@concavejs/cli 0.0.1-alpha.12 → 0.0.1-alpha.13

package/dist/assets/runtime-bun/server/index.js

@@ -958,6 +958,113 @@ var init_base64url2 = __esm(() => {
   init_buffer_utils2();
 });
 
+// ../../node_modules/jose/dist/webapi/lib/crypto_key.js
+function getHashLength2(hash) {
+  return parseInt(hash.name.slice(4), 10);
+}
+function checkHashLength2(algorithm, expected) {
+  const actual = getHashLength2(algorithm.hash);
+  if (actual !== expected)
+    throw unusable2(`SHA-${expected}`, "algorithm.hash");
+}
+function getNamedCurve2(alg) {
+  switch (alg) {
+    case "ES256":
+      return "P-256";
+    case "ES384":
+      return "P-384";
+    case "ES512":
+      return "P-521";
+    default:
+      throw new Error("unreachable");
+  }
+}
+function checkUsage2(key, usage) {
+  if (usage && !key.usages.includes(usage)) {
+    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
+  }
+}
+function checkSigCryptoKey2(key, alg, usage) {
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!isAlgorithm2(key.algorithm, "HMAC"))
+        throw unusable2("HMAC");
+      checkHashLength2(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!isAlgorithm2(key.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw unusable2("RSASSA-PKCS1-v1_5");
+      checkHashLength2(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!isAlgorithm2(key.algorithm, "RSA-PSS"))
+        throw unusable2("RSA-PSS");
+      checkHashLength2(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA": {
+      if (!isAlgorithm2(key.algorithm, "Ed25519"))
+        throw unusable2("Ed25519");
+      break;
+    }
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87": {
+      if (!isAlgorithm2(key.algorithm, alg))
+        throw unusable2(alg);
+      break;
+    }
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!isAlgorithm2(key.algorithm, "ECDSA"))
+        throw unusable2("ECDSA");
+      const expected = getNamedCurve2(alg);
+      const actual = key.algorithm.namedCurve;
+      if (actual !== expected)
+        throw unusable2(expected, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  checkUsage2(key, usage);
+}
+var unusable2 = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`), isAlgorithm2 = (algorithm, name) => algorithm.name === name;
+
+// ../../node_modules/jose/dist/webapi/lib/invalid_key_input.js
+function message2(msg, actual, ...types) {
+  types = types.filter(Boolean);
+  if (types.length > 2) {
+    const last = types.pop();
+    msg += `one of type ${types.join(", ")}, or ${last}.`;
+  } else if (types.length === 2) {
+    msg += `one of type ${types[0]} or ${types[1]}.`;
+  } else {
+    msg += `of type ${types[0]}.`;
+  }
+  if (actual == null) {
+    msg += ` Received ${actual}`;
+  } else if (typeof actual === "function" && actual.name) {
+    msg += ` Received function ${actual.name}`;
+  } else if (typeof actual === "object" && actual != null) {
+    if (actual.constructor?.name) {
+      msg += ` Received an instance of ${actual.constructor.name}`;
+    }
+  }
+  return msg;
+}
+var invalidKeyInput2 = (actual, ...types) => message2("Key must be ", actual, ...types), withAlg2 = (alg, actual, ...types) => message2(`Key for the ${alg} algorithm must be `, actual, ...types);
+
 // ../../node_modules/jose/dist/webapi/util/errors.js
 var exports_errors2 = {};
 __export(exports_errors2, {
@@ -982,8 +1089,8 @@ var init_errors5 = __esm(() => {
   JOSEError2 = class JOSEError2 extends Error {
     static code = "ERR_JOSE_GENERIC";
     code = "ERR_JOSE_GENERIC";
-    constructor(message2, options) {
-      super(message2, options);
+    constructor(message3, options) {
+      super(message3, options);
       this.name = this.constructor.name;
       Error.captureStackTrace?.(this, this.constructor);
     }
@@ -994,8 +1101,8 @@ var init_errors5 = __esm(() => {
     claim;
     reason;
     payload;
-    constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
-      super(message2, { cause: { claim, reason, payload } });
+    constructor(message3, payload, claim = "unspecified", reason = "unspecified") {
+      super(message3, { cause: { claim, reason, payload } });
       this.claim = claim;
       this.reason = reason;
       this.payload = payload;
@@ -1007,8 +1114,8 @@ var init_errors5 = __esm(() => {
     claim;
     reason;
     payload;
-    constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
-      super(message2, { cause: { claim, reason, payload } });
+    constructor(message3, payload, claim = "unspecified", reason = "unspecified") {
+      super(message3, { cause: { claim, reason, payload } });
       this.claim = claim;
       this.reason = reason;
       this.payload = payload;
@@ -1025,8 +1132,8 @@ var init_errors5 = __esm(() => {
   JWEDecryptionFailed2 = class JWEDecryptionFailed2 extends JOSEError2 {
     static code = "ERR_JWE_DECRYPTION_FAILED";
     code = "ERR_JWE_DECRYPTION_FAILED";
-    constructor(message2 = "decryption operation failed", options) {
-      super(message2, options);
+    constructor(message3 = "decryption operation failed", options) {
+      super(message3, options);
     }
   };
   JWEInvalid2 = class JWEInvalid2 extends JOSEError2 {
@@ -1052,145 +1159,34 @@ var init_errors5 = __esm(() => {
   JWKSNoMatchingKey2 = class JWKSNoMatchingKey2 extends JOSEError2 {
     static code = "ERR_JWKS_NO_MATCHING_KEY";
     code = "ERR_JWKS_NO_MATCHING_KEY";
-    constructor(message2 = "no applicable key found in the JSON Web Key Set", options) {
-      super(message2, options);
+    constructor(message3 = "no applicable key found in the JSON Web Key Set", options) {
+      super(message3, options);
     }
   };
   JWKSMultipleMatchingKeys2 = class JWKSMultipleMatchingKeys2 extends JOSEError2 {
     [Symbol.asyncIterator];
     static code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
     code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
-    constructor(message2 = "multiple matching keys found in the JSON Web Key Set", options) {
-      super(message2, options);
+    constructor(message3 = "multiple matching keys found in the JSON Web Key Set", options) {
+      super(message3, options);
     }
   };
   JWKSTimeout2 = class JWKSTimeout2 extends JOSEError2 {
     static code = "ERR_JWKS_TIMEOUT";
     code = "ERR_JWKS_TIMEOUT";
-    constructor(message2 = "request timed out", options) {
-      super(message2, options);
+    constructor(message3 = "request timed out", options) {
+      super(message3, options);
     }
   };
   JWSSignatureVerificationFailed2 = class JWSSignatureVerificationFailed2 extends JOSEError2 {
     static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
     code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-    constructor(message2 = "signature verification failed", options) {
-      super(message2, options);
+    constructor(message3 = "signature verification failed", options) {
+      super(message3, options);
     }
   };
 });
 
-// ../../node_modules/jose/dist/webapi/lib/crypto_key.js
-function getHashLength2(hash) {
-  return parseInt(hash.name.slice(4), 10);
-}
-function getNamedCurve2(alg) {
-  switch (alg) {
-    case "ES256":
-      return "P-256";
-    case "ES384":
-      return "P-384";
-    case "ES512":
-      return "P-521";
-    default:
-      throw new Error("unreachable");
-  }
-}
-function checkUsage2(key, usage) {
-  if (usage && !key.usages.includes(usage)) {
-    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
-  }
-}
-function checkSigCryptoKey2(key, alg, usage) {
