@powerportalspro/core 5.0.0-beta.1

package/dist/index.cjs

@@ -0,0 +1,1263 @@
+'use strict';
+
+// src/routes.ts
+var apiRoot = "/api";
+var authRoot = `${apiRoot}/auth`;
+var manageRoot = `${authRoot}/manage`;
+var tables = {
+  /** Template: `/api/table/{tableLogicalName}`. POST creates a record. */
+  createRoute: `${apiRoot}/table/{tableLogicalName}`,
+  /** Template: `/api/table/{tableLogicalName}/{recordId}`. GET reads, PATCH updates, DELETE removes. */
+  readUpdateDeleteRoute: `${apiRoot}/table/{tableLogicalName}/{recordId}`,
+  /** Resolved URL for creating a record of the given table. */
+  getCreateRoute: (tableLogicalName) => `${apiRoot}/table/${tableLogicalName}`,
+  /**
+   * Resolved URL for retrieving a specific record, optionally with a column allow-list.
+   * @param columns Optional list of column logical names — joined with `,` and sent as `?columns=`.
+   */
+  getRetrieveRoute: (tableLogicalName, recordId, columns) => {
+    const base = `${apiRoot}/table/${tableLogicalName}/${recordId}`;
+    return columns && columns.length > 0 ? `${base}?columns=${columns.join(",")}` : base;
+  },
+  /** Resolved URL for updating a record (PATCH). */
+  getUpdateRoute: (tableLogicalName, recordId) => `${apiRoot}/table/${tableLogicalName}/${recordId}`,
+  /** Resolved URL for deleting a record (DELETE). */
+  getDeleteRoute: (tableLogicalName, recordId) => `${apiRoot}/table/${tableLogicalName}/${recordId}`
+};
+var manage = {
+  /** Base path under which all manage endpoints live (`/api/auth/manage`). */
+  root: manageRoot,
+  /** GET — read first/last/mobile from the linked Dataverse contact + Identity status flags. */
+  profile: `${manageRoot}/profile`,
+  /** POST — update first/last/mobile on the linked Dataverse contact. */
+  updateProfile: `${manageRoot}/profile`,
+  /** POST — add a local password to an account that doesn't have one. */
+  setPassword: `${manageRoot}/password/set`,
+  /** POST — change the local password (requires the current password). */
+  changePassword: `${manageRoot}/password/change`,
+  /** POST — start a change-email flow by emailing the new address a confirmation link. */
+  changeEmail: `${manageRoot}/email/change`,
+  /** POST — re-send the confirmation link to the user's current email. */
+  sendEmailConfirmation: `${manageRoot}/email/send-confirmation`,
+  /** GET — read 2FA status. */
+  twoFactorStatus: `${manageRoot}/2fa`,
+  /** GET — shared key + otpauth URI for the QR-code enrollment screen. */
+  authenticatorSetup: `${manageRoot}/authenticator/setup`,
+  /** POST — verify a code from the authenticator app. */
+  verifyAuthenticator: `${manageRoot}/authenticator/verify`,
+  /** POST — rotate the authenticator key (also disables 2FA). */
+  resetAuthenticator: `${manageRoot}/authenticator/reset`,
+  /** POST — disable 2FA on the account. */
+  disable2fa: `${manageRoot}/2fa/disable`,
+  /** POST — regenerate the user's recovery codes. */
+  generateRecoveryCodes: `${manageRoot}/2fa/recovery-codes/generate`,
+  /** POST — clear this browser's "trust this device" 2FA cookie. */
+  forget2faClient: `${manageRoot}/2fa/forget-browser`,
+  /** GET — list the signed-in user's linked external logins + available providers to add. */
+  externalLogins: `${manageRoot}/external-logins`,
+  /** GET — combined snapshot of sign-in paths (linked external logins + whether a local password exists). */
+  loginInfo: `${manageRoot}/login-info`,
+  /** GET — kicks off the OAuth flow that links an additional external login. Full-page navigate, do not fetch. */
+  linkExternalLogin: `${manageRoot}/external-logins/link`,
+  /** GET — OAuth callback target for {@link linkExternalLogin}. */
+  linkExternalLoginCallback: `${manageRoot}/external-logins/link/callback`,
+  /** POST — remove one external login by provider + key. */
+  removeExternalLogin: `${manageRoot}/external-logins/remove`,
+  /** GET — dump every `[PersonalData]` property + linked external logins. */
+  personalData: `${manageRoot}/personal-data`,
+  /** POST — permanently delete the user's account. */
+  deletePersonalData: `${manageRoot}/personal-data/delete`,
+  /** Resolved URL for {@link linkExternalLogin} with the provider + return URL pre-encoded. */
+  getLinkExternalLoginRoute: (provider, returnUrl) => {
+    const query = `?provider=${encodeURIComponent(provider)}`;
+    return returnUrl ? `${manageRoot}/external-logins/link${query}&returnUrl=${encodeURIComponent(returnUrl)}` : `${manageRoot}/external-logins/link${query}`;
