@iqauth/sdk 2.7.0 → 2.8.1

package/dist/browser-session.d.mts

@@ -1,7 +1,7 @@
-import { I as IQAuthBrowserSessionClientConfig, S as SessionUser } from './types-XOV9XPVi.mjs';
-import { I as IQAuthClient } from './client-BGFnBpfc.mjs';
+import { I as IQAuthBrowserSessionClientConfig, S as SessionUser } from './types-Bn8O-OEd.mjs';
+import { I as IQAuthClient } from './client-D8L-PaWr.mjs';
 export { E as ErrorCodes, I as IQAuthError } from './errors-Jl1Jtm-6.mjs';
-import './tokens-CITeoG6P.mjs';
+import './tokens-B06VtvUi.mjs';
 
 declare class BrowserSessionIQAuthClient extends IQAuthClient {
     constructor(config: Omit<IQAuthBrowserSessionClientConfig, "environment">);

package/dist/browser-session.d.ts

@@ -1,7 +1,7 @@
-import { I as IQAuthBrowserSessionClientConfig, S as SessionUser } from './types-XOV9XPVi.js';
-import { I as IQAuthClient } from './client-CDQ21LvW.js';
+import { I as IQAuthBrowserSessionClientConfig, S as SessionUser } from './types-Bn8O-OEd.js';
+import { I as IQAuthClient } from './client-DkPL0EPZ.js';
 export { E as ErrorCodes, I as IQAuthError } from './errors-Jl1Jtm-6.js';
-import './tokens-Bqhmqq_R.js';
+import './tokens-9F6ETrzk.js';
 
 declare class BrowserSessionIQAuthClient extends IQAuthClient {
     constructor(config: Omit<IQAuthBrowserSessionClientConfig, "environment">);

package/dist/browser-session.js

@@ -335,17 +335,27 @@ function parseLoginResponse(data, browserSessionMode) {
       tenants: data.tenants
     };
   }
+  if (data.type === "scope_selection" && data.scopeSelectionToken && data.scopes && data.tenantId) {
+    return {
+      status: "scope_selection",
+      scopeSelectionToken: data.scopeSelectionToken,
+      tenantId: data.tenantId,
+      scopes: data.scopes
+    };
+  }
   throw new Error("Unexpected login response shape");
 }
 var AuthModule = class {
   constructor(http) {
     this.http = http;
   }
-  async login(email, password) {
+  async login(email, password, opts) {
+    const body = { email, password };
+    if (opts?.scopeHint) body.scopeHint = opts.scopeHint;
     const data = await this.http.request(
       "POST",
       "/api/v1/auth/login",
-      { email, password },
+      body,
       { skipAutoRefresh: true }
     );
     return parseLoginResponse(data, this.http.isBrowserSession());
@@ -383,13 +393,29 @@ var AuthModule = class {
       method
     }, { skipAutoRefresh: true });
   }
-  async selectTenant(tenantSelectionToken, tenantId) {
+  async selectTenant(tenantSelectionToken, tenantId, opts) {
+    const body = { tenantSelectionToken, tenantId };
+    if (opts?.scopeHint) body.scopeHint = opts.scopeHint;
     const data = await this.http.request(
       "POST",
       "/api/v1/auth/select-tenant",
+      body,
+      { skipAutoRefresh: true }
+    );
+    return parseLoginResponse(data, this.http.isBrowserSession());
+  }
+  /**
+   * Task #171 — redeem a scope-selection token + chosen membership for a
+   * real authenticated session. `membershipId` must be one of the scopes
+   * returned in the prior `scope_selection` envelope.
+   */
+  async selectScope(scopeSelectionToken, membershipId) {
+    const data = await this.http.request(
+      "POST",
+      "/api/v1/auth/select-scope",
       {
-        tenantSelectionToken,
-        tenantId
+        scopeSelectionToken,
+        membershipId
       },
       { skipAutoRefresh: true }
     );

package/dist/browser-session.mjs

@@ -1,6 +1,6 @@
 import {
   IQAuthClient
-} from "./chunk-JXQI62A7.mjs";
+} from "./chunk-ZLJPABB7.mjs";
 import "./chunk-NUO2I65G.mjs";
 import {
   ErrorCodes,

