@iqauth/sdk 2.0.0

package/dist/service.js

@@ -0,0 +1,1809 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/service.ts
+var service_exports = {};
+__export(service_exports, {
+  ErrorCodes: () => ErrorCodes,
+  IQAuthClient: () => IQAuthClient,
+  IQAuthError: () => IQAuthError,
+  ServiceIQAuthClient: () => ServiceIQAuthClient,
+  createServiceClient: () => createServiceClient
+});
+module.exports = __toCommonJS(service_exports);
+
+// src/errors.ts
+var IQAuthError = class extends Error {
+  constructor(code, message, status, raw) {
+    super(message);
+    this.name = "IQAuthError";
+    this.code = code;
+    this.status = status;
+    this.raw = raw;
+  }
+};
+var ErrorCodes = {
+  VALIDATION_ERROR: "VALIDATION_ERROR",
+  INVALID_CREDENTIALS: "INVALID_CREDENTIALS",
+  ACCOUNT_INACTIVE: "ACCOUNT_INACTIVE",
+  ACCOUNT_LOCKED: "ACCOUNT_LOCKED",
+  INSUFFICIENT_PERMISSIONS: "INSUFFICIENT_PERMISSIONS",
+  TOKEN_INVALID: "TOKEN_INVALID",
+  TOKEN_EXPIRED: "TOKEN_EXPIRED",
+  TOKEN_REVOKED: "TOKEN_REVOKED",
+  USER_INACTIVE: "USER_INACTIVE",
+  INTERNAL_ERROR: "INTERNAL_ERROR",
+  NOT_FOUND: "NOT_FOUND",
+  SESSION_INVALID: "SESSION_INVALID",
+  SESSION_EXPIRED: "SESSION_EXPIRED",
+  REFRESH_TOKEN_REUSED: "REFRESH_TOKEN_REUSED",
+  PASSWORD_EXPIRED: "PASSWORD_EXPIRED",
+  PIN_EXPIRED: "PIN_EXPIRED",
+  PASSWORD_POLICY_VIOLATION: "PASSWORD_POLICY_VIOLATION",
+  MFA_INVALID_CODE: "MFA_INVALID_CODE",
+  MFA_METHOD_UNAVAILABLE: "MFA_METHOD_UNAVAILABLE",
+  MFA_RATE_LIMITED: "MFA_RATE_LIMITED",
+  MFA_ENROLLMENT_REQUIRED: "MFA_ENROLLMENT_REQUIRED",
+  API_KEY_REQUIRED: "API_KEY_REQUIRED",
+  API_KEY_INVALID: "API_KEY_INVALID",
+  AUTH_REQUIRED: "AUTH_REQUIRED",
+  ALREADY_EXISTS: "ALREADY_EXISTS",
+  FORBIDDEN: "FORBIDDEN",
+  OAUTH_NOT_CONFIGURED: "OAUTH_NOT_CONFIGURED",
+  UPLOAD_ERROR: "UPLOAD_ERROR",
+  EMAIL_SERVICE_UNAVAILABLE: "EMAIL_SERVICE_UNAVAILABLE",
+  INVALID_CODE: "INVALID_CODE",
+  CODE_ALREADY_USED: "CODE_ALREADY_USED",
+  CODE_EXPIRED: "CODE_EXPIRED",
+  CODE_IP_MISMATCH: "CODE_IP_MISMATCH",
+  UNKNOWN_PAYLOAD: "UNKNOWN_PAYLOAD"
+};
+
+// src/http.ts
+var DEFAULT_RETRY = {
+  maxAttempts: 3,
+  baseDelayMs: 100,
+  maxDelayMs: 2e3
+};
+function resolveRetry(cfg) {
+  return {
+    maxAttempts: Math.max(1, cfg?.maxAttempts ?? DEFAULT_RETRY.maxAttempts),
+    baseDelayMs: Math.max(0, cfg?.baseDelayMs ?? DEFAULT_RETRY.baseDelayMs),
+    maxDelayMs: Math.max(0, cfg?.maxDelayMs ?? DEFAULT_RETRY.maxDelayMs)
+  };
+}
+function sleep(ms) {
+  if (ms <= 0) return Promise.resolve();
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+var HttpClient = class {
+  constructor(config) {
+    this.refreshPromise = null;
+    this.config = config;
+    this.retryConfig = resolveRetry(config.retry);
+  }
+  computeBackoffDelay(attempt) {
+    const exp = Math.min(this.retryConfig.maxDelayMs, this.retryConfig.baseDelayMs * 2 ** (attempt - 1));
+    return Math.floor(Math.random() * exp);
+  }
+  isRetryableStatus(status) {
+    return status === 429 || status >= 500 && status <= 599;
+  }
+  async fetchWithRetry(url, init) {
+    const { maxAttempts } = this.retryConfig;
+    let lastError;
+    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+      try {
+        const res = await fetch(url, init);
+        if (this.isRetryableStatus(res.status) && attempt < maxAttempts) {
+          await sleep(this.computeBackoffDelay(attempt));
+          continue;
+        }
+        return res;
+      } catch (err) {
+        lastError = err;
+        if (attempt >= maxAttempts) break;
+        await sleep(this.computeBackoffDelay(attempt));
+      }
+    }
+    throw lastError instanceof Error ? lastError : new IQAuthError("INTERNAL_ERROR", "Network request failed");
+  }
+  get baseUrl() {
+    return this.config.baseUrl;
+  }
+  get environment() {
+    return this.config.environment;
+  }
+  isBrowserSession() {
+    return this.config.environment === "browser_session";
+  }
+  hasCredentials() {
+    return this.isBrowserSession() || !!(this.config.getApiKey() || this.config.getAccessToken());
+  }
+  buildHeaders(overrideAuth) {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (this.isBrowserSession()) {
+      const headerName = this.config.sessionHeaderName || "x-iqauth-session";
+      headers[headerName] = this.config.sessionHeaderValue || "cookie";
+      return headers;
+    }
+    const authMode = overrideAuth || (this.config.getApiKey() ? "apikey" : "bearer");
+    if (authMode === "apikey") {
+      const apiKey = this.config.getApiKey();
+      if (apiKey) {
+        headers["X-API-Key"] = apiKey;
+      }
+    } else {
+      const token = this.config.getAccessToken();
+      if (token) {
+        headers["Authorization"] = `Bearer ${token}`;
+      }
+    }
+    return headers;
+  }
+  isTokenExpiringSoon() {
+    const token = this.config.getAccessToken();
+    if (!token) return false;
+    try {
+      const parts = token.split(".");
+      if (parts.length !== 3) return false;
+      const payload = JSON.parse(
+        typeof atob === "function" ? atob(parts[1].replace(/-/g, "+").replace(/_/g, "/")) : Buffer.from(parts[1], "base64url").toString("utf8")
+      );
+      if (!payload.exp) return false;
+      const now = Math.floor(Date.now() / 1e3);
+      return payload.exp - now < 60;
+    } catch {
+      return false;
+    }
+  }
+  async attemptRefresh() {
+    if (this.refreshPromise) {
+      return this.refreshPromise;
+    }
+    this.refreshPromise = (async () => {
+      try {
+        const res = await this.fetchWithRetry(`${this.config.baseUrl}/api/v1/auth/refresh`, {
+          method: "POST",
+          headers: this.buildHeaders(),
+          ...this.isBrowserSession() ? { credentials: "include" } : (() => {
+            const refreshToken = this.config.getRefreshToken();
+            if (!refreshToken) throw new IQAuthError("TOKEN_INVALID", "No refresh token available");
+            return { body: JSON.stringify({ refreshToken }) };
+          })()
+        });
+        const body = await res.json();
+        if (!body.success) {
+          throw new IQAuthError(
+            body.error.code,
+            body.error.message,
+            res.status,
+            body
+          );
+        }
+        if (this.isBrowserSession()) {
+          return;
+        }
+        if (!body.data.accessToken || !body.data.refreshToken) {
+          throw new IQAuthError("TOKEN_INVALID", "Refresh response did not include a token pair");
+        }
+        const tokens = {
+          accessToken: body.data.accessToken,
+          refreshToken: body.data.refreshToken
+        };
+        this.config.setTokens(tokens);
+        this.config.onTokenRefresh?.(tokens);
+      } finally {
+        this.refreshPromise = null;
+      }
+    })();
+    return this.refreshPromise;
+  }
+  async request(method, path, body, options) {
+    return this.requestWithRetry(method, path, body, options, false);
+  }
+  async requestWithRetry(method, path, body, options, hasRetried) {
+    if (this.config.autoRefresh && !options?.skipAutoRefresh && !this.isBrowserSession() && this.config.getRefreshToken() && this.isTokenExpiringSoon()) {
+      await this.attemptRefresh();
+    }
+    const url = `${this.config.baseUrl}${path}`;
+    const headers = this.buildHeaders(options?.authMode);
+    const fetchOptions = {
+      method,
+      headers,
+      ...this.isBrowserSession() ? { credentials: "include" } : {}
+    };
+    if (body !== void 0 && method !== "GET") {
+      fetchOptions.body = JSON.stringify(body);
