@iqauth/sdk 2.6.4 → 2.8.1

package/dist/react.js

@@ -25,13 +25,30 @@ var IQAuthError;
 var init_errors = __esm({
   "src/errors.ts"() {
     "use strict";
-    IQAuthError = class extends Error {
-      constructor(code, message, status, raw) {
+    IQAuthError = class _IQAuthError extends Error {
+      constructor(code, message, status, cause) {
         super(message);
         this.name = "IQAuthError";
         this.code = code;
         this.status = status;
-        this.raw = raw;
+        this.cause = cause;
+        this.raw = cause;
+      }
+      /**
+       * Type guard: true when `value` is an `IQAuthError`. Useful for adapters
+       * that round-trip errors through `unknown` (e.g. fastify's `setErrorHandler`).
+       */
+      static isIQAuthError(value) {
+        return value instanceof _IQAuthError || typeof value === "object" && value !== null && value.name === "IQAuthError" && typeof value.code === "string";
+      }
+      /**
+       * Type-narrowed code check. Lets callers write
+       * `if (err.is("token_expired")) …` with full IntelliSense for the typed
+       * taxonomy without losing the ability to handle server codes via
+       * `err.code === "TOKEN_REVOKED"`.
+       */
+      is(code) {
+        return this.code === code;
       }
     };
   }
@@ -177,7 +194,7 @@ async function buildSignInUrl(manager, opts = {}) {
     returnTo,
     createdAt: Date.now()
   });
-  const url2 = new URL(opts.signInPath ?? DEFAULT_SIGN_IN_PATH, manager.issuerUrl);
+  const url2 = new URL(opts.signInPath ?? DEFAULT_SIGN_IN_PATH, manager.hostedIssuerUrl);
   url2.searchParams.set("response_type", "code");
   url2.searchParams.set("app", manager.appKey);
   url2.searchParams.set("publishable_key", manager.publishableKey.raw);
@@ -192,33 +209,50 @@ async function buildSignInUrl(manager, opts = {}) {
   return url2.toString();
 }
 async function redirectToSignIn(manager, opts = {}) {
-  const url2 = await buildSignInUrl(manager, opts);
-  if (typeof window === "undefined") {
-    throw new Error("redirectToSignIn requires a browser environment");
+  const t0 = Date.now();
+  let ok = false;
+  let code;
+  try {
+    const url2 = await buildSignInUrl(manager, opts);
+    if (typeof window === "undefined") {
+      code = "NO_WINDOW";
+      throw new Error("redirectToSignIn requires a browser environment");
+    }
+    ok = true;
+    manager.recordTiming("signIn", Date.now() - t0, true);
+    window.location.assign(url2);
+  } catch (err) {
+    if (!ok) manager.recordTiming("signIn", Date.now() - t0, false, code ?? (err instanceof Error ? err.message : "ERROR"));
+    throw err;
   }
-  window.location.assign(url2);
 }
 async function signIn(manager, opts = {}) {
   return redirectToSignIn(manager, opts);
 }
 async function handleAuthCallback(manager, options = {}) {
+  const t0 = Date.now();
+  const emit = (ok, code2) => manager.recordTiming("signIn", Date.now() - t0, ok, code2);
   const url2 = new URL(options.url ?? (typeof window !== "undefined" ? window.location.href : ""));
   const code = url2.searchParams.get("code");
   const state = url2.searchParams.get("state");
   const errorParam = url2.searchParams.get("error");
   if (errorParam) {
+    emit(false, errorParam);
     return { ok: false, returnTo: "/", error: errorParam };
   }
   if (!code || !state) {
+    emit(false, "missing_code_or_state");
     return { ok: false, returnTo: "/", error: "missing_code_or_state" };
   }
   const record = loadPkce(state);
   if (!record) {
+    emit(false, "unknown_state");
     return { ok: false, returnTo: "/", error: "unknown_state" };
   }
   clearPkce(state);
   const fetchImpl = options.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : null);
   if (!fetchImpl) {
+    emit(false, "no_fetch");
     return { ok: false, returnTo: record.returnTo, error: "no_fetch" };
   }
   const tokenUrl = `${manager.issuerUrl}${options.tokenPath ?? DEFAULT_TOKEN_PATH}`;
@@ -237,10 +271,12 @@ async function handleAuthCallback(manager, options = {}) {
   const body = await res.json().catch(() => ({}));
   if (!res.ok) {
     const desc = body.error_description ?? body.error ?? "token_exchange_failed";
+    emit(false, desc);
     return { ok: false, returnTo: record.returnTo, error: desc };
   }
   const tokens = body;
   if (!tokens.access_token) {
+    emit(false, "missing_access_token");
     return { ok: false, returnTo: record.returnTo, error: "missing_access_token" };
   }
   if (tokens.refresh_token) {
@@ -248,21 +284,24 @@ async function handleAuthCallback(manager, options = {}) {
     setCookie(cookieName, tokens.refresh_token, { maxAgeSeconds: 60 * 60 * 24 * 30 });
   }
   manager.applyAccessToken(tokens.access_token, tokens.refresh_token);
+  emit(true);
   return { ok: true, returnTo: record.returnTo };
 }
 async function signOut(manager, opts = {}) {
   if (!opts.localOnly) {
     const issuer = manager.issuerUrl.replace(/\/$/, "");
+    const idempotency = manager.getIdempotencyToken();
     try {
       const url2 = `${issuer}${opts.logoutPath ?? DEFAULT_LOGOUT_PATH}`;
-      await manager.fetch(url2, { method: "POST" }).catch(() => void 0);
+      await manager.fetch(url2, { method: "POST", headers: { "X-IQAuth-Idempotency": idempotency } }).catch(() => void 0);
     } catch {
     }
     if (opts.endSsoSession !== false) {
       try {
         await fetch(`${issuer}${DEFAULT_SSO_LOGOUT_PATH}`, {
           method: "POST",
-          credentials: "include"
+          credentials: "include",
+          headers: { "X-IQAuth-Idempotency": idempotency }
         }).catch(() => void 0);
       } catch {
       }
@@ -782,6 +821,7 @@ __export(react_exports, {
   Protect: () => Protect,
   RedirectToSignIn: () => RedirectToSignIn,
   RedirectToSignedIn: () => RedirectToSignedIn,
+  ScopeSwitcher: () => ScopeSwitcher,
   SignIn: () => SignIn,
   SignUp: () => SignUp,
   SignedIn: () => SignedIn,
@@ -789,10 +829,15 @@ __export(react_exports, {
   UserButton: () => UserButton,
   UserProfile: () => UserProfile,
   Waitlist: () => Waitlist,
+  __useIQAuthInternal: () => __useIQAuthInternal,
   __version__: () => __version__,
+  claimSatisfiesScope: () => claimSatisfiesScope,
   isReturnToAllowed: () => isReturnToAllowed,
   isSilentSsoEligible: () => isSilentSsoEligible,
+  performScopeSwitch: () => performScopeSwitch,
+  performTenantSwitch: () => performTenantSwitch,
   preflightReturnTo: () => preflightReturnTo,
+  resolveAfterSignInDestination: () => resolveAfterSignInDestination,
   revokeSession: () => revokeSession,
   sanitizeBrandCss: () => sanitizeBrandCss,
   sanitizeReturnTo: () => sanitizeReturnTo,
@@ -806,6 +851,7 @@ __export(react_exports, {
   useLinkedIdentities: () => useLinkedIdentities,
   useLocale: () => useLocale,
   useMagicLink: () => useMagicLink,
+  useMemberships: () => useMemberships,
   useOrganization: () => useOrganization,
   usePasskey: () => usePasskey,
   useResolvedSdkBranding: () => useResolvedSdkBranding,
@@ -854,14 +900,14 @@ function assertPublishableKey(raw, opts) {
   const ctx = opts?.context ? `${opts.context}: ` : "";
   if (typeof raw !== "string" || raw.length === 0) {
     throw new IQAuthError(
-      "CONFIG_INVALID",
+      "config_invalid",
       `${ctx}IQAuth publishable key is missing. Set IQAUTH_PUBLISHABLE_KEY (or pass publishableKey) to a pk_test_\u2026 or pk_live_\u2026 value from the IQAuth admin console.`
     );
   }
   const shapeMatch = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
   if (!shapeMatch) {
     throw new IQAuthError(
-      "CONFIG_INVALID",
+      "config_invalid",
       `${ctx}IQAuth publishable key is malformed (got ${raw.slice(0, 12)}\u2026). Expected pk_test_\u2026 or pk_live_\u2026; regenerate the key from the IQAuth admin console.`
     );
   }
@@ -870,19 +916,19 @@ function assertPublishableKey(raw, opts) {
     decoded = JSON.parse(b64urlDecode(shapeMatch[2]));
   } catch {
     throw new IQAuthError(
-      "CONFIG_INVALID",
+      "config_invalid",
       `${ctx}IQAuth publishable key payload is not valid base64url JSON. Regenerate the key from the IQAuth admin console.`
     );
   }
   if (!isPublishableKeyPayload(decoded)) {
     throw new IQAuthError(
-      "CONFIG_INVALID",
+      "config_invalid",
       `${ctx}IQAuth publishable key payload is missing required fields {iss, appId, tenantId, kid}. Regenerate the key from the IQAuth admin console.`
     );
   }
   if (!isValidIssuerUrl(decoded.iss)) {
     throw new IQAuthError(
-      "CONFIG_INVALID",
+      "config_invalid",
       `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console \u2014 the new key will encode a valid issuer URL.`
     );
   }
@@ -896,6 +942,7 @@ function isPublishableKeyPayload(value) {
 
 // src/browser/sessionManager.ts
 init_storage();
+var PROBE_WAIT_MS = 80;
 var DEFAULT_REFRESH_PATH = "/api/v1/auth/refresh";
 var DEFAULT_USERINFO_PATH = "/api/v1/auth/me";
 async function readAuthErrorCode(res) {
@@ -933,7 +980,16 @@ function claimsToSessionUser(claims) {
     tenantId: claims.tenantId,
     vendorId: claims.vendorId,
     roles: claims.roles ?? [],
-    entitlements: claims.entitlements ?? []
+    entitlements: claims.entitlements ?? [],
+    // SDK 2.7.0 (Task #124) — pass through identity claims when issued.
