@fluid-app/portal-sdk 0.1.101 → 0.1.103

package/dist/{FluidProvider-CWYquEIF.mjs → FluidProvider-B59bzF__.mjs}

@@ -55,7 +55,7 @@ var ApiError$1 = class ApiError$1 extends Error {
 * Creates a configured fetch client instance
 */
 function createFetchClient(config) {
-	const { baseUrl, getAuthToken, onAuthError, defaultHeaders = {} } = config;
+	const { baseUrl, getAuthToken, onAuthError, defaultHeaders = {}, credentials } = config;
 	/**
 	* Build headers for a request
 	*/
@@ -144,6 +144,7 @@ function createFetchClient(config) {
 				method,
 				headers
 			};
+			if (credentials) fetchOptions.credentials = credentials;
 			const serializedBody = body && method !== "GET" ? JSON.stringify(body) : null;
 			if (serializedBody) fetchOptions.body = serializedBody;
 			if (signal) fetchOptions.signal = signal;
@@ -168,6 +169,7 @@ function createFetchClient(config) {
 				headers,
 				body: formData
 			};
+			if (credentials) fetchOptions.credentials = credentials;
 			if (signal) fetchOptions.signal = signal;
 			response = await fetch(url, fetchOptions);
 		} catch (networkError) {
@@ -1140,24 +1142,8 @@ const URL_PARAMS = {
 function isBrowser() {
 	return typeof window !== "undefined" && typeof document !== "undefined";
 }
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/runtime/webcrypto.js
-var webcrypto_default = crypto;
-const isCryptoKey = (key) => key instanceof CryptoKey;
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/lib/buffer_utils.js
-const encoder = new TextEncoder();
+new TextEncoder();
 const decoder = new TextDecoder();
-function concat(...buffers) {
-	const size = buffers.reduce((acc, { length }) => acc + length, 0);
-	const buf = new Uint8Array(size);
-	let i = 0;
-	for (const buffer of buffers) {
-		buf.set(buffer, i);
-		i += buffer.length;
-	}
-	return buf;
-}
 const decodeBase64 = (encoded) => {
 	const binary = atob(encoded);
 	const bytes = new Uint8Array(binary.length);
@@ -1298,128 +1284,6 @@ var JWSSignatureVerificationFailed = class extends JOSEError {
 };
 JWSSignatureVerificationFailed.code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
 //#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/lib/crypto_key.js
-function unusable(name, prop = "algorithm.name") {
-	return /* @__PURE__ */ new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
-}
-function isAlgorithm(algorithm, name) {
-	return algorithm.name === name;
-}
-function getHashLength(hash) {
-	return parseInt(hash.name.slice(4), 10);
-}
-function getNamedCurve(alg) {
-	switch (alg) {
-		case "ES256": return "P-256";
-		case "ES384": return "P-384";
-		case "ES512": return "P-521";
-		default: throw new Error("unreachable");
-	}
-}
-function checkUsage(key, usages) {
-	if (usages.length && !usages.some((expected) => key.usages.includes(expected))) {
-		let msg = "CryptoKey does not support this operation, its usages must include ";
-		if (usages.length > 2) {
-			const last = usages.pop();
-			msg += `one of ${usages.join(", ")}, or ${last}.`;
-		} else if (usages.length === 2) msg += `one of ${usages[0]} or ${usages[1]}.`;
-		else msg += `${usages[0]}.`;
-		throw new TypeError(msg);
-	}
-}
-function checkSigCryptoKey(key, alg, ...usages) {
-	switch (alg) {
-		case "HS256":
-		case "HS384":
-		case "HS512": {
-			if (!isAlgorithm(key.algorithm, "HMAC")) throw unusable("HMAC");
-			const expected = parseInt(alg.slice(2), 10);
-			if (getHashLength(key.algorithm.hash) !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash");
-			break;
-		}
-		case "RS256":
-		case "RS384":
-		case "RS512": {
-			if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5")) throw unusable("RSASSA-PKCS1-v1_5");
-			const expected = parseInt(alg.slice(2), 10);
-			if (getHashLength(key.algorithm.hash) !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash");
-			break;
-		}
-		case "PS256":
-		case "PS384":
-		case "PS512": {
-			if (!isAlgorithm(key.algorithm, "RSA-PSS")) throw unusable("RSA-PSS");
-			const expected = parseInt(alg.slice(2), 10);
-			if (getHashLength(key.algorithm.hash) !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash");
-			break;
-		}
-		case "EdDSA":
-			if (key.algorithm.name !== "Ed25519" && key.algorithm.name !== "Ed448") throw unusable("Ed25519 or Ed448");
-			break;
-		case "Ed25519":
-			if (!isAlgorithm(key.algorithm, "Ed25519")) throw unusable("Ed25519");
-			break;
-		case "ES256":
-		case "ES384":
-		case "ES512": {
-			if (!isAlgorithm(key.algorithm, "ECDSA")) throw unusable("ECDSA");
-			const expected = getNamedCurve(alg);
-			if (key.algorithm.namedCurve !== expected) throw unusable(expected, "algorithm.namedCurve");
-			break;
-		}
-		default: throw new TypeError("CryptoKey does not support this operation");
-	}
-	checkUsage(key, usages);
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/lib/invalid_key_input.js
-function message(msg, actual, ...types) {
-	types = types.filter(Boolean);
-	if (types.length > 2) {
-		const last = types.pop();
-		msg += `one of type ${types.join(", ")}, or ${last}.`;
-	} else if (types.length === 2) msg += `one of type ${types[0]} or ${types[1]}.`;
-	else msg += `of type ${types[0]}.`;
-	if (actual == null) msg += ` Received ${actual}`;
-	else if (typeof actual === "function" && actual.name) msg += ` Received function ${actual.name}`;
-	else if (typeof actual === "object" && actual != null) {
-		if (actual.constructor?.name) msg += ` Received an instance of ${actual.constructor.name}`;
-	}
-	return msg;
-}
-var invalid_key_input_default = (actual, ...types) => {
-	return message("Key must be ", actual, ...types);
-};
-function withAlg(alg, actual, ...types) {
-	return message(`Key for the ${alg} algorithm must be `, actual, ...types);
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/runtime/is_key_like.js
-var is_key_like_default = (key) => {
-	if (isCryptoKey(key)) return true;
-	return key?.[Symbol.toStringTag] === "KeyObject";
-};
-const types = ["CryptoKey"];
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/lib/is_disjoint.js
-const isDisjoint = (...headers) => {
-	const sources = headers.filter(Boolean);
-	if (sources.length === 0 || sources.length === 1) return true;
-	let acc;
-	for (const header of sources) {
-		const parameters = Object.keys(header);
-		if (!acc || acc.size === 0) {
-			acc = new Set(parameters);
-			continue;
-		}
-		for (const parameter of parameters) {
-			if (acc.has(parameter)) return false;
-			acc.add(parameter);
-		}
-	}
-	return true;
-};
-//#endregion
 //#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/lib/is_object.js
 function isObjectLike(value) {
 	return typeof value === "object" && value !== null;
@@ -1431,802 +1295,6 @@ function isObject(input) {
