@payez/next-mvp 3.0.0

package/dist/types/recovery.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/types/security.d.ts

@@ -0,0 +1 @@
+export type TwoFactorMethod = 'email' | 'sms' | 'authenticator';

package/dist/types/security.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/utils/api.d.ts

@@ -0,0 +1,85 @@
+import { TwoFactorMethod } from '../types/security';
+export declare class ApiError extends Error {
+    type: string;
+    title: string;
+    status: number;
+    detail?: string;
+    traceId?: string;
+    errors?: Record<string, string[]>;
+    constructor(message: string, details: any);
+}
+export interface ApiOptions {
+    method?: string;
+    body?: any;
+    headers?: Record<string, string>;
+}
+export interface ApiResponse<T> {
+    success: boolean;
+    data?: T;
+    error?: string;
+    type?: string;
+    title?: string;
+    status?: number;
+    errors?: Record<string, string[]>;
+    traceId?: string;
+    message?: string;
+}
+export declare function apiFetch<T>(url: string, options?: ApiOptions): Promise<ApiResponse<T>>;
+export declare class AccountApi {
+    /**
+     * Get masked user info (email, phone, authenticator status)
+     * User identification comes from JWT token in Authorization header, not from request body
+     */
+    getMaskedInfo(accessToken?: string): Promise<{
+        maskedEmail: string;
+        maskedPhoneNumber: string;
+        hasAuthenticator: boolean;
+        method?: TwoFactorMethod;
+    }>;
+    initiateRecovery(email: string): Promise<any>;
+    sendRecoveryCode(recoveryToken: string, method: 'email' | 'sms' | 'authenticator'): Promise<any>;
+    verifyRecoveryCode(recoveryToken: string, code: string, method: string): Promise<any>;
+    resetPasswordWithToken(email: string, resetToken: string, newPassword: string, confirmPassword: string): Promise<any>;
+    resetPassword(data: {
+        email: string;
+        token: string;
+        password: string;
+        password_confirmation: string;
+    }): Promise<any>;
+    verifyWelcomeEmail(onboardToken: string, clientKey?: string): Promise<{
+        maskedEmail: string;
+        maskedPhoneNumber?: string;
+        hasAuthenticator?: boolean;
+        expiryMinutes: number;
+        clientKey: string;
+    }>;
+    sendOnboardingCode(onboardToken: string, clientKey?: string): Promise<{
+        maskedEmail: string;
+        maskedPhoneNumber?: string;
+        hasAuthenticator?: boolean;
+        expiryMinutes: number;
+        clientKey: string;
+    }>;
+    verifyOnboardingCode(onboardToken: string, code: string, clientKey?: string): Promise<{
+        success: boolean;
+        resetToken: string;
+        email: string;
+        clientKey: string;
+    }>;
+    verifyOnboardingSmsCode(onboardToken: string, code: string, clientKey?: string): Promise<{
+        success: boolean;
+        resetToken: string;
+        email: string;
+        clientKey: string;
+    }>;
+    setOnboardingPassword(data: {
+        onboardToken: string;
+        email: string;
+        resetToken: string;
+        newPassword: string;
+    }, clientKey?: string): Promise<{
+        success: boolean;
+        message?: string;
+    }>;
+}
+export declare const accountApi: AccountApi;

