@every-app/sdk 0.1.10 → 0.1.12

package/dist/core/authenticatedFetch.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authenticatedFetch.d.ts","sourceRoot":"","sources":["../../src/core/authenticatedFetch.ts"],"names":[],"mappings":"AAQA;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC,CAevD;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,IAAI,CAAC,EAAE,WAAW,GACjB,OAAO,CAAC,QAAQ,CAAC,CAUnB"}
+{"version":3,"file":"authenticatedFetch.d.ts","sourceRoot":"","sources":["../../src/core/authenticatedFetch.ts"],"names":[],"mappings":"AAaA;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC,CAmBvD;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,IAAI,CAAC,EAAE,WAAW,GACjB,OAAO,CAAC,QAAQ,CAAC,CAUnB"}

package/dist/core/authenticatedFetch.js

@@ -1,7 +1,11 @@
+import { BYPASS_GATEWAY_LOCAL_ONLY_TOKEN, isBypassGatewayLocalOnlyClient, } from "../shared/bypassGatewayLocalOnly.js";
 /**
  * Gets the current session token from the embedded session manager
  */
 export async function getSessionToken() {
+    if (isBypassGatewayLocalOnlyClient()) {
+        return BYPASS_GATEWAY_LOCAL_ONLY_TOKEN;
+    }
     const windowWithSession = window;
     const sessionManager = windowWithSession.__embeddedSessionManager;
     if (!sessionManager) {

package/dist/core/index.d.ts

@@ -1,4 +1,4 @@
-export { SessionManager, isRunningInIframe } from "./sessionManager.js";
-export type { SessionManagerConfig } from "./sessionManager.js";
+export { SessionManager, isRunningInIframe, isRunningInReactNativeWebView, detectEnvironment, } from "./sessionManager.js";
+export type { SessionManagerConfig, EmbeddedEnvironment, } from "./sessionManager.js";
 export { authenticatedFetch, getSessionToken } from "./authenticatedFetch.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/core/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxE,YAAY,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAEhE,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EACd,iBAAiB,EACjB,6BAA6B,EAC7B,iBAAiB,GAClB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC"}

package/dist/core/index.js

@@ -1,2 +1,2 @@
-export { SessionManager, isRunningInIframe } from "./sessionManager.js";
+export { SessionManager, isRunningInIframe, isRunningInReactNativeWebView, detectEnvironment, } from "./sessionManager.js";
 export { authenticatedFetch, getSessionToken } from "./authenticatedFetch.js";

package/dist/core/sessionManager.d.ts

@@ -1,20 +1,45 @@
 export interface SessionManagerConfig {
     appId: string;
 }
+/**
+ * Environment detection types
+ */
+export type EmbeddedEnvironment = "iframe" | "react-native-webview" | "standalone";
 /**
  * Detects whether the current window is running inside an iframe.
  * Returns true if in an iframe, false if running as top-level window.
  */
 export declare function isRunningInIframe(): boolean;
+/**
+ * Detects whether the current window is running inside a React Native WebView.
+ * Returns true if window.ReactNativeWebView is available.
+ */
+export declare function isRunningInReactNativeWebView(): boolean;
+/**
+ * Detects the current embedded environment.
+ * Priority: React Native WebView > iframe > standalone
+ */
+export declare function detectEnvironment(): EmbeddedEnvironment;
 export declare class SessionManager {
     readonly parentOrigin: string;
     readonly appId: string;
     readonly isInIframe: boolean;
+    readonly environment: EmbeddedEnvironment;
+    readonly isBypassGatewayLocalOnly: boolean;
     private token;
     private refreshPromise;
+    private tokenWaiters;
     constructor(config: SessionManagerConfig);
+    /**
+     * Check if running in an embedded environment (iframe or React Native WebView)
+     */
+    isEmbedded(): boolean;
+    isTrustedHostMessage(event: MessageEvent): boolean;
+    postToHost(message: object): void;
     private isTokenExpiringSoon;
     private postMessageWithResponse;
+    private setupReactNativeTokenListener;
+    private waitForReactNativeTokenPush;
     requestNewToken(): Promise<string>;
     getToken(): Promise<string>;
     getTokenState(): {

