@openclaw/msteams 2026.6.5 → 2026.6.6-beta.1

package/node_modules/@azure/msal-browser/lib/custom-auth-path/msal-custom-auth.js

@@ -1,4 +1,4 @@
-/*! @azure/msal-browser v5.11.0 2026-05-19 */
+/*! @azure/msal-browser v5.12.0 2026-06-05 */
 'use strict';
 (function (global, factory) {
     typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports) :
@@ -6,7 +6,7 @@
     (global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global.msalCustomAuth = {}));
 })(this, (function (exports) { 'use strict';
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -233,7 +233,7 @@
     // Token renewal offset default in seconds
     const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -285,7 +285,7 @@
     const RESOURCE = "resource";
     const CLI_DATA = "clidata";
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -316,7 +316,7 @@
         return new AuthError(code, additionalMessage || getDefaultErrorMessage$1(code));
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -336,7 +336,7 @@
         return new ClientConfigurationError(errorCode);
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -416,7 +416,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -439,7 +439,7 @@
         return new ClientAuthError(errorCode, additionalMessage);
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -465,7 +465,7 @@
     const invalidPlatformBrokerConfiguration = "invalid_platform_broker_configuration";
     const issuerValidationFailed = "issuer_validation_failed";
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -504,7 +504,7 @@
     const resourceParameterRequired = "resource_parameter_required";
     const misplacedResourceParam = "misplaced_resource_parameter";
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -699,7 +699,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1088,7 +1088,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1197,7 +1197,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1236,7 +1236,7 @@
         },
     };
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -1497,12 +1497,12 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /* eslint-disable header/header */
     const name$1 = "@azure/msal-common";
-    const version$1 = "16.6.2";
+    const version$1 = "16.7.0";
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -1511,7 +1511,7 @@
         // AzureCloudInstance is not specified.
         None: "none"};
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -1594,7 +1594,7 @@
         return updatedAccountInfo;
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1674,7 +1674,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1831,7 +1831,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1997,7 +1997,7 @@
         return null;
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -2005,7 +2005,7 @@
     const cacheQuotaExceeded = "cache_quota_exceeded";
     const cacheErrorUnknown = "cache_error_unknown";
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2043,7 +2043,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2081,7 +2081,7 @@
         };
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -2096,7 +2096,7 @@
         Ciam: 3,
     };
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -2118,7 +2118,7 @@
         return null;
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -2142,7 +2142,7 @@
         EAR: "EAR",
     };
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /**
      * Returns the AccountInfo interface for this account.
      */
@@ -2317,7 +2317,7 @@
             entity.hasOwnProperty("authorityType"));
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2457,8 +2457,8 @@
                 return false;
             }
             if (!!tenantProfileFilter.username &&
-                !(this.matchUsername(tenantProfile.username, tenantProfileFilter.username) ||
-                    !this.matchUsername(tenantProfile.upn, tenantProfileFilter.username))) {
+                !this.matchUsername(tenantProfile.username, tenantProfileFilter.username) &&
+                !this.matchUsername(tenantProfile.upn, tenantProfileFilter.username)) {
                 return false;
             }
             if (!!tenantProfileFilter.loginHint &&
@@ -3448,7 +3448,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -3462,7 +3462,7 @@
     const PerformanceEventStatus = {
         InProgress: 1};
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3517,7 +3517,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3612,7 +3612,7 @@
         return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -3639,7 +3639,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -3704,7 +3704,7 @@
         return cachedAtSec > nowSeconds();
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3963,7 +3963,7 @@
         return metadata.expiresAt <= nowSeconds();
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -4034,7 +4034,7 @@
     const CacheManagerGetRefreshToken = "cacheManagerGetRefreshToken";
     const SetUserData = "setUserData";
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -4127,7 +4127,7 @@
         };
     };
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4207,7 +4207,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -4231,7 +4231,7 @@
      * MSAL-defined error code indicating UI/UX is not allowed (e.g., blocked by policy), requiring alternate interaction.
      * @public
      */
-    const uxNotAllowed = "ux_not_allowed";
+    const uiNotAllowed = "ui_not_allowed";
     /**
      * Server-originated error code indicating interaction is required to complete the request.
