@civitai/blocks-react 0.5.1 → 0.6.0

package/dist/hooks/useRequestConsent.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Lazy consent. Asks the host to open civitai.com's consent UI when a
+ * LOGGED-IN viewer clicks an action whose consent-gated scope the block token
+ * is missing — e.g. the block's Generate button needs `ai:write:budgeted` /
+ * `buzz:read:self` but the viewer hasn't granted them yet (so the mint withheld
+ * them and `useBlockToken().scopes` doesn't include them). The host validates
+ * the message like every inbound one (origin + `event.source` pinned, only
+ * honored after BLOCK_READY) and opens its consent UI.
+ *
+ * `scopes` is an optional advisory hint of which scopes the action needs; the
+ * host independently grants the missing set it computed at mint, so the block
+ * can omit it.
+ *
+ * Fire-and-forget: the host doesn't reply. On grant the host re-mints the block
+ * token and pushes a TOKEN_REFRESH carrying the now-granted scopes — observe
+ * `useBlockToken().scopes` and retry the action once the scope appears. Mirrors
+ * {@link useRequestSignIn} (the anonymous-conversion analog).
+ */
+export declare function useRequestConsent(): {
+    requestConsent: (payload?: {
+        scopes?: string[];
+    }) => void;
+};
+//# sourceMappingURL=useRequestConsent.d.ts.map

package/dist/hooks/useRequestConsent.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"useRequestConsent.d.ts","sourceRoot":"","sources":["../../src/hooks/useRequestConsent.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,iBAAiB,IAAI;IACnC,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,KAAK,IAAI,CAAC;CAC3D,CAQA"}

package/dist/hooks/useRequestConsent.js

@@ -0,0 +1,30 @@
+import { useCallback } from 'react';
+import { getTransport } from '../internal/singleton.js';
+/**
+ * Lazy consent. Asks the host to open civitai.com's consent UI when a
+ * LOGGED-IN viewer clicks an action whose consent-gated scope the block token
+ * is missing — e.g. the block's Generate button needs `ai:write:budgeted` /
+ * `buzz:read:self` but the viewer hasn't granted them yet (so the mint withheld
+ * them and `useBlockToken().scopes` doesn't include them). The host validates
+ * the message like every inbound one (origin + `event.source` pinned, only
+ * honored after BLOCK_READY) and opens its consent UI.
+ *
+ * `scopes` is an optional advisory hint of which scopes the action needs; the
+ * host independently grants the missing set it computed at mint, so the block
+ * can omit it.
+ *
+ * Fire-and-forget: the host doesn't reply. On grant the host re-mints the block
+ * token and pushes a TOKEN_REFRESH carrying the now-granted scopes — observe
+ * `useBlockToken().scopes` and retry the action once the scope appears. Mirrors
+ * {@link useRequestSignIn} (the anonymous-conversion analog).
+ */
+export function useRequestConsent() {
+    const requestConsent = useCallback((payload) => {
+        getTransport().sendMessage({
+            type: 'REQUEST_CONSENT',
+            ...(payload ? { payload } : {}),
+        });
+    }, []);
+    return { requestConsent };
+}
+//# sourceMappingURL=useRequestConsent.js.map

package/dist/hooks/useRequestConsent.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"useRequestConsent.js","sourceRoot":"","sources":["../../src/hooks/useRequestConsent.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,OAAO,CAAC;AAEpC,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAExD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,iBAAiB;IAG/B,MAAM,cAAc,GAAG,WAAW,CAAC,CAAC,OAA+B,EAAE,EAAE;QACrE,YAAY,EAAE,CAAC,WAAW,CAAC;YACzB,IAAI,EAAE,iBAAiB;YACvB,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAChC,CAAC,CAAC;IACL,CAAC,EAAE,EAAE,CAAC,CAAC;IACP,OAAO,EAAE,cAAc,EAAE,CAAC;AAC5B,CAAC"}

package/dist/hooks/useRequestSignIn.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Anonymous conversion. Asks the host to start civitai.com's login flow when a
+ * logged-out viewer (`useBlockContext().viewer === null`) clicks an action that
+ * needs auth/money — e.g. the block's Generate button. The host validates the
+ * message like every inbound one (origin + `event.source` pinned, only honored
+ * after BLOCK_READY) and opens its login UI.
+ *
+ * `returnUrl` is an optional same-origin in-app path to return to after sign-in;
+ * the host sanitises it (rejecting absolute / protocol-relative values) and
+ * defaults to the current page when omitted.
+ *
+ * Fire-and-forget: the host doesn't reply. After login the page reloads / the
+ * block re-inits as an authenticated viewer.
+ */
+export declare function useRequestSignIn(): {
+    requestSignIn: (payload?: {
+        returnUrl?: string;
+    }) => void;
+};
+//# sourceMappingURL=useRequestSignIn.d.ts.map

package/dist/hooks/useRequestSignIn.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"useRequestSignIn.d.ts","sourceRoot":"","sources":["../../src/hooks/useRequestSignIn.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;GAaG;AACH,wBAAgB,gBAAgB,IAAI;IAClC,aAAa,EAAE,CAAC,OAAO,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;CAC3D,CAQA"}

