@iqauth/sdk 2.6.3 → 2.7.0

package/dist/react.mjs

@@ -1,2616 +1,63 @@
 import {
-  AccountRegistry,
-  MultiAccountTokenStore,
-  SessionManager,
-  defaultCookieStore,
-  enrollPasskey,
-  linkProvider,
-  listLinkedIdentities,
-  requestMagicLink,
-  signInWithPasskey,
-  unlinkProvider
-} from "./chunk-76W5TLQQ.mjs";
-import {
-  handleAuthCallback,
-  redirectToSignIn,
-  signIn,
-  signOut
-} from "./chunk-TKZTCPEK.mjs";
-import "./chunk-WQWBJSSS.mjs";
-import {
-  defaultBundle,
-  localizeErrorCode,
-  resolveBundle,
-  t
-} from "./chunk-5T7GHBX6.mjs";
-import "./chunk-6I6RM4MN.mjs";
+  AuthCallback,
+  CreateOrganization,
+  IQAuthLoaded,
+  IQAuthLoading,
+  IQAuthProvider,
+  IQAuthReturnToBouncer,
+  ImpersonationBanner,
+  LinkedAccounts,
+  MagicLinkSignInForm,
+  MultisessionAppSupport,
+  OrganizationList,
+  OrganizationProfile,
+  OrganizationSwitcher,
+  PasskeySignInButton,
+  Protect,
+  RedirectToSignIn,
+  RedirectToSignedIn,
+  SignIn,
+  SignUp,
+  SignedIn,
+  SignedOut,
+  UserButton,
+  UserProfile,
+  Waitlist,
+  __useIQAuthInternal,
+  __version__,
+  isReturnToAllowed,
+  isSilentSsoEligible,
+  preflightReturnTo,
+  revokeSession,
+  sanitizeBrandCss,
+  sanitizeReturnTo,
+  slugify,
+  useAccountList,
+  useAccountSwitcher,
+  useAuth,
+  useAuthFetch,
+  useIQAuthSignInContext,
+  useImpersonation,
+  useLinkedIdentities,
+  useLocale,
+  useMagicLink,
+  useOrganization,
+  usePasskey,
+  useResolvedSdkBranding,
+  useReturnTo,
+  useReverification,
+  useSession,
+  useSessionList,
+  useT,
+  useUser
+} from "./chunk-RR2MGPTK.mjs";
+import "./chunk-RTJAIBXY.mjs";
+import "./chunk-GN37E64I.mjs";
+import "./chunk-C2ZTBOAC.mjs";
+import "./chunk-HVHNYPDC.mjs";
+import "./chunk-5T7GHBX6.mjs";
+import "./chunk-6PJRLRB4.mjs";
 import "./chunk-Y6FXYEAI.mjs";
-
-// src/react/index.tsx
-import {
-  createContext,
-  createElement,
-  Fragment,
-  useCallback,
-  useContext,
-  useEffect,
-  useMemo,
-  useRef,
-  useState,
-  useSyncExternalStore
-} from "react";
-
-// src/browser/returnTo.ts
-function normalizeOrigin(o) {
-  try {
-    return new URL(o).origin;
-  } catch {
-    return o.replace(/\/+$/, "");
-  }
-}
-function sanitizeReturnTo(input, options = {}) {
-  const fallback = options.fallback ?? "/";
-  if (!input || typeof input !== "string") return fallback;
-  const trimmed = input.trim();
-  if (!trimmed) return fallback;
-  if (trimmed.startsWith("//")) return fallback;
-  if (trimmed.startsWith("/") || trimmed.startsWith("#") || trimmed.startsWith("?")) {
-    return trimmed;
-  }
-  if (!/^[a-z][a-z0-9+\-.]*:/i.test(trimmed)) {
-    return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
-  }
-  let parsed;
-  try {
-    parsed = new URL(trimmed);
-  } catch {
-    return fallback;
-  }
-  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return fallback;
-  const currentOrigin = options.currentOrigin ?? (typeof window !== "undefined" ? window.location.origin : "");
-  const allowed = /* @__PURE__ */ new Set();
-  if (currentOrigin) allowed.add(normalizeOrigin(currentOrigin));
-  for (const o of options.allowedOrigins ?? []) allowed.add(normalizeOrigin(o));
-  if (allowed.has(parsed.origin)) return parsed.toString();
-  return fallback;
-}
-function isReturnToAllowed(input, options = {}) {
-  const fallback = options.fallback ?? "/";
-  const out = sanitizeReturnTo(input, options);
-  if (!input) return false;
-  return out !== fallback || input === fallback;
-}
-
-// src/react/index.tsx
-import { Fragment as Fragment2, jsx, jsxs } from "react/jsx-runtime";
-var globalManager = null;
-function setGlobalManager(m) {
-  globalManager = m;
-}
-function getGlobalManager() {
-  return globalManager;
-}
-var IQAuthContext = createContext(null);
-function IQAuthProvider({
-  publishableKey,
-  issuer,
-  channelName,
-  proactiveRefresh,
-  manager: externalManager,
-  allowedReturnOrigins,
-  appearance,
-  roleMapper,
-  cookieNames,
-  localization,
-  silentSso,
-  children
-}) {
-  const managerRef = useRef(null);
-  if (!managerRef.current) {
-    managerRef.current = externalManager ?? new SessionManager({
-      publishableKey,
-      issuer,
-      channelName,
-      proactiveRefresh,
-      cookieNames
-    });
-    setGlobalManager(managerRef.current);
-  }
-  const manager = managerRef.current;
-  const subscribe = useCallback(
-    (cb) => manager.subscribe(() => cb()),
-    [manager]
-  );
-  const getSnapshot = useCallback(() => manager.getSnapshot(), [manager]);
-  const getServerSnapshot = useCallback(() => manager.getSnapshot(), [manager]);
-  const snapshot = useSyncExternalStore(subscribe, getSnapshot, getServerSnapshot);
-  useEffect(() => {
-    void manager.bootstrap();
-    const onVisible = () => {
-      if (typeof document !== "undefined" && document.visibilityState === "visible") {
-        void manager.refresh();
-      }
-    };
-    if (typeof document !== "undefined") {
-      document.addEventListener("visibilitychange", onVisible);
-    }
-    return () => {
-      if (typeof document !== "undefined") {
-        document.removeEventListener("visibilitychange", onVisible);
-      }
-    };
-  }, [manager]);
-  const resolvedLocalization = useMemo(
-    () => resolveBundle(localization),
-    [localization]
-  );
-  const value = useMemo(
-    () => ({
-      manager,
-      snapshot,
-      allowedReturnOrigins: allowedReturnOrigins ?? [],
-      appearance: appearance ?? null,
-      roleMapper: roleMapper ?? null,
-      localization: resolvedLocalization,
-      silentSso: silentSso ?? false
-    }),
-    [manager, snapshot, allowedReturnOrigins, appearance, roleMapper, resolvedLocalization, silentSso]
-  );
-  return createElement(IQAuthContext.Provider, { value }, children);
-}
-function useCtx() {
-  const ctx = useContext(IQAuthContext);
-  if (!ctx) throw new Error("IQAuth hooks must be used inside <IQAuthProvider>");
-  return ctx;
-}
-function useLocale() {
-  const ctx = useContext(IQAuthContext);
-  return ctx?.localization ?? defaultBundle;
-}
-function useT() {
-  const bundle = useLocale();
-  return useMemo(
-    () => (key, vars) => t(bundle, key, vars),
-    [bundle]
-  );
-}
-function localizeError(bundle, raw) {
-  if (!raw) return t(bundle, "errors.generic");
-  if (typeof raw === "string") {
-    if (/^[A-Z][A-Z0-9_]+$/.test(raw)) return localizeErrorCode(bundle, raw);
-    return raw;
-  }
-  if (raw.code) return localizeErrorCode(bundle, raw.code);
-  return raw.message || t(bundle, "errors.generic");
-}
-function useUser() {
-  const { snapshot, roleMapper } = useCtx();
-  return useMemo(
-    () => {
-      const user = snapshot.user ? {
-        ...snapshot.user,
-        // F13 — derive `role` via roleMapper, falling back to a sensible default
-        role: (() => {
-          if (roleMapper) {
-            try {
-              return roleMapper(snapshot.claims);
-            } catch {
-              return null;
-            }
-          }
-          const c = snapshot.claims;
-          if (!c) return null;
-          if (typeof c.role === "string" && c.role) return c.role;
-          if (Array.isArray(c.roles) && c.roles.length > 0 && typeof c.roles[0] === "string") return c.roles[0];
-          return null;
-        })()
-      } : null;
-      return {
-        isLoaded: snapshot.status !== "loading",
-        isSignedIn: snapshot.status === "authenticated" && !!snapshot.user,
-        user,
-        error: snapshot.error
-      };
-    },
-    [snapshot.status, snapshot.user, snapshot.claims, snapshot.error, snapshot.version, roleMapper]
-  );
-}
-function useSession() {
-  const { snapshot } = useCtx();
-  return useMemo(
-    () => ({
-      isLoaded: snapshot.status !== "loading",
-      isSignedIn: snapshot.status === "authenticated",
-      claims: snapshot.claims,
-      accessToken: snapshot.accessToken,
-      error: snapshot.error
-    }),
-    [snapshot.status, snapshot.claims, snapshot.accessToken, snapshot.error, snapshot.version]
-  );
-}
-function useAuth() {
-  const { manager, snapshot } = useCtx();
-  return useMemo(
-    () => ({
-      isLoaded: snapshot.status !== "loading",
-      isSignedIn: snapshot.status === "authenticated",
-      userId: snapshot.user?.sub ?? null,
-      tenantId: snapshot.tenantId,
-      error: snapshot.error,
-      signIn: (opts) => signIn(manager, opts),
-      signOut: (opts) => signOut(manager, opts),
-      redirectToSignIn: (opts) => redirectToSignIn(manager, opts),
-      getToken: () => manager.getToken(),
-      fetch: (input, init) => manager.fetch(input, init)
-    }),
-    [manager, snapshot.status, snapshot.user, snapshot.tenantId, snapshot.error, snapshot.version]
-  );
-}
-function useOrganization() {
-  const { snapshot } = useCtx();
-  return useMemo(
-    () => ({
-      isLoaded: snapshot.status !== "loading",
-      organization: snapshot.tenantId ? { id: snapshot.tenantId, tenantId: snapshot.tenantId } : null,
-      error: snapshot.error
-    }),
-    [snapshot.status, snapshot.tenantId, snapshot.error, snapshot.version]
-  );
-}
-function useAuthFetch() {
-  const { manager } = useCtx();
-  return useCallback(
-    (input, init) => manager.fetch(input, init),
-    [manager]
-  );
-}
-function useSessionList() {
-  const { manager } = useCtx();
-  const [sessions, setSessions] = useState([]);
-  const [loading, setLoading] = useState(true);
-  const [error, setError] = useState(null);
-  const base = manager.issuerUrl.replace(/\/$/, "");
-  const refresh = useCallback(async () => {
-    setLoading(true);
-    setError(null);
-    try {
-      const res = await manager.fetch(`${base}/api/v1/users/me/sessions`);
-      const json = await res.json().catch(() => ({}));
-      if (!res.ok) throw new Error(json?.error?.message || `HTTP ${res.status}`);
-      setSessions(json?.data?.sessions || []);
-    } catch (err) {
-      setError(err.message);
-    } finally {
-      setLoading(false);
-    }
-  }, [manager, base]);
-  useEffect(() => {
-    void refresh();
-  }, [refresh]);
-  const revoke = useCallback(async (sessionId) => {
-    const res = await manager.fetch(`${base}/api/v1/users/me/sessions/${encodeURIComponent(sessionId)}`, { method: "DELETE" });
-    if (!res.ok) {
-      const j = await res.json().catch(() => ({}));
-      throw new Error(j?.error?.message || `HTTP ${res.status}`);
-    }
-    setSessions((prev) => prev.filter((s) => s.id !== sessionId));
-  }, [manager, base]);
-  const revokeAllOthers = useCallback(async () => {
-    const res = await manager.fetch(`${base}/api/v1/users/me/sessions/revoke-all-others`, { method: "POST" });
-    const json = await res.json().catch(() => ({}));
-    if (!res.ok) throw new Error(json?.error?.message || `HTTP ${res.status}`);
-    setSessions((prev) => prev.filter((s) => s.isCurrent));
-    return { terminatedCount: json?.data?.terminatedCount ?? 0 };
-  }, [manager, base]);
-  return { sessions, loading, error, refresh, revoke, revokeAllOthers };
-}
-async function revokeSession(sessionId) {
-  const mgr = getGlobalManager();
-  if (!mgr) throw new Error("revokeSession() requires <IQAuthProvider> mounted");
-  const base = mgr.issuerUrl.replace(/\/$/, "");
-  const res = await mgr.fetch(`${base}/api/v1/users/me/sessions/${encodeURIComponent(sessionId)}`, { method: "DELETE" });
-  if (!res.ok) {
-    const j = await res.json().catch(() => ({}));
-    throw new Error(j?.error?.message || `HTTP ${res.status}`);
-  }
-}
-var MultisessionContext = createContext(null);
-function MultisessionAppSupport({ children }) {
-  const { manager, snapshot } = useCtx();
-  const registryRef = useRef(null);
-  if (!registryRef.current) {
-    registryRef.current = new AccountRegistry(manager.appKey);
-  }
-  const registry = registryRef.current;
-  const [version, setVersion] = useState(0);
-  useEffect(() => {
-    const store = new MultiAccountTokenStore(registry, defaultCookieStore());
-    manager.setTokenStore(store);
-    const unsub = registry.subscribe(() => setVersion((v) => v + 1));
-    return () => {
-      unsub();
-      registry.destroy();
-    };
-  }, [manager]);
-  useEffect(() => {
-    if (snapshot.status !== "authenticated" || !snapshot.user) return;
-    const claims = snapshot.claims;
-    const rec = {
-      accountId: snapshot.user.sub,
-      userId: snapshot.user.sub,
-      email: snapshot.user.email,
-      name: snapshot.user.name,
-      tenantId: snapshot.tenantId ?? claims?.tenantId ?? null,
-      addedAt: Date.now()
-    };
-    registry.upsert(rec);
-    if (registry.active() !== rec.accountId) {
-      registry.setActive(rec.accountId);
-    }
-  }, [snapshot.user?.sub, snapshot.tenantId, snapshot.status]);
-  const value = useMemo(
-    () => ({ registry, version }),
-    [registry, version]
-  );
-  return createElement(MultisessionContext.Provider, { value }, children);
-}
-function useMultiCtx() {
-  const ctx = useContext(MultisessionContext);
-  if (!ctx) throw new Error("F22 hooks must be used inside <MultisessionAppSupport>");
-  return ctx;
-}
-function useAccountList() {
-  const { registry, version } = useMultiCtx();
-  const { isLoaded } = useUser();
-  const accounts = useMemo(() => {
-    const active = registry.active();
-    return registry.list().map((a) => ({
-      accountId: a.accountId,
-      userId: a.userId,
-      email: a.email,
-      name: a.name,
-      tenantId: a.tenantId,
-      isActive: a.accountId === active
-    }));
-  }, [registry, version]);
-  return { accounts, loading: !isLoaded };
-}
-function useAccountSwitcher() {
-  const { manager } = useCtx();
-  const { registry } = useMultiCtx();
-  const addAccount = useCallback(
-    async (opts = {}) => {
-      registry.setActive(null);
-      await signIn(manager, { ...opts, prompt: "login" });
-    },
-    [manager, registry]
-  );
-  const switchTo = useCallback(
-    async (accountId) => {
-      const target = registry.get(accountId);
-      if (!target) throw new Error(`Unknown accountId: ${accountId}`);
-      registry.setActive(accountId);
-      const ok = await manager.refresh();
-      if (!ok) {
-        registry.remove(accountId);
-        throw new Error("Could not switch account; session may have been revoked");
-      }
-    },
-    [manager, registry]
-  );
-  const removeAccount = useCallback(
-    (accountId) => {
-      registry.remove(accountId);
-    },
-    [registry]
-  );
-  return { addAccount, switchTo, removeAccount };
-}
-function SignedIn({ children }) {
-  const { isSignedIn, isLoaded } = useUser();
-  if (!isLoaded || !isSignedIn) return null;
-  return createElement(Fragment, null, children);
-}
-function SignedOut({ children }) {
-  const { isSignedIn, isLoaded } = useUser();
-  if (!isLoaded || isSignedIn) return null;
-  return createElement(Fragment, null, children);
-}
-function IQAuthLoading({ children }) {
-  const { isLoaded } = useAuth();
-  if (isLoaded) return null;
-  return createElement(Fragment, null, children);
-}
-function IQAuthLoaded({ children }) {
-  const { isLoaded } = useAuth();
-  if (!isLoaded) return null;
-  return createElement(Fragment, null, children);
-}
-function RedirectToSignIn(props = {}) {
-  const { manager, snapshot } = useCtx();
-  const [error, setError] = useState(null);
-  useEffect(() => {
-    if (snapshot.status === "unauthenticated") {
-      redirectToSignIn(manager, props).catch((err) => {
