@feelflow/ffid-sdk 2.17.0 → 2.18.0

package/dist/{chunk-OWE6EPWE.cjs → chunk-EK2W67BW.cjs}

@@ -105,10 +105,7 @@ function createTokenStore(storageType) {
 // src/client/oauth-userinfo.ts
 var SESSION_ELIGIBLE_SUBSCRIPTION_STATUSES = [
   "trialing",
-  "active",
-  "past_due",
-  "canceled",
-  "paused"
+  "active"
 ];
 function isSessionEligibleSubscriptionStatus(value) {
   return typeof value === "string" && SESSION_ELIGIBLE_SUBSCRIPTION_STATUSES.includes(value);
@@ -810,10 +807,11 @@ function createProfileMethods(deps) {
 }
 
 // src/client/version-check.ts
-var SDK_VERSION = "2.17.0";
+var SDK_VERSION = "2.18.0";
 var SDK_USER_AGENT = `FFID-SDK/${SDK_VERSION} (TypeScript)`;
 var SDK_VERSION_HEADER = "X-FFID-SDK-Version";
 function sdkHeaders() {
+  if (typeof window !== "undefined") return {};
   return {
     "User-Agent": SDK_USER_AGENT,
     [SDK_VERSION_HEADER]: SDK_VERSION
@@ -1372,6 +1370,87 @@ var OAUTH_AUTHORIZE_ENDPOINT = "/api/v1/oauth/authorize";
 var AUTH_LOGOUT_ENDPOINT = "/api/v1/auth/logout";
 var STATE_RANDOM_BYTES = 16;
 var HEX_BASE2 = 16;
+var REDIRECT_LOOP_KEY = "ffid_sdk_redirect_loop_history";
+var REDIRECT_LOOP_WINDOW_MS = 6e4;
+var REDIRECT_LOOP_THRESHOLD = 3;
+var storageReadFailureLogged = false;
+var storageWriteFailureLogged = false;
+function logStorageReadFailure(logger, err) {
+  if (storageReadFailureLogged) return;
+  storageReadFailureLogged = true;
+  logger.warn(
+    "[FFID SDK] sessionStorage read failed \u2014 redirect loop detection disabled on this browser (fail-open). iOS WebKit private mode / eviction \u304C\u5178\u578B\u8981\u56E0",
+    err
+  );
+}
+function logStorageWriteFailure(logger, err) {
+  if (storageWriteFailureLogged) return;
+  storageWriteFailureLogged = true;
+  logger.warn(
+    "[FFID SDK] sessionStorage write failed \u2014 redirect loop detection disabled on this browser (fail-open).",
+    err
+  );
+}
+function isRedirectLoopHistory(value) {
+  if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
+  return Object.values(value).every(
+    (arr) => Array.isArray(arr) && arr.every((t) => typeof t === "number" && Number.isFinite(t))
+  );
+}
+function readRedirectLoopHistory(logger) {
+  if (typeof window === "undefined") return {};
+  try {
+    const raw = window.sessionStorage.getItem(REDIRECT_LOOP_KEY);
+    if (raw === null) return {};
+    const parsed = JSON.parse(raw);
+    return isRedirectLoopHistory(parsed) ? parsed : {};
+  } catch (err) {
+    logStorageReadFailure(logger, err);
+    return {};
+  }
+}
+function writeRedirectLoopHistory(history, logger) {
+  if (typeof window === "undefined") return;
+  try {
+    window.sessionStorage.setItem(REDIRECT_LOOP_KEY, JSON.stringify(history));
+  } catch (err) {
+    logStorageWriteFailure(logger, err);
+  }
+}
+function pruneRedirectLoopHistory(history, now) {
+  const cutoff = now - REDIRECT_LOOP_WINDOW_MS;
+  const pruned = {};
+  for (const [key, timestamps] of Object.entries(history)) {
+    const fresh = timestamps.filter((t) => t > cutoff);
+    if (fresh.length > 0) pruned[key] = fresh;
+  }
+  return pruned;
+}
+function getRecentRedirectCount(authorizeKey, now, logger) {
+  const pruned = pruneRedirectLoopHistory(readRedirectLoopHistory(logger), now);
+  writeRedirectLoopHistory(pruned, logger);
+  return pruned[authorizeKey]?.length ?? 0;
+}
+function recordRedirectAttempt(authorizeKey, now, logger) {
+  const history = readRedirectLoopHistory(logger);
+  const existing = history[authorizeKey] ?? [];
+  history[authorizeKey] = [...existing, now];
+  writeRedirectLoopHistory(history, logger);
+}
+function rollbackLastRedirectAttempt(authorizeKey, logger) {
+  const history = readRedirectLoopHistory(logger);
+  const existing = history[authorizeKey];
+  if (!Array.isArray(existing) || existing.length === 0) return;
+  history[authorizeKey] = existing.slice(0, -1);
+  if (history[authorizeKey].length === 0) delete history[authorizeKey];
+  writeRedirectLoopHistory(history, logger);
+}
+function buildAuthorizeKey(baseUrl, clientId, organizationId) {
+  const params = new URLSearchParams({ client_id: clientId });
+  const trimmedOrg = organizationId?.trim();
+  if (trimmedOrg) params.set("organization_id", trimmedOrg);
+  return `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
+}
 function generateRandomState() {
   const array = new Uint8Array(STATE_RANDOM_BYTES);
   crypto.getRandomValues(array);
@@ -1391,6 +1470,23 @@ function createRedirectMethods(deps) {
       logger.warn("SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093");
       return { success: false, error: "SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093" };
     }
+    const authorizeKey = buildAuthorizeKey(baseUrl, clientId, options?.organizationId);
+    const now = Date.now();
+    const recentCount = getRecentRedirectCount(authorizeKey, now, logger);
+    if (recentCount >= REDIRECT_LOOP_THRESHOLD) {
+      cleanupVerifierStorage(logger);
+      logger.warn("[FFID SDK] redirect loop detected \u2014 \u81EA\u52D5\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3092\u505C\u6B62\u3057\u307E\u3057\u305F", {
+        authorizeKey,
+        recentCount,
+        windowMs: REDIRECT_LOOP_WINDOW_MS,
+        threshold: REDIRECT_LOOP_THRESHOLD
+      });
+      return {
+        success: false,
+        code: "redirect_loop_detected",
+        error: "\u77ED\u6642\u9593\u306B\u540C\u3058\u8A8D\u53EF\u30A8\u30F3\u30C9\u30DD\u30A4\u30F3\u30C8\u3078\u306E\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u304C\u7E70\u308A\u8FD4\u3055\u308C\u305F\u305F\u3081\u3001\u30EB\u30FC\u30D7\u691C\u51FA\u306B\u3088\u308A\u81EA\u52D5\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3092\u505C\u6B62\u3057\u307E\u3057\u305F"
+      };
+    }
     const verifier = generateCodeVerifier();
     storeCodeVerifier(verifier, logger);
     let challenge;
@@ -1421,7 +1517,13 @@ function createRedirectMethods(deps) {
     }
     const authorizeUrl = `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
     logger.debug("Redirecting to authorize:", authorizeUrl);
-    window.location.href = authorizeUrl;
+    recordRedirectAttempt(authorizeKey, now, logger);
+    try {
+      window.location.href = authorizeUrl;
+    } catch (err) {
+      rollbackLastRedirectAttempt(authorizeKey, logger);
+      throw err;
+    }
     return { success: true };
   }
   async function redirectToLogin() {

package/dist/{chunk-O2YI5N6S.js → chunk-IEYXT3LA.js}

@@ -103,10 +103,7 @@ function createTokenStore(storageType) {
 // src/client/oauth-userinfo.ts
 var SESSION_ELIGIBLE_SUBSCRIPTION_STATUSES = [
   "trialing",
-  "active",
-  "past_due",
-  "canceled",
-  "paused"
+  "active"
 ];
 function isSessionEligibleSubscriptionStatus(value) {
   return typeof value === "string" && SESSION_ELIGIBLE_SUBSCRIPTION_STATUSES.includes(value);
@@ -808,10 +805,11 @@ function createProfileMethods(deps) {
 }
 