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512": {
-      if (!isAlgorithm2(key.algorithm, "HMAC"))
-        throw unusable2("HMAC");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength2(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable2(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "RS256":
-    case "RS384":
-    case "RS512": {
-      if (!isAlgorithm2(key.algorithm, "RSASSA-PKCS1-v1_5"))
-        throw unusable2("RSASSA-PKCS1-v1_5");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength2(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable2(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "PS256":
-    case "PS384":
-    case "PS512": {
-      if (!isAlgorithm2(key.algorithm, "RSA-PSS"))
-        throw unusable2("RSA-PSS");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength2(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable2(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "Ed25519":
-    case "EdDSA": {
-      if (!isAlgorithm2(key.algorithm, "Ed25519"))
-        throw unusable2("Ed25519");
-      break;
-    }
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87": {
-      if (!isAlgorithm2(key.algorithm, alg))
-        throw unusable2(alg);
-      break;
-    }
-    case "ES256":
-    case "ES384":
-    case "ES512": {
-      if (!isAlgorithm2(key.algorithm, "ECDSA"))
-        throw unusable2("ECDSA");
-      const expected = getNamedCurve2(alg);
-      const actual = key.algorithm.namedCurve;
-      if (actual !== expected)
-        throw unusable2(expected, "algorithm.namedCurve");
-      break;
-    }
-    default:
-      throw new TypeError("CryptoKey does not support this operation");
-  }
-  checkUsage2(key, usage);
-}
-var unusable2 = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`), isAlgorithm2 = (algorithm, name) => algorithm.name === name;
-
-// ../../node_modules/jose/dist/webapi/lib/invalid_key_input.js
-function message2(msg, actual, ...types) {
-  types = types.filter(Boolean);
-  if (types.length > 2) {
-    const last = types.pop();
-    msg += `one of type ${types.join(", ")}, or ${last}.`;
-  } else if (types.length === 2) {
-    msg += `one of type ${types[0]} or ${types[1]}.`;
-  } else {
-    msg += `of type ${types[0]}.`;
-  }
-  if (actual == null) {
-    msg += ` Received ${actual}`;
-  } else if (typeof actual === "function" && actual.name) {
-    msg += ` Received function ${actual.name}`;
-  } else if (typeof actual === "object" && actual != null) {
-    if (actual.constructor?.name) {
-      msg += ` Received an instance of ${actual.constructor.name}`;
-    }
-  }
-  return msg;
-}
-var invalidKeyInput2 = (actual, ...types) => message2("Key must be ", actual, ...types), withAlg2 = (alg, actual, ...types) => message2(`Key for the ${alg} algorithm must be `, actual, ...types);
-
 // ../../node_modules/jose/dist/webapi/lib/is_key_like.js
 var isCryptoKey2 = (key) => {
   if (key?.[Symbol.toStringTag] === "CryptoKey")
@@ -1202,7 +1198,34 @@ var isCryptoKey2 = (key) => {
   }
 }, isKeyObject2 = (key) => key?.[Symbol.toStringTag] === "KeyObject", isKeyLike2 = (key) => isCryptoKey2(key) || isKeyObject2(key);
 
-// ../../node_modules/jose/dist/webapi/lib/is_disjoint.js
+// ../../node_modules/jose/dist/webapi/lib/helpers.js
+function decodeBase64url2(value, label, ErrorClass) {
+  try {
+    return decode2(value);
+  } catch {
+    throw new ErrorClass(`Failed to base64url decode the ${label}`);
+  }
+}
+var unprotected2;
+var init_helpers2 = __esm(() => {
+  init_base64url2();
+  unprotected2 = Symbol();
+});
+
+// ../../node_modules/jose/dist/webapi/lib/type_checks.js
+function isObject2(input) {
+  if (!isObjectLike2(input) || Object.prototype.toString.call(input) !== "[object Object]") {
+    return false;
+  }
+  if (Object.getPrototypeOf(input) === null) {
+    return true;
+  }
+  let proto = input;
+  while (Object.getPrototypeOf(proto) !== null) {
+    proto = Object.getPrototypeOf(proto);
+  }
+  return Object.getPrototypeOf(input) === proto;
+}
 function isDisjoint2(...headers) {
   const sources = headers.filter(Boolean);
   if (sources.length === 0 || sources.length === 1) {
@@ -1224,24 +1247,9 @@ function isDisjoint2(...headers) {
   }
   return true;
 }
+var isObjectLike2 = (value) => typeof value === "object" && value !== null, isJWK2 = (key) => isObject2(key) && typeof key.kty === "string", isPrivateJWK2 = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string"), isPublicJWK2 = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined, isSecretJWK2 = (key) => key.kty === "oct" && typeof key.k === "string";
 
-// ../../node_modules/jose/dist/webapi/lib/is_object.js
-function isObject2(input) {
-  if (!isObjectLike2(input) || Object.prototype.toString.call(input) !== "[object Object]") {
-    return false;
-  }
-  if (Object.getPrototypeOf(input) === null) {
-    return true;
-  }
-  let proto = input;
-  while (Object.getPrototypeOf(proto) !== null) {
-    proto = Object.getPrototypeOf(proto);
-  }
-  return Object.getPrototypeOf(input) === proto;
-}
-var isObjectLike2 = (value) => typeof value === "object" && value !== null;
-
-// ../../node_modules/jose/dist/webapi/lib/check_key_length.js
+// ../../node_modules/jose/dist/webapi/lib/signing.js
 function checkKeyLength2(alg, key) {
   if (alg.startsWith("RS") || alg.startsWith("PS")) {
     const { modulusLength } = key.algorithm;
@@ -1250,10 +1258,63 @@ function checkKeyLength2(alg, key) {
     }
   }
 }
-
-// ../../node_modules/jose/dist/webapi/lib/jwk_to_key.js
-function subtleMapping2(jwk) {
-  let algorithm;
+function subtleAlgorithm2(alg, algorithm) {
+  const hash = `SHA-${alg.slice(-3)}`;
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      return { hash, name: "HMAC" };
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { hash, name: "RSASSA-PKCS1-v1_5" };
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
+    case "Ed25519":
+    case "EdDSA":
+      return { name: "Ed25519" };
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return { name: alg };
+    default:
+      throw new JOSENotSupported2(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+async function getSigKey2(alg, key, usage) {
+  if (key instanceof Uint8Array) {
+    if (!alg.startsWith("HS")) {
+      throw new TypeError(invalidKeyInput2(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+    }
+    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
+  }
+  checkSigCryptoKey2(key, alg, usage);
+  return key;
+}
+async function verify2(alg, key, signature, data) {
+  const cryptoKey = await getSigKey2(alg, key, "verify");
+  checkKeyLength2(alg, cryptoKey);
+  const algorithm = subtleAlgorithm2(alg, cryptoKey.algorithm);
+  try {
+    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+  } catch {
+    return false;
+  }
+}
+var init_signing2 = __esm(() => {
+  init_errors5();
+});
+
+// ../../node_modules/jose/dist/webapi/lib/jwk_to_key.js
+function subtleMapping2(jwk) {
+  let algorithm;
   let keyUsages;
   switch (jwk.kty) {
     case "AKP": {
@@ -1265,7 +1326,7 @@ function subtleMapping2(jwk) {
           keyUsages = jwk.priv ? ["sign"] : ["verify"];
           break;
         default:
-          throw new JOSENotSupported2('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported2(unsupportedAlg2);
       }
       break;
     }
@@ -1294,22 +1355,19 @@ function subtleMapping2(jwk) {
           keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
           break;
         default:
