@mission_sciences/provider-sdk 0.1.1

package/dist/marketplace-sdk.es.js

@@ -0,0 +1,3276 @@
+var __defProp = Object.defineProperty;
+var __typeError = (msg) => {
+  throw TypeError(msg);
+};
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __accessCheck = (obj, member, msg) => member.has(obj) || __typeError("Cannot " + msg);
+var __privateGet = (obj, member, getter) => (__accessCheck(obj, member, "read from private field"), getter ? getter.call(obj) : member.get(obj));
+var __privateAdd = (obj, member, value) => member.has(obj) ? __typeError("Cannot add the same private member more than once") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+var __privateSet = (obj, member, value, setter) => (__accessCheck(obj, member, "write to private field"), setter ? setter.call(obj, value) : member.set(obj, value), value);
+var _a, _b, _jwks, _cached, _url, _timeoutDuration, _cooldownDuration, _cacheMaxAge, _jwksTimestamp, _pendingFetch, _headers, _customFetch, _local, _cache;
+class SDKError extends Error {
+  constructor(message2, code, statusCode) {
+    super(message2);
+    this.code = code;
+    this.statusCode = statusCode;
+    this.name = "SDKError";
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, SDKError);
+    }
+  }
+}
+class JWTParser {
+  /**
+   * Decode JWT payload without verification
+   * @param token - JWT token string
+   * @returns Decoded payload
+   */
+  static decode(token) {
+    if (!token || typeof token !== "string") {
+      throw new SDKError("Invalid JWT token format", "INVALID_TOKEN");
+    }
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+      throw new SDKError("Malformed JWT token - expected 3 parts", "MALFORMED_TOKEN");
+    }
+    try {
+      const payload = parts[1];
+      const decoded = this.base64UrlDecode(payload);
+      return JSON.parse(decoded);
+    } catch (error) {
+      throw new SDKError(
+        `Failed to decode JWT payload: ${error instanceof Error ? error.message : "Unknown error"}`,
+        "DECODE_ERROR"
+      );
+    }
+  }
+  /**
+   * Decode JWT header
+   * @param token - JWT token string
+   * @returns Decoded header
+   */
+  static decodeHeader(token) {
+    if (!token || typeof token !== "string") {
+      throw new SDKError("Invalid JWT token format", "INVALID_TOKEN");
+    }
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+      throw new SDKError("Malformed JWT token - expected 3 parts", "MALFORMED_TOKEN");
+    }
+    try {
+      const header = parts[0];
+      const decoded = this.base64UrlDecode(header);
+      return JSON.parse(decoded);
+    } catch (error) {
+      throw new SDKError(
+        `Failed to decode JWT header: ${error instanceof Error ? error.message : "Unknown error"}`,
+        "DECODE_ERROR"
+      );
+    }
+  }
+  /**
+   * Extract specific claim from JWT
+   * @param token - JWT token string
+   * @param claim - Claim name to extract
+   * @returns Claim value
+   */
+  static extractClaim(token, claim) {
+    const payload = this.decode(token);
+    return payload[claim];
+  }
+  /**
+   * Check if JWT is expired (client-side only, not authoritative)
+   * @param token - JWT token string
+   * @returns True if token is expired
+   */
+  static isExpired(token) {
+    const payload = this.decode(token);
+    const exp = payload.exp;
+    if (!exp) {
+      return false;
+    }
+    return Date.now() >= exp * 1e3;
+  }
+  /**
+   * Get time remaining until expiration
+   * @param token - JWT token string
+   * @returns Seconds remaining (0 if expired)
+   */
+  static getTimeRemaining(token) {
+    const payload = this.decode(token);
+    const exp = payload.exp;
+    if (!exp) {
+      return 0;
+    }
+    const remaining = exp - Math.floor(Date.now() / 1e3);
+    return Math.max(0, remaining);
+  }
+  /**
+   * Base64 URL decode
+   * @param str - Base64 URL encoded string
+   * @returns Decoded string
+   */
+  static base64UrlDecode(str) {
+    let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+    const padding = base64.length % 4;
+    if (padding) {
+      base64 += "=".repeat(4 - padding);
+    }
+    try {
+      if (typeof Buffer !== "undefined") {
+        return Buffer.from(base64, "base64").toString("utf-8");
+      } else if (typeof atob !== "undefined") {
+        return atob(base64);
+      } else {
+        throw new Error("No base64 decoding available");
+      }
+    } catch (error) {
+      throw new SDKError(
+        "Invalid base64 encoding",
+        "ENCODING_ERROR"
+      );
+    }
+  }
+}
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
+function concat(...buffers) {
+  const size = buffers.reduce((acc, { length }) => acc + length, 0);
+  const buf = new Uint8Array(size);
+  let i = 0;
+  for (const buffer of buffers) {
+    buf.set(buffer, i);
+    i += buffer.length;
+  }
+  return buf;
+}
+function decodeBase64(encoded) {
+  if (Uint8Array.fromBase64) {
+    return Uint8Array.fromBase64(encoded);
+  }
+  const binary = atob(encoded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+function decode(input) {
+  if (Uint8Array.fromBase64) {
+    return Uint8Array.fromBase64(typeof input === "string" ? input : decoder.decode(input), {
+      alphabet: "base64url"
+    });
+  }
+  let encoded = input;
+  if (encoded instanceof Uint8Array) {
+    encoded = decoder.decode(encoded);
+  }
+  encoded = encoded.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
+  try {
+    return decodeBase64(encoded);
+  } catch {
+    throw new TypeError("The input to be decoded is not correctly encoded.");
+  }
+}
+class JOSEError extends Error {
+  constructor(message2, options) {
+    super(message2, options);
+    __publicField(this, "code", "ERR_JOSE_GENERIC");
+    this.name = this.constructor.name;
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+__publicField(JOSEError, "code", "ERR_JOSE_GENERIC");
+class JWTClaimValidationFailed extends JOSEError {
+  constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
+    super(message2, { cause: { claim, reason, payload } });
+    __publicField(this, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED");
+    __publicField(this, "claim");
+    __publicField(this, "reason");
+    __publicField(this, "payload");
+    this.claim = claim;
+    this.reason = reason;
+    this.payload = payload;
+  }
+}
+__publicField(JWTClaimValidationFailed, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED");
+class JWTExpired extends JOSEError {
+  constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
+    super(message2, { cause: { claim, reason, payload } });
+    __publicField(this, "code", "ERR_JWT_EXPIRED");
+    __publicField(this, "claim");
+    __publicField(this, "reason");
+    __publicField(this, "payload");
+    this.claim = claim;
+    this.reason = reason;
+    this.payload = payload;
+  }
+}
+__publicField(JWTExpired, "code", "ERR_JWT_EXPIRED");
+class JOSEAlgNotAllowed extends JOSEError {
+  constructor() {
+    super(...arguments);
+    __publicField(this, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
+  }
+}
+__publicField(JOSEAlgNotAllowed, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
+class JOSENotSupported extends JOSEError {
+  constructor() {
+    super(...arguments);
+    __publicField(this, "code", "ERR_JOSE_NOT_SUPPORTED");
+  }
+}
+__publicField(JOSENotSupported, "code", "ERR_JOSE_NOT_SUPPORTED");
+class JWSInvalid extends JOSEError {
+  constructor() {
+    super(...arguments);
+    __publicField(this, "code", "ERR_JWS_INVALID");
+  }
+}
+__publicField(JWSInvalid, "code", "ERR_JWS_INVALID");
+class JWTInvalid extends JOSEError {
+  constructor() {
+    super(...arguments);
+    __publicField(this, "code", "ERR_JWT_INVALID");
+  }
+}
+__publicField(JWTInvalid, "code", "ERR_JWT_INVALID");
+class JWKSInvalid extends JOSEError {
+  constructor() {
+    super(...arguments);
+    __publicField(this, "code", "ERR_JWKS_INVALID");
+  }
+}
+__publicField(JWKSInvalid, "code", "ERR_JWKS_INVALID");
+class JWKSNoMatchingKey extends JOSEError {
+  constructor(message2 = "no applicable key found in the JSON Web Key Set", options) {
+    super(message2, options);
+    __publicField(this, "code", "ERR_JWKS_NO_MATCHING_KEY");
+  }
+}
+__publicField(JWKSNoMatchingKey, "code", "ERR_JWKS_NO_MATCHING_KEY");
+class JWKSMultipleMatchingKeys extends (_b = JOSEError, _a = Symbol.asyncIterator, _b) {
+  constructor(message2 = "multiple matching keys found in the JSON Web Key Set", options) {
+    super(message2, options);
+    __publicField(this, _a);
+    __publicField(this, "code", "ERR_JWKS_MULTIPLE_MATCHING_KEYS");
+  }
+}
+__publicField(JWKSMultipleMatchingKeys, "code", "ERR_JWKS_MULTIPLE_MATCHING_KEYS");
+class JWKSTimeout extends JOSEError {
+  constructor(message2 = "request timed out", options) {
+    super(message2, options);
+    __publicField(this, "code", "ERR_JWKS_TIMEOUT");
+  }
+}
+__publicField(JWKSTimeout, "code", "ERR_JWKS_TIMEOUT");
+class JWSSignatureVerificationFailed extends JOSEError {
+  constructor(message2 = "signature verification failed", options) {
+    super(message2, options);
+    __publicField(this, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
+  }
+}
+__publicField(JWSSignatureVerificationFailed, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
+function unusable(name, prop = "algorithm.name") {
+  return new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
+}
+function isAlgorithm(algorithm, name) {
+  return algorithm.name === name;
+}
+function getHashLength(hash) {
+  return parseInt(hash.name.slice(4), 10);
+}
+function getNamedCurve(alg) {
+  switch (alg) {
+    case "ES256":
+      return "P-256";
+    case "ES384":
+      return "P-384";
+    case "ES512":
+      return "P-521";
+    default:
+      throw new Error("unreachable");
+  }
+}
+function checkUsage(key, usage) {
+  if (!key.usages.includes(usage)) {
+    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
+  }
+}
+function checkSigCryptoKey(key, alg, usage) {
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!isAlgorithm(key.algorithm, "HMAC"))
+        throw unusable("HMAC");
+      const expected = parseInt(alg.slice(2), 10);
+      const actual = getHashLength(key.algorithm.hash);
+      if (actual !== expected)
+        throw unusable(`SHA-${expected}`, "algorithm.hash");
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw unusable("RSASSA-PKCS1-v1_5");
+      const expected = parseInt(alg.slice(2), 10);
+      const actual = getHashLength(key.algorithm.hash);
+      if (actual !== expected)
+        throw unusable(`SHA-${expected}`, "algorithm.hash");
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!isAlgorithm(key.algorithm, "RSA-PSS"))
+        throw unusable("RSA-PSS");
+      const expected = parseInt(alg.slice(2), 10);
+      const actual = getHashLength(key.algorithm.hash);
+      if (actual !== expected)
+        throw unusable(`SHA-${expected}`, "algorithm.hash");
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA": {
+      if (!isAlgorithm(key.algorithm, "Ed25519"))
+        throw unusable("Ed25519");
+      break;
+    }
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87": {
+      if (!isAlgorithm(key.algorithm, alg))
+        throw unusable(alg);
+      break;
+    }
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!isAlgorithm(key.algorithm, "ECDSA"))
+        throw unusable("ECDSA");
+      const expected = getNamedCurve(alg);
+      const actual = key.algorithm.namedCurve;
+      if (actual !== expected)
+        throw unusable(expected, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  checkUsage(key, usage);
+}
+function message(msg, actual, ...types) {
+  types = types.filter(Boolean);
+  if (types.length > 2) {
+    const last = types.pop();
+    msg += `one of type ${types.join(", ")}, or ${last}.`;
+  } else if (types.length === 2) {
+    msg += `one of type ${types[0]} or ${types[1]}.`;
+  } else {
+    msg += `of type ${types[0]}.`;
+  }
+  if (actual == null) {
+    msg += ` Received ${actual}`;
+  } else if (typeof actual === "function" && actual.name) {
+    msg += ` Received function ${actual.name}`;
+  } else if (typeof actual === "object" && actual != null) {
+    if (actual.constructor?.name) {
+      msg += ` Received an instance of ${actual.constructor.name}`;
+    }
+  }
+  return msg;
+}
+const invalidKeyInput = (actual, ...types) => {
+  return message("Key must be ", actual, ...types);
+};
+function withAlg(alg, actual, ...types) {
+  return message(`Key for the ${alg} algorithm must be `, actual, ...types);
+}
+function isCryptoKey(key) {
+  return key?.[Symbol.toStringTag] === "CryptoKey";
+}
+function isKeyObject(key) {
+  return key?.[Symbol.toStringTag] === "KeyObject";
+}
+const isKeyLike = (key) => {
+  return isCryptoKey(key) || isKeyObject(key);
+};
+const isDisjoint = (...headers) => {
+  const sources = headers.filter(Boolean);
+  if (sources.length === 0 || sources.length === 1) {
+    return true;
+  }
+  let acc;
+  for (const header of sources) {
+    const parameters = Object.keys(header);