+    ...claims.picture !== void 0 ? { picture: claims.picture } : {},
+    ...claims.email_verified !== void 0 ? { emailVerified: claims.email_verified } : {},
+    ...claims.given_name !== void 0 ? { givenName: claims.given_name } : {},
+    ...claims.family_name !== void 0 ? { familyName: claims.family_name } : {},
+    ...claims.locale !== void 0 ? { locale: claims.locale } : {},
+    // Task #171 — surface the active source/client scope when the token was
+    // minted scoped, so consumers reading useUser().user can branch on it.
+    ...claims.scopeContext !== void 0 ? { scopeContext: claims.scopeContext } : {}
   };
 }
 var EMPTY = {
@@ -957,11 +1013,50 @@ var NO_OP_STORE = {
   write: () => void 0,
   clear: () => void 0
 };
+var IDEMPOTENCY_HEADER = "X-IQAuth-Idempotency";
+function randomIdempotencyToken() {
+  if (typeof crypto !== "undefined" && typeof crypto.getRandomValues === "function") {
+    const bytes = new Uint8Array(16);
+    crypto.getRandomValues(bytes);
+    let out = "";
+    for (const b of bytes) out += b.toString(16).padStart(2, "0");
+    return out;
+  }
+  return Math.random().toString(36).slice(2) + Math.random().toString(36).slice(2);
+}
 var SessionManager = class {
   constructor(options) {
     this.snapshot = { ...EMPTY };
     this.listeners = /* @__PURE__ */ new Set();
     this.refreshPromise = null;
+    /**
+     * Cancellation handle for the in-flight refresh, if any. `signOut()` (or a
+     * `session:signout` broadcast from another tab) calls `abort()` so the
+     * refresh response is dropped before it can write a fresh access cookie
+     * on top of the just-cleared session — the second root cause of "ghost
+     * signed-in" sessions after Sign Out.
+     */
+    this.refreshAbort = null;
+    /**
+     * Set to `true` by `signOut()` / `signOutLocal()` for the lifetime of the
+     * call. Used as a safety belt: even if a refresh response arrives while
+     * `refreshAbort` was unable to interrupt the network call (e.g. the body
+     * was already streaming back), `runRefresh` checks this flag before
+     * mutating session state and bails out.
+     */
+    this.signoutInProgress = false;
+    /**
+     * Per-session opaque idempotency token. Sent as `X-IQAuth-Idempotency` on
+     * every /refresh and /signout request the SDK makes through a framework
+     * adapter (Express/Fastify/Hono/Next), so the adapter's `SignoutRegistry`
+     * can collapse a refresh that lands moments after a signout — even when
+     * the two requests are routed to different server instances (multi-replica
+     * deployments).
+     *
+     * Generated lazily on first use, rotated on signout so the next session
+     * starts with a fresh token. Opaque random — never the raw refresh token.
+     */
+    this.idempotencyToken = null;
     this.channel = null;
     this.proactiveTimer = null;
     this.bootstrapped = false;
@@ -969,6 +1064,8 @@ var SessionManager = class {
     this.remoteRefreshWaiters = [];
     /** Active claims by other tabs (keyed by source tabId). */
     this.foreignClaim = null;
+    /** Resolver for an in-flight cross-tab `session:probe`, set during bootstrap. */
+    this.probeResolver = null;
     const parsed = assertPublishableKey(options.publishableKey, { context: "@iqauth/sdk/browser SessionManager" });
     this.key = parsed;
     const inferred = options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`);
@@ -981,6 +1078,8 @@ var SessionManager = class {
     this.refreshCookieName = options.cookieNames?.refresh ?? REFRESH_COOKIE;
     this.tokenStore = options.tokenStore ?? (this.serverManagedSession ? NO_OP_STORE : this.useCookies ? defaultCookieStore(this.refreshCookieName) : NO_OP_STORE);
     this.crossTabLockTimeoutMs = options.crossTabLockTimeoutMs ?? 4e3;
+    this.debug = options.debug ?? false;
+    this.onTimingEvent = options.onTimingEvent ?? null;
     this.fetchImpl = options.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : (() => {
       throw new Error("global fetch is not available; pass fetchImpl");
     }));
@@ -1007,10 +1106,35 @@ var SessionManager = class {
   get issuerUrl() {
     return this.issuer;
   }
+  /**
+   * SDK 2.7.0 (Task #124) — The hosted IQAuth host derived from the
+   * publishable key's `iss` claim, normalized to URL form. This is what
+   * `<SignIn/>` and `buildSignInUrl` use to talk to the hosted UI; it
+   * deliberately ignores the `issuer` constructor override so a misrouted
+   * `issuer` (e.g. pointed at the consumer app's own domain) cannot break
+   * the hosted flow. Use {@link issuerUrl} for token / discovery endpoints.
+   */
+  get hostedIssuerUrl() {
+    const iss = this.key.iss;
+    return (iss.startsWith("http") ? iss : `https://${iss}`).replace(/\/+$/, "");
+  }
   /** Cookie name the SDK uses for the refresh token (overridable via `cookieNames.refresh`). */
   get refreshCookie() {
     return this.refreshCookieName;
   }
+  /**
+   * Returns the current per-session idempotency token, generating one
+   * lazily on first use. Sent as the `X-IQAuth-Idempotency` header on
+   * /refresh and /signout requests so the framework adapter's
+   * `SignoutRegistry` can collapse a refresh-vs-signout race even across
+   * server instances.
+   */
+  getIdempotencyToken() {
+    if (!this.idempotencyToken) {
+      this.idempotencyToken = randomIdempotencyToken();
+    }
+    return this.idempotencyToken;
+  }
   getSnapshot() {
     return this.snapshot;
   }
@@ -1024,9 +1148,44 @@ var SessionManager = class {
    * One-time bootstrap: warm the session from the refresh cookie if present.
    * Safe to call multiple times.
