npm - @hexclave/tanstack-start - Versions diffs - 1.0.0 - Mend

@hexclave/tanstack-start 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1049) hide show

package/dist/lib/stack-app/apps/implementations/client-app-impl.js ADDED Viewed

@@ -0,0 +1,2858 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_chunk = require('../../../../chunk-BE-pF4vm.js');
+let _stackframe_stack_shared_dist_utils_errors = require("@hexclave/shared/dist/utils/errors");
+let _stackframe_stack_shared_dist_utils_promises = require("@hexclave/shared/dist/utils/promises");
+let react = require("react");
+react = require_chunk.__toESM(react);
+let _stackframe_stack_shared = require("@hexclave/shared");
+let _stackframe_stack_shared_dist_utils_urls = require("@hexclave/shared/dist/utils/urls");
+let _stackframe_stack_shared_dist_utils_react = require("@hexclave/shared/dist/utils/react");
+let _stackframe_stack_shared_dist_utils_objects = require("@hexclave/shared/dist/utils/objects");
+let _stackframe_stack_shared_dist_utils_results = require("@hexclave/shared/dist/utils/results");
+let _stackframe_stack_shared_dist_utils_strings = require("@hexclave/shared/dist/utils/strings");
+let _stackframe_stack_shared_dist_utils_env = require("@hexclave/shared/dist/utils/env");
+let _stackframe_tanstack_start_tanstack_start_server_context = require("@hexclave/tanstack-start/tanstack-start-server-context");
+_stackframe_tanstack_start_tanstack_start_server_context = require_chunk.__toESM(_stackframe_tanstack_start_tanstack_start_server_context);
+let __common_js = require("./common.js");
+let _stackframe_stack_shared_dist_utils_redirect_urls = require("@hexclave/shared/dist/utils/redirect-urls");
+let _stackframe_stack_shared_dist_utils_bytes = require("@hexclave/shared/dist/utils/bytes");
+let ______common_js = require("../../common.js");
+let ______projects_index_js = require("../../projects/index.js");
+let _simplewebauthn_browser = require("@simplewebauthn/browser");
+let _stackframe_stack_shared_dist_sessions = require("@hexclave/shared/dist/sessions");
+let _stackframe_stack_shared_dist_utils_json = require("@hexclave/shared/dist/utils/json");
+let _stackframe_stack_shared_dist_utils_maps = require("@hexclave/shared/dist/utils/maps");
+let _stackframe_stack_shared_dist_utils_stores = require("@hexclave/shared/dist/utils/stores");
+let _stackframe_stack_shared_dist_utils_turnstile_flow = require("@hexclave/shared/dist/utils/turnstile-flow");
+let _stackframe_stack_shared_dist_utils_uuids = require("@hexclave/shared/dist/utils/uuids");
+let _tanstack_react_router = require("@tanstack/react-router");
+_tanstack_react_router = require_chunk.__toESM(_tanstack_react_router);
+let cookie = require("cookie");
+cookie = require_chunk.__toESM(cookie);
+let ____________utils_url_js = require("../../../../utils/url.js");
+let _________auth_js = require("../../../auth.js");
+let _________cookie_js = require("../../../cookie.js");
+let _________env_js = require("../../../env.js");
+let ______api_keys_index_js = require("../../api-keys/index.js");
+let ______contact_channels_index_js = require("../../contact-channels/index.js");
+let ______teams_index_js = require("../../teams/index.js");
+let ______url_targets_js = require("../../url-targets.js");
+let ______users_index_js = require("../../users/index.js");
+let __event_tracker_js = require("./event-tracker.js");
+let __redirect_page_urls_js = require("./redirect-page-urls.js");
+let __session_refresh_subscription_js = require("./session-refresh-subscription.js");
+let __session_replay_js = require("./session-replay.js");
+let ____________dev_tool_index_js = require("../../../../dev-tool/index.js");
+//#region src/lib/stack-app/apps/implementations/client-app-impl.ts
+const prefetchedCrossDomainHandoffTtlMs = 3300 * 1e3;
+const nestedCrossDomainAuthQueryParams = {
+	refreshTokenId: "stack_nested_cross_domain_auth_refresh_token_id",
+	callbackUrl: "stack_nested_cross_domain_auth_callback_url",
+	redirectUri: "redirect_uri",
+	state: "state",
+	codeChallenge: "code_challenge",
+	codeChallengeMethod: "code_challenge_method",
+	afterCallbackRedirectUrl: "after_callback_redirect_url"
+};
+const oauthCallbackResponseQueryParams = [
+	"code",
+	"state",
+	"error",
+	"error_description",
+	"errorCode",
+	"message",
+	"details"
+];
+const allClientApps = /* @__PURE__ */ new Map();
+const STACK_AUTHORIZATION_VALUE_PREFIX = "stackauth_";
+const HEXCLAVE_AUTHORIZATION_VALUE_PREFIX = "hexclave_";
+function getAuthorizationHeaderValueFromAuthJson(authJson) {
+	if (authJson.accessToken == null && authJson.refreshToken == null) return null;
+	return `Bearer ${STACK_AUTHORIZATION_VALUE_PREFIX}${(0, _stackframe_stack_shared_dist_utils_bytes.encodeBase64)(new TextEncoder().encode(JSON.stringify(authJson)))}`;
+}
+function getAuthJsonFromAuthorizationHeaderValue(authorizationHeaderValue) {
+	const match = authorizationHeaderValue.match(/^Bearer\s+(.+)$/i);
+	if (match == null) return null;
+	const credential = match[1].trim();
+	const matchedPrefix = credential.startsWith(HEXCLAVE_AUTHORIZATION_VALUE_PREFIX) ? HEXCLAVE_AUTHORIZATION_VALUE_PREFIX : credential.startsWith(STACK_AUTHORIZATION_VALUE_PREFIX) ? STACK_AUTHORIZATION_VALUE_PREFIX : null;
+	if (matchedPrefix == null) return null;
+	const encodedAuthJson = credential.slice(matchedPrefix.length);
+	if (encodedAuthJson.length === 0) throw new Error("Invalid Authorization header format. Expected `Bearer stackauth_<base64(getAuthJson())>`.");
+	let parsed;
+	try {
+		const decodedAuthJson = new TextDecoder().decode((0, _stackframe_stack_shared_dist_utils_bytes.decodeBase64)(encodedAuthJson));
+		parsed = JSON.parse(decodedAuthJson);
+	} catch (e) {
+		throw new Error("Invalid stackauth authorization header.", { cause: e });
+	}
+	if (parsed == null || typeof parsed !== "object" || Array.isArray(parsed)) throw new Error("Invalid stackauth authorization payload. Expected an object.");
+	const accessToken = Reflect.get(parsed, "accessToken");
+	const refreshToken = Reflect.get(parsed, "refreshToken");
+	if (accessToken != null && typeof accessToken !== "string") throw new Error("Invalid stackauth authorization payload. `accessToken` must be a string or null.");
+	if (refreshToken != null && typeof refreshToken !== "string") throw new Error("Invalid stackauth authorization payload. `refreshToken` must be a string or null.");
+	return {
+		accessToken: accessToken ?? null,
+		refreshToken: refreshToken ?? null
+	};
+}
+function getHeaderValueFromRequestLikeHeaders(headers, name) {
+	if ("get" in headers && typeof headers.get === "function") return headers.get(name);
+	const lowerCaseName = name.toLowerCase();
+	for (const [headerName, headerValue] of Object.entries(headers)) if (headerName.toLowerCase() === lowerCaseName) return headerValue;
+	return null;
+}
+function getTanStackStartRequestHeader(name) {
+	const { getRequestHeader } = _stackframe_tanstack_start_tanstack_start_server_context;
+	if (getRequestHeader == null) throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("TanStack Start request headers are only available during server rendering");
+	return getRequestHeader(name) ?? null;
+}
+async function getServerRequestHost() {
+	return getTanStackStartRequestHeader("host");
+}
+var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
+	static {
+		this.LazyStackAdminAppImpl = { value: void 0 };
+	}
+	async _createCookieHelper(overrideTokenStoreInit) {
+		const tokenStoreInit = overrideTokenStoreInit === void 0 ? this._tokenStoreInit : overrideTokenStoreInit;
+		if (tokenStoreInit === "nextjs-cookie" || tokenStoreInit === "cookie") return await (0, _________cookie_js.createCookieHelper)();
+		else return await (0, _________cookie_js.createPlaceholderCookieHelper)();
+	}
+	/** @deprecated Used by legacy getConnectedAccount(providerId) — combines user check + token check + redirect into one cache */
+	async _getUserOAuthConnectionCacheFn(options) {
+		const user = await options.getUser();
+		let hasConnection = true;
+		if (!user || !user.oauth_providers.find((p) => p.id === options.providerId)) hasConnection = false;
+		if (!await options.getOrWaitOAuthToken()) hasConnection = false;
+		if (!hasConnection && options.redirect) {
+			if (!options.session) throw new Error(_stackframe_stack_shared_dist_utils_strings.deindent`
+          Cannot add new scopes to a user that is not a CurrentUser. Please ensure that you are calling this function on a CurrentUser object, or remove the 'or: redirect' option.
+          Often, you can solve this by calling this function in the browser instead, or by removing the 'or: redirect' option and dealing with the case where the user doesn't have enough permissions.
+        `);
+			const location = await (0, _________auth_js.getNewOAuthProviderOrScopeUrl)(this._interface, {
+				provider: options.providerId,
+				redirectUrl: this._getOAuthCallbackRedirectUri(),
+				errorRedirectUrl: this.urls.error,
+				providerScope: (0, _stackframe_stack_shared_dist_utils_strings.mergeScopeStrings)(options.scope || "", (this._oauthScopesOnSignIn[options.providerId] ?? []).join(" "))
+			}, options.session);
+			await this._redirectTo({ url: location });
+			return await (0, _stackframe_stack_shared_dist_utils_promises.neverResolve)();
+		} else if (!hasConnection) return null;
+		const providerAccountId = user.oauth_providers.find((p) => p.id === options.providerId)?.account_id ?? "";
+		return {
+			id: options.providerId,
+			provider: options.providerId,
+			providerAccountId,
+			async getAccessToken() {
+				const result = await options.getOrWaitOAuthToken();
+				if (!result) throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError(`Failed to retrieve an access token for this connected account (provider: ${options.providerId}). This usually means the OAuth refresh token has been revoked or expired. The user needs to re-authorize by calling \`linkConnectedAccount\` or using \`getOrLinkConnectedAccount\`.`);
+				return result;
+			},
+			useAccessToken() {
+				const result = options.useOAuthToken();
+				if (!result) throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError(`Failed to retrieve an access token for this connected account (provider: ${options.providerId}). This usually means the OAuth refresh token has been revoked or expired. The user needs to re-authorize by calling \`linkConnectedAccount\` or using \`getOrLinkConnectedAccount\`.`);
+				return result;
+			}
+		};
+	}
+	_createOAuthConnectionFromCrudItem(item, session) {
+		const app = this;
+		const providerId = item.provider;
+		const providerAccountId = item.provider_account_id;
+		return {
+			id: providerId,
+			provider: providerId,
+			providerAccountId,
+			async getAccessToken(options) {
+				const scopeString = options?.scopes?.join(" ") ?? "";
+				const result = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await app._currentUserOAuthConnectionAccessTokensByAccountCache.getOrWait([
+					session,
+					providerId,
+					providerAccountId,
+					scopeString
+				], "write-only"));
+				if (!result) {
+					const scopeDetail = scopeString ? `The requested scopes [${scopeString}] are not available on the existing token.` : "The OAuth refresh token has likely been revoked or expired.";
+					return _stackframe_stack_shared_dist_utils_results.Result.error(new _stackframe_stack_shared.KnownErrors.OAuthAccessTokenNotAvailable(providerId, `${scopeDetail} The user needs to re-authorize by calling \`linkConnectedAccount\` or using \`getOrLinkConnectedAccount\`.`));
+				}
+				return _stackframe_stack_shared_dist_utils_results.Result.ok(result);
+			},
+			useAccessToken(options) {
+				const scopeString = options?.scopes?.join(" ") ?? "";
+				const result = (0, __common_js.useAsyncCache)(app._currentUserOAuthConnectionAccessTokensByAccountCache, [
+					session,
+					providerId,
+					providerAccountId,
+					scopeString
+				], "connection.useAccessToken()");
+				if (!result) {
+					const scopeDetail = scopeString ? `The requested scopes [${scopeString}] are not available on the existing token.` : "The OAuth refresh token has likely been revoked or expired.";
+					return _stackframe_stack_shared_dist_utils_results.Result.error(new _stackframe_stack_shared.KnownErrors.OAuthAccessTokenNotAvailable(providerId, `${scopeDetail} The user needs to re-authorize by calling \`linkConnectedAccount\` or using \`getOrLinkConnectedAccount\`.`));
+				}
+				return _stackframe_stack_shared_dist_utils_results.Result.ok(result);
+			}
+		};
+	}
+	constructor(options, extraOptions) {
+		this._uniqueIdentifier = void 0;
+		this._sessionRecorder = null;
+		this._eventTracker = null;
+		this.__DEMO_ENABLE_SLIGHT_FETCH_DELAY = false;
+		this._ownedAdminApps = new _stackframe_stack_shared_dist_utils_maps.DependenciesMap();
+		this._currentUserCache = (0, __common_js.createCacheBySession)(async (session) => {
+			if (this.__DEMO_ENABLE_SLIGHT_FETCH_DELAY) await (0, _stackframe_stack_shared_dist_utils_promises.wait)(2e3);
+			if (session.isKnownToBeInvalid()) return null;
+			return await this._interface.getClientUserByToken(session);
+		});
+		this._currentProjectCache = (0, __common_js.createCache)(async () => {
+			return _stackframe_stack_shared_dist_utils_results.Result.orThrow(await this._interface.getClientProject());
+		});
+		this._ownedProjectsCache = (0, __common_js.createCacheBySession)(async (session) => {
+			return await this._interface.listProjects(session);
+		});
+		this._currentUserPermissionsCache = (0, __common_js.createCacheBySession)(async (session, [teamId, recursive]) => {
+			return await this._interface.listCurrentUserTeamPermissions({
+				teamId,
+				recursive
+			}, session);
+		});
+		this._currentUserProjectPermissionsCache = (0, __common_js.createCacheBySession)(async (session, [recursive]) => {
+			return await this._interface.listCurrentUserProjectPermissions({ recursive }, session);
+		});
+		this._currentUserTeamsCache = (0, __common_js.createCacheBySession)(async (session) => {
+			return await this._interface.listCurrentUserTeams(session);
+		});
+		this._currentUserOAuthConnectionAccessTokensCache = (0, __common_js.createCacheBySession)(async (session, [providerId, scope]) => {
+			try {
+				return { accessToken: (await this._interface.createProviderAccessToken(providerId, scope || "", session)).access_token };
+			} catch (err) {
+				if (!(_stackframe_stack_shared.KnownErrors.OAuthAccessTokenNotAvailable.isInstance(err) || _stackframe_stack_shared.KnownErrors.OAuthConnectionDoesNotHaveRequiredScope.isInstance(err) || _stackframe_stack_shared.KnownErrors.OAuthConnectionNotConnectedToUser.isInstance(err))) throw err;
+			}
+			return null;
+		});
+		this._currentUserOAuthConnectionCache = (0, __common_js.createCacheBySession)(async (session, [providerId, scope, redirect]) => {
+			return await this._getUserOAuthConnectionCacheFn({
+				getUser: async () => _stackframe_stack_shared_dist_utils_results.Result.orThrow(await this._currentUserCache.getOrWait([session], "write-only")),
+				getOrWaitOAuthToken: async () => _stackframe_stack_shared_dist_utils_results.Result.orThrow(await this._currentUserOAuthConnectionAccessTokensCache.getOrWait([
+					session,
+					providerId,
+					scope || ""
+				], "write-only")),
+				useOAuthToken: () => (0, __common_js.useAsyncCache)(this._currentUserOAuthConnectionAccessTokensCache, [
+					session,
+					providerId,
+					scope || ""
+				], "connection.useAccessToken()"),
+				providerId,
+				scope,
+				redirect,
+				session
+			});
+		});
+		this._currentUserConnectedAccountsCache = (0, __common_js.createCacheBySession)(async (session) => {
+			return (await this._interface.listConnectedAccounts(session)).items.map((item) => this._createOAuthConnectionFromCrudItem(item, session));
+		});
+		this._currentUserOAuthConnectionAccessTokensByAccountCache = (0, __common_js.createCacheBySession)(async (session, [providerId, providerAccountId, scope]) => {
+			try {
+				return { accessToken: (await this._interface.createProviderAccessTokenByAccount(providerId, providerAccountId, scope, session)).access_token };
+			} catch (err) {
+				if (_stackframe_stack_shared.KnownErrors.OAuthAccessTokenNotAvailable.isInstance(err) || _stackframe_stack_shared.KnownErrors.OAuthConnectionDoesNotHaveRequiredScope.isInstance(err) || _stackframe_stack_shared.KnownErrors.OAuthConnectionNotConnectedToUser.isInstance(err)) return null;
+				throw err;
+			}
+		});
+		this._currentUserValidConnectedAccountForProviderCache = (0, __common_js.createCacheBySession)(async (session, [provider, scopeString]) => {
+			const matchingAccounts = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await this._currentUserConnectedAccountsCache.getOrWait([session], "write-only")).filter((a) => a.provider === provider);
+			const scopes = scopeString ? scopeString.split(" ") : void 0;
+			for (const account of matchingAccounts) if ((await account.getAccessToken({ scopes })).status === "ok") return account;
+			const location = await (0, _________auth_js.getNewOAuthProviderOrScopeUrl)(this._interface, {
+				provider,
+				redirectUrl: this._getOAuthCallbackRedirectUri(),
+				errorRedirectUrl: this.urls.error,
+				providerScope: (0, _stackframe_stack_shared_dist_utils_strings.mergeScopeStrings)(scopeString, (this._oauthScopesOnSignIn[provider] ?? []).join(" "))
+			}, session);
+			await this._redirectTo({ url: location });
+			return await (0, _stackframe_stack_shared_dist_utils_promises.neverResolve)();
+		});
+		this._teamMemberProfilesCache = (0, __common_js.createCacheBySession)(async (session, [teamId]) => {
+			return await this._interface.listTeamMemberProfiles({ teamId }, session);
+		});
+		this._teamInvitationsCache = (0, __common_js.createCacheBySession)(async (session, [teamId]) => {
+			return await this._interface.listTeamInvitations({ teamId }, session);
+		});
+		this._currentUserTeamProfileCache = (0, __common_js.createCacheBySession)(async (session, [teamId]) => {
