@toon-protocol/views 0.2.0

package/dist/filters.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"filters.js","sourceRoot":"","sources":["../src/filters.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAoB,MAAM,YAAY,CAAC;AAE9C,8EAA8E;AAE9E,2CAA2C;AAC3C,MAAM,UAAU,mBAAmB;IACjC,OAAO,EAAE,KAAK,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;AAC5B,CAAC;AAED,qDAAqD;AACrD,MAAM,UAAU,mBAAmB,CAAC,MAAc,EAAE,MAAc;IAChE,OAAO,EAAE,KAAK,EAAE,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;AAC/D,CAAC;AAED,yCAAyC;AACzC,MAAM,UAAU,oBAAoB,CAAC,WAAmB,EAAE,MAAc;IACtE,OAAO,EAAE,KAAK,EAAE,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,SAAS,WAAW,IAAI,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;AACjF,CAAC;AAED,8CAA8C;AAC9C,MAAM,UAAU,iBAAiB,CAAC,WAAmB,EAAE,MAAc;IACnE,OAAO,EAAE,KAAK,EAAE,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,SAAS,WAAW,IAAI,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;AACjF,CAAC;AAED,gDAAgD;AAChD,MAAM,UAAU,kBAAkB,CAAC,QAAkB;IACnD,OAAO,EAAE,KAAK,EAAE,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;AACvD,CAAC;AAED,8DAA8D;AAC9D,MAAM,UAAU,iBAAiB,CAAC,QAAkB;IAClD,OAAO,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;AACzE,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,qBAAqB,CAAC,QAAkB;IACtD,OAAO,EAAE,KAAK,EAAE,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;AACvD,CAAC;AAED,mCAAmC;AACnC,MAAM,UAAU,oBAAoB,CAAC,QAAkB;IACrD,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC;AAC3B,CAAC;AAED,gFAAgF;AAEhF,qDAAqD;AACrD,MAAM,UAAU,kBAAkB,CAAC,OAAiB;IAClD,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAC1C,CAAC;AAED,2DAA2D;AAC3D,MAAM,UAAU,eAAe,CAAC,OAAkB,EAAE,KAAK,GAAG,GAAG;IAC7D,MAAM,CAAC,GAAgB,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC;IAC7C,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,CAAC,CAAC,OAAO,GAAG,OAAO,CAAC;IACvD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,kBAAkB,CAAC,QAAkB;IACnD,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;AACpD,CAAC;AAED,uCAAuC;AACvC,MAAM,UAAU,qBAAqB,CAAC,MAAc;IAClD,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;AACrD,CAAC;AAED,wDAAwD;AACxD,MAAM,UAAU,mBAAmB,CAAC,QAAkB;IACpD,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACrD,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,iBAAiB,CAAC,QAAkB;IAClD,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;AACxD,CAAC;AAED,gFAAgF;AAEhF,+DAA+D;AAC/D,MAAM,UAAU,oBAAoB,CAAC,OAAkB,EAAE,KAAK,GAAG,GAAG;IAClE,MAAM,CAAC,GAAgB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC;IACtD,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,CAAC,CAAC,OAAO,GAAG,OAAO,CAAC;IACvD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,oEAAoE;AACpE,MAAM,UAAU,uBAAuB,CAAC,OAAkB,EAAE,KAAK,GAAG,GAAG;IACrE,MAAM,CAAC,GAAgB,EAAE,KAAK,EAAE,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC;IAChD,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,CAAC,CAAC,OAAO,GAAG,OAAO,CAAC;IACvD,OAAO,CAAC,CAAC;AACX,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,18 @@
+/**
+ * @toon-protocol/views — shared kind→atom registry, NIP parsers, filter
+ * builders, and the ViewSpec composition language. Consumed by `rig` and the
+ * `toon-mcp` apps surface.
+ *
+ * The React atoms + iframe runtime (atoms/, runtime, app-bridge, app-entry) are
+ * built separately into the MCP-app bundle and are not part of this Node barrel.
+ */
+export * from './types.js';
+export * from './filters.js';
+export * from './spec.js';
+export * from './catalog.js';
+export * from './tool-names.js';
+export * from './examples.js';
+export * from './parsers/nip34.js';
+export * from './parsers/social.js';
+export * from './parsers/media.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,cAAc,WAAW,CAAC;AAC1B,cAAc,cAAc,CAAC;AAC7B,cAAc,iBAAiB,CAAC;AAChC,cAAc,eAAe,CAAC;AAC9B,cAAc,oBAAoB,CAAC;AACnC,cAAc,qBAAqB,CAAC;AACpC,cAAc,oBAAoB,CAAC"}

package/dist/index.js

@@ -0,0 +1,18 @@
+/**
+ * @toon-protocol/views — shared kind→atom registry, NIP parsers, filter
+ * builders, and the ViewSpec composition language. Consumed by `rig` and the
+ * `toon-mcp` apps surface.
+ *
+ * The React atoms + iframe runtime (atoms/, runtime, app-bridge, app-entry) are
+ * built separately into the MCP-app bundle and are not part of this Node barrel.
+ */
+export * from './types.js';
+export * from './filters.js';
+export * from './spec.js';
+export * from './catalog.js';
+export * from './tool-names.js';
+export * from './examples.js';
+export * from './parsers/nip34.js';
+export * from './parsers/social.js';
+export * from './parsers/media.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,cAAc,WAAW,CAAC;AAC1B,cAAc,cAAc,CAAC;AAC7B,cAAc,iBAAiB,CAAC;AAChC,cAAc,eAAe,CAAC;AAC9B,cAAc,oBAAoB,CAAC;AACnC,cAAc,qBAAqB,CAAC;AACpC,cAAc,oBAAoB,CAAC"}

package/dist/lib/cn.d.ts

@@ -0,0 +1,4 @@
+import { type ClassValue } from 'clsx';
+/** Tailwind-aware className combiner (clsx + tailwind-merge). */
+export declare function cn(...inputs: ClassValue[]): string;
+//# sourceMappingURL=cn.d.ts.map