+    }
+    const res = await this.fetchWithRetry(url, fetchOptions);
+    if (res.status === 204) {
+      return void 0;
+    }
+    const responseBody = await res.json();
+    if (!responseBody.success) {
+      const shouldRetryRefresh = !hasRetried && this.config.autoRefresh && !options?.skipAutoRefresh && responseBody.error.code === "TOKEN_EXPIRED" && (this.isBrowserSession() || !!this.config.getRefreshToken());
+      if (shouldRetryRefresh) {
+        await this.attemptRefresh();
+        return this.requestWithRetry(method, path, body, options, true);
+      }
+      throw new IQAuthError(
+        responseBody.error.code,
+        responseBody.error.message,
+        res.status,
+        responseBody
+      );
+    }
+    return responseBody.data;
+  }
+  async requestRaw(method, path, body) {
+    const url = `${this.config.baseUrl}${path}`;
+    const headers = { "Content-Type": "application/json" };
+    if (this.isBrowserSession()) {
+      const headerName = this.config.sessionHeaderName || "x-iqauth-session";
+      headers[headerName] = this.config.sessionHeaderValue || "cookie";
+    }
+    const token = this.config.getAccessToken();
+    if (token) {
+      headers["Authorization"] = `Bearer ${token}`;
+    }
+    const fetchOptions = { method, headers };
+    if (this.isBrowserSession()) {
+      fetchOptions.credentials = "include";
+    }
+    if (body !== void 0 && method !== "GET") {
+      fetchOptions.body = JSON.stringify(body);
+    }
+    const res = await fetch(url, fetchOptions);
+    return await res.json();
+  }
+};
+
+// src/modules/auth.ts
+function parseLoginResponse(data, browserSessionMode) {
+  if (data.accessToken && data.refreshToken && data.user) {
+    return {
+      status: "authenticated",
+      authMode: "token",
+      tokens: { accessToken: data.accessToken, refreshToken: data.refreshToken },
+      user: data.user
+    };
+  }
+  if (browserSessionMode && data.user) {
+    return {
+      status: "authenticated",
+      authMode: "session",
+      user: data.user
+    };
+  }
+  if (data.mfaChallengeToken && !data.tenantSelectionToken) {
+    return {
+      status: "mfa_required",
+      mfaChallengeToken: data.mfaChallengeToken,
+      availableMethods: data.availableMethods ?? []
+    };
+  }
+  if (data.tenantSelectionToken && data.tenants) {
+    return {
+      status: "tenant_selection",
+      tenantSelectionToken: data.tenantSelectionToken,
+      tenants: data.tenants
+    };
+  }
+  throw new Error("Unexpected login response shape");
+}
+var AuthModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async login(email, password) {
+    const data = await this.http.request(
+      "POST",
+      "/api/v1/auth/login",
+      { email, password },
+      { skipAutoRefresh: true }
+    );
+    return parseLoginResponse(data, this.http.isBrowserSession());
+  }
+  async signup(input) {
+    const data = await this.http.request(
+      "POST",
+      "/api/v1/auth/signup",
+      input,
+      { skipAutoRefresh: true }
+    );
+    return parseLoginResponse(data, this.http.isBrowserSession());
+  }
+  async completeMfa(mfaChallengeToken, code, method) {
+    const data = await this.http.request(
+      "POST",
+      "/api/v1/mfa/verify",
+      { mfaChallengeToken, code, method },
+      { skipAutoRefresh: true }
+    );
+    return parseMfaResponse(data, this.http.isBrowserSession());
+  }
+  async completeMfaWithBackup(mfaChallengeToken, backupCode) {
+    const data = await this.http.request(
+      "POST",
+      "/api/v1/mfa/verify-backup",
+      { mfaChallengeToken, backupCode },
+      { skipAutoRefresh: true }
+    );
+    return parseMfaResponse(data, this.http.isBrowserSession());
+  }
+  async sendMfaChallenge(mfaChallengeToken, method) {
+    return this.http.request("POST", "/api/v1/mfa/challenge", {
+      mfaChallengeToken,
+      method
+    }, { skipAutoRefresh: true });
+  }
+  async selectTenant(tenantSelectionToken, tenantId) {
+    const data = await this.http.request(
+      "POST",
+      "/api/v1/auth/select-tenant",
+      {
+        tenantSelectionToken,
+        tenantId
+      },
+      { skipAutoRefresh: true }
+    );
+    return parseLoginResponse(data, this.http.isBrowserSession());
+  }
+  async logout() {
+    return this.http.request("POST", "/api/v1/auth/logout");
+  }
+  async logoutAll() {
+    return this.http.request("POST", "/api/v1/auth/logout-all");
+  }
+  async refreshTokens(refreshToken) {
+    if (this.http.isBrowserSession()) {
+      throw new Error("refreshTokens(refreshToken) is not used in browser_session mode; the backend session should own refresh.");
+    }
+    const data = await this.http.request(
+      "POST",
+      "/api/v1/auth/refresh",
+      { refreshToken },
+      { skipAutoRefresh: true }
+    );
+    return { accessToken: data.accessToken, refreshToken: data.refreshToken };
+  }
+  async forgotPassword(email) {
+    return this.http.request("POST", "/api/v1/auth/password/reset/request", { email }, { skipAutoRefresh: true });
+  }
+  async resetPassword(token, newPassword) {
+    return this.http.request("POST", "/api/v1/auth/password/reset/confirm", { token, newPassword }, { skipAutoRefresh: true });
+  }
+  async changePassword(currentPassword, newPassword) {
+    return this.http.request("POST", "/api/v1/auth/password/change", {
+      currentPassword,
+      newPassword
+    });
+  }
+  async verifyToken() {
+    return this.http.request("GET", "/api/v1/auth/verify");
+  }
+  async exchangeOAuthCode(code) {
+    const data = await this.http.request(
+      "POST",
+      "/api/v1/auth/oauth/exchange",
+      { code },
+      { skipAutoRefresh: true }
+    );
+    return parseLoginResponse(data, this.http.isBrowserSession());
+  }
+  async getSessionUser() {
+    return this.http.request("GET", "/api/v1/auth/me");
+  }
+};
+function parseMfaResponse(data, browserSessionMode) {
+  if (data.accessToken && data.refreshToken && data.user) {
+    return {
+      authMode: "token",
+      tokens: { accessToken: data.accessToken, refreshToken: data.refreshToken },
+      user: data.user,
+      ...data.remainingBackupCodes !== void 0 ? { remainingBackupCodes: data.remainingBackupCodes } : {},
+      ...data.warning ? { warning: data.warning } : {}
+    };
+  }
+  if (browserSessionMode && data.user) {
+    return {
+      authMode: "session",
+      user: data.user,
+      ...data.remainingBackupCodes !== void 0 ? { remainingBackupCodes: data.remainingBackupCodes } : {},
+      ...data.warning ? { warning: data.warning } : {}
+    };
+  }
+  throw new Error("Unexpected MFA response shape");
+}
+
+// src/modules/tokens.ts
+var import_crypto = __toESM(require("crypto"));
+var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
+var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
+var DEFAULT_TOKEN_ISSUER = "auth.dispositioniq.com";
+var DEFAULT_TOKEN_AUDIENCE = [
+  "dispositioniq",
+  "iqcapture",
+  "iqreuse",
+  "iqvalidate"
+];
+var DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
+var TokensModule = class {
+  constructor(baseUrl, options = {}) {
+    this.jwksCache = null;
+    this.inFlightRefresh = null;
+    this.baseUrl = baseUrl;
+    this.defaultIssuer = options.issuer ?? DEFAULT_TOKEN_ISSUER;
+    this.defaultAudience = options.audience ?? DEFAULT_TOKEN_AUDIENCE;
+    this.defaultClockTolerance = options.clockTolerance ?? DEFAULT_CLOCK_TOLERANCE_SECONDS;
+  }
+  /**
+   * Verify a JWT access token using RS256 via JWKS from /.well-known/jwks.json.
