blocfeed 0.6.1 → 0.7.1

package/CHANGELOG.md

@@ -1,5 +1,50 @@
 # Changelog
 
+## 0.7.1 — 2026-02-21
+
+### New features
+
+- **Client-side secret leak scanner** — `config.security` detects accidentally exposed API keys, database credentials, and tokens in client-side code. Scans Next.js `__NEXT_DATA__`, Nuxt `__NUXT__`, inline scripts, meta tags, and DOM attributes. Supports 20+ known patterns including:
+  - **Supabase / Postgres**: `SUPABASE_SERVICE_ROLE_KEY`, `POSTGRES_PASSWORD`, `DATABASE_URL` with embedded credentials
+  - **AWS**: Access keys (`AKIA...`), secret keys, session tokens
+  - **Stripe**: Secret keys (`sk_live_...`, `sk_test_...`), restricted keys
+  - **GitHub**: PATs, OAuth tokens, fine-grained tokens
+  - **OpenAI / Anthropic**: API keys
+  - **Infrastructure**: Private keys, database URLs with credentials, SendGrid, Twilio
+  - **Generic**: Any env var ending in `_SECRET`, `_PASSWORD`, `_PRIVATE_KEY`
+- **Custom patterns**: `config.security.customPatterns` for app-specific secret formats
+- **Security warning banner**: Visual alert when secrets are detected, dismissible by user
+- **Redacted findings**: Secret values are never transmitted — only the first 6 characters + `***`
+- **Dashboard reporting**: Findings attached as `metadata._securityFindings` in every feedback submission
+
+### Improvements
+
+- New types exported: `SecurityConfig`, `SecurityFinding`, `SecuritySnapshot`.
+- Engine exports: `runSecretScan`, `getSecurityFindings`, `clearSecurityFindings` for headless usage.
+- 14 new tests for secret scanning (80 total).
+
+---
+
+## 0.7.0 — 2026-02-20
+
+### New features
+
+- **XHR network capture** — Network diagnostics now intercept `XMLHttpRequest` in addition to `fetch`. Apps using axios, jQuery, or other XHR-based libraries get full network error capture.
+- **Conditional display (`showOn`)** — `config.ui.showOn` restricts widget visibility to specific routes. Accepts an array of route patterns (with wildcard `*` suffix) or a custom predicate function. Default: show on all pages.
+- **Programmatic API** — `BlocFeedWidget` now accepts a React ref exposing `open()`, `close()`, `submit(message)`, and `isOpen`. New `BlocFeedHandle` type exported for TypeScript consumers.
+- **Feedback categories** — Pill selector in the feedback form: Bug, Feature, UX, General. Selection is included as `category` in the payload. Configurable via `config.ui.categories` and fully localizable via `config.ui.strings`.
+- **Dark / Light mode** — `config.ui.theme.mode` supports `"light"`, `"dark"`, or `"auto"` (uses `prefers-color-scheme`). Default remains `"dark"`. Light theme includes fully styled panel, textarea, highlight, and overlay.
+
+### Improvements
+
+- New types exported: `BlocFeedHandle`, `FeedbackCategory`.
+- `BlocFeedStrings` extended with `categoryBug`, `categoryFeature`, `categoryUx`, `categoryGeneral`.
+- `FeedbackPayload` now includes optional `category` field.
+- SPA route detection for `showOn`: patches `history.pushState` / `replaceState` and listens for `popstate`.
+- Backlog updated: shipped items tracked, remaining ideas reorganized.
+
+---
+
 ## 0.6.1 — 2026-02-20
 
 - Re-publish of 0.6.0 with all features included (diagnostics, i18n, watermark).

package/README.md

@@ -11,6 +11,11 @@ Drop-in in-app feedback widget for **Next.js** and **React**:
 - **Offline queue** — failed submissions are stored and retried automatically
 - **Customizable position, theme, and retry behavior**
 - **Accessible** — keyboard navigation, focus trapping, ARIA attributes
+- **Feedback categories** — pill selector (Bug, Feature, UX, General) included in payload
+- **Dark / Light mode** — `"dark"`, `"light"`, or `"auto"` (follows system preference)
+- **Conditional display** — show/hide widget by route pattern or custom predicate
+- **Programmatic API** — `ref.open()`, `ref.close()`, `ref.submit(msg)` via React ref
+- **Secret leak detection** — scans client-side code for exposed API keys, database credentials, and tokens
 
 Docs live in `docs/` (start at `docs/index.md`). Architecture pointers are in `ARCHITECTURE.md`.
 
@@ -114,13 +119,16 @@ All configuration is passed via the `config` prop on `<BlocFeedWidget>` or `<Blo
         panelBackground: "rgba(0, 0, 0, 0.95)",
         panelForeground: "#ffffff",
         fontFamily: "Inter, sans-serif",
+        mode: "dark",           // "dark" | "light" | "auto"
       },
+      categories: ["bug", "feature", "ux", "general"],  // feedback category pills
+      showOn: ["/dashboard/*", "/app/*"],                // route-based visibility
     },
 
-    // Diagnostics (console + network capture)
+    // Diagnostics (console + network capture, including XHR)
     diagnostics: {
       console: true,
-      network: true,
+      network: true,             // captures both fetch and XMLHttpRequest
     },
 
     // Screenshot defaults
@@ -141,6 +149,12 @@ All configuration is passed via the `config` prop on `<BlocFeedWidget>` or `<Blo
       backoffMs: 500,         // base backoff delay
     },
 
+    // Security — secret leak detection
+    security: {
+      secretScan: true,
+      scanTargets: ["hydration", "scripts", "meta", "dom"],
+    },
+
     // Metadata enrichment
     metadata: {
       enabled: true,
@@ -271,7 +285,103 @@ config={{
 }}
 ```
 
-All fields are optional — only override the ones you need.
+All fields are optional — only override the ones you need. Category labels are also localizable:
+
+```tsx
+strings: {
+  categoryBug: "Fehler",
+  categoryFeature: "Funktion",
+  categoryUx: "UX",
+  categoryGeneral: "Allgemein",
+}
+```
+
+## Feedback Categories
+
+Show a pill selector in the feedback form so users can tag their feedback:
+
+```tsx
+config={{
+  ui: {
+    categories: ["bug", "feature", "ux", "general"],
+  },
+}}
+```
+
+The selected category is included in the payload as `category`. All four categories are shown by default. To show only a subset:
+
+```tsx
+config={{
+  ui: {
+    categories: ["bug", "feature"],  // only Bug and Feature pills
+  },
+}}
+```
+
+Set `categories: []` to hide the pill selector entirely.
+
+## Conditional Display (`showOn`)
+
+Restrict widget visibility to specific routes. By default the widget shows on all pages.
+
+### Route patterns
+
+```tsx
+config={{
+  ui: {
+    showOn: ["/dashboard/*", "/app/*", "/settings"],
+  },
+}}
+```
+
+Patterns support exact matching or wildcard `*` suffix (matches any path starting with the prefix).
+
+### Custom predicate
+
+```tsx
+config={{
+  ui: {
+    showOn: (pathname) => !pathname.startsWith("/admin"),
+  },
+}}
+```
+
+The widget automatically detects SPA navigation (`pushState`, `replaceState`, `popstate`) and re-evaluates on every route change.
+
+## Programmatic API
+
+Control the widget programmatically via a React ref:
+
+```tsx
+import { useRef } from "react";
+import { BlocFeedWidget, type BlocFeedHandle } from "blocfeed";
+
+function App() {
+  const feedbackRef = useRef<BlocFeedHandle>(null);
+
+  return (
+    <>
+      <button onClick={() => feedbackRef.current?.open()}>
+        Report a Bug
+      </button>
+
+      <BlocFeedWidget
+        ref={feedbackRef}
+        blocfeed_id="bf_..."
+      />
+    </>
+  );
+}
+```
+
+### `BlocFeedHandle` methods
+
+| Method | Description |
+|--------|-------------|
+| `open()` | Open the widget (starts element picking) |
+| `close()` | Close the widget and reset state |
+| `submit(message)` | Submit feedback programmatically (returns `Promise<SubmitResult>`) |
+| `isOpen` | `boolean` — whether the widget is currently active |
 
 ## Console & Network Diagnostics
 
@@ -283,7 +393,7 @@ config={{
     console: true,               // capture console.error & console.warn
     consoleLevels: ["error", "warn"],  // which levels to capture
     consoleLimit: 20,            // max entries retained
-    network: true,               // capture failed fetch requests
+    network: true,               // capture failed fetch & XHR requests
     networkLimit: 15,            // max entries retained
   },
 }}
@@ -291,6 +401,8 @@ config={{
 
 Captured data is attached to `metadata._consoleLogs` and `metadata._networkErrors` in the payload. BlocFeed's own API calls are excluded. Messages and stacks are truncated at 2KB.
 
+Both `fetch` and `XMLHttpRequest` are intercepted, so apps using axios, jQuery, or other XHR-based libraries get full network error capture.
+
 ### Headless diagnostics
 
