@fluid-app/portal-sdk 0.1.101 → 0.1.103

package/dist/{FluidProvider-CyzA2g75.cjs → FluidProvider-DbYLBGGg.cjs}

@@ -28,15 +28,6 @@ let react = require("react");
 let _tanstack_react_query = require("@tanstack/react-query");
 let react_jsx_runtime = require("react/jsx-runtime");
 let node_buffer = require("node:buffer");
-let node_crypto = require("node:crypto");
-node_crypto = require_chunk.__toESM(node_crypto);
-let node_util = require("node:util");
-node_util = require_chunk.__toESM(node_util);
-let node_http = require("node:http");
-node_http = require_chunk.__toESM(node_http);
-let node_https = require("node:https");
-node_https = require_chunk.__toESM(node_https);
-let node_events = require("node:events");
 let zod = require("zod");
 let colorjs_io = require("colorjs.io");
 colorjs_io = require_chunk.__toESM(colorjs_io);
@@ -67,7 +58,7 @@ var ApiError$1 = class ApiError$1 extends Error {
 * Creates a configured fetch client instance
 */
 function createFetchClient(config) {
-	const { baseUrl, getAuthToken, onAuthError, defaultHeaders = {} } = config;
+	const { baseUrl, getAuthToken, onAuthError, defaultHeaders = {}, credentials } = config;
 	/**
 	* Build headers for a request
 	*/
@@ -156,6 +147,7 @@ function createFetchClient(config) {
 				method,
 				headers
 			};
+			if (credentials) fetchOptions.credentials = credentials;
 			const serializedBody = body && method !== "GET" ? JSON.stringify(body) : null;
 			if (serializedBody) fetchOptions.body = serializedBody;
 			if (signal) fetchOptions.signal = signal;
@@ -180,6 +172,7 @@ function createFetchClient(config) {
 				headers,
 				body: formData
 			};
+			if (credentials) fetchOptions.credentials = credentials;
 			if (signal) fetchOptions.signal = signal;
 			response = await fetch(url, fetchOptions);
 		} catch (networkError) {
@@ -1166,20 +1159,8 @@ const URL_PARAMS = {
 function isBrowser() {
 	return typeof window !== "undefined" && typeof document !== "undefined";
 }
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/buffer_utils.js
-const encoder = new TextEncoder();
+new TextEncoder();
 const decoder = new TextDecoder();
-function concat(...buffers) {
-	const size = buffers.reduce((acc, { length }) => acc + length, 0);
-	const buf = new Uint8Array(size);
-	let i = 0;
-	for (const buffer of buffers) {
-		buf.set(buffer, i);
-		i += buffer.length;
-	}
-	return buf;
-}
 //#endregion
 //#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/base64url.js
 function normalize(input) {
@@ -1199,216 +1180,11 @@ var JOSEError = class extends Error {
 		Error.captureStackTrace?.(this, this.constructor);
 	}
 };
-var JWTClaimValidationFailed = class extends JOSEError {
-	static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
-	code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
-	claim;
-	reason;
-	payload;
-	constructor(message, payload, claim = "unspecified", reason = "unspecified") {
-		super(message, { cause: {
-			claim,
-			reason,
-			payload
-		} });
-		this.claim = claim;
-		this.reason = reason;
-		this.payload = payload;
-	}
-};
-var JWTExpired = class extends JOSEError {
-	static code = "ERR_JWT_EXPIRED";
-	code = "ERR_JWT_EXPIRED";
-	claim;
-	reason;
-	payload;
-	constructor(message, payload, claim = "unspecified", reason = "unspecified") {
-		super(message, { cause: {
-			claim,
-			reason,
-			payload
-		} });
-		this.claim = claim;
-		this.reason = reason;
-		this.payload = payload;
-	}
-};
-var JOSEAlgNotAllowed = class extends JOSEError {
-	static code = "ERR_JOSE_ALG_NOT_ALLOWED";
-	code = "ERR_JOSE_ALG_NOT_ALLOWED";
-};
-var JOSENotSupported = class extends JOSEError {
-	static code = "ERR_JOSE_NOT_SUPPORTED";
-	code = "ERR_JOSE_NOT_SUPPORTED";
-};
-var JWSInvalid = class extends JOSEError {
-	static code = "ERR_JWS_INVALID";
-	code = "ERR_JWS_INVALID";
-};
 var JWTInvalid = class extends JOSEError {
 	static code = "ERR_JWT_INVALID";
 	code = "ERR_JWT_INVALID";
 };
-var JWKSInvalid = class extends JOSEError {
-	static code = "ERR_JWKS_INVALID";
-	code = "ERR_JWKS_INVALID";
-};
-var JWKSNoMatchingKey = class extends JOSEError {
-	static code = "ERR_JWKS_NO_MATCHING_KEY";
-	code = "ERR_JWKS_NO_MATCHING_KEY";
-	constructor(message = "no applicable key found in the JSON Web Key Set", options) {
-		super(message, options);
-	}
-};
-var JWKSMultipleMatchingKeys = class extends JOSEError {
-	[Symbol.asyncIterator];
-	static code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
-	code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
-	constructor(message = "multiple matching keys found in the JSON Web Key Set", options) {
-		super(message, options);
-	}
-};
-var JWKSTimeout = class extends JOSEError {
-	static code = "ERR_JWKS_TIMEOUT";
-	code = "ERR_JWKS_TIMEOUT";
-	constructor(message = "request timed out", options) {
-		super(message, options);
-	}
-};
-var JWSSignatureVerificationFailed = class extends JOSEError {
-	static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-	code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-	constructor(message = "signature verification failed", options) {
-		super(message, options);
-	}
-};
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/is_key_object.js
-var is_key_object_default = (obj) => node_util.types.isKeyObject(obj);
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/webcrypto.js
-const webcrypto = node_crypto.webcrypto;
-const isCryptoKey = (key) => node_util.types.isCryptoKey(key);
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/crypto_key.js
-function unusable(name, prop = "algorithm.name") {
-	return /* @__PURE__ */ new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
-}
-function isAlgorithm(algorithm, name) {
-	return algorithm.name === name;
-}
-function getHashLength(hash) {
-	return parseInt(hash.name.slice(4), 10);
-}
-function getNamedCurve$1(alg) {
-	switch (alg) {
-		case "ES256": return "P-256";
-		case "ES384": return "P-384";
-		case "ES512": return "P-521";
-		default: throw new Error("unreachable");
-	}
-}
-function checkUsage(key, usages) {
-	if (usages.length && !usages.some((expected) => key.usages.includes(expected))) {
-		let msg = "CryptoKey does not support this operation, its usages must include ";
-		if (usages.length > 2) {
-			const last = usages.pop();
-			msg += `one of ${usages.join(", ")}, or ${last}.`;
-		} else if (usages.length === 2) msg += `one of ${usages[0]} or ${usages[1]}.`;
-		else msg += `${usages[0]}.`;
-		throw new TypeError(msg);
-	}
-}
-function checkSigCryptoKey(key, alg, ...usages) {
-	switch (alg) {
-		case "HS256":
-		case "HS384":
-		case "HS512": {
-			if (!isAlgorithm(key.algorithm, "HMAC")) throw unusable("HMAC");
-			const expected = parseInt(alg.slice(2), 10);
-			if (getHashLength(key.algorithm.hash) !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash");
-			break;
-		}
-		case "RS256":
-		case "RS384":
-		case "RS512": {
-			if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5")) throw unusable("RSASSA-PKCS1-v1_5");
-			const expected = parseInt(alg.slice(2), 10);
-			if (getHashLength(key.algorithm.hash) !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash");
-			break;
-		}
-		case "PS256":