package/dist/browser.d.mts

@@ -1,8 +1,8 @@
-import { S as SessionManager } from './signIn-T-CZ6t6r.mjs';
-export { p as AccountRecord, A as AccountRegistry, C as CallbackResult, d as LinkProviderInput, L as LinkedIdentity, M as MagicLinkRequestInput, o as MultiAccountTokenStore, n as PasskeyAuthInput, P as PasswordlessOptions, z as REFRESH_COOKIE, R as RefreshTokenStore, e as SessionManagerOptions, a as SessionSnapshot, f as SessionStatus, b as SignInOptions, c as SignOutOptions, U as UnlinkProviderInput, g as beginPasskeyAuthentication, i as beginPasskeyRegistration, q as buildSignInUrl, B as clearCookie, k as enrollPasskey, h as finishPasskeyAuthentication, j as finishPasskeyRegistration, D as getCookie, t as handleAuthCallback, m as linkProvider, l as listLinkedIdentities, w as redirectToSignIn, r as requestMagicLink, E as setCookie, x as signIn, s as signInWithPasskey, y as signOut, u as unlinkProvider, v as verifyMagicLink } from './signIn-T-CZ6t6r.mjs';
+import { S as SessionManager } from './signIn-CReqfXsh.mjs';
+export { p as AccountRecord, A as AccountRegistry, C as CallbackResult, d as LinkProviderInput, L as LinkedIdentity, M as MagicLinkRequestInput, o as MultiAccountTokenStore, n as PasskeyAuthInput, P as PasswordlessOptions, z as REFRESH_COOKIE, R as RefreshTokenStore, e as SessionManagerOptions, a as SessionSnapshot, f as SessionStatus, b as SignInOptions, c as SignOutOptions, U as UnlinkProviderInput, g as beginPasskeyAuthentication, i as beginPasskeyRegistration, q as buildSignInUrl, B as clearCookie, k as enrollPasskey, h as finishPasskeyAuthentication, j as finishPasskeyRegistration, D as getCookie, t as handleAuthCallback, m as linkProvider, l as listLinkedIdentities, w as redirectToSignIn, r as requestMagicLink, E as setCookie, x as signIn, s as signInWithPasskey, y as signOut, u as unlinkProvider, v as verifyMagicLink } from './signIn-CReqfXsh.mjs';
 export { K as KeyMode, c as ParsedPublishableKey, P as PublishableKeyPayload, e as encodePublishableKey, i as isPublishableKey, b as isSecretKey, p as parsePublishableKey } from './publishableKey-f2kq-rKw.mjs';
 export { b as ErrorCode, E as ErrorCodes, I as IQAuthError } from './errors-Jl1Jtm-6.mjs';
-import './types-XOV9XPVi.mjs';
+import './types-Bn8O-OEd.mjs';
 
 /**
  * Browser-safe PKCE + state/nonce generation using WebCrypto.

package/dist/browser.d.ts

@@ -1,8 +1,8 @@
-import { S as SessionManager } from './signIn-BLFnz8SV.js';
-export { p as AccountRecord, A as AccountRegistry, C as CallbackResult, d as LinkProviderInput, L as LinkedIdentity, M as MagicLinkRequestInput, o as MultiAccountTokenStore, n as PasskeyAuthInput, P as PasswordlessOptions, z as REFRESH_COOKIE, R as RefreshTokenStore, e as SessionManagerOptions, a as SessionSnapshot, f as SessionStatus, b as SignInOptions, c as SignOutOptions, U as UnlinkProviderInput, g as beginPasskeyAuthentication, i as beginPasskeyRegistration, q as buildSignInUrl, B as clearCookie, k as enrollPasskey, h as finishPasskeyAuthentication, j as finishPasskeyRegistration, D as getCookie, t as handleAuthCallback, m as linkProvider, l as listLinkedIdentities, w as redirectToSignIn, r as requestMagicLink, E as setCookie, x as signIn, s as signInWithPasskey, y as signOut, u as unlinkProvider, v as verifyMagicLink } from './signIn-BLFnz8SV.js';
+import { S as SessionManager } from './signIn-Cfa1GTpO.js';
+export { p as AccountRecord, A as AccountRegistry, C as CallbackResult, d as LinkProviderInput, L as LinkedIdentity, M as MagicLinkRequestInput, o as MultiAccountTokenStore, n as PasskeyAuthInput, P as PasswordlessOptions, z as REFRESH_COOKIE, R as RefreshTokenStore, e as SessionManagerOptions, a as SessionSnapshot, f as SessionStatus, b as SignInOptions, c as SignOutOptions, U as UnlinkProviderInput, g as beginPasskeyAuthentication, i as beginPasskeyRegistration, q as buildSignInUrl, B as clearCookie, k as enrollPasskey, h as finishPasskeyAuthentication, j as finishPasskeyRegistration, D as getCookie, t as handleAuthCallback, m as linkProvider, l as listLinkedIdentities, w as redirectToSignIn, r as requestMagicLink, E as setCookie, x as signIn, s as signInWithPasskey, y as signOut, u as unlinkProvider, v as verifyMagicLink } from './signIn-Cfa1GTpO.js';
 export { K as KeyMode, c as ParsedPublishableKey, P as PublishableKeyPayload, e as encodePublishableKey, i as isPublishableKey, b as isSecretKey, p as parsePublishableKey } from './publishableKey-f2kq-rKw.js';
 export { b as ErrorCode, E as ErrorCodes, I as IQAuthError } from './errors-Jl1Jtm-6.js';
-import './types-XOV9XPVi.js';
+import './types-Bn8O-OEd.js';
 