+   * Caches JWKS keys for 1 hour. Retries once on unknown `kid`.
+   *
+   * @remarks Validates against /.well-known/jwks.json. Issuer, audience, and
+   * clock tolerance default to client config but can be overridden per call.
+   */
+  async verify(token, options = {}) {
+    const decoded = import_jsonwebtoken.default.decode(token, { complete: true });
+    if (!decoded || typeof decoded === "string") {
+      throw new IQAuthError("TOKEN_INVALID", "Unable to decode token");
+    }
+    const kid = decoded.header.kid;
+    if (!kid) {
+      throw new IQAuthError("TOKEN_INVALID", "Token missing kid header");
+    }
+    let publicKey = await this.getPublicKey(kid);
+    if (!publicKey) {
+      await this.refreshJwks();
+      publicKey = await this.getPublicKey(kid);
+    }
+    if (!publicKey) {
+      throw new IQAuthError("TOKEN_INVALID", `Unknown key ID: ${kid}`);
+    }
+    const issuer = options.issuer ?? this.defaultIssuer;
+    const audience = options.audience ?? this.defaultAudience;
+    const clockTolerance = options.clockTolerance ?? this.defaultClockTolerance;
+    const algorithms = options.algorithms ?? ["RS256"];
+    try {
+      const verifyOptions = {
+        algorithms,
+        clockTolerance,
+        // The jsonwebtoken types insist on tuple types for arrays; runtime
+        // accepts plain string[] so we cast to satisfy the compiler.
+        issuer,
+        audience
+      };
+      const verified = import_jsonwebtoken.default.verify(token, publicKey, verifyOptions);
+      return verified;
+    } catch (err) {
+      if (err instanceof Error) {
+        if (err.name === "TokenExpiredError") {
+          throw new IQAuthError("TOKEN_EXPIRED", "Token has expired");
+        }
+        throw new IQAuthError("TOKEN_INVALID", err.message);
+      }
+      throw new IQAuthError("TOKEN_INVALID", "Token verification failed");
+    }
+  }
+  /**
+   * Decode a JWT without verification. Returns null if malformed.
+   *
+   * @remarks Local decode only — no network call
+   */
+  decode(token) {
+    const decoded = import_jsonwebtoken.default.decode(token);
+    return decoded;
+  }
+  /**
+   * Check if a token is expired based on the `exp` claim.
+   *
+   * @remarks Local check only — no network call
+   */
+  isExpired(token) {
+    const claims = this.decode(token);
+    if (!claims?.exp) return true;
+    const now = Math.floor(Date.now() / 1e3);
+    return claims.exp <= now;
+  }
+  /**
+   * Get the claims from a token without verification.
+   *
+   * @remarks Local decode only — no network call
+   */
+  getClaims(token) {
+    const claims = this.decode(token);
+    if (!claims) {
+      throw new IQAuthError("TOKEN_INVALID", "Unable to decode token claims");
+    }
+    return claims;
+  }
+  async getPublicKey(kid) {
+    if (!this.jwksCache || Date.now() - this.jwksCache.fetchedAt > JWKS_CACHE_TTL_MS) {
+      await this.refreshJwks();
+    }
+    return this.jwksCache?.keys.get(kid) ?? null;
+  }
+  async refreshJwks() {
+    if (this.inFlightRefresh) {
+      return this.inFlightRefresh;
+    }
+    this.inFlightRefresh = (async () => {
+      try {
+        const res = await fetch(`${this.baseUrl}/.well-known/jwks.json`);
+        if (!res.ok) {
+          throw new IQAuthError(
+            "INTERNAL_ERROR",
+            `Failed to fetch JWKS: ${res.status}`
+          );
+        }
+        let jwks;
+        try {
+          jwks = await res.json();
+        } catch {
+          throw new IQAuthError("INTERNAL_ERROR", "Malformed JWKS response: invalid JSON");
+        }
+        if (!jwks || !Array.isArray(jwks.keys)) {
+          throw new IQAuthError(
+            "INTERNAL_ERROR",
+            "Malformed JWKS response: expected { keys: [...] }"
+          );
+        }
+        const keys = /* @__PURE__ */ new Map();
+        for (const key of jwks.keys) {
+          if (!key || typeof key.kid !== "string" || typeof key.n !== "string" || typeof key.e !== "string") {
+            throw new IQAuthError(
+              "INTERNAL_ERROR",
+              "Malformed JWKS response: key missing required fields"
+            );
+          }
+          const pem = this.jwkToPem(key);
+          keys.set(key.kid, pem);
+        }
+        this.jwksCache = { keys, fetchedAt: Date.now() };
+      } finally {
+        this.inFlightRefresh = null;
+      }
+    })();
+    return this.inFlightRefresh;
+  }
+  jwkToPem(jwk) {
+    const keyObject = import_crypto.default.createPublicKey({
+      key: {
+        kty: jwk.kty,
+        n: jwk.n,
+        e: jwk.e
+      },
+      format: "jwk"
+    });
+    return keyObject.export({ type: "spki", format: "pem" });
+  }
+  /** @internal Exposed for testing — clears JWKS cache */
+  clearCache() {
+    this.jwksCache = null;
+  }
+};
+
+// src/modules/sessions.ts
+var SessionsModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * List all active sessions for the current user.
+   *
+   * @remarks Wraps GET /api/v1/sessions
+   */
+  async list() {
+    return this.http.request("GET", "/api/v1/sessions");
+  }
+  /**
+   * Revoke (terminate) a specific session by ID.
+   *
+   * @remarks Wraps DELETE /api/v1/sessions/:sessionId
+   */
+  async revoke(sessionId) {
+    return this.http.request("DELETE", `/api/v1/sessions/${sessionId}`);
+  }
+  /**
+   * Revoke all sessions for the current user.
+   *
+   * @remarks Wraps POST /api/v1/auth/logout-all
+   */
+  async revokeAll() {
+    return this.http.request("POST", "/api/v1/auth/logout-all");
+  }
+};
+
+// src/modules/users.ts
+var UsersModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Get the currently authenticated user's profile.
+   *
+   * @remarks Wraps GET /api/v1/users/me
+   */
+  async getCurrent() {
+    return this.http.request("GET", "/api/v1/users/me");
+  }
+  /**
+   * Get a user by ID.
+   *
+   * @remarks Wraps GET /api/v1/users/:id
+   */
+  async getById(userId) {
+    return this.http.request("GET", `/api/v1/users/${userId}`);
+  }
+  /**
+   * List users in the current tenant. Requires tenant_admin role.
+   *
+   * @remarks Wraps GET /api/v1/users
+   */
+  async list(params) {
+    const query = new URLSearchParams();
+    if (params?.email) query.set("email", params.email);
+    if (params?.tenantId) query.set("tenantId", params.tenantId);
+    const qs = query.toString();
+    return this.http.request("GET", `/api/v1/users${qs ? `?${qs}` : ""}`);
+  }
+  /**
+   * Provision (create) a new user in a tenant. Requires platform_admin or tenant-scoped API key with admin role.
+   *
+   * @remarks Wraps POST /api/v1/tenants/:tenantId/users/provision
+   */
+  async create(tenantId, data) {
+    return this.http.request("POST", `/api/v1/tenants/${tenantId}/users/provision`, data);
+  }
+  /**
+   * Update the current user's profile (name, picture).
+   *
+   * @remarks Wraps PATCH /api/v1/users/me
+   */
+  async update(data) {
+    return this.http.request("PATCH", "/api/v1/users/me", data);
+  }
+  /**
+   * Deactivate a user in the current tenant. Requires tenant_admin role.
+   *
+   * @remarks Wraps PATCH /api/v1/users/:id/deactivate
+   */
+  async deactivate(userId) {
+    return this.http.request("PATCH", `/api/v1/users/${userId}/deactivate`);
+  }
+  /**
+   * Reactivate a user in the current tenant. Requires tenant_admin role.
