@feelflow/ffid-sdk 2.17.1 → 2.19.0

package/README.md

@@ -206,16 +206,51 @@ const {
 
 ```tsx
 const {
-  subscription,  // FFIDSubscription | null - 現在のサブスクリプション
-  planCode,      // string | null - プランコード
-  isActive,      // boolean - アクティブ契約
-  isTrialing,    // boolean - トライアル中
-  isCanceled,    // boolean - 解約済み
-  hasPlan,       // (plans: string | string[]) => boolean - プラン確認
-  hasAccess,     // () => boolean - アクセス権確認
+  subscription,     // FFIDSubscription | null - 現在のサブスクリプション
+  planCode,         // string | null - プランコード
+  isActive,         // boolean - DB ステータスが 'active'
+  isTrialing,       // boolean - トライアル中
+  isCanceled,       // boolean - 解約済み
+  isTrialExpired,   // boolean - トライアル期間超過
+  effectiveStatus,  // EffectiveSubscriptionStatus | null - 意味論的アクセス制御値
+  isBlocked,        // boolean - blocked / expired / canceled / trial_expired
+  isGrace,          // boolean - past_due_grace (支払い失敗の猶予期間中)
+  hasPlan,          // (plans: string | string[]) => boolean - プラン確認
+  hasAccess,        // () => boolean - アクセス権確認 (active || past_due_grace)
+  hasAccessLegacy,  // () => boolean - 旧セマンティクス (active || trialing, pre-2.19)
 } = useSubscription()
 ```
 
+`effectiveStatus` は `/api/v1/subscriptions/ext/check` が返す意味論的ステータスと同じ値を取る。詳細は [契約期限切れハンドリング](#契約期限切れハンドリング) を参照。
+
+### useRequireActiveSubscription()
+
+契約が期限切れ/遮断状態のときに自動でリダイレクトするフック。
+
+```tsx
+'use client'
+import { useRouter } from 'next/navigation'
+import { useRequireActiveSubscription } from '@feelflow/ffid-sdk'
+
+function ProtectedShell({ children }: { children: React.ReactNode }) {
+  const router = useRouter()
+  const { loading } = useRequireActiveSubscription({
+    redirectTo: (status) =>
+      status === 'canceled' ? '/contract-ended' : '/contract-required',
+    onRedirect: (url) => router.replace(url),
+  })
+
+  if (loading) return <FullPageSpinner />
+  return <>{children}</>
+}
+```
+
+オプション:
+
+- `redirectTo`: `string` または `(status: EffectiveSubscriptionStatus) => string`
+- `allowGrace` (default: `true`): `past_due_grace` を通過させるか
+- `onRedirect` (optional): 独自のリダイレクト関数（未指定時は `window.location.href`）
+
 ### withSubscription()
 
 サブスクリプション確認HOC。
@@ -228,6 +263,34 @@ const PremiumFeature = withSubscription(MyComponent, {
 })
 ```
 
+## 契約期限切れハンドリング
+
+契約が失効したり解約されたとき、外部サービス側で適切にアクセスを遮断し、ユーザーを再契約動線に案内する必要があります。SDK は 3 層構成（トークン検証 / 契約チェック / Webhook 受信）をサポートしています。
+
+### 最小構成（Next.js App Router）
+
+```tsx
+'use client'
+import { useRouter } from 'next/navigation'
+import { useRequireActiveSubscription } from '@feelflow/ffid-sdk'
+
+export default function Layout({ children }: { children: React.ReactNode }) {
+  const router = useRouter()
+  const { loading, effectiveStatus } = useRequireActiveSubscription({
+    redirectTo: '/contract-required',
+    onRedirect: (url) => router.replace(url),
+  })
+
+  if (loading) return <Spinner />
+  if (effectiveStatus !== 'active' && effectiveStatus !== 'past_due_grace') {
+    return null // リダイレクト発火中
+  }
+  return <>{children}</>
+}
+```
+
+**詳細な実装レシピ**（middleware、Express、UI 分岐、Webhook 受信、fixture API を使ったテスト、`EffectiveSubscriptionStatus` 別の UI 推奨動作まで） → [docs/03-implementation/EXPIRED_CONTRACT_HANDLING.md](https://github.com/feel-flow/feelflow-id-platform/blob/develop/docs/03-implementation/EXPIRED_CONTRACT_HANDLING.md)
