@iqauth/sdk 2.6.4 → 2.8.1

package/dist/chunk-WHT6WKTY.mjs

@@ -0,0 +1,3180 @@
+import {
+  AccountRegistry,
+  MultiAccountTokenStore,
+  SessionManager,
+  defaultCookieStore,
+  enrollPasskey,
+  linkProvider,
+  listLinkedIdentities,
+  requestMagicLink,
+  signInWithPasskey,
+  unlinkProvider
+} from "./chunk-4V7FKOTG.mjs";
+import {
+  handleAuthCallback,
+  redirectToSignIn,
+  signIn,
+  signOut
+} from "./chunk-GN37E64I.mjs";
+import {
+  sanitizeReturnTo
+} from "./chunk-JRDVUWAL.mjs";
+import {
+  defaultBundle,
+  localizeErrorCode,
+  resolveBundle,
+  t
+} from "./chunk-TLET552H.mjs";
+
+// src/react/index.tsx
+import {
+  createContext,
+  createElement,
+  Fragment,
+  useCallback,
+  useContext,
+  useEffect,
+  useMemo,
+  useRef,
+  useState,
+  useSyncExternalStore
+} from "react";
+
+// src/browser/hostedIssuerGuard.ts
+var HOSTED_ISSUER_MISMATCH_CODE = "IQAUTH_HOSTED_ISSUER_MISMATCH";
+var HOSTED_ISSUER_MISMATCH_DOCS_URL = "https://docs.dispositioniq.com/iqauth/errors#hosted-issuer-mismatch";
+function computeHostedIssuerMismatch(input) {
+  const {
+    nodeEnv,
+    fetchError,
+    explicitOverride,
+    resolvedBaseUrl,
+    managerIssuerUrl,
+    hostedIssuerUrl,
+    appKey
+  } = input;
+  if (nodeEnv === "production") return null;
+  if (!fetchError) return null;
+  if (explicitOverride) return null;
+  if (!managerIssuerUrl || !hostedIssuerUrl) return null;
+  if (resolvedBaseUrl !== managerIssuerUrl) return null;
+  if (resolvedBaseUrl === hostedIssuerUrl) return null;
+  const e = new Error(
+    `[IQAuth] ${HOSTED_ISSUER_MISMATCH_CODE}: <SignIn /> targeted "${resolvedBaseUrl}" (inherited from <IQAuthProvider issuer="\u2026"/>), but that host does not serve /api/public/apps/${appKey}/sign-in-context. The hosted UI lives at the publishable key's issuer: "${hostedIssuerUrl}". Fix: drop the <IQAuthProvider issuer="\u2026"/> override so the SDK uses the publishable key's iss, OR pass <SignIn iqAuthBaseUrl="${hostedIssuerUrl}"/> explicitly. Docs: ${HOSTED_ISSUER_MISMATCH_DOCS_URL}. Underlying fetch error: ${fetchError}`
+  );
+  e.code = HOSTED_ISSUER_MISMATCH_CODE;
+  return e;
+}
+
+// src/react/index.tsx
+import { Fragment as Fragment2, jsx, jsxs } from "react/jsx-runtime";
+var globalManager = null;
+function setGlobalManager(m) {
+  globalManager = m;
+}
+function getGlobalManager() {
+  return globalManager;
+}
+var IQAuthContext = createContext(null);
+function IQAuthProvider({
+  publishableKey,
+  issuer,
+  channelName,
+  proactiveRefresh,
+  manager: externalManager,
+  allowedReturnOrigins,
+  appearance,
+  roleMapper,
+  cookieNames,
+  localization,
+  silentSso,
+  children
+}) {
+  const managerRef = useRef(null);
+  if (!managerRef.current) {
+    managerRef.current = externalManager ?? new SessionManager({
+      publishableKey,
+      issuer,
+      channelName,
+      proactiveRefresh,
+      cookieNames
+    });
+    setGlobalManager(managerRef.current);
+  }
+  const manager = managerRef.current;
+  const subscribe = useCallback(
+    (cb) => manager.subscribe(() => cb()),
+    [manager]
+  );
+  const getSnapshot = useCallback(() => manager.getSnapshot(), [manager]);
+  const getServerSnapshot = useCallback(() => manager.getSnapshot(), [manager]);
+  const snapshot = useSyncExternalStore(subscribe, getSnapshot, getServerSnapshot);
+  useEffect(() => {
+    void manager.bootstrap();
+    const onVisible = () => {
+      if (typeof document !== "undefined" && document.visibilityState === "visible") {
+        void manager.refresh();
+      }
+    };
+    if (typeof document !== "undefined") {
+      document.addEventListener("visibilitychange", onVisible);
+    }
+    return () => {
+      if (typeof document !== "undefined") {
+        document.removeEventListener("visibilitychange", onVisible);
+      }
+    };
+  }, [manager]);
+  const resolvedLocalization = useMemo(
+    () => resolveBundle(localization),
+    [localization]
+  );
+  const value = useMemo(
+    () => ({
+      manager,
+      snapshot,
+      allowedReturnOrigins: allowedReturnOrigins ?? [],
+      appearance: appearance ?? null,
+      roleMapper: roleMapper ?? null,
+      localization: resolvedLocalization,
+      silentSso: silentSso ?? false
+    }),
+    [manager, snapshot, allowedReturnOrigins, appearance, roleMapper, resolvedLocalization, silentSso]
+  );
+  return createElement(IQAuthContext.Provider, { value }, children);
+}
+function __useIQAuthInternal() {
+  return useCtx();
+}
+function useCtx() {
+  const ctx = useContext(IQAuthContext);
+  if (!ctx) throw new Error("IQAuth hooks must be used inside <IQAuthProvider>");
+  return ctx;
+}
+function useLocale() {
+  const ctx = useContext(IQAuthContext);
+  return ctx?.localization ?? defaultBundle;
+}
+function useT() {
+  const bundle = useLocale();
+  return useMemo(
+    () => (key, vars) => t(bundle, key, vars),
+    [bundle]
+  );
+}
+function localizeError(bundle, raw) {
+  if (!raw) return t(bundle, "errors.generic");
+  if (typeof raw === "string") {
+    if (/^[A-Z][A-Z0-9_]+$/.test(raw)) return localizeErrorCode(bundle, raw);
+    return raw;
+  }
+  if (raw.code) return localizeErrorCode(bundle, raw.code);
+  return raw.message || t(bundle, "errors.generic");
+}
+function useUser() {
+  const { snapshot, roleMapper } = useCtx();
+  return useMemo(
+    () => {
+      const user = snapshot.user ? {
+        ...snapshot.user,
+        // F13 — derive `role` via roleMapper, falling back to a sensible default
+        role: (() => {
+          if (roleMapper) {
+            try {
+              return roleMapper(snapshot.claims);
+            } catch {
+              return null;
+            }
+          }
+          const c = snapshot.claims;
+          if (!c) return null;
+          if (typeof c.role === "string" && c.role) return c.role;
+          if (Array.isArray(c.roles) && c.roles.length > 0 && typeof c.roles[0] === "string") return c.roles[0];
+          return null;
+        })()
+      } : null;
+      return {
+        isLoaded: snapshot.status !== "loading",
+        isSignedIn: snapshot.status === "authenticated" && !!snapshot.user,
+        user,
+        error: snapshot.error
+      };
+    },
+    [snapshot.status, snapshot.user, snapshot.claims, snapshot.error, snapshot.version, roleMapper]
+  );
+}
+function useSession() {
+  const { snapshot } = useCtx();
+  return useMemo(
+    () => ({
+      isLoaded: snapshot.status !== "loading",
+      isSignedIn: snapshot.status === "authenticated",
+      claims: snapshot.claims,
+      accessToken: snapshot.accessToken,
+      error: snapshot.error
+    }),
+    [snapshot.status, snapshot.claims, snapshot.accessToken, snapshot.error, snapshot.version]
+  );
+}
+function useAuth() {
+  const { manager, snapshot } = useCtx();
+  return useMemo(
+    () => ({
+      isLoaded: snapshot.status !== "loading",
+      isSignedIn: snapshot.status === "authenticated",
+      userId: snapshot.user?.sub ?? null,
+      tenantId: snapshot.tenantId,
+      error: snapshot.error,
+      signIn: (opts) => signIn(manager, opts),
+      signOut: (opts) => signOut(manager, opts),
+      redirectToSignIn: (opts) => redirectToSignIn(manager, opts),
+      getToken: () => manager.getToken(),
+      fetch: (input, init) => manager.fetch(input, init)
+    }),
+    [manager, snapshot.status, snapshot.user, snapshot.tenantId, snapshot.error, snapshot.version]
+  );
+}
+function useOrganization() {
+  const { snapshot } = useCtx();
+  return useMemo(
+    () => ({
+      isLoaded: snapshot.status !== "loading",
+      organization: snapshot.tenantId ? { id: snapshot.tenantId, tenantId: snapshot.tenantId } : null,
+      error: snapshot.error
+    }),
+    [snapshot.status, snapshot.tenantId, snapshot.error, snapshot.version]
+  );
+}
+function useAuthFetch() {
+  const { manager } = useCtx();
+  return useCallback(
+    (input, init) => manager.fetch(input, init),
+    [manager]
+  );
+}
+function useSessionList() {
+  const { manager } = useCtx();
+  const [sessions, setSessions] = useState([]);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState(null);
+  const base = manager.issuerUrl.replace(/\/$/, "");
+  const refresh = useCallback(async () => {
+    setLoading(true);
+    setError(null);
+    try {
+      const res = await manager.fetch(`${base}/api/v1/users/me/sessions`);
+      const json = await res.json().catch(() => ({}));
+      if (!res.ok) throw new Error(json?.error?.message || `HTTP ${res.status}`);
+      setSessions(json?.data?.sessions || []);
+    } catch (err) {
+      setError(err.message);
+    } finally {
+      setLoading(false);
+    }
+  }, [manager, base]);
+  useEffect(() => {
+    void refresh();
+  }, [refresh]);
+  const revoke = useCallback(async (sessionId) => {
+    const res = await manager.fetch(`${base}/api/v1/users/me/sessions/${encodeURIComponent(sessionId)}`, { method: "DELETE" });
+    if (!res.ok) {
+      const j = await res.json().catch(() => ({}));
+      throw new Error(j?.error?.message || `HTTP ${res.status}`);
+    }
+    setSessions((prev) => prev.filter((s) => s.id !== sessionId));
+  }, [manager, base]);
+  const revokeAllOthers = useCallback(async () => {
+    const res = await manager.fetch(`${base}/api/v1/users/me/sessions/revoke-all-others`, { method: "POST" });
+    const json = await res.json().catch(() => ({}));
+    if (!res.ok) throw new Error(json?.error?.message || `HTTP ${res.status}`);
+    setSessions((prev) => prev.filter((s) => s.isCurrent));
+    return { terminatedCount: json?.data?.terminatedCount ?? 0 };
+  }, [manager, base]);
+  return { sessions, loading, error, refresh, revoke, revokeAllOthers };
+}
+async function revokeSession(sessionId) {
+  const mgr = getGlobalManager();
+  if (!mgr) throw new Error("revokeSession() requires <IQAuthProvider> mounted");
+  const base = mgr.issuerUrl.replace(/\/$/, "");
+  const res = await mgr.fetch(`${base}/api/v1/users/me/sessions/${encodeURIComponent(sessionId)}`, { method: "DELETE" });
+  if (!res.ok) {
+    const j = await res.json().catch(() => ({}));
+    throw new Error(j?.error?.message || `HTTP ${res.status}`);
+  }
+}
+var MultisessionContext = createContext(null);
+function MultisessionAppSupport({ children }) {
+  const { manager, snapshot } = useCtx();
+  const registryRef = useRef(null);
+  if (!registryRef.current) {
+    registryRef.current = new AccountRegistry(manager.appKey);
+  }
+  const registry = registryRef.current;
+  const [version, setVersion] = useState(0);
+  useEffect(() => {
+    const store = new MultiAccountTokenStore(registry, defaultCookieStore());
+    manager.setTokenStore(store);
+    const unsub = registry.subscribe(() => setVersion((v) => v + 1));
+    return () => {
+      unsub();
+      registry.destroy();
+    };
+  }, [manager]);
+  useEffect(() => {
+    if (snapshot.status !== "authenticated" || !snapshot.user) return;
+    const claims = snapshot.claims;
+    const rec = {
+      accountId: snapshot.user.sub,
+      userId: snapshot.user.sub,
+      email: snapshot.user.email,
+      name: snapshot.user.name,
+      tenantId: snapshot.tenantId ?? claims?.tenantId ?? null,
+      addedAt: Date.now()
+    };
+    registry.upsert(rec);
+    if (registry.active() !== rec.accountId) {
+      registry.setActive(rec.accountId);
+    }
+  }, [snapshot.user?.sub, snapshot.tenantId, snapshot.status]);
+  const value = useMemo(
+    () => ({ registry, version }),
+    [registry, version]
+  );
+  return createElement(MultisessionContext.Provider, { value }, children);
+}
+function useMultiCtx() {
+  const ctx = useContext(MultisessionContext);
+  if (!ctx) throw new Error("F22 hooks must be used inside <MultisessionAppSupport>");
+  return ctx;
+}
+function useAccountList() {
+  const { registry, version } = useMultiCtx();
+  const { isLoaded } = useUser();
+  const accounts = useMemo(() => {
+    const active = registry.active();
+    return registry.list().map((a) => ({
+      accountId: a.accountId,
+      userId: a.userId,
+      email: a.email,
+      name: a.name,
+      tenantId: a.tenantId,
+      isActive: a.accountId === active
+    }));
+  }, [registry, version]);
+  return { accounts, loading: !isLoaded };
+}
+function useAccountSwitcher() {
+  const { manager } = useCtx();
+  const { registry } = useMultiCtx();
+  const addAccount = useCallback(
+    async (opts = {}) => {
+      registry.setActive(null);
+      await signIn(manager, { ...opts, prompt: "login" });
+    },
+    [manager, registry]
+  );
+  const switchTo = useCallback(
+    async (accountId) => {
+      const target = registry.get(accountId);
+      if (!target) throw new Error(`Unknown accountId: ${accountId}`);
+      registry.setActive(accountId);
+      const ok = await manager.refresh();
+      if (!ok) {
+        registry.remove(accountId);
+        throw new Error("Could not switch account; session may have been revoked");
+      }
+    },
+    [manager, registry]
+  );
+  const removeAccount = useCallback(
+    (accountId) => {
+      registry.remove(accountId);
+    },
+    [registry]
+  );
+  return { addAccount, switchTo, removeAccount };
+}
+function SignedIn({ children }) {
+  const { isSignedIn, isLoaded } = useUser();
+  if (!isLoaded || !isSignedIn) return null;
+  return createElement(Fragment, null, children);
+}
+function SignedOut({ children }) {
+  const { isSignedIn, isLoaded } = useUser();
+  if (!isLoaded || isSignedIn) return null;
+  return createElement(Fragment, null, children);
+}
+function IQAuthLoading({ children }) {
+  const { isLoaded } = useAuth();
+  if (isLoaded) return null;
+  return createElement(Fragment, null, children);
+}
+function IQAuthLoaded({ children }) {
+  const { isLoaded } = useAuth();
+  if (!isLoaded) return null;
+  return createElement(Fragment, null, children);
+}
+function RedirectToSignIn(props = {}) {
+  const { manager, snapshot } = useCtx();
+  const [error, setError] = useState(null);
+  useEffect(() => {
+    if (snapshot.status === "unauthenticated") {
+      redirectToSignIn(manager, props).catch((err) => {
+        const message = err instanceof Error ? err.message : String(err);
+        console.error("[IQAuth] RedirectToSignIn failed:", err, {
+          issuer: manager.issuerUrl,
+          appKey: manager.appKey
+        });
+        setError(message);
+      });
+    }
+  }, [manager, snapshot.status]);
+  if (error) {
+    return createElement(
+      "div",
+      {
+        role: "alert",
+        style: {
+          maxWidth: 520,
+          margin: "48px auto",
+          padding: 16,
+          border: "1px solid #f0c0c0",
+          background: "#fff5f5",
+          borderRadius: 8,
+          fontFamily: "system-ui, sans-serif",
+          fontSize: 14,
+          color: "#7a1f1f"
+        }
+      },
+      createElement("strong", null, "IQAuth: sign-in redirect failed"),
+      createElement("div", { style: { marginTop: 8, fontSize: 13 } }, error),
+      createElement(
+        "div",
+        { style: { marginTop: 12, fontSize: 12, color: "#5a4a4a" } },
+        `Issuer: ${manager.issuerUrl} \xB7 App: ${manager.appKey}. Check browser console for details.`
+      )
+    );
+  }
+  return null;
+}
+async function performScopeSwitch(manager, base, target) {
+  const res = await manager.fetch(`${base}/api/v1/auth/switch-scope`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ scopeType: target.type, scopeId: target.id })
+  });
+  const body = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    throw new Error(body?.error?.message || `HTTP ${res.status}`);
+  }
+  const newToken = body?.data?.accessToken;
+  if (newToken) {
+    manager.adoptAccessToken(newToken);
+    void manager.refresh().catch(() => void 0);
+    return;
+  }
+  const ok = await manager.refresh();
+  if (!ok) {
+    throw new Error("scope switch succeeded server-side but token refresh failed; reload to recover");
+  }
+}
+async function performTenantSwitch(manager, base, tenantId) {
+  const res = await manager.fetch(`${base.replace(/\/$/, "")}/api/v1/auth/select-tenant`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ tenantId })
+  });
+  const body = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    throw new Error(body?.error?.message || `HTTP ${res.status}`);
+  }
+  if (body?.data?.mfaChallengeToken) {