 	while (Object.getPrototypeOf(proto) !== null) proto = Object.getPrototypeOf(proto);
 	return Object.getPrototypeOf(input) === proto;
 }
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/runtime/check_key_length.js
-var check_key_length_default = (alg, key) => {
-	if (alg.startsWith("RS") || alg.startsWith("PS")) {
-		const { modulusLength } = key.algorithm;
-		if (typeof modulusLength !== "number" || modulusLength < 2048) throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
-	}
-};
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/lib/is_jwk.js
-function isJWK(key) {
-	return isObject(key) && typeof key.kty === "string";
-}
-function isPrivateJWK(key) {
-	return key.kty !== "oct" && typeof key.d === "string";
-}
-function isPublicJWK(key) {
-	return key.kty !== "oct" && typeof key.d === "undefined";
-}
-function isSecretJWK(key) {
-	return isJWK(key) && key.kty === "oct" && typeof key.k === "string";
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/runtime/jwk_to_key.js
-function subtleMapping(jwk) {
-	let algorithm;
-	let keyUsages;
-	switch (jwk.kty) {
-		case "RSA":
-			switch (jwk.alg) {
-				case "PS256":
-				case "PS384":
-				case "PS512":
-					algorithm = {
-						name: "RSA-PSS",
-						hash: `SHA-${jwk.alg.slice(-3)}`
-					};
-					keyUsages = jwk.d ? ["sign"] : ["verify"];
-					break;
-				case "RS256":
-				case "RS384":
-				case "RS512":
-					algorithm = {
-						name: "RSASSA-PKCS1-v1_5",
-						hash: `SHA-${jwk.alg.slice(-3)}`
-					};
-					keyUsages = jwk.d ? ["sign"] : ["verify"];
-					break;
-				case "RSA-OAEP":
-				case "RSA-OAEP-256":
-				case "RSA-OAEP-384":
-				case "RSA-OAEP-512":
-					algorithm = {
-						name: "RSA-OAEP",
-						hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`
-					};
-					keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
-					break;
-				default: throw new JOSENotSupported("Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value");
-			}
-			break;
-		case "EC":
-			switch (jwk.alg) {
-				case "ES256":
-					algorithm = {
-						name: "ECDSA",
-						namedCurve: "P-256"
-					};
-					keyUsages = jwk.d ? ["sign"] : ["verify"];
-					break;
-				case "ES384":
-					algorithm = {
-						name: "ECDSA",
-						namedCurve: "P-384"
-					};
-					keyUsages = jwk.d ? ["sign"] : ["verify"];
-					break;
-				case "ES512":
-					algorithm = {
-						name: "ECDSA",
-						namedCurve: "P-521"
-					};
-					keyUsages = jwk.d ? ["sign"] : ["verify"];
-					break;
-				case "ECDH-ES":
-				case "ECDH-ES+A128KW":
-				case "ECDH-ES+A192KW":
-				case "ECDH-ES+A256KW":
-					algorithm = {
-						name: "ECDH",
-						namedCurve: jwk.crv
-					};
-					keyUsages = jwk.d ? ["deriveBits"] : [];
-					break;
-				default: throw new JOSENotSupported("Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value");
-			}
-			break;
-		case "OKP":
-			switch (jwk.alg) {
-				case "Ed25519":
-					algorithm = { name: "Ed25519" };
-					keyUsages = jwk.d ? ["sign"] : ["verify"];
-					break;
-				case "EdDSA":
-					algorithm = { name: jwk.crv };
-					keyUsages = jwk.d ? ["sign"] : ["verify"];
-					break;
-				case "ECDH-ES":
-				case "ECDH-ES+A128KW":
-				case "ECDH-ES+A192KW":
-				case "ECDH-ES+A256KW":
-					algorithm = { name: jwk.crv };
-					keyUsages = jwk.d ? ["deriveBits"] : [];
-					break;
-				default: throw new JOSENotSupported("Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value");
-			}
-			break;
-		default: throw new JOSENotSupported("Invalid or unsupported JWK \"kty\" (Key Type) Parameter value");
-	}
-	return {
-		algorithm,
-		keyUsages
-	};
-}
-const parse = async (jwk) => {
-	if (!jwk.alg) throw new TypeError("\"alg\" argument is required when \"jwk.alg\" is not present");
-	const { algorithm, keyUsages } = subtleMapping(jwk);
-	const rest = [
-		algorithm,
-		jwk.ext ?? false,
-		jwk.key_ops ?? keyUsages
-	];
-	const keyData = { ...jwk };
-	delete keyData.alg;
-	delete keyData.use;
-	return webcrypto_default.subtle.importKey("jwk", keyData, ...rest);
-};
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/runtime/normalize_key.js
-const exportKeyValue = (k) => decode$1(k);
-let privCache;
-let pubCache;
-const isKeyObject = (key) => {
-	return key?.[Symbol.toStringTag] === "KeyObject";
-};
-const importAndCache = async (cache, key, jwk, alg, freeze = false) => {
-	let cached = cache.get(key);
-	if (cached?.[alg]) return cached[alg];
-	const cryptoKey = await parse({
-		...jwk,
-		alg
-	});
-	if (freeze) Object.freeze(key);
-	if (!cached) cache.set(key, { [alg]: cryptoKey });
-	else cached[alg] = cryptoKey;
-	return cryptoKey;
-};
-const normalizePublicKey = (key, alg) => {
-	if (isKeyObject(key)) {
-		let jwk = key.export({ format: "jwk" });
-		delete jwk.d;
-		delete jwk.dp;
-		delete jwk.dq;
-		delete jwk.p;
-		delete jwk.q;
-		delete jwk.qi;
-		if (jwk.k) return exportKeyValue(jwk.k);
-		pubCache || (pubCache = /* @__PURE__ */ new WeakMap());
-		return importAndCache(pubCache, key, jwk, alg);
-	}
-	if (isJWK(key)) {
-		if (key.k) return decode$1(key.k);
-		pubCache || (pubCache = /* @__PURE__ */ new WeakMap());
-		return importAndCache(pubCache, key, key, alg, true);
-	}
-	return key;
-};
-const normalizePrivateKey = (key, alg) => {
-	if (isKeyObject(key)) {
-		let jwk = key.export({ format: "jwk" });
-		if (jwk.k) return exportKeyValue(jwk.k);
-		privCache || (privCache = /* @__PURE__ */ new WeakMap());
-		return importAndCache(privCache, key, jwk, alg);
-	}
-	if (isJWK(key)) {
-		if (key.k) return decode$1(key.k);
-		privCache || (privCache = /* @__PURE__ */ new WeakMap());
-		return importAndCache(privCache, key, key, alg, true);
-	}
-	return key;
-};
-var normalize_key_default = {
-	normalizePublicKey,
-	normalizePrivateKey
-};
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/key/import.js
-async function importJWK(jwk, alg) {
-	if (!isObject(jwk)) throw new TypeError("JWK must be an object");
-	alg || (alg = jwk.alg);
-	switch (jwk.kty) {
-		case "oct":
-			if (typeof jwk.k !== "string" || !jwk.k) throw new TypeError("missing \"k\" (Key Value) Parameter value");
-			return decode$1(jwk.k);
-		case "RSA": if ("oth" in jwk && jwk.oth !== void 0) throw new JOSENotSupported("RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported");
-		case "EC":
-		case "OKP": return parse({
-			...jwk,
-			alg
-		});
-		default: throw new JOSENotSupported("Unsupported \"kty\" (Key Type) Parameter value");
-	}
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/lib/check_key_type.js
-const tag = (key) => key?.[Symbol.toStringTag];
-const jwkMatchesOp = (alg, key, usage) => {
-	if (key.use !== void 0 && key.use !== "sig") throw new TypeError("Invalid key for this operation, when present its use must be sig");
