Interface ShellBridge

Readonlyruntime

destroy

• destroy(): void

  Destroy the bridge instance, cleaning up all internal state. Persists manifest cache and clears all subscriptions, buffers, and registries. Call when the shell is shutting down or the bridge is no longer needed.

  Returns void

  Example

  bridge.destroy();
  Copy

handleMessage

• handleMessage(event: MessageEvent): void

  Handle an incoming postMessage from a napplet iframe.

  Only NIP-5D envelope objects (plain objects with a .type string) are accepted. NIP-01 arrays and all other message shapes are silently dropped (clean break — no legacy array fallback).

  shell.ready messages are handled locally: the bridge responds with shell.init containing the capability set and registered service list. All other envelopes are delegated to the runtime's NAP domain dispatch.

  Parameters

  • event: MessageEvent

    The raw MessageEvent from window.addEventListener('message', ...)

  Returns void

  Example

  window.addEventListener('message', bridge.handleMessage);
  Copy

injectEvent

• injectEvent(topic: string, payload: unknown): void

  Inject a shell-originated event into subscription delivery. Under NIP-5D, shell-originated events are forwarded to napplets as inc.event envelope messages. The runtime's injectEvent() handles the per-session routing.

  v1.10 hard-removed the v1.8 soft-rename compatibility branch for the old auth:identity-changed topic. Use the canonical identity:changed topic for identity-change pushes.

  Parameters

  • topic: string

    The event topic tag value. Forwarded exactly once.

  • payload: unknown

    The event content

  Returns void

  Example

  bridge.injectEvent('identity:changed', { pubkey: userPubkey });
  Copy

publishIdentityChanged

• publishIdentityChanged(pubkey: string): void

  Publish the current shell-user identity to every loaded napplet.

  Posts an identity.changed envelope (shell → napplet push) with the current user pubkey. An empty pubkey means no signer/user identity is currently connected. This is distinct from NIP-5D napplet session identity, which remains source-bound at iframe creation.

  Parameters

  • pubkey: string

    Current user's hex pubkey, or empty string when signed out.

  Returns void

publishTheme

• publishTheme(theme: Theme): void

  Publish a theme update to every registered napplet.

  Posts a theme.changed envelope (shell → napplet push) to every window currently tracked by the runtime's sessionRegistry, using the browser-adapter originRegistry to resolve windowId → iframe. Napplets whose window cannot be resolved (stale sessions) are silently skipped; this method never throws.

  ACL is enforced BY THE RECIPIENT NAPPLET — the runtime's themeMap in @kehto/acl assigns recipientCap: 'theme:read' for theme.changed, and @napplet/shim drops pushes the napplet lacks the capability for. Hosts should not self-filter here.

  Parameters

  • theme: Theme

    The new theme payload to broadcast.

  Returns void

  Example

  bridge.publishTheme({
    colors: { background: '#0a0a0a', text: '#e0e0e0', primary: '#7aa2f7' },
    title: 'Dark',
  });
  Copy

registerConsentHandler

• registerConsentHandler(handler: (request: ConsentRequest) => void): void

  Register a handler for consent requests on destructive signing kinds. Called when a napplet requests signing for kinds 0, 3, 5, or 10002.

  Parameters

  • handler: (request: ConsentRequest) => void

    Callback receiving the consent request with a resolve function

  Returns void

  Example

  bridge.registerConsentHandler((request) => {
    const allowed = confirm(`Allow signing kind ${request.event.kind}?`);
    request.resolve(allowed);
  });
  Copy