narrarium-astro-reader 0.1.33 → 0.1.37

package/cli-dist/lib/content-crypto.d.ts

@@ -1,4 +1,4 @@
-/** Return the singleton salt for this build process, creating it on first call. */
+/** Return the singleton salt for this build/dev process, creating it on first call. */
 export declare function getBuildSalt(): Buffer;
 /** Base64-encoded build salt, ready to embed in an HTML attribute. */
 export declare function getBuildSaltBase64(): string;
@@ -30,4 +30,17 @@ export declare function encryptString(plaintext: string, password: string): Encr
  * the result equals `CANARY_PLAINTEXT` — no fast-hash oracle in the HTML.
  */
 export declare function encryptCanary(password: string): EncryptedChunk;
+/**
+ * Encrypt a raw Buffer with AES-256-GCM using the same PBKDF2-derived build
+ * key. Returns raw `iv` and `ct` Buffers for binary file endpoints.
+ *
+ * Wire format (concatenate before serving):
+ *   [12-byte IV][ciphertext ∥ 16-byte GCM auth tag]
+ *
+ * Client side: `bytes.slice(0, 12)` = IV, `bytes.slice(12)` = ciphertext+tag.
+ */
+export declare function encryptBufferRaw(data: Buffer, password: string): {
+    iv: Buffer;
+    ct: Buffer;
+};
 //# sourceMappingURL=content-crypto.d.ts.map

package/cli-dist/lib/content-crypto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"content-crypto.d.ts","sourceRoot":"","sources":["../../src/lib/content-crypto.ts"],"names":[],"mappings":"AAcA,mFAAmF;AACnF,wBAAgB,YAAY,IAAI,MAAM,CAMrC;AAED,sEAAsE;AACtE,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAMD;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,iBAAiB,CAAC;AAE/C,MAAM,WAAW,cAAc;IAC7B,wCAAwC;IACxC,EAAE,EAAE,MAAM,CAAC;IACX,0DAA0D;IAC1D,EAAE,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,cAAc,CAWjF;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,CAE9D"}
+{"version":3,"file":"content-crypto.d.ts","sourceRoot":"","sources":["../../src/lib/content-crypto.ts"],"names":[],"mappings":"AAiBA,uFAAuF;AACvF,wBAAgB,YAAY,IAAI,MAAM,CAOrC;AAED,sEAAsE;AACtE,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAMD;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,iBAAiB,CAAC;AAE/C,MAAM,WAAW,cAAc;IAC7B,wCAAwC;IACxC,EAAE,EAAE,MAAM,CAAC;IACX,0DAA0D;IAC1D,EAAE,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,cAAc,CAWjF;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,CAE9D;AAED;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CAQ3F"}

package/cli-dist/lib/content-crypto.js

@@ -8,14 +8,18 @@ import { createCipheriv, pbkdf2Sync, randomBytes } from "node:crypto";
  * with the same parameters. A public salt is fine — it only prevents rainbow
  * tables; the security comes from the password entropy.
  */
-let _buildSalt = null;
-/** Return the singleton salt for this build process, creating it on first call. */
+// Use a process-global symbol so the singleton survives Vite module re-evaluation
+// in dev mode (HMR). Without this, each Astro page request may get a fresh module
+// instance with a new random salt, making the canary and content salts diverge.
+const SALT_GLOBAL_KEY = Symbol.for("narrarium.buildSalt");
+/** Return the singleton salt for this build/dev process, creating it on first call. */
 export function getBuildSalt() {
-    if (!_buildSalt) {
-        _buildSalt = randomBytes(16);
+    const g = globalThis;
+    if (!g[SALT_GLOBAL_KEY]) {
+        g[SALT_GLOBAL_KEY] = randomBytes(16);
         console.info("[narrarium-reader] Content encryption enabled (AES-256-GCM).");
     }
-    return _buildSalt;
+    return g[SALT_GLOBAL_KEY];
 }
 /** Base64-encoded build salt, ready to embed in an HTML attribute. */
 export function getBuildSaltBase64() {
@@ -59,4 +63,22 @@ export function encryptString(plaintext, password) {
 export function encryptCanary(password) {
     return encryptString(CANARY_PLAINTEXT, password);
 }
+/**
+ * Encrypt a raw Buffer with AES-256-GCM using the same PBKDF2-derived build
+ * key. Returns raw `iv` and `ct` Buffers for binary file endpoints.
+ *
+ * Wire format (concatenate before serving):
+ *   [12-byte IV][ciphertext ∥ 16-byte GCM auth tag]
+ *
+ * Client side: `bytes.slice(0, 12)` = IV, `bytes.slice(12)` = ciphertext+tag.
+ */
+export function encryptBufferRaw(data, password) {
+    const salt = getBuildSalt();
+    const key = deriveKey(password, salt);
+    const iv = randomBytes(12);
+    const cipher = createCipheriv("aes-256-gcm", key, iv);
+    const body = Buffer.concat([cipher.update(data), cipher.final()]);
+    const tag = cipher.getAuthTag(); // always 16 bytes for AES-GCM
+    return { iv, ct: Buffer.concat([body, tag]) };
+}
 //# sourceMappingURL=content-crypto.js.map