-	if (key.key_ops !== void 0 && key.key_ops.includes?.(usage) !== true) throw new TypeError(`Invalid key for this operation, when present its key_ops must include ${usage}`);
-	if (key.alg !== void 0 && key.alg !== alg) throw new TypeError(`Invalid key for this operation, when present its alg must be ${alg}`);
-	return true;
-};
-const symmetricTypeCheck = (alg, key, usage, allowJwk) => {
-	if (key instanceof Uint8Array) return;
-	if (allowJwk && isJWK(key)) {
-		if (isSecretJWK(key) && jwkMatchesOp(alg, key, usage)) return;
-		throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`);
-	}
-	if (!is_key_like_default(key)) throw new TypeError(withAlg(alg, key, ...types, "Uint8Array", allowJwk ? "JSON Web Key" : null));
-	if (key.type !== "secret") throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`);
-};
-const asymmetricTypeCheck = (alg, key, usage, allowJwk) => {
-	if (allowJwk && isJWK(key)) switch (usage) {
-		case "sign":
-			if (isPrivateJWK(key) && jwkMatchesOp(alg, key, usage)) return;
-			throw new TypeError(`JSON Web Key for this operation be a private JWK`);
-		case "verify":
-			if (isPublicJWK(key) && jwkMatchesOp(alg, key, usage)) return;
-			throw new TypeError(`JSON Web Key for this operation be a public JWK`);
-	}
-	if (!is_key_like_default(key)) throw new TypeError(withAlg(alg, key, ...types, allowJwk ? "JSON Web Key" : null));
-	if (key.type === "secret") throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type "secret"`);
-	if (usage === "sign" && key.type === "public") throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type "private"`);
-	if (usage === "decrypt" && key.type === "public") throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type "private"`);
-	if (key.algorithm && usage === "verify" && key.type === "private") throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type "public"`);
-	if (key.algorithm && usage === "encrypt" && key.type === "private") throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type "public"`);
-};
-function checkKeyType(allowJwk, alg, key, usage) {
-	if (alg.startsWith("HS") || alg === "dir" || alg.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(alg)) symmetricTypeCheck(alg, key, usage, allowJwk);
-	else asymmetricTypeCheck(alg, key, usage, allowJwk);
-}
-checkKeyType.bind(void 0, false);
-const checkKeyTypeWithJwk = checkKeyType.bind(void 0, true);
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/lib/validate_crit.js
-function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-	if (joseHeader.crit !== void 0 && protectedHeader?.crit === void 0) throw new Err("\"crit\" (Critical) Header Parameter MUST be integrity protected");
-	if (!protectedHeader || protectedHeader.crit === void 0) return /* @__PURE__ */ new Set();
-	if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) throw new Err("\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present");
-	let recognized;
-	if (recognizedOption !== void 0) recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
-	else recognized = recognizedDefault;
-	for (const parameter of protectedHeader.crit) {
-		if (!recognized.has(parameter)) throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
-		if (joseHeader[parameter] === void 0) throw new Err(`Extension Header Parameter "${parameter}" is missing`);
-		if (recognized.get(parameter) && protectedHeader[parameter] === void 0) throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
-	}
-	return new Set(protectedHeader.crit);
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/lib/validate_algorithms.js
-const validateAlgorithms = (option, algorithms) => {
-	if (algorithms !== void 0 && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) throw new TypeError(`"${option}" option must be an array of strings`);
-	if (!algorithms) return;
-	return new Set(algorithms);
-};
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/runtime/subtle_dsa.js
-function subtleDsa(alg, algorithm) {
-	const hash = `SHA-${alg.slice(-3)}`;
-	switch (alg) {
-		case "HS256":
-		case "HS384":
-		case "HS512": return {
-			hash,
-			name: "HMAC"
-		};
-		case "PS256":
-		case "PS384":
-		case "PS512": return {
-			hash,
-			name: "RSA-PSS",
-			saltLength: alg.slice(-3) >> 3
-		};
-		case "RS256":
-		case "RS384":
-		case "RS512": return {
-			hash,
-			name: "RSASSA-PKCS1-v1_5"
-		};
-		case "ES256":
-		case "ES384":
-		case "ES512": return {
-			hash,
-			name: "ECDSA",
-			namedCurve: algorithm.namedCurve
-		};
-		case "Ed25519": return { name: "Ed25519" };
-		case "EdDSA": return { name: algorithm.name };
-		default: throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-	}
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/runtime/get_sign_verify_key.js
-async function getCryptoKey(alg, key, usage) {
-	if (usage === "sign") key = await normalize_key_default.normalizePrivateKey(key, alg);
-	if (usage === "verify") key = await normalize_key_default.normalizePublicKey(key, alg);
-	if (isCryptoKey(key)) {
-		checkSigCryptoKey(key, alg, usage);
-		return key;
-	}
-	if (key instanceof Uint8Array) {
-		if (!alg.startsWith("HS")) throw new TypeError(invalid_key_input_default(key, ...types));
-		return webcrypto_default.subtle.importKey("raw", key, {
-			hash: `SHA-${alg.slice(-3)}`,
-			name: "HMAC"
-		}, false, [usage]);
-	}
-	throw new TypeError(invalid_key_input_default(key, ...types, "Uint8Array", "JSON Web Key"));
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/runtime/verify.js
-const verify = async (alg, key, signature, data) => {
-	const cryptoKey = await getCryptoKey(alg, key, "verify");
-	check_key_length_default(alg, cryptoKey);
-	const algorithm = subtleDsa(alg, cryptoKey.algorithm);
-	try {
-		return await webcrypto_default.subtle.verify(algorithm, cryptoKey, signature, data);
-	} catch {
-		return false;
-	}
-};
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/jws/flattened/verify.js
-async function flattenedVerify(jws, key, options) {
-	if (!isObject(jws)) throw new JWSInvalid("Flattened JWS must be an object");
-	if (jws.protected === void 0 && jws.header === void 0) throw new JWSInvalid("Flattened JWS must have either of the \"protected\" or \"header\" members");
-	if (jws.protected !== void 0 && typeof jws.protected !== "string") throw new JWSInvalid("JWS Protected Header incorrect type");
-	if (jws.payload === void 0) throw new JWSInvalid("JWS Payload missing");
-	if (typeof jws.signature !== "string") throw new JWSInvalid("JWS Signature missing or incorrect type");
-	if (jws.header !== void 0 && !isObject(jws.header)) throw new JWSInvalid("JWS Unprotected Header incorrect type");
-	let parsedProt = {};
-	if (jws.protected) try {
-		const protectedHeader = decode$1(jws.protected);
