/**
 * Allowlist of parent origins that may drive the Fastfold DevTools bridge
 * or receive forwarded runtime/React errors from the embedded app.
 *
 * The deployed app is only ever embedded by the Flavo admin UI (flavo.ai in
 * prod, localhost ports in dev). Any postMessage from other origins is
 * ignored, and all outbound postMessages are targeted at a specific origin
 * rather than '*' so third-party iframes on malicious pages can't receive
 * data that leaks request payloads, stack traces, or schema.
 */
export declare const DEFAULT_ALLOWED_PARENT_ORIGINS: readonly string[];
export declare function setAllowedParentOrigins(origins: readonly string[]): void;
export declare function getAllowedParentOrigins(): readonly string[];
export declare function isAllowedParentOrigin(origin: string, allowed?: readonly string[]): boolean;
/**
 * Broadcast a message to the parent window, sending to each allowed origin
 * in turn. Browsers silently drop postMessages whose target origin doesn't
 * match the actual parent, so only the real Flavo parent receives it.
 * Use this when the specific parent origin is unknown (e.g. initial
 * bridge-ready signal, async error forwarding).
 */
export declare function postMessageToAllowedParents(message: unknown, allowed?: readonly string[]): void;
//# sourceMappingURL=bridgeOrigins.d.ts.map