 // src/client/version-check.ts
-var SDK_VERSION = "2.17.0";
+var SDK_VERSION = "2.18.0";
 var SDK_USER_AGENT = `FFID-SDK/${SDK_VERSION} (TypeScript)`;
 var SDK_VERSION_HEADER = "X-FFID-SDK-Version";
 function sdkHeaders() {
+  if (typeof window !== "undefined") return {};
   return {
     "User-Agent": SDK_USER_AGENT,
     [SDK_VERSION_HEADER]: SDK_VERSION
@@ -1370,6 +1368,87 @@ var OAUTH_AUTHORIZE_ENDPOINT = "/api/v1/oauth/authorize";
 var AUTH_LOGOUT_ENDPOINT = "/api/v1/auth/logout";
 var STATE_RANDOM_BYTES = 16;
 var HEX_BASE2 = 16;
+var REDIRECT_LOOP_KEY = "ffid_sdk_redirect_loop_history";
+var REDIRECT_LOOP_WINDOW_MS = 6e4;
+var REDIRECT_LOOP_THRESHOLD = 3;
+var storageReadFailureLogged = false;
+var storageWriteFailureLogged = false;
+function logStorageReadFailure(logger, err) {
+  if (storageReadFailureLogged) return;
+  storageReadFailureLogged = true;
+  logger.warn(
+    "[FFID SDK] sessionStorage read failed \u2014 redirect loop detection disabled on this browser (fail-open). iOS WebKit private mode / eviction \u304C\u5178\u578B\u8981\u56E0",
+    err
+  );
+}
+function logStorageWriteFailure(logger, err) {
+  if (storageWriteFailureLogged) return;
+  storageWriteFailureLogged = true;
+  logger.warn(
+    "[FFID SDK] sessionStorage write failed \u2014 redirect loop detection disabled on this browser (fail-open).",
+    err
+  );
+}
+function isRedirectLoopHistory(value) {
+  if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
+  return Object.values(value).every(
+    (arr) => Array.isArray(arr) && arr.every((t) => typeof t === "number" && Number.isFinite(t))
+  );
+}
+function readRedirectLoopHistory(logger) {
+  if (typeof window === "undefined") return {};
+  try {
+    const raw = window.sessionStorage.getItem(REDIRECT_LOOP_KEY);
+    if (raw === null) return {};
+    const parsed = JSON.parse(raw);
+    return isRedirectLoopHistory(parsed) ? parsed : {};
+  } catch (err) {
+    logStorageReadFailure(logger, err);
+    return {};
+  }
+}
+function writeRedirectLoopHistory(history, logger) {
+  if (typeof window === "undefined") return;
+  try {
+    window.sessionStorage.setItem(REDIRECT_LOOP_KEY, JSON.stringify(history));
+  } catch (err) {
+    logStorageWriteFailure(logger, err);
+  }
+}
+function pruneRedirectLoopHistory(history, now) {
+  const cutoff = now - REDIRECT_LOOP_WINDOW_MS;
+  const pruned = {};
+  for (const [key, timestamps] of Object.entries(history)) {
+    const fresh = timestamps.filter((t) => t > cutoff);
+    if (fresh.length > 0) pruned[key] = fresh;
+  }
+  return pruned;
+}
+function getRecentRedirectCount(authorizeKey, now, logger) {
+  const pruned = pruneRedirectLoopHistory(readRedirectLoopHistory(logger), now);
+  writeRedirectLoopHistory(pruned, logger);
+  return pruned[authorizeKey]?.length ?? 0;
+}
+function recordRedirectAttempt(authorizeKey, now, logger) {
+  const history = readRedirectLoopHistory(logger);
+  const existing = history[authorizeKey] ?? [];
+  history[authorizeKey] = [...existing, now];
+  writeRedirectLoopHistory(history, logger);
+}
+function rollbackLastRedirectAttempt(authorizeKey, logger) {
+  const history = readRedirectLoopHistory(logger);
+  const existing = history[authorizeKey];
+  if (!Array.isArray(existing) || existing.length === 0) return;
+  history[authorizeKey] = existing.slice(0, -1);
+  if (history[authorizeKey].length === 0) delete history[authorizeKey];
+  writeRedirectLoopHistory(history, logger);
+}
+function buildAuthorizeKey(baseUrl, clientId, organizationId) {
+  const params = new URLSearchParams({ client_id: clientId });
+  const trimmedOrg = organizationId?.trim();
+  if (trimmedOrg) params.set("organization_id", trimmedOrg);
+  return `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
+}
 function generateRandomState() {
   const array = new Uint8Array(STATE_RANDOM_BYTES);
   crypto.getRandomValues(array);
@@ -1389,6 +1468,23 @@ function createRedirectMethods(deps) {
       logger.warn("SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093");
       return { success: false, error: "SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093" };
     }
+    const authorizeKey = buildAuthorizeKey(baseUrl, clientId, options?.organizationId);
+    const now = Date.now();
+    const recentCount = getRecentRedirectCount(authorizeKey, now, logger);
+    if (recentCount >= REDIRECT_LOOP_THRESHOLD) {
+      cleanupVerifierStorage(logger);
+      logger.warn("[FFID SDK] redirect loop detected \u2014 \u81EA\u52D5\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3092\u505C\u6B62\u3057\u307E\u3057\u305F", {
+        authorizeKey,
+        recentCount,
+        windowMs: REDIRECT_LOOP_WINDOW_MS,
+        threshold: REDIRECT_LOOP_THRESHOLD
+      });
+      return {
+        success: false,
+        code: "redirect_loop_detected",
+        error: "\u77ED\u6642\u9593\u306B\u540C\u3058\u8A8D\u53EF\u30A8\u30F3\u30C9\u30DD\u30A4\u30F3\u30C8\u3078\u306E\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u304C\u7E70\u308A\u8FD4\u3055\u308C\u305F\u305F\u3081\u3001\u30EB\u30FC\u30D7\u691C\u51FA\u306B\u3088\u308A\u81EA\u52D5\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3092\u505C\u6B62\u3057\u307E\u3057\u305F"
+      };
+    }
     const verifier = generateCodeVerifier();
     storeCodeVerifier(verifier, logger);
     let challenge;
@@ -1419,7 +1515,13 @@ function createRedirectMethods(deps) {
     }
     const authorizeUrl = `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
     logger.debug("Redirecting to authorize:", authorizeUrl);
-    window.location.href = authorizeUrl;
+    recordRedirectAttempt(authorizeKey, now, logger);
+    try {
+      window.location.href = authorizeUrl;
+    } catch (err) {
+      rollbackLastRedirectAttempt(authorizeKey, logger);
+      throw err;
+    }
     return { success: true };
   }
   async function redirectToLogin() {

package/dist/components/index.cjs

@@ -1,34 +1,34 @@
 'use strict';
 
-var chunkOWE6EPWE_cjs = require('../chunk-OWE6EPWE.cjs');
+var chunkEK2W67BW_cjs = require('../chunk-EK2W67BW.cjs');
 
 
 
 Object.defineProperty(exports, "FFIDAnnouncementBadge", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFIDAnnouncementBadge; }
+  get: function () { return chunkEK2W67BW_cjs.FFIDAnnouncementBadge; }
 });
 Object.defineProperty(exports, "FFIDAnnouncementList", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFIDAnnouncementList; }
+  get: function () { return chunkEK2W67BW_cjs.FFIDAnnouncementList; }
 });
 Object.defineProperty(exports, "FFIDInquiryForm", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFIDInquiryForm; }
+  get: function () { return chunkEK2W67BW_cjs.FFIDInquiryForm; }
 });
 Object.defineProperty(exports, "FFIDLoginButton", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFIDLoginButton; }
+  get: function () { return chunkEK2W67BW_cjs.FFIDLoginButton; }
 });
 Object.defineProperty(exports, "FFIDOrganizationSwitcher", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFIDOrganizationSwitcher; }
+  get: function () { return chunkEK2W67BW_cjs.FFIDOrganizationSwitcher; }
 });
 Object.defineProperty(exports, "FFIDSubscriptionBadge", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFIDSubscriptionBadge; }
+  get: function () { return chunkEK2W67BW_cjs.FFIDSubscriptionBadge; }
 });
 Object.defineProperty(exports, "FFIDUserMenu", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFIDUserMenu; }
+  get: function () { return chunkEK2W67BW_cjs.FFIDUserMenu; }
 });

package/dist/components/index.d.cts

@@ -1,3 +1,3 @@
-export { K as FFIDAnnouncementBadge, aj as FFIDAnnouncementBadgeClassNames, ak as FFIDAnnouncementBadgeProps, M as FFIDAnnouncementList, al as FFIDAnnouncementListClassNames, am as FFIDAnnouncementListProps, U as FFIDInquiryForm, V as FFIDInquiryFormCategoryItem, W as FFIDInquiryFormClassNames, X as FFIDInquiryFormOrganization, Y as FFIDInquiryFormPlaceholderContext, Z as FFIDInquiryFormPrefill, _ as FFIDInquiryFormProps, $ as FFIDInquiryFormSubmitData, a0 as FFIDInquiryFormSubmitResult, a2 as FFIDLoginButton, an as FFIDLoginButtonProps, a8 as FFIDOrganizationSwitcher, ao as FFIDOrganizationSwitcherClassNames, ap as FFIDOrganizationSwitcherProps, aa as FFIDSubscriptionBadge, aq as FFIDSubscriptionBadgeClassNames, ar as FFIDSubscriptionBadgeProps, ac as FFIDUserMenu, as as FFIDUserMenuClassNames, at as FFIDUserMenuProps } from '../index-DbEyptzr.cjs';
+export { K as FFIDAnnouncementBadge, ak as FFIDAnnouncementBadgeClassNames, al as FFIDAnnouncementBadgeProps, M as FFIDAnnouncementList, am as FFIDAnnouncementListClassNames, an as FFIDAnnouncementListProps, U as FFIDInquiryForm, V as FFIDInquiryFormCategoryItem, W as FFIDInquiryFormClassNames, X as FFIDInquiryFormOrganization, Y as FFIDInquiryFormPlaceholderContext, Z as FFIDInquiryFormPrefill, _ as FFIDInquiryFormProps, $ as FFIDInquiryFormSubmitData, a0 as FFIDInquiryFormSubmitResult, a2 as FFIDLoginButton, ao as FFIDLoginButtonProps, a8 as FFIDOrganizationSwitcher, ap as FFIDOrganizationSwitcherClassNames, aq as FFIDOrganizationSwitcherProps, ab as FFIDSubscriptionBadge, ar as FFIDSubscriptionBadgeClassNames, as as FFIDSubscriptionBadgeProps, ad as FFIDUserMenu, at as FFIDUserMenuClassNames, au as FFIDUserMenuProps } from '../index--S6rLHjr.cjs';
 import 'react/jsx-runtime';
 import 'react';

package/dist/components/index.d.ts

@@ -1,3 +1,3 @@
-export { K as FFIDAnnouncementBadge, aj as FFIDAnnouncementBadgeClassNames, ak as FFIDAnnouncementBadgeProps, M as FFIDAnnouncementList, al as FFIDAnnouncementListClassNames, am as FFIDAnnouncementListProps, U as FFIDInquiryForm, V as FFIDInquiryFormCategoryItem, W as FFIDInquiryFormClassNames, X as FFIDInquiryFormOrganization, Y as FFIDInquiryFormPlaceholderContext, Z as FFIDInquiryFormPrefill, _ as FFIDInquiryFormProps, $ as FFIDInquiryFormSubmitData, a0 as FFIDInquiryFormSubmitResult, a2 as FFIDLoginButton, an as FFIDLoginButtonProps, a8 as FFIDOrganizationSwitcher, ao as FFIDOrganizationSwitcherClassNames, ap as FFIDOrganizationSwitcherProps, aa as FFIDSubscriptionBadge, aq as FFIDSubscriptionBadgeClassNames, ar as FFIDSubscriptionBadgeProps, ac as FFIDUserMenu, as as FFIDUserMenuClassNames, at as FFIDUserMenuProps } from '../index-DbEyptzr.js';
+export { K as FFIDAnnouncementBadge, ak as FFIDAnnouncementBadgeClassNames, al as FFIDAnnouncementBadgeProps, M as FFIDAnnouncementList, am as FFIDAnnouncementListClassNames, an as FFIDAnnouncementListProps, U as FFIDInquiryForm, V as FFIDInquiryFormCategoryItem, W as FFIDInquiryFormClassNames, X as FFIDInquiryFormOrganization, Y as FFIDInquiryFormPlaceholderContext, Z as FFIDInquiryFormPrefill, _ as FFIDInquiryFormProps, $ as FFIDInquiryFormSubmitData, a0 as FFIDInquiryFormSubmitResult, a2 as FFIDLoginButton, ao as FFIDLoginButtonProps, a8 as FFIDOrganizationSwitcher, ap as FFIDOrganizationSwitcherClassNames, aq as FFIDOrganizationSwitcherProps, ab as FFIDSubscriptionBadge, ar as FFIDSubscriptionBadgeClassNames, as as FFIDSubscriptionBadgeProps, ad as FFIDUserMenu, at as FFIDUserMenuClassNames, au as FFIDUserMenuProps } from '../index--S6rLHjr.js';
 import 'react/jsx-runtime';
 import 'react';