package/dist/hooks/useRequestSignIn.js

@@ -0,0 +1,26 @@
+import { useCallback } from 'react';
+import { getTransport } from '../internal/singleton.js';
+/**
+ * Anonymous conversion. Asks the host to start civitai.com's login flow when a
+ * logged-out viewer (`useBlockContext().viewer === null`) clicks an action that
+ * needs auth/money — e.g. the block's Generate button. The host validates the
+ * message like every inbound one (origin + `event.source` pinned, only honored
+ * after BLOCK_READY) and opens its login UI.
+ *
+ * `returnUrl` is an optional same-origin in-app path to return to after sign-in;
+ * the host sanitises it (rejecting absolute / protocol-relative values) and
+ * defaults to the current page when omitted.
+ *
+ * Fire-and-forget: the host doesn't reply. After login the page reloads / the
+ * block re-inits as an authenticated viewer.
+ */
+export function useRequestSignIn() {
+    const requestSignIn = useCallback((payload) => {
+        getTransport().sendMessage({
+            type: 'REQUEST_SIGN_IN',
+            ...(payload ? { payload } : {}),
+        });
+    }, []);
+    return { requestSignIn };
+}
+//# sourceMappingURL=useRequestSignIn.js.map

package/dist/hooks/useRequestSignIn.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"useRequestSignIn.js","sourceRoot":"","sources":["../../src/hooks/useRequestSignIn.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,OAAO,CAAC;AAEpC,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAExD;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,gBAAgB;IAG9B,MAAM,aAAa,GAAG,WAAW,CAAC,CAAC,OAAgC,EAAE,EAAE;QACrE,YAAY,EAAE,CAAC,WAAW,CAAC;YACzB,IAAI,EAAE,iBAAiB;YACvB,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAChC,CAAC,CAAC;IACL,CAAC,EAAE,EAAE,CAAC,CAAC;IACP,OAAO,EAAE,aAAa,EAAE,CAAC;AAC3B,CAAC"}

package/dist/index.d.ts

@@ -21,6 +21,8 @@ export { useBlockResize } from './hooks/useBlockResize.js';
 export { useBuzzPurchase } from './hooks/useBuzzPurchase.js';
 export { useCheckpointPicker } from './hooks/useCheckpointPicker.js';
 export { useCivitaiNavigate } from './hooks/useCivitaiNavigate.js';
+export { useRequestSignIn } from './hooks/useRequestSignIn.js';
+export { useRequestConsent } from './hooks/useRequestConsent.js';
 export { useBlockAnalytics } from './hooks/useBlockAnalytics.js';
 export { useAppStorage } from './hooks/useAppStorage.js';
 export type { AppStorageKeyEntry, AppStorageListResult, AppStorageQuota, UseAppStorage, } from './hooks/useAppStorage.js';

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAChE,YAAY,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AAE5E,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAEhE,OAAO,EAAE,sBAAsB,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AAC3F,YAAY,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAE5D,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAEvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,YAAY,EACV,aAAa,EACb,cAAc,EACd,eAAe,GAChB,MAAM,yBAAyB,CAAC;AAGjC,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,YAAY,EACV,kBAAkB,EAClB,oBAAoB,EACpB,eAAe,EACf,aAAa,GACd,MAAM,0BAA0B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAChE,YAAY,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AAE5E,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAEhE,OAAO,EAAE,sBAAsB,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AAC3F,YAAY,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAE5D,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAEvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,YAAY,EACV,aAAa,EACb,cAAc,EACd,eAAe,GAChB,MAAM,yBAAyB,CAAC;AAGjC,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,YAAY,EACV,kBAAkB,EAClB,oBAAoB,EACpB,eAAe,EACf,aAAa,GACd,MAAM,0BAA0B,CAAC"}

package/dist/index.js

@@ -19,6 +19,8 @@ export { useBlockResize } from './hooks/useBlockResize.js';
 export { useBuzzPurchase } from './hooks/useBuzzPurchase.js';
 export { useCheckpointPicker } from './hooks/useCheckpointPicker.js';
 export { useCivitaiNavigate } from './hooks/useCivitaiNavigate.js';
+export { useRequestSignIn } from './hooks/useRequestSignIn.js';
+export { useRequestConsent } from './hooks/useRequestConsent.js';
 export { useBlockAnalytics } from './hooks/useBlockAnalytics.js';
 export { useAppStorage } from './hooks/useAppStorage.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAGhE,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAEhE,OAAO,EAAE,sBAAsB,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AAG3F,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAEvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAO3D,QAAQ;AACR,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAGhE,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAEhE,OAAO,EAAE,sBAAsB,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AAG3F,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAEvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAO3D,QAAQ;AACR,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC"}

package/dist/internal/iframeTransport.d.ts

@@ -20,7 +20,7 @@ export interface IframeTransportOptions {
  * correlates request/response pairs by `requestId`.
  */
 export declare class IframeTransport implements BlockTransport {
-    private readonly allowedOrigins;
+    private readonly originMatcher;
     private readonly window;
     private snapshot;
     private readonly listeners;