+
 ### getProfile() / updateProfile()
 
 ログイン中ユーザー自身のプロフィールを取得・更新するメソッド（`createFFIDClient` から呼び出し）。

package/dist/{chunk-DERFBYBZ.cjs → chunk-BBXUZS4U.cjs}

@@ -105,10 +105,7 @@ function createTokenStore(storageType) {
 // src/client/oauth-userinfo.ts
 var SESSION_ELIGIBLE_SUBSCRIPTION_STATUSES = [
   "trialing",
-  "active",
-  "past_due",
-  "canceled",
-  "paused"
+  "active"
 ];
 function isSessionEligibleSubscriptionStatus(value) {
   return typeof value === "string" && SESSION_ELIGIBLE_SUBSCRIPTION_STATUSES.includes(value);
@@ -810,7 +807,7 @@ function createProfileMethods(deps) {
 }
 
 // src/client/version-check.ts
-var SDK_VERSION = "2.17.1";
+var SDK_VERSION = "2.19.0";
 var SDK_USER_AGENT = `FFID-SDK/${SDK_VERSION} (TypeScript)`;
 var SDK_VERSION_HEADER = "X-FFID-SDK-Version";
 function sdkHeaders() {
@@ -1373,6 +1370,87 @@ var OAUTH_AUTHORIZE_ENDPOINT = "/api/v1/oauth/authorize";
 var AUTH_LOGOUT_ENDPOINT = "/api/v1/auth/logout";
 var STATE_RANDOM_BYTES = 16;
 var HEX_BASE2 = 16;
+var REDIRECT_LOOP_KEY = "ffid_sdk_redirect_loop_history";
+var REDIRECT_LOOP_WINDOW_MS = 6e4;
+var REDIRECT_LOOP_THRESHOLD = 3;
+var storageReadFailureLogged = false;
+var storageWriteFailureLogged = false;
+function logStorageReadFailure(logger, err) {
+  if (storageReadFailureLogged) return;
+  storageReadFailureLogged = true;
+  logger.warn(
+    "[FFID SDK] sessionStorage read failed \u2014 redirect loop detection disabled on this browser (fail-open). iOS WebKit private mode / eviction \u304C\u5178\u578B\u8981\u56E0",
+    err
+  );
+}
+function logStorageWriteFailure(logger, err) {
+  if (storageWriteFailureLogged) return;
+  storageWriteFailureLogged = true;
+  logger.warn(
+    "[FFID SDK] sessionStorage write failed \u2014 redirect loop detection disabled on this browser (fail-open).",
+    err
+  );
+}
+function isRedirectLoopHistory(value) {
+  if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
+  return Object.values(value).every(
+    (arr) => Array.isArray(arr) && arr.every((t) => typeof t === "number" && Number.isFinite(t))
+  );
+}
+function readRedirectLoopHistory(logger) {
+  if (typeof window === "undefined") return {};
+  try {
+    const raw = window.sessionStorage.getItem(REDIRECT_LOOP_KEY);
+    if (raw === null) return {};
+    const parsed = JSON.parse(raw);
+    return isRedirectLoopHistory(parsed) ? parsed : {};
+  } catch (err) {
+    logStorageReadFailure(logger, err);
+    return {};
+  }
+}
+function writeRedirectLoopHistory(history, logger) {
+  if (typeof window === "undefined") return;
+  try {
+    window.sessionStorage.setItem(REDIRECT_LOOP_KEY, JSON.stringify(history));
+  } catch (err) {
+    logStorageWriteFailure(logger, err);
+  }
+}
+function pruneRedirectLoopHistory(history, now) {
+  const cutoff = now - REDIRECT_LOOP_WINDOW_MS;
+  const pruned = {};
+  for (const [key, timestamps] of Object.entries(history)) {
+    const fresh = timestamps.filter((t) => t > cutoff);
+    if (fresh.length > 0) pruned[key] = fresh;
+  }
+  return pruned;
+}
+function getRecentRedirectCount(authorizeKey, now, logger) {
+  const pruned = pruneRedirectLoopHistory(readRedirectLoopHistory(logger), now);
+  writeRedirectLoopHistory(pruned, logger);
+  return pruned[authorizeKey]?.length ?? 0;