    */
+  /**
+   * Task #126: Public timing-event emitter. Used by the browser sign-in
+   * helpers (redirectToSignIn / handleAuthCallback) to surface signIn-phase
+   * timings through the same `debug` + `onTimingEvent` channel as
+   * bootstrap/refresh. Safe to call from anywhere — internal callers
+   * pre-compute durationMs.
+   */
+  recordTiming(phase, durationMs, ok, code) {
+    this.emitTiming(phase, durationMs, ok, code);
+  }
+  /** Task #126: emit a session timing event to debug log + onTimingEvent hook. */
+  emitTiming(phase, durationMs, ok, code) {
+    if (this.debug) {
+      try {
+        console.debug("[iqauth_session]", { phase, durationMs, ok, code });
+      } catch {
+      }
+    }
+    if (this.onTimingEvent) {
+      try {
+        this.onTimingEvent({ phase, durationMs, ok, code });
+      } catch {
+      }
+    }
+  }
   async bootstrap() {
     if (this.bootstrapped) return;
     this.bootstrapped = true;
+    const t0 = Date.now();
+    try {
+      await this.bootstrapInner();
+      this.emitTiming("bootstrap", Date.now() - t0, this.snapshot.status === "authenticated");
+    } catch (err) {
+      this.emitTiming("bootstrap", Date.now() - t0, false, err instanceof Error ? err.message : "ERROR");
+      throw err;
+    }
+  }
+  async bootstrapInner() {
     if (this.serverManagedSession) {
       try {
         const res = await this.fetchImpl(`${this.issuer}${this.userinfoPath}`, {
@@ -1061,6 +1220,15 @@ var SessionManager = class {
         return;
       }
     }
+    const peerSnapshot = await this.probePeers();
+    if (peerSnapshot && peerSnapshot.status === "authenticated") {
+      this.update({
+        ...peerSnapshot,
+        version: Math.max(this.snapshot.version, peerSnapshot.version) + 1
+      });
+      this.scheduleProactiveRefresh();
+      return;
+    }
     const stored = await Promise.resolve(this.tokenStore.read());
     if (!stored) {
       this.setStatus("unauthenticated");
@@ -1069,6 +1237,22 @@ var SessionManager = class {
     const ok = await this.refresh();
     if (!ok) this.setStatus("unauthenticated");
   }
+  probePeers() {
+    if (!this.channel) return Promise.resolve(null);
+    return new Promise((resolve) => {
+      let settled = false;
+      const finish = (snap) => {
+        if (settled) return;
+        settled = true;
+        this.probeResolver = null;
+        clearTimeout(timer);
+        resolve(snap);
+      };
+      this.probeResolver = (snap) => finish(snap);
+      const timer = setTimeout(() => finish(null), PROBE_WAIT_MS);
+      this.broadcastEnvelope({ type: "session:probe", source: this.tabId, ts: Date.now() });
+    });
+  }
   /**
    * Single-flight token refresh, coordinated across tabs via BroadcastChannel.
    *
@@ -1082,30 +1266,48 @@ var SessionManager = class {
    */
   refresh() {
     if (this.refreshPromise) return this.refreshPromise;
-    this.refreshPromise = this.runRefresh().finally(() => {
+    const t0 = Date.now();
+    this.refreshPromise = this.runRefresh().then((ok) => {
+      this.emitTiming("refresh", Date.now() - t0, ok, ok ? void 0 : this.snapshot.error?.code ?? "REFRESH_FAILED");
+      return ok;
+    }).finally(() => {
       this.refreshPromise = null;
     });
     return this.refreshPromise;
   }
   async runRefresh() {
-    const myClaim = { source: this.tabId, ts: Date.now() };
-    if (this.channel) {
-      this.broadcastEnvelope({ type: "refresh:claim", source: myClaim.source, ts: myClaim.ts });
-      await new Promise((r) => setTimeout(r, 25));
-      const foreign = this.foreignClaim;
-      if (foreign && this.claimWins(foreign, myClaim)) {
-        return this.waitForForeignRefresh();
-      }
-    }
+    const abort = new AbortController();
+    this.refreshAbort = abort;
     try {
+      const myClaim = { source: this.tabId, ts: Date.now() };
+      if (this.channel) {
+        this.broadcastEnvelope({ type: "refresh:claim", source: myClaim.source, ts: myClaim.ts });
+        await new Promise((r) => setTimeout(r, 25));
+        if (abort.signal.aborted || this.signoutInProgress) {
+          this.broadcastEnvelope({ type: "refresh:done", source: this.tabId, ts: Date.now(), ok: false });
+          return false;
+        }
+        const foreign = this.foreignClaim;
+        if (foreign && this.claimWins(foreign, myClaim)) {
+          return this.waitForForeignRefresh();
+        }
+      }
       const refreshToken = await Promise.resolve(this.tokenStore.read());
       const res = await this.fetchImpl(`${this.issuer}${this.refreshPath}`, {
         method: "POST",
         credentials: "include",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify(refreshToken ? { refreshToken } : {})
+        headers: {
+          "Content-Type": "application/json",
+          [IDEMPOTENCY_HEADER]: this.getIdempotencyToken()
+        },
+        body: JSON.stringify(refreshToken ? { refreshToken } : {}),
+        signal: abort.signal
       });
       const body = await res.json().catch(() => ({}));
+      if (this.signoutInProgress || abort.signal.aborted) {
+        this.broadcastEnvelope({ type: "refresh:done", source: this.tabId, ts: Date.now(), ok: false });
+        return false;
+      }
       const data = body.data;
       if (!res.ok || !body.success || !data?.accessToken) {
         const err = body.error;
@@ -1124,14 +1326,18 @@ var SessionManager = class {
       this.broadcastEnvelope({ type: "refresh:done", source: this.tabId, ts: Date.now(), ok: true });
       return true;
     } catch (err) {
-      this.setError({
-        code: "NETWORK_ERROR",
-        message: err instanceof Error ? err.message : "Refresh request failed"
-      });
+      const aborted = err?.name === "AbortError" || abort.signal.aborted || this.signoutInProgress;
+      if (!aborted) {
+        this.setError({
+          code: "NETWORK_ERROR",
+          message: err instanceof Error ? err.message : "Refresh request failed"
+        });
+      }
       this.broadcastEnvelope({ type: "refresh:done", source: this.tabId, ts: Date.now(), ok: false });
       return false;
     } finally {
       this.foreignClaim = null;
+      if (this.refreshAbort === abort) this.refreshAbort = null;
     }
   }
   claimWins(foreign, mine) {
@@ -1158,10 +1364,27 @@ var SessionManager = class {
    * session and notify subscribers and other tabs.
    */
   applyAccessToken(accessToken, refreshToken) {
+    this.adoptAccessToken(accessToken, { refreshToken });
+  }
+  /**
+   * Task #197 — Adopt an access token that the server has already minted
+   * for us (e.g. from `POST /api/v1/auth/switch-scope`) without contacting
+   * the issuer. Swaps the in-memory token, re-decodes claims, bumps
+   * `version`, schedules proactive refresh, and broadcasts a
+   * `session:update` to peer tabs.
+   *
+   * This is the safe path for any server endpoint that returns a fresh
+   * access token in its JSON body: we want the new claims (scope, roles,
+   * etc.) to take effect immediately, even if the refresh-cookie round-trip
+   * would have failed (network blip, rate limit, signout race). When the
+   * server also rotated the refresh token, pass it via
+   * `opts.refreshToken` so the cookie stays aligned.
+   */
+  adoptAccessToken(accessToken, opts) {
     const claims = decodeClaims(accessToken);
     const user = claimsToSessionUser(claims);
-    if (refreshToken) {
-      void Promise.resolve(this.tokenStore.write(refreshToken, { claims }));
+    if (opts?.refreshToken) {
+      void Promise.resolve(this.tokenStore.write(opts.refreshToken, { claims }));
     }
     this.update({
       status: user ? "authenticated" : "unauthenticated",
@@ -1239,6 +1462,14 @@ var SessionManager = class {
    * the server-side logout request.
