@oxy-hq/sdk 1.0.0 → 2.0.0

package/package.json

@@ -1,78 +1,73 @@
-{
-  "name": "@oxy-hq/sdk",
-  "version": "1.0.0",
-  "description": "TypeScript SDK for interacting with Oxy data platform",
-  "main": "./dist/index.js",
-  "module": "./dist/index.mjs",
-  "types": "./dist/index.d.ts",
-  "type": "module",
-  "exports": {
-    ".": {
-      "types": "./dist/index.d.ts",
-      "require": "./dist/index.js",
-      "import": "./dist/index.mjs"
-    }
-  },
-  "files": [
-    "dist",
-    "README.md",
-    "LICENSE"
-  ],
-  "scripts": {
-    "build": "tsdown",
-    "build:watch": "tsdown --watch",
-    "dev": "tsdown --watch",
-    "typecheck": "tsc --noEmit",
-    "lint": "ESLINT_USE_FLAT_CONFIG=false eslint src --ext .ts",
-    "test": "vitest run",
-    "test:watch": "vitest",
-    "prepublishOnly": "pnpm build",
-    "publish:beta": "npm publish --tag beta",
-    "publish:latest": "npm publish --tag latest",
-    "demo:react": "cd examples/react-vite-demo && pnpm install --ignore-workspace && pnpm dev",
-    "demo:setup": "cd examples/react-vite-demo && pnpm install --ignore-workspace"
-  },
-  "keywords": [
-    "oxy",
-    "data",
-    "analytics",
-    "sdk",
-    "parquet",
-    "duckdb"
-  ],
-  "author": "Oxy Team",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/dataframehq/oxy-internal.git",
-    "directory": "sdk/typescript"
-  },
-  "bugs": {
-    "url": "https://github.com/dataframehq/oxy-internal/issues"
-  },
-  "homepage": "https://oxy.tech",
-  "peerDependencies": {
-    "@duckdb/duckdb-wasm": "^1.29.0",
-    "react": "^19.0.0"
-  },
-  "peerDependenciesMeta": {
-    "react": {
-      "optional": true
-    }
-  },
-  "devDependencies": {
-    "@duckdb/duckdb-wasm": "^1.32.0",
-    "@types/node": "^25.2.3",
-    "@types/react": "^19.2.14",
-    "@typescript-eslint/eslint-plugin": "^8.55.0",
-    "@typescript-eslint/parser": "^8.55.0",
-    "eslint": "^10.0.0",
-    "react": "^19.2.4",
-    "tsdown": "^0.20.3",
-    "typescript": "^5.9.3",
-    "vitest": "^4.0.18"
-  },
-  "engines": {
-    "node": ">=18.0.0"
-  }
-}
+{
+  "name": "@oxy-hq/sdk",
+  "version": "2.0.0",
+  "description": "React SDK for building customer-app bundles on the Oxy platform",
+  "main": "./dist/index.js",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts",
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "require": "./dist/index.js",
+      "import": "./dist/index.mjs"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org",
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsdown",
+    "build:watch": "tsdown --watch",
+    "dev": "tsdown --watch",
+    "typecheck": "tsc --noEmit",
+    "lint": "ESLINT_USE_FLAT_CONFIG=false eslint src --ext .ts",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "prepublishOnly": "pnpm build",
+    "publish:beta": "npm publish --tag beta",
+    "publish:latest": "npm publish --tag latest"
+  },
+  "keywords": [
+    "oxy",
+    "data",
+    "analytics",
+    "sdk",
+    "react",
+    "customer-apps"
+  ],
+  "author": "Oxy Team",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/oxy-hq/oxy-internal.git",
+    "directory": "sdk/typescript"
+  },
+  "bugs": {
+    "url": "https://github.com/oxy-hq/oxy-internal/issues"
+  },
+  "homepage": "https://oxy.tech",
+  "peerDependencies": {
+    "react": "^19.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^25.9.1",
+    "@types/react": "^19.2.15",
+    "@typescript-eslint/eslint-plugin": "^8.60.0",
+    "@typescript-eslint/parser": "^8.60.0",
+    "eslint": "^10.4.0",
+    "react": "^19.2.6",
+    "tsdown": "^0.22.0",
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.7"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}

package/dist/postMessage-Cb5PCtcE.cjs

@@ -1,233 +0,0 @@
-// @oxy/sdk - TypeScript SDK for Oxy data platform
-const require_index = require('./index.cjs');
-
-//#region src/types.ts
-/**
-* Custom error classes for postMessage authentication
-*/
-/**
-* Error thrown when postMessage authentication times out
-*/
-var PostMessageAuthTimeoutError = class extends Error {
-	constructor(timeout) {
-		super(`Parent window did not respond to authentication request within ${timeout}ms.\n\nPossible causes:\n- Parent window is not listening for 'OXY_AUTH_REQUEST' messages\n- Parent origin mismatch\n- Network/browser issues\n\nTroubleshooting:\n1. Verify parent window has message listener set up\n2. Check parentOrigin configuration matches parent window origin\n3. Open browser console in parent window for errors`);
-		this.name = "PostMessageAuthTimeoutError";
-	}
-};
-/**
-* Error thrown when authentication response comes from unauthorized origin
-*/
-var PostMessageAuthInvalidOriginError = class extends Error {
-	constructor(expected, actual) {
-		super(`Received authentication response from unauthorized origin.\n\nExpected: ${expected}\nActual: ${actual}\n\nThis is a security error. Verify your parentOrigin configuration.`);
-		this.name = "PostMessageAuthInvalidOriginError";
-	}
-};
-/**
-* Error thrown when postMessage authentication is attempted outside iframe context
-*/
-var PostMessageAuthNotInIframeError = class extends Error {
-	constructor() {
-		const currentContext = getCurrentContext();
-		super(`PostMessage authentication is only available when running in an iframe context.\n\nCurrent context: ${currentContext}\n\nIf you're running in a regular browser window, use direct configuration instead:\nconst client = new OxyClient({ apiKey: 'your-key', ... })`);
-		this.name = "PostMessageAuthNotInIframeError";
-	}
-};
-function getCurrentContext() {
-	if (typeof window === "undefined") return "non-browser (Node.js)";
-	if (window === window.parent) return "top-level window";
-	return "iframe";
-}
-/**
-* Error thrown when authentication response is malformed or invalid
-*/
-var PostMessageAuthInvalidResponseError = class extends Error {
-	constructor(reason) {
-		super(`Invalid authentication response from parent: ${reason}`);
-		this.name = "PostMessageAuthInvalidResponseError";
-	}
-};
-
-//#endregion
-//#region src/auth/postMessage.ts
-var postMessage_exports = /* @__PURE__ */ require_index.__exportAll({
-	generateRequestId: () => generateRequestId,
-	isInIframe: () => isInIframe,
-	requestAuthFromParent: () => requestAuthFromParent,
-	validateOrigin: () => validateOrigin
-});
-/**
-* Check if the current context is running inside an iframe
-*
-* @returns true if running in an iframe, false otherwise (including Node.js)
-*/
-function isInIframe() {
-	if (typeof window === "undefined") return false;