+    if (!acc || acc.size === 0) {
+      acc = new Set(parameters);
+      continue;
+    }
+    for (const parameter of parameters) {
+      if (acc.has(parameter)) {
+        return false;
+      }
+      acc.add(parameter);
+    }
+  }
+  return true;
+};
+function isObjectLike(value) {
+  return typeof value === "object" && value !== null;
+}
+const isObject = (input) => {
+  if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
+    return false;
+  }
+  if (Object.getPrototypeOf(input) === null) {
+    return true;
+  }
+  let proto = input;
+  while (Object.getPrototypeOf(proto) !== null) {
+    proto = Object.getPrototypeOf(proto);
+  }
+  return Object.getPrototypeOf(input) === proto;
+};
+const checkKeyLength = (alg, key) => {
+  if (alg.startsWith("RS") || alg.startsWith("PS")) {
+    const { modulusLength } = key.algorithm;
+    if (typeof modulusLength !== "number" || modulusLength < 2048) {
+      throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
+    }
+  }
+};
+function subtleMapping(jwk) {
+  let algorithm;
+  let keyUsages;
+  switch (jwk.kty) {
+    case "AKP": {
+      switch (jwk.alg) {
+        case "ML-DSA-44":
+        case "ML-DSA-65":
+        case "ML-DSA-87":
+          algorithm = { name: jwk.alg };
+          keyUsages = jwk.priv ? ["sign"] : ["verify"];
+          break;
+        default:
+          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "RSA": {
+      switch (jwk.alg) {
+        case "PS256":
+        case "PS384":
+        case "PS512":
+          algorithm = { name: "RSA-PSS", hash: `SHA-${jwk.alg.slice(-3)}` };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "RS256":
+        case "RS384":
+        case "RS512":
+          algorithm = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${jwk.alg.slice(-3)}` };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "RSA-OAEP":
+        case "RSA-OAEP-256":
+        case "RSA-OAEP-384":
+        case "RSA-OAEP-512":
+          algorithm = {
+            name: "RSA-OAEP",
+            hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`
+          };
+          keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
+          break;
+        default:
+          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "EC": {
+      switch (jwk.alg) {
+        case "ES256":
+          algorithm = { name: "ECDSA", namedCurve: "P-256" };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ES384":
+          algorithm = { name: "ECDSA", namedCurve: "P-384" };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ES512":
+          algorithm = { name: "ECDSA", namedCurve: "P-521" };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          algorithm = { name: "ECDH", namedCurve: jwk.crv };
+          keyUsages = jwk.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "OKP": {
+      switch (jwk.alg) {
+        case "Ed25519":
+        case "EdDSA":
+          algorithm = { name: "Ed25519" };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          algorithm = { name: jwk.crv };
+          keyUsages = jwk.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    default:
+      throw new JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
+  }
+  return { algorithm, keyUsages };
+}
+const importJWK$1 = async (jwk) => {
+  if (!jwk.alg) {
+    throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
+  }
+  const { algorithm, keyUsages } = subtleMapping(jwk);
+  const keyData = { ...jwk };
+  if (keyData.kty !== "AKP") {
+    delete keyData.alg;
+  }
+  delete keyData.use;
+  return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
+};
+async function importJWK(jwk, alg, options) {
+  if (!isObject(jwk)) {
+    throw new TypeError("JWK must be an object");
+  }
+  let ext;
+  alg ?? (alg = jwk.alg);
+  ext ?? (ext = jwk.ext);
+  switch (jwk.kty) {
+    case "oct":
+      if (typeof jwk.k !== "string" || !jwk.k) {
+        throw new TypeError('missing "k" (Key Value) Parameter value');
+      }
+      return decode(jwk.k);
+    case "RSA":
+      if ("oth" in jwk && jwk.oth !== void 0) {
+        throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+      }
+      return importJWK$1({ ...jwk, alg, ext });
+    case "AKP": {
+      if (typeof jwk.alg !== "string" || !jwk.alg) {
+        throw new TypeError('missing "alg" (Algorithm) Parameter value');
+      }
+      if (alg !== void 0 && alg !== jwk.alg) {
+        throw new TypeError("JWK alg and alg option value mismatch");
+      }
+      return importJWK$1({ ...jwk, ext });
+    }
+    case "EC":
+    case "OKP":
+      return importJWK$1({ ...jwk, alg, ext });
+    default:
+      throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
+  }
+}
+const validateCrit = (Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) => {
+  if (joseHeader.crit !== void 0 && protectedHeader?.crit === void 0) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
+  }
+  if (!protectedHeader || protectedHeader.crit === void 0) {
+    return /* @__PURE__ */ new Set();
+  }
+  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  }
+  let recognized;
+  if (recognizedOption !== void 0) {
+    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+  } else {
+    recognized = recognizedDefault;
+  }
+  for (const parameter of protectedHeader.crit) {
+    if (!recognized.has(parameter)) {
+      throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
+    }
+    if (joseHeader[parameter] === void 0) {
+      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+    }
+    if (recognized.get(parameter) && protectedHeader[parameter] === void 0) {
+      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+    }
+  }
+  return new Set(protectedHeader.crit);
+};
+const validateAlgorithms = (option, algorithms) => {
+  if (algorithms !== void 0 && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
+    throw new TypeError(`"${option}" option must be an array of strings`);
+  }
+  if (!algorithms) {
+    return void 0;
+  }
+  return new Set(algorithms);
+};
+function isJWK(key) {
+  return isObject(key) && typeof key.kty === "string";
+}
+function isPrivateJWK(key) {
+  return key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
+}
+function isPublicJWK(key) {
+  return key.kty !== "oct" && typeof key.d === "undefined" && typeof key.priv === "undefined";
+}
+function isSecretJWK(key) {
+  return key.kty === "oct" && typeof key.k === "string";
+}
+let cache;
+const handleJWK = async (key, jwk, alg, freeze = false) => {
+  cache || (cache = /* @__PURE__ */ new WeakMap());
+  let cached = cache.get(key);
+  if (cached?.[alg]) {
+    return cached[alg];
+  }
+  const cryptoKey = await importJWK$1({ ...jwk, alg });
+  if (freeze)
+    Object.freeze(key);
+  if (!cached) {
+    cache.set(key, { [alg]: cryptoKey });
+  } else {
+    cached[alg] = cryptoKey;
+  }
+  return cryptoKey;
+};
+const handleKeyObject = (keyObject, alg) => {
+  cache || (cache = /* @__PURE__ */ new WeakMap());
+  let cached = cache.get(keyObject);
+  if (cached?.[alg]) {
+    return cached[alg];
+  }
+  const isPublic = keyObject.type === "public";
+  const extractable = isPublic ? true : false;
+  let cryptoKey;
+  if (keyObject.asymmetricKeyType === "x25519") {
+    switch (alg) {
+      case "ECDH-ES":
+      case "ECDH-ES+A128KW":
+      case "ECDH-ES+A192KW":
+      case "ECDH-ES+A256KW":
+        break;
+      default:
+        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    }
+    cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
+  }
+  if (keyObject.asymmetricKeyType === "ed25519") {
+    if (alg !== "EdDSA" && alg !== "Ed25519") {
+      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    }
+    cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
+      isPublic ? "verify" : "sign"
+    ]);
+  }
+  switch (keyObject.asymmetricKeyType) {
+    case "ml-dsa-44":
+    case "ml-dsa-65":
+    case "ml-dsa-87": {
+      if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
+        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+      }
+      cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
+        isPublic ? "verify" : "sign"
+      ]);
+    }
+  }
+  if (keyObject.asymmetricKeyType === "rsa") {
+    let hash;
+    switch (alg) {
+      case "RSA-OAEP":
+        hash = "SHA-1";
+        break;
+      case "RS256":
+      case "PS256":
+      case "RSA-OAEP-256":
+        hash = "SHA-256";
+        break;
+      case "RS384":
+      case "PS384":
+      case "RSA-OAEP-384":
+        hash = "SHA-384";
+        break;
+      case "RS512":
+      case "PS512":
+      case "RSA-OAEP-512":
+        hash = "SHA-512";
+        break;
+      default:
+        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    }
+    if (alg.startsWith("RSA-OAEP")) {
+      return keyObject.toCryptoKey({
+        name: "RSA-OAEP",
+        hash
+      }, extractable, isPublic ? ["encrypt"] : ["decrypt"]);
+    }
+    cryptoKey = keyObject.toCryptoKey({
+      name: alg.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
+      hash
+    }, extractable, [isPublic ? "verify" : "sign"]);
+  }
+  if (keyObject.asymmetricKeyType === "ec") {
+    const nist = /* @__PURE__ */ new Map([
+      ["prime256v1", "P-256"],
+      ["secp384r1", "P-384"],
+      ["secp521r1", "P-521"]
+    ]);
+    const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
+    if (!namedCurve) {
+      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    }
+    if (alg === "ES256" && namedCurve === "P-256") {
+      cryptoKey = keyObject.toCryptoKey({
+        name: "ECDSA",
+        namedCurve
+      }, extractable, [isPublic ? "verify" : "sign"]);
+    }
+    if (alg === "ES384" && namedCurve === "P-384") {
+      cryptoKey = keyObject.toCryptoKey({
+        name: "ECDSA",
+        namedCurve
+      }, extractable, [isPublic ? "verify" : "sign"]);
+    }
+    if (alg === "ES512" && namedCurve === "P-521") {
+      cryptoKey = keyObject.toCryptoKey({
+        name: "ECDSA",
+        namedCurve
+      }, extractable, [isPublic ? "verify" : "sign"]);
+    }
+    if (alg.startsWith("ECDH-ES")) {
+      cryptoKey = keyObject.toCryptoKey({
+        name: "ECDH",
+        namedCurve
+      }, extractable, isPublic ? [] : ["deriveBits"]);
+    }
+  }
+  if (!cryptoKey) {
+    throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+  }
+  if (!cached) {
+    cache.set(keyObject, { [alg]: cryptoKey });
+  } else {
+    cached[alg] = cryptoKey;
+  }
+  return cryptoKey;
+};
+const normalizeKey = async (key, alg) => {
+  if (key instanceof Uint8Array) {
+    return key;
+  }
+  if (isCryptoKey(key)) {
+    return key;
+  }
+  if (isKeyObject(key)) {
+    if (key.type === "secret") {
+      return key.export();
+    }
+    if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
+      try {
+        return handleKeyObject(key, alg);
+      } catch (err) {
+        if (err instanceof TypeError) {
+          throw err;
+        }
+      }
+    }
+    let jwk = key.export({ format: "jwk" });
+    return handleJWK(key, jwk, alg);
+  }
+  if (isJWK(key)) {
+    if (key.k) {
+      return decode(key.k);
+    }
+    return handleJWK(key, key, alg, true);
+  }
+  throw new Error("unreachable");
+};
+const tag = (key) => key?.[Symbol.toStringTag];
+const jwkMatchesOp = (alg, key, usage) => {
+  if (key.use !== void 0) {
+    let expected;
+    switch (usage) {
+      case "sign":
+      case "verify":
+        expected = "sig";
+        break;
+      case "encrypt":
+      case "decrypt":
+        expected = "enc";
+        break;
+    }
+    if (key.use !== expected) {
+      throw new TypeError(`Invalid key for this operation, its "use" must be "${expected}" when present`);
+    }
+  }
+  if (key.alg !== void 0 && key.alg !== alg) {
+    throw new TypeError(`Invalid key for this operation, its "alg" must be "${alg}" when present`);
+  }
+  if (Array.isArray(key.key_ops)) {
+    let expectedKeyOp;
+    switch (true) {
+      case usage === "verify":
+      case alg === "dir":
+      case alg.includes("CBC-HS"):
+        expectedKeyOp = usage;
+        break;
+      case alg.startsWith("PBES2"):
+        expectedKeyOp = "deriveBits";
+        break;
+      case /^A\d{3}(?:GCM)?(?:KW)?$/.test(alg):
+        if (!alg.includes("GCM") && alg.endsWith("KW")) {
+          expectedKeyOp = "unwrapKey";
+        } else {
+          expectedKeyOp = usage;
+        }
+        break;
+      case usage === "encrypt":
+        expectedKeyOp = "wrapKey";
+        break;
+      case usage === "decrypt":
+        expectedKeyOp = alg.startsWith("RSA") ? "unwrapKey" : "deriveBits";
+        break;
+    }
+    if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) {
+      throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${expectedKeyOp}" when present`);
+    }
+  }
+  return true;
+};
+const symmetricTypeCheck = (alg, key, usage) => {
+  if (key instanceof Uint8Array)
+    return;
+  if (isJWK(key)) {
+    if (isSecretJWK(key) && jwkMatchesOp(alg, key, usage))
+      return;
+    throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`);