+			return await this._interface.getTeamMemberProfile({
+				teamId,
+				userId: "me"
+			}, session);
+		});
+		this._currentUserTeamInvitationsCache = (0, __common_js.createCacheBySession)(async (session) => {
+			return await this._interface.listCurrentUserTeamInvitations(session);
+		});
+		this._clientContactChannelsCache = (0, __common_js.createCacheBySession)(async (session) => {
+			return await this._interface.listClientContactChannels(session);
+		});
+		this._userApiKeysCache = (0, __common_js.createCacheBySession)(async (session) => {
+			return await this._interface.listProjectApiKeys({ user_id: "me" }, session, "client");
+		});
+		this._teamApiKeysCache = (0, __common_js.createCacheBySession)(async (session, [teamId]) => {
+			return await this._interface.listProjectApiKeys({ team_id: teamId }, session, "client");
+		});
+		this._notificationCategoriesCache = (0, __common_js.createCacheBySession)(async (session) => {
+			return await this._interface.listNotificationCategories(session);
+		});
+		this._currentUserOAuthProvidersCache = (0, __common_js.createCacheBySession)(async (session) => {
+			return await this._interface.listOAuthProviders({ user_id: "me" }, session);
+		});
+		this._userItemCache = (0, __common_js.createCacheBySession)(async (session, [userId, itemId]) => {
+			return await this._interface.getItem({
+				userId,
+				itemId
+			}, session);
+		});
+		this._teamItemCache = (0, __common_js.createCacheBySession)(async (session, [teamId, itemId]) => {
+			return await this._interface.getItem({
+				teamId,
+				itemId
+			}, session);
+		});
+		this._customItemCache = (0, __common_js.createCacheBySession)(async (session, [customCustomerId, itemId]) => {
+			return await this._interface.getItem({
+				customCustomerId,
+				itemId
+			}, session);
+		});
+		this._userProductsCache = (0, __common_js.createCacheBySession)(async (session, [userId, cursor, limit]) => {
+			return await this._interface.listProducts({
+				customer_type: "user",
+				customer_id: userId,
+				cursor: cursor ?? void 0,
+				limit: limit ?? void 0
+			}, session);
+		});
+		this._teamProductsCache = (0, __common_js.createCacheBySession)(async (session, [teamId, cursor, limit]) => {
+			return await this._interface.listProducts({
+				customer_type: "team",
+				customer_id: teamId,
+				cursor: cursor ?? void 0,
+				limit: limit ?? void 0
+			}, session);
+		});
+		this._customProductsCache = (0, __common_js.createCacheBySession)(async (session, [customCustomerId, cursor, limit]) => {
+			return await this._interface.listProducts({
+				customer_type: "custom",
+				customer_id: customCustomerId,
+				cursor: cursor ?? void 0,
+				limit: limit ?? void 0
+			}, session);
+		});
+		this._userInvoicesCache = (0, __common_js.createCacheBySession)(async (session, [userId, cursor, limit]) => {
+			return await this._interface.listInvoices({
+				customer_type: "user",
+				customer_id: userId,
+				cursor: cursor ?? void 0,
+				limit: limit ?? void 0
+			}, session);
+		});
+		this._teamInvoicesCache = (0, __common_js.createCacheBySession)(async (session, [teamId, cursor, limit]) => {
+			return await this._interface.listInvoices({
+				customer_type: "team",
+				customer_id: teamId,
+				cursor: cursor ?? void 0,
+				limit: limit ?? void 0
+			}, session);
+		});
+		this._customerBillingCache = (0, __common_js.createCacheBySession)(async (session, [customerType, customerId]) => {
+			return await this._interface.getCustomerBilling(customerType, customerId, session);
+		});
+		this._convexPartialUserCache = (0, __common_js.createCache)(async ([ctx]) => await this._getPartialUserFromConvex(ctx));
+		this._trustedParentDomainCache = (0, __common_js.createCache)(async ([domain]) => await this._getTrustedParentDomain(domain));
+		this._anonymousSignUpInProgress = null;
+		this._prefetchedCrossDomainHandoffParams = null;
+		this._prefetchedCrossDomainHandoffParamsFetchedAt = 0;
+		this._isPrefetchingCrossDomainHandoffParams = false;
+		this._pendingAuthResolutionPromises = [];
+		this._memoryTokenStore = (0, __common_js.createEmptyTokenStore)();
+		this._nextServerCookiesTokenStores = /* @__PURE__ */ new WeakMap();
+		this._requestTokenStores = /* @__PURE__ */ new WeakMap();
+		this._storedBrowserCookieTokenStore = null;
+		this._mostRecentQueuedCookieRefreshIndex = 0;
+		this._sessionsByTokenStoreAndSessionKey = /* @__PURE__ */ new WeakMap();
+		this._botChallengeSiteKeysWarned = false;
+		const resolvedOptions = (0, __common_js.resolveConstructorOptions)(options);
+		if (!_StackClientAppImplIncomplete.LazyStackAdminAppImpl.value) throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("Admin app implementation not initialized. Did you import the _StackClientApp from stack-app/apps/implementations/index.ts? You can't import it directly from ./apps/implementations/client-app-impl.ts as that causes a circular dependency (see the comment at _LazyStackAdminAppImpl for more details).");
+		this._options = resolvedOptions;
+		this._extraOptions = extraOptions;
+		const projectId = resolvedOptions.projectId ?? (0, __common_js.getDefaultProjectId)();
+		if (projectId !== "internal" && !projectId.match(/^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[089ab][0-9a-f]{3}-[0-9a-f]{12}$/i)) throw new Error(`Invalid project ID: ${projectId}. Project IDs must be UUIDs. Please check your environment variables and/or your StackApp.`);
+		const publishableClientKey = resolvedOptions.publishableClientKey ?? (0, __common_js.getDefaultPublishableClientKey)();
+		if (extraOptions && extraOptions.interface) this._interface = extraOptions.interface;
+		else {
+			const apiUrls = (0, __common_js.resolveApiUrls)(resolvedOptions.baseUrl);
+			this._interface = new _stackframe_stack_shared.HexclaveClientInterface({
+				getBaseUrl: () => apiUrls()[0],
+				getAnalyticsBaseUrl: () => (0, __common_js.getAnalyticsBaseUrl)(apiUrls()[0]),
+				getApiUrls: apiUrls,
+				extraRequestHeaders: resolvedOptions.extraRequestHeaders ?? (0, __common_js.getDefaultExtraRequestHeaders)(),
+				projectId,
+				clientVersion: __common_js.clientVersion,
+				...publishableClientKey != null ? { publishableClientKey } : {},
+				prepareRequest: async () => {}
+			});
+		}
+		this._tokenStoreInit = resolvedOptions.tokenStore;
+		this._redirectMethod = resolvedOptions.redirectMethod || ((0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)() ? "window" : "none");
+		this._redirectMethod = resolvedOptions.redirectMethod || "tanstack-start";
+		this._urlOptions = resolvedOptions.urls ?? {};
+		this._oauthScopesOnSignIn = resolvedOptions.oauthScopesOnSignIn ?? {};
+		if ((0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)() && (resolvedOptions.tokenStore === "cookie" || resolvedOptions.tokenStore === "nextjs-cookie")) {
+			(0, _stackframe_stack_shared_dist_utils_promises.runAsynchronously)(this._trustedParentDomainCache.getOrWait([window.location.hostname], "write-only"));
+			this._ensureCrossSubdomainCookieExists();
+		}
+		if (extraOptions && extraOptions.uniqueIdentifier) {
+			this._uniqueIdentifier = extraOptions.uniqueIdentifier;
+			this._initUniqueIdentifier();
+		}
+		this._analyticsOptions = resolvedOptions.analytics;
+		const getAnalyticsSession = async () => {
+			this._ensurePersistentTokenStore();
+			if (await this.getPartialUser({
+				from: "token",
+				or: "anonymous-if-exists"
+			})) return await this._getSession();
+			return (await this.getUser({ or: "anonymous" }))._internalSession;
+		};
+		const analyticsEnabled = this._analyticsOptions?.enabled !== false;
+		if (analyticsEnabled && (0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)() && this._hasPersistentTokenStore() && this._analyticsOptions?.replays?.enabled === true) {
+			this._sessionRecorder = new __session_replay_js.SessionRecorder({
+				projectId: this.projectId,
+				sendBatch: async (body, opts) => {
+					return await this._interface.sendSessionReplayBatch(body, await getAnalyticsSession(), opts);
+				}
+			}, this._analyticsOptions.replays);
+			this._sessionRecorder.start();
+		}
+		if (analyticsEnabled && (0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)() && this._hasPersistentTokenStore()) {
+			this._eventTracker = new __event_tracker_js.EventTracker({
+				projectId: this.projectId,
+				sendBatch: async (body, opts) => {
+					return await this._interface.sendAnalyticsEventBatch(body, await getAnalyticsSession(), opts);
+				}
+			});
+			this._eventTracker.start();
+		}
+		if ((0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)() && this._isOAuthCallbackUrlHosted() && this._currentUrlLooksLikeStackOAuthCallback()) this._trackPendingAuthResolution(async () => {
+			if ((0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)()) await this.callOAuthCallback({ dontWarnAboutMissingQueryParams: true });
+		});
+		if ((0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)()) this._trackPendingAuthResolution(async () => {
+			await this._maybeHandleNestedCrossDomainAuth();
+		});
+		if ((0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)() && resolvedOptions.devTool !== false) (0, ____________dev_tool_index_js.mountDevTool)(this);
+	}
+	_initUniqueIdentifier() {
+		if (!this._uniqueIdentifier) throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("Unique identifier not initialized");
+		if (allClientApps.has(this._uniqueIdentifier)) throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("A Stack client app with the same unique identifier already exists");
+		allClientApps.set(this._uniqueIdentifier, [this._extraOptions?.checkString ?? void 0, this]);
+	}
+	_trackPendingAuthResolution(callback) {
+		const promise = (async () => {
+			await Promise.resolve();
+			try {
+				await callback();
+			} catch (error) {
+				(0, _stackframe_stack_shared_dist_utils_errors.captureError)("pending-auth-resolution-failed", error);
+			}
+		})();
+		this._pendingAuthResolutionPromises.push(promise);
+		(0, _stackframe_stack_shared_dist_utils_promises.runAsynchronously)(async () => {
+			try {
+				await promise;
+			} finally {
+				this._pendingAuthResolutionPromises = this._pendingAuthResolutionPromises.filter((p) => p !== promise);
+			}
+		});
+	}
+	async _awaitPendingAuthResolutions(overrideTokenStoreInit, options) {
+		if (options?.awaitPendingAuthResolutions === false || overrideTokenStoreInit !== void 0 || !this._hasPersistentTokenStore() || this._pendingAuthResolutionPromises.length === 0) return;
+		await Promise.all(this._pendingAuthResolutionPromises);
+	}
+	_usePendingAuthResolutions(overrideTokenStoreInit) {
+		if (overrideTokenStoreInit !== void 0 || !this._hasPersistentTokenStore() || this._pendingAuthResolutionPromises.length === 0) return;
+		(0, _stackframe_stack_shared_dist_utils_react.use)(Promise.all(this._pendingAuthResolutionPromises));
+	}
+	_isOAuthCallbackUrlHosted() {
+		const oauthCallbackTarget = this._urlOptions.oauthCallback ?? this._urlOptions.default;
+		return typeof oauthCallbackTarget !== "string" && oauthCallbackTarget?.type === "hosted";
+	}
+	_currentUrlLooksLikeOAuthCallback() {
+		if (typeof window === "undefined") return false;
+		const currentUrl = new URL(window.location.href);
+		return currentUrl.searchParams.has("code") && currentUrl.searchParams.has("state") || currentUrl.searchParams.has("errorCode") && currentUrl.searchParams.has("message");
+	}
+	_currentUrlLooksLikeStackOAuthCallback() {
+		if (typeof window === "undefined") return false;
+		const currentUrl = new URL(window.location.href);
+		const state = currentUrl.searchParams.get("state");
+		if (!currentUrl.searchParams.has("code") || state == null) return false;
+		return (0, _________cookie_js.getCookieClient)(`stack-oauth-outer-${state}`) != null;
+	}
+	_getOAuthCallbackRedirectUri() {
+		if (!this._isOAuthCallbackUrlHosted()) return this.urls.oauthCallback;
+		if (typeof window === "undefined") throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("Hosted OAuth callback URLs require a browser environment to use the current URL as the redirect URI");
+		const currentUrl = new URL(window.location.href);
+		for (const param of oauthCallbackResponseQueryParams) currentUrl.searchParams.delete(param);
+		return currentUrl.toString();
+	}
+	async _getCurrentRefreshTokenIdIfSignedIn(options) {
+		const tokens = await (await this._getSession(options?.overrideTokenStoreInit, options)).getOrFetchLikelyValidTokens(0, null);
+		if (tokens?.refreshToken == null) return null;
+		return tokens.accessToken.payload.refresh_token_id;
+	}
+	async _addNestedCrossDomainAuthParamsToRedirectUrl(options) {
+		const targetUrl = new URL(options.url, options.currentUrl);
+		if (targetUrl.origin === options.currentUrl.origin) return options.url;
+		const refreshTokenId = await this._getCurrentRefreshTokenIdIfSignedIn({
+			awaitPendingAuthResolutions: options.awaitPendingAuthResolutions,
+			overrideTokenStoreInit: options.overrideTokenStoreInit
+		});
+		if (refreshTokenId == null) return options.url;
+		targetUrl.searchParams.set(nestedCrossDomainAuthQueryParams.refreshTokenId, refreshTokenId);
+		targetUrl.searchParams.set(nestedCrossDomainAuthQueryParams.callbackUrl, new URL(this._getOAuthCallbackRedirectUri(), options.currentUrl).toString());
+		return targetUrl.toString();
+	}
+	async _maybeHandleNestedCrossDomainAuth() {
+		if (typeof window === "undefined") return false;
+		const currentUrl = new URL(window.location.href);
+		if (currentUrl.searchParams.has("code") && currentUrl.searchParams.has("state")) return false;
+		const refreshTokenId = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.refreshTokenId);
+		if (refreshTokenId == null) return false;
+		const redirectUri = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.redirectUri);
+		const state = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.state);
+		const codeChallenge = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.codeChallenge);
+		if (redirectUri != null || state != null || codeChallenge != null) {
+			if (redirectUri == null || state == null || codeChallenge == null) throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("Nested cross-domain auth callback URL is missing OAuth request parameters", {
+				redirectUri,
+				state,
+				codeChallenge
+			});
+			if ((currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.codeChallengeMethod) ?? "S256") !== "S256") throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("Nested cross-domain auth only supports S256 PKCE");
+			if ((0, _stackframe_stack_shared_dist_utils_urls.isRelative)(redirectUri)) throw new Error("Nested cross-domain auth redirect URI must be absolute.");
+			const redirectUriUrl = new URL(redirectUri);
+			if (!await this._isTrusted(redirectUriUrl.toString())) throw new Error(`Nested cross-domain auth redirect URI ${redirectUri} is not trusted.`);
+			const afterCallbackRedirectUrlString = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.afterCallbackRedirectUrl);
+			const afterCallbackRedirectUrl = afterCallbackRedirectUrlString == null ? redirectUriUrl : new URL(afterCallbackRedirectUrlString, redirectUriUrl);
+			if (!await this._isTrusted(afterCallbackRedirectUrl.toString())) throw new Error(`Nested cross-domain auth after-callback redirect URL ${afterCallbackRedirectUrlString} is not trusted.`);
+			if (await this._getCurrentRefreshTokenIdIfSignedIn({ awaitPendingAuthResolutions: false }) !== refreshTokenId) throw new Error("Nested cross-domain auth source session does not match the requested refresh token ID.");
+			await this._redirectTo({
+				url: await this._createCrossDomainAuthRedirectUrl({
+					redirectUri: redirectUriUrl.toString(),
+					state,
+					codeChallenge,
+					afterCallbackRedirectUrl: afterCallbackRedirectUrl.toString(),
+					awaitPendingAuthResolutions: false
+				}),
+				replace: true
+			});
+			return true;
+		}
+		if (await this._getCurrentRefreshTokenIdIfSignedIn({ awaitPendingAuthResolutions: false }) === refreshTokenId) return false;
+		const callbackUrlString = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.callbackUrl);
+		if (callbackUrlString == null) throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("Nested cross-domain auth URL is missing callback URL");
+		if ((0, _stackframe_stack_shared_dist_utils_urls.isRelative)(callbackUrlString)) throw new Error("Nested cross-domain auth callback URL must be absolute.");
+		const callbackUrl = new URL(callbackUrlString);
+		if (!await this._isTrusted(callbackUrl.toString())) throw new Error(`Nested cross-domain auth callback URL ${callbackUrlString} is not trusted.`);
+		const afterCallbackRedirectUrl = new URL(currentUrl);
+		afterCallbackRedirectUrl.searchParams.delete(nestedCrossDomainAuthQueryParams.refreshTokenId);
+		afterCallbackRedirectUrl.searchParams.delete(nestedCrossDomainAuthQueryParams.callbackUrl);
+		const { state: newState, codeChallenge: newCodeChallenge } = await this._getCrossDomainHandoffParamsForRedirect(currentUrl);
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.refreshTokenId, refreshTokenId);
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.redirectUri, new URL(this._getOAuthCallbackRedirectUri(), currentUrl).toString());
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.state, newState);
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.codeChallenge, newCodeChallenge);
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.codeChallengeMethod, "S256");
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.afterCallbackRedirectUrl, afterCallbackRedirectUrl.toString());
+		await this._redirectTo({
+			url: callbackUrl,
+			replace: true
+		});
+		return true;
+	}
+	/**
+	* Cloudflare workers does not allow use of randomness on the global scope (on which the Stack app is probably
+	* initialized). For that reason, we generate the unique identifier lazily when it is first needed instead of in the
+	* constructor.
