@iqauth/sdk 2.0.0

package/dist/react.js

@@ -0,0 +1,1457 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/react.ts
+var react_exports = {};
+__export(react_exports, {
+  AuthCallback: () => AuthCallback,
+  IQAuthProvider: () => IQAuthProvider,
+  OrganizationSwitcher: () => OrganizationSwitcher,
+  RedirectToSignIn: () => RedirectToSignIn,
+  SignIn: () => SignIn,
+  SignUp: () => SignUp,
+  SignedIn: () => SignedIn,
+  SignedOut: () => SignedOut,
+  UserButton: () => UserButton,
+  UserProfile: () => UserProfile,
+  __version__: () => __version__,
+  useAuth: () => useAuth,
+  useAuthFetch: () => useAuthFetch,
+  useIQAuthSignInContext: () => useIQAuthSignInContext,
+  useOrganization: () => useOrganization,
+  useSession: () => useSession,
+  useUser: () => useUser
+});
+module.exports = __toCommonJS(react_exports);
+
+// src/react/index.tsx
+var import_react = require("react");
+
+// src/errors.ts
+var IQAuthError = class extends Error {
+  constructor(code, message, status, raw) {
+    super(message);
+    this.name = "IQAuthError";
+    this.code = code;
+    this.status = status;
+    this.raw = raw;
+  }
+};
+
+// src/publishableKey.ts
+function b64urlDecode(input) {
+  const pad = input.length % 4 === 0 ? "" : "=".repeat(4 - input.length % 4);
+  const normalized = input.replace(/-/g, "+").replace(/_/g, "/") + pad;
+  if (typeof atob === "function") {
+    const bin = atob(normalized);
+    const bytes = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
+    return new TextDecoder().decode(bytes);
+  }
+  const { Buffer: Buffer2 } = require("buffer");
+  return Buffer2.from(normalized, "base64").toString("utf8");
+}
+function parsePublishableKey(raw) {
+  if (typeof raw !== "string") return null;
+  const m = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
+  if (!m) return null;
+  try {
+    const json = JSON.parse(b64urlDecode(m[2]));
+    if (!json || typeof json !== "object") return null;
+    if (typeof json.iss !== "string" || typeof json.appId !== "string" || typeof json.tenantId !== "string" || typeof json.kid !== "string") {
+      return null;
+    }
+    return { mode: m[1], iss: json.iss, appId: json.appId, tenantId: json.tenantId, kid: json.kid, raw };
+  } catch {
+    return null;
+  }
+}
+
+// src/browser/storage.ts
+var REFRESH_COOKIE = "iqauth_rt";
+var PKCE_STORAGE_PREFIX = "iqauth.pkce.";
+function isBrowser() {
+  return typeof window !== "undefined" && typeof document !== "undefined";
+}
+function setCookie(name, value, opts = {}) {
+  if (!isBrowser()) return;
+  const parts = [`${name}=${encodeURIComponent(value)}`];
+  parts.push(`Path=${opts.path ?? "/"}`);
+  if (opts.maxAgeSeconds !== void 0) parts.push(`Max-Age=${opts.maxAgeSeconds}`);
+  if (opts.domain) parts.push(`Domain=${opts.domain}`);
+  if (opts.secure ?? location.protocol === "https:") parts.push("Secure");
+  parts.push(`SameSite=${opts.sameSite ?? "lax"}`);
+  document.cookie = parts.join("; ");
+}
+function getCookie(name) {
+  if (!isBrowser()) return null;
+  const target = `${name}=`;
+  const segments = document.cookie ? document.cookie.split(";") : [];
+  for (const seg of segments) {
+    const trimmed = seg.trim();
+    if (trimmed.startsWith(target)) {
+      try {
+        return decodeURIComponent(trimmed.slice(target.length));
+      } catch {
+        return null;
+      }
+    }
+  }
+  return null;
+}
+function clearCookie(name, opts = {}) {
+  setCookie(name, "", { ...opts, maxAgeSeconds: 0 });
+}
+function savePkce(record) {
+  if (!isBrowser()) return;
+  try {
+    sessionStorage.setItem(PKCE_STORAGE_PREFIX + record.state, JSON.stringify(record));
+  } catch {
+  }
+}
+function loadPkce(state) {
+  if (!isBrowser()) return null;
+  try {
+    const raw = sessionStorage.getItem(PKCE_STORAGE_PREFIX + state);
+    if (!raw) return null;
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function clearPkce(state) {
+  if (!isBrowser()) return;
+  try {
+    sessionStorage.removeItem(PKCE_STORAGE_PREFIX + state);
+  } catch {
+  }
+}
+
+// src/browser/sessionManager.ts
+var DEFAULT_REFRESH_PATH = "/api/v1/auth/refresh";
+var DEFAULT_USERINFO_PATH = "/api/v1/auth/me";
+function decodeClaims(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const json = typeof atob === "function" ? decodeURIComponent(
+      atob(parts[1].replace(/-/g, "+").replace(/_/g, "/")).split("").map((c) => "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2)).join("")
+    ) : Buffer.from(parts[1], "base64url").toString("utf8");
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
+function claimsToSessionUser(claims) {
+  if (!claims) return null;
+  return {
+    sub: claims.sub,
+    email: claims.email,
+    name: claims.name,
+    tenantId: claims.tenantId,
+    vendorId: claims.vendorId,
+    roles: claims.roles ?? [],
+    entitlements: claims.entitlements ?? []
+  };
+}
+var EMPTY = {
+  status: "loading",
+  accessToken: null,
+  user: null,
+  claims: null,
+  tenantId: null,
+  error: null,
+  version: 0
+};
+function defaultCookieStore() {
+  return {
+    read: () => getCookie(REFRESH_COOKIE),
+    write: (token) => setCookie(REFRESH_COOKIE, token, { maxAgeSeconds: 60 * 60 * 24 * 30 }),
+    clear: () => clearCookie(REFRESH_COOKIE)
+  };
+}
+var NO_OP_STORE = {
+  read: () => null,
+  write: () => void 0,
+  clear: () => void 0
+};
+var SessionManager = class {
+  constructor(options) {
+    this.snapshot = { ...EMPTY };
+    this.listeners = /* @__PURE__ */ new Set();
+    this.refreshPromise = null;
+    this.channel = null;
+    this.proactiveTimer = null;
+    this.bootstrapped = false;
+    /** Pending refresh awaited by other tabs after a `refresh:claim` from us. */
+    this.remoteRefreshWaiters = [];
+    /** Active claims by other tabs (keyed by source tabId). */
+    this.foreignClaim = null;
+    const parsed = parsePublishableKey(options.publishableKey);
+    if (!parsed) {
+      throw new Error(
+        `Invalid IQAuth publishable key. Expected pk_test_\u2026 or pk_live_\u2026 (got ${options.publishableKey?.slice(0, 12) ?? "<empty>"}\u2026).`
+      );
+    }
+    this.key = parsed;
+    const inferred = options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`);
+    this.issuer = inferred.replace(/\/+$/, "");
+    this.refreshPath = options.refreshPath ?? DEFAULT_REFRESH_PATH;
+    this.userinfoPath = options.userinfoPath ?? DEFAULT_USERINFO_PATH;
+    this.useCookies = options.useCookies ?? true;
+    this.proactiveRefresh = options.proactiveRefresh ?? true;
+    this.tokenStore = options.tokenStore ?? (this.useCookies ? defaultCookieStore() : NO_OP_STORE);
+    this.crossTabLockTimeoutMs = options.crossTabLockTimeoutMs ?? 4e3;
+    this.fetchImpl = options.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : (() => {
+      throw new Error("global fetch is not available; pass fetchImpl");
+    }));
+    this.tabId = Math.random().toString(36).slice(2);
+    if (typeof BroadcastChannel !== "undefined") {
+      const name = options.channelName ?? `iqauth.${parsed.appId}`;
+      try {
+        this.channel = new BroadcastChannel(name);
+        this.channel.onmessage = (ev) => this.onBroadcast(ev.data);
+      } catch {
+        this.channel = null;
+      }
+    }
+  }
+  get publishableKey() {
+    return this.key;
+  }
+  get appKey() {
+    return this.key.appId;
+  }
+  get tenantIdFromKey() {
+    return this.key.tenantId;
+  }
+  get issuerUrl() {
+    return this.issuer;
+  }
+  getSnapshot() {
+    return this.snapshot;
+  }
+  subscribe(listener) {
+    this.listeners.add(listener);
+    return () => {
+      this.listeners.delete(listener);
+    };
+  }
+  /**
+   * One-time bootstrap: warm the session from the refresh cookie if present.