 ```ts
@@ -302,6 +414,74 @@ import {
 } from "blocfeed/engine";
 ```
 
+## Security — Client-Side Secret Leak Detection
+
+Detect accidentally exposed API keys, database credentials, and tokens in client-side code:
+
+```tsx
+<BlocFeedWidget
+  blocfeed_id="bf_..."
+  config={{
+    security: {
+      secretScan: true,           // enable scanning (default when security config is present)
+      scanTargets: ["hydration", "scripts", "meta", "dom"],  // what to scan
+    },
+  }}
+/>
+```
+
+When secrets are detected, a dismissible warning banner appears in the widget, and findings are attached as `metadata._securityFindings` in every feedback submission. Secret values are **never transmitted** — only the first 6 characters + `***`.
+
+### What gets scanned
+
+| Target | What | Why |
+|--------|------|-----|
+| `hydration` | `__NEXT_DATA__`, `__NUXT__` | Server-side props leaked to client |
+| `scripts` | Inline `<script>` tags | Hardcoded secrets in JavaScript |
+| `meta` | `<meta>` tag `content` attributes | Tokens in meta tags |
+| `dom` | `data-api-key`, `data-secret`, etc. | Keys in HTML attributes |
+
+### Built-in patterns (20+)
+
+- **Supabase / Postgres**: `SUPABASE_SERVICE_ROLE_KEY`, `POSTGRES_PASSWORD`, `DATABASE_URL` with embedded credentials
+- **AWS**: Access keys (`AKIA...`), secret keys, session tokens
+- **Stripe**: Secret keys (`sk_live_...`, `sk_test_...`), restricted keys
+- **GitHub**: PATs (`ghp_`), OAuth tokens (`gho_`), fine-grained tokens (`github_pat_`)
+- **OpenAI / Anthropic**: API keys
+- **Infrastructure**: Private keys, database URLs with credentials, SendGrid, Twilio
+- **Generic**: Any env var ending in `_SECRET`, `_PASSWORD`, `_PRIVATE_KEY`
+
+> **Note**: Known-public keys like `SUPABASE_ANON_KEY` and `SUPABASE_URL` are intentionally **not** flagged.
+
+### Custom patterns
+
+Add app-specific secret formats:
+
+```tsx
+config={{
+  security: {
+    customPatterns: [
+      { name: "internal_api_key", pattern: /myapp_sk_[a-zA-Z0-9]{32}/ },
+    ],
+  },
+}}
+```
+
+### Headless secret scanning
+
+```ts
+import {
+  runSecretScan,
+  getSecurityFindings,
+  clearSecurityFindings,
+} from "blocfeed/engine";
+
+runSecretScan({ secretScan: true });
+// ... after scan completes (~100ms)
+const snapshot = getSecurityFindings();
+console.log(snapshot.findings);
+```
+
 ## Theme Customization
 
 Override the widget's visual appearance via CSS variables:
@@ -314,11 +494,24 @@ config={{
       panelBackground: "rgba(0,0,0,0.95)", // panel & trigger background
       panelForeground: "#ffffff",        // text color
       fontFamily: "Inter, sans-serif",   // font stack
+      mode: "auto",                      // "dark" | "light" | "auto"
     },
   },
 }}
 ```
 
+### Dark / Light Mode
+
+The widget defaults to dark mode. Set `theme.mode` to change the color scheme:
+
+| Mode | Behavior |
+|------|----------|
+| `"dark"` | Dark panel, light text (default) |
+| `"light"` | Light panel, dark text |
+| `"auto"` | Follows the user's system preference (`prefers-color-scheme`) and updates live |
+
+Explicit `panelBackground` / `panelForeground` overrides take precedence over the mode defaults.
+
 ## Retry & Transport
 
 Configure retry behavior for unreliable networks:
@@ -489,15 +682,20 @@ All types are exported from both entry points:
 ```ts
 import type {
   BlocFeedConfig,
+  BlocFeedHandle,
   BlocFeedUser,
-  TransportConfig,
-  TriggerStyle,
-  WidgetPosition,
-  ThemeConfig,
+  FeedbackCategory,
   FeedbackPayload,
   FeedbackApiResponse,
   BlocFeedState,
   SessionPhase,
+  ThemeConfig,
+  TransportConfig,
+  TriggerStyle,
+  WidgetPosition,
+  SecurityConfig,
+  SecurityFinding,
+  SecuritySnapshot,
   // ... and more
 } from "blocfeed";
 ```

