@iqauth/sdk 2.3.0 → 2.6.0

package/dist/cli/index.js

@@ -338,76 +338,184 @@ var doctor_exports = {};
 __export(doctor_exports, {
   runDoctor: () => runDoctor
 });
+function pass(name, detail) {
+  return { name, level: "pass", detail };
+}
+function fail(name, detail, remediation) {
+  return { name, level: "fail", detail, remediation };
+}
+function info(name, detail) {
+  return { name, level: "info", detail };
+}
 async function runDoctor(argv) {
   const { flags } = parseFlags(argv);
   const envFile = flags.get("env-file") || ".env";
   const env = await loadEnv(envFile);
   const probes = [];
   const pkRaw = env.IQAUTH_PUBLISHABLE_KEY;
+  const skRaw = env.IQAUTH_SECRET_KEY;
   const issuerEnv = env.IQAUTH_ISSUER;
   const redirect = env.IQAUTH_REDIRECT_URI;
-  probes.push({
-    name: ".env present",
-    ok: !!pkRaw,
-    detail: pkRaw ? `${envFile} loaded; IQAUTH_PUBLISHABLE_KEY=${pkRaw.slice(0, 10)}\u2026` : `IQAUTH_PUBLISHABLE_KEY missing in ${envFile}`
-  });
+  const appOrigin = env.IQAUTH_APP_ORIGIN || env.APP_ORIGIN;
+  probes.push(
+    pkRaw ? pass(".env present", `${envFile} loaded; IQAUTH_PUBLISHABLE_KEY=${pkRaw.slice(0, 10)}\u2026`) : fail(
+      ".env present",
+      `IQAUTH_PUBLISHABLE_KEY missing in ${envFile}`,
+      "Run `iqauth init` or copy your publishable key from the IQAuth admin console into .env."
+    )
+  );
   const parsed = pkRaw ? parsePublishableKey(pkRaw) : null;
-  probes.push({
-    name: "publishable key parses",
-    ok: !!parsed,
-    detail: parsed ? `mode=${parsed.mode} appId=${parsed.appId} tenantId=${parsed.tenantId} kid=${parsed.kid}` : "key did not match pk_<test|live>_<base64> format"
-  });
+  probes.push(
+    parsed ? pass(
+      "publishable key parses",
+      `mode=${parsed.mode} appId=${parsed.appId} tenantId=${parsed.tenantId} kid=${parsed.kid}`
+    ) : fail(
+      "publishable key parses",
+      "key did not match pk_<test|live>_<base64> format",
+      "Regenerate the key from the IQAuth admin console \u2014 it must be the URL-safe base64 form."
+    )
+  );
   const issuer = (issuerEnv || (parsed?.iss.startsWith("http") ? parsed.iss : parsed ? `https://${parsed.iss}` : "")).replace(/\/+$/, "");
   if (issuer) {
     try {
       const res = await fetch(`${issuer}/.well-known/openid-configuration`);
-      probes.push({
-        name: "issuer reachable",
-        ok: res.ok,
-        detail: `${issuer}/.well-known/openid-configuration \u2192 ${res.status}`
-      });
+      const body = res.ok ? await res.json().catch(() => null) : null;
+      probes.push(
+        res.ok ? pass("issuer reachable", `${issuer}/.well-known/openid-configuration \u2192 ${res.status}`) : fail(
+          "issuer reachable",
+          `${issuer}/.well-known/openid-configuration \u2192 ${res.status}`,
+          "Check that IQAUTH_ISSUER (or the host encoded in your publishable key) points to a running IQAuth deployment."
+        )
+      );
+      if (parsed && body?.issuer) {
+        const expected = parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`;
+        const ok = body.issuer.replace(/\/+$/, "") === expected.replace(/\/+$/, "");
+        probes.push(
+          ok ? pass("iss matches publishable key", `discovery.issuer=${body.issuer}`) : fail(
+            "iss matches publishable key",
+            `discovery.issuer=${body.issuer} but publishable key encodes ${expected}`,
+            "Regenerate your publishable key from the SAME issuer host you're targeting (mismatched issuers are the #1 cause of TOKEN_INVALID)."
+          )
+        );
+      }
     } catch (err) {
-      probes.push({
-        name: "issuer reachable",
-        ok: false,
-        detail: `fetch failed: ${err.message}`
-      });
+      probes.push(fail(
+        "issuer reachable",
+        `fetch failed: ${err.message}`,
+        "Verify network reachability and that IQAUTH_ISSUER is correct."
+      ));
     }
   } else {
-    probes.push({ name: "issuer reachable", ok: false, detail: "issuer URL unknown (no IQAUTH_ISSUER and no key)" });
+    probes.push(fail("issuer reachable", "issuer URL unknown (no IQAUTH_ISSUER and no key)"));
   }
   if (issuer) {
     try {
       const res = await fetch(`${issuer}/.well-known/jwks.json`);
       const json = await res.json().catch(() => ({}));
       const keys = json.keys;
-      probes.push({
-        name: "JWKS reachable",
-        ok: res.ok && Array.isArray(keys) && keys.length > 0,
-        detail: `${issuer}/.well-known/jwks.json \u2192 ${res.status} (${Array.isArray(keys) ? keys.length : 0} keys)`
-      });
+      const ok = res.ok && Array.isArray(keys) && keys.length > 0;
+      probes.push(
+        ok ? pass("JWKS reachable", `${issuer}/.well-known/jwks.json \u2192 ${res.status} (${keys.length} keys)`) : fail(
+          "JWKS reachable",
+          `${issuer}/.well-known/jwks.json \u2192 ${res.status} (${Array.isArray(keys) ? keys.length : 0} keys)`,