+    return {
+      kind: "mfa_required",
+      tenantId: body?.data?.tenantId || tenantId,
+      mfaChallengeToken: body.data.mfaChallengeToken,
+      availableMethods: Array.isArray(body.data.availableMethods) ? body.data.availableMethods : []
+    };
+  }
+  if (body?.data?.type === "scope_selection" || body?.data?.scopeSelectionToken) {
+    return {
+      kind: "scope_selection_required",
+      tenantId: body?.data?.tenantId || tenantId,
+      scopeSelectionToken: body?.data?.scopeSelectionToken || "",
+      scopes: Array.isArray(body?.data?.scopes) ? body.data.scopes : []
+    };
+  }
+  const newToken = body?.data?.accessToken;
+  if (newToken) {
+    manager.adoptAccessToken(newToken);
+    void manager.refresh().catch(() => void 0);
+    return { kind: "ok", tenantId: body?.data?.user?.tenantId || tenantId };
+  }
+  const ok = await manager.refresh();
+  if (!ok) {
+    throw new Error("tenant switch succeeded server-side but token refresh failed; reload to recover");
+  }
+  return { kind: "ok", tenantId };
+}
+function asArray(v) {
+  if (v == null) return [];
+  return Array.isArray(v) ? v : [v];
+}
+function claimRoles(c) {
+  if (!c) return [];
+  const x = c;
+  if (Array.isArray(x.roles)) return x.roles.filter((r) => typeof r === "string");
+  if (typeof x.role === "string") return [x.role];
+  return [];
+}
+function claimPermissions(c) {
+  if (!c) return [];
+  const x = c;
+  const out = /* @__PURE__ */ new Set();
+  if (Array.isArray(x.permissions)) {
+    for (const p of x.permissions) if (typeof p === "string") out.add(p);
+  }
+  if (Array.isArray(x.entitlements)) {
+    for (const p of x.entitlements) if (typeof p === "string") out.add(p);
+  }
+  if (typeof x.scope === "string") {
+    for (const s of x.scope.split(/\s+/)) if (s) out.add(s);
+  }
+  return Array.from(out);
+}
+function claimSatisfiesScope(claims, required) {
+  if (!claims) return false;
+  const ctx = claims.scopeContext;
+  if (!ctx || !ctx.type || !ctx.id) return false;
+  const list = Array.isArray(required) ? required : [required];
+  return list.some((r) => r.type === ctx.type && r.id === ctx.id);
+}
+function Protect({ role, permission, scope, condition, fallback = null, children }) {
+  const { snapshot } = useCtx();
+  if (snapshot.status !== "authenticated") return createElement(Fragment, null, fallback);
+  const wantedRoles = asArray(role);
+  const wantedPerms = asArray(permission);
+  if (wantedRoles.length) {
+    const have = new Set(claimRoles(snapshot.claims));
+    if (!wantedRoles.some((r) => have.has(r))) return createElement(Fragment, null, fallback);
+  }
+  if (wantedPerms.length) {
+    const have = new Set(claimPermissions(snapshot.claims));
+    if (!wantedPerms.some((p) => have.has(p))) return createElement(Fragment, null, fallback);
+  }
+  if (scope) {
+    if (!claimSatisfiesScope(snapshot.claims, scope)) return createElement(Fragment, null, fallback);
+  }
+  if (condition && !condition(snapshot.claims)) return createElement(Fragment, null, fallback);
+  return createElement(Fragment, null, children);
+}
+function RedirectToSignedIn({ to = "/", replace = true } = {}) {
+  const { snapshot, allowedReturnOrigins } = useCtx();
+  useEffect(() => {
+    if (snapshot.status !== "authenticated") return;
+    if (typeof window === "undefined") return;
+    const safe = sanitizeReturnTo(to, { allowedOrigins: allowedReturnOrigins, fallback: "/" });
+    if (replace) window.location.replace(safe);
+    else window.location.assign(safe);
+  }, [snapshot.status, to, replace, allowedReturnOrigins]);
+  return null;
+}
+function useReturnTo(options = {}) {
+  const { allowedReturnOrigins } = useCtx();
+  const paramName = options.paramName ?? "return_to";
+  const storageKey = options.storageKey ?? "iqauth_return_to";
+  const fallback = options.fallback ?? "/";
+  return useMemo(() => {
+    if (typeof window === "undefined") return fallback;
+    let raw = null;
+    try {
+      const params = new URLSearchParams(window.location.search);
+      raw = params.get(paramName) || params.get("next");
+    } catch {
+    }
+    if (!raw) {
+      try {
+        raw = window.sessionStorage.getItem(storageKey);
+      } catch {
+      }
+    }
+    const safe = sanitizeReturnTo(raw, { allowedOrigins: allowedReturnOrigins, fallback });
+    if (safe !== fallback) {
+      try {
+        window.sessionStorage.setItem(storageKey, safe);
+      } catch {
+      }
+    }
+    return safe;
+  }, [paramName, storageKey, fallback, allowedReturnOrigins]);
+}
+function IQAuthReturnToBouncer({ children, ...opts }) {
+  const { snapshot } = useCtx();
+  const returnTo = useReturnTo(opts);
+  useEffect(() => {
+    if (snapshot.status !== "authenticated") return;
+    if (typeof window === "undefined") return;
+    window.location.replace(returnTo);
+  }, [snapshot.status, returnTo]);
+  if (snapshot.status === "authenticated") return null;
+  return createElement(Fragment, null, children);
+}
+async function preflightReturnTo(args) {
+  const f = args.fetchImpl ?? fetch;
+  const url = `${args.iqAuthBaseUrl.replace(/\/$/, "")}/api/public/apps/${encodeURIComponent(args.appKey)}/sign-in-context?return_to=${encodeURIComponent(args.returnTo)}`;
+  try {
+    const r = await f(url, { credentials: "include" });
+    const body = await r.json().catch(() => null);
+    if (!r.ok || !body?.success || !body.data) {
+      return { ok: false, allowedOrigins: [], reason: body?.error?.message || `HTTP ${r.status}` };
+    }
+    return { ok: !!body.data.returnAllowed, allowedOrigins: body.data.allowedOrigins ?? [], reason: body.data.returnAllowed ? void 0 : "returnTo not in app allowedOrigins" };
+  } catch (err) {
+    return { ok: false, allowedOrigins: [], reason: err.message };
+  }
+}
+function AuthCallback({ onComplete, fallback } = {}) {
+  const { manager } = useCtx();
+  useEffect(() => {
+    let cancelled = false;
+    void handleAuthCallback(manager).then((result) => {
+      if (cancelled) return;
+      if (onComplete) onComplete(result);
+      else if (typeof window !== "undefined") {
+        window.location.replace(result.returnTo || "/");
+      }
+    });
+    return () => {
+      cancelled = true;
+    };
+  }, [manager, onComplete]);
+  return createElement(Fragment, null, fallback ?? null);
+}
+function brandStyle(branding) {
+  if (!branding) return {};
+  const s = {};
+  if (branding.primaryColor) s["--brand-primary"] = branding.primaryColor;
+  if (branding.accentColor) s["--brand-accent"] = branding.accentColor;
+  if (branding.backgroundColor) s["--brand-bg"] = branding.backgroundColor;
+  if (branding.surfaceColor) s["--brand-surface"] = branding.surfaceColor;
+  if (branding.textColor) s["--brand-text"] = branding.textColor;
+  if (branding.borderRadius != null && branding.borderRadius !== "") {
+    const n = typeof branding.borderRadius === "number" ? `${branding.borderRadius}px` : String(branding.borderRadius);
+    s["--brand-radius"] = n;
+  }
+  if (branding.fontFamilyBody) s["--brand-font-body"] = branding.fontFamilyBody;
+  if (branding.fontFamilyHeading) s["--brand-font-heading"] = branding.fontFamilyHeading;
+  return s;
+}
+async function jsonFetch(url, init) {
+  const res = await fetch(url, { ...init, credentials: init?.credentials || "include" });
+  const payload = await res.json().catch(() => ({}));
+  if (!res.ok && payload?.success !== true) {
+    const message = payload?.error?.message || payload?.error_description || payload?.error || `HTTP ${res.status}`;
+    throw new Error(typeof message === "string" ? message : "Request failed");
+  }
+  return payload;
+}
+function useIQAuthSignInContext(iqAuthBaseUrl, appKey, returnTo) {
+  const [ctx, setCtx] = useState(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState(null);
+  useEffect(() => {
+    if (!appKey) {
+      setLoading(false);
+      setError("appKey is required");
+      return;
+    }
+    let cancelled = false;
+    setLoading(true);
+    const url = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/public/apps/${encodeURIComponent(appKey)}/sign-in-context?return_to=${encodeURIComponent(returnTo)}`;
+    fetch(url, { credentials: "include" }).then(async (r) => {
+      const contentType = r.headers.get("content-type") || "";
+      if (!r.ok || !contentType.includes("json")) {
+        const bodyPreview = await r.text().then((t2) => t2.slice(0, 160)).catch(() => "");
+        console.error(
+          `[IQAuth] sign-in-context request failed: ${r.status} ${r.statusText} (content-type: ${contentType || "\u2014"}). URL: ${url}. Common causes: (1) iqAuthBaseUrl points at the wrong host (it should be your IQAuth issuer, e.g. https://auth.dispositioniq.com \u2014 NOT your own app's domain); (2) the app key "${appKey}" is wrong or revoked; (3) CORS preflight is blocked because this origin isn't in the app's allowed-origins list. Response body preview: ${bodyPreview}`
+        );
+        throw new Error(
+          r.status >= 500 ? "Failed to load sign-in context (server error)" : `Failed to load sign-in context (HTTP ${r.status})`
+        );
+      }
+      return r.json();
+    }).then((payload) => {
+      if (cancelled) return;
+      if (payload?.success === false) throw new Error(payload?.error?.message || "Failed to load sign-in context");
+      setCtx(payload.data);
+    }).catch((err) => {
+      if (!cancelled) setError(err.message);
+    }).finally(() => {
+      if (!cancelled) setLoading(false);
+    });
+    return () => {
+      cancelled = true;
+    };
+  }, [iqAuthBaseUrl, appKey, returnTo]);
+  return { ctx, loading, error };
+}
+var SHELL_CSS = `
+.iqauth-sdk-shell {
+  min-height: 100vh;
+  width: 100%;
+  display: grid;
+  grid-template-columns: 1fr;
+  background: var(--brand-bg, #f7f7f6);
+  color: var(--brand-text, #0f172a);
+  /* Container queries so the two-pane layout responds to the SDK's
+     RENDERED width, not the viewport. This keeps the form usable when
+     a host app embeds <SignIn/> inside a narrower card or sidebar
+     instead of full-screen \u2014 the previous viewport @media query would
+     happily render the side-by-side hero+form into a 200px container
+     and wrap text one character per line. */
+  container-type: inline-size;
+  container-name: iqauth-sdk;
+}
+.iqauth-sdk-hero { display: none; }
+.iqauth-sdk-pane {
+  display: flex; flex-direction: column; align-items: center; justify-content: center;
+  padding: 32px 20px;
+  /* 2.6.1 \u2014 Default to natural height so embedded usage (inside a card,
+     modal, or sidebar) sizes to its content instead of forcing a full
+     viewport. The hosted/full-page layout re-introduces 100vh below the
+     768px container-query threshold for the side-by-side hero variant. */
+  min-height: auto;
+  box-sizing: border-box;
+}
+.iqauth-sdk-card {
+  width: 100%; max-width: 480px;
+  background: var(--brand-surface, #ffffff);
+  border: 1px solid rgba(15,23,42,0.08);
+  border-radius: var(--brand-radius, 16px);
+  box-shadow: 0 1px 2px rgba(0,0,0,0.04), 0 12px 32px rgba(15,23,42,0.06);
+  overflow: hidden;
+}
+.iqauth-sdk-shell, .iqauth-sdk-shell input, .iqauth-sdk-shell button { font-family: var(--brand-font-body, inherit); }
+.iqauth-sdk-shell h1, .iqauth-sdk-shell h2, .iqauth-sdk-shell h3 { font-family: var(--brand-font-heading, var(--brand-font-body, inherit)); }
+.iqauth-sdk-shell[data-layout="centered_card"] { grid-template-columns: 1fr; }
+.iqauth-sdk-shell[data-layout="centered_card"] .iqauth-sdk-hero { display: none; }
+.iqauth-sdk-shell[data-layout="full_bleed"] { background-size: cover; background-position: center; background-repeat: no-repeat; }
+.iqauth-sdk-shell[data-layout="full_bleed"] .iqauth-sdk-hero { display: none; }
+.iqauth-sdk-shell[data-layout="full_bleed"] .iqauth-sdk-pane { background: rgba(15,23,42,0.30); }
+.iqauth-sdk-shell[data-social-style="outline"] .iqauth-sdk-google-btn { background: transparent; border-color: var(--brand-primary, rgba(15,23,42,0.18)); color: var(--brand-text, inherit); }
+.iqauth-sdk-shell[data-social-style="ghost"] .iqauth-sdk-google-btn { background: transparent; border-color: transparent; color: var(--brand-text, inherit); }
+.iqauth-sdk-shell[data-social-style="solid"] .iqauth-sdk-google-btn { background: var(--brand-primary, #3b82f6); border-color: transparent; color: #fff; }
+.iqauth-sdk-shell[data-social-style="solid"] .iqauth-sdk-google-btn:hover { background: var(--brand-primary, #3b82f6); opacity: 0.92; }
+.iqauth-sdk-card-header { padding: 32px 36px 0; }
+.iqauth-sdk-card-header h1 { font-size: 24px; font-weight: 600; margin: 0; line-height: 1.2; letter-spacing: -0.01em; }
+.iqauth-sdk-card-header p { margin: 8px 0 0; font-size: 14px; color: rgba(15,23,42,0.65); line-height: 1.5; }
+.iqauth-sdk-card-body { padding: 32px 36px 28px; display: flex; flex-direction: column; gap: 18px; }
+.iqauth-sdk-mobile-brand { display: flex; align-items: center; gap: 10px; margin-bottom: 20px; }
+.iqauth-sdk-mobile-brand img { height: 36px; width: auto; }
+.iqauth-sdk-mobile-brand span { font-size: 16px; font-weight: 600; }
+.iqauth-sdk-footer { margin-top: 20px; text-align: center; font-size: 13px; color: rgba(15,23,42,0.55); display: flex; flex-direction: column; gap: 8px; align-items: center; }
+.iqauth-sdk-footer-links { display: flex; gap: 14px; flex-wrap: wrap; justify-content: center; }
+.iqauth-sdk-footer-links a { color: inherit; opacity: 0.75; text-decoration: none; }
+.iqauth-sdk-footer-links a:hover { opacity: 1; text-decoration: underline; }
+.iqauth-sdk-divider { display: flex; align-items: center; gap: 10px; font-size: 12px; color: rgba(15,23,42,0.45); text-transform: uppercase; letter-spacing: 0.08em; }
+.iqauth-sdk-divider::before, .iqauth-sdk-divider::after { content: ""; flex: 1; height: 1px; background: rgba(15,23,42,0.1); }
+.iqauth-sdk-google-btn {
+  display: inline-flex; align-items: center; justify-content: center; gap: 10px;
+  width: 100%; padding: 10px 16px; border-radius: 8px;
+  background: #fff; color: #0f172a;
+  border: 1px solid rgba(15,23,42,0.18);
+  font-size: 14px; font-weight: 500; cursor: pointer;
+  transition: background 120ms ease, border-color 120ms ease;
+}
+.iqauth-sdk-google-btn:hover { background: #f8fafc; border-color: rgba(15,23,42,0.28); }
+.iqauth-sdk-google-btn[disabled] { opacity: 0.6; cursor: not-allowed; }
+
+@container iqauth-sdk (min-width: 768px) {
+  .iqauth-sdk-shell:not([data-layout="centered_card"]):not([data-layout="full_bleed"]) { grid-template-columns: minmax(0, 1fr) minmax(0, 1fr); }
+  /* 2.6.1 \u2014 Restore 100vh ONLY for the wide side-by-side layout where
+     hero+pane need height parity. Embedded narrow uses keep natural height. */
+  .iqauth-sdk-pane { padding: 48px 24px; min-height: 100vh; }
+  /* 2.6.2 \u2014 Let the card breathe on desktop. The 480px mobile cap looks
+     phone-sized on a 720px+ pane; bump to 540px and grow the inner padding
+     so the form fills its half of the split layout. */
+  .iqauth-sdk-card { max-width: 540px; }
+  .iqauth-sdk-card-header { padding: 40px 44px 0; }
+  .iqauth-sdk-card-body { padding: 32px 44px 32px; }
+  .iqauth-sdk-card-header h1 { font-size: 26px; }
+  .iqauth-sdk-hero {
+    display: flex; flex-direction: column; justify-content: space-between;
+    padding: clamp(32px, 4vw, 56px); color: #ffffff;
+    background: linear-gradient(135deg, var(--brand-primary, #3b82f6) 0%, var(--brand-accent, #6366f1) 100%);
+    background-size: cover; background-position: center;
+    position: relative; overflow: hidden; min-height: 100vh;
+  }
+  .iqauth-sdk-hero[data-bg-image="true"] {
+    background-image: var(--iqauth-sdk-hero-image), linear-gradient(135deg, var(--brand-primary, #3b82f6), var(--brand-accent, #6366f1));
+    background-blend-mode: multiply;
+  }
+  .iqauth-sdk-hero-brand img { height: 40px; width: auto; filter: brightness(0) invert(1); opacity: 0.96; }
+  .iqauth-sdk-hero-brand .iqauth-sdk-hero-name { font-size: 20px; font-weight: 600; letter-spacing: -0.01em; }
+  .iqauth-sdk-hero-content { max-width: 520px; }
+  .iqauth-sdk-hero-content h2 { font-size: clamp(24px, 2.4vw, 34px); font-weight: 600; line-height: 1.2; margin: 0 0 14px; letter-spacing: -0.015em; word-wrap: break-word; overflow-wrap: break-word; hyphens: auto; }