package/dist/lib/cn.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cn.d.ts","sourceRoot":"","sources":["../../src/lib/cn.ts"],"names":[],"mappings":"AAAA,OAAO,EAAQ,KAAK,UAAU,EAAE,MAAM,MAAM,CAAC;AAG7C,iEAAiE;AACjE,wBAAgB,EAAE,CAAC,GAAG,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,CAElD"}

package/dist/lib/cn.js

@@ -0,0 +1,7 @@
+import { clsx } from 'clsx';
+import { twMerge } from 'tailwind-merge';
+/** Tailwind-aware className combiner (clsx + tailwind-merge). */
+export function cn(...inputs) {
+    return twMerge(clsx(inputs));
+}
+//# sourceMappingURL=cn.js.map

package/dist/lib/cn.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cn.js","sourceRoot":"","sources":["../../src/lib/cn.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAmB,MAAM,MAAM,CAAC;AAC7C,OAAO,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAEzC,iEAAiE;AACjE,MAAM,UAAU,EAAE,CAAC,GAAG,MAAoB;IACxC,OAAO,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;AAC/B,CAAC"}

package/dist/lib/utils.d.ts

@@ -0,0 +1,3 @@
+import { type ClassValue } from "clsx";
+export declare function cn(...inputs: ClassValue[]): string;
+//# sourceMappingURL=utils.d.ts.map

package/dist/lib/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/lib/utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAQ,KAAK,UAAU,EAAE,MAAM,MAAM,CAAA;AAG5C,wBAAgB,EAAE,CAAC,GAAG,MAAM,EAAE,UAAU,EAAE,UAEzC"}

package/dist/lib/utils.js

@@ -0,0 +1,6 @@
+import { clsx } from "clsx";
+import { twMerge } from "tailwind-merge";
+export function cn(...inputs) {
+    return twMerge(clsx(inputs));
+}
+//# sourceMappingURL=utils.js.map

package/dist/lib/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../src/lib/utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAmB,MAAM,MAAM,CAAA;AAC5C,OAAO,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAA;AAExC,MAAM,UAAU,EAAE,CAAC,GAAG,MAAoB;IACxC,OAAO,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAA;AAC9B,CAAC"}

package/dist/main.d.ts

@@ -0,0 +1,3 @@
+/** Browser bundle entry: mount the MCP-app runtime into #root. */
+import './globals.css';
+//# sourceMappingURL=main.d.ts.map

package/dist/main.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../src/main.tsx"],"names":[],"mappings":"AAAA,kEAAkE;AAClE,OAAO,eAAe,CAAC"}

package/dist/main.js

@@ -0,0 +1,7 @@
+/** Browser bundle entry: mount the MCP-app runtime into #root. */
+import './globals.css';
+import { mount } from './app-entry.js';
+const root = document.getElementById('root');
+if (root)
+    mount(root);
+//# sourceMappingURL=main.js.map

package/dist/main.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"main.js","sourceRoot":"","sources":["../src/main.tsx"],"names":[],"mappings":"AAAA,kEAAkE;AAClE,OAAO,eAAe,CAAC;AACvB,OAAO,EAAE,KAAK,EAAE,MAAM,gBAAgB,CAAC;AAEvC,MAAM,IAAI,GAAG,QAAQ,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;AAC7C,IAAI,IAAI;IAAE,KAAK,CAAC,IAAI,CAAC,CAAC"}

package/dist/mcp-ui/ConsentPrompt.d.ts

@@ -0,0 +1,41 @@
+/**
+ * ConsentPrompt — the TRUSTED authorization surface for branch 3 (sandboxed
+ * mcp-ui, low trust) of the NIP-on-TOON render trust gradient (toon-meta#58,
+ * toon-client#90).
+ *
+ * ── The consent invariant ───────────────────────────────────────────────────
+ * A sandboxed widget may only *request* an action; it may never *perform* one,
+ * and it may never draw, style, or spoof the authorization UI. This component IS
+ * that authorization UI. It is rendered by the trusted client OUTSIDE the
+ * widget's iframe, using only the client's own audited primitives (`Button`,
+ * `Badge`, `Separator`). It is non-themeable by construction:
+ *
+ *   1. Its ONLY input is a `ConsentRequest` from `@toon-protocol/client`, whose
+ *      type has nowhere to carry styling/markup — only a tool name, plain
+ *      arguments, and a client-fixed `trust: 'low'`.
+ *   2. The tool name and arguments are rendered as TEXT (`{value}` /
+ *      `JSON.stringify`), never as HTML — no `dangerouslySetInnerHTML`, ever.
+ *   3. The grant/deny buttons and all chrome use fixed, client-owned classes;
+ *      the widget supplies no className, style, color, or label.
+ *
+ * A widget that could paint this surface would collapse the whole trust gradient
+ * to its lowest tier, so this file must never accept presentation input from
+ * widget-controlled data. (See `consent.ts` in `@toon-protocol/client`.)
+ */
+import { type FC } from 'react';
+import { type ConsentRequest, type ConsentDecision } from '@toon-protocol/client/render';
+export interface ConsentPromptProps {
+    /**
+     * The request to authorize, built by the trusted client
+     * (`buildConsentRequest`) from a widget intent. Carries no presentation data.
+     */
+    request: ConsentRequest;
+    /** Resolve the prompt with the user's decision. */
+    onResolve: (decision: ConsentDecision) => void;
+}
+/**
+ * The host-rendered authorization prompt. Always drawn outside the widget
+ * iframe, in fixed trusted chrome the widget cannot influence.
+ */
+export declare const ConsentPrompt: FC<ConsentPromptProps>;
+//# sourceMappingURL=ConsentPrompt.d.ts.map

