npm - @pigmilcom/a11y - Versions diffs - 1.0.9 → 1.1.1 - Mend

@pigmilcom/a11y 1.0.9 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of @pigmilcom/a11y might be problematic. Click here for more details.

Files changed (10) hide show

package/README.md CHANGED Viewed

@@ -61,6 +61,54 @@ PigmilA11y.unmount();  // remove the widget and clean up
 ---
+## Plans & domain validation
+Starting from v1.1.0, the widget validates the hosting domain against the **PIGMIL API** before rendering. This enables usage-based quotas and per-domain access control.
+### Tiers
+| Plan   | Requests / day | Requests / month | PIGMIL branding |
+| ------ | -------------- | ---------------- | --------------- |
+| Free   | 1,000          | 30,000           | Shown in footer |
+| Pro    | Unlimited      | Unlimited        | Hidden          |
+A "request" is one widget initialisation (page load / route change).
+### How validation works
+1. On widget mount the browser makes a single `GET` request to the PIGMIL API.
+2. The API checks whether the domain is registered and within quota.
+3. The response controls whether the widget renders:
+   - **`valid`** — widget renders normally.
+   - **`blocked`** — quota exceeded; widget does not render until the day / month resets or the plan is upgraded.
+   - **`error`** / API unreachable — widget does not render (fail-closed on non-local domains).
+4. The result is cached in `sessionStorage` for 30 minutes to avoid redundant calls.
+5. Cached and returned result objects are `Object.freeze()`d — their `status` and `plan` properties cannot be mutated after resolution.
+### Local / development environments
+Validation is **automatically skipped** when the page runs on:
+- `localhost`, `127.x.x.x`, `::1`, `0.0.0.0`
+- Any non-standard port (e.g. `:3000`, `:5173`, `:8080`)
+The widget always renders in these environments with a free-plan appearance. No API key or sign-up is required during development.
+### Security layers
+| Layer | What it does |
+|---|---|
+| **Server-side enforcement** (primary) | The PIGMIL API only validates registered domains, increments per-domain counters, and returns `blocked:true` when quotas are exceeded. This is the real gate — no client-side bypass can defeat it. |
+| **Frozen result objects** | `Object.freeze()` on the validation result prevents callers from mutating `{ status, plan }` to escalate their own access level. |
+| **CDN bundle obfuscation** | `dist/a11y.cdn.js` is post-processed by `javascript-obfuscator` with Base64 string-array encoding and self-defending code. The self-defending wrapper causes the bundle to break at runtime if it has been reformatted / prettified before execution, deterring the "prettify → grep → patch → re-minify" bypass workflow. The npm package source remains intentionally readable (open source). |
+| **XOR-encoded endpoint** | The API URL is stored as a numeric XOR array in source and decoded at runtime, making it non-trivial to locate in the minified + obfuscated CDN bundle. |
+| **Daily-rotating request signature** | Each API call includes an FNV-1a hash of `domain + YYYY-MM-DD` — a per-domain-per-day token the server can optionally verify to detect replayed or forged requests. |
+### Current status (mock mode)
+The API endpoint is being implemented in the PIGMIL backend. Until it is live, `src/license.js` uses `MOCK_MODE = true`, which always returns `{ ok: true, plan: 'free', blocked: false }`. To switch to the real API, set `MOCK_MODE = false` in that file — the fetch code is already written and ready.
+---
 ## Features
 - Text size — Normal / Large / X-Large
@@ -120,13 +168,71 @@ class rules applied to `<html>`.
 ### 2 — Drop in the widget
 ```jsx
-import A11yWidget from '@pigmilcom/a11y';
+import a11y from '@pigmilcom/a11y';
+// Assign to a capitalized variable to use in JSX
+const A11y = a11y;
+<A11y className="fixed bottom-4 right-4 rounded" />
+```
+The `className` prop is merged onto the trigger button — use Tailwind classes,
+custom classes, or anything your bundler supports to position the widget.
+---
+## Customising the widget with CSS
+The widget exposes stable **`a11y-widget-*`** class names on its key elements
+as a public API. Target them from a `<style>` tag (CDN / self-hosted) or your
+own stylesheet (React):
+```html
+<style>
+  /* Trigger button */
+  .a11y-widget-btn {
+    border-radius: 8px !important;
+    background: rgba(15, 15, 40, 0.9) !important;
+  }
+  /* Dialog panel */
+  .a11y-widget-dialog {
+    border-color: rgba(99, 102, 241, 0.4) !important;
+  }
+  /* Toggle option rows */
+  .a11y-widget-toggle-btn:hover {
+    background: rgba(99, 102, 241, 0.06) !important;
+  }
+</style>
+```
+| Public class                | Element              |
+| --------------------------- | -------------------- |
+| `a11y-widget-btn`           | Trigger button       |
+| `a11y-widget-dialog`        | Dialog panel         |
+| `a11y-widget-toggle-btn`    | Each toggle option   |
+> Place your `<style>` tag **after** the widget `<script>` tag so it takes
+> precedence in the cascade. Use `!important` where the widget's base styles
+> have higher specificity.
+---
+## Tailwind CSS support
+Tailwind utility classes work transparently via the `className` prop:
+```jsx
+import a11y from '@pigmilcom/a11y';
+const A11y = a11y;
-<A11yWidget className="fixed bottom-4 right-4 rounded" />
+// Tailwind classes are passed straight through to the trigger button
+<A11y className="fixed bottom-6 right-6 rounded-full shadow-xl" />
 ```
-The `className` prop is forwarded to the trigger button — use it to position
-the widget wherever suits your layout.
+Because the classes come from *your* source files, Tailwind's JIT scanner
+picks them up automatically. No purge exceptions or safelist entries needed.
 ---
@@ -137,14 +243,16 @@ the widget wherever suits your layout.
 ```jsx
 // app/layout.jsx
 import '@pigmilcom/a11y/styles';
-import A11yWidget from '@pigmilcom/a11y';
+import a11y from '@pigmilcom/a11y';
+const A11y = a11y;
 export default function RootLayout({ children }) {
     return (
         <html lang="en">
             <body>
                 {children}
-                <A11yWidget className="fixed bottom-4 right-4 rounded" />
+                <A11y className="fixed bottom-4 right-4 rounded" />
             </body>
         </html>
     );
@@ -155,25 +263,17 @@ export default function RootLayout({ children }) {
 ### Vite + React
-```jsx
-// src/main.jsx
-import '@pigmilcom/a11y/styles';
-import React from 'react';
-import ReactDOM from 'react-dom/client';
-import App from './App';
-ReactDOM.createRoot(document.getElementById('root')).render(<App />);
-```
 ```jsx
 // src/App.jsx
-import A11yWidget from '@pigmilcom/a11y';
+import a11y from '@pigmilcom/a11y';
+const A11y = a11y;
 export default function App() {
     return (
         <>
             {/* …your content… */}
-            <A11yWidget className="fixed bottom-4 right-4 rounded" />
+            <A11y className="fixed bottom-4 right-4 rounded" />
         </>
     );
 }