-		case "PS384":
-		case "PS512": {
-			if (!isAlgorithm(key.algorithm, "RSA-PSS")) throw unusable("RSA-PSS");
-			const expected = parseInt(alg.slice(2), 10);
-			if (getHashLength(key.algorithm.hash) !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash");
-			break;
-		}
-		case "EdDSA":
-			if (key.algorithm.name !== "Ed25519" && key.algorithm.name !== "Ed448") throw unusable("Ed25519 or Ed448");
-			break;
-		case "Ed25519":
-			if (!isAlgorithm(key.algorithm, "Ed25519")) throw unusable("Ed25519");
-			break;
-		case "ES256":
-		case "ES384":
-		case "ES512": {
-			if (!isAlgorithm(key.algorithm, "ECDSA")) throw unusable("ECDSA");
-			const expected = getNamedCurve$1(alg);
-			if (key.algorithm.namedCurve !== expected) throw unusable(expected, "algorithm.namedCurve");
-			break;
-		}
-		default: throw new TypeError("CryptoKey does not support this operation");
-	}
-	checkUsage(key, usages);
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/invalid_key_input.js
-function message(msg, actual, ...types) {
-	types = types.filter(Boolean);
-	if (types.length > 2) {
-		const last = types.pop();
-		msg += `one of type ${types.join(", ")}, or ${last}.`;
-	} else if (types.length === 2) msg += `one of type ${types[0]} or ${types[1]}.`;
-	else msg += `of type ${types[0]}.`;
-	if (actual == null) msg += ` Received ${actual}`;
-	else if (typeof actual === "function" && actual.name) msg += ` Received function ${actual.name}`;
-	else if (typeof actual === "object" && actual != null) {
-		if (actual.constructor?.name) msg += ` Received an instance of ${actual.constructor.name}`;
-	}
-	return msg;
-}
-var invalid_key_input_default = (actual, ...types) => {
-	return message("Key must be ", actual, ...types);
-};
-function withAlg(alg, actual, ...types) {
-	return message(`Key for the ${alg} algorithm must be `, actual, ...types);
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/is_key_like.js
-var is_key_like_default = (key) => is_key_object_default(key) || isCryptoKey(key);
-const types = ["KeyObject"];
-if (globalThis.CryptoKey || webcrypto?.CryptoKey) types.push("CryptoKey");
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/is_disjoint.js
-const isDisjoint = (...headers) => {
-	const sources = headers.filter(Boolean);
-	if (sources.length === 0 || sources.length === 1) return true;
-	let acc;
-	for (const header of sources) {
-		const parameters = Object.keys(header);
-		if (!acc || acc.size === 0) {
-			acc = new Set(parameters);
-			continue;
-		}
-		for (const parameter of parameters) {
-			if (acc.has(parameter)) return false;
-			acc.add(parameter);
-		}
-	}
-	return true;
-};
+Symbol.asyncIterator;
 //#endregion
 //#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/is_object.js
 function isObjectLike(value) {
@@ -1421,792 +1197,6 @@ function isObject(input) {
 	while (Object.getPrototypeOf(proto) !== null) proto = Object.getPrototypeOf(proto);
 	return Object.getPrototypeOf(input) === proto;
 }
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/is_jwk.js
-function isJWK(key) {
-	return isObject(key) && typeof key.kty === "string";
-}
-function isPrivateJWK(key) {
-	return key.kty !== "oct" && typeof key.d === "string";
-}
-function isPublicJWK(key) {
-	return key.kty !== "oct" && typeof key.d === "undefined";
-}
-function isSecretJWK(key) {
-	return isJWK(key) && key.kty === "oct" && typeof key.k === "string";
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/get_named_curve.js
-const namedCurveToJOSE = (namedCurve) => {
-	switch (namedCurve) {
-		case "prime256v1": return "P-256";
-		case "secp384r1": return "P-384";
-		case "secp521r1": return "P-521";
-		case "secp256k1": return "secp256k1";
-		default: throw new JOSENotSupported("Unsupported key curve for this operation");
-	}
-};
-const getNamedCurve = (kee, raw) => {
-	let key;
-	if (isCryptoKey(kee)) key = node_crypto.KeyObject.from(kee);
-	else if (is_key_object_default(kee)) key = kee;
-	else if (isJWK(kee)) return kee.crv;
-	else throw new TypeError(invalid_key_input_default(kee, ...types));
-	if (key.type === "secret") throw new TypeError("only \"private\" or \"public\" type keys can be used for this operation");
-	switch (key.asymmetricKeyType) {
-		case "ed25519":
-		case "ed448": return `Ed${key.asymmetricKeyType.slice(2)}`;
-		case "x25519":
-		case "x448": return `X${key.asymmetricKeyType.slice(1)}`;
-		case "ec": {
-			const namedCurve = key.asymmetricKeyDetails.namedCurve;
-			if (raw) return namedCurve;
-			return namedCurveToJOSE(namedCurve);
-		}
-		default: throw new TypeError("Invalid asymmetric key type for this operation");
-	}
-};
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/check_key_length.js
-var check_key_length_default = (key, alg) => {
-	let modulusLength;
-	try {
-		if (key instanceof node_crypto.KeyObject) modulusLength = key.asymmetricKeyDetails?.modulusLength;
-		else modulusLength = Buffer.from(key.n, "base64url").byteLength << 3;
-	} catch {}
-	if (typeof modulusLength !== "number" || modulusLength < 2048) throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
-};
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/jwk_to_key.js
-const parse = (key) => {
-	if (key.d) return (0, node_crypto.createPrivateKey)({
-		format: "jwk",
-		key
-	});
-	return (0, node_crypto.createPublicKey)({
-		format: "jwk",
-		key
-	});
-};
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/key/import.js
-async function importJWK(jwk, alg) {
-	if (!isObject(jwk)) throw new TypeError("JWK must be an object");
-	alg ||= jwk.alg;
-	switch (jwk.kty) {
-		case "oct":
-			if (typeof jwk.k !== "string" || !jwk.k) throw new TypeError("missing \"k\" (Key Value) Parameter value");
-			return decode$1(jwk.k);
-		case "RSA": if ("oth" in jwk && jwk.oth !== void 0) throw new JOSENotSupported("RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported");
-		case "EC":
-		case "OKP": return parse({
-			...jwk,
-			alg
-		});
-		default: throw new JOSENotSupported("Unsupported \"kty\" (Key Type) Parameter value");
-	}
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/check_key_type.js
-const tag = (key) => key?.[Symbol.toStringTag];
-const jwkMatchesOp = (alg, key, usage) => {
-	if (key.use !== void 0 && key.use !== "sig") throw new TypeError("Invalid key for this operation, when present its use must be sig");
-	if (key.key_ops !== void 0 && key.key_ops.includes?.(usage) !== true) throw new TypeError(`Invalid key for this operation, when present its key_ops must include ${usage}`);
-	if (key.alg !== void 0 && key.alg !== alg) throw new TypeError(`Invalid key for this operation, when present its alg must be ${alg}`);
-	return true;
-};
-const symmetricTypeCheck = (alg, key, usage, allowJwk) => {
-	if (key instanceof Uint8Array) return;
-	if (allowJwk && isJWK(key)) {
-		if (isSecretJWK(key) && jwkMatchesOp(alg, key, usage)) return;
-		throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`);
-	}
-	if (!is_key_like_default(key)) throw new TypeError(withAlg(alg, key, ...types, "Uint8Array", allowJwk ? "JSON Web Key" : null));
-	if (key.type !== "secret") throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`);
-};