+   *
+   * @remarks Wraps PATCH /api/v1/users/:id/reactivate
+   */
+  async reactivate(userId) {
+    return this.http.request("PATCH", `/api/v1/users/${userId}/reactivate`);
+  }
+  /**
+   * Unlock a locked user account in the current tenant. Requires tenant_admin role.
+   *
+   * @remarks Wraps PATCH /api/v1/users/:id/unlock
+   */
+  async unlock(userId) {
+    return this.http.request("PATCH", `/api/v1/users/${userId}/unlock`);
+  }
+  /**
+   * Get effective permissions for a user for a specific product.
+   *
+   * @remarks Wraps GET /api/v1/users/:id/permissions?product=...
+   */
+  async getPermissions(userId, product) {
+    return this.http.request("GET", `/api/v1/users/${userId}/permissions?product=${encodeURIComponent(product)}`);
+  }
+  /**
+   * Change the current user's password.
+   *
+   * @remarks Wraps POST /api/v1/auth/password/change
+   */
+  async updatePassword(currentPassword, newPassword) {
+    return this.http.request("POST", "/api/v1/auth/password/change", {
+      currentPassword,
+      newPassword
+    });
+  }
+};
+
+// src/modules/permissions.ts
+var PermissionsModule = class {
+  constructor(claimsProvider) {
+    this.getClaims = claimsProvider;
+  }
+  /**
+   * Get the roles from the current JWT claims.
+   *
+   * @remarks Extracted from JWT claim `roles` (string[])
+   */
+  getRoles() {
+    return this.getClaims()?.roles ?? [];
+  }
+  /**
+   * Get the entitlements from the current JWT claims.
+   *
+   * @remarks Extracted from JWT claim `entitlements` (string[])
+   */
+  getEntitlements() {
+    return this.getClaims()?.entitlements ?? [];
+  }
+  /**
+   * Check if the current user has a specific role.
+   *
+   * @remarks Checks against JWT claim `roles`
+   */
+  hasRole(role) {
+    return this.getRoles().includes(role);
+  }
+  /**
+   * Check if the current user has a specific entitlement.
+   *
+   * @remarks Checks against JWT claim `entitlements`
+   */
+  hasEntitlement(entitlement) {
+    return this.getEntitlements().includes(entitlement);
+  }
+  /**
+   * Check if the current user has all of the specified roles.
+   *
+   * @remarks Checks against JWT claim `roles`
+   */
+  hasAllRoles(roles) {
+    const userRoles = this.getRoles();
+    return roles.every((r) => userRoles.includes(r));
+  }
+  /**
+   * Check if the current user has any of the specified roles.
+   *
+   * @remarks Checks against JWT claim `roles`
+   */
+  hasAnyRole(roles) {
+    const userRoles = this.getRoles();
+    return roles.some((r) => userRoles.includes(r));
+  }
+  /**
+   * Check if the current user has all of the specified entitlements.
+   *
+   * @remarks Checks against JWT claim `entitlements`
+   */
+  hasAllEntitlements(entitlements) {
+    const userEntitlements = this.getEntitlements();
+    return entitlements.every((e) => userEntitlements.includes(e));
+  }
+  /**
+   * Check if the current user has any of the specified entitlements.
+   *
+   * @remarks Checks against JWT claim `entitlements`
+   */
+  hasAnyEntitlement(entitlements) {
+    const userEntitlements = this.getEntitlements();
+    return entitlements.some((e) => userEntitlements.includes(e));
+  }
+};
+
+// src/modules/oidc.ts
+var import_crypto2 = __toESM(require("crypto"));
+var InMemoryOidcStateStore = class {
+  constructor() {
+    this.map = /* @__PURE__ */ new Map();
+  }
+  set(state, value) {
+    this.map.set(state, value);
+  }
+  get(state) {
+    const entry = this.map.get(state);
+    if (!entry) return null;
+    if (entry.expiresAt < Date.now()) {
+      this.map.delete(state);
+      return null;
+    }
+    return entry;
+  }
+  delete(state) {
+    this.map.delete(state);
+  }
+};
+var DEFAULT_REQUEST_TTL_MS = 10 * 60 * 1e3;
+function base64UrlEncode(buf) {
+  return buf.toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+var OidcModule = class {
+  constructor(http, baseUrl, options = {}) {
+    this.http = http;
+    this.baseUrl = baseUrl;
+    this.stateStore = options.stateStore ?? new InMemoryOidcStateStore();
+    this.requestTtlMs = options.requestTtlMs ?? DEFAULT_REQUEST_TTL_MS;
+    this.tokensModule = options.tokens;
+  }
+  /** @internal Allow the client to inject its TokensModule after construction. */
+  _setTokensModule(tokens) {
+    if (!this.tokensModule) this.tokensModule = tokens;
+  }
+  /**
+   * Fetch the OpenID Connect discovery document.
+   *
+   * @remarks Wraps GET /.well-known/openid-configuration
+   */
+  async getDiscovery() {
+    const res = await fetch(`${this.baseUrl}/.well-known/openid-configuration`);
+    if (!res.ok) throw new Error(`Failed to fetch OIDC discovery: ${res.status}`);
+    return res.json();
+  }
+  /**
+   * Fetch the JSON Web Key Set.
+   *
+   * @remarks Wraps GET /.well-known/jwks.json
+   */
+  async getJwks() {
+    const res = await fetch(`${this.baseUrl}/.well-known/jwks.json`);
+    if (!res.ok) throw new Error(`Failed to fetch JWKS: ${res.status}`);
+    return res.json();
+  }
+  /**
+   * Build an OIDC authorization URL for redirect-based login.
+   *
+   * @remarks Constructs URL pointing to /oidc/authorize. Prefer
+   * {@link createAuthRequest} which also generates and stores PKCE/state/nonce.
+   */
+  buildAuthorizationUrl(params) {
+    const url = new URL("/oidc/authorize", this.baseUrl);
+    url.searchParams.set("response_type", "code");
+    url.searchParams.set("client_id", params.clientId);
+    url.searchParams.set("redirect_uri", params.redirectUri);
+    url.searchParams.set("scope", params.scope || "openid");
+    url.searchParams.set("state", params.state);
+    if (params.nonce) url.searchParams.set("nonce", params.nonce);
+    if (params.codeChallenge) url.searchParams.set("code_challenge", params.codeChallenge);
+    if (params.codeChallengeMethod) url.searchParams.set("code_challenge_method", params.codeChallengeMethod);
+    return url.toString();
+  }
+  /**
+   * Generate `code_verifier`, `code_challenge`, `state`, and `nonce`, persist
+   * them via the configured storage adapter, and return an authorization URL
+   * ready to redirect the user to.
+   */
+  async createAuthRequest(params) {
+    const codeVerifier = base64UrlEncode(import_crypto2.default.randomBytes(32));
+    const codeChallenge = base64UrlEncode(
+      import_crypto2.default.createHash("sha256").update(codeVerifier).digest()
+    );
+    const state = base64UrlEncode(import_crypto2.default.randomBytes(16));
+    const nonce = base64UrlEncode(import_crypto2.default.randomBytes(16));
+    await this.stateStore.set(state, {
+      codeVerifier,
+      state,
+      nonce,
+      redirectUri: params.redirectUri,
+      clientId: params.clientId,
+      expiresAt: Date.now() + this.requestTtlMs
+    });
+    const authorizationUrl = this.buildAuthorizationUrl({
+      clientId: params.clientId,
+      redirectUri: params.redirectUri,
+      scope: params.scope,
+      state,
+      nonce,
+      codeChallenge,
+      codeChallengeMethod: "S256"
+    });
+    return {
+      authorizationUrl,
+      state,
+      nonce,
+      codeVerifier,
+      codeChallenge,
+      codeChallengeMethod: "S256"
+    };
+  }
+  /**
+   * Validate the callback `state`, exchange the code with the bound PKCE
+   * verifier, and verify that the returned `id_token` (if any) carries the
+   * stored `nonce` and `aud === clientId`.