      * @public
@@ -4258,7 +4258,7 @@
      */
     const interruptedUser = "interrupted_user";
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4272,7 +4272,7 @@
         consentRequired,
         loginRequired,
         badToken,
-        uxNotAllowed,
+        uiNotAllowed,
         interruptedUser,
     ];
     const InteractionRequiredAuthSubErrorMessage = [
@@ -4282,7 +4282,7 @@
         "user_password_expired",
         "consent_required",
         "bad_token",
-        "ux_not_allowed",
+        "ui_not_allowed",
         "interrupted_user",
     ];
     /**
@@ -4326,7 +4326,7 @@
         return new InteractionRequiredAuthError(errorCode, errorMessage);
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4345,7 +4345,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4413,7 +4413,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4761,7 +4761,7 @@
         return baseAccount;
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -4771,7 +4771,7 @@
         UPN: "UPN",
     };
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -4789,7 +4789,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -4810,7 +4810,7 @@
         };
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4896,7 +4896,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4927,7 +4927,7 @@
         return new NetworkError(error, httpStatus, responseHeaders);
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5041,7 +5041,7 @@
         return response;
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -5053,7 +5053,7 @@
             response.hasOwnProperty("jwks_uri"));
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -5063,7 +5063,7 @@
             response.hasOwnProperty("metadata"));
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -5073,7 +5073,7 @@
             response.hasOwnProperty("error_description"));
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5178,7 +5178,7 @@
         },
     };
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5735,7 +5735,7 @@
                 }
             }
             // If cloudDiscoveryMetadata is empty or does not contain the host, check knownAuthorities
-            if (this.isInKnownAuthorities()) {
+            if (this.isInKnownAuthorities(this.hostnameAndPort)) {
                 this.logger.verbose("0mt9al", this.correlationId);
                 return Authority.createCloudDiscoveryMetadataFromHost(this.hostnameAndPort);
             }
@@ -5802,13 +5802,14 @@
             return match;
         }
         /**
-         * Helper function to determine if this host is included in the knownAuthorities config option
+         * Helper function to determine if a host is included in the knownAuthorities config option.
          */
-        isInKnownAuthorities() {
+        isInKnownAuthorities(host) {
+            const normalizedHost = host.toLowerCase();
             const matches = this.authorityOptions.knownAuthorities.filter((authority) => {
                 return (authority &&
                     UrlString.getDomainFromUrl(authority).toLowerCase() ===
-                        this.hostnameAndPort);
+                        normalizedHost);
             });
             return matches.length > 0;
         }
@@ -5885,6 +5886,10 @@
          *  4. Same as (2), but the issuer host matches the CIAM tenant pattern
          *     `{tenant}.ciamlogin.com` with an optional `/{tenant}[.onmicrosoft.com][/v2.0]`
          *     path.
+         *  5. The issuer host is HTTPS and is explicitly listed in the
+         *     developer-configured `knownAuthorities`. This covers scenarios where
+         *     the OIDC discovery document returns an issuer host that differs from
+         *     the authority (e.g., a GUID-based issuer for a name-based CIAM authority).
          *
          * @param issuer The `issuer` value returned in the OIDC discovery document.
          * @throws ClientConfigurationError("issuer_validation_failed") on failure.
@@ -5921,11 +5926,19 @@
              * have "{tenant}.ciamlogin.com" as the host, even when using a custom domain.
              */
             const matchesCiamTenantPattern = this.matchesCiamTenantPattern(issuerUrl, authorityHost, this.canonicalAuthorityUrlComponents.PathSegments);
+            /*
+             * Rule 5: The issuer host is explicitly listed in the developer-configured
+             * knownAuthorities. This covers scenarios where the OIDC discovery document
+             * returns an issuer with a different host than the authority
+             * (e.g., a GUID-based issuer for a name-based authority).
