@nowline/embed 0.2.5 → 0.4.1

package/dist/pipeline.d.ts

@@ -1,5 +1,5 @@
-import { type NowlineFile } from '@nowline/core';
-import { type ThemeName } from '@nowline/layout';
+import { type ParseResult } from '@nowline/browser';
+import type { ThemeName } from '@nowline/layout';
 export interface EmbedRenderOptions {
     theme?: ThemeName;
     today?: Date;
@@ -14,7 +14,7 @@ export interface EmbedRenderOptions {
     idPrefix?: string;
 }
 export interface EmbedParseResult {
-    ast: NowlineFile;
+    ast: ParseResult['ast'];
     /** Lexer + parser + Langium validation diagnostics, normalized to strings. */
     errors: string[];
 }

package/dist/pipeline.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../src/pipeline.ts"],"names":[],"mappings":"AAOA,OAAO,EAEH,KAAK,WAAW,EAGnB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAiB,KAAK,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAKhE,MAAM,WAAW,kBAAkB;IAC/B,KAAK,CAAC,EAAE,SAAS,CAAC;IAClB,KAAK,CAAC,EAAE,IAAI,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,gBAAgB;IAC7B,GAAG,EAAE,WAAW,CAAC;IACjB,8EAA8E;IAC9E,MAAM,EAAE,MAAM,EAAE,CAAC;CACpB;AAoBD,wBAAsB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAa3E;AAED,wBAAsB,YAAY,CAC9B,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,kBAAuB,GACjC,OAAO,CAAC,MAAM,CAAC,CAiDjB;AAED,qBAAa,gBAAiB,SAAQ,KAAK;aAGnB,OAAO,EAAE,MAAM,EAAE;gBADjC,OAAO,EAAE,MAAM,EACC,OAAO,EAAE,MAAM,EAAE;CAKxC;AAKD,wBAAgB,4BAA4B,IAAI,IAAI,CAInD"}
+{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../src/pipeline.ts"],"names":[],"mappings":"AAcA,OAAO,EAMH,KAAK,WAAW,EACnB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAIjD,MAAM,WAAW,kBAAkB;IAC/B,KAAK,CAAC,EAAE,SAAS,CAAC;IAClB,KAAK,CAAC,EAAE,IAAI,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,gBAAgB;IAC7B,GAAG,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC;IACxB,8EAA8E;IAC9E,MAAM,EAAE,MAAM,EAAE,CAAC;CACpB;AAID,wBAAsB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAU3E;AAED,wBAAsB,YAAY,CAC9B,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,kBAAuB,GACjC,OAAO,CAAC,MAAM,CAAC,CAwBjB;AAED,qBAAa,gBAAiB,SAAQ,KAAK;aAGnB,OAAO,EAAE,MAAM,EAAE;gBADjC,OAAO,EAAE,MAAM,EACC,OAAO,EAAE,MAAM,EAAE;CAKxC;AAKD,wBAAgB,4BAA4B,IAAI,IAAI,CAGnD"}