-const asymmetricTypeCheck = (alg, key, usage, allowJwk) => {
-	if (allowJwk && isJWK(key)) switch (usage) {
-		case "sign":
-			if (isPrivateJWK(key) && jwkMatchesOp(alg, key, usage)) return;
-			throw new TypeError(`JSON Web Key for this operation be a private JWK`);
-		case "verify":
-			if (isPublicJWK(key) && jwkMatchesOp(alg, key, usage)) return;
-			throw new TypeError(`JSON Web Key for this operation be a public JWK`);
-	}
-	if (!is_key_like_default(key)) throw new TypeError(withAlg(alg, key, ...types, allowJwk ? "JSON Web Key" : null));
-	if (key.type === "secret") throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type "secret"`);
-	if (usage === "sign" && key.type === "public") throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type "private"`);
-	if (usage === "decrypt" && key.type === "public") throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type "private"`);
-	if (key.algorithm && usage === "verify" && key.type === "private") throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type "public"`);
-	if (key.algorithm && usage === "encrypt" && key.type === "private") throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type "public"`);
-};
-function checkKeyType(allowJwk, alg, key, usage) {
-	if (alg.startsWith("HS") || alg === "dir" || alg.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(alg)) symmetricTypeCheck(alg, key, usage, allowJwk);
-	else asymmetricTypeCheck(alg, key, usage, allowJwk);
-}
-checkKeyType.bind(void 0, false);
-const checkKeyTypeWithJwk = checkKeyType.bind(void 0, true);
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/validate_crit.js
-function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-	if (joseHeader.crit !== void 0 && protectedHeader?.crit === void 0) throw new Err("\"crit\" (Critical) Header Parameter MUST be integrity protected");
-	if (!protectedHeader || protectedHeader.crit === void 0) return /* @__PURE__ */ new Set();
-	if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) throw new Err("\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present");
-	let recognized;
-	if (recognizedOption !== void 0) recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
-	else recognized = recognizedDefault;
-	for (const parameter of protectedHeader.crit) {
-		if (!recognized.has(parameter)) throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
-		if (joseHeader[parameter] === void 0) throw new Err(`Extension Header Parameter "${parameter}" is missing`);
-		if (recognized.get(parameter) && protectedHeader[parameter] === void 0) throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
-	}
-	return new Set(protectedHeader.crit);
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/validate_algorithms.js
-const validateAlgorithms = (option, algorithms) => {
-	if (algorithms !== void 0 && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) throw new TypeError(`"${option}" option must be an array of strings`);
-	if (!algorithms) return;
-	return new Set(algorithms);
-};
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/dsa_digest.js
-function dsaDigest(alg) {
-	switch (alg) {
-		case "PS256":
-		case "RS256":
-		case "ES256":
-		case "ES256K": return "sha256";
-		case "PS384":
-		case "RS384":
-		case "ES384": return "sha384";
-		case "PS512":
-		case "RS512":
-		case "ES512": return "sha512";
-		case "Ed25519":
-		case "EdDSA": return;
-		default: throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-	}
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/node_key.js
-const ecCurveAlgMap = new Map([
-	["ES256", "P-256"],
-	["ES256K", "secp256k1"],
-	["ES384", "P-384"],
-	["ES512", "P-521"]
-]);
-function keyForCrypto(alg, key) {
-	let asymmetricKeyType;
-	let asymmetricKeyDetails;
-	let isJWK;
-	if (key instanceof node_crypto.KeyObject) {
-		asymmetricKeyType = key.asymmetricKeyType;
-		asymmetricKeyDetails = key.asymmetricKeyDetails;
-	} else {
-		isJWK = true;
-		switch (key.kty) {
-			case "RSA":
-				asymmetricKeyType = "rsa";
-				break;
-			case "EC":
-				asymmetricKeyType = "ec";
-				break;
-			case "OKP":
-				if (key.crv === "Ed25519") {
-					asymmetricKeyType = "ed25519";
-					break;
-				}
-				if (key.crv === "Ed448") {
-					asymmetricKeyType = "ed448";
-					break;
-				}
-				throw new TypeError("Invalid key for this operation, its crv must be Ed25519 or Ed448");
-			default: throw new TypeError("Invalid key for this operation, its kty must be RSA, OKP, or EC");
-		}
-	}
-	let options;
-	switch (alg) {
-		case "Ed25519":
-			if (asymmetricKeyType !== "ed25519") throw new TypeError(`Invalid key for this operation, its asymmetricKeyType must be ed25519`);
-			break;
-		case "EdDSA":
-			if (!["ed25519", "ed448"].includes(asymmetricKeyType)) throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ed25519 or ed448");
-			break;
-		case "RS256":
-		case "RS384":
-		case "RS512":
-			if (asymmetricKeyType !== "rsa") throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa");
-			check_key_length_default(key, alg);
-			break;
-		case "PS256":
-		case "PS384":
-		case "PS512":
-			if (asymmetricKeyType === "rsa-pss") {
-				const { hashAlgorithm, mgf1HashAlgorithm, saltLength } = asymmetricKeyDetails;
-				const length = parseInt(alg.slice(-3), 10);
-				if (hashAlgorithm !== void 0 && (hashAlgorithm !== `sha${length}` || mgf1HashAlgorithm !== hashAlgorithm)) throw new TypeError(`Invalid key for this operation, its RSA-PSS parameters do not meet the requirements of "alg" ${alg}`);
-				if (saltLength !== void 0 && saltLength > length >> 3) throw new TypeError(`Invalid key for this operation, its RSA-PSS parameter saltLength does not meet the requirements of "alg" ${alg}`);
-			} else if (asymmetricKeyType !== "rsa") throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa or rsa-pss");
-			check_key_length_default(key, alg);
-			options = {
-				padding: node_crypto.constants.RSA_PKCS1_PSS_PADDING,
-				saltLength: node_crypto.constants.RSA_PSS_SALTLEN_DIGEST
-			};
-			break;
-		case "ES256":
-		case "ES256K":
-		case "ES384":
-		case "ES512": {
-			if (asymmetricKeyType !== "ec") throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ec");
-			const actual = getNamedCurve(key);
-			const expected = ecCurveAlgMap.get(alg);
-			if (actual !== expected) throw new TypeError(`Invalid key curve for the algorithm, its curve must be ${expected}, got ${actual}`);
-			options = { dsaEncoding: "ieee-p1363" };
-			break;
-		}
-		default: throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-	}
-	if (isJWK) return {
-		format: "jwk",
-		key,
-		...options
-	};
-	return options ? {
-		...options,
-		key
-	} : key;
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/hmac_digest.js
-function hmacDigest(alg) {
-	switch (alg) {
-		case "HS256": return "sha256";
-		case "HS384": return "sha384";
-		case "HS512": return "sha512";
-		default: throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-	}
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/get_sign_verify_key.js
-function getSignVerifyKey(alg, key, usage) {
-	if (key instanceof Uint8Array) {
-		if (!alg.startsWith("HS")) throw new TypeError(invalid_key_input_default(key, ...types));
