diff --git a/README.md b/README.md
index 312a061..67b4c2b 100644
--- a/README.md
+++ b/README.md
@@ -1,39 +1,47 @@
 # DOMFortify
 
-[![npm](https://img.shields.io/npm/v/domfortify.svg)](https://www.npmjs.com/package/domfortify) [![License](https://img.shields.io/badge/license-MPL--2.0%20OR%20Apache--2.0-blue.svg)](https://github.com/cure53/DOMFortify/blob/main/LICENSE) ![npm package minimized gzipped size (select exports)](https://img.shields.io/bundlejs/size/domfortify?color=%233C1&label=gzip) [![Build & Test](https://github.com/cure53/DOMFortify/actions/workflows/build-and-test.yml/badge.svg?branch=main)](https://github.com/cure53/DOMFortify/actions/workflows/build-and-test.yml) [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/cure53/DOMFortify/badge)](https://scorecard.dev/viewer/?uri=github.com/cure53/DOMFortify) [![Socket Badge](https://badge.socket.dev/npm/package/domfortify/latest)](https://badge.socket.dev/npm/package/domfortify/latest)
+[![npm](https://img.shields.io/npm/v/domfortify.svg)](https://www.npmjs.com/package/domfortify) [![License](https://img.shields.io/badge/license-MPL--2.0%20OR%20Apache--2.0-blue.svg)](https://github.com/cure53/DOMFortify/blob/main/LICENSE) ![npm package minimized gzipped size](https://img.shields.io/bundlejs/size/domfortify?color=%233C1&label=gzip) [![Build & Test](https://github.com/cure53/DOMFortify/actions/workflows/build-and-test.yml/badge.svg?branch=main)](https://github.com/cure53/DOMFortify/actions/workflows/build-and-test.yml) [![CodeQL](https://github.com/cure53/DOMFortify/actions/workflows/codeql-analysis.yml/badge.svg?branch=main)](https://github.com/cure53/DOMFortify/actions/workflows/codeql-analysis.yml) 
 
-DOMFortify turns on Trusted Types for a page and quietly takes over the browser's `default` policy,
-so that old, vulnerable code like `el.innerHTML = location.hash` gets sanitized before it ever hits
-the DOM. You don't touch the code. You don't even need to know where the bug is.
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/13287/badge)](https://www.bestpractices.dev/projects/13287) [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/cure53/DOMFortify/badge)](https://scorecard.dev/viewer/?uri=github.com/cure53/DOMFortify) [![Socket Badge](https://badge.socket.dev/npm/package/domfortify/latest)](https://badge.socket.dev/npm/package/domfortify/latest)
 
-It's for the sites you can't easily fix: complex apps or legacy apps nobody wants to touch, the third-party widget you
-can't patch, the 2000+ `innerHTML` sinks written before anyone had heard of XSS.
+DOMFortify turns Trusted Types on for a page and quietly takes over the browser's `default` policy, so
+that old, vulnerable code like `el.innerHTML = location.hash` gets sanitized before it ever reaches the
+DOM. You don't touch the code. You don't even need to know where the bug is.
 
-**Just ship the policy, and the browser automatically protects every HTML sink with DOMPurify or other sanitizers.**
+It's for the sites you can't easily fix: sprawling apps and legacy code nobody wants to touch, the
+third-party widget you can't patch, the 2000-plus `innerHTML` sinks written before anyone had heard of
+XSS.
+
+**Ship the policy, and the browser routes every HTML sink through DOMPurify (or any sanitizer you give
+it) on its way into the DOM.**
 
 ## Is there a demo?
 
-Of course there is. [Play with DOMFortify](https://cure53.de/fortify) - throw payloads at a
-deliberately broken page and watch the browser neutralize them before they reach the DOM.
+Of course. [Play with DOMFortify](https://cure53.de/fortify) - throw payloads at a deliberately broken
+page and watch the browser neutralize them before they reach the DOM.
 
 ## How it works
 
-Trusted Types lets a page register one `default` policy that the browser calls for every dangerous
+Trusted Types lets a page register one `default` policy that the browser consults for every dangerous
 sink. DOMFortify is that policy.
 
-HTML goes through [DOMPurify](https://github.com/cure53/DOMPurify)
-(or any sanitizer you hand it); script sinks like `eval` and `script.src` are refused outright,
-because there is no safe way to sanitize executable code.
+HTML goes through [DOMPurify](https://github.com/cure53/DOMPurify) (or any sanitizer you hand it). Script
+sinks like `eval` and `script.src` are refused outright, because there is no safe way to sanitize
+executable code.
+
+It does two jobs and no more: own the `default` policy, and route sinks. Whether enforcement is even on
+is a CSP's job, not the library's - so DOMFortify reports honestly, through `status()`, whether the page
+is actually protected.
 
-## Usage
+## Quick start (CDN)
 
-Two parts. First, turn enforcement on with a CSP - a response header if you can set one:
+Two parts. First, turn enforcement on with a CSP. A response header is the sturdiest option:
 
 ```
 Content-Security-Policy: require-trusted-types-for 'script'; trusted-types default dompurify;
 ```
 
-...or via `<meta>` tag if you cannot set any headers:
+...or a `<meta>` tag when you cannot set headers (it must be present at parse time):
 
 ```html
 <meta
@@ -42,13 +50,23 @@ Content-Security-Policy: require-trusted-types-for 'script'; trusted-types defau
 />
 ```
 
-Second, load the sanitizer and then DOMFortify, **first thing in `<head>`**, before anything an
-attacker could reach. Pin both with SRI so a bad CDN day fails closed instead of open:
+...or, when you can place neither, let DOMFortify inject that `<meta>` for you with one config flag:
+
+```js
+window.DOMFortifyConfig = { INJECT_META: true };
+```
+
+This is best-effort and only takes when DOMFortify runs during the initial parse (inline, first thing
+in `<head>`); a header or hand-placed `<meta>` is still sturdier. Confirm it took with
+`status().enforcementActive`. Details in [Turning enforcement on](#turning-enforcement-on-advanced).
+
+Second, load the sanitizer and then DOMFortify **first thing in `<head>`**, before anything an attacker
+could reach. Pin both with SRI so a bad CDN day fails closed instead of open:
 
 ```html
 <script
-  src="https://cdn.jsdelivr.net/npm/dompurify@3.4.10/dist/purify.min.js"
-  integrity="sha384-eguRoJERj8ghOpzO//Rl7+ScQsQIR1cH+ajll7+fG+IpbNPlkZsQn9h8ccr+wPXx"
+  src="https://cdn.jsdelivr.net/npm/dompurify@3.4.11/dist/purify.min.js"
+  integrity="sha384-o44XUELLEnv/iSlA1NWxBweqbD4TSR0qgq2VzVsxtkHS989JJjGKSE9vkfo5MN4K"
   crossorigin="anonymous"
 ></script>
 <script
@@ -58,26 +76,70 @@ attacker could reach. Pin both with SRI so a bad CDN day fails closed instead of
 ></script>
 ```
 
-That's it. The script installs itself on load. Want to check it actually worked?
+That's it. This build installs itself on load. Check it actually worked:
 
 ```js
-DOMFortify.status().protected; // true when enforced, owning the policy, and sanitizer ready
+DOMFortify.status().protected; // true when enforced, owning the policy, and the sanitizer is ready
 ```
 
-If you have to go through a bundler, import the module build and call `init()` as early as you can -
-but understand that a bundler will not place your code first, which is the one thing this needs:
+> Pin a version you have vetted and regenerate the SRI hash whenever you change it, for example
+> `openssl dgst -sha384 -binary purify.min.js | openssl base64 -A`. The two hashes above are for the
+> exact versions named in the URLs.
+
+## Using it from npm
+
+```sh
+npm install domfortify
+```
+
+The package ships three builds and TypeScript types, picked automatically by your tooling:
+
+| Build               | File                  | What it does                                                 |
+| ------------------- | --------------------- | ------------------------------------------------------------ |
+| ESM                 | `dist/fortify.es.mjs` | `import { init } from 'domfortify'` - you call `init()`      |
+| CommonJS            | `dist/fortify.cjs.js` | `const { init } = require('domfortify')` - you call `init()` |
+| IIFE (auto-install) | `dist/fortify.min.js` | self-installs on load; this is the `<script>` and CDN build  |
+
+The module builds do **not** auto-install, so you call `init()` yourself:
 
 ```js
-import { init } from 'domfortify';
-init();
+import { init, status } from 'domfortify';
+import DOMPurify from 'dompurify'; // no window.DOMPurify in a bundle, so pass it in
+
+init({ SANITIZER: DOMPurify });
+status()?.protected;
+```
+
+CommonJS is the same shape:
+
+```js
+const { init } = require('domfortify');
+const DOMPurify = require('dompurify');
+init({ SANITIZER: DOMPurify });
+```
+
+Two things matter when you go through a bundler:
+
+- **There is no `window.DOMPurify`.** The CDN path picks the global up for free; a bundle has no global,
+  so pass your sanitizer as `SANITIZER` (or set `window.DOMPurify` before `init()`).
+- **A bundler will not place your code first**, and owning the `default` policy is winner-takes-all. Make
+  `init()` the very first thing your entry module runs, before any code that could touch a sink or
+  register a policy, and confirm with `status().protected`. If load order is hard to guarantee, prefer
+  the inline `<script>` from the CDN section - that is the one path that reliably wins the slot.
+
+If you would rather keep the auto-install behavior in a bundle, import the side-effecting build for its
+effect and let it self-install (it reads `window.DOMFortifyConfig`):
+
+```js
+import 'domfortify/fortify.js'; // attaches window.DOMFortify and calls init() on import
 ```
 
 ## Configuration
 
 Set `window.DOMFortifyConfig` before the script tag, or pass the same object to `DOMFortify.init()`.
-Every option is optional; the defaults give you DOMPurify on every HTML sink and a hard refusal on
-every script sink. Config is read once, own-properties only, so a polluted prototype can't sneak a
-value in or loosen a refusal.
+Every option is optional; the defaults give you DOMPurify on every HTML sink and a hard refusal on every
+script sink. Config is read once, own-properties only, so a polluted prototype can't sneak a value in or
+loosen a refusal.
 
 Each topic below has a runnable page in [`/demos`](demos/) - the links point straight at them.
 
@@ -140,14 +202,14 @@ Demo: [scoping by URL](demos/url-config-demo.html).
 