 /**
  * Browser-safe PKCE + state/nonce generation using WebCrypto.

package/dist/browser.js

@@ -717,7 +717,10 @@ function claimsToSessionUser(claims) {
     ...claims.email_verified !== void 0 ? { emailVerified: claims.email_verified } : {},
     ...claims.given_name !== void 0 ? { givenName: claims.given_name } : {},
     ...claims.family_name !== void 0 ? { familyName: claims.family_name } : {},
-    ...claims.locale !== void 0 ? { locale: claims.locale } : {}
+    ...claims.locale !== void 0 ? { locale: claims.locale } : {},
+    // Task #171 — surface the active source/client scope when the token was
+    // minted scoped, so consumers reading useUser().user can branch on it.
+    ...claims.scopeContext !== void 0 ? { scopeContext: claims.scopeContext } : {}
   };
 }
 var EMPTY = {
@@ -1092,10 +1095,27 @@ var SessionManager = class {
    * session and notify subscribers and other tabs.
    */
   applyAccessToken(accessToken, refreshToken) {
+    this.adoptAccessToken(accessToken, { refreshToken });
+  }
+  /**
+   * Task #197 — Adopt an access token that the server has already minted
+   * for us (e.g. from `POST /api/v1/auth/switch-scope`) without contacting
+   * the issuer. Swaps the in-memory token, re-decodes claims, bumps
+   * `version`, schedules proactive refresh, and broadcasts a
+   * `session:update` to peer tabs.
+   *
+   * This is the safe path for any server endpoint that returns a fresh
+   * access token in its JSON body: we want the new claims (scope, roles,
+   * etc.) to take effect immediately, even if the refresh-cookie round-trip
+   * would have failed (network blip, rate limit, signout race). When the
+   * server also rotated the refresh token, pass it via
+   * `opts.refreshToken` so the cookie stays aligned.
+   */
+  adoptAccessToken(accessToken, opts) {
     const claims = decodeClaims(accessToken);
     const user = claimsToSessionUser(claims);
-    if (refreshToken) {
-      void Promise.resolve(this.tokenStore.write(refreshToken, { claims }));
+    if (opts?.refreshToken) {
+      void Promise.resolve(this.tokenStore.write(opts.refreshToken, { claims }));
     }
     this.update({
       status: user ? "authenticated" : "unauthenticated",

package/dist/browser.mjs

@@ -20,7 +20,7 @@ import {
   signInWithPasskey,
   unlinkProvider,
   verifyMagicLink
-} from "./chunk-RTJAIBXY.mjs";
+} from "./chunk-4V7FKOTG.mjs";
 import {
   REFRESH_COOKIE,
   buildSignInUrl,

package/dist/{chunk-YVALAG3B.mjs → chunk-25SSYDIP.mjs}

@@ -3,7 +3,7 @@ import {
 } from "./chunk-HVHNYPDC.mjs";
 import {
   IQAuthClient
-} from "./chunk-JXQI62A7.mjs";
+} from "./chunk-ZLJPABB7.mjs";
 import {
   IQAuthError
 } from "./chunk-6PJRLRB4.mjs";