+   * Safe to call multiple times.
+   */
+  async bootstrap() {
+    if (this.bootstrapped) return;
+    this.bootstrapped = true;
+    const stored = await Promise.resolve(this.tokenStore.read());
+    if (!stored) {
+      this.setStatus("unauthenticated");
+      return;
+    }
+    const ok = await this.refresh();
+    if (!ok) this.setStatus("unauthenticated");
+  }
+  /**
+   * Single-flight token refresh, coordinated across tabs via BroadcastChannel.
+   *
+   * Per-tab: concurrent callers share the same `refreshPromise`.
+   * Cross-tab: a tab that wants to refresh first broadcasts a `refresh:claim`
+   * with its tabId + timestamp. If it has already received a competing claim
+   * with an earlier timestamp (or lower tabId on tie), it waits for that
+   * tab's `refresh:done` message instead of issuing its own HTTP request.
+   * This prevents two tabs racing on rotating refresh tokens, which would
+   * invalidate the session.
+   */
+  refresh() {
+    if (this.refreshPromise) return this.refreshPromise;
+    this.refreshPromise = this.runRefresh().finally(() => {
+      this.refreshPromise = null;
+    });
+    return this.refreshPromise;
+  }
+  async runRefresh() {
+    const myClaim = { source: this.tabId, ts: Date.now() };
+    if (this.channel) {
+      this.broadcastEnvelope({ type: "refresh:claim", source: myClaim.source, ts: myClaim.ts });
+      await new Promise((r) => setTimeout(r, 25));
+      const foreign = this.foreignClaim;
+      if (foreign && this.claimWins(foreign, myClaim)) {
+        return this.waitForForeignRefresh();
+      }
+    }
+    try {
+      const refreshToken = await Promise.resolve(this.tokenStore.read());
+      const res = await this.fetchImpl(`${this.issuer}${this.refreshPath}`, {
+        method: "POST",
+        credentials: "include",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(refreshToken ? { refreshToken } : {})
+      });
+      const body = await res.json().catch(() => ({}));
+      const data = body.data;
+      if (!res.ok || !body.success || !data?.accessToken) {
+        const err = body.error;
+        this.setError({
+          code: err?.code ?? "REFRESH_FAILED",
+          message: err?.message ?? `Refresh failed with status ${res.status}`
+        });
+        this.broadcastEnvelope({ type: "refresh:done", source: this.tabId, ts: Date.now(), ok: false });
+        return false;
+      }
+      if (data.refreshToken) {
+        await Promise.resolve(this.tokenStore.write(data.refreshToken));
+      }
+      this.applyAccessToken(data.accessToken);
+      this.broadcast("session:refresh");
+      this.broadcastEnvelope({ type: "refresh:done", source: this.tabId, ts: Date.now(), ok: true });
+      return true;
+    } catch (err) {
+      this.setError({
+        code: "NETWORK_ERROR",
+        message: err instanceof Error ? err.message : "Refresh request failed"
+      });
+      this.broadcastEnvelope({ type: "refresh:done", source: this.tabId, ts: Date.now(), ok: false });
+      return false;
+    } finally {
+      this.foreignClaim = null;
+    }
+  }
+  claimWins(foreign, mine) {
+    if (foreign.ts < mine.ts) return true;
+    if (foreign.ts > mine.ts) return false;
+    return foreign.source < mine.source;
+  }
+  waitForForeignRefresh() {
+    return new Promise((resolve) => {
+      let settled = false;
+      const finish = (ok) => {
+        if (settled) return;
+        settled = true;
+        const idx = this.remoteRefreshWaiters.indexOf(finish);
+        if (idx >= 0) this.remoteRefreshWaiters.splice(idx, 1);
+        resolve(ok);
+      };
+      this.remoteRefreshWaiters.push(finish);
+      setTimeout(() => finish(this.snapshot.status === "authenticated"), this.crossTabLockTimeoutMs);
+    });
+  }
+  /**
+   * Apply an access token (e.g. fresh from a callback exchange) to the
+   * session and notify subscribers and other tabs.
+   */
+  applyAccessToken(accessToken, refreshToken) {
+    const claims = decodeClaims(accessToken);
+    const user = claimsToSessionUser(claims);
+    if (refreshToken) {
+      void Promise.resolve(this.tokenStore.write(refreshToken));
+    }
+    this.update({
+      status: user ? "authenticated" : "unauthenticated",
+      accessToken,
+      user,
+      claims,
+      tenantId: claims?.tenantId ?? this.key.tenantId,
+      error: null,
+      version: this.snapshot.version + 1
+    });
+    this.scheduleProactiveRefresh();
+    this.broadcast("session:update");
+  }
+  /**
+   * Returns a valid access token, refreshing once if it is expired or about
+   * to expire. Resolves to `null` if the session can no longer be revived.
+   */
+  async getToken() {
+    if (this.snapshot.accessToken && !this.isTokenExpiringSoon(this.snapshot.accessToken)) {
+      return this.snapshot.accessToken;
+    }
+    const ok = await this.refresh();
+    return ok ? this.snapshot.accessToken : null;
+  }
+  /**
+   * Browser-safe HTTP wrapper. Attaches the current access token and retries
+   * once on 401 (refreshing in between). Rejects with an `IQAuthError` on
+   * the second 401 — the caller is then responsible for redirecting to
+   * sign-in (typically by letting the unauthenticated state surface through
+   * `<SignedOut/>`).
+   */
+  async fetch(input, init = {}) {
+    const exec = async (token2) => {
+      const headers = new Headers(init.headers || {});
+      if (token2) headers.set("Authorization", `Bearer ${token2}`);
+      return this.fetchImpl(input, {
+        ...init,
+        headers,
+        credentials: init.credentials ?? "include"
+      });
+    };
+    let token = await this.getToken();
+    let res = await exec(token);
+    if (res.status !== 401) return res;
+    const refreshed = await this.refresh();
+    if (!refreshed) {
+      this.signOutLocal("unauthenticated");
+      throw new IQAuthError(
+        "TOKEN_EXPIRED",
+        "Session refresh failed; user must sign in again",
+        401
+      );
+    }
+    token = this.snapshot.accessToken;
+    res = await exec(token);
+    if (res.status === 401) {
+      this.signOutLocal("unauthenticated");
+      throw new IQAuthError(
+        "TOKEN_EXPIRED",
+        "Authenticated request failed twice with 401; aborting",
+        401
+      );
+    }
+    return res;
+  }
+  /**
+   * Clear the session locally and broadcast a sign-out to other tabs. Does
+   * not call the server — callers (e.g. signOut helper) are responsible for
+   * the server-side logout request.
