diff --git a/README.md b/README.md
index 66fc26d..936ae84 100644
--- a/README.md
+++ b/README.md
@@ -295,6 +295,17 @@ REP is a formal, open specification — not just a tool.
 
 ---
 
+## Examples
+
+| Example | Pattern | Description |
+|---|---|---|
+| [`examples/todo-react/`](examples/todo-react/) | React + embedded | Full React todo app — `useRep()`, `useRepSecure()`, hot reload, `FROM scratch` Docker image |
+| [`examples/simple-html/`](examples/simple-html/) | Plain HTML + embedded | Single HTML file, SDK via esm.sh, no build step, `FROM scratch` image |
+| [`examples/nextjs-proxy/`](examples/nextjs-proxy/) | Next.js SSR + proxy | Next.js server behind the gateway in proxy mode; Docker Compose two-service setup |
+| [`examples/nextjs-csr-embedded/`](examples/nextjs-csr-embedded/) | Next.js CSR + embedded + Kubernetes | Static export served by gateway; ConfigMap-driven feature flags with hot-reload variant (zero pod restarts) |
+
+---
+
 ## Contributing
 
 We welcome contributions. See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, commit conventions, and the release process.
diff --git a/docs/astro.config.mjs b/docs/astro.config.mjs
index cfc611f..a739118 100644
--- a/docs/astro.config.mjs
+++ b/docs/astro.config.mjs
@@ -144,6 +144,12 @@ export default defineConfig({
               slug: 'examples/quick-no-manifest',
             },
             { label: 'Todo App (React)', slug: 'examples/todo-react' },
+            { label: 'Simple HTML (ESM.sh)', slug: 'examples/simple-html' },
+            { label: 'Next.js — Proxy Mode', slug: 'examples/nextjs-proxy' },
+            {
+              label: 'Next.js CSR + Kubernetes',
+              slug: 'examples/nextjs-csr-kubernetes',
+            },
           ],
         },
         {
diff --git a/docs/src/content/docs/examples/nextjs-csr-kubernetes.mdx b/docs/src/content/docs/examples/nextjs-csr-kubernetes.mdx
new file mode 100644
index 0000000..f37cc01
--- /dev/null
+++ b/docs/src/content/docs/examples/nextjs-csr-kubernetes.mdx
@@ -0,0 +1,285 @@
+---
+title: Next.js CSR — Embedded Mode + Kubernetes
+description: Export Next.js as a static site, serve it with the REP gateway in embedded mode, and manage feature flags dynamically via a Kubernetes ConfigMap. Includes a hot-reload variant with zero pod restarts.
+---
+
+import { Aside, FileTree, Steps } from '@astrojs/starlight/components';
+
+Next.js with `output: 'export'` produces a fully static site. The REP gateway serves the output in **embedded mode** — no Node.js server needed in production. A Kubernetes ConfigMap holds all runtime config. Update it to change feature flags across all pods without rebuilding the image.
+
+Source code at [`examples/nextjs-csr-embedded/`](https://github.com/ruachtech/rep/tree/main/examples/nextjs-csr-embedded).
+
+## Architecture
+
+```
+Browser → REP Gateway :8080 (embedded mode)
+          │ serves /static (Next.js export)
+          │ injects __rep__ payload from environment vars
+          └ environment vars come from Kubernetes ConfigMap + Secret
+```
+
+No upstream server. No Node.js runtime in production. The final container is `FROM scratch`.
+
+## When to use this pattern
+
+- Next.js app with no server-side rendering requirements (pure CSR)
+- Kubernetes deployments where you want to change feature flags without rebuilds
+- Minimal container surface area (`FROM scratch`, ~8MB total image size)
+
+## File structure
+
+<FileTree>
+- examples/nextjs-csr-embedded/
+  - src/
+    - app/
+      - layout.tsx
+      - page.tsx
+    - components/
+      - ConfigPanel.tsx  Reads REP public + sensitive vars
+      - FeatureFlags.tsx  Hot-reload-aware flag toggle display
+  - k8s/
+    - configmap.yaml          Standard envFrom pattern
+    - configmap-envfile.yaml  Hot-reload variant (mounted as file)
+    - deployment.yaml         Both variants documented
+    - secret.yaml             Sensitive vars
+    - service.yaml + Ingress
+  - Dockerfile  3-stage: gateway + Next.js build + FROM scratch
+  - next.config.ts  output: 'export'
+  - .rep.yaml
+  - .env.example
+</FileTree>
+
+## Next.js static export
+
+Set `output: 'export'` in `next.config.ts`:
+
+```typescript
+const nextConfig: NextConfig = {
+  output: 'export',
+  images: { unoptimized: true },  // required for static export
+};
+```
+
+The build produces an `out/` directory of static HTML/CSS/JS. This is what the gateway serves.
+
+## Reading REP vars in client components
+
+```tsx
+'use client';
+
+import { useRep, useRepSecure } from '@rep-protocol/react';
+
+export function ConfigPanel() {
+  // Synchronous — available on first render
+  const apiUrl  = useRep('API_URL',  'http://localhost:3001');
+  const envName = useRep('ENV_NAME', 'development');
+
+  // Decrypted on demand (async)
+  const { value: analyticsKey, loading } = useRepSecure('ANALYTICS_KEY');
+
+  return (/* … */);
+}
+```
+
+```tsx
+'use client';
+
+import { useRep } from '@rep-protocol/react';
+
+export function FeatureFlags() {
+  // useRep() subscribes to hot reload — component re-renders
+  // when FEATURE_FLAGS changes without a page refresh
+  const rawFlags = useRep('FEATURE_FLAGS', '');
+  const active   = new Set(rawFlags.split(',').map(f => f.trim()).filter(Boolean));
+
+  return (
+    <ul>
+      {['dark-mode', 'new-checkout', 'ai-assist'].map(flag => (
+        <li key={flag}>{active.has(flag) ? '✅' : '⬜'} {flag}</li>
+      ))}
+    </ul>
+  );
+}
+```
+
+## Dockerfile (FROM scratch)
+
+Three stages: download gateway, build Next.js, assemble scratch image:
+
+```dockerfile
+FROM alpine:3.21 AS gateway
+ARG GATEWAY_VERSION=0.1.3
+RUN apk add --no-cache curl ca-certificates && \
+    curl -fsSL "…/rep-gateway_${GATEWAY_VERSION}_linux_amd64.tar.gz" \
+      | tar -xz -C /tmp && \
+    mv /tmp/rep-gateway /rep-gateway && chmod +x /rep-gateway
+
+FROM node:22-alpine AS builder
+WORKDIR /app
+COPY package.json package-lock.json* ./
+RUN npm ci
+COPY . .
+RUN npm run build   # produces out/
+
+FROM scratch
+COPY --from=gateway /rep-gateway /rep-gateway
+COPY --from=builder /app/out /static
+COPY --from=gateway /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+USER 65534:65534
+EXPOSE 8080
+ENTRYPOINT ["/rep-gateway", "--mode", "embedded", "--static-dir", "/static"]
+```
+
+## Kubernetes: ConfigMap for feature flags
+
+### Standard pattern (envFrom)
+
+Store all `REP_PUBLIC_*` vars in a ConfigMap. Sensitive vars go in a Secret:
+
+```yaml
+# configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rep-config
+data:
+  REP_PUBLIC_API_URL: "https://api.example.com"
+  REP_PUBLIC_ENV_NAME: "production"
+  REP_PUBLIC_FEATURE_FLAGS: "dark-mode,new-checkout"   # ← update this to toggle flags
+  REP_GATEWAY_MODE: "embedded"
+  REP_GATEWAY_HOT_RELOAD: "true"
+```
+
+```yaml
+# secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: rep-secrets
+stringData:
+  REP_SENSITIVE_ANALYTICS_KEY: "ak_live_replace_me"
+```
+
+Reference both in the Deployment:
+
+```yaml
+envFrom:
+  - configMapRef:
+      name: rep-config
+  - secretRef:
+      name: rep-secrets
+```
+
+To update feature flags:
+
+```bash
+kubectl edit configmap rep-config
+# Change REP_PUBLIC_FEATURE_FLAGS, save
+
+kubectl rollout restart deployment/frontend
+# New pods start with updated config
+```
+
+### Hot-reload variant (zero pod restarts)
+
+Mount the ConfigMap as a `.env` file and start the gateway with `--hot-reload --hot-reload-mode=file_watch`:
+
+<Steps>
+1. **Apply the env-file ConfigMap**
+
+   ```bash
+   kubectl apply -f k8s/configmap-envfile.yaml
+   ```
+
+   The ConfigMap stores a `.env` file as a single key:
+
+   ```yaml
+   data:
+     rep.env: |
+       REP_PUBLIC_API_URL=https://api.example.com
+       REP_PUBLIC_FEATURE_FLAGS=dark-mode,new-checkout
+   ```
+
+2. **Mount the file in the Deployment**
+
+   ```yaml
+   args:
+     - "--mode=embedded"
+     - "--static-dir=/static"
+     - "--env-file=/config/rep.env"
+     - "--hot-reload"
+     - "--hot-reload-mode=file_watch"
+     - "--watch-path=/config/rep.env"
+   volumeMounts:
+     - name: rep-config-volume
+       mountPath: /config
+       readOnly: true
+   volumes:
+     - name: rep-config-volume
+       configMap:
+         name: rep-config-envfile
+   ```
+
+3. **Update feature flags**
+
+   ```bash
+   kubectl edit configmap rep-config-envfile
+   # Change REP_PUBLIC_FEATURE_FLAGS in the rep.env block, save
+   ```
+
+4. **Wait ~60 seconds**
+
+   Kubernetes propagates ConfigMap changes to mounted files. The gateway detects the file change, re-reads vars, re-encrypts sensitive values with a fresh ephemeral key, and pushes a reload event to all connected browsers via `/rep/changes` (SSE).
+
+5. **Components re-render automatically**
+
+   Any component using `useRep('FEATURE_FLAGS')` re-renders with the new value. No pod restart, no page refresh.
+</Steps>
+
+<Aside type="note">
+  The hot-reload file-watch variant requires the gateway to be started with `--env-file` and `--watch-path` flags pointing to the mounted ConfigMap file. Sensitive vars still come from the `secretRef` (not the mounted file) since Secrets should not be mounted as env files.
+</Aside>
+
+## Running locally
+
+### Docker
+
+```bash
+cd examples/nextjs-csr-embedded
+
+docker build -t rep-nextjs-csr .
+
+docker run --rm -p 8080:8080 \
+  -e REP_PUBLIC_API_URL=https://api.example.com \
+  -e REP_PUBLIC_ENV_NAME=production \
+  -e REP_PUBLIC_FEATURE_FLAGS=dark-mode,new-checkout \
+  -e REP_SENSITIVE_ANALYTICS_KEY=ak_live_abc123 \
+  rep-nextjs-csr
+```
+
+### CLI dev mode
+
+```bash
+cd examples/nextjs-csr-embedded
+
+# Build the static export
+npm run build   # → out/
+
+# Serve with gateway in embedded mode
+npx @rep-protocol/cli dev \
+  --mode embedded \
+  --static-dir ./out \
+  --env-file .env.local
+```
+
+## Comparison: static vs SSR
+
+| | CSR + Embedded (this example) | SSR + Proxy |
+|---|---|---|
+| Next.js `output` | `'export'` (static) | default (server) |
+| Runtime container | `FROM scratch` (~8MB) | Node.js image (~150MB) |
+| Server features | ❌ No API routes, no SSR | ✅ Full Next.js server |
+| Feature flag updates | ConfigMap edit + SIGHUP (no restart) | ConfigMap edit + rolling restart |
+| Gateway mode | `embedded` | `proxy` |
+
+Use the CSR + embedded pattern when you don't need server-side rendering or Next.js API routes. Use the [proxy mode example](/examples/nextjs-proxy/) when you do.
diff --git a/docs/src/content/docs/examples/nextjs-proxy.mdx b/docs/src/content/docs/examples/nextjs-proxy.mdx
new file mode 100644
index 0000000..630a2fc
--- /dev/null
+++ b/docs/src/content/docs/examples/nextjs-proxy.mdx
@@ -0,0 +1,205 @@
+---
+title: Next.js — Proxy Mode
+description: Run the REP gateway as a reverse proxy in front of a Next.js SSR server. Environment variables are injected into every HTML response without touching the Next.js build.
