@palbase/web 1.0.0

package/dist/next/index.cjs

@@ -0,0 +1,3680 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/next/index.ts
+var next_exports = {};
+__export(next_exports, {
+  SESSION_COOKIE_ATTRS: () => SESSION_COOKIE_ATTRS,
+  clearedSessionCookieNames: () => clearedSessionCookieNames,
+  decodeSessionCookies: () => decodeSessionCookies,
+  encodeSessionCookies: () => encodeSessionCookies,
+  encodeSessionCookiesDecoded: () => encodeSessionCookiesDecoded,
+  endpointRefFromApiKey: () => endpointRefFromApiKey,
+  handleAuthCallback: () => handleAuthCallback,
+  palbeMiddleware: () => palbeMiddleware,
+  pbServer: () => pbServer,
+  sessionCookieName: () => sessionCookieName
+});
+module.exports = __toCommonJS(next_exports);
+
+// src/auth-wire.ts
+function asWireAuthResult(raw) {
+  if (typeof raw !== "object" || raw === null) return null;
+  const obj = raw;
+  if (typeof obj.access_token !== "string") return null;
+  if (typeof obj.refresh_token !== "string") return null;
+  if (typeof obj.expires_in !== "number") return null;
+  const user = obj.user;
+  if (typeof user !== "object" || user === null) return null;
+  if (typeof user.id !== "string") return null;
+  return raw;
+}
+
+// src/api-key.ts
+function endpointRefFromApiKey(apiKey) {
+  const parts = apiKey.split("_");
+  return parts.length >= 3 && parts[0] === "pb" ? parts[1] ?? "" : "";
+}
+
+// src/next/cookie-codec.ts
+var MAX_COOKIE_VALUE = 3500;
+var SESSION_COOKIE_ATTRS = {
+  path: "/",
+  sameSite: "lax",
+  secure: true,
+  maxAge: 2592e3
+};
+function sessionCookieName(endpointRef) {
+  return `palbe-session-${endpointRef}`;
+}
+function encodeSessionCookies(endpointRef, session) {
+  const name = sessionCookieName(endpointRef);
+  const value = encodeURIComponent(
+    JSON.stringify({ a: session.accessToken, r: session.refreshToken, e: session.expiresAt })
+  );
+  if (value.length <= MAX_COOKIE_VALUE) {
+    return { set: [{ name, value }], clear: [`${name}.0`] };
+  }
+  const chunks = [];
+  for (let start = 0; start < value.length; ) {
+    let end = Math.min(start + MAX_COOKIE_VALUE, value.length);
+    if (end < value.length) {
+      if (value[end - 1] === "%") end -= 1;
+      else if (value[end - 2] === "%") end -= 2;
+    }
+    chunks.push({ name: `${name}.${chunks.length}`, value: value.slice(start, end) });
+    start = end;
+  }
+  return { set: chunks, clear: [`${name}.${chunks.length}`] };
+}
+function encodeSessionCookiesDecoded(endpointRef, session) {
+  const { set, clear } = encodeSessionCookies(endpointRef, session);
+  return {
+    set: set.map(({ name, value }) => ({ name, value: decodeURIComponent(value) })),
+    clear
+  };
+}
+function decodeSessionCookies(get, endpointRef) {
+  const base = sessionCookieName(endpointRef);
+  let encoded = get(base);
+  if (encoded === void 0) {
+    let joined = "";
+    for (let i = 0; ; i++) {
+      const part = get(`${base}.${i}`);
+      if (part === void 0) break;
+      joined += part;
+    }
+    if (joined === "") return null;
+    encoded = joined;
+  }
+  const raw = parseStoredSession(encoded);
+  if (raw !== null) return raw;
+  try {
+    return parseStoredSession(decodeURIComponent(encoded));
+  } catch {
+    return null;
+  }
+}
+function parseStoredSession(json) {
+  try {
+    const parsed = JSON.parse(json);
+    if (typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
+      const obj = parsed;
+      if (typeof obj.a === "string" && typeof obj.r === "string" && typeof obj.e === "number") {
+        return { accessToken: obj.a, refreshToken: obj.r, expiresAt: obj.e };
+      }
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function clearedSessionCookieNames(endpointRef, present) {
+  const base = sessionCookieName(endpointRef);
+  const names = [];
+  if (present(base)) names.push(base);
+  for (let i = 0; ; i++) {
+    const chunk = `${base}.${i}`;
+    if (!present(chunk)) break;
+    names.push(chunk);
+  }
+  return names;
+}
+
+// ../core/dist/index.js
+var CACHE_TTL_MS = 5 * 60 * 1e3;
+var PalbaseError = class extends Error {
+  code;
+  status;
+  details;
+  constructor(code, message, status, details) {
+    super(message);
+    this.name = "PalbaseError";
+    this.code = code;
+    this.status = status;
+    this.details = details;
+  }
+};
+var PALBASE_DEFAULT_HOST = "api.palbase.studio";
+var REF_LEN = 8;
+var BASE62_RE = /^[0-9A-Za-z]+$/;
+function parseProjectRef(apiKey) {
+  if (apiKey.length < 13) return null;
+  if (!apiKey.startsWith("pb_")) return null;
+  if (apiKey[11] !== "_") return null;
+  const ref = apiKey.slice(3, 11);
+  if (ref.length !== REF_LEN) return null;
+  if (!BASE62_RE.test(ref)) return null;
+  const scope = apiKey[12];
+  if (scope !== "c") return null;
+  return ref;
+}
+var MAX_RETRIES = 3;
+var INITIAL_BACKOFF_MS = 200;
+var MAX_RETRY_DELAY_MS = 1e4;
+var HttpClient = class _HttpClient {
+  apiKey;
+  options;
+  tokenManager = null;
+  /**
+   * Admin JWT used for platform admin endpoints (/admin/*).
+   * When set, takes precedence over tokenManager access token in the
+   * Authorization header.
+   */
+  adminToken = null;
+  interceptors = [];
+  constructor(apiKey, options) {
+    this.apiKey = apiKey;
+    this.options = options;
+  }
+  /** Set (or clear) the admin JWT used on admin endpoints. */
+  setAdminToken(token) {
+    this.adminToken = token;
+  }
+  /**
+   * Create a scoped HttpClient that adds the given extra headers to every
+   * request. The returned client shares the admin token and token manager
+   * with the parent at runtime — later changes on the parent propagate to
+   * the scope and vice versa.
+   *
+   * Typical use: tagging admin calls with `x-palbase-project: <ref>` so the
+   * gateway can route them to the correct project's data plane.
+   */
+  withHeaders(extra) {
+    const mergedHeaders = { ...this.options?.headers ?? {}, ...extra };
+    const scoped = new _HttpClient(this.apiKey, {
+      ...this.options,
+      headers: mergedHeaders
+    });
+    scoped.tokenManager = this.tokenManager;
+    Object.defineProperty(scoped, "adminToken", {
+      get: () => this.adminToken,
+      set: (v) => {
+        this.adminToken = v;
+      },
+      configurable: true
+    });
+    return scoped;
+  }
+  /** Add a request interceptor. Runs before every request. */
+  addInterceptor(interceptor) {
+    this.interceptors.push(interceptor);
+  }
+  async request(method, path, options) {
+    if (this.tokenManager?.isExpired() && this.tokenManager.getRefreshToken() && this.tokenManager.refreshFunction) {
+      try {
+        await this.tokenManager.refreshSession();
+      } catch (e) {
+        const status = e instanceof PalbaseError ? e.status : 0;
+        if (status === 400 || status === 401 || status === 403) {
+          this.tokenManager.clearSession();
+        } else {
+          throw e;
+        }
+      }
+    }
+    return this.executeWithRetry(method, path, options, 0);
+  }
+  getBaseUrl() {
+    if (this.options?.url) {
+      return this.options.url;
+    }
+    if (this.apiKey && parseProjectRef(this.apiKey) === null) {
+      throw new PalbaseError(
+        "invalid_api_key",
+        'Invalid API key format. Expected pb_{ref}_{scope}{random}. For dev/staging pass `url: "https://api.dev.palbase.studio"` via options.',
+        0
+      );
+    }
+    return `https://${PALBASE_DEFAULT_HOST}`;
+  }
+  buildHeaders(options) {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    const effectiveKey = this.apiKey;
+    if (effectiveKey) {
+      headers["apikey"] = effectiveKey;
+      const ref = parseProjectRef(effectiveKey);
+      if (ref) {
+        headers["X-Project-Ref"] = ref;
+      }
+    }
+    const token = this.tokenManager?.getAccessToken();
+    if (token) {
+      headers["Authorization"] = `Bearer ${token}`;
+    }
+    if (this.adminToken) {
+      headers["Authorization"] = `Bearer ${this.adminToken}`;
+    }
+    if (this.options?.headers) {
+      Object.assign(headers, this.options.headers);
+    }
+    if (options?.headers) {
+      Object.assign(headers, options.headers);
+    }
+    return headers;
+  }
+  async executeWithRetry(method, path, options, attempt) {
+    const url = `${this.getBaseUrl()}${path}`;
+    const headers = this.buildHeaders(options);
+    for (const interceptor of this.interceptors) {
+      await interceptor({ headers, method, path });
+    }
+    const fetchOptions = {
+      method,
+      headers,
+      signal: options?.signal
+    };
+    if (options?.body !== void 0) {
+      fetchOptions.body = JSON.stringify(options.body);
+    }
+    let response;
+    try {
+      response = await fetch(url, fetchOptions);
+    } catch (error) {
+      if (attempt < MAX_RETRIES - 1) {
+        const backoff = INITIAL_BACKOFF_MS * 2 ** attempt;
+        await this.delay(backoff);
+        return this.executeWithRetry(method, path, options, attempt + 1);
+      }
+      throw new PalbaseError(
+        "network_error",
+        error instanceof Error ? error.message : "Network request failed",
+        0
+      );
+    }
+    if (response.status === 429) {
+      if (attempt < MAX_RETRIES - 1) {
+        const retryAfter = response.headers.get("Retry-After");
+        const parsed = retryAfter ? Number.parseInt(retryAfter, 10) : Number.NaN;
+        const delayMs = Number.isNaN(parsed) ? INITIAL_BACKOFF_MS * 2 ** attempt : Math.min(parsed * 1e3, MAX_RETRY_DELAY_MS);
+        await this.delay(delayMs);
+        return this.executeWithRetry(method, path, options, attempt + 1);
+      }
+    }
+    let data = null;
+    let errorBody;
+    const contentType = response.headers.get("Content-Type");
+    if (method !== "HEAD" && contentType?.includes("json")) {
+      const body = await response.json();
+      if (response.ok) {
+        data = body;
+      } else {
+        errorBody = body;
+      }
+    }
+    if (!response.ok) {
+      return {
+        data: null,
+        error: new PalbaseError(
+          errorBody?.error ?? "unknown_error",
+          errorBody?.error_description ?? response.statusText,
+          response.status,
+          errorBody
+        ),
+        status: response.status
+      };
+    }
+    const contentRange = response.headers.get("Content-Range");
+    let count;
+    if (contentRange) {
+      const slash = contentRange.lastIndexOf("/");
+      if (slash >= 0) {
+        const totalPart = contentRange.slice(slash + 1);
+        if (totalPart !== "*") {
+          const parsed = Number.parseInt(totalPart, 10);
+          if (!Number.isNaN(parsed)) {
+            count = parsed;
+          }
+        }
+      }
+    }
+    return {
+      data,
+      error: null,
+      status: response.status,
+      ...count !== void 0 ? { count } : {}
+    };
+  }
+  delay(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+  }
+};
+var TokenManager = class {
+  session = null;
+  listeners = /* @__PURE__ */ new Set();
+  refreshPromise = null;
+  refreshing = false;
+  refreshFunction = null;
+  setSession(session) {
+    this.session = session;
+    this.notify("SESSION_SET", session);
+  }
+  getAccessToken() {
+    return this.session?.accessToken ?? null;
+  }
+  getRefreshToken() {
+    return this.session?.refreshToken ?? null;
+  }
+  clearSession() {
+    this.session = null;
+    this.notify("SESSION_CLEARED", null);
+  }
+  isExpired() {
+    if (!this.session) return true;
+    return Date.now() >= this.session.expiresAt;
+  }
+  async refreshSession() {
+    if (!this.session?.refreshToken || !this.refreshFunction) {
+      return;
+    }
+    if (this.refreshPromise) {
+      return this.refreshPromise;
+    }
+    if (this.refreshing) {
+      return;
+    }
+    this.refreshing = true;
+    this.refreshPromise = this.executeRefresh(this.session.refreshToken);
+    try {
+      await this.refreshPromise;
+    } finally {
+      this.refreshPromise = null;
+      this.refreshing = false;
+    }
+  }
+  onAuthStateChange(callback) {
+    this.listeners.add(callback);
+    return () => {
+      this.listeners.delete(callback);
+    };
+  }
+  async executeRefresh(refreshToken) {
+    if (!this.refreshFunction) return;
+    const newSession = await this.refreshFunction(refreshToken);
+    this.setSession(newSession);
+  }
+  notify(event, session) {
+    for (const listener of this.listeners) {
+      listener(event, session);
+    }
+  }
+};
+
+// src/errors.ts
+var BackendError = class _BackendError extends Error {
+  kind;
+  code;
+  status;
+  requestId;
+  fields;
+  retryAfter;
+  data;
+  constructor(kind, params) {
+    super(params.message);
+    this.name = "BackendError";
+    this.kind = kind;
+    this.code = params.code;
+    this.status = params.status ?? 0;
+    this.requestId = params.requestId;
+    this.fields = params.fields;
+    this.retryAfter = params.retryAfter;
+    this.data = params.data;
+  }
+  static notConfigured() {
+    return new _BackendError("notConfigured", {
+      code: "not_configured",
+      message: "Palbe is not configured. Run 'palbase web link' in your project and make sure palbe.gen.ts is imported once at app startup."
+    });
+  }
+};
+function isFieldErrorArray(value) {
+  return Array.isArray(value) && value.length > 0 && value.every(
+    (v) => typeof v === "object" && v !== null && typeof v.field === "string" && typeof v.message === "string"
+  );
+}
+function pickField(value, key) {
+  if (typeof value === "object" && value !== null) {
+    return value[key];
+  }
+  return void 0;
+}
+function pickNumber(value, key) {
+  const n = pickField(value, key);
+  return typeof n === "number" ? n : void 0;
+}
+function pickString(value, key) {
+  const s = pickField(value, key);
+  return typeof s === "string" ? s : void 0;
+}
+function fromPalbaseError(err) {
+  const base = {
+    code: err.code,
+    message: err.message,
+    status: err.status,
+    requestId: pickString(err.details, "request_id"),
+    data: pickField(err.details, "data")
+  };
+  if (err.code === "network_error") return new BackendError("network", base);
+  if (err.status === 401) return new BackendError("unauthorized", base);
+  if (err.status === 429)
+    return new BackendError("rateLimited", {
+      ...base,
+      retryAfter: pickNumber(err.details, "retry_after")
+    });
+  const nested = pickField(err.details, "details");
+  if (err.status === 400 && isFieldErrorArray(nested))
+    return new BackendError("validation", { ...base, fields: nested });
+  return new BackendError("server", base);
+}
+function fromEnvelope(status, body) {
+  const code = pickString(body, "error") ?? "http_error";
+  const message = pickString(body, "error_description") ?? `HTTP ${status}`;
+  const requestId = pickString(body, "request_id");
+  const details = pickField(body, "details");
+  const params = {
+    code,
+    message,
+    status,
+    requestId,
+    data: pickField(body, "data")
+  };
+  if (status === 401) return new BackendError("unauthorized", params);
+  if (status === 429)
+    return new BackendError("rateLimited", {
+      ...params,
+      // Real 429 wire body has TOP-LEVEL retry_after; nested details is a fallback.