+  .iqauth-sdk-hero-content p { font-size: 15px; line-height: 1.6; opacity: 0.92; margin: 0; white-space: pre-wrap; }
+  .iqauth-sdk-hero-foot { font-size: 12px; opacity: 0.7; }
+  .iqauth-sdk-mobile-brand { display: none; }
+}
+@container iqauth-sdk (min-width: 1280px) {
+  .iqauth-sdk-shell:not([data-layout="centered_card"]):not([data-layout="full_bleed"]) { grid-template-columns: minmax(0, 5fr) minmax(0, 6fr); }
+  /* 2.6.2 \u2014 Extra-wide screens: card grows once more so the form keeps
+     pace with the hero pane on 1440px+ monitors. */
+  .iqauth-sdk-card { max-width: 580px; }
+}
+`;
+var sdkShellStylesInjected = false;
+var SDK_CSS_MAX_LEN = 50 * 1024;
+var SDK_CSS_FORBIDDEN = [
+  /<\/?\s*style[^>]*>/gi,
+  /<\/?\s*script[^>]*>/gi,
+  /<!--[\s\S]*?-->/g,
+  /@import\s+[^;]*;?/gi,
+  /expression\s*\(/gi,
+  /behavior\s*:/gi,
+  /-moz-binding\s*:/gi,
+  /javascript\s*:/gi,
+  /vbscript\s*:/gi
+];
+var SDK_URL_DATA_RE = /url\s*\(\s*(['"]?)\s*data\s*:[^)]*\)/gi;
+function sanitizeBrandCss(input) {
+  if (!input) return "";
+  let out = String(input);
+  if (out.length > SDK_CSS_MAX_LEN) out = out.slice(0, SDK_CSS_MAX_LEN);
+  out = out.replace(/</g, "");
+  for (const re of SDK_CSS_FORBIDDEN) out = out.replace(re, "");
+  out = out.replace(SDK_URL_DATA_RE, "url()");
+  return out;
+}
+function SdkBrandLogo({ branding, alt, fallback }) {
+  const light = branding?.logoLightUrl || branding?.logoUrl || null;
+  const dark = branding?.logoDarkUrl || null;
+  if (!light && !dark) return /* @__PURE__ */ jsx(Fragment2, { children: fallback });
+  const fallbackSrc = light || dark;
+  return /* @__PURE__ */ jsxs("picture", { "data-iqauth-sdk-logo": "", children: [
+    dark ? /* @__PURE__ */ jsx("source", { srcSet: dark, media: "(prefers-color-scheme: dark)" }) : null,
+    light ? /* @__PURE__ */ jsx("source", { srcSet: light, media: "(prefers-color-scheme: light)" }) : null,
+    /* @__PURE__ */ jsx("img", { src: fallbackSrc, alt })
+  ] });
+}
+var sdkBrandingCache = /* @__PURE__ */ new Map();
+var SDK_BRANDING_TTL_MS = 6e4;
+function flattenBrandingPayload(data) {
+  const e = data && data.effective || {};
+  const meta = data && data.meta || {};
+  return {
+    brandName: e.brandName ?? data?.brandName ?? null,
+    logoUrl: e.logoLightUrl ?? data?.logoUrl ?? null,
+    logoLightUrl: e.logoLightUrl ?? data?.logoLightUrl ?? null,
+    logoDarkUrl: e.logoDarkUrl ?? data?.logoDarkUrl ?? null,
+    faviconUrl: e.faviconUrl ?? data?.faviconUrl ?? null,
+    primaryColor: e.primaryColor ?? data?.primaryColor ?? null,
+    accentColor: e.accentColor ?? data?.accentColor ?? null,
+    backgroundColor: e.backgroundColor ?? data?.backgroundColor ?? null,
+    surfaceColor: e.surfaceColor ?? data?.surfaceColor ?? null,
+    textColor: e.textColor ?? data?.textColor ?? null,
+    fontFamilyBody: e.fontFamilyBody ?? data?.fontFamilyBody ?? null,
+    fontFamilyHeading: e.fontFamilyHeading ?? data?.fontFamilyHeading ?? null,
+    customFontUrl: e.customFontUrl ?? data?.customFontUrl ?? null,
+    borderRadius: e.borderRadius ?? data?.borderRadius ?? null,
+    backgroundImageUrl: e.backgroundImageUrl ?? data?.backgroundImageUrl ?? null,
+    customCss: e.customCss ?? data?.customCss ?? null,
+    loginLayout: e.loginLayout ?? data?.loginLayout ?? null,
+    socialButtonStyle: e.socialButtonStyle ?? data?.socialButtonStyle ?? null,
+    footerText: e.footerText ?? data?.footerText ?? null,
+    brandingRev: meta.brandingRev ?? data?.brandingRev ?? null
+  };
+}
+function useResolvedSdkBranding(iqAuthBaseUrl, appId) {
+  const ctx = useContext(IQAuthContext);
+  const resolvedAppId = appId ?? ctx?.manager?.appKey ?? null;
+  const url = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/public/branding${resolvedAppId ? `?appId=${encodeURIComponent(resolvedAppId)}` : ""}`;
+  const cached = sdkBrandingCache.get(url);
+  const fresh = cached && Date.now() - cached.ts < SDK_BRANDING_TTL_MS ? cached.data : null;
+  const [b, setB] = useState(fresh);
+  useEffect(() => {
+    let cancelled = false;
+    const entry = sdkBrandingCache.get(url);
+    const headers = {};
+    if (entry?.rev) headers["If-None-Match"] = `W/"brand-${entry.rev}"`;
+    if (entry) setB(entry.data);
+    fetch(url, { credentials: "include", headers }).then(async (r) => {
+      if (cancelled) return;
+      if (r.status === 304 && entry) {
+        sdkBrandingCache.set(url, { ...entry, ts: Date.now() });
+        return;
+      }
+      if (!r.ok) return;
+      const p = await r.json().catch(() => null);
+      if (!p?.data) return;
+      const flat = flattenBrandingPayload(p.data);
+      sdkBrandingCache.set(url, { ts: Date.now(), rev: flat.brandingRev || "", data: flat });
+      setB(flat);
+    }).catch(() => {
+    });
+    return () => {
+      cancelled = true;
+    };
+  }, [url]);
+  return b;
+}
+function ensureSdkShellStyles() {
+  if (typeof document === "undefined" || sdkShellStylesInjected) return;
+  const tag = document.createElement("style");
+  tag.setAttribute("data-iqauth-sdk-shell", "");
+  tag.textContent = SHELL_CSS;
+  document.head.appendChild(tag);
+  sdkShellStylesInjected = true;
+}
+function useDocumentBranding(branding, fallbackTitle) {
+  useEffect(() => {
+    if (typeof document === "undefined") return;
+    const prevTitle = document.title;
+    const brandName = branding?.brandName || "IQAuth";
+    document.title = `${fallbackTitle} \xB7 ${brandName}`;
+    let linkEl = null;
+    let prevHref = null;
+    if (branding?.faviconUrl) {
+      linkEl = document.querySelector("link[rel='icon']");
+      if (!linkEl) {
+        linkEl = document.createElement("link");
+        linkEl.rel = "icon";
+        document.head.appendChild(linkEl);
+      } else {
+        prevHref = linkEl.href;
+      }
+      linkEl.href = branding.faviconUrl;
+    }
+    return () => {
+      document.title = prevTitle;
+      if (linkEl && prevHref !== null) linkEl.href = prevHref;
+    };
+  }, [branding?.brandName, branding?.faviconUrl, fallbackTitle]);
+}
+function Shell({
+  branding,
+  className,
+  children,
+  title,
+  subtitle,
+  appearance
+}) {
+  ensureSdkShellStyles();
+  const t2 = useT();
+  useDocumentBranding(branding, title || t2("signIn.title"));
+  const brandVars = brandStyle(branding);
+  const brandName = branding?.brandName || "IQAuth";
+  const heroImage = branding?.heroImageUrl || null;
+  const layout = (branding?.loginLayout || "split_screen").toString();
+  const bgImage = branding?.backgroundImageUrl || null;
+  const fontUrl = branding?.customFontUrl || null;
+  const socialStyle = (branding?.socialButtonStyle || "").toString();
+  const heroStyle = heroImage ? { ["--iqauth-sdk-hero-image"]: `url("${heroImage.replace(/"/g, '\\"')}")` } : {};
+  const shellStyle = {
+    ...brandVars,
+    ...layout === "full_bleed" && bgImage ? { backgroundImage: `linear-gradient(rgba(15,23,42,0.35), rgba(15,23,42,0.45)), url("${bgImage.replace(/"/g, '\\"')}")` } : {},
+    ...appearance?.elements?.rootBox?.style || {}
+  };
+  const ap = appearance?.elements;
+  const supportLink = branding?.supportUrl ? branding.supportUrl : branding?.supportEmail ? `mailto:${branding.supportEmail}` : null;
+  const hasFooterLinks = !!(branding?.termsUrl || branding?.privacyUrl || supportLink);
+  return /* @__PURE__ */ jsxs(
+    "div",
+    {
+      className: `iqauth-sdk-shell${className ? ` ${className}` : ""}${ap?.rootBox?.className ? ` ${ap.rootBox.className}` : ""}`,
+      "data-layout": layout,
+      "data-social-style": socialStyle || void 0,
+      style: shellStyle,
+      "data-iqauth-shell": "",
+      "data-branding-rev": branding?.brandingRev || "",
+      children: [
+        /* @__PURE__ */ jsx("style", { "data-brand": true, children: [
+          fontUrl ? `@font-face{font-family:"${(branding?.fontFamilyBody || "Brand").replace(/"/g, "")}";src:url("${fontUrl.replace(/"/g, '\\"')}");font-display:swap;}` : "",
+          sanitizeBrandCss(branding?.customCss)
+        ].filter(Boolean).join("\n") }),
+        /* @__PURE__ */ jsxs("aside", { className: "iqauth-sdk-hero", "data-bg-image": heroImage ? "true" : "false", style: heroStyle, "aria-hidden": "true", children: [
+          /* @__PURE__ */ jsx("div", { className: "iqauth-sdk-hero-brand", style: { display: "flex", alignItems: "center", gap: 12 }, children: /* @__PURE__ */ jsx(SdkBrandLogo, { branding, alt: "", fallback: /* @__PURE__ */ jsx("span", { className: "iqauth-sdk-hero-name", children: brandName }) }) }),
+          /* @__PURE__ */ jsxs("div", { className: "iqauth-sdk-hero-content", children: [
+            /* @__PURE__ */ jsx("h2", { children: branding?.tagline || `Welcome to ${brandName}` }),
+            /* @__PURE__ */ jsx("p", { children: branding?.loginSideCopy || branding?.loginSubheadline || `Sign in to continue to your ${brandName} workspace.` })
+          ] }),
+          /* @__PURE__ */ jsx("div", { className: "iqauth-sdk-hero-foot", children: `\xA9 ${(/* @__PURE__ */ new Date()).getFullYear()} ${brandName}` })
+        ] }),
+        /* @__PURE__ */ jsx("div", { className: "iqauth-sdk-pane", children: /* @__PURE__ */ jsxs("main", { style: { width: "100%", maxWidth: 420 }, children: [
+          /* @__PURE__ */ jsx("div", { className: "iqauth-sdk-mobile-brand", children: /* @__PURE__ */ jsx(SdkBrandLogo, { branding, alt: `${brandName} logo`, fallback: /* @__PURE__ */ jsx("span", { children: brandName }) }) }),
+          /* @__PURE__ */ jsxs(
+            "section",
+            {
+              className: `iqauth-sdk-card${ap?.card?.className ? ` ${ap.card.className}` : ""}`,
+              style: ap?.card?.style,
+              children: [
+                title || subtitle ? /* @__PURE__ */ jsxs(
+                  "div",
+                  {
+                    className: `iqauth-sdk-card-header${ap?.cardHeader?.className ? ` ${ap.cardHeader.className}` : ""}`,
+                    style: ap?.cardHeader?.style,
+                    children: [
+                      title ? /* @__PURE__ */ jsx("h1", { className: ap?.headerTitle?.className, style: ap?.headerTitle?.style, children: title }) : null,
+                      subtitle ? /* @__PURE__ */ jsx("p", { className: ap?.headerSubtitle?.className, style: ap?.headerSubtitle?.style, children: subtitle }) : null
+                    ]
+                  }
+                ) : null,
+                /* @__PURE__ */ jsx(
+                  "div",
+                  {
+                    className: `iqauth-sdk-card-body${ap?.cardBody?.className ? ` ${ap.cardBody.className}` : ""}`,
+                    style: ap?.cardBody?.style,
+                    children
+                  }
+                )
+              ]
+            }
+          ),
+          hasFooterLinks || branding?.footerText ? /* @__PURE__ */ jsxs("footer", { className: "iqauth-sdk-footer", children: [
+            branding?.footerText ? /* @__PURE__ */ jsx("div", { "data-testid": "text-brand-footer-sdk", style: { fontSize: 12, opacity: 0.75 }, children: branding.footerText }) : null,
+            hasFooterLinks ? /* @__PURE__ */ jsxs("div", { className: "iqauth-sdk-footer-links", children: [
+              branding?.termsUrl ? /* @__PURE__ */ jsx("a", { href: branding.termsUrl, target: "_blank", rel: "noreferrer noopener", children: "Terms" }) : null,
+              branding?.privacyUrl ? /* @__PURE__ */ jsx("a", { href: branding.privacyUrl, target: "_blank", rel: "noreferrer noopener", children: "Privacy" }) : null,
+              supportLink ? /* @__PURE__ */ jsx("a", { href: supportLink, target: "_blank", rel: "noreferrer noopener", children: "Support" }) : null
+            ] }) : null
+          ] }) : null
+        ] }) })
+      ]
+    },
+    branding?.brandingRev || void 0
+  );
+}
+function Field({ label, children }) {
+  return /* @__PURE__ */ jsxs("label", { style: { display: "flex", flexDirection: "column", gap: 6, fontSize: 13 }, children: [
+    /* @__PURE__ */ jsx("span", { style: { fontWeight: 500 }, children: label }),
+    children
+  ] });
+}
+function inputStyle() {
+  return {
+    padding: "8px 12px",
+    border: "1px solid rgba(15,23,42,0.15)",
+    borderRadius: 6,
+    fontSize: 14,
+    width: "100%",
+    background: "transparent",
+    color: "inherit"
+  };
+}
+function PrimaryButton(props) {
+  return /* @__PURE__ */ jsx(
+    "button",
+    {
+      ...props,
+      style: {
+        background: "var(--brand-primary, #3b82f6)",
+        color: "#fff",
+        border: "none",
+        padding: "10px 16px",
+        borderRadius: 8,
+        fontSize: 14,
+        fontWeight: 500,
+        cursor: props.disabled ? "not-allowed" : "pointer",
+        opacity: props.disabled ? 0.6 : 1,
+        width: "100%",
+        ...props.style
+      }
+    }
+  );
+}
+function GhostButton(props) {
+  return /* @__PURE__ */ jsx(
+    "button",
+    {
+      ...props,
+      style: {
+        background: "transparent",
+        color: "inherit",
+        border: "1px solid rgba(15,23,42,0.15)",
+        padding: "10px 16px",
+        borderRadius: 8,
+        fontSize: 14,
+        fontWeight: 500,
+        cursor: props.disabled ? "not-allowed" : "pointer",
+        width: "100%",
+        ...props.style
+      }
+    }
+  );
+}
+function ErrorBanner({ message }) {
+  return /* @__PURE__ */ jsx("div", { role: "alert", style: {
+    borderLeft: "3px solid #dc2626",
+    background: "rgba(220,38,38,0.08)",
+    padding: "10px 14px",
+    borderRadius: "0 6px 6px 0",
+    fontSize: 13,
+    color: "#b91c1c"
+  }, children: message });
+}
+function isSilentSsoEligible(ctx, effectivePrompt) {
+  if (!ctx) return false;
+  if (effectivePrompt === "login") return false;
+  if (!ctx.session) return false;
+  if (!ctx.app.defaultClientId) return false;
+  if (!ctx.returnAllowed) return false;
+  return true;
+}
+function resolveAfterSignInDestination(args) {
+  let raw = args.prop ?? null;
+  if (!raw && typeof args.search === "string") {
+    try {
+      const params = new URLSearchParams(args.search);
+      raw = params.get("return_to") ?? params.get("next");
+    } catch {
+    }
+  }
+  return sanitizeReturnTo(raw, {
+    allowedOrigins: args.allowedOrigins,
+    currentOrigin: args.currentOrigin,
+    fallback: "/"
+  });
+}
+function SignIn(props) {
+  const providerCtx = useContext(IQAuthContext);
+  const iqAuthBaseUrl = props.iqAuthBaseUrl ?? providerCtx?.manager.hostedIssuerUrl ?? "";
+  const appKey = props.appKey ?? providerCtx?.manager.appKey ?? "";
+  const returnTo = props.returnTo ?? (typeof window !== "undefined" ? `${window.location.origin}/api/iqauth/callback` : "");
+  const afterSignInUrl = resolveAfterSignInDestination({
+    prop: props.afterSignInUrl,
+    search: typeof window !== "undefined" ? window.location.search : "",
+    allowedOrigins: providerCtx?.allowedReturnOrigins
+  });
+  const { onRedirect, className, prompt, appearance: instanceAppearance, silentSso: instanceSilentSso, scopeHint: scopeHintProp } = props;
+  const effectiveScopeHint = (() => {
+    const fromProp = scopeHintProp ?? null;
+    let raw = fromProp;
+    if (!raw && typeof window !== "undefined") {
+      try {
+        raw = new URLSearchParams(window.location.search).get("scope_hint");
+      } catch {
+      }
+    }
+    if (!raw) return null;
+    if (typeof raw === "object" && raw && raw.type && raw.id) {
+      const t3 = raw.type;
+      if (t3 === "vendor" || t3 === "source" || t3 === "client") return { type: t3, id: String(raw.id) };
+      return null;
+    }
+    if (typeof raw === "string" && raw.includes(":")) {
+      const [t3, id] = raw.split(":", 2);
+      if ((t3 === "vendor" || t3 === "source" || t3 === "client") && id) return { type: t3, id };
+    }
+    return null;
+  })();
+  const scopeHintBody = effectiveScopeHint ? { scopeHint: effectiveScopeHint } : {};
+  const silentSsoEnabled = instanceSilentSso ?? providerCtx?.silentSso ?? false;
+  const appearance = instanceAppearance && providerCtx?.appearance ? { elements: { ...providerCtx.appearance.elements, ...instanceAppearance.elements } } : instanceAppearance ?? providerCtx?.appearance ?? null;
+  if (!iqAuthBaseUrl || !appKey) {
+    console.error(
+      "[IQAuth] <SignIn /> could not determine iqAuthBaseUrl/appKey. Either pass them explicitly OR wrap the component in <IQAuthProvider publishableKey=\u2026/>."