+          "JWKS must publish at least one signing key \u2014 contact your IQAuth admin."
+        )
+      );
     } catch (err) {
-      probes.push({ name: "JWKS reachable", ok: false, detail: `fetch failed: ${err.message}` });
+      probes.push(fail("JWKS reachable", `fetch failed: ${err.message}`));
     }
   }
   if (redirect) {
     try {
       const res = await fetch(redirect, { method: "GET" });
-      probes.push({
-        name: "redirect URI reachable",
-        ok: res.status > 0 && res.status < 500,
-        detail: `${redirect} \u2192 ${res.status}`
-      });
+      const ok = res.status > 0 && res.status < 500;
+      probes.push(
+        ok ? pass("redirect URI reachable", `${redirect} \u2192 ${res.status}`) : fail(
+          "redirect URI reachable",
+          `${redirect} \u2192 ${res.status}`,
+          "The configured callback path must be reachable from the public internet (or localhost for dev)."
+        )
+      );
     } catch (err) {
-      probes.push({ name: "redirect URI reachable", ok: false, detail: `fetch failed: ${err.message}` });
+      probes.push(fail("redirect URI reachable", `fetch failed: ${err.message}`));
     }
   } else {
-    probes.push({ name: "redirect URI reachable", ok: false, detail: "IQAUTH_REDIRECT_URI not set" });
+    probes.push(info("redirect URI reachable", "IQAUTH_REDIRECT_URI not set (skipped \u2014 set it to enable this probe)"));
+  }
+  if (issuer && parsed) {
+    const probeReturnTo = appOrigin || redirect || `${issuer}/`;
+    const ctxUrl = `${issuer}/api/public/apps/${encodeURIComponent(parsed.appId)}/sign-in-context?return_to=${encodeURIComponent(probeReturnTo)}`;
+    try {
+      const res = await fetch(ctxUrl);
+      const body = await res.json().catch(() => null);
+      if (!res.ok || !body?.success || !body.data) {
+        probes.push(fail(
+          "app active at issuer",
+          `GET sign-in-context \u2192 ${res.status}${body?.error?.code ? ` ${body.error.code}` : ""}`,
+          "The app key may be revoked, archived, or pointing at the wrong tenant. Check the IQAuth admin console."
+        ));
+      } else {
+        const data = body.data;
+        probes.push(pass("app active at issuer", `app=${data.app?.key} mode=${data.app?.mode}`));
+        const allowed = data.allowedOrigins ?? [];
+        if (appOrigin) {
+          let originOk = false;
+          try {
+            originOk = allowed.includes(new URL(appOrigin).origin);
+          } catch {
+            originOk = allowed.includes(appOrigin);
+          }
+          probes.push(
+            originOk ? pass("APP_ORIGIN allowed", `${appOrigin} \u2208 allowedOrigins`) : fail(
+              "APP_ORIGIN allowed",
+              `${appOrigin} not in [${allowed.join(", ") || "\u2014"}]`,
+              `Add this origin in the IQAuth admin console: Apps \u2192 ${data.app?.key} \u2192 Allowed Origins.`
+            )
+          );
+        } else {
+          probes.push(info("APP_ORIGIN allowed", "Set IQAUTH_APP_ORIGIN to enable this probe"));
+        }
+        if (redirect) {
+          let cbOriginOk = false;
+          try {
+            cbOriginOk = allowed.includes(new URL(redirect).origin);
+          } catch {
+            cbOriginOk = false;
+          }
+          probes.push(
+            cbOriginOk ? pass("callback origin allowed", `origin of ${redirect} \u2208 allowedOrigins`) : fail(
+              "callback origin allowed",
+              `origin of ${redirect} not in [${allowed.join(", ") || "\u2014"}]`,
+              `Register the callback URL in the IQAuth admin console: Apps \u2192 ${data.app?.key} \u2192 Allowed Redirect URIs.`
+            )
+          );
+        } else {
+          probes.push(info("callback origin allowed", "Set IQAUTH_REDIRECT_URI to enable this probe"));
+        }
+      }
+    } catch (err) {
+      probes.push(fail("app active at issuer", `fetch failed: ${err.message}`));
+    }
+  }
+  if (skRaw) {
+    probes.push(
+      /^sk_(test|live)_[A-Za-z0-9_\-]+$/.test(skRaw) ? pass("secret key shape", `IQAUTH_SECRET_KEY=${skRaw.slice(0, 8)}\u2026`) : fail(
+        "secret key shape",
+        "IQAUTH_SECRET_KEY does not match sk_<test|live>_<base64>",
+        "Regenerate the secret from the IQAuth admin console."
+      )
+    );
+  } else {
+    probes.push(info("secret key shape", "IQAUTH_SECRET_KEY not set (only required for backend adapters)"));
   }
   let allOk = true;
   for (const p of probes) {
-    console.log(`${symbol(p.ok)} ${p.name.padEnd(28)} ${p.detail}`);
-    if (!p.ok) allOk = false;
+    const sym = p.level === "pass" ? symbol(true) : p.level === "fail" ? symbol(false) : "\u2139";
+    console.log(`${sym} ${p.name.padEnd(32)} ${p.detail}`);
+    if (p.remediation && p.level === "fail") {
+      console.log(`  \u21B3 ${p.remediation}`);
+    }
+    if (p.level === "fail") allOk = false;
   }
   console.log("");
   console.log(allOk ? "\u2705 All checks passed." : "\u274C One or more checks failed \u2014 see above.");