-        const message = err instanceof Error ? err.message : String(err);
-        console.error("[IQAuth] RedirectToSignIn failed:", err, {
-          issuer: manager.issuerUrl,
-          appKey: manager.appKey
-        });
-        setError(message);
-      });
-    }
-  }, [manager, snapshot.status]);
-  if (error) {
-    return createElement(
-      "div",
-      {
-        role: "alert",
-        style: {
-          maxWidth: 520,
-          margin: "48px auto",
-          padding: 16,
-          border: "1px solid #f0c0c0",
-          background: "#fff5f5",
-          borderRadius: 8,
-          fontFamily: "system-ui, sans-serif",
-          fontSize: 14,
-          color: "#7a1f1f"
-        }
-      },
-      createElement("strong", null, "IQAuth: sign-in redirect failed"),
-      createElement("div", { style: { marginTop: 8, fontSize: 13 } }, error),
-      createElement(
-        "div",
-        { style: { marginTop: 12, fontSize: 12, color: "#5a4a4a" } },
-        `Issuer: ${manager.issuerUrl} \xB7 App: ${manager.appKey}. Check browser console for details.`
-      )
-    );
-  }
-  return null;
-}
-function asArray(v) {
-  if (v == null) return [];
-  return Array.isArray(v) ? v : [v];
-}
-function claimRoles(c) {
-  if (!c) return [];
-  const x = c;
-  if (Array.isArray(x.roles)) return x.roles.filter((r) => typeof r === "string");
-  if (typeof x.role === "string") return [x.role];
-  return [];
-}
-function claimPermissions(c) {
-  if (!c) return [];
-  const x = c;
-  const out = /* @__PURE__ */ new Set();
-  if (Array.isArray(x.permissions)) {
-    for (const p of x.permissions) if (typeof p === "string") out.add(p);
-  }
-  if (Array.isArray(x.entitlements)) {
-    for (const p of x.entitlements) if (typeof p === "string") out.add(p);
-  }
-  if (typeof x.scope === "string") {
-    for (const s of x.scope.split(/\s+/)) if (s) out.add(s);
-  }
-  return Array.from(out);
-}
-function Protect({ role, permission, condition, fallback = null, children }) {
-  const { snapshot } = useCtx();
-  if (snapshot.status !== "authenticated") return createElement(Fragment, null, fallback);
-  const wantedRoles = asArray(role);
-  const wantedPerms = asArray(permission);
-  if (wantedRoles.length) {
-    const have = new Set(claimRoles(snapshot.claims));
-    if (!wantedRoles.some((r) => have.has(r))) return createElement(Fragment, null, fallback);
-  }
-  if (wantedPerms.length) {
-    const have = new Set(claimPermissions(snapshot.claims));
-    if (!wantedPerms.some((p) => have.has(p))) return createElement(Fragment, null, fallback);
-  }
-  if (condition && !condition(snapshot.claims)) return createElement(Fragment, null, fallback);
-  return createElement(Fragment, null, children);
-}
-function RedirectToSignedIn({ to = "/", replace = true } = {}) {
-  const { snapshot, allowedReturnOrigins } = useCtx();
-  useEffect(() => {
-    if (snapshot.status !== "authenticated") return;
-    if (typeof window === "undefined") return;
-    const safe = sanitizeReturnTo(to, { allowedOrigins: allowedReturnOrigins, fallback: "/" });
-    if (replace) window.location.replace(safe);
-    else window.location.assign(safe);
-  }, [snapshot.status, to, replace, allowedReturnOrigins]);
-  return null;
-}
-function useReturnTo(options = {}) {
-  const { allowedReturnOrigins } = useCtx();
-  const paramName = options.paramName ?? "return_to";
-  const storageKey = options.storageKey ?? "iqauth_return_to";
-  const fallback = options.fallback ?? "/";
-  return useMemo(() => {
-    if (typeof window === "undefined") return fallback;
-    let raw = null;
-    try {
-      const params = new URLSearchParams(window.location.search);
-      raw = params.get(paramName) || params.get("next");
-    } catch {
-    }
-    if (!raw) {
-      try {
-        raw = window.sessionStorage.getItem(storageKey);
-      } catch {
-      }
-    }
-    const safe = sanitizeReturnTo(raw, { allowedOrigins: allowedReturnOrigins, fallback });
-    if (safe !== fallback) {
-      try {
-        window.sessionStorage.setItem(storageKey, safe);
-      } catch {
-      }
-    }
-    return safe;
-  }, [paramName, storageKey, fallback, allowedReturnOrigins]);
-}
-function IQAuthReturnToBouncer({ children, ...opts }) {
-  const { snapshot } = useCtx();
-  const returnTo = useReturnTo(opts);
-  useEffect(() => {
-    if (snapshot.status !== "authenticated") return;
-    if (typeof window === "undefined") return;
-    window.location.replace(returnTo);
-  }, [snapshot.status, returnTo]);
-  if (snapshot.status === "authenticated") return null;
-  return createElement(Fragment, null, children);
-}
-async function preflightReturnTo(args) {
-  const f = args.fetchImpl ?? fetch;
-  const url = `${args.iqAuthBaseUrl.replace(/\/$/, "")}/api/public/apps/${encodeURIComponent(args.appKey)}/sign-in-context?return_to=${encodeURIComponent(args.returnTo)}`;
-  try {
-    const r = await f(url, { credentials: "include" });
-    const body = await r.json().catch(() => null);
-    if (!r.ok || !body?.success || !body.data) {
-      return { ok: false, allowedOrigins: [], reason: body?.error?.message || `HTTP ${r.status}` };
-    }
-    return { ok: !!body.data.returnAllowed, allowedOrigins: body.data.allowedOrigins ?? [], reason: body.data.returnAllowed ? void 0 : "returnTo not in app allowedOrigins" };
-  } catch (err) {
-    return { ok: false, allowedOrigins: [], reason: err.message };
-  }
-}
-function AuthCallback({ onComplete, fallback } = {}) {
-  const { manager } = useCtx();
-  useEffect(() => {
-    let cancelled = false;
-    void handleAuthCallback(manager).then((result) => {
-      if (cancelled) return;
-      if (onComplete) onComplete(result);
-      else if (typeof window !== "undefined") {
-        window.location.replace(result.returnTo || "/");
-      }
-    });
-    return () => {
-      cancelled = true;
-    };
-  }, [manager, onComplete]);
-  return createElement(Fragment, null, fallback ?? null);
-}
-function brandStyle(branding) {
-  if (!branding) return {};
-  const s = {};
-  if (branding.primaryColor) s["--brand-primary"] = branding.primaryColor;
-  if (branding.accentColor) s["--brand-accent"] = branding.accentColor;
-  if (branding.backgroundColor) s["--brand-bg"] = branding.backgroundColor;
-  if (branding.surfaceColor) s["--brand-surface"] = branding.surfaceColor;
-  if (branding.textColor) s["--brand-text"] = branding.textColor;
-  if (branding.borderRadius != null && branding.borderRadius !== "") {
-    const n = typeof branding.borderRadius === "number" ? `${branding.borderRadius}px` : String(branding.borderRadius);
-    s["--brand-radius"] = n;
-  }
-  if (branding.fontFamilyBody) s["--brand-font-body"] = branding.fontFamilyBody;
-  if (branding.fontFamilyHeading) s["--brand-font-heading"] = branding.fontFamilyHeading;
-  return s;
-}
-async function jsonFetch(url, init) {
-  const res = await fetch(url, { ...init, credentials: init?.credentials || "include" });
-  const payload = await res.json().catch(() => ({}));
-  if (!res.ok && payload?.success !== true) {
-    const message = payload?.error?.message || payload?.error_description || payload?.error || `HTTP ${res.status}`;
-    throw new Error(typeof message === "string" ? message : "Request failed");
-  }
-  return payload;
-}
-function useIQAuthSignInContext(iqAuthBaseUrl, appKey, returnTo) {
-  const [ctx, setCtx] = useState(null);
-  const [loading, setLoading] = useState(true);
-  const [error, setError] = useState(null);
-  useEffect(() => {
-    if (!appKey) {
-      setLoading(false);
-      setError("appKey is required");
-      return;
-    }
-    let cancelled = false;
-    setLoading(true);
-    const url = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/public/apps/${encodeURIComponent(appKey)}/sign-in-context?return_to=${encodeURIComponent(returnTo)}`;
-    fetch(url, { credentials: "include" }).then(async (r) => {
-      const contentType = r.headers.get("content-type") || "";
-      if (!r.ok || !contentType.includes("json")) {
-        const bodyPreview = await r.text().then((t2) => t2.slice(0, 160)).catch(() => "");
-        console.error(
-          `[IQAuth] sign-in-context request failed: ${r.status} ${r.statusText} (content-type: ${contentType || "\u2014"}). URL: ${url}. Common causes: (1) iqAuthBaseUrl points at the wrong host (it should be your IQAuth issuer, e.g. https://auth.dispositioniq.com \u2014 NOT your own app's domain); (2) the app key "${appKey}" is wrong or revoked; (3) CORS preflight is blocked because this origin isn't in the app's allowed-origins list. Response body preview: ${bodyPreview}`
-        );
-        throw new Error(
-          r.status >= 500 ? "Failed to load sign-in context (server error)" : `Failed to load sign-in context (HTTP ${r.status})`
-        );
-      }
-      return r.json();
-    }).then((payload) => {
-      if (cancelled) return;
-      if (payload?.success === false) throw new Error(payload?.error?.message || "Failed to load sign-in context");
-      setCtx(payload.data);
-    }).catch((err) => {
-      if (!cancelled) setError(err.message);
-    }).finally(() => {
-      if (!cancelled) setLoading(false);
-    });
-    return () => {
-      cancelled = true;
-    };
-  }, [iqAuthBaseUrl, appKey, returnTo]);
-  return { ctx, loading, error };
-}
-var SHELL_CSS = `
-.iqauth-sdk-shell {
-  min-height: 100vh;
-  width: 100%;
-  display: grid;
-  grid-template-columns: 1fr;
-  background: var(--brand-bg, #f7f7f6);
-  color: var(--brand-text, #0f172a);
-  /* Container queries so the two-pane layout responds to the SDK's
-     RENDERED width, not the viewport. This keeps the form usable when
-     a host app embeds <SignIn/> inside a narrower card or sidebar
-     instead of full-screen \u2014 the previous viewport @media query would
-     happily render the side-by-side hero+form into a 200px container
-     and wrap text one character per line. */
-  container-type: inline-size;
-  container-name: iqauth-sdk;
-}
-.iqauth-sdk-hero { display: none; }
-.iqauth-sdk-pane {
-  display: flex; flex-direction: column; align-items: center; justify-content: center;
-  padding: 32px 20px;
-  /* 2.6.1 \u2014 Default to natural height so embedded usage (inside a card,
-     modal, or sidebar) sizes to its content instead of forcing a full
-     viewport. The hosted/full-page layout re-introduces 100vh below the
-     768px container-query threshold for the side-by-side hero variant. */
-  min-height: auto;
-  box-sizing: border-box;
-}
-.iqauth-sdk-card {
-  width: 100%; max-width: 480px;
-  background: var(--brand-surface, #ffffff);
-  border: 1px solid rgba(15,23,42,0.08);
-  border-radius: var(--brand-radius, 16px);
-  box-shadow: 0 1px 2px rgba(0,0,0,0.04), 0 12px 32px rgba(15,23,42,0.06);
-  overflow: hidden;
-}
-.iqauth-sdk-shell, .iqauth-sdk-shell input, .iqauth-sdk-shell button { font-family: var(--brand-font-body, inherit); }
-.iqauth-sdk-shell h1, .iqauth-sdk-shell h2, .iqauth-sdk-shell h3 { font-family: var(--brand-font-heading, var(--brand-font-body, inherit)); }
-.iqauth-sdk-shell[data-layout="centered_card"] { grid-template-columns: 1fr; }
-.iqauth-sdk-shell[data-layout="centered_card"] .iqauth-sdk-hero { display: none; }
-.iqauth-sdk-shell[data-layout="full_bleed"] { background-size: cover; background-position: center; background-repeat: no-repeat; }
-.iqauth-sdk-shell[data-layout="full_bleed"] .iqauth-sdk-hero { display: none; }
-.iqauth-sdk-shell[data-layout="full_bleed"] .iqauth-sdk-pane { background: rgba(15,23,42,0.30); }
-.iqauth-sdk-shell[data-social-style="outline"] .iqauth-sdk-google-btn { background: transparent; border-color: var(--brand-primary, rgba(15,23,42,0.18)); color: var(--brand-text, inherit); }
-.iqauth-sdk-shell[data-social-style="ghost"] .iqauth-sdk-google-btn { background: transparent; border-color: transparent; color: var(--brand-text, inherit); }
-.iqauth-sdk-shell[data-social-style="solid"] .iqauth-sdk-google-btn { background: var(--brand-primary, #3b82f6); border-color: transparent; color: #fff; }
-.iqauth-sdk-shell[data-social-style="solid"] .iqauth-sdk-google-btn:hover { background: var(--brand-primary, #3b82f6); opacity: 0.92; }
-.iqauth-sdk-card-header { padding: 32px 36px 0; }
-.iqauth-sdk-card-header h1 { font-size: 24px; font-weight: 600; margin: 0; line-height: 1.2; letter-spacing: -0.01em; }
-.iqauth-sdk-card-header p { margin: 8px 0 0; font-size: 14px; color: rgba(15,23,42,0.65); line-height: 1.5; }
-.iqauth-sdk-card-body { padding: 32px 36px 28px; display: flex; flex-direction: column; gap: 18px; }
-.iqauth-sdk-mobile-brand { display: flex; align-items: center; gap: 10px; margin-bottom: 20px; }
-.iqauth-sdk-mobile-brand img { height: 36px; width: auto; }
-.iqauth-sdk-mobile-brand span { font-size: 16px; font-weight: 600; }
-.iqauth-sdk-footer { margin-top: 20px; text-align: center; font-size: 13px; color: rgba(15,23,42,0.55); display: flex; flex-direction: column; gap: 8px; align-items: center; }
-.iqauth-sdk-footer-links { display: flex; gap: 14px; flex-wrap: wrap; justify-content: center; }
-.iqauth-sdk-footer-links a { color: inherit; opacity: 0.75; text-decoration: none; }
-.iqauth-sdk-footer-links a:hover { opacity: 1; text-decoration: underline; }
-.iqauth-sdk-divider { display: flex; align-items: center; gap: 10px; font-size: 12px; color: rgba(15,23,42,0.45); text-transform: uppercase; letter-spacing: 0.08em; }
-.iqauth-sdk-divider::before, .iqauth-sdk-divider::after { content: ""; flex: 1; height: 1px; background: rgba(15,23,42,0.1); }
-.iqauth-sdk-google-btn {
-  display: inline-flex; align-items: center; justify-content: center; gap: 10px;
-  width: 100%; padding: 10px 16px; border-radius: 8px;
-  background: #fff; color: #0f172a;
-  border: 1px solid rgba(15,23,42,0.18);
-  font-size: 14px; font-weight: 500; cursor: pointer;
-  transition: background 120ms ease, border-color 120ms ease;
-}
-.iqauth-sdk-google-btn:hover { background: #f8fafc; border-color: rgba(15,23,42,0.28); }
-.iqauth-sdk-google-btn[disabled] { opacity: 0.6; cursor: not-allowed; }
-
-@container iqauth-sdk (min-width: 768px) {
-  .iqauth-sdk-shell:not([data-layout="centered_card"]):not([data-layout="full_bleed"]) { grid-template-columns: minmax(0, 1fr) minmax(0, 1fr); }
-  /* 2.6.1 \u2014 Restore 100vh ONLY for the wide side-by-side layout where
-     hero+pane need height parity. Embedded narrow uses keep natural height. */
-  .iqauth-sdk-pane { padding: 48px 24px; min-height: 100vh; }
-  /* 2.6.2 \u2014 Let the card breathe on desktop. The 480px mobile cap looks
-     phone-sized on a 720px+ pane; bump to 540px and grow the inner padding
-     so the form fills its half of the split layout. */
-  .iqauth-sdk-card { max-width: 540px; }
-  .iqauth-sdk-card-header { padding: 40px 44px 0; }
-  .iqauth-sdk-card-body { padding: 32px 44px 32px; }
-  .iqauth-sdk-card-header h1 { font-size: 26px; }
-  .iqauth-sdk-hero {
-    display: flex; flex-direction: column; justify-content: space-between;
-    padding: clamp(32px, 4vw, 56px); color: #ffffff;
-    background: linear-gradient(135deg, var(--brand-primary, #3b82f6) 0%, var(--brand-accent, #6366f1) 100%);
-    background-size: cover; background-position: center;
-    position: relative; overflow: hidden; min-height: 100vh;
-  }
-  .iqauth-sdk-hero[data-bg-image="true"] {
-    background-image: var(--iqauth-sdk-hero-image), linear-gradient(135deg, var(--brand-primary, #3b82f6), var(--brand-accent, #6366f1));