+      retryAfter: pickNumber(body, "retry_after") ?? pickNumber(details, "retry_after")
+    });
+  if (status === 400 && isFieldErrorArray(details))
+    return new BackendError("validation", { ...params, fields: details });
+  return new BackendError("server", params);
+}
+function isBackendError(e) {
+  return e instanceof BackendError || typeof e === "object" && e !== null && e.name === "BackendError" && typeof e.kind === "string";
+}
+function asPalbaseError(e) {
+  if (e instanceof PalbaseError) return e;
+  if (e instanceof Error && e.name === "PalbaseError") return e;
+  return null;
+}
+function unwrap(res) {
+  if (res.error) throw fromPalbaseError(res.error);
+  return res.data;
+}
+
+// src/request.ts
+var MUTATING = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH", "DELETE"]);
+async function palbeRequest(rt, method, path, spec = {}) {
+  const headers = { ...spec.headers };
+  const callerHasKey = Object.keys(headers).some((k) => k.toLowerCase() === "idempotency-key");
+  if (MUTATING.has(method) && !callerHasKey) {
+    headers["Idempotency-Key"] = crypto.randomUUID();
+  }
+  const attempt = async () => {
+    try {
+      return await rt.http.request(method, path, {
+        body: spec.body,
+        headers,
+        signal: spec.signal
+      });
+    } catch (e) {
+      const pe = asPalbaseError(e);
+      throw pe ? fromPalbaseError(pe) : e;
+    }
+  };
+  let res = await attempt();
+  if (res.error?.status === 401 && rt.tokenManager.getRefreshToken() && rt.tokenManager.refreshFunction) {
+    try {
+      await rt.tokenManager.refreshSession();
+    } catch (refreshErr) {
+      const pe = asPalbaseError(refreshErr);
+      const status = pe?.status ?? 0;
+      if (status === 400 || status === 401 || status === 403) {
+        rt.tokenManager.clearSession();
+        throw fromPalbaseError(res.error);
+      }
+      throw pe ? fromPalbaseError(pe) : refreshErr;
+    }
+    res = await attempt();
+  }
+  return unwrap(res);
+}
+
+// src/state.ts
+var STATE_KEY = /* @__PURE__ */ Symbol.for("palbe.state.v1");
+function palbeState() {
+  const g = globalThis;
+  let state = g[STATE_KEY];
+  if (!state) {
+    state = { runtime: null, registry: {}, nsCache: {}, configuredListeners: /* @__PURE__ */ new Set() };
+    g[STATE_KEY] = state;
+  }
+  return state;
+}
+
+// src/namespaces.ts
+function isDescriptor(node) {
+  return typeof node.path === "string" && typeof node.method === "string";
+}
+function getRegistry() {
+  return palbeState().registry;
+}
+function serializeQuery(input) {
+  if (input === void 0 || input === null) return "";
+  const entries = Object.entries(input).filter(([, v]) => v !== void 0 && v !== null).sort(([a], [b]) => a < b ? -1 : a > b ? 1 : 0);
+  if (entries.length === 0) return "";
+  const parts = entries.map(([k, v]) => {
+    if (typeof v !== "string" && typeof v !== "number" && typeof v !== "boolean") {
+      throw new BackendError("validation", {
+        code: "invalid_query_value",
+        message: `Query parameter '${k}' must be a string, number, or boolean.`
+      });
+    }
+    return `${encodeURIComponent(k)}=${encodeURIComponent(String(v))}`;
+  });
+  return `?${parts.join("&")}`;
+}
+async function invokeDescriptor(rt, d, args) {
+  const params = d.pathParams ?? [];
+  let path = d.path;
+  for (let i = 0; i < params.length; i++) {
+    const v = args[i];
+    if (typeof v !== "string" && typeof v !== "number") {
+      throw new BackendError("validation", {
+        code: "missing_path_param",
+        message: `${d.path}: path parameter '${params[i]}' must be a string or number`
+      });
+    }
+    path = path.replace(`{${params[i]}}`, encodeURIComponent(String(v)));
+  }
+  if (d.input === "none" && args.length > params.length + 1) {
+    throw new BackendError("validation", {
+      code: "unexpected_argument",
+      message: `${d.path}: endpoint takes no input \u2014 pass only path params and options`
+    });
+  }
+  const input = d.input === "none" ? void 0 : args[params.length];
+  const optionsSlot = d.input === "none" ? params.length : params.length + 1;
+  const options = args[optionsSlot];
+  let body;
+  if (d.input === "query") {
+    path += serializeQuery(input);
+  } else if (d.input !== "none") {
+    if (d.method === "GET") {
+      if (input !== void 0) {
+        throw new BackendError("validation", {
+          code: "unsupported_get_input",
+          message: `${d.path}: GET endpoints take no body input`
+        });
+      }
+    } else {
+      body = input;
+    }
+  }
+  try {
+    return await palbeRequest(rt, d.method, path, {
+      body,
+      headers: options?.headers,
+      signal: options?.signal
+    });
+  } catch (e) {
+    if (d.errors && isBackendError(e)) {
+      const lift = d.errors[e.code];
+      if (lift) throw lift(e);
+    }
+    throw e;
+  }
+}
+function materialize(node, resolveRt) {
+  if (isDescriptor(node)) {
+    return async (...args) => invokeDescriptor(resolveRt(), node, args);
+  }
+  const out = {};
+  for (const [key, child] of Object.entries(node)) {
+    out[key] = materialize(child, resolveRt);
+  }
+  return out;
+}
+function getNamespace(name) {
+  const state = palbeState();
+  const cached = state.nsCache[name];
+  if (cached !== void 0) return cached;
+  const node = state.registry[name];
+  if (node === void 0) return void 0;
+  const ns = materialize(node, getRuntime);
+  state.nsCache[name] = ns;
+  return ns;
+}
+function boundNamespaceAccessor(rt) {
+  let cacheRegistry = palbeState().registry;
+  let cache = {};
+  return (name) => {
+    const registry = palbeState().registry;
+    if (registry !== cacheRegistry) {
+      cacheRegistry = registry;
+      cache = {};
+    }
+    const cached = cache[name];
+    if (cached !== void 0) return cached;
+    const node = registry[name];
+    if (node === void 0) return void 0;
+    const ns = materialize(node, () => rt);
+    cache[name] = ns;
+    return ns;
+  };
+}
+
+// ../modules/auth/dist/index.js
+function validatePathParam(name, value) {
+  if (value.includes("/") || value.includes("..") || value.includes("%")) {
+    throw new Error(`Invalid ${name}: must not contain path separators`);
+  }
+}
+var TOKEN_BUFFER_MS = 5 * 60 * 1e3;
+var DeviceClient = class {
+  httpClient;
+  cachedToken = null;
+  refreshTimer = null;
+  constructor(httpClient) {
+    this.httpClient = httpClient;
+  }
+  /** Generate a device attestation challenge. */
+  async generateChallenge() {
+    return this.httpClient.request("POST", "/auth/devices/challenge");
+  }
+  /** Attest an Android device with a Play Integrity verdict token. */
+  async attestAndroid(params) {
+    return this.httpClient.request("POST", "/auth/devices/attest/android", {
+      body: params
+    });
+  }
+  /** Attest an iOS device with App Attest attestation data. */
+  async attestiOS(params) {
+    return this.httpClient.request("POST", "/auth/devices/attest/ios", {
+      body: params
+    });
+  }
+  /** Bind a verified device with a public key for request signing. */
+  async bind(params) {
+    return this.httpClient.request("POST", "/auth/devices/bind", {
+      body: params
+    });
+  }
+  /** List all devices for the current user. */
+  async list() {
+    return this.httpClient.request("GET", "/auth/devices");
+  }
+  /** Delete a device by ID. */
+  async delete(deviceId) {
+    validatePathParam("deviceId", deviceId);
+    return this.httpClient.request("DELETE", `/auth/devices/${deviceId}`);
+  }
+  /**
+   * Verify a request signature from a device (server-only).
+   * Should NOT be exposed in client SDK.
+   */
+  async verifyRequestSignature(deviceId, params) {
+    validatePathParam("deviceId", deviceId);
+    return this.httpClient.request(
+      "POST",
+      `/auth/devices/${deviceId}/verify`,
+      { body: params }
+    );
+  }
+  /** Get the cached App Check token, or null if not available / expired. */
+  getToken() {
+    if (!this.cachedToken) return null;
+    if (Date.now() >= this.cachedToken.expiresAt) return null;
+    return this.cachedToken.token;
+  }
+  /** Whether App Check is active (token cached and not expired). */
+  get isActive() {
+    return this.getToken() !== null;
+  }
+  /** Set a cached App Check token manually (e.g. after attest flow). */
+  setCachedToken(token, expiresInMs) {
+    this.cachedToken = {
+      token,
+      expiresAt: Date.now() + expiresInMs
+    };
+    this.scheduleRefresh(expiresInMs);
+  }
+  /** Clean up timers and cached state. */
+  dispose() {
+    if (this.refreshTimer) {
+      clearTimeout(this.refreshTimer);
+      this.refreshTimer = null;
+    }
+    this.cachedToken = null;
+  }
+  scheduleRefresh(ttlMs) {
+    if (this.refreshTimer) {
+      clearTimeout(this.refreshTimer);
+    }
+    const refreshIn = Math.max(ttlMs - TOKEN_BUFFER_MS, 0);
+    this.refreshTimer = setTimeout(() => {
+      this.cachedToken = null;
+    }, refreshIn);
+  }
+};
+var PROVIDER_RE = /^[a-zA-Z0-9_-]+$/;
+function validatePathParam2(name, value) {
+  if (value.includes("/") || value.includes("..") || value.includes("%")) {
+    throw new Error(`Invalid ${name}: must not contain path separators`);
+  }
+}
+function toSession(result) {
+  return {
+    accessToken: result.access_token,
+    refreshToken: result.refresh_token,
+    expiresAt: Date.now() + result.expires_in * 1e3
+  };
+}
+function toUser(result) {
+  return {
+    id: result.user.id,
+    email: result.user.email,
+    emailVerified: result.user.email_verified,
+    createdAt: result.user.created_at,
+    updatedAt: result.user.created_at
+  };
+}
+var AuthClient = class {
+  httpClient;
+  tokenManager;
+  apiKey;
+  baseUrl;
+  currentSession = null;
+  hasSession = false;
+  _mfa = null;
+  /** Device attestation */
+  device;
+  constructor(httpClient, tokenManager, apiKey, baseUrl, _options) {
+    this.httpClient = httpClient;
+    this.tokenManager = tokenManager;
+    this.apiKey = apiKey ?? "";
+    this.baseUrl = baseUrl ?? "";
+    this.device = new DeviceClient(httpClient);
+    this.tokenManager.onAuthStateChange((event, session) => {
+      if (event === "SESSION_SET") {
+        this.currentSession = session;
+      } else {
+        this.currentSession = null;
+      }
+    });
+  }
+  // ── Core Auth ───────────────────────────────────────────
+  async signUp(credentials) {
+    const response = await this.httpClient.request("POST", "/auth/signup", {
+      body: credentials
+    });
+    if (response.data) {
+      const session = toSession(response.data);
+      const user = toUser(response.data);
+      this.setSessionAndWireRefresh(session);
+      return { data: { user, session }, error: null, status: response.status };
+    }
+    return { data: null, error: response.error, status: response.status };
+  }
+  async signIn(credentials) {
+    const response = await this.httpClient.request("POST", "/auth/login", {
+      body: credentials
+    });
+    if (response.data) {
+      const session = toSession(response.data);
+      const user = toUser(response.data);
+      this.setSessionAndWireRefresh(session);
+      return { data: { user, session }, error: null, status: response.status };
+    }
+    return { data: null, error: response.error, status: response.status };
+  }
+  async signOut() {
+    const response = await this.httpClient.request("POST", "/auth/logout");
+    this.tokenManager.clearSession();
+    this.hasSession = false;
+    return response;
+  }
+  // ── Email Verification ──────────────────────────────────
+  async verifyEmail(params) {
+    return this.httpClient.request("POST", "/auth/verify-email", {
+      body: params
+    });
+  }
+  async resendVerification(email) {
+    return this.httpClient.request(
+      "POST",
+      "/auth/resend-verification",
+      { body: { email } }
+    );
+  }
+  // ── Password ────────────────────────────────────────────
+  async requestPasswordReset(params) {
+    return this.httpClient.request("POST", "/auth/password/reset", {
+      body: params
+    });
+  }
+  async confirmPasswordReset(params) {
+    return this.httpClient.request("POST", "/auth/password/reset/confirm", {
+      body: params
+    });
+  }
+  async changePassword(params) {
+    return this.httpClient.request("POST", "/auth/password/change", {
+      body: params
+    });
+  }
+  // ── Token ───────────────────────────────────────────────
+  async refresh() {
+    const refreshToken = this.tokenManager.getRefreshToken();
+    if (!refreshToken) {
+      return {
+        data: null,
+        error: new PalbaseError("no_refresh_token", "No refresh token available", 0),
+        status: 0
+      };
+    }
+    const response = await this.httpClient.request("POST", "/auth/token/refresh", {
+      body: { refresh_token: refreshToken }
+    });
+    if (response.data) {
+      const session = {
+        accessToken: response.data.access_token,
+        refreshToken: response.data.refresh_token,
+        expiresAt: Date.now() + response.data.expires_in * 1e3
+      };
+      this.tokenManager.setSession(session);
+    }
+    return response;
+  }
+  getAccessToken() {
+    return this.tokenManager.getAccessToken();
+  }
+  onTokenChange(callback) {
+    return this.tokenManager.onAuthStateChange((event, session) => {
+      if (event === "SESSION_SET" && session) {
+        callback({ accessToken: session.accessToken, refreshToken: session.refreshToken });
+      } else {
+        callback({ accessToken: null, refreshToken: null });
+      }
+    });
+  }
+  setTokens(accessToken, refreshToken, expiresIn = 3600) {
+    const session = {
+      accessToken,
+      refreshToken,
+      // Default 1h when the caller has no TTL; corrected on next refresh anyway.