+   */
+  signOutLocal(status = "unauthenticated") {
+    void Promise.resolve(this.tokenStore.clear());
+    if (this.proactiveTimer) {
+      clearTimeout(this.proactiveTimer);
+      this.proactiveTimer = null;
+    }
+    this.update({
+      status,
+      accessToken: null,
+      user: null,
+      claims: null,
+      tenantId: null,
+      error: null,
+      version: this.snapshot.version + 1
+    });
+    this.broadcast("session:signout");
+  }
+  destroy() {
+    if (this.proactiveTimer) clearTimeout(this.proactiveTimer);
+    this.proactiveTimer = null;
+    if (this.channel) {
+      try {
+        this.channel.close();
+      } catch {
+      }
+    }
+    this.channel = null;
+    this.listeners.clear();
+  }
+  // --- internals -----------------------------------------------------------
+  setStatus(status) {
+    if (this.snapshot.status === status) return;
+    this.update({ ...this.snapshot, status, version: this.snapshot.version + 1 });
+  }
+  setError(error) {
+    this.update({ ...this.snapshot, error, version: this.snapshot.version + 1 });
+  }
+  update(next) {
+    this.snapshot = next;
+    for (const l of this.listeners) l(next);
+  }
+  isTokenExpiringSoon(token) {
+    const claims = decodeClaims(token);
+    if (!claims?.exp) return false;
+    return claims.exp - Math.floor(Date.now() / 1e3) < 60;
+  }
+  scheduleProactiveRefresh() {
+    if (!this.proactiveRefresh) return;
+    if (this.proactiveTimer) {
+      clearTimeout(this.proactiveTimer);
+      this.proactiveTimer = null;
+    }
+    const claims = this.snapshot.claims;
+    if (!claims?.exp) return;
+    const msUntilRefresh = Math.max(5e3, claims.exp * 1e3 - Date.now() - 6e4);
+    this.proactiveTimer = setTimeout(() => {
+      void this.refresh();
+    }, msUntilRefresh);
+  }
+  broadcast(type) {
+    this.broadcastEnvelope({ type, source: this.tabId, ts: Date.now(), payload: this.snapshot });
+  }
+  broadcastEnvelope(env) {
+    if (!this.channel) return;
+    try {
+      this.channel.postMessage(env);
+    } catch {
+    }
+  }
+  onBroadcast(env) {
+    if (!env || env.source === this.tabId) return;
+    if (env.type === "refresh:claim") {
+      this.foreignClaim = { source: env.source, ts: env.ts };
+      return;
+    }
+    if (env.type === "refresh:done") {
+      const ok = env.ok ?? false;
+      const waiters = this.remoteRefreshWaiters;
+      this.remoteRefreshWaiters = [];
+      for (const w of waiters) w(ok);
+      this.foreignClaim = null;
+      return;
+    }
+    if (env.type === "session:signout") {
+      this.update({
+        status: "unauthenticated",
+        accessToken: null,
+        user: null,
+        claims: null,
+        tenantId: null,
+        error: null,
+        version: this.snapshot.version + 1
+      });
+      return;
+    }
+    if ((env.type === "session:update" || env.type === "session:refresh") && env.payload) {
+      this.update({
+        ...env.payload,
+        version: Math.max(this.snapshot.version, env.payload.version) + 1
+      });
+      if (this.remoteRefreshWaiters.length) {
+        const waiters = this.remoteRefreshWaiters;
+        this.remoteRefreshWaiters = [];
+        for (const w of waiters) w(true);
+      }
+    }
+  }
+};
+
+// src/browser/pkce.ts
+function getCrypto() {
+  if (typeof globalThis !== "undefined" && globalThis.crypto) {
+    return globalThis.crypto;
+  }
+  try {
+    const nodeCrypto = require("crypto").webcrypto;
+    if (nodeCrypto) return nodeCrypto;
+  } catch {
+  }
+  throw new Error("WebCrypto is not available in this environment");
+}
+function base64UrlEncode(bytes) {
+  let bin = "";
+  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
+  const b64 = typeof btoa === "function" ? btoa(bin) : Buffer.from(bin, "binary").toString("base64");
+  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function randomUrlSafe(byteLength = 32) {
+  const bytes = new Uint8Array(byteLength);
+  getCrypto().getRandomValues(bytes);
+  return base64UrlEncode(bytes);
+}
+async function s256Challenge(verifier) {
+  const data = new TextEncoder().encode(verifier);
+  const digest = await getCrypto().subtle.digest("SHA-256", data);
+  return base64UrlEncode(new Uint8Array(digest));
+}
+async function createPkcePair() {
+  const codeVerifier = randomUrlSafe(32);
+  const codeChallenge = await s256Challenge(codeVerifier);
+  const state = randomUrlSafe(16);
+  const nonce = randomUrlSafe(16);
+  return { codeVerifier, codeChallenge, state, nonce };
+}
+
+// src/browser/signIn.ts
+var DEFAULT_SIGN_IN_PATH = "/sign-in";
+var DEFAULT_LOGOUT_PATH = "/api/v1/auth/logout";
+var DEFAULT_TOKEN_PATH = "/oidc/token";
+var DEFAULT_CALLBACK_PATH = "/auth/callback";
+function defaultRedirectUri() {
+  if (typeof window === "undefined") {
+    throw new Error("redirectToSignIn requires a browser environment (window)");
+  }
+  return `${window.location.origin}${DEFAULT_CALLBACK_PATH}`;
+}
+function defaultReturnTo() {
+  if (typeof window === "undefined") return "/";
+  return window.location.href;
+}
+async function buildSignInUrl(manager, opts = {}) {
+  const pkce = await createPkcePair();
+  const redirectUri = opts.redirectUri ?? defaultRedirectUri();
+  const returnTo = opts.returnTo ?? defaultReturnTo();
+  savePkce({
+    codeVerifier: pkce.codeVerifier,
+    state: pkce.state,
+    nonce: pkce.nonce,
+    redirectUri,
+    appKey: manager.publishableKey.raw,
+    returnTo,
+    createdAt: Date.now()
+  });
+  const url = new URL(opts.signInPath ?? DEFAULT_SIGN_IN_PATH, manager.issuerUrl);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("app", manager.appKey);
+  url.searchParams.set("publishable_key", manager.publishableKey.raw);
+  url.searchParams.set("redirect_uri", redirectUri);
+  url.searchParams.set("state", pkce.state);
+  url.searchParams.set("nonce", pkce.nonce);
+  url.searchParams.set("code_challenge", pkce.codeChallenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  url.searchParams.set("scope", opts.scope ?? "openid profile email");
+  url.searchParams.set("return_to", returnTo);
+  return url.toString();
+}
+async function redirectToSignIn(manager, opts = {}) {
+  const url = await buildSignInUrl(manager, opts);
+  if (typeof window === "undefined") {
+    throw new Error("redirectToSignIn requires a browser environment");
+  }
+  window.location.assign(url);
+}
+async function signIn(manager, opts = {}) {
+  return redirectToSignIn(manager, opts);
+}
+async function handleAuthCallback(manager, options = {}) {
+  const url = new URL(options.url ?? (typeof window !== "undefined" ? window.location.href : ""));
+  const code = url.searchParams.get("code");
+  const state = url.searchParams.get("state");
+  const errorParam = url.searchParams.get("error");
+  if (errorParam) {
+    return { ok: false, returnTo: "/", error: errorParam };
+  }
+  if (!code || !state) {
+    return { ok: false, returnTo: "/", error: "missing_code_or_state" };
+  }
+  const record = loadPkce(state);
+  if (!record) {
+    return { ok: false, returnTo: "/", error: "unknown_state" };
+  }
+  clearPkce(state);
+  const fetchImpl = options.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : null);
+  if (!fetchImpl) {
+    return { ok: false, returnTo: record.returnTo, error: "no_fetch" };
+  }
+  const tokenUrl = `${manager.issuerUrl}${options.tokenPath ?? DEFAULT_TOKEN_PATH}`;
+  const res = await fetchImpl(tokenUrl, {
+    method: "POST",
+    credentials: "include",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      grant_type: "authorization_code",
+      code,
+      redirect_uri: record.redirectUri,
+      client_id: manager.appKey,
+      code_verifier: record.codeVerifier
+    })
+  });
+  const body = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    const desc = body.error_description ?? body.error ?? "token_exchange_failed";