package/dist/pipeline.js

@@ -1,79 +1,51 @@
-// Render pipeline shared by `nowline.render(source)` and the auto-scan
-// path. Mirrors the shape of `packages/vscode-extension/src/preview/
-// render-pipeline.ts` but stripped of every Node-only dependency: no
-// `fs`, no `path`, no asset resolver. Includes are resolved against a
-// no-op `readFile` so a file containing `include "./other.nowline"`
-// renders the parts that survive without a network fetch.
-import { createNowlineServices, resolveIncludes, } from '@nowline/core';
-import { layoutRoadmap } from '@nowline/layout';
-import { renderSvg } from '@nowline/renderer';
-import { URI } from 'langium';
-import { isNoOpIncludeDiagnosticMessage, noOpIncludeReadFile } from './no-op-include-resolver.js';
-let cachedServices;
-let docCounter = 0;
+// Thin shim around `@nowline/browser`'s pipeline. The browser package
+// owns parse / resolveIncludes / layout / render; the embed layers two
+// embed-specific behaviours on top:
+//
+//  - Throws `EmbedRenderError` on failure instead of returning a
+//    discriminated union. The Mermaid-compatible `nowline.render(source)`
+//    surface promises a string; throwing matches the documented v1
+//    contract and keeps the auto-scan path's per-block error handling
+//    simple.
+//  - Latches a once-per-page-load `console.warn` the first time an
+//    `include` directive is encountered. The browser pipeline emits a
+//    structured callback for each skip; the embed converts that into a
+//    single, deduped user-visible message.
+import { __resetBrowserPipelineForTests, parseSource as browserParseSource, renderSource as browserRenderSource, } from '@nowline/browser';
+const EMBED_SOURCE_PATH = '/embed.nowline';
 let includeWarningEmitted = false;
-function getServices() {
-    if (!cachedServices)
-        cachedServices = createNowlineServices();
-    return cachedServices;
-}
-function freshUri() {
-    return URI.parse(`memory:///nowline-embed-${++docCounter}.nowline`);
-}
 export async function parseSource(source) {
-    const services = getServices();
-    const docFactory = services.shared.workspace.LangiumDocumentFactory;
-    const doc = docFactory.fromString(source, freshUri());
-    await services.shared.workspace.DocumentBuilder.build([doc], { validation: true });
-    const errors = [];
-    for (const e of doc.parseResult.lexerErrors)
-        errors.push(e.message);
-    for (const e of doc.parseResult.parserErrors)
-        errors.push(e.message);
-    for (const d of doc.diagnostics ?? []) {
-        if (d.severity === 1)
-            errors.push(d.message);
-    }
-    return { ast: doc.parseResult.value, errors };
+    const { ast, diagnostics } = await browserParseSource(source, {
+        filePath: EMBED_SOURCE_PATH,
+    });
+    return {
+        ast,
+        errors: diagnostics
+            .filter((d) => d.severity === 'error')
+            .map((d) => d.message),
+    };
 }
 export async function renderSource(source, options = {}) {
-    const parsed = await parseSource(source);
-    if (parsed.errors.length > 0) {
-        throw new EmbedRenderError(`Failed to parse Nowline source: ${parsed.errors.join('; ')}`, parsed.errors);
-    }
-    const services = getServices();
-    const resolved = await resolveIncludes(parsed.ast, '/embed.nowline', {
-        services: services.Nowline,
-        readFile: noOpIncludeReadFile,
-    });
-    let sawIncludeWarning = false;
-    const blockingErrors = [];
-    for (const diag of resolved.diagnostics) {
-        if (diag.severity !== 'error')
-            continue;
-        if (isNoOpIncludeDiagnosticMessage(diag.message)) {
-            sawIncludeWarning = true;
-            continue;
-        }
-        blockingErrors.push(diag.message);
-    }
-    if (blockingErrors.length > 0) {
-        throw new EmbedRenderError(`Failed to resolve Nowline source: ${blockingErrors.join('; ')}`, blockingErrors);
-    }
-    if (sawIncludeWarning && !includeWarningEmitted) {
-        includeWarningEmitted = true;
-        console.warn('nowline: `include` directives are skipped in the browser embed (single-file mode). ' +
-            'Render multi-file roadmaps with the CLI or the GitHub Action.');
-    }
-    const model = layoutRoadmap(parsed.ast, resolved, {
+    const browserOptions = {
+        filePath: EMBED_SOURCE_PATH,
         theme: options.theme,
         today: options.today,
         locale: options.locale,
         width: options.width,
-    });
-    return renderSvg(model, {
         idPrefix: options.idPrefix,
-    });
+        onSkippedInclude: () => {
+            if (!includeWarningEmitted) {
+                includeWarningEmitted = true;
+                console.warn('nowline: `include` directives are skipped in the browser embed (single-file mode). ' +
+                    'Render multi-file roadmaps with the CLI or the GitHub Action.');
+            }
+        },
+    };
+    const result = await browserRenderSource(source, browserOptions);
+    if (result.kind === 'svg')
+        return result.svg;
+    const messages = result.diagnostics.filter((d) => d.severity === 'error').map((d) => d.message);
+    throw new EmbedRenderError(`Failed to render Nowline source: ${messages.join('; ')}`, messages);
 }
 export class EmbedRenderError extends Error {
     details;
@@ -88,7 +60,6 @@ export class EmbedRenderError extends Error {
 // reset the latch between cases.
 export function __resetEmbedPipelineForTests() {
     includeWarningEmitted = false;
-    cachedServices = undefined;
-    docCounter = 0;
+    __resetBrowserPipelineForTests();
 }
 //# sourceMappingURL=pipeline.js.map