+    );
+  }
+  const t2 = useT();
+  const localeBundle = useLocale();
+  const { ctx, loading, error } = useIQAuthSignInContext(iqAuthBaseUrl, appKey, returnTo);
+  const guardError = computeHostedIssuerMismatch({
+    nodeEnv: typeof process !== "undefined" ? process.env?.NODE_ENV : void 0,
+    fetchError: error,
+    explicitOverride: !!props.iqAuthBaseUrl,
+    resolvedBaseUrl: iqAuthBaseUrl,
+    managerIssuerUrl: providerCtx?.manager.issuerUrl,
+    hostedIssuerUrl: providerCtx?.manager.hostedIssuerUrl,
+    appKey
+  });
+  if (guardError) throw guardError;
+  useEffect(() => {
+    if (typeof document === "undefined") return;
+    const attrs = "; path=/; SameSite=Lax" + (typeof window !== "undefined" && window.location.protocol === "https:" ? "; Secure" : "");
+    document.cookie = `iqauth_return_to=${encodeURIComponent(afterSignInUrl)}${attrs}`;
+  }, [afterSignInUrl]);
+  const preflightLoggedRef = useRef(false);
+  useEffect(() => {
+    if (!ctx || preflightLoggedRef.current) return;
+    if (ctx.returnAllowed) return;
+    preflightLoggedRef.current = true;
+    console.error(
+      `[IQAuth] returnTo "${returnTo}" is NOT in the app's allowed origins. Add it via the IQAuth admin console: Apps \u2192 ${ctx.app.key} \u2192 Allowed Origins. Currently allowed: [${ctx.allowedOrigins.join(", ") || "\u2014"}].`
+    );
+  }, [ctx, returnTo]);
+  const [email, setEmail] = useState("");
+  const [password, setPassword] = useState("");
+  const [submitting, setSubmitting] = useState(false);
+  const [formError, setFormError] = useState("");
+  const [mfa, setMfa] = useState(null);
+  const [tenantSel, setTenantSel] = useState(null);
+  const [scopeSel, setScopeSel] = useState(null);
+  const [oauthExchanging, setOauthExchanging] = useState(false);
+  const [silent, setSilent] = useState("idle");
+  const [forcePrompt, setForcePrompt] = useState(false);
+  const effectivePrompt = useMemo(() => {
+    if (prompt === "login" || forcePrompt) return "login";
+    if (!silentSsoEnabled) return "login";
+    if (typeof window !== "undefined") {
+      try {
+        if (new URLSearchParams(window.location.search).get("prompt") === "login") return "login";
+      } catch {
+      }
+    }
+    return void 0;
+  }, [prompt, forcePrompt, silentSsoEnabled]);
+  const oidcPayload = () => ({
+    client_id: ctx?.app.defaultClientId,
+    redirect_uri: returnTo,
+    scope: "openid"
+  });
+  const handlePayload = (payload) => {
+    if (payload.type === "redirect" && payload.redirectUrl) {
+      (onRedirect || ((u) => {
+        window.location.href = u;
+      }))(payload.redirectUrl);
+      return true;
+    }
+    if (payload.type === "tenant_selection") {
+      setTenantSel({ token: payload.tenantSelectionToken, tenants: payload.tenants || [] });
+      return true;
+    }
+    if (payload.type === "scope_selection") {
+      setScopeSel({ token: payload.scopeSelectionToken, tenantId: payload.tenantId, scopes: payload.scopes || [] });
+      setTenantSel(null);
+      setMfa(null);
+      return true;
+    }
+    if (payload.type === "mfa_required") {
+      const methods = payload.availableMethods || ["totp"];
+      setMfa({ token: payload.mfaChallengeToken, methods, selected: methods[0], code: "", backup: false });
+      return true;
+    }
+    return false;
+  };
+  const submitLogin = async (e) => {
+    e.preventDefault();
+    if (!ctx?.app.defaultClientId) {
+      setFormError("Application is not configured for hosted sign-in.");
+      return;
+    }
+    setSubmitting(true);
+    setFormError("");
+    try {
+      const r = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/oidc/sso-login`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        credentials: "include",
+        body: JSON.stringify({ email, password, ...oidcPayload(), ...scopeHintBody })
+      });
+      const payload = await r.json().catch(() => ({}));
+      if (!handlePayload(payload)) setFormError(localizeError(localeBundle, { code: payload.error, message: payload.error_description }));
+    } catch (err) {
+      setFormError(err.message || t(localeBundle, "errors.network"));
+    }
+    setSubmitting(false);
+  };
+  const submitMfa = async (e) => {
+    e.preventDefault();
+    if (!mfa) return;
+    setSubmitting(true);
+    setFormError("");
+    const r = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/oidc/sso-mfa-complete`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      credentials: "include",
+      body: JSON.stringify({
+        mfaChallengeToken: mfa.token,
+        code: mfa.code,
+        method: mfa.selected,
+        useBackup: mfa.backup,
+        ...oidcPayload(),
+        ...scopeHintBody
+      })
+    });
+    const payload = await r.json().catch(() => ({}));
+    if (!handlePayload(payload)) setFormError(localizeError(localeBundle, { code: payload.error, message: payload.error_description }));
+    setSubmitting(false);
+  };
+  const submitTenant = async (tenantId) => {
+    if (!tenantSel) return;
+    setSubmitting(true);
+    setFormError("");
+    const r = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/oidc/sso-tenant-select`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      credentials: "include",
+      body: JSON.stringify({ tenantSelectionToken: tenantSel.token, tenantId, ...oidcPayload(), ...scopeHintBody })
+    });
+    const payload = await r.json().catch(() => ({}));
+    if (!handlePayload(payload)) setFormError(localizeError(localeBundle, { code: payload.error, message: payload.error_description }));
+    setSubmitting(false);
+  };
+  const submitScope = async (membershipId) => {
+    if (!scopeSel) return;
+    setSubmitting(true);
+    setFormError("");
+    const r = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/oidc/sso-scope-select`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      credentials: "include",
+      body: JSON.stringify({ scopeSelectionToken: scopeSel.token, membershipId, ...oidcPayload(), ...scopeHintBody })
+    });
+    const payload = await r.json().catch(() => ({}));
+    if (!handlePayload(payload)) setFormError(localizeError(localeBundle, { code: payload.error, message: payload.error_description }));
+    setSubmitting(false);
+  };
+  const startGoogleLogin = async () => {
+    if (!ctx?.app.defaultClientId) {
+      setFormError("Application is not configured for hosted sign-in.");
+      return;
+    }
+    let pkce;
+    try {
+      const mod = await import("./pkce-7WKV4OIN.mjs");
+      pkce = await mod.createPkcePair();
+    } catch (err) {
+      setFormError(err.message || "Unable to initialize Google sign-in");
+      return;
+    }
+    if (typeof document !== "undefined") {
+      const cookieAttrs = "; path=/; SameSite=Lax" + (window.location.protocol === "https:" ? "; Secure" : "");
+      document.cookie = `iqauth_pkce=${pkce.codeVerifier}${cookieAttrs}`;
+      document.cookie = `iqauth_state=${pkce.state}${cookieAttrs}`;
+    }
+    const params = new URLSearchParams({
+      redirect_uri: returnTo,
+      client_id: ctx.app.defaultClientId,
+      state: pkce.state,
+      nonce: pkce.nonce,
+      code_challenge: pkce.codeChallenge,
+      code_challenge_method: "S256",
+      scope: "openid profile email"
+    });
+    const url = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/google?${params.toString()}`;
+    window.location.href = url;
+  };
+  useEffect(() => {
+    if (loading || error || !ctx) return;
+    if (effectivePrompt === "login") {
+      setSilent("skipped");
+      return;
+    }
+    if (silent !== "idle") return;
+    if (!ctx.session || !ctx.app.defaultClientId || !ctx.returnAllowed) {
+      setSilent("skipped");
+      return;
+    }
+    setSilent("trying");
+    (async () => {
+      try {
+        const r = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/oidc/sso-resume`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          credentials: "include",
+          body: JSON.stringify(oidcPayload())
+        });
+        const payload = await r.json().catch(() => ({}));
+        if (payload?.type === "redirect" && payload.redirectUrl) {
+          (onRedirect || ((u) => {
+            window.location.replace(u);
+          }))(payload.redirectUrl);
+          return;
+        }
+        if (payload?.type === "tenant_selection") {
+          setTenantSel({ token: payload.tenantSelectionToken, tenants: payload.tenants || [] });
+          setSilent("failed");
+          return;
+        }
+        if (payload?.type === "scope_selection") {
+          setScopeSel({ token: payload.scopeSelectionToken, tenantId: payload.tenantId, scopes: payload.scopes || [] });
+          setSilent("failed");
+          return;
+        }
+        setSilent("failed");
+      } catch {
+        setSilent("failed");
+      }
+    })();
+  }, [loading, error, ctx, effectivePrompt]);
+  const switchAccount = (e) => {
+    if (e) e.preventDefault();
+    setForcePrompt(true);
+    setSilent("skipped");
+    setTenantSel(null);
+    setScopeSel(null);
+    if (typeof window !== "undefined") {
+      try {
+        const u = new URL(window.location.href);
+        u.searchParams.set("prompt", "login");
+        window.history.replaceState({}, "", u.toString());
+      } catch {
+      }
+    }
+  };
+  useEffect(() => {
+    if (!ctx?.app.defaultClientId) return;
+    const params = new URLSearchParams(window.location.search);
+    const oauthCode = params.get("code");
+    if (!oauthCode) return;
+    const u = new URL(window.location.href);
+    u.searchParams.delete("code");
+    const codeRedirectUri = u.toString();
+    setOauthExchanging(true);
+    setFormError("");
+    (async () => {
+      try {
+        const r = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/oidc/sso-complete-oauth`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          credentials: "include",
+          body: JSON.stringify({
+            authCode: oauthCode,
+            code_redirect_uri: codeRedirectUri,
+            ...oidcPayload()
+          })
+        });
+        const payload = await r.json().catch(() => ({}));
+        try {
+          window.history.replaceState({}, "", u.pathname + (u.search ? u.search : "") + u.hash);
+        } catch {
+        }
+        if (!handlePayload(payload)) setFormError(payload.error_description || payload.error || "Authorization code exchange failed");
+      } catch (err) {
+        setFormError(err.message || "Authorization code exchange failed");
+      }
+      setOauthExchanging(false);
+    })();
+  }, [ctx?.app.defaultClientId]);
+  if (loading || oauthExchanging) return /* @__PURE__ */ jsx(Shell, { appearance, branding: ctx?.branding || null, className, title: oauthExchanging ? t2("signIn.submitting") : t2("common.loading"), children: /* @__PURE__ */ jsx("p", { children: oauthExchanging ? t2("signIn.submitting") : t2("common.loading") }) });
+  if (error || !ctx) return /* @__PURE__ */ jsx(Shell, { appearance, branding: null, className, title: t2("errors.serverError"), children: /* @__PURE__ */ jsx(ErrorBanner, { message: error || t2("errors.serverError") }) });
+  if (!ctx.returnAllowed) return /* @__PURE__ */ jsx(Shell, { appearance, branding: ctx.branding, className, title: t2("errors.generic"), children: /* @__PURE__ */ jsx(ErrorBanner, { message: `returnTo "${returnTo}" is not in this app's allowed origins.` }) });
+  const silentEligible = isSilentSsoEligible(ctx, effectivePrompt);
+  if (silentEligible && silent !== "failed") {
+    return /* @__PURE__ */ jsxs(Shell, { appearance, branding: ctx.branding, className, title: t2("signIn.resumingSession"), subtitle: ctx.session ? `${t2("signIn.subtitle")}, ${ctx.session.name || ctx.session.email}.` : void 0, children: [
+      /* @__PURE__ */ jsx("p", { "data-testid": "text-silent-resume", style: { fontSize: 14, opacity: 0.8 }, children: t2("signIn.resumingSession") }),
+      /* @__PURE__ */ jsx("a", { href: "#", onClick: switchAccount, "data-testid": "link-switch-account", style: { fontSize: 13 }, children: t2("signIn.useDifferentAccount") })
+    ] });
+  }
+  const cardTitle = ctx.branding?.loginHeadline || t2("signIn.titleWithApp", { appName: ctx.app.name });
+  const cardSubtitle = ctx.branding?.loginSubheadline || void 0;
+  return /* @__PURE__ */ jsxs(Shell, { appearance, branding: ctx.branding, className, title: cardTitle, subtitle: cardSubtitle, children: [
+    formError ? /* @__PURE__ */ jsx(ErrorBanner, { message: formError }) : null,
+    tenantSel ? /* @__PURE__ */ jsx("div", { role: "radiogroup", "aria-label": t2("signIn.selectTenant"), style: { display: "flex", flexDirection: "column", gap: 8 }, children: tenantSel.tenants.map((tn) => /* @__PURE__ */ jsxs(
+      "button",
+      {
+        type: "button",
+        "data-iqauth-tenant": tn.tenantId,
+        onClick: () => submitTenant(tn.tenantId),
+        style: { textAlign: "left", padding: "10px 14px", border: "1px solid rgba(15,23,42,0.15)", borderRadius: 8, background: "transparent", color: "inherit", cursor: "pointer" },
+        children: [
+          /* @__PURE__ */ jsx("p", { style: { margin: 0, fontWeight: 500 }, children: tn.tenantName || tn.tenantSlug || tn.tenantId }),
+          /* @__PURE__ */ jsx("p", { style: { margin: 0, fontSize: 12, opacity: 0.6 }, children: tn.roles.join(", ") })
+        ]
+      },
+      tn.tenantId
+    )) }) : scopeSel ? (
+      // Task #171 — scope picker (source/client memberships)
+      /* @__PURE__ */ jsx("div", { role: "radiogroup", "aria-label": t2("signIn.selectScope") || "Choose scope", "data-iqauth-scope-picker": "1", style: { display: "flex", flexDirection: "column", gap: 8 }, children: scopeSel.scopes.map((s) => /* @__PURE__ */ jsxs(
+        "button",
+        {
+          type: "button",
+          "data-iqauth-scope": s.membershipId,
+          onClick: () => submitScope(s.membershipId),
+          style: { textAlign: "left", padding: "10px 14px", border: "1px solid rgba(15,23,42,0.15)", borderRadius: 8, background: "transparent", color: "inherit", cursor: "pointer" },
+          children: [
+            /* @__PURE__ */ jsx("p", { style: { margin: 0, fontWeight: 500 }, children: s.scopeName }),
+            /* @__PURE__ */ jsxs("p", { style: { margin: 0, fontSize: 12, opacity: 0.6 }, children: [
+              s.scopeType,
+              " \xB7 ",
+              s.roleName
+            ] })
+          ]
+        },
+        s.membershipId
+      )) })
+    ) : mfa ? /* @__PURE__ */ jsxs("form", { onSubmit: submitMfa, style: { display: "flex", flexDirection: "column", gap: 12 }, "aria-label": t2("mfa.title"), children: [
+      !mfa.backup && mfa.methods.length > 1 ? /* @__PURE__ */ jsx(Field, { label: t2("mfa.title"), children: /* @__PURE__ */ jsx("select", { style: inputStyle(), value: mfa.selected, onChange: (e) => setMfa({ ...mfa, selected: e.target.value }), children: mfa.methods.map((m) => /* @__PURE__ */ jsx("option", { value: m, children: m.toUpperCase() }, m)) }) }) : null,
+      /* @__PURE__ */ jsx(Field, { label: mfa.backup ? t2("mfa.backupCodeLabel") : t2("mfa.totpLabel"), children: /* @__PURE__ */ jsx(
+        "input",
+        {
+          style: { ...inputStyle(), fontFamily: "monospace", textAlign: mfa.backup ? "left" : "center", letterSpacing: mfa.backup ? "0.04em" : "0.3em" },
+          value: mfa.code,
+          onChange: (e) => setMfa({ ...mfa, code: e.target.value }),
+          autoComplete: "one-time-code",
+          inputMode: mfa.backup ? "text" : "numeric"
+        }
+      ) }),
+      /* @__PURE__ */ jsx(PrimaryButton, { type: "submit", disabled: submitting || !mfa.code, children: submitting ? t2("mfa.submitting") : t2("mfa.submit") }),
+      /* @__PURE__ */ jsx(GhostButton, { type: "button", onClick: () => setMfa({ ...mfa, backup: !mfa.backup, code: "" }), children: mfa.backup ? t2("mfa.useAuthenticator") : t2("mfa.useBackupCode") })
+    ] }) : /* @__PURE__ */ jsxs("div", { style: { display: "flex", flexDirection: "column", gap: 12 }, children: [
+      ctx.providers?.google ? /* @__PURE__ */ jsxs(Fragment2, { children: [
+        /* @__PURE__ */ jsxs("button", { type: "button", className: "iqauth-sdk-google-btn", onClick: startGoogleLogin, disabled: submitting, "aria-label": ctx.branding?.googleButtonLabel || t2("signIn.continueWithGoogle"), children: [
+          /* @__PURE__ */ jsxs("svg", { width: "18", height: "18", viewBox: "0 0 18 18", "aria-hidden": "true", children: [
+            /* @__PURE__ */ jsx("path", { fill: "#4285F4", d: "M17.64 9.2c0-.64-.06-1.25-.17-1.84H9v3.48h4.84a4.14 4.14 0 0 1-1.8 2.71v2.26h2.92a8.78 8.78 0 0 0 2.68-6.61z" }),
+            /* @__PURE__ */ jsx("path", { fill: "#34A853", d: "M9 18c2.43 0 4.47-.81 5.96-2.18l-2.92-2.26a5.4 5.4 0 0 1-8.04-2.83H.96v2.33A9 9 0 0 0 9 18z" }),
+            /* @__PURE__ */ jsx("path", { fill: "#FBBC05", d: "M3.96 10.71A5.41 5.41 0 0 1 3.68 9c0-.59.1-1.17.29-1.71V4.96H.96a9 9 0 0 0 0 8.08l3-2.33z" }),
+            /* @__PURE__ */ jsx("path", { fill: "#EA4335", d: "M9 3.58c1.32 0 2.5.45 3.44 1.35l2.58-2.59A9 9 0 0 0 .96 4.96l3 2.33A5.4 5.4 0 0 1 9 3.58z" })
+          ] }),
+          ctx.branding?.googleButtonLabel || t2("signIn.continueWithGoogle")
+        ] }),
+        /* @__PURE__ */ jsx("div", { role: "separator", "aria-label": t2("common.or"), className: "iqauth-sdk-divider", children: t2("signIn.dividerOr").toUpperCase() })
+      ] }) : null,
+      /* @__PURE__ */ jsxs("form", { onSubmit: submitLogin, style: { display: "flex", flexDirection: "column", gap: 12 }, "aria-label": t2("signIn.titleWithApp", { appName: ctx.app.name }), children: [
+        /* @__PURE__ */ jsx(Field, { label: t2("signIn.emailLabel"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "email", autoComplete: "email", required: true, value: email, onChange: (e) => setEmail(e.target.value) }) }),
+        /* @__PURE__ */ jsx(Field, { label: t2("signIn.passwordLabel"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "password", autoComplete: "current-password", required: true, value: password, onChange: (e) => setPassword(e.target.value) }) }),
+        /* @__PURE__ */ jsx(PrimaryButton, { type: "submit", disabled: submitting || !email || !password, children: submitting ? t2("signIn.submitting") : t2("signIn.submit") })
+      ] })
+    ] }),