+}
+function recordRedirectAttempt(authorizeKey, now, logger) {
+  const history = readRedirectLoopHistory(logger);
+  const existing = history[authorizeKey] ?? [];
+  history[authorizeKey] = [...existing, now];
+  writeRedirectLoopHistory(history, logger);
+}
+function rollbackLastRedirectAttempt(authorizeKey, logger) {
+  const history = readRedirectLoopHistory(logger);
+  const existing = history[authorizeKey];
+  if (!Array.isArray(existing) || existing.length === 0) return;
+  history[authorizeKey] = existing.slice(0, -1);
+  if (history[authorizeKey].length === 0) delete history[authorizeKey];
+  writeRedirectLoopHistory(history, logger);
+}
+function buildAuthorizeKey(baseUrl, clientId, organizationId) {
+  const params = new URLSearchParams({ client_id: clientId });
+  const trimmedOrg = organizationId?.trim();
+  if (trimmedOrg) params.set("organization_id", trimmedOrg);
+  return `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
+}
 function generateRandomState() {
   const array = new Uint8Array(STATE_RANDOM_BYTES);
   crypto.getRandomValues(array);
@@ -1392,6 +1470,23 @@ function createRedirectMethods(deps) {
       logger.warn("SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093");
       return { success: false, error: "SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093" };
     }
+    const authorizeKey = buildAuthorizeKey(baseUrl, clientId, options?.organizationId);
+    const now = Date.now();
+    const recentCount = getRecentRedirectCount(authorizeKey, now, logger);
+    if (recentCount >= REDIRECT_LOOP_THRESHOLD) {
+      cleanupVerifierStorage(logger);
+      logger.warn("[FFID SDK] redirect loop detected \u2014 \u81EA\u52D5\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3092\u505C\u6B62\u3057\u307E\u3057\u305F", {
+        authorizeKey,
+        recentCount,
+        windowMs: REDIRECT_LOOP_WINDOW_MS,
+        threshold: REDIRECT_LOOP_THRESHOLD
+      });
+      return {
+        success: false,
+        code: "redirect_loop_detected",
+        error: "\u77ED\u6642\u9593\u306B\u540C\u3058\u8A8D\u53EF\u30A8\u30F3\u30C9\u30DD\u30A4\u30F3\u30C8\u3078\u306E\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u304C\u7E70\u308A\u8FD4\u3055\u308C\u305F\u305F\u3081\u3001\u30EB\u30FC\u30D7\u691C\u51FA\u306B\u3088\u308A\u81EA\u52D5\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3092\u505C\u6B62\u3057\u307E\u3057\u305F"
+      };
+    }
     const verifier = generateCodeVerifier();
     storeCodeVerifier(verifier, logger);
     let challenge;
@@ -1422,7 +1517,13 @@ function createRedirectMethods(deps) {
     }
     const authorizeUrl = `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
     logger.debug("Redirecting to authorize:", authorizeUrl);
-    window.location.href = authorizeUrl;
+    recordRedirectAttempt(authorizeKey, now, logger);
+    try {
+      window.location.href = authorizeUrl;
+    } catch (err) {
+      rollbackLastRedirectAttempt(authorizeKey, logger);
+      throw err;
+    }
     return { success: true };
   }
   async function redirectToLogin() {
@@ -3061,6 +3162,67 @@ function FFIDOrganizationSwitcher({
     ] })
   ] });
 }
+
+// src/subscriptions/types.ts
+var PAST_DUE_GRACE_PERIOD_DAYS = 7;
+var HOURS_PER_DAY = 24;
+var MINUTES_PER_HOUR = 60;
