npm - @chemmangat/msal-next - Versions diffs - 4.0.2 → 4.1.0 - Mend

@chemmangat/msal-next 4.0.2 → 4.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/index.mjs CHANGED Viewed

@@ -1,32 +1,236 @@
-import {MsalProvider,useMsal,useAccount}from'@azure/msal-react';export{useAccount,useIsAuthenticated,useMsal}from'@azure/msal-react';import {LogLevel,PublicClientApplication,EventType,InteractionStatus}from'@azure/msal-browser';import {createContext,useState,useRef,useEffect,useMemo,useCallback,Component}from'react';import {jsx,Fragment,jsxs}from'react/jsx-runtime';import {useRouter}from'next/navigation';import {NextResponse}from'next/server';function j(t,e){try{let r=JSON.parse(t);return e(r)?r:(console.warn("[Validation] JSON validation failed"),null)}catch(r){return console.error("[Validation] JSON parse error:",r),null}}function Z(t){return typeof t=="object"&&t!==null&&typeof t.homeAccountId=="string"&&t.homeAccountId.length>0&&typeof t.username=="string"&&t.username.length>0&&(t.name===void 0||typeof t.name=="string")}function R(t){return t instanceof Error?t.message.replace(/[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}/g,"[TOKEN_REDACTED]").replace(/[a-f0-9]{32,}/gi,"[SECRET_REDACTED]").replace(/Bearer\s+[^\s]+/gi,"Bearer [REDACTED]"):"An unexpected error occurred"}function V(t,e){try{let r=new URL(t);return e.some(o=>{let i=new URL(o);return r.origin===i.origin})}catch{return  false}}function fe(t){return /^[a-zA-Z0-9._-]+$/.test(t)}function Ne(t){return Array.isArray(t)&&t.every(fe)}function X(t){if(t.msalConfig)return t.msalConfig;let{clientId:e,tenantId:r,authorityType:o="common",redirectUri:i,postLogoutRedirectUri:s,cacheLocation:p="sessionStorage",storeAuthStateInCookie:u=false,navigateToLoginRequestUrl:l=false,enableLogging:a=false,loggerCallback:m,allowedRedirectUris:h}=t;if(!e)throw new Error("@chemmangat/msal-next: clientId is required");let c=()=>{if(o==="tenant"){if(!r)throw new Error('@chemmangat/msal-next: tenantId is required when authorityType is "tenant"');return `https://login.microsoftonline.com/${r}`}return `https://login.microsoftonline.com/${o}`},n=typeof window<"u"?window.location.origin:"http://localhost:3000",f=i||n;if(h&&h.length>0){if(!V(f,h))throw new Error(`@chemmangat/msal-next: redirectUri "${f}" is not in the allowed list`);let d=s||f;if(!V(d,h))throw new Error(`@chemmangat/msal-next: postLogoutRedirectUri "${d}" is not in the allowed list`)}return {auth:{clientId:e,authority:c(),redirectUri:f,postLogoutRedirectUri:s||f,navigateToLoginRequestUrl:l},cache:{cacheLocation:p,storeAuthStateInCookie:u},system:{loggerOptions:{loggerCallback:m||((d,y,C)=>{if(!(C||!a))switch(d){case LogLevel.Error:console.error("[MSAL]",y);break;case LogLevel.Warning:console.warn("[MSAL]",y);break;case LogLevel.Info:console.info("[MSAL]",y);break;case LogLevel.Verbose:console.debug("[MSAL]",y);break}}),logLevel:a?LogLevel.Verbose:LogLevel.Error}}}}var J=null,ge=false;function Y(t){if(process.env.NODE_ENV!=="development")return {valid:true,warnings:[],errors:[]};if(J)return J;let e=[],r=[];if(t.clientId?he(t.clientId)?e.push({field:"clientId",message:"Client ID appears to be a placeholder",fix:`Replace the placeholder with your actual Application (client) ID from Azure Portal.
+"use client";
-Current value: ${t.clientId}
-Expected format: 12345678-1234-1234-1234-123456789012 (GUID)`}):me(t.clientId)||e.push({field:"clientId",message:"Client ID format is invalid",fix:`Client ID should be a GUID (UUID) format.
+// src/components/MsalAuthProvider.tsx
+import { MsalProvider } from "@azure/msal-react";
+import { PublicClientApplication, EventType } from "@azure/msal-browser";
+import { useEffect as useEffect2, useState, useRef as useRef2 } from "react";
-Current value: ${t.clientId}
-Expected format: 12345678-1234-1234-1234-123456789012
+// src/utils/createMsalConfig.ts
+import { LogLevel } from "@azure/msal-browser";
+// src/utils/validation.ts
+function safeJsonParse(jsonString, validator) {
+  try {
+    const parsed = JSON.parse(jsonString);
+    if (validator(parsed)) {
+      return parsed;
+    }
+    console.warn("[Validation] JSON validation failed");
+    return null;
+  } catch (error) {
+    console.error("[Validation] JSON parse error:", error);
+    return null;
+  }
+}
+function isValidAccountData(data) {
+  return typeof data === "object" && data !== null && typeof data.homeAccountId === "string" && data.homeAccountId.length > 0 && typeof data.username === "string" && data.username.length > 0 && (data.name === void 0 || typeof data.name === "string");
+}
+function sanitizeError(error) {
+  if (error instanceof Error) {
+    const message = error.message;
+    const sanitized = message.replace(/[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}/g, "[TOKEN_REDACTED]").replace(/[a-f0-9]{32,}/gi, "[SECRET_REDACTED]").replace(/Bearer\s+[^\s]+/gi, "Bearer [REDACTED]");
+    return sanitized;
+  }
+  return "An unexpected error occurred";
+}
+function isValidRedirectUri(uri, allowedOrigins) {
+  try {
+    const url = new URL(uri);
+    return allowedOrigins.some((allowed) => {
+      const allowedUrl = new URL(allowed);
+      return url.origin === allowedUrl.origin;
+    });
+  } catch {
+    return false;
+  }
+}
+function isValidScope(scope) {
+  return /^[a-zA-Z0-9._-]+$/.test(scope);
+}
+function validateScopes(scopes) {
+  return Array.isArray(scopes) && scopes.every(isValidScope);
+}
+// src/utils/createMsalConfig.ts
+function createMsalConfig(config) {
+  if (config.msalConfig) {
+    return config.msalConfig;
+  }
+  const {
+    clientId,
+    tenantId,
+    authorityType = "common",
+    redirectUri,
+    postLogoutRedirectUri,
+    cacheLocation = "sessionStorage",
+    storeAuthStateInCookie = false,
+    navigateToLoginRequestUrl = false,
+    enableLogging = false,
+    loggerCallback,
+    allowedRedirectUris
+  } = config;
+  if (!clientId) {
+    throw new Error("@chemmangat/msal-next: clientId is required");
+  }
+  const getAuthority = () => {
+    if (authorityType === "tenant") {
+      if (!tenantId) {
+        throw new Error('@chemmangat/msal-next: tenantId is required when authorityType is "tenant"');
+      }
+      return `https://login.microsoftonline.com/${tenantId}`;
+    }
+    return `https://login.microsoftonline.com/${authorityType}`;
+  };
+  const defaultRedirectUri = typeof window !== "undefined" ? window.location.origin : "http://localhost:3000";
+  const finalRedirectUri = redirectUri || defaultRedirectUri;
+  if (allowedRedirectUris && allowedRedirectUris.length > 0) {
+    if (!isValidRedirectUri(finalRedirectUri, allowedRedirectUris)) {
+      throw new Error(
+        `@chemmangat/msal-next: redirectUri "${finalRedirectUri}" is not in the allowed list`
+      );
+    }
+    const finalPostLogoutUri = postLogoutRedirectUri || finalRedirectUri;
+    if (!isValidRedirectUri(finalPostLogoutUri, allowedRedirectUris)) {
+      throw new Error(
+        `@chemmangat/msal-next: postLogoutRedirectUri "${finalPostLogoutUri}" is not in the allowed list`
+      );
+    }
+  }
+  const msalConfig = {
+    auth: {
+      clientId,
+      authority: getAuthority(),
+      redirectUri: finalRedirectUri,
+      postLogoutRedirectUri: postLogoutRedirectUri || finalRedirectUri,
+      navigateToLoginRequestUrl
+    },
+    cache: {
+      cacheLocation,
+      storeAuthStateInCookie
+    },
+    system: {
+      loggerOptions: {
+        loggerCallback: loggerCallback || ((level, message, containsPii) => {
+          if (containsPii || !enableLogging) return;
+          switch (level) {
+            case LogLevel.Error:
+              console.error("[MSAL]", message);
+              break;
+            case LogLevel.Warning:
+              console.warn("[MSAL]", message);
+              break;
+            case LogLevel.Info:
+              console.info("[MSAL]", message);
+              break;
+            case LogLevel.Verbose:
+              console.debug("[MSAL]", message);
+              break;
+          }
+        }),
+        logLevel: enableLogging ? LogLevel.Verbose : LogLevel.Error
+      }
+    }
+  };
+  return msalConfig;
+}
+// src/utils/configValidator.ts
+var validationCache = null;
+var hasDisplayedResults = false;
+function validateConfig(config) {
+  if (process.env.NODE_ENV !== "development") {
+    return { valid: true, warnings: [], errors: [] };
+  }
+  if (validationCache) {
+    return validationCache;
+  }
+  const warnings = [];
+  const errors = [];
+  if (!config.clientId) {
+    errors.push({
+      field: "clientId",
+      message: "Client ID is missing",
+      fix: `Add NEXT_PUBLIC_AZURE_AD_CLIENT_ID to your .env.local file.
-Get the correct value from: Azure Portal \u2192 App registrations \u2192 Your app`}):r.push({field:"clientId",message:"Client ID is missing",fix:`Add NEXT_PUBLIC_AZURE_AD_CLIENT_ID to your .env.local file.
+Get it from: Azure Portal \u2192 App registrations \u2192 Your app \u2192 Application (client) ID`
+    });
+  } else if (isPlaceholderValue(config.clientId)) {
+    warnings.push({
+      field: "clientId",
+      message: "Client ID appears to be a placeholder",
+      fix: `Replace the placeholder with your actual Application (client) ID from Azure Portal.
-Get it from: Azure Portal \u2192 App registrations \u2192 Your app \u2192 Application (client) ID`}),t.tenantId&&(he(t.tenantId)?e.push({field:"tenantId",message:"Tenant ID appears to be a placeholder",fix:`Replace the placeholder with your actual Directory (tenant) ID from Azure Portal.
+Current value: ${config.clientId}
+Expected format: 12345678-1234-1234-1234-123456789012 (GUID)`
+    });
+  } else if (!isValidGuid(config.clientId)) {
+    warnings.push({
+      field: "clientId",
+      message: "Client ID format is invalid",
+      fix: `Client ID should be a GUID (UUID) format.
-Current value: ${t.tenantId}
+Current value: ${config.clientId}
+Expected format: 12345678-1234-1234-1234-123456789012
+Get the correct value from: Azure Portal \u2192 App registrations \u2192 Your app`
+    });
+  }
+  if (config.tenantId) {
+    if (isPlaceholderValue(config.tenantId)) {
+      warnings.push({
+        field: "tenantId",
+        message: "Tenant ID appears to be a placeholder",
+        fix: `Replace the placeholder with your actual Directory (tenant) ID from Azure Portal.
+Current value: ${config.tenantId}
 Expected format: 87654321-4321-4321-4321-210987654321 (GUID)
-Or remove tenantId and use authorityType: 'common' for multi-tenant apps.`}):me(t.tenantId)||e.push({field:"tenantId",message:"Tenant ID format is invalid",fix:`Tenant ID should be a GUID (UUID) format.
+Or remove tenantId and use authorityType: 'common' for multi-tenant apps.`
+      });
+    } else if (!isValidGuid(config.tenantId)) {
+      warnings.push({
+        field: "tenantId",
+        message: "Tenant ID format is invalid",
+        fix: `Tenant ID should be a GUID (UUID) format.
-Current value: ${t.tenantId}
+Current value: ${config.tenantId}
 Expected format: 87654321-4321-4321-4321-210987654321
-Get the correct value from: Azure Portal \u2192 Azure Active Directory \u2192 Properties \u2192 Tenant ID`})),t.redirectUri&&(ke(t.redirectUri)&&!t.redirectUri.startsWith("https://")&&r.push({field:"redirectUri",message:"Production redirect URI must use HTTPS",fix:`Change your redirect URI to use HTTPS in production.
+Get the correct value from: Azure Portal \u2192 Azure Active Directory \u2192 Properties \u2192 Tenant ID`
+      });
+    }
+  }
+  if (config.redirectUri) {
+    if (isProductionUrl(config.redirectUri) && !config.redirectUri.startsWith("https://")) {
+      errors.push({
+        field: "redirectUri",
+        message: "Production redirect URI must use HTTPS",
+        fix: `Change your redirect URI to use HTTPS in production.
-Current value: ${t.redirectUri}
-Should be: ${t.redirectUri.replace("http://","https://")}
+Current value: ${config.redirectUri}
+Should be: ${config.redirectUri.replace("http://", "https://")}
-HTTP is only allowed for localhost development.`}),_e(t.redirectUri)||r.push({field:"redirectUri",message:"Redirect URI is not a valid URL",fix:`Provide a valid URL for redirectUri.
+HTTP is only allowed for localhost development.`
+      });
+    }
+    if (!isValidUrl(config.redirectUri)) {
+      errors.push({
+        field: "redirectUri",
+        message: "Redirect URI is not a valid URL",
+        fix: `Provide a valid URL for redirectUri.