+	*/
+	_getUniqueIdentifier() {
+		if (!this._uniqueIdentifier) {
+			this._uniqueIdentifier = (0, _stackframe_stack_shared_dist_utils_uuids.generateUuid)();
+			this._initUniqueIdentifier();
+		}
+		return this._uniqueIdentifier;
+	}
+	async _checkFeatureSupport(name, options) {
+		return await this._interface.checkFeatureSupport({
+			...options,
+			name
+		});
+	}
+	_useCheckFeatureSupport(name, options) {
+		(0, _stackframe_stack_shared_dist_utils_promises.runAsynchronously)(this._checkFeatureSupport(name, options));
+		throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError(`${name} is not currently supported. Please reach out to Stack support for more information.`);
+	}
+	get _legacyRefreshTokenCookieName() {
+		return `stack-refresh-${this.projectId}`;
+	}
+	get _refreshTokenCookieName() {
+		return `hexclave-refresh-${this.projectId}`;
+	}
+	_getRefreshTokenDefaultCookieNameForSecure(secure) {
+		return `${secure ? "__Host-" : ""}${this._refreshTokenCookieName}--default`;
+	}
+	_getCustomRefreshCookieName(domain) {
+		const encoded = (0, _stackframe_stack_shared_dist_utils_bytes.encodeBase32)(new TextEncoder().encode(domain.toLowerCase()));
+		return `${this._refreshTokenCookieName}--custom-${encoded}`;
+	}
+	_getDomainFromCustomRefreshCookieName(name) {
+		for (const base of [this._refreshTokenCookieName, this._legacyRefreshTokenCookieName]) {
+			const prefix = `${base}--custom-`;
+			if (!name.startsWith(prefix)) continue;
+			try {
+				return new TextDecoder().decode((0, _stackframe_stack_shared_dist_utils_bytes.decodeBase32)(name.slice(prefix.length)));
+			} catch {
+				return null;
+			}
+		}
+		return null;
+	}
+	_formatRefreshCookieValue(refreshToken, updatedAt) {
+		return JSON.stringify({
+			refresh_token: refreshToken,
+			updated_at_millis: updatedAt
+		});
+	}
+	_formatAccessCookieValue(refreshToken, accessToken) {
+		return refreshToken && accessToken ? JSON.stringify([refreshToken, accessToken]) : null;
+	}
+	_parseStructuredRefreshCookie(value) {
+		if (!value) return null;
+		const parsed = (0, _stackframe_stack_shared_dist_utils_json.parseJson)(value);
+		if (parsed.status !== "ok" || typeof parsed.data !== "object" || parsed.data === null) {
+			console.warn("Failed to parse structured refresh cookie");
+			return null;
+		}
+		const data = parsed.data;
+		const refreshToken = "refresh_token" in data && typeof data.refresh_token === "string" ? data.refresh_token : null;
+		const updatedAt = "updated_at_millis" in data && typeof data.updated_at_millis === "number" ? data.updated_at_millis : null;
+		if (!refreshToken) {
+			console.warn("Refresh token not found in structured refresh cookie");
+			return null;
+		}
+		return {
+			refreshToken,
+			updatedAt
+		};
+	}
+	_extractRefreshTokenFromCookieMap(cookies) {
+		const { legacyNames, structuredPrefixes } = this._getRefreshTokenCookieNamePatterns();
+		const currentStructuredPrefixes = [`${this._refreshTokenCookieName}--`, `__Host-${this._refreshTokenCookieName}--`];
+		const getNewestStructuredCookie = (prefixes) => {
+			let selected = null;
+			for (const [name, value] of Object.entries(cookies)) {
+				if (!prefixes.some((prefix) => name.startsWith(prefix))) continue;
+				const parsed = this._parseStructuredRefreshCookie(value);
+				if (!parsed) continue;
+				const candidateUpdatedAt = parsed.updatedAt ?? Number.NEGATIVE_INFINITY;
+				const selectedUpdatedAt = selected?.updatedAt ?? Number.NEGATIVE_INFINITY;
+				if (!selected || candidateUpdatedAt > selectedUpdatedAt) selected = parsed;
+			}
+			return selected;
+		};
+		const currentStructuredCookie = getNewestStructuredCookie(currentStructuredPrefixes);
+		if (currentStructuredCookie) return {
+			refreshToken: currentStructuredCookie.refreshToken,
+			updatedAt: currentStructuredCookie.updatedAt ?? null
+		};
+		for (const name of legacyNames) {
+			const value = cookies[name];
+			if (value) return {
+				refreshToken: value,
+				updatedAt: null
+			};
+		}
+		const selected = getNewestStructuredCookie(structuredPrefixes);
+		if (!selected) return {
+			refreshToken: null,
+			updatedAt: null
+		};
+		return {
+			refreshToken: selected.refreshToken,
+			updatedAt: selected.updatedAt ?? null
+		};
+	}
+	_getTokensFromCookies(cookies) {
+		const { refreshToken } = this._extractRefreshTokenFromCookieMap(cookies);
+		const accessTokenCookie = cookies[this._accessTokenCookieName] ?? cookies[this._legacyAccessTokenCookieName] ?? null;
+		let accessToken = null;
+		if (accessTokenCookie && accessTokenCookie.startsWith("[\"")) {
+			const parsed = (0, _stackframe_stack_shared_dist_utils_json.parseJson)(accessTokenCookie);
+			if (parsed.status === "ok" && typeof parsed.data === "object" && parsed.data !== null && Array.isArray(parsed.data) && parsed.data.length === 2 && typeof parsed.data[0] === "string" && typeof parsed.data[1] === "string") {
+				if (parsed.data[0] === refreshToken) accessToken = parsed.data[1];
+			} else console.warn("Access token cookie has invalid format");
+		}
+		return {
+			refreshToken,
+			accessToken
+		};
+	}
+	get _accessTokenCookieName() {
+		return `hexclave-access`;
+	}
+	get _legacyAccessTokenCookieName() {
+		return `stack-access`;
+	}
+	_getAllBrowserCookies() {
+		if (!(0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)()) throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("Cannot get browser cookies on the server!");
+		return cookie.parseCookie(document.cookie || "");
+	}
+	_getRefreshTokenCookieNamePatterns() {
+		return {
+			legacyNames: [this._legacyRefreshTokenCookieName, "stack-refresh"],
+			structuredPrefixes: [
+				`${this._refreshTokenCookieName}--`,
+				`__Host-${this._refreshTokenCookieName}--`,
+				`${this._legacyRefreshTokenCookieName}--`,
+				`__Host-${this._legacyRefreshTokenCookieName}--`
+			]
+		};
+	}
+	_collectRefreshTokenCookieNames(cookies) {
+		const { legacyNames, structuredPrefixes } = this._getRefreshTokenCookieNamePatterns();
+		const names = /* @__PURE__ */ new Set();
+		for (const name of legacyNames) if (cookies[name]) names.add(name);
+		for (const name of Object.keys(cookies)) if (structuredPrefixes.some((prefix) => name.startsWith(prefix))) names.add(name);
+		return names;
+	}
+	_prepareRefreshCookieUpdate(existingCookies, refreshToken, accessToken, defaultCookieName) {
+		const cookieNames = this._collectRefreshTokenCookieNames(existingCookies);
+		cookieNames.delete(defaultCookieName);
+		const updatedAt = refreshToken ? Date.now() : null;
+		return {
+			updatedAt,
+			refreshCookieValue: refreshToken && updatedAt !== null ? this._formatRefreshCookieValue(refreshToken, updatedAt) : null,
+			accessTokenPayload: this._formatAccessCookieValue(refreshToken, accessToken),
+			cookieNamesToDelete: [...cookieNames]
+		};
+	}
+	_ensureCrossSubdomainCookieExists() {
+		(0, _stackframe_stack_shared_dist_utils_promises.runAsynchronously)(async () => {
+			const hostname = window.location.hostname;
+			const domain = await this._trustedParentDomainCache.getOrWait([hostname], "read-write");
+			if (domain.status === "error" || !domain.data) return;
+			const cookies = this._getAllBrowserCookies();
+			const customCookieName = this._getCustomRefreshCookieName(domain.data);
+			if (cookies[customCookieName]) return;
+			const { refreshToken, updatedAt } = this._extractRefreshTokenFromCookieMap(cookies);
+			if (refreshToken && updatedAt) (0, _________cookie_js.setOrDeleteCookieClient)(customCookieName, this._formatRefreshCookieValue(refreshToken, updatedAt), {
+				maxAge: 3600 * 24 * 365,
+				domain: domain.data
+			});
+		});
+	}
+	_queueCustomRefreshCookieUpdate(refreshToken, updatedAt, context) {
+		(0, _stackframe_stack_shared_dist_utils_promises.runAsynchronously)(async () => {
+			this._mostRecentQueuedCookieRefreshIndex++;
+			const updateIndex = this._mostRecentQueuedCookieRefreshIndex;
+			let hostname;
+			if ((0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)()) hostname = window.location.hostname;
+			else hostname = await getServerRequestHost();
+			if (!hostname) {
+				console.warn("No hostname found when queueing custom refresh cookie update");
+				return;
+			}
+			const domain = await this._trustedParentDomainCache.getOrWait([hostname], "read-write");
+			const cookieOptions = {
+				maxAge: 3600 * 24 * 365,
+				noOpIfServerComponent: true
+			};
+			const setCookie = async (targetDomain, value) => {
+				const name = this._getCustomRefreshCookieName(targetDomain);
+				const options = {
+					...cookieOptions,
+					domain: targetDomain
+				};
+				if (context === "browser") (0, _________cookie_js.setOrDeleteCookieClient)(name, value, options);
+				else await (0, _________cookie_js.setOrDeleteCookie)(name, value, options);
+			};
+			if (domain.status === "error" || !domain.data || updateIndex !== this._mostRecentQueuedCookieRefreshIndex) return;
+			const value = refreshToken && updatedAt ? this._formatRefreshCookieValue(refreshToken, updatedAt) : null;
+			await setCookie(domain.data, value);
+			const isSecure = await (0, _________cookie_js.isSecure)();
+			const defaultName = this._getRefreshTokenDefaultCookieNameForSecure(isSecure);
+			if (context === "browser") (0, _________cookie_js.setOrDeleteCookieClient)(defaultName, null, cookieOptions);
+			else await (0, _________cookie_js.setOrDeleteCookie)(defaultName, null, cookieOptions);
+		});
+	}
+	async _getTrustedRedirectConfig() {
+		const project = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await this._currentProjectCache.getOrWait([], "write-only"));
+		return {
+			allowLocalhost: project.config.allow_localhost,
+			trustedDomains: [...project.config.domains.map((d) => d.domain), new URL((0, ______url_targets_js.getHostedHandlerUrl)({
+				projectId: this.projectId,
+				pagePath: ""
+			})).origin]
+		};
+	}
+	async _getTrustedParentDomain(currentDomain) {
+		return (0, _stackframe_stack_shared_dist_utils_redirect_urls.getTrustedParentDomain)(currentDomain, (await this._getTrustedRedirectConfig()).trustedDomains);
+	}
+	_getBrowserCookieTokenStore() {
+		if (!(0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)()) throw new Error("Cannot use cookie token store on the server!");
+		if (this._storedBrowserCookieTokenStore === null) {
+			const getCurrentValue = (old) => {
+				const tokens = this._getTokensFromCookies(this._getAllBrowserCookies());
+				return {
+					refreshToken: tokens.refreshToken,
+					accessToken: tokens.accessToken ?? (old?.refreshToken === tokens.refreshToken ? old.accessToken : null)
+				};
+			};
+			this._storedBrowserCookieTokenStore = new _stackframe_stack_shared_dist_utils_stores.Store(getCurrentValue(null));
+			let hasSucceededInWriting = true;
+			setInterval(() => {
+				if (hasSucceededInWriting) {
+					const oldValue = this._storedBrowserCookieTokenStore.get();
+					const currentValue = getCurrentValue(oldValue);
+					if (!(0, _stackframe_stack_shared_dist_utils_objects.deepPlainEquals)(currentValue, oldValue)) this._storedBrowserCookieTokenStore.set(currentValue);
+				}
+			}, 100);
+			this._storedBrowserCookieTokenStore.onChange((value) => {
+				try {
+					const refreshToken = value.refreshToken;
+					const secure = window.location.protocol === "https:";
+					const defaultName = this._getRefreshTokenDefaultCookieNameForSecure(secure);
+					const { updatedAt, refreshCookieValue, accessTokenPayload, cookieNamesToDelete } = this._prepareRefreshCookieUpdate(this._getAllBrowserCookies(), refreshToken, value.accessToken ?? null, defaultName);
+					(0, _________cookie_js.setOrDeleteCookieClient)(defaultName, refreshCookieValue, {
+						maxAge: 3600 * 24 * 365,
+						secure
+					});
+					(0, _________cookie_js.setOrDeleteCookieClient)(this._accessTokenCookieName, accessTokenPayload, { maxAge: 3600 * 24 });
+					cookieNamesToDelete.forEach((name) => {
+						const domain = this._getDomainFromCustomRefreshCookieName(name);
+						(0, _________cookie_js.deleteCookieClient)(name, domain ? { domain } : {});
+					});
+					this._queueCustomRefreshCookieUpdate(refreshToken, updatedAt, "browser");
+					hasSucceededInWriting = true;
+				} catch (e) {
+					if (!(0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)()) hasSucceededInWriting = false;
+					else throw e;
+				}
+			});
+		}
+		return this._storedBrowserCookieTokenStore;
+	}
+	_getOrCreateTokenStore(cookieHelper, overrideTokenStoreInit) {
+		const tokenStoreInit = overrideTokenStoreInit === void 0 ? this._tokenStoreInit : overrideTokenStoreInit;
+		switch (tokenStoreInit) {
+			case "cookie":
+				if (!(0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)()) return this._getOrCreateTokenStore(cookieHelper, "nextjs-cookie");
+				return this._getBrowserCookieTokenStore();
+			case "nextjs-cookie": if ((0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)()) return this._getBrowserCookieTokenStore();
+			else {
+				const store = new _stackframe_stack_shared_dist_utils_stores.Store(this._getTokensFromCookies(cookieHelper.getAll()));
+				store.onChange((value) => {
+					(0, _stackframe_stack_shared_dist_utils_promises.runAsynchronously)(async () => {
+						const refreshToken = value.refreshToken;
+						const secure = await (0, _________cookie_js.isSecure)();
+						const defaultName = this._getRefreshTokenDefaultCookieNameForSecure(secure);
+						const { updatedAt, refreshCookieValue, accessTokenPayload, cookieNamesToDelete } = this._prepareRefreshCookieUpdate(cookieHelper.getAll(), refreshToken, value.accessToken ?? null, defaultName);
+						await Promise.all([(0, _________cookie_js.setOrDeleteCookie)(defaultName, refreshCookieValue, {
+							maxAge: 3600 * 24 * 365,
+							noOpIfServerComponent: true
+						}), (0, _________cookie_js.setOrDeleteCookie)(this._accessTokenCookieName, accessTokenPayload, {
+							maxAge: 3600 * 24,
+							noOpIfServerComponent: true
+						})]);
+						if (cookieNamesToDelete.length > 0) await Promise.all(cookieNamesToDelete.map((name) => {
+							const domain = this._getDomainFromCustomRefreshCookieName(name);
+							return (0, _________cookie_js.deleteCookie)(name, {
+								noOpIfServerComponent: true,
+								...domain ? { domain } : {}
+							});
+						}));
+						this._queueCustomRefreshCookieUpdate(refreshToken, updatedAt, "server");
+					});
+				});
+				return store;
+			}
+			case "memory": return this._memoryTokenStore;
+			default:
+				if (tokenStoreInit === null) return (0, __common_js.createEmptyTokenStore)();
+				else if (typeof tokenStoreInit === "object" && "headers" in tokenStoreInit) {
+					if (this._requestTokenStores.has(tokenStoreInit)) return this._requestTokenStores.get(tokenStoreInit);
+					const authorizationHeader = getHeaderValueFromRequestLikeHeaders(tokenStoreInit.headers, "authorization");
+					if (authorizationHeader) {
+						const authJson = getAuthJsonFromAuthorizationHeaderValue(authorizationHeader);
+						if (authJson != null) {
+							const tokenStore = new _stackframe_stack_shared_dist_utils_stores.Store({
+								accessToken: authJson.accessToken,
+								refreshToken: authJson.refreshToken
+							});
+							this._requestTokenStores.set(tokenStoreInit, tokenStore);
+							return tokenStore;
+						}
+					}
+					const stackAuthHeader = getHeaderValueFromRequestLikeHeaders(tokenStoreInit.headers, "x-stack-auth");
+					if (stackAuthHeader) {
+						let parsed;
+						try {
+							parsed = JSON.parse(stackAuthHeader);
+							if (typeof parsed !== "object") throw new Error("x-stack-auth header must be a JSON object");
+							if (parsed === null) throw new Error("x-stack-auth header must not be null");
+						} catch (e) {
+							throw new Error("Invalid x-stack-auth header.", { cause: e });
+						}
+						return this._getOrCreateTokenStore(cookieHelper, {
+							accessToken: parsed.accessToken ?? null,
+							refreshToken: parsed.refreshToken ?? null
+						});
+					}
+					const cookieHeader = getHeaderValueFromRequestLikeHeaders(tokenStoreInit.headers, "cookie");
+					const parsed = cookie.parseCookie(cookieHeader || "");
+					const res = new _stackframe_stack_shared_dist_utils_stores.Store(this._getTokensFromCookies(parsed));
+					this._requestTokenStores.set(tokenStoreInit, res);
+					return res;
+				} else if ("accessToken" in tokenStoreInit || "refreshToken" in tokenStoreInit) return new _stackframe_stack_shared_dist_utils_stores.Store({
+					refreshToken: tokenStoreInit.refreshToken,
+					accessToken: tokenStoreInit.accessToken
+				});
+				throw new Error(`Invalid token store ${tokenStoreInit}`);
+		}
+	}
+	_useTokenStore(overrideTokenStoreInit) {
+		if (!(0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)()) return this._getOrCreateTokenStore((0, _stackframe_stack_shared_dist_utils_react.use)((0, _________cookie_js.createCookieHelper)()), overrideTokenStoreInit);
+		(0, _stackframe_stack_shared_dist_utils_react.suspendIfSsr)();
+		const cookieHelper = (0, _________cookie_js.createBrowserCookieHelper)();
+		return this._getOrCreateTokenStore(cookieHelper, overrideTokenStoreInit);
+	}
+	_getSessionFromTokenStore(tokenStore) {
+		const tokenObj = tokenStore.get();
+		const sessionKey = _stackframe_stack_shared_dist_sessions.InternalSession.calculateSessionKey(tokenObj);
+		const existing = sessionKey ? this._sessionsByTokenStoreAndSessionKey.get(tokenStore)?.get(sessionKey) : null;
+		if (existing) return existing;
+		const session = this._interface.createSession({
+			refreshToken: tokenObj.refreshToken,
+			accessToken: tokenObj.accessToken
+		});
+		session.onAccessTokenChange((newAccessToken) => {
+			tokenStore.update((old) => ({
+				...old,
+				accessToken: newAccessToken?.token ?? null
+			}));
+		});
+		session.onInvalidate(() => {
+			tokenStore.update((old) => ({
+				...old,
+				accessToken: null,