+             */
+            const matchesKnownAuthority = issuerScheme === "https:" && this.isInKnownAuthorities(issuerHost);
             // Each rule is an independent boolean; the issuer is valid if ANY rule matches.
             if (matchesAuthorityOrigin ||
                 matchesKnownMicrosoftHost ||
                 matchesRegionalMicrosoftHost ||
-                matchesCiamTenantPattern) {
+                matchesCiamTenantPattern ||
+                matchesKnownAuthority) {
                 return;
             }
             // issuer validation fails if none of the above rules are satisfied
@@ -6133,7 +6146,7 @@
         };
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6167,7 +6180,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6424,7 +6437,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6645,7 +6658,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6761,7 +6774,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6776,7 +6789,7 @@
         },
     };
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6999,7 +7012,7 @@
         return account.loginHint || account.idTokenClaims?.login_hint || null;
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7032,7 +7045,7 @@
         return Object.prototype.hasOwnProperty.call(params, "resource");
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -7042,7 +7055,7 @@
      */
     const unexpectedError = "unexpected_error";
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7303,7 +7316,7 @@
         }
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7324,7 +7337,7 @@
         return new JoseHeaderError(code);
     }
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -7332,7 +7345,7 @@
     const missingKidError = "missing_kid_error";
     const missingAlgError = "missing_alg_error";
 
-    /*! @azure/msal-common v16.6.2 2026-05-19 */
+    /*! @azure/msal-common v16.7.0 2026-06-05 */
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7767,7 +7780,7 @@
 
     /* eslint-disable header/header */
     const name = "@azure/msal-browser";
-    const version = "5.11.0";
+    const version = "5.12.0";
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8661,6 +8674,43 @@
         return new BrowserAuthError(errorCode, subError);
     }
 
+    /*
+     * Copyright (c) Microsoft Corporation. All rights reserved.
+     * Licensed under the MIT License.
+     */
+    /**
+     * Class which exposes APIs to decode base64 strings to plaintext. See here for implementation details:
+     * https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
+     */
+    /**
+     * Returns a URL-safe plaintext decoded string from b64 encoded input.
+     * @param input
+     */
+    function base64Decode(input) {
+        return new TextDecoder().decode(base64DecToArr(input));
+    }
+    /**
+     * Decodes base64 into Uint8Array
+     * @param base64String
+     */
+    function base64DecToArr(base64String) {
+        let encodedString = base64String.replace(/-/g, "+").replace(/_/g, "/");
+        switch (encodedString.length % 4) {
+            case 0:
+                break;
+            case 2:
+                encodedString += "==";
+                break;
+            case 3:
+                encodedString += "=";
+                break;
+            default:
+                throw createBrowserAuthError(invalidBase64String);
+        }
+        const binString = atob(encodedString);
+        return Uint8Array.from(binString, (m) => m.codePointAt(0) || 0);
+    }
+
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -8705,43 +8755,6 @@
         return btoa(binString);
     }
 
-    /*
-     * Copyright (c) Microsoft Corporation. All rights reserved.
-     * Licensed under the MIT License.
-     */
-    /**
-     * Class which exposes APIs to decode base64 strings to plaintext. See here for implementation details:
-     * https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
-     */
-    /**
-     * Returns a URL-safe plaintext decoded string from b64 encoded input.
-     * @param input
-     */
-    function base64Decode(input) {
-        return new TextDecoder().decode(base64DecToArr(input));
-    }
-    /**
-     * Decodes base64 into Uint8Array
-     * @param base64String
-     */
-    function base64DecToArr(base64String) {
-        let encodedString = base64String.replace(/-/g, "+").replace(/_/g, "/");
-        switch (encodedString.length % 4) {
-            case 0:
-                break;
-            case 2:
-                encodedString += "==";
-                break;
-            case 3:
-                encodedString += "=";
-                break;
-            default:
-                throw createBrowserAuthError(invalidBase64String);
-        }
-        const binString = atob(encodedString);
-        return Uint8Array.from(binString, (m) => m.codePointAt(0) || 0);
-    }
-
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
      * Licensed under the MIT License.