-		parsedProt = JSON.parse(decoder.decode(protectedHeader));
-	} catch {
-		throw new JWSInvalid("JWS Protected Header is invalid");
-	}
-	if (!isDisjoint(parsedProt, jws.header)) throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
-	const joseHeader = {
-		...parsedProt,
-		...jws.header
-	};
-	const extensions = validateCrit(JWSInvalid, new Map([["b64", true]]), options?.crit, parsedProt, joseHeader);
-	let b64 = true;
-	if (extensions.has("b64")) {
-		b64 = parsedProt.b64;
-		if (typeof b64 !== "boolean") throw new JWSInvalid("The \"b64\" (base64url-encode payload) Header Parameter must be a boolean");
-	}
-	const { alg } = joseHeader;
-	if (typeof alg !== "string" || !alg) throw new JWSInvalid("JWS \"alg\" (Algorithm) Header Parameter missing or invalid");
-	const algorithms = options && validateAlgorithms("algorithms", options.algorithms);
-	if (algorithms && !algorithms.has(alg)) throw new JOSEAlgNotAllowed("\"alg\" (Algorithm) Header Parameter value not allowed");
-	if (b64) {
-		if (typeof jws.payload !== "string") throw new JWSInvalid("JWS Payload must be a string");
-	} else if (typeof jws.payload !== "string" && !(jws.payload instanceof Uint8Array)) throw new JWSInvalid("JWS Payload must be a string or an Uint8Array instance");
-	let resolvedKey = false;
-	if (typeof key === "function") {
-		key = await key(parsedProt, jws);
-		resolvedKey = true;
-		checkKeyTypeWithJwk(alg, key, "verify");
-		if (isJWK(key)) key = await importJWK(key, alg);
-	} else checkKeyTypeWithJwk(alg, key, "verify");
-	const data = concat(encoder.encode(jws.protected ?? ""), encoder.encode("."), typeof jws.payload === "string" ? encoder.encode(jws.payload) : jws.payload);
-	let signature;
-	try {
-		signature = decode$1(jws.signature);
-	} catch {
-		throw new JWSInvalid("Failed to base64url decode the signature");
-	}
-	if (!await verify(alg, key, signature, data)) throw new JWSSignatureVerificationFailed();
-	let payload;
-	if (b64) try {
-		payload = decode$1(jws.payload);
-	} catch {
-		throw new JWSInvalid("Failed to base64url decode the payload");
-	}
-	else if (typeof jws.payload === "string") payload = encoder.encode(jws.payload);
-	else payload = jws.payload;
-	const result = { payload };
-	if (jws.protected !== void 0) result.protectedHeader = parsedProt;
-	if (jws.header !== void 0) result.unprotectedHeader = jws.header;
-	if (resolvedKey) return {
-		...result,
-		key
-	};
-	return result;
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/jws/compact/verify.js
-async function compactVerify(jws, key, options) {
-	if (jws instanceof Uint8Array) jws = decoder.decode(jws);
-	if (typeof jws !== "string") throw new JWSInvalid("Compact JWS must be a string or Uint8Array");
-	const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split(".");
-	if (length !== 3) throw new JWSInvalid("Invalid Compact JWS");
-	const verified = await flattenedVerify({
-		payload,
-		protected: protectedHeader,
-		signature
-	}, key, options);
-	const result = {
-		payload: verified.payload,
-		protectedHeader: verified.protectedHeader
-	};
-	if (typeof key === "function") return {
-		...result,
-		key: verified.key
-	};
-	return result;
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/lib/epoch.js
-var epoch_default = (date) => Math.floor(date.getTime() / 1e3);
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/lib/secs.js
-const minute = 60;
-const hour = minute * 60;
-const day = hour * 24;
-const week = day * 7;
-const year = day * 365.25;
-const REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
-var secs_default = (str) => {
-	const matched = REGEX.exec(str);
-	if (!matched || matched[4] && matched[1]) throw new TypeError("Invalid time period format");
-	const value = parseFloat(matched[2]);
-	const unit = matched[3].toLowerCase();
-	let numericDate;
-	switch (unit) {
-		case "sec":
-		case "secs":
-		case "second":
-		case "seconds":
-		case "s":
-			numericDate = Math.round(value);
-			break;
-		case "minute":
-		case "minutes":
-		case "min":
-		case "mins":
-		case "m":
-			numericDate = Math.round(value * minute);
-			break;
-		case "hour":
-		case "hours":
-		case "hr":
-		case "hrs":
-		case "h":
-			numericDate = Math.round(value * hour);
-			break;
-		case "day":
-		case "days":
-		case "d":
-			numericDate = Math.round(value * day);
-			break;
-		case "week":
-		case "weeks":
-		case "w":
-			numericDate = Math.round(value * week);
-			break;
-		default:
-			numericDate = Math.round(value * year);
-			break;
-	}
-	if (matched[1] === "-" || matched[4] === "ago") return -numericDate;
-	return numericDate;
-};
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/lib/jwt_claims_set.js
-const normalizeTyp = (value) => value.toLowerCase().replace(/^application\//, "");
-const checkAudiencePresence = (audPayload, audOption) => {
-	if (typeof audPayload === "string") return audOption.includes(audPayload);
-	if (Array.isArray(audPayload)) return audOption.some(Set.prototype.has.bind(new Set(audPayload)));
-	return false;
-};
-var jwt_claims_set_default = (protectedHeader, encodedPayload, options = {}) => {
-	let payload;
-	try {
-		payload = JSON.parse(decoder.decode(encodedPayload));
-	} catch {}
-	if (!isObject(payload)) throw new JWTInvalid("JWT Claims Set must be a top-level JSON object");
-	const { typ } = options;
-	if (typ && (typeof protectedHeader.typ !== "string" || normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) throw new JWTClaimValidationFailed("unexpected \"typ\" JWT header value", payload, "typ", "check_failed");
-	const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;
-	const presenceCheck = [...requiredClaims];
-	if (maxTokenAge !== void 0) presenceCheck.push("iat");
-	if (audience !== void 0) presenceCheck.push("aud");
-	if (subject !== void 0) presenceCheck.push("sub");
-	if (issuer !== void 0) presenceCheck.push("iss");
-	for (const claim of new Set(presenceCheck.reverse())) if (!(claim in payload)) throw new JWTClaimValidationFailed(`missing required "${claim}" claim`, payload, claim, "missing");
-	if (issuer && !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) throw new JWTClaimValidationFailed("unexpected \"iss\" claim value", payload, "iss", "check_failed");
-	if (subject && payload.sub !== subject) throw new JWTClaimValidationFailed("unexpected \"sub\" claim value", payload, "sub", "check_failed");
-	if (audience && !checkAudiencePresence(payload.aud, typeof audience === "string" ? [audience] : audience)) throw new JWTClaimValidationFailed("unexpected \"aud\" claim value", payload, "aud", "check_failed");
-	let tolerance;
-	switch (typeof options.clockTolerance) {
-		case "string":
-			tolerance = secs_default(options.clockTolerance);