 ### Turning enforcement on (advanced)
 
-DOMFortify does not enable Trusted Types - a CSP does, and a response header is the only fully
-reliable way. For pages that can set neither a header nor a hand-placed `<meta>`, `INJECT_META` is an
-opt-in, best-effort fallback (see [What it won't do](#what-it-wont-do) for the caveat).
+DOMFortify does not enable Trusted Types - a CSP does, and a response header is the only fully reliable
+way. For pages that can set neither a header nor a hand-placed `<meta>`, `INJECT_META` is an opt-in,
+best-effort fallback (see [What it won't do](#what-it-wont-do) for the caveat).
 
 ```js
-// Opt-in, default false. Best-effort: a <meta> CSP is honored only when the parser inserts it, so
-// this can work only when DOMFortify runs during the initial parse and only for content parsed
-// afterwards. Otherwise it appends a non-enforcing node and reports status().metaInjected === false.
+// Opt-in, default false. Best-effort: a <meta> CSP is honored only when the parser inserts it, so this
+// can work only when DOMFortify runs during the initial parse and only for content parsed afterwards.
+// Otherwise it appends a non-enforcing node and reports status().metaInjected === false.
 window.DOMFortifyConfig = { INJECT_META: true };
 
 // META_DIRECTIVE overrides the whole trusted-types directive, e.g. if your policy names differ.
@@ -171,19 +233,32 @@ window.DOMFortifyConfig = {
 
 Demo: [report-only monitoring](demos/report-only-demo.html).
 
+### Reading the status
+
+`init()` returns, and `status()` later re-reads, a frozen snapshot of what actually happened:
+
+```js
+const s = DOMFortify.status();
+// { version, ttSupported, enforcementActive, defaultPolicyOwned, sanitizerReady,
+//   excluded, metaInjected, protected, reason }
+```
+
+`protected` is true only when enforcement is on, DOMFortify owns the `default` policy, and the sanitizer
+passed its smoke test. `reason` explains the current state in one line. Demo: [status](demos/status-demo.html).
+
 ## What it won't do
 
 It's a retrofit, not magic. Know the edges:
 
 - **It needs the CSP.** No enforcement, no protection - and it'll tell you so via `status()`.
-- **`INJECT_META` is best-effort.** A script-inserted `<meta>` CSP is ignored unless the parser
-  inserts it during the initial parse. Don't rely on it where a header or hand-placed `<meta>` is an
-  option; check `status()` to see whether enforcement actually took.
-- **Load it first.** Whoever registers the `default` policy first wins. If attacker code beats you to
-  it, you're worse off than before. Don't add `'allow-duplicates'`.
+- **`INJECT_META` is best-effort.** A script-inserted `<meta>` CSP is ignored unless the parser inserts
+  it during the initial parse. Don't rely on it where a header or hand-placed `<meta>` is an option;
+  check `status()` to see whether enforcement actually took.
+- **Load it first.** Whoever registers the `default` policy first wins. If attacker code beats you to it,
+  you're worse off than before. Don't add `'allow-duplicates'`.
 - **One realm at a time.** Each iframe is its own world and needs its own DOMFortify.
-- **Trusted Types sinks only.** Inline handlers (`onclick=`), `style`, and `href` URLs aren't TT
-  sinks. Close those with a real `script-src` that drops `'unsafe-inline'`.
+- **Trusted Types sinks only.** Inline handlers (`onclick=`), `style`, and `href` URLs aren't TT sinks.
+  Close those with a real `script-src` that drops `'unsafe-inline'`.
 - **One sanitizer.** A bypass in the sanitizer is a bypass in everything it guards.
 - **It sanitizes a string, then the sink re-parses it.** The `default` policy returns sanitized HTML as a
   string that the browser parses again in context - the serialize/re-parse step that can re-open
@@ -199,8 +274,9 @@ Found a hole? Please report it privately - see [SECURITY.md](SECURITY.md). Don't
 ---
 
 Built on the shoulders of Frederik Braun's
-[Perfect types with setHTML()](https://frederikbraun.de/perfect-types-with-sethtml.html) and his Mozilla explainer [Trusted or Sanitized HTML](https://github.com/mozilla/explainers/blob/main/trusted-or-sanitized-html.md), plus Jun
-Kokatsu's "Perfect Types". By [Cure53](https://cure53.de).
+[Perfect types with setHTML()](https://frederikbraun.de/perfect-types-with-sethtml.html) and his Mozilla
+explainer [Trusted or Sanitized HTML](https://github.com/mozilla/explainers/blob/main/trusted-or-sanitized-html.md),
+plus Jun Kokatsu's "Perfect Types". By [Cure53](https://cure53.de).
 
 ## Relationship to the platform
 
@@ -212,4 +288,4 @@ The one design difference worth stating plainly: the platform proposal sanitizes
 
 DOMFortify builds on established browser and ecosystem concepts rather than claiming to invent Trusted Types-based HTML sanitization from scratch. The underlying enforcement mechanism is the browser-native [Trusted Types API](https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API), and the sanitizer commonly used with DOMFortify, [DOMPurify](https://github.com/cure53/DOMPurify), already provides Trusted Types integration. Earlier tooling such as [`melloware/csp-webpack-plugin`](https://github.com/melloware/csp-webpack-plugin) and its Rspack counterpart [`rspack-contrib/csp-rspack-plugin`](https://github.com/rspack-contrib/csp-rspack-plugin) also demonstrated the idea of installing a DOMPurify-backed `default` Trusted Types policy to retrofit protection for legacy `innerHTML`-style sinks.
 
-DOMFortify differs in its focus and packaging: it is a standalone runtime hardening layer, not a bundler-side CSP helper, and it emphasizes safer defaults for script-like sinks, sanitizer abstraction, route-aware configuration, CSP/telemetry integration, and defensive handling of configuration and prototype-pollution edge cases. Related ecosystem work includes framework- or type-system-oriented approaches such as [Angular’s Trusted Types integration](https://angular.dev/best-practices/security), Google’s [`safevalues`](https://github.com/google/safevalues), and earlier Trusted Types integrations collected by the [W3C Trusted Types project](https://github.com/w3c/trusted-types/wiki/Integrations). The browser-native direction this whole approach points toward is set out in Mozilla's [Trusted or Sanitized HTML](https://github.com/mozilla/explainers/blob/main/trusted-or-sanitized-html.md) explainer (see [Relationship to the platform](#relationship-to-the-platform)).
+DOMFortify differs in its focus and packaging: it is a standalone runtime hardening layer, not a bundler-side CSP helper, and it emphasizes safer defaults for script-like sinks, sanitizer abstraction, route-aware configuration, CSP/telemetry integration, and defensive handling of configuration and prototype-pollution edge cases. Related ecosystem work includes framework- or type-system-oriented approaches such as [Angular's Trusted Types integration](https://angular.dev/best-practices/security), Google's [`safevalues`](https://github.com/google/safevalues), and earlier Trusted Types integrations collected by the [W3C Trusted Types project](https://github.com/w3c/trusted-types/wiki/Integrations). The browser-native direction this whole approach points toward is set out in Mozilla's [Trusted or Sanitized HTML](https://github.com/mozilla/explainers/blob/main/trusted-or-sanitized-html.md) explainer (see [Relationship to the platform](#relationship-to-the-platform)).
diff --git a/dist/fortify.cjs.js b/dist/fortify.cjs.js
index a8dc968..ae5bbcc 100644
--- a/dist/fortify.cjs.js
+++ b/dist/fortify.cjs.js
@@ -1,44 +1,44 @@
-/*! DOMFortify 0.1.0 | (c) Cure53 and contributors | (MPL-2.0 OR Apache-2.0) */
+/*! DOMFortify 0.2.0 | (c) Cure53 and contributors | (MPL-2.0 OR Apache-2.0) */
 'use strict';
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-const VERSION = '0.1.0';
-// Grab natives up front so later prototype-pollution or clobbering can't swap them out.
+// Cached up front so later prototype pollution or clobbering can't swap hasOwnProperty out.
 const hasOwn = Object.prototype.hasOwnProperty;
-const root = typeof globalThis !== 'undefined' ? globalThis : window;
-const doc = typeof document !== 'undefined' ? document : undefined;
-const loc = root.location;
-const own = (obj, key) => obj != null && hasOwn.call(obj, key);
-const cfg = (obj, key) => (own(obj, key) ? obj[key] : undefined);
-const clip = (s) => String(s).slice(0, 80);
-const emsg = (e) => String(e?.message);
-const TT = root.trustedTypes;
-let installed = false;
-let cachedStatus = null;
-// Are we actually enforced? Under enforcement with no default policy yet, a sink write throws.
-// Run this BEFORE we install our policy, or it would always read as "off".
-function enforcementActive() {
-    try {
-        doc.createElement('div').innerHTML = 'x';
-        return false;
-    }
-    catch {
-        return true;
-    }
+/** True only for an own (non-inherited) property, so a polluted prototype is never consulted. */
+function own(obj, key) {
+    return obj != null && hasOwn.call(obj, key);
+}
+/** Read an own key off a config-like object, else undefined. Never walks the prototype chain. */
+function cfg(obj, key) {
+    return own(obj, key) ? obj[key] : undefined;
+}
+/** A short, safe preview of an arbitrary value, for violation reports. */
+function clip(s) {
+    return String(s).slice(0, 80);
+}
+/** Best-effort error message, tolerant of non-Error throws. */
+function emsg(e) {
+    return String(e?.message);
 }
-// Copy config off the caller's object, skipping keys that could pollute. Don't JSON-clone - that
-// would corrupt RegExp and functions.
+/**
+ * Copy an object's own keys, dropping the three that could pollute a prototype. Deliberately not a
+ * JSON clone: that would corrupt the RegExps and functions a sanitizer config may carry.
+ */
 function shallowCopy(obj) {
     const out = {};
     for (const k in obj) {
-        if (hasOwn.call(obj, k) && k !== '__proto__' && k !== 'constructor' && k !== 'prototype')
+        if (hasOwn.call(obj, k) && k !== '__proto__' && k !== 'constructor' && k !== 'prototype') {
             out[k] = obj[k];
+        }
     }
     return out;
 }
-// Test a URL against one or more patterns. String = substring match; RegExp = test. Used for both
-// EXCLUDE and URL_CONFIG, always against the realm's own location.href.
+/**
+ * Test a URL against one or more patterns. A string matches as a substring (the empty string never
+ * matches); a RegExp is test()ed, and a pattern that throws is treated as no match. Used for both
+ * EXCLUDE and URL_CONFIG, always against the realm's own location.href.
+ */
 function urlMatches(pattern, url) {
     if (pattern == null)
         return false;
@@ -55,24 +55,53 @@ function urlMatches(pattern, url) {
                     return true;
             }
             catch {
-                /* ignore a pattern that throws */
+                /* a pattern that throws is treated as no match */
             }
         }
     }
     return false;
 }
-// Best-effort CSP <meta> injection (opt-in). IMPORTANT: a <meta> CSP is honored only when the PARSER
-// inserts it, so document.write during the initial parse is the only path that can actually switch
-// enforcement on - and only for content parsed afterwards. A node appended after parsing is ignored by
-// the CSP engine; we still add it (harmless) but report that injection did NOT take. Returns true only
-// when written during parse.
+
+/**
+ * DOMFortify - bolt Trusted Types onto a legacy page so old DOM-XSS sinks get sanitized
+ * without touching the code. See README for the full picture; the short version:
+ *
+ *  - Claims the realm's `default` Trusted Types policy and routes every HTML sink through a
+ *    sanitizer. Script sinks (eval, javascript: URLs, script.src) are refused.
+ *  - Does NOT switch enforcement on; a CSP does (header best, `<meta>` works).
+ *  - Must load FIRST: the default policy is winner-takes-all.
+ *  - Fails closed: no sanitizer means sinks throw, never leak.
+ *  - Only covers Trusted Types sinks; inline handlers / style / URL props stay open.
+ */
+const VERSION = '0.2.0';
+// Natives captured up front, so later prototype pollution or clobbering can't swap them out.
+const root = typeof globalThis !== 'undefined' ? globalThis : window;
+const doc = typeof document !== 'undefined' ? document : undefined;
+const loc = root.location;
+const TT = root.trustedTypes;
+let installed = false;
+let cachedStatus = null;
+// --- environment probes --------------------------------------------------------------------------
+// Are we actually enforced? Under enforcement with no default policy yet, a sink write throws. Must
+// run BEFORE we install our policy, or it would always read as "off".
+function enforcementActive() {
+    try {
+        doc.createElement('div').innerHTML = 'x';
+        return false;
+    }
+    catch {
+        return true;
+    }
+}
+// Best-effort CSP <meta> injection (opt-in). A <meta> CSP is honored only when the PARSER inserts it,
+// so document.write during the initial parse is the one path that can switch enforcement on - and only
+// for content parsed afterwards. We return true only on that path. After parse we still append the node
+// (harmless) but report that it did NOT take.
 //
-// `content` is the trusted CSP directive built from config (the derived default, or META_DIRECTIVE).
-// META_DIRECTIVE is developer-controlled and is expected to be trusted, but since this path reaches
-// document.write we still strip the characters that could break out of the content="..." attribute or
-// the <meta> tag. A real CSP directive never contains ", <, >, or newlines (single quotes, e.g.
-// 'script', are kept - they are harmless inside the double-quoted attribute), so this is lossless for
-// valid input and neutralizes a hostile or malformed directive. Defense in depth.
+// `content` is the trusted directive built from config. META_DIRECTIVE is developer-controlled, but
+// because this path reaches document.write we still strip the characters that could break out of the
+// content="..." attribute. A valid directive never contains ", <, >, or newlines, so the strip is
+// lossless for good input and neutralizes a hostile or malformed one. Defense in depth.
 function injectMeta(content) {
     if (!doc)
         return false;
@@ -99,12 +128,119 @@ function injectMeta(content) {
     }
     return false;
 }
+// --- config resolution (all own-key only, so a polluted prototype can't loosen anything) ---------
+// First URL_CONFIG rule whose `match` hits, else null. Own-key reads only, so a polluted prototype
+// can neither inject a rule nor reach one.
+function selectOverride(options, url) {
+    const rules = cfg(options, 'URL_CONFIG');
+    if (!Array.isArray(rules))
+        return null;
+    for (let i = 0; i < rules.length; i++) {
+        const r = rules[i];
+        if (r && urlMatches(r.match, url))
+            return r;
+    }
+    return null;
+}
+// Normalize whatever the caller handed us into a sanitizer with a `.sanitize` method, or null.
+// DOMPurify's export is itself a callable factory that ALSO carries `.sanitize`, so we must check for
+// `.sanitize` FIRST - otherwise we'd wrap the factory and call the wrong thing. A bare function (e.g. a
+// Sanitizer-API adapter) has no `.sanitize` and falls through to the function case.
+function resolveSanitizer(raw) {
+    if (raw && typeof raw.sanitize === 'function')
+        return raw;
+    if (typeof raw === 'function')
+        return { sanitize: raw };
+    return null;
+}
+// The trusted-types directive for INJECT_META. META_DIRECTIVE wins; otherwise we list the policies
+// that will exist: our own `default`, plus `dompurify` unless a bare-function sanitizer is in use.
+function metaDirective(md, functionSanitizer) {
+    if (typeof md === 'string' && md)
+        return md;
+    const ttNames = functionSanitizer ? 'default' : 'default dompurify';
+    return `require-trusted-types-for 'script'; trusted-types ${ttNames};`;
+}
+// Exercise the sanitizer once so a broken one fails loudly here, not silently on the first real write.
+// It must return a string; anything else would inject junk into every sink.
+function smokeTest(sanitizer, config) {
+    try {
+        const out = sanitizer.sanitize('<b>x</b>', config);
+        return typeof out === 'string'
+            ? { ready: true, error: null }
+            : { ready: false, error: 'sanitize() did not return a string' };
+    }
+    catch (e) {
+        return { ready: false, error: emsg(e) };
+    }
+}
+// --- the default policy --------------------------------------------------------------------------
+// createHTML: route through the sanitizer, fail closed on any problem. `reentry` is true only while
+// the sanitizer parses our input internally (inert and synchronous), so handing the raw string back
+// is safe and keeps us alive if the sanitizer's own sink re-enters us.
+function makeSanitizeHTML(sanitizer, config, ready, report) {
+    let reentry = false;
+    return (s) => {
+        if (!ready) {
+            report('sanitizer-unavailable', { sink: 'createHTML' });
+            return null; // fail closed
+        }
+        if (reentry)
+            return s;
+        try {
+            reentry = true;
+            return sanitizer.sanitize(s, config);
+        }
+        catch (e) {
+            report('sanitize-threw', { error: emsg(e) });
+            return null; // fail closed - never hand back raw markup on error
+        }
+        finally {
+            reentry = false;
+        }
+    };
+}
+// createScript / createScriptURL: code has no safe subset, so refuse by default. A caller hook may
+// allow specific values; if it throws or returns a non-string, we refuse.
+function makeScriptHook(kind, fn, report) {
+    return (s) => {
+        if (fn) {
+            let r;
+            try {
+                r = fn(s);
+            }
+            catch (e) {
+                report('script-hook-threw', { sink: kind, error: emsg(e) });
+                return null; // fail closed
+            }
+            if (typeof r === 'string') {
+                report('script-sink-allowed', { sink: kind });
+                return r;
+            }
+        }
+        report('script-sink-refused', { sink: kind, sample: clip(s) });
+        return null;
+    };
+}
+// --- public entry point --------------------------------------------------------------------------
 function init(options = {}) {
     if (installed)
         return cachedStatus;
     installed = true;
+    // The violation reporter is observability, never control flow. Wrap it so a throwing ON_VIOLATION
+    // can neither abort init() (which would leave us installed with a null status) nor turn a
+    // fail-closed sink - one that should quietly return null - into a thrown exception.
     const onv = cfg(options, 'ON_VIOLATION');
-    const report = (typeof onv === 'function' ? onv : () => { });
+    const report = typeof onv === 'function'
+        ? (code, detail) => {
+            try {
+                onv(code, detail);
+            }
+            catch {
+                /* a misbehaving reporter must never break the policy */
+            }
+        }
+        : () => { };
     const status = {
         version: VERSION,
         ttSupported: !!TT,
@@ -119,15 +255,17 @@ function init(options = {}) {
     const done = (reason, code) => {
         status.protected = status.defaultPolicyOwned && status.enforcementActive && status.sanitizerReady;
         status.reason = reason;
-        if (code)
-            report(code, status);
+        // Freeze the snapshot first, then report it: the reporter sees exactly the authoritative status
+        // that gets cached and returned, and has no window to mutate the cached copy.
         cachedStatus = Object.freeze({ ...status });
+        if (code)
+            report(code, cachedStatus);
         return cachedStatus;
     };
     const url = loc && typeof loc.href !== 'undefined' ? String(loc.href) : '';
-    // EXCLUDE: on a matching URL, DOMFortify stays completely out of the way - no policy, no meta. It
-    // does NOT install a passthrough (that would be a silent XSS hole); under globally delivered
-    // enforcement, excluded pages are the developer's responsibility. Reported via status.excluded.
+    // EXCLUDE: on a match, stay completely out of the way - no policy, no meta. We do NOT install a
+    // passthrough (that would be a silent XSS hole); under globally delivered enforcement, excluded
+    // pages are the developer's responsibility. Reported via status.excluded.
     if (urlMatches(cfg(options, 'EXCLUDE'), url)) {
         status.excluded = true;
         return done('URL matched EXCLUDE; DOMFortify is intentionally inactive on this page.', 'excluded-by-url');
@@ -135,46 +273,24 @@ function init(options = {}) {
     if (!TT || typeof TT.createPolicy !== 'function') {
         return done('Trusted Types not supported; library is inert. Sinks are NOT routed.', 'tt-unsupported');
     }
-    // URL_CONFIG: the first rule whose `match` hits supplies per-URL overrides. `eff(key)` reads that
-    // rule's own key when present, else falls back to the base config - both own-key only, so a polluted
-    // prototype can neither inject a rule nor loosen a refusal.
-    let override = null;
-    const rules = cfg(options, 'URL_CONFIG');
-    if (Array.isArray(rules)) {
-        for (let i = 0; i < rules.length; i++) {
-            const r = rules[i];
-            if (r && urlMatches(r.match, url)) {
-                override = r;
-                break;
-            }
-        }
-    }
+    // Resolve config once. `eff(key)` reads the matching URL_CONFIG rule's own key when present, else the
+    // base config - both own-key only. Nothing is re-read later, so runtime clobbering can't retarget
+    // the policy after this point either.
+    const override = selectOverride(options, url);
     const eff = (key) => (override && own(override, key) ? override[key] : cfg(options, key));
-    // INJECT_META (opt-in, best-effort - see injectMeta and the README). We only attempt it when TT is
-    // supported; the directive lists the policies that will exist: our own `default`, plus `dompurify`
-    // unless a bare-function sanitizer (e.g. the native Sanitizer API) is in use. META_DIRECTIVE overrides.
+    // INJECT_META (opt-in, best-effort - see injectMeta and the README).
     if (cfg(options, 'INJECT_META') === true) {
-        const md = cfg(options, 'META_DIRECTIVE');
-        const ttNames = typeof eff('SANITIZER') === 'function' ? 'default' : 'default dompurify';
-        const directive = typeof md === 'string' && md ? md : `require-trusted-types-for 'script'; trusted-types ${ttNames};`;
+        const directive = metaDirective(cfg(options, 'META_DIRECTIVE'), typeof eff('SANITIZER') === 'function');
         status.metaInjected = injectMeta(directive);
         report('meta-injection-attempted', { directive, written: status.metaInjected });
     }
     status.enforcementActive = enforcementActive();
-    // Resolve config once, reading own keys only so a polluted prototype can't supply a value - and,
-    // most importantly, can't loosen a refusal. Nothing is re-read later, so runtime clobbering can't
-    // retarget the policy either. URL_CONFIG overrides are applied here via `eff`.
+    // Sanitizer: explicit SANITIZER (possibly per-URL), else window.DOMPurify. Config is forwarded
+    // verbatim as the second argument, copied to drop pollution-prone keys.
     let rawSan = eff('SANITIZER');
     if (rawSan === undefined)
         rawSan = root.DOMPurify;
-    // DOMPurify's export is itself a callable function (the factory) that also exposes `.sanitize`, so
-    // check for a `.sanitize` method FIRST - otherwise we'd wrap the factory and call the wrong thing. A
-    // bare function (e.g. a Sanitizer-API adapter) has no `.sanitize` and falls through to the function case.
-    const DP = rawSan && typeof rawSan.sanitize === 'function'
-        ? rawSan
-        : typeof rawSan === 'function'
-            ? { sanitize: rawSan }
-            : null;
+    const sanitizer = resolveSanitizer(rawSan);
     const rawCfg = eff('SANITIZER_CONFIG');
     const sanitizeConfig = rawCfg && typeof rawCfg === 'object' ? shallowCopy(rawCfg) : undefined;
     // Sink openers count only if they're own functions, so prototype pollution can never open a sink.
@@ -182,66 +298,19 @@ function init(options = {}) {
     const asuCand = eff('ALLOW_SCRIPT_URL');
     const allowScript = typeof asCand === 'function' ? asCand : null;
     const allowScriptURL = typeof asuCand === 'function' ? asuCand : null;
-    // Smoke-test once so a broken sanitizer fails loudly here, not silently on the first real write. It
-    // must return a string - a sanitizer that returns anything else would otherwise inject junk.
     let sanitizerReady = false;
-    if (DP && typeof DP.sanitize === 'function') {
-        try {
-            sanitizerReady = typeof DP.sanitize('<b>x</b>', sanitizeConfig) === 'string';
-            if (!sanitizerReady)
-                report('sanitizer-smoketest-failed', { error: 'sanitize() did not return a string' });
-        }
-        catch (e) {