+      expiresAt: Date.now() + expiresIn * 1e3
+    };
+    this.setSessionAndWireRefresh(session);
+  }
+  // ── Sessions ────────────────────────────────────────────
+  async listSessions() {
+    const response = await this.httpClient.request(
+      "GET",
+      "/auth/sessions"
+    );
+    if (response.data) {
+      return { data: response.data.sessions, error: null, status: response.status };
+    }
+    return { data: null, error: response.error, status: response.status };
+  }
+  async revokeSession(sessionId) {
+    validatePathParam2("sessionId", sessionId);
+    return this.httpClient.request("DELETE", `/auth/sessions/${sessionId}`);
+  }
+  async revokeAllSessions() {
+    return this.httpClient.request("DELETE", "/auth/sessions");
+  }
+  // ── MFA ─────────────────────────────────────────────────
+  get mfa() {
+    this._mfa ??= this.buildMfa();
+    return this._mfa;
+  }
+  buildMfa() {
+    return {
+      enroll: (params) => this.httpClient.request("POST", "/auth/mfa/enroll", { body: params }),
+      verifyEnrollment: (code) => this.httpClient.request("POST", "/auth/mfa/verify", { body: { code } }),
+      challenge: (params) => this.httpClient.request("POST", "/auth/mfa/challenge", { body: params }),
+      recovery: (params) => this.httpClient.request("POST", "/auth/mfa/recovery", { body: params }),
+      listFactors: () => this.httpClient.request("GET", "/auth/mfa/factors"),
+      removeFactor: (factorId, currentPassword) => {
+        validatePathParam2("factorId", factorId);
+        return this.httpClient.request("DELETE", `/auth/mfa/factors/${factorId}`, {
+          body: { current_password: currentPassword }
+        });
+      },
+      regenerateRecoveryCodes: () => this.httpClient.request("POST", "/auth/mfa/recovery-codes/regenerate"),
+      emailEnroll: () => this.httpClient.request("POST", "/auth/mfa/email/enroll"),
+      emailChallenge: (params) => this.httpClient.request("POST", "/auth/mfa/email/challenge", { body: params }),
+      emailVerify: (params) => this.httpClient.request("POST", "/auth/mfa/email/verify", { body: params })
+    };
+  }
+  // ── OAuth / Social ──────────────────────────────────────
+  async getOAuthURL(options) {
+    if (!PROVIDER_RE.test(options.provider)) {
+      return {
+        data: null,
+        error: new PalbaseError("invalid_provider", "Invalid OAuth provider name", 0),
+        status: 0
+      };
+    }
+    const params = new URLSearchParams();
+    if (options.redirectTo) {
+      params.set("redirect_uri", options.redirectTo);
+    }
+    const query = params.toString();
+    const path = `/auth/oauth/${options.provider}/authorize${query ? `?${query}` : ""}`;
+    return this.httpClient.request("GET", path);
+  }
+  async signInWithCredential(params) {
+    const response = await this.httpClient.request("POST", "/auth/oauth/credential", {
+      body: params
+    });
+    if (response.data?.access_token) {
+      const session = toSession(response.data);
+      const user = toUser(response.data);
+      this.setSessionAndWireRefresh(session);
+      return { data: { user, session }, error: null, status: response.status };
+    }
+    return { data: null, error: response.error, status: response.status };
+  }
+  // ── Identities ──────────────────────────────────────────
+  async listIdentities() {
+    return this.httpClient.request("GET", "/auth/identities");
+  }
+  async linkIdentity(params) {
+    return this.httpClient.request("POST", "/auth/identities/link", {
+      body: params
+    });
+  }
+  async unlinkIdentity(identityId) {
+    validatePathParam2("identityId", identityId);
+    return this.httpClient.request(
+      "DELETE",
+      `/auth/identities/${identityId}`
+    );
+  }
+  // ── Magic Link ──────────────────────────────────────────
+  async requestMagicLink(params) {
+    return this.httpClient.request("POST", "/auth/magic-link", {
+      body: params
+    });
+  }
+  async verifyMagicLink(params) {
+    const response = await this.httpClient.request("POST", "/auth/magic-link/verify", {
+      body: params
+    });
+    if (response.data?.access_token) {
+      const session = toSession(response.data);
+      const user = toUser(response.data);
+      this.setSessionAndWireRefresh(session);
+      return { data: { user, session }, error: null, status: response.status };
+    }
+    return { data: null, error: response.error, status: response.status };
+  }
+  // ── Trusted Devices ─────────────────────────────────────
+  async listTrustedDevices() {
+    return this.httpClient.request(
+      "GET",
+      "/auth/trusted-devices"
+    );
+  }
+  async registerTrustedDevice(params) {
+    return this.httpClient.request(
+      "POST",
+      "/auth/trusted-devices",
+      { body: params }
+    );
+  }
+  async revokeTrustedDevice(deviceId) {
+    validatePathParam2("deviceId", deviceId);
+    return this.httpClient.request(
+      "DELETE",
+      `/auth/trusted-devices/${deviceId}`
+    );
+  }
+  // ── Session State ───────────────────────────────────────
+  getSession() {
+    return { data: this.currentSession, error: null };
+  }
+  onAuthStateChange(callback) {
+    const unsubscribe = this.tokenManager.onAuthStateChange((event, session) => {
+      let authEvent;
+      if (event === "SESSION_SET") {
+        authEvent = this.hasSession ? "TOKEN_REFRESHED" : "SIGNED_IN";
+        this.hasSession = true;
+      } else {
+        authEvent = "SIGNED_OUT";
+        this.hasSession = false;
+      }
+      callback(authEvent, session);
+    });
+    return { data: { subscription: { unsubscribe } } };
+  }
+  // ── Server-only ─────────────────────────────────────────
+  /**
+   * Verify a user's JWT token by calling GET /auth/user with their token.
+   * Server-only — should NOT be exposed in client SDK.
+   */
+  async verifyUserToken(jwt) {
+    const url = `${this.baseUrl}/auth/user`;
+    let response;
+    try {
+      response = await fetch(url, {
+        method: "GET",
+        headers: {
+          apikey: this.apiKey,
+          Authorization: `Bearer ${jwt}`,
+          "Content-Type": "application/json"
+        }
+      });
+    } catch (error) {
+      throw new PalbaseError(
+        "network_error",
+        error instanceof Error ? error.message : "Network request failed",
+        0
+      );
+    }
+    const contentType = response.headers.get("Content-Type");
+    if (response.ok && contentType?.includes("application/json")) {
+      const data = await response.json();
+      return { data, error: null, status: response.status };
+    }
+    let errorBody;
+    if (contentType?.includes("application/json")) {
+      errorBody = await response.json();
+    }
+    return {
+      data: null,
+      error: new PalbaseError(
+        errorBody?.error ?? "invalid_token",
+        errorBody?.error_description ?? "Token verification failed",
+        response.status,
+        errorBody
+      ),
+      status: response.status
+    };
+  }
+  // ── Private ─────────────────────────────────────────────
+  setSessionAndWireRefresh(session) {
+    this.tokenManager.setSession(session);
+    this.hasSession = true;
+    this.tokenManager.refreshFunction = async (refreshToken) => {
+      const response = await this.httpClient.request("POST", "/auth/token/refresh", {
+        body: { refresh_token: refreshToken }
+      });
+      if (response.error || !response.data) {
+        throw response.error ?? new Error("Failed to refresh token");
+      }
+      return {
+        accessToken: response.data.access_token,
+        refreshToken: response.data.refresh_token,
+        expiresAt: Date.now() + response.data.expires_in * 1e3
+      };
+    };
+  }
+};
+
+// src/analytics-facade.ts
+var EVENT_NAME_RE = /^[a-zA-Z$][a-zA-Z0-9_.:$-]{0,63}$/;
+var FLUSH_AT = 20;
+var FLUSH_INTERVAL_MS = 1e4;
+var MAX_BATCH_SIZE = 100;
+var warnedInvalidEventName = false;
+function warnInvalidEventName(name) {
+  if (warnedInvalidEventName) return;
+  warnedInvalidEventName = true;
+  console.warn(
+    `palbe analytics: dropping event "${name}" \u2014 names must match ^[a-zA-Z$][a-zA-Z0-9_.:$-]{0,63}$ (warned once per process)`
+  );
+}
+function defaultStringStore() {
+  if (typeof document !== "undefined" && typeof localStorage !== "undefined") {
+    return {
+      get: (key) => {
+        try {
+          return localStorage.getItem(key);
+        } catch {
+          return null;
+        }
+      },
+      set: (key, value) => {
+        try {
+          localStorage.setItem(key, value);
+        } catch {
+        }
+      },
+      remove: (key) => {
+        try {
+          localStorage.removeItem(key);
+        } catch {
+        }
+      }
+    };
+  }
+  const mem = /* @__PURE__ */ new Map();
+  return {
+    get: (key) => mem.get(key) ?? null,
+    set: (key, value) => {
+      mem.set(key, value);
+    },
+    remove: (key) => {
+      mem.delete(key);
+    }
+  };
+}
+var AnalyticsState = class {
+  identifiedUserId = null;
+  /** Set by PalbeAnalytics on construction — delegates auth events to it. */
+  facadeAuthHandler = null;
+  anonId = null;
+  store = defaultStringStore();
+  idKey;
+  optOutKey;
+  constructor(rt) {
+    const ref = endpointRefFromApiKey(rt.config.apiKey);
+    this.idKey = ref ? `palbe.analytics.id.${ref}` : "palbe.analytics.id";
+    this.optOutKey = ref ? `palbe.analytics.optout.${ref}` : "palbe.analytics.optout";
+    rt.auth.onAuthEvent((event) => {
+      if (this.facadeAuthHandler) {
+        this.facadeAuthHandler(event);
+        return;
+      }
+      if (event.type === "signedIn") {
+        if (!this.isOptedOut()) this.identifiedUserId = event.user.id;
+      } else if (event.type === "signedOut" && event.reason === "userInitiated") {
+        this.identifiedUserId = null;
+        this.rotateAnonymousId();
+      }
+    });
+  }
+  /** User id when identified, else the stable anon id. NEVER empty —
+   * this is what `identify()` links, so stamping it on every request lets
+   * the trace pipeline stitch pre-login activity to the user. */
+  distinctId() {
+    return this.identifiedUserId ?? this.anonymousId();
+  }
+  anonymousId() {
+    if (this.anonId) return this.anonId;
+    const stored = this.store.get(this.idKey);
+    if (stored) {
+      this.anonId = stored;
+      return stored;
+    }
+    return this.rotateAnonymousId();
+  }
+  rotateAnonymousId() {
+    const fresh = crypto.randomUUID();
+    this.store.set(this.idKey, fresh);
+    this.anonId = fresh;
+    return fresh;
+  }
+  isOptedOut() {
+    return this.store.get(this.optOutKey) === "true";
+  }
+  setOptOut(on) {
+    if (on) this.store.set(this.optOutKey, "true");
+    else this.store.remove(this.optOutKey);
+  }
+};
+var PalbeAnalytics = class {
+  constructor(rt, state) {
+    this.rt = rt;
+    this.state = state;
+    this.state.facadeAuthHandler = (event) => {
+      this.handleAuthEvent(event);
+    };
+  }
+  rt;
+  state;
+  buffer = [];
+  flushTimer = null;
+  /** Browser → buffer + size/timer flush. Server (no document) → immediate
+   * per-call POST, zero timers (nothing leaks into RSC/route handlers). */
+  browser = typeof document !== "undefined";
+  /** Record an event. Invalid names are dropped (one warn per process). */
+  capture(event, properties) {
+    if (this.state.isOptedOut()) return;
+    if (!EVENT_NAME_RE.test(event)) {
+      warnInvalidEventName(event);
+      return;
+    }
+    this.ingest(event, properties);
+  }
+  /** Record a screen view — server-canonical `$screen` + `screen_name`.
+   * Validates non-empty only (the live wire at /v1/analytics/screen requires
+   * non-empty screen_name; the event-name regex does NOT apply here). */
+  screen(name, properties) {
+    if (this.state.isOptedOut()) return;
+    if (name.trim() === "") {
+      console.warn("palbe analytics: dropping screen() \u2014 name must be non-empty");
+      return;
+    }
+    this.ingest("$screen", { ...properties, screen_name: name });
+  }
+  /** Link the current anon id to `userId` and adopt it as the distinct id.
+   * Immediate POST (not buffered). Re-identifying a DIFFERENT user
+   * auto-resets first (iOS K10) so one anon id never links two users. */
+  identify(userId, traits) {
+    if (this.state.isOptedOut()) return;
+    const existing = this.state.identifiedUserId;
+    if (existing && existing !== userId) {
+      console.warn(
+        `palbe analytics: re-identify changes the user from ${existing} to ${userId} \u2014 auto-resetting (call reset() first if this is intentional)`
+      );
+      this.reset();
+    }
+    const ts = Date.now();
+    const body = {
+      distinct_id: userId,
+      anonymous_id: this.state.anonymousId(),
+      timestamp: ts,
+      sent_at: ts
+    };
+    if (traits) body.traits = traits;
+    this.state.identifiedUserId = userId;
+    void this.post("/v1/analytics/identify", body);
+  }
+  /** Merge distinct id `from` into `to` (identity stitching). Immediate POST. */
+  alias(from, to) {
+    if (this.state.isOptedOut()) return;
+    const ts = Date.now();
+    void this.post("/v1/analytics/alias", { from, to, timestamp: ts, sent_at: ts });
+  }
+  /** Drop the buffer, clear the identified user and rotate the anon id
+   * (sign-out hygiene). Callers wanting pending events delivered flush first
+   * — the auth binding does. */
+  reset() {
+    this.buffer.length = 0;
+    this.cancelTimer();
+    this.state.identifiedUserId = null;
+    this.state.rotateAnonymousId();
+  }
+  /** Persisted GDPR opt-out. Opting out drops anything pending so nothing
+   * already-buffered leaks after the user said stop. */
+  setOptOut(on) {
+    this.state.setOptOut(on);
+    if (on) {
+      this.buffer.length = 0;
+      this.cancelTimer();
+    }
+  }
+  /** Drain the buffer to /v1/analytics/batch (≤100 per request, sequential).
+   * Resolves when delivery finished; NEVER rejects — failed slices are
+   * dropped with one warn per flush. 207 partial-reject is also warned once
+   * (fire-and-forget: no retry for already-delivered batches). */
+  async flush() {
+    this.cancelTimer();
+    if (this.buffer.length === 0) return;
+    const sentAt = Date.now();
+    let warned = false;
+    while (this.buffer.length > 0) {
+      const slice = this.buffer.splice(0, MAX_BATCH_SIZE);
+      try {
+        const result = await palbeRequest(
+          this.rt,
+          "POST",
+          "/v1/analytics/batch",
+          { body: { events: slice.map((e) => ({ ...e, sent_at: sentAt })) } }
+        );
+        if (Array.isArray(result?.rejected) && result.rejected.length > 0) {
+          console.warn(
+            `palbe analytics: batch partial-reject \u2014 ${result.rejected.length} event(s) rejected by server`
+          );
+        }
+      } catch (err) {
+        if (!warned) {
+          warned = true;
+          console.warn("palbe analytics: batch flush failed \u2014 events dropped", err);
+        }
+      }
+    }
+  }
+  // ── internals ──────────────────────────────────────────
+  ingest(event, properties) {
+    const wire = {
+      event,
+      distinct_id: this.state.distinctId(),
+      // stamped at capture time
+      timestamp: Date.now()
+    };
+    if (properties) wire.properties = properties;
+    if (!this.browser) {
+      void this.post("/v1/analytics/capture", { ...wire, sent_at: wire.timestamp });
+      return;
+    }
+    this.buffer.push(wire);
+    if (this.buffer.length >= FLUSH_AT) void this.flush();
+    else this.startTimer();
+  }
+  /** iOS PalBackend auth-binding parity: signedIn → flush + identify;
+   * userInitiated signedOut → flush + reset; sessionExpired → flush only. */
+  handleAuthEvent(event) {
+    if (event.type === "signedIn") {
+      void this.flush().then(() => {
+        this.identify(event.user.id);
+      });
+    } else if (event.type === "signedOut") {
+      if (event.reason === "userInitiated") {
+        void this.flush().then(() => {
+          this.reset();
+        });
+      } else {
+        void this.flush();
+      }
+    }
+  }
+  startTimer() {
+    if (this.flushTimer !== null) return;
+    this.flushTimer = setTimeout(() => {
+      this.flushTimer = null;
+      void this.flush();
+    }, FLUSH_INTERVAL_MS);
+  }
+  cancelTimer() {
+    if (this.flushTimer !== null) {
+      clearTimeout(this.flushTimer);
+      this.flushTimer = null;
+    }
+  }
+  async post(path, body) {
+    try {
+      await palbeRequest(this.rt, "POST", path, { body });
+    } catch (err) {
+      console.warn(`palbe analytics: POST ${path} failed`, err);
+    }
+  }
+};
+
+// src/auth-facade.ts
+function mapWireUser(raw) {
+  return {
+    id: raw.id,
+    email: raw.email ?? null,
+    emailVerified: raw.email_verified,
+    createdAt: raw.created_at
+  };
+}
+function mapClientUser(u) {
+  return {
+    id: u.id,
+    email: u.email || null,
+    emailVerified: u.emailVerified,
+    createdAt: u.createdAt
+  };
+}
+function usersEqual(a, b) {
+  return b !== null && a.id === b.id && a.email === b.email && a.emailVerified === b.emailVerified && a.createdAt === b.createdAt;
+}
+var PalbeAuth = class {
+  constructor(rt) {
+    this.rt = rt;
+    rt.authClient.onAuthStateChange((event, _session) => {
+      if (event === "SIGNED_OUT") {
+        if (!this.signedInState) return;
+        this.signedInState = false;
+        this.cachedUser = null;
+        const reason = this.signingOut ? "userInitiated" : "sessionExpired";
+        this.emitState({ status: "signedOut" });
+        this.emitEvent({ type: "signedOut", reason });
+      } else if (event === "TOKEN_REFRESHED") {
+        if (this.signingIn) return;
+        this.emitEvent({ type: "tokenRefreshed" });
+      }
+    });
+    this.signedInState = rt.tokenManager.getRefreshToken() !== null;
+  }
+  rt;
+  cachedUser = null;
+  signingOut = false;
+  signingIn = false;
+  // suppresses AuthClient's TOKEN_REFRESHED during re-signIn
+  signedInState = false;
+  // dedupes AuthClient's repeated SIGNED_OUT events
+  stateListeners = /* @__PURE__ */ new Set();
+  eventListeners = /* @__PURE__ */ new Set();
+  userListeners = /* @__PURE__ */ new Set();
+  // ── state ──────────────────────────────────────────────
+  get currentUser() {
+    return this.cachedUser;
+  }
+  get isSignedIn() {
+    return this.rt.tokenManager.getRefreshToken() !== null;
+  }
+  // ── core flows ─────────────────────────────────────────
+  async signUp(params) {
+    this.signingIn = true;
+    try {
+      const data = unwrap(await this.rt.authClient.signUp(params));
+      return this.adopt(data);
+    } finally {
+      this.signingIn = false;
+    }
+  }
+  async signIn(params) {
+    this.signingIn = true;
+    try {
+      const data = unwrap(await this.rt.authClient.signIn(params));
+      return this.adopt(data);
+    } finally {
+      this.signingIn = false;
+    }
+  }
+  async signOut() {
+    this.signingOut = true;
+    try {
+      await this.rt.authClient.signOut();
+    } catch {
+    } finally {
+      this.rt.tokenManager.clearSession();
+      this.signingOut = false;
+      this.rt.storage.clear();
+      this.cachedUser = null;
+    }
+  }
+  async getUser() {
+    const raw = await palbeRequest(this.rt, "GET", "/auth/user");
+    return mapWireUser(raw);
+  }
+  async refreshUser() {
+    const user = await this.getUser();
+    const changed = !usersEqual(user, this.cachedUser);
+    this.cachedUser = user;
+    if (changed) for (const cb of this.userListeners) this.safeInvoke(() => cb(user));
+    return user;
+  }
+  // ── listeners ──────────────────────────────────────────
+  /**
+   * Subscribe to signed-in/signed-out state. Fires immediately with the
+   * current snapshot (iOS parity). NOTE: a restored session (page reload) has
+   * no cached user yet, so the immediate snapshot reports signedOut even when
+   * `isSignedIn` is true — call `refreshUser()` on boot to populate the user
+   * and rely on `isSignedIn` for the session truth.