package/dist/chunk-JVY6JTXP.cjs

@@ -0,0 +1,2 @@
+'use strict';function w(){return typeof window<"u"&&typeof document<"u"}function ue(e){let t=globalThis.CSS;return typeof t?.escape=="function"?t.escape(e):e.replace(/[^a-zA-Z0-9_-]/g,n=>{let r=n.codePointAt(0);return r===void 0?"":`\\${r.toString(16)} `})}function Y(e){return {x:e.x,y:e.y,width:e.width,height:e.height}}function Be(e){return {x:e.x+window.scrollX,y:e.y+window.scrollY,width:e.width,height:e.height}}function De(e){return e.replace(/\s+/g," ").trim()}function Oe(e,t=140){let n=e.textContent;if(!n)return;let r=De(n);if(r)return r.length<=t?r:`${r.slice(0,t-1)}\u2026`}function Ue(e){let t=1;for(let n=e.previousElementSibling;n;n=n.previousElementSibling)n.tagName===e.tagName&&(t+=1);return t}var pe=["data-testid","data-test-id","data-test","data-qa","data-cy"],de="data-blocfeed-component";function He(e){let t=e.closest(`[${de}]`);if(!t)return;let r=t.getAttribute(de)?.trim();return r||void 0}function qe(e){for(let t of pe){let n=e.closest(`[${t}]`);if(!n)continue;let o=n.getAttribute(t)?.trim();if(o)return o}}function fe(e){try{let t=e,n=Object.getOwnPropertyNames(t);for(let r of n)if(r.startsWith("__reactFiber$")||r.startsWith("__reactInternalInstance$")){let o=t[r];if(o&&typeof o=="object")return o}}catch{}return null}function T(e){if(e.length<=1||e.length===2&&e[0]===e[0].toLowerCase())return  true;let t=e[0];return t>="a"&&t<="z"}function I(e){if(e){for(let t of e)if(typeof t.name=="string"&&t.name&&!T(t.name))return t.name}}function k(e){if(e&&typeof e!="string"){if(typeof e=="function"){let t=e;return typeof t.displayName=="string"&&t.displayName?t.displayName:typeof t.name=="string"&&t.name?t.name:void 0}if(typeof e=="object"){let t=e,n=t.displayName;if(typeof n=="string"&&n)return n;let r=t.render;if(typeof r=="function"){let i=r;if(typeof i.displayName=="string"&&i.displayName)return i.displayName;if(typeof i.name=="string"&&i.name)return i.name}let o=t.type;return k(o)}}}function $e(e){let t=fe(e);if(!t)return;let n=I(t._debugInfo);if(n)return n;let r=t._debugOwner!==void 0;if(r){let a=t._debugOwner;for(let l=0;a&&l<50;l+=1){let d=I(a._debugInfo);if(d)return d;let g=k(a.type)??k(a.elementType);if(g&&!T(g))return g;a=a._debugOwner;}}if(t._owner!==void 0&&t._owner!==t._debugOwner){let a=t._owner;for(let l=0;a&&l<50;l+=1){let d=I(a._debugInfo);if(d)return d;let g=k(a.type)??k(a.elementType);if(g&&!T(g))return g;a=a._owner;}}let i=t,s=r?80:25;for(let a=0;i&&a<s;a+=1){let l=I(i._debugInfo);if(l)return l;let d=k(i.type)??k(i.elementType);if(d&&!T(d))return d;i=i.return;}let c=e.parentElement;for(let a=0;c&&a<15;a+=1){let l=fe(c);if(l){let d=I(l._debugInfo);if(d)return d;let g=k(l.type)??k(l.elementType);if(g&&!T(g))return g;if(l._debugOwner){let h=k(l._debugOwner.type)??k(l._debugOwner.elementType);if(h&&!T(h))return h}if(l._owner&&l._owner!==l._debugOwner){let h=k(l._owner.type)??k(l._owner.elementType);if(h&&!T(h))return h}}c=c.parentElement;}}function ze(e){let t=e.tagName.toLowerCase(),n=e.getAttribute("id");if(n)return `#${ue(n)}`;for(let r of pe){let o=e.getAttribute(r);if(o)return `${t}[${r}="${ue(o)}"]`}return `${t}:nth-of-type(${Ue(e)})`}function Xe(e,t=10){let n=[],r=e;for(;r&&n.length<t;){let o=ze(r);if(n.unshift(o),o.startsWith("#"))break;r=r.parentElement;}return n.join(" > ")}function me(e,t){if(!t||t.length===0)return  false;for(let n of t)if(e.closest(n))return  true;return  false}function J(e,t){if(!e||me(e,t.ignoreSelectors))return null;let n=e;for(;n;){if(me(n,t.ignoreSelectors))return null;if(t.isSelectable?.(n)??Ze(n))return n;n=n.parentElement;}return null}function Ze(e){let t=e.tagName;return !(t==="HTML"||t==="BODY")}function ge(e){let t=e.getBoundingClientRect(),n={selector:Xe(e),tagName:e.tagName.toLowerCase(),rect:Y(t),pageRect:Be(t)},r=e.getAttribute("id");r&&(n.id=r);let o=e.className;typeof o=="string"&&o.trim()&&(n.className=o);let i=Oe(e);i&&(n.textSnippet=i);let s=He(e)??$e(e);s&&(n.componentName=s);let c=qe(e);return c&&(n.testId=c),n}var G=null;async function he(){return G||(G=import('html-to-image')),G}async function je(e){return await new Promise((t,n)=>{let r=new Image;r.onload=()=>t({width:r.naturalWidth,height:r.naturalHeight}),r.onerror=()=>n(new Error("Failed to load generated screenshot")),r.src=e;})}async function we(e,t){let{width:n,height:r}=await je(e);return {dataUrl:e,mime:t,width:n,height:r}}function L(e){if(e?.aborted)throw new Error("Aborted")}function ye(){return {async captureElement(e,t){if(!w())throw new Error("captureElement can only run in the browser");L(t.signal);let n=await he();L(t.signal);let r=t.mime==="image/jpeg"?await n.toJpeg(e,{quality:t.quality??.92,pixelRatio:t.pixelRatio}):await n.toPng(e,{pixelRatio:t.pixelRatio});return L(t.signal),await we(r,t.mime)},async captureFullPage(e){if(!w())throw new Error("captureFullPage can only run in the browser");L(e.signal);let t=document.documentElement,n=Math.max(t.scrollWidth,t.clientWidth),r=Math.max(t.scrollHeight,t.clientHeight),o=Math.min(1,e.maxDimension/Math.max(n,r)),i=Math.max(1,Math.round(n*o)),s=Math.max(1,Math.round(r*o)),c=await he();L(e.signal);let a=e.mime==="image/jpeg"?await c.toJpeg(t,{width:i,height:s,quality:e.quality??.92,pixelRatio:e.pixelRatio}):await c.toPng(t,{width:i,height:s,pixelRatio:e.pixelRatio});return L(e.signal),await we(a,e.mime)}}}function We(e){if(e instanceof Error)return e.message;if(typeof e=="string")return e;try{return JSON.stringify(e)}catch{return "Unknown error"}}function y(e,t,n){let r={kind:e,message:We(t)};return n&&(r.detail=n),r}var Ke=12e3,Qe=2048,Ye=.92;function be(){return Date.now()}function Je(e){return new Promise((t,n)=>{let r=()=>n(new Error("Aborted"));if(e.aborted){r();return}e.addEventListener("abort",r,{once:true});})}async function Ee(e,t,n){let r=new Promise((i,s)=>{let c=setTimeout(()=>s(new Error("Timeout")),t);typeof c.unref=="function"&&c.unref();}),o=[e,r];return n&&o.push(Je(n)),await Promise.race(o)}function Ge(e){if(!w())return 1;let t=window.devicePixelRatio||1,n=e?.pixelRatio??Math.min(t,2);return Math.max(.1,n)}function Ve(e){return !!(e?.element||e?.fullPage)}function _e(e){let t={mime:e.mime,pixelRatio:e.pixelRatio,maxDimension:e.maxDimension};return e.includeQuality&&(t.quality=e.quality),e.signal&&(t.signal=e.signal),t}async function Se(e){let{selectionElement:t,capture:n,signal:r}=e;if(!w()||!Ve(n))return;let o=be(),i=[],s=n?.timeoutMs??Ke,c=n?.maxDimension??Qe,a=n?.mime??"image/png",l=n?.quality??Ye,d=n?.adapter??ye(),g={},h=Ge(n);if(n?.element&&t)try{let f=t.getBoundingClientRect(),m=Math.min(1,c/Math.max(f.width,f.height)),v=Math.min(h,h*m),A=await Ee(Promise.resolve(d.captureElement(t,{..._e({mime:a,quality:l,pixelRatio:v,maxDimension:c,includeQuality:a==="image/jpeg",...r?{signal:r}:{}})})),s,r);g.element=A;}catch(f){if(r?.aborted)throw f;i.push(y("capture_failed",f,{target:"element"}));}if(n?.fullPage)try{let f=await Ee(Promise.resolve(d.captureFullPage(_e({mime:a,quality:l,pixelRatio:h,maxDimension:c,includeQuality:a==="image/jpeg",...r?{signal:r}:{}}))),s,r);g.fullPage=f;}catch(f){if(r?.aborted)throw f;i.push(y("capture_failed",f,{target:"fullPage"}));}let b=be(),u={startedAt:o,finishedAt:b,durationMs:Math.max(0,b-o)};return i.length>0&&(u.errors=i),{...g,diagnostics:u}}function et(){try{return Intl.DateTimeFormat().resolvedOptions().timeZone}catch{return}}function tt(){return w()?