-			break;
-		case "number":
-			tolerance = options.clockTolerance;
-			break;
-		case "undefined":
-			tolerance = 0;
-			break;
-		default: throw new TypeError("Invalid clockTolerance option type");
-	}
-	const { currentDate } = options;
-	const now = epoch_default(currentDate || /* @__PURE__ */ new Date());
-	if ((payload.iat !== void 0 || maxTokenAge) && typeof payload.iat !== "number") throw new JWTClaimValidationFailed("\"iat\" claim must be a number", payload, "iat", "invalid");
-	if (payload.nbf !== void 0) {
-		if (typeof payload.nbf !== "number") throw new JWTClaimValidationFailed("\"nbf\" claim must be a number", payload, "nbf", "invalid");
-		if (payload.nbf > now + tolerance) throw new JWTClaimValidationFailed("\"nbf\" claim timestamp check failed", payload, "nbf", "check_failed");
-	}
-	if (payload.exp !== void 0) {
-		if (typeof payload.exp !== "number") throw new JWTClaimValidationFailed("\"exp\" claim must be a number", payload, "exp", "invalid");
-		if (payload.exp <= now - tolerance) throw new JWTExpired("\"exp\" claim timestamp check failed", payload, "exp", "check_failed");
-	}
-	if (maxTokenAge) {
-		const age = now - payload.iat;
-		const max = typeof maxTokenAge === "number" ? maxTokenAge : secs_default(maxTokenAge);
-		if (age - tolerance > max) throw new JWTExpired("\"iat\" claim timestamp check failed (too far in the past)", payload, "iat", "check_failed");
-		if (age < 0 - tolerance) throw new JWTClaimValidationFailed("\"iat\" claim timestamp check failed (it should be in the past)", payload, "iat", "check_failed");
-	}
-	return payload;
-};
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/jwt/verify.js
-async function jwtVerify(jwt, key, options) {
-	const verified = await compactVerify(jwt, key, options);
-	if (verified.protectedHeader.crit?.includes("b64") && verified.protectedHeader.b64 === false) throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
-	const result = {
-		payload: jwt_claims_set_default(verified.protectedHeader, verified.payload, options),
-		protectedHeader: verified.protectedHeader
-	};
-	if (typeof key === "function") return {
-		...result,
-		key: verified.key
-	};
-	return result;
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/jwks/local.js
-function getKtyFromAlg(alg) {
-	switch (typeof alg === "string" && alg.slice(0, 2)) {
-		case "RS":
-		case "PS": return "RSA";
-		case "ES": return "EC";
-		case "Ed": return "OKP";
-		default: throw new JOSENotSupported("Unsupported \"alg\" value for a JSON Web Key Set");
-	}
-}
-function isJWKSLike(jwks) {
-	return jwks && typeof jwks === "object" && Array.isArray(jwks.keys) && jwks.keys.every(isJWKLike);
-}
-function isJWKLike(key) {
-	return isObject(key);
-}
-function clone(obj) {
-	if (typeof structuredClone === "function") return structuredClone(obj);
-	return JSON.parse(JSON.stringify(obj));
-}
-var LocalJWKSet = class {
-	constructor(jwks) {
-		this._cached = /* @__PURE__ */ new WeakMap();
-		if (!isJWKSLike(jwks)) throw new JWKSInvalid("JSON Web Key Set malformed");
-		this._jwks = clone(jwks);
-	}
-	async getKey(protectedHeader, token) {
-		const { alg, kid } = {
-			...protectedHeader,
-			...token?.header
-		};
-		const kty = getKtyFromAlg(alg);
-		const candidates = this._jwks.keys.filter((jwk) => {
-			let candidate = kty === jwk.kty;
-			if (candidate && typeof kid === "string") candidate = kid === jwk.kid;
-			if (candidate && typeof jwk.alg === "string") candidate = alg === jwk.alg;
-			if (candidate && typeof jwk.use === "string") candidate = jwk.use === "sig";
-			if (candidate && Array.isArray(jwk.key_ops)) candidate = jwk.key_ops.includes("verify");
-			if (candidate) switch (alg) {
-				case "ES256":
-					candidate = jwk.crv === "P-256";
-					break;
-				case "ES256K":
-					candidate = jwk.crv === "secp256k1";
-					break;
-				case "ES384":
-					candidate = jwk.crv === "P-384";
-					break;
-				case "ES512":
-					candidate = jwk.crv === "P-521";
-					break;
-				case "Ed25519":
-					candidate = jwk.crv === "Ed25519";
-					break;
-				case "EdDSA":
-					candidate = jwk.crv === "Ed25519" || jwk.crv === "Ed448";
-					break;
-			}
-			return candidate;
-		});
-		const { 0: jwk, length } = candidates;
-		if (length === 0) throw new JWKSNoMatchingKey();
-		if (length !== 1) {
-			const error = new JWKSMultipleMatchingKeys();
-			const { _cached } = this;
-			error[Symbol.asyncIterator] = async function* () {
-				for (const jwk of candidates) try {
-					yield await importWithAlgCache(_cached, jwk, alg);
-				} catch {}
-			};
-			throw error;
-		}
-		return importWithAlgCache(this._cached, jwk, alg);
-	}
-};
-async function importWithAlgCache(cache, jwk, alg) {
-	const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);
-	if (cached[alg] === void 0) {
-		const key = await importJWK({
-			...jwk,
-			ext: true
-		}, alg);
-		if (key instanceof Uint8Array || key.type !== "public") throw new JWKSInvalid("JSON Web Key Set members must be public keys");
-		cached[alg] = key;
-	}
-	return cached[alg];
-}
-function createLocalJWKSet(jwks) {
-	const set = new LocalJWKSet(jwks);
-	const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
-	Object.defineProperties(localJWKSet, { jwks: {
-		value: () => clone(set._jwks),
-		enumerable: true,
-		configurable: false,
-		writable: false
-	} });
-	return localJWKSet;
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/runtime/fetch_jwks.js
-const fetchJwks = async (url, timeout, options) => {
-	let controller;
-	let id;
-	let timedOut = false;
-	if (typeof AbortController === "function") {
-		controller = new AbortController();
-		id = setTimeout(() => {
-			timedOut = true;
-			controller.abort();
-		}, timeout);
-	}
-	const response = await fetch(url.href, {
-		signal: controller ? controller.signal : void 0,
-		redirect: "manual",
-		headers: options.headers
-	}).catch((err) => {
-		if (timedOut) throw new JWKSTimeout();
-		throw err;
-	});
-	if (id !== void 0) clearTimeout(id);
-	if (response.status !== 200) throw new JOSEError("Expected 200 OK from the JSON Web Key Set HTTP response");
-	try {
-		return await response.json();
-	} catch {
-		throw new JOSEError("Failed to parse the JSON Web Key Set HTTP response as JSON");
-	}
-};
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/jwks/remote.js
-function isCloudflareWorkers() {
-	return typeof WebSocketPair !== "undefined" || typeof navigator !== "undefined" && navigator.userAgent === "Cloudflare-Workers" || typeof EdgeRuntime !== "undefined" && EdgeRuntime === "vercel";
-}
-let USER_AGENT;
-if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) USER_AGENT = `jose/v5.10.0`;
-const jwksCache = Symbol();
-function isFreshJwksCache(input, cacheMaxAge) {
