@nativewindow/webview 1.0.5 → 1.0.6

package/dist/index.d.ts

@@ -1,5 +1,3 @@
-declare const checkRuntime: () => RuntimeInfo, ensureRuntime: () => RuntimeInfo, loadHtmlOrigin: () => string;
-export { checkRuntime, ensureRuntime, loadHtmlOrigin };
 /** Information about the native webview runtime. */
 export interface RuntimeInfo {
     /** Whether the webview runtime is available. */
@@ -9,6 +7,79 @@ export interface RuntimeInfo {
     /** The current platform: "macos", "windows", "linux", or "unsupported". */
     platform: "macos" | "windows" | "linux" | "unsupported";
 }
+/**
+ * Information about a cookie from the native cookie store.
+ * Includes `HttpOnly` cookies that are invisible to `document.cookie`.
+ */
+export interface CookieInfo {
+    /** Cookie name. */
+    name: string;
+    /** Cookie value. */
+    value: string;
+    /** Domain the cookie belongs to. */
+    domain: string;
+    /** Path the cookie is restricted to. */
+    path: string;
+    /** Whether the cookie is HttpOnly (inaccessible to JS). */
+    httpOnly: boolean;
+    /** Whether the cookie requires HTTPS. */
+    secure: boolean;
+    /** SameSite policy: "Strict", "Lax", "None", or null for unset. */
+    sameSite: string | null;
+    /** Expiry as Unix timestamp (seconds). Null for session cookies. */
+    expires: number | null;
+}
+/** @internal Constructor type for the raw native NativeWindow class. */
+interface NativeWindowConstructor {
+    new (options?: WindowOptions): NativeWindowInstance;
+}
+/** @internal Instance type for the raw native NativeWindow class. */
+interface NativeWindowInstance {
+    readonly id: number;
+    loadUrl(url: string): void;
+    loadHtml(html: string): void;
+    evaluateJs(script: string): void;
+    postMessage(message: string): void;
+    setTitle(title: string): void;
+    setSize(width: number, height: number): void;
+    setMinSize(width: number, height: number): void;
+    setMaxSize(width: number, height: number): void;
+    setPosition(x: number, y: number): void;
+    setResizable(resizable: boolean): void;
+    setDecorations(decorations: boolean): void;
+    setAlwaysOnTop(alwaysOnTop: boolean): void;
+    setIcon(path: string): void;
+    show(): void;
+    hide(): void;
+    close(): void;
+    focus(): void;
+    maximize(): void;
+    minimize(): void;
+    unmaximize(): void;
+    reload(): void;
+    onMessage(callback: (message: string, sourceUrl: string) => void): void;
+    onClose(callback: () => void): void;
+    onResize(callback: (width: number, height: number) => void): void;
+    onMove(callback: (x: number, y: number) => void): void;
+    onFocus(callback: () => void): void;
+    onBlur(callback: () => void): void;
+    onPageLoad(callback: (event: "started" | "finished", url: string) => void): void;
+    onTitleChanged(callback: (title: string) => void): void;
+    onReload(callback: () => void): void;
+    onNavigationBlocked(callback: (url: string) => void): void;
+    getCookies(url?: string): CookieInfo[];
+    clearCookies(host?: string): void;
+    openDevtools(): void;
+    closeDevtools(): void;
+    isDevtoolsOpen(): boolean;
+}
+/**
+ * Options for creating a new native window.
+ *
+ * Security: When loading untrusted content, use the `csp` field to restrict
+ * what the page can do. Without a CSP, loaded content can execute inline
+ * scripts and load resources from any origin.
+ */
 export interface WindowOptions {
     /** Window title. Default: "" */
     title?: string;
@@ -124,267 +195,58 @@ export interface WindowOptions {
      */
     incognito?: boolean;
 }
+/** {@inheritDoc RuntimeInfo} */
+export declare const checkRuntime: () => RuntimeInfo;
+/** {@inheritDoc RuntimeInfo} */
+export declare const ensureRuntime: () => RuntimeInfo;
 /**
- * Operations that execute arbitrary code in the webview context.