-            report('sanitizer-smoketest-failed', { error: emsg(e) });
-        }
+    if (sanitizer) {
+        const result = smokeTest(sanitizer, sanitizeConfig);
+        sanitizerReady = result.ready;
+        if (!result.ready)
+            report('sanitizer-smoketest-failed', { error: result.error });
     }
     status.sanitizerReady = sanitizerReady;
-    // `reentry` is true only while the sanitizer parses our input internally - inert and synchronous - so
-    // handing the raw string straight back is safe, and keeps us alive if its own sink re-enters us.
-    let reentry = false;
-    const sanitizeHTML = (s) => {
-        if (!sanitizerReady) {
-            report('sanitizer-unavailable', { sink: 'createHTML' });
-            return null; // fail closed
-        }
-        if (reentry)
-            return s;
-        try {
-            reentry = true;
-            return DP.sanitize(s, sanitizeConfig);
-        }
-        catch (e) {
-            report('sanitize-threw', { error: emsg(e) });
-            return null; // fail closed - never hand back raw markup on error
-        }
-        finally {
-            reentry = false;
-        }
-    };
-    // Code has no safe subset, so refuse by default. A caller hook may allow specific values; if it throws
-    // or returns a non-string, we refuse.
-    const scriptHook = (kind, fn) => (s) => {
-        if (fn) {
-            let r;
-            try {
-                r = fn(s);
-            }
-            catch (e) {
-                report('script-hook-threw', { sink: kind, error: emsg(e) });
-                return null; // fail closed
-            }
-            if (typeof r === 'string') {
-                report('script-sink-allowed', { sink: kind });
-                return r;
-            }
-        }
-        report('script-sink-refused', { sink: kind, sample: clip(s) });
-        return null;
-    };
+    // createHTML closes over sanitizeConfig; the script hooks refuse unless an own-function hook allows.
     const policyDef = {
-        createHTML: sanitizeHTML,
-        createScript: scriptHook('createScript', allowScript),
-        createScriptURL: scriptHook('createScriptURL', allowScriptURL),
+        createHTML: makeSanitizeHTML(sanitizer, sanitizeConfig, sanitizerReady, report),
+        createScript: makeScriptHook('createScript', allowScript, report),
+        createScriptURL: makeScriptHook('createScriptURL', allowScriptURL, report),
     };
     // Did someone grab the default slot first? We can't evict them and won't vouch for them.
     if (TT.defaultPolicy) {
diff --git a/dist/fortify.cjs.js.map b/dist/fortify.cjs.js.map
index c52529f..ea0cdc4 100644
--- a/dist/fortify.cjs.js.map
+++ b/dist/fortify.cjs.js.map
@@ -1 +1 @@
-{"version":3,"file":"fortify.cjs.js","sources":["../src/fortify.ts"],"sourcesContent":[null],"names":[],"mappings":";;;;;AAuBA,MAAM,OAAO,GAAG,OAAa;AAO7B;AACA,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,cAAc;AAC9C,MAAM,IAAI,GACR,OAAO,UAAU,KAAK,WAAW,GAAG,UAAU,GAAI,MAAuC;AAC3F,MAAM,GAAG,GAAyB,OAAO,QAAQ,KAAK,WAAW,GAAG,QAAQ,GAAG,SAAS;AACxF,MAAM,GAAG,GAAoC,IAAqD,CAAC,QAAQ;AAE3G,MAAM,GAAG,GAAG,CAAC,GAAY,EAAE,GAAW,KAAc,GAAG,IAAI,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC;AACxF,MAAM,GAAG,GAAG,CAAC,GAAY,EAAE,GAAW,MAAe,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,GAAI,GAA+B,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC;AACvH,MAAM,IAAI,GAAG,CAAC,CAAU,KAAa,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;AAC3D,MAAM,IAAI,GAAG,CAAC,CAAU,KAAa,MAAM,CAAE,CAAuC,EAAE,OAAO,CAAC;AAE9F,MAAM,EAAE,GAAI,IAAgD,CAAC,YAAY;AAEzE,IAAI,SAAS,GAAG,KAAK;AACrB,IAAI,YAAY,GAAsC,IAAI;AAE1D;AACA;AACA,SAAS,iBAAiB,GAAA;AACxB,IAAA,IAAI;QACD,GAAgB,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,SAAS,GAAG,GAAG;AACtD,QAAA,OAAO,KAAK;IACd;AAAE,IAAA,MAAM;AACN,QAAA,OAAO,IAAI;IACb;AACF;AAEA;AACA;AACA,SAAS,WAAW,CAAC,GAA4B,EAAA;IAC/C,MAAM,GAAG,GAA4B,EAAE;AACvC,IAAA,KAAK,MAAM,CAAC,IAAI,GAAG,EAAE;AACnB,QAAA,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,WAAW,IAAI,CAAC,KAAK,aAAa,IAAI,CAAC,KAAK,WAAW;YAAE,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;IAC3G;AACA,IAAA,OAAO,GAAG;AACZ;AAEA;AACA;AACA,SAAS,UAAU,CAAC,OAA8C,EAAE,GAAW,EAAA;IAC7E,IAAI,OAAO,IAAI,IAAI;AAAE,QAAA,OAAO,KAAK;AACjC,IAAA,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,CAAC,OAAO,CAAC;AACzD,IAAA,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;AACpC,QAAA,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;AACjB,QAAA,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE;AACzB,YAAA,IAAI,CAAC,KAAK,EAAE,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,EAAE;AAAE,gBAAA,OAAO,IAAI;QACpD;AAAO,aAAA,IAAI,CAAC,YAAY,MAAM,EAAE;AAC9B,YAAA,IAAI;AACF,gBAAA,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;AAAE,oBAAA,OAAO,IAAI;YAC9B;AAAE,YAAA,MAAM;;YAER;QACF;IACF;AACA,IAAA,OAAO,KAAK;AACd;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,UAAU,CAAC,OAAe,EAAA;AACjC,IAAA,IAAI,CAAC,GAAG;AAAE,QAAA,OAAO,KAAK;IACtB,MAAM,CAAC,GAAG,GAAsE;IAChF,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC;AAC9C,IAAA,MAAM,GAAG,GAAG,sDAAsD,GAAG,IAAI,GAAG,IAAI;AAChF,IAAA,IAAI,CAAC,CAAC,UAAU,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,UAAU,EAAE;AAC/D,QAAA,IAAI;AACF,YAAA,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC;AACZ,YAAA,OAAO,IAAI;QACb;AAAE,QAAA,MAAM;;QAER;IACF;AACA,IAAA,IAAI;QACF,MAAM,CAAC,GAAG,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC;AACjC,QAAA,CAAC,CAAC,YAAY,CAAC,YAAY,EAAE,yBAAyB,CAAC;AACvD,QAAA,CAAC,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC;AAClC,QAAA,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC,CAAC;IAC9C;AAAE,IAAA,MAAM;;IAER;AACA,IAAA,OAAO,KAAK;AACd;AAEM,SAAU,IAAI,CAAC,OAAA,GAA4B,EAAE,EAAA;AACjD,IAAA,IAAI,SAAS;AAAE,QAAA,OAAO,YAA0C;IAChE,SAAS,GAAG,IAAI;IAEhB,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,EAAE,cAAc,CAAC;AACxC,IAAA,MAAM,MAAM,IAAI,OAAO,GAAG,KAAK,UAAU,GAAG,GAAG,GAAG,MAAK,EAAE,CAAC,CAAoD;AAE9G,IAAA,MAAM,MAAM,GAAqB;AAC/B,QAAA,OAAO,EAAE,OAAO;QAChB,WAAW,EAAE,CAAC,CAAC,EAAE;AACjB,QAAA,iBAAiB,EAAE,KAAK;AACxB,QAAA,kBAAkB,EAAE,KAAK;AACzB,QAAA,cAAc,EAAE,KAAK;AACrB,QAAA,QAAQ,EAAE,KAAK;AACf,QAAA,YAAY,EAAE,KAAK;AACnB,QAAA,SAAS,EAAE,KAAK;AAChB,QAAA,MAAM,EAAE,EAAE;KACX;AACD,IAAA,MAAM,IAAI,GAAG,CAAC,MAAc,EAAE,IAAoB,KAAgC;AAChF,QAAA,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC,iBAAiB,IAAI,MAAM,CAAC,cAAc;AACjG,QAAA,MAAM,CAAC,MAAM,GAAG,MAAM;AACtB,QAAA,IAAI,IAAI;AAAE,YAAA,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC;QAC9B,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,MAAM,EAAE,CAAC;AAC3C,QAAA,OAAO,YAAY;AACrB,IAAA,CAAC;IAED,MAAM,GAAG,GAAG,GAAG,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE;;;;AAK1E,IAAA,IAAI,UAAU,CAAC,GAAG,CAAC,OAAO,EAAE,SAAS,CAA0C,EAAE,GAAG,CAAC,EAAE;AACrF,QAAA,MAAM,CAAC,QAAQ,GAAG,IAAI;AACtB,QAAA,OAAO,IAAI,CAAC,yEAAyE,EAAE,iBAAiB,CAAC;IAC3G;IAEA,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,CAAC,YAAY,KAAK,UAAU,EAAE;AAChD,QAAA,OAAO,IAAI,CAAC,sEAAsE,EAAE,gBAAgB,CAAC;IACvG;;;;IAKA,IAAI,QAAQ,GAAmC,IAAI;IACnD,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,EAAE,YAAY,CAAC;AACxC,IAAA,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;AACxB,QAAA,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;AACrC,YAAA,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAA8B;YAC/C,IAAI,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE;gBACjC,QAAQ,GAAG,CAAuC;gBAClD;YACF;QACF;IACF;AACA,IAAA,MAAM,GAAG,GAAG,CAAC,GAAW,MAAe,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;;;;IAK1G,IAAI,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC,KAAK,IAAI,EAAE;QACxC,MAAM,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,gBAAgB,CAAC;AACzC,QAAA,MAAM,OAAO,GAAG,OAAO,GAAG,CAAC,WAAW,CAAC,KAAK,UAAU,GAAG,SAAS,GAAG,mBAAmB;AACxF,QAAA,MAAM,SAAS,GACb,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,GAAG,EAAE,GAAG,CAAA,kDAAA,EAAqD,OAAO,GAAG;AACrG,QAAA,MAAM,CAAC,YAAY,GAAG,UAAU,CAAC,SAAS,CAAC;AAC3C,QAAA,MAAM,CAAC,0BAA0B,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,CAAC,YAAY,EAAE,CAAC;IACjF;AAEA,IAAA,MAAM,CAAC,iBAAiB,GAAG,iBAAiB,EAAE;;;;AAK9C,IAAA,IAAI,MAAM,GAAY,GAAG,CAAC,WAAW,CAAC;IACtC,IAAI,MAAM,KAAK,SAAS;AAAE,QAAA,MAAM,GAAI,IAA2C,CAAC,SAAS;;;;IAIzF,MAAM,EAAE,GACN,MAAM,IAAI,OAAQ,MAAoB,CAAC,QAAQ,KAAK;AAClD,UAAG;AACH,UAAE,OAAO,MAAM,KAAK;AAClB,cAAE,EAAE,QAAQ,EAAE,MAAoB;cAChC,IAAI;AACZ,IAAA,MAAM,MAAM,GAAG,GAAG,CAAC,kBAAkB,CAAC;AACtC,IAAA,MAAM,cAAc,GAClB,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,GAAG,WAAW,CAAC,MAAiC,CAAC,GAAG,SAAS;;AAGnG,IAAA,MAAM,MAAM,GAAG,GAAG,CAAC,cAAc,CAAC;AAClC,IAAA,MAAM,OAAO,GAAG,GAAG,CAAC,kBAAkB,CAAC;AACvC,IAAA,MAAM,WAAW,GAAG,OAAO,MAAM,KAAK,UAAU,GAAI,MAAqB,GAAG,IAAI;AAChF,IAAA,MAAM,cAAc,GAAG,OAAO,OAAO,KAAK,UAAU,GAAI,OAAsB,GAAG,IAAI;;;IAIrF,IAAI,cAAc,GAAG,KAAK;IAC1B,IAAI,EAAE,IAAI,OAAO,EAAE,CAAC,QAAQ,KAAK,UAAU,EAAE;AAC3C,QAAA,IAAI;AACF,YAAA,cAAc,GAAG,OAAO,EAAE,CAAC,QAAQ,CAAC,UAAU,EAAE,cAAc,CAAC,KAAK,QAAQ;AAC5E,YAAA,IAAI,CAAC,cAAc;gBAAE,MAAM,CAAC,4BAA4B,EAAE,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC;QAC5G;QAAE,OAAO,CAAC,EAAE;AACV,YAAA,MAAM,CAAC,4BAA4B,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1D;IACF;AACA,IAAA,MAAM,CAAC,cAAc,GAAG,cAAc;;;IAItC,IAAI,OAAO,GAAG,KAAK;AACnB,IAAA,MAAM,YAAY,GAAG,CAAC,CAAS,KAAmB;QAChD,IAAI,CAAC,cAAc,EAAE;YACnB,MAAM,CAAC,uBAAuB,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC;YACvD,OAAO,IAAI,CAAC;QACd;AACA,QAAA,IAAI,OAAO;AAAE,YAAA,OAAO,CAAC;AACrB,QAAA,IAAI;YACF,OAAO,GAAG,IAAI;YACd,OAAQ,EAAgB,CAAC,QAAQ,CAAC,CAAC,EAAE,cAAc,CAAW;QAChE;QAAE,OAAO,CAAC,EAAE;AACV,YAAA,MAAM,CAAC,gBAAgB,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC;QACd;gBAAU;YACR,OAAO,GAAG,KAAK;QACjB;AACF,IAAA,CAAC;;;AAID,IAAA,MAAM,UAAU,GACd,CAAC,IAAwC,EAAE,EAAqB,KAChE,CAAC,CAAS,KAAmB;QAC3B,IAAI,EAAE,EAAE;AACN,YAAA,IAAI,CAAU;AACd,YAAA,IAAI;AACF,gBAAA,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;YACX;YAAE,OAAO,CAAC,EAAE;AACV,gBAAA,MAAM,CAAC,mBAAmB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC3D,OAAO,IAAI,CAAC;YACd;AACA,YAAA,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE;gBACzB,MAAM,CAAC,qBAAqB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AAC7C,gBAAA,OAAO,CAAC;YACV;QACF;AACA,QAAA,MAAM,CAAC,qBAAqB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;AAC9D,QAAA,OAAO,IAAI;AACb,IAAA,CAAC;AAEH,IAAA,MAAM,SAAS,GAAG;AAChB,QAAA,UAAU,EAAE,YAAY;AACxB,QAAA,YAAY,EAAE,UAAU,CAAC,cAAc,EAAE,WAAW,CAAC;AACrD,QAAA,eAAe,EAAE,UAAU,CAAC,iBAAiB,EAAE,cAAc,CAAC;KAC/D;;AAGD,IAAA,IAAI,EAAE,CAAC,aAAa,EAAE;QACpB,OAAO,IAAI,CACT,qGAAqG;YACnG,0CAA0C,EAC5C,4BAA4B,CAC7B;IACH;AAEA,IAAA,IAAI,IAAa;AACjB,IAAA,IAAI;QACF,IAAI,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9C;IAAE,OAAO,CAAC,EAAE;;QAEV,OAAO,IAAI,CACT,CAAA,+BAAA,EAAkC,IAAI,CAAC,CAAC,CAAC,CAAA,uCAAA,CAAyC,EAClF,qBAAqB,CACtB;IACH;;IAGA,IAAI,EAAE,CAAC,aAAa,IAAI,EAAE,CAAC,aAAa,KAAK,IAAI,EAAE;QACjD,OAAO,IAAI,CACT,qFAAqF;YACnF,6DAA6D,EAC/D,2BAA2B,CAC5B;IACH;AAEA,IAAA,MAAM,CAAC,kBAAkB,GAAG,IAAI;AAEhC,IAAA,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE;QAC7B,OAAO,IAAI,CACT,qGAAqG;YACnG,uDAAuD,EACzD,sBAAsB,CACvB;IACH;IACA,IAAI,CAAC,cAAc,EAAE;QACnB,OAAO,IAAI,CACT,+FAA+F;YAC7F,mEAAmE,EACrE,gBAAgB,CACjB;IACH;AACA,IAAA,OAAO,IAAI,CACT,CAAA,2CAAA,EAA8C,WAAW,IAAI,cAAc,GAAG,yBAAyB,GAAG,SAAS,CAAA,CAAA,CAAG,CACvH;AACH;SAEgB,MAAM,GAAA;AACpB,IAAA,OAAO,YAAY;AACrB;AAEO,MAAM,UAAU,GAAkB,MAAM,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE;;;;;;;"}
\ No newline at end of file
+{"version":3,"file":"fortify.cjs.js","sources":["../src/internal.ts","../src/fortify.ts"],"sourcesContent":[null,null],"names":[],"mappings":";;;;;AAOA;AACA,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,cAAc;AAE9C;AACM,SAAU,GAAG,CAAC,GAAY,EAAE,GAAW,EAAA;AAC3C,IAAA,OAAO,GAAG,IAAI,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC;AAC7C;AAEA;AACM,SAAU,GAAG,CAAC,GAAY,EAAE,GAAW,EAAA;AAC3C,IAAA,OAAO,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,GAAI,GAA+B,CAAC,GAAG,CAAC,GAAG,SAAS;AAC1E;AAEA;AACM,SAAU,IAAI,CAAC,CAAU,EAAA;IAC7B,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;AAC/B;AAEA;AACM,SAAU,IAAI,CAAC,CAAU,EAAA;AAC7B,IAAA,OAAO,MAAM,CAAE,CAAuC,EAAE,OAAO,CAAC;AAClE;AAEA;;;AAGG;AACG,SAAU,WAAW,CAAC,GAA4B,EAAA;IACtD,MAAM,GAAG,GAA4B,EAAE;AACvC,IAAA,KAAK,MAAM,CAAC,IAAI,GAAG,EAAE;QACnB,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,WAAW,IAAI,CAAC,KAAK,aAAa,IAAI,CAAC,KAAK,WAAW,EAAE;YACxF,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;QACjB;IACF;AACA,IAAA,OAAO,GAAG;AACZ;AAEA;;;;AAIG;AACG,SAAU,UAAU,CAAC,OAA8C,EAAE,GAAW,EAAA;IACpF,IAAI,OAAO,IAAI,IAAI;AAAE,QAAA,OAAO,KAAK;AACjC,IAAA,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,CAAC,OAAO,CAAC;AACzD,IAAA,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;AACpC,QAAA,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;AACjB,QAAA,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE;AACzB,YAAA,IAAI,CAAC,KAAK,EAAE,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,EAAE;AAAE,gBAAA,OAAO,IAAI;QACpD;AAAO,aAAA,IAAI,CAAC,YAAY,MAAM,EAAE;AAC9B,YAAA,IAAI;AACF,gBAAA,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;AAAE,oBAAA,OAAO,IAAI;YAC9B;AAAE,YAAA,MAAM;;YAER;QACF;IACF;AACA,IAAA,OAAO,KAAK;AACd;;ACjEA;;;;;;;;;;AAUG;AAcH,MAAM,OAAO,GAAG,OAAa;AAS7B;AACA,MAAM,IAAI,GACR,OAAO,UAAU,KAAK,WAAW,GAAG,UAAU,GAAI,MAAuC;AAC3F,MAAM,GAAG,GAAyB,OAAO,QAAQ,KAAK,WAAW,GAAG,QAAQ,GAAG,SAAS;AACxF,MAAM,GAAG,GAAoC,IAAqD,CAAC,QAAQ;AAC3G,MAAM,EAAE,GAAI,IAAgD,CAAC,YAAY;AAEzE,IAAI,SAAS,GAAG,KAAK;AACrB,IAAI,YAAY,GAAsC,IAAI;AAE1D;AAEA;AACA;AACA,SAAS,iBAAiB,GAAA;AACxB,IAAA,IAAI;QACD,GAAgB,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,SAAS,GAAG,GAAG;AACtD,QAAA,OAAO,KAAK;IACd;AAAE,IAAA,MAAM;AACN,QAAA,OAAO,IAAI;IACb;AACF;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,UAAU,CAAC,OAAe,EAAA;AACjC,IAAA,IAAI,CAAC,GAAG;AAAE,QAAA,OAAO,KAAK;IACtB,MAAM,CAAC,GAAG,GAAsE;IAChF,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC;AAC9C,IAAA,MAAM,GAAG,GAAG,sDAAsD,GAAG,IAAI,GAAG,IAAI;AAChF,IAAA,IAAI,CAAC,CAAC,UAAU,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,UAAU,EAAE;AAC/D,QAAA,IAAI;AACF,YAAA,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC;AACZ,YAAA,OAAO,IAAI;QACb;AAAE,QAAA,MAAM;;QAER;IACF;AACA,IAAA,IAAI;QACF,MAAM,CAAC,GAAG,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC;AACjC,QAAA,CAAC,CAAC,YAAY,CAAC,YAAY,EAAE,yBAAyB,CAAC;AACvD,QAAA,CAAC,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC;AAClC,QAAA,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC,CAAC;IAC9C;AAAE,IAAA,MAAM;;IAER;AACA,IAAA,OAAO,KAAK;AACd;AAEA;AAEA;AACA;AACA,SAAS,cAAc,CAAC,OAAyB,EAAE,GAAW,EAAA;IAC5D,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,EAAE,YAAY,CAAC;AACxC,IAAA,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;AAAE,QAAA,OAAO,IAAI;AACtC,IAAA,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;AACrC,QAAA,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAA8B;QAC/C,IAAI,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,KAAK,EAAE,GAAG,CAAC;AAAE,YAAA,OAAO,CAAuC;IACnF;AACA,IAAA,OAAO,IAAI;AACb;AAEA;AACA;AACA;AACA;AACA,SAAS,gBAAgB,CAAC,GAAY,EAAA;AACpC,IAAA,IAAI,GAAG,IAAI,OAAQ,GAAiB,CAAC,QAAQ,KAAK,UAAU;AAAE,QAAA,OAAO,GAAgB;IACrF,IAAI,OAAO,GAAG,KAAK,UAAU;AAAE,QAAA,OAAO,EAAE,QAAQ,EAAE,GAAiB,EAAE;AACrE,IAAA,OAAO,IAAI;AACb;AAEA;AACA;AACA,SAAS,aAAa,CAAC,EAAW,EAAE,iBAA0B,EAAA;AAC5D,IAAA,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE;AAAE,QAAA,OAAO,EAAE;IAC3C,MAAM,OAAO,GAAG,iBAAiB,GAAG,SAAS,GAAG,mBAAmB;IACnE,OAAO,CAAA,kDAAA,EAAqD,OAAO,CAAA,CAAA,CAAG;AACxE;AAEA;AACA;AACA,SAAS,SAAS,CAAC,SAAoB,EAAE,MAAe,EAAA;AACtD,IAAA,IAAI;QACF,MAAM,GAAG,GAAG,SAAS,CAAC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;QAClD,OAAO,OAAO,GAAG,KAAK;cAClB,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI;cAC1B,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,oCAAoC,EAAE;IACnE;IAAE,OAAO,CAAC,EAAE;AACV,QAAA,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE;IACzC;AACF;AAEA;AAEA;AACA;AACA;AACA,SAAS,gBAAgB,CACvB,SAA2B,EAC3B,MAAe,EACf,KAAc,EACd,MAAc,EAAA;IAEd,IAAI,OAAO,GAAG,KAAK;IACnB,OAAO,CAAC,CAAS,KAAmB;QAClC,IAAI,CAAC,KAAK,EAAE;YACV,MAAM,CAAC,uBAAuB,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC;YACvD,OAAO,IAAI,CAAC;QACd;AACA,QAAA,IAAI,OAAO;AAAE,YAAA,OAAO,CAAC;AACrB,QAAA,IAAI;YACF,OAAO,GAAG,IAAI;YACd,OAAQ,SAAuB,CAAC,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAW;QAC/D;QAAE,OAAO,CAAC,EAAE;AACV,YAAA,MAAM,CAAC,gBAAgB,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC;QACd;gBAAU;YACR,OAAO,GAAG,KAAK;QACjB;AACF,IAAA,CAAC;AACH;AAEA;AACA;AACA,SAAS,cAAc,CACrB,IAAwC,EACxC,EAAqB,EACrB,MAAc,EAAA;IAEd,OAAO,CAAC,CAAS,KAAmB;QAClC,IAAI,EAAE,EAAE;AACN,YAAA,IAAI,CAAU;AACd,YAAA,IAAI;AACF,gBAAA,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;YACX;YAAE,OAAO,CAAC,EAAE;AACV,gBAAA,MAAM,CAAC,mBAAmB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC3D,OAAO,IAAI,CAAC;YACd;AACA,YAAA,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE;gBACzB,MAAM,CAAC,qBAAqB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AAC7C,gBAAA,OAAO,CAAC;YACV;QACF;AACA,QAAA,MAAM,CAAC,qBAAqB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;AAC9D,QAAA,OAAO,IAAI;AACb,IAAA,CAAC;AACH;AAEA;AAEM,SAAU,IAAI,CAAC,OAAA,GAA4B,EAAE,EAAA;AACjD,IAAA,IAAI,SAAS;AAAE,QAAA,OAAO,YAA0C;IAChE,SAAS,GAAG,IAAI;;;;IAKhB,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,EAAE,cAAc,CAAC;AACxC,IAAA,MAAM,MAAM,GACV,OAAO,GAAG,KAAK;AACb,UAAE,CAAC,IAAI,EAAE,MAAM,KAAI;AACf,YAAA,IAAI;AACD,gBAAA,GAAc,CAAC,IAAI,EAAE,MAAM,CAAC;YAC/B;AAAE,YAAA,MAAM;;YAER;QACF;AACF,UAAE,MAAK,EAAE,CAAC;AAEd,IAAA,MAAM,MAAM,GAAqB;AAC/B,QAAA,OAAO,EAAE,OAAO;QAChB,WAAW,EAAE,CAAC,CAAC,EAAE;AACjB,QAAA,iBAAiB,EAAE,KAAK;AACxB,QAAA,kBAAkB,EAAE,KAAK;AACzB,QAAA,cAAc,EAAE,KAAK;AACrB,QAAA,QAAQ,EAAE,KAAK;AACf,QAAA,YAAY,EAAE,KAAK;AACnB,QAAA,SAAS,EAAE,KAAK;AAChB,QAAA,MAAM,EAAE,EAAE;KACX;AACD,IAAA,MAAM,IAAI,GAAG,CAAC,MAAc,EAAE,IAAoB,KAAgC;AAChF,QAAA,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC,iBAAiB,IAAI,MAAM,CAAC,cAAc;AACjG,QAAA,MAAM,CAAC,MAAM,GAAG,MAAM;;;QAGtB,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,MAAM,EAAE,CAAC;AAC3C,QAAA,IAAI,IAAI;AAAE,YAAA,MAAM,CAAC,IAAI,EAAE,YAAY,CAAC;AACpC,QAAA,OAAO,YAAY;AACrB,IAAA,CAAC;IAED,MAAM,GAAG,GAAG,GAAG,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE;;;;AAK1E,IAAA,IAAI,UAAU,CAAC,GAAG,CAAC,OAAO,EAAE,SAAS,CAA0C,EAAE,GAAG,CAAC,EAAE;AACrF,QAAA,MAAM,CAAC,QAAQ,GAAG,IAAI;AACtB,QAAA,OAAO,IAAI,CAAC,yEAAyE,EAAE,iBAAiB,CAAC;IAC3G;IAEA,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,CAAC,YAAY,KAAK,UAAU,EAAE;AAChD,QAAA,OAAO,IAAI,CAAC,sEAAsE,EAAE,gBAAgB,CAAC;IACvG;;;;IAKA,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC;AAC7C,IAAA,MAAM,GAAG,GAAG,CAAC,GAAW,MAAe,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;;IAG1G,IAAI,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC,KAAK,IAAI,EAAE;AACxC,QAAA,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,OAAO,EAAE,gBAAgB,CAAC,EAAE,OAAO,GAAG,CAAC,WAAW,CAAC,KAAK,UAAU,CAAC;AACvG,QAAA,MAAM,CAAC,YAAY,GAAG,UAAU,CAAC,SAAS,CAAC;AAC3C,QAAA,MAAM,CAAC,0BAA0B,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,CAAC,YAAY,EAAE,CAAC;IACjF;AAEA,IAAA,MAAM,CAAC,iBAAiB,GAAG,iBAAiB,EAAE;;;AAI9C,IAAA,IAAI,MAAM,GAAY,GAAG,CAAC,WAAW,CAAC;IACtC,IAAI,MAAM,KAAK,SAAS;AAAE,QAAA,MAAM,GAAI,IAA2C,CAAC,SAAS;AACzF,IAAA,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC;AAC1C,IAAA,MAAM,MAAM,GAAG,GAAG,CAAC,kBAAkB,CAAC;AACtC,IAAA,MAAM,cAAc,GAClB,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,GAAG,WAAW,CAAC,MAAiC,CAAC,GAAG,SAAS;;AAGnG,IAAA,MAAM,MAAM,GAAG,GAAG,CAAC,cAAc,CAAC;AAClC,IAAA,MAAM,OAAO,GAAG,GAAG,CAAC,kBAAkB,CAAC;AACvC,IAAA,MAAM,WAAW,GAAG,OAAO,MAAM,KAAK,UAAU,GAAI,MAAqB,GAAG,IAAI;AAChF,IAAA,MAAM,cAAc,GAAG,OAAO,OAAO,KAAK,UAAU,GAAI,OAAsB,GAAG,IAAI;IAErF,IAAI,cAAc,GAAG,KAAK;IAC1B,IAAI,SAAS,EAAE;QACb,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,EAAE,cAAc,CAAC;AACnD,QAAA,cAAc,GAAG,MAAM,CAAC,KAAK;QAC7B,IAAI,CAAC,MAAM,CAAC,KAAK;YAAE,MAAM,CAAC,4BAA4B,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC;IAClF;AACA,IAAA,MAAM,CAAC,cAAc,GAAG,cAAc;;AAGtC,IAAA,MAAM,SAAS,GAAG;QAChB,UAAU,EAAE,gBAAgB,CAAC,SAAS,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,CAAC;QAC/E,YAAY,EAAE,cAAc,CAAC,cAAc,EAAE,WAAW,EAAE,MAAM,CAAC;QACjE,eAAe,EAAE,cAAc,CAAC,iBAAiB,EAAE,cAAc,EAAE,MAAM,CAAC;KAC3E;;AAGD,IAAA,IAAI,EAAE,CAAC,aAAa,EAAE;QACpB,OAAO,IAAI,CACT,qGAAqG;YACnG,0CAA0C,EAC5C,4BAA4B,CAC7B;IACH;AAEA,IAAA,IAAI,IAAa;AACjB,IAAA,IAAI;QACF,IAAI,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9C;IAAE,OAAO,CAAC,EAAE;;QAEV,OAAO,IAAI,CACT,CAAA,+BAAA,EAAkC,IAAI,CAAC,CAAC,CAAC,CAAA,uCAAA,CAAyC,EAClF,qBAAqB,CACtB;IACH;;IAGA,IAAI,EAAE,CAAC,aAAa,IAAI,EAAE,CAAC,aAAa,KAAK,IAAI,EAAE;QACjD,OAAO,IAAI,CACT,qFAAqF;YACnF,6DAA6D,EAC/D,2BAA2B,CAC5B;IACH;AAEA,IAAA,MAAM,CAAC,kBAAkB,GAAG,IAAI;AAEhC,IAAA,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE;QAC7B,OAAO,IAAI,CACT,qGAAqG;YACnG,uDAAuD,EACzD,sBAAsB,CACvB;IACH;IACA,IAAI,CAAC,cAAc,EAAE;QACnB,OAAO,IAAI,CACT,+FAA+F;YAC7F,mEAAmE,EACrE,gBAAgB,CACjB;IACH;AACA,IAAA,OAAO,IAAI,CACT,CAAA,2CAAA,EAA8C,WAAW,IAAI,cAAc,GAAG,yBAAyB,GAAG,SAAS,CAAA,CAAA,CAAG,CACvH;AACH;SAEgB,MAAM,GAAA;AACpB,IAAA,OAAO,YAAY;AACrB;AAEO,MAAM,UAAU,GAAkB,MAAM,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE;;;;;;;"}
\ No newline at end of file
diff --git a/dist/fortify.d.ts b/dist/fortify.d.ts
index c05e889..83ef828 100644
--- a/dist/fortify.d.ts
+++ b/dist/fortify.d.ts
@@ -78,18 +78,6 @@ interface DOMFortifyApi {
     status(): Readonly<DOMFortifyStatus> | null;
 }
 
-/**
- * DOMFortify - bolt Trusted Types onto a legacy page so old DOM-XSS sinks get sanitized
- * without touching the code. See README for the full picture; the short version:
- *
- *  - Claims the realm's `default` Trusted Types policy and routes every HTML sink through a
- *    sanitizer. Script sinks (eval, javascript: URLs, script.src) are refused.
- *  - Does NOT switch enforcement on; a CSP does (header best, `<meta>` works).
- *  - Must load FIRST: the default policy is winner-takes-all.
- *  - Fails closed: no sanitizer means sinks throw, never leak.
- *  - Only covers Trusted Types sinks; inline handlers / style / URL props stay open.
- */
-
 declare function init(options?: DOMFortifyConfig): Readonly<DOMFortifyStatus>;
 declare function status(): Readonly<DOMFortifyStatus> | null;
 declare const DOMFortify: DOMFortifyApi;
diff --git a/dist/fortify.es.mjs b/dist/fortify.es.mjs
index 53d3432..5dd9143 100644
--- a/dist/fortify.es.mjs
+++ b/dist/fortify.es.mjs
@@ -1,40 +1,40 @@
-/*! DOMFortify 0.1.0 | (c) Cure53 and contributors | (MPL-2.0 OR Apache-2.0) */
-const VERSION = '0.1.0';
-// Grab natives up front so later prototype-pollution or clobbering can't swap them out.
+/*! DOMFortify 0.2.0 | (c) Cure53 and contributors | (MPL-2.0 OR Apache-2.0) */
+// Cached up front so later prototype pollution or clobbering can't swap hasOwnProperty out.
 const hasOwn = Object.prototype.hasOwnProperty;
-const root = typeof globalThis !== 'undefined' ? globalThis : window;
-const doc = typeof document !== 'undefined' ? document : undefined;
-const loc = root.location;
-const own = (obj, key) => obj != null && hasOwn.call(obj, key);
-const cfg = (obj, key) => (own(obj, key) ? obj[key] : undefined);
-const clip = (s) => String(s).slice(0, 80);
-const emsg = (e) => String(e?.message);
-const TT = root.trustedTypes;
-let installed = false;
-let cachedStatus = null;
-// Are we actually enforced? Under enforcement with no default policy yet, a sink write throws.
-// Run this BEFORE we install our policy, or it would always read as "off".
-function enforcementActive() {
-    try {
-        doc.createElement('div').innerHTML = 'x';
-        return false;
-    }
-    catch {
-        return true;
-    }
+/** True only for an own (non-inherited) property, so a polluted prototype is never consulted. */
+function own(obj, key) {
+    return obj != null && hasOwn.call(obj, key);
+}
+/** Read an own key off a config-like object, else undefined. Never walks the prototype chain. */
+function cfg(obj, key) {
+    return own(obj, key) ? obj[key] : undefined;
+}
+/** A short, safe preview of an arbitrary value, for violation reports. */
+function clip(s) {
+    return String(s).slice(0, 80);
+}
+/** Best-effort error message, tolerant of non-Error throws. */
+function emsg(e) {
+    return String(e?.message);
 }
-// Copy config off the caller's object, skipping keys that could pollute. Don't JSON-clone - that
-// would corrupt RegExp and functions.
+/**
+ * Copy an object's own keys, dropping the three that could pollute a prototype. Deliberately not a
+ * JSON clone: that would corrupt the RegExps and functions a sanitizer config may carry.
+ */
 function shallowCopy(obj) {
     const out = {};
     for (const k in obj) {
-        if (hasOwn.call(obj, k) && k !== '__proto__' && k !== 'constructor' && k !== 'prototype')
+        if (hasOwn.call(obj, k) && k !== '__proto__' && k !== 'constructor' && k !== 'prototype') {
             out[k] = obj[k];
+        }
     }
     return out;
 }
-// Test a URL against one or more patterns. String = substring match; RegExp = test. Used for both
-// EXCLUDE and URL_CONFIG, always against the realm's own location.href.
+/**
+ * Test a URL against one or more patterns. A string matches as a substring (the empty string never
+ * matches); a RegExp is test()ed, and a pattern that throws is treated as no match. Used for both
+ * EXCLUDE and URL_CONFIG, always against the realm's own location.href.
+ */
 function urlMatches(pattern, url) {
     if (pattern == null)
         return false;