{url:window.location.href,title:document.title,referrer:document.referrer||void 0,userAgent:navigator.userAgent,language:navigator.language,platform:navigator.platform,viewport:{width:window.innerWidth,height:window.innerHeight},screen:{width:window.screen.width,height:window.screen.height},scroll:{x:window.scrollX,y:window.scrollY},devicePixelRatio:window.devicePixelRatio||1,timezone:et()}:{}}function nt(e){if(!e)return {};let t={};return e.id&&(t.userId=e.id),e.email&&(t.userEmail=e.email),e.name&&(t.userName=e.name),t}async function ke(e){let{config:t,context:n,user:r}=e;if(t?.enabled===false)return {};let o={...tt(),...nt(r)},i=t?.enrich;if(!i)return o;try{let s=await i(n);return {...o,...s}}catch(s){let c=y("unknown",s);return {...o,blocfeedMetadataError:c.message}}}var V="blocfeed-queue",rt=50;function ee(){if(!w())return [];try{let e=localStorage.getItem(V);if(!e)return [];let t=JSON.parse(e);return Array.isArray(t)?t:[]}catch{return []}}function te(e){if(w())try{e.length===0?localStorage.removeItem(V):localStorage.setItem(V,JSON.stringify(e));}catch{}}function ot(e){let t={...e};if(t.screenshots){let n={...t.screenshots};n.element&&(n.element={...n.element,dataUrl:""}),n.fullPage&&(n.fullPage={...n.fullPage,dataUrl:""}),t.screenshots=n;}return t}function ne(e){let t=ee(),n=ot(e);for(n.metadata={...n.metadata,_queued:true},t.push({payload:n,timestamp:Date.now()});t.length>rt;)t.shift();te(t);}function ve(){let e=ee();return e.length===0?[]:(te([]),e.map(t=>t.payload))}function Ot(){te([]);}function Ut(){return ee().length}function re(e){let t=null,n=null,r=(...o)=>{n=o,t===null&&(t=requestAnimationFrame(()=>{if(t=null,!n)return;let i=n;n=null,e(...i);}));};return r.cancel=()=>{t!==null&&cancelAnimationFrame(t),t=null,n=null;},r}function X(e){return e instanceof Element?!!e.closest("[data-blocfeed-ui]"):false}function Z(e){e.stopPropagation(),e.stopImmediatePropagation?.();}function Pe(e,t){if(!w())throw new Error("BlocFeed picker can only run in a browser environment.");let n=e.ignoreSelectors,r=e.isSelectable,o={};n&&n.length>0&&(o.ignoreSelectors=n),r&&(o.isSelectable=r);let i=null,s=null,c=(u,f=false)=>{if(!u){i=null,s=null,t.onHover(null);return}let m=Y(u.getBoundingClientRect()),v=`${Math.round(m.x)}:${Math.round(m.y)}:${Math.round(m.width)}:${Math.round(m.height)}`;!f&&u===i&&v===s||(i=u,s=v,t.onHover({element:u,rect:m}));},a=re(u=>{if(X(u.target))return;let f=document.elementFromPoint(u.clientX,u.clientY),m=J(f,o);c(m);}),l=re(()=>{i&&c(i,true);}),d=u=>{X(u.target)||(Z(u),u.pointerType==="mouse"&&u.preventDefault());},g=u=>{X(u.target)||(Z(u),u.pointerType==="mouse"&&u.preventDefault());},h=u=>{if(X(u.target))return;Z(u),u.preventDefault();let f=document.elementFromPoint(u.clientX,u.clientY),m=J(f,o);m&&t.onSelect({element:m,descriptor:ge(m)});},b=u=>{u.key==="Escape"&&(Z(u),u.preventDefault(),t.onCancel());};return window.addEventListener("pointermove",a,{capture:true,passive:true}),window.addEventListener("pointerdown",d,{capture:true}),window.addEventListener("pointerup",g,{capture:true}),window.addEventListener("click",h,{capture:true}),window.addEventListener("keydown",b,{capture:true}),window.addEventListener("scroll",l,{capture:true,passive:true}),window.addEventListener("resize",l,{passive:true}),{stop(){window.removeEventListener("pointermove",a,{capture:true}),window.removeEventListener("pointerdown",d,{capture:true}),window.removeEventListener("pointerup",g,{capture:true}),window.removeEventListener("click",h,{capture:true}),window.removeEventListener("keydown",b,{capture:true}),window.removeEventListener("scroll",l,{capture:true}),window.removeEventListener("resize",l),a.cancel(),l.cancel(),t.onHover(null);}}}var it=12e3,at=2,st=500,ct=2e3,Re="https://blocfeed.com/api/feedback",Ae=0;function xe(e,t){return new Promise((n,r)=>{if(t?.aborted){r(new Error("Aborted"));return}let o=setTimeout(n,e),i=()=>{clearTimeout(o),r(new Error("Aborted"));};t?.addEventListener("abort",i,{once:true});})}function lt(e){return e>=500&&e<=599}function ut(e){let[t,n]=e.split(",",2);if(!t||!n)throw new Error("Invalid data URL");let o=/data:(.*?);base64/.exec(t)?.[1]||"application/octet-stream",i=atob(n),s=new Uint8Array(i.length);for(let c=0;c<i.length;c+=1)s[c]=i.charCodeAt(c);return new Blob([s],{type:o})}function dt(e){let t={},n={...e};if(n.screenshots){let r={},o={...n.screenshots};o.element&&(t.element=o.element.dataUrl,r.element={mime:o.element.mime,width:o.element.width,height:o.element.height},o.element={...o.element,dataUrl:""}),o.fullPage&&(t.fullPage=o.fullPage.dataUrl,r.fullPage={mime:o.fullPage.mime,width:o.fullPage.width,height:o.fullPage.height},o.fullPage={...o.fullPage,dataUrl:""}),n.screenshots=o,(r.element||r.fullPage)&&(n.screenshot_intent=r);}return {lean:n,extracted:t}}async function Te(e,t,n){let r=ut(t);await fetch(e,{method:"PUT",body:r,headers:{"content-type":r.type},...n?{signal:n}:{}});}async function ft(e){let{feedbackId:t,extracted:n,screenshots:r,signal:o}=e,i={};n.element&&r?.element&&(i.element={dataUrl:n.element,mime:r.element.mime,width:r.element.width,height:r.element.height}),n.fullPage&&r?.fullPage&&(i.fullPage={dataUrl:n.fullPage,mime:r.fullPage.mime,width:r.fullPage.width,height:r.fullPage.height}),Object.keys(i).length!==0&&await fetch(`${Re}/${t}/screenshots`,{method:"POST",headers:{"content-type":"application/json"},body:JSON.stringify(i),...o?{signal:o}:{}});}async function Fe(e){let{signal:t,transport:n}=e;if(Date.now()-Ae<ct)return {ok:false,error:y("configuration",new Error("Please wait before submitting again"))};let o=n?.timeoutMs??it,i=n?.maxAttempts??at,s=n?.backoffMs??st,c=!!(e.payload.screenshots?.element?.dataUrl||e.payload.screenshots?.fullPage?.dataUrl),{lean:a,extracted:l}=c?dt(e.payload):{lean:e.payload,extracted:{}},d={...l,...e.screenshotDataUrls};for(let g=1;g<=i;g+=1){let h=new AbortController,b=setTimeout(()=>h.abort(),o),u=()=>h.abort();t&&t.addEventListener("abort",u,{once:true});try{let f=await fetch(Re,{method:"POST",headers:{"content-type":"application/json"},body:JSON.stringify(a),signal:h.signal});if(f.ok){Ae=Date.now();let m;try{m=await f.json();}catch{}if((d.element||d.fullPage)&&m){let p=m.upload_urls;if(p){let _=[];d.element&&p.element&&_.push(Te(p.element,d.element,t)),d.fullPage&&p.fullPage&&_.push(Te(p.fullPage,d.fullPage,t));try{await Promise.all(_);}catch{}}else if(m.feedback_id)try{await ft({feedbackId:m.feedback_id,extracted:d,screenshots:e.payload.screenshots,...t?{signal:t}:{}});}catch{}}let A={ok:!0,status:f.status};return m&&(A.apiResponse=m),A}if(g<i&&lt(f.status)){let m=.85+Math.random()*.3,v=Math.round(s*2**(g-1)*m);await xe(v,t);continue}return {ok:!1,status:f.status,error:y("api_failed",new Error(`HTTP ${f.status}`))}}catch(f){if(h.signal.aborted||t?.aborted)return {ok:false,error:y("aborted",f)};if(g<i){let m=.85+Math.random()*.3,v=Math.round(s*2**(g-1)*m);await xe(v,t);continue}return {ok:false,error:y("api_failed",f)}}finally{clearTimeout(b),t&&t.removeEventListener("abort",u);}}return {ok:false,error:y("api_failed",new Error("Failed"))}}async function oe(e){let{signal:t,transport:n}=e,r={ok:false};try{let o={payload:e.payload,...t?{signal:t}:{},...n?{transport:n}:{}};r.api=await Fe(o),r.ok=!!r.api?.ok;}catch(o){r.api={ok:false,error:y("api_failed",o)},r.ok=false;}return {payload:e.payload,result:r}}var mt=["[data-blocfeed-ui]","[data-blocfeed-ignore]"];function pt(e){let t=[...mt,...e?.ignoreSelectors??[]],n=Array.from(new Set(t));return {...e,ignoreSelectors:n}}function Ce(){return {phase:"idle"}}function gt(e){if(e.ok)return  false;let t=e.api;return t?t.status&&t.status>=400&&t.status<500||t.error?.kind==="aborted"||t.error?.kind==="configuration"?false:!t.ok:true}function rn(e){let t=e,n=Ce(),r=new Set,o=new Set,i=null,s=null,c=null,a=null,l=0,d=null,g=()=>{for(let p of r)p(n);},h=p=>{for(let _ of o)_(p);},b=p=>{n=p,g();},u=()=>{l+=1,a?.abort(),a=null;},f=()=>{i?.stop(),i=null,h(null),c!==null&&w()&&(document.documentElement.style.cursor=c,c=null);},m=()=>{u(),f(),s=null,b(Ce());},v=()=>{if(!w())return;f(),s=null;let p=pt(t.picker);c=document.documentElement.style.cursor,document.documentElement.style.cursor="crosshair",b({phase:"picking"}),i=Pe(p,{onHover:h,onSelect:({element:_,descriptor:z})=>{s=_,f(),b({phase:"review",selection:z});},onCancel:()=>{m();}});},A=()=>{let p=ve();if(p.length!==0)for(let _ of p)oe({payload:_,...t.transport?{transport:t.transport}:{}}).catch(()=>{ne(_);});};if(w()){setTimeout(A,1e3);let p=()=>A();window.addEventListener("online",p),d=()=>window.removeEventListener("online",p);}return {getState:()=>n,subscribe(p){return r.add(p),()=>r.delete(p)},subscribeHover(p){return o.add(p),()=>o.delete(p)},start(){n.phase==="capturing"||n.phase==="submitting"||n.phase!