package/dist/internal/iframeTransport.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"iframeTransport.d.ts","sourceRoot":"","sources":["../../src/internal/iframeTransport.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EAEzB,KAAK,wBAAwB,EAC9B,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAKL,KAAK,aAAa,EAClB,KAAK,cAAc,EACnB,KAAK,eAAe,EACrB,MAAM,gBAAgB,CAAC;AAQxB,MAAM,WAAW,sBAAsB;IACrC;;;;;;;OAOG;IACH,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AASD;;;;;GAKG;AACH,qBAAa,eAAgB,YAAW,cAAc;IACpD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAsB;IACrD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAEhC,OAAO,CAAC,QAAQ,CAAiC;IACjD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAyB;IAEnD,yEAAyE;IACzE,OAAO,CAAC,YAAY,CAAuB;IAE3C,2EAA2E;IAC3E,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiD;IAC1E,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAqC;IAE7D,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA4B;IACxD,OAAO,CAAC,WAAW,CAAuC;IAC1D,OAAO,CAAC,UAAU,CAAwB;IAC1C,OAAO,CAAC,aAAa,CAAgC;IACrD,OAAO,CAAC,YAAY,CAAS;IAE7B,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAgC;gBAEpD,IAAI,EAAE,sBAAsB;IAiCxC,WAAW,IAAI,aAAa;IAI5B,SAAS,CAAC,QAAQ,EAAE,MAAM,IAAI,GAAG,MAAM,IAAI;IAO3C,WAAW,IAAI,OAAO,CAAC,gBAAgB,CAAC;IAIxC,WAAW,CAAC,OAAO,EAAE,oBAAoB,GAAG,IAAI;IAIhD,WAAW,CACT,OAAO,EAAE,eAAe,EACxB,YAAY,EAAE,wBAAwB,EACtC,IAAI,GAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAO,GAChC,OAAO,CAAC,OAAO,CAAC;IAmBnB,uDAAuD;IACvD,OAAO,IAAI,IAAI;IAWf,OAAO,CAAC,QAAQ;IAQhB,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,YAAY;IAKpB,OAAO,CAAC,aAAa;IA2FrB,OAAO,CAAC,iBAAiB;IASzB,OAAO,CAAC,IAAI;CAGb"}
+{"version":3,"file":"iframeTransport.d.ts","sourceRoot":"","sources":["../../src/internal/iframeTransport.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EAEzB,KAAK,wBAAwB,EAC9B,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAKL,KAAK,aAAa,EAClB,KAAK,cAAc,EACnB,KAAK,eAAe,EACrB,MAAM,gBAAgB,CAAC;AASxB,MAAM,WAAW,sBAAsB;IACrC;;;;;;;OAOG;IACH,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AASD;;;;;GAKG;AACH,qBAAa,eAAgB,YAAW,cAAc;IACpD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAgB;IAC9C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAEhC,OAAO,CAAC,QAAQ,CAAiC;IACjD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAyB;IAEnD,yEAAyE;IACzE,OAAO,CAAC,YAAY,CAAuB;IAE3C,2EAA2E;IAC3E,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiD;IAC1E,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAqC;IAE7D,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA4B;IACxD,OAAO,CAAC,WAAW,CAAuC;IAC1D,OAAO,CAAC,UAAU,CAAwB;IAC1C,OAAO,CAAC,aAAa,CAAgC;IACrD,OAAO,CAAC,YAAY,CAAS;IAE7B,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAgC;gBAEpD,IAAI,EAAE,sBAAsB;IAoCxC,WAAW,IAAI,aAAa;IAI5B,SAAS,CAAC,QAAQ,EAAE,MAAM,IAAI,GAAG,MAAM,IAAI;IAO3C,WAAW,IAAI,OAAO,CAAC,gBAAgB,CAAC;IAIxC,WAAW,CAAC,OAAO,EAAE,oBAAoB,GAAG,IAAI;IAIhD,WAAW,CACT,OAAO,EAAE,eAAe,EACxB,YAAY,EAAE,wBAAwB,EACtC,IAAI,GAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAO,GAChC,OAAO,CAAC,OAAO,CAAC;IAmBnB,uDAAuD;IACvD,OAAO,IAAI,IAAI;IAWf,OAAO,CAAC,QAAQ;IAQhB,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,YAAY;IAKpB,OAAO,CAAC,aAAa;IA2FrB,OAAO,CAAC,iBAAiB;IASzB,OAAO,CAAC,IAAI;CAGb"}

package/dist/internal/iframeTransport.js

@@ -1,5 +1,6 @@
 import { isMessage, } from '@civitai/app-sdk/blocks';
 import { EMPTY_SNAPSHOT, nextRequestId, snapshotFromInit, tokenFromWrapped, } from './transport.js';
+import { OriginMatcher } from './originMatcher.js';
 import { payloadValidatorFor } from './validate.js';
 const INIT_TIMEOUT_MS = 10_000;
 const DEFAULT_REQUEST_TIMEOUT_MS = 30_000;
@@ -10,7 +11,7 @@ const DEFAULT_REQUEST_TIMEOUT_MS = 30_000;
  * correlates request/response pairs by `requestId`.
  */
 export class IframeTransport {
-    allowedOrigins;
+    originMatcher;
     window;
     snapshot = EMPTY_SNAPSHOT;
     listeners = new Set();
@@ -30,7 +31,10 @@ export class IframeTransport {
             throw new Error('IframeTransport: allowedParentOrigins must contain at least one entry. ' +
                 'Configure NEXT_PUBLIC_BLOCK_ALLOWED_PARENT_ORIGINS (or the framework equivalent).');
         }
-        this.allowedOrigins = new Set(opts.allowedParentOrigins);
+        // Build the matcher from the allowlist. Exact entries match by equality;
+        // `https://*.example.com` entries match any subdomain on a dot boundary
+        // (mirrors the host-side CSP frame-ancestors convention).
+        this.originMatcher = new OriginMatcher(opts.allowedParentOrigins);
         this.window = opts.window ?? globalThis.window;
         if (!this.window) {
             throw new Error('IframeTransport: no window available; cannot mount on the server.');
@@ -111,7 +115,7 @@ export class IframeTransport {
         this.window.parent.postMessage(msg, this.parentOrigin);
     }
     handleMessage(event) {
-        if (!this.allowedOrigins.has(event.origin))
+        if (!this.originMatcher.matches(event.origin))
             return;
         const data = event.data;
         if (data == null || typeof data !== 'object' || typeof data.type !== 'string')

