@nauth-toolkit/client 0.1.50 → 0.1.53

package/dist/angular/index.cjs

@@ -1,2402 +0,0 @@
-"use strict";
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from2, except, desc) => {
-  if (from2 && typeof from2 === "object" || typeof from2 === "function") {
-    for (let key of __getOwnPropNames(from2))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from2[key], enumerable: !(desc = __getOwnPropDesc(from2, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
-
-// tmp/ngc/angular/angular/index.js
-var index_exports = {};
-__export(index_exports, {
-  AngularHttpAdapter: () => AngularHttpAdapter,
-  AuthGuard: () => AuthGuard,
-  AuthInterceptor: () => AuthInterceptor,
-  AuthService: () => AuthService,
-  NAUTH_CLIENT_CONFIG: () => NAUTH_CLIENT_CONFIG,
-  NAuthModule: () => NAuthModule,
-  authGuard: () => authGuard,
-  authInterceptor: () => authInterceptor,
-  socialRedirectCallbackGuard: () => socialRedirectCallbackGuard
-});
-module.exports = __toCommonJS(index_exports);
-
-// tmp/ngc/angular/angular/tokens.js
-var import_core = require("@angular/core");
-var NAUTH_CLIENT_CONFIG = new import_core.InjectionToken("NAUTH_CLIENT_CONFIG");
-
-// tmp/ngc/angular/angular/auth.service.js
-var import_core3 = require("@angular/core");
-var import_rxjs2 = require("rxjs");
-var import_operators = require("rxjs/operators");
-
-// tmp/ngc/angular/angular/http-adapter.js
-var import_core2 = require("@angular/core");
-var import_http = require("@angular/common/http");
-var import_rxjs = require("rxjs");
-
-// tmp/ngc/angular/core/errors.js
-var _NAuthClientError = class _NAuthClientError extends Error {
-  /**
-   * Create a new client error.
-   *
-   * @param code - Error code from NAuthErrorCode enum
-   * @param message - Human-readable error message
-   * @param options - Optional metadata including details, statusCode, timestamp, and network error flag
-   */
-  constructor(code, message, options) {
-    super(message);
-    __publicField(this, "code");
-    __publicField(this, "details");
-    __publicField(this, "statusCode");
-    __publicField(this, "timestamp");
-    __publicField(this, "isNetworkError");
-    this.code = code;
-    this.details = options?.details;
-    this.statusCode = options?.statusCode;
-    this.timestamp = options?.timestamp || (/* @__PURE__ */ new Date()).toISOString();
-    this.isNetworkError = options?.isNetworkError ?? false;
-    this.name = "NAuthClientError";
-    Object.setPrototypeOf(this, _NAuthClientError.prototype);
-  }
-  /**
-   * Check if error matches a specific error code.
-   *
-   * @param code - Error code to check against
-   * @returns True if the error code matches
-   *
-   * @example
-   * ```typescript
-   * if (error.isCode(NAuthErrorCode.RATE_LIMIT_SMS)) {
-   *   // Handle SMS rate limit
-   * }
-   * ```
-   */
-  isCode(code) {
-    return this.code === code;
-  }
-  /**
-   * Get error details/metadata.
-   *
-   * @returns Error details object or undefined
-   *
-   * @example
-   * ```typescript
-   * const details = error.getDetails();
-   * if (details?.retryAfter) {
-   *   console.log(`Retry after ${details.retryAfter} seconds`);
-   * }
-   * ```
-   */
-  getDetails() {
-    return this.details;
-  }
-  /**
-   * Get the error code.
-   *
-   * @returns The error code enum value
-   */
-  getCode() {
-    return this.code;
-  }
-  /**
-   * Serialize error to JSON object.
-   *
-   * @returns Plain object representation
-   *
-   * @example
-   * ```typescript
-   * const errorJson = error.toJSON();
-   * // { code: 'AUTH_INVALID_CREDENTIALS', message: '...', timestamp: '...', details: {...} }
-   * ```
-   */
-  toJSON() {
-    return {
-      code: this.code,
-      message: this.message,
-      timestamp: this.timestamp,
-      details: this.details,
-      statusCode: this.statusCode
-    };
-  }
-};
-__name(_NAuthClientError, "NAuthClientError");
-var NAuthClientError = _NAuthClientError;
-
-// tmp/ngc/angular/types/error.types.js
-var NAuthErrorCode;
-(function(NAuthErrorCode2) {
-  NAuthErrorCode2["AUTH_INVALID_CREDENTIALS"] = "AUTH_INVALID_CREDENTIALS";
-  NAuthErrorCode2["AUTH_ACCOUNT_LOCKED"] = "AUTH_ACCOUNT_LOCKED";
-  NAuthErrorCode2["AUTH_ACCOUNT_INACTIVE"] = "AUTH_ACCOUNT_INACTIVE";
-  NAuthErrorCode2["AUTH_TOKEN_EXPIRED"] = "AUTH_TOKEN_EXPIRED";
-  NAuthErrorCode2["AUTH_TOKEN_INVALID"] = "AUTH_TOKEN_INVALID";
-  NAuthErrorCode2["AUTH_BEARER_NOT_ALLOWED"] = "AUTH_BEARER_NOT_ALLOWED";
-  NAuthErrorCode2["AUTH_COOKIES_NOT_ALLOWED"] = "AUTH_COOKIES_NOT_ALLOWED";
-  NAuthErrorCode2["AUTH_CSRF_TOKEN_INVALID"] = "AUTH_CSRF_TOKEN_INVALID";
-  NAuthErrorCode2["AUTH_CSRF_TOKEN_MISSING"] = "AUTH_CSRF_TOKEN_MISSING";
-  NAuthErrorCode2["AUTH_TOKEN_REUSE_DETECTED"] = "AUTH_TOKEN_REUSE_DETECTED";
-  NAuthErrorCode2["AUTH_SESSION_NOT_FOUND"] = "AUTH_SESSION_NOT_FOUND";
-  NAuthErrorCode2["AUTH_SESSION_EXPIRED"] = "AUTH_SESSION_EXPIRED";
-  NAuthErrorCode2["SIGNUP_DISABLED"] = "SIGNUP_DISABLED";
-  NAuthErrorCode2["SIGNUP_EMAIL_EXISTS"] = "SIGNUP_EMAIL_EXISTS";
-  NAuthErrorCode2["SIGNUP_USERNAME_EXISTS"] = "SIGNUP_USERNAME_EXISTS";
-  NAuthErrorCode2["SIGNUP_PHONE_EXISTS"] = "SIGNUP_PHONE_EXISTS";
-  NAuthErrorCode2["SIGNUP_WEAK_PASSWORD"] = "SIGNUP_WEAK_PASSWORD";
-  NAuthErrorCode2["SIGNUP_PHONE_REQUIRED"] = "SIGNUP_PHONE_REQUIRED";
-  NAuthErrorCode2["SIGNUP_NOT_ALLOWED"] = "SIGNUP_NOT_ALLOWED";
-  NAuthErrorCode2["VERIFY_CODE_INVALID"] = "VERIFY_CODE_INVALID";
-  NAuthErrorCode2["VERIFY_CODE_EXPIRED"] = "VERIFY_CODE_EXPIRED";
-  NAuthErrorCode2["VERIFY_TOO_MANY_ATTEMPTS"] = "VERIFY_TOO_MANY_ATTEMPTS";
-  NAuthErrorCode2["VERIFY_ALREADY_VERIFIED"] = "VERIFY_ALREADY_VERIFIED";
-  NAuthErrorCode2["MFA_SETUP_REQUIRED"] = "MFA_SETUP_REQUIRED";
-  NAuthErrorCode2["RATE_LIMIT_SMS"] = "RATE_LIMIT_SMS";
-  NAuthErrorCode2["RATE_LIMIT_EMAIL"] = "RATE_LIMIT_EMAIL";
-  NAuthErrorCode2["RATE_LIMIT_LOGIN"] = "RATE_LIMIT_LOGIN";
-  NAuthErrorCode2["RATE_LIMIT_RESEND"] = "RATE_LIMIT_RESEND";
-  NAuthErrorCode2["SOCIAL_TOKEN_INVALID"] = "SOCIAL_TOKEN_INVALID";
-  NAuthErrorCode2["SOCIAL_ACCOUNT_LINKED"] = "SOCIAL_ACCOUNT_LINKED";
-  NAuthErrorCode2["SOCIAL_CONFIG_MISSING"] = "SOCIAL_CONFIG_MISSING";
-  NAuthErrorCode2["SOCIAL_EMAIL_REQUIRED"] = "SOCIAL_EMAIL_REQUIRED";
-  NAuthErrorCode2["SOCIAL_ACCOUNT_NOT_FOUND"] = "SOCIAL_ACCOUNT_NOT_FOUND";
-  NAuthErrorCode2["CHALLENGE_EXPIRED"] = "CHALLENGE_EXPIRED";
-  NAuthErrorCode2["CHALLENGE_INVALID"] = "CHALLENGE_INVALID";
-  NAuthErrorCode2["CHALLENGE_TYPE_MISMATCH"] = "CHALLENGE_TYPE_MISMATCH";
-  NAuthErrorCode2["CHALLENGE_MAX_ATTEMPTS"] = "CHALLENGE_MAX_ATTEMPTS";
-  NAuthErrorCode2["CHALLENGE_ALREADY_COMPLETED"] = "CHALLENGE_ALREADY_COMPLETED";
-  NAuthErrorCode2["VALIDATION_FAILED"] = "VALIDATION_FAILED";
-  NAuthErrorCode2["VALIDATION_INVALID_PHONE"] = "VALIDATION_INVALID_PHONE";
-  NAuthErrorCode2["VALIDATION_INVALID_EMAIL"] = "VALIDATION_INVALID_EMAIL";
-  NAuthErrorCode2["VALIDATION_INVALID_PASSWORD"] = "VALIDATION_INVALID_PASSWORD";
-  NAuthErrorCode2["PASSWORD_INCORRECT"] = "PASSWORD_INCORRECT";
-  NAuthErrorCode2["PASSWORD_REUSED"] = "PASSWORD_REUSED";
-  NAuthErrorCode2["PASSWORD_CHANGE_NOT_ALLOWED"] = "PASSWORD_CHANGE_NOT_ALLOWED";
-  NAuthErrorCode2["WEAK_PASSWORD"] = "SIGNUP_WEAK_PASSWORD";
-  NAuthErrorCode2["PASSWORD_RESET_CODE_INVALID"] = "PASSWORD_RESET_CODE_INVALID";
-  NAuthErrorCode2["PASSWORD_RESET_CODE_EXPIRED"] = "PASSWORD_RESET_CODE_EXPIRED";
-  NAuthErrorCode2["PASSWORD_RESET_MAX_ATTEMPTS"] = "PASSWORD_RESET_MAX_ATTEMPTS";
-  NAuthErrorCode2["RATE_LIMIT_PASSWORD_RESET"] = "RATE_LIMIT_PASSWORD_RESET";
-  NAuthErrorCode2["SIGNIN_BLOCKED_HIGH_RISK"] = "SIGNIN_BLOCKED_HIGH_RISK";
-  NAuthErrorCode2["RESOURCE_NOT_FOUND"] = "RESOURCE_NOT_FOUND";
-  NAuthErrorCode2["FORBIDDEN"] = "FORBIDDEN";
-  NAuthErrorCode2["INTERNAL_ERROR"] = "INTERNAL_ERROR";
-  NAuthErrorCode2["SERVICE_UNAVAILABLE"] = "SERVICE_UNAVAILABLE";
-})(NAuthErrorCode || (NAuthErrorCode = {}));
-
-// tmp/ngc/angular/angular/http-adapter.js
-var i0 = __toESM(require("@angular/core"));
-var _AngularHttpAdapter = class _AngularHttpAdapter {
-  constructor() {
-    __publicField(this, "http", (0, import_core2.inject)(import_http.HttpClient));
-  }
-  /**
-   * Execute HTTP request using Angular's HttpClient.
