@iqauth/sdk 2.6.4 → 2.8.1

package/dist/{chunk-DJIBN2N7.mjs → chunk-GN37E64I.mjs}

@@ -91,7 +91,7 @@ async function buildSignInUrl(manager, opts = {}) {
     returnTo,
     createdAt: Date.now()
   });
-  const url = new URL(opts.signInPath ?? DEFAULT_SIGN_IN_PATH, manager.issuerUrl);
+  const url = new URL(opts.signInPath ?? DEFAULT_SIGN_IN_PATH, manager.hostedIssuerUrl);
   url.searchParams.set("response_type", "code");
   url.searchParams.set("app", manager.appKey);
   url.searchParams.set("publishable_key", manager.publishableKey.raw);
@@ -106,33 +106,50 @@ async function buildSignInUrl(manager, opts = {}) {
   return url.toString();
 }
 async function redirectToSignIn(manager, opts = {}) {
-  const url = await buildSignInUrl(manager, opts);
-  if (typeof window === "undefined") {
-    throw new Error("redirectToSignIn requires a browser environment");
+  const t0 = Date.now();
+  let ok = false;
+  let code;
+  try {
+    const url = await buildSignInUrl(manager, opts);
+    if (typeof window === "undefined") {
+      code = "NO_WINDOW";
+      throw new Error("redirectToSignIn requires a browser environment");
+    }
+    ok = true;
+    manager.recordTiming("signIn", Date.now() - t0, true);
+    window.location.assign(url);
+  } catch (err) {
+    if (!ok) manager.recordTiming("signIn", Date.now() - t0, false, code ?? (err instanceof Error ? err.message : "ERROR"));
+    throw err;
   }
-  window.location.assign(url);
 }
 async function signIn(manager, opts = {}) {
   return redirectToSignIn(manager, opts);
 }
 async function handleAuthCallback(manager, options = {}) {
+  const t0 = Date.now();
+  const emit = (ok, code2) => manager.recordTiming("signIn", Date.now() - t0, ok, code2);
   const url = new URL(options.url ?? (typeof window !== "undefined" ? window.location.href : ""));
   const code = url.searchParams.get("code");
   const state = url.searchParams.get("state");
   const errorParam = url.searchParams.get("error");
   if (errorParam) {
+    emit(false, errorParam);
     return { ok: false, returnTo: "/", error: errorParam };
   }
   if (!code || !state) {
+    emit(false, "missing_code_or_state");
     return { ok: false, returnTo: "/", error: "missing_code_or_state" };
   }
   const record = loadPkce(state);
   if (!record) {
+    emit(false, "unknown_state");
     return { ok: false, returnTo: "/", error: "unknown_state" };
   }
   clearPkce(state);
   const fetchImpl = options.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : null);
   if (!fetchImpl) {
+    emit(false, "no_fetch");
     return { ok: false, returnTo: record.returnTo, error: "no_fetch" };
   }
   const tokenUrl = `${manager.issuerUrl}${options.tokenPath ?? DEFAULT_TOKEN_PATH}`;
@@ -151,10 +168,12 @@ async function handleAuthCallback(manager, options = {}) {
   const body = await res.json().catch(() => ({}));
   if (!res.ok) {
     const desc = body.error_description ?? body.error ?? "token_exchange_failed";
+    emit(false, desc);
     return { ok: false, returnTo: record.returnTo, error: desc };
   }
   const tokens = body;
   if (!tokens.access_token) {
+    emit(false, "missing_access_token");
     return { ok: false, returnTo: record.returnTo, error: "missing_access_token" };
   }
   if (tokens.refresh_token) {
@@ -162,21 +181,24 @@ async function handleAuthCallback(manager, options = {}) {