- * Grouped under {@link NativeWindow.unsafe} to signal injection risk.
+ * Returns the origin of pages loaded via `loadHtml()`.
+ *
+ * This is the origin string to use in `trustedOrigins` when restricting
+ * IPC messages to only accept messages from `loadHtml()` content.
  *
- * @security Never pass unsanitized user input to these methods.
- * Use {@link sanitizeForJs} to escape strings before embedding them in
- * script code.
+ * - macOS/Linux: `"nativewindow://localhost"`
+ * - Windows: `"https://nativewindow.localhost"`
  */
-export interface UnsafeNamespace {
-    /**
-     * Evaluate arbitrary JavaScript in the webview context.
-     * Fire-and-forget — there is no return value.
-     * Use `postMessage`/`onMessage` to send results back.
-     *
-     * @security **Injection risk.** Never pass unsanitized user input directly.
-     * Use {@link sanitizeForJs} to escape strings before embedding them in
-     * script code.
-     */
-    evaluateJs(script: string): void;
-}
+export declare const loadHtmlOrigin: () => string;
 /**
- * Control the browser devtools panel for this window's webview.
- * Grouped under {@link NativeWindow.devtools} for discoverability.
+ * Escape a string for safe embedding inside a JavaScript string literal.
+ * Handles backslashes, double quotes, newlines, carriage returns, null
+ * bytes, closing `</script>` tags, Unicode line/paragraph separators
+ * (U+2028, U+2029), backticks, and `${` template expressions.
  *
- * Requires `devtools: true` in {@link WindowOptions} at window creation.
+ * Safe for use in double-quoted, single-quoted, and template literal
+ * contexts.
  *
  * @example
  * ```ts
- * const win = new NativeWindow({ devtools: true });
- * win.devtools.open();
- * console.log(win.devtools.isOpen()); // true
- * win.devtools.close();
- * ```
- */
-export interface DevtoolsNamespace {
-    /** Open the browser devtools panel. */
-    open(): void;
-    /** Close the browser devtools panel. */
-    close(): void;
-    /** Check whether the devtools panel is currently open. */
-    isOpen(): boolean;
-}
-/**
- * Information about a cookie from the native cookie store.
- * Includes `HttpOnly` cookies that are invisible to `document.cookie`.
+ * import { NativeWindow, sanitizeForJs } from "@nativewindow/webview";
  *
- * @example
- * ```ts
- * win.onCookies((cookies) => {
- *   for (const c of cookies) {
- *     console.log(c.name, c.value, c.httpOnly);
- *   }
- * });
- * win.getCookies("https://example.com");
+ * const userInput = 'He said "hello"\n<script>alert(1)</script>';
+ * win.evaluateJs(`display("${sanitizeForJs(userInput)}")`);
  * ```
  */
-export interface CookieInfo {
-    /** Cookie name. */
-    name: string;
-    /** Cookie value. */
-    value: string;
-    /** Domain the cookie belongs to. */
-    domain: string;
-    /** Path the cookie is restricted to. */
-    path: string;
-    /** Whether the cookie is HttpOnly (inaccessible to JS). */
-    httpOnly: boolean;
-    /** Whether the cookie requires HTTPS. */
-    secure: boolean;
-    /** SameSite policy: "none", "lax", or "strict". */
-    sameSite: string;
-    /** Expiry as Unix timestamp (seconds). -1 for session cookies. */
-    expires: number;
-}
+export declare const sanitizeForJs: (input: string) => string;
 /**
  * A native OS window with an embedded webview.
  *
  * Automatically initializes the native subsystem and starts pumping
  * events on first construction. Stops the pump when all windows close.
- */
-export declare class NativeWindow {
-    /** @internal */
-    private _native;
-    /** @internal */
-    private _closed;
-    /** @internal */
-    private _unsafe?;
-    /** @internal */
-    private _devtools?;
-    constructor(options?: WindowOptions);
-    /** @internal */
-    private _handleClose;
-    /**
-     * Throws if the window has been closed.