package/dist/core/sessionManager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sessionManager.d.ts","sourceRoot":"","sources":["../../src/core/sessionManager.ts"],"names":[],"mappings":"AAWA,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;CACf;AAMD;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAQ3C;AAED,qBAAa,cAAc;IACzB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;IAE7B,OAAO,CAAC,KAAK,CAA6B;IAC1C,OAAO,CAAC,cAAc,CAAgC;gBAE1C,MAAM,EAAE,oBAAoB;IAqBxC,OAAO,CAAC,mBAAmB;IAO3B,OAAO,CAAC,uBAAuB;IAuCzB,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC;IA8ClC,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;IAOjC,aAAa,IAAI;QACf,MAAM,EAAE,UAAU,GAAG,OAAO,GAAG,SAAS,GAAG,YAAY,CAAC;QACxD,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;KACtB;IAgBD;;;OAGG;IACH,OAAO,IAAI;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;CAwBpD"}
+{"version":3,"file":"sessionManager.d.ts","sourceRoot":"","sources":["../../src/core/sessionManager.ts"],"names":[],"mappings":"AAiEA,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;CACf;AAOD;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAC3B,QAAQ,GACR,sBAAsB,GACtB,YAAY,CAAC;AAEjB;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAY3C;AAED;;;GAGG;AACH,wBAAgB,6BAA6B,IAAI,OAAO,CASvD;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,mBAAmB,CAWvD;AAED,qBAAa,cAAc;IACzB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;IAC7B,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAC;IAC1C,QAAQ,CAAC,wBAAwB,EAAE,OAAO,CAAC;IAE3C,OAAO,CAAC,KAAK,CAA6B;IAC1C,OAAO,CAAC,cAAc,CAAgC;IACtD,OAAO,CAAC,YAAY,CAIZ;gBAEI,MAAM,EAAE,oBAAoB;IAyCxC;;OAEG;IACH,UAAU,IAAI,OAAO;IAIrB,oBAAoB,CAAC,KAAK,EAAE,YAAY,GAAG,OAAO;IAelD,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAiBjC,OAAO,CAAC,mBAAmB;IAO3B,OAAO,CAAC,uBAAuB;IA+C/B,OAAO,CAAC,6BAA6B;IAgErC,OAAO,CAAC,2BAA2B;IAmB7B,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC;IAgElC,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;IAcjC,aAAa,IAAI;QACf,MAAM,EAAE,UAAU,GAAG,OAAO,GAAG,SAAS,GAAG,YAAY,CAAC;QACxD,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;KACtB;IAgBD;;;OAGG;IACH,OAAO,IAAI;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;CA0BpD"}