-Current value: ${t.redirectUri}
-Expected format: https://yourdomain.com or http://localhost:3000`})),t.scopes&&t.scopes.length>0){let i=t.scopes.filter(s=>!Fe(s));i.length>0&&e.push({field:"scopes",message:"Some scopes have invalid format",fix:`Invalid scopes: ${i.join(", ")}
+Current value: ${config.redirectUri}
+Expected format: https://yourdomain.com or http://localhost:3000`
+      });
+    }
+  }
+  if (config.scopes && config.scopes.length > 0) {
+    const invalidScopes = config.scopes.filter((scope) => !isValidScope2(scope));
+    if (invalidScopes.length > 0) {
+      warnings.push({
+        field: "scopes",
+        message: "Some scopes have invalid format",
+        fix: `Invalid scopes: ${invalidScopes.join(", ")}
 Scopes should be in format: "Resource.Permission" (e.g., "User.Read", "Mail.Read")
@@ -34,26 +238,124 @@ Common scopes:
 \u2022 User.Read - Read user profile
 \u2022 Mail.Read - Read user mail
 \u2022 Calendars.Read - Read user calendars
-\u2022 Files.Read - Read user files`});}if(typeof window<"u"){let i=process.env.NEXT_PUBLIC_AZURE_AD_CLIENT_ID,s=process.env.NEXT_PUBLIC_AZURE_AD_TENANT_ID;i||e.push({field:"environment",message:"NEXT_PUBLIC_AZURE_AD_CLIENT_ID not found in environment",fix:`Add NEXT_PUBLIC_AZURE_AD_CLIENT_ID to your .env.local file:
+\u2022 Files.Read - Read user files`
+      });
+    }
+  }
+  if (typeof window !== "undefined") {
+    const clientIdFromEnv = process.env.NEXT_PUBLIC_AZURE_AD_CLIENT_ID;
+    const tenantIdFromEnv = process.env.NEXT_PUBLIC_AZURE_AD_TENANT_ID;
+    if (!clientIdFromEnv) {
+      warnings.push({
+        field: "environment",
+        message: "NEXT_PUBLIC_AZURE_AD_CLIENT_ID not found in environment",
+        fix: `Add NEXT_PUBLIC_AZURE_AD_CLIENT_ID to your .env.local file:
 NEXT_PUBLIC_AZURE_AD_CLIENT_ID=your-client-id-here
-Then restart your development server.`}),!s&&t.authorityType==="tenant"&&e.push({field:"environment",message:'NEXT_PUBLIC_AZURE_AD_TENANT_ID not found but authorityType is "tenant"',fix:`Either:
+Then restart your development server.`
+      });
+    }
+    if (!tenantIdFromEnv && config.authorityType === "tenant") {
+      warnings.push({
+        field: "environment",
+        message: 'NEXT_PUBLIC_AZURE_AD_TENANT_ID not found but authorityType is "tenant"',
+        fix: `Either:
 1. Add NEXT_PUBLIC_AZURE_AD_TENANT_ID to your .env.local file, OR
 2. Change authorityType to 'common' for multi-tenant support
 For single-tenant apps:
-NEXT_PUBLIC_AZURE_AD_TENANT_ID=your-tenant-id-here`});}let o={valid:r.length===0,warnings:e,errors:r};return J=o,o}function K(t){if(!(ge||process.env.NODE_ENV!=="development")){if(ge=true,t.valid&&t.warnings.length===0){console.log("\u2705 MSAL configuration validated successfully");return}console.group("\u{1F50D} MSAL Configuration Validation"),t.errors.length>0&&(console.group("\u274C Errors (must fix)"),t.errors.forEach(e=>{console.error(`
-${e.field}:`),console.error(`  ${e.message}`),console.error(`
+NEXT_PUBLIC_AZURE_AD_TENANT_ID=your-tenant-id-here`
+      });
+    }
+  }
+  const result = {
+    valid: errors.length === 0,
+    warnings,
+    errors
+  };
+  validationCache = result;
+  return result;
+}
+function displayValidationResults(result) {
+  if (hasDisplayedResults || process.env.NODE_ENV !== "development") {
+    return;
+  }
+  hasDisplayedResults = true;
+  if (result.valid && result.warnings.length === 0) {
+    console.log("\u2705 MSAL configuration validated successfully");
+    return;
+  }
+  console.group("\u{1F50D} MSAL Configuration Validation");
+  if (result.errors.length > 0) {
+    console.group("\u274C Errors (must fix)");
+    result.errors.forEach((error) => {
+      console.error(`
+${error.field}:`);
+      console.error(`  ${error.message}`);
+      console.error(`
   Fix:
-  ${e.fix.split(`
-`).join(`
-  `)}`);}),console.groupEnd()),t.warnings.length>0&&(console.group("\u26A0\uFE0F  Warnings (should fix)"),t.warnings.forEach(e=>{console.warn(`
-${e.field}:`),console.warn(`  ${e.message}`),console.warn(`
+  ${error.fix.split("\n").join("\n  ")}`);
+    });
+    console.groupEnd();
+  }
+  if (result.warnings.length > 0) {
+    console.group("\u26A0\uFE0F  Warnings (should fix)");
+    result.warnings.forEach((warning) => {
+      console.warn(`
+${warning.field}:`);
+      console.warn(`  ${warning.message}`);
+      console.warn(`
   Fix:
-  ${e.fix.split(`
-`).join(`
-  `)}`);}),console.groupEnd()),console.groupEnd();}}function he(t){let e=["your-client-id","your-tenant-id","your-client-id-here","your-tenant-id-here","client-id","tenant-id","replace-me","changeme","placeholder","example","xxx","000"],r=t.toLowerCase();return e.some(o=>r.includes(o))}function me(t){return /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(t)}function ke(t){return !t.includes("localhost")&&!t.includes("127.0.0.1")}function _e(t){try{return new URL(t),!0}catch{return  false}}function Fe(t){return /^([a-zA-Z0-9]+\.[a-zA-Z0-9]+|https?:\/\/.+)$/.test(t)}var Q={AADSTS50011:{message:"Redirect URI mismatch",fix:`Your redirect URI doesn't match what's configured in Azure AD.
+  ${warning.fix.split("\n").join("\n  ")}`);
+    });
+    console.groupEnd();
+  }
+  console.groupEnd();
+}
+function isPlaceholderValue(value) {
+  const placeholders = [
+    "your-client-id",
+    "your-tenant-id",
+    "your-client-id-here",
+    "your-tenant-id-here",
+    "client-id",
+    "tenant-id",
+    "replace-me",
+    "changeme",
+    "placeholder",
+    "example",
+    "xxx",
+    "000"
+  ];
+  const lowerValue = value.toLowerCase();
+  return placeholders.some((placeholder) => lowerValue.includes(placeholder));
+}
+function isValidGuid(value) {
+  const guidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+  return guidRegex.test(value);
+}
+function isProductionUrl(url) {
+  return !url.includes("localhost") && !url.includes("127.0.0.1");
+}
+function isValidUrl(url) {
+  try {
+    new URL(url);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function isValidScope2(scope) {
+  return /^([a-zA-Z0-9]+\.[a-zA-Z0-9]+|https?:\/\/.+)$/.test(scope);
+}
+// src/errors/MsalError.ts
+var MSAL_ERROR_SOLUTIONS = {
+  // Redirect URI mismatch
+  "AADSTS50011": {
+    message: "Redirect URI mismatch",
+    fix: `Your redirect URI doesn't match what's configured in Azure AD.
 Fix:
 1. Go to Azure Portal \u2192 Azure Active Directory \u2192 App registrations
@@ -63,7 +365,13 @@ Fix:
    \u2022 https://yourdomain.com (for production)
 4. Click "Save"
-Current redirect URI: ${typeof window<"u"?window.location.origin:"unknown"}`,docs:"https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url"},AADSTS65001:{message:"Admin consent required",fix:`Your app requires admin consent for the requested permissions.
+Current redirect URI: ${typeof window !== "undefined" ? window.location.origin : "unknown"}`,
+    docs: "https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url"
+  },
+  // Consent required
+  "AADSTS65001": {
+    message: "Admin consent required",
+    fix: `Your app requires admin consent for the requested permissions.
 Fix:
 1. Go to Azure Portal \u2192 Azure Active Directory \u2192 App registrations
@@ -71,53 +379,1942 @@ Fix:
 3. Click "Grant admin consent for [Your Organization]"
 4. Confirm the consent
-Alternatively, ask your Azure AD administrator to grant consent.`,docs:"https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-admin-consent"},AADSTS700016:{message:"Invalid client application",fix:`The application ID (client ID) is not found in the directory.
+Alternatively, ask your Azure AD administrator to grant consent.`,
+    docs: "https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-admin-consent"
+  },
+  // Invalid client
+  "AADSTS700016": {
+    message: "Invalid client application",
+    fix: `The application ID (client ID) is not found in the directory.
 Fix:
 1. Verify your NEXT_PUBLIC_AZURE_AD_CLIENT_ID in .env.local
 2. Ensure the app registration exists in Azure Portal
 3. Check that you're using the correct tenant
-Current client ID: Check your environment variables`,docs:"https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes"},AADSTS90002:{message:"Invalid tenant",fix:`The tenant ID is invalid or not found.
+Current client ID: Check your environment variables`,
+    docs: "https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes"
+  },
+  // Invalid tenant
+  "AADSTS90002": {
+    message: "Invalid tenant",
+    fix: `The tenant ID is invalid or not found.
 Fix:
 1. Verify your NEXT_PUBLIC_AZURE_AD_TENANT_ID in .env.local
 2. Ensure you're using the correct tenant ID (GUID format)
 3. For multi-tenant apps, use authorityType: 'common' instead
-Current tenant ID: Check your environment variables`,docs:"https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-national-cloud"},user_cancelled:{message:"User cancelled authentication",fix:"The user closed the authentication window or cancelled the login process. This is normal user behavior.",docs:void 0},no_token_request_cache_error:{message:"No cached token request",fix:`This usually happens when the page is refreshed during authentication.
+Current tenant ID: Check your environment variables`,
+    docs: "https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-national-cloud"
+  },
+  // User cancelled
+  "user_cancelled": {
+    message: "User cancelled authentication",
+    fix: "The user closed the authentication window or cancelled the login process. This is normal user behavior.",
+    docs: void 0
+  },
+  // No token in cache
+  "no_token_request_cache_error": {
+    message: "No cached token request",
+    fix: `This usually happens when the page is refreshed during authentication.
 This is normal and will be handled automatically. If the issue persists:
 1. Clear your browser cache and cookies
 2. Try logging in again
-3. Ensure cookies are enabled in your browser`,docs:void 0},interaction_required:{message:"User interaction required",fix:`The token cannot be acquired silently and requires user interaction.
+3. Ensure cookies are enabled in your browser`,
+    docs: void 0
+  },
+  // Interaction required
+  "interaction_required": {
+    message: "User interaction required",
+    fix: `The token cannot be acquired silently and requires user interaction.
-This is normal behavior. The app will redirect you to sign in.`,docs:void 0},consent_required:{message:"User consent required",fix:`Additional consent is required for the requested permissions.
+This is normal behavior. The app will redirect you to sign in.`,
+    docs: void 0
+  },
+  // Consent required
+  "consent_required": {
+    message: "User consent required",
+    fix: `Additional consent is required for the requested permissions.
-This is normal behavior. You'll be prompted to grant consent.`,docs:void 0}},T=class t extends Error{constructor(e){let r=t.parseError(e);super(r.message),this.name="MsalError",this.code=r.code,this.fix=r.fix,this.docs=r.docs,this.originalError=e,Error.captureStackTrace&&Error.captureStackTrace(this,t);}static parseError(e){if(e&&typeof e=="object"){let r=e,o=r.errorCode||r.error||r.code;if(o&&Q[o]){let s=Q[o];return {message:s.message,code:o,fix:s.fix,docs:s.docs}}let i=r.errorMessage||r.message||String(e);for(let[s,p]of Object.entries(Q))if(i.includes(s))return {message:p.message,code:s,fix:p.fix,docs:p.docs};return {message:i||"Authentication error occurred",code:o}}return {message:"An unexpected authentication error occurred"}}toConsoleString(){if(!(process.env.NODE_ENV==="development"))return this.message;let r=`
+This is normal behavior. You'll be prompted to grant consent.`,
+    docs: void 0
+  }
+};
+var MsalError = class _MsalError extends Error {
+  constructor(error) {
+    const errorInfo = _MsalError.parseError(error);
+    super(errorInfo.message);
+    this.name = "MsalError";
+    this.code = errorInfo.code;
+    this.fix = errorInfo.fix;
+    this.docs = errorInfo.docs;
+    this.originalError = error;
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, _MsalError);
+    }
+  }
+  /**
+   * Parse error and extract actionable information
+   */
+  static parseError(error) {
+    if (error && typeof error === "object") {
+      const err = error;
+      const errorCode = err.errorCode || err.error || err.code;
+      if (errorCode && MSAL_ERROR_SOLUTIONS[errorCode]) {
+        const solution = MSAL_ERROR_SOLUTIONS[errorCode];
+        return {
+          message: solution.message,
+          code: errorCode,
+          fix: solution.fix,
+          docs: solution.docs
+        };
+      }
+      const errorMessage = err.errorMessage || err.message || String(error);
+      for (const [code, solution] of Object.entries(MSAL_ERROR_SOLUTIONS)) {
+        if (errorMessage.includes(code)) {
+          return {
+            message: solution.message,
+            code,
+            fix: solution.fix,
+            docs: solution.docs
+          };
+        }
+      }
+      return {
+        message: errorMessage || "Authentication error occurred",
+        code: errorCode
+      };
+    }
+    return {
+      message: "An unexpected authentication error occurred"
+    };
+  }
+  /**
+   * Format error for console logging with colors (development only)
+   */
+  toConsoleString() {
+    const isDev = process.env.NODE_ENV === "development";
+    if (!isDev) {
+      return this.message;
+    }
+    let output = `
 \u{1F6A8} MSAL Authentication Error
-`;return r+=`
+`;
+    output += `
 Error: ${this.message}
-`,this.code&&(r+=`Code: ${this.code}
-`),this.fix&&(r+=`
+`;
+    if (this.code) {
+      output += `Code: ${this.code}
+`;
+    }
+    if (this.fix) {
+      output += `
 \u{1F4A1} How to fix:
 ${this.fix}
-`),this.docs&&(r+=`
+`;
+    }
+    if (this.docs) {
+      output += `
 \u{1F4DA} Documentation: ${this.docs}
-`),r}isUserCancellation(){return this.code==="user_cancelled"}requiresInteraction(){return this.code==="interaction_required"||this.code==="consent_required"}};function P(t){return t instanceof T?t:new T(t)}function $e(t){let e={errorCode:"missing_env_var",errorMessage:`Missing environment variable: ${t}`,message:`${t} not found`},r=`Environment variable ${t} is not set.
+`;
+    }
+    return output;
+  }
+  /**
+   * Check if error is a user cancellation (not a real error)
+   */
+  isUserCancellation() {
+    return this.code === "user_cancelled";
+  }
+  /**
+   * Check if error requires user interaction
+   */
+  requiresInteraction() {
+    return this.code === "interaction_required" || this.code === "consent_required";
+  }
+};
+function wrapMsalError(error) {
+  if (error instanceof MsalError) {
+    return error;
+  }
+  return new MsalError(error);
+}
+function createMissingEnvVarError(varName) {
+  const error = {
+    errorCode: "missing_env_var",
+    errorMessage: `Missing environment variable: ${varName}`,
+    message: `${varName} not found`
+  };
+  const fix = `Environment variable ${varName} is not set.