-     * @internal
-     */
-    private _ensureOpen;
-    private _userCloseCallback?;
-    /**
-     * Register a handler for the window close event.
-     * The pump is automatically stopped when all windows are closed.
-     *
-     * Calling this multiple times replaces the previous handler.
-     */
-    onClose(callback: () => void): void;
-    /** Unique window ID */
-    get id(): number;
-    loadUrl(url: string): void;
-    /**
-     * Load raw HTML content into the webview.
-     *
-     * @security **Injection risk.** Never interpolate unsanitized user input
-     * into HTML strings. Use a dedicated sanitization library such as
-     * [DOMPurify](https://github.com/cure53/DOMPurify) or
-     * [sanitize-html](https://github.com/apostrophecms/sanitize-html) to
-     * sanitize untrusted content before embedding it.
-     */
-    loadHtml(html: string): void;
-    postMessage(message: string): void;
-    /**
-     * Namespace for operations that require extra care to avoid injection risks.
-     * Methods under `unsafe` execute arbitrary code in the webview context.
-     *
-     * @security Never pass unsanitized user input to these methods.
-     * Use {@link sanitizeForJs} to escape strings before embedding them in
-     * script code.
-     */
-    get unsafe(): UnsafeNamespace;
-    /**
-     * Namespace for controlling the browser devtools panel.
-     * Requires `devtools: true` in {@link WindowOptions} at window creation.
-     *
-     * @example
-     * ```ts
-     * const win = new NativeWindow({ devtools: true });
-     * win.devtools.open();
-     * console.log(win.devtools.isOpen()); // true
-     * win.devtools.close();
-     * ```
-     */
-    get devtools(): DevtoolsNamespace;
-    setTitle(title: string): void;
-    setSize(width: number, height: number): void;
-    setMinSize(width: number, height: number): void;
-    setMaxSize(width: number, height: number): void;
-    setPosition(x: number, y: number): void;
-    setResizable(resizable: boolean): void;
-    setDecorations(decorations: boolean): void;
-    setAlwaysOnTop(alwaysOnTop: boolean): void;
-    /**
-     * Set the window icon from a PNG or ICO file path.
-     * On macOS this is silently ignored (macOS doesn't support per-window icons).
-     * Relative paths resolve from the working directory.
-     */
-    setIcon(path: string): void;
-    show(): void;
-    hide(): void;
-    close(): void;
-    focus(): void;
-    maximize(): void;
-    minimize(): void;
-    unmaximize(): void;
-    reload(): void;
-    /**
-     * Register a handler for messages from the webview.
-     *
-     * @security **No origin filtering.** The raw `onMessage` API does not
-     * enforce origin restrictions. If your webview navigates to untrusted
-     * URLs, validate the `sourceUrl` parameter before processing messages.
-     * For automatic origin filtering, use `createChannel()` with the
-     * `trustedOrigins` option from `native-window-ipc`.
-     *
-     * @security **No rate limiting.** Messages from the webview are delivered
-     * without throttling. A malicious page can flood the host with messages.
-     * Consider implementing application-level rate limiting if loading
-     * untrusted content.
-     */
-    onMessage(callback: (message: string, sourceUrl: string) => void): void;
-    onResize(callback: (width: number, height: number) => void): void;
-    onMove(callback: (x: number, y: number) => void): void;
-    onFocus(callback: () => void): void;
-    onBlur(callback: () => void): void;
-    onPageLoad(callback: (event: "started" | "finished", url: string) => void): void;
-    onTitleChanged(callback: (title: string) => void): void;
-    onReload(callback: () => void): void;
-    /**
-     * Register a handler for blocked navigation events.
-     * Fired when a navigation is blocked by the {@link WindowOptions.allowedHosts}
-     * restriction. Receives the URL that was blocked.
-     *
-     * @example
-     * ```ts
-     * win.onNavigationBlocked((url) => {
-     *   console.log("Blocked navigation to:", url);
-     * });
-     * ```
-     */
-    onNavigationBlocked(callback: (url: string) => void): void;
-    /**
-     * Validate and parse a raw cookies JSON array from the native layer.