+				refreshToken: null
+			}));
+		});
+		let sessionsBySessionKey = this._sessionsByTokenStoreAndSessionKey.get(tokenStore) ?? /* @__PURE__ */ new Map();
+		this._sessionsByTokenStoreAndSessionKey.set(tokenStore, sessionsBySessionKey);
+		sessionsBySessionKey.set(sessionKey, session);
+		return session;
+	}
+	async _getSession(overrideTokenStoreInit, options) {
+		await this._awaitPendingAuthResolutions(overrideTokenStoreInit, options);
+		const tokenStore = this._getOrCreateTokenStore(await this._createCookieHelper(overrideTokenStoreInit), overrideTokenStoreInit);
+		return this._getSessionFromTokenStore(tokenStore);
+	}
+	_useSession(overrideTokenStoreInit) {
+		this._usePendingAuthResolutions(overrideTokenStoreInit);
+		const tokenStore = this._useTokenStore(overrideTokenStoreInit);
+		const subscribe = (0, react.useCallback)((cb) => {
+			return (0, __session_refresh_subscription_js.subscribeSessionRefresh)({
+				tokenStore,
+				getSession: () => this._getSessionFromTokenStore(tokenStore),
+				onTokenStoreChange: cb
+			});
+		}, [tokenStore]);
+		const getSnapshot = (0, react.useCallback)(() => this._getSessionFromTokenStore(tokenStore), [tokenStore]);
+		return react.default.useSyncExternalStore(subscribe, getSnapshot, getSnapshot);
+	}
+	async _signInToAccountWithTokens(tokens) {
+		if (!("accessToken" in tokens) || !("refreshToken" in tokens)) throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("Invalid tokens object; can't sign in with this", { tokens });
+		const tokenStore = this._getOrCreateTokenStore(await this._createCookieHelper());
+		tokenStore.set(tokens);
+		const newSession = this._getSessionFromTokenStore(tokenStore);
+		this._currentUserCache.getOrWait([newSession], "write-only").catch(() => {});
+	}
+	_getTokenStoreInitForFreshTokens(tokens) {
+		if (tokens.accessToken == null) return;
+		return {
+			accessToken: tokens.accessToken,
+			refreshToken: tokens.refreshToken
+		};
+	}
+	_hasPersistentTokenStore(overrideTokenStoreInit) {
+		return (overrideTokenStoreInit !== void 0 ? overrideTokenStoreInit : this._tokenStoreInit) !== null;
+	}
+	_ensurePersistentTokenStore(overrideTokenStoreInit) {
+		if (!this._hasPersistentTokenStore(overrideTokenStoreInit)) throw new Error("Cannot call this function on a Stack app without a persistent token store. Make sure the tokenStore option on the constructor is set to a non-null value when initializing Stack.\n\nStack uses token stores to access access tokens of the current user. For example, on web frontends it is commonly the string value 'cookies' for cookie storage.");
+	}
+	_isInternalProject() {
+		return this.projectId === "internal";
+	}
+	_ensureInternalProject() {
+		if (!this._isInternalProject()) throw new Error("Cannot call this function on a Stack app with a project ID other than 'internal'.");
+	}
+	_clientProjectFromCrud(crud) {
+		return {
+			id: crud.id,
+			displayName: crud.display_name,
+			config: {
+				signUpEnabled: crud.config.sign_up_enabled,
+				credentialEnabled: crud.config.credential_enabled,
+				magicLinkEnabled: crud.config.magic_link_enabled,
+				passkeyEnabled: crud.config.passkey_enabled,
+				clientTeamCreationEnabled: crud.config.client_team_creation_enabled,
+				clientUserDeletionEnabled: crud.config.client_user_deletion_enabled,
+				allowTeamApiKeys: crud.config.allow_team_api_keys,
+				allowUserApiKeys: crud.config.allow_user_api_keys,
+				oauthProviders: crud.config.enabled_oauth_providers.map((p) => ({ id: p.id }))
+			}
+		};
+	}
+	_clientPermissionFromCrud(crud) {
+		return { id: crud.id };
+	}
+	_clientTeamUserFromCrud(crud) {
+		return {
+			id: crud.user_id,
+			teamProfile: {
+				displayName: crud.display_name,
+				profileImageUrl: crud.profile_image_url
+			}
+		};
+	}
+	_clientSentTeamInvitationFromCrud(session, crud) {
+		return {
+			id: crud.id,
+			recipientEmail: crud.recipient_email,
+			expiresAt: new Date(crud.expires_at_millis),
+			revoke: async () => {
+				await this._interface.revokeTeamInvitation(crud.id, crud.team_id, session);
+				await this._teamInvitationsCache.refresh([session, crud.team_id]);
+			}
+		};
+	}
+	_clientReceivedTeamInvitationFromCrud(session, crud) {
+		const app = this;
+		return {
+			id: crud.id,
+			teamId: crud.team_id,
+			teamDisplayName: crud.team_display_name,
+			recipientEmail: crud.recipient_email,
+			expiresAt: new Date(crud.expires_at_millis),
+			accept: async () => {
+				await app._interface.acceptTeamInvitationById(crud.id, session);
+				await Promise.all([
+					app._currentUserTeamInvitationsCache.refresh([session]),
+					app._currentUserTeamsCache.refresh([session]),
+					app._teamInvitationsCache.refresh([session, crud.team_id])
+				]);
+			}
+		};
+	}
+	_baseApiKeyFromCrud(crud) {
+		return {
+			id: crud.id,
+			description: crud.description,
+			expiresAt: crud.expires_at_millis ? new Date(crud.expires_at_millis) : void 0,
+			manuallyRevokedAt: crud.manually_revoked_at_millis ? new Date(crud.manually_revoked_at_millis) : null,
+			createdAt: new Date(crud.created_at_millis),
+			...crud.type === "team" ? {
+				type: "team",
+				teamId: crud.team_id
+			} : {
+				type: "user",
+				userId: crud.user_id
+			},
+			value: typeof crud.value === "string" ? crud.value : { lastFour: crud.value.last_four },
+			isValid: function() {
+				return this.whyInvalid() === null;
+			},
+			whyInvalid: function() {
+				if (this.manuallyRevokedAt) return "manually-revoked";
+				if (this.expiresAt && this.expiresAt < /* @__PURE__ */ new Date()) return "expired";
+				return null;
+			}
+		};
+	}
+	_clientApiKeyFromCrud(session, crud) {
+		return {
+			...this._baseApiKeyFromCrud(crud),
+			async revoke() {
+				await this.update({ revoked: true });
+			},
+			update: async (options) => {
+				await this._interface.updateProjectApiKey(crud.type === "team" ? { team_id: crud.team_id } : { user_id: crud.user_id }, crud.id, options, session, "client");
+				if (crud.type === "team") await this._teamApiKeysCache.refresh([session, crud.team_id]);
+				else await this._userApiKeysCache.refresh([session]);
+			}
+		};
+	}
+	_clientTeamFromCrud(crud, session) {
+		const app = this;
+		return {
+			id: crud.id,
+			displayName: crud.display_name,
+			profileImageUrl: crud.profile_image_url,
+			clientMetadata: crud.client_metadata,
+			clientReadOnlyMetadata: crud.client_read_only_metadata,
+			...this._createCustomer(crud.id, "team", session),
+			async inviteUser(options) {
+				await app._interface.sendTeamInvitation({
+					teamId: crud.id,
+					email: options.email,
+					session,
+					callbackUrl: options.callbackUrl ?? (0, ____________utils_url_js.constructRedirectUrl)(app.urls.teamInvitation, "callbackUrl")
+				});
+				await app._teamInvitationsCache.refresh([session, crud.id]);
+			},
+			async listUsers() {
+				return _stackframe_stack_shared_dist_utils_results.Result.orThrow(await app._teamMemberProfilesCache.getOrWait([session, crud.id], "write-only")).map((crud) => app._clientTeamUserFromCrud(crud));
+			},
+			useUsers() {
+				return (0, __common_js.useAsyncCache)(app._teamMemberProfilesCache, [session, crud.id], "team.useUsers()").map((crud) => app._clientTeamUserFromCrud(crud));
+			},
+			async listInvitations() {
+				return _stackframe_stack_shared_dist_utils_results.Result.orThrow(await app._teamInvitationsCache.getOrWait([session, crud.id], "write-only")).map((crud) => app._clientSentTeamInvitationFromCrud(session, crud));
+			},
+			useInvitations() {
+				return (0, __common_js.useAsyncCache)(app._teamInvitationsCache, [session, crud.id], "team.useInvitations()").map((crud) => app._clientSentTeamInvitationFromCrud(session, crud));
+			},
+			async update(data) {
+				await app._interface.updateTeam({
+					data: (0, ______teams_index_js.teamUpdateOptionsToCrud)(data),
+					teamId: crud.id
+				}, session);
+				await app._currentUserTeamsCache.refresh([session]);
+			},
+			async delete() {
+				await app._interface.deleteTeam(crud.id, session);
+				await app._currentUserTeamsCache.refresh([session]);
+			},
+			useApiKeys() {
+				return (0, __common_js.useAsyncCache)(app._teamApiKeysCache, [session, crud.id], "team.useApiKeys()").map((crud) => app._clientApiKeyFromCrud(session, crud));
+			},
+			async listApiKeys() {
+				return _stackframe_stack_shared_dist_utils_results.Result.orThrow(await app._teamApiKeysCache.getOrWait([session, crud.id], "write-only")).map((crud) => app._clientApiKeyFromCrud(session, crud));
+			},
+			async createApiKey(options) {
+				const result = await app._interface.createProjectApiKey(await (0, ______api_keys_index_js.apiKeyCreationOptionsToCrud)("team", crud.id, options), session, "client");
+				await app._teamApiKeysCache.refresh([session, crud.id]);
+				return app._clientApiKeyFromCrud(session, result);
+			}
+		};
+	}
+	_clientContactChannelFromCrud(crud, session) {
+		const app = this;
+		return {
+			id: crud.id,
+			value: crud.value,
+			type: crud.type,
+			isVerified: crud.is_verified,
+			isPrimary: crud.is_primary,
+			usedForAuth: crud.used_for_auth,
+			async sendVerificationEmail(options) {
+				await app._interface.sendCurrentUserContactChannelVerificationEmail(crud.id, options?.callbackUrl || (0, ____________utils_url_js.constructRedirectUrl)(app.urls.emailVerification, "callbackUrl"), session);
+			},
+			async update(data) {
+				await app._interface.updateClientContactChannel(crud.id, (0, ______contact_channels_index_js.contactChannelUpdateOptionsToCrud)(data), session);
+				await app._clientContactChannelsCache.refresh([session]);
+			},
+			async delete() {
+				await app._interface.deleteClientContactChannel(crud.id, session);
+				await app._clientContactChannelsCache.refresh([session]);
+			}
+		};
+	}
+	_clientNotificationCategoryFromCrud(crud, session) {
+		const app = this;
+		return {
+			id: crud.notification_category_id,
+			name: crud.notification_category_name,
+			enabled: crud.enabled,
+			canDisable: crud.can_disable,
+			async setEnabled(enabled) {
+				await app._interface.setNotificationsEnabled(crud.notification_category_id, enabled, session);
+				await app._notificationCategoriesCache.refresh([session]);
+			}
+		};
+	}
+	_clientOAuthProviderFromCrud(crud, session) {
+		const app = this;
+		return {
+			id: crud.id,
+			type: crud.type,
+			userId: crud.user_id,
+			email: crud.email,
+			allowSignIn: crud.allow_sign_in,
+			allowConnectedAccounts: crud.allow_connected_accounts,
+			async update(data) {
+				try {
+					await app._interface.updateOAuthProvider(crud.user_id, crud.id, {
+						allow_sign_in: data.allowSignIn,
+						allow_connected_accounts: data.allowConnectedAccounts
+					}, session);
+					await Promise.all([app._currentUserOAuthProvidersCache.refresh([session]), app._currentUserConnectedAccountsCache.refresh([session])]);
+					return _stackframe_stack_shared_dist_utils_results.Result.ok(void 0);
+				} catch (error) {
+					if (_stackframe_stack_shared.KnownErrors.OAuthProviderAccountIdAlreadyUsedForSignIn.isInstance(error)) return _stackframe_stack_shared_dist_utils_results.Result.error(error);
+					throw error;
+				}
+			},
+			async delete() {
+				await app._interface.deleteOAuthProvider(crud.user_id, crud.id, session);
+				await Promise.all([app._currentUserOAuthProvidersCache.refresh([session]), app._currentUserConnectedAccountsCache.refresh([session])]);
+			}
+		};
+	}
+	_clientItemFromCrud(crud) {
+		return {
+			displayName: crud.display_name,
+			quantity: crud.quantity,
+			nonNegativeQuantity: Math.max(0, crud.quantity)
+		};
+	}
+	_customerProductsFromResponse(response) {
+		const products = response.items.map((item) => ({
+			id: item.id,
+			quantity: item.quantity,
+			displayName: item.product.display_name,
+			customerType: item.product.customer_type,
+			isServerOnly: item.product.server_only,
+			stackable: item.product.stackable,
+			type: item.type,
+			subscription: item.subscription ? {
+				subscriptionId: item.subscription.subscription_id,
+				currentPeriodEnd: item.subscription.current_period_end ? new Date(item.subscription.current_period_end) : null,
+				cancelAtPeriodEnd: item.subscription.cancel_at_period_end,
+				isCancelable: item.subscription.is_cancelable
+			} : null,
+			switchOptions: item.switch_options?.map((option) => ({
+				productId: option.product_id,
+				displayName: option.product.display_name,
+				prices: option.product.prices
+			}))
+		}));
+		return Object.assign(products, { nextCursor: response.pagination.next_cursor ?? null });
+	}
+	_customerInvoicesFromResponse(response) {
+		const invoices = response.items.map((item) => ({
+			status: item.status,
+			amountTotal: item.amount_total,
+			hostedInvoiceUrl: item.hosted_invoice_url,
+			createdAt: new Date(item.created_at_millis)
+		}));
+		return Object.assign(invoices, { nextCursor: response.pagination.next_cursor ?? null });
+	}
+	_customerBillingFromResponse(response) {
+		return {
+			hasCustomer: response.has_customer,
+			defaultPaymentMethod: response.default_payment_method
+		};
+	}
+	_createAuth(session) {
+		const app = this;
+		return {
+			_internalSession: session,
+			currentSession: {
+				async getTokens() {
+					const tokens = await session.getOrFetchLikelyValidTokens(2e4, 75e3);
+					return {
+						accessToken: tokens?.accessToken.token ?? null,
+						refreshToken: tokens?.refreshToken?.token ?? null
+					};
+				},
+				useTokens() {
+					const subscribe = (0, react.useCallback)((cb) => {
+						const { unsubscribe: unsubscribeInvalidate } = session.onInvalidate(cb);
+						const { unsubscribe: unsubscribeAccessTokenChange } = session.onAccessTokenChange(cb);
+						return () => {
+							unsubscribeInvalidate();
+							unsubscribeAccessTokenChange();
+						};
+					}, [session]);
+					const getSnapshot = (0, react.useCallback)(() => {
+						return session.isKnownToBeInvalid() ? null : session.getAccessTokenIfNotExpiredYet(2e4, 75e3)?.token ?? null;
+					}, [session]);
+					let accessToken = react.default.useSyncExternalStore(subscribe, getSnapshot, getSnapshot);
+					if (accessToken === null && !session.isKnownToBeInvalid()) accessToken = (0, _stackframe_stack_shared_dist_utils_react.use)(session.getOrFetchLikelyValidTokens(2e4, 75e3))?.accessToken.token ?? null;
+					return {
+						accessToken,
+						refreshToken: session.getRefreshToken()?.token ?? null
+					};
+				}
+			},
+			async getAccessToken() {
+				return (await this.currentSession.getTokens()).accessToken;
+			},
+			useAccessToken() {
+				return this.currentSession.useTokens().accessToken;
+			},
+			async getRefreshToken() {
+				return (await this.currentSession.getTokens()).refreshToken;
+			},
+			useRefreshToken() {
+				return this.currentSession.useTokens().refreshToken;
+			},
+			async getAuthorizationHeader() {
+				return getAuthorizationHeaderValueFromAuthJson(await this.getAuthJson());
+			},
+			useAuthorizationHeader() {
+				return getAuthorizationHeaderValueFromAuthJson(this.useAuthJson());
+			},
+			async getAuthHeaders() {
+				return { "x-stack-auth": JSON.stringify(await this.getAuthJson()) };
+			},
+			useAuthHeaders() {
+				return { "x-stack-auth": JSON.stringify(this.useAuthJson()) };
+			},
+			async getAuthJson() {
+				return await this.currentSession.getTokens();
+			},
+			useAuthJson() {
+				return this.currentSession.useTokens();
+			},
+			signOut(options) {
+				return app._signOut(session, options);
+			}
+		};
+	}
+	_editableTeamProfileFromCrud(crud, session) {
+		const app = this;
+		return {
+			displayName: crud.display_name,
+			profileImageUrl: crud.profile_image_url,
+			async update(update) {
+				await app._interface.updateTeamMemberProfile({
+					teamId: crud.team_id,
+					userId: crud.user_id,
+					profile: {
+						display_name: update.displayName,
+						profile_image_url: update.profileImageUrl
+					}
+				}, session);
+				await app._currentUserTeamProfileCache.refresh([session, crud.team_id]);
+			}
+		};
+	}
+	_createBaseUser(crud) {
+		return {
+			id: crud.id,
+			displayName: crud.display_name,
+			primaryEmail: crud.primary_email,
+			primaryEmailVerified: crud.primary_email_verified,
+			profileImageUrl: crud.profile_image_url,
+			signedUpAt: new Date(crud.signed_up_at_millis),
+			clientMetadata: crud.client_metadata,
+			clientReadOnlyMetadata: crud.client_read_only_metadata,
+			hasPassword: crud.has_password,
+			emailAuthEnabled: crud.auth_with_email,
+			otpAuthEnabled: crud.otp_auth_enabled,
+			oauthProviders: crud.oauth_providers,
+			passkeyAuthEnabled: crud.passkey_auth_enabled,
+			isMultiFactorRequired: crud.requires_totp_mfa,
+			isAnonymous: crud.is_anonymous,
+			isRestricted: crud.is_restricted,
+			restrictedReason: crud.restricted_reason,
+			toClientJson() {
+				return crud;
+			}
+		};
+	}
+	_createUserExtraFromCurrent(crud, session) {
+		const app = this;
+		async function getConnectedAccount(idOrAccount, options) {
+			const scopeString = options?.scopes?.join(" ") ?? "";
+			if (typeof idOrAccount === "object" && "provider" in idOrAccount && "providerAccountId" in idOrAccount) {
+				const { provider, providerAccountId } = idOrAccount;
+				const found = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await app._currentUserConnectedAccountsCache.getOrWait([session], "write-only")).find((a) => a.provider === provider && a.providerAccountId === providerAccountId);
+				if (!found) return null;
+				return found;
+			}
+			return _stackframe_stack_shared_dist_utils_results.Result.orThrow(await app._currentUserOAuthConnectionCache.getOrWait([
+				session,
+				idOrAccount,
+				scopeString,
+				options?.or === "redirect"
+			], "write-only"));
+		}
+		function useConnectedAccount(idOrAccount, options) {
+			const scopeString = options?.scopes?.join(" ") ?? "";