@@ -51,24 +51,53 @@ function urlMatches(pattern, url) {
                     return true;
             }
             catch {
-                /* ignore a pattern that throws */
+                /* a pattern that throws is treated as no match */
             }
         }
     }
     return false;
 }
-// Best-effort CSP <meta> injection (opt-in). IMPORTANT: a <meta> CSP is honored only when the PARSER
-// inserts it, so document.write during the initial parse is the only path that can actually switch
-// enforcement on - and only for content parsed afterwards. A node appended after parsing is ignored by
-// the CSP engine; we still add it (harmless) but report that injection did NOT take. Returns true only
-// when written during parse.
+
+/**
+ * DOMFortify - bolt Trusted Types onto a legacy page so old DOM-XSS sinks get sanitized
+ * without touching the code. See README for the full picture; the short version:
+ *
+ *  - Claims the realm's `default` Trusted Types policy and routes every HTML sink through a
+ *    sanitizer. Script sinks (eval, javascript: URLs, script.src) are refused.
+ *  - Does NOT switch enforcement on; a CSP does (header best, `<meta>` works).
+ *  - Must load FIRST: the default policy is winner-takes-all.
+ *  - Fails closed: no sanitizer means sinks throw, never leak.
+ *  - Only covers Trusted Types sinks; inline handlers / style / URL props stay open.
+ */
+const VERSION = '0.2.0';
+// Natives captured up front, so later prototype pollution or clobbering can't swap them out.
+const root = typeof globalThis !== 'undefined' ? globalThis : window;
+const doc = typeof document !== 'undefined' ? document : undefined;
+const loc = root.location;
+const TT = root.trustedTypes;
+let installed = false;
+let cachedStatus = null;
+// --- environment probes --------------------------------------------------------------------------
+// Are we actually enforced? Under enforcement with no default policy yet, a sink write throws. Must
+// run BEFORE we install our policy, or it would always read as "off".
+function enforcementActive() {
+    try {
+        doc.createElement('div').innerHTML = 'x';
+        return false;
+    }
+    catch {
+        return true;
+    }
+}
+// Best-effort CSP <meta> injection (opt-in). A <meta> CSP is honored only when the PARSER inserts it,
+// so document.write during the initial parse is the one path that can switch enforcement on - and only
+// for content parsed afterwards. We return true only on that path. After parse we still append the node
+// (harmless) but report that it did NOT take.
 //
-// `content` is the trusted CSP directive built from config (the derived default, or META_DIRECTIVE).
-// META_DIRECTIVE is developer-controlled and is expected to be trusted, but since this path reaches
-// document.write we still strip the characters that could break out of the content="..." attribute or
-// the <meta> tag. A real CSP directive never contains ", <, >, or newlines (single quotes, e.g.
-// 'script', are kept - they are harmless inside the double-quoted attribute), so this is lossless for
-// valid input and neutralizes a hostile or malformed directive. Defense in depth.
+// `content` is the trusted directive built from config. META_DIRECTIVE is developer-controlled, but
+// because this path reaches document.write we still strip the characters that could break out of the
+// content="..." attribute. A valid directive never contains ", <, >, or newlines, so the strip is
+// lossless for good input and neutralizes a hostile or malformed one. Defense in depth.
 function injectMeta(content) {
     if (!doc)
         return false;
@@ -95,12 +124,119 @@ function injectMeta(content) {
     }
     return false;
 }
+// --- config resolution (all own-key only, so a polluted prototype can't loosen anything) ---------
+// First URL_CONFIG rule whose `match` hits, else null. Own-key reads only, so a polluted prototype
+// can neither inject a rule nor reach one.
+function selectOverride(options, url) {
+    const rules = cfg(options, 'URL_CONFIG');
+    if (!Array.isArray(rules))
+        return null;
+    for (let i = 0; i < rules.length; i++) {
+        const r = rules[i];
+        if (r && urlMatches(r.match, url))
+            return r;
+    }
+    return null;
+}
+// Normalize whatever the caller handed us into a sanitizer with a `.sanitize` method, or null.
+// DOMPurify's export is itself a callable factory that ALSO carries `.sanitize`, so we must check for
+// `.sanitize` FIRST - otherwise we'd wrap the factory and call the wrong thing. A bare function (e.g. a
+// Sanitizer-API adapter) has no `.sanitize` and falls through to the function case.
+function resolveSanitizer(raw) {
+    if (raw && typeof raw.sanitize === 'function')
+        return raw;
+    if (typeof raw === 'function')
+        return { sanitize: raw };
+    return null;
+}
+// The trusted-types directive for INJECT_META. META_DIRECTIVE wins; otherwise we list the policies
+// that will exist: our own `default`, plus `dompurify` unless a bare-function sanitizer is in use.
+function metaDirective(md, functionSanitizer) {
+    if (typeof md === 'string' && md)
+        return md;
+    const ttNames = functionSanitizer ? 'default' : 'default dompurify';
+    return `require-trusted-types-for 'script'; trusted-types ${ttNames};`;
+}
+// Exercise the sanitizer once so a broken one fails loudly here, not silently on the first real write.
+// It must return a string; anything else would inject junk into every sink.
+function smokeTest(sanitizer, config) {
+    try {
+        const out = sanitizer.sanitize('<b>x</b>', config);
+        return typeof out === 'string'
+            ? { ready: true, error: null }
+            : { ready: false, error: 'sanitize() did not return a string' };
+    }
+    catch (e) {
+        return { ready: false, error: emsg(e) };
+    }
+}
+// --- the default policy --------------------------------------------------------------------------
+// createHTML: route through the sanitizer, fail closed on any problem. `reentry` is true only while
+// the sanitizer parses our input internally (inert and synchronous), so handing the raw string back
+// is safe and keeps us alive if the sanitizer's own sink re-enters us.
+function makeSanitizeHTML(sanitizer, config, ready, report) {
+    let reentry = false;
+    return (s) => {
+        if (!ready) {
+            report('sanitizer-unavailable', { sink: 'createHTML' });
+            return null; // fail closed
+        }
+        if (reentry)
+            return s;
+        try {
+            reentry = true;
+            return sanitizer.sanitize(s, config);
+        }
+        catch (e) {
+            report('sanitize-threw', { error: emsg(e) });
+            return null; // fail closed - never hand back raw markup on error
+        }
+        finally {
+            reentry = false;
+        }
+    };
+}
+// createScript / createScriptURL: code has no safe subset, so refuse by default. A caller hook may
+// allow specific values; if it throws or returns a non-string, we refuse.
+function makeScriptHook(kind, fn, report) {
+    return (s) => {
+        if (fn) {
+            let r;
+            try {
+                r = fn(s);
+            }
+            catch (e) {
+                report('script-hook-threw', { sink: kind, error: emsg(e) });
+                return null; // fail closed
+            }
+            if (typeof r === 'string') {
+                report('script-sink-allowed', { sink: kind });
+                return r;
+            }
+        }
+        report('script-sink-refused', { sink: kind, sample: clip(s) });
+        return null;
+    };
+}
+// --- public entry point --------------------------------------------------------------------------
 function init(options = {}) {
     if (installed)
         return cachedStatus;
     installed = true;
+    // The violation reporter is observability, never control flow. Wrap it so a throwing ON_VIOLATION
+    // can neither abort init() (which would leave us installed with a null status) nor turn a
+    // fail-closed sink - one that should quietly return null - into a thrown exception.
     const onv = cfg(options, 'ON_VIOLATION');
-    const report = (typeof onv === 'function' ? onv : () => { });
+    const report = typeof onv === 'function'
+        ? (code, detail) => {
+            try {
+                onv(code, detail);
+            }
+            catch {
+                /* a misbehaving reporter must never break the policy */
+            }
+        }
+        : () => { };
     const status = {
         version: VERSION,
         ttSupported: !!TT,
@@ -115,15 +251,17 @@ function init(options = {}) {
     const done = (reason, code) => {
         status.protected = status.defaultPolicyOwned && status.enforcementActive && status.sanitizerReady;
         status.reason = reason;
-        if (code)
-            report(code, status);
+        // Freeze the snapshot first, then report it: the reporter sees exactly the authoritative status
+        // that gets cached and returned, and has no window to mutate the cached copy.
         cachedStatus = Object.freeze({ ...status });
+        if (code)
+            report(code, cachedStatus);
         return cachedStatus;
     };
     const url = loc && typeof loc.href !== 'undefined' ? String(loc.href) : '';
-    // EXCLUDE: on a matching URL, DOMFortify stays completely out of the way - no policy, no meta. It
-    // does NOT install a passthrough (that would be a silent XSS hole); under globally delivered
-    // enforcement, excluded pages are the developer's responsibility. Reported via status.excluded.
+    // EXCLUDE: on a match, stay completely out of the way - no policy, no meta. We do NOT install a
+    // passthrough (that would be a silent XSS hole); under globally delivered enforcement, excluded
+    // pages are the developer's responsibility. Reported via status.excluded.
     if (urlMatches(cfg(options, 'EXCLUDE'), url)) {
         status.excluded = true;
         return done('URL matched EXCLUDE; DOMFortify is intentionally inactive on this page.', 'excluded-by-url');
@@ -131,46 +269,24 @@ function init(options = {}) {
     if (!TT || typeof TT.createPolicy !== 'function') {
         return done('Trusted Types not supported; library is inert. Sinks are NOT routed.', 'tt-unsupported');
     }
-    // URL_CONFIG: the first rule whose `match` hits supplies per-URL overrides. `eff(key)` reads that
-    // rule's own key when present, else falls back to the base config - both own-key only, so a polluted
-    // prototype can neither inject a rule nor loosen a refusal.
-    let override = null;
-    const rules = cfg(options, 'URL_CONFIG');
-    if (Array.isArray(rules)) {
-        for (let i = 0; i < rules.length; i++) {
-            const r = rules[i];
-            if (r && urlMatches(r.match, url)) {
-                override = r;
-                break;
-            }
-        }
-    }
+    // Resolve config once. `eff(key)` reads the matching URL_CONFIG rule's own key when present, else the
+    // base config - both own-key only. Nothing is re-read later, so runtime clobbering can't retarget
+    // the policy after this point either.
+    const override = selectOverride(options, url);
     const eff = (key) => (override && own(override, key) ? override[key] : cfg(options, key));
-    // INJECT_META (opt-in, best-effort - see injectMeta and the README). We only attempt it when TT is
-    // supported; the directive lists the policies that will exist: our own `default`, plus `dompurify`
-    // unless a bare-function sanitizer (e.g. the native Sanitizer API) is in use. META_DIRECTIVE overrides.
+    // INJECT_META (opt-in, best-effort - see injectMeta and the README).
     if (cfg(options, 'INJECT_META') === true) {
-        const md = cfg(options, 'META_DIRECTIVE');
-        const ttNames = typeof eff('SANITIZER') === 'function' ? 'default' : 'default dompurify';
-        const directive = typeof md === 'string' && md ? md : `require-trusted-types-for 'script'; trusted-types ${ttNames};`;
+        const directive = metaDirective(cfg(options, 'META_DIRECTIVE'), typeof eff('SANITIZER') === 'function');
         status.metaInjected = injectMeta(directive);
         report('meta-injection-attempted', { directive, written: status.metaInjected });
     }
     status.enforcementActive = enforcementActive();
-    // Resolve config once, reading own keys only so a polluted prototype can't supply a value - and,
-    // most importantly, can't loosen a refusal. Nothing is re-read later, so runtime clobbering can't
-    // retarget the policy either. URL_CONFIG overrides are applied here via `eff`.
+    // Sanitizer: explicit SANITIZER (possibly per-URL), else window.DOMPurify. Config is forwarded
+    // verbatim as the second argument, copied to drop pollution-prone keys.
     let rawSan = eff('SANITIZER');
     if (rawSan === undefined)
         rawSan = root.DOMPurify;
-    // DOMPurify's export is itself a callable function (the factory) that also exposes `.sanitize`, so
-    // check for a `.sanitize` method FIRST - otherwise we'd wrap the factory and call the wrong thing. A
-    // bare function (e.g. a Sanitizer-API adapter) has no `.sanitize` and falls through to the function case.
-    const DP = rawSan && typeof rawSan.sanitize === 'function'
-        ? rawSan
-        : typeof rawSan === 'function'
-            ? { sanitize: rawSan }
-            : null;
+    const sanitizer = resolveSanitizer(rawSan);
     const rawCfg = eff('SANITIZER_CONFIG');
     const sanitizeConfig = rawCfg && typeof rawCfg === 'object' ? shallowCopy(rawCfg) : undefined;
     // Sink openers count only if they're own functions, so prototype pollution can never open a sink.
@@ -178,66 +294,19 @@ function init(options = {}) {
     const asuCand = eff('ALLOW_SCRIPT_URL');
     const allowScript = typeof asCand === 'function' ? asCand : null;
     const allowScriptURL = typeof asuCand === 'function' ? asuCand : null;
-    // Smoke-test once so a broken sanitizer fails loudly here, not silently on the first real write. It
-    // must return a string - a sanitizer that returns anything else would otherwise inject junk.
     let sanitizerReady = false;
-    if (DP && typeof DP.sanitize === 'function') {
-        try {
-            sanitizerReady = typeof DP.sanitize('<b>x</b>', sanitizeConfig) === 'string';
-            if (!sanitizerReady)
-                report('sanitizer-smoketest-failed', { error: 'sanitize() did not return a string' });
-        }
-        catch (e) {
-            report('sanitizer-smoketest-failed', { error: emsg(e) });
-        }
+    if (sanitizer) {
+        const result = smokeTest(sanitizer, sanitizeConfig);
+        sanitizerReady = result.ready;
+        if (!result.ready)
+            report('sanitizer-smoketest-failed', { error: result.error });
     }
     status.sanitizerReady = sanitizerReady;
-    // `reentry` is true only while the sanitizer parses our input internally - inert and synchronous - so
-    // handing the raw string straight back is safe, and keeps us alive if its own sink re-enters us.
-    let reentry = false;
-    const sanitizeHTML = (s) => {
-        if (!sanitizerReady) {
-            report('sanitizer-unavailable', { sink: 'createHTML' });
-            return null; // fail closed
-        }
-        if (reentry)
-            return s;
-        try {
-            reentry = true;
-            return DP.sanitize(s, sanitizeConfig);
-        }
-        catch (e) {
-            report('sanitize-threw', { error: emsg(e) });
-            return null; // fail closed - never hand back raw markup on error
-        }
-        finally {
-            reentry = false;
-        }
-    };
-    // Code has no safe subset, so refuse by default. A caller hook may allow specific values; if it throws
-    // or returns a non-string, we refuse.
-    const scriptHook = (kind, fn) => (s) => {
-        if (fn) {
-            let r;
-            try {
-                r = fn(s);
-            }
-            catch (e) {
-                report('script-hook-threw', { sink: kind, error: emsg(e) });
-                return null; // fail closed
-            }
-            if (typeof r === 'string') {
-                report('script-sink-allowed', { sink: kind });
-                return r;
-            }
-        }
-        report('script-sink-refused', { sink: kind, sample: clip(s) });
-        return null;
-    };
+    // createHTML closes over sanitizeConfig; the script hooks refuse unless an own-function hook allows.
     const policyDef = {
-        createHTML: sanitizeHTML,
-        createScript: scriptHook('createScript', allowScript),
-        createScriptURL: scriptHook('createScriptURL', allowScriptURL),
+        createHTML: makeSanitizeHTML(sanitizer, sanitizeConfig, sanitizerReady, report),
+        createScript: makeScriptHook('createScript', allowScript, report),
+        createScriptURL: makeScriptHook('createScriptURL', allowScriptURL, report),
     };
     // Did someone grab the default slot first? We can't evict them and won't vouch for them.
     if (TT.defaultPolicy) {
diff --git a/dist/fortify.es.mjs.map b/dist/fortify.es.mjs.map
index c28b7ab..0e1a0fa 100644
--- a/dist/fortify.es.mjs.map
+++ b/dist/fortify.es.mjs.map
@@ -1 +1 @@
-{"version":3,"file":"fortify.es.mjs","sources":["../src/fortify.ts"],"sourcesContent":[null],"names":[],"mappings":";AAuBA,MAAM,OAAO,GAAG,OAAa;AAO7B;AACA,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,cAAc;AAC9C,MAAM,IAAI,GACR,OAAO,UAAU,KAAK,WAAW,GAAG,UAAU,GAAI,MAAuC;AAC3F,MAAM,GAAG,GAAyB,OAAO,QAAQ,KAAK,WAAW,GAAG,QAAQ,GAAG,SAAS;AACxF,MAAM,GAAG,GAAoC,IAAqD,CAAC,QAAQ;AAE3G,MAAM,GAAG,GAAG,CAAC,GAAY,EAAE,GAAW,KAAc,GAAG,IAAI,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC;AACxF,MAAM,GAAG,GAAG,CAAC,GAAY,EAAE,GAAW,MAAe,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,GAAI,GAA+B,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC;AACvH,MAAM,IAAI,GAAG,CAAC,CAAU,KAAa,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;AAC3D,MAAM,IAAI,GAAG,CAAC,CAAU,KAAa,MAAM,CAAE,CAAuC,EAAE,OAAO,CAAC;AAE9F,MAAM,EAAE,GAAI,IAAgD,CAAC,YAAY;AAEzE,IAAI,SAAS,GAAG,KAAK;AACrB,IAAI,YAAY,GAAsC,IAAI;AAE1D;AACA;AACA,SAAS,iBAAiB,GAAA;AACxB,IAAA,IAAI;QACD,GAAgB,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,SAAS,GAAG,GAAG;AACtD,QAAA,OAAO,KAAK;IACd;AAAE,IAAA,MAAM;AACN,QAAA,OAAO,IAAI;IACb;AACF;AAEA;AACA;AACA,SAAS,WAAW,CAAC,GAA4B,EAAA;IAC/C,MAAM,GAAG,GAA4B,EAAE;AACvC,IAAA,KAAK,MAAM,CAAC,IAAI,GAAG,EAAE;AACnB,QAAA,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,WAAW,IAAI,CAAC,KAAK,aAAa,IAAI,CAAC,KAAK,WAAW;YAAE,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;IAC3G;AACA,IAAA,OAAO,GAAG;AACZ;AAEA;AACA;AACA,SAAS,UAAU,CAAC,OAA8C,EAAE,GAAW,EAAA;IAC7E,IAAI,OAAO,IAAI,IAAI;AAAE,QAAA,OAAO,KAAK;AACjC,IAAA,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,CAAC,OAAO,CAAC;AACzD,IAAA,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;AACpC,QAAA,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;AACjB,QAAA,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE;AACzB,YAAA,IAAI,CAAC,KAAK,EAAE,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,EAAE;AAAE,gBAAA,OAAO,IAAI;QACpD;AAAO,aAAA,IAAI,CAAC,YAAY,MAAM,EAAE;AAC9B,YAAA,IAAI;AACF,gBAAA,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;AAAE,oBAAA,OAAO,IAAI;YAC9B;AAAE,YAAA,MAAM;;YAER;QACF;IACF;AACA,IAAA,OAAO,KAAK;AACd;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,UAAU,CAAC,OAAe,EAAA;AACjC,IAAA,IAAI,CAAC,GAAG;AAAE,QAAA,OAAO,KAAK;IACtB,MAAM,CAAC,GAAG,GAAsE;IAChF,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC;AAC9C,IAAA,MAAM,GAAG,GAAG,sDAAsD,GAAG,IAAI,GAAG,IAAI;AAChF,IAAA,IAAI,CAAC,CAAC,UAAU,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,UAAU,EAAE;AAC/D,QAAA,IAAI;AACF,YAAA,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC;AACZ,YAAA,OAAO,IAAI;QACb;AAAE,QAAA,MAAM;;QAER;IACF;AACA,IAAA,IAAI;QACF,MAAM,CAAC,GAAG,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC;AACjC,QAAA,CAAC,CAAC,YAAY,CAAC,YAAY,EAAE,yBAAyB,CAAC;AACvD,QAAA,CAAC,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC;AAClC,QAAA,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC,CAAC;IAC9C;AAAE,IAAA,MAAM;;IAER;AACA,IAAA,OAAO,KAAK;AACd;AAEM,SAAU,IAAI,CAAC,OAAA,GAA4B,EAAE,EAAA;AACjD,IAAA,IAAI,SAAS;AAAE,QAAA,OAAO,YAA0C;IAChE,SAAS,GAAG,IAAI;IAEhB,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,EAAE,cAAc,CAAC;AACxC,IAAA,MAAM,MAAM,IAAI,OAAO,GAAG,KAAK,UAAU,GAAG,GAAG,GAAG,MAAK,EAAE,CAAC,CAAoD;AAE9G,IAAA,MAAM,MAAM,GAAqB;AAC/B,QAAA,OAAO,EAAE,OAAO;QAChB,WAAW,EAAE,CAAC,CAAC,EAAE;AACjB,QAAA,iBAAiB,EAAE,KAAK;AACxB,QAAA,kBAAkB,EAAE,KAAK;AACzB,QAAA,cAAc,EAAE,KAAK;AACrB,QAAA,QAAQ,EAAE,KAAK;AACf,QAAA,YAAY,EAAE,KAAK;AACnB,QAAA,SAAS,EAAE,KAAK;AAChB,QAAA,MAAM,EAAE,EAAE;KACX;AACD,IAAA,MAAM,IAAI,GAAG,CAAC,MAAc,EAAE,IAAoB,KAAgC;AAChF,QAAA,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC,iBAAiB,IAAI,MAAM,CAAC,cAAc;AACjG,QAAA,MAAM,CAAC,MAAM,GAAG,MAAM;AACtB,QAAA,IAAI,IAAI;AAAE,YAAA,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC;QAC9B,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,MAAM,EAAE,CAAC;AAC3C,QAAA,OAAO,YAAY;AACrB,IAAA,CAAC;IAED,MAAM,GAAG,GAAG,GAAG,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE;;;;AAK1E,IAAA,IAAI,UAAU,CAAC,GAAG,CAAC,OAAO,EAAE,SAAS,CAA0C,EAAE,GAAG,CAAC,EAAE;AACrF,QAAA,MAAM,CAAC,QAAQ,GAAG,IAAI;AACtB,QAAA,OAAO,IAAI,CAAC,yEAAyE,EAAE,iBAAiB,CAAC;IAC3G;IAEA,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,CAAC,YAAY,KAAK,UAAU,EAAE;AAChD,QAAA,OAAO,IAAI,CAAC,sEAAsE,EAAE,gBAAgB,CAAC;IACvG;;;;IAKA,IAAI,QAAQ,GAAmC,IAAI;IACnD,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,EAAE,YAAY,CAAC;AACxC,IAAA,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;AACxB,QAAA,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;AACrC,YAAA,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAA8B;YAC/C,IAAI,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE;gBACjC,QAAQ,GAAG,CAAuC;gBAClD;YACF;QACF;IACF;AACA,IAAA,MAAM,GAAG,GAAG,CAAC,GAAW,MAAe,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;;;;IAK1G,IAAI,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC,KAAK,IAAI,EAAE;QACxC,MAAM,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,gBAAgB,CAAC;AACzC,QAAA,MAAM,OAAO,GAAG,OAAO,GAAG,CAAC,WAAW,CAAC,KAAK,UAAU,GAAG,SAAS,GAAG,mBAAmB;AACxF,QAAA,MAAM,SAAS,GACb,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,GAAG,EAAE,GAAG,CAAA,kDAAA,EAAqD,OAAO,GAAG;AACrG,QAAA,MAAM,CAAC,YAAY,GAAG,UAAU,CAAC,SAAS,CAAC;AAC3C,QAAA,MAAM,CAAC,0BAA0B,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,CAAC,YAAY,EAAE,CAAC;IACjF;AAEA,IAAA,MAAM,CAAC,iBAAiB,GAAG,iBAAiB,EAAE;;;;AAK9C,IAAA,IAAI,MAAM,GAAY,GAAG,CAAC,WAAW,CAAC;IACtC,IAAI,MAAM,KAAK,SAAS;AAAE,QAAA,MAAM,GAAI,IAA2C,CAAC,SAAS;;;;IAIzF,MAAM,EAAE,GACN,MAAM,IAAI,OAAQ,MAAoB,CAAC,QAAQ,KAAK;AAClD,UAAG;AACH,UAAE,OAAO,MAAM,KAAK;AAClB,cAAE,EAAE,QAAQ,EAAE,MAAoB;cAChC,IAAI;AACZ,IAAA,MAAM,MAAM,GAAG,GAAG,CAAC,kBAAkB,CAAC;AACtC,IAAA,MAAM,cAAc,GAClB,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,GAAG,WAAW,CAAC,MAAiC,CAAC,GAAG,SAAS;;AAGnG,IAAA,MAAM,MAAM,GAAG,GAAG,CAAC,cAAc,CAAC;AAClC,IAAA,MAAM,OAAO,GAAG,GAAG,CAAC,kBAAkB,CAAC;AACvC,IAAA,MAAM,WAAW,GAAG,OAAO,MAAM,KAAK,UAAU,GAAI,MAAqB,GAAG,IAAI;AAChF,IAAA,MAAM,cAAc,GAAG,OAAO,OAAO,KAAK,UAAU,GAAI,OAAsB,GAAG,IAAI;;;IAIrF,IAAI,cAAc,GAAG,KAAK;IAC1B,IAAI,EAAE,IAAI,OAAO,EAAE,CAAC,QAAQ,KAAK,UAAU,EAAE;AAC3C,QAAA,IAAI;AACF,YAAA,cAAc,GAAG,OAAO,EAAE,CAAC,QAAQ,CAAC,UAAU,EAAE,cAAc,CAAC,KAAK,QAAQ;AAC5E,YAAA,IAAI,CAAC,cAAc;gBAAE,MAAM,CAAC,4BAA4B,EAAE,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC;QAC5G;QAAE,OAAO,CAAC,EAAE;AACV,YAAA,MAAM,CAAC,4BAA4B,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1D;IACF;AACA,IAAA,MAAM,CAAC,cAAc,GAAG,cAAc;;;IAItC,IAAI,OAAO,GAAG,KAAK;AACnB,IAAA,MAAM,YAAY,GAAG,CAAC,CAAS,KAAmB;QAChD,IAAI,CAAC,cAAc,EAAE;YACnB,MAAM,CAAC,uBAAuB,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC;YACvD,OAAO,IAAI,CAAC;QACd;AACA,QAAA,IAAI,OAAO;AAAE,YAAA,OAAO,CAAC;AACrB,QAAA,IAAI;YACF,OAAO,GAAG,IAAI;YACd,OAAQ,EAAgB,CAAC,QAAQ,CAAC,CAAC,EAAE,cAAc,CAAW;QAChE;QAAE,OAAO,CAAC,EAAE;AACV,YAAA,MAAM,CAAC,gBAAgB,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC;QACd;gBAAU;YACR,OAAO,GAAG,KAAK;QACjB;AACF,IAAA,CAAC;;;AAID,IAAA,MAAM,UAAU,GACd,CAAC,IAAwC,EAAE,EAAqB,KAChE,CAAC,CAAS,KAAmB;QAC3B,IAAI,EAAE,EAAE;AACN,YAAA,IAAI,CAAU;AACd,YAAA,IAAI;AACF,gBAAA,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;YACX;YAAE,OAAO,CAAC,EAAE;AACV,gBAAA,MAAM,CAAC,mBAAmB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC3D,OAAO,IAAI,CAAC;YACd;AACA,YAAA,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE;gBACzB,MAAM,CAAC,qBAAqB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AAC7C,gBAAA,OAAO,CAAC;YACV;QACF;AACA,QAAA,MAAM,CAAC,qBAAqB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;AAC9D,QAAA,OAAO,IAAI;AACb,IAAA,CAAC;AAEH,IAAA,MAAM,SAAS,GAAG;AAChB,QAAA,UAAU,EAAE,YAAY;AACxB,QAAA,YAAY,EAAE,UAAU,CAAC,cAAc,EAAE,WAAW,CAAC;AACrD,QAAA,eAAe,EAAE,UAAU,CAAC,iBAAiB,EAAE,cAAc,CAAC;KAC/D;;AAGD,IAAA,IAAI,EAAE,CAAC,aAAa,EAAE;QACpB,OAAO,IAAI,CACT,qGAAqG;YACnG,0CAA0C,EAC5C,4BAA4B,CAC7B;IACH;AAEA,IAAA,IAAI,IAAa;AACjB,IAAA,IAAI;QACF,IAAI,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9C;IAAE,OAAO,CAAC,EAAE;;QAEV,OAAO,IAAI,CACT,CAAA,+BAAA,EAAkC,IAAI,CAAC,CAAC,CAAC,CAAA,uCAAA,CAAyC,EAClF,qBAAqB,CACtB;IACH;;IAGA,IAAI,EAAE,CAAC,aAAa,IAAI,EAAE,CAAC,aAAa,KAAK,IAAI,EAAE;QACjD,OAAO,IAAI,CACT,qFAAqF;YACnF,6DAA6D,EAC/D,2BAA2B,CAC5B;IACH;AAEA,IAAA,MAAM,CAAC,kBAAkB,GAAG,IAAI;AAEhC,IAAA,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE;QAC7B,OAAO,IAAI,CACT,qGAAqG;YACnG,uDAAuD,EACzD,sBAAsB,CACvB;IACH;IACA,IAAI,CAAC,cAAc,EAAE;QACnB,OAAO,IAAI,CACT,+FAA+F;YAC7F,mEAAmE,EACrE,gBAAgB,CACjB;IACH;AACA,IAAA,OAAO,IAAI,CACT,CAAA,2CAAA,EAA8C,WAAW,IAAI,cAAc,GAAG,yBAAyB,GAAG,SAAS,CAAA,CAAA,CAAG,CACvH;AACH;SAEgB,MAAM,GAAA;AACpB,IAAA,OAAO,YAAY;AACrB;AAEO,MAAM,UAAU,GAAkB,MAAM,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE;;;;"}
