@enterprisestandard/core 0.0.17 → 0.0.18-beta.20260504.1

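--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -2,34 +2,24 @@ import { version } from "../package.json";
  import { StandardSchemaV1 as StandardSchemaV18 } from "@standard-schema/spec";
  import { StandardSchemaV1 as StandardSchemaV17 } from "@standard-schema/spec";
  /**
- * Minimal logger interface compatible with common patterns (console, pino, winston, etc.)
+ * Minimal logger interface compatible with common structured logging patterns.
  */
  interface Logger {
+ trace(message?: unknown, ...optionalParams: unknown[]): void;
  debug(message?: unknown, ...optionalParams: unknown[]): void;
  info(message?: unknown, ...optionalParams: unknown[]): void;
  warn(message?: unknown, ...optionalParams: unknown[]): void;
  error(message?: unknown, ...optionalParams: unknown[]): void;
  }
  /**
- * Default production-friendly logger:
- * - trace, debug, info → completely silent (no console output)
- * - warn, error → logged to console with basic formatting
- */
- declare const defaultLogger: Logger;
- /**
  * No-op implementation — does nothing for any log level
  */
  declare const silentLogger: Logger;
  /**
- * Logger that logs info, warn, and error to the console.
- */
- declare const infoLogger: Logger;
- /**
- * Logger that logs debug, info, warn, and error to the console.
- * Debug uses console.log with [DEBUG] prefix so it is visible in normal terminal runs.
+ * Default logger used until an Enterprise Standard instance is configured with
+ * an OpenTelemetry-backed logger or an application-provided logger.
  */
- declare const debugLogger: Logger;
- declare const consoleLogger: Logger;
+ declare const defaultLogger: Logger;
  /**
  * Shared types for paginated list operations across stores.
  *
@@ -642,6 +632,90 @@ interface GroupStore<TExtended = Record<string, never>> {
  removeMember(groupId: string, memberId: string): Promise<void>;
  }
  import { StandardSchemaV1 as StandardSchemaV16 } from "@standard-schema/spec";
+ type ChangeListener = () => void;
+ type ReactiveHandle = {
+ beforeChange?(listener: ChangeListener): () => void;
+ afterChange?(listener: ChangeListener): () => void;
+ isAvailable?(): boolean;
+ };
+ type OtelSignalName = "traces" | "metrics" | "logs";
+ type OtelProtocol = "http/protobuf" | "http/json";
+ type OtelProviderType = "otlp" | "grafana-lgtm" | "datadog" | "splunk" | "elastic";
+ type OtelLogLevel = "trace" | "debug" | "info" | "warn" | "error";
+ type OtelLevels = Partial<Record<OtelLogLevel, boolean>>;
+ type OtelAttributeValue = string | number | boolean | string[] | number[] | boolean[];
+ type OtelAttributes = Record<string, OtelAttributeValue>;
+ type OtelSignalConfig = {
+ /** Per-signal OTLP endpoint. When omitted, the module appends /v1/{signal} to `endpoint`. */
+ endpoint?: string;
+ headers?: Record<string, string>;
+ timeoutMillis?: number;
+ concurrencyLimit?: number;
+ };
+ type OtelMetricsSignalConfig = OtelSignalConfig & {
+ exportIntervalMillis?: number;
+ exportTimeoutMillis?: number;
+ };
+ type OtelOAuthClientCredentialsConfig = {
+ tokenUrl: string;
+ clientId: string;
+ clientSecret: string;
+ scope?: string;
+ audience?: string;
+ headers?: Record<string, string>;
+ };
+ type OtelLogRecord = {
+ severityNumber?: number;
+ severityText?: string;
+ body?: unknown;
+ attributes?: Record<string, unknown>;
+ };
+ /**
+ * OpenTelemetry config supplied by ConfigSource/RemoteConfig.
+ * Keep environment-specific URLs and credentials here, not in FrameworkConfig.
+ */
+ type OtelConfig = {
+ type?: OtelProviderType;
+ name: string;
+ endpoint?: string;
+ protocol?: OtelProtocol;
+ headers?: Record<string, string>;
+ apiKey?: string;
+ apiKeyHeader?: string;
+ oauth?: OtelOAuthClientCredentialsConfig;
+ version?: string;
+ deploymentEnvironment?: string;
+ resourceAttributes?: OtelAttributes;
+ levels?: OtelLevels;
+ traces?: boolean | OtelSignalConfig;
+ metrics?: boolean | OtelMetricsSignalConfig;
+ logs?: boolean | OtelSignalConfig;
+ };
+ /**
+ * OpenTelemetry app/runtime wiring supplied by code.
+ * Instrumentation instances and callbacks live here because they are framework-specific code.
+ */
+ type FrameworkOtelConfig = {
+ levels?: OtelLevels;
+ instrument?: unknown[];
+ console?: boolean | ((record: OtelLogRecord) => void);
+ spanProcessors?: unknown[];
+ metricReaders?: unknown[];
+ logRecordProcessors?: unknown[];
+ sampler?: unknown;
+ textMapPropagator?: unknown;
+ contextManager?: unknown;
+ configure?: (options: Record<string, unknown>) => Record<string, unknown> | void;
+ };
+ type Otel = {
+ beforeChange(listener: ChangeListener): () => void;
+ afterChange(listener: ChangeListener): () => void;
+ isAvailable(): boolean;
+ ready(timeout?: number): Promise<void>;
+ logger: Logger;
+ forceFlush(): Promise<void>;
+ shutdown(): Promise<void>;
+ };
  import { StandardSchemaV1 as StandardSchemaV12 } from "@standard-schema/spec";
  /**
  * OIDC Code Flow Callback URL Parameters
@@ -1034,9 +1108,10 @@ declare function deepEqualPlain(a: unknown, b: unknown): boolean;
  * @param pingInterval - The interval in milliseconds to poll the URL.
  * @param warnInterval - The interval in milliseconds to warn about the status. Set warnInterval to 0 to disable warnings.
  * @param timeout - The timeout in milliseconds to reject the promise.
+ * @param log - Optional logger for readiness warnings.
  * @returns A promise that resolves when the service is ready.
  */
- declare function waitOn(url: string, test?: (resp: Response) => boolean | Promise<boolean>, pingInterval?: number, warnInterval?: number, timeout?: number): Promise<void>;
+ declare function waitOn(url: string, test?: (resp: Response) => boolean | Promise<boolean>, pingInterval?: number, warnInterval?: number, timeout?: number, log?: Logger): Promise<void>;
  type SSOConfig<
  TSessionData = Record<string, never>,
  TUserData = Record<string, never>
@@ -1135,12 +1210,6 @@ type SSO<
  handler: (request: Request) => Promise<Response>;
  };
  import { StandardSchemaV1 as StandardSchemaV15 } from "@standard-schema/spec";
- type ChangeListener = () => void;
- type ReactiveHandle = {
- beforeChange?(listener: ChangeListener): () => void;
- afterChange?(listener: ChangeListener): () => void;
- isAvailable?(): boolean;
- };
  import { StandardSchemaV1 as StandardSchemaV14 } from "@standard-schema/spec";
  /**
  * JWT Assertion Claims for OAuth2 JWT Bearer Grant (RFC 7523) and OAuth2 Access Tokens
@@ -1896,8 +1965,7 @@ type VaultLfvSecretsConfig = {
  /** Warning interval in milliseconds for LFV retry logs. Set to 0 to disable warnings. */
  warnInterval?: number;
  /**
- * Optional logger for request/response tracing. Use `debugLogger` from `@enterprisestandard/core`
- * to get debug output with request_id for LFV operations.
+ * Optional logger for request/response tracing.
  */
  log?: Logger;
  };
@@ -1943,6 +2011,8 @@ type VaultSecretsConfig = {
  * MINIMUM: 600_000 milliseconds (10 minutes). Polls the path every ttl milliseconds and calls onConfig when config changes.
  */
  ttl?: number;
+ /** Optional logger used for vault source warnings. */
+ log?: Logger;
  };
  type AwsSecretsConfig = {
  type: "aws";
@@ -2145,13 +2215,14 @@ type ApplicationValidators<TTenantValidators extends TenantValidators = TenantVa
  * from ConfigSource / adaptive (typed as the module type, non-optional).
  */
  type FrameworkConfig = {
- /** Optional `Logger` implementation (e.g. `consoleLogger`); exposed on the instance as `log`. */
+ /** Optional `Logger` implementation; exposed on the instance as `log`. */
  log?: Logger;
  sso?: SSOConfig | null;
  iam?: IAMConfig | null;
  workload?: FrameworkWorkloadConfig | null;
  secrets?: FrameworkSecretsModuleConfig | null;
  ciam?: CIAMConfig | null;
+ otel?: FrameworkOtelConfig | null;
  validators: ESValidators;
  };
  /**
@@ -2178,6 +2249,8 @@ type RemoteConfig = {
  /** Optional named secrets-source configs available to this ESA instance. */
  secrets?: SecretsModuleConfig;
  ciam?: CIAMConfig;
+ /** OpenTelemetry collector/exporter config loaded from ConfigSource. */
+ otel?: OtelConfig;
  };
  /**
  * Stores supplied by the framework/application when creating an Enterprise Standard instance.
@@ -2984,6 +3057,7 @@ type EnterpriseStandardBase = {
  iam?: IAM;
  workload?: Workload | AggregateWorkload;
  ciam?: CIAM;
+ otel?: Otel;
  /**
  * Framework-agnostic request handler that routes requests to the appropriate
  * module (SSO, IAM, Workload, or CIAM) based on the configured URLs.
@@ -3013,6 +3087,7 @@ type EnterpriseStandardStrict<C extends FrameworkConfig> = {
  iam: ESModuleFromConfig<C, "iam", IAM>;
  workload: ESModuleFromConfig<C, "workload", WorkloadModuleFromConfig<C>>;
  ciam: ESModuleFromConfig<C, "ciam", CIAM>;
+ otel: ESModuleFromConfig<C, "otel", Otel>;
  handler: (request: Request) => Promise<Response>;
  ready(timeout?: number): Promise<void>;
  isReady(): boolean;
@@ -3555,4 +3630,4 @@ type LfvErrorResponse = {
  error: LfvErrorCode;
  message: string;
  };
- export { workloadTokenResponseSchema, withValidate, waitOn, version, validationFailureResponse, userSchema, tokenResponseSchema, stripJsonComments, silentLogger, setActiveSession, serializeESConfig, sendTenantWebhook, parseJsonc, oidcCallbackSchema, normalizeTenantRoutingStrategy, normalizeTenantPathNamespace, must, mergeConfig, matchTenantPath, listSsoClientIdsFromCookies, list, jwtAssertionClaimsSchema, isConfigLocator, infoLogger, idTokenClaimsSchema, hydrateTenantForEs, groupResourceSchema, getActiveSession, findTenantFromStateParam, defaultLogger, deepEqualPlain, decodeUser, debugLogger, consoleLogger, clearActiveSession, claimsToUser, buildTenantPath, X509Certificate, WorkloadValidators, WorkloadTokenStore, WorkloadTokenResponse, WorkloadIncomingOutgoing, WorkloadIdentity, WorkloadConfigMap, WorkloadConfig, WorkloadClient, Workload, WorkforceUser, VaultWorkloadAuthConfig, VaultWebSocketSecretsConfig, VaultWebSocketAuthHeader, VaultSecretsConfig, VaultLfvSecretsConfig, VaultConfigLocator, ValidateResult, UsersInboundHandlerConfig, UserStoreOptions, UserStore, UserSortOptions, UserSortField, UserListOptions, UpsertTenantResponse, UpsertTenantRequest, TokenValidationResult, TokenResponse, TenantWebhookPayload, TenantValidators, TenantStore, TenantStatus, TenantSortOptions, TenantSortField, TenantRoutingStrategy, TenantRequestError, TenantPathRoutingStrategy, TenantPathNamespace, TenantPathMatch, TenantListOptions, TenantJwtRoutingStrategy, TenantEsFactory, TenantDirectoryTenant, TenantDirectoryResponse, TenantDirectoryAccount, StoredUser, StoredGroup, StateCookie, StandardSchemaWithValidate, SortDirection, SessionStore, Session, ServerOnlyWorkloadConfig, SerializableTenant, SecretsValidators, SecretsSourceType, SecretsSourceMap, SecretsSourceConfig, SecretsSource, SecretsOperationOptions, SecretsModuleConfig, Secrets, SecretRequestSeverity, SecretLifecycleRequest, Secret, User as ScimUser, ScimServiceProviderConfig, ScimSchemaDefinition, ScimSchemaAttributeDefinition, ScimResult, ScimResourceTypeSchemaExtension, ScimResourceType, ScimListResponse, ScimError, ScimAuthenticationScheme, SSOValidators, SSOHandlerConfig, SSOConfig, SSOAppValidators, SSOAppRegistry, SSO, Role, ResolvedVaultLfvSecretsConfig, RemoteConfigRetryOptions, RemoteConfigRetryHook, RemoteConfigRetryContext, RemoteConfigLoadErrorKind, RemoteConfig, RegisterSSOAppResult, RegisterSSOAppPayload, RegisterSSOAppError, RegisterIAMAppResult, RegisterIAMAppPayload, RegisterIAMAppError, ReactiveHandle, Photo, PhoneNumber, OidcCallbackParams, Name, MultipleTenantsForUserError, ModifiableFrameworkConfig, MetaData, MagicLinkStore, MagicLink, LoginConfig, Logger, ListResult, LfvOtpResponse, LfvOtpRequest, LfvErrorResponse, LfvErrorCode, LfvActionRequestBase, LfvActionName, LfvActionAcceptedResponse, JwtBearerWorkloadConfig, JWTAssertionClaims, InMemoryTenantStoreOptions, InMemoryTenantStore, IdTokenClaims, IAMValidators, IAMUsersInbound, IAMInboundUsersConfig, IAMInboundUserContext, IAMHandlerConfig, IAMGroupsOutbound, IAMGroupsInbound, IAMDiscoveryHandlerConfig, IAMDiscoveryContext, IAMDiscoveryConfig, IAMConfig, IAMAppValidators, IAMAppRole, IAMAppRegistry, IAM, GroupsInboundHandlerConfig, GroupStore, GroupSortOptions, GroupSortField, GroupResource, GroupMember, GroupListOptions, Group, GcpSecretsConfig, GcpConfigLocator, FrameworkWorkloadIncomingOutgoing, FrameworkWorkloadConfig, FrameworkStores, FrameworkSecretsSourceConfig, FrameworkSecretsModuleConfig, FrameworkConfig, EnvironmentType, EnterpriseUser, EnterpriseStandardFromConfig, EnterpriseStandardBase, EnterpriseStandard, EnterpriseExtension, Email, ESValidators, ESRoutingOptions, ESRouteModule, ESRouteFilterResult, ESResolvedRoute, ESModuleFromConfig, ESConfigChangeResult, ESConfigChangeOptions, ESConfigChangeCallback, ESConfig, DevSecretsConfig, DEFAULT_TENANT_UI_NAMESPACE, DEFAULT_TENANT_API_NAMESPACE, Customer, CreateUserOptions, CreateGroupOptions, ConfigSourceType, ConfigSourceEnv, ConfigSource, ConfigLocator, ClientCredentialsWorkloadConfig, ChangeListener, CachedWorkloadToken, CIAMValidators, CIAMConfigFromCode, CIAMConfig, CIAM, BaseUser, BaseTenant, AzureSecretsConfig, AzureConfigLocator, AwsSecretsConfig, AwsConfigLocator, AwsAuthMethod, AuthenticatedUser, ApplicationValidators, Address };
+ export { workloadTokenResponseSchema, withValidate, waitOn, version, validationFailureResponse, userSchema, tokenResponseSchema, stripJsonComments, silentLogger, setActiveSession, serializeESConfig, sendTenantWebhook, parseJsonc, oidcCallbackSchema, normalizeTenantRoutingStrategy, normalizeTenantPathNamespace, must, mergeConfig, matchTenantPath, listSsoClientIdsFromCookies, list, jwtAssertionClaimsSchema, isConfigLocator, idTokenClaimsSchema, hydrateTenantForEs, groupResourceSchema, getActiveSession, findTenantFromStateParam, defaultLogger, deepEqualPlain, decodeUser, clearActiveSession, claimsToUser, buildTenantPath, X509Certificate, WorkloadValidators, WorkloadTokenStore, WorkloadTokenResponse, WorkloadIncomingOutgoing, WorkloadIdentity, WorkloadConfigMap, WorkloadConfig, WorkloadClient, Workload, WorkforceUser, VaultWorkloadAuthConfig, VaultWebSocketSecretsConfig, VaultWebSocketAuthHeader, VaultSecretsConfig, VaultLfvSecretsConfig, VaultConfigLocator, ValidateResult, UsersInboundHandlerConfig, UserStoreOptions, UserStore, UserSortOptions, UserSortField, UserListOptions, UpsertTenantResponse, UpsertTenantRequest, TokenValidationResult, TokenResponse, TenantWebhookPayload, TenantValidators, TenantStore, TenantStatus, TenantSortOptions, TenantSortField, TenantRoutingStrategy, TenantRequestError, TenantPathRoutingStrategy, TenantPathNamespace, TenantPathMatch, TenantListOptions, TenantJwtRoutingStrategy, TenantEsFactory, TenantDirectoryTenant, TenantDirectoryResponse, TenantDirectoryAccount, StoredUser, StoredGroup, StateCookie, StandardSchemaWithValidate, SortDirection, SessionStore, Session, ServerOnlyWorkloadConfig, SerializableTenant, SecretsValidators, SecretsSourceType, SecretsSourceMap, SecretsSourceConfig, SecretsSource, SecretsOperationOptions, SecretsModuleConfig, Secrets, SecretRequestSeverity, SecretLifecycleRequest, Secret, User as ScimUser, ScimServiceProviderConfig, ScimSchemaDefinition, ScimSchemaAttributeDefinition, ScimResult, ScimResourceTypeSchemaExtension, ScimResourceType, ScimListResponse, ScimError, ScimAuthenticationScheme, SSOValidators, SSOHandlerConfig, SSOConfig, SSOAppValidators, SSOAppRegistry, SSO, Role, ResolvedVaultLfvSecretsConfig, RemoteConfigRetryOptions, RemoteConfigRetryHook, RemoteConfigRetryContext, RemoteConfigLoadErrorKind, RemoteConfig, RegisterSSOAppResult, RegisterSSOAppPayload, RegisterSSOAppError, RegisterIAMAppResult, RegisterIAMAppPayload, RegisterIAMAppError, ReactiveHandle, Photo, PhoneNumber, OtelSignalName, OtelSignalConfig, OtelProviderType, OtelProtocol, OtelOAuthClientCredentialsConfig, OtelMetricsSignalConfig, OtelLogRecord, OtelLogLevel, OtelLevels, OtelConfig, OtelAttributes, OtelAttributeValue, Otel, OidcCallbackParams, Name, MultipleTenantsForUserError, ModifiableFrameworkConfig, MetaData, MagicLinkStore, MagicLink, LoginConfig, Logger, ListResult, LfvOtpResponse, LfvOtpRequest, LfvErrorResponse, LfvErrorCode, LfvActionRequestBase, LfvActionName, LfvActionAcceptedResponse, JwtBearerWorkloadConfig, JWTAssertionClaims, InMemoryTenantStoreOptions, InMemoryTenantStore, IdTokenClaims, IAMValidators, IAMUsersInbound, IAMInboundUsersConfig, IAMInboundUserContext, IAMHandlerConfig, IAMGroupsOutbound, IAMGroupsInbound, IAMDiscoveryHandlerConfig, IAMDiscoveryContext, IAMDiscoveryConfig, IAMConfig, IAMAppValidators, IAMAppRole, IAMAppRegistry, IAM, GroupsInboundHandlerConfig, GroupStore, GroupSortOptions, GroupSortField, GroupResource, GroupMember, GroupListOptions, Group, GcpSecretsConfig, GcpConfigLocator, FrameworkWorkloadIncomingOutgoing, FrameworkWorkloadConfig, FrameworkStores, FrameworkSecretsSourceConfig, FrameworkSecretsModuleConfig, FrameworkOtelConfig, FrameworkConfig, EnvironmentType, EnterpriseUser, EnterpriseStandardFromConfig, EnterpriseStandardBase, EnterpriseStandard, EnterpriseExtension, Email, ESValidators, ESRoutingOptions, ESRouteModule, ESRouteFilterResult, ESResolvedRoute, ESModuleFromConfig, ESConfigChangeResult, ESConfigChangeOptions, ESConfigChangeCallback, ESConfig, DevSecretsConfig, DEFAULT_TENANT_UI_NAMESPACE, DEFAULT_TENANT_API_NAMESPACE, Customer, CreateUserOptions, CreateGroupOptions, ConfigSourceType, ConfigSourceEnv, ConfigSource, ConfigLocator, ClientCredentialsWorkloadConfig, ChangeListener, CachedWorkloadToken, CIAMValidators, CIAMConfigFromCode, CIAMConfig, CIAM, BaseUser, BaseTenant, AzureSecretsConfig, AzureConfigLocator, AwsSecretsConfig, AwsConfigLocator, AwsAuthMethod, AuthenticatedUser, ApplicationValidators, Address };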
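Review bot: The new `OtelConfig` in the second hunk carries live credentials — `apiKey` and `oauth.clientSecret` — as undocumented plain `string` fields next to the `endpoint`, `oauth.tokenUrl` and per-signal `headers` they are sent to, and nothing in the declarations marks them as secrets or says which config source is trusted to supply them; since `RemoteConfig.otel?: OtelConfig` is loaded from a ConfigSource, a consumer cannot tell from the types that logging or serializing that object would emit them verbatim, or that a tampered `tokenUrl`/`endpoint` would receive them. I would add `/** Secret: presumably sent as the apiKeyHeader request header on every export; never log or serialize. */` above `apiKey?: string;`, and on `OtelOAuthClientCredentialsConfig` a comment stating that `clientId`/`clientSecret` are posted to `tokenUrl`, so `tokenUrl` must be an https URL from a trusted config source. The `OtelConfig` doc already says credentials belong here rather than in `FrameworkConfig`; that sentence should name the fields it means. `OtelSignalConfig.headers` and `OtelConfig.headers` warrant the same secret marker, as bearer tokens commonly travel there.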
package/dist/index.js CHANGED
@@ -1 +1 @@
1
- import{J as Y,a as Ax,b as _x,c as Jx,d as fx,e as Lx,f as Nx,g as Rx,h as $x,i as Cx,j as Dx,k as zx,l as Hx,m as Qx,n as Xx,o as Zx,p as Ex,q as Gx,r as Yx,u as wx,v as Bx,w as Mx,x as Wx,y as Fx}from"./shared/core-1x31ar7h.js";var y="0.0.17";var k=["sessionStore","userStore","groupStore","tokenStore","magicLinkStore"];function G(x){if(x===null||typeof x!=="object")return x;let c={};for(let[T,A]of Object.entries(x)){if(k.includes(T)||T==="validators"||T==="setStores")continue;c[T]=A!==null&&typeof A==="object"&&!Array.isArray(A)&&Object.getPrototypeOf(A)===Object.prototype?G(A):A}return c}function S(x){return G(x)}function Q(x,c,T,A){let _=c.length,L=A??x,J=L>0?Math.floor(T/L)+1:1,f=L>0?Math.ceil(x/L):0;return{total:x,count:_,items:c,size:L,page:J,pages:f}}class X extends Error{constructor(x,c){super(x,c);this.name="TenantRequestError",Object.setPrototypeOf(this,X.prototype)}}class Z extends Error{userId;tenantIds;constructor(x,c,T){super(`Multiple tenants found for user id "${x}"`,T);this.name="MultipleTenantsForUserError",this.userId=x,this.tenantIds=c,Object.setPrototypeOf(this,Z.prototype)}}function j(x){if(typeof x!=="object"||x==null)return!1;let c=x.type;return c==="vault"||c==="aws"||c==="azure"||c==="gcp"}function w(x){if(typeof x.config==="function")return x;return Y({...x,configSource:x.configSource})}class B{tenants=new Map;userTenantIds=new Map;async get(x){return this.tenants.get(x)}async list(x){let c=Array.from(this.tenants.values()),T=Math.max(0,x?.start??0),A=x?.limit,_=x?.sort;if(_?.length)c=[...c].sort((R,C)=>{for(let{field:$,direction:K}of _){let q=R[$],U=C[$],H=O(q,U);if(H!==0)return K==="desc"?-H:H}return 0});let L=c.length,J=A!=null?T+A:void 0,f=c.slice(T,J);return Q(L,f,T,A)}async upsert(x){return this.tenants.set(x.tenantId,x),x}async delete(x){let c=this.tenants.has(x);return this.tenants.delete(x),c?1:0}async registerUserTenantId(x,c){if(!x)return;let 
T=I(c),A=this.userTenantIds.get(x);if(A){A.add(T);return}this.userTenantIds.set(x,new Set([T]))}async findTenantsByUser(x){let c=g(x);return this.resolveTenantsByUserId(c)}async resolveTenantsByUserId(x){let c=this.userTenantIds.get(x);if(!c||c.size===0)return[];let T=c.has(null),A=Array.from(c).filter((J)=>J!=null);if(A.length===0)return[];let _=await Promise.all(A.map(async(J)=>({tenantId:J,tenant:await this.get(J)}))),L=_.filter((J)=>J.tenant!=null).map((J)=>J.tenantId);if(L.length===0){if(T)this.userTenantIds.set(x,new Set([null]));else this.userTenantIds.delete(x);return[]}if(L.length!==A.length){let J=T?[null,...L]:L;this.userTenantIds.set(x,new Set(J))}return _.map((J)=>J.tenant).filter((J)=>J!=null)}}class M{store;createEs;constructor(x={}){this.createEs=x.createEs,this.store=new B}async get(x){return this.store.get(x)}async list(x){return this.store.list(x)}async upsert(x){return this.store.upsert(x)}async delete(x){return this.store.delete(x)}async registerUserTenantId(x,c){return this.store.registerUserTenantId(x,c)}async findTenantsByUser(x){return this.store.findTenantsByUser(x)}async getEs(x){let c=await this.get(x);if(!c)return;if(!this.createEs)throw Error(`${this.constructor.name} requires options.createEs to use getEs()`);return this.createEs(w(c))}}function O(x,c){let T=x===void 0||x===null,A=c===void 0||c===null;if(T&&A)return 0;if(T)return 1;if(A)return-1;if(x instanceof Date&&c instanceof Date)return x.getTime()-c.getTime();let _=String(x),L=String(c);return _.localeCompare(L)}function g(x){let c=x.id?.trim();if(!c)throw Error("Tenant lookup requires user.id");return c}function I(x){if(typeof x!=="string")return null;return x.trim()||null}function P(x,c,T){return(async()=>{try{let A=await fetch(x,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(c)});if(!A.ok)T.error(`Failed to send webhook update: ${A.status} ${A.statusText}`)}catch(A){T.error("Failed to send webhook update:",A)}})()}async function p(x,c,T){return 
P(x,c,T)}var m={beforeTenantSegments:["ui"]},h={beforeTenantSegments:["api"]};function W(x){return{segments:E(x?.segments)}}function E(x){return(x??[]).map((c)=>c.trim()).filter(Boolean)}function n(x){let c=x.trim();if(!c)return"/";let T=c.replace(/\\/g,"/").replace(/\/+/g,"/");return T.startsWith("/")?T:`/${T}`}function F(x){return n(x).split("/").filter(Boolean)}function D(x){return{beforeTenantSegments:E(x?.beforeTenantSegments),afterTenantSegments:E(x?.afterTenantSegments)}}function b(x){if(!x||x.type===void 0||x.type==="path"){let T=x;return{type:"path",ui:D(T?.ui),api:D(T?.api)}}let c=x;return{...c,ui:W(c.ui),api:W(c.api)}}function o(x,c){let T=D(c),A=T.beforeTenantSegments??[],_=T.afterTenantSegments??[],L=F(x),J=A.length+1+_.length;if(L.length<J)return null;for(let $=0;$<A.length;$++)if(L[$]!==A[$])return null;let f=A.length,R=L[f];if(!R)return null;for(let $=0;$<_.length;$++)if(L[f+1+$]!==_[$])return null;let C=L.slice(f+1+_.length);return{tenantId:decodeURIComponent(R),restSegments:C,restPath:C.length>0?`/${C.join("/")}`:"/"}}function v(x,c="/",T){let A=D(T),_=A.beforeTenantSegments??[],L=A.afterTenantSegments??[],J=F(c),f=[..._,encodeURIComponent(x),...L,...J];return f.length>0?`/${f.join("/")}`:"/"}function N(x,c,T,A,_){if(x===void 0||x===null){if(T)A.push({message:`${c} is required`,path:_});return}if(typeof x!=="string"){A.push({message:`${c} must be a string`,path:_});return}return x}function z(x,c,T,A){if(x===void 0||x===null)return;if(typeof x!=="boolean"){T.push({message:`${c} must be a boolean`,path:A});return}return x}function d(x,c,T){if(x===void 0||x===null)return;if(typeof x!=="object"||x===null){c.push({message:"name must be an object",path:T});return}let A=x,_={};return 
_.formatted=N(A.formatted,"formatted",!1,c,[...T,"formatted"]),_.familyName=N(A.familyName,"familyName",!1,c,[...T,"familyName"]),_.givenName=N(A.givenName,"givenName",!1,c,[...T,"givenName"]),_.middleName=N(A.middleName,"middleName",!1,c,[...T,"middleName"]),_.honorificPrefix=N(A.honorificPrefix,"honorificPrefix",!1,c,[...T,"honorificPrefix"]),_.honorificSuffix=N(A.honorificSuffix,"honorificSuffix",!1,c,[...T,"honorificSuffix"]),_}function r(x,c,T){if(x===void 0||x===null)return;if(!Array.isArray(x)){c.push({message:"emails must be an array",path:T});return}let A=[];for(let _=0;_<x.length;_++){let L=x[_],J=[...T,_];if(typeof L!=="object"||L===null){c.push({message:"email must be an object",path:J});continue}let f=L,R=N(f.value,"value",!0,c,[...J,"value"]);if(R)A.push({value:R,display:N(f.display,"display",!1,c,[...J,"display"]),type:N(f.type,"type",!1,c,[...J,"type"]),primary:z(f.primary,"primary",c,[...J,"primary"])})}return A.length>0?A:void 0}function t(x,c,T){if(x===void 0||x===null)return;if(!Array.isArray(x)){c.push({message:"phoneNumbers must be an array",path:T});return}let A=[];for(let _=0;_<x.length;_++){let L=x[_],J=[...T,_];if(typeof L!=="object"||L===null){c.push({message:"phoneNumber must be an object",path:J});continue}let f=L,R=N(f.value,"value",!0,c,[...J,"value"]);if(R)A.push({value:R,display:N(f.display,"display",!1,c,[...J,"display"]),type:N(f.type,"type",!1,c,[...J,"type"]),primary:z(f.primary,"primary",c,[...J,"primary"])})}return A.length>0?A:void 0}function l(x,c,T){if(x===void 0||x===null)return;if(!Array.isArray(x)){c.push({message:"addresses must be an array",path:T});return}let A=[];for(let _=0;_<x.length;_++){let L=x[_],J=[...T,_];if(typeof L!=="object"||L===null){c.push({message:"address must be an object",path:J});continue}let 
f=L;A.push({formatted:N(f.formatted,"formatted",!1,c,[...J,"formatted"]),streetAddress:N(f.streetAddress,"streetAddress",!1,c,[...J,"streetAddress"]),locality:N(f.locality,"locality",!1,c,[...J,"locality"]),region:N(f.region,"region",!1,c,[...J,"region"]),postalCode:N(f.postalCode,"postalCode",!1,c,[...J,"postalCode"]),country:N(f.country,"country",!1,c,[...J,"country"]),type:N(f.type,"type",!1,c,[...J,"type"]),primary:z(f.primary,"primary",c,[...J,"primary"])})}return A.length>0?A:void 0}function i(x,c,T){if(x===void 0||x===null)return;if(!Array.isArray(x)){c.push({message:"groups must be an array",path:T});return}let A=[];for(let _=0;_<x.length;_++){let L=x[_],J=[...T,_];if(typeof L!=="object"||L===null){c.push({message:"group must be an object",path:J});continue}let f=L,R=N(f.value,"value",!0,c,[...J,"value"]);if(R)A.push({value:R,$ref:N(f.$ref,"$ref",!1,c,[...J,"$ref"]),display:N(f.display,"display",!1,c,[...J,"display"]),type:N(f.type,"type",!1,c,[...J,"type"])})}return A.length>0?A:void 0}function u(x,c,T){if(x===void 0||x===null)return;if(!Array.isArray(x)){c.push({message:"roles must be an array",path:T});return}let A=[];for(let _=0;_<x.length;_++){let L=x[_],J=[...T,_];if(typeof L!=="object"||L===null){c.push({message:"role must be an object",path:J});continue}let f=L,R=N(f.value,"value",!0,c,[...J,"value"]);if(R)A.push({value:R,display:N(f.display,"display",!1,c,[...J,"display"]),type:N(f.type,"type",!1,c,[...J,"type"]),primary:z(f.primary,"primary",c,[...J,"primary"])})}return A.length>0?A:void 0}function a(x,c,T){if(x===void 0||x===null)return;if(typeof x!=="object"||x===null){c.push({message:"Enterprise User extension must be an object",path:T});return}let 
A=x,_={};if(_.employeeNumber=N(A.employeeNumber,"employeeNumber",!1,c,[...T,"employeeNumber"]),_.costCenter=N(A.costCenter,"costCenter",!1,c,[...T,"costCenter"]),_.organization=N(A.organization,"organization",!1,c,[...T,"organization"]),_.division=N(A.division,"division",!1,c,[...T,"division"]),_.department=N(A.department,"department",!1,c,[...T,"department"]),A.manager!==void 0&&A.manager!==null)if(typeof A.manager!=="object"||A.manager===null)c.push({message:"manager must be an object",path:[...T,"manager"]});else{let L=A.manager;_.manager={value:N(L.value,"value",!1,c,[...T,"manager","value"]),$ref:N(L.$ref,"$ref",!1,c,[...T,"manager","$ref"]),displayName:N(L.displayName,"displayName",!1,c,[...T,"manager","displayName"])}}return _}function e(x){return{"~standard":{version:1,vendor:x,validate:(c)=>{if(typeof c!=="object"||c===null)return{issues:[{message:"Expected an object"}]};let T=c,A=[],_={},L=N(T.userName,"userName",!0,A,["userName"]);if(!L)return{issues:A};_.userName=L,_.id=N(T.id,"id",!1,A,["id"]),_.externalId=N(T.externalId,"externalId",!1,A,["externalId"]),_.displayName=N(T.displayName,"displayName",!1,A,["displayName"]),_.nickName=N(T.nickName,"nickName",!1,A,["nickName"]),_.profileUrl=N(T.profileUrl,"profileUrl",!1,A,["profileUrl"]),_.title=N(T.title,"title",!1,A,["title"]),_.userType=N(T.userType,"userType",!1,A,["userType"]),_.preferredLanguage=N(T.preferredLanguage,"preferredLanguage",!1,A,["preferredLanguage"]),_.locale=N(T.locale,"locale",!1,A,["locale"]),_.timezone=N(T.timezone,"timezone",!1,A,["timezone"]),_.password=N(T.password,"password",!1,A,["password"]),_.active=z(T.active,"active",A,["active"]),_.name=d(T.name,A,["name"]),_.emails=r(T.emails,A,["emails"]),_.phoneNumbers=t(T.phoneNumbers,A,["phoneNumbers"]),_.addresses=l(T.addresses,A,["addresses"]),_.groups=i(T.groups,A,["groups"]),_.roles=u(T.roles,A,["roles"]);let J="urn:ietf:params:scim:schemas:extension:enterprise:2.0:User";if(T[J]!==void 0)_[J]=a(T[J],A,[J]);if(T.schemas!==void 
0)if(Array.isArray(T.schemas))_.schemas=T.schemas.filter((f)=>typeof f==="string");else A.push({message:"schemas must be an array",path:["schemas"]});if(T.meta!==void 0)if(typeof T.meta==="object"&&T.meta!==null){let f=T.meta;_.meta={resourceType:typeof f.resourceType==="string"?f.resourceType:void 0,created:typeof f.created==="string"?f.created:void 0,lastModified:typeof f.lastModified==="string"?f.lastModified:void 0,location:typeof f.location==="string"?f.location:void 0,version:typeof f.version==="string"?f.version:void 0}}else A.push({message:"meta must be an object",path:["meta"]});if(A.length>0)return{issues:A};return{value:_}}}}}function s(x,c,T){if(x===void 0||x===null)return;if(!Array.isArray(x)){c.push({message:"members must be an array",path:T});return}let A=[];for(let _=0;_<x.length;_++){let L=x[_],J=[...T,_];if(typeof L!=="object"||L===null){c.push({message:"member must be an object",path:J});continue}let f=L,R=N(f.value,"value",!0,c,[...J,"value"]);if(R){let C=N(f.type,"type",!1,c,[...J,"type"]);A.push({value:R,$ref:N(f.$ref,"$ref",!1,c,[...J,"$ref"]),display:N(f.display,"display",!1,c,[...J,"display"]),type:C==="User"||C==="Group"?C:void 0})}}return A.length>0?A:void 0}function xx(x){return{"~standard":{version:1,vendor:x,validate:(c)=>{if(typeof c!=="object"||c===null)return{issues:[{message:"Expected an object"}]};let T=c,A=[],_={},L=N(T.displayName,"displayName",!0,A,["displayName"]);if(!L)return{issues:A};if(_.displayName=L,_.id=N(T.id,"id",!1,A,["id"]),_.externalId=N(T.externalId,"externalId",!1,A,["externalId"]),_.members=s(T.members,A,["members"]),T.schemas!==void 0)if(Array.isArray(T.schemas))_.schemas=T.schemas.filter((J)=>typeof J==="string");else A.push({message:"schemas must be an array",path:["schemas"]});if(T.meta!==void 0)if(typeof T.meta==="object"&&T.meta!==null){let J=T.meta;_.meta={resourceType:typeof J.resourceType==="string"?J.resourceType:void 0,created:typeof J.created==="string"?J.created:void 0,lastModified:typeof 
J.lastModified==="string"?J.lastModified:void 0,location:typeof J.location==="string"?J.location:void 0,version:typeof J.version==="string"?J.version:void 0}}else A.push({message:"meta must be an object",path:["meta"]});if(A.length>0)return{issues:A};return{value:_}}}}}function Tx(x){return{"~standard":{version:1,vendor:x,validate:(c)=>{if(typeof c!=="object"||c===null)return{issues:[{message:"Expected an object"}]};let T=c,A=[],_={...T},L=["iss","sub"];for(let R of L)if(R in T){if(typeof T[R]!=="string")A.push({message:`${R} must be a string`,path:[R]})}else A.push({message:`${R} is required`,path:[R]});if("aud"in T&&T.aud!==void 0){let R=T.aud;if(typeof R!=="string"&&!Array.isArray(R))A.push({message:"aud must be a string or array of strings",path:["aud"]});else if(Array.isArray(R)&&!R.every((C)=>typeof C==="string"))A.push({message:"aud array must contain only strings",path:["aud"]})}let J=["jti","scope"];for(let R of J)if(R in T&&T[R]!==void 0){if(typeof T[R]!=="string")A.push({message:`${R} must be a string`,path:[R]})}let f=["exp","iat"];for(let R of f)if(R in T){if(typeof T[R]!=="number")A.push({message:`${R} must be a number`,path:[R]})}else A.push({message:`${R} is required`,path:[R]});if(A.length>0)return{issues:A};return{value:_}}}}}function cx(x){return{"~standard":{version:1,vendor:x,validate:(c)=>{if(typeof c!=="object"||c===null)return{issues:[{message:"Expected an object"}]};let T=c,A=[],_={};if("access_token"in T)if(typeof T.access_token==="string")_.access_token=T.access_token;else A.push({message:"access_token must be a string",path:["access_token"]});else A.push({message:"access_token is required",path:["access_token"]});if("token_type"in T)if(typeof T.token_type==="string")_.token_type=T.token_type;else A.push({message:"token_type must be a string",path:["token_type"]});else A.push({message:"token_type is required",path:["token_type"]});if("scope"in T)if(typeof T.scope==="string"||T.scope===void 0)_.scope=T.scope;else A.push({message:"scope 
must be a string",path:["scope"]});if("refresh_token"in T)if(typeof T.refresh_token==="string"||T.refresh_token===void 0)_.refresh_token=T.refresh_token;else A.push({message:"refresh_token must be a string",path:["refresh_token"]});if("expires"in T)if(typeof T.expires==="string"||T.expires===void 0)_.expires=T.expires;else A.push({message:"expires must be a string",path:["expires"]});if("expires_in"in T)if(typeof T.expires_in==="number"||T.expires_in===void 0)_.expires_in=T.expires_in;else A.push({message:"expires_in must be a number",path:["expires_in"]});if(A.length>0)return{issues:A};return{value:_}}}}}export{cx as workloadTokenResponseSchema,fx as withValidate,zx as waitOn,y as version,Nx as validationFailureResponse,e as userSchema,_x as tokenResponseSchema,$x as stripJsonComments,Zx as silentLogger,Bx as setActiveSession,S as serializeESConfig,p as sendTenantWebhook,Cx as parseJsonc,Ax as oidcCallbackSchema,b as normalizeTenantRoutingStrategy,D as normalizeTenantPathNamespace,Lx as must,Rx as mergeConfig,o as matchTenantPath,Wx as listSsoClientIdsFromCookies,Q as list,Tx as jwtAssertionClaimsSchema,j as isConfigLocator,Ex as infoLogger,Jx as idTokenClaimsSchema,w as hydrateTenantForEs,xx as groupResourceSchema,wx as getActiveSession,Fx as findTenantFromStateParam,Xx as defaultLogger,Dx as deepEqualPlain,Qx as decodeUser,Gx as debugLogger,Yx as consoleLogger,Mx as clearActiveSession,Hx as claimsToUser,v as buildTenantPath,X as TenantRequestError,Z as MultipleTenantsForUserError,M as InMemoryTenantStore,m as DEFAULT_TENANT_UI_NAMESPACE,h as DEFAULT_TENANT_API_NAMESPACE};
1
+ import{G as Y,a as A0,b as _0,c as J0,d as f0,e as L0,f as N0,g as R0,h as $0,i as C0,j as D0,k as z0,l as H0,m as Q0,n as X0,o as Z0,r as E0,s as G0,t as Y0,u as w0,v as B0}from"./shared/core-nrs9cxe3.js";var y="0.0.18-beta.20260504.1";var k=["sessionStore","userStore","groupStore","tokenStore","magicLinkStore"];function G(x){if(x===null||typeof x!=="object")return x;let c={};for(let[T,A]of Object.entries(x)){if(k.includes(T)||T==="validators"||T==="setStores")continue;c[T]=A!==null&&typeof A==="object"&&!Array.isArray(A)&&Object.getPrototypeOf(A)===Object.prototype?G(A):A}return c}function S(x){return G(x)}function Q(x,c,T,A){let _=c.length,L=A??x,J=L>0?Math.floor(T/L)+1:1,f=L>0?Math.ceil(x/L):0;return{total:x,count:_,items:c,size:L,page:J,pages:f}}class X extends Error{constructor(x,c){super(x,c);this.name="TenantRequestError",Object.setPrototypeOf(this,X.prototype)}}class Z extends Error{userId;tenantIds;constructor(x,c,T){super(`Multiple tenants found for user id "${x}"`,T);this.name="MultipleTenantsForUserError",this.userId=x,this.tenantIds=c,Object.setPrototypeOf(this,Z.prototype)}}function j(x){if(typeof x!=="object"||x==null)return!1;let c=x.type;return c==="vault"||c==="aws"||c==="azure"||c==="gcp"}function w(x){if(typeof x.config==="function")return x;return Y({...x,configSource:x.configSource})}class B{tenants=new Map;userTenantIds=new Map;async get(x){return this.tenants.get(x)}async list(x){let c=Array.from(this.tenants.values()),T=Math.max(0,x?.start??0),A=x?.limit,_=x?.sort;if(_?.length)c=[...c].sort((R,C)=>{for(let{field:$,direction:K}of _){let q=R[$],U=C[$],H=O(q,U);if(H!==0)return K==="desc"?-H:H}return 0});let L=c.length,J=A!=null?T+A:void 0,f=c.slice(T,J);return Q(L,f,T,A)}async upsert(x){return this.tenants.set(x.tenantId,x),x}async delete(x){let c=this.tenants.has(x);return this.tenants.delete(x),c?1:0}async registerUserTenantId(x,c){if(!x)return;let T=I(c),A=this.userTenantIds.get(x);if(A){A.add(T);return}this.userTenantIds.set(x,new 
Set([T]))}async findTenantsByUser(x){let c=g(x);return this.resolveTenantsByUserId(c)}async resolveTenantsByUserId(x){let c=this.userTenantIds.get(x);if(!c||c.size===0)return[];let T=c.has(null),A=Array.from(c).filter((J)=>J!=null);if(A.length===0)return[];let _=await Promise.all(A.map(async(J)=>({tenantId:J,tenant:await this.get(J)}))),L=_.filter((J)=>J.tenant!=null).map((J)=>J.tenantId);if(L.length===0){if(T)this.userTenantIds.set(x,new Set([null]));else this.userTenantIds.delete(x);return[]}if(L.length!==A.length){let J=T?[null,...L]:L;this.userTenantIds.set(x,new Set(J))}return _.map((J)=>J.tenant).filter((J)=>J!=null)}}class M{store;createEs;constructor(x={}){this.createEs=x.createEs,this.store=new B}async get(x){return this.store.get(x)}async list(x){return this.store.list(x)}async upsert(x){return this.store.upsert(x)}async delete(x){return this.store.delete(x)}async registerUserTenantId(x,c){return this.store.registerUserTenantId(x,c)}async findTenantsByUser(x){return this.store.findTenantsByUser(x)}async getEs(x){let c=await this.get(x);if(!c)return;if(!this.createEs)throw Error(`${this.constructor.name} requires options.createEs to use getEs()`);return this.createEs(w(c))}}function O(x,c){let T=x===void 0||x===null,A=c===void 0||c===null;if(T&&A)return 0;if(T)return 1;if(A)return-1;if(x instanceof Date&&c instanceof Date)return x.getTime()-c.getTime();let _=String(x),L=String(c);return _.localeCompare(L)}function g(x){let c=x.id?.trim();if(!c)throw Error("Tenant lookup requires user.id");return c}function I(x){if(typeof x!=="string")return null;return x.trim()||null}function P(x,c,T){return(async()=>{try{let A=await fetch(x,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(c)});if(!A.ok)T.error("Failed to send webhook update",{"es.operation":"webhook.update","es.outcome":"failure",status:A.status,statusText:A.statusText})}catch(A){T.error("Failed to send webhook 
update",{"es.operation":"webhook.update","es.outcome":"failure"},A)}})()}async function p(x,c,T){return P(x,c,T)}var m={beforeTenantSegments:["ui"]},h={beforeTenantSegments:["api"]};function W(x){return{segments:E(x?.segments)}}function E(x){return(x??[]).map((c)=>c.trim()).filter(Boolean)}function n(x){let c=x.trim();if(!c)return"/";let T=c.replace(/\\/g,"/").replace(/\/+/g,"/");return T.startsWith("/")?T:`/${T}`}function F(x){return n(x).split("/").filter(Boolean)}function D(x){return{beforeTenantSegments:E(x?.beforeTenantSegments),afterTenantSegments:E(x?.afterTenantSegments)}}function b(x){if(!x||x.type===void 0||x.type==="path"){let T=x;return{type:"path",ui:D(T?.ui),api:D(T?.api)}}let c=x;return{...c,ui:W(c.ui),api:W(c.api)}}function o(x,c){let T=D(c),A=T.beforeTenantSegments??[],_=T.afterTenantSegments??[],L=F(x),J=A.length+1+_.length;if(L.length<J)return null;for(let $=0;$<A.length;$++)if(L[$]!==A[$])return null;let f=A.length,R=L[f];if(!R)return null;for(let $=0;$<_.length;$++)if(L[f+1+$]!==_[$])return null;let C=L.slice(f+1+_.length);return{tenantId:decodeURIComponent(R),restSegments:C,restPath:C.length>0?`/${C.join("/")}`:"/"}}function v(x,c="/",T){let A=D(T),_=A.beforeTenantSegments??[],L=A.afterTenantSegments??[],J=F(c),f=[..._,encodeURIComponent(x),...L,...J];return f.length>0?`/${f.join("/")}`:"/"}function N(x,c,T,A,_){if(x===void 0||x===null){if(T)A.push({message:`${c} is required`,path:_});return}if(typeof x!=="string"){A.push({message:`${c} must be a string`,path:_});return}return x}function z(x,c,T,A){if(x===void 0||x===null)return;if(typeof x!=="boolean"){T.push({message:`${c} must be a boolean`,path:A});return}return x}function d(x,c,T){if(x===void 0||x===null)return;if(typeof x!=="object"||x===null){c.push({message:"name must be an object",path:T});return}let A=x,_={};return 
_.formatted=N(A.formatted,"formatted",!1,c,[...T,"formatted"]),_.familyName=N(A.familyName,"familyName",!1,c,[...T,"familyName"]),_.givenName=N(A.givenName,"givenName",!1,c,[...T,"givenName"]),_.middleName=N(A.middleName,"middleName",!1,c,[...T,"middleName"]),_.honorificPrefix=N(A.honorificPrefix,"honorificPrefix",!1,c,[...T,"honorificPrefix"]),_.honorificSuffix=N(A.honorificSuffix,"honorificSuffix",!1,c,[...T,"honorificSuffix"]),_}function r(x,c,T){if(x===void 0||x===null)return;if(!Array.isArray(x)){c.push({message:"emails must be an array",path:T});return}let A=[];for(let _=0;_<x.length;_++){let L=x[_],J=[...T,_];if(typeof L!=="object"||L===null){c.push({message:"email must be an object",path:J});continue}let f=L,R=N(f.value,"value",!0,c,[...J,"value"]);if(R)A.push({value:R,display:N(f.display,"display",!1,c,[...J,"display"]),type:N(f.type,"type",!1,c,[...J,"type"]),primary:z(f.primary,"primary",c,[...J,"primary"])})}return A.length>0?A:void 0}function t(x,c,T){if(x===void 0||x===null)return;if(!Array.isArray(x)){c.push({message:"phoneNumbers must be an array",path:T});return}let A=[];for(let _=0;_<x.length;_++){let L=x[_],J=[...T,_];if(typeof L!=="object"||L===null){c.push({message:"phoneNumber must be an object",path:J});continue}let f=L,R=N(f.value,"value",!0,c,[...J,"value"]);if(R)A.push({value:R,display:N(f.display,"display",!1,c,[...J,"display"]),type:N(f.type,"type",!1,c,[...J,"type"]),primary:z(f.primary,"primary",c,[...J,"primary"])})}return A.length>0?A:void 0}function l(x,c,T){if(x===void 0||x===null)return;if(!Array.isArray(x)){c.push({message:"addresses must be an array",path:T});return}let A=[];for(let _=0;_<x.length;_++){let L=x[_],J=[...T,_];if(typeof L!=="object"||L===null){c.push({message:"address must be an object",path:J});continue}let 
f=L;A.push({formatted:N(f.formatted,"formatted",!1,c,[...J,"formatted"]),streetAddress:N(f.streetAddress,"streetAddress",!1,c,[...J,"streetAddress"]),locality:N(f.locality,"locality",!1,c,[...J,"locality"]),region:N(f.region,"region",!1,c,[...J,"region"]),postalCode:N(f.postalCode,"postalCode",!1,c,[...J,"postalCode"]),country:N(f.country,"country",!1,c,[...J,"country"]),type:N(f.type,"type",!1,c,[...J,"type"]),primary:z(f.primary,"primary",c,[...J,"primary"])})}return A.length>0?A:void 0}function i(x,c,T){if(x===void 0||x===null)return;if(!Array.isArray(x)){c.push({message:"groups must be an array",path:T});return}let A=[];for(let _=0;_<x.length;_++){let L=x[_],J=[...T,_];if(typeof L!=="object"||L===null){c.push({message:"group must be an object",path:J});continue}let f=L,R=N(f.value,"value",!0,c,[...J,"value"]);if(R)A.push({value:R,$ref:N(f.$ref,"$ref",!1,c,[...J,"$ref"]),display:N(f.display,"display",!1,c,[...J,"display"]),type:N(f.type,"type",!1,c,[...J,"type"])})}return A.length>0?A:void 0}function u(x,c,T){if(x===void 0||x===null)return;if(!Array.isArray(x)){c.push({message:"roles must be an array",path:T});return}let A=[];for(let _=0;_<x.length;_++){let L=x[_],J=[...T,_];if(typeof L!=="object"||L===null){c.push({message:"role must be an object",path:J});continue}let f=L,R=N(f.value,"value",!0,c,[...J,"value"]);if(R)A.push({value:R,display:N(f.display,"display",!1,c,[...J,"display"]),type:N(f.type,"type",!1,c,[...J,"type"]),primary:z(f.primary,"primary",c,[...J,"primary"])})}return A.length>0?A:void 0}function a(x,c,T){if(x===void 0||x===null)return;if(typeof x!=="object"||x===null){c.push({message:"Enterprise User extension must be an object",path:T});return}let 
A=x,_={};if(_.employeeNumber=N(A.employeeNumber,"employeeNumber",!1,c,[...T,"employeeNumber"]),_.costCenter=N(A.costCenter,"costCenter",!1,c,[...T,"costCenter"]),_.organization=N(A.organization,"organization",!1,c,[...T,"organization"]),_.division=N(A.division,"division",!1,c,[...T,"division"]),_.department=N(A.department,"department",!1,c,[...T,"department"]),A.manager!==void 0&&A.manager!==null)if(typeof A.manager!=="object"||A.manager===null)c.push({message:"manager must be an object",path:[...T,"manager"]});else{let L=A.manager;_.manager={value:N(L.value,"value",!1,c,[...T,"manager","value"]),$ref:N(L.$ref,"$ref",!1,c,[...T,"manager","$ref"]),displayName:N(L.displayName,"displayName",!1,c,[...T,"manager","displayName"])}}return _}function e(x){return{"~standard":{version:1,vendor:x,validate:(c)=>{if(typeof c!=="object"||c===null)return{issues:[{message:"Expected an object"}]};let T=c,A=[],_={},L=N(T.userName,"userName",!0,A,["userName"]);if(!L)return{issues:A};_.userName=L,_.id=N(T.id,"id",!1,A,["id"]),_.externalId=N(T.externalId,"externalId",!1,A,["externalId"]),_.displayName=N(T.displayName,"displayName",!1,A,["displayName"]),_.nickName=N(T.nickName,"nickName",!1,A,["nickName"]),_.profileUrl=N(T.profileUrl,"profileUrl",!1,A,["profileUrl"]),_.title=N(T.title,"title",!1,A,["title"]),_.userType=N(T.userType,"userType",!1,A,["userType"]),_.preferredLanguage=N(T.preferredLanguage,"preferredLanguage",!1,A,["preferredLanguage"]),_.locale=N(T.locale,"locale",!1,A,["locale"]),_.timezone=N(T.timezone,"timezone",!1,A,["timezone"]),_.password=N(T.password,"password",!1,A,["password"]),_.active=z(T.active,"active",A,["active"]),_.name=d(T.name,A,["name"]),_.emails=r(T.emails,A,["emails"]),_.phoneNumbers=t(T.phoneNumbers,A,["phoneNumbers"]),_.addresses=l(T.addresses,A,["addresses"]),_.groups=i(T.groups,A,["groups"]),_.roles=u(T.roles,A,["roles"]);let J="urn:ietf:params:scim:schemas:extension:enterprise:2.0:User";if(T[J]!==void 0)_[J]=a(T[J],A,[J]);if(T.schemas!==void 
0)if(Array.isArray(T.schemas))_.schemas=T.schemas.filter((f)=>typeof f==="string");else A.push({message:"schemas must be an array",path:["schemas"]});if(T.meta!==void 0)if(typeof T.meta==="object"&&T.meta!==null){let f=T.meta;_.meta={resourceType:typeof f.resourceType==="string"?f.resourceType:void 0,created:typeof f.created==="string"?f.created:void 0,lastModified:typeof f.lastModified==="string"?f.lastModified:void 0,location:typeof f.location==="string"?f.location:void 0,version:typeof f.version==="string"?f.version:void 0}}else A.push({message:"meta must be an object",path:["meta"]});if(A.length>0)return{issues:A};return{value:_}}}}}function s(x,c,T){if(x===void 0||x===null)return;if(!Array.isArray(x)){c.push({message:"members must be an array",path:T});return}let A=[];for(let _=0;_<x.length;_++){let L=x[_],J=[...T,_];if(typeof L!=="object"||L===null){c.push({message:"member must be an object",path:J});continue}let f=L,R=N(f.value,"value",!0,c,[...J,"value"]);if(R){let C=N(f.type,"type",!1,c,[...J,"type"]);A.push({value:R,$ref:N(f.$ref,"$ref",!1,c,[...J,"$ref"]),display:N(f.display,"display",!1,c,[...J,"display"]),type:C==="User"||C==="Group"?C:void 0})}}return A.length>0?A:void 0}function x0(x){return{"~standard":{version:1,vendor:x,validate:(c)=>{if(typeof c!=="object"||c===null)return{issues:[{message:"Expected an object"}]};let T=c,A=[],_={},L=N(T.displayName,"displayName",!0,A,["displayName"]);if(!L)return{issues:A};if(_.displayName=L,_.id=N(T.id,"id",!1,A,["id"]),_.externalId=N(T.externalId,"externalId",!1,A,["externalId"]),_.members=s(T.members,A,["members"]),T.schemas!==void 0)if(Array.isArray(T.schemas))_.schemas=T.schemas.filter((J)=>typeof J==="string");else A.push({message:"schemas must be an array",path:["schemas"]});if(T.meta!==void 0)if(typeof T.meta==="object"&&T.meta!==null){let J=T.meta;_.meta={resourceType:typeof J.resourceType==="string"?J.resourceType:void 0,created:typeof J.created==="string"?J.created:void 0,lastModified:typeof 
J.lastModified==="string"?J.lastModified:void 0,location:typeof J.location==="string"?J.location:void 0,version:typeof J.version==="string"?J.version:void 0}}else A.push({message:"meta must be an object",path:["meta"]});if(A.length>0)return{issues:A};return{value:_}}}}}function T0(x){return{"~standard":{version:1,vendor:x,validate:(c)=>{if(typeof c!=="object"||c===null)return{issues:[{message:"Expected an object"}]};let T=c,A=[],_={...T},L=["iss","sub"];for(let R of L)if(R in T){if(typeof T[R]!=="string")A.push({message:`${R} must be a string`,path:[R]})}else A.push({message:`${R} is required`,path:[R]});if("aud"in T&&T.aud!==void 0){let R=T.aud;if(typeof R!=="string"&&!Array.isArray(R))A.push({message:"aud must be a string or array of strings",path:["aud"]});else if(Array.isArray(R)&&!R.every((C)=>typeof C==="string"))A.push({message:"aud array must contain only strings",path:["aud"]})}let J=["jti","scope"];for(let R of J)if(R in T&&T[R]!==void 0){if(typeof T[R]!=="string")A.push({message:`${R} must be a string`,path:[R]})}let f=["exp","iat"];for(let R of f)if(R in T){if(typeof T[R]!=="number")A.push({message:`${R} must be a number`,path:[R]})}else A.push({message:`${R} is required`,path:[R]});if(A.length>0)return{issues:A};return{value:_}}}}}function c0(x){return{"~standard":{version:1,vendor:x,validate:(c)=>{if(typeof c!=="object"||c===null)return{issues:[{message:"Expected an object"}]};let T=c,A=[],_={};if("access_token"in T)if(typeof T.access_token==="string")_.access_token=T.access_token;else A.push({message:"access_token must be a string",path:["access_token"]});else A.push({message:"access_token is required",path:["access_token"]});if("token_type"in T)if(typeof T.token_type==="string")_.token_type=T.token_type;else A.push({message:"token_type must be a string",path:["token_type"]});else A.push({message:"token_type is required",path:["token_type"]});if("scope"in T)if(typeof T.scope==="string"||T.scope===void 0)_.scope=T.scope;else A.push({message:"scope 
must be a string",path:["scope"]});if("refresh_token"in T)if(typeof T.refresh_token==="string"||T.refresh_token===void 0)_.refresh_token=T.refresh_token;else A.push({message:"refresh_token must be a string",path:["refresh_token"]});if("expires"in T)if(typeof T.expires==="string"||T.expires===void 0)_.expires=T.expires;else A.push({message:"expires must be a string",path:["expires"]});if("expires_in"in T)if(typeof T.expires_in==="number"||T.expires_in===void 0)_.expires_in=T.expires_in;else A.push({message:"expires_in must be a number",path:["expires_in"]});if(A.length>0)return{issues:A};return{value:_}}}}}export{c0 as workloadTokenResponseSchema,f0 as withValidate,z0 as waitOn,y as version,N0 as validationFailureResponse,e as userSchema,_0 as tokenResponseSchema,$0 as stripJsonComments,X0 as silentLogger,G0 as setActiveSession,S as serializeESConfig,p as sendTenantWebhook,C0 as parseJsonc,A0 as oidcCallbackSchema,b as normalizeTenantRoutingStrategy,D as normalizeTenantPathNamespace,L0 as must,R0 as mergeConfig,o as matchTenantPath,w0 as listSsoClientIdsFromCookies,Q as list,T0 as jwtAssertionClaimsSchema,j as isConfigLocator,J0 as idTokenClaimsSchema,w as hydrateTenantForEs,x0 as groupResourceSchema,E0 as getActiveSession,B0 as findTenantFromStateParam,Z0 as defaultLogger,D0 as deepEqualPlain,Q0 as decodeUser,Y0 as clearActiveSession,H0 as claimsToUser,v as buildTenantPath,X as TenantRequestError,Z as MultipleTenantsForUserError,M as InMemoryTenantStore,m as DEFAULT_TENANT_UI_NAMESPACE,h as DEFAULT_TENANT_API_NAMESPACE};
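--- a/package/dist/server.d.ts
+++ b/package/dist/server.d.ts
@@ -1,9 +1,10 @@
  import { StandardSchemaV1 as StandardSchemaV18 } from "@standard-schema/spec";
  import { StandardSchemaV1 as StandardSchemaV17 } from "@standard-schema/spec";
  /**
- * Minimal logger interface compatible with common patterns (console, pino, winston, etc.)
+ * Minimal logger interface compatible with common structured logging patterns.
  */
  interface Logger {
+ trace(message?: unknown, ...optionalParams: unknown[]): void;
  debug(message?: unknown, ...optionalParams: unknown[]): void;
  info(message?: unknown, ...optionalParams: unknown[]): void;
  warn(message?: unknown, ...optionalParams: unknown[]): void;
@@ -591,6 +592,89 @@ interface GroupStore<TExtended = Record<string, never>> {
  */
  removeMember(groupId: string, memberId: string): Promise<void>;
  }
+ type ChangeListener = () => void;
+ type ReactiveHandle = {
+ beforeChange?(listener: ChangeListener): () => void;
+ afterChange?(listener: ChangeListener): () => void;
+ isAvailable?(): boolean;
+ };
+ type OtelProtocol = "http/protobuf" | "http/json";
+ type OtelProviderType = "otlp" | "grafana-lgtm" | "datadog" | "splunk" | "elastic";
+ type OtelLogLevel = "trace" | "debug" | "info" | "warn" | "error";
+ type OtelLevels = Partial<Record<OtelLogLevel, boolean>>;
+ type OtelAttributeValue = string | number | boolean | string[] | number[] | boolean[];
+ type OtelAttributes = Record<string, OtelAttributeValue>;
+ type OtelSignalConfig = {
+ /** Per-signal OTLP endpoint. When omitted, the module appends /v1/{signal} to `endpoint`. */
+ endpoint?: string;
+ headers?: Record<string, string>;
+ timeoutMillis?: number;
+ concurrencyLimit?: number;
+ };
+ type OtelMetricsSignalConfig = OtelSignalConfig & {
+ exportIntervalMillis?: number;
+ exportTimeoutMillis?: number;
+ };
+ type OtelOAuthClientCredentialsConfig = {
+ tokenUrl: string;
+ clientId: string;
+ clientSecret: string;
+ scope?: string;
+ audience?: string;
+ headers?: Record<string, string>;
+ };
+ type OtelLogRecord = {
+ severityNumber?: number;
+ severityText?: string;
+ body?: unknown;
+ attributes?: Record<string, unknown>;
+ };
+ /**
+ * OpenTelemetry config supplied by ConfigSource/RemoteConfig.
+ * Keep environment-specific URLs and credentials here, not in FrameworkConfig.
+ */
+ type OtelConfig = {
+ type?: OtelProviderType;
+ name: string;
+ endpoint?: string;
+ protocol?: OtelProtocol;
+ headers?: Record<string, string>;
+ apiKey?: string;
+ apiKeyHeader?: string;
+ oauth?: OtelOAuthClientCredentialsConfig;
+ version?: string;
+ deploymentEnvironment?: string;
+ resourceAttributes?: OtelAttributes;
+ levels?: OtelLevels;
+ traces?: boolean | OtelSignalConfig;
+ metrics?: boolean | OtelMetricsSignalConfig;
+ logs?: boolean | OtelSignalConfig;
+ };
+ /**
+ * OpenTelemetry app/runtime wiring supplied by code.
+ * Instrumentation instances and callbacks live here because they are framework-specific code.
+ */
+ type FrameworkOtelConfig = {
+ levels?: OtelLevels;
+ instrument?: unknown[];
+ console?: boolean | ((record: OtelLogRecord) => void);
+ spanProcessors?: unknown[];
+ metricReaders?: unknown[];
+ logRecordProcessors?: unknown[];
+ sampler?: unknown;
+ textMapPropagator?: unknown;
+ contextManager?: unknown;
+ configure?: (options: Record<string, unknown>) => Record<string, unknown> | void;
+ };
+ type Otel = {
+ beforeChange(listener: ChangeListener): () => void;
+ afterChange(listener: ChangeListener): () => void;
+ isAvailable(): boolean;
+ ready(timeout?: number): Promise<void>;
+ logger: Logger;
+ forceFlush(): Promise<void>;
+ shutdown(): Promise<void>;
+ };
  /**
  * OIDC Code Flow Callback URL Parameters
  * @see https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
@@ -998,7 +1082,7 @@ type SSO<
  declare function sso<
  TSessionData = Record<string, never>,
  TUserData = Record<string, never>
- >(validators: SSOValidators, _log: Logger, fromVault?: Partial<SSOConfig<TSessionData, TUserData>>, fromCode?: Partial<SSOConfig<TSessionData, TUserData>>): SSO<TSessionData, TUserData> | undefined;
+ >(validators: SSOValidators, log: Logger, fromVault?: Partial<SSOConfig<TSessionData, TUserData>>, fromCode?: Partial<SSOConfig<TSessionData, TUserData>>): SSO<TSessionData, TUserData> | undefined;
  declare function getSSOUser(request: Request, es: EnterpriseStandard): Promise<WorkforceUser | undefined>;
  declare function getSSOorCIAMUser(request: Request, es: EnterpriseStandard): Promise<AuthenticatedUser | undefined>;
  declare function getRequiredSSOorCIAMUser(request: Request, es: EnterpriseStandard): Promise<AuthenticatedUser>;
@@ -1007,12 +1091,6 @@ declare function callback(request: Request, es: EnterpriseStandard): Promise<Res
  declare function logout(request: Request, es: EnterpriseStandard): Promise<Response>;
  declare function logoutBackChannel2(request: Request, es: EnterpriseStandard): Promise<Response>;
  import { StandardSchemaV1 as StandardSchemaV15 } from "@standard-schema/spec";
- type ChangeListener = () => void;
- type ReactiveHandle = {
- beforeChange?(listener: ChangeListener): () => void;
- afterChange?(listener: ChangeListener): () => void;
- isAvailable?(): boolean;
- };
  /**
  * JWT Assertion Claims for OAuth2 JWT Bearer Grant (RFC 7523) and OAuth2 Access Tokens
  * @see https://datatracker.ietf.org/doc/html/rfc7523
@@ -1754,8 +1832,7 @@ type VaultLfvSecretsConfig = {
  /** Warning interval in milliseconds for LFV retry logs. Set to 0 to disable warnings. */
  warnInterval?: number;
  /**
- * Optional logger for request/response tracing. Use `debugLogger` from `@enterprisestandard/core`
- * to get debug output with request_id for LFV operations.
+ * Optional logger for request/response tracing.
  */
  log?: Logger;
  };
@@ -1792,6 +1869,8 @@ type VaultSecretsConfig = {
  * MINIMUM: 600_000 milliseconds (10 minutes). Polls the path every ttl milliseconds and calls onConfig when config changes.
  */
  ttl?: number;
+ /** Optional logger used for vault source warnings. */
+ log?: Logger;
  };
  type AwsSecretsConfig = {
  type: "aws";
@@ -1950,13 +2029,14 @@ type ESValidators = {
  * from ConfigSource / adaptive (typed as the module type, non-optional).
  */
  type FrameworkConfig = {
- /** Optional `Logger` implementation (e.g. `consoleLogger`); exposed on the instance as `log`. */
+ /** Optional `Logger` implementation; exposed on the instance as `log`. */
  log?: Logger;
  sso?: SSOConfig | null;
  iam?: IAMConfig | null;
  workload?: FrameworkWorkloadConfig | null;
  secrets?: FrameworkSecretsModuleConfig | null;
  ciam?: CIAMConfig | null;
+ otel?: FrameworkOtelConfig | null;
  validators: ESValidators;
  };
  /**
@@ -1977,6 +2057,8 @@ type RemoteConfig = {
  /** Optional named secrets-source configs available to this ESA instance. */
  secrets?: SecretsModuleConfig;
  ciam?: CIAMConfig;
+ /** OpenTelemetry collector/exporter config loaded from ConfigSource. */
+ otel?: OtelConfig;
  };
  /**
  * Stores supplied by the framework/application when creating an Enterprise Standard instance.
@@ -2615,6 +2697,7 @@ type EnterpriseStandardBase = {
  iam?: IAM;
  workload?: Workload | AggregateWorkload;
  ciam?: CIAM;
+ otel?: Otel;
  /**
  * Framework-agnostic request handler that routes requests to the appropriate
  * module (SSO, IAM, Workload, or CIAM) based on the configured URLs.
@@ -2757,7 +2840,7 @@ type CIAMConfigFromCode<
  declare function ciam<
  TMagicLinkData = Record<string, never>,
  TUserData = Record<string, never>
- >(_validators: CIAMValidators, _log: Logger, fromVault?: Partial<CIAMConfig<TMagicLinkData, TUserData>>, fromCode?: Partial<CIAMConfigFromCode<TMagicLinkData, TUserData>>, workload?: {
+ >(_validators: CIAMValidators, log: Logger, fromVault?: Partial<CIAMConfig<TMagicLinkData, TUserData>>, fromCode?: Partial<CIAMConfigFromCode<TMagicLinkData, TUserData>>, workload?: {
  getWorkloadIdentity: (request: Request) => Promise<WorkloadIdentity | undefined>;
  }): CIAM<TMagicLinkData, TUserData> | undefined;
  /**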
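Review bot: In the `@@ -591,6 +592,89 @@` hunk, `OtelConfig` carries exporter credentials (`apiKey`, `oauth.clientSecret`, free-form `headers` and `oauth.headers`) as plain strings, and the only guidance is that credentials belong in ConfigSource rather than `FrameworkConfig` — nothing warns that a `RemoteConfig` holding this object must not be logged or serialized, which matters because the same hunk adds a `console` sink on `FrameworkOtelConfig` and a `logger` on `Otel` through which such an object could be emitted. I would extend the `OtelConfig` doc comment with `Holds exporter credentials (apiKey, oauth.clientSecret, headers): redact before logging or serializing a RemoteConfig that contains it.` Also, `ready(timeout?: number)` on `Otel` gives no unit while every other duration in the hunk is suffixed `Millis` (`timeoutMillis`, `exportIntervalMillis`, `exportTimeoutMillis`); document it, e.g. `/** Resolves once the exporter is wired up; timeout is in milliseconds. */`, if that is what the implementation uses. Finally, `FrameworkOtelConfig.configure` receives the merged options as `Record<string, unknown>` and can presumably override `endpoint`/`headers` that came from remote config, so a one-line comment stating when it runs relative to the remote config (or that it cannot override credentials) would keep the config-vs-code split promised in the comment above `OtelConfig` from being bypassed silently.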
package/dist/server.js CHANGED
@@ -1 +1 @@
1
- import{A as vA,B as yA,C as xA,D as bA,E as kA,F as qA,G as hA,H as gA,I as pA,J as mA,c as KA,d as VA,e as BA,l as LA,s as EA,t as OA,z as fA}from"./shared/core-1x31ar7h.js";function _A($,L,N,b,k){if(!N&&!b)return;let y={...N,...b},Z={...y,signingKey:N?.signingKey,magicLinkTtl:y.magicLinkTtl??3600,sessionTtl:y.sessionTtl??86400,cookiesSecure:y.cookiesSecure!==void 0?y.cookiesSecure:!0,cookiesSameSite:y.cookiesSameSite!==void 0?y.cookiesSameSite:"Strict",cookiesPrefix:y.cookiesPrefix??(y.ciamId?`es.ciam.${y.ciamId}`:"es.ciam"),cookiesPath:y.cookiesPath??"/",sessionValidation:y.sessionValidation??"always"};function AA(){if(!Z.signingKey)throw Error("Missing CIAM configuration field: signingKey. CIAM signingKey is required for JWT token signing and must be provided via Vault (ciam.signingKey).")}function q(){if(!Z.sessionStore)throw Error("Missing CIAM configuration field: sessionStore. CIAM sessionStore is required for server-side session tracking and backchannel logout.");return Z.sessionStore}function m(){AA(),q()}function s(M=32){let X=new Uint8Array(M);return crypto.getRandomValues(X),Array.from(X,(H)=>H.toString(16).padStart(2,"0")).join("").substring(0,M)}function d(M){let X=typeof M==="string"?new TextEncoder().encode(M):M,H="";return X.forEach((z)=>{H+=String.fromCharCode(z)}),btoa(H).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"")}function MA(M){let X=M.replace(/-/g,"+").replace(/_/g,"/"),H=X.padEnd(X.length+(4-X.length%4)%4,"=");return atob(H)}async function n(){AA();let M=new TextEncoder().encode(Z.signingKey??"");return crypto.subtle.importKey("raw",M,{name:"HMAC",hash:"SHA-256"},!1,["sign","verify"])}async function i(M){let H=d(JSON.stringify({alg:"HS256",typ:"JWT"})),z=d(JSON.stringify(M)),G=`${H}.${z}`,K=await n(),V=await crypto.subtle.sign("HMAC",K,new TextEncoder().encode(G)),j=d(new Uint8Array(V));return`${G}.${j}`}async function h(M){let X=M.split(".");if(X.length!==3)throw Error("Invalid JWT");let[H,z,G]=X,K=`${H}.${z}`,V=await 
n(),j=new Uint8Array(MA(G).split("").map((x)=>x.charCodeAt(0)));if(!await crypto.subtle.verify("HMAC",V,j,new TextEncoder().encode(K)))throw Error("Invalid JWT signature");let u=MA(z),l=JSON.parse(u);if(typeof l.exp==="number"&&l.exp<Math.floor(Date.now()/1000))throw Error("Token expired");return l}function U(M,X,H){if(!Z)throw Error("Enterprise Standard CIAM Manager not initialized");if(M=`${Z.cookiesPrefix}.${M}`,typeof X!=="string")X=btoa(JSON.stringify(X));let z;if(H instanceof Date)z=`Expires=${H.toUTCString()}`;else if(typeof H==="number")z=`Max-Age=${H}`;else throw Error("Invalid expires type",H);if(X.length>4000)throw Error(`Error setting cookie: ${M}. Cookie length is: ${X.length}`);return`${M}=${X}; ${z}; Path=${Z.cookiesPath}; HttpOnly;${Z.cookiesSecure?" Secure;":""} SameSite=${Z.cookiesSameSite};`}function QA(M){if(!Z)throw Error("Enterprise Standard CIAM Manager not initialized");return`${Z.cookiesPrefix}.${M}=; Max-Age=0; Path=${Z.cookiesPath}; HttpOnly;${Z.cookiesSecure?" 
Secure;":""} SameSite=${Z.cookiesSameSite};`}function r(M,X,H=!1){if(!Z)throw Error("Enterprise Standard CIAM Manager not initialized");let z=X.headers.get("cookie");if(!z)return null;let G=`${Z.cookiesPrefix}.${M}`,K=z.split(";").find((P)=>P.trim().startsWith(`${G}=`));if(!K)return null;let V=K.indexOf("="),j=K.substring(V+1).trim();if(!H)return j;try{let P=atob(j);return JSON.parse(P)}catch(P){return console.error(`[CIAM] Failed to parse cookie '${G}':`,P),null}}function ZA(M,X,H){let z={expires_in:Z.sessionTtl??86400,token_type:"Bearer",expires:H.toISOString()};return[["Set-Cookie",U("access",M,H)],["Set-Cookie",U("id",X,H)],["Set-Cookie",U("control",z,H)]]}function a(M){let X=r("access",M),H=r("id",M),z=r("control",M,!0);if(!X||!H||!z)return;if(z.expires&&Date.now()>new Date(z.expires).getTime())return;return{access:X,id:H,control:z}}async function o(M){if(!Z)throw Error("Enterprise Standard CIAM Manager not initialized");m();try{let X=a(M);if(!X)return;let H=await h(X.access),z=await h(X.id);if(!H.sid||!z.sub)return;if(Z.sessionValidation!=="disabled"){if(!await q().get(H.sid))return}return S(z)}catch(X){return}}async function FA(M){let X=await o(M);if(X)return X;throw new Response("Unauthorized",{status:401,statusText:"Unauthorized"})}async function B(M){if(!Z)throw Error("Enterprise Standard CIAM Manager not initialized");m();try{let V=a(M);if(V){let j=await h(V.access);if(j.sid)await q().delete(j.sid)}}catch(V){console.warn("Failed to delete CIAM session:",V)}let X=[["Set-Cookie",QA("access")],["Set-Cookie",QA("id")],["Set-Cookie",QA("control")]],z=new URL(M.url).searchParams.get("redirect");if(z)return new Response("Logged out",{status:302,headers:[["Location",z],...X]});let G=M.headers.get("accept");if(G?.includes("application/json")||G?.includes("text/javascript"))return new Response(JSON.stringify({success:!0,message:"Logged out"}),{status:200,headers:[["Content-Type","application/json"],...X]});return new Response("Logout 
Complete",{status:200,headers:[["Content-Type","text/plain"],...X]})}async function O(M){if(!Z)throw Error("Enterprise Standard CIAM Manager not initialized");m();try{let X=M.headers.get("content-type");if(!X||!X.includes("application/x-www-form-urlencoded"))return new Response("Invalid Content-Type, expected application/x-www-form-urlencoded",{status:400});let H=await M.text(),G=new URLSearchParams(H).get("logout_token");if(!G)return new Response("Missing logout_token parameter",{status:400});let V=(await h(G)).sid;if(!V)return new Response("Invalid logout_token: missing sid claim",{status:400});return await q().delete(V),new Response("OK",{status:200})}catch(X){return console.error("Error during CIAM back-channel logout:",X),new Response("Internal Server Error",{status:500})}}function J(M){return M.id||M.email||`ciam-${M.userName}`}function C(M,X,H){return{sub:J(M),iss:"ciam",aud:"ciam",exp:Math.floor(H.getTime()/1000),iat:Math.floor(Date.now()/1000),email:M.email,name:M.name,preferred_username:M.userName,picture:M.avatar,sid:X}}function v(M,X,H){return{sub:M,iss:"ciam",aud:"ciam",exp:Math.floor(H.getTime()/1000),iat:Math.floor(Date.now()/1000),sid:X,scope:"openid profile email"}}function S(M){let X=M.exp?new Date(M.exp*1000):new Date;return{id:M.sub,userName:M.preferred_username??"",name:M.name??"",email:M.email??"",avatar:M.picture,userType:"customer",ciam:{profile:M,scope:"openid profile email",tokenType:"Bearer",expires:X}}}async function g(M){if(!Z)throw Error("Enterprise Standard CIAM Manager not initialized");if(!k)return new Response(JSON.stringify({error:"Workload authentication required"}),{status:401,headers:{"Content-Type":"application/json"}});if(!await k.getWorkloadIdentity(M))return new Response(JSON.stringify({error:"Unauthorized: Valid workload token required"}),{status:401,headers:{"Content-Type":"application/json"}});let H,z;try{let A=M.headers.get("content-type");if(!A||!A.includes("application/json"))return new 
Response(JSON.stringify({error:"Content-Type must be application/json"}),{status:400,headers:{"Content-Type":"application/json"}});let Y=await M.text(),F=JSON.parse(Y);if(z=typeof F?.redirect==="string"&&F.redirect.length>0?F.redirect:void 0,H={userName:F.userName,name:F.name,email:F.email,avatar:F.avatar},!H.userName||!H.name||!H.email)return new Response(JSON.stringify({error:"Missing required fields: userName, name, email"}),{status:400,headers:{"Content-Type":"application/json"}})}catch(A){return new Response(JSON.stringify({error:"Invalid JSON in request body"}),{status:400,headers:{"Content-Type":"application/json"}})}let K=new URL(M.url).searchParams.get("ttl"),V=K?parseInt(K,10):Z.magicLinkTtl??3600;if(Number.isNaN(V)||V<=0)return new Response(JSON.stringify({error:"Invalid TTL parameter"}),{status:400,headers:{"Content-Type":"application/json"}});let j=s(32),P=new Date(Date.now()+V*1000);if(!Z.magicLinkStore)return new Response(JSON.stringify({error:"Magic link store not configured"}),{status:500,headers:{"Content-Type":"application/json"}});try{await Z.magicLinkStore.create(j,H,P)}catch(A){return console.error("Error creating magic link:",A),new Response(JSON.stringify({error:"Failed to create magic link"}),{status:500,headers:{"Content-Type":"application/json"}})}let u=new URL(M.url),l=Z.magicLinkLoginUrl||"/magic-link/login",x=new URL(l,u.origin);if(x.searchParams.set("token",j),z)x.searchParams.set("redirect",z);return new Response(JSON.stringify({magicLink:x.toString(),expiresAt:P.toISOString()}),{status:200,headers:{"Content-Type":"application/json"}})}async function c(M){if(!Z)throw Error("Enterprise Standard CIAM Manager not initialized");m();let X=new URL(M.url),H=X.searchParams.get("token");if(!H){let W=Z.errorUrl||"/";return new Response("Redirecting to error URL",{status:302,headers:{Location:W}})}if(!Z.magicLinkStore){let W=Z.errorUrl||"/";return new Response("Redirecting to error URL",{status:302,headers:{Location:W}})}let z=await 
Z.magicLinkStore.get(H);if(!z){let W=Z.errorUrl||"/";return new Response("Redirecting to error URL",{status:302,headers:{Location:W}})}let G=new Date(Date.now()+(Z.sessionTtl??86400)*1000),K=s(32),V=J(z.user),j=C(z.user,K,G),P=v(V,K,G),u=S(j);try{let W={sid:K,sub:V,createdAt:new Date,lastActivityAt:new Date};await q().create(W)}catch(W){console.warn("Failed to create session:",W)}if(Z.userStore)try{let W=u.id;if(W){let _=new Date,D=await Z.userStore.get(W);if(D||Z.enableJitUserProvisioning){let T={...D??{},...u,id:W,tenantId:D?.tenantId,createdAt:D?.createdAt??_,updatedAt:_,userType:D?.userType??"customer"};await Z.userStore.upsert(T)}}}catch(W){console.warn("Failed to store user:",W)}try{await Z.magicLinkStore.delete(H)}catch(W){console.warn("Failed to delete magic link:",W)}let l=await i(P),x=await i(j),A=Z.landingUrl||"/",Y=X.searchParams.get("redirect"),F=A;if(Y)if(Y.startsWith("/"))F=Y;else try{if(new URL(Y).origin===new URL(M.url).origin)F=Y}catch{}return new Response("Authentication successful, redirecting",{status:302,headers:[["Location",F],...ZA(l,x,G)]})}async function E(M){if(!Z)throw Error("Enterprise Standard CIAM Manager not initialized");m();let X=Z.magicLinkUrl||"/magic-link",H=Z.magicLinkLoginUrl||"/magic-link/login",z=Z.logoutUrl||"/auth/logout",G=Z.logoutBackChannelUrl||"/auth/logout/backchannel",K=new URL(M.url).pathname,V=(x)=>{if(!x)return;try{return new URL(x).pathname}catch{return x.startsWith("/")?x:`/${x}`}};if(V(X)===K&&M.method==="POST")return g(M);if(V(H)===K&&M.method==="GET")return c(M);if(V(z)===K&&M.method==="GET")return B(M);if(V(G)===K&&M.method==="POST")return O(M);return new Response("Not Found",{status:404})}return{...Z,getUser:o,getRequiredUser:FA,logout:B,logoutBackChannel:O,handler:E}}async function JA($,L){return BA(L,"EnterpriseStandard instance is required. 
Create one with enterpriseStandard(source, config) and pass it to this function."),L.ciam?.getUser($)}function I($,L,N){return new Response(JSON.stringify({schemas:["urn:ietf:params:scim:api:messages:2.0:Error"],status:String($),scimType:N,detail:L}),{status:$,headers:{"Content-Type":"application/scim+json"}})}function HA($,L){let N=L?.totalResults??$.length,b=L?.startIndex??1,k=L?.itemsPerPage??$.length;return new Response(JSON.stringify({schemas:["urn:ietf:params:scim:api:messages:2.0:ListResponse"],totalResults:N,startIndex:b,itemsPerPage:k,Resources:$}),{status:200,headers:{"Content-Type":"application/scim+json"}})}function p($,L=200){return new Response(JSON.stringify($),{status:L,headers:{"Content-Type":"application/scim+json"}})}function XA($){return{schemas:["urn:ietf:params:scim:schemas:core:2.0:Group"],id:$.id,externalId:$.externalId,displayName:$.displayName,members:$.members,meta:{resourceType:"Group",created:$.createdAt.toISOString(),lastModified:$.updatedAt.toISOString()}}}function WA(){return crypto.randomUUID()}function YA($,L){let N=$;if(typeof N.validate==="function")return N.validate(L);return Promise.resolve($["~standard"].validate(L))}function IA($){if(!$)return;try{return new URL($).pathname}catch{return $.startsWith("/")?$:`/${$}`}}function zA($){return $==="/"?$:$.replace(/\/+$/,"")}function t($){let L=IA($);return L?zA(L):void 0}function jA($,L){let N=t($);if(N?.endsWith("/Users"))return N.slice(0,-6);let b=t(L);if(b?.endsWith("/Groups"))return b.slice(0,-7);return}function e($,L){return new URL(L,$.url).toString()}function Q($,L,N,b){let{multiValued:k=!1,...y}=b??{};return{name:$,type:L,description:N,multiValued:k,...y}}function SA($,L){return{schemas:["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],documentationUri:L?.documentationUri,patch:{supported:!0},bulk:{supported:!1},filter:{supported:!1},changePassword:{supported:!1},sort:{supported:!1},etag:{supported:!1},authenticationSchemes:[{type:"oauthbearertoken",name:"OAuth 
Bearer Token",description:"Use an Enterprise Standard workload bearer token for IAM discovery and provisioning requests.",primary:!0}],meta:{resourceType:"ServiceProviderConfig",location:e($.request,`${$.basePath}/ServiceProviderConfig`)}}}function NA($){let L=[];if($.supportsUsers)L.push({schemas:["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],id:"User",name:"User",description:"User Account",endpoint:$.usersUrl,schema:"urn:ietf:params:scim:schemas:core:2.0:User",schemaExtensions:[{schema:"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",required:!1}],meta:{resourceType:"ResourceType",location:e($.request,`${$.basePath}/ResourceTypes/User`)}});if($.supportsGroups)L.push({schemas:["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],id:"Group",name:"Group",description:"Group",endpoint:$.groupsUrl,schema:"urn:ietf:params:scim:schemas:core:2.0:Group",meta:{resourceType:"ResourceType",location:e($.request,`${$.basePath}/ResourceTypes/Group`)}});return L}function wA($){let L=[];if($.supportsUsers)L.push({schemas:["urn:ietf:params:scim:schemas:core:2.0:Schema"],id:"urn:ietf:params:scim:schemas:core:2.0:User",name:"User",description:"User Account",meta:{resourceType:"Schema",location:e($.request,`${$.basePath}/Schemas/${encodeURIComponent("urn:ietf:params:scim:schemas:core:2.0:User")}`)},attributes:[Q("id","string","Unique identifier for the User.",{multiValued:!1,required:!1,mutability:"readOnly",returned:"always",uniqueness:"global"}),Q("externalId","string","External identifier from the provisioning client.",{multiValued:!1,required:!1,mutability:"readWrite",returned:"default",uniqueness:"none"}),Q("userName","string","Unique identifier typically used for login.",{multiValued:!1,required:!0,caseExact:!1,mutability:"readWrite",returned:"default",uniqueness:"server"}),Q("name","complex","The components of the user name.",{multiValued:!1,required:!1,mutability:"readWrite",returned:"default",subAttributes:[Q("formatted","string","The full name, including 
titles and suffixes.",{multiValued:!1}),Q("familyName","string","The family name of the User.",{multiValued:!1}),Q("givenName","string","The given name of the User.",{multiValued:!1}),Q("middleName","string","The middle name(s) of the User.",{multiValued:!1}),Q("honorificPrefix","string","The honorific prefix(es) of the User.",{multiValued:!1}),Q("honorificSuffix","string","The honorific suffix(es) of the User.",{multiValued:!1})]}),Q("displayName","string","The name of the User, suitable for display.",{multiValued:!1}),Q("nickName","string","The casual way to address the user.",{multiValued:!1}),Q("profileUrl","reference","A URL pointing to the User profile.",{multiValued:!1,referenceTypes:["external"]}),Q("title","string","The user title, such as Vice President.",{multiValued:!1}),Q("userType","string","The relationship between the organization and the User.",{multiValued:!1}),Q("preferredLanguage","string","Preferred written or spoken language.",{multiValued:!1}),Q("locale","string","Default location for localizing values.",{multiValued:!1}),Q("timezone","string","The User time zone.",{multiValued:!1}),Q("active","boolean","The User administrative status.",{multiValued:!1}),Q("emails","complex","Email addresses for the User.",{multiValued:!0,subAttributes:[Q("value","string","Email address value.",{multiValued:!1,required:!0}),Q("display","string","Display label for the email.",{multiValued:!1}),Q("type","string","Email type such as work or home.",{multiValued:!1}),Q("primary","boolean","Primary email indicator.",{multiValued:!1})]}),Q("phoneNumbers","complex","Phone numbers for the User.",{multiValued:!0,subAttributes:[Q("value","string","Phone number value.",{multiValued:!1,required:!0}),Q("display","string","Display label for the phone number.",{multiValued:!1}),Q("type","string","Phone number type.",{multiValued:!1}),Q("primary","boolean","Primary phone number indicator.",{multiValued:!1})]}),Q("photos","complex","Photo URLs for the 
User.",{multiValued:!0,subAttributes:[Q("value","reference","Photo URL.",{multiValued:!1,required:!0,referenceTypes:["external"]}),Q("display","string","Display label for the photo.",{multiValued:!1}),Q("type","string","Photo type.",{multiValued:!1}),Q("primary","boolean","Primary photo indicator.",{multiValued:!1})]}),Q("addresses","complex","Physical mailing addresses for the User.",{multiValued:!0,subAttributes:[Q("formatted","string","Formatted mailing address.",{multiValued:!1}),Q("streetAddress","string","Full street address component.",{multiValued:!1}),Q("locality","string","City or locality.",{multiValued:!1}),Q("region","string","State or region.",{multiValued:!1}),Q("postalCode","string","Postal code.",{multiValued:!1}),Q("country","string","Country.",{multiValued:!1}),Q("type","string","Address type.",{multiValued:!1}),Q("primary","boolean","Primary address indicator.",{multiValued:!1})]}),Q("groups","complex","Groups to which the User belongs.",{multiValued:!0,mutability:"readOnly",subAttributes:[Q("value","string","Group identifier.",{multiValued:!1,required:!0}),Q("$ref","reference","Reference to the Group resource.",{multiValued:!1,referenceTypes:["Group"]}),Q("display","string","Display name of the group.",{multiValued:!1}),Q("type","string","Relationship type.",{multiValued:!1})]}),Q("entitlements","complex","Entitlements for the User.",{multiValued:!0,subAttributes:[Q("value","string","Entitlement value.",{multiValued:!1,required:!0}),Q("display","string","Display value.",{multiValued:!1}),Q("type","string","Entitlement type.",{multiValued:!1}),Q("primary","boolean","Primary entitlement indicator.",{multiValued:!1})]}),Q("roles","complex","Roles for the User.",{multiValued:!0,subAttributes:[Q("value","string","Role value.",{multiValued:!1,required:!0}),Q("display","string","Display value.",{multiValued:!1}),Q("type","string","Role type.",{multiValued:!1}),Q("primary","boolean","Primary role 
indicator.",{multiValued:!1})]}),Q("x509Certificates","complex","Certificates issued to the User.",{multiValued:!0,subAttributes:[Q("value","string","Certificate value.",{multiValued:!1,required:!0}),Q("display","string","Display value.",{multiValued:!1}),Q("type","string","Certificate type.",{multiValued:!1}),Q("primary","boolean","Primary certificate indicator.",{multiValued:!1})]})]}),L.push({schemas:["urn:ietf:params:scim:schemas:core:2.0:Schema"],id:"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",name:"EnterpriseUser",description:"Enterprise User extension",meta:{resourceType:"Schema",location:e($.request,`${$.basePath}/Schemas/${encodeURIComponent("urn:ietf:params:scim:schemas:extension:enterprise:2.0:User")}`)},attributes:[Q("employeeNumber","string","Numeric or alphanumeric identifier assigned to a person.",{multiValued:!1}),Q("costCenter","string","Name of a cost center.",{multiValued:!1}),Q("organization","string","Name of an organization.",{multiValued:!1}),Q("division","string","Name of a division.",{multiValued:!1}),Q("department","string","Name of a department.",{multiValued:!1}),Q("manager","complex","The User manager.",{multiValued:!1,subAttributes:[Q("value","string","Identifier of the manager User resource.",{multiValued:!1}),Q("$ref","reference","Reference to the manager User resource.",{multiValued:!1,referenceTypes:["User"]}),Q("displayName","string","Display name of the manager.",{multiValued:!1})]})]});if($.supportsGroups)L.push({schemas:["urn:ietf:params:scim:schemas:core:2.0:Schema"],id:"urn:ietf:params:scim:schemas:core:2.0:Group",name:"Group",description:"Group",meta:{resourceType:"Schema",location:e($.request,`${$.basePath}/Schemas/${encodeURIComponent("urn:ietf:params:scim:schemas:core:2.0:Group")}`)},attributes:[Q("id","string","Unique identifier for the Group.",{multiValued:!1,mutability:"readOnly",returned:"always",uniqueness:"global"}),Q("externalId","string","External identifier from the provisioning 
client.",{multiValued:!1,uniqueness:"none"}),Q("displayName","string","Human-readable name for the Group.",{multiValued:!1,required:!0,uniqueness:"none"}),Q("members","complex","Members of the Group.",{multiValued:!0,subAttributes:[Q("value","string","Identifier of the member resource.",{multiValued:!1,required:!0}),Q("$ref","reference","Reference to the member resource.",{multiValued:!1,referenceTypes:["User","Group"]}),Q("display","string","Display name of the member.",{multiValued:!1}),Q("type","string","Member type.",{multiValued:!1})]})]});return L}function TA($,L,N,b,k){if(!b&&!k)return;let Z={...b,...k};if(Boolean(Z.url||Z.userStore||Z.groupStore)&&!N)L.error?.("IAM requires workload identity for SCIM push/pull operations");function q(){if(!N)throw L.error?.("IAM requires workload identity for SCIM push/pull operations"),Error("IAM requires workload identity for SCIM push/pull operations");return N}async function m(B){let O=q(),J=B.headers.get("Authorization");if(!J||!J.startsWith("Bearer "))return!1;try{let C=J.substring(7);return(await O.validateToken(C)).valid}catch{return!1}}async function s(){let B=q(),O=typeof B.getServerToken==="function"?await B.getServerToken():await B.getToken();return new Headers({"Content-Type":"application/scim+json",Accept:"application/scim+json",Authorization:`Bearer ${O}`})}async function d(B,O,J,C){if(!Z.url)throw Error("IAM URL not configured for outgoing requests");let v=`${Z.url}${O}`;try{let S=await s(),g=await fetch(v,{method:B,headers:S,body:J?JSON.stringify(J):void 0}),c=await g.json();if(!g.ok)return{success:!1,error:c,status:g.status};let E=await C["~standard"].validate(c);if(E.issues)return console.error("SCIM response validation failed:",E.issues),{success:!1,error:{schemas:["urn:ietf:params:scim:api:messages:2.0:Error"],status:"400",scimType:"invalidValue",detail:`Response validation failed: ${E.issues.map((M)=>M.message).join("; 
")}`},status:400};return{success:!0,data:E.value,status:g.status}}catch(S){return{success:!1,error:{schemas:["urn:ietf:params:scim:api:messages:2.0:Error"],status:"500",detail:S instanceof Error?S.message:"Unknown error occurred"},status:500}}}function MA(){return Z.url}function n(B,O){let J=t(O?.usersUrl??Z.usersUrl??"/api/iam/Users")??"/api/iam/Users",C=t(O?.groupsUrl??Z.groupsUrl??"/api/iam/Groups")??"/api/iam/Groups",v=t(O?.discovery?.basePath??Z.discovery?.basePath)??jA(J,C);if(!v)return;return{request:B,basePath:v,usersUrl:J,groupsUrl:C,supportsUsers:Boolean(Z.userStore),supportsGroups:Boolean(Z.groupStore)}}async function i(B){let O=SA(B,Z.discovery);return await Z.discovery?.buildServiceProviderConfig?.(B,O)??O}async function h(B){let O=NA(B);return await Z.discovery?.buildResourceTypes?.(B,O)??O}async function U(B){let O=wA(B);return await Z.discovery?.buildSchemas?.(B,O)??O}async function QA(B,O){let J=n(B,O);if(!J)return;let C=zA(new URL(B.url).pathname),{basePath:v}=J;if(C!==v&&!C.startsWith(`${v}/`))return;let S=zA(C.slice(v.length)||"/");if(!(S==="/ServiceProviderConfig"||S==="/ResourceTypes"||S.startsWith("/ResourceTypes/")||S==="/Schemas"||S.startsWith("/Schemas/")))return;if(B.method!=="GET")return I(405,"Method not allowed");if(!await m(B))return I(401,"Authorization required");if(S==="/ServiceProviderConfig")return p(await i(J));if(S==="/ResourceTypes")return HA(await h(J));if(S.startsWith("/ResourceTypes/")){let E=decodeURIComponent(S.slice(15)),M=(await h(J)).find((X)=>X.id===E||X.name===E);return M?p(M):I(404,"Resource not found")}if(S==="/Schemas")return HA(await U(J));if(S.startsWith("/Schemas/")){let E=decodeURIComponent(S.slice(9)),M=(await U(J)).find((X)=>X.id===E);return M?p(M):I(404,"Resource not found")}return}let r,ZA;if(Z.url)ZA=async(O,J)=>{let C={...O,schemas:O.schemas??["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"]};return 
d("POST","/Users",C,$.user)},r={createGroup:async(O,J)=>{let C={schemas:["urn:ietf:params:scim:schemas:core:2.0:Group"],displayName:O,externalId:J?.externalId,members:J?.members};return d("POST","/Groups",C,$.group)}};let a;if(Z.groupStore){let B=Z.groupStore,O=async(E,M)=>{if(!await m(E))return I(401,"Authorization required");let H=new URL(E.url),z=M?.basePath??"/Groups",G=H.pathname;if(G.startsWith(z))G=G.substring(z.length);let V=G.match(/^\/([^/]+)$/)?.[1],j=E.method;try{if(V)switch(j){case"GET":return await C(V);case"PUT":return await S(E,V);case"PATCH":return await g(E,V);case"DELETE":return await c(V);default:return I(405,"Method not allowed")}else if(G===""||G==="/")switch(j){case"GET":return await J(E);case"POST":return await v(E);default:return I(405,"Method not allowed")}return I(404,"Resource not found")}catch(P){return console.error("Groups inbound handler error:",P),I(500,P instanceof Error?P.message:"Internal server error")}},J=async(E)=>{let M=new URL(E.url),X=M.searchParams.get("startIndex"),H=M.searchParams.get("count"),z=X!=null?parseInt(X,10):void 0,G=H!=null?parseInt(H,10):void 0,K=z!=null&&!Number.isNaN(z)?Math.max(0,z-1):0,V=G!=null&&!Number.isNaN(G)?G:void 0,j=await B.list({start:K,limit:V}),P=j.items.map(XA);return HA(P,{totalResults:j.total,startIndex:K+1,itemsPerPage:j.count})},C=async(E)=>{let M=await B.get(E);if(!M)return I(404,`Group ${E} not found`,"invalidValue");return p(XA(M))},v=async(E)=>{let M=await E.json(),X=await YA($.group,M);if(X.issues)return console.error("Group creation validation failed:",X.issues),I(400,`Request validation failed: ${X.issues.map((K)=>K.message).join("; ")}`,"invalidValue");let H=X.value;if(!H.displayName)return I(400,"displayName is required","invalidValue");let z=new Date,G={id:WA(),displayName:H.displayName,externalId:H.externalId,members:H.members,createdAt:z,updatedAt:z};return await B.upsert(G),p(XA(G),201)},S=async(E,M)=>{let X=await B.get(M);if(!X)return I(404,`Group ${M} not 
found`,"invalidValue");let H=await E.json(),z=await YA($.group,H);if(z.issues)return console.error("Group replacement validation failed:",z.issues),I(400,`Request validation failed: ${z.issues.map((V)=>V.message).join("; ")}`,"invalidValue");let G=z.value,K={...X,displayName:G.displayName??X.displayName,externalId:G.externalId,members:G.members,updatedAt:new Date};return await B.upsert(K),p(XA(K))},g=async(E,M)=>{let X=await B.get(M);if(!X)return I(404,`Group ${M} not found`,"invalidValue");let z=(await E.json()).Operations??[],G={...X};for(let K of z)if(K.op==="replace"&&K.path&&K.value!==void 0){if(K.path==="displayName")G.displayName=K.value}else if(K.op==="add"&&K.path&&K.value!==void 0){if(K.path==="members"){let V=K.value;G.members=[...G.members??[],...V]}}else if(K.op==="remove"&&K.path){if(K.path.startsWith("members[")){let V=K.path.match(/members\[value eq "([^"]+)"\]/);if(V)G.members=(G.members??[]).filter((j)=>j.value!==V[1])}}return G.updatedAt=new Date,await B.upsert(G),p(XA(G))},c=async(E)=>{if(!await B.get(E))return I(404,`Group ${E} not found`,"invalidValue");return await B.delete(E),new Response(null,{status:204})};a={handler:O}}let o;if(Z.userStore){let{userStore:B,inboundUsers:O}=Z,J=(A)=>A?.find((Y)=>Y.primary)?.value||A?.[0]?.value,C=(A)=>{if(A.scimName)return A.scimName;if(!A.name)return;let[Y,...F]=A.name.split(" ");return{givenName:Y,familyName:F.join(" ")||void 0}},v=(A)=>Object.keys(A.scimSchemaExtensions??{}).filter((Y)=>Y.startsWith("urn:")&&A.scimSchemaExtensions?.[Y]!==void 0),S=(A)=>{let Y=new Set(["urn:ietf:params:scim:schemas:core:2.0:User"]);if(A.scimEnterprise!==void 0)Y.add("urn:ietf:params:scim:schemas:extension:enterprise:2.0:User");for(let F of v(A))Y.add(F);return Array.from(Y)},g=(A)=>{let Y={};if(A.scimEnterprise!==void 0)Y["urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"]=A.scimEnterprise;for(let[F,W]of Object.entries(A.scimSchemaExtensions??{}))if(F.startsWith("urn:")&&W!==void 0)Y[F]=W;return Y},c=(A)=>{let 
Y=A.userName||A.email||A.id||"",F=A.emails??(A.email?[{value:A.email,primary:!0}]:[]);return{schemas:S(A),id:A.id,externalId:A.externalId,userName:Y,displayName:A.displayName??A.name??Y,name:C(A),nickName:A.nickName,profileUrl:A.avatar,title:A.title,userType:A.userType,preferredLanguage:A.preferredLanguage,locale:A.locale,timezone:A.timezone,active:A.active??!0,emails:F,phoneNumbers:A.phoneNumbers,ims:A.ims,photos:A.photos,addresses:A.addresses,groups:A.groups,entitlements:A.entitlements,roles:A.roles,x509Certificates:A.x509Certificates,meta:{resourceType:"User",created:(A.createdAt??A.updatedAt??new Date).toISOString(),lastModified:(A.updatedAt??A.createdAt??new Date).toISOString()},...g(A)}},E=async(A)=>{if(O?.mapStoredUserToScim)return await O.mapStoredUserToScim(A);return c(A)},M=async(A,Y)=>{if(O?.mapValidatedScimToStoredUser)return await O.mapValidatedScimToStoredUser(A,Y);let F=new Date,W=J(A.emails),_=A.name?.formatted||[A.name?.givenName,A.name?.middleName,A.name?.familyName].filter(Boolean).join(" ").trim()||A.displayName,D=A.id||Y.existing?.id||WA(),T=A.userName||W||Y.existing?.userName||D,w=_||A.displayName||Y.existing?.name||T,R=Object.fromEntries(Object.entries(A).filter(([$A,DA])=>$A.startsWith("urn:")&&$A!=="urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"&&DA!==void 0)),f=Y.existing?.sso;return{...Y.existing??{},id:D,userName:T,name:w,email:W||Y.existing?.email||T,avatar:A.profileUrl,sso:{...f??{},profile:{...f?.profile??{},sub:D,iss:f?.profile.iss??"iam-provisioned",aud:f?.profile.aud??"iam-provisioned",exp:f?.profile.exp??Math.floor(Date.now()/1000)+3600,iat:f?.profile.iat??Math.floor(Date.now()/1000),email:W||Y.existing?.email||T,email_verified:!0,name:w,preferred_username:T},tenant:f?.tenant??{id:"iam-provisioned",name:"IAM Provisioned"},scope:f?.scope??"openid profile email",tokenType:f?.tokenType??"Bearer",expires:f?.expires??new 
Date(Date.now()+3600000)},externalId:A.externalId,displayName:A.displayName,scimName:A.name,emails:A.emails,nickName:A.nickName,title:A.title,preferredLanguage:A.preferredLanguage,locale:A.locale,timezone:A.timezone,active:A.active,phoneNumbers:A.phoneNumbers,ims:A.ims,photos:A.photos,addresses:A.addresses,groups:A.groups,entitlements:A.entitlements,roles:A.roles,x509Certificates:A.x509Certificates,scimEnterprise:A["urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],scimSchemaExtensions:Object.keys(R).length>0?R:void 0,createdAt:Y.existing?.createdAt??(A.meta?.created?new Date(A.meta.created):F),updatedAt:A.meta?.lastModified?new Date(A.meta.lastModified):F,userType:A.userType}},X=(A,Y,F)=>{A[Y]=F},H=(A,Y,F)=>{let W=A[Y];if(Array.isArray(W)){A[Y]=[...W,...Array.isArray(F)?F:[F]];return}if(W&&typeof W==="object"&&!Array.isArray(W)&&F&&typeof F==="object"&&!Array.isArray(F)){A[Y]={...W,...F};return}A[Y]=F},z=(A,Y,F)=>{let W=Y.match(/^(urn:.*:(?:User|Group))(?::(.+))?$/),_=W?[W[1],...W[2]?.split(":")??[]]:Y.split("."),D=A;for(let w of _.slice(0,-1)){let R=D[w];if(R===void 0){if(!F)return null;D[w]={}}else if(R===null||typeof R!=="object"||Array.isArray(R)){if(!F)return null;D[w]={}}D=D[w]}let T=_.at(-1);if(!T)return null;return{parent:D,key:T}},G=(A,Y)=>{let F=Y.op.toLowerCase();if(!Y.path){if(F!=="remove"&&Y.value&&typeof Y.value==="object"&&!Array.isArray(Y.value))Object.assign(A,Y.value);return}let W=Y.path.match(/^([A-Za-z0-9]+)\[value eq "([^"]+)"\]$/);if(W&&F==="remove"){let[,D,T]=W,w=A[D];if(Array.isArray(w))A[D]=w.filter((R)=>!(R&&typeof R==="object"&&("value"in R)&&R.value===T));return}let _=z(A,Y.path,F!=="remove");if(!_)return;if(F==="remove"){delete _.parent[_.key];return}if(F==="add"){H(_.parent,_.key,Y.value);return}X(_.parent,_.key,Y.value)},K=async(A,Y)=>{if(!await m(A))return I(401,"Authorization required");let W=new URL(A.url),_=Y?.basePath??"/Users",D=W.pathname;if(D.startsWith(_))D=D.substring(_.length);let 
w=D.match(/^\/([^/]+)$/)?.[1],R=A.method;try{if(w)switch(R){case"GET":return await j(w);case"PUT":return await u(A,w);case"PATCH":return await l(A,w);case"DELETE":return await x(w);default:return I(405,"Method not allowed")}else if(D===""||D==="/")switch(R){case"GET":return await V(A);case"POST":return await P(A);default:return I(405,"Method not allowed")}return I(404,"Resource not found")}catch(f){return console.error("Users inbound handler error:",f),I(500,f instanceof Error?f.message:"Internal server error")}},V=async(A)=>{let Y=new URL(A.url),F=Y.searchParams.get("startIndex"),W=Y.searchParams.get("count"),_=F!=null?parseInt(F,10):void 0,D=W!=null?parseInt(W,10):void 0,T=_!=null&&!Number.isNaN(_)?Math.max(0,_-1):0,w=D!=null&&!Number.isNaN(D)?D:void 0,R=await B.list({start:T,limit:w}),f=await Promise.all(R.items.map(($A)=>E($A)));return HA(f,{totalResults:R.total,startIndex:T+1,itemsPerPage:R.count})},j=async(A)=>{let Y=await B.get(A);if(!Y)return I(404,`User ${A} not found`,"invalidValue");return p(await E(Y))},P=async(A)=>{let Y=await A.json(),F=await YA($.user,Y);if(F.issues)return console.error("User creation validation failed:",F.issues),I(400,`Request validation failed: ${F.issues.map((D)=>D.message).join("; ")}`,"invalidValue");let W=F.value;if(!W.userName&&!W.emails?.[0]?.value)return I(400,"userName or email is required","invalidValue");let _=await M(W,{mode:"create"});return await B.upsert(_),p(await E(_),201)},u=async(A,Y)=>{let F=await B.get(Y);if(!F)return I(404,`User ${Y} not found`,"invalidValue");let W=await A.json(),_=await YA($.user,W);if(_.issues)return console.error("User replacement validation failed:",_.issues),I(400,`Request validation failed: ${_.issues.map((w)=>w.message).join("; ")}`,"invalidValue");let D=_.value,T=await M({...D,id:Y},{existing:F,mode:"replace"});return T.createdAt=F.createdAt,T.updatedAt=new Date,await B.upsert(T),p(await E(T))},l=async(A,Y)=>{let F=await B.get(Y);if(!F)return I(404,`User ${Y} not 
found`,"invalidValue");let _=(await A.json()).Operations??[],T={...await E(F)};for(let f of _)G(T,f);let w=await YA($.user,T);if(w.issues)return console.error("User patch validation failed:",w.issues),I(400,`Request validation failed: ${w.issues.map((f)=>f.message).join("; ")}`,"invalidValue");let R=await M(w.value,{existing:F,mode:"patch"});return R.updatedAt=new Date,await B.upsert(R),p(await E(R))},x=async(A)=>{if(!await B.get(A))return I(404,`User ${A} not found`,"invalidValue");return await B.delete(A),new Response(null,{status:204})};o={handler:K}}async function FA(B,O){q();let J=new URL(B.url).pathname,C=t(O?.usersUrl??Z.usersUrl??"/api/iam/Users")??"/api/iam/Users",v=t(O?.groupsUrl??Z.groupsUrl??"/api/iam/Groups")??"/api/iam/Groups",S=await QA(B,O);if(S)return S;if(J.startsWith(C)&&o)return o.handler(B,{basePath:C});if(J.startsWith(v)&&a)return a.handler(B,{basePath:v});return I(404,"Resource not found")}return{...Z,createUser:ZA,getBaseUrl:MA,groups_outbound:r,groups_inbound:a,users_inbound:o,handler:FA}}var CA="@enterprisestandard/core",RA=VA(KA(CA));function GA($){let L=$.replace(/-/g,"+").replace(/_/g,"/");return atob(L)}async function PA($,L){let N=$.split(".");if(N.length!==3)throw Error("Invalid JWT");let b=JSON.parse(GA(N[0])),k=JSON.parse(GA(N[1])),y=N[2].replace(/-/g,"+").replace(/_/g,"/"),Z=b.kid;if(!Z)throw Error("JWT header missing kid");let AA=await EA(L),q=await OA(AA,Z),s=new TextEncoder().encode(`${N[0]}.${N[1]}`),d=Uint8Array.from(atob(y),(U)=>U.charCodeAt(0));if(!await crypto.subtle.verify("RSASSA-PKCS1-v1_5",q,d,s))throw Error("Invalid JWT signature");let n=await RA.validate(k);if(n.issues)throw Error(`ID token claims validation failed: ${n.issues.map((U)=>U.message).join("; ")}`);let i=n.value;if(i===void 0)throw Error("ID token claims missing");let h=i;if(typeof h.exp==="number"&&h.exp<Math.floor(Date.now()/1000))throw Error("Token expired");return LA(h)}export{mA as withTenantConfigMethod,PA as verifyUser,pA as tenantConfigSource,fA 
as sso,gA as registerConfigLocatorFactory,hA as logoutBackChannel,qA as logout,bA as initiateLogin,TA as iam,yA as getSSOorCIAMUser,vA as getSSOUser,xA as getRequiredSSOorCIAMUser,JA as getCIAMUser,_A as ciam,kA as callback};
1
+ import{A as bA,B as kA,C as qA,D as hA,E as gA,F as pA,G as mA,c as KA,d as VA,e as BA,l as LA,p as EA,q as OA,w as fA,x as vA,y as yA,z as xA}from"./shared/core-nrs9cxe3.js";function _A($,z,N,b,k){if(!N&&!b)return;let y={...N,...b},Z={...y,signingKey:N?.signingKey,magicLinkTtl:y.magicLinkTtl??3600,sessionTtl:y.sessionTtl??86400,cookiesSecure:y.cookiesSecure!==void 0?y.cookiesSecure:!0,cookiesSameSite:y.cookiesSameSite!==void 0?y.cookiesSameSite:"Strict",cookiesPrefix:y.cookiesPrefix??(y.ciamId?`es.ciam.${y.ciamId}`:"es.ciam"),cookiesPath:y.cookiesPath??"/",sessionValidation:y.sessionValidation??"always"};function AA(){if(!Z.signingKey)throw Error("Missing CIAM configuration field: signingKey. CIAM signingKey is required for JWT token signing and must be provided via Vault (ciam.signingKey).")}function q(){if(!Z.sessionStore)throw Error("Missing CIAM configuration field: sessionStore. CIAM sessionStore is required for server-side session tracking and backchannel logout.");return Z.sessionStore}function m(){AA(),q()}function s(M=32){let X=new Uint8Array(M);return crypto.getRandomValues(X),Array.from(X,(H)=>H.toString(16).padStart(2,"0")).join("").substring(0,M)}function d(M){let X=typeof M==="string"?new TextEncoder().encode(M):M,H="";return X.forEach((B)=>{H+=String.fromCharCode(B)}),btoa(H).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"")}function MA(M){let X=M.replace(/-/g,"+").replace(/_/g,"/"),H=X.padEnd(X.length+(4-X.length%4)%4,"=");return atob(H)}async function n(){AA();let M=new TextEncoder().encode(Z.signingKey??"");return crypto.subtle.importKey("raw",M,{name:"HMAC",hash:"SHA-256"},!1,["sign","verify"])}async function i(M){let H=d(JSON.stringify({alg:"HS256",typ:"JWT"})),B=d(JSON.stringify(M)),K=`${H}.${B}`,V=await n(),L=await crypto.subtle.sign("HMAC",V,new TextEncoder().encode(K)),j=d(new Uint8Array(L));return`${K}.${j}`}async function h(M){let X=M.split(".");if(X.length!==3)throw Error("Invalid JWT");let[H,B,K]=X,V=`${H}.${B}`,L=await 
n(),j=new Uint8Array(MA(K).split("").map((x)=>x.charCodeAt(0)));if(!await crypto.subtle.verify("HMAC",L,j,new TextEncoder().encode(V)))throw Error("Invalid JWT signature");let u=MA(B),c=JSON.parse(u);if(typeof c.exp==="number"&&c.exp<Math.floor(Date.now()/1000))throw Error("Token expired");return c}function U(M,X,H){if(!Z)throw Error("Enterprise Standard CIAM Manager not initialized");if(M=`${Z.cookiesPrefix}.${M}`,typeof X!=="string")X=btoa(JSON.stringify(X));let B;if(H instanceof Date)B=`Expires=${H.toUTCString()}`;else if(typeof H==="number")B=`Max-Age=${H}`;else throw Error("Invalid expires type",H);if(X.length>4000)throw Error(`Error setting cookie: ${M}. Cookie length is: ${X.length}`);return`${M}=${X}; ${B}; Path=${Z.cookiesPath}; HttpOnly;${Z.cookiesSecure?" Secure;":""} SameSite=${Z.cookiesSameSite};`}function QA(M){if(!Z)throw Error("Enterprise Standard CIAM Manager not initialized");return`${Z.cookiesPrefix}.${M}=; Max-Age=0; Path=${Z.cookiesPath}; HttpOnly;${Z.cookiesSecure?" 
Secure;":""} SameSite=${Z.cookiesSameSite};`}function r(M,X,H=!1){if(!Z)throw Error("Enterprise Standard CIAM Manager not initialized");let B=X.headers.get("cookie");if(!B)return null;let K=`${Z.cookiesPrefix}.${M}`,V=B.split(";").find((P)=>P.trim().startsWith(`${K}=`));if(!V)return null;let L=V.indexOf("="),j=V.substring(L+1).trim();if(!H)return j;try{let P=atob(j);return JSON.parse(P)}catch(P){return z.error("[CIAM] Failed to parse cookie",{"es.operation":"cookie.parse","es.outcome":"failure",cookieName:K},P),null}}function ZA(M,X,H){let B={expires_in:Z.sessionTtl??86400,token_type:"Bearer",expires:H.toISOString()};return[["Set-Cookie",U("access",M,H)],["Set-Cookie",U("id",X,H)],["Set-Cookie",U("control",B,H)]]}function a(M){let X=r("access",M),H=r("id",M),B=r("control",M,!0);if(!X||!H||!B)return;if(B.expires&&Date.now()>new Date(B.expires).getTime())return;return{access:X,id:H,control:B}}async function o(M){if(!Z)throw Error("Enterprise Standard CIAM Manager not initialized");m();try{let X=a(M);if(!X)return;let H=await h(X.access),B=await h(X.id);if(!H.sid||!B.sub)return;if(Z.sessionValidation!=="disabled"){if(!await q().get(H.sid))return}return S(B)}catch(X){return}}async function FA(M){let X=await o(M);if(X)return X;throw new Response("Unauthorized",{status:401,statusText:"Unauthorized"})}async function W(M){if(!Z)throw Error("Enterprise Standard CIAM Manager not initialized");m();try{let L=a(M);if(L){let j=await h(L.access);if(j.sid)await q().delete(j.sid)}}catch(L){z.warn("Failed to delete CIAM session",{"es.operation":"session.delete","es.outcome":"degraded"},L)}let X=[["Set-Cookie",QA("access")],["Set-Cookie",QA("id")],["Set-Cookie",QA("control")]],B=new URL(M.url).searchParams.get("redirect");if(B)return new Response("Logged out",{status:302,headers:[["Location",B],...X]});let K=M.headers.get("accept");if(K?.includes("application/json")||K?.includes("text/javascript"))return new Response(JSON.stringify({success:!0,message:"Logged 
out"}),{status:200,headers:[["Content-Type","application/json"],...X]});return new Response("Logout Complete",{status:200,headers:[["Content-Type","text/plain"],...X]})}async function O(M){if(!Z)throw Error("Enterprise Standard CIAM Manager not initialized");m();try{let X=M.headers.get("content-type");if(!X||!X.includes("application/x-www-form-urlencoded"))return new Response("Invalid Content-Type, expected application/x-www-form-urlencoded",{status:400});let H=await M.text(),K=new URLSearchParams(H).get("logout_token");if(!K)return new Response("Missing logout_token parameter",{status:400});let L=(await h(K)).sid;if(!L)return new Response("Invalid logout_token: missing sid claim",{status:400});return await q().delete(L),new Response("OK",{status:200})}catch(X){return z.error("Error during CIAM back-channel logout",{"es.operation":"backchannel_logout","es.outcome":"failure"},X),new Response("Internal Server Error",{status:500})}}function J(M){return M.id||M.email||`ciam-${M.userName}`}function C(M,X,H){return{sub:J(M),iss:"ciam",aud:"ciam",exp:Math.floor(H.getTime()/1000),iat:Math.floor(Date.now()/1000),email:M.email,name:M.name,preferred_username:M.userName,picture:M.avatar,sid:X}}function v(M,X,H){return{sub:M,iss:"ciam",aud:"ciam",exp:Math.floor(H.getTime()/1000),iat:Math.floor(Date.now()/1000),sid:X,scope:"openid profile email"}}function S(M){let X=M.exp?new Date(M.exp*1000):new Date;return{id:M.sub,userName:M.preferred_username??"",name:M.name??"",email:M.email??"",avatar:M.picture,userType:"customer",ciam:{profile:M,scope:"openid profile email",tokenType:"Bearer",expires:X}}}async function g(M){if(!Z)throw Error("Enterprise Standard CIAM Manager not initialized");if(!k)return new Response(JSON.stringify({error:"Workload authentication required"}),{status:401,headers:{"Content-Type":"application/json"}});if(!await k.getWorkloadIdentity(M))return new Response(JSON.stringify({error:"Unauthorized: Valid workload token 
required"}),{status:401,headers:{"Content-Type":"application/json"}});let H,B;try{let A=M.headers.get("content-type");if(!A||!A.includes("application/json"))return new Response(JSON.stringify({error:"Content-Type must be application/json"}),{status:400,headers:{"Content-Type":"application/json"}});let Y=await M.text(),F=JSON.parse(Y);if(B=typeof F?.redirect==="string"&&F.redirect.length>0?F.redirect:void 0,H={userName:F.userName,name:F.name,email:F.email,avatar:F.avatar},!H.userName||!H.name||!H.email)return new Response(JSON.stringify({error:"Missing required fields: userName, name, email"}),{status:400,headers:{"Content-Type":"application/json"}})}catch(A){return new Response(JSON.stringify({error:"Invalid JSON in request body"}),{status:400,headers:{"Content-Type":"application/json"}})}let V=new URL(M.url).searchParams.get("ttl"),L=V?parseInt(V,10):Z.magicLinkTtl??3600;if(Number.isNaN(L)||L<=0)return new Response(JSON.stringify({error:"Invalid TTL parameter"}),{status:400,headers:{"Content-Type":"application/json"}});let j=s(32),P=new Date(Date.now()+L*1000);if(!Z.magicLinkStore)return new Response(JSON.stringify({error:"Magic link store not configured"}),{status:500,headers:{"Content-Type":"application/json"}});try{await Z.magicLinkStore.create(j,H,P)}catch(A){return z.error("Error creating magic link",{"es.operation":"magic_link.create","es.outcome":"failure"},A),new Response(JSON.stringify({error:"Failed to create magic link"}),{status:500,headers:{"Content-Type":"application/json"}})}let u=new URL(M.url),c=Z.magicLinkLoginUrl||"/magic-link/login",x=new URL(c,u.origin);if(x.searchParams.set("token",j),B)x.searchParams.set("redirect",B);return new Response(JSON.stringify({magicLink:x.toString(),expiresAt:P.toISOString()}),{status:200,headers:{"Content-Type":"application/json"}})}async function l(M){if(!Z)throw Error("Enterprise Standard CIAM Manager not initialized");m();let X=new URL(M.url),H=X.searchParams.get("token");if(!H){let G=Z.errorUrl||"/";return new 
Response("Redirecting to error URL",{status:302,headers:{Location:G}})}if(!Z.magicLinkStore){let G=Z.errorUrl||"/";return new Response("Redirecting to error URL",{status:302,headers:{Location:G}})}let B=await Z.magicLinkStore.get(H);if(!B){let G=Z.errorUrl||"/";return new Response("Redirecting to error URL",{status:302,headers:{Location:G}})}let K=new Date(Date.now()+(Z.sessionTtl??86400)*1000),V=s(32),L=J(B.user),j=C(B.user,V,K),P=v(L,V,K),u=S(j);try{let G={sid:V,sub:L,createdAt:new Date,lastActivityAt:new Date};await q().create(G)}catch(G){z.warn("Failed to create session",{"es.operation":"session.create","es.outcome":"degraded"},G)}if(Z.userStore)try{let G=u.id;if(G){let _=new Date,D=await Z.userStore.get(G);if(D||Z.enableJitUserProvisioning){let T={...D??{},...u,id:G,tenantId:D?.tenantId,createdAt:D?.createdAt??_,updatedAt:_,userType:D?.userType??"customer"};await Z.userStore.upsert(T)}}}catch(G){z.warn("Failed to store user",{"es.operation":"user.store","es.outcome":"degraded"},G)}try{await Z.magicLinkStore.delete(H)}catch(G){z.warn("Failed to delete magic link",{"es.operation":"magic_link.delete","es.outcome":"degraded"},G)}let c=await i(P),x=await i(j),A=Z.landingUrl||"/",Y=X.searchParams.get("redirect"),F=A;if(Y)if(Y.startsWith("/"))F=Y;else try{if(new URL(Y).origin===new URL(M.url).origin)F=Y}catch{}return new Response("Authentication successful, redirecting",{status:302,headers:[["Location",F],...ZA(c,x,K)]})}async function E(M){if(!Z)throw Error("Enterprise Standard CIAM Manager not initialized");m();let X=Z.magicLinkUrl||"/magic-link",H=Z.magicLinkLoginUrl||"/magic-link/login",B=Z.logoutUrl||"/auth/logout",K=Z.logoutBackChannelUrl||"/auth/logout/backchannel",V=new URL(M.url).pathname,L=(x)=>{if(!x)return;try{return new URL(x).pathname}catch{return x.startsWith("/")?x:`/${x}`}};if(L(X)===V&&M.method==="POST")return g(M);if(L(H)===V&&M.method==="GET")return l(M);if(L(B)===V&&M.method==="GET")return W(M);if(L(K)===V&&M.method==="POST")return O(M);return 
new Response("Not Found",{status:404})}return{...Z,getUser:o,getRequiredUser:FA,logout:W,logoutBackChannel:O,handler:E}}async function JA($,z){return BA(z,"EnterpriseStandard instance is required. Create one with enterpriseStandard(source, config) and pass it to this function."),z.ciam?.getUser($)}function I($,z,N){return new Response(JSON.stringify({schemas:["urn:ietf:params:scim:api:messages:2.0:Error"],status:String($),scimType:N,detail:z}),{status:$,headers:{"Content-Type":"application/scim+json"}})}function HA($,z){let N=z?.totalResults??$.length,b=z?.startIndex??1,k=z?.itemsPerPage??$.length;return new Response(JSON.stringify({schemas:["urn:ietf:params:scim:api:messages:2.0:ListResponse"],totalResults:N,startIndex:b,itemsPerPage:k,Resources:$}),{status:200,headers:{"Content-Type":"application/scim+json"}})}function p($,z=200){return new Response(JSON.stringify($),{status:z,headers:{"Content-Type":"application/scim+json"}})}function XA($){return{schemas:["urn:ietf:params:scim:schemas:core:2.0:Group"],id:$.id,externalId:$.externalId,displayName:$.displayName,members:$.members,meta:{resourceType:"Group",created:$.createdAt.toISOString(),lastModified:$.updatedAt.toISOString()}}}function WA(){return crypto.randomUUID()}function YA($,z){let N=$;if(typeof N.validate==="function")return N.validate(z);return Promise.resolve($["~standard"].validate(z))}function IA($){if(!$)return;try{return new URL($).pathname}catch{return $.startsWith("/")?$:`/${$}`}}function zA($){return $==="/"?$:$.replace(/\/+$/,"")}function t($){let z=IA($);return z?zA(z):void 0}function jA($,z){let N=t($);if(N?.endsWith("/Users"))return N.slice(0,-6);let b=t(z);if(b?.endsWith("/Groups"))return b.slice(0,-7);return}function e($,z){return new URL(z,$.url).toString()}function Q($,z,N,b){let{multiValued:k=!1,...y}=b??{};return{name:$,type:z,description:N,multiValued:k,...y}}function 
SA($,z){return{schemas:["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],documentationUri:z?.documentationUri,patch:{supported:!0},bulk:{supported:!1},filter:{supported:!1},changePassword:{supported:!1},sort:{supported:!1},etag:{supported:!1},authenticationSchemes:[{type:"oauthbearertoken",name:"OAuth Bearer Token",description:"Use an Enterprise Standard workload bearer token for IAM discovery and provisioning requests.",primary:!0}],meta:{resourceType:"ServiceProviderConfig",location:e($.request,`${$.basePath}/ServiceProviderConfig`)}}}function NA($){let z=[];if($.supportsUsers)z.push({schemas:["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],id:"User",name:"User",description:"User Account",endpoint:$.usersUrl,schema:"urn:ietf:params:scim:schemas:core:2.0:User",schemaExtensions:[{schema:"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",required:!1}],meta:{resourceType:"ResourceType",location:e($.request,`${$.basePath}/ResourceTypes/User`)}});if($.supportsGroups)z.push({schemas:["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],id:"Group",name:"Group",description:"Group",endpoint:$.groupsUrl,schema:"urn:ietf:params:scim:schemas:core:2.0:Group",meta:{resourceType:"ResourceType",location:e($.request,`${$.basePath}/ResourceTypes/Group`)}});return z}function wA($){let z=[];if($.supportsUsers)z.push({schemas:["urn:ietf:params:scim:schemas:core:2.0:Schema"],id:"urn:ietf:params:scim:schemas:core:2.0:User",name:"User",description:"User Account",meta:{resourceType:"Schema",location:e($.request,`${$.basePath}/Schemas/${encodeURIComponent("urn:ietf:params:scim:schemas:core:2.0:User")}`)},attributes:[Q("id","string","Unique identifier for the User.",{multiValued:!1,required:!1,mutability:"readOnly",returned:"always",uniqueness:"global"}),Q("externalId","string","External identifier from the provisioning client.",{multiValued:!1,required:!1,mutability:"readWrite",returned:"default",uniqueness:"none"}),Q("userName","string","Unique identifier 
typically used for login.",{multiValued:!1,required:!0,caseExact:!1,mutability:"readWrite",returned:"default",uniqueness:"server"}),Q("name","complex","The components of the user name.",{multiValued:!1,required:!1,mutability:"readWrite",returned:"default",subAttributes:[Q("formatted","string","The full name, including titles and suffixes.",{multiValued:!1}),Q("familyName","string","The family name of the User.",{multiValued:!1}),Q("givenName","string","The given name of the User.",{multiValued:!1}),Q("middleName","string","The middle name(s) of the User.",{multiValued:!1}),Q("honorificPrefix","string","The honorific prefix(es) of the User.",{multiValued:!1}),Q("honorificSuffix","string","The honorific suffix(es) of the User.",{multiValued:!1})]}),Q("displayName","string","The name of the User, suitable for display.",{multiValued:!1}),Q("nickName","string","The casual way to address the user.",{multiValued:!1}),Q("profileUrl","reference","A URL pointing to the User profile.",{multiValued:!1,referenceTypes:["external"]}),Q("title","string","The user title, such as Vice President.",{multiValued:!1}),Q("userType","string","The relationship between the organization and the User.",{multiValued:!1}),Q("preferredLanguage","string","Preferred written or spoken language.",{multiValued:!1}),Q("locale","string","Default location for localizing values.",{multiValued:!1}),Q("timezone","string","The User time zone.",{multiValued:!1}),Q("active","boolean","The User administrative status.",{multiValued:!1}),Q("emails","complex","Email addresses for the User.",{multiValued:!0,subAttributes:[Q("value","string","Email address value.",{multiValued:!1,required:!0}),Q("display","string","Display label for the email.",{multiValued:!1}),Q("type","string","Email type such as work or home.",{multiValued:!1}),Q("primary","boolean","Primary email indicator.",{multiValued:!1})]}),Q("phoneNumbers","complex","Phone numbers for the User.",{multiValued:!0,subAttributes:[Q("value","string","Phone 
number value.",{multiValued:!1,required:!0}),Q("display","string","Display label for the phone number.",{multiValued:!1}),Q("type","string","Phone number type.",{multiValued:!1}),Q("primary","boolean","Primary phone number indicator.",{multiValued:!1})]}),Q("photos","complex","Photo URLs for the User.",{multiValued:!0,subAttributes:[Q("value","reference","Photo URL.",{multiValued:!1,required:!0,referenceTypes:["external"]}),Q("display","string","Display label for the photo.",{multiValued:!1}),Q("type","string","Photo type.",{multiValued:!1}),Q("primary","boolean","Primary photo indicator.",{multiValued:!1})]}),Q("addresses","complex","Physical mailing addresses for the User.",{multiValued:!0,subAttributes:[Q("formatted","string","Formatted mailing address.",{multiValued:!1}),Q("streetAddress","string","Full street address component.",{multiValued:!1}),Q("locality","string","City or locality.",{multiValued:!1}),Q("region","string","State or region.",{multiValued:!1}),Q("postalCode","string","Postal code.",{multiValued:!1}),Q("country","string","Country.",{multiValued:!1}),Q("type","string","Address type.",{multiValued:!1}),Q("primary","boolean","Primary address indicator.",{multiValued:!1})]}),Q("groups","complex","Groups to which the User belongs.",{multiValued:!0,mutability:"readOnly",subAttributes:[Q("value","string","Group identifier.",{multiValued:!1,required:!0}),Q("$ref","reference","Reference to the Group resource.",{multiValued:!1,referenceTypes:["Group"]}),Q("display","string","Display name of the group.",{multiValued:!1}),Q("type","string","Relationship type.",{multiValued:!1})]}),Q("entitlements","complex","Entitlements for the User.",{multiValued:!0,subAttributes:[Q("value","string","Entitlement value.",{multiValued:!1,required:!0}),Q("display","string","Display value.",{multiValued:!1}),Q("type","string","Entitlement type.",{multiValued:!1}),Q("primary","boolean","Primary entitlement indicator.",{multiValued:!1})]}),Q("roles","complex","Roles for the 
User.",{multiValued:!0,subAttributes:[Q("value","string","Role value.",{multiValued:!1,required:!0}),Q("display","string","Display value.",{multiValued:!1}),Q("type","string","Role type.",{multiValued:!1}),Q("primary","boolean","Primary role indicator.",{multiValued:!1})]}),Q("x509Certificates","complex","Certificates issued to the User.",{multiValued:!0,subAttributes:[Q("value","string","Certificate value.",{multiValued:!1,required:!0}),Q("display","string","Display value.",{multiValued:!1}),Q("type","string","Certificate type.",{multiValued:!1}),Q("primary","boolean","Primary certificate indicator.",{multiValued:!1})]})]}),z.push({schemas:["urn:ietf:params:scim:schemas:core:2.0:Schema"],id:"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",name:"EnterpriseUser",description:"Enterprise User extension",meta:{resourceType:"Schema",location:e($.request,`${$.basePath}/Schemas/${encodeURIComponent("urn:ietf:params:scim:schemas:extension:enterprise:2.0:User")}`)},attributes:[Q("employeeNumber","string","Numeric or alphanumeric identifier assigned to a person.",{multiValued:!1}),Q("costCenter","string","Name of a cost center.",{multiValued:!1}),Q("organization","string","Name of an organization.",{multiValued:!1}),Q("division","string","Name of a division.",{multiValued:!1}),Q("department","string","Name of a department.",{multiValued:!1}),Q("manager","complex","The User manager.",{multiValued:!1,subAttributes:[Q("value","string","Identifier of the manager User resource.",{multiValued:!1}),Q("$ref","reference","Reference to the manager User resource.",{multiValued:!1,referenceTypes:["User"]}),Q("displayName","string","Display name of the 
manager.",{multiValued:!1})]})]});if($.supportsGroups)z.push({schemas:["urn:ietf:params:scim:schemas:core:2.0:Schema"],id:"urn:ietf:params:scim:schemas:core:2.0:Group",name:"Group",description:"Group",meta:{resourceType:"Schema",location:e($.request,`${$.basePath}/Schemas/${encodeURIComponent("urn:ietf:params:scim:schemas:core:2.0:Group")}`)},attributes:[Q("id","string","Unique identifier for the Group.",{multiValued:!1,mutability:"readOnly",returned:"always",uniqueness:"global"}),Q("externalId","string","External identifier from the provisioning client.",{multiValued:!1,uniqueness:"none"}),Q("displayName","string","Human-readable name for the Group.",{multiValued:!1,required:!0,uniqueness:"none"}),Q("members","complex","Members of the Group.",{multiValued:!0,subAttributes:[Q("value","string","Identifier of the member resource.",{multiValued:!1,required:!0}),Q("$ref","reference","Reference to the member resource.",{multiValued:!1,referenceTypes:["User","Group"]}),Q("display","string","Display name of the member.",{multiValued:!1}),Q("type","string","Member type.",{multiValued:!1})]})]});return z}function TA($,z,N,b,k){if(!b&&!k)return;let Z={...b,...k};if(Boolean(Z.url||Z.userStore||Z.groupStore)&&!N)z.error("IAM requires workload identity for SCIM push/pull operations",{"es.operation":"workload.require","es.outcome":"failure"});function q(){if(!N)throw z.error("IAM requires workload identity for SCIM push/pull operations",{"es.operation":"workload.require","es.outcome":"failure"}),Error("IAM requires workload identity for SCIM push/pull operations");return N}async function m(W){let O=q(),J=W.headers.get("Authorization");if(!J||!J.startsWith("Bearer "))return!1;try{let C=J.substring(7);return(await O.validateToken(C)).valid}catch{return!1}}async function s(){let W=q(),O=typeof W.getServerToken==="function"?await W.getServerToken():await W.getToken();return new Headers({"Content-Type":"application/scim+json",Accept:"application/scim+json",Authorization:`Bearer 
${O}`})}async function d(W,O,J,C){if(!Z.url)throw Error("IAM URL not configured for outgoing requests");let v=`${Z.url}${O}`;try{let S=await s(),g=await fetch(v,{method:W,headers:S,body:J?JSON.stringify(J):void 0}),l=await g.json();if(!g.ok)return{success:!1,error:l,status:g.status};let E=await C["~standard"].validate(l);if(E.issues)return z.error("SCIM response validation failed",{"es.operation":"scim.response.validate","es.outcome":"failure",validationIssues:E.issues}),{success:!1,error:{schemas:["urn:ietf:params:scim:api:messages:2.0:Error"],status:"400",scimType:"invalidValue",detail:`Response validation failed: ${E.issues.map((M)=>M.message).join("; ")}`},status:400};return{success:!0,data:E.value,status:g.status}}catch(S){return{success:!1,error:{schemas:["urn:ietf:params:scim:api:messages:2.0:Error"],status:"500",detail:S instanceof Error?S.message:"Unknown error occurred"},status:500}}}function MA(){return Z.url}function n(W,O){let J=t(O?.usersUrl??Z.usersUrl??"/api/iam/Users")??"/api/iam/Users",C=t(O?.groupsUrl??Z.groupsUrl??"/api/iam/Groups")??"/api/iam/Groups",v=t(O?.discovery?.basePath??Z.discovery?.basePath)??jA(J,C);if(!v)return;return{request:W,basePath:v,usersUrl:J,groupsUrl:C,supportsUsers:Boolean(Z.userStore),supportsGroups:Boolean(Z.groupStore)}}async function i(W){let O=SA(W,Z.discovery);return await Z.discovery?.buildServiceProviderConfig?.(W,O)??O}async function h(W){let O=NA(W);return await Z.discovery?.buildResourceTypes?.(W,O)??O}async function U(W){let O=wA(W);return await Z.discovery?.buildSchemas?.(W,O)??O}async function QA(W,O){let J=n(W,O);if(!J)return;let C=zA(new URL(W.url).pathname),{basePath:v}=J;if(C!==v&&!C.startsWith(`${v}/`))return;let S=zA(C.slice(v.length)||"/");if(!(S==="/ServiceProviderConfig"||S==="/ResourceTypes"||S.startsWith("/ResourceTypes/")||S==="/Schemas"||S.startsWith("/Schemas/")))return;if(W.method!=="GET")return I(405,"Method not allowed");if(!await m(W))return I(401,"Authorization 
required");if(S==="/ServiceProviderConfig")return p(await i(J));if(S==="/ResourceTypes")return HA(await h(J));if(S.startsWith("/ResourceTypes/")){let E=decodeURIComponent(S.slice(15)),M=(await h(J)).find((X)=>X.id===E||X.name===E);return M?p(M):I(404,"Resource not found")}if(S==="/Schemas")return HA(await U(J));if(S.startsWith("/Schemas/")){let E=decodeURIComponent(S.slice(9)),M=(await U(J)).find((X)=>X.id===E);return M?p(M):I(404,"Resource not found")}return}let r,ZA;if(Z.url)ZA=async(O,J)=>{let C={...O,schemas:O.schemas??["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"]};return d("POST","/Users",C,$.user)},r={createGroup:async(O,J)=>{let C={schemas:["urn:ietf:params:scim:schemas:core:2.0:Group"],displayName:O,externalId:J?.externalId,members:J?.members};return d("POST","/Groups",C,$.group)}};let a;if(Z.groupStore){let W=Z.groupStore,O=async(E,M)=>{if(!await m(E))return I(401,"Authorization required");let H=new URL(E.url),B=M?.basePath??"/Groups",K=H.pathname;if(K.startsWith(B))K=K.substring(B.length);let L=K.match(/^\/([^/]+)$/)?.[1],j=E.method;try{if(L)switch(j){case"GET":return await C(L);case"PUT":return await S(E,L);case"PATCH":return await g(E,L);case"DELETE":return await l(L);default:return I(405,"Method not allowed")}else if(K===""||K==="/")switch(j){case"GET":return await J(E);case"POST":return await v(E);default:return I(405,"Method not allowed")}return I(404,"Resource not found")}catch(P){return z.error("Groups inbound handler error",{"es.operation":"scim.groups.handler","es.outcome":"failure"},P),I(500,P instanceof Error?P.message:"Internal server error")}},J=async(E)=>{let M=new URL(E.url),X=M.searchParams.get("startIndex"),H=M.searchParams.get("count"),B=X!=null?parseInt(X,10):void 0,K=H!=null?parseInt(H,10):void 0,V=B!=null&&!Number.isNaN(B)?Math.max(0,B-1):0,L=K!=null&&!Number.isNaN(K)?K:void 0,j=await W.list({start:V,limit:L}),P=j.items.map(XA);return 
HA(P,{totalResults:j.total,startIndex:V+1,itemsPerPage:j.count})},C=async(E)=>{let M=await W.get(E);if(!M)return I(404,`Group ${E} not found`,"invalidValue");return p(XA(M))},v=async(E)=>{let M=await E.json(),X=await YA($.group,M);if(X.issues)return z.error("Group creation validation failed",{"es.operation":"scim.group.create","es.outcome":"failure",validationIssues:X.issues}),I(400,`Request validation failed: ${X.issues.map((V)=>V.message).join("; ")}`,"invalidValue");let H=X.value;if(!H.displayName)return I(400,"displayName is required","invalidValue");let B=new Date,K={id:WA(),displayName:H.displayName,externalId:H.externalId,members:H.members,createdAt:B,updatedAt:B};return await W.upsert(K),p(XA(K),201)},S=async(E,M)=>{let X=await W.get(M);if(!X)return I(404,`Group ${M} not found`,"invalidValue");let H=await E.json(),B=await YA($.group,H);if(B.issues)return z.error("Group replacement validation failed",{"es.operation":"scim.group.replace","es.outcome":"failure",validationIssues:B.issues}),I(400,`Request validation failed: ${B.issues.map((L)=>L.message).join("; ")}`,"invalidValue");let K=B.value,V={...X,displayName:K.displayName??X.displayName,externalId:K.externalId,members:K.members,updatedAt:new Date};return await W.upsert(V),p(XA(V))},g=async(E,M)=>{let X=await W.get(M);if(!X)return I(404,`Group ${M} not found`,"invalidValue");let B=(await E.json()).Operations??[],K={...X};for(let V of B)if(V.op==="replace"&&V.path&&V.value!==void 0){if(V.path==="displayName")K.displayName=V.value}else if(V.op==="add"&&V.path&&V.value!==void 0){if(V.path==="members"){let L=V.value;K.members=[...K.members??[],...L]}}else if(V.op==="remove"&&V.path){if(V.path.startsWith("members[")){let L=V.path.match(/members\[value eq "([^"]+)"\]/);if(L)K.members=(K.members??[]).filter((j)=>j.value!==L[1])}}return K.updatedAt=new Date,await W.upsert(K),p(XA(K))},l=async(E)=>{if(!await W.get(E))return I(404,`Group ${E} not found`,"invalidValue");return await W.delete(E),new 
Response(null,{status:204})};a={handler:O}}let o;if(Z.userStore){let{userStore:W,inboundUsers:O}=Z,J=(A)=>A?.find((Y)=>Y.primary)?.value||A?.[0]?.value,C=(A)=>{if(A.scimName)return A.scimName;if(!A.name)return;let[Y,...F]=A.name.split(" ");return{givenName:Y,familyName:F.join(" ")||void 0}},v=(A)=>Object.keys(A.scimSchemaExtensions??{}).filter((Y)=>Y.startsWith("urn:")&&A.scimSchemaExtensions?.[Y]!==void 0),S=(A)=>{let Y=new Set(["urn:ietf:params:scim:schemas:core:2.0:User"]);if(A.scimEnterprise!==void 0)Y.add("urn:ietf:params:scim:schemas:extension:enterprise:2.0:User");for(let F of v(A))Y.add(F);return Array.from(Y)},g=(A)=>{let Y={};if(A.scimEnterprise!==void 0)Y["urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"]=A.scimEnterprise;for(let[F,G]of Object.entries(A.scimSchemaExtensions??{}))if(F.startsWith("urn:")&&G!==void 0)Y[F]=G;return Y},l=(A)=>{let Y=A.userName||A.email||A.id||"",F=A.emails??(A.email?[{value:A.email,primary:!0}]:[]);return{schemas:S(A),id:A.id,externalId:A.externalId,userName:Y,displayName:A.displayName??A.name??Y,name:C(A),nickName:A.nickName,profileUrl:A.avatar,title:A.title,userType:A.userType,preferredLanguage:A.preferredLanguage,locale:A.locale,timezone:A.timezone,active:A.active??!0,emails:F,phoneNumbers:A.phoneNumbers,ims:A.ims,photos:A.photos,addresses:A.addresses,groups:A.groups,entitlements:A.entitlements,roles:A.roles,x509Certificates:A.x509Certificates,meta:{resourceType:"User",created:(A.createdAt??A.updatedAt??new Date).toISOString(),lastModified:(A.updatedAt??A.createdAt??new Date).toISOString()},...g(A)}},E=async(A)=>{if(O?.mapStoredUserToScim)return await O.mapStoredUserToScim(A);return l(A)},M=async(A,Y)=>{if(O?.mapValidatedScimToStoredUser)return await O.mapValidatedScimToStoredUser(A,Y);let F=new Date,G=J(A.emails),_=A.name?.formatted||[A.name?.givenName,A.name?.middleName,A.name?.familyName].filter(Boolean).join(" 
").trim()||A.displayName,D=A.id||Y.existing?.id||WA(),T=A.userName||G||Y.existing?.userName||D,w=_||A.displayName||Y.existing?.name||T,R=Object.fromEntries(Object.entries(A).filter(([$A,DA])=>$A.startsWith("urn:")&&$A!=="urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"&&DA!==void 0)),f=Y.existing?.sso;return{...Y.existing??{},id:D,userName:T,name:w,email:G||Y.existing?.email||T,avatar:A.profileUrl,sso:{...f??{},profile:{...f?.profile??{},sub:D,iss:f?.profile.iss??"iam-provisioned",aud:f?.profile.aud??"iam-provisioned",exp:f?.profile.exp??Math.floor(Date.now()/1000)+3600,iat:f?.profile.iat??Math.floor(Date.now()/1000),email:G||Y.existing?.email||T,email_verified:!0,name:w,preferred_username:T},tenant:f?.tenant??{id:"iam-provisioned",name:"IAM Provisioned"},scope:f?.scope??"openid profile email",tokenType:f?.tokenType??"Bearer",expires:f?.expires??new Date(Date.now()+3600000)},externalId:A.externalId,displayName:A.displayName,scimName:A.name,emails:A.emails,nickName:A.nickName,title:A.title,preferredLanguage:A.preferredLanguage,locale:A.locale,timezone:A.timezone,active:A.active,phoneNumbers:A.phoneNumbers,ims:A.ims,photos:A.photos,addresses:A.addresses,groups:A.groups,entitlements:A.entitlements,roles:A.roles,x509Certificates:A.x509Certificates,scimEnterprise:A["urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],scimSchemaExtensions:Object.keys(R).length>0?R:void 0,createdAt:Y.existing?.createdAt??(A.meta?.created?new Date(A.meta.created):F),updatedAt:A.meta?.lastModified?new Date(A.meta.lastModified):F,userType:A.userType}},X=(A,Y,F)=>{A[Y]=F},H=(A,Y,F)=>{let G=A[Y];if(Array.isArray(G)){A[Y]=[...G,...Array.isArray(F)?F:[F]];return}if(G&&typeof G==="object"&&!Array.isArray(G)&&F&&typeof F==="object"&&!Array.isArray(F)){A[Y]={...G,...F};return}A[Y]=F},B=(A,Y,F)=>{let G=Y.match(/^(urn:.*:(?:User|Group))(?::(.+))?$/),_=G?[G[1],...G[2]?.split(":")??[]]:Y.split("."),D=A;for(let w of _.slice(0,-1)){let R=D[w];if(R===void 0){if(!F)return 
null;D[w]={}}else if(R===null||typeof R!=="object"||Array.isArray(R)){if(!F)return null;D[w]={}}D=D[w]}let T=_.at(-1);if(!T)return null;return{parent:D,key:T}},K=(A,Y)=>{let F=Y.op.toLowerCase();if(!Y.path){if(F!=="remove"&&Y.value&&typeof Y.value==="object"&&!Array.isArray(Y.value))Object.assign(A,Y.value);return}let G=Y.path.match(/^([A-Za-z0-9]+)\[value eq "([^"]+)"\]$/);if(G&&F==="remove"){let[,D,T]=G,w=A[D];if(Array.isArray(w))A[D]=w.filter((R)=>!(R&&typeof R==="object"&&("value"in R)&&R.value===T));return}let _=B(A,Y.path,F!=="remove");if(!_)return;if(F==="remove"){delete _.parent[_.key];return}if(F==="add"){H(_.parent,_.key,Y.value);return}X(_.parent,_.key,Y.value)},V=async(A,Y)=>{if(!await m(A))return I(401,"Authorization required");let G=new URL(A.url),_=Y?.basePath??"/Users",D=G.pathname;if(D.startsWith(_))D=D.substring(_.length);let w=D.match(/^\/([^/]+)$/)?.[1],R=A.method;try{if(w)switch(R){case"GET":return await j(w);case"PUT":return await u(A,w);case"PATCH":return await c(A,w);case"DELETE":return await x(w);default:return I(405,"Method not allowed")}else if(D===""||D==="/")switch(R){case"GET":return await L(A);case"POST":return await P(A);default:return I(405,"Method not allowed")}return I(404,"Resource not found")}catch(f){return z.error("Users inbound handler error",{"es.operation":"scim.users.handler","es.outcome":"failure"},f),I(500,f instanceof Error?f.message:"Internal server error")}},L=async(A)=>{let Y=new URL(A.url),F=Y.searchParams.get("startIndex"),G=Y.searchParams.get("count"),_=F!=null?parseInt(F,10):void 0,D=G!=null?parseInt(G,10):void 0,T=_!=null&&!Number.isNaN(_)?Math.max(0,_-1):0,w=D!=null&&!Number.isNaN(D)?D:void 0,R=await W.list({start:T,limit:w}),f=await Promise.all(R.items.map(($A)=>E($A)));return HA(f,{totalResults:R.total,startIndex:T+1,itemsPerPage:R.count})},j=async(A)=>{let Y=await W.get(A);if(!Y)return I(404,`User ${A} not found`,"invalidValue");return p(await E(Y))},P=async(A)=>{let Y=await A.json(),F=await 
YA($.user,Y);if(F.issues)return z.error("User creation validation failed",{"es.operation":"scim.user.create","es.outcome":"failure",validationIssues:F.issues}),I(400,`Request validation failed: ${F.issues.map((D)=>D.message).join("; ")}`,"invalidValue");let G=F.value;if(!G.userName&&!G.emails?.[0]?.value)return I(400,"userName or email is required","invalidValue");let _=await M(G,{mode:"create"});return await W.upsert(_),p(await E(_),201)},u=async(A,Y)=>{let F=await W.get(Y);if(!F)return I(404,`User ${Y} not found`,"invalidValue");let G=await A.json(),_=await YA($.user,G);if(_.issues)return z.error("User replacement validation failed",{"es.operation":"scim.user.replace","es.outcome":"failure",validationIssues:_.issues}),I(400,`Request validation failed: ${_.issues.map((w)=>w.message).join("; ")}`,"invalidValue");let D=_.value,T=await M({...D,id:Y},{existing:F,mode:"replace"});return T.createdAt=F.createdAt,T.updatedAt=new Date,await W.upsert(T),p(await E(T))},c=async(A,Y)=>{let F=await W.get(Y);if(!F)return I(404,`User ${Y} not found`,"invalidValue");let _=(await A.json()).Operations??[],T={...await E(F)};for(let f of _)K(T,f);let w=await YA($.user,T);if(w.issues)return z.error("User patch validation failed",{"es.operation":"scim.user.patch","es.outcome":"failure",validationIssues:w.issues}),I(400,`Request validation failed: ${w.issues.map((f)=>f.message).join("; ")}`,"invalidValue");let R=await M(w.value,{existing:F,mode:"patch"});return R.updatedAt=new Date,await W.upsert(R),p(await E(R))},x=async(A)=>{if(!await W.get(A))return I(404,`User ${A} not found`,"invalidValue");return await W.delete(A),new Response(null,{status:204})};o={handler:V}}async function FA(W,O){q();let J=new URL(W.url).pathname,C=t(O?.usersUrl??Z.usersUrl??"/api/iam/Users")??"/api/iam/Users",v=t(O?.groupsUrl??Z.groupsUrl??"/api/iam/Groups")??"/api/iam/Groups",S=await QA(W,O);if(S)return S;if(J.startsWith(C)&&o)return o.handler(W,{basePath:C});if(J.startsWith(v)&&a)return 
a.handler(W,{basePath:v});return I(404,"Resource not found")}return{...Z,createUser:ZA,getBaseUrl:MA,groups_outbound:r,groups_inbound:a,users_inbound:o,handler:FA}}var CA="@enterprisestandard/core",RA=VA(KA(CA));function GA($){let z=$.replace(/-/g,"+").replace(/_/g,"/");return atob(z)}async function PA($,z){let N=$.split(".");if(N.length!==3)throw Error("Invalid JWT");let b=JSON.parse(GA(N[0])),k=JSON.parse(GA(N[1])),y=N[2].replace(/-/g,"+").replace(/_/g,"/"),Z=b.kid;if(!Z)throw Error("JWT header missing kid");let AA=await EA(z),q=await OA(AA,Z),s=new TextEncoder().encode(`${N[0]}.${N[1]}`),d=Uint8Array.from(atob(y),(U)=>U.charCodeAt(0));if(!await crypto.subtle.verify("RSASSA-PKCS1-v1_5",q,d,s))throw Error("Invalid JWT signature");let n=await RA.validate(k);if(n.issues)throw Error(`ID token claims validation failed: ${n.issues.map((U)=>U.message).join("; ")}`);let i=n.value;if(i===void 0)throw Error("ID token claims missing");let h=i;if(typeof h.exp==="number"&&h.exp<Math.floor(Date.now()/1000))throw Error("Token expired");return LA(h)}export{mA as withTenantConfigMethod,PA as verifyUser,pA as tenantConfigSource,fA as sso,gA as registerConfigLocatorFactory,hA as logoutBackChannel,qA as logout,bA as initiateLogin,TA as iam,yA as getSSOorCIAMUser,vA as getSSOUser,xA as getRequiredSSOorCIAMUser,JA as getCIAMUser,_A as ciam,kA as callback};
@@ -0,0 +1,12 @@
1
+ function TX(Y){return{"~standard":{version:1,vendor:Y,validate:(Z)=>{if(typeof Z!=="object"||Z===null)return{issues:[{message:"Expected an object"}]};let X=Z,B=[],$={};if("code"in X)if(typeof X.code==="string")$.code=X.code;else B.push({message:"code must be a string",path:["code"]});else if(!("error"in X))B.push({message:"code is required",path:["code"]});if("state"in X)if(typeof X.state==="string"||X.state===void 0)$.state=X.state;else B.push({message:"state must be a string",path:["state"]});if("session_state"in X)if(typeof X.session_state==="string"||X.session_state===void 0)$.session_state=X.session_state;else B.push({message:"session_state must be a string",path:["session_state"]});if("error"in X){if(typeof X.error==="string")$.error=X.error;else B.push({message:"error must be a string",path:["error"]});if("error_description"in X)if(typeof X.error_description==="string"||X.error_description===void 0)$.error_description=X.error_description;else B.push({message:"error_description must be a string",path:["error_description"]});if("error_uri"in X)if(typeof X.error_uri==="string"||X.error_uri===void 0)$.error_uri=X.error_uri;else B.push({message:"error_uri must be a string",path:["error_uri"]})}if("iss"in X)if(typeof X.iss==="string"||X.iss===void 0)$.iss=X.iss;else B.push({message:"iss must be a string",path:["iss"]});if(B.length>0)return{issues:B};return{value:$}}}}}function zX(Y){return{"~standard":{version:1,vendor:Y,validate:(Z)=>{if(typeof Z!=="object"||Z===null)return{issues:[{message:"Expected an object"}]};let X=Z,B=[],$={};if("access_token"in X)if(typeof X.access_token==="string")$.access_token=X.access_token;else B.push({message:"access_token must be a string",path:["access_token"]});else B.push({message:"access_token is required",path:["access_token"]});if("id_token"in X)if(typeof X.id_token==="string")$.id_token=X.id_token;else B.push({message:"id_token must be a string",path:["id_token"]});else B.push({message:"id_token is 
required",path:["id_token"]});if("token_type"in X)if(typeof X.token_type==="string")$.token_type=X.token_type;else B.push({message:"token_type must be a string",path:["token_type"]});else B.push({message:"token_type is required",path:["token_type"]});if("refresh_token"in X)if(typeof X.refresh_token==="string"||X.refresh_token===void 0)$.refresh_token=X.refresh_token;else B.push({message:"refresh_token must be a string",path:["refresh_token"]});if("scope"in X)if(typeof X.scope==="string"||X.scope===void 0)$.scope=X.scope;else B.push({message:"scope must be a string",path:["scope"]});if("session_state"in X)if(typeof X.session_state==="string"||X.session_state===void 0)$.session_state=X.session_state;else B.push({message:"session_state must be a string",path:["session_state"]});if("expires"in X)if(typeof X.expires==="string"||X.expires===void 0)$.expires=X.expires;else B.push({message:"expires must be a string",path:["expires"]});if("expires_in"in X)if(typeof X.expires_in==="number"||X.expires_in===void 0)$.expires_in=X.expires_in;else B.push({message:"expires_in must be a number",path:["expires_in"]});if("refresh_expires_in"in X)if(typeof X.refresh_expires_in==="number"||X.refresh_expires_in===void 0)$.refresh_expires_in=X.refresh_expires_in;else B.push({message:"refresh_expires_in must be a number",path:["refresh_expires_in"]});if(B.length>0)return{issues:B};return{value:$}}}}}function a(Y){return{"~standard":{version:1,vendor:Y,validate:(Z)=>{if(typeof Z!=="object"||Z===null)return{issues:[{message:"Expected an object"}]};let X=Z,B=[],$={...X},S=["iss","aud","sub","sid","name","email","preferred_username","picture"];for(let A of S)if(A in X&&X[A]!==void 0){if(typeof X[A]!=="string")B.push({message:`${A} must be a string`,path:[A]})}let L=["exp","iat"];for(let A of L)if(A in X&&X[A]!==void 0){if(typeof X[A]!=="number")B.push({message:`${A} must be a number`,path:[A]})}if(B.length>0)return{issues:B};return{value:$}}}}}function r(Y){let Z=Y["~standard"];return 
Object.assign(Y,{validate(X){return Promise.resolve(Z.validate(X))}})}function D(Y,Z="Assertion failed. Required value is null or undefined."){if(Y===void 0||Y===null)throw Error(Z);return Y}function e(Y,Z){return Response.json({error:"validation_failed",message:Z,issues:Y},{status:400,headers:{"Content-Type":"application/json"}})}function xX(Y,Z,X=[]){let B={...Y,...Z};for(let $ of X)B[$]=Y?.[$]??Z?.[$];return B}function KX(Y){let Z="",X=0,B=Y.length;while(X<B){let $=Y[X];if($==='"'||$==="'"){let S=$;Z+=$,X++;while(X<B){let L=Y[X];if(L==="\\"){if(Z+=L,X+1<B)Z+=Y[X+1],X+=2;else X++;continue}if(L===S){Z+=L,X++;break}Z+=L,X++}continue}if($==="/"&&X+1<B){let S=Y[X+1];if(S==="/"){X+=2;while(X<B&&Y[X]!==`
2
+ `)X++;if(X<B)Z+=`
3
+ `;X++;continue}if(S==="*"){X+=2;while(X+1<B&&!(Y[X]==="*"&&Y[X+1]==="/"))X++;X+=2;continue}}Z+=$,X++}return Z}function wX(Y){let Z=KX(Y);return JSON.parse(Z)}function i(Y){if(Y===null||typeof Y!=="object"||Array.isArray(Y))return!1;let Z=Object.getPrototypeOf(Y);return Z===Object.prototype||Z===null}function o(Y){return Object.keys(Y).filter((Z)=>Y[Z]!==void 0).sort()}function s(Y,Z){if(Object.is(Y,Z))return!0;if(Y===null||Z===null)return Y===Z;if(Array.isArray(Y)||Array.isArray(Z)){if(!Array.isArray(Y)||!Array.isArray(Z)||Y.length!==Z.length)return!1;for(let $=0;$<Y.length;$+=1)if(!s(Y[$],Z[$]))return!1;return!0}if(!i(Y)||!i(Z))return!1;let X=o(Y),B=o(Z);if(X.length!==B.length)return!1;for(let $=0;$<X.length;$+=1)if(X[$]!==B[$])return!1;for(let $ of X)if(!s(Y[$],Z[$]))return!1;return!0}async function yX(Y,Z=async(L)=>L.status===200,X=1000,B=1e4,$,S){let L=Date.now(),A=`Awaiting Ping (${Y})`;return new Promise((z,y)=>{let x=null,R=null,U=async()=>{try{let j=await fetch(Y);if(j.ok)if(await Z(j)){if(x)clearInterval(x);if(R)clearInterval(R);z()}else A=`Response test failed: ${j.status}: ${j.statusText} - ${Y}`;else try{let C=await j.json();A=`Response error: ${j.status}: ${j.statusText} - ${Y}: ${JSON.stringify(C)}`}catch(C){A=`Response error: ${j.status}: ${j.statusText} - ${Y}`}}catch(j){A=`${j instanceof Error?j.message:String(j)} - ${Y}`}};if(U(),x=setInterval(U,X),B>0)R=setInterval(()=>{S?.warn(`${A}: ${Date.now()-L}ms`)},B);if($)setTimeout(()=>{if(x)clearInterval(x);if(R)clearInterval(R);y(Error(`Timeout: ${$}ms: ${A}`))},$)})}var FX="@enterprisestandard/core",JX=r(a(FX));function PX(Y){let Z=Y.exp!=null?new Date(Y.exp*1000):new Date,X=Y.iss??"";return{id:Y.sub??"",userName:Y.preferred_username??"",name:Y.name??"",email:Y.email??"",avatar:Y.picture,sso:{profile:{...Y,iss:Y.iss??X,aud:Y.aud},tenant:{id:Y.idp??X,name:X},tokenType:"Bearer",expires:Z}}}function VX(Y){let Z=Y.replace(/-/g,"+").replace(/_/g,"/");return atob(Z)}async function vX(Y){let 
Z=Y.split(".");if(Z.length!==3)throw Error("Invalid JWT");let X=VX(Z[1]),B=JSON.parse(X),$=await JX.validate(B);if($.issues)throw Error(`ID token claims validation failed: ${$.issues.map((S)=>S.message).join("; ")}`);if($.value)return PX($.value);throw Error("ID token claims validation failed")}var DX={trace:()=>{},debug:()=>{},info:()=>{},warn:()=>{},error:()=>{}},XX=DX;var p=new Map;async function c(Y,Z=3,X=1000,B=30000,$){let S=Error("Placeholder Error");for(let L=0;L<=Z;L++)try{return await Y()}catch(A){if(S=A instanceof Error?A:Error(String(A)),A instanceof Error&&A.message.includes("400"))throw A;if(L===Z)throw S;let z=Math.min(X*2**L,B),y=Math.random()*0.1*z;await new Promise((x)=>setTimeout(x,z+y)),$?.warn(`Retry attempt ${L+1} after ${z+y}ms delay`)}throw S}async function m(Y,Z){let X=p.get(Y);if(X)return X;return c(async()=>{let B=await fetch(Y);if(!B.ok)throw Error("Failed to fetch JWKS");let $=await B.json();return p.set(Y,$),$},void 0,void 0,void 0,Z)}function _X(Y){if(Y){p.delete(Y);return}p.clear()}async function YX(Y,Z){let X=Y.keys.find((B)=>B.kid===Z);if(!X)throw Error("Public key not found");return crypto.subtle.importKey("jwk",{kty:X.kty,n:X.n,e:X.e},{name:"RSASSA-PKCS1-v1_5",hash:"SHA-256"},!1,["verify"])}async function ZX(Y,Z,X){try{return await YX(await m(Y,X),Z)}catch(B){if(!(B instanceof Error)||B.message!=="Public key not found")throw B;return _X(Y),YX(await m(Y,X),Z)}}function mX(Y,Z={}){let X=Z.cookieName??"es.active_session",B=Y.headers.get("cookie");if(!B)return;return d(B)[X]}function gX(Y,Z={}){let X=Z.cookieName??"es.active_session",B=Z.path??"/",$=Z.secure??!1,S=Z.sameSite??"Lax",L=Z.maxAge,A=[`${X}=${Y}`,`Path=${B}`,"HttpOnly",`SameSite=${S}`];if($)A.push("Secure");if(typeof L==="number")A.push(`Max-Age=${L}`);return A.join("; ")}function cX(Y={}){let Z=Y.cookieName??"es.active_session",X=Y.path??"/",B=Y.secure??!1,$=Y.sameSite??"Lax",S=[`${Z}=`,"Max-Age=0",`Path=${X}`,"HttpOnly",`SameSite=${$}`];if(B)S.push("Secure");return 
S.join("; ")}function dX(Y,Z={}){let X=typeof Y==="string"?Y:Y?.headers.get("cookie")??void 0;if(!X)return[];let $=`${Z.cookiePrefix??"es.sso"}.`,S=new Set;for(let L of Object.keys(d(X))){if(!L.startsWith($))continue;let A=L.slice($.length),z=A.lastIndexOf(".");if(z<=0)continue;let y=A.slice(0,z).trim();if(y)S.add(y)}return Array.from(S)}function uX(Y,Z){if(!Y)return;let X=d(Y);for(let[B,$]of Object.entries(X)){if(!B.startsWith("es.sso.")||!B.endsWith(".state"))continue;try{let S=JSON.parse(atob($));if(S?.state===Z)return{clientId:B.slice(7,-6),stateCookie:S}}catch{}}return}function lX(Y,Z,X,B){if(!X&&!B)return;let $={...X,...B},S=!!($.authority&&$.tokenUrl&&$.authorizationUrl&&$.clientId&&$.redirectUri&&$.scope),L={...$,authority:S?D($.authority,"Missing 'authority' from SSO Config"):$.authority,tokenUrl:S?D($.tokenUrl,"Missing 'tokenUrl' from SSO Config"):$.tokenUrl,authorizationUrl:S?D($.authorizationUrl,"Missing 'authorizationUrl' from SSO Config"):$.authorizationUrl,clientId:S?D($.clientId,"Missing 'clientId' from SSO Config"):$.clientId,redirectUri:S?D($.redirectUri,"Missing 'redirectUri' from SSO Config"):$.redirectUri,scope:S?D($.scope,"Missing 'scope' from SSO Config"):$.scope,responseType:$.responseType??"code",cookiesSecure:$.cookiesSecure!==void 0?$.cookiesSecure:!0,cookiesSameSite:$.cookiesSameSite!==void 0?$.cookiesSameSite:"Strict",cookiesPrefix:$.cookiesPrefix??($.clientId?`es.sso.${$.clientId}`:"es.sso"),cookiesPath:$.cookiesPath??"/"};function A(){let N=[];if(!L.authority)N.push("authority");if(!L.tokenUrl)N.push("tokenUrl");if(!L.authorizationUrl)N.push("authorizationUrl");if(!L.clientId)N.push("clientId");if(!L.redirectUri)N.push("redirectUri");if(!L.scope)N.push("scope");if(N.length>0)throw Error(`Missing OIDC configuration fields: ${N.join(", ")}. OIDC configuration is required for SSO operations. 
Please provide these fields either in your vault configuration or in the SSO config when initializing enterpriseStandard.`)}async function z(N){if(!L)throw Error("Enterprise Standard SSO Manager not initialized");try{let{tokens:G}=await k(N);if(!G)return;return await C(G)}catch(G){if(!HX(G))Z.error("Error parsing user from cookies",{"es.operation":"cookie.parse","es.outcome":"failure"},G);return}}async function y(N){let G=await z(N);if(G)return G;throw new Response("Unauthorized",{status:401,statusText:"Unauthorized"})}async function x({landingUrl:N,errorUrl:G},Q){if(!L)throw Error("Enterprise Standard SSO Manager not initialized");A();let W=D(L.redirectUri,"Missing 'redirectUri' from SSO Config"),K=D(L.authorizationUrl,"Missing 'authorizationUrl' from SSO Config"),P=D(L.clientId,"Missing 'clientId' from SSO Config"),F=D(L.scope,"Missing 'scope' from SSO Config"),J=t(),_=t(64),M=W;try{new URL(M)}catch{if(Q)try{let V=new URL(Q),H=M.startsWith("//")?M.slice(1):M.startsWith("/")?M:`/${M}`;M=new URL(H,V.origin).toString()}catch{try{let V=new URL(K),H=M.startsWith("//")?M.slice(1):M.startsWith("/")?M:`/${M}`;M=new URL(H,V.origin).toString()}catch{throw Error(`Invalid redirectUri: "${W}". 
It must be a valid absolute URL.`)}}}let O=new URL(K);O.searchParams.append("client_id",P),O.searchParams.append("redirect_uri",M),O.searchParams.append("response_type","code"),O.searchParams.append("scope",F),O.searchParams.append("state",J);let E=await QX(_);O.searchParams.append("code_challenge",E),O.searchParams.append("code_challenge_method","S256");let T={state:J,codeVerifier:_,landingUrl:N,errorUrl:G};return new Response("Redirecting to SSO Provider",{status:302,headers:{Location:O.toString(),"Set-Cookie":f("state",T,86400)}})}async function R(N,G){if(!L)throw Error("Enterprise Standard SSO Manager not initialized");try{let J=q("refresh",N);if(J)await BX(J)}catch(J){Z.warn("Failed to revoke token",{"es.operation":"token.revoke","es.outcome":"degraded"},J)}if(L.sessionStore)try{let J=await z(N);if(J?.sso?.profile.sid){let _=J.sso.profile.sid;await L.sessionStore.delete(_)}}catch(J){Z.warn("Failed to delete session",{"es.operation":"session.delete","es.outcome":"degraded"},J)}let Q=[["Set-Cookie",v("access")],["Set-Cookie",v("id")],["Set-Cookie",v("refresh")],["Set-Cookie",v("control")],["Set-Cookie",v("state")]],K=new URL(N.url).searchParams.get("redirect");if(K)return new Response("Logged out",{status:302,headers:[["Location",K],...Q]});let P=N.headers.get("accept");if(P?.includes("application/json")||P?.includes("text/javascript"))return new Response(JSON.stringify({success:!0,message:"Logged out"}),{status:200,headers:[["Content-Type","application/json"],...Q]});else return new Response(`
4
+ <!DOCTYPE html><html lang="en"><body>
5
+ <h1>Logout Complete</h1>
6
+ <div style="display: none">
7
+ It is not recommended to show the default logout page. Include '?redirect=/someHomePage' or logout asynchronously.
8
+ Check the <a href="https://EnterpriseStandard.com/sso#logout">Enterprise Standard Packages</a> for more information.
9
+ </div>
10
+ </body></html>
11
+ `,{status:200,headers:[["Content-Type","text/html"],...Q]})}async function U(N){if(!L)throw Error("Enterprise Standard SSO Manager not initialized");if(!L.sessionStore)throw Error("Back-Channel Logout requires sessionStore configuration");try{let G=N.headers.get("content-type");if(!G||!G.includes("application/x-www-form-urlencoded"))return new Response("Invalid Content-Type, expected application/x-www-form-urlencoded",{status:400});let Q=await N.text(),K=new URLSearchParams(Q).get("logout_token");if(!K)return new Response("Missing logout_token parameter",{status:400});let F=(await n(K)).sid;if(!F)return Z.warn("Back-Channel Logout: logout_token missing sid claim",{"es.operation":"backchannel_logout","es.outcome":"failure"}),new Response("Invalid logout_token: missing sid claim",{status:400});return await L.sessionStore.delete(F),Z.info("Back-Channel Logout: successfully deleted session",{"es.module":"sso",sid:F}),new Response("OK",{status:200})}catch(G){return Z.error("Error during back-channel logout",{"es.operation":"backchannel_logout","es.outcome":"failure"},G),new Response("Internal Server Error",{status:500})}}async function j(N){if(!L)throw Error("Enterprise Standard SSO Manager not initialized");let G=new URL(N.url),Q=new URLSearchParams(G.search),W=Object.fromEntries(Q.entries()),K=await Y.callbackParams.validate(W);if(K.issues)return e(K.issues,"OIDC callback parameters validation failed");let{code:P,state:F}=K.value;try{let J=q("state",N,!0),{codeVerifier:_,state:M,landingUrl:O}=J??{};if(D(_,'OIDC "codeVerifier" was not present in cookies, ensure that the SSO login was initiated correctly'),D(M,'OIDC "stateVerifier" was not present in cookies, ensure that the SSO login was initiated correctly'),D(O,'OIDC "landingUrl" was not present in cookies'),F!==M)throw Error('SSO State Verifier failed, the "state" request parameter does not equal the "state" in the SSO cookie');let E=L.cookiesSecure?N.url.replace(/^http:\/\//,"https://"):N.url,T=await 
NX(P,_,E),V=await C(T);if(L.sessionStore)try{let H=V.sso.profile.sid,I=V.id;if(H&&I){let w={sid:H,sub:I,createdAt:new Date,lastActivityAt:new Date};await L.sessionStore.create(w)}else Z.warn("Session creation skipped: missing sid or sub in ID token claims",{"es.operation":"session.create","es.outcome":"skipped"})}catch(H){Z.warn("Failed to create session",{"es.operation":"session.create","es.outcome":"degraded"},H)}if(L.userStore)try{let H=V.id;if(H){let I=new Date,w=await L.userStore.get(H);if(w||L.enableJitUserProvisioning){let MX={...w??{},...V,id:H,tenantId:w?.tenantId,createdAt:w?.createdAt??I,updatedAt:I};await L.userStore.upsert(MX)}else Z.warn("JIT user provisioning disabled: user not found in store and will not be created",{"es.operation":"user.store","es.outcome":"skipped"})}else Z.warn("User storage skipped: missing sub in ID token claims",{"es.operation":"user.store","es.outcome":"skipped"})}catch(H){Z.warn("Failed to store user",{"es.operation":"user.store","es.outcome":"degraded"},H)}return new Response("Authentication successful, redirecting",{status:302,headers:[["Location",O],["Set-Cookie",v("state")],...g(T,V.sso.expires)]})}catch(J){Z.error("Error during sign-in callback",{"es.operation":"sign_in.callback","es.outcome":"failure"},J);try{let _=q("state",N,!0),{errorUrl:M}=_??{};if(M)return new Response("Redirecting to error url",{status:302,headers:[["Location",M]]})}catch(_){Z.warn("Error parsing the errorUrl from the OIDC cookie",{"es.operation":"cookie.parse","es.outcome":"degraded"})}return Z.warn("No error page was found in the cookies. 
The user will be shown a default error page.",{"es.operation":"sign_in.error_redirect","es.outcome":"degraded"}),new Response("An error occurred during authentication, please return to the application homepage and try again.",{status:500})}}async function C(N){if(!L)throw Error("Enterprise Standard SSO Manager not initialized");let G=await n(N.id_token),Q=Number(N.refresh_expires_in??N.expires_in??3600),W=N.expires?new Date(N.expires):new Date(Date.now()+Q*1000);return{id:G.sub,userName:G.preferred_username||"",name:G.name||"",email:G.email||"",emails:[{value:G.email||"",primary:!0}],avatar:G.picture,sso:{profile:{...G,iss:G.iss||L.authority,aud:G.aud||L.clientId},tenant:{id:G.idp||G.iss||L.authority||"",name:G.iss||L.authority||""},scope:N.scope,tokenType:N.token_type,sessionState:N.session_state,expires:W}}}async function LX(N){if(!L.userStore)return N;let G=await L.userStore.lookup(N);if(!G)return N;return{...N,...G,id:N.id,sso:N.sso}}async function NX(N,G,Q){if(!L)throw Error("Enterprise Standard SSO Manager not initialized");A();let W=D(L.tokenUrl,"Missing 'tokenUrl' from SSO Config"),K=D(L.redirectUri,"Missing 'redirectUri' from SSO Config"),P=D(L.clientId,"Missing 'clientId' from SSO Config"),F=K;try{new URL(F)}catch{if(Q)try{let _=new URL(Q),M=F.startsWith("//")?F.slice(1):F.startsWith("/")?F:`/${F}`;F=new URL(M,_.origin).toString()}catch{try{let _=new URL(W),M=F.startsWith("//")?F.slice(1):F.startsWith("/")?F:`/${F}`;F=new URL(M,_.origin).toString()}catch{throw Error(`Invalid redirectUri: "${K}". 
It must be a valid absolute URL.`)}}}let J=new URLSearchParams;if(J.append("grant_type","authorization_code"),J.append("code",N),J.append("redirect_uri",F),J.append("client_id",P),L.clientSecret)J.append("client_secret",L.clientSecret);J.append("code_verifier",G);try{let _=await fetch(W,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"},body:J.toString()}),M=await _.json();if(!_.ok){Z.error("Token exchange error",{"es.operation":"token.exchange","es.outcome":"failure",response:M});let E=M;throw Error(`Token exchange failed: ${E.error||_.statusText} - ${E.error_description||""}`.trim())}let O=await Y.tokenResponse.validate(M);if(O.issues)throw Z.error("Token response validation failed",{"es.operation":"token.exchange","es.outcome":"failure",validationIssues:O.issues}),Error(`Token response validation failed: ${O.issues}`);return O.value}catch(_){throw Z.error("Error during token exchange",{"es.operation":"token.exchange","es.outcome":"failure"},_),_}}async function l(N){return c(async()=>{if(!L)throw Error("Enterprise Standard SSO Manager not initialized");A();let G=D(L.tokenUrl,"Missing 'tokenUrl' from SSO Config"),Q=D(L.clientId,"Missing 'clientId' from SSO Config"),W=new URLSearchParams;W.append("grant_type","refresh_token"),W.append("refresh_token",N),W.append("client_id",Q);let K=await fetch(G,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"},body:W.toString()}),P=await K.json();if(!K.ok){Z.error("Token refresh error",{"es.operation":"token.refresh","es.outcome":"failure",response:P});let F=P;throw Error(`Token refresh failed: ${F.error||K.statusText} - ${F.error_description||""}`.trim())}return P},void 0,void 0,void 0,Z)}async function BX(N){try{if(!L)throw Error("Enterprise Standard SSO Manager not initialized");if(!L.revocationEndpoint)return;let G=D(L.clientId,"Missing 'clientId' from SSO Config"),Q=new 
URLSearchParams;Q.append("token",N),Q.append("token_type_hint","refresh_token"),Q.append("client_id",G);let W=await fetch(L.revocationEndpoint,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:Q.toString()});if(!W.ok)Z.warn("Token revocation failed",{"es.operation":"token.revoke","es.outcome":"degraded",status:W.status,statusText:W.statusText});else Z.info("Token revoked successfully",{"es.module":"sso"})}catch(G){Z.warn("Error revoking token",{"es.operation":"token.revoke","es.outcome":"degraded"},G)}}async function GX(){if(!L)throw Error("Enterprise Standard SSO Manager not initialized");let N=L.authority;if(!L.jwksUri&&!N)throw Error("Missing 'jwksUri' or 'authority' from SSO Config. OIDC configuration is required for this operation.");let G=L.jwksUri||`${N}/protocol/openid-connect/certs`;return m(G,Z)}async function n(N){let G=N.split(".");if(G.length!==3)throw Error("Invalid JWT");let Q=JSON.parse(atob(G[0].replace(/-/g,"+").replace(/_/g,"/"))),W=JSON.parse(atob(G[1].replace(/-/g,"+").replace(/_/g,"/"))),K=G[2].replace(/-/g,"+").replace(/_/g,"/"),P=await AX(Q.kid),J=new TextEncoder().encode(`${G[0]}.${G[1]}`);if(!await crypto.subtle.verify("RSASSA-PKCS1-v1_5",P,Uint8Array.from(atob(K),(O)=>O.charCodeAt(0)),J))throw Error("Invalid JWT signature");let M=await Y.idTokenClaims.validate(W);if(M.issues)throw Z.error("ID token claims validation failed",{"es.operation":"id_token.validate","es.outcome":"failure",validationIssues:M.issues}),Error(`ID token claims validation failed: ${M.issues}`);return M.value}function t(N=32){let G=new Uint8Array(N);return crypto.getRandomValues(G),Array.from(G,(Q)=>Q.toString(16).padStart(2,"0")).join("").substring(0,N)}async function QX(N){let Q=new TextEncoder().encode(N),W=await crypto.subtle.digest("SHA-256",Q),K=Array.from(new Uint8Array(W));return btoa(String.fromCharCode(...K)).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"")}async function AX(N){let 
G=L.authority,Q=L.jwksUri||(G?`${G}/protocol/openid-connect/certs`:void 0);if(!Q)throw Error("Missing 'jwksUri' or 'authority' from SSO Config. OIDC configuration is required for this operation.");return ZX(Q,N,Z)}function g(N,G){let Q=G instanceof Date?G:new Date(G);if(Number.isNaN(Q.getTime()))throw Error(`Invalid SSO token expiry: ${String(G)}`);let W={expires_in:N.expires_in,refresh_expires_in:N.refresh_expires_in,scope:N.scope,session_state:N.session_state,token_type:N.token_type,expires:Q.toISOString()};return[["Set-Cookie",f("access",N.access_token,Q)],["Set-Cookie",f("id",N.id_token,Q)],["Set-Cookie",f("refresh",N.refresh_token??"",Q)],["Set-Cookie",f("control",W,Q)]]}async function k(N){let G=q("access",N),Q=q("id",N),W=q("refresh",N),K=q("control",N,!0);if(!G||!Q||!W||!K)return{tokens:void 0,refreshHeaders:[]};let P={access_token:G,id_token:Q,refresh_token:W,...K};if(K.expires&&W&&Date.now()>new Date(K.expires).getTime()){P=await l(W);let F=await C(P),J=g(P,F.sso.expires);return{tokens:P,refreshHeaders:J}}return{tokens:P,refreshHeaders:[]}}async function SX(N){let{tokens:G}=await k(N);if(!G)return;return G.access_token}function f(N,G,Q){if(!L)throw Error("Enterprise Standard SSO Manager not initialized");if(N=`${L.cookiesPrefix}.${N}`,typeof G!=="string")G=btoa(JSON.stringify(G));let W;if(Q instanceof Date)W=`Expires=${Q.toUTCString()}`;else if(typeof Q==="number")W=`Max-Age=${Q}`;else throw Error("Invalid expires type",Q);if(G.length>4000)throw Error(`Error setting cookie: ${N}. Cookie length is: ${G.length}`);return`${N}=${G}; ${W}; Path=${L.cookiesPath}; HttpOnly;${L.cookiesSecure?" Secure;":""} SameSite=${L.cookiesSameSite};`}function v(N){if(!L)throw Error("Enterprise Standard SSO Manager not initialized");return`${L.cookiesPrefix}.${N}=; Max-Age=0; Path=${L.cookiesPath}; HttpOnly;${L.cookiesSecure?" 
Secure;":""} SameSite=${L.cookiesSameSite};`}function q(N,G,Q=!1){if(!L)throw Error("Enterprise Standard SSO Manager not initialized");let W=G.headers.get("cookie");if(!W)return null;let K=W.split(";").find((J)=>J.trim().startsWith(`${L.cookiesPrefix}.${N}=`));if(!K)return null;let P=K.split("=")[1].trim();if(!Q)return P;let F=atob(P);return JSON.parse(F)}async function WX(N,G){if(!L)throw Error("Enterprise Standard SSO Manager not initialized");let{loginUrl:Q,userUrl:W,errorUrl:K,landingUrl:P,tokenUrl:F,refreshUrl:J,logoutUrl:_,logoutBackChannelUrl:M,jwksUrl:O,redirectUri:E}={...L,...G},T=new URL(N.url).pathname;if(E){let V;try{V=new URL(E).pathname}catch{try{let H=new URL(N.url),I=E.startsWith("//")?E.slice(1):E;V=new URL(I,H.origin).pathname}catch{V=E.startsWith("/")?E:`/${E}`}}if(V===T)return j(N)}if(Q===T){let V=L.cookiesSecure?N.url.replace(/^http:\/\//,"https://"):N.url;return x({landingUrl:P||"/",errorUrl:K},V)}if(W===T){let{tokens:V,refreshHeaders:H}=await k(N);if(!V)return new Response("User not logged in",{status:401});let I=await C(V),w=await LX(I);return new Response(JSON.stringify(w),{headers:[["Content-Type","application/json"],...H]})}if(F===T){let{tokens:V,refreshHeaders:H}=await k(N);if(!V)return new Response("User not logged in",{status:401});return new Response(JSON.stringify({token:V.access_token,expires:V.expires}),{headers:[["Content-Type","application/json"],...H]})}if(J===T){let V=q("refresh",N);if(!V)return new Response("User not logged in",{status:401});let H=await l(V),I=await C(H),w=g(H,I.sso.expires);return new Response("Refresh Complete",{status:200,headers:w})}if(_===T)return R(N,{landingUrl:P||"/"});if(M===T)return U(N);if(O===T){let V=await GX();return new Response(JSON.stringify(V),{headers:[["Content-Type","application/json"]]})}return new Response("Not Found",{status:404})}return{...L,getUser:z,getRequiredUser:y,getJwt:SX,initiateLogin:x,logout:R,logoutBackChannel:U,callbackHandler:j,handler:WX}}function d(Y){let 
Z={},X=Y.split(";");for(let B of X){let $=B.trim();if(!$)continue;let S=$.indexOf("=");if(S===-1)continue;let L=$.slice(0,S).trim(),A=$.slice(S+1).trim();Z[L]=A}return Z}function HX(Y){if(!(Y instanceof Error))return!1;return["Public key not found","Invalid JWT","Invalid JWT signature"].some((Z)=>Y.message.includes(Z))}function b(Y){return Y=Y??"SSO Unavailable",new Response(JSON.stringify({error:Y}),{status:503,statusText:Y,headers:{"Content-Type":"application/json"}})}function $X(Y){if(!Y)return[];let Z=Y.headers;if(Z.getSetCookie)return Z.getSetCookie();let X=Y.headers.get("set-cookie");return X?[X]:[]}function OX(Y,Z){let X=new Headers;Y.headers.forEach((B,$)=>{if($.toLowerCase()!=="set-cookie")X.set($,B)});for(let B of Z)X.append("Set-Cookie",B);return new Response(Y.body,{status:Y.status,statusText:Y.statusText,headers:X})}var h="EnterpriseStandard instance is required. Create one with enterpriseStandard(source, config) and pass it to this function.";async function nX(Y,Z){return D(Z,h),Z.sso?.getUser(Y)}async function jX(Y,Z){D(Z,h);let X=Z.log??XX;X.debug("getUser called",{"es.module":"sso",hasInstance:!0,hasSso:!!Z.sso,hasCiam:!!Z.ciam});let B=await Z.sso?.getUser(Y);if(B)return X.debug("Found SSO user",{"es.module":"sso",email:B.email}),B;X.debug("No SSO user, trying CIAM",{"es.module":"sso"});let $=await Z.ciam?.getUser(Y);return X.debug("CIAM user result",{"es.module":"sso",email:$?.email??void 0}),$}async function tX(Y,Z){let X=await jX(Y,Z);if(X)return X;throw new Response("Unauthorized",{status:401,statusText:"Unauthorized"})}async function aX(Y,Z){D(Z,h);let X=Z.sso;if(!X)return b();return X.initiateLogin(Y)}async function iX(Y,Z){D(Z,h);let X=Z.sso;if(!X)return b();return X.callbackHandler(Y)}async function oX(Y,Z){D(Z,h);let{sso:X,ciam:B}=Z;if(!X&&!B)return b("Logout Unavailable");let $=X?await X.logout(Y,{landingUrl:"/"}):void 0,S=B?await B.logout(Y):void 0,L=$??S;if(!L)return b("Logout Unavailable");let A=[...$X($),...$X(S)];return OX(L,A)}async 
function sX(Y,Z){D(Z,h);let{sso:X,ciam:B}=Z;if(!X&&!B)return b("Back-Channel Logout Unavailable");let $=Y.clone(),S=Y.clone(),L=X?await X.logoutBackChannel($):void 0;if(L?.status===200)return L;let A=B?await B.logoutBackChannel(S):void 0;if(A)return A;return L??b("Back-Channel Logout Unavailable")}var u;function eX(Y){u=Y}function EX(Y,Z){if(!u)throw Error("Tenant config hydration is not registered. Import @enterprisestandard/server before using tenant.config().");return u(Y.configSource,Z)}function XY(Y){let Z=Y.configSource;return{...Y,config:(X)=>EX({configSource:Z},X)}}
12
+ export{TX as a,zX as b,a as c,r as d,D as e,e as f,xX as g,KX as h,wX as i,s as j,yX as k,PX as l,vX as m,DX as n,XX as o,m as p,YX as q,mX as r,gX as s,cX as t,dX as u,uX as v,lX as w,nX as x,jX as y,tX as z,aX as A,iX as B,oX as C,sX as D,eX as E,EX as F,XY as G};
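--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@enterprisestandard/core",
- "version": "0.0.17",
+ "version": "0.0.18-beta.20260504.1",
  "description": "Enterprise Standard Core (Server-only)",
  "private": false,
  "author": "enterprisestandard",
@@ -27,7 +27,7 @@
  }
  },
  "peerDependencies": {
- "@enterprisestandard/zod": "^0.0.17",
- "@enterprisestandard/valibot": "^0.0.17"
+ "@enterprisestandard/zod": "0.0.18-beta.20260504.1",
+ "@enterprisestandard/valibot": "0.0.18-beta.20260504.1"
  }
  }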
@@ -1,12 +0,0 @@
1
- function zX(Y){return{"~standard":{version:1,vendor:Y,validate:(Z)=>{if(typeof Z!=="object"||Z===null)return{issues:[{message:"Expected an object"}]};let X=Z,L=[],$={};if("code"in X)if(typeof X.code==="string")$.code=X.code;else L.push({message:"code must be a string",path:["code"]});else if(!("error"in X))L.push({message:"code is required",path:["code"]});if("state"in X)if(typeof X.state==="string"||X.state===void 0)$.state=X.state;else L.push({message:"state must be a string",path:["state"]});if("session_state"in X)if(typeof X.session_state==="string"||X.session_state===void 0)$.session_state=X.session_state;else L.push({message:"session_state must be a string",path:["session_state"]});if("error"in X){if(typeof X.error==="string")$.error=X.error;else L.push({message:"error must be a string",path:["error"]});if("error_description"in X)if(typeof X.error_description==="string"||X.error_description===void 0)$.error_description=X.error_description;else L.push({message:"error_description must be a string",path:["error_description"]});if("error_uri"in X)if(typeof X.error_uri==="string"||X.error_uri===void 0)$.error_uri=X.error_uri;else L.push({message:"error_uri must be a string",path:["error_uri"]})}if("iss"in X)if(typeof X.iss==="string"||X.iss===void 0)$.iss=X.iss;else L.push({message:"iss must be a string",path:["iss"]});if(L.length>0)return{issues:L};return{value:$}}}}}function IX(Y){return{"~standard":{version:1,vendor:Y,validate:(Z)=>{if(typeof Z!=="object"||Z===null)return{issues:[{message:"Expected an object"}]};let X=Z,L=[],$={};if("access_token"in X)if(typeof X.access_token==="string")$.access_token=X.access_token;else L.push({message:"access_token must be a string",path:["access_token"]});else L.push({message:"access_token is required",path:["access_token"]});if("id_token"in X)if(typeof X.id_token==="string")$.id_token=X.id_token;else L.push({message:"id_token must be a string",path:["id_token"]});else L.push({message:"id_token is 
required",path:["id_token"]});if("token_type"in X)if(typeof X.token_type==="string")$.token_type=X.token_type;else L.push({message:"token_type must be a string",path:["token_type"]});else L.push({message:"token_type is required",path:["token_type"]});if("refresh_token"in X)if(typeof X.refresh_token==="string"||X.refresh_token===void 0)$.refresh_token=X.refresh_token;else L.push({message:"refresh_token must be a string",path:["refresh_token"]});if("scope"in X)if(typeof X.scope==="string"||X.scope===void 0)$.scope=X.scope;else L.push({message:"scope must be a string",path:["scope"]});if("session_state"in X)if(typeof X.session_state==="string"||X.session_state===void 0)$.session_state=X.session_state;else L.push({message:"session_state must be a string",path:["session_state"]});if("expires"in X)if(typeof X.expires==="string"||X.expires===void 0)$.expires=X.expires;else L.push({message:"expires must be a string",path:["expires"]});if("expires_in"in X)if(typeof X.expires_in==="number"||X.expires_in===void 0)$.expires_in=X.expires_in;else L.push({message:"expires_in must be a number",path:["expires_in"]});if("refresh_expires_in"in X)if(typeof X.refresh_expires_in==="number"||X.refresh_expires_in===void 0)$.refresh_expires_in=X.refresh_expires_in;else L.push({message:"refresh_expires_in must be a number",path:["refresh_expires_in"]});if(L.length>0)return{issues:L};return{value:$}}}}}function a(Y){return{"~standard":{version:1,vendor:Y,validate:(Z)=>{if(typeof Z!=="object"||Z===null)return{issues:[{message:"Expected an object"}]};let X=Z,L=[],$={...X},A=["iss","aud","sub","sid","name","email","preferred_username","picture"];for(let W of A)if(W in X&&X[W]!==void 0){if(typeof X[W]!=="string")L.push({message:`${W} must be a string`,path:[W]})}let N=["exp","iat"];for(let W of N)if(W in X&&X[W]!==void 0){if(typeof X[W]!=="number")L.push({message:`${W} must be a number`,path:[W]})}if(L.length>0)return{issues:L};return{value:$}}}}}function e(Y){let Z=Y["~standard"];return 
Object.assign(Y,{validate(X){return Promise.resolve(Z.validate(X))}})}function O(Y,Z="Assertion failed. Required value is null or undefined."){if(Y===void 0||Y===null)throw Error(Z);return Y}function XX(Y,Z){return Response.json({error:"validation_failed",message:Z,issues:Y},{status:400,headers:{"Content-Type":"application/json"}})}function wX(Y,Z,X=[]){let L={...Y,...Z};for(let $ of X)L[$]=Y?.[$]??Z?.[$];return L}function JX(Y){let Z="",X=0,L=Y.length;while(X<L){let $=Y[X];if($==='"'||$==="'"){let A=$;Z+=$,X++;while(X<L){let N=Y[X];if(N==="\\"){if(Z+=N,X+1<L)Z+=Y[X+1],X+=2;else X++;continue}if(N===A){Z+=N,X++;break}Z+=N,X++}continue}if($==="/"&&X+1<L){let A=Y[X+1];if(A==="/"){X+=2;while(X<L&&Y[X]!==`
2
- `)X++;if(X<L)Z+=`
3
- `;X++;continue}if(A==="*"){X+=2;while(X+1<L&&!(Y[X]==="*"&&Y[X+1]==="/"))X++;X+=2;continue}}Z+=$,X++}return Z}function yX(Y){let Z=JX(Y);return JSON.parse(Z)}function o(Y){if(Y===null||typeof Y!=="object"||Array.isArray(Y))return!1;let Z=Object.getPrototypeOf(Y);return Z===Object.prototype||Z===null}function s(Y){return Object.keys(Y).filter((Z)=>Y[Z]!==void 0).sort()}function r(Y,Z){if(Object.is(Y,Z))return!0;if(Y===null||Z===null)return Y===Z;if(Array.isArray(Y)||Array.isArray(Z)){if(!Array.isArray(Y)||!Array.isArray(Z)||Y.length!==Z.length)return!1;for(let $=0;$<Y.length;$+=1)if(!r(Y[$],Z[$]))return!1;return!0}if(!o(Y)||!o(Z))return!1;let X=s(Y),L=s(Z);if(X.length!==L.length)return!1;for(let $=0;$<X.length;$+=1)if(X[$]!==L[$])return!1;for(let $ of X)if(!r(Y[$],Z[$]))return!1;return!0}async function RX(Y,Z=async(A)=>A.status===200,X=1000,L=1e4,$){let A=Date.now(),N=`Awaiting Ping (${Y})`;return new Promise((W,I)=>{let z=null,R=null,h=async()=>{try{let T=await fetch(Y);if(T.ok)if(await Z(T)){if(z)clearInterval(z);if(R)clearInterval(R);W()}else N=`Response test failed: ${T.status}: ${T.statusText} - ${Y}`;else try{let U=await T.json();N=`Response error: ${T.status}: ${T.statusText} - ${Y}: ${JSON.stringify(U)}`}catch(U){N=`Response error: ${T.status}: ${T.statusText} - ${Y}`}}catch(T){N=`${T instanceof Error?T.message:String(T)} - ${Y}`}};if(h(),z=setInterval(h,X),L>0)R=setInterval(()=>{console.warn(`${N}: ${Date.now()-A}ms`)},L);if($)setTimeout(()=>{if(z)clearInterval(z);if(R)clearInterval(R);I(Error(`Timeout: ${$}ms: ${N}`))},$)})}var VX="@enterprisestandard/core",DX=e(a(VX));function OX(Y){let Z=Y.exp!=null?new Date(Y.exp*1000):new Date,X=Y.iss??"";return{id:Y.sub??"",userName:Y.preferred_username??"",name:Y.name??"",email:Y.email??"",avatar:Y.picture,sso:{profile:{...Y,iss:Y.iss??X,aud:Y.aud},tenant:{id:Y.idp??X,name:X},tokenType:"Bearer",expires:Z}}}function HX(Y){let Z=Y.replace(/-/g,"+").replace(/_/g,"/");return atob(Z)}async function bX(Y){let 
Z=Y.split(".");if(Z.length!==3)throw Error("Invalid JWT");let X=HX(Z[1]),L=JSON.parse(X),$=await DX.validate(L);if($.issues)throw Error(`ID token claims validation failed: ${$.issues.map((A)=>A.message).join("; ")}`);if($.value)return OX($.value);throw Error("ID token claims validation failed")}var w=(Y,Z,...X)=>{if(X.length>0)console[Y](`[${Y.toUpperCase()}]`,Z,...X);else console[Y](`[${Y.toUpperCase()}]`,Z)},YX={debug:()=>{},info:()=>{},warn(Y,...Z){w("warn",Y,...Z)},error(Y,...Z){w("error",Y,...Z)}},UX={debug:()=>{},info:()=>{},warn:()=>{},error:()=>{}},fX={debug:()=>{},info:w.bind(console,"info"),warn:w.bind(console,"warn"),error:w.bind(console,"error")},ZX=(Y,...Z)=>{if(Z.length>0)console.log("[DEBUG]",Y,...Z);else console.log("[DEBUG]",Y)},kX={debug:ZX,info:w.bind(console,"info"),warn:w.bind(console,"warn"),error:w.bind(console,"error")},gX={debug:ZX,info:w.bind(console,"info"),warn:w.bind(console,"warn"),error:w.bind(console,"error")};var p=new Map;async function d(Y,Z=3,X=1000,L=30000){let $=Error("Placeholder Error");for(let A=0;A<=Z;A++)try{return await Y()}catch(N){if($=N instanceof Error?N:Error(String(N)),N instanceof Error&&N.message.includes("400"))throw N;if(A===Z)throw $;let W=Math.min(X*2**A,L),I=Math.random()*0.1*W;await new Promise((z)=>setTimeout(z,W+I)),console.warn(`Retry attempt ${A+1} after ${W+I}ms delay`)}throw $}async function m(Y){let Z=p.get(Y);if(Z)return Z;return d(async()=>{let X=await fetch(Y);if(!X.ok)throw Error("Failed to fetch JWKS");let L=await X.json();return p.set(Y,L),L})}function jX(Y){if(Y){p.delete(Y);return}p.clear()}async function $X(Y,Z){let X=Y.keys.find((L)=>L.kid===Z);if(!X)throw Error("Public key not found");return crypto.subtle.importKey("jwk",{kty:X.kty,n:X.n,e:X.e},{name:"RSASSA-PKCS1-v1_5",hash:"SHA-256"},!1,["verify"])}async function NX(Y,Z){try{return await $X(await m(Y),Z)}catch(X){if(!(X instanceof Error)||X.message!=="Public key not found")throw X;return jX(Y),$X(await m(Y),Z)}}function lX(Y,Z={}){let 
X=Z.cookieName??"es.active_session",L=Y.headers.get("cookie");if(!L)return;return u(L)[X]}function nX(Y,Z={}){let X=Z.cookieName??"es.active_session",L=Z.path??"/",$=Z.secure??!1,A=Z.sameSite??"Lax",N=Z.maxAge,W=[`${X}=${Y}`,`Path=${L}`,"HttpOnly",`SameSite=${A}`];if($)W.push("Secure");if(typeof N==="number")W.push(`Max-Age=${N}`);return W.join("; ")}function tX(Y={}){let Z=Y.cookieName??"es.active_session",X=Y.path??"/",L=Y.secure??!1,$=Y.sameSite??"Lax",A=[`${Z}=`,"Max-Age=0",`Path=${X}`,"HttpOnly",`SameSite=${$}`];if(L)A.push("Secure");return A.join("; ")}function iX(Y,Z={}){let X=typeof Y==="string"?Y:Y?.headers.get("cookie")??void 0;if(!X)return[];let $=`${Z.cookiePrefix??"es.sso"}.`,A=new Set;for(let N of Object.keys(u(X))){if(!N.startsWith($))continue;let W=N.slice($.length),I=W.lastIndexOf(".");if(I<=0)continue;let z=W.slice(0,I).trim();if(z)A.add(z)}return Array.from(A)}function aX(Y,Z){if(!Y)return;let X=u(Y);for(let[L,$]of Object.entries(X)){if(!L.startsWith("es.sso.")||!L.endsWith(".state"))continue;try{let A=JSON.parse(atob($));if(A?.state===Z)return{clientId:L.slice(7,-6),stateCookie:A}}catch{}}return}function oX(Y,Z,X,L){if(!X&&!L)return;let $={...X,...L},A=!!($.authority&&$.tokenUrl&&$.authorizationUrl&&$.clientId&&$.redirectUri&&$.scope),N={...$,authority:A?O($.authority,"Missing 'authority' from SSO Config"):$.authority,tokenUrl:A?O($.tokenUrl,"Missing 'tokenUrl' from SSO Config"):$.tokenUrl,authorizationUrl:A?O($.authorizationUrl,"Missing 'authorizationUrl' from SSO Config"):$.authorizationUrl,clientId:A?O($.clientId,"Missing 'clientId' from SSO Config"):$.clientId,redirectUri:A?O($.redirectUri,"Missing 'redirectUri' from SSO Config"):$.redirectUri,scope:A?O($.scope,"Missing 'scope' from SSO Config"):$.scope,responseType:$.responseType??"code",cookiesSecure:$.cookiesSecure!==void 0?$.cookiesSecure:!0,cookiesSameSite:$.cookiesSameSite!==void 
0?$.cookiesSameSite:"Strict",cookiesPrefix:$.cookiesPrefix??($.clientId?`es.sso.${$.clientId}`:"es.sso"),cookiesPath:$.cookiesPath??"/"};function W(){let B=[];if(!N.authority)B.push("authority");if(!N.tokenUrl)B.push("tokenUrl");if(!N.authorizationUrl)B.push("authorizationUrl");if(!N.clientId)B.push("clientId");if(!N.redirectUri)B.push("redirectUri");if(!N.scope)B.push("scope");if(B.length>0)throw Error(`Missing OIDC configuration fields: ${B.join(", ")}. OIDC configuration is required for SSO operations. Please provide these fields either in your vault configuration or in the SSO config when initializing enterpriseStandard.`)}async function I(B){if(!N)throw Error("Enterprise Standard SSO Manager not initialized");try{let{tokens:G}=await g(B);if(!G)return;return await f(G)}catch(G){if(!EX(G))console.error("Error parsing user from cookies:",G);return}}async function z(B){let G=await I(B);if(G)return G;throw new Response("Unauthorized",{status:401,statusText:"Unauthorized"})}async function R({landingUrl:B,errorUrl:G},Q){if(!N)throw Error("Enterprise Standard SSO Manager not initialized");W();let S=O(N.redirectUri,"Missing 'redirectUri' from SSO Config"),K=O(N.authorizationUrl,"Missing 'authorizationUrl' from SSO Config"),V=O(N.clientId,"Missing 'clientId' from SSO Config"),F=O(N.scope,"Missing 'scope' from SSO Config"),J=i(),H=i(64),M=S;try{new URL(M)}catch{if(Q)try{let D=new URL(Q),j=M.startsWith("//")?M.slice(1):M.startsWith("/")?M:`/${M}`;M=new URL(j,D.origin).toString()}catch{try{let D=new URL(K),j=M.startsWith("//")?M.slice(1):M.startsWith("/")?M:`/${M}`;M=new URL(j,D.origin).toString()}catch{throw Error(`Invalid redirectUri: "${S}". 
It must be a valid absolute URL.`)}}}let E=new URL(K);E.searchParams.append("client_id",V),E.searchParams.append("redirect_uri",M),E.searchParams.append("response_type","code"),E.searchParams.append("scope",F),E.searchParams.append("state",J);let P=await SX(H);E.searchParams.append("code_challenge",P),E.searchParams.append("code_challenge_method","S256");let _={state:J,codeVerifier:H,landingUrl:B,errorUrl:G};return new Response("Redirecting to SSO Provider",{status:302,headers:{Location:E.toString(),"Set-Cookie":k("state",_,86400)}})}async function h(B,G){if(!N)throw Error("Enterprise Standard SSO Manager not initialized");try{let J=C("refresh",B);if(J)await QX(J)}catch(J){console.warn("Failed to revoke token:",J)}if(N.sessionStore)try{let J=await I(B);if(J?.sso?.profile.sid){let H=J.sso.profile.sid;await N.sessionStore.delete(H)}}catch(J){console.warn("Failed to delete session:",J)}let Q=[["Set-Cookie",q("access")],["Set-Cookie",q("id")],["Set-Cookie",q("refresh")],["Set-Cookie",q("control")],["Set-Cookie",q("state")]],K=new URL(B.url).searchParams.get("redirect");if(K)return new Response("Logged out",{status:302,headers:[["Location",K],...Q]});let V=B.headers.get("accept");if(V?.includes("application/json")||V?.includes("text/javascript"))return new Response(JSON.stringify({success:!0,message:"Logged out"}),{status:200,headers:[["Content-Type","application/json"],...Q]});else return new Response(`
4
- <!DOCTYPE html><html lang="en"><body>
5
- <h1>Logout Complete</h1>
6
- <div style="display: none">
7
- It is not recommended to show the default logout page. Include '?redirect=/someHomePage' or logout asynchronously.
8
- Check the <a href="https://EnterpriseStandard.com/sso#logout">Enterprise Standard Packages</a> for more information.
9
- </div>
10
- </body></html>
11
- `,{status:200,headers:[["Content-Type","text/html"],...Q]})}async function T(B){if(!N)throw Error("Enterprise Standard SSO Manager not initialized");if(!N.sessionStore)throw Error("Back-Channel Logout requires sessionStore configuration");try{let G=B.headers.get("content-type");if(!G||!G.includes("application/x-www-form-urlencoded"))return new Response("Invalid Content-Type, expected application/x-www-form-urlencoded",{status:400});let Q=await B.text(),K=new URLSearchParams(Q).get("logout_token");if(!K)return new Response("Missing logout_token parameter",{status:400});let F=(await t(K)).sid;if(!F)return console.warn("Back-Channel Logout: logout_token missing sid claim"),new Response("Invalid logout_token: missing sid claim",{status:400});return await N.sessionStore.delete(F),console.log(`Back-Channel Logout: successfully deleted session ${F}`),new Response("OK",{status:200})}catch(G){return console.error("Error during back-channel logout:",G),new Response("Internal Server Error",{status:500})}}async function U(B){if(!N)throw Error("Enterprise Standard SSO Manager not initialized");let G=new URL(B.url),Q=new URLSearchParams(G.search),S=Object.fromEntries(Q.entries()),K=await Y.callbackParams.validate(S);if(K.issues)return XX(K.issues,"OIDC callback parameters validation failed");let{code:V,state:F}=K.value;try{let J=C("state",B,!0),{codeVerifier:H,state:M,landingUrl:E}=J??{};if(O(H,'OIDC "codeVerifier" was not present in cookies, ensure that the SSO login was initiated correctly'),O(M,'OIDC "stateVerifier" was not present in cookies, ensure that the SSO login was initiated correctly'),O(E,'OIDC "landingUrl" was not present in cookies'),F!==M)throw Error('SSO State Verifier failed, the "state" request parameter does not equal the "state" in the SSO cookie');let P=N.cookiesSecure?B.url.replace(/^http:\/\//,"https://"):B.url,_=await GX(V,H,P),D=await f(_);if(N.sessionStore)try{let j=D.sso.profile.sid,x=D.id;if(j&&x){let y={sid:j,sub:x,createdAt:new 
Date,lastActivityAt:new Date};await N.sessionStore.create(y)}else console.warn("Session creation skipped: missing sid or sub in ID token claims")}catch(j){console.warn("Failed to create session:",j)}if(N.userStore)try{let j=D.id;if(j){let x=new Date,y=await N.userStore.get(j);if(y||N.enableJitUserProvisioning){let FX={...y??{},...D,id:j,tenantId:y?.tenantId,createdAt:y?.createdAt??x,updatedAt:x};await N.userStore.upsert(FX)}else console.warn("JIT user provisioning disabled: user not found in store and will not be created")}else console.warn("User storage skipped: missing sub in ID token claims")}catch(j){console.warn("Failed to store user:",j)}return new Response("Authentication successful, redirecting",{status:302,headers:[["Location",E],["Set-Cookie",q("state")],...c(_,D.sso.expires)]})}catch(J){console.error("Error during sign-in callback:",J);try{let H=C("state",B,!0),{errorUrl:M}=H??{};if(M)return new Response("Redirecting to error url",{status:302,headers:[["Location",M]]})}catch(H){console.warn("Error parsing the errorUrl from the OIDC cookie")}return console.warn("No error page was found in the cookies. 
The user will be shown a default error page."),new Response("An error occurred during authentication, please return to the application homepage and try again.",{status:500})}}async function f(B){if(!N)throw Error("Enterprise Standard SSO Manager not initialized");let G=await t(B.id_token),Q=Number(B.refresh_expires_in??B.expires_in??3600),S=B.expires?new Date(B.expires):new Date(Date.now()+Q*1000);return{id:G.sub,userName:G.preferred_username||"",name:G.name||"",email:G.email||"",emails:[{value:G.email||"",primary:!0}],avatar:G.picture,sso:{profile:{...G,iss:G.iss||N.authority,aud:G.aud||N.clientId},tenant:{id:G.idp||G.iss||N.authority||"",name:G.iss||N.authority||""},scope:B.scope,tokenType:B.token_type,sessionState:B.session_state,expires:S}}}async function LX(B){if(!N.userStore)return B;let G=await N.userStore.lookup(B);if(!G)return B;return{...B,...G,id:B.id,sso:B.sso}}async function GX(B,G,Q){if(!N)throw Error("Enterprise Standard SSO Manager not initialized");W();let S=O(N.tokenUrl,"Missing 'tokenUrl' from SSO Config"),K=O(N.redirectUri,"Missing 'redirectUri' from SSO Config"),V=O(N.clientId,"Missing 'clientId' from SSO Config"),F=K;try{new URL(F)}catch{if(Q)try{let H=new URL(Q),M=F.startsWith("//")?F.slice(1):F.startsWith("/")?F:`/${F}`;F=new URL(M,H.origin).toString()}catch{try{let H=new URL(S),M=F.startsWith("//")?F.slice(1):F.startsWith("/")?F:`/${F}`;F=new URL(M,H.origin).toString()}catch{throw Error(`Invalid redirectUri: "${K}". 
It must be a valid absolute URL.`)}}}let J=new URLSearchParams;if(J.append("grant_type","authorization_code"),J.append("code",B),J.append("redirect_uri",F),J.append("client_id",V),N.clientSecret)J.append("client_secret",N.clientSecret);J.append("code_verifier",G);try{let H=await fetch(S,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"},body:J.toString()}),M=await H.json();if(!H.ok){console.error("Token exchange error:",M);let P=M;throw Error(`Token exchange failed: ${P.error||H.statusText} - ${P.error_description||""}`.trim())}let E=await Y.tokenResponse.validate(M);if(E.issues)throw console.error("Token response validation failed:",E.issues),Error(`Token response validation failed: ${E.issues}`);return E.value}catch(H){throw console.error("Error during token exchange:",H),H}}async function n(B){return d(async()=>{if(!N)throw Error("Enterprise Standard SSO Manager not initialized");W();let G=O(N.tokenUrl,"Missing 'tokenUrl' from SSO Config"),Q=O(N.clientId,"Missing 'clientId' from SSO Config"),S=new URLSearchParams;S.append("grant_type","refresh_token"),S.append("refresh_token",B),S.append("client_id",Q);let K=await fetch(G,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"},body:S.toString()}),V=await K.json();if(!K.ok){console.error("Token refresh error:",V);let F=V;throw Error(`Token refresh failed: ${F.error||K.statusText} - ${F.error_description||""}`.trim())}return V})}async function QX(B){try{if(!N)throw Error("Enterprise Standard SSO Manager not initialized");if(!N.revocationEndpoint)return;let G=O(N.clientId,"Missing 'clientId' from SSO Config"),Q=new URLSearchParams;Q.append("token",B),Q.append("token_type_hint","refresh_token"),Q.append("client_id",G);let S=await fetch(N.revocationEndpoint,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:Q.toString()});if(!S.ok)console.warn("Token revocation 
failed:",S.status,S.statusText);else console.log("Token revoked successfully")}catch(G){console.warn("Error revoking token:",G)}}async function AX(){if(!N)throw Error("Enterprise Standard SSO Manager not initialized");let B=N.authority;if(!N.jwksUri&&!B)throw Error("Missing 'jwksUri' or 'authority' from SSO Config. OIDC configuration is required for this operation.");let G=N.jwksUri||`${B}/protocol/openid-connect/certs`;return m(G)}async function t(B){let G=B.split(".");if(G.length!==3)throw Error("Invalid JWT");let Q=JSON.parse(atob(G[0].replace(/-/g,"+").replace(/_/g,"/"))),S=JSON.parse(atob(G[1].replace(/-/g,"+").replace(/_/g,"/"))),K=G[2].replace(/-/g,"+").replace(/_/g,"/"),V=await WX(Q.kid),J=new TextEncoder().encode(`${G[0]}.${G[1]}`);if(!await crypto.subtle.verify("RSASSA-PKCS1-v1_5",V,Uint8Array.from(atob(K),(E)=>E.charCodeAt(0)),J))throw Error("Invalid JWT signature");let M=await Y.idTokenClaims.validate(S);if(M.issues)throw console.error("ID token claims validation failed:",M.issues),Error(`ID token claims validation failed: ${M.issues}`);return M.value}function i(B=32){let G=new Uint8Array(B);return crypto.getRandomValues(G),Array.from(G,(Q)=>Q.toString(16).padStart(2,"0")).join("").substring(0,B)}async function SX(B){let Q=new TextEncoder().encode(B),S=await crypto.subtle.digest("SHA-256",Q),K=Array.from(new Uint8Array(S));return btoa(String.fromCharCode(...K)).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"")}async function WX(B){let G=N.authority,Q=N.jwksUri||(G?`${G}/protocol/openid-connect/certs`:void 0);if(!Q)throw Error("Missing 'jwksUri' or 'authority' from SSO Config. 
OIDC configuration is required for this operation.");return NX(Q,B)}function c(B,G){let Q=G instanceof Date?G:new Date(G);if(Number.isNaN(Q.getTime()))throw Error(`Invalid SSO token expiry: ${String(G)}`);let S={expires_in:B.expires_in,refresh_expires_in:B.refresh_expires_in,scope:B.scope,session_state:B.session_state,token_type:B.token_type,expires:Q.toISOString()};return[["Set-Cookie",k("access",B.access_token,Q)],["Set-Cookie",k("id",B.id_token,Q)],["Set-Cookie",k("refresh",B.refresh_token??"",Q)],["Set-Cookie",k("control",S,Q)]]}async function g(B){let G=C("access",B),Q=C("id",B),S=C("refresh",B),K=C("control",B,!0);if(!G||!Q||!S||!K)return{tokens:void 0,refreshHeaders:[]};let V={access_token:G,id_token:Q,refresh_token:S,...K};if(K.expires&&S&&Date.now()>new Date(K.expires).getTime()){V=await n(S);let F=await f(V),J=c(V,F.sso.expires);return{tokens:V,refreshHeaders:J}}return{tokens:V,refreshHeaders:[]}}async function MX(B){let{tokens:G}=await g(B);if(!G)return;return G.access_token}function k(B,G,Q){if(!N)throw Error("Enterprise Standard SSO Manager not initialized");if(B=`${N.cookiesPrefix}.${B}`,typeof G!=="string")G=btoa(JSON.stringify(G));let S;if(Q instanceof Date)S=`Expires=${Q.toUTCString()}`;else if(typeof Q==="number")S=`Max-Age=${Q}`;else throw Error("Invalid expires type",Q);if(G.length>4000)throw Error(`Error setting cookie: ${B}. Cookie length is: ${G.length}`);return`${B}=${G}; ${S}; Path=${N.cookiesPath}; HttpOnly;${N.cookiesSecure?" Secure;":""} SameSite=${N.cookiesSameSite};`}function q(B){if(!N)throw Error("Enterprise Standard SSO Manager not initialized");return`${N.cookiesPrefix}.${B}=; Max-Age=0; Path=${N.cookiesPath}; HttpOnly;${N.cookiesSecure?" 
Secure;":""} SameSite=${N.cookiesSameSite};`}function C(B,G,Q=!1){if(!N)throw Error("Enterprise Standard SSO Manager not initialized");let S=G.headers.get("cookie");if(!S)return null;let K=S.split(";").find((J)=>J.trim().startsWith(`${N.cookiesPrefix}.${B}=`));if(!K)return null;let V=K.split("=")[1].trim();if(!Q)return V;let F=atob(V);return JSON.parse(F)}async function KX(B,G){if(!N)throw Error("Enterprise Standard SSO Manager not initialized");let{loginUrl:Q,userUrl:S,errorUrl:K,landingUrl:V,tokenUrl:F,refreshUrl:J,logoutUrl:H,logoutBackChannelUrl:M,jwksUrl:E,redirectUri:P}={...N,...G},_=new URL(B.url).pathname;if(P){let D;try{D=new URL(P).pathname}catch{try{let j=new URL(B.url),x=P.startsWith("//")?P.slice(1):P;D=new URL(x,j.origin).pathname}catch{D=P.startsWith("/")?P:`/${P}`}}if(D===_)return U(B)}if(Q===_){let D=N.cookiesSecure?B.url.replace(/^http:\/\//,"https://"):B.url;return R({landingUrl:V||"/",errorUrl:K},D)}if(S===_){let{tokens:D,refreshHeaders:j}=await g(B);if(!D)return new Response("User not logged in",{status:401});let x=await f(D),y=await LX(x);return new Response(JSON.stringify(y),{headers:[["Content-Type","application/json"],...j]})}if(F===_){let{tokens:D,refreshHeaders:j}=await g(B);if(!D)return new Response("User not logged in",{status:401});return new Response(JSON.stringify({token:D.access_token,expires:D.expires}),{headers:[["Content-Type","application/json"],...j]})}if(J===_){let D=C("refresh",B);if(!D)return new Response("User not logged in",{status:401});let j=await n(D),x=await f(j),y=c(j,x.sso.expires);return new Response("Refresh Complete",{status:200,headers:y})}if(H===_)return h(B,{landingUrl:V||"/"});if(M===_)return T(B);if(E===_){let D=await AX();return new Response(JSON.stringify(D),{headers:[["Content-Type","application/json"]]})}return new Response("Not Found",{status:404})}return{...N,getUser:I,getRequiredUser:z,getJwt:MX,initiateLogin:R,logout:h,logoutBackChannel:T,callbackHandler:U,handler:KX}}function u(Y){let 
Z={},X=Y.split(";");for(let L of X){let $=L.trim();if(!$)continue;let A=$.indexOf("=");if(A===-1)continue;let N=$.slice(0,A).trim(),W=$.slice(A+1).trim();Z[N]=W}return Z}function EX(Y){if(!(Y instanceof Error))return!1;return["Public key not found","Invalid JWT","Invalid JWT signature"].some((Z)=>Y.message.includes(Z))}function v(Y){return Y=Y??"SSO Unavailable",new Response(JSON.stringify({error:Y}),{status:503,statusText:Y,headers:{"Content-Type":"application/json"}})}function BX(Y){if(!Y)return[];let Z=Y.headers;if(Z.getSetCookie)return Z.getSetCookie();let X=Y.headers.get("set-cookie");return X?[X]:[]}function TX(Y,Z){let X=new Headers;Y.headers.forEach((L,$)=>{if($.toLowerCase()!=="set-cookie")X.set($,L)});for(let L of Z)X.append("Set-Cookie",L);return new Response(Y.body,{status:Y.status,statusText:Y.statusText,headers:X})}var b="EnterpriseStandard instance is required. Create one with enterpriseStandard(source, config) and pass it to this function.";async function sX(Y,Z){return O(Z,b),Z.sso?.getUser(Y)}async function PX(Y,Z){O(Z,b);let X=Z.log??YX;X.debug?.("getUser called",{hasInstance:!0,hasSso:!!Z.sso,hasCiam:!!Z.ciam});let L=await Z.sso?.getUser(Y);if(L)return X.debug?.("Found SSO user",{email:L.email}),L;X.debug?.("No SSO user, trying CIAM");let $=await Z.ciam?.getUser(Y);return X.debug?.("CIAM user result",{email:$?.email??void 0}),$}async function rX(Y,Z){let X=await PX(Y,Z);if(X)return X;throw new Response("Unauthorized",{status:401,statusText:"Unauthorized"})}async function eX(Y,Z){O(Z,b);let X=Z.sso;if(!X)return v();return X.initiateLogin(Y)}async function XY(Y,Z){O(Z,b);let X=Z.sso;if(!X)return v();return X.callbackHandler(Y)}async function YY(Y,Z){O(Z,b);let{sso:X,ciam:L}=Z;if(!X&&!L)return v("Logout Unavailable");let $=X?await X.logout(Y,{landingUrl:"/"}):void 0,A=L?await L.logout(Y):void 0,N=$??A;if(!N)return v("Logout Unavailable");let W=[...BX($),...BX(A)];return TX(N,W)}async function ZY(Y,Z){O(Z,b);let{sso:X,ciam:L}=Z;if(!X&&!L)return 
v("Back-Channel Logout Unavailable");let $=Y.clone(),A=Y.clone(),N=X?await X.logoutBackChannel($):void 0;if(N?.status===200)return N;let W=L?await L.logoutBackChannel(A):void 0;if(W)return W;return N??v("Back-Channel Logout Unavailable")}var l;function NY(Y){l=Y}function _X(Y,Z){if(!l)throw Error("Tenant config hydration is not registered. Import @enterprisestandard/server before using tenant.config().");return l(Y.configSource,Z)}function BY(Y){let Z=Y.configSource;return{...Y,config:(X)=>_X({configSource:Z},X)}}
12
- export{zX as a,IX as b,a as c,e as d,O as e,XX as f,wX as g,JX as h,yX as i,r as j,RX as k,OX as l,bX as m,YX as n,UX as o,fX as p,kX as q,gX as r,m as s,$X as t,lX as u,nX as v,tX as w,iX as x,aX as y,oX as z,sX as A,PX as B,rX as C,eX as D,XY as E,YY as F,ZY as G,NY as H,_X as I,BY as J};