+var SECONDS_PER_MINUTE = 60;
+var MS_PER_SECOND2 = 1e3;
+var MS_PER_DAY = HOURS_PER_DAY * MINUTES_PER_HOUR * SECONDS_PER_MINUTE * MS_PER_SECOND2;
+
+// src/subscriptions/compute-effective-status.ts
+function isExpired(isoTimestamp, nowMs) {
+  if (!isoTimestamp) return null;
+  const parsed = Date.parse(isoTimestamp);
+  if (Number.isNaN(parsed)) return null;
+  return parsed < nowMs;
+}
+function computeEffectiveStatusFromSession(input, nowMs = Date.now()) {
+  const { status, currentPeriodEnd, trialEnd, pastDueSince } = input;
+  switch (status) {
+    case "trialing": {
+      const relevantEnd = trialEnd ?? currentPeriodEnd;
+      const expired = isExpired(relevantEnd, nowMs);
+      return expired === true ? "trial_expired" : "active";
+    }
+    case "active": {
+      const expired = isExpired(currentPeriodEnd, nowMs);
+      return expired === true ? "expired" : "active";
+    }
+    case "past_due": {
+      const baselineIso = pastDueSince ?? currentPeriodEnd;
+      if (!baselineIso) return "blocked";
+      const baselineMs = Date.parse(baselineIso);
+      if (Number.isNaN(baselineMs)) return "blocked";
+      const graceEndMs = baselineMs + PAST_DUE_GRACE_PERIOD_DAYS * MS_PER_DAY;
+      return graceEndMs > nowMs ? "past_due_grace" : "blocked";
+    }
+    case "pending_invoice":
+      return "active";
+    case "paused":
+    case "incomplete":
+      return "active";
+    case "canceled":
+      return "canceled";
+    case "unpaid":
+    case "incomplete_expired":
+      return "blocked";
+    default: {
+      return "blocked";
+    }
+  }
+}
+var ACCESS_GRANTING_STATUSES = [
+  "active",
+  "past_due_grace"
+];
+var BLOCKING_STATUSES = [
+  "blocked",
+  "expired",
+  "canceled",
+  "trial_expired"
+];
 function useSubscription() {
   const context = useFFIDContext();
   const client = useFFIDClient();
@@ -3078,12 +3240,23 @@ function useSubscription() {
   const isActive = subscription?.status === "active";
   const isTrialing = subscription?.status === "trialing";
   const isCanceled = subscription?.status === "canceled";
-  const isTrialExpired = react.useMemo(() => {
-    if (!isTrialing) return false;
-    const relevantEnd = subscription?.trialEnd ?? subscription?.currentPeriodEnd;
-    if (!relevantEnd) return false;
-    return new Date(relevantEnd).getTime() < Date.now();
-  }, [isTrialing, subscription?.trialEnd, subscription?.currentPeriodEnd]);
+  const effectiveStatus = react.useMemo(() => {
+    if (!subscription) return null;
+    return computeEffectiveStatusFromSession({
+      status: subscription.status,
+      currentPeriodEnd: subscription.currentPeriodEnd,
+      trialEnd: subscription.trialEnd,
+      // TODO(別Issue): FFID backend の session API (`/api/auth/session`) に
+      //   `pastDueSince` (ISO timestamp) を追加し、ここで渡す。現状は undefined
+      //   のため `computeEffectiveStatusFromSession` 内で currentPeriodEnd を
+      //   fallback に使う (Stripe は period end 近辺で past_due にする)。
+      //   Canonical な verdict が必要な consumer は `/ext/check` を直接呼ぶ。
+      pastDueSince: void 0
+    });
+  }, [subscription]);
+  const isGrace = effectiveStatus === "past_due_grace";
+  const isBlocked = effectiveStatus !== null && BLOCKING_STATUSES.includes(effectiveStatus);
+  const isTrialExpired = effectiveStatus === "trial_expired";
