
+ * (different suffix) nor `https://evilcivitaic.com` (no dot boundary). A
+ * bare `*` or empty wildcard is rejected at construction.
+ */
+export declare class OriginMatcher {
+    private readonly exact;
+    private readonly wildcards;
+    constructor(allowedParentOrigins: readonly string[]);
+    /** True when `origin` is allowed by an exact or wildcard allowlist entry. */
+    matches(origin: string): boolean;
+}
+//# sourceMappingURL=originMatcher.d.ts.map

package/dist/internal/originMatcher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"originMatcher.d.ts","sourceRoot":"","sources":["../../src/internal/originMatcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AASH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAsB;IAC5C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAA2B;gBAEzC,oBAAoB,EAAE,SAAS,MAAM,EAAE;IAoBnD,6EAA6E;IAC7E,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;CAkBjC"}

package/dist/internal/originMatcher.js

@@ -0,0 +1,89 @@
+/**
+ * Origin allowlist matching for {@link IframeTransport}.
+ *
+ * Each `allowedParentOrigins` entry is either:
+ * - an EXACT origin (`https://civitai.com`) — matched by string equality, or
+ * - a SUFFIX-WILDCARD origin (`https://*.civitaic.com`) — matches any
+ *   `https://<sub>.civitaic.com`, where `<sub>` is one or more labels
+ *   (single-label `pr-9` or a full subtree `a.b`), but NOT the bare apex
+ *   `https://civitaic.com` and NOT a different registrable domain.
+ *
+ * The wildcard form mirrors the host-side CSP `frame-ancestors` convention
+ * (`https://*.civitaic.com`) so a single block build can trust both prod
+ * (`civitai.com`, an exact entry) and dynamic preview subdomains
+ * (`pr-N.civitaic.com`, a wildcard entry).
+ *
+ * Security: matching is scheme-pinned and suffix-anchored on a DOT boundary,
+ * so `https://*.civitaic.com` does NOT match `https://civitaic.com.attacker.tld`
+ * (different suffix) nor `https://evilcivitaic.com` (no dot boundary). A
+ * bare `*` or empty wildcard is rejected at construction.
+ */
+export class OriginMatcher {
+    exact;
+    wildcards;
+    constructor(allowedParentOrigins) {
+        const exact = new Set();
+        const wildcards = [];
+        for (const raw of allowedParentOrigins) {
+            const entry = raw.trim();
+            if (!entry)
+                continue;
+            const wildcard = parseWildcard(entry);
+            if (wildcard) {
+                wildcards.push(wildcard);
+            }
+            else {
+                exact.add(entry);
+            }
+        }
+        this.exact = exact;
+        this.wildcards = wildcards;
+    }
+    /** True when `origin` is allowed by an exact or wildcard allowlist entry. */
+    matches(origin) {
+        if (this.exact.has(origin))
+            return true;
+        for (const wc of this.wildcards) {
+            if (!origin.startsWith(wc.scheme))
+                continue;
+            const host = origin.slice(wc.scheme.length);
+            // Reject anything with a path/port/query smuggled into the host span:
+            // a real `event.origin` is scheme + host (+ optional :port). We require
+            // an exact host-suffix match with at least one leading label, and no '/'.
+            if (host.includes('/'))
+                continue;
+            // The host must END with the dot-anchored suffix AND have at least one
+            // character of label before the leading dot (so the apex itself is excluded).
+            if (host.length > wc.suffix.length && host.endsWith(wc.suffix)) {
+                return true;
+            }
+        }
+        return false;
+    }
+}
+/**
+ * Parses a `https://*.example.com`-style entry into `{scheme, suffix}`.
+ * Returns `null` for non-wildcard (exact) entries.
+ * Throws for malformed wildcards (`*` only, `https://*`, `https://*.`).
+ */
+function parseWildcard(entry) {
+    const star = entry.indexOf('*');
+    if (star === -1)
+        return null;
+    // Wildcard must be of the exact form `<scheme>://*.<suffix>`.
+    const marker = '://*.';
+    const markerAt = entry.indexOf(marker);
+    if (markerAt === -1) {
+        throw new Error(`IframeTransport: invalid wildcard origin "${entry}". ` +
+            'Wildcard entries must look like "https://*.example.com".');
+    }
+    const scheme = entry.slice(0, markerAt + 3); // include "://"
+    const bareSuffix = entry.slice(markerAt + marker.length); // after "://*."
+    if (!scheme || scheme === '://' || !bareSuffix) {
+        throw new Error(`IframeTransport: invalid wildcard origin "${entry}". ` +
+            'A wildcard needs a scheme and a non-empty domain suffix, e.g. "https://*.example.com".');
+    }
+    // Dot-anchor the suffix so `*.civitaic.com` only matches on a label boundary.
+    return { scheme, suffix: `.${bareSuffix}` };
+}
+//# sourceMappingURL=originMatcher.js.map