package/dist/mcp-ui/ConsentPrompt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ConsentPrompt.d.ts","sourceRoot":"","sources":["../../src/mcp-ui/ConsentPrompt.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,KAAK,EAAE,EAAE,MAAM,OAAO,CAAC;AAChC,OAAO,EAAE,KAAK,cAAc,EAAE,KAAK,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAKzF,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,OAAO,EAAE,cAAc,CAAC;IACxB,mDAAmD;IACnD,SAAS,EAAE,CAAC,QAAQ,EAAE,eAAe,KAAK,IAAI,CAAC;CAChD;AAED;;;GAGG;AACH,eAAO,MAAM,aAAa,EAAE,EAAE,CAAC,kBAAkB,CAuEhD,CAAC"}

package/dist/mcp-ui/ConsentPrompt.js

@@ -0,0 +1,45 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+/**
+ * ConsentPrompt — the TRUSTED authorization surface for branch 3 (sandboxed
+ * mcp-ui, low trust) of the NIP-on-TOON render trust gradient (toon-meta#58,
+ * toon-client#90).
+ *
+ * ── The consent invariant ───────────────────────────────────────────────────
+ * A sandboxed widget may only *request* an action; it may never *perform* one,
+ * and it may never draw, style, or spoof the authorization UI. This component IS
+ * that authorization UI. It is rendered by the trusted client OUTSIDE the
+ * widget's iframe, using only the client's own audited primitives (`Button`,
+ * `Badge`, `Separator`). It is non-themeable by construction:
+ *
+ *   1. Its ONLY input is a `ConsentRequest` from `@toon-protocol/client`, whose
+ *      type has nowhere to carry styling/markup — only a tool name, plain
+ *      arguments, and a client-fixed `trust: 'low'`.
+ *   2. The tool name and arguments are rendered as TEXT (`{value}` /
+ *      `JSON.stringify`), never as HTML — no `dangerouslySetInnerHTML`, ever.
+ *   3. The grant/deny buttons and all chrome use fixed, client-owned classes;
+ *      the widget supplies no className, style, color, or label.
+ *
+ * A widget that could paint this surface would collapse the whole trust gradient
+ * to its lowest tier, so this file must never accept presentation input from
+ * widget-controlled data. (See `consent.ts` in `@toon-protocol/client`.)
+ */
+import {} from 'react';
+import {} from '@toon-protocol/client/render';
+import { Button } from '@/components/ui/button.js';
+import { Badge } from '@/components/ui/badge.js';
+import { Separator } from '@/components/ui/separator.js';
+/**
+ * The host-rendered authorization prompt. Always drawn outside the widget
+ * iframe, in fixed trusted chrome the widget cannot influence.
+ */
+export const ConsentPrompt = ({ request, onResolve }) => {
+    // Render arguments as inspectable TEXT — never as markup. A widget cannot
+    // inject HTML/script through them because they are stringified, not dangerously
+    // set.
+    const argsText = JSON.stringify(request.arguments, null, 2);
+    return (_jsxs("div", { role: "alertdialog", "aria-modal": "true", "aria-label": "Authorize action requested by an untrusted widget", "data-consent-prompt": true, "data-trust": request.trust, 
+        // Fixed, client-owned chrome. No className/style is ever taken from the
+        // widget — the props type cannot supply one.
+        className: "flex flex-col gap-3 rounded-lg border border-destructive/40 bg-card p-4 text-card-foreground shadow-sm", children: [_jsxs("div", { className: "flex items-center gap-2", children: [_jsx(Badge, { variant: "destructive", "data-consent-trust-badge": true, children: "untrusted widget" }), _jsx("span", { className: "text-sm font-semibold", children: "Authorize action" })] }), _jsx("p", { className: "text-sm text-muted-foreground", children: "A sandboxed widget is requesting to run an action on your behalf. This prompt is drawn by your client \u2014 the widget cannot change how it looks." }), _jsx(Separator, {}), _jsxs("div", { className: "flex flex-col gap-1", children: [_jsx("span", { className: "text-xs font-medium text-muted-foreground", children: "Tool" }), _jsx("code", { "data-consent-tool": true, className: "rounded bg-muted px-1.5 py-0.5 text-xs", children: request.toolName })] }), _jsxs("div", { className: "flex flex-col gap-1", children: [_jsx("span", { className: "text-xs font-medium text-muted-foreground", children: "Arguments" }), _jsx("pre", { "data-consent-args": true, className: "max-h-40 overflow-auto rounded bg-muted px-2 py-1.5 text-xs whitespace-pre-wrap break-words", children: argsText })] }), _jsx(Separator, {}), _jsxs("div", { className: "flex justify-end gap-2", children: [_jsx(Button, { variant: "ghost", size: "sm", "data-consent-deny": true, onClick: () => onResolve('deny'), children: "Deny" }), _jsx(Button, { variant: "destructive", size: "sm", "data-consent-grant": true, onClick: () => onResolve('grant'), children: "Authorize" })] })] }));
+};
+//# sourceMappingURL=ConsentPrompt.js.map

