@saacms/blocks-essentials 0.1.0

package/dist/internal/html-element-base.d.ts

@@ -0,0 +1,17 @@
+/**
+ * SSR-safe `HTMLElement` base class.
+ *
+ * Built-in blocks are authored as Web Components (ADR 0004 Mode 1), but their
+ * modules are also imported in a DOM-less context — the saacms compile step (Node)
+ * imports the `*.block.ts` defs, and the test suite imports the element modules to
+ * unit-test the pure security helpers (sanitizer / escaper).
+ *
+ * `class X extends HTMLElement` is evaluated at module load. In Node/Bun there is
+ * no global `HTMLElement`, so `extends HTMLElement` would throw at import time and
+ * make the whole package un-importable outside a browser. Extending this base
+ * instead resolves to the real `HTMLElement` in the browser and an inert stub
+ * elsewhere, so the modules import cleanly everywhere. The stub is never
+ * instantiated as a custom element (no host calls `customElements.define` in Node).
+ */
+export declare const HTMLElementBase: typeof HTMLElement;
+//# sourceMappingURL=html-element-base.d.ts.map

package/dist/internal/html-element-base.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"html-element-base.d.ts","sourceRoot":"","sources":["../../src/internal/html-element-base.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,eAAO,MAAM,eAAe,EAAE,OAAO,WAGY,CAAA"}

package/dist/internal/safe-href.d.ts

@@ -0,0 +1,17 @@
+/**
+ * `safeHref` — URL-scheme allowlist for user-supplied link/media targets.
+ *
+ * Shared by the PricingTable CTA `<a href>` and the Video `<video src/poster>`.
+ * Mirrors the sanitizer's discipline (conservative allowlist, not a denylist):
+ * only `http:` / `https:` absolute URLs and scheme-less relative URLs survive.
+ * Everything else — `javascript:`, `data:`, `vbscript:`, `file:`, `mailto:`,
+ * etc. — is NEUTRALIZED by returning the empty string `""`.
+ *
+ * Returning `""` (not `"#"`) is the documented contract: callers MUST treat an
+ * empty result as "no usable target" and render accordingly (omit the `href`,
+ * skip the `src`) rather than emitting a broken/exploitable attribute.
+ *
+ * Dependency-free and DOM-less so it is unit-testable without a browser.
+ */
+export declare function safeHref(value: string): string;
+//# sourceMappingURL=safe-href.d.ts.map

package/dist/internal/safe-href.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"safe-href.d.ts","sourceRoot":"","sources":["../../src/internal/safe-href.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAa9C"}

package/dist/internal/sanitize-html.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Shared allowlist HTML sanitizer — the SINGLE source of truth.
+ *
+ * Originally authored inside `rich-text/RichText.ts`; extracted here so the
+ * RichText block AND the RawHtml escape-hatch block sanitize identically. A
+ * forked second copy is the classic XSS-regression trap, so this lives in
+ * `internal/` and is imported by both. `RichText.ts` re-exports it to keep its
+ * existing public surface + unit tests working unchanged.
+ *
+ * Dependency-free and DOM-less so it runs in Node (compile step / tests) and the
+ * browser identically. The element is an exported pure function so the security
+ * boundary is unit-testable without a DOM.
+ */
+/**
+ * Allowlist sanitizer for untrusted HTML. Dependency-free and DOM-less
+ * so it runs in Node (compile step / tests) and the browser identically.
+ *
+ * - `<script>` / `<style>` elements are removed wholesale (tag + contents).
+ * - HTML comments are removed.
+ * - Tags not in {@link ALLOWED_TAGS} have their markup stripped (text is kept).
+ * - Allowed tags keep only allowlisted attributes; `on*` handlers are always
+ *   dropped and `javascript:` / `vbscript:` / `data:` / `file:` URLs are neutralized.
+ */
+export declare function sanitizeRichTextHtml(input: string): string;
+//# sourceMappingURL=sanitize-html.d.ts.map

package/dist/internal/sanitize-html.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize-html.d.ts","sourceRoot":"","sources":["../../src/internal/sanitize-html.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAoDH;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAqB1D"}