    */
   signOutLocal(status = "unauthenticated") {
+    this.signoutInProgress = true;
+    if (this.refreshAbort) {
+      try {
+        this.refreshAbort.abort();
+      } catch {
+      }
+      this.refreshAbort = null;
+    }
     void Promise.resolve(this.tokenStore.clear());
     if (this.proactiveTimer) {
       clearTimeout(this.proactiveTimer);
@@ -1253,7 +1484,12 @@ var SessionManager = class {
       error: null,
       version: this.snapshot.version + 1
     });
+    this.broadcastEnvelope({ type: "refresh:abort", source: this.tabId, ts: Date.now() });
     this.broadcast("session:signout");
+    this.idempotencyToken = null;
+    setTimeout(() => {
+      this.signoutInProgress = false;
+    }, 0);
   }
   /**
    * Replace the refresh-token store at runtime. Used by the F22
@@ -1317,6 +1553,12 @@ var SessionManager = class {
   }
   onBroadcast(env) {
     if (!env || env.source === this.tabId) return;
+    if (env.type === "session:probe") {
+      if (this.snapshot.status === "authenticated") {
+        this.broadcast("session:update");
+      }
+      return;
+    }
     if (env.type === "refresh:claim") {
       this.foreignClaim = { source: env.source, ts: env.ts };
       return;
@@ -1329,6 +1571,24 @@ var SessionManager = class {
       this.foreignClaim = null;
       return;
     }
+    if (env.type === "refresh:abort") {
+      this.signoutInProgress = true;
+      if (this.refreshAbort) {
+        try {
+          this.refreshAbort.abort();
+        } catch {
+        }
+        this.refreshAbort = null;
+      }
+      const waiters = this.remoteRefreshWaiters;
+      this.remoteRefreshWaiters = [];
+      for (const w of waiters) w(false);
+      this.foreignClaim = null;
+      setTimeout(() => {
+        this.signoutInProgress = false;
+      }, 0);
+      return;
+    }
     if (env.type === "session:signout") {
       this.update({
         status: "unauthenticated",
@@ -1342,6 +1602,12 @@ var SessionManager = class {
       return;
     }
     if ((env.type === "session:update" || env.type === "session:refresh") && env.payload) {
+      if (this.probeResolver && env.payload.status === "authenticated") {
+        const r = this.probeResolver;
+        this.probeResolver = null;
+        r(env.payload);
+        return;
+      }
       this.update({
         ...env.payload,
         version: Math.max(this.snapshot.version, env.payload.version) + 1
@@ -1355,6 +1621,32 @@ var SessionManager = class {
   }
 };
 
+// src/browser/hostedIssuerGuard.ts
+var HOSTED_ISSUER_MISMATCH_CODE = "IQAUTH_HOSTED_ISSUER_MISMATCH";
+var HOSTED_ISSUER_MISMATCH_DOCS_URL = "https://docs.dispositioniq.com/iqauth/errors#hosted-issuer-mismatch";
+function computeHostedIssuerMismatch(input) {
+  const {
+    nodeEnv,
+    fetchError,
+    explicitOverride,
+    resolvedBaseUrl,
+    managerIssuerUrl,
+    hostedIssuerUrl,
+    appKey
+  } = input;
+  if (nodeEnv === "production") return null;
+  if (!fetchError) return null;
+  if (explicitOverride) return null;
+  if (!managerIssuerUrl || !hostedIssuerUrl) return null;
+  if (resolvedBaseUrl !== managerIssuerUrl) return null;
+  if (resolvedBaseUrl === hostedIssuerUrl) return null;
+  const e = new Error(
+    `[IQAuth] ${HOSTED_ISSUER_MISMATCH_CODE}: <SignIn /> targeted "${resolvedBaseUrl}" (inherited from <IQAuthProvider issuer="\u2026"/>), but that host does not serve /api/public/apps/${appKey}/sign-in-context. The hosted UI lives at the publishable key's issuer: "${hostedIssuerUrl}". Fix: drop the <IQAuthProvider issuer="\u2026"/> override so the SDK uses the publishable key's iss, OR pass <SignIn iqAuthBaseUrl="${hostedIssuerUrl}"/> explicitly. Docs: ${HOSTED_ISSUER_MISMATCH_DOCS_URL}. Underlying fetch error: ${fetchError}`
+  );
+  e.code = HOSTED_ISSUER_MISMATCH_CODE;
+  return e;
+}
+
 // src/react/index.tsx
 init_signIn();
 
@@ -1540,6 +1832,7 @@ var enUS = {
   "signIn.useDifferentAccount": "Use a different account",
   "signIn.selectTenant": "Choose an organization",
   "signIn.selectTenantSubtitle": "You belong to multiple organizations. Pick one to continue.",
+  "signIn.selectScope": "Choose scope",
   "signIn.dividerOr": "or",
   "signIn.preparingExperience": "Preparing your sign-in experience.",
   "signIn.applicationUnavailable": "Application unavailable",
@@ -1628,6 +1921,11 @@ var enUS = {
   "orgSwitcher.createNew": "Create organization",
   "orgSwitcher.manage": "Manage organization",
   "orgSwitcher.noOrgs": "You don't belong to any organizations yet.",
+  "orgSwitcher.mfaRequiredTitle": "Two-factor verification required",
+  "orgSwitcher.mfaRequiredBody": "This organization requires an extra verification step. Continue in the hosted sign-in to finish switching.",
+  "orgSwitcher.scopeSelectionRequiredTitle": "Choose what to access",
+  "orgSwitcher.scopeSelectionRequiredBody": "This organization needs you to pick which workspace to open. Continue in the hosted sign-in to choose.",
+  "orgSwitcher.continueInHostedSignIn": "Continue in hosted sign-in \u2192",
   "orgProfile.title": "Organization settings",
   "orgProfile.generalTab": "General",
   "orgProfile.membersTab": "Members",
@@ -1738,6 +2036,7 @@ function sanitizeReturnTo(input, options = {}) {
   if (!input || typeof input !== "string") return fallback;
   const trimmed = input.trim();
   if (!trimmed) return fallback;
+  if (trimmed.includes("\\")) return fallback;
   if (trimmed.startsWith("//")) return fallback;
   if (trimmed.startsWith("/") || trimmed.startsWith("#") || trimmed.startsWith("?")) {
     return trimmed;
@@ -1909,6 +2208,9 @@ function IQAuthProvider({
   );
   return (0, import_react.createElement)(IQAuthContext.Provider, { value }, children);
 }
+function __useIQAuthInternal() {
+  return useCtx();
+}
 function useCtx() {
   const ctx = (0, import_react.useContext)(IQAuthContext);
   if (!ctx) throw new Error("IQAuth hooks must be used inside <IQAuthProvider>");
@@ -2220,6 +2522,65 @@ function RedirectToSignIn(props = {}) {
   }
   return null;
 }
+async function performScopeSwitch(manager, base, target) {
+  const res = await manager.fetch(`${base}/api/v1/auth/switch-scope`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ scopeType: target.type, scopeId: target.id })
+  });
+  const body = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    throw new Error(body?.error?.message || `HTTP ${res.status}`);
+  }
+  const newToken = body?.data?.accessToken;
+  if (newToken) {
+    manager.adoptAccessToken(newToken);
+    void manager.refresh().catch(() => void 0);
+    return;
+  }
+  const ok = await manager.refresh();
+  if (!ok) {
+    throw new Error("scope switch succeeded server-side but token refresh failed; reload to recover");
+  }
+}
+async function performTenantSwitch(manager, base, tenantId) {
+  const res = await manager.fetch(`${base.replace(/\/$/, "")}/api/v1/auth/select-tenant`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ tenantId })
+  });
+  const body = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    throw new Error(body?.error?.message || `HTTP ${res.status}`);
+  }
+  if (body?.data?.mfaChallengeToken) {
+    return {
+      kind: "mfa_required",
+      tenantId: body?.data?.tenantId || tenantId,
+      mfaChallengeToken: body.data.mfaChallengeToken,
+      availableMethods: Array.isArray(body.data.availableMethods) ? body.data.availableMethods : []
+    };
+  }
+  if (body?.data?.type === "scope_selection" || body?.data?.scopeSelectionToken) {
+    return {
+      kind: "scope_selection_required",
+      tenantId: body?.data?.tenantId || tenantId,
+      scopeSelectionToken: body?.data?.scopeSelectionToken || "",
+      scopes: Array.isArray(body?.data?.scopes) ? body.data.scopes : []
+    };
+  }
+  const newToken = body?.data?.accessToken;
+  if (newToken) {
+    manager.adoptAccessToken(newToken);
+    void manager.refresh().catch(() => void 0);
+    return { kind: "ok", tenantId: body?.data?.user?.tenantId || tenantId };
+  }
+  const ok = await manager.refresh();
+  if (!ok) {
+    throw new Error("tenant switch succeeded server-side but token refresh failed; reload to recover");