-     * Returns a cleaned {@link CookieInfo} array or `null` if the payload
-     * is malformed.
-     *
-     * @internal
-     */
-    private _validateCookies;
-    /**
-     * Query cookies from the native cookie store.
-     *
-     * Returns a Promise that resolves with validated {@link CookieInfo} objects,
-     * including `HttpOnly` cookies that are invisible to `document.cookie`.
-     *
-     * - **macOS**: Uses `WKHTTPCookieStore.getAllCookies` with client-side
-     *   URL filtering (domain + path match).
-     * - **Windows**: Uses `ICoreWebView2CookieManager.GetCookies` which
-     *   filters by URI natively.
-     *
-     * @param url  If provided, only cookies matching this URL are returned.
-     *             If omitted, all cookies in the webview's cookie store are returned.
-     *
-     * @example
-     * ```ts
-     * const cookies = await win.getCookies("https://example.com");
-     * const session = cookies.find((c) => c.name === "session_id");
-     * if (session) console.log("Session:", session.value, "HttpOnly:", session.httpOnly);
-     * ```
-     */
-    getCookies(url?: string): Promise<CookieInfo[]>;
-    /**
-     * Clear cookies from the native cookie store.
-     *
-     * - If `host` is provided, only cookies whose domain matches that host
-     *   are deleted (e.g. `"example.com"` deletes `.example.com` cookies).
-     * - If omitted, all cookies in the webview's cookie store are cleared.
-     *
-     * @example
-     * ```ts
-     * // Clear all cookies
-     * win.clearCookies();
-     *
-     * // Clear cookies for a specific host
-     * win.clearCookies("example.com");
-     * ```
-     */
-    clearCookies(host?: string): void;
-}
-/**
- * Escape a string for safe embedding inside a JavaScript string literal.
- * Handles backslashes, double quotes, newlines, carriage returns, null
- * bytes, closing `</script>` tags, Unicode line/paragraph separators
- * (U+2028, U+2029), backticks, and `${` template expressions.
  *
- * Safe for use in double-quoted, single-quoted, and template literal
- * contexts.
+ * All methods throw `"Window is closed"` if called after `close()`.
  *
  * @example
  * ```ts
- * import { NativeWindow, sanitizeForJs } from "native-window";
+ * import { NativeWindow } from "@nativewindow/webview";
  *
- * const userInput = 'He said "hello"\n<script>alert(1)</script>';
- * win.unsafe.evaluateJs(`display("${sanitizeForJs(userInput)}")`);
+ * const win = new NativeWindow({ title: "Hello", width: 800, height: 600 });
+ * win.loadUrl("https://example.com");
+ * win.onClose(() => console.log("Window closed"));
  * ```
  */
-export declare function sanitizeForJs(input: string): string;
+export declare const NativeWindow: NativeWindowConstructor;
+/**
+ * Instance type for {@link NativeWindow}.
