@nowline/embed 0.4.1 → 0.5.0

package/dist/auth/env.d.ts

@@ -1,23 +0,0 @@
-/**
- * Build-time environment helpers for `@nowline/embed`.
- *
- * `__NOWLINE_EMBED_ENV__` is substituted at bundle time by esbuild's
- * `define` (see `packages/embed/scripts/bundle.mjs`). The substitution
- * lets the prod minified bundle dead-code-eliminate the dev auth gate
- * and its Firebase imports — when the constant folds to the literal
- * string `"prod"`, every `IS_DEV` branch becomes `false` and esbuild's
- * minifier strips the dynamic-import site that pulls in `firebase/app`
- * + `firebase/auth`.
- *
- * The `typeof` guards keep this module safe to import under vitest,
- * where esbuild's define never runs and the identifier is undeclared.
- */
-export type EmbedEnv = 'dev' | 'prod';
-export declare const EMBED_ENV: EmbedEnv;
-export declare const IS_DEV: boolean;
-export declare const IS_PROD: boolean;
-export declare const EMBED_VERSION: string;
-export declare const EMBED_SHA: string;
-export declare const PROD_ORIGIN = "https://embed.nowline.io";
-export declare const DEV_ORIGIN = "https://embed.nowline.dev";
-//# sourceMappingURL=env.d.ts.map

package/dist/auth/env.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../src/auth/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAMH,MAAM,MAAM,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAEtC,eAAO,MAAM,SAAS,EAAE,QAGR,CAAC;AAEjB,eAAO,MAAM,MAAM,EAAE,OAA6B,CAAC;AACnD,eAAO,MAAM,OAAO,EAAE,OAA8B,CAAC;AAErD,eAAO,MAAM,aAAa,EAAE,MAC8D,CAAC;AAE3F,eAAO,MAAM,SAAS,EAAE,MAC4D,CAAC;AAErF,eAAO,MAAM,WAAW,6BAA6B,CAAC;AACtD,eAAO,MAAM,UAAU,8BAA8B,CAAC"}

package/dist/auth/env.js

@@ -1,24 +0,0 @@
-/**
- * Build-time environment helpers for `@nowline/embed`.
- *
- * `__NOWLINE_EMBED_ENV__` is substituted at bundle time by esbuild's
- * `define` (see `packages/embed/scripts/bundle.mjs`). The substitution
- * lets the prod minified bundle dead-code-eliminate the dev auth gate
- * and its Firebase imports — when the constant folds to the literal
- * string `"prod"`, every `IS_DEV` branch becomes `false` and esbuild's
- * minifier strips the dynamic-import site that pulls in `firebase/app`
- * + `firebase/auth`.
- *
- * The `typeof` guards keep this module safe to import under vitest,
- * where esbuild's define never runs and the identifier is undeclared.
- */
-export const EMBED_ENV = typeof __NOWLINE_EMBED_ENV__ !== 'undefined' && __NOWLINE_EMBED_ENV__ === 'dev'
-    ? 'dev'
-    : 'prod';
-export const IS_DEV = EMBED_ENV === 'dev';
-export const IS_PROD = EMBED_ENV === 'prod';
-export const EMBED_VERSION = typeof __NOWLINE_EMBED_VERSION__ !== 'undefined' ? __NOWLINE_EMBED_VERSION__ : '0.0.0';
-export const EMBED_SHA = typeof __NOWLINE_EMBED_SHA__ !== 'undefined' ? __NOWLINE_EMBED_SHA__ : 'unknown';
-export const PROD_ORIGIN = 'https://embed.nowline.io';
-export const DEV_ORIGIN = 'https://embed.nowline.dev';
-//# sourceMappingURL=env.js.map