package/dist/internal/iframeTransport.js.map

@@ -1 +1 @@
-{"version":3,"file":"iframeTransport.js","sourceRoot":"","sources":["../../src/internal/iframeTransport.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,GAKV,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,cAAc,EACd,aAAa,EACb,gBAAgB,EAChB,gBAAgB,GAIjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAIpD,MAAM,eAAe,GAAG,MAAM,CAAC;AAC/B,MAAM,0BAA0B,GAAG,MAAM,CAAC;AAuB1C;;;;;GAKG;AACH,MAAM,OAAO,eAAe;IACT,cAAc,CAAsB;IACpC,MAAM,CAAS;IAExB,QAAQ,GAAkB,cAAc,CAAC;IAChC,SAAS,GAAG,IAAI,GAAG,EAAc,CAAC;IAEnD,yEAAyE;IACjE,YAAY,GAAkB,IAAI,CAAC;IAE3C,2EAA2E;IAC1D,QAAQ,GAA8C,EAAE,CAAC;IACzD,OAAO,GAAG,IAAI,GAAG,EAA0B,CAAC;IAE5C,WAAW,CAA4B;IAChD,WAAW,CAAuC;IAClD,UAAU,CAAwB;IAClC,aAAa,CAAgC;IAC7C,YAAY,GAAG,KAAK,CAAC;IAEZ,eAAe,CAAgC;IAEhE,YAAY,IAA4B;QACtC,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CACb,yEAAyE;gBACvE,mFAAmF,CACtF,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,cAAc,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACzD,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,IAAK,UAAkC,CAAC,MAAO,CAAC;QACzE,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;QACvF,CAAC;QAED,IAAI,CAAC,WAAW,GAAG,IAAI,OAAO,CAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACnE,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC;YAC3B,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC;QAC3B,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE;YACnC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;gBACvB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;gBACzB,IAAI,CAAC,UAAU,CACb,IAAI,KAAK,CACP,2DAA2D,eAAe,MAAM;oBAC9E,mGAAmG,CACtG,CACF,CAAC;YACJ,CAAC;QACH,CAAC,EAAE,eAAe,CAAC,CAAC;QAEpB,IAAI,CAAC,eAAe,GAAG,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAC5D,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC;IAChE,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED,SAAS,CAAC,QAAoB;QAC5B,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7B,OAAO,GAAG,EAAE;YACV,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC,CAAC;IACJ,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED,WAAW,CAAC,OAA6B;QACvC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAC/C,CAAC;IAED,WAAW,CACT,OAAwB,EACxB,YAAsC,EACtC,OAA+B,EAAE;QAEjC,MAAM,SAAS,GAAG,aAAa,EAAE,CAAC;QAClC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,0BAA0B,CAAC;QAC/D,OAAO,IAAI,OAAO,CAAU,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC9C,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE;gBAChC,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;oBACnC,MAAM,CAAC,IAAI,KAAK,CAAC,6BAA6B,OAAO,CAAC,IAAI,qBAAqB,SAAS,IAAI,CAAC,CAAC,CAAC;gBACjG,CAAC;YACH,CAAC,EAAE,SAAS,CAAC,CAAC;YACd,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE;gBAC1B,OAAO;gBACP,MAAM;gBACN,SAAS;gBACT,YAAY;aACb,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;IACL,CAAC;IAED,uDAAuD;IACvD,OAAO;QACL,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC;QACjE,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACjC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;YAC5C,YAAY,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC,CAAC;QACxD,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACrB,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;IACzB,CAAC;IAEO,QAAQ,CAAC,IAAY,EAAE,OAAgB;QAC7C,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;YACtC,OAAO;QACT,CAAC;QACD,IAAI,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IACvC,CAAC;IAEO,aAAa;QACnB,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;YAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAG,CAAC;YACnC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAEO,YAAY,CAAC,GAAuC;QAC1D,uFAAuF;QACvF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,YAAa,CAAC,CAAC;IAC1D,CAAC;IAEO,aAAa,CAAC,KAAmB;QACvC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC;YAAE,OAAO;QACnD,MAAM,IAAI,GAAG,KAAK,CAAC,IAA6C,CAAC;QACjE,IAAI,IAAI,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ;YAAE,OAAO;QAEtF,kEAAkE;QAClE,gEAAgE;QAChE,oEAAoE;QACpE,yCAAyC;QACzC,MAAM,SAAS,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjD,IAAI,SAAS,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1C,yFAAyF;YACzF,OAAO,CAAC,IAAI,CACV,wCAAwC,IAAI,CAAC,IAAI,kBAAkB,KAAK,CAAC,MAAM,EAAE,CAClF,CAAC;YACF,OAAO;QACT,CAAC;QAED,yEAAyE;QACzE,4EAA4E;QAC5E,4EAA4E;QAC5E,0EAA0E;QAC1E,wEAAwE;QACxE,8EAA8E;QAC9E,2EAA2E;QAC3E,kEAAkE;QAClE,8FAA8F;QAC9F,IAAI,SAAS,CAAqC,IAAI,EAAE,YAAY,CAAC,EAAE,CAAC;YACtE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;gBACvB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;gBACzB,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;gBACjC,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC,MAAM,CAAC;gBACjC,IAAI,CAAC,QAAQ,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC/C,IAAI,CAAC,IAAI,EAAE,CAAC;gBACZ,IAAI,CAAC,aAAa,EAAE,CAAC;gBACrB,kEAAkE;gBAClE,kEAAkE;gBAClE,kEAAkE;gBAClE,iEAAiE;gBACjE,gEAAgE;gBAChE,4DAA4D;gBAC5D,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC,CAAC;gBAC5C,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACjC,CAAC;YACD,OAAO;QACT,CAAC;QAED,iEAAiE;QACjE,6CAA6C;QAC7C,IAAI,SAAS,CAAwC,IAAI,EAAE,eAAe,CAAC,EAAE,CAAC;YAC5E,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC3C,OAAO;QACT,CAAC;QAED,0EAA0E;QAC1E,MAAM,OAAO,GAAG,IAAI,CAAC,OAA8C,CAAC;QACpE,IAAI,OAAmC,CAAC;QACxC,IAAI,gBAAgB,GAAkB,IAAI,CAAC;QAC3C,IAAI,OAAO,IAAI,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACtD,IAAI,SAAS,IAAI,SAAS,CAAC,YAAY,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;gBACtD,OAAO,GAAG,SAAS,CAAC;gBACpB,gBAAgB,GAAG,OAAO,CAAC,SAAS,CAAC;YACvC,CAAC;QACH,CAAC;QAED,iEAAiE;QACjE,oEAAoE;QACpE,gEAAgE;QAChE,kEAAkE;QAClE,oDAAoD;QACpD,IAAI,SAAS,CAAiD,IAAI,EAAE,wBAAwB,CAAC,EAAE,CAAC;YAC9F,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC7C,CAAC;QAED,IAAI,OAAO,IAAI,gBAAgB,KAAK,IAAI,EAAE,CAAC;YACzC,YAAY,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;YACtC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YACzB,OAAO;QACT,CAAC;QAED,IAAI,SAAS,CAAkC,IAAI,EAAE,SAAS,CAAC,EAAE,CAAC;YAChE,oDAAoD;YACpD,OAAO;QACT,CAAC;QACD,IAAI,SAAS,CAAiC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;IACH,CAAC;IAEO,iBAAiB,CAAC,OAAqB;QAC7C,wEAAwE;QACxE,sEAAsE;QACtE,qEAAqE;QACrE,6CAA6C;QAC7C,IAAI,CAAC,QAAQ,GAAG,EAAE,GAAG,IAAI,CAAC,QAAQ,EAAE,KAAK,EAAE,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;QACvE,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAEO,IAAI;QACV,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,SAAS;YAAE,QAAQ,EAAE,CAAC;IACpD,CAAC;CACF"}