package/dist/components/index.js

@@ -1 +1 @@
-export { FFIDAnnouncementBadge, FFIDAnnouncementList, FFIDInquiryForm, FFIDLoginButton, FFIDOrganizationSwitcher, FFIDSubscriptionBadge, FFIDUserMenu } from '../chunk-O2YI5N6S.js';
+export { FFIDAnnouncementBadge, FFIDAnnouncementList, FFIDInquiryForm, FFIDLoginButton, FFIDOrganizationSwitcher, FFIDSubscriptionBadge, FFIDUserMenu } from '../chunk-IEYXT3LA.js';

package/dist/{index-DbEyptzr.d.cts → index--S6rLHjr.d.cts}

@@ -471,8 +471,11 @@ interface FFIDUserProfile {
  * When `accessToken` is supplied with a non-empty value, it overrides the client's
  * configured auth mode: authentication for that request uses only
  * `Authorization: Bearer <accessToken>` (no service key, no cookie, no token-store
- * lookup, no auto-refresh on 401). Non-auth headers such as `Content-Type` and
- * SDK metadata headers (User-Agent / X-FFID-SDK-Version) are still attached.
+ * lookup, no auto-refresh on 401). Non-auth headers such as `Content-Type` are
+ * still attached. SDK metadata headers (`User-Agent` / `X-FFID-SDK-Version`) are
+ * attached on non-browser runtimes only (Node.js / Cloudflare Workers / Edge /
+ * Deno); browsers receive an empty object to avoid iOS WebKit `fetch()` breakage
+ * (see #2417).
  *
  * Runtime semantics:
  * - `accessToken` omitted (or `undefined`) → no override, configured `authMode` is used
@@ -534,17 +537,36 @@ interface FFIDUpdateUserProfileRequest {
     /** Arbitrary user preferences bag (null clears the column; reads return {}) */
     preferences?: Record<string, unknown> | null;
 }
+/**
+ * Discriminant for redirect failures that callers need to handle
+ * programmatically (vs. logging the human-readable `error` string).
+ *
+ * - `'redirect_loop_detected'`: `redirectToAuthorize()` detected that the
+ *   same authorize URL (keyed by `baseUrl + client_id + organization_id`)
+ *   has been fired **3 times within 60 seconds**. Caller should surface a
+ *   manual "再度ログインする" UI rather than retry automatically (#2406 / #2411).
+ *
+ * SDK 2.18.0 only ships `'redirect_loop_detected'`. Other failure paths
+ * (SSR environment, PKCE generation failure, empty organizationId) currently
+ * return `error` without a `code`. New codes will be added in future minor
+ * versions — treat this union as forward-extensible and do NOT exhaustively
+ * `switch` over it without a `default` branch for consumer code that must
+ * stay compatible across SDK upgrades.
+ */
+type FFIDRedirectErrorCode = 'redirect_loop_detected';
 /**
  * Result of a redirect operation (redirectToLogin / redirectToAuthorize / redirectToLogout)
  *
  * Structured return type so callers can inspect failure reasons
- * instead of receiving a bare `false`.
+ * instead of receiving a bare `false`. When `code` is set, branch on it
+ * for programmatic handling; otherwise log `error` for humans.
  */
 type FFIDRedirectResult = {
     success: true;
 } | {
     success: false;
     error: string;
+    code?: FFIDRedirectErrorCode;
 };
 /**
  * OAuth 2.0 token response from FFID token endpoint
@@ -1279,4 +1301,4 @@ interface FFIDInquiryFormPlaceholderContext {
 }
 declare function FFIDInquiryForm({ mode, prefill, organizations, preselectedOrganizationId, categories, termsVersion, privacyVersion, termsHref, privacyHref, turnstileToken, turnstileSlot, onSubmit, onChange, separateLegalCheckboxes, messagePlaceholder, requireCategorySelection, unstyled, classNames, locale, className, }: FFIDInquiryFormProps): react_jsx_runtime.JSX.Element;
 
-export { type FFIDInquiryFormSubmitData as $, type FFIDSubscription as A, type FFIDSubscriptionContextValue as B, type FFIDAnnouncementsClientConfig as C, type FFIDAnnouncementsApiResponse as D, type AnnouncementListResponse as E, type FFIDSubscriptionStatus as F, type FFIDAnnouncementsLogger as G, type Announcement as H, type AnnouncementStatus as I, type AnnouncementType as J, FFIDAnnouncementBadge as K, type ListAnnouncementsOptions as L, FFIDAnnouncementList as M, type FFIDAnnouncementsError as N, type FFIDAnnouncementsErrorCode as O, type FFIDAnnouncementsServerResponse as P, type FFIDCacheConfig as Q, type FFIDContextValue as R, type FFIDInquiryCategory as S, type FFIDInquiryCategorySite2026 as T, FFIDInquiryForm as U, type FFIDInquiryFormCategoryItem as V, type FFIDInquiryFormClassNames as W, type FFIDInquiryFormOrganization as X, type FFIDInquiryFormPlaceholderContext as Y, type FFIDInquiryFormPrefill as Z, type FFIDInquiryFormProps as _, type FFIDConfig as a, type FFIDInquiryFormSubmitResult as a0, type FFIDJwtClaims as a1, FFIDLoginButton as a2, type FFIDMemberStatus as a3, type FFIDOAuthTokenResponse as a4, type FFIDOAuthUserInfoMemberRole as a5, type FFIDOAuthUserInfoSubscription as a6, type FFIDOrganizationMember as a7, FFIDOrganizationSwitcher as a8, type FFIDSeatModel as a9, FFIDSubscriptionBadge as aa, type FFIDTokenIntrospectionResponse as ab, FFIDUserMenu as ac, FFID_INQUIRY_CATEGORIES as ad, FFID_INQUIRY_CATEGORIES_SITE_2026 as ae, type UseFFIDAnnouncementsOptions as af, type UseFFIDAnnouncementsReturn as ag, isFFIDInquiryCategorySite2026 as ah, useFFIDAnnouncements as ai, type FFIDAnnouncementBadgeClassNames as aj, type FFIDAnnouncementBadgeProps as ak, type FFIDAnnouncementListClassNames as al, type FFIDAnnouncementListProps as am, type FFIDLoginButtonProps as an, type FFIDOrganizationSwitcherClassNames as ao, type FFIDOrganizationSwitcherProps as ap, type FFIDSubscriptionBadgeClassNames as aq, type FFIDSubscriptionBadgeProps as ar, type FFIDUserMenuClassNames as as, type FFIDUserMenuProps as at, type FFIDApiResponse as b, type FFIDSessionResponse as c, type FFIDRedirectResult as d, type FFIDError as e, type FFIDSubscriptionCheckResponse as f, type FFIDListMembersResponse as g, type FFIDMemberRole as h, type FFIDUpdateMemberRoleResponse as i, type FFIDRemoveMemberResponse as j, type FFIDProfileCallOptions as k, type FFIDUserProfile as l, type FFIDUpdateUserProfileRequest as m, type FFIDCreateCheckoutParams as n, type FFIDCheckoutSessionResponse as o, type FFIDCreatePortalParams as p, type FFIDPortalSessionResponse as q, type FFIDVerifyAccessTokenOptions as r, type FFIDOAuthUserInfo as s, type FFIDInquiryCreateParams as t, type FFIDInquiryCreateResponse as u, type FFIDAuthMode as v, type FFIDLogger as w, type FFIDCacheAdapter as x, type FFIDUser as y, type FFIDOrganization as z };
+export { type FFIDInquiryFormSubmitData as $, type FFIDSubscription as A, type FFIDSubscriptionContextValue as B, type FFIDAnnouncementsClientConfig as C, type FFIDAnnouncementsApiResponse as D, type AnnouncementListResponse as E, type FFIDSubscriptionStatus as F, type FFIDAnnouncementsLogger as G, type Announcement as H, type AnnouncementStatus as I, type AnnouncementType as J, FFIDAnnouncementBadge as K, type ListAnnouncementsOptions as L, FFIDAnnouncementList as M, type FFIDAnnouncementsError as N, type FFIDAnnouncementsErrorCode as O, type FFIDAnnouncementsServerResponse as P, type FFIDCacheConfig as Q, type FFIDContextValue as R, type FFIDInquiryCategory as S, type FFIDInquiryCategorySite2026 as T, FFIDInquiryForm as U, type FFIDInquiryFormCategoryItem as V, type FFIDInquiryFormClassNames as W, type FFIDInquiryFormOrganization as X, type FFIDInquiryFormPlaceholderContext as Y, type FFIDInquiryFormPrefill as Z, type FFIDInquiryFormProps as _, type FFIDConfig as a, type FFIDInquiryFormSubmitResult as a0, type FFIDJwtClaims as a1, FFIDLoginButton as a2, type FFIDMemberStatus as a3, type FFIDOAuthTokenResponse as a4, type FFIDOAuthUserInfoMemberRole as a5, type FFIDOAuthUserInfoSubscription as a6, type FFIDOrganizationMember as a7, FFIDOrganizationSwitcher as a8, type FFIDRedirectErrorCode as a9, type FFIDSeatModel as aa, FFIDSubscriptionBadge as ab, type FFIDTokenIntrospectionResponse as ac, FFIDUserMenu as ad, FFID_INQUIRY_CATEGORIES as ae, FFID_INQUIRY_CATEGORIES_SITE_2026 as af, type UseFFIDAnnouncementsOptions as ag, type UseFFIDAnnouncementsReturn as ah, isFFIDInquiryCategorySite2026 as ai, useFFIDAnnouncements as aj, type FFIDAnnouncementBadgeClassNames as ak, type FFIDAnnouncementBadgeProps as al, type FFIDAnnouncementListClassNames as am, type FFIDAnnouncementListProps as an, type FFIDLoginButtonProps as ao, type FFIDOrganizationSwitcherClassNames as ap, type FFIDOrganizationSwitcherProps as aq, type FFIDSubscriptionBadgeClassNames as ar, type FFIDSubscriptionBadgeProps as as, type FFIDUserMenuClassNames as at, type FFIDUserMenuProps as au, type FFIDApiResponse as b, type FFIDSessionResponse as c, type FFIDRedirectResult as d, type FFIDError as e, type FFIDSubscriptionCheckResponse as f, type FFIDListMembersResponse as g, type FFIDMemberRole as h, type FFIDUpdateMemberRoleResponse as i, type FFIDRemoveMemberResponse as j, type FFIDProfileCallOptions as k, type FFIDUserProfile as l, type FFIDUpdateUserProfileRequest as m, type FFIDCreateCheckoutParams as n, type FFIDCheckoutSessionResponse as o, type FFIDCreatePortalParams as p, type FFIDPortalSessionResponse as q, type FFIDVerifyAccessTokenOptions as r, type FFIDOAuthUserInfo as s, type FFIDInquiryCreateParams as t, type FFIDInquiryCreateResponse as u, type FFIDAuthMode as v, type FFIDLogger as w, type FFIDCacheAdapter as x, type FFIDUser as y, type FFIDOrganization as z };