package/dist/auth/env.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"env.js","sourceRoot":"","sources":["../../src/auth/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAQH,MAAM,CAAC,MAAM,SAAS,GAClB,OAAO,qBAAqB,KAAK,WAAW,IAAI,qBAAqB,KAAK,KAAK;IAC3E,CAAC,CAAC,KAAK;IACP,CAAC,CAAC,MAAM,CAAC;AAEjB,MAAM,CAAC,MAAM,MAAM,GAAY,SAAS,KAAK,KAAK,CAAC;AACnD,MAAM,CAAC,MAAM,OAAO,GAAY,SAAS,KAAK,MAAM,CAAC;AAErD,MAAM,CAAC,MAAM,aAAa,GACtB,OAAO,yBAAyB,KAAK,WAAW,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC,OAAO,CAAC;AAE3F,MAAM,CAAC,MAAM,SAAS,GAClB,OAAO,qBAAqB,KAAK,WAAW,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,SAAS,CAAC;AAErF,MAAM,CAAC,MAAM,WAAW,GAAG,0BAA0B,CAAC;AACtD,MAAM,CAAC,MAAM,UAAU,GAAG,2BAA2B,CAAC"}

package/dist/auth/firebase-auth.client.d.ts

@@ -1,21 +0,0 @@
-/**
- * Client-side Firebase Auth gate for the dev embed bundle.
- *
- * Mirrors the commercial site's `firebase-auth.client.ts` so the
- * two Lolay dev surfaces share one allowlist UX. Loaded only on the
- * dev build (when `__NOWLINE_EMBED_ENV__ === 'dev'`); the prod build
- * tree-shakes the dynamic import in `src/index.ts` and never pulls
- * `firebase/app` or `firebase/auth` into the IIFE.
- *
- * Renders a full-viewport overlay with z-index 2147483647 so it sits
- * above any host-page content. Until the visitor signs in with an
- * allowlisted Google account, the overlay stays put; once allowlisted,
- * it removes itself and the embed's auto-scan reaches the rendered
- * SVG underneath. The host page is told nothing — the gate is purely
- * client-side, opaque to the embedder.
- *
- * See specs/embed.md § Bootstrap status (dev auth gate) and
- * the infrastructure deploy runbook § 4 for the deploy-side wiring.
- */
-export declare function startDevAuthGate(): void;
-//# sourceMappingURL=firebase-auth.client.d.ts.map

package/dist/auth/firebase-auth.client.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"firebase-auth.client.d.ts","sourceRoot":"","sources":["../../src/auth/firebase-auth.client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAyGH,wBAAgB,gBAAgB,IAAI,IAAI,CAkDvC"}