+---
+
+import { Aside, FileTree, Tabs, TabItem } from '@astrojs/starlight/components';
+
+The REP gateway runs in **proxy mode** in front of a Next.js server. It intercepts every HTML response and injects the `__rep__` payload — no changes to the Next.js build pipeline required.
+
+Source code at [`examples/nextjs-proxy/`](https://github.com/ruachtech/rep/tree/main/examples/nextjs-proxy).
+
+## Architecture
+
+```
+Client → REP Gateway :8080 (proxy mode)
+              ↓ injects __rep__ payload into HTML responses
+         Next.js Server :3000
+```
+
+The Next.js server is never exposed directly. All traffic flows through the gateway. Config lives entirely in the gateway's environment variables — the Next.js image is the same across every deployment.
+
+## When to use this pattern
+
+- Next.js App Router or Pages Router with server-side rendering (SSR)
+- You want the full Next.js server (streaming, server actions, API routes)
+- Docker Compose, Kubernetes single-container pod, or multi-service deployments
+
+## File structure
+
+<FileTree>
+- examples/nextjs-proxy/
+  - src/
+    - app/
+      - layout.tsx
+      - page.tsx           Server component shell
+    - components/
+      - EnvDisplay.tsx     Client component — reads REP vars
+      - IntegrityBanner.tsx  Verifies payload was not modified in transit
+  - Dockerfile             Next.js-only image (for docker-compose)
+  - Dockerfile.single      Gateway + Next.js in one image (for Kubernetes)
+  - docker-compose.yml     Two-service stack (recommended)
+  - docker-entrypoint.sh   Startup script for Dockerfile.single
+  - next.config.ts
+  - .rep.yaml
+  - .env.example
+</FileTree>
+
+## Reading REP vars in Next.js
+
+REP runs entirely in the browser. In the App Router, use `'use client'` components:
+
+```tsx
+'use client';
+
+import { useRep, useRepSecure } from '@rep-protocol/react';
+
+export function EnvDisplay() {
+  // Synchronous — available on first render, no loading state
+  const apiUrl   = useRep('API_URL',  'http://localhost:3001');
+  const envName  = useRep('ENV_NAME', 'development');
+  const features = useRep('FEATURE_FLAGS', '');
+
+  // Async — decrypted via the session-key endpoint
+  const { value: analyticsKey, loading } = useRepSecure('ANALYTICS_KEY');
+
+  return (
+    <div>
+      <p>Environment: {envName}</p>
+      <p>API: {apiUrl}</p>
+      <p>Key: {loading ? 'loading…' : analyticsKey}</p>
+    </div>
+  );
+}
+```
+
+<Aside type="caution">
+  Do NOT call `rep.get()` in server components — the `__rep__` payload exists only in the browser DOM. REP vars are always accessed from `'use client'` components.
+</Aside>
+
+## Integrity verification
+
+The example includes an `IntegrityBanner` client component that verifies the payload was not modified after the gateway injected it. The SDK checks a SHA-256 SRI hash embedded on the `<script id="__rep__">` tag using the Web Crypto API. A mismatch means something (a CDN, a misconfigured proxy) altered the payload in transit.
+
+```tsx
+'use client';
+
+import { useEffect, useState } from 'react';
+import { rep } from '@rep-protocol/sdk';
+
+export function IntegrityBanner() {
+  const [ok, setOk] = useState<boolean | null>(null);
+
+  useEffect(() => {
+    // _verifySRI fires as a microtask during SDK init — await a tick first
+    Promise.resolve().then(() => setOk(rep.verify()));
+  }, []);
+
+  if (ok === null)  return <p>Verifying payload integrity…</p>;
+  if (ok)           return <p>✅ Payload integrity verified</p>;
+  return <p>🚨 Integrity check FAILED — payload may have been tampered with</p>;
+}
+```
+
+## Deployment options
+
+<Tabs>
+<TabItem label="Docker Compose (two services)">
+
+Recommended for development and multi-service production setups. Gateway and Next.js run as separate containers:
+
+```yaml
+services:
+  gateway:
+    image: ghcr.io/ruachtech/rep/gateway:0.1.3
+    ports:
+      - "8080:8080"
+    environment:
+      REP_GATEWAY_MODE: proxy
+      REP_GATEWAY_UPSTREAM: "app:3000"
+      REP_PUBLIC_API_URL: "https://api.example.com"
+      REP_PUBLIC_ENV_NAME: "production"
+      REP_PUBLIC_FEATURE_FLAGS: "dark-mode"
+      REP_SENSITIVE_ANALYTICS_KEY: "ak_live_abc123"
+    depends_on:
+      - app
+
+  app:
+    build: .
+    expose:
+      - "3000"
+    environment:
+      NODE_ENV: production
+    # No REP_PUBLIC_* vars here — gateway injects them at request time
+```
+
+```bash
+cd examples/nextjs-proxy
+docker compose up
+```
+
+To change config without rebuilding:
+
+```bash
+# Edit REP_PUBLIC_* in docker-compose.yml, then:
+docker compose up -d gateway   # restart only the gateway
+```
+
+</TabItem>
+<TabItem label="Single container (Kubernetes)">
+
+`Dockerfile.single` packages the gateway and Next.js server into one image. A startup script (`docker-entrypoint.sh`) launches both processes:
+
+```sh
+#!/bin/sh
+# Start Next.js in the background
+NODE_ENV=production node /app/server.js &
+
+# REP gateway in the foreground (proxy → localhost:3000)
+exec rep-gateway --mode proxy --port 8080 --upstream localhost:3000
+```
+
+Build and run:
+
+```bash
+docker build -f Dockerfile.single -t rep-nextjs-proxy .
+
+docker run --rm -p 8080:8080 \
+  -e REP_PUBLIC_API_URL=https://api.example.com \
+  -e REP_PUBLIC_ENV_NAME=production \
+  -e REP_PUBLIC_FEATURE_FLAGS=dark-mode \
+  -e REP_SENSITIVE_ANALYTICS_KEY=ak_live_abc123 \
+  rep-nextjs-proxy
+```
+
+**Kubernetes** — pass config from a ConfigMap + Secret:
+
+```yaml
+containers:
+  - name: frontend
+    image: your-registry/rep-nextjs-proxy:latest
+    ports:
+      - containerPort: 8080
+    envFrom:
+      - configMapRef:
+          name: rep-config      # REP_PUBLIC_* and REP_GATEWAY_*
+      - secretRef:
+          name: rep-secrets     # REP_SENSITIVE_*
+```
+
+See [`examples/nextjs-csr-embedded/k8s/`](https://github.com/ruachtech/rep/tree/main/examples/nextjs-csr-embedded/k8s) for complete Kubernetes manifests including Service and Ingress.
+
+</TabItem>
+</Tabs>
+
+## CLI dev mode (no Docker)
+
+```bash
+# Terminal 1 — run Next.js dev server
+npm run dev   # starts on :3000
+
+# Terminal 2 — run REP gateway in proxy mode
+npx @rep-protocol/cli dev --proxy http://localhost:3000 --env-file .env.local
+```
+
+Open `http://localhost:8080`.
diff --git a/docs/src/content/docs/examples/simple-html.mdx b/docs/src/content/docs/examples/simple-html.mdx
new file mode 100644
index 0000000..6d18e08
--- /dev/null
+++ b/docs/src/content/docs/examples/simple-html.mdx
@@ -0,0 +1,140 @@
+---
+title: Simple HTML — No Build Step
+description: Use REP in a plain HTML file with no bundler or framework. The SDK is loaded via esm.sh and the gateway serves the file in embedded mode with a FROM scratch container.
+---
+
+import { Aside, FileTree } from '@astrojs/starlight/components';
+
+A single HTML file using the REP SDK via [esm.sh](https://esm.sh), served by the gateway in embedded mode. No build step, no bundler, no framework.
+
+Source code at [`examples/simple-html/`](https://github.com/ruachtech/rep/tree/main/examples/simple-html).
+
+## When to use this pattern
+
+- Static marketing pages or single-file dashboards
+- Quick prototyping without a build pipeline
+- Demonstrating REP concepts with minimal infrastructure
+- Environments where adding a Node.js build step is impractical
+
+## File structure
+
+<FileTree>
+- examples/simple-html/
+  - index.html  Single HTML file — the entire app
+  - Dockerfile  Two-stage: gateway download → FROM scratch
+  - .rep.yaml   Optional manifest for validate/typegen
+  - .env.example Template environment variables
+</FileTree>
+
+## How it works
+
+The REP gateway runs in **embedded mode**, serving `index.html` directly. When a browser requests the page, the gateway injects the `__rep__` payload before the response is sent:
+
+```
+Browser → REP Gateway :8080 (embedded mode)
+          ↓ injects <script id="__rep__" type="application/json">…</script>
+          ↓ serves index.html
+```
+
+The HTML file imports the SDK as an ES module from esm.sh — no npm install, no bundler:
+
+```html
+<script type="module">
+  import { rep } from 'https://esm.sh/@rep-protocol/sdk@0.1.8';
+
+  // Public vars — synchronous, available immediately
+  const apiUrl  = rep.get('API_URL', 'http://localhost:3001');
+  const envName = rep.get('ENV_NAME', 'development');
+
+  // Sensitive var — AES-256-GCM encrypted, decrypted on demand
+  const analyticsKey = await rep.getSecure('ANALYTICS_KEY');
+
+  // Hot reload — react to config changes pushed via SSE
+  rep.onChange('FEATURE_FLAGS', (next) => {
+    document.getElementById('features').textContent = next || '(none)';
+  });
+</script>
+```
+
+<Aside type="tip">
+  The `__rep__` script tag is injected **before** the browser parses `<script type="module">`, so `rep.get()` is synchronous and always returns a value — no loading state needed.
+</Aside>
+
+## Dockerfile
+
+A two-stage build. No app build step is needed — the HTML file is copied as-is:
+
+```dockerfile
+FROM alpine:3.21 AS gateway
+ARG GATEWAY_VERSION=0.1.3
+RUN apk add --no-cache curl ca-certificates && \
+    curl -fsSL "…/rep-gateway_${GATEWAY_VERSION}_linux_amd64.tar.gz" \
+      -o /tmp/gateway.tar.gz && \
+    tar -xzf /tmp/gateway.tar.gz -C /tmp && \
+    mv /tmp/rep-gateway /rep-gateway && \
+    chmod +x /rep-gateway
+
+FROM scratch
+COPY --from=gateway /rep-gateway /rep-gateway
+COPY index.html /static/index.html
+COPY --from=gateway /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+USER 65534:65534
+EXPOSE 8080
+ENTRYPOINT ["/rep-gateway", "--mode", "embedded", "--static-dir", "/static"]
+```
+
+The final image contains: gateway binary + one HTML file + CA certificates. Total size is approximately 6MB.