-		return (0, node_crypto.createSecretKey)(key);
-	}
-	if (key instanceof node_crypto.KeyObject) return key;
-	if (isCryptoKey(key)) {
-		checkSigCryptoKey(key, alg, usage);
-		return node_crypto.KeyObject.from(key);
-	}
-	if (isJWK(key)) {
-		if (alg.startsWith("HS")) return (0, node_crypto.createSecretKey)(Buffer.from(key.k, "base64url"));
-		return key;
-	}
-	throw new TypeError(invalid_key_input_default(key, ...types, "Uint8Array", "JSON Web Key"));
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/sign.js
-const oneShotSign = (0, node_util.promisify)(node_crypto.sign);
-const sign = async (alg, key, data) => {
-	const k = getSignVerifyKey(alg, key, "sign");
-	if (alg.startsWith("HS")) {
-		const hmac = node_crypto.createHmac(hmacDigest(alg), k);
-		hmac.update(data);
-		return hmac.digest();
-	}
-	return oneShotSign(dsaDigest(alg), data, keyForCrypto(alg, k));
-};
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/verify.js
-const oneShotVerify = (0, node_util.promisify)(node_crypto.verify);
-const verify = async (alg, key, signature, data) => {
-	const k = getSignVerifyKey(alg, key, "verify");
-	if (alg.startsWith("HS")) {
-		const expected = await sign(alg, k, data);
-		const actual = signature;
-		try {
-			return node_crypto.timingSafeEqual(actual, expected);
-		} catch {
-			return false;
-		}
-	}
-	const algorithm = dsaDigest(alg);
-	const keyInput = keyForCrypto(alg, k);
-	try {
-		return await oneShotVerify(algorithm, data, keyInput, signature);
-	} catch {
-		return false;
-	}
-};
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/jws/flattened/verify.js
-async function flattenedVerify(jws, key, options) {
-	if (!isObject(jws)) throw new JWSInvalid("Flattened JWS must be an object");
-	if (jws.protected === void 0 && jws.header === void 0) throw new JWSInvalid("Flattened JWS must have either of the \"protected\" or \"header\" members");
-	if (jws.protected !== void 0 && typeof jws.protected !== "string") throw new JWSInvalid("JWS Protected Header incorrect type");
-	if (jws.payload === void 0) throw new JWSInvalid("JWS Payload missing");
-	if (typeof jws.signature !== "string") throw new JWSInvalid("JWS Signature missing or incorrect type");
-	if (jws.header !== void 0 && !isObject(jws.header)) throw new JWSInvalid("JWS Unprotected Header incorrect type");
-	let parsedProt = {};
-	if (jws.protected) try {
-		const protectedHeader = decode$1(jws.protected);
-		parsedProt = JSON.parse(decoder.decode(protectedHeader));
-	} catch {
-		throw new JWSInvalid("JWS Protected Header is invalid");
-	}
-	if (!isDisjoint(parsedProt, jws.header)) throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
-	const joseHeader = {
-		...parsedProt,
-		...jws.header
-	};
-	const extensions = validateCrit(JWSInvalid, new Map([["b64", true]]), options?.crit, parsedProt, joseHeader);
-	let b64 = true;
-	if (extensions.has("b64")) {
-		b64 = parsedProt.b64;
-		if (typeof b64 !== "boolean") throw new JWSInvalid("The \"b64\" (base64url-encode payload) Header Parameter must be a boolean");
-	}
-	const { alg } = joseHeader;
-	if (typeof alg !== "string" || !alg) throw new JWSInvalid("JWS \"alg\" (Algorithm) Header Parameter missing or invalid");
-	const algorithms = options && validateAlgorithms("algorithms", options.algorithms);
-	if (algorithms && !algorithms.has(alg)) throw new JOSEAlgNotAllowed("\"alg\" (Algorithm) Header Parameter value not allowed");
-	if (b64) {
-		if (typeof jws.payload !== "string") throw new JWSInvalid("JWS Payload must be a string");
-	} else if (typeof jws.payload !== "string" && !(jws.payload instanceof Uint8Array)) throw new JWSInvalid("JWS Payload must be a string or an Uint8Array instance");
-	let resolvedKey = false;
-	if (typeof key === "function") {
-		key = await key(parsedProt, jws);
-		resolvedKey = true;
-		checkKeyTypeWithJwk(alg, key, "verify");
-		if (isJWK(key)) key = await importJWK(key, alg);
-	} else checkKeyTypeWithJwk(alg, key, "verify");
-	const data = concat(encoder.encode(jws.protected ?? ""), encoder.encode("."), typeof jws.payload === "string" ? encoder.encode(jws.payload) : jws.payload);
-	let signature;
-	try {
-		signature = decode$1(jws.signature);
-	} catch {
-		throw new JWSInvalid("Failed to base64url decode the signature");
-	}
-	if (!await verify(alg, key, signature, data)) throw new JWSSignatureVerificationFailed();
-	let payload;
-	if (b64) try {
-		payload = decode$1(jws.payload);
-	} catch {
-		throw new JWSInvalid("Failed to base64url decode the payload");
-	}
-	else if (typeof jws.payload === "string") payload = encoder.encode(jws.payload);
-	else payload = jws.payload;
-	const result = { payload };
-	if (jws.protected !== void 0) result.protectedHeader = parsedProt;
-	if (jws.header !== void 0) result.unprotectedHeader = jws.header;
-	if (resolvedKey) return {
-		...result,
-		key
-	};
-	return result;
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/jws/compact/verify.js
-async function compactVerify(jws, key, options) {
-	if (jws instanceof Uint8Array) jws = decoder.decode(jws);
-	if (typeof jws !== "string") throw new JWSInvalid("Compact JWS must be a string or Uint8Array");
-	const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split(".");
-	if (length !== 3) throw new JWSInvalid("Invalid Compact JWS");
-	const verified = await flattenedVerify({
-		payload,
-		protected: protectedHeader,
-		signature
-	}, key, options);
-	const result = {
-		payload: verified.payload,
-		protectedHeader: verified.protectedHeader
-	};
-	if (typeof key === "function") return {
-		...result,
-		key: verified.key
-	};
-	return result;
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/epoch.js
-var epoch_default = (date) => Math.floor(date.getTime() / 1e3);
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/secs.js
-const minute = 60;
-const hour = minute * 60;
-const day = hour * 24;
-const week = day * 7;
-const year = day * 365.25;
-const REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
-var secs_default = (str) => {
-	const matched = REGEX.exec(str);
-	if (!matched || matched[4] && matched[1]) throw new TypeError("Invalid time period format");
-	const value = parseFloat(matched[2]);
-	const unit = matched[3].toLowerCase();
-	let numericDate;
-	switch (unit) {
-		case "sec":
-		case "secs":
-		case "second":
-		case "seconds":
-		case "s":
-			numericDate = Math.round(value);
-			break;
-		case "minute":
-		case "minutes":
-		case "min":
-		case "mins":
-		case "m":
-			numericDate = Math.round(value * minute);
-			break;
-		case "hour":
-		case "hours":
-		case "hr":
-		case "hrs":
-		case "h":
-			numericDate = Math.round(value * hour);
-			break;
-		case "day":
-		case "days":
-		case "d":
-			numericDate = Math.round(value * day);
-			break;
-		case "week":
-		case "weeks":
-		case "w":
-			numericDate = Math.round(value * week);
-			break;
-		default:
-			numericDate = Math.round(value * year);
-			break;
-	}
-	if (matched[1] === "-" || matched[4] === "ago") return -numericDate;
-	return numericDate;
-};
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/jwt_claims_set.js
-const normalizeTyp = (value) => value.toLowerCase().replace(/^application\//, "");