package/cli-dist/lib/content-crypto.js.map

@@ -1 +1 @@
-{"version":3,"file":"content-crypto.js","sourceRoot":"","sources":["../../src/lib/content-crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEtE;;;;;;;;GAQG;AAEH,IAAI,UAAU,GAAkB,IAAI,CAAC;AAErC,mFAAmF;AACnF,MAAM,UAAU,YAAY;IAC1B,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,UAAU,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;QAC7B,OAAO,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;IAC/E,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,kBAAkB;IAChC,OAAO,YAAY,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB,EAAE,IAAY;IAC/C,OAAO,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;AAC3D,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,cAAc,CAAC;AAS/C;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE,QAAgB;IAC/D,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IACtC,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC3B,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC/E,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,8BAA8B;IAC/D,OAAO;QACL,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACzB,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAClD,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,QAAgB;IAC5C,OAAO,aAAa,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAC;AACnD,CAAC"}
+{"version":3,"file":"content-crypto.js","sourceRoot":"","sources":["../../src/lib/content-crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEtE;;;;;;;;GAQG;AAEH,kFAAkF;AAClF,kFAAkF;AAClF,gFAAgF;AAChF,MAAM,eAAe,GAAG,MAAM,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;AAE1D,uFAAuF;AACvF,MAAM,UAAU,YAAY;IAC1B,MAAM,CAAC,GAAG,UAAuE,CAAC;IAClF,IAAI,CAAC,CAAC,CAAC,eAAe,CAAC,EAAE,CAAC;QACxB,CAAC,CAAC,eAAe,CAAC,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;QACrC,OAAO,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;IAC/E,CAAC;IACD,OAAO,CAAC,CAAC,eAAe,CAAE,CAAC;AAC7B,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,kBAAkB;IAChC,OAAO,YAAY,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB,EAAE,IAAY;IAC/C,OAAO,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;AAC3D,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,cAAc,CAAC;AAS/C;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE,QAAgB;IAC/D,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IACtC,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC3B,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC/E,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,8BAA8B;IAC/D,OAAO;QACL,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACzB,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAClD,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,QAAgB;IAC5C,OAAO,aAAa,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAC;AACnD,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAY,EAAE,QAAgB;IAC7D,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IACtC,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC3B,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAClE,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,8BAA8B;IAC/D,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC;AAChD,CAAC"}

package/cli-dist/lib/evaluations.d.ts

@@ -0,0 +1,17 @@
+export interface EvaluationData {
+    id: string;
+    title: string;
+    htmlContent: string;
+}
+/**
+ * Load the chapter-level evaluation from
+ * `evaluations/chapters/<chapterSlug>.md`, or return null if the file does
+ * not exist (evaluation has not been run yet).
+ */
+export declare function loadChapterEvaluation(chapterSlug: string): Promise<EvaluationData | null>;
+/**
+ * Load the paragraph-level evaluation from
+ * `evaluations/paragraphs/<chapterSlug>/<paragraphSlug>.md`, or return null.
+ */
+export declare function loadParagraphEvaluation(chapterSlug: string, paragraphSlug: string): Promise<EvaluationData | null>;
+//# sourceMappingURL=evaluations.d.ts.map

package/cli-dist/lib/evaluations.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"evaluations.d.ts","sourceRoot":"","sources":["../../src/lib/evaluations.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,wBAAsB,qBAAqB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAe/F;AAED;;;GAGG;AACH,wBAAsB,uBAAuB,CAC3C,WAAW,EAAE,MAAM,EACnB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAwBhC"}