package/dist/cli/index.mjs

@@ -17,7 +17,7 @@ async function run() {
       return;
     }
     case "doctor": {
-      const { runDoctor } = await import("../doctor-A5E7LSFW.mjs");
+      const { runDoctor } = await import("../doctor-YYNHNMLD.mjs");
       await runDoctor(rest);
       return;
     }

package/dist/{client-DTX4hNdS.d.ts → client-BNQe3AgF.d.ts}

@@ -1,4 +1,5 @@
-import { I as IQAuthEnvironment, T as TokenPair, W as IQAuthRetryConfig, L as LoginResult, a$ as SignupRequest, D as MfaVerifyResult, d as SessionUser, J as JwtClaims, h as Session, U as UserProfile, H as ProvisionUserRequest, K as ProvisionUserResponse, G as UserPermissions, O as OidcDiscovery, t as JwksResponse, u as OidcTokenResponse, b0 as HostedClientContext, i as TenantInfo, C as CreateTenantRequest, j as UpdateTenantRequest, P as PromoteToVendorRequest, k as PromoteToVendorResult, a7 as TenantUser, l as InviteTenantUserRequest, m as InviteTenantUserResult, n as TenantUserRoleUpdate, M as MigrateUserRequest, E as PasswordPolicy, F as MfaPolicy, B as BrandingConfig, _ as AppInfo, $ as PermissionNodeInfo, Z as AppManifest, a0 as AppSyncResult, a1 as Role, a2 as CreateRoleRequest, a3 as UpdateRoleRequest, a4 as AssignRoleRequest, a5 as UserRoleAssignment, a8 as PermissionGroup, a9 as GroupPermission, aa as AddGroupPermissionRequest, ab as InheritanceRelation, a6 as UserGroupAssignment, ac as UserPermissionOverride, ad as AddUserOverrideRequest, ae as EffectivePermission, af as PermissionCheckResult, ah as CreateApiKeyRequest, ai as CreateApiKeyResult, ag as ApiKeyInfo, aj as ApiKeyIntrospection, al as CreateInviteRequest, ak as Invitation, am as InviteValidation, an as AcceptInviteRequest, ap as CreateWebhookRequest, aq as CreateWebhookResult, ao as WebhookEndpoint, ar as WebhookDelivery, as as WebhookTestResult, at as Entitlement, au as GrantEntitlementRequest, av as Vendor, aw as CreateVendorRequest, ax as UpdateVendorRequest, az as CreateSourceRequest, ay as Source, aA as UpdateSourceRequest, aC as CreateClientRequest, aB as Client, aD as UpdateClientRequest, aE as HierarchyVendor, aH as HierarchyLink, aL as MembershipWithDetails, aJ as CreateMembershipRequest, aI as Membership, aK as UpdateMembershipRequest, aM as AvailableScopesTree, aQ as ScopeSwitchResult, aR as GdprExportData, aS as PinStatus, aU as MfaAvailableMethods, aV as TotpEnrollResult, aW as TotpVerifyResult, aX as SmsEnrollResult, y as MfaEnrollment, aY as EmailEnrollResult, aZ as BackupCodesResult, a_ as BackupCodeCountResult, o as UpdateBrandingRequest, q as UploadAssetRequest, p as BrandingAsset, r as BrandingDomainMapping, a as IQAuthClientConfig, c as IQAuthBrowserSessionClientConfig, b as IQAuthTokenClientConfig } from './types-Cxl3bQHt.js';
+import { I as IQAuthEnvironment, T as TokenPair, W as IQAuthRetryConfig, L as LoginResult, a$ as SignupRequest, D as MfaVerifyResult, d as SessionUser, h as Session, U as UserProfile, H as ProvisionUserRequest, K as ProvisionUserResponse, G as UserPermissions, J as JwtClaims, O as OidcDiscovery, t as JwksResponse, u as OidcTokenResponse, b0 as HostedClientContext, i as TenantInfo, C as CreateTenantRequest, j as UpdateTenantRequest, P as PromoteToVendorRequest, k as PromoteToVendorResult, a7 as TenantUser, l as InviteTenantUserRequest, m as InviteTenantUserResult, n as TenantUserRoleUpdate, M as MigrateUserRequest, E as PasswordPolicy, F as MfaPolicy, B as BrandingConfig, _ as AppInfo, $ as PermissionNodeInfo, Z as AppManifest, a0 as AppSyncResult, a1 as Role, a2 as CreateRoleRequest, a3 as UpdateRoleRequest, a4 as AssignRoleRequest, a5 as UserRoleAssignment, a8 as PermissionGroup, a9 as GroupPermission, aa as AddGroupPermissionRequest, ab as InheritanceRelation, a6 as UserGroupAssignment, ac as UserPermissionOverride, ad as AddUserOverrideRequest, ae as EffectivePermission, af as PermissionCheckResult, ah as CreateApiKeyRequest, ai as CreateApiKeyResult, ag as ApiKeyInfo, aj as ApiKeyIntrospection, al as CreateInviteRequest, ak as Invitation, am as InviteValidation, an as AcceptInviteRequest, ap as CreateWebhookRequest, aq as CreateWebhookResult, ao as WebhookEndpoint, ar as WebhookDelivery, as as WebhookTestResult, at as Entitlement, au as GrantEntitlementRequest, av as Vendor, aw as CreateVendorRequest, ax as UpdateVendorRequest, az as CreateSourceRequest, ay as Source, aA as UpdateSourceRequest, aC as CreateClientRequest, aB as Client, aD as UpdateClientRequest, aE as HierarchyVendor, aH as HierarchyLink, aL as MembershipWithDetails, aJ as CreateMembershipRequest, aI as Membership, aK as UpdateMembershipRequest, aM as AvailableScopesTree, aQ as ScopeSwitchResult, aR as GdprExportData, aS as PinStatus, aU as MfaAvailableMethods, aV as TotpEnrollResult, aW as TotpVerifyResult, aX as SmsEnrollResult, y as MfaEnrollment, aY as EmailEnrollResult, aZ as BackupCodesResult, a_ as BackupCodeCountResult, o as UpdateBrandingRequest, q as UploadAssetRequest, p as BrandingAsset, r as BrandingDomainMapping, a as IQAuthClientConfig, c as IQAuthBrowserSessionClientConfig, b as IQAuthTokenClientConfig } from './types-DZAflmmq.js';
+import { T as TokensModule } from './tokens-aHiGFr_E.js';
 