+   */
+  onAuthStateChange(callback) {
+    this.stateListeners.add(callback);
+    this.safeInvoke(() => callback(this.snapshotState()));
+    return () => this.stateListeners.delete(callback);
+  }
+  onAuthEvent(callback) {
+    this.eventListeners.add(callback);
+    return () => this.eventListeners.delete(callback);
+  }
+  /** Subscribe to user-profile changes. Replays the cached user on subscribe (iOS parity). */
+  onUserChange(callback) {
+    this.userListeners.add(callback);
+    const u = this.cachedUser;
+    if (u) this.safeInvoke(() => callback(u));
+    return () => this.userListeners.delete(callback);
+  }
+  // ── internals ──────────────────────────────────────────
+  snapshotState() {
+    return this.cachedUser && this.isSignedIn ? { status: "signedIn", user: this.cachedUser } : { status: "signedOut" };
+  }
+  /**
+   * Listener exception isolation: a throwing consumer callback must never
+   * break delivery to other listeners nor propagate into the emit caller
+   * (tokenManager.clearSession callers, pb.call paths, signOut, ...).
+   */
+  safeInvoke(fn) {
+    try {
+      fn();
+    } catch {
+    }
+  }
+  emitState(state) {
+    for (const cb of this.stateListeners) this.safeInvoke(() => cb(state));
+  }
+  emitEvent(event) {
+    for (const cb of this.eventListeners) this.safeInvoke(() => cb(event));
+  }
+  /** Cache the user + announce sign-in. Session was already set by AuthClient. */
+  adopt(data) {
+    const user = mapClientUser(data.user);
+    this.cachedUser = user;
+    this.signedInState = true;
+    this.emitState({ status: "signedIn", user });
+    this.emitEvent({ type: "signedIn", user });
+    return { user, session: data.session };
+  }
+  /** Adopt a raw palauth AuthResult wire shape: wire tokens, cache user, announce. */
+  adoptWire(raw) {
+    this.rt.authClient.setTokens(raw.access_token, raw.refresh_token, raw.expires_in);
+    const user = mapWireUser(raw.user);
+    this.cachedUser = user;
+    this.signedInState = true;
+    this.emitState({ status: "signedIn", user });
+    this.emitEvent({ type: "signedIn", user });
+    const session = {
+      accessToken: raw.access_token,
+      refreshToken: raw.refresh_token,
+      expiresAt: Date.now() + raw.expires_in * 1e3
+    };
+    return { user, session };
+  }
+  /** Run a sign-in flow under the signingIn flag to suppress spurious tokenRefreshed. */
+  async withSigningIn(fn) {
+    this.signingIn = true;
+    try {
+      return await fn();
+    } finally {
+      this.signingIn = false;
+    }
+  }
+  /**
+   * Defensively decode a 200 union body (AuthResult | mfa-required) and
+   * complete the flow. The wire contract promises one of the two shapes, but
+   * a literal-`null` (or otherwise malformed) JSON body must surface as
+   * BackendError('decode') — never a raw TypeError from probing a non-object.
+   * The mfa branch validates its fields: `mfa_token` is required; the factor
+   * list (named `factors` by magic-link verify, `mfa_factors` by the OAuth
+   * callback — extraction-verified against palauth) tolerates a missing or
+   * malformed value as []. The signedIn branch validates the FULL AuthResult
+   * shape (asWireAuthResult) — an incomplete body falls through to decode,
+   * never half-adopts.
+   */
+  completeAuthUnion(raw, factorsKey, context) {
+    if (typeof raw === "object" && raw !== null) {
+      const obj = raw;
+      if (obj.mfa_required === true) {
+        if (typeof obj.mfa_token === "string") {
+          const list = obj[factorsKey];
+          const factors = Array.isArray(list) ? list.filter((f) => typeof f === "string") : [];
+          return { status: "mfaRequired", mfaToken: obj.mfa_token, factors };
+        }
+      } else {
+        const wire = asWireAuthResult(raw);
+        if (wire) return { status: "signedIn", ...this.adoptWire(wire) };
+      }
+    }
+    throw this.decodeError(context);
+  }
+  decodeError(context) {
+    return new BackendError("decode", {
+      code: "decode_error",
+      message: `Unexpected ${context} response`
+    });
+  }
+  // ── additional auth flows ──────────────────────────────
+  async signInWithOTP(params) {
+    await palbeRequest(this.rt, "POST", "/auth/otp", {
+      body: { phone: params.phone, channel: "sms" }
+    });
+  }
+  async verifyOTP(params) {
+    return this.withSigningIn(async () => {
+      const raw = await palbeRequest(this.rt, "POST", "/auth/otp/verify", {
+        body: params
+      });
+      const wire = asWireAuthResult(raw);
+      if (!wire) throw this.decodeError("OTP verify");
+      return this.adoptWire(wire);
+    });
+  }
+  async resetPassword(email) {
+    unwrap(await this.rt.authClient.requestPasswordReset({ email }));
+  }
+  async confirmPasswordReset(params) {
+    unwrap(
+      await this.rt.authClient.confirmPasswordReset({
+        token: params.token,
+        new_password: params.newPassword
+      })
+    );
+  }
+  async updatePassword(params) {
+    unwrap(
+      await this.rt.authClient.changePassword({
+        current_password: params.currentPassword,
+        new_password: params.newPassword
+      })
+    );
+  }
+  async verifyEmail(params) {
+    unwrap(await this.rt.authClient.verifyEmail(params));
+  }
+  async resendVerification(email) {
+    unwrap(await this.rt.authClient.resendVerification(email));
+  }
+  async signInWithMagicLink(email) {
+    unwrap(await this.rt.authClient.requestMagicLink({ email }));
+  }
+  async verifyMagicLink(token) {
+    return this.withSigningIn(async () => {
+      const raw = await palbeRequest(this.rt, "POST", "/auth/magic-link/verify", {
+        body: { token }
+      });
+      return this.completeAuthUnion(raw, "factors", "magic-link verify");
+    });
+  }
+  async signInWithCredential(params) {
+    return this.withSigningIn(async () => {
+      const data = unwrap(await this.rt.authClient.signInWithCredential(params));
+      return this.adopt(data);
+    });
+  }
+  async signInWithOAuth(params) {
+    const { redirect = true, ...opts } = params;
+    const { url } = unwrap(await this.rt.authClient.getOAuthURL(opts));
+    if (redirect && typeof window !== "undefined" && typeof window.location !== "undefined") {
+      window.location.assign(url);
+    }
+    return { url };
+  }
+  /**
+   * Complete the OAuth redirect flow: trade the provider's `code` + `state`
+   * (from the app's redirect_uri query) for a session. PKCE verifier + state
+   * live server-side in palauth — the client only relays the two values.
+   */
+  async exchangeCodeForSession(params) {
+    return this.withSigningIn(async () => {
+      const path = `/auth/oauth/${encodeURIComponent(params.provider)}/callback?code=${encodeURIComponent(params.code)}&state=${encodeURIComponent(params.state)}`;
+      const raw = await palbeRequest(this.rt, "GET", path);
+      return this.completeAuthUnion(raw, "mfa_factors", "OAuth code-exchange");
+    });
+  }
+  /** Config-as-code gate for the zero-arg provider sugar. */
+  requireProvider(name, label) {
+    if (!this.rt.config.oauth?.[name]?.enabled) {
+      throw new BackendError("validation", {
+        code: `${name}_not_configured`,
+        message: `${label} sign-in is not configured: enable the ${label} provider for this project, then regenerate palbe.gen.ts.`
+      });
+    }
+  }
+  async signInWithGoogle(opts) {
+    this.requireProvider("google", "Google");
+    return this.signInWithOAuth({ provider: "google", ...opts });
+  }
+  async signInWithApple(opts) {
+    this.requireProvider("apple", "Apple");
+    return this.signInWithOAuth({ provider: "apple", ...opts });
+  }
+};
+
+// ../modules/flags/dist/index.js
+var FLAG_NAME_RE = /^[a-zA-Z0-9_-]+$/;
+var FlagsClient = class {
+  httpClient;
+  getCurrentUserId;
+  /**
+   * @param httpClient transport.
+   * @param getCurrentUserId optional getter resolving the signed-in user's id
+   *   for {@link setOverride}. When omitted (or it returns no id), `setOverride`
+   *   errors and the caller must use {@link asService} for cross-user writes.
+   */
+  constructor(httpClient, getCurrentUserId) {
+    this.httpClient = httpClient;
+    this.getCurrentUserId = getCurrentUserId;
+  }
+  async isEnabled(flagName, context) {
+    if (!FLAG_NAME_RE.test(flagName)) {
+      throw new Error(
+        `Invalid flag name: "${flagName}". Flag names must match ${FLAG_NAME_RE.source}`
+      );
+    }
+    const params = this.buildContextParams(context);
+    const query = params.toString();
+    const path = `/v1/flags/${flagName}/enabled${query ? `?${query}` : ""}`;
+    return this.httpClient.request("GET", path);
+  }
+  async getVariant(flagName, context) {
+    if (!FLAG_NAME_RE.test(flagName)) {
+      throw new Error(
+        `Invalid flag name: "${flagName}". Flag names must match ${FLAG_NAME_RE.source}`
+      );
+    }
+    const params = this.buildContextParams(context);
+    const query = params.toString();
+    const path = `/v1/flags/${flagName}/variant${query ? `?${query}` : ""}`;
+    return this.httpClient.request("GET", path);
+  }
+  async getAll(context) {
+    const params = this.buildContextParams(context);
+    const query = params.toString();
+    const path = `/v1/flags${query ? `?${query}` : ""}`;
+    return this.httpClient.request("GET", path);
+  }
+  /**
+   * Cold-start read: the full merged flag set for the current auth identity.
+   * With a Bearer token the backend returns the user-merged view; without one
+   * it returns project (system) defaults.
+   */
+  snapshot() {
+    return this.httpClient.request("GET", "/v1/user-flags/snapshot");
+  }
+  /**
+   * Incremental read of version-ordered ops since `sinceVersion`.
+   *
+   * Sends `If-None-Match: <sinceVersion>` so an unchanged server can answer
+   * `304 Not Modified` cheaply. The 304 surfaces as a `PalbaseResponse` with
+   * `status === 304` (the core http client maps non-2xx to an error/empty body);
+   * callers treat that as "no change".
+   */
+  delta(sinceVersion) {
+    return this.httpClient.request(
+      "GET",
+      `/v1/user-flags/delta?since=${encodeURIComponent(sinceVersion)}`,
+      { headers: { "If-None-Match": sinceVersion } }
+    );
+  }
+  /**
+   * Set (or replace) a single feature-flag override for the CURRENT USER.
+   *
+   * Resolves the signed-in user from the `getCurrentUserId` getter supplied at
+   * construction and issues `PUT /v1/user-flags/users/{uid}/{key}` with body
+   * `{ value }`. No userId argument — the override is bound to the current
+   * user, so no admin power is required.
+   *
+   * Errors when there is no signed-in user (anonymous, or no getter supplied);
+   * use {@link asService}`.setOverrideForUser(userId, key, value)` to write a
+   * flag override for an arbitrary (cross-user) target.
+   */
+  setOverride(key, value) {
+    const userId = this.getCurrentUserId?.();
+    if (!userId) {
+      throw new Error(
+        "setOverride requires a signed-in user; use FlagsClient.asService().setOverrideForUser(userId, key, value) for cross-user writes"
+      );
+    }
+    return this.httpClient.request(
+      "PUT",
+      `/v1/user-flags/users/${encodeURIComponent(userId)}/${encodeURIComponent(key)}`,
+      { body: { value } }
+    );
+  }
+  /**
+   * Return the cross-user admin write surface ({@link FlagsServiceClient}).
+   *
+   * Use sparingly and explicitly — the default {@link setOverride} path is
+   * bound to the current user; `asService()` is how you write a flag override
+   * for an ARBITRARY user. Mirrors `Database.asService()`. The returned client
+   * shares this client's transport (the privileged service_role key).