+
+## Running locally
+
+### Docker
+
+```bash
+cd examples/simple-html
+
+docker build -t rep-simple-html .
+
+docker run --rm -p 8080:8080 \
+  -e REP_PUBLIC_APP_TITLE="My App" \
+  -e REP_PUBLIC_API_URL=https://api.example.com \
+  -e REP_PUBLIC_ENV_NAME=production \
+  -e REP_PUBLIC_FEATURE_FLAGS=dark-mode,beta \
+  -e REP_SENSITIVE_ANALYTICS_KEY=ak_live_abc123 \
+  rep-simple-html
+```
+
+### Without Docker (CLI)
+
+```bash
+cd examples/simple-html
+
+# Serve the HTML file locally with the gateway
+npx @rep-protocol/cli dev \
+  --mode embedded \
+  --static-dir . \
+  --env-file .env.local
+```
+
+## Changing config
+
+No rebuild required. Stop, change env vars, restart:
+
+```bash
+# Production config
+docker run --rm -p 8080:8080 \
+  -e REP_PUBLIC_API_URL=https://api.prod.example.com \
+  -e REP_PUBLIC_FEATURE_FLAGS=dark-mode \
+  rep-simple-html
+
+# Staging config — same image
+docker run --rm -p 8080:8080 \
+  -e REP_PUBLIC_API_URL=https://api.staging.example.com \
+  -e REP_PUBLIC_FEATURE_FLAGS=dark-mode,beta,new-checkout \
+  rep-simple-html
+```
+
+Same `index.html`. Same Docker image. Different runtime config.
+
+## Security note
+
+The esm.sh `import` call happens in the browser after the page loads. For production, consider pinning the SDK version and adding an [import map](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/script/type/importmap) or hosting the SDK on your own CDN to remove the esm.sh dependency. If you self-host the SDK and load it via `<script type="module" src="...">`, you can add an `integrity` attribute for [Subresource Integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) verification. Note that SRI works on `<script src>` / `<link>` tags, not on bare `import` statements inside a module.
diff --git a/examples/README.md b/examples/README.md
new file mode 100644
index 0000000..f937c53
--- /dev/null
+++ b/examples/README.md
@@ -0,0 +1,132 @@
+# REP Examples
+
+Runnable examples covering the main REP deployment patterns. Each example is self-contained — pick the one closest to your stack.
+
+## Overview
+
+| Example | Stack | Gateway mode | Container | Best for |
+|---|---|---|---|---|
+| [`todo-react/`](#todo-react) | React + Vite | Embedded | `FROM scratch` | Full-featured React reference app |
+| [`simple-html/`](#simple-html) | Plain HTML | Embedded | `FROM scratch` | No framework, no build step |
+| [`nextjs-proxy/`](#nextjs-proxy) | Next.js 15 (SSR) | Proxy | Node.js | Next.js with server-side rendering |
+| [`nextjs-csr-embedded/`](#nextjs-csr-embedded) | Next.js 15 (CSR) | Embedded | `FROM scratch` | Static Next.js + Kubernetes ConfigMap |
+
+---
+
+## todo-react
+
+**[`examples/todo-react/`](todo-react/)**
+
+The primary reference example. A complete React todo application demonstrating the full REP feature set:
+
+- `useRep()` for synchronous public variable access
+- `useRepSecure()` for encrypted sensitive variables
+- Hot reload — config changes re-render components without a page refresh
+- `FROM scratch` Docker image (~8MB) using the REP gateway in embedded mode
+
+Run it:
+```bash
+cd examples/todo-react
+docker build -t rep-todo .
+docker run -p 8080:8080 \
+  -e REP_PUBLIC_APP_TITLE="My Todo App" \
+  -e REP_PUBLIC_API_URL=https://api.example.com \
+  -e REP_PUBLIC_ENV_NAME=development \
+  -e REP_PUBLIC_MAX_TODOS=10 \
+  -e REP_SENSITIVE_ANALYTICS_KEY=ak_dev_abc123 \
+  rep-todo
+```
+
+---
+
+## simple-html
+
+**[`examples/simple-html/`](simple-html/)**
+
+A single `index.html` file — no bundler, no build step, no framework. The REP SDK is loaded directly from [esm.sh](https://esm.sh) in a `<script type="module">` block.
+
+Key points:
+- `rep.get()` is synchronous: no loading state in your markup
+- `rep.getSecure()` decrypts sensitive vars in the browser via the Web Crypto API
+- Integrity verification via `rep.verify()` — detects if the payload was tampered with in transit (CDN modification, MITM proxy)
+- 2-stage Dockerfile: Alpine (gateway download) → `FROM scratch`
+
+Run it:
+```bash
+cd examples/simple-html
+docker build -t rep-simple-html .
+docker run -p 8080:8080 \
+  -e REP_PUBLIC_APP_TITLE="My App" \
+  -e REP_PUBLIC_API_URL=https://api.example.com \
+  -e REP_PUBLIC_ENV_NAME=production \
+  -e REP_PUBLIC_FEATURE_FLAGS=dark-mode,beta \
+  -e REP_SENSITIVE_ANALYTICS_KEY=ak_live_abc123 \
+  rep-simple-html
+```
+
+---
+
+## nextjs-proxy
+
+**[`examples/nextjs-proxy/`](nextjs-proxy/)**
+
+Next.js 15 (App Router, SSR) behind the REP gateway in **proxy mode**. The gateway intercepts every HTML response from the Next.js server and injects the `__rep__` payload before the browser receives it.
+
+Key points:
+- REP SDK access is in `'use client'` components only — server components run on the server where there is no DOM
+- `docker-compose.yml` runs gateway + Next.js as two services; only the gateway is exposed externally
+- Config changes only require restarting the gateway container, not the Next.js app
+- Integrity verification in `EnvDisplay` — surfaces `meta().integrityValid` to confirm the payload was not modified in transit
+
+Run it:
+```bash
+cd examples/nextjs-proxy
+docker compose up
+# open http://localhost:8080
+```
+
+---
+
+## nextjs-csr-embedded
+
+**[`examples/nextjs-csr-embedded/`](nextjs-csr-embedded/)**
+
+Next.js 15 with `output: 'export'` (fully static, CSR). The REP gateway serves the static export in embedded mode — no Node.js server in production.
+
+Key points:
+- `FROM scratch` final image (~8MB: gateway binary + static assets)
+- Full Kubernetes manifests in `k8s/`:
+  - Standard `envFrom` ConfigMap + Secret pattern
+  - Volume-mounted ConfigMap with `--hot-reload --hot-reload-mode=file_watch` — update `FEATURE_FLAGS` in the ConfigMap and browsers reflect the change within ~60 seconds, no pod restart required
+- `FeatureFlags` component demonstrates `useRep()` hot-reload subscriptions
+- Integrity check in `ConfigPanel` — warns if the payload has been modified in transit
+
+Run it:
+```bash
+cd examples/nextjs-csr-embedded
+docker build -t rep-nextjs-csr .
+docker run -p 8080:8080 \
+  -e REP_PUBLIC_API_URL=https://api.example.com \
+  -e REP_PUBLIC_ENV_NAME=production \
+  -e REP_PUBLIC_FEATURE_FLAGS=dark-mode,new-checkout \
+  -e REP_SENSITIVE_ANALYTICS_KEY=ak_live_abc123 \
+  rep-nextjs-csr
+```
+
+---
+
+## What integrity verification detects
+
+All examples that show `rep.verify()` / `meta().integrityValid` are checking a **SHA-256 SRI hash** of the injected payload. The gateway embeds this hash as `data-rep-integrity="sha256-<base64>"` on the `<script id="__rep__">` tag. The SDK recomputes the hash in the browser using the Web Crypto API and compares.
+
+A failed check means the payload JSON was modified after the gateway injected it — for example, by a CDN caching a tampered response or a misconfigured reverse proxy altering the response body.
+
+It does **not** prove the payload came from your gateway (there is no source authentication). It proves the content you received matches what was originally injected.
+
+For the full threat model see [`spec/SECURITY-MODEL.md`](../spec/SECURITY-MODEL.md).
+
+---
+
+## No-manifest guide
+
+[`examples/no-manifest.md`](no-manifest.md) — REP works with zero configuration files. The prefix convention alone is the protocol. Read this if you want to get started without creating a `.rep.yaml`.
diff --git a/examples/nextjs-csr-embedded/.dockerignore b/examples/nextjs-csr-embedded/.dockerignore
new file mode 100644
index 0000000..e1e75f5
--- /dev/null
+++ b/examples/nextjs-csr-embedded/.dockerignore
@@ -0,0 +1,7 @@
+.next
+out
+node_modules
+.env.local
+.env.*.local
+*.md
+k8s/
diff --git a/examples/nextjs-csr-embedded/.env.example b/examples/nextjs-csr-embedded/.env.example
new file mode 100644
index 0000000..1907b8f
--- /dev/null
+++ b/examples/nextjs-csr-embedded/.env.example
@@ -0,0 +1,13 @@
+# .env.example — copy to .env.local for local development
+# In production, these are supplied via Kubernetes ConfigMap / Secret.
+
+REP_PUBLIC_API_URL=http://localhost:3001
+REP_PUBLIC_ENV_NAME=development
+REP_PUBLIC_FEATURE_FLAGS=dark-mode,beta
+REP_PUBLIC_APP_VERSION=0.0.0
+REP_SENSITIVE_ANALYTICS_KEY=ak_dev_replace_me
+
+# Gateway config
+REP_GATEWAY_MODE=embedded
+REP_GATEWAY_PORT=8080
+REP_GATEWAY_HOT_RELOAD=true
diff --git a/examples/nextjs-csr-embedded/.rep.yaml b/examples/nextjs-csr-embedded/.rep.yaml
new file mode 100644
index 0000000..fd7be02
--- /dev/null
+++ b/examples/nextjs-csr-embedded/.rep.yaml
@@ -0,0 +1,47 @@
+# .rep.yaml — REP manifest for the Next.js CSR + embedded example
+
+version: "0.1.0"
+
+variables:
+  API_URL:
+    tier: public
+    type: url
+    required: true
+    description: "Backend API base URL"
+    example: "https://api.example.com"
+
+  ENV_NAME:
+    tier: public
+    type: enum
+    required: true
+    values: ["development", "staging", "production"]
+    description: "Deployment environment name"
+
+  FEATURE_FLAGS:
+    tier: public
+    type: csv
+    required: false
+    default: ""
+    description: "Comma-separated active feature flags — managed via Kubernetes ConfigMap"
+    example: "dark-mode,new-checkout,ai-assist"
+
+  APP_VERSION:
+    tier: public
+    type: string
+    required: false
+    default: "0.0.0"
+    description: "Application version (for display/debugging)"
+
+  ANALYTICS_KEY:
+    tier: sensitive
+    type: string
+    required: false
+    description: "Analytics write key — AES-256-GCM encrypted, stored in Kubernetes Secret"
+    example: "ak_live_abc123"
+
+settings:
+  strict_guardrails: true
+  hot_reload: true
+  hot_reload_mode: signal
+  session_key_ttl: "30s"
+  session_key_max_rate: 10
diff --git a/examples/nextjs-csr-embedded/Dockerfile b/examples/nextjs-csr-embedded/Dockerfile
new file mode 100644
index 0000000..ecc4f8c
--- /dev/null
+++ b/examples/nextjs-csr-embedded/Dockerfile
@@ -0,0 +1,65 @@
+# examples/nextjs-csr-embedded/Dockerfile
+#
+# Next.js static export served by the REP gateway in embedded mode.