+  }
+  if (!isKeyLike(key)) {
+    throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
+  }
+  if (key.type !== "secret") {
+    throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`);
+  }
+};
+const asymmetricTypeCheck = (alg, key, usage) => {
+  if (isJWK(key)) {
+    switch (usage) {
+      case "decrypt":
+      case "sign":
+        if (isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))
+          return;
+        throw new TypeError(`JSON Web Key for this operation be a private JWK`);
+      case "encrypt":
+      case "verify":
+        if (isPublicJWK(key) && jwkMatchesOp(alg, key, usage))
+          return;
+        throw new TypeError(`JSON Web Key for this operation be a public JWK`);
+    }
+  }
+  if (!isKeyLike(key)) {
+    throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key"));
+  }
+  if (key.type === "secret") {
+    throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type "secret"`);
+  }
+  if (key.type === "public") {
+    switch (usage) {
+      case "sign":
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type "private"`);
+      case "decrypt":
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type "private"`);
+    }
+  }
+  if (key.type === "private") {
+    switch (usage) {
+      case "verify":
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type "public"`);
+      case "encrypt":
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type "public"`);
+    }
+  }
+};
+const checkKeyType = (alg, key, usage) => {
+  const symmetric = alg.startsWith("HS") || alg === "dir" || alg.startsWith("PBES2") || /^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(alg) || /^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(alg);
+  if (symmetric) {
+    symmetricTypeCheck(alg, key, usage);
+  } else {
+    asymmetricTypeCheck(alg, key, usage);
+  }
+};
+const subtleAlgorithm = (alg, algorithm) => {
+  const hash = `SHA-${alg.slice(-3)}`;
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      return { hash, name: "HMAC" };
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { hash, name: "RSASSA-PKCS1-v1_5" };
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
+    case "Ed25519":
+    case "EdDSA":
+      return { name: "Ed25519" };
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return { name: alg };
+    default:
+      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+  }
+};
+const getSignKey = async (alg, key, usage) => {
+  if (key instanceof Uint8Array) {
+    if (!alg.startsWith("HS")) {
+      throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+    }
+    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
+  }
+  checkSigCryptoKey(key, alg, usage);
+  return key;
+};
+const verify = async (alg, key, signature, data) => {
+  const cryptoKey = await getSignKey(alg, key, "verify");
+  checkKeyLength(alg, cryptoKey);
+  const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
+  try {
+    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+  } catch {
+    return false;
+  }
+};
+async function flattenedVerify(jws, key, options) {
+  if (!isObject(jws)) {
+    throw new JWSInvalid("Flattened JWS must be an object");
+  }
+  if (jws.protected === void 0 && jws.header === void 0) {
+    throw new JWSInvalid('Flattened JWS must have either of the "protected" or "header" members');
+  }
+  if (jws.protected !== void 0 && typeof jws.protected !== "string") {
+    throw new JWSInvalid("JWS Protected Header incorrect type");
+  }
+  if (jws.payload === void 0) {
+    throw new JWSInvalid("JWS Payload missing");
+  }
+  if (typeof jws.signature !== "string") {
+    throw new JWSInvalid("JWS Signature missing or incorrect type");
+  }
+  if (jws.header !== void 0 && !isObject(jws.header)) {
+    throw new JWSInvalid("JWS Unprotected Header incorrect type");
+  }
+  let parsedProt = {};
+  if (jws.protected) {
+    try {
+      const protectedHeader = decode(jws.protected);
+      parsedProt = JSON.parse(decoder.decode(protectedHeader));
+    } catch {
+      throw new JWSInvalid("JWS Protected Header is invalid");
+    }
+  }
+  if (!isDisjoint(parsedProt, jws.header)) {
+    throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+  }
+  const joseHeader = {
+    ...parsedProt,
+    ...jws.header
+  };
+  const extensions = validateCrit(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, parsedProt, joseHeader);
+  let b64 = true;
+  if (extensions.has("b64")) {
+    b64 = parsedProt.b64;
+    if (typeof b64 !== "boolean") {
+      throw new JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+    }
+  }
+  const { alg } = joseHeader;
+  if (typeof alg !== "string" || !alg) {
+    throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+  }
+  const algorithms = options && validateAlgorithms("algorithms", options.algorithms);
+  if (algorithms && !algorithms.has(alg)) {
+    throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
+  }
+  if (b64) {
+    if (typeof jws.payload !== "string") {
+      throw new JWSInvalid("JWS Payload must be a string");
+    }
+  } else if (typeof jws.payload !== "string" && !(jws.payload instanceof Uint8Array)) {
+    throw new JWSInvalid("JWS Payload must be a string or an Uint8Array instance");
+  }
+  let resolvedKey = false;
+  if (typeof key === "function") {
+    key = await key(parsedProt, jws);
+    resolvedKey = true;
+  }
+  checkKeyType(alg, key, "verify");
+  const data = concat(encoder.encode(jws.protected ?? ""), encoder.encode("."), typeof jws.payload === "string" ? encoder.encode(jws.payload) : jws.payload);
+  let signature;
+  try {
+    signature = decode(jws.signature);
+  } catch {
+    throw new JWSInvalid("Failed to base64url decode the signature");
+  }
+  const k = await normalizeKey(key, alg);
+  const verified = await verify(alg, k, signature, data);
+  if (!verified) {
+    throw new JWSSignatureVerificationFailed();
+  }
+  let payload;
+  if (b64) {
+    try {
+      payload = decode(jws.payload);
+    } catch {
+      throw new JWSInvalid("Failed to base64url decode the payload");
+    }
+  } else if (typeof jws.payload === "string") {
+    payload = encoder.encode(jws.payload);
+  } else {
+    payload = jws.payload;
+  }
+  const result = { payload };
+  if (jws.protected !== void 0) {
+    result.protectedHeader = parsedProt;
+  }
+  if (jws.header !== void 0) {
+    result.unprotectedHeader = jws.header;
+  }
+  if (resolvedKey) {
+    return { ...result, key: k };
+  }
+  return result;
+}
+async function compactVerify(jws, key, options) {
+  if (jws instanceof Uint8Array) {
+    jws = decoder.decode(jws);
+  }
+  if (typeof jws !== "string") {
+    throw new JWSInvalid("Compact JWS must be a string or Uint8Array");
+  }
+  const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split(".");
+  if (length !== 3) {
+    throw new JWSInvalid("Invalid Compact JWS");
+  }
+  const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options);
+  const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };
+  if (typeof key === "function") {
+    return { ...result, key: verified.key };
+  }
+  return result;
+}
+const epoch = (date) => Math.floor(date.getTime() / 1e3);
+const minute = 60;
+const hour = minute * 60;
+const day = hour * 24;
+const week = day * 7;
+const year = day * 365.25;
+const REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
+const secs = (str) => {
+  const matched = REGEX.exec(str);
+  if (!matched || matched[4] && matched[1]) {
+    throw new TypeError("Invalid time period format");
+  }
+  const value = parseFloat(matched[2]);
+  const unit = matched[3].toLowerCase();
+  let numericDate;
+  switch (unit) {
+    case "sec":
+    case "secs":
+    case "second":
+    case "seconds":
+    case "s":
+      numericDate = Math.round(value);
+      break;
+    case "minute":
+    case "minutes":
+    case "min":
+    case "mins":
+    case "m":
+      numericDate = Math.round(value * minute);
+      break;
+    case "hour":
+    case "hours":
+    case "hr":
+    case "hrs":
+    case "h":
+      numericDate = Math.round(value * hour);
+      break;
+    case "day":
+    case "days":
+    case "d":
+      numericDate = Math.round(value * day);
+      break;
+    case "week":
+    case "weeks":
+    case "w":
+      numericDate = Math.round(value * week);
+      break;
+    default:
+      numericDate = Math.round(value * year);
+      break;
+  }
+  if (matched[1] === "-" || matched[4] === "ago") {
+    return -numericDate;
+  }
+  return numericDate;
+};
+const normalizeTyp = (value) => {
+  if (value.includes("/")) {
+    return value.toLowerCase();
+  }
+  return `application/${value.toLowerCase()}`;
+};
+const checkAudiencePresence = (audPayload, audOption) => {
+  if (typeof audPayload === "string") {
+    return audOption.includes(audPayload);
+  }
+  if (Array.isArray(audPayload)) {
+    return audOption.some(Set.prototype.has.bind(new Set(audPayload)));
+  }
+  return false;
+};
+function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {
+  let payload;
+  try {
+    payload = JSON.parse(decoder.decode(encodedPayload));
+  } catch {
+  }
+  if (!isObject(payload)) {
+    throw new JWTInvalid("JWT Claims Set must be a top-level JSON object");
+  }
+  const { typ } = options;
+  if (typ && (typeof protectedHeader.typ !== "string" || normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {
+    throw new JWTClaimValidationFailed('unexpected "typ" JWT header value', payload, "typ", "check_failed");
+  }
+  const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;
+  const presenceCheck = [...requiredClaims];
+  if (maxTokenAge !== void 0)
+    presenceCheck.push("iat");
+  if (audience !== void 0)
+    presenceCheck.push("aud");
+  if (subject !== void 0)
+    presenceCheck.push("sub");
+  if (issuer !== void 0)
+    presenceCheck.push("iss");
+  for (const claim of new Set(presenceCheck.reverse())) {
+    if (!(claim in payload)) {
+      throw new JWTClaimValidationFailed(`missing required "${claim}" claim`, payload, claim, "missing");
+    }
+  }
+  if (issuer && !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {
+    throw new JWTClaimValidationFailed('unexpected "iss" claim value', payload, "iss", "check_failed");
+  }
+  if (subject && payload.sub !== subject) {
+    throw new JWTClaimValidationFailed('unexpected "sub" claim value', payload, "sub", "check_failed");
+  }
+  if (audience && !checkAudiencePresence(payload.aud, typeof audience === "string" ? [audience] : audience)) {
+    throw new JWTClaimValidationFailed('unexpected "aud" claim value', payload, "aud", "check_failed");
+  }
+  let tolerance;
+  switch (typeof options.clockTolerance) {
+    case "string":
+      tolerance = secs(options.clockTolerance);
+      break;
+    case "number":
+      tolerance = options.clockTolerance;
+      break;
+    case "undefined":
+      tolerance = 0;
+      break;
+    default:
+      throw new TypeError("Invalid clockTolerance option type");
+  }
+  const { currentDate } = options;
+  const now = epoch(currentDate || /* @__PURE__ */ new Date());
+  if ((payload.iat !== void 0 || maxTokenAge) && typeof payload.iat !== "number") {
+    throw new JWTClaimValidationFailed('"iat" claim must be a number', payload, "iat", "invalid");
+  }
+  if (payload.nbf !== void 0) {
+    if (typeof payload.nbf !== "number") {
+      throw new JWTClaimValidationFailed('"nbf" claim must be a number', payload, "nbf", "invalid");
+    }
+    if (payload.nbf > now + tolerance) {
+      throw new JWTClaimValidationFailed('"nbf" claim timestamp check failed', payload, "nbf", "check_failed");
+    }
+  }
+  if (payload.exp !== void 0) {
+    if (typeof payload.exp !== "number") {
+      throw new JWTClaimValidationFailed('"exp" claim must be a number', payload, "exp", "invalid");
+    }
+    if (payload.exp <= now - tolerance) {
+      throw new JWTExpired('"exp" claim timestamp check failed', payload, "exp", "check_failed");
+    }
+  }
+  if (maxTokenAge) {
+    const age = now - payload.iat;
+    const max = typeof maxTokenAge === "number" ? maxTokenAge : secs(maxTokenAge);
+    if (age - tolerance > max) {
+      throw new JWTExpired('"iat" claim timestamp check failed (too far in the past)', payload, "iat", "check_failed");
+    }
+    if (age < 0 - tolerance) {
+      throw new JWTClaimValidationFailed('"iat" claim timestamp check failed (it should be in the past)', payload, "iat", "check_failed");
+    }
+  }
+  return payload;
+}
+async function jwtVerify(jwt, key, options) {
+  const verified = await compactVerify(jwt, key, options);
+  if (verified.protectedHeader.crit?.includes("b64") && verified.protectedHeader.b64 === false) {
+    throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
+  }
+  const payload = validateClaimsSet(verified.protectedHeader, verified.payload, options);
+  const result = { payload, protectedHeader: verified.protectedHeader };
+  if (typeof key === "function") {
+    return { ...result, key: verified.key };
+  }
+  return result;
+}
+function getKtyFromAlg(alg) {