package/dist/{chunk-RTJAIBXY.mjs → chunk-4V7FKOTG.mjs}

@@ -56,7 +56,10 @@ function claimsToSessionUser(claims) {
     ...claims.email_verified !== void 0 ? { emailVerified: claims.email_verified } : {},
     ...claims.given_name !== void 0 ? { givenName: claims.given_name } : {},
     ...claims.family_name !== void 0 ? { familyName: claims.family_name } : {},
-    ...claims.locale !== void 0 ? { locale: claims.locale } : {}
+    ...claims.locale !== void 0 ? { locale: claims.locale } : {},
+    // Task #171 — surface the active source/client scope when the token was
+    // minted scoped, so consumers reading useUser().user can branch on it.
+    ...claims.scopeContext !== void 0 ? { scopeContext: claims.scopeContext } : {}
   };
 }
 var EMPTY = {
@@ -431,10 +434,27 @@ var SessionManager = class {
    * session and notify subscribers and other tabs.
    */
   applyAccessToken(accessToken, refreshToken) {
+    this.adoptAccessToken(accessToken, { refreshToken });
+  }
+  /**
+   * Task #197 — Adopt an access token that the server has already minted
+   * for us (e.g. from `POST /api/v1/auth/switch-scope`) without contacting
+   * the issuer. Swaps the in-memory token, re-decodes claims, bumps
+   * `version`, schedules proactive refresh, and broadcasts a
+   * `session:update` to peer tabs.
+   *
+   * This is the safe path for any server endpoint that returns a fresh
+   * access token in its JSON body: we want the new claims (scope, roles,
+   * etc.) to take effect immediately, even if the refresh-cookie round-trip
+   * would have failed (network blip, rate limit, signout race). When the
+   * server also rotated the refresh token, pass it via
+   * `opts.refreshToken` so the cookie stays aligned.
+   */
+  adoptAccessToken(accessToken, opts) {
     const claims = decodeClaims(accessToken);
     const user = claimsToSessionUser(claims);
-    if (refreshToken) {
-      void Promise.resolve(this.tokenStore.write(refreshToken, { claims }));
+    if (opts?.refreshToken) {
+      void Promise.resolve(this.tokenStore.write(opts.refreshToken, { claims }));
     }
     this.update({
       status: user ? "authenticated" : "unauthenticated",

package/dist/{chunk-SL3KRS4W.mjs → chunk-CIJORODR.mjs}

@@ -1,4 +1,11 @@
 // src/server/provisioningBridge.ts
+var ProvisioningError = class extends Error {
+  constructor(code, message) {
+    super(message);
+    this.name = "ProvisioningError";
+    this.code = code;
+  }
+};
 function defaultIsUniqueViolation(err) {
   if (!err || typeof err !== "object") return false;
   const e = err;
@@ -10,6 +17,16 @@ function defaultIsUniqueViolation(err) {
 function createProvisioningBridge(options) {
   const { storage } = options;
   const isUniqueViolation = options.isUniqueViolation ?? defaultIsUniqueViolation;
+  const allowUnverifiedEmailAdopt = options.allowUnverifiedEmailAdopt === true;
+  const emailVerified = (claims) => claims.email_verified === true;
+  const assertAdoptAllowed = (claims) => {
+    if (!allowUnverifiedEmailAdopt && !emailVerified(claims)) {
+      throw new ProvisioningError(
+        "UNVERIFIED_EMAIL_ADOPT_REFUSED",
+        "Refusing to adopt a pre-existing local account from an unverified email (claims.email_verified !== true). Set allowUnverifiedEmailAdopt:true only if your issuer is trusted to never emit unverified emails for adoption."
+      );
+    }
+  };
   const roleOf = (claims) => {
     try {
       return options.roleMapper?.(claims) ?? null;
@@ -26,6 +43,7 @@ function createProvisioningBridge(options) {
     if (claims.email) {
       const byEmail = await storage.findByEmail(claims.email);
       if (byEmail) {
+        assertAdoptAllowed(claims);
         if (storage.adoptByEmail) {
           const adopted = await storage.adoptByEmail(byEmail, claims, roleOf(claims));
           return { user: adopted, claims, created: false, adopted: true };
@@ -41,7 +59,10 @@ function createProvisioningBridge(options) {
       if (after) return { user: after, claims, created: false, adopted: false };
       if (claims.email) {
         const byEmail = await storage.findByEmail(claims.email);
-        if (byEmail) return { user: byEmail, claims, created: false, adopted: true };
+        if (byEmail) {
+          assertAdoptAllowed(claims);
+          return { user: byEmail, claims, created: false, adopted: true };
+        }
       }
       throw err;
     }
@@ -50,5 +71,6 @@ function createProvisioningBridge(options) {
 }
 
 export {
+  ProvisioningError,
   createProvisioningBridge
 };