 /**
  * SOURCE REFS:
@@ -82,66 +83,6 @@ declare class AuthModule {
     getSessionUser(): Promise<SessionUser>;
 }
 
-/**
- * SOURCE REFS:
- * - Route file: src/services/token.service.ts (RS256, issuer "auth.dispositioniq.com", audience array)
- * - Route file: src/routes/wellknown.routes.ts (JWKS endpoint /.well-known/jwks.json)
- * - Route file: src/lib/crypto.ts (key rotation with kid)
- * - Verified claims: sub, email, name, tenantId, vendorId, roles, entitlements, sessionId, jti, iss, aud, exp, iat, scopeContext, loginMethod
- * - Last verified: Phase 0 Research Summary
- *
- * 2.3.0: Verify path swapped from `jsonwebtoken` (which depends on
- * `node:crypto`) to `jose` so the SDK works on Next.js / Vercel / Cloudflare
- * edge runtimes. Edge has only Web Crypto, so every call from a Next
- * middleware previously threw and was wrapped as `TOKEN_INVALID`,
- * indistinguishable from a real bad token. We keep our own JWKS fetch +
- * cache to preserve INTERNAL_ERROR mapping for malformed JWKS payloads and
- * to keep the kid-aware "Unknown key ID" diagnostic.
- */
-
-declare const DEFAULT_TOKEN_ISSUER: string[];
-declare const DEFAULT_TOKEN_AUDIENCE: string[];
-declare const DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
-interface TokenVerifyOptions {
-    issuer?: string | string[];
-    audience?: string | string[];
-    clockTolerance?: number;
-    algorithms?: string[];
-}
-interface TokensModuleOptions {
-    issuer?: string | string[];
-    audience?: string | string[];
-    clockTolerance?: number;
-}
-declare class TokensModule {
-    private baseUrl;
-    private jwksCache;
-    private inFlightRefresh;
-    private defaultIssuer;
-    private defaultAudience;
-    private defaultClockTolerance;
-    constructor(baseUrl: string, options?: TokensModuleOptions);
-    /**
-     * Verify a JWT access token using RS256/ES256 via JWKS from
-     * `/.well-known/jwks.json`. Backed by `jose` (Web Crypto) so it runs on
-     * Node, browser, and edge runtimes alike — no `node:crypto` dependency.
-     * Caches JWKS for 1 hour and refetches once on unknown `kid`.
-     */
-    verify(token: string, options?: TokenVerifyOptions): Promise<JwtClaims>;
-    /**
-     * Decode a JWT without verification. Returns null if malformed.
-     */
-    decode(token: string): JwtClaims | null;
-    /** Check if a token is expired based on the `exp` claim. */
-    isExpired(token: string): boolean;
-    /** Get the claims from a token without verification. */
-    getClaims(token: string): JwtClaims;
-    private ensureCache;
-    private refreshJwks;
-    /** @internal Exposed for testing — clears JWKS cache */
-    clearCache(): void;
-}
-
 /**
  * SOURCE REFS:
  * - Route file: src/routes/sessions.routes.ts (GET /, DELETE /:sessionId)
@@ -903,4 +844,4 @@ declare class IQAuthClient {
     private static resolveEnvironment;
 }
 
-export { AuthModule as A, BrandingModule as B, type CreateAppRequest as C, DEFAULT_TOKEN_ISSUER as D, EntitlementsModule as E, GdprModule as G, HierarchyModule as H, IQAuthClient as I, MembershipsModule as M, OidcModule as O, PermissionsModule as P, RolesModule as R, SessionsModule as S, TokensModule as T, UsersModule as U, VendorsModule as V, WebhooksModule as W, InMemoryOidcStateStore as a, type OidcStateStore as b, type OidcStoredRequest as c, type OidcAuthRequest as d, type OidcCallbackResult as e, type OidcModuleOptions as f, DEFAULT_TOKEN_AUDIENCE as g, DEFAULT_CLOCK_TOLERANCE_SECONDS as h, type TokenVerifyOptions as i, type TokensModuleOptions as j, TenantsModule as k, AppsModule as l, type CreateAppResponse as m, PermissionGroupsModule as n, ApiKeysModule as o, InvitesModule as p, SourcesModule as q, ClientsModule as r, ScopeModule as s, PinModule as t, MfaModule as u };
+export { AuthModule as A, BrandingModule as B, type CreateAppRequest as C, EntitlementsModule as E, GdprModule as G, HierarchyModule as H, IQAuthClient as I, MembershipsModule as M, OidcModule as O, PermissionsModule as P, RolesModule as R, SessionsModule as S, TenantsModule as T, UsersModule as U, VendorsModule as V, WebhooksModule as W, InMemoryOidcStateStore as a, type OidcStateStore as b, type OidcStoredRequest as c, type OidcAuthRequest as d, type OidcCallbackResult as e, type OidcModuleOptions as f, AppsModule as g, type CreateAppResponse as h, PermissionGroupsModule as i, ApiKeysModule as j, InvitesModule as k, SourcesModule as l, ClientsModule as m, ScopeModule as n, PinModule as o, MfaModule as p };