package/dist/{index-DbEyptzr.d.ts → index--S6rLHjr.d.ts}

@@ -471,8 +471,11 @@ interface FFIDUserProfile {
  * When `accessToken` is supplied with a non-empty value, it overrides the client's
  * configured auth mode: authentication for that request uses only
  * `Authorization: Bearer <accessToken>` (no service key, no cookie, no token-store
- * lookup, no auto-refresh on 401). Non-auth headers such as `Content-Type` and
- * SDK metadata headers (User-Agent / X-FFID-SDK-Version) are still attached.
+ * lookup, no auto-refresh on 401). Non-auth headers such as `Content-Type` are
+ * still attached. SDK metadata headers (`User-Agent` / `X-FFID-SDK-Version`) are
+ * attached on non-browser runtimes only (Node.js / Cloudflare Workers / Edge /
+ * Deno); browsers receive an empty object to avoid iOS WebKit `fetch()` breakage
+ * (see #2417).
  *
  * Runtime semantics:
  * - `accessToken` omitted (or `undefined`) → no override, configured `authMode` is used
@@ -534,17 +537,36 @@ interface FFIDUpdateUserProfileRequest {
     /** Arbitrary user preferences bag (null clears the column; reads return {}) */
     preferences?: Record<string, unknown> | null;
 }
+/**
+ * Discriminant for redirect failures that callers need to handle
+ * programmatically (vs. logging the human-readable `error` string).
+ *
+ * - `'redirect_loop_detected'`: `redirectToAuthorize()` detected that the
+ *   same authorize URL (keyed by `baseUrl + client_id + organization_id`)
+ *   has been fired **3 times within 60 seconds**. Caller should surface a
+ *   manual "再度ログインする" UI rather than retry automatically (#2406 / #2411).
+ *
+ * SDK 2.18.0 only ships `'redirect_loop_detected'`. Other failure paths
+ * (SSR environment, PKCE generation failure, empty organizationId) currently
+ * return `error` without a `code`. New codes will be added in future minor
+ * versions — treat this union as forward-extensible and do NOT exhaustively
+ * `switch` over it without a `default` branch for consumer code that must
+ * stay compatible across SDK upgrades.
+ */
+type FFIDRedirectErrorCode = 'redirect_loop_detected';
 /**
  * Result of a redirect operation (redirectToLogin / redirectToAuthorize / redirectToLogout)
  *
  * Structured return type so callers can inspect failure reasons
- * instead of receiving a bare `false`.
+ * instead of receiving a bare `false`. When `code` is set, branch on it
+ * for programmatic handling; otherwise log `error` for humans.
  */
 type FFIDRedirectResult = {
     success: true;
 } | {
     success: false;
     error: string;
+    code?: FFIDRedirectErrorCode;
 };
 /**
  * OAuth 2.0 token response from FFID token endpoint
@@ -1279,4 +1301,4 @@ interface FFIDInquiryFormPlaceholderContext {
 }
 declare function FFIDInquiryForm({ mode, prefill, organizations, preselectedOrganizationId, categories, termsVersion, privacyVersion, termsHref, privacyHref, turnstileToken, turnstileSlot, onSubmit, onChange, separateLegalCheckboxes, messagePlaceholder, requireCategorySelection, unstyled, classNames, locale, className, }: FFIDInquiryFormProps): react_jsx_runtime.JSX.Element;
 
-export { type FFIDInquiryFormSubmitData as $, type FFIDSubscription as A, type FFIDSubscriptionContextValue as B, type FFIDAnnouncementsClientConfig as C, type FFIDAnnouncementsApiResponse as D, type AnnouncementListResponse as E, type FFIDSubscriptionStatus as F, type FFIDAnnouncementsLogger as G, type Announcement as H, type AnnouncementStatus as I, type AnnouncementType as J, FFIDAnnouncementBadge as K, type ListAnnouncementsOptions as L, FFIDAnnouncementList as M, type FFIDAnnouncementsError as N, type FFIDAnnouncementsErrorCode as O, type FFIDAnnouncementsServerResponse as P, type FFIDCacheConfig as Q, type FFIDContextValue as R, type FFIDInquiryCategory as S, type FFIDInquiryCategorySite2026 as T, FFIDInquiryForm as U, type FFIDInquiryFormCategoryItem as V, type FFIDInquiryFormClassNames as W, type FFIDInquiryFormOrganization as X, type FFIDInquiryFormPlaceholderContext as Y, type FFIDInquiryFormPrefill as Z, type FFIDInquiryFormProps as _, type FFIDConfig as a, type FFIDInquiryFormSubmitResult as a0, type FFIDJwtClaims as a1, FFIDLoginButton as a2, type FFIDMemberStatus as a3, type FFIDOAuthTokenResponse as a4, type FFIDOAuthUserInfoMemberRole as a5, type FFIDOAuthUserInfoSubscription as a6, type FFIDOrganizationMember as a7, FFIDOrganizationSwitcher as a8, type FFIDSeatModel as a9, FFIDSubscriptionBadge as aa, type FFIDTokenIntrospectionResponse as ab, FFIDUserMenu as ac, FFID_INQUIRY_CATEGORIES as ad, FFID_INQUIRY_CATEGORIES_SITE_2026 as ae, type UseFFIDAnnouncementsOptions as af, type UseFFIDAnnouncementsReturn as ag, isFFIDInquiryCategorySite2026 as ah, useFFIDAnnouncements as ai, type FFIDAnnouncementBadgeClassNames as aj, type FFIDAnnouncementBadgeProps as ak, type FFIDAnnouncementListClassNames as al, type FFIDAnnouncementListProps as am, type FFIDLoginButtonProps as an, type FFIDOrganizationSwitcherClassNames as ao, type FFIDOrganizationSwitcherProps as ap, type FFIDSubscriptionBadgeClassNames as aq, type FFIDSubscriptionBadgeProps as ar, type FFIDUserMenuClassNames as as, type FFIDUserMenuProps as at, type FFIDApiResponse as b, type FFIDSessionResponse as c, type FFIDRedirectResult as d, type FFIDError as e, type FFIDSubscriptionCheckResponse as f, type FFIDListMembersResponse as g, type FFIDMemberRole as h, type FFIDUpdateMemberRoleResponse as i, type FFIDRemoveMemberResponse as j, type FFIDProfileCallOptions as k, type FFIDUserProfile as l, type FFIDUpdateUserProfileRequest as m, type FFIDCreateCheckoutParams as n, type FFIDCheckoutSessionResponse as o, type FFIDCreatePortalParams as p, type FFIDPortalSessionResponse as q, type FFIDVerifyAccessTokenOptions as r, type FFIDOAuthUserInfo as s, type FFIDInquiryCreateParams as t, type FFIDInquiryCreateResponse as u, type FFIDAuthMode as v, type FFIDLogger as w, type FFIDCacheAdapter as x, type FFIDUser as y, type FFIDOrganization as z };
+export { type FFIDInquiryFormSubmitData as $, type FFIDSubscription as A, type FFIDSubscriptionContextValue as B, type FFIDAnnouncementsClientConfig as C, type FFIDAnnouncementsApiResponse as D, type AnnouncementListResponse as E, type FFIDSubscriptionStatus as F, type FFIDAnnouncementsLogger as G, type Announcement as H, type AnnouncementStatus as I, type AnnouncementType as J, FFIDAnnouncementBadge as K, type ListAnnouncementsOptions as L, FFIDAnnouncementList as M, type FFIDAnnouncementsError as N, type FFIDAnnouncementsErrorCode as O, type FFIDAnnouncementsServerResponse as P, type FFIDCacheConfig as Q, type FFIDContextValue as R, type FFIDInquiryCategory as S, type FFIDInquiryCategorySite2026 as T, FFIDInquiryForm as U, type FFIDInquiryFormCategoryItem as V, type FFIDInquiryFormClassNames as W, type FFIDInquiryFormOrganization as X, type FFIDInquiryFormPlaceholderContext as Y, type FFIDInquiryFormPrefill as Z, type FFIDInquiryFormProps as _, type FFIDConfig as a, type FFIDInquiryFormSubmitResult as a0, type FFIDJwtClaims as a1, FFIDLoginButton as a2, type FFIDMemberStatus as a3, type FFIDOAuthTokenResponse as a4, type FFIDOAuthUserInfoMemberRole as a5, type FFIDOAuthUserInfoSubscription as a6, type FFIDOrganizationMember as a7, FFIDOrganizationSwitcher as a8, type FFIDRedirectErrorCode as a9, type FFIDSeatModel as aa, FFIDSubscriptionBadge as ab, type FFIDTokenIntrospectionResponse as ac, FFIDUserMenu as ad, FFID_INQUIRY_CATEGORIES as ae, FFID_INQUIRY_CATEGORIES_SITE_2026 as af, type UseFFIDAnnouncementsOptions as ag, type UseFFIDAnnouncementsReturn as ah, isFFIDInquiryCategorySite2026 as ai, useFFIDAnnouncements as aj, type FFIDAnnouncementBadgeClassNames as ak, type FFIDAnnouncementBadgeProps as al, type FFIDAnnouncementListClassNames as am, type FFIDAnnouncementListProps as an, type FFIDLoginButtonProps as ao, type FFIDOrganizationSwitcherClassNames as ap, type FFIDOrganizationSwitcherProps as aq, type FFIDSubscriptionBadgeClassNames as ar, type FFIDSubscriptionBadgeProps as as, type FFIDUserMenuClassNames as at, type FFIDUserMenuProps as au, type FFIDApiResponse as b, type FFIDSessionResponse as c, type FFIDRedirectResult as d, type FFIDError as e, type FFIDSubscriptionCheckResponse as f, type FFIDListMembersResponse as g, type FFIDMemberRole as h, type FFIDUpdateMemberRoleResponse as i, type FFIDRemoveMemberResponse as j, type FFIDProfileCallOptions as k, type FFIDUserProfile as l, type FFIDUpdateUserProfileRequest as m, type FFIDCreateCheckoutParams as n, type FFIDCheckoutSessionResponse as o, type FFIDCreatePortalParams as p, type FFIDPortalSessionResponse as q, type FFIDVerifyAccessTokenOptions as r, type FFIDOAuthUserInfo as s, type FFIDInquiryCreateParams as t, type FFIDInquiryCreateResponse as u, type FFIDAuthMode as v, type FFIDLogger as w, type FFIDCacheAdapter as x, type FFIDUser as y, type FFIDOrganization as z };

package/dist/index.cjs

@@ -1,6 +1,6 @@
 'use strict';
 