package/dist/chunk-JRDVUWAL.mjs

@@ -0,0 +1,46 @@
+// src/browser/returnTo.ts
+function normalizeOrigin(o) {
+  try {
+    return new URL(o).origin;
+  } catch {
+    return o.replace(/\/+$/, "");
+  }
+}
+function sanitizeReturnTo(input, options = {}) {
+  const fallback = options.fallback ?? "/";
+  if (!input || typeof input !== "string") return fallback;
+  const trimmed = input.trim();
+  if (!trimmed) return fallback;
+  if (trimmed.includes("\\")) return fallback;
+  if (trimmed.startsWith("//")) return fallback;
+  if (trimmed.startsWith("/") || trimmed.startsWith("#") || trimmed.startsWith("?")) {
+    return trimmed;
+  }
+  if (!/^[a-z][a-z0-9+\-.]*:/i.test(trimmed)) {
+    return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
+  }
+  let parsed;
+  try {
+    parsed = new URL(trimmed);
+  } catch {
+    return fallback;
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return fallback;
+  const currentOrigin = options.currentOrigin ?? (typeof window !== "undefined" ? window.location.origin : "");
+  const allowed = /* @__PURE__ */ new Set();
+  if (currentOrigin) allowed.add(normalizeOrigin(currentOrigin));
+  for (const o of options.allowedOrigins ?? []) allowed.add(normalizeOrigin(o));
+  if (allowed.has(parsed.origin)) return parsed.toString();
+  return fallback;
+}
+function isReturnToAllowed(input, options = {}) {
+  const fallback = options.fallback ?? "/";
+  const out = sanitizeReturnTo(input, options);
+  if (!input) return false;
+  return out !== fallback || input === fallback;
+}
+
+export {
+  sanitizeReturnTo,
+  isReturnToAllowed
+};