+{"version":3,"file":"iframeTransport.js","sourceRoot":"","sources":["../../src/internal/iframeTransport.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,GAKV,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,cAAc,EACd,aAAa,EACb,gBAAgB,EAChB,gBAAgB,GAIjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAIpD,MAAM,eAAe,GAAG,MAAM,CAAC;AAC/B,MAAM,0BAA0B,GAAG,MAAM,CAAC;AAuB1C;;;;;GAKG;AACH,MAAM,OAAO,eAAe;IACT,aAAa,CAAgB;IAC7B,MAAM,CAAS;IAExB,QAAQ,GAAkB,cAAc,CAAC;IAChC,SAAS,GAAG,IAAI,GAAG,EAAc,CAAC;IAEnD,yEAAyE;IACjE,YAAY,GAAkB,IAAI,CAAC;IAE3C,2EAA2E;IAC1D,QAAQ,GAA8C,EAAE,CAAC;IACzD,OAAO,GAAG,IAAI,GAAG,EAA0B,CAAC;IAE5C,WAAW,CAA4B;IAChD,WAAW,CAAuC;IAClD,UAAU,CAAwB;IAClC,aAAa,CAAgC;IAC7C,YAAY,GAAG,KAAK,CAAC;IAEZ,eAAe,CAAgC;IAEhE,YAAY,IAA4B;QACtC,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CACb,yEAAyE;gBACvE,mFAAmF,CACtF,CAAC;QACJ,CAAC;QACD,yEAAyE;QACzE,wEAAwE;QACxE,0DAA0D;QAC1D,IAAI,CAAC,aAAa,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QAClE,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,IAAK,UAAkC,CAAC,MAAO,CAAC;QACzE,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;QACvF,CAAC;QAED,IAAI,CAAC,WAAW,GAAG,IAAI,OAAO,CAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACnE,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC;YAC3B,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC;QAC3B,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE;YACnC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;gBACvB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;gBACzB,IAAI,CAAC,UAAU,CACb,IAAI,KAAK,CACP,2DAA2D,eAAe,MAAM;oBAC9E,mGAAmG,CACtG,CACF,CAAC;YACJ,CAAC;QACH,CAAC,EAAE,eAAe,CAAC,CAAC;QAEpB,IAAI,CAAC,eAAe,GAAG,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAC5D,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC;IAChE,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED,SAAS,CAAC,QAAoB;QAC5B,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7B,OAAO,GAAG,EAAE;YACV,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC,CAAC;IACJ,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED,WAAW,CAAC,OAA6B;QACvC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAC/C,CAAC;IAED,WAAW,CACT,OAAwB,EACxB,YAAsC,EACtC,OAA+B,EAAE;QAEjC,MAAM,SAAS,GAAG,aAAa,EAAE,CAAC;QAClC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,0BAA0B,CAAC;QAC/D,OAAO,IAAI,OAAO,CAAU,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC9C,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE;gBAChC,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;oBACnC,MAAM,CAAC,IAAI,KAAK,CAAC,6BAA6B,OAAO,CAAC,IAAI,qBAAqB,SAAS,IAAI,CAAC,CAAC,CAAC;gBACjG,CAAC;YACH,CAAC,EAAE,SAAS,CAAC,CAAC;YACd,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE;gBAC1B,OAAO;gBACP,MAAM;gBACN,SAAS;gBACT,YAAY;aACb,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;IACL,CAAC;IAED,uDAAuD;IACvD,OAAO;QACL,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC;QACjE,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACjC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;YAC5C,YAAY,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC,CAAC;QACxD,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACrB,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;IACzB,CAAC;IAEO,QAAQ,CAAC,IAAY,EAAE,OAAgB;QAC7C,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;YACtC,OAAO;QACT,CAAC;QACD,IAAI,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IACvC,CAAC;IAEO,aAAa;QACnB,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;YAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAG,CAAC;YACnC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAEO,YAAY,CAAC,GAAuC;QAC1D,uFAAuF;QACvF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,YAAa,CAAC,CAAC;IAC1D,CAAC;IAEO,aAAa,CAAC,KAAmB;QACvC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC;YAAE,OAAO;QACtD,MAAM,IAAI,GAAG,KAAK,CAAC,IAA6C,CAAC;QACjE,IAAI,IAAI,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ;YAAE,OAAO;QAEtF,kEAAkE;QAClE,gEAAgE;QAChE,oEAAoE;QACpE,yCAAyC;QACzC,MAAM,SAAS,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjD,IAAI,SAAS,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1C,yFAAyF;YACzF,OAAO,CAAC,IAAI,CACV,wCAAwC,IAAI,CAAC,IAAI,kBAAkB,KAAK,CAAC,MAAM,EAAE,CAClF,CAAC;YACF,OAAO;QACT,CAAC;QAED,yEAAyE;QACzE,4EAA4E;QAC5E,4EAA4E;QAC5E,0EAA0E;QAC1E,wEAAwE;QACxE,8EAA8E;QAC9E,2EAA2E;QAC3E,kEAAkE;QAClE,8FAA8F;QAC9F,IAAI,SAAS,CAAqC,IAAI,EAAE,YAAY,CAAC,EAAE,CAAC;YACtE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;gBACvB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;gBACzB,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;gBACjC,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC,MAAM,CAAC;gBACjC,IAAI,CAAC,QAAQ,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC/C,IAAI,CAAC,IAAI,EAAE,CAAC;gBACZ,IAAI,CAAC,aAAa,EAAE,CAAC;gBACrB,kEAAkE;gBAClE,kEAAkE;gBAClE,kEAAkE;gBAClE,iEAAiE;gBACjE,gEAAgE;gBAChE,4DAA4D;gBAC5D,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC,CAAC;gBAC5C,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACjC,CAAC;YACD,OAAO;QACT,CAAC;QAED,iEAAiE;QACjE,6CAA6C;QAC7C,IAAI,SAAS,CAAwC,IAAI,EAAE,eAAe,CAAC,EAAE,CAAC;YAC5E,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC3C,OAAO;QACT,CAAC;QAED,0EAA0E;QAC1E,MAAM,OAAO,GAAG,IAAI,CAAC,OAA8C,CAAC;QACpE,IAAI,OAAmC,CAAC;QACxC,IAAI,gBAAgB,GAAkB,IAAI,CAAC;QAC3C,IAAI,OAAO,IAAI,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACtD,IAAI,SAAS,IAAI,SAAS,CAAC,YAAY,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;gBACtD,OAAO,GAAG,SAAS,CAAC;gBACpB,gBAAgB,GAAG,OAAO,CAAC,SAAS,CAAC;YACvC,CAAC;QACH,CAAC;QAED,iEAAiE;QACjE,oEAAoE;QACpE,gEAAgE;QAChE,kEAAkE;QAClE,oDAAoD;QACpD,IAAI,SAAS,CAAiD,IAAI,EAAE,wBAAwB,CAAC,EAAE,CAAC;YAC9F,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC7C,CAAC;QAED,IAAI,OAAO,IAAI,gBAAgB,KAAK,IAAI,EAAE,CAAC;YACzC,YAAY,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;YACtC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YACzB,OAAO;QACT,CAAC;QAED,IAAI,SAAS,CAAkC,IAAI,EAAE,SAAS,CAAC,EAAE,CAAC;YAChE,oDAAoD;YACpD,OAAO;QACT,CAAC;QACD,IAAI,SAAS,CAAiC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;IACH,CAAC;IAEO,iBAAiB,CAAC,OAAqB;QAC7C,wEAAwE;QACxE,sEAAsE;QACtE,qEAAqE;QACrE,6CAA6C;QAC7C,IAAI,CAAC,QAAQ,GAAG,EAAE,GAAG,IAAI,CAAC,QAAQ,EAAE,KAAK,EAAE,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;QACvE,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAEO,IAAI;QACV,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,SAAS;YAAE,QAAQ,EAAE,CAAC;IACpD,CAAC;CACF"}