-    background-blend-mode: multiply;
-  }
-  .iqauth-sdk-hero-brand img { height: 40px; width: auto; filter: brightness(0) invert(1); opacity: 0.96; }
-  .iqauth-sdk-hero-brand .iqauth-sdk-hero-name { font-size: 20px; font-weight: 600; letter-spacing: -0.01em; }
-  .iqauth-sdk-hero-content { max-width: 520px; }
-  .iqauth-sdk-hero-content h2 { font-size: clamp(24px, 2.4vw, 34px); font-weight: 600; line-height: 1.2; margin: 0 0 14px; letter-spacing: -0.015em; word-wrap: break-word; overflow-wrap: break-word; hyphens: auto; }
-  .iqauth-sdk-hero-content p { font-size: 15px; line-height: 1.6; opacity: 0.92; margin: 0; white-space: pre-wrap; }
-  .iqauth-sdk-hero-foot { font-size: 12px; opacity: 0.7; }
-  .iqauth-sdk-mobile-brand { display: none; }
-}
-@container iqauth-sdk (min-width: 1280px) {
-  .iqauth-sdk-shell:not([data-layout="centered_card"]):not([data-layout="full_bleed"]) { grid-template-columns: minmax(0, 5fr) minmax(0, 6fr); }
-  /* 2.6.2 \u2014 Extra-wide screens: card grows once more so the form keeps
-     pace with the hero pane on 1440px+ monitors. */
-  .iqauth-sdk-card { max-width: 580px; }
-}
-`;
-var sdkShellStylesInjected = false;
-var SDK_CSS_MAX_LEN = 50 * 1024;
-var SDK_CSS_FORBIDDEN = [
-  /<\/?\s*style[^>]*>/gi,
-  /<\/?\s*script[^>]*>/gi,
-  /<!--[\s\S]*?-->/g,
-  /@import\s+[^;]*;?/gi,
-  /expression\s*\(/gi,
-  /behavior\s*:/gi,
-  /-moz-binding\s*:/gi,
-  /javascript\s*:/gi,
-  /vbscript\s*:/gi
-];
-var SDK_URL_DATA_RE = /url\s*\(\s*(['"]?)\s*data\s*:[^)]*\)/gi;
-function sanitizeBrandCss(input) {
-  if (!input) return "";
-  let out = String(input);
-  if (out.length > SDK_CSS_MAX_LEN) out = out.slice(0, SDK_CSS_MAX_LEN);
-  out = out.replace(/</g, "");
-  for (const re of SDK_CSS_FORBIDDEN) out = out.replace(re, "");
-  out = out.replace(SDK_URL_DATA_RE, "url()");
-  return out;
-}
-function SdkBrandLogo({ branding, alt, fallback }) {
-  const light = branding?.logoLightUrl || branding?.logoUrl || null;
-  const dark = branding?.logoDarkUrl || null;
-  if (!light && !dark) return /* @__PURE__ */ jsx(Fragment2, { children: fallback });
-  const fallbackSrc = light || dark;
-  return /* @__PURE__ */ jsxs("picture", { "data-iqauth-sdk-logo": "", children: [
-    dark ? /* @__PURE__ */ jsx("source", { srcSet: dark, media: "(prefers-color-scheme: dark)" }) : null,
-    light ? /* @__PURE__ */ jsx("source", { srcSet: light, media: "(prefers-color-scheme: light)" }) : null,
-    /* @__PURE__ */ jsx("img", { src: fallbackSrc, alt })
-  ] });
-}
-var sdkBrandingCache = /* @__PURE__ */ new Map();
-var SDK_BRANDING_TTL_MS = 6e4;
-function flattenBrandingPayload(data) {
-  const e = data && data.effective || {};
-  const meta = data && data.meta || {};
-  return {
-    brandName: e.brandName ?? data?.brandName ?? null,
-    logoUrl: e.logoLightUrl ?? data?.logoUrl ?? null,
-    logoLightUrl: e.logoLightUrl ?? data?.logoLightUrl ?? null,
-    logoDarkUrl: e.logoDarkUrl ?? data?.logoDarkUrl ?? null,
-    faviconUrl: e.faviconUrl ?? data?.faviconUrl ?? null,
-    primaryColor: e.primaryColor ?? data?.primaryColor ?? null,
-    accentColor: e.accentColor ?? data?.accentColor ?? null,
-    backgroundColor: e.backgroundColor ?? data?.backgroundColor ?? null,
-    surfaceColor: e.surfaceColor ?? data?.surfaceColor ?? null,
-    textColor: e.textColor ?? data?.textColor ?? null,
-    fontFamilyBody: e.fontFamilyBody ?? data?.fontFamilyBody ?? null,
-    fontFamilyHeading: e.fontFamilyHeading ?? data?.fontFamilyHeading ?? null,
-    customFontUrl: e.customFontUrl ?? data?.customFontUrl ?? null,
-    borderRadius: e.borderRadius ?? data?.borderRadius ?? null,
-    backgroundImageUrl: e.backgroundImageUrl ?? data?.backgroundImageUrl ?? null,
-    customCss: e.customCss ?? data?.customCss ?? null,
-    loginLayout: e.loginLayout ?? data?.loginLayout ?? null,
-    socialButtonStyle: e.socialButtonStyle ?? data?.socialButtonStyle ?? null,
-    footerText: e.footerText ?? data?.footerText ?? null,
-    brandingRev: meta.brandingRev ?? data?.brandingRev ?? null
-  };
-}
-function useResolvedSdkBranding(iqAuthBaseUrl, appId) {
-  const ctx = useContext(IQAuthContext);
-  const resolvedAppId = appId ?? ctx?.manager?.appKey ?? null;
-  const url = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/public/branding${resolvedAppId ? `?appId=${encodeURIComponent(resolvedAppId)}` : ""}`;
-  const cached = sdkBrandingCache.get(url);
-  const fresh = cached && Date.now() - cached.ts < SDK_BRANDING_TTL_MS ? cached.data : null;
-  const [b, setB] = useState(fresh);
-  useEffect(() => {
-    let cancelled = false;
-    const entry = sdkBrandingCache.get(url);
-    const headers = {};
-    if (entry?.rev) headers["If-None-Match"] = `W/"brand-${entry.rev}"`;
-    if (entry) setB(entry.data);
-    fetch(url, { credentials: "include", headers }).then(async (r) => {
-      if (cancelled) return;
-      if (r.status === 304 && entry) {
-        sdkBrandingCache.set(url, { ...entry, ts: Date.now() });
-        return;
-      }
-      if (!r.ok) return;
-      const p = await r.json().catch(() => null);
-      if (!p?.data) return;
-      const flat = flattenBrandingPayload(p.data);
-      sdkBrandingCache.set(url, { ts: Date.now(), rev: flat.brandingRev || "", data: flat });
-      setB(flat);
-    }).catch(() => {
-    });
-    return () => {
-      cancelled = true;
-    };
-  }, [url]);
-  return b;
-}
-function ensureSdkShellStyles() {
-  if (typeof document === "undefined" || sdkShellStylesInjected) return;
-  const tag = document.createElement("style");
-  tag.setAttribute("data-iqauth-sdk-shell", "");
-  tag.textContent = SHELL_CSS;
-  document.head.appendChild(tag);
-  sdkShellStylesInjected = true;
-}
-function useDocumentBranding(branding, fallbackTitle) {
-  useEffect(() => {
-    if (typeof document === "undefined") return;
-    const prevTitle = document.title;
-    const brandName = branding?.brandName || "IQAuth";
-    document.title = `${fallbackTitle} \xB7 ${brandName}`;
-    let linkEl = null;
-    let prevHref = null;
-    if (branding?.faviconUrl) {
-      linkEl = document.querySelector("link[rel='icon']");
-      if (!linkEl) {
-        linkEl = document.createElement("link");
-        linkEl.rel = "icon";
-        document.head.appendChild(linkEl);
-      } else {
-        prevHref = linkEl.href;
-      }
-      linkEl.href = branding.faviconUrl;
-    }
-    return () => {
-      document.title = prevTitle;
-      if (linkEl && prevHref !== null) linkEl.href = prevHref;
-    };
-  }, [branding?.brandName, branding?.faviconUrl, fallbackTitle]);
-}
-function Shell({
-  branding,
-  className,
-  children,
-  title,
-  subtitle,
-  appearance
-}) {
-  ensureSdkShellStyles();
-  const t2 = useT();
-  useDocumentBranding(branding, title || t2("signIn.title"));
-  const brandVars = brandStyle(branding);
-  const brandName = branding?.brandName || "IQAuth";
-  const heroImage = branding?.heroImageUrl || null;
-  const layout = (branding?.loginLayout || "split_screen").toString();
-  const bgImage = branding?.backgroundImageUrl || null;
-  const fontUrl = branding?.customFontUrl || null;
-  const socialStyle = (branding?.socialButtonStyle || "").toString();
-  const heroStyle = heroImage ? { ["--iqauth-sdk-hero-image"]: `url("${heroImage.replace(/"/g, '\\"')}")` } : {};
-  const shellStyle = {
-    ...brandVars,
-    ...layout === "full_bleed" && bgImage ? { backgroundImage: `linear-gradient(rgba(15,23,42,0.35), rgba(15,23,42,0.45)), url("${bgImage.replace(/"/g, '\\"')}")` } : {},
-    ...appearance?.elements?.rootBox?.style || {}
-  };
-  const ap = appearance?.elements;
-  const supportLink = branding?.supportUrl ? branding.supportUrl : branding?.supportEmail ? `mailto:${branding.supportEmail}` : null;
-  const hasFooterLinks = !!(branding?.termsUrl || branding?.privacyUrl || supportLink);
-  return /* @__PURE__ */ jsxs(
-    "div",
-    {
-      className: `iqauth-sdk-shell${className ? ` ${className}` : ""}${ap?.rootBox?.className ? ` ${ap.rootBox.className}` : ""}`,
-      "data-layout": layout,
-      "data-social-style": socialStyle || void 0,
-      style: shellStyle,
-      "data-iqauth-shell": "",
-      "data-branding-rev": branding?.brandingRev || "",
-      children: [
-        /* @__PURE__ */ jsx("style", { "data-brand": true, children: [
-          fontUrl ? `@font-face{font-family:"${(branding?.fontFamilyBody || "Brand").replace(/"/g, "")}";src:url("${fontUrl.replace(/"/g, '\\"')}");font-display:swap;}` : "",
-          sanitizeBrandCss(branding?.customCss)
-        ].filter(Boolean).join("\n") }),
-        /* @__PURE__ */ jsxs("aside", { className: "iqauth-sdk-hero", "data-bg-image": heroImage ? "true" : "false", style: heroStyle, "aria-hidden": "true", children: [
-          /* @__PURE__ */ jsx("div", { className: "iqauth-sdk-hero-brand", style: { display: "flex", alignItems: "center", gap: 12 }, children: /* @__PURE__ */ jsx(SdkBrandLogo, { branding, alt: "", fallback: /* @__PURE__ */ jsx("span", { className: "iqauth-sdk-hero-name", children: brandName }) }) }),
-          /* @__PURE__ */ jsxs("div", { className: "iqauth-sdk-hero-content", children: [
-            /* @__PURE__ */ jsx("h2", { children: branding?.tagline || `Welcome to ${brandName}` }),
-            /* @__PURE__ */ jsx("p", { children: branding?.loginSideCopy || branding?.loginSubheadline || `Sign in to continue to your ${brandName} workspace.` })
-          ] }),
-          /* @__PURE__ */ jsx("div", { className: "iqauth-sdk-hero-foot", children: `\xA9 ${(/* @__PURE__ */ new Date()).getFullYear()} ${brandName}` })
-        ] }),
-        /* @__PURE__ */ jsx("div", { className: "iqauth-sdk-pane", children: /* @__PURE__ */ jsxs("main", { style: { width: "100%", maxWidth: 420 }, children: [
-          /* @__PURE__ */ jsx("div", { className: "iqauth-sdk-mobile-brand", children: /* @__PURE__ */ jsx(SdkBrandLogo, { branding, alt: `${brandName} logo`, fallback: /* @__PURE__ */ jsx("span", { children: brandName }) }) }),
-          /* @__PURE__ */ jsxs(
-            "section",
-            {
-              className: `iqauth-sdk-card${ap?.card?.className ? ` ${ap.card.className}` : ""}`,
-              style: ap?.card?.style,
-              children: [
-                title || subtitle ? /* @__PURE__ */ jsxs(
-                  "div",
-                  {
-                    className: `iqauth-sdk-card-header${ap?.cardHeader?.className ? ` ${ap.cardHeader.className}` : ""}`,
-                    style: ap?.cardHeader?.style,
-                    children: [
-                      title ? /* @__PURE__ */ jsx("h1", { className: ap?.headerTitle?.className, style: ap?.headerTitle?.style, children: title }) : null,
-                      subtitle ? /* @__PURE__ */ jsx("p", { className: ap?.headerSubtitle?.className, style: ap?.headerSubtitle?.style, children: subtitle }) : null
-                    ]
-                  }
-                ) : null,
-                /* @__PURE__ */ jsx(
-                  "div",
-                  {
-                    className: `iqauth-sdk-card-body${ap?.cardBody?.className ? ` ${ap.cardBody.className}` : ""}`,
-                    style: ap?.cardBody?.style,
-                    children
-                  }
-                )
-              ]
-            }
-          ),
-          hasFooterLinks || branding?.footerText ? /* @__PURE__ */ jsxs("footer", { className: "iqauth-sdk-footer", children: [
-            branding?.footerText ? /* @__PURE__ */ jsx("div", { "data-testid": "text-brand-footer-sdk", style: { fontSize: 12, opacity: 0.75 }, children: branding.footerText }) : null,
-            hasFooterLinks ? /* @__PURE__ */ jsxs("div", { className: "iqauth-sdk-footer-links", children: [
-              branding?.termsUrl ? /* @__PURE__ */ jsx("a", { href: branding.termsUrl, target: "_blank", rel: "noreferrer noopener", children: "Terms" }) : null,
-              branding?.privacyUrl ? /* @__PURE__ */ jsx("a", { href: branding.privacyUrl, target: "_blank", rel: "noreferrer noopener", children: "Privacy" }) : null,
-              supportLink ? /* @__PURE__ */ jsx("a", { href: supportLink, target: "_blank", rel: "noreferrer noopener", children: "Support" }) : null
-            ] }) : null
-          ] }) : null
-        ] }) })
-      ]
-    },
-    branding?.brandingRev || void 0
-  );
-}
-function Field({ label, children }) {
-  return /* @__PURE__ */ jsxs("label", { style: { display: "flex", flexDirection: "column", gap: 6, fontSize: 13 }, children: [
-    /* @__PURE__ */ jsx("span", { style: { fontWeight: 500 }, children: label }),
-    children
-  ] });
-}
-function inputStyle() {
-  return {
-    padding: "8px 12px",
-    border: "1px solid rgba(15,23,42,0.15)",
-    borderRadius: 6,
-    fontSize: 14,
-    width: "100%",
-    background: "transparent",
-    color: "inherit"
-  };
-}
-function PrimaryButton(props) {
-  return /* @__PURE__ */ jsx(
-    "button",
-    {
-      ...props,
-      style: {
-        background: "var(--brand-primary, #3b82f6)",
-        color: "#fff",
-        border: "none",
-        padding: "10px 16px",
-        borderRadius: 8,
-        fontSize: 14,
-        fontWeight: 500,
-        cursor: props.disabled ? "not-allowed" : "pointer",
-        opacity: props.disabled ? 0.6 : 1,
-        width: "100%",
-        ...props.style
-      }
-    }
-  );
-}
-function GhostButton(props) {
-  return /* @__PURE__ */ jsx(
-    "button",
-    {
-      ...props,
-      style: {
-        background: "transparent",
-        color: "inherit",
-        border: "1px solid rgba(15,23,42,0.15)",
-        padding: "10px 16px",
-        borderRadius: 8,
-        fontSize: 14,
-        fontWeight: 500,
-        cursor: props.disabled ? "not-allowed" : "pointer",
-        width: "100%",
-        ...props.style
-      }
-    }
-  );
-}
-function ErrorBanner({ message }) {
-  return /* @__PURE__ */ jsx("div", { role: "alert", style: {
-    borderLeft: "3px solid #dc2626",
-    background: "rgba(220,38,38,0.08)",
-    padding: "10px 14px",
-    borderRadius: "0 6px 6px 0",
-    fontSize: 13,
-    color: "#b91c1c"
-  }, children: message });
-}
-function isSilentSsoEligible(ctx, effectivePrompt) {
-  if (!ctx) return false;
-  if (effectivePrompt === "login") return false;
-  if (!ctx.session) return false;
-  if (!ctx.app.defaultClientId) return false;
-  if (!ctx.returnAllowed) return false;
-  return true;
-}
-function SignIn(props) {
-  const providerCtx = useContext(IQAuthContext);
-  const iqAuthBaseUrl = props.iqAuthBaseUrl ?? providerCtx?.manager.issuerUrl ?? "";
-  const appKey = props.appKey ?? providerCtx?.manager.appKey ?? "";
-  const returnTo = props.returnTo ?? (typeof window !== "undefined" ? `${window.location.origin}/api/iqauth/callback` : "");
-  const { onRedirect, className, prompt, appearance: instanceAppearance, silentSso: instanceSilentSso } = props;
-  const silentSsoEnabled = instanceSilentSso ?? providerCtx?.silentSso ?? false;
-  const appearance = instanceAppearance && providerCtx?.appearance ? { elements: { ...providerCtx.appearance.elements, ...instanceAppearance.elements } } : instanceAppearance ?? providerCtx?.appearance ?? null;
-  if (!iqAuthBaseUrl || !appKey) {
-    console.error(
-      "[IQAuth] <SignIn /> could not determine iqAuthBaseUrl/appKey. Either pass them explicitly OR wrap the component in <IQAuthProvider publishableKey=\u2026/>."