package/dist/internal/originMatcher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"originMatcher.js","sourceRoot":"","sources":["../../src/internal/originMatcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AASH,MAAM,OAAO,aAAa;IACP,KAAK,CAAsB;IAC3B,SAAS,CAA2B;IAErD,YAAY,oBAAuC;QACjD,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;QAChC,MAAM,SAAS,GAAoB,EAAE,CAAC;QAEtC,KAAK,MAAM,GAAG,IAAI,oBAAoB,EAAE,CAAC;YACvC,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;YACzB,IAAI,CAAC,KAAK;gBAAE,SAAS;YAErB,MAAM,QAAQ,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;YACtC,IAAI,QAAQ,EAAE,CAAC;gBACb,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC3B,CAAC;iBAAM,CAAC;gBACN,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YACnB,CAAC;QACH,CAAC;QAED,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED,6EAA6E;IAC7E,OAAO,CAAC,MAAc;QACpB,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;QAExC,KAAK,MAAM,EAAE,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAChC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,MAAM,CAAC;gBAAE,SAAS;YAC5C,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC5C,sEAAsE;YACtE,wEAAwE;YACxE,0EAA0E;YAC1E,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAAE,SAAS;YACjC,uEAAuE;YACvE,8EAA8E;YAC9E,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC/D,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAED;;;;GAIG;AACH,SAAS,aAAa,CAAC,KAAa;IAClC,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,IAAI,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAE7B,8DAA8D;IAC9D,MAAM,MAAM,GAAG,OAAO,CAAC;IACvB,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACvC,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CACb,6CAA6C,KAAK,KAAK;YACrD,0DAA0D,CAC7D,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,gBAAgB;IAC7D,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,gBAAgB;IAC1E,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,KAAK,IAAI,CAAC,UAAU,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CACb,6CAA6C,KAAK,KAAK;YACrD,wFAAwF,CAC3F,CAAC;IACJ,CAAC;IAED,8EAA8E;IAC9E,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,UAAU,EAAE,EAAE,CAAC;AAC9C,CAAC"}

package/dist/internal/validate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../src/internal/validate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EACV,gBAAgB,EAChB,qBAAqB,EACrB,YAAY,EACb,MAAM,yBAAyB,CAAC;AAejC;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,YAAY,CAQjE;AAED,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,gBAAgB,CA6BzE;AAcD,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,qBAAqB,CA4B9E;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CACjC,CAAC,EAAE,OAAO,GACT,CAAC,IAAI;IAAE,KAAK,EAAE,YAAY,CAAA;CAAE,CAI9B;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CACzC,CAAC,EAAE,OAAO,GACT,CAAC,IAAI;IAAE,KAAK,EAAE,YAAY,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,CAKlD;AAED,wBAAgB,oBAAoB,CAClC,CAAC,EAAE,OAAO,GACT,CAAC,IAAI;IAAE,QAAQ,EAAE,qBAAqB,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,CAK9D;AAED,wBAAgB,yBAAyB,CACvC,CAAC,EAAE,OAAO,GACT,CAAC,IAAI;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,CAMtE;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CACjC,IAAI,EAAE,MAAM,GACX,CAAC,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,GAAG,IAAI,CAuBxC"}
+{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../src/internal/validate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EACV,gBAAgB,EAChB,qBAAqB,EACrB,YAAY,EACb,MAAM,yBAAyB,CAAC;AAejC;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,YAAY,CAQjE;AAED,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,gBAAgB,CAuCzE;AAcD,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,qBAAqB,CA4B9E;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CACjC,CAAC,EAAE,OAAO,GACT,CAAC,IAAI;IAAE,KAAK,EAAE,YAAY,CAAA;CAAE,CAI9B;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CACzC,CAAC,EAAE,OAAO,GACT,CAAC,IAAI;IAAE,KAAK,EAAE,YAAY,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,CAKlD;AAED,wBAAgB,oBAAoB,CAClC,CAAC,EAAE,OAAO,GACT,CAAC,IAAI;IAAE,QAAQ,EAAE,qBAAqB,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,CAK9D;AAED,wBAAgB,yBAAyB,CACvC,CAAC,EAAE,OAAO,GACT,CAAC,IAAI;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,CAMtE;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CACjC,IAAI,EAAE,MAAM,GACX,CAAC,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,GAAG,IAAI,CAuBxC"}

