{
  "overview": {
    "name": "WasmMvcRuntime",
    "tagline": "ASP.NET MVC running entirely in WebAssembly",
    "sdkPackage": "NetWasmMvc.SDK",
    "cliPackage": "Cepha.CLI",
    "version": "2.0.1",
    "target": "net10.0",
    "license": "MIT"
  },
  "runtime": {
    "threads": [
      "Main thread: DOM, SPA router, CMUI rendering",
      "Runtime worker: .NET WASM, MVC routing, controllers, Razor views",
      "Data worker: EF Core, SQLite, OPFS persistence"
    ],
    "viewDataPattern": "Use ViewBag/ViewData or @model/@Model where the compatibility engine supports the migration pattern.",
    "projectFile": "<Project Sdk=\"NetWasmMvc.SDK\">"
  },
  "hostingModes": {
    "browser": {
      "description": "Static SPA deployed to any CDN or file host",
      "runtimeValue": "browser",
      "architecture": "Worker thread postMessage → main.js → DOM diffing",
      "deploy": "cepha publish → wwwroot/ static files"
    },
    "pwa": {
      "description": "Browser runtime + PWA deployment layer (cache strategies + install manifest)",
      "_note": "PWA is not a CephaRuntime value; it's an opt-in deployment style on top of browser runtime",
      "serviceWorker": "Hand-rolled service-worker.js shipped in SDK content. Implements network-first navigation + cache-first fingerprinted assets. NO automatic precache via service-worker-assets.js — for true offline-first precache, set <ServiceWorkerAssetsManifest> in your csproj (consumer-managed)",
      "strategies": { "fingerprinted": "cache-first", "navigation": "network-first" },
      "manifest": "wwwroot/manifest.json — customize name, icons (192/512 required for A2HS), theme_color",
      "installation": "Browser install prompt available when manifest + HTTPS + service worker registered + 192/512 icons present"
    },
    "wasi": {
      "description": "Edge Worker / Node.js — Cloudflare Workers, Deno Deploy, Lambda@Edge",
      "runtimeValue": "wasi",
      "csproj": "<CephaRuntime>wasi</CephaRuntime>",
      "deploy": "cepha publish cf — Cloudflare Pages + Workers"
    },
    "maui": {
      "description": "Mobile and desktop native app — Android + Windows (iOS planned)",
      "_note": "MAUI is NOT a NetWasmMvc.SDK csproj attribute. It is a sibling project pattern: a separate .csproj using Microsoft.NET.Sdk with <UseMaui>true</UseMaui> that ProjectReferences the same runtime DLLs (WasmMvcRuntime.Abstractions, .Core, .Identity). See Cepha.Maui.Host in the repo for the canonical example.",
      "architecture": "In-process MvcEngine — no Worker, no postMessage, no WASM boundary",
      "renderer": "NativeRenderer converts HTML output to Microsoft.Maui.Controls (Button, Label, Border) — NO WebView (canonical path); legacy MauiPlatformInterop still ships for back-compat",
      "bootstrap": "CephaMauiBootstrap — NavigateAsync(path) + SubmitFormAsync(action, formData)",
      "differentiator": "NOT Blazor Hybrid — no WebView2 in canonical path, native MAUI controls",
      "targetsBuilt": ["net10.0-android", "net10.0-windows10.0.19041.0"],
      "targetsPlanned": ["net10.0-ios", "net10.0-maccatalyst"],
      "csprojPattern": "<Project Sdk=\"Microsoft.NET.Sdk\"><PropertyGroup><UseMaui>true</UseMaui></PropertyGroup><ItemGroup><ProjectReference Include=\"..\\WasmMvcRuntime.Abstractions\\WasmMvcRuntime.Abstractions.csproj\" /></ItemGroup></Project>"
    }
  },
  "shellContract": {
    "owner": "NetWasmMvc.SDK",
    "sourceHtmlPolicy": "Do not add or edit wwwroot\\index.html for MVC migration.",
    "generation": "The SDK generates the browser boot shell under obj\\ and registers it through StaticWebAssets.",
    "applicationShell": "Views\\Shared\\_Layout.cshtml owns visible chrome, navigation, scripts, and CMUI composition.",
    "migrationContract": "For standard MVC apps, the project-level change should be the SDK attribute."