-	try {
-		return window !== window.parent && window.parent !== null;
-	} catch {
-		return true;
-	}
-}
-/**
-* Generate a unique request ID for tracking auth requests
-*
-* @returns A unique identifier string
-*/
-function generateRequestId() {
-	if (typeof crypto !== "undefined" && crypto.randomUUID) return crypto.randomUUID();
-	return `${Date.now()}-${Math.random().toString(36).substring(2, 11)}`;
-}
-/**
-* Validate that a message origin matches the expected origin
-*
-* @param messageOrigin - The origin from the message event
-* @param allowedOrigin - The expected/allowed origin
-* @returns true if origin is valid, false otherwise
-*/
-function validateOrigin(messageOrigin, allowedOrigin) {
-	if (!allowedOrigin) return false;
-	if (allowedOrigin === "*") return true;
-	if (messageOrigin === allowedOrigin) return true;
-	try {
-		const messageUrl = new URL(messageOrigin);
-		const allowedUrl = new URL(allowedOrigin);
-		return messageUrl.origin === allowedUrl.origin;
-	} catch {
-		return messageOrigin === allowedOrigin;
-	}
-}
-/**
-* Create a promise that listens for an authentication response
-*
-* @param requestId - The request ID to match against
-* @param origin - The expected parent origin
-* @param timeout - Timeout in milliseconds
-* @returns Promise that resolves with the auth response
-*/
-function createAuthListener(requestId, origin, timeout) {
-	return new Promise((resolve, reject) => {
-		const listener = (event) => {
-			if (!validateOrigin(event.origin, origin)) return;
-			if (!event.data || event.data.type !== "OXY_AUTH_RESPONSE") return;
-			const response = event.data;
-			if (response.requestId !== requestId) return;
-			if (response.version !== "1.0") {
-				clearTimeout(timeoutId);
-				window.removeEventListener("message", listener);
-				reject(new PostMessageAuthInvalidResponseError(`Unsupported protocol version: ${response.version}`));
-				return;
-			}
-			clearTimeout(timeoutId);
-			window.removeEventListener("message", listener);
-			resolve(response);
-		};
-		const timeoutId = setTimeout(() => {
-			window.removeEventListener("message", listener);
-			reject(new PostMessageAuthTimeoutError(timeout));
-		}, timeout);
-		window.addEventListener("message", listener);
-	});
-}
-/**
-* Request authentication from parent window via postMessage
-*
-* This is the main entry point for iframe-based authentication.
-* It sends a request to the parent window and waits for a response.
-*
-* @param options - Configuration options for the auth request
-* @returns Promise that resolves with authentication credentials
-* @throws {PostMessageAuthNotInIframeError} If not in an iframe
-* @throws {PostMessageAuthTimeoutError} If parent doesn't respond in time
-* @throws {PostMessageAuthInvalidOriginError} If response from wrong origin
-* @throws {PostMessageAuthInvalidResponseError} If response is malformed
-*
-* @example
-* ```typescript
-* const auth = await requestAuthFromParent({
-*   parentOrigin: 'https://app.example.com',
-*   timeout: 5000
-* });
-* console.log('Received API key:', auth.apiKey);
-* ```
-*/
-async function requestAuthFromParent(options = {}) {
-	const { parentOrigin, timeout = 5e3, retries = 0 } = options;
-	if (!isInIframe()) throw new PostMessageAuthNotInIframeError();
-	if (typeof window === "undefined") throw new PostMessageAuthNotInIframeError();
-	const requestId = generateRequestId();
-	const request = {
-		type: "OXY_AUTH_REQUEST",
-		version: "1.0",
-		timestamp: Date.now(),
-		requestId
-	};
-	let lastError = null;
-	const maxAttempts = retries + 1;
-	for (let attempt = 0; attempt < maxAttempts; attempt++) try {
-		const responsePromise = createAuthListener(requestId, parentOrigin, timeout);
-		const targetOrigin = parentOrigin || "*";
-		window.parent.postMessage(request, targetOrigin);
-		const response = await responsePromise;
-		return {
-			apiKey: response.apiKey,
-			projectId: response.projectId,
-			baseUrl: response.baseUrl,
-			source: "postmessage"
-		};
-	} catch (error) {
-		lastError = error;
-		if (!(error instanceof PostMessageAuthTimeoutError)) throw error;
-		if (attempt < maxAttempts - 1) {
-			await new Promise((resolve) => setTimeout(resolve, 100));
-			continue;
-		}
-		throw error;
-	}
-	throw lastError || /* @__PURE__ */ new Error("Authentication failed");
-}
-
-//#endregion
-Object.defineProperty(exports, 'PostMessageAuthInvalidOriginError', {
-  enumerable: true,
-  get: function () {
-    return PostMessageAuthInvalidOriginError;
-  }
-});
-Object.defineProperty(exports, 'PostMessageAuthInvalidResponseError', {
-  enumerable: true,
-  get: function () {
-    return PostMessageAuthInvalidResponseError;
-  }
-});
-Object.defineProperty(exports, 'PostMessageAuthNotInIframeError', {
-  enumerable: true,
-  get: function () {
-    return PostMessageAuthNotInIframeError;
-  }
-});
-Object.defineProperty(exports, 'PostMessageAuthTimeoutError', {
-  enumerable: true,
-  get: function () {
-    return PostMessageAuthTimeoutError;
-  }
-});
-Object.defineProperty(exports, 'isInIframe', {
-  enumerable: true,
-  get: function () {
-    return isInIframe;
-  }
-});
-Object.defineProperty(exports, 'postMessage_exports', {
-  enumerable: true,
-  get: function () {
-    return postMessage_exports;
-  }
-});
-Object.defineProperty(exports, 'requestAuthFromParent', {
-  enumerable: true,
-  get: function () {
-    return requestAuthFromParent;
-  }
-});
-//# sourceMappingURL=postMessage-Cb5PCtcE.cjs.map

package/dist/postMessage-Cb5PCtcE.cjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"postMessage-Cb5PCtcE.cjs","names":[],"sources":["../src/types.ts","../src/auth/postMessage.ts"],"sourcesContent":["/**\n * Represents an app item in the project\n */\nexport interface AppItem {\n  name: string;\n  path: string;\n}\n\n/**\n * Reference to a data file (usually parquet)\n */\nexport interface FileReference {\n  file_path: string;\n}\n\n/**\n * Table data structure for in-memory tables\n * (used when data is fetched and parsed)\n */\nexport interface TableData {\n  columns: string[];\n  rows: unknown[][];\n  total_rows?: number;\n}\n\nexport type DataContainer = Record<string, FileReference>;\n\n/**\n * Response from app data endpoints\n */\nexport interface AppDataResponse {\n  data: DataContainer | null;\n  error: string | null;\n}\n\n/**\n * Display with potential error\n */\nexport interface DisplayWithError {\n  display?: DisplayData;\n  error?: string;\n}\n\n/**\n * Display data structure\n */\nexport interface DisplayData {\n  type: string;\n  content: unknown;\n}\n\n/**\n * Response from get displays endpoint\n */\nexport interface GetDisplaysResponse {\n  displays: DisplayWithError[];\n}\n\n/**\n * Error response from the API\n */\nexport interface ApiError {\n  message: string;\n  status: number;\n  details?: unknown;\n}\n\n/**\n * PostMessage authentication protocol types\n */\n\n/**\n * Request message sent from iframe to parent window\n */\nexport interface OxyAuthRequestMessage {\n  type: \"OXY_AUTH_REQUEST\";\n  version: \"1.0\";\n  timestamp: number;\n  requestId: string;\n}\n\n/**\n * Response message sent from parent window to iframe\n */\nexport interface OxyAuthResponseMessage {\n  type: \"OXY_AUTH_RESPONSE\";\n  version: \"1.0\";\n  requestId: string;\n  apiKey?: string;\n  projectId?: string;\n  baseUrl?: string;\n}\n\n/**\n * Options for postMessage authentication\n */\nexport interface PostMessageAuthOptions {\n  /** Required parent window origin for security (e.g., 'https://app.example.com'). Use '*' only in development! */\n  parentOrigin?: string;\n  /** Timeout in milliseconds (default: 5000) */\n  timeout?: number;\n  /** Number of retry attempts (default: 0) */\n  retries?: number;\n}\n\n/**\n * Result from successful postMessage authentication\n */\nexport interface PostMessageAuthResult {\n  apiKey?: string;\n  projectId?: string;\n  baseUrl?: string;\n  source: \"postmessage\";\n}\n\n/**\n * Custom error classes for postMessage authentication\n */\n\n/**\n * Error thrown when postMessage authentication times out\n */\nexport class PostMessageAuthTimeoutError extends Error {\n  constructor(timeout: number) {\n    super(\n      `Parent window did not respond to authentication request within ${timeout}ms.\\n\\n` +\n        `Possible causes:\\n` +\n        `- Parent window is not listening for 'OXY_AUTH_REQUEST' messages\\n` +\n        `- Parent origin mismatch\\n` +\n        `- Network/browser issues\\n\\n` +\n        `Troubleshooting:\\n` +\n        `1. Verify parent window has message listener set up\\n` +\n        `2. Check parentOrigin configuration matches parent window origin\\n` +\n        `3. Open browser console in parent window for errors`,\n    );\n    this.name = \"PostMessageAuthTimeoutError\";\n  }\n}\n\n/**\n * Error thrown when authentication response comes from unauthorized origin\n */\nexport class PostMessageAuthInvalidOriginError extends Error {\n  constructor(expected: string, actual: string) {\n    super(\n      `Received authentication response from unauthorized origin.\\n\\n` +\n        `Expected: ${expected}\\n` +\n        `Actual: ${actual}\\n\\n` +\n        `This is a security error. Verify your parentOrigin configuration.`,\n    );\n    this.name = \"PostMessageAuthInvalidOriginError\";\n  }\n}\n\n/**\n * Error thrown when postMessage authentication is attempted outside iframe context\n */\nexport class PostMessageAuthNotInIframeError extends Error {\n  constructor() {\n    const currentContext = getCurrentContext();\n    super(\n      `PostMessage authentication is only available when running in an iframe context.\\n\\n` +\n        `Current context: ${currentContext}\\n\\n` +\n        `If you're running in a regular browser window, use direct configuration instead:\\n` +\n        `const client = new OxyClient({ apiKey: 'your-key', ... })`,\n    );\n    this.name = \"PostMessageAuthNotInIframeError\";\n  }\n}\n\nfunction getCurrentContext(): string {\n  if (typeof window === \"undefined\") {\n    return \"non-browser (Node.js)\";\n  }\n  if (window === window.parent) {\n    return \"top-level window\";\n  }\n  return \"iframe\";\n}\n\n/**\n * Error thrown when authentication response is malformed or invalid\n */\nexport class PostMessageAuthInvalidResponseError extends Error {\n  constructor(reason: string) {\n    super(`Invalid authentication response from parent: ${reason}`);\n    this.name = \"PostMessageAuthInvalidResponseError\";\n  }\n}\n","/**\n * PostMessage-based authentication for iframe scenarios\n *\n * This module enables secure cross-origin authentication between an iframe\n * (running the Oxy SDK) and its parent window (holding the API key).\n */\n\nimport type {\n  OxyAuthRequestMessage,\n  OxyAuthResponseMessage,\n  PostMessageAuthOptions,\n  PostMessageAuthResult,\n} from \"../types\";\n\nimport {\n  PostMessageAuthTimeoutError,\n  PostMessageAuthNotInIframeError,\n  PostMessageAuthInvalidResponseError,\n} from \"../types\";\n\n/**\n * Check if the current context is running inside an iframe\n *\n * @returns true if running in an iframe, false otherwise (including Node.js)\n */\nexport function isInIframe(): boolean {\n  // Check if we're in a browser environment\n  if (typeof window === \"undefined\") {\n    return false;\n  }\n\n  // Check if window has a parent and it's different from itself\n  try {\n    return window !== window.parent && window.parent !== null;\n  } catch {\n    // Cross-origin access might throw an error, but we're still in an iframe\n    return true;\n  }\n}\n\n/**\n * Generate a unique request ID for tracking auth requests\n *\n * @returns A unique identifier string\n */\nexport function generateRequestId(): string {\n  // Use crypto.randomUUID if available (modern browsers)\n  if (typeof crypto !== \"undefined\" && crypto.randomUUID) {\n    return crypto.randomUUID();\n  }\n\n  // Fallback for older environments: timestamp + random\n  // Note: Math.random() is used here as a fallback for environments without crypto.randomUUID\n  // This is acceptable for non-security-critical request IDs (used only for message correlation)\n  /* eslint-disable sonarjs/pseudo-random */\n  return `${Date.now()}-${Math.random().toString(36).substring(2, 11)}`;\n  /* eslint-enable sonarjs/pseudo-random */\n}\n\n/**\n * Validate that a message origin matches the expected origin\n *\n * @param messageOrigin - The origin from the message event\n * @param allowedOrigin - The expected/allowed origin\n * @returns true if origin is valid, false otherwise\n */\nexport function validateOrigin(\n  messageOrigin: string,\n  allowedOrigin?: string,\n): boolean {\n  // If no allowed origin is specified, reject (security)\n  if (!allowedOrigin) {\n    return false;\n  }\n\n  // Wildcard - allow any origin (development only!)