-	if (typeof input !== "object" || input === null) return false;
-	if (!("uat" in input) || typeof input.uat !== "number" || Date.now() - input.uat >= cacheMaxAge) return false;
-	if (!("jwks" in input) || !isObject(input.jwks) || !Array.isArray(input.jwks.keys) || !Array.prototype.every.call(input.jwks.keys, isObject)) return false;
-	return true;
-}
-var RemoteJWKSet = class {
-	constructor(url, options) {
-		if (!(url instanceof URL)) throw new TypeError("url must be an instance of URL");
-		this._url = new URL(url.href);
-		this._options = {
-			agent: options?.agent,
-			headers: options?.headers
-		};
-		this._timeoutDuration = typeof options?.timeoutDuration === "number" ? options?.timeoutDuration : 5e3;
-		this._cooldownDuration = typeof options?.cooldownDuration === "number" ? options?.cooldownDuration : 3e4;
-		this._cacheMaxAge = typeof options?.cacheMaxAge === "number" ? options?.cacheMaxAge : 6e5;
-		if (options?.[jwksCache] !== void 0) {
-			this._cache = options?.[jwksCache];
-			if (isFreshJwksCache(options?.[jwksCache], this._cacheMaxAge)) {
-				this._jwksTimestamp = this._cache.uat;
-				this._local = createLocalJWKSet(this._cache.jwks);
-			}
-		}
-	}
-	coolingDown() {
-		return typeof this._jwksTimestamp === "number" ? Date.now() < this._jwksTimestamp + this._cooldownDuration : false;
-	}
-	fresh() {
-		return typeof this._jwksTimestamp === "number" ? Date.now() < this._jwksTimestamp + this._cacheMaxAge : false;
-	}
-	async getKey(protectedHeader, token) {
-		if (!this._local || !this.fresh()) await this.reload();
-		try {
-			return await this._local(protectedHeader, token);
-		} catch (err) {
-			if (err instanceof JWKSNoMatchingKey) {
-				if (this.coolingDown() === false) {
-					await this.reload();
-					return this._local(protectedHeader, token);
-				}
-			}
-			throw err;
-		}
-	}
-	async reload() {
-		if (this._pendingFetch && isCloudflareWorkers()) this._pendingFetch = void 0;
-		const headers = new Headers(this._options.headers);
-		if (USER_AGENT && !headers.has("User-Agent")) {
-			headers.set("User-Agent", USER_AGENT);
-			this._options.headers = Object.fromEntries(headers.entries());
-		}
-		this._pendingFetch || (this._pendingFetch = fetchJwks(this._url, this._timeoutDuration, this._options).then((json) => {
-			this._local = createLocalJWKSet(json);
-			if (this._cache) {
-				this._cache.uat = Date.now();
-				this._cache.jwks = json;
-			}
-			this._jwksTimestamp = Date.now();
-			this._pendingFetch = void 0;
-		}).catch((err) => {
-			this._pendingFetch = void 0;
-			throw err;
-		}));
-		await this._pendingFetch;
-	}
-};
-function createRemoteJWKSet(url, options) {
-	const set = new RemoteJWKSet(url, options);
-	const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
-	Object.defineProperties(remoteJWKSet, {
-		coolingDown: {
-			get: () => set.coolingDown(),
-			enumerable: true,
-			configurable: false
-		},
-		fresh: {
-			get: () => set.fresh(),
-			enumerable: true,
-			configurable: false
-		},
-		reload: {
-			value: () => set.reload(),
-			enumerable: true,
-			configurable: false,
-			writable: false
-		},
-		reloading: {
-			get: () => !!set._pendingFetch,
-			enumerable: true,
-			configurable: false
-		},
-		jwks: {
-			value: () => set._local?.jwks(),
-			enumerable: true,
-			configurable: false,
-			writable: false
-		}
-	});
-	return remoteJWKSet;
-}
 const decode = decode$1;
 //#endregion
 //#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/browser/util/decode_jwt.js
@@ -2393,25 +1461,6 @@ function getTokenTimeRemaining(token) {
 		return 0;
 	}
 }
-/**
-* Verify a JWT token's signature using a JWKS endpoint and extract its payload.
-*
-* Unlike {@link decodeToken}, this function cryptographically verifies
-* that the token was signed by a trusted key.
-*
-* @param token - The JWT token string
-* @param jwksUrl - URL of the JWKS endpoint
-* @returns The verified JWT payload, or null if verification fails
-*/
-async function verifyToken(token, jwksUrl) {
-	try {
-		const { payload } = await jwtVerify(token, createRemoteJWKSet(new URL(jwksUrl)));
-		return extractPayloadFromJose(payload);
-	} catch (error) {
-		console.error("[FluidAuth] JWT signature verification failed:", error);
-		return null;
-	}
-}
 //#endregion
 //#region ../../platform/auth/src/token-storage.ts
 /**
@@ -2630,36 +1679,6 @@ function extractAllTokensFromUrl(userTokenKey = URL_PARAMS.USER_TOKEN, companyTo
 		};
 	}
 }
-//#endregion
-//#region ../../platform/auth/src/dev-utils.ts
-/**
-* Check if dev bypass should be active.
-* Requires both the config flag AND Vite dev mode.
-*/
-function isDevBypassActive(devBypass) {
-	if (!devBypass) return false;
-	try {
-		return import.meta.env?.DEV === true;
-	} catch {
-		return false;
-	}
-}
-/**
-* Create a synthetic dev user for local development.
-* This user has realistic data for UI rendering but no real auth.
-*/
-function createDevUser() {
-	return {
-		id: 99999,
-		email: "dev@localhost",
-		full_name: "Dev User",
-		user_type: USER_TYPES.rep,
-		og_user_type: void 0,
-		company_id: 99999,
-		exp: void 0,
-		auth_type: "dev_bypass"
-	};
-}
 z.object({
 	id: z.number(),
 	name: z.string(),
@@ -2747,17 +1766,6 @@ function createDefaultAuthRedirect(authUrl) {
 		window.location.href = `${base}/?redirect_url=${currentUrl}`;
 	};
 }
-/**
-* Resolves the effective auth failure handler.
-* Returns the custom callback if provided, otherwise creates a default redirect.
-*
-* @param onAuthFailure - Custom callback from user config
-* @param authUrl - Custom auth URL (only used when creating the default redirect)
-* @returns The resolved handler function
-*/
-function resolveAuthFailureHandler(onAuthFailure, authUrl) {
-	return onAuthFailure ?? createDefaultAuthRedirect(authUrl);
-}
 //#endregion
 //#region ../core/src/theme/types.ts
 const SEMANTIC_COLOR_NAMES = [
@@ -3718,6 +2726,13 @@ function extractErrorMessage(data, fallback) {
 	return fallback;
 }
 /**
+* Type guard to detect whether a parsed JSON value is an API envelope.
+* Envelopes always have numeric `status` and a `data` key.
+*/
+function isApiEnvelope(value) {
+	return typeof value === "object" && value !== null && "status" in value && typeof value.status === "number" && "data" in value;
+}
+/**
 * Creates a configured Fluid API client instance
 */
 function createFluidClient(config) {
@@ -3727,22 +2742,19 @@ function createFluidClient(config) {
 		baseUrl,
 		...getAuthToken ? { getAuthToken } : {},
 		onAuthError: effectiveOnAuthError,
-		defaultHeaders
+		defaultHeaders,
+		credentials: "include"
 	});
 	/**
-	* Build headers for a request
+	* Build headers for a request.
+	* Auth is handled by session cookies via `credentials: 'include'` on fetch calls.