-   *
-   * @param config - Request configuration
-   * @returns Response with parsed data
-   * @throws NAuthClientError if request fails
-   */
-  async request(config) {
-    try {
-      const data = await (0, import_rxjs.firstValueFrom)(this.http.request(config.method, config.url, {
-        body: config.body,
-        headers: config.headers,
-        withCredentials: config.credentials === "include",
-        observe: "body"
-        // Only return body data
-      }));
-      return {
-        data,
-        status: 200,
-        // HttpClient only returns data on success
-        headers: {}
-        // Can extract from observe: 'response' if needed
-      };
-    } catch (error) {
-      if (error instanceof import_http.HttpErrorResponse) {
-        const errorData = error.error || {};
-        const code = typeof errorData["code"] === "string" ? errorData.code : NAuthErrorCode.INTERNAL_ERROR;
-        const message = typeof errorData["message"] === "string" ? errorData.message : error.message || `Request failed with status ${error.status}`;
-        const timestamp = typeof errorData["timestamp"] === "string" ? errorData.timestamp : void 0;
-        const details = errorData["details"];
-        throw new NAuthClientError(code, message, {
-          statusCode: error.status,
-          timestamp,
-          details,
-          isNetworkError: error.status === 0
-          // Network error (no response from server)
-        });
-      }
-      throw error;
-    }
-  }
-};
-__name(_AngularHttpAdapter, "AngularHttpAdapter");
-__publicField(_AngularHttpAdapter, "\u0275fac", i0.\u0275\u0275ngDeclareFactory({ minVersion: "12.0.0", version: "21.0.5", ngImport: i0, type: _AngularHttpAdapter, deps: [], target: i0.\u0275\u0275FactoryTarget.Injectable }));
-__publicField(_AngularHttpAdapter, "\u0275prov", i0.\u0275\u0275ngDeclareInjectable({ minVersion: "12.0.0", version: "21.0.5", ngImport: i0, type: _AngularHttpAdapter, providedIn: "root" }));
-var AngularHttpAdapter = _AngularHttpAdapter;
-i0.\u0275\u0275ngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.0.5", ngImport: i0, type: AngularHttpAdapter, decorators: [{
-  type: import_core2.Injectable,
-  args: [{ providedIn: "root" }]
-}] });
-
-// tmp/ngc/angular/core/config.js
-var defaultEndpoints = {
-  login: "/login",
-  signup: "/signup",
-  logout: "/logout",
-  logoutAll: "/logout/all",
-  refresh: "/refresh",
-  respondChallenge: "/respond-challenge",
-  resendCode: "/challenge/resend",
-  getSetupData: "/challenge/setup-data",
-  getChallengeData: "/challenge/challenge-data",
-  profile: "/profile",
-  changePassword: "/change-password",
-  requestPasswordChange: "/request-password-change",
-  forgotPassword: "/forgot-password",
-  confirmForgotPassword: "/forgot-password/confirm",
-  mfaStatus: "/mfa/status",
-  mfaDevices: "/mfa/devices",
-  mfaSetupData: "/mfa/setup-data",
-  mfaVerifySetup: "/mfa/verify-setup",
-  mfaRemove: "/mfa/method",
-  mfaPreferred: "/mfa/preferred-method",
-  mfaBackupCodes: "/mfa/backup-codes/generate",
-  mfaExemption: "/mfa/exemption",
-  socialLinked: "/social/linked",
-  socialLink: "/social/link",
-  socialUnlink: "/social/unlink",
-  socialVerify: "/social/:provider/verify",
-  socialRedirectStart: "/social/:provider/redirect",
-  socialExchange: "/social/exchange",
-  trustDevice: "/trust-device",
-  isTrustedDevice: "/is-trusted-device",
-  auditHistory: "/audit/history",
-  updateProfile: "/profile"
-};
-var resolveConfig = /* @__PURE__ */ __name((config, defaultAdapter) => {
-  const resolvedEndpoints = {
-    ...defaultEndpoints,
-    ...config.endpoints ?? {}
-  };
-  return {
-    ...config,
-    csrf: {
-      cookieName: config.csrf?.cookieName ?? "nauth_csrf_token",
-      headerName: config.csrf?.headerName ?? "x-csrf-token"
-    },
-    deviceTrust: {
-      headerName: config.deviceTrust?.headerName ?? "X-Device-Token",
-      storageKey: config.deviceTrust?.storageKey ?? "nauth_device_token"
-    },
-    headers: config.headers ?? {},
-    timeout: config.timeout ?? 3e4,
-    endpoints: resolvedEndpoints,
-    storage: config.storage,
-    httpAdapter: config.httpAdapter ?? defaultAdapter
-  };
-}, "resolveConfig");
-
-// tmp/ngc/angular/core/refresh.js
-var ACCESS_TOKEN_KEY = "nauth_access_token";
-var REFRESH_TOKEN_KEY = "nauth_refresh_token";
-var ACCESS_EXPIRES_AT_KEY = "nauth_access_token_expires_at";
-var REFRESH_EXPIRES_AT_KEY = "nauth_refresh_token_expires_at";
-var USER_KEY = "nauth_user";
-var CHALLENGE_KEY = "nauth_challenge_session";
-var _TokenManager = class _TokenManager {
-  /**
-   * @param storage - storage adapter
-   */
-  constructor(storage) {
-    __publicField(this, "storage");
-    __publicField(this, "refreshPromise", null);
-    __publicField(this, "isBrowser", typeof window !== "undefined");
-    this.storage = storage;
-  }
-  /**
-   * Load tokens from storage.
-   */
-  async getTokens() {
-    const [accessToken, refreshToken, accessExpRaw, refreshExpRaw] = await Promise.all([
-      this.storage.getItem(ACCESS_TOKEN_KEY),
-      this.storage.getItem(REFRESH_TOKEN_KEY),
-      this.storage.getItem(ACCESS_EXPIRES_AT_KEY),
-      this.storage.getItem(REFRESH_EXPIRES_AT_KEY)
-    ]);
-    return {
-      accessToken,
-      refreshToken,
-      accessTokenExpiresAt: accessExpRaw ? Number(accessExpRaw) : null,
-      refreshTokenExpiresAt: refreshExpRaw ? Number(refreshExpRaw) : null
-    };
-  }
-  /**
-   * Persist tokens.
-   *
-   * @param tokens - new token pair
-   */
-  async setTokens(tokens) {
-    await Promise.all([
-      this.storage.setItem(ACCESS_TOKEN_KEY, tokens.accessToken),
-      this.storage.setItem(REFRESH_TOKEN_KEY, tokens.refreshToken),
-      this.storage.setItem(ACCESS_EXPIRES_AT_KEY, tokens.accessTokenExpiresAt.toString()),
-      this.storage.setItem(REFRESH_EXPIRES_AT_KEY, tokens.refreshTokenExpiresAt.toString())
-    ]);
-    this.broadcastStorage();
-  }
-  /**
-   * Clear tokens and related auth state.
-   */
-  async clearTokens() {
-    await Promise.all([
-      this.storage.removeItem(ACCESS_TOKEN_KEY),
-      this.storage.removeItem(REFRESH_TOKEN_KEY),
-      this.storage.removeItem(ACCESS_EXPIRES_AT_KEY),
-      this.storage.removeItem(REFRESH_EXPIRES_AT_KEY),
-      this.storage.removeItem(USER_KEY),
-      this.storage.removeItem(CHALLENGE_KEY)
-    ]);
-    this.broadcastStorage();
-  }
-  /**
-   * Ensure only one refresh in flight.
-   *
-   * @param refreshFn - function performing refresh request
-   */
-  async refreshOnce(refreshFn) {
-    if (!this.refreshPromise) {
-      this.refreshPromise = refreshFn().then(async (tokens) => {
-        await this.setTokens(tokens);
-        return tokens;
-      }).catch((error) => {
-        throw error;
-      }).finally(() => {
-        this.refreshPromise = null;
-      });
-    }
-    return this.refreshPromise;
-  }
-  /**
-   * Validate that a refresh token exists before attempting refresh.
-   */
-  async assertHasRefreshToken() {
-    const state = await this.getTokens();
-    if (!state.refreshToken) {
-      throw new NAuthClientError(NAuthErrorCode.AUTH_SESSION_NOT_FOUND, "No refresh token available");
-    }
-  }
-  /**
-   * Broadcast a no-op write to trigger storage listeners in other tabs.
-   */
-  broadcastStorage() {
-    if (!this.isBrowser)
-      return;
-    try {
-      window.localStorage.setItem("nauth_sync", Date.now().toString());
-    } catch {
-    }
-  }
-};
-__name(_TokenManager, "TokenManager");
-var TokenManager = _TokenManager;
-
-// tmp/ngc/angular/storage/browser.js
-var _BrowserStorage = class _BrowserStorage {
-  /**
-   * Create a browser storage adapter.
-   *
-   * @param storage - Storage implementation (localStorage by default)
-   */
-  constructor(storage = window.localStorage) {
-    __publicField(this, "storage");
-    this.storage = storage;
-  }
-  async getItem(key) {
-    return this.storage.getItem(key);
-  }
-  async setItem(key, value) {
-    this.storage.setItem(key, value);
-  }
-  async removeItem(key) {
-    this.storage.removeItem(key);
-  }
-  async clear() {
-    this.storage.clear();
-  }
-};
-__name(_BrowserStorage, "BrowserStorage");
-var BrowserStorage = _BrowserStorage;
-
-// tmp/ngc/angular/storage/memory.js
-var _InMemoryStorage = class _InMemoryStorage {
-  constructor() {
-    __publicField(this, "store", /* @__PURE__ */ new Map());
-  }
-  async getItem(key) {
-    return this.store.has(key) ? this.store.get(key) : null;
-  }
-  async setItem(key, value) {
-    this.store.set(key, value);
-  }
-  async removeItem(key) {
-    this.store.delete(key);
-  }
-  async clear() {
-    this.store.clear();
-  }
-};
-__name(_InMemoryStorage, "InMemoryStorage");
-var InMemoryStorage = _InMemoryStorage;
-
-// tmp/ngc/angular/core/events.js
-var _EventEmitter = class _EventEmitter {
-  constructor() {
-    __publicField(this, "listeners", /* @__PURE__ */ new Map());
-  }
-  /**
-   * Subscribe to an authentication event
-   *
-   * @param event - Event type or '*' for all events
-   * @param listener - Callback function
-   * @returns Unsubscribe function
-   *
-   * @example
-   * ```typescript
-   * const unsubscribe = emitter.on('auth:success', (event) => {
-   *   console.log('User logged in:', event.data);
-   * });
-   *
-   * // Later
-   * unsubscribe();
-   * ```
-   */
-  on(event, listener) {
-    if (!this.listeners.has(event)) {
-      this.listeners.set(event, /* @__PURE__ */ new Set());
-    }
-    this.listeners.get(event).add(listener);
-    return () => this.off(event, listener);
-  }
-  /**
-   * Unsubscribe from an authentication event
-   *
-   * @param event - Event type or '*'
-   * @param listener - Callback function to remove
-   */
-  off(event, listener) {
-    this.listeners.get(event)?.delete(listener);
-  }
-  /**
-   * Emit an authentication event
-   *
-   * Notifies all listeners for the specific event type and wildcard listeners.