+ */
+export type NativeWindow = InstanceType<typeof NativeWindow>;
+export {};

package/dist/index.js

@@ -1,5 +1,5 @@
 import { createRequire } from "node:module";
-//#region index.ts
+//#region src/index.ts
 var _require = createRequire(import.meta.url);
 var _platforms = {
 	"darwin-arm64": {
@@ -27,9 +27,6 @@ var _platforms = {
 		file: "native-window.linux-arm64-gnu.node"
 	}
 };
-var _platformKey = `${process.platform}-${process.arch}`;
-var _entry = _platforms[_platformKey];
-if (!_entry) throw new Error(`Unsupported platform: ${_platformKey}`);
 function _tryRequire(id) {
 	try {
 		return _require(id);
@@ -37,377 +34,25 @@ function _tryRequire(id) {
 		return null;
 	}
 }
-var _nativeBinding = _tryRequire(`./${_entry.file}`) ?? _tryRequire(`../${_entry.file}`) ?? _tryRequire(_entry.pkg);
+var _platformKey = `${process.platform}-${process.arch}`;
+var _entry = _platforms[_platformKey];
+if (!_entry) throw new Error(`Unsupported platform: ${_platformKey}`);
+var _nativeBinding = _tryRequire(`../${_entry.file}`) ?? _tryRequire(_entry.pkg);
 if (!_nativeBinding) throw new Error(`Failed to load native binding for platform: ${_platformKey}. Ensure the correct platform package is installed or the .node file exists.`);
-var { NativeWindow: _NativeWindow, init, pumpEvents, checkRuntime, ensureRuntime, loadHtmlOrigin } = _nativeBinding;
-var _pump = null;
-var _windowCount = 0;
-function ensureInit() {
-	if (_pump) return;
-	init();
-	_pump = setInterval(() => {
-		try {
-			pumpEvents();
-		} catch (e) {
-			console.error("[native-window] pumpEvents() error:", e);
-		}
-	}, 16);
-}
-function stopPump() {
-	if (_pump) {
-		clearInterval(_pump);
-		_pump = null;
-	}
-}
+/** {@inheritDoc RuntimeInfo} */
+var checkRuntime = _nativeBinding.checkRuntime;
+/** {@inheritDoc RuntimeInfo} */
+var ensureRuntime = _nativeBinding.ensureRuntime;
 /**
-* A native OS window with an embedded webview.
+* Returns the origin of pages loaded via `loadHtml()`.
 *
-* Automatically initializes the native subsystem and starts pumping
-* events on first construction. Stops the pump when all windows close.
+* This is the origin string to use in `trustedOrigins` when restricting
+* IPC messages to only accept messages from `loadHtml()` content.
+*
+* - macOS/Linux: `"nativewindow://localhost"`
+* - Windows: `"https://nativewindow.localhost"`
 */
-var NativeWindow = class {
-	/** @internal */
-	_native;
-	/** @internal */
-	_closed = false;
-	/** @internal */
-	_unsafe;
-	/** @internal */
-	_devtools;
-	constructor(options) {
-		ensureInit();
-		_windowCount++;
-		this._native = new _NativeWindow(options);
-		this._native.onClose(() => this._handleClose());
-	}
-	/** @internal */
-	_handleClose() {
-		if (this._closed) return;
-		this._closed = true;
-		_windowCount--;
-		this._userCloseCallback?.();
-		if (_windowCount <= 0) {
-			_windowCount = 0;
-			setTimeout(() => stopPump(), 200);
-		}
-	}
-	/**
-	* Throws if the window has been closed.
-	* @internal
-	*/
-	_ensureOpen() {
-		if (this._closed) throw new Error("Window is closed");
-	}
-	_userCloseCallback;
-	/**
-	* Register a handler for the window close event.
-	* The pump is automatically stopped when all windows are closed.
-	*
-	* Calling this multiple times replaces the previous handler.
-	*/
-	onClose(callback) {
-		if (this._userCloseCallback) console.warn("NativeWindow: onClose() called multiple times. The previous handler will be replaced.");
-		this._userCloseCallback = callback;
-	}
-	/** Unique window ID */
-	get id() {
-		return this._native.id;
-	}
-	loadUrl(url) {
-		this._ensureOpen();
-		this._native.loadUrl(url);
-	}
-	/**
-	* Load raw HTML content into the webview.
-	*
-	* @security **Injection risk.** Never interpolate unsanitized user input
-	* into HTML strings. Use a dedicated sanitization library such as
-	* [DOMPurify](https://github.com/cure53/DOMPurify) or
-	* [sanitize-html](https://github.com/apostrophecms/sanitize-html) to
-	* sanitize untrusted content before embedding it.
-	*/
-	loadHtml(html) {
-		this._ensureOpen();
-		this._native.loadHtml(html);
-	}
-	postMessage(message) {
-		this._ensureOpen();
-		this._native.postMessage(message);
-	}
-	/**
-	* Namespace for operations that require extra care to avoid injection risks.
-	* Methods under `unsafe` execute arbitrary code in the webview context.
-	*
-	* @security Never pass unsanitized user input to these methods.
-	* Use {@link sanitizeForJs} to escape strings before embedding them in
-	* script code.