package/cli-dist/lib/evaluations.js

@@ -0,0 +1,45 @@
+import path from "node:path";
+import { readFile } from "node:fs/promises";
+import { marked } from "marked";
+import { parseNarrariumMarkdownDocument } from "narrarium";
+import { getBookRoot } from "./book.js";
+/**
+ * Load the chapter-level evaluation from
+ * `evaluations/chapters/<chapterSlug>.md`, or return null if the file does
+ * not exist (evaluation has not been run yet).
+ */
+export async function loadChapterEvaluation(chapterSlug) {
+    const root = getBookRoot();
+    const filePath = path.join(root, "evaluations", "chapters", `${chapterSlug}.md`);
+    const raw = await readFile(filePath, "utf8").catch(() => null);
+    if (!raw)
+        return null;
+    const doc = parseNarrariumMarkdownDocument(`evaluations/chapters/${chapterSlug}.md`, raw);
+    const fm = doc.frontmatter;
+    const htmlContent = await marked.parse(doc.body ?? "");
+    return {
+        id: String(fm.id ?? `evaluation:chapter:${chapterSlug}`),
+        title: String(fm.title ?? "Chapter Evaluation"),
+        htmlContent,
+    };
+}
+/**
+ * Load the paragraph-level evaluation from
+ * `evaluations/paragraphs/<chapterSlug>/<paragraphSlug>.md`, or return null.
+ */
+export async function loadParagraphEvaluation(chapterSlug, paragraphSlug) {
+    const root = getBookRoot();
+    const filePath = path.join(root, "evaluations", "paragraphs", chapterSlug, `${paragraphSlug}.md`);
+    const raw = await readFile(filePath, "utf8").catch(() => null);
+    if (!raw)
+        return null;
+    const doc = parseNarrariumMarkdownDocument(`evaluations/paragraphs/${chapterSlug}/${paragraphSlug}.md`, raw);
+    const fm = doc.frontmatter;
+    const htmlContent = await marked.parse(doc.body ?? "");
+    return {
+        id: String(fm.id ?? `evaluation:paragraph:${chapterSlug}:${paragraphSlug}`),
+        title: String(fm.title ?? "Scene Evaluation"),
+        htmlContent,
+    };
+}
+//# sourceMappingURL=evaluations.js.map

package/cli-dist/lib/evaluations.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"evaluations.js","sourceRoot":"","sources":["../../src/lib/evaluations.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAChC,OAAO,EAAE,8BAA8B,EAAE,MAAM,WAAW,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAQxC;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,WAAmB;IAC7D,MAAM,IAAI,GAAG,WAAW,EAAE,CAAC;IAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,aAAa,EAAE,UAAU,EAAE,GAAG,WAAW,KAAK,CAAC,CAAC;IACjF,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC/D,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAEtB,MAAM,GAAG,GAAG,8BAA8B,CAAC,wBAAwB,WAAW,KAAK,EAAE,GAAG,CAAC,CAAC;IAC1F,MAAM,EAAE,GAAG,GAAG,CAAC,WAAsC,CAAC;IACtD,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAEvD,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE,IAAI,sBAAsB,WAAW,EAAE,CAAC;QACxD,KAAK,EAAE,MAAM,CAAC,EAAE,CAAC,KAAK,IAAI,oBAAoB,CAAC;QAC/C,WAAW;KACZ,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,WAAmB,EACnB,aAAqB;IAErB,MAAM,IAAI,GAAG,WAAW,EAAE,CAAC;IAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CACxB,IAAI,EACJ,aAAa,EACb,YAAY,EACZ,WAAW,EACX,GAAG,aAAa,KAAK,CACtB,CAAC;IACF,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC/D,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAEtB,MAAM,GAAG,GAAG,8BAA8B,CACxC,0BAA0B,WAAW,IAAI,aAAa,KAAK,EAC3D,GAAG,CACJ,CAAC;IACF,MAAM,EAAE,GAAG,GAAG,CAAC,WAAsC,CAAC;IACtD,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAEvD,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE,IAAI,wBAAwB,WAAW,IAAI,aAAa,EAAE,CAAC;QAC3E,KAAK,EAAE,MAAM,CAAC,EAAE,CAAC,KAAK,IAAI,kBAAkB,CAAC;QAC7C,WAAW;KACZ,CAAC;AACJ,CAAC"}

package/cli-dist/pages/epub.enc.d.ts

@@ -0,0 +1,17 @@
+import type { APIRoute } from "astro";
+/**
+ * Build-time endpoint that generates the book EPUB and — when a reader
+ * password is configured — encrypts it with the same AES-256-GCM key used
+ * for page content.
+ *
+ * Wire format (encrypted):
+ *   [12-byte IV][ciphertext ∥ 16-byte GCM auth tag]
+ *
+ * The client downloads this blob, slices the IV from the first 12 bytes, and
+ * decrypts the rest with the already-derived AES key stored in localStorage.
+ *
+ * Wire format (no password):
+ *   Raw EPUB bytes (application/epub+zip).
+ */
+export declare const GET: APIRoute;
+//# sourceMappingURL=epub.enc.d.ts.map

package/cli-dist/pages/epub.enc.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"epub.enc.d.ts","sourceRoot":"","sources":["../../src/pages/epub.enc.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAC;AAUtC;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,GAAG,EAAE,QA6BjB,CAAC"}