-var chunkOWE6EPWE_cjs = require('./chunk-OWE6EPWE.cjs');
+var chunkEK2W67BW_cjs = require('./chunk-EK2W67BW.cjs');
 var react = require('react');
 var jsxRuntime = require('react/jsx-runtime');
 
@@ -46,7 +46,7 @@ function createKVCacheAdapter(kv) {
 }
 function withFFIDAuth(Component, options = {}) {
   const WrappedComponent = (props) => {
-    const { isLoading, isAuthenticated, login } = chunkOWE6EPWE_cjs.useFFIDContext();
+    const { isLoading, isAuthenticated, login } = chunkEK2W67BW_cjs.useFFIDContext();
     const hasRedirected = react.useRef(false);
     react.useEffect(() => {
       if (!isLoading && !isAuthenticated && options.redirectToLogin && !hasRedirected.current) {
@@ -74,107 +74,107 @@ var FFID_NEWSLETTER_TYPES = ["inquiry_followup", "general"];
 
 Object.defineProperty(exports, "DEFAULT_API_BASE_URL", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.DEFAULT_API_BASE_URL; }
+  get: function () { return chunkEK2W67BW_cjs.DEFAULT_API_BASE_URL; }
 });
 Object.defineProperty(exports, "FFIDAnnouncementBadge", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFIDAnnouncementBadge; }
+  get: function () { return chunkEK2W67BW_cjs.FFIDAnnouncementBadge; }
 });
 Object.defineProperty(exports, "FFIDAnnouncementList", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFIDAnnouncementList; }
+  get: function () { return chunkEK2W67BW_cjs.FFIDAnnouncementList; }
 });
 Object.defineProperty(exports, "FFIDInquiryForm", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFIDInquiryForm; }
+  get: function () { return chunkEK2W67BW_cjs.FFIDInquiryForm; }
 });
 Object.defineProperty(exports, "FFIDLoginButton", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFIDLoginButton; }
+  get: function () { return chunkEK2W67BW_cjs.FFIDLoginButton; }
 });
 Object.defineProperty(exports, "FFIDOrganizationSwitcher", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFIDOrganizationSwitcher; }
+  get: function () { return chunkEK2W67BW_cjs.FFIDOrganizationSwitcher; }
 });
 Object.defineProperty(exports, "FFIDProvider", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFIDProvider; }
+  get: function () { return chunkEK2W67BW_cjs.FFIDProvider; }
 });
 Object.defineProperty(exports, "FFIDSDKError", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFIDSDKError; }
+  get: function () { return chunkEK2W67BW_cjs.FFIDSDKError; }
 });
 Object.defineProperty(exports, "FFIDSubscriptionBadge", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFIDSubscriptionBadge; }
+  get: function () { return chunkEK2W67BW_cjs.FFIDSubscriptionBadge; }
 });
 Object.defineProperty(exports, "FFIDUserMenu", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFIDUserMenu; }
+  get: function () { return chunkEK2W67BW_cjs.FFIDUserMenu; }
 });
 Object.defineProperty(exports, "FFID_ANNOUNCEMENTS_ERROR_CODES", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFID_ANNOUNCEMENTS_ERROR_CODES; }
+  get: function () { return chunkEK2W67BW_cjs.FFID_ANNOUNCEMENTS_ERROR_CODES; }
 });
 Object.defineProperty(exports, "FFID_INQUIRY_CATEGORIES", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFID_INQUIRY_CATEGORIES; }
+  get: function () { return chunkEK2W67BW_cjs.FFID_INQUIRY_CATEGORIES; }
 });
 Object.defineProperty(exports, "FFID_INQUIRY_CATEGORIES_SITE_2026", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.FFID_INQUIRY_CATEGORIES_SITE_2026; }
+  get: function () { return chunkEK2W67BW_cjs.FFID_INQUIRY_CATEGORIES_SITE_2026; }
 });
 Object.defineProperty(exports, "createFFIDAnnouncementsClient", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.createFFIDAnnouncementsClient; }
+  get: function () { return chunkEK2W67BW_cjs.createFFIDAnnouncementsClient; }
 });
 Object.defineProperty(exports, "createFFIDClient", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.createFFIDClient; }
+  get: function () { return chunkEK2W67BW_cjs.createFFIDClient; }
 });
 Object.defineProperty(exports, "createTokenStore", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.createTokenStore; }
+  get: function () { return chunkEK2W67BW_cjs.createTokenStore; }
 });
 Object.defineProperty(exports, "generateCodeChallenge", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.generateCodeChallenge; }
+  get: function () { return chunkEK2W67BW_cjs.generateCodeChallenge; }
 });
 Object.defineProperty(exports, "generateCodeVerifier", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.generateCodeVerifier; }
+  get: function () { return chunkEK2W67BW_cjs.generateCodeVerifier; }
 });
 Object.defineProperty(exports, "isFFIDInquiryCategorySite2026", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.isFFIDInquiryCategorySite2026; }
+  get: function () { return chunkEK2W67BW_cjs.isFFIDInquiryCategorySite2026; }
 });
 Object.defineProperty(exports, "normalizeRedirectUri", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.normalizeRedirectUri; }
+  get: function () { return chunkEK2W67BW_cjs.normalizeRedirectUri; }
 });
 Object.defineProperty(exports, "retrieveCodeVerifier", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.retrieveCodeVerifier; }
+  get: function () { return chunkEK2W67BW_cjs.retrieveCodeVerifier; }
 });
 Object.defineProperty(exports, "storeCodeVerifier", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.storeCodeVerifier; }
+  get: function () { return chunkEK2W67BW_cjs.storeCodeVerifier; }
 });
 Object.defineProperty(exports, "useFFID", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.useFFID; }
+  get: function () { return chunkEK2W67BW_cjs.useFFID; }
 });
 Object.defineProperty(exports, "useFFIDAnnouncements", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.useFFIDAnnouncements; }
+  get: function () { return chunkEK2W67BW_cjs.useFFIDAnnouncements; }
 });
 Object.defineProperty(exports, "useSubscription", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.useSubscription; }
+  get: function () { return chunkEK2W67BW_cjs.useSubscription; }
 });
 Object.defineProperty(exports, "withSubscription", {
   enumerable: true,
-  get: function () { return chunkOWE6EPWE_cjs.withSubscription; }
+  get: function () { return chunkEK2W67BW_cjs.withSubscription; }
 });
 exports.FFID_NEWSLETTER_TYPES = FFID_NEWSLETTER_TYPES;
 exports.createKVCacheAdapter = createKVCacheAdapter;

package/dist/index.d.cts

@@ -1,5 +1,5 @@
-import { F as FFIDSubscriptionStatus, a as FFIDConfig, b as FFIDApiResponse, c as FFIDSessionResponse, d as FFIDRedirectResult, e as FFIDError, f as FFIDSubscriptionCheckResponse, g as FFIDListMembersResponse, h as FFIDMemberRole, i as FFIDUpdateMemberRoleResponse, j as FFIDRemoveMemberResponse, k as FFIDProfileCallOptions, l as FFIDUserProfile, m as FFIDUpdateUserProfileRequest, n as FFIDCreateCheckoutParams, o as FFIDCheckoutSessionResponse, p as FFIDCreatePortalParams, q as FFIDPortalSessionResponse, r as FFIDVerifyAccessTokenOptions, s as FFIDOAuthUserInfo, t as FFIDInquiryCreateParams, u as FFIDInquiryCreateResponse, v as FFIDAuthMode, w as FFIDLogger, x as FFIDCacheAdapter, y as FFIDUser, z as FFIDOrganization, A as FFIDSubscription, B as FFIDSubscriptionContextValue, C as FFIDAnnouncementsClientConfig, L as ListAnnouncementsOptions, D as FFIDAnnouncementsApiResponse, E as AnnouncementListResponse, G as FFIDAnnouncementsLogger } from './index-DbEyptzr.cjs';
-export { H as Announcement, I as AnnouncementStatus, J as AnnouncementType, K as FFIDAnnouncementBadge, M as FFIDAnnouncementList, N as FFIDAnnouncementsError, O as FFIDAnnouncementsErrorCode, P as FFIDAnnouncementsServerResponse, Q as FFIDCacheConfig, R as FFIDContextValue, S as FFIDInquiryCategory, T as FFIDInquiryCategorySite2026, U as FFIDInquiryForm, V as FFIDInquiryFormCategoryItem, W as FFIDInquiryFormClassNames, X as FFIDInquiryFormOrganization, Y as FFIDInquiryFormPlaceholderContext, Z as FFIDInquiryFormPrefill, _ as FFIDInquiryFormProps, $ as FFIDInquiryFormSubmitData, a0 as FFIDInquiryFormSubmitResult, a1 as FFIDJwtClaims, a2 as FFIDLoginButton, a3 as FFIDMemberStatus, a4 as FFIDOAuthTokenResponse, a5 as FFIDOAuthUserInfoMemberRole, a6 as FFIDOAuthUserInfoSubscription, a7 as FFIDOrganizationMember, a8 as FFIDOrganizationSwitcher, a9 as FFIDSeatModel, aa as FFIDSubscriptionBadge, ab as FFIDTokenIntrospectionResponse, ac as FFIDUserMenu, ad as FFID_INQUIRY_CATEGORIES, ae as FFID_INQUIRY_CATEGORIES_SITE_2026, af as UseFFIDAnnouncementsOptions, ag as UseFFIDAnnouncementsReturn, ah as isFFIDInquiryCategorySite2026, ai as useFFIDAnnouncements } from './index-DbEyptzr.cjs';
+import { F as FFIDSubscriptionStatus, a as FFIDConfig, b as FFIDApiResponse, c as FFIDSessionResponse, d as FFIDRedirectResult, e as FFIDError, f as FFIDSubscriptionCheckResponse, g as FFIDListMembersResponse, h as FFIDMemberRole, i as FFIDUpdateMemberRoleResponse, j as FFIDRemoveMemberResponse, k as FFIDProfileCallOptions, l as FFIDUserProfile, m as FFIDUpdateUserProfileRequest, n as FFIDCreateCheckoutParams, o as FFIDCheckoutSessionResponse, p as FFIDCreatePortalParams, q as FFIDPortalSessionResponse, r as FFIDVerifyAccessTokenOptions, s as FFIDOAuthUserInfo, t as FFIDInquiryCreateParams, u as FFIDInquiryCreateResponse, v as FFIDAuthMode, w as FFIDLogger, x as FFIDCacheAdapter, y as FFIDUser, z as FFIDOrganization, A as FFIDSubscription, B as FFIDSubscriptionContextValue, C as FFIDAnnouncementsClientConfig, L as ListAnnouncementsOptions, D as FFIDAnnouncementsApiResponse, E as AnnouncementListResponse, G as FFIDAnnouncementsLogger } from './index--S6rLHjr.cjs';
+export { H as Announcement, I as AnnouncementStatus, J as AnnouncementType, K as FFIDAnnouncementBadge, M as FFIDAnnouncementList, N as FFIDAnnouncementsError, O as FFIDAnnouncementsErrorCode, P as FFIDAnnouncementsServerResponse, Q as FFIDCacheConfig, R as FFIDContextValue, S as FFIDInquiryCategory, T as FFIDInquiryCategorySite2026, U as FFIDInquiryForm, V as FFIDInquiryFormCategoryItem, W as FFIDInquiryFormClassNames, X as FFIDInquiryFormOrganization, Y as FFIDInquiryFormPlaceholderContext, Z as FFIDInquiryFormPrefill, _ as FFIDInquiryFormProps, $ as FFIDInquiryFormSubmitData, a0 as FFIDInquiryFormSubmitResult, a1 as FFIDJwtClaims, a2 as FFIDLoginButton, a3 as FFIDMemberStatus, a4 as FFIDOAuthTokenResponse, a5 as FFIDOAuthUserInfoMemberRole, a6 as FFIDOAuthUserInfoSubscription, a7 as FFIDOrganizationMember, a8 as FFIDOrganizationSwitcher, a9 as FFIDRedirectErrorCode, aa as FFIDSeatModel, ab as FFIDSubscriptionBadge, ac as FFIDTokenIntrospectionResponse, ad as FFIDUserMenu, ae as FFID_INQUIRY_CATEGORIES, af as FFID_INQUIRY_CATEGORIES_SITE_2026, ag as UseFFIDAnnouncementsOptions, ah as UseFFIDAnnouncementsReturn, ai as isFFIDInquiryCategorySite2026, aj as useFFIDAnnouncements } from './index--S6rLHjr.cjs';
 import * as react_jsx_runtime from 'react/jsx-runtime';
 import { ReactNode, ComponentType, FC } from 'react';
 