+  switch (typeof alg === "string" && alg.slice(0, 2)) {
+    case "RS":
+    case "PS":
+      return "RSA";
+    case "ES":
+      return "EC";
+    case "Ed":
+      return "OKP";
+    case "ML":
+      return "AKP";
+    default:
+      throw new JOSENotSupported('Unsupported "alg" value for a JSON Web Key Set');
+  }
+}
+function isJWKSLike(jwks) {
+  return jwks && typeof jwks === "object" && Array.isArray(jwks.keys) && jwks.keys.every(isJWKLike);
+}
+function isJWKLike(key) {
+  return isObject(key);
+}
+class LocalJWKSet {
+  constructor(jwks) {
+    __privateAdd(this, _jwks);
+    __privateAdd(this, _cached, /* @__PURE__ */ new WeakMap());
+    if (!isJWKSLike(jwks)) {
+      throw new JWKSInvalid("JSON Web Key Set malformed");
+    }
+    __privateSet(this, _jwks, structuredClone(jwks));
+  }
+  jwks() {
+    return __privateGet(this, _jwks);
+  }
+  async getKey(protectedHeader, token) {
+    const { alg, kid } = { ...protectedHeader, ...token?.header };
+    const kty = getKtyFromAlg(alg);
+    const candidates = __privateGet(this, _jwks).keys.filter((jwk2) => {
+      let candidate = kty === jwk2.kty;
+      if (candidate && typeof kid === "string") {
+        candidate = kid === jwk2.kid;
+      }
+      if (candidate && (typeof jwk2.alg === "string" || kty === "AKP")) {
+        candidate = alg === jwk2.alg;
+      }
+      if (candidate && typeof jwk2.use === "string") {
+        candidate = jwk2.use === "sig";
+      }
+      if (candidate && Array.isArray(jwk2.key_ops)) {
+        candidate = jwk2.key_ops.includes("verify");
+      }
+      if (candidate) {
+        switch (alg) {
+          case "ES256":
+            candidate = jwk2.crv === "P-256";
+            break;
+          case "ES384":
+            candidate = jwk2.crv === "P-384";
+            break;
+          case "ES512":
+            candidate = jwk2.crv === "P-521";
+            break;
+          case "Ed25519":
+          case "EdDSA":
+            candidate = jwk2.crv === "Ed25519";
+            break;
+        }
+      }
+      return candidate;
+    });
+    const { 0: jwk, length } = candidates;
+    if (length === 0) {
+      throw new JWKSNoMatchingKey();
+    }
+    if (length !== 1) {
+      const error = new JWKSMultipleMatchingKeys();
+      const _cached2 = __privateGet(this, _cached);
+      error[Symbol.asyncIterator] = async function* () {
+        for (const jwk2 of candidates) {
+          try {
+            yield await importWithAlgCache(_cached2, jwk2, alg);
+          } catch {
+          }
+        }
+      };
+      throw error;
+    }
+    return importWithAlgCache(__privateGet(this, _cached), jwk, alg);
+  }
+}
+_jwks = new WeakMap();
+_cached = new WeakMap();
+async function importWithAlgCache(cache2, jwk, alg) {
+  const cached = cache2.get(jwk) || cache2.set(jwk, {}).get(jwk);
+  if (cached[alg] === void 0) {
+    const key = await importJWK({ ...jwk, ext: true }, alg);
+    if (key instanceof Uint8Array || key.type !== "public") {
+      throw new JWKSInvalid("JSON Web Key Set members must be public keys");
+    }
+    cached[alg] = key;
+  }
+  return cached[alg];
+}
+function createLocalJWKSet(jwks) {
+  const set = new LocalJWKSet(jwks);
+  const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
+  Object.defineProperties(localJWKSet, {
+    jwks: {
+      value: () => structuredClone(set.jwks()),
+      enumerable: false,
+      configurable: false,
+      writable: false
+    }
+  });
+  return localJWKSet;
+}
+function isCloudflareWorkers() {
+  return typeof WebSocketPair !== "undefined" || typeof navigator !== "undefined" && navigator.userAgent === "Cloudflare-Workers" || typeof EdgeRuntime !== "undefined" && EdgeRuntime === "vercel";
+}
+let USER_AGENT;
+if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
+  const NAME = "jose";
+  const VERSION = "v6.1.0";
+  USER_AGENT = `${NAME}/${VERSION}`;
+}
+const customFetch = Symbol();
+async function fetchJwks(url, headers, signal, fetchImpl = fetch) {
+  const response = await fetchImpl(url, {
+    method: "GET",
+    signal,
+    redirect: "manual",
+    headers
+  }).catch((err) => {
+    if (err.name === "TimeoutError") {
+      throw new JWKSTimeout();
+    }
+    throw err;
+  });
+  if (response.status !== 200) {
+    throw new JOSEError("Expected 200 OK from the JSON Web Key Set HTTP response");
+  }
+  try {
+    return await response.json();
+  } catch {
+    throw new JOSEError("Failed to parse the JSON Web Key Set HTTP response as JSON");
+  }
+}
+const jwksCache = Symbol();
+function isFreshJwksCache(input, cacheMaxAge) {
+  if (typeof input !== "object" || input === null) {
+    return false;
+  }
+  if (!("uat" in input) || typeof input.uat !== "number" || Date.now() - input.uat >= cacheMaxAge) {
+    return false;
+  }
+  if (!("jwks" in input) || !isObject(input.jwks) || !Array.isArray(input.jwks.keys) || !Array.prototype.every.call(input.jwks.keys, isObject)) {
+    return false;
+  }
+  return true;
+}
+class RemoteJWKSet {
+  constructor(url, options) {
+    __privateAdd(this, _url);
+    __privateAdd(this, _timeoutDuration);
+    __privateAdd(this, _cooldownDuration);
+    __privateAdd(this, _cacheMaxAge);
+    __privateAdd(this, _jwksTimestamp);
+    __privateAdd(this, _pendingFetch);
+    __privateAdd(this, _headers);
+    __privateAdd(this, _customFetch);
+    __privateAdd(this, _local);
+    __privateAdd(this, _cache);
+    if (!(url instanceof URL)) {
+      throw new TypeError("url must be an instance of URL");
+    }
+    __privateSet(this, _url, new URL(url.href));
+    __privateSet(this, _timeoutDuration, typeof options?.timeoutDuration === "number" ? options?.timeoutDuration : 5e3);
+    __privateSet(this, _cooldownDuration, typeof options?.cooldownDuration === "number" ? options?.cooldownDuration : 3e4);
+    __privateSet(this, _cacheMaxAge, typeof options?.cacheMaxAge === "number" ? options?.cacheMaxAge : 6e5);
+    __privateSet(this, _headers, new Headers(options?.headers));
+    if (USER_AGENT && !__privateGet(this, _headers).has("User-Agent")) {
+      __privateGet(this, _headers).set("User-Agent", USER_AGENT);
+    }
+    if (!__privateGet(this, _headers).has("accept")) {
+      __privateGet(this, _headers).set("accept", "application/json");
+      __privateGet(this, _headers).append("accept", "application/jwk-set+json");
+    }
+    __privateSet(this, _customFetch, options?.[customFetch]);
+    if (options?.[jwksCache] !== void 0) {
+      __privateSet(this, _cache, options?.[jwksCache]);
+      if (isFreshJwksCache(options?.[jwksCache], __privateGet(this, _cacheMaxAge))) {
+        __privateSet(this, _jwksTimestamp, __privateGet(this, _cache).uat);
+        __privateSet(this, _local, createLocalJWKSet(__privateGet(this, _cache).jwks));
+      }
+    }
+  }
+  pendingFetch() {
+    return !!__privateGet(this, _pendingFetch);
+  }
+  coolingDown() {
+    return typeof __privateGet(this, _jwksTimestamp) === "number" ? Date.now() < __privateGet(this, _jwksTimestamp) + __privateGet(this, _cooldownDuration) : false;
+  }
+  fresh() {
+    return typeof __privateGet(this, _jwksTimestamp) === "number" ? Date.now() < __privateGet(this, _jwksTimestamp) + __privateGet(this, _cacheMaxAge) : false;
+  }
+  jwks() {
+    return __privateGet(this, _local)?.jwks();
+  }
+  async getKey(protectedHeader, token) {
+    if (!__privateGet(this, _local) || !this.fresh()) {
+      await this.reload();
+    }
+    try {
+      return await __privateGet(this, _local).call(this, protectedHeader, token);
+    } catch (err) {
+      if (err instanceof JWKSNoMatchingKey) {
+        if (this.coolingDown() === false) {
+          await this.reload();
+          return __privateGet(this, _local).call(this, protectedHeader, token);
+        }
+      }
+      throw err;
+    }
+  }
+  async reload() {
+    if (__privateGet(this, _pendingFetch) && isCloudflareWorkers()) {
+      __privateSet(this, _pendingFetch, void 0);
+    }
+    __privateGet(this, _pendingFetch) || __privateSet(this, _pendingFetch, fetchJwks(__privateGet(this, _url).href, __privateGet(this, _headers), AbortSignal.timeout(__privateGet(this, _timeoutDuration)), __privateGet(this, _customFetch)).then((json) => {
+      __privateSet(this, _local, createLocalJWKSet(json));
+      if (__privateGet(this, _cache)) {
+        __privateGet(this, _cache).uat = Date.now();
+        __privateGet(this, _cache).jwks = json;
+      }
+      __privateSet(this, _jwksTimestamp, Date.now());
+      __privateSet(this, _pendingFetch, void 0);
+    }).catch((err) => {
+      __privateSet(this, _pendingFetch, void 0);
+      throw err;
+    }));
+    await __privateGet(this, _pendingFetch);
+  }
+}
+_url = new WeakMap();
+_timeoutDuration = new WeakMap();
+_cooldownDuration = new WeakMap();
+_cacheMaxAge = new WeakMap();
+_jwksTimestamp = new WeakMap();
+_pendingFetch = new WeakMap();
+_headers = new WeakMap();
+_customFetch = new WeakMap();
+_local = new WeakMap();
+_cache = new WeakMap();
+function createRemoteJWKSet(url, options) {
+  const set = new RemoteJWKSet(url, options);
+  const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
+  Object.defineProperties(remoteJWKSet, {
+    coolingDown: {
+      get: () => set.coolingDown(),
+      enumerable: true,
+      configurable: false
+    },
+    fresh: {
+      get: () => set.fresh(),
+      enumerable: true,
+      configurable: false
+    },
+    reload: {
+      value: () => set.reload(),
+      enumerable: true,
+      configurable: false,
+      writable: false
+    },
+    reloading: {
+      get: () => set.pendingFetch(),
+      enumerable: true,
+      configurable: false
+    },
+    jwks: {
+      value: () => set.jwks(),
+      enumerable: true,
+      configurable: false,
+      writable: false
+    }
+  });
+  return remoteJWKSet;
+}
+class Logger {
+  constructor(debug = false, prefix = "[MarketplaceSDK]") {
+    this.debug = debug;
+    this.prefix = prefix;
+  }
+  /**
+   * Log debug message (only if debug enabled)
+   */
+  log(...args) {
+    if (this.debug) {
+      console.log(this.prefix, ...args);
+    }
+  }
+  /**
+   * Log info message (only if debug enabled)
+   */
+  info(...args) {
+    if (this.debug) {
+      console.info(this.prefix, ...args);
+    }
+  }
+  /**
+   * Log warning message (always shown)
+   */
+  warn(...args) {
+    console.warn(this.prefix, ...args);
+  }
+  /**
+   * Log error message (always shown)
+   */
+  error(...args) {
+    console.error(this.prefix, ...args);
+  }
+}
+class JWKSValidator {
+  constructor(jwksUri, debug = false) {
+    this.jwksUri = jwksUri;
+    this.logger = new Logger(debug, "[JWKSValidator]");
+    this.jwks = createRemoteJWKSet(new URL(this.jwksUri));
+    this.logger.info("Initialized with JWKS URI:", this.jwksUri);
+  }
+  /**
+   * Verify JWT signature using JWKS public key
+   * @param token - JWT token to verify
+   * @param expectedIssuer - Expected issuer (default: 'generalwisdom.com')
+   * @param expectedApplicationId - Optional application ID to validate
+   * @returns Decoded and verified JWT claims
+   */
+  async verify(token, expectedIssuer = "generalwisdom.com", expectedApplicationId) {
+    this.logger.log("Verifying JWT signature...");
+    try {
+      const result = await jwtVerify(token, this.jwks, {
+        issuer: expectedIssuer,
+        algorithms: ["RS256"]
+      });
+      const payload = result.payload;
+      const requiredClaims = [
+        "sessionId",
+        "userId",
+        "orgId",
+        "applicationId",
+        "exp",
+        "iat"
+      ];
+      for (const claim of requiredClaims) {
+        if (!(claim in payload)) {
+          throw new SDKError(
+            `Missing required claim: ${claim}`,
+            "MISSING_CLAIM"
+          );
+        }
+      }
+      if (expectedApplicationId && payload.applicationId !== expectedApplicationId) {
+        this.logger.error(
+          `Application ID mismatch: expected ${expectedApplicationId}, got ${payload.applicationId}`
+        );
+        throw new SDKError(
+          "Token is for a different application",
+          "APPLICATION_MISMATCH"
+        );
+      }
+      const claims = {
+        sessionId: payload.sessionId,
+        applicationId: payload.applicationId,
+        userId: payload.userId,
+        orgId: payload.orgId,
+        startTime: payload.startTime,
+        durationMinutes: payload.durationMinutes,
+        iat: payload.iat,
+        exp: payload.exp,
+        iss: payload.iss,
+        sub: payload.sub
+      };
+      this.logger.log("JWT verified successfully");
+      return claims;
+    } catch (error) {
+      this.logger.error("JWT verification failed:", error);
+      if (error instanceof SDKError) {
+        throw error;
+      }
+      const errorMessage = error instanceof Error ? error.message : "Unknown error";
+      const errorName = error instanceof Error ? error.name : "Error";
+      if (errorName === "JWTExpired" || errorMessage.includes("expired")) {
+        throw new SDKError("Session expired", "SESSION_EXPIRED");