-const checkAudiencePresence = (audPayload, audOption) => {
-	if (typeof audPayload === "string") return audOption.includes(audPayload);
-	if (Array.isArray(audPayload)) return audOption.some(Set.prototype.has.bind(new Set(audPayload)));
-	return false;
-};
-var jwt_claims_set_default = (protectedHeader, encodedPayload, options = {}) => {
-	let payload;
-	try {
-		payload = JSON.parse(decoder.decode(encodedPayload));
-	} catch {}
-	if (!isObject(payload)) throw new JWTInvalid("JWT Claims Set must be a top-level JSON object");
-	const { typ } = options;
-	if (typ && (typeof protectedHeader.typ !== "string" || normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) throw new JWTClaimValidationFailed("unexpected \"typ\" JWT header value", payload, "typ", "check_failed");
-	const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;
-	const presenceCheck = [...requiredClaims];
-	if (maxTokenAge !== void 0) presenceCheck.push("iat");
-	if (audience !== void 0) presenceCheck.push("aud");
-	if (subject !== void 0) presenceCheck.push("sub");
-	if (issuer !== void 0) presenceCheck.push("iss");
-	for (const claim of new Set(presenceCheck.reverse())) if (!(claim in payload)) throw new JWTClaimValidationFailed(`missing required "${claim}" claim`, payload, claim, "missing");
-	if (issuer && !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) throw new JWTClaimValidationFailed("unexpected \"iss\" claim value", payload, "iss", "check_failed");
-	if (subject && payload.sub !== subject) throw new JWTClaimValidationFailed("unexpected \"sub\" claim value", payload, "sub", "check_failed");
-	if (audience && !checkAudiencePresence(payload.aud, typeof audience === "string" ? [audience] : audience)) throw new JWTClaimValidationFailed("unexpected \"aud\" claim value", payload, "aud", "check_failed");
-	let tolerance;
-	switch (typeof options.clockTolerance) {
-		case "string":
-			tolerance = secs_default(options.clockTolerance);
-			break;
-		case "number":
-			tolerance = options.clockTolerance;
-			break;
-		case "undefined":
-			tolerance = 0;
-			break;
-		default: throw new TypeError("Invalid clockTolerance option type");
-	}
-	const { currentDate } = options;
-	const now = epoch_default(currentDate || /* @__PURE__ */ new Date());
-	if ((payload.iat !== void 0 || maxTokenAge) && typeof payload.iat !== "number") throw new JWTClaimValidationFailed("\"iat\" claim must be a number", payload, "iat", "invalid");
-	if (payload.nbf !== void 0) {
-		if (typeof payload.nbf !== "number") throw new JWTClaimValidationFailed("\"nbf\" claim must be a number", payload, "nbf", "invalid");
-		if (payload.nbf > now + tolerance) throw new JWTClaimValidationFailed("\"nbf\" claim timestamp check failed", payload, "nbf", "check_failed");
-	}
-	if (payload.exp !== void 0) {
-		if (typeof payload.exp !== "number") throw new JWTClaimValidationFailed("\"exp\" claim must be a number", payload, "exp", "invalid");
-		if (payload.exp <= now - tolerance) throw new JWTExpired("\"exp\" claim timestamp check failed", payload, "exp", "check_failed");
-	}
-	if (maxTokenAge) {
-		const age = now - payload.iat;
-		const max = typeof maxTokenAge === "number" ? maxTokenAge : secs_default(maxTokenAge);
-		if (age - tolerance > max) throw new JWTExpired("\"iat\" claim timestamp check failed (too far in the past)", payload, "iat", "check_failed");
-		if (age < 0 - tolerance) throw new JWTClaimValidationFailed("\"iat\" claim timestamp check failed (it should be in the past)", payload, "iat", "check_failed");
-	}
-	return payload;
-};
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/jwt/verify.js
-async function jwtVerify(jwt, key, options) {
-	const verified = await compactVerify(jwt, key, options);
-	if (verified.protectedHeader.crit?.includes("b64") && verified.protectedHeader.b64 === false) throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
-	const result = {
-		payload: jwt_claims_set_default(verified.protectedHeader, verified.payload, options),
-		protectedHeader: verified.protectedHeader
-	};
-	if (typeof key === "function") return {
-		...result,
-		key: verified.key
-	};
-	return result;
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/jwks/local.js
-function getKtyFromAlg(alg) {
-	switch (typeof alg === "string" && alg.slice(0, 2)) {
-		case "RS":
-		case "PS": return "RSA";
-		case "ES": return "EC";
-		case "Ed": return "OKP";
-		default: throw new JOSENotSupported("Unsupported \"alg\" value for a JSON Web Key Set");
-	}
-}
-function isJWKSLike(jwks) {
-	return jwks && typeof jwks === "object" && Array.isArray(jwks.keys) && jwks.keys.every(isJWKLike);
-}
-function isJWKLike(key) {
-	return isObject(key);
-}
-function clone(obj) {
-	if (typeof structuredClone === "function") return structuredClone(obj);
-	return JSON.parse(JSON.stringify(obj));
-}
-var LocalJWKSet = class {
-	_jwks;
-	_cached = /* @__PURE__ */ new WeakMap();
-	constructor(jwks) {
-		if (!isJWKSLike(jwks)) throw new JWKSInvalid("JSON Web Key Set malformed");
-		this._jwks = clone(jwks);
-	}
-	async getKey(protectedHeader, token) {
-		const { alg, kid } = {
-			...protectedHeader,
-			...token?.header
-		};
-		const kty = getKtyFromAlg(alg);
-		const candidates = this._jwks.keys.filter((jwk) => {
-			let candidate = kty === jwk.kty;
-			if (candidate && typeof kid === "string") candidate = kid === jwk.kid;
-			if (candidate && typeof jwk.alg === "string") candidate = alg === jwk.alg;
-			if (candidate && typeof jwk.use === "string") candidate = jwk.use === "sig";
-			if (candidate && Array.isArray(jwk.key_ops)) candidate = jwk.key_ops.includes("verify");
-			if (candidate) switch (alg) {
-				case "ES256":
-					candidate = jwk.crv === "P-256";
-					break;
-				case "ES256K":
-					candidate = jwk.crv === "secp256k1";
-					break;
-				case "ES384":
-					candidate = jwk.crv === "P-384";
-					break;
-				case "ES512":
-					candidate = jwk.crv === "P-521";
-					break;
-				case "Ed25519":
-					candidate = jwk.crv === "Ed25519";
-					break;
-				case "EdDSA":
-					candidate = jwk.crv === "Ed25519" || jwk.crv === "Ed448";
-					break;
-			}
-			return candidate;
-		});
-		const { 0: jwk, length } = candidates;
-		if (length === 0) throw new JWKSNoMatchingKey();
-		if (length !== 1) {
-			const error = new JWKSMultipleMatchingKeys();
-			const { _cached } = this;
-			error[Symbol.asyncIterator] = async function* () {
-				for (const jwk of candidates) try {
-					yield await importWithAlgCache(_cached, jwk, alg);
-				} catch {}
-			};
-			throw error;
-		}
-		return importWithAlgCache(this._cached, jwk, alg);
-	}
-};
-async function importWithAlgCache(cache, jwk, alg) {
-	const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);
-	if (cached[alg] === void 0) {
-		const key = await importJWK({
-			...jwk,
-			ext: true
-		}, alg);
-		if (key instanceof Uint8Array || key.type !== "public") throw new JWKSInvalid("JSON Web Key Set members must be public keys");
-		cached[alg] = key;
-	}
-	return cached[alg];
-}
-function createLocalJWKSet(jwks) {
-	const set = new LocalJWKSet(jwks);
-	const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
-	Object.defineProperties(localJWKSet, { jwks: {
-		value: () => clone(set._jwks),