+			if (typeof idOrAccount === "object" && "provider" in idOrAccount && "providerAccountId" in idOrAccount) {
+				const { provider, providerAccountId } = idOrAccount;
+				return (0, __common_js.useAsyncCache)(app._currentUserConnectedAccountsCache, [session], "user.useConnectedAccount()").find((a) => a.provider === provider && a.providerAccountId === providerAccountId) ?? null;
+			}
+			return (0, __common_js.useAsyncCache)(app._currentUserOAuthConnectionCache, [
+				session,
+				idOrAccount,
+				scopeString,
+				options?.or === "redirect"
+			], "user.useConnectedAccount()");
+		}
+		return {
+			async getActiveSessions() {
+				return (await app._interface.listSessions(session)).items.map((crud) => app._clientSessionFromCrud(crud));
+			},
+			async revokeSession(sessionId) {
+				await app._interface.deleteSession(sessionId, session);
+			},
+			setDisplayName(displayName) {
+				return this.update({ displayName });
+			},
+			setClientMetadata(metadata) {
+				return this.update({ clientMetadata: metadata });
+			},
+			async setSelectedTeam(team) {
+				await this.update({ selectedTeamId: typeof team === "string" ? team : team?.id ?? null });
+			},
+			getConnectedAccount,
+			useConnectedAccount,
+			async listConnectedAccounts() {
+				return _stackframe_stack_shared_dist_utils_results.Result.orThrow(await app._currentUserConnectedAccountsCache.getOrWait([session], "write-only"));
+			},
+			useConnectedAccounts() {
+				return (0, __common_js.useAsyncCache)(app._currentUserConnectedAccountsCache, [session], "user.useConnectedAccounts()");
+			},
+			async linkConnectedAccount(provider, options) {
+				const scopeString = options?.scopes?.join(" ") ?? "";
+				const location = await (0, _________auth_js.getNewOAuthProviderOrScopeUrl)(app._interface, {
+					provider,
+					redirectUrl: app._getOAuthCallbackRedirectUri(),
+					errorRedirectUrl: app.urls.error,
+					providerScope: (0, _stackframe_stack_shared_dist_utils_strings.mergeScopeStrings)(scopeString, (app._oauthScopesOnSignIn[provider] ?? []).join(" "))
+				}, session);
+				await app._redirectTo({ url: location });
+				return await (0, _stackframe_stack_shared_dist_utils_promises.neverResolve)();
+			},
+			async getOrLinkConnectedAccount(provider, options) {
+				const matchingAccounts = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await app._currentUserConnectedAccountsCache.getOrWait([session], "write-only")).filter((a) => a.provider === provider);
+				for (const account of matchingAccounts) if ((await account.getAccessToken({ scopes: options?.scopes })).status === "ok") return account;
+				await this.linkConnectedAccount(provider, options);
+				return await (0, _stackframe_stack_shared_dist_utils_promises.neverResolve)();
+			},
+			useOrLinkConnectedAccount(provider, options) {
+				const scopeString = options?.scopes?.join(" ") ?? "";
+				return (0, __common_js.useAsyncCache)(app._currentUserValidConnectedAccountForProviderCache, [
+					session,
+					provider,
+					scopeString
+				], "user.useOrLinkConnectedAccount()");
+			},
+			async getTeam(teamId) {
+				return (await this.listTeams()).find((t) => t.id === teamId) ?? null;
+			},
+			useTeam(teamId) {
+				const teams = this.useTeams();
+				return (0, react.useMemo)(() => {
+					return teams.find((t) => t.id === teamId) ?? null;
+				}, [teams, teamId]);
+			},
+			async listTeams() {
+				return _stackframe_stack_shared_dist_utils_results.Result.orThrow(await app._currentUserTeamsCache.getOrWait([session], "write-only")).map((crud) => app._clientTeamFromCrud(crud, session));
+			},
+			useTeams() {
+				const teams = (0, __common_js.useAsyncCache)(app._currentUserTeamsCache, [session], "user.useTeams()");
+				return (0, react.useMemo)(() => teams.map((crud) => app._clientTeamFromCrud(crud, session)), [teams]);
+			},
+			async createTeam(data) {
+				const crud = await app._interface.createClientTeam((0, ______teams_index_js.teamCreateOptionsToCrud)(data, "me"), session);
+				await app._currentUserTeamsCache.refresh([session]);
+				await this.update({ selectedTeamId: crud.id });
+				return app._clientTeamFromCrud(crud, session);
+			},
+			async leaveTeam(team) {
+				await app._interface.leaveTeam(team.id, session);
+			},
+			async listTeamInvitations() {
+				return _stackframe_stack_shared_dist_utils_results.Result.orThrow(await app._currentUserTeamInvitationsCache.getOrWait([session], "write-only")).map((crud) => app._clientReceivedTeamInvitationFromCrud(session, crud));
+			},
+			useTeamInvitations() {
+				const invitations = (0, __common_js.useAsyncCache)(app._currentUserTeamInvitationsCache, [session], "user.useTeamInvitations()");
+				return (0, react.useMemo)(() => invitations.map((crud) => app._clientReceivedTeamInvitationFromCrud(session, crud)), [invitations]);
+			},
+			async listPermissions(scopeOrOptions, options) {
+				if (scopeOrOptions && "id" in scopeOrOptions) {
+					const scope = scopeOrOptions;
+					const recursive = options?.recursive ?? true;
+					return _stackframe_stack_shared_dist_utils_results.Result.orThrow(await app._currentUserPermissionsCache.getOrWait([
+						session,
+						scope.id,
+						recursive
+					], "write-only")).map((crud) => app._clientPermissionFromCrud(crud));
+				} else {
+					const recursive = scopeOrOptions?.recursive ?? true;
+					return _stackframe_stack_shared_dist_utils_results.Result.orThrow(await app._currentUserProjectPermissionsCache.getOrWait([session, recursive], "write-only")).map((crud) => app._clientPermissionFromCrud(crud));
+				}
+			},
+			usePermissions(scopeOrOptions, options) {
+				if (scopeOrOptions && "id" in scopeOrOptions) {
+					const scope = scopeOrOptions;
+					const recursive = options?.recursive ?? true;
+					const permissions = (0, __common_js.useAsyncCache)(app._currentUserPermissionsCache, [
+						session,
+						scope.id,
+						recursive
+					], "user.usePermissions()");
+					return (0, react.useMemo)(() => permissions.map((crud) => app._clientPermissionFromCrud(crud)), [permissions]);
+				} else {
+					const recursive = scopeOrOptions?.recursive ?? true;
+					const permissions = (0, __common_js.useAsyncCache)(app._currentUserProjectPermissionsCache, [session, recursive], "user.usePermissions()");
+					return (0, react.useMemo)(() => permissions.map((crud) => app._clientPermissionFromCrud(crud)), [permissions]);
+				}
+			},
+			usePermission(scopeOrPermissionId, permissionId) {
+				if (scopeOrPermissionId && typeof scopeOrPermissionId !== "string") {
+					const scope = scopeOrPermissionId;
+					const permissions = this.usePermissions(scope);
+					return (0, react.useMemo)(() => permissions.find((p) => p.id === permissionId) ?? null, [permissions, permissionId]);
+				} else {
+					const pid = scopeOrPermissionId;
+					const permissions = this.usePermissions();
+					return (0, react.useMemo)(() => permissions.find((p) => p.id === pid) ?? null, [permissions, pid]);
+				}
+			},
+			async getPermission(scopeOrPermissionId, permissionId) {
+				if (scopeOrPermissionId && typeof scopeOrPermissionId !== "string") {
+					const scope = scopeOrPermissionId;
+					return (await this.listPermissions(scope)).find((p) => p.id === permissionId) ?? null;
+				} else {
+					const pid = scopeOrPermissionId;
+					return (await this.listPermissions()).find((p) => p.id === pid) ?? null;
+				}
+			},
+			async hasPermission(scopeOrPermissionId, permissionId) {
+				if (scopeOrPermissionId && typeof scopeOrPermissionId !== "string") {
+					const scope = scopeOrPermissionId;
+					return await this.getPermission(scope, permissionId) !== null;
+				} else {
+					const pid = scopeOrPermissionId;
+					return await this.getPermission(pid) !== null;
+				}
+			},
+			async update(update) {
+				return await app._updateClientUser(update, session);
+			},
+			async sendVerificationEmail(options) {
+				if (!crud.primary_email) throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("User does not have a primary email");
+				return await app._interface.sendVerificationEmail(crud.primary_email, options?.callbackUrl ?? (0, ____________utils_url_js.constructRedirectUrl)(app.urls.emailVerification, "callbackUrl"), session);
+			},
+			async updatePassword(options) {
+				const result = await app._interface.updatePassword(options, session);
+				await app._currentUserCache.refresh([session]);
+				return result;
+			},
+			async setPassword(options) {
+				const result = await app._interface.setPassword(options, session);
+				await app._currentUserCache.refresh([session]);
+				return result;
+			},
+			selectedTeam: crud.selected_team && this._clientTeamFromCrud(crud.selected_team, session),
+			async getTeamProfile(team) {
+				const result = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await app._currentUserTeamProfileCache.getOrWait([session, team.id], "write-only"));
+				return app._editableTeamProfileFromCrud(result, session);
+			},
+			useTeamProfile(team) {
+				const result = (0, __common_js.useAsyncCache)(app._currentUserTeamProfileCache, [session, team.id], "user.useTeamProfile()");
+				return app._editableTeamProfileFromCrud(result, session);
+			},
+			async delete() {
+				await app._interface.deleteCurrentUser(session);
+				session.markInvalid();
+			},
+			async listContactChannels() {
+				return _stackframe_stack_shared_dist_utils_results.Result.orThrow(await app._clientContactChannelsCache.getOrWait([session], "write-only")).map((crud) => app._clientContactChannelFromCrud(crud, session));
+			},
+			useContactChannels() {
+				return (0, __common_js.useAsyncCache)(app._clientContactChannelsCache, [session], "user.useContactChannels()").map((crud) => app._clientContactChannelFromCrud(crud, session));
+			},
+			async createContactChannel(data) {
+				const crud = await app._interface.createClientContactChannel((0, ______contact_channels_index_js.contactChannelCreateOptionsToCrud)("me", data), session);
+				await app._clientContactChannelsCache.refresh([session]);
+				return app._clientContactChannelFromCrud(crud, session);
+			},
+			useNotificationCategories() {
+				return (0, __common_js.useAsyncCache)(app._notificationCategoriesCache, [session], "user.useNotificationCategories()").map((crud) => app._clientNotificationCategoryFromCrud(crud, session));
+			},
+			async listNotificationCategories() {
+				return _stackframe_stack_shared_dist_utils_results.Result.orThrow(await app._notificationCategoriesCache.getOrWait([session], "write-only")).map((crud) => app._clientNotificationCategoryFromCrud(crud, session));
+			},
+			useApiKeys() {
+				return (0, __common_js.useAsyncCache)(app._userApiKeysCache, [session], "user.useApiKeys()").map((crud) => app._clientApiKeyFromCrud(session, crud));
+			},
+			async listApiKeys() {
+				return (await app._interface.listProjectApiKeys({ user_id: "me" }, session, "client")).map((crud) => app._clientApiKeyFromCrud(session, crud));
+			},
+			async createApiKey(options) {
+				const result = await app._interface.createProjectApiKey(await (0, ______api_keys_index_js.apiKeyCreationOptionsToCrud)("user", "me", options), session, "client");
+				await app._userApiKeysCache.refresh([session]);
+				return app._clientApiKeyFromCrud(session, result);
+			},
+			useOAuthProviders() {
+				return (0, __common_js.useAsyncCache)(app._currentUserOAuthProvidersCache, [session], "user.useOAuthProviders()").map((crud) => app._clientOAuthProviderFromCrud(crud, session));
+			},
+			async listOAuthProviders() {
+				return _stackframe_stack_shared_dist_utils_results.Result.orThrow(await app._currentUserOAuthProvidersCache.getOrWait([session], "write-only")).map((crud) => app._clientOAuthProviderFromCrud(crud, session));
+			},
+			useOAuthProvider(id) {
+				const providers = this.useOAuthProviders();
+				return (0, react.useMemo)(() => providers.find((p) => p.id === id) ?? null, [providers, id]);
+			},
+			async getOAuthProvider(id) {
+				return (await this.listOAuthProviders()).find((p) => p.id === id) ?? null;
+			},
+			async registerPasskey(options) {
+				const hostname = (await app._getCurrentUrl())?.hostname;
+				if (!hostname) throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("hostname must be provided if the Stack App does not have a redirect method");
+				const initiationResult = await app._interface.initiatePasskeyRegistration({}, session);
+				if (initiationResult.status !== "ok") return _stackframe_stack_shared_dist_utils_results.Result.error(new _stackframe_stack_shared.KnownErrors.PasskeyRegistrationFailed("Failed to get initiation options for passkey registration"));
+				const { options_json, code } = initiationResult.data;
+				if (options_json.rp.id !== "THIS_VALUE_WILL_BE_REPLACED.example.com") throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError(`Expected returned RP ID from server to equal sentinel, but found ${options_json.rp.id}`);
+				options_json.rp.id = hostname;
+				let attResp;
+				try {
+					attResp = await (0, _simplewebauthn_browser.startRegistration)({ optionsJSON: options_json });
+				} catch (error) {
+					if (error instanceof _simplewebauthn_browser.WebAuthnError) return _stackframe_stack_shared_dist_utils_results.Result.error(new _stackframe_stack_shared.KnownErrors.PasskeyWebAuthnError(error.message, error.name));
+					else {
+						(0, _stackframe_stack_shared_dist_utils_errors.captureError)("passkey-registration-failed", error);
+						return _stackframe_stack_shared_dist_utils_results.Result.error(new _stackframe_stack_shared.KnownErrors.PasskeyRegistrationFailed("Failed to start passkey registration due to unknown error"));
+					}
+				}
+				const registrationResult = await app._interface.registerPasskey({
+					credential: attResp,
+					code
+				}, session);
+				await app._refreshUser(session);
+				return registrationResult;
+			}
+		};
+	}
+	_createInternalUserExtra(session) {
+		const app = this;
+		this._ensureInternalProject();
+		return {
+			createProject(newProject) {
+				return app._createProject(session, newProject);
+			},
+			async transferProject(projectIdToTransfer, newTeamId) {
+				await app._interface.transferProject(session, projectIdToTransfer, newTeamId);
+				await app._refreshProject();
+			},
+			listOwnedProjects() {
+				return app._listOwnedProjects(session);
+			},
+			useOwnedProjects() {
+				return app._useOwnedProjects(session);
+			}
+		};
+	}
+	_createCustomer(userIdOrTeamId, type, session) {
+		const app = this;
+		const effectiveSession = session ?? app._interface.createSession({ refreshToken: null });
+		const customerOptions = type === "user" ? { userId: userIdOrTeamId } : { teamId: userIdOrTeamId };
+		return {
+			async getBilling() {
+				const response = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await app._customerBillingCache.getOrWait([
+					effectiveSession,
+					type,
+					userIdOrTeamId
+				], "write-only"));
+				return app._customerBillingFromResponse(response);
+			},
+			useBilling() {
+				const response = (0, __common_js.useAsyncCache)(app._customerBillingCache, [
+					effectiveSession,
+					type,
+					userIdOrTeamId
+				], "customer.useBilling()");
+				return app._customerBillingFromResponse(response);
+			},
+			async createPaymentMethodSetupIntent() {
+				const body = await app._interface.createCustomerPaymentMethodSetupIntent(type, userIdOrTeamId, effectiveSession);
+				return {
+					clientSecret: body.client_secret,
+					stripeAccountId: body.stripe_account_id
+				};
+			},
+			async setDefaultPaymentMethodFromSetupIntent(setupIntentId) {
+				const body = await app._interface.setDefaultCustomerPaymentMethodFromSetupIntent(type, userIdOrTeamId, setupIntentId, effectiveSession);
+				await app._customerBillingCache.refresh([
+					effectiveSession,
+					type,
+					userIdOrTeamId
+				]);
+				return body.default_payment_method;
+			},
+			async getItem(itemId) {
+				return await app.getItem({
+					itemId,
+					...customerOptions
+				});
+			},
+			useItem(itemId) {
+				return app.useItem({
+					itemId,
+					...customerOptions
+				});
+			},
+			async listProducts(options) {
+				return await app.listProducts({
+					...options,
+					...customerOptions
+				});
+			},
+			useProducts(options) {
+				return app.useProducts({
+					...options,
+					...customerOptions
+				});
+			},
+			async listInvoices(options) {
+				return await app.listInvoices({
+					...options,
+					...customerOptions
+				});
+			},
+			useInvoices(options) {
+				return app.useInvoices({
+					...options,
+					...customerOptions
+				});
+			},
+			async createCheckoutUrl(options) {
+				return await app._interface.createCheckoutUrl(type, userIdOrTeamId, options.productId, effectiveSession, options.returnUrl, "client");
+			},
+			async switchSubscription(options) {
+				await app._interface.switchSubscription({
+					customer_type: type,
+					customer_id: userIdOrTeamId,
+					from_product_id: options.fromProductId,
+					to_product_id: options.toProductId,
+					price_id: options.priceId,
+					quantity: options.quantity
+				}, effectiveSession);
+				await app._customerBillingCache.refresh([
+					effectiveSession,
+					type,
+					userIdOrTeamId
+				]);
+				if (type === "user") await app._userProductsCache.invalidateWhere(([cachedSession, userId]) => cachedSession === effectiveSession && userId === userIdOrTeamId);
+				else await app._teamProductsCache.invalidateWhere(([cachedSession, teamId]) => cachedSession === effectiveSession && teamId === userIdOrTeamId);
+			}
+		};
+	}
+	async getItem(options) {
+		const session = await this._getSession();
+		let crud;
+		if ("userId" in options) crud = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await this._userItemCache.getOrWait([
+			session,
+			options.userId,