package/dist/internal/validate.js

@@ -64,7 +64,7 @@ export function isValidBlockInitPayload(p) {
         return false;
     if (!isObject(p.settings.userSettings))
         return false;
-    // `null` for anonymous viewers; otherwise { id, username, status }.
+    // `null` for anonymous viewers; otherwise { id, username, status? }.
     if (p.viewer !== null) {
         if (!isObject(p.viewer))
             return false;
@@ -72,7 +72,15 @@ export function isValidBlockInitPayload(p) {
             return false;
         if (p.viewer.username !== null && typeof p.viewer.username !== 'string')
             return false;
-        if (p.viewer.status !== 'active' && p.viewer.status !== 'banned' && p.viewer.status !== 'muted') {
+        // `status` is OPTIONAL. The platform deliberately omits the viewer's coarse
+        // ban/mute moderation state from BLOCK_INIT to third-party iframes for
+        // privacy (civitai #2521). When present it must be one of the three values;
+        // when absent (undefined) the init is still valid. Requiring it here
+        // rejected every signed-in viewer's init from a #2521-minimized host.
+        if (p.viewer.status !== undefined &&
+            p.viewer.status !== 'active' &&
+            p.viewer.status !== 'banned' &&
+            p.viewer.status !== 'muted') {
             return false;
         }
     }