+      }
+      if (errorName === "JWSSignatureVerificationFailed") {
+        throw new SDKError("Invalid JWT signature", "INVALID_SIGNATURE");
+      }
+      if (errorName === "JWTClaimValidationFailed") {
+        throw new SDKError(`JWT claim validation failed: ${errorMessage}`, "INVALID_CLAIM");
+      }
+      throw new SDKError(
+        `JWT verification failed: ${errorMessage}`,
+        "VERIFICATION_FAILED"
+      );
+    }
+  }
+  /**
+   * Update JWKS URI
+   * @param jwksUri - New JWKS URI
+   */
+  updateJwksUri(jwksUri) {
+    this.jwksUri = jwksUri;
+    this.jwks = createRemoteJWKSet(new URL(this.jwksUri));
+    this.logger.info("Updated JWKS URI:", this.jwksUri);
+  }
+}
+class TimerManager {
+  constructor(durationSeconds, warningThresholdSeconds = 300, events = {}, debug = false) {
+    this.intervalId = null;
+    this.warningShown = false;
+    this.remainingSeconds = durationSeconds;
+    this.warningThreshold = warningThresholdSeconds;
+    this.events = events;
+    this.logger = new Logger(debug, "[TimerManager]");
+    this.logger.log("Initialized with duration:", durationSeconds, "seconds");
+  }
+  /**
+   * Start countdown timer
+   */
+  start() {
+    if (this.intervalId !== null) {
+      this.logger.warn("Timer already running");
+      return;
+    }
+    this.logger.log("Starting timer with", this.remainingSeconds, "seconds remaining");
+    this.intervalId = window.setInterval(() => {
+      this.remainingSeconds--;
+      if (!this.warningShown && this.remainingSeconds <= this.warningThreshold && this.remainingSeconds > 0) {
+        this.warningShown = true;
+        this.logger.warn("Warning threshold reached:", this.remainingSeconds, "seconds remaining");
+        this.events.onSessionWarning?.({
+          remainingSeconds: this.remainingSeconds
+        });
+      }
+      if (this.remainingSeconds <= 0) {
+        this.logger.warn("Session expired");
+        this.stop();
+        this.events.onSessionEnd?.();
+      }
+    }, 1e3);
+  }
+  /**
+   * Stop timer
+   */
+  stop() {
+    if (this.intervalId !== null) {
+      clearInterval(this.intervalId);
+      this.intervalId = null;
+      this.logger.log("Timer stopped");
+    }
+  }
+  /**
+   * Pause timer
+   */
+  pause() {
+    this.stop();
+    this.logger.log("Timer paused at:", this.remainingSeconds, "seconds");
+  }
+  /**
+   * Resume timer
+   */
+  resume() {
+    if (this.intervalId === null && this.remainingSeconds > 0) {
+      this.start();
+      this.logger.log("Timer resumed at:", this.remainingSeconds, "seconds");
+    }
+  }
+  /**
+   * Get remaining time in seconds
+   */
+  getRemainingSeconds() {
+    return this.remainingSeconds;
+  }
+  /**
+   * Get formatted time string (MM:SS)
+   */
+  getFormattedTime() {
+    const minutes = Math.floor(this.remainingSeconds / 60);
+    const seconds = this.remainingSeconds % 60;
+    return `${minutes}:${seconds.toString().padStart(2, "0")}`;
+  }
+  /**
+   * Get formatted time string with hours (HH:MM:SS)
+   */
+  getFormattedTimeWithHours() {
+    const hours = Math.floor(this.remainingSeconds / 3600);
+    const minutes = Math.floor(this.remainingSeconds % 3600 / 60);
+    const seconds = this.remainingSeconds % 60;
+    if (hours > 0) {
+      return `${hours}:${minutes.toString().padStart(2, "0")}:${seconds.toString().padStart(2, "0")}`;
+    }
+    return this.getFormattedTime();
+  }
+  /**
+   * Check if timer is running
+   */
+  isRunning() {
+    return this.intervalId !== null;
+  }
+  /**
+   * Check if warning has been shown
+   */
+  hasWarningBeenShown() {
+    return this.warningShown;
+  }
+  /**
+   * Update remaining time (useful for syncing with server)
+   */
+  updateRemainingTime(seconds) {
+    this.remainingSeconds = seconds;
+    this.logger.log("Remaining time updated to:", seconds, "seconds");
+  }
+}
+class HeartbeatManager {
+  constructor(sessionId, apiEndpoint, token, onSync, onError, heartbeatIntervalSeconds = 30, debug = false) {
+    this.sessionId = sessionId;
+    this.apiEndpoint = apiEndpoint;
+    this.token = token;
+    this.onSync = onSync;
+    this.onError = onError;
+    this.intervalId = null;
+    this.failureCount = 0;
+    this.maxFailures = 3;
+    this.isEnabled = false;
+    this.heartbeatInterval = heartbeatIntervalSeconds * 1e3;
+    this.logger = new Logger(debug, "[HeartbeatManager]");
+    this.logger.log("Initialized with", heartbeatIntervalSeconds, "second interval");
+  }
+  /**
+   * Start sending heartbeats
+   */
+  start() {
+    if (this.intervalId !== null) {
+      this.logger.warn("Heartbeat already running");
+      return;
+    }
+    this.isEnabled = true;
+    this.logger.log("Starting heartbeat for session:", this.sessionId);
+    this.sendHeartbeat();
+    this.intervalId = window.setInterval(() => {
+      this.sendHeartbeat();
+    }, this.heartbeatInterval);
+  }
+  /**
+   * Stop sending heartbeats
+   */
+  stop() {
+    if (this.intervalId !== null) {
+      clearInterval(this.intervalId);
+      this.intervalId = null;
+      this.isEnabled = false;
+      this.logger.log("Heartbeat stopped");
+    }
+  }
+  /**
+   * Send a single heartbeat to backend
+   */
+  async sendHeartbeat() {
+    if (!this.isEnabled) {
+      return;
+    }
+    this.logger.log("Sending heartbeat...");
+    try {
+      const response = await fetch(
+        `${this.apiEndpoint}/sessions/${this.sessionId}/heartbeat`,
+        {
+          method: "POST",
+          headers: {
+            "Authorization": `Bearer ${this.token}`,
+            "Content-Type": "application/json"
+          },
+          body: JSON.stringify({
+            timestamp: Date.now(),
+            active: true
+          })
+        }
+      );
+      if (!response.ok) {
+        throw new SDKError(
+          `Heartbeat failed with status ${response.status}`,
+          "HEARTBEAT_FAILED",
+          response.status
+        );
+      }
+      const data = await response.json();
+      this.failureCount = 0;
+      if (typeof data.remaining_seconds === "number") {
+        this.logger.log("Server reports", data.remaining_seconds, "seconds remaining");
+        this.onSync?.(data.remaining_seconds);
+      }
+      this.logger.log("Heartbeat acknowledged");
+    } catch (error) {
+      this.failureCount++;
+      this.logger.error("Heartbeat failed:", error, `(${this.failureCount}/${this.maxFailures})`);
+      if (this.failureCount >= this.maxFailures) {
+        this.logger.error("Max heartbeat failures reached, stopping");
+        this.stop();
+        const sdkError = error instanceof SDKError ? error : new SDKError(
+          error instanceof Error ? error.message : "Heartbeat failed",
+          "HEARTBEAT_ERROR"
+        );
+        this.onError?.(sdkError);
+      }
+    }
+  }
+  /**
+   * Check if heartbeat is running
+   */
+  isRunning() {
+    return this.intervalId !== null;
+  }
+  /**
+   * Get failure count
+   */
+  getFailureCount() {
+    return this.failureCount;
+  }
+  /**
+   * Update heartbeat interval
+   */
+  updateInterval(seconds) {
+    const wasRunning = this.isRunning();
+    if (wasRunning) {
+      this.stop();
+    }
+    this.heartbeatInterval = seconds * 1e3;
+    this.logger.log("Heartbeat interval updated to", seconds, "seconds");
+    if (wasRunning) {
+      this.start();
+    }
+  }
+}
+class TabSyncManager {
+  constructor(sessionId, onMessage, debug = false) {
+    this.sessionId = sessionId;
+    this.onMessage = onMessage;
+    this.channel = null;
+    this.isMaster = false;
+    this.handleStorageEvent = (event) => {
+      if (event.key === this.storageKey && event.newValue) {
+        try {
+          const data = JSON.parse(event.newValue);
+          this.handleMessage(data);
+        } catch (error) {
+          this.logger.error("Failed to parse storage event:", error);
+        }
+      }
+    };
+    this.storageKey = `gw_session_sync_${sessionId}`;
+    this.logger = new Logger(debug, "[TabSyncManager]");
+    this.initialize();
+  }
+  /**
+   * Initialize sync mechanism
+   */
+  initialize() {
+    if (typeof BroadcastChannel !== "undefined") {
+      this.logger.log("Using BroadcastChannel for tab sync");
+      this.channel = new BroadcastChannel(`gw-session-${this.sessionId}`);
+      this.channel.onmessage = (event) => {
+        this.handleMessage(event.data);
+      };
+    } else {
+      this.logger.log("Using localStorage for tab sync (fallback)");
+      window.addEventListener("storage", this.handleStorageEvent);
+    }
+    this.electMaster();
+  }
+  /**
+   * Broadcast message to other tabs
+   */
+  broadcast(type, data) {
+    const message2 = {
+      type,
+      sessionId: this.sessionId,
+      timestamp: Date.now(),
+      ...data
+    };
+    if (this.channel) {
+      this.channel.postMessage(message2);
+      this.logger.log("Broadcasted:", type);
+    } else {
+      localStorage.setItem(this.storageKey, JSON.stringify(message2));
+      this.logger.log("Broadcasted via localStorage:", type);
+    }
+  }
+  /**
+   * Handle incoming message
+   */
+  handleMessage(data) {
+    if (data.sessionId !== this.sessionId) {
+      return;
+    }
+    this.logger.log("Received message:", data.type);
+    this.onMessage(data);
+  }
+  /**
+   * Elect this tab as master if appropriate
+   * Master tab is responsible for heartbeats
+   */
+  electMaster() {
+    const masterKey = `gw_session_master_${this.sessionId}`;
+    const existingMaster = localStorage.getItem(masterKey);
+    if (!existingMaster) {
+      this.isMaster = true;
+      localStorage.setItem(masterKey, Date.now().toString());
+      this.logger.log("Elected as master tab");
+      setInterval(() => {
+        if (this.isMaster) {
+          localStorage.setItem(masterKey, Date.now().toString());
+        }
+      }, 5e3);
+      window.addEventListener("beforeunload", () => {
+        if (this.isMaster) {
+          localStorage.removeItem(masterKey);
+          this.logger.log("Removed master status");
+        }
+      });
+    } else {
+      this.logger.log("Another tab is master");
+      setInterval(() => {
+        const masterTimestamp = localStorage.getItem(masterKey);
+        if (masterTimestamp) {
+          const age = Date.now() - parseInt(masterTimestamp);
+          if (age > 1e4) {
+            this.logger.warn("Master tab appears dead, becoming master");
+            this.isMaster = true;
+            localStorage.setItem(masterKey, Date.now().toString());
+          }
+        }
+      }, 5e3);
+    }
+  }
+  /**
+   * Check if this tab is the master
+   */
+  isMasterTab() {
+    return this.isMaster;
+  }
+  /**
+   * Cleanup and destroy
+   */
+  destroy() {
+    if (this.channel) {
+      this.channel.close();
+      this.channel = null;
+    } else {
+      window.removeEventListener("storage", this.handleStorageEvent);
+    }
+    localStorage.removeItem(this.storageKey);
+    if (this.isMaster) {
+      localStorage.removeItem(`gw_session_master_${this.sessionId}`);
+    }
+    this.logger.log("Tab sync destroyed");
+  }
+}
+const lightTheme = {
+  colors: {
+    // Background
+    background: "hsl(0 0% 100%)",
+    foreground: "hsl(222.2 84% 4.9%)",
+    // Card
+    card: "hsl(0 0% 100%)",
+    cardForeground: "hsl(222.2 84% 4.9%)",
+    // Popover
+    popover: "hsl(0 0% 100%)",
+    popoverForeground: "hsl(222.2 84% 4.9%)",
+    // Primary (brand blue)
+    primary: "hsl(221.2 83.2% 53.3%)",
+    primaryForeground: "hsl(210 40% 98%)",
+    // Secondary (light gray)
+    secondary: "hsl(210 40% 96.1%)",
+    secondaryForeground: "hsl(222.2 47.4% 11.2%)",
+    // Muted
+    muted: "hsl(210 40% 96.1%)",
+    mutedForeground: "hsl(215.4 16.3% 46.9%)",
+    // Accent
+    accent: "hsl(210 40% 96.1%)",
+    accentForeground: "hsl(222.2 47.4% 11.2%)",
+    // Destructive (red)
+    destructive: "hsl(0 84.2% 60.2%)",
+    destructiveForeground: "hsl(210 40% 98%)",
+    // Success (green)
+    success: "hsl(142 76% 36%)",
+    // Tailwind green-600 equivalent
+    successForeground: "hsl(0 0% 100%)",
+    // Border and input
+    border: "hsl(214.3 31.8% 91.4%)",
+    input: "hsl(214.3 31.8% 91.4%)",
+    ring: "hsl(221.2 83.2% 53.3%)"
+  },
+  typography: {
+    fontFamily: '-apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif',
+    fontSize: {
+      xs: "12px",
+      sm: "14px",
+      base: "16px",
+      lg: "18px",
+      xl: "20px",
+      "2xl": "24px"
+    },
+    fontWeight: {
+      normal: "400",
+      medium: "500",
+      semibold: "600",
+      bold: "700"
+    },
+    lineHeight: {
+      tight: "1.25",
+      normal: "1.5",
+      relaxed: "1.75"
+    }
+  },
+  spacing: {
+    borderRadius: {
+      sm: "4px",
+      // calc(0.5rem - 4px)
+      md: "6px",
+      // calc(0.5rem - 2px)
+      lg: "8px"
+      // 0.5rem
+    },
+    padding: {
+      sm: "8px",
+      md: "16px",
+      lg: "24px",
+      xl: "32px"
+    },
+    gap: {
+      sm: "8px",
+      md: "12px",
+      lg: "16px"
+    }
+  }
+};