package/dist/mcp-ui/ConsentPrompt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ConsentPrompt.js","sourceRoot":"","sources":["../../src/mcp-ui/ConsentPrompt.tsx"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAW,MAAM,OAAO,CAAC;AAChC,OAAO,EAA6C,MAAM,8BAA8B,CAAC;AACzF,OAAO,EAAE,MAAM,EAAE,MAAM,2BAA2B,CAAC;AACnD,OAAO,EAAE,KAAK,EAAE,MAAM,0BAA0B,CAAC;AACjD,OAAO,EAAE,SAAS,EAAE,MAAM,8BAA8B,CAAC;AAYzD;;;GAGG;AACH,MAAM,CAAC,MAAM,aAAa,GAA2B,CAAC,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,EAAE;IAC9E,0EAA0E;IAC1E,gFAAgF;IAChF,OAAO;IACP,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAE5D,OAAO,CACL,eACE,IAAI,EAAC,aAAa,gBACP,MAAM,gBACN,mDAAmD,6CAElD,OAAO,CAAC,KAAK;QACzB,wEAAwE;QACxE,6CAA6C;QAC7C,SAAS,EAAC,wGAAwG,aAElH,eAAK,SAAS,EAAC,yBAAyB,aACtC,KAAC,KAAK,IAAC,OAAO,EAAC,aAAa,mEAEpB,EACR,eAAM,SAAS,EAAC,uBAAuB,iCAAwB,IAC3D,EAEN,YAAG,SAAS,EAAC,+BAA+B,oKAGxC,EAEJ,KAAC,SAAS,KAAG,EAEb,eAAK,SAAS,EAAC,qBAAqB,aAClC,eAAM,SAAS,EAAC,2CAA2C,qBAAY,EAEvE,0CAAwB,SAAS,EAAC,wCAAwC,YACvE,OAAO,CAAC,QAAQ,GACZ,IACH,EAEN,eAAK,SAAS,EAAC,qBAAqB,aAClC,eAAM,SAAS,EAAC,2CAA2C,0BAAiB,EAC5E,yCAEE,SAAS,EAAC,6FAA6F,YAEtG,QAAQ,GACL,IACF,EAEN,KAAC,SAAS,KAAG,EAEb,eAAK,SAAS,EAAC,wBAAwB,aACrC,KAAC,MAAM,IACL,OAAO,EAAC,OAAO,EACf,IAAI,EAAC,IAAI,6BAET,OAAO,EAAE,GAAG,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,qBAGzB,EACT,KAAC,MAAM,IACL,OAAO,EAAC,aAAa,EACrB,IAAI,EAAC,IAAI,8BAET,OAAO,EAAE,GAAG,EAAE,CAAC,SAAS,CAAC,OAAO,CAAC,0BAG1B,IACL,IACF,CACP,CAAC;AACJ,CAAC,CAAC"}

package/dist/mcp-ui/SandboxedAppRenderer.d.ts

@@ -0,0 +1,54 @@
+/**
+ * SandboxedAppRenderer — branch 3 of the NIP-on-TOON render trust gradient
+ * (sandboxed mcp-ui, LOW trust). toon-meta#58, toon-client#90.
+ *
+ * Renders an untrusted raw widget (the `kind:31036` renderer's HTML, carried as
+ * a `UIResource` with `m: text/html;profile=mcp-app`) inside a hardened,
+ * sandboxed iframe via `@mcp-ui/client`'s `AppRenderer`. The widget may only
+ * *request* actions over the mcp-ui bridge; this component enforces the consent
+ * invariant by routing every requested action to a HOST-rendered, non-themeable
+ * {@link ConsentPrompt} drawn OUTSIDE the iframe.
+ *
+ * Data flow of a widget-requested action:
+ *
+ *   widget (iframe)  --tools/call-->  AppRenderer.onCallTool   (this file)
+ *        │                                   │
+ *        │                          classifyIntent (trusted client)
+ *        │                          ├─ 'auto'             → forward to onCallTool callback
+ *        │                          └─ 'requires-consent' → render ConsentPrompt OUTSIDE
+ *        │                                                   the iframe; await user
+ *        │                                   ▼
+ *        └──────── result / "denied" error ◄─┘  (widget NEVER performs the action)
+ *
+ * The widget cannot draw, style, suppress, or auto-approve the prompt: the
+ * prompt is React state owned by THIS component, rendered with the client's own
+ * audited primitives, and its only data input (`ConsentRequest`) carries no
+ * presentation fields. See `ConsentPrompt.tsx` and `consent.ts`.
+ */
+import { type FC } from 'react';
+import type { CallToolResult } from '@modelcontextprotocol/sdk/types.js';
+import { type UiResource } from '@toon-protocol/client/render';
+/** A host callback that actually performs an authorized tool call. */
+export type PerformTool = (toolName: string, args: Record<string, unknown>) => Promise<CallToolResult>;
+export interface SandboxedAppRendererProps {
+    /**
+     * The untrusted widget to render, extracted from the branch-3 `kind:31036`
+     * renderer by `@toon-protocol/client`'s `extractUiResource`.
+     */
+    resource: UiResource;
+    /**
+     * URL of the mcp-ui sandbox proxy HTML. Required by `@mcp-ui/client`'s
+     * `AppRenderer` so the widget runs in an opaque, cross-origin frame.
+     */
+    sandboxUrl: URL;
+    /** Logical tool name for the rendered widget (mcp-ui bookkeeping). */
+    toolName?: string;
+    /**
+     * Perform an AUTHORIZED tool call. Invoked only after the consent gate passes
+     * (auto-forward for read-only tools, or an explicit user grant otherwise).
+     * Wire this to the trusted client's tool runner.
+     */
+    onPerform: PerformTool;
+}
+export declare const SandboxedAppRenderer: FC<SandboxedAppRendererProps>;
+//# sourceMappingURL=SandboxedAppRenderer.d.ts.map

package/dist/mcp-ui/SandboxedAppRenderer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SandboxedAppRenderer.d.ts","sourceRoot":"","sources":["../../src/mcp-ui/SandboxedAppRenderer.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,EAAyB,KAAK,EAAE,EAAE,MAAM,OAAO,CAAC;AAEvD,OAAO,KAAK,EAAmB,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAC1F,OAAO,EAKL,KAAK,UAAU,EAChB,MAAM,8BAA8B,CAAC;AAItC,sEAAsE;AACtE,MAAM,MAAM,WAAW,GAAG,CACxB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC1B,OAAO,CAAC,cAAc,CAAC,CAAC;AAE7B,MAAM,WAAW,yBAAyB;IACxC;;;OAGG;IACH,QAAQ,EAAE,UAAU,CAAC;IACrB;;;OAGG;IACH,UAAU,EAAE,GAAG,CAAC;IAChB,sEAAsE;IACtE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;;OAIG;IACH,SAAS,EAAE,WAAW,CAAC;CACxB;AAgBD,eAAO,MAAM,oBAAoB,EAAE,EAAE,CAAC,yBAAyB,CAmE9D,CAAC"}