+    (silent === "failed" || effectivePrompt === "login" && ctx.session) && !mfa ? /* @__PURE__ */ jsx("p", { style: { marginTop: 12, fontSize: 13, opacity: 0.75 }, children: /* @__PURE__ */ jsx("a", { href: "#", onClick: switchAccount, "data-testid": "link-switch-account", children: t2("signIn.useDifferentAccount") }) }) : null
+  ] });
+}
+function SignUp({ iqAuthBaseUrl, appKey, returnTo, onSuccess, className }) {
+  const t2 = useT();
+  const localeBundle = useLocale();
+  const { ctx, loading } = useIQAuthSignInContext(iqAuthBaseUrl, appKey, returnTo || "");
+  const [name, setName] = useState("");
+  const [email, setEmail] = useState("");
+  const [password, setPassword] = useState("");
+  const [organizationName, setOrganizationName] = useState("");
+  const [submitting, setSubmitting] = useState(false);
+  const [error, setError] = useState("");
+  const [done, setDone] = useState(false);
+  const submit = async (e) => {
+    e.preventDefault();
+    setSubmitting(true);
+    setError("");
+    try {
+      await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/signup`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ email, name, password, organizationName: organizationName || void 0 })
+      });
+      setDone(true);
+      onSuccess?.();
+    } catch (err) {
+      setError(localizeError(localeBundle, err.message));
+    }
+    setSubmitting(false);
+  };
+  if (loading) return /* @__PURE__ */ jsx(Shell, { branding: null, className, children: /* @__PURE__ */ jsx("p", { children: t2("common.loading") }) });
+  return /* @__PURE__ */ jsx(Shell, { branding: ctx?.branding || null, className, title: t2("signUp.title"), children: done ? /* @__PURE__ */ jsx("div", { role: "status", children: /* @__PURE__ */ jsx("p", { children: t2("magicLink.subtitle", { email }) }) }) : /* @__PURE__ */ jsxs("form", { onSubmit: submit, style: { display: "flex", flexDirection: "column", gap: 12 }, children: [
+    error ? /* @__PURE__ */ jsx(ErrorBanner, { message: error }) : null,
+    /* @__PURE__ */ jsx(Field, { label: t2("signUp.nameLabel"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), value: name, onChange: (e) => setName(e.target.value), required: true }) }),
+    /* @__PURE__ */ jsx(Field, { label: t2("signUp.emailLabel"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "email", autoComplete: "email", value: email, onChange: (e) => setEmail(e.target.value), required: true }) }),
+    /* @__PURE__ */ jsx(Field, { label: `${t2("signUp.tenantNameLabel")} (${t2("common.optional")})`, children: /* @__PURE__ */ jsx("input", { style: inputStyle(), value: organizationName, onChange: (e) => setOrganizationName(e.target.value) }) }),
+    /* @__PURE__ */ jsx(Field, { label: t2("signUp.passwordLabel"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "password", autoComplete: "new-password", minLength: 8, value: password, onChange: (e) => setPassword(e.target.value), required: true }) }),
+    /* @__PURE__ */ jsx(PrimaryButton, { type: "submit", disabled: submitting || !email || !password || !name, children: submitting ? t2("signUp.submitting") : t2("signUp.submit") })
+  ] }) });
+}
+function initialsOf(name, email) {
+  const src = name || email || "?";
+  const parts = src.split(/[\s@]+/).filter(Boolean);
+  if (parts.length >= 2) return (parts[0][0] + parts[1][0]).toUpperCase();
+  return src.substring(0, 2).toUpperCase();
+}
+function UserButton({ iqAuthBaseUrl, accountUrl, onSignOut, className }) {
+  const t2 = useT();
+  const [user, setUser] = useState(null);
+  const [open, setOpen] = useState(false);
+  const branding = useResolvedSdkBranding(iqAuthBaseUrl);
+  const accent = branding?.accentColor || "#6366f1";
+  const primary = branding?.primaryColor || "#0f172a";
+  useEffect(() => {
+    let cancelled = false;
+    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()).then((p) => {
+      if (!cancelled && p?.data) setUser(p.data);
+    }).catch(() => {
+    });
+    return () => {
+      cancelled = true;
+    };
+  }, [iqAuthBaseUrl]);
+  const signOut2 = async () => {
+    try {
+      await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/logout`, { method: "POST", credentials: "include" });
+    } catch {
+    }
+    if (onSignOut) onSignOut();
+    else window.location.reload();
+  };
+  if (!user) return null;
+  const target = accountUrl || `${iqAuthBaseUrl.replace(/\/$/, "")}/account`;
+  return /* @__PURE__ */ jsxs(
+    "div",
+    {
+      className,
+      style: { position: "relative", display: "inline-block", ...brandStyle(branding) },
+      "data-iqauth-sdk-userbutton": "",
+      "data-branding-rev": branding?.brandingRev || "",
+      children: [
+        /* @__PURE__ */ jsx(
+          "button",
+          {
+            type: "button",
+            "aria-haspopup": "menu",
+            "aria-expanded": open,
+            onClick: () => setOpen((o) => !o),
+            style: {
+              width: 32,
+              height: 32,
+              borderRadius: "50%",
+              background: accent,
+              color: "#fff",
+              border: "none",
+              cursor: "pointer",
+              fontSize: 12,
+              fontWeight: 600
+            },
+            children: user.picture ? /* @__PURE__ */ jsx("img", { src: user.picture, alt: user.name, style: { width: "100%", height: "100%", borderRadius: "50%" } }) : initialsOf(user.name, user.email)
+          }
+        ),
+        open ? /* @__PURE__ */ jsxs("div", { role: "menu", style: {
+          position: "absolute",
+          right: 0,
+          top: 40,
+          minWidth: 200,
+          background: "#fff",
+          border: "1px solid rgba(15,23,42,0.12)",
+          borderRadius: 8,
+          boxShadow: "0 4px 12px rgba(0,0,0,0.08)",
+          padding: 8,
+          zIndex: 100
+        }, children: [
+          /* @__PURE__ */ jsxs("div", { style: { padding: "8px 10px", fontSize: 12, opacity: 0.7, borderBottom: "1px solid rgba(15,23,42,0.06)" }, children: [
+            /* @__PURE__ */ jsx("div", { style: { fontWeight: 500, color: "#0f172a" }, children: user.name }),
+            /* @__PURE__ */ jsx("div", { children: user.email })
+          ] }),
+          /* @__PURE__ */ jsx("a", { href: target, role: "menuitem", style: { display: "block", padding: "8px 10px", fontSize: 13, color: primary, textDecoration: "none" }, children: t2("userButton.manageAccount") }),
+          /* @__PURE__ */ jsx(
+            "button",
+            {
+              role: "menuitem",
+              type: "button",
+              onClick: signOut2,
+              style: { display: "block", width: "100%", textAlign: "left", padding: "8px 10px", fontSize: 13, background: "transparent", border: "none", cursor: "pointer", color: "#b91c1c" },
+              children: t2("userButton.signOut")
+            }
+          )
+        ] }) : null
+      ]
+    }
+  );
+}
+function UserProfile({ iqAuthBaseUrl, className }) {
+  const t2 = useT();
+  const localeBundle = useLocale();
+  const branding = useResolvedSdkBranding(iqAuthBaseUrl);
+  const [user, setUser] = useState(null);
+  const [oldPassword, setOldPassword] = useState("");
+  const [newPassword, setNewPassword] = useState("");
+  const [pwState, setPwState] = useState({ submitting: false, message: "", error: "" });
+  const [sessions, setSessions] = useState([]);
+  const [revokeAllBusy, setRevokeAllBusy] = useState(false);
+  const loadSessions = () => {
+    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/users/me/sessions`, { credentials: "include" }).then((r) => r.ok ? r.json() : Promise.reject(r)).then((p) => setSessions(p?.data?.sessions || [])).catch(() => {
+      fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/sessions`, { credentials: "include" }).then((r) => r.json()).then((p) => setSessions(p?.data?.sessions || p?.data || [])).catch(() => {
+      });
+    });
+  };
+  useEffect(() => {
+    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()).then((p) => {
+      if (p?.data) setUser(p.data);
+    }).catch(() => {
+    });
+    loadSessions();
+  }, [iqAuthBaseUrl]);
+  const changePassword = async (e) => {
+    e.preventDefault();
+    setPwState({ submitting: true, message: "", error: "" });
+    try {
+      await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/password/change`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ oldPassword, newPassword })
+      });
+      setPwState({ submitting: false, message: t(localeBundle, "userProfile.passwordUpdated"), error: "" });
+      setOldPassword("");
+      setNewPassword("");
+    } catch (err) {
+      setPwState({ submitting: false, message: "", error: localizeError(localeBundle, err.message) });
+    }
+  };
+  const revoke = async (sessionId) => {
+    const newRes = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/users/me/sessions/${sessionId}`, { method: "DELETE", credentials: "include" });
+    if (!newRes.ok && newRes.status === 404) {
+      await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/sessions/${sessionId}`, { method: "DELETE", credentials: "include" });
+    }
+    setSessions((prev) => prev.filter((s) => s.id !== sessionId));
+  };
+  const revokeAllOthers = async () => {
+    setRevokeAllBusy(true);
+    try {
+      await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/users/me/sessions/revoke-all-others`, { method: "POST", credentials: "include" });
+      setSessions((prev) => prev.filter((s) => s.isCurrent));
+    } finally {
+      setRevokeAllBusy(false);
+    }
+  };
+  if (!user) return /* @__PURE__ */ jsx(Shell, { branding, className, children: /* @__PURE__ */ jsx("p", { children: t2("common.loading") }) });
+  return /* @__PURE__ */ jsxs(Shell, { branding, className, title: t2("userProfile.title"), children: [
+    /* @__PURE__ */ jsxs("section", { "aria-labelledby": "iqauth-profile", style: { marginBottom: 20 }, children: [
+      /* @__PURE__ */ jsx("h3", { id: "iqauth-profile", style: { fontSize: 14, fontWeight: 600 }, children: t2("userProfile.profileTab") }),
+      /* @__PURE__ */ jsxs("p", { style: { fontSize: 13, margin: "4px 0" }, children: [
+        /* @__PURE__ */ jsxs("strong", { children: [
+          t2("common.name"),
+          ":"
+        ] }),
+        " ",
+        user.name
+      ] }),
+      /* @__PURE__ */ jsxs("p", { style: { fontSize: 13, margin: "4px 0" }, children: [
+        /* @__PURE__ */ jsxs("strong", { children: [
+          t2("common.email"),
+          ":"
+        ] }),
+        " ",
+        user.email
+      ] })
+    ] }),
+    /* @__PURE__ */ jsxs("section", { "aria-labelledby": "iqauth-pw", style: { marginBottom: 20 }, children: [
+      /* @__PURE__ */ jsx("h3", { id: "iqauth-pw", style: { fontSize: 14, fontWeight: 600 }, children: t2("userProfile.changePassword") }),
+      pwState.error ? /* @__PURE__ */ jsx(ErrorBanner, { message: pwState.error }) : null,
+      pwState.message ? /* @__PURE__ */ jsx("div", { role: "status", style: { fontSize: 13, color: "#047857" }, children: pwState.message }) : null,
+      /* @__PURE__ */ jsxs("form", { onSubmit: changePassword, style: { display: "flex", flexDirection: "column", gap: 10 }, children: [
+        /* @__PURE__ */ jsx(Field, { label: t2("userProfile.currentPassword"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "password", autoComplete: "current-password", value: oldPassword, onChange: (e) => setOldPassword(e.target.value), required: true }) }),
+        /* @__PURE__ */ jsx(Field, { label: t2("userProfile.newPassword"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "password", autoComplete: "new-password", minLength: 8, value: newPassword, onChange: (e) => setNewPassword(e.target.value), required: true }) }),
+        /* @__PURE__ */ jsx(PrimaryButton, { type: "submit", disabled: pwState.submitting || !oldPassword || !newPassword, children: pwState.submitting ? t2("common.saving") : t2("userProfile.changePassword") })
+      ] })
+    ] }),
+    /* @__PURE__ */ jsxs("section", { "aria-labelledby": "iqauth-sessions", children: [
+      /* @__PURE__ */ jsxs("div", { style: { display: "flex", alignItems: "center", justifyContent: "space-between" }, children: [
+        /* @__PURE__ */ jsx("h3", { id: "iqauth-sessions", style: { fontSize: 14, fontWeight: 600, margin: 0 }, children: t2("userProfile.sessionsTab") }),
+        sessions.some((s) => !s.isCurrent) && /* @__PURE__ */ jsx(
+          "button",
+          {
+            type: "button",
+            disabled: revokeAllBusy,
+            onClick: revokeAllOthers,
+            style: { fontSize: 12, color: "#b91c1c", background: "transparent", border: "1px solid #fecaca", borderRadius: 4, padding: "4px 10px", cursor: "pointer" },
+            children: revokeAllBusy ? t2("common.submitting") : t2("userProfile.revokeAllOthers")
+          }
+        )
+      ] }),
+      sessions.length === 0 ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13, opacity: 0.6 }, children: t2("userProfile.sessionsEmpty") }) : /* @__PURE__ */ jsx("ul", { style: { listStyle: "none", padding: 0, margin: "8px 0 0", display: "flex", flexDirection: "column", gap: 6 }, children: sessions.map((s) => /* @__PURE__ */ jsxs("li", { style: { display: "flex", justifyContent: "space-between", alignItems: "center", fontSize: 13, padding: "8px 10px", background: s.isCurrent ? "#ecfdf5" : "#f8fafc", borderRadius: 6, border: s.isCurrent ? "1px solid #a7f3d0" : "1px solid transparent" }, children: [
+        /* @__PURE__ */ jsxs("div", { style: { display: "flex", flexDirection: "column", gap: 2 }, children: [
+          /* @__PURE__ */ jsxs("span", { style: { fontWeight: 500 }, children: [
+            s.device || s.userAgent || s.deviceName || "\u2014",
+            s.isCurrent && /* @__PURE__ */ jsxs("span", { style: { marginLeft: 8, fontSize: 11, color: "#047857" }, children: [
+              "(",
+              t2("userProfile.thisDevice"),
+              ")"
+            ] })
+          ] }),
+          /* @__PURE__ */ jsxs("span", { style: { fontSize: 11, opacity: 0.65 }, children: [
+            s.ip || "\u2014",
+            s.lastActiveAt ? ` \xB7 ${new Date(s.lastActiveAt).toLocaleString()}` : ""
+          ] })
+        ] }),
+        !s.isCurrent && /* @__PURE__ */ jsx("button", { type: "button", onClick: () => revoke(s.id), style: { fontSize: 12, color: "#b91c1c", background: "transparent", border: "1px solid #fecaca", borderRadius: 4, padding: "2px 8px", cursor: "pointer" }, children: t2("userProfile.revokeSession") })
+      ] }, s.id)) })
+    ] })
+  ] });
+}
+function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, appearance: _appearance, className }) {
+  const t2 = useT();
+  const branding = useResolvedSdkBranding(iqAuthBaseUrl);
+  const accent = branding?.accentColor || "#6366f1";
+  const { manager } = useCtx();
+  const [memberships, setMemberships] = useState([]);
+  const [activeTenantId, setActiveTenantId] = useState(null);
+  const [open, setOpen] = useState(false);
+  const [pendingStep, setPendingStep] = useState(null);
+  const [switchError, setSwitchError] = useState(null);
+  useEffect(() => {
+    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()).then((p) => {
+      if (p?.data?.tenantId) setActiveTenantId(p.data.tenantId);
+    }).catch(() => {
+    });
+    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/tenants/memberships`, { credentials: "include" }).then((r) => r.json()).then((p) => setMemberships(p?.data?.memberships || p?.data || [])).catch(() => {
+    });
+  }, [iqAuthBaseUrl]);
+  const switchTo = async (tenantId) => {
+    setSwitchError(null);
+    setPendingStep(null);
+    try {
+      const result = await performTenantSwitch(manager, iqAuthBaseUrl, tenantId);
+      if (result.kind === "mfa_required") {
+        setPendingStep({
+          kind: "mfa_required",
+          tenantId: result.tenantId,
+          mfaChallengeToken: result.mfaChallengeToken,
+          availableMethods: result.availableMethods
+        });
+        return;
+      }
+      if (result.kind === "scope_selection_required") {
+        setPendingStep({
+          kind: "scope_selection_required",
+          tenantId: result.tenantId,
+          scopeSelectionToken: result.scopeSelectionToken
+        });
+        return;
+      }
+      setActiveTenantId(tenantId);
+      setOpen(false);
+      onSwitched?.(tenantId);
+    } catch (err) {
+      setSwitchError(err instanceof Error ? err.message : "Failed to switch organization");
+    }
+  };
+  const hostedSignInUrl = () => {
+    const baseHosted = `${iqAuthBaseUrl.replace(/\/$/, "")}/sign-in`;
+    if (!pendingStep) return baseHosted;
+    const params = new URLSearchParams();
+    if (pendingStep.kind === "mfa_required") {
+      params.set("mfaChallengeToken", pendingStep.mfaChallengeToken);
+      if (pendingStep.availableMethods.length) {
+        params.set("availableMethods", pendingStep.availableMethods.join(","));
+      }
+    } else {
+      params.set("prompt", "login");
+    }
+    return `${baseHosted}?${params.toString()}`;
+  };
+  const active = memberships.find((m) => m.tenantId === activeTenantId);
+  return /* @__PURE__ */ jsxs(
+    "div",
+    {
+      className,
+      style: { position: "relative", display: "inline-block", ...brandStyle(branding) },
+      "data-iqauth-sdk-orgswitcher": "",
+      "data-branding-rev": branding?.brandingRev || "",
+      children: [
+        /* @__PURE__ */ jsx(
+          "button",
+          {
+            type: "button",
+            "aria-haspopup": "menu",
+            "aria-expanded": open,
+            onClick: () => setOpen((o) => !o),
+            style: { background: "transparent", border: `1px solid ${accent}55`, color: branding?.primaryColor || "#0f172a", padding: "6px 12px", borderRadius: 6, cursor: "pointer", fontSize: 13 },
+            children: active?.tenantName || active?.tenantSlug || t2("orgSwitcher.label")
+          }
+        ),
+        open ? /* @__PURE__ */ jsxs("div", { role: "menu", style: {
+          position: "absolute",
+          left: 0,
+          top: 36,
+          minWidth: 260,
+          background: "#fff",
+          border: "1px solid rgba(15,23,42,0.12)",
+          borderRadius: 8,
+          boxShadow: "0 4px 12px rgba(0,0,0,0.08)",
+          padding: 8,
+          zIndex: 100
+        }, children: [
+          memberships.length === 0 ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13, opacity: 0.6, padding: "4px 6px" }, children: t2("orgSwitcher.noOrgs") }) : memberships.map((m) => /* @__PURE__ */ jsxs(