   const hasPlan = react.useCallback(
     (plans) => {
       if (!planCode) return false;
@@ -3093,6 +3266,10 @@ function useSubscription() {
     [planCode]
   );
   const hasAccess = react.useCallback(() => {
+    if (effectiveStatus === null) return false;
+    return ACCESS_GRANTING_STATUSES.includes(effectiveStatus);
+  }, [effectiveStatus]);
+  const hasAccessLegacy = react.useCallback(() => {
     if (isTrialExpired) return false;
     return isActive || isTrialing;
   }, [isActive, isTrialing, isTrialExpired]);
@@ -3103,8 +3280,12 @@ function useSubscription() {
     isTrialing,
     isTrialExpired,
     isCanceled,
+    effectiveStatus,
+    isBlocked,
+    isGrace,
     hasPlan,
-    hasAccess
+    hasAccess,
+    hasAccessLegacy
   };
 }
 function withSubscription(Component, options = {}) {
@@ -4340,6 +4521,7 @@ exports.FFIDUserMenu = FFIDUserMenu;
 exports.FFID_ANNOUNCEMENTS_ERROR_CODES = FFID_ANNOUNCEMENTS_ERROR_CODES;
 exports.FFID_INQUIRY_CATEGORIES = FFID_INQUIRY_CATEGORIES;
 exports.FFID_INQUIRY_CATEGORIES_SITE_2026 = FFID_INQUIRY_CATEGORIES_SITE_2026;
+exports.computeEffectiveStatusFromSession = computeEffectiveStatusFromSession;
 exports.createFFIDAnnouncementsClient = createFFIDAnnouncementsClient;
 exports.createFFIDClient = createFFIDClient;
 exports.createTokenStore = createTokenStore;

package/dist/{chunk-FGTRPNSW.js → chunk-SXYB5QM3.js}

@@ -103,10 +103,7 @@ function createTokenStore(storageType) {
 // src/client/oauth-userinfo.ts
 var SESSION_ELIGIBLE_SUBSCRIPTION_STATUSES = [
   "trialing",
-  "active",
-  "past_due",
-  "canceled",
-  "paused"
+  "active"
 ];
 function isSessionEligibleSubscriptionStatus(value) {
   return typeof value === "string" && SESSION_ELIGIBLE_SUBSCRIPTION_STATUSES.includes(value);
@@ -808,7 +805,7 @@ function createProfileMethods(deps) {
 }
 
 // src/client/version-check.ts
-var SDK_VERSION = "2.17.1";
+var SDK_VERSION = "2.19.0";
 var SDK_USER_AGENT = `FFID-SDK/${SDK_VERSION} (TypeScript)`;
 var SDK_VERSION_HEADER = "X-FFID-SDK-Version";
 function sdkHeaders() {
@@ -1371,6 +1368,87 @@ var OAUTH_AUTHORIZE_ENDPOINT = "/api/v1/oauth/authorize";
 var AUTH_LOGOUT_ENDPOINT = "/api/v1/auth/logout";
 var STATE_RANDOM_BYTES = 16;
 var HEX_BASE2 = 16;
+var REDIRECT_LOOP_KEY = "ffid_sdk_redirect_loop_history";
+var REDIRECT_LOOP_WINDOW_MS = 6e4;
+var REDIRECT_LOOP_THRESHOLD = 3;
+var storageReadFailureLogged = false;
+var storageWriteFailureLogged = false;
+function logStorageReadFailure(logger, err) {
+  if (storageReadFailureLogged) return;
+  storageReadFailureLogged = true;
+  logger.warn(
+    "[FFID SDK] sessionStorage read failed \u2014 redirect loop detection disabled on this browser (fail-open). iOS WebKit private mode / eviction \u304C\u5178\u578B\u8981\u56E0",
+    err
+  );
+}
+function logStorageWriteFailure(logger, err) {
+  if (storageWriteFailureLogged) return;
+  storageWriteFailureLogged = true;
+  logger.warn(
+    "[FFID SDK] sessionStorage write failed \u2014 redirect loop detection disabled on this browser (fail-open).",
+    err
+  );
+}
+function isRedirectLoopHistory(value) {
+  if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
+  return Object.values(value).every(
+    (arr) => Array.isArray(arr) && arr.every((t) => typeof t === "number" && Number.isFinite(t))