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-import { F as FFIDSubscriptionStatus, a as FFIDConfig, b as FFIDApiResponse, c as FFIDSessionResponse, d as FFIDRedirectResult, e as FFIDError, f as FFIDSubscriptionCheckResponse, g as FFIDListMembersResponse, h as FFIDMemberRole, i as FFIDUpdateMemberRoleResponse, j as FFIDRemoveMemberResponse, k as FFIDProfileCallOptions, l as FFIDUserProfile, m as FFIDUpdateUserProfileRequest, n as FFIDCreateCheckoutParams, o as FFIDCheckoutSessionResponse, p as FFIDCreatePortalParams, q as FFIDPortalSessionResponse, r as FFIDVerifyAccessTokenOptions, s as FFIDOAuthUserInfo, t as FFIDInquiryCreateParams, u as FFIDInquiryCreateResponse, v as FFIDAuthMode, w as FFIDLogger, x as FFIDCacheAdapter, y as FFIDUser, z as FFIDOrganization, A as FFIDSubscription, B as FFIDSubscriptionContextValue, C as FFIDAnnouncementsClientConfig, L as ListAnnouncementsOptions, D as FFIDAnnouncementsApiResponse, E as AnnouncementListResponse, G as FFIDAnnouncementsLogger } from './index-DbEyptzr.js';
-export { H as Announcement, I as AnnouncementStatus, J as AnnouncementType, K as FFIDAnnouncementBadge, M as FFIDAnnouncementList, N as FFIDAnnouncementsError, O as FFIDAnnouncementsErrorCode, P as FFIDAnnouncementsServerResponse, Q as FFIDCacheConfig, R as FFIDContextValue, S as FFIDInquiryCategory, T as FFIDInquiryCategorySite2026, U as FFIDInquiryForm, V as FFIDInquiryFormCategoryItem, W as FFIDInquiryFormClassNames, X as FFIDInquiryFormOrganization, Y as FFIDInquiryFormPlaceholderContext, Z as FFIDInquiryFormPrefill, _ as FFIDInquiryFormProps, $ as FFIDInquiryFormSubmitData, a0 as FFIDInquiryFormSubmitResult, a1 as FFIDJwtClaims, a2 as FFIDLoginButton, a3 as FFIDMemberStatus, a4 as FFIDOAuthTokenResponse, a5 as FFIDOAuthUserInfoMemberRole, a6 as FFIDOAuthUserInfoSubscription, a7 as FFIDOrganizationMember, a8 as FFIDOrganizationSwitcher, a9 as FFIDSeatModel, aa as FFIDSubscriptionBadge, ab as FFIDTokenIntrospectionResponse, ac as FFIDUserMenu, ad as FFID_INQUIRY_CATEGORIES, ae as FFID_INQUIRY_CATEGORIES_SITE_2026, af as UseFFIDAnnouncementsOptions, ag as UseFFIDAnnouncementsReturn, ah as isFFIDInquiryCategorySite2026, ai as useFFIDAnnouncements } from './index-DbEyptzr.js';
+import { F as FFIDSubscriptionStatus, a as FFIDConfig, b as FFIDApiResponse, c as FFIDSessionResponse, d as FFIDRedirectResult, e as FFIDError, f as FFIDSubscriptionCheckResponse, g as FFIDListMembersResponse, h as FFIDMemberRole, i as FFIDUpdateMemberRoleResponse, j as FFIDRemoveMemberResponse, k as FFIDProfileCallOptions, l as FFIDUserProfile, m as FFIDUpdateUserProfileRequest, n as FFIDCreateCheckoutParams, o as FFIDCheckoutSessionResponse, p as FFIDCreatePortalParams, q as FFIDPortalSessionResponse, r as FFIDVerifyAccessTokenOptions, s as FFIDOAuthUserInfo, t as FFIDInquiryCreateParams, u as FFIDInquiryCreateResponse, v as FFIDAuthMode, w as FFIDLogger, x as FFIDCacheAdapter, y as FFIDUser, z as FFIDOrganization, A as FFIDSubscription, B as FFIDSubscriptionContextValue, C as FFIDAnnouncementsClientConfig, L as ListAnnouncementsOptions, D as FFIDAnnouncementsApiResponse, E as AnnouncementListResponse, G as FFIDAnnouncementsLogger } from './index--S6rLHjr.js';
+export { H as Announcement, I as AnnouncementStatus, J as AnnouncementType, K as FFIDAnnouncementBadge, M as FFIDAnnouncementList, N as FFIDAnnouncementsError, O as FFIDAnnouncementsErrorCode, P as FFIDAnnouncementsServerResponse, Q as FFIDCacheConfig, R as FFIDContextValue, S as FFIDInquiryCategory, T as FFIDInquiryCategorySite2026, U as FFIDInquiryForm, V as FFIDInquiryFormCategoryItem, W as FFIDInquiryFormClassNames, X as FFIDInquiryFormOrganization, Y as FFIDInquiryFormPlaceholderContext, Z as FFIDInquiryFormPrefill, _ as FFIDInquiryFormProps, $ as FFIDInquiryFormSubmitData, a0 as FFIDInquiryFormSubmitResult, a1 as FFIDJwtClaims, a2 as FFIDLoginButton, a3 as FFIDMemberStatus, a4 as FFIDOAuthTokenResponse, a5 as FFIDOAuthUserInfoMemberRole, a6 as FFIDOAuthUserInfoSubscription, a7 as FFIDOrganizationMember, a8 as FFIDOrganizationSwitcher, a9 as FFIDRedirectErrorCode, aa as FFIDSeatModel, ab as FFIDSubscriptionBadge, ac as FFIDTokenIntrospectionResponse, ad as FFIDUserMenu, ae as FFID_INQUIRY_CATEGORIES, af as FFID_INQUIRY_CATEGORIES_SITE_2026, ag as UseFFIDAnnouncementsOptions, ah as UseFFIDAnnouncementsReturn, ai as isFFIDInquiryCategorySite2026, aj as useFFIDAnnouncements } from './index--S6rLHjr.js';
 import * as react_jsx_runtime from 'react/jsx-runtime';
 import { ReactNode, ComponentType, FC } from 'react';
 

package/dist/index.js

@@ -1,5 +1,5 @@
-import { useFFIDContext } from './chunk-O2YI5N6S.js';
-export { DEFAULT_API_BASE_URL, FFIDAnnouncementBadge, FFIDAnnouncementList, FFIDInquiryForm, FFIDLoginButton, FFIDOrganizationSwitcher, FFIDProvider, FFIDSDKError, FFIDSubscriptionBadge, FFIDUserMenu, FFID_ANNOUNCEMENTS_ERROR_CODES, FFID_INQUIRY_CATEGORIES, FFID_INQUIRY_CATEGORIES_SITE_2026, createFFIDAnnouncementsClient, createFFIDClient, createTokenStore, generateCodeChallenge, generateCodeVerifier, isFFIDInquiryCategorySite2026, normalizeRedirectUri, retrieveCodeVerifier, storeCodeVerifier, useFFID, useFFIDAnnouncements, useSubscription, withSubscription } from './chunk-O2YI5N6S.js';
+import { useFFIDContext } from './chunk-IEYXT3LA.js';
+export { DEFAULT_API_BASE_URL, FFIDAnnouncementBadge, FFIDAnnouncementList, FFIDInquiryForm, FFIDLoginButton, FFIDOrganizationSwitcher, FFIDProvider, FFIDSDKError, FFIDSubscriptionBadge, FFIDUserMenu, FFID_ANNOUNCEMENTS_ERROR_CODES, FFID_INQUIRY_CATEGORIES, FFID_INQUIRY_CATEGORIES_SITE_2026, createFFIDAnnouncementsClient, createFFIDClient, createTokenStore, generateCodeChallenge, generateCodeVerifier, isFFIDInquiryCategorySite2026, normalizeRedirectUri, retrieveCodeVerifier, storeCodeVerifier, useFFID, useFFIDAnnouncements, useSubscription, withSubscription } from './chunk-IEYXT3LA.js';
 import { useRef, useEffect } from 'react';
 import { jsx, Fragment } from 'react/jsx-runtime';
 

package/dist/server/index.cjs

@@ -101,10 +101,7 @@ function createTokenStore(storageType) {
 // src/client/oauth-userinfo.ts
 var SESSION_ELIGIBLE_SUBSCRIPTION_STATUSES = [
   "trialing",
-  "active",
-  "past_due",
-  "canceled",
-  "paused"
+  "active"
 ];
 function isSessionEligibleSubscriptionStatus(value) {
   return typeof value === "string" && SESSION_ELIGIBLE_SUBSCRIPTION_STATUSES.includes(value);
@@ -806,10 +803,11 @@ function createProfileMethods(deps) {
 }
 