-   *
-   * @param event - Event to emit
-   * @internal
-   */
-  emit(event) {
-    const specificListeners = this.listeners.get(event.type);
-    const wildcardListeners = this.listeners.get("*");
-    specificListeners?.forEach((listener) => {
-      try {
-        listener(event);
-      } catch (error) {
-        console.error(`Error in ${event.type} event listener:`, error);
-      }
-    });
-    wildcardListeners?.forEach((listener) => {
-      try {
-        listener(event);
-      } catch (error) {
-        console.error(`Error in wildcard event listener:`, error);
-      }
-    });
-  }
-  /**
-   * Remove all listeners
-   *
-   * @internal
-   */
-  clear() {
-    this.listeners.clear();
-  }
-};
-__name(_EventEmitter, "EventEmitter");
-var EventEmitter = _EventEmitter;
-
-// tmp/ngc/angular/adapters/fetch-adapter.js
-var _FetchAdapter = class _FetchAdapter {
-  /**
-   * Execute HTTP request using native fetch.
-   *
-   * @param config - Request configuration
-   * @returns Response with parsed data
-   * @throws NAuthClientError if request fails
-   */
-  async request(config) {
-    const fetchOptions = {
-      method: config.method,
-      headers: config.headers,
-      signal: config.signal,
-      credentials: config.credentials
-    };
-    if (config.body !== void 0) {
-      fetchOptions.body = JSON.stringify(config.body);
-    }
-    let response;
-    try {
-      response = await fetch(config.url, fetchOptions);
-    } catch (error) {
-      throw new NAuthClientError(NAuthErrorCode.INTERNAL_ERROR, "Network request failed", {
-        isNetworkError: true,
-        details: { url: config.url, message: error.message }
-      });
-    }
-    const status = response.status;
-    let data = null;
-    const text = await response.text();
-    if (text) {
-      try {
-        data = JSON.parse(text);
-      } catch {
-        data = text;
-      }
-    }
-    const headers = {};
-    response.headers.forEach((value, key) => {
-      headers[key] = value;
-    });
-    if (!response.ok) {
-      const errorData = typeof data === "object" && data !== null ? data : {};
-      const code = typeof errorData["code"] === "string" ? errorData["code"] : NAuthErrorCode.INTERNAL_ERROR;
-      const message = typeof errorData["message"] === "string" ? errorData["message"] : `Request failed with status ${status}`;
-      const timestamp = typeof errorData["timestamp"] === "string" ? errorData["timestamp"] : void 0;
-      const details = errorData["details"];
-      throw new NAuthClientError(code, message, {
-        statusCode: status,
-        timestamp,
-        details
-      });
-    }
-    return { data, status, headers };
-  }
-};
-__name(_FetchAdapter, "FetchAdapter");
-var FetchAdapter = _FetchAdapter;
-
-// tmp/ngc/angular/types/auth.types.js
-var AuthChallenge;
-(function(AuthChallenge2) {
-  AuthChallenge2["VERIFY_EMAIL"] = "VERIFY_EMAIL";
-  AuthChallenge2["VERIFY_PHONE"] = "VERIFY_PHONE";
-  AuthChallenge2["MFA_REQUIRED"] = "MFA_REQUIRED";
-  AuthChallenge2["MFA_SETUP_REQUIRED"] = "MFA_SETUP_REQUIRED";
-  AuthChallenge2["FORCE_CHANGE_PASSWORD"] = "FORCE_CHANGE_PASSWORD";
-})(AuthChallenge || (AuthChallenge = {}));
-
-// tmp/ngc/angular/core/client.js
-var USER_KEY2 = "nauth_user";
-var CHALLENGE_KEY2 = "nauth_challenge_session";
-var hasWindow = /* @__PURE__ */ __name(() => typeof globalThis !== "undefined" && typeof globalThis.window !== "undefined", "hasWindow");
-var defaultStorage = /* @__PURE__ */ __name(() => {
-  if (hasWindow() && typeof window.localStorage !== "undefined") {
-    return new BrowserStorage();
-  }
-  return new InMemoryStorage();
-}, "defaultStorage");
-var _NAuthClient = class _NAuthClient {
-  /**
-   * Create a new client instance.
-   *
-   * @param userConfig - Client configuration
-   */
-  constructor(userConfig) {
-    __publicField(this, "config");
-    __publicField(this, "tokenManager");
-    __publicField(this, "eventEmitter");
-    __publicField(this, "currentUser", null);
-    /**
-     * Handle cross-tab storage updates.
-     */
-    __publicField(this, "handleStorageEvent", /* @__PURE__ */ __name((event) => {
-      if (event.key === "nauth_sync") {
-        this.config.storage.getItem(USER_KEY2).then((value) => value ? JSON.parse(value) : null).then((user) => {
-          this.currentUser = user;
-          this.config.onAuthStateChange?.(user);
-        }).catch(() => {
-        });
-      }
-    }, "handleStorageEvent"));
-    const storage = userConfig.storage ?? defaultStorage();
-    const defaultAdapter = userConfig.httpAdapter ?? new FetchAdapter();
-    this.config = resolveConfig({ ...userConfig, storage }, defaultAdapter);
-    this.tokenManager = new TokenManager(storage);
-    this.eventEmitter = new EventEmitter();
-    if (hasWindow()) {
-      window.addEventListener("storage", this.handleStorageEvent);
-    }
-  }
-  /**
-   * Clean up resources.
-   */
-  dispose() {
-    if (hasWindow()) {
-      window.removeEventListener("storage", this.handleStorageEvent);
-    }
-  }
-  /**
-   * Login with identifier and password.
-   */
-  async login(identifier, password) {
-    const loginEvent = { type: "auth:login", data: { identifier }, timestamp: Date.now() };
-    this.eventEmitter.emit(loginEvent);
-    try {
-      const body = { identifier, password };
-      const response = await this.post(this.config.endpoints.login, body);
-      await this.handleAuthResponse(response);
-      if (response.challengeName) {
-        const challengeEvent = { type: "auth:challenge", data: response, timestamp: Date.now() };
-        this.eventEmitter.emit(challengeEvent);
-      } else {
-        const successEvent = { type: "auth:success", data: response, timestamp: Date.now() };
-        this.eventEmitter.emit(successEvent);
-      }
-      return response;
-    } catch (error) {
-      const authError = error instanceof NAuthClientError ? error : new NAuthClientError(NAuthErrorCode.AUTH_INVALID_CREDENTIALS, error.message || "Login failed");
-      const errorEvent = { type: "auth:error", data: authError, timestamp: Date.now() };
-      this.eventEmitter.emit(errorEvent);
-      throw authError;
-    }
-  }
-  /**
-   * Signup with credentials.
-   */
-  async signup(payload) {
-    this.eventEmitter.emit({ type: "auth:signup", data: { email: payload.email }, timestamp: Date.now() });
-    try {
-      const response = await this.post(this.config.endpoints.signup, payload);
-      await this.handleAuthResponse(response);
-      if (response.challengeName) {
-        this.eventEmitter.emit({ type: "auth:challenge", data: response, timestamp: Date.now() });
-      } else {
-        this.eventEmitter.emit({ type: "auth:success", data: response, timestamp: Date.now() });
-      }
-      return response;
-    } catch (error) {
-      const authError = error instanceof NAuthClientError ? error : new NAuthClientError(NAuthErrorCode.AUTH_INVALID_CREDENTIALS, error.message || "Signup failed");
-      this.eventEmitter.emit({ type: "auth:error", data: authError, timestamp: Date.now() });
-      throw authError;
-    }
-  }
-  /**
-   * Refresh tokens manually.
-   */
-  async refreshTokens() {
-    const tokenDelivery = this.getTokenDeliveryMode();
-    if (tokenDelivery === "json") {
-      await this.tokenManager.assertHasRefreshToken();
-    }
-    const body = tokenDelivery === "json" ? { refreshToken: (await this.tokenManager.getTokens()).refreshToken } : { refreshToken: "" };
-    const refreshFn = /* @__PURE__ */ __name(async () => {
-      return this.post(this.config.endpoints.refresh, body, false);
-    }, "refreshFn");
-    const tokens = await this.tokenManager.refreshOnce(refreshFn);
-    this.config.onTokenRefresh?.();
-    this.eventEmitter.emit({ type: "auth:refresh", data: { success: true }, timestamp: Date.now() });
-    return tokens;
-  }
-  /**
-   * Logout current session.
-   *
-   * Uses GET request to avoid CSRF token issues.
-   *
-   * @param forgetDevice - If true, also untrust the device (require MFA on next login)
-   */
-  async logout(forgetDevice) {
-    const queryParams = forgetDevice ? "?forgetMe=true" : "";
-    try {
-      await this.get(this.config.endpoints.logout + queryParams, true);
-    } catch (error) {
-      console.warn("[nauth] Logout request failed (session may already be invalid):", error);
-    } finally {
-      await this.clearAuthState(forgetDevice);
-      this.eventEmitter.emit({
-        type: "auth:logout",
-        data: { forgetDevice: !!forgetDevice, global: false },
-        timestamp: Date.now()
-      });
-    }
-  }
-  /**
-   * Logout all sessions.
-   *
-   * Revokes all active sessions for the current user across all devices.
-   * Optionally revokes all trusted devices if forgetDevices is true.
-   *
-   * @param forgetDevices - If true, also revokes all trusted devices (default: false)
-   * @returns Number of sessions revoked
-   */
-  async logoutAll(forgetDevices) {
-    try {
-      const payload = {
-        forgetDevices: forgetDevices ?? false
-      };
-      const result = await this.post(this.config.endpoints.logoutAll, payload, true);
-      await this.clearAuthState(forgetDevices);
-      this.eventEmitter.emit({
-        type: "auth:logout",
-        data: { forgetDevice: !!forgetDevices, global: true },
-        timestamp: Date.now()
-      });
-      return { revokedCount: result.revokedCount };
-    } catch (error) {
-      await this.clearAuthState(forgetDevices);
-      this.eventEmitter.emit({
-        type: "auth:logout",
-        data: { forgetDevice: !!forgetDevices, global: true },
-        timestamp: Date.now()
-      });
-      throw error;
-    }
-  }
-  /**
-   * Respond to a challenge.