 Fix:
 1. Copy .env.local.example to .env.local (if it exists)
 2. Add the following to your .env.local file:
-   ${t}=your-value-here
+   ${varName}=your-value-here
 3. Get the value from Azure Portal:
    \u2022 Go to Azure Active Directory \u2192 App registrations
    \u2022 Select your app
-   \u2022 Copy the ${t.includes("CLIENT_ID")?"Application (client) ID":"Directory (tenant) ID"}
+   \u2022 Copy the ${varName.includes("CLIENT_ID") ? "Application (client) ID" : "Directory (tenant) ID"}
 4. Restart your development server
-Note: Environment variables starting with NEXT_PUBLIC_ are exposed to the browser.`;return new T({...e,fix:r,docs:"https://nextjs.org/docs/basic-features/environment-variables"})}var Ae=null;function Be(){return Ae}function ee({children:t,loadingComponent:e,onInitialized:r,...o}){let[i,s]=useState(null),p=useRef(null);return useEffect(()=>{if(typeof window>"u"||p.current)return;(async()=>{try{if(process.env.NODE_ENV==="development"){let c=Y(o);K(c);}let l=X(o),a=new PublicClientApplication(l);await a.initialize();try{let c=await a.handleRedirectPromise();c&&(o.enableLogging&&console.log("[MSAL] Redirect authentication successful"),c.account&&a.setActiveAccount(c.account),window.location.hash&&window.history.replaceState(null,"",window.location.pathname+window.location.search));}catch(c){let n=P(c);n.code==="no_token_request_cache_error"?o.enableLogging&&console.log("[MSAL] No pending redirect found (this is normal)"):n.isUserCancellation()?o.enableLogging&&console.log("[MSAL] User cancelled authentication"):process.env.NODE_ENV==="development"?console.error(n.toConsoleString()):console.error("[MSAL] Redirect handling error:",n.message),window.location.hash&&(window.location.hash.includes("code=")||window.location.hash.includes("error="))&&window.history.replaceState(null,"",window.location.pathname+window.location.search);}let m=a.getAllAccounts();m.length>0&&!a.getActiveAccount()&&a.setActiveAccount(m[0]);let h=o.enableLogging||!1;a.addEventCallback(c=>{if(c.eventType===EventType.LOGIN_SUCCESS){let n=c.payload;n?.account&&a.setActiveAccount(n.account),h&&console.log("[MSAL] Login successful:",n.account?.username);}if(c.eventType===EventType.LOGIN_FAILURE&&console.error("[MSAL] Login failed:",c.error),c.eventType===EventType.LOGOUT_SUCCESS&&(a.setActiveAccount(null),h&&console.log("[MSAL] Logout successful")),c.eventType===EventType.ACQUIRE_TOKEN_SUCCESS){let n=c.payload;n?.account&&!a.getActiveAccount()&&a.setActiveAccount(n.account);}c.eventType===EventType.ACQUIRE_TOKEN_FAILURE&&h&&console.error("[MSAL] Token acquisition failed:",c.error);}),p.current=a,Ae=a,s(a),r&&r(a);}catch(l){throw console.error("[MSAL] Initialization failed:",l),l}})();},[]),typeof window>"u"?jsx(Fragment,{children:e||jsx("div",{children:"Loading authentication..."})}):i?jsx(MsalProvider,{instance:i,children:t}):jsx(Fragment,{children:e||jsx("div",{children:"Loading authentication..."})})}var We=createContext(void 0);function je({children:t,protection:e,...r}){return jsx(We.Provider,{value:e,children:jsx(ee,{...r,children:t})})}var te=new Map;function A(t=["User.Read"]){let{instance:e,accounts:r,inProgress:o}=useMsal(),i=useAccount(r[0]||null),s=useMemo(()=>r.length>0,[r]),p=useCallback(async(c=t)=>{if(o!==InteractionStatus.None){console.warn("[MSAL] Interaction already in progress");return}try{let n={scopes:c,prompt:"select_account"};await e.loginRedirect(n);}catch(n){let f=P(n);if(f.isUserCancellation()){console.log("[MSAL] User cancelled login");return}throw process.env.NODE_ENV==="development"?console.error(f.toConsoleString()):console.error("[MSAL] Login redirect failed:",f.message),f}},[e,t,o]),u=useCallback(async()=>{try{await e.logoutRedirect({account:i||void 0});}catch(c){let n=P(c);throw process.env.NODE_ENV==="development"?console.error(n.toConsoleString()):console.error("[MSAL] Logout redirect failed:",n.message),n}},[e,i]),l=useCallback(async(c=t)=>{if(!i)throw new Error("[MSAL] No active account. Please login first.");try{let n={scopes:c,account:i,forceRefresh:!1};return (await e.acquireTokenSilent(n)).accessToken}catch(n){let f=P(n);throw process.env.NODE_ENV==="development"?console.error(f.toConsoleString()):console.error("[MSAL] Silent token acquisition failed:",f.message),f}},[e,i,t]),a=useCallback(async(c=t)=>{if(!i)throw new Error("[MSAL] No active account. Please login first.");try{let n={scopes:c,account:i};await e.acquireTokenRedirect(n);}catch(n){let f=P(n);throw process.env.NODE_ENV==="development"?console.error(f.toConsoleString()):console.error("[MSAL] Token redirect acquisition failed:",f.message),f}},[e,i,t]),m=useCallback(async(c=t)=>{let n=`${i?.homeAccountId||"anonymous"}-${c.sort().join(",")}`,f=te.get(n);if(f)return f;let g=(async()=>{try{return await l(c)}catch{throw console.warn("[MSAL] Silent token acquisition failed, falling back to redirect"),await a(c),new Error("[MSAL] Redirecting for token acquisition")}finally{te.delete(n);}})();return te.set(n,g),g},[l,a,t,i]),h=useCallback(async()=>{e.setActiveAccount(null),await e.clearCache();},[e]);return {account:i,accounts:r,isAuthenticated:s,inProgress:o!==InteractionStatus.None,loginRedirect:p,logoutRedirect:u,acquireToken:m,acquireTokenSilent:l,acquireTokenRedirect:a,clearSession:h}}function Ke({text:t="Sign in with Microsoft",variant:e="dark",size:r="medium",scopes:o,className:i="",style:s,onSuccess:p,onError:u}){let{loginRedirect:l,inProgress:a}=A(),[m,h]=useState(false),c=async()=>{h(true);try{await l(o),p?.();}catch(y){u?.(y);}finally{setTimeout(()=>h(false),500);}},n={small:{padding:"8px 16px",fontSize:"14px",height:"36px"},medium:{padding:"10px 20px",fontSize:"15px",height:"41px"},large:{padding:"12px 24px",fontSize:"16px",height:"48px"}},f={dark:{backgroundColor:"#2F2F2F",color:"#FFFFFF",border:"1px solid #8C8C8C"},light:{backgroundColor:"#FFFFFF",color:"#5E5E5E",border:"1px solid #8C8C8C"}},g=a||m,d={display:"inline-flex",alignItems:"center",justifyContent:"center",gap:"12px",fontFamily:'"Segoe UI", Tahoma, Geneva, Verdana, sans-serif',fontWeight:600,borderRadius:"2px",cursor:g?"not-allowed":"pointer",transition:"all 0.2s ease",opacity:g?.6:1,...f[e],...n[r],...s};return jsxs("button",{onClick:c,disabled:g,className:i,style:d,"aria-label":t,children:[jsx(Qe,{}),jsx("span",{children:t})]})}function Qe(){return jsxs("svg",{width:"21",height:"21",viewBox:"0 0 21 21",fill:"none",xmlns:"http://www.w3.org/2000/svg",children:[jsx("rect",{width:"10",height:"10",fill:"#F25022"}),jsx("rect",{x:"11",width:"10",height:"10",fill:"#7FBA00"}),jsx("rect",{y:"11",width:"10",height:"10",fill:"#00A4EF"}),jsx("rect",{x:"11",y:"11",width:"10",height:"10",fill:"#FFB900"})]})}function et({text:t="Sign out",variant:e="dark",size:r="medium",className:o="",style:i,onSuccess:s,onError:p}){let{logoutRedirect:u,inProgress:l}=A(),a=async()=>{try{await u(),s?.();}catch(n){p?.(n);}},m={small:{padding:"8px 16px",fontSize:"14px",height:"36px"},medium:{padding:"10px 20px",fontSize:"15px",height:"41px"},large:{padding:"12px 24px",fontSize:"16px",height:"48px"}},c={display:"inline-flex",alignItems:"center",justifyContent:"center",gap:"12px",fontFamily:'"Segoe UI", Tahoma, Geneva, Verdana, sans-serif',fontWeight:600,borderRadius:"2px",cursor:l?"not-allowed":"pointer",transition:"all 0.2s ease",opacity:l?.6:1,...{dark:{backgroundColor:"#2F2F2F",color:"#FFFFFF",border:"1px solid #8C8C8C"},light:{backgroundColor:"#FFFFFF",color:"#5E5E5E",border:"1px solid #8C8C8C"}}[e],...m[r],...i};return jsxs("button",{onClick:a,disabled:l,className:o,style:c,"aria-label":t,children:[jsx(tt,{}),jsx("span",{children:t})]})}function tt(){return jsxs("svg",{width:"21",height:"21",viewBox:"0 0 21 21",fill:"none",xmlns:"http://www.w3.org/2000/svg",children:[jsx("rect",{width:"10",height:"10",fill:"#F25022"}),jsx("rect",{x:"11",width:"10",height:"10",fill:"#7FBA00"}),jsx("rect",{y:"11",width:"10",height:"10",fill:"#00A4EF"}),jsx("rect",{x:"11",y:"11",width:"10",height:"10",fill:"#FFB900"})]})}function k(){let{acquireToken:t}=A(),e=useCallback(async(u,l={})=>{let{scopes:a=["User.Read"],version:m="v1.0",debug:h=false,...c}=l;try{let n=await t(a),f=`https://graph.microsoft.com/${m}`,g=u.startsWith("http")?u:`${f}${u.startsWith("/")?u:`/${u}`}`;h&&console.log("[GraphAPI] Request:",{url:g,method:c.method||"GET"});let d=await fetch(g,{...c,headers:{Authorization:`Bearer ${n}`,"Content-Type":"application/json",...c.headers}});if(!d.ok){let C=await d.text(),D=`Graph API error (${d.status}): ${C}`;throw new Error(D)}if(d.status===204||d.headers.get("content-length")==="0")return null;let y=await d.json();return h&&console.log("[GraphAPI] Response:",y),y}catch(n){let f=R(n);throw console.error("[GraphAPI] Request failed:",f),new Error(f)}},[t]),r=useCallback((u,l={})=>e(u,{...l,method:"GET"}),[e]),o=useCallback((u,l,a={})=>e(u,{...a,method:"POST",body:l?JSON.stringify(l):void 0}),[e]),i=useCallback((u,l,a={})=>e(u,{...a,method:"PUT",body:l?JSON.stringify(l):void 0}),[e]),s=useCallback((u,l,a={})=>e(u,{...a,method:"PATCH",body:l?JSON.stringify(l):void 0}),[e]),p=useCallback((u,l={})=>e(u,{...l,method:"DELETE"}),[e]);return {get:r,post:o,put:i,patch:s,delete:p,request:e}}var b=new Map,rt=300*1e3,Ce=100;function ot(){if(b.size>Ce){let t=Array.from(b.entries());t.sort((r,o)=>r[1].timestamp-o[1].timestamp),t.slice(0,b.size-Ce).forEach(([r])=>{let o=b.get(r);o?.data.photo&&URL.revokeObjectURL(o.data.photo),b.delete(r);});}}function oe(){let{isAuthenticated:t,account:e}=A(),r=k(),[o,i]=useState(null),[s,p]=useState(false),[u,l]=useState(null),a=useCallback(async()=>{if(!t||!e){i(null);return}let h=e.homeAccountId,c=b.get(h);if(c&&Date.now()-c.timestamp<rt){i(c.data);return}p(true),l(null);try{let n=await r.get("/me",{scopes:["User.Read"]}),f;try{let d=await r.get("/me/photo/$value",{scopes:["User.Read"],headers:{"Content-Type":"image/jpeg"}});d&&(f=URL.createObjectURL(d));}catch{console.debug("[UserProfile] Photo not available");}let g={id:n.id,displayName:n.displayName,givenName:n.givenName,surname:n.surname,userPrincipalName:n.userPrincipalName,mail:n.mail,jobTitle:n.jobTitle,department:n.department,companyName:n.companyName,officeLocation:n.officeLocation,mobilePhone:n.mobilePhone,businessPhones:n.businessPhones,preferredLanguage:n.preferredLanguage,employeeId:n.employeeId,employeeHireDate:n.employeeHireDate,employeeType:n.employeeType,country:n.country,city:n.city,state:n.state,streetAddress:n.streetAddress,postalCode:n.postalCode,usageLocation:n.usageLocation,manager:n.manager,aboutMe:n.aboutMe,birthday:n.birthday,interests:n.interests,skills:n.skills,schools:n.schools,pastProjects:n.pastProjects,responsibilities:n.responsibilities,mySite:n.mySite,faxNumber:n.faxNumber,accountEnabled:n.accountEnabled,ageGroup:n.ageGroup,userType:n.userType,photo:f,...n};b.set(h,{data:g,timestamp:Date.now()}),ot(),i(g);}catch(n){let g=R(n),d=new Error(g);l(d),console.error("[UserProfile] Failed to fetch profile:",g);}finally{p(false);}},[t,e,r]),m=useCallback(()=>{if(e){let h=b.get(e.homeAccountId);h?.data.photo&&URL.revokeObjectURL(h.data.photo),b.delete(e.homeAccountId);}o?.photo&&URL.revokeObjectURL(o.photo),i(null);},[e,o]);return useEffect(()=>(a(),()=>{o?.photo&&URL.revokeObjectURL(o.photo);}),[a]),useEffect(()=>()=>{o?.photo&&URL.revokeObjectURL(o.photo);},[o?.photo]),{profile:o,loading:s,error:u,refetch:a,clearCache:m}}function it({size:t=40,className:e="",style:r,showTooltip:o=true,fallbackImage:i}){let{profile:s,loading:p}=oe(),[u,l]=useState(null),[a,m]=useState(false);useEffect(()=>{s?.photo&&l(s.photo);},[s?.photo]);let h=()=>{if(!s)return "?";let{givenName:f,surname:g,displayName:d}=s;if(f&&g)return `${f[0]}${g[0]}`.toUpperCase();if(d){let y=d.split(" ");return y.length>=2?`${y[0][0]}${y[y.length-1][0]}`.toUpperCase():d.substring(0,2).toUpperCase()}return "?"},c={width:`${t}px`,height:`${t}px`,borderRadius:"50%",display:"inline-flex",alignItems:"center",justifyContent:"center",fontSize:`${t*.4}px`,fontWeight:600,fontFamily:'"Segoe UI", Tahoma, Geneva, Verdana, sans-serif',backgroundColor:"#0078D4",color:"#FFFFFF",overflow:"hidden",userSelect:"none",...r},n=s?.displayName||"User";return p?jsx("div",{className:e,style:{...c,backgroundColor:"#E1E1E1"},"aria-label":"Loading user avatar",children:jsx("span",{style:{fontSize:`${t*.3}px`},children:"..."})}):u&&!a?jsx("div",{className:e,style:c,title:o?n:void 0,"aria-label":`${n} avatar`,children:jsx("img",{src:u,alt:n,style:{width:"100%",height:"100%",objectFit:"cover"},onError:()=>{m(true),i&&l(i);}})}):jsx("div",{className:e,style:c,title:o?n:void 0,"aria-label":`${n} avatar`,children:h()})}function st({className:t="",style:e,showDetails:r=false,renderLoading:o,renderAuthenticated:i,renderUnauthenticated:s}){let{isAuthenticated:p,inProgress:u,account:l}=A(),a={display:"inline-flex",alignItems:"center",gap:"8px",padding:"8px 12px",borderRadius:"4px",fontFamily:'"Segoe UI", Tahoma, Geneva, Verdana, sans-serif',fontSize:"14px",fontWeight:500,...e};if(u)return o?jsx(Fragment,{children:o()}):jsxs("div",{className:t,style:{...a,backgroundColor:"#FFF4CE",color:"#8A6D3B"},role:"status","aria-live":"polite",children:[jsx(ne,{color:"#FFA500"}),jsx("span",{children:"Loading..."