package/dist/pricing-table/PricingTable.block.d.ts

@@ -0,0 +1,36 @@
+/**
+ * PricingTable block definition (saacms Block).
+ *
+ * Authoring mode: web-component (ADR 0004 Mode 1). The canonical `component`
+ * field is the custom-element TAG NAME (`saacms-pricing-table`), so this def
+ * imports cleanly in the DOM-less compile step.
+ *
+ * `price` is a PRE-FORMATTED display string (e.g. "$9/mo"). v1 deliberately does
+ * no currency math / locale formatting — the operator types exactly what renders.
+ * Tier `name` / `features` / CTA text are untrusted and are emitted via
+ * `textContent`; the CTA `href` is run through `safeHref` (see PricingTable.ts).
+ */
+import { Schema } from "effect";
+declare const PricingTableSchema: Schema.Struct<{
+    tiers: Schema.Array$<Schema.Struct<{
+        name: typeof Schema.String;
+        price: typeof Schema.String;
+        features: Schema.Array$<typeof Schema.String>;
+        highlighted: Schema.optional<typeof Schema.Boolean>;
+        ctaLabel: Schema.optional<typeof Schema.String>;
+        ctaHref: Schema.optional<typeof Schema.String>;
+    }>>;
+}>;
+export type PricingTableProps = Schema.Schema.Type<typeof PricingTableSchema>;
+export declare const PricingTableBlock: import("@saacms/core").BlockDef<Schema.Struct<{
+    tiers: Schema.Array$<Schema.Struct<{
+        name: typeof Schema.String;
+        price: typeof Schema.String;
+        features: Schema.Array$<typeof Schema.String>;
+        highlighted: Schema.optional<typeof Schema.Boolean>;
+        ctaLabel: Schema.optional<typeof Schema.String>;
+        ctaHref: Schema.optional<typeof Schema.String>;
+    }>>;
+}>>;
+export {};
+//# sourceMappingURL=PricingTable.block.d.ts.map

package/dist/pricing-table/PricingTable.block.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PricingTable.block.d.ts","sourceRoot":"","sources":["../../src/pricing-table/PricingTable.block.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAG/B,QAAA,MAAM,kBAAkB;;;;;;;;;EAWtB,CAAA;AAEF,MAAM,MAAM,iBAAiB,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,kBAAkB,CAAC,CAAA;AAE7E,eAAO,MAAM,iBAAiB;;;;;;;;;GAK5B,CAAA"}

package/dist/pricing-table/PricingTable.d.ts

@@ -0,0 +1,37 @@
+/**
+ * <saacms-pricing-table> — built-in PricingTable block (ADR 0004 Mode 1).
+ *
+ * The `tiers` prop is a structured array, not a scalar attribute. It is accepted
+ * two ways (ADR 0004 Mode 1 attribute+property contract):
+ *   - JS property `tiers` (the Puck canvas sets this directly), and
+ *   - a `tiers` attribute carrying the same value as a JSON string.
+ *
+ * Every tier field is UNTRUSTED. The whole subtree is built with
+ * `createElement` + `textContent` (never `innerHTML` of user data), so the
+ * browser escapes names / prices / features for us. The CTA `href` is the one
+ * URL-bearing value and is passed through the shared `safeHref` allowlist; an
+ * empty result means "no usable target" so the CTA renders as plain text.
+ *
+ * `safeHref` is re-exported for hosts that render this block to a static string.
+ */
+import { HTMLElementBase } from "../internal/html-element-base.ts";
+export { safeHref } from "../internal/safe-href.ts";
+interface Tier {
+    readonly name: string;
+    readonly price: string;
+    readonly features: readonly string[];
+    readonly highlighted?: boolean;
+    readonly ctaLabel?: string;
+    readonly ctaHref?: string;
+}
+export declare class PricingTable extends HTMLElementBase {
+    static get observedAttributes(): readonly string[];
+    private propTiers;
+    get tiers(): Tier[];
+    set tiers(value: readonly Tier[] | null);
+    private parseAttr;
+    connectedCallback(): void;
+    attributeChangedCallback(name: string, _oldValue: string | null, _newValue: string | null): void;
+    private render;
+}
+//# sourceMappingURL=PricingTable.d.ts.map

package/dist/pricing-table/PricingTable.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PricingTable.d.ts","sourceRoot":"","sources":["../../src/pricing-table/PricingTable.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAA;AAGlE,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAA;AAKnD,UAAU,IAAI;IACZ,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;IACrB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;IACtB,QAAQ,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAA;IACpC,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,CAAA;IAC9B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;IAC1B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAC1B;AAyBD,qBAAa,YAAa,SAAQ,eAAe;IAC/C,MAAM,KAAK,kBAAkB,IAAI,SAAS,MAAM,EAAE,CAEjD;IAED,OAAO,CAAC,SAAS,CAAsB;IAGvC,IAAI,KAAK,IAAI,IAAI,EAAE,CAGlB;IACD,IAAI,KAAK,CAAC,KAAK,EAAE,SAAS,IAAI,EAAE,GAAG,IAAI,EAGtC;IAED,OAAO,CAAC,SAAS;IAUjB,iBAAiB,IAAI,IAAI;IAIzB,wBAAwB,CACtB,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,GAAG,IAAI,EACxB,SAAS,EAAE,MAAM,GAAG,IAAI,GACvB,IAAI;IAOP,OAAO,CAAC,MAAM;CAmDf"}