package/dist/utils/api.js

@@ -0,0 +1,287 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.accountApi = exports.AccountApi = exports.ApiError = void 0;
+exports.apiFetch = apiFetch;
+const standardized_client_api_1 = require("../lib/standardized-client-api");
+class ApiError extends Error {
+    type;
+    title;
+    status;
+    detail;
+    traceId;
+    errors;
+    constructor(message, details) {
+        super(message);
+        this.name = 'ApiError';
+        this.type = details.type || 'UnknownError';
+        this.title = details.title || message;
+        this.status = details.status || 500;
+        this.detail = details.detail;
+        this.traceId = details.traceId;
+        this.errors = details.errors;
+    }
+}
+exports.ApiError = ApiError;
+async function apiFetch(url, options = {}) {
+    const { method = 'GET', body, headers = {} } = options;
+    let finalBody = body;
+    const fetchOptions = {
+        method,
+        headers: {
+            'Content-Type': 'application/json',
+            ...headers,
+        },
+        credentials: 'include',
+        ...(finalBody ? { body: JSON.stringify(finalBody) } : {}),
+    };
+    let res = await fetch(url, fetchOptions);
+    // If we get a 401, it may be a transient during server-side token refresh. Retry once after a short delay.
+    if (res.status === 401) {
+        await new Promise(resolve => setTimeout(resolve, 250));
+        res = await fetch(url, fetchOptions);
+    }
+    const raw = await res.json().catch(() => ({}));
+    if (!res.ok) {
+        throw new ApiError(raw?.message || 'API Error', raw);
+    }
+    // --- Universal normalization here ---
+    let normalized;
+    if (raw && typeof raw === 'object') {
+        if ('data' in raw && typeof raw.data === 'object' && raw.data !== null) {
+            // Already wrapped
+            normalized = { ...raw };
+        }
+        else {
+            // Not wrapped: move all fields except known meta to data
+            const { success, error, errors, message, type, title, status, traceId, ...data } = raw;
+            normalized = {
+                success: typeof success === 'boolean' ? success : true,
+                data: data,
+                error,
+                errors,
+                message,
+                type,
+                title,
+                status,
+                traceId,
+            };
+        }
+    }
+    else {
+        normalized = { success: true, data: raw };
+    }
+    return normalized;
+}
+// DELETED: apiFetchAuth - Use clientApi from @/lib/client-api instead for proper token refresh handling
+// Account API for masked info and 2FA
+class AccountApi {
+    /**
+     * Get masked user info (email, phone, authenticator status)
+     * User identification comes from JWT token in Authorization header, not from request body
+     */
+    async getMaskedInfo(accessToken) {
+        // Require authentication for masked info retrieval; do not infer from session or token locally
+        if (!accessToken) {
+            throw new ApiError('Not authenticated', { status: 401, title: 'Unauthorized' });
+        }
+        // Authenticated request - proxy through Next API to IDP
+        // Empty body: user info comes from JWT token
+        const result = await standardized_client_api_1.standardizedApi.post('/api/account/masked-info', {}, accessToken);
+        console.log('[DEBUG] getMaskedInfo result:', {
+            success: (0, standardized_client_api_1.isApiSuccess)(result),
+            hasData: (0, standardized_client_api_1.isApiSuccess)(result) && !!result.data,
+            rawData: (0, standardized_client_api_1.isApiSuccess)(result) ? result.data : null,
+            dataFields: (0, standardized_client_api_1.isApiSuccess)(result) && result.data ? Object.keys(result.data) : []
+        });
+        console.log('[DEBUG] getMaskedInfo raw data structure:', JSON.stringify((0, standardized_client_api_1.isApiSuccess)(result) ? result.data : result, null, 2));
+        if (!(0, standardized_client_api_1.isApiSuccess)(result)) {
+            const errorMessage = (0, standardized_client_api_1.isApiError)(result) ? result.message : 'Failed to get masked info';
+            console.error('[DEBUG] getMaskedInfo failed:', result);
+            throw new ApiError(errorMessage, result);
+        }
+        // Use only snake_case fields from backend response
+        const d = result.data.data || result.data; // Access the nested data object
+        const maskedInfoResult = {
+            maskedEmail: d.masked_email ?? '',
+            maskedPhoneNumber: d.masked_phone_number ?? '',
+            hasAuthenticator: d.has_authenticator ?? false,
+            method: d.method
+        };
+        console.log('[DEBUG] getMaskedInfo result:', maskedInfoResult);
+        return maskedInfoResult;
+    }
+    async initiateRecovery(email) {
+        const res = await fetch('/api/account/recovery/initiate', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ email }),
+        });
+        if (!res.ok)
+            throw new Error('Failed to initiate recovery');
+        return res.json();
+    }
+    async sendRecoveryCode(recoveryToken, method) {
+        const res = await fetch('/api/account/recovery/send-code', {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Authorization': `Bearer ${recoveryToken}`
+            },
+            body: JSON.stringify({ method }),
+        });
+        if (!res.ok)
+            throw new Error('Failed to send recovery code');
+        return res.json();
+    }
+    async verifyRecoveryCode(recoveryToken, code, method) {
+        const res = await fetch('/api/account/recovery/verify-code', {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Authorization': `Bearer ${recoveryToken}`
+            },
+            body: JSON.stringify({ code, method }),