+  }
+  return { kind: "ok", tenantId };
+}
 function asArray(v) {
   if (v == null) return [];
   return Array.isArray(v) ? v : [v];
@@ -2246,7 +2607,14 @@ function claimPermissions(c) {
   }
   return Array.from(out);
 }
-function Protect({ role, permission, condition, fallback = null, children }) {
+function claimSatisfiesScope(claims, required) {
+  if (!claims) return false;
+  const ctx = claims.scopeContext;
+  if (!ctx || !ctx.type || !ctx.id) return false;
+  const list = Array.isArray(required) ? required : [required];
+  return list.some((r) => r.type === ctx.type && r.id === ctx.id);
+}
+function Protect({ role, permission, scope, condition, fallback = null, children }) {
   const { snapshot } = useCtx();
   if (snapshot.status !== "authenticated") return (0, import_react.createElement)(import_react.Fragment, null, fallback);
   const wantedRoles = asArray(role);
@@ -2259,6 +2627,9 @@ function Protect({ role, permission, condition, fallback = null, children }) {
     const have = new Set(claimPermissions(snapshot.claims));
     if (!wantedPerms.some((p) => have.has(p))) return (0, import_react.createElement)(import_react.Fragment, null, fallback);
   }
+  if (scope) {
+    if (!claimSatisfiesScope(snapshot.claims, scope)) return (0, import_react.createElement)(import_react.Fragment, null, fallback);
+  }
   if (condition && !condition(snapshot.claims)) return (0, import_react.createElement)(import_react.Fragment, null, fallback);
   return (0, import_react.createElement)(import_react.Fragment, null, children);
 }
@@ -2815,12 +3186,54 @@ function isSilentSsoEligible(ctx, effectivePrompt) {
   if (!ctx.returnAllowed) return false;
   return true;
 }
+function resolveAfterSignInDestination(args) {
+  let raw = args.prop ?? null;
+  if (!raw && typeof args.search === "string") {
+    try {
+      const params = new URLSearchParams(args.search);
+      raw = params.get("return_to") ?? params.get("next");
+    } catch {
+    }
+  }
+  return sanitizeReturnTo(raw, {
+    allowedOrigins: args.allowedOrigins,
+    currentOrigin: args.currentOrigin,
+    fallback: "/"
+  });
+}
 function SignIn(props) {
   const providerCtx = (0, import_react.useContext)(IQAuthContext);
-  const iqAuthBaseUrl = props.iqAuthBaseUrl ?? providerCtx?.manager.issuerUrl ?? "";
+  const iqAuthBaseUrl = props.iqAuthBaseUrl ?? providerCtx?.manager.hostedIssuerUrl ?? "";
   const appKey = props.appKey ?? providerCtx?.manager.appKey ?? "";
   const returnTo = props.returnTo ?? (typeof window !== "undefined" ? `${window.location.origin}/api/iqauth/callback` : "");
-  const { onRedirect, className, prompt, appearance: instanceAppearance, silentSso: instanceSilentSso } = props;
+  const afterSignInUrl = resolveAfterSignInDestination({
+    prop: props.afterSignInUrl,
+    search: typeof window !== "undefined" ? window.location.search : "",
+    allowedOrigins: providerCtx?.allowedReturnOrigins
+  });
+  const { onRedirect, className, prompt, appearance: instanceAppearance, silentSso: instanceSilentSso, scopeHint: scopeHintProp } = props;
+  const effectiveScopeHint = (() => {
+    const fromProp = scopeHintProp ?? null;
+    let raw = fromProp;
+    if (!raw && typeof window !== "undefined") {
+      try {
+        raw = new URLSearchParams(window.location.search).get("scope_hint");
+      } catch {
+      }
+    }
+    if (!raw) return null;
+    if (typeof raw === "object" && raw && raw.type && raw.id) {
+      const t3 = raw.type;
+      if (t3 === "vendor" || t3 === "source" || t3 === "client") return { type: t3, id: String(raw.id) };
+      return null;
+    }
+    if (typeof raw === "string" && raw.includes(":")) {
+      const [t3, id] = raw.split(":", 2);
+      if ((t3 === "vendor" || t3 === "source" || t3 === "client") && id) return { type: t3, id };
+    }
+    return null;
+  })();
+  const scopeHintBody = effectiveScopeHint ? { scopeHint: effectiveScopeHint } : {};
   const silentSsoEnabled = instanceSilentSso ?? providerCtx?.silentSso ?? false;
   const appearance = instanceAppearance && providerCtx?.appearance ? { elements: { ...providerCtx.appearance.elements, ...instanceAppearance.elements } } : instanceAppearance ?? providerCtx?.appearance ?? null;
   if (!iqAuthBaseUrl || !appKey) {
@@ -2831,6 +3244,21 @@ function SignIn(props) {
   const t2 = useT();
   const localeBundle = useLocale();
   const { ctx, loading, error } = useIQAuthSignInContext(iqAuthBaseUrl, appKey, returnTo);
+  const guardError = computeHostedIssuerMismatch({
+    nodeEnv: typeof process !== "undefined" ? process.env?.NODE_ENV : void 0,
+    fetchError: error,
+    explicitOverride: !!props.iqAuthBaseUrl,
+    resolvedBaseUrl: iqAuthBaseUrl,
+    managerIssuerUrl: providerCtx?.manager.issuerUrl,
+    hostedIssuerUrl: providerCtx?.manager.hostedIssuerUrl,
+    appKey
+  });
+  if (guardError) throw guardError;
+  (0, import_react.useEffect)(() => {
+    if (typeof document === "undefined") return;
+    const attrs = "; path=/; SameSite=Lax" + (typeof window !== "undefined" && window.location.protocol === "https:" ? "; Secure" : "");
+    document.cookie = `iqauth_return_to=${encodeURIComponent(afterSignInUrl)}${attrs}`;
+  }, [afterSignInUrl]);
   const preflightLoggedRef = (0, import_react.useRef)(false);
   (0, import_react.useEffect)(() => {
     if (!ctx || preflightLoggedRef.current) return;
@@ -2846,6 +3274,7 @@ function SignIn(props) {
   const [formError, setFormError] = (0, import_react.useState)("");
   const [mfa, setMfa] = (0, import_react.useState)(null);
   const [tenantSel, setTenantSel] = (0, import_react.useState)(null);
+  const [scopeSel, setScopeSel] = (0, import_react.useState)(null);
   const [oauthExchanging, setOauthExchanging] = (0, import_react.useState)(false);
   const [silent, setSilent] = (0, import_react.useState)("idle");
   const [forcePrompt, setForcePrompt] = (0, import_react.useState)(false);
@@ -2876,6 +3305,12 @@ function SignIn(props) {
       setTenantSel({ token: payload.tenantSelectionToken, tenants: payload.tenants || [] });
       return true;
     }
+    if (payload.type === "scope_selection") {
+      setScopeSel({ token: payload.scopeSelectionToken, tenantId: payload.tenantId, scopes: payload.scopes || [] });
+      setTenantSel(null);
+      setMfa(null);
+      return true;
+    }
     if (payload.type === "mfa_required") {
       const methods = payload.availableMethods || ["totp"];
       setMfa({ token: payload.mfaChallengeToken, methods, selected: methods[0], code: "", backup: false });
@@ -2896,7 +3331,7 @@ function SignIn(props) {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         credentials: "include",
-        body: JSON.stringify({ email, password, ...oidcPayload() })
+        body: JSON.stringify({ email, password, ...oidcPayload(), ...scopeHintBody })
       });
       const payload = await r.json().catch(() => ({}));
       if (!handlePayload(payload)) setFormError(localizeError(localeBundle, { code: payload.error, message: payload.error_description }));
@@ -2919,7 +3354,8 @@ function SignIn(props) {
         code: mfa.code,
         method: mfa.selected,
         useBackup: mfa.backup,
-        ...oidcPayload()
+        ...oidcPayload(),
+        ...scopeHintBody
       })
     });
     const payload = await r.json().catch(() => ({}));
@@ -2934,7 +3370,21 @@ function SignIn(props) {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       credentials: "include",
-      body: JSON.stringify({ tenantSelectionToken: tenantSel.token, tenantId, ...oidcPayload() })
+      body: JSON.stringify({ tenantSelectionToken: tenantSel.token, tenantId, ...oidcPayload(), ...scopeHintBody })
+    });
+    const payload = await r.json().catch(() => ({}));
+    if (!handlePayload(payload)) setFormError(localizeError(localeBundle, { code: payload.error, message: payload.error_description }));
+    setSubmitting(false);
+  };
+  const submitScope = async (membershipId) => {
+    if (!scopeSel) return;
+    setSubmitting(true);
+    setFormError("");