     setCookie(cookieName, tokens.refresh_token, { maxAgeSeconds: 60 * 60 * 24 * 30 });
   }
   manager.applyAccessToken(tokens.access_token, tokens.refresh_token);
+  emit(true);
   return { ok: true, returnTo: record.returnTo };
 }
 async function signOut(manager, opts = {}) {
   if (!opts.localOnly) {
     const issuer = manager.issuerUrl.replace(/\/$/, "");
+    const idempotency = manager.getIdempotencyToken();
     try {
       const url = `${issuer}${opts.logoutPath ?? DEFAULT_LOGOUT_PATH}`;
-      await manager.fetch(url, { method: "POST" }).catch(() => void 0);
+      await manager.fetch(url, { method: "POST", headers: { "X-IQAuth-Idempotency": idempotency } }).catch(() => void 0);
     } catch {
     }
     if (opts.endSsoSession !== false) {
       try {
         await fetch(`${issuer}${DEFAULT_SSO_LOGOUT_PATH}`, {
           method: "POST",
-          credentials: "include"
+          credentials: "include",
+          headers: { "X-IQAuth-Idempotency": idempotency }
         }).catch(() => void 0);
       } catch {
       }

package/dist/{chunk-WQWBJSSS.mjs → chunk-HVHNYPDC.mjs}

@@ -1,6 +1,6 @@
 import {
   IQAuthError
-} from "./chunk-6I6RM4MN.mjs";
+} from "./chunk-6PJRLRB4.mjs";
 import {
   __require
 } from "./chunk-Y6FXYEAI.mjs";
@@ -64,14 +64,14 @@ function assertPublishableKey(raw, opts) {
   const ctx = opts?.context ? `${opts.context}: ` : "";
   if (typeof raw !== "string" || raw.length === 0) {
     throw new IQAuthError(
-      "CONFIG_INVALID",
+      "config_invalid",
       `${ctx}IQAuth publishable key is missing. Set IQAUTH_PUBLISHABLE_KEY (or pass publishableKey) to a pk_test_\u2026 or pk_live_\u2026 value from the IQAuth admin console.`
     );
   }
   const shapeMatch = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
   if (!shapeMatch) {
     throw new IQAuthError(
-      "CONFIG_INVALID",
+      "config_invalid",
       `${ctx}IQAuth publishable key is malformed (got ${raw.slice(0, 12)}\u2026). Expected pk_test_\u2026 or pk_live_\u2026; regenerate the key from the IQAuth admin console.`
     );
   }
@@ -80,19 +80,19 @@ function assertPublishableKey(raw, opts) {
     decoded = JSON.parse(b64urlDecode(shapeMatch[2]));
   } catch {
     throw new IQAuthError(
-      "CONFIG_INVALID",
+      "config_invalid",
       `${ctx}IQAuth publishable key payload is not valid base64url JSON. Regenerate the key from the IQAuth admin console.`
     );
   }
   if (!isPublishableKeyPayload(decoded)) {
     throw new IQAuthError(
-      "CONFIG_INVALID",
+      "config_invalid",
       `${ctx}IQAuth publishable key payload is missing required fields {iss, appId, tenantId, kid}. Regenerate the key from the IQAuth admin console.`
     );
   }
   if (!isValidIssuerUrl(decoded.iss)) {
     throw new IQAuthError(
-      "CONFIG_INVALID",
+      "config_invalid",
       `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console \u2014 the new key will encode a valid issuer URL.`
     );
   }

package/dist/chunk-JRDVUWAL.mjs

@@ -0,0 +1,46 @@
+// src/browser/returnTo.ts
+function normalizeOrigin(o) {
+  try {
+    return new URL(o).origin;
+  } catch {
+    return o.replace(/\/+$/, "");
+  }
+}
+function sanitizeReturnTo(input, options = {}) {
+  const fallback = options.fallback ?? "/";
+  if (!input || typeof input !== "string") return fallback;
+  const trimmed = input.trim();
+  if (!trimmed) return fallback;
+  if (trimmed.includes("\\")) return fallback;