package/dist/mcp-ui/SandboxedAppRenderer.js

@@ -0,0 +1,74 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+/**
+ * SandboxedAppRenderer — branch 3 of the NIP-on-TOON render trust gradient
+ * (sandboxed mcp-ui, LOW trust). toon-meta#58, toon-client#90.
+ *
+ * Renders an untrusted raw widget (the `kind:31036` renderer's HTML, carried as
+ * a `UIResource` with `m: text/html;profile=mcp-app`) inside a hardened,
+ * sandboxed iframe via `@mcp-ui/client`'s `AppRenderer`. The widget may only
+ * *request* actions over the mcp-ui bridge; this component enforces the consent
+ * invariant by routing every requested action to a HOST-rendered, non-themeable
+ * {@link ConsentPrompt} drawn OUTSIDE the iframe.
+ *
+ * Data flow of a widget-requested action:
+ *
+ *   widget (iframe)  --tools/call-->  AppRenderer.onCallTool   (this file)
+ *        │                                   │
+ *        │                          classifyIntent (trusted client)
+ *        │                          ├─ 'auto'             → forward to onCallTool callback
+ *        │                          └─ 'requires-consent' → render ConsentPrompt OUTSIDE
+ *        │                                                   the iframe; await user
+ *        │                                   ▼
+ *        └──────── result / "denied" error ◄─┘  (widget NEVER performs the action)
+ *
+ * The widget cannot draw, style, suppress, or auto-approve the prompt: the
+ * prompt is React state owned by THIS component, rendered with the client's own
+ * audited primitives, and its only data input (`ConsentRequest`) carries no
+ * presentation fields. See `ConsentPrompt.tsx` and `consent.ts`.
+ */
+import { useCallback, useState } from 'react';
+import { AppRenderer } from '@mcp-ui/client';
+import { buildConsentRequest, classifyIntent, } from '@toon-protocol/client/render';
+import { ConsentPrompt } from './ConsentPrompt.js';
+import { assertSafeSandbox, BRANCH3_SANDBOX_PERMISSIONS } from './sandbox.js';
+/** A `CallToolResult` representing a host-side denial (the widget never acts). */
+function deniedResult(toolName) {
+    return {
+        isError: true,
+        content: [{ type: 'text', text: `Action "${toolName}" was not authorized by the user.` }],
+    };
+}
+export const SandboxedAppRenderer = ({ resource, sandboxUrl, toolName = 'mcp-app-widget', onPerform, }) => {
+    const [pending, setPending] = useState(null);
+    // Belt-and-braces: never render with a sandbox that re-enables an escape token.
+    assertSafeSandbox(BRANCH3_SANDBOX_PERMISSIONS);
+    /**
+     * The iframe → host intent channel. `@mcp-ui/client` calls this for every
+     * `tools/call` the widget requests. We classify it; auto-forward read-only
+     * intents; and for everything else render the host consent prompt and await
+     * the user's decision before performing (or denying) the action.
+     */
+    const onCallTool = useCallback(async (params) => {
+        const intent = {
+            toolName: params.name,
+            arguments: (params.arguments ?? {}),
+        };
+        if (classifyIntent(intent) === 'auto') {
+            return onPerform(intent.toolName, intent.arguments);
+        }
+        // requires-consent: surface a HOST-rendered prompt outside the iframe and
+        // block on the user's decision. The widget cannot resolve this itself.
+        const decision = await new Promise((resolve) => {
+            setPending({ request: buildConsentRequest(intent), resolve });
+        });
+        setPending(null);
+        if (decision !== 'grant')
+            return deniedResult(intent.toolName);
+        return onPerform(intent.toolName, intent.arguments);
+    }, [onPerform]);
+    return (_jsxs("div", { "data-branch": "mcp-ui", "data-trust": "low", className: "flex flex-col gap-3", children: [_jsx(AppRenderer, { toolName: toolName, html: resource.html, sandbox: { url: sandboxUrl, permissions: BRANCH3_SANDBOX_PERMISSIONS }, onCallTool: onCallTool, 
+                // Open-link requests are likewise just *requests*; deny by default —
+                // the widget cannot navigate the host.
+                onOpenLink: async () => ({}) }), pending !== null && (_jsx(ConsentPrompt, { request: pending.request, onResolve: pending.resolve }))] }));
+};
+//# sourceMappingURL=SandboxedAppRenderer.js.map