 // src/client/version-check.ts
-var SDK_VERSION = "2.17.0";
+var SDK_VERSION = "2.18.0";
 var SDK_USER_AGENT = `FFID-SDK/${SDK_VERSION} (TypeScript)`;
 var SDK_VERSION_HEADER = "X-FFID-SDK-Version";
 function sdkHeaders() {
+  if (typeof window !== "undefined") return {};
   return {
     "User-Agent": SDK_USER_AGENT,
     [SDK_VERSION_HEADER]: SDK_VERSION
@@ -1302,6 +1300,19 @@ function storeCodeVerifier(verifier, logger) {
   }
   return sessionStored || localStored;
 }
+function cleanupVerifierStorage(logger) {
+  try {
+    window.sessionStorage.removeItem(VERIFIER_STORAGE_KEY);
+  } catch (error) {
+    logger?.warn("retrieveCodeVerifier: sessionStorage \u306E\u30AF\u30EA\u30FC\u30F3\u30A2\u30C3\u30D7\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", error);
+  }
+  try {
+    window.localStorage.removeItem(VERIFIER_FALLBACK_STORAGE_KEY);
+    window.localStorage.removeItem(VERIFIER_FALLBACK_TIMESTAMP_KEY);
+  } catch (error) {
+    logger?.warn("retrieveCodeVerifier: localStorage \u306E\u30AF\u30EA\u30FC\u30F3\u30A2\u30C3\u30D7\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", error);
+  }
+}
 function base64UrlEncode(buffer) {
   const bytes = new Uint8Array(buffer);
   let binary = "";
@@ -1316,6 +1327,87 @@ var OAUTH_AUTHORIZE_ENDPOINT = "/api/v1/oauth/authorize";
 var AUTH_LOGOUT_ENDPOINT = "/api/v1/auth/logout";
 var STATE_RANDOM_BYTES = 16;
 var HEX_BASE2 = 16;
+var REDIRECT_LOOP_KEY = "ffid_sdk_redirect_loop_history";
+var REDIRECT_LOOP_WINDOW_MS = 6e4;
+var REDIRECT_LOOP_THRESHOLD = 3;
+var storageReadFailureLogged = false;
+var storageWriteFailureLogged = false;
+function logStorageReadFailure(logger, err) {
+  if (storageReadFailureLogged) return;
+  storageReadFailureLogged = true;
+  logger.warn(
+    "[FFID SDK] sessionStorage read failed \u2014 redirect loop detection disabled on this browser (fail-open). iOS WebKit private mode / eviction \u304C\u5178\u578B\u8981\u56E0",
+    err
+  );
+}
+function logStorageWriteFailure(logger, err) {
+  if (storageWriteFailureLogged) return;
+  storageWriteFailureLogged = true;
+  logger.warn(
+    "[FFID SDK] sessionStorage write failed \u2014 redirect loop detection disabled on this browser (fail-open).",
+    err
+  );
+}
+function isRedirectLoopHistory(value) {
+  if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
+  return Object.values(value).every(
+    (arr) => Array.isArray(arr) && arr.every((t) => typeof t === "number" && Number.isFinite(t))
+  );
+}
+function readRedirectLoopHistory(logger) {
+  if (typeof window === "undefined") return {};
+  try {
+    const raw = window.sessionStorage.getItem(REDIRECT_LOOP_KEY);
+    if (raw === null) return {};
+    const parsed = JSON.parse(raw);
+    return isRedirectLoopHistory(parsed) ? parsed : {};
+  } catch (err) {
+    logStorageReadFailure(logger, err);
+    return {};
+  }
+}
+function writeRedirectLoopHistory(history, logger) {
+  if (typeof window === "undefined") return;
+  try {
+    window.sessionStorage.setItem(REDIRECT_LOOP_KEY, JSON.stringify(history));
+  } catch (err) {
+    logStorageWriteFailure(logger, err);
+  }
+}
+function pruneRedirectLoopHistory(history, now) {
+  const cutoff = now - REDIRECT_LOOP_WINDOW_MS;
+  const pruned = {};
+  for (const [key, timestamps] of Object.entries(history)) {
+    const fresh = timestamps.filter((t) => t > cutoff);
+    if (fresh.length > 0) pruned[key] = fresh;
+  }
+  return pruned;
+}
+function getRecentRedirectCount(authorizeKey, now, logger) {
+  const pruned = pruneRedirectLoopHistory(readRedirectLoopHistory(logger), now);
+  writeRedirectLoopHistory(pruned, logger);
+  return pruned[authorizeKey]?.length ?? 0;
+}
+function recordRedirectAttempt(authorizeKey, now, logger) {
+  const history = readRedirectLoopHistory(logger);
+  const existing = history[authorizeKey] ?? [];
+  history[authorizeKey] = [...existing, now];
+  writeRedirectLoopHistory(history, logger);
+}
+function rollbackLastRedirectAttempt(authorizeKey, logger) {
+  const history = readRedirectLoopHistory(logger);
+  const existing = history[authorizeKey];
+  if (!Array.isArray(existing) || existing.length === 0) return;
+  history[authorizeKey] = existing.slice(0, -1);
+  if (history[authorizeKey].length === 0) delete history[authorizeKey];
+  writeRedirectLoopHistory(history, logger);
+}
+function buildAuthorizeKey(baseUrl, clientId, organizationId) {
+  const params = new URLSearchParams({ client_id: clientId });
+  const trimmedOrg = organizationId?.trim();
+  if (trimmedOrg) params.set("organization_id", trimmedOrg);
+  return `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
+}
 function generateRandomState() {
   const array = new Uint8Array(STATE_RANDOM_BYTES);
   crypto.getRandomValues(array);
@@ -1335,6 +1427,23 @@ function createRedirectMethods(deps) {
       logger.warn("SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093");
       return { success: false, error: "SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093" };
     }
+    const authorizeKey = buildAuthorizeKey(baseUrl, clientId, options?.organizationId);
+    const now = Date.now();
+    const recentCount = getRecentRedirectCount(authorizeKey, now, logger);
+    if (recentCount >= REDIRECT_LOOP_THRESHOLD) {
+      cleanupVerifierStorage(logger);
+      logger.warn("[FFID SDK] redirect loop detected \u2014 \u81EA\u52D5\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3092\u505C\u6B62\u3057\u307E\u3057\u305F", {
+        authorizeKey,
+        recentCount,
+        windowMs: REDIRECT_LOOP_WINDOW_MS,
+        threshold: REDIRECT_LOOP_THRESHOLD
+      });
+      return {
+        success: false,
+        code: "redirect_loop_detected",
+        error: "\u77ED\u6642\u9593\u306B\u540C\u3058\u8A8D\u53EF\u30A8\u30F3\u30C9\u30DD\u30A4\u30F3\u30C8\u3078\u306E\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u304C\u7E70\u308A\u8FD4\u3055\u308C\u305F\u305F\u3081\u3001\u30EB\u30FC\u30D7\u691C\u51FA\u306B\u3088\u308A\u81EA\u52D5\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3092\u505C\u6B62\u3057\u307E\u3057\u305F"
+      };
+    }
     const verifier = generateCodeVerifier();
     storeCodeVerifier(verifier, logger);
     let challenge;
@@ -1365,7 +1474,13 @@ function createRedirectMethods(deps) {
     }
     const authorizeUrl = `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
     logger.debug("Redirecting to authorize:", authorizeUrl);
-    window.location.href = authorizeUrl;
+    recordRedirectAttempt(authorizeKey, now, logger);
+    try {
+      window.location.href = authorizeUrl;
+    } catch (err) {
+      rollbackLastRedirectAttempt(authorizeKey, logger);
+      throw err;
+    }
     return { success: true };
   }
   async function redirectToLogin() {

package/dist/server/index.d.cts

@@ -825,8 +825,11 @@ interface FFIDUserProfile {
  * When `accessToken` is supplied with a non-empty value, it overrides the client's
  * configured auth mode: authentication for that request uses only
  * `Authorization: Bearer <accessToken>` (no service key, no cookie, no token-store
- * lookup, no auto-refresh on 401). Non-auth headers such as `Content-Type` and
- * SDK metadata headers (User-Agent / X-FFID-SDK-Version) are still attached.
+ * lookup, no auto-refresh on 401). Non-auth headers such as `Content-Type` are
+ * still attached. SDK metadata headers (`User-Agent` / `X-FFID-SDK-Version`) are
+ * attached on non-browser runtimes only (Node.js / Cloudflare Workers / Edge /
+ * Deno); browsers receive an empty object to avoid iOS WebKit `fetch()` breakage
+ * (see #2417).
  *
  * Runtime semantics:
  * - `accessToken` omitted (or `undefined`) → no override, configured `authMode` is used
@@ -888,17 +891,36 @@ interface FFIDUpdateUserProfileRequest {
     /** Arbitrary user preferences bag (null clears the column; reads return {}) */
     preferences?: Record<string, unknown> | null;
 }
+/**
+ * Discriminant for redirect failures that callers need to handle
+ * programmatically (vs. logging the human-readable `error` string).
+ *
+ * - `'redirect_loop_detected'`: `redirectToAuthorize()` detected that the
+ *   same authorize URL (keyed by `baseUrl + client_id + organization_id`)
+ *   has been fired **3 times within 60 seconds**. Caller should surface a
+ *   manual "再度ログインする" UI rather than retry automatically (#2406 / #2411).
+ *
+ * SDK 2.18.0 only ships `'redirect_loop_detected'`. Other failure paths
+ * (SSR environment, PKCE generation failure, empty organizationId) currently
+ * return `error` without a `code`. New codes will be added in future minor
+ * versions — treat this union as forward-extensible and do NOT exhaustively
+ * `switch` over it without a `default` branch for consumer code that must
+ * stay compatible across SDK upgrades.
+ */
+type FFIDRedirectErrorCode = 'redirect_loop_detected';
 /**
  * Result of a redirect operation (redirectToLogin / redirectToAuthorize / redirectToLogout)
  *
  * Structured return type so callers can inspect failure reasons
- * instead of receiving a bare `false`.
+ * instead of receiving a bare `false`. When `code` is set, branch on it
+ * for programmatic handling; otherwise log `error` for humans.
  */
 type FFIDRedirectResult = {
     success: true;
 } | {
     success: false;
     error: string;
+    code?: FFIDRedirectErrorCode;
 };
 