+    const r = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/oidc/sso-scope-select`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      credentials: "include",
+      body: JSON.stringify({ scopeSelectionToken: scopeSel.token, membershipId, ...oidcPayload(), ...scopeHintBody })
     });
     const payload = await r.json().catch(() => ({}));
     if (!handlePayload(payload)) setFormError(localizeError(localeBundle, { code: payload.error, message: payload.error_description }));
@@ -3002,6 +3452,11 @@ function SignIn(props) {
           setSilent("failed");
           return;
         }
+        if (payload?.type === "scope_selection") {
+          setScopeSel({ token: payload.scopeSelectionToken, tenantId: payload.tenantId, scopes: payload.scopes || [] });
+          setSilent("failed");
+          return;
+        }
         setSilent("failed");
       } catch {
         setSilent("failed");
@@ -3013,6 +3468,7 @@ function SignIn(props) {
     setForcePrompt(true);
     setSilent("skipped");
     setTenantSel(null);
+    setScopeSel(null);
     if (typeof window !== "undefined") {
       try {
         const u = new URL(window.location.href);
@@ -3083,7 +3539,27 @@ function SignIn(props) {
         ]
       },
       tn.tenantId
-    )) }) : mfa ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("form", { onSubmit: submitMfa, style: { display: "flex", flexDirection: "column", gap: 12 }, "aria-label": t2("mfa.title"), children: [
+    )) }) : scopeSel ? (
+      // Task #171 — scope picker (source/client memberships)
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { role: "radiogroup", "aria-label": t2("signIn.selectScope") || "Choose scope", "data-iqauth-scope-picker": "1", style: { display: "flex", flexDirection: "column", gap: 8 }, children: scopeSel.scopes.map((s) => /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
+        "button",
+        {
+          type: "button",
+          "data-iqauth-scope": s.membershipId,
+          onClick: () => submitScope(s.membershipId),
+          style: { textAlign: "left", padding: "10px 14px", border: "1px solid rgba(15,23,42,0.15)", borderRadius: 8, background: "transparent", color: "inherit", cursor: "pointer" },
+          children: [
+            /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { margin: 0, fontWeight: 500 }, children: s.scopeName }),
+            /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("p", { style: { margin: 0, fontSize: 12, opacity: 0.6 }, children: [
+              s.scopeType,
+              " \xB7 ",
+              s.roleName
+            ] })
+          ]
+        },
+        s.membershipId
+      )) })
+    ) : mfa ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("form", { onSubmit: submitMfa, style: { display: "flex", flexDirection: "column", gap: 12 }, "aria-label": t2("mfa.title"), children: [
       !mfa.backup && mfa.methods.length > 1 ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: t2("mfa.title"), children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("select", { style: inputStyle(), value: mfa.selected, onChange: (e) => setMfa({ ...mfa, selected: e.target.value }), children: mfa.methods.map((m) => /* @__PURE__ */ (0, import_jsx_runtime.jsx)("option", { value: m, children: m.toUpperCase() }, m)) }) }) : null,
       /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: mfa.backup ? t2("mfa.backupCodeLabel") : t2("mfa.totpLabel"), children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
         "input",
@@ -3375,9 +3851,12 @@ function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, appearance: _appearan
   const t2 = useT();
   const branding = useResolvedSdkBranding(iqAuthBaseUrl);
   const accent = branding?.accentColor || "#6366f1";
+  const { manager } = useCtx();
   const [memberships, setMemberships] = (0, import_react.useState)([]);
   const [activeTenantId, setActiveTenantId] = (0, import_react.useState)(null);
   const [open, setOpen] = (0, import_react.useState)(false);
+  const [pendingStep, setPendingStep] = (0, import_react.useState)(null);
+  const [switchError, setSwitchError] = (0, import_react.useState)(null);
   (0, import_react.useEffect)(() => {
     fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()).then((p) => {
       if (p?.data?.tenantId) setActiveTenantId(p.data.tenantId);
@@ -3387,18 +3866,48 @@ function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, appearance: _appearan
     });
   }, [iqAuthBaseUrl]);
   const switchTo = async (tenantId) => {
+    setSwitchError(null);
+    setPendingStep(null);
     try {
-      await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/select-tenant`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ tenantId })
-      });
+      const result = await performTenantSwitch(manager, iqAuthBaseUrl, tenantId);
+      if (result.kind === "mfa_required") {
+        setPendingStep({
+          kind: "mfa_required",
+          tenantId: result.tenantId,
+          mfaChallengeToken: result.mfaChallengeToken,
+          availableMethods: result.availableMethods
+        });
+        return;
+      }
+      if (result.kind === "scope_selection_required") {
+        setPendingStep({
+          kind: "scope_selection_required",
+          tenantId: result.tenantId,
+          scopeSelectionToken: result.scopeSelectionToken
+        });
+        return;
+      }
       setActiveTenantId(tenantId);
       setOpen(false);
       onSwitched?.(tenantId);
-    } catch {
+    } catch (err) {
+      setSwitchError(err instanceof Error ? err.message : "Failed to switch organization");
     }
   };
+  const hostedSignInUrl = () => {
+    const baseHosted = `${iqAuthBaseUrl.replace(/\/$/, "")}/sign-in`;
+    if (!pendingStep) return baseHosted;
+    const params = new URLSearchParams();
+    if (pendingStep.kind === "mfa_required") {
+      params.set("mfaChallengeToken", pendingStep.mfaChallengeToken);
+      if (pendingStep.availableMethods.length) {
+        params.set("availableMethods", pendingStep.availableMethods.join(","));
+      }
+    } else {
+      params.set("prompt", "login");
+    }
+    return `${baseHosted}?${params.toString()}`;
+  };
   const active = memberships.find((m) => m.tenantId === activeTenantId);
   return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
     "div",
@@ -3419,44 +3928,274 @@ function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, appearance: _appearan
             children: active?.tenantName || active?.tenantSlug || t2("orgSwitcher.label")
           }
         ),
-        open ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { role: "menu", style: {
+        open ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { role: "menu", style: {
           position: "absolute",
           left: 0,
           top: 36,
-          minWidth: 220,
+          minWidth: 260,
           background: "#fff",
           border: "1px solid rgba(15,23,42,0.12)",
           borderRadius: 8,
           boxShadow: "0 4px 12px rgba(0,0,0,0.08)",
           padding: 8,
           zIndex: 100
-        }, children: memberships.length === 0 ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { fontSize: 13, opacity: 0.6, padding: "4px 6px" }, children: t2("orgSwitcher.noOrgs") }) : memberships.map((m) => /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
+        }, children: [
+          memberships.length === 0 ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { fontSize: 13, opacity: 0.6, padding: "4px 6px" }, children: t2("orgSwitcher.noOrgs") }) : memberships.map((m) => /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
+            "button",
+            {
+              role: "menuitem",
+              type: "button",
+              onClick: () => switchTo(m.tenantId),
+              style: {
+                display: "block",
+                width: "100%",
+                textAlign: "left",
+                padding: "8px 10px",
+                background: m.tenantId === activeTenantId ? `${accent}14` : "transparent",
+                border: "none",
+                borderRadius: 4,
+                cursor: "pointer",