package/dist/auth/firebase-auth.client.js

@@ -1,142 +0,0 @@
-/**
- * Client-side Firebase Auth gate for the dev embed bundle.
- *
- * Mirrors the commercial site's `firebase-auth.client.ts` so the
- * two Lolay dev surfaces share one allowlist UX. Loaded only on the
- * dev build (when `__NOWLINE_EMBED_ENV__ === 'dev'`); the prod build
- * tree-shakes the dynamic import in `src/index.ts` and never pulls
- * `firebase/app` or `firebase/auth` into the IIFE.
- *
- * Renders a full-viewport overlay with z-index 2147483647 so it sits
- * above any host-page content. Until the visitor signs in with an
- * allowlisted Google account, the overlay stays put; once allowlisted,
- * it removes itself and the embed's auto-scan reaches the rendered
- * SVG underneath. The host page is told nothing — the gate is purely
- * client-side, opaque to the embedder.
- *
- * See specs/embed.md § Bootstrap status (dev auth gate) and
- * the infrastructure deploy runbook § 4 for the deploy-side wiring.
- */
-import { initializeApp } from 'firebase/app';
-import { GoogleAuthProvider, getAuth, onAuthStateChanged, signInWithPopup, signOut, } from 'firebase/auth';
-import { isAllowlisted } from './allowlist.js';
-const config = {
-    apiKey: typeof __NOWLINE_FIREBASE_API_KEY__ !== 'undefined' ? __NOWLINE_FIREBASE_API_KEY__ : '',
-    authDomain: typeof __NOWLINE_FIREBASE_AUTH_DOMAIN__ !== 'undefined'
-        ? __NOWLINE_FIREBASE_AUTH_DOMAIN__
-        : '',
-    projectId: typeof __NOWLINE_FIREBASE_PROJECT_ID__ !== 'undefined'
-        ? __NOWLINE_FIREBASE_PROJECT_ID__
-        : '',
-    appId: typeof __NOWLINE_FIREBASE_APP_ID__ !== 'undefined' ? __NOWLINE_FIREBASE_APP_ID__ : '',
-};
-const OVERLAY_ID = 'nowline-embed-dev-auth-overlay';
-let app = null;
-let auth = null;
-function getOrCreateOverlay() {
-    let overlay = document.getElementById(OVERLAY_ID);
-    if (overlay)
-        return overlay;
-    overlay = document.createElement('div');
-    overlay.id = OVERLAY_ID;
-    overlay.setAttribute('role', 'dialog');
-    overlay.setAttribute('aria-modal', 'true');
-    overlay.setAttribute('aria-label', 'Internal preview sign-in');
-    overlay.style.cssText = [
-        'position: fixed',
-        'inset: 0',
-        'z-index: 2147483647',
-        'background-color: #ffffff',
-        'color: #1a1a2e',
-        'display: flex',
-        'align-items: center',
-        'justify-content: center',
-        'padding: 1.5rem',
-        'font-family: system-ui, -apple-system, "Segoe UI", sans-serif',
-    ].join(';');
-    document.body.appendChild(overlay);
-    return overlay;
-}
-function removeOverlay() {
-    const overlay = document.getElementById(OVERLAY_ID);
-    overlay?.remove();
-}
-function renderSignIn(overlay, onClick) {
-    overlay.innerHTML = `
-        <div style="max-width: 28rem; text-align: center;">
-            <div style="font-size: 0.75rem; letter-spacing: 0.08em; text-transform: uppercase; color: #5a5a6a; margin-bottom: 0.75rem;">embed.nowline.dev &mdash; internal preview</div>
-            <h1 style="font-size: 1.875rem; font-weight: 700; margin: 0 0 0.75rem;">Sign in to continue</h1>
-            <p style="margin: 0 0 1.5rem; color: #5a5a6a;">Access is limited to allowlisted Lolay accounts. Production embed is at <a href="https://embed.nowline.io" style="color: #1a4ed8;">embed.nowline.io</a>.</p>
-            <button type="button" id="nowline-embed-dev-signin-btn" style="display: inline-block; padding: 0.75rem 1.5rem; border-radius: 8px; background-color: #e53e3e; color: #ffffff; font-weight: 700; border: 1px solid transparent; cursor: pointer; font-size: 1rem;">Sign in with Google</button>