-	*/
-	get unsafe() {
-		this._ensureOpen();
-		if (!this._unsafe) this._unsafe = { evaluateJs: (script) => {
-			this._ensureOpen();
-			this._native.evaluateJs(script);
-		} };
-		return this._unsafe;
-	}
-	/**
-	* Namespace for controlling the browser devtools panel.
-	* Requires `devtools: true` in {@link WindowOptions} at window creation.
-	*
-	* @example
-	* ```ts
-	* const win = new NativeWindow({ devtools: true });
-	* win.devtools.open();
-	* console.log(win.devtools.isOpen()); // true
-	* win.devtools.close();
-	* ```
-	*/
-	get devtools() {
-		this._ensureOpen();
-		if (!this._devtools) this._devtools = {
-			open: () => {
-				this._ensureOpen();
-				this._native.openDevtools();
-			},
-			close: () => {
-				this._ensureOpen();
-				this._native.closeDevtools();
-			},
-			isOpen: () => {
-				this._ensureOpen();
-				return this._native.isDevtoolsOpen();
-			}
-		};
-		return this._devtools;
-	}
-	setTitle(title) {
-		this._ensureOpen();
-		this._native.setTitle(title);
-	}
-	setSize(width, height) {
-		this._ensureOpen();
-		this._native.setSize(width, height);
-	}
-	setMinSize(width, height) {
-		this._ensureOpen();
-		this._native.setMinSize(width, height);
-	}
-	setMaxSize(width, height) {
-		this._ensureOpen();
-		this._native.setMaxSize(width, height);
-	}
-	setPosition(x, y) {
-		this._ensureOpen();
-		this._native.setPosition(x, y);
-	}
-	setResizable(resizable) {
-		this._ensureOpen();
-		this._native.setResizable(resizable);
-	}
-	setDecorations(decorations) {
-		this._ensureOpen();
-		this._native.setDecorations(decorations);
-	}
-	setAlwaysOnTop(alwaysOnTop) {
-		this._ensureOpen();
-		this._native.setAlwaysOnTop(alwaysOnTop);
-	}
-	/**
-	* Set the window icon from a PNG or ICO file path.
-	* On macOS this is silently ignored (macOS doesn't support per-window icons).
-	* Relative paths resolve from the working directory.
-	*/
-	setIcon(path) {
-		this._ensureOpen();
-		this._native.setIcon(path);
-	}
-	show() {
-		this._ensureOpen();
-		this._native.show();
-	}
-	hide() {
-		this._ensureOpen();
-		this._native.hide();
-	}
-	close() {
-		this._ensureOpen();
-		this._native.close();
-	}
-	focus() {
-		this._ensureOpen();
-		this._native.focus();
-	}
-	maximize() {
-		this._ensureOpen();
-		this._native.maximize();
-	}
-	minimize() {
-		this._ensureOpen();
-		this._native.minimize();
-	}
-	unmaximize() {
-		this._ensureOpen();
-		this._native.unmaximize();
-	}
-	reload() {
-		this._ensureOpen();
-		this._native.reload();
-	}
-	/**
-	* Register a handler for messages from the webview.
-	*
-	* @security **No origin filtering.** The raw `onMessage` API does not
-	* enforce origin restrictions. If your webview navigates to untrusted
-	* URLs, validate the `sourceUrl` parameter before processing messages.
-	* For automatic origin filtering, use `createChannel()` with the
-	* `trustedOrigins` option from `native-window-ipc`.
-	*
-	* @security **No rate limiting.** Messages from the webview are delivered
-	* without throttling. A malicious page can flood the host with messages.
-	* Consider implementing application-level rate limiting if loading
-	* untrusted content.