+                fontSize: 13,
+                color: "#0f172a"
+              },
+              children: [
+                /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontWeight: 500 }, children: m.tenantName || m.tenantSlug || m.tenantId }),
+                /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontSize: 11, opacity: 0.6 }, children: m.roles.join(", ") })
+              ]
+            },
+            m.tenantId
+          )),
+          pendingStep ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
+            "div",
+            {
+              "data-testid": pendingStep.kind === "mfa_required" ? "prompt-org-switch-mfa-required" : "prompt-org-switch-scope-required",
+              role: "alert",
+              style: {
+                marginTop: 8,
+                padding: "10px 12px",
+                background: `${accent}10`,
+                border: `1px solid ${accent}55`,
+                borderRadius: 6
+              },
+              children: [
+                /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontSize: 12, fontWeight: 600, color: "#0f172a", marginBottom: 4 }, children: pendingStep.kind === "mfa_required" ? t2("orgSwitcher.mfaRequiredTitle") : t2("orgSwitcher.scopeSelectionRequiredTitle") }),
+                /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontSize: 12, color: "#334155", marginBottom: 8 }, children: pendingStep.kind === "mfa_required" ? t2("orgSwitcher.mfaRequiredBody") : t2("orgSwitcher.scopeSelectionRequiredBody") }),
+                /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+                  "a",
+                  {
+                    href: hostedSignInUrl(),
+                    "data-testid": "link-org-switch-continue-hosted",
+                    style: {
+                      display: "inline-block",
+                      fontSize: 12,
+                      fontWeight: 600,
+                      color: branding?.accentColor || accent,
+                      textDecoration: "none"
+                    },
+                    children: t2("orgSwitcher.continueInHostedSignIn")
+                  }
+                )
+              ]
+            }
+          ) : null,
+          switchError ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { "data-testid": "text-org-switch-error", style: { fontSize: 12, color: "#b91c1c", padding: "6px 8px 0" }, children: switchError }) : null
+        ] }) : null
+      ]
+    }
+  );
+}
+function useMemberships() {
+  const { manager, snapshot } = useCtx();
+  const [memberships, setMemberships] = (0, import_react.useState)([]);
+  const [isLoading, setIsLoading] = (0, import_react.useState)(true);
+  const [error, setError] = (0, import_react.useState)(null);
+  const base = manager.issuerUrl.replace(/\/$/, "");
+  const refresh = (0, import_react.useCallback)(async () => {
+    setIsLoading(true);
+    setError(null);
+    try {
+      const res = await manager.fetch(`${base}/api/v1/auth/available-scopes`);
+      const json = await res.json().catch(() => ({}));
+      if (!res.ok) throw new Error(json?.error?.message || `HTTP ${res.status}`);
+      const tree = json.data || {};
+      const flat = [];
+      for (const v of tree.vendors || []) {
+        flat.push({
+          membershipId: v.membershipId,
+          scopeType: "vendor",
+          scopeId: v.id,
+          scopeName: v.name,
+          role: v.role,
+          grantedVia: v.grantedVia || "direct"
+        });
+      }
+      for (const s of tree.sources || []) {
+        flat.push({
+          membershipId: s.membershipId,
+          scopeType: "source",
+          scopeId: s.id,
+          scopeName: s.name,
+          role: s.role,
+          grantedVia: s.grantedVia || "direct"
+        });
+      }
+      for (const c of tree.clients || []) {
+        flat.push({
+          membershipId: c.membershipId,
+          scopeType: "client",
+          scopeId: c.id,
+          scopeName: c.name,
+          role: c.role,
+          grantedVia: c.grantedVia || "direct"
+        });
+      }
+      setMemberships(flat);
+    } catch (err) {
+      setError(err.message);
+      setMemberships([]);
+    } finally {
+      setIsLoading(false);
+    }
+  }, [manager, base]);
+  (0, import_react.useEffect)(() => {
+    if (snapshot.status !== "authenticated") {
+      setMemberships([]);
+      setIsLoading(false);
+      return;
+    }
+    void refresh();
+  }, [snapshot.status, snapshot.tenantId, refresh]);
+  const switchScope = (0, import_react.useCallback)(
+    (target) => performScopeSwitch(manager, base, target),
+    [manager, base]
+  );
+  const active = (0, import_react.useMemo)(() => {
+    const ctx = snapshot.user?.scopeContext;
+    if (!ctx) return null;
+    return {
+      type: ctx.type,
+      id: ctx.id,
+      role: ctx.role,
+      membershipId: ctx.membershipId
+    };
+  }, [snapshot.user, snapshot.version]);
+  return { isLoading, error, memberships, active, refresh, switchScope };
+}
+function ScopeSwitcher({ onSwitched, include, className }) {
+  const { memberships, active, isLoading, error, switchScope } = useMemberships();
+  const [open, setOpen] = (0, import_react.useState)(false);
+  const [busy, setBusy] = (0, import_react.useState)(null);
+  const [switchError, setSwitchError] = (0, import_react.useState)(null);
+  const visible = (0, import_react.useMemo)(
+    () => include ? memberships.filter((m) => include.includes(m.scopeType)) : memberships,
+    [memberships, include]
+  );
+  if (isLoading) {
+    return (0, import_react.createElement)(
+      "div",
+      { className, "data-testid": "scope-switcher-loading", style: { fontSize: 13, opacity: 0.6 } },
+      "Loading scopes\u2026"
+    );
+  }
+  if (error) {
+    return (0, import_react.createElement)(
+      "div",
+      { className, "data-testid": "scope-switcher-error", style: { fontSize: 13, color: "#b91c1c" } },
+      error
+    );
+  }
+  if (!visible.length) return null;
+  const activeLabel = active ? visible.find((m) => m.scopeType === active.type && m.scopeId === active.id)?.scopeName || `${active.type}:${active.id}` : "Select a scope";
+  return (0, import_react.createElement)(
+    "div",
+    { className, "data-testid": "scope-switcher", style: { position: "relative", display: "inline-block" } },
+    (0, import_react.createElement)(
+      "button",
+      {
+        type: "button",
+        "data-testid": "scope-switcher-trigger",
+        onClick: () => setOpen((v) => !v),
+        style: {
+          padding: "6px 10px",
+          border: "1px solid #e5e7eb",
+          borderRadius: 6,
+          background: "#fff",
+          cursor: "pointer",
+          fontSize: 13
+        }
+      },
+      active ? `${active.type}: ${activeLabel}` : activeLabel
+    ),
+    switchError ? (0, import_react.createElement)(
+      "div",
+      {
+        "data-testid": "scope-switcher-switch-error",
+        style: { marginTop: 4, fontSize: 12, color: "#b91c1c" }
+      },
+      switchError
+    ) : null,
+    open ? (0, import_react.createElement)(
+      "div",
+      {
+        "data-testid": "scope-switcher-menu",
+        style: {
+          position: "absolute",
+          top: "100%",
+          left: 0,
+          marginTop: 4,
+          minWidth: 220,
+          background: "#fff",
+          border: "1px solid #e5e7eb",
+          borderRadius: 6,
+          boxShadow: "0 4px 12px rgba(0,0,0,0.08)",
+          padding: 4,
+          zIndex: 50
+        }
+      },
+      visible.map((m) => {
+        const isActive = active?.type === m.scopeType && active?.id === m.scopeId;
+        const key = `${m.scopeType}:${m.scopeId}`;
+        return (0, import_react.createElement)(
           "button",
           {
-            role: "menuitem",
+            key,
             type: "button",
-            onClick: () => switchTo(m.tenantId),
+            "data-testid": `scope-switcher-option-${m.scopeType}-${m.scopeId}`,
+            disabled: busy === key,
+            onClick: async () => {
+              setBusy(key);