package/dist/core/sessionManager.js

@@ -1,11 +1,47 @@
+import { BYPASS_GATEWAY_LOCAL_ONLY_EMAIL, BYPASS_GATEWAY_LOCAL_ONLY_TOKEN, BYPASS_GATEWAY_LOCAL_ONLY_USER_ID, isBypassGatewayLocalOnlyClient, } from "../shared/bypassGatewayLocalOnly.js";
+import { parseMessagePayload } from "../shared/parseMessagePayload.js";
+function isTokenUpdateMessage(data) {
+    if (!data || typeof data !== "object" || Array.isArray(data)) {
+        return false;
+    }
+    return data.type === "SESSION_TOKEN_UPDATE";
+}
+function decodeJwtPayload(token) {
+    try {
+        const parts = token.split(".");
+        if (parts.length !== 3) {
+            return null;
+        }
+        const base64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+        const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
+        return JSON.parse(atob(padded));
+    }
+    catch {
+        return null;
+    }
+}
+function tokenAudienceMatchesApp(payload, appId) {
+    const aud = payload.aud;
+    if (typeof aud === "string") {
+        return aud === appId;
+    }
+    if (Array.isArray(aud)) {
+        return aud.some((value) => value === appId);
+    }
+    return false;
+}
 const MESSAGE_TIMEOUT_MS = 5000;
 const TOKEN_EXPIRY_BUFFER_MS = 10000;
 const DEFAULT_TOKEN_LIFETIME_MS = 60000;
+const REACT_NATIVE_TOKEN_WAIT_TIMEOUT_MS = 10000;
 /**
  * Detects whether the current window is running inside an iframe.
  * Returns true if in an iframe, false if running as top-level window.
  */
 export function isRunningInIframe() {
+    if (typeof window === "undefined") {
+        return false;
+    }
     try {
         return window.self !== window.top;
     }
@@ -15,29 +51,101 @@ export function isRunningInIframe() {
         return true;
     }
 }
+/**
+ * Detects whether the current window is running inside a React Native WebView.
+ * Returns true if window.ReactNativeWebView is available.
+ */
+export function isRunningInReactNativeWebView() {
+    if (typeof window === "undefined") {
+        return false;
+    }
+    return (typeof window.ReactNativeWebView?.postMessage === "function" ||
+        window.isReactNativeWebView === true);
+}
+/**
+ * Detects the current embedded environment.
+ * Priority: React Native WebView > iframe > standalone
+ */
+export function detectEnvironment() {
+    const isRNWebView = isRunningInReactNativeWebView();
+    const isIframe = isRunningInIframe();
+    if (isRNWebView) {
+        return "react-native-webview";
+    }
+    if (isIframe) {
+        return "iframe";
+    }
+    return "standalone";
+}
 export class SessionManager {
     parentOrigin;
     appId;
     isInIframe;
+    environment;
+    isBypassGatewayLocalOnly;
     token = null;
     refreshPromise = null;
+    tokenWaiters = [];
     constructor(config) {
         if (!config.appId) {
             throw new Error("[SessionManager] appId is required.");
         }
+        this.isBypassGatewayLocalOnly = isBypassGatewayLocalOnlyClient();
         const gatewayUrl = import.meta.env.VITE_GATEWAY_URL;
-        if (!gatewayUrl) {
-            throw new Error("[SessionManager] VITE_GATEWAY_URL env var is required.");
-        }
-        try {
-            new URL(gatewayUrl);
-        }
-        catch {
-            throw new Error(`[SessionManager] Invalid gateway URL: ${gatewayUrl}`);
+        if (!this.isBypassGatewayLocalOnly) {
+            if (!gatewayUrl) {
+                throw new Error("[SessionManager] VITE_GATEWAY_URL env var is required.");
+            }
+            try {
+                new URL(gatewayUrl);
+            }
+            catch {
+                throw new Error(`[SessionManager] Invalid gateway URL: ${gatewayUrl}`);
+            }
         }
         this.appId = config.appId;
-        this.parentOrigin = gatewayUrl;
+        this.parentOrigin = this.isBypassGatewayLocalOnly
+            ? window.location.origin
+            : gatewayUrl;
+        this.environment = detectEnvironment();
         this.isInIframe = isRunningInIframe();
+        if (this.environment === "react-native-webview") {
+            this.setupReactNativeTokenListener();
+        }
+        if (this.isBypassGatewayLocalOnly) {
+            this.token = {
+                token: BYPASS_GATEWAY_LOCAL_ONLY_TOKEN,
+                expiresAt: Date.now() + DEFAULT_TOKEN_LIFETIME_MS,
+            };
+        }
+    }
+    /**
+     * Check if running in an embedded environment (iframe or React Native WebView)
+     */
+    isEmbedded() {
+        return this.environment !== "standalone";
+    }
+    isTrustedHostMessage(event) {
+        if (this.environment === "react-native-webview") {
+            const origin = event
+                .origin;
+            return (origin === "react-native" ||
+                origin === "null" ||
+                origin === "" ||
+                origin == null);
+        }
+        return event.origin === this.parentOrigin;
+    }
+    postToHost(message) {
+        if (this.environment === "react-native-webview") {
+            const postMessage = window.ReactNativeWebView?.postMessage;
+            if (typeof postMessage !== "function") {
+                throw new Error("React Native WebView bridge is unavailable");
+            }
+            postMessage.call(window.ReactNativeWebView, JSON.stringify(message));
+            return;
+        }
+        window.parent.postMessage(message, this.parentOrigin);
     }
     isTokenExpiringSoon(bufferMs = TOKEN_EXPIRY_BUFFER_MS) {
         if (!this.token)
@@ -51,20 +159,19 @@ export class SessionManager {
                 window.removeEventListener("message", handler);
             };
             const handler = (event) => {
-                // Security: reject messages from wrong origin (including null from sandboxed iframes)
-                if (event.origin !== this.parentOrigin)
+                // Security: validate message origin based on environment
+                if (!this.isTrustedHostMessage(event))
                     return;
-                // Safety: ignore malformed messages that could crash the handler
-                if (!event.data || typeof event.data !== "object")
+                const data = parseMessagePayload(event.data);
+                if (!data)