  },
  "cmuiStorage": {
    "preferred": "sqlite",
    "database": "wwwroot\\cmui-fusion.sqlite",
    "schema": "cmui-material-pack-v1",
    "encryption": "EntityCrypt ProtectDatabaseSnapshot envelope — AES-256-CBC+HMAC-SHA256 (server), keystream+HMAC-SHA256 (WASM)",
    "manifestTables": [
      "cmui_materials",
      "cmui_assets",
      "cmui_css_rules",
      "cmui_flow_rules",
      "cmui_static_asset_manifest"
    ]
  },
  "cmuiMaterials": [
    {
      "id": "cmui-fusion",
      "purpose": "Composed design material combining shadcn anatomy + tailwind tokens + radix state + cmui-x surface + cmui-mob platform flavor into a single SQLite source-of-truth (cmui-fusion.sqlite). Served as /cmui/fusion.css via the SDK _CephaEmitCmuiFusionCss target.",
      "runtimePolicy": "Authoritative composition; emit-cmui-css.py regenerates CSS at build time"
    },
    {
      "id": "cmui-shadcn",
      "purpose": "Component anatomy metadata for cards, forms, commands, tabs, and alerts",
      "runtimePolicy": "Metadata only; no imported JavaScript execution"
    },
    {
      "id": "cmui-tailwind",
      "purpose": "Token, spacing, radius, breakpoint, and CSS configuration metadata",
      "runtimePolicy": "Audited and filtered by material/profile/flow"
    },
    {
      "id": "cmui-radix",
      "purpose": "Headless primitive and state metadata such as data-state, focus, disabled, checked, and open",
      "runtimePolicy": "State semantics only; C# and appsettings remain authoritative"
    },
    {
      "id": "cmui-x",
      "purpose": "Aurora, glass, holographic cards, neon palette, scroll reveal, and futuristic web surface",
      "runtimePolicy": "CSS/asset layer"
    },
    {
      "id": "cmui-mob",
      "purpose": "Adaptive platform flavor and mobile-oriented Material/iOS behavior",
      "runtimePolicy": "CSS/asset layer"
    }
  ],
  "sdkProperties": {
    "_note": "Active = property is read by an SDK target/exec/itemgroup. Advisory = declared as part of the CMUI/Cepha contract, consumed by tooling/CLI or downstream packages rather than the SDK build. Planned = an adopted concept (see docs/specifications) whose enforcement is not yet wired; setting it emits a build warning, never an error.",
    "active": {
      "CmuiAny": { "default": "false", "consumer": "_CephaCopyCmuiDatabasesToBuildOutput, _CephaEmitCmuiFusionCss, _CephaCopyCmuiDatabasesToPublishOutput, _CephaEncryptCmuiDatabasesAtPublish", "example": "true" },
      "CmuiDatabase": { "default": "wwwroot\\cmui-l.sqlite", "consumer": "CmuiDatabases fallback", "example": "wwwroot\\cmui-fusion.sqlite" },
      "CmuiDatabases": { "default": "$(CmuiDatabase)", "consumer": "copy + emit + encrypt targets", "example": "wwwroot\\cmui-fusion.sqlite" },
      "CmuiEntityCrypt": { "default": "false", "consumer": "_CephaEncryptCmuiDatabasesAtPublish", "example": "true" },
      "CmuiEntityCryptMasterKey": { "default": "(env CEPHA_ENTITYCRYPT_ROOT_KEY_B64 or _KEY)", "consumer": "encrypt-cmui-sqlite.py --master-key arg", "example": "(base64 256-bit)" },
      "CmuiEntityCryptScope": { "default": "cmui-design-db", "consumer": "encrypt-cmui-sqlite.py --scope arg", "example": "cmui-design-db" },
      "CmuiFusionAutoEmit": { "default": "true", "consumer": "_CephaEmitCmuiFusionCss condition", "example": "true" },
      "CmuiFusionSqlite": { "default": "$(MSBuildProjectDirectory)/wwwroot/cmui-fusion.sqlite", "consumer": "_CephaEmitCmuiFusionCss --db arg + Exists() condition", "example": "wwwroot\\cmui-fusion.sqlite" },
      "CmuiFusionCssAssetPath": { "default": "/cmui/fusion.css", "consumer": "_CephaEmitCmuiFusionCss --asset-path arg + StaticWebAsset RelativePath", "example": "/cmui/fusion.css" },
      "CmuiFusionGeneratedCss": { "default": "$(IntermediateOutputPath)cepha-cmui/fusion.css", "consumer": "_CephaEmitCmuiFusionCss --out arg + StaticWebAsset Identity", "example": "obj/Debug/net10.0/cepha-cmui/fusion.css" },