+# Final image is FROM scratch — no OS, no shell, no package manager.
+#
+# Build:
+#   docker build -t rep-nextjs-csr .
+#
+# Run:
+#   docker run --rm -p 8080:8080 \
+#     -e REP_PUBLIC_API_URL=https://api.example.com \
+#     -e REP_PUBLIC_ENV_NAME=production \
+#     -e REP_PUBLIC_FEATURE_FLAGS=dark-mode,new-checkout \
+#     -e REP_SENSITIVE_ANALYTICS_KEY=ak_live_abc123 \
+#     rep-nextjs-csr
+#
+# For Kubernetes deployment, see k8s/ in this directory.
+
+# ── Stage 1: Download pre-built REP Gateway binary ────────────────────────────
+FROM alpine:3.21 AS gateway
+
+ARG GATEWAY_VERSION=0.1.3
+ARG TARGETARCH=amd64
+
+RUN apk add --no-cache curl ca-certificates && \
+    ARCHIVE="rep-gateway_${GATEWAY_VERSION}_linux_${TARGETARCH}.tar.gz" && \
+    curl -fsSL \
+      "https://github.com/RuachTech/rep/releases/download/gateway/v${GATEWAY_VERSION}/${ARCHIVE}" \
+      -o /tmp/gateway.tar.gz && \
+    tar -xzf /tmp/gateway.tar.gz -C /tmp && \
+    mv /tmp/rep-gateway /rep-gateway && \
+    chmod +x /rep-gateway
+
+# ── Stage 2: Build the Next.js static export ──────────────────────────────────
+FROM node:22-alpine AS builder
+WORKDIR /app
+
+COPY package.json package-lock.json* ./
+RUN npm ci
+
+COPY . .
+
+# Build produces a fully static site in `out/` (next.config.ts: output: 'export')
+# No env vars are baked in — the build output is environment-agnostic.
+RUN npm run build
+
+# ── Stage 3: Minimal runtime image (FROM scratch) ──────────────────────────────
+FROM scratch
+
+# Gateway binary
+COPY --from=gateway /rep-gateway /rep-gateway
+
+# Static export artefacts
+COPY --from=builder /app/out /static
+
+# CA certificates for /rep/session-key HTTPS calls
+COPY --from=gateway /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+# Non-root user (nobody)
+USER 65534:65534
+
+EXPOSE 8080
+
+# Embedded mode: gateway serves /static directly, no upstream needed
+ENTRYPOINT ["/rep-gateway", "--mode", "embedded", "--static-dir", "/static"]
diff --git a/examples/nextjs-csr-embedded/k8s/configmap-envfile.yaml b/examples/nextjs-csr-embedded/k8s/configmap-envfile.yaml
new file mode 100644
index 0000000..b873759
--- /dev/null
+++ b/examples/nextjs-csr-embedded/k8s/configmap-envfile.yaml
@@ -0,0 +1,31 @@
+# k8s/configmap-envfile.yaml
+#
+# Variant B only: ConfigMap whose value is mounted as a .env file.
+# The gateway reads this file at startup and watches it for changes
+# (--hot-reload --hot-reload-mode=file_watch --watch-path=/config/rep.env).
+#
+# Update this ConfigMap to change feature flags.
+# Kubernetes propagates the change to mounted files within ~60 seconds.
+# The gateway detects the change and pushes a reload event over SSE —
+# connected browsers re-render without a page refresh or pod restart.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rep-config-envfile
+  namespace: default
+  labels:
+    app: frontend
+data:
+  # The entire value of `rep.env` is a .env file parsed by the gateway.
+  # Only PUBLIC and SERVER tier vars go here (SENSITIVE go in the Secret).
+  rep.env: |
+    REP_PUBLIC_API_URL=https://api.example.com
+    REP_PUBLIC_ENV_NAME=production
+    REP_PUBLIC_FEATURE_FLAGS=dark-mode,new-checkout
+    REP_PUBLIC_APP_VERSION=1.0.0
+    REP_GATEWAY_MODE=embedded
+    REP_GATEWAY_PORT=8080
+    REP_GATEWAY_HOT_RELOAD=true
+    REP_GATEWAY_HOT_RELOAD_MODE=file_watch
+    REP_GATEWAY_ALLOWED_ORIGINS=https://app.example.com
diff --git a/examples/nextjs-csr-embedded/k8s/configmap.yaml b/examples/nextjs-csr-embedded/k8s/configmap.yaml
new file mode 100644
index 0000000..5ce4df4
--- /dev/null
+++ b/examples/nextjs-csr-embedded/k8s/configmap.yaml
@@ -0,0 +1,41 @@
+# k8s/configmap.yaml
+#
+# REP environment config — the single source of truth for all runtime variables.
+#
+# To update feature flags without rebuilding the app:
+#   1. kubectl edit configmap rep-config
+#      (or apply a modified version of this file)
+#   2. kubectl rollout restart deployment/frontend
+#      (pods pick up the new ConfigMap on restart)
+#
+# For zero-downtime flag changes without pod restarts, see the hot-reload
+# variant in deployment.yaml (volume-mounted ConfigMap + SIGHUP).
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rep-config
+  namespace: default
+  labels:
+    app: frontend
+    managed-by: rep-protocol
+data:
+  # ── PUBLIC TIER ────────────────────────────────────────────────────────────
+  # These values are injected as plaintext into the HTML payload.
+  # Safe to store in ConfigMap. Do NOT put secrets here.
+
+  REP_PUBLIC_API_URL: "https://api.example.com"
+  REP_PUBLIC_ENV_NAME: "production"
+
+  # Feature flags — update this value to toggle features across all pods.
+  # Comma-separated list of active flag names.
+  REP_PUBLIC_FEATURE_FLAGS: "dark-mode,new-checkout"
+
+  REP_PUBLIC_APP_VERSION: "1.0.0"
+
+  # ── GATEWAY CONFIG ─────────────────────────────────────────────────────────
+  REP_GATEWAY_MODE: "embedded"
+  REP_GATEWAY_PORT: "8080"
+  REP_GATEWAY_HOT_RELOAD: "true"
+  REP_GATEWAY_HOT_RELOAD_MODE: "signal"
+  REP_GATEWAY_ALLOWED_ORIGINS: "https://app.example.com"
diff --git a/examples/nextjs-csr-embedded/k8s/deployment.yaml b/examples/nextjs-csr-embedded/k8s/deployment.yaml
new file mode 100644
index 0000000..bdb142c
--- /dev/null
+++ b/examples/nextjs-csr-embedded/k8s/deployment.yaml
@@ -0,0 +1,129 @@
+# k8s/deployment.yaml
+#
+# Two deployment variants are shown here:
+#
+#   Variant A (envFrom) — Standard pattern. ConfigMap values become pod
+#   environment variables on startup. Requires a rolling restart to pick
+#   up ConfigMap changes.
+#
+#   Variant B (volume-mounted ConfigMap + hot reload) — Dynamic pattern.
+#   ConfigMap is mounted as a .env file. Gateway watches the file and
+#   pushes a reload event to connected browsers via SSE when it changes —
+#   no pod restart required. Annotate the ConfigMap with a hash to trigger
+#   rolling restarts for full-cycle failsafes.
+#
+# Use Variant A for simplicity; Variant B for zero-downtime flag changes.
+
+# ── Variant A: Standard envFrom ───────────────────────────────────────────────
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: frontend
+  namespace: default
+  labels:
+    app: frontend
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: frontend
+  template:
+    metadata:
+      labels:
+        app: frontend
+    spec:
+      containers:
+        - name: gateway
+          image: your-registry/rep-nextjs-csr:latest
+          ports:
+            - containerPort: 8080
+          # Load all keys from ConfigMap as environment variables
+          envFrom:
+            - configMapRef:
+                name: rep-config
+            - secretRef:
+                name: rep-secrets
+          resources:
+            requests: { cpu: "10m", memory: "16Mi" }
+            limits:   { cpu: "100m", memory: "64Mi" }
+          livenessProbe:
+            httpGet: { path: /rep/health, port: 8080 }
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            httpGet: { path: /rep/health, port: 8080 }
+            initialDelaySeconds: 2
+            periodSeconds: 5
+
+---
+
+# ── Variant B: Volume-mounted ConfigMap + hot reload (zero-downtime) ──────────
+#
+# How it works:
+#   1. ConfigMap is mounted as /config/rep.env inside the container
+#   2. Gateway starts with --env-file=/config/rep.env --hot-reload --hot-reload-mode=file_watch
+#   3. Kubernetes updates the mounted file within ~60s of a ConfigMap change
+#   4. Gateway detects the file change, re-reads vars, re-encrypts sensitive
+#      values, and pushes a reload event to all connected browsers via SSE
+#   5. Components using useRep() / rep.onChange() re-render automatically
+#
+# No pod restart required for feature flag changes.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: frontend-hotreload
+  namespace: default
+  labels:
+    app: frontend-hotreload
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: frontend-hotreload
+  template:
+    metadata:
+      labels:
+        app: frontend-hotreload
+      annotations:
+        # Force a rolling restart when the ConfigMap content changes.
+        # Update this hash in CI/CD when applying a new ConfigMap version.
+        # kubectl get configmap rep-config -o jsonpath='{.data}' | sha256sum
+        rep-config-hash: "replace-with-configmap-data-sha256"
+    spec:
+      containers:
+        - name: gateway
+          image: your-registry/rep-nextjs-csr:latest
+          ports:
+            - containerPort: 8080
+          # Sensitive vars still come from a Secret (not the mounted file)
+          envFrom:
+            - secretRef:
+                name: rep-secrets
+          # Gateway reads public/config vars from the mounted env file
+          args:
+            - "--mode=embedded"
+            - "--static-dir=/static"
+            - "--env-file=/config/rep.env"
+            - "--hot-reload"
+            - "--hot-reload-mode=file_watch"
+            - "--watch-path=/config/rep.env"
+          volumeMounts:
+            - name: rep-config-volume
+              mountPath: /config
+              readOnly: true
+          resources:
+            requests: { cpu: "10m", memory: "16Mi" }
+            limits:   { cpu: "100m", memory: "64Mi" }
+          livenessProbe:
+            httpGet: { path: /rep/health, port: 8080 }
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            httpGet: { path: /rep/health, port: 8080 }
+            initialDelaySeconds: 2
+            periodSeconds: 5
+      volumes:
+        - name: rep-config-volume
+          configMap:
+            name: rep-config-envfile
diff --git a/examples/nextjs-csr-embedded/k8s/secret.yaml b/examples/nextjs-csr-embedded/k8s/secret.yaml
new file mode 100644
index 0000000..105d1fe
--- /dev/null
+++ b/examples/nextjs-csr-embedded/k8s/secret.yaml
@@ -0,0 +1,25 @@
+# k8s/secret.yaml
+#
+# SENSITIVE tier variables — stored as a Kubernetes Secret, NOT a ConfigMap.