package/dist/internal/originMatcher.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Origin allowlist matching for {@link IframeTransport}.
+ *
+ * Each `allowedParentOrigins` entry is either:
+ * - an EXACT origin (`https://civitai.com`) — matched by string equality, or
+ * - a SUFFIX-WILDCARD origin (`https://*.civitaic.com`) — matches any
+ *   `https://<sub>.civitaic.com`, where `<sub>` is one or more labels
+ *   (single-label `pr-9` or a full subtree `a.b`), but NOT the bare apex
+ *   `https://civitaic.com` and NOT a different registrable domain.
+ *
+ * The wildcard form mirrors the host-side CSP `frame-ancestors` convention
+ * (`https://*.civitaic.com`) so a single block build can trust both prod
+ * (`civitai.com`, an exact entry) and dynamic preview subdomains
+ * (`pr-N.civitaic.com`, a wildcard entry).
+ *
+ * Security: matching is scheme-pinned and suffix-anchored on a DOT boundary,
+ * so `https://*.civitaic.com` does NOT match `https://civitaic.com.attacker.tld`
+ * (different suffix) nor `https://evilcivitaic.com` (no dot boundary). A
+ * bare `*` or empty wildcard is rejected at construction.
+ */
+export declare class OriginMatcher {
+    private readonly exact;
+    private readonly wildcards;
+    constructor(allowedParentOrigins: readonly string[]);
+    /** True when `origin` is allowed by an exact or wildcard allowlist entry. */
+    matches(origin: string): boolean;
+}
+//# sourceMappingURL=originMatcher.d.ts.map