+const darkTheme = {
+  colors: {
+    // Background
+    background: "hsl(222.2 84% 4.9%)",
+    foreground: "hsl(210 40% 98%)",
+    // Card
+    card: "hsl(222.2 84% 4.9%)",
+    cardForeground: "hsl(210 40% 98%)",
+    // Popover
+    popover: "hsl(222.2 84% 4.9%)",
+    popoverForeground: "hsl(210 40% 98%)",
+    // Primary (lighter blue for dark mode)
+    primary: "hsl(217.2 91.2% 59.8%)",
+    primaryForeground: "hsl(222.2 47.4% 11.2%)",
+    // Secondary (dark gray)
+    secondary: "hsl(217.2 32.6% 17.5%)",
+    secondaryForeground: "hsl(210 40% 98%)",
+    // Muted
+    muted: "hsl(217.2 32.6% 17.5%)",
+    mutedForeground: "hsl(215 20.2% 65.1%)",
+    // Accent
+    accent: "hsl(217.2 32.6% 17.5%)",
+    accentForeground: "hsl(210 40% 98%)",
+    // Destructive (darker red for dark mode)
+    destructive: "hsl(0 62.8% 30.6%)",
+    destructiveForeground: "hsl(210 40% 98%)",
+    // Success (darker green for dark mode)
+    success: "hsl(142 71% 45%)",
+    // Tailwind green-500 equivalent
+    successForeground: "hsl(0 0% 100%)",
+    // Border and input
+    border: "hsl(217.2 32.6% 17.5%)",
+    input: "hsl(217.2 32.6% 17.5%)",
+    ring: "hsl(224.3 76.3% 48%)"
+  },
+  typography: {
+    fontFamily: '-apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif',
+    fontSize: {
+      xs: "12px",
+      sm: "14px",
+      base: "16px",
+      lg: "18px",
+      xl: "20px",
+      "2xl": "24px"
+    },
+    fontWeight: {
+      normal: "400",
+      medium: "500",
+      semibold: "600",
+      bold: "700"
+    },
+    lineHeight: {
+      tight: "1.25",
+      normal: "1.5",
+      relaxed: "1.75"
+    }
+  },
+  spacing: {
+    borderRadius: {
+      sm: "4px",
+      md: "6px",
+      lg: "8px"
+    },
+    padding: {
+      sm: "8px",
+      md: "16px",
+      lg: "24px",
+      xl: "32px"
+    },
+    gap: {
+      sm: "8px",
+      md: "12px",
+      lg: "16px"
+    }
+  }
+};
+function getTheme(prefersDark) {
+  if (prefersDark !== void 0) {
+    return prefersDark ? darkTheme : lightTheme;
+  }
+  if (typeof window !== "undefined" && window.matchMedia) {
+    const isDarkMode = window.matchMedia("(prefers-color-scheme: dark)").matches;
+    return isDarkMode ? darkTheme : lightTheme;
+  }
+  return lightTheme;
+}
+function generateCSSVariables(theme) {
+  return `
+    --gw-background: ${theme.colors.background};
+    --gw-foreground: ${theme.colors.foreground};
+    --gw-card: ${theme.colors.card};
+    --gw-card-foreground: ${theme.colors.cardForeground};
+    --gw-primary: ${theme.colors.primary};
+    --gw-primary-foreground: ${theme.colors.primaryForeground};
+    --gw-secondary: ${theme.colors.secondary};
+    --gw-secondary-foreground: ${theme.colors.secondaryForeground};
+    --gw-muted: ${theme.colors.muted};
+    --gw-muted-foreground: ${theme.colors.mutedForeground};
+    --gw-accent: ${theme.colors.accent};
+    --gw-accent-foreground: ${theme.colors.accentForeground};
+    --gw-destructive: ${theme.colors.destructive};
+    --gw-destructive-foreground: ${theme.colors.destructiveForeground};
+    --gw-success: ${theme.colors.success};
+    --gw-success-foreground: ${theme.colors.successForeground};
+    --gw-border: ${theme.colors.border};
+    --gw-input: ${theme.colors.input};
+    --gw-ring: ${theme.colors.ring};
+  `.trim();
+}
+class WarningModal {
+  constructor(themeMode = "light", customStyles) {
+    this.modal = null;
+    this.legacyStyles = null;
+    this.updateInterval = null;
+    this.timeDisplay = null;
+    this.startTime = 0;
+    this.initialSeconds = 0;
+    this.onEndCallback = void 0;
+    const prefersDark = themeMode === "dark" || themeMode === "auto" && this.detectDarkMode();
+    this.theme = getTheme(prefersDark);
+    if (customStyles) {
+      this.legacyStyles = {
+        backgroundColor: customStyles.backgroundColor || "#ffffff",
+        textColor: customStyles.textColor || "#333333",
+        primaryColor: customStyles.primaryColor || "#007bff",
+        borderRadius: customStyles.borderRadius || "8px",
+        fontFamily: customStyles.fontFamily || '-apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif'
+      };
+    }
+  }
+  detectDarkMode() {
+    if (typeof window !== "undefined" && window.matchMedia) {
+      return window.matchMedia("(prefers-color-scheme: dark)").matches;
+    }
+    return false;
+  }
+  /**
+   * Show warning modal
+   */
+  show(options) {
+    this.hide();
+    this.modal = document.createElement("div");
+    this.modal.id = "gw-session-warning-modal";
+    this.modal.style.cssText = `
+      position: fixed;
+      top: 0;
+      left: 0;
+      width: 100%;
+      height: 100%;
+      background-color: rgba(0, 0, 0, 0.5);
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      z-index: 99999;
+      font-family: ${this.legacyStyles?.fontFamily || this.theme.typography.fontFamily};
+    `;
+    const content = document.createElement("div");
+    const bgColor = this.legacyStyles?.backgroundColor || this.theme.colors.card;
+    const textColor = this.legacyStyles?.textColor || this.theme.colors.cardForeground;
+    const borderRadius = this.legacyStyles?.borderRadius || this.theme.spacing.borderRadius.lg;
+    content.style.cssText = `
+      background-color: ${bgColor};
+      color: ${textColor};
+      border-radius: ${borderRadius};
+      padding: ${this.theme.spacing.padding.lg};
+      max-width: 400px;
+      width: 90%;
+      box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
+      border: 1px solid ${this.theme.colors.border};
+    `;
+    this.initialSeconds = options.remainingSeconds;
+    this.startTime = Date.now();
+    this.onEndCallback = options.onEnd;
+    const minutes = Math.floor(options.remainingSeconds / 60);
+    const seconds = options.remainingSeconds % 60;
+    content.innerHTML = `
+      <h2 style="margin: 0 0 ${this.theme.spacing.padding.md} 0; font-size: ${this.theme.typography.fontSize.xl}; font-weight: ${this.theme.typography.fontWeight.semibold}; color: ${textColor};">
+        ⏱️ Time Running Low
+      </h2>
+      <p style="margin: 0 0 ${this.theme.spacing.padding.lg} 0; font-size: ${this.theme.typography.fontSize.base}; line-height: ${this.theme.typography.lineHeight.normal}; color: ${this.theme.colors.mutedForeground};">
+        Your session will expire in <strong id="gw-time-display" style="color: ${textColor};">${minutes}:${seconds.toString().padStart(2, "0")}</strong>.
+      </p>
+      <div style="display: flex; gap: ${this.theme.spacing.gap.md}; justify-content: flex-end;">
+        <button id="gw-dismiss-btn" style="
+          padding: 10px 20px;
+          background-color: ${this.theme.colors.secondary};
+          color: ${this.theme.colors.secondaryForeground};
+          border: 1px solid ${this.theme.colors.border};
+          border-radius: ${this.theme.spacing.borderRadius.sm};
+          font-size: ${this.theme.typography.fontSize.sm};
+          font-weight: ${this.theme.typography.fontWeight.medium};
+          cursor: pointer;
+          transition: all 0.2s;
+          font-family: ${this.theme.typography.fontFamily};
+        ">
+          Continue
+        </button>
+        ${options.onExtend ? `<button id="gw-extend-btn" style="
+                padding: 10px 20px;
+                background-color: ${this.theme.colors.success};
+                color: ${this.theme.colors.successForeground};
+                border: none;
+                border-radius: ${this.theme.spacing.borderRadius.sm};
+                font-size: ${this.theme.typography.fontSize.sm};
+                font-weight: ${this.theme.typography.fontWeight.medium};
+                cursor: pointer;
+                transition: all 0.2s;
+                font-family: ${this.theme.typography.fontFamily};
+              ">
+                Extend Session
+              </button>` : ""}
+        ${options.onEnd ? `<button id="gw-end-btn" style="
+                padding: 10px 20px;
+                background-color: ${this.theme.colors.destructive};
+                color: ${this.theme.colors.destructiveForeground};
+                border: none;
+                border-radius: ${this.theme.spacing.borderRadius.sm};
+                font-size: ${this.theme.typography.fontSize.sm};
+                font-weight: ${this.theme.typography.fontWeight.medium};
+                cursor: pointer;
+                transition: all 0.2s;
+                font-family: ${this.theme.typography.fontFamily};
+              ">
+                End Session
+              </button>` : ""}
+      </div>
+    `;
+    this.modal.appendChild(content);
+    document.body.appendChild(this.modal);
+    const extendBtn = document.getElementById("gw-extend-btn");
+    if (extendBtn && options.onExtend) {
+      extendBtn.addEventListener("click", () => {
+        options.onExtend?.();
+        this.hide();
+      });
+    }
+    const dismissBtn = document.getElementById("gw-dismiss-btn");
+    if (dismissBtn) {
+      dismissBtn.addEventListener("click", () => {
+        this.hide();
+      });
+    }
+    const endBtn = document.getElementById("gw-end-btn");
+    if (endBtn && options.onEnd) {
+      endBtn.addEventListener("click", () => {
+        options.onEnd?.();
+      });
+    }
+    const buttons = content.querySelectorAll("button");
+    buttons.forEach((button) => {
+      button.addEventListener("mouseenter", () => {
+        button.style.opacity = "0.9";
+      });
+      button.addEventListener("mouseleave", () => {
+        button.style.opacity = "1";
+      });
+      button.addEventListener("focus", () => {
+        button.style.outline = `2px solid ${this.theme.colors.ring}`;
+        button.style.outlineOffset = "2px";
+      });
+      button.addEventListener("blur", () => {
+        button.style.outline = "none";
+      });
+    });
+    this.timeDisplay = document.getElementById("gw-time-display");
+    this.updateInterval = window.setInterval(() => {
+      const elapsed = Math.floor((Date.now() - this.startTime) / 1e3);
+      const remaining = Math.max(0, this.initialSeconds - elapsed);
+      const minutes2 = Math.floor(remaining / 60);
+      const seconds2 = remaining % 60;
+      if (this.timeDisplay) {
+        this.timeDisplay.textContent = `${minutes2}:${seconds2.toString().padStart(2, "0")}`;
+      }
+      if (remaining === 0) {
+        if (this.onEndCallback) {
+          this.onEndCallback();
+        }
+        this.hide();
+      }
+    }, 1e3);
+  }
+  /**
+   * Hide and remove modal
+   */
+  hide() {
+    if (this.updateInterval !== null) {
+      clearInterval(this.updateInterval);
+      this.updateInterval = null;
+    }
+    if (this.modal && this.modal.parentNode) {
+      this.modal.parentNode.removeChild(this.modal);
+      this.modal = null;
+      this.timeDisplay = null;
+    }
+  }
+  /**
+   * Check if modal is currently shown
+   */
+  isShown() {
+    return this.modal !== null;
+  }
+  /**
+   * Show "Session Ending" modal before redirect
+   * Displays for a fixed duration (3 seconds) then calls callback
+   */
+  showEndingMessage(onComplete, durationMs = 3e3) {
+    this.hide();
+    const bgColor = this.legacyStyles?.backgroundColor || this.theme.colors.card;
+    const textColor = this.legacyStyles?.textColor || this.theme.colors.cardForeground;
+    const borderRadius = this.legacyStyles?.borderRadius || this.theme.spacing.borderRadius.lg;
+    this.modal = document.createElement("div");
+    this.modal.id = "gw-session-ending-modal";
+    this.modal.style.cssText = `
+      position: fixed;
+      top: 0;
+      left: 0;
+      width: 100%;
+      height: 100%;
+      background-color: rgba(0, 0, 0, 0.5);
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      z-index: 99999;
+      font-family: ${this.legacyStyles?.fontFamily || this.theme.typography.fontFamily};
+      animation: fadeIn 0.2s ease-in;
+    `;
+    const content = document.createElement("div");
+    content.style.cssText = `
+      background-color: ${bgColor};
+      color: ${textColor};
+      border-radius: ${borderRadius};
+      padding: ${this.theme.spacing.padding.xl};
+      max-width: 400px;
+      width: 90%;
+      box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
+      text-align: center;
+      animation: slideIn 0.3s ease-out;
+      border: 1px solid ${this.theme.colors.border};
+    `;
+    content.innerHTML = `
+      <div style="font-size: 48px; margin-bottom: ${this.theme.spacing.padding.lg};">⏱️</div>
+      <h2 style="margin: 0 0 ${this.theme.spacing.padding.md} 0; font-size: ${this.theme.typography.fontSize["2xl"]}; font-weight: ${this.theme.typography.fontWeight.semibold}; color: ${this.theme.colors.destructive};">
+        Session Ending
+      </h2>
+      <p style="margin: 0 0 ${this.theme.spacing.padding.lg} 0; font-size: ${this.theme.typography.fontSize.base}; line-height: ${this.theme.typography.lineHeight.normal}; color: ${this.theme.colors.mutedForeground};">
+        Your session has expired.<br/>
+        Redirecting to marketplace...