-          throw new JOSENotSupported2('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported2(unsupportedAlg2);
       }
       break;
     }
     case "EC": {
       switch (jwk.alg) {
         case "ES256":
-          algorithm = { name: "ECDSA", namedCurve: "P-256" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES384":
-          algorithm = { name: "ECDSA", namedCurve: "P-384" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES512":
-          algorithm = { name: "ECDSA", namedCurve: "P-521" };
+          algorithm = {
+            name: "ECDSA",
+            namedCurve: { ES256: "P-256", ES384: "P-384", ES512: "P-521" }[jwk.alg]
+          };
           keyUsages = jwk.d ? ["sign"] : ["verify"];
           break;
         case "ECDH-ES":
@@ -1320,7 +1378,7 @@ function subtleMapping2(jwk) {
           keyUsages = jwk.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new JOSENotSupported2('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported2(unsupportedAlg2);
       }
       break;
     }
@@ -1339,7 +1397,7 @@ function subtleMapping2(jwk) {
           keyUsages = jwk.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new JOSENotSupported2('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported2(unsupportedAlg2);
       }
       break;
     }
@@ -1360,100 +1418,11 @@ async function jwkToKey2(jwk) {
   delete keyData.use;
   return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
 }
+var unsupportedAlg2 = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
 var init_jwk_to_key2 = __esm(() => {
   init_errors5();
 });
 
-// ../../node_modules/jose/dist/webapi/key/import.js
-async function importJWK2(jwk, alg, options) {
-  if (!isObject2(jwk)) {
-    throw new TypeError("JWK must be an object");
-  }
-  let ext;
-  alg ??= jwk.alg;
-  ext ??= options?.extractable ?? jwk.ext;
-  switch (jwk.kty) {
-    case "oct":
-      if (typeof jwk.k !== "string" || !jwk.k) {
-        throw new TypeError('missing "k" (Key Value) Parameter value');
-      }
-      return decode2(jwk.k);
-    case "RSA":
-      if ("oth" in jwk && jwk.oth !== undefined) {
-        throw new JOSENotSupported2('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
-      }
-      return jwkToKey2({ ...jwk, alg, ext });
-    case "AKP": {
-      if (typeof jwk.alg !== "string" || !jwk.alg) {
-        throw new TypeError('missing "alg" (Algorithm) Parameter value');
-      }
-      if (alg !== undefined && alg !== jwk.alg) {
-        throw new TypeError("JWK alg and alg option value mismatch");
-      }
-      return jwkToKey2({ ...jwk, ext });
-    }
-    case "EC":
-    case "OKP":
-      return jwkToKey2({ ...jwk, alg, ext });
-    default:
-      throw new JOSENotSupported2('Unsupported "kty" (Key Type) Parameter value');
-  }
-}
-var init_import2 = __esm(() => {
-  init_base64url2();
-  init_jwk_to_key2();
-  init_errors5();
-});
-
-// ../../node_modules/jose/dist/webapi/lib/validate_crit.js
-function validateCrit2(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-  if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
-  }
-  if (!protectedHeader || protectedHeader.crit === undefined) {
-    return new Set;
-  }
-  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
-  }
-  let recognized;
-  if (recognizedOption !== undefined) {
-    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
-  } else {
-    recognized = recognizedDefault;
-  }
-  for (const parameter of protectedHeader.crit) {
-    if (!recognized.has(parameter)) {
-      throw new JOSENotSupported2(`Extension Header Parameter "${parameter}" is not recognized`);
-    }
-    if (joseHeader[parameter] === undefined) {
-      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
-    }
-    if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
-      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
-    }
-  }
-  return new Set(protectedHeader.crit);
-}
-var init_validate_crit2 = __esm(() => {
-  init_errors5();
-});
-
-// ../../node_modules/jose/dist/webapi/lib/validate_algorithms.js
-function validateAlgorithms2(option, algorithms) {
-  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
-    throw new TypeError(`"${option}" option must be an array of strings`);
-  }
-  if (!algorithms) {
-    return;
-  }
-  return new Set(algorithms);
-}
-
-// ../../node_modules/jose/dist/webapi/lib/is_jwk.js
-var isJWK2 = (key) => isObject2(key) && typeof key.kty === "string", isPrivateJWK2 = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string"), isPublicJWK2 = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined, isSecretJWK2 = (key) => key.kty === "oct" && typeof key.k === "string";
-var init_is_jwk2 = () => {};
-
 // ../../node_modules/jose/dist/webapi/lib/normalize_key.js
 async function normalizeKey2(key, alg) {
   if (key instanceof Uint8Array) {
@@ -1486,7 +1455,7 @@ async function normalizeKey2(key, alg) {
   }
   throw new Error("unreachable");
 }
-var cache2, handleJWK2 = async (key, jwk, alg, freeze = false) => {
+var unusableForAlg2 = "given KeyObject instance cannot be used for this algorithm", cache2, handleJWK2 = async (key, jwk, alg, freeze = false) => {
   cache2 ||= new WeakMap;
   let cached = cache2.get(key);
   if (cached?.[alg]) {
@@ -1518,13 +1487,13 @@ var cache2, handleJWK2 = async (key, jwk, alg, freeze = false) => {
       case "ECDH-ES+A256KW":
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg2);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
   }
   if (keyObject.asymmetricKeyType === "ed25519") {
     if (alg !== "EdDSA" && alg !== "Ed25519") {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+      throw new TypeError(unusableForAlg2);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
       isPublic ? "verify" : "sign"
@@ -1535,7 +1504,7 @@ var cache2, handleJWK2 = async (key, jwk, alg, freeze = false) => {
     case "ml-dsa-65":
     case "ml-dsa-87": {
       if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg2);
       }
       cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
         isPublic ? "verify" : "sign"
@@ -1564,7 +1533,7 @@ var cache2, handleJWK2 = async (key, jwk, alg, freeze = false) => {
         hash = "SHA-512";
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg2);
     }
     if (alg.startsWith("RSA-OAEP")) {
       return keyObject.toCryptoKey({
@@ -1585,21 +1554,10 @@ var cache2, handleJWK2 = async (key, jwk, alg, freeze = false) => {
     ]);
     const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
     if (!namedCurve) {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-    }
-    if (alg === "ES256" && namedCurve === "P-256") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
-    }
-    if (alg === "ES384" && namedCurve === "P-384") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
+      throw new TypeError(unusableForAlg2);
     }
-    if (alg === "ES512" && namedCurve === "P-521") {
+    const expectedCurve = { ES256: "P-256", ES384: "P-384", ES512: "P-521" };
+    if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {
       cryptoKey = keyObject.toCryptoKey({
         name: "ECDSA",
         namedCurve
@@ -1613,7 +1571,7 @@ var cache2, handleJWK2 = async (key, jwk, alg, freeze = false) => {
     }
   }
   if (!cryptoKey) {
-    throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    throw new TypeError(unusableForAlg2);
   }
   if (!cached) {
     cache2.set(keyObject, { [alg]: cryptoKey });
@@ -1623,11 +1581,96 @@ var cache2, handleJWK2 = async (key, jwk, alg, freeze = false) => {
   return cryptoKey;
 };