-		enumerable: true,
-		configurable: false,
-		writable: false
-	} });
-	return localJWKSet;
-}
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/fetch_jwks.js
-const fetchJwks = async (url, timeout, options) => {
-	let get;
-	switch (url.protocol) {
-		case "https:":
-			get = node_https.get;
-			break;
-		case "http:":
-			get = node_http.get;
-			break;
-		default: throw new TypeError("Unsupported URL protocol.");
-	}
-	const { agent, headers } = options;
-	const req = get(url.href, {
-		agent,
-		timeout,
-		headers
-	});
-	const [response] = await Promise.race([(0, node_events.once)(req, "response"), (0, node_events.once)(req, "timeout")]);
-	if (!response) {
-		req.destroy();
-		throw new JWKSTimeout();
-	}
-	if (response.statusCode !== 200) throw new JOSEError("Expected 200 OK from the JSON Web Key Set HTTP response");
-	const parts = [];
-	for await (const part of response) parts.push(part);
-	try {
-		return JSON.parse(decoder.decode(concat(...parts)));
-	} catch {
-		throw new JOSEError("Failed to parse the JSON Web Key Set HTTP response as JSON");
-	}
-};
-//#endregion
-//#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/jwks/remote.js
-function isCloudflareWorkers() {
-	return typeof WebSocketPair !== "undefined" || typeof navigator !== "undefined" && navigator.userAgent === "Cloudflare-Workers" || typeof EdgeRuntime !== "undefined" && EdgeRuntime === "vercel";
-}
-let USER_AGENT;
-if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) USER_AGENT = `jose/v5.10.0`;
-const jwksCache = Symbol();
-function isFreshJwksCache(input, cacheMaxAge) {
-	if (typeof input !== "object" || input === null) return false;
-	if (!("uat" in input) || typeof input.uat !== "number" || Date.now() - input.uat >= cacheMaxAge) return false;
-	if (!("jwks" in input) || !isObject(input.jwks) || !Array.isArray(input.jwks.keys) || !Array.prototype.every.call(input.jwks.keys, isObject)) return false;
-	return true;
-}
-var RemoteJWKSet = class {
-	_url;
-	_timeoutDuration;
-	_cooldownDuration;
-	_cacheMaxAge;
-	_jwksTimestamp;
-	_pendingFetch;
-	_options;
-	_local;
-	_cache;
-	constructor(url, options) {
-		if (!(url instanceof URL)) throw new TypeError("url must be an instance of URL");
-		this._url = new URL(url.href);
-		this._options = {
-			agent: options?.agent,
-			headers: options?.headers
-		};
-		this._timeoutDuration = typeof options?.timeoutDuration === "number" ? options?.timeoutDuration : 5e3;
-		this._cooldownDuration = typeof options?.cooldownDuration === "number" ? options?.cooldownDuration : 3e4;
-		this._cacheMaxAge = typeof options?.cacheMaxAge === "number" ? options?.cacheMaxAge : 6e5;
-		if (options?.[jwksCache] !== void 0) {
-			this._cache = options?.[jwksCache];
-			if (isFreshJwksCache(options?.[jwksCache], this._cacheMaxAge)) {
-				this._jwksTimestamp = this._cache.uat;
-				this._local = createLocalJWKSet(this._cache.jwks);
-			}
-		}
-	}
-	coolingDown() {
-		return typeof this._jwksTimestamp === "number" ? Date.now() < this._jwksTimestamp + this._cooldownDuration : false;
-	}
-	fresh() {
-		return typeof this._jwksTimestamp === "number" ? Date.now() < this._jwksTimestamp + this._cacheMaxAge : false;
-	}
-	async getKey(protectedHeader, token) {
-		if (!this._local || !this.fresh()) await this.reload();
-		try {
-			return await this._local(protectedHeader, token);
-		} catch (err) {
-			if (err instanceof JWKSNoMatchingKey) {
-				if (this.coolingDown() === false) {
-					await this.reload();
-					return this._local(protectedHeader, token);
-				}
-			}
-			throw err;
-		}
-	}
-	async reload() {
-		if (this._pendingFetch && isCloudflareWorkers()) this._pendingFetch = void 0;
-		const headers = new Headers(this._options.headers);
-		if (USER_AGENT && !headers.has("User-Agent")) {
-			headers.set("User-Agent", USER_AGENT);
-			this._options.headers = Object.fromEntries(headers.entries());
-		}
-		this._pendingFetch ||= fetchJwks(this._url, this._timeoutDuration, this._options).then((json) => {
-			this._local = createLocalJWKSet(json);
-			if (this._cache) {
-				this._cache.uat = Date.now();
-				this._cache.jwks = json;
-			}
-			this._jwksTimestamp = Date.now();
-			this._pendingFetch = void 0;
-		}).catch((err) => {
-			this._pendingFetch = void 0;
-			throw err;
-		});
-		await this._pendingFetch;
-	}
-};
-function createRemoteJWKSet(url, options) {
-	const set = new RemoteJWKSet(url, options);
-	const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
-	Object.defineProperties(remoteJWKSet, {
-		coolingDown: {
-			get: () => set.coolingDown(),
-			enumerable: true,
-			configurable: false
-		},
-		fresh: {
-			get: () => set.fresh(),
-			enumerable: true,
-			configurable: false
-		},
-		reload: {
-			value: () => set.reload(),
-			enumerable: true,
-			configurable: false,
-			writable: false
-		},
-		reloading: {
-			get: () => !!set._pendingFetch,
-			enumerable: true,
-			configurable: false
-		},
-		jwks: {
-			value: () => set._local?.jwks(),
-			enumerable: true,
-			configurable: false,
-			writable: false
-		}
-	});
-	return remoteJWKSet;
-}
 const decode = decode$1;
 //#endregion
 //#region ../../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/util/decode_jwt.js
@@ -2373,25 +1363,6 @@ function getTokenTimeRemaining(token) {
 		return 0;
 	}
 }
-/**
-* Verify a JWT token's signature using a JWKS endpoint and extract its payload.
-*
-* Unlike {@link decodeToken}, this function cryptographically verifies
-* that the token was signed by a trusted key.
-*
-* @param token - The JWT token string
-* @param jwksUrl - URL of the JWKS endpoint
-* @returns The verified JWT payload, or null if verification fails
-*/
-async function verifyToken(token, jwksUrl) {
-	try {
-		const { payload } = await jwtVerify(token, createRemoteJWKSet(new URL(jwksUrl)));
-		return extractPayloadFromJose(payload);
-	} catch (error) {
-		console.error("[FluidAuth] JWT signature verification failed:", error);
-		return null;
-	}
-}
 //#endregion
 //#region ../../platform/auth/src/token-storage.ts
 /**
@@ -2610,36 +1581,6 @@ function extractAllTokensFromUrl(userTokenKey = URL_PARAMS.USER_TOKEN, companyTo
 		};
 	}
 }
-//#endregion
-//#region ../../platform/auth/src/dev-utils.ts
-/**
-* Check if dev bypass should be active.
-* Requires both the config flag AND Vite dev mode.
-*/
-function isDevBypassActive(devBypass) {
-	if (!devBypass) return false;
-	try {
-		return {}.env?.DEV === true;
-	} catch {
-		return false;
-	}
-}
-/**
-* Create a synthetic dev user for local development.
-* This user has realistic data for UI rendering but no real auth.
-*/
-function createDevUser() {
-	return {
-		id: 99999,
-		email: "dev@localhost",
-		full_name: "Dev User",
-		user_type: USER_TYPES.rep,
-		og_user_type: void 0,
-		company_id: 99999,
-		exp: void 0,
-		auth_type: "dev_bypass"
-	};
-}
 zod.z.object({
 	id: zod.z.number(),
 	name: zod.z.string(),
@@ -2727,17 +1668,6 @@ function createDefaultAuthRedirect(authUrl) {
 		window.location.href = `${base}/?redirect_url=${currentUrl}`;
 	};
 }
-/**
-* Resolves the effective auth failure handler.
-* Returns the custom callback if provided, otherwise creates a default redirect.