package/dist/internal/originMatcher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"originMatcher.d.ts","sourceRoot":"","sources":["../../src/internal/originMatcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AASH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAsB;IAC5C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAA2B;gBAEzC,oBAAoB,EAAE,SAAS,MAAM,EAAE;IAoBnD,6EAA6E;IAC7E,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;CAkBjC"}

package/dist/internal/originMatcher.js

@@ -0,0 +1,89 @@
+/**
+ * Origin allowlist matching for {@link IframeTransport}.
+ *
+ * Each `allowedParentOrigins` entry is either:
+ * - an EXACT origin (`https://civitai.com`) — matched by string equality, or
+ * - a SUFFIX-WILDCARD origin (`https://*.civitaic.com`) — matches any
+ *   `https://<sub>.civitaic.com`, where `<sub>` is one or more labels
+ *   (single-label `pr-9` or a full subtree `a.b`), but NOT the bare apex
+ *   `https://civitaic.com` and NOT a different registrable domain.
+ *
+ * The wildcard form mirrors the host-side CSP `frame-ancestors` convention
+ * (`https://*.civitaic.com`) so a single block build can trust both prod
+ * (`civitai.com`, an exact entry) and dynamic preview subdomains
+ * (`pr-N.civitaic.com`, a wildcard entry).
+ *
+ * Security: matching is scheme-pinned and suffix-anchored on a DOT boundary,
+ * so `https://*.civitaic.com` does NOT match `https://civitaic.com.attacker.tld`
+ * (different suffix) nor `https://evilcivitaic.com` (no dot boundary). A
+ * bare `*` or empty wildcard is rejected at construction.
+ */
+export class OriginMatcher {
+    exact;
+    wildcards;
+    constructor(allowedParentOrigins) {
+        const exact = new Set();
+        const wildcards = [];
+        for (const raw of allowedParentOrigins) {
+            const entry = raw.trim();
+            if (!entry)
+                continue;
+            const wildcard = parseWildcard(entry);
+            if (wildcard) {
+                wildcards.push(wildcard);
+            }
+            else {
+                exact.add(entry);
+            }
+        }
+        this.exact = exact;
+        this.wildcards = wildcards;
+    }
+    /** True when `origin` is allowed by an exact or wildcard allowlist entry. */
+    matches(origin) {
+        if (this.exact.has(origin))
+            return true;
+        for (const wc of this.wildcards) {
+            if (!origin.startsWith(wc.scheme))
+                continue;
+            const host = origin.slice(wc.scheme.length);
+            // Reject anything with a path/port/query smuggled into the host span:
+            // a real `event.origin` is scheme + host (+ optional :port). We require
+            // an exact host-suffix match with at least one leading label, and no '/'.
+            if (host.includes('/'))
+                continue;
+            // The host must END with the dot-anchored suffix AND have at least one
+            // character of label before the leading dot (so the apex itself is excluded).
+            if (host.length > wc.suffix.length && host.endsWith(wc.suffix)) {
+                return true;
+            }
+        }
+        return false;
+    }
+}
+/**
+ * Parses a `https://*.example.com`-style entry into `{scheme, suffix}`.
+ * Returns `null` for non-wildcard (exact) entries.
+ * Throws for malformed wildcards (`*` only, `https://*`, `https://*.`).
+ */
+function parseWildcard(entry) {
+    const star = entry.indexOf('*');
+    if (star === -1)
+        return null;
+    // Wildcard must be of the exact form `<scheme>://*.<suffix>`.
+    const marker = '://*.';
+    const markerAt = entry.indexOf(marker);
+    if (markerAt === -1) {
+        throw new Error(`IframeTransport: invalid wildcard origin "${entry}". ` +
+            'Wildcard entries must look like "https://*.example.com".');
+    }
+    const scheme = entry.slice(0, markerAt + 3); // include "://"
+    const bareSuffix = entry.slice(markerAt + marker.length); // after "://*."
+    if (!scheme || scheme === '://' || !bareSuffix) {
+        throw new Error(`IframeTransport: invalid wildcard origin "${entry}". ` +
+            'A wildcard needs a scheme and a non-empty domain suffix, e.g. "https://*.example.com".');
+    }
+    // Dot-anchor the suffix so `*.civitaic.com` only matches on a label boundary.
+    return { scheme, suffix: `.${bareSuffix}` };
+}
+//# sourceMappingURL=originMatcher.js.map