-    );
-  }
-  const t2 = useT();
-  const localeBundle = useLocale();
-  const { ctx, loading, error } = useIQAuthSignInContext(iqAuthBaseUrl, appKey, returnTo);
-  const preflightLoggedRef = useRef(false);
-  useEffect(() => {
-    if (!ctx || preflightLoggedRef.current) return;
-    if (ctx.returnAllowed) return;
-    preflightLoggedRef.current = true;
-    console.error(
-      `[IQAuth] returnTo "${returnTo}" is NOT in the app's allowed origins. Add it via the IQAuth admin console: Apps \u2192 ${ctx.app.key} \u2192 Allowed Origins. Currently allowed: [${ctx.allowedOrigins.join(", ") || "\u2014"}].`
-    );
-  }, [ctx, returnTo]);
-  const [email, setEmail] = useState("");
-  const [password, setPassword] = useState("");
-  const [submitting, setSubmitting] = useState(false);
-  const [formError, setFormError] = useState("");
-  const [mfa, setMfa] = useState(null);
-  const [tenantSel, setTenantSel] = useState(null);
-  const [oauthExchanging, setOauthExchanging] = useState(false);
-  const [silent, setSilent] = useState("idle");
-  const [forcePrompt, setForcePrompt] = useState(false);
-  const effectivePrompt = useMemo(() => {
-    if (prompt === "login" || forcePrompt) return "login";
-    if (!silentSsoEnabled) return "login";
-    if (typeof window !== "undefined") {
-      try {
-        if (new URLSearchParams(window.location.search).get("prompt") === "login") return "login";
-      } catch {
-      }
-    }
-    return void 0;
-  }, [prompt, forcePrompt, silentSsoEnabled]);
-  const oidcPayload = () => ({
-    client_id: ctx?.app.defaultClientId,
-    redirect_uri: returnTo,
-    scope: "openid"
-  });
-  const handlePayload = (payload) => {
-    if (payload.type === "redirect" && payload.redirectUrl) {
-      (onRedirect || ((u) => {
-        window.location.href = u;
-      }))(payload.redirectUrl);
-      return true;
-    }
-    if (payload.type === "tenant_selection") {
-      setTenantSel({ token: payload.tenantSelectionToken, tenants: payload.tenants || [] });
-      return true;
-    }
-    if (payload.type === "mfa_required") {
-      const methods = payload.availableMethods || ["totp"];
-      setMfa({ token: payload.mfaChallengeToken, methods, selected: methods[0], code: "", backup: false });
-      return true;
-    }
-    return false;
-  };
-  const submitLogin = async (e) => {
-    e.preventDefault();
-    if (!ctx?.app.defaultClientId) {
-      setFormError("Application is not configured for hosted sign-in.");
-      return;
-    }
-    setSubmitting(true);
-    setFormError("");
-    try {
-      const r = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/oidc/sso-login`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        credentials: "include",
-        body: JSON.stringify({ email, password, ...oidcPayload() })
-      });
-      const payload = await r.json().catch(() => ({}));
-      if (!handlePayload(payload)) setFormError(localizeError(localeBundle, { code: payload.error, message: payload.error_description }));
-    } catch (err) {
-      setFormError(err.message || t(localeBundle, "errors.network"));
-    }
-    setSubmitting(false);
-  };
-  const submitMfa = async (e) => {
-    e.preventDefault();
-    if (!mfa) return;
-    setSubmitting(true);
-    setFormError("");
-    const r = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/oidc/sso-mfa-complete`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      credentials: "include",
-      body: JSON.stringify({
-        mfaChallengeToken: mfa.token,
-        code: mfa.code,
-        method: mfa.selected,
-        useBackup: mfa.backup,
-        ...oidcPayload()
-      })
-    });
-    const payload = await r.json().catch(() => ({}));
-    if (!handlePayload(payload)) setFormError(localizeError(localeBundle, { code: payload.error, message: payload.error_description }));
-    setSubmitting(false);
-  };
-  const submitTenant = async (tenantId) => {
-    if (!tenantSel) return;
-    setSubmitting(true);
-    setFormError("");
-    const r = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/oidc/sso-tenant-select`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      credentials: "include",
-      body: JSON.stringify({ tenantSelectionToken: tenantSel.token, tenantId, ...oidcPayload() })
-    });
-    const payload = await r.json().catch(() => ({}));
-    if (!handlePayload(payload)) setFormError(localizeError(localeBundle, { code: payload.error, message: payload.error_description }));
-    setSubmitting(false);
-  };
-  const startGoogleLogin = () => {
-    if (!ctx?.app.defaultClientId) {
-      setFormError("Application is not configured for hosted sign-in.");
-      return;
-    }
-    const bridgeUrl = window.location.href;
-    const url = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/google?redirect_uri=${encodeURIComponent(bridgeUrl)}&client_id=${encodeURIComponent(ctx.app.defaultClientId)}`;
-    window.location.href = url;
-  };
-  useEffect(() => {
-    if (loading || error || !ctx) return;
-    if (effectivePrompt === "login") {
-      setSilent("skipped");
-      return;
-    }
-    if (silent !== "idle") return;
-    if (!ctx.session || !ctx.app.defaultClientId || !ctx.returnAllowed) {
-      setSilent("skipped");
-      return;
-    }
-    setSilent("trying");
-    (async () => {
-      try {
-        const r = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/oidc/sso-resume`, {
-          method: "POST",
-          headers: { "Content-Type": "application/json" },
-          credentials: "include",
-          body: JSON.stringify(oidcPayload())
-        });
-        const payload = await r.json().catch(() => ({}));
-        if (payload?.type === "redirect" && payload.redirectUrl) {
-          (onRedirect || ((u) => {
-            window.location.replace(u);
-          }))(payload.redirectUrl);
-          return;
-        }
-        if (payload?.type === "tenant_selection") {
-          setTenantSel({ token: payload.tenantSelectionToken, tenants: payload.tenants || [] });
-          setSilent("failed");
-          return;
-        }
-        setSilent("failed");
-      } catch {
-        setSilent("failed");
-      }
-    })();
-  }, [loading, error, ctx, effectivePrompt]);
-  const switchAccount = (e) => {
-    if (e) e.preventDefault();
-    setForcePrompt(true);
-    setSilent("skipped");
-    setTenantSel(null);
-    if (typeof window !== "undefined") {
-      try {
-        const u = new URL(window.location.href);
-        u.searchParams.set("prompt", "login");
-        window.history.replaceState({}, "", u.toString());
-      } catch {
-      }
-    }
-  };
-  useEffect(() => {
-    if (!ctx?.app.defaultClientId) return;
-    const params = new URLSearchParams(window.location.search);
-    const oauthCode = params.get("code");
-    if (!oauthCode) return;
-    const u = new URL(window.location.href);
-    u.searchParams.delete("code");
-    const codeRedirectUri = u.toString();
-    setOauthExchanging(true);
-    setFormError("");
-    (async () => {
-      try {
-        const r = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/oidc/sso-complete-oauth`, {
-          method: "POST",
-          headers: { "Content-Type": "application/json" },
-          credentials: "include",
-          body: JSON.stringify({
-            authCode: oauthCode,
-            code_redirect_uri: codeRedirectUri,
-            ...oidcPayload()
-          })
-        });
-        const payload = await r.json().catch(() => ({}));
-        try {
-          window.history.replaceState({}, "", u.pathname + (u.search ? u.search : "") + u.hash);
-        } catch {
-        }
-        if (!handlePayload(payload)) setFormError(payload.error_description || payload.error || "Authorization code exchange failed");
-      } catch (err) {
-        setFormError(err.message || "Authorization code exchange failed");
-      }
-      setOauthExchanging(false);
-    })();
-  }, [ctx?.app.defaultClientId]);
-  if (loading || oauthExchanging) return /* @__PURE__ */ jsx(Shell, { appearance, branding: ctx?.branding || null, className, title: oauthExchanging ? t2("signIn.submitting") : t2("common.loading"), children: /* @__PURE__ */ jsx("p", { children: oauthExchanging ? t2("signIn.submitting") : t2("common.loading") }) });
-  if (error || !ctx) return /* @__PURE__ */ jsx(Shell, { appearance, branding: null, className, title: t2("errors.serverError"), children: /* @__PURE__ */ jsx(ErrorBanner, { message: error || t2("errors.serverError") }) });
-  if (!ctx.returnAllowed) return /* @__PURE__ */ jsx(Shell, { appearance, branding: ctx.branding, className, title: t2("errors.generic"), children: /* @__PURE__ */ jsx(ErrorBanner, { message: `returnTo "${returnTo}" is not in this app's allowed origins.` }) });
-  const silentEligible = isSilentSsoEligible(ctx, effectivePrompt);
-  if (silentEligible && silent !== "failed") {
-    return /* @__PURE__ */ jsxs(Shell, { appearance, branding: ctx.branding, className, title: t2("signIn.resumingSession"), subtitle: ctx.session ? `${t2("signIn.subtitle")}, ${ctx.session.name || ctx.session.email}.` : void 0, children: [
-      /* @__PURE__ */ jsx("p", { "data-testid": "text-silent-resume", style: { fontSize: 14, opacity: 0.8 }, children: t2("signIn.resumingSession") }),
-      /* @__PURE__ */ jsx("a", { href: "#", onClick: switchAccount, "data-testid": "link-switch-account", style: { fontSize: 13 }, children: t2("signIn.useDifferentAccount") })
-    ] });
-  }
-  const cardTitle = ctx.branding?.loginHeadline || t2("signIn.titleWithApp", { appName: ctx.app.name });
-  const cardSubtitle = ctx.branding?.loginSubheadline || void 0;
-  return /* @__PURE__ */ jsxs(Shell, { appearance, branding: ctx.branding, className, title: cardTitle, subtitle: cardSubtitle, children: [
-    formError ? /* @__PURE__ */ jsx(ErrorBanner, { message: formError }) : null,
-    tenantSel ? /* @__PURE__ */ jsx("div", { role: "radiogroup", "aria-label": t2("signIn.selectTenant"), style: { display: "flex", flexDirection: "column", gap: 8 }, children: tenantSel.tenants.map((tn) => /* @__PURE__ */ jsxs(
-      "button",
-      {
-        type: "button",
-        "data-iqauth-tenant": tn.tenantId,
-        onClick: () => submitTenant(tn.tenantId),
-        style: { textAlign: "left", padding: "10px 14px", border: "1px solid rgba(15,23,42,0.15)", borderRadius: 8, background: "transparent", color: "inherit", cursor: "pointer" },
-        children: [
-          /* @__PURE__ */ jsx("p", { style: { margin: 0, fontWeight: 500 }, children: tn.tenantName || tn.tenantSlug || tn.tenantId }),
-          /* @__PURE__ */ jsx("p", { style: { margin: 0, fontSize: 12, opacity: 0.6 }, children: tn.roles.join(", ") })
-        ]
-      },
-      tn.tenantId
-    )) }) : mfa ? /* @__PURE__ */ jsxs("form", { onSubmit: submitMfa, style: { display: "flex", flexDirection: "column", gap: 12 }, "aria-label": t2("mfa.title"), children: [
-      !mfa.backup && mfa.methods.length > 1 ? /* @__PURE__ */ jsx(Field, { label: t2("mfa.title"), children: /* @__PURE__ */ jsx("select", { style: inputStyle(), value: mfa.selected, onChange: (e) => setMfa({ ...mfa, selected: e.target.value }), children: mfa.methods.map((m) => /* @__PURE__ */ jsx("option", { value: m, children: m.toUpperCase() }, m)) }) }) : null,
-      /* @__PURE__ */ jsx(Field, { label: mfa.backup ? t2("mfa.backupCodeLabel") : t2("mfa.totpLabel"), children: /* @__PURE__ */ jsx(
-        "input",
-        {
-          style: { ...inputStyle(), fontFamily: "monospace", textAlign: mfa.backup ? "left" : "center", letterSpacing: mfa.backup ? "0.04em" : "0.3em" },
-          value: mfa.code,
-          onChange: (e) => setMfa({ ...mfa, code: e.target.value }),
-          autoComplete: "one-time-code",
-          inputMode: mfa.backup ? "text" : "numeric"
-        }
-      ) }),
-      /* @__PURE__ */ jsx(PrimaryButton, { type: "submit", disabled: submitting || !mfa.code, children: submitting ? t2("mfa.submitting") : t2("mfa.submit") }),
-      /* @__PURE__ */ jsx(GhostButton, { type: "button", onClick: () => setMfa({ ...mfa, backup: !mfa.backup, code: "" }), children: mfa.backup ? t2("mfa.useAuthenticator") : t2("mfa.useBackupCode") })
-    ] }) : /* @__PURE__ */ jsxs("div", { style: { display: "flex", flexDirection: "column", gap: 12 }, children: [
-      ctx.providers?.google ? /* @__PURE__ */ jsxs(Fragment2, { children: [
-        /* @__PURE__ */ jsxs("button", { type: "button", className: "iqauth-sdk-google-btn", onClick: startGoogleLogin, disabled: submitting, "aria-label": ctx.branding?.googleButtonLabel || t2("signIn.continueWithGoogle"), children: [
-          /* @__PURE__ */ jsxs("svg", { width: "18", height: "18", viewBox: "0 0 18 18", "aria-hidden": "true", children: [
-            /* @__PURE__ */ jsx("path", { fill: "#4285F4", d: "M17.64 9.2c0-.64-.06-1.25-.17-1.84H9v3.48h4.84a4.14 4.14 0 0 1-1.8 2.71v2.26h2.92a8.78 8.78 0 0 0 2.68-6.61z" }),
-            /* @__PURE__ */ jsx("path", { fill: "#34A853", d: "M9 18c2.43 0 4.47-.81 5.96-2.18l-2.92-2.26a5.4 5.4 0 0 1-8.04-2.83H.96v2.33A9 9 0 0 0 9 18z" }),
-            /* @__PURE__ */ jsx("path", { fill: "#FBBC05", d: "M3.96 10.71A5.41 5.41 0 0 1 3.68 9c0-.59.1-1.17.29-1.71V4.96H.96a9 9 0 0 0 0 8.08l3-2.33z" }),
-            /* @__PURE__ */ jsx("path", { fill: "#EA4335", d: "M9 3.58c1.32 0 2.5.45 3.44 1.35l2.58-2.59A9 9 0 0 0 .96 4.96l3 2.33A5.4 5.4 0 0 1 9 3.58z" })
-          ] }),
-          ctx.branding?.googleButtonLabel || t2("signIn.continueWithGoogle")
-        ] }),
-        /* @__PURE__ */ jsx("div", { role: "separator", "aria-label": t2("common.or"), className: "iqauth-sdk-divider", children: t2("signIn.dividerOr").toUpperCase() })
-      ] }) : null,
-      /* @__PURE__ */ jsxs("form", { onSubmit: submitLogin, style: { display: "flex", flexDirection: "column", gap: 12 }, "aria-label": t2("signIn.titleWithApp", { appName: ctx.app.name }), children: [
-        /* @__PURE__ */ jsx(Field, { label: t2("signIn.emailLabel"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "email", autoComplete: "email", required: true, value: email, onChange: (e) => setEmail(e.target.value) }) }),
-        /* @__PURE__ */ jsx(Field, { label: t2("signIn.passwordLabel"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "password", autoComplete: "current-password", required: true, value: password, onChange: (e) => setPassword(e.target.value) }) }),
-        /* @__PURE__ */ jsx(PrimaryButton, { type: "submit", disabled: submitting || !email || !password, children: submitting ? t2("signIn.submitting") : t2("signIn.submit") })
-      ] })
-    ] }),
-    (silent === "failed" || effectivePrompt === "login" && ctx.session) && !mfa ? /* @__PURE__ */ jsx("p", { style: { marginTop: 12, fontSize: 13, opacity: 0.75 }, children: /* @__PURE__ */ jsx("a", { href: "#", onClick: switchAccount, "data-testid": "link-switch-account", children: t2("signIn.useDifferentAccount") }) }) : null
-  ] });
-}
-function SignUp({ iqAuthBaseUrl, appKey, returnTo, onSuccess, className }) {
-  const t2 = useT();
-  const localeBundle = useLocale();
-  const { ctx, loading } = useIQAuthSignInContext(iqAuthBaseUrl, appKey, returnTo || "");
-  const [name, setName] = useState("");
-  const [email, setEmail] = useState("");
-  const [password, setPassword] = useState("");
-  const [organizationName, setOrganizationName] = useState("");
-  const [submitting, setSubmitting] = useState(false);
-  const [error, setError] = useState("");