-*
-* @param onAuthFailure - Custom callback from user config
-* @param authUrl - Custom auth URL (only used when creating the default redirect)
-* @returns The resolved handler function
-*/
-function resolveAuthFailureHandler(onAuthFailure, authUrl) {
-	return onAuthFailure ?? createDefaultAuthRedirect(authUrl);
-}
 //#endregion
 //#region ../core/src/theme/types.ts
 const SEMANTIC_COLOR_NAMES = [
@@ -3698,6 +2628,13 @@ function extractErrorMessage(data, fallback) {
 	return fallback;
 }
 /**
+* Type guard to detect whether a parsed JSON value is an API envelope.
+* Envelopes always have numeric `status` and a `data` key.
+*/
+function isApiEnvelope(value) {
+	return typeof value === "object" && value !== null && "status" in value && typeof value.status === "number" && "data" in value;
+}
+/**
 * Creates a configured Fluid API client instance
 */
 function createFluidClient(config) {
@@ -3707,22 +2644,19 @@ function createFluidClient(config) {
 		baseUrl,
 		...getAuthToken ? { getAuthToken } : {},
 		onAuthError: effectiveOnAuthError,
-		defaultHeaders
+		defaultHeaders,
+		credentials: "include"
 	});
 	/**
-	* Build headers for a request
+	* Build headers for a request.
+	* Auth is handled by session cookies via `credentials: 'include'` on fetch calls.
 	*/
-	async function buildHeaders(customHeaders) {
-		const headers = {
+	function buildHeaders(customHeaders) {
+		return {
 			"Content-Type": "application/json",
 			...defaultHeaders,
 			...customHeaders
 		};
-		if (getAuthToken) {
-			const token = await getAuthToken();
-			if (token) headers.Authorization = `Bearer ${token}`;
-		}
-		return headers;
 	}
 	/**
 	* Build URL with query parameters (Rails-compatible)
@@ -3730,7 +2664,7 @@ function createFluidClient(config) {
 	function buildUrl(endpoint, params) {
 		const normalizedBase = baseUrl.endsWith("/") ? baseUrl.slice(0, -1) : baseUrl;
 		const normalizedEndpoint = endpoint.startsWith("/") ? endpoint : `/${endpoint}`;
-		const url = new URL(normalizedBase + normalizedEndpoint);
+		const url = normalizedBase ? new URL(normalizedBase + normalizedEndpoint) : new URL(normalizedEndpoint, typeof window !== "undefined" ? window.location.origin : "http://localhost");
 		if (params) for (const [key, value] of Object.entries(params)) {
 			if (value === void 0 || value === null) continue;
 			if (Array.isArray(value)) for (const item of value) url.searchParams.append(`${key}[]`, String(item));
@@ -3754,12 +2688,13 @@ function createFluidClient(config) {
 	async function request(endpoint, options = {}) {
 		const { method = defaultRequestOptions.method, headers: customHeaders, params, body, signal } = options;
 		const url = buildUrl(endpoint, method === HTTP_METHODS.GET ? params : void 0);
-		const headers = await buildHeaders(customHeaders);
+		const headers = buildHeaders(customHeaders);
 		let response;
 		try {
 			const fetchOptions = {
 				method,
-				headers
+				headers,
+				credentials: "include"
 			};
 			if (signal !== void 0) fetchOptions.signal = signal;
 			if (body && method !== HTTP_METHODS.GET) fetchOptions.body = JSON.stringify(body);
@@ -3782,9 +2717,9 @@ function createFluidClient(config) {
 		}
 		if (response.status === 204 || response.headers.get("content-length") === "0") return null;
 		try {
-			const data = await response.json();
-			if (data === null || data === void 0) throw new ApiError("Unexpected null/undefined in JSON response", response.status, null);
-			return data;
+			const raw = await response.json();
+			if (raw === null || raw === void 0) throw new ApiError("Unexpected null/undefined in JSON response", response.status, null);
+			return isApiEnvelope(raw) ? raw.data : raw;
 		} catch (parseError) {
 			if (isApiError(parseError)) throw parseError;
 			throw new ApiError("Failed to parse response as JSON", response.status, null);
@@ -3819,6 +2754,51 @@ function createFluidClient(config) {
 		}
 	}
 	/**
+	* Request wrapper for paginated list endpoints.
+	* Parses the API envelope and returns both `data` and cursor pagination metadata.
+	* Falls back gracefully when the response is not an envelope.
+	*/
+	async function requestPaginated(endpoint, options = {}) {
+		const { method = defaultRequestOptions.method, headers: customHeaders, params, body, signal } = options;
+		const url = buildUrl(endpoint, method === HTTP_METHODS.GET ? params : void 0);
+		const headers = buildHeaders(customHeaders);
+		let response;
+		try {
+			const fetchOptions = {
+				method,
+				headers,
+				credentials: "include"
+			};
+			if (signal !== void 0) fetchOptions.signal = signal;
+			if (body && method !== HTTP_METHODS.GET) fetchOptions.body = JSON.stringify(body);
+			response = await fetch(url, fetchOptions);
+		} catch (networkError) {
+			throw new ApiError(`Network error: ${networkError instanceof Error ? networkError.message : "Unknown network error"}`, 0, null);
+		}
+		if (response.status === 401) {
+			effectiveOnAuthError();
+			throw new ApiError("Authentication required", 401, null);
+		}
+		if (!response.ok) try {
+			if (response.headers.get("content-type")?.includes("application/json")) {
+				const errorData = await response.json();
+				throw new ApiError(extractErrorMessage(errorData, `${method} request failed`), response.status, "errors" in errorData ? errorData.errors : errorData);
+			} else throw new ApiError(`${method} request failed with status ${response.status}`, response.status, null);
+		} catch (error) {
+			if (isApiError(error)) throw error;
+			throw new ApiError(`${method} request failed with status ${response.status}`, response.status, null);
+		}
+		const raw = await response.json();
+		if (isApiEnvelope(raw)) return {
+			data: raw.data,
+			pagination: raw.meta.pagination
+		};
+		return {
+			data: raw,
+			pagination: void 0
+		};
+	}
+	/**
 	* Helper to safely convert typed params to Record<string, unknown>.
 	* Type assertion required: TypeScript's structural typing allows any object
 	* to be treated as Record<string, unknown> when we only need to iterate
@@ -3868,11 +2848,17 @@ function createFluidClient(config) {
 		patch,
 		delete: del,
 		products: {
-			list: (params) => get("/api/company/v1/products", params),
+			list: (params) => requestPaginated("/api/company/v1/products", {
+				method: HTTP_METHODS.GET,
+				params: toParams(params)
+			}),
 			get: (id) => get(`/api/company/v1/products/${id}`),
-			search: (query, params) => get("/api/company/v1/products", {
-				search_query: query,
-				...params
+			search: (query, params) => requestPaginated("/api/company/v1/products", {
+				method: HTTP_METHODS.GET,
+				params: {
+					search_query: query,
+					...toParams(params)
+				}
 			})
 		},
 		orders: {
@@ -3980,9 +2966,17 @@ function useThemeContext() {
 /**
 * FluidAuthProvider - Authentication Provider for Fluid Portal SDK
 *
-* Handles JWT token extraction from URL, validation, storage, and
-* provides authentication context to child components.
+* Session-based authentication: Rails establishes an HTTP-only session cookie
+* during the Hub → Tenant handoff. The SPA checks session state via a BFF
+* endpoint (`/api/me`).
+*
+* When the session is missing or expires, the provider reloads the page rather
+* than redirecting client-side. This delegates redirect logic to Rails, which
+* correctly resolves the Portal Hub URL for any hostname pattern — including
+* CNAMEs like `portal.acme.com` where client-side hostname parsing would fail.