+    return { ok: false, returnTo: record.returnTo, error: desc };
+  }
+  const tokens = body;
+  if (!tokens.access_token) {
+    return { ok: false, returnTo: record.returnTo, error: "missing_access_token" };
+  }
+  if (tokens.refresh_token) {
+    setCookie(REFRESH_COOKIE, tokens.refresh_token, { maxAgeSeconds: 60 * 60 * 24 * 30 });
+  }
+  manager.applyAccessToken(tokens.access_token, tokens.refresh_token);
+  return { ok: true, returnTo: record.returnTo };
+}
+async function signOut(manager, opts = {}) {
+  if (!opts.localOnly) {
+    try {
+      const url = `${manager.issuerUrl}${opts.logoutPath ?? DEFAULT_LOGOUT_PATH}`;
+      await manager.fetch(url, { method: "POST" }).catch(() => void 0);
+    } catch {
+    }
+  }
+  clearCookie(REFRESH_COOKIE);
+  manager.signOutLocal();
+  if (opts.returnTo && typeof window !== "undefined") {
+    window.location.assign(opts.returnTo);
+  }
+}
+
+// src/react/index.tsx
+var import_jsx_runtime = require("react/jsx-runtime");
+var IQAuthContext = (0, import_react.createContext)(null);
+function IQAuthProvider({
+  publishableKey,
+  issuer,
+  channelName,
+  proactiveRefresh,
+  manager: externalManager,
+  children
+}) {
+  const managerRef = (0, import_react.useRef)(null);
+  if (!managerRef.current) {
+    managerRef.current = externalManager ?? new SessionManager({
+      publishableKey,
+      issuer,
+      channelName,
+      proactiveRefresh
+    });
+  }
+  const manager = managerRef.current;
+  const subscribe = (0, import_react.useCallback)(
+    (cb) => manager.subscribe(() => cb()),
+    [manager]
+  );
+  const getSnapshot = (0, import_react.useCallback)(() => manager.getSnapshot(), [manager]);
+  const getServerSnapshot = (0, import_react.useCallback)(() => manager.getSnapshot(), [manager]);
+  const snapshot = (0, import_react.useSyncExternalStore)(subscribe, getSnapshot, getServerSnapshot);
+  (0, import_react.useEffect)(() => {
+    void manager.bootstrap();
+    const onVisible = () => {
+      if (typeof document !== "undefined" && document.visibilityState === "visible") {
+        void manager.refresh();
+      }
+    };
+    if (typeof document !== "undefined") {
+      document.addEventListener("visibilitychange", onVisible);
+    }
+    return () => {
+      if (typeof document !== "undefined") {
+        document.removeEventListener("visibilitychange", onVisible);
+      }
+    };
+  }, [manager]);
+  const value = (0, import_react.useMemo)(() => ({ manager, snapshot }), [manager, snapshot]);
+  return (0, import_react.createElement)(IQAuthContext.Provider, { value }, children);
+}
+function useCtx() {
+  const ctx = (0, import_react.useContext)(IQAuthContext);
+  if (!ctx) throw new Error("IQAuth hooks must be used inside <IQAuthProvider>");
+  return ctx;
+}
+function useUser() {
+  const { snapshot } = useCtx();
+  return (0, import_react.useMemo)(
+    () => ({
+      isLoaded: snapshot.status !== "loading",
+      isSignedIn: snapshot.status === "authenticated" && !!snapshot.user,
+      user: snapshot.user,
+      error: snapshot.error
+    }),
+    [snapshot.status, snapshot.user, snapshot.error, snapshot.version]
+  );
+}
+function useSession() {
+  const { snapshot } = useCtx();
+  return (0, import_react.useMemo)(
+    () => ({
+      isLoaded: snapshot.status !== "loading",
+      isSignedIn: snapshot.status === "authenticated",
+      claims: snapshot.claims,
+      accessToken: snapshot.accessToken,
+      error: snapshot.error
+    }),
+    [snapshot.status, snapshot.claims, snapshot.accessToken, snapshot.error, snapshot.version]
+  );
+}
+function useAuth() {
+  const { manager, snapshot } = useCtx();
+  return (0, import_react.useMemo)(
+    () => ({
+      isLoaded: snapshot.status !== "loading",
+      isSignedIn: snapshot.status === "authenticated",
+      userId: snapshot.user?.sub ?? null,
+      tenantId: snapshot.tenantId,
+      error: snapshot.error,
+      signIn: (opts) => signIn(manager, opts),
+      signOut: (opts) => signOut(manager, opts),
+      redirectToSignIn: (opts) => redirectToSignIn(manager, opts),
+      getToken: () => manager.getToken(),
+      fetch: (input, init) => manager.fetch(input, init)
+    }),
+    [manager, snapshot.status, snapshot.user, snapshot.tenantId, snapshot.error, snapshot.version]
+  );
+}
+function useOrganization() {
+  const { snapshot } = useCtx();
+  return (0, import_react.useMemo)(
+    () => ({
+      isLoaded: snapshot.status !== "loading",
+      organization: snapshot.tenantId ? { id: snapshot.tenantId, tenantId: snapshot.tenantId } : null,
+      error: snapshot.error
+    }),
+    [snapshot.status, snapshot.tenantId, snapshot.error, snapshot.version]
+  );
+}
+function useAuthFetch() {
+  const { manager } = useCtx();
+  return (0, import_react.useCallback)(
+    (input, init) => manager.fetch(input, init),
+    [manager]
+  );
+}
+function SignedIn({ children }) {
+  const { isSignedIn, isLoaded } = useUser();
+  if (!isLoaded || !isSignedIn) return null;
+  return (0, import_react.createElement)(import_react.Fragment, null, children);
+}
+function SignedOut({ children }) {
+  const { isSignedIn, isLoaded } = useUser();
+  if (!isLoaded || isSignedIn) return null;
+  return (0, import_react.createElement)(import_react.Fragment, null, children);
+}
+function RedirectToSignIn(props = {}) {
+  const { manager, snapshot } = useCtx();
+  (0, import_react.useEffect)(() => {
+    if (snapshot.status === "unauthenticated") {
+      void redirectToSignIn(manager, props);
+    }
+  }, [manager, snapshot.status]);
+  return null;
+}
+function AuthCallback({ onComplete, fallback } = {}) {
+  const { manager } = useCtx();
+  (0, import_react.useEffect)(() => {
+    let cancelled = false;
+    void handleAuthCallback(manager).then((result) => {
+      if (cancelled) return;
+      if (onComplete) onComplete(result);
+      else if (typeof window !== "undefined") {
+        window.location.replace(result.returnTo || "/");
+      }
+    });
+    return () => {
+      cancelled = true;
+    };
+  }, [manager, onComplete]);
+  return (0, import_react.createElement)(import_react.Fragment, null, fallback ?? null);
+}
+function brandStyle(branding) {
+  if (!branding) return {};
+  const s = {};
+  if (branding.primaryColor) s["--brand-primary"] = branding.primaryColor;
+  if (branding.accentColor) s["--brand-accent"] = branding.accentColor;
+  if (branding.backgroundColor) s["--brand-bg"] = branding.backgroundColor;
+  if (branding.surfaceColor) s["--brand-surface"] = branding.surfaceColor;
+  if (branding.textColor) s["--brand-text"] = branding.textColor;
+  return s;
+}
+async function jsonFetch(url, init) {
+  const res = await fetch(url, { ...init, credentials: init?.credentials || "include" });
+  const payload = await res.json().catch(() => ({}));
+  if (!res.ok && payload?.success !== true) {
+    const message = payload?.error?.message || payload?.error_description || payload?.error || `HTTP ${res.status}`;
+    throw new Error(typeof message === "string" ? message : "Request failed");
+  }
+  return payload;
+}
+function useIQAuthSignInContext(iqAuthBaseUrl, appKey, returnTo) {
+  const [ctx, setCtx] = (0, import_react.useState)(null);
+  const [loading, setLoading] = (0, import_react.useState)(true);
+  const [error, setError] = (0, import_react.useState)(null);
+  (0, import_react.useEffect)(() => {
+    if (!appKey) {
+      setLoading(false);
+      setError("appKey is required");
+      return;
+    }
+    let cancelled = false;
+    setLoading(true);
+    const url = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/public/apps/${encodeURIComponent(appKey)}/sign-in-context?return_to=${encodeURIComponent(returnTo)}`;