})]});if(p){let m=l?.username||l?.name||"User";return i?jsx(Fragment,{children:i(m)}):jsxs("div",{className:t,style:{...a,backgroundColor:"#D4EDDA",color:"#155724"},role:"status","aria-live":"polite",children:[jsx(ne,{color:"#28A745"}),jsx("span",{children:r?`Authenticated as ${m}`:"Authenticated"})]})}return s?jsx(Fragment,{children:s()}):jsxs("div",{className:t,style:{...a,backgroundColor:"#F8D7DA",color:"#721C24"},role:"status","aria-live":"polite",children:[jsx(ne,{color:"#DC3545"}),jsx("span",{children:"Not authenticated"})]})}function ne({color:t}){return jsx("svg",{width:"8",height:"8",viewBox:"0 0 8 8",fill:"none",xmlns:"http://www.w3.org/2000/svg",children:jsx("circle",{cx:"4",cy:"4",r:"4",fill:t})})}function le({children:t,loadingComponent:e,fallbackComponent:r,scopes:o,onAuthRequired:i}){let{isAuthenticated:s,inProgress:p,loginRedirect:u}=A();return useEffect(()=>{!s&&!p&&(i?.(),(async()=>{try{await u(o);}catch(a){console.error("[AuthGuard] Authentication failed:",a);}})());},[s,p,o,u,i]),p?jsx(Fragment,{children:e||jsx("div",{children:"Authenticating..."})}):s?jsx(Fragment,{children:t}):jsx(Fragment,{children:r||jsx("div",{children:"Redirecting to login..."})})}var ue=class extends Component{constructor(r){super(r);this.reset=()=>{this.setState({hasError:false,error:null});};this.state={hasError:false,error:null};}static getDerivedStateFromError(r){return {hasError:true,error:r}}componentDidCatch(r,o){let{onError:i,debug:s}=this.props;s&&(console.error("[ErrorBoundary] Caught error:",r),console.error("[ErrorBoundary] Error info:",o)),i?.(r,o);}render(){let{hasError:r,error:o}=this.state,{children:i,fallback:s}=this.props;return r&&o?s?s(o,this.reset):jsxs("div",{style:{padding:"20px",margin:"20px",border:"1px solid #DC3545",borderRadius:"4px",backgroundColor:"#F8D7DA",color:"#721C24",fontFamily:'"Segoe UI", Tahoma, Geneva, Verdana, sans-serif'},children:[jsx("h2",{style:{margin:"0 0 10px 0",fontSize:"18px"},children:"Authentication Error"}),jsx("p",{style:{margin:"0 0 10px 0"},children:o.message}),jsx("button",{onClick:this.reset,style:{padding:"8px 16px",backgroundColor:"#DC3545",color:"#FFFFFF",border:"none",borderRadius:"4px",cursor:"pointer",fontSize:"14px",fontWeight:600},children:"Try Again"})]}):i}};var E=new Map,dt=300*1e3,Te=100;function pt(t){t?E.delete(t):E.clear();}function ft(){if(E.size>Te){let t=Array.from(E.entries());t.sort((r,o)=>r[1].timestamp-o[1].timestamp),t.slice(0,E.size-Te).forEach(([r])=>E.delete(r));}}function gt(){let{isAuthenticated:t,account:e}=A(),r=k(),[o,i]=useState([]),[s,p]=useState([]),[u,l]=useState(false),[a,m]=useState(null),h=useCallback(async()=>{if(!t||!e){i([]),p([]);return}let d=e.homeAccountId,y=E.get(d);if(y&&Date.now()-y.timestamp<dt){i(y.roles),p(y.groups);return}l(true),m(null);try{let D=e.idTokenClaims?.roles||[],G=(await r.get("/me/memberOf",{scopes:["User.Read","Directory.Read.All"]})).value.map(pe=>pe.id);E.set(d,{roles:D,groups:G,timestamp:Date.now()}),ft(),i(D),p(G);}catch(C){let W=R(C),G=new Error(W);m(G),console.error("[Roles] Failed to fetch roles/groups:",W);let Me=e.idTokenClaims?.roles||[];i(Me);}finally{l(false);}},[t,e,r]),c=useCallback(d=>o.includes(d),[o]),n=useCallback(d=>s.includes(d),[s]),f=useCallback(d=>d.some(y=>o.includes(y)),[o]),g=useCallback(d=>d.every(y=>o.includes(y)),[o]);return useEffect(()=>(h(),()=>{e&&pt(e.homeAccountId);}),[h,e]),{roles:o,groups:s,loading:u,error:a,hasRole:c,hasGroup:n,hasAnyRole:f,hasAllRoles:g,refetch:h}}function ht(t,e={}){let{displayName:r,...o}=e,i=s=>jsx(le,{...o,children:jsx(t,{...s})});return i.displayName=r||`withAuth(${t.displayName||t.name||"Component"})`,i}async function Ue(t,e={}){let{maxRetries:r=3,initialDelay:o=1e3,maxDelay:i=1e4,backoffMultiplier:s=2,debug:p=false}=e,u,l=o;for(let a=0;a<=r;a++)try{return p&&a>0&&console.log(`[TokenRetry] Attempt ${a+1}/${r+1}`),await t()}catch(m){if(u=m,a===r){p&&console.error("[TokenRetry] All retry attempts failed");break}if(!mt(m))throw p&&console.log("[TokenRetry] Non-retryable error, aborting"),m;p&&console.warn(`[TokenRetry] Attempt ${a+1} failed, retrying in ${l}ms...`),await yt(l),l=Math.min(l*s,i);}throw u}function mt(t){let e=t.message.toLowerCase();return !!(e.includes("network")||e.includes("timeout")||e.includes("fetch")||e.includes("connection")||e.includes("500")||e.includes("502")||e.includes("503")||e.includes("429")||e.includes("rate limit")||e.includes("token")&&e.includes("expired"))}function yt(t){return new Promise(e=>setTimeout(e,t))}function At(t,e={}){return (...r)=>Ue(()=>t(...r),e)}var B=class{constructor(e={}){this.logHistory=[];this.performanceTimings=new Map;this.config={enabled:e.enabled??false,prefix:e.prefix??"[MSAL-Next]",showTimestamp:e.showTimestamp??true,level:e.level??"info",enablePerformance:e.enablePerformance??false,enableNetworkLogs:e.enableNetworkLogs??false,maxHistorySize:e.maxHistorySize??100};}shouldLog(e){if(!this.config.enabled)return  false;let r=["error","warn","info","debug"],o=r.indexOf(this.config.level);return r.indexOf(e)<=o}formatMessage(e,r,o){let i=this.config.showTimestamp?`[${new Date().toISOString()}]`:"",s=this.config.prefix,p=`[${e.toUpperCase()}]`,u=`${i} ${s} ${p} ${r}`;return o!==void 0&&(u+=`
-`+JSON.stringify(o,null,2)),u}addToHistory(e,r,o){this.logHistory.length>=this.config.maxHistorySize&&this.logHistory.shift(),this.logHistory.push({timestamp:Date.now(),level:e,message:r,data:o});}error(e,r){this.shouldLog("error")&&(console.error(this.formatMessage("error",e,r)),this.addToHistory("error",e,r));}warn(e,r){this.shouldLog("warn")&&(console.warn(this.formatMessage("warn",e,r)),this.addToHistory("warn",e,r));}info(e,r){this.shouldLog("info")&&(console.info(this.formatMessage("info",e,r)),this.addToHistory("info",e,r));}debug(e,r){this.shouldLog("debug")&&(console.debug(this.formatMessage("debug",e,r)),this.addToHistory("debug",e,r));}group(e){this.config.enabled&&console.group(`${this.config.prefix} ${e}`);}groupEnd(){this.config.enabled&&console.groupEnd();}startTiming(e){this.config.enablePerformance&&(this.performanceTimings.set(e,{operation:e,startTime:performance.now()}),this.debug(`\u23F1\uFE0F Started: ${e}`));}endTiming(e){if(this.config.enablePerformance){let r=this.performanceTimings.get(e);if(r)return r.endTime=performance.now(),r.duration=r.endTime-r.startTime,this.info(`\u23F1\uFE0F Completed: ${e} (${r.duration.toFixed(2)}ms)`),r.duration}}logRequest(e,r,o){this.config.enableNetworkLogs&&this.debug(`\u{1F310} ${e} ${r}`,o);}logResponse(e,r,o,i){if(this.config.enableNetworkLogs){let s=o>=200&&o<300?"\u2705":"\u274C";this.debug(`${s} ${e} ${r} - ${o}`,i);}}getHistory(){return [...this.logHistory]}getPerformanceTimings(){return Array.from(this.performanceTimings.values())}clearHistory(){this.logHistory=[];}clearTimings(){this.performanceTimings.clear();}exportLogs(){return JSON.stringify({config:this.config,history:this.logHistory,performanceTimings:Array.from(this.performanceTimings.values()),exportedAt:new Date().toISOString()},null,2)}downloadLogs(e="msal-next-debug-logs.json"){if(typeof window>"u")return;let r=this.exportLogs(),o=new Blob([r],{type:"application/json"}),i=URL.createObjectURL(o),s=document.createElement("a");s.href=i,s.download=e,s.click(),URL.revokeObjectURL(i);}setEnabled(e){this.config.enabled=e;}setLevel(e){e&&(this.config.level=e);}},O=null;function vt(t){return O?t&&(t.enabled!==void 0&&O.setEnabled(t.enabled),t.level&&O.setLevel(t.level)):O=new B(t),O}function xt(t,e){return new B({...e,prefix:`[MSAL-Next:${t}]`})}function H({children:t,config:e,defaultRedirectTo:r="/login",defaultLoading:o,defaultUnauthorized:i,debug:s=false}){let p=useRouter(),{isAuthenticated:u,account:l,inProgress:a}=A(),[m,h]=useState(true),[c,n]=useState(false);return useEffect(()=>{async function f(){if(s&&console.log("[ProtectedPage] Checking auth...",{isAuthenticated:u,inProgress:a,config:e}),!a){if(!e.required){n(true),h(false);return}if(!u||!l){s&&console.log("[ProtectedPage] Not authenticated, redirecting...");let g=e.redirectTo||r,d=encodeURIComponent(window.location.pathname+window.location.search);p.push(`${g}?returnUrl=${d}`);return}if(e.roles&&e.roles.length>0){let g=l.idTokenClaims?.roles||[];if(!e.roles.some(y=>g.includes(y))){s&&console.log("[ProtectedPage] Missing required role",{required:e.roles,user:g}),n(false),h(false);return}}if(e.validate)try{if(!await e.validate(l)){s&&console.log("[ProtectedPage] Custom validation failed"),n(!1),h(!1);return}}catch(g){console.error("[ProtectedPage] Validation error:",g),n(false),h(false);return}s&&console.log("[ProtectedPage] Authorization successful"),n(true),h(false);}}f();},[u,l,a,e,p,r,s]),m||a?e.loading?jsx(Fragment,{children:e.loading}):o?jsx(Fragment,{children:o}):jsx("div",{className:"flex items-center justify-center min-h-screen",children:jsx("div",{className:"animate-spin rounded-full h-12 w-12 border-b-2 border-blue-600"})}):c?jsx(Fragment,{children:t}):e.unauthorized?jsx(Fragment,{children:e.unauthorized}):i?jsx(Fragment,{children:i}):jsx("div",{className:"flex items-center justify-center min-h-screen",children:jsxs("div",{className:"text-center",children:[jsx("h1",{className:"text-2xl font-bold text-gray-900 mb-2",children:"Access Denied"}),jsx("p",{className:"text-gray-600",children:"You don't have permission to access this page."})]})})}function De(t,e,r){let o=i=>jsx(H,{config:e,defaultRedirectTo:r?.defaultRedirectTo,defaultLoading:r?.defaultLoading,defaultUnauthorized:r?.defaultUnauthorized,debug:r?.debug,children:jsx(t,{...i})});return o.displayName=`withPageAuth(${t.displayName||t.name||"Component"})`,o}function Rt(t={}){let{protectedRoutes:e=[],publicOnlyRoutes:r=[],loginPath:o="/login",redirectAfterLogin:i="/",sessionCookie:s="msal.account",isAuthenticated:p,debug:u=false}=t;return async function(a){let{pathname:m}=a.nextUrl;u&&console.log("[AuthMiddleware] Processing:",m);let h=false;p?h=await p(a):h=!!a.cookies.get(s)?.value,u&&console.log("[AuthMiddleware] Authenticated:",h);let c=e.some(g=>m.startsWith(g)),n=r.some(g=>m.startsWith(g));if(c&&!h){u&&console.log("[AuthMiddleware] Redirecting to login");let g=a.nextUrl.clone();return g.pathname=o,g.searchParams.set("returnUrl",m),NextResponse.redirect(g)}if(n&&h){u&&console.log("[AuthMiddleware] Redirecting to home");let g=a.nextUrl.searchParams.get("returnUrl"),d=a.nextUrl.clone();return d.pathname=g||i,d.searchParams.delete("returnUrl"),NextResponse.redirect(d)}let f=NextResponse.next();if(h){f.headers.set("x-msal-authenticated","true");try{let g=a.cookies.get(s);if(g?.value){let d=j(g.value,Z);d?.username&&f.headers.set("x-msal-username",d.username);}}catch{u&&console.warn("[AuthMiddleware] Failed to parse session data");}}return f}}export{le as AuthGuard,st as AuthStatus,ue as ErrorBoundary,je as MSALProvider,Ke as MicrosoftSignInButton,ee as MsalAuthProvider,T as MsalError,H as ProtectedPage,et as SignOutButton,it as UserAvatar,Rt as createAuthMiddleware,$e as createMissingEnvVarError,X as createMsalConfig,At as createRetryWrapper,xt as createScopedLogger,K as displayValidationResults,vt as getDebugLogger,Be as getMsalInstance,Z as isValidAccountData,V as isValidRedirectUri,fe as isValidScope,Ue as retryWithBackoff,j as safeJsonParse,R as sanitizeError,k as useGraphApi,A as useMsalAuth,gt as useRoles,oe as useUserProfile,Y as validateConfig,Ne as validateScopes,ht as withAuth,De as withPageAuth,P as wrapMsalError};
+Note: Environment variables starting with NEXT_PUBLIC_ are exposed to the browser.`;
+  return new MsalError({
+    ...error,
+    fix,
+    docs: "https://nextjs.org/docs/basic-features/environment-variables"
+  });
+}
+// src/hooks/useTokenRefresh.ts
+import { useEffect, useRef, useCallback as useCallback2 } from "react";
+// src/hooks/useMsalAuth.ts
+import { useMsal, useAccount } from "@azure/msal-react";
+import { InteractionStatus } from "@azure/msal-browser";
+import { useCallback, useMemo } from "react";
+var pendingTokenRequests = /* @__PURE__ */ new Map();
+function useMsalAuth(defaultScopes = ["User.Read"]) {
+  const { instance, accounts, inProgress } = useMsal();
+  const account = useAccount(accounts[0] || null);
+  const isAuthenticated = useMemo(() => accounts.length > 0, [accounts]);
+  const loginRedirect = useCallback(
+    async (scopes = defaultScopes) => {
+      if (inProgress !== InteractionStatus.None) {
+        console.warn("[MSAL] Interaction already in progress");
+        return;
+      }
+      try {
+        const request = {
+          scopes,
+          prompt: "select_account"
+        };
+        await instance.loginRedirect(request);
+      } catch (error) {
+        const msalError = wrapMsalError(error);
+        if (msalError.isUserCancellation()) {
+          console.log("[MSAL] User cancelled login");
+          return;
+        }
+        if (process.env.NODE_ENV === "development") {
+          console.error(msalError.toConsoleString());
+        } else {
+          console.error("[MSAL] Login redirect failed:", msalError.message);
+        }
+        throw msalError;
+      }
+    },
+    [instance, defaultScopes, inProgress]
+  );
+  const logoutRedirect = useCallback(async () => {
+    try {
+      await instance.logoutRedirect({
+        account: account || void 0
+      });
+    } catch (error) {
+      const msalError = wrapMsalError(error);