package/dist/raw-html/RawHtml.block.d.ts

@@ -0,0 +1,31 @@
+/**
+ * RawHtml block definition (saacms Block) — ⚠️ DELIBERATE ESCAPE HATCH ⚠️.
+ *
+ * Authoring mode: web-component (ADR 0004 Mode 1). The canonical `component`
+ * field is the custom-element TAG NAME (`saacms-raw-html`).
+ *
+ * FOOTGUN WARNING: with `trusted: true` this block injects its `html` prop
+ * VERBATIM via `innerHTML` with NO sanitization. That is stored XSS by design
+ * and must only ever hold FIRST-PARTY content authored by a trusted operator.
+ * The default (`trusted` absent / not `true`) routes `html` through the SAME
+ * allowlist sanitizer RichText uses (single source of truth in
+ * `internal/sanitize-html.ts`) — there is no second, forkable sanitizer.
+ *
+ * When `trusted: true` the element additionally sets `data-saacms-trusted="true"`
+ * on itself and `console.warn`s once per instance. The admin UI is expected to
+ * surface an explicit confirmation before allowing `trusted: true` (out of scope
+ * here — this def only declares the schema; the warn + data-attr live in the
+ * element).
+ */
+import { Schema } from "effect";
+declare const RawHtmlSchema: Schema.Struct<{
+    html: typeof Schema.String;
+    trusted: Schema.optional<typeof Schema.Boolean>;
+}>;
+export type RawHtmlProps = Schema.Schema.Type<typeof RawHtmlSchema>;
+export declare const RawHtmlBlock: import("@saacms/core").BlockDef<Schema.Struct<{
+    html: typeof Schema.String;
+    trusted: Schema.optional<typeof Schema.Boolean>;
+}>>;
+export {};
+//# sourceMappingURL=RawHtml.block.d.ts.map

package/dist/raw-html/RawHtml.block.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RawHtml.block.d.ts","sourceRoot":"","sources":["../../src/raw-html/RawHtml.block.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAG/B,QAAA,MAAM,aAAa;;;EAGjB,CAAA;AAEF,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,aAAa,CAAC,CAAA;AAEnE,eAAO,MAAM,YAAY;;;GAKvB,CAAA"}

package/dist/raw-html/RawHtml.d.ts

@@ -0,0 +1,31 @@
+/**
+ * <saacms-raw-html> — built-in RawHtml block (ADR 0004 Mode 1).
+ *
+ * The deliberate escape hatch. Two modes:
+ *
+ *   - DEFAULT (`trusted` !== true): the `html` prop is UNTRUSTED and is run
+ *     through the SAME allowlist sanitizer RichText uses, imported from
+ *     `../internal/sanitize-html.ts`. There is exactly one sanitizer in this
+ *     package — RawHtml does NOT fork its own copy (a divergent second
+ *     sanitizer is the classic XSS-regression trap).
+ *
+ *   - `trusted === true`: ⚠️ the `html` is injected VERBATIM via `innerHTML`
+ *     with NO sanitization. This is stored XSS by design and is only safe for
+ *     FIRST-PARTY content. The element flags itself with
+ *     `data-saacms-trusted="true"` and `console.warn`s once per instance so the
+ *     bypass is observable in logs / DOM audits. The admin UI gates this with a
+ *     confirmation (out of scope here).
+ */
+import { HTMLElementBase } from "../internal/html-element-base.ts";
+export declare class RawHtml extends HTMLElementBase {
+    static get observedAttributes(): readonly string[];
+    private warnedTrusted;
+    get html(): string;
+    set html(value: string);
+    get trusted(): boolean;
+    set trusted(value: boolean);
+    connectedCallback(): void;
+    attributeChangedCallback(name: string, _oldValue: string | null, _newValue: string | null): void;
+    private render;
+}
+//# sourceMappingURL=RawHtml.d.ts.map