+  if (trimmed.startsWith("//")) return fallback;
+  if (trimmed.startsWith("/") || trimmed.startsWith("#") || trimmed.startsWith("?")) {
+    return trimmed;
+  }
+  if (!/^[a-z][a-z0-9+\-.]*:/i.test(trimmed)) {
+    return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
+  }
+  let parsed;
+  try {
+    parsed = new URL(trimmed);
+  } catch {
+    return fallback;
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return fallback;
+  const currentOrigin = options.currentOrigin ?? (typeof window !== "undefined" ? window.location.origin : "");
+  const allowed = /* @__PURE__ */ new Set();
+  if (currentOrigin) allowed.add(normalizeOrigin(currentOrigin));
+  for (const o of options.allowedOrigins ?? []) allowed.add(normalizeOrigin(o));
+  if (allowed.has(parsed.origin)) return parsed.toString();
+  return fallback;
+}
+function isReturnToAllowed(input, options = {}) {
+  const fallback = options.fallback ?? "/";
+  const out = sanitizeReturnTo(input, options);
+  if (!input) return false;
+  return out !== fallback || input === fallback;
+}
+
+export {
+  sanitizeReturnTo,
+  isReturnToAllowed
+};

package/dist/{chunk-UNYDG2L4.mjs → chunk-NUO2I65G.mjs}

@@ -1,6 +1,6 @@
 import {
   IQAuthError
-} from "./chunk-6I6RM4MN.mjs";
+} from "./chunk-6PJRLRB4.mjs";
 import {
   __require
 } from "./chunk-Y6FXYEAI.mjs";
@@ -23,6 +23,18 @@ var DEFAULT_TOKEN_AUDIENCE = [
   "iqvalidate"
 ];
 var DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
+function classifyJoseError(err) {
+  if (err instanceof joseErrors.JWTExpired) {
+    return { code: "token_expired", message: "Token has expired" };
+  }
+  if (err instanceof joseErrors.JOSEError) {
+    return { code: "token_invalid", message: err.message };
+  }
+  if (err instanceof Error) {
+    return { code: "token_invalid", message: err.message };
+  }
+  return { code: "token_invalid", message: "Token verification failed" };
+}
 function decodeProtectedHeader(token) {
   const parts = token.split(".");
   if (parts.length < 2) return null;
@@ -59,11 +71,11 @@ var TokensModule = class {
   async verify(token, options = {}) {
     const header = decodeProtectedHeader(token);
     if (!header) {
-      throw new IQAuthError("TOKEN_INVALID", "Unable to decode token");
+      throw new IQAuthError("token_invalid", "Unable to decode token");
     }
     const kid = header.kid;
     if (!kid) {
-      throw new IQAuthError("TOKEN_INVALID", "Token missing kid header");
+      throw new IQAuthError("token_invalid", "Token missing kid header");
     }
     let cache = await this.ensureCache();
     if (!cache.byKid.has(kid)) {
@@ -71,7 +83,7 @@ var TokensModule = class {
       cache = await this.ensureCache();
     }
     if (!cache.byKid.has(kid)) {
-      throw new IQAuthError("TOKEN_INVALID", `Unknown key ID: ${kid}`);
+      throw new IQAuthError("token_invalid", `Unknown key ID: ${kid}`);
     }
     const issuer = options.issuer ?? this.defaultIssuer;
     const audience = options.audience ?? this.defaultAudience;
@@ -87,16 +99,8 @@ var TokensModule = class {
       const { payload } = await jwtVerify(token, cache.verifier, verifyOptions);
       return payload;
     } catch (err) {
-      if (err instanceof joseErrors.JWTExpired) {
-        throw new IQAuthError("TOKEN_EXPIRED", "Token has expired");
-      }
-      if (err instanceof joseErrors.JOSEError) {