+      if (process.env.NODE_ENV === "development") {
+        console.error(msalError.toConsoleString());
+      } else {
+        console.error("[MSAL] Logout redirect failed:", msalError.message);
+      }
+      throw msalError;
+    }
+  }, [instance, account]);
+  const acquireTokenSilent = useCallback(
+    async (scopes = defaultScopes) => {
+      if (!account) {
+        throw new Error("[MSAL] No active account. Please login first.");
+      }
+      try {
+        const request = {
+          scopes,
+          account,
+          forceRefresh: false
+        };
+        const response = await instance.acquireTokenSilent(request);
+        return response.accessToken;
+      } catch (error) {
+        const msalError = wrapMsalError(error);
+        if (process.env.NODE_ENV === "development") {
+          console.error(msalError.toConsoleString());
+        } else {
+          console.error("[MSAL] Silent token acquisition failed:", msalError.message);
+        }
+        throw msalError;
+      }
+    },
+    [instance, account, defaultScopes]
+  );
+  const acquireTokenRedirect = useCallback(
+    async (scopes = defaultScopes) => {
+      if (!account) {
+        throw new Error("[MSAL] No active account. Please login first.");
+      }
+      try {
+        const request = {
+          scopes,
+          account
+        };
+        await instance.acquireTokenRedirect(request);
+      } catch (error) {
+        const msalError = wrapMsalError(error);
+        if (process.env.NODE_ENV === "development") {
+          console.error(msalError.toConsoleString());
+        } else {
+          console.error("[MSAL] Token redirect acquisition failed:", msalError.message);
+        }
+        throw msalError;
+      }
+    },
+    [instance, account, defaultScopes]
+  );
+  const acquireToken = useCallback(
+    async (scopes = defaultScopes) => {
+      const requestKey = `${account?.homeAccountId || "anonymous"}-${scopes.sort().join(",")}`;
+      const pendingRequest = pendingTokenRequests.get(requestKey);
+      if (pendingRequest) {
+        return pendingRequest;
+      }
+      const tokenRequest = (async () => {
+        try {
+          return await acquireTokenSilent(scopes);
+        } catch (error) {
+          console.warn("[MSAL] Silent token acquisition failed, falling back to redirect");
+          await acquireTokenRedirect(scopes);
+          throw new Error("[MSAL] Redirecting for token acquisition");
+        } finally {
+          pendingTokenRequests.delete(requestKey);
+        }
+      })();
+      pendingTokenRequests.set(requestKey, tokenRequest);
+      return tokenRequest;
+    },
+    [acquireTokenSilent, acquireTokenRedirect, defaultScopes, account]
+  );
+  const clearSession = useCallback(async () => {
+    instance.setActiveAccount(null);
+    await instance.clearCache();
+  }, [instance]);
+  return {
+    account,
+    accounts,
+    isAuthenticated,
+    inProgress: inProgress !== InteractionStatus.None,
+    loginRedirect,
+    logoutRedirect,
+    acquireToken,
+    acquireTokenSilent,
+    acquireTokenRedirect,
+    clearSession
+  };
+}
+// src/hooks/useTokenRefresh.ts
+function useTokenRefresh(options = {}) {
+  const {
+    enabled = true,
+    refreshBeforeExpiry = 300,
+    // 5 minutes
+    scopes = ["User.Read"],
+    onRefresh,
+    onError
+  } = options;
+  const { isAuthenticated, account, acquireTokenSilent } = useMsalAuth();
+  const intervalRef = useRef(null);
+  const lastRefreshRef = useRef(null);
+  const expiresInRef = useRef(null);
+  const refresh = useCallback2(async () => {
+    if (!isAuthenticated || !account) {
+      return;
+    }
+    try {
+      await acquireTokenSilent(scopes);
+      lastRefreshRef.current = /* @__PURE__ */ new Date();
+      const expiresIn = 3600;
+      expiresInRef.current = expiresIn;
+      onRefresh?.(expiresIn);
+    } catch (error) {
+      console.error("[TokenRefresh] Failed to refresh token:", error);
+      onError?.(error);
+    }
+  }, [isAuthenticated, account, acquireTokenSilent, scopes, onRefresh, onError]);
+  useEffect(() => {
+    if (!enabled || !isAuthenticated) {
+      return;
+    }
+    refresh();
+    intervalRef.current = setInterval(() => {
+      if (!expiresInRef.current) {
+        return;
+      }
+      const timeSinceRefresh = lastRefreshRef.current ? (Date.now() - lastRefreshRef.current.getTime()) / 1e3 : 0;
+      const remainingTime = expiresInRef.current - timeSinceRefresh;
+      expiresInRef.current = Math.max(0, remainingTime);
+      if (remainingTime <= refreshBeforeExpiry && remainingTime > 0) {
+        refresh();
+      }
+    }, 6e4);
+    return () => {
+      if (intervalRef.current) {
+        clearInterval(intervalRef.current);
+      }
+    };
+  }, [enabled, isAuthenticated, refreshBeforeExpiry, refresh]);
+  const isExpiringSoon = expiresInRef.current !== null && expiresInRef.current <= refreshBeforeExpiry;
+  return {
+    expiresIn: expiresInRef.current,
+    isExpiringSoon,
+    refresh,
+    lastRefresh: lastRefreshRef.current
+  };
+}
+// src/components/TokenRefreshManager.tsx
+function TokenRefreshManager({
+  enabled,
+  refreshBeforeExpiry = 300,
+  scopes = ["User.Read"],
+  enableLogging = false
+}) {
+  useTokenRefresh({
+    enabled,
+    refreshBeforeExpiry,
+    scopes,
+    onRefresh: (expiresIn) => {
+      if (enableLogging) {
+        console.log(`[TokenRefresh] Token refreshed successfully. Expires in ${expiresIn} seconds.`);
+      }
+    },
+    onError: (error) => {
+      if (enableLogging) {
+        console.error("[TokenRefresh] Failed to refresh token:", error);
+      }
+    }
+  });
+  return null;
+}
+// src/components/MsalAuthProvider.tsx
+import { Fragment, jsx, jsxs } from "react/jsx-runtime";
+var globalMsalInstance = null;
+function getMsalInstance() {
+  return globalMsalInstance;
+}
+function MsalAuthProvider({
+  children,
+  loadingComponent,
+  onInitialized,
+  autoRefreshToken = false,
+  refreshBeforeExpiry = 300,
+  ...config
+}) {
+  const [msalInstance, setMsalInstance] = useState(null);
+  const instanceRef = useRef2(null);
+  const { scopes = ["User.Read"], enableLogging = false } = config;
+  useEffect2(() => {
+    if (typeof window === "undefined") {
+      return;
+    }
+    if (instanceRef.current) {
+      return;
+    }
+    const initializeMsal = async () => {
+      try {
+        if (process.env.NODE_ENV === "development") {
+          const validationResult = validateConfig(config);
+          displayValidationResults(validationResult);
+        }
+        const msalConfig = createMsalConfig(config);
+        const instance = new PublicClientApplication(msalConfig);
+        await instance.initialize();
+        try {
+          const response = await instance.handleRedirectPromise();
+          if (response) {
+            if (config.enableLogging) {
+              console.log("[MSAL] Redirect authentication successful");
+            }
+            if (response.account) {
+              instance.setActiveAccount(response.account);
+            }
+            if (window.location.hash) {
+              window.history.replaceState(null, "", window.location.pathname + window.location.search);
+            }
+          }
+        } catch (redirectError) {
+          const msalError = wrapMsalError(redirectError);
+          if (msalError.code === "no_token_request_cache_error") {
+            if (config.enableLogging) {
+              console.log("[MSAL] No pending redirect found (this is normal)");
+            }
+          } else if (msalError.isUserCancellation()) {
+            if (config.enableLogging) {
+              console.log("[MSAL] User cancelled authentication");
+            }
+          } else {
+            if (process.env.NODE_ENV === "development") {
+              console.error(msalError.toConsoleString());
+            } else {
+              console.error("[MSAL] Redirect handling error:", msalError.message);
+            }
+          }
+          if (window.location.hash && (window.location.hash.includes("code=") || window.location.hash.includes("error="))) {
+            window.history.replaceState(null, "", window.location.pathname + window.location.search);
+          }
+        }
+        const accounts = instance.getAllAccounts();
+        if (accounts.length > 0 && !instance.getActiveAccount()) {
+          instance.setActiveAccount(accounts[0]);
+        }
+        const loggingEnabled = config.enableLogging || false;
+        instance.addEventCallback((event) => {
+          if (event.eventType === EventType.LOGIN_SUCCESS) {
+            const payload = event.payload;
+            if (payload?.account) {
+              instance.setActiveAccount(payload.account);
+            }
+            if (loggingEnabled) {
+              console.log("[MSAL] Login successful:", payload.account?.username);
+            }
+          }
+          if (event.eventType === EventType.LOGIN_FAILURE) {
+            console.error("[MSAL] Login failed:", event.error);
+          }
+          if (event.eventType === EventType.LOGOUT_SUCCESS) {
+            instance.setActiveAccount(null);
+            if (loggingEnabled) {
+              console.log("[MSAL] Logout successful");
+            }
+          }
+          if (event.eventType === EventType.ACQUIRE_TOKEN_SUCCESS) {
+            const payload = event.payload;
+            if (payload?.account && !instance.getActiveAccount()) {
+              instance.setActiveAccount(payload.account);
+            }
+          }
+          if (event.eventType === EventType.ACQUIRE_TOKEN_FAILURE) {
+            if (loggingEnabled) {
+              console.error("[MSAL] Token acquisition failed:", event.error);
+            }
+          }
+        });
+        instanceRef.current = instance;
+        globalMsalInstance = instance;
+        setMsalInstance(instance);
+        if (onInitialized) {
+          onInitialized(instance);
+        }
+      } catch (error) {
+        console.error("[MSAL] Initialization failed:", error);
+        throw error;
+      }
+    };
+    initializeMsal();
+  }, []);
+  if (typeof window === "undefined") {
+    return /* @__PURE__ */ jsx(Fragment, { children: loadingComponent || /* @__PURE__ */ jsx("div", { children: "Loading authentication..." }) });
+  }
+  if (!msalInstance) {
+    return /* @__PURE__ */ jsx(Fragment, { children: loadingComponent || /* @__PURE__ */ jsx("div", { children: "Loading authentication..." }) });
+  }
+  return /* @__PURE__ */ jsxs(MsalProvider, { instance: msalInstance, children: [
+    autoRefreshToken && /* @__PURE__ */ jsx(
+      TokenRefreshManager,
+      {
+        enabled: autoRefreshToken,
+        refreshBeforeExpiry,
+        scopes,
+        enableLogging
+      }
+    ),
+    children
+  ] });
+}
+// src/components/MSALProvider.tsx
+import { createContext, useContext } from "react";
+import { jsx as jsx2 } from "react/jsx-runtime";
+var ProtectionConfigContext = createContext(void 0);
+function MSALProvider({ children, protection, ...props }) {
+  return /* @__PURE__ */ jsx2(ProtectionConfigContext.Provider, { value: protection, children: /* @__PURE__ */ jsx2(MsalAuthProvider, { ...props, children }) });
+}
+// src/components/MicrosoftSignInButton.tsx
+import { useState as useState2, useEffect as useEffect3, useRef as useRef3 } from "react";
+import { jsx as jsx3, jsxs as jsxs2 } from "react/jsx-runtime";
+function MicrosoftSignInButton({
+  text = "Sign in with Microsoft",
+  variant = "dark",
+  size = "medium",
+  scopes,
+  className = "",
+  style,
+  onSuccess,
+  onError
+}) {
+  const { loginRedirect, inProgress, isAuthenticated } = useMsalAuth();
+  const [isLoading, setIsLoading] = useState2(false);
+  const timeoutRef = useRef3(null);
+  useEffect3(() => {
+    return () => {
+      if (timeoutRef.current) {
+        clearTimeout(timeoutRef.current);
+      }
+    };
+  }, []);
+  useEffect3(() => {
+    if (isAuthenticated && isLoading) {
+      setIsLoading(false);
+    }
+  }, [isAuthenticated, isLoading]);
+  const handleClick = async () => {
+    if (inProgress || isLoading || isAuthenticated) {
+      return;
+    }
+    setIsLoading(true);
+    try {
+      await loginRedirect(scopes);
+      onSuccess?.();
+    } catch (error) {
+      onError?.(error);
+      setIsLoading(false);
+    }
+    timeoutRef.current = setTimeout(() => {
+      setIsLoading(false);
+    }, 3e3);
+  };
+  const sizeStyles = {
+    small: {
+      padding: "8px 16px",
+      fontSize: "14px",
+      height: "36px"
+    },
+    medium: {
+      padding: "10px 20px",
+      fontSize: "15px",
+      height: "41px"
+    },
+    large: {
+      padding: "12px 24px",
+      fontSize: "16px",
+      height: "48px"
+    }
+  };
+  const variantStyles = {
+    dark: {
+      backgroundColor: "#2F2F2F",
+      color: "#FFFFFF",
+      border: "1px solid #8C8C8C"
+    },
+    light: {
+      backgroundColor: "#FFFFFF",
+      color: "#5E5E5E",
+      border: "1px solid #8C8C8C"
+    }
+  };
+  const isDisabled = inProgress || isLoading;
+  const baseStyles = {
+    display: "inline-flex",
+    alignItems: "center",
+    justifyContent: "center",
+    gap: "12px",