+    fetch(url).then((r) => r.json()).then((payload) => {
+      if (cancelled) return;
+      if (payload?.success === false) throw new Error(payload?.error?.message || "Failed to load sign-in context");
+      setCtx(payload.data);
+    }).catch((err) => {
+      if (!cancelled) setError(err.message);
+    }).finally(() => {
+      if (!cancelled) setLoading(false);
+    });
+    return () => {
+      cancelled = true;
+    };
+  }, [iqAuthBaseUrl, appKey, returnTo]);
+  return { ctx, loading, error };
+}
+function Shell({
+  branding,
+  className,
+  children
+}) {
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
+    "div",
+    {
+      className,
+      style: {
+        background: "var(--brand-surface, #ffffff)",
+        color: "var(--brand-text, #0f172a)",
+        border: "1px solid rgba(15,23,42,0.08)",
+        borderRadius: 12,
+        padding: 24,
+        ...brandStyle(branding)
+      },
+      children: [
+        branding?.logoUrl ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("img", { src: branding.logoUrl, alt: branding.brandName || "", style: { height: 28, width: "auto", marginBottom: 16 } }) : null,
+        children
+      ]
+    }
+  );
+}
+function Field({ label, children }) {
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("label", { style: { display: "flex", flexDirection: "column", gap: 6, fontSize: 13 }, children: [
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)("span", { style: { fontWeight: 500 }, children: label }),
+    children
+  ] });
+}
+function inputStyle() {
+  return {
+    padding: "8px 12px",
+    border: "1px solid rgba(15,23,42,0.15)",
+    borderRadius: 6,
+    fontSize: 14,
+    width: "100%",
+    background: "transparent",
+    color: "inherit"
+  };
+}
+function PrimaryButton(props) {
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+    "button",
+    {
+      ...props,
+      style: {
+        background: "var(--brand-primary, #3b82f6)",
+        color: "#fff",
+        border: "none",
+        padding: "10px 16px",
+        borderRadius: 8,
+        fontSize: 14,
+        fontWeight: 500,
+        cursor: props.disabled ? "not-allowed" : "pointer",
+        opacity: props.disabled ? 0.6 : 1,
+        width: "100%",
+        ...props.style
+      }
+    }
+  );
+}
+function GhostButton(props) {
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+    "button",
+    {
+      ...props,
+      style: {
+        background: "transparent",
+        color: "inherit",
+        border: "1px solid rgba(15,23,42,0.15)",
+        padding: "10px 16px",
+        borderRadius: 8,
+        fontSize: 14,
+        fontWeight: 500,
+        cursor: props.disabled ? "not-allowed" : "pointer",
+        width: "100%",
+        ...props.style
+      }
+    }
+  );
+}
+function ErrorBanner({ message }) {
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { role: "alert", style: {
+    borderLeft: "3px solid #dc2626",
+    background: "rgba(220,38,38,0.08)",
+    padding: "10px 14px",
+    borderRadius: "0 6px 6px 0",
+    fontSize: 13,
+    color: "#b91c1c"
+  }, children: message });
+}
+function SignIn({ iqAuthBaseUrl, appKey, returnTo, onRedirect, className }) {
+  const { ctx, loading, error } = useIQAuthSignInContext(iqAuthBaseUrl, appKey, returnTo);
+  const [email, setEmail] = (0, import_react.useState)("");
+  const [password, setPassword] = (0, import_react.useState)("");
+  const [submitting, setSubmitting] = (0, import_react.useState)(false);
+  const [formError, setFormError] = (0, import_react.useState)("");
+  const [mfa, setMfa] = (0, import_react.useState)(null);
+  const [tenantSel, setTenantSel] = (0, import_react.useState)(null);
+  const [oauthExchanging, setOauthExchanging] = (0, import_react.useState)(false);
+  const oidcPayload = () => ({
+    client_id: ctx?.app.defaultClientId,
+    redirect_uri: returnTo,
+    scope: "openid"
+  });
+  const handlePayload = (payload) => {
+    if (payload.type === "redirect" && payload.redirectUrl) {
+      (onRedirect || ((u) => {
+        window.location.href = u;
+      }))(payload.redirectUrl);
+      return true;
+    }
+    if (payload.type === "tenant_selection") {
+      setTenantSel({ token: payload.tenantSelectionToken, tenants: payload.tenants || [] });
+      return true;
+    }
+    if (payload.type === "mfa_required") {
+      const methods = payload.availableMethods || ["totp"];
+      setMfa({ token: payload.mfaChallengeToken, methods, selected: methods[0], code: "", backup: false });
+      return true;
+    }
+    return false;
+  };
+  const submitLogin = async (e) => {
+    e.preventDefault();
+    if (!ctx?.app.defaultClientId) {
+      setFormError("Application is not configured for hosted sign-in.");
+      return;
+    }
+    setSubmitting(true);
+    setFormError("");
+    try {
+      const r = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/oidc/sso-login`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        credentials: "include",
+        body: JSON.stringify({ email, password, ...oidcPayload() })
+      });
+      const payload = await r.json().catch(() => ({}));
+      if (!handlePayload(payload)) setFormError(payload.error_description || payload.error || "Sign-in failed");
+    } catch (err) {
+      setFormError(err.message || "Network error");
+    }
+    setSubmitting(false);
+  };
+  const submitMfa = async (e) => {
+    e.preventDefault();
+    if (!mfa) return;
+    setSubmitting(true);
+    setFormError("");
+    const r = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/oidc/sso-mfa-complete`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      credentials: "include",
+      body: JSON.stringify({
+        mfaChallengeToken: mfa.token,
+        code: mfa.code,
+        method: mfa.selected,
+        useBackup: mfa.backup,
+        ...oidcPayload()
+      })
+    });
+    const payload = await r.json().catch(() => ({}));
+    if (!handlePayload(payload)) setFormError(payload.error_description || payload.error || "MFA verification failed");
+    setSubmitting(false);
+  };
+  const submitTenant = async (tenantId) => {
+    if (!tenantSel) return;
+    setSubmitting(true);
+    setFormError("");
+    const r = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/oidc/sso-tenant-select`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      credentials: "include",
+      body: JSON.stringify({ tenantSelectionToken: tenantSel.token, tenantId, ...oidcPayload() })
+    });
+    const payload = await r.json().catch(() => ({}));
+    if (!handlePayload(payload)) setFormError(payload.error_description || payload.error || "Tenant selection failed");
+    setSubmitting(false);
+  };
+  const startGoogleLogin = () => {
+    if (!ctx?.app.defaultClientId) {
+      setFormError("Application is not configured for hosted sign-in.");
+      return;
+    }
+    const bridgeUrl = window.location.href;
+    const url = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/google?redirect_uri=${encodeURIComponent(bridgeUrl)}&client_id=${encodeURIComponent(ctx.app.defaultClientId)}`;
+    window.location.href = url;
+  };
+  (0, import_react.useEffect)(() => {
+    if (!ctx?.app.defaultClientId) return;
+    const params = new URLSearchParams(window.location.search);
+    const oauthCode = params.get("code");
+    if (!oauthCode) return;
+    const u = new URL(window.location.href);
+    u.searchParams.delete("code");
+    const codeRedirectUri = u.toString();
+    setOauthExchanging(true);
+    setFormError("");
+    (async () => {
+      try {
+        const r = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/oidc/sso-complete-oauth`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          credentials: "include",
+          body: JSON.stringify({
+            authCode: oauthCode,