+  );
+}
+function readRedirectLoopHistory(logger) {
+  if (typeof window === "undefined") return {};
+  try {
+    const raw = window.sessionStorage.getItem(REDIRECT_LOOP_KEY);
+    if (raw === null) return {};
+    const parsed = JSON.parse(raw);
+    return isRedirectLoopHistory(parsed) ? parsed : {};
+  } catch (err) {
+    logStorageReadFailure(logger, err);
+    return {};
+  }
+}
+function writeRedirectLoopHistory(history, logger) {
+  if (typeof window === "undefined") return;
+  try {
+    window.sessionStorage.setItem(REDIRECT_LOOP_KEY, JSON.stringify(history));
+  } catch (err) {
+    logStorageWriteFailure(logger, err);
+  }
+}
+function pruneRedirectLoopHistory(history, now) {
+  const cutoff = now - REDIRECT_LOOP_WINDOW_MS;
+  const pruned = {};
+  for (const [key, timestamps] of Object.entries(history)) {
+    const fresh = timestamps.filter((t) => t > cutoff);
+    if (fresh.length > 0) pruned[key] = fresh;
+  }
+  return pruned;
+}
+function getRecentRedirectCount(authorizeKey, now, logger) {
+  const pruned = pruneRedirectLoopHistory(readRedirectLoopHistory(logger), now);
+  writeRedirectLoopHistory(pruned, logger);
+  return pruned[authorizeKey]?.length ?? 0;
+}
+function recordRedirectAttempt(authorizeKey, now, logger) {
+  const history = readRedirectLoopHistory(logger);
+  const existing = history[authorizeKey] ?? [];
+  history[authorizeKey] = [...existing, now];
+  writeRedirectLoopHistory(history, logger);
+}
+function rollbackLastRedirectAttempt(authorizeKey, logger) {
+  const history = readRedirectLoopHistory(logger);
+  const existing = history[authorizeKey];
+  if (!Array.isArray(existing) || existing.length === 0) return;
+  history[authorizeKey] = existing.slice(0, -1);
+  if (history[authorizeKey].length === 0) delete history[authorizeKey];
+  writeRedirectLoopHistory(history, logger);
+}
+function buildAuthorizeKey(baseUrl, clientId, organizationId) {
+  const params = new URLSearchParams({ client_id: clientId });
+  const trimmedOrg = organizationId?.trim();
+  if (trimmedOrg) params.set("organization_id", trimmedOrg);
+  return `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
+}
 function generateRandomState() {
   const array = new Uint8Array(STATE_RANDOM_BYTES);
   crypto.getRandomValues(array);
@@ -1390,6 +1468,23 @@ function createRedirectMethods(deps) {
       logger.warn("SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093");
       return { success: false, error: "SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093" };
     }
+    const authorizeKey = buildAuthorizeKey(baseUrl, clientId, options?.organizationId);
+    const now = Date.now();
+    const recentCount = getRecentRedirectCount(authorizeKey, now, logger);
+    if (recentCount >= REDIRECT_LOOP_THRESHOLD) {
+      cleanupVerifierStorage(logger);
+      logger.warn("[FFID SDK] redirect loop detected \u2014 \u81EA\u52D5\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3092\u505C\u6B62\u3057\u307E\u3057\u305F", {
+        authorizeKey,
+        recentCount,
+        windowMs: REDIRECT_LOOP_WINDOW_MS,
+        threshold: REDIRECT_LOOP_THRESHOLD
+      });
+      return {
+        success: false,
+        code: "redirect_loop_detected",