 var init_normalize_key2 = __esm(() => {
-  init_is_jwk2();
   init_base64url2();
   init_jwk_to_key2();
 });
 
+// ../../node_modules/jose/dist/webapi/key/import.js
+async function importJWK2(jwk, alg, options) {
+  if (!isObject2(jwk)) {
+    throw new TypeError("JWK must be an object");
+  }
+  let ext;
+  alg ??= jwk.alg;
+  ext ??= options?.extractable ?? jwk.ext;
+  switch (jwk.kty) {
+    case "oct":
+      if (typeof jwk.k !== "string" || !jwk.k) {
+        throw new TypeError('missing "k" (Key Value) Parameter value');
+      }
+      return decode2(jwk.k);
+    case "RSA":
+      if ("oth" in jwk && jwk.oth !== undefined) {
+        throw new JOSENotSupported2('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+      }
+      return jwkToKey2({ ...jwk, alg, ext });
+    case "AKP": {
+      if (typeof jwk.alg !== "string" || !jwk.alg) {
+        throw new TypeError('missing "alg" (Algorithm) Parameter value');
+      }
+      if (alg !== undefined && alg !== jwk.alg) {
+        throw new TypeError("JWK alg and alg option value mismatch");
+      }
+      return jwkToKey2({ ...jwk, ext });
+    }
+    case "EC":
+    case "OKP":
+      return jwkToKey2({ ...jwk, alg, ext });
+    default:
+      throw new JOSENotSupported2('Unsupported "kty" (Key Type) Parameter value');
+  }
+}
+var init_import2 = __esm(() => {
+  init_base64url2();
+  init_jwk_to_key2();
+  init_errors5();
+});
+
+// ../../node_modules/jose/dist/webapi/lib/validate_crit.js
+function validateCrit2(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+  if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
+  }
+  if (!protectedHeader || protectedHeader.crit === undefined) {
+    return new Set;
+  }
+  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  }
+  let recognized;
+  if (recognizedOption !== undefined) {
+    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+  } else {
+    recognized = recognizedDefault;
+  }
+  for (const parameter of protectedHeader.crit) {
+    if (!recognized.has(parameter)) {
+      throw new JOSENotSupported2(`Extension Header Parameter "${parameter}" is not recognized`);
+    }
+    if (joseHeader[parameter] === undefined) {
+      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+    }
+    if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
+      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+    }
+  }
+  return new Set(protectedHeader.crit);
+}
+var init_validate_crit2 = __esm(() => {
+  init_errors5();
+});
+
+// ../../node_modules/jose/dist/webapi/lib/validate_algorithms.js
+function validateAlgorithms2(option, algorithms) {
+  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
+    throw new TypeError(`"${option}" option must be an array of strings`);
+  }
+  if (!algorithms) {
+    return;
+  }
+  return new Set(algorithms);
+}
+
 // ../../node_modules/jose/dist/webapi/lib/check_key_type.js
 function checkKeyType2(alg, key, usage) {
   switch (alg.substring(0, 2)) {
@@ -1744,73 +1787,7 @@ var tag2 = (key) => key?.[Symbol.toStringTag], jwkMatchesOp2 = (alg, key, usage)
     }
   }
 };
-var init_check_key_type2 = __esm(() => {
-  init_is_jwk2();
-});
-
-// ../../node_modules/jose/dist/webapi/lib/subtle_dsa.js
-function subtleAlgorithm2(alg, algorithm) {
-  const hash = `SHA-${alg.slice(-3)}`;
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512":
-      return { hash, name: "HMAC" };
-    case "PS256":
-    case "PS384":
-    case "PS512":
-      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
-    case "RS256":
-    case "RS384":
-    case "RS512":
-      return { hash, name: "RSASSA-PKCS1-v1_5" };
-    case "ES256":
-    case "ES384":
-    case "ES512":
-      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
-    case "Ed25519":
-    case "EdDSA":
-      return { name: "Ed25519" };
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87":
-      return { name: alg };
-    default:
-      throw new JOSENotSupported2(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-  }
-}
-var init_subtle_dsa2 = __esm(() => {
-  init_errors5();
-});
-
-// ../../node_modules/jose/dist/webapi/lib/get_sign_verify_key.js
-async function getSigKey2(alg, key, usage) {
-  if (key instanceof Uint8Array) {
-    if (!alg.startsWith("HS")) {
-      throw new TypeError(invalidKeyInput2(key, "CryptoKey", "KeyObject", "JSON Web Key"));
-    }
-    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
-  }
-  checkSigCryptoKey2(key, alg, usage);
-  return key;
-}
-var init_get_sign_verify_key2 = () => {};
-
-// ../../node_modules/jose/dist/webapi/lib/verify.js
-async function verify2(alg, key, signature, data) {
-  const cryptoKey = await getSigKey2(alg, key, "verify");
-  checkKeyLength2(alg, cryptoKey);
-  const algorithm = subtleAlgorithm2(alg, cryptoKey.algorithm);
-  try {
-    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
-  } catch {
-    return false;
-  }
-}
-var init_verify5 = __esm(() => {
-  init_subtle_dsa2();
-  init_get_sign_verify_key2();
-});
+var init_check_key_type2 = () => {};
 
 // ../../node_modules/jose/dist/webapi/jws/flattened/verify.js
 async function flattenedVerify2(jws, key, options) {
@@ -1878,12 +1855,7 @@ async function flattenedVerify2(jws, key, options) {
   }
   checkKeyType2(alg, key, "verify");
   const data = concat2(jws.protected !== undefined ? encode2(jws.protected) : new Uint8Array, encode2("."), typeof jws.payload === "string" ? b64 ? encode2(jws.payload) : encoder2.encode(jws.payload) : jws.payload);
-  let signature;
-  try {
-    signature = decode2(jws.signature);
-  } catch {
-    throw new JWSInvalid2("Failed to base64url decode the signature");
-  }
+  const signature = decodeBase64url2(jws.signature, "signature", JWSInvalid2);
   const k = await normalizeKey2(key, alg);
   const verified = await verify2(alg, k, signature, data);
   if (!verified) {
@@ -1891,11 +1863,7 @@ async function flattenedVerify2(jws, key, options) {
   }
   let payload;
   if (b64) {
-    try {
-      payload = decode2(jws.payload);
-    } catch {
-      throw new JWSInvalid2("Failed to base64url decode the payload");
-    }
+    payload = decodeBase64url2(jws.payload, "payload", JWSInvalid2);
   } else if (typeof jws.payload === "string") {
     payload = encoder2.encode(jws.payload);
   } else {
@@ -1913,11 +1881,12 @@ async function flattenedVerify2(jws, key, options) {
   }
   return result;
 }
-var init_verify7 = __esm(() => {
+var init_verify4 = __esm(() => {
   init_base64url2();
-  init_verify5();
+  init_signing2();
   init_errors5();
   init_buffer_utils2();
+  init_helpers2();
   init_check_key_type2();
   init_validate_crit2();
   init_normalize_key2();
@@ -1942,8 +1911,8 @@ async function compactVerify2(jws, key, options) {
   }
   return result;
 }
-var init_verify8 = __esm(() => {
-  init_verify7();
+var init_verify6 = __esm(() => {
+  init_verify4();
   init_errors5();
   init_buffer_utils2();
 });
@@ -2187,8 +2156,8 @@ async function jwtVerify2(jwt, key, options) {
   }
   return result;
 }
-var init_verify9 = __esm(() => {
-  init_verify8();
+var init_verify7 = __esm(() => {
+  init_verify6();
   init_jwt_claims_set2();
   init_errors5();
 });
@@ -2473,7 +2442,7 @@ var init_remote2 = __esm(() => {
   init_local2();
   if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
     const NAME = "jose";
-    const VERSION = "v6.1.3";
+    const VERSION = "v6.2.1";
     USER_AGENT2 = `${NAME}/${VERSION}`;
   }
   customFetch2 = Symbol();
@@ -2482,7 +2451,7 @@ var init_remote2 = __esm(() => {
 