+   */
+  async handleCallback(params) {
+    if (!params.state) {
+      throw new IQAuthError("VALIDATION_ERROR", "OIDC callback missing state parameter");
+    }
+    if (!params.code) {
+      throw new IQAuthError("VALIDATION_ERROR", "OIDC callback missing code parameter");
+    }
+    const stored = await this.stateStore.get(params.state);
+    if (!stored) {
+      throw new IQAuthError("VALIDATION_ERROR", "Unknown or expired OIDC state");
+    }
+    let tokens;
+    try {
+      tokens = await this.exchangeCode({
+        code: params.code,
+        redirectUri: stored.redirectUri,
+        clientId: stored.clientId,
+        clientSecret: params.clientSecret,
+        codeVerifier: stored.codeVerifier
+      });
+    } finally {
+      await this.stateStore.delete(params.state);
+    }
+    let idTokenClaims = null;
+    if (tokens.id_token) {
+      if (!this.tokensModule) {
+        throw new IQAuthError(
+          "INTERNAL_ERROR",
+          "OIDC handleCallback received an id_token but no TokensModule is configured for verification"
+        );
+      }
+      idTokenClaims = await this.tokensModule.verify(tokens.id_token, {
+        audience: stored.clientId
+      });
+      const claimsBag = idTokenClaims;
+      const tokenNonce = typeof claimsBag.nonce === "string" ? claimsBag.nonce : void 0;
+      if (!tokenNonce || tokenNonce !== stored.nonce) {
+        throw new IQAuthError(
+          "TOKEN_INVALID",
+          "OIDC id_token nonce did not match the stored value"
+        );
+      }
+    }
+    return { tokens, idTokenClaims };
+  }
+  /**
+   * Exchange an authorization code for tokens at the OIDC token endpoint.
+   *
+   * @remarks Wraps POST /oidc/token (or /api/v1/oidc/token)
+   */
+  async exchangeCode(params) {
+    const body = {
+      grant_type: "authorization_code",
+      code: params.code,
+      redirect_uri: params.redirectUri,
+      client_id: params.clientId
+    };
+    if (params.clientSecret) body.client_secret = params.clientSecret;
+    if (params.codeVerifier) body.code_verifier = params.codeVerifier;
+    const res = await fetch(`${this.baseUrl}/oidc/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body)
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(
+        `OIDC token exchange failed: ${err.error_description || err.error || res.status}`
+      );
+    }
+    return res.json();
+  }
+  /**
+   * Get user info from the OIDC userinfo endpoint.
+   *
+   * @remarks Wraps GET /oidc/userinfo (requires Bearer token)
+   */
+  async getUserInfo() {
+    if (this.http.isBrowserSession()) {
+      throw new Error("oidc.getUserInfo() requires a bearer token and is not supported in browser_session mode.");
+    }
+    return this.http.requestRaw("GET", "/oidc/userinfo");
+  }
+  async getClientContext(clientId) {
+    const res = await fetch(`${this.baseUrl}/oidc/client-context?client_id=${encodeURIComponent(clientId)}`);
+    if (!res.ok) throw new Error(`Failed to fetch OIDC client context: ${res.status}`);
+    const payload = await res.json();
+    if (!payload.success || !payload.data) {
+      throw new Error("OIDC client context response was invalid");
+    }
+    return payload.data;
+  }
+};
+
+// src/modules/tenants.ts
+function normalizeBrandingConfig(config) {
+  return {
+    ...config,
+    brandName: config.brandName ?? config.companyName,
+    loginHeadline: config.loginHeadline ?? config.headline ?? null,
+    loginSubheadline: config.loginSubheadline ?? config.subheadline ?? null,
+    companyName: config.companyName ?? config.brandName,
+    headline: config.headline ?? config.loginHeadline ?? null,
+    subheadline: config.subheadline ?? config.loginSubheadline ?? null
+  };
+}
+var TenantsModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async getCurrent(tenantId) {
+    return this.http.request("GET", `/api/v1/tenants/${tenantId}`);
+  }
+  async get(tenantId) {
+    return this.http.request("GET", `/api/v1/tenants/${tenantId}`);
+  }
+  async list(params) {
+    const query = new URLSearchParams();
+    if (params?.vendorId) query.set("vendorId", params.vendorId);
+    const qs = query.toString();
+    return this.http.request("GET", `/api/v1/tenants${qs ? `?${qs}` : ""}`);
+  }
+  async create(data) {
+    return this.http.request("POST", "/api/v1/tenants", data);
+  }
+  async update(tenantId, data) {
+    return this.http.request("PATCH", `/api/v1/tenants/${tenantId}`, data);
+  }
+  async delete(tenantId) {
+    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}`);
+  }
+  async promoteToVendor(tenantId, data) {
+    return this.http.request("POST", `/api/v1/tenants/${tenantId}/promote-to-vendor`, data);
+  }
+  async getUsers(tenantId) {
+    return this.http.request("GET", `/api/v1/tenants/${tenantId}/users`);
+  }
+  async inviteUser(tenantId, data) {
+    return this.http.request("POST", `/api/v1/tenants/${tenantId}/users/invite`, data);
+  }
+  async changeUserRole(tenantId, userId, role) {
+    return this.http.request("PATCH", `/api/v1/tenants/${tenantId}/users/${userId}/role`, { role });
+  }
+  async migrateUser(tenantId, userId, data) {
+    return this.http.request("POST", `/api/v1/tenants/${tenantId}/users/${userId}/migrate`, data);
+  }
+  async removeUser(tenantId, userId) {
+    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}/users/${userId}`);
+  }
+  async getPasswordPolicy(tenantId) {
+    return this.http.request("GET", `/api/v1/tenants/${tenantId}/password-policy`);
+  }
+  async updatePasswordPolicy(tenantId, data) {
+    return this.http.request("PATCH", `/api/v1/tenants/${tenantId}/password-policy`, data);
+  }
+  async getMfaPolicies(tenantId) {
+    return this.http.request("GET", `/api/v1/tenants/${tenantId}/mfa-policies`);
+  }
+  async updateMfaPolicy(tenantId, role, data) {
+    return this.http.request("PATCH", `/api/v1/tenants/${tenantId}/mfa-policies/${role}`, data);
+  }
+  async getPublicBranding(params) {
+    const query = new URLSearchParams();
+    if (params?.vendor) query.set("vendor", params.vendor);
+    const qs = query.toString();
+    const url = `${this.http.baseUrl}/api/public/branding${qs ? `?${qs}` : ""}`;
+    const res = await fetch(url);
+    if (!res.ok) return null;
+    const body = await res.json();
+    if (body.success && body.data) return normalizeBrandingConfig(body.data);
+    return null;
+  }
+  async getPublicBrandingBySlug(vendorSlug) {
+    const url = `${this.http.baseUrl}/api/public/branding/by-slug/${encodeURIComponent(vendorSlug)}`;
+    const res = await fetch(url);
+    if (!res.ok) return null;
+    const body = await res.json();
+    if (body.success && body.data) return normalizeBrandingConfig(body.data);
+    return null;
+  }
+};
+
+// src/modules/apps.ts
+var AppsModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Self-service Phase A: provision an app + OIDC client + key pair in one shot.
+   * Caller must be authenticated as a tenant_admin (or platform_admin).
+   *
+   * @remarks Wraps POST /api/v1/apps
+   */
+  async create(data) {
+    return this.http.request("POST", "/api/v1/apps", data);
+  }
+  async update(id, data) {
+    return this.http.request("PATCH", `/api/v1/apps/${encodeURIComponent(id)}`, data);
+  }
+  async remove(id) {
+    return this.http.request("DELETE", `/api/v1/apps/${encodeURIComponent(id)}`);
+  }
+  async listOrigins(id) {
+    return this.http.request("GET", `/api/v1/apps/${encodeURIComponent(id)}/origins`);
+  }
+  async addOrigin(id, origin) {
+    return this.http.request("POST", `/api/v1/apps/${encodeURIComponent(id)}/origins`, { origin });
+  }
+  async removeOrigin(id, origin) {
+    return this.http.request("DELETE", `/api/v1/apps/${encodeURIComponent(id)}/origins/${encodeURIComponent(origin)}`);
+  }
+  async listKeys(id) {
+    return this.http.request("GET", `/api/v1/apps/${encodeURIComponent(id)}/keys`);
+  }
+  async createKey(id, data) {
+    return this.http.request("POST", `/api/v1/apps/${encodeURIComponent(id)}/keys`, data);
+  }
+  async rotateKey(id, keyId) {
+    return this.http.request("POST", `/api/v1/apps/${encodeURIComponent(id)}/keys/${encodeURIComponent(keyId)}/rotate`, {});
+  }
+  async revokeKey(id, keyId) {
+    return this.http.request("DELETE", `/api/v1/apps/${encodeURIComponent(id)}/keys/${encodeURIComponent(keyId)}`);
+  }
+  /**
+   * List all registered applications.