+    fontFamily: '"Segoe UI", Tahoma, Geneva, Verdana, sans-serif',
+    fontWeight: 600,
+    borderRadius: "2px",
+    cursor: isDisabled ? "not-allowed" : "pointer",
+    transition: "all 0.2s ease",
+    opacity: isDisabled ? 0.6 : 1,
+    ...variantStyles[variant],
+    ...sizeStyles[size],
+    ...style
+  };
+  return /* @__PURE__ */ jsxs2(
+    "button",
+    {
+      onClick: handleClick,
+      disabled: isDisabled,
+      className,
+      style: baseStyles,
+      "aria-label": text,
+      children: [
+        /* @__PURE__ */ jsx3(MicrosoftLogo, {}),
+        /* @__PURE__ */ jsx3("span", { children: text })
+      ]
+    }
+  );
+}
+function MicrosoftLogo() {
+  return /* @__PURE__ */ jsxs2("svg", { width: "21", height: "21", viewBox: "0 0 21 21", fill: "none", xmlns: "http://www.w3.org/2000/svg", children: [
+    /* @__PURE__ */ jsx3("rect", { width: "10", height: "10", fill: "#F25022" }),
+    /* @__PURE__ */ jsx3("rect", { x: "11", width: "10", height: "10", fill: "#7FBA00" }),
+    /* @__PURE__ */ jsx3("rect", { y: "11", width: "10", height: "10", fill: "#00A4EF" }),
+    /* @__PURE__ */ jsx3("rect", { x: "11", y: "11", width: "10", height: "10", fill: "#FFB900" })
+  ] });
+}
+// src/components/SignOutButton.tsx
+import { jsx as jsx4, jsxs as jsxs3 } from "react/jsx-runtime";
+function SignOutButton({
+  text = "Sign out",
+  variant = "dark",
+  size = "medium",
+  className = "",
+  style,
+  onSuccess,
+  onError
+}) {
+  const { logoutRedirect, inProgress } = useMsalAuth();
+  const handleClick = async () => {
+    try {
+      await logoutRedirect();
+      onSuccess?.();
+    } catch (error) {
+      onError?.(error);
+    }
+  };
+  const sizeStyles = {
+    small: {
+      padding: "8px 16px",
+      fontSize: "14px",
+      height: "36px"
+    },
+    medium: {
+      padding: "10px 20px",
+      fontSize: "15px",
+      height: "41px"
+    },
+    large: {
+      padding: "12px 24px",
+      fontSize: "16px",
+      height: "48px"
+    }
+  };
+  const variantStyles = {
+    dark: {
+      backgroundColor: "#2F2F2F",
+      color: "#FFFFFF",
+      border: "1px solid #8C8C8C"
+    },
+    light: {
+      backgroundColor: "#FFFFFF",
+      color: "#5E5E5E",
+      border: "1px solid #8C8C8C"
+    }
+  };
+  const baseStyles = {
+    display: "inline-flex",
+    alignItems: "center",
+    justifyContent: "center",
+    gap: "12px",
+    fontFamily: '"Segoe UI", Tahoma, Geneva, Verdana, sans-serif',
+    fontWeight: 600,
+    borderRadius: "2px",
+    cursor: inProgress ? "not-allowed" : "pointer",
+    transition: "all 0.2s ease",
+    opacity: inProgress ? 0.6 : 1,
+    ...variantStyles[variant],
+    ...sizeStyles[size],
+    ...style
+  };
+  return /* @__PURE__ */ jsxs3(
+    "button",
+    {
+      onClick: handleClick,
+      disabled: inProgress,
+      className,
+      style: baseStyles,
+      "aria-label": text,
+      children: [
+        /* @__PURE__ */ jsx4(MicrosoftLogo2, {}),
+        /* @__PURE__ */ jsx4("span", { children: text })
+      ]
+    }
+  );
+}
+function MicrosoftLogo2() {
+  return /* @__PURE__ */ jsxs3("svg", { width: "21", height: "21", viewBox: "0 0 21 21", fill: "none", xmlns: "http://www.w3.org/2000/svg", children: [
+    /* @__PURE__ */ jsx4("rect", { width: "10", height: "10", fill: "#F25022" }),
+    /* @__PURE__ */ jsx4("rect", { x: "11", width: "10", height: "10", fill: "#7FBA00" }),
+    /* @__PURE__ */ jsx4("rect", { y: "11", width: "10", height: "10", fill: "#00A4EF" }),
+    /* @__PURE__ */ jsx4("rect", { x: "11", y: "11", width: "10", height: "10", fill: "#FFB900" })
+  ] });
+}
+// src/components/UserAvatar.tsx
+import { useEffect as useEffect5, useState as useState4 } from "react";
+// src/hooks/useUserProfile.ts
+import { useState as useState3, useEffect as useEffect4, useCallback as useCallback4 } from "react";
+// src/hooks/useGraphApi.ts
+import { useCallback as useCallback3 } from "react";
+function useGraphApi() {
+  const { acquireToken } = useMsalAuth();
+  const request = useCallback3(
+    async (endpoint, options = {}) => {
+      const {
+        scopes = ["User.Read"],
+        version = "v1.0",
+        debug = false,
+        ...fetchOptions
+      } = options;
+      try {
+        const token = await acquireToken(scopes);
+        const baseUrl = `https://graph.microsoft.com/${version}`;
+        const url = endpoint.startsWith("http") ? endpoint : `${baseUrl}${endpoint.startsWith("/") ? endpoint : `/${endpoint}`}`;
+        if (debug) {
+          console.log("[GraphAPI] Request:", { url, method: fetchOptions.method || "GET" });
+        }
+        const response = await fetch(url, {
+          ...fetchOptions,
+          headers: {
+            "Authorization": `Bearer ${token}`,
+            "Content-Type": "application/json",
+            ...fetchOptions.headers
+          }
+        });
+        if (!response.ok) {
+          const errorText = await response.text();
+          const errorMessage = `Graph API error (${response.status}): ${errorText}`;
+          throw new Error(errorMessage);
+        }
+        if (response.status === 204 || response.headers.get("content-length") === "0") {
+          return null;
+        }
+        const data = await response.json();
+        if (debug) {
+          console.log("[GraphAPI] Response:", data);
+        }
+        return data;
+      } catch (error) {
+        const sanitizedMessage = sanitizeError(error);
+        console.error("[GraphAPI] Request failed:", sanitizedMessage);
+        throw new Error(sanitizedMessage);
+      }
+    },
+    [acquireToken]
+  );
+  const get = useCallback3(
+    (endpoint, options = {}) => {
+      return request(endpoint, { ...options, method: "GET" });
+    },
+    [request]
+  );
+  const post = useCallback3(
+    (endpoint, body, options = {}) => {
+      return request(endpoint, {
+        ...options,
+        method: "POST",
+        body: body ? JSON.stringify(body) : void 0
+      });
+    },
+    [request]
+  );
+  const put = useCallback3(
+    (endpoint, body, options = {}) => {
+      return request(endpoint, {
+        ...options,
+        method: "PUT",
+        body: body ? JSON.stringify(body) : void 0
+      });
+    },
+    [request]
+  );
+  const patch = useCallback3(
+    (endpoint, body, options = {}) => {
+      return request(endpoint, {
+        ...options,
+        method: "PATCH",
+        body: body ? JSON.stringify(body) : void 0
+      });
+    },
+    [request]
+  );
+  const deleteRequest = useCallback3(
+    (endpoint, options = {}) => {
+      return request(endpoint, { ...options, method: "DELETE" });
+    },
+    [request]
+  );
+  return {
+    get,
+    post,
+    put,
+    patch,
+    delete: deleteRequest,
+    request
+  };
+}
+// src/hooks/useUserProfile.ts
+var profileCache = /* @__PURE__ */ new Map();
+var CACHE_DURATION = 5 * 60 * 1e3;
+var MAX_CACHE_SIZE = 100;
+function enforceCacheLimit() {
+  if (profileCache.size > MAX_CACHE_SIZE) {
+    const entries = Array.from(profileCache.entries());
+    entries.sort((a, b) => a[1].timestamp - b[1].timestamp);
+    const toRemove = entries.slice(0, profileCache.size - MAX_CACHE_SIZE);
+    toRemove.forEach(([key]) => {
+      const cached = profileCache.get(key);
+      if (cached?.data.photo) {
+        URL.revokeObjectURL(cached.data.photo);
+      }
+      profileCache.delete(key);
+    });
+  }
+}
+function useUserProfile() {
+  const { isAuthenticated, account } = useMsalAuth();
+  const graph = useGraphApi();
+  const [profile, setProfile] = useState3(null);
+  const [loading, setLoading] = useState3(false);
+  const [error, setError] = useState3(null);
+  const fetchProfile = useCallback4(async () => {
+    if (!isAuthenticated || !account) {
+      setProfile(null);
+      return;
+    }
+    const cacheKey = account.homeAccountId;
+    const cached = profileCache.get(cacheKey);
+    if (cached && Date.now() - cached.timestamp < CACHE_DURATION) {
+      setProfile(cached.data);
+      return;
+    }
+    setLoading(true);
+    setError(null);
+    try {
+      const userData = await graph.get("/me", {
+        scopes: ["User.Read"]
+      });
+      let photoUrl;
+      try {
+        const photoBlob = await graph.get("/me/photo/$value", {
+          scopes: ["User.Read"],
+          headers: {
+            "Content-Type": "image/jpeg"
+          }
+        });
+        if (photoBlob) {
+          photoUrl = URL.createObjectURL(photoBlob);
+        }
+      } catch (photoError) {
+        console.debug("[UserProfile] Photo not available");
+      }
+      const profileData = {
+        id: userData.id,
+        displayName: userData.displayName,
+        givenName: userData.givenName,
+        surname: userData.surname,
+        userPrincipalName: userData.userPrincipalName,
+        mail: userData.mail,
+        jobTitle: userData.jobTitle,
+        department: userData.department,
+        companyName: userData.companyName,
+        officeLocation: userData.officeLocation,
+        mobilePhone: userData.mobilePhone,
+        businessPhones: userData.businessPhones,
+        preferredLanguage: userData.preferredLanguage,
+        employeeId: userData.employeeId,
+        employeeHireDate: userData.employeeHireDate,
+        employeeType: userData.employeeType,
+        country: userData.country,
+        city: userData.city,
+        state: userData.state,
+        streetAddress: userData.streetAddress,
+        postalCode: userData.postalCode,
+        usageLocation: userData.usageLocation,
+        manager: userData.manager,
+        aboutMe: userData.aboutMe,
+        birthday: userData.birthday,
+        interests: userData.interests,
+        skills: userData.skills,
+        schools: userData.schools,
+        pastProjects: userData.pastProjects,
+        responsibilities: userData.responsibilities,
+        mySite: userData.mySite,
+        faxNumber: userData.faxNumber,
+        accountEnabled: userData.accountEnabled,
+        ageGroup: userData.ageGroup,
+        userType: userData.userType,
+        photo: photoUrl,
+        ...userData
+        // Include any additional fields from the API
+      };
+      profileCache.set(cacheKey, {
+        data: profileData,
+        timestamp: Date.now()
+      });
+      enforceCacheLimit();
+      setProfile(profileData);
+    } catch (err) {
+      const error2 = err;
+      const sanitizedMessage = sanitizeError(error2);
+      const sanitizedError = new Error(sanitizedMessage);
+      setError(sanitizedError);
+      console.error("[UserProfile] Failed to fetch profile:", sanitizedMessage);
+    } finally {
+      setLoading(false);
+    }
+  }, [isAuthenticated, account, graph]);
+  const clearCache = useCallback4(() => {
+    if (account) {
+      const cached = profileCache.get(account.homeAccountId);
+      if (cached?.data.photo) {
+        URL.revokeObjectURL(cached.data.photo);
+      }
+      profileCache.delete(account.homeAccountId);
+    }
+    if (profile?.photo) {
+      URL.revokeObjectURL(profile.photo);
+    }
+    setProfile(null);
+  }, [account, profile]);
+  useEffect4(() => {
+    fetchProfile();
+    return () => {
+      if (profile?.photo) {
+        URL.revokeObjectURL(profile.photo);
+      }
+    };
+  }, [fetchProfile]);
+  useEffect4(() => {
+    return () => {
+      if (profile?.photo) {
+        URL.revokeObjectURL(profile.photo);
+      }
+    };
+  }, [profile?.photo]);
+  return {
+    profile,
+    loading,
+    error,
+    refetch: fetchProfile,
+    clearCache
+  };
+}
+// src/components/UserAvatar.tsx
+import { jsx as jsx5 } from "react/jsx-runtime";
+function UserAvatar({
+  size = 40,
+  className = "",
+  style,
+  showTooltip = true,
+  fallbackImage
+}) {
+  const { profile, loading } = useUserProfile();
+  const [photoUrl, setPhotoUrl] = useState4(null);
+  const [photoError, setPhotoError] = useState4(false);
+  useEffect5(() => {
+    if (profile?.photo) {
+      setPhotoUrl(profile.photo);
+    }
+  }, [profile?.photo]);
+  const getInitials = () => {
+    if (!profile) return "?";
+    const { givenName, surname, displayName: displayName2 } = profile;
+    if (givenName && surname) {
+      return `${givenName[0]}${surname[0]}`.toUpperCase();
+    }
+    if (displayName2) {
+      const parts = displayName2.split(" ");
+      if (parts.length >= 2) {
+        return `${parts[0][0]}${parts[parts.length - 1][0]}`.toUpperCase();
+      }
+      return displayName2.substring(0, 2).toUpperCase();
+    }
+    return "?";
+  };
+  const baseStyles = {
+    width: `${size}px`,
+    height: `${size}px`,
+    borderRadius: "50%",
+    display: "inline-flex",
+    alignItems: "center",
+    justifyContent: "center",
+    fontSize: `${size * 0.4}px`,
+    fontWeight: 600,
+    fontFamily: '"Segoe UI", Tahoma, Geneva, Verdana, sans-serif',
+    backgroundColor: "#0078D4",
+    color: "#FFFFFF",
+    overflow: "hidden",
+    userSelect: "none",
+    ...style
+  };
+  const displayName = profile?.displayName || "User";
+  if (loading) {
+    return /* @__PURE__ */ jsx5(
+      "div",
+      {
+        className,
+        style: { ...baseStyles, backgroundColor: "#E1E1E1" },
+        "aria-label": "Loading user avatar",