package/dist/pipeline.js.map

@@ -1 +1 @@
-{"version":3,"file":"pipeline.js","sourceRoot":"","sources":["../src/pipeline.ts"],"names":[],"mappings":"AAAA,uEAAuE;AACvE,qEAAqE;AACrE,qEAAqE;AACrE,sEAAsE;AACtE,oEAAoE;AACpE,0DAA0D;AAE1D,OAAO,EACH,qBAAqB,EAGrB,eAAe,GAClB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,aAAa,EAAkB,MAAM,iBAAiB,CAAC;AAChE,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,GAAG,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,8BAA8B,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AA2BlG,IAAI,cAA0C,CAAC;AAC/C,IAAI,UAAU,GAAG,CAAC,CAAC;AACnB,IAAI,qBAAqB,GAAG,KAAK,CAAC;AAElC,SAAS,WAAW;IAChB,IAAI,CAAC,cAAc;QAAE,cAAc,GAAG,qBAAqB,EAAE,CAAC;IAC9D,OAAO,cAAc,CAAC;AAC1B,CAAC;AAED,SAAS,QAAQ;IACb,OAAO,GAAG,CAAC,KAAK,CAAC,2BAA2B,EAAE,UAAU,UAAU,CAAC,CAAC;AACxE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,MAAc;IAC5C,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;IAC/B,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,sBAAsB,CAAC;IACpE,MAAM,GAAG,GAAG,UAAU,CAAC,UAAU,CAAc,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;IACnE,MAAM,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;IAEnF,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,WAAW,CAAC,WAAW;QAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IACpE,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,WAAW,CAAC,YAAY;QAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IACrE,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC;QACpC,IAAI,CAAC,CAAC,QAAQ,KAAK,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,CAAC;AAClD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAC9B,MAAc,EACd,UAA8B,EAAE;IAEhC,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,MAAM,CAAC,CAAC;IACzC,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,gBAAgB,CACtB,mCAAmC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAC7D,MAAM,CAAC,MAAM,CAChB,CAAC;IACN,CAAC;IAED,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;IAC/B,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,GAAG,EAAE,gBAAgB,EAAE;QACjE,QAAQ,EAAE,QAAQ,CAAC,OAAO;QAC1B,QAAQ,EAAE,mBAAmB;KAChC,CAAC,CAAC;IAEH,IAAI,iBAAiB,GAAG,KAAK,CAAC;IAC9B,MAAM,cAAc,GAAa,EAAE,CAAC;IACpC,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,WAAW,EAAE,CAAC;QACtC,IAAI,IAAI,CAAC,QAAQ,KAAK,OAAO;YAAE,SAAS;QACxC,IAAI,8BAA8B,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC/C,iBAAiB,GAAG,IAAI,CAAC;YACzB,SAAS;QACb,CAAC;QACD,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC;IACD,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,gBAAgB,CACtB,qCAAqC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAChE,cAAc,CACjB,CAAC;IACN,CAAC;IACD,IAAI,iBAAiB,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC9C,qBAAqB,GAAG,IAAI,CAAC;QAC7B,OAAO,CAAC,IAAI,CACR,qFAAqF;YACjF,+DAA+D,CACtE,CAAC;IACN,CAAC;IAED,MAAM,KAAK,GAAG,aAAa,CAAC,MAAM,CAAC,GAAG,EAAE,QAAQ,EAAE;QAC9C,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,OAAO,CAAC,KAAK;KACvB,CAAC,CAAC;IAEH,OAAO,SAAS,CAAC,KAAK,EAAE;QACpB,QAAQ,EAAE,OAAO,CAAC,QAAQ;KAC7B,CAAC,CAAC;AACP,CAAC;AAED,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAGnB;IAFpB,YACI,OAAe,EACC,OAAiB;QAEjC,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,YAAO,GAAP,OAAO,CAAU;QAGjC,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACnC,CAAC;CACJ;AAED,uEAAuE;AACvE,wEAAwE;AACxE,iCAAiC;AACjC,MAAM,UAAU,4BAA4B;IACxC,qBAAqB,GAAG,KAAK,CAAC;IAC9B,cAAc,GAAG,SAAS,CAAC;IAC3B,UAAU,GAAG,CAAC,CAAC;AACnB,CAAC"}
+{"version":3,"file":"pipeline.js","sourceRoot":"","sources":["../src/pipeline.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,uEAAuE;AACvE,oCAAoC;AACpC,EAAE;AACF,iEAAiE;AACjE,0EAA0E;AAC1E,mEAAmE;AACnE,sEAAsE;AACtE,aAAa;AACb,mEAAmE;AACnE,sEAAsE;AACtE,uEAAuE;AACvE,2CAA2C;AAE3C,OAAO,EACH,8BAA8B,EAE9B,WAAW,IAAI,kBAAkB,EACjC,YAAY,IAAI,mBAAmB,GAGtC,MAAM,kBAAkB,CAAC;AAG1B,MAAM,iBAAiB,GAAG,gBAAgB,CAAC;AAsB3C,IAAI,qBAAqB,GAAG,KAAK,CAAC;AAElC,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,MAAc;IAC5C,MAAM,EAAE,GAAG,EAAE,WAAW,EAAE,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE;QAC1D,QAAQ,EAAE,iBAAiB;KAC9B,CAAC,CAAC;IACH,OAAO;QACH,GAAG;QACH,MAAM,EAAE,WAAW;aACd,MAAM,CAAC,CAAC,CAAgB,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC;aACpD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;KAC7B,CAAC;AACN,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAC9B,MAAc,EACd,UAA8B,EAAE;IAEhC,MAAM,cAAc,GAAyB;QACzC,QAAQ,EAAE,iBAAiB;QAC3B,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,gBAAgB,EAAE,GAAG,EAAE;YACnB,IAAI,CAAC,qBAAqB,EAAE,CAAC;gBACzB,qBAAqB,GAAG,IAAI,CAAC;gBAC7B,OAAO,CAAC,IAAI,CACR,qFAAqF;oBACjF,+DAA+D,CACtE,CAAC;YACN,CAAC;QACL,CAAC;KACJ,CAAC;IAEF,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IACjE,IAAI,MAAM,CAAC,IAAI,KAAK,KAAK;QAAE,OAAO,MAAM,CAAC,GAAG,CAAC;IAE7C,MAAM,QAAQ,GAAG,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAChG,MAAM,IAAI,gBAAgB,CAAC,oCAAoC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;AACpG,CAAC;AAED,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAGnB;IAFpB,YACI,OAAe,EACC,OAAiB;QAEjC,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,YAAO,GAAP,OAAO,CAAU;QAGjC,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACnC,CAAC;CACJ;AAED,uEAAuE;AACvE,wEAAwE;AACxE,iCAAiC;AACjC,MAAM,UAAU,4BAA4B;IACxC,qBAAqB,GAAG,KAAK,CAAC;IAC9B,8BAA8B,EAAE,CAAC;AACrC,CAAC"}