package/dist/{client-vdh2a9fJ.d.mts → client-kYlJFgPv.d.mts}

@@ -1,4 +1,5 @@
-import { I as IQAuthEnvironment, T as TokenPair, W as IQAuthRetryConfig, L as LoginResult, a$ as SignupRequest, D as MfaVerifyResult, d as SessionUser, J as JwtClaims, h as Session, U as UserProfile, H as ProvisionUserRequest, K as ProvisionUserResponse, G as UserPermissions, O as OidcDiscovery, t as JwksResponse, u as OidcTokenResponse, b0 as HostedClientContext, i as TenantInfo, C as CreateTenantRequest, j as UpdateTenantRequest, P as PromoteToVendorRequest, k as PromoteToVendorResult, a7 as TenantUser, l as InviteTenantUserRequest, m as InviteTenantUserResult, n as TenantUserRoleUpdate, M as MigrateUserRequest, E as PasswordPolicy, F as MfaPolicy, B as BrandingConfig, _ as AppInfo, $ as PermissionNodeInfo, Z as AppManifest, a0 as AppSyncResult, a1 as Role, a2 as CreateRoleRequest, a3 as UpdateRoleRequest, a4 as AssignRoleRequest, a5 as UserRoleAssignment, a8 as PermissionGroup, a9 as GroupPermission, aa as AddGroupPermissionRequest, ab as InheritanceRelation, a6 as UserGroupAssignment, ac as UserPermissionOverride, ad as AddUserOverrideRequest, ae as EffectivePermission, af as PermissionCheckResult, ah as CreateApiKeyRequest, ai as CreateApiKeyResult, ag as ApiKeyInfo, aj as ApiKeyIntrospection, al as CreateInviteRequest, ak as Invitation, am as InviteValidation, an as AcceptInviteRequest, ap as CreateWebhookRequest, aq as CreateWebhookResult, ao as WebhookEndpoint, ar as WebhookDelivery, as as WebhookTestResult, at as Entitlement, au as GrantEntitlementRequest, av as Vendor, aw as CreateVendorRequest, ax as UpdateVendorRequest, az as CreateSourceRequest, ay as Source, aA as UpdateSourceRequest, aC as CreateClientRequest, aB as Client, aD as UpdateClientRequest, aE as HierarchyVendor, aH as HierarchyLink, aL as MembershipWithDetails, aJ as CreateMembershipRequest, aI as Membership, aK as UpdateMembershipRequest, aM as AvailableScopesTree, aQ as ScopeSwitchResult, aR as GdprExportData, aS as PinStatus, aU as MfaAvailableMethods, aV as TotpEnrollResult, aW as TotpVerifyResult, aX as SmsEnrollResult, y as MfaEnrollment, aY as EmailEnrollResult, aZ as BackupCodesResult, a_ as BackupCodeCountResult, o as UpdateBrandingRequest, q as UploadAssetRequest, p as BrandingAsset, r as BrandingDomainMapping, a as IQAuthClientConfig, c as IQAuthBrowserSessionClientConfig, b as IQAuthTokenClientConfig } from './types-Cxl3bQHt.mjs';
+import { I as IQAuthEnvironment, T as TokenPair, W as IQAuthRetryConfig, L as LoginResult, a$ as SignupRequest, D as MfaVerifyResult, d as SessionUser, h as Session, U as UserProfile, H as ProvisionUserRequest, K as ProvisionUserResponse, G as UserPermissions, J as JwtClaims, O as OidcDiscovery, t as JwksResponse, u as OidcTokenResponse, b0 as HostedClientContext, i as TenantInfo, C as CreateTenantRequest, j as UpdateTenantRequest, P as PromoteToVendorRequest, k as PromoteToVendorResult, a7 as TenantUser, l as InviteTenantUserRequest, m as InviteTenantUserResult, n as TenantUserRoleUpdate, M as MigrateUserRequest, E as PasswordPolicy, F as MfaPolicy, B as BrandingConfig, _ as AppInfo, $ as PermissionNodeInfo, Z as AppManifest, a0 as AppSyncResult, a1 as Role, a2 as CreateRoleRequest, a3 as UpdateRoleRequest, a4 as AssignRoleRequest, a5 as UserRoleAssignment, a8 as PermissionGroup, a9 as GroupPermission, aa as AddGroupPermissionRequest, ab as InheritanceRelation, a6 as UserGroupAssignment, ac as UserPermissionOverride, ad as AddUserOverrideRequest, ae as EffectivePermission, af as PermissionCheckResult, ah as CreateApiKeyRequest, ai as CreateApiKeyResult, ag as ApiKeyInfo, aj as ApiKeyIntrospection, al as CreateInviteRequest, ak as Invitation, am as InviteValidation, an as AcceptInviteRequest, ap as CreateWebhookRequest, aq as CreateWebhookResult, ao as WebhookEndpoint, ar as WebhookDelivery, as as WebhookTestResult, at as Entitlement, au as GrantEntitlementRequest, av as Vendor, aw as CreateVendorRequest, ax as UpdateVendorRequest, az as CreateSourceRequest, ay as Source, aA as UpdateSourceRequest, aC as CreateClientRequest, aB as Client, aD as UpdateClientRequest, aE as HierarchyVendor, aH as HierarchyLink, aL as MembershipWithDetails, aJ as CreateMembershipRequest, aI as Membership, aK as UpdateMembershipRequest, aM as AvailableScopesTree, aQ as ScopeSwitchResult, aR as GdprExportData, aS as PinStatus, aU as MfaAvailableMethods, aV as TotpEnrollResult, aW as TotpVerifyResult, aX as SmsEnrollResult, y as MfaEnrollment, aY as EmailEnrollResult, aZ as BackupCodesResult, a_ as BackupCodeCountResult, o as UpdateBrandingRequest, q as UploadAssetRequest, p as BrandingAsset, r as BrandingDomainMapping, a as IQAuthClientConfig, c as IQAuthBrowserSessionClientConfig, b as IQAuthTokenClientConfig } from './types-DZAflmmq.mjs';
+import { T as TokensModule } from './tokens-DCyzzn8L.mjs';
 
