/// Builds the complete initialization script injected into every child webview
/// before any page JavaScript runs.
pub fn build_init_script(blocked_domains_json: &str) -> String {
    let adblock_layer1 = include_str!("../../resources/scripts/adblock_layer1.js");
    let cookie_consent = include_str!("../../resources/scripts/cookie_consent.js");
    let webrtc_protect = include_str!("../../resources/scripts/webrtc_protect.js");
    let canvas_noise = include_str!("../../resources/scripts/canvas_noise.js");
    let hover_overlay = hover_overlay_script();
    let vault_detector = vault_detector_script();
    let autofill_suppress = autofill_suppress_script();
    let video_ad_scriptlets = include_str!("../../resources/scripts/video_ad_scriptlets.js");

    format!(
        r#"(function() {{
'use strict';
window.__MUSE_BLOCKED_DOMAINS__ = {blocked_domains_json};
document.addEventListener('contextmenu', function(e) {{
    e.preventDefault();
    try {{
        const target = e.target;
        const info = {{
            x: e.screenX, y: e.screenY, clientX: e.clientX, clientY: e.clientY,
            tagName: target.tagName, src: target.src || null,
            href: target.closest('a') ? target.closest('a').href : null,
            text: window.getSelection().toString().slice(0, 200) || null,
            pageUrl: location.href,
        }};
        window.__TAURI_INTERNALS__.invoke('browser_context_menu', info).catch(function() {{}});
    }} catch(ex) {{}}
}}, true);
}})();
{video_ad_scriptlets}
{adblock_layer1}
{cookie_consent}
{webrtc_protect}
{canvas_noise}
{autofill_suppress}
{hover_overlay}
{vault_detector}"#
    )
}

/// Image hover overlay script.
pub fn hover_overlay_script() -> &'static str {
    include_str!("../../resources/scripts/hover_overlay.js")
}

/// Password vault form detection + autofill script.
pub fn vault_detector_script() -> &'static str {
    include_str!("../../resources/scripts/vault_detector.js")
}

/// Suppress native browser autofill so Muse vault is the only credential source.
pub fn autofill_suppress_script() -> &'static str {
    include_str!("../../resources/scripts/autofill_suppress.js")
}

/// Known ad/tracker domains for fast JS-side lookup
pub fn blocked_domains_json() -> String {
    let domains: &[&str] = &[
        "googlesyndication.com", "doubleclick.net", "google-analytics.com",
        "googletagmanager.com", "facebook.net", "connect.facebook.net",
        "amazon-adsystem.com", "criteo.com", "outbrain.com", "taboola.com",
        "scorecardresearch.com", "quantserve.com", "adnxs.com", "rubiconproject.com",
        "pubmatic.com", "openx.net", "moatads.com", "hotjar.com", "mixpanel.com",
        "segment.io", "segment.com", "amplitude.com", "fullstory.com",
        "onetrust.com", "cookielaw.org", "trustarc.com", "consensu.org",
        "2mdn.net", "adsymptotic.com", "advertising.com", "bluekai.com",
    ];
    serde_json::to_string(domains).unwrap_or_else(|_| "[]".to_string())
}