+   */
+  asService() {
+    const http = this.httpClient;
+    return {
+      setOverrideForUser(userId, key, value) {
+        return http.request(
+          "PUT",
+          `/v1/user-flags/users/${encodeURIComponent(userId)}/${encodeURIComponent(key)}`,
+          { body: { value } }
+        );
+      },
+      setOverridesForUser(userId, values) {
+        return http.request(
+          "PUT",
+          `/v1/user-flags/users/${encodeURIComponent(userId)}`,
+          { body: { values } }
+        );
+      },
+      clearOverrideForUser(userId, key) {
+        return http.request(
+          "DELETE",
+          `/v1/user-flags/users/${encodeURIComponent(userId)}/${encodeURIComponent(key)}`
+        );
+      },
+      clearAllOverridesForUser(userId) {
+        return http.request(
+          "DELETE",
+          `/v1/user-flags/users/${encodeURIComponent(userId)}`
+        );
+      },
+      batchSetOverrides(operations) {
+        return http.request("POST", "/v1/user-flags/batch", {
+          body: {
+            operations: operations.map((op) => ({
+              user_id: op.userId,
+              values: op.values
+            }))
+          }
+        });
+      }
+    };
+  }
+  buildContextParams(context) {
+    const params = new URLSearchParams();
+    if (context?.userId) {
+      params.set("userId", context.userId);
+    }
+    if (context?.properties) {
+      params.set("properties", JSON.stringify(context.properties));
+    }
+    return params;
+  }
+};
+var DEFAULT_POLL_MS = 3e4;
+var DEFAULT_STORAGE_KEY = "palbase.flags.snapshot";
+var EMPTY_STATE = {
+  values: {},
+  sources: {},
+  syncVersion: null
+};
+var FlagsPool = class {
+  transport;
+  pollIntervalMs;
+  storageKey;
+  persist;
+  env;
+  state = EMPTY_STATE;
+  listeners = /* @__PURE__ */ new Set();
+  timer = null;
+  polling = false;
+  started = false;
+  destroyed = false;
+  readyPromise;
+  resolveReady = null;
+  firstLoadDone = false;
+  authUnsub = null;
+  visibilityUnsub = null;
+  lastAuthHasSession = null;
+  /** Cached frozen view for `getSnapshot` identity stability (React). */
+  frozenView = Object.freeze({});
+  viewDirty = true;
+  constructor(transport, options = {}) {
+    this.transport = transport;
+    this.pollIntervalMs = options.pollIntervalMs ?? DEFAULT_POLL_MS;
+    this.storageKey = options.storageKey ?? DEFAULT_STORAGE_KEY;
+    this.persist = options.persist ?? true;
+    this.env = options.env ?? defaultEnv();
+    this.readyPromise = new Promise((resolve) => {
+      this.resolveReady = resolve;
+    });
+    this.hydrateFromStorage();
+    if (options.auth) {
+      this.bindAuth(options.auth);
+    }
+  }
+  // ---- public surface -----------------------------------------------------
+  /** Start cold-start fetch + polling + visibility binding. Idempotent. */
+  start() {
+    if (this.started || this.destroyed) {
+      return;
+    }
+    this.started = true;
+    void this.refresh();
+    this.startPolling();
+    this.bindVisibility();
+  }
+  /** Resolves once the first snapshot (or persisted hydrate) is available. */
+  ready() {
+    if (this.firstLoadDone) {
+      return Promise.resolve();
+    }
+    if (!this.started) {
+      this.start();
+    }
+    return this.readyPromise;
+  }
+  /** Returns the cached value for `key`, or `fallback` when absent. */
+  get(key, fallback) {
+    const value = this.state.values[key];
+    return value === void 0 ? fallback : value;
+  }
+  /** Boolean convenience: cached value strictly equals `true`, else `fallback`. */
+  isEnabled(key, fallback = false) {
+    const value = this.state.values[key];
+    if (value === void 0) {
+      return fallback;
+    }
+    return value === true;
+  }
+  /** Returns the cached value's source (`system`/`user`) when known. */
+  getSource(key) {
+    return this.state.sources[key];
+  }
+  /** Returns a frozen snapshot of all cached values (stable identity). */
+  all() {
+    if (this.viewDirty) {
+      this.frozenView = Object.freeze({ ...this.state.values });
+      this.viewDirty = false;
+    }
+    return this.frozenView;
+  }
+  /** Current opaque sync version (null before first load). */
+  get syncVersion() {
+    return this.state.syncVersion;
+  }
+  /** Subscribe to any change in the cached set. Returns unsubscribe. */
+  onChange(listener) {
+    this.listeners.add(listener);
+    return () => {
+      this.listeners.delete(listener);
+    };
+  }
+  /**
+   * `useSyncExternalStore`-compatible subscribe. Auto-starts the pool on first
+   * subscription so a React component mount triggers cold-start.
+   */
+  subscribe = (listener) => {
+    if (!this.started) {
+      this.start();
+    }
+    return this.onChange(listener);
+  };
+  /** Force an immediate re-snapshot (used on auth change / manual refresh). */
+  async refresh() {
+    if (this.destroyed) {
+      return;
+    }
+    const res = await this.transport.snapshot();
+    if (res.error || res.data == null) {
+      this.markFirstLoadDone();
+      return;
+    }
+    this.applySnapshot(res.data);
+    this.markFirstLoadDone();
+  }
+  /** Stop timers and detach all auth/visibility listeners. */
+  destroy() {
+    this.destroyed = true;
+    this.stopPolling();
+    this.authUnsub?.();
+    this.authUnsub = null;
+    this.visibilityUnsub?.();
+    this.visibilityUnsub = null;
+    this.listeners.clear();
+  }
+  // ---- internals ----------------------------------------------------------
+  async poll() {
+    if (this.polling || this.destroyed) {
+      return;
+    }
+    const since = this.state.syncVersion;
+    if (since == null) {
+      await this.refresh();
+      return;
+    }
+    this.polling = true;
+    try {
+      const res = await this.transport.delta(since);
+      if (res.status === 304) {
+        return;
+      }
+      if (res.error || res.data == null) {
+        if (res.status === 409 || res.status === 410) {
+          await this.refresh();
+        }
+        return;
+      }
+      this.applyDelta(res.data.ops, res.data.sync_version);
+    } finally {
+      this.polling = false;
+    }
+  }
+  applySnapshot(snapshot) {
+    this.state = {
+      values: { ...snapshot.values },
+      sources: { ...snapshot.sources ?? {} },
+      syncVersion: snapshot.sync_version
+    };
+    this.viewDirty = true;
+    this.persistState();
+    this.notify();
+  }
+  applyDelta(ops, nextVersion) {
+    const values = { ...this.state.values };
+    const sources = { ...this.state.sources };
+    let changed = false;
+    for (const raw of ops) {
+      if (!isDeltaOp(raw)) {
+        continue;
+      }
+      if (raw.op === "delete") {
+        if (raw.key in values) {
+          delete values[raw.key];
+          delete sources[raw.key];
+          changed = true;
+        }
+      } else {
+        values[raw.key] = raw.value;
+        if (raw.source) {
+          sources[raw.key] = raw.source;
+        }
+        changed = true;
+      }
+    }
+    this.state = { values, sources, syncVersion: nextVersion };
+    if (changed) {
+      this.viewDirty = true;
+      this.persistState();
+      this.notify();
+    } else {
+      this.persistState();
+    }
+  }
+  startPolling() {
+    if (this.pollIntervalMs <= 0 || this.timer != null) {
+      return;
+    }
+    this.timer = this.env.setInterval(() => {
+      void this.poll();
+    }, this.pollIntervalMs);
+  }
+  stopPolling() {
+    if (this.timer != null) {
+      this.env.clearInterval(this.timer);
+      this.timer = null;
+    }
+  }
+  bindVisibility() {
+    const vis = this.env.visibility;
+    if (!vis) {
+      return;
+    }
+    this.visibilityUnsub = vis.onVisibilityChange(() => {
+      if (vis.isHidden()) {
+        this.stopPolling();
+      } else {
+        void this.poll();
+        this.startPolling();
+      }
+    });
+  }
+  bindAuth(auth) {
+    const handle = auth.onAuthStateChange((_event, session) => {
+      const hasSession = session != null;
+      if (this.lastAuthHasSession === null) {
+        this.lastAuthHasSession = hasSession;
+        return;
+      }
+      if (hasSession !== this.lastAuthHasSession) {
+        this.lastAuthHasSession = hasSession;
+        if (this.started) {
+          void this.refresh();
+        }
+      }
+    });
+    this.authUnsub = () => handle.data.subscription.unsubscribe();
+  }
+  notify() {
+    for (const listener of this.listeners) {
+      listener();
+    }
+  }
+  markFirstLoadDone() {
+    if (!this.firstLoadDone) {
+      this.firstLoadDone = true;
+      this.resolveReady?.();
+      this.resolveReady = null;
+    }
+  }
+  hydrateFromStorage() {
+    if (!this.persist) {
+      return;
+    }
+    const store = this.env.storage;
+    if (!store) {
+      return;
+    }
+    const raw = store.getItem(this.storageKey);
+    if (!raw) {
+      return;
+    }
+    const parsed = parsePersisted(raw);
+    if (!parsed) {
+      return;
+    }
+    this.state = parsed;
+    this.viewDirty = true;
+    this.markFirstLoadDone();
+  }
+  persistState() {
+    if (!this.persist) {
+      return;
+    }
+    const store = this.env.storage;
+    if (!store || this.state.syncVersion == null) {
+      return;
+    }
+    try {
+      store.setItem(this.storageKey, JSON.stringify(this.state));
+    } catch {
+    }
+  }
+};
+function isDeltaOp(value) {
+  if (typeof value !== "object" || value === null) {
+    return false;
+  }
+  const rec = value;
+  if (typeof rec.key !== "string") {
+    return false;
+  }
+  if (rec.op === "delete") {
+    return true;
+  }
+  return rec.op === "put" && "value" in rec;
+}
+function parsePersisted(raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return null;
+  }
+  if (typeof parsed !== "object" || parsed === null) {
+    return null;
+  }
+  const rec = parsed;
+  if (typeof rec.syncVersion !== "string") {
+    return null;
+  }
+  if (typeof rec.values !== "object" || rec.values === null) {
+    return null;
+  }
+  const sources = typeof rec.sources === "object" && rec.sources !== null ? rec.sources : {};
+  return {
+    values: rec.values,
+    sources,
+    syncVersion: rec.syncVersion
+  };
+}
+function defaultEnv() {
+  const storage = resolveStorage();
+  const visibility = resolveVisibility();
+  return {
+    now: () => Date.now(),
+    setInterval: (handler, ms) => setInterval(handler, ms),
+    clearInterval: (handle) => clearInterval(handle),
+    storage,
+    visibility
+  };
+}
+function resolveStorage() {
+  try {
+    if (typeof localStorage === "undefined") {
+      return null;
+    }
+    const probe = "__palbase_flags_probe__";
+    localStorage.setItem(probe, "1");
+    localStorage.removeItem(probe);
+    return localStorage;
+  } catch {
+    return null;
+  }
+}
+function resolveVisibility() {
+  if (typeof document === "undefined") {
+    return null;
+  }
+  const doc = document;
+  return {
+    isHidden: () => doc.visibilityState === "hidden",
+    onVisibilityChange: (cb) => {
+      doc.addEventListener("visibilitychange", cb);
+      return () => doc.removeEventListener("visibilitychange", cb);
+    }
+  };
+}
+
+// src/flags-facade.ts
+function palbeAuthAdapter(auth) {
+  return {
+    onAuthStateChange(callback) {
+      const unsubscribe = auth.onAuthStateChange(() => {
+        const signedIn = auth.isSignedIn;
+        callback(signedIn ? "SIGNED_IN" : "SIGNED_OUT", signedIn ? { signedIn } : null);
+      });
+      return { data: { subscription: { unsubscribe } } };
+    }
+  };
+}
+function serverPoolEnv() {
+  return {
+    now: () => Date.now(),
+    setInterval: () => {
+      throw new Error("palbe flags: polling is disabled server-side");
+    },
+    clearInterval: () => {
+    },
+    storage: null,
+    visibility: null
+  };
+}
+function sameFlagValue(a, b) {
+  if (Object.is(a, b)) return true;
+  if (typeof a === "object" && a !== null && typeof b === "object" && b !== null) {
+    return JSON.stringify(a) === JSON.stringify(b);
+  }
+  return false;
+}
+var PalbeFlags = class {
+  transport;
+  pool;
+  constructor(rt) {
+    this.transport = new FlagsClient(rt.http);
+    const browser = typeof document !== "undefined";
+    const ref = endpointRefFromApiKey(rt.config.apiKey);
+    const options = {
+      auth: palbeAuthAdapter(rt.auth),
+      ...ref ? { storageKey: `palbe.flags.${ref}` } : {},
+      ...browser ? {} : { pollIntervalMs: 0, env: serverPoolEnv() }
+    };
+    this.pool = new FlagsPool(this.transport, options);
+    if (browser) this.pool.start();
+  }
+  /** Resolves once the first snapshot (or persisted hydrate) is available. Auto-starts the pool. */
+  ready() {
+    return this.pool.ready();
+  }
+  /** Force an immediate re-snapshot. */
+  refresh() {
+    return this.pool.refresh();
+  }
+  /** Frozen snapshot of all cached values (identity-stable until a change). */
+  all() {
+    return this.pool.all();
+  }
+  /** Raw cached value for `key`, or `undefined` when not in the cache. */
+  get(key) {
+    return this.pool.all()[key];
+  }
+  /** `true` only when the cached value is strictly `true`; `fallback` when the key is absent. */
+  isEnabled(key, fallback = false) {
+    return this.pool.isEnabled(key, fallback);
+  }
+  /** Alias of {@link isEnabled} (iOS parity). */
+  bool(key, fallback = false) {
+    return this.isEnabled(key, fallback);
+  }
+  /** Cached value when it is a string, else `fallback`. */
+  getString(key, fallback) {
+    const value = this.pool.all()[key];
+    return typeof value === "string" ? value : fallback;
+  }
+  /** Cached value when it is an integer number, else `fallback`. */
+  getInt(key, fallback) {
+    const value = this.pool.all()[key];
+    return typeof value === "number" && Number.isInteger(value) ? value : fallback;
+  }
+  /** Cached value when it is a number (integers included), else `fallback`. */
+  getDouble(key, fallback) {
+    const value = this.pool.all()[key];
+    return typeof value === "number" ? value : fallback;
+  }
+  /**
+   * Resolve the multivariate variant for `key` — the variant name, or `null`
+   * when the flag has no variant (or the read fails).
+   *
+   * Wire failures (network errors, 404, etc.) resolve to `null`.
+   * Invalid flag names throw `BackendError('validation', { code: 'invalid_flag_name' })`.
+   *
+   * DEVIATION from iOS sync-cache parity: the platform does not propagate
+   * variant metadata into the user-flags snapshot/delta cache, so this is an
+   * ASYNC transport read (`GET /v1/flags/{key}/variant`), not a cache lookup.
+   */
+  async getVariant(key) {
+    let res;
+    try {
+      res = await this.transport.getVariant(key);
+    } catch (err) {
+      throw new BackendError("validation", {
+        code: "invalid_flag_name",
+        message: err instanceof Error ? err.message : String(err)
+      });
+    }
+    return res.data?.name ?? null;
+  }
+  /** Subscribe to any change in the cached flag set. */
+  onChange(callback) {
+    return this.pool.onChange(callback);
+  }
+  /**
+   * Observe ONE key: fires only when that key's value actually changes
+   * (per {@link sameFlagValue} — structural compare for objects), with the
+   * new value (`undefined` = deleted). P5 React-hook substrate.
+   */
+  subscribeKey(key, callback) {
+    let last = this.pool.all()[key];
+    return this.pool.onChange(() => {
+      const next = this.pool.all()[key];
+      if (sameFlagValue(last, next)) return;
+      last = next;
+      callback(next);
+    });
+  }
+  /**
+   * Async iteration over flag changes: yields the new {@link all} view on
+   * every pool change notification. The listener is detached when the
+   * consumer `break`s/`return`s/`throw`s — including while a `next()` is
+   * still pending (it resolves `{ done: true }` instead of hanging, which a
+   * plain async-generator `finally` would not guarantee).