@@ -9210,7 +9223,7 @@
             activeBridgeMonitor = null;
         }
     }
-    async function waitForBridgeResponse(timeoutMs, logger, browserCrypto, request, performanceClient, experimentalConfig) {
+    async function waitForBridgeResponse(timeoutMs, logger, request, performanceClient, experimentalConfig) {
         return new Promise((resolve, reject) => {
             logger.verbose("BrowserUtils.waitForBridgeResponse - started", request.correlationId);
             const correlationId = request.correlationId;
@@ -9218,7 +9231,7 @@
                 redirectBridgeTimeoutMs: timeoutMs,
                 lateResponseExperimentEnabled: experimentalConfig?.iframeTimeoutTelemetry || false,
             }, correlationId);
-            const { libraryState } = parseRequestState(browserCrypto.base64Decode, request.state || "");
+            const { libraryState } = parseRequestState(base64Decode, request.state || "");
             const channel = new BroadcastChannel(libraryState.id);
             let responseString = undefined;
             let timedOut$1 = false;
@@ -15083,6 +15096,7 @@
                 ? await this.browserStorage.decryptData(key, parsedValue, correlationId)
                 : parsedValue;
             if (!decryptedData || !isCredentialEntity(decryptedData)) {
+                this.browserStorage.removeItem(key);
                 this.performanceClient.incrementFields({ invalidCacheCount: 1 }, correlationId);
                 return null;
             }
@@ -15113,6 +15127,7 @@
                 const rawValue = this.browserStorage.getItem(accountKey);
                 const parsedValue = this.validateAndParseJson(rawValue || "");
                 if (!parsedValue) {
+                    this.browserStorage.removeItem(accountKey);
                     removeElementFromArray(accountKeysToCheck, accountKey);
                     continue;
                 }
@@ -15127,6 +15142,15 @@
                     await this.removeAccountOldSchema(accountKey, parsedValue, credentialSchema, correlationId);
                     removeElementFromArray(accountKeysToCheck, accountKey);
                 }
+                else if (isEncrypted(parsedValue)) {
+                    // Remove accounts encrypted with a different key (session cookie expired/changed)
+                    const decrypted = await this.browserStorage.decryptData(accountKey, parsedValue, correlationId);
+                    if (!decrypted) {
+                        this.browserStorage.removeItem(accountKey);
+                        this.performanceClient.incrementFields({ expiredAcntRemovedCount: 1 }, correlationId);
+                        removeElementFromArray(accountKeysToCheck, accountKey);
+                    }
+                }
             }
             this.setAccountKeys(accountKeysToCheck, correlationId, accountSchema);
         }
@@ -16656,7 +16680,7 @@
     const NO_NETWORK = "NO_NETWORK";
     const DISABLED = "DISABLED";
     const ACCOUNT_UNAVAILABLE = "ACCOUNT_UNAVAILABLE";
-    const UX_NOT_ALLOWED = "UX_NOT_ALLOWED";
+    const UI_NOT_ALLOWED = "UI_NOT_ALLOWED";
 
     /*
      * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -16711,8 +16735,8 @@
                     return createBrowserAuthError(userCancelled);
                 case NO_NETWORK:
                     return createBrowserAuthError(noNetworkConnectivity);
-                case UX_NOT_ALLOWED:
-                    return createInteractionRequiredAuthError(uxNotAllowed);
+                case UI_NOT_ALLOWED:
+                    return createInteractionRequiredAuthError(uiNotAllowed);
             }
         }
         return new NativeAuthError(code, description, ext);
@@ -16943,7 +16967,7 @@
                 noHistory: false,
             };
             const redirectUri = navigateToLoginRequestUrl
-                ? window.location.href
+                ? UrlString.getAbsoluteUrl(request.redirectStartPage || window.location.href, getCurrentUri())
                 : getRedirectUri(request.redirectUri, this.config.auth.redirectUri, this.logger, this.correlationId);
             rootMeasurement.end({ success: true });
             await this.navigationClient.navigateExternal(redirectUri, navigationOptions); // Need to treat this as external to ensure handleRedirectPromise is run again
@@ -18512,10 +18536,11 @@
      * Licensed under the MIT License.