 	*/
-	async function buildHeaders(customHeaders) {
-		const headers = {
+	function buildHeaders(customHeaders) {
+		return {
 			"Content-Type": "application/json",
 			...defaultHeaders,
 			...customHeaders
 		};
-		if (getAuthToken) {
-			const token = await getAuthToken();
-			if (token) headers.Authorization = `Bearer ${token}`;
-		}
-		return headers;
 	}
 	/**
 	* Build URL with query parameters (Rails-compatible)
@@ -3750,7 +2762,7 @@ function createFluidClient(config) {
 	function buildUrl(endpoint, params) {
 		const normalizedBase = baseUrl.endsWith("/") ? baseUrl.slice(0, -1) : baseUrl;
 		const normalizedEndpoint = endpoint.startsWith("/") ? endpoint : `/${endpoint}`;
-		const url = new URL(normalizedBase + normalizedEndpoint);
+		const url = normalizedBase ? new URL(normalizedBase + normalizedEndpoint) : new URL(normalizedEndpoint, typeof window !== "undefined" ? window.location.origin : "http://localhost");
 		if (params) for (const [key, value] of Object.entries(params)) {
 			if (value === void 0 || value === null) continue;
 			if (Array.isArray(value)) for (const item of value) url.searchParams.append(`${key}[]`, String(item));
@@ -3774,12 +2786,13 @@ function createFluidClient(config) {
 	async function request(endpoint, options = {}) {
 		const { method = defaultRequestOptions.method, headers: customHeaders, params, body, signal } = options;
 		const url = buildUrl(endpoint, method === HTTP_METHODS.GET ? params : void 0);
-		const headers = await buildHeaders(customHeaders);
+		const headers = buildHeaders(customHeaders);
 		let response;
 		try {
 			const fetchOptions = {
 				method,
-				headers
+				headers,
+				credentials: "include"
 			};
 			if (signal !== void 0) fetchOptions.signal = signal;
 			if (body && method !== HTTP_METHODS.GET) fetchOptions.body = JSON.stringify(body);
@@ -3802,9 +2815,9 @@ function createFluidClient(config) {
 		}
 		if (response.status === 204 || response.headers.get("content-length") === "0") return null;
 		try {
-			const data = await response.json();
-			if (data === null || data === void 0) throw new ApiError("Unexpected null/undefined in JSON response", response.status, null);
-			return data;
+			const raw = await response.json();
+			if (raw === null || raw === void 0) throw new ApiError("Unexpected null/undefined in JSON response", response.status, null);
+			return isApiEnvelope(raw) ? raw.data : raw;
 		} catch (parseError) {
 			if (isApiError(parseError)) throw parseError;
 			throw new ApiError("Failed to parse response as JSON", response.status, null);
@@ -3839,6 +2852,51 @@ function createFluidClient(config) {
 		}
 	}
 	/**
+	* Request wrapper for paginated list endpoints.
+	* Parses the API envelope and returns both `data` and cursor pagination metadata.
+	* Falls back gracefully when the response is not an envelope.
+	*/
+	async function requestPaginated(endpoint, options = {}) {
+		const { method = defaultRequestOptions.method, headers: customHeaders, params, body, signal } = options;
+		const url = buildUrl(endpoint, method === HTTP_METHODS.GET ? params : void 0);
+		const headers = buildHeaders(customHeaders);
+		let response;
+		try {
+			const fetchOptions = {
+				method,
+				headers,
+				credentials: "include"
+			};
+			if (signal !== void 0) fetchOptions.signal = signal;
+			if (body && method !== HTTP_METHODS.GET) fetchOptions.body = JSON.stringify(body);
+			response = await fetch(url, fetchOptions);
+		} catch (networkError) {
+			throw new ApiError(`Network error: ${networkError instanceof Error ? networkError.message : "Unknown network error"}`, 0, null);
+		}
+		if (response.status === 401) {
+			effectiveOnAuthError();
+			throw new ApiError("Authentication required", 401, null);
+		}
+		if (!response.ok) try {
+			if (response.headers.get("content-type")?.includes("application/json")) {
+				const errorData = await response.json();
+				throw new ApiError(extractErrorMessage(errorData, `${method} request failed`), response.status, "errors" in errorData ? errorData.errors : errorData);
+			} else throw new ApiError(`${method} request failed with status ${response.status}`, response.status, null);
+		} catch (error) {
+			if (isApiError(error)) throw error;
+			throw new ApiError(`${method} request failed with status ${response.status}`, response.status, null);
+		}
+		const raw = await response.json();
+		if (isApiEnvelope(raw)) return {
+			data: raw.data,
+			pagination: raw.meta.pagination
+		};
+		return {
+			data: raw,
+			pagination: void 0
+		};
+	}
+	/**
 	* Helper to safely convert typed params to Record<string, unknown>.
 	* Type assertion required: TypeScript's structural typing allows any object
 	* to be treated as Record<string, unknown> when we only need to iterate
@@ -3888,11 +2946,17 @@ function createFluidClient(config) {
 		patch,
 		delete: del,
 		products: {
-			list: (params) => get("/api/company/v1/products", params),
+			list: (params) => requestPaginated("/api/company/v1/products", {
+				method: HTTP_METHODS.GET,
+				params: toParams(params)
+			}),
 			get: (id) => get(`/api/company/v1/products/${id}`),
-			search: (query, params) => get("/api/company/v1/products", {
-				search_query: query,
-				...params
+			search: (query, params) => requestPaginated("/api/company/v1/products", {
+				method: HTTP_METHODS.GET,
+				params: {
+					search_query: query,
+					...toParams(params)
+				}
 			})
 		},
 		orders: {
@@ -4000,9 +3064,17 @@ function useThemeContext() {
 /**
 * FluidAuthProvider - Authentication Provider for Fluid Portal SDK
 *
-* Handles JWT token extraction from URL, validation, storage, and
-* provides authentication context to child components.
+* Session-based authentication: Rails establishes an HTTP-only session cookie
+* during the Hub → Tenant handoff. The SPA checks session state via a BFF
+* endpoint (`/api/me`).
+*
+* When the session is missing or expires, the provider reloads the page rather
+* than redirecting client-side. This delegates redirect logic to Rails, which
+* correctly resolves the Portal Hub URL for any hostname pattern — including
+* CNAMEs like `portal.acme.com` where client-side hostname parsing would fail.
 */
+/** BFF endpoint that returns the current user from the server session. */
+const SESSION_ENDPOINT = "/api/me";
 /**
 * Auth context - null when outside provider
 */
@@ -4011,7 +3083,7 @@ function authReducer(state, action) {
 	switch (action.type) {
 		case "SET_AUTH": return {
 			isLoading: false,
-			token: action.token,
+			token: null,
 			user: action.user,
 			error: action.error
 		};
@@ -4037,12 +3109,13 @@ const initialAuthState = {
 * Authentication provider for Fluid portal applications.
 *
 * On mount, this provider:
-* 1. Checks for a token in the URL (passed from parent app)
-* 2. Cleans token from URL immediately (security)
-* 3. Falls back to stored token (cookie/localStorage)
-* 4. Validates the token (checks expiration)
-* 5. Stores valid tokens for future use
-* 6. Calls onAuthFailure if no valid token found
+* 1. Checks the server session via `GET /api/me` (BFF endpoint)
+* 2. If 401 — no session — reloads the page so Rails can redirect to the Hub
+* 3. Populates auth state from the API response
+*
+* The Hub → Tenant handoff is fully server-side: Rails consumes a short-lived
+* DB token and establishes an HTTP-only session cookie before the SPA boots.
+* Unauthenticated HTML requests are 302'd to the Portal Hub by Rails.