      "CephaRuntime": { "default": "browser", "consumer": "all SDK targets via CephaRuntime != 'wasi' guard", "example": "browser | wasi" }
    },
    "advisory": {
      "CmuiMaterials": { "purpose": "Declares which material packs the project uses (cmui-fusion, cmui-x, cmui-mob, cmui-shadcn, cmui-tailwind, cmui-radix). Consumed by Cepha.CLI cmui-* commands during pack import, not by SDK build itself.", "example": "cmui-fusion;cmui-shadcn;cmui-tailwind;cmui-radix" },
      "CmuiFlowScope": { "purpose": "Declares whether CMUI flow rules are scoped to a single profile (isolated) or shared across profiles (shared). Audited by Cepha.CLI cmui audit; not currently enforced at SDK build time.", "example": "shared | isolated" },
      "CmuiSecurityAudit": { "purpose": "Enables Cepha.CLI cmui audit security checks (no eval, no inline script execution). Audited at CLI invocation, not at SDK build.", "example": "true" },
      "CmuiExcludePhysicalLibOnPublish": { "purpose": "Reserved for a future SDK target that strips physical wwwroot/lib/ when CmuiAny=true (CMUI SQLite is canonical instead). Currently declared but no SDK consumer — set by consumer apps in anticipation of the publish-time strip step.", "example": "true" },
      "CephaKitEnabled": { "purpose": "Enables CephaKit sidecar integration (SignalR + topology bridge). Used by CephaKit package targets, not by NetWasmMvc.SDK build.", "example": "true" },
      "CephaOAuthProxyEnabled": { "purpose": "Enables CephaOAuthProxy sidecar for OAuth/OIDC callbacks. Used by OAuth sidecar package, not by SDK build.", "example": "true" }
    },
    "planned": {
      "_note": "Adopted architectural concepts whose mechanism is defined in docs/specifications/AUTHOR-LINGUISTIC-SPECIFICATIONS.md (SPEC-0001). They are NOT phantom: setting them is intentional, but enforcement is pending. The SDK emits a friendly build warning (CEPHA-TOPO-PLANNED / CEPHA-LOCALIZATION-PLANNED) — never a stack trace or error — pointing to the spec/CLI.",
      "CephaTopology": { "purpose": "Assigns a topology to a controller/action: Server | Browser | Mirror. Server/Mirror run on the origin server (never the browser); Browser runs in WASM. IMPLEMENTED as the [CephaTopology(...)] attribute (generalizing [Mirror]) + MirrorRegistry scanning + a ForwardingPredicate for IMvcRazorPagesEngine.ShouldForwardToServer (WasmMvcRuntime.Cepha/Topology), with unit tests, plus the 'cepha topology' CLI. The csproj-level <CephaTopology> project switch is still planned and currently emits warning CEPHA-TOPO-PLANNED (no build-time effect yet).", "spec": "SPEC-0001 (D2)", "example": "Server | Browser | Mirror", "warning": "CEPHA-TOPO-PLANNED" },
      "CephaTopologyMode": { "purpose": "Coarse topology mode emitted by the identity-topology scaffold (e.g. ServerOnlyIdentity). Read by generated CephaServerOnlyAttribute in the app, not yet by the SDK build.", "spec": "SPEC-0001 (D2)", "example": "ServerOnlyIdentity" },
      "CephaIdentityTopology": { "purpose": "Marks the project as a sovereign server-only identity topology (set by the identity-topology scaffold).", "spec": "SPEC-0001 (D2)", "example": "true" },
      "CephaLocalization": { "purpose": "Opt-in to the build-time localization pipeline. The 'cepha localization' CLI is IMPLEMENTED for the scaffold step (declares languages + RTL/LTR direction, scans Razor views, emits localization/localization.config.json + keys.json). The model-backed translation (gpt-oss-120b via Cloudflare + TagHelpers + Merkle proof) is premium/staged. Setting <CephaLocalization> in csproj emits warning CEPHA-LOCALIZATION-PLANNED (no build-time effect yet).", "spec": "SPEC-0001 (D3)", "example": "true", "warning": "CEPHA-LOCALIZATION-PLANNED" }
    },
    "removed_v2_0_0": {
      "NetWasmMvc_EnableMaui": "Removed from the documented surface. MAUI integration is now a sibling-project pattern: a separate Microsoft.NET.Sdk project with <UseMaui>true</UseMaui> that ProjectReferences the runtime DLLs. See hostingModes.maui.csprojPattern."