+        });
+        if (!res.ok) {
+            const e = await res.json().catch(() => null);
+            throw new Error(e?.error?.message || 'Invalid verification code');
+        }
+        return res.json();
+    }
+    async resetPasswordWithToken(email, resetToken, newPassword, confirmPassword) {
+        const res = await fetch('/api/account/reset-password', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                email,
+                password_reset_token: resetToken,
+                new_password: newPassword,
+                confirm_password: confirmPassword,
+            }),
+        });
+        if (!res.ok)
+            throw new Error('Failed to reset password');
+        return res.json();
+    }
+    async resetPassword(data) {
+        // Proxy to server API which in turn proxies to IDP
+        const res = await fetch('/api/account/reset-password', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                email: data.email,
+                token: data.token,
+                password: data.password,
+                password_confirmation: data.password_confirmation
+            })
+        });
+        const result = await res.json().catch(() => ({}));
+        if (!res.ok || (result && result.success === false)) {
+            const msg = result?.message || 'Failed to reset password';
+            throw new ApiError(msg, result);
+        }
+        return result;
+    }
+    // Onboarding flow methods
+    async verifyWelcomeEmail(onboardToken, clientKey) {
+        const qs = clientKey ? `?client_id=${encodeURIComponent(clientKey)}` : '';
+        console.log('[accountApi.verifyWelcomeEmail] POST /api/onboarding/verify-welcome-email', { qs, onboardTokenLen: onboardToken?.length });
+        const res = await fetch(`/api/onboarding/verify-welcome-email${qs}`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ onboard_token: onboardToken })
+        });
+        const result = await res.json().catch(() => ({}));
+        console.log('[accountApi.verifyWelcomeEmail] Response status:', res.status, 'body keys:', result && typeof result === 'object' ? Object.keys(result) : typeof result);
+        if (!res.ok || (result && result.success === false)) {
+            const msg = result?.message || 'Failed to verify welcome email';
+            throw new ApiError(msg, result);
+        }
+        // Extract from nested data structure
+        const data = result.data?.data || result.data || {};
+        const masked = data.masked_user_info || {};
+        return {
+            maskedEmail: masked.masked_email || '',
+            maskedPhoneNumber: masked.masked_phone_number || '',
+            hasAuthenticator: masked.has_authenticator ?? undefined,
+            expiryMinutes: data.expiry_minutes || 10,
+            clientKey: data.client_key || ''
+        };
+    }
+    // Back-compat alias
+    async sendOnboardingCode(onboardToken, clientKey) {
+        return this.verifyWelcomeEmail(onboardToken, clientKey);
+    }
+    async verifyOnboardingCode(onboardToken, code, clientKey) {
+        const qs = clientKey ? `?clientId=${encodeURIComponent(clientKey)}` : '';
+        const res = await fetch(`/api/onboarding/verify-code${qs}`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                onboard_token: onboardToken,
+                code: code
+            })
+        });
+        const result = await res.json().catch(() => ({}));
+        if (!res.ok || (result && result.success === false)) {
+            const msg = result?.message || 'Invalid verification code';
+            throw new ApiError(msg, result);
+        }
+        // Extract from nested data structure
+        const data = result.data?.data || result.data || {};
+        return {
+            success: data.success !== false,
+            resetToken: data.reset_token || '',
+            email: data.email || '',
+            clientKey: data.client_key || ''
+        };
+    }
+    async verifyOnboardingSmsCode(onboardToken, code, clientKey) {
+        const qs = clientKey ? `?clientId=${encodeURIComponent(clientKey)}` : '';
+        const res = await fetch(`/api/onboarding/verify-sms-code${qs}`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                onboard_token: onboardToken,
+                code: code
+            })
+        });
+        const result = await res.json().catch(() => ({}));
+        if (!res.ok || (result && result.success === false)) {
+            const msg = result?.message || 'Invalid verification code';
+            throw new ApiError(msg, result);
+        }
+        // Extract from nested data structure
+        const data = result.data?.data || result.data || {};
+        return {
+            success: data.success !== false,
+            resetToken: data.reset_token || '',
+            email: data.email || '',
+            clientKey: data.client_key || ''
+        };
+    }
+    async setOnboardingPassword(data, clientKey) {
+        const qs = clientKey ? `?clientId=${encodeURIComponent(clientKey)}` : '';
+        const res = await fetch(`/api/onboarding/set-password${qs}`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                onboard_token: data.onboardToken,
+                email: data.email,
+                reset_token: data.resetToken,
+                new_password: data.newPassword
+            })
+        });
+        const result = await res.json().catch(() => ({}));
+        if (!res.ok || (result && result.success === false)) {
+            const msg = result?.message || 'Failed to set password';
+            throw new ApiError(msg, result);
+        }
+        return {
+            success: result.success !== false,
+            message: result.message || result.data?.message
+        };
+    }
+}
+exports.AccountApi = AccountApi;
+exports.accountApi = new AccountApi();