+# Base64-encode values before adding them here, or use kubectl create secret:
+#
+#   kubectl create secret generic rep-secrets \
+#     --from-literal=REP_SENSITIVE_ANALYTICS_KEY=ak_live_abc123 \
+#     --dry-run=client -o yaml > k8s/secret.yaml
+#
+# IMPORTANT: REP encrypts these values with AES-256-GCM before they reach
+# the browser — they never appear in plaintext in the HTML source.
+# The Kubernetes Secret prevents them from appearing in pod specs/logs.
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: rep-secrets
+  namespace: default
+  labels:
+    app: frontend
+type: Opaque
+stringData:
+  # stringData accepts plaintext; Kubernetes base64-encodes automatically.
+  # Replace with real values before applying.
+  REP_SENSITIVE_ANALYTICS_KEY: "ak_live_replace_me"
diff --git a/examples/nextjs-csr-embedded/k8s/service.yaml b/examples/nextjs-csr-embedded/k8s/service.yaml
new file mode 100644
index 0000000..c0951d9
--- /dev/null
+++ b/examples/nextjs-csr-embedded/k8s/service.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: frontend
+  namespace: default
+  labels:
+    app: frontend
+spec:
+  selector:
+    app: frontend
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8080
+  type: ClusterIP
+
+---
+
+# Expose via Ingress (example — adjust for your ingress controller)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: frontend
+  namespace: default
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"   # keep SSE connections alive
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+spec:
+  rules:
+    - host: app.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: frontend
+                port:
+                  name: http
diff --git a/examples/nextjs-csr-embedded/next.config.ts b/examples/nextjs-csr-embedded/next.config.ts
new file mode 100644
index 0000000..8e3663d
--- /dev/null
+++ b/examples/nextjs-csr-embedded/next.config.ts
@@ -0,0 +1,13 @@
+import type { NextConfig } from 'next';
+
+const nextConfig: NextConfig = {
+  // Static export — produces a fully client-rendered site in `out/`.
+  // The REP gateway serves the output directory in embedded mode.
+  // No Node.js server needed; the final container can be FROM scratch.
+  output: 'export',
+
+  // Required for static export: disable image optimisation (needs a server)
+  images: { unoptimized: true },
+};
+
+export default nextConfig;
diff --git a/examples/nextjs-csr-embedded/package.json b/examples/nextjs-csr-embedded/package.json
new file mode 100644
index 0000000..305dde2
--- /dev/null
+++ b/examples/nextjs-csr-embedded/package.json
@@ -0,0 +1,26 @@
+{
+  "name": "rep-nextjs-csr-embedded-example",
+  "version": "0.1.0",
+  "private": true,
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "start": "next start",
+    "rep:validate": "rep validate",
+    "rep:typegen": "rep typegen --output src/rep.d.ts"
+  },
+  "dependencies": {
+    "next": "^15.0.0",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0",
+    "@rep-protocol/sdk": "^0.1.8",
+    "@rep-protocol/react": "^0.1.8"
+  },
+  "devDependencies": {
+    "@rep-protocol/cli": "^0.1.8",
+    "@types/node": "^22.0.0",
+    "@types/react": "^19.0.0",
+    "@types/react-dom": "^19.0.0",
+    "typescript": "^5.4.0"
+  }
+}
diff --git a/examples/nextjs-csr-embedded/src/app/layout.tsx b/examples/nextjs-csr-embedded/src/app/layout.tsx
new file mode 100644
index 0000000..c91dc37
--- /dev/null
+++ b/examples/nextjs-csr-embedded/src/app/layout.tsx
@@ -0,0 +1,13 @@
+import type { Metadata } from 'next';
+
+export const metadata: Metadata = {
+  title: 'REP — Next.js CSR Embedded Example',
+};
+
+export default function RootLayout({ children }: { children: React.ReactNode }) {
+  return (
+    <html lang="en">
+      <body>{children}</body>
+    </html>
+  );
+}
diff --git a/examples/nextjs-csr-embedded/src/app/page.tsx b/examples/nextjs-csr-embedded/src/app/page.tsx
new file mode 100644
index 0000000..a845d5e
--- /dev/null
+++ b/examples/nextjs-csr-embedded/src/app/page.tsx
@@ -0,0 +1,26 @@
+// Static export: all pages are pre-rendered to HTML at build time.
+// REP config is injected by the gateway at request time (after build).
+import { IntegrityBanner } from '@/components/IntegrityBanner';
+import { ConfigPanel } from '@/components/ConfigPanel';
+import { FeatureFlags } from '@/components/FeatureFlags';
+
+export default function HomePage() {
+  return (
+    <main style={{ fontFamily: 'system-ui', maxWidth: 640, margin: '4rem auto', padding: '0 1rem' }}>
+      {/* Verifies the payload was not modified in transit (SRI hash check) */}
+      <IntegrityBanner />
+      <h1>REP — Next.js CSR + Embedded Mode</h1>
+      <p>
+        This Next.js app is exported as a static site (<code>output: &apos;export&apos;</code>)
+        and served by the REP gateway in embedded mode. The gateway injects environment
+        variables at request time — the static files are identical across all environments.
+      </p>
+      <p>
+        In Kubernetes, a <strong>ConfigMap</strong> holds all <code>REP_PUBLIC_*</code> vars.
+        Update the ConfigMap to change feature flags without rebuilding or redeploying the app.
+      </p>
+      <ConfigPanel />
+      <FeatureFlags />
+    </main>
+  );
+}
diff --git a/examples/nextjs-csr-embedded/src/components/ConfigPanel.tsx b/examples/nextjs-csr-embedded/src/components/ConfigPanel.tsx
new file mode 100644
index 0000000..9fc8a46
--- /dev/null
+++ b/examples/nextjs-csr-embedded/src/components/ConfigPanel.tsx
@@ -0,0 +1,49 @@
+'use client';
+
+import { useRep, useRepSecure } from '@rep-protocol/react';
+import { rep } from '@rep-protocol/sdk';
+
+export function ConfigPanel() {
+  const apiUrl  = useRep('API_URL',  'http://localhost:3001');
+  const envName = useRep('ENV_NAME', 'development');
+  const meta    = rep.meta();
+
+  const { value: analyticsKey, loading } = useRepSecure('ANALYTICS_KEY');
+
+  return (
+    <section>
+      <h2>Runtime Config</h2>
+      <table style={{ borderCollapse: 'collapse', width: '100%' }}>
+        <tbody>
+          <Row label="ENV_NAME"     value={envName} />
+          <Row label="API_URL"      value={apiUrl} />
+          <Row
+            label="ANALYTICS_KEY"
+            value={loading ? 'decrypting…' : (analyticsKey ? `${analyticsKey.slice(0, 4)}…` : 'not set')}
+          />
+        </tbody>
+      </table>
+
+      {meta && (
+        <>
+          <h2>Payload Metadata</h2>
+          <table style={{ borderCollapse: 'collapse', width: '100%' }}>
+            <tbody>
+              <Row label="REP version"  value={meta.version} />
+              <Row label="Injected at"  value={meta.injectedAt} />
+            </tbody>
+          </table>
+        </>
+      )}
+    </section>
+  );
+}
+
+function Row({ label, value }: { label: string; value: string }) {
+  return (
+    <tr style={{ borderBottom: '1px solid #e5e7eb' }}>
+      <td style={{ padding: '0.5rem', fontWeight: 600, width: 180 }}>{label}</td>
+      <td style={{ padding: '0.5rem' }}><code>{value}</code></td>
+    </tr>
+  );
+}
diff --git a/examples/nextjs-csr-embedded/src/components/FeatureFlags.tsx b/examples/nextjs-csr-embedded/src/components/FeatureFlags.tsx
new file mode 100644
index 0000000..1648332
--- /dev/null
+++ b/examples/nextjs-csr-embedded/src/components/FeatureFlags.tsx
@@ -0,0 +1,38 @@
+'use client';
+
+// Demonstrates hot-reload-aware feature flag consumption.
+// When the Kubernetes ConfigMap is updated and a SIGHUP is sent to the gateway,
+// active flags re-render automatically without a page refresh.
+import { useRep } from '@rep-protocol/react';
+
+const ALL_FLAGS = ['dark-mode', 'new-checkout', 'ai-assist', 'beta-pricing'] as const;
+
+export function FeatureFlags() {
+  // useRep() subscribes to hot reload: the component re-renders whenever
+  // FEATURE_FLAGS changes (e.g., after a ConfigMap update + SIGHUP).
+  const rawFlags = useRep('FEATURE_FLAGS', '');
+  const active   = new Set(rawFlags.split(',').map(f => f.trim()).filter(Boolean));
+
+  return (
+    <section>
+      <h2>Feature Flags</h2>
+      <p style={{ fontSize: '0.875rem', color: '#6b7280' }}>
+        Managed via <code>REP_PUBLIC_FEATURE_FLAGS</code> in the Kubernetes ConfigMap.
+        Update the ConfigMap and send SIGHUP to the gateway to reload without restarting pods.
+      </p>
+      <ul style={{ listStyle: 'none', padding: 0 }}>
+        {ALL_FLAGS.map(flag => (
+          <li key={flag} style={{ padding: '0.4rem 0', display: 'flex', alignItems: 'center', gap: '0.5rem' }}>
+            <span role="img" aria-label={active.has(flag) ? 'enabled' : 'disabled'} style={{ fontSize: '1.2rem' }}>
+              {active.has(flag) ? '✅' : '⬜'}
+            </span>
+            <code>{flag}</code>
+          </li>
+        ))}
+      </ul>
+      <p style={{ fontSize: '0.875rem', color: '#6b7280' }}>
+        Raw value: <code>{rawFlags || '(empty)'}</code>
+      </p>
+    </section>
+  );
+}
diff --git a/examples/nextjs-csr-embedded/src/components/IntegrityBanner.tsx b/examples/nextjs-csr-embedded/src/components/IntegrityBanner.tsx
new file mode 100644
index 0000000..9965814
--- /dev/null
+++ b/examples/nextjs-csr-embedded/src/components/IntegrityBanner.tsx
@@ -0,0 +1,67 @@
+'use client';
+
+// Verifies the REP payload has not been modified in transit.
+//
+// The gateway embeds a SHA-256 SRI hash as `data-rep-integrity` on the
+// <script id="__rep__"> tag. The SDK recomputes this hash in the browser
+// (Web Crypto API) and compares. A mismatch means the payload JSON was
+// altered after the gateway injected it — e.g., by a CDN serving a cached
+// tampered response or a misconfigured reverse proxy mutating the body.
+//
+// This is a client-side transit-integrity check. It does not prove the
+// payload came from your gateway (no source authentication); it proves the
+// content you received was not modified after injection.
+import { useEffect, useState } from 'react';
+import { rep } from '@rep-protocol/sdk';
+
+type Status = 'checking' | 'ok' | 'failed' | 'unavailable';
+
+const styles: Record<Status, React.CSSProperties> = {
+  checking:    { background: '#f3f4f6', color: '#374151', border: '1px solid #e5e7eb' },
+  ok:          { background: '#dcfce7', color: '#166534', border: '1px solid #bbf7d0' },
+  failed:      { background: '#fee2e2', color: '#991b1b', border: '1px solid #fecaca' },
+  unavailable: { background: '#f3f4f6', color: '#374151', border: '1px solid #e5e7eb' },
+};
+
+const messages: Record<Status, string> = {
+  checking:    '⏳ Verifying payload integrity…',
+  ok:          '✅ Integrity verified — payload matches the gateway-injected hash',
+  failed:      '🚨 Integrity check FAILED — payload may have been modified in transit. Do not trust these values.',
+  unavailable: '⚪ No REP payload detected (running without the gateway?)',
+};
+
+export function IntegrityBanner() {
+  const [status, setStatus] = useState<Status>('checking');
+
+  useEffect(() => {
+    // rep.verify() reads the _tampered flag which is set by an async
+    // microtask (_verifySRI) that fires during SDK module init.