package/cli-dist/pages/epub.enc.js

@@ -0,0 +1,50 @@
+import { exportEpub, pathExists } from "narrarium";
+import path from "node:path";
+import { readFile, rm } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { randomBytes } from "node:crypto";
+import { getBookRoot } from "../lib/book.js";
+import { getReaderPassword } from "../lib/reader-mode.js";
+import { encryptBufferRaw } from "../lib/content-crypto.js";
+/**
+ * Build-time endpoint that generates the book EPUB and — when a reader
+ * password is configured — encrypts it with the same AES-256-GCM key used
+ * for page content.
+ *
+ * Wire format (encrypted):
+ *   [12-byte IV][ciphertext ∥ 16-byte GCM auth tag]
+ *
+ * The client downloads this blob, slices the IV from the first 12 bytes, and
+ * decrypts the rest with the already-derived AES key stored in localStorage.
+ *
+ * Wire format (no password):
+ *   Raw EPUB bytes (application/epub+zip).
+ */
+export const GET = async () => {
+    const root = getBookRoot();
+    const ready = await pathExists(path.join(root, "book.md"));
+    if (!ready) {
+        return new Response("Book not found", { status: 404 });
+    }
+    const password = getReaderPassword();
+    const tempId = randomBytes(8).toString("hex");
+    const tempPath = path.join(tmpdir(), `narrarium-epub-${tempId}.epub`);
+    try {
+        await exportEpub(root, { outputPath: tempPath });
+        const epubBytes = await readFile(tempPath);
+        if (password) {
+            const { iv, ct } = encryptBufferRaw(epubBytes, password);
+            const combined = Buffer.concat([iv, ct]);
+            return new Response(combined, {
+                headers: { "Content-Type": "application/octet-stream" },
+            });
+        }
+        return new Response(epubBytes, {
+            headers: { "Content-Type": "application/octet-stream" },
+        });
+    }
+    finally {
+        await rm(tempPath, { force: true }).catch(() => { });
+    }
+};
+//# sourceMappingURL=epub.enc.js.map

package/cli-dist/pages/epub.enc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"epub.enc.js","sourceRoot":"","sources":["../../src/pages/epub.enc.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACnD,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,kBAAkB,CAAC;AAChD,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAE5D;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,GAAG,GAAa,KAAK,IAAI,EAAE;IACtC,MAAM,IAAI,GAAG,WAAW,EAAE,CAAC;IAC3B,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC;IAC3D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,IAAI,QAAQ,CAAC,gBAAgB,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,QAAQ,GAAG,iBAAiB,EAAE,CAAC;IACrC,MAAM,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,kBAAkB,MAAM,OAAO,CAAC,CAAC;IAEtE,IAAI,CAAC;QACH,MAAM,UAAU,CAAC,IAAI,EAAE,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC,CAAC;QACjD,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAE3C,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,gBAAgB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YACzD,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;YACzC,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE;gBAC5B,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;aACxD,CAAC,CAAC;QACL,CAAC;QAED,OAAO,IAAI,QAAQ,CAAC,SAAS,EAAE;YAC7B,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;SACxD,CAAC,CAAC;IACL,CAAC;YAAS,CAAC;QACT,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IACtD,CAAC;AACH,CAAC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "narrarium-astro-reader",
-  "version": "0.1.33",
+  "version": "0.1.37",
   "type": "module",
   "description": "Astro reader and scaffolding CLI for Narrarium book repositories.",
   "license": "MIT",

package/src/components/EvaluationModal.astro

@@ -0,0 +1,28 @@
+---
+interface Props {
+  dialogId: string;
+  title: string;
+  htmlContent: string;
+}
+
+const { dialogId, title, htmlContent } = Astro.props;
+---
+
+<dialog class="eval-dialog" id={dialogId} aria-label={title}>
+  <div class="eval-dialog__inner">
+    <div class="eval-dialog__header">
+      <h2 class="eval-dialog__title">{title}</h2>
+      <button
+        type="button"
+        class="eval-dialog__close"
+        aria-label="Close evaluation"
+        data-eval-close={dialogId}
+      >
+        ✕
+      </button>
+    </div>
+    <div class="eval-dialog__body prose">
+      <Fragment set:html={htmlContent} />
+    </div>
+  </div>
+</dialog>

package/src/layouts/BaseLayout.astro

@@ -185,7 +185,22 @@ const isChapterPage = Number.isFinite(currentChapterNumber);
               // before we touch any page content.
               return aesDecrypt(key, canaryIv, canaryCt).then(function (plaintext) {
                 if (plaintext !== "narrarium-ok") throw new Error("stale");
-                return window._narrariumDecryptPage(key, true);
+                // Expose the key so the EPUB download handler can reuse it.
+                window._narrariumAesKey = key;
+                // Guard against a race where the auto-decrypt micro-task resolves
+                // before the HTML parser has emitted <main> and its encrypted spans.
+                // If the DOM is still being parsed, defer until DOMContentLoaded.
+                function waitForDom() {
+                  if (document.readyState === "loading") {
+                    return new Promise(function (resolve) {
+                      document.addEventListener("DOMContentLoaded", resolve, { once: true });
+                    });
+                  }
+                  return Promise.resolve();
+                }
+                return waitForDom().then(function () {
+                  return window._narrariumDecryptPage(key, true);
+                });
               });
             })
             .then(function () {
@@ -246,6 +261,7 @@ const isChapterPage = Number.isFinite(currentChapterNumber);
         <div class="masthead-actions">
           <a class="chip reader-status" data-continue-link href="./" hidden>Continue reading</a>
           <button type="button" class="masthead-btn" data-tts-panel-toggle aria-label="Open read aloud controls" aria-pressed="false" hidden>🔊</button>
+          <button type="button" class="masthead-btn" data-epub-download aria-label="Download EPUB" hidden>⬇</button>
           <button type="button" class="masthead-btn" data-search-toggle aria-label="Search">🔍</button>
           <button type="button" class="masthead-btn" data-reader-settings-toggle aria-label="Open reading settings">⚙</button>
         </div>
@@ -314,6 +330,9 @@ const isChapterPage = Number.isFinite(currentChapterNumber);
                     try { localStorage.setItem("narrarium-reader-aes-key", b64); } catch (_) {}
                   });
 