+   * Requires `apps.view` permission on the `iqauth-admin` app.
+   *
+   * @remarks Wraps GET /api/v1/apps
+   */
+  async list() {
+    return this.http.request("GET", "/api/v1/apps");
+  }
+  /**
+   * Get a registered application by its unique key, including its permission nodes.
+   * Requires `apps.view` permission on the `iqauth-admin` app.
+   *
+   * @remarks Wraps GET /api/v1/apps/:appKey
+   */
+  async get(appKey) {
+    return this.http.request("GET", `/api/v1/apps/${encodeURIComponent(appKey)}`);
+  }
+  /**
+   * Register or sync an application manifest. This is an idempotent upsert —
+   * it creates the app if it doesn't exist, or updates it if it does.
+   * Permission nodes are also upserted (created or updated) from the manifest tree.
+   *
+   * Requires `platform_admin` role and `apps.manage` permission.
+   *
+   * @remarks Wraps POST /api/v1/apps/sync
+   */
+  async register(manifest) {
+    if (!this.http.hasCredentials()) {
+      throw new IQAuthError(
+        "AUTH_REQUIRED",
+        "Cannot sync app manifest: no API key or access token configured. Initialize the client with an apiKey or accessToken.",
+        401
+      );
+    }
+    return this.http.request("POST", "/api/v1/apps/sync", manifest);
+  }
+  /**
+   * Check if an application is registered by its key.
+   * Returns `true` if the app exists, `false` otherwise.
+   *
+   * @remarks Uses GET /api/v1/apps/:appKey — catches 404 errors
+   */
+  async isRegistered(appKey) {
+    try {
+      await this.get(appKey);
+      return true;
+    } catch (err) {
+      if (err.code === "NOT_FOUND" || err.status === 404) {
+        return false;
+      }
+      throw err;
+    }
+  }
+};
+
+// src/modules/roles.ts
+var RolesModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async list(tenantId) {
+    return this.http.request("GET", `/api/v1/tenants/${tenantId}/roles`);
+  }
+  async create(tenantId, data) {
+    return this.http.request("POST", `/api/v1/tenants/${tenantId}/roles`, data);
+  }
+  async update(tenantId, roleId, data) {
+    return this.http.request("PATCH", `/api/v1/tenants/${tenantId}/roles/${roleId}`, data);
+  }
+  async delete(tenantId, roleId) {
+    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}/roles/${roleId}`);
+  }
+  async getUserRoles(tenantId, userId) {
+    return this.http.request("GET", `/api/v1/tenants/${tenantId}/users/${userId}/roles`);
+  }
+  async assignRole(tenantId, userId, data) {
+    return this.http.request("POST", `/api/v1/tenants/${tenantId}/users/${userId}/roles`, data);
+  }
+  async removeRole(tenantId, userId, roleId) {
+    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}/users/${userId}/roles/${roleId}`);
+  }
+};
+
+// src/modules/permissionGroups.ts
+var PermissionGroupsModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async list(tenantId) {
+    return this.http.request("GET", `/api/v1/tenants/${tenantId}/permission-groups`);
+  }
+  async create(tenantId, name, description) {
+    return this.http.request("POST", `/api/v1/tenants/${tenantId}/permission-groups`, { name, description });
+  }
+  async update(tenantId, groupId, data) {
+    return this.http.request("PATCH", `/api/v1/tenants/${tenantId}/permission-groups/${groupId}`, data);
+  }
+  async delete(tenantId, groupId) {
+    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}/permission-groups/${groupId}`);
+  }
+  async getPermissions(tenantId, groupId) {
+    return this.http.request("GET", `/api/v1/tenants/${tenantId}/permission-groups/${groupId}/permissions`);
+  }
+  async addPermission(tenantId, groupId, data) {
+    return this.http.request("POST", `/api/v1/tenants/${tenantId}/permission-groups/${groupId}/permissions`, data);
+  }
+  async removePermission(tenantId, groupId, permissionId) {
+    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}/permission-groups/${groupId}/permissions/${permissionId}`);
+  }
+  async addInheritance(tenantId, groupId, inheritsFromGroupId) {
+    return this.http.request("POST", `/api/v1/tenants/${tenantId}/permission-groups/${groupId}/inherit`, { inheritsFromGroupId });
+  }
+  async removeInheritance(tenantId, groupId, inheritedGroupId) {
+    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}/permission-groups/${groupId}/inherit/${inheritedGroupId}`);
+  }
+  async getUserGroups(tenantId, userId) {
+    return this.http.request("GET", `/api/v1/tenants/${tenantId}/users/${userId}/groups`);
+  }
+  async assignUserToGroup(tenantId, userId, groupId) {
+    return this.http.request("POST", `/api/v1/tenants/${tenantId}/users/${userId}/groups`, { groupId });
+  }
+  async removeUserFromGroup(tenantId, userId, groupId) {
+    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}/users/${userId}/groups/${groupId}`);
+  }
+  async getUserOverrides(tenantId, userId) {
+    return this.http.request("GET", `/api/v1/tenants/${tenantId}/users/${userId}/permissions/overrides`);
+  }
+  async addUserOverride(tenantId, userId, data) {
+    return this.http.request("POST", `/api/v1/tenants/${tenantId}/users/${userId}/permissions/overrides`, data);
+  }
+  async removeUserOverride(tenantId, userId, overrideId) {
+    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}/users/${userId}/permissions/overrides/${overrideId}`);
+  }
+  async getEffectivePermissions(tenantId, userId, params) {
+    const query = new URLSearchParams();
+    if (params.product) query.set("product", params.product);
+    if (params.appKey) query.set("appKey", params.appKey);
+    const qs = query.toString();
+    return this.http.request("GET", `/api/v1/tenants/${tenantId}/users/${userId}/permissions/effective${qs ? `?${qs}` : ""}`);
+  }
+  async checkPermission(tenantId, userId, appKey, nodeKey) {
+    return this.http.request("POST", `/api/v1/tenants/${tenantId}/users/${userId}/permissions/check`, { appKey, nodeKey });
+  }
+};
+
+// src/modules/apiKeys.ts
+var ApiKeysModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async create(data) {
+    return this.http.request("POST", "/api/v1/api-keys", data);
+  }
+  async list(params) {
+    const query = new URLSearchParams();
+    if (params?.tenantId) query.set("tenantId", params.tenantId);
+    const qs = query.toString();
+    return this.http.request("GET", `/api/v1/api-keys${qs ? `?${qs}` : ""}`);
+  }
+  async revoke(id) {
+    return this.http.request("DELETE", `/api/v1/api-keys/${id}`);
+  }
+  async introspect(apiKey) {
+    return this.http.request("POST", "/api/v1/api-keys/introspect", { apiKey }, { skipAutoRefresh: true });
+  }
+};
+
+// src/modules/invites.ts
+var InvitesModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async create(data) {
+    return this.http.request("POST", "/api/v1/invites", data);
+  }
+  async validate(token) {
+    return this.http.request("GET", `/api/v1/invites/${token}/validate`);
+  }
+  async accept(token, data) {
+    return this.http.request("POST", `/api/v1/invites/${token}/accept`, data, { skipAutoRefresh: true });
+  }
+};
+
+// src/modules/webhooks.ts
+function normalizeWebhookDelivery(delivery) {
+  return {
+    ...delivery,
+    endpointId: delivery.endpointId ?? delivery.webhookEndpointId,
+    webhookEndpointId: delivery.webhookEndpointId ?? delivery.endpointId,
+    event: delivery.event ?? delivery.eventType,
+    eventType: delivery.eventType ?? delivery.event,
+    statusCode: delivery.statusCode ?? delivery.responseStatus ?? null,
+    responseStatus: delivery.responseStatus ?? delivery.statusCode ?? null,
+    response: delivery.response ?? delivery.responseBody ?? null,
+    responseBody: delivery.responseBody ?? delivery.response ?? null,
+    deliveredAt: delivery.deliveredAt ?? delivery.createdAt
+  };
+}
+var WebhooksModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async createEndpoint(data) {