+            code_redirect_uri: codeRedirectUri,
+            ...oidcPayload()
+          })
+        });
+        const payload = await r.json().catch(() => ({}));
+        try {
+          window.history.replaceState({}, "", u.pathname + (u.search ? u.search : "") + u.hash);
+        } catch {
+        }
+        if (!handlePayload(payload)) setFormError(payload.error_description || payload.error || "Authorization code exchange failed");
+      } catch (err) {
+        setFormError(err.message || "Authorization code exchange failed");
+      }
+      setOauthExchanging(false);
+    })();
+  }, [ctx?.app.defaultClientId]);
+  if (loading || oauthExchanging) return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { branding: ctx?.branding || null, className, children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { children: oauthExchanging ? "Completing sign-in\u2026" : "Loading\u2026" }) });
+  if (error || !ctx) return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { branding: null, className, children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: error || "Failed to load app context" }) });
+  if (!ctx.returnAllowed) return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { branding: ctx.branding, className, children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: `returnTo "${returnTo}" is not in this app's allowed origins.` }) });
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Shell, { branding: ctx.branding, className, children: [
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h2", { style: { fontSize: 20, fontWeight: 600, margin: "0 0 12px" }, children: ctx.branding?.loginHeadline || `Sign in to ${ctx.app.name}` }),
+    ctx.branding?.loginSubheadline ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { marginBottom: 16, fontSize: 13, opacity: 0.7 }, children: ctx.branding.loginSubheadline }) : null,
+    formError ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { marginBottom: 12 }, children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: formError }) }) : null,
+    tenantSel ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { role: "radiogroup", "aria-label": "Choose tenant", style: { display: "flex", flexDirection: "column", gap: 8 }, children: tenantSel.tenants.map((t) => /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
+      "button",
+      {
+        type: "button",
+        "data-iqauth-tenant": t.tenantId,
+        onClick: () => submitTenant(t.tenantId),
+        style: { textAlign: "left", padding: "10px 14px", border: "1px solid rgba(15,23,42,0.15)", borderRadius: 8, background: "transparent", color: "inherit", cursor: "pointer" },
+        children: [
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { margin: 0, fontWeight: 500 }, children: t.tenantName || t.tenantSlug || t.tenantId }),
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { margin: 0, fontSize: 12, opacity: 0.6 }, children: t.roles.join(", ") })
+        ]
+      },
+      t.tenantId
+    )) }) : mfa ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("form", { onSubmit: submitMfa, style: { display: "flex", flexDirection: "column", gap: 12 }, "aria-label": "MFA verification", children: [
+      !mfa.backup && mfa.methods.length > 1 ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Method", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("select", { style: inputStyle(), value: mfa.selected, onChange: (e) => setMfa({ ...mfa, selected: e.target.value }), children: mfa.methods.map((m) => /* @__PURE__ */ (0, import_jsx_runtime.jsx)("option", { value: m, children: m.toUpperCase() }, m)) }) }) : null,
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: mfa.backup ? "Backup code" : "Verification code", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+        "input",
+        {
+          style: { ...inputStyle(), fontFamily: "monospace", textAlign: mfa.backup ? "left" : "center", letterSpacing: mfa.backup ? "0.04em" : "0.3em" },
+          value: mfa.code,
+          onChange: (e) => setMfa({ ...mfa, code: e.target.value }),
+          autoComplete: "one-time-code",
+          inputMode: mfa.backup ? "text" : "numeric"
+        }
+      ) }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(PrimaryButton, { type: "submit", disabled: submitting || !mfa.code, children: submitting ? "Verifying\u2026" : "Verify" }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(GhostButton, { type: "button", onClick: () => setMfa({ ...mfa, backup: !mfa.backup, code: "" }), children: mfa.backup ? "Use verification code" : "Use backup code" })
+    ] }) : /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { style: { display: "flex", flexDirection: "column", gap: 12 }, children: [
+      ctx.providers?.google ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(import_jsx_runtime.Fragment, { children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(GhostButton, { type: "button", onClick: startGoogleLogin, disabled: submitting, "aria-label": "Continue with Google", style: { display: "flex", alignItems: "center", justifyContent: "center", gap: 10 }, children: [
+          /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("svg", { width: "18", height: "18", viewBox: "0 0 18 18", "aria-hidden": "true", children: [
+            /* @__PURE__ */ (0, import_jsx_runtime.jsx)("path", { fill: "#4285F4", d: "M17.64 9.2c0-.64-.06-1.25-.17-1.84H9v3.48h4.84a4.14 4.14 0 0 1-1.8 2.71v2.26h2.92a8.78 8.78 0 0 0 2.68-6.61z" }),
+            /* @__PURE__ */ (0, import_jsx_runtime.jsx)("path", { fill: "#34A853", d: "M9 18c2.43 0 4.47-.81 5.96-2.18l-2.92-2.26a5.4 5.4 0 0 1-8.04-2.83H.96v2.33A9 9 0 0 0 9 18z" }),
+            /* @__PURE__ */ (0, import_jsx_runtime.jsx)("path", { fill: "#FBBC05", d: "M3.96 10.71A5.41 5.41 0 0 1 3.68 9c0-.59.1-1.17.29-1.71V4.96H.96a9 9 0 0 0 0 8.08l3-2.33z" }),
+            /* @__PURE__ */ (0, import_jsx_runtime.jsx)("path", { fill: "#EA4335", d: "M9 3.58c1.32 0 2.5.45 3.44 1.35l2.58-2.59A9 9 0 0 0 .96 4.96l3 2.33A5.4 5.4 0 0 1 9 3.58z" })
+          ] }),
+          "Continue with Google"
+        ] }),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { role: "separator", "aria-label": "or", style: { display: "flex", alignItems: "center", gap: 10, fontSize: 12, opacity: 0.6 }, children: [
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("span", { style: { flex: 1, height: 1, background: "rgba(15,23,42,0.12)" } }),
+          "OR",
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("span", { style: { flex: 1, height: 1, background: "rgba(15,23,42,0.12)" } })
+        ] })
+      ] }) : null,
+      /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("form", { onSubmit: submitLogin, style: { display: "flex", flexDirection: "column", gap: 12 }, "aria-label": `Sign in to ${ctx.app.name}`, children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Email", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), type: "email", autoComplete: "email", required: true, value: email, onChange: (e) => setEmail(e.target.value) }) }),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Password", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), type: "password", autoComplete: "current-password", required: true, value: password, onChange: (e) => setPassword(e.target.value) }) }),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(PrimaryButton, { type: "submit", disabled: submitting || !email || !password, children: submitting ? "Signing in\u2026" : "Sign in" })
+      ] })
+    ] })
+  ] });
+}
+function SignUp({ iqAuthBaseUrl, appKey, returnTo, onSuccess, className }) {
+  const { ctx, loading } = useIQAuthSignInContext(iqAuthBaseUrl, appKey, returnTo || "");
+  const [name, setName] = (0, import_react.useState)("");
+  const [email, setEmail] = (0, import_react.useState)("");