-  const [done, setDone] = useState(false);
-  const submit = async (e) => {
-    e.preventDefault();
-    setSubmitting(true);
-    setError("");
-    try {
-      await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/signup`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ email, name, password, organizationName: organizationName || void 0 })
-      });
-      setDone(true);
-      onSuccess?.();
-    } catch (err) {
-      setError(localizeError(localeBundle, err.message));
-    }
-    setSubmitting(false);
-  };
-  if (loading) return /* @__PURE__ */ jsx(Shell, { branding: null, className, children: /* @__PURE__ */ jsx("p", { children: t2("common.loading") }) });
-  return /* @__PURE__ */ jsx(Shell, { branding: ctx?.branding || null, className, title: t2("signUp.title"), children: done ? /* @__PURE__ */ jsx("div", { role: "status", children: /* @__PURE__ */ jsx("p", { children: t2("magicLink.subtitle", { email }) }) }) : /* @__PURE__ */ jsxs("form", { onSubmit: submit, style: { display: "flex", flexDirection: "column", gap: 12 }, children: [
-    error ? /* @__PURE__ */ jsx(ErrorBanner, { message: error }) : null,
-    /* @__PURE__ */ jsx(Field, { label: t2("signUp.nameLabel"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), value: name, onChange: (e) => setName(e.target.value), required: true }) }),
-    /* @__PURE__ */ jsx(Field, { label: t2("signUp.emailLabel"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "email", autoComplete: "email", value: email, onChange: (e) => setEmail(e.target.value), required: true }) }),
-    /* @__PURE__ */ jsx(Field, { label: `${t2("signUp.tenantNameLabel")} (${t2("common.optional")})`, children: /* @__PURE__ */ jsx("input", { style: inputStyle(), value: organizationName, onChange: (e) => setOrganizationName(e.target.value) }) }),
-    /* @__PURE__ */ jsx(Field, { label: t2("signUp.passwordLabel"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "password", autoComplete: "new-password", minLength: 8, value: password, onChange: (e) => setPassword(e.target.value), required: true }) }),
-    /* @__PURE__ */ jsx(PrimaryButton, { type: "submit", disabled: submitting || !email || !password || !name, children: submitting ? t2("signUp.submitting") : t2("signUp.submit") })
-  ] }) });
-}
-function initialsOf(name, email) {
-  const src = name || email || "?";
-  const parts = src.split(/[\s@]+/).filter(Boolean);
-  if (parts.length >= 2) return (parts[0][0] + parts[1][0]).toUpperCase();
-  return src.substring(0, 2).toUpperCase();
-}
-function UserButton({ iqAuthBaseUrl, accountUrl, onSignOut, className }) {
-  const t2 = useT();
-  const [user, setUser] = useState(null);
-  const [open, setOpen] = useState(false);
-  const branding = useResolvedSdkBranding(iqAuthBaseUrl);
-  const accent = branding?.accentColor || "#6366f1";
-  const primary = branding?.primaryColor || "#0f172a";
-  useEffect(() => {
-    let cancelled = false;
-    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()).then((p) => {
-      if (!cancelled && p?.data) setUser(p.data);
-    }).catch(() => {
-    });
-    return () => {
-      cancelled = true;
-    };
-  }, [iqAuthBaseUrl]);
-  const signOut2 = async () => {
-    try {
-      await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/logout`, { method: "POST", credentials: "include" });
-    } catch {
-    }
-    if (onSignOut) onSignOut();
-    else window.location.reload();
-  };
-  if (!user) return null;
-  const target = accountUrl || `${iqAuthBaseUrl.replace(/\/$/, "")}/account`;
-  return /* @__PURE__ */ jsxs(
-    "div",
-    {
-      className,
-      style: { position: "relative", display: "inline-block", ...brandStyle(branding) },
-      "data-iqauth-sdk-userbutton": "",
-      "data-branding-rev": branding?.brandingRev || "",
-      children: [
-        /* @__PURE__ */ jsx(
-          "button",
-          {
-            type: "button",
-            "aria-haspopup": "menu",
-            "aria-expanded": open,
-            onClick: () => setOpen((o) => !o),
-            style: {
-              width: 32,
-              height: 32,
-              borderRadius: "50%",
-              background: accent,
-              color: "#fff",
-              border: "none",
-              cursor: "pointer",
-              fontSize: 12,
-              fontWeight: 600
-            },
-            children: user.picture ? /* @__PURE__ */ jsx("img", { src: user.picture, alt: user.name, style: { width: "100%", height: "100%", borderRadius: "50%" } }) : initialsOf(user.name, user.email)
-          }
-        ),
-        open ? /* @__PURE__ */ jsxs("div", { role: "menu", style: {
-          position: "absolute",
-          right: 0,
-          top: 40,
-          minWidth: 200,
-          background: "#fff",
-          border: "1px solid rgba(15,23,42,0.12)",
-          borderRadius: 8,
-          boxShadow: "0 4px 12px rgba(0,0,0,0.08)",
-          padding: 8,
-          zIndex: 100
-        }, children: [
-          /* @__PURE__ */ jsxs("div", { style: { padding: "8px 10px", fontSize: 12, opacity: 0.7, borderBottom: "1px solid rgba(15,23,42,0.06)" }, children: [
-            /* @__PURE__ */ jsx("div", { style: { fontWeight: 500, color: "#0f172a" }, children: user.name }),
-            /* @__PURE__ */ jsx("div", { children: user.email })
-          ] }),
-          /* @__PURE__ */ jsx("a", { href: target, role: "menuitem", style: { display: "block", padding: "8px 10px", fontSize: 13, color: primary, textDecoration: "none" }, children: t2("userButton.manageAccount") }),
-          /* @__PURE__ */ jsx(
-            "button",
-            {
-              role: "menuitem",
-              type: "button",
-              onClick: signOut2,
-              style: { display: "block", width: "100%", textAlign: "left", padding: "8px 10px", fontSize: 13, background: "transparent", border: "none", cursor: "pointer", color: "#b91c1c" },
-              children: t2("userButton.signOut")
-            }
-          )
-        ] }) : null
-      ]
-    }
-  );
-}
-function UserProfile({ iqAuthBaseUrl, className }) {
-  const t2 = useT();
-  const localeBundle = useLocale();
-  const branding = useResolvedSdkBranding(iqAuthBaseUrl);
-  const [user, setUser] = useState(null);
-  const [oldPassword, setOldPassword] = useState("");
-  const [newPassword, setNewPassword] = useState("");
-  const [pwState, setPwState] = useState({ submitting: false, message: "", error: "" });
-  const [sessions, setSessions] = useState([]);
-  const [revokeAllBusy, setRevokeAllBusy] = useState(false);
-  const loadSessions = () => {
-    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/users/me/sessions`, { credentials: "include" }).then((r) => r.ok ? r.json() : Promise.reject(r)).then((p) => setSessions(p?.data?.sessions || [])).catch(() => {
-      fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/sessions`, { credentials: "include" }).then((r) => r.json()).then((p) => setSessions(p?.data?.sessions || p?.data || [])).catch(() => {
-      });
-    });
-  };
-  useEffect(() => {
-    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()).then((p) => {
-      if (p?.data) setUser(p.data);
-    }).catch(() => {
-    });
-    loadSessions();
-  }, [iqAuthBaseUrl]);
-  const changePassword = async (e) => {
-    e.preventDefault();
-    setPwState({ submitting: true, message: "", error: "" });
-    try {
-      await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/password/change`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ oldPassword, newPassword })
-      });
-      setPwState({ submitting: false, message: t(localeBundle, "userProfile.passwordUpdated"), error: "" });
-      setOldPassword("");
-      setNewPassword("");
-    } catch (err) {
-      setPwState({ submitting: false, message: "", error: localizeError(localeBundle, err.message) });
-    }
-  };
-  const revoke = async (sessionId) => {
-    const newRes = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/users/me/sessions/${sessionId}`, { method: "DELETE", credentials: "include" });
-    if (!newRes.ok && newRes.status === 404) {
-      await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/sessions/${sessionId}`, { method: "DELETE", credentials: "include" });
-    }
-    setSessions((prev) => prev.filter((s) => s.id !== sessionId));
-  };
-  const revokeAllOthers = async () => {
-    setRevokeAllBusy(true);
-    try {
-      await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/users/me/sessions/revoke-all-others`, { method: "POST", credentials: "include" });
-      setSessions((prev) => prev.filter((s) => s.isCurrent));
-    } finally {
-      setRevokeAllBusy(false);
-    }
-  };
-  if (!user) return /* @__PURE__ */ jsx(Shell, { branding, className, children: /* @__PURE__ */ jsx("p", { children: t2("common.loading") }) });
-  return /* @__PURE__ */ jsxs(Shell, { branding, className, title: t2("userProfile.title"), children: [
-    /* @__PURE__ */ jsxs("section", { "aria-labelledby": "iqauth-profile", style: { marginBottom: 20 }, children: [
-      /* @__PURE__ */ jsx("h3", { id: "iqauth-profile", style: { fontSize: 14, fontWeight: 600 }, children: t2("userProfile.profileTab") }),
-      /* @__PURE__ */ jsxs("p", { style: { fontSize: 13, margin: "4px 0" }, children: [
-        /* @__PURE__ */ jsxs("strong", { children: [
-          t2("common.name"),
-          ":"
-        ] }),
-        " ",
-        user.name
-      ] }),
-      /* @__PURE__ */ jsxs("p", { style: { fontSize: 13, margin: "4px 0" }, children: [
-        /* @__PURE__ */ jsxs("strong", { children: [
-          t2("common.email"),
-          ":"
-        ] }),
-        " ",
-        user.email
-      ] })
-    ] }),
-    /* @__PURE__ */ jsxs("section", { "aria-labelledby": "iqauth-pw", style: { marginBottom: 20 }, children: [
-      /* @__PURE__ */ jsx("h3", { id: "iqauth-pw", style: { fontSize: 14, fontWeight: 600 }, children: t2("userProfile.changePassword") }),
-      pwState.error ? /* @__PURE__ */ jsx(ErrorBanner, { message: pwState.error }) : null,
-      pwState.message ? /* @__PURE__ */ jsx("div", { role: "status", style: { fontSize: 13, color: "#047857" }, children: pwState.message }) : null,
-      /* @__PURE__ */ jsxs("form", { onSubmit: changePassword, style: { display: "flex", flexDirection: "column", gap: 10 }, children: [
-        /* @__PURE__ */ jsx(Field, { label: t2("userProfile.currentPassword"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "password", autoComplete: "current-password", value: oldPassword, onChange: (e) => setOldPassword(e.target.value), required: true }) }),
-        /* @__PURE__ */ jsx(Field, { label: t2("userProfile.newPassword"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "password", autoComplete: "new-password", minLength: 8, value: newPassword, onChange: (e) => setNewPassword(e.target.value), required: true }) }),
-        /* @__PURE__ */ jsx(PrimaryButton, { type: "submit", disabled: pwState.submitting || !oldPassword || !newPassword, children: pwState.submitting ? t2("common.saving") : t2("userProfile.changePassword") })
-      ] })
-    ] }),
-    /* @__PURE__ */ jsxs("section", { "aria-labelledby": "iqauth-sessions", children: [
-      /* @__PURE__ */ jsxs("div", { style: { display: "flex", alignItems: "center", justifyContent: "space-between" }, children: [
-        /* @__PURE__ */ jsx("h3", { id: "iqauth-sessions", style: { fontSize: 14, fontWeight: 600, margin: 0 }, children: t2("userProfile.sessionsTab") }),
-        sessions.some((s) => !s.isCurrent) && /* @__PURE__ */ jsx(
-          "button",
-          {
-            type: "button",
-            disabled: revokeAllBusy,
-            onClick: revokeAllOthers,
-            style: { fontSize: 12, color: "#b91c1c", background: "transparent", border: "1px solid #fecaca", borderRadius: 4, padding: "4px 10px", cursor: "pointer" },
-            children: revokeAllBusy ? t2("common.submitting") : t2("userProfile.revokeAllOthers")
-          }
-        )
-      ] }),
-      sessions.length === 0 ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13, opacity: 0.6 }, children: t2("userProfile.sessionsEmpty") }) : /* @__PURE__ */ jsx("ul", { style: { listStyle: "none", padding: 0, margin: "8px 0 0", display: "flex", flexDirection: "column", gap: 6 }, children: sessions.map((s) => /* @__PURE__ */ jsxs("li", { style: { display: "flex", justifyContent: "space-between", alignItems: "center", fontSize: 13, padding: "8px 10px", background: s.isCurrent ? "#ecfdf5" : "#f8fafc", borderRadius: 6, border: s.isCurrent ? "1px solid #a7f3d0" : "1px solid transparent" }, children: [
-        /* @__PURE__ */ jsxs("div", { style: { display: "flex", flexDirection: "column", gap: 2 }, children: [
-          /* @__PURE__ */ jsxs("span", { style: { fontWeight: 500 }, children: [
-            s.device || s.userAgent || s.deviceName || "\u2014",
-            s.isCurrent && /* @__PURE__ */ jsxs("span", { style: { marginLeft: 8, fontSize: 11, color: "#047857" }, children: [
-              "(",
-              t2("userProfile.thisDevice"),
-              ")"
-            ] })
-          ] }),
-          /* @__PURE__ */ jsxs("span", { style: { fontSize: 11, opacity: 0.65 }, children: [
-            s.ip || "\u2014",
-            s.lastActiveAt ? ` \xB7 ${new Date(s.lastActiveAt).toLocaleString()}` : ""
-          ] })
-        ] }),
-        !s.isCurrent && /* @__PURE__ */ jsx("button", { type: "button", onClick: () => revoke(s.id), style: { fontSize: 12, color: "#b91c1c", background: "transparent", border: "1px solid #fecaca", borderRadius: 4, padding: "2px 8px", cursor: "pointer" }, children: t2("userProfile.revokeSession") })
-      ] }, s.id)) })
-    ] })
-  ] });
-}
-function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, appearance: _appearance, className }) {
-  const t2 = useT();
-  const branding = useResolvedSdkBranding(iqAuthBaseUrl);
-  const accent = branding?.accentColor || "#6366f1";
-  const [memberships, setMemberships] = useState([]);
-  const [activeTenantId, setActiveTenantId] = useState(null);
-  const [open, setOpen] = useState(false);
-  useEffect(() => {
-    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()).then((p) => {
-      if (p?.data?.tenantId) setActiveTenantId(p.data.tenantId);
-    }).catch(() => {
-    });
-    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/tenants/memberships`, { credentials: "include" }).then((r) => r.json()).then((p) => setMemberships(p?.data?.memberships || p?.data || [])).catch(() => {
-    });
-  }, [iqAuthBaseUrl]);
-  const switchTo = async (tenantId) => {
-    try {
-      await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/select-tenant`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ tenantId })
-      });
-      setActiveTenantId(tenantId);
-      setOpen(false);
-      onSwitched?.(tenantId);
-    } catch {
-    }
-  };
-  const active = memberships.find((m) => m.tenantId === activeTenantId);
-  return /* @__PURE__ */ jsxs(
-    "div",
-    {
-      className,
-      style: { position: "relative", display: "inline-block", ...brandStyle(branding) },
-      "data-iqauth-sdk-orgswitcher": "",
-      "data-branding-rev": branding?.brandingRev || "",
-      children: [
-        /* @__PURE__ */ jsx(
-          "button",
-          {
-            type: "button",
-            "aria-haspopup": "menu",
-            "aria-expanded": open,
-            onClick: () => setOpen((o) => !o),