+   */
+  changes() {
+    const queue = [];
+    const pending = [];
+    let finished = false;
+    const unsubscribe = this.pool.onChange(() => {
+      const snapshot = this.pool.all();
+      const resolve = pending.shift();
+      if (resolve) resolve({ value: snapshot, done: false });
+      else queue.push(snapshot);
+    });
+    const finish = () => {
+      if (finished) return;
+      finished = true;
+      unsubscribe();
+      while (pending.length > 0) pending.shift()?.({ value: void 0, done: true });
+    };
+    return {
+      next: () => {
+        if (finished) return Promise.resolve({ value: void 0, done: true });
+        const head = queue.shift();
+        if (head !== void 0) return Promise.resolve({ value: head, done: false });
+        return new Promise((resolve) => {
+          pending.push(resolve);
+        });
+      },
+      return: () => {
+        finish();
+        return Promise.resolve({ value: void 0, done: true });
+      },
+      throw: (error) => {
+        finish();
+        return Promise.reject(error);
+      },
+      [Symbol.asyncIterator]() {
+        return this;
+      }
+    };
+  }
+  /** Stop polling and detach all listeners (auth + visibility + subscribers). */
+  destroy() {
+    this.pool.destroy();
+  }
+};
+
+// src/realtime/anon-token.ts
+var REFRESH_SKEW_MS = 6e4;
+var AnonTokenProvider = class {
+  rt;
+  cached = null;
+  inFlight = null;
+  constructor(rt) {
+    this.rt = rt;
+  }
+  /**
+   * Return a valid anonymous access token, minting (or re-minting) one when
+   * the cache is empty or within the skew of expiry. Concurrent callers
+   * collapse onto a single in-flight mint.
+   */
+  token() {
+    if (this.cached && Date.now() < this.cached.expiresAt - REFRESH_SKEW_MS) {
+      return Promise.resolve(this.cached.accessToken);
+    }
+    if (this.inFlight) return this.inFlight;
+    const mint = this.mint().then(
+      (token) => {
+        this.cached = token;
+        this.inFlight = null;
+        return token.accessToken;
+      },
+      (e) => {
+        this.inFlight = null;
+        throw e;
+      }
+    );
+    this.inFlight = mint;
+    return mint;
+  }
+  /**
+   * Raw fetch, deliberately NOT through HttpClient/palbeRequest: the mint
+   * must carry the project apikey and NEVER a Bearer (iOS keeps
+   * `/auth/anonymous` on the unauthenticated-path list), and HttpClient's
+   * pre-flight would try to refresh a stale session before an anon mint —
+   * exactly the entanglement this provider exists to avoid.
+   */
+  async mint() {
+    const base = this.rt.config.url.replace(/\/+$/, "");
+    let response;
+    try {
+      response = await fetch(`${base}/auth/anonymous`, {
+        method: "POST",
+        headers: { apikey: this.rt.config.apiKey }
+      });
+    } catch (e) {
+      throw new BackendError("network", {
+        code: "network_error",
+        message: e instanceof Error ? e.message : "Network request failed"
+      });
+    }
+    const body = await response.json().catch(() => null);
+    if (!response.ok) throw fromEnvelope(response.status, body);
+    const obj = typeof body === "object" && body !== null ? body : {};
+    const accessToken = obj.access_token;
+    const expiresIn = obj.expires_in;
+    if (typeof accessToken !== "string" || accessToken === "" || typeof expiresIn !== "number") {
+      throw new BackendError("decode", {
+        code: "decode_error",
+        message: "POST /auth/anonymous returned an unexpected shape (expected {access_token, expires_in})."
+      });
+    }
+    return { accessToken, expiresAt: Date.now() + expiresIn * 1e3 };
+  }
+};
+function realtimeTokenProvider(rt, anon) {
+  return async () => {
+    const bearer = rt.tokenManager.getAccessToken();
+    if (bearer && !rt.tokenManager.isExpired()) return bearer;
+    try {
+      return await anon.token();
+    } catch {
+      return rt.config.apiKey;
+    }
+  };
+}
+
+// src/realtime/frames.ts
+var REALTIME_PREFIX = "realtime:";
+function encodeJoin(ref, topic, accessToken) {
+  const r = String(ref);
+  return JSON.stringify([
+    r,
+    r,
+    REALTIME_PREFIX + topic,
+    "phx_join",
+    {
+      access_token: accessToken,
+      config: {
+        broadcast: { self: false },
+        presence: { key: "" },
+        private: false,
+        postgres_changes: []
+      }
+    }
+  ]);
+}
+function encodeLeave(ref, topic) {
+  return JSON.stringify([null, String(ref), REALTIME_PREFIX + topic, "phx_leave", {}]);
+}
+function encodeHeartbeat(ref) {
+  return JSON.stringify([null, String(ref), "phoenix", "heartbeat", {}]);
+}
+function encodeBroadcast(joinRef, ref, topic, event, payload) {
+  return JSON.stringify([
+    joinRef,
+    String(ref),
+    REALTIME_PREFIX + topic,
+    "broadcast",
+    { type: "broadcast", event, payload }
+  ]);
+}
+function decodeFrame(text) {
+  let parsed;
+  try {
+    parsed = JSON.parse(text);
+  } catch {
+    return null;
+  }
+  if (!Array.isArray(parsed)) return null;
+  const [joinRef, ref, topic, event, payload] = parsed;
+  if (typeof topic !== "string" || typeof event !== "string") return null;
+  return { joinRef, ref, topic, event, payload };
+}
+function asObject(value) {
+  if (typeof value !== "object" || value === null || Array.isArray(value)) return null;
+  return value;
+}
+function unwrapBroadcast(frame) {
+  if (frame.event !== "broadcast") return null;
+  const body = asObject(frame.payload);
+  if (!body) return null;
+  const event = typeof body.event === "string" ? body.event : "";
+  const payload = asObject(body.payload) ?? {};
+  return { topic: stripRealtimePrefix(frame.topic), event, payload };
+}
+function stripRealtimePrefix(topic) {
+  return topic.startsWith(REALTIME_PREFIX) ? topic.slice(REALTIME_PREFIX.length) : topic;
+}
+
+// src/realtime/connection.ts
+var WS_OPEN = 1;
+var DEFAULT_HEARTBEAT_MS = 25e3;
+var DEFAULT_MAX_BACKOFF_SECONDS = 30;
+var MAX_CHANNEL_REJOIN_ATTEMPTS = 3;
+function websocketUrl(base, token) {
+  let s = base;
+  if (s.startsWith("https://")) {
+    s = `wss://${s.slice("https://".length)}`;
+  } else if (s.startsWith("http://")) {
+    s = `ws://${s.slice("http://".length)}`;
+  }
+  while (s.endsWith("/")) s = s.slice(0, -1);
+  return `${s}/realtime/v1/websocket?apikey=${encodeURIComponent(token)}&vsn=2.0.0`;
+}
+function backoffDelaySeconds(attempt, refCounter, cap) {
+  const base = Math.min(2 ** attempt, cap);
+  const jitter = refCounter % 1e3 / 1e3;
+  return base + jitter;
+}
+var RealtimeSocket = class {
+  options;
+  handlers = null;
+  ws = null;
+  // Membership intent (bare sub-topics): re-joined on every (re)connect. A
+  // topic stays in this set from joinTopic() until leaveTopic().
+  joinedTopics = /* @__PURE__ */ new Set();
+  // topic → join_ref of the LIVE join on the current socket. Phoenix drops
+  // channel messages whose join_ref doesn't match, so broadcasts carry this.
+  // Cleared on disconnect (the next socket gets fresh joins/refs).
+  joinRefs = /* @__PURE__ */ new Map();
+  // Broadcasts pushed before the topic's join is live — flushed right after it.
+  pendingBroadcasts = [];
+  // Per-topic rejoin attempt counter for the token-expiry channel-death guard.
+  // Bumped on every channel rejoin; reset to 0 when the topic delivers a live
+  // broadcast (proof the channel recovered). At MAX_CHANNEL_REJOIN_ATTEMPTS the
+  // channel is given up on (onChannelError) instead of looping forever.
+  channelRejoinAttempts = /* @__PURE__ */ new Map();
+  // Pending per-topic rejoin backoff timers — separate from the socket-level
+  // reconnectTimer so a channel backoff never clobbers socket reconnection.
+  channelRejoinTimers = /* @__PURE__ */ new Map();
+  // Monotonic Phoenix message ref. Every outbound frame carries a unique ref.
+  refCounter = 0;
+  connected = false;
+  started = false;
+  stopped = false;
+  // Reset ONLY on a genuine open, so a never-opening socket walks
+  // attempt 0,1,2,… → delays 1,2,4,…,cap instead of hammering (iOS parity).
+  reconnectAttempt = 0;
+  // Invalidates async continuations (token awaits) from a superseded connect.
+  connectEpoch = 0;
+  heartbeatTimer = null;
+  reconnectTimer = null;
+  constructor(options) {
+    this.options = options;
+  }
+  // MARK: lifecycle
+  /** Install handlers and open the socket. Idempotent while started. */
+  start(handlers) {
+    this.handlers = handlers;
+    if (this.started) return;
+    this.started = true;
+    this.stopped = false;
+    void this.connect();
+  }
+  /** Tear down the socket, stop reconnecting, emit `idle`. Idempotent. */
+  stop() {
+    this.stopped = true;
+    this.started = false;
+    this.connected = false;
+    this.connectEpoch += 1;
+    this.stopHeartbeat();
+    if (this.reconnectTimer !== null) {
+      clearTimeout(this.reconnectTimer);
+      this.reconnectTimer = null;
+    }
+    this.clearAllChannelRejoins();
+    const ws = this.ws;
+    this.ws = null;
+    this.joinRefs.clear();
+    ws?.close(1e3);
+    this.handlers?.onStateChange("idle");
+  }
+  // MARK: topic membership
+  /**
+   * Join a topic (bare sub-topic, no "realtime:" prefix). Idempotent. Sent
+   * immediately when the socket is up, else on the next (re)connect.
+   */
+  joinTopic(topic) {
+    if (this.joinedTopics.has(topic)) return;
+    this.joinedTopics.add(topic);
+    if (this.connected) void this.sendJoin(topic);
+  }
+  /**
+   * Leave a topic: sends `phx_leave` when connected and always drops it from
+   * the re-join set (a future reconnect won't restore it). Pending broadcasts
+   * for the topic are discarded.
+   */
+  leaveTopic(topic) {
+    if (!this.joinedTopics.delete(topic)) return;
+    this.joinRefs.delete(topic);
+    this.pendingBroadcasts = this.pendingBroadcasts.filter((p) => p.topic !== topic);
+    this.clearChannelRejoin(topic);
+    if (this.isOpen()) this.send(encodeLeave(this.nextRef(), topic));
+  }
+  /**
+   * Push a broadcast onto a topic (web addition — iOS is receive-only). Sent
+   * synchronously when the topic's join is live on the current socket;
+   * otherwise queued and flushed right after the join goes out.
+   */
+  sendBroadcast(topic, event, payload) {
+    const joinRef = this.joinRefs.get(topic);
+    if (joinRef !== void 0 && this.isOpen()) {
+      this.send(encodeBroadcast(joinRef, this.nextRef(), topic, event, payload));
+    } else {
+      this.pendingBroadcasts.push({ topic, event, payload });
+    }
+  }
+  // MARK: connect / reconnect
+  async connect() {
+    if (this.stopped) return;
+    const epoch = ++this.connectEpoch;
+    let token;
+    try {
+      token = await this.options.tokenProvider();
+    } catch {
+      this.scheduleReconnect();
+      return;
+    }
+    if (this.stopped || epoch !== this.connectEpoch) return;
+    const Ctor = this.options.webSocket ?? globalThis.WebSocket;
+    if (!Ctor) {
+      this.scheduleReconnect();
+      return;
+    }
+    const ws = new Ctor(websocketUrl(this.options.baseUrl, token));
+    this.ws = ws;
+    ws.onopen = () => {
+      if (ws === this.ws) void this.handleOpen();
+    };
+    ws.onmessage = (event) => {
+      if (ws === this.ws) this.handleMessage(event.data);
+    };
+    ws.onclose = () => {
+      if (ws === this.ws) this.handleClose();
+    };
+    ws.onerror = () => {
+    };
+  }
+  /**
+   * The browser `open` event proves the HTTP-101 handshake completed (the
+   * analogue of iOS promoteToConnected): flip connected, announce, then
+   * (re)join every topic with a fresh token + fresh refs. Backoff is NOT
+   * reset here — it resets on the first inbound frame (iOS parity), so a
+   * server that opens but immediately closes still grows the backoff.
+   */
+  async handleOpen() {
+    if (this.stopped) return;
+    this.connected = true;
+    this.handlers?.onStateChange("connected");
+    this.handlers?.onReconnect();
+    this.startHeartbeat();
+    for (const topic of this.joinedTopics) {
+      await this.sendJoin(topic);
+    }
+  }
+  handleClose() {
+    if (this.stopped) return;
+    this.ws = null;
+    this.joinRefs.clear();
+    this.clearAllChannelRejoins();
+    this.stopHeartbeat();
+    this.scheduleReconnect();
+  }
+  scheduleReconnect() {
+    if (this.stopped || !this.started) return;
+    this.connected = false;
+    this.handlers?.onStateChange("reconnecting");
+    const attempt = this.reconnectAttempt;
+    this.reconnectAttempt += 1;
+    const cap = this.options.maxBackoffSeconds ?? DEFAULT_MAX_BACKOFF_SECONDS;
+    const delaySeconds = backoffDelaySeconds(attempt, this.refCounter, cap);
+    this.reconnectTimer = setTimeout(() => {
+      this.reconnectTimer = null;
+      void this.connect();
+    }, delaySeconds * 1e3);
+  }
+  // MARK: frames out
+  /**
+   * Join carries a freshly-resolved token (iOS parity — `sendJoin` awaits the
+   * provider), so a Bearer rotated while offline rides the next rejoin.
+   */
+  async sendJoin(topic) {
+    const token = await this.options.tokenProvider();
+    if (!this.isOpen() || !this.joinedTopics.has(topic)) return;
+    const ref = this.nextRef();
+    this.joinRefs.set(topic, String(ref));
+    this.send(encodeJoin(ref, topic, token));
+    this.flushPending(topic);
+  }
+  flushPending(topic) {
+    const ready = this.pendingBroadcasts.filter((p) => p.topic === topic);
+    if (ready.length === 0) return;
+    this.pendingBroadcasts = this.pendingBroadcasts.filter((p) => p.topic !== topic);
+    for (const p of ready) this.sendBroadcast(p.topic, p.event, p.payload);
+  }
+  startHeartbeat() {
+    this.stopHeartbeat();
+    const interval = this.options.heartbeatIntervalMs ?? DEFAULT_HEARTBEAT_MS;
+    this.heartbeatTimer = setInterval(() => {
+      if (this.isOpen()) this.send(encodeHeartbeat(this.nextRef()));
+    }, interval);
+  }
+  stopHeartbeat() {
+    if (this.heartbeatTimer !== null) {
+      clearInterval(this.heartbeatTimer);
+      this.heartbeatTimer = null;
+    }
+  }
+  /** Drop-if-not-open: a send racing a disconnect is recovered by the rejoin-all on reconnect. */
+  send(text) {
+    if (this.ws && this.ws.readyState === WS_OPEN) this.ws.send(text);
+  }
+  // MARK: frames in
+  handleMessage(data) {
+    if (typeof data !== "string") return;
+    const frame = decodeFrame(data);
+    if (!frame) return;
+    this.reconnectAttempt = 0;
+    if (frame.event === "phx_close" || frame.event === "phx_error") {
+      this.handleChannelClose(frame);
+      return;
+    }
+    const inbound = unwrapBroadcast(frame);
+    if (inbound) {
+      this.channelRejoinAttempts.delete(inbound.topic);
+      this.handlers?.onInbound(inbound);
+    }
+  }
+  /**
+   * Recover (or give up on) a single channel the server closed for token
+   * reasons. Ignored unless the close targets a topic we still intend to be
+   * joined AND its join_ref matches the LIVE join — so a stale close from a
+   * superseded join, or a close arriving after our OWN phx_leave (the topic is
+   * already dropped from joinedTopics/joinRefs), does NOT trigger a rejoin.