-        </div>
-    `;
-    const btn = overlay.querySelector('#nowline-embed-dev-signin-btn');
-    btn?.addEventListener('click', onClick);
-}
-function renderDenied(overlay, email, onSignOut) {
-    overlay.innerHTML = `
-        <div style="max-width: 28rem; text-align: center;">
-            <div style="font-size: 0.75rem; letter-spacing: 0.08em; text-transform: uppercase; color: #5a5a6a; margin-bottom: 0.75rem;">embed.nowline.dev &mdash; internal preview</div>
-            <h1 style="font-size: 1.875rem; font-weight: 700; margin: 0 0 0.75rem;">Access denied</h1>
-            <p style="margin: 0 0 1.5rem; color: #5a5a6a;">${escapeHtml(email)} is not on the allowlist for this preview environment. Production embed is publicly available at <a href="https://embed.nowline.io" style="color: #1a4ed8;">embed.nowline.io</a>.</p>
-            <button type="button" id="nowline-embed-dev-signout-btn" style="display: inline-block; padding: 0.75rem 1.5rem; border-radius: 8px; background-color: transparent; color: #1a1a2e; font-weight: 700; border: 1px solid #c0c0c0; cursor: pointer; font-size: 1rem;">Sign out</button>
-        </div>
-    `;
-    const btn = overlay.querySelector('#nowline-embed-dev-signout-btn');
-    btn?.addEventListener('click', onSignOut);
-}
-function escapeHtml(value) {
-    return value
-        .replace(/&/g, '&amp;')
-        .replace(/</g, '&lt;')
-        .replace(/>/g, '&gt;')
-        .replace(/"/g, '&quot;')
-        .replace(/'/g, '&#39;');
-}
-export function startDevAuthGate() {
-    if (typeof window === 'undefined' || typeof document === 'undefined')
-        return;
-    if (!config.apiKey || !config.authDomain || !config.projectId || !config.appId) {
-        // No firebase config baked in. Likely a local `pnpm bundle` without
-        // PUBLIC_FIREBASE_* exported (CI deploys always set them). Skip the
-        // overlay rather than render an unrecoverable dialog so devs aren't
-        // locked out of their own local builds.
-        console.warn('[nowline-embed-dev-auth-gate] Missing PUBLIC_FIREBASE_* env vars at build time; gate is disabled. Configure them in .github/workflows/embed-cdn.yml or your local environment to enable.');
-        return;
-    }
-    // Create the overlay up front so it covers content while Firebase
-    // initialises; subsequent renders call getOrCreateOverlay() again
-    // to find the same element.
-    getOrCreateOverlay();
-    app ??= initializeApp(config);
-    auth ??= getAuth(app);
-    const provider = new GoogleAuthProvider();
-    const handleSignIn = async () => {
-        try {
-            await signInWithPopup(auth, provider);
-        }
-        catch (err) {
-            console.error('[nowline-embed-dev-auth-gate] Sign-in failed:', err);
-        }
-    };
-    const handleSignOut = async () => {
-        try {
-            await signOut(auth);
-        }
-        catch (err) {
-            console.error('[nowline-embed-dev-auth-gate] Sign-out failed:', err);
-        }
-    };
-    onAuthStateChanged(auth, (user) => {
-        if (!user) {
-            renderSignIn(getOrCreateOverlay(), handleSignIn);
-            return;
-        }
-        if (!isAllowlisted(user.email)) {
-            renderDenied(getOrCreateOverlay(), user.email ?? 'unknown', handleSignOut);
-            return;
-        }
-        removeOverlay();
-    });
-}
-//# sourceMappingURL=firebase-auth.client.js.map