package/dist/raw-html/RawHtml.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RawHtml.d.ts","sourceRoot":"","sources":["../../src/raw-html/RawHtml.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAA;AASlE,qBAAa,OAAQ,SAAQ,eAAe;IAC1C,MAAM,KAAK,kBAAkB,IAAI,SAAS,MAAM,EAAE,CAEjD;IAGD,OAAO,CAAC,aAAa,CAAQ;IAG7B,IAAI,IAAI,IAAI,MAAM,CAEjB;IACD,IAAI,IAAI,CAAC,KAAK,EAAE,MAAM,EAErB;IAED,IAAI,OAAO,IAAI,OAAO,CAErB;IACD,IAAI,OAAO,CAAC,KAAK,EAAE,OAAO,EAGzB;IAED,iBAAiB,IAAI,IAAI;IAIzB,wBAAwB,CACtB,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,GAAG,IAAI,EACxB,SAAS,EAAE,MAAM,GAAG,IAAI,GACvB,IAAI;IAKP,OAAO,CAAC,MAAM;CAkBf"}

package/dist/register.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Runtime registration of every built-in custom element shipped by this package.
+ *
+ * Idempotent: re-registration is a no-op (custom elements throw if defined twice,
+ * so we guard with `customElements.get(...)`). Safe to call from a host's app boot
+ * regardless of how many times other code may have already invoked it.
+ *
+ * The {@link REGISTRATIONS} table is exported so the tag↔ctor mapping can be
+ * introspected (tests, tooling) without invoking `customElements.define` — which
+ * is unavailable outside a browser. `register()` itself additionally no-ops in a
+ * DOM-less context so importing and probing this module never throws.
+ */
+export interface ElementRegistration {
+    readonly tag: string;
+    readonly ctor: CustomElementConstructor;
+}
+export declare const REGISTRATIONS: readonly ElementRegistration[];
+export declare function register(): void;
+//# sourceMappingURL=register.d.ts.map

package/dist/register.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../src/register.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAUH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,IAAI,EAAE,wBAAwB,CAAA;CACxC;AAED,eAAO,MAAM,aAAa,EAAE,SAAS,mBAAmB,EAQvD,CAAA;AAED,wBAAgB,QAAQ,IAAI,IAAI,CAO/B"}

package/dist/register.js

@@ -0,0 +1,18 @@
+/**
+ * Runtime registration of every built-in custom element shipped by this package.
+ *
+ * Idempotent: re-registration is a no-op (custom elements throw if defined twice,
+ * so we guard with `customElements.get(...)`). Safe to call from a host's app boot
+ * regardless of how many times other code may have already invoked it.
+ */
+import { Hero } from "./hero/Hero.ts";
+const REGISTRATIONS = [
+    { tag: "saacms-hero", ctor: Hero },
+];
+export function register() {
+    for (const { tag, ctor } of REGISTRATIONS) {
+        if (customElements.get(tag) === undefined) {
+            customElements.define(tag, ctor);
+        }
+    }
+}

package/dist/rich-text/RichText.block.d.ts

@@ -0,0 +1,22 @@
+/**
+ * RichText block definition (saacms Block).
+ *
+ * Authoring mode: web-component (ADR 0004 Mode 1). The canonical `component`
+ * field is the custom-element TAG NAME (`saacms-rich-text`), so this def stays
+ * importable in the DOM-less compile step (it never imports the element class).
+ *
+ * The `html` prop is operator-supplied stored HTML and is therefore untrusted: the
+ * element module sanitizes it through an allowlist before it ever reaches the DOM.
+ */
+import { Schema } from "effect";
+declare const RichTextSchema: Schema.Struct<{
+    html: typeof Schema.String;
+    align: Schema.optional<Schema.Literal<["left", "center", "right"]>>;
+}>;
+export type RichTextProps = Schema.Schema.Type<typeof RichTextSchema>;
+export declare const RichTextBlock: import("@saacms/core").BlockDef<Schema.Struct<{
+    html: typeof Schema.String;
+    align: Schema.optional<Schema.Literal<["left", "center", "right"]>>;
+}>>;
+export {};
+//# sourceMappingURL=RichText.block.d.ts.map

package/dist/rich-text/RichText.block.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RichText.block.d.ts","sourceRoot":"","sources":["../../src/rich-text/RichText.block.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAG/B,QAAA,MAAM,cAAc;;;EAGlB,CAAA;AAEF,MAAM,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,cAAc,CAAC,CAAA;AAErE,eAAO,MAAM,aAAa;;;GAKxB,CAAA"}