-        throw new IQAuthError("TOKEN_INVALID", err.message);
-      }
-      if (err instanceof Error) {
-        throw new IQAuthError("TOKEN_INVALID", err.message);
-      }
-      throw new IQAuthError("TOKEN_INVALID", "Token verification failed");
+      const classified = classifyJoseError(err);
+      throw new IQAuthError(classified.code, classified.message, void 0, err);
     }
   }
   /**
@@ -138,7 +142,7 @@ var TokensModule = class {
   getClaims(token) {
     const claims = this.decode(token);
     if (!claims) {
-      throw new IQAuthError("TOKEN_INVALID", "Unable to decode token claims");
+      throw new IQAuthError("token_invalid", "Unable to decode token claims");
     }
     return claims;
   }
@@ -148,7 +152,7 @@ var TokensModule = class {
     }
     await this.refreshJwks();
     if (!this.jwksCache) {
-      throw new IQAuthError("INTERNAL_ERROR", "JWKS cache unavailable after refresh");
+      throw new IQAuthError("jwks_unavailable", "JWKS cache unavailable after refresh");
     }
     return this.jwksCache;
   }
@@ -158,22 +162,38 @@ var TokensModule = class {
     }
     this.inFlightRefresh = (async () => {
       try {
-        const res = await fetch(`${this.baseUrl}/.well-known/jwks.json`);
+        let res;
+        try {
+          res = await fetch(`${this.baseUrl}/.well-known/jwks.json`);
+        } catch (err) {
+          throw new IQAuthError(
+            "network",
+            err instanceof Error ? err.message : "JWKS fetch network error",
+            void 0,
+            err
+          );
+        }
         if (!res.ok) {
           throw new IQAuthError(
-            "INTERNAL_ERROR",
-            `Failed to fetch JWKS: ${res.status}`
+            "jwks_fetch_failed",
+            `Failed to fetch JWKS: ${res.status}`,
+            res.status
           );
         }
         let jwks;
         try {
           jwks = await res.json();
-        } catch {
-          throw new IQAuthError("INTERNAL_ERROR", "Malformed JWKS response: invalid JSON");
+        } catch (err) {
+          throw new IQAuthError(
+            "jwks_fetch_failed",
+            "Malformed JWKS response: invalid JSON",
+            res.status,
+            err
+          );
         }
         if (!jwks || !Array.isArray(jwks.keys)) {
           throw new IQAuthError(
-            "INTERNAL_ERROR",
+            "jwks_fetch_failed",
             "Malformed JWKS response: expected { keys: [...] }"
           );
         }
@@ -181,7 +201,7 @@ var TokensModule = class {
         for (const key of jwks.keys) {
           if (!key || typeof key.kid !== "string" || typeof key.n !== "string" && typeof key.x !== "string" || key.kty === "RSA" && (typeof key.n !== "string" || typeof key.e !== "string")) {
             throw new IQAuthError(
-              "INTERNAL_ERROR",
+              "jwks_fetch_failed",
               "Malformed JWKS response: key missing required fields"
             );
           }
@@ -199,6 +219,19 @@ var TokensModule = class {
   clearCache() {
     this.jwksCache = null;
   }
+  /**
+   * Task #126: Eagerly populate the JWKS cache so the first verify() call
+   * doesn't pay a network round-trip. Safe to call repeatedly — single-flight
+   * behavior is shared with the lazy refresh path. Errors are swallowed so
+   * callers (e.g. `attachHelpers` auto-prewarm) can fire-and-forget.