package/dist/auth/firebase-auth.client.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"firebase-auth.client.js","sourceRoot":"","sources":["../../src/auth/firebase-auth.client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAoB,aAAa,EAAE,MAAM,cAAc,CAAC;AAC/D,OAAO,EAEH,kBAAkB,EAClB,OAAO,EACP,kBAAkB,EAClB,eAAe,EACf,OAAO,GAEV,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAU/C,MAAM,MAAM,GAAG;IACX,MAAM,EAAE,OAAO,4BAA4B,KAAK,WAAW,CAAC,CAAC,CAAC,4BAA4B,CAAC,CAAC,CAAC,EAAE;IAC/F,UAAU,EACN,OAAO,gCAAgC,KAAK,WAAW;QACnD,CAAC,CAAC,gCAAgC;QAClC,CAAC,CAAC,EAAE;IACZ,SAAS,EACL,OAAO,+BAA+B,KAAK,WAAW;QAClD,CAAC,CAAC,+BAA+B;QACjC,CAAC,CAAC,EAAE;IACZ,KAAK,EAAE,OAAO,2BAA2B,KAAK,WAAW,CAAC,CAAC,CAAC,2BAA2B,CAAC,CAAC,CAAC,EAAE;CAC/F,CAAC;AAEF,MAAM,UAAU,GAAG,gCAAgC,CAAC;AAEpD,IAAI,GAAG,GAAuB,IAAI,CAAC;AACnC,IAAI,IAAI,GAAgB,IAAI,CAAC;AAE7B,SAAS,kBAAkB;IACvB,IAAI,OAAO,GAAG,QAAQ,CAAC,cAAc,CAAC,UAAU,CAA0B,CAAC;IAC3E,IAAI,OAAO;QAAE,OAAO,OAAO,CAAC;IAE5B,OAAO,GAAG,QAAQ,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;IACxC,OAAO,CAAC,EAAE,GAAG,UAAU,CAAC;IACxB,OAAO,CAAC,YAAY,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACvC,OAAO,CAAC,YAAY,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IAC3C,OAAO,CAAC,YAAY,CAAC,YAAY,EAAE,0BAA0B,CAAC,CAAC;IAC/D,OAAO,CAAC,KAAK,CAAC,OAAO,GAAG;QACpB,iBAAiB;QACjB,UAAU;QACV,qBAAqB;QACrB,2BAA2B;QAC3B,gBAAgB;QAChB,eAAe;QACf,qBAAqB;QACrB,yBAAyB;QACzB,iBAAiB;QACjB,+DAA+D;KAClE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACZ,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;IACnC,OAAO,OAAO,CAAC;AACnB,CAAC;AAED,SAAS,aAAa;IAClB,MAAM,OAAO,GAAG,QAAQ,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IACpD,OAAO,EAAE,MAAM,EAAE,CAAC;AACtB,CAAC;AAED,SAAS,YAAY,CAAC,OAAuB,EAAE,OAAmB;IAC9D,OAAO,CAAC,SAAS,GAAG;;;;;;;KAOnB,CAAC;IACF,MAAM,GAAG,GAAG,OAAO,CAAC,aAAa,CAAoB,+BAA+B,CAAC,CAAC;IACtF,GAAG,EAAE,gBAAgB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,YAAY,CAAC,OAAuB,EAAE,KAAa,EAAE,SAAqB;IAC/E,OAAO,CAAC,SAAS,GAAG;;;;6DAIqC,UAAU,CAAC,KAAK,CAAC;;;KAGzE,CAAC;IACF,MAAM,GAAG,GAAG,OAAO,CAAC,aAAa,CAAoB,gCAAgC,CAAC,CAAC;IACvF,GAAG,EAAE,gBAAgB,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;AAC9C,CAAC;AAED,SAAS,UAAU,CAAC,KAAa;IAC7B,OAAO,KAAK;SACP,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC5B,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,OAAO,QAAQ,KAAK,WAAW;QAAE,OAAO;IAC7E,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAC7E,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;QACpE,wCAAwC;QACxC,OAAO,CAAC,IAAI,CACR,0LAA0L,CAC7L,CAAC;QACF,OAAO;IACX,CAAC;IAED,kEAAkE;IAClE,kEAAkE;IAClE,4BAA4B;IAC5B,kBAAkB,EAAE,CAAC;IAErB,GAAG,KAAK,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9B,IAAI,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC;IAEtB,MAAM,QAAQ,GAAG,IAAI,kBAAkB,EAAE,CAAC;IAE1C,MAAM,YAAY,GAAG,KAAK,IAAmB,EAAE;QAC3C,IAAI,CAAC;YACD,MAAM,eAAe,CAAC,IAAY,EAAE,QAAQ,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,+CAA+C,EAAE,GAAG,CAAC,CAAC;QACxE,CAAC;IACL,CAAC,CAAC;IAEF,MAAM,aAAa,GAAG,KAAK,IAAmB,EAAE;QAC5C,IAAI,CAAC;YACD,MAAM,OAAO,CAAC,IAAY,CAAC,CAAC;QAChC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,gDAAgD,EAAE,GAAG,CAAC,CAAC;QACzE,CAAC;IACL,CAAC,CAAC;IAEF,kBAAkB,CAAC,IAAY,EAAE,CAAC,IAAiB,EAAE,EAAE;QACnD,IAAI,CAAC,IAAI,EAAE,CAAC;YACR,YAAY,CAAC,kBAAkB,EAAE,EAAE,YAAY,CAAC,CAAC;YACjD,OAAO;QACX,CAAC;QACD,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7B,YAAY,CAAC,kBAAkB,EAAE,EAAE,IAAI,CAAC,KAAK,IAAI,SAAS,EAAE,aAAa,CAAC,CAAC;YAC3E,OAAO;QACX,CAAC;QACD,aAAa,EAAE,CAAC;IACpB,CAAC,CAAC,CAAC;AACP,CAAC"}