package/dist/rich-text/RichText.d.ts

@@ -0,0 +1,25 @@
+/**
+ * <saacms-rich-text> — built-in RichText block (ADR 0004 Mode 1).
+ *
+ * Renders operator-supplied HTML into the light DOM. That HTML is UNTRUSTED
+ * (stored XSS is the exact risk), so it is run through `sanitizeRichTextHtml`
+ * before it touches `innerHTML`.
+ *
+ * The sanitizer itself now lives in `../internal/sanitize-html.ts` as the SINGLE
+ * source of truth (shared with the RawHtml escape-hatch block — a forked second
+ * copy is the classic XSS-regression trap). It is re-exported here unchanged so
+ * RichText's existing public surface (`index.ts`) and unit tests keep working.
+ */
+import { HTMLElementBase } from "../internal/html-element-base.ts";
+export { sanitizeRichTextHtml } from "../internal/sanitize-html.ts";
+export declare class RichText extends HTMLElementBase {
+    static get observedAttributes(): readonly string[];
+    get html(): string;
+    set html(value: string);
+    get align(): "left" | "center" | "right";
+    set align(value: "left" | "center" | "right" | null);
+    connectedCallback(): void;
+    attributeChangedCallback(name: string, _oldValue: string | null, _newValue: string | null): void;
+    private render;
+}
+//# sourceMappingURL=RichText.d.ts.map

package/dist/rich-text/RichText.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RichText.d.ts","sourceRoot":"","sources":["../../src/rich-text/RichText.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAA;AAGlE,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAA;AASnE,qBAAa,QAAS,SAAQ,eAAe;IAC3C,MAAM,KAAK,kBAAkB,IAAI,SAAS,MAAM,EAAE,CAEjD;IAID,IAAI,IAAI,IAAI,MAAM,CAEjB;IACD,IAAI,IAAI,CAAC,KAAK,EAAE,MAAM,EAErB;IAED,IAAI,KAAK,IAAI,MAAM,GAAG,QAAQ,GAAG,OAAO,CAEvC;IACD,IAAI,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,GAAG,OAAO,GAAG,IAAI,EAMlD;IAED,iBAAiB,IAAI,IAAI;IAIzB,wBAAwB,CACtB,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,GAAG,IAAI,EACxB,SAAS,EAAE,MAAM,GAAG,IAAI,GACvB,IAAI;IAOP,OAAO,CAAC,MAAM;CAMf"}

package/dist/video/Video.block.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Video block definition (saacms Block).
+ *
+ * Authoring mode: web-component (ADR 0004 Mode 1). The canonical `component`
+ * field is the custom-element TAG NAME (`saacms-video`).
+ *
+ * `controls` defaults to true at render time (a video with no controls and no
+ * autoplay is a dead element). `autoplay` implies `muted` because browsers block
+ * unmuted autoplay — that coupling lives in the pure `resolveVideoAttrs` helper
+ * in Video.ts so it is unit-testable without a DOM.
+ */
+import { Schema } from "effect";
+declare const VideoSchema: Schema.Struct<{
+    src: typeof Schema.String;
+    poster: Schema.optional<typeof Schema.String>;
+    autoplay: Schema.optional<typeof Schema.Boolean>;
+    loop: Schema.optional<typeof Schema.Boolean>;
+    muted: Schema.optional<typeof Schema.Boolean>;
+    controls: Schema.optional<typeof Schema.Boolean>;
+}>;
+export type VideoProps = Schema.Schema.Type<typeof VideoSchema>;
+export declare const VideoBlock: import("@saacms/core").BlockDef<Schema.Struct<{
+    src: typeof Schema.String;
+    poster: Schema.optional<typeof Schema.String>;
+    autoplay: Schema.optional<typeof Schema.Boolean>;
+    loop: Schema.optional<typeof Schema.Boolean>;
+    muted: Schema.optional<typeof Schema.Boolean>;
+    controls: Schema.optional<typeof Schema.Boolean>;
+}>>;
+export {};
+//# sourceMappingURL=Video.block.d.ts.map

package/dist/video/Video.block.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Video.block.d.ts","sourceRoot":"","sources":["../../src/video/Video.block.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAG/B,QAAA,MAAM,WAAW;;;;;;;EAOf,CAAA;AAEF,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,WAAW,CAAC,CAAA;AAE/D,eAAO,MAAM,UAAU;;;;;;;GAKrB,CAAA"}