+    return this.http.request("POST", "/api/v1/webhooks/endpoints", data);
+  }
+  async listEndpoints() {
+    return this.http.request("GET", "/api/v1/webhooks/endpoints");
+  }
+  async deleteEndpoint(id) {
+    return this.http.request("DELETE", `/api/v1/webhooks/endpoints/${id}`);
+  }
+  async getDeliveries(endpointId) {
+    const deliveries = await this.http.request("GET", `/api/v1/webhooks/deliveries?endpointId=${encodeURIComponent(endpointId)}`);
+    return deliveries.map(normalizeWebhookDelivery);
+  }
+  async testEndpoint(id) {
+    return this.http.request("POST", `/api/v1/webhooks/endpoints/${id}/test`);
+  }
+  async rotateSecret(id) {
+    return this.http.request("POST", `/api/v1/webhooks/endpoints/${id}/rotate-secret`);
+  }
+};
+
+// src/modules/entitlements.ts
+var EntitlementsModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async list(tenantId) {
+    return this.http.request("GET", `/api/v1/tenants/${tenantId}/entitlements`);
+  }
+  async grant(tenantId, data) {
+    return this.http.request("POST", `/api/v1/tenants/${tenantId}/entitlements`, data);
+  }
+  async revoke(tenantId, product) {
+    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}/entitlements/${encodeURIComponent(product)}`);
+  }
+};
+
+// src/modules/vendors.ts
+var VendorsModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async list() {
+    return this.http.request("GET", "/api/v1/vendors");
+  }
+  async get(vendorId) {
+    return this.http.request("GET", `/api/v1/vendors/${vendorId}`);
+  }
+  async create(data) {
+    return this.http.request("POST", "/api/v1/vendors", data);
+  }
+  async update(vendorId, data) {
+    return this.http.request("PATCH", `/api/v1/vendors/${vendorId}`, data);
+  }
+  async delete(vendorId) {
+    return this.http.request("DELETE", `/api/v1/vendors/${vendorId}`);
+  }
+};
+
+// src/modules/sources.ts
+var SourcesModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async create(vendorId, data) {
+    return this.http.request("POST", `/api/v1/vendors/${vendorId}/sources`, data);
+  }
+  async listForVendor(vendorId) {
+    return this.http.request("GET", `/api/v1/vendors/${vendorId}/sources`);
+  }
+  async get(sourceId) {
+    return this.http.request("GET", `/api/v1/sources/${sourceId}`);
+  }
+  async update(sourceId, data) {
+    return this.http.request("PATCH", `/api/v1/sources/${sourceId}`, data);
+  }
+  async delete(sourceId) {
+    return this.http.request("DELETE", `/api/v1/sources/${sourceId}`);
+  }
+  async createClient(sourceId, data) {
+    return this.http.request("POST", `/api/v1/sources/${sourceId}/clients`, data);
+  }
+  async listClients(sourceId) {
+    return this.http.request("GET", `/api/v1/sources/${sourceId}/clients`);
+  }
+};
+
+// src/modules/clients.ts
+var ClientsModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async get(clientId) {
+    return this.http.request("GET", `/api/v1/clients/${clientId}`);
+  }
+  async update(clientId, data) {
+    return this.http.request("PATCH", `/api/v1/clients/${clientId}`, data);
+  }
+  async delete(clientId) {
+    return this.http.request("DELETE", `/api/v1/clients/${clientId}`);
+  }
+};
+
+// src/modules/hierarchy.ts
+var HierarchyModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async getGraph() {
+    return this.http.request("GET", "/api/v1/hierarchy");
+  }
+  async linkVendorSource(vendorId, sourceId) {
+    return this.http.request("POST", "/api/v1/hierarchy/link/vendor-source", { vendorId, sourceId });
+  }
+  async unlinkVendorSource(vendorId, sourceId) {
+    return this.http.request("DELETE", "/api/v1/hierarchy/link/vendor-source", { vendorId, sourceId });
+  }
+  async linkSourceClient(sourceId, clientId) {
+    return this.http.request("POST", "/api/v1/hierarchy/link/source-client", { sourceId, clientId });
+  }
+  async unlinkSourceClient(sourceId, clientId) {
+    return this.http.request("DELETE", "/api/v1/hierarchy/link/source-client", { sourceId, clientId });
+  }
+};
+
+// src/modules/memberships.ts
+var MembershipsModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async listForUser(userId, tenantId) {
+    return this.http.request("GET", `/api/v1/users/${userId}/memberships?tenantId=${encodeURIComponent(tenantId)}`);
+  }
+  async listForScope(scopeType, scopeId) {
+    return this.http.request("GET", `/api/v1/memberships/scope/${scopeType}/${scopeId}`);
+  }
+  async grant(data) {
+    return this.http.request("POST", "/api/v1/memberships", data);
+  }
+  async revoke(id) {
+    return this.http.request("DELETE", `/api/v1/memberships/${id}`);
+  }
+  async update(id, data) {
+    return this.http.request("PATCH", `/api/v1/memberships/${id}`, data);
+  }
+  async listForTenant(params) {
+    const query = new URLSearchParams();
+    if (params?.scopeType) query.set("scopeType", params.scopeType);
+    if (params?.roleName) query.set("roleName", params.roleName);
+    const qs = query.toString();
+    return this.http.request("GET", `/api/v1/memberships/tenant${qs ? `?${qs}` : ""}`);
+  }
+};
+
+// src/modules/scope.ts
+var ScopeModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async getAvailable() {
+    return this.http.request("GET", "/api/v1/auth/available-scopes");
+  }
+  async switchScope(scopeType, scopeId) {
+    return this.http.request("POST", "/api/v1/auth/switch-scope", { scopeType, scopeId });
+  }
+};
+
+// src/modules/gdpr.ts
+var GdprModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async exportData() {
+    return this.http.request("GET", "/api/v1/gdpr/export");
+  }
+  async deleteAccount(confirmEmail) {
+    return this.http.request("POST", "/api/v1/gdpr/delete", { confirmEmail });
+  }
+};
+
+// src/modules/pin.ts
+var PinModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async set(pin) {
+    return this.http.request("POST", "/api/v1/pin/set", { pin });
+  }
+  async change(currentPin, newPin) {
+    return this.http.request("POST", "/api/v1/pin/change", { currentPin, newPin });
+  }
+  async remove() {
+    return this.http.request("DELETE", "/api/v1/pin");
+  }
+  async getStatus() {
+    return this.http.request("GET", "/api/v1/pin/status");
+  }
+  async login(email, pin, deviceFingerprint) {
+    const data = await this.http.request(
+      "POST",
+      "/api/v1/pin/login",
+      { email, pin, ...deviceFingerprint && { deviceFingerprint } },
+      { skipAutoRefresh: true }
+    );
+    if (data.type === "success" && data.accessToken && data.refreshToken && data.user) {
+      return {
+        status: "authenticated",
+        authMode: "token",
+        tokens: { accessToken: data.accessToken, refreshToken: data.refreshToken },
+        user: data.user
+      };
+    }
+    if (data.type === "mfa_required" && data.mfaChallengeToken) {
+      return {
+        status: "mfa_required",
+        mfaChallengeToken: data.mfaChallengeToken,
+        availableMethods: data.availableMethods || []
+      };
+    }
+    if (data.type === "tenant_selection" && data.tenantSelectionToken && data.tenants) {
+      return {
+        status: "tenant_selection",
+        tenantSelectionToken: data.tenantSelectionToken,
+        tenants: data.tenants
+      };
+    }
+    throw new Error("Unexpected PIN login response shape");
+  }
+};
+
+// src/modules/mfa.ts
+var MfaModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async getAvailableMethods() {
+    return this.http.request("GET", "/api/v1/mfa/methods");
+  }
+  async enrollTotp() {
+    return this.http.request("POST", "/api/v1/mfa/enroll/totp");
+  }
+  async verifyTotpEnrollment(code, secret) {
+    return this.http.request("POST", "/api/v1/mfa/enroll/totp/verify", { code, secret });
+  }
+  async enrollSms(phoneNumber) {
+    return this.http.request("POST", "/api/v1/mfa/enroll/sms", { phoneNumber });
+  }