package/dist/internal/validate.js.map

@@ -1 +1 @@
-{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../src/internal/validate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAQH,MAAM,QAAQ,GAAG,CAAC,CAAU,EAAgC,EAAE,CAC5D,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,KAAK,QAAQ,CAAC;AAEtC,MAAM,gBAAgB,GAAG,CAAC,CAAU,EAAe,EAAE,CACnD,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;AAExC,oFAAoF;AACpF,SAAS,qBAAqB,CAAC,CAAU;IACvC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1D,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACzB,OAAO,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;AAC7B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,CAAU;IAC5C,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3C,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IAC7E,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IACtD,IAAI,CAAC,CAAC,UAAU,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACjF,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,CAAU;IAChD,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/C,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,eAAe,CAAC;QAAE,OAAO,KAAK,CAAC;IACvD,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC7C,IAAI,CAAC,CAAC,UAAU,KAAK,QAAQ,IAAI,CAAC,CAAC,UAAU,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAEzE,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAEhD,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAEtD,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,iBAAiB,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1D,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC;QAAE,OAAO,KAAK,CAAC;IAErD,oEAAoE;IACpE,IAAI,CAAC,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;QACtB,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC;YAAE,OAAO,KAAK,CAAC;QACtC,IAAI,OAAO,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAClD,IAAI,CAAC,CAAC,MAAM,CAAC,QAAQ,KAAK,IAAI,IAAI,OAAO,CAAC,CAAC,MAAM,CAAC,QAAQ,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QACtF,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YAChG,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,IAAI,CAAC,CAAC,KAAK,KAAK,OAAO,IAAI,CAAC,CAAC,KAAK,KAAK,MAAM;QAAE,OAAO,KAAK,CAAC;IAE5D,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAS;IACxC,SAAS;IACT,YAAY;IACZ,WAAW;IACX,QAAQ;IACR,SAAS;IACT,UAAU;CACX,CAAC,CAAC;AAEH,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAS,CAAC,YAAY,CAAC,CAAC,CAAC;AACzD,MAAM,wBAAwB,GAAG,IAAI,GAAG,CAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC;AAErF,MAAM,UAAU,uBAAuB,CAAC,CAAU;IAChD,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,UAAU,CAAC;QAAE,OAAO,KAAK,CAAC;IAClD,IAAI,OAAO,CAAC,CAAC,MAAM,KAAK,QAAQ,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IACnF,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QACzB,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;IAC1E,CAAC;IACD,IAAI,CAAC,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QAC9B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;YAAE,OAAO,KAAK,CAAC;QAC9C,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;YAAE,OAAO,KAAK,CAAC;IAClF,CAAC;IACD,IAAI,CAAC,CAAC,KAAK,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACvE,IAAI,CAAC,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QAC9B,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;YAAE,OAAO,KAAK,CAAC;QACzC,IAAI,OAAO,CAAC,CAAC,SAAS,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;YACpF,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IAAI,OAAO,CAAC,CAAC,SAAS,CAAC,MAAM,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;YACnF,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IACE,OAAO,CAAC,CAAC,SAAS,CAAC,WAAW,KAAK,QAAQ;YAC3C,CAAC,wBAAwB,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,EACtD,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CACjC,CAAU;IAEV,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAChD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,2BAA2B,CACzC,CAAU;IAEV,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAChD,IAAI,CAAC,CAAC,SAAS,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC/E,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,CAAU;IAEV,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IACvD,IAAI,CAAC,CAAC,SAAS,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC/E,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,CAAU;IAEV,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IACnD,IAAI,CAAC,CAAC,UAAU,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACjF,IAAI,CAAC,CAAC,SAAS,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC/E,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CACjC,IAAY;IAEZ,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,YAAY;YACf,OAAO,uBAAuB,CAAC;QACjC,KAAK,eAAe;YAClB,OAAO,mBAAmB,CAAC;QAC7B,KAAK,wBAAwB;YAC3B,OAAO,2BAA2B,CAAC;QACrC,KAAK,iBAAiB,CAAC;QACvB,KAAK,oBAAoB,CAAC;QAC1B,KAAK,iBAAiB,CAAC;QACvB,KAAK,mBAAmB;YACtB,OAAO,oBAAoB,CAAC;QAC9B,KAAK,sBAAsB;YACzB,OAAO,yBAAyB,CAAC;QACnC,KAAK,SAAS,CAAC;QACf,KAAK,QAAQ;YACX,OAAO,IAAI,CAAC;QACd;YACE,oEAAoE;YACpE,gDAAgD;YAChD,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC"}