-            style: { background: "transparent", border: `1px solid ${accent}55`, color: branding?.primaryColor || "#0f172a", padding: "6px 12px", borderRadius: 6, cursor: "pointer", fontSize: 13 },
-            children: active?.tenantName || active?.tenantSlug || t2("orgSwitcher.label")
-          }
-        ),
-        open ? /* @__PURE__ */ jsx("div", { role: "menu", style: {
-          position: "absolute",
-          left: 0,
-          top: 36,
-          minWidth: 220,
-          background: "#fff",
-          border: "1px solid rgba(15,23,42,0.12)",
-          borderRadius: 8,
-          boxShadow: "0 4px 12px rgba(0,0,0,0.08)",
-          padding: 8,
-          zIndex: 100
-        }, children: memberships.length === 0 ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13, opacity: 0.6, padding: "4px 6px" }, children: t2("orgSwitcher.noOrgs") }) : memberships.map((m) => /* @__PURE__ */ jsxs(
-          "button",
-          {
-            role: "menuitem",
-            type: "button",
-            onClick: () => switchTo(m.tenantId),
-            style: {
-              display: "block",
-              width: "100%",
-              textAlign: "left",
-              padding: "8px 10px",
-              background: m.tenantId === activeTenantId ? `${accent}14` : "transparent",
-              border: "none",
-              borderRadius: 4,
-              cursor: "pointer",
-              fontSize: 13,
-              color: "#0f172a"
-            },
-            children: [
-              /* @__PURE__ */ jsx("div", { style: { fontWeight: 500 }, children: m.tenantName || m.tenantSlug || m.tenantId }),
-              /* @__PURE__ */ jsx("div", { style: { fontSize: 11, opacity: 0.6 }, children: m.roles.join(", ") })
-            ]
-          },
-          m.tenantId
-        )) }) : null
-      ]
-    }
-  );
-}
-function useImpersonation() {
-  const { snapshot } = useCtx();
-  return useMemo(() => {
-    const claims = snapshot.claims;
-    const isImpersonating = claims?.purpose === "impersonation" && !!claims?.act?.sub;
-    return {
-      isImpersonating,
-      actor: isImpersonating ? claims.act : null,
-      target: isImpersonating ? snapshot.user : null
-    };
-  }, [snapshot]);
-}
-function ImpersonationBanner({ render, onExit, className, style } = {}) {
-  const t2 = useT();
-  const info = useImpersonation();
-  const { manager } = useCtx();
-  const exit = useCallback(async () => {
-    if (onExit) return void onExit();
-    const { exitImpersonation } = await import("./reverify-4UEJXUS6.mjs");
-    const restored = exitImpersonation(manager);
-    if (restored) return;
-    const { signOut: signOut2 } = await import("./signIn-CCY4JE5G.mjs");
-    await signOut2(manager);
-  }, [manager, onExit]);
-  if (!info.isImpersonating) return null;
-  if (render) return createElement(Fragment, null, render({ ...info, exit }));
-  const targetLabel = info.target?.email || info.target?.name || info.target?.sub || "user";
-  const _actorLabel = info.actor?.email || info.actor?.name || info.actor?.sub || "admin";
-  void _actorLabel;
-  return createElement(
-    "div",
-    {
-      role: "alert",
-      className,
-      style: {
-        position: "sticky",
-        top: 0,
-        left: 0,
-        right: 0,
-        zIndex: 9999,
-        background: "#b91c1c",
-        color: "#fff",
-        padding: "8px 16px",
-        display: "flex",
-        alignItems: "center",
-        justifyContent: "space-between",
-        fontSize: 13,
-        fontFamily: "system-ui, sans-serif",
-        ...style
-      }
-    },
-    createElement(
-      "span",
-      null,
-      t2("impersonation.banner", { targetEmail: targetLabel })
-    ),
-    createElement(
-      "button",
-      {
-        type: "button",
-        onClick: exit,
-        style: {
-          background: "rgba(255,255,255,0.18)",
-          color: "#fff",
-          border: "1px solid rgba(255,255,255,0.4)",
-          borderRadius: 4,
-          padding: "4px 10px",
-          cursor: "pointer",
-          fontSize: 12
-        }
-      },
-      t2("impersonation.exit")
-    )
-  );
-}
-function useReverification(fn, opts = {}) {
-  const { manager } = useCtx();
-  const level = opts.level ?? "password";
-  return (async (...args) => {
-    let token = null;
-    let res = await fn(token)(...args);
-    const code = await peekErrorCode(res);
-    const isReverifyError = res.status === 401 && code && (code === "REVERIFICATION_REQUIRED" || code === "REVERIFICATION_EXPIRED" || code === "REVERIFICATION_INVALID" || code === "REVERIFICATION_USED" || code === "REVERIFICATION_LEVEL_INSUFFICIENT");
-    if (!isReverifyError) return res;
-    const prompt = opts.prompt ?? defaultReverifyPrompt;
-    const credentials = await prompt(level);
-    if (!credentials) {
-      throw new Error("Reverification cancelled");
-    }
-    const { reverify } = await import("./reverify-4UEJXUS6.mjs");
-    const minted = await reverify(manager, { level, ...credentials });
-    token = minted.token;
-    res = await fn(token)(...args);
-    return res;
-  });
-}
-async function peekErrorCode(res) {
-  try {
-    const cloned = res.clone();
-    const body = await cloned.json();
-    return body?.error?.code ?? null;
-  } catch {
-    return null;
-  }
-}
-async function defaultReverifyPrompt(level) {
-  if (typeof window === "undefined") return null;
-  if (level === "password") {
-    const password = window.prompt("Confirm your password to continue");
-    if (!password) return null;
-    return { password };
-  }
-  const totp = window.prompt("Enter your MFA code to continue");
-  if (!totp) return null;
-  return { totp, method: "totp" };
-}
-function slugify(input) {
-  return input.toLowerCase().normalize("NFKD").replace(/[\u0300-\u036f]/g, "").replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 64);
-}
-function CreateOrganization({ iqAuthBaseUrl, onCreated, redirectUrl, unstyled, appearance, className }) {
-  const branding = useResolvedSdkBranding(iqAuthBaseUrl);
-  const [name, setName] = useState("");
-  const [slug, setSlug] = useState("");
-  const [slugTouched, setSlugTouched] = useState(false);
-  const [submitting, setSubmitting] = useState(false);
-  const [error, setError] = useState(null);
-  const [created, setCreated] = useState(null);
-  const [slugCheck, setSlugCheck] = useState({ status: "idle" });
-  useEffect(() => {
-    if (!slugTouched) setSlug(slugify(name));
-  }, [name, slugTouched]);
-  useEffect(() => {
-    const s = slug.trim().toLowerCase();
-    if (!s) {
-      setSlugCheck({ status: "idle" });
-      return;
-    }
-    if (!/^[a-z0-9-]{2,64}$/.test(s)) {
-      setSlugCheck({ status: "invalid", checked: s });
-      return;
-    }
-    setSlugCheck({ status: "checking", checked: s });
-    const handle = setTimeout(async () => {
-      try {
-        const res = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/tenants/check-slug?slug=${encodeURIComponent(s)}`, {
-          credentials: "include",
-          headers: { Accept: "application/json" }
-        });
-        const body = await res.json().catch(() => ({}));
-        const data = body.data;
-        if (!data) {
-          setSlugCheck({ status: "idle", checked: s });
-          return;
-        }
-        if (data.reason === "INVALID_FORMAT") {
-          setSlugCheck({ status: "invalid", checked: s });
-          return;
-        }
-        setSlugCheck({ status: data.available ? "available" : "taken", checked: s });
-      } catch {
-        setSlugCheck({ status: "idle", checked: s });
-      }
-    }, 350);
-    return () => clearTimeout(handle);
-  }, [slug, iqAuthBaseUrl]);
-  const submit = async (e) => {
-    e.preventDefault();
-    setSubmitting(true);
-    setError(null);
-    try {
-      const res = await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/tenants`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        credentials: "include",
-        body: JSON.stringify({ name: name.trim(), slug: slug.trim() })
-      });
-      const payload = res;
-      const tenant = payload.data ?? payload;
-      const next = { id: tenant.id, name: tenant.name, slug: tenant.slug };
-      setCreated(next);
-      onCreated?.(next);
-      setName("");
-      setSlug("");
-      setSlugTouched(false);
-      if (redirectUrl && typeof window !== "undefined") {
-        const url = typeof redirectUrl === "function" ? redirectUrl(next) : redirectUrl;
-        if (url) window.location.assign(url);
-      }
-    } catch (err) {
-      setError(err instanceof Error ? err.message : "Failed to create organization");
-    } finally {
-      setSubmitting(false);
-    }
-  };
-  const form = /* @__PURE__ */ jsxs("form", { onSubmit: submit, style: { display: "flex", flexDirection: "column", gap: 12 }, "data-iqauth-sdk-create-org": "", "aria-labelledby": "iqauth-create-org-heading", children: [
-    error ? /* @__PURE__ */ jsx(ErrorBanner, { message: error }) : null,
-    created ? /* @__PURE__ */ jsxs("p", { role: "status", style: { fontSize: 13, color: "#047857" }, children: [
-      "Organization \u201C",
-      created.name,
-      "\u201D created."
-    ] }) : null,
-    /* @__PURE__ */ jsx(Field, { label: "Organization name", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-create-org-name", autoFocus: true, style: inputStyle(), value: name, onChange: (e) => setName(e.target.value), required: true, minLength: 2, "aria-required": "true" }) }),
-    /* @__PURE__ */ jsxs(Field, { label: "Organization slug", children: [
-      /* @__PURE__ */ jsx(
-        "input",
-        {
-          "data-testid": "input-create-org-slug",
-          style: { ...inputStyle(), fontFamily: "monospace" },
-          value: slug,
-          onChange: (e) => {
-            setSlugTouched(true);
-            setSlug(e.target.value.toLowerCase().replace(/[^a-z0-9-]/g, "-"));
-          },
-          required: true,
-          pattern: "[a-z0-9-]+",
-          minLength: 2,
-          "aria-required": "true",
-          "aria-describedby": "iqauth-create-org-slug-hint",
-          "aria-invalid": slugCheck.status === "taken" || slugCheck.status === "invalid"
-        }
-      ),
-      /* @__PURE__ */ jsx(
-        "p",
-        {
-          id: "iqauth-create-org-slug-hint",
-          "data-testid": "text-create-org-slug-status",
-          role: "status",
-          "aria-live": "polite",
-          style: { fontSize: 12, marginTop: 4, color: slugCheck.status === "taken" || slugCheck.status === "invalid" ? "#b91c1c" : slugCheck.status === "available" ? "#047857" : "inherit", opacity: slugCheck.status === "checking" ? 0.6 : 1 },
-          children: slugCheck.status === "checking" ? "Checking availability\u2026" : slugCheck.status === "available" ? "Slug is available." : slugCheck.status === "taken" ? "That slug is taken." : slugCheck.status === "invalid" ? "Slugs must be 2\u201364 chars, lowercase letters/numbers/hyphens." : "We'll auto-generate a slug from the name; you can override it."
-        }
-      )
-    ] }),
-    /* @__PURE__ */ jsx(
-      PrimaryButton,
-      {
-        "data-testid": "button-create-org-submit",
-        type: "submit",
-        disabled: submitting || !name.trim() || !slug.trim() || slugCheck.status === "taken" || slugCheck.status === "invalid" || slugCheck.status === "checking",
-        children: submitting ? "Creating\u2026" : "Create organization"
-      }
-    )
-  ] });
-  if (unstyled) {
-    return /* @__PURE__ */ jsxs("div", { className, "data-iqauth-sdk-create-org-bare": "", children: [
-      /* @__PURE__ */ jsx("h3", { id: "iqauth-create-org-heading", style: { fontSize: 14, fontWeight: 600, margin: "0 0 12px" }, children: "Create organization" }),
-      form
-    ] });
-  }
-  return /* @__PURE__ */ jsx(Shell, { appearance, branding, className, title: "Create organization", subtitle: "Spin up a new tenant for this app.", children: form });
-}
-function OrganizationProfile({ iqAuthBaseUrl, tenantId: tenantIdProp, tabs, onDeleted, appearance, className }) {
-  const branding = useResolvedSdkBranding(iqAuthBaseUrl);
-  const baseUrl = iqAuthBaseUrl.replace(/\/$/, "");
-  const visibleTabs = tabs && tabs.length > 0 ? tabs : ["general", "members", "invitations", "danger"];
-  const [activeTab, setActiveTab] = useState(visibleTabs[0]);
-  const [tenantId, setTenantId] = useState(tenantIdProp || null);
-  const [tenant, setTenant] = useState(null);
-  const [members, setMembers] = useState([]);
-  const [pendingInvites, setPendingInvites] = useState([]);
-  const [loading, setLoading] = useState(true);
-  const [invitesLoading, setInvitesLoading] = useState(false);
-  const [error, setError] = useState(null);
-  const [renameValue, setRenameValue] = useState("");
-  const [slugValue, setSlugValue] = useState("");
-  const [renameSubmitting, setRenameSubmitting] = useState(false);
-  const [inviteEmail, setInviteEmail] = useState("");
-  const [inviteRole, setInviteRole] = useState("tenant_member");
-  const [inviteSubmitting, setInviteSubmitting] = useState(false);
-  const [actionMessage, setActionMessage] = useState(null);
-  const [confirmDeleteText, setConfirmDeleteText] = useState("");
-  const [confirmDeletePassword, setConfirmDeletePassword] = useState("");
-  const [deleteSubmitting, setDeleteSubmitting] = useState(false);
-  const { user } = useUser();
-  const callerRole = user?.role || null;
-  const callerIsAdmin = callerRole === "tenant_admin" || callerRole === "platform_admin";
-  const visibleTabsFiltered = visibleTabs.filter((t2) => t2 !== "danger" || callerIsAdmin);
-  useEffect(() => {
-    let cancelled = false;
-    (async () => {
-      try {
-        let tid = tenantIdProp || null;
-        if (!tid) {
-          const me = await fetch(`${baseUrl}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json());
-          tid = me?.data?.tenantId || null;
-        }
-        if (!tid) {
-          if (!cancelled) {
-            setError("No active tenant");
-            setLoading(false);
-          }
-          return;
-        }
-        const t2 = await fetch(`${baseUrl}/api/v1/tenants/${tid}`, { credentials: "include" }).then((r) => r.json());
-        const m = await fetch(`${baseUrl}/api/v1/tenants/${tid}/users`, { credentials: "include" }).then((r) => r.json());
-        if (cancelled) return;
-        setTenantId(tid);
-        setTenant(t2?.data ? { id: t2.data.id, name: t2.data.name, slug: t2.data.slug } : null);
-        setRenameValue(t2?.data?.name || "");
-        setSlugValue(t2?.data?.slug || "");
-        const rows = m?.data || [];
-        setMembers(rows.map((row) => ({
-          userId: String(row.userId ?? row.user?.id ?? row.id ?? ""),
-          email: String(row.email ?? row.user?.email ?? ""),
-          name: String(row.name ?? row.user?.name ?? ""),
-          role: String(row.role ?? row.roles?.[0] ?? "tenant_member"),
-          joinedAt: row.joinedAt ?? row.createdAt
-        })));
-      } catch (err) {
-        if (!cancelled) setError(err instanceof Error ? err.message : "Failed to load organization");
-      } finally {
-        if (!cancelled) setLoading(false);
-      }
-    })();
-    return () => {
-      cancelled = true;
-    };
-  }, [baseUrl, tenantIdProp]);
-  const loadInvites = async (tid) => {
-    setInvitesLoading(true);
-    try {
-      const r = await fetch(`${baseUrl}/api/v1/invites?tenantId=${encodeURIComponent(tid)}&status=pending`, { credentials: "include" }).then((res) => res.json());