+    // Awaiting a resolved promise lets that microtask settle first.
+    Promise.resolve().then(() => {
+      const meta = rep.meta();
+      if (!meta) {
+        setStatus('unavailable');
+      } else if (rep.verify()) {
+        setStatus('ok');
+      } else {
+        setStatus('failed');
+        console.error('[REP] Integrity check failed. Payload may have been tampered with.');
+      }
+    });
+  }, []);
+
+  return (
+    <div
+      role={status === 'failed' ? 'alert' : 'status'}
+      style={{
+        padding: '0.6rem 1rem',
+        borderRadius: 6,
+        marginBottom: '1.5rem',
+        fontSize: '0.875rem',
+        ...styles[status],
+      }}
+    >
+      {messages[status]}
+    </div>
+  );
+}
diff --git a/examples/nextjs-csr-embedded/tsconfig.json b/examples/nextjs-csr-embedded/tsconfig.json
new file mode 100644
index 0000000..fba2bf3
--- /dev/null
+++ b/examples/nextjs-csr-embedded/tsconfig.json
@@ -0,0 +1,21 @@
+{
+  "compilerOptions": {
+    "target": "ES2017",
+    "lib": ["dom", "dom.iterable", "esnext"],
+    "allowJs": true,
+    "skipLibCheck": true,
+    "strict": true,
+    "noEmit": true,
+    "esModuleInterop": true,
+    "module": "esnext",
+    "moduleResolution": "bundler",
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "jsx": "preserve",
+    "incremental": true,
+    "plugins": [{ "name": "next" }],
+    "paths": { "@/*": ["./src/*"] }
+  },
+  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
+  "exclude": ["node_modules"]
+}
diff --git a/examples/nextjs-proxy/.dockerignore b/examples/nextjs-proxy/.dockerignore
new file mode 100644
index 0000000..339cd6d
--- /dev/null
+++ b/examples/nextjs-proxy/.dockerignore
@@ -0,0 +1,7 @@
+.next
+node_modules
+.env.local
+.env.*.local
+*.md
+.rep.yaml
+k8s/
diff --git a/examples/nextjs-proxy/.env.example b/examples/nextjs-proxy/.env.example
new file mode 100644
index 0000000..8224085
--- /dev/null
+++ b/examples/nextjs-proxy/.env.example
@@ -0,0 +1,13 @@
+# .env.example — copy to .env.local for local development
+# These vars are passed to the gateway, NOT to Next.js.
+# Next.js never sees these — the gateway injects them at request time.
+
+REP_PUBLIC_API_URL=http://localhost:3001
+REP_PUBLIC_ENV_NAME=development
+REP_PUBLIC_FEATURE_FLAGS=dark-mode
+REP_SENSITIVE_ANALYTICS_KEY=ak_dev_replace_me
+
+# Gateway config
+REP_GATEWAY_MODE=proxy
+REP_GATEWAY_PORT=8080
+REP_GATEWAY_UPSTREAM=localhost:3000
diff --git a/examples/nextjs-proxy/.rep.yaml b/examples/nextjs-proxy/.rep.yaml
new file mode 100644
index 0000000..dcdf7ad
--- /dev/null
+++ b/examples/nextjs-proxy/.rep.yaml
@@ -0,0 +1,40 @@
+# .rep.yaml — REP manifest for the Next.js proxy example
+
+version: "0.1.0"
+
+variables:
+  API_URL:
+    tier: public
+    type: url
+    required: true
+    description: "Backend API base URL"
+    example: "https://api.example.com"
+
+  ENV_NAME:
+    tier: public
+    type: enum
+    required: true
+    values: ["development", "staging", "production"]
+    description: "Deployment environment name"
+
+  FEATURE_FLAGS:
+    tier: public
+    type: csv
+    required: false
+    default: ""
+    description: "Comma-separated active feature flags"
+    example: "dark-mode,new-checkout"
+
+  ANALYTICS_KEY:
+    tier: sensitive
+    type: string
+    required: false
+    description: "Analytics write key — encrypted in transit"
+    example: "ak_live_abc123"
+
+settings:
+  strict_guardrails: true
+  hot_reload: true
+  hot_reload_mode: signal
+  session_key_ttl: "30s"
+  session_key_max_rate: 10
diff --git a/examples/nextjs-proxy/Dockerfile b/examples/nextjs-proxy/Dockerfile
new file mode 100644
index 0000000..195525f
--- /dev/null
+++ b/examples/nextjs-proxy/Dockerfile
@@ -0,0 +1,37 @@
+# examples/nextjs-proxy/Dockerfile
+#
+# Builds the Next.js application only.
+# The REP gateway runs as a separate service (see docker-compose.yml).
+#
+# Build:
+#   docker build -t rep-nextjs-app .
+#
+# For a full stack, use docker-compose.yml in this directory.
+
+FROM node:22-alpine AS builder
+WORKDIR /app
+COPY package.json package-lock.json* ./
+# Install all deps (including devDependencies) — TypeScript is needed for the build
+RUN npm ci
+COPY . .
+RUN npm run build
+
+FROM node:22-alpine AS runner
+WORKDIR /app
+
+ENV NODE_ENV=production
+
+# Non-root user
+RUN addgroup --system --gid 1001 nodejs && \
+    adduser  --system --uid 1001 nextjs
+
+COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+COPY --from=builder --chown=nextjs:nodejs /app/public ./public
+
+USER nextjs
+
+EXPOSE 3000
+
+# Next.js standalone server
+CMD ["node", "server.js"]
diff --git a/examples/nextjs-proxy/Dockerfile.single b/examples/nextjs-proxy/Dockerfile.single
new file mode 100644
index 0000000..c49be16
--- /dev/null
+++ b/examples/nextjs-proxy/Dockerfile.single
@@ -0,0 +1,75 @@
+# examples/nextjs-proxy/Dockerfile.single
+#
+# Single-container build — REP gateway (proxy) + Next.js server in one image.
+# Use this when you want a single pod/container for Kubernetes or any
+# environment where you can't (or don't want to) run two separate services.
+#
+#   Client → REP Gateway :8080 → Next.js :3000 (same container)
+#
+# For a two-service setup (recommended for separation of concerns), see
+# docker-compose.yml and the plain Dockerfile in this directory instead.
+#
+# Build:
+#   docker build -f Dockerfile.single -t rep-nextjs-proxy .
+#
+# Run:
+#   docker run --rm -p 8080:8080 \
+#     -e REP_PUBLIC_API_URL=https://api.example.com \
+#     -e REP_PUBLIC_ENV_NAME=production \
+#     -e REP_PUBLIC_FEATURE_FLAGS=dark-mode \
+#     -e REP_SENSITIVE_ANALYTICS_KEY=ak_live_abc123 \
+#     rep-nextjs-proxy
+#
+# Kubernetes: pass REP_PUBLIC_* from a ConfigMap and REP_SENSITIVE_* from a
+# Secret via envFrom. See examples/nextjs-csr-embedded/k8s/ for full manifests.
+
+# ── Stage 1: Download pre-built REP Gateway binary ────────────────────────────
+FROM alpine:3.21 AS gateway
+
+ARG GATEWAY_VERSION=0.1.3
+ARG TARGETARCH=amd64
+
+RUN apk add --no-cache curl ca-certificates && \
+    ARCHIVE="rep-gateway_${GATEWAY_VERSION}_linux_${TARGETARCH}.tar.gz" && \
+    curl -fsSL \
+      "https://github.com/RuachTech/rep/releases/download/gateway/v${GATEWAY_VERSION}/${ARCHIVE}" \
+      -o /tmp/gateway.tar.gz && \
+    tar -xzf /tmp/gateway.tar.gz -C /tmp && \
+    mv /tmp/rep-gateway /rep-gateway && \
+    chmod +x /rep-gateway
+
+# ── Stage 2: Build the Next.js application ────────────────────────────────────
+FROM node:22-alpine AS builder
+WORKDIR /app
+
+COPY package.json package-lock.json* ./
+RUN npm ci
+
+COPY . .
+
+# Standalone output bundles the Next.js server into a self-contained directory.
+# Required for this pattern — update next.config.ts: output: 'standalone'
+RUN npm run build
+
+# ── Stage 3: Runtime image — Node.js + gateway in one container ───────────────
+FROM node:22-alpine AS runner
+WORKDIR /app
+
+# Gateway binary
+COPY --from=gateway /rep-gateway /usr/local/bin/rep-gateway
+
+# Next.js standalone build
+COPY --from=builder --chown=node:node /app/.next/standalone ./
+COPY --from=builder --chown=node:node /app/.next/static     ./.next/static
+COPY --from=builder --chown=node:node /app/public           ./public
+
+# Startup script
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+
+USER node
+
+# Gateway is the public-facing port
+EXPOSE 8080
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
diff --git a/examples/nextjs-proxy/docker-compose.yml b/examples/nextjs-proxy/docker-compose.yml
new file mode 100644
index 0000000..f73cc7e
--- /dev/null
+++ b/examples/nextjs-proxy/docker-compose.yml
@@ -0,0 +1,52 @@
+# examples/nextjs-proxy/docker-compose.yml
+#
+# Two-service stack: REP gateway (proxy mode) + Next.js application server.
+#
+#   Client → REP Gateway :8080 → Next.js :3000
+#
+# The gateway intercepts HTML responses from Next.js and injects the
+# __rep__ payload before the browser receives them.
+#
+# Usage:
+#   docker compose up
+#   REP_PUBLIC_API_URL=https://api.prod.example.com docker compose up
+#
+# Change config without rebuilding: update the environment block below,
+# then `docker compose up -d gateway` to restart only the gateway.
+
+services:
+
+  # ── REP Gateway ──────────────────────────────────────────────────────────────
+  gateway:
+    image: ghcr.io/ruachtech/rep/gateway:0.1.3
+    ports:
+      - "8080:8080"
+    environment:
+      # Gateway config
+      REP_GATEWAY_MODE: proxy
+      REP_GATEWAY_PORT: "8080"
+      REP_GATEWAY_UPSTREAM: "app:3000"
+      REP_GATEWAY_HOT_RELOAD: "true"
+      REP_GATEWAY_HOT_RELOAD_MODE: signal
+      REP_GATEWAY_ALLOWED_ORIGINS: "http://localhost:8080"
+
+      # Application variables — change these per environment, not the Next.js image
+      REP_PUBLIC_API_URL: "http://localhost:3001"
+      REP_PUBLIC_ENV_NAME: "development"
+      REP_PUBLIC_FEATURE_FLAGS: "dark-mode"
+      REP_SENSITIVE_ANALYTICS_KEY: "ak_dev_replace_me"
+    depends_on:
+      - app
+    restart: unless-stopped
+
+  # ── Next.js application ───────────────────────────────────────────────────────
+  app:
+    build: .
+    # Next.js server is NOT exposed externally — all traffic goes through the gateway
+    expose:
+      - "3000"
+    # No REP_PUBLIC_* vars here — they are injected by the gateway at request time,
+    # not embedded into the Next.js build.