package/dist/utils/circuitBreaker.d.ts

@@ -0,0 +1,43 @@
+export declare enum CircuitBreakerStateType {
+    CLOSED = "CLOSED",
+    OPEN = "OPEN",
+    HALF_OPEN = "HALF_OPEN"
+}
+export interface CircuitBreakerState {
+    failures: number;
+    lastFailure: number;
+    isOpen: boolean;
+    state: CircuitBreakerStateType;
+    recoveryTime: number;
+    testRequestInProgress: boolean;
+    recoveryAttempts: number;
+}
+export declare function getCircuitBreakerState(): CircuitBreakerState;
+export declare function canAttemptRefresh(): boolean;
+export declare function recordFailure(error?: any): void;
+export declare function recordSuccess(): void;
+export declare function isConnectionRefusedError(error: any): boolean;
+export declare function isNetworkError(error: any): boolean;
+export declare function getCircuitBreakerStateName(): string;
+export declare function isCircuitBreakerOpen(): boolean;
+export declare function isCircuitBreakerHalfOpen(): boolean;
+export declare function isCircuitBreakerClosed(): boolean;
+export declare function attemptRecovery(): boolean;
+export declare function getTimeUntilRecovery(): number;
+export declare function resetCircuitBreaker(): void;
+export declare function clearCircuitBreakerStore(): void;
+export declare const circuitBreaker: {
+    getCircuitBreakerState: typeof getCircuitBreakerState;
+    recordFailure: typeof recordFailure;
+    recordSuccess: typeof recordSuccess;
+    isNetworkError: typeof isNetworkError;
+    isConnectionRefusedError: typeof isConnectionRefusedError;
+    canAttemptRefresh: typeof canAttemptRefresh;
+    getCircuitBreakerStateName: typeof getCircuitBreakerStateName;
+    isCircuitBreakerOpen: typeof isCircuitBreakerOpen;
+    isCircuitBreakerHalfOpen: typeof isCircuitBreakerHalfOpen;
+    isCircuitBreakerClosed: typeof isCircuitBreakerClosed;
+    resetCircuitBreaker: typeof resetCircuitBreaker;
+    attemptRecovery: typeof attemptRecovery;
+    getTimeUntilRecovery: typeof getTimeUntilRecovery;
+};