=="picking"&&v();},stop(){m();},clearSelection(){n.phase==="capturing"||n.phase==="submitting"||v();},setConfig(p){t=p;},async submit(p,_){if(!w()){let E=y("configuration",new Error("BlocFeed submit can only run in the browser"));return b({phase:"error",lastError:E}),{ok:false}}let z=t.blocfeed_id?.trim?.()??"";if(!z){let x={phase:"error",lastError:y("configuration",new Error("Missing blocfeed_id. Create a project in BlocFeed and pass its blocfeed_id."))};return n.selection&&(x.selection=n.selection),b(x),{ok:false}}if(n.phase==="capturing"||n.phase==="submitting")return {ok:false};let N=l+1;l=N,a?.abort(),a=new AbortController;let F=a.signal,S=n.selection,W=_?.capture?{...t.capture,..._.capture}:t.capture,ce=!!(W?.element||W?.fullPage),le={phase:ce?"capturing":"submitting"};S&&(le.selection=S),b(le);try{let E=ce?await Se({selectionElement:s,capture:W,signal:F}):void 0;if(F.aborted||l!==N)return {ok:!1};let x={phase:"submitting"};S&&(x.selection=S),E&&(x.capture=E),b(x);let C={};S&&(C.selection=S),E&&(C.capture=E);let Ne=await ke({config:t.metadata,context:C,...t.user?{user:t.user}:{}}),M={version:1,createdAt:new Date().toISOString(),blocfeed_id:z,message:p,metadata:Ne};_?.category&&(M.category=_.category),t.user&&(M.user=t.user),S&&(M.selection=S),E&&(M.screenshots=E);let{result:P}=await oe({payload:M,signal:F,...t.transport?{transport:t.transport}:{}});if(F.aborted||l!==N)return P;if(P.ok){let Q={phase:"success",lastSubmit:P};return S&&(Q.selection=S),E&&(Q.capture=E),b(Q),P}gt(P)&&ne(M);let Ie=P.api?.error??y("unknown",new Error("Submission failed")),K={phase:"error",lastSubmit:P,lastError:Ie};return S&&(K.selection=S),E&&(K.capture=E),b(K),P}catch(E){if(F.aborted||l!==N)return {ok:false};let C={phase:"error",lastError:F.aborted?y("aborted",E):y("unknown",E)};return S&&(C.selection=S),b(C),{ok:false}}finally{l===N&&(a=null);}},__unsafeGetSelectedElement(){return s},destroy(){m(),r.clear(),o.clear(),d?.(),d=null;}}}var B=[],D=[],Me=20,Le=15,O={},U=null,H=null,q=null,j=false;function ht(e){if(e instanceof Error)return e.message;if(typeof e=="string")return e;try{return JSON.stringify(e)}catch{return String(e)}}function wt(e,t){let n=t.map(ht).join(" "),r=t.find(i=>i instanceof Error),o={level:e,message:n.slice(0,2e3),timestamp:Date.now()};for(r?.stack&&(o.stack=r.stack.slice(0,2e3)),B.push(o);B.length>Me;)B.shift();}function ie(e){if(!e.url.includes("blocfeed.com"))for(D.push(e);D.length>Le;)D.shift();}function sn(e={}){if(!(j||!w())){if(j=true,Me=e.consoleLimit??20,Le=e.networkLimit??15,e.console!==false){let t=e.consoleLevels??["error","warn"];for(let n of t)O[n]=console[n],console[n]=(...r)=>{wt(n,r),O[n]?.apply(console,r);};}if(e.network!==false&&typeof window.fetch=="function"){U=window.fetch;let t=U;window.fetch=async function(r,o){let i=typeof r=="string"?r:r instanceof URL?r.toString():r.url,s=(o?.method??"GET").toUpperCase(),c=Date.now();try{let a=await t.call(window,r,o);return a.ok||ie({url:i.slice(0,500),method:s,status:a.status,statusText:a.statusText,timestamp:c,durationMs:Date.now()-c}),a}catch(a){throw ie({url:i.slice(0,500),method:s,status:0,statusText:a instanceof Error?a.message:"Network error",timestamp:c,durationMs:Date.now()-c}),a}};}if(e.network!==false&&typeof XMLHttpRequest<"u"){H=XMLHttpRequest.prototype.open,q=XMLHttpRequest.prototype.send;let t=H,n=q;XMLHttpRequest.prototype.open=function(r,o,...i){return this.__bf_method=r.toUpperCase(),this.__bf_url=String(o),t.apply(this,[r,o,...i])},XMLHttpRequest.prototype.send=function(...r){let o=this.__bf_method||"GET",i=this.__bf_url||"",s=Date.now();return this.addEventListener("loadend",function(){if(this.status>=400||this.status===0){let c={url:i.slice(0,500),method:o,status:this.status,timestamp:s,durationMs:Date.now()-s};this.statusText&&(c.statusText=this.statusText),ie(c);}}),n.apply(this,r)};}}}function cn(){if(j){for(let[e,t]of Object.entries(O))console[e]=t;for(let e of Object.keys(O))delete O[e];U&&(window.fetch=U,U=null),H&&(XMLHttpRequest.prototype.open=H,H=null),q&&(XMLHttpRequest.prototype.send=q,q=null),j=false;}}function ln(){return {consoleLogs:[...B],networkErrors:[...D]}}function un(){B=[],D=[];}var yt=[{name:"supabase_service_role_key",pattern:/SUPABASE_SERVICE_ROLE_KEY["'=:\s]+[A-Za-z0-9_.=-]{30,}/},{name:"supabase_db_password",pattern:/SUPABASE_DB_PASSWORD["'=:\s]+[^\s"']{6,}/},{name:"postgres_password",pattern:/POSTGRES_PASSWORD["'=:\s]+[^\s"']{6,}/},{name:"database_url_with_creds",pattern:/(?:postgres|postgresql|mysql|mongodb|redis|amqp):\/\/[^:]+:[^@\s"']+@/},{name:"aws_access_key",pattern:/AKIA[0-9A-Z]{16}/},{name:"aws_secret_key",pattern:/AWS_SECRET_ACCESS_KEY["'=:\s]+[A-Za-z0-9/+=]{30,}/},{name:"aws_session_token",pattern:/AWS_SESSION_TOKEN["'=:\s]+[A-Za-z0-9/+=]{30,}/},{name:"stripe_secret_key",pattern:/sk_live_[a-zA-Z0-9]{10,}/},{name:"stripe_secret_key_test",pattern:/sk_test_[a-zA-Z0-9]{10,}/},{name:"stripe_restricted_key",pattern:/rk_(?:live|test)_[a-zA-Z0-9]{10,}/},{name:"github_pat",pattern:/ghp_[A-Za-z0-9_]{36,}/},{name:"github_oauth",pattern:/gho_[A-Za-z0-9_]{36,}/},{name:"github_user_token",pattern:/ghu_[A-Za-z0-9_]{36,}/},{name:"github_server_token",pattern:/ghs_[A-Za-z0-9_]{36,}/},{name:"github_fine_grained",pattern:/github_pat_[A-Za-z0-9_]{22,}/},{name:"openai_api_key",pattern:/sk-[a-zA-Z0-9]{20,}(?![a-zA-Z0-9_])/},{name:"anthropic_api_key",pattern:/sk-ant-[a-zA-Z0-9\-_]{20,}/},{name:"private_key",pattern:/-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----/},{name:"sendgrid_api_key",pattern:/SG\.[a-zA-Z0-9_-]{22,}\.[a-zA-Z0-9_-]{22,}/},{name:"twilio_auth_token",pattern:/TWILIO_AUTH_TOKEN["'=:\s]+[a-f0-9]{32}/},{name:"generic_secret_key",pattern:/[A-Z_]{2,}_SECRET_KEY["'=:\s]+[^\s"']{8,}/},{name:"generic_secret",pattern:/[A-Z_]{2,}_SECRET["'=:\s]+[^\s"']{8,}/},{name:"generic_password",pattern:/[A-Z_]{2,}_PASSWORD["'=:\s]+[^\s"']{6,}/},{name:"generic_private_key_var",pattern:/[A-Z_]{2,}_PRIVATE_KEY["'=:\s]+[^\s"']{8,}/}],R=[],se=0,ae=false;function bt(e){let t=e.slice(0,80);return t.length<=6?"***":t.slice(0,6)+"***"}function Et(e,t,n,r){if(R.some(s=>s.rule===e&&s.source===t))return;let i={rule:e,source:t,hint:bt(n),timestamp:Date.now()};r&&(i.location=r),R.push(i);}function $(e,t,n,r){for(let{name:o,pattern:i}of n){let s=i.exec(e);s&&Et(o,t,s[0],r);}}function _t(e){try{let t=window;if(t.__NEXT_DATA__){let n=JSON.stringify(t.__NEXT_DATA__);$(n,"hydration",e,"__NEXT_DATA__");}if(t.__NUXT__){let n=JSON.stringify(t.__NUXT__);$(n,"hydration",e,"__NUXT__");}}catch{}}function St(e){try{document.querySelectorAll("script:not([src])").forEach((n,r)=>{let o=n.textContent;o&&o.length>0&&$(o,"scripts",e,`inline-script[${r}]`);});}catch{}}function kt(e){try{document.querySelectorAll("meta[content]").forEach(n=>{let r=n.getAttribute("content"),o=n.getAttribute("name")||n.getAttribute("property")||"";r&&r.length>10&&$(r,"meta",e,o?`meta[${o}]`:void 0);});}catch{}}function vt(e){try{document.querySelectorAll("[data-api-key], [data-secret], [data-token], [data-password]").forEach(n=>{let r=n.attributes;for(let o=0;o<r.length;o++){let i=r[o];i.name.startsWith("data-")&&i.value.length>10&&$(i.value,"dom",e,`${n.tagName.toLowerCase()}[${i.name}]`);}});}catch{}}function mn(e={}){if(ae||!w()||(ae=true,e.secretScan===false))return;let t=[...yt,...e.customPatterns??[]],n=e.scanTargets??["hydration","scripts","meta","dom"];setTimeout(()=>{se=Date.now(),n.includes("hydration")&&_t(t),n.includes("scripts")&&St(t),n.includes("meta")&&kt(t),n.includes("dom")&&vt(t);let r=e.notify??"both";R.length>0&&(r==="console"||r==="both")&&console.warn(`[BlocFeed Security] Found ${R.length} potential secret(s) exposed in client code:`,R.map(o=>`${o.rule} (${o.source}${o.location?`: ${o.location}`:""})`));},100);}function pn(){return {findings:[...R],scannedAt:se}}function gn(){R=[],se=0,ae=false;}
+exports.a=w;exports.b=Y;exports.c=ye;exports.d=Se;exports.e=ke;exports.f=ne;exports.g=ve;exports.h=Ot;exports.i=Ut;exports.j=rn;exports.k=sn;exports.l=cn;exports.m=ln;exports.n=un;exports.o=mn;exports.p=pn;exports.q=gn;