+  const [password, setPassword] = (0, import_react.useState)("");
+  const [organizationName, setOrganizationName] = (0, import_react.useState)("");
+  const [submitting, setSubmitting] = (0, import_react.useState)(false);
+  const [error, setError] = (0, import_react.useState)("");
+  const [done, setDone] = (0, import_react.useState)(false);
+  const submit = async (e) => {
+    e.preventDefault();
+    setSubmitting(true);
+    setError("");
+    try {
+      await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/signup`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ email, name, password, organizationName: organizationName || void 0 })
+      });
+      setDone(true);
+      onSuccess?.();
+    } catch (err) {
+      setError(err.message);
+    }
+    setSubmitting(false);
+  };
+  if (loading) return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { branding: null, className, children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { children: "Loading\u2026" }) });
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Shell, { branding: ctx?.branding || null, className, children: [
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h2", { style: { fontSize: 20, fontWeight: 600, margin: "0 0 12px" }, children: "Create your account" }),
+    done ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { role: "status", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { children: "Account created. Check your email for verification." }) }) : /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("form", { onSubmit: submit, style: { display: "flex", flexDirection: "column", gap: 12 }, children: [
+      error ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: error }) : null,
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Full name", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), value: name, onChange: (e) => setName(e.target.value), required: true }) }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Email", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), type: "email", autoComplete: "email", value: email, onChange: (e) => setEmail(e.target.value), required: true }) }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Organization (optional)", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), value: organizationName, onChange: (e) => setOrganizationName(e.target.value) }) }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Password", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), type: "password", autoComplete: "new-password", minLength: 8, value: password, onChange: (e) => setPassword(e.target.value), required: true }) }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(PrimaryButton, { type: "submit", disabled: submitting || !email || !password || !name, children: submitting ? "Creating\u2026" : "Create account" })
+    ] })
+  ] });
+}
+function initialsOf(name, email) {
+  const src = name || email || "?";
+  const parts = src.split(/[\s@]+/).filter(Boolean);
+  if (parts.length >= 2) return (parts[0][0] + parts[1][0]).toUpperCase();
+  return src.substring(0, 2).toUpperCase();
+}
+function UserButton({ iqAuthBaseUrl, accountUrl, onSignOut, className }) {
+  const [user, setUser] = (0, import_react.useState)(null);
+  const [open, setOpen] = (0, import_react.useState)(false);
+  (0, import_react.useEffect)(() => {
+    let cancelled = false;
+    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()).then((p) => {
+      if (!cancelled && p?.data) setUser(p.data);
+    }).catch(() => {
+    });
+    return () => {
+      cancelled = true;
+    };
+  }, [iqAuthBaseUrl]);
+  const signOut2 = async () => {
+    try {
+      await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/logout`, { method: "POST", credentials: "include" });
+    } catch {
+    }
+    if (onSignOut) onSignOut();
+    else window.location.reload();
+  };
+  if (!user) return null;
+  const target = accountUrl || `${iqAuthBaseUrl.replace(/\/$/, "")}/account`;
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { className, style: { position: "relative", display: "inline-block" }, children: [
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+      "button",
+      {
+        type: "button",
+        "aria-haspopup": "menu",
+        "aria-expanded": open,
+        onClick: () => setOpen((o) => !o),
+        style: {
+          width: 32,
+          height: 32,
+          borderRadius: "50%",
+          background: "var(--brand-accent, #6366f1)",
+          color: "#fff",
+          border: "none",
+          cursor: "pointer",
+          fontSize: 12,
+          fontWeight: 600
+        },
+        children: user.picture ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("img", { src: user.picture, alt: user.name, style: { width: "100%", height: "100%", borderRadius: "50%" } }) : initialsOf(user.name, user.email)
+      }
+    ),
+    open ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { role: "menu", style: {
+      position: "absolute",
+      right: 0,
+      top: 40,
+      minWidth: 200,
+      background: "#fff",
+      border: "1px solid rgba(15,23,42,0.12)",
+      borderRadius: 8,
+      boxShadow: "0 4px 12px rgba(0,0,0,0.08)",
+      padding: 8,
+      zIndex: 100
+    }, children: [
+      /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { style: { padding: "8px 10px", fontSize: 12, opacity: 0.7, borderBottom: "1px solid rgba(15,23,42,0.06)" }, children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontWeight: 500, color: "#0f172a" }, children: user.name }),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { children: user.email })
+      ] }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("a", { href: target, role: "menuitem", style: { display: "block", padding: "8px 10px", fontSize: 13, color: "#0f172a", textDecoration: "none" }, children: "Account" }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+        "button",
+        {
+          role: "menuitem",
+          type: "button",
+          onClick: signOut2,
+          style: { display: "block", width: "100%", textAlign: "left", padding: "8px 10px", fontSize: 13, background: "transparent", border: "none", cursor: "pointer", color: "#b91c1c" },
+          children: "Sign out"
+        }
+      )
+    ] }) : null
+  ] });
+}
+function UserProfile({ iqAuthBaseUrl, className }) {
+  const [user, setUser] = (0, import_react.useState)(null);
+  const [oldPassword, setOldPassword] = (0, import_react.useState)("");
+  const [newPassword, setNewPassword] = (0, import_react.useState)("");
+  const [pwState, setPwState] = (0, import_react.useState)({ submitting: false, message: "", error: "" });
+  const [sessions, setSessions] = (0, import_react.useState)([]);
+  (0, import_react.useEffect)(() => {
+    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()).then((p) => {
+      if (p?.data) setUser(p.data);
+    }).catch(() => {
+    });
+    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/sessions`, { credentials: "include" }).then((r) => r.json()).then((p) => setSessions(p?.data?.sessions || p?.data || [])).catch(() => {
+    });
+  }, [iqAuthBaseUrl]);
+  const changePassword = async (e) => {
+    e.preventDefault();
+    setPwState({ submitting: true, message: "", error: "" });
+    try {
+      await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/password/change`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ oldPassword, newPassword })
+      });
+      setPwState({ submitting: false, message: "Password updated.", error: "" });
+      setOldPassword("");
+      setNewPassword("");
+    } catch (err) {
+      setPwState({ submitting: false, message: "", error: err.message });
+    }
+  };
+  const revoke = async (sessionId) => {
