v3.1.5
Hosted clients deliberately give their authorization window an opaque browser origin. Miracle now accepts that window only when the browser also supplies its protected same-origin fetch signal.
An arbitrary origin, a cross-site request, a missing browser signal, or any unreviewed callback still fails before a consent request can be used.
One short email when something meaningful ships. No streaks required.