 /** OTP / magic link methods - sendOtp / verifyOtp */

package/dist/server/index.d.ts

@@ -825,8 +825,11 @@ interface FFIDUserProfile {
  * When `accessToken` is supplied with a non-empty value, it overrides the client's
  * configured auth mode: authentication for that request uses only
  * `Authorization: Bearer <accessToken>` (no service key, no cookie, no token-store
- * lookup, no auto-refresh on 401). Non-auth headers such as `Content-Type` and
- * SDK metadata headers (User-Agent / X-FFID-SDK-Version) are still attached.
+ * lookup, no auto-refresh on 401). Non-auth headers such as `Content-Type` are
+ * still attached. SDK metadata headers (`User-Agent` / `X-FFID-SDK-Version`) are
+ * attached on non-browser runtimes only (Node.js / Cloudflare Workers / Edge /
+ * Deno); browsers receive an empty object to avoid iOS WebKit `fetch()` breakage
+ * (see #2417).
  *
  * Runtime semantics:
  * - `accessToken` omitted (or `undefined`) → no override, configured `authMode` is used
@@ -888,17 +891,36 @@ interface FFIDUpdateUserProfileRequest {
     /** Arbitrary user preferences bag (null clears the column; reads return {}) */
     preferences?: Record<string, unknown> | null;
 }
+/**
+ * Discriminant for redirect failures that callers need to handle
+ * programmatically (vs. logging the human-readable `error` string).
+ *
+ * - `'redirect_loop_detected'`: `redirectToAuthorize()` detected that the
+ *   same authorize URL (keyed by `baseUrl + client_id + organization_id`)
+ *   has been fired **3 times within 60 seconds**. Caller should surface a
+ *   manual "再度ログインする" UI rather than retry automatically (#2406 / #2411).
+ *
+ * SDK 2.18.0 only ships `'redirect_loop_detected'`. Other failure paths
+ * (SSR environment, PKCE generation failure, empty organizationId) currently
+ * return `error` without a `code`. New codes will be added in future minor
+ * versions — treat this union as forward-extensible and do NOT exhaustively
+ * `switch` over it without a `default` branch for consumer code that must
+ * stay compatible across SDK upgrades.
+ */
+type FFIDRedirectErrorCode = 'redirect_loop_detected';
 /**
  * Result of a redirect operation (redirectToLogin / redirectToAuthorize / redirectToLogout)
  *
  * Structured return type so callers can inspect failure reasons
- * instead of receiving a bare `false`.
+ * instead of receiving a bare `false`. When `code` is set, branch on it
+ * for programmatic handling; otherwise log `error` for humans.
  */
 type FFIDRedirectResult = {
     success: true;
 } | {
     success: false;
     error: string;
+    code?: FFIDRedirectErrorCode;
 };
 
 /** OTP / magic link methods - sendOtp / verifyOtp */

package/dist/server/index.js

@@ -100,10 +100,7 @@ function createTokenStore(storageType) {
 // src/client/oauth-userinfo.ts
 var SESSION_ELIGIBLE_SUBSCRIPTION_STATUSES = [
   "trialing",
-  "active",
-  "past_due",
-  "canceled",
-  "paused"
+  "active"
 ];
 function isSessionEligibleSubscriptionStatus(value) {
   return typeof value === "string" && SESSION_ELIGIBLE_SUBSCRIPTION_STATUSES.includes(value);
@@ -805,10 +802,11 @@ function createProfileMethods(deps) {
 }
 
 // src/client/version-check.ts
-var SDK_VERSION = "2.17.0";
+var SDK_VERSION = "2.18.0";
 var SDK_USER_AGENT = `FFID-SDK/${SDK_VERSION} (TypeScript)`;
 var SDK_VERSION_HEADER = "X-FFID-SDK-Version";
 function sdkHeaders() {
+  if (typeof window !== "undefined") return {};
   return {
     "User-Agent": SDK_USER_AGENT,
     [SDK_VERSION_HEADER]: SDK_VERSION
@@ -1301,6 +1299,19 @@ function storeCodeVerifier(verifier, logger) {
   }
   return sessionStored || localStored;
 }
+function cleanupVerifierStorage(logger) {
+  try {
+    window.sessionStorage.removeItem(VERIFIER_STORAGE_KEY);
+  } catch (error) {
+    logger?.warn("retrieveCodeVerifier: sessionStorage \u306E\u30AF\u30EA\u30FC\u30F3\u30A2\u30C3\u30D7\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", error);
+  }
+  try {
+    window.localStorage.removeItem(VERIFIER_FALLBACK_STORAGE_KEY);
+    window.localStorage.removeItem(VERIFIER_FALLBACK_TIMESTAMP_KEY);
+  } catch (error) {
+    logger?.warn("retrieveCodeVerifier: localStorage \u306E\u30AF\u30EA\u30FC\u30F3\u30A2\u30C3\u30D7\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", error);
+  }
+}
 function base64UrlEncode(buffer) {
   const bytes = new Uint8Array(buffer);
   let binary = "";
@@ -1315,6 +1326,87 @@ var OAUTH_AUTHORIZE_ENDPOINT = "/api/v1/oauth/authorize";
 var AUTH_LOGOUT_ENDPOINT = "/api/v1/auth/logout";
 var STATE_RANDOM_BYTES = 16;
 var HEX_BASE2 = 16;
+var REDIRECT_LOOP_KEY = "ffid_sdk_redirect_loop_history";
+var REDIRECT_LOOP_WINDOW_MS = 6e4;
+var REDIRECT_LOOP_THRESHOLD = 3;
+var storageReadFailureLogged = false;
+var storageWriteFailureLogged = false;
+function logStorageReadFailure(logger, err) {
+  if (storageReadFailureLogged) return;
+  storageReadFailureLogged = true;
+  logger.warn(
+    "[FFID SDK] sessionStorage read failed \u2014 redirect loop detection disabled on this browser (fail-open). iOS WebKit private mode / eviction \u304C\u5178\u578B\u8981\u56E0",
+    err
+  );
+}
+function logStorageWriteFailure(logger, err) {
+  if (storageWriteFailureLogged) return;
+  storageWriteFailureLogged = true;
+  logger.warn(
+    "[FFID SDK] sessionStorage write failed \u2014 redirect loop detection disabled on this browser (fail-open).",
+    err
+  );
+}
+function isRedirectLoopHistory(value) {
+  if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
+  return Object.values(value).every(
+    (arr) => Array.isArray(arr) && arr.every((t) => typeof t === "number" && Number.isFinite(t))
+  );
+}
+function readRedirectLoopHistory(logger) {
+  if (typeof window === "undefined") return {};
+  try {
+    const raw = window.sessionStorage.getItem(REDIRECT_LOOP_KEY);
+    if (raw === null) return {};
+    const parsed = JSON.parse(raw);
+    return isRedirectLoopHistory(parsed) ? parsed : {};
+  } catch (err) {
+    logStorageReadFailure(logger, err);
+    return {};
+  }
+}
+function writeRedirectLoopHistory(history, logger) {
+  if (typeof window === "undefined") return;
+  try {
+    window.sessionStorage.setItem(REDIRECT_LOOP_KEY, JSON.stringify(history));
+  } catch (err) {
+    logStorageWriteFailure(logger, err);
+  }
+}
+function pruneRedirectLoopHistory(history, now) {
+  const cutoff = now - REDIRECT_LOOP_WINDOW_MS;
+  const pruned = {};
+  for (const [key, timestamps] of Object.entries(history)) {
+    const fresh = timestamps.filter((t) => t > cutoff);
+    if (fresh.length > 0) pruned[key] = fresh;
+  }
+  return pruned;
+}
+function getRecentRedirectCount(authorizeKey, now, logger) {
+  const pruned = pruneRedirectLoopHistory(readRedirectLoopHistory(logger), now);
+  writeRedirectLoopHistory(pruned, logger);
+  return pruned[authorizeKey]?.length ?? 0;
+}
+function recordRedirectAttempt(authorizeKey, now, logger) {
+  const history = readRedirectLoopHistory(logger);
+  const existing = history[authorizeKey] ?? [];
+  history[authorizeKey] = [...existing, now];
+  writeRedirectLoopHistory(history, logger);
+}
+function rollbackLastRedirectAttempt(authorizeKey, logger) {
+  const history = readRedirectLoopHistory(logger);
+  const existing = history[authorizeKey];
+  if (!Array.isArray(existing) || existing.length === 0) return;
+  history[authorizeKey] = existing.slice(0, -1);
+  if (history[authorizeKey].length === 0) delete history[authorizeKey];
+  writeRedirectLoopHistory(history, logger);
+}
+function buildAuthorizeKey(baseUrl, clientId, organizationId) {
+  const params = new URLSearchParams({ client_id: clientId });
+  const trimmedOrg = organizationId?.trim();
+  if (trimmedOrg) params.set("organization_id", trimmedOrg);
+  return `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
+}
 function generateRandomState() {
   const array = new Uint8Array(STATE_RANDOM_BYTES);
   crypto.getRandomValues(array);
@@ -1334,6 +1426,23 @@ function createRedirectMethods(deps) {
       logger.warn("SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093");
       return { success: false, error: "SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093" };
     }
+    const authorizeKey = buildAuthorizeKey(baseUrl, clientId, options?.organizationId);
+    const now = Date.now();
+    const recentCount = getRecentRedirectCount(authorizeKey, now, logger);
+    if (recentCount >= REDIRECT_LOOP_THRESHOLD) {
+      cleanupVerifierStorage(logger);
+      logger.warn("[FFID SDK] redirect loop detected \u2014 \u81EA\u52D5\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3092\u505C\u6B62\u3057\u307E\u3057\u305F", {
+        authorizeKey,
+        recentCount,
+        windowMs: REDIRECT_LOOP_WINDOW_MS,
+        threshold: REDIRECT_LOOP_THRESHOLD
+      });
+      return {
+        success: false,
+        code: "redirect_loop_detected",
+        error: "\u77ED\u6642\u9593\u306B\u540C\u3058\u8A8D\u53EF\u30A8\u30F3\u30C9\u30DD\u30A4\u30F3\u30C8\u3078\u306E\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u304C\u7E70\u308A\u8FD4\u3055\u308C\u305F\u305F\u3081\u3001\u30EB\u30FC\u30D7\u691C\u51FA\u306B\u3088\u308A\u81EA\u52D5\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3092\u505C\u6B62\u3057\u307E\u3057\u305F"
+      };
+    }
     const verifier = generateCodeVerifier();
     storeCodeVerifier(verifier, logger);
     let challenge;
@@ -1364,7 +1473,13 @@ function createRedirectMethods(deps) {
     }
     const authorizeUrl = `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
     logger.debug("Redirecting to authorize:", authorizeUrl);
-    window.location.href = authorizeUrl;
+    recordRedirectAttempt(authorizeKey, now, logger);
+    try {
+      window.location.href = authorizeUrl;
+    } catch (err) {
+      rollbackLastRedirectAttempt(authorizeKey, logger);
+      throw err;
+    }
     return { success: true };
   }
   async function redirectToLogin() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@feelflow/ffid-sdk",
-  "version": "2.17.0",
+  "version": "2.18.0",
   "description": "FeelFlow ID Platform SDK for React/Next.js applications",
   "keywords": [
     "feelflow",