    }
  },
  "entityCrypt": {
    "library": "EntityCrypt.Core + EntityCrypt.EFCore (bundled in NetWasmMvc.SDK/lib/net10.0/)",
    "dataDb": "UseMatryoshka(masterKey) on EF Core DbContext — column-level encryption at rest (server only)",
    "designDb": "ProtectDatabaseSnapshot envelope — full-file AES-256-CBC+HMAC-SHA256 for CMUI SQLite",
    "wasm": "ProtectDatabaseSnapshot v2 (keystream+HMAC) — AES-CBC unavailable in browser runtime",
    "keyDerivation": "HKDF-SHA256 from CEPHA_ENTITYCRYPT_ROOT_KEY_B64 or CEPHA_ENTITYCRYPT_ROOT_KEY env var",
    "sessionProtection": "EntityCryptSecurityPolicy.ProtectSessionStatePayload — OPFS session snapshots"
  },
  "docsEndpoints": {
    "security": "/docs/security",
    "esm": "/docs/esm",
    "accessibility": "/docs/accessibility",
    "sarmadPlatform": "/docs/sarmad-platform",
    "mcp": "/api/mcp.json",
    "resources": "/api/mcp-resources.json",
    "tools": "/api/mcp-tools.json",
    "knowledge": "/api/sdk-knowledge.json",
    "playground": "/docs/playground",
    "processPlayground": "CephaProcessBridge-backed C# process execution with stdout/stderr and CephaOutput protocol rendering",
    "components": "/docs/components",
    "pwa": "/docs/pwa",
    "maui": "/docs/maui"
  },
  "esmIntegration": {
    "policy": "dotnet build never invokes npm/pnpm/yarn/npx/node. node_modules is excluded from publish output. JavaScript ships as pre-bundled static assets or via CMUI-L SQLite packs.",
    "modes": [
      "M1 plain ESM in wwwroot/js",
      "M2 pre-bundled npm output in wwwroot/lib",
      "M3 importmap for bare specifiers",
      "M4 dynamic import() from Blob",
      "M5 CDN ESM with explicit CSP allow-list"
    ],
    "importMapMechanism": "SDK boot shell ships <script type=\"importmap\"></script>; main.js reads it to resolve fingerprinted _framework/dotnet.js — same element the browser uses for bare specifiers.",
    "cmuiLibPipeline": "cepha cmui-l import --source ./wwwroot/lib --out ./wwwroot/cmui-l.sqlite — encodes JS/CSS/fonts with sha256 hashes; opt-in to drop physical lib folder from publish via <CmuiExcludePhysicalLibOnPublish>"
  },
  "architectureInvariants": {
    "_purpose": "Hard rules an AI model MUST follow when generating or migrating a WasmMvcRuntime app. Violating any one of these produces an app that is NOT WasmMvcRuntime even if it appears to run. These rules exist to stop a model from improvising a different architecture (a JS SPA, a static-CSS design system, or a client bundle that leaks server secrets).",
    "runtime": "WasmMvcRuntime is ASP.NET Core MVC (C# Controllers + Razor .cshtml Views) compiled to .NET WebAssembly and executed in a Web Worker. It is NOT a JavaScript SPA framework and NOT Blazor components.",
    "mustDo": [
      "Define routing with C# controllers in Controllers/*.cs that return IActionResult / ViewResult.",
      "Author UI as Razor views in Views/**/*.cshtml using @model, @ViewBag/@ViewData and tag helpers (asp-controller, asp-action, asp-route-*).",
      "Declare the project with a single SDK line: <Project Sdk=\"NetWasmMvc.SDK/2.0.1\">.",
      "Persist data with EF Core + SQLite (OPFS-backed): DbContext, migrations, SaveChanges.",
      "Style through CMUI SQLite material packs emitted to /cmui/fusion.css at build time (CmuiAny=true, CmuiDatabases, CmuiMaterials).",
      "Let Views/Shared/_Layout.cshtml own the visible chrome, navigation, and all <link>/<script> references."