 // ../../node_modules/jose/dist/webapi/index.js
 var init_webapi2 = __esm(() => {
-  init_verify9();
+  init_verify7();
   init_local2();
   init_remote2();
   init_errors5();
@@ -10257,6 +10226,111 @@ function decode(input) {
 var init_base64url = __esm2(() => {
   init_buffer_utils();
 });
+function getHashLength(hash) {
+  return parseInt(hash.name.slice(4), 10);
+}
+function checkHashLength(algorithm, expected) {
+  const actual = getHashLength(algorithm.hash);
+  if (actual !== expected)
+    throw unusable(`SHA-${expected}`, "algorithm.hash");
+}
+function getNamedCurve(alg) {
+  switch (alg) {
+    case "ES256":
+      return "P-256";
+    case "ES384":
+      return "P-384";
+    case "ES512":
+      return "P-521";
+    default:
+      throw new Error("unreachable");
+  }
+}
+function checkUsage(key, usage) {
+  if (usage && !key.usages.includes(usage)) {
+    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
+  }
+}
+function checkSigCryptoKey(key, alg, usage) {
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!isAlgorithm(key.algorithm, "HMAC"))
+        throw unusable("HMAC");
+      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw unusable("RSASSA-PKCS1-v1_5");
+      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!isAlgorithm(key.algorithm, "RSA-PSS"))
+        throw unusable("RSA-PSS");
+      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA": {
+      if (!isAlgorithm(key.algorithm, "Ed25519"))
+        throw unusable("Ed25519");
+      break;
+    }
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87": {
+      if (!isAlgorithm(key.algorithm, alg))
+        throw unusable(alg);
+      break;
+    }
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!isAlgorithm(key.algorithm, "ECDSA"))
+        throw unusable("ECDSA");
+      const expected = getNamedCurve(alg);
+      const actual = key.algorithm.namedCurve;
+      if (actual !== expected)
+        throw unusable(expected, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  checkUsage(key, usage);
+}
+var unusable = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
+var isAlgorithm = (algorithm, name) => algorithm.name === name;
+function message(msg, actual, ...types) {
+  types = types.filter(Boolean);
+  if (types.length > 2) {
+    const last = types.pop();
+    msg += `one of type ${types.join(", ")}, or ${last}.`;
+  } else if (types.length === 2) {
+    msg += `one of type ${types[0]} or ${types[1]}.`;
+  } else {
+    msg += `of type ${types[0]}.`;
+  }
+  if (actual == null) {
+    msg += ` Received ${actual}`;
+  } else if (typeof actual === "function" && actual.name) {
+    msg += ` Received function ${actual.name}`;
+  } else if (typeof actual === "object" && actual != null) {
+    if (actual.constructor?.name) {
+      msg += ` Received an instance of ${actual.constructor.name}`;
+    }
+  }
+  return msg;
+}
+var invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types);
+var withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
 var exports_errors = {};
 __export2(exports_errors, {
   JWTInvalid: () => JWTInvalid,
@@ -10294,8 +10368,8 @@ var init_errors2 = __esm2(() => {
   JOSEError = class JOSEError2 extends Error {
     static code = "ERR_JOSE_GENERIC";
     code = "ERR_JOSE_GENERIC";
-    constructor(message, options) {
-      super(message, options);
+    constructor(message2, options) {
+      super(message2, options);
       this.name = this.constructor.name;
       Error.captureStackTrace?.(this, this.constructor);
     }
@@ -10306,8 +10380,8 @@ var init_errors2 = __esm2(() => {
     claim;
     reason;
     payload;
-    constructor(message, payload, claim = "unspecified", reason = "unspecified") {
-      super(message, { cause: { claim, reason, payload } });
+    constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
+      super(message2, { cause: { claim, reason, payload } });
       this.claim = claim;
       this.reason = reason;
       this.payload = payload;
@@ -10319,8 +10393,8 @@ var init_errors2 = __esm2(() => {
     claim;
     reason;
     payload;
-    constructor(message, payload, claim = "unspecified", reason = "unspecified") {
-      super(message, { cause: { claim, reason, payload } });
+    constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
+      super(message2, { cause: { claim, reason, payload } });
       this.claim = claim;
       this.reason = reason;
       this.payload = payload;
@@ -10337,8 +10411,8 @@ var init_errors2 = __esm2(() => {
   JWEDecryptionFailed = class JWEDecryptionFailed2 extends JOSEError {
     static code = "ERR_JWE_DECRYPTION_FAILED";
     code = "ERR_JWE_DECRYPTION_FAILED";
-    constructor(message = "decryption operation failed", options) {
-      super(message, options);
+    constructor(message2 = "decryption operation failed", options) {
+      super(message2, options);
     }
   };
   JWEInvalid = class JWEInvalid2 extends JOSEError {
@@ -10364,142 +10438,33 @@ var init_errors2 = __esm2(() => {
   JWKSNoMatchingKey = class JWKSNoMatchingKey2 extends JOSEError {
     static code = "ERR_JWKS_NO_MATCHING_KEY";
     code = "ERR_JWKS_NO_MATCHING_KEY";
-    constructor(message = "no applicable key found in the JSON Web Key Set", options) {
-      super(message, options);
+    constructor(message2 = "no applicable key found in the JSON Web Key Set", options) {
+      super(message2, options);
     }
   };
   JWKSMultipleMatchingKeys = class JWKSMultipleMatchingKeys2 extends JOSEError {
     [Symbol.asyncIterator];
     static code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
     code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
-    constructor(message = "multiple matching keys found in the JSON Web Key Set", options) {
-      super(message, options);
+    constructor(message2 = "multiple matching keys found in the JSON Web Key Set", options) {
+      super(message2, options);
     }
   };
   JWKSTimeout = class JWKSTimeout2 extends JOSEError {
     static code = "ERR_JWKS_TIMEOUT";
     code = "ERR_JWKS_TIMEOUT";
-    constructor(message = "request timed out", options) {
-      super(message, options);
+    constructor(message2 = "request timed out", options) {
+      super(message2, options);
     }
   };
   JWSSignatureVerificationFailed = class JWSSignatureVerificationFailed2 extends JOSEError {
     static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
     code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-    constructor(message = "signature verification failed", options) {
-      super(message, options);
+    constructor(message2 = "signature verification failed", options) {
+      super(message2, options);
     }
   };
 });
-function getHashLength(hash) {
-  return parseInt(hash.name.slice(4), 10);
-}
-function getNamedCurve(alg) {
-  switch (alg) {
-    case "ES256":
-      return "P-256";
-    case "ES384":
-      return "P-384";
-    case "ES512":
-      return "P-521";
-    default:
-      throw new Error("unreachable");
-  }
-}
-function checkUsage(key, usage) {
-  if (usage && !key.usages.includes(usage)) {
-    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
-  }
-}
-function checkSigCryptoKey(key, alg, usage) {
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512": {
-      if (!isAlgorithm(key.algorithm, "HMAC"))
-        throw unusable("HMAC");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "RS256":
-    case "RS384":
-    case "RS512": {
-      if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5"))