\ No newline at end of file
+{"version":3,"file":"fortify.es.mjs","sources":["../src/internal.ts","../src/fortify.ts"],"sourcesContent":[null,null],"names":[],"mappings":";AAOA;AACA,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,cAAc;AAE9C;AACM,SAAU,GAAG,CAAC,GAAY,EAAE,GAAW,EAAA;AAC3C,IAAA,OAAO,GAAG,IAAI,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC;AAC7C;AAEA;AACM,SAAU,GAAG,CAAC,GAAY,EAAE,GAAW,EAAA;AAC3C,IAAA,OAAO,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,GAAI,GAA+B,CAAC,GAAG,CAAC,GAAG,SAAS;AAC1E;AAEA;AACM,SAAU,IAAI,CAAC,CAAU,EAAA;IAC7B,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;AAC/B;AAEA;AACM,SAAU,IAAI,CAAC,CAAU,EAAA;AAC7B,IAAA,OAAO,MAAM,CAAE,CAAuC,EAAE,OAAO,CAAC;AAClE;AAEA;;;AAGG;AACG,SAAU,WAAW,CAAC,GAA4B,EAAA;IACtD,MAAM,GAAG,GAA4B,EAAE;AACvC,IAAA,KAAK,MAAM,CAAC,IAAI,GAAG,EAAE;QACnB,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,WAAW,IAAI,CAAC,KAAK,aAAa,IAAI,CAAC,KAAK,WAAW,EAAE;YACxF,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;QACjB;IACF;AACA,IAAA,OAAO,GAAG;AACZ;AAEA;;;;AAIG;AACG,SAAU,UAAU,CAAC,OAA8C,EAAE,GAAW,EAAA;IACpF,IAAI,OAAO,IAAI,IAAI;AAAE,QAAA,OAAO,KAAK;AACjC,IAAA,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,CAAC,OAAO,CAAC;AACzD,IAAA,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;AACpC,QAAA,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;AACjB,QAAA,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE;AACzB,YAAA,IAAI,CAAC,KAAK,EAAE,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,EAAE;AAAE,gBAAA,OAAO,IAAI;QACpD;AAAO,aAAA,IAAI,CAAC,YAAY,MAAM,EAAE;AAC9B,YAAA,IAAI;AACF,gBAAA,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;AAAE,oBAAA,OAAO,IAAI;YAC9B;AAAE,YAAA,MAAM;;YAER;QACF;IACF;AACA,IAAA,OAAO,KAAK;AACd;;ACjEA;;;;;;;;;;AAUG;AAcH,MAAM,OAAO,GAAG,OAAa;AAS7B;AACA,MAAM,IAAI,GACR,OAAO,UAAU,KAAK,WAAW,GAAG,UAAU,GAAI,MAAuC;AAC3F,MAAM,GAAG,GAAyB,OAAO,QAAQ,KAAK,WAAW,GAAG,QAAQ,GAAG,SAAS;AACxF,MAAM,GAAG,GAAoC,IAAqD,CAAC,QAAQ;AAC3G,MAAM,EAAE,GAAI,IAAgD,CAAC,YAAY;AAEzE,IAAI,SAAS,GAAG,KAAK;AACrB,IAAI,YAAY,GAAsC,IAAI;AAE1D;AAEA;AACA;AACA,SAAS,iBAAiB,GAAA;AACxB,IAAA,IAAI;QACD,GAAgB,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,SAAS,GAAG,GAAG;AACtD,QAAA,OAAO,KAAK;IACd;AAAE,IAAA,MAAM;AACN,QAAA,OAAO,IAAI;IACb;AACF;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,UAAU,CAAC,OAAe,EAAA;AACjC,IAAA,IAAI,CAAC,GAAG;AAAE,QAAA,OAAO,KAAK;IACtB,MAAM,CAAC,GAAG,GAAsE;IAChF,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC;AAC9C,IAAA,MAAM,GAAG,GAAG,sDAAsD,GAAG,IAAI,GAAG,IAAI;AAChF,IAAA,IAAI,CAAC,CAAC,UAAU,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,UAAU,EAAE;AAC/D,QAAA,IAAI;AACF,YAAA,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC;AACZ,YAAA,OAAO,IAAI;QACb;AAAE,QAAA,MAAM;;QAER;IACF;AACA,IAAA,IAAI;QACF,MAAM,CAAC,GAAG,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC;AACjC,QAAA,CAAC,CAAC,YAAY,CAAC,YAAY,EAAE,yBAAyB,CAAC;AACvD,QAAA,CAAC,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC;AAClC,QAAA,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC,CAAC;IAC9C;AAAE,IAAA,MAAM;;IAER;AACA,IAAA,OAAO,KAAK;AACd;AAEA;AAEA;AACA;AACA,SAAS,cAAc,CAAC,OAAyB,EAAE,GAAW,EAAA;IAC5D,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,EAAE,YAAY,CAAC;AACxC,IAAA,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;AAAE,QAAA,OAAO,IAAI;AACtC,IAAA,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;AACrC,QAAA,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAA8B;QAC/C,IAAI,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,KAAK,EAAE,GAAG,CAAC;AAAE,YAAA,OAAO,CAAuC;IACnF;AACA,IAAA,OAAO,IAAI;AACb;AAEA;AACA;AACA;AACA;AACA,SAAS,gBAAgB,CAAC,GAAY,EAAA;AACpC,IAAA,IAAI,GAAG,IAAI,OAAQ,GAAiB,CAAC,QAAQ,KAAK,UAAU;AAAE,QAAA,OAAO,GAAgB;IACrF,IAAI,OAAO,GAAG,KAAK,UAAU;AAAE,QAAA,OAAO,EAAE,QAAQ,EAAE,GAAiB,EAAE;AACrE,IAAA,OAAO,IAAI;AACb;AAEA;AACA;AACA,SAAS,aAAa,CAAC,EAAW,EAAE,iBAA0B,EAAA;AAC5D,IAAA,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE;AAAE,QAAA,OAAO,EAAE;IAC3C,MAAM,OAAO,GAAG,iBAAiB,GAAG,SAAS,GAAG,mBAAmB;IACnE,OAAO,CAAA,kDAAA,EAAqD,OAAO,CAAA,CAAA,CAAG;AACxE;AAEA;AACA;AACA,SAAS,SAAS,CAAC,SAAoB,EAAE,MAAe,EAAA;AACtD,IAAA,IAAI;QACF,MAAM,GAAG,GAAG,SAAS,CAAC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;QAClD,OAAO,OAAO,GAAG,KAAK;cAClB,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI;cAC1B,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,oCAAoC,EAAE;IACnE;IAAE,OAAO,CAAC,EAAE;AACV,QAAA,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE;IACzC;AACF;AAEA;AAEA;AACA;AACA;AACA,SAAS,gBAAgB,CACvB,SAA2B,EAC3B,MAAe,EACf,KAAc,EACd,MAAc,EAAA;IAEd,IAAI,OAAO,GAAG,KAAK;IACnB,OAAO,CAAC,CAAS,KAAmB;QAClC,IAAI,CAAC,KAAK,EAAE;YACV,MAAM,CAAC,uBAAuB,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC;YACvD,OAAO,IAAI,CAAC;QACd;AACA,QAAA,IAAI,OAAO;AAAE,YAAA,OAAO,CAAC;AACrB,QAAA,IAAI;YACF,OAAO,GAAG,IAAI;YACd,OAAQ,SAAuB,CAAC,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAW;QAC/D;QAAE,OAAO,CAAC,EAAE;AACV,YAAA,MAAM,CAAC,gBAAgB,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC;QACd;gBAAU;YACR,OAAO,GAAG,KAAK;QACjB;AACF,IAAA,CAAC;AACH;AAEA;AACA;AACA,SAAS,cAAc,CACrB,IAAwC,EACxC,EAAqB,EACrB,MAAc,EAAA;IAEd,OAAO,CAAC,CAAS,KAAmB;QAClC,IAAI,EAAE,EAAE;AACN,YAAA,IAAI,CAAU;AACd,YAAA,IAAI;AACF,gBAAA,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;YACX;YAAE,OAAO,CAAC,EAAE;AACV,gBAAA,MAAM,CAAC,mBAAmB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC3D,OAAO,IAAI,CAAC;YACd;AACA,YAAA,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE;gBACzB,MAAM,CAAC,qBAAqB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AAC7C,gBAAA,OAAO,CAAC;YACV;QACF;AACA,QAAA,MAAM,CAAC,qBAAqB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;AAC9D,QAAA,OAAO,IAAI;AACb,IAAA,CAAC;AACH;AAEA;AAEM,SAAU,IAAI,CAAC,OAAA,GAA4B,EAAE,EAAA;AACjD,IAAA,IAAI,SAAS;AAAE,QAAA,OAAO,YAA0C;IAChE,SAAS,GAAG,IAAI;;;;IAKhB,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,EAAE,cAAc,CAAC;AACxC,IAAA,MAAM,MAAM,GACV,OAAO,GAAG,KAAK;AACb,UAAE,CAAC,IAAI,EAAE,MAAM,KAAI;AACf,YAAA,IAAI;AACD,gBAAA,GAAc,CAAC,IAAI,EAAE,MAAM,CAAC;YAC/B;AAAE,YAAA,MAAM;;YAER;QACF;AACF,UAAE,MAAK,EAAE,CAAC;AAEd,IAAA,MAAM,MAAM,GAAqB;AAC/B,QAAA,OAAO,EAAE,OAAO;QAChB,WAAW,EAAE,CAAC,CAAC,EAAE;AACjB,QAAA,iBAAiB,EAAE,KAAK;AACxB,QAAA,kBAAkB,EAAE,KAAK;AACzB,QAAA,cAAc,EAAE,KAAK;AACrB,QAAA,QAAQ,EAAE,KAAK;AACf,QAAA,YAAY,EAAE,KAAK;AACnB,QAAA,SAAS,EAAE,KAAK;AAChB,QAAA,MAAM,EAAE,EAAE;KACX;AACD,IAAA,MAAM,IAAI,GAAG,CAAC,MAAc,EAAE,IAAoB,KAAgC;AAChF,QAAA,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC,iBAAiB,IAAI,MAAM,CAAC,cAAc;AACjG,QAAA,MAAM,CAAC,MAAM,GAAG,MAAM;;;QAGtB,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,MAAM,EAAE,CAAC;AAC3C,QAAA,IAAI,IAAI;AAAE,YAAA,MAAM,CAAC,IAAI,EAAE,YAAY,CAAC;AACpC,QAAA,OAAO,YAAY;AACrB,IAAA,CAAC;IAED,MAAM,GAAG,GAAG,GAAG,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE;;;;AAK1E,IAAA,IAAI,UAAU,CAAC,GAAG,CAAC,OAAO,EAAE,SAAS,CAA0C,EAAE,GAAG,CAAC,EAAE;AACrF,QAAA,MAAM,CAAC,QAAQ,GAAG,IAAI;AACtB,QAAA,OAAO,IAAI,CAAC,yEAAyE,EAAE,iBAAiB,CAAC;IAC3G;IAEA,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,CAAC,YAAY,KAAK,UAAU,EAAE;AAChD,QAAA,OAAO,IAAI,CAAC,sEAAsE,EAAE,gBAAgB,CAAC;IACvG;;;;IAKA,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC;AAC7C,IAAA,MAAM,GAAG,GAAG,CAAC,GAAW,MAAe,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;;IAG1G,IAAI,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC,KAAK,IAAI,EAAE;AACxC,QAAA,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,OAAO,EAAE,gBAAgB,CAAC,EAAE,OAAO,GAAG,CAAC,WAAW,CAAC,KAAK,UAAU,CAAC;AACvG,QAAA,MAAM,CAAC,YAAY,GAAG,UAAU,CAAC,SAAS,CAAC;AAC3C,QAAA,MAAM,CAAC,0BAA0B,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,CAAC,YAAY,EAAE,CAAC;IACjF;AAEA,IAAA,MAAM,CAAC,iBAAiB,GAAG,iBAAiB,EAAE;;;AAI9C,IAAA,IAAI,MAAM,GAAY,GAAG,CAAC,WAAW,CAAC;IACtC,IAAI,MAAM,KAAK,SAAS;AAAE,QAAA,MAAM,GAAI,IAA2C,CAAC,SAAS;AACzF,IAAA,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC;AAC1C,IAAA,MAAM,MAAM,GAAG,GAAG,CAAC,kBAAkB,CAAC;AACtC,IAAA,MAAM,cAAc,GAClB,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,GAAG,WAAW,CAAC,MAAiC,CAAC,GAAG,SAAS;;AAGnG,IAAA,MAAM,MAAM,GAAG,GAAG,CAAC,cAAc,CAAC;AAClC,IAAA,MAAM,OAAO,GAAG,GAAG,CAAC,kBAAkB,CAAC;AACvC,IAAA,MAAM,WAAW,GAAG,OAAO,MAAM,KAAK,UAAU,GAAI,MAAqB,GAAG,IAAI;AAChF,IAAA,MAAM,cAAc,GAAG,OAAO,OAAO,KAAK,UAAU,GAAI,OAAsB,GAAG,IAAI;IAErF,IAAI,cAAc,GAAG,KAAK;IAC1B,IAAI,SAAS,EAAE;QACb,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,EAAE,cAAc,CAAC;AACnD,QAAA,cAAc,GAAG,MAAM,CAAC,KAAK;QAC7B,IAAI,CAAC,MAAM,CAAC,KAAK;YAAE,MAAM,CAAC,4BAA4B,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC;IAClF;AACA,IAAA,MAAM,CAAC,cAAc,GAAG,cAAc;;AAGtC,IAAA,MAAM,SAAS,GAAG;QAChB,UAAU,EAAE,gBAAgB,CAAC,SAAS,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,CAAC;QAC/E,YAAY,EAAE,cAAc,CAAC,cAAc,EAAE,WAAW,EAAE,MAAM,CAAC;QACjE,eAAe,EAAE,cAAc,CAAC,iBAAiB,EAAE,cAAc,EAAE,MAAM,CAAC;KAC3E;;AAGD,IAAA,IAAI,EAAE,CAAC,aAAa,EAAE;QACpB,OAAO,IAAI,CACT,qGAAqG;YACnG,0CAA0C,EAC5C,4BAA4B,CAC7B;IACH;AAEA,IAAA,IAAI,IAAa;AACjB,IAAA,IAAI;QACF,IAAI,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9C;IAAE,OAAO,CAAC,EAAE;;QAEV,OAAO,IAAI,CACT,CAAA,+BAAA,EAAkC,IAAI,CAAC,CAAC,CAAC,CAAA,uCAAA,CAAyC,EAClF,qBAAqB,CACtB;IACH;;IAGA,IAAI,EAAE,CAAC,aAAa,IAAI,EAAE,CAAC,aAAa,KAAK,IAAI,EAAE;QACjD,OAAO,IAAI,CACT,qFAAqF;YACnF,6DAA6D,EAC/D,2BAA2B,CAC5B;IACH;AAEA,IAAA,MAAM,CAAC,kBAAkB,GAAG,IAAI;AAEhC,IAAA,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE;QAC7B,OAAO,IAAI,CACT,qGAAqG;YACnG,uDAAuD,EACzD,sBAAsB,CACvB;IACH;IACA,IAAI,CAAC,cAAc,EAAE;QACnB,OAAO,IAAI,CACT,+FAA+F;YAC7F,mEAAmE,EACrE,gBAAgB,CACjB;IACH;AACA,IAAA,OAAO,IAAI,CACT,CAAA,2CAAA,EAA8C,WAAW,IAAI,cAAc,GAAG,yBAAyB,GAAG,SAAS,CAAA,CAAA,CAAG,CACvH;AACH;SAEgB,MAAM,GAAA;AACpB,IAAA,OAAO,YAAY;AACrB;AAEO,MAAM,UAAU,GAAkB,MAAM,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE;;;;"}
\ No newline at end of file
diff --git a/dist/fortify.js b/dist/fortify.js
index afa7c59..99cd7aa 100644
--- a/dist/fortify.js
+++ b/dist/fortify.js
@@ -1,43 +1,43 @@
-/*! DOMFortify 0.1.0 | (c) Cure53 and contributors | (MPL-2.0 OR Apache-2.0) */
+/*! DOMFortify 0.2.0 | (c) Cure53 and contributors | (MPL-2.0 OR Apache-2.0) */
 (function () {
     'use strict';
 
-    const VERSION = '0.1.0';
-    // Grab natives up front so later prototype-pollution or clobbering can't swap them out.
+    // Cached up front so later prototype pollution or clobbering can't swap hasOwnProperty out.
     const hasOwn = Object.prototype.hasOwnProperty;
-    const root = typeof globalThis !== 'undefined' ? globalThis : window;
-    const doc = typeof document !== 'undefined' ? document : undefined;
-    const loc = root.location;
-    const own = (obj, key) => obj != null && hasOwn.call(obj, key);
-    const cfg = (obj, key) => (own(obj, key) ? obj[key] : undefined);
-    const clip = (s) => String(s).slice(0, 80);
-    const emsg = (e) => String(e?.message);
-    const TT = root.trustedTypes;
-    let installed = false;
-    let cachedStatus = null;
-    // Are we actually enforced? Under enforcement with no default policy yet, a sink write throws.
-    // Run this BEFORE we install our policy, or it would always read as "off".
-    function enforcementActive() {
-        try {
-            doc.createElement('div').innerHTML = 'x';
-            return false;
-        }
-        catch {
-            return true;
-        }
+    /** True only for an own (non-inherited) property, so a polluted prototype is never consulted. */
+    function own(obj, key) {
+        return obj != null && hasOwn.call(obj, key);
+    }
+    /** Read an own key off a config-like object, else undefined. Never walks the prototype chain. */
+    function cfg(obj, key) {
+        return own(obj, key) ? obj[key] : undefined;
+    }
+    /** A short, safe preview of an arbitrary value, for violation reports. */
+    function clip(s) {
+        return String(s).slice(0, 80);
+    }
+    /** Best-effort error message, tolerant of non-Error throws. */
+    function emsg(e) {
+        return String(e?.message);
     }
-    // Copy config off the caller's object, skipping keys that could pollute. Don't JSON-clone - that
-    // would corrupt RegExp and functions.
+    /**
+     * Copy an object's own keys, dropping the three that could pollute a prototype. Deliberately not a
+     * JSON clone: that would corrupt the RegExps and functions a sanitizer config may carry.
+     */
     function shallowCopy(obj) {
         const out = {};
         for (const k in obj) {
-            if (hasOwn.call(obj, k) && k !== '__proto__' && k !== 'constructor' && k !== 'prototype')
+            if (hasOwn.call(obj, k) && k !== '__proto__' && k !== 'constructor' && k !== 'prototype') {
                 out[k] = obj[k];
+            }
         }
         return out;
     }
-    // Test a URL against one or more patterns. String = substring match; RegExp = test. Used for both
-    // EXCLUDE and URL_CONFIG, always against the realm's own location.href.
+    /**
+     * Test a URL against one or more patterns. A string matches as a substring (the empty string never
+     * matches); a RegExp is test()ed, and a pattern that throws is treated as no match. Used for both
+     * EXCLUDE and URL_CONFIG, always against the realm's own location.href.
+     */
     function urlMatches(pattern, url) {
         if (pattern == null)
             return false;
@@ -54,24 +54,53 @@
                         return true;
                 }
                 catch {
-                    /* ignore a pattern that throws */
+                    /* a pattern that throws is treated as no match */
                 }
             }
         }
         return false;
     }
-    // Best-effort CSP <meta> injection (opt-in). IMPORTANT: a <meta> CSP is honored only when the PARSER
-    // inserts it, so document.write during the initial parse is the only path that can actually switch
-    // enforcement on - and only for content parsed afterwards. A node appended after parsing is ignored by
-    // the CSP engine; we still add it (harmless) but report that injection did NOT take. Returns true only
-    // when written during parse.
+
+    /**
+     * DOMFortify - bolt Trusted Types onto a legacy page so old DOM-XSS sinks get sanitized
+     * without touching the code. See README for the full picture; the short version:
+     *
+     *  - Claims the realm's `default` Trusted Types policy and routes every HTML sink through a
+     *    sanitizer. Script sinks (eval, javascript: URLs, script.src) are refused.
+     *  - Does NOT switch enforcement on; a CSP does (header best, `<meta>` works).
+     *  - Must load FIRST: the default policy is winner-takes-all.
+     *  - Fails closed: no sanitizer means sinks throw, never leak.
+     *  - Only covers Trusted Types sinks; inline handlers / style / URL props stay open.
+     */
+    const VERSION = '0.2.0';
+    // Natives captured up front, so later prototype pollution or clobbering can't swap them out.
+    const root = typeof globalThis !== 'undefined' ? globalThis : window;
+    const doc = typeof document !== 'undefined' ? document : undefined;
+    const loc = root.location;
+    const TT = root.trustedTypes;
+    let installed = false;
+    let cachedStatus = null;
+    // --- environment probes --------------------------------------------------------------------------
+    // Are we actually enforced? Under enforcement with no default policy yet, a sink write throws. Must
+    // run BEFORE we install our policy, or it would always read as "off".
+    function enforcementActive() {
+        try {
+            doc.createElement('div').innerHTML = 'x';
+            return false;
+        }
+        catch {
+            return true;
+        }
+    }
+    // Best-effort CSP <meta> injection (opt-in). A <meta> CSP is honored only when the PARSER inserts it,
+    // so document.write during the initial parse is the one path that can switch enforcement on - and only
+    // for content parsed afterwards. We return true only on that path. After parse we still append the node
+    // (harmless) but report that it did NOT take.
     //
-    // `content` is the trusted CSP directive built from config (the derived default, or META_DIRECTIVE).
-    // META_DIRECTIVE is developer-controlled and is expected to be trusted, but since this path reaches
-    // document.write we still strip the characters that could break out of the content="..." attribute or
-    // the <meta> tag. A real CSP directive never contains ", <, >, or newlines (single quotes, e.g.
-    // 'script', are kept - they are harmless inside the double-quoted attribute), so this is lossless for
-    // valid input and neutralizes a hostile or malformed directive. Defense in depth.
+    // `content` is the trusted directive built from config. META_DIRECTIVE is developer-controlled, but
+    // because this path reaches document.write we still strip the characters that could break out of the
+    // content="..." attribute. A valid directive never contains ", <, >, or newlines, so the strip is
+    // lossless for good input and neutralizes a hostile or malformed one. Defense in depth.
     function injectMeta(content) {
         if (!doc)
             return false;
@@ -98,12 +127,119 @@
         }
         return false;
     }
+    // --- config resolution (all own-key only, so a polluted prototype can't loosen anything) ---------
+    // First URL_CONFIG rule whose `match` hits, else null. Own-key reads only, so a polluted prototype
+    // can neither inject a rule nor reach one.
+    function selectOverride(options, url) {
+        const rules = cfg(options, 'URL_CONFIG');
+        if (!Array.isArray(rules))
+            return null;
+        for (let i = 0; i < rules.length; i++) {
+            const r = rules[i];
+            if (r && urlMatches(r.match, url))
+                return r;
+        }
+        return null;
+    }
+    // Normalize whatever the caller handed us into a sanitizer with a `.sanitize` method, or null.
+    // DOMPurify's export is itself a callable factory that ALSO carries `.sanitize`, so we must check for
+    // `.sanitize` FIRST - otherwise we'd wrap the factory and call the wrong thing. A bare function (e.g. a
+    // Sanitizer-API adapter) has no `.sanitize` and falls through to the function case.
+    function resolveSanitizer(raw) {
+        if (raw && typeof raw.sanitize === 'function')
+            return raw;
+        if (typeof raw === 'function')
+            return { sanitize: raw };
+        return null;
+    }
+    // The trusted-types directive for INJECT_META. META_DIRECTIVE wins; otherwise we list the policies
+    // that will exist: our own `default`, plus `dompurify` unless a bare-function sanitizer is in use.
+    function metaDirective(md, functionSanitizer) {
+        if (typeof md === 'string' && md)
+            return md;
+        const ttNames = functionSanitizer ? 'default' : 'default dompurify';
+        return `require-trusted-types-for 'script'; trusted-types ${ttNames};`;
+    }
+    // Exercise the sanitizer once so a broken one fails loudly here, not silently on the first real write.
+    // It must return a string; anything else would inject junk into every sink.
+    function smokeTest(sanitizer, config) {
+        try {
+            const out = sanitizer.sanitize('<b>x</b>', config);
+            return typeof out === 'string'
+                ? { ready: true, error: null }
+                : { ready: false, error: 'sanitize() did not return a string' };
+        }
+        catch (e) {
+            return { ready: false, error: emsg(e) };
+        }
+    }
+    // --- the default policy --------------------------------------------------------------------------
+    // createHTML: route through the sanitizer, fail closed on any problem. `reentry` is true only while
+    // the sanitizer parses our input internally (inert and synchronous), so handing the raw string back
+    // is safe and keeps us alive if the sanitizer's own sink re-enters us.
+    function makeSanitizeHTML(sanitizer, config, ready, report) {
+        let reentry = false;
+        return (s) => {
+            if (!ready) {
+                report('sanitizer-unavailable', { sink: 'createHTML' });
+                return null; // fail closed
+            }
+            if (reentry)
+                return s;
+            try {
+                reentry = true;
+                return sanitizer.sanitize(s, config);
+            }
+            catch (e) {
+                report('sanitize-threw', { error: emsg(e) });
+                return null; // fail closed - never hand back raw markup on error
+            }
+            finally {
+                reentry = false;
+            }
+        };
+    }
+    // createScript / createScriptURL: code has no safe subset, so refuse by default. A caller hook may
+    // allow specific values; if it throws or returns a non-string, we refuse.
+    function makeScriptHook(kind, fn, report) {
+        return (s) => {
+            if (fn) {
+                let r;
+                try {
+                    r = fn(s);
+                }
+                catch (e) {
+                    report('script-hook-threw', { sink: kind, error: emsg(e) });
+                    return null; // fail closed
+                }
+                if (typeof r === 'string') {
+                    report('script-sink-allowed', { sink: kind });
+                    return r;
+                }
+            }
+            report('script-sink-refused', { sink: kind, sample: clip(s) });
+            return null;
+        };
+    }
+    // --- public entry point --------------------------------------------------------------------------
     function init(options = {}) {
         if (installed)
             return cachedStatus;
         installed = true;
+        // The violation reporter is observability, never control flow. Wrap it so a throwing ON_VIOLATION
+        // can neither abort init() (which would leave us installed with a null status) nor turn a
+        // fail-closed sink - one that should quietly return null - into a thrown exception.
         const onv = cfg(options, 'ON_VIOLATION');
-        const report = (typeof onv === 'function' ? onv : () => { });
+        const report = typeof onv === 'function'
+            ? (code, detail) => {
+                try {
+                    onv(code, detail);
+                }
+                catch {
+                    /* a misbehaving reporter must never break the policy */
+                }
+            }
+            : () => { };
         const status = {
             version: VERSION,
             ttSupported: !!TT,
@@ -118,15 +254,17 @@
         const done = (reason, code) => {
             status.protected = status.defaultPolicyOwned && status.enforcementActive && status.sanitizerReady;
             status.reason = reason;
-            if (code)
-                report(code, status);
+            // Freeze the snapshot first, then report it: the reporter sees exactly the authoritative status
+            // that gets cached and returned, and has no window to mutate the cached copy.
             cachedStatus = Object.freeze({ ...status });
+            if (code)
+                report(code, cachedStatus);
             return cachedStatus;
         };
         const url = loc && typeof loc.href !== 'undefined' ? String(loc.href) : '';
-        // EXCLUDE: on a matching URL, DOMFortify stays completely out of the way - no policy, no meta. It
-        // does NOT install a passthrough (that would be a silent XSS hole); under globally delivered
-        // enforcement, excluded pages are the developer's responsibility. Reported via status.excluded.
+        // EXCLUDE: on a match, stay completely out of the way - no policy, no meta. We do NOT install a
+        // passthrough (that would be a silent XSS hole); under globally delivered enforcement, excluded
+        // pages are the developer's responsibility. Reported via status.excluded.
         if (urlMatches(cfg(options, 'EXCLUDE'), url)) {
             status.excluded = true;
             return done('URL matched EXCLUDE; DOMFortify is intentionally inactive on this page.', 'excluded-by-url');
@@ -134,46 +272,24 @@
         if (!TT || typeof TT.createPolicy !== 'function') {
             return done('Trusted Types not supported; library is inert. Sinks are NOT routed.', 'tt-unsupported');
         }
-        // URL_CONFIG: the first rule whose `match` hits supplies per-URL overrides. `eff(key)` reads that
-        // rule's own key when present, else falls back to the base config - both own-key only, so a polluted
-        // prototype can neither inject a rule nor loosen a refusal.
-        let override = null;
-        const rules = cfg(options, 'URL_CONFIG');
-        if (Array.isArray(rules)) {