package/src/auth/allowlist.ts

@@ -1,32 +0,0 @@
-/**
- * Allowlist for the dev embed bundle's Firebase Auth gate.
- *
- * An email is allowlisted if either:
- *   1. Its domain is in ALLOWED_DOMAINS (e.g. anything @nowline.io), OR
- *   2. The exact lowercase email is in ALLOWED_EMAILS.
- *
- * Mirrors the commercial site's `auth-allowlist.ts` so both Lolay
- * dev surfaces (the marketing site and the embed CDN dev tier) share
- * one allowlist policy. Keep this short; when it grows past ~5 entries,
- * migrate to Firebase custom claims (Admin SDK) or a Firestore
- * `allowlist` collection.
- *
- * See specs/embed.md § Bootstrap status (dev auth gate) and
- * the infrastructure deploy runbook § 4 for the deploy-side wiring.
- */
-
-export const ALLOWED_DOMAINS: readonly string[] = ['nowline.io'];
-
-export const ALLOWED_EMAILS: readonly string[] = [
-    // Add additional allowlisted Google account emails here, one per line.
-];
-
-export function isAllowlisted(email: string | null | undefined): boolean {
-    if (!email) return false;
-    const normalized = email.trim().toLowerCase();
-    if (ALLOWED_EMAILS.includes(normalized)) return true;
-    const at = normalized.lastIndexOf('@');
-    if (at === -1) return false;
-    const domain = normalized.slice(at + 1);
-    return ALLOWED_DOMAINS.includes(domain);
-}

package/src/auth/env.ts

@@ -1,37 +0,0 @@
-/**
- * Build-time environment helpers for `@nowline/embed`.
- *
- * `__NOWLINE_EMBED_ENV__` is substituted at bundle time by esbuild's
- * `define` (see `packages/embed/scripts/bundle.mjs`). The substitution
- * lets the prod minified bundle dead-code-eliminate the dev auth gate
- * and its Firebase imports — when the constant folds to the literal
- * string `"prod"`, every `IS_DEV` branch becomes `false` and esbuild's
- * minifier strips the dynamic-import site that pulls in `firebase/app`
- * + `firebase/auth`.
- *
- * The `typeof` guards keep this module safe to import under vitest,
- * where esbuild's define never runs and the identifier is undeclared.
- */
-
-declare const __NOWLINE_EMBED_ENV__: string;
-declare const __NOWLINE_EMBED_VERSION__: string;
-declare const __NOWLINE_EMBED_SHA__: string;
-
-export type EmbedEnv = 'dev' | 'prod';
-
-export const EMBED_ENV: EmbedEnv =
-    typeof __NOWLINE_EMBED_ENV__ !== 'undefined' && __NOWLINE_EMBED_ENV__ === 'dev'
-        ? 'dev'
-        : 'prod';
-
-export const IS_DEV: boolean = EMBED_ENV === 'dev';
-export const IS_PROD: boolean = EMBED_ENV === 'prod';
-
-export const EMBED_VERSION: string =
-    typeof __NOWLINE_EMBED_VERSION__ !== 'undefined' ? __NOWLINE_EMBED_VERSION__ : '0.0.0';
-
-export const EMBED_SHA: string =
-    typeof __NOWLINE_EMBED_SHA__ !== 'undefined' ? __NOWLINE_EMBED_SHA__ : 'unknown';
-
-export const PROD_ORIGIN = 'https://embed.nowline.io';
-export const DEV_ORIGIN = 'https://embed.nowline.dev';