package/dist/{chunk-5T7GHBX6.mjs → chunk-TLET552H.mjs}

@@ -37,6 +37,7 @@ var enUS = {
   "signIn.useDifferentAccount": "Use a different account",
   "signIn.selectTenant": "Choose an organization",
   "signIn.selectTenantSubtitle": "You belong to multiple organizations. Pick one to continue.",
+  "signIn.selectScope": "Choose scope",
   "signIn.dividerOr": "or",
   "signIn.preparingExperience": "Preparing your sign-in experience.",
   "signIn.applicationUnavailable": "Application unavailable",
@@ -125,6 +126,11 @@ var enUS = {
   "orgSwitcher.createNew": "Create organization",
   "orgSwitcher.manage": "Manage organization",
   "orgSwitcher.noOrgs": "You don't belong to any organizations yet.",
+  "orgSwitcher.mfaRequiredTitle": "Two-factor verification required",
+  "orgSwitcher.mfaRequiredBody": "This organization requires an extra verification step. Continue in the hosted sign-in to finish switching.",
+  "orgSwitcher.scopeSelectionRequiredTitle": "Choose what to access",
+  "orgSwitcher.scopeSelectionRequiredBody": "This organization needs you to pick which workspace to open. Continue in the hosted sign-in to choose.",
+  "orgSwitcher.continueInHostedSignIn": "Continue in hosted sign-in \u2192",
   "orgProfile.title": "Organization settings",
   "orgProfile.generalTab": "General",
   "orgProfile.membersTab": "Members",
@@ -217,6 +223,7 @@ var frFR = {
   "signIn.useDifferentAccount": "Utiliser un autre compte",
   "signIn.selectTenant": "Choisir une organisation",
   "signIn.selectTenantSubtitle": "Vous appartenez \xE0 plusieurs organisations. Choisissez-en une pour continuer.",
+  "signIn.selectScope": "Choisir une port\xE9e",
   "signIn.dividerOr": "ou",
   "signIn.preparingExperience": "Pr\xE9paration de votre exp\xE9rience de connexion.",
   "signIn.applicationUnavailable": "Application indisponible",
@@ -305,6 +312,11 @@ var frFR = {
   "orgSwitcher.createNew": "Cr\xE9er une organisation",
   "orgSwitcher.manage": "G\xE9rer l'organisation",
   "orgSwitcher.noOrgs": "Vous n'appartenez encore \xE0 aucune organisation.",
+  "orgSwitcher.mfaRequiredTitle": "V\xE9rification en deux \xE9tapes requise",
+  "orgSwitcher.mfaRequiredBody": "Cette organisation n\xE9cessite une \xE9tape de v\xE9rification suppl\xE9mentaire. Poursuivez sur la page de connexion h\xE9berg\xE9e pour terminer le changement.",
+  "orgSwitcher.scopeSelectionRequiredTitle": "Choisir l'espace \xE0 ouvrir",
+  "orgSwitcher.scopeSelectionRequiredBody": "Cette organisation n\xE9cessite que vous choisissiez un espace de travail. Poursuivez sur la page de connexion h\xE9berg\xE9e pour choisir.",
+  "orgSwitcher.continueInHostedSignIn": "Continuer sur la connexion h\xE9berg\xE9e \u2192",
   "orgProfile.title": "Param\xE8tres de l'organisation",
   "orgProfile.generalTab": "G\xE9n\xE9ral",
   "orgProfile.membersTab": "Membres",
@@ -397,6 +409,7 @@ var esES = {
   "signIn.useDifferentAccount": "Usar otra cuenta",
   "signIn.selectTenant": "Elige una organizaci\xF3n",
   "signIn.selectTenantSubtitle": "Perteneces a varias organizaciones. Selecciona una para continuar.",
+  "signIn.selectScope": "Elegir \xE1mbito",
   "signIn.dividerOr": "o",
   "signIn.preparingExperience": "Preparando tu experiencia de inicio de sesi\xF3n.",
   "signIn.applicationUnavailable": "Aplicaci\xF3n no disponible",
@@ -485,6 +498,11 @@ var esES = {
   "orgSwitcher.createNew": "Crear organizaci\xF3n",
   "orgSwitcher.manage": "Gestionar organizaci\xF3n",
   "orgSwitcher.noOrgs": "A\xFAn no perteneces a ninguna organizaci\xF3n.",
+  "orgSwitcher.mfaRequiredTitle": "Se requiere verificaci\xF3n en dos pasos",
+  "orgSwitcher.mfaRequiredBody": "Esta organizaci\xF3n requiere un paso de verificaci\xF3n adicional. Contin\xFAa en el inicio de sesi\xF3n alojado para completar el cambio.",
+  "orgSwitcher.scopeSelectionRequiredTitle": "Elige a qu\xE9 acceder",
+  "orgSwitcher.scopeSelectionRequiredBody": "Esta organizaci\xF3n requiere que elijas un espacio de trabajo. Contin\xFAa en el inicio de sesi\xF3n alojado para elegir.",
+  "orgSwitcher.continueInHostedSignIn": "Continuar en el inicio de sesi\xF3n alojado \u2192",
   "orgProfile.title": "Configuraci\xF3n de la organizaci\xF3n",
   "orgProfile.generalTab": "Generales",
   "orgProfile.membersTab": "Miembros",
@@ -577,6 +595,7 @@ var deDE = {
   "signIn.useDifferentAccount": "Anderes Konto verwenden",
   "signIn.selectTenant": "Organisation ausw\xE4hlen",
   "signIn.selectTenantSubtitle": "Sie geh\xF6ren zu mehreren Organisationen. Bitte w\xE4hlen Sie eine aus.",
+  "signIn.selectScope": "Bereich ausw\xE4hlen",
   "signIn.preparingExperience": "Anmeldung wird vorbereitet.",
   "signIn.applicationUnavailable": "Anwendung nicht verf\xFCgbar",
   "signIn.applicationNotFound": "Anwendung nicht gefunden",