      */
     class PopupClient extends StandardInteractionClient {
-        constructor(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, performanceClient, nativeStorageImpl, correlationId, platformAuthHandler) {
+        constructor(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, performanceClient, nativeStorageImpl, correlationId, platformAuthHandler, waitForPopupResponseHook) {
             super(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, performanceClient, correlationId, platformAuthHandler);
             this.nativeStorage = nativeStorageImpl;
             this.eventHandler = eventHandler;
+            this.waitForPopupResponseHook = waitForPopupResponseHook;
         }
         /**
          * Acquires tokens by opening a popup window to the /authorize endpoint of the authority
@@ -18649,7 +18674,7 @@
                     const popupWindow = this.initiateAuthRequest(navigateUrl, popupParams);
                     this.eventHandler.emitEvent(EventType.POPUP_OPENED, correlationId, InteractionType.Popup, { popupWindow }, null);
                     // Wait for the redirect bridge response
-                    const responseString = await waitForBridgeResponse(this.config.system.popupBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient);
+                    const responseString = await this.waitForPopupResponse(request, popupWindow, popupParams.popupWindowParent);
                     const serverParams = invoke(deserializeResponse, DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.responseMode, this.logger, this.correlationId);
                     return await invokeAsync(handleResponseCode, HandleResponseCode, this.logger, this.performanceClient, correlationId)(request, serverParams, pkce.verifier, ApiId.acquireTokenPopup, this.config, authClient, this.browserStorage, this.nativeStorage, this.eventHandler, this.logger, this.performanceClient, this.platformAuthProvider);
                 }
@@ -18684,7 +18709,7 @@
             const form = await getEARForm(popupWindow.document, this.config, discoveredAuthority, popupRequest, this.logger, this.performanceClient);
             form.submit();
             // Monitor the popup for the hash. Return the string value and close the popup when the hash is received. Default timeout is 60 seconds.
-            const responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.popupBridgeTimeout, this.logger, this.browserCrypto, popupRequest, this.performanceClient);
+            const responseString = await invokeAsync(this.waitForPopupResponse.bind(this), SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(popupRequest, popupWindow, popupParams.popupWindowParent);
             const serverParams = invoke(deserializeResponse, DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.responseMode, this.logger, this.correlationId);
             if (!serverParams.ear_jwe && serverParams.code) {
                 const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, correlationId)({
@@ -18709,7 +18734,7 @@
             const form = await getCodeForm(popupWindow.document, this.config, discoveredAuthority, request, this.logger, this.performanceClient);
             form.submit();
             // Monitor the popup for the hash. Return the string value and close the popup when the hash is received. Default timeout is 60 seconds.
-            const responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.popupBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient);
+            const responseString = await invokeAsync(this.waitForPopupResponse.bind(this), SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(request, popupWindow, popupParams.popupWindowParent);
             const serverParams = invoke(deserializeResponse, DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.responseMode, this.logger, this.correlationId);
             return invokeAsync(handleResponseCode, HandleResponseCode, this.logger, this.performanceClient, correlationId)(request, serverParams, pkceVerifier, ApiId.acquireTokenPopup, this.config, authClient, this.browserStorage, this.nativeStorage, this.eventHandler, this.logger, this.performanceClient, this.platformAuthProvider);
         }
@@ -18766,7 +18791,7 @@
                 // Open the popup window to requestUrl.