package/dist/video/Video.d.ts

@@ -0,0 +1,54 @@
+/**
+ * <saacms-video> — built-in Video block (ADR 0004 Mode 1).
+ *
+ * Renders a single `<video>` into the light DOM, built via `createElement` +
+ * `setAttribute` (no `innerHTML` of user data). `src` and `poster` are passed
+ * through the shared `safeHref` allowlist (http(s)/relative only — `javascript:`
+ * and `data:` are neutralized; `data:` is irrelevant for video anyway).
+ *
+ * The final attribute set is computed by the pure, DOM-less `resolveVideoAttrs`
+ * helper so its rules are unit-testable:
+ *   - `controls` defaults to `true` unless explicitly `false`.
+ *   - `autoplay` FORCES `muted` true regardless of the `muted` prop, because
+ *     browsers block unmuted autoplay (an unmuted-autoplay video just never
+ *     plays). Coupling them here makes the emitted markup actually autoplay.
+ *   - `playsinline` is always set and `preload` is always `"metadata"`.
+ */
+import { HTMLElementBase } from "../internal/html-element-base.ts";
+export { safeHref } from "../internal/safe-href.ts";
+export interface VideoAttrInput {
+    readonly src?: string | null;
+    readonly poster?: string | null;
+    readonly autoplay?: boolean;
+    readonly loop?: boolean;
+    readonly muted?: boolean;
+    /** Omitted/undefined ⇒ defaults to true. Only an explicit `false` disables. */
+    readonly controls?: boolean;
+}
+export interface ResolvedVideoAttrs {
+    readonly src: string;
+    readonly poster: string;
+    readonly autoplay: boolean;
+    readonly loop: boolean;
+    readonly muted: boolean;
+    readonly controls: boolean;
+    readonly playsinline: true;
+    readonly preload: "metadata";
+}
+/**
+ * Pure resolver for the final `<video>` attribute set. DOM-less and total so the
+ * autoplay⇒muted coupling + controls default are unit-testable in isolation.
+ */
+export declare function resolveVideoAttrs(input: VideoAttrInput): ResolvedVideoAttrs;
+export declare class Video extends HTMLElementBase {
+    static get observedAttributes(): readonly string[];
+    get src(): string;
+    set src(value: string);
+    get poster(): string;
+    set poster(value: string);
+    connectedCallback(): void;
+    attributeChangedCallback(name: string, _oldValue: string | null, _newValue: string | null): void;
+    private resolved;
+    private render;
+}
+//# sourceMappingURL=Video.d.ts.map

package/dist/video/Video.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Video.d.ts","sourceRoot":"","sources":["../../src/video/Video.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAA;AAGlE,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAA;AAYnD,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IAC5B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IAC/B,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAA;IAC3B,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAA;IACvB,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAA;IACxB,+EAA+E;IAC/E,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAA;CAC5B;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAA;IAC1B,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAA;IACtB,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAA;IACvB,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAA;IAC1B,QAAQ,CAAC,WAAW,EAAE,IAAI,CAAA;IAC1B,QAAQ,CAAC,OAAO,EAAE,UAAU,CAAA;CAC7B;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,cAAc,GAAG,kBAAkB,CAc3E;AAMD,qBAAa,KAAM,SAAQ,eAAe;IACxC,MAAM,KAAK,kBAAkB,IAAI,SAAS,MAAM,EAAE,CAEjD;IAGD,IAAI,GAAG,IAAI,MAAM,CAEhB;IACD,IAAI,GAAG,CAAC,KAAK,EAAE,MAAM,EAEpB;IAED,IAAI,MAAM,IAAI,MAAM,CAEnB;IACD,IAAI,MAAM,CAAC,KAAK,EAAE,MAAM,EAGvB;IAED,iBAAiB,IAAI,IAAI;IAIzB,wBAAwB,CACtB,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,GAAG,IAAI,EACxB,SAAS,EAAE,MAAM,GAAG,IAAI,GACvB,IAAI;IAKP,OAAO,CAAC,QAAQ;IAYhB,OAAO,CAAC,MAAM;CAiBf"}

package/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "@saacms/blocks-essentials",
+  "version": "0.1.0",
+  "type": "module",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc --build",
+    "typecheck": "tsc --build --noEmit",
+    "prepack": "cp package.json package.json.pack-bak && bun run ../../scripts/prepack-pkg.ts",
+    "postpack": "mv package.json.pack-bak package.json"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@saacms/core": "workspace:*",
+    "@preact/signals-core": "^1.8.0",
+    "effect": "^3.10.0"
+  },
+  "devDependencies": {
+    "@types/bun": "latest",
+    "typescript": "^5.7.0"
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts"
+}