+   */
+  async prewarm() {
+    if (this.jwksCache && Date.now() - this.jwksCache.fetchedAt <= JWKS_CACHE_TTL_MS) return;
+    try {
+      await this.refreshJwks();
+    } catch {
+    }
+  }
 };
 
 export {

package/dist/{chunk-5T7GHBX6.mjs → chunk-TLET552H.mjs}

@@ -37,6 +37,7 @@ var enUS = {
   "signIn.useDifferentAccount": "Use a different account",
   "signIn.selectTenant": "Choose an organization",
   "signIn.selectTenantSubtitle": "You belong to multiple organizations. Pick one to continue.",
+  "signIn.selectScope": "Choose scope",
   "signIn.dividerOr": "or",
   "signIn.preparingExperience": "Preparing your sign-in experience.",
   "signIn.applicationUnavailable": "Application unavailable",
@@ -125,6 +126,11 @@ var enUS = {
   "orgSwitcher.createNew": "Create organization",
   "orgSwitcher.manage": "Manage organization",
   "orgSwitcher.noOrgs": "You don't belong to any organizations yet.",
+  "orgSwitcher.mfaRequiredTitle": "Two-factor verification required",
+  "orgSwitcher.mfaRequiredBody": "This organization requires an extra verification step. Continue in the hosted sign-in to finish switching.",
+  "orgSwitcher.scopeSelectionRequiredTitle": "Choose what to access",
+  "orgSwitcher.scopeSelectionRequiredBody": "This organization needs you to pick which workspace to open. Continue in the hosted sign-in to choose.",
+  "orgSwitcher.continueInHostedSignIn": "Continue in hosted sign-in \u2192",
   "orgProfile.title": "Organization settings",
   "orgProfile.generalTab": "General",
   "orgProfile.membersTab": "Members",
@@ -217,6 +223,7 @@ var frFR = {
   "signIn.useDifferentAccount": "Utiliser un autre compte",
   "signIn.selectTenant": "Choisir une organisation",
   "signIn.selectTenantSubtitle": "Vous appartenez \xE0 plusieurs organisations. Choisissez-en une pour continuer.",
+  "signIn.selectScope": "Choisir une port\xE9e",
   "signIn.dividerOr": "ou",
   "signIn.preparingExperience": "Pr\xE9paration de votre exp\xE9rience de connexion.",
   "signIn.applicationUnavailable": "Application indisponible",
@@ -305,6 +312,11 @@ var frFR = {
   "orgSwitcher.createNew": "Cr\xE9er une organisation",
   "orgSwitcher.manage": "G\xE9rer l'organisation",
   "orgSwitcher.noOrgs": "Vous n'appartenez encore \xE0 aucune organisation.",
+  "orgSwitcher.mfaRequiredTitle": "V\xE9rification en deux \xE9tapes requise",
+  "orgSwitcher.mfaRequiredBody": "Cette organisation n\xE9cessite une \xE9tape de v\xE9rification suppl\xE9mentaire. Poursuivez sur la page de connexion h\xE9berg\xE9e pour terminer le changement.",
+  "orgSwitcher.scopeSelectionRequiredTitle": "Choisir l'espace \xE0 ouvrir",
+  "orgSwitcher.scopeSelectionRequiredBody": "Cette organisation n\xE9cessite que vous choisissiez un espace de travail. Poursuivez sur la page de connexion h\xE9berg\xE9e pour choisir.",
+  "orgSwitcher.continueInHostedSignIn": "Continuer sur la connexion h\xE9berg\xE9e \u2192",
   "orgProfile.title": "Param\xE8tres de l'organisation",
   "orgProfile.generalTab": "G\xE9n\xE9ral",
   "orgProfile.membersTab": "Membres",
@@ -397,6 +409,7 @@ var esES = {
   "signIn.useDifferentAccount": "Usar otra cuenta",
   "signIn.selectTenant": "Elige una organizaci\xF3n",