 /**
  * SOURCE REFS:
@@ -82,66 +83,6 @@ declare class AuthModule {
     getSessionUser(): Promise<SessionUser>;
 }
 
-/**
- * SOURCE REFS:
- * - Route file: src/services/token.service.ts (RS256, issuer "auth.dispositioniq.com", audience array)
- * - Route file: src/routes/wellknown.routes.ts (JWKS endpoint /.well-known/jwks.json)
- * - Route file: src/lib/crypto.ts (key rotation with kid)
- * - Verified claims: sub, email, name, tenantId, vendorId, roles, entitlements, sessionId, jti, iss, aud, exp, iat, scopeContext, loginMethod
- * - Last verified: Phase 0 Research Summary
- *
- * 2.3.0: Verify path swapped from `jsonwebtoken` (which depends on
- * `node:crypto`) to `jose` so the SDK works on Next.js / Vercel / Cloudflare
- * edge runtimes. Edge has only Web Crypto, so every call from a Next
- * middleware previously threw and was wrapped as `TOKEN_INVALID`,
- * indistinguishable from a real bad token. We keep our own JWKS fetch +
- * cache to preserve INTERNAL_ERROR mapping for malformed JWKS payloads and
- * to keep the kid-aware "Unknown key ID" diagnostic.
- */
-
-declare const DEFAULT_TOKEN_ISSUER: string[];
-declare const DEFAULT_TOKEN_AUDIENCE: string[];
-declare const DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
-interface TokenVerifyOptions {
-    issuer?: string | string[];
-    audience?: string | string[];
-    clockTolerance?: number;
-    algorithms?: string[];
-}
-interface TokensModuleOptions {
-    issuer?: string | string[];
-    audience?: string | string[];
-    clockTolerance?: number;
-}
-declare class TokensModule {
-    private baseUrl;
-    private jwksCache;
-    private inFlightRefresh;
-    private defaultIssuer;
-    private defaultAudience;
-    private defaultClockTolerance;
-    constructor(baseUrl: string, options?: TokensModuleOptions);
-    /**
-     * Verify a JWT access token using RS256/ES256 via JWKS from
-     * `/.well-known/jwks.json`. Backed by `jose` (Web Crypto) so it runs on
-     * Node, browser, and edge runtimes alike — no `node:crypto` dependency.
-     * Caches JWKS for 1 hour and refetches once on unknown `kid`.
-     */
-    verify(token: string, options?: TokenVerifyOptions): Promise<JwtClaims>;
-    /**
-     * Decode a JWT without verification. Returns null if malformed.
-     */
-    decode(token: string): JwtClaims | null;
-    /** Check if a token is expired based on the `exp` claim. */
-    isExpired(token: string): boolean;
-    /** Get the claims from a token without verification. */
-    getClaims(token: string): JwtClaims;
-    private ensureCache;
-    private refreshJwks;
-    /** @internal Exposed for testing — clears JWKS cache */
-    clearCache(): void;
-}
-
 /**
  * SOURCE REFS:
  * - Route file: src/routes/sessions.routes.ts (GET /, DELETE /:sessionId)
@@ -903,4 +844,4 @@ declare class IQAuthClient {
     private static resolveEnvironment;
 }
 
-export { AuthModule as A, BrandingModule as B, type CreateAppRequest as C, DEFAULT_TOKEN_ISSUER as D, EntitlementsModule as E, GdprModule as G, HierarchyModule as H, IQAuthClient as I, MembershipsModule as M, OidcModule as O, PermissionsModule as P, RolesModule as R, SessionsModule as S, TokensModule as T, UsersModule as U, VendorsModule as V, WebhooksModule as W, InMemoryOidcStateStore as a, type OidcStateStore as b, type OidcStoredRequest as c, type OidcAuthRequest as d, type OidcCallbackResult as e, type OidcModuleOptions as f, DEFAULT_TOKEN_AUDIENCE as g, DEFAULT_CLOCK_TOLERANCE_SECONDS as h, type TokenVerifyOptions as i, type TokensModuleOptions as j, TenantsModule as k, AppsModule as l, type CreateAppResponse as m, PermissionGroupsModule as n, ApiKeysModule as o, InvitesModule as p, SourcesModule as q, ClientsModule as r, ScopeModule as s, PinModule as t, MfaModule as u };
+export { AuthModule as A, BrandingModule as B, type CreateAppRequest as C, EntitlementsModule as E, GdprModule as G, HierarchyModule as H, IQAuthClient as I, MembershipsModule as M, OidcModule as O, PermissionsModule as P, RolesModule as R, SessionsModule as S, TenantsModule as T, UsersModule as U, VendorsModule as V, WebhooksModule as W, InMemoryOidcStateStore as a, type OidcStateStore as b, type OidcStoredRequest as c, type OidcAuthRequest as d, type OidcCallbackResult as e, type OidcModuleOptions as f, AppsModule as g, type CreateAppResponse as h, PermissionGroupsModule as i, ApiKeysModule as j, InvitesModule as k, SourcesModule as l, ClientsModule as m, ScopeModule as n, PinModule as o, MfaModule as p };