-            for (let i = 0; i < rules.length; i++) {
-                const r = rules[i];
-                if (r && urlMatches(r.match, url)) {
-                    override = r;
-                    break;
-                }
-            }
-        }
+        // Resolve config once. `eff(key)` reads the matching URL_CONFIG rule's own key when present, else the
+        // base config - both own-key only. Nothing is re-read later, so runtime clobbering can't retarget
+        // the policy after this point either.
+        const override = selectOverride(options, url);
         const eff = (key) => (override && own(override, key) ? override[key] : cfg(options, key));
-        // INJECT_META (opt-in, best-effort - see injectMeta and the README). We only attempt it when TT is
-        // supported; the directive lists the policies that will exist: our own `default`, plus `dompurify`
-        // unless a bare-function sanitizer (e.g. the native Sanitizer API) is in use. META_DIRECTIVE overrides.
+        // INJECT_META (opt-in, best-effort - see injectMeta and the README).
         if (cfg(options, 'INJECT_META') === true) {
-            const md = cfg(options, 'META_DIRECTIVE');
-            const ttNames = typeof eff('SANITIZER') === 'function' ? 'default' : 'default dompurify';
-            const directive = typeof md === 'string' && md ? md : `require-trusted-types-for 'script'; trusted-types ${ttNames};`;
+            const directive = metaDirective(cfg(options, 'META_DIRECTIVE'), typeof eff('SANITIZER') === 'function');
             status.metaInjected = injectMeta(directive);
             report('meta-injection-attempted', { directive, written: status.metaInjected });
         }
         status.enforcementActive = enforcementActive();
-        // Resolve config once, reading own keys only so a polluted prototype can't supply a value - and,
-        // most importantly, can't loosen a refusal. Nothing is re-read later, so runtime clobbering can't
-        // retarget the policy either. URL_CONFIG overrides are applied here via `eff`.
+        // Sanitizer: explicit SANITIZER (possibly per-URL), else window.DOMPurify. Config is forwarded
+        // verbatim as the second argument, copied to drop pollution-prone keys.
         let rawSan = eff('SANITIZER');
         if (rawSan === undefined)
             rawSan = root.DOMPurify;
-        // DOMPurify's export is itself a callable function (the factory) that also exposes `.sanitize`, so
-        // check for a `.sanitize` method FIRST - otherwise we'd wrap the factory and call the wrong thing. A
-        // bare function (e.g. a Sanitizer-API adapter) has no `.sanitize` and falls through to the function case.
-        const DP = rawSan && typeof rawSan.sanitize === 'function'
-            ? rawSan
-            : typeof rawSan === 'function'
-                ? { sanitize: rawSan }
-                : null;
+        const sanitizer = resolveSanitizer(rawSan);
         const rawCfg = eff('SANITIZER_CONFIG');
         const sanitizeConfig = rawCfg && typeof rawCfg === 'object' ? shallowCopy(rawCfg) : undefined;
         // Sink openers count only if they're own functions, so prototype pollution can never open a sink.
@@ -181,66 +297,19 @@
         const asuCand = eff('ALLOW_SCRIPT_URL');
         const allowScript = typeof asCand === 'function' ? asCand : null;
         const allowScriptURL = typeof asuCand === 'function' ? asuCand : null;
-        // Smoke-test once so a broken sanitizer fails loudly here, not silently on the first real write. It
-        // must return a string - a sanitizer that returns anything else would otherwise inject junk.
         let sanitizerReady = false;
-        if (DP && typeof DP.sanitize === 'function') {
-            try {
-                sanitizerReady = typeof DP.sanitize('<b>x</b>', sanitizeConfig) === 'string';
-                if (!sanitizerReady)
-                    report('sanitizer-smoketest-failed', { error: 'sanitize() did not return a string' });
-            }
-            catch (e) {
-                report('sanitizer-smoketest-failed', { error: emsg(e) });
-            }
+        if (sanitizer) {
+            const result = smokeTest(sanitizer, sanitizeConfig);
+            sanitizerReady = result.ready;
+            if (!result.ready)
+                report('sanitizer-smoketest-failed', { error: result.error });
         }
         status.sanitizerReady = sanitizerReady;
-        // `reentry` is true only while the sanitizer parses our input internally - inert and synchronous - so
-        // handing the raw string straight back is safe, and keeps us alive if its own sink re-enters us.
-        let reentry = false;
-        const sanitizeHTML = (s) => {
-            if (!sanitizerReady) {
-                report('sanitizer-unavailable', { sink: 'createHTML' });
-                return null; // fail closed
-            }
-            if (reentry)
-                return s;
-            try {
-                reentry = true;
-                return DP.sanitize(s, sanitizeConfig);
-            }
-            catch (e) {
-                report('sanitize-threw', { error: emsg(e) });
-                return null; // fail closed - never hand back raw markup on error
-            }
-            finally {
-                reentry = false;
-            }
-        };
-        // Code has no safe subset, so refuse by default. A caller hook may allow specific values; if it throws
-        // or returns a non-string, we refuse.
-        const scriptHook = (kind, fn) => (s) => {
-            if (fn) {
-                let r;
-                try {
-                    r = fn(s);
-                }
-                catch (e) {
-                    report('script-hook-threw', { sink: kind, error: emsg(e) });
-                    return null; // fail closed
-                }
-                if (typeof r === 'string') {
-                    report('script-sink-allowed', { sink: kind });
-                    return r;
-                }
-            }
-            report('script-sink-refused', { sink: kind, sample: clip(s) });
-            return null;
-        };
+        // createHTML closes over sanitizeConfig; the script hooks refuse unless an own-function hook allows.
         const policyDef = {
-            createHTML: sanitizeHTML,
-            createScript: scriptHook('createScript', allowScript),
-            createScriptURL: scriptHook('createScriptURL', allowScriptURL),
+            createHTML: makeSanitizeHTML(sanitizer, sanitizeConfig, sanitizerReady, report),
+            createScript: makeScriptHook('createScript', allowScript, report),
+            createScriptURL: makeScriptHook('createScriptURL', allowScriptURL, report),
         };
         // Did someone grab the default slot first? We can't evict them and won't vouch for them.
         if (TT.defaultPolicy) {
diff --git a/dist/fortify.js.map b/dist/fortify.js.map
index 8f9f552..9cf196e 100644
--- a/dist/fortify.js.map
+++ b/dist/fortify.js.map
@@ -1 +1 @@
-{"version":3,"file":"fortify.js","sources":["../src/fortify.ts","../src/auto.ts"],"sourcesContent":[null,null],"names":[],"mappings":";;;;IAuBA,MAAM,OAAO,GAAG,OAAa;IAO7B;IACA,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,cAAc;IAC9C,MAAM,IAAI,GACR,OAAO,UAAU,KAAK,WAAW,GAAG,UAAU,GAAI,MAAuC;IAC3F,MAAM,GAAG,GAAyB,OAAO,QAAQ,KAAK,WAAW,GAAG,QAAQ,GAAG,SAAS;IACxF,MAAM,GAAG,GAAoC,IAAqD,CAAC,QAAQ;IAE3G,MAAM,GAAG,GAAG,CAAC,GAAY,EAAE,GAAW,KAAc,GAAG,IAAI,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC;IACxF,MAAM,GAAG,GAAG,CAAC,GAAY,EAAE,GAAW,MAAe,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,GAAI,GAA+B,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC;IACvH,MAAM,IAAI,GAAG,CAAC,CAAU,KAAa,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;IAC3D,MAAM,IAAI,GAAG,CAAC,CAAU,KAAa,MAAM,CAAE,CAAuC,EAAE,OAAO,CAAC;IAE9F,MAAM,EAAE,GAAI,IAAgD,CAAC,YAAY;IAEzE,IAAI,SAAS,GAAG,KAAK;IACrB,IAAI,YAAY,GAAsC,IAAI;IAE1D;IACA;IACA,SAAS,iBAAiB,GAAA;IACxB,IAAA,IAAI;YACD,GAAgB,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,SAAS,GAAG,GAAG;IACtD,QAAA,OAAO,KAAK;QACd;IAAE,IAAA,MAAM;IACN,QAAA,OAAO,IAAI;QACb;IACF;IAEA;IACA;IACA,SAAS,WAAW,CAAC,GAA4B,EAAA;QAC/C,MAAM,GAAG,GAA4B,EAAE;IACvC,IAAA,KAAK,MAAM,CAAC,IAAI,GAAG,EAAE;IACnB,QAAA,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,WAAW,IAAI,CAAC,KAAK,aAAa,IAAI,CAAC,KAAK,WAAW;gBAAE,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;QAC3G;IACA,IAAA,OAAO,GAAG;IACZ;IAEA;IACA;IACA,SAAS,UAAU,CAAC,OAA8C,EAAE,GAAW,EAAA;QAC7E,IAAI,OAAO,IAAI,IAAI;IAAE,QAAA,OAAO,KAAK;IACjC,IAAA,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,CAAC,OAAO,CAAC;IACzD,IAAA,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;IACpC,QAAA,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;IACjB,QAAA,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE;IACzB,YAAA,IAAI,CAAC,KAAK,EAAE,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,EAAE;IAAE,gBAAA,OAAO,IAAI;YACpD;IAAO,aAAA,IAAI,CAAC,YAAY,MAAM,EAAE;IAC9B,YAAA,IAAI;IACF,gBAAA,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;IAAE,oBAAA,OAAO,IAAI;gBAC9B;IAAE,YAAA,MAAM;;gBAER;YACF;QACF;IACA,IAAA,OAAO,KAAK;IACd;IAEA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA,SAAS,UAAU,CAAC,OAAe,EAAA;IACjC,IAAA,IAAI,CAAC,GAAG;IAAE,QAAA,OAAO,KAAK;QACtB,MAAM,CAAC,GAAG,GAAsE;QAChF,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC;IAC9C,IAAA,MAAM,GAAG,GAAG,sDAAsD,GAAG,IAAI,GAAG,IAAI;IAChF,IAAA,IAAI,CAAC,CAAC,UAAU,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,UAAU,EAAE;IAC/D,QAAA,IAAI;IACF,YAAA,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC;IACZ,YAAA,OAAO,IAAI;YACb;IAAE,QAAA,MAAM;;YAER;QACF;IACA,IAAA,IAAI;YACF,MAAM,CAAC,GAAG,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC;IACjC,QAAA,CAAC,CAAC,YAAY,CAAC,YAAY,EAAE,yBAAyB,CAAC;IACvD,QAAA,CAAC,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC;IAClC,QAAA,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC,CAAC;QAC9C;IAAE,IAAA,MAAM;;QAER;IACA,IAAA,OAAO,KAAK;IACd;IAEM,SAAU,IAAI,CAAC,OAAA,GAA4B,EAAE,EAAA;IACjD,IAAA,IAAI,SAAS;IAAE,QAAA,OAAO,YAA0C;QAChE,SAAS,GAAG,IAAI;QAEhB,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,EAAE,cAAc,CAAC;IACxC,IAAA,MAAM,MAAM,IAAI,OAAO,GAAG,KAAK,UAAU,GAAG,GAAG,GAAG,MAAK,EAAE,CAAC,CAAoD;IAE9G,IAAA,MAAM,MAAM,GAAqB;IAC/B,QAAA,OAAO,EAAE,OAAO;YAChB,WAAW,EAAE,CAAC,CAAC,EAAE;IACjB,QAAA,iBAAiB,EAAE,KAAK;IACxB,QAAA,kBAAkB,EAAE,KAAK;IACzB,QAAA,cAAc,EAAE,KAAK;IACrB,QAAA,QAAQ,EAAE,KAAK;IACf,QAAA,YAAY,EAAE,KAAK;IACnB,QAAA,SAAS,EAAE,KAAK;IAChB,QAAA,MAAM,EAAE,EAAE;SACX;IACD,IAAA,MAAM,IAAI,GAAG,CAAC,MAAc,EAAE,IAAoB,KAAgC;IAChF,QAAA,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC,iBAAiB,IAAI,MAAM,CAAC,cAAc;IACjG,QAAA,MAAM,CAAC,MAAM,GAAG,MAAM;IACtB,QAAA,IAAI,IAAI;IAAE,YAAA,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC;YAC9B,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,MAAM,EAAE,CAAC;IAC3C,QAAA,OAAO,YAAY;IACrB,IAAA,CAAC;QAED,MAAM,GAAG,GAAG,GAAG,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE;;;;IAK1E,IAAA,IAAI,UAAU,CAAC,GAAG,CAAC,OAAO,EAAE,SAAS,CAA0C,EAAE,GAAG,CAAC,EAAE;IACrF,QAAA,MAAM,CAAC,QAAQ,GAAG,IAAI;IACtB,QAAA,OAAO,IAAI,CAAC,yEAAyE,EAAE,iBAAiB,CAAC;QAC3G;QAEA,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,CAAC,YAAY,KAAK,UAAU,EAAE;IAChD,QAAA,OAAO,IAAI,CAAC,sEAAsE,EAAE,gBAAgB,CAAC;QACvG;;;;QAKA,IAAI,QAAQ,GAAmC,IAAI;QACnD,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,EAAE,YAAY,CAAC;IACxC,IAAA,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;IACxB,QAAA,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;IACrC,YAAA,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAA8B;gBAC/C,IAAI,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE;oBACjC,QAAQ,GAAG,CAAuC;oBAClD;gBACF;YACF;QACF;IACA,IAAA,MAAM,GAAG,GAAG,CAAC,GAAW,MAAe,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;;;;QAK1G,IAAI,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC,KAAK,IAAI,EAAE;YACxC,MAAM,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,gBAAgB,CAAC;IACzC,QAAA,MAAM,OAAO,GAAG,OAAO,GAAG,CAAC,WAAW,CAAC,KAAK,UAAU,GAAG,SAAS,GAAG,mBAAmB;IACxF,QAAA,MAAM,SAAS,GACb,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,GAAG,EAAE,GAAG,CAAA,kDAAA,EAAqD,OAAO,GAAG;IACrG,QAAA,MAAM,CAAC,YAAY,GAAG,UAAU,CAAC,SAAS,CAAC;IAC3C,QAAA,MAAM,CAAC,0BAA0B,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,CAAC,YAAY,EAAE,CAAC;QACjF;IAEA,IAAA,MAAM,CAAC,iBAAiB,GAAG,iBAAiB,EAAE;;;;IAK9C,IAAA,IAAI,MAAM,GAAY,GAAG,CAAC,WAAW,CAAC;QACtC,IAAI,MAAM,KAAK,SAAS;IAAE,QAAA,MAAM,GAAI,IAA2C,CAAC,SAAS;;;;QAIzF,MAAM,EAAE,GACN,MAAM,IAAI,OAAQ,MAAoB,CAAC,QAAQ,KAAK;IAClD,UAAG;IACH,UAAE,OAAO,MAAM,KAAK;IAClB,cAAE,EAAE,QAAQ,EAAE,MAAoB;kBAChC,IAAI;IACZ,IAAA,MAAM,MAAM,GAAG,GAAG,CAAC,kBAAkB,CAAC;IACtC,IAAA,MAAM,cAAc,GAClB,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,GAAG,WAAW,CAAC,MAAiC,CAAC,GAAG,SAAS;;IAGnG,IAAA,MAAM,MAAM,GAAG,GAAG,CAAC,cAAc,CAAC;IAClC,IAAA,MAAM,OAAO,GAAG,GAAG,CAAC,kBAAkB,CAAC;IACvC,IAAA,MAAM,WAAW,GAAG,OAAO,MAAM,KAAK,UAAU,GAAI,MAAqB,GAAG,IAAI;IAChF,IAAA,MAAM,cAAc,GAAG,OAAO,OAAO,KAAK,UAAU,GAAI,OAAsB,GAAG,IAAI;;;QAIrF,IAAI,cAAc,GAAG,KAAK;QAC1B,IAAI,EAAE,IAAI,OAAO,EAAE,CAAC,QAAQ,KAAK,UAAU,EAAE;IAC3C,QAAA,IAAI;IACF,YAAA,cAAc,GAAG,OAAO,EAAE,CAAC,QAAQ,CAAC,UAAU,EAAE,cAAc,CAAC,KAAK,QAAQ;IAC5E,YAAA,IAAI,CAAC,cAAc;oBAAE,MAAM,CAAC,4BAA4B,EAAE,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC;YAC5G;YAAE,OAAO,CAAC,EAAE;IACV,YAAA,MAAM,CAAC,4BAA4B,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1D;QACF;IACA,IAAA,MAAM,CAAC,cAAc,GAAG,cAAc;;;QAItC,IAAI,OAAO,GAAG,KAAK;IACnB,IAAA,MAAM,YAAY,GAAG,CAAC,CAAS,KAAmB;YAChD,IAAI,CAAC,cAAc,EAAE;gBACnB,MAAM,CAAC,uBAAuB,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC;gBACvD,OAAO,IAAI,CAAC;YACd;IACA,QAAA,IAAI,OAAO;IAAE,YAAA,OAAO,CAAC;IACrB,QAAA,IAAI;gBACF,OAAO,GAAG,IAAI;gBACd,OAAQ,EAAgB,CAAC,QAAQ,CAAC,CAAC,EAAE,cAAc,CAAW;YAChE;YAAE,OAAO,CAAC,EAAE;IACV,YAAA,MAAM,CAAC,gBAAgB,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5C,OAAO,IAAI,CAAC;YACd;oBAAU;gBACR,OAAO,GAAG,KAAK;YACjB;IACF,IAAA,CAAC;;;IAID,IAAA,MAAM,UAAU,GACd,CAAC,IAAwC,EAAE,EAAqB,KAChE,CAAC,CAAS,KAAmB;YAC3B,IAAI,EAAE,EAAE;IACN,YAAA,IAAI,CAAU;IACd,YAAA,IAAI;IACF,gBAAA,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;gBACX;gBAAE,OAAO,CAAC,EAAE;IACV,gBAAA,MAAM,CAAC,mBAAmB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3D,OAAO,IAAI,CAAC;gBACd;IACA,YAAA,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE;oBACzB,MAAM,CAAC,qBAAqB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IAC7C,gBAAA,OAAO,CAAC;gBACV;YACF;IACA,QAAA,MAAM,CAAC,qBAAqB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;IAC9D,QAAA,OAAO,IAAI;IACb,IAAA,CAAC;IAEH,IAAA,MAAM,SAAS,GAAG;IAChB,QAAA,UAAU,EAAE,YAAY;IACxB,QAAA,YAAY,EAAE,UAAU,CAAC,cAAc,EAAE,WAAW,CAAC;IACrD,QAAA,eAAe,EAAE,UAAU,CAAC,iBAAiB,EAAE,cAAc,CAAC;SAC/D;;IAGD,IAAA,IAAI,EAAE,CAAC,aAAa,EAAE;YACpB,OAAO,IAAI,CACT,qGAAqG;gBACnG,0CAA0C,EAC5C,4BAA4B,CAC7B;QACH;IAEA,IAAA,IAAI,IAAa;IACjB,IAAA,IAAI;YACF,IAAI,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,SAAS,CAAC;QAC9C;QAAE,OAAO,CAAC,EAAE;;YAEV,OAAO,IAAI,CACT,CAAA,+BAAA,EAAkC,IAAI,CAAC,CAAC,CAAC,CAAA,uCAAA,CAAyC,EAClF,qBAAqB,CACtB;QACH;;QAGA,IAAI,EAAE,CAAC,aAAa,IAAI,EAAE,CAAC,aAAa,KAAK,IAAI,EAAE;YACjD,OAAO,IAAI,CACT,qFAAqF;gBACnF,6DAA6D,EAC/D,2BAA2B,CAC5B;QACH;IAEA,IAAA,MAAM,CAAC,kBAAkB,GAAG,IAAI;IAEhC,IAAA,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE;YAC7B,OAAO,IAAI,CACT,qGAAqG;gBACnG,uDAAuD,EACzD,sBAAsB,CACvB;QACH;QACA,IAAI,CAAC,cAAc,EAAE;YACnB,OAAO,IAAI,CACT,+FAA+F;gBAC7F,mEAAmE,EACrE,gBAAgB,CACjB;QACH;IACA,IAAA,OAAO,IAAI,CACT,CAAA,2CAAA,EAA8C,WAAW,IAAI,cAAc,GAAG,yBAAyB,GAAG,SAAS,CAAA,CAAA,CAAG,CACvH;IACH;aAEgB,MAAM,GAAA;IACpB,IAAA,OAAO,YAAY;IACrB;IAEO,MAAM,UAAU,GAAkB,MAAM,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;;IC7UxE;;;;IAIG;IAWH,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE;IACjC,IAAA,MAAM,CAAC,UAAU,GAAG,UAAU;QAC9B,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,EAAE,CAAC;IAChD;;;;;;"}
\ No newline at end of file
+{"version":3,"file":"fortify.js","sources":["../src/internal.ts","../src/fortify.ts","../src/auto.ts"],"sourcesContent":[null,null,null],"names":[],"mappings":";;;;IAOA;IACA,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,cAAc;IAE9C;IACM,SAAU,GAAG,CAAC,GAAY,EAAE,GAAW,EAAA;IAC3C,IAAA,OAAO,GAAG,IAAI,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC;IAC7C;IAEA;IACM,SAAU,GAAG,CAAC,GAAY,EAAE,GAAW,EAAA;IAC3C,IAAA,OAAO,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,GAAI,GAA+B,CAAC,GAAG,CAAC,GAAG,SAAS;IAC1E;IAEA;IACM,SAAU,IAAI,CAAC,CAAU,EAAA;QAC7B,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;IAC/B;IAEA;IACM,SAAU,IAAI,CAAC,CAAU,EAAA;IAC7B,IAAA,OAAO,MAAM,CAAE,CAAuC,EAAE,OAAO,CAAC;IAClE;IAEA;;;IAGG;IACG,SAAU,WAAW,CAAC,GAA4B,EAAA;QACtD,MAAM,GAAG,GAA4B,EAAE;IACvC,IAAA,KAAK,MAAM,CAAC,IAAI,GAAG,EAAE;YACnB,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,WAAW,IAAI,CAAC,KAAK,aAAa,IAAI,CAAC,KAAK,WAAW,EAAE;gBACxF,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;YACjB;QACF;IACA,IAAA,OAAO,GAAG;IACZ;IAEA;;;;IAIG;IACG,SAAU,UAAU,CAAC,OAA8C,EAAE,GAAW,EAAA;QACpF,IAAI,OAAO,IAAI,IAAI;IAAE,QAAA,OAAO,KAAK;IACjC,IAAA,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,CAAC,OAAO,CAAC;IACzD,IAAA,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;IACpC,QAAA,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;IACjB,QAAA,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE;IACzB,YAAA,IAAI,CAAC,KAAK,EAAE,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,EAAE;IAAE,gBAAA,OAAO,IAAI;YACpD;IAAO,aAAA,IAAI,CAAC,YAAY,MAAM,EAAE;IAC9B,YAAA,IAAI;IACF,gBAAA,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;IAAE,oBAAA,OAAO,IAAI;gBAC9B;IAAE,YAAA,MAAM;;gBAER;YACF;QACF;IACA,IAAA,OAAO,KAAK;IACd;;ICjEA;;;;;;;;;;IAUG;IAcH,MAAM,OAAO,GAAG,OAAa;IAS7B;IACA,MAAM,IAAI,GACR,OAAO,UAAU,KAAK,WAAW,GAAG,UAAU,GAAI,MAAuC;IAC3F,MAAM,GAAG,GAAyB,OAAO,QAAQ,KAAK,WAAW,GAAG,QAAQ,GAAG,SAAS;IACxF,MAAM,GAAG,GAAoC,IAAqD,CAAC,QAAQ;IAC3G,MAAM,EAAE,GAAI,IAAgD,CAAC,YAAY;IAEzE,IAAI,SAAS,GAAG,KAAK;IACrB,IAAI,YAAY,GAAsC,IAAI;IAE1D;IAEA;IACA;IACA,SAAS,iBAAiB,GAAA;IACxB,IAAA,IAAI;YACD,GAAgB,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,SAAS,GAAG,GAAG;IACtD,QAAA,OAAO,KAAK;QACd;IAAE,IAAA,MAAM;IACN,QAAA,OAAO,IAAI;QACb;IACF;IAEA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA,SAAS,UAAU,CAAC,OAAe,EAAA;IACjC,IAAA,IAAI,CAAC,GAAG;IAAE,QAAA,OAAO,KAAK;QACtB,MAAM,CAAC,GAAG,GAAsE;QAChF,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC;IAC9C,IAAA,MAAM,GAAG,GAAG,sDAAsD,GAAG,IAAI,GAAG,IAAI;IAChF,IAAA,IAAI,CAAC,CAAC,UAAU,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,UAAU,EAAE;IAC/D,QAAA,IAAI;IACF,YAAA,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC;IACZ,YAAA,OAAO,IAAI;YACb;IAAE,QAAA,MAAM;;YAER;QACF;IACA,IAAA,IAAI;YACF,MAAM,CAAC,GAAG,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC;IACjC,QAAA,CAAC,CAAC,YAAY,CAAC,YAAY,EAAE,yBAAyB,CAAC;IACvD,QAAA,CAAC,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC;IAClC,QAAA,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC,CAAC;QAC9C;IAAE,IAAA,MAAM;;QAER;IACA,IAAA,OAAO,KAAK;IACd;IAEA;IAEA;IACA;IACA,SAAS,cAAc,CAAC,OAAyB,EAAE,GAAW,EAAA;QAC5D,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,EAAE,YAAY,CAAC;IACxC,IAAA,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;IAAE,QAAA,OAAO,IAAI;IACtC,IAAA,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;IACrC,QAAA,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAA8B;YAC/C,IAAI,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,KAAK,EAAE,GAAG,CAAC;IAAE,YAAA,OAAO,CAAuC;QACnF;IACA,IAAA,OAAO,IAAI;IACb;IAEA;IACA;IACA;IACA;IACA,SAAS,gBAAgB,CAAC,GAAY,EAAA;IACpC,IAAA,IAAI,GAAG,IAAI,OAAQ,GAAiB,CAAC,QAAQ,KAAK,UAAU;IAAE,QAAA,OAAO,GAAgB;QACrF,IAAI,OAAO,GAAG,KAAK,UAAU;IAAE,QAAA,OAAO,EAAE,QAAQ,EAAE,GAAiB,EAAE;IACrE,IAAA,OAAO,IAAI;IACb;IAEA;IACA;IACA,SAAS,aAAa,CAAC,EAAW,EAAE,iBAA0B,EAAA;IAC5D,IAAA,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE;IAAE,QAAA,OAAO,EAAE;QAC3C,MAAM,OAAO,GAAG,iBAAiB,GAAG,SAAS,GAAG,mBAAmB;QACnE,OAAO,CAAA,kDAAA,EAAqD,OAAO,CAAA,CAAA,CAAG;IACxE;IAEA;IACA;IACA,SAAS,SAAS,CAAC,SAAoB,EAAE,MAAe,EAAA;IACtD,IAAA,IAAI;YACF,MAAM,GAAG,GAAG,SAAS,CAAC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;YAClD,OAAO,OAAO,GAAG,KAAK;kBAClB,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI;kBAC1B,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,oCAAoC,EAAE;QACnE;QAAE,OAAO,CAAC,EAAE;IACV,QAAA,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE;QACzC;IACF;IAEA;IAEA;IACA;IACA;IACA,SAAS,gBAAgB,CACvB,SAA2B,EAC3B,MAAe,EACf,KAAc,EACd,MAAc,EAAA;QAEd,IAAI,OAAO,GAAG,KAAK;QACnB,OAAO,CAAC,CAAS,KAAmB;YAClC,IAAI,CAAC,KAAK,EAAE;gBACV,MAAM,CAAC,uBAAuB,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC;gBACvD,OAAO,IAAI,CAAC;YACd;IACA,QAAA,IAAI,OAAO;IAAE,YAAA,OAAO,CAAC;IACrB,QAAA,IAAI;gBACF,OAAO,GAAG,IAAI;gBACd,OAAQ,SAAuB,CAAC,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAW;YAC/D;YAAE,OAAO,CAAC,EAAE;IACV,YAAA,MAAM,CAAC,gBAAgB,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5C,OAAO,IAAI,CAAC;YACd;oBAAU;gBACR,OAAO,GAAG,KAAK;YACjB;IACF,IAAA,CAAC;IACH;IAEA;IACA;IACA,SAAS,cAAc,CACrB,IAAwC,EACxC,EAAqB,EACrB,MAAc,EAAA;QAEd,OAAO,CAAC,CAAS,KAAmB;YAClC,IAAI,EAAE,EAAE;IACN,YAAA,IAAI,CAAU;IACd,YAAA,IAAI;IACF,gBAAA,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;gBACX;gBAAE,OAAO,CAAC,EAAE;IACV,gBAAA,MAAM,CAAC,mBAAmB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3D,OAAO,IAAI,CAAC;gBACd;IACA,YAAA,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE;oBACzB,MAAM,CAAC,qBAAqB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IAC7C,gBAAA,OAAO,CAAC;gBACV;YACF;IACA,QAAA,MAAM,CAAC,qBAAqB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;IAC9D,QAAA,OAAO,IAAI;IACb,IAAA,CAAC;IACH;IAEA;IAEM,SAAU,IAAI,CAAC,OAAA,GAA4B,EAAE,EAAA;IACjD,IAAA,IAAI,SAAS;IAAE,QAAA,OAAO,YAA0C;QAChE,SAAS,GAAG,IAAI;;;;QAKhB,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,EAAE,cAAc,CAAC;IACxC,IAAA,MAAM,MAAM,GACV,OAAO,GAAG,KAAK;IACb,UAAE,CAAC,IAAI,EAAE,MAAM,KAAI;IACf,YAAA,IAAI;IACD,gBAAA,GAAc,CAAC,IAAI,EAAE,MAAM,CAAC;gBAC/B;IAAE,YAAA,MAAM;;gBAER;YACF;IACF,UAAE,MAAK,EAAE,CAAC;IAEd,IAAA,MAAM,MAAM,GAAqB;IAC/B,QAAA,OAAO,EAAE,OAAO;YAChB,WAAW,EAAE,CAAC,CAAC,EAAE;IACjB,QAAA,iBAAiB,EAAE,KAAK;IACxB,QAAA,kBAAkB,EAAE,KAAK;IACzB,QAAA,cAAc,EAAE,KAAK;IACrB,QAAA,QAAQ,EAAE,KAAK;IACf,QAAA,YAAY,EAAE,KAAK;IACnB,QAAA,SAAS,EAAE,KAAK;IAChB,QAAA,MAAM,EAAE,EAAE;SACX;IACD,IAAA,MAAM,IAAI,GAAG,CAAC,MAAc,EAAE,IAAoB,KAAgC;IAChF,QAAA,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC,iBAAiB,IAAI,MAAM,CAAC,cAAc;IACjG,QAAA,MAAM,CAAC,MAAM,GAAG,MAAM;;;YAGtB,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,MAAM,EAAE,CAAC;IAC3C,QAAA,IAAI,IAAI;IAAE,YAAA,MAAM,CAAC,IAAI,EAAE,YAAY,CAAC;IACpC,QAAA,OAAO,YAAY;IACrB,IAAA,CAAC;QAED,MAAM,GAAG,GAAG,GAAG,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE;;;;IAK1E,IAAA,IAAI,UAAU,CAAC,GAAG,CAAC,OAAO,EAAE,SAAS,CAA0C,EAAE,GAAG,CAAC,EAAE;IACrF,QAAA,MAAM,CAAC,QAAQ,GAAG,IAAI;IACtB,QAAA,OAAO,IAAI,CAAC,yEAAyE,EAAE,iBAAiB,CAAC;QAC3G;QAEA,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,CAAC,YAAY,KAAK,UAAU,EAAE;IAChD,QAAA,OAAO,IAAI,CAAC,sEAAsE,EAAE,gBAAgB,CAAC;QACvG;;;;QAKA,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC;IAC7C,IAAA,MAAM,GAAG,GAAG,CAAC,GAAW,MAAe,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;;QAG1G,IAAI,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC,KAAK,IAAI,EAAE;IACxC,QAAA,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,OAAO,EAAE,gBAAgB,CAAC,EAAE,OAAO,GAAG,CAAC,WAAW,CAAC,KAAK,UAAU,CAAC;IACvG,QAAA,MAAM,CAAC,YAAY,GAAG,UAAU,CAAC,SAAS,CAAC;IAC3C,QAAA,MAAM,CAAC,0BAA0B,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,CAAC,YAAY,EAAE,CAAC;QACjF;IAEA,IAAA,MAAM,CAAC,iBAAiB,GAAG,iBAAiB,EAAE;;;IAI9C,IAAA,IAAI,MAAM,GAAY,GAAG,CAAC,WAAW,CAAC;QACtC,IAAI,MAAM,KAAK,SAAS;IAAE,QAAA,MAAM,GAAI,IAA2C,CAAC,SAAS;IACzF,IAAA,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC;IAC1C,IAAA,MAAM,MAAM,GAAG,GAAG,CAAC,kBAAkB,CAAC;IACtC,IAAA,MAAM,cAAc,GAClB,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,GAAG,WAAW,CAAC,MAAiC,CAAC,GAAG,SAAS;;IAGnG,IAAA,MAAM,MAAM,GAAG,GAAG,CAAC,cAAc,CAAC;IAClC,IAAA,MAAM,OAAO,GAAG,GAAG,CAAC,kBAAkB,CAAC;IACvC,IAAA,MAAM,WAAW,GAAG,OAAO,MAAM,KAAK,UAAU,GAAI,MAAqB,GAAG,IAAI;IAChF,IAAA,MAAM,cAAc,GAAG,OAAO,OAAO,KAAK,UAAU,GAAI,OAAsB,GAAG,IAAI;QAErF,IAAI,cAAc,GAAG,KAAK;QAC1B,IAAI,SAAS,EAAE;YACb,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,EAAE,cAAc,CAAC;IACnD,QAAA,cAAc,GAAG,MAAM,CAAC,KAAK;YAC7B,IAAI,CAAC,MAAM,CAAC,KAAK;gBAAE,MAAM,CAAC,4BAA4B,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC;QAClF;IACA,IAAA,MAAM,CAAC,cAAc,GAAG,cAAc;;IAGtC,IAAA,MAAM,SAAS,GAAG;YAChB,UAAU,EAAE,gBAAgB,CAAC,SAAS,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,CAAC;YAC/E,YAAY,EAAE,cAAc,CAAC,cAAc,EAAE,WAAW,EAAE,MAAM,CAAC;YACjE,eAAe,EAAE,cAAc,CAAC,iBAAiB,EAAE,cAAc,EAAE,MAAM,CAAC;SAC3E;;IAGD,IAAA,IAAI,EAAE,CAAC,aAAa,EAAE;YACpB,OAAO,IAAI,CACT,qGAAqG;gBACnG,0CAA0C,EAC5C,4BAA4B,CAC7B;QACH;IAEA,IAAA,IAAI,IAAa;IACjB,IAAA,IAAI;YACF,IAAI,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,SAAS,CAAC;QAC9C;QAAE,OAAO,CAAC,EAAE;;YAEV,OAAO,IAAI,CACT,CAAA,+BAAA,EAAkC,IAAI,CAAC,CAAC,CAAC,CAAA,uCAAA,CAAyC,EAClF,qBAAqB,CACtB;QACH;;QAGA,IAAI,EAAE,CAAC,aAAa,IAAI,EAAE,CAAC,aAAa,KAAK,IAAI,EAAE;YACjD,OAAO,IAAI,CACT,qFAAqF;gBACnF,6DAA6D,EAC/D,2BAA2B,CAC5B;QACH;IAEA,IAAA,MAAM,CAAC,kBAAkB,GAAG,IAAI;IAEhC,IAAA,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE;YAC7B,OAAO,IAAI,CACT,qGAAqG;gBACnG,uDAAuD,EACzD,sBAAsB,CACvB;QACH;QACA,IAAI,CAAC,cAAc,EAAE;YACnB,OAAO,IAAI,CACT,+FAA+F;gBAC7F,mEAAmE,EACrE,gBAAgB,CACjB;QACH;IACA,IAAA,OAAO,IAAI,CACT,CAAA,2CAAA,EAA8C,WAAW,IAAI,cAAc,GAAG,yBAAyB,GAAG,SAAS,CAAA,CAAA,CAAG,CACvH;IACH;aAEgB,MAAM,GAAA;IACpB,IAAA,OAAO,YAAY;IACrB;IAEO,MAAM,UAAU,GAAkB,MAAM,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;;ICzVxE;;;;IAIG;IAWH,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE;IACjC,IAAA,MAAM,CAAC,UAAU,GAAG,UAAU;QAC9B,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,EAAE,CAAC;IAChD;;;;;;"}