                 const popupWindow = this.openPopup(logoutUri, popupParams);
                 this.eventHandler.emitEvent(EventType.POPUP_OPENED, validRequest.correlationId, InteractionType.Popup, { popupWindow }, null);
-                await waitForBridgeResponse(this.config.system.popupBridgeTimeout, this.logger, this.browserCrypto, validRequest, this.performanceClient).catch(() => {
+                await this.waitForPopupResponse(validRequest, popupWindow, popupParams.popupWindowParent).catch(() => {
                     // Swallow any errors related to monitoring the window. Server logout is best effort
                 });
                 if (mainWindowRedirectUri) {
@@ -18845,6 +18870,19 @@
                 if (!popupWindow) {
                     throw createBrowserAuthError(emptyWindowError);
                 }
+                try {
+                    popupWindow.document.title = "Microsoft Authentication";
+                }
+                catch (e) {
+                    if (typeof DOMException !== "undefined" &&
+                        e instanceof DOMException &&
+                        e.name === "SecurityError") {
+                        // Cross-origin - title cannot be set
+                    }
+                    else {
+                        this.logger.verbose("Could not set document.title on popup window", this.correlationId);
+                    }
+                }
                 if (popupWindow.focus) {
                     popupWindow.focus();
                 }
@@ -18923,6 +18961,12 @@
             const homeAccountId = request.account && request.account.homeAccountId;
             return `${BrowserConstants.POPUP_NAME_PREFIX}.${this.config.auth.clientId}.${homeAccountId}.${this.correlationId}`;
         }
+        async waitForPopupResponse(request, popupWindow, popupWindowParent) {
+            if (this.waitForPopupResponseHook) {
+                return this.waitForPopupResponseHook(request, popupWindow, popupWindowParent);
+            }
+            return waitForBridgeResponse(this.config.system.popupBridgeTimeout, this.logger, request, this.performanceClient);
+        }
     }
 
     /*
@@ -19076,6 +19120,8 @@
          * @param options {HandleRedirectPromiseOptions} options for handling redirect promise
          */
         async handleRedirectPromise(request, pkceVerifier, parentMeasurement, options) {
+            const originalTitle = document.title;
+            document.title = "Microsoft Authentication";
             const serverTelemetryManager = initializeServerTelemetryManager(ApiId.handleRedirectPromise, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
             const navigateToLoginRequestUrl = options?.navigateToLoginRequestUrl ?? true;
             try {
@@ -19158,6 +19204,9 @@
                 }
                 throw e;
             }
+            finally {
+                document.title = originalTitle;
+            }
         }
         /**
          * Gets the response hash for a redirect request
@@ -19413,6 +19462,7 @@
     function createHiddenIframe() {
         const authFrame = document.createElement("iframe");
         authFrame.className = "msalSilentIframe";
+        authFrame.title = "Microsoft Authentication";
         authFrame.style.visibility = "hidden";
         authFrame.style.position = "absolute";
         authFrame.style.width = authFrame.style.height = "0";
@@ -19438,10 +19488,11 @@
      * Licensed under the MIT License.
      */
     class SilentIframeClient extends StandardInteractionClient {
-        constructor(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, apiId, performanceClient, nativeStorageImpl, correlationId, platformAuthProvider) {
+        constructor(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, apiId, performanceClient, nativeStorageImpl, correlationId, platformAuthProvider, waitForIframeResponseHook) {
             super(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, performanceClient, correlationId, platformAuthProvider);
             this.apiId = apiId;
             this.nativeStorage = nativeStorageImpl;
+            this.waitForIframeResponseHook = waitForIframeResponseHook;
         }
         /**
          * Acquires a token silently by opening a hidden iframe to the /authorize endpoint with prompt=none or prompt=no_session
@@ -19530,7 +19581,7 @@
             const responseType = this.config.auth.OIDCOptions.responseMode;
             let responseString;
             try {
-                responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.iframeBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient, this.config.experimental);
+                responseString = await invokeAsync(this.waitForIframeResponse.bind(this), SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(iframe, request);
             }
             finally {
                 invoke(removeHiddenIframe, RemoveHiddenIframe, this.logger, this.performanceClient, correlationId)(iframe);
@@ -19628,7 +19679,7 @@
             // Wait for response from the redirect bridge.