package/dist/doctor-YYNHNMLD.mjs

@@ -0,0 +1,198 @@
+import {
+  loadEnv,
+  parseFlags,
+  symbol
+} from "./chunk-X3K3WOBR.mjs";
+import {
+  parsePublishableKey
+} from "./chunk-WQWBJSSS.mjs";
+import "./chunk-6I6RM4MN.mjs";
+import "./chunk-Y6FXYEAI.mjs";
+
+// src/cli/doctor.ts
+function pass(name, detail) {
+  return { name, level: "pass", detail };
+}
+function fail(name, detail, remediation) {
+  return { name, level: "fail", detail, remediation };
+}
+function info(name, detail) {
+  return { name, level: "info", detail };
+}
+async function runDoctor(argv) {
+  const { flags } = parseFlags(argv);
+  const envFile = flags.get("env-file") || ".env";
+  const env = await loadEnv(envFile);
+  const probes = [];
+  const pkRaw = env.IQAUTH_PUBLISHABLE_KEY;
+  const skRaw = env.IQAUTH_SECRET_KEY;
+  const issuerEnv = env.IQAUTH_ISSUER;
+  const redirect = env.IQAUTH_REDIRECT_URI;
+  const appOrigin = env.IQAUTH_APP_ORIGIN || env.APP_ORIGIN;
+  probes.push(
+    pkRaw ? pass(".env present", `${envFile} loaded; IQAUTH_PUBLISHABLE_KEY=${pkRaw.slice(0, 10)}\u2026`) : fail(
+      ".env present",
+      `IQAUTH_PUBLISHABLE_KEY missing in ${envFile}`,
+      "Run `iqauth init` or copy your publishable key from the IQAuth admin console into .env."
+    )
+  );
+  const parsed = pkRaw ? parsePublishableKey(pkRaw) : null;
+  probes.push(
+    parsed ? pass(
+      "publishable key parses",
+      `mode=${parsed.mode} appId=${parsed.appId} tenantId=${parsed.tenantId} kid=${parsed.kid}`
+    ) : fail(
+      "publishable key parses",
+      "key did not match pk_<test|live>_<base64> format",
+      "Regenerate the key from the IQAuth admin console \u2014 it must be the URL-safe base64 form."
+    )
+  );
+  const issuer = (issuerEnv || (parsed?.iss.startsWith("http") ? parsed.iss : parsed ? `https://${parsed.iss}` : "")).replace(/\/+$/, "");
+  if (issuer) {
+    try {
+      const res = await fetch(`${issuer}/.well-known/openid-configuration`);
+      const body = res.ok ? await res.json().catch(() => null) : null;
+      probes.push(
+        res.ok ? pass("issuer reachable", `${issuer}/.well-known/openid-configuration \u2192 ${res.status}`) : fail(
+          "issuer reachable",
+          `${issuer}/.well-known/openid-configuration \u2192 ${res.status}`,
+          "Check that IQAUTH_ISSUER (or the host encoded in your publishable key) points to a running IQAuth deployment."
+        )
+      );
+      if (parsed && body?.issuer) {
+        const expected = parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`;
+        const ok = body.issuer.replace(/\/+$/, "") === expected.replace(/\/+$/, "");
+        probes.push(
+          ok ? pass("iss matches publishable key", `discovery.issuer=${body.issuer}`) : fail(
+            "iss matches publishable key",
+            `discovery.issuer=${body.issuer} but publishable key encodes ${expected}`,
+            "Regenerate your publishable key from the SAME issuer host you're targeting (mismatched issuers are the #1 cause of TOKEN_INVALID)."
+          )
+        );
+      }
+    } catch (err) {
+      probes.push(fail(
+        "issuer reachable",
+        `fetch failed: ${err.message}`,
+        "Verify network reachability and that IQAUTH_ISSUER is correct."
+      ));
+    }
+  } else {
+    probes.push(fail("issuer reachable", "issuer URL unknown (no IQAUTH_ISSUER and no key)"));
+  }
+  if (issuer) {
+    try {
+      const res = await fetch(`${issuer}/.well-known/jwks.json`);
+      const json = await res.json().catch(() => ({}));
+      const keys = json.keys;
+      const ok = res.ok && Array.isArray(keys) && keys.length > 0;
+      probes.push(
+        ok ? pass("JWKS reachable", `${issuer}/.well-known/jwks.json \u2192 ${res.status} (${keys.length} keys)`) : fail(
+          "JWKS reachable",
+          `${issuer}/.well-known/jwks.json \u2192 ${res.status} (${Array.isArray(keys) ? keys.length : 0} keys)`,
+          "JWKS must publish at least one signing key \u2014 contact your IQAuth admin."
+        )
+      );
+    } catch (err) {
+      probes.push(fail("JWKS reachable", `fetch failed: ${err.message}`));
+    }
+  }
+  if (redirect) {
+    try {
+      const res = await fetch(redirect, { method: "GET" });
+      const ok = res.status > 0 && res.status < 500;
+      probes.push(
+        ok ? pass("redirect URI reachable", `${redirect} \u2192 ${res.status}`) : fail(
+          "redirect URI reachable",
+          `${redirect} \u2192 ${res.status}`,
+          "The configured callback path must be reachable from the public internet (or localhost for dev)."
+        )
+      );
+    } catch (err) {
+      probes.push(fail("redirect URI reachable", `fetch failed: ${err.message}`));
+    }
+  } else {
+    probes.push(info("redirect URI reachable", "IQAUTH_REDIRECT_URI not set (skipped \u2014 set it to enable this probe)"));
+  }
+  if (issuer && parsed) {
+    const probeReturnTo = appOrigin || redirect || `${issuer}/`;
+    const ctxUrl = `${issuer}/api/public/apps/${encodeURIComponent(parsed.appId)}/sign-in-context?return_to=${encodeURIComponent(probeReturnTo)}`;
+    try {
+      const res = await fetch(ctxUrl);
+      const body = await res.json().catch(() => null);
+      if (!res.ok || !body?.success || !body.data) {
+        probes.push(fail(
+          "app active at issuer",
+          `GET sign-in-context \u2192 ${res.status}${body?.error?.code ? ` ${body.error.code}` : ""}`,
+          "The app key may be revoked, archived, or pointing at the wrong tenant. Check the IQAuth admin console."
+        ));
+      } else {
+        const data = body.data;
+        probes.push(pass("app active at issuer", `app=${data.app?.key} mode=${data.app?.mode}`));
+        const allowed = data.allowedOrigins ?? [];
+        if (appOrigin) {
+          let originOk = false;
+          try {
+            originOk = allowed.includes(new URL(appOrigin).origin);
+          } catch {
+            originOk = allowed.includes(appOrigin);
+          }
+          probes.push(
+            originOk ? pass("APP_ORIGIN allowed", `${appOrigin} \u2208 allowedOrigins`) : fail(
+              "APP_ORIGIN allowed",
+              `${appOrigin} not in [${allowed.join(", ") || "\u2014"}]`,
+              `Add this origin in the IQAuth admin console: Apps \u2192 ${data.app?.key} \u2192 Allowed Origins.`
+            )
+          );
+        } else {
+          probes.push(info("APP_ORIGIN allowed", "Set IQAUTH_APP_ORIGIN to enable this probe"));
+        }
+        if (redirect) {
+          let cbOriginOk = false;
+          try {
+            cbOriginOk = allowed.includes(new URL(redirect).origin);
+          } catch {
+            cbOriginOk = false;
+          }
+          probes.push(
+            cbOriginOk ? pass("callback origin allowed", `origin of ${redirect} \u2208 allowedOrigins`) : fail(
+              "callback origin allowed",
+              `origin of ${redirect} not in [${allowed.join(", ") || "\u2014"}]`,
+              `Register the callback URL in the IQAuth admin console: Apps \u2192 ${data.app?.key} \u2192 Allowed Redirect URIs.`
+            )
+          );
+        } else {
+          probes.push(info("callback origin allowed", "Set IQAUTH_REDIRECT_URI to enable this probe"));
+        }
+      }
+    } catch (err) {
+      probes.push(fail("app active at issuer", `fetch failed: ${err.message}`));
+    }
+  }
+  if (skRaw) {
+    probes.push(
+      /^sk_(test|live)_[A-Za-z0-9_\-]+$/.test(skRaw) ? pass("secret key shape", `IQAUTH_SECRET_KEY=${skRaw.slice(0, 8)}\u2026`) : fail(
+        "secret key shape",
+        "IQAUTH_SECRET_KEY does not match sk_<test|live>_<base64>",
+        "Regenerate the secret from the IQAuth admin console."
+      )
+    );
+  } else {
+    probes.push(info("secret key shape", "IQAUTH_SECRET_KEY not set (only required for backend adapters)"));
+  }
+  let allOk = true;
+  for (const p of probes) {
+    const sym = p.level === "pass" ? symbol(true) : p.level === "fail" ? symbol(false) : "\u2139";
+    console.log(`${sym} ${p.name.padEnd(32)} ${p.detail}`);
+    if (p.remediation && p.level === "fail") {
+      console.log(`  \u21B3 ${p.remediation}`);
+    }
+    if (p.level === "fail") allOk = false;
+  }
+  console.log("");
+  console.log(allOk ? "\u2705 All checks passed." : "\u274C One or more checks failed \u2014 see above.");
+  process.exit(allOk ? 0 : 1);
+}
+export {
+  runDoctor
+};