   "signIn.selectTenantSubtitle": "Perteneces a varias organizaciones. Selecciona una para continuar.",
+  "signIn.selectScope": "Elegir \xE1mbito",
   "signIn.dividerOr": "o",
   "signIn.preparingExperience": "Preparando tu experiencia de inicio de sesi\xF3n.",
   "signIn.applicationUnavailable": "Aplicaci\xF3n no disponible",
@@ -485,6 +498,11 @@ var esES = {
   "orgSwitcher.createNew": "Crear organizaci\xF3n",
   "orgSwitcher.manage": "Gestionar organizaci\xF3n",
   "orgSwitcher.noOrgs": "A\xFAn no perteneces a ninguna organizaci\xF3n.",
+  "orgSwitcher.mfaRequiredTitle": "Se requiere verificaci\xF3n en dos pasos",
+  "orgSwitcher.mfaRequiredBody": "Esta organizaci\xF3n requiere un paso de verificaci\xF3n adicional. Contin\xFAa en el inicio de sesi\xF3n alojado para completar el cambio.",
+  "orgSwitcher.scopeSelectionRequiredTitle": "Elige a qu\xE9 acceder",
+  "orgSwitcher.scopeSelectionRequiredBody": "Esta organizaci\xF3n requiere que elijas un espacio de trabajo. Contin\xFAa en el inicio de sesi\xF3n alojado para elegir.",
+  "orgSwitcher.continueInHostedSignIn": "Continuar en el inicio de sesi\xF3n alojado \u2192",
   "orgProfile.title": "Configuraci\xF3n de la organizaci\xF3n",
   "orgProfile.generalTab": "Generales",
   "orgProfile.membersTab": "Miembros",
@@ -577,6 +595,7 @@ var deDE = {
   "signIn.useDifferentAccount": "Anderes Konto verwenden",
   "signIn.selectTenant": "Organisation ausw\xE4hlen",
   "signIn.selectTenantSubtitle": "Sie geh\xF6ren zu mehreren Organisationen. Bitte w\xE4hlen Sie eine aus.",
+  "signIn.selectScope": "Bereich ausw\xE4hlen",
   "signIn.preparingExperience": "Anmeldung wird vorbereitet.",
   "signIn.applicationUnavailable": "Anwendung nicht verf\xFCgbar",
   "signIn.applicationNotFound": "Anwendung nicht gefunden",
@@ -665,6 +684,11 @@ var deDE = {
   "orgSwitcher.createNew": "Organisation erstellen",
   "orgSwitcher.manage": "Organisation verwalten",
   "orgSwitcher.noOrgs": "Sie geh\xF6ren noch keiner Organisation an.",
+  "orgSwitcher.mfaRequiredTitle": "Zwei-Faktor-Verifizierung erforderlich",
+  "orgSwitcher.mfaRequiredBody": "Diese Organisation erfordert einen zus\xE4tzlichen Verifizierungsschritt. Fahren Sie in der gehosteten Anmeldung fort, um den Wechsel abzuschlie\xDFen.",
+  "orgSwitcher.scopeSelectionRequiredTitle": "Zugriff ausw\xE4hlen",
+  "orgSwitcher.scopeSelectionRequiredBody": "F\xFCr diese Organisation m\xFCssen Sie einen Arbeitsbereich ausw\xE4hlen. Fahren Sie in der gehosteten Anmeldung fort, um auszuw\xE4hlen.",
+  "orgSwitcher.continueInHostedSignIn": "In der gehosteten Anmeldung fortfahren \u2192",
   "orgProfile.title": "Organisationseinstellungen",
   "orgProfile.generalTab": "Allgemein",
   "orgProfile.membersTab": "Mitglieder",
@@ -757,6 +781,7 @@ var jaJP = {
   "signIn.useDifferentAccount": "\u5225\u306E\u30A2\u30AB\u30A6\u30F3\u30C8\u3092\u4F7F\u7528",
   "signIn.selectTenant": "\u7D44\u7E54\u3092\u9078\u629E",
   "signIn.selectTenantSubtitle": "\u8907\u6570\u306E\u7D44\u7E54\u306B\u6240\u5C5E\u3057\u3066\u3044\u307E\u3059\u3002\u7D9A\u3051\u308B\u306B\u306F 1 \u3064\u3092\u9078\u629E\u3057\u3066\u304F\u3060\u3055\u3044\u3002",
+  "signIn.selectScope": "\u30B9\u30B3\u30FC\u30D7\u3092\u9078\u629E",