+                  // Expose the key so the EPUB download handler can reuse it.
+                  window._narrariumAesKey = aesKey;
+
                   // Decrypt the page — passes false = manual unlock, so the
                   // content-unlocked event will fire for late-init scripts.
                   return window._narrariumDecryptPage(aesKey, false);
@@ -327,5 +346,65 @@ const isChapterPage = Number.isFinite(currentChapterNumber);
         })();
       </script>
     )}
+    <script is:inline>
+      /* ── EPUB download ──────────────────────────────────────────────────────
+         The epub.enc static endpoint is always generated at build time.
+         • Encrypted build: client fetches, decrypts with the stored AES key,
+           creates an in-memory Blob and triggers a browser <a download>.
+         • Plain build:     client fetches, wraps in a Blob, triggers download.
+         The button is hidden until _narrariumContentReady resolves.
+      ──────────────────────────────────────────────────────────────────────── */
+      (function () {
+        var btn = document.querySelector("[data-epub-download]");
+        if (!btn) return;
+
+        window._narrariumContentReady.then(function (state) {
+          if (state === "decrypted" || state === "plain") {
+            btn.removeAttribute("hidden");
+          }
+        });
+
+        btn.addEventListener("click", function () {
+          var isEncrypted = Boolean(document.body.dataset.cryptoSalt);
+          var epubUrl = new URL("epub.enc", document.baseURI).toString();
+
+          btn.setAttribute("disabled", "");
+
+          fetch(epubUrl)
+            .then(function (r) {
+              if (!r.ok) throw new Error("fetch failed: " + r.status);
+              return r.arrayBuffer();
+            })
+            .then(function (buf) {
+              if (isEncrypted) {
+                var aesKey = window._narrariumAesKey;
+                if (!aesKey) throw new Error("no key");
+                var bytes = new Uint8Array(buf);
+                var iv = bytes.slice(0, 12);
+                var ct = bytes.slice(12);
+                return crypto.subtle.decrypt({ name: "AES-GCM", iv: iv }, aesKey, ct);
+              }
+              return buf;
+            })
+            .then(function (plainBuf) {
+              var blob = new Blob([plainBuf], { type: "application/epub+zip" });
+              var url = URL.createObjectURL(blob);
+              var a = document.createElement("a");
+              a.href = url;
+              a.download = "book.epub";
+              document.body.appendChild(a);
+              a.click();
+              document.body.removeChild(a);
+              setTimeout(function () { URL.revokeObjectURL(url); }, 60000);
+            })
+            .catch(function (err) {
+              console.error("[narrarium] EPUB download failed", err);
+            })
+            .finally(function () {
+              btn.removeAttribute("disabled");
+            });
+        });
+      })();
+    </script>
   </body>
 </html>

package/src/lib/content-crypto.ts

@@ -10,15 +10,19 @@ import { createCipheriv, pbkdf2Sync, randomBytes } from "node:crypto";
  * tables; the security comes from the password entropy.
  */
 
-let _buildSalt: Buffer | null = null;
+// Use a process-global symbol so the singleton survives Vite module re-evaluation
+// in dev mode (HMR). Without this, each Astro page request may get a fresh module
+// instance with a new random salt, making the canary and content salts diverge.
+const SALT_GLOBAL_KEY = Symbol.for("narrarium.buildSalt");
 
-/** Return the singleton salt for this build process, creating it on first call. */
+/** Return the singleton salt for this build/dev process, creating it on first call. */
 export function getBuildSalt(): Buffer {
-  if (!_buildSalt) {
-    _buildSalt = randomBytes(16);
+  const g = globalThis as typeof globalThis & { [key: symbol]: Buffer | undefined };
+  if (!g[SALT_GLOBAL_KEY]) {
+    g[SALT_GLOBAL_KEY] = randomBytes(16);
     console.info("[narrarium-reader] Content encryption enabled (AES-256-GCM).");
   }
-  return _buildSalt;
+  return g[SALT_GLOBAL_KEY]!;
 }
 