package/dist/mcp-ui/SandboxedAppRenderer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SandboxedAppRenderer.js","sourceRoot":"","sources":["../../src/mcp-ui/SandboxedAppRenderer.tsx"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAW,MAAM,OAAO,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAE7C,OAAO,EACL,mBAAmB,EACnB,cAAc,GAIf,MAAM,8BAA8B,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,2BAA2B,EAAE,MAAM,cAAc,CAAC;AAmC9E,kFAAkF;AAClF,SAAS,YAAY,CAAC,QAAgB;IACpC,OAAO;QACL,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,QAAQ,mCAAmC,EAAE,CAAC;KAC1F,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,oBAAoB,GAAkC,CAAC,EAClE,QAAQ,EACR,UAAU,EACV,QAAQ,GAAG,gBAAgB,EAC3B,SAAS,GACV,EAAE,EAAE;IACH,MAAM,CAAC,OAAO,EAAE,UAAU,CAAC,GAAG,QAAQ,CAAwB,IAAI,CAAC,CAAC;IAEpE,gFAAgF;IAChF,iBAAiB,CAAC,2BAA2B,CAAC,CAAC;IAE/C;;;;;OAKG;IACH,MAAM,UAAU,GAAG,WAAW,CAC5B,KAAK,EAAE,MAAiC,EAA2B,EAAE;QACnE,MAAM,MAAM,GAAG;YACb,QAAQ,EAAE,MAAM,CAAC,IAAI;YACrB,SAAS,EAAE,CAAC,MAAM,CAAC,SAAS,IAAI,EAAE,CAA4B;SAC/D,CAAC;QAEF,IAAI,cAAc,CAAC,MAAM,CAAC,KAAK,MAAM,EAAE,CAAC;YACtC,OAAO,SAAS,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;QACtD,CAAC;QAED,0EAA0E;QAC1E,uEAAuE;QACvE,MAAM,QAAQ,GAAG,MAAM,IAAI,OAAO,CAAkB,CAAC,OAAO,EAAE,EAAE;YAC9D,UAAU,CAAC,EAAE,OAAO,EAAE,mBAAmB,CAAC,MAAM,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;QACH,UAAU,CAAC,IAAI,CAAC,CAAC;QAEjB,IAAI,QAAQ,KAAK,OAAO;YAAE,OAAO,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC/D,OAAO,SAAS,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;IACtD,CAAC,EACD,CAAC,SAAS,CAAC,CACZ,CAAC;IAEF,OAAO,CACL,8BAAiB,QAAQ,gBAAY,KAAK,EAAC,SAAS,EAAC,qBAAqB,aAMxE,KAAC,WAAW,IACV,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE,QAAQ,CAAC,IAAI,EACnB,OAAO,EAAE,EAAE,GAAG,EAAE,UAAU,EAAE,WAAW,EAAE,2BAA2B,EAAE,EACtE,UAAU,EAAE,UAAU;gBACtB,qEAAqE;gBACrE,uCAAuC;gBACvC,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,GAC5B,EAMD,OAAO,KAAK,IAAI,IAAI,CACnB,KAAC,aAAa,IAAC,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,OAAO,GAAI,CACxE,IACG,CACP,CAAC;AACJ,CAAC,CAAC"}

package/dist/mcp-ui/index.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Branch 3 — sandboxed mcp-ui renderer (LOW trust) for the NIP-on-TOON render
+ * trust gradient (toon-meta#58, toon-client#90).
+ *
+ * Renders an untrusted raw widget inside a hardened sandboxed iframe via
+ * `@mcp-ui/client`'s `AppRenderer`, and enforces the consent invariant: every
+ * action the widget *requests* is routed to a host-rendered, non-themeable
+ * {@link ConsentPrompt} drawn OUTSIDE the iframe — the widget can only request,
+ * never perform, and can never paint the authorization UI.
+ *
+ * The React components are part of the views *app bundle* (React), not the Node
+ * barrel, so they are exported from here rather than `src/index.ts` (mirroring
+ * the branch-2 A2UI renderer).
+ */
+export { SandboxedAppRenderer, type SandboxedAppRendererProps, type PerformTool, } from './SandboxedAppRenderer.js';
+export { ConsentPrompt, type ConsentPromptProps } from './ConsentPrompt.js';
+export { BRANCH3_SANDBOX_PERMISSIONS, BRANCH3_SANDBOX_TOKENS, FORBIDDEN_SANDBOX_TOKENS, DEFAULT_MCP_UI_SANDBOX_URL, assertSafeSandbox, } from './sandbox.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/mcp-ui/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/mcp-ui/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EACL,oBAAoB,EACpB,KAAK,yBAAyB,EAC9B,KAAK,WAAW,GACjB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,aAAa,EAAE,KAAK,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EACL,2BAA2B,EAC3B,sBAAsB,EACtB,wBAAwB,EACxB,0BAA0B,EAC1B,iBAAiB,GAClB,MAAM,cAAc,CAAC"}

package/dist/mcp-ui/index.js

@@ -0,0 +1,18 @@
+/**
+ * Branch 3 — sandboxed mcp-ui renderer (LOW trust) for the NIP-on-TOON render
+ * trust gradient (toon-meta#58, toon-client#90).
+ *
+ * Renders an untrusted raw widget inside a hardened sandboxed iframe via
+ * `@mcp-ui/client`'s `AppRenderer`, and enforces the consent invariant: every
+ * action the widget *requests* is routed to a host-rendered, non-themeable
+ * {@link ConsentPrompt} drawn OUTSIDE the iframe — the widget can only request,
+ * never perform, and can never paint the authorization UI.
+ *
+ * The React components are part of the views *app bundle* (React), not the Node
+ * barrel, so they are exported from here rather than `src/index.ts` (mirroring
+ * the branch-2 A2UI renderer).
+ */
+export { SandboxedAppRenderer, } from './SandboxedAppRenderer.js';
+export { ConsentPrompt } from './ConsentPrompt.js';
+export { BRANCH3_SANDBOX_PERMISSIONS, BRANCH3_SANDBOX_TOKENS, FORBIDDEN_SANDBOX_TOKENS, DEFAULT_MCP_UI_SANDBOX_URL, assertSafeSandbox, } from './sandbox.js';
+//# sourceMappingURL=index.js.map

package/dist/mcp-ui/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/mcp-ui/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EACL,oBAAoB,GAGrB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,aAAa,EAA2B,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EACL,2BAA2B,EAC3B,sBAAsB,EACtB,wBAAwB,EACxB,0BAA0B,EAC1B,iBAAiB,GAClB,MAAM,cAAc,CAAC"}