+            "button",
+            {
+              role: "menuitem",
+              type: "button",
+              onClick: () => switchTo(m.tenantId),
+              style: {
+                display: "block",
+                width: "100%",
+                textAlign: "left",
+                padding: "8px 10px",
+                background: m.tenantId === activeTenantId ? `${accent}14` : "transparent",
+                border: "none",
+                borderRadius: 4,
+                cursor: "pointer",
+                fontSize: 13,
+                color: "#0f172a"
+              },
+              children: [
+                /* @__PURE__ */ jsx("div", { style: { fontWeight: 500 }, children: m.tenantName || m.tenantSlug || m.tenantId }),
+                /* @__PURE__ */ jsx("div", { style: { fontSize: 11, opacity: 0.6 }, children: m.roles.join(", ") })
+              ]
+            },
+            m.tenantId
+          )),
+          pendingStep ? /* @__PURE__ */ jsxs(
+            "div",
+            {
+              "data-testid": pendingStep.kind === "mfa_required" ? "prompt-org-switch-mfa-required" : "prompt-org-switch-scope-required",
+              role: "alert",
+              style: {
+                marginTop: 8,
+                padding: "10px 12px",
+                background: `${accent}10`,
+                border: `1px solid ${accent}55`,
+                borderRadius: 6
+              },
+              children: [
+                /* @__PURE__ */ jsx("div", { style: { fontSize: 12, fontWeight: 600, color: "#0f172a", marginBottom: 4 }, children: pendingStep.kind === "mfa_required" ? t2("orgSwitcher.mfaRequiredTitle") : t2("orgSwitcher.scopeSelectionRequiredTitle") }),
+                /* @__PURE__ */ jsx("div", { style: { fontSize: 12, color: "#334155", marginBottom: 8 }, children: pendingStep.kind === "mfa_required" ? t2("orgSwitcher.mfaRequiredBody") : t2("orgSwitcher.scopeSelectionRequiredBody") }),
+                /* @__PURE__ */ jsx(
+                  "a",
+                  {
+                    href: hostedSignInUrl(),
+                    "data-testid": "link-org-switch-continue-hosted",
+                    style: {
+                      display: "inline-block",
+                      fontSize: 12,
+                      fontWeight: 600,
+                      color: branding?.accentColor || accent,
+                      textDecoration: "none"
+                    },
+                    children: t2("orgSwitcher.continueInHostedSignIn")
+                  }
+                )
+              ]
+            }
+          ) : null,
+          switchError ? /* @__PURE__ */ jsx("p", { "data-testid": "text-org-switch-error", style: { fontSize: 12, color: "#b91c1c", padding: "6px 8px 0" }, children: switchError }) : null
+        ] }) : null
+      ]
+    }
+  );
+}
+function useMemberships() {
+  const { manager, snapshot } = useCtx();
+  const [memberships, setMemberships] = useState([]);
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState(null);
+  const base = manager.issuerUrl.replace(/\/$/, "");
+  const refresh = useCallback(async () => {
+    setIsLoading(true);
+    setError(null);
+    try {
+      const res = await manager.fetch(`${base}/api/v1/auth/available-scopes`);
+      const json = await res.json().catch(() => ({}));
+      if (!res.ok) throw new Error(json?.error?.message || `HTTP ${res.status}`);
+      const tree = json.data || {};
+      const flat = [];
+      for (const v of tree.vendors || []) {
+        flat.push({
+          membershipId: v.membershipId,
+          scopeType: "vendor",
+          scopeId: v.id,
+          scopeName: v.name,
+          role: v.role,
+          grantedVia: v.grantedVia || "direct"
+        });
+      }
+      for (const s of tree.sources || []) {
+        flat.push({
+          membershipId: s.membershipId,
+          scopeType: "source",
+          scopeId: s.id,
+          scopeName: s.name,
+          role: s.role,
+          grantedVia: s.grantedVia || "direct"
+        });
+      }
+      for (const c of tree.clients || []) {
+        flat.push({
+          membershipId: c.membershipId,
+          scopeType: "client",
+          scopeId: c.id,
+          scopeName: c.name,
+          role: c.role,
+          grantedVia: c.grantedVia || "direct"
+        });
+      }
+      setMemberships(flat);
+    } catch (err) {
+      setError(err.message);
+      setMemberships([]);
+    } finally {
+      setIsLoading(false);
+    }
+  }, [manager, base]);
+  useEffect(() => {
+    if (snapshot.status !== "authenticated") {
+      setMemberships([]);
+      setIsLoading(false);
+      return;
+    }
+    void refresh();
+  }, [snapshot.status, snapshot.tenantId, refresh]);
+  const switchScope = useCallback(
+    (target) => performScopeSwitch(manager, base, target),
+    [manager, base]
+  );
+  const active = useMemo(() => {
+    const ctx = snapshot.user?.scopeContext;
+    if (!ctx) return null;
+    return {
+      type: ctx.type,
+      id: ctx.id,
+      role: ctx.role,
+      membershipId: ctx.membershipId
+    };
+  }, [snapshot.user, snapshot.version]);
+  return { isLoading, error, memberships, active, refresh, switchScope };
+}
+function ScopeSwitcher({ onSwitched, include, className }) {
+  const { memberships, active, isLoading, error, switchScope } = useMemberships();
+  const [open, setOpen] = useState(false);
+  const [busy, setBusy] = useState(null);
+  const [switchError, setSwitchError] = useState(null);
+  const visible = useMemo(
+    () => include ? memberships.filter((m) => include.includes(m.scopeType)) : memberships,
+    [memberships, include]
+  );
+  if (isLoading) {
+    return createElement(
+      "div",
+      { className, "data-testid": "scope-switcher-loading", style: { fontSize: 13, opacity: 0.6 } },
+      "Loading scopes\u2026"
+    );
+  }
+  if (error) {
+    return createElement(
+      "div",
+      { className, "data-testid": "scope-switcher-error", style: { fontSize: 13, color: "#b91c1c" } },
+      error
+    );
+  }
+  if (!visible.length) return null;
+  const activeLabel = active ? visible.find((m) => m.scopeType === active.type && m.scopeId === active.id)?.scopeName || `${active.type}:${active.id}` : "Select a scope";
+  return createElement(
+    "div",
+    { className, "data-testid": "scope-switcher", style: { position: "relative", display: "inline-block" } },
+    createElement(
+      "button",
+      {
+        type: "button",
+        "data-testid": "scope-switcher-trigger",
+        onClick: () => setOpen((v) => !v),
+        style: {
+          padding: "6px 10px",
+          border: "1px solid #e5e7eb",
+          borderRadius: 6,
+          background: "#fff",
+          cursor: "pointer",
+          fontSize: 13
+        }
+      },
+      active ? `${active.type}: ${activeLabel}` : activeLabel
+    ),
+    switchError ? createElement(
+      "div",
+      {
+        "data-testid": "scope-switcher-switch-error",
+        style: { marginTop: 4, fontSize: 12, color: "#b91c1c" }
+      },
+      switchError
+    ) : null,
+    open ? createElement(
+      "div",
+      {
+        "data-testid": "scope-switcher-menu",
+        style: {
+          position: "absolute",
+          top: "100%",
+          left: 0,
+          marginTop: 4,
+          minWidth: 220,
+          background: "#fff",
+          border: "1px solid #e5e7eb",
+          borderRadius: 6,
+          boxShadow: "0 4px 12px rgba(0,0,0,0.08)",
+          padding: 4,
+          zIndex: 50
+        }
+      },
+      visible.map((m) => {
+        const isActive = active?.type === m.scopeType && active?.id === m.scopeId;
+        const key = `${m.scopeType}:${m.scopeId}`;
+        return createElement(
+          "button",
+          {
+            key,
+            type: "button",
+            "data-testid": `scope-switcher-option-${m.scopeType}-${m.scopeId}`,
+            disabled: busy === key,
+            onClick: async () => {
+              setBusy(key);
+              setSwitchError(null);
+              try {
+                await switchScope({ type: m.scopeType, id: m.scopeId });
+                setOpen(false);
+                onSwitched?.({ type: m.scopeType, id: m.scopeId });
+              } catch (err) {
+                setSwitchError(err.message || "Scope switch failed");
+              } finally {
+                setBusy(null);
+              }
+            },
+            style: {
+              display: "block",
+              width: "100%",
+              textAlign: "left",
+              padding: "8px 10px",
+              border: "none",
+              background: isActive ? "#f3f4f6" : "transparent",
+              cursor: busy ? "wait" : "pointer",
+              borderRadius: 4,
+              fontSize: 13
+            }
+          },
+          createElement("div", { style: { fontWeight: 500 } }, m.scopeName),
+          createElement(
+            "div",
+            { style: { fontSize: 11, opacity: 0.6 } },
+            `${m.scopeType} \xB7 ${m.role}${m.grantedVia && m.grantedVia !== "direct" ? ` \xB7 via ${m.grantedVia}` : ""}`
+          )
+        );
+      })
+    ) : null
+  );
+}
+function useImpersonation() {
+  const { snapshot } = useCtx();
+  return useMemo(() => {
+    const claims = snapshot.claims;
+    const isImpersonating = claims?.purpose === "impersonation" && !!claims?.act?.sub;
+    return {
+      isImpersonating,
+      actor: isImpersonating ? claims.act : null,
+      target: isImpersonating ? snapshot.user : null
+    };
+  }, [snapshot]);
+}
+function ImpersonationBanner({ render, onExit, className, style } = {}) {
+  const t2 = useT();
+  const info = useImpersonation();
+  const { manager } = useCtx();
+  const exit = useCallback(async () => {
+    if (onExit) return void onExit();
+    const { exitImpersonation } = await import("./reverify-C64QXKJO.mjs");
+    const restored = exitImpersonation(manager);
+    if (restored) return;
+    const { signOut: signOut2 } = await import("./signIn-SHBW6Z4T.mjs");
+    await signOut2(manager);
+  }, [manager, onExit]);
+  if (!info.isImpersonating) return null;
+  if (render) return createElement(Fragment, null, render({ ...info, exit }));
+  const targetLabel = info.target?.email || info.target?.name || info.target?.sub || "user";
+  const _actorLabel = info.actor?.email || info.actor?.name || info.actor?.sub || "admin";
+  void _actorLabel;
+  return createElement(
+    "div",
+    {
+      role: "alert",
+      className,
+      style: {
+        position: "sticky",
+        top: 0,
+        left: 0,
+        right: 0,
+        zIndex: 9999,
+        background: "#b91c1c",
+        color: "#fff",
+        padding: "8px 16px",
+        display: "flex",
+        alignItems: "center",
+        justifyContent: "space-between",
+        fontSize: 13,
+        fontFamily: "system-ui, sans-serif",
+        ...style
+      }
+    },
+    createElement(
+      "span",
+      null,
+      t2("impersonation.banner", { targetEmail: targetLabel })
+    ),
+    createElement(
+      "button",
+      {
+        type: "button",
+        onClick: exit,
+        style: {
+          background: "rgba(255,255,255,0.18)",
+          color: "#fff",
+          border: "1px solid rgba(255,255,255,0.4)",
+          borderRadius: 4,
+          padding: "4px 10px",
+          cursor: "pointer",
+          fontSize: 12
+        }
+      },
+      t2("impersonation.exit")
+    )
+  );
+}
+function useReverification(fn, opts = {}) {
+  const { manager } = useCtx();
+  const level = opts.level ?? "password";
+  return (async (...args) => {
+    let token = null;
+    let res = await fn(token)(...args);
+    const code = await peekErrorCode(res);
+    const isReverifyError = res.status === 401 && code && (code === "REVERIFICATION_REQUIRED" || code === "REVERIFICATION_EXPIRED" || code === "REVERIFICATION_INVALID" || code === "REVERIFICATION_USED" || code === "REVERIFICATION_LEVEL_INSUFFICIENT");
+    if (!isReverifyError) return res;
+    const prompt = opts.prompt ?? defaultReverifyPrompt;
+    const credentials = await prompt(level);
+    if (!credentials) {
+      throw new Error("Reverification cancelled");
+    }
+    const { reverify } = await import("./reverify-C64QXKJO.mjs");
+    const minted = await reverify(manager, { level, ...credentials });
+    token = minted.token;
+    res = await fn(token)(...args);
+    return res;
+  });
+}
+async function peekErrorCode(res) {
+  try {
+    const cloned = res.clone();
+    const body = await cloned.json();
+    return body?.error?.code ?? null;
+  } catch {
+    return null;
+  }
+}
+async function defaultReverifyPrompt(level) {
+  if (typeof window === "undefined") return null;
+  if (level === "password") {
+    const password = window.prompt("Confirm your password to continue");
+    if (!password) return null;
+    return { password };
+  }
+  const totp = window.prompt("Enter your MFA code to continue");
+  if (!totp) return null;
+  return { totp, method: "totp" };
+}
+function slugify(input) {
+  return input.toLowerCase().normalize("NFKD").replace(/[\u0300-\u036f]/g, "").replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 64);
+}
+function CreateOrganization({ iqAuthBaseUrl, onCreated, redirectUrl, unstyled, appearance, className }) {
+  const branding = useResolvedSdkBranding(iqAuthBaseUrl);
+  const [name, setName] = useState("");
+  const [slug, setSlug] = useState("");
+  const [slugTouched, setSlugTouched] = useState(false);
+  const [submitting, setSubmitting] = useState(false);
+  const [error, setError] = useState(null);
+  const [created, setCreated] = useState(null);
+  const [slugCheck, setSlugCheck] = useState({ status: "idle" });
+  useEffect(() => {
+    if (!slugTouched) setSlug(slugify(name));
+  }, [name, slugTouched]);
+  useEffect(() => {
+    const s = slug.trim().toLowerCase();
+    if (!s) {
+      setSlugCheck({ status: "idle" });
+      return;
+    }
+    if (!/^[a-z0-9-]{2,64}$/.test(s)) {
+      setSlugCheck({ status: "invalid", checked: s });
+      return;
+    }
+    setSlugCheck({ status: "checking", checked: s });
+    const handle = setTimeout(async () => {
+      try {
+        const res = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/tenants/check-slug?slug=${encodeURIComponent(s)}`, {
+          credentials: "include",
+          headers: { Accept: "application/json" }
+        });
+        const body = await res.json().catch(() => ({}));
+        const data = body.data;
+        if (!data) {
+          setSlugCheck({ status: "idle", checked: s });
+          return;
+        }
+        if (data.reason === "INVALID_FORMAT") {
+          setSlugCheck({ status: "invalid", checked: s });
+          return;
+        }
+        setSlugCheck({ status: data.available ? "available" : "taken", checked: s });
+      } catch {
+        setSlugCheck({ status: "idle", checked: s });
+      }
+    }, 350);
+    return () => clearTimeout(handle);
+  }, [slug, iqAuthBaseUrl]);
+  const submit = async (e) => {
+    e.preventDefault();
+    setSubmitting(true);
+    setError(null);
+    try {
+      const res = await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/tenants`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        credentials: "include",
+        body: JSON.stringify({ name: name.trim(), slug: slug.trim() })
+      });
+      const payload = res;
+      const tenant = payload.data ?? payload;
+      const next = { id: tenant.id, name: tenant.name, slug: tenant.slug };
+      setCreated(next);
+      onCreated?.(next);
+      setName("");
+      setSlug("");
+      setSlugTouched(false);
+      if (redirectUrl && typeof window !== "undefined") {
+        const url = typeof redirectUrl === "function" ? redirectUrl(next) : redirectUrl;
+        if (url) window.location.assign(url);
+      }
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to create organization");
+    } finally {
+      setSubmitting(false);
+    }
+  };
+  const form = /* @__PURE__ */ jsxs("form", { onSubmit: submit, style: { display: "flex", flexDirection: "column", gap: 12 }, "data-iqauth-sdk-create-org": "", "aria-labelledby": "iqauth-create-org-heading", children: [
+    error ? /* @__PURE__ */ jsx(ErrorBanner, { message: error }) : null,
+    created ? /* @__PURE__ */ jsxs("p", { role: "status", style: { fontSize: 13, color: "#047857" }, children: [
+      "Organization \u201C",
+      created.name,
+      "\u201D created."
+    ] }) : null,
+    /* @__PURE__ */ jsx(Field, { label: "Organization name", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-create-org-name", autoFocus: true, style: inputStyle(), value: name, onChange: (e) => setName(e.target.value), required: true, minLength: 2, "aria-required": "true" }) }),
+    /* @__PURE__ */ jsxs(Field, { label: "Organization slug", children: [
+      /* @__PURE__ */ jsx(
+        "input",
+        {
+          "data-testid": "input-create-org-slug",
+          style: { ...inputStyle(), fontFamily: "monospace" },
+          value: slug,
+          onChange: (e) => {
+            setSlugTouched(true);
+            setSlug(e.target.value.toLowerCase().replace(/[^a-z0-9-]/g, "-"));
+          },
+          required: true,
+          pattern: "[a-z0-9-]+",
+          minLength: 2,
+          "aria-required": "true",
+          "aria-describedby": "iqauth-create-org-slug-hint",
+          "aria-invalid": slugCheck.status === "taken" || slugCheck.status === "invalid"
+        }
+      ),
+      /* @__PURE__ */ jsx(
+        "p",
+        {
+          id: "iqauth-create-org-slug-hint",
+          "data-testid": "text-create-org-slug-status",
+          role: "status",
+          "aria-live": "polite",
+          style: { fontSize: 12, marginTop: 4, color: slugCheck.status === "taken" || slugCheck.status === "invalid" ? "#b91c1c" : slugCheck.status === "available" ? "#047857" : "inherit", opacity: slugCheck.status === "checking" ? 0.6 : 1 },
+          children: slugCheck.status === "checking" ? "Checking availability\u2026" : slugCheck.status === "available" ? "Slug is available." : slugCheck.status === "taken" ? "That slug is taken." : slugCheck.status === "invalid" ? "Slugs must be 2\u201364 chars, lowercase letters/numbers/hyphens." : "We'll auto-generate a slug from the name; you can override it."