 /** Base64-encoded build salt, ready to embed in an HTML attribute. */
@@ -74,3 +78,22 @@ export function encryptString(plaintext: string, password: string): EncryptedChu
 export function encryptCanary(password: string): EncryptedChunk {
   return encryptString(CANARY_PLAINTEXT, password);
 }
+
+/**
+ * Encrypt a raw Buffer with AES-256-GCM using the same PBKDF2-derived build
+ * key. Returns raw `iv` and `ct` Buffers for binary file endpoints.
+ *
+ * Wire format (concatenate before serving):
+ *   [12-byte IV][ciphertext ∥ 16-byte GCM auth tag]
+ *
+ * Client side: `bytes.slice(0, 12)` = IV, `bytes.slice(12)` = ciphertext+tag.
+ */
+export function encryptBufferRaw(data: Buffer, password: string): { iv: Buffer; ct: Buffer } {
+  const salt = getBuildSalt();
+  const key = deriveKey(password, salt);
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const body = Buffer.concat([cipher.update(data), cipher.final()]);
+  const tag = cipher.getAuthTag(); // always 16 bytes for AES-GCM
+  return { iv, ct: Buffer.concat([body, tag]) };
+}

package/src/lib/evaluations.ts

@@ -0,0 +1,66 @@
+import path from "node:path";
+import { readFile } from "node:fs/promises";
+import { marked } from "marked";
+import { parseNarrariumMarkdownDocument } from "narrarium";
+import { getBookRoot } from "./book.js";
+
+export interface EvaluationData {
+  id: string;
+  title: string;
+  htmlContent: string;
+}
+
+/**
+ * Load the chapter-level evaluation from
+ * `evaluations/chapters/<chapterSlug>.md`, or return null if the file does
+ * not exist (evaluation has not been run yet).
+ */
+export async function loadChapterEvaluation(chapterSlug: string): Promise<EvaluationData | null> {
+  const root = getBookRoot();
+  const filePath = path.join(root, "evaluations", "chapters", `${chapterSlug}.md`);
+  const raw = await readFile(filePath, "utf8").catch(() => null);
+  if (!raw) return null;
+
+  const doc = parseNarrariumMarkdownDocument(`evaluations/chapters/${chapterSlug}.md`, raw);
+  const fm = doc.frontmatter as Record<string, unknown>;
+  const htmlContent = await marked.parse(doc.body ?? "");
+
+  return {
+    id: String(fm.id ?? `evaluation:chapter:${chapterSlug}`),
+    title: String(fm.title ?? "Chapter Evaluation"),
+    htmlContent,
+  };
+}
+
+/**
+ * Load the paragraph-level evaluation from
+ * `evaluations/paragraphs/<chapterSlug>/<paragraphSlug>.md`, or return null.
+ */
+export async function loadParagraphEvaluation(
+  chapterSlug: string,
+  paragraphSlug: string,
+): Promise<EvaluationData | null> {
+  const root = getBookRoot();
+  const filePath = path.join(
+    root,
+    "evaluations",
+    "paragraphs",
+    chapterSlug,
+    `${paragraphSlug}.md`,
+  );
+  const raw = await readFile(filePath, "utf8").catch(() => null);
+  if (!raw) return null;
+
+  const doc = parseNarrariumMarkdownDocument(
+    `evaluations/paragraphs/${chapterSlug}/${paragraphSlug}.md`,
+    raw,
+  );
+  const fm = doc.frontmatter as Record<string, unknown>;
+  const htmlContent = await marked.parse(doc.body ?? "");
+
+  return {
+    id: String(fm.id ?? `evaluation:paragraph:${chapterSlug}:${paragraphSlug}`),
+    title: String(fm.title ?? "Scene Evaluation"),
+    htmlContent,
+  };
+}

package/src/pages/chapters/[chapter].astro

@@ -5,6 +5,7 @@ import { listChapters, pathExists } from "narrarium";
 import AssetFigure from "../../components/AssetFigure.astro";
 import ChapterPager from "../../components/ChapterPager.astro";
 import EncryptedHtml from "../../components/EncryptedHtml.astro";
+import EvaluationModal from "../../components/EvaluationModal.astro";
 import LinkedValue from "../../components/LinkedValue.astro";
 import MetadataSection from "../../components/MetadataSection.astro";
 import RelatedLinks from "../../components/RelatedLinks.astro";
@@ -12,6 +13,8 @@ import BaseLayout from "../../layouts/BaseLayout.astro";
 import { loadAssetFigure } from "../../lib/assets";
 import { loadRelatedCanonLinks, loadStoryMentionLinks } from "../../lib/canon";
 import { getBookRoot, loadChapterPageData } from "../../lib/book";
+import { loadChapterEvaluation, loadParagraphEvaluation } from "../../lib/evaluations";
+import { isFullCanonMode } from "../../lib/reader-mode";
 