-	*/
-	onMessage(callback) {
-		this._ensureOpen();
-		this._native.onMessage(callback);
-	}
-	onResize(callback) {
-		this._ensureOpen();
-		this._native.onResize(callback);
-	}
-	onMove(callback) {
-		this._ensureOpen();
-		this._native.onMove(callback);
-	}
-	onFocus(callback) {
-		this._ensureOpen();
-		this._native.onFocus(callback);
-	}
-	onBlur(callback) {
-		this._ensureOpen();
-		this._native.onBlur(callback);
-	}
-	onPageLoad(callback) {
-		this._ensureOpen();
-		this._native.onPageLoad(callback);
-	}
-	onTitleChanged(callback) {
-		this._ensureOpen();
-		this._native.onTitleChanged(callback);
-	}
-	onReload(callback) {
-		this._ensureOpen();
-		this._native.onReload(callback);
-	}
-	/**
-	* Register a handler for blocked navigation events.
-	* Fired when a navigation is blocked by the {@link WindowOptions.allowedHosts}
-	* restriction. Receives the URL that was blocked.
-	*
-	* @example
-	* ```ts
-	* win.onNavigationBlocked((url) => {
-	*   console.log("Blocked navigation to:", url);
-	* });
-	* ```
-	*/
-	onNavigationBlocked(callback) {
-		this._ensureOpen();
-		this._native.onNavigationBlocked(callback);
-	}
-	/**
-	* Validate and parse a raw cookies JSON array from the native layer.
-	* Returns a cleaned {@link CookieInfo} array or `null` if the payload
-	* is malformed.
-	*
-	* @internal
-	*/
-	_validateCookies(raw) {
-		let parsed;
-		try {
-			parsed = JSON.parse(raw);
-		} catch {
-			return null;
-		}
-		if (!Array.isArray(parsed)) return null;
-		const cookies = [];
-		for (const item of parsed) {
-			if (typeof item !== "object" || item === null) continue;
-			const obj = item;
-			if (typeof obj.name !== "string" || typeof obj.value !== "string") continue;
-			if (typeof obj.domain !== "string" || typeof obj.path !== "string") continue;
-			if (typeof obj.httpOnly !== "boolean" || typeof obj.secure !== "boolean") continue;
-			if (typeof obj.sameSite !== "string" || typeof obj.expires !== "number") continue;
-			cookies.push({
-				name: obj.name,
-				value: obj.value,
-				domain: obj.domain,
-				path: obj.path,
-				httpOnly: obj.httpOnly,
-				secure: obj.secure,
-				sameSite: obj.sameSite,
-				expires: obj.expires
-			});
-		}
-		return cookies;
-	}
-	/**
-	* Query cookies from the native cookie store.
-	*
-	* Returns a Promise that resolves with validated {@link CookieInfo} objects,
-	* including `HttpOnly` cookies that are invisible to `document.cookie`.
-	*
-	* - **macOS**: Uses `WKHTTPCookieStore.getAllCookies` with client-side
-	*   URL filtering (domain + path match).
-	* - **Windows**: Uses `ICoreWebView2CookieManager.GetCookies` which
-	*   filters by URI natively.
-	*
-	* @param url  If provided, only cookies matching this URL are returned.
-	*             If omitted, all cookies in the webview's cookie store are returned.
-	*
-	* @example
-	* ```ts
-	* const cookies = await win.getCookies("https://example.com");
-	* const session = cookies.find((c) => c.name === "session_id");
-	* if (session) console.log("Session:", session.value, "HttpOnly:", session.httpOnly);
-	* ```
-	*/
-	getCookies(url) {
-		this._ensureOpen();
-		return new Promise((resolve, reject) => {
-			const timeout = setTimeout(() => {
-				reject(/* @__PURE__ */ new Error("getCookies() timed out after 10 seconds"));
-			}, 1e4);
-			this._native.onCookies((raw) => {
-				clearTimeout(timeout);
-				const validated = this._validateCookies(raw);
-				if (validated) resolve(validated);
-				else reject(/* @__PURE__ */ new Error("Failed to parse cookie response"));
-			});
-			this._native.getCookies(url);
-		});
-	}
-	/**
-	* Clear cookies from the native cookie store.
-	*
-	* - If `host` is provided, only cookies whose domain matches that host
-	*   are deleted (e.g. `"example.com"` deletes `.example.com` cookies).