+    environment:
+      NODE_ENV: production
+    restart: unless-stopped
diff --git a/examples/nextjs-proxy/docker-entrypoint.sh b/examples/nextjs-proxy/docker-entrypoint.sh
new file mode 100644
index 0000000..1519d86
--- /dev/null
+++ b/examples/nextjs-proxy/docker-entrypoint.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+# docker-entrypoint.sh
+#
+# Starts the Next.js server in the background on :3000,
+# then the REP gateway in proxy mode on :8080 in the foreground.
+#
+# The gateway receives REP_PUBLIC_* / REP_SENSITIVE_* / REP_GATEWAY_*
+# from the container environment (Kubernetes ConfigMap / Secret / Deployment env).
+
+set -e
+
+echo "[entrypoint] Starting Next.js server on :3000"
+NODE_ENV=production node /app/server.js &
+NEXTJS_PID=$!
+
+# Brief pause to let Next.js bind before the gateway starts proxying
+sleep 1
+
+echo "[entrypoint] Starting REP gateway on :${REP_GATEWAY_PORT:-8080} (proxy → localhost:3000)"
+exec /usr/local/bin/rep-gateway \
+  --mode proxy \
+  --port "${REP_GATEWAY_PORT:-8080}" \
+  --upstream "localhost:3000"
diff --git a/examples/nextjs-proxy/next.config.ts b/examples/nextjs-proxy/next.config.ts
new file mode 100644
index 0000000..49a1cc9
--- /dev/null
+++ b/examples/nextjs-proxy/next.config.ts
@@ -0,0 +1,15 @@
+import type { NextConfig } from 'next';
+
+const nextConfig: NextConfig = {
+  // Standalone output bundles the Next.js server into .next/standalone.
+  // Required for Dockerfile.single (single container: gateway + Next.js).
+  // Also compatible with the two-service docker-compose.yml setup.
+  output: 'standalone',
+
+  // REP proxy mode: the gateway sits in front of the Next.js server.
+  // No special Next.js config is needed beyond the above — REP works by
+  // intercepting HTML responses and injecting the __rep__ payload.
+  // Client components read config via rep.get() / useRep().
+};
+
+export default nextConfig;
diff --git a/examples/nextjs-proxy/package.json b/examples/nextjs-proxy/package.json
new file mode 100644
index 0000000..cb36266
--- /dev/null
+++ b/examples/nextjs-proxy/package.json
@@ -0,0 +1,26 @@
+{
+  "name": "rep-nextjs-proxy-example",
+  "version": "0.1.0",
+  "private": true,
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "start": "next start",
+    "rep:validate": "rep validate",
+    "rep:typegen": "rep typegen --output src/rep.d.ts"
+  },
+  "dependencies": {
+    "next": "^15.0.0",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0",
+    "@rep-protocol/sdk": "^0.1.8",
+    "@rep-protocol/react": "^0.1.8"
+  },
+  "devDependencies": {
+    "@rep-protocol/cli": "^0.1.8",
+    "@types/node": "^22.0.0",
+    "@types/react": "^19.0.0",
+    "@types/react-dom": "^19.0.0",
+    "typescript": "^5.4.0"
+  }
+}
diff --git a/examples/nextjs-proxy/src/app/layout.tsx b/examples/nextjs-proxy/src/app/layout.tsx
new file mode 100644
index 0000000..2d27823
--- /dev/null
+++ b/examples/nextjs-proxy/src/app/layout.tsx
@@ -0,0 +1,13 @@
+import type { Metadata } from 'next';
+
+export const metadata: Metadata = {
+  title: 'REP — Next.js Proxy Example',
+};
+
+export default function RootLayout({ children }: { children: React.ReactNode }) {
+  return (
+    <html lang="en">
+      <body>{children}</body>
+    </html>
+  );
+}
diff --git a/examples/nextjs-proxy/src/app/page.tsx b/examples/nextjs-proxy/src/app/page.tsx
new file mode 100644
index 0000000..4a9c199
--- /dev/null
+++ b/examples/nextjs-proxy/src/app/page.tsx
@@ -0,0 +1,20 @@
+// Server component — renders the shell.
+// REP SDK access happens in client components below.
+import { IntegrityBanner } from '@/components/IntegrityBanner';
+import { EnvDisplay } from '@/components/EnvDisplay';
+
+export default function HomePage() {
+  return (
+    <main style={{ fontFamily: 'system-ui', maxWidth: 640, margin: '4rem auto', padding: '0 1rem' }}>
+      {/* Verifies the payload was not modified in transit (SRI hash check) */}
+      <IntegrityBanner />
+      <h1>REP — Next.js Proxy Mode</h1>
+      <p>
+        The REP gateway is running in <strong>proxy mode</strong> in front of this
+        Next.js server. It intercepts HTML responses and injects environment variables
+        before the browser receives them. No rebuilds required when config changes.
+      </p>
+      <EnvDisplay />
+    </main>
+  );
+}
diff --git a/examples/nextjs-proxy/src/components/EnvDisplay.tsx b/examples/nextjs-proxy/src/components/EnvDisplay.tsx
new file mode 100644
index 0000000..779f37a
--- /dev/null
+++ b/examples/nextjs-proxy/src/components/EnvDisplay.tsx
@@ -0,0 +1,58 @@
+'use client';
+
+// REP SDK runs in the browser — must be in a 'use client' component.
+// rep.get() is synchronous: no loading state, no Suspense needed.
+import { useRep, useRepSecure } from '@rep-protocol/react';
+import { rep } from '@rep-protocol/sdk';
+
+export function EnvDisplay() {
+  // Public vars — synchronous, available on first render
+  const apiUrl   = useRep('API_URL',   'http://localhost:3001');
+  const envName  = useRep('ENV_NAME',  'development');
+  const features = useRep('FEATURE_FLAGS', '');
+
+  // Sensitive var — async, decrypted via the session-key endpoint
+  const { value: analyticsKey, loading: keyLoading } = useRepSecure('ANALYTICS_KEY');
+
+  // Payload metadata
+  const meta = rep.meta();
+
+  return (
+    <section>
+      <h2>Runtime Config</h2>
+      <table style={{ borderCollapse: 'collapse', width: '100%' }}>
+        <tbody>
+          <Row label="ENV_NAME"      value={envName} />
+          <Row label="API_URL"       value={apiUrl} />
+          <Row label="FEATURE_FLAGS" value={features || '(none)'} />
+          <Row
+            label="ANALYTICS_KEY"
+            value={keyLoading ? 'decrypting…' : (analyticsKey ? `${analyticsKey.slice(0, 4)}…` : 'not set')}
+          />
+        </tbody>
+      </table>
+
+      {meta && (
+        <>
+          <h2>Payload Metadata</h2>
+          <table style={{ borderCollapse: 'collapse', width: '100%' }}>
+            <tbody>
+              <Row label="REP version"  value={meta.version} />
+              <Row label="Injected at"  value={meta.injectedAt} />
+              <Row label="Hot reload"   value={meta.hotReloadEndpoint ?? 'disabled'} />
+            </tbody>
+          </table>
+        </>
+      )}
+    </section>
+  );
+}
+
+function Row({ label, value }: { label: string; value: string }) {
+  return (
+    <tr style={{ borderBottom: '1px solid #e5e7eb' }}>
+      <td style={{ padding: '0.5rem', fontWeight: 600, width: 180 }}>{label}</td>
+      <td style={{ padding: '0.5rem' }}><code>{value}</code></td>
+    </tr>
+  );
+}
diff --git a/examples/nextjs-proxy/src/components/IntegrityBanner.tsx b/examples/nextjs-proxy/src/components/IntegrityBanner.tsx
new file mode 100644
index 0000000..9965814
--- /dev/null
+++ b/examples/nextjs-proxy/src/components/IntegrityBanner.tsx
@@ -0,0 +1,67 @@
+'use client';
+
+// Verifies the REP payload has not been modified in transit.
+//
+// The gateway embeds a SHA-256 SRI hash as `data-rep-integrity` on the
+// <script id="__rep__"> tag. The SDK recomputes this hash in the browser
+// (Web Crypto API) and compares. A mismatch means the payload JSON was
+// altered after the gateway injected it — e.g., by a CDN serving a cached
+// tampered response or a misconfigured reverse proxy mutating the body.
+//
+// This is a client-side transit-integrity check. It does not prove the
+// payload came from your gateway (no source authentication); it proves the
+// content you received was not modified after injection.
+import { useEffect, useState } from 'react';
+import { rep } from '@rep-protocol/sdk';
+
+type Status = 'checking' | 'ok' | 'failed' | 'unavailable';
+
+const styles: Record<Status, React.CSSProperties> = {
+  checking:    { background: '#f3f4f6', color: '#374151', border: '1px solid #e5e7eb' },
+  ok:          { background: '#dcfce7', color: '#166534', border: '1px solid #bbf7d0' },
+  failed:      { background: '#fee2e2', color: '#991b1b', border: '1px solid #fecaca' },
+  unavailable: { background: '#f3f4f6', color: '#374151', border: '1px solid #e5e7eb' },
+};
+
+const messages: Record<Status, string> = {
+  checking:    '⏳ Verifying payload integrity…',
+  ok:          '✅ Integrity verified — payload matches the gateway-injected hash',
+  failed:      '🚨 Integrity check FAILED — payload may have been modified in transit. Do not trust these values.',
+  unavailable: '⚪ No REP payload detected (running without the gateway?)',
+};
+
+export function IntegrityBanner() {
+  const [status, setStatus] = useState<Status>('checking');
+
+  useEffect(() => {
+    // rep.verify() reads the _tampered flag which is set by an async
+    // microtask (_verifySRI) that fires during SDK module init.
+    // Awaiting a resolved promise lets that microtask settle first.
+    Promise.resolve().then(() => {
+      const meta = rep.meta();
+      if (!meta) {
+        setStatus('unavailable');
+      } else if (rep.verify()) {
+        setStatus('ok');
+      } else {
+        setStatus('failed');
+        console.error('[REP] Integrity check failed. Payload may have been tampered with.');
+      }
+    });
+  }, []);
+
+  return (
+    <div
+      role={status === 'failed' ? 'alert' : 'status'}
+      style={{
+        padding: '0.6rem 1rem',
+        borderRadius: 6,
+        marginBottom: '1.5rem',
+        fontSize: '0.875rem',
+        ...styles[status],
+      }}
+    >
+      {messages[status]}
+    </div>
+  );
+}
diff --git a/examples/nextjs-proxy/tsconfig.json b/examples/nextjs-proxy/tsconfig.json
new file mode 100644
index 0000000..fba2bf3
--- /dev/null
+++ b/examples/nextjs-proxy/tsconfig.json
@@ -0,0 +1,21 @@
+{
+  "compilerOptions": {
+    "target": "ES2017",
+    "lib": ["dom", "dom.iterable", "esnext"],
+    "allowJs": true,
+    "skipLibCheck": true,
+    "strict": true,
+    "noEmit": true,
+    "esModuleInterop": true,
+    "module": "esnext",
+    "moduleResolution": "bundler",
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "jsx": "preserve",
+    "incremental": true,
+    "plugins": [{ "name": "next" }],
+    "paths": { "@/*": ["./src/*"] }
+  },
+  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
+  "exclude": ["node_modules"]
+}
diff --git a/examples/simple-html/.env.example b/examples/simple-html/.env.example
new file mode 100644
index 0000000..01b4b0c
--- /dev/null
+++ b/examples/simple-html/.env.example
@@ -0,0 +1,12 @@
+# .env.example — copy to .env.local for local development
+# Pass these at container runtime, not build time.