 export async function getStaticPaths() {
   const root = getBookRoot();
@@ -41,13 +44,23 @@ const chapterId = String(chapter.metadata.id);
 const chapterRelatedLinks = await loadRelatedCanonLinks(chapterId, [chapter.metadata.pov, chapter.metadata.timeline_ref]);
 const chapterStoryLinks = await loadStoryMentionLinks(chapterId, chapter.metadata.number);
 const chapterFigure = await loadAssetFigure(String(chapter.metadata.id), chapter.metadata.title);
+
+// Full-canon mode: load evaluations for author view.
+const fullCanonMode = isFullCanonMode();
+const chapterEvaluation = fullCanonMode ? await loadChapterEvaluation(chapterSlug) : null;
+
 const renderedParagraphs = await Promise.all(
-  chapter.paragraphs.map(async (paragraph) => ({
-    ...paragraph,
-    anchorId: `scene-${path.basename(paragraph.path, ".md")}`,
-    figure: await loadAssetFigure(String(paragraph.metadata.id), paragraph.metadata.title),
-    html: await marked.parse(paragraph.body),
-  })),
+  chapter.paragraphs.map(async (paragraph) => {
+    const paragraphSlug = path.basename(paragraph.path, ".md");
+    return {
+      ...paragraph,
+      paragraphSlug,
+      anchorId: `scene-${paragraphSlug}`,
+      figure: await loadAssetFigure(String(paragraph.metadata.id), paragraph.metadata.title),
+      html: await marked.parse(paragraph.body),
+      evaluation: fullCanonMode ? await loadParagraphEvaluation(chapterSlug, paragraphSlug) : null,
+    };
+  }),
 );
 ---
 
@@ -66,6 +79,11 @@ const renderedParagraphs = await Promise.all(
       <button type="button" class="chip is-action" data-bookmark-toggle>Save bookmark</button>
       <button type="button" class="chip is-action" data-tts-trigger="chapter" hidden>Read aloud</button>
       <button type="button" class="chip is-action" data-reader-focus-toggle>Full read</button>
+      {chapterEvaluation && (
+        <button type="button" class="chip is-action eval-trigger" data-eval-open={`eval-chapter-${chapterSlug}`}>
+          Evaluation
+        </button>
+      )}
     </div>
   </section>
 
@@ -148,6 +166,11 @@ const renderedParagraphs = await Promise.all(
                     Mark voice start
                   </button>
                   <button type="button" class="chip is-action" data-tts-trigger={paragraph.anchorId} hidden>Read aloud</button>
+                  {paragraph.evaluation && (
+                    <button type="button" class="chip is-action eval-trigger" data-eval-open={`eval-paragraph-${paragraph.paragraphSlug}`}>
+                      Evaluation
+                    </button>
+                  )}
                 </div>
               </div>
 
@@ -221,6 +244,24 @@ const renderedParagraphs = await Promise.all(
     Double-tap or double-click to show controls, or press a key.
   </div>
 
+  {/* Evaluation modals — full-canon mode only */}
+  {chapterEvaluation && (
+    <EvaluationModal
+      dialogId={`eval-chapter-${chapterSlug}`}
+      title={chapterEvaluation.title}
+      htmlContent={chapterEvaluation.htmlContent}
+    />
+  )}
+  {renderedParagraphs.map((paragraph) =>
+    paragraph.evaluation ? (
+      <EvaluationModal
+        dialogId={`eval-paragraph-${paragraph.paragraphSlug}`}
+        title={paragraph.evaluation.title}
+        htmlContent={paragraph.evaluation.htmlContent}
+      />
+    ) : null
+  )}
+
   <script is:inline>
     (() => {
       const focusModeKey = "narrarium-reader-focus-mode";
@@ -548,6 +589,28 @@ const renderedParagraphs = await Promise.all(
       function isEditable(node) {
         return node instanceof HTMLElement && (node.isContentEditable || /^(INPUT|TEXTAREA|SELECT)$/.test(node.tagName));
       }
+
+      // ── Evaluation modal wiring ─────────────────────────────────────────
+      document.querySelectorAll("[data-eval-open]").forEach(function (btn) {
+        btn.addEventListener("click", function () {
+          var dialogId = btn.getAttribute("data-eval-open");
+          var dialog = dialogId ? document.getElementById(dialogId) : null;
+          if (dialog instanceof HTMLDialogElement) dialog.showModal();
+        });
+      });
+      document.querySelectorAll("[data-eval-close]").forEach(function (btn) {
+        btn.addEventListener("click", function () {
+          var dialogId = btn.getAttribute("data-eval-close");
+          var dialog = dialogId ? document.getElementById(dialogId) : null;
+          if (dialog instanceof HTMLDialogElement) dialog.close();
+        });
+      });
+      // Close on backdrop click (click lands directly on <dialog>, not its children).
+      document.querySelectorAll(".eval-dialog").forEach(function (dialog) {
+        dialog.addEventListener("click", function (event) {
+          if (event.target === dialog) /** @type {HTMLDialogElement} */ (dialog).close();
+        });
+      });
     })();
   </script>
 </BaseLayout>