package/dist/utils/circuitBreaker.js

@@ -0,0 +1,91 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.circuitBreaker = exports.CircuitBreakerStateType = void 0;
+exports.getCircuitBreakerState = getCircuitBreakerState;
+exports.canAttemptRefresh = canAttemptRefresh;
+exports.recordFailure = recordFailure;
+exports.recordSuccess = recordSuccess;
+exports.isConnectionRefusedError = isConnectionRefusedError;
+exports.isNetworkError = isNetworkError;
+exports.getCircuitBreakerStateName = getCircuitBreakerStateName;
+exports.isCircuitBreakerOpen = isCircuitBreakerOpen;
+exports.isCircuitBreakerHalfOpen = isCircuitBreakerHalfOpen;
+exports.isCircuitBreakerClosed = isCircuitBreakerClosed;
+exports.attemptRecovery = attemptRecovery;
+exports.getTimeUntilRecovery = getTimeUntilRecovery;
+exports.resetCircuitBreaker = resetCircuitBreaker;
+exports.clearCircuitBreakerStore = clearCircuitBreakerStore;
+const CIRCUIT_BREAKER_KEY = 'idp-circuit-breaker';
+const isDev = process.env.NODE_ENV === 'development';
+const isTest = process.env.NODE_ENV === 'test';
+const DEV_CONFIG = { FAILURE_THRESHOLD: 5, RECOVERY_TIME: 10000, RECOVERY_BACKOFF_MULTIPLIER: 1.5, MAX_RECOVERY_TIME: 120000 };
+const PROD_CONFIG = { FAILURE_THRESHOLD: 3, RECOVERY_TIME: 30000, RECOVERY_BACKOFF_MULTIPLIER: 2, MAX_RECOVERY_TIME: 300000 };
+const TEST_CONFIG = { FAILURE_THRESHOLD: 3, RECOVERY_TIME: 30000, RECOVERY_BACKOFF_MULTIPLIER: 2, MAX_RECOVERY_TIME: 300000 };
+const config = isTest ? TEST_CONFIG : (isDev ? DEV_CONFIG : PROD_CONFIG);
+const FAILURE_THRESHOLD = config.FAILURE_THRESHOLD;
+const RECOVERY_TIME = config.RECOVERY_TIME;
+const RECOVERY_BACKOFF_MULTIPLIER = config.RECOVERY_BACKOFF_MULTIPLIER;
+const MAX_RECOVERY_TIME = config.MAX_RECOVERY_TIME;
+var CircuitBreakerStateType;
+(function (CircuitBreakerStateType) {
+    CircuitBreakerStateType["CLOSED"] = "CLOSED";
+    CircuitBreakerStateType["OPEN"] = "OPEN";
+    CircuitBreakerStateType["HALF_OPEN"] = "HALF_OPEN";
+})(CircuitBreakerStateType || (exports.CircuitBreakerStateType = CircuitBreakerStateType = {}));
+const circuitBreakerStore = new Map();
+function getCircuitBreakerState() {
+    const state = circuitBreakerStore.get(CIRCUIT_BREAKER_KEY);
+    if (!state) {
+        const newState = { failures: 0, lastFailure: 0, isOpen: false, state: CircuitBreakerStateType.CLOSED, recoveryTime: RECOVERY_TIME, testRequestInProgress: false, recoveryAttempts: 0 };
+        circuitBreakerStore.set(CIRCUIT_BREAKER_KEY, newState);
+        return newState;
+    }
+    if (state.state === CircuitBreakerStateType.OPEN && Date.now() - state.lastFailure > state.recoveryTime) {
+        state.state = CircuitBreakerStateType.HALF_OPEN;
+        state.isOpen = true;
+        state.testRequestInProgress = false;
+    }
+    return state;
+}
+function canAttemptRefresh() { const state = getCircuitBreakerState(); if (state.state === CircuitBreakerStateType.CLOSED)
+    return true; if (state.state === CircuitBreakerStateType.HALF_OPEN && !state.testRequestInProgress) {
+    state.testRequestInProgress = true;
+    return true;
+} return false; }
+function recordFailure(error) { const state = getCircuitBreakerState(); if (state.state === CircuitBreakerStateType.HALF_OPEN) {