+        children: /* @__PURE__ */ jsx5("span", { style: { fontSize: `${size * 0.3}px` }, children: "..." })
+      }
+    );
+  }
+  if (photoUrl && !photoError) {
+    return /* @__PURE__ */ jsx5(
+      "div",
+      {
+        className,
+        style: baseStyles,
+        title: showTooltip ? displayName : void 0,
+        "aria-label": `${displayName} avatar`,
+        children: /* @__PURE__ */ jsx5(
+          "img",
+          {
+            src: photoUrl,
+            alt: displayName,
+            style: { width: "100%", height: "100%", objectFit: "cover" },
+            onError: () => {
+              setPhotoError(true);
+              if (fallbackImage) {
+                setPhotoUrl(fallbackImage);
+              }
+            }
+          }
+        )
+      }
+    );
+  }
+  return /* @__PURE__ */ jsx5(
+    "div",
+    {
+      className,
+      style: baseStyles,
+      title: showTooltip ? displayName : void 0,
+      "aria-label": `${displayName} avatar`,
+      children: getInitials()
+    }
+  );
+}
+// src/components/AuthStatus.tsx
+import { Fragment as Fragment2, jsx as jsx6, jsxs as jsxs4 } from "react/jsx-runtime";
+function AuthStatus({
+  className = "",
+  style,
+  showDetails = false,
+  renderLoading,
+  renderAuthenticated,
+  renderUnauthenticated
+}) {
+  const { isAuthenticated, inProgress, account } = useMsalAuth();
+  const baseStyles = {
+    display: "inline-flex",
+    alignItems: "center",
+    gap: "8px",
+    padding: "8px 12px",
+    borderRadius: "4px",
+    fontFamily: '"Segoe UI", Tahoma, Geneva, Verdana, sans-serif',
+    fontSize: "14px",
+    fontWeight: 500,
+    ...style
+  };
+  if (inProgress) {
+    if (renderLoading) {
+      return /* @__PURE__ */ jsx6(Fragment2, { children: renderLoading() });
+    }
+    return /* @__PURE__ */ jsxs4(
+      "div",
+      {
+        className,
+        style: { ...baseStyles, backgroundColor: "#FFF4CE", color: "#8A6D3B" },
+        role: "status",
+        "aria-live": "polite",
+        children: [
+          /* @__PURE__ */ jsx6(StatusIndicator, { color: "#FFA500" }),
+          /* @__PURE__ */ jsx6("span", { children: "Loading..." })
+        ]
+      }
+    );
+  }
+  if (isAuthenticated) {
+    const username = account?.username || account?.name || "User";
+    if (renderAuthenticated) {
+      return /* @__PURE__ */ jsx6(Fragment2, { children: renderAuthenticated(username) });
+    }
+    return /* @__PURE__ */ jsxs4(
+      "div",
+      {
+        className,
+        style: { ...baseStyles, backgroundColor: "#D4EDDA", color: "#155724" },
+        role: "status",
+        "aria-live": "polite",
+        children: [
+          /* @__PURE__ */ jsx6(StatusIndicator, { color: "#28A745" }),
+          /* @__PURE__ */ jsx6("span", { children: showDetails ? `Authenticated as ${username}` : "Authenticated" })
+        ]
+      }
+    );
+  }
+  if (renderUnauthenticated) {
+    return /* @__PURE__ */ jsx6(Fragment2, { children: renderUnauthenticated() });
+  }
+  return /* @__PURE__ */ jsxs4(
+    "div",
+    {
+      className,
+      style: { ...baseStyles, backgroundColor: "#F8D7DA", color: "#721C24" },
+      role: "status",
+      "aria-live": "polite",
+      children: [
+        /* @__PURE__ */ jsx6(StatusIndicator, { color: "#DC3545" }),
+        /* @__PURE__ */ jsx6("span", { children: "Not authenticated" })
+      ]
+    }
+  );
+}
+function StatusIndicator({ color }) {
+  return /* @__PURE__ */ jsx6("svg", { width: "8", height: "8", viewBox: "0 0 8 8", fill: "none", xmlns: "http://www.w3.org/2000/svg", children: /* @__PURE__ */ jsx6("circle", { cx: "4", cy: "4", r: "4", fill: color }) });
+}
+// src/components/AuthGuard.tsx
+import { useEffect as useEffect6 } from "react";
+import { Fragment as Fragment3, jsx as jsx7 } from "react/jsx-runtime";
+function AuthGuard({
+  children,
+  loadingComponent,
+  fallbackComponent,
+  scopes,
+  onAuthRequired
+}) {
+  const { isAuthenticated, inProgress, loginRedirect } = useMsalAuth();
+  useEffect6(() => {
+    if (!isAuthenticated && !inProgress) {
+      onAuthRequired?.();
+      const login = async () => {
+        try {
+          await loginRedirect(scopes);
+        } catch (error) {
+          console.error("[AuthGuard] Authentication failed:", error);
+        }
+      };
+      login();
+    }
+  }, [isAuthenticated, inProgress, scopes, loginRedirect, onAuthRequired]);
+  if (inProgress) {
+    return /* @__PURE__ */ jsx7(Fragment3, { children: loadingComponent || /* @__PURE__ */ jsx7("div", { children: "Authenticating..." }) });
+  }
+  if (!isAuthenticated) {
+    return /* @__PURE__ */ jsx7(Fragment3, { children: fallbackComponent || /* @__PURE__ */ jsx7("div", { children: "Redirecting to login..." }) });
+  }
+  return /* @__PURE__ */ jsx7(Fragment3, { children });
+}
+// src/components/ErrorBoundary.tsx
+import { Component } from "react";
+import { jsx as jsx8, jsxs as jsxs5 } from "react/jsx-runtime";
+var ErrorBoundary = class extends Component {
+  constructor(props) {
+    super(props);
+    this.reset = () => {
+      this.setState({
+        hasError: false,
+        error: null
+      });
+    };
+    this.state = {
+      hasError: false,
+      error: null
+    };
+  }
+  static getDerivedStateFromError(error) {
+    return {
+      hasError: true,
+      error
+    };
+  }
+  componentDidCatch(error, errorInfo) {
+    const { onError, debug } = this.props;
+    if (debug) {
+      console.error("[ErrorBoundary] Caught error:", error);
+      console.error("[ErrorBoundary] Error info:", errorInfo);
+    }
+    onError?.(error, errorInfo);
+  }
+  render() {
+    const { hasError, error } = this.state;
+    const { children, fallback } = this.props;
+    if (hasError && error) {
+      if (fallback) {
+        return fallback(error, this.reset);
+      }
+      return /* @__PURE__ */ jsxs5(
+        "div",
+        {
+          style: {
+            padding: "20px",
+            margin: "20px",
+            border: "1px solid #DC3545",
+            borderRadius: "4px",
+            backgroundColor: "#F8D7DA",
+            color: "#721C24",
+            fontFamily: '"Segoe UI", Tahoma, Geneva, Verdana, sans-serif'
+          },
+          children: [
+            /* @__PURE__ */ jsx8("h2", { style: { margin: "0 0 10px 0", fontSize: "18px" }, children: "Authentication Error" }),
+            /* @__PURE__ */ jsx8("p", { style: { margin: "0 0 10px 0" }, children: error.message }),
+            /* @__PURE__ */ jsx8(
+              "button",
+              {
+                onClick: this.reset,
+                style: {
+                  padding: "8px 16px",
+                  backgroundColor: "#DC3545",
+                  color: "#FFFFFF",
+                  border: "none",
+                  borderRadius: "4px",
+                  cursor: "pointer",
+                  fontSize: "14px",
+                  fontWeight: 600
+                },
+                children: "Try Again"
+              }
+            )
+          ]
+        }
+      );
+    }
+    return children;
+  }
+};
+// src/hooks/useRoles.ts
+import { useState as useState5, useEffect as useEffect7, useCallback as useCallback5 } from "react";
+var rolesCache = /* @__PURE__ */ new Map();
+var CACHE_DURATION2 = 5 * 60 * 1e3;
+var MAX_CACHE_SIZE2 = 100;
+function clearRolesCache(accountId) {
+  if (accountId) {
+    rolesCache.delete(accountId);
+  } else {
+    rolesCache.clear();
+  }
+}
+function enforceCacheLimit2() {
+  if (rolesCache.size > MAX_CACHE_SIZE2) {
+    const entries = Array.from(rolesCache.entries());
+    entries.sort((a, b) => a[1].timestamp - b[1].timestamp);
+    const toRemove = entries.slice(0, rolesCache.size - MAX_CACHE_SIZE2);
+    toRemove.forEach(([key]) => rolesCache.delete(key));
+  }
+}
+function useRoles() {
+  const { isAuthenticated, account } = useMsalAuth();
+  const graph = useGraphApi();
+  const [roles, setRoles] = useState5([]);
+  const [groups, setGroups] = useState5([]);
+  const [loading, setLoading] = useState5(false);
+  const [error, setError] = useState5(null);
+  const fetchRolesAndGroups = useCallback5(async () => {
+    if (!isAuthenticated || !account) {
+      setRoles([]);
+      setGroups([]);
+      return;
+    }
+    const cacheKey = account.homeAccountId;
+    const cached = rolesCache.get(cacheKey);
+    if (cached && Date.now() - cached.timestamp < CACHE_DURATION2) {
+      setRoles(cached.roles);
+      setGroups(cached.groups);
+      return;
+    }
+    setLoading(true);
+    setError(null);
+    try {
+      const idTokenClaims = account.idTokenClaims;
+      const tokenRoles = idTokenClaims?.roles || [];
+      const groupsResponse = await graph.get("/me/memberOf", {
+        scopes: ["User.Read", "Directory.Read.All"]
+      });
+      const userGroups = groupsResponse.value.map((group) => group.id);
+      rolesCache.set(cacheKey, {
+        roles: tokenRoles,
+        groups: userGroups,
+        timestamp: Date.now()
+      });
+      enforceCacheLimit2();
+      setRoles(tokenRoles);
+      setGroups(userGroups);
+    } catch (err) {
+      const error2 = err;
+      const sanitizedMessage = sanitizeError(error2);
+      const sanitizedError = new Error(sanitizedMessage);
+      setError(sanitizedError);
+      console.error("[Roles] Failed to fetch roles/groups:", sanitizedMessage);
+      const idTokenClaims = account.idTokenClaims;
+      const tokenRoles = idTokenClaims?.roles || [];
+      setRoles(tokenRoles);
+    } finally {
+      setLoading(false);
+    }
+  }, [isAuthenticated, account, graph]);
+  const hasRole = useCallback5(
+    (role) => {
+      return roles.includes(role);
+    },
+    [roles]
+  );
+  const hasGroup = useCallback5(
+    (groupId) => {
+      return groups.includes(groupId);
+    },
+    [groups]
+  );
+  const hasAnyRole = useCallback5(
+    (checkRoles) => {
+      return checkRoles.some((role) => roles.includes(role));
+    },
+    [roles]
+  );
+  const hasAllRoles = useCallback5(
+    (checkRoles) => {
+      return checkRoles.every((role) => roles.includes(role));
+    },
+    [roles]
+  );
+  useEffect7(() => {
+    fetchRolesAndGroups();
+    return () => {
+      if (account) {
+        clearRolesCache(account.homeAccountId);
+      }
+    };
+  }, [fetchRolesAndGroups, account]);
+  return {
+    roles,
+    groups,
+    loading,
+    error,
+    hasRole,
+    hasGroup,
+    hasAnyRole,
+    hasAllRoles,
+    refetch: fetchRolesAndGroups
+  };
+}
+// src/utils/withAuth.tsx
+import { jsx as jsx9 } from "react/jsx-runtime";
+function withAuth(Component2, options = {}) {
+  const { displayName, ...guardProps } = options;
+  const WrappedComponent = (props) => {
+    return /* @__PURE__ */ jsx9(AuthGuard, { ...guardProps, children: /* @__PURE__ */ jsx9(Component2, { ...props }) });
+  };
+  WrappedComponent.displayName = displayName || `withAuth(${Component2.displayName || Component2.name || "Component"})`;
+  return WrappedComponent;
+}
+// src/utils/tokenRetry.ts
+async function retryWithBackoff(fn, config = {}) {
+  const {
+    maxRetries = 3,
+    initialDelay = 1e3,
+    maxDelay = 1e4,
+    backoffMultiplier = 2,
+    debug = false
+  } = config;
+  let lastError;
+  let delay = initialDelay;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    try {
+      if (debug && attempt > 0) {
+        console.log(`[TokenRetry] Attempt ${attempt + 1}/${maxRetries + 1}`);
+      }
+      return await fn();
+    } catch (error) {
+      lastError = error;
+      if (attempt === maxRetries) {
+        if (debug) {
+          console.error("[TokenRetry] All retry attempts failed");
+        }
+        break;
+      }
+      if (!isRetryableError(error)) {
+        if (debug) {
+          console.log("[TokenRetry] Non-retryable error, aborting");
+        }
+        throw error;
+      }
+      if (debug) {
+        console.warn(`[TokenRetry] Attempt ${attempt + 1} failed, retrying in ${delay}ms...`);
+      }
+      await sleep(delay);
+      delay = Math.min(delay * backoffMultiplier, maxDelay);
+    }
+  }
+  throw lastError;
+}
+function isRetryableError(error) {
+  const message = error.message.toLowerCase();
+  if (message.includes("network") || message.includes("timeout") || message.includes("fetch") || message.includes("connection")) {
+    return true;
+  }
+  if (message.includes("500") || message.includes("502") || message.includes("503")) {
+    return true;
+  }
+  if (message.includes("429") || message.includes("rate limit")) {
+    return true;
+  }
+  if (message.includes("token") && message.includes("expired")) {
+    return true;
+  }
+  return false;
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function createRetryWrapper(fn, config = {}) {
+  return (...args) => {
+    return retryWithBackoff(() => fn(...args), config);
+  };
+}
+// src/utils/debugLogger.ts
+var DebugLogger = class {
+  constructor(config = {}) {
+    this.logHistory = [];
+    this.performanceTimings = /* @__PURE__ */ new Map();
+    this.config = {
+      enabled: config.enabled ?? false,
+      prefix: config.prefix ?? "[MSAL-Next]",
+      showTimestamp: config.showTimestamp ?? true,
+      level: config.level ?? "info",
+      enablePerformance: config.enablePerformance ?? false,
+      enableNetworkLogs: config.enableNetworkLogs ?? false,