package/src/pages/epub.enc.ts

@@ -0,0 +1,54 @@
+import type { APIRoute } from "astro";
+import { exportEpub, pathExists } from "narrarium";
+import path from "node:path";
+import { readFile, rm } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { randomBytes } from "node:crypto";
+import { getBookRoot } from "../lib/book.js";
+import { getReaderPassword } from "../lib/reader-mode.js";
+import { encryptBufferRaw } from "../lib/content-crypto.js";
+
+/**
+ * Build-time endpoint that generates the book EPUB and — when a reader
+ * password is configured — encrypts it with the same AES-256-GCM key used
+ * for page content.
+ *
+ * Wire format (encrypted):
+ *   [12-byte IV][ciphertext ∥ 16-byte GCM auth tag]
+ *
+ * The client downloads this blob, slices the IV from the first 12 bytes, and
+ * decrypts the rest with the already-derived AES key stored in localStorage.
+ *
+ * Wire format (no password):
+ *   Raw EPUB bytes (application/epub+zip).
+ */
+export const GET: APIRoute = async () => {
+  const root = getBookRoot();
+  const ready = await pathExists(path.join(root, "book.md"));
+  if (!ready) {
+    return new Response("Book not found", { status: 404 });
+  }
+
+  const password = getReaderPassword();
+  const tempId = randomBytes(8).toString("hex");
+  const tempPath = path.join(tmpdir(), `narrarium-epub-${tempId}.epub`);
+
+  try {
+    await exportEpub(root, { outputPath: tempPath });
+    const epubBytes = await readFile(tempPath);
+
+    if (password) {
+      const { iv, ct } = encryptBufferRaw(epubBytes, password);
+      const combined = Buffer.concat([iv, ct]);
+      return new Response(combined, {
+        headers: { "Content-Type": "application/octet-stream" },
+      });
+    }
+
+    return new Response(epubBytes, {
+      headers: { "Content-Type": "application/octet-stream" },
+    });
+  } finally {
+    await rm(tempPath, { force: true }).catch(() => {});
+  }
+};

package/src/styles/global.css

@@ -934,7 +934,7 @@ h3 {
   display: grid;
   grid-template-columns: minmax(0, 1fr) auto minmax(0, 1fr);
   gap: 1rem;
-  align-items: center;
+  align-items: stretch;
   border: 1px solid var(--line);
   background: var(--surface);
   padding: 0.9rem 1.25rem;
@@ -943,7 +943,7 @@ h3 {
 }
 
 .pager-link {
-  display: inline-flex;
+  display: flex;
   align-items: center;
   gap: 0.4rem;
   padding: 0.5rem 0.75rem;
@@ -974,6 +974,7 @@ h3 {
 .pager-jump {
   display: grid;
   gap: 0.3rem;
+  align-content: center;
   min-width: 0;
 }
 
@@ -1588,3 +1589,74 @@ body.reader-auth-locked #reader-password-gate {
 html[data-theme="dark"] .reader-password-gate__error {
   color: #e74c3c;
 }
+
+/* ─── Evaluation modal ──────────────────────────────────────── */
+.eval-dialog {
+  position: fixed;
+  inset: 0;
+  z-index: 300;
+  width: min(720px, calc(100% - 2rem));
+  max-height: calc(100dvh - 4rem);
+  margin: auto;
+  padding: 0;
+  border: 1px solid var(--line);
+  border-radius: 12px;
+  background: var(--surface);
+  color: var(--text);
+  box-shadow: 0 8px 40px rgba(0, 0, 0, 0.22);
+  overflow: hidden;
+}
+
+.eval-dialog::backdrop {
+  background: rgba(0, 0, 0, 0.5);
+  backdrop-filter: blur(3px);
+}
+
+.eval-dialog__inner {
+  display: flex;
+  flex-direction: column;
+  max-height: calc(100dvh - 4rem);
+}
+
+.eval-dialog__header {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 1rem;
+  padding: 1rem 1.5rem;
+  border-bottom: 1px solid var(--line);
+  flex-shrink: 0;
+}
+
+.eval-dialog__title {
+  margin: 0;
+  font-size: 1rem;
+  font-weight: 600;
+}
+
+.eval-dialog__close {
+  flex-shrink: 0;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  width: 2rem;
+  height: 2rem;
+  border-radius: 50%;
+  border: 1px solid var(--line);
+  background: transparent;
+  color: var(--text-muted);
+  cursor: pointer;
+  font-size: 0.875rem;
+  transition: background 120ms ease, color 120ms ease;
+}
+
+.eval-dialog__close:hover {
+  background: var(--surface-muted);
+  color: var(--text);
+}
+
+.eval-dialog__body {
+  overflow-y: auto;
+  padding: 1.5rem;
+  flex: 1 1 auto;
+}