\n  if (allowedOrigin === \"*\") {\n    return true;\n  }\n\n  // Exact match\n  if (messageOrigin === allowedOrigin) {\n    return true;\n  }\n\n  // Try URL parsing for more flexible matching\n  try {\n    const messageUrl = new URL(messageOrigin);\n    const allowedUrl = new URL(allowedOrigin);\n    return messageUrl.origin === allowedUrl.origin;\n  } catch {\n    // If URL parsing fails, do simple string match\n    return messageOrigin === allowedOrigin;\n  }\n}\n\n/**\n * Create a promise that listens for an authentication response\n *\n * @param requestId - The request ID to match against\n * @param origin - The expected parent origin\n * @param timeout - Timeout in milliseconds\n * @returns Promise that resolves with the auth response\n */\nfunction createAuthListener(\n  requestId: string,\n  origin: string | undefined,\n  timeout: number,\n): Promise<OxyAuthResponseMessage> {\n  return new Promise((resolve, reject) => {\n    // Set up message listener\n    const listener = (event: MessageEvent) => {\n      // Validate origin\n      if (!validateOrigin(event.origin, origin)) {\n        // Don't reject here - might be other postMessage traffic\n        // Just ignore messages from wrong origins\n        return;\n      }\n\n      // Check message type\n      if (!event.data || event.data.type !== \"OXY_AUTH_RESPONSE\") {\n        // Not our message type, ignore\n        return;\n      }\n\n      const response = event.data as OxyAuthResponseMessage;\n\n      // Validate request ID matches\n      if (response.requestId !== requestId) {\n        // Wrong request ID, ignore (might be another auth in progress)\n        return;\n      }\n\n      // Validate version\n      if (response.version !== \"1.0\") {\n        clearTimeout(timeoutId);\n        window.removeEventListener(\"message\", listener);\n        reject(\n          new PostMessageAuthInvalidResponseError(\n            `Unsupported protocol version: ${response.version}`,\n          ),\n        );\n        return;\n      }\n\n      // Success!\n      clearTimeout(timeoutId);\n      window.removeEventListener(\"message\", listener);\n      resolve(response);\n    };\n\n    // Set up timeout\n    const timeoutId = setTimeout(() => {\n      window.removeEventListener(\"message\", listener);\n      reject(new PostMessageAuthTimeoutError(timeout));\n    }, timeout);\n\n    // Start listening\n    window.addEventListener(\"message\", listener);\n  });\n}\n\n/**\n * Request authentication from parent window via postMessage\n *\n * This is the main entry point for iframe-based authentication.\n * It sends a request to the parent window and waits for a response.\n *\n * @param options - Configuration options for the auth request\n * @returns Promise that resolves with authentication credentials\n * @throws {PostMessageAuthNotInIframeError} If not in an iframe\n * @throws {PostMessageAuthTimeoutError} If parent doesn't respond in time\n * @throws {PostMessageAuthInvalidOriginError} If response from wrong origin\n * @throws {PostMessageAuthInvalidResponseError} If response is malformed\n *\n * @example\n * ```typescript\n * const auth = await requestAuthFromParent({\n *   parentOrigin: 'https://app.example.com',\n *   timeout: 5000\n * });\n * console.log('Received API key:', auth.apiKey);\n * ```\n */\nexport async function requestAuthFromParent(\n  options: PostMessageAuthOptions = {},\n): Promise<PostMessageAuthResult> {\n  const { parentOrigin, timeout = 5000, retries = 0 } = options;\n\n  // Validate we're in an iframe\n  if (!isInIframe()) {\n    throw new PostMessageAuthNotInIframeError();\n  }\n\n  // Validate we're in a browser environment\n  if (typeof window === \"undefined\") {\n    throw new PostMessageAuthNotInIframeError();\n  }\n\n  // Generate request ID\n  const requestId = generateRequestId();\n\n  // Create request message\n  const request: OxyAuthRequestMessage = {\n    type: \"OXY_AUTH_REQUEST\",\n    version: \"1.0\",\n    timestamp: Date.now(),\n    requestId,\n  };\n\n  // Attempt authentication with retries\n  let lastError: Error | null = null;\n  const maxAttempts = retries + 1;\n\n  for (let attempt = 0; attempt < maxAttempts; attempt++) {\n    try {\n      // Set up listener before sending request to avoid race condition\n      const responsePromise = createAuthListener(\n        requestId,\n        parentOrigin,\n        timeout,\n      );\n\n      // Send request to parent\n      const targetOrigin = parentOrigin || \"*\";\n      window.parent.postMessage(request, targetOrigin);\n\n      // Wait for response\n      const response = await responsePromise;\n\n      // Return successful result\n      return {\n        apiKey: response.apiKey,\n        projectId: response.projectId,\n        baseUrl: response.baseUrl,\n        source: \"postmessage\",\n      };\n    } catch (error) {\n      lastError = error as Error;\n\n      // If this isn't a timeout, don't retry\n      if (!(error instanceof PostMessageAuthTimeoutError)) {\n        throw error;\n      }\n\n      // If we have more attempts, continue\n      if (attempt < maxAttempts - 1) {\n        // Optional: Add a small delay before retry\n        await new Promise((resolve) => setTimeout(resolve, 100));\n        continue;\n      }\n\n      // All retries exhausted\n      throw error;\n    }\n  }\n\n  // Should never reach here, but TypeScript needs this\n  throw lastError || new Error(\"Authentication failed\");\n}\n"],"mappings":";;;;;;;;;;AA0HA,IAAa,8BAAb,cAAiD,MAAM;CACrD,YAAY,SAAiB;AAC3B,QACE,kEAAkE,QAAQ,+UAS3E;AACD,OAAK,OAAO;;;;;;AAOhB,IAAa,oCAAb,cAAuD,MAAM;CAC3D,YAAY,UAAkB,QAAgB;AAC5C,QACE,2EACe,SAAS,YACX,OAAO,uEAErB;AACD,OAAK,OAAO;;;;;;AAOhB,IAAa,kCAAb,cAAqD,MAAM;CACzD,cAAc;EACZ,MAAM,iBAAiB,mBAAmB;AAC1C,QACE,uGACsB,eAAe,iJAGtC;AACD,OAAK,OAAO;;;AAIhB,SAAS,oBAA4B;AACnC,KAAI,OAAO,WAAW,YACpB,QAAO;AAET,KAAI,WAAW,OAAO,OACpB,QAAO;AAET,QAAO;;;;;AAMT,IAAa,sCAAb,cAAyD,MAAM;CAC7D,YAAY,QAAgB;AAC1B,QAAM,gDAAgD,SAAS;AAC/D,OAAK,OAAO;;;;;;;;;;;;;;;;;ACjKhB,SAAgB,aAAsB;AAEpC,KAAI,OAAO,WAAW,YACpB,QAAO;AAIT,KAAI;AACF,SAAO,WAAW,OAAO,UAAU,OAAO,WAAW;SAC/C;AAEN,SAAO;;;;;;;;AASX,SAAgB,oBAA4B;AAE1C,KAAI,OAAO,WAAW,eAAe,OAAO,WAC1C,QAAO,OAAO,YAAY;AAO5B,QAAO,GAAG,KAAK,KAAK,CAAC,GAAG,KAAK,QAAQ,CAAC,SAAS,GAAG,CAAC,UAAU,GAAG,GAAG;;;;;;;;;AAWrE,SAAgB,eACd,eACA,eACS;AAET,KAAI,CAAC,cACH,QAAO;AAIT,KAAI,kBAAkB,IACpB,QAAO;AAIT,KAAI,kBAAkB,cACpB,QAAO;AAIT,KAAI;EACF,MAAM,aAAa,IAAI,IAAI,cAAc;EACzC,MAAM,aAAa,IAAI,IAAI,cAAc;AACzC,SAAO,WAAW,WAAW,WAAW;SAClC;AAEN,SAAO,kBAAkB;;;;;;;;;;;AAY7B,SAAS,mBACP,WACA,QACA,SACiC;AACjC,QAAO,IAAI,SAAS,SAAS,WAAW;EAEtC,MAAM,YAAY,UAAwB;AAExC,OAAI,CAAC,eAAe,MAAM,QAAQ,OAAO,CAGvC;AAIF,OAAI,CAAC,MAAM,QAAQ,MAAM,KAAK,SAAS,oBAErC;GAGF,MAAM,WAAW,MAAM;AAGvB,OAAI,SAAS,cAAc,UAEzB;AAIF,OAAI,SAAS,YAAY,OAAO;AAC9B,iBAAa,UAAU;AACvB,WAAO,oBAAoB,WAAW,SAAS;AAC/C,WACE,IAAI,oCACF,iCAAiC,SAAS,UAC3C,CACF;AACD;;AAIF,gBAAa,UAAU;AACvB,UAAO,oBAAoB,WAAW,SAAS;AAC/C,WAAQ,SAAS;;EAInB,MAAM,YAAY,iBAAiB;AACjC,UAAO,oBAAoB,WAAW,SAAS;AAC/C,UAAO,IAAI,4BAA4B,QAAQ,CAAC;KAC/C,QAAQ;AAGX,SAAO,iBAAiB,WAAW,SAAS;GAC5C;;;;;;;;;;;;;;;;;;;;;;;;AAyBJ,eAAsB,sBACpB,UAAkC,EAAE,EACJ;CAChC,MAAM,EAAE,cAAc,UAAU,KAAM,UAAU,MAAM;AAGtD,KAAI,CAAC,YAAY,CACf,OAAM,IAAI,iCAAiC;AAI7C,KAAI,OAAO,WAAW,YACpB,OAAM,IAAI,iCAAiC;CAI7C,MAAM,YAAY,mBAAmB;CAGrC,MAAM,UAAiC;EACrC,MAAM;EACN,SAAS;EACT,WAAW,KAAK,KAAK;EACrB;EACD;CAGD,IAAI,YAA0B;CAC9B,MAAM,cAAc,UAAU;AAE9B,MAAK,IAAI,UAAU,GAAG,UAAU,aAAa,UAC3C,KAAI;EAEF,MAAM,kBAAkB,mBACtB,WACA,cACA,QACD;EAGD,MAAM,eAAe,gBAAgB;AACrC,SAAO,OAAO,YAAY,SAAS,aAAa;EAGhD,MAAM,WAAW,MAAM;AAGvB,SAAO;GACL,QAAQ,SAAS;GACjB,WAAW,SAAS;GACpB,SAAS,SAAS;GAClB,QAAQ;GACT;UACM,OAAO;AACd,cAAY;AAGZ,MAAI,EAAE,iBAAiB,6BACrB,OAAM;AAIR,MAAI,UAAU,cAAc,GAAG;AAE7B,SAAM,IAAI,SAAS,YAAY,WAAW,SAAS,IAAI,CAAC;AACxD;;AAIF,QAAM;;AAKV,OAAM,6BAAa,IAAI,MAAM,wBAAwB"}

package/dist/postMessage-Gnhr_wnw.mjs

@@ -1,207 +0,0 @@
-// @oxy/sdk - TypeScript SDK for Oxy data platform
-//#region \0rolldown/runtime.js
-var __defProp = Object.defineProperty;
-var __exportAll = (all, no_symbols) => {
-	let target = {};
-	for (var name in all) {
-		__defProp(target, name, {
-			get: all[name],
-			enumerable: true
-		});
-	}
-	if (!no_symbols) {
-		__defProp(target, Symbol.toStringTag, { value: "Module" });
-	}
-	return target;
-};
-
-//#endregion
-//#region src/types.ts
-/**
-* Custom error classes for postMessage authentication
-*/
-/**
-* Error thrown when postMessage authentication times out
-*/
-var PostMessageAuthTimeoutError = class extends Error {
-	constructor(timeout) {
-		super(`Parent window did not respond to authentication request within ${timeout}ms.\n\nPossible causes:\n- Parent window is not listening for 'OXY_AUTH_REQUEST' messages\n- Parent origin mismatch\n- Network/browser issues\n\nTroubleshooting:\n1. Verify parent window has message listener set up\n2. Check parentOrigin configuration matches parent window origin\n3. Open browser console in parent window for errors`);
-		this.name = "PostMessageAuthTimeoutError";
-	}
-};
-/**
-* Error thrown when authentication response comes from unauthorized origin
-*/
-var PostMessageAuthInvalidOriginError = class extends Error {
-	constructor(expected, actual) {
-		super(`Received authentication response from unauthorized origin.\n\nExpected: ${expected}\nActual: ${actual}\n\nThis is a security error. Verify your parentOrigin configuration.`);
-		this.name = "PostMessageAuthInvalidOriginError";
-	}
-};
-/**
-* Error thrown when postMessage authentication is attempted outside iframe context
-*/
-var PostMessageAuthNotInIframeError = class extends Error {
-	constructor() {
-		const currentContext = getCurrentContext();
-		super(`PostMessage authentication is only available when running in an iframe context.\n\nCurrent context: ${currentContext}\n\nIf you're running in a regular browser window, use direct configuration instead:\nconst client = new OxyClient({ apiKey: 'your-key', ... })`);
-		this.name = "PostMessageAuthNotInIframeError";
-	}
-};
-function getCurrentContext() {
-	if (typeof window === "undefined") return "non-browser (Node.js)";
-	if (window === window.parent) return "top-level window";
-	return "iframe";
-}
-/**
-* Error thrown when authentication response is malformed or invalid
-*/
-var PostMessageAuthInvalidResponseError = class extends Error {
-	constructor(reason) {
-		super(`Invalid authentication response from parent: ${reason}`);
-		this.name = "PostMessageAuthInvalidResponseError";
-	}
-};
-
-//#endregion
-//#region src/auth/postMessage.ts
-var postMessage_exports = /* @__PURE__ */ __exportAll({
-	generateRequestId: () => generateRequestId,
-	isInIframe: () => isInIframe,
-	requestAuthFromParent: () => requestAuthFromParent,
-	validateOrigin: () => validateOrigin
-});
-/**
-* Check if the current context is running inside an iframe
-*
-* @returns true if running in an iframe, false otherwise (including Node.js)
-*/
-function isInIframe() {
-	if (typeof window === "undefined") return false;
-	try {
-		return window !== window.parent && window.parent !== null;
-	} catch {
-		return true;
-	}
-}
-/**
-* Generate a unique request ID for tracking auth requests
-*
-* @returns A unique identifier string
-*/
-function generateRequestId() {
-	if (typeof crypto !== "undefined" && crypto.randomUUID) return crypto.randomUUID();
-	return `${Date.now()}-${Math.random().toString(36).substring(2, 11)}`;
-}
-/**
-* Validate that a message origin matches the expected origin
-*
-* @param messageOrigin - The origin from the message event
-* @param allowedOrigin - The expected/allowed origin
-* @returns true if origin is valid, false otherwise
-*/
-function validateOrigin(messageOrigin, allowedOrigin) {
-	if (!allowedOrigin) return false;
-	if (allowedOrigin === "*") return true;
-	if (messageOrigin === allowedOrigin) return true;
-	try {
-		const messageUrl = new URL(messageOrigin);
-		const allowedUrl = new URL(allowedOrigin);
-		return messageUrl.origin === allowedUrl.origin;
-	} catch {
-		return messageOrigin === allowedOrigin;
-	}
-}
-/**
-* Create a promise that listens for an authentication response
-*
-* @param requestId - The request ID to match against
-* @param origin - The expected parent origin
-* @param timeout - Timeout in milliseconds
-* @returns Promise that resolves with the auth response
-*/
-function createAuthListener(requestId, origin, timeout) {
-	return new Promise((resolve, reject) => {
-		const listener = (event) => {
-			if (!validateOrigin(event.origin, origin)) return;
-			if (!event.data || event.data.type !== "OXY_AUTH_RESPONSE") return;
-			const response = event.data;
-			if (response.requestId !== requestId) return;
-			if (response.version !== "1.0") {
-				clearTimeout(timeoutId);
-				window.removeEventListener("message", listener);
-				reject(new PostMessageAuthInvalidResponseError(`Unsupported protocol version: ${response.version}`));
-				return;
-			}
-			clearTimeout(timeoutId);
-			window.removeEventListener("message", listener);
-			resolve(response);
-		};
-		const timeoutId = setTimeout(() => {
-			window.removeEventListener("message", listener);
-			reject(new PostMessageAuthTimeoutError(timeout));
-		}, timeout);
-		window.addEventListener("message", listener);
-	});
-}
-/**
-* Request authentication from parent window via postMessage
-*
-* This is the main entry point for iframe-based authentication.