+        error: "\u77ED\u6642\u9593\u306B\u540C\u3058\u8A8D\u53EF\u30A8\u30F3\u30C9\u30DD\u30A4\u30F3\u30C8\u3078\u306E\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u304C\u7E70\u308A\u8FD4\u3055\u308C\u305F\u305F\u3081\u3001\u30EB\u30FC\u30D7\u691C\u51FA\u306B\u3088\u308A\u81EA\u52D5\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3092\u505C\u6B62\u3057\u307E\u3057\u305F"
+      };
+    }
     const verifier = generateCodeVerifier();
     storeCodeVerifier(verifier, logger);
     let challenge;
@@ -1420,7 +1515,13 @@ function createRedirectMethods(deps) {
     }
     const authorizeUrl = `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
     logger.debug("Redirecting to authorize:", authorizeUrl);
-    window.location.href = authorizeUrl;
+    recordRedirectAttempt(authorizeKey, now, logger);
+    try {
+      window.location.href = authorizeUrl;
+    } catch (err) {
+      rollbackLastRedirectAttempt(authorizeKey, logger);
+      throw err;
+    }
     return { success: true };
   }
   async function redirectToLogin() {
@@ -3059,6 +3160,67 @@ function FFIDOrganizationSwitcher({
     ] })
   ] });
 }
+
+// src/subscriptions/types.ts
+var PAST_DUE_GRACE_PERIOD_DAYS = 7;
+var HOURS_PER_DAY = 24;
+var MINUTES_PER_HOUR = 60;
+var SECONDS_PER_MINUTE = 60;
+var MS_PER_SECOND2 = 1e3;
+var MS_PER_DAY = HOURS_PER_DAY * MINUTES_PER_HOUR * SECONDS_PER_MINUTE * MS_PER_SECOND2;
+
+// src/subscriptions/compute-effective-status.ts
+function isExpired(isoTimestamp, nowMs) {
+  if (!isoTimestamp) return null;
+  const parsed = Date.parse(isoTimestamp);
+  if (Number.isNaN(parsed)) return null;
+  return parsed < nowMs;
+}
+function computeEffectiveStatusFromSession(input, nowMs = Date.now()) {
+  const { status, currentPeriodEnd, trialEnd, pastDueSince } = input;
+  switch (status) {
+    case "trialing": {
+      const relevantEnd = trialEnd ?? currentPeriodEnd;
+      const expired = isExpired(relevantEnd, nowMs);
+      return expired === true ? "trial_expired" : "active";
+    }
+    case "active": {
+      const expired = isExpired(currentPeriodEnd, nowMs);
+      return expired === true ? "expired" : "active";
+    }
+    case "past_due": {
+      const baselineIso = pastDueSince ?? currentPeriodEnd;
+      if (!baselineIso) return "blocked";
+      const baselineMs = Date.parse(baselineIso);
+      if (Number.isNaN(baselineMs)) return "blocked";
+      const graceEndMs = baselineMs + PAST_DUE_GRACE_PERIOD_DAYS * MS_PER_DAY;
+      return graceEndMs > nowMs ? "past_due_grace" : "blocked";
+    }
+    case "pending_invoice":
+      return "active";
+    case "paused":
+    case "incomplete":
+      return "active";
+    case "canceled":
+      return "canceled";
+    case "unpaid":
+    case "incomplete_expired":
+      return "blocked";
+    default: {
+      return "blocked";
+    }
+  }
+}
+var ACCESS_GRANTING_STATUSES = [
+  "active",
+  "past_due_grace"
+];
+var BLOCKING_STATUSES = [
+  "blocked",
+  "expired",
+  "canceled",
+  "trial_expired"
+];
 function useSubscription() {
   const context = useFFIDContext();
   const client = useFFIDClient();
@@ -3076,12 +3238,23 @@ function useSubscription() {
   const isActive = subscription?.status === "active";
   const isTrialing = subscription?.status === "trialing";
   const isCanceled = subscription?.status === "canceled";