package/dist/chunk-LAK7UUTC.js

@@ -0,0 +1,2 @@
+function w(){return typeof window<"u"&&typeof document<"u"}function ue(e){let t=globalThis.CSS;return typeof t?.escape=="function"?t.escape(e):e.replace(/[^a-zA-Z0-9_-]/g,n=>{let r=n.codePointAt(0);return r===void 0?"":`\\${r.toString(16)} `})}function Y(e){return {x:e.x,y:e.y,width:e.width,height:e.height}}function Be(e){return {x:e.x+window.scrollX,y:e.y+window.scrollY,width:e.width,height:e.height}}function De(e){return e.replace(/\s+/g," ").trim()}function Oe(e,t=140){let n=e.textContent;if(!n)return;let r=De(n);if(r)return r.length<=t?r:`${r.slice(0,t-1)}\u2026`}function Ue(e){let t=1;for(let n=e.previousElementSibling;n;n=n.previousElementSibling)n.tagName===e.tagName&&(t+=1);return t}var pe=["data-testid","data-test-id","data-test","data-qa","data-cy"],de="data-blocfeed-component";function He(e){let t=e.closest(`[${de}]`);if(!t)return;let r=t.getAttribute(de)?.trim();return r||void 0}function qe(e){for(let t of pe){let n=e.closest(`[${t}]`);if(!n)continue;let o=n.getAttribute(t)?.trim();if(o)return o}}function fe(e){try{let t=e,n=Object.getOwnPropertyNames(t);for(let r of n)if(r.startsWith("__reactFiber$")||r.startsWith("__reactInternalInstance$")){let o=t[r];if(o&&typeof o=="object")return o}}catch{}return null}function T(e){if(e.length<=1||e.length===2&&e[0]===e[0].toLowerCase())return  true;let t=e[0];return t>="a"&&t<="z"}function I(e){if(e){for(let t of e)if(typeof t.name=="string"&&t.name&&!T(t.name))return t.name}}function k(e){if(e&&typeof e!="string"){if(typeof e=="function"){let t=e;return typeof t.displayName=="string"&&t.displayName?t.displayName:typeof t.name=="string"&&t.name?t.name:void 0}if(typeof e=="object"){let t=e,n=t.displayName;if(typeof n=="string"&&n)return n;let r=t.render;if(typeof r=="function"){let i=r;if(typeof i.displayName=="string"&&i.displayName)return i.displayName;if(typeof i.name=="string"&&i.name)return i.name}let o=t.type;return k(o)}}}function $e(e){let t=fe(e);if(!t)return;let n=I(t._debugInfo);if(n)return n;let r=t._debugOwner!==void 0;if(r){let a=t._debugOwner;for(let l=0;a&&l<50;l+=1){let d=I(a._debugInfo);if(d)return d;let g=k(a.type)??k(a.elementType);if(g&&!T(g))return g;a=a._debugOwner;}}if(t._owner!==void 0&&t._owner!==t._debugOwner){let a=t._owner;for(let l=0;a&&l<50;l+=1){let d=I(a._debugInfo);if(d)return d;let g=k(a.type)??k(a.elementType);if(g&&!T(g))return g;a=a._owner;}}let i=t,s=r?80:25;for(let a=0;i&&a<s;a+=1){let l=I(i._debugInfo);if(l)return l;let d=k(i.type)??k(i.elementType);if(d&&!T(d))return d;i=i.return;}let c=e.parentElement;for(let a=0;c&&a<15;a+=1){let l=fe(c);if(l){let d=I(l._debugInfo);if(d)return d;let g=k(l.type)??k(l.elementType);if(g&&!T(g))return g;if(l._debugOwner){let h=k(l._debugOwner.type)??k(l._debugOwner.elementType);if(h&&!T(h))return h}if(l._owner&&l._owner!==l._debugOwner){let h=k(l._owner.type)??k(l._owner.elementType);if(h&&!T(h))return h}}c=c.parentElement;}}function ze(e){let t=e.tagName.toLowerCase(),n=e.getAttribute("id");if(n)return `#${ue(n)}`;for(let r of pe){let o=e.getAttribute(r);if(o)return `${t}[${r}="${ue(o)}"]`}return `${t}:nth-of-type(${Ue(e)})`}function Xe(e,t=10){let n=[],r=e;for(;r&&n.length<t;){let o=ze(r);if(n.unshift(o),o.startsWith("#"))break;r=r.parentElement;}return n.join(" > ")}function me(e,t){if(!t||t.length===0)return  false;for(let n of t)if(e.closest(n))return  true;return  false}function J(e,t){if(!e||me(e,t.ignoreSelectors))return null;let n=e;for(;n;){if(me(n,t.ignoreSelectors))return null;if(t.isSelectable?.(n)??Ze(n))return n;n=n.parentElement;}return null}function Ze(e){let t=e.tagName;return !(t==="HTML"||t==="BODY")}function ge(e){let t=e.getBoundingClientRect(),n={selector:Xe(e),tagName:e.tagName.toLowerCase(),rect:Y(t),pageRect:Be(t)},r=e.getAttribute("id");r&&(n.id=r);let o=e.className;typeof o=="string"&&o.trim()&&(n.className=o);let i=Oe(e);i&&(n.textSnippet=i);let s=He(e)??$e(e);s&&(n.componentName=s);let c=qe(e);return c&&(n.testId=c),n}var G=null;async function he(){return G||(G=import('html-to-image')),G}async function je(e){return await new Promise((t,n)=>{let r=new Image;r.onload=()=>t({width:r.naturalWidth,height:r.naturalHeight}),r.onerror=()=>n(new Error("Failed to load generated screenshot")),r.src=e;})}async function we(e,t){let{width:n,height:r}=await je(e);return {dataUrl:e,mime:t,width:n,height:r}}function L(e){if(e?.aborted)throw new Error("Aborted")}function ye(){return {async captureElement(e,t){if(!w())throw new Error("captureElement can only run in the browser");L(t.signal);let n=await he();L(t.signal);let r=t.mime==="image/jpeg"?await n.toJpeg(e,{quality:t.quality??.92,pixelRatio:t.pixelRatio}):await n.toPng(e,{pixelRatio:t.pixelRatio});return L(t.signal),await we(r,t.mime)},async captureFullPage(e){if(!w())throw new Error("captureFullPage can only run in the browser");L(e.signal);let t=document.documentElement,n=Math.max(t.scrollWidth,t.clientWidth),r=Math.max(t.scrollHeight,t.clientHeight),o=Math.min(1,e.maxDimension/Math.max(n,r)),i=Math.max(1,Math.round(n*o)),s=Math.max(1,Math.round(r*o)),c=await he();L(e.signal);let a=e.mime==="image/jpeg"?await c.toJpeg(t,{width:i,height:s,quality:e.quality??.92,pixelRatio:e.pixelRatio}):await c.toPng(t,{width:i,height:s,pixelRatio:e.pixelRatio});return L(e.signal),await we(a,e.mime)}}}function We(e){if(e instanceof Error)return e.message;if(typeof e=="string")return e;try{return JSON.stringify(e)}catch{return "Unknown error"}}function y(e,t,n){let r={kind:e,message:We(t)};return n&&(r.detail=n),r}var Ke=12e3,Qe=2048,Ye=.92;function be(){return Date.now()}function Je(e){return new Promise((t,n)=>{let r=()=>n(new Error("Aborted"));if(e.aborted){r();return}e.addEventListener("abort",r,{once:true});})}async function Ee(e,t,n){let r=new Promise((i,s)=>{let c=setTimeout(()=>s(new Error("Timeout")),t);typeof c.unref=="function"&&c.unref();}),o=[e,r];return n&&o.push(Je(n)),await Promise.race(o)}function Ge(e){if(!w())return 1;let t=window.devicePixelRatio||1,n=e?.pixelRatio??Math.min(t,2);return Math.max(.1,n)}function Ve(e){return !!(e?.element||e?.fullPage)}function _e(e){let t={mime:e.mime,pixelRatio:e.pixelRatio,maxDimension:e.maxDimension};return e.includeQuality&&(t.quality=e.quality),e.signal&&(t.signal=e.signal),t}async function Se(e){let{selectionElement:t,capture:n,signal:r}=e;if(!w()||!Ve(n))return;let o=be(),i=[],s=n?.timeoutMs??Ke,c=n?.maxDimension??Qe,a=n?.mime??"image/png",l=n?.quality??Ye,d=n?.adapter??ye(),g={},h=Ge(n);if(n?.element&&t)try{let f=t.getBoundingClientRect(),m=Math.min(1,c/Math.max(f.width,f.height)),v=Math.min(h,h*m),A=await Ee(Promise.resolve(d.captureElement(t,{..._e({mime:a,quality:l,pixelRatio:v,maxDimension:c,includeQuality:a==="image/jpeg",...r?{signal:r}:{}})})),s,r);g.element=A;}catch(f){if(r?.aborted)throw f;i.push(y("capture_failed",f,{target:"element"}));}if(n?.fullPage)try{let f=await Ee(Promise.resolve(d.captureFullPage(_e({mime:a,quality:l,pixelRatio:h,maxDimension:c,includeQuality:a==="image/jpeg",...r?{signal:r}:{}}))),s,r);g.fullPage=f;}catch(f){if(r?.aborted)throw f;i.push(y("capture_failed",f,{target:"fullPage"}));}let b=be(),u={startedAt:o,finishedAt:b,durationMs:Math.max(0,b-o)};return i.length>0&&(u.errors=i),{...g,diagnostics:u}}function et(){try{return Intl.DateTimeFormat().resolvedOptions().timeZone}catch{return}}function tt(){return w()?{url:window.location.href,title:document.title,referrer:document.referrer||void 0,userAgent:navigator.userAgent,language:navigator.language,platform:navigator.platform,viewport:{width:window.innerWidth,height:window.innerHeight},screen:{width:window.screen.width,height:window.screen.height},scroll:{x:window.scrollX,y:window.scrollY},devicePixelRatio:window.devicePixelRatio||1,timezone:et()}:{}}function nt(e){if(!e)return {};let t={};return e.id&&(t.userId=e.id),e.email&&(t.userEmail=e.email),e.name&&(t.userName=e.name),t}async function ke(e){let{config:t,context:n,user:r}=e;if(t?.enabled===false)return {};let o={...tt(),...nt(r)},i=t?.enrich;if(!i)return o;try{let s=await i(n);return {...o,...s}}catch(s){let c=y("unknown",s);return {...o,blocfeedMetadataError:c.message}}}var V="blocfeed-queue",rt=50;function ee(){if(!w())return [];try{let e=localStorage.getItem(V);if(!e)return [];let t=JSON.parse(e);return Array.isArray(t)?t:[]}catch{return []}}function te(e){if(w())try{e.length===0?localStorage.removeItem(V):localStorage.setItem(V,JSON.stringify(e));}catch{}}function ot(e){let t={...e};if(t.screenshots){let n={...t.screenshots};n.element&&(n.element={...n.element,dataUrl:""}),n.fullPage&&(n.fullPage={...n.fullPage,dataUrl:""}),t.screenshots=n;}return t}function ne(e){let t=ee(),n=ot(e);for(n.metadata={...n.metadata,_queued:true},t.push({payload:n,timestamp:Date.now()});t.length>rt;)t.shift();te(t);}function ve(){let e=ee();return e.length===0?[]:(te([]),e.map(t=>t.payload))}function Ot(){te([]);}function Ut(){return ee().length}function re(e){let t=null,n=null,r=(...o)=>{n=o,t===null&&(t=requestAnimationFrame(()=>{if(t=null,!n)return;let i=n;n=null,e(...i);}));};return r.cancel=()=>{t!==null&&cancelAnimationFrame(t),t=null,n=null;},r}function X(e){return e instanceof Element?!!e.closest("[data-blocfeed-ui]"):false}function Z(e){e.stopPropagation(),e.stopImmediatePropagation?.();}function Pe(e,t){if(!w())throw new Error("BlocFeed picker can only run in a browser environment.");let n=e.ignoreSelectors,r=e.isSelectable,o={};n&&n.length>0&&(o.ignoreSelectors=n),r&&(o.isSelectable=r);let i=null,s=null,c=(u,f=false)=>{if(!u){i=null,s=null,t.onHover(null);return}let m=Y(u.getBoundingClientRect()),v=`${Math.round(m.x)}:${Math.round(m.y)}:${Math.round(m.width)}:${Math.round(m.height)}`;!f&&u===i&&v===s||(i=u,s=v,t.onHover({element:u,rect:m}));},a=re(u=>{if(X(u.target))return;let f=document.elementFromPoint(u.clientX,u.clientY),m=J(f,o);c(m);}),l=re(()=>{i&&c(i,true);}),d=u=>{X(u.target)||(Z(u),u.pointerType==="mouse"&&u.preventDefault());},g=u=>{X(u.target)||(Z(u),u.pointerType==="mouse"&&u.preventDefault());},h=u=>{if(X(u.target))return;Z(u),u.preventDefault();let f=document.elementFromPoint(u.clientX,u.clientY),m=J(f,o);m&&t.onSelect({element:m,descriptor:ge(m)});},b=u=>{u.key==="Escape"&&(Z(u),u.preventDefault(),t.onCancel());};return window.addEventListener("pointermove",a,{capture:true,passive:true}),window.addEventListener("pointerdown",d,{capture:true}),window.addEventListener("pointerup",g,{capture:true}),window.addEventListener("click",h,{capture:true}),window.addEventListener("keydown",b,{capture:true}),window.addEventListener("scroll",l,{capture:true,passive:true}),window.addEventListener("resize",l,{passive:true}),{stop(){window.removeEventListener("pointermove",a,{capture:true}),window.removeEventListener("pointerdown",d,{capture:true}),window.removeEventListener("pointerup",g,{capture:true}),window.removeEventListener("click",h,{capture:true}),window.removeEventListener("keydown",b,{capture:true}),window.removeEventListener("scroll",l,{capture:true}),window.removeEventListener("resize",l),a.cancel(),l.cancel(),t.onHover(null);}}}var it=12e3,at=2,st=500,ct=2e3,Re="https://blocfeed.com/api/feedback",Ae=0;function xe(e,t){return new Promise((n,r)=>{if(t?.aborted){r(new Error("Aborted"));return}let o=setTimeout(n,e),i=()=>{clearTimeout(o),r(new Error("Aborted"));};t?.addEventListener("abort",i,{once:true});})}function lt(e){return e>=500&&e<=599}function ut(e){let[t,n]=e.split(",",2);if(!t||!n)throw new Error("Invalid data URL");let o=/data:(.*?);base64/.exec(t)?.[1]||"application/octet-stream",i=atob(n),s=new Uint8Array(i.length);for(let c=0;c<i.length;c+=1)s[c]=i.charCodeAt(c);return new Blob([s],{type:o})}function dt(e){let t={},n={...e};if(n.screenshots){let r={},o={...n.screenshots};o.element&&(t.element=o.element.dataUrl,r.element={mime:o.element.mime,width:o.element.width,height:o.element.height},o.element={...o.element,dataUrl:""}),o.fullPage&&(t.fullPage=o.fullPage.dataUrl,r.fullPage={mime:o.fullPage.mime,width:o.fullPage.width,height:o.fullPage.height},o.fullPage={...o.fullPage,dataUrl:""}),n.screenshots=o,(r.element||r.fullPage)&&(n.screenshot_intent=r);}return {lean:n,extracted:t}}async function Te(e,t,n){let r=ut(t);await fetch(e,{method:"PUT",body:r,headers:{"content-type":r.type},...n?