+        }
+      )
+    ] }),
+    /* @__PURE__ */ jsx(
+      PrimaryButton,
+      {
+        "data-testid": "button-create-org-submit",
+        type: "submit",
+        disabled: submitting || !name.trim() || !slug.trim() || slugCheck.status === "taken" || slugCheck.status === "invalid" || slugCheck.status === "checking",
+        children: submitting ? "Creating\u2026" : "Create organization"
+      }
+    )
+  ] });
+  if (unstyled) {
+    return /* @__PURE__ */ jsxs("div", { className, "data-iqauth-sdk-create-org-bare": "", children: [
+      /* @__PURE__ */ jsx("h3", { id: "iqauth-create-org-heading", style: { fontSize: 14, fontWeight: 600, margin: "0 0 12px" }, children: "Create organization" }),
+      form
+    ] });
+  }
+  return /* @__PURE__ */ jsx(Shell, { appearance, branding, className, title: "Create organization", subtitle: "Spin up a new tenant for this app.", children: form });
+}
+function OrganizationProfile({ iqAuthBaseUrl, tenantId: tenantIdProp, tabs, onDeleted, appearance, className }) {
+  const branding = useResolvedSdkBranding(iqAuthBaseUrl);
+  const baseUrl = iqAuthBaseUrl.replace(/\/$/, "");
+  const visibleTabs = tabs && tabs.length > 0 ? tabs : ["general", "members", "invitations", "danger"];
+  const [activeTab, setActiveTab] = useState(visibleTabs[0]);
+  const [tenantId, setTenantId] = useState(tenantIdProp || null);
+  const [tenant, setTenant] = useState(null);
+  const [members, setMembers] = useState([]);
+  const [pendingInvites, setPendingInvites] = useState([]);
+  const [loading, setLoading] = useState(true);
+  const [invitesLoading, setInvitesLoading] = useState(false);
+  const [error, setError] = useState(null);
+  const [renameValue, setRenameValue] = useState("");
+  const [slugValue, setSlugValue] = useState("");
+  const [renameSubmitting, setRenameSubmitting] = useState(false);
+  const [inviteEmail, setInviteEmail] = useState("");
+  const [inviteRole, setInviteRole] = useState("tenant_member");
+  const [inviteSubmitting, setInviteSubmitting] = useState(false);
+  const [actionMessage, setActionMessage] = useState(null);
+  const [confirmDeleteText, setConfirmDeleteText] = useState("");
+  const [confirmDeletePassword, setConfirmDeletePassword] = useState("");
+  const [deleteSubmitting, setDeleteSubmitting] = useState(false);
+  const { user } = useUser();
+  const callerRole = user?.role || null;
+  const callerIsAdmin = callerRole === "tenant_admin" || callerRole === "platform_admin";
+  const visibleTabsFiltered = visibleTabs.filter((t2) => t2 !== "danger" || callerIsAdmin);
+  useEffect(() => {
+    let cancelled = false;
+    (async () => {
+      try {
+        let tid = tenantIdProp || null;
+        if (!tid) {
+          const me = await fetch(`${baseUrl}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json());
+          tid = me?.data?.tenantId || null;
+        }
+        if (!tid) {
+          if (!cancelled) {
+            setError("No active tenant");
+            setLoading(false);
+          }
+          return;
+        }
+        const t2 = await fetch(`${baseUrl}/api/v1/tenants/${tid}`, { credentials: "include" }).then((r) => r.json());
+        const m = await fetch(`${baseUrl}/api/v1/tenants/${tid}/users`, { credentials: "include" }).then((r) => r.json());
+        if (cancelled) return;
+        setTenantId(tid);
+        setTenant(t2?.data ? { id: t2.data.id, name: t2.data.name, slug: t2.data.slug } : null);
+        setRenameValue(t2?.data?.name || "");
+        setSlugValue(t2?.data?.slug || "");
+        const rows = m?.data || [];
+        setMembers(rows.map((row) => ({
+          userId: String(row.userId ?? row.user?.id ?? row.id ?? ""),
+          email: String(row.email ?? row.user?.email ?? ""),
+          name: String(row.name ?? row.user?.name ?? ""),
+          role: String(row.role ?? row.roles?.[0] ?? "tenant_member"),
+          joinedAt: row.joinedAt ?? row.createdAt
+        })));
+      } catch (err) {
+        if (!cancelled) setError(err instanceof Error ? err.message : "Failed to load organization");
+      } finally {
+        if (!cancelled) setLoading(false);
+      }
+    })();
+    return () => {
+      cancelled = true;
+    };
+  }, [baseUrl, tenantIdProp]);
+  const loadInvites = async (tid) => {
+    setInvitesLoading(true);
+    try {
+      const r = await fetch(`${baseUrl}/api/v1/invites?tenantId=${encodeURIComponent(tid)}&status=pending`, { credentials: "include" }).then((res) => res.json());
+      const rows = r?.data || [];
+      setPendingInvites(rows.map((inv) => ({
+        id: String(inv.id),
+        email: String(inv.email),
+        role: String(inv.role),
+        status: String(inv.status),
+        expiresAt: inv.expiresAt,
+        createdAt: inv.createdAt
+      })));
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to load invitations");
+    } finally {
+      setInvitesLoading(false);
+    }
+  };
+  useEffect(() => {
+    if (activeTab === "invitations" && tenantId) loadInvites(tenantId);
+  }, [activeTab, tenantId]);
+  const reloadMembers = async () => {
+    if (!tenantId) return;
+    const m = await fetch(`${baseUrl}/api/v1/tenants/${tenantId}/users`, { credentials: "include" }).then((r) => r.json());
+    const rows = m?.data || [];
+    setMembers(rows.map((row) => ({
+      userId: String(row.userId ?? row.user?.id ?? row.id ?? ""),
+      email: String(row.email ?? row.user?.email ?? ""),
+      name: String(row.name ?? row.user?.name ?? ""),
+      role: String(row.role ?? row.roles?.[0] ?? "tenant_member"),
+      joinedAt: row.joinedAt ?? row.createdAt
+    })));
+  };
+  const submitRename = async (e) => {
+    e.preventDefault();
+    if (!tenantId) return;
+    setRenameSubmitting(true);
+    setError(null);
+    try {
+      const body = {};
+      if (renameValue.trim() && renameValue.trim() !== tenant?.name) body.name = renameValue.trim();
+      if (slugValue.trim() && slugValue.trim() !== tenant?.slug) body.slug = slugValue.trim();
+      if (Object.keys(body).length === 0) {
+        setRenameSubmitting(false);
+        return;
+      }
+      const res = await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}`, {
+        method: "PATCH",
+        headers: { "Content-Type": "application/json" },
+        credentials: "include",
+        body: JSON.stringify(body)
+      });
+      const t2 = res?.data ?? res;
+      setTenant({ id: t2.id, name: t2.name, slug: t2.slug });
+      setActionMessage("Organization saved.");
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to save");
+    } finally {
+      setRenameSubmitting(false);
+    }
+  };
+  const submitInvite = async (e) => {
+    e.preventDefault();
+    if (!tenantId) return;
+    setInviteSubmitting(true);
+    setError(null);
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}/users/invite`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        credentials: "include",
+        body: JSON.stringify({ email: inviteEmail.trim(), role: inviteRole })
+      });
+      setActionMessage(`Invitation sent to ${inviteEmail.trim()}.`);
+      setInviteEmail("");
+      if (activeTab === "invitations") await loadInvites(tenantId);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to invite");
+    } finally {
+      setInviteSubmitting(false);
+    }
+  };
+  const changeRole = async (userId, role) => {
+    if (!tenantId) return;
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}/users/${userId}/role`, {
+        method: "PATCH",
+        headers: { "Content-Type": "application/json" },
+        credentials: "include",
+        body: JSON.stringify({ role })
+      });
+      await reloadMembers();
+      setActionMessage("Role updated.");
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to update role");
+    }
+  };
+  const removeMember = async (userId) => {
+    if (!tenantId) return;
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}/users/${userId}`, { method: "DELETE", credentials: "include" });
+      await reloadMembers();
+      setActionMessage("Member removed.");
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to remove member");
+    }
+  };
+  const resendInvite = async (id) => {
+    if (!tenantId) return;
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/invites/${id}/resend`, { method: "POST", credentials: "include" });
+      setActionMessage("Invitation resent.");
+      await loadInvites(tenantId);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to resend invitation");
+    }
+  };
+  const revokeInvite = async (id) => {
+    if (!tenantId) return;
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/invites/${id}/revoke`, { method: "POST", credentials: "include" });
+      setActionMessage("Invitation revoked.");
+      await loadInvites(tenantId);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to revoke invitation");
+    }
+  };
+  const submitDelete = async () => {
+    if (!tenantId || !tenant) return;
+    if (confirmDeleteText !== tenant.slug) {
+      setError("Type the organization slug to confirm deletion.");
+      return;
+    }
+    if (!confirmDeletePassword) {
+      setError("Re-enter your password to confirm deletion.");
+      return;
+    }
+    setDeleteSubmitting(true);
+    setError(null);
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}`, {
+        method: "DELETE",
+        credentials: "include",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ confirmPassword: confirmDeletePassword })
+      });
+      setActionMessage("Organization deleted.");
+      setConfirmDeletePassword("");
+      onDeleted?.(tenantId);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to delete organization");
+    } finally {
+      setDeleteSubmitting(false);
+    }
+  };
+  if (loading) {
+    return /* @__PURE__ */ jsx(Shell, { appearance, branding, className, title: "Organization", children: /* @__PURE__ */ jsx("p", { role: "status", "aria-live": "polite", style: { fontSize: 13 }, children: "Loading\u2026" }) });
+  }
+  const tabBtnStyle = (key) => ({
+    background: activeTab === key ? `${branding?.accentColor || "#6366f1"}1a` : "transparent",
+    border: `1px solid ${activeTab === key ? branding?.accentColor || "#6366f1" : "rgba(15,23,42,0.12)"}`,
+    color: branding?.primaryColor || "#0f172a",
+    padding: "6px 12px",
+    borderRadius: 6,
+    cursor: "pointer",
+    fontSize: 12,
+    fontWeight: 500
+  });
+  return /* @__PURE__ */ jsx(Shell, { appearance, branding, className, title: tenant?.name || "Organization", subtitle: tenant?.slug ? `slug: ${tenant.slug}` : void 0, children: /* @__PURE__ */ jsxs("div", { style: { display: "flex", flexDirection: "column", gap: 16 }, "data-iqauth-sdk-org-profile": "", children: [
+    error ? /* @__PURE__ */ jsx(ErrorBanner, { message: error }) : null,
+    actionMessage ? /* @__PURE__ */ jsx("p", { role: "status", "aria-live": "polite", style: { fontSize: 13, color: "#047857", margin: 0 }, children: actionMessage }) : null,
+    /* @__PURE__ */ jsx("div", { role: "tablist", "aria-label": "Organization sections", style: { display: "flex", gap: 6, flexWrap: "wrap" }, children: visibleTabsFiltered.map((t2) => /* @__PURE__ */ jsx(
+      "button",
+      {
+        role: "tab",
+        "aria-selected": activeTab === t2,
+        "aria-controls": `iqauth-org-tab-${t2}`,
+        "data-testid": `tab-org-${t2}`,
+        type: "button",
+        onClick: () => setActiveTab(t2),
+        style: tabBtnStyle(t2),
+        children: t2 === "general" ? "General" : t2 === "members" ? `Members (${members.length})` : t2 === "invitations" ? "Invitations" : "Danger zone"
+      },
+      t2
+    )) }),
+    activeTab === "general" ? /* @__PURE__ */ jsxs("section", { role: "tabpanel", id: "iqauth-org-tab-general", "aria-labelledby": "tab-org-general", style: { display: "flex", flexDirection: "column", gap: 8 }, children: [
+      /* @__PURE__ */ jsx("h3", { style: { fontSize: 14, fontWeight: 600, margin: 0 }, children: "Settings" }),
+      /* @__PURE__ */ jsxs("form", { onSubmit: submitRename, style: { display: "flex", flexDirection: "column", gap: 8 }, children: [
+        /* @__PURE__ */ jsx(Field, { label: "Organization name", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-org-rename", style: inputStyle(), value: renameValue, onChange: (e) => setRenameValue(e.target.value), required: true, minLength: 2 }) }),
+        /* @__PURE__ */ jsx(Field, { label: "Slug", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-org-slug", style: { ...inputStyle(), fontFamily: "monospace" }, value: slugValue, onChange: (e) => setSlugValue(e.target.value.toLowerCase().replace(/[^a-z0-9-]/g, "-")), required: true, pattern: "[a-z0-9-]+", minLength: 2 }) }),
+        /* @__PURE__ */ jsx(PrimaryButton, { "data-testid": "button-org-rename", type: "submit", disabled: renameSubmitting || renameValue.trim() === tenant?.name && slugValue.trim() === tenant?.slug, children: renameSubmitting ? "Saving\u2026" : "Save changes" })
+      ] })
+    ] }) : null,
+    activeTab === "members" ? /* @__PURE__ */ jsxs("section", { role: "tabpanel", id: "iqauth-org-tab-members", "aria-labelledby": "tab-org-members", style: { display: "flex", flexDirection: "column", gap: 12 }, children: [
+      /* @__PURE__ */ jsxs("form", { onSubmit: submitInvite, style: { display: "flex", gap: 8, flexWrap: "wrap" }, "aria-label": "Invite a new member", children: [
+        /* @__PURE__ */ jsx("input", { "data-testid": "input-org-invite-email", type: "email", placeholder: "email@company.com", "aria-label": "Email", style: { ...inputStyle(), flex: 1, minWidth: 180 }, value: inviteEmail, onChange: (e) => setInviteEmail(e.target.value), required: true }),
+        /* @__PURE__ */ jsxs("select", { "data-testid": "select-org-invite-role", "aria-label": "Role", style: { ...inputStyle(), width: "auto" }, value: inviteRole, onChange: (e) => setInviteRole(e.target.value), children: [
+          /* @__PURE__ */ jsx("option", { value: "tenant_member", children: "tenant_member" }),
+          /* @__PURE__ */ jsx("option", { value: "tenant_admin", children: "tenant_admin" })
+        ] }),
+        /* @__PURE__ */ jsx(PrimaryButton, { "data-testid": "button-org-invite", type: "submit", disabled: inviteSubmitting || !inviteEmail.trim(), children: inviteSubmitting ? "Sending\u2026" : "Send invite" })
+      ] }),
+      members.length === 0 ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13, opacity: 0.6 }, children: "No members yet." }) : /* @__PURE__ */ jsx("ul", { "aria-label": "Members", style: { listStyle: "none", padding: 0, margin: 0, display: "flex", flexDirection: "column", gap: 6 }, children: members.map((m) => /* @__PURE__ */ jsxs("li", { "data-testid": `row-org-member-${m.userId}`, style: { display: "grid", gridTemplateColumns: "1fr auto auto", gap: 8, alignItems: "center", padding: "8px 10px", background: "rgba(15,23,42,0.04)", borderRadius: 6, fontSize: 13 }, children: [
+        /* @__PURE__ */ jsxs("div", { children: [
+          /* @__PURE__ */ jsx("div", { style: { fontWeight: 500 }, children: m.name || m.email }),
+          /* @__PURE__ */ jsx("div", { style: { fontSize: 11, opacity: 0.7 }, children: m.email })
+        ] }),
+        /* @__PURE__ */ jsxs("select", { "data-testid": `select-org-member-role-${m.userId}`, "aria-label": `Role for ${m.email}`, value: m.role, onChange: (e) => changeRole(m.userId, e.target.value), style: { ...inputStyle(), width: "auto", padding: "4px 8px", fontSize: 12 }, children: [
+          /* @__PURE__ */ jsx("option", { value: "tenant_member", children: "tenant_member" }),
+          /* @__PURE__ */ jsx("option", { value: "tenant_admin", children: "tenant_admin" })
+        ] }),
+        /* @__PURE__ */ jsx(
+          "button",
+          {
+            type: "button",
+            "data-testid": `button-org-member-remove-${m.userId}`,
+            "aria-label": `Remove ${m.email}`,
+            onClick: () => removeMember(m.userId),
+            style: { background: "transparent", border: "1px solid rgba(220,38,38,0.4)", color: "#b91c1c", borderRadius: 4, padding: "4px 10px", cursor: "pointer", fontSize: 12 },
+            children: "Remove"
+          }
+        )
+      ] }, m.userId)) })
+    ] }) : null,
+    activeTab === "invitations" ? /* @__PURE__ */ jsxs("section", { role: "tabpanel", id: "iqauth-org-tab-invitations", "aria-labelledby": "tab-org-invitations", style: { display: "flex", flexDirection: "column", gap: 8 }, children: [
+      /* @__PURE__ */ jsx("h3", { style: { fontSize: 14, fontWeight: 600, margin: 0 }, children: "Pending invitations" }),
+      invitesLoading ? /* @__PURE__ */ jsx("p", { role: "status", "aria-live": "polite", style: { fontSize: 13 }, children: "Loading\u2026" }) : pendingInvites.length === 0 ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13, opacity: 0.6 }, children: "No pending invitations." }) : /* @__PURE__ */ jsx("ul", { "aria-label": "Pending invitations", style: { listStyle: "none", padding: 0, margin: 0, display: "flex", flexDirection: "column", gap: 6 }, children: pendingInvites.map((inv) => /* @__PURE__ */ jsxs("li", { "data-testid": `row-org-invite-${inv.id}`, style: { display: "grid", gridTemplateColumns: "1fr auto auto", gap: 8, alignItems: "center", padding: "8px 10px", background: "rgba(15,23,42,0.04)", borderRadius: 6, fontSize: 13 }, children: [
+        /* @__PURE__ */ jsxs("div", { children: [
+          /* @__PURE__ */ jsx("div", { style: { fontWeight: 500 }, children: inv.email }),
+          /* @__PURE__ */ jsxs("div", { style: { fontSize: 11, opacity: 0.7 }, children: [
+            "role: ",
+            inv.role,
+            inv.expiresAt ? ` \u2022 expires ${new Date(inv.expiresAt).toLocaleDateString()}` : ""
+          ] })
+        ] }),
+        /* @__PURE__ */ jsx(
+          "button",
+          {
+            type: "button",
+            "data-testid": `button-org-invite-resend-${inv.id}`,
+            onClick: () => resendInvite(inv.id),
+            style: { background: "transparent", border: "1px solid rgba(15,23,42,0.18)", color: "#0f172a", borderRadius: 4, padding: "4px 10px", cursor: "pointer", fontSize: 12 },
+            children: "Resend"
+          }
+        ),
+        /* @__PURE__ */ jsx(
+          "button",
+          {
+            type: "button",
+            "data-testid": `button-org-invite-revoke-${inv.id}`,
+            onClick: () => revokeInvite(inv.id),
+            style: { background: "transparent", border: "1px solid rgba(220,38,38,0.4)", color: "#b91c1c", borderRadius: 4, padding: "4px 10px", cursor: "pointer", fontSize: 12 },
+            children: "Revoke"
+          }
+        )
+      ] }, inv.id)) })
+    ] }) : null,
+    activeTab === "danger" ? /* @__PURE__ */ jsxs("section", { role: "tabpanel", id: "iqauth-org-tab-danger", "aria-labelledby": "tab-org-danger", style: { display: "flex", flexDirection: "column", gap: 10, border: "1px solid rgba(220,38,38,0.3)", padding: 12, borderRadius: 8, background: "rgba(220,38,38,0.04)" }, children: [
+      /* @__PURE__ */ jsx("h3", { style: { fontSize: 14, fontWeight: 600, margin: 0, color: "#b91c1c" }, children: "Delete organization" }),
+      /* @__PURE__ */ jsxs("p", { style: { fontSize: 12, opacity: 0.85, margin: 0 }, children: [
+        "This permanently deletes ",
+        /* @__PURE__ */ jsx("strong", { children: tenant?.name }),
+        " and all of its members, roles, and audit history. To confirm, type the slug ",
+        /* @__PURE__ */ jsx("code", { children: tenant?.slug }),
+        " below."