-      const rows = r?.data || [];
-      setPendingInvites(rows.map((inv) => ({
-        id: String(inv.id),
-        email: String(inv.email),
-        role: String(inv.role),
-        status: String(inv.status),
-        expiresAt: inv.expiresAt,
-        createdAt: inv.createdAt
-      })));
-    } catch (err) {
-      setError(err instanceof Error ? err.message : "Failed to load invitations");
-    } finally {
-      setInvitesLoading(false);
-    }
-  };
-  useEffect(() => {
-    if (activeTab === "invitations" && tenantId) loadInvites(tenantId);
-  }, [activeTab, tenantId]);
-  const reloadMembers = async () => {
-    if (!tenantId) return;
-    const m = await fetch(`${baseUrl}/api/v1/tenants/${tenantId}/users`, { credentials: "include" }).then((r) => r.json());
-    const rows = m?.data || [];
-    setMembers(rows.map((row) => ({
-      userId: String(row.userId ?? row.user?.id ?? row.id ?? ""),
-      email: String(row.email ?? row.user?.email ?? ""),
-      name: String(row.name ?? row.user?.name ?? ""),
-      role: String(row.role ?? row.roles?.[0] ?? "tenant_member"),
-      joinedAt: row.joinedAt ?? row.createdAt
-    })));
-  };
-  const submitRename = async (e) => {
-    e.preventDefault();
-    if (!tenantId) return;
-    setRenameSubmitting(true);
-    setError(null);
-    try {
-      const body = {};
-      if (renameValue.trim() && renameValue.trim() !== tenant?.name) body.name = renameValue.trim();
-      if (slugValue.trim() && slugValue.trim() !== tenant?.slug) body.slug = slugValue.trim();
-      if (Object.keys(body).length === 0) {
-        setRenameSubmitting(false);
-        return;
-      }
-      const res = await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}`, {
-        method: "PATCH",
-        headers: { "Content-Type": "application/json" },
-        credentials: "include",
-        body: JSON.stringify(body)
-      });
-      const t2 = res?.data ?? res;
-      setTenant({ id: t2.id, name: t2.name, slug: t2.slug });
-      setActionMessage("Organization saved.");
-    } catch (err) {
-      setError(err instanceof Error ? err.message : "Failed to save");
-    } finally {
-      setRenameSubmitting(false);
-    }
-  };
-  const submitInvite = async (e) => {
-    e.preventDefault();
-    if (!tenantId) return;
-    setInviteSubmitting(true);
-    setError(null);
-    try {
-      await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}/users/invite`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        credentials: "include",
-        body: JSON.stringify({ email: inviteEmail.trim(), role: inviteRole })
-      });
-      setActionMessage(`Invitation sent to ${inviteEmail.trim()}.`);
-      setInviteEmail("");
-      if (activeTab === "invitations") await loadInvites(tenantId);
-    } catch (err) {
-      setError(err instanceof Error ? err.message : "Failed to invite");
-    } finally {
-      setInviteSubmitting(false);
-    }
-  };
-  const changeRole = async (userId, role) => {
-    if (!tenantId) return;
-    try {
-      await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}/users/${userId}/role`, {
-        method: "PATCH",
-        headers: { "Content-Type": "application/json" },
-        credentials: "include",
-        body: JSON.stringify({ role })
-      });
-      await reloadMembers();
-      setActionMessage("Role updated.");
-    } catch (err) {
-      setError(err instanceof Error ? err.message : "Failed to update role");
-    }
-  };
-  const removeMember = async (userId) => {
-    if (!tenantId) return;
-    try {
-      await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}/users/${userId}`, { method: "DELETE", credentials: "include" });
-      await reloadMembers();
-      setActionMessage("Member removed.");
-    } catch (err) {
-      setError(err instanceof Error ? err.message : "Failed to remove member");
-    }
-  };
-  const resendInvite = async (id) => {
-    if (!tenantId) return;
-    try {
-      await jsonFetch(`${baseUrl}/api/v1/invites/${id}/resend`, { method: "POST", credentials: "include" });
-      setActionMessage("Invitation resent.");
-      await loadInvites(tenantId);
-    } catch (err) {
-      setError(err instanceof Error ? err.message : "Failed to resend invitation");
-    }
-  };
-  const revokeInvite = async (id) => {
-    if (!tenantId) return;
-    try {
-      await jsonFetch(`${baseUrl}/api/v1/invites/${id}/revoke`, { method: "POST", credentials: "include" });
-      setActionMessage("Invitation revoked.");
-      await loadInvites(tenantId);
-    } catch (err) {
-      setError(err instanceof Error ? err.message : "Failed to revoke invitation");
-    }
-  };
-  const submitDelete = async () => {
-    if (!tenantId || !tenant) return;
-    if (confirmDeleteText !== tenant.slug) {
-      setError("Type the organization slug to confirm deletion.");
-      return;
-    }
-    if (!confirmDeletePassword) {
-      setError("Re-enter your password to confirm deletion.");
-      return;
-    }
-    setDeleteSubmitting(true);
-    setError(null);
-    try {
-      await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}`, {
-        method: "DELETE",
-        credentials: "include",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ confirmPassword: confirmDeletePassword })
-      });
-      setActionMessage("Organization deleted.");
-      setConfirmDeletePassword("");
-      onDeleted?.(tenantId);
-    } catch (err) {
-      setError(err instanceof Error ? err.message : "Failed to delete organization");
-    } finally {
-      setDeleteSubmitting(false);
-    }
-  };
-  if (loading) {
-    return /* @__PURE__ */ jsx(Shell, { appearance, branding, className, title: "Organization", children: /* @__PURE__ */ jsx("p", { role: "status", "aria-live": "polite", style: { fontSize: 13 }, children: "Loading\u2026" }) });
-  }
-  const tabBtnStyle = (key) => ({
-    background: activeTab === key ? `${branding?.accentColor || "#6366f1"}1a` : "transparent",
-    border: `1px solid ${activeTab === key ? branding?.accentColor || "#6366f1" : "rgba(15,23,42,0.12)"}`,
-    color: branding?.primaryColor || "#0f172a",
-    padding: "6px 12px",
-    borderRadius: 6,
-    cursor: "pointer",
-    fontSize: 12,
-    fontWeight: 500
-  });
-  return /* @__PURE__ */ jsx(Shell, { appearance, branding, className, title: tenant?.name || "Organization", subtitle: tenant?.slug ? `slug: ${tenant.slug}` : void 0, children: /* @__PURE__ */ jsxs("div", { style: { display: "flex", flexDirection: "column", gap: 16 }, "data-iqauth-sdk-org-profile": "", children: [
-    error ? /* @__PURE__ */ jsx(ErrorBanner, { message: error }) : null,
-    actionMessage ? /* @__PURE__ */ jsx("p", { role: "status", "aria-live": "polite", style: { fontSize: 13, color: "#047857", margin: 0 }, children: actionMessage }) : null,
-    /* @__PURE__ */ jsx("div", { role: "tablist", "aria-label": "Organization sections", style: { display: "flex", gap: 6, flexWrap: "wrap" }, children: visibleTabsFiltered.map((t2) => /* @__PURE__ */ jsx(
-      "button",
-      {
-        role: "tab",
-        "aria-selected": activeTab === t2,
-        "aria-controls": `iqauth-org-tab-${t2}`,
-        "data-testid": `tab-org-${t2}`,
-        type: "button",
-        onClick: () => setActiveTab(t2),
-        style: tabBtnStyle(t2),
-        children: t2 === "general" ? "General" : t2 === "members" ? `Members (${members.length})` : t2 === "invitations" ? "Invitations" : "Danger zone"
-      },
-      t2
-    )) }),
-    activeTab === "general" ? /* @__PURE__ */ jsxs("section", { role: "tabpanel", id: "iqauth-org-tab-general", "aria-labelledby": "tab-org-general", style: { display: "flex", flexDirection: "column", gap: 8 }, children: [
-      /* @__PURE__ */ jsx("h3", { style: { fontSize: 14, fontWeight: 600, margin: 0 }, children: "Settings" }),
-      /* @__PURE__ */ jsxs("form", { onSubmit: submitRename, style: { display: "flex", flexDirection: "column", gap: 8 }, children: [
-        /* @__PURE__ */ jsx(Field, { label: "Organization name", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-org-rename", style: inputStyle(), value: renameValue, onChange: (e) => setRenameValue(e.target.value), required: true, minLength: 2 }) }),
-        /* @__PURE__ */ jsx(Field, { label: "Slug", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-org-slug", style: { ...inputStyle(), fontFamily: "monospace" }, value: slugValue, onChange: (e) => setSlugValue(e.target.value.toLowerCase().replace(/[^a-z0-9-]/g, "-")), required: true, pattern: "[a-z0-9-]+", minLength: 2 }) }),
-        /* @__PURE__ */ jsx(PrimaryButton, { "data-testid": "button-org-rename", type: "submit", disabled: renameSubmitting || renameValue.trim() === tenant?.name && slugValue.trim() === tenant?.slug, children: renameSubmitting ? "Saving\u2026" : "Save changes" })
-      ] })
-    ] }) : null,
-    activeTab === "members" ? /* @__PURE__ */ jsxs("section", { role: "tabpanel", id: "iqauth-org-tab-members", "aria-labelledby": "tab-org-members", style: { display: "flex", flexDirection: "column", gap: 12 }, children: [
-      /* @__PURE__ */ jsxs("form", { onSubmit: submitInvite, style: { display: "flex", gap: 8, flexWrap: "wrap" }, "aria-label": "Invite a new member", children: [
-        /* @__PURE__ */ jsx("input", { "data-testid": "input-org-invite-email", type: "email", placeholder: "email@company.com", "aria-label": "Email", style: { ...inputStyle(), flex: 1, minWidth: 180 }, value: inviteEmail, onChange: (e) => setInviteEmail(e.target.value), required: true }),
-        /* @__PURE__ */ jsxs("select", { "data-testid": "select-org-invite-role", "aria-label": "Role", style: { ...inputStyle(), width: "auto" }, value: inviteRole, onChange: (e) => setInviteRole(e.target.value), children: [
-          /* @__PURE__ */ jsx("option", { value: "tenant_member", children: "tenant_member" }),
-          /* @__PURE__ */ jsx("option", { value: "tenant_admin", children: "tenant_admin" })
-        ] }),
-        /* @__PURE__ */ jsx(PrimaryButton, { "data-testid": "button-org-invite", type: "submit", disabled: inviteSubmitting || !inviteEmail.trim(), children: inviteSubmitting ? "Sending\u2026" : "Send invite" })
-      ] }),
-      members.length === 0 ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13, opacity: 0.6 }, children: "No members yet." }) : /* @__PURE__ */ jsx("ul", { "aria-label": "Members", style: { listStyle: "none", padding: 0, margin: 0, display: "flex", flexDirection: "column", gap: 6 }, children: members.map((m) => /* @__PURE__ */ jsxs("li", { "data-testid": `row-org-member-${m.userId}`, style: { display: "grid", gridTemplateColumns: "1fr auto auto", gap: 8, alignItems: "center", padding: "8px 10px", background: "rgba(15,23,42,0.04)", borderRadius: 6, fontSize: 13 }, children: [
-        /* @__PURE__ */ jsxs("div", { children: [
-          /* @__PURE__ */ jsx("div", { style: { fontWeight: 500 }, children: m.name || m.email }),
-          /* @__PURE__ */ jsx("div", { style: { fontSize: 11, opacity: 0.7 }, children: m.email })
-        ] }),
-        /* @__PURE__ */ jsxs("select", { "data-testid": `select-org-member-role-${m.userId}`, "aria-label": `Role for ${m.email}`, value: m.role, onChange: (e) => changeRole(m.userId, e.target.value), style: { ...inputStyle(), width: "auto", padding: "4px 8px", fontSize: 12 }, children: [
-          /* @__PURE__ */ jsx("option", { value: "tenant_member", children: "tenant_member" }),
-          /* @__PURE__ */ jsx("option", { value: "tenant_admin", children: "tenant_admin" })
-        ] }),
-        /* @__PURE__ */ jsx(
-          "button",
-          {
-            type: "button",
-            "data-testid": `button-org-member-remove-${m.userId}`,
-            "aria-label": `Remove ${m.email}`,
-            onClick: () => removeMember(m.userId),
-            style: { background: "transparent", border: "1px solid rgba(220,38,38,0.4)", color: "#b91c1c", borderRadius: 4, padding: "4px 10px", cursor: "pointer", fontSize: 12 },
-            children: "Remove"
-          }
-        )
-      ] }, m.userId)) })
-    ] }) : null,
-    activeTab === "invitations" ? /* @__PURE__ */ jsxs("section", { role: "tabpanel", id: "iqauth-org-tab-invitations", "aria-labelledby": "tab-org-invitations", style: { display: "flex", flexDirection: "column", gap: 8 }, children: [
-      /* @__PURE__ */ jsx("h3", { style: { fontSize: 14, fontWeight: 600, margin: 0 }, children: "Pending invitations" }),
-      invitesLoading ? /* @__PURE__ */ jsx("p", { role: "status", "aria-live": "polite", style: { fontSize: 13 }, children: "Loading\u2026" }) : pendingInvites.length === 0 ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13, opacity: 0.6 }, children: "No pending invitations." }) : /* @__PURE__ */ jsx("ul", { "aria-label": "Pending invitations", style: { listStyle: "none", padding: 0, margin: 0, display: "flex", flexDirection: "column", gap: 6 }, children: pendingInvites.map((inv) => /* @__PURE__ */ jsxs("li", { "data-testid": `row-org-invite-${inv.id}`, style: { display: "grid", gridTemplateColumns: "1fr auto auto", gap: 8, alignItems: "center", padding: "8px 10px", background: "rgba(15,23,42,0.04)", borderRadius: 6, fontSize: 13 }, children: [
-        /* @__PURE__ */ jsxs("div", { children: [
-          /* @__PURE__ */ jsx("div", { style: { fontWeight: 500 }, children: inv.email }),
-          /* @__PURE__ */ jsxs("div", { style: { fontSize: 11, opacity: 0.7 }, children: [
-            "role: ",
-            inv.role,
-            inv.expiresAt ? ` \u2022 expires ${new Date(inv.expiresAt).toLocaleDateString()}` : ""
-          ] })
-        ] }),
-        /* @__PURE__ */ jsx(
-          "button",
-          {
-            type: "button",
-            "data-testid": `button-org-invite-resend-${inv.id}`,
-            onClick: () => resendInvite(inv.id),
-            style: { background: "transparent", border: "1px solid rgba(15,23,42,0.18)", color: "#0f172a", borderRadius: 4, padding: "4px 10px", cursor: "pointer", fontSize: 12 },
-            children: "Resend"
-          }
-        ),
-        /* @__PURE__ */ jsx(
-          "button",
-          {
-            type: "button",
-            "data-testid": `button-org-invite-revoke-${inv.id}`,
-            onClick: () => revokeInvite(inv.id),
-            style: { background: "transparent", border: "1px solid rgba(220,38,38,0.4)", color: "#b91c1c", borderRadius: 4, padding: "4px 10px", cursor: "pointer", fontSize: 12 },
-            children: "Revoke"
-          }
-        )
-      ] }, inv.id)) })
-    ] }) : null,
-    activeTab === "danger" ? /* @__PURE__ */ jsxs("section", { role: "tabpanel", id: "iqauth-org-tab-danger", "aria-labelledby": "tab-org-danger", style: { display: "flex", flexDirection: "column", gap: 10, border: "1px solid rgba(220,38,38,0.3)", padding: 12, borderRadius: 8, background: "rgba(220,38,38,0.04)" }, children: [
-      /* @__PURE__ */ jsx("h3", { style: { fontSize: 14, fontWeight: 600, margin: 0, color: "#b91c1c" }, children: "Delete organization" }),
-      /* @__PURE__ */ jsxs("p", { style: { fontSize: 12, opacity: 0.85, margin: 0 }, children: [
-        "This permanently deletes ",
-        /* @__PURE__ */ jsx("strong", { children: tenant?.name }),
-        " and all of its members, roles, and audit history. To confirm, type the slug ",
-        /* @__PURE__ */ jsx("code", { children: tenant?.slug }),
-        " below."