+			options.itemId
+		], "write-only"));
+		else if ("teamId" in options) crud = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await this._teamItemCache.getOrWait([
+			session,
+			options.teamId,
+			options.itemId
+		], "write-only"));
+		else crud = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await this._customItemCache.getOrWait([
+			session,
+			options.customCustomerId,
+			options.itemId
+		], "write-only"));
+		return this._clientItemFromCrud(crud);
+	}
+	useItem(options) {
+		const session = this._useSession();
+		const [cache, ownerId] = "userId" in options ? [this._userItemCache, options.userId] : "teamId" in options ? [this._teamItemCache, options.teamId] : [this._customItemCache, options.customCustomerId];
+		const crud = (0, __common_js.useAsyncCache)(cache, [
+			session,
+			ownerId,
+			options.itemId
+		], "app.useItem()");
+		return this._clientItemFromCrud(crud);
+	}
+	async listProducts(options) {
+		const session = (await this.getUser())?._internalSession ?? await this._getSession();
+		if ("userId" in options) {
+			const response = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await this._userProductsCache.getOrWait([
+				session,
+				options.userId,
+				options.cursor ?? null,
+				options.limit ?? null
+			], "write-only"));
+			return this._customerProductsFromResponse(response);
+		} else if ("teamId" in options) {
+			const response = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await this._teamProductsCache.getOrWait([
+				session,
+				options.teamId,
+				options.cursor ?? null,
+				options.limit ?? null
+			], "write-only"));
+			return this._customerProductsFromResponse(response);
+		}
+		const response = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await this._customProductsCache.getOrWait([
+			session,
+			options.customCustomerId,
+			options.cursor ?? null,
+			options.limit ?? null
+		], "write-only"));
+		return this._customerProductsFromResponse(response);
+	}
+	async listInvoices(options) {
+		const session = await this._getSession();
+		if ("userId" in options) {
+			const response = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await this._userInvoicesCache.getOrWait([
+				session,
+				options.userId,
+				options.cursor ?? null,
+				options.limit ?? null
+			], "write-only"));
+			return this._customerInvoicesFromResponse(response);
+		}
+		const response = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await this._teamInvoicesCache.getOrWait([
+			session,
+			options.teamId,
+			options.cursor ?? null,
+			options.limit ?? null
+		], "write-only"));
+		return this._customerInvoicesFromResponse(response);
+	}
+	async cancelSubscription(options) {
+		const session = await this._getSession();
+		const user = await this.getUser();
+		if (!user) throw new _stackframe_stack_shared.KnownErrors.UserAuthenticationRequired();
+		const customerType = "teamId" in options ? "team" : "user";
+		const customerId = "teamId" in options ? options.teamId : user.id;
+		await this._interface.cancelSubscription({
+			customer_type: customerType,
+			customer_id: customerId,
+			product_id: options.productId,
+			subscription_id: options.subscriptionId
+		}, session);
+		if (customerType === "user") await this._userProductsCache.invalidateWhere(([cachedSession, userId]) => cachedSession === session && userId === customerId);
+		else await this._teamProductsCache.invalidateWhere(([cachedSession, teamId]) => cachedSession === session && teamId === customerId);
+	}
+	useProducts(options) {
+		const session = this._useSession();
+		const response = (0, __common_js.useAsyncCache)("userId" in options ? this._userProductsCache : "teamId" in options ? this._teamProductsCache : this._customProductsCache, [
+			session,
+			"userId" in options ? options.userId : "teamId" in options ? options.teamId : options.customCustomerId,
+			options.cursor ?? null,
+			options.limit ?? null
+		], "clientApp.useProducts()");
+		return this._customerProductsFromResponse(response);
+	}
+	useInvoices(options) {
+		const session = this._useSession();
+		const response = (0, __common_js.useAsyncCache)("userId" in options ? this._userInvoicesCache : this._teamInvoicesCache, [
+			session,
+			"userId" in options ? options.userId : options.teamId,
+			options.cursor ?? null,
+			options.limit ?? null
+		], "clientApp.useInvoices()");
+		return this._customerInvoicesFromResponse(response);
+	}
+	_currentUserFromCrud(crud, session) {
+		return (0, ______users_index_js.withUserDestructureGuard)({
+			...this._createBaseUser(crud),
+			...this._createAuth(session),
+			...this._createUserExtraFromCurrent(crud, session),
+			...this._isInternalProject() ? this._createInternalUserExtra(session) : {},
+			...this._createCustomer(crud.id, "user", session)
+		});
+	}
+	_clientSessionFromCrud(crud) {
+		return {
+			id: crud.id,
+			userId: crud.user_id,
+			createdAt: new Date(crud.created_at),
+			isImpersonation: crud.is_impersonation,
+			lastUsedAt: crud.last_used_at ? new Date(crud.last_used_at) : void 0,
+			isCurrentSession: crud.is_current_session ?? false,
+			geoInfo: crud.last_used_at_end_user_ip_info
+		};
+	}
+	_getOwnedAdminApp(forProjectId, session) {
+		if (!this._ownedAdminApps.has([session, forProjectId])) this._ownedAdminApps.set([session, forProjectId], new _StackClientAppImplIncomplete.LazyStackAdminAppImpl.value({
+			baseUrl: this._interface.options.getBaseUrl(),
+			projectId: forProjectId,
+			tokenStore: null,
+			projectOwnerSession: session,
+			noAutomaticPrefetch: true
+		}));
+		return this._ownedAdminApps.get([session, forProjectId]);
+	}
+	get projectId() {
+		return this._interface.projectId;
+	}
+	get version() {
+		return __common_js.clientVersion;
+	}
+	_getBotChallengeSiteKeys() {
+		if (!(0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)()) return null;
+		const visibleSiteKey = _________env_js.envVars.NEXT_PUBLIC_STACK_BOT_CHALLENGE_SITE_KEY;
+		if (!visibleSiteKey) {
+			if (!this._botChallengeSiteKeysWarned) {
+				this._botChallengeSiteKeysWarned = true;
+				console.warn("[stack-auth] NEXT_PUBLIC_STACK_BOT_CHALLENGE_SITE_KEY is not set — bot challenge fraud protection is disabled. Set the env variable to enable it.");
+			}
+			return null;
+		}
+		return {
+			visibleSiteKey,
+			invisibleSiteKey: _________env_js.envVars.NEXT_PUBLIC_STACK_BOT_CHALLENGE_INVISIBLE_SITE_KEY ?? visibleSiteKey
+		};
+	}
+	_getBotChallengeFlowFailure(error) {
+		if (error instanceof _stackframe_stack_shared_dist_utils_turnstile_flow.BotChallengeUserCancelledError) return {
+			type: "cancelled",
+			knownError: new _stackframe_stack_shared.KnownErrors.BotChallengeFailed("Bot challenge cancelled by user")
+		};
+		if (error instanceof _stackframe_stack_shared_dist_utils_turnstile_flow.BotChallengeExecutionFailedError) return {
+			type: "failed",
+			knownError: new _stackframe_stack_shared.KnownErrors.BotChallengeFailed(error.message)
+		};
+		return null;
+	}
+	_normalizeBotChallengeResult(result) {
+		if (result.status === "ok") return result;
+		if (_stackframe_stack_shared.KnownErrors.BotChallengeRequired.isInstance(result.error)) {
+			(0, _stackframe_stack_shared_dist_utils_errors.captureError)("bot-challenge-unexpected-after-flow", result.error);
+			return _stackframe_stack_shared_dist_utils_results.Result.error(new _stackframe_stack_shared.KnownErrors.BotChallengeFailed("Unexpected bot challenge after flow completion"));
+		}
+		return _stackframe_stack_shared_dist_utils_results.Result.error(result.error);
+	}
+	_toInterfaceBotChallengeInput(challenge) {
+		if (challenge.unavailable) return { phase: "visible" };
+		return {
+			token: challenge.token,
+			phase: challenge.phase
+		};
+	}
+	async _executeResultWithBotChallengeFlow(options) {
+		const siteKeys = this._getBotChallengeSiteKeys();
+		let result;
+		try {
+			if (siteKeys) result = await (0, _stackframe_stack_shared_dist_utils_turnstile_flow.withBotChallengeFlow)({
+				...siteKeys,
+				action: options.action,
+				execute: options.execute,
+				isChallengeRequired: (flowResult) => {
+					return flowResult.status === "error" && _stackframe_stack_shared.KnownErrors.BotChallengeRequired.isInstance(flowResult.error);
+				}
+			});
+			else result = await options.execute({});
+		} catch (e) {
+			const flowFailure = this._getBotChallengeFlowFailure(e);
+			if (flowFailure) return _stackframe_stack_shared_dist_utils_results.Result.error(flowFailure.knownError);
+			throw e;
+		}
+		return this._normalizeBotChallengeResult(result);
+	}
+	async _isTrusted(url) {
+		if ((0, _stackframe_stack_shared_dist_utils_urls.isRelative)(url)) return true;
+		const parsedUrl = (0, _stackframe_stack_shared_dist_utils_urls.createUrlIfValid)(url);
+		if (parsedUrl == null) return false;
+		if (typeof window !== "undefined" && window.location.origin === parsedUrl.origin) return true;
+		if ((0, ______url_targets_js.isHostedHandlerUrlForProject)({
+			url,
+			projectId: this.projectId
+		})) return true;
+		const trustedRedirectConfig = await this._getTrustedRedirectConfig();
+		return (0, _stackframe_stack_shared_dist_utils_redirect_urls.validateRedirectUrl)(parsedUrl, {
+			allowLocalhost: trustedRedirectConfig.allowLocalhost,
+			trustedDomains: trustedRedirectConfig.trustedDomains
+		});
+	}
+	get urls() {
+		return (0, __common_js.getUrls)(this._urlOptions, { projectId: this.projectId });
+	}
+	_prefetchCrossDomainHandoffParamsIfNeeded() {
+		const canWriteOauthVerifierCookie = this._tokenStoreInit === "cookie" || this._tokenStoreInit === "nextjs-cookie";
+		if (!(0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)() || !canWriteOauthVerifierCookie || this._isPrefetchingCrossDomainHandoffParams || this._getFreshPrefetchedCrossDomainHandoffParams() != null) return;
+		this._isPrefetchingCrossDomainHandoffParams = true;
+		(0, _stackframe_stack_shared_dist_utils_promises.runAsynchronously)(async () => {
+			try {
+				if (!(0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)()) return;
+				const { state, codeChallenge } = await (0, _________cookie_js.saveVerifierAndState)();
+				this._prefetchedCrossDomainHandoffParams = {
+					state,
+					codeChallenge
+				};
+				this._prefetchedCrossDomainHandoffParamsFetchedAt = performance.now();
+			} finally {
+				this._isPrefetchingCrossDomainHandoffParams = false;
+			}
+		});
+	}
+	_getCrossDomainHandoffParamsForUrlsGetter(currentUrl) {
+		const fromQuery = (0, __redirect_page_urls_js.getCrossDomainHandoffParamsFromCurrentUrl)(currentUrl);
+		if (fromQuery != null) return fromQuery;
+		const prefetched = this._getFreshPrefetchedCrossDomainHandoffParams();
+		if (prefetched != null) return prefetched;
+		this._prefetchCrossDomainHandoffParamsIfNeeded();
+		return null;
+	}
+	async _getCrossDomainHandoffParamsForRedirect(currentUrl) {
+		const fromQuery = (0, __redirect_page_urls_js.getCrossDomainHandoffParamsFromCurrentUrl)(currentUrl);
+		if (fromQuery != null) return fromQuery;
+		const prefetched = this._getFreshPrefetchedCrossDomainHandoffParams();
+		if (prefetched != null) return prefetched;
+		const { state, codeChallenge } = await (0, _________cookie_js.saveVerifierAndState)();
+		this._prefetchedCrossDomainHandoffParams = {
+			state,
+			codeChallenge
+		};
+		this._prefetchedCrossDomainHandoffParamsFetchedAt = performance.now();
+		return {
+			state,
+			codeChallenge
+		};
+	}
+	_getLocalOAuthCallbackHandlerUrl() {
+		if (this._isOAuthCallbackUrlHosted()) return this._getOAuthCallbackRedirectUri();
+		return (0, ______url_targets_js.resolveHandlerUrls)({
+			urls: {
+				...this._urlOptions,
+				default: { type: "handler-component" },
+				oauthCallback: { type: "handler-component" }
+			},
+			projectId: this.projectId
+		}).oauthCallback;
+	}
+	async _createCrossDomainAuthRedirectUrl(options) {
+		const session = await this._getSession(options.overrideTokenStoreInit, { awaitPendingAuthResolutions: options.awaitPendingAuthResolutions });
+		const response = await this._interface.sendClientRequest("/auth/oauth/cross-domain/authorize", {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				redirect_uri: options.redirectUri,
+				state: options.state,
+				code_challenge: options.codeChallenge,
+				code_challenge_method: "S256",
+				after_callback_redirect_url: options.afterCallbackRedirectUrl
+			})
+		}, session);
+		if (!response.ok) {
+			const responseBody = await response.text();
+			throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError(`Cross-domain authorization endpoint failed: ${response.status} ${responseBody}`);
+		}
+		const result = await response.json();
+		if (!("redirect_url" in result) || typeof result.redirect_url !== "string") throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("Cross-domain authorization endpoint returned an invalid payload", { result });
+		return result.redirect_url;
+	}
+	_getFreshPrefetchedCrossDomainHandoffParams() {
+		if (this._prefetchedCrossDomainHandoffParams == null) return null;
+		if (performance.now() - this._prefetchedCrossDomainHandoffParamsFetchedAt > prefetchedCrossDomainHandoffTtlMs) {
+			this._prefetchedCrossDomainHandoffParams = null;
+			this._prefetchedCrossDomainHandoffParamsFetchedAt = 0;
+			return null;
+		}
+		return this._prefetchedCrossDomainHandoffParams;
+	}
+	async _getCurrentUrl() {
+		if (this._redirectMethod === "none") return null;
+		return new URL(window.location.href);
+	}
+	async _redirectTo(options) {
+		if (this._redirectMethod === "none") return;
+		else if (this._redirectMethod === "tanstack-start" && !(0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)()) throw _tanstack_react_router.redirect({
+			href: options.url.toString(),
+			replace: options.replace
+		});
+		else if (typeof this._redirectMethod === "object" && this._redirectMethod.navigate) this._redirectMethod.navigate(options.url.toString());
+		else if (options.replace) window.location.replace(options.url);
+		else window.location.assign(options.url);
+		await (0, _stackframe_stack_shared_dist_utils_promises.wait)(2e3);
+	}
+	useNavigate() {
+		if (typeof this._redirectMethod === "object") return this._redirectMethod.useNavigate();
+		else if (this._redirectMethod === "window") return (to) => window.location.assign(to);
+		else if (this._redirectMethod === "tanstack-start") return (to) => window.location.assign(to);
+		else return (to) => {};
+	}
+	async _redirectIfTrusted(url, options) {
+		if (!await this._isTrusted(url)) throw new Error(`Redirect URL ${url} is not trusted; should be relative.`);
+		return await this._redirectTo({
+			url,
+			...options
+		});
+	}
+	async _redirectToHandler(handlerName, options, internalOptions) {
+		const rawHandlerUrl = (0, __common_js.getUrls)(this._urlOptions, { projectId: this.projectId })[handlerName];
+		if (!rawHandlerUrl) throw new Error(`No URL for handler name ${handlerName}`);
+		const currentUrl = typeof window === "undefined" ? null : new URL(window.location.href);
+		const plan = await (0, __redirect_page_urls_js.planRedirectToHandler)({
+			handlerName,
+			rawHandlerUrl,
+			noRedirectBack: options?.noRedirectBack === true,
+			currentUrl,
+			localOAuthCallbackUrl: this._getLocalOAuthCallbackHandlerUrl(),
+			getCrossDomainHandoffParams: async (href) => await this._getCrossDomainHandoffParamsForRedirect(href)
+		});
+		if (plan.type === "cross-domain-authorize") {
+			const crossDomainRedirectUrl = await this._createCrossDomainAuthRedirectUrl({
+				redirectUri: plan.redirectUri,
+				state: plan.state,
+				codeChallenge: plan.codeChallenge,
+				afterCallbackRedirectUrl: plan.afterCallbackRedirectUrl,
+				awaitPendingAuthResolutions: internalOptions?.awaitPendingAuthResolutions,
+				overrideTokenStoreInit: internalOptions?.overrideTokenStoreInit
+			});
+			await this._redirectTo({
+				url: crossDomainRedirectUrl,
+				...options
+			});
+			return;
+		}
+		const redirectUrl = currentUrl != null && handlerName !== "signOut" && handlerName !== "afterSignOut" && handlerName !== "oauthCallback" ? await this._addNestedCrossDomainAuthParamsToRedirectUrl({
+			url: plan.url,
+			currentUrl,
+			awaitPendingAuthResolutions: internalOptions?.awaitPendingAuthResolutions,
+			overrideTokenStoreInit: internalOptions?.overrideTokenStoreInit
+		}) : plan.url;
+		await this._redirectIfTrusted(redirectUrl, options);
+	}
+	_redirectToHandlerDuringRender(handlerName, options) {
+		if (this._redirectMethod === "tanstack-start" && !(0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)()) {
+			const rawHandlerUrl = (0, __common_js.getUrls)(this._urlOptions, { projectId: this.projectId })[handlerName];
+			if (!rawHandlerUrl) throw new Error(`No URL for handler name ${handlerName}`);
+			throw _tanstack_react_router.redirect({
+				href: rawHandlerUrl,
+				replace: options?.replace
+			});
+		}
+		return false;
+	}
+	async redirectToSignIn(options) {
+		return await this._redirectToHandler("signIn", options);
+	}
+	async redirectToSignUp(options) {
+		return await this._redirectToHandler("signUp", options);
+	}
+	async redirectToSignOut(options) {
+		return await this._redirectToHandler("signOut", options);
+	}
+	async redirectToEmailVerification(options) {
+		return await this._redirectToHandler("emailVerification", options);
+	}
+	async redirectToPasswordReset(options) {
+		return await this._redirectToHandler("passwordReset", options);
+	}
+	async redirectToForgotPassword(options) {
+		return await this._redirectToHandler("forgotPassword", options);
+	}
+	async redirectToHome(options) {
+		return await this._redirectToHandler("home", options);
+	}
+	async redirectToOAuthCallback(options) {
+		return await this._redirectToHandler("oauthCallback", options);
+	}
+	async redirectToMagicLinkCallback(options) {
+		return await this._redirectToHandler("magicLinkCallback", options);