+   */
+  handleChannelClose(frame) {
+    const topic = stripRealtimePrefix(frame.topic);
+    if (!this.joinedTopics.has(topic)) return;
+    if (this.joinRefs.get(topic) !== frame.joinRef) return;
+    this.joinRefs.delete(topic);
+    const attempt = this.channelRejoinAttempts.get(topic) ?? 0;
+    if (attempt >= MAX_CHANNEL_REJOIN_ATTEMPTS) {
+      this.joinedTopics.delete(topic);
+      this.channelRejoinAttempts.delete(topic);
+      this.handlers?.onChannelError(topic);
+      return;
+    }
+    this.channelRejoinAttempts.set(topic, attempt + 1);
+    if (attempt === 0) {
+      void this.sendJoin(topic);
+      return;
+    }
+    const cap = this.options.maxBackoffSeconds ?? DEFAULT_MAX_BACKOFF_SECONDS;
+    const delayMs = backoffDelaySeconds(attempt, this.refCounter, cap) * 1e3;
+    const existing = this.channelRejoinTimers.get(topic);
+    if (existing !== void 0) clearTimeout(existing);
+    const timer = setTimeout(() => {
+      this.channelRejoinTimers.delete(topic);
+      if (this.joinedTopics.has(topic)) void this.sendJoin(topic);
+    }, delayMs);
+    this.channelRejoinTimers.set(topic, timer);
+  }
+  // MARK: helpers
+  /** Drop a single topic's token-expiry rejoin state (cancel its pending timer). */
+  clearChannelRejoin(topic) {
+    const timer = this.channelRejoinTimers.get(topic);
+    if (timer !== void 0) {
+      clearTimeout(timer);
+      this.channelRejoinTimers.delete(topic);
+    }
+    this.channelRejoinAttempts.delete(topic);
+  }
+  /** Drop all per-channel rejoin state (socket teardown / full reconnect). */
+  clearAllChannelRejoins() {
+    for (const timer of this.channelRejoinTimers.values()) clearTimeout(timer);
+    this.channelRejoinTimers.clear();
+    this.channelRejoinAttempts.clear();
+  }
+  isOpen() {
+    return this.connected && this.ws !== null && this.ws.readyState === WS_OPEN;
+  }
+  nextRef() {
+    this.refCounter += 1;
+    return this.refCounter;
+  }
+};
+
+// src/realtime/facade.ts
+var StatusStore = class {
+  currentState = "idle";
+  lastEvent = null;
+  listeners = /* @__PURE__ */ new Set();
+  get state() {
+    return this.currentState;
+  }
+  get lastEventAt() {
+    return this.lastEvent;
+  }
+  onChange(callback) {
+    this.listeners.add(callback);
+    return () => {
+      this.listeners.delete(callback);
+    };
+  }
+  /** No-op on equal state (iOS setState guard) — listeners see transitions only. */
+  setState(state) {
+    if (state === this.currentState) return;
+    this.currentState = state;
+    this.emit();
+  }
+  recordEvent(at) {
+    this.lastEvent = at;
+    this.emit();
+  }
+  emit() {
+    const snapshot = {
+      state: this.currentState,
+      lastEventAt: this.lastEvent
+    };
+    for (const listener of this.listeners) listener(snapshot);
+  }
+};
+var RealtimeChannel = class {
+  /** The app-defined channel name (bare sub-topic, no "realtime:" prefix). */
+  name;
+  owner;
+  /** @internal — obtain channels via `pb.realtime.channel(name)`. */
+  constructor(name, owner) {
+    this.name = name;
+    this.owner = owner;
+  }
+  /**
+   * Subscribe `handler` to `event` on this channel. Fire-and-forget: the
+   * join rides the shared socket asynchronously. Hold the returned
+   * subscription and `cancel()` it to stop.
+   */
+  on(event, handler) {
+    return this.owner.subscribe(this.name, event, handler);
+  }
+  /**
+   * Broadcast `payload` to the channel's other subscribers (web addition —
+   * iOS is receive-only). Joins the channel if it isn't already; queued
+   * until the join is live on the socket.
+   */
+  send(event, payload = {}) {
+    this.owner.send(this.name, event, payload);
+  }
+};
+var PalbeRealtime = class {
+  rt;
+  socket = null;
+  channels = /* @__PURE__ */ new Map();
+  statusStore = new StatusStore();
+  // Per-(topic, event) handlers — an event may have multiple handlers
+  // (multiple .on calls); entry identity is the unsubscribe token.
+  handlers = /* @__PURE__ */ new Set();
+  // Joins are refcounted per topic so the socket only leaves a topic when
+  // its last handler cancels (iOS RealtimeClient parity).
+  topicRefcount = /* @__PURE__ */ new Map();
+  constructor(rt) {
+    this.rt = rt;
+  }
+  /**
+   * Get the handle for an app-defined channel (e.g. "room:42"). The same
+   * name returns the SAME instance. Throws a guided error on server-side
+   * hosts (SSR/RSC/Node) — realtime is client-only.
+   */
+  channel(name) {
+    if (typeof document === "undefined" && typeof window === "undefined") {
+      throw new BackendError("validation", {
+        code: "realtime_unavailable",
+        message: "pb.realtime requires a browser environment: document and window are not defined (server/SSR/RSC). Subscribe from browser code instead \u2014 e.g. a client component or useEffect."
+      });
+    }
+    if (typeof WebSocket === "undefined") {
+      throw new BackendError("validation", {
+        code: "realtime_unavailable",
+        message: "pb.realtime is client-only: this environment has no WebSocket. Subscribe from browser code instead \u2014 e.g. a client component or useEffect."
+      });
+    }
+    let channel = this.channels.get(name);
+    if (!channel) {
+      channel = new RealtimeChannel(name, this);
+      this.channels.set(name, channel);
+    }
+    return channel;
+  }
+  /**
+   * Tear down the shared socket and clear all channel state. Called by
+   * `__configure` and `__reset` when the runtime is replaced, so old sockets
+   * are not left open and heartbeat timers do not leak.
+   */
+  destroy() {
+    this.socket?.stop();
+    this.socket = null;
+    this.channels.clear();
+  }
+  /** The observable connection status. Safe to read anywhere (reports `idle` until a socket exists). */
+  get status() {
+    return this.statusStore;
+  }
+  /** @internal */
+  subscribe(topic, event, handler) {
+    const socket = this.ensureSocket();
+    const entry = { topic, event, handler };
+    this.handlers.add(entry);
+    const count = (this.topicRefcount.get(topic) ?? 0) + 1;
+    this.topicRefcount.set(topic, count);
+    if (count === 1) socket.joinTopic(topic);
+    let cancelled = false;
+    return {
+      cancel: () => {
+        if (cancelled) return;
+        cancelled = true;
+        this.handlers.delete(entry);
+        const next = (this.topicRefcount.get(topic) ?? 1) - 1;
+        if (next <= 0) {
+          this.topicRefcount.delete(topic);
+          socket.leaveTopic(topic);
+        } else {
+          this.topicRefcount.set(topic, next);
+        }
+      }
+    };
+  }
+  /** @internal */
+  send(topic, event, payload) {
+    const socket = this.ensureSocket();
+    socket.joinTopic(topic);
+    socket.sendBroadcast(topic, event, payload);
+  }
+  /** Lazily build + start the shared socket on first subscription/send. */
+  ensureSocket() {
+    if (!this.socket) {
+      const anon = new AnonTokenProvider(this.rt);
+      this.socket = new RealtimeSocket({
+        baseUrl: this.rt.config.url,
+        tokenProvider: realtimeTokenProvider(this.rt, anon)
+      });
+      this.socket.start({
+        onInbound: (inbound) => this.route(inbound),
+        // Rejoin-all already happens inside the socket; nothing to refresh
+        // here (no managed flags-sync on web yet — pb.flags polls).
+        onReconnect: () => {
+        },
+        onStateChange: (state) => this.statusStore.setState(state),
+        onChannelError: (topic) => this.handleChannelError(topic)
+      });
+    }
+    return this.socket;
+  }
+  route(inbound) {
+    this.statusStore.recordEvent(/* @__PURE__ */ new Date());
+    for (const entry of this.handlers) {
+      if (entry.topic === inbound.topic && entry.event === inbound.event) {
+        entry.handler(inbound.payload);
+      }
+    }
+  }
+  /**
+   * A channel died for good (token-expiry rejoin exhausted N attempts). Drop its
+   * handlers + refcount so the app stops expecting events on it, and flip the
+   * status observable to `'error'` (the React `useChannel` hook reports this).
+   * A later `.on()` for the same topic re-joins from scratch (refcount 1).
+   */
+  handleChannelError(topic) {
+    for (const entry of this.handlers) {
+      if (entry.topic === topic) this.handlers.delete(entry);
+    }
+    this.topicRefcount.delete(topic);
+    this.statusStore.setState("error");
+  }
+};
+
+// src/storage.ts
+function memorySessionStorage() {
+  let current = null;
+  return {
+    load: () => current,
+    save: (s) => {
+      current = s;
+    },
+    clear: () => {
+      current = null;
+    }
+  };
+}
+var DEFAULT_KEY = "palbe.session";
+function localStorageSessionStorage(key = DEFAULT_KEY) {
+  return {
+    load: () => {
+      try {
+        const raw = localStorage.getItem(key);
+        if (!raw) return null;
+        const parsed = JSON.parse(raw);
+        if (typeof parsed === "object" && parsed !== null) {
+          const obj = parsed;
+          if (typeof obj.refreshToken === "string") {
+            if (typeof obj.accessToken === "string" && typeof obj.expiresAt === "number") {
+              return {
+                refreshToken: obj.refreshToken,
+                accessToken: obj.accessToken,
+                expiresAt: obj.expiresAt
+              };
+            }
+            return { refreshToken: obj.refreshToken };
+          }
+        }
+        return null;
+      } catch {
+        return null;
+      }
+    },
+    save: (s) => {
+      try {
+        localStorage.setItem(key, JSON.stringify(s));
+      } catch {
+      }
+    },
+    clear: () => {
+      try {
+        localStorage.removeItem(key);
+      } catch {
+      }
+    }
+  };
+}
+function defaultSessionStorage(key) {
+  if (typeof localStorage !== "undefined") return localStorageSessionStorage(key);
+  return memorySessionStorage();
+}
+
+// src/version.ts
+var VERSION = "1.0.0";
+
+// src/runtime.ts
+function buildRuntime(config) {
+  const http = new HttpClient(config.apiKey, {
+    url: config.url,
+    headers: { "X-Client-Info": `palbe-web/${VERSION}`, ...config.headers }
+  });
+  const tokenManager = new TokenManager();
+  http.tokenManager = tokenManager;
+  const authClient = new AuthClient(http, tokenManager);
+  const ref = endpointRefFromApiKey(config.apiKey);
+  const storage = config.storage ?? defaultSessionStorage(ref ? `palbe.session.${ref}` : void 0);
+  const persisted = storage.load();
+  if (persisted) {
+    const { accessToken, expiresAt } = persisted;
+    if (accessToken && expiresAt && expiresAt > Date.now()) {
+      authClient.setTokens(
+        accessToken,
+        persisted.refreshToken,
+        Math.floor((expiresAt - Date.now()) / 1e3)
+      );
+    } else {
+      authClient.setTokens("", persisted.refreshToken);
+      tokenManager.setSession({
+        accessToken: "",
+        refreshToken: persisted.refreshToken,
+        expiresAt: 0
+      });
+    }
+  }
+  authClient.onTokenChange(({ refreshToken }) => {
+    if (refreshToken) {
+      const session = authClient.getSession().data;
+      if (session) {
+        storage.save({
+          refreshToken,
+          accessToken: session.accessToken,
+          expiresAt: session.expiresAt
+        });
+      } else {
+        storage.save({ refreshToken });
+      }
+    } else {
+      storage.clear();
+    }
+  });
+  let auth;
+  let flags;
+  let realtime;
+  let analytics;
+  const rt = {
+    config,
+    http,
+    tokenManager,
+    authClient,
+    storage,
+    get auth() {
+      if (!auth) auth = new PalbeAuth(rt);
+      return auth;
+    },
+    // Same lazy pattern as `auth`: the pool is constructed (and, in the
+    // browser, started) only when `pb.flags` is actually touched — a pbServer
+    // request that never reads flags pays nothing.
+    get flags() {
+      if (!flags) flags = new PalbeFlags(rt);
+      return flags;
+    },
+    // Lazy like `auth`/`flags` — but constructing PalbeRealtime is itself
+    // inert: the WebSocket only opens on the first channel subscription/send.
+    get realtime() {
+      if (!realtime) realtime = new PalbeRealtime(rt);
+      return realtime;
+    },
+    destroyRealtime() {
+      realtime?.destroy();
+      realtime = void 0;
+    },
+    // The buffering facade is lazy; its identity state is NOT (below).