-* It sends a request to the parent window and waits for a response.
-*
-* @param options - Configuration options for the auth request
-* @returns Promise that resolves with authentication credentials
-* @throws {PostMessageAuthNotInIframeError} If not in an iframe
-* @throws {PostMessageAuthTimeoutError} If parent doesn't respond in time
-* @throws {PostMessageAuthInvalidOriginError} If response from wrong origin
-* @throws {PostMessageAuthInvalidResponseError} If response is malformed
-*
-* @example
-* ```typescript
-* const auth = await requestAuthFromParent({
-*   parentOrigin: 'https://app.example.com',
-*   timeout: 5000
-* });
-* console.log('Received API key:', auth.apiKey);
-* ```
-*/
-async function requestAuthFromParent(options = {}) {
-	const { parentOrigin, timeout = 5e3, retries = 0 } = options;
-	if (!isInIframe()) throw new PostMessageAuthNotInIframeError();
-	if (typeof window === "undefined") throw new PostMessageAuthNotInIframeError();
-	const requestId = generateRequestId();
-	const request = {
-		type: "OXY_AUTH_REQUEST",
-		version: "1.0",
-		timestamp: Date.now(),
-		requestId
-	};
-	let lastError = null;
-	const maxAttempts = retries + 1;
-	for (let attempt = 0; attempt < maxAttempts; attempt++) try {
-		const responsePromise = createAuthListener(requestId, parentOrigin, timeout);
-		const targetOrigin = parentOrigin || "*";
-		window.parent.postMessage(request, targetOrigin);
-		const response = await responsePromise;
-		return {
-			apiKey: response.apiKey,
-			projectId: response.projectId,
-			baseUrl: response.baseUrl,
-			source: "postmessage"
-		};
-	} catch (error) {
-		lastError = error;
-		if (!(error instanceof PostMessageAuthTimeoutError)) throw error;
-		if (attempt < maxAttempts - 1) {
-			await new Promise((resolve) => setTimeout(resolve, 100));
-			continue;
-		}
-		throw error;
-	}
-	throw lastError || /* @__PURE__ */ new Error("Authentication failed");
-}
-
-//#endregion
-export { PostMessageAuthInvalidResponseError as a, PostMessageAuthInvalidOriginError as i, postMessage_exports as n, PostMessageAuthNotInIframeError as o, requestAuthFromParent as r, PostMessageAuthTimeoutError as s, isInIframe as t };
-//# sourceMappingURL=postMessage-Gnhr_wnw.mjs.map

package/dist/postMessage-Gnhr_wnw.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"postMessage-Gnhr_wnw.mjs","names":[],"sources":["../src/types.ts","../src/auth/postMessage.ts"],"sourcesContent":["/**\n * Represents an app item in the project\n */\nexport interface AppItem {\n  name: string;\n  path: string;\n}\n\n/**\n * Reference to a data file (usually parquet)\n */\nexport interface FileReference {\n  file_path: string;\n}\n\n/**\n * Table data structure for in-memory tables\n * (used when data is fetched and parsed)\n */\nexport interface TableData {\n  columns: string[];\n  rows: unknown[][];\n  total_rows?: number;\n}\n\nexport type DataContainer = Record<string, FileReference>;\n\n/**\n * Response from app data endpoints\n */\nexport interface AppDataResponse {\n  data: DataContainer | null;\n  error: string | null;\n}\n\n/**\n * Display with potential error\n */\nexport interface DisplayWithError {\n  display?: DisplayData;\n  error?: string;\n}\n\n/**\n * Display data structure\n */\nexport interface DisplayData {\n  type: string;\n  content: unknown;\n}\n\n/**\n * Response from get displays endpoint\n */\nexport interface GetDisplaysResponse {\n  displays: DisplayWithError[];\n}\n\n/**\n * Error response from the API\n */\nexport interface ApiError {\n  message: string;\n  status: number;\n  details?: unknown;\n}\n\n/**\n * PostMessage authentication protocol types\n */\n\n/**\n * Request message sent from iframe to parent window\n */\nexport interface OxyAuthRequestMessage {\n  type: \"OXY_AUTH_REQUEST\";\n  version: \"1.0\";\n  timestamp: number;\n  requestId: string;\n}\n\n/**\n * Response message sent from parent window to iframe\n */\nexport interface OxyAuthResponseMessage {\n  type: \"OXY_AUTH_RESPONSE\";\n  version: \"1.0\";\n  requestId: string;\n  apiKey?: string;\n  projectId?: string;\n  baseUrl?: string;\n}\n\n/**\n * Options for postMessage authentication\n */\nexport interface PostMessageAuthOptions {\n  /** Required parent window origin for security (e.g., 'https://app.example.com'). Use '*' only in development! */\n  parentOrigin?: string;\n  /** Timeout in milliseconds (default: 5000) */\n  timeout?: number;\n  /** Number of retry attempts (default: 0) */\n  retries?: number;\n}\n\n/**\n * Result from successful postMessage authentication\n */\nexport interface PostMessageAuthResult {\n  apiKey?: string;\n  projectId?: string;\n  baseUrl?: string;\n  source: \"postmessage\";\n}\n\n/**\n * Custom error classes for postMessage authentication\n */\n\n/**\n * Error thrown when postMessage authentication times out\n */\nexport class PostMessageAuthTimeoutError extends Error {\n  constructor(timeout: number) {\n    super(\n      `Parent window did not respond to authentication request within ${timeout}ms.\\n\\n` +\n        `Possible causes:\\n` +\n        `- Parent window is not listening for 'OXY_AUTH_REQUEST' messages\\n` +\n        `- Parent origin mismatch\\n` +\n        `- Network/browser issues\\n\\n` +\n        `Troubleshooting:\\n` +\n        `1. Verify parent window has message listener set up\\n` +\n        `2. Check parentOrigin configuration matches parent window origin\\n` +\n        `3. Open browser console in parent window for errors`,\n    );\n    this.name = \"PostMessageAuthTimeoutError\";\n  }\n}\n\n/**\n * Error thrown when authentication response comes from unauthorized origin\n */\nexport class PostMessageAuthInvalidOriginError extends Error {\n  constructor(expected: string, actual: string) {\n    super(\n      `Received authentication response from unauthorized origin.