    ],
    "mustNotDo": [
      "DO NOT generate a React / Vue / Angular / Svelte / vanilla-JS SPA and present it as WasmMvcRuntime. Rendering is C#-controller -> Razor -> HTML frame -> postMessage -> DOM, not a JavaScript component tree.",
      "DO NOT hand-author or import a CSS framework (Tailwind/Bootstrap via CDN, etc.) as the design system. The styling source of truth is the CMUI SQLite material packs. CMUI-L already bundles Bootstrap + jQuery for classic MVC templates, so no extra CSS framework is needed.",
      "DO NOT add or edit wwwroot/index.html. The SDK generates the browser boot shell under obj/ and registers it as a StaticWebAsset (shellContract.owner = NetWasmMvc.SDK).",
      "DO NOT invoke npm / pnpm / yarn / npx / node during build. dotnet build never runs a JS toolchain; ship JS as pre-bundled static assets or CMUI-L SQLite packs (see esmIntegration.policy).",
      "DO NOT place OAuth client secrets, IdentityServer signing keys, or EntityCrypt master keys in the browser bundle or any client-served file (see identityTopology and CEP-SEC-001).",
      "DO NOT replace <Project Sdk=\"NetWasmMvc.SDK\"> with Microsoft.NET.Sdk.Web; the WASM MVC pipeline only activates under the NetWasmMvc SDK."
    ],
    "howToVerifyItIsRealWasmMvc": [
      "The csproj first line is <Project Sdk=\"NetWasmMvc.SDK/...\">.",
      "There are Controllers/*.cs (C#) and Views/**/*.cshtml (Razor), and no app-owned wwwroot/index.html.",
      "No package.json build step is required to produce the site; cepha publish emits a static wwwroot/.",
      "Styling is served from /cmui/fusion.css generated from a wwwroot/*.sqlite material pack, not from a hand-written framework stylesheet."
    ]
  },
  "identityTopology": {
    "_purpose": "Server-vs-browser security boundary for the three identity templates. An AI model MUST respect these boundaries; placing server-only secrets in the browser causes credential and user-data leaks — the exact failure mode this knowledge base exists to prevent.",
    "securityRule": "CEP-SEC-001: OAuth/OIDC ClientSecret, IdentityServer SigningKey, and EntityCrypt master keys are SERVER-ONLY. The browser/WASM bundle must never contain them. For external OAuth the token-exchange POST MUST be proxied through a server/edge host (CephaKit server mode or a wasi worker) so the secret never reaches the client bundle. Source: WasmMvcRuntime.Core/MvcEngine.cs (CEP-SEC-001).",
    "browserSafe": [
      "PBKDF2-SHA256 password hashing (default 600,000 iterations — WasmIdentityOptions.Password.Pbkdf2Iterations).",
      "An opaque HMAC-signed session token handed to the browser (token = HMAC-SHA256 over tokenId|fingerprint). Session state itself stays in Worker memory, never in the DOM.",
      "OPFS-persisted, encrypted session/db snapshots (EntityCrypt ProtectDatabaseSnapshot v2, keystream+HMAC; AES-CBC is unavailable in the browser runtime).",
      "PassKey / WebAuthn ceremonies (public-key; no shared secret on the client)."
    ],
    "serverOnly": [
      "OAuth/OIDC ClientSecret and the token-exchange request (identity-server and external providers).",
      "IdentityServer signing key (Base64 64-byte) used to sign access tokens with HMAC-SHA256.",
      "OAuth client-secret hashes, authorization codes, and refresh tokens (stored in the server DB).",
      "Matryoshka column-level DB encryption (applied only when !OperatingSystem.IsBrowser())."