+{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../src/internal/validate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAQH,MAAM,QAAQ,GAAG,CAAC,CAAU,EAAgC,EAAE,CAC5D,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,KAAK,QAAQ,CAAC;AAEtC,MAAM,gBAAgB,GAAG,CAAC,CAAU,EAAe,EAAE,CACnD,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;AAExC,oFAAoF;AACpF,SAAS,qBAAqB,CAAC,CAAU;IACvC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1D,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACzB,OAAO,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;AAC7B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,CAAU;IAC5C,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3C,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IAC7E,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IACtD,IAAI,CAAC,CAAC,UAAU,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACjF,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,CAAU;IAChD,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/C,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,eAAe,CAAC;QAAE,OAAO,KAAK,CAAC;IACvD,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC7C,IAAI,CAAC,CAAC,UAAU,KAAK,QAAQ,IAAI,CAAC,CAAC,UAAU,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAEzE,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAEhD,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAEtD,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,iBAAiB,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1D,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC;QAAE,OAAO,KAAK,CAAC;IAErD,qEAAqE;IACrE,IAAI,CAAC,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;QACtB,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC;YAAE,OAAO,KAAK,CAAC;QACtC,IAAI,OAAO,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAClD,IAAI,CAAC,CAAC,MAAM,CAAC,QAAQ,KAAK,IAAI,IAAI,OAAO,CAAC,CAAC,MAAM,CAAC,QAAQ,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QACtF,4EAA4E;QAC5E,uEAAuE;QACvE,4EAA4E;QAC5E,qEAAqE;QACrE,sEAAsE;QACtE,IACE,CAAC,CAAC,MAAM,CAAC,MAAM,KAAK,SAAS;YAC7B,CAAC,CAAC,MAAM,CAAC,MAAM,KAAK,QAAQ;YAC5B,CAAC,CAAC,MAAM,CAAC,MAAM,KAAK,QAAQ;YAC5B,CAAC,CAAC,MAAM,CAAC,MAAM,KAAK,OAAO,EAC3B,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,IAAI,CAAC,CAAC,KAAK,KAAK,OAAO,IAAI,CAAC,CAAC,KAAK,KAAK,MAAM;QAAE,OAAO,KAAK,CAAC;IAE5D,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAS;IACxC,SAAS;IACT,YAAY;IACZ,WAAW;IACX,QAAQ;IACR,SAAS;IACT,UAAU;CACX,CAAC,CAAC;AAEH,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAS,CAAC,YAAY,CAAC,CAAC,CAAC;AACzD,MAAM,wBAAwB,GAAG,IAAI,GAAG,CAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC;AAErF,MAAM,UAAU,uBAAuB,CAAC,CAAU;IAChD,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,UAAU,CAAC;QAAE,OAAO,KAAK,CAAC;IAClD,IAAI,OAAO,CAAC,CAAC,MAAM,KAAK,QAAQ,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IACnF,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QACzB,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;IAC1E,CAAC;IACD,IAAI,CAAC,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QAC9B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;YAAE,OAAO,KAAK,CAAC;QAC9C,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;YAAE,OAAO,KAAK,CAAC;IAClF,CAAC;IACD,IAAI,CAAC,CAAC,KAAK,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACvE,IAAI,CAAC,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QAC9B,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;YAAE,OAAO,KAAK,CAAC;QACzC,IAAI,OAAO,CAAC,CAAC,SAAS,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;YACpF,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IAAI,OAAO,CAAC,CAAC,SAAS,CAAC,MAAM,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;YACnF,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IACE,OAAO,CAAC,CAAC,SAAS,CAAC,WAAW,KAAK,QAAQ;YAC3C,CAAC,wBAAwB,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,EACtD,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CACjC,CAAU;IAEV,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAChD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,2BAA2B,CACzC,CAAU;IAEV,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAChD,IAAI,CAAC,CAAC,SAAS,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC/E,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,CAAU;IAEV,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IACvD,IAAI,CAAC,CAAC,SAAS,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC/E,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,CAAU;IAEV,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IACnD,IAAI,CAAC,CAAC,UAAU,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACjF,IAAI,CAAC,CAAC,SAAS,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC/E,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CACjC,IAAY;IAEZ,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,YAAY;YACf,OAAO,uBAAuB,CAAC;QACjC,KAAK,eAAe;YAClB,OAAO,mBAAmB,CAAC;QAC7B,KAAK,wBAAwB;YAC3B,OAAO,2BAA2B,CAAC;QACrC,KAAK,iBAAiB,CAAC;QACvB,KAAK,oBAAoB,CAAC;QAC1B,KAAK,iBAAiB,CAAC;QACvB,KAAK,mBAAmB;YACtB,OAAO,oBAAoB,CAAC;QAC9B,KAAK,sBAAsB;YACzB,OAAO,yBAAyB,CAAC;QACnC,KAAK,SAAS,CAAC;QACf,KAAK,QAAQ;YACX,OAAO,IAAI,CAAC;QACd;YACE,oEAAoE;YACpE,gDAAgD;YAChD,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@civitai/blocks-react",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "description": "React hooks and iframe transport for Civitai App Blocks. Pairs with @civitai/app-sdk/blocks.",
   "license": "MIT",
   "type": "module",
@@ -34,7 +34,7 @@
     "node": ">=20"
   },
   "peerDependencies": {
-    "@civitai/app-sdk": "^0.7.0",
+    "@civitai/app-sdk": ">=0.7.0 <1",
     "react": "^18.0.0 || ^19.0.0"
   },
   "devDependencies": {