+    get analytics() {
+      if (!analytics) analytics = new PalbeAnalytics(rt, analyticsState);
+      return analytics;
+    }
+  };
+  const analyticsState = new AnalyticsState(rt);
+  http.addInterceptor((request) => {
+    const hasOwn = Object.keys(request.headers).some((k) => k.toLowerCase() === "x-distinct-id");
+    if (!hasOwn) request.headers["X-Distinct-Id"] = analyticsState.distinctId();
+  });
+  return rt;
+}
+
+// src/call.ts
+async function callEndpoint(resolveRt, name, input, options) {
+  if (!name || name === "/") {
+    throw new BackendError("validation", {
+      code: "invalid_endpoint_name",
+      message: 'Endpoint name must be a non-empty path like "todos/create"'
+    });
+  }
+  const rt = resolveRt();
+  const path = name.startsWith("/") ? name : `/${name}`;
+  return palbeRequest(rt, "POST", path, {
+    body: input,
+    headers: options?.headers,
+    signal: options?.signal
+  });
+}
+
+// src/upload.ts
+function abortError() {
+  return new BackendError("network", { code: "aborted", message: "Upload aborted" });
+}
+function checkConstraints(options) {
+  const c = options.constraints;
+  if (!c) return;
+  if (c.maxSize !== void 0 && options.file.size > c.maxSize) {
+    const message = `File size ${options.file.size} exceeds max ${c.maxSize} bytes`;
+    throw new BackendError("validation", {
+      code: "file_too_large",
+      message,
+      fields: [{ field: "file", message }]
+    });
+  }
+  const effType = options.contentType ?? options.file.type;
+  if (c.allowedTypes && c.allowedTypes.length > 0 && !c.allowedTypes.includes(effType)) {
+    const message = `File type '${effType}' is not allowed`;
+    throw new BackendError("validation", {
+      code: "file_type_not_allowed",
+      message,
+      fields: [{ field: "file", message }]
+    });
+  }
+}
+async function buildHeaders(rt, extra) {
+  if (rt.tokenManager.isExpired() && rt.tokenManager.getRefreshToken() && rt.tokenManager.refreshFunction) {
+    try {
+      await rt.tokenManager.refreshSession();
+    } catch (e) {
+      const pe = asPalbaseError(e);
+      const status = pe?.status ?? 0;
+      if (status === 400 || status === 401 || status === 403) {
+        rt.tokenManager.clearSession();
+      } else {
+        throw pe ? fromPalbaseError(pe) : e;
+      }
+    }
+  }
+  const headers = {
+    apikey: rt.config.apiKey,
+    "X-Client-Info": `palbe-web/${VERSION}`,
+    ...rt.config.headers
+  };
+  const token = rt.tokenManager.getAccessToken();
+  if (token) headers.Authorization = `Bearer ${token}`;
+  const callerHasKey = Object.keys(extra ?? {}).some((k) => k.toLowerCase() === "idempotency-key");
+  if (!callerHasKey) headers["Idempotency-Key"] = crypto.randomUUID();
+  return { ...headers, ...extra };
+}
+function buildForm(options) {
+  const form = new FormData();
+  for (const [k, v] of Object.entries(options.fields ?? {})) form.append(k, v);
+  const file = options.contentType && options.file.type !== options.contentType ? new Blob([options.file], { type: options.contentType }) : options.file;
+  const filename = options.filename ?? (typeof File !== "undefined" && options.file instanceof File ? options.file.name : "file");
+  form.append("file", file, filename);
+  return form;
+}
+function decode(status, text) {
+  let body;
+  try {
+    body = text === "" ? null : JSON.parse(text);
+  } catch {
+    if (status >= 200 && status < 300) {
+      throw new BackendError("decode", {
+        code: "decode_error",
+        message: "Invalid JSON in response",
+        status
+      });
+    }
+    body = text;
+  }
+  if (status < 200 || status >= 300) throw fromEnvelope(status, body);
+  return body;
+}
+function uploadViaXHR(url, form, headers, options) {
+  return new Promise((resolve, reject) => {
+    if (options.signal?.aborted) {
+      reject(abortError());
+      return;
+    }
+    const xhr = new XMLHttpRequest();
+    xhr.open("POST", url);
+    for (const [k, v] of Object.entries(headers)) xhr.setRequestHeader(k, v);
+    xhr.upload.onprogress = (e) => {
+      if (!e.lengthComputable) return;
+      options.onProgress?.({ sent: e.loaded, total: e.total });
+    };
+    const onAbort = () => xhr.abort();
+    const cleanup = () => options.signal?.removeEventListener("abort", onAbort);
+    xhr.onload = () => {
+      cleanup();
+      try {
+        resolve(decode(xhr.status, xhr.responseText));
+      } catch (err) {
+        reject(err);
+      }
+    };
+    xhr.onerror = () => {
+      cleanup();
+      reject(new BackendError("network", { code: "network_error", message: "Upload failed" }));
+    };
+    xhr.onabort = () => {
+      cleanup();
+      reject(abortError());
+    };
+    options.signal?.addEventListener("abort", onAbort, { once: true });
+    xhr.send(form);
+  });
+}
+async function uploadViaFetch(url, form, headers, options) {
+  let res;
+  try {
+    res = await fetch(url, { method: "POST", body: form, headers, signal: options.signal });
+  } catch (e) {
+    if (e instanceof Error && e.name === "AbortError") throw abortError();
+    throw new BackendError("network", {
+      code: "network_error",
+      message: e instanceof Error ? e.message : "Upload failed"
+    });
+  }
+  return decode(res.status, await res.text());
+}
+async function uploadEndpoint(resolveRt, name, options) {
+  const rt = resolveRt();
+  checkConstraints(options);
+  const path = name.startsWith("/") ? name : `/${name}`;
+  const url = `${rt.config.url}${path}`;
+  const headers = await buildHeaders(rt, options.headers);
+  const form = buildForm(options);
+  const useXHR = options.onProgress !== void 0 && typeof XMLHttpRequest !== "undefined";
+  return useXHR ? uploadViaXHR(url, form, headers, options) : uploadViaFetch(url, form, headers, options);
+}
+
+// src/pb.ts
+function createClientProxy(resolveRt, nsAccessor) {
+  const base = {
+    call(name, input, options) {
+      return callEndpoint(resolveRt, name, input, options);
+    },
+    upload(name, options) {
+      return uploadEndpoint(resolveRt, name, options);
+    },
+    get auth() {
+      return resolveRt().auth;
+    },
+    get flags() {
+      return resolveRt().flags;
+    },
+    get realtime() {
+      return resolveRt().realtime;
+    },
+    get analytics() {
+      return resolveRt().analytics;
+    }
+  };
+  return new Proxy(base, {
+    get(target, prop, receiver) {
+      if (prop in target) return Reflect.get(target, prop, receiver);
+      if (prop === "then") return void 0;
+      if (typeof prop === "string") {
+        const ns = nsAccessor(prop);
+        if (ns !== void 0) return ns;
+      }
+      return void 0;
+    },
+    has(target, prop) {
+      if (prop in target) return true;
+      return typeof prop === "string" && prop !== "then" && getRegistry()[prop] !== void 0;
+    }
+  });
+}
+var pb = createClientProxy(getRuntime, getNamespace);
+function createBoundClient(rt) {
+  return createClientProxy(() => rt, boundNamespaceAccessor(rt));
+}
+
+// src/internal.ts
+function getRuntime() {
+  const rt = palbeState().runtime;
+  if (!rt) throw BackendError.notConfigured();
+  return rt;
+}
+
+// src/next/shared.ts
+function requireGlobalConfig(hint) {
+  try {
+    return getRuntime().config;
+  } catch {
+    throw new BackendError("notConfigured", {
+      code: "not_configured",
+      message: `Palbe is not configured in this module graph. Run 'palbase web link' and ${hint}`
+    });
+  }
+}
+var nextServerModule;
+async function importNextServer(caller) {
+  nextServerModule ??= import("next/server");
+  try {
+    return await nextServerModule;
+  } catch (cause) {
+    nextServerModule = void 0;
+    const detail = cause instanceof Error && cause.message ? ` (${cause.message})` : "";
+    throw new BackendError("validation", {
+      code: "next_required",
+      message: `${caller}() requires Next.js \u2014 'next/server' could not be resolved${detail}.`
+    });
+  }
+}
+
+// src/next/callback.ts
+function safeNextPath(next) {
+  if (!next?.startsWith("/")) return null;
+  if (next[1] === "/" || next[1] === "\\") return null;
+  return next;
+}
+function wireErrorCode(raw) {
+  if (typeof raw === "object" && raw !== null) {
+    const code = raw.error;
+    if (typeof code === "string" && code !== "") return code;
+  }
+  return "oauth_exchange_failed";
+}
+function handleAuthCallback(opts) {
+  return async (request) => {
+    const config = requireGlobalConfig(
+      "import the generated palbe.gen.ts once in app/layout.tsx \u2014 route handlers share the server module graph with the root layout."
+    );
+    const { NextResponse } = await importNextServer("handleAuthCallback");
+    const fallback = opts?.defaultNext ?? "/";
+    const redirect = (path, query) => {
+      const url = new URL(path, request.nextUrl);
+      for (const [key, value] of Object.entries(query ?? {})) url.searchParams.set(key, value);
+      const response2 = NextResponse.redirect(url);
+      response2.headers.set("cache-control", "private, no-store");
+      return response2;
+    };
+    const params = request.nextUrl.searchParams;
+    const providerError = params.get("error");
+    if (providerError) {
+      const query = { auth_error: providerError };
+      const description = params.get("error_description");
+      if (description) query.auth_error_description = description;
+      return redirect(fallback, query);
+    }
+    const code = params.get("code");
+    const state = params.get("state");
+    const provider = params.get("provider");
+    if (!code || !state || !provider) {
+      return redirect(fallback, { auth_error: "invalid_callback" });
+    }
+    let exchange;
+    try {
+      exchange = await fetch(
+        `${config.url}/auth/oauth/${encodeURIComponent(provider)}/callback?code=${encodeURIComponent(code)}&state=${encodeURIComponent(state)}`,
+        { headers: { apikey: config.apiKey } }
+      );
+    } catch {
+      return redirect(fallback, { auth_error: "oauth_exchange_failed" });
+    }
+    let raw = null;
+    try {
+      raw = await exchange.json();
+    } catch {
+    }
+    if (!exchange.ok) return redirect(fallback, { auth_error: wireErrorCode(raw) });
+    if (typeof raw === "object" && raw !== null) {
+      const obj = raw;
+      if (obj.mfa_required === true && typeof obj.mfa_token === "string") {
+        const factors = Array.isArray(obj.mfa_factors) ? obj.mfa_factors.filter((f) => typeof f === "string") : [];
+        return redirect(fallback, { mfa_token: obj.mfa_token, mfa_factors: factors.join(",") });
+      }
+    }
+    const wire = asWireAuthResult(raw);
+    if (!wire) return redirect(fallback, { auth_error: "oauth_exchange_failed" });
+    const response = redirect(safeNextPath(params.get("next")) ?? fallback);
+    const write = encodeSessionCookiesDecoded(endpointRefFromApiKey(config.apiKey), {
+      accessToken: wire.access_token,
+      refreshToken: wire.refresh_token,
+      expiresAt: Date.now() + wire.expires_in * 1e3
+    });
+    for (const { name, value } of write.set) {
+      response.cookies.set(name, value, SESSION_COOKIE_ATTRS);
+    }
+    for (const name of write.clear) {
+      response.cookies.set(name, "", { ...SESSION_COOKIE_ATTRS, maxAge: 0 });
+    }
+    return response;
+  };
+}
+
+// src/next/middleware.ts
+var DEFAULT_REFRESH_MARGIN_MS = 6e4;
+var inflightRefreshes = /* @__PURE__ */ new Map();
+function refreshSingleFlight(config, refreshToken) {
+  const existing = inflightRefreshes.get(refreshToken);
+  if (existing) return existing;
+  const pending = refresh(config, refreshToken).finally(() => {
+    inflightRefreshes.delete(refreshToken);
+  });
+  inflightRefreshes.set(refreshToken, pending);
+  return pending;
+}
+async function refresh(config, refreshToken) {
+  try {
+    const res = await fetch(`${config.url}/auth/token/refresh`, {
+      method: "POST",
+      headers: { apikey: config.apiKey, "content-type": "application/json" },
+      body: JSON.stringify({ refresh_token: refreshToken })
+    });
+    if (res.status === 400 || res.status === 401 || res.status === 403) {
+      return { kind: "terminal" };
+    }
+    if (!res.ok) return { kind: "transient" };
+    const raw = await res.json();
+    if (typeof raw === "object" && raw !== null) {
+      const obj = raw;
+      if (typeof obj.access_token === "string" && typeof obj.refresh_token === "string" && typeof obj.expires_in === "number") {
+        return {
+          kind: "rotated",
+          session: {
+            accessToken: obj.access_token,
+            refreshToken: obj.refresh_token,
+            expiresAt: Date.now() + obj.expires_in * 1e3
+          }
+        };
+      }
+    }
+    return { kind: "transient" };
+  } catch {
+    return { kind: "transient" };
+  }
+}
+async function palbeMiddleware(request, opts) {
+  const config = requireGlobalConfig(
+    "import the generated palbe.gen.ts at the top of middleware.ts \u2014 Next bundles middleware as its own module graph, so the layout.tsx import does not reach it."
+  );
+  const { NextResponse } = await importNextServer("palbeMiddleware");
+  const passThrough = () => opts?.response ?? NextResponse.next({ request });
+  const ref = endpointRefFromApiKey(config.apiKey);
+  const session = decodeSessionCookies((name) => request.cookies.get(name)?.value, ref);
+  if (!session) return passThrough();
+  if (session.expiresAt - Date.now() > (opts?.refreshMarginMs ?? DEFAULT_REFRESH_MARGIN_MS)) {
+    return passThrough();
+  }
+  const outcome = await refreshSingleFlight(config, session.refreshToken);
+  if (outcome.kind === "transient") return passThrough();
+  const staleNames = clearedSessionCookieNames(ref, (name) => request.cookies.has(name));
+  if (outcome.kind === "terminal") {
+    for (const name of staleNames) request.cookies.delete(name);
+    const response2 = opts?.response ?? NextResponse.next({ request });
+    for (const name of staleNames) {
+      response2.cookies.set(name, "", { ...SESSION_COOKIE_ATTRS, maxAge: 0 });
+    }
+    response2.headers.set("cache-control", "private, no-store");
+    return response2;
+  }
+  const write = encodeSessionCookiesDecoded(ref, outcome.session);
+  for (const name of staleNames) request.cookies.delete(name);
+  for (const { name, value } of write.set) request.cookies.set(name, value);
+  for (const name of write.clear) request.cookies.delete(name);
+  const response = opts?.response ?? NextResponse.next({ request });
+  const written = new Set(write.set.map((c) => c.name));
+  for (const { name, value } of write.set) {
+    response.cookies.set(name, value, SESSION_COOKIE_ATTRS);
+  }
+  for (const name of /* @__PURE__ */ new Set([...write.clear, ...staleNames])) {
+    if (!written.has(name)) {
+      response.cookies.set(name, "", { ...SESSION_COOKIE_ATTRS, maxAge: 0 });
+    }
+  }
+  response.headers.set("cache-control", "private, no-store");
+  return response;
+}
+
+// src/next/server.ts
+function nextRequired(cause) {
+  const detail = cause instanceof Error && cause.message ? ` (${cause.message})` : "";
+  return new BackendError("validation", {
+    code: "next_required",
+    message: `pbServer() could not resolve a Next.js request cookie store: call it inside a Server Component, Server Action or Route Handler \u2014 or pass a store explicitly via pbServer({ cookies })${detail}.`
+  });
+}
+function isNextControlFlowError(err) {
+  if (typeof err !== "object" || err === null) return false;
+  const digest = err.digest;
+  return typeof digest === "string" && (digest === "DYNAMIC_SERVER_USAGE" || digest.startsWith("NEXT_"));
+}
+async function nextCookieStore() {
+  let cookies;
+  try {
+    ({ cookies } = await import("next/headers"));
+  } catch (cause) {
+    throw nextRequired(cause);
+  }
+  try {
+    return await cookies();
+  } catch (cause) {
+    if (isNextControlFlowError(cause)) throw cause;
+    throw nextRequired(cause);
+  }
+}
+function removeCookie(store, name) {
+  try {
+    if (store.set) store.set(name, "", { ...SESSION_COOKIE_ATTRS, maxAge: 0 });
+    else store.delete?.(name);
+  } catch {
+  }
+}
+function serverCookieAdapter(store, endpointRef) {
+  const present = (name) => store.get(name) !== void 0;
+  return {
+    load() {
+      const stored = decodeSessionCookies((name) => store.get(name)?.value, endpointRef);
+      if (!stored) return null;
+      return stored.accessToken && stored.expiresAt > 0 ? {
+        refreshToken: stored.refreshToken,
+        accessToken: stored.accessToken,
+        expiresAt: stored.expiresAt
+      } : { refreshToken: stored.refreshToken };
+    },
+    save(session) {
+      if (!session.accessToken || !session.expiresAt) return;
+      for (const name of clearedSessionCookieNames(endpointRef, present)) {
+        removeCookie(store, name);
+      }
+      const { set, clear } = encodeSessionCookiesDecoded(endpointRef, {
+        accessToken: session.accessToken,
+        refreshToken: session.refreshToken,
+        expiresAt: session.expiresAt
+      });
+      for (const { name, value } of set) {
+        try {
+          store.set?.(name, value, { ...SESSION_COOKIE_ATTRS });
+        } catch {
+        }
+      }
+      for (const name of clear) removeCookie(store, name);
+    },
+    clear() {
+      for (const name of clearedSessionCookieNames(endpointRef, present)) {
+        removeCookie(store, name);
+      }
+    }
+  };
+}
+async function pbServer(opts) {
+  const config = requireGlobalConfig(
+    "import the generated palbe.gen.ts once in app/layout.tsx \u2014 the root-layout import configures Server Components and Route Handlers too."
+  );
+  const store = opts?.cookies ?? await nextCookieStore();
+  const ref = endpointRefFromApiKey(config.apiKey);
+  const rt = buildRuntime({ ...config, storage: serverCookieAdapter(store, ref) });
+  return createBoundClient(rt);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  SESSION_COOKIE_ATTRS,
+  clearedSessionCookieNames,
+  decodeSessionCookies,
+  encodeSessionCookies,
+  encodeSessionCookiesDecoded,
+  endpointRefFromApiKey,
+  handleAuthCallback,
+  palbeMiddleware,
+  pbServer,
+  sessionCookieName
+});
+//# sourceMappingURL=index.cjs.map