package/dist/{express-A0-dWEMy.d.mts → express-B6_1vBYZ.d.mts}

@@ -1,5 +1,5 @@
-import { I as IQAuthClient } from './client-vdh2a9fJ.mjs';
-import { J as JwtClaims, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.mjs';
+import { I as IQAuthClient } from './client-kYlJFgPv.mjs';
+import { J as JwtClaims, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-DZAflmmq.mjs';
 
 /**
  * SOURCE REFS:
@@ -34,6 +34,27 @@ interface CookieAwareMiddlewareOptions extends ExpressMiddlewareOptions {
      * configured access cookie. When false, only the bearer header is checked.
      */
     cookieAware?: boolean;
+    /**
+     * F14 — Umbrella shorthand for `accessCookieName` / `refreshCookieName`.
+     * When both forms are supplied the individual fields win for back-compat.
+     */
+    cookieNames?: {
+        access?: string;
+        refresh?: string;
+    };
+    /**
+     * F33 — Declarative protect/public route configuration. When `protect` is
+     * given, only requests whose path matches one of the patterns are
+     * verified; everything else is allowed through (`req.auth` left unset).
+     * When `publicRoutes` is given, those paths are always allowed through
+     * even if `protect` would have matched. Each entry is either a glob-like
+     * string (`*` = single segment, `**` = any path remainder) or a `RegExp`.
+     *
+     * If neither is given, the middleware behaves as before — every request
+     * goes through the verifier.
+     */
+    protect?: Array<string | RegExp>;
+    publicRoutes?: Array<string | RegExp>;
 }
 /**
  * Express middleware that verifies access tokens via the SDK's token verifier.