@@ -665,6 +684,11 @@ var deDE = {
   "orgSwitcher.createNew": "Organisation erstellen",
   "orgSwitcher.manage": "Organisation verwalten",
   "orgSwitcher.noOrgs": "Sie geh\xF6ren noch keiner Organisation an.",
+  "orgSwitcher.mfaRequiredTitle": "Zwei-Faktor-Verifizierung erforderlich",
+  "orgSwitcher.mfaRequiredBody": "Diese Organisation erfordert einen zus\xE4tzlichen Verifizierungsschritt. Fahren Sie in der gehosteten Anmeldung fort, um den Wechsel abzuschlie\xDFen.",
+  "orgSwitcher.scopeSelectionRequiredTitle": "Zugriff ausw\xE4hlen",
+  "orgSwitcher.scopeSelectionRequiredBody": "F\xFCr diese Organisation m\xFCssen Sie einen Arbeitsbereich ausw\xE4hlen. Fahren Sie in der gehosteten Anmeldung fort, um auszuw\xE4hlen.",
+  "orgSwitcher.continueInHostedSignIn": "In der gehosteten Anmeldung fortfahren \u2192",
   "orgProfile.title": "Organisationseinstellungen",
   "orgProfile.generalTab": "Allgemein",
   "orgProfile.membersTab": "Mitglieder",
@@ -757,6 +781,7 @@ var jaJP = {
   "signIn.useDifferentAccount": "\u5225\u306E\u30A2\u30AB\u30A6\u30F3\u30C8\u3092\u4F7F\u7528",
   "signIn.selectTenant": "\u7D44\u7E54\u3092\u9078\u629E",
   "signIn.selectTenantSubtitle": "\u8907\u6570\u306E\u7D44\u7E54\u306B\u6240\u5C5E\u3057\u3066\u3044\u307E\u3059\u3002\u7D9A\u3051\u308B\u306B\u306F 1 \u3064\u3092\u9078\u629E\u3057\u3066\u304F\u3060\u3055\u3044\u3002",
+  "signIn.selectScope": "\u30B9\u30B3\u30FC\u30D7\u3092\u9078\u629E",
   "signIn.preparingExperience": "\u30B5\u30A4\u30F3\u30A4\u30F3\u306E\u6E96\u5099\u3092\u3057\u3066\u3044\u307E\u3059\u3002",
   "signIn.applicationUnavailable": "\u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3\u3092\u5229\u7528\u3067\u304D\u307E\u305B\u3093",
   "signIn.applicationNotFound": "\u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3\u304C\u898B\u3064\u304B\u308A\u307E\u305B\u3093",
@@ -845,6 +870,11 @@ var jaJP = {
   "orgSwitcher.createNew": "\u7D44\u7E54\u3092\u4F5C\u6210",
   "orgSwitcher.manage": "\u7D44\u7E54\u3092\u7BA1\u7406",
   "orgSwitcher.noOrgs": "\u307E\u3060\u3069\u306E\u7D44\u7E54\u306B\u3082\u6240\u5C5E\u3057\u3066\u3044\u307E\u305B\u3093\u3002",
+  "orgSwitcher.mfaRequiredTitle": "\u4E8C\u6BB5\u968E\u8A8D\u8A3C\u304C\u5FC5\u8981\u3067\u3059",
+  "orgSwitcher.mfaRequiredBody": "\u3053\u306E\u7D44\u7E54\u3067\u306F\u8FFD\u52A0\u306E\u672C\u4EBA\u78BA\u8A8D\u304C\u5FC5\u8981\u3067\u3059\u3002\u30DB\u30B9\u30C8\u3055\u308C\u305F\u30B5\u30A4\u30F3\u30A4\u30F3\u3067\u7D9A\u3051\u3066\u5207\u308A\u66FF\u3048\u3092\u5B8C\u4E86\u3057\u3066\u304F\u3060\u3055\u3044\u3002",
+  "orgSwitcher.scopeSelectionRequiredTitle": "\u30A2\u30AF\u30BB\u30B9\u5148\u3092\u9078\u629E",
+  "orgSwitcher.scopeSelectionRequiredBody": "\u3053\u306E\u7D44\u7E54\u3067\u306F\u30EF\u30FC\u30AF\u30B9\u30DA\u30FC\u30B9\u306E\u9078\u629E\u304C\u5FC5\u8981\u3067\u3059\u3002\u30DB\u30B9\u30C8\u3055\u308C\u305F\u30B5\u30A4\u30F3\u30A4\u30F3\u3067\u9078\u629E\u3057\u3066\u304F\u3060\u3055\u3044\u3002",
+  "orgSwitcher.continueInHostedSignIn": "\u30DB\u30B9\u30C8\u3055\u308C\u305F\u30B5\u30A4\u30F3\u30A4\u30F3\u306B\u9032\u3080 \u2192",
   "orgProfile.title": "\u7D44\u7E54\u306E\u8A2D\u5B9A",
   "orgProfile.generalTab": "\u4E00\u822C",
   "orgProfile.membersTab": "\u30E1\u30F3\u30D0\u30FC",
@@ -937,6 +967,7 @@ var ptBR = {
   "signIn.useDifferentAccount": "Usar outra conta",
   "signIn.selectTenant": "Escolher uma organiza\xE7\xE3o",
   "signIn.selectTenantSubtitle": "Voc\xEA pertence a v\xE1rias organiza\xE7\xF5es. Escolha uma para continuar.",
+  "signIn.selectScope": "Escolher escopo",
   "signIn.preparingExperience": "Preparando sua experi\xEAncia de login.",
   "signIn.applicationUnavailable": "Aplicativo indispon\xEDvel",
   "signIn.applicationNotFound": "Aplicativo n\xE3o encontrado",
@@ -1024,6 +1055,11 @@ var ptBR = {
   "orgSwitcher.personal": "Conta pessoal",
   "orgSwitcher.createNew": "Criar organiza\xE7\xE3o",
   "orgSwitcher.manage": "Gerenciar organiza\xE7\xE3o",
+  "orgSwitcher.mfaRequiredTitle": "Verifica\xE7\xE3o em duas etapas necess\xE1ria",
+  "orgSwitcher.mfaRequiredBody": "Esta organiza\xE7\xE3o requer uma etapa de verifica\xE7\xE3o adicional. Continue no login hospedado para concluir a troca.",
+  "orgSwitcher.scopeSelectionRequiredTitle": "Escolha o que acessar",
+  "orgSwitcher.scopeSelectionRequiredBody": "Esta organiza\xE7\xE3o exige que voc\xEA escolha um espa\xE7o de trabalho. Continue no login hospedado para escolher.",
+  "orgSwitcher.continueInHostedSignIn": "Continuar no login hospedado \u2192",
   "orgSwitcher.noOrgs": "Voc\xEA ainda n\xE3o pertence a nenhuma organiza\xE7\xE3o.",
   "orgProfile.title": "Configura\xE7\xF5es da organiza\xE7\xE3o",
   "orgProfile.generalTab": "Geral",