-        throw unusable("RSASSA-PKCS1-v1_5");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "PS256":
-    case "PS384":
-    case "PS512": {
-      if (!isAlgorithm(key.algorithm, "RSA-PSS"))
-        throw unusable("RSA-PSS");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "Ed25519":
-    case "EdDSA": {
-      if (!isAlgorithm(key.algorithm, "Ed25519"))
-        throw unusable("Ed25519");
-      break;
-    }
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87": {
-      if (!isAlgorithm(key.algorithm, alg))
-        throw unusable(alg);
-      break;
-    }
-    case "ES256":
-    case "ES384":
-    case "ES512": {
-      if (!isAlgorithm(key.algorithm, "ECDSA"))
-        throw unusable("ECDSA");
-      const expected = getNamedCurve(alg);
-      const actual = key.algorithm.namedCurve;
-      if (actual !== expected)
-        throw unusable(expected, "algorithm.namedCurve");
-      break;
-    }
-    default:
-      throw new TypeError("CryptoKey does not support this operation");
-  }
-  checkUsage(key, usage);
-}
-var unusable = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
-var isAlgorithm = (algorithm, name) => algorithm.name === name;
-function message(msg, actual, ...types) {
-  types = types.filter(Boolean);
-  if (types.length > 2) {
-    const last = types.pop();
-    msg += `one of type ${types.join(", ")}, or ${last}.`;
-  } else if (types.length === 2) {
-    msg += `one of type ${types[0]} or ${types[1]}.`;
-  } else {
-    msg += `of type ${types[0]}.`;
-  }
-  if (actual == null) {
-    msg += ` Received ${actual}`;
-  } else if (typeof actual === "function" && actual.name) {
-    msg += ` Received function ${actual.name}`;
-  } else if (typeof actual === "object" && actual != null) {
-    if (actual.constructor?.name) {
-      msg += ` Received an instance of ${actual.constructor.name}`;
-    }
-  }
-  return msg;
-}
-var invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types);
-var withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
 var isCryptoKey = (key) => {
   if (key?.[Symbol.toStringTag] === "CryptoKey")
     return true;
@@ -10511,6 +10476,31 @@ var isCryptoKey = (key) => {
 };
 var isKeyObject = (key) => key?.[Symbol.toStringTag] === "KeyObject";
 var isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);
+function decodeBase64url(value, label, ErrorClass) {
+  try {
+    return decode(value);
+  } catch {
+    throw new ErrorClass(`Failed to base64url decode the ${label}`);
+  }
+}
+var unprotected;
+var init_helpers = __esm2(() => {
+  init_base64url();
+  unprotected = Symbol();
+});
+function isObject(input) {
+  if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
+    return false;
+  }
+  if (Object.getPrototypeOf(input) === null) {
+    return true;
+  }
+  let proto = input;
+  while (Object.getPrototypeOf(proto) !== null) {
+    proto = Object.getPrototypeOf(proto);
+  }
+  return Object.getPrototypeOf(input) === proto;
+}
 function isDisjoint(...headers) {
   const sources = headers.filter(Boolean);
   if (sources.length === 0 || sources.length === 1) {
@@ -10532,20 +10522,11 @@ function isDisjoint(...headers) {
   }
   return true;
 }
-function isObject(input) {
-  if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
-    return false;
-  }
-  if (Object.getPrototypeOf(input) === null) {
-    return true;
-  }
-  let proto = input;
-  while (Object.getPrototypeOf(proto) !== null) {
-    proto = Object.getPrototypeOf(proto);
-  }
-  return Object.getPrototypeOf(input) === proto;
-}
 var isObjectLike = (value) => typeof value === "object" && value !== null;
+var isJWK = (key) => isObject(key) && typeof key.kty === "string";
+var isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
+var isPublicJWK = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined;
+var isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
 function checkKeyLength(alg, key) {
   if (alg.startsWith("RS") || alg.startsWith("PS")) {
     const { modulusLength } = key.algorithm;
@@ -10554,6 +10535,59 @@ function checkKeyLength(alg, key) {
     }
   }
 }
+function subtleAlgorithm(alg, algorithm) {
+  const hash = `SHA-${alg.slice(-3)}`;
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      return { hash, name: "HMAC" };
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { hash, name: "RSASSA-PKCS1-v1_5" };
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
+    case "Ed25519":
+    case "EdDSA":
+      return { name: "Ed25519" };
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return { name: alg };
+    default:
+      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+async function getSigKey(alg, key, usage) {
+  if (key instanceof Uint8Array) {
+    if (!alg.startsWith("HS")) {
+      throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+    }
+    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
+  }
+  checkSigCryptoKey(key, alg, usage);
+  return key;
+}
+async function verify(alg, key, signature, data) {
+  const cryptoKey = await getSigKey(alg, key, "verify");
+  checkKeyLength(alg, cryptoKey);
+  const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
+  try {
+    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+  } catch {
+    return false;
+  }
+}
+var init_signing = __esm2(() => {
+  init_errors2();
+});
 function subtleMapping(jwk) {
   let algorithm;
   let keyUsages;
@@ -10567,7 +10601,7 @@ function subtleMapping(jwk) {
           keyUsages = jwk.priv ? ["sign"] : ["verify"];
           break;
         default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported(unsupportedAlg);
       }
       break;
     }
@@ -10596,22 +10630,19 @@ function subtleMapping(jwk) {
           keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
           break;
         default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported(unsupportedAlg);
       }
       break;
     }
     case "EC": {
       switch (jwk.alg) {
         case "ES256":
-          algorithm = { name: "ECDSA", namedCurve: "P-256" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES384":
-          algorithm = { name: "ECDSA", namedCurve: "P-384" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES512":
-          algorithm = { name: "ECDSA", namedCurve: "P-521" };
+          algorithm = {
+            name: "ECDSA",
+            namedCurve: { ES256: "P-256", ES384: "P-384", ES512: "P-521" }[jwk.alg]
+          };
           keyUsages = jwk.d ? ["sign"] : ["verify"];
           break;
         case "ECDH-ES":
@@ -10622,134 +10653,50 @@ function subtleMapping(jwk) {
           keyUsages = jwk.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
-      }
-      break;
-    }
-    case "OKP": {
-      switch (jwk.alg) {
-        case "Ed25519":
-        case "EdDSA":
-          algorithm = { name: "Ed25519" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
-        case "ECDH-ES":
-        case "ECDH-ES+A128KW":
-        case "ECDH-ES+A192KW":
-        case "ECDH-ES+A256KW":
-          algorithm = { name: jwk.crv };
-          keyUsages = jwk.d ? ["deriveBits"] : [];
-          break;
-        default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
-      }
-      break;
-    }
-    default:
-      throw new JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
-  }
-  return { algorithm, keyUsages };
-}
-async function jwkToKey(jwk) {
-  if (!jwk.alg) {
-    throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
-  }
-  const { algorithm, keyUsages } = subtleMapping(jwk);
-  const keyData = { ...jwk };
-  if (keyData.kty !== "AKP") {