package/package.json

@@ -1,8 +1,12 @@
 {
   "name": "@nowline/embed",
-  "version": "0.2.5",
+  "version": "0.4.1",
   "description": "Browser embed bundle for Nowline. Drop a <script> tag and ```nowline``` blocks render in place.",
   "license": "Apache-2.0",
+  "engines": {
+    "node": ">=22",
+    "pnpm": ">=11"
+  },
   "type": "module",
   "sideEffects": false,
   "main": "./dist/index.js",
@@ -35,23 +39,26 @@
     "cdn"
   ],
   "dependencies": {
-    "langium": "~4.2.2",
-    "@nowline/layout": "0.2.5",
-    "@nowline/renderer": "0.2.5",
-    "@nowline/core": "0.2.5"
+    "langium": "~4.2.4",
+    "@nowline/browser": "0.4.1",
+    "@nowline/core": "0.4.1",
+    "@nowline/renderer": "0.4.1",
+    "@nowline/layout": "0.4.1"
   },
   "devDependencies": {
-    "@types/node": "^22.0.0",
-    "esbuild": "^0.27.0",
-    "happy-dom": "^15.11.0",
-    "typescript": "~5.7.0",
-    "vitest": "^3.1.0"
+    "@types/node": "^25.9.1",
+    "esbuild": "^0.28.0",
+    "firebase": "^12.13.0",
+    "happy-dom": "^20.9.0",
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.7"
   },
   "scripts": {
     "build": "tsc -b tsconfig.json && node scripts/bundle.mjs",
     "watch": "tsc -b tsconfig.json --watch",
     "typecheck": "tsc --noEmit -p tsconfig.json",
     "bundle": "node scripts/bundle.mjs",
+    "bundle:dev": "node scripts/bundle.mjs --dev",
     "check-size": "node scripts/check-size.mjs",
     "test": "vitest run",
     "test:watch": "vitest"

package/src/auth/allowlist.ts

@@ -0,0 +1,32 @@
+/**
+ * Allowlist for the dev embed bundle's Firebase Auth gate.
+ *
+ * An email is allowlisted if either:
+ *   1. Its domain is in ALLOWED_DOMAINS (e.g. anything @nowline.io), OR
+ *   2. The exact lowercase email is in ALLOWED_EMAILS.
+ *
+ * Mirrors the commercial site's `auth-allowlist.ts` so both Lolay
+ * dev surfaces (the marketing site and the embed CDN dev tier) share
+ * one allowlist policy. Keep this short; when it grows past ~5 entries,
+ * migrate to Firebase custom claims (Admin SDK) or a Firestore
+ * `allowlist` collection.
+ *
+ * See specs/embed.md § Bootstrap status (dev auth gate) and
+ * the infrastructure deploy runbook § 4 for the deploy-side wiring.
+ */
+
+export const ALLOWED_DOMAINS: readonly string[] = ['nowline.io'];
+
+export const ALLOWED_EMAILS: readonly string[] = [
+    // Add additional allowlisted Google account emails here, one per line.
+];
+
+export function isAllowlisted(email: string | null | undefined): boolean {
+    if (!email) return false;
+    const normalized = email.trim().toLowerCase();
+    if (ALLOWED_EMAILS.includes(normalized)) return true;
+    const at = normalized.lastIndexOf('@');
+    if (at === -1) return false;
+    const domain = normalized.slice(at + 1);
+    return ALLOWED_DOMAINS.includes(domain);
+}

package/src/auth/env.ts

@@ -0,0 +1,37 @@
+/**
+ * Build-time environment helpers for `@nowline/embed`.
+ *
+ * `__NOWLINE_EMBED_ENV__` is substituted at bundle time by esbuild's
+ * `define` (see `packages/embed/scripts/bundle.mjs`). The substitution
+ * lets the prod minified bundle dead-code-eliminate the dev auth gate
+ * and its Firebase imports — when the constant folds to the literal
+ * string `"prod"`, every `IS_DEV` branch becomes `false` and esbuild's
+ * minifier strips the dynamic-import site that pulls in `firebase/app`
+ * + `firebase/auth`.
+ *
+ * The `typeof` guards keep this module safe to import under vitest,
+ * where esbuild's define never runs and the identifier is undeclared.
+ */
+
+declare const __NOWLINE_EMBED_ENV__: string;
+declare const __NOWLINE_EMBED_VERSION__: string;
+declare const __NOWLINE_EMBED_SHA__: string;
+
+export type EmbedEnv = 'dev' | 'prod';
+
+export const EMBED_ENV: EmbedEnv =
+    typeof __NOWLINE_EMBED_ENV__ !== 'undefined' && __NOWLINE_EMBED_ENV__ === 'dev'
+        ? 'dev'
+        : 'prod';
+
+export const IS_DEV: boolean = EMBED_ENV === 'dev';
+export const IS_PROD: boolean = EMBED_ENV === 'prod';
+
+export const EMBED_VERSION: string =
+    typeof __NOWLINE_EMBED_VERSION__ !== 'undefined' ? __NOWLINE_EMBED_VERSION__ : '0.0.0';
+
+export const EMBED_SHA: string =
+    typeof __NOWLINE_EMBED_SHA__ !== 'undefined' ? __NOWLINE_EMBED_SHA__ : 'unknown';
+
+export const PROD_ORIGIN = 'https://embed.nowline.io';
+export const DEV_ORIGIN = 'https://embed.nowline.dev';