\\n\\n` +\n        `Expected: ${expected}\\n` +\n        `Actual: ${actual}\\n\\n` +\n        `This is a security error. Verify your parentOrigin configuration.`,\n    );\n    this.name = \"PostMessageAuthInvalidOriginError\";\n  }\n}\n\n/**\n * Error thrown when postMessage authentication is attempted outside iframe context\n */\nexport class PostMessageAuthNotInIframeError extends Error {\n  constructor() {\n    const currentContext = getCurrentContext();\n    super(\n      `PostMessage authentication is only available when running in an iframe context.\\n\\n` +\n        `Current context: ${currentContext}\\n\\n` +\n        `If you're running in a regular browser window, use direct configuration instead:\\n` +\n        `const client = new OxyClient({ apiKey: 'your-key', ... })`,\n    );\n    this.name = \"PostMessageAuthNotInIframeError\";\n  }\n}\n\nfunction getCurrentContext(): string {\n  if (typeof window === \"undefined\") {\n    return \"non-browser (Node.js)\";\n  }\n  if (window === window.parent) {\n    return \"top-level window\";\n  }\n  return \"iframe\";\n}\n\n/**\n * Error thrown when authentication response is malformed or invalid\n */\nexport class PostMessageAuthInvalidResponseError extends Error {\n  constructor(reason: string) {\n    super(`Invalid authentication response from parent: ${reason}`);\n    this.name = \"PostMessageAuthInvalidResponseError\";\n  }\n}\n","/**\n * PostMessage-based authentication for iframe scenarios\n *\n * This module enables secure cross-origin authentication between an iframe\n * (running the Oxy SDK) and its parent window (holding the API key).\n */\n\nimport type {\n  OxyAuthRequestMessage,\n  OxyAuthResponseMessage,\n  PostMessageAuthOptions,\n  PostMessageAuthResult,\n} from \"../types\";\n\nimport {\n  PostMessageAuthTimeoutError,\n  PostMessageAuthNotInIframeError,\n  PostMessageAuthInvalidResponseError,\n} from \"../types\";\n\n/**\n * Check if the current context is running inside an iframe\n *\n * @returns true if running in an iframe, false otherwise (including Node.js)\n */\nexport function isInIframe(): boolean {\n  // Check if we're in a browser environment\n  if (typeof window === \"undefined\") {\n    return false;\n  }\n\n  // Check if window has a parent and it's different from itself\n  try {\n    return window !== window.parent && window.parent !== null;\n  } catch {\n    // Cross-origin access might throw an error, but we're still in an iframe\n    return true;\n  }\n}\n\n/**\n * Generate a unique request ID for tracking auth requests\n *\n * @returns A unique identifier string\n */\nexport function generateRequestId(): string {\n  // Use crypto.randomUUID if available (modern browsers)\n  if (typeof crypto !== \"undefined\" && crypto.randomUUID) {\n    return crypto.randomUUID();\n  }\n\n  // Fallback for older environments: timestamp + random\n  // Note: Math.random() is used here as a fallback for environments without crypto.randomUUID\n  // This is acceptable for non-security-critical request IDs (used only for message correlation)\n  /* eslint-disable sonarjs/pseudo-random */\n  return `${Date.now()}-${Math.random().toString(36).substring(2, 11)}`;\n  /* eslint-enable sonarjs/pseudo-random */\n}\n\n/**\n * Validate that a message origin matches the expected origin\n *\n * @param messageOrigin - The origin from the message event\n * @param allowedOrigin - The expected/allowed origin\n * @returns true if origin is valid, false otherwise\n */\nexport function validateOrigin(\n  messageOrigin: string,\n  allowedOrigin?: string,\n): boolean {\n  // If no allowed origin is specified, reject (security)\n  if (!allowedOrigin) {\n    return false;\n  }\n\n  // Wildcard - allow any origin (development only!)\n  if (allowedOrigin === \"*\") {\n    return true;\n  }\n\n  // Exact match\n  if (messageOrigin === allowedOrigin) {\n    return true;\n  }\n\n  // Try URL parsing for more flexible matching\n  try {\n    const messageUrl = new URL(messageOrigin);\n    const allowedUrl = new URL(allowedOrigin);\n    return messageUrl.origin === allowedUrl.origin;\n  } catch {\n    // If URL parsing fails, do simple string match\n    return messageOrigin === allowedOrigin;\n  }\n}\n\n/**\n * Create a promise that listens for an authentication response\n *\n * @param requestId - The request ID to match against\n * @param origin - The expected parent origin\n * @param timeout - Timeout in milliseconds\n * @returns Promise that resolves with the auth response\n */\nfunction createAuthListener(\n  requestId: string,\n  origin: string | undefined,\n  timeout: number,\n): Promise<OxyAuthResponseMessage> {\n  return new Promise((resolve, reject) => {\n    // Set up message listener\n    const listener = (event: MessageEvent) => {\n      // Validate origin\n      if (!validateOrigin(event.origin, origin)) {\n        // Don't reject here - might be other postMessage traffic\n        // Just ignore messages from wrong origins\n        return;\n      }\n\n      // Check message type\n      if (!event.data || event.data.type !== \"OXY_AUTH_RESPONSE\") {\n        // Not our message type, ignore\n        return;\n      }\n\n      const response = event.data as OxyAuthResponseMessage;\n\n      // Validate request ID matches\n      if (response.requestId !== requestId) {\n        // Wrong request ID, ignore (might be another auth in progress)\n        return;\n      }\n\n      // Validate version\n      if (response.version !== \"1.0\") {\n        clearTimeout(timeoutId);\n        window.removeEventListener(\"message\", listener);\n        reject(\n          new PostMessageAuthInvalidResponseError(\n            `Unsupported protocol version: ${response.version}`,\n          ),\n        );\n        return;\n      }\n\n      // Success!