+  async verifySmsEnrollment(code, phoneNumber) {
+    return this.http.request("POST", "/api/v1/mfa/enroll/sms/verify", { code, phoneNumber });
+  }
+  async startEmailEnrollment() {
+    return this.http.request("POST", "/api/v1/mfa/enroll/email/start");
+  }
+  async verifyEmailEnrollment(code) {
+    return this.http.request("POST", "/api/v1/mfa/enroll/email/verify", { code });
+  }
+  async listEnrollments() {
+    return this.http.request("GET", "/api/v1/mfa/enrollments");
+  }
+  async setPrimaryEnrollment(enrollmentId) {
+    return this.http.request("PATCH", `/api/v1/mfa/enrollments/${enrollmentId}/primary`);
+  }
+  async deactivateEnrollment(enrollmentId) {
+    return this.http.request("DELETE", `/api/v1/mfa/enrollments/${enrollmentId}`);
+  }
+  async regenerateBackupCodes() {
+    return this.http.request("POST", "/api/v1/mfa/backup-codes/regenerate");
+  }
+  async getBackupCodeCount() {
+    return this.http.request("GET", "/api/v1/mfa/backup-codes/count");
+  }
+};
+
+// src/modules/branding.ts
+function normalizeBrandingConfig2(config) {
+  return {
+    ...config,
+    brandName: config.brandName ?? config.companyName,
+    loginHeadline: config.loginHeadline ?? config.headline ?? null,
+    loginSubheadline: config.loginSubheadline ?? config.subheadline ?? null,
+    companyName: config.companyName ?? config.brandName,
+    headline: config.headline ?? config.loginHeadline ?? null,
+    subheadline: config.subheadline ?? config.loginSubheadline ?? null
+  };
+}
+function normalizeBrandingAsset(asset) {
+  return {
+    ...asset,
+    url: asset.url ?? asset.publicUrl,
+    publicUrl: asset.publicUrl ?? asset.url
+  };
+}
+function normalizeBrandingUpdate(data) {
+  return {
+    ...data,
+    brandName: data.brandName ?? data.companyName,
+    loginHeadline: data.loginHeadline ?? data.headline,
+    loginSubheadline: data.loginSubheadline ?? data.subheadline
+  };
+}
+var BrandingModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async get(vendorId) {
+    const config = await this.http.request("GET", `/api/v1/branding/${vendorId}`);
+    return normalizeBrandingConfig2(config);
+  }
+  async updateBranding(vendorId, data) {
+    const config = await this.http.request("PUT", `/api/v1/branding/${vendorId}`, normalizeBrandingUpdate(data));
+    return normalizeBrandingConfig2(config);
+  }
+  async publishBranding(vendorId) {
+    const config = await this.http.request("POST", `/api/v1/branding/${vendorId}/publish`);
+    return normalizeBrandingConfig2(config);
+  }
+  async unpublishBranding(vendorId) {
+    const config = await this.http.request("POST", `/api/v1/branding/${vendorId}/unpublish`);
+    return normalizeBrandingConfig2(config);
+  }
+  async resetBranding(vendorId) {
+    const config = await this.http.request("POST", `/api/v1/branding/${vendorId}/reset`);
+    return normalizeBrandingConfig2(config);
+  }
+  async uploadAsset(vendorId, data) {
+    const asset = await this.http.request("POST", `/api/v1/branding/${vendorId}/upload`, data);
+    return normalizeBrandingAsset(asset);
+  }
+  async listAssets(vendorId) {
+    const assets = await this.http.request("GET", `/api/v1/branding/${vendorId}/assets`);
+    return assets.map(normalizeBrandingAsset);
+  }
+  async deleteAsset(vendorId, assetId) {
+    return this.http.request("DELETE", `/api/v1/branding/${vendorId}/assets/${assetId}`);
+  }
+  async listDomains(vendorId) {
+    return this.http.request("GET", `/api/v1/branding/${vendorId}/domains`);
+  }
+  async addDomain(vendorId, domain) {
+    return this.http.request("POST", `/api/v1/branding/${vendorId}/domains`, { domain });
+  }
+  async removeDomain(vendorId, domainId) {
+    return this.http.request("DELETE", `/api/v1/branding/${vendorId}/domains/${domainId}`);
+  }
+};
+
+// src/client.ts
+var IQAuthClient = class _IQAuthClient {
+  constructor(config) {
+    this.config = config;
+    this.environment = _IQAuthClient.resolveEnvironment(config);
+    this._accessToken = "accessToken" in config ? config.accessToken : void 0;
+    this._refreshToken = "refreshToken" in config ? config.refreshToken : void 0;
+    this._apiKey = "apiKey" in config ? config.apiKey : void 0;
+    this.httpClient = new HttpClient({
+      baseUrl: config.baseUrl,
+      environment: this.environment,
+      getAccessToken: () => this._accessToken,
+      getRefreshToken: () => this._refreshToken,
+      getApiKey: () => this._apiKey,
+      setTokens: (tokens) => {
+        this._accessToken = tokens.accessToken;
+        this._refreshToken = tokens.refreshToken;
+      },
+      autoRefresh: "autoRefresh" in config ? config.autoRefresh !== false : true,
+      onTokenRefresh: "onTokenRefresh" in config ? config.onTokenRefresh : void 0,
+      sessionHeaderName: config.sessionHeaderName,
+      sessionHeaderValue: config.sessionHeaderValue,
+      retry: config.retry
+    });
+    this.auth = new AuthModule(this.httpClient);
+    this.tokens = new TokensModule(config.baseUrl, {
+      issuer: config.verify?.issuer,
+      audience: config.verify?.audience,
+      clockTolerance: config.verify?.clockTolerance
+    });
+    this.sessions = new SessionsModule(this.httpClient);
+    this.users = new UsersModule(this.httpClient);
+    this.permissions = new PermissionsModule(() => this.getCurrentClaims());
+    this.oidc = new OidcModule(this.httpClient, config.baseUrl, { tokens: this.tokens });
+    this.tenants = new TenantsModule(this.httpClient);
+    this.apps = new AppsModule(this.httpClient);
+    this.roles = new RolesModule(this.httpClient);
+    this.permissionGroups = new PermissionGroupsModule(this.httpClient);
+    this.apiKeys = new ApiKeysModule(this.httpClient);
+    this.invites = new InvitesModule(this.httpClient);
+    this.webhooks = new WebhooksModule(this.httpClient);
+    this.entitlements = new EntitlementsModule(this.httpClient);
+    this.vendors = new VendorsModule(this.httpClient);
+    this.sources = new SourcesModule(this.httpClient);
+    this.clients = new ClientsModule(this.httpClient);
+    this.hierarchy = new HierarchyModule(this.httpClient);
+    this.memberships = new MembershipsModule(this.httpClient);
+    this.scope = new ScopeModule(this.httpClient);
+    this.gdpr = new GdprModule(this.httpClient);
+    this.pin = new PinModule(this.httpClient);
+    this.mfa = new MfaModule(this.httpClient);
+    this.branding = new BrandingModule(this.httpClient);
+  }
+  static forBrowserSession(config) {
+    return new _IQAuthClient({ ...config, environment: "browser_session" });
+  }
+  static forServer(config) {
+    return new _IQAuthClient({ ...config, environment: "server" });
+  }
+  static forMobile(config) {
+    return new _IQAuthClient({ ...config, environment: "mobile" });
+  }
+  static forService(config) {
+    return new _IQAuthClient({ ...config, environment: "service" });
+  }
+  setTokens(tokens) {
+    this._accessToken = tokens.accessToken;
+    this._refreshToken = tokens.refreshToken;
+  }
+  getAccessToken() {
+    return this._accessToken;
+  }
+  getRefreshToken() {
+    return this._refreshToken;
+  }
+  getCurrentClaims() {
+    if (!this._accessToken) return null;
+    return this.tokens.decode(this._accessToken);
+  }
+  static resolveEnvironment(config) {
+    if (config.environment) return config.environment;
+    if (config.apiKey) return "service";
+    return "server";
+  }
+};
+
+// src/service.ts
+var ServiceIQAuthClient = class extends IQAuthClient {
+  constructor(config) {
+    super({ ...config, environment: "service" });
+  }
+};
+function createServiceClient(config) {
+  return new ServiceIQAuthClient(config);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ErrorCodes,
+  IQAuthClient,
+  IQAuthError,
+  ServiceIQAuthClient,
+  createServiceClient
+});