{signal:n}:{}});}async function ft(e){let{feedbackId:t,extracted:n,screenshots:r,signal:o}=e,i={};n.element&&r?.element&&(i.element={dataUrl:n.element,mime:r.element.mime,width:r.element.width,height:r.element.height}),n.fullPage&&r?.fullPage&&(i.fullPage={dataUrl:n.fullPage,mime:r.fullPage.mime,width:r.fullPage.width,height:r.fullPage.height}),Object.keys(i).length!==0&&await fetch(`${Re}/${t}/screenshots`,{method:"POST",headers:{"content-type":"application/json"},body:JSON.stringify(i),...o?{signal:o}:{}});}async function Fe(e){let{signal:t,transport:n}=e;if(Date.now()-Ae<ct)return {ok:false,error:y("configuration",new Error("Please wait before submitting again"))};let o=n?.timeoutMs??it,i=n?.maxAttempts??at,s=n?.backoffMs??st,c=!!(e.payload.screenshots?.element?.dataUrl||e.payload.screenshots?.fullPage?.dataUrl),{lean:a,extracted:l}=c?dt(e.payload):{lean:e.payload,extracted:{}},d={...l,...e.screenshotDataUrls};for(let g=1;g<=i;g+=1){let h=new AbortController,b=setTimeout(()=>h.abort(),o),u=()=>h.abort();t&&t.addEventListener("abort",u,{once:true});try{let f=await fetch(Re,{method:"POST",headers:{"content-type":"application/json"},body:JSON.stringify(a),signal:h.signal});if(f.ok){Ae=Date.now();let m;try{m=await f.json();}catch{}if((d.element||d.fullPage)&&m){let p=m.upload_urls;if(p){let _=[];d.element&&p.element&&_.push(Te(p.element,d.element,t)),d.fullPage&&p.fullPage&&_.push(Te(p.fullPage,d.fullPage,t));try{await Promise.all(_);}catch{}}else if(m.feedback_id)try{await ft({feedbackId:m.feedback_id,extracted:d,screenshots:e.payload.screenshots,...t?{signal:t}:{}});}catch{}}let A={ok:!0,status:f.status};return m&&(A.apiResponse=m),A}if(g<i&&lt(f.status)){let m=.85+Math.random()*.3,v=Math.round(s*2**(g-1)*m);await xe(v,t);continue}return {ok:!1,status:f.status,error:y("api_failed",new Error(`HTTP ${f.status}`))}}catch(f){if(h.signal.aborted||t?.aborted)return {ok:false,error:y("aborted",f)};if(g<i){let m=.85+Math.random()*.3,v=Math.round(s*2**(g-1)*m);await xe(v,t);continue}return {ok:false,error:y("api_failed",f)}}finally{clearTimeout(b),t&&t.removeEventListener("abort",u);}}return {ok:false,error:y("api_failed",new Error("Failed"))}}async function oe(e){let{signal:t,transport:n}=e,r={ok:false};try{let o={payload:e.payload,...t?{signal:t}:{},...n?{transport:n}:{}};r.api=await Fe(o),r.ok=!!r.api?.ok;}catch(o){r.api={ok:false,error:y("api_failed",o)},r.ok=false;}return {payload:e.payload,result:r}}var mt=["[data-blocfeed-ui]","[data-blocfeed-ignore]"];function pt(e){let t=[...mt,...e?.ignoreSelectors??[]],n=Array.from(new Set(t));return {...e,ignoreSelectors:n}}function Ce(){return {phase:"idle"}}function gt(e){if(e.ok)return  false;let t=e.api;return t?t.status&&t.status>=400&&t.status<500||t.error?.kind==="aborted"||t.error?.kind==="configuration"?false:!t.ok:true}function rn(e){let t=e,n=Ce(),r=new Set,o=new Set,i=null,s=null,c=null,a=null,l=0,d=null,g=()=>{for(let p of r)p(n);},h=p=>{for(let _ of o)_(p);},b=p=>{n=p,g();},u=()=>{l+=1,a?.abort(),a=null;},f=()=>{i?.stop(),i=null,h(null),c!==null&&w()&&(document.documentElement.style.cursor=c,c=null);},m=()=>{u(),f(),s=null,b(Ce());},v=()=>{if(!w())return;f(),s=null;let p=pt(t.picker);c=document.documentElement.style.cursor,document.documentElement.style.cursor="crosshair",b({phase:"picking"}),i=Pe(p,{onHover:h,onSelect:({element:_,descriptor:z})=>{s=_,f(),b({phase:"review",selection:z});},onCancel:()=>{m();}});},A=()=>{let p=ve();if(p.length!==0)for(let _ of p)oe({payload:_,...t.transport?{transport:t.transport}:{}}).catch(()=>{ne(_);});};if(w()){setTimeout(A,1e3);let p=()=>A();window.addEventListener("online",p),d=()=>window.removeEventListener("online",p);}return {getState:()=>n,subscribe(p){return r.add(p),()=>r.delete(p)},subscribeHover(p){return o.add(p),()=>o.delete(p)},start(){n.phase==="capturing"||n.phase==="submitting"||n.phase!=="picking"&&v();},stop(){m();},clearSelection(){n.phase==="capturing"||n.phase==="submitting"||v();},setConfig(p){t=p;},async submit(p,_){if(!w()){let E=y("configuration",new Error("BlocFeed submit can only run in the browser"));return b({phase:"error",lastError:E}),{ok:false}}let z=t.blocfeed_id?.trim?.()??"";if(!z){let x={phase:"error",lastError:y("configuration",new Error("Missing blocfeed_id. Create a project in BlocFeed and pass its blocfeed_id."))};return n.selection&&(x.selection=n.selection),b(x),{ok:false}}if(n.phase==="capturing"||n.phase==="submitting")return {ok:false};let N=l+1;l=N,a?.abort(),a=new AbortController;let F=a.signal,S=n.selection,W=_?.capture?{...t.capture,..._.capture}:t.capture,ce=!!(W?.element||W?.fullPage),le={phase:ce?"capturing":"submitting"};S&&(le.selection=S),b(le);try{let E=ce?await Se({selectionElement:s,capture:W,signal:F}):void 0;if(F.aborted||l!==N)return {ok:!1};let x={phase:"submitting"};S&&(x.selection=S),E&&(x.capture=E),b(x);let C={};S&&(C.selection=S),E&&(C.capture=E);let Ne=await ke({config:t.metadata,context:C,...t.user?{user:t.user}:{}}),M={version:1,createdAt:new Date().toISOString(),blocfeed_id:z,message:p,metadata:Ne};_?.category&&(M.category=_.category),t.user&&(M.user=t.user),S&&(M.selection=S),E&&(M.screenshots=E);let{result:P}=await oe({payload:M,signal:F,...t.transport?{transport:t.transport}:{}});if(F.aborted||l!==N)return P;if(P.ok){let Q={phase:"success",lastSubmit:P};return S&&(Q.selection=S),E&&(Q.capture=E),b(Q),P}gt(P)&&ne(M);let Ie=P.api?.error??y("unknown",new Error("Submission failed")),K={phase:"error",lastSubmit:P,lastError:Ie};return S&&(K.selection=S),E&&(K.capture=E),b(K),P}catch(E){if(F.aborted||l!==N)return {ok:false};let C={phase:"error",lastError:F.aborted?y("aborted",E):y("unknown",E)};return S&&(C.selection=S),b(C),{ok:false}}finally{l===N&&(a=null);}},__unsafeGetSelectedElement(){return s},destroy(){m(),r.clear(),o.clear(),d?.(),d=null;}}}var B=[],D=[],Me=20,Le=15,O={},U=null,H=null,q=null,j=false;function ht(e){if(e instanceof Error)return e.message;if(typeof e=="string")return e;try{return JSON.stringify(e)}catch{return String(e)}}function wt(e,t){let n=t.map(ht).join(" "),r=t.find(i=>i instanceof Error),o={level:e,message:n.slice(0,2e3),timestamp:Date.now()};for(r?.stack&&(o.stack=r.stack.slice(0,2e3)),B.push(o);B.length>Me;)B.shift();}function ie(e){if(!e.url.includes("blocfeed.com"))for(D.push(e);D.length>Le;)D.shift();}function sn(e={}){if(!(j||!w())){if(j=true,Me=e.consoleLimit??20,Le=e.networkLimit??15,e.console!==false){let t=e.consoleLevels??["error","warn"];for(let n of t)O[n]=console[n],console[n]=(...r)=>{wt(n,r),O[n]?.apply(console,r);};}if(e.network!==false&&typeof window.fetch=="function"){U=window.fetch;let t=U;window.fetch=async function(r,o){let i=typeof r=="string"?r:r instanceof URL?r.toString():r.url,s=(o?.method??"GET").toUpperCase(),c=Date.now();try{let a=await t.call(window,r,o);return a.ok||ie({url:i.slice(0,500),method:s,status:a.status,statusText:a.statusText,timestamp:c,durationMs:Date.now()-c}),a}catch(a){throw ie({url:i.slice(0,500),method:s,status:0,statusText:a instanceof Error?a.message:"Network error",timestamp:c,durationMs:Date.now()-c}),a}};}if(e.network!==false&&typeof XMLHttpRequest<"u"){H=XMLHttpRequest.prototype.open,q=XMLHttpRequest.prototype.send;let t=H,n=q;XMLHttpRequest.prototype.open=function(r,o,...i){return this.__bf_method=r.toUpperCase(),this.__bf_url=String(o),t.apply(this,[r,o,...i])},XMLHttpRequest.prototype.send=function(...r){let o=this.__bf_method||"GET",i=this.__bf_url||"",s=Date.now();return this.addEventListener("loadend",function(){if(this.status>=400||this.status===0){let c={url:i.slice(0,500),method:o,status:this.status,timestamp:s,durationMs:Date.now()-s};this.statusText&&(c.statusText=this.statusText),ie(c);}}),n.apply(this,r)};}}}function cn(){if(j){for(let[e,t]of Object.entries(O))console[e]=t;for(let e of Object.keys(O))delete O[e];U&&(window.fetch=U,U=null),H&&(XMLHttpRequest.prototype.open=H,H=null),q&&(XMLHttpRequest.prototype.send=q,q=null),j=false;}}function ln(){return {consoleLogs:[...B],networkErrors:[...D]}}function un(){B=[],D=[];}var yt=[{name:"supabase_service_role_key",pattern:/SUPABASE_SERVICE_ROLE_KEY["'=:\s]+[A-Za-z0-9_.=-]{30,}/},{name:"supabase_db_password",pattern:/SUPABASE_DB_PASSWORD["'=:\s]+[^\s"']{6,}/},{name:"postgres_password",pattern:/POSTGRES_PASSWORD["'=:\s]+[^\s"']{6,}/},{name:"database_url_with_creds",pattern:/(?:postgres|postgresql|mysql|mongodb|redis|amqp):\/\/[^:]+:[^@\s"']+@/},{name:"aws_access_key",pattern:/AKIA[0-9A-Z]{16}/},{name:"aws_secret_key",pattern:/AWS_SECRET_ACCESS_KEY["'=:\s]+[A-Za-z0-9/+=]{30,}/},{name:"aws_session_token",pattern:/AWS_SESSION_TOKEN["'=:\s]+[A-Za-z0-9/+=]{30,}/},{name:"stripe_secret_key",pattern:/sk_live_[a-zA-Z0-9]{10,}/},{name:"stripe_secret_key_test",pattern:/sk_test_[a-zA-Z0-9]{10,}/},{name:"stripe_restricted_key",pattern:/rk_(?:live|test)_[a-zA-Z0-9]{10,}/},{name:"github_pat",pattern:/ghp_[A-Za-z0-9_]{36,}/},{name:"github_oauth",pattern:/gho_[A-Za-z0-9_]{36,}/},{name:"github_user_token",pattern:/ghu_[A-Za-z0-9_]{36,}/},{name:"github_server_token",pattern:/ghs_[A-Za-z0-9_]{36,}/},{name:"github_fine_grained",pattern:/github_pat_[A-Za-z0-9_]{22,}/},{name:"openai_api_key",pattern:/sk-[a-zA-Z0-9]{20,}(?![a-zA-Z0-9_])/},{name:"anthropic_api_key",pattern:/sk-ant-[a-zA-Z0-9\-_]{20,}/},{name:"private_key",pattern:/-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----/},{name:"sendgrid_api_key",pattern:/SG\.[a-zA-Z0-9_-]{22,}\.[a-zA-Z0-9_-]{22,}/},{name:"twilio_auth_token",pattern:/TWILIO_AUTH_TOKEN["'=:\s]+[a-f0-9]{32}/},{name:"generic_secret_key",pattern:/[A-Z_]{2,}_SECRET_KEY["'=:\s]+[^\s"']{8,}/},{name:"generic_secret",pattern:/[A-Z_]{2,}_SECRET["'=:\s]+[^\s"']{8,}/},{name:"generic_password",pattern:/[A-Z_]{2,}_PASSWORD["'=:\s]+[^\s"']{6,}/},{name:"generic_private_key_var",pattern:/[A-Z_]{2,}_PRIVATE_KEY["'=:\s]+[^\s"']{8,}/}],R=[],se=0,ae=false;function bt(e){let t=e.slice(0,80);return t.length<=6?"***":t.slice(0,6)+"***"}function Et(e,t,n,r){if(R.some(s=>s.rule===e&&s.source===t))return;let i={rule:e,source:t,hint:bt(n),timestamp:Date.now()};r&&(i.location=r),R.push(i);}function $(e,t,n,r){for(let{name:o,pattern:i}of n){let s=i.exec(e);s&&Et(o,t,s[0],r);}}function _t(e){try{let t=window;if(t.__NEXT_DATA__){let n=JSON.stringify(t.__NEXT_DATA__);$(n,"hydration",e,"__NEXT_DATA__");}if(t.__NUXT__){let n=JSON.stringify(t.__NUXT__);$(n,"hydration",e,"__NUXT__");}}catch{}}function St(e){try{document.querySelectorAll("script:not([src])").forEach((n,r)=>{let o=n.textContent;o&&o.length>0&&$(o,"scripts",e,`inline-script[${r}]`);});}catch{}}function kt(e){try{document.querySelectorAll("meta[content]").forEach(n=>{let r=n.getAttribute("content"),o=n.getAttribute("name")||n.getAttribute("property")||"";r&&r.length>10&&$(r,"meta",e,o?`meta[${o}]`:void 0);});}catch{}}function vt(e){try{document.querySelectorAll("[data-api-key], [data-secret], [data-token], [data-password]").forEach(n=>{let r=n.attributes;for(let o=0;o<r.length;o++){let i=r[o];i.name.startsWith("data-")&&i.value.length>10&&$(i.value,"dom",e,`${n.tagName.toLowerCase()}[${i.name}]`);}});}catch{}}function mn(e={}){if(ae||!w()||(ae=true,e.secretScan===false))return;let t=[...yt,...e.customPatterns??[]],n=e.scanTargets??["hydration","scripts","meta","dom"];setTimeout(()=>{se=Date.now(),n.includes("hydration")&&_t(t),n.includes("scripts")&&St(t),n.includes("meta")&&kt(t),n.includes("dom")&&vt(t);let r=e.notify??"both";R.length>0&&(r==="console"||r==="both")&&console.warn(`[BlocFeed Security] Found ${R.length} potential secret(s) exposed in client code:`,R.map(o=>`${o.rule} (${o.source}${o.location?`: ${o.location}`:""})`));},100);}function pn(){return {findings:[...R],scannedAt:se}}function gn(){R=[],se=0,ae=false;}
+export{w as a,Y as b,ye as c,Se as d,ke as e,ne as f,ve as g,Ot as h,Ut as i,rn as j,sn as k,cn as l,ln as m,un as n,mn as o,pn as p,gn as q};