package/src/auth/firebase-auth.client.ts

@@ -1,174 +0,0 @@
-/**
- * Client-side Firebase Auth gate for the dev embed bundle.
- *
- * Mirrors the commercial site's `firebase-auth.client.ts` so the
- * two Lolay dev surfaces share one allowlist UX. Loaded only on the
- * dev build (when `__NOWLINE_EMBED_ENV__ === 'dev'`); the prod build
- * tree-shakes the dynamic import in `src/index.ts` and never pulls
- * `firebase/app` or `firebase/auth` into the IIFE.
- *
- * Renders a full-viewport overlay with z-index 2147483647 so it sits
- * above any host-page content. Until the visitor signs in with an
- * allowlisted Google account, the overlay stays put; once allowlisted,
- * it removes itself and the embed's auto-scan reaches the rendered
- * SVG underneath. The host page is told nothing — the gate is purely
- * client-side, opaque to the embedder.
- *
- * See specs/embed.md § Bootstrap status (dev auth gate) and
- * the infrastructure deploy runbook § 4 for the deploy-side wiring.
- */
-
-import { type FirebaseApp, initializeApp } from 'firebase/app';
-import {
-    type Auth,
-    GoogleAuthProvider,
-    getAuth,
-    onAuthStateChanged,
-    signInWithPopup,
-    signOut,
-    type User,
-} from 'firebase/auth';
-import { isAllowlisted } from './allowlist.js';
-
-// esbuild-substituted at build time from PUBLIC_FIREBASE_* env vars in
-// .github/workflows/embed-cdn.yml (sourced from the `embed-dev` GitHub
-// environment-scoped variables — see the infrastructure deploy runbook § 2.5).
-declare const __NOWLINE_FIREBASE_API_KEY__: string;
-declare const __NOWLINE_FIREBASE_AUTH_DOMAIN__: string;
-declare const __NOWLINE_FIREBASE_PROJECT_ID__: string;
-declare const __NOWLINE_FIREBASE_APP_ID__: string;
-
-const config = {
-    apiKey: typeof __NOWLINE_FIREBASE_API_KEY__ !== 'undefined' ? __NOWLINE_FIREBASE_API_KEY__ : '',
-    authDomain:
-        typeof __NOWLINE_FIREBASE_AUTH_DOMAIN__ !== 'undefined'
-            ? __NOWLINE_FIREBASE_AUTH_DOMAIN__
-            : '',
-    projectId:
-        typeof __NOWLINE_FIREBASE_PROJECT_ID__ !== 'undefined'
-            ? __NOWLINE_FIREBASE_PROJECT_ID__
-            : '',
-    appId: typeof __NOWLINE_FIREBASE_APP_ID__ !== 'undefined' ? __NOWLINE_FIREBASE_APP_ID__ : '',
-};
-
-const OVERLAY_ID = 'nowline-embed-dev-auth-overlay';
-
-let app: FirebaseApp | null = null;
-let auth: Auth | null = null;
-
-function getOrCreateOverlay(): HTMLDivElement {
-    let overlay = document.getElementById(OVERLAY_ID) as HTMLDivElement | null;
-    if (overlay) return overlay;
-
-    overlay = document.createElement('div');
-    overlay.id = OVERLAY_ID;
-    overlay.setAttribute('role', 'dialog');
-    overlay.setAttribute('aria-modal', 'true');
-    overlay.setAttribute('aria-label', 'Internal preview sign-in');
-    overlay.style.cssText = [
-        'position: fixed',
-        'inset: 0',
-        'z-index: 2147483647',
-        'background-color: #ffffff',
-        'color: #1a1a2e',
-        'display: flex',
-        'align-items: center',
-        'justify-content: center',
-        'padding: 1.5rem',
-        'font-family: system-ui, -apple-system, "Segoe UI", sans-serif',
-    ].join(';');
-    document.body.appendChild(overlay);
-    return overlay;
-}
-
-function removeOverlay(): void {
-    const overlay = document.getElementById(OVERLAY_ID);
-    overlay?.remove();
-}
-
-function renderSignIn(overlay: HTMLDivElement, onClick: () => void): void {
-    overlay.innerHTML = `
-        <div style="max-width: 28rem; text-align: center;">
-            <div style="font-size: 0.75rem; letter-spacing: 0.08em; text-transform: uppercase; color: #5a5a6a; margin-bottom: 0.75rem;">embed.nowline.dev &mdash; internal preview</div>
-            <h1 style="font-size: 1.875rem; font-weight: 700; margin: 0 0 0.75rem;">Sign in to continue</h1>
-            <p style="margin: 0 0 1.5rem; color: #5a5a6a;">Access is limited to allowlisted Lolay accounts. Production embed is at <a href="https://embed.nowline.io" style="color: #1a4ed8;">embed.nowline.io</a>.</p>