+      </p>
+      <div style="
+        width: 100%;
+        height: 4px;
+        background: ${this.theme.colors.muted};
+        border-radius: ${this.theme.spacing.borderRadius.sm};
+        overflow: hidden;
+        margin-top: ${this.theme.spacing.padding.lg};
+      ">
+        <div id="gw-progress-bar" style="
+          width: 100%;
+          height: 100%;
+          background: linear-gradient(90deg, ${this.theme.colors.destructive}, ${this.theme.colors.primary});
+          animation: progressBar ${durationMs}ms linear forwards;
+        "></div>
+      </div>
+    `;
+    const style = document.createElement("style");
+    style.textContent = `
+      @keyframes fadeIn {
+        from { opacity: 0; }
+        to { opacity: 1; }
+      }
+      @keyframes slideIn {
+        from { transform: translateY(-20px); opacity: 0; }
+        to { transform: translateY(0); opacity: 1; }
+      }
+      @keyframes progressBar {
+        from { width: 100%; }
+        to { width: 0%; }
+      }
+    `;
+    document.head.appendChild(style);
+    this.modal.appendChild(content);
+    document.body.appendChild(this.modal);
+    setTimeout(() => {
+      this.hide();
+      onComplete();
+    }, durationMs);
+  }
+}
+function extractTokenFromURL(paramName = "jwt", url) {
+  try {
+    const targetUrl = url || (typeof window !== "undefined" ? window.location.href : "");
+    if (!targetUrl) {
+      return null;
+    }
+    const urlObj = new URL(targetUrl);
+    const token = urlObj.searchParams.get(paramName);
+    return token;
+  } catch (error) {
+    throw new SDKError(
+      `Failed to extract token from URL: ${error instanceof Error ? error.message : "Unknown error"}`,
+      "URL_PARSE_ERROR"
+    );
+  }
+}
+function isBrowser() {
+  return typeof window !== "undefined" && typeof window.document !== "undefined";
+}
+class MarketplaceSDK {
+  constructor(config) {
+    this.timer = null;
+    this.heartbeat = null;
+    this.tabSync = null;
+    this.modal = null;
+    this.events = {};
+    this.sessionData = null;
+    this.jwtToken = null;
+    this.endReason = "manual";
+    this.config = {
+      jwksUri: config.jwksUri || "https://api.generalwisdom.com/.well-known/jwks.json",
+      apiEndpoint: config.apiEndpoint || "http://localhost:3000",
+      debug: config.debug ?? false,
+      autoStart: config.autoStart ?? true,
+      warningThresholdSeconds: config.warningThresholdSeconds ?? 300,
+      customStyles: config.customStyles ?? {},
+      themeMode: config.themeMode ?? "light",
+      applicationId: config.applicationId ?? "",
+      marketplaceUrl: config.marketplaceUrl ?? "https://d3p2yqofgy75sz.cloudfront.net/",
+      // Phase 2 options
+      enableHeartbeat: config.enableHeartbeat ?? false,
+      heartbeatIntervalSeconds: config.heartbeatIntervalSeconds ?? 30,
+      enableTabSync: config.enableTabSync ?? false,
+      pauseOnHidden: config.pauseOnHidden ?? false,
+      useBackendValidation: config.useBackendValidation ?? false,
+      // Lifecycle hooks
+      hooks: config.hooks ?? {},
+      hookTimeoutMs: config.hookTimeoutMs ?? 5e3
+    };
+    this.validator = new JWKSValidator(this.config.jwksUri, this.config.debug);
+    this.logger = new Logger(this.config.debug, "[MarketplaceSDK]");
+    this.logger.info("SDK initialized with config:", {
+      jwksUri: this.config.jwksUri,
+      apiEndpoint: this.config.apiEndpoint,
+      enableHeartbeat: this.config.enableHeartbeat,
+      enableTabSync: this.config.enableTabSync,
+      pauseOnHidden: this.config.pauseOnHidden
+    });
+  }
+  /**
+   * Register event handlers
+   */
+  on(event, handler) {
+    this.events[event] = handler;
+    this.logger.log("Event handler registered:", event);
+  }
+  /**
+   * Execute a lifecycle hook with timeout
+   */
+  async executeHook(hookName, hook, context, isStrict = true) {
+    if (!hook) return;
+    this.logger.log(`Calling ${hookName} hook`);
+    const timeout = new Promise(
+      (_, reject) => setTimeout(
+        () => reject(new SDKError(`${hookName} hook timeout after ${this.config.hookTimeoutMs}ms`, "HOOK_TIMEOUT")),
+        this.config.hookTimeoutMs
+      )
+    );
+    try {
+      await Promise.race([
+        Promise.resolve(hook(context)),
+        timeout
+      ]);
+      this.logger.log(`${hookName} hook completed successfully`);
+    } catch (error) {
+      this.logger.error(`${hookName} hook failed:`, error);
+      if (isStrict) {
+        throw new SDKError(
+          `${hookName} hook failed: ${error instanceof Error ? error.message : "Unknown error"}`,
+          "HOOK_ERROR"
+        );
+      } else {
+        this.logger.warn(`${hookName} hook failed but continuing (lenient mode)`);
+      }
+    }
+  }
+  /**
+   * Calculate actual session duration in minutes
+   */
+  calculateActualDuration() {
+    if (!this.sessionData) return void 0;
+    const now = Math.floor(Date.now() / 1e3);
+    const durationSeconds = now - this.sessionData.startTime;
+    return Math.ceil(durationSeconds / 60);
+  }
+  /**
+   * Initialize SDK and validate session
+   */
+  async initialize() {
+    this.logger.info("Initializing session...");
+    try {
+      const JWT_STORAGE_KEY = "gw_marketplace_jwt";
+      this.jwtToken = extractTokenFromURL("jwt");
+      if (!this.jwtToken && typeof sessionStorage !== "undefined") {
+        this.jwtToken = sessionStorage.getItem(JWT_STORAGE_KEY);
+        if (this.jwtToken) {
+          this.logger.log("JWT token retrieved from storage");
+        }
+      }
+      if (!this.jwtToken) {
+        throw new SDKError(
+          "No jwt token found in URL or storage",
+          "MISSING_TOKEN"
+        );
+      }
+      if (typeof sessionStorage !== "undefined") {
+        sessionStorage.setItem(JWT_STORAGE_KEY, this.jwtToken);
+        this.logger.log("JWT token stored in sessionStorage");
+      }
+      this.logger.log("JWT token extracted from URL");
+      let verifiedClaims;
+      if (this.config.useBackendValidation) {
+        this.logger.log("Using backend validation");
+        verifiedClaims = await this.validateWithBackend(this.jwtToken);
+      } else {
+        this.logger.log("Using JWKS validation");
+        verifiedClaims = await this.validator.verify(
+          this.jwtToken,
+          "generalwisdom.com",
+          this.config.applicationId || void 0
+        );
+      }
+      this.logger.log("JWT verified successfully");
+      this.sessionData = {
+        sessionId: verifiedClaims.sessionId,
+        applicationId: verifiedClaims.applicationId,
+        userId: verifiedClaims.userId,
+        orgId: verifiedClaims.orgId,
+        startTime: verifiedClaims.startTime,
+        durationMinutes: verifiedClaims.durationMinutes,
+        iat: verifiedClaims.iat,
+        exp: verifiedClaims.exp,
+        iss: verifiedClaims.iss,
+        sub: verifiedClaims.sub
+      };
+      const now = Math.floor(Date.now() / 1e3);
+      const remainingSeconds = Math.max(0, this.sessionData.exp - now);
+      if (remainingSeconds <= 0) {
+        throw new SDKError(
+          "Session has already expired",
+          "SESSION_EXPIRED"
+        );
+      }
+      this.logger.log("Remaining time:", remainingSeconds, "seconds");
+      if (this.config.hooks?.onSessionStart) {
+        const startContext = {
+          sessionId: this.sessionData.sessionId,
+          userId: this.sessionData.userId,
+          email: verifiedClaims.email,
+          // May not be in all JWTs
+          orgId: this.sessionData.orgId,
+          applicationId: this.sessionData.applicationId,
+          durationMinutes: this.sessionData.durationMinutes,
+          expiresAt: this.sessionData.exp,
+          jwt: this.jwtToken
+        };
+        await this.executeHook("onSessionStart", this.config.hooks.onSessionStart, startContext, true);
+        this.logger.log("Application auth synchronized with marketplace session");
+      }
+      this.timer = new TimerManager(
+        remainingSeconds,
+        this.config.warningThresholdSeconds,
+        {
+          onSessionWarning: (data) => {
+            if (this.config.hooks?.onSessionWarning) {
+              const warningContext = {
+                sessionId: this.sessionData.sessionId,
+                userId: this.sessionData.userId,
+                remainingSeconds: data.remainingSeconds
+              };
+              this.executeHook("onSessionWarning", this.config.hooks.onSessionWarning, warningContext, false).catch((error) => this.logger.error("onSessionWarning hook failed:", error));
+            }
+            this.showWarningModal(data.remainingSeconds);
+            this.events.onSessionWarning?.(data);
+          },
+          onSessionEnd: () => {
+            this.endReason = "expired";
+            this.endSession();
+          }
+        },
+        this.config.debug
+      );
+      if (this.config.enableHeartbeat && this.jwtToken) {
+        this.heartbeat = new HeartbeatManager(
+          this.sessionData.sessionId,
+          this.config.apiEndpoint,
+          this.jwtToken,
+          (remainingSeconds2) => {
+            this.timer?.updateRemainingTime(remainingSeconds2);
+          },
+          (error) => {
+            this.logger.error("Heartbeat error:", error);
+            this.events.onError?.(error);
+          },
+          this.config.heartbeatIntervalSeconds,
+          this.config.debug
+        );
+      }
+      if (this.config.enableTabSync) {
+        this.tabSync = new TabSyncManager(
+          this.sessionData.sessionId,
+          (message2) => this.handleTabSyncMessage(message2),
+          this.config.debug
+        );
+      }
+      if (this.config.pauseOnHidden) {
+        this.initializeVisibilityHandling();
+      }
+      if (this.config.autoStart) {
+        this.timer.start();
+        this.logger.log("Timer started automatically");
+        if (this.config.enableHeartbeat && this.heartbeat) {
+          const isMaster = !this.tabSync || this.tabSync.isMasterTab();
+          if (isMaster) {
+            this.heartbeat.start();
+            this.logger.log("Heartbeat started (master tab)");
+          } else {
+            this.logger.log("Heartbeat not started (slave tab)");
+          }
+        }
+      }
+      this.events.onSessionStart?.(this.sessionData);
+      this.logger.info("Session initialized successfully");
+      return this.sessionData;
+    } catch (error) {
+      this.logger.error("Initialization failed:", error);
+      const sdkError = error instanceof SDKError ? error : new SDKError(
+        error instanceof Error ? error.message : "Unknown error",
+        "INITIALIZATION_ERROR"
+      );
+      this.events.onError?.(sdkError);
+      throw sdkError;
+    }
+  }
+  /**
+   * Phase 2: Validate JWT with backend
+   */
+  async validateWithBackend(token) {
+    const response = await fetch(
+      `${this.config.apiEndpoint}/sessions/validate`,
+      {
+        method: "POST",
+        headers: {
+          "Authorization": `Bearer ${token}`,
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({ session_jwt: token })
+      }
+    );
+    if (!response.ok) {
+      throw new SDKError(
+        "Backend validation failed",
+        "BACKEND_VALIDATION_FAILED",
+        response.status
+      );
+    }
+    const data = await response.json();
+    if (!data.valid) {
+      throw new SDKError(
+        data.error || "Session validation failed",
+        "SESSION_INVALID"
+      );
+    }
+    const decoded = JWTParser.decode(token);
+    return decoded;
+  }
+  /**
+   * Phase 2: Handle tab sync messages
+   */
+  handleTabSyncMessage(message2) {
+    this.logger.log("Tab sync message:", message2.type);
+    switch (message2.type) {
+      case "pause":
+        this.timer?.pause();
+        break;
+      case "resume":
+        this.timer?.resume();
+        break;
+      case "end":
+        this.endSession();
+        break;
+      case "timer_update":
+        if (message2.remainingSeconds !== void 0) {
+          this.timer?.updateRemainingTime(message2.remainingSeconds);
+        }
+        break;
+    }
+  }
+  /**
+   * Phase 2: Initialize Visibility API handling
+   */
+  initializeVisibilityHandling() {
+    document.addEventListener("visibilitychange", () => {
+      if (document.hidden) {
+        this.logger.log("Tab hidden, pausing timer");
+        this.pauseTimer();
+      } else {
+        this.logger.log("Tab visible, resuming timer");
+        this.resumeTimer();
+      }
+    });
+    this.logger.log("Visibility API handler initialized");
+  }
+  /**
+   * Start session timer manually
+   */
+  startTimer() {
+    if (!this.timer) {
+      throw new SDKError(
+        "SDK not initialized. Call initialize() first.",
+        "NOT_INITIALIZED"
+      );
+    }
+    this.timer.start();
+    this.tabSync?.broadcast("resume");
+    this.logger.info("Timer started manually");
+  }
+  /**
+   * Pause session timer
+   */
+  pauseTimer() {
+    this.timer?.pause();
+    this.tabSync?.broadcast("pause");
+    this.logger.info("Timer paused");
+  }
+  /**
+   * Resume session timer
+   */
+  resumeTimer() {
+    this.timer?.resume();
+    this.tabSync?.broadcast("resume");
+    this.logger.info("Timer resumed");
+  }
+  /**
+   * Phase 2: Extend session
+   */
+  async extendSession(additionalMinutes) {
+    if (!this.sessionData || !this.jwtToken) {
+      throw new SDKError("No active session", "NO_SESSION");
+    }
+    this.logger.info("Extending session by", additionalMinutes, "minutes");
+    try {
+      const response = await fetch(
+        `${this.config.apiEndpoint}/sessions/${this.sessionData.sessionId}/renew`,
+        {
+          method: "PUT",
+          headers: {
+            "Authorization": `Bearer ${this.jwtToken}`,
+            "Content-Type": "application/json"
+          },
+          body: JSON.stringify({
+            additional_minutes: additionalMinutes