+    await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/sessions/${sessionId}`, { method: "DELETE", credentials: "include" });
+    setSessions((prev) => prev.filter((s) => s.id !== sessionId));
+  };
+  if (!user) return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { branding: null, className, children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { children: "Loading account\u2026" }) });
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Shell, { branding: null, className, children: [
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h2", { style: { fontSize: 20, fontWeight: 600, margin: "0 0 12px" }, children: "Your account" }),
+    /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("section", { "aria-labelledby": "iqauth-profile", style: { marginBottom: 20 }, children: [
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h3", { id: "iqauth-profile", style: { fontSize: 14, fontWeight: 600 }, children: "Profile" }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("p", { style: { fontSize: 13, margin: "4px 0" }, children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)("strong", { children: "Name:" }),
+        " ",
+        user.name
+      ] }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("p", { style: { fontSize: 13, margin: "4px 0" }, children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)("strong", { children: "Email:" }),
+        " ",
+        user.email
+      ] })
+    ] }),
+    /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("section", { "aria-labelledby": "iqauth-pw", style: { marginBottom: 20 }, children: [
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h3", { id: "iqauth-pw", style: { fontSize: 14, fontWeight: 600 }, children: "Change password" }),
+      pwState.error ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: pwState.error }) : null,
+      pwState.message ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { role: "status", style: { fontSize: 13, color: "#047857" }, children: pwState.message }) : null,
+      /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("form", { onSubmit: changePassword, style: { display: "flex", flexDirection: "column", gap: 10 }, children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Current password", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), type: "password", autoComplete: "current-password", value: oldPassword, onChange: (e) => setOldPassword(e.target.value), required: true }) }),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "New password", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), type: "password", autoComplete: "new-password", minLength: 8, value: newPassword, onChange: (e) => setNewPassword(e.target.value), required: true }) }),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(PrimaryButton, { type: "submit", disabled: pwState.submitting || !oldPassword || !newPassword, children: pwState.submitting ? "Updating\u2026" : "Change password" })
+      ] })
+    ] }),
+    /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("section", { "aria-labelledby": "iqauth-sessions", children: [
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h3", { id: "iqauth-sessions", style: { fontSize: 14, fontWeight: 600 }, children: "Sessions" }),
+      sessions.length === 0 ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { fontSize: 13, opacity: 0.6 }, children: "No active sessions." }) : /* @__PURE__ */ (0, import_jsx_runtime.jsx)("ul", { style: { listStyle: "none", padding: 0, margin: 0, display: "flex", flexDirection: "column", gap: 6 }, children: sessions.map((s) => /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("li", { style: { display: "flex", justifyContent: "space-between", fontSize: 13, padding: "6px 10px", background: "#f8fafc", borderRadius: 6 }, children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)("span", { children: s.userAgent || s.deviceName || "Unknown" }),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)("button", { type: "button", onClick: () => revoke(s.id), style: { fontSize: 12, color: "#b91c1c", background: "transparent", border: "1px solid #fecaca", borderRadius: 4, padding: "2px 8px", cursor: "pointer" }, children: "Revoke" })
+      ] }, s.id)) })
+    ] })
+  ] });
+}
+function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, className }) {
+  const [memberships, setMemberships] = (0, import_react.useState)([]);
+  const [activeTenantId, setActiveTenantId] = (0, import_react.useState)(null);
+  const [open, setOpen] = (0, import_react.useState)(false);
+  (0, import_react.useEffect)(() => {
+    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()).then((p) => {
+      if (p?.data?.tenantId) setActiveTenantId(p.data.tenantId);
+    }).catch(() => {
+    });
+    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/tenants/memberships`, { credentials: "include" }).then((r) => r.json()).then((p) => setMemberships(p?.data?.memberships || p?.data || [])).catch(() => {
+    });
+  }, [iqAuthBaseUrl]);
+  const switchTo = async (tenantId) => {
+    try {
+      await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/select-tenant`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ tenantId })
+      });
+      setActiveTenantId(tenantId);
+      setOpen(false);
+      onSwitched?.(tenantId);
+    } catch {
+    }
+  };
+  const active = memberships.find((m) => m.tenantId === activeTenantId);
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { className, style: { position: "relative", display: "inline-block" }, children: [
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+      "button",
+      {
+        type: "button",
+        "aria-haspopup": "menu",
+        "aria-expanded": open,
+        onClick: () => setOpen((o) => !o),
+        style: { background: "transparent", border: "1px solid rgba(15,23,42,0.15)", padding: "6px 12px", borderRadius: 6, cursor: "pointer", fontSize: 13 },
+        children: active?.tenantName || active?.tenantSlug || "Select organization"
+      }
+    ),
+    open ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { role: "menu", style: {
+      position: "absolute",
+      left: 0,
+      top: 36,
+      minWidth: 220,
+      background: "#fff",
+      border: "1px solid rgba(15,23,42,0.12)",
+      borderRadius: 8,
+      boxShadow: "0 4px 12px rgba(0,0,0,0.08)",
+      padding: 8,
+      zIndex: 100
+    }, children: memberships.length === 0 ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { fontSize: 13, opacity: 0.6, padding: "4px 6px" }, children: "No memberships" }) : memberships.map((m) => /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
+      "button",
+      {
+        role: "menuitem",
+        type: "button",
+        onClick: () => switchTo(m.tenantId),
+        style: {
+          display: "block",
+          width: "100%",
+          textAlign: "left",
+          padding: "8px 10px",
+          background: m.tenantId === activeTenantId ? "rgba(99,102,241,0.08)" : "transparent",
+          border: "none",
+          borderRadius: 4,
+          cursor: "pointer",
+          fontSize: 13,
+          color: "#0f172a"
+        },
+        children: [
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontWeight: 500 }, children: m.tenantName || m.tenantSlug || m.tenantId }),
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontSize: 11, opacity: 0.6 }, children: m.roles.join(", ") })
+        ]
+      },
+      m.tenantId
+    )) }) : null
+  ] });
+}
+var __version__ = "phase-bc-1.0.0";
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AuthCallback,
+  IQAuthProvider,
+  OrganizationSwitcher,
+  RedirectToSignIn,
+  SignIn,
+  SignUp,
+  SignedIn,
+  SignedOut,
+  UserButton,
+  UserProfile,
+  __version__,
+  useAuth,
+  useAuthFetch,
+  useIQAuthSignInContext,
+  useOrganization,
+  useSession,
+  useUser
+});