 */
+/** BFF endpoint that returns the current user from the server session. */
+const SESSION_ENDPOINT = "/api/me";
 /**
 * Auth context - null when outside provider
 */
@@ -3991,7 +2985,7 @@ function authReducer(state, action) {
 	switch (action.type) {
 		case "SET_AUTH": return {
 			isLoading: false,
-			token: action.token,
+			token: null,
 			user: action.user,
 			error: action.error
 		};
@@ -4017,12 +3011,13 @@ const initialAuthState = {
 * Authentication provider for Fluid portal applications.
 *
 * On mount, this provider:
-* 1. Checks for a token in the URL (passed from parent app)
-* 2. Cleans token from URL immediately (security)
-* 3. Falls back to stored token (cookie/localStorage)
-* 4. Validates the token (checks expiration)
-* 5. Stores valid tokens for future use
-* 6. Calls onAuthFailure if no valid token found
+* 1. Checks the server session via `GET /api/me` (BFF endpoint)
+* 2. If 401 — no session — reloads the page so Rails can redirect to the Hub
+* 3. Populates auth state from the API response
+*
+* The Hub → Tenant handoff is fully server-side: Rails consumes a short-lived
+* DB token and establishes an HTTP-only session cookie before the SPA boots.
+* Unauthenticated HTML requests are 302'd to the Portal Hub by Rails.
 *
 * @example
 * ```tsx
@@ -4030,13 +3025,7 @@ const initialAuthState = {
 *
 * function App() {
 *   return (
-*     <FluidAuthProvider
-*       config={{
-*         onAuthFailure: () => {
-*           window.location.href = "/login";
-*         },
-*       }}
-*     >
+*     <FluidAuthProvider>
 *       <YourApp />
 *     </FluidAuthProvider>
 *   );
@@ -4050,107 +3039,37 @@ function FluidAuthProvider({ children, config }) {
 	const { isLoading, token, user, error } = state;
 	(0, react.useEffect)(() => {
 		const initializeAuth = async () => {
-			const handleAuthFailure = () => {
+			const handleUnauthenticated = () => {
 				const current = configRef.current;
-				resolveAuthFailureHandler(current?.onAuthFailure, current?.authUrl)();
-			};
-			try {
-				if (isDevBypassActive(config?.devBypass)) {
-					const envToken = {}.env.VITE_DEV_TOKEN;
-					if (envToken) {
-						const validation = validateToken(envToken, config?.gracePeriodMs);
-						if (validation.isValid && validation.payload) {
-							storeToken(envToken, config);
-							dispatch({
-								type: "SET_AUTH",
-								token: envToken,
-								user: validation.payload,
-								error: null
-							});
-							return;
-						}
-						console.warn("[FluidAuth] VITE_DEV_TOKEN is invalid or expired, falling back to mock user");
-					}
-					console.warn("[FluidAuth] Dev bypass active - using mock user. API calls will fail without a real token.");
-					dispatch({
-						type: "SET_AUTH",
-						token: null,
-						user: createDevUser(),
-						error: null
-					});
+				if (current?.onAuthFailure) {
+					current.onAuthFailure();
 					return;
 				}
-				const tokenKey = config?.tokenKey ?? "fluidUserToken";
-				let candidateToken = extractTokenFromUrl(tokenKey);
-				if (!candidateToken && tokenKey !== "jwt") candidateToken = extractTokenFromUrl("jwt");
-				cleanTokenFromUrl(tokenKey);
-				cleanTokenFromUrl("jwt");
-				if (!candidateToken) candidateToken = getStoredToken(config);
-				if (candidateToken) {
-					let payload = null;
-					if (config?.jwksUrl) {
-						payload = await verifyToken(candidateToken, config.jwksUrl);
-						if (!payload) {
-							clearTokens(config);
-							dispatch({
-								type: "SET_AUTH",
-								token: null,
-								user: null,
-								error: /* @__PURE__ */ new Error("JWT signature verification failed")
-							});
-							handleAuthFailure();
-							return;
-						}
-						if (isTokenExpired(candidateToken, config?.gracePeriodMs)) {
-							clearTokens(config);
-							dispatch({
-								type: "SET_AUTH",
-								token: null,
-								user: null,
-								error: /* @__PURE__ */ new Error("Token has expired")
-							});
-							handleAuthFailure();
-							return;
-						}
-					} else {
-						const validation = validateToken(candidateToken, config?.gracePeriodMs);
-						if (validation.isValid && validation.payload) payload = validation.payload;
-						else {
-							clearTokens(config);
-							dispatch({
-								type: "SET_AUTH",
-								token: null,
-								user: null,
-								error: new Error(validation.error ?? "Invalid token")
-							});
-							handleAuthFailure();
-							return;
-						}
-					}
-					storeToken(candidateToken, config);
-					dispatch({
-						type: "SET_AUTH",
-						token: candidateToken,
-						user: payload,
-						error: null
-					});
-				} else {
+				window.location.reload();
+			};
+			try {
+				const response = await fetch(SESSION_ENDPOINT, { credentials: "include" });
+				if (response.status === 401) {
 					dispatch({
 						type: "SET_AUTH",
-						token: null,
 						user: null,
-						error: /* @__PURE__ */ new Error("No authentication token found")
+						error: /* @__PURE__ */ new Error("No active session")
 					});
-					handleAuthFailure();
+					handleUnauthenticated();
+					return;
 				}
+				if (!response.ok) throw new Error(`Session check failed with status ${String(response.status)}`);
+				dispatch({
+					type: "SET_AUTH",
+					user: (await response.json()).data,
+					error: null
+				});
 			} catch (err) {
 				dispatch({
 					type: "SET_AUTH",
-					token: null,
 					user: null,
 					error: err instanceof Error ? err : /* @__PURE__ */ new Error("Authentication error")
 				});
-				handleAuthFailure();
 			} finally {
 				dispatch({ type: "DONE_LOADING" });
 			}
@@ -4158,7 +3077,6 @@ function FluidAuthProvider({ children, config }) {
 		initializeAuth();
 	}, []);
 	const clearAuth = (0, react.useCallback)(() => {
-		clearTokens(configRef.current);
 		dispatch({ type: "CLEAR_AUTH" });
 	}, []);
 	const contextValue = (0, react.useMemo)(() => ({
@@ -4302,10 +3220,7 @@ const FluidContext = (0, react.createContext)(null);
 * function App() {
 *   return (
 *     <FluidProvider
-*       config={{
-*         baseUrl: "https://api.fluid.app/api",
-*         getAuthToken: () => localStorage.getItem("token"),
-*       }}
+*       config={{ baseUrl: "" }}
 *     >
 *       <YourApp />
 *     </FluidProvider>
@@ -4334,13 +3249,7 @@ function FluidProvider({ config, children, queryClient, initialTheme, themeConta
 		config: configRef.current
 	}), [client]);
 	const getApiHeaders = (0, react.useCallback)(() => {
-		const headers = { "Content-Type": "application/json" };
-		const getAuthToken = configRef.current.getAuthToken;
-		if (typeof getAuthToken === "function") {
-			const tokenOrPromise = getAuthToken();
-			if (typeof tokenOrPromise === "string") headers.Authorization = `Bearer ${tokenOrPromise}`;
-		}
-		return headers;
+		return { "Content-Type": "application/json" };
 	}, []);
 	const dataSourceBaseUrl = (0, react.useMemo)(() => {
 		const base = config.baseUrl.replace(/\/+$/, "");
@@ -4893,4 +3802,4 @@ Object.defineProperty(exports, "widgetPropertySchemas", {
 	}
 });
 
-//# sourceMappingURL=FluidProvider-CyzA2g75.cjs.map
+//# sourceMappingURL=FluidProvider-DbYLBGGg.cjs.map