-   *
-   * Validates challenge response data before sending to backend.
-   * Provides helpful error messages for common validation issues.
-   *
-   * @param response - Challenge response data
-   * @returns Auth response from backend
-   * @throws {NAuthClientError} If validation fails
-   */
-  async respondToChallenge(response) {
-    if (response.type === AuthChallenge.MFA_SETUP_REQUIRED && response.method === "totp") {
-      const setupData = response.setupData;
-      if (!setupData || typeof setupData !== "object") {
-        throw new NAuthClientError(NAuthErrorCode.VALIDATION_FAILED, "TOTP setup requires setupData with both secret and code", { details: { field: "setupData" } });
-      }
-      const secret = setupData["secret"];
-      const code = setupData["code"];
-      if (!secret || typeof secret !== "string") {
-        throw new NAuthClientError(NAuthErrorCode.VALIDATION_FAILED, "TOTP setup requires secret in setupData. Make sure to include the secret from getSetupData() response.", { details: { field: "secret" } });
-      }
-      if (!code || typeof code !== "string") {
-        throw new NAuthClientError(NAuthErrorCode.VALIDATION_FAILED, "TOTP setup requires code in setupData. Please enter the verification code from your authenticator app.", { details: { field: "code" } });
-      }
-    }
-    try {
-      const result = await this.post(this.config.endpoints.respondChallenge, response);
-      await this.handleAuthResponse(result);
-      if (result.challengeName) {
-        const challengeEvent = { type: "auth:challenge", data: result, timestamp: Date.now() };
-        this.eventEmitter.emit(challengeEvent);
-      } else {
-        const successEvent = { type: "auth:success", data: result, timestamp: Date.now() };
-        this.eventEmitter.emit(successEvent);
-      }
-      return result;
-    } catch (error) {
-      const authError = error instanceof NAuthClientError ? error : new NAuthClientError(NAuthErrorCode.CHALLENGE_INVALID, error.message || "Challenge response failed");
-      const errorEvent = { type: "auth:error", data: authError, timestamp: Date.now() };
-      this.eventEmitter.emit(errorEvent);
-      throw authError;
-    }
-  }
-  /**
-   * Resend a challenge code.
-   */
-  async resendCode(session) {
-    const payload = { session };
-    return this.post(this.config.endpoints.resendCode, payload);
-  }
-  /**
-   * Get setup data for MFA.
-   *
-   * Returns method-specific setup information:
-   * - TOTP: { secret, qrCode, manualEntryKey }
-   * - SMS: { maskedPhone }
-   * - Email: { maskedEmail }
-   * - Passkey: WebAuthn registration options
-   *
-   * @param session - Challenge session token
-   * @param method - MFA method to set up
-   * @returns Setup data wrapped in GetSetupDataResponse
-   */
-  async getSetupData(session, method) {
-    const payload = { session, method };
-    return this.post(this.config.endpoints.getSetupData, payload);
-  }
-  /**
-   * Get challenge data (e.g., WebAuthn options).
-   *
-   * Returns challenge-specific data for verification flows.
-   *
-   * @param session - Challenge session token
-   * @param method - Challenge method to get data for
-   * @returns Challenge data wrapped in GetChallengeDataResponse
-   */
-  async getChallengeData(session, method) {
-    const payload = { session, method };
-    return this.post(this.config.endpoints.getChallengeData, payload);
-  }
-  /**
-   * Get current user profile.
-   */
-  async getProfile() {
-    const profile = await this.get(this.config.endpoints.profile, true);
-    await this.setUser(profile);
-    return profile;
-  }
-  /**
-   * Update user profile.
-   */
-  async updateProfile(updates) {
-    const updated = await this.put(this.config.endpoints.updateProfile, updates, true);
-    await this.setUser(updated);
-    return updated;
-  }
-  /**
-   * Change user password.
-   */
-  async changePassword(oldPassword, newPassword) {
-    const payload = { currentPassword: oldPassword, newPassword };
-    await this.post(this.config.endpoints.changePassword, payload, true);
-  }
-  /**
-   * Request a password reset code (forgot password).
-   */
-  async forgotPassword(identifier) {
-    const payload = { identifier };
-    return this.post(this.config.endpoints.forgotPassword, payload);
-  }
-  /**
-   * Confirm a password reset code and set a new password.
-   */
-  async confirmForgotPassword(identifier, code, newPassword) {
-    const payload = { identifier, code, newPassword };
-    const result = await this.post(this.config.endpoints.confirmForgotPassword, payload);
-    await this.clearAuthState(false);
-    return result;
-  }
-  /**
-   * Request password change (must change on next login).
-   */
-  async requestPasswordChange() {
-    await this.post(this.config.endpoints.requestPasswordChange, {}, true);
-  }
-  /**
-   * Get MFA status.
-   */
-  async getMfaStatus() {
-    return this.get(this.config.endpoints.mfaStatus, true);
-  }
-  /**
-   * Get MFA devices.
-   */
-  async getMfaDevices() {
-    return this.get(this.config.endpoints.mfaDevices, true);
-  }
-  /**
-   * Setup MFA device (authenticated user).
-   */
-  async setupMfaDevice(method) {
-    return this.post(this.config.endpoints.mfaSetupData, { method }, true);
-  }
-  /**
-   * Verify MFA setup (authenticated user).
-   */
-  async verifyMfaSetup(method, setupData, deviceName) {
-    return this.post(this.config.endpoints.mfaVerifySetup, { method, setupData, deviceName }, true);
-  }
-  /**
-   * Remove MFA method.
-   */
-  async removeMfaDevice(method) {
-    const path = `${this.config.endpoints.mfaRemove}/${method}`;
-    return this.delete(path, true);
-  }
-  /**
-   * Set preferred MFA method.
-   *
-   * @param method - Device method to set as preferred ('totp', 'sms', 'email', or 'passkey'). Cannot be 'backup'.
-   * @returns Success message
-   */
-  async setPreferredMfaMethod(method) {
-    return this.post(this.config.endpoints.mfaPreferred, { method }, true);
-  }
-  /**
-   * Generate backup codes.
-   */
-  async generateBackupCodes() {
-    const result = await this.post(this.config.endpoints.mfaBackupCodes, {}, true);
-    return result.codes;
-  }
-  /**
-   * Set MFA exemption (admin/test scenarios).
-   */
-  async setMfaExemption(exempt, reason) {
-    await this.post(this.config.endpoints.mfaExemption, { exempt, reason }, true);
-  }
-  // ============================================================================
-  // Event System
-  // ============================================================================
-  /**
-   * Subscribe to authentication events.
-   *
-   * Emits events throughout the auth lifecycle for custom logic, analytics, or UI updates.
-   *
-   * @param event - Event type to listen for, or '*' for all events
-   * @param listener - Callback function to handle the event
-   * @returns Unsubscribe function
-   *
-   * @example
-   * ```typescript
-   * // Listen to successful authentication
-   * const unsubscribe = client.on('auth:success', (event) => {
-   *   console.log('User logged in:', event.data.user);
-   *   analytics.track('login_success');
-   * });
-   *
-   * // Listen to all events
-   * client.on('*', (event) => {
-   *   console.log('Auth event:', event.type, event.data);
-   * });
-   *
-   * // Unsubscribe when done
-   * unsubscribe();
-   * ```
-   */
-  on(event, listener) {
-    return this.eventEmitter.on(event, listener);
-  }
-  /**
-   * Unsubscribe from authentication events.
-   *
-   * @param event - Event type
-   * @param listener - Callback function to remove
-   */
-  off(event, listener) {
-    this.eventEmitter.off(event, listener);
-  }
-  // ============================================================================
-  // Social Authentication
-  // ============================================================================
-  /**
-   * Start redirect-first social OAuth flow (web).
-   *
-   * This performs a browser navigation to:
-   * `GET {baseUrl}/social/:provider/redirect?returnTo=...&appState=...`
-   *
-   * The backend:
-   * - generates and stores CSRF state (cluster-safe)
-   * - redirects the user to the provider
-   * - completes OAuth on callback and sets cookies (or issues an exchange token)
-   * - redirects back to `returnTo` with `appState` (and `exchangeToken` for json/hybrid)
-   *
-   * @param provider - OAuth provider ('google', 'apple', 'facebook')
-   * @param options - Optional redirect options
-   *
-   * @example
-   * ```typescript
-   * await client.loginWithSocial('google', { returnTo: '/auth/callback', appState: '12345' });
-   * ```
-   */
-  async loginWithSocial(provider, options) {
-    this.eventEmitter.emit({ type: "oauth:started", data: { provider }, timestamp: Date.now() });
-    if (hasWindow()) {
-      const startPath = this.config.endpoints.socialRedirectStart.replace(":provider", provider);
-      const base = this.config.baseUrl.replace(/\/$/, "");
-      const startUrl = new URL(`${base}${startPath}`);
-      const returnTo = options?.returnTo ?? this.config.redirects?.success ?? "/";
-      startUrl.searchParams.set("returnTo", returnTo);
-      if (options?.action === "link") {
-        startUrl.searchParams.set("action", "link");
-      }
-      if (typeof options?.appState === "string" && options.appState.trim() !== "") {
-        startUrl.searchParams.set("appState", options.appState);
-      }
-      window.location.href = startUrl.toString();
-    }
-  }
-  /**
-   * Exchange an `exchangeToken` (from redirect callback URL) into an AuthResponse.
-   *
-   * Used for `tokenDelivery: 'json'` or hybrid flows where the backend redirects back
-   * with `exchangeToken` instead of setting cookies.
-   *
-   * @param exchangeToken - One-time exchange token from the callback URL
-   * @returns AuthResponse
-   */
-  async exchangeSocialRedirect(exchangeToken) {
-    const token = exchangeToken?.trim();
-    if (!token) {
-      throw new NAuthClientError(NAuthErrorCode.CHALLENGE_INVALID, "Missing exchangeToken");
-    }
-    const result = await this.post(this.config.endpoints.socialExchange, { exchangeToken: token });
-    await this.handleAuthResponse(result);
-    return result;
-  }
-  /**
-   * Verify native social token (mobile).
-   */
-  async verifyNativeSocial(request) {
-    try {
-      const path = this.config.endpoints.socialVerify.replace(":provider", request.provider);
-      const result = await this.post(path, request);
-      await this.handleAuthResponse(result);
-      if (result.challengeName) {
-        const challengeEvent = { type: "auth:challenge", data: result, timestamp: Date.now() };
-        this.eventEmitter.emit(challengeEvent);
-      } else {
-        const successEvent = { type: "auth:success", data: result, timestamp: Date.now() };
-        this.eventEmitter.emit(successEvent);
-      }
-      return result;
-    } catch (error) {
-      const authError = error instanceof NAuthClientError ? error : new NAuthClientError(NAuthErrorCode.SOCIAL_TOKEN_INVALID, error.message || "Social verification failed");
-      const errorEvent = { type: "auth:error", data: authError, timestamp: Date.now() };
-      this.eventEmitter.emit(errorEvent);
-      throw authError;
-    }
-  }
-  /**
-   * Get linked accounts.