 *
 * @example
 * ```tsx
@@ -4050,13 +3123,7 @@ const initialAuthState = {
 *
 * function App() {
 *   return (
-*     <FluidAuthProvider
-*       config={{
-*         onAuthFailure: () => {
-*           window.location.href = "/login";
-*         },
-*       }}
-*     >
+*     <FluidAuthProvider>
 *       <YourApp />
 *     </FluidAuthProvider>
 *   );
@@ -4070,107 +3137,37 @@ function FluidAuthProvider({ children, config }) {
 	const { isLoading, token, user, error } = state;
 	useEffect(() => {
 		const initializeAuth = async () => {
-			const handleAuthFailure = () => {
+			const handleUnauthenticated = () => {
 				const current = configRef.current;
-				resolveAuthFailureHandler(current?.onAuthFailure, current?.authUrl)();
-			};
-			try {
-				if (isDevBypassActive(config?.devBypass)) {
-					const envToken = import.meta.env.VITE_DEV_TOKEN;
-					if (envToken) {
-						const validation = validateToken(envToken, config?.gracePeriodMs);
-						if (validation.isValid && validation.payload) {
-							storeToken(envToken, config);
-							dispatch({
-								type: "SET_AUTH",
-								token: envToken,
-								user: validation.payload,
-								error: null
-							});
-							return;
-						}
-						console.warn("[FluidAuth] VITE_DEV_TOKEN is invalid or expired, falling back to mock user");
-					}
-					console.warn("[FluidAuth] Dev bypass active - using mock user. API calls will fail without a real token.");
-					dispatch({
-						type: "SET_AUTH",
-						token: null,
-						user: createDevUser(),
-						error: null
-					});
+				if (current?.onAuthFailure) {
+					current.onAuthFailure();
 					return;
 				}
-				const tokenKey = config?.tokenKey ?? "fluidUserToken";
-				let candidateToken = extractTokenFromUrl(tokenKey);
-				if (!candidateToken && tokenKey !== "jwt") candidateToken = extractTokenFromUrl("jwt");
-				cleanTokenFromUrl(tokenKey);
-				cleanTokenFromUrl("jwt");
-				if (!candidateToken) candidateToken = getStoredToken(config);
-				if (candidateToken) {
-					let payload = null;
-					if (config?.jwksUrl) {
-						payload = await verifyToken(candidateToken, config.jwksUrl);
-						if (!payload) {
-							clearTokens(config);
-							dispatch({
-								type: "SET_AUTH",
-								token: null,
-								user: null,
-								error: /* @__PURE__ */ new Error("JWT signature verification failed")
-							});
-							handleAuthFailure();
-							return;
-						}
-						if (isTokenExpired(candidateToken, config?.gracePeriodMs)) {
-							clearTokens(config);
-							dispatch({
-								type: "SET_AUTH",
-								token: null,
-								user: null,
-								error: /* @__PURE__ */ new Error("Token has expired")
-							});
-							handleAuthFailure();
-							return;
-						}
-					} else {
-						const validation = validateToken(candidateToken, config?.gracePeriodMs);
-						if (validation.isValid && validation.payload) payload = validation.payload;
-						else {
-							clearTokens(config);
-							dispatch({
-								type: "SET_AUTH",
-								token: null,
-								user: null,
-								error: new Error(validation.error ?? "Invalid token")
-							});
-							handleAuthFailure();
-							return;
-						}
-					}
-					storeToken(candidateToken, config);
-					dispatch({
-						type: "SET_AUTH",
-						token: candidateToken,
-						user: payload,
-						error: null
-					});
-				} else {
+				window.location.reload();
+			};
+			try {
+				const response = await fetch(SESSION_ENDPOINT, { credentials: "include" });
+				if (response.status === 401) {
 					dispatch({
 						type: "SET_AUTH",
-						token: null,
 						user: null,
-						error: /* @__PURE__ */ new Error("No authentication token found")
+						error: /* @__PURE__ */ new Error("No active session")
 					});
-					handleAuthFailure();
+					handleUnauthenticated();
+					return;
 				}
+				if (!response.ok) throw new Error(`Session check failed with status ${String(response.status)}`);
+				dispatch({
+					type: "SET_AUTH",
+					user: (await response.json()).data,
+					error: null
+				});
 			} catch (err) {
 				dispatch({
 					type: "SET_AUTH",
-					token: null,
 					user: null,
 					error: err instanceof Error ? err : /* @__PURE__ */ new Error("Authentication error")
 				});
-				handleAuthFailure();
 			} finally {
 				dispatch({ type: "DONE_LOADING" });
 			}
@@ -4178,7 +3175,6 @@ function FluidAuthProvider({ children, config }) {
 		initializeAuth();
 	}, []);
 	const clearAuth = useCallback(() => {
-		clearTokens(configRef.current);
 		dispatch({ type: "CLEAR_AUTH" });
 	}, []);
 	const contextValue = useMemo(() => ({
@@ -4322,10 +3318,7 @@ const FluidContext = createContext(null);
 * function App() {
 *   return (
 *     <FluidProvider
-*       config={{
-*         baseUrl: "https://api.fluid.app/api",
-*         getAuthToken: () => localStorage.getItem("token"),
-*       }}
+*       config={{ baseUrl: "" }}
 *     >
 *       <YourApp />
 *     </FluidProvider>
@@ -4354,13 +3347,7 @@ function FluidProvider({ config, children, queryClient, initialTheme, themeConta
 		config: configRef.current
 	}), [client]);
 	const getApiHeaders = useCallback(() => {
-		const headers = { "Content-Type": "application/json" };
-		const getAuthToken = configRef.current.getAuthToken;
-		if (typeof getAuthToken === "function") {
-			const tokenOrPromise = getAuthToken();
-			if (typeof tokenOrPromise === "string") headers.Authorization = `Bearer ${tokenOrPromise}`;
-		}
-		return headers;
+		return { "Content-Type": "application/json" };
 	}, []);
 	const dataSourceBaseUrl = useMemo(() => {
 		const base = config.baseUrl.replace(/\/+$/, "");
@@ -4458,4 +3445,4 @@ function useFluidContext() {
 //#endregion
 export { extractTokenFromUrl as $, DEFAULT_FONT_SIZES as A, mergeDarkOverrides as B, buildThemeDefinition as C, serialiseTheme as D, deserialiseTheme as E, getDefaultThemeDefinition as F, RADIUS_KEYS as G, resolveTheme as H, generateThemeCSS as I, DEFAULT_AUTH_URL as J, SEMANTIC_COLOR_NAMES as K, deriveDarkVariant as L, DEFAULT_SPACING as M, DEFAULT_THEME_ID as N, DEFAULT_COLORS as O, DEFAULT_THEME_NAME as P, extractCompanyTokenFromUrl as Q, generateShades as R, removeTheme as S, createFetchClient as St, transformThemes as T, FONT_FAMILY_KEYS as U, parseColor as V, FONT_SIZE_KEYS as W, cleanTokenFromUrl as X, createDefaultAuthRedirect as Y, extractAllTokensFromUrl as Z, toNavigationItem as _, createPersister as _t, createScreen as a, decodeToken as at, applyTheme as b, useFluidPayApi as bt, FluidAuthProvider as c, isTokenExpired as ct, useThemeContext as d, AUTH_CONSTANTS as dt, hasTokenInUrl as et, ApiError as f, STORAGE_KEYS as ft, transformManifestToRepAppData as g, useFluidOsApiOptional as gt, toRawManifest as h, isUserType as ht, widgetPropertySchemas as i, storeToken as it, DEFAULT_RADII as j, DEFAULT_FONT_FAMILIES as k, useFluidAuthContext as l, isValidToken as lt, isApiError as m, USER_TYPES as mt, useFluidContext as n, getStoredToken as nt, createWidgetFromShareable as o, getTokenExpiration as ot, createFluidClient as p, URL_PARAMS as pt, SHADE_STEPS as q, DEFAULT_SDK_WIDGET_REGISTRY as r, hasStoredToken as rt, createWidgetRegistry as s, getTokenTimeRemaining as st, FluidProvider as t, clearTokens as tt, FluidThemeProvider as u, validateToken as ut, normalizeComponentTree as v, deleteDatabase as vt, getActiveThemeId as w, removeAllThemes as x, ApiError$1 as xt, toScreenDefinition as y, useCountryStates as yt, getForegroundColor as z };
 
-//# sourceMappingURL=FluidProvider-CWYquEIF.mjs.map
+//# sourceMappingURL=FluidProvider-B59bzF__.mjs.map