+  }
+};
+var auth = {
+  /** Base path under which all auth endpoints live (`/api/auth`). */
+  root: authRoot,
+  /** POST — submit credentials. */
+  login: `${authRoot}/login`,
+  /** POST — submit the second-factor code after a Login that returned RequiresTwoFactor. */
+  loginTwoFactor: `${authRoot}/login/2fa`,
+  /** POST — clear the auth cookie. */
+  logout: `${authRoot}/logout`,
+  /** POST — create a new user account. */
+  register: `${authRoot}/register`,
+  /** POST — send a password-reset email. */
+  forgotPassword: `${authRoot}/forgot-password`,
+  /** POST — complete a password reset with the email-link token. */
+  resetPassword: `${authRoot}/reset-password`,
+  /** POST — confirm a registered user's email with the email-link token. */
+  confirmEmail: `${authRoot}/confirm-email`,
+  /** POST — send a fresh confirmation email. */
+  resendEmailConfirmation: `${authRoot}/resend-email-confirmation`,
+  /** GET — list of configured external (OAuth) login providers. */
+  externalProviders: `${authRoot}/external-providers`,
+  /** GET — kicks off the OAuth flow for the named external provider. Full-page navigate, do not fetch. */
+  externalLogin: `${authRoot}/external-login`,
+  /** GET — snapshot the in-flight external-login cookie set by the OAuth callback. */
+  externalLoginPending: `${authRoot}/external-login/pending`,
+  /** POST — complete an in-flight external login by registering / linking the account. */
+  externalLoginConfirm: `${authRoot}/external-login/confirm`,
+  /** POST — complete an in-flight external login when the user has chosen between multiple matching identities. */
+  externalLoginSelect: `${authRoot}/external-login/select`,
+  /** GET — write the chooser's "remember my choice" cookie + redirect to `returnUrl`. */
+  externalLoginRememberChoice: `${authRoot}/external-login/remember-choice`,
+  /** POST — swap the current cookie for the user's alt identity (the contact↔systemuser sibling). */
+  switchIdentity: `${authRoot}/switch-identity`,
+  /** GET — snapshot of the current user (or anonymous shape). */
+  me: `${authRoot}/me`,
+  /** Account-management endpoints under `/api/auth/manage/*`. */
+  manage,
+  /** Resolved URL for {@link externalLogin} with the provider + return URL pre-encoded. */
+  getExternalLoginRoute: (provider, returnUrl) => {
+    const query = `?provider=${encodeURIComponent(provider)}`;
+    return returnUrl ? `${authRoot}/external-login${query}&returnUrl=${encodeURIComponent(returnUrl)}` : `${authRoot}/external-login${query}`;
+  }
+};
+var api = {
+  /** Base path for the API (`/api`). */
+  root: apiRoot,
+  /** Template — POST a FetchXML query to retrieve multiple records. */
+  retrieveMultiple: `${apiRoot}/retrieveMultiple`,
+  /** Template — GET table metadata. */
+  retrieveTableMetadata: `${apiRoot}/tableMetadata/{tableLogicalName}`,
+  /** Template — GET view metadata by view id (Guid-constrained route). */
+  retrieveViewMetadata: `${apiRoot}/viewMetadata/{viewId}`,
+  /** Template — GET every view metadata record for a table. */
+  retrieveViewsForTable: `${apiRoot}/viewMetadata/{tableLogicalName}`,
+  /** Template — GET localized strings for a culture. */
+  retrieveLocalizedStrings: `${apiRoot}/localizedStrings/{culture}`,
+  /** Template — POST a batch of OrganizationRequest payloads. */
+  executeMultiple: `${apiRoot}/executeMultiple`,
+  /** GET — environment-wide file upload settings (blocked extensions, max upload size). */
+  environmentFileSettings: `${apiRoot}/environmentFileSettings`,
+  /** POST — clear all server-side caches. SystemAdmin-only. */
+  clearAllCaches: `${apiRoot}/caches/clear`,
+  /** GET — every server-side cache name. SystemAdmin-only. */
+  cacheNames: `${apiRoot}/caches`,
+  /** Template — POST to clear a single named cache. SystemAdmin-only. */
+  clearCache: `${apiRoot}/caches/{cacheName}/clear`,
+  /** Template — GET file metadata + (optionally) content for one record/column. */
+  retrieveFileInfo: `${apiRoot}/files/{tableLogicalName}/{recordId}/{columnName}`,
+  /** Template — POST record ids; returns file info + content for many records of one column. */
+  retrieveFilesBatch: `${apiRoot}/files/{tableLogicalName}/{columnName}/batch`,
+  /**
+   * POST — builds an archive containing the file payload of every supplied
+   * record id for the named table/column. Server returns the binary archive
+   * bytes (default) or a JSON envelope when `responseFormat` is `Json`.
+   */
+  