-   */
-  async getLinkedAccounts() {
-    return this.get(this.config.endpoints.socialLinked, true);
-  }
-  /**
-   * Link social account.
-   */
-  async linkSocialAccount(provider, code, state) {
-    return this.post(this.config.endpoints.socialLink, { provider, code, state }, true);
-  }
-  /**
-   * Unlink social account.
-   */
-  async unlinkSocialAccount(provider) {
-    return this.post(this.config.endpoints.socialUnlink, { provider }, true);
-  }
-  /**
-   * Trust current device.
-   */
-  async trustDevice() {
-    const result = await this.post(this.config.endpoints.trustDevice, {}, true);
-    await this.setDeviceToken(result.deviceToken);
-    return result;
-  }
-  /**
-   * Check if the current device is trusted.
-   *
-   * Returns whether the current device is trusted based on the device token
-   * (from cookie in cookies mode, or header in JSON mode).
-   *
-   * This performs a server-side validation of the device token and checks:
-   * - Device token exists and is valid
-   * - Device token matches a trusted device record in the database
-   * - Trust has not expired
-   *
-   * @returns Object with trusted status
-   *
-   * @example
-   * ```typescript
-   * const result = await client.isTrustedDevice();
-   * if (result.trusted) {
-   *   console.log('This device is trusted');
-   * }
-   * ```
-   */
-  async isTrustedDevice() {
-    return this.get(this.config.endpoints.isTrustedDevice, true);
-  }
-  /**
-   * Get paginated audit history for the current user.
-   *
-   * Returns authentication and security events with full audit details including:
-   * - Event type (login, logout, MFA, etc.)
-   * - Event status (success, failure, suspicious)
-   * - Device information, location, risk factors
-   *
-   * @param params - Query parameters for filtering and pagination
-   * @returns Paginated audit history response
-   *
-   * @example
-   * ```typescript
-   * const history = await client.getAuditHistory({
-   *   page: 1,
-   *   limit: 20,
-   *   eventType: 'LOGIN_SUCCESS'
-   * });
-   * ```
-   */
-  async getAuditHistory(params) {
-    const entries = Object.entries(params ?? {}).map(([k, v]) => [k, String(v)]);
-    const query = entries.length > 0 ? `?${new URLSearchParams(entries).toString()}` : "";
-    const path = `${this.config.endpoints.auditHistory}${query}`;
-    return this.get(path, true);
-  }
-  /**
-   * Initialize client by hydrating state from storage.
-   * Call this on app startup to restore auth state.
-   */
-  async initialize() {
-    const userJson = await this.config.storage.getItem(USER_KEY2);
-    if (userJson) {
-      try {
-        this.currentUser = JSON.parse(userJson);
-        this.config.onAuthStateChange?.(this.currentUser);
-      } catch {
-        await this.config.storage.removeItem(USER_KEY2);
-      }
-    }
-  }
-  /**
-   * Determine if user is authenticated (async - checks tokens).
-   */
-  async isAuthenticated() {
-    const tokens = await this.tokenManager.getTokens();
-    return Boolean(tokens.accessToken);
-  }
-  /**
-   * Determine if user is authenticated (sync - checks cached user).
-   * Use this for guards and sync checks. Use `isAuthenticated()` for definitive check.
-   */
-  isAuthenticatedSync() {
-    return this.currentUser !== null;
-  }
-  /**
-   * Get current access token (may be null).
-   */
-  async getAccessToken() {
-    const tokens = await this.tokenManager.getTokens();
-    return tokens.accessToken ?? null;
-  }
-  /**
-   * Get current user (cached, sync).
-   */
-  getCurrentUser() {
-    return this.currentUser;
-  }
-  /**
-   * Get stored challenge session (for resuming challenge flows).
-   */
-  async getStoredChallenge() {
-    const raw = await this.config.storage.getItem(CHALLENGE_KEY2);
-    if (!raw)
-      return null;
-    try {
-      return JSON.parse(raw);
-    } catch {
-      return null;
-    }
-  }
-  /**
-   * Clear stored challenge session.
-   */
-  async clearStoredChallenge() {
-    await this.config.storage.removeItem(CHALLENGE_KEY2);
-  }
-  /**
-   * Internal: handle auth response (tokens or challenge).
-   *
-   * In cookies mode: Tokens are set as httpOnly cookies by backend, not stored in client storage.
-   * In JSON mode: Tokens are stored in tokenManager for Authorization header.
-   */
-  async handleAuthResponse(response) {
-    if (response.challengeName) {
-      await this.persistChallenge(response);
-      return;
-    }
-    if (this.config.tokenDelivery === "json" && response.accessToken && response.refreshToken) {
-      await this.tokenManager.setTokens({
-        accessToken: response.accessToken,
-        refreshToken: response.refreshToken,
-        accessTokenExpiresAt: response.accessTokenExpiresAt ?? 0,
-        refreshTokenExpiresAt: response.refreshTokenExpiresAt ?? 0
-      });
-    }
-    if (this.config.tokenDelivery === "json" && response.deviceToken) {
-      await this.setDeviceToken(response.deviceToken);
-    }
-    if (response.user) {
-      const user = response.user;
-      user.sessionAuthMethod = response.authMethod ?? null;
-      await this.setUser(user);
-    }
-    await this.clearChallenge();
-  }
-  /**
-   * Persist challenge state.
-   */
-  async persistChallenge(challenge) {
-    await this.config.storage.setItem(CHALLENGE_KEY2, JSON.stringify(challenge));
-  }
-  /**
-   * Clear challenge state.
-   */
-  async clearChallenge() {
-    await this.config.storage.removeItem(CHALLENGE_KEY2);
-  }
-  /**
-   * Persist user.
-   */
-  async setUser(user) {
-    this.currentUser = user;
-    await this.config.storage.setItem(USER_KEY2, JSON.stringify(user));
-    this.config.onAuthStateChange?.(user);
-  }
-  /**
-   * Clear all auth state.
-   *
-   * @param forgetDevice - If true, also clear device token (for JSON mode)
-   */
-  async clearAuthState(forgetDevice) {
-    this.currentUser = null;
-    await this.tokenManager.clearTokens();
-    await this.config.storage.removeItem(USER_KEY2);
-    if (forgetDevice && this.config.tokenDelivery === "json") {
-      await this.config.storage.removeItem(this.config.deviceTrust.storageKey);
-    }
-    this.config.onAuthStateChange?.(null);
-  }
-  /**
-   * Persist device token (json mode mobile).
-   */
-  async setDeviceToken(token) {
-    await this.config.storage.setItem(this.config.deviceTrust.storageKey, token);
-  }
-  /**
-   * Determine token delivery mode for this environment.
-   */
-  getTokenDeliveryMode() {
-    return this.config.tokenDelivery;
-  }
-  /**
-   * Build request URL by combining baseUrl with path.
-   * @private
-   */
-  buildUrl(path) {
-    return `${this.config.baseUrl}${path}`;
-  }
-  /**
-   * Build request headers for authentication.
-   * @private
-   */
-  async buildHeaders(auth) {
-    const headers = {
-      "Content-Type": "application/json",
-      ...this.config.headers
-    };
-    if (auth && this.config.tokenDelivery === "json") {
-      const accessToken = (await this.tokenManager.getTokens()).accessToken;
-      if (accessToken) {
-        headers["Authorization"] = `Bearer ${accessToken}`;
-      }
-    }
-    if (this.config.tokenDelivery === "json") {
-      try {
-        const deviceToken = await this.config.storage.getItem(this.config.deviceTrust.storageKey);
-        if (deviceToken) {
-          headers[this.config.deviceTrust.headerName] = deviceToken;
-        }
-      } catch {
-      }
-    }
-    if (this.config.tokenDelivery === "cookies" && hasWindow()) {
-      const csrfToken = this.getCsrfToken();
-      if (csrfToken) {
-        headers[this.config.csrf.headerName] = csrfToken;
-      }
-    }
-    return headers;
-  }
-  /**
-   * Get CSRF token from cookie (browser only).
-   * @private
-   */
-  getCsrfToken() {
-    if (!hasWindow() || typeof document === "undefined")
-      return null;
-    const match = document.cookie.match(new RegExp(`(^| )${this.config.csrf.cookieName}=([^;]+)`));
-    return match ? decodeURIComponent(match[2]) : null;
-  }
-  /**
-   * Execute GET request.
-   * Note: 401 refresh is handled by framework interceptors (Angular) or manually.
-   */
-  async get(path, auth = false) {
-    const url = this.buildUrl(path);
-    const headers = await this.buildHeaders(auth);
-    const credentials = this.config.tokenDelivery === "cookies" ? "include" : "omit";
-    const response = await this.config.httpAdapter.request({
-      method: "GET",
-      url,
-      headers,
-      credentials
-    });
-    return response.data;
-  }
-  /**
-   * Execute POST request.
-   * Note: 401 refresh is handled by framework interceptors (Angular) or manually.
-   */
-  async post(path, body, auth = false) {
-    const url = this.buildUrl(path);
-    const headers = await this.buildHeaders(auth);
-    const credentials = this.config.tokenDelivery === "cookies" ? "include" : "omit";
-    const response = await this.config.httpAdapter.request({
-      method: "POST",
-      url,
-      headers,
-      body,
-      credentials
-    });
-    return response.data;
-  }
-  /**
-   * Execute PUT request.
-   * Note: 401 refresh is handled by framework interceptors (Angular) or manually.
-   */
-  async put(path, body, auth = false) {
-    const url = this.buildUrl(path);
-    const headers = await this.buildHeaders(auth);
-    const credentials = this.config.tokenDelivery === "cookies" ? "include" : "omit";
-    const response = await this.config.httpAdapter.request({
-      method: "PUT",
-      url,
-      headers,
-      body,
-      credentials
-    });
-    return response.data;
-  }
-  /**
-   * Execute DELETE request.
-   * Note: 401 refresh is handled by framework interceptors (Angular) or manually.
-   */
-  async delete(path, auth = false) {
-    const url = this.buildUrl(path);
-    const headers = await this.buildHeaders(auth);
-    const credentials = this.config.tokenDelivery === "cookies" ? "include" : "omit";
-    const response = await this.config.httpAdapter.request({
-      method: "DELETE",
-      url,
-      headers,
-      credentials
-    });
-    return response.data;
-  }
-};
-__name(_NAuthClient, "NAuthClient");
-var NAuthClient = _NAuthClient;
-
-// tmp/ngc/angular/angular/auth.service.js
-var i02 = __toESM(require("@angular/core"));
-var _AuthService = class _AuthService {
-  /**
-   * @param config - Injected client configuration
-   *
-   * Note: AngularHttpAdapter is automatically injected via Angular DI.