\n      clearTimeout(timeoutId);\n      window.removeEventListener(\"message\", listener);\n      resolve(response);\n    };\n\n    // Set up timeout\n    const timeoutId = setTimeout(() => {\n      window.removeEventListener(\"message\", listener);\n      reject(new PostMessageAuthTimeoutError(timeout));\n    }, timeout);\n\n    // Start listening\n    window.addEventListener(\"message\", listener);\n  });\n}\n\n/**\n * Request authentication from parent window via postMessage\n *\n * This is the main entry point for iframe-based authentication.\n * It sends a request to the parent window and waits for a response.\n *\n * @param options - Configuration options for the auth request\n * @returns Promise that resolves with authentication credentials\n * @throws {PostMessageAuthNotInIframeError} If not in an iframe\n * @throws {PostMessageAuthTimeoutError} If parent doesn't respond in time\n * @throws {PostMessageAuthInvalidOriginError} If response from wrong origin\n * @throws {PostMessageAuthInvalidResponseError} If response is malformed\n *\n * @example\n * ```typescript\n * const auth = await requestAuthFromParent({\n *   parentOrigin: 'https://app.example.com',\n *   timeout: 5000\n * });\n * console.log('Received API key:', auth.apiKey);\n * ```\n */\nexport async function requestAuthFromParent(\n  options: PostMessageAuthOptions = {},\n): Promise<PostMessageAuthResult> {\n  const { parentOrigin, timeout = 5000, retries = 0 } = options;\n\n  // Validate we're in an iframe\n  if (!isInIframe()) {\n    throw new PostMessageAuthNotInIframeError();\n  }\n\n  // Validate we're in a browser environment\n  if (typeof window === \"undefined\") {\n    throw new PostMessageAuthNotInIframeError();\n  }\n\n  // Generate request ID\n  const requestId = generateRequestId();\n\n  // Create request message\n  const request: OxyAuthRequestMessage = {\n    type: \"OXY_AUTH_REQUEST\",\n    version: \"1.0\",\n    timestamp: Date.now(),\n    requestId,\n  };\n\n  // Attempt authentication with retries\n  let lastError: Error | null = null;\n  const maxAttempts = retries + 1;\n\n  for (let attempt = 0; attempt < maxAttempts; attempt++) {\n    try {\n      // Set up listener before sending request to avoid race condition\n      const responsePromise = createAuthListener(\n        requestId,\n        parentOrigin,\n        timeout,\n      );\n\n      // Send request to parent\n      const targetOrigin = parentOrigin || \"*\";\n      window.parent.postMessage(request, targetOrigin);\n\n      // Wait for response\n      const response = await responsePromise;\n\n      // Return successful result\n      return {\n        apiKey: response.apiKey,\n        projectId: response.projectId,\n        baseUrl: response.baseUrl,\n        source: \"postmessage\",\n      };\n    } catch (error) {\n      lastError = error as Error;\n\n      // If this isn't a timeout, don't retry\n      if (!(error instanceof PostMessageAuthTimeoutError)) {\n        throw error;\n      }\n\n      // If we have more attempts, continue\n      if (attempt < maxAttempts - 1) {\n        // Optional: Add a small delay before retry\n        await new Promise((resolve) => setTimeout(resolve, 100));\n        continue;\n      }\n\n      // All retries exhausted\n      throw error;\n    }\n  }\n\n  // Should never reach here, but TypeScript needs this\n  throw lastError || new Error(\"Authentication failed\");\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AA0HA,IAAa,8BAAb,cAAiD,MAAM;CACrD,YAAY,SAAiB;AAC3B,QACE,kEAAkE,QAAQ,+UAS3E;AACD,OAAK,OAAO;;;;;;AAOhB,IAAa,oCAAb,cAAuD,MAAM;CAC3D,YAAY,UAAkB,QAAgB;AAC5C,QACE,2EACe,SAAS,YACX,OAAO,uEAErB;AACD,OAAK,OAAO;;;;;;AAOhB,IAAa,kCAAb,cAAqD,MAAM;CACzD,cAAc;EACZ,MAAM,iBAAiB,mBAAmB;AAC1C,QACE,uGACsB,eAAe,iJAGtC;AACD,OAAK,OAAO;;;AAIhB,SAAS,oBAA4B;AACnC,KAAI,OAAO,WAAW,YACpB,QAAO;AAET,KAAI,WAAW,OAAO,OACpB,QAAO;AAET,QAAO;;;;;AAMT,IAAa,sCAAb,cAAyD,MAAM;CAC7D,YAAY,QAAgB;AAC1B,QAAM,gDAAgD,SAAS;AAC/D,OAAK,OAAO;;;;;;;;;;;;;;;;;ACjKhB,SAAgB,aAAsB;AAEpC,KAAI,OAAO,WAAW,YACpB,QAAO;AAIT,KAAI;AACF,SAAO,WAAW,OAAO,UAAU,OAAO,WAAW;SAC/C;AAEN,SAAO;;;;;;;;AASX,SAAgB,oBAA4B;AAE1C,KAAI,OAAO,WAAW,eAAe,OAAO,WAC1C,QAAO,OAAO,YAAY;AAO5B,QAAO,GAAG,KAAK,KAAK,CAAC,GAAG,KAAK,QAAQ,CAAC,SAAS,GAAG,CAAC,UAAU,GAAG,GAAG;;;;;;;;;AAWrE,SAAgB,eACd,eACA,eACS;AAET,KAAI,CAAC,cACH,QAAO;AAIT,KAAI,kBAAkB,IACpB,QAAO;AAIT,KAAI,kBAAkB,cACpB,QAAO;AAIT,KAAI;EACF,MAAM,aAAa,IAAI,IAAI,cAAc;EACzC,MAAM,aAAa,IAAI,IAAI,cAAc;AACzC,SAAO,WAAW,WAAW,WAAW;SAClC;AAEN,SAAO,kBAAkB;;;;;;;;;;;AAY7B,SAAS,mBACP,WACA,QACA,SACiC;AACjC,QAAO,IAAI,SAAS,SAAS,WAAW;EAEtC,MAAM,YAAY,UAAwB;AAExC,OAAI,CAAC,eAAe,MAAM,QAAQ,OAAO,CAGvC;AAIF,OAAI,CAAC,MAAM,QAAQ,MAAM,KAAK,SAAS,oBAErC;GAGF,MAAM,WAAW,MAAM;AAGvB,OAAI,SAAS,cAAc,UAEzB;AAIF,OAAI,SAAS,YAAY,OAAO;AAC9B,iBAAa,UAAU;AACvB,WAAO,oBAAoB,WAAW,SAAS;AAC/C,WACE,IAAI,oCACF,iCAAiC,SAAS,UAC3C,CACF;AACD;;AAIF,gBAAa,UAAU;AACvB,UAAO,oBAAoB,WAAW,SAAS;AAC/C,WAAQ,SAAS;;EAInB,MAAM,YAAY,iBAAiB;AACjC,UAAO,oBAAoB,WAAW,SAAS;AAC/C,UAAO,IAAI,4BAA4B,QAAQ,CAAC;KAC/C,QAAQ;AAGX,SAAO,iBAAiB,WAAW,SAAS;GAC5C;;;;;;;;;;;;;;;;;;;;;;;;AAyBJ,eAAsB,sBACpB,UAAkC,EAAE,EACJ;CAChC,MAAM,EAAE,cAAc,UAAU,KAAM,UAAU,MAAM;AAGtD,KAAI,CAAC,YAAY,CACf,OAAM,IAAI,iCAAiC;AAI7C,KAAI,OAAO,WAAW,YACpB,OAAM,IAAI,iCAAiC;CAI7C,MAAM,YAAY,mBAAmB;CAGrC,MAAM,UAAiC;EACrC,MAAM;EACN,SAAS;EACT,WAAW,KAAK,KAAK;EACrB;EACD;CAGD,IAAI,YAA0B;CAC9B,MAAM,cAAc,UAAU;AAE9B,MAAK,IAAI,UAAU,GAAG,UAAU,aAAa,UAC3C,KAAI;EAEF,MAAM,kBAAkB,mBACtB,WACA,cACA,QACD;EAGD,MAAM,eAAe,gBAAgB;AACrC,SAAO,OAAO,YAAY,SAAS,aAAa;EAGhD,MAAM,WAAW,MAAM;AAGvB,SAAO;GACL,QAAQ,SAAS;GACjB,WAAW,SAAS;GACpB,SAAS,SAAS;GAClB,QAAQ;GACT;UACM,OAAO;AACd,cAAY;AAGZ,MAAI,EAAE,iBAAiB,6BACrB,OAAM;AAIR,MAAI,UAAU,cAAc,GAAG;AAE7B,SAAM,IAAI,SAAS,YAAY,WAAW,SAAS,IAAI,CAAC;AACxD;;AAIF,QAAM;;AAKV,OAAM,6BAAa,IAAI,MAAM,wBAAwB"}