+	}
+	async redirectToAfterSignIn(options) {
+		return await this._redirectToHandler("afterSignIn", options);
+	}
+	async redirectToAfterSignUp(options) {
+		return await this._redirectToHandler("afterSignUp", options);
+	}
+	async redirectToOnboarding(options) {
+		return await this._redirectToHandler("onboarding", options);
+	}
+	async redirectToAfterSignOut(options) {
+		return await this._redirectToHandler("afterSignOut", options);
+	}
+	async redirectToAccountSettings(options) {
+		return await this._redirectToHandler("accountSettings", options);
+	}
+	async redirectToError(options) {
+		return await this._redirectToHandler("error", options);
+	}
+	async redirectToTeamInvitation(options) {
+		return await this._redirectToHandler("teamInvitation", options);
+	}
+	async redirectToCliAuthConfirm(options) {
+		return await this._redirectToHandler("cliAuthConfirm", options);
+	}
+	async redirectToMfa(options) {
+		return await this._redirectToHandler("mfa", options);
+	}
+	async sendForgotPasswordEmail(email, options) {
+		return await this._interface.sendForgotPasswordEmail(email, options?.callbackUrl ?? (0, ____________utils_url_js.constructRedirectUrl)(this.urls.passwordReset, "callbackUrl"));
+	}
+	async sendMagicLinkEmail(email, options) {
+		const callbackUrl = options?.callbackUrl ?? (0, ____________utils_url_js.constructRedirectUrl)(this.urls.magicLinkCallback, "callbackUrl");
+		return await this._executeResultWithBotChallengeFlow({
+			action: "send_magic_link_email",
+			execute: async (challenge) => {
+				return await this._interface.sendMagicLinkEmail(email, callbackUrl, this._toInterfaceBotChallengeInput(challenge));
+			}
+		});
+	}
+	async resetPassword(options) {
+		return await this._interface.resetPassword(options);
+	}
+	async verifyPasswordResetCode(code) {
+		return await this._interface.verifyPasswordResetCode(code);
+	}
+	async verifyTeamInvitationCode(code) {
+		return await this._interface.acceptTeamInvitation({
+			type: "check",
+			code,
+			session: await this._getSession()
+		});
+	}
+	async acceptTeamInvitation(code) {
+		const result = await this._interface.acceptTeamInvitation({
+			type: "use",
+			code,
+			session: await this._getSession()
+		});
+		if (result.status === "ok") return _stackframe_stack_shared_dist_utils_results.Result.ok(void 0);
+		else return _stackframe_stack_shared_dist_utils_results.Result.error(result.error);
+	}
+	async getTeamInvitationDetails(code) {
+		const result = await this._interface.acceptTeamInvitation({
+			type: "details",
+			code,
+			session: await this._getSession()
+		});
+		if (result.status === "ok") return _stackframe_stack_shared_dist_utils_results.Result.ok({ teamDisplayName: result.data.team_display_name });
+		else return _stackframe_stack_shared_dist_utils_results.Result.error(result.error);
+	}
+	async verifyEmail(code) {
+		const result = await this._interface.verifyEmail(code);
+		await this._currentUserCache.refresh([await this._getSession()]);
+		await this._clientContactChannelsCache.refresh([await this._getSession()]);
+		return result;
+	}
+	async getUser(options) {
+		if (options?.or === "anonymous" && options.includeRestricted === false) throw new Error("Cannot use { or: 'anonymous' } with { includeRestricted: false }. Anonymous users implicitly include restricted users.");
+		this._ensurePersistentTokenStore(options?.tokenStore);
+		const session = await this._getSession(options?.tokenStore);
+		let crud = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await this._currentUserCache.getOrWait([session], "write-only"));
+		const includeAnonymous = options?.or === "anonymous" || options?.or === "anonymous-if-exists[deprecated]";
+		const includeRestricted = options?.includeRestricted === true || includeAnonymous;
+		if (crud === null || crud.is_anonymous && !includeAnonymous || crud.is_restricted && !includeRestricted) switch (options?.or) {
+			case "redirect":
+				if (!crud?.is_anonymous && crud?.is_restricted) await this.redirectToOnboarding({ replace: true });
+				else await this.redirectToSignIn({ replace: true });
+				break;
+			case "throw": throw new Error("User is not signed in but getUser was called with { or: 'throw' }");
+			case "anonymous": {
+				const tokens = await this._signUpAnonymously();
+				return await this.getUser({
+					tokenStore: tokens,
+					or: "anonymous-if-exists[deprecated]",
+					includeRestricted: true
+				}) ?? (0, _stackframe_stack_shared_dist_utils_errors.throwErr)("Something went wrong while signing up anonymously");
+			}
+			case void 0:
+			case "anonymous-if-exists[deprecated]":
+			case "return-null": return null;
+		}
+		return crud && this._currentUserFromCrud(crud, session);
+	}
+	useUser(options) {
+		if (options?.or === "anonymous" && options.includeRestricted === false) throw new Error("Cannot use { or: 'anonymous' } with { includeRestricted: false }. Anonymous users implicitly include restricted users.");
+		this._ensurePersistentTokenStore(options?.tokenStore);
+		const session = this._useSession(options?.tokenStore);
+		let crud = (0, __common_js.useAsyncCache)(this._currentUserCache, [session], "clientApp.useUser()");
+		const includeAnonymous = options?.or === "anonymous" || options?.or === "anonymous-if-exists[deprecated]";
+		const includeRestricted = options?.includeRestricted === true || includeAnonymous;
+		if (crud === null || crud.is_anonymous && !includeAnonymous || crud.is_restricted && !includeRestricted) switch (options?.or) {
+			case "redirect":
+				if (!crud?.is_anonymous && crud?.is_restricted) {
+					if (!this._redirectToHandlerDuringRender("onboarding", { replace: true })) (0, _stackframe_stack_shared_dist_utils_promises.runAsynchronously)(this.redirectToOnboarding({ replace: true }));
+				} else if (!this._redirectToHandlerDuringRender("signIn", { replace: true })) (0, _stackframe_stack_shared_dist_utils_promises.runAsynchronously)(this.redirectToSignIn({ replace: true }));
+				(0, _stackframe_stack_shared_dist_utils_react.suspend)();
+				throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("suspend should never return");
+			case "throw": throw new Error("User is not signed in but useUser was called with { or: 'throw' }");
+			case "anonymous":
+				(0, _stackframe_stack_shared_dist_utils_promises.runAsynchronously)(async () => {
+					await this._signUpAnonymously();
+					if (typeof window !== "undefined") window.location.reload();
+				});
+				(0, _stackframe_stack_shared_dist_utils_react.suspend)();
+				throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("suspend should never return");
+			case void 0:
+			case "anonymous-if-exists[deprecated]":
+			case "return-null":
+				crud = null;
+				break;
+		}
+		return (0, react.useMemo)(() => {
+			return crud && this._currentUserFromCrud(crud, session);
+		}, [
+			crud,
+			session,
+			options?.or
+		]);
+	}
+	_getTokenPartialUserFromSession(session, options) {
+		const accessToken = session.getAccessTokenIfNotExpiredYet(0, null);
+		if (!accessToken) return null;
+		const isAnonymous = accessToken.payload.is_anonymous;
+		if (isAnonymous && options.or !== "anonymous-if-exists") return null;
+		return {
+			id: accessToken.payload.sub,
+			primaryEmail: accessToken.payload.email,
+			displayName: accessToken.payload.name,
+			primaryEmailVerified: accessToken.payload.email_verified,
+			isAnonymous,
+			isMultiFactorRequired: accessToken.payload.requires_totp_mfa,
+			isRestricted: accessToken.payload.is_restricted,
+			restrictedReason: accessToken.payload.restricted_reason
+		};
+	}
+	async _getPartialUserFromConvex(ctx) {
+		const auth = await ctx.auth.getUserIdentity();
+		if (!auth) return null;
+		return {
+			id: auth.subject,
+			displayName: auth.name ?? null,
+			primaryEmail: auth.email ?? null,
+			primaryEmailVerified: auth.email_verified,
+			isAnonymous: auth.is_anonymous,
+			isMultiFactorRequired: auth.requires_totp_mfa,
+			isRestricted: auth.is_restricted,
+			restrictedReason: auth.restricted_reason ?? null
+		};
+	}
+	async getPartialUser(options) {
+		switch (options.from) {
+			case "token": {
+				this._ensurePersistentTokenStore(options.tokenStore ?? this._tokenStoreInit);
+				const session = await this._getSession(options.tokenStore);
+				return this._getTokenPartialUserFromSession(session, options);
+			}
+			case "convex": return await this._getPartialUserFromConvex(options.ctx);
+			default: throw new Error(`Invalid 'from' option: ${options.from}`);
+		}
+	}
+	usePartialUser(options) {
+		switch (options.from) {
+			case "token": {
+				this._ensurePersistentTokenStore(options.tokenStore ?? this._tokenStoreInit);
+				const session = this._useSession(options.tokenStore);
+				return this._getTokenPartialUserFromSession(session, options);
+			}
+			case "convex": return (0, __common_js.useAsyncCache)(this._convexPartialUserCache, [options.ctx], "clientApp.usePartialUser()");
+			default: throw new Error(`Invalid 'from' option: ${options.from}`);
+		}
+	}
+	getConvexClientAuth(options) {
+		return async (args) => {
+			const session = await this._getSession(options.tokenStore ?? this._tokenStoreInit);
+			if (!args.forceRefreshToken) return (await session.getOrFetchLikelyValidTokens(2e4, 75e3))?.accessToken.token ?? null;
+			return (await session.fetchNewTokens())?.accessToken.token ?? null;
+		};
+	}
+	async getConvexHttpClientAuth(options) {
+		return (await (await this._getSession(options.tokenStore)).getOrFetchLikelyValidTokens(2e4, 75e3))?.accessToken.token ?? "";
+	}
+	async _updateClientUser(update, session) {
+		const res = await this._interface.updateClientUser((0, ______users_index_js.userUpdateOptionsToCrud)(update), session);
+		await this._refreshUser(session);
+		return res;
+	}
+	async signInWithOAuth(provider, options) {
+		if (typeof window === "undefined") throw new Error("signInWithOAuth can currently only be called in a browser environment");
+		this._ensurePersistentTokenStore();
+		const session = await this._getSession();
+		const currentUrl = new URL(window.location.href);
+		const afterCallbackRedirectUrl = options?.returnTo != null ? (0, ____________utils_url_js.constructRedirectUrl)(options.returnTo, "returnTo") : currentUrl.searchParams.has("after_auth_return_to") ? currentUrl.toString() : void 0;
+		const siteKeys = this._getBotChallengeSiteKeys();
+		const { codeChallenge, state } = await (0, _________cookie_js.saveVerifierAndState)();
+		const executeOAuth = async (challenge) => {
+			return await this._interface.authorizeOAuth({
+				provider,
+				redirectUrl: (0, ____________utils_url_js.constructRedirectUrl)(this._getOAuthCallbackRedirectUri(), "redirectUrl"),
+				errorRedirectUrl: (0, ____________utils_url_js.constructRedirectUrl)(this.urls.error, "errorRedirectUrl"),
+				afterCallbackRedirectUrl,
+				type: "authenticate",
+				providerScope: this._oauthScopesOnSignIn[provider]?.join(" "),
+				codeChallenge,
+				state,
+				botChallenge: this._toInterfaceBotChallengeInput(challenge),
+				session
+			});
+		};
+		let authorizeResult;
+		try {
+			if (siteKeys) authorizeResult = await (0, _stackframe_stack_shared_dist_utils_turnstile_flow.withBotChallengeFlow)({
+				...siteKeys,
+				action: "oauth_authenticate",
+				execute: executeOAuth,
+				isChallengeRequired: (result) => {
+					return result.status === "error" && _stackframe_stack_shared.KnownErrors.BotChallengeRequired.isInstance(result.error);
+				}
+			});
+			else authorizeResult = await executeOAuth({});
+		} catch (e) {
+			const flowFailure = this._getBotChallengeFlowFailure(e);
+			if (flowFailure?.type === "cancelled") return;
+			if (flowFailure?.type === "failed") throw flowFailure.knownError;
+			throw e;
+		}
+		const location = _stackframe_stack_shared_dist_utils_results.Result.orThrow(authorizeResult);
+		await this._redirectTo({ url: location });
+		await (0, _stackframe_stack_shared_dist_utils_promises.neverResolve)();
+	}
+	/**
+	* Handles MFA verification by redirecting to the OTP page
+	*/
+	async _experimentalMfa(error, session) {
+		if (typeof window !== "undefined") window.sessionStorage.setItem("hexclave_mfa_attempt_code", error.details?.attempt_code ?? (0, _stackframe_stack_shared_dist_utils_errors.throwErr)("attempt code missing"));
+		await this.redirectToMfa();
+		throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("we should have redirected in redirectToMfa()");
+	}
+	/**
+	* @deprecated
+	* TODO remove
+	*/
+	async _catchMfaRequiredError(callback) {
+		try {
+			return await callback();
+		} catch (e) {
+			if (_stackframe_stack_shared.KnownErrors.MultiFactorAuthenticationRequired.isInstance(e)) return _stackframe_stack_shared_dist_utils_results.Result.ok(await this._experimentalMfa(e, await this._getSession(void 0, { awaitPendingAuthResolutions: false })));
+			throw e;
+		}
+	}
+	async signInWithCredential(options) {
+		this._ensurePersistentTokenStore();
+		const session = await this._getSession();
+		let result;
+		try {
+			result = await this._catchMfaRequiredError(async () => {
+				return await this._interface.signInWithCredential(options.email, options.password, session);
+			});
+		} catch (e) {
+			if (_stackframe_stack_shared.KnownErrors.InvalidTotpCode.isInstance(e)) return _stackframe_stack_shared_dist_utils_results.Result.error(e);
+			throw e;
+		}
+		if (result.status === "ok") {
+			await this._signInToAccountWithTokens(result.data);
+			if (!options.noRedirect) await this._redirectToHandler("afterSignIn", { replace: true }, { overrideTokenStoreInit: this._getTokenStoreInitForFreshTokens(result.data) });
+			return _stackframe_stack_shared_dist_utils_results.Result.ok(void 0);
+		} else return _stackframe_stack_shared_dist_utils_results.Result.error(result.error);
+	}
+	async signUpWithCredential(options) {
+		if (options.noVerificationCallback && options.verificationCallbackUrl) throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("verificationCallbackUrl is not allowed when noVerificationCallback is true");
+		this._ensurePersistentTokenStore();
+		const session = await this._getSession();
+		const emailVerificationRedirectUrl = options.noVerificationCallback ? void 0 : options.verificationCallbackUrl ?? (0, ____________utils_url_js.constructRedirectUrl)(this.urls.emailVerification, "verificationCallbackUrl");
+		const executeSignUp = async (challenge) => {
+			let result = await this._interface.signUpWithCredential(options.email, options.password, emailVerificationRedirectUrl, session, this._toInterfaceBotChallengeInput(challenge));
+			if (result.status === "error" && result.error instanceof _stackframe_stack_shared.KnownErrors.RedirectUrlNotWhitelisted && emailVerificationRedirectUrl !== void 0) {
+				if (!options.verificationCallbackUrl) {
+					(0, _stackframe_stack_shared_dist_utils_errors.captureError)("signup-verification-url-not-whitelisted", new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("The auto-constructed verification callback URL is not whitelisted; proceeding without email verification", { emailVerificationRedirectUrl }));
+					result = await this._interface.signUpWithCredential(options.email, options.password, void 0, session, this._toInterfaceBotChallengeInput(challenge));
+				}
+			}
+			return result;
+		};
+		let result;
+		result = await this._executeResultWithBotChallengeFlow({
+			action: "sign_up_with_credential",
+			execute: executeSignUp
+		});
+		if (result.status === "ok") {
+			await this._signInToAccountWithTokens(result.data);
+			if (!options.noRedirect) await this._redirectToHandler("afterSignUp", { replace: true }, { overrideTokenStoreInit: this._getTokenStoreInitForFreshTokens(result.data) });
+			return _stackframe_stack_shared_dist_utils_results.Result.ok(void 0);
+		} else return _stackframe_stack_shared_dist_utils_results.Result.error(result.error);
+	}
+	async _signUpAnonymously() {
+		this._ensurePersistentTokenStore();
+		if (!this._anonymousSignUpInProgress) this._anonymousSignUpInProgress = (async () => {
+			this._ensurePersistentTokenStore();
+			const session = await this._getSession();
+			const result = await this._interface.signUpAnonymously(session);
+			if (result.status === "ok") await this._signInToAccountWithTokens(result.data);
+			else throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("signUpAnonymously() should never return an error");
+			this._anonymousSignUpInProgress = null;
+			return result.data;
+		})();
+		return await this._anonymousSignUpInProgress;
+	}
+	async signInWithMagicLink(code, options) {
+		this._ensurePersistentTokenStore();
+		const session = await this._getSession();
+		let result;
+		try {
+			result = await this._catchMfaRequiredError(async () => {
+				return await this._interface.signInWithMagicLink(code, session);
+			});
+		} catch (e) {
+			if (_stackframe_stack_shared.KnownErrors.InvalidTotpCode.isInstance(e)) return _stackframe_stack_shared_dist_utils_results.Result.error(e);
+			throw e;
+		}
+		if (result.status === "ok") {
+			await this._signInToAccountWithTokens(result.data);
+			if (!options?.noRedirect) if (result.data.newUser) await this._redirectToHandler("afterSignUp", { replace: true }, {
+				awaitPendingAuthResolutions: false,
+				overrideTokenStoreInit: this._getTokenStoreInitForFreshTokens(result.data)
+			});
+			else await this._redirectToHandler("afterSignIn", { replace: true }, {
+				awaitPendingAuthResolutions: false,
+				overrideTokenStoreInit: this._getTokenStoreInitForFreshTokens(result.data)
+			});
+			return _stackframe_stack_shared_dist_utils_results.Result.ok(void 0);
+		} else return _stackframe_stack_shared_dist_utils_results.Result.error(result.error);
+	}
+	/**
+	* Initiates a CLI authentication process that allows a command line application
+	* to get a refresh token for a user's account.