-	* - If omitted, all cookies in the webview's cookie store are cleared.
-	*
-	* @example
-	* ```ts
-	* // Clear all cookies
-	* win.clearCookies();
-	*
-	* // Clear cookies for a specific host
-	* win.clearCookies("example.com");
-	* ```
-	*/
-	clearCookies(host) {
-		this._ensureOpen();
-		this._native.clearCookies(host);
-	}
-};
+var loadHtmlOrigin = _nativeBinding.loadHtmlOrigin;
 /**
 * Escape a string for safe embedding inside a JavaScript string literal.
 * Handles backslashes, double quotes, newlines, carriage returns, null
@@ -419,14 +64,30 @@ var NativeWindow = class {
 *
 * @example
 * ```ts
-* import { NativeWindow, sanitizeForJs } from "native-window";
+* import { NativeWindow, sanitizeForJs } from "@nativewindow/webview";
 *
 * const userInput = 'He said "hello"\n<script>alert(1)<\/script>';
-* win.unsafe.evaluateJs(`display("${sanitizeForJs(userInput)}")`);
+* win.evaluateJs(`display("${sanitizeForJs(userInput)}")`);
 * ```
 */
-function sanitizeForJs(input) {
-	return JSON.stringify(input).slice(1, -1).replace(/<\/script>/gi, "<\\/script>").replace(/`/g, "\\`").replace(/\$\{/g, "\\${");
-}
+var sanitizeForJs = _nativeBinding.sanitizeForJs;
+/**
+* A native OS window with an embedded webview.
+*
+* Automatically initializes the native subsystem and starts pumping
+* events on first construction. Stops the pump when all windows close.
+*
+* All methods throw `"Window is closed"` if called after `close()`.
+*
+* @example
+* ```ts
+* import { NativeWindow } from "@nativewindow/webview";
+*
+* const win = new NativeWindow({ title: "Hello", width: 800, height: 600 });
+* win.loadUrl("https://example.com");
+* win.onClose(() => console.log("Window closed"));
+* ```
+*/
+var NativeWindow = _nativeBinding.NativeWindow;
 //#endregion
 export { NativeWindow, checkRuntime, ensureRuntime, loadHtmlOrigin, sanitizeForJs };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nativewindow/webview",
-  "version": "1.0.5",
+  "version": "1.0.6",
   "description": "Native OS webview windows for Bun & Node.js (beta)",
   "homepage": "https://nativewindow.fcannizzaro.com",
   "bugs": {
@@ -37,8 +37,8 @@
     }
   },
   "scripts": {
-    "build": "napi build --release --platform && vite build",
-    "build:debug": "napi build --platform && vite build",
+    "build": "napi build --release --platform --no-js && rm -f index.d.ts && vite build",
+    "build:debug": "napi build --platform --no-js && rm -f index.d.ts && vite build",
     "build:ts": "vite build",
     "version": "napi version",
     "fuzz": "cargo +nightly fuzz list --fuzz-dir fuzz",
@@ -60,12 +60,12 @@
     "typescript": "^6.0.2"
   },
   "optionalDependencies": {
-    "@nativewindow/webview-darwin-arm64": "1.0.5",
-    "@nativewindow/webview-darwin-x64": "1.0.5",
-    "@nativewindow/webview-linux-arm64-gnu": "1.0.5",
-    "@nativewindow/webview-linux-x64-gnu": "1.0.5",
-    "@nativewindow/webview-win32-arm64-msvc": "1.0.5",
-    "@nativewindow/webview-win32-x64-msvc": "1.0.5"
+    "@nativewindow/webview-darwin-arm64": "1.0.6",
+    "@nativewindow/webview-darwin-x64": "1.0.6",
+    "@nativewindow/webview-linux-arm64-gnu": "1.0.6",
+    "@nativewindow/webview-linux-x64-gnu": "1.0.6",
+    "@nativewindow/webview-win32-arm64-msvc": "1.0.6",
+    "@nativewindow/webview-win32-x64-msvc": "1.0.6"
   },
   "napi": {
     "binaryName": "native-window",