+      ] }),
+      /* @__PURE__ */ jsx(Field, { label: "Type the organization slug to confirm", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-org-delete-confirm", autoComplete: "off", placeholder: tenant?.slug || "", "aria-label": "Type slug to confirm", style: { ...inputStyle(), fontFamily: "monospace" }, value: confirmDeleteText, onChange: (e) => setConfirmDeleteText(e.target.value) }) }),
+      /* @__PURE__ */ jsx(Field, { label: "Re-enter your password", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-org-delete-password", type: "password", autoComplete: "current-password", "aria-label": "Password to confirm deletion", style: inputStyle(), value: confirmDeletePassword, onChange: (e) => setConfirmDeletePassword(e.target.value) }) }),
+      /* @__PURE__ */ jsx(
+        "button",
+        {
+          type: "button",
+          "data-testid": "button-org-delete",
+          onClick: submitDelete,
+          disabled: deleteSubmitting || confirmDeleteText !== tenant?.slug || !confirmDeletePassword,
+          style: { background: "#b91c1c", color: "#fff", border: "none", padding: "8px 14px", borderRadius: 6, cursor: confirmDeleteText === tenant?.slug && confirmDeletePassword ? "pointer" : "not-allowed", fontSize: 13, opacity: confirmDeleteText === tenant?.slug && confirmDeletePassword ? 1 : 0.5 },
+          children: deleteSubmitting ? "Deleting\u2026" : "Permanently delete organization"
+        }
+      )
+    ] }) : null
+  ] }) });
+}
+function OrganizationList({ iqAuthBaseUrl, onSelect, showCreate = true, createRedirectUrl, appearance, className }) {
+  const [showCreateForm, setShowCreateForm] = useState(false);
+  const reloadList = () => {
+    setShowCreateForm(false);
+    if (typeof window !== "undefined") setTimeout(() => window.location.reload(), 50);
+  };
+  const branding = useResolvedSdkBranding(iqAuthBaseUrl);
+  const baseUrl = iqAuthBaseUrl.replace(/\/$/, "");
+  const accent = branding?.accentColor || "#6366f1";
+  const t2 = useT();
+  const { manager } = useCtx();
+  const [memberships, setMemberships] = useState([]);
+  const [activeTenantId, setActiveTenantId] = useState(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState(null);
+  const [pendingStep, setPendingStep] = useState(null);
+  useEffect(() => {
+    let cancelled = false;
+    Promise.all([
+      fetch(`${baseUrl}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()),
+      fetch(`${baseUrl}/api/v1/tenants/memberships`, { credentials: "include" }).then((r) => r.json())
+    ]).then(([me, mems]) => {
+      if (cancelled) return;
+      setActiveTenantId(me?.data?.tenantId || null);
+      setMemberships(mems?.data?.memberships || mems?.data || []);
+    }).catch((err) => {
+      if (!cancelled) setError(err instanceof Error ? err.message : "Failed to load organizations");
+    }).finally(() => {
+      if (!cancelled) setLoading(false);
+    });
+    return () => {
+      cancelled = true;
+    };
+  }, [baseUrl]);
+  const select = async (tenantId) => {
+    if (tenantId === activeTenantId) {
+      onSelect?.(tenantId);
+      return;
+    }
+    setError(null);
+    setPendingStep(null);
+    try {
+      const result = await performTenantSwitch(manager, iqAuthBaseUrl, tenantId);
+      if (result.kind === "mfa_required") {
+        setPendingStep({
+          kind: "mfa_required",
+          tenantId: result.tenantId,
+          mfaChallengeToken: result.mfaChallengeToken,
+          availableMethods: result.availableMethods
+        });
+        return;
+      }
+      if (result.kind === "scope_selection_required") {
+        setPendingStep({
+          kind: "scope_selection_required",
+          tenantId: result.tenantId,
+          scopeSelectionToken: result.scopeSelectionToken
+        });
+        return;
+      }
+      setActiveTenantId(tenantId);
+      onSelect?.(tenantId);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to switch organization");
+    }
+  };
+  const hostedSignInUrl = () => {
+    const baseHosted = `${baseUrl}/sign-in`;
+    if (!pendingStep) return baseHosted;
+    const params = new URLSearchParams();
+    if (pendingStep.kind === "mfa_required") {
+      params.set("mfaChallengeToken", pendingStep.mfaChallengeToken);
+      if (pendingStep.availableMethods.length) {
+        params.set("availableMethods", pendingStep.availableMethods.join(","));
+      }
+    } else {
+      params.set("prompt", "login");
+    }
+    return `${baseHosted}?${params.toString()}`;
+  };
+  return /* @__PURE__ */ jsx(Shell, { appearance, branding, className, title: "Your organizations", subtitle: "Select an organization to make it active.", children: /* @__PURE__ */ jsxs("div", { "data-iqauth-sdk-org-list": "", style: { display: "flex", flexDirection: "column", gap: 8 }, children: [
+    error ? /* @__PURE__ */ jsx(ErrorBanner, { message: error }) : null,
+    pendingStep ? /* @__PURE__ */ jsxs(
+      "div",
+      {
+        "data-testid": pendingStep.kind === "mfa_required" ? "prompt-org-list-mfa-required" : "prompt-org-list-scope-required",
+        role: "alert",
+        style: {
+          padding: "10px 12px",
+          background: `${accent}10`,
+          border: `1px solid ${accent}55`,
+          borderRadius: 6
+        },
+        children: [
+          /* @__PURE__ */ jsx("div", { style: { fontSize: 13, fontWeight: 600, color: "#0f172a", marginBottom: 4 }, children: pendingStep.kind === "mfa_required" ? t2("orgSwitcher.mfaRequiredTitle") : t2("orgSwitcher.scopeSelectionRequiredTitle") }),
+          /* @__PURE__ */ jsx("div", { style: { fontSize: 12, color: "#334155", marginBottom: 8 }, children: pendingStep.kind === "mfa_required" ? t2("orgSwitcher.mfaRequiredBody") : t2("orgSwitcher.scopeSelectionRequiredBody") }),
+          /* @__PURE__ */ jsx(
+            "a",
+            {
+              href: hostedSignInUrl(),
+              "data-testid": "link-org-list-continue-hosted",
+              style: {
+                display: "inline-block",
+                fontSize: 12,
+                fontWeight: 600,
+                color: branding?.accentColor || accent,
+                textDecoration: "none"
+              },
+              children: t2("orgSwitcher.continueInHostedSignIn")
+            }
+          )
+        ]
+      }
+    ) : null,
+    loading ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13 }, children: "Loading\u2026" }) : memberships.length === 0 ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13, opacity: 0.6 }, children: "You don\u2019t belong to any organizations yet." }) : /* @__PURE__ */ jsx("ul", { style: { listStyle: "none", padding: 0, margin: 0, display: "flex", flexDirection: "column", gap: 6 }, children: memberships.map((m) => {
+      const active = m.tenantId === activeTenantId;
+      return /* @__PURE__ */ jsx("li", { children: /* @__PURE__ */ jsxs(
+        "button",
+        {
+          type: "button",
+          "data-testid": `button-org-list-${m.tenantId}`,
+          onClick: () => select(m.tenantId),
+          style: {
+            display: "block",
+            width: "100%",
+            textAlign: "left",
+            padding: "10px 12px",
+            borderRadius: 6,
+            cursor: "pointer",
+            fontSize: 13,
+            background: active ? `${accent}1a` : "transparent",
+            border: `1px solid ${active ? accent : "rgba(15,23,42,0.12)"}`,
+            color: branding?.primaryColor || "#0f172a"
+          },
+          children: [
+            /* @__PURE__ */ jsx("div", { style: { fontWeight: 500 }, children: m.tenantName || m.tenantSlug || m.tenantId }),
+            /* @__PURE__ */ jsxs("div", { style: { fontSize: 11, opacity: 0.7 }, children: [
+              (m.roles || []).join(", ") || "\u2014",
+              active ? /* @__PURE__ */ jsx("span", { style: { marginLeft: 8, color: accent, fontWeight: 600 }, children: "active" }) : null
+            ] })
+          ]
+        }
+      ) }, m.tenantId);
+    }) }),
+    showCreate ? /* @__PURE__ */ jsx("div", { style: { marginTop: 12, paddingTop: 12, borderTop: "1px solid rgba(15,23,42,0.08)" }, children: showCreateForm ? /* @__PURE__ */ jsxs(Fragment2, { children: [
+      /* @__PURE__ */ jsx(
+        CreateOrganization,
+        {
+          iqAuthBaseUrl,
+          unstyled: true,
+          appearance,
+          onCreated: (t3) => {
+            onSelect?.(t3.id);
+            reloadList();
+          },
+          redirectUrl: createRedirectUrl
+        }
+      ),
+      /* @__PURE__ */ jsx(
+        "button",
+        {
+          type: "button",
+          "data-testid": "button-org-list-create-cancel",
+          onClick: () => setShowCreateForm(false),
+          style: { marginTop: 8, background: "transparent", border: "none", color: branding?.accentColor || "#6366f1", cursor: "pointer", fontSize: 12, padding: 0 },
+          children: "Cancel"
+        }
+      )
+    ] }) : /* @__PURE__ */ jsx(
+      "button",
+      {
+        type: "button",
+        "data-testid": "button-org-list-create",
+        onClick: () => setShowCreateForm(true),
+        style: { background: "transparent", border: `1px dashed ${accent}`, color: branding?.primaryColor || "#0f172a", padding: "10px 12px", borderRadius: 6, cursor: "pointer", fontSize: 13, width: "100%" },
+        children: "+ Create new organization"
+      }
+    ) }) : null
+  ] }) });
+}
+function Waitlist({ iqAuthBaseUrl, appKey, appId, title, subtitle, successMessage, appearance, className }) {
+  const branding = useResolvedSdkBranding(iqAuthBaseUrl, appId);
+  const [email, setEmail] = useState("");
+  const [name, setName] = useState("");
+  const [organizationName, setOrganizationName] = useState("");
+  const [submitting, setSubmitting] = useState(false);
+  const [error, setError] = useState(null);
+  const [submitted, setSubmitted] = useState(null);
+  const submit = async (e) => {
+    e.preventDefault();
+    setSubmitting(true);
+    setError(null);
+    try {
+      const res = await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/waitlist`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          email: email.trim().toLowerCase(),
+          name: name.trim() || void 0,
+          organizationName: organizationName.trim() || void 0,
+          appKey: appKey || void 0,
+          appId: appId || void 0
+        })
+      });
+      const data = res?.data ?? res;
+      setSubmitted({ duplicate: !!data?.duplicate });
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to join the waitlist");
+    } finally {
+      setSubmitting(false);
+    }
+  };
+  if (submitted) {
+    return /* @__PURE__ */ jsx(Shell, { appearance, branding, className, title: title || "You\u2019re on the list", children: /* @__PURE__ */ jsx("p", { "data-testid": "text-waitlist-success", style: { fontSize: 14 }, children: successMessage || (submitted.duplicate ? "You were already on the waitlist \u2014 we\u2019ll be in touch." : "Thanks! We\u2019ll email you when access opens up.") }) });
+  }
+  return /* @__PURE__ */ jsx(Shell, { appearance, branding, className, title: title || "Join the waitlist", subtitle: subtitle || "Enter your email and we\u2019ll be in touch when access opens up.", children: /* @__PURE__ */ jsxs("form", { onSubmit: submit, style: { display: "flex", flexDirection: "column", gap: 12 }, "data-iqauth-sdk-waitlist": "", children: [
+    error ? /* @__PURE__ */ jsx(ErrorBanner, { message: error }) : null,
+    /* @__PURE__ */ jsx(Field, { label: "Work email", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-waitlist-email", type: "email", autoComplete: "email", required: true, style: inputStyle(), value: email, onChange: (e) => setEmail(e.target.value) }) }),
+    /* @__PURE__ */ jsx(Field, { label: "Name (optional)", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-waitlist-name", autoComplete: "name", style: inputStyle(), value: name, onChange: (e) => setName(e.target.value) }) }),
+    /* @__PURE__ */ jsx(Field, { label: "Organization (optional)", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-waitlist-org", autoComplete: "organization", style: inputStyle(), value: organizationName, onChange: (e) => setOrganizationName(e.target.value) }) }),
+    /* @__PURE__ */ jsx(PrimaryButton, { "data-testid": "button-waitlist-submit", type: "submit", disabled: submitting || !email, children: submitting ? "Joining\u2026" : "Join the waitlist" })
+  ] }) });
+}
+function usePasswordlessOptions(override) {
+  const ctx = useContext(IQAuthContext);
+  const baseFromCtx = ctx?.manager?.issuerUrl;
+  const iqAuthBaseUrl = override?.iqAuthBaseUrl || baseFromCtx || (typeof window !== "undefined" ? window.location.origin : "");
+  return { iqAuthBaseUrl, cookieSession: override?.cookieSession ?? true };
+}
+function useMagicLink(override) {
+  const opts = usePasswordlessOptions(override);
+  const [sent, setSent] = useState(false);
+  const [busy, setBusy] = useState(false);
+  const [error, setError] = useState(null);
+  const request = useCallback(async (input) => {
+    setBusy(true);
+    setError(null);
+    setSent(false);
+    try {
+      await requestMagicLink(opts, input);
+      setSent(true);
+    } catch (e) {
+      setError(e instanceof Error ? e.message : "Magic link request failed");
+    } finally {
+      setBusy(false);
+    }
+  }, [opts.iqAuthBaseUrl, opts.cookieSession]);
+  return { request, sent, busy, error };
+}
+function usePasskey(override) {
+  const opts = usePasswordlessOptions(override);
+  const [busy, setBusy] = useState(false);
+  const [error, setError] = useState(null);
+  const signIn2 = useCallback(async (input = {}) => {
+    setBusy(true);
+    setError(null);
+    try {
+      return await signInWithPasskey(opts, input);
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : "Passkey sign-in failed";
+      setError(msg);
+      throw e;
+    } finally {
+      setBusy(false);
+    }
+  }, [opts.iqAuthBaseUrl]);
+  const enroll = useCallback(async (name) => {
+    setBusy(true);
+    setError(null);
+    try {
+      return await enrollPasskey(opts, name);
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : "Passkey enrollment failed";
+      setError(msg);
+      throw e;
+    } finally {
+      setBusy(false);
+    }
+  }, [opts.iqAuthBaseUrl]);
+  return { signIn: signIn2, enroll, busy, error };
+}
+function useLinkedIdentities(override) {
+  const opts = usePasswordlessOptions(override);
+  const [identities, setIdentities] = useState([]);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState(null);
+  const refresh = useCallback(async () => {
+    setLoading(true);
+    setError(null);
+    try {
+      setIdentities(await listLinkedIdentities(opts));
+    } catch (e) {
+      setError(e instanceof Error ? e.message : "Failed to load identities");
+    } finally {
+      setLoading(false);
+    }
+  }, [opts.iqAuthBaseUrl]);
+  const link = useCallback(async (input) => {
+    await linkProvider(opts, input);
+    await refresh();
+  }, [opts.iqAuthBaseUrl, refresh]);
+  const unlink = useCallback(async (provider, password) => {
+    await unlinkProvider(opts, { provider, reauth: { password } });
+    await refresh();
+  }, [opts.iqAuthBaseUrl, refresh]);
+  useEffect(() => {
+    refresh();
+  }, [refresh]);
+  return { identities, loading, error, refresh, link, unlink };
+}
+function MagicLinkSignInForm(props) {
+  const { request, sent, busy, error } = useMagicLink(props);
+  const [email, setEmail] = useState("");
+  return /* @__PURE__ */ jsxs(
+    "form",
+    {
+      "data-testid": "form-magic-link",
+      className: props.className,
+      onSubmit: (e) => {
+        e.preventDefault();
+        if (email) void request({ email, appId: props.appId, redirectUri: props.redirectUri });
+      },
+      style: { display: "flex", flexDirection: "column", gap: 8 },
+      children: [
+        /* @__PURE__ */ jsx(
+          "input",
+          {
+            "data-testid": "input-magic-link-email",
+            type: "email",
+            required: true,
+            value: email,
+            placeholder: props.placeholder ?? "you@example.com",
+            onChange: (e) => setEmail(e.target.value),
+            style: { padding: 8, border: "1px solid rgba(15,23,42,0.15)", borderRadius: 6 }
+          }
+        ),
+        /* @__PURE__ */ jsx("button", { "data-testid": "button-magic-link-submit", type: "submit", disabled: busy || !email, children: busy ? "Sending\u2026" : props.buttonLabel ?? "Email me a sign-in link" }),
+        sent ? /* @__PURE__ */ jsx("p", { "data-testid": "text-magic-link-sent", style: { fontSize: 12 }, children: "If the email is on file, a link is on the way." }) : null,
+        error ? /* @__PURE__ */ jsx("p", { "data-testid": "text-magic-link-error", style: { fontSize: 12, color: "#b91c1c" }, children: error }) : null
+      ]
+    }
+  );
+}
+function PasskeySignInButton({ email, className, children, ...rest }) {
+  const { signIn: signIn2, busy, error } = usePasskey(rest);
+  return /* @__PURE__ */ jsxs("div", { className, children: [
+    /* @__PURE__ */ jsx(
+      "button",
+      {
+        "data-testid": "button-passkey-signin",
+        disabled: busy,
+        onClick: () => void signIn2({ email }).catch(() => {
+        }),
+        style: { padding: "8px 12px", borderRadius: 6, border: "1px solid rgba(15,23,42,0.15)", background: "transparent", cursor: "pointer" },
+        children: busy ? "Verifying\u2026" : children ?? "Sign in with a passkey"
+      }
+    ),
+    error ? /* @__PURE__ */ jsx("p", { "data-testid": "text-passkey-error", style: { fontSize: 12, color: "#b91c1c", marginTop: 4 }, children: error }) : null
+  ] });
+}
+function LinkedAccounts({ className, onChange, ...rest }) {
+  const { identities, loading, error, unlink } = useLinkedIdentities(rest);
+  return /* @__PURE__ */ jsx("div", { "data-testid": "section-linked-accounts", className, children: loading ? /* @__PURE__ */ jsx("p", { children: "Loading\u2026" }) : error ? /* @__PURE__ */ jsx("p", { style: { color: "#b91c1c" }, children: error }) : /* @__PURE__ */ jsx("ul", { style: { listStyle: "none", padding: 0, margin: 0 }, children: identities.map((i) => /* @__PURE__ */ jsxs("li", { "data-testid": `row-identity-${i.provider}`, style: { display: "flex", justifyContent: "space-between", padding: "6px 0" }, children: [
+    /* @__PURE__ */ jsxs("span", { children: [
+      /* @__PURE__ */ jsx("strong", { style: { textTransform: "capitalize" }, children: i.provider }),
+      " ",
+      /* @__PURE__ */ jsx("span", { style: { opacity: 0.7 }, children: i.label || i.providerUserId || "" })
+    ] }),
+    i.canUnlink ? /* @__PURE__ */ jsx(
+      "button",
+      {
+        "data-testid": `button-unlink-${i.provider}`,
+        onClick: async () => {
+          const pw = window.prompt("Confirm your password to unlink this identity") || void 0;
+          try {
+            await unlink(i.provider, pw);
+            onChange?.();
+          } catch {
+          }
+        },
+        children: "Unlink"
+      }
+    ) : null
+  ] }, i.id)) }) });
+}
+var __version__ = "phase-bc-1.0.0";
+
+export {
+  IQAuthProvider,
+  __useIQAuthInternal,
+  useLocale,
+  useT,
+  useUser,
+  useSession,
+  useAuth,
+  useOrganization,
+  useAuthFetch,
+  useSessionList,
+  revokeSession,
+  MultisessionAppSupport,
+  useAccountList,
+  useAccountSwitcher,
+  SignedIn,
+  SignedOut,
+  IQAuthLoading,
+  IQAuthLoaded,
+  RedirectToSignIn,
+  performScopeSwitch,
+  performTenantSwitch,
+  claimSatisfiesScope,
+  Protect,
+  RedirectToSignedIn,
+  useReturnTo,
+  IQAuthReturnToBouncer,
+  preflightReturnTo,
+  AuthCallback,
+  useIQAuthSignInContext,
+  sanitizeBrandCss,
+  useResolvedSdkBranding,
+  isSilentSsoEligible,
+  resolveAfterSignInDestination,
+  SignIn,
+  SignUp,
+  UserButton,
+  UserProfile,
+  OrganizationSwitcher,
+  useMemberships,
+  ScopeSwitcher,
+  useImpersonation,
+  ImpersonationBanner,
+  useReverification,
+  slugify,
+  CreateOrganization,
+  OrganizationProfile,
+  OrganizationList,
+  Waitlist,
+  useMagicLink,
+  usePasskey,
+  useLinkedIdentities,
+  MagicLinkSignInForm,
+  PasskeySignInButton,
+  LinkedAccounts,
+  __version__
+};