-            <button type="button" id="nowline-embed-dev-signin-btn" style="display: inline-block; padding: 0.75rem 1.5rem; border-radius: 8px; background-color: #e53e3e; color: #ffffff; font-weight: 700; border: 1px solid transparent; cursor: pointer; font-size: 1rem;">Sign in with Google</button>
-        </div>
-    `;
-    const btn = overlay.querySelector<HTMLButtonElement>('#nowline-embed-dev-signin-btn');
-    btn?.addEventListener('click', onClick);
-}
-
-function renderDenied(overlay: HTMLDivElement, email: string, onSignOut: () => void): void {
-    overlay.innerHTML = `
-        <div style="max-width: 28rem; text-align: center;">
-            <div style="font-size: 0.75rem; letter-spacing: 0.08em; text-transform: uppercase; color: #5a5a6a; margin-bottom: 0.75rem;">embed.nowline.dev &mdash; internal preview</div>
-            <h1 style="font-size: 1.875rem; font-weight: 700; margin: 0 0 0.75rem;">Access denied</h1>
-            <p style="margin: 0 0 1.5rem; color: #5a5a6a;">${escapeHtml(email)} is not on the allowlist for this preview environment. Production embed is publicly available at <a href="https://embed.nowline.io" style="color: #1a4ed8;">embed.nowline.io</a>.</p>
-            <button type="button" id="nowline-embed-dev-signout-btn" style="display: inline-block; padding: 0.75rem 1.5rem; border-radius: 8px; background-color: transparent; color: #1a1a2e; font-weight: 700; border: 1px solid #c0c0c0; cursor: pointer; font-size: 1rem;">Sign out</button>
-        </div>
-    `;
-    const btn = overlay.querySelector<HTMLButtonElement>('#nowline-embed-dev-signout-btn');
-    btn?.addEventListener('click', onSignOut);
-}
-
-function escapeHtml(value: string): string {
-    return value
-        .replace(/&/g, '&amp;')
-        .replace(/</g, '&lt;')
-        .replace(/>/g, '&gt;')
-        .replace(/"/g, '&quot;')
-        .replace(/'/g, '&#39;');
-}
-
-export function startDevAuthGate(): void {
-    if (typeof window === 'undefined' || typeof document === 'undefined') return;
-    if (!config.apiKey || !config.authDomain || !config.projectId || !config.appId) {
-        // No firebase config baked in. Likely a local `pnpm bundle` without
-        // PUBLIC_FIREBASE_* exported (CI deploys always set them). Skip the
-        // overlay rather than render an unrecoverable dialog so devs aren't
-        // locked out of their own local builds.
-        console.warn(
-            '[nowline-embed-dev-auth-gate] Missing PUBLIC_FIREBASE_* env vars at build time; gate is disabled. Configure them in .github/workflows/embed-cdn.yml or your local environment to enable.',
-        );
-        return;
-    }
-
-    // Create the overlay up front so it covers content while Firebase
-    // initialises; subsequent renders call getOrCreateOverlay() again
-    // to find the same element.
-    getOrCreateOverlay();
-
-    app ??= initializeApp(config);
-    auth ??= getAuth(app);
-
-    const provider = new GoogleAuthProvider();
-
-    const handleSignIn = async (): Promise<void> => {
-        try {
-            await signInWithPopup(auth as Auth, provider);
-        } catch (err) {
-            console.error('[nowline-embed-dev-auth-gate] Sign-in failed:', err);
-        }
-    };
-
-    const handleSignOut = async (): Promise<void> => {
-        try {
-            await signOut(auth as Auth);
-        } catch (err) {
-            console.error('[nowline-embed-dev-auth-gate] Sign-out failed:', err);
-        }
-    };
-
-    onAuthStateChanged(auth as Auth, (user: User | null) => {
-        if (!user) {
-            renderSignIn(getOrCreateOverlay(), handleSignIn);
-            return;
-        }
-        if (!isAllowlisted(user.email)) {
-            renderDenied(getOrCreateOverlay(), user.email ?? 'unknown', handleSignOut);
-            return;
-        }
-        removeOverlay();
-    });
-}