973acd7e9b
When a logged-in user opens an nsite preview, a window.nostr provider is injected into the sandboxed iframe. The provider proxies signEvent, nip04, and nip44 calls to the parent signer over the existing JSON-RPC bridge. A permission system gates each operation: - getPublicKey is auto-allowed (clicking Run implies consent) - signEvent prompts are granular per event kind (like Amber) - encrypt/decrypt prompts are per operation type - Users can check 'Remember for this site' to persist decisions - Permissions are scoped to (userPubkey, siteId) in localStorage The nsite preview nav bar gains a shield icon that opens a popover for managing stored permissions. Kind labels for the signer nudge, the permission prompt, and the post- detail loading title now route through a central KIND_LABELS registry (src/lib/kindLabels.ts) instead of three divergent inline maps. The native SandboxPlugin (iOS WKWebView / Android WebView overlay) is removed; SandboxFrame now always uses iframe.diy, so native behavior matches web. This drops ~1100 lines of native code, the Android-only blob prefetch workaround in NsitePreviewDialog, and the createPluginCall registration in MainActivity and capacitor.config.json.