-      ] }),
-      /* @__PURE__ */ jsx(Field, { label: "Type the organization slug to confirm", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-org-delete-confirm", autoComplete: "off", placeholder: tenant?.slug || "", "aria-label": "Type slug to confirm", style: { ...inputStyle(), fontFamily: "monospace" }, value: confirmDeleteText, onChange: (e) => setConfirmDeleteText(e.target.value) }) }),
-      /* @__PURE__ */ jsx(Field, { label: "Re-enter your password", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-org-delete-password", type: "password", autoComplete: "current-password", "aria-label": "Password to confirm deletion", style: inputStyle(), value: confirmDeletePassword, onChange: (e) => setConfirmDeletePassword(e.target.value) }) }),
-      /* @__PURE__ */ jsx(
-        "button",
-        {
-          type: "button",
-          "data-testid": "button-org-delete",
-          onClick: submitDelete,
-          disabled: deleteSubmitting || confirmDeleteText !== tenant?.slug || !confirmDeletePassword,
-          style: { background: "#b91c1c", color: "#fff", border: "none", padding: "8px 14px", borderRadius: 6, cursor: confirmDeleteText === tenant?.slug && confirmDeletePassword ? "pointer" : "not-allowed", fontSize: 13, opacity: confirmDeleteText === tenant?.slug && confirmDeletePassword ? 1 : 0.5 },
-          children: deleteSubmitting ? "Deleting\u2026" : "Permanently delete organization"
-        }
-      )
-    ] }) : null
-  ] }) });
-}
-function OrganizationList({ iqAuthBaseUrl, onSelect, showCreate = true, createRedirectUrl, appearance, className }) {
-  const [showCreateForm, setShowCreateForm] = useState(false);
-  const reloadList = () => {
-    setShowCreateForm(false);
-    if (typeof window !== "undefined") setTimeout(() => window.location.reload(), 50);
-  };
-  const branding = useResolvedSdkBranding(iqAuthBaseUrl);
-  const baseUrl = iqAuthBaseUrl.replace(/\/$/, "");
-  const accent = branding?.accentColor || "#6366f1";
-  const [memberships, setMemberships] = useState([]);
-  const [activeTenantId, setActiveTenantId] = useState(null);
-  const [loading, setLoading] = useState(true);
-  const [error, setError] = useState(null);
-  useEffect(() => {
-    let cancelled = false;
-    Promise.all([
-      fetch(`${baseUrl}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()),
-      fetch(`${baseUrl}/api/v1/tenants/memberships`, { credentials: "include" }).then((r) => r.json())
-    ]).then(([me, mems]) => {
-      if (cancelled) return;
-      setActiveTenantId(me?.data?.tenantId || null);
-      setMemberships(mems?.data?.memberships || mems?.data || []);
-    }).catch((err) => {
-      if (!cancelled) setError(err instanceof Error ? err.message : "Failed to load organizations");
-    }).finally(() => {
-      if (!cancelled) setLoading(false);
-    });
-    return () => {
-      cancelled = true;
-    };
-  }, [baseUrl]);
-  const select = async (tenantId) => {
-    if (tenantId === activeTenantId) {
-      onSelect?.(tenantId);
-      return;
-    }
-    try {
-      await jsonFetch(`${baseUrl}/api/v1/auth/select-tenant`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        credentials: "include",
-        body: JSON.stringify({ tenantId })
-      });
-      setActiveTenantId(tenantId);
-      onSelect?.(tenantId);
-    } catch (err) {
-      setError(err instanceof Error ? err.message : "Failed to switch organization");
-    }
-  };
-  return /* @__PURE__ */ jsx(Shell, { appearance, branding, className, title: "Your organizations", subtitle: "Select an organization to make it active.", children: /* @__PURE__ */ jsxs("div", { "data-iqauth-sdk-org-list": "", style: { display: "flex", flexDirection: "column", gap: 8 }, children: [
-    error ? /* @__PURE__ */ jsx(ErrorBanner, { message: error }) : null,
-    loading ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13 }, children: "Loading\u2026" }) : memberships.length === 0 ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13, opacity: 0.6 }, children: "You don\u2019t belong to any organizations yet." }) : /* @__PURE__ */ jsx("ul", { style: { listStyle: "none", padding: 0, margin: 0, display: "flex", flexDirection: "column", gap: 6 }, children: memberships.map((m) => {
-      const active = m.tenantId === activeTenantId;
-      return /* @__PURE__ */ jsx("li", { children: /* @__PURE__ */ jsxs(
-        "button",
-        {
-          type: "button",
-          "data-testid": `button-org-list-${m.tenantId}`,
-          onClick: () => select(m.tenantId),
-          style: {
-            display: "block",
-            width: "100%",
-            textAlign: "left",
-            padding: "10px 12px",
-            borderRadius: 6,
-            cursor: "pointer",
-            fontSize: 13,
-            background: active ? `${accent}1a` : "transparent",
-            border: `1px solid ${active ? accent : "rgba(15,23,42,0.12)"}`,
-            color: branding?.primaryColor || "#0f172a"
-          },
-          children: [
-            /* @__PURE__ */ jsx("div", { style: { fontWeight: 500 }, children: m.tenantName || m.tenantSlug || m.tenantId }),
-            /* @__PURE__ */ jsxs("div", { style: { fontSize: 11, opacity: 0.7 }, children: [
-              (m.roles || []).join(", ") || "\u2014",
-              active ? /* @__PURE__ */ jsx("span", { style: { marginLeft: 8, color: accent, fontWeight: 600 }, children: "active" }) : null
-            ] })
-          ]
-        }
-      ) }, m.tenantId);
-    }) }),
-    showCreate ? /* @__PURE__ */ jsx("div", { style: { marginTop: 12, paddingTop: 12, borderTop: "1px solid rgba(15,23,42,0.08)" }, children: showCreateForm ? /* @__PURE__ */ jsxs(Fragment2, { children: [
-      /* @__PURE__ */ jsx(
-        CreateOrganization,
-        {
-          iqAuthBaseUrl,
-          unstyled: true,
-          appearance,
-          onCreated: (t2) => {
-            onSelect?.(t2.id);
-            reloadList();
-          },
-          redirectUrl: createRedirectUrl
-        }
-      ),
-      /* @__PURE__ */ jsx(
-        "button",
-        {
-          type: "button",
-          "data-testid": "button-org-list-create-cancel",
-          onClick: () => setShowCreateForm(false),
-          style: { marginTop: 8, background: "transparent", border: "none", color: branding?.accentColor || "#6366f1", cursor: "pointer", fontSize: 12, padding: 0 },
-          children: "Cancel"
-        }
-      )
-    ] }) : /* @__PURE__ */ jsx(
-      "button",
-      {
-        type: "button",
-        "data-testid": "button-org-list-create",
-        onClick: () => setShowCreateForm(true),
-        style: { background: "transparent", border: `1px dashed ${accent}`, color: branding?.primaryColor || "#0f172a", padding: "10px 12px", borderRadius: 6, cursor: "pointer", fontSize: 13, width: "100%" },
-        children: "+ Create new organization"
-      }
-    ) }) : null
-  ] }) });
-}
-function Waitlist({ iqAuthBaseUrl, appKey, appId, title, subtitle, successMessage, appearance, className }) {
-  const branding = useResolvedSdkBranding(iqAuthBaseUrl, appId);
-  const [email, setEmail] = useState("");
-  const [name, setName] = useState("");
-  const [organizationName, setOrganizationName] = useState("");
-  const [submitting, setSubmitting] = useState(false);
-  const [error, setError] = useState(null);
-  const [submitted, setSubmitted] = useState(null);
-  const submit = async (e) => {
-    e.preventDefault();
-    setSubmitting(true);
-    setError(null);
-    try {
-      const res = await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/waitlist`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({
-          email: email.trim().toLowerCase(),
-          name: name.trim() || void 0,
-          organizationName: organizationName.trim() || void 0,
-          appKey: appKey || void 0,
-          appId: appId || void 0
-        })
-      });
-      const data = res?.data ?? res;
-      setSubmitted({ duplicate: !!data?.duplicate });
-    } catch (err) {
-      setError(err instanceof Error ? err.message : "Failed to join the waitlist");
-    } finally {
-      setSubmitting(false);
-    }
-  };
-  if (submitted) {
-    return /* @__PURE__ */ jsx(Shell, { appearance, branding, className, title: title || "You\u2019re on the list", children: /* @__PURE__ */ jsx("p", { "data-testid": "text-waitlist-success", style: { fontSize: 14 }, children: successMessage || (submitted.duplicate ? "You were already on the waitlist \u2014 we\u2019ll be in touch." : "Thanks! We\u2019ll email you when access opens up.") }) });
-  }
-  return /* @__PURE__ */ jsx(Shell, { appearance, branding, className, title: title || "Join the waitlist", subtitle: subtitle || "Enter your email and we\u2019ll be in touch when access opens up.", children: /* @__PURE__ */ jsxs("form", { onSubmit: submit, style: { display: "flex", flexDirection: "column", gap: 12 }, "data-iqauth-sdk-waitlist": "", children: [
-    error ? /* @__PURE__ */ jsx(ErrorBanner, { message: error }) : null,
-    /* @__PURE__ */ jsx(Field, { label: "Work email", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-waitlist-email", type: "email", autoComplete: "email", required: true, style: inputStyle(), value: email, onChange: (e) => setEmail(e.target.value) }) }),
-    /* @__PURE__ */ jsx(Field, { label: "Name (optional)", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-waitlist-name", autoComplete: "name", style: inputStyle(), value: name, onChange: (e) => setName(e.target.value) }) }),
-    /* @__PURE__ */ jsx(Field, { label: "Organization (optional)", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-waitlist-org", autoComplete: "organization", style: inputStyle(), value: organizationName, onChange: (e) => setOrganizationName(e.target.value) }) }),
-    /* @__PURE__ */ jsx(PrimaryButton, { "data-testid": "button-waitlist-submit", type: "submit", disabled: submitting || !email, children: submitting ? "Joining\u2026" : "Join the waitlist" })
-  ] }) });
-}
-function usePasswordlessOptions(override) {
-  const ctx = useContext(IQAuthContext);
-  const baseFromCtx = ctx?.manager?.issuerUrl;
-  const iqAuthBaseUrl = override?.iqAuthBaseUrl || baseFromCtx || (typeof window !== "undefined" ? window.location.origin : "");
-  return { iqAuthBaseUrl, cookieSession: override?.cookieSession ?? true };
-}
-function useMagicLink(override) {
-  const opts = usePasswordlessOptions(override);
-  const [sent, setSent] = useState(false);
-  const [busy, setBusy] = useState(false);
-  const [error, setError] = useState(null);
-  const request = useCallback(async (input) => {
-    setBusy(true);
-    setError(null);
-    setSent(false);
-    try {
-      await requestMagicLink(opts, input);
-      setSent(true);
-    } catch (e) {
-      setError(e instanceof Error ? e.message : "Magic link request failed");
-    } finally {
-      setBusy(false);
-    }
-  }, [opts.iqAuthBaseUrl, opts.cookieSession]);
-  return { request, sent, busy, error };
-}
-function usePasskey(override) {
-  const opts = usePasswordlessOptions(override);
-  const [busy, setBusy] = useState(false);
-  const [error, setError] = useState(null);
-  const signIn2 = useCallback(async (input = {}) => {
-    setBusy(true);
-    setError(null);
-    try {
-      return await signInWithPasskey(opts, input);
-    } catch (e) {
-      const msg = e instanceof Error ? e.message : "Passkey sign-in failed";
-      setError(msg);
-      throw e;
-    } finally {
-      setBusy(false);
-    }
-  }, [opts.iqAuthBaseUrl]);
-  const enroll = useCallback(async (name) => {
-    setBusy(true);
-    setError(null);
-    try {
-      return await enrollPasskey(opts, name);
-    } catch (e) {
-      const msg = e instanceof Error ? e.message : "Passkey enrollment failed";
-      setError(msg);
-      throw e;
-    } finally {
-      setBusy(false);
-    }
-  }, [opts.iqAuthBaseUrl]);
-  return { signIn: signIn2, enroll, busy, error };
-}
-function useLinkedIdentities(override) {
-  const opts = usePasswordlessOptions(override);
-  const [identities, setIdentities] = useState([]);
-  const [loading, setLoading] = useState(true);
-  const [error, setError] = useState(null);
-  const refresh = useCallback(async () => {
-    setLoading(true);
-    setError(null);
-    try {
-      setIdentities(await listLinkedIdentities(opts));
-    } catch (e) {
-      setError(e instanceof Error ? e.message : "Failed to load identities");
-    } finally {
-      setLoading(false);
-    }
-  }, [opts.iqAuthBaseUrl]);
-  const link = useCallback(async (input) => {
-    await linkProvider(opts, input);
-    await refresh();
-  }, [opts.iqAuthBaseUrl, refresh]);
-  const unlink = useCallback(async (provider, password) => {
-    await unlinkProvider(opts, { provider, reauth: { password } });
-    await refresh();
-  }, [opts.iqAuthBaseUrl, refresh]);
-  useEffect(() => {
-    refresh();
-  }, [refresh]);
-  return { identities, loading, error, refresh, link, unlink };
-}
-function MagicLinkSignInForm(props) {
-  const { request, sent, busy, error } = useMagicLink(props);
-  const [email, setEmail] = useState("");
-  return /* @__PURE__ */ jsxs(
-    "form",
-    {
-      "data-testid": "form-magic-link",
-      className: props.className,
-      onSubmit: (e) => {
-        e.preventDefault();
-        if (email) void request({ email, appId: props.appId, redirectUri: props.redirectUri });
-      },
-      style: { display: "flex", flexDirection: "column", gap: 8 },
-      children: [
-        /* @__PURE__ */ jsx(
-          "input",
-          {
-            "data-testid": "input-magic-link-email",
-            type: "email",
-            required: true,
-            value: email,
-            placeholder: props.placeholder ?? "you@example.com",
-            onChange: (e) => setEmail(e.target.value),
-            style: { padding: 8, border: "1px solid rgba(15,23,42,0.15)", borderRadius: 6 }
-          }
-        ),
-        /* @__PURE__ */ jsx("button", { "data-testid": "button-magic-link-submit", type: "submit", disabled: busy || !email, children: busy ? "Sending\u2026" : props.buttonLabel ?? "Email me a sign-in link" }),
-        sent ? /* @__PURE__ */ jsx("p", { "data-testid": "text-magic-link-sent", style: { fontSize: 12 }, children: "If the email is on file, a link is on the way." }) : null,
-        error ? /* @__PURE__ */ jsx("p", { "data-testid": "text-magic-link-error", style: { fontSize: 12, color: "#b91c1c" }, children: error }) : null
-      ]
-    }
-  );
-}
-function PasskeySignInButton({ email, className, children, ...rest }) {
-  const { signIn: signIn2, busy, error } = usePasskey(rest);
-  return /* @__PURE__ */ jsxs("div", { className, children: [
-    /* @__PURE__ */ jsx(
-      "button",
-      {
-        "data-testid": "button-passkey-signin",
-        disabled: busy,
-        onClick: () => void signIn2({ email }).catch(() => {
-        }),
-        style: { padding: "8px 12px", borderRadius: 6, border: "1px solid rgba(15,23,42,0.15)", background: "transparent", cursor: "pointer" },
-        children: busy ? "Verifying\u2026" : children ?? "Sign in with a passkey"
-      }
-    ),
-    error ? /* @__PURE__ */ jsx("p", { "data-testid": "text-passkey-error", style: { fontSize: 12, color: "#b91c1c", marginTop: 4 }, children: error }) : null
-  ] });
-}
-function LinkedAccounts({ className, onChange, ...rest }) {
-  const { identities, loading, error, unlink } = useLinkedIdentities(rest);
-  return /* @__PURE__ */ jsx("div", { "data-testid": "section-linked-accounts", className, children: loading ? /* @__PURE__ */ jsx("p", { children: "Loading\u2026" }) : error ? /* @__PURE__ */ jsx("p", { style: { color: "#b91c1c" }, children: error }) : /* @__PURE__ */ jsx("ul", { style: { listStyle: "none", padding: 0, margin: 0 }, children: identities.map((i) => /* @__PURE__ */ jsxs("li", { "data-testid": `row-identity-${i.provider}`, style: { display: "flex", justifyContent: "space-between", padding: "6px 0" }, children: [
-    /* @__PURE__ */ jsxs("span", { children: [
-      /* @__PURE__ */ jsx("strong", { style: { textTransform: "capitalize" }, children: i.provider }),
-      " ",
-      /* @__PURE__ */ jsx("span", { style: { opacity: 0.7 }, children: i.label || i.providerUserId || "" })
-    ] }),
-    i.canUnlink ? /* @__PURE__ */ jsx(
-      "button",
-      {
-        "data-testid": `button-unlink-${i.provider}`,
-        onClick: async () => {
-          const pw = window.prompt("Confirm your password to unlink this identity") || void 0;
-          try {
-            await unlink(i.provider, pw);
-            onChange?.();
-          } catch {
-          }
-        },
-        children: "Unlink"
-      }
-    ) : null
-  ] }, i.id)) }) });
-}
-var __version__ = "phase-bc-1.0.0";
 export {
   AuthCallback,
   CreateOrganization,
@@ -2636,6 +83,7 @@ export {
   UserButton,
   UserProfile,
   Waitlist,
+  __useIQAuthInternal,
   __version__,
   isReturnToAllowed,
   isSilentSsoEligible,