-   * This ensures all requests go through Angular's HttpClient and interceptors.
-   */
-  constructor(config) {
-    __publicField(this, "client");
-    __publicField(this, "config");
-    __publicField(this, "currentUserSubject", new import_rxjs2.BehaviorSubject(null));
-    __publicField(this, "isAuthenticatedSubject", new import_rxjs2.BehaviorSubject(false));
-    __publicField(this, "challengeSubject", new import_rxjs2.BehaviorSubject(null));
-    __publicField(this, "authEventsSubject", new import_rxjs2.Subject());
-    __publicField(this, "initialized", false);
-    if (!config) {
-      throw new Error("NAUTH_CLIENT_CONFIG is required to initialize AuthService");
-    }
-    this.config = config;
-    const httpAdapter = config.httpAdapter ?? (0, import_core3.inject)(AngularHttpAdapter);
-    this.client = new NAuthClient({
-      ...config,
-      httpAdapter,
-      // Automatically use Angular's HttpClient
-      onAuthStateChange: /* @__PURE__ */ __name((user) => {
-        this.currentUserSubject.next(user);
-        this.isAuthenticatedSubject.next(Boolean(user));
-        config.onAuthStateChange?.(user);
-      }, "onAuthStateChange")
-    });
-    this.client.on("*", (event) => {
-      this.authEventsSubject.next(event);
-    });
-    this.initialize();
-  }
-  // ============================================================================
-  // Reactive State Observables
-  // ============================================================================
-  /**
-   * Current user observable.
-   */
-  get currentUser$() {
-    return this.currentUserSubject.asObservable();
-  }
-  /**
-   * Authenticated state observable.
-   */
-  get isAuthenticated$() {
-    return this.isAuthenticatedSubject.asObservable();
-  }
-  /**
-   * Current challenge observable (for reactive challenge navigation).
-   */
-  get challenge$() {
-    return this.challengeSubject.asObservable();
-  }
-  /**
-   * Authentication events stream.
-   * Emits all auth lifecycle events for custom logic, analytics, or UI updates.
-   */
-  get authEvents$() {
-    return this.authEventsSubject.asObservable();
-  }
-  /**
-   * Successful authentication events stream.
-   * Emits when user successfully authenticates (login, signup, social auth).
-   */
-  get authSuccess$() {
-    return this.authEventsSubject.pipe((0, import_operators.filter)((e) => e.type === "auth:success"));
-  }
-  /**
-   * Authentication error events stream.
-   * Emits when authentication fails (login error, OAuth error, etc.).
-   */
-  get authError$() {
-    return this.authEventsSubject.pipe((0, import_operators.filter)((e) => e.type === "auth:error" || e.type === "oauth:error"));
-  }
-  // ============================================================================
-  // Sync State Accessors (for guards, templates)
-  // ============================================================================
-  /**
-   * Check if authenticated (sync, uses cached state).
-   */
-  isAuthenticated() {
-    return this.client.isAuthenticatedSync();
-  }
-  /**
-   * Get current user (sync, uses cached state).
-   */
-  getCurrentUser() {
-    return this.client.getCurrentUser();
-  }
-  /**
-   * Get current challenge (sync).
-   */
-  getCurrentChallenge() {
-    return this.challengeSubject.value;
-  }
-  // ============================================================================
-  // Core Auth Methods
-  // ============================================================================
-  /**
-   * Login with identifier and password.
-   *
-   * @param identifier - User email or username
-   * @param password - User password
-   * @returns Promise with auth response or challenge
-   *
-   * @example
-   * ```typescript
-   * const response = await this.auth.login('user@example.com', 'password');
-   * if (response.challengeName) {
-   *   // Handle challenge
-   * } else {
-   *   // Login successful
-   * }
-   * ```
-   */
-  async login(identifier, password) {
-    const res = await this.client.login(identifier, password);
-    return this.updateChallengeState(res);
-  }
-  /**
-   * Signup with credentials.
-   *
-   * @param payload - Signup request payload
-   * @returns Promise with auth response or challenge
-   *
-   * @example
-   * ```typescript
-   * const response = await this.auth.signup({
-   *   email: 'new@example.com',
-   *   password: 'SecurePass123!',
-   *   firstName: 'John',
-   * });
-   * ```
-   */
-  async signup(payload) {
-    const res = await this.client.signup(payload);
-    return this.updateChallengeState(res);
-  }
-  /**
-   * Logout current session.
-   *
-   * @param forgetDevice - If true, removes device trust
-   *
-   * @example
-   * ```typescript
-   * await this.auth.logout();
-   * ```
-   */
-  async logout(forgetDevice) {
-    await this.client.logout(forgetDevice);
-    this.challengeSubject.next(null);
-    this.currentUserSubject.next(null);
-    this.isAuthenticatedSubject.next(false);
-    if (this.config.tokenDelivery === "cookies" && typeof document !== "undefined") {
-      const csrfCookieName = this.config.csrf?.cookieName ?? "nauth_csrf_token";
-      try {
-        const url = new URL(this.config.baseUrl);
-        document.cookie = `${csrfCookieName}=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/; domain=${url.hostname}`;
-        document.cookie = `${csrfCookieName}=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;
-      } catch {
-        document.cookie = `${csrfCookieName}=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;
-      }
-    }
-  }
-  /**
-   * Logout all sessions.
-   *
-   * Revokes all active sessions for the current user across all devices.
-   * Optionally revokes all trusted devices if forgetDevices is true.
-   *
-   * @param forgetDevices - If true, also revokes all trusted devices (default: false)
-   * @returns Promise with number of sessions revoked
-   *
-   * @example
-   * ```typescript
-   * const result = await this.auth.logoutAll();
-   * console.log(`Revoked ${result.revokedCount} sessions`);
-   * ```
-   */
-  async logoutAll(forgetDevices) {
-    const res = await this.client.logoutAll(forgetDevices);
-    this.challengeSubject.next(null);
-    this.currentUserSubject.next(null);
-    this.isAuthenticatedSubject.next(false);
-    return res;
-  }
-  /**
-   * Refresh tokens.
-   *
-   * @returns Promise with new tokens
-   *
-   * @example
-   * ```typescript
-   * const tokens = await this.auth.refresh();
-   * ```
-   */
-  async refresh() {
-    return this.client.refreshTokens();
-  }
-  // ============================================================================
-  // Account Recovery (Forgot Password)
-  // ============================================================================
-  /**
-   * Request a password reset code (forgot password).
-   *
-   * @param identifier - User email, username, or phone
-   * @returns Promise with password reset response
-   *
-   * @example
-   * ```typescript
-   * await this.auth.forgotPassword('user@example.com');
-   * ```
-   */
-  async forgotPassword(identifier) {
-    return this.client.forgotPassword(identifier);
-  }
-  /**
-   * Confirm a password reset code and set a new password.
-   *
-   * @param identifier - User email, username, or phone
-   * @param code - One-time reset code
-   * @param newPassword - New password
-   * @returns Promise with confirmation response
-   *
-   * @example
-   * ```typescript
-   * await this.auth.confirmForgotPassword('user@example.com', '123456', 'NewPass123!');
-   * ```
-   */
-  async confirmForgotPassword(identifier, code, newPassword) {
-    return this.client.confirmForgotPassword(identifier, code, newPassword);
-  }
-  /**
-   * Change user password (requires current password).
-   *
-   * @param oldPassword - Current password
-   * @param newPassword - New password (must meet requirements)
-   * @returns Promise that resolves when password is changed
-   *
-   * @example
-   * ```typescript
-   * await this.auth.changePassword('oldPassword123', 'newSecurePassword456!');
-   * ```
-   */
-  async changePassword(oldPassword, newPassword) {
-    return this.client.changePassword(oldPassword, newPassword);
-  }
-  /**
-   * Request password change (must change on next login).
-   *
-   * @returns Promise that resolves when request is sent
-   *
-   * @example
-   * ```typescript
-   * await this.auth.requestPasswordChange();
-   * ```
-   */
-  async requestPasswordChange() {
-    return this.client.requestPasswordChange();
-  }
-  // ============================================================================
-  // Profile Management
-  // ============================================================================
-  /**
-   * Get current user profile.
-   *
-   * @returns Promise of current user profile
-   *
-   * @example
-   * ```typescript
-   * const user = await this.auth.getProfile();
-   * console.log('User profile:', user);
-   * ```
-   */
-  async getProfile() {
-    const user = await this.client.getProfile();
-    this.currentUserSubject.next(user);
-    return user;
-  }
-  /**
-   * Update user profile.
-   *
-   * @param updates - Profile fields to update
-   * @returns Promise of updated user profile
-   *
-   * @example
-   * ```typescript
-   * const user = await this.auth.updateProfile({ firstName: 'John', lastName: 'Doe' });
-   * console.log('Profile updated:', user);
-   * ```
-   */
-  async updateProfile(updates) {
-    const user = await this.client.updateProfile(updates);
-    this.currentUserSubject.next(user);
-    return user;
-  }
-  // ============================================================================
-  // Challenge Flow Methods (Essential for any auth flow)
-  // ============================================================================
-  /**
-   * Respond to a challenge (VERIFY_EMAIL, VERIFY_PHONE, MFA_REQUIRED, etc.).
-   *
-   * @param response - Challenge response data
-   * @returns Promise with auth response or next challenge
-   *
-   * @example
-   * ```typescript
-   * const result = await this.auth.respondToChallenge({
-   *   session: challengeSession,
-   *   type: 'VERIFY_EMAIL',
-   *   code: '123456',
-   * });
-   * ```
-   */
-  async respondToChallenge(response) {
-    const res = await this.client.respondToChallenge(response);
-    return this.updateChallengeState(res);
-  }
-  /**
-   * Resend challenge code.
-   *
-   * @param session - Challenge session token
-   * @returns Promise with destination information
-   *
-   * @example
-   * ```typescript
-   * const result = await this.auth.resendCode(session);
-   * console.log('Code sent to:', result.destination);
-   * ```
-   */
-  async resendCode(session) {
-    return this.client.resendCode(session);
-  }
-  /**
-   * Get MFA setup data (for MFA_SETUP_REQUIRED challenge).
-   *
-   * Returns method-specific setup information:
-   * - TOTP: { secret, qrCode, manualEntryKey }
-   * - SMS: { maskedPhone }
-   * - Email: { maskedEmail }
-   * - Passkey: WebAuthn registration options
-   *
-   * @param session - Challenge session token
-   * @param method - MFA method to set up
-   * @returns Promise of setup data response
-   *
-   * @example
-   * ```typescript
-   * const setupData = await this.auth.getSetupData(session, 'totp');
-   * console.log('QR Code:', setupData.setupData.qrCode);
-   * ```
-   */
-  async getSetupData(session, method) {
-    return this.client.getSetupData(session, method);
-  }
-  /**
-   * Get MFA challenge data (for MFA_REQUIRED challenge - e.g., passkey options).