                     return;
-                if (event.data.type === responseType &&
-                    event.data.requestId === requestId) {
+                if (data.type === responseType && data.requestId === requestId) {
                     cleanup();
-                    if (event.data.error) {
-                        reject(new Error(event.data.error));
+                    if (typeof data.error === "string" && data.error) {
+                        reject(new Error(data.error));
                     }
                     else {
-                        resolve(event.data);
+                        resolve(data);
                     }
                 }
             };
@@ -73,13 +180,99 @@ export class SessionManager {
                 reject(new Error("Token request timeout - parent did not respond"));
             }, MESSAGE_TIMEOUT_MS);
             window.addEventListener("message", handler);
-            window.parent.postMessage(request, this.parentOrigin);
+            try {
+                this.postToHost(request);
+            }
+            catch (error) {
+                cleanup();
+                reject(error instanceof Error
+                    ? error
+                    : new Error("Failed to post message to host"));
+            }
+        });
+    }
+    setupReactNativeTokenListener() {
+        window.addEventListener("message", (event) => {
+            if (!this.isTrustedHostMessage(event)) {
+                return;
+            }
+            const data = parseMessagePayload(event.data);
+            if (!data) {
+                return;
+            }
+            if (!isTokenUpdateMessage(data)) {
+                return;
+            }
+            const message = data;
+            if (!message.token || typeof message.token !== "string") {
+                return;
+            }
+            if (typeof message.appId !== "string" || message.appId !== this.appId) {
+                return;
+            }
+            if (message.expiresAt !== undefined &&
+                typeof message.expiresAt !== "string") {
+                return;
+            }
+            const payload = decodeJwtPayload(message.token);
+            if (!payload || !tokenAudienceMatchesApp(payload, this.appId)) {
+                return;
+            }
+            // Native controls token minting and pushes updates into the embedded app.
+            // We only consume pushed tokens in React Native WebView mode.
+            let expiresAt = Date.now() + DEFAULT_TOKEN_LIFETIME_MS;
+            if (message.expiresAt) {
+                const parsed = new Date(message.expiresAt).getTime();
+                if (!Number.isNaN(parsed)) {
+                    expiresAt = parsed;
+                }
+            }
+            this.token = {
+                token: message.token,
+                expiresAt,
+            };
+            if (this.tokenWaiters.length > 0) {
+                const waiters = this.tokenWaiters;
+                this.tokenWaiters = [];
+                for (const waiter of waiters) {
+                    clearTimeout(waiter.timeout);
+                    waiter.resolve(message.token);
+                }
+            }
+        });
+    }
+    waitForReactNativeTokenPush() {
+        if (this.token && !this.isTokenExpiringSoon()) {
+            return Promise.resolve(this.token.token);
+        }
+        return new Promise((resolve, reject) => {
+            const timeout = setTimeout(() => {
+                this.tokenWaiters = this.tokenWaiters.filter((w) => w.timeout !== timeout);
+                reject(new Error("Timed out waiting for token from React Native bridge"));
+            }, REACT_NATIVE_TOKEN_WAIT_TIMEOUT_MS);
+            this.tokenWaiters.push({ resolve, reject, timeout });
         });
     }
     async requestNewToken() {
+        if (this.isBypassGatewayLocalOnly) {
+            this.token = {
+                token: BYPASS_GATEWAY_LOCAL_ONLY_TOKEN,
+                expiresAt: Date.now() + DEFAULT_TOKEN_LIFETIME_MS,
+            };
+            return this.token.token;
+        }
         if (this.refreshPromise) {
             return this.refreshPromise;
         }
+        if (this.environment === "react-native-webview") {
+            this.refreshPromise = this.waitForReactNativeTokenPush();
+            try {
+                return await this.refreshPromise;
+            }
+            finally {
+                this.refreshPromise = null;
+            }
+        }
         this.refreshPromise = (async () => {
             const requestId = crypto.randomUUID();
             const response = await this.postMessageWithResponse({
@@ -112,6 +305,12 @@ export class SessionManager {
         }
     }
     async getToken() {
+        if (this.isBypassGatewayLocalOnly) {
+            if (!this.token || this.isTokenExpiringSoon()) {
+                return this.requestNewToken();
+            }
+            return this.token.token;
+        }
         if (this.isTokenExpiringSoon()) {
             return this.requestNewToken();
         }
@@ -134,25 +333,25 @@ export class SessionManager {
      * Returns null if no valid token is available.
      */
     getUser() {
+        if (this.isBypassGatewayLocalOnly) {
+            return {
+                userId: BYPASS_GATEWAY_LOCAL_ONLY_USER_ID,
+                email: BYPASS_GATEWAY_LOCAL_ONLY_EMAIL,
+            };
+        }
         if (!this.token) {
             return null;
         }
-        try {
-            const parts = this.token.token.split(".");
-            if (parts.length !== 3) {
-                return null;
-            }
-            const payload = JSON.parse(atob(parts[1]));
-            if (!payload.sub) {
-                return null;
-            }
-            return {
-                userId: payload.sub,
-                email: payload.email ?? "",
-            };
+        const payload = decodeJwtPayload(this.token.token);
+        if (!payload) {
+            return null;
         }
-        catch {
+        if (typeof payload.sub !== "string") {
             return null;
         }
+        return {
+            userId: payload.sub,
+            email: typeof payload.email === "string" ? payload.email : "",
+        };
     }
 }