package/dist/mcp-ui/sandbox.d.ts

@@ -0,0 +1,62 @@
+/**
+ * Hardened sandbox configuration for branch 3 (sandboxed mcp-ui, low trust) of
+ * the NIP-on-TOON render trust gradient (toon-meta#58, toon-client#90).
+ *
+ * The branch-3 widget is UNTRUSTED renderer code shipped as raw HTML by a
+ * `kind:31036` event with `m: text/html;profile=mcp-app`. It is confined to an
+ * iframe whose `sandbox` attribute is locked down here. The single most
+ * important hardening is dropping `allow-same-origin`: without it the iframe
+ * runs in an opaque origin, so the widget cannot reach the host's cookies,
+ * `localStorage`, `IndexedDB`, or same-origin DOM — and therefore cannot read or
+ * repaint the host-rendered consent surface.
+ *
+ * `@mcp-ui/client`'s default sandbox permission string is
+ * `"allow-scripts allow-same-origin allow-forms"`. We deliberately OVERRIDE it
+ * to a stricter allowlist with NO `allow-same-origin` and NO top-navigation /
+ * popup escapes.
+ */
+/**
+ * The locked-down iframe `sandbox` attribute for an untrusted branch-3 widget.
+ *
+ * Granted:
+ *   - `allow-scripts` — the widget needs JS to render and to *request* actions
+ *     over the postMessage bridge. (With `allow-scripts` but WITHOUT
+ *     `allow-same-origin`, the iframe is a hostile, isolated origin — exactly
+ *     what we want.)
+ *
+ * Withheld (each one is a consent-invariant escape if granted):
+ *   - `allow-same-origin`        — would give the widget the host's origin and
+ *                                  thus access to the host DOM / storage; it
+ *                                  could then read or overdraw the consent UI.
+ *   - `allow-top-navigation`*    — would let the widget navigate the top frame
+ *                                  away (phishing / consent bypass).
+ *   - `allow-popups`*            — would let the widget open windows it controls.
+ *   - `allow-modals`             — would let the widget raise `alert/confirm`
+ *                                  dialogs that could be mistaken for host chrome.
+ *   - `allow-forms`             — not needed; widget requests ride the bridge.
+ *   - `allow-pointer-lock` / `allow-presentation` — UI-capture vectors.
+ */
+export declare const BRANCH3_SANDBOX_PERMISSIONS: "allow-scripts";
+/**
+ * The default cross-origin mcp-ui sandbox proxy URL. `@mcp-ui/client`'s
+ * `AppRenderer` loads this opaque-origin proxy HTML to host the widget iframe, so
+ * the widget runs in a foreign origin it cannot escape (no `allow-same-origin`).
+ *
+ * This is the canonical mcp-ui hosted proxy; a host that self-hosts the proxy can
+ * pass its own `URL` to {@link import('./SandboxedAppRenderer.js').SandboxedAppRenderer}.
+ */
+export declare const DEFAULT_MCP_UI_SANDBOX_URL: "https://sandbox.mcpui.dev";
+/**
+ * The iframe `sandbox` tokens, as a frozen array, for assertion in tests and
+ * for callers that prefer a list over the space-joined string.
+ */
+export declare const BRANCH3_SANDBOX_TOKENS: readonly string[];
+/** Tokens that MUST NEVER appear in a branch-3 sandbox (each breaks the invariant). */
+export declare const FORBIDDEN_SANDBOX_TOKENS: readonly string[];
+/**
+ * Assert that a sandbox permission string is safe for branch 3. Throws if any
+ * forbidden token is present. Defensive belt-and-braces so a future edit can't
+ * silently re-enable `allow-same-origin`.
+ */
+export declare function assertSafeSandbox(permissions: string): void;
+//# sourceMappingURL=sandbox.d.ts.map

package/dist/mcp-ui/sandbox.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox.d.ts","sourceRoot":"","sources":["../../src/mcp-ui/sandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,2BAA2B,EAAG,eAAwB,CAAC;AAEpE;;;;;;;GAOG;AACH,eAAO,MAAM,0BAA0B,EAAG,2BAAoC,CAAC;AAE/E;;;GAGG;AACH,eAAO,MAAM,sBAAsB,EAAE,SAAS,MAAM,EAEnD,CAAC;AAEF,uFAAuF;AACvF,eAAO,MAAM,wBAAwB,EAAE,SAAS,MAAM,EASpD,CAAC;AAEH;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAS3D"}

package/dist/mcp-ui/sandbox.js

@@ -0,0 +1,78 @@
+/**
+ * Hardened sandbox configuration for branch 3 (sandboxed mcp-ui, low trust) of
+ * the NIP-on-TOON render trust gradient (toon-meta#58, toon-client#90).
+ *
+ * The branch-3 widget is UNTRUSTED renderer code shipped as raw HTML by a
+ * `kind:31036` event with `m: text/html;profile=mcp-app`. It is confined to an
+ * iframe whose `sandbox` attribute is locked down here. The single most
+ * important hardening is dropping `allow-same-origin`: without it the iframe
+ * runs in an opaque origin, so the widget cannot reach the host's cookies,
+ * `localStorage`, `IndexedDB`, or same-origin DOM — and therefore cannot read or
+ * repaint the host-rendered consent surface.
+ *
+ * `@mcp-ui/client`'s default sandbox permission string is
+ * `"allow-scripts allow-same-origin allow-forms"`. We deliberately OVERRIDE it
+ * to a stricter allowlist with NO `allow-same-origin` and NO top-navigation /
+ * popup escapes.
+ */
+/**
+ * The locked-down iframe `sandbox` attribute for an untrusted branch-3 widget.
+ *
+ * Granted:
+ *   - `allow-scripts` — the widget needs JS to render and to *request* actions
+ *     over the postMessage bridge. (With `allow-scripts` but WITHOUT
+ *     `allow-same-origin`, the iframe is a hostile, isolated origin — exactly
+ *     what we want.)
+ *
+ * Withheld (each one is a consent-invariant escape if granted):
+ *   - `allow-same-origin`        — would give the widget the host's origin and
+ *                                  thus access to the host DOM / storage; it
+ *                                  could then read or overdraw the consent UI.
+ *   - `allow-top-navigation`*    — would let the widget navigate the top frame
+ *                                  away (phishing / consent bypass).
+ *   - `allow-popups`*            — would let the widget open windows it controls.
+ *   - `allow-modals`             — would let the widget raise `alert/confirm`
+ *                                  dialogs that could be mistaken for host chrome.
+ *   - `allow-forms`             — not needed; widget requests ride the bridge.
+ *   - `allow-pointer-lock` / `allow-presentation` — UI-capture vectors.
+ */
+export const BRANCH3_SANDBOX_PERMISSIONS = 'allow-scripts';
+/**
+ * The default cross-origin mcp-ui sandbox proxy URL. `@mcp-ui/client`'s
+ * `AppRenderer` loads this opaque-origin proxy HTML to host the widget iframe, so
+ * the widget runs in a foreign origin it cannot escape (no `allow-same-origin`).
+ *
+ * This is the canonical mcp-ui hosted proxy; a host that self-hosts the proxy can
+ * pass its own `URL` to {@link import('./SandboxedAppRenderer.js').SandboxedAppRenderer}.
+ */
+export const DEFAULT_MCP_UI_SANDBOX_URL = 'https://sandbox.mcpui.dev';
+/**
+ * The iframe `sandbox` tokens, as a frozen array, for assertion in tests and
+ * for callers that prefer a list over the space-joined string.
+ */
+export const BRANCH3_SANDBOX_TOKENS = Object.freeze(BRANCH3_SANDBOX_PERMISSIONS.split(' '));
+/** Tokens that MUST NEVER appear in a branch-3 sandbox (each breaks the invariant). */
+export const FORBIDDEN_SANDBOX_TOKENS = Object.freeze([
+    'allow-same-origin',
+    'allow-top-navigation',
+    'allow-top-navigation-by-user-activation',
+    'allow-popups',
+    'allow-modals',
+    'allow-forms',
+    'allow-pointer-lock',
+    'allow-presentation',
+]);
+/**
+ * Assert that a sandbox permission string is safe for branch 3. Throws if any
+ * forbidden token is present. Defensive belt-and-braces so a future edit can't
+ * silently re-enable `allow-same-origin`.
+ */
+export function assertSafeSandbox(permissions) {
+    const tokens = new Set(permissions.split(/\s+/).filter(Boolean));
+    for (const forbidden of FORBIDDEN_SANDBOX_TOKENS) {
+        if (tokens.has(forbidden)) {
+            throw new Error(`branch-3 sandbox must not grant "${forbidden}" — it breaks the consent invariant`);
+        }
+    }
+}
+//# sourceMappingURL=sandbox.js.map