package/src/auth/firebase-auth.client.ts

@@ -0,0 +1,174 @@
+/**
+ * Client-side Firebase Auth gate for the dev embed bundle.
+ *
+ * Mirrors the commercial site's `firebase-auth.client.ts` so the
+ * two Lolay dev surfaces share one allowlist UX. Loaded only on the
+ * dev build (when `__NOWLINE_EMBED_ENV__ === 'dev'`); the prod build
+ * tree-shakes the dynamic import in `src/index.ts` and never pulls
+ * `firebase/app` or `firebase/auth` into the IIFE.
+ *
+ * Renders a full-viewport overlay with z-index 2147483647 so it sits
+ * above any host-page content. Until the visitor signs in with an
+ * allowlisted Google account, the overlay stays put; once allowlisted,
+ * it removes itself and the embed's auto-scan reaches the rendered
+ * SVG underneath. The host page is told nothing — the gate is purely
+ * client-side, opaque to the embedder.
+ *
+ * See specs/embed.md § Bootstrap status (dev auth gate) and
+ * the infrastructure deploy runbook § 4 for the deploy-side wiring.
+ */
+
+import { type FirebaseApp, initializeApp } from 'firebase/app';
+import {
+    type Auth,
+    GoogleAuthProvider,
+    getAuth,
+    onAuthStateChanged,
+    signInWithPopup,
+    signOut,
+    type User,
+} from 'firebase/auth';
+import { isAllowlisted } from './allowlist.js';
+
+// esbuild-substituted at build time from PUBLIC_FIREBASE_* env vars in
+// .github/workflows/embed-cdn.yml (sourced from the `embed-dev` GitHub
+// environment-scoped variables — see the infrastructure deploy runbook § 2.5).
+declare const __NOWLINE_FIREBASE_API_KEY__: string;
+declare const __NOWLINE_FIREBASE_AUTH_DOMAIN__: string;
+declare const __NOWLINE_FIREBASE_PROJECT_ID__: string;
+declare const __NOWLINE_FIREBASE_APP_ID__: string;
+
+const config = {
+    apiKey: typeof __NOWLINE_FIREBASE_API_KEY__ !== 'undefined' ? __NOWLINE_FIREBASE_API_KEY__ : '',
+    authDomain:
+        typeof __NOWLINE_FIREBASE_AUTH_DOMAIN__ !== 'undefined'
+            ? __NOWLINE_FIREBASE_AUTH_DOMAIN__
+            : '',
+    projectId:
+        typeof __NOWLINE_FIREBASE_PROJECT_ID__ !== 'undefined'
+            ? __NOWLINE_FIREBASE_PROJECT_ID__
+            : '',
+    appId: typeof __NOWLINE_FIREBASE_APP_ID__ !== 'undefined' ? __NOWLINE_FIREBASE_APP_ID__ : '',
+};
+
+const OVERLAY_ID = 'nowline-embed-dev-auth-overlay';
+
+let app: FirebaseApp | null = null;
+let auth: Auth | null = null;
+
+function getOrCreateOverlay(): HTMLDivElement {
+    let overlay = document.getElementById(OVERLAY_ID) as HTMLDivElement | null;
+    if (overlay) return overlay;
+
+    overlay = document.createElement('div');
+    overlay.id = OVERLAY_ID;
+    overlay.setAttribute('role', 'dialog');
+    overlay.setAttribute('aria-modal', 'true');
+    overlay.setAttribute('aria-label', 'Internal preview sign-in');
+    overlay.style.cssText = [
+        'position: fixed',
+        'inset: 0',
+        'z-index: 2147483647',
+        'background-color: #ffffff',
+        'color: #1a1a2e',
+        'display: flex',
+        'align-items: center',
+        'justify-content: center',
+        'padding: 1.5rem',
+        'font-family: system-ui, -apple-system, "Segoe UI", sans-serif',
+    ].join(';');
+    document.body.appendChild(overlay);
+    return overlay;
+}
+
+function removeOverlay(): void {
+    const overlay = document.getElementById(OVERLAY_ID);
+    overlay?.remove();
+}
+
+function renderSignIn(overlay: HTMLDivElement, onClick: () => void): void {
+    overlay.innerHTML = `
+        <div style="max-width: 28rem; text-align: center;">
+            <div style="font-size: 0.75rem; letter-spacing: 0.08em; text-transform: uppercase; color: #5a5a6a; margin-bottom: 0.75rem;">embed.nowline.dev &mdash; internal preview</div>
+            <h1 style="font-size: 1.875rem; font-weight: 700; margin: 0 0 0.75rem;">Sign in to continue</h1>