+              setSwitchError(null);
+              try {
+                await switchScope({ type: m.scopeType, id: m.scopeId });
+                setOpen(false);
+                onSwitched?.({ type: m.scopeType, id: m.scopeId });
+              } catch (err) {
+                setSwitchError(err.message || "Scope switch failed");
+              } finally {
+                setBusy(null);
+              }
+            },
             style: {
               display: "block",
               width: "100%",
               textAlign: "left",
               padding: "8px 10px",
-              background: m.tenantId === activeTenantId ? `${accent}14` : "transparent",
               border: "none",
+              background: isActive ? "#f3f4f6" : "transparent",
+              cursor: busy ? "wait" : "pointer",
               borderRadius: 4,
-              cursor: "pointer",
-              fontSize: 13,
-              color: "#0f172a"
-            },
-            children: [
-              /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontWeight: 500 }, children: m.tenantName || m.tenantSlug || m.tenantId }),
-              /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontSize: 11, opacity: 0.6 }, children: m.roles.join(", ") })
-            ]
+              fontSize: 13
+            }
           },
-          m.tenantId
-        )) }) : null
-      ]
-    }
+          (0, import_react.createElement)("div", { style: { fontWeight: 500 } }, m.scopeName),
+          (0, import_react.createElement)(
+            "div",
+            { style: { fontSize: 11, opacity: 0.6 } },
+            `${m.scopeType} \xB7 ${m.role}${m.grantedVia && m.grantedVia !== "direct" ? ` \xB7 via ${m.grantedVia}` : ""}`
+          )
+        );
+      })
+    ) : null
   );
 }
 function useImpersonation() {
@@ -4069,10 +4808,13 @@ function OrganizationList({ iqAuthBaseUrl, onSelect, showCreate = true, createRe
   const branding = useResolvedSdkBranding(iqAuthBaseUrl);
   const baseUrl = iqAuthBaseUrl.replace(/\/$/, "");
   const accent = branding?.accentColor || "#6366f1";
+  const t2 = useT();
+  const { manager } = useCtx();
   const [memberships, setMemberships] = (0, import_react.useState)([]);
   const [activeTenantId, setActiveTenantId] = (0, import_react.useState)(null);
   const [loading, setLoading] = (0, import_react.useState)(true);
   const [error, setError] = (0, import_react.useState)(null);
+  const [pendingStep, setPendingStep] = (0, import_react.useState)(null);
   (0, import_react.useEffect)(() => {
     let cancelled = false;
     Promise.all([
@@ -4096,21 +4838,81 @@ function OrganizationList({ iqAuthBaseUrl, onSelect, showCreate = true, createRe
       onSelect?.(tenantId);
       return;
     }
+    setError(null);
+    setPendingStep(null);
     try {
-      await jsonFetch(`${baseUrl}/api/v1/auth/select-tenant`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        credentials: "include",
-        body: JSON.stringify({ tenantId })
-      });
+      const result = await performTenantSwitch(manager, iqAuthBaseUrl, tenantId);
+      if (result.kind === "mfa_required") {
+        setPendingStep({
+          kind: "mfa_required",
+          tenantId: result.tenantId,
+          mfaChallengeToken: result.mfaChallengeToken,
+          availableMethods: result.availableMethods
+        });
+        return;
+      }
+      if (result.kind === "scope_selection_required") {
+        setPendingStep({
+          kind: "scope_selection_required",
+          tenantId: result.tenantId,
+          scopeSelectionToken: result.scopeSelectionToken
+        });
+        return;
+      }
       setActiveTenantId(tenantId);
       onSelect?.(tenantId);
     } catch (err) {
       setError(err instanceof Error ? err.message : "Failed to switch organization");
     }
   };
+  const hostedSignInUrl = () => {
+    const baseHosted = `${baseUrl}/sign-in`;
+    if (!pendingStep) return baseHosted;
+    const params = new URLSearchParams();
+    if (pendingStep.kind === "mfa_required") {
+      params.set("mfaChallengeToken", pendingStep.mfaChallengeToken);
+      if (pendingStep.availableMethods.length) {
+        params.set("availableMethods", pendingStep.availableMethods.join(","));
+      }
+    } else {
+      params.set("prompt", "login");
+    }
+    return `${baseHosted}?${params.toString()}`;
+  };
   return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { appearance, branding, className, title: "Your organizations", subtitle: "Select an organization to make it active.", children: /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { "data-iqauth-sdk-org-list": "", style: { display: "flex", flexDirection: "column", gap: 8 }, children: [
     error ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: error }) : null,
+    pendingStep ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
+      "div",
+      {
+        "data-testid": pendingStep.kind === "mfa_required" ? "prompt-org-list-mfa-required" : "prompt-org-list-scope-required",
+        role: "alert",
+        style: {
+          padding: "10px 12px",
+          background: `${accent}10`,
+          border: `1px solid ${accent}55`,
+          borderRadius: 6
+        },
+        children: [
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontSize: 13, fontWeight: 600, color: "#0f172a", marginBottom: 4 }, children: pendingStep.kind === "mfa_required" ? t2("orgSwitcher.mfaRequiredTitle") : t2("orgSwitcher.scopeSelectionRequiredTitle") }),
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontSize: 12, color: "#334155", marginBottom: 8 }, children: pendingStep.kind === "mfa_required" ? t2("orgSwitcher.mfaRequiredBody") : t2("orgSwitcher.scopeSelectionRequiredBody") }),
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+            "a",
+            {
+              href: hostedSignInUrl(),
+              "data-testid": "link-org-list-continue-hosted",
+              style: {
+                display: "inline-block",
+                fontSize: 12,
+                fontWeight: 600,
+                color: branding?.accentColor || accent,
+                textDecoration: "none"
+              },
+              children: t2("orgSwitcher.continueInHostedSignIn")
+            }
+          )
+        ]
+      }
+    ) : null,
     loading ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { fontSize: 13 }, children: "Loading\u2026" }) : memberships.length === 0 ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { fontSize: 13, opacity: 0.6 }, children: "You don\u2019t belong to any organizations yet." }) : /* @__PURE__ */ (0, import_jsx_runtime.jsx)("ul", { style: { listStyle: "none", padding: 0, margin: 0, display: "flex", flexDirection: "column", gap: 6 }, children: memberships.map((m) => {
       const active = m.tenantId === activeTenantId;
       return /* @__PURE__ */ (0, import_jsx_runtime.jsx)("li", { children: /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
@@ -4148,8 +4950,8 @@ function OrganizationList({ iqAuthBaseUrl, onSelect, showCreate = true, createRe
           iqAuthBaseUrl,
           unstyled: true,
           appearance,
-          onCreated: (t2) => {
-            onSelect?.(t2.id);
+          onCreated: (t3) => {
+            onSelect?.(t3.id);
             reloadList();
           },
           redirectUrl: createRedirectUrl
@@ -4402,6 +5204,7 @@ var __version__ = "phase-bc-1.0.0";
   Protect,
   RedirectToSignIn,
   RedirectToSignedIn,
+  ScopeSwitcher,
   SignIn,
   SignUp,
   SignedIn,
@@ -4409,10 +5212,15 @@ var __version__ = "phase-bc-1.0.0";
   UserButton,
   UserProfile,
   Waitlist,
+  __useIQAuthInternal,
   __version__,
+  claimSatisfiesScope,
   isReturnToAllowed,
   isSilentSsoEligible,
+  performScopeSwitch,
+  performTenantSwitch,
   preflightReturnTo,
+  resolveAfterSignInDestination,
   revokeSession,
   sanitizeBrandCss,
   sanitizeReturnTo,
@@ -4426,6 +5234,7 @@ var __version__ = "phase-bc-1.0.0";
   useLinkedIdentities,
   useLocale,
   useMagicLink,
+  useMemberships,
   useOrganization,
   usePasskey,
   useResolvedSdkBranding,