package/dist/shared/bypassGatewayLocalOnly.d.ts

@@ -0,0 +1,14 @@
+export declare const BYPASS_GATEWAY_LOCAL_ONLY_TOKEN = "BYPASS_GATEWAY_LOCAL_ONLY";
+export declare const BYPASS_GATEWAY_LOCAL_ONLY_USER_ID = "demo-local-user";
+export declare const BYPASS_GATEWAY_LOCAL_ONLY_EMAIL = "demo-local-user@local";
+export declare function isBypassGatewayLocalOnlyClient(): boolean;
+export declare function isBypassGatewayLocalOnlyServer(): boolean;
+export declare function createBypassGatewayLocalOnlySessionPayload(audience: string): {
+    sub: string;
+    email: string;
+    iss: string;
+    aud: string;
+    iat: number;
+    exp: number;
+};
+//# sourceMappingURL=bypassGatewayLocalOnly.d.ts.map

package/dist/shared/bypassGatewayLocalOnly.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bypassGatewayLocalOnly.d.ts","sourceRoot":"","sources":["../../src/shared/bypassGatewayLocalOnly.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,+BAA+B,8BAA8B,CAAC;AAC3E,eAAO,MAAM,iCAAiC,oBAAoB,CAAC;AACnE,eAAO,MAAM,+BAA+B,0BAA0B,CAAC;AAEvE,wBAAgB,8BAA8B,IAAI,OAAO,CAYxD;AAED,wBAAgB,8BAA8B,IAAI,OAAO,CAsBxD;AAED,wBAAgB,0CAA0C,CAAC,QAAQ,EAAE,MAAM;;;;;;;EAY1E"}