+            <p style="margin: 0 0 1.5rem; color: #5a5a6a;">Access is limited to allowlisted Lolay accounts. Production embed is at <a href="https://embed.nowline.io" style="color: #1a4ed8;">embed.nowline.io</a>.</p>
+            <button type="button" id="nowline-embed-dev-signin-btn" style="display: inline-block; padding: 0.75rem 1.5rem; border-radius: 8px; background-color: #e53e3e; color: #ffffff; font-weight: 700; border: 1px solid transparent; cursor: pointer; font-size: 1rem;">Sign in with Google</button>
+        </div>
+    `;
+    const btn = overlay.querySelector<HTMLButtonElement>('#nowline-embed-dev-signin-btn');
+    btn?.addEventListener('click', onClick);
+}
+
+function renderDenied(overlay: HTMLDivElement, email: string, onSignOut: () => void): void {
+    overlay.innerHTML = `
+        <div style="max-width: 28rem; text-align: center;">
+            <div style="font-size: 0.75rem; letter-spacing: 0.08em; text-transform: uppercase; color: #5a5a6a; margin-bottom: 0.75rem;">embed.nowline.dev &mdash; internal preview</div>
+            <h1 style="font-size: 1.875rem; font-weight: 700; margin: 0 0 0.75rem;">Access denied</h1>
+            <p style="margin: 0 0 1.5rem; color: #5a5a6a;">${escapeHtml(email)} is not on the allowlist for this preview environment. Production embed is publicly available at <a href="https://embed.nowline.io" style="color: #1a4ed8;">embed.nowline.io</a>.</p>
+            <button type="button" id="nowline-embed-dev-signout-btn" style="display: inline-block; padding: 0.75rem 1.5rem; border-radius: 8px; background-color: transparent; color: #1a1a2e; font-weight: 700; border: 1px solid #c0c0c0; cursor: pointer; font-size: 1rem;">Sign out</button>
+        </div>
+    `;
+    const btn = overlay.querySelector<HTMLButtonElement>('#nowline-embed-dev-signout-btn');
+    btn?.addEventListener('click', onSignOut);
+}
+
+function escapeHtml(value: string): string {
+    return value
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+}
+
+export function startDevAuthGate(): void {
+    if (typeof window === 'undefined' || typeof document === 'undefined') return;
+    if (!config.apiKey || !config.authDomain || !config.projectId || !config.appId) {
+        // No firebase config baked in. Likely a local `pnpm bundle` without
+        // PUBLIC_FIREBASE_* exported (CI deploys always set them). Skip the
+        // overlay rather than render an unrecoverable dialog so devs aren't
+        // locked out of their own local builds.
+        console.warn(
+            '[nowline-embed-dev-auth-gate] Missing PUBLIC_FIREBASE_* env vars at build time; gate is disabled. Configure them in .github/workflows/embed-cdn.yml or your local environment to enable.',
+        );
+        return;
+    }
+
+    // Create the overlay up front so it covers content while Firebase
+    // initialises; subsequent renders call getOrCreateOverlay() again
+    // to find the same element.
+    getOrCreateOverlay();
+
+    app ??= initializeApp(config);
+    auth ??= getAuth(app);
+
+    const provider = new GoogleAuthProvider();
+
+    const handleSignIn = async (): Promise<void> => {
+        try {
+            await signInWithPopup(auth as Auth, provider);
+        } catch (err) {
+            console.error('[nowline-embed-dev-auth-gate] Sign-in failed:', err);
+        }
+    };
+
+    const handleSignOut = async (): Promise<void> => {
+        try {
+            await signOut(auth as Auth);
+        } catch (err) {
+            console.error('[nowline-embed-dev-auth-gate] Sign-out failed:', err);
+        }
+    };
+
+    onAuthStateChanged(auth as Auth, (user: User | null) => {
+        if (!user) {
+            renderSignIn(getOrCreateOverlay(), handleSignIn);
+            return;
+        }
+        if (!isAllowlisted(user.email)) {
+            renderDenied(getOrCreateOverlay(), user.email ?? 'unknown', handleSignOut);
+            return;
+        }
+        removeOverlay();
+    });
+}