    ],
    "templates": {
      "identity": {
        "topology": "Browser/WASM-worker identity. No external server is required for local username/password sessions.",
        "runsIn": "Runtime worker (WASM).",
        "secrets": "HMAC session key held in worker memory + OPFS; PBKDF2 password hashes stored as hash;salt;iterations. The browser receives only the opaque HMAC token.",
        "scaffold": "cepha new <name> --identity"
      },
      "identity-server": {
        "topology": "Server-side OAuth2/OIDC provider. The browser talks to it over HTTP/OIDC and only ever sees redirect URLs, authorization codes, and access tokens.",
        "runsIn": "Server (or edge/wasi host) — NOT the browser bundle.",
        "secrets": "SigningKey, client-secret hashes, authorization codes, and refresh tokens live in the server DB/config (GetDatabaseMasterKey(\"cepha-identity-server-db\")).",
        "scaffold": "cepha new <name> --identity-server"
      },
      "identity-topology": {
        "topology": "Sovereign server-thread identity with an encrypted KV store and PassKey signing (server-only + encrypted KV + topology proof).",
        "runsIn": "Server thread (sovereign). The encrypted KV is not browser-resident.",
        "secrets": "Encrypted-KV master key and PassKey signing material are server-held.",
        "scaffold": "cepha new <name> --identity-topology  (aliases: --identity-kv, --sovereign-identity)"
      }
    },
    "crossTabSync": "Sessions persist to OPFS; on restore, SyncStorageFromRestoredSessions() selects the newest session matching the browser fingerprint and rehydrates the worker token store — this is the cross-tab session-sync mechanism (WasmMvcRuntime.Identity SessionStorageService).",
    "serverForwarding": "When an action must run server-side, the runtime emits /__cepha/forward... instead of executing it in the browser (MvcRazorPagesEngine.ShouldForwardToServer)."
  },
  "referenceApp": {
    "_purpose": "The deployed developer-docs app (wmr-doc.pages.dev) is itself a WasmMvcRuntime app and the canonical worked example. A model holding this knowledge base has everything needed to reproduce an app of this shape with zero architectural improvisation.",
    "name": "CephaDocs",
    "deployedAt": "wmr-doc.pages.dev",
    "csproj": "<Project Sdk=\"NetWasmMvc.SDK/2.0.1\">\n  <PropertyGroup>\n    <CmuiAny>true</CmuiAny>\n    <CmuiDatabases>wwwroot\\cmui-fusion.sqlite</CmuiDatabases>\n    <CmuiMaterials>cmui-fusion;cmui-shadcn;cmui-tailwind;cmui-radix</CmuiMaterials>\n    <CmuiFlowScope>shared</CmuiFlowScope>\n    <CmuiSecurityAudit>true</CmuiSecurityAudit>\n  </PropertyGroup>\n</Project>",
    "controllers": ["HomeController (landing page)", "DocsController (doc sections + live playground)"],
    "views": "Views/Shared/_Layout.cshtml + Views/Home/Index.cshtml + Views/Docs/*.cshtml (QuickStart, Architecture, Sdk, Cli, Security, Esm, Accessibility, SarmadPlatform, Views, Identity, Data, Components, Pwa, Maui, Playground).",
    "styling": "CMUI Fusion: wwwroot/cmui-fusion.sqlite is emitted by the SDK _CephaEmitCmuiFusionCss target to /cmui/fusion.css. No CSS framework is imported as the design system.",
    "clientJs": "Progressive-enhancement hydration only (cepha-platform.js, docs-runtime.js, docs-editor.js, docs-esm.js) — NOT a SPA framework. All page rendering goes through the WASM MVC pipeline.",
    "mcpSurface": "Serves its own MCP knowledge statically at /api/mcp.json, /api/mcp-resources.json, /api/mcp-tools.json, and /api/sdk-knowledge.json.",
    "deploy": "cepha publish cf -> Cloudflare Pages (static wwwroot/ plus the SDK-generated _framework boot shell)."