package/dist/shared/bypassGatewayLocalOnly.js

@@ -0,0 +1,41 @@
+export const BYPASS_GATEWAY_LOCAL_ONLY_TOKEN = "BYPASS_GATEWAY_LOCAL_ONLY";
+export const BYPASS_GATEWAY_LOCAL_ONLY_USER_ID = "demo-local-user";
+export const BYPASS_GATEWAY_LOCAL_ONLY_EMAIL = "demo-local-user@local";
+export function isBypassGatewayLocalOnlyClient() {
+    if (import.meta.env.PROD) {
+        return false;
+    }
+    const metaEnv = import.meta
+        .env;
+    return (metaEnv?.VITE_BYPASS_GATEWAY_LOCAL_ONLY === "true" ||
+        metaEnv?.BYPASS_GATEWAY_LOCAL_ONLY === "true");
+}
+export function isBypassGatewayLocalOnlyServer() {
+    if (import.meta.env.PROD) {
+        return false;
+    }
+    const metaEnv = import.meta
+        .env;
+    const metaValue = metaEnv?.BYPASS_GATEWAY_LOCAL_ONLY ??
+        metaEnv?.VITE_BYPASS_GATEWAY_LOCAL_ONLY;
+    if (metaValue === "true") {
+        return true;
+    }
+    if (typeof process !== "undefined" &&
+        process.env?.BYPASS_GATEWAY_LOCAL_ONLY === "true") {
+        return true;
+    }
+    return false;
+}
+export function createBypassGatewayLocalOnlySessionPayload(audience) {
+    const issuedAt = Math.floor(Date.now() / 1000);
+    const expiresAt = issuedAt + 60 * 60;
+    return {
+        sub: BYPASS_GATEWAY_LOCAL_ONLY_USER_ID,
+        email: BYPASS_GATEWAY_LOCAL_ONLY_EMAIL,
+        iss: "local",
+        aud: audience,
+        iat: issuedAt,
+        exp: expiresAt,
+    };
+}

package/dist/shared/parseMessagePayload.d.ts

@@ -0,0 +1,3 @@
+export type MessagePayload = Record<string, unknown>;
+export declare function parseMessagePayload(data: unknown): MessagePayload | null;
+//# sourceMappingURL=parseMessagePayload.d.ts.map

package/dist/shared/parseMessagePayload.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parseMessagePayload.d.ts","sourceRoot":"","sources":["../../src/shared/parseMessagePayload.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAErD,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,OAAO,GAAG,cAAc,GAAG,IAAI,CAmBxE"}

package/dist/shared/parseMessagePayload.js

@@ -0,0 +1,18 @@
+export function parseMessagePayload(data) {
+    if (data && typeof data === "object" && !Array.isArray(data)) {
+        return data;
+    }
+    if (typeof data !== "string") {
+        return null;
+    }
+    try {
+        const parsed = JSON.parse(data);
+        if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+            return parsed;
+        }
+    }
+    catch {
+        return null;
+    }
+    return null;
+}

package/dist/tanstack/EmbeddedAppProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"EmbeddedAppProvider.d.ts","sourceRoot":"","sources":["../../src/tanstack/EmbeddedAppProvider.tsx"],"names":[],"mappings":"AAAA,OAAO,KAA6C,MAAM,OAAO,CAAC;AAClE,OAAO,EAEL,oBAAoB,EACrB,MAAM,2BAA2B,CAAC;AAKnC,UAAU,sBAAuB,SAAQ,oBAAoB;IAC3D,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;CAC3B;AAUD,wBAAgB,mBAAmB,CAAC,EAClC,QAAQ,EACR,GAAG,MAAM,EACV,EAAE,sBAAsB,kDA6BxB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,cAAc,IAAI;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAmBzE"}
+{"version":3,"file":"EmbeddedAppProvider.d.ts","sourceRoot":"","sources":["../../src/tanstack/EmbeddedAppProvider.tsx"],"names":[],"mappings":"AAAA,OAAO,KAA6C,MAAM,OAAO,CAAC;AAClE,OAAO,EAEL,oBAAoB,EACrB,MAAM,2BAA2B,CAAC;AAKnC,UAAU,sBAAuB,SAAQ,oBAAoB;IAC3D,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;CAC3B;AAUD,wBAAgB,mBAAmB,CAAC,EAClC,QAAQ,EACR,GAAG,MAAM,EACV,EAAE,sBAAsB,kDAgCxB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,cAAc,IAAI;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAmBzE"}