package/src/index.ts

@@ -5,6 +5,18 @@
 // The IIFE bundle exposes everything below as `window.nowline.*`. ESM
 // consumers import named exports from the package root.
 
+import { EMBED_SHA, EMBED_VERSION } from './auth/env.js';
+
+// Build-time constant substituted by esbuild's `define` (see
+// `scripts/bundle.mjs`). Reading it directly at the call site (rather
+// than via an `IS_DEV` re-export from env.ts) means esbuild can fold
+// the `if` below to a literal `true`/`false` at minify time and
+// dead-code-eliminate the dynamic-import branch in the prod bundle,
+// stripping `firebase/app` + `firebase/auth` from `dist/nowline.min.js`.
+// The `typeof` guard keeps the file safe to import under vitest, where
+// esbuild's define never runs and the identifier is undeclared.
+declare const __NOWLINE_EMBED_ENV__: string;
+
 import {
     __resetAutoScanForTests,
     type AutoScanInputs,
@@ -23,6 +35,18 @@ import { type EmbedTheme, effectiveTheme, resolveSystemTheme } from './theme.js'
 
 export { type AutoScanResult, type EmbedParseResult, EmbedRenderError, type EmbedTheme };
 
+/**
+ * Bundle provenance, mirroring the legal-comment banner that
+ * `scripts/bundle.mjs` injects at the top of every artifact:
+ * `@nowline/embed <version> sha=<short-sha> built=<iso-utc>`.
+ *
+ * Exposed on the IIFE global as `nowline.version` / `nowline.sha` so
+ * pages and bug reports can identify the exact build without scraping
+ * the comment banner.
+ */
+export const version: string = EMBED_VERSION;
+export const sha: string = EMBED_SHA;
+
 const DEFAULT_SELECTOR = 'pre code.language-nowline, code.language-nowline';
 
 export interface InitializeOptions {
@@ -149,6 +173,24 @@ export const run = init;
 // the auto-scan branch.
 if (typeof document !== 'undefined' && !autoStartScheduled) {
     autoStartScheduled = true;
+
+    // Dev-only Firebase Auth gate (embed.nowline.dev). The condition
+    // reads `__NOWLINE_EMBED_ENV__` directly so esbuild's `define`
+    // substitutes a literal string at minify time — the prod bundle
+    // sees `if ("prod" === "dev")` → `if (false)` and DCEs the dynamic
+    // import that pulls in `firebase/app` + `firebase/auth`.
+    // `check-size.mjs` asserts no `firebase` literal survives in the
+    // prod IIFE as a belt-and-suspenders check.
+    if (typeof __NOWLINE_EMBED_ENV__ !== 'undefined' && __NOWLINE_EMBED_ENV__ === 'dev') {
+        void import('./auth/firebase-auth.client.js')
+            .then(({ startDevAuthGate }) => {
+                startDevAuthGate();
+            })
+            .catch((err) => {
+                console.error('[nowline] dev auth gate failed to load:', err);
+            });
+    }
+
     const start = (): void => {
         if (!config.startOnLoad) return;
         // Fire-and-forget; render errors are surfaced via `console.error`