+          })
+        }
+      );
+      if (!response.ok) {
+        throw new SDKError(
+          "Session extension failed",
+          "EXTENSION_FAILED",
+          response.status
+        );
+      }
+      const data = await response.json();
+      this.sessionData.exp = data.new_expires_at;
+      const now = Math.floor(Date.now() / 1e3);
+      const remainingSeconds = data.new_expires_at - now;
+      this.timer?.updateRemainingTime(remainingSeconds);
+      this.tabSync?.broadcast("timer_update", { remainingSeconds });
+      if (this.config.hooks?.onSessionExtend) {
+        const extendContext = {
+          sessionId: this.sessionData.sessionId,
+          userId: this.sessionData.userId,
+          additionalMinutes,
+          newExpiresAt: data.new_expires_at
+        };
+        await this.executeHook("onSessionExtend", this.config.hooks.onSessionExtend, extendContext, false);
+      }
+      this.logger.info("Session extended successfully");
+    } catch (error) {
+      this.logger.error("Failed to extend session:", error);
+      const sdkError = error instanceof SDKError ? error : new SDKError(
+        error instanceof Error ? error.message : "Extension failed",
+        "EXTENSION_ERROR"
+      );
+      this.events.onError?.(sdkError);
+      throw sdkError;
+    }
+  }
+  /**
+   * Phase 2: Complete session
+   */
+  async completeSession(actualUsageMinutes) {
+    if (!this.sessionData || !this.jwtToken) {
+      throw new SDKError("No active session", "NO_SESSION");
+    }
+    this.logger.info("Completing session...");
+    try {
+      const response = await fetch(
+        `${this.config.apiEndpoint}/sessions/${this.sessionData.sessionId}/complete`,
+        {
+          method: "POST",
+          headers: {
+            "Authorization": `Bearer ${this.jwtToken}`,
+            "Content-Type": "application/json"
+          },
+          body: JSON.stringify({
+            actual_usage_minutes: actualUsageMinutes,
+            metadata: {}
+          })
+        }
+      );
+      if (!response.ok) {
+        throw new SDKError(
+          "Session completion failed",
+          "COMPLETION_FAILED",
+          response.status
+        );
+      }
+      const data = await response.json();
+      this.logger.info("Session completed:", data);
+      this.endSession();
+    } catch (error) {
+      this.logger.error("Failed to complete session:", error);
+      const sdkError = error instanceof SDKError ? error : new SDKError(
+        error instanceof Error ? error.message : "Completion failed",
+        "COMPLETION_ERROR"
+      );
+      this.events.onError?.(sdkError);
+      throw sdkError;
+    }
+  }
+  /**
+   * End session
+   */
+  async endSession() {
+    this.logger.info("Ending session...");
+    const endContext = {
+      sessionId: this.sessionData?.sessionId || "",
+      userId: this.sessionData?.userId || "",
+      reason: this.endReason,
+      actualDurationMinutes: this.calculateActualDuration()
+    };
+    if (this.config.hooks?.onSessionEnd) {
+      try {
+        await this.executeHook("onSessionEnd", this.config.hooks.onSessionEnd, endContext, false);
+        this.logger.log("Application auth cleanup completed");
+      } catch (error) {
+        this.logger.error("onSessionEnd hook error (continuing anyway):", error);
+      }
+    }
+    this.timer?.stop();
+    this.heartbeat?.stop();
+    this.tabSync?.broadcast("end");
+    if (typeof sessionStorage !== "undefined") {
+      sessionStorage.removeItem("gw_marketplace_jwt");
+      this.logger.log("JWT token cleared from storage");
+    }
+    this.events.onSessionEnd?.();
+    this.logger.info("Session ended");
+    if (typeof window !== "undefined") {
+      if (!this.modal) {
+        this.modal = new WarningModal(
+          this.config.themeMode || "light",
+          this.config.customStyles
+        );
+      }
+      this.modal.showEndingMessage(() => {
+        window.location.href = this.config.marketplaceUrl;
+      }, 3e3);
+    }
+  }
+  /**
+   * Show warning modal
+   */
+  showWarningModal(remainingSeconds) {
+    if (!this.modal) {
+      this.modal = new WarningModal(
+        this.config.themeMode || "light",
+        this.config.customStyles
+      );
+    }
+    this.modal.show({
+      remainingSeconds,
+      onExtend: async () => {
+        try {
+          await this.extendSession(15);
+          this.modal?.hide();
+          this.logger.log("Session extended successfully from modal");
+        } catch (error) {
+          this.logger.error("Extension failed, redirecting to marketplace:", error);
+          const marketplaceUrl = `${this.config.marketplaceUrl}extend-session?sessionId=${this.sessionData?.sessionId}`;
+          if (typeof window !== "undefined") {
+            if (!this.modal) {
+              this.modal = new WarningModal(
+                this.config.themeMode || "light",
+                this.config.customStyles
+              );
+            }
+            this.modal.showEndingMessage(() => {
+              window.location.href = marketplaceUrl;
+            }, 3e3);
+          }
+        }
+      },
+      onEnd: () => {
+        this.endSession();
+      }
+    });
+  }
+  /**
+   * Get current session data
+   */
+  getSessionData() {
+    return this.sessionData;
+  }
+  /**
+   * Get remaining time
+   */
+  getRemainingTime() {
+    return this.timer?.getRemainingSeconds() ?? 0;
+  }
+  /**
+   * Get formatted time (MM:SS)
+   */
+  getFormattedTime() {
+    return this.timer?.getFormattedTime() ?? "0:00";
+  }
+  /**
+   * Get formatted time with hours (HH:MM:SS)
+   */
+  getFormattedTimeWithHours() {
+    return this.timer?.getFormattedTimeWithHours() ?? "0:00:00";
+  }
+  /**
+   * Check if timer is running
+   */
+  isTimerRunning() {
+    return this.timer?.isRunning() ?? false;
+  }
+  /**
+   * Cleanup and destroy SDK instance
+   */
+  destroy() {
+    this.logger.info("Destroying SDK instance...");
+    this.timer?.stop();
+    this.heartbeat?.stop();
+    this.tabSync?.destroy();
+    this.modal?.hide();
+    if (typeof sessionStorage !== "undefined") {
+      sessionStorage.removeItem("gw_marketplace_jwt");
+      this.logger.log("JWT token cleared from storage");
+    }
+    this.sessionData = null;
+    this.jwtToken = null;
+  }
+}
+class SessionHeader {
+  constructor(themeMode = "auto") {
+    this.container = null;
+    this.updateInterval = null;
+    this.timeDisplay = null;
+    this.mounted = false;
+    const prefersDark = themeMode === "dark" || themeMode === "auto" && this.detectDarkMode();
+    this.theme = getTheme(prefersDark);
+  }
+  detectDarkMode() {
+    if (typeof window !== "undefined" && window.matchMedia) {
+      return window.matchMedia("(prefers-color-scheme: dark)").matches;
+    }
+    return false;
+  }
+  /**
+   * Mount the session header to a DOM element
+   * @param targetElement - Element to mount to (or selector string)
+   * @param options - Configuration options
+   */
+  mount(targetElement, options) {
+    if (this.mounted) {
+      this.unmount();
+    }
+    const target = typeof targetElement === "string" ? document.querySelector(targetElement) : targetElement;
+    if (!target) {
+      console.error("[SessionHeader] Mount target not found");
+      return;
+    }
+    this.getTimeCallback = options.getTime;
+    this.onExtendCallback = options.onExtend;
+    this.onEndCallback = options.onEnd;
+    this.container = document.createElement("div");
+    this.container.id = "gw-session-header";
+    const position = options.position || "right";
+    const justifyContent = position === "left" ? "flex-start" : position === "center" ? "center" : "flex-end";
+    this.container.style.cssText = `
+      display: flex;
+      align-items: center;
+      justify-content: ${justifyContent};
+      gap: ${this.theme.spacing.gap.md};
+      padding: ${this.theme.spacing.padding.sm} ${this.theme.spacing.padding.md};
+      background-color: ${this.theme.colors.card};
+      border: 1px solid ${this.theme.colors.border};
+      border-radius: ${this.theme.spacing.borderRadius.md};
+      font-family: ${this.theme.typography.fontFamily};
+      box-shadow: 0 1px 3px rgba(0, 0, 0, 0.1);
+    `;
+    const timerWrapper = document.createElement("div");
+    timerWrapper.style.cssText = `
+      display: flex;
+      align-items: center;
+      gap: ${this.theme.spacing.gap.sm};
+      color: ${this.theme.colors.foreground};
+      font-size: ${this.theme.typography.fontSize.sm};
+      font-weight: ${this.theme.typography.fontWeight.medium};
+    `;
+    const clockIcon = document.createElement("span");
+    clockIcon.textContent = "⏱️";
+    clockIcon.style.fontSize = this.theme.typography.fontSize.base;
+    this.timeDisplay = document.createElement("span");
+    this.timeDisplay.id = "gw-session-time";
+    this.timeDisplay.textContent = this.getTimeCallback?.() || "--:--";
+    this.timeDisplay.style.cssText = `
+      font-variant-numeric: tabular-nums;
+      min-width: 50px;
+      text-align: center;
+    `;
+    timerWrapper.appendChild(clockIcon);
+    timerWrapper.appendChild(this.timeDisplay);
+    this.container.appendChild(timerWrapper);
+    const buttonContainer = document.createElement("div");
+    buttonContainer.style.cssText = `
+      display: flex;
+      gap: ${this.theme.spacing.gap.sm};
+    `;
+    if (this.onExtendCallback) {
+      const extendBtn = document.createElement("button");
+      extendBtn.textContent = "Extend";
+      extendBtn.style.cssText = `
+        padding: ${this.theme.spacing.padding.sm};
+        background-color: ${this.theme.colors.success};
+        color: ${this.theme.colors.successForeground};
+        border: none;
+        border-radius: ${this.theme.spacing.borderRadius.sm};
+        font-size: ${this.theme.typography.fontSize.sm};
+        font-weight: ${this.theme.typography.fontWeight.medium};
+        font-family: ${this.theme.typography.fontFamily};
+        cursor: pointer;
+        transition: opacity 0.2s;
+      `;
+      extendBtn.addEventListener("mouseenter", () => {
+        extendBtn.style.opacity = "0.9";
+      });
+      extendBtn.addEventListener("mouseleave", () => {
+        extendBtn.style.opacity = "1";
+      });
+      extendBtn.addEventListener("click", () => {
+        this.onExtendCallback?.();
+      });
+      buttonContainer.appendChild(extendBtn);
+    }
+    if (this.onEndCallback) {
+      const endBtn = document.createElement("button");
+      endBtn.textContent = "End";
+      endBtn.style.cssText = `
+        padding: ${this.theme.spacing.padding.sm};
+        background-color: ${this.theme.colors.secondary};
+        color: ${this.theme.colors.secondaryForeground};
+        border: 1px solid ${this.theme.colors.border};
+        border-radius: ${this.theme.spacing.borderRadius.sm};
+        font-size: ${this.theme.typography.fontSize.sm};
+        font-weight: ${this.theme.typography.fontWeight.medium};
+        font-family: ${this.theme.typography.fontFamily};
+        cursor: pointer;
+        transition: opacity 0.2s;
+      `;
+      endBtn.addEventListener("mouseenter", () => {
+        endBtn.style.opacity = "0.9";
+      });
+      endBtn.addEventListener("mouseleave", () => {
+        endBtn.style.opacity = "1";
+      });
+      endBtn.addEventListener("click", () => {
+        this.onEndCallback?.();
+      });
+      buttonContainer.appendChild(endBtn);
+    }
+    if (buttonContainer.children.length > 0) {
+      this.container.appendChild(buttonContainer);
+    }
+    target.appendChild(this.container);
+    this.mounted = true;
+    this.startUpdating();
+  }
+  /**
+   * Start updating the time display
+   */
+  startUpdating() {
+    if (this.updateInterval) {
+      clearInterval(this.updateInterval);
+    }
+    this.updateInterval = window.setInterval(() => {
+      if (this.timeDisplay && this.getTimeCallback) {
+        const newTime = this.getTimeCallback();
+        this.timeDisplay.textContent = newTime;
+        const [minutes] = newTime.split(":").map(Number);
+        if (!isNaN(minutes) && minutes < 5) {
+          this.timeDisplay.style.color = this.theme.colors.destructive;
+          this.timeDisplay.style.fontWeight = this.theme.typography.fontWeight.bold;
+        } else {
+          this.timeDisplay.style.color = this.theme.colors.foreground;
+          this.timeDisplay.style.fontWeight = this.theme.typography.fontWeight.medium;
+        }
+      }
+    }, 1e3);
+  }
+  /**
+   * Unmount and cleanup the session header
+   */
+  unmount() {
+    if (this.updateInterval) {
+      clearInterval(this.updateInterval);
+      this.updateInterval = null;
+    }
+    if (this.container && this.container.parentNode) {
+      this.container.parentNode.removeChild(this.container);
+    }
+    this.container = null;
+    this.timeDisplay = null;
+    this.mounted = false;
+  }
+  /**
+   * Check if component is mounted
+   */
+  isMounted() {
+    return this.mounted;
+  }
+  /**
+   * Update the theme
+   */
+  updateTheme(themeMode) {
+    const prefersDark = themeMode === "dark" || themeMode === "auto" && this.detectDarkMode();
+    this.theme = getTheme(prefersDark);
+    if (this.mounted && this.container && this.container.parentElement) {
+      const parent = this.container.parentElement;
+      const options = {
+        getTime: this.getTimeCallback,
+        onExtend: this.onExtendCallback,
+        onEnd: this.onEndCallback
+      };
+      this.unmount();
+      this.mount(parent, options);
+    }
+  }
+}
+export {
+  HeartbeatManager,
+  JWKSValidator,
+  JWTParser,
+  Logger,
+  MarketplaceSDK,
+  SDKError,
+  SessionHeader,
+  TabSyncManager,
+  TimerManager,
+  WarningModal,
+  darkTheme,
+  MarketplaceSDK as default,
+  extractTokenFromURL,
+  generateCSSVariables,
+  getTheme,
+  isBrowser,
+  lightTheme
+};
+//# sourceMappingURL=marketplace-sdk.es.js.map