package/dist/mcp-ui/sandbox.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox.js","sourceRoot":"","sources":["../../src/mcp-ui/sandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,eAAwB,CAAC;AAEpE;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAG,2BAAoC,CAAC;AAE/E;;;GAGG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAsB,MAAM,CAAC,MAAM,CACpE,2BAA2B,CAAC,KAAK,CAAC,GAAG,CAAC,CACvC,CAAC;AAEF,uFAAuF;AACvF,MAAM,CAAC,MAAM,wBAAwB,GAAsB,MAAM,CAAC,MAAM,CAAC;IACvE,mBAAmB;IACnB,sBAAsB;IACtB,yCAAyC;IACzC,cAAc;IACd,cAAc;IACd,aAAa;IACb,oBAAoB;IACpB,oBAAoB;CACrB,CAAC,CAAC;AAEH;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,WAAmB;IACnD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IACjE,KAAK,MAAM,SAAS,IAAI,wBAAwB,EAAE,CAAC;QACjD,IAAI,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CACb,oCAAoC,SAAS,qCAAqC,CACnF,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/parsers/media.d.ts

@@ -0,0 +1,68 @@
+/**
+ * Media-NIP parsers.
+ *
+ * NIP-92 `imeta` tags        → MediaVariant[] (inline media on any event)
+ * NIP-94 kind:1063 file meta → FileMetadata
+ * NIP-68 kind:20 picture     → MediaPost (kind 'picture')
+ * NIP-71 kind:21/22 video    → MediaPost (kind 'video')
+ *
+ * Media bytes themselves live on Arweave (uploaded via the kind:5094 blob DVM);
+ * these parsers only surface the URLs/hashes/dimensions for rendering.
+ */
+import { type NostrEvent } from '../types.js';
+/** A single media variant (one resolution/encoding of an image or video). */
+export interface MediaVariant {
+    url: string;
+    mime?: string;
+    /** SHA-256 hex of the file (`x` field). */
+    hash?: string;
+    /** Dimensions as `<width>x<height>`. */
+    dim?: string;
+    alt?: string;
+    blurhash?: string;
+    /** Fallback mirror URLs. */
+    fallbacks: string[];
+}
+/**
+ * Parse a single NIP-92 `imeta` tag.
+ * Form: `["imeta", "url https://…", "m image/png", "x <hash>", "dim 800x600", …]`.
+ * Each element after the tag name is a space-delimited `key value` pair;
+ * `value` may itself contain spaces (e.g. `alt a cat`).
+ */
+export declare function parseImeta(tag: string[]): MediaVariant | null;
+/** Extract all NIP-92 inline media variants from an event's tags. */
+export declare function parseInlineMedia(event: NostrEvent): MediaVariant[];
+/** Parsed NIP-94 file metadata event (kind:1063). */
+export interface FileMetadata {
+    eventId: string;
+    authorPubkey: string;
+    createdAt: number;
+    url: string;
+    mime?: string;
+    hash?: string;
+    size?: number;
+    dim?: string;
+    summary?: string;
+    caption: string;
+}
+/** Parse a kind:1063 NIP-94 file metadata event. */
+export declare function parseFileMetadata(event: NostrEvent): FileMetadata | null;
+/** Kinds carrying a media-first post. */
+export declare const MEDIA_POST_KINDS: readonly [20, 21, 22];
+/** Parsed media-first post (NIP-68 picture kind:20, NIP-71 video kind:21/22). */
+export interface MediaPost {
+    eventId: string;
+    authorPubkey: string;
+    createdAt: number;
+    mediaType: 'picture' | 'video';
+    /** True for NIP-71 short-form video (kind:22). */
+    short: boolean;
+    title?: string;
+    content: string;
+    variants: MediaVariant[];
+    hashtags: string[];
+    durationSec?: number;
+}
+/** Parse a kind:20/21/22 media post. */
+export declare function parseMediaPost(event: NostrEvent): MediaPost | null;
+//# sourceMappingURL=media.d.ts.map