+    state.state = CircuitBreakerStateType.OPEN;
+    state.isOpen = true;
+    state.testRequestInProgress = false;
+    state.failures++;
+    state.lastFailure = Date.now();
+    state.recoveryAttempts++;
+    state.recoveryTime = Math.min(RECOVERY_TIME * Math.pow(RECOVERY_BACKOFF_MULTIPLIER, state.recoveryAttempts), MAX_RECOVERY_TIME);
+}
+else {
+    state.failures++;
+    state.lastFailure = Date.now();
+    if (state.failures >= FAILURE_THRESHOLD) {
+        state.state = CircuitBreakerStateType.OPEN;
+        state.isOpen = true;
+        state.testRequestInProgress = false;
+        state.recoveryAttempts = 0;
+    }
+} }
+function recordSuccess() { const state = getCircuitBreakerState(); state.state = CircuitBreakerStateType.CLOSED; state.isOpen = false; state.failures = 0; state.testRequestInProgress = false; state.recoveryTime = RECOVERY_TIME; state.recoveryAttempts = 0; }
+function isConnectionRefusedError(error) { return error?.cause?.code === 'ECONNREFUSED' || error?.code === 'ECONNREFUSED' || error?.message?.includes('ECONNREFUSED'); }
+function isNetworkError(error) { return isConnectionRefusedError(error) || error?.message?.includes('fetch failed') || error?.message?.includes('ENOTFOUND') || error?.message?.includes('ETIMEDOUT') || error?.message?.includes('ECONNRESET') || error?.code === 'ENOTFOUND' || error?.code === 'ETIMEDOUT' || error?.code === 'ECONNRESET'; }
+function getCircuitBreakerStateName() { const state = getCircuitBreakerState(); return state.state; }
+function isCircuitBreakerOpen() { const state = getCircuitBreakerState(); return state.state === CircuitBreakerStateType.OPEN; }
+function isCircuitBreakerHalfOpen() { const state = getCircuitBreakerState(); return state.state === CircuitBreakerStateType.HALF_OPEN; }
+function isCircuitBreakerClosed() { const state = getCircuitBreakerState(); return state.state === CircuitBreakerStateType.CLOSED; }
+function attemptRecovery() { const state = getCircuitBreakerState(); if (state.state === CircuitBreakerStateType.OPEN && Date.now() - state.lastFailure > state.recoveryTime) {
+    state.state = CircuitBreakerStateType.HALF_OPEN;
+    state.isOpen = true;
+    state.testRequestInProgress = false;
+    return true;
+} return false; }
+function getTimeUntilRecovery() { const state = getCircuitBreakerState(); if (state.state !== CircuitBreakerStateType.OPEN)
+    return 0; const timeSinceLastFailure = Date.now() - state.lastFailure; const timeUntilRecovery = state.recoveryTime - timeSinceLastFailure; return Math.max(0, timeUntilRecovery); }
+function resetCircuitBreaker() { const state = getCircuitBreakerState(); state.state = CircuitBreakerStateType.CLOSED; state.isOpen = false; state.failures = 0; state.testRequestInProgress = false; state.recoveryTime = RECOVERY_TIME; state.lastFailure = 0; state.recoveryAttempts = 0; }
+function clearCircuitBreakerStore() { circuitBreakerStore.clear(); }
+exports.circuitBreaker = { getCircuitBreakerState, recordFailure, recordSuccess, isNetworkError, isConnectionRefusedError, canAttemptRefresh, getCircuitBreakerStateName, isCircuitBreakerOpen, isCircuitBreakerHalfOpen, isCircuitBreakerClosed, resetCircuitBreaker, attemptRecovery, getTimeUntilRecovery };