+
+REP_PUBLIC_APP_TITLE=REP Demo
+REP_PUBLIC_API_URL=http://localhost:3001
+REP_PUBLIC_ENV_NAME=development
+REP_PUBLIC_FEATURE_FLAGS=dark-mode,beta
+REP_SENSITIVE_ANALYTICS_KEY=ak_dev_replace_me
+
+# Gateway config (optional)
+# REP_GATEWAY_PORT=8080
+# REP_GATEWAY_HOT_RELOAD=true
diff --git a/examples/simple-html/.rep.yaml b/examples/simple-html/.rep.yaml
new file mode 100644
index 0000000..da95865
--- /dev/null
+++ b/examples/simple-html/.rep.yaml
@@ -0,0 +1,45 @@
+# .rep.yaml — REP manifest for the simple-html example
+# Optional. Run `rep validate` and `rep typegen` from this directory.
+
+version: "0.1.0"
+
+variables:
+  APP_TITLE:
+    tier: public
+    type: string
+    required: false
+    default: "REP Demo"
+    description: "Application title shown in the page heading and browser tab"
+
+  API_URL:
+    tier: public
+    type: url
+    required: true
+    description: "Backend API base URL"
+    example: "https://api.example.com"
+
+  ENV_NAME:
+    tier: public
+    type: enum
+    required: true
+    values: ["development", "staging", "production"]
+    description: "Deployment environment"
+
+  FEATURE_FLAGS:
+    tier: public
+    type: csv
+    required: false
+    default: ""
+    description: "Comma-separated list of active feature flags"
+    example: "dark-mode,beta"
+
+  ANALYTICS_KEY:
+    tier: sensitive
+    type: string
+    required: false
+    description: "Analytics write key — encrypted in transit, never visible in page source"
+    example: "ak_live_abc123"
+
+settings:
+  strict_guardrails: true
+  session_key_ttl: "30s"
diff --git a/examples/simple-html/Dockerfile b/examples/simple-html/Dockerfile
new file mode 100644
index 0000000..1d4cc2f
--- /dev/null
+++ b/examples/simple-html/Dockerfile
@@ -0,0 +1,51 @@
+# examples/simple-html/Dockerfile
+#
+# Zero build-step example — a single HTML file served by the REP gateway
+# in embedded mode. The SDK is loaded via esm.sh at runtime.
+#
+# Build:
+#   docker build -t rep-simple-html .
+#
+# Run:
+#   docker run --rm -p 8080:8080 \
+#     -e REP_PUBLIC_APP_TITLE="My App" \
+#     -e REP_PUBLIC_API_URL=https://api.example.com \
+#     -e REP_PUBLIC_ENV_NAME=production \
+#     -e REP_PUBLIC_FEATURE_FLAGS=dark-mode,beta \
+#     -e REP_SENSITIVE_ANALYTICS_KEY=ak_live_abc123 \
+#     rep-simple-html
+
+# ── Stage 1: Download pre-built REP Gateway binary ────────────────────────────
+FROM alpine:3.21 AS gateway
+
+ARG GATEWAY_VERSION=0.1.3
+ARG TARGETARCH=amd64
+
+RUN apk add --no-cache curl ca-certificates && \
+    ARCHIVE="rep-gateway_${GATEWAY_VERSION}_linux_${TARGETARCH}.tar.gz" && \
+    curl -fsSL \
+      "https://github.com/RuachTech/rep/releases/download/gateway/v${GATEWAY_VERSION}/${ARCHIVE}" \
+      -o /tmp/gateway.tar.gz && \
+    tar -xzf /tmp/gateway.tar.gz -C /tmp && \
+    mv /tmp/rep-gateway /rep-gateway && \
+    chmod +x /rep-gateway
+
+# ── Stage 2: Minimal runtime image (FROM scratch) ──────────────────────────────
+FROM scratch
+
+# Gateway binary
+COPY --from=gateway /rep-gateway /rep-gateway
+
+# Static HTML file — the only "app" artefact
+COPY index.html /static/index.html
+
+# CA certificates for esm.sh and /rep/session-key HTTPS calls from the browser
+COPY --from=gateway /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+# Non-root user (nobody)
+USER 65534:65534
+
+EXPOSE 8080
+
+# Embedded mode: gateway serves /static directly, no upstream needed
+ENTRYPOINT ["/rep-gateway", "--mode", "embedded", "--static-dir", "/static"]
diff --git a/examples/simple-html/index.html b/examples/simple-html/index.html
new file mode 100644
index 0000000..85fd090
--- /dev/null
+++ b/examples/simple-html/index.html
@@ -0,0 +1,135 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>REP — Simple HTML Example</title>
+  <style>
+    body { font-family: system-ui, sans-serif; max-width: 640px; margin: 4rem auto; padding: 0 1rem; }
+    pre  { background: #f4f4f4; padding: 1rem; border-radius: 6px; overflow-x: auto; }
+    .badge { display: inline-block; padding: 2px 8px; border-radius: 4px; font-size: 0.8rem; font-weight: 600; }
+    .badge-development { background: #fef3c7; color: #92400e; }
+    .badge-staging     { background: #dbeafe; color: #1e40af; }
+    .badge-production  { background: #dcfce7; color: #166534; }
+    .encrypted { color: #6b7280; font-style: italic; }
+    .row { display: flex; gap: 1rem; align-items: baseline; border-bottom: 1px solid #e5e7eb; padding: 0.5rem 0; }
+    .label { font-weight: 600; min-width: 160px; }
+    .integrity-banner { padding: 0.6rem 1rem; border-radius: 6px; margin-bottom: 1.5rem; font-size: 0.9rem; }
+    .integrity-ok      { background: #dcfce7; color: #166534; border: 1px solid #bbf7d0; }
+    .integrity-fail    { background: #fee2e2; color: #991b1b; border: 1px solid #fecaca; }
+    .integrity-unknown { background: #f3f4f6; color: #374151; border: 1px solid #e5e7eb; }
+  </style>
+
+  <!--
+    REP SDK loaded via esm.sh — no build step required.
+    The gateway injects the __rep__ payload before this script runs,
+    so rep.get() is available synchronously.
+  -->
+  <script type="module">
+    import { rep } from 'https://esm.sh/@rep-protocol/sdk@0.1.8';
+
+    // ── PUBLIC vars — synchronous, available immediately ──────────────────────
+    const appTitle = rep.get('APP_TITLE', 'REP Demo');
+    const apiUrl   = rep.get('API_URL',   'http://localhost:3001');
+    const envName  = rep.get('ENV_NAME',  'development');
+    const features = rep.get('FEATURE_FLAGS', '');
+
+    document.title = appTitle;
+    document.getElementById('app-title').textContent = appTitle;
+    document.getElementById('api-url').textContent   = apiUrl;
+    document.getElementById('env-name').textContent  = envName;
+    document.getElementById('env-badge').className   = `badge badge-${envName}`;
+    document.getElementById('features').textContent  = features || '(none)';
+
+    // ── Payload metadata ──────────────────────────────────────────────────────
+    const meta = rep.meta();
+    if (meta) {
+      document.getElementById('injected-at').textContent = meta.injectedAt;
+      document.getElementById('rep-version').textContent = meta.version;
+    }
+
+    // ── Integrity verification ────────────────────────────────────────────────
+    // rep.verify() checks a SHA-256 SRI hash on the __rep__ script tag using
+    // the Web Crypto API. The gateway embeds this hash as data-rep-integrity.
+    // A false result means the payload JSON was modified after the gateway
+    // injected it — e.g., by a CDN caching a tampered response or a
+    // misconfigured proxy altering the response body.
+    //
+    // The underlying _verifySRI() check fires as a microtask during module
+    // init, so we await a resolved promise to let it settle before reading.
+    await Promise.resolve();
+
+    const banner = document.getElementById('integrity-banner');
+    if (!rep.meta()) {
+      // No REP payload present (e.g., running without the gateway)
+      banner.className = 'integrity-banner integrity-unknown';
+      banner.textContent = '⚪ Integrity: no REP payload detected (running without gateway?)';
+    } else if (rep.verify()) {
+      banner.className = 'integrity-banner integrity-ok';
+      banner.textContent = '✅ Integrity: payload verified — content matches the gateway-injected hash';
+    } else {
+      banner.className = 'integrity-banner integrity-fail';
+      banner.textContent = '🚨 Integrity check FAILED — payload may have been modified in transit. Do not trust these values.';
+      // In a real app you might refuse to render, redirect, or alert your monitoring.
+      console.error('[REP] Integrity check failed. Payload may have been tampered with.');
+    }
+
+    // ── SENSITIVE vars — AES-256-GCM encrypted, decrypted on demand ──────────
+    try {
+      const analyticsKey = await rep.getSecure('ANALYTICS_KEY');
+      document.getElementById('analytics-status').textContent =
+        analyticsKey ? `loaded (${analyticsKey.slice(0, 4)}…)` : 'not set';
+    } catch (err) {
+      document.getElementById('analytics-status').textContent = `error: ${err.message}`;
+    }
+
+    // ── Hot reload — listen for config changes pushed via SSE ─────────────────
+    rep.onChange('FEATURE_FLAGS', (next, prev) => {
+      document.getElementById('features').textContent = next || '(none)';
+      console.log(`[REP] FEATURE_FLAGS changed: "${prev}" → "${next}"`);
+    });
+  </script>
+</head>
+<body>
+
+  <div id="integrity-banner" class="integrity-banner integrity-unknown">⏳ Verifying payload integrity…</div>
+
+  <h1 id="app-title">Loading…</h1>
+  <p>
+    Environment: <span id="env-badge" class="badge"><span id="env-name">…</span></span>
+  </p>
+
+  <h2>Runtime Config</h2>
+  <div>
+    <div class="row"><span class="label">API_URL</span>       <code id="api-url"></code></div>
+    <div class="row"><span class="label">FEATURE_FLAGS</span> <code id="features"></code></div>
+    <div class="row"><span class="label">ANALYTICS_KEY</span> <span id="analytics-status" class="encrypted">decrypting…</span></div>
+  </div>
+
+  <h2>Payload Metadata</h2>
+  <div>
+    <div class="row"><span class="label">REP version</span>  <code id="rep-version"></code></div>
+    <div class="row"><span class="label">Injected at</span>  <code id="injected-at"></code></div>
+  </div>
+
+  <h2>About this example</h2>
+  <p>
+    This is a plain HTML file — no build step, no bundler, no framework.
+    The REP SDK is loaded directly from <a href="https://esm.sh">esm.sh</a>.
+    The gateway serves this file in <strong>embedded mode</strong> and injects
+    environment variables into the <code>&lt;script id="__rep__"&gt;</code> tag
+    before the browser receives it.
+  </p>
+  <pre>
+docker build -t rep-simple-html .
+docker run --rm -p 8080:8080 \
+  -e REP_PUBLIC_APP_TITLE="My App" \
+  -e REP_PUBLIC_API_URL=https://api.example.com \
+  -e REP_PUBLIC_ENV_NAME=production \
+  -e REP_PUBLIC_FEATURE_FLAGS=dark-mode,beta \
+  -e REP_SENSITIVE_ANALYTICS_KEY=ak_live_abc123 \
+  rep-simple-html
+  </pre>
+
+</body>
+</html>