package/dist/{chunk-PMAFENVI.mjs → chunk-VYQ3ETCK.mjs}

@@ -74,12 +74,8 @@ function verifyWebhookSignature(opts) {
   }
   const body = toBuffer(opts.payload);
   const { modern, legacy } = computeSignatures(opts.secret, body, t);
-  const matched = v1.some((sig) => {
-    const lower = sig.toLowerCase();
-    if (timingSafeEqualHex(lower, modern)) return true;
-    if (legacy && timingSafeEqualHex(lower, legacy)) return true;
-    return false;
-  });
+  const expected = Number.isFinite(t) ? legacy : modern;
+  const matched = expected !== null && v1.some((sig) => timingSafeEqualHex(sig.toLowerCase(), expected));
   if (!matched) {
     throw new WebhookSignatureError("SIGNATURE_MISMATCH", "Webhook signature does not match expected value");
   }
@@ -89,6 +85,29 @@ function verifyWebhookSignature(opts) {
   } catch {
     throw new WebhookSignatureError("MALFORMED_BODY", "Webhook body is not valid JSON");
   }
+  if (!Number.isFinite(t) && !opts.allowMissingTimestamp) {
+    const rawTime = parsed.time;
+    if (typeof rawTime !== "string" || !rawTime) {
+      throw new WebhookSignatureError(
+        "MISSING_TIMESTAMP",
+        "Modern webhook delivery has no header `t=` and no envelope `time`; cannot enforce replay protection. Use parseWebhookEvent, or set allowMissingTimestamp:true (insecure)."
+      );
+    }
+    const eventMs = Date.parse(rawTime);
+    if (!Number.isFinite(eventMs)) {
+      throw new WebhookSignatureError(
+        "MALFORMED_TIMESTAMP",
+        `Envelope \`time\` is not a valid ISO timestamp: ${rawTime}`
+      );
+    }
+    const nowMs = (opts.nowSeconds ?? Math.floor(Date.now() / 1e3)) * 1e3;
+    if (Math.abs(nowMs - eventMs) > tolerance * 1e3) {
+      throw new WebhookSignatureError(
+        "TIMESTAMP_OUT_OF_TOLERANCE",
+        `Envelope time ${rawTime} is outside the ${tolerance}s tolerance window`
+      );
+    }
+  }
   return parsed;
 }
 function isValidWebhookSignature(opts) {
@@ -158,12 +177,8 @@ function parseWebhookEvent(rawBody, headers, secrets, opts = {}) {
     const secret = secrets[i];
     if (!secret) continue;
     const { modern, legacy } = computeSignatures(secret, body, t);
-    const ok = v1.some((sig) => {
-      const lower = sig.toLowerCase();
-      if (timingSafeEqualHex(lower, modern)) return true;
-      if (legacy && timingSafeEqualHex(lower, legacy)) return true;
-      return false;
-    });
+    const expected = Number.isFinite(t) ? legacy : modern;
+    const ok = expected !== null && v1.some((sig) => timingSafeEqualHex(sig.toLowerCase(), expected));
     if (ok) {
       verifiedIdx = i;
       break;