  },
  "sarmadAccessibility": {
    "package": "CephaKit.Sarmad.Accessibility (skeleton — opt-in via <CephaSarmadAccessibility>true</CephaSarmadAccessibility>)",
    "purpose": "Voice + keyboard + screen-reader accessibility framework that ships as a Web Component <cepha-sarmad-watch> over the existing CephaSarmad guardian. Bilingual ar-SA + en-US.",
    "originContract": "Derived from sbay-dev/card-Base · CephaKit.Sarmad.Accessibility spec: ISarmadCommandCatalog, ISpeechGateway, AddSarmadAccessibility() options (Language, RequireUserGesture, SendTranscriptToModel, EnableEchoGuard).",
    "capabilities": [
      "TTS/STT via Web Speech API (no default recording — requires user gesture)",
      "Echo guard — recognition pauses while synthesizer speaks",
      "Command catalog harvested from page anchors/buttons with explicit data-sarmad-command attribute, aria-label, and visible text",
      "Natural-language fallback via /api/sarmad/ask mode=accessibility-agent using @cf/openai/gpt-oss-120b by default",
      "Built-in blind-user commands: read_page, list_headings, next_heading, list_links, open/activate visible links, stop reading",
      "Keyboard command input fallback for users who cannot grant microphone access",
      "Keyboard navigation (Tab loops, Esc collapses overlays, Arrow keys move between cards)",
      "prefers-reduced-motion and prefers-contrast respected automatically",
      "aria-live announcer for Worker frame transitions",
      "Focus restoration after CephaSecureDOM frame swap"
    ],
    "boundaries": [
      "No transcript leaves the page unless options.SendTranscriptToModel == true (opt-in)",
      "Docs demo enables AI assist explicitly; SDK default remains local-only unless send-transcript/AI assist is configured",
      "Commands execute only against existing DOM elements — no script eval, no DOM injection",
      "Clear fallback message when Web Speech API is unavailable (Firefox/Linux)",
      "Audited as Layer 2 of CephaSecureDOM — every voice-triggered DOM change passes through beginWorkerFrame/endWorkerFrame"
    ]
  },
  "sarmadPlatform": {
    "status": "mesh v0 shipping now as Pages Function /api/sarmad/ask plus <cepha-sarmad-chat> MCP personal builder",
    "purpose": "Layer 3 of Sarmad — personal MCP-connected chat assistant, reward council, and Cloudflare Workers AI mesh routed through the sbay-dev master tenant so every Cepha app gets a free governed AI assistant on first deploy.",
    "meshEndpoint": "/api/sarmad/ask (POST)",
    "meshContract": {
      "request": { "mode": "docs-assistant|cepha-system-builder", "surface": "string", "prompt": "string", "context": "string?", "mcpContext": "string?", "history": "chat turns?", "language": "en-US|ar-SA" },
      "response": { "surface": "string", "language": "string", "model": "string", "answer": "string", "critic": { "passed": "bool", "score": "0-10|null", "notes": "string" }, "buildPlan": "cepha-build-plan|null", "quota": { "remainingThisHour": "int" }, "tenant": "string" }
    },
    "defaultModel": "@cf/meta/llama-3.1-8b-instruct",
    "tenantPolicy": "Free, opt-in via <CephaSarmadPlatform>true</CephaSarmadPlatform>. Per-IP hourly rate cap (25/hr in-memory, 100/day via SARMAD_KV when bound). No prompt or response is persisted in v0 — public reward ledger ships with Layer 3 GA.",
    "rewardCouncil": [
      "R1 linguist · grammar, register, idiomatic quality (separate ar / en critics)",
      "R2 temporal · date/time/occasion alignment",
      "R3 context · refuses claims unsupported by provided context (shipping in mesh v0)",
      "R4 brevity · enforces surface-declared length budget",
      "R5 protocol · structured output adherence"
    ],
    "webComponent": "<cepha-sarmad-ask surface='docs-faq' language='en-US' context-from='#sdk-knowledge' />",
    "personalBuilderComponent": "<cepha-sarmad-chat surface='cepha-system-builder' language='en-US' endpoint='/api/sarmad/ask'></cepha-sarmad-chat>",
    "buildPlanEvent": "sarmad:build-plan — dispatched by <cepha-sarmad-chat>; trusted host/MCP server/Cepha process bridge may execute it in real time",
    "csprojSurface": [
      "<CephaSarmadGuardian>true</CephaSarmadGuardian>",
      "<CephaSarmadAccessibility>true</CephaSarmadAccessibility>",
      "<CephaSarmadLanguage>en-US</CephaSarmadLanguage>",
      "<CephaSarmadSecondaryLanguage>ar-SA</CephaSarmadSecondaryLanguage>",
      "<CephaSarmadRequireUserGesture>true</CephaSarmadRequireUserGesture>",
      "<CephaSarmadEchoGuard>true</CephaSarmadEchoGuard>",
      "<CephaSarmadSendTranscriptToModel>false</CephaSarmadSendTranscriptToModel>",
      "<CephaSarmadPlatform>true</CephaSarmadPlatform>",
      "<CephaSarmadModel>@cf/meta/llama-3.1-8b-instruct</CephaSarmadModel>",
      "<CephaSarmadRewardCouncil>true</CephaSarmadRewardCouncil>",
      "<CephaSarmadMeshEndpoint>/api/sarmad/ask</CephaSarmadMeshEndpoint>",
      "<CephaSarmadOwnAccount>false</CephaSarmadOwnAccount>"
    ]
  }
}