-    delete keyData.alg;
-  }
-  delete keyData.use;
-  return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
-}
-var init_jwk_to_key = __esm2(() => {
-  init_errors2();
-});
-async function importJWK(jwk, alg, options) {
-  if (!isObject(jwk)) {
-    throw new TypeError("JWK must be an object");
-  }
-  let ext;
-  alg ??= jwk.alg;
-  ext ??= options?.extractable ?? jwk.ext;
-  switch (jwk.kty) {
-    case "oct":
-      if (typeof jwk.k !== "string" || !jwk.k) {
-        throw new TypeError('missing "k" (Key Value) Parameter value');
-      }
-      return decode(jwk.k);
-    case "RSA":
-      if ("oth" in jwk && jwk.oth !== undefined) {
-        throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
-      }
-      return jwkToKey({ ...jwk, alg, ext });
-    case "AKP": {
-      if (typeof jwk.alg !== "string" || !jwk.alg) {
-        throw new TypeError('missing "alg" (Algorithm) Parameter value');
-      }
-      if (alg !== undefined && alg !== jwk.alg) {
-        throw new TypeError("JWK alg and alg option value mismatch");
+          throw new JOSENotSupported(unsupportedAlg);
       }
-      return jwkToKey({ ...jwk, ext });
+      break;
+    }
+    case "OKP": {
+      switch (jwk.alg) {
+        case "Ed25519":
+        case "EdDSA":
+          algorithm = { name: "Ed25519" };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          algorithm = { name: jwk.crv };
+          keyUsages = jwk.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new JOSENotSupported(unsupportedAlg);
+      }
+      break;
     }
-    case "EC":
-    case "OKP":
-      return jwkToKey({ ...jwk, alg, ext });
     default:
-      throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
+      throw new JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
   }
+  return { algorithm, keyUsages };
 }
-var init_import = __esm2(() => {
-  init_base64url();
-  init_jwk_to_key();
-  init_errors2();
-});
-function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-  if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
-  }
-  if (!protectedHeader || protectedHeader.crit === undefined) {
-    return new Set;
-  }
-  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
-  }
-  let recognized;
-  if (recognizedOption !== undefined) {
-    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
-  } else {
-    recognized = recognizedDefault;
+async function jwkToKey(jwk) {
+  if (!jwk.alg) {
+    throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
   }
-  for (const parameter of protectedHeader.crit) {
-    if (!recognized.has(parameter)) {
-      throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
-    }
-    if (joseHeader[parameter] === undefined) {
-      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
-    }
-    if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
-      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
-    }
+  const { algorithm, keyUsages } = subtleMapping(jwk);
+  const keyData = { ...jwk };
+  if (keyData.kty !== "AKP") {
+    delete keyData.alg;
   }
-  return new Set(protectedHeader.crit);
+  delete keyData.use;
+  return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
 }
-var init_validate_crit = __esm2(() => {
+var unsupportedAlg = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
+var init_jwk_to_key = __esm2(() => {
   init_errors2();
 });
-function validateAlgorithms(option, algorithms) {
-  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
-    throw new TypeError(`"${option}" option must be an array of strings`);
-  }
-  if (!algorithms) {
-    return;
-  }
-  return new Set(algorithms);
-}
-var isJWK = (key) => isObject(key) && typeof key.kty === "string";
-var isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
-var isPublicJWK = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined;
-var isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
-var init_is_jwk = () => {};
 async function normalizeKey(key, alg) {
   if (key instanceof Uint8Array) {
     return key;
@@ -10781,6 +10728,7 @@ async function normalizeKey(key, alg) {
   }
   throw new Error("unreachable");
 }
+var unusableForAlg = "given KeyObject instance cannot be used for this algorithm";
 var cache;
 var handleJWK = async (key, jwk, alg, freeze = false) => {
   cache ||= new WeakMap;
@@ -10815,13 +10763,13 @@ var handleKeyObject = (keyObject, alg) => {
       case "ECDH-ES+A256KW":
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
   }
   if (keyObject.asymmetricKeyType === "ed25519") {
     if (alg !== "EdDSA" && alg !== "Ed25519") {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+      throw new TypeError(unusableForAlg);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
       isPublic ? "verify" : "sign"
@@ -10832,7 +10780,7 @@ var handleKeyObject = (keyObject, alg) => {
     case "ml-dsa-65":
     case "ml-dsa-87": {
       if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg);
       }
       cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
         isPublic ? "verify" : "sign"
@@ -10861,7 +10809,7 @@ var handleKeyObject = (keyObject, alg) => {
         hash = "SHA-512";
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg);
     }
     if (alg.startsWith("RSA-OAEP")) {
       return keyObject.toCryptoKey({
@@ -10882,21 +10830,10 @@ var handleKeyObject = (keyObject, alg) => {
     ]);
     const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
     if (!namedCurve) {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-    }
-    if (alg === "ES256" && namedCurve === "P-256") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
-    }
-    if (alg === "ES384" && namedCurve === "P-384") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
+      throw new TypeError(unusableForAlg);
     }
-    if (alg === "ES512" && namedCurve === "P-521") {
+    const expectedCurve = { ES256: "P-256", ES384: "P-384", ES512: "P-521" };
+    if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {
       cryptoKey = keyObject.toCryptoKey({
         name: "ECDSA",
         namedCurve
@@ -10910,7 +10847,7 @@ var handleKeyObject = (keyObject, alg) => {
     }
   }
   if (!cryptoKey) {
-    throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    throw new TypeError(unusableForAlg);
   }
   if (!cached) {
     cache.set(keyObject, { [alg]: cryptoKey });
@@ -10920,10 +10857,89 @@ var handleKeyObject = (keyObject, alg) => {
   return cryptoKey;
 };
 var init_normalize_key = __esm2(() => {
-  init_is_jwk();
   init_base64url();
   init_jwk_to_key();
 });
+async function importJWK(jwk, alg, options) {
+  if (!isObject(jwk)) {
+    throw new TypeError("JWK must be an object");
+  }
+  let ext;
+  alg ??= jwk.alg;
+  ext ??= options?.extractable ?? jwk.ext;
+  switch (jwk.kty) {
+    case "oct":
+      if (typeof jwk.k !== "string" || !jwk.k) {
+        throw new TypeError('missing "k" (Key Value) Parameter value');
+      }
+      return decode(jwk.k);
+    case "RSA":
+      if ("oth" in jwk && jwk.oth !== undefined) {
+        throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+      }
+      return jwkToKey({ ...jwk, alg, ext });
+    case "AKP": {
+      if (typeof jwk.alg !== "string" || !jwk.alg) {
+        throw new TypeError('missing "alg" (Algorithm) Parameter value');
+      }
+      if (alg !== undefined && alg !== jwk.alg) {
+        throw new TypeError("JWK alg and alg option value mismatch");
+      }
+      return jwkToKey({ ...jwk, ext });
+    }
+    case "EC":
+    case "OKP":
+      return jwkToKey({ ...jwk, alg, ext });