package/dist/internal/originMatcher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"originMatcher.js","sourceRoot":"","sources":["../../src/internal/originMatcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AASH,MAAM,OAAO,aAAa;IACP,KAAK,CAAsB;IAC3B,SAAS,CAA2B;IAErD,YAAY,oBAAuC;QACjD,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;QAChC,MAAM,SAAS,GAAoB,EAAE,CAAC;QAEtC,KAAK,MAAM,GAAG,IAAI,oBAAoB,EAAE,CAAC;YACvC,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;YACzB,IAAI,CAAC,KAAK;gBAAE,SAAS;YAErB,MAAM,QAAQ,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;YACtC,IAAI,QAAQ,EAAE,CAAC;gBACb,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC3B,CAAC;iBAAM,CAAC;gBACN,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YACnB,CAAC;QACH,CAAC;QAED,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED,6EAA6E;IAC7E,OAAO,CAAC,MAAc;QACpB,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;QAExC,KAAK,MAAM,EAAE,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAChC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,MAAM,CAAC;gBAAE,SAAS;YAC5C,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC5C,sEAAsE;YACtE,wEAAwE;YACxE,0EAA0E;YAC1E,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAAE,SAAS;YACjC,uEAAuE;YACvE,8EAA8E;YAC9E,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC/D,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAED;;;;GAIG;AACH,SAAS,aAAa,CAAC,KAAa;IAClC,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,IAAI,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAE7B,8DAA8D;IAC9D,MAAM,MAAM,GAAG,OAAO,CAAC;IACvB,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACvC,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CACb,6CAA6C,KAAK,KAAK;YACrD,0DAA0D,CAC7D,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,gBAAgB;IAC7D,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,gBAAgB;IAC1E,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,KAAK,IAAI,CAAC,UAAU,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CACb,6CAA6C,KAAK,KAAK;YACrD,wFAAwF,CAC3F,CAAC;IACJ,CAAC;IAED,8EAA8E;IAC9E,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,UAAU,EAAE,EAAE,CAAC;AAC9C,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@civitai/blocks-react",
-  "version": "0.5.1",
+  "version": "0.6.0",
   "description": "React hooks and iframe transport for Civitai App Blocks. Pairs with @civitai/app-sdk/blocks.",
   "license": "MIT",
   "type": "module",
@@ -24,14 +24,21 @@
     "dist",
     "README.md"
   ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  },
   "engines": {
     "node": ">=20"
   },
   "peerDependencies": {
-    "@civitai/app-sdk": "^0.7.0",
+    "@civitai/app-sdk": ">=0.7.0 <1",
     "react": "^18.0.0 || ^19.0.0"
   },
   "devDependencies": {
+    "@civitai/app-sdk": "workspace:^",
     "@testing-library/react": "^16.0.0",
     "@types/node": "^25.9.1",
     "@types/react": "^19.2.15",
@@ -39,8 +46,7 @@
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
     "typescript": "^5.9.2",
-    "vitest": "^4.1.7",
-    "@civitai/app-sdk": "^0.8.0"
+    "vitest": "^4.1.7"
   },
   "publishConfig": {
     "access": "public"
@@ -59,11 +65,5 @@
     "type": "git",
     "url": "git+https://github.com/civitai/civitai-app-starters.git",
     "directory": "packages/civitai-blocks-react"
-  },
-  "scripts": {
-    "build": "tsc -p tsconfig.json",
-    "typecheck": "tsc -p tsconfig.json --noEmit",
-    "test": "vitest run",
-    "test:watch": "vitest"
   }
-}
+}

package/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2026 Civitai
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.