+      maxHistorySize: config.maxHistorySize ?? 100
+    };
+  }
+  shouldLog(level) {
+    if (!this.config.enabled) return false;
+    const levels = ["error", "warn", "info", "debug"];
+    const currentLevelIndex = levels.indexOf(this.config.level);
+    const messageLevelIndex = levels.indexOf(level);
+    return messageLevelIndex <= currentLevelIndex;
+  }
+  formatMessage(level, message, data) {
+    const timestamp = this.config.showTimestamp ? `[${(/* @__PURE__ */ new Date()).toISOString()}]` : "";
+    const prefix = this.config.prefix;
+    const levelStr = `[${level.toUpperCase()}]`;
+    let formatted = `${timestamp} ${prefix} ${levelStr} ${message}`;
+    if (data !== void 0) {
+      formatted += "\n" + JSON.stringify(data, null, 2);
+    }
+    return formatted;
+  }
+  addToHistory(level, message, data) {
+    if (this.logHistory.length >= this.config.maxHistorySize) {
+      this.logHistory.shift();
+    }
+    this.logHistory.push({
+      timestamp: Date.now(),
+      level,
+      message,
+      data
+    });
+  }
+  error(message, data) {
+    if (this.shouldLog("error")) {
+      console.error(this.formatMessage("error", message, data));
+      this.addToHistory("error", message, data);
+    }
+  }
+  warn(message, data) {
+    if (this.shouldLog("warn")) {
+      console.warn(this.formatMessage("warn", message, data));
+      this.addToHistory("warn", message, data);
+    }
+  }
+  info(message, data) {
+    if (this.shouldLog("info")) {
+      console.info(this.formatMessage("info", message, data));
+      this.addToHistory("info", message, data);
+    }
+  }
+  debug(message, data) {
+    if (this.shouldLog("debug")) {
+      console.debug(this.formatMessage("debug", message, data));
+      this.addToHistory("debug", message, data);
+    }
+  }
+  group(label) {
+    if (this.config.enabled) {
+      console.group(`${this.config.prefix} ${label}`);
+    }
+  }
+  groupEnd() {
+    if (this.config.enabled) {
+      console.groupEnd();
+    }
+  }
+  /**
+   * Start performance timing for an operation
+   */
+  startTiming(operation) {
+    if (this.config.enablePerformance) {
+      this.performanceTimings.set(operation, {
+        operation,
+        startTime: performance.now()
+      });
+      this.debug(`\u23F1\uFE0F Started: ${operation}`);
+    }
+  }
+  /**
+   * End performance timing for an operation
+   */
+  endTiming(operation) {
+    if (this.config.enablePerformance) {
+      const timing = this.performanceTimings.get(operation);
+      if (timing) {
+        timing.endTime = performance.now();
+        timing.duration = timing.endTime - timing.startTime;
+        this.info(`\u23F1\uFE0F Completed: ${operation} (${timing.duration.toFixed(2)}ms)`);
+        return timing.duration;
+      }
+    }
+    return void 0;
+  }
+  /**
+   * Log network request
+   */
+  logRequest(method, url, options) {
+    if (this.config.enableNetworkLogs) {
+      this.debug(`\u{1F310} ${method} ${url}`, options);
+    }
+  }
+  /**
+   * Log network response
+   */
+  logResponse(method, url, status, data) {
+    if (this.config.enableNetworkLogs) {
+      const statusEmoji = status >= 200 && status < 300 ? "\u2705" : "\u274C";
+      this.debug(`${statusEmoji} ${method} ${url} - ${status}`, data);
+    }
+  }
+  /**
+   * Get log history
+   */
+  getHistory() {
+    return [...this.logHistory];
+  }
+  /**
+   * Get performance timings
+   */
+  getPerformanceTimings() {
+    return Array.from(this.performanceTimings.values());
+  }
+  /**
+   * Clear log history
+   */
+  clearHistory() {
+    this.logHistory = [];
+  }
+  /**
+   * Clear performance timings
+   */
+  clearTimings() {
+    this.performanceTimings.clear();
+  }
+  /**
+   * Export logs as JSON
+   */
+  exportLogs() {
+    return JSON.stringify({
+      config: this.config,
+      history: this.logHistory,
+      performanceTimings: Array.from(this.performanceTimings.values()),
+      exportedAt: (/* @__PURE__ */ new Date()).toISOString()
+    }, null, 2);
+  }
+  /**
+   * Download logs as a file
+   */
+  downloadLogs(filename = "msal-next-debug-logs.json") {
+    if (typeof window === "undefined") return;
+    const logs = this.exportLogs();
+    const blob = new Blob([logs], { type: "application/json" });
+    const url = URL.createObjectURL(blob);
+    const a = document.createElement("a");
+    a.href = url;
+    a.download = filename;
+    a.click();
+    URL.revokeObjectURL(url);
+  }
+  setEnabled(enabled) {
+    this.config.enabled = enabled;
+  }
+  setLevel(level) {
+    if (level) {
+      this.config.level = level;
+    }
+  }
+};
+var globalLogger = null;
+function getDebugLogger(config) {
+  if (!globalLogger) {
+    globalLogger = new DebugLogger(config);
+  } else if (config) {
+    if (config.enabled !== void 0) {
+      globalLogger.setEnabled(config.enabled);
+    }
+    if (config.level) {
+      globalLogger.setLevel(config.level);
+    }
+  }
+  return globalLogger;
+}
+function createScopedLogger(scope, config) {
+  return new DebugLogger({
+    ...config,
+    prefix: `[MSAL-Next:${scope}]`
+  });
+}
+// src/protection/ProtectedPage.tsx
+import { useEffect as useEffect8, useState as useState6 } from "react";
+import { useRouter } from "next/navigation";
+import { Fragment as Fragment4, jsx as jsx10, jsxs as jsxs6 } from "react/jsx-runtime";
+function ProtectedPage({
+  children,
+  config,
+  defaultRedirectTo = "/login",
+  defaultLoading,
+  defaultUnauthorized,
+  debug = false
+}) {
+  const router = useRouter();
+  const { isAuthenticated, account, inProgress } = useMsalAuth();
+  const [isValidating, setIsValidating] = useState6(true);
+  const [isAuthorized, setIsAuthorized] = useState6(false);
+  useEffect8(() => {
+    async function checkAuth() {
+      if (debug) {
+        console.log("[ProtectedPage] Checking auth...", {
+          isAuthenticated,
+          inProgress,
+          config
+        });
+      }
+      if (inProgress) {
+        return;
+      }
+      if (!config.required) {
+        setIsAuthorized(true);
+        setIsValidating(false);
+        return;
+      }
+      if (!isAuthenticated || !account) {
+        if (debug) {
+          console.log("[ProtectedPage] Not authenticated, redirecting...");
+        }
+        const redirectPath = config.redirectTo || defaultRedirectTo;
+        const returnUrl = encodeURIComponent(window.location.pathname + window.location.search);
+        router.push(`${redirectPath}?returnUrl=${returnUrl}`);
+        return;
+      }
+      if (config.roles && config.roles.length > 0) {
+        const userRoles = account.idTokenClaims?.roles || [];
+        const hasRequiredRole = config.roles.some((role) => userRoles.includes(role));
+        if (!hasRequiredRole) {
+          if (debug) {
+            console.log("[ProtectedPage] Missing required role", {
+              required: config.roles,
+              user: userRoles
+            });
+          }
+          setIsAuthorized(false);
+          setIsValidating(false);
+          return;
+        }
+      }
+      if (config.validate) {
+        try {
+          const isValid = await config.validate(account);
+          if (!isValid) {
+            if (debug) {
+              console.log("[ProtectedPage] Custom validation failed");
+            }
+            setIsAuthorized(false);
+            setIsValidating(false);
+            return;
+          }
+        } catch (error) {
+          console.error("[ProtectedPage] Validation error:", error);
+          setIsAuthorized(false);
+          setIsValidating(false);
+          return;
+        }
+      }
+      if (debug) {
+        console.log("[ProtectedPage] Authorization successful");
+      }
+      setIsAuthorized(true);
+      setIsValidating(false);
+    }
+    checkAuth();
+  }, [isAuthenticated, account, inProgress, config, router, defaultRedirectTo, debug]);
+  if (isValidating || inProgress) {
+    if (config.loading) {
+      return /* @__PURE__ */ jsx10(Fragment4, { children: config.loading });
+    }
+    if (defaultLoading) {
+      return /* @__PURE__ */ jsx10(Fragment4, { children: defaultLoading });
+    }
+    return /* @__PURE__ */ jsx10("div", { className: "flex items-center justify-center min-h-screen", children: /* @__PURE__ */ jsx10("div", { className: "animate-spin rounded-full h-12 w-12 border-b-2 border-blue-600" }) });
+  }
+  if (!isAuthorized) {
+    if (config.unauthorized) {
+      return /* @__PURE__ */ jsx10(Fragment4, { children: config.unauthorized });
+    }
+    if (defaultUnauthorized) {
+      return /* @__PURE__ */ jsx10(Fragment4, { children: defaultUnauthorized });
+    }
+    return /* @__PURE__ */ jsx10("div", { className: "flex items-center justify-center min-h-screen", children: /* @__PURE__ */ jsxs6("div", { className: "text-center", children: [
+      /* @__PURE__ */ jsx10("h1", { className: "text-2xl font-bold text-gray-900 mb-2", children: "Access Denied" }),
+      /* @__PURE__ */ jsx10("p", { className: "text-gray-600", children: "You don't have permission to access this page." })
+    ] }) });
+  }
+  return /* @__PURE__ */ jsx10(Fragment4, { children });
+}
+// src/protection/withPageAuth.tsx
+import { jsx as jsx11 } from "react/jsx-runtime";
+function withPageAuth(Component2, authConfig, globalConfig) {
+  const WrappedComponent = (props) => {
+    return /* @__PURE__ */ jsx11(
+      ProtectedPage,
+      {
+        config: authConfig,
+        defaultRedirectTo: globalConfig?.defaultRedirectTo,
+        defaultLoading: globalConfig?.defaultLoading,
+        defaultUnauthorized: globalConfig?.defaultUnauthorized,
+        debug: globalConfig?.debug,
+        children: /* @__PURE__ */ jsx11(Component2, { ...props })
+      }
+    );
+  };
+  WrappedComponent.displayName = `withPageAuth(${Component2.displayName || Component2.name || "Component"})`;
+  return WrappedComponent;
+}
+// src/middleware/createAuthMiddleware.ts
+import { NextResponse } from "next/server";
+function createAuthMiddleware(config = {}) {
+  const {
+    protectedRoutes = [],
+    publicOnlyRoutes = [],
+    loginPath = "/login",
+    redirectAfterLogin = "/",
+    sessionCookie = "msal.account",
+    isAuthenticated: customAuthCheck,
+    debug = false
+  } = config;
+  return async function authMiddleware(request) {
+    const { pathname } = request.nextUrl;
+    if (debug) {
+      console.log("[AuthMiddleware] Processing:", pathname);
+    }
+    let authenticated = false;
+    if (customAuthCheck) {
+      authenticated = await customAuthCheck(request);
+    } else {
+      const sessionData = request.cookies.get(sessionCookie);
+      authenticated = !!sessionData?.value;
+    }
+    if (debug) {
+      console.log("[AuthMiddleware] Authenticated:", authenticated);
+    }
+    const isProtectedRoute = protectedRoutes.some(
+      (route) => pathname.startsWith(route)
+    );
+    const isPublicOnlyRoute = publicOnlyRoutes.some(
+      (route) => pathname.startsWith(route)
+    );
+    if (isProtectedRoute && !authenticated) {
+      if (debug) {
+        console.log("[AuthMiddleware] Redirecting to login");
+      }
+      const url = request.nextUrl.clone();
+      url.pathname = loginPath;
+      url.searchParams.set("returnUrl", pathname);
+      return NextResponse.redirect(url);
+    }
+    if (isPublicOnlyRoute && authenticated) {
+      if (debug) {
+        console.log("[AuthMiddleware] Redirecting to home");
+      }
+      const returnUrl = request.nextUrl.searchParams.get("returnUrl");
+      const url = request.nextUrl.clone();
+      url.pathname = returnUrl || redirectAfterLogin;
+      url.searchParams.delete("returnUrl");
+      return NextResponse.redirect(url);
+    }
+    const response = NextResponse.next();
+    if (authenticated) {
+      response.headers.set("x-msal-authenticated", "true");
+      try {
+        const sessionData = request.cookies.get(sessionCookie);
+        if (sessionData?.value) {
+          const account = safeJsonParse(sessionData.value, isValidAccountData);
+          if (account?.username) {
+            response.headers.set("x-msal-username", account.username);
+          }
+        }
+      } catch (error) {
+        if (debug) {
+          console.warn("[AuthMiddleware] Failed to parse session data");
+        }
+      }
+    }
+    return response;
+  };
+}
+// src/client.ts
+import { useMsal as useMsal2, useIsAuthenticated, useAccount as useAccount2 } from "@azure/msal-react";
+export {
+  AuthGuard,
+  AuthStatus,
+  ErrorBoundary,
+  MSALProvider,
+  MicrosoftSignInButton,
+  MsalAuthProvider,
+  MsalError,
+  ProtectedPage,
+  SignOutButton,
+  UserAvatar,
+  createAuthMiddleware,
+  createMissingEnvVarError,
+  createMsalConfig,
+  createRetryWrapper,
+  createScopedLogger,
+  displayValidationResults,
+  getDebugLogger,
+  getMsalInstance,
+  isValidAccountData,
+  isValidRedirectUri,
+  isValidScope,
+  retryWithBackoff,
+  safeJsonParse,
+  sanitizeError,
+  useAccount2 as useAccount,
+  useGraphApi,
+  useIsAuthenticated,
+  useMsal2 as useMsal,
+  useMsalAuth,
+  useRoles,
+  useTokenRefresh,
+  useUserProfile,
+  validateConfig,
+  validateScopes,
+  withAuth,
+  withPageAuth,
+  wrapMsalError
+};