+    default:
+      throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
+  }
+}
+var init_import = __esm2(() => {
+  init_base64url();
+  init_jwk_to_key();
+  init_errors2();
+});
+function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+  if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
+  }
+  if (!protectedHeader || protectedHeader.crit === undefined) {
+    return new Set;
+  }
+  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  }
+  let recognized;
+  if (recognizedOption !== undefined) {
+    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+  } else {
+    recognized = recognizedDefault;
+  }
+  for (const parameter of protectedHeader.crit) {
+    if (!recognized.has(parameter)) {
+      throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
+    }
+    if (joseHeader[parameter] === undefined) {
+      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+    }
+    if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
+      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+    }
+  }
+  return new Set(protectedHeader.crit);
+}
+var init_validate_crit = __esm2(() => {
+  init_errors2();
+});
+function validateAlgorithms(option, algorithms) {
+  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
+    throw new TypeError(`"${option}" option must be an array of strings`);
+  }
+  if (!algorithms) {
+    return;
+  }
+  return new Set(algorithms);
+}
 function checkKeyType(alg, key, usage) {
   switch (alg.substring(0, 2)) {
     case "A1":
@@ -11042,67 +11058,7 @@ var asymmetricTypeCheck = (alg, key, usage) => {
     }
   }
 };
-var init_check_key_type = __esm2(() => {
-  init_is_jwk();
-});
-function subtleAlgorithm(alg, algorithm) {
-  const hash = `SHA-${alg.slice(-3)}`;
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512":
-      return { hash, name: "HMAC" };
-    case "PS256":
-    case "PS384":
-    case "PS512":
-      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
-    case "RS256":
-    case "RS384":
-    case "RS512":
-      return { hash, name: "RSASSA-PKCS1-v1_5" };
-    case "ES256":
-    case "ES384":
-    case "ES512":
-      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
-    case "Ed25519":
-    case "EdDSA":
-      return { name: "Ed25519" };
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87":
-      return { name: alg };
-    default:
-      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-  }
-}
-var init_subtle_dsa = __esm2(() => {
-  init_errors2();
-});
-async function getSigKey(alg, key, usage) {
-  if (key instanceof Uint8Array) {
-    if (!alg.startsWith("HS")) {
-      throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
-    }
-    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
-  }
-  checkSigCryptoKey(key, alg, usage);
-  return key;
-}
-var init_get_sign_verify_key = () => {};
-async function verify(alg, key, signature, data) {
-  const cryptoKey = await getSigKey(alg, key, "verify");
-  checkKeyLength(alg, cryptoKey);
-  const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
-  try {
-    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
-  } catch {
-    return false;
-  }
-}
-var init_verify = __esm2(() => {
-  init_subtle_dsa();
-  init_get_sign_verify_key();
-});
+var init_check_key_type = () => {};
 async function flattenedVerify(jws, key, options) {
   if (!isObject(jws)) {
     throw new JWSInvalid("Flattened JWS must be an object");
@@ -11168,12 +11124,7 @@ async function flattenedVerify(jws, key, options) {
   }
   checkKeyType(alg, key, "verify");
   const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array, encode("."), typeof jws.payload === "string" ? b64 ? encode(jws.payload) : encoder.encode(jws.payload) : jws.payload);
-  let signature;
-  try {
-    signature = decode(jws.signature);
-  } catch {
-    throw new JWSInvalid("Failed to base64url decode the signature");
-  }
+  const signature = decodeBase64url(jws.signature, "signature", JWSInvalid);
   const k = await normalizeKey(key, alg);
   const verified = await verify(alg, k, signature, data);
   if (!verified) {
@@ -11181,11 +11132,7 @@ async function flattenedVerify(jws, key, options) {
   }
   let payload;
   if (b64) {
-    try {
-      payload = decode(jws.payload);
-    } catch {
-      throw new JWSInvalid("Failed to base64url decode the payload");
-    }
+    payload = decodeBase64url(jws.payload, "payload", JWSInvalid);
   } else if (typeof jws.payload === "string") {
     payload = encoder.encode(jws.payload);
   } else {
@@ -11203,11 +11150,12 @@ async function flattenedVerify(jws, key, options) {
   }
   return result;
 }
-var init_verify2 = __esm2(() => {
+var init_verify = __esm2(() => {
   init_base64url();
-  init_verify();
+  init_signing();
   init_errors2();
   init_buffer_utils();
+  init_helpers();
   init_check_key_type();
   init_validate_crit();
   init_normalize_key();
@@ -11230,8 +11178,8 @@ async function compactVerify(jws, key, options) {
   }
   return result;
 }
-var init_verify3 = __esm2(() => {
-  init_verify2();
+var init_verify2 = __esm2(() => {
+  init_verify();
   init_errors2();
   init_buffer_utils();
 });
@@ -11479,8 +11427,8 @@ async function jwtVerify(jwt, key, options) {
   }
   return result;
 }
-var init_verify4 = __esm2(() => {
-  init_verify3();
+var init_verify3 = __esm2(() => {
+  init_verify2();
   init_jwt_claims_set();
   init_errors2();
 });
@@ -11763,14 +11711,14 @@ var init_remote = __esm2(() => {
   init_local();
   if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
     const NAME = "jose";
-    const VERSION = "v6.1.3";
+    const VERSION = "v6.2.1";
     USER_AGENT = `${NAME}/${VERSION}`;
   }
   customFetch = Symbol();
   jwksCache = Symbol();
 });
 var init_webapi = __esm2(() => {
-  init_verify4();
+  init_verify3();
   init_local();
   init_remote();
   init_errors2();
@@ -24507,6 +24455,27 @@ function notFoundHttpResponse() {
     }
   });
 }
+function isMissingModuleError(error, moduleName) {
+  if (!error) {
+    return false;
+  }
+  const errorString = String(error);
+  const moduleSpecifiers = [moduleName, `convex/${moduleName}`];
+  const hasDirectMissingMessage = moduleSpecifiers.some((specifier) => errorString.includes(`Module not found: ${specifier}`));
+  if (hasDirectMissingMessage || errorString.toLowerCase().includes("failed to load convex module")) {
+    return true;
+  }
+  const hasResolutionMessage = moduleSpecifiers.some((specifier) => errorString.includes(`Unable to resolve module "${specifier}"`));
+  const causes = error.causes;
+  if (Array.isArray(causes) && causes.length > 0) {
+    return hasResolutionMessage ? causes.every((cause2) => isMissingModuleError(cause2, moduleName)) : causes.some((cause2) => isMissingModuleError(cause2, moduleName));
+  }
+  const cause = error.cause;
+  if (cause) {
+    return isMissingModuleError(cause, moduleName);
+  }
+  return hasResolutionMessage;
+}
 function getHttpRouteRank(routePath) {
   if (routePath.endsWith("*")) {
     return { kind: 0, length: routePath.length - 1 };
@@ -24678,8 +24647,7 @@ class InlineUdfExecutor {
     try {
       return await loadConvexModule2(moduleName, { componentPath });
     } catch (error) {
-      const message3 = error?.message?.toLowerCase();
-      if (message3 && (message3.includes("module not found") || message3.includes("failed to load convex module"))) {
+      if (isMissingModuleError(error, moduleName)) {
         throw new Error(`UDF module not found: ${moduleName}`);
       }
       throw error;