\ No newline at end of file
diff --git a/dist/fortify.min.js b/dist/fortify.min.js
index 4cba428..b56e0a1 100644
--- a/dist/fortify.min.js
+++ b/dist/fortify.min.js
@@ -1,3 +1,3 @@
-/*! DOMFortify 0.1.0 | (c) Cure53 and contributors | (MPL-2.0 OR Apache-2.0) */
-!function(){"use strict";const t=Object.prototype.hasOwnProperty,e="undefined"!=typeof globalThis?globalThis:window,i="undefined"!=typeof document?document:void 0,n=e.location,r=(e,i)=>null!=e&&t.call(e,i),o=(t,e)=>r(t,e)?t[e]:void 0,c=t=>String(t).slice(0,80),a=t=>String(t?.message),l=e.trustedTypes;let s=!1,u=null;function f(t,e){if(null==t)return!1;const i=Array.isArray(t)?t:[t];for(let t=0;t<i.length;t++){const n=i[t];if("string"==typeof n){if(""!==n&&-1!==e.indexOf(n))return!0}else if(n instanceof RegExp)try{if(n.test(e))return!0}catch{}}return!1}const d=Object.freeze({init:function(d={}){if(s)return u;s=!0;const y=o(d,"ON_VIOLATION"),p="function"==typeof y?y:()=>{},h={version:"0.1.0",ttSupported:!!l,enforcementActive:!1,defaultPolicyOwned:!1,sanitizerReady:!1,excluded:!1,metaInjected:!1,protected:!1,reason:""},m=(t,e)=>(h.protected=h.defaultPolicyOwned&&h.enforcementActive&&h.sanitizerReady,h.reason=t,e&&p(e,h),u=Object.freeze({...h}),u),O=n&&void 0!==n.href?String(n.href):"";if(f(o(d,"EXCLUDE"),O))return h.excluded=!0,m("URL matched EXCLUDE; DOMFortify is intentionally inactive on this page.","excluded-by-url");if(!l||"function"!=typeof l.createPolicy)return m("Trusted Types not supported; library is inert. Sinks are NOT routed.","tt-unsupported");let T=null;const v=o(d,"URL_CONFIG");if(Array.isArray(v))for(let t=0;t<v.length;t++){const e=v[t];if(e&&f(e.match,O)){T=e;break}}const w=t=>T&&r(T,t)?T[t]:o(d,t);if(!0===o(d,"INJECT_META")){const t=o(d,"META_DIRECTIVE"),e="function"==typeof w("SANITIZER")?"default":"default dompurify",n="string"==typeof t&&t?t:`require-trusted-types-for 'script'; trusted-types ${e};`;h.metaInjected=function(t){if(!i)return!1;const e=i,n='<meta http-equiv="Content-Security-Policy" content="'+t.replace(/["<>\r\n]/g,"")+'">';if("loading"===e.readyState&&"function"==typeof e.write)try{return e.write(n),!0}catch{}try{const i=e.createElement("meta");i.setAttribute("http-equiv","Content-Security-Policy"),i.setAttribute("content",t),(e.head||e.documentElement).appendChild(i)}catch{}return!1}(n),p("meta-injection-attempted",{directive:n,written:h.metaInjected})}h.enforcementActive=function(){try{return i.createElement("div").innerHTML="x",!1}catch{return!0}}();let g=w("SANITIZER");void 0===g&&(g=e.DOMPurify);const b=g&&"function"==typeof g.sanitize?g:"function"==typeof g?{sanitize:g}:null,A=w("SANITIZER_CONFIG"),k=A&&"object"==typeof A?function(e){const i={};for(const n in e)t.call(e,n)&&"__proto__"!==n&&"constructor"!==n&&"prototype"!==n&&(i[n]=e[n]);return i}(A):void 0,I=w("ALLOW_SCRIPT"),L=w("ALLOW_SCRIPT_URL"),z="function"==typeof I?I:null,E="function"==typeof L?L:null;let R=!1;if(b&&"function"==typeof b.sanitize)try{R="string"==typeof b.sanitize("<b>x</b>",k),R||p("sanitizer-smoketest-failed",{error:"sanitize() did not return a string"})}catch(t){p("sanitizer-smoketest-failed",{error:a(t)})}h.sanitizerReady=R;let S=!1;const P=(t,e)=>i=>{if(e){let n;try{n=e(i)}catch(e){return p("script-hook-threw",{sink:t,error:a(e)}),null}if("string"==typeof n)return p("script-sink-allowed",{sink:t}),n}return p("script-sink-refused",{sink:t,sample:c(i)}),null},M={createHTML:t=>{if(!R)return p("sanitizer-unavailable",{sink:"createHTML"}),null;if(S)return t;try{return S=!0,b.sanitize(t,k)}catch(t){return p("sanitize-threw",{error:a(t)}),null}finally{S=!1}},createScript:P("createScript",z),createScriptURL:P("createScriptURL",E)};if(l.defaultPolicy)return m("A default Trusted Types policy already exists; DOMFortify did NOT install and cannot vouch for it. Load DOMFortify first, inline in <head>.","preexisting-default-policy");let D;try{D=l.createPolicy("default",M)}catch(t){return m(`createPolicy("default") threw (${a(t)}); another default policy won the race.`,"default-policy-lost")}return l.defaultPolicy&&l.defaultPolicy!==D?m('Our policy was created but is not the active default (allow-duplicates race lost). Remove "allow-duplicates" from the trusted-types directive.',"default-policy-not-active"):(h.defaultPolicyOwned=!0,h.enforcementActive?R?m(`Active: HTML sinks sanitized, script sinks ${z||E?"partly allowed by hooks":"refused"}.`):m("Enforcement active and slot locked, but the sanitizer is unavailable - HTML sinks will THROW (failing closed). Bundle DOMPurify and load it before DOMFortify.","failing-closed"):m("Default policy installed and slot locked, but TT enforcement is NOT active - sinks are not routed. Deliver require-trusted-types-for (header preferred).","enforcement-inactive"))},status:function(){return u}});"undefined"!=typeof window&&(window.DOMFortify=d,d.init(window.DOMFortifyConfig||{}))}();
+/*! DOMFortify 0.2.0 | (c) Cure53 and contributors | (MPL-2.0 OR Apache-2.0) */
+!function(){"use strict";const t=Object.prototype.hasOwnProperty;function e(e,r){return null!=e&&t.call(e,r)}function r(t,r){return e(t,r)?t[r]:void 0}function n(t){return String(t).slice(0,80)}function i(t){return String(t?.message)}function o(t,e){if(null==t)return!1;const r=Array.isArray(t)?t:[t];for(let t=0;t<r.length;t++){const n=r[t];if("string"==typeof n){if(""!==n&&-1!==e.indexOf(n))return!0}else if(n instanceof RegExp)try{if(n.test(e))return!0}catch{}}return!1}const c="undefined"!=typeof globalThis?globalThis:window,a="undefined"!=typeof document?document:void 0,u=c.location,l=c.trustedTypes;let s=!1,f=null;function d(t,e,r,n){let o=!1;return c=>{if(!r)return n("sanitizer-unavailable",{sink:"createHTML"}),null;if(o)return c;try{return o=!0,t.sanitize(c,e)}catch(t){return n("sanitize-threw",{error:i(t)}),null}finally{o=!1}}}function y(t,e,r){return o=>{if(e){let n;try{n=e(o)}catch(e){return r("script-hook-threw",{sink:t,error:i(e)}),null}if("string"==typeof n)return r("script-sink-allowed",{sink:t}),n}return r("script-sink-refused",{sink:t,sample:n(o)}),null}}const p=Object.freeze({init:function(n={}){if(s)return f;s=!0;const p=r(n,"ON_VIOLATION"),h="function"==typeof p?(t,e)=>{try{p(t,e)}catch{}}:()=>{},v={version:"0.2.0",ttSupported:!!l,enforcementActive:!1,defaultPolicyOwned:!1,sanitizerReady:!1,excluded:!1,metaInjected:!1,protected:!1,reason:""},m=(t,e)=>(v.protected=v.defaultPolicyOwned&&v.enforcementActive&&v.sanitizerReady,v.reason=t,f=Object.freeze({...v}),e&&h(e,f),f),O=u&&void 0!==u.href?String(u.href):"";if(o(r(n,"EXCLUDE"),O))return v.excluded=!0,m("URL matched EXCLUDE; DOMFortify is intentionally inactive on this page.","excluded-by-url");if(!l||"function"!=typeof l.createPolicy)return m("Trusted Types not supported; library is inert. Sinks are NOT routed.","tt-unsupported");const T=function(t,e){const n=r(t,"URL_CONFIG");if(!Array.isArray(n))return null;for(let t=0;t<n.length;t++){const r=n[t];if(r&&o(r.match,e))return r}return null}(n,O),w=t=>T&&e(T,t)?T[t]:r(n,t);if(!0===r(n,"INJECT_META")){const t=(g=r(n,"META_DIRECTIVE"),A="function"==typeof w("SANITIZER"),"string"==typeof g&&g?g:`require-trusted-types-for 'script'; trusted-types ${A?"default":"default dompurify"};`);v.metaInjected=function(t){if(!a)return!1;const e=a,r='<meta http-equiv="Content-Security-Policy" content="'+t.replace(/["<>\r\n]/g,"")+'">';if("loading"===e.readyState&&"function"==typeof e.write)try{return e.write(r),!0}catch{}try{const r=e.createElement("meta");r.setAttribute("http-equiv","Content-Security-Policy"),r.setAttribute("content",t),(e.head||e.documentElement).appendChild(r)}catch{}return!1}(t),h("meta-injection-attempted",{directive:t,written:v.metaInjected})}var g,A;v.enforcementActive=function(){try{return a.createElement("div").innerHTML="x",!1}catch{return!0}}();let b=w("SANITIZER");void 0===b&&(b=c.DOMPurify);const I=(L=b)&&"function"==typeof L.sanitize?L:"function"==typeof L?{sanitize:L}:null;var L;const E=w("SANITIZER_CONFIG"),R=E&&"object"==typeof E?function(e){const r={};for(const n in e)t.call(e,n)&&"__proto__"!==n&&"constructor"!==n&&"prototype"!==n&&(r[n]=e[n]);return r}(E):void 0,S=w("ALLOW_SCRIPT"),k=w("ALLOW_SCRIPT_URL"),P="function"==typeof S?S:null,z="function"==typeof k?k:null;let M=!1;if(I){const t=function(t,e){try{return"string"==typeof t.sanitize("<b>x</b>",e)?{ready:!0,error:null}:{ready:!1,error:"sanitize() did not return a string"}}catch(t){return{ready:!1,error:i(t)}}}(I,R);M=t.ready,t.ready||h("sanitizer-smoketest-failed",{error:t.error})}v.sanitizerReady=M;const D={createHTML:d(I,R,M,h),createScript:y("createScript",P,h),createScriptURL:y("createScriptURL",z,h)};if(l.defaultPolicy)return m("A default Trusted Types policy already exists; DOMFortify did NOT install and cannot vouch for it. Load DOMFortify first, inline in <head>.","preexisting-default-policy");let C;try{C=l.createPolicy("default",D)}catch(t){return m(`createPolicy("default") threw (${i(t)}); another default policy won the race.`,"default-policy-lost")}return l.defaultPolicy&&l.defaultPolicy!==C?m('Our policy was created but is not the active default (allow-duplicates race lost). Remove "allow-duplicates" from the trusted-types directive.',"default-policy-not-active"):(v.defaultPolicyOwned=!0,v.enforcementActive?M?m(`Active: HTML sinks sanitized, script sinks ${P||z?"partly allowed by hooks":"refused"}.`):m("Enforcement active and slot locked, but the sanitizer is unavailable - HTML sinks will THROW (failing closed). Bundle DOMPurify and load it before DOMFortify.","failing-closed"):m("Default policy installed and slot locked, but TT enforcement is NOT active - sinks are not routed. Deliver require-trusted-types-for (header preferred).","enforcement-inactive"))},status:function(){return f}});"undefined"!=typeof window&&(window.DOMFortify=p,p.init(window.DOMFortifyConfig||{}))}();
 //# sourceMappingURL=fortify.min.js.map
diff --git a/dist/fortify.min.js.map b/dist/fortify.min.js.map
index 8f47d04..fd13b41 100644
--- a/dist/fortify.min.js.map
+++ b/dist/fortify.min.js.map
@@ -1 +1 @@
-{"version":3,"file":"fortify.min.js","sources":["../src/fortify.ts","../src/auto.ts"],"sourcesContent":[null,null],"names":["hasOwn","Object","prototype","hasOwnProperty","root","globalThis","window","doc","document","undefined","loc","location","own","obj","key","call","cfg","clip","s","String","slice","emsg","e","message","TT","trustedTypes","installed","cachedStatus","urlMatches","pattern","url","list","Array","isArray","i","length","p","indexOf","RegExp","test","DOMFortify","freeze","init","options","onv","report","status","version","ttSupported","enforcementActive","defaultPolicyOwned","sanitizerReady","excluded","metaInjected","protected","reason","done","code","href","createPolicy","override","rules","r","match","eff","md","ttNames","directive","content","d","tag","replace","readyState","write","m","createElement","setAttribute","head","documentElement","appendChild","injectMeta","written","innerHTML","rawSan","DOMPurify","DP","sanitize","rawCfg","sanitizeConfig","out","k","shallowCopy","asCand","asuCand","allowScript","allowScriptURL","error","reentry","scriptHook","kind","fn","sink","sample","policyDef","createHTML","createScript","createScriptURL","defaultPolicy","ours","DOMFortifyConfig"],"mappings":";yBAuBA,MAQMA,EAASC,OAAOC,UAAUC,eAC1BC,EACkB,oBAAfC,WAA6BA,WAAcC,OAC9CC,EAAgD,oBAAbC,SAA2BA,cAAWC,EACzEC,EAAuCN,EAAsDO,SAE7FC,EAAM,CAACC,EAAcC,IAAgC,MAAPD,GAAeb,EAAOe,KAAKF,EAAKC,GAC9EE,EAAM,CAACH,EAAcC,IAA0BF,EAAIC,EAAKC,GAAQD,EAAgCC,QAAOL,EACvGQ,EAAQC,GAAuBC,OAAOD,GAAGE,MAAM,EAAG,IAClDC,EAAQC,GAAuBH,OAAQG,GAAyCC,SAEhFC,EAAMpB,EAAiDqB,aAE7D,IAAIC,GAAY,EACZC,EAAkD,KAyBtD,SAASC,EAAWC,EAAgDC,GAClE,GAAe,MAAXD,EAAiB,OAAO,EAC5B,MAAME,EAAOC,MAAMC,QAAQJ,GAAWA,EAAU,CAACA,GACjD,IAAK,IAAIK,EAAI,EAAGA,EAAIH,EAAKI,OAAQD,IAAK,CACpC,MAAME,EAAIL,EAAKG,GACf,GAAiB,iBAANE,GACT,GAAU,KAANA,IAA+B,IAAnBN,EAAIO,QAAQD,GAAW,OAAO,OACzC,GAAIA,aAAaE,OACtB,IACE,GAAIF,EAAEG,KAAKT,GAAM,OAAO,CAC1B,CAAE,MAEF,CAEJ,CACA,OAAO,CACT,CAuPO,MAAMU,EAA4BvC,OAAOwC,OAAO,CAAEC,KAjNnD,SAAeC,EAA4B,IAC/C,GAAIjB,EAAW,OAAOC,EACtBD,GAAY,EAEZ,MAAMkB,EAAM5B,EAAI2B,EAAS,gBACnBE,EAAyB,mBAARD,EAAqBA,EAAM,OAE5CE,EAA2B,CAC/BC,QA7GY,QA8GZC,cAAexB,EACfyB,mBAAmB,EACnBC,oBAAoB,EACpBC,gBAAgB,EAChBC,UAAU,EACVC,cAAc,EACdC,WAAW,EACXC,OAAQ,IAEJC,EAAO,CAACD,EAAgBE,KAC5BX,EAAOQ,UAAYR,EAAOI,oBAAsBJ,EAAOG,mBAAqBH,EAAOK,eACnFL,EAAOS,OAASA,EACZE,GAAMZ,EAAOY,EAAMX,GACvBnB,EAAe1B,OAAOwC,OAAO,IAAKK,IAC3BnB,GAGHG,EAAMpB,QAA2B,IAAbA,EAAIgD,KAAuBvC,OAAOT,EAAIgD,MAAQ,GAKxE,GAAI9B,EAAWZ,EAAI2B,EAAS,WAAqDb,GAE/E,OADAgB,EAAOM,UAAW,EACXI,EAAK,0EAA2E,mBAGzF,IAAKhC,GAAiC,mBAApBA,EAAGmC,aACnB,OAAOH,EAAK,uEAAwE,kBAMtF,IAAII,EAA2C,KAC/C,MAAMC,EAAQ7C,EAAI2B,EAAS,cAC3B,GAAIX,MAAMC,QAAQ4B,GAChB,IAAK,IAAI3B,EAAI,EAAGA,EAAI2B,EAAM1B,OAAQD,IAAK,CACrC,MAAM4B,EAAID,EAAM3B,GAChB,GAAI4B,GAAKlC,EAAWkC,EAAEC,MAAOjC,GAAM,CACjC8B,EAAWE,EACX,KACF,CACF,CAEF,MAAME,EAAOlD,GAA0B8C,GAAYhD,EAAIgD,EAAU9C,GAAO8C,EAAS9C,GAAOE,EAAI2B,EAAS7B,GAKrG,IAAoC,IAAhCE,EAAI2B,EAAS,eAAyB,CACxC,MAAMsB,EAAKjD,EAAI2B,EAAS,kBAClBuB,EAAsC,mBAArBF,EAAI,aAA8B,UAAY,oBAC/DG,EACU,iBAAPF,GAAmBA,EAAKA,EAAK,qDAAqDC,KAC3FpB,EAAOO,aAxFX,SAAoBe,GAClB,IAAK7D,EAAK,OAAO,EACjB,MAAM8D,EAAI9D,EAEJ+D,EAAM,uDADCF,EAAQG,QAAQ,aAAc,IACiC,KAC5E,GAAqB,YAAjBF,EAAEG,YAA+C,mBAAZH,EAAEI,MACzC,IAEE,OADAJ,EAAEI,MAAMH,IACD,CACT,CAAE,MAEF,CAEF,IACE,MAAMI,EAAIL,EAAEM,cAAc,QAC1BD,EAAEE,aAAa,aAAc,2BAC7BF,EAAEE,aAAa,UAAWR,IACzBC,EAAEQ,MAAQR,EAAES,iBAAiBC,YAAYL,EAC5C,CAAE,MAEF,CACA,OAAO,CACT,CAkE0BM,CAAWb,GACjCtB,EAAO,2BAA4B,CAAEsB,YAAWc,QAASnC,EAAOO,cAClE,CAEAP,EAAOG,kBA/IT,WACE,IAEE,OADC1C,EAAiBoE,cAAc,OAAOO,UAAY,KAC5C,CACT,CAAE,MACA,OAAO,CACT,CACF,CAwI6BjC,GAK3B,IAAIkC,EAAkBnB,EAAI,kBACXvD,IAAX0E,IAAsBA,EAAU/E,EAA4CgF,WAIhF,MAAMC,EACJF,GAAoD,mBAAlCA,EAAqBG,SAClCH,EACiB,mBAAXA,EACL,CAAEG,SAAUH,GACZ,KACFI,EAASvB,EAAI,oBACbwB,EACJD,GAA4B,iBAAXA,EAtJrB,SAAqB1E,GACnB,MAAM4E,EAA+B,CAAA,EACrC,IAAK,MAAMC,KAAK7E,EACVb,EAAOe,KAAKF,EAAK6E,IAAY,cAANA,GAA2B,gBAANA,GAA6B,cAANA,IAAmBD,EAAIC,GAAK7E,EAAI6E,IAEzG,OAAOD,CACT,CAgJ2CE,CAAYJ,QAAqC9E,EAGpFmF,EAAS5B,EAAI,gBACb6B,EAAU7B,EAAI,oBACd8B,EAAgC,mBAAXF,EAAyBA,EAAwB,KACtEG,EAAoC,mBAAZF,EAA0BA,EAAyB,KAIjF,IAAI1C,GAAiB,EACrB,GAAIkC,GAA6B,mBAAhBA,EAAGC,SAClB,IACEnC,EAAoE,iBAA5CkC,EAAGC,SAAS,WAAYE,GAC3CrC,GAAgBN,EAAO,6BAA8B,CAAEmD,MAAO,sCACrE,CAAE,MAAO1E,GACPuB,EAAO,6BAA8B,CAAEmD,MAAO3E,EAAKC,IACrD,CAEFwB,EAAOK,eAAiBA,EAIxB,IAAI8C,GAAU,EACd,MAmBMC,EACJ,CAACC,EAA0CC,IAC1ClF,IACC,GAAIkF,EAAI,CACN,IAAItC,EACJ,IACEA,EAAIsC,EAAGlF,EACT,CAAE,MAAOI,GAEP,OADAuB,EAAO,oBAAqB,CAAEwD,KAAMF,EAAMH,MAAO3E,EAAKC,KAC/C,IACT,CACA,GAAiB,iBAANwC,EAET,OADAjB,EAAO,sBAAuB,CAAEwD,KAAMF,IAC/BrC,CAEX,CAEA,OADAjB,EAAO,sBAAuB,CAAEwD,KAAMF,EAAMG,OAAQrF,EAAKC,KAClD,MAGLqF,EAAY,CAChBC,WAxCoBtF,IACpB,IAAKiC,EAEH,OADAN,EAAO,wBAAyB,CAAEwD,KAAM,eACjC,KAET,GAAIJ,EAAS,OAAO/E,EACpB,IAEE,OADA+E,GAAU,EACFZ,EAAiBC,SAASpE,EAAGsE,EACvC,CAAE,MAAOlE,GAEP,OADAuB,EAAO,iBAAkB,CAAEmD,MAAO3E,EAAKC,KAChC,IACT,SACE2E,GAAU,CACZ,GA2BAQ,aAAcP,EAAW,eAAgBJ,GACzCY,gBAAiBR,EAAW,kBAAmBH,IAIjD,GAAIvE,EAAGmF,cACL,OAAOnD,EACL,8IAEA,8BAIJ,IAAIoD,EACJ,IACEA,EAAOpF,EAAGmC,aAAa,UAAW4C,EACpC,CAAE,MAAOjF,GAEP,OAAOkC,EACL,kCAAkCnC,EAAKC,4CACvC,sBAEJ,CAGA,OAAIE,EAAGmF,eAAiBnF,EAAGmF,gBAAkBC,EACpCpD,EACL,iJAEA,8BAIJV,EAAOI,oBAAqB,EAEvBJ,EAAOG,kBAOPE,EAOEK,EACL,8CAA8CsC,GAAeC,EAAiB,0BAA4B,cAPnGvC,EACL,iKAEA,kBAVKA,EACL,2JAEA,wBAaN,EAM+DV,kBAH7D,OAAOnB,CACT,IC5TsB,oBAAXrB,SACTA,OAAOkC,WAAaA,EACpBA,EAAWE,KAAKpC,OAAOuG,kBAAoB,CAAA"}
\ No newline at end of file
+{"version":3,"file":"fortify.min.js","sources":["../src/internal.ts","../src/fortify.ts","../src/auto.ts"],"sourcesContent":[null,null,null],"names":["hasOwn","Object","prototype","hasOwnProperty","own","obj","key","call","cfg","undefined","clip","s","String","slice","emsg","e","message","urlMatches","pattern","url","list","Array","isArray","i","length","p","indexOf","RegExp","test","root","globalThis","window","doc","document","loc","location","TT","trustedTypes","installed","cachedStatus","makeSanitizeHTML","sanitizer","config","ready","report","reentry","sink","sanitize","error","makeScriptHook","kind","fn","r","sample","DOMFortify","freeze","init","options","onv","code","detail","status","version","ttSupported","enforcementActive","defaultPolicyOwned","sanitizerReady","excluded","metaInjected","protected","reason","done","href","createPolicy","override","rules","match","selectOverride","eff","directive","md","functionSanitizer","content","d","tag","replace","readyState","write","m","createElement","setAttribute","head","documentElement","appendChild","injectMeta","written","innerHTML","rawSan","DOMPurify","raw","rawCfg","sanitizeConfig","out","k","shallowCopy","asCand","asuCand","allowScript","allowScriptURL","result","smokeTest","policyDef","createHTML","createScript","createScriptURL","defaultPolicy","ours","DOMFortifyConfig"],"mappings":";yBAQA,MAAMA,EAASC,OAAOC,UAAUC,eAG1B,SAAUC,EAAIC,EAAcC,GAChC,OAAc,MAAPD,GAAeL,EAAOO,KAAKF,EAAKC,EACzC,CAGM,SAAUE,EAAIH,EAAcC,GAChC,OAAOF,EAAIC,EAAKC,GAAQD,EAAgCC,QAAOG,CACjE,CAGM,SAAUC,EAAKC,GACnB,OAAOC,OAAOD,GAAGE,MAAM,EAAG,GAC5B,CAGM,SAAUC,EAAKC,GACnB,OAAOH,OAAQG,GAAyCC,QAC1D,CAqBM,SAAUC,EAAWC,EAAgDC,GACzE,GAAe,MAAXD,EAAiB,OAAO,EAC5B,MAAME,EAAOC,MAAMC,QAAQJ,GAAWA,EAAU,CAACA,GACjD,IAAK,IAAIK,EAAI,EAAGA,EAAIH,EAAKI,OAAQD,IAAK,CACpC,MAAME,EAAIL,EAAKG,GACf,GAAiB,iBAANE,GACT,GAAU,KAANA,IAA+B,IAAnBN,EAAIO,QAAQD,GAAW,OAAO,OACzC,GAAIA,aAAaE,OACtB,IACE,GAAIF,EAAEG,KAAKT,GAAM,OAAO,CAC1B,CAAE,MAEF,CAEJ,CACA,OAAO,CACT,CCzCA,MAUMU,EACkB,oBAAfC,WAA6BA,WAAcC,OAC9CC,EAAgD,oBAAbC,SAA2BA,cAAWxB,EACzEyB,EAAuCL,EAAsDM,SAC7FC,EAAMP,EAAiDQ,aAE7D,IAAIC,GAAY,EACZC,EAAkD,KAkGtD,SAASC,EACPC,EACAC,EACAC,EACAC,GAEA,IAAIC,GAAU,EACd,OAAQlC,IACN,IAAKgC,EAEH,OADAC,EAAO,wBAAyB,CAAEE,KAAM,eACjC,KAET,GAAID,EAAS,OAAOlC,EACpB,IAEE,OADAkC,GAAU,EACFJ,EAAwBM,SAASpC,EAAG+B,EAC9C,CAAE,MAAO3B,GAEP,OADA6B,EAAO,iBAAkB,CAAEI,MAAOlC,EAAKC,KAChC,IACT,SACE8B,GAAU,CACZ,EAEJ,CAIA,SAASI,EACPC,EACAC,EACAP,GAEA,OAAQjC,IACN,GAAIwC,EAAI,CACN,IAAIC,EACJ,IACEA,EAAID,EAAGxC,EACT,CAAE,MAAOI,GAEP,OADA6B,EAAO,oBAAqB,CAAEE,KAAMI,EAAMF,MAAOlC,EAAKC,KAC/C,IACT,CACA,GAAiB,iBAANqC,EAET,OADAR,EAAO,sBAAuB,CAAEE,KAAMI,IAC/BE,CAEX,CAEA,OADAR,EAAO,sBAAuB,CAAEE,KAAMI,EAAMG,OAAQ3C,EAAKC,KAClD,KAEX,CA6JO,MAAM2C,EAA4BrD,OAAOsD,OAAO,CAAEC,KAzJnD,SAAeC,EAA4B,IAC/C,GAAInB,EAAW,OAAOC,EACtBD,GAAY,EAKZ,MAAMoB,EAAMlD,EAAIiD,EAAS,gBACnBb,EACW,mBAARc,EACH,CAACC,EAAMC,KACL,IACGF,EAAeC,EAAMC,EACxB,CAAE,MAEF,GAEF,OAEAC,EAA2B,CAC/BC,QA5LY,QA6LZC,cAAe3B,EACf4B,mBAAmB,EACnBC,oBAAoB,EACpBC,gBAAgB,EAChBC,UAAU,EACVC,cAAc,EACdC,WAAW,EACXC,OAAQ,IAEJC,EAAO,CAACD,EAAgBX,KAC5BE,EAAOQ,UAAYR,EAAOI,oBAAsBJ,EAAOG,mBAAqBH,EAAOK,eACnFL,EAAOS,OAASA,EAGhB/B,EAAetC,OAAOsD,OAAO,IAAKM,IAC9BF,GAAMf,EAAOe,EAAMpB,GAChBA,GAGHpB,EAAMe,QAA2B,IAAbA,EAAIsC,KAAuB5D,OAAOsB,EAAIsC,MAAQ,GAKxE,GAAIvD,EAAWT,EAAIiD,EAAS,WAAqDtC,GAE/E,OADA0C,EAAOM,UAAW,EACXI,EAAK,0EAA2E,mBAGzF,IAAKnC,GAAiC,mBAApBA,EAAGqC,aACnB,OAAOF,EAAK,uEAAwE,kBAMtF,MAAMG,EA5JR,SAAwBjB,EAA2BtC,GACjD,MAAMwD,EAAQnE,EAAIiD,EAAS,cAC3B,IAAKpC,MAAMC,QAAQqD,GAAQ,OAAO,KAClC,IAAK,IAAIpD,EAAI,EAAGA,EAAIoD,EAAMnD,OAAQD,IAAK,CACrC,MAAM6B,EAAIuB,EAAMpD,GAChB,GAAI6B,GAAKnC,EAAWmC,EAAEwB,MAAOzD,GAAM,OAAOiC,CAC5C,CACA,OAAO,IACT,CAoJmByB,CAAepB,EAAStC,GACnC2D,EAAOxE,GAA0BoE,GAAYtE,EAAIsE,EAAUpE,GAAOoE,EAASpE,GAAOE,EAAIiD,EAASnD,GAGrG,IAAoC,IAAhCE,EAAIiD,EAAS,eAAyB,CACxC,MAAMsB,GA3IaC,EA2IaxE,EAAIiD,EAAS,kBA3IbwB,EA2I4D,mBAArBH,EAAI,aA1I3D,iBAAPE,GAAmBA,EAAWA,EAElC,qDADSC,EAAoB,UAAY,wBA0I9CpB,EAAOO,aA9LX,SAAoBc,GAClB,IAAKlD,EAAK,OAAO,EACjB,MAAMmD,EAAInD,EAEJoD,EAAM,uDADCF,EAAQG,QAAQ,aAAc,IACiC,KAC5E,GAAqB,YAAjBF,EAAEG,YAA+C,mBAAZH,EAAEI,MACzC,IAEE,OADAJ,EAAEI,MAAMH,IACD,CACT,CAAE,MAEF,CAEF,IACE,MAAMI,EAAIL,EAAEM,cAAc,QAC1BD,EAAEE,aAAa,aAAc,2BAC7BF,EAAEE,aAAa,UAAWR,IACzBC,EAAEQ,MAAQR,EAAES,iBAAiBC,YAAYL,EAC5C,CAAE,MAEF,CACA,OAAO,CACT,CAwK0BM,CAAWf,GACjCnC,EAAO,2BAA4B,CAAEmC,YAAWgB,QAASlC,EAAOO,cAClE,CA9IF,IAAuBY,EAAaC,EAgJlCpB,EAAOG,kBApNT,WACE,IAEE,OADChC,EAAiByD,cAAc,OAAOO,UAAY,KAC5C,CACT,CAAE,MACA,OAAO,CACT,CACF,CA6M6BhC,GAI3B,IAAIiC,EAAkBnB,EAAI,kBACXrE,IAAXwF,IAAsBA,EAAUpE,EAA4CqE,WAChF,MAAMzD,GA9JkB0D,EA8JWF,IA7Je,mBAA/BE,EAAkBpD,SAAgCoD,EAClD,mBAARA,EAA2B,CAAEpD,SAAUoD,GAC3C,KAHT,IAA0BA,EA+JxB,MAAMC,EAAStB,EAAI,oBACbuB,EACJD,GAA4B,iBAAXA,ED1Of,SAAsB/F,GAC1B,MAAMiG,EAA+B,CAAA,EACrC,IAAK,MAAMC,KAAKlG,EACVL,EAAOO,KAAKF,EAAKkG,IAAY,cAANA,GAA2B,gBAANA,GAA6B,cAANA,IACrED,EAAIC,GAAKlG,EAAIkG,IAGjB,OAAOD,CACT,CCkO2CE,CAAYJ,QAAqC3F,EAGpFgG,EAAS3B,EAAI,gBACb4B,EAAU5B,EAAI,oBACd6B,EAAgC,mBAAXF,EAAyBA,EAAwB,KACtEG,EAAoC,mBAAZF,EAA0BA,EAAyB,KAEjF,IAAIxC,GAAiB,EACrB,GAAIzB,EAAW,CACb,MAAMoE,EA3JV,SAAmBpE,EAAsBC,GACvC,IAEE,MAAsB,iBADVD,EAAUM,SAAS,WAAYL,GAEvC,CAAEC,OAAO,EAAMK,MAAO,MACtB,CAAEL,OAAO,EAAOK,MAAO,qCAC7B,CAAE,MAAOjC,GACP,MAAO,CAAE4B,OAAO,EAAOK,MAAOlC,EAAKC,GACrC,CACF,CAkJmB+F,CAAUrE,EAAW4D,GACpCnC,EAAiB2C,EAAOlE,MACnBkE,EAAOlE,OAAOC,EAAO,6BAA8B,CAAEI,MAAO6D,EAAO7D,OAC1E,CACAa,EAAOK,eAAiBA,EAGxB,MAAM6C,EAAY,CAChBC,WAAYxE,EAAiBC,EAAW4D,EAAgBnC,EAAgBtB,GACxEqE,aAAchE,EAAe,eAAgB0D,EAAa/D,GAC1DsE,gBAAiBjE,EAAe,kBAAmB2D,EAAgBhE,IAIrE,GAAIR,EAAG+E,cACL,OAAO5C,EACL,8IAEA,8BAIJ,IAAI6C,EACJ,IACEA,EAAOhF,EAAGqC,aAAa,UAAWsC,EACpC,CAAE,MAAOhG,GAEP,OAAOwD,EACL,kCAAkCzD,EAAKC,4CACvC,sBAEJ,CAGA,OAAIqB,EAAG+E,eAAiB/E,EAAG+E,gBAAkBC,EACpC7C,EACL,iJAEA,8BAIJV,EAAOI,oBAAqB,EAEvBJ,EAAOG,kBAOPE,EAOEK,EACL,8CAA8CoC,GAAeC,EAAiB,0BAA4B,cAPnGrC,EACL,iKAEA,kBAVKA,EACL,2JAEA,wBAaN,EAM+DV,kBAH7D,OAAOtB,CACT,ICxUsB,oBAAXR,SACTA,OAAOuB,WAAaA,EACpBA,EAAWE,KAAKzB,OAAOsF,kBAAoB,CAAA"}
\ No newline at end of file
diff --git a/package-lock.json b/package-lock.json
index 71b41ac..33c3203 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,19 +1,19 @@
 {
   "name": "domfortify",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "domfortify",
-      "version": "0.1.0",
+      "version": "0.2.0",
       "license": "(MPL-2.0 OR Apache-2.0)",
       "devDependencies": {
         "@playwright/test": "^1.49.0",
         "@rollup/plugin-replace": "^6.0.1",
         "@rollup/plugin-terser": "^1.0.0",
         "@rollup/plugin-typescript": "^12.1.1",
-        "dompurify": "^3.2.0",
+        "dompurify": "^3.4.11",
         "fast-check": "^4.8.0",
         "prettier": "^3.4.2",
         "qunit": "^2.23.1",
@@ -652,9 +652,9 @@
       "license": "MIT"
     },
     "node_modules/dompurify": {
-      "version": "3.4.10",
-      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.4.10.tgz",
-      "integrity": "sha512-0xzNv0e7oYC6yyuOGZIABPM4qtg3QxLFniDNPP4ZP90wR8Yq3zgwpRbrNiT4N3IKqDbbYFEJLV+JWEs19aZ//w==",
+      "version": "3.4.11",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.4.11.tgz",
+      "integrity": "sha512-zhlUV12GsaRzMsf9q5M254YhA4+VuF0fG+QFqu6aYpoGlKtz+w8//jBcGVYBgQkR5GHjUomejY84AV+/uPbWdw==",
       "dev": true,
       "license": "(MPL-2.0 OR Apache-2.0)",
       "optionalDependencies": {
diff --git a/package.json b/package.json
index 0ed6d9e..2128d38 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "domfortify",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Retrofit Trusted Types onto a legacy page: claim the realm's default policy so old DOM-XSS sinks get sanitized without touching the code.",
   "license": "(MPL-2.0 OR Apache-2.0)",
   "homepage": "https://github.com/cure53/DOMFortify",
@@ -72,7 +72,7 @@
     "@rollup/plugin-replace": "^6.0.1",
     "@rollup/plugin-terser": "^1.0.0",
     "@rollup/plugin-typescript": "^12.1.1",
-    "dompurify": "^3.2.0",
+    "dompurify": "^3.4.11",
     "fast-check": "^4.8.0",
     "prettier": "^3.4.2",
     "qunit": "^2.23.1",
diff --git a/src/fortify.ts b/src/fortify.ts
index b8e414b..a1e851f 100644
--- a/src/fortify.ts
+++ b/src/fortify.ts
@@ -9,6 +9,7 @@
  *  - Fails closed: no sanitizer means sinks throw, never leak.
  *  - Only covers Trusted Types sinks; inline handlers / style / URL props stay open.
  */
+import { cfg, clip, emsg, own, shallowCopy, urlMatches } from './internal';
 import type {
   DOMFortifyApi,
   DOMFortifyConfig,
@@ -28,25 +29,22 @@ interface TtFactory {
   defaultPolicy?: unknown;
 }
 
-// Grab natives up front so later prototype-pollution or clobbering can't swap them out.
-const hasOwn = Object.prototype.hasOwnProperty;
+type Report = (code: ViolationCode, detail?: unknown) => void;
+
+// Natives captured up front, so later prototype pollution or clobbering can't swap them out.
 const root: typeof globalThis =
   typeof globalThis !== 'undefined' ? globalThis : (window as unknown as typeof globalThis);
 const doc: Document | undefined = typeof document !== 'undefined' ? document : undefined;
 const loc: { href?: unknown } | undefined = (root as unknown as { location?: { href?: unknown } }).location;
-
-const own = (obj: unknown, key: string): boolean => obj != null && hasOwn.call(obj, key);
-const cfg = (obj: unknown, key: string): unknown => (own(obj, key) ? (obj as Record<string, unknown>)[key] : undefined);
-const clip = (s: unknown): string => String(s).slice(0, 80);
-const emsg = (e: unknown): string => String((e as { message?: unknown } | undefined)?.message);