+	*
+	* This process works as follows:
+	* 1. The CLI app calls this method, which initiates the auth process with the server
+	* 2. The server returns a polling code and a login code
+	* 3. The CLI app opens a browser window to the appUrl with the login code as a parameter
+	* 4. The user logs in through the browser and confirms the authorization
+	* 5. The CLI app polls for the refresh token using the polling code
+	*
+	* @param options Options for the CLI login
+	* @param options.appUrl The URL of the app that will handle the CLI auth confirmation
+	* @param options.expiresInMillis Optional duration in milliseconds before the auth attempt expires (default: 2 hours)
+	* @param options.maxAttempts Optional maximum number of polling attempts (default: Infinity)
+	* @param options.waitTimeMillis Optional time to wait between polling attempts (default: 2 seconds)
+	* @param options.promptLink Optional function to call with the login URL and code to prompt the user to open the browser
+	* @param options.anonRefreshToken Optional anonymous refresh token from the CLI's token store to associate with this login attempt
+	* @returns Result containing either the refresh token or an error
+	*/
+	async promptCliLogin(options) {
+		const response = await this._interface.sendClientRequest("/auth/cli", {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				expires_in_millis: options.expiresInMillis,
+				...options.anonRefreshToken != null ? { anon_refresh_token: options.anonRefreshToken } : {}
+			})
+		}, null);
+		if (!response.ok) return _stackframe_stack_shared_dist_utils_results.Result.error(new _stackframe_stack_shared.KnownErrors.CliAuthError(`Failed to initiate CLI auth: ${response.status} ${await response.text()}`));
+		const initResult = await response.json();
+		const pollingCode = initResult.polling_code;
+		const loginCode = initResult.login_code;
+		const url = (0, ______url_targets_js.buildCliAuthConfirmUrl)({
+			cliAuthConfirmUrl: this.urls.cliAuthConfirm,
+			appUrl: options.appUrl,
+			loginCode
+		});
+		if (options.promptLink) options.promptLink(url, loginCode);
+		else {
+			console.log(`Your verification code: ${loginCode}`);
+			console.log(`Please visit the following URL to authenticate:\n${url}`);
+		}
+		let attempts = 0;
+		while (attempts < (options.maxAttempts ?? Infinity)) {
+			attempts++;
+			const pollResponse = await this._interface.sendClientRequest("/auth/cli/poll", {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({ polling_code: pollingCode })
+			}, null);
+			if (!pollResponse.ok) return _stackframe_stack_shared_dist_utils_results.Result.error(new _stackframe_stack_shared.KnownErrors.CliAuthError(`Failed to initiate CLI auth: ${pollResponse.status} ${await pollResponse.text()}`));
+			const pollResult = await pollResponse.json();
+			if (pollResponse.status === 201 && pollResult.status === "success") return _stackframe_stack_shared_dist_utils_results.Result.ok(pollResult.refresh_token);
+			if (pollResult.status === "waiting") {
+				await (0, _stackframe_stack_shared_dist_utils_promises.wait)(options.waitTimeMillis ?? 2e3);
+				continue;
+			}
+			if (pollResult.status === "expired") return _stackframe_stack_shared_dist_utils_results.Result.error(new _stackframe_stack_shared.KnownErrors.CliAuthExpiredError("CLI authentication request expired. Please try again."));
+			if (pollResult.status === "used") return _stackframe_stack_shared_dist_utils_results.Result.error(new _stackframe_stack_shared.KnownErrors.CliAuthUsedError("This authentication token has already been used."));
+			return _stackframe_stack_shared_dist_utils_results.Result.error(new _stackframe_stack_shared.KnownErrors.CliAuthError(`Unexpected status from CLI auth polling: ${pollResult.status}`));
+		}
+		return _stackframe_stack_shared_dist_utils_results.Result.error(new _stackframe_stack_shared.KnownErrors.CliAuthError("Timed out waiting for CLI authentication."));
+	}
+	async signInWithMfa(totp, code, options) {
+		this._ensurePersistentTokenStore();
+		const session = await this._getSession();
+		let result;
+		try {
+			result = await this._catchMfaRequiredError(async () => {
+				return await this._interface.signInWithMfa(totp, code, session);
+			});
+		} catch (e) {
+			if (e instanceof _stackframe_stack_shared.KnownErrors.InvalidTotpCode) return _stackframe_stack_shared_dist_utils_results.Result.error(e);
+			throw e;
+		}
+		if (result.status === "ok") {
+			await this._signInToAccountWithTokens(result.data);
+			if (!options?.noRedirect) if (result.data.newUser) await this._redirectToHandler("afterSignUp", { replace: true }, { overrideTokenStoreInit: this._getTokenStoreInitForFreshTokens(result.data) });
+			else await this._redirectToHandler("afterSignIn", { replace: true }, { overrideTokenStoreInit: this._getTokenStoreInitForFreshTokens(result.data) });
+			return _stackframe_stack_shared_dist_utils_results.Result.ok(void 0);
+		}
+		return _stackframe_stack_shared_dist_utils_results.Result.error(result.error);
+	}
+	async signInWithPasskey() {
+		this._ensurePersistentTokenStore();
+		const session = await this._getSession();
+		let result;
+		try {
+			result = await this._catchMfaRequiredError(async () => {
+				const initiationResult = await this._interface.initiatePasskeyAuthentication({}, session);
+				if (initiationResult.status !== "ok") return _stackframe_stack_shared_dist_utils_results.Result.error(new _stackframe_stack_shared.KnownErrors.PasskeyAuthenticationFailed("Failed to get initiation options for passkey authentication"));
+				const { options_json, code } = initiationResult.data;
+				if (options_json.rpId !== "THIS_VALUE_WILL_BE_REPLACED.example.com") throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError(`Expected returned RP ID from server to equal sentinel, but found ${options_json.rpId}`);
+				options_json.rpId = window.location.hostname;
+				const authentication_response = await (0, _simplewebauthn_browser.startAuthentication)({ optionsJSON: options_json });
+				return await this._interface.signInWithPasskey({
+					authentication_response,
+					code
+				}, session);
+			});
+		} catch (error) {
+			if (error instanceof _simplewebauthn_browser.WebAuthnError) return _stackframe_stack_shared_dist_utils_results.Result.error(new _stackframe_stack_shared.KnownErrors.PasskeyWebAuthnError(error.message, error.name));
+			else return _stackframe_stack_shared_dist_utils_results.Result.error(new _stackframe_stack_shared.KnownErrors.PasskeyAuthenticationFailed("Failed to sign in with passkey"));
+		}
+		if (result.status === "ok") {
+			await this._signInToAccountWithTokens(result.data);
+			await this._redirectToHandler("afterSignIn", { replace: true }, { overrideTokenStoreInit: this._getTokenStoreInitForFreshTokens(result.data) });
+			return _stackframe_stack_shared_dist_utils_results.Result.ok(void 0);
+		} else return _stackframe_stack_shared_dist_utils_results.Result.error(result.error);
+	}
+	async callOAuthCallback(options) {
+		if (typeof window === "undefined") throw new Error("callOAuthCallback can currently only be called in a browser environment");
+		if (this._currentUrlLooksLikeOAuthCallback()) this._ensurePersistentTokenStore();
+		let oauthCallbackRedirectUri = this._getOAuthCallbackRedirectUri();
+		const currentUrl = new URL(window.location.href);
+		if (currentUrl.searchParams.get(__redirect_page_urls_js.crossDomainAuthQueryParams.marker) === "1") {
+			currentUrl.searchParams.delete("code");
+			currentUrl.searchParams.delete("state");
+			oauthCallbackRedirectUri = currentUrl.toString();
+		}
+		let result;
+		try {
+			result = await this._catchMfaRequiredError(async () => {
+				return await (0, _________auth_js.callOAuthCallback)(this._interface, oauthCallbackRedirectUri, options);
+			});
+		} catch (e) {
+			if (_stackframe_stack_shared.KnownErrors.InvalidTotpCode.isInstance(e)) {
+				alert("Invalid TOTP code. Please try signing in again.");
+				return false;
+			} else throw e;
+		}
+		if (result.status === "ok" && result.data) {
+			this._ensurePersistentTokenStore();
+			await this._signInToAccountWithTokens(result.data);
+			if ("afterCallbackRedirectUrl" in result.data && result.data.afterCallbackRedirectUrl) {
+				await this._redirectTo({
+					url: result.data.afterCallbackRedirectUrl,
+					replace: true
+				});
+				return true;
+			} else if (result.data.newUser) {
+				await this._redirectToHandler("afterSignUp", { replace: true }, {
+					awaitPendingAuthResolutions: false,
+					overrideTokenStoreInit: this._getTokenStoreInitForFreshTokens(result.data)
+				});
+				return true;
+			} else {
+				await this._redirectToHandler("afterSignIn", { replace: true }, {
+					awaitPendingAuthResolutions: false,
+					overrideTokenStoreInit: this._getTokenStoreInitForFreshTokens(result.data)
+				});
+				return true;
+			}
+		}
+		return false;
+	}
+	async _signOut(session, options) {
+		this._eventTracker?.clearBuffer();
+		this._sessionRecorder?.clearBuffer();
+		await _stackframe_stack_shared_dist_utils_stores.storeLock.withWriteLock(async () => {
+			await this._interface.signOut(session);
+			if (options?.redirectUrl) await this._redirectTo({
+				url: options.redirectUrl,
+				replace: true
+			});
+			else await this.redirectToAfterSignOut();
+		});
+	}
+	async signOut(options) {
+		const user = await this.getUser({ tokenStore: options?.tokenStore ?? void 0 });
+		if (user) await user.signOut({ redirectUrl: options?.redirectUrl });
+	}
+	async getAccessToken(options) {
+		const user = await this.getUser({ tokenStore: options?.tokenStore ?? void 0 });
+		if (user) return await user.getAccessToken();
+		return null;
+	}
+	useAccessToken(options) {
+		const user = this.useUser({ tokenStore: options?.tokenStore ?? void 0 });
+		if (user) return user.useAccessToken();
+		return null;
+	}
+	async getRefreshToken(options) {
+		const user = await this.getUser({ tokenStore: options?.tokenStore ?? void 0 });
+		if (user) return await user.getRefreshToken();
+		return null;
+	}
+	useRefreshToken(options) {
+		const user = this.useUser({ tokenStore: options?.tokenStore ?? void 0 });
+		if (user) return user.useRefreshToken();
+		return null;
+	}
+	async getAuthorizationHeader(options) {
+		return getAuthorizationHeaderValueFromAuthJson(await this.getAuthJson(options));
+	}
+	useAuthorizationHeader(options) {
+		return getAuthorizationHeaderValueFromAuthJson(this.useAuthJson(options));
+	}
+	async getAuthHeaders(options) {
+		return { "x-stack-auth": JSON.stringify(await this.getAuthJson(options)) };
+	}
+	useAuthHeaders(options) {
+		return { "x-stack-auth": JSON.stringify(this.useAuthJson(options)) };
+	}
+	async getAuthJson(options) {
+		const user = await this.getUser({ tokenStore: options?.tokenStore ?? void 0 });
+		if (user) return await user.getAuthJson();
+		return {
+			accessToken: null,
+			refreshToken: null
+		};
+	}
+	useAuthJson(options) {
+		const user = this.useUser({ tokenStore: options?.tokenStore ?? void 0 });
+		if (user) return user.useAuthJson();
+		return {
+			accessToken: null,
+			refreshToken: null
+		};
+	}
+	async getProject() {
+		const crud = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await this._currentProjectCache.getOrWait([], "write-only"));
+		return this._clientProjectFromCrud(crud);
+	}
+	useProject() {
+		const crud = (0, __common_js.useAsyncCache)(this._currentProjectCache, [], "clientApp.useProject()");
+		return (0, react.useMemo)(() => this._clientProjectFromCrud(crud), [crud]);
+	}
+	async _listOwnedProjects(session) {
+		this._ensureInternalProject();
+		return _stackframe_stack_shared_dist_utils_results.Result.orThrow(await this._ownedProjectsCache.getOrWait([session], "write-only")).map((j) => this._getOwnedAdminApp(j.id, session)._adminOwnedProjectFromCrud(j, () => this._refreshOwnedProjects(session)));
+	}
+	_useOwnedProjects(session) {
+		this._ensureInternalProject();
+		const projects = (0, __common_js.useAsyncCache)(this._ownedProjectsCache, [session], "clientApp.useOwnedProjects()");
+		return (0, react.useMemo)(() => projects.map((j) => this._getOwnedAdminApp(j.id, session)._adminOwnedProjectFromCrud(j, () => this._refreshOwnedProjects(session))), [projects]);
+	}
+	async _createProject(session, newProject) {
+		this._ensureInternalProject();
+		const crud = await this._interface.createProject((0, ______projects_index_js.adminProjectCreateOptionsToCrud)(newProject), session);
+		const res = this._getOwnedAdminApp(crud.id, session)._adminOwnedProjectFromCrud(crud, () => this._refreshOwnedProjects(session));
+		await this._refreshOwnedProjects(session);
+		return res;
+	}
+	async _refreshUser(session) {
+		await this._refreshSession(session);
+	}
+	async _refreshSession(session) {
+		await Promise.all([this._currentUserCache.refresh([session]), this._currentUserConnectedAccountsCache.refresh([session])]);
+		session.suggestAccessTokenExpired();
+	}
+	async _refreshUsers() {}
+	async _refreshProject() {
+		await this._currentProjectCache.refresh([]);
+	}
+	async _refreshOwnedProjects(session) {
+		await this._ownedProjectsCache.refresh([session]);
+	}
+	static get [______common_js.stackAppInternalsSymbol]() {
+		return { fromClientJson: (json) => {
+			const providedCheckString = JSON.stringify((0, _stackframe_stack_shared_dist_utils_objects.omit)(json, []));
+			const existing = allClientApps.get(json.uniqueIdentifier);
+			if (existing) {
+				const [existingCheckString, clientApp] = existing;
+				if (existingCheckString !== void 0 && existingCheckString !== providedCheckString) throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("The provided app JSON does not match the configuration of the existing client app with the same unique identifier", {
+					providedObj: json,
+					existingString: existingCheckString
+				});
+				return clientApp;
+			}
+			const { analytics, ...restJson } = (0, _stackframe_stack_shared_dist_utils_objects.omit)(json, ["uniqueIdentifier"]);
+			return new _StackClientAppImplIncomplete({
+				...restJson,
+				analytics: (0, __session_replay_js.analyticsOptionsFromJson)(analytics)
+			}, {
+				uniqueIdentifier: json.uniqueIdentifier,
+				checkString: providedCheckString
+			});
+		} };
+	}
+	get [______common_js.stackAppInternalsSymbol]() {
+		return {
+			toClientJson: () => {
+				if (typeof this._redirectMethod !== "string") throw new _stackframe_stack_shared_dist_utils_errors.HexclaveAssertionError("Cannot serialize to JSON from an application with a non-string redirect method");
+				const publishableClientKey = "publishableClientKey" in this._interface.options ? this._interface.options.publishableClientKey : void 0;
+				return {
+					baseUrl: this._options.baseUrl,
+					projectId: this.projectId,
+					...publishableClientKey != null ? { publishableClientKey } : {},
+					tokenStore: this._tokenStoreInit,
+					urls: this._urlOptions,
+					oauthScopesOnSignIn: this._oauthScopesOnSignIn,
+					uniqueIdentifier: this._getUniqueIdentifier(),
+					redirectMethod: this._redirectMethod,
+					extraRequestHeaders: this._options.extraRequestHeaders,
+					devTool: this._options.devTool,
+					analytics: (0, __session_replay_js.analyticsOptionsToJson)(this._analyticsOptions)
+				};
+			},
+			setCurrentUser: (userJsonPromise) => {
+				(0, _stackframe_stack_shared_dist_utils_promises.runAsynchronously)(async () => {
+					await this._currentUserCache.forceSetCachedValueAsync([await this._getSession()], _stackframe_stack_shared_dist_utils_results.Result.fromPromise(userJsonPromise));
+				});
+			},
+			getConstructorOptions: () => this._options,
+			sendSessionReplayBatch: async (body, options) => {
+				return await this._interface.sendSessionReplayBatch(body, await this._getSession(), options);
+			},
+			sendAnalyticsEventBatch: async (body, options) => {
+				return await this._interface.sendAnalyticsEventBatch(body, await this._getSession(), options);
+			},
+			addRequestListener: (listener) => {
+				return this._interface.addRequestListener(listener);
+			},
+			sendRequest: async (path, requestOptions, requestType = "client") => {
+				return await this._interface.sendClientRequest(path, requestOptions, await this._getSession(), requestType);
+			},
+			getRedirectMethod: () => this._redirectMethod ?? (0, _stackframe_stack_shared_dist_utils_errors.throwErr)("Redirect method should have been initialized in the Stack client app constructor"),
+			redirectToUrl: async (url, options) => {
+				await this._redirectTo({
+					url,
+					...options
+				});
+			},
+			redirectToHandler: async (handlerName, options) => {
+				await this._redirectToHandler(handlerName, options);
+			},
+			refreshOwnedProjects: async () => {
+				await this._refreshOwnedProjects(await this._getSession());
+			},
+			signInWithTokens: async (tokens) => {
+				await this._signInToAccountWithTokens(tokens);
+			}
+		};
+	}
+};
+//#endregion
+exports._StackClientAppImplIncomplete = _StackClientAppImplIncomplete;
+//# sourceMappingURL=client-app-impl.js.map