package/dist/{controller-DfhbkHXc.d.cts → controller-BPsU7cuY.d.cts}

@@ -30,6 +30,15 @@ interface ThemeConfig {
     panelBackground?: string;
     panelForeground?: string;
     fontFamily?: string;
+    /** Color mode. Default: "dark" */
+    mode?: "light" | "dark" | "auto";
+}
+type FeedbackCategory = "bug" | "feature" | "ux" | "general";
+interface BlocFeedHandle {
+    open: () => void;
+    close: () => void;
+    submit: (message: string) => Promise<SubmitResult>;
+    isOpen: boolean;
 }
 interface BlocFeedStrings {
     triggerLabel?: string;
@@ -46,6 +55,10 @@ interface BlocFeedStrings {
     successText?: string;
     toastText?: string;
     sendButton?: string;
+    categoryBug?: string;
+    categoryFeature?: string;
+    categoryUx?: string;
+    categoryGeneral?: string;
 }
 interface ConsoleEntry {
     level: "error" | "warn" | "log";
@@ -73,6 +86,36 @@ interface DiagnosticsConfig {
     /** Max network entries to retain. Default: 15 */
     networkLimit?: number;
 }
+type SecurityScanTarget = "hydration" | "scripts" | "meta" | "dom";
+interface SecurityConfig {
+    /** Enable secret leak scanning. Default: true when security config is present. */
+    secretScan?: boolean;
+    /** Additional regex patterns to scan for. */
+    customPatterns?: Array<{
+        name: string;
+        pattern: RegExp;
+    }>;
+    /** What to scan. Default: all targets. */
+    scanTargets?: SecurityScanTarget[];
+    /** Where to report findings. Default: "both" */
+    notify?: "dashboard" | "console" | "both";
+}
+interface SecurityFinding {
+    /** Which pattern matched. */
+    rule: string;
+    /** Where it was found. */
+    source: SecurityScanTarget;
+    /** Truncated/redacted hint (first 6 chars + "***") — NEVER the full secret. */
+    hint: string;
+    /** Location details (e.g. script index, meta name). */
+    location?: string;
+    /** Timestamp. */
+    timestamp: number;
+}
+interface SecuritySnapshot {
+    findings: SecurityFinding[];
+    scannedAt: number;
+}
 interface Rect {
     x: number;
     y: number;
@@ -190,6 +233,8 @@ interface BlocFeedConfig {
     transport?: TransportConfig;
     /** Diagnostics capture (console logs + failed network requests). */
     diagnostics?: DiagnosticsConfig;
+    /** Client-side secret leak detection. */
+    security?: SecurityConfig;
     ui?: {
         /** z-index for the widget overlay/panel. */
         zIndex?: number;
@@ -207,6 +252,15 @@ interface BlocFeedConfig {
         strings?: BlocFeedStrings;
         /** Show "Powered by BlocFeed" watermark. Default: true */
         branding?: boolean;
+        /**
+         * Restrict widget visibility to specific routes.
+         * - `string[]` — route patterns (exact match or wildcard `*` suffix)
+         * - `(pathname: string) => boolean` — custom predicate
+         * - `undefined` — show on all pages (default)
+         */
+        showOn?: string[] | ((pathname: string) => boolean);
+        /** Which feedback categories to show as pills. Default: all four. */
+        categories?: FeedbackCategory[];
     };
 }
 interface ScreenshotIntent {
@@ -226,6 +280,8 @@ interface FeedbackPayload {
     createdAt: string;
     blocfeed_id: string;
     message: string;
+    /** Feedback category selected by the user. */
+    category?: FeedbackCategory;
     selection?: ElementDescriptor;
     screenshots?: CaptureResult;
     /** Lightweight screenshot metadata sent instead of base64 dataUrls. */
@@ -277,6 +333,7 @@ interface BlocFeedController {
     setConfig: (nextConfig: BlocFeedConfig) => void;
     submit: (message: string, options?: {
         capture?: CaptureConfig;
+        category?: FeedbackCategory;
     }) => Promise<SubmitResult>;
     /** Internal: used by UI to access the live element handle. */
     __unsafeGetSelectedElement: () => Element | null;
@@ -284,4 +341,4 @@ interface BlocFeedController {
 }
 declare function createBlocFeedController(config: BlocFeedConfig): BlocFeedController;
 
-export { type BlocFeedConfig as B, type CaptureConfig as C, type DiagnosticsConfig as D, type ElementDescriptor as E, type FeedbackApiResponse as F, type HoverListener as H, type ImageAsset as I, type MaybePromise as M, type NetworkEntry as N, type PickerConfig as P, type Rect as R, type SubmitResult as S, type ThemeConfig as T, type WidgetPosition as W, type BlocFeedState as a, type BlocFeedController as b, type BlocFeedError as c, type BlocFeedStrings as d, type BlocFeedUser as e, type CaptureDiagnostics as f, type CaptureResult as g, type ConsoleEntry as h, type FeedbackPayload as i, type MetadataConfig as j, type MetadataContext as k, type ScreenshotAdapter as l, type ScreenshotAdapterOptions as m, type ScreenshotIntent as n, type ScreenshotMime as o, type SessionPhase as p, type TransportConfig as q, type TransportResult as r, type TriggerStyle as s, type StateListener as t, createBlocFeedController as u };
+export { type BlocFeedConfig as B, type CaptureConfig as C, type DiagnosticsConfig as D, type ElementDescriptor as E, type FeedbackCategory as F, type HoverListener as H, type ImageAsset as I, type MaybePromise as M, type NetworkEntry as N, type PickerConfig as P, type Rect as R, type SubmitResult as S, type ThemeConfig as T, type WidgetPosition as W, type BlocFeedHandle as a, type BlocFeedState as b, type BlocFeedController as c, type BlocFeedError as d, type BlocFeedStrings as e, type BlocFeedUser as f, type CaptureDiagnostics as g, type CaptureResult as h, type ConsoleEntry as i, type FeedbackApiResponse as j, type FeedbackPayload as k, type MetadataConfig as l, type MetadataContext as m, type ScreenshotAdapter as n, type ScreenshotAdapterOptions as o, type ScreenshotIntent as p, type ScreenshotMime as q, type SecurityConfig as r, type SecurityFinding as s, type SecuritySnapshot as t, type SessionPhase as u, type TransportConfig as v, type TransportResult as w, type TriggerStyle as x, type StateListener as y, createBlocFeedController as z };