-  const isTrialExpired = useMemo(() => {
-    if (!isTrialing) return false;
-    const relevantEnd = subscription?.trialEnd ?? subscription?.currentPeriodEnd;
-    if (!relevantEnd) return false;
-    return new Date(relevantEnd).getTime() < Date.now();
-  }, [isTrialing, subscription?.trialEnd, subscription?.currentPeriodEnd]);
+  const effectiveStatus = useMemo(() => {
+    if (!subscription) return null;
+    return computeEffectiveStatusFromSession({
+      status: subscription.status,
+      currentPeriodEnd: subscription.currentPeriodEnd,
+      trialEnd: subscription.trialEnd,
+      // TODO(別Issue): FFID backend の session API (`/api/auth/session`) に
+      //   `pastDueSince` (ISO timestamp) を追加し、ここで渡す。現状は undefined
+      //   のため `computeEffectiveStatusFromSession` 内で currentPeriodEnd を
+      //   fallback に使う (Stripe は period end 近辺で past_due にする)。
+      //   Canonical な verdict が必要な consumer は `/ext/check` を直接呼ぶ。
+      pastDueSince: void 0
+    });
+  }, [subscription]);
+  const isGrace = effectiveStatus === "past_due_grace";
+  const isBlocked = effectiveStatus !== null && BLOCKING_STATUSES.includes(effectiveStatus);
+  const isTrialExpired = effectiveStatus === "trial_expired";
   const hasPlan = useCallback(
     (plans) => {
       if (!planCode) return false;
@@ -3091,6 +3264,10 @@ function useSubscription() {
     [planCode]
   );
   const hasAccess = useCallback(() => {
+    if (effectiveStatus === null) return false;
+    return ACCESS_GRANTING_STATUSES.includes(effectiveStatus);
+  }, [effectiveStatus]);
+  const hasAccessLegacy = useCallback(() => {
     if (isTrialExpired) return false;
     return isActive || isTrialing;
   }, [isActive, isTrialing, isTrialExpired]);
@@ -3101,8 +3278,12 @@ function useSubscription() {
     isTrialing,
     isTrialExpired,
     isCanceled,
+    effectiveStatus,
+    isBlocked,
+    isGrace,
     hasPlan,
-    hasAccess
+    hasAccess,
+    hasAccessLegacy
   };
 }
 function withSubscription(Component, options = {}) {
@@ -4325,4 +4506,4 @@ function FFIDInquiryForm({
   );
 }
 
-export { DEFAULT_API_BASE_URL, FFIDAnnouncementBadge, FFIDAnnouncementList, FFIDInquiryForm, FFIDLoginButton, FFIDOrganizationSwitcher, FFIDProvider, FFIDSDKError, FFIDSubscriptionBadge, FFIDUserMenu, FFID_ANNOUNCEMENTS_ERROR_CODES, FFID_INQUIRY_CATEGORIES, FFID_INQUIRY_CATEGORIES_SITE_2026, createFFIDAnnouncementsClient, createFFIDClient, createTokenStore, generateCodeChallenge, generateCodeVerifier, isFFIDInquiryCategorySite2026, normalizeRedirectUri, retrieveCodeVerifier, storeCodeVerifier, useFFID, useFFIDAnnouncements, useFFIDContext, useSubscription, withSubscription };
+export { DEFAULT_API_BASE_URL, FFIDAnnouncementBadge, FFIDAnnouncementList, FFIDInquiryForm, FFIDLoginButton, FFIDOrganizationSwitcher, FFIDProvider, FFIDSDKError, FFIDSubscriptionBadge, FFIDUserMenu, FFID_ANNOUNCEMENTS_ERROR_CODES, FFID_INQUIRY_CATEGORIES, FFID_INQUIRY_CATEGORIES_SITE_2026, computeEffectiveStatusFromSession, createFFIDAnnouncementsClient, createFFIDClient, createTokenStore, generateCodeChallenge, generateCodeVerifier, isFFIDInquiryCategorySite2026, normalizeRedirectUri, retrieveCodeVerifier, storeCodeVerifier, useFFID, useFFIDAnnouncements, useFFIDContext, useSubscription, withSubscription };