             let responseString;
             try {
-                responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.iframeBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient, this.config.experimental);
+                responseString = await invokeAsync(this.waitForIframeResponse.bind(this), SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(iframe, request);
             }
             finally {
                 invoke(removeHiddenIframe, RemoveHiddenIframe, this.logger, this.performanceClient, correlationId)(iframe);
@@ -19636,6 +19687,12 @@
             const serverParams = invoke(deserializeResponse, DeserializeResponse, this.logger, this.performanceClient, correlationId)(responseString, responseType, this.logger, this.correlationId);
             return { serverParams, pkceCodes, silentRequest };
         }
+        async waitForIframeResponse(iframe, request) {
+            if (this.waitForIframeResponseHook) {
+                return this.waitForIframeResponseHook(iframe, request);
+            }
+            return waitForBridgeResponse(this.config.system.iframeBridgeTimeout, this.logger, request, this.performanceClient, this.config.experimental);
+        }
     }
 
     /*
@@ -20837,7 +20894,7 @@
          * @param correlationId
          */
         createPopupClient(correlationId) {
-            return new PopupClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, this.performanceClient, this.nativeInternalStorage, correlationId, this.platformAuthProvider);
+            return new PopupClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, this.performanceClient, this.nativeInternalStorage, correlationId, this.platformAuthProvider, this.operatingContext.getResponseHandlers()?.waitForPopupResponse);
         }
         /**
          * Returns new instance of the Redirect Interaction Client
@@ -20851,7 +20908,7 @@
          * @param correlationId
          */
         createSilentIframeClient(correlationId) {
-            return new SilentIframeClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, ApiId.ssoSilent, this.performanceClient, this.nativeInternalStorage, correlationId, this.platformAuthProvider);
+            return new SilentIframeClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, ApiId.ssoSilent, this.performanceClient, this.nativeInternalStorage, correlationId, this.platformAuthProvider, this.operatingContext.getResponseHandlers()?.waitForIframeResponse);
         }
         /**
          * Returns new instance of the Silent Cache Interaction Client
@@ -21624,7 +21681,7 @@
                     return;
             }
         }
-        constructor(config) {
+        constructor(config, responseHandlers) {
             /*
              * If loaded in an environment where window is not available,
              * set internal flag to false so that further requests fail.
@@ -21632,6 +21689,7 @@
              */
             this.browserEnvironment = typeof window !== "undefined";
             this.config = buildConfiguration(config, this.browserEnvironment);
+            this.responseHandlers = responseHandlers;
             let sessionStorage;
             try {
                 sessionStorage = window[BrowserCacheLocation.SessionStorage];
@@ -21668,6 +21726,13 @@
         getConfig() {
             return this.config;
         }
+        /**
+         * Returns the internal response handlers supplied by PublicClientApplication, if any.
+         * @returns AuthResponseHandlers | undefined
+         */
+        getResponseHandlers() {
+            return this.responseHandlers;
+        }
         /**
          * Returns the MSAL Logger
          * @returns Logger
@@ -22032,7 +22097,48 @@
         constructor(configuration, controller) {
             this.controller =
                 controller ||
-                    new StandardController(new StandardOperatingContext(configuration));
+                    new StandardController(new StandardOperatingContext(configuration, {
+                        waitForPopupResponse: this.waitForPopupResponse.bind(this),
+                        waitForIframeResponse: this.waitForIframeResponse.bind(this),
+                    }));
+        }
+        /**
+         * Waits for the auth response from a popup window opened by MSAL.
+         *
+         * The default implementation delegates to MSAL's `BroadcastChannel`-based bridge.
+         * Subclasses must return the raw response string (hash/query/fragment), or reject
+         * with an `AuthError` on failure.
+         *
+         * @internal
+         * @param request The in-flight authorization or end-session request.
+         * @param popupWindow The popup window opened by MSAL.
+         * @param popupWindowParent The parent window that opened the popup.
+         */
+        async waitForPopupResponse(request, 
+        // eslint-disable-next-line @typescript-eslint/no-unused-vars
+        popupWindow, 
+        // eslint-disable-next-line @typescript-eslint/no-unused-vars
+        popupWindowParent) {
+            const controller = this.controller;
+            return waitForBridgeResponse(controller.getConfiguration().system.popupBridgeTimeout, controller.getLogger(), request, controller.getPerformanceClient());
+        }
+        /**
+         * Waits for the auth response from a hidden iframe used by MSAL silent flows.
+         *
+         * The default implementation delegates to MSAL's `BroadcastChannel`-based bridge.
+         * Subclasses must return the raw response string (hash/query/fragment), or reject
+         * with an `AuthError` on failure.
+         *
+         * @internal
+         * @param iframe The hidden iframe MSAL attached to the document.
+         * @param request The in-flight authorization request.
+         */
+        async waitForIframeResponse(
+        // eslint-disable-next-line @typescript-eslint/no-unused-vars
+        iframe, request) {
+            const controller = this.controller;
+            const config = controller.getConfiguration();
+            return waitForBridgeResponse(config.system.iframeBridgeTimeout, controller.getLogger(), request, controller.getPerformanceClient(), config.experimental);
         }
         /**
          * Initializer function to perform async startup tasks such as connecting to WAM extension