Runtime Bump! V 0.2.13 (mostly quiet changes)

Thread body

From v0.2.4 to v0.2.13, most of the work was about making the runtime boot path more reliable, tightening frame security, and reducing bootstrap complexity without breaking existing embeds. v0.2.4 focused on launch correctness. We cleaned up launch-contract normalization, tightened React runtime readiness/error handling, and republished the immutable runtime asset set so runtime startup behavior was more predictable. v0.2.5 was the first big structural shift in this range. We split vanity frame delivery into a policy envelope plus a dedicated frame-loader, added the asset plumbing and route coverage to support that model, and effectively moved runtime boot into a cleaner staged bootstrap flow. v0.2.6 hardened the delivery path around vanity frame state and published artifact warming. This release was less about visible runtime features and more about making frame-backed delivery and cache behavior safer and more dependable under real traffic. v0.2.7 tightened how frame config gets transported. Instead of leaning on looser bootstrap state, the runtime moved to signed header-only frame-config state, added a hard timeout around config fetches, and tightened fallback behavior for grant-backed frames. This reduced ambiguity in startup and improved failure behavior. v0.2.8 closed a CSP/security gap by removing nonce exposure from the DOM. The frame loader now reads its nonce from the executing script instead of leaving it visible in markup, which is a cleaner and safer boot model. v0.2.9 tightened frame-state lifecycle handling. Signed frame state is cleared as soon as bootstrap hands it off, verified tokens now require frameOrigin, and the loader/API path got regression coverage. This was mainly about reducing token/state linger and making the trust boundary stricter. v0.2.10 fixed a real startup issue: a frame boot deadlock. The runtime now loads the React globals module through a blob-backed module URL so vanity/runtime frames can continue through guard, bridge, and runtime boot without stalling. There was no v0.2.11 runtime release in the repo history. v0.2.12 focused on hardening runtime guardrails. The main themes were safer link behavior in the guard layer, tighter fallback SEO scope, and better checks around runtime scroll/link policy. This release was about reducing edge-case leakage while keeping runtime behavior predictable. v0.2.13 was mostly about simplifying and speeding up bootstrap. We first regenerated the runtime bundle, then changed the vanity frame path to inline frame config directly into the shell so startup requires fewer network hops. The old frame-config endpoint stayed in place as a backward-compatible fallback. Follow-up fixes then tightened the frame-loader and vanity bundle behavior around that new inline path. In plain terms Across this whole range, the runtime got: a more structured boot pipeline a dedicated frame-loader in the published asset set fewer fragile startup paths stricter frame-state and nonce handling fewer bootstrap network hops better fallback behavior when frames or config loading go wrong