-
 const TT = (root as unknown as { trustedTypes?: TtFactory }).trustedTypes;
 
 let installed = false;
 let cachedStatus: Readonly<DOMFortifyStatus> | null = null;
 
-// Are we actually enforced? Under enforcement with no default policy yet, a sink write throws.
-// Run this BEFORE we install our policy, or it would always read as "off".
+// --- environment probes --------------------------------------------------------------------------
+
+// Are we actually enforced? Under enforcement with no default policy yet, a sink write throws. Must
+// run BEFORE we install our policy, or it would always read as "off".
 function enforcementActive(): boolean {
   try {
     (doc as Document).createElement('div').innerHTML = 'x';
@@ -56,48 +54,15 @@ function enforcementActive(): boolean {
   }
 }
 
-// Copy config off the caller's object, skipping keys that could pollute. Don't JSON-clone - that
-// would corrupt RegExp and functions.
-function shallowCopy(obj: Record<string, unknown>): Record<string, unknown> {
-  const out: Record<string, unknown> = {};
-  for (const k in obj) {
-    if (hasOwn.call(obj, k) && k !== '__proto__' && k !== 'constructor' && k !== 'prototype') out[k] = obj[k];
-  }
-  return out;
-}
-
-// Test a URL against one or more patterns. String = substring match; RegExp = test. Used for both
-// EXCLUDE and URL_CONFIG, always against the realm's own location.href.
-function urlMatches(pattern: UrlPattern | UrlPattern[] | undefined, url: string): boolean {
-  if (pattern == null) return false;
-  const list = Array.isArray(pattern) ? pattern : [pattern];
-  for (let i = 0; i < list.length; i++) {
-    const p = list[i];
-    if (typeof p === 'string') {
-      if (p !== '' && url.indexOf(p) !== -1) return true;
-    } else if (p instanceof RegExp) {
-      try {
-        if (p.test(url)) return true;
-      } catch {
-        /* ignore a pattern that throws */
-      }
-    }
-  }
-  return false;
-}
-
-// Best-effort CSP <meta> injection (opt-in). IMPORTANT: a <meta> CSP is honored only when the PARSER
-// inserts it, so document.write during the initial parse is the only path that can actually switch
-// enforcement on - and only for content parsed afterwards. A node appended after parsing is ignored by
-// the CSP engine; we still add it (harmless) but report that injection did NOT take. Returns true only
-// when written during parse.
+// Best-effort CSP <meta> injection (opt-in). A <meta> CSP is honored only when the PARSER inserts it,
+// so document.write during the initial parse is the one path that can switch enforcement on - and only
+// for content parsed afterwards. We return true only on that path. After parse we still append the node
+// (harmless) but report that it did NOT take.
 //
-// `content` is the trusted CSP directive built from config (the derived default, or META_DIRECTIVE).
-// META_DIRECTIVE is developer-controlled and is expected to be trusted, but since this path reaches
-// document.write we still strip the characters that could break out of the content="..." attribute or
-// the <meta> tag. A real CSP directive never contains ", <, >, or newlines (single quotes, e.g.
-// 'script', are kept - they are harmless inside the double-quoted attribute), so this is lossless for
-// valid input and neutralizes a hostile or malformed directive. Defense in depth.
+// `content` is the trusted directive built from config. META_DIRECTIVE is developer-controlled, but
+// because this path reaches document.write we still strip the characters that could break out of the
+// content="..." attribute. A valid directive never contains ", <, >, or newlines, so the strip is
+// lossless for good input and neutralizes a hostile or malformed one. Defense in depth.
 function injectMeta(content: string): boolean {
   if (!doc) return false;
   const d = doc as Document & { write?: (s: string) => void; readyState?: string };
@@ -122,12 +87,127 @@ function injectMeta(content: string): boolean {
   return false;
 }
 
+// --- config resolution (all own-key only, so a polluted prototype can't loosen anything) ---------
+
+// First URL_CONFIG rule whose `match` hits, else null. Own-key reads only, so a polluted prototype
+// can neither inject a rule nor reach one.
+function selectOverride(options: DOMFortifyConfig, url: string): Record<string, unknown> | null {
+  const rules = cfg(options, 'URL_CONFIG');
+  if (!Array.isArray(rules)) return null;
+  for (let i = 0; i < rules.length; i++) {
+    const r = rules[i] as UrlConfigRule | undefined;
+    if (r && urlMatches(r.match, url)) return r as unknown as Record<string, unknown>;
+  }
+  return null;
+}
+
+// Normalize whatever the caller handed us into a sanitizer with a `.sanitize` method, or null.
+// DOMPurify's export is itself a callable factory that ALSO carries `.sanitize`, so we must check for
+// `.sanitize` FIRST - otherwise we'd wrap the factory and call the wrong thing. A bare function (e.g. a
+// Sanitizer-API adapter) has no `.sanitize` and falls through to the function case.
+function resolveSanitizer(raw: unknown): Sanitizer | null {
+  if (raw && typeof (raw as Sanitizer).sanitize === 'function') return raw as Sanitizer;
+  if (typeof raw === 'function') return { sanitize: raw as SanitizeFn };
+  return null;
+}
+
+// The trusted-types directive for INJECT_META. META_DIRECTIVE wins; otherwise we list the policies
+// that will exist: our own `default`, plus `dompurify` unless a bare-function sanitizer is in use.
+function metaDirective(md: unknown, functionSanitizer: boolean): string {
+  if (typeof md === 'string' && md) return md;
+  const ttNames = functionSanitizer ? 'default' : 'default dompurify';
+  return `require-trusted-types-for 'script'; trusted-types ${ttNames};`;
+}
+
+// Exercise the sanitizer once so a broken one fails loudly here, not silently on the first real write.
+// It must return a string; anything else would inject junk into every sink.
+function smokeTest(sanitizer: Sanitizer, config: unknown): { ready: boolean; error: string | null } {
+  try {
+    const out = sanitizer.sanitize('<b>x</b>', config);
+    return typeof out === 'string'
+      ? { ready: true, error: null }
+      : { ready: false, error: 'sanitize() did not return a string' };
+  } catch (e) {
+    return { ready: false, error: emsg(e) };
+  }
+}
+
+// --- the default policy --------------------------------------------------------------------------
+
+// createHTML: route through the sanitizer, fail closed on any problem. `reentry` is true only while
+// the sanitizer parses our input internally (inert and synchronous), so handing the raw string back
+// is safe and keeps us alive if the sanitizer's own sink re-enters us.
+function makeSanitizeHTML(
+  sanitizer: Sanitizer | null,
+  config: unknown,
+  ready: boolean,
+  report: Report,
+): (s: string) => string | null {
+  let reentry = false;
+  return (s: string): string | null => {
+    if (!ready) {
+      report('sanitizer-unavailable', { sink: 'createHTML' });
+      return null; // fail closed
+    }
+    if (reentry) return s;
+    try {
+      reentry = true;
+      return (sanitizer as Sanitizer).sanitize(s, config) as string;
+    } catch (e) {
+      report('sanitize-threw', { error: emsg(e) });
+      return null; // fail closed - never hand back raw markup on error
+    } finally {
+      reentry = false;
+    }
+  };
+}
+
+// createScript / createScriptURL: code has no safe subset, so refuse by default. A caller hook may
+// allow specific values; if it throws or returns a non-string, we refuse.
+function makeScriptHook(
+  kind: 'createScript' | 'createScriptURL',
+  fn: ScriptHook | null,
+  report: Report,
+): (s: string) => string | null {
+  return (s: string): string | null => {
+    if (fn) {
+      let r: unknown;
+      try {
+        r = fn(s);
+      } catch (e) {
+        report('script-hook-threw', { sink: kind, error: emsg(e) });
+        return null; // fail closed
+      }
+      if (typeof r === 'string') {
+        report('script-sink-allowed', { sink: kind });
+        return r;
+      }
+    }
+    report('script-sink-refused', { sink: kind, sample: clip(s) });
+    return null;
+  };
+}
+
+// --- public entry point --------------------------------------------------------------------------
+
 export function init(options: DOMFortifyConfig = {}): Readonly<DOMFortifyStatus> {
   if (installed) return cachedStatus as Readonly<DOMFortifyStatus>;
   installed = true;
 
+  // The violation reporter is observability, never control flow. Wrap it so a throwing ON_VIOLATION
+  // can neither abort init() (which would leave us installed with a null status) nor turn a
+  // fail-closed sink - one that should quietly return null - into a thrown exception.
   const onv = cfg(options, 'ON_VIOLATION');
-  const report = (typeof onv === 'function' ? onv : () => {}) as (code: ViolationCode, detail?: unknown) => void;
+  const report: Report =
+    typeof onv === 'function'
+      ? (code, detail) => {
+          try {
+            (onv as Report)(code, detail);
+          } catch {
+            /* a misbehaving reporter must never break the policy */
+          }
+        }
+      : () => {};
 
   const status: DOMFortifyStatus = {
     version: VERSION,
@@ -143,16 +223,18 @@ export function init(options: DOMFortifyConfig = {}): Readonly<DOMFortifyStatus>
   const done = (reason: string, code?: ViolationCode): Readonly<DOMFortifyStatus> => {
     status.protected = status.defaultPolicyOwned && status.enforcementActive && status.sanitizerReady;
     status.reason = reason;
-    if (code) report(code, status);
+    // Freeze the snapshot first, then report it: the reporter sees exactly the authoritative status
+    // that gets cached and returned, and has no window to mutate the cached copy.
     cachedStatus = Object.freeze({ ...status });
+    if (code) report(code, cachedStatus);
     return cachedStatus;
   };
 
   const url = loc && typeof loc.href !== 'undefined' ? String(loc.href) : '';
 
-  // EXCLUDE: on a matching URL, DOMFortify stays completely out of the way - no policy, no meta. It
-  // does NOT install a passthrough (that would be a silent XSS hole); under globally delivered
-  // enforcement, excluded pages are the developer's responsibility. Reported via status.excluded.
+  // EXCLUDE: on a match, stay completely out of the way - no policy, no meta. We do NOT install a
+  // passthrough (that would be a silent XSS hole); under globally delivered enforcement, excluded
+  // pages are the developer's responsibility. Reported via status.excluded.
   if (urlMatches(cfg(options, 'EXCLUDE') as UrlPattern | UrlPattern[] | undefined, url)) {
     status.excluded = true;
     return done('URL matched EXCLUDE; DOMFortify is intentionally inactive on this page.', 'excluded-by-url');
@@ -162,50 +244,26 @@ export function init(options: DOMFortifyConfig = {}): Readonly<DOMFortifyStatus>
     return done('Trusted Types not supported; library is inert. Sinks are NOT routed.', 'tt-unsupported');
   }
 
-  // URL_CONFIG: the first rule whose `match` hits supplies per-URL overrides. `eff(key)` reads that
-  // rule's own key when present, else falls back to the base config - both own-key only, so a polluted
-  // prototype can neither inject a rule nor loosen a refusal.
-  let override: Record<string, unknown> | null = null;
-  const rules = cfg(options, 'URL_CONFIG');
-  if (Array.isArray(rules)) {
-    for (let i = 0; i < rules.length; i++) {
-      const r = rules[i] as UrlConfigRule | undefined;
-      if (r && urlMatches(r.match, url)) {
-        override = r as unknown as Record<string, unknown>;
-        break;
-      }
-    }
-  }
+  // Resolve config once. `eff(key)` reads the matching URL_CONFIG rule's own key when present, else the
+  // base config - both own-key only. Nothing is re-read later, so runtime clobbering can't retarget
+  // the policy after this point either.
+  const override = selectOverride(options, url);
   const eff = (key: string): unknown => (override && own(override, key) ? override[key] : cfg(options, key));
 
-  // INJECT_META (opt-in, best-effort - see injectMeta and the README). We only attempt it when TT is
-  // supported; the directive lists the policies that will exist: our own `default`, plus `dompurify`
-  // unless a bare-function sanitizer (e.g. the native Sanitizer API) is in use. META_DIRECTIVE overrides.
+  // INJECT_META (opt-in, best-effort - see injectMeta and the README).
   if (cfg(options, 'INJECT_META') === true) {
-    const md = cfg(options, 'META_DIRECTIVE');
-    const ttNames = typeof eff('SANITIZER') === 'function' ? 'default' : 'default dompurify';
-    const directive =
-      typeof md === 'string' && md ? md : `require-trusted-types-for 'script'; trusted-types ${ttNames};`;
+    const directive = metaDirective(cfg(options, 'META_DIRECTIVE'), typeof eff('SANITIZER') === 'function');
     status.metaInjected = injectMeta(directive);
     report('meta-injection-attempted', { directive, written: status.metaInjected });
   }
 
   status.enforcementActive = enforcementActive();
 
-  // Resolve config once, reading own keys only so a polluted prototype can't supply a value - and,
-  // most importantly, can't loosen a refusal. Nothing is re-read later, so runtime clobbering can't
-  // retarget the policy either. URL_CONFIG overrides are applied here via `eff`.
+  // Sanitizer: explicit SANITIZER (possibly per-URL), else window.DOMPurify. Config is forwarded
+  // verbatim as the second argument, copied to drop pollution-prone keys.
   let rawSan: unknown = eff('SANITIZER');
   if (rawSan === undefined) rawSan = (root as unknown as { DOMPurify?: unknown }).DOMPurify;
-  // DOMPurify's export is itself a callable function (the factory) that also exposes `.sanitize`, so
-  // check for a `.sanitize` method FIRST - otherwise we'd wrap the factory and call the wrong thing. A
-  // bare function (e.g. a Sanitizer-API adapter) has no `.sanitize` and falls through to the function case.
-  const DP: Sanitizer | null =
-    rawSan && typeof (rawSan as Sanitizer).sanitize === 'function'
-      ? (rawSan as Sanitizer)
-      : typeof rawSan === 'function'
-        ? { sanitize: rawSan as SanitizeFn }
-        : null;
+  const sanitizer = resolveSanitizer(rawSan);
   const rawCfg = eff('SANITIZER_CONFIG');
   const sanitizeConfig =
     rawCfg && typeof rawCfg === 'object' ? shallowCopy(rawCfg as Record<string, unknown>) : undefined;
@@ -216,65 +274,19 @@ export function init(options: DOMFortifyConfig = {}): Readonly<DOMFortifyStatus>
   const allowScript = typeof asCand === 'function' ? (asCand as ScriptHook) : null;
   const allowScriptURL = typeof asuCand === 'function' ? (asuCand as ScriptHook) : null;
 
-  // Smoke-test once so a broken sanitizer fails loudly here, not silently on the first real write. It
-  // must return a string - a sanitizer that returns anything else would otherwise inject junk.
   let sanitizerReady = false;
-  if (DP && typeof DP.sanitize === 'function') {
-    try {
-      sanitizerReady = typeof DP.sanitize('<b>x</b>', sanitizeConfig) === 'string';
-      if (!sanitizerReady) report('sanitizer-smoketest-failed', { error: 'sanitize() did not return a string' });
-    } catch (e) {
-      report('sanitizer-smoketest-failed', { error: emsg(e) });
-    }
+  if (sanitizer) {
+    const result = smokeTest(sanitizer, sanitizeConfig);
+    sanitizerReady = result.ready;
+    if (!result.ready) report('sanitizer-smoketest-failed', { error: result.error });
   }
   status.sanitizerReady = sanitizerReady;
 
-  // `reentry` is true only while the sanitizer parses our input internally - inert and synchronous - so
-  // handing the raw string straight back is safe, and keeps us alive if its own sink re-enters us.
-  let reentry = false;
-  const sanitizeHTML = (s: string): string | null => {
-    if (!sanitizerReady) {
-      report('sanitizer-unavailable', { sink: 'createHTML' });
-      return null; // fail closed
-    }
-    if (reentry) return s;
-    try {
-      reentry = true;
-      return (DP as Sanitizer).sanitize(s, sanitizeConfig) as string;
-    } catch (e) {
-      report('sanitize-threw', { error: emsg(e) });
-      return null; // fail closed - never hand back raw markup on error
-    } finally {
-      reentry = false;
-    }
-  };
-
-  // Code has no safe subset, so refuse by default. A caller hook may allow specific values; if it throws
-  // or returns a non-string, we refuse.
-  const scriptHook =
-    (kind: 'createScript' | 'createScriptURL', fn: ScriptHook | null) =>
-    (s: string): string | null => {
-      if (fn) {
-        let r: unknown;
-        try {
-          r = fn(s);
-        } catch (e) {
-          report('script-hook-threw', { sink: kind, error: emsg(e) });
-          return null; // fail closed
-        }
-        if (typeof r === 'string') {
-          report('script-sink-allowed', { sink: kind });
-          return r;
-        }
-      }
-      report('script-sink-refused', { sink: kind, sample: clip(s) });
-      return null;
-    };
-
+  // createHTML closes over sanitizeConfig; the script hooks refuse unless an own-function hook allows.
   const policyDef = {
-    createHTML: sanitizeHTML,
-    createScript: scriptHook('createScript', allowScript),
-    createScriptURL: scriptHook('createScriptURL', allowScriptURL),
+    createHTML: makeSanitizeHTML(sanitizer, sanitizeConfig, sanitizerReady, report),
+    createScript: makeScriptHook('createScript', allowScript, report),
+    createScriptURL: makeScriptHook('createScriptURL', allowScriptURL, report),
   };
 
   // Did someone grab the default slot first? We can't evict them and won't vouch for them.
diff --git a/src/internal.ts b/src/internal.ts
new file mode 100644
index 0000000..2e1c307
--- /dev/null
+++ b/src/internal.ts
@@ -0,0 +1,66 @@
+/**
+ * Internal helpers shared by DOMFortify. Everything here is pure and free of side effects: no DOM,
+ * no Trusted Types, no module state. The environment captures and the policy logic live in
+ * fortify.ts; these are the small building blocks it leans on.
+ */
+import type { UrlPattern } from './types';
+
+// Cached up front so later prototype pollution or clobbering can't swap hasOwnProperty out.
+const hasOwn = Object.prototype.hasOwnProperty;
+
+/** True only for an own (non-inherited) property, so a polluted prototype is never consulted. */
+export function own(obj: unknown, key: string): boolean {
+  return obj != null && hasOwn.call(obj, key);
+}
+
+/** Read an own key off a config-like object, else undefined. Never walks the prototype chain. */
+export function cfg(obj: unknown, key: string): unknown {
+  return own(obj, key) ? (obj as Record<string, unknown>)[key] : undefined;
+}
+
+/** A short, safe preview of an arbitrary value, for violation reports. */
+export function clip(s: unknown): string {
+  return String(s).slice(0, 80);
+}
+
+/** Best-effort error message, tolerant of non-Error throws. */
+export function emsg(e: unknown): string {
+  return String((e as { message?: unknown } | undefined)?.message);
+}
+
+/**
+ * Copy an object's own keys, dropping the three that could pollute a prototype. Deliberately not a
+ * JSON clone: that would corrupt the RegExps and functions a sanitizer config may carry.
+ */
+export function shallowCopy(obj: Record<string, unknown>): Record<string, unknown> {
+  const out: Record<string, unknown> = {};
+  for (const k in obj) {
+    if (hasOwn.call(obj, k) && k !== '__proto__' && k !== 'constructor' && k !== 'prototype') {
+      out[k] = obj[k];
+    }
+  }
+  return out;
+}
+
+/**
+ * Test a URL against one or more patterns. A string matches as a substring (the empty string never
+ * matches); a RegExp is test()ed, and a pattern that throws is treated as no match. Used for both
+ * EXCLUDE and URL_CONFIG, always against the realm's own location.href.
+ */
+export function urlMatches(pattern: UrlPattern | UrlPattern[] | undefined, url: string): boolean {
+  if (pattern == null) return false;
+  const list = Array.isArray(pattern) ? pattern : [pattern];
+  for (let i = 0; i < list.length; i++) {
+    const p = list[i];
+    if (typeof p === 'string') {
+      if (p !== '' && url.indexOf(p) !== -1) return true;
+    } else if (p instanceof RegExp) {
+      try {
+        if (p.test(url)) return true;
+      } catch {
+        /* a pattern that throws is treated as no match */
+      }
+    }
+  }
+  return false;
+}
diff --git a/website/index.html b/website/index.html
index 7aab649..7371aa1 100644
--- a/website/index.html
+++ b/website/index.html
@@ -160,7 +160,7 @@
   <main class="shell">
     <header>
       <div class="eyebrow">
-        <span class="pill">DOMFortify 0.1 "Rampart"</span>
+        <span class="pill">DOMFortify 0.2 "Rampart"</span>
         <span class="pill">library: fortify.js</span>
         <span class="pill" id="versionPill">DOMPurify: loading...</span>
         <span class="pill" id="backendPill">backend: -</span>
@@ -172,10 +172,13 @@ <h1>DOMFortify</h1>
         gets sanitized by the browser - unchanged. Nothing registers a policy by hand; the library does it.
       </p>
       <div class="badges" aria-label="Project badges">
+        <a href="https://www.npmjs.com/package/domfortify"><img src="https://img.shields.io/npm/v/domfortify.svg" alt="npm"></a>
         <a href="https://github.com/cure53/DOMFortify/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MPL--2.0%20OR%20Apache--2.0-blue.svg" alt="License"></a>
-        <a href="https://github.com/cure53/DOMFortify/actions/workflows/build-and-test.yml"><img src="https://github.com/cure53/DOMFortify/actions/workflows/build-and-test.yml/badge.svg" alt="Build &amp; Test"></a>
-        <a href="https://github.com/cure53/DOMFortify/actions/workflows/codeql-analysis.yml"><img src="https://github.com/cure53/DOMFortify/actions/workflows/codeql-analysis.yml/badge.svg" alt="CodeQL"></a>
+        <img src="https://img.shields.io/bundlejs/size/domfortify?color=%233C1&amp;label=gzip" alt="gzip size">
+        <a href="https://github.com/cure53/DOMFortify/actions/workflows/build-and-test.yml"><img src="https://github.com/cure53/DOMFortify/actions/workflows/build-and-test.yml/badge.svg?branch=main" alt="Build &amp; Test"></a>
+        <a href="https://github.com/cure53/DOMFortify/actions/workflows/codeql-analysis.yml"><img src="https://github.com/cure53/DOMFortify/actions/workflows/codeql-analysis.yml/badge.svg?branch=main" alt="CodeQL"></a>
         <a href="https://scorecard.dev/viewer/?uri=github.com/cure53/DOMFortify"><img src="https://api.scorecard.dev/projects/github.com/cure53/DOMFortify/badge" alt="OpenSSF Scorecard"></a>
+        <a href="https://badge.socket.dev/npm/package/domfortify/latest"><img src="https://badge.socket.dev/npm/package/domfortify/latest" alt="Socket"></a>
       </div>
     </header>
 
@@ -325,9 +328,9 @@ <h2>What this is</h2>
     </section>
 
     <section class="preview-card" id="source" aria-label="fortify.js source">
-      <div class="card-header"><h2>fortify.js - the whole library</h2><span class="meta">the CSP plus this one file is all of DOMFortify</span></div>
+      <div class="card-header"><h2>fortify.js - the core idea, condensed</h2><span class="meta">the shape of the library, trimmed for reading; canonical source: <a href="https://github.com/cure53/DOMFortify/blob/main/src/fortify.ts">src/fortify.ts</a></span></div>
       <pre id="sourceCode" style="max-height:620px; margin:0; border-radius:0;">/*!
- * DOMFortify 0.1.0 - bolt Trusted Types onto a legacy page so old DOM-XSS sinks get sanitized
+ * DOMFortify 0.2.0 - bolt Trusted Types onto a legacy page so old DOM-XSS sinks get sanitized
  * without touching the code.
  *
  * It claims the realm's `default` Trusted Types policy. From then on, every innerHTML / outerHTML /
@@ -359,6 +362,15 @@ <h2>What this is</h2>
  *   ALLOW_SCRIPT      function(code) =&gt; string|null - return a string to allow that exact code, else
  *   ALLOW_SCRIPT_URL  function(url)  =&gt; string|null - it's refused. Both refuse everything by default.
  *   ON_VIOLATION      function(code, detail) - fires on every notable event; handy for report-only.
+ *   EXCLUDE           URL pattern(s) (string substring or RegExp) where DOMFortify stays fully inactive:
+ *                     it claims no policy and injects no meta. Matched against location.href.
+ *   URL_CONFIG        per-URL overrides; the first matching rule's keys override the base config.
+ *   INJECT_META       opt-in (default off): best-effort inject of the enabling CSP &lt;meta&gt;. Works only
+ *                     during the initial parse; a response header is strongly preferred. See README.
+ *   META_DIRECTIVE    override the full trusted-types directive used when INJECT_META is on (advanced).
+ *
+ * The body below is condensed for reading - it shows the shape, not the byte-for-byte build. The
+ * canonical, current source is src/fortify.ts in the repository.
  */
 ((global) =&gt; {
   'use strict';
@@ -404,7 +416,7 @@ <h2>What this is</h2>
     const report = typeof onv === 'function' ? onv : () =&gt; {};
 
     const status = {
-      version: '0.1.0',
+      version: '0.2.0',
       ttSupported: !!TT,
       enforcementActive: false,
       defaultPolicyOwned: false,