package/dist/tanstack/EmbeddedAppProvider.js

@@ -11,8 +11,9 @@ export function EmbeddedAppProvider({ children, ...config }) {
     useEveryAppRouter({ sessionManager });
     if (!sessionManager)
         return null;
-    // Check if the app is running outside of the Gateway iframe
-    if (!sessionManager.isInIframe) {
+    // Check if the app is running outside of the Gateway (iframe or React Native WebView)
+    if (!sessionManager.isEmbedded() &&
+        !sessionManager.isBypassGatewayLocalOnly) {
         return (_jsx(GatewayRequiredError, { gatewayOrigin: sessionManager.parentOrigin, appId: config.appId }));
     }
     const value = {

package/dist/tanstack/_internal/useEveryAppSession.d.ts

@@ -5,6 +5,8 @@ interface SessionManagerConfig {
 interface UseEveryAppSessionParams {
     sessionManagerConfig: SessionManagerConfig;
 }
+type SessionBootstrapGate = Pick<SessionManager, "isEmbedded" | "isBypassGatewayLocalOnly">;
+export declare function shouldBootstrapSession(sessionManager: SessionBootstrapGate): boolean;
 export declare function useEveryAppSession({ sessionManagerConfig, }: UseEveryAppSessionParams): {
     sessionManager: SessionManager | null;
     sessionTokenState: {

package/dist/tanstack/_internal/useEveryAppSession.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useEveryAppSession.d.ts","sourceRoot":"","sources":["../../../src/tanstack/_internal/useEveryAppSession.tsx"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAE9D,UAAU,oBAAoB;IAC5B,KAAK,EAAE,MAAM,CAAC;CACf;AAED,UAAU,wBAAwB;IAChC,oBAAoB,EAAE,oBAAoB,CAAC;CAC5C;AAED,wBAAgB,kBAAkB,CAAC,EACjC,oBAAoB,GACrB,EAAE,wBAAwB;;;;;;EA8C1B"}
+{"version":3,"file":"useEveryAppSession.d.ts","sourceRoot":"","sources":["../../../src/tanstack/_internal/useEveryAppSession.tsx"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAE9D,UAAU,oBAAoB;IAC5B,KAAK,EAAE,MAAM,CAAC;CACf;AAED,UAAU,wBAAwB;IAChC,oBAAoB,EAAE,oBAAoB,CAAC;CAC5C;AAED,KAAK,oBAAoB,GAAG,IAAI,CAC9B,cAAc,EACd,YAAY,GAAG,0BAA0B,CAC1C,CAAC;AAEF,wBAAgB,sBAAsB,CACpC,cAAc,EAAE,oBAAoB,GACnC,OAAO,CAKT;AAED,wBAAgB,kBAAkB,CAAC,EACjC,oBAAoB,GACrB,EAAE,wBAAwB;;;;;;EA8C1B"}

package/dist/tanstack/_internal/useEveryAppSession.js

@@ -1,5 +1,11 @@
 import { useEffect, useRef, useState } from "react";
 import { SessionManager } from "../../core/sessionManager.js";
+export function shouldBootstrapSession(sessionManager) {
+    // Bootstrapping should happen whenever the app is hosted by a trusted container.
+    // This intentionally keys off embedded environment semantics (iframe OR RN WebView),
+    // not iframe-only detection, so RN can initialize auth from pushed tokens.
+    return sessionManager.isEmbedded() || sessionManager.isBypassGatewayLocalOnly;
+}
 export function useEveryAppSession({ sessionManagerConfig, }) {
     const sessionManagerRef = useRef(null);
     const [sessionTokenState, setSessionTokenState] = useState({
@@ -13,8 +19,8 @@ export function useEveryAppSession({ sessionManagerConfig, }) {
     useEffect(() => {
         if (!sessionManager)
             return;
-        // Skip token requests when not in iframe - the app will show GatewayRequiredError instead
-        if (!sessionManager.isInIframe)
+        // Skip token bootstrap when not embedded (unless in demo mode) - the app will show GatewayRequiredError instead
+        if (!shouldBootstrapSession(sessionManager))
             return;
         const interval = setInterval(() => {
             setSessionTokenState(sessionManager.getTokenState());

package/dist/tanstack/server/authConfig.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authConfig.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authConfig.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAG7C,wBAAgB,aAAa,IAAI,UAAU,CAK1C"}
+{"version":3,"file":"authConfig.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authConfig.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAI7C,wBAAgB,aAAa,IAAI,UAAU,CAc1C"}