package/dist/utils/error-message.d.ts

@@ -0,0 +1 @@
+export declare function toFriendlyErrorMessage(err: unknown): string;

package/dist/utils/error-message.js

@@ -0,0 +1,103 @@
+"use strict";
+// Utility to convert unknown errors or standardized API JSON into a friendly string
+// Keeps UI clean by avoiding raw JSON rendering.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.toFriendlyErrorMessage = toFriendlyErrorMessage;
+function toFriendlyErrorMessage(err) {
+    try {
+        // If it's already a string, try to parse JSON first
+        if (typeof err === 'string') {
+            const trimmed = err.trim();
+            if (looksLikeJson(trimmed)) {
+                const parsed = JSON.parse(trimmed);
+                return fromStructured(parsed);
+            }
+            return normalizeMessage(trimmed);
+        }
+        // If it's an Error
+        if (err instanceof Error) {
+            return normalizeMessage(err.message);
+        }
+        // Try to handle plain objects
+        if (err && typeof err === 'object') {
+            return fromStructured(err);
+        }
+        // Fallback
+        return 'Something went wrong. Please try again.';
+    }
+    catch {
+        return 'Something went wrong. Please try again.';
+    }
+}
+function looksLikeJson(input) {
+    return (input.startsWith('{') && input.endsWith('}')) || (input.startsWith('[') && input.endsWith(']'));
+}
+function fromStructured(obj) {
+    // StandardizedResponse shapes we use across the app
+    const success = get(obj, ['success']);
+    const message = get(obj, ['message']) || get(obj, ['error', 'message']);
+    const code = get(obj, ['error', 'code']) || get(obj, ['error_code']);
+    const status = get(obj, ['status']) || get(obj, ['error', 'status']);
+    // Prefer the message if present
+    if (message) {
+        return normalizeMessage(message, code, status);
+    }
+    // If we have a code or status, map it
+    if (code || status) {
+        return normalizeMessage(undefined, code, status);
+    }
+    // As a last resort, do not dump raw JSON — provide generic fallback
+    return 'We could not complete your request. Please try again.';
+}
+function normalizeMessage(message, code, status) {
+    const msg = (message || '').toLowerCase();
+    const c = (code || '').toUpperCase();
+    // Map well-known codes first
+    switch (c) {
+        case 'TIMEOUT':
+        case 'REQUEST_TIMEOUT':
+            return 'Request timed out. Please try again.';
+        case 'TOO_MANY_REQUESTS':
+        case 'RATE_LIMIT_EXCEEDED':
+            return 'Too many attempts. Please wait a moment and try again.';
+        case 'SERVICE_UNAVAILABLE':
+            return 'Service temporarily unavailable. Please try again shortly.';
+        case 'UNAUTHORIZED':
+        case 'INVALID_SESSION':
+        case 'TOKEN_EXPIRED':
+            return 'Your session has expired. Please log in again.';
+        case 'VALIDATION_ERROR':
+            return 'Please check the code and try again.';
+    }
+    // Map by HTTP-ish status if provided
+    if (status === 408)
+        return 'Request timed out. Please try again.';
+    if (status === 429)
+        return 'Too many attempts. Please wait a moment and try again.';
+    if (status === 401)
+        return 'Your session has expired. Please log in again.';
+    if (status === 503)
+        return 'Service temporarily unavailable. Please try again shortly.';
+    // Heuristic by message content
+    if (msg.includes('timeout'))
+        return 'Request timed out. Please try again.';
+    if (msg.includes('too many request') || msg.includes('rate limit'))
+        return 'Too many attempts. Please wait a moment and try again.';
+    if (msg.includes('unauthorized') || msg.includes('authentication failed') || msg.includes('session expired'))
+        return 'Your session has expired. Please log in again.';
+    if (msg.includes('network') || msg.includes('failed to fetch'))
+        return 'Network error. Check your connection and try again.';
+    // Default to the original message if we have one
+    if (message && message.trim())
+        return message;
+    return 'We could not complete your request. Please try again.';
+}
+function get(obj, path) {
+    let cur = obj;
+    for (const p of path) {
+        if (cur == null || typeof cur !== 'object' || !(p in cur))
+            return undefined;
+        cur = cur[p];
+    }
+    return cur;
+}