   "signIn.preparingExperience": "\u30B5\u30A4\u30F3\u30A4\u30F3\u306E\u6E96\u5099\u3092\u3057\u3066\u3044\u307E\u3059\u3002",
   "signIn.applicationUnavailable": "\u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3\u3092\u5229\u7528\u3067\u304D\u307E\u305B\u3093",
   "signIn.applicationNotFound": "\u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3\u304C\u898B\u3064\u304B\u308A\u307E\u305B\u3093",
@@ -845,6 +870,11 @@ var jaJP = {
   "orgSwitcher.createNew": "\u7D44\u7E54\u3092\u4F5C\u6210",
   "orgSwitcher.manage": "\u7D44\u7E54\u3092\u7BA1\u7406",
   "orgSwitcher.noOrgs": "\u307E\u3060\u3069\u306E\u7D44\u7E54\u306B\u3082\u6240\u5C5E\u3057\u3066\u3044\u307E\u305B\u3093\u3002",
+  "orgSwitcher.mfaRequiredTitle": "\u4E8C\u6BB5\u968E\u8A8D\u8A3C\u304C\u5FC5\u8981\u3067\u3059",
+  "orgSwitcher.mfaRequiredBody": "\u3053\u306E\u7D44\u7E54\u3067\u306F\u8FFD\u52A0\u306E\u672C\u4EBA\u78BA\u8A8D\u304C\u5FC5\u8981\u3067\u3059\u3002\u30DB\u30B9\u30C8\u3055\u308C\u305F\u30B5\u30A4\u30F3\u30A4\u30F3\u3067\u7D9A\u3051\u3066\u5207\u308A\u66FF\u3048\u3092\u5B8C\u4E86\u3057\u3066\u304F\u3060\u3055\u3044\u3002",
+  "orgSwitcher.scopeSelectionRequiredTitle": "\u30A2\u30AF\u30BB\u30B9\u5148\u3092\u9078\u629E",
+  "orgSwitcher.scopeSelectionRequiredBody": "\u3053\u306E\u7D44\u7E54\u3067\u306F\u30EF\u30FC\u30AF\u30B9\u30DA\u30FC\u30B9\u306E\u9078\u629E\u304C\u5FC5\u8981\u3067\u3059\u3002\u30DB\u30B9\u30C8\u3055\u308C\u305F\u30B5\u30A4\u30F3\u30A4\u30F3\u3067\u9078\u629E\u3057\u3066\u304F\u3060\u3055\u3044\u3002",
+  "orgSwitcher.continueInHostedSignIn": "\u30DB\u30B9\u30C8\u3055\u308C\u305F\u30B5\u30A4\u30F3\u30A4\u30F3\u306B\u9032\u3080 \u2192",
   "orgProfile.title": "\u7D44\u7E54\u306E\u8A2D\u5B9A",
   "orgProfile.generalTab": "\u4E00\u822C",
   "orgProfile.membersTab": "\u30E1\u30F3\u30D0\u30FC",
@@ -937,6 +967,7 @@ var ptBR = {
   "signIn.useDifferentAccount": "Usar outra conta",
   "signIn.selectTenant": "Escolher uma organiza\xE7\xE3o",
   "signIn.selectTenantSubtitle": "Voc\xEA pertence a v\xE1rias organiza\xE7\xF5es. Escolha uma para continuar.",
+  "signIn.selectScope": "Escolher escopo",
   "signIn.preparingExperience": "Preparando sua experi\xEAncia de login.",
   "signIn.applicationUnavailable": "Aplicativo indispon\xEDvel",
   "signIn.applicationNotFound": "Aplicativo n\xE3o encontrado",
@@ -1024,6 +1055,11 @@ var ptBR = {
   "orgSwitcher.personal": "Conta pessoal",
   "orgSwitcher.createNew": "Criar organiza\xE7\xE3o",
   "orgSwitcher.manage": "Gerenciar organiza\xE7\xE3o",
+  "orgSwitcher.mfaRequiredTitle": "Verifica\xE7\xE3o em duas etapas necess\xE1ria",
+  "orgSwitcher.mfaRequiredBody": "Esta organiza\xE7\xE3o requer uma etapa de verifica\xE7\xE3o adicional. Continue no login hospedado para concluir a troca.",
+  "orgSwitcher.scopeSelectionRequiredTitle": "Escolha o que acessar",
+  "orgSwitcher.scopeSelectionRequiredBody": "Esta organiza\xE7\xE3o exige que voc\xEA escolha um espa\xE7o de trabalho. Continue no login hospedado para escolher.",
+  "orgSwitcher.continueInHostedSignIn": "Continuar no login hospedado \u2192",
   "orgSwitcher.noOrgs": "Voc\xEA ainda n\xE3o pertence a nenhuma organiza\xE7\xE3o.",
   "orgProfile.title": "Configura\xE7\xF5es da organiza\xE7\xE3o",
   "orgProfile.generalTab": "Geral",