package/dist/tanstack/server/authConfig.js

@@ -1,7 +1,13 @@
 import { env } from "cloudflare:workers";
+import { isBypassGatewayLocalOnlyServer } from "../../shared/bypassGatewayLocalOnly.js";
 export function getAuthConfig() {
+    const bypassGatewayLocalOnlyEnv = env.BYPASS_GATEWAY_LOCAL_ONLY;
+    const isBypassGatewayLocalOnly = import.meta.env.PROD !== true &&
+        (bypassGatewayLocalOnlyEnv === "true" ||
+            isBypassGatewayLocalOnlyServer() === true);
+    const issuer = env.GATEWAY_URL || (isBypassGatewayLocalOnly ? "local" : "");
     return {
-        issuer: env.GATEWAY_URL,
+        issuer,
         audience: import.meta.env.VITE_APP_ID,
     };
 }

package/dist/tanstack/server/authenticateRequest.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authenticateRequest.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authenticateRequest.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAG7C;;;GAGG;AACH,UAAU,mBAAmB;IAC3B,8BAA8B;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,6DAA6D;IAC7D,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,UAAU,EACtB,eAAe,CAAC,EAAE,OAAO,GACxB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CA8BrC;AAyCD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAK3E"}
+{"version":3,"file":"authenticateRequest.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authenticateRequest.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAQ7C;;;GAGG;AACH,UAAU,mBAAmB;IAC3B,8BAA8B;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,6DAA6D;IAC7D,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,UAAU,EACtB,eAAe,CAAC,EAAE,OAAO,GACxB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CA8CrC;AAyCD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAK3E"}

package/dist/tanstack/server/authenticateRequest.js

@@ -1,9 +1,14 @@
 import { getRequest } from "@tanstack/react-start/server";
 import { createLocalJWKSet, jwtVerify, } from "jose";
 import { env } from "cloudflare:workers";
+import { BYPASS_GATEWAY_LOCAL_ONLY_TOKEN, createBypassGatewayLocalOnlySessionPayload, isBypassGatewayLocalOnlyServer, } from "../../shared/bypassGatewayLocalOnly.js";
 export async function authenticateRequest(authConfig, providedRequest) {
     const request = providedRequest || getRequest();
     const authHeader = request.headers.get("authorization");
+    const bypassGatewayLocalOnlyEnv = env.BYPASS_GATEWAY_LOCAL_ONLY;
+    const isBypassGatewayLocalOnly = import.meta.env.PROD !== true &&
+        (bypassGatewayLocalOnlyEnv === "true" ||
+            isBypassGatewayLocalOnlyServer() === true);
     if (!authHeader) {
         return null;
     }
@@ -11,6 +16,12 @@ export async function authenticateRequest(authConfig, providedRequest) {
     if (!token) {
         return null;
     }
+    if (isBypassGatewayLocalOnly) {
+        if (token !== BYPASS_GATEWAY_LOCAL_ONLY_TOKEN) {
+            return null;
+        }
+        return createBypassGatewayLocalOnlySessionPayload(authConfig.audience);
+    }
     try {
         const session = await verifySessionToken(token, authConfig);
         return session;

package/dist/tanstack/useEveryAppRouter.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useEveryAppRouter.d.ts","sourceRoot":"","sources":["../../src/tanstack/useEveryAppRouter.tsx"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAG3D,UAAU,uBAAuB;IAC/B,cAAc,EAAE,cAAc,GAAG,IAAI,CAAC;CACvC;AAED,wBAAgB,iBAAiB,CAAC,EAAE,cAAc,EAAE,EAAE,uBAAuB,QAmE5E"}
+{"version":3,"file":"useEveryAppRouter.d.ts","sourceRoot":"","sources":["../../src/tanstack/useEveryAppRouter.tsx"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAI3D,UAAU,uBAAuB;IAC/B,cAAc,EAAE,cAAc,GAAG,IAAI,CAAC;CACvC;AAED,wBAAgB,iBAAiB,CAAC,EAAE,cAAc,EAAE,EAAE,uBAAuB,QAyE5E"}