-   *
-   * @param session - Challenge session token
-   * @param method - Challenge method
-   * @returns Promise of challenge data response
-   *
-   * @example
-   * ```typescript
-   * const challengeData = await this.auth.getChallengeData(session, 'passkey');
-   * ```
-   */
-  async getChallengeData(session, method) {
-    return this.client.getChallengeData(session, method);
-  }
-  /**
-   * Clear stored challenge (when navigating away from challenge flow).
-   *
-   * @returns Promise that resolves when challenge is cleared
-   *
-   * @example
-   * ```typescript
-   * await this.auth.clearChallenge();
-   * ```
-   */
-  async clearChallenge() {
-    await this.client.clearStoredChallenge();
-    this.challengeSubject.next(null);
-  }
-  // ============================================================================
-  // Social Authentication
-  // ============================================================================
-  /**
-   * Initiate social OAuth login flow.
-   * Redirects the browser to backend `/auth/social/:provider/redirect`.
-   *
-   * @param provider - Social provider ('google', 'apple', 'facebook')
-   * @param options - Optional redirect options
-   * @returns Promise that resolves when redirect starts
-   *
-   * @example
-   * ```typescript
-   * await this.auth.loginWithSocial('google', { returnTo: '/auth/callback' });
-   * ```
-   */
-  async loginWithSocial(provider, options) {
-    return this.client.loginWithSocial(provider, options);
-  }
-  /**
-   * Exchange an exchangeToken (from redirect callback URL) into an AuthResponse.
-   *
-   * Used for `tokenDelivery: 'json'` or hybrid flows where the backend redirects back
-   * with `exchangeToken` instead of setting cookies.
-   *
-   * @param exchangeToken - One-time exchange token from the callback URL
-   * @returns Promise of AuthResponse
-   *
-   * @example
-   * ```typescript
-   * const response = await this.auth.exchangeSocialRedirect(exchangeToken);
-   * ```
-   */
-  async exchangeSocialRedirect(exchangeToken) {
-    const res = await this.client.exchangeSocialRedirect(exchangeToken);
-    return this.updateChallengeState(res);
-  }
-  /**
-   * Verify native social token (mobile).
-   *
-   * @param request - Social verification request with provider and token
-   * @returns Promise of AuthResponse
-   *
-   * @example
-   * ```typescript
-   * const result = await this.auth.verifyNativeSocial({
-   *   provider: 'google',
-   *   idToken: nativeIdToken,
-   * });
-   * ```
-   */
-  async verifyNativeSocial(request) {
-    const res = await this.client.verifyNativeSocial(request);
-    return this.updateChallengeState(res);
-  }
-  /**
-   * Get linked social accounts.
-   *
-   * @returns Promise of linked accounts response
-   *
-   * @example
-   * ```typescript
-   * const accounts = await this.auth.getLinkedAccounts();
-   * console.log('Linked providers:', accounts.providers);
-   * ```
-   */
-  async getLinkedAccounts() {
-    return this.client.getLinkedAccounts();
-  }
-  /**
-   * Link social account.
-   *
-   * @param provider - Social provider to link
-   * @param code - OAuth authorization code
-   * @param state - OAuth state parameter
-   * @returns Promise with success message
-   *
-   * @example
-   * ```typescript
-   * await this.auth.linkSocialAccount('google', code, state);
-   * ```
-   */
-  async linkSocialAccount(provider, code, state) {
-    return this.client.linkSocialAccount(provider, code, state);
-  }
-  /**
-   * Unlink social account.
-   *
-   * @param provider - Social provider to unlink
-   * @returns Promise with success message
-   *
-   * @example
-   * ```typescript
-   * await this.auth.unlinkSocialAccount('google');
-   * ```
-   */
-  async unlinkSocialAccount(provider) {
-    return this.client.unlinkSocialAccount(provider);
-  }
-  // ============================================================================
-  // MFA Management
-  // ============================================================================
-  /**
-   * Get MFA status for the current user.
-   *
-   * @returns Promise of MFA status
-   *
-   * @example
-   * ```typescript
-   * const status = await this.auth.getMfaStatus();
-   * console.log('MFA enabled:', status.enabled);
-   * ```
-   */
-  async getMfaStatus() {
-    return this.client.getMfaStatus();
-  }
-  /**
-   * Get MFA devices for the current user.
-   *
-   * @returns Promise of MFA devices array
-   *
-   * @example
-   * ```typescript
-   * const devices = await this.auth.getMfaDevices();
-   * ```
-   */
-  async getMfaDevices() {
-    return this.client.getMfaDevices();
-  }
-  /**
-   * Setup MFA device (authenticated user).
-   *
-   * @param method - MFA method to set up
-   * @returns Promise of setup data
-   *
-   * @example
-   * ```typescript
-   * const setupData = await this.auth.setupMfaDevice('totp');
-   * ```
-   */
-  async setupMfaDevice(method) {
-    return this.client.setupMfaDevice(method);
-  }
-  /**
-   * Verify MFA setup (authenticated user).
-   *
-   * @param method - MFA method
-   * @param setupData - Setup data from setupMfaDevice
-   * @param deviceName - Optional device name
-   * @returns Promise with device ID
-   *
-   * @example
-   * ```typescript
-   * const result = await this.auth.verifyMfaSetup('totp', { code: '123456' }, 'My Phone');
-   * ```
-   */
-  async verifyMfaSetup(method, setupData, deviceName) {
-    return this.client.verifyMfaSetup(method, setupData, deviceName);
-  }
-  /**
-   * Remove MFA device.
-   *
-   * @param method - MFA method to remove
-   * @returns Promise with success message
-   *
-   * @example
-   * ```typescript
-   * await this.auth.removeMfaDevice('sms');
-   * ```
-   */
-  async removeMfaDevice(method) {
-    return this.client.removeMfaDevice(method);
-  }
-  /**
-   * Set preferred MFA method.
-   *
-   * @param method - Device method to set as preferred ('totp', 'sms', 'email', or 'passkey')
-   * @returns Promise with success message
-   *
-   * @example
-   * ```typescript
-   * await this.auth.setPreferredMfaMethod('totp');
-   * ```
-   */
-  async setPreferredMfaMethod(method) {
-    return this.client.setPreferredMfaMethod(method);
-  }
-  /**
-   * Generate backup codes.
-   *
-   * @returns Promise of backup codes array
-   *
-   * @example
-   * ```typescript
-   * const codes = await this.auth.generateBackupCodes();
-   * console.log('Backup codes:', codes);
-   * ```
-   */
-  async generateBackupCodes() {
-    return this.client.generateBackupCodes();
-  }
-  /**
-   * Set MFA exemption (admin/test scenarios).
-   *
-   * @param exempt - Whether to exempt user from MFA
-   * @param reason - Optional reason for exemption
-   * @returns Promise that resolves when exemption is set
-   *
-   * @example
-   * ```typescript
-   * await this.auth.setMfaExemption(true, 'Test account');
-   * ```
-   */
-  async setMfaExemption(exempt, reason) {
-    return this.client.setMfaExemption(exempt, reason);
-  }
-  // ============================================================================
-  // Device Trust
-  // ============================================================================
-  /**
-   * Trust current device.
-   *
-   * @returns Promise with device token
-   *
-   * @example
-   * ```typescript
-   * const result = await this.auth.trustDevice();
-   * console.log('Device trusted:', result.deviceToken);
-   * ```
-   */
-  async trustDevice() {
-    return this.client.trustDevice();
-  }
-  /**
-   * Check if the current device is trusted.
-   *
-   * @returns Promise with trusted status
-   *
-   * @example
-   * ```typescript
-   * const result = await this.auth.isTrustedDevice();
-   * if (result.trusted) {
-   *   console.log('This device is trusted');
-   * }
-   * ```
-   */
-  async isTrustedDevice() {
-    return this.client.isTrustedDevice();
-  }
-  // ============================================================================
-  // Audit History
-  // ============================================================================
-  /**
-   * Get paginated audit history for the current user.
-   *
-   * @param params - Query parameters for filtering and pagination
-   * @returns Promise of audit history response
-   *
-   * @example
-   * ```typescript
-   * const history = await this.auth.getAuditHistory({
-   *   page: 1,
-   *   limit: 20,
-   *   eventType: 'LOGIN_SUCCESS'
-   * });
-   * console.log('Audit history:', history);
-   * ```
-   */
-  async getAuditHistory(params) {
-    return this.client.getAuditHistory(params);
-  }
-  // ============================================================================
-  // Escape Hatch
-  // ============================================================================
-  /**
-   * Expose underlying NAuthClient for advanced scenarios.
-   *
-   * @deprecated All core functionality is now exposed directly on AuthService as Promises.
-   * Use the direct methods on AuthService instead (e.g., `auth.changePassword()` instead of `auth.getClient().changePassword()`).
-   * This method is kept for backward compatibility only and may be removed in a future version.
-   *
-   * @returns The underlying NAuthClient instance
-   *
-   * @example
-   * ```typescript
-   * // Deprecated - use direct methods instead
-   * const status = await this.auth.getClient().getMfaStatus();
-   *
-   * // Preferred - use direct methods
-   * const status = await this.auth.getMfaStatus();
-   * ```
-   */
-  getClient() {
-    return this.client;
-  }
-  // ============================================================================
-  // Internal Methods
-  // ============================================================================
-  /**
-   * Initialize by hydrating state from storage.
-   * Called automatically on construction.
-   */
-  async initialize() {
-    if (this.initialized)
-      return;
-    this.initialized = true;
-    await this.client.initialize();
-    const storedChallenge = await this.client.getStoredChallenge();
-    if (storedChallenge) {
-      this.challengeSubject.next(storedChallenge);
-    }
-    const user = this.client.getCurrentUser();
-    if (user) {
-      this.currentUserSubject.next(user);
-      this.isAuthenticatedSubject.next(true);
-    }
-  }
-  /**
-   * Update challenge state after auth response.
-   */
-  updateChallengeState(response) {
-    if (response.challengeName) {
-      this.challengeSubject.next(response);
-    } else {
-      this.challengeSubject.next(null);
-    }
-    return response;
-  }
-};
-__name(_AuthService, "AuthService");
-__publicField(_AuthService, "\u0275fac", i02.\u0275\u0275ngDeclareFactory({ minVersion: "12.0.0", version: "21.0.5", ngImport: i02, type: _AuthService, deps: [{ token: NAUTH_CLIENT_CONFIG, optional: true }], target: i02.\u0275\u0275FactoryTarget.Injectable }));
-__publicField(_AuthService, "\u0275prov", i02.\u0275\u0275ngDeclareInjectable({ minVersion: "12.0.0", version: "21.0.5", ngImport: i02, type: _AuthService, providedIn: "root" }));
-var AuthService = _AuthService;
-i02.\u0275\u0275ngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.0.5", ngImport: i02, type: AuthService, decorators: [{
-  type: import_core3.Injectable,
-  args: [{
-    providedIn: "root"
-  }]
-}], ctorParameters: /* @__PURE__ */ __name(() => [{ type: void 0, decorators: [{
-  type: import_core3.Optional
-}, {
-  type: import_core3.Inject,
-  args: [NAUTH_CLIENT_CONFIG]
-}] }], "ctorParameters") });
-
-// tmp/ngc/angular/angular/auth.interceptor.js
-var import_core4 = require("@angular/core");
-var import_common = require("@angular/common");
-var import_http2 = require("@angular/common/http");
-var import_router = require("@angular/router");
-var import_rxjs3 = require("rxjs");
-var isRefreshing = false;
-var refreshTokenSubject = new import_rxjs3.BehaviorSubject(null);
-var retriedRequests = /* @__PURE__ */ new WeakSet();
-function getCsrfToken(cookieName) {
-  if (typeof document === "undefined")
-    return null;
-  const match = document.cookie.match(new RegExp(`(^| )${cookieName}=([^;]+)`));
-  return match ? decodeURIComponent(match[2]) : null;
-}
-__name(getCsrfToken, "getCsrfToken");
-var authInterceptor = /* @__PURE__ */ __name((req, next) => {
-  const config = (0, import_core4.inject)(NAUTH_CLIENT_CONFIG);
-  const http = (0, import_core4.inject)(import_http2.HttpClient);
-  const authService = (0, import_core4.inject)(AuthService);
-  const platformId = (0, import_core4.inject)(import_core4.PLATFORM_ID);
-  const router = (0, import_core4.inject)(import_router.Router);
-  const isBrowser = (0, import_common.isPlatformBrowser)(platformId);
-  if (!isBrowser) {
-    return next(req);
-  }
-  const tokenDelivery = config.tokenDelivery;
-  const baseUrl = config.baseUrl;
-  const endpoints = config.endpoints ?? {};
-  const refreshPath = endpoints.refresh ?? "/refresh";
-  const loginPath = endpoints.login ?? "/login";
-  const signupPath = endpoints.signup ?? "/signup";
-  const socialExchangePath = endpoints.socialExchange ?? "/social/exchange";
-  const refreshUrl = `${baseUrl}${refreshPath}`;
-  const isAuthApiRequest = req.url.includes(baseUrl);
-  const isRefreshEndpoint = req.url.includes(refreshPath);
-  const isPublicEndpoint = req.url.includes(loginPath) || req.url.includes(signupPath) || req.url.includes(socialExchangePath);
-  let authReq = req;
-  if (tokenDelivery === "cookies") {
-    authReq = authReq.clone({ withCredentials: true });
-    if (["POST", "PUT", "PATCH", "DELETE"].includes(req.method)) {
-      const csrfCookieName = config.csrf?.cookieName ?? "nauth_csrf_token";
-      const csrfHeaderName = config.csrf?.headerName ?? "x-csrf-token";
-      const csrfToken = getCsrfToken(csrfCookieName);
-      if (csrfToken) {
-        authReq = authReq.clone({ setHeaders: { [csrfHeaderName]: csrfToken } });
-      }
-    }
-  }
-  return next(authReq).pipe((0, import_rxjs3.catchError)((error) => {
-    const shouldHandle = error instanceof import_http2.HttpErrorResponse && error.status === 401 && isAuthApiRequest && !isRefreshEndpoint && !isPublicEndpoint && !retriedRequests.has(req);
-    if (!shouldHandle) {
-      return (0, import_rxjs3.throwError)(() => error);
-    }
-    if (config.debug) {
-      console.warn("[nauth-interceptor] 401 detected:", req.url);
-    }
-    if (!isRefreshing) {
-      isRefreshing = true;
-      refreshTokenSubject.next(null);
-      if (config.debug) {
-        console.warn("[nauth-interceptor] Starting refresh...");
-      }
-      const refresh$ = tokenDelivery === "cookies" ? http.post(refreshUrl, {}, { withCredentials: true }) : (0, import_rxjs3.from)(authService.refresh());
-      return refresh$.pipe((0, import_rxjs3.switchMap)((response) => {
-        if (config.debug) {
-          console.warn("[nauth-interceptor] Refresh successful");
-        }
-        isRefreshing = false;
-        const newToken = "accessToken" in response ? response.accessToken : "success";
-        refreshTokenSubject.next(newToken ?? "success");
-        const retryReq = buildRetryRequest(authReq, tokenDelivery, newToken);
-        retriedRequests.add(retryReq);
-        if (config.debug) {
-          console.warn("[nauth-interceptor] Retrying:", req.url);
-        }
-        return next(retryReq);
-      }), (0, import_rxjs3.catchError)((err) => {
-        if (config.debug) {
-          console.error("[nauth-interceptor] Refresh failed:", err);
-        }
-        isRefreshing = false;
-        refreshTokenSubject.next(null);
-        if (config.redirects?.sessionExpired) {
-          router.navigateByUrl(config.redirects.sessionExpired).catch((navError) => {
-            if (config.debug) {
-              console.error("[nauth-interceptor] Navigation failed:", navError);
-            }
-          });
-        }
-        return (0, import_rxjs3.throwError)(() => err);
-      }));
-    } else {
-      if (config.debug) {
-        console.warn("[nauth-interceptor] Waiting for refresh...");
-      }
-      return refreshTokenSubject.pipe((0, import_rxjs3.filter)((token) => token !== null), (0, import_rxjs3.take)(1), (0, import_rxjs3.switchMap)((token) => {
-        if (config.debug) {
-          console.warn("[nauth-interceptor] Refresh done, retrying:", req.url);
-        }
-        const retryReq = buildRetryRequest(authReq, tokenDelivery, token);
-        retriedRequests.add(retryReq);
-        return next(retryReq);
-      }));
-    }
-  }));
-}, "authInterceptor");
-function buildRetryRequest(originalReq, tokenDelivery, newToken) {
-  if (tokenDelivery === "json" && newToken && newToken !== "success") {
-    return originalReq.clone({
-      setHeaders: { Authorization: `Bearer ${newToken}` }
-    });
-  }
-  return originalReq.clone();
-}
-__name(buildRetryRequest, "buildRetryRequest");
-var _AuthInterceptor = class _AuthInterceptor {
-  intercept(req, next) {
-    return authInterceptor(req, next);
-  }
-};
-__name(_AuthInterceptor, "AuthInterceptor");
-var AuthInterceptor = _AuthInterceptor;
-
-// tmp/ngc/angular/angular/auth.guard.js
-var import_core5 = require("@angular/core");
-var import_router2 = require("@angular/router");
-function authGuard(redirectTo = "/login") {
-  return () => {
-    const auth = (0, import_core5.inject)(AuthService);
-    const router = (0, import_core5.inject)(import_router2.Router);
-    if (auth.isAuthenticated()) {
-      return true;
-    }
-    return router.createUrlTree([redirectTo]);
-  };
-}
-__name(authGuard, "authGuard");
-var _AuthGuard = class _AuthGuard {
-  /**
-   * @param auth - Authentication service
-   * @param router - Angular router
-   */
-  constructor(auth, router) {
-    __publicField(this, "auth");
-    __publicField(this, "router");
-    this.auth = auth;
-    this.router = router;
-  }
-  /**
-   * Check if route can be activated.
-   *
-   * @returns True if authenticated, otherwise redirects to login
-   */
-  canActivate() {
-    if (this.auth.isAuthenticated()) {
-      return true;
-    }
-    return this.router.createUrlTree(["/login"]);
-  }
-};
-__name(_AuthGuard, "AuthGuard");
-var AuthGuard = _AuthGuard;
-
-// tmp/ngc/angular/angular/social-redirect-callback.guard.js
-var import_core6 = require("@angular/core");
-var import_common2 = require("@angular/common");
-var socialRedirectCallbackGuard = /* @__PURE__ */ __name(async () => {
-  const auth = (0, import_core6.inject)(AuthService);
-  const config = (0, import_core6.inject)(NAUTH_CLIENT_CONFIG);
-  const platformId = (0, import_core6.inject)(import_core6.PLATFORM_ID);
-  const isBrowser = (0, import_common2.isPlatformBrowser)(platformId);
-  if (!isBrowser) {
-    return false;
-  }
-  const params = new URLSearchParams(window.location.search);
-  const error = params.get("error");
-  const exchangeToken = params.get("exchangeToken");
-  if (error) {
-    const errorUrl = config.redirects?.oauthError || "/login";
-    window.location.replace(errorUrl);
-    return false;
-  }
-  if (!exchangeToken) {
-    try {
-      await auth.getProfile();
-    } catch {
-      const errorUrl = config.redirects?.oauthError || "/login";
-      window.location.replace(errorUrl);
-      return false;
-    }
-    const successUrl2 = config.redirects?.success || "/";
-    window.location.replace(successUrl2);
-    return false;
-  }
-  const response = await auth.exchangeSocialRedirect(exchangeToken);
-  if (response.challengeName) {
-    const challengeBase = config.redirects?.challengeBase || "/auth/challenge";
-    const challengeRoute = response.challengeName.toLowerCase().replace(/_/g, "-");
-    window.location.replace(`${challengeBase}/${challengeRoute}`);
-    return false;
-  }
-  const successUrl = config.redirects?.success || "/";
-  window.location.replace(successUrl);
-  return false;
-}, "socialRedirectCallbackGuard");
-
-// tmp/ngc/angular/angular/auth.module.js
-var import_core7 = require("@angular/core");
-var import_http3 = require("@angular/common/http");
-var i03 = __toESM(require("@angular/core"));
-var _NAuthModule = class _NAuthModule {
-  /**
-   * Configure the module with client settings.
-   *
-   * @param config - Client configuration
-   */
-  static forRoot(config) {
-    return {
-      ngModule: _NAuthModule,
-      providers: [
-        { provide: NAUTH_CLIENT_CONFIG, useValue: config },
-        { provide: import_http3.HTTP_INTERCEPTORS, useClass: AuthInterceptor, multi: true }
-      ]
-    };
-  }
-};
-__name(_NAuthModule, "NAuthModule");
-__publicField(_NAuthModule, "\u0275fac", i03.\u0275\u0275ngDeclareFactory({ minVersion: "12.0.0", version: "21.0.5", ngImport: i03, type: _NAuthModule, deps: [], target: i03.\u0275\u0275FactoryTarget.NgModule }));
-__publicField(_NAuthModule, "\u0275mod", i03.\u0275\u0275ngDeclareNgModule({ minVersion: "14.0.0", version: "21.0.5", ngImport: i03, type: _NAuthModule }));
-__publicField(_NAuthModule, "\u0275inj", i03.\u0275\u0275ngDeclareInjector({ minVersion: "12.0.0", version: "21.0.5", ngImport: i03, type: _NAuthModule }));
-var NAuthModule = _NAuthModule;
-i03.\u0275\u0275ngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.0.5", ngImport: i03, type: NAuthModule, decorators: [{
-  type: import_core7.NgModule,
-  args: [{}]
-}] });
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  AngularHttpAdapter,
-  AuthGuard,
-  AuthInterceptor,
-  AuthService,
-  NAUTH_CLIENT_CONFIG,
-  NAuthModule,
-  authGuard,
-  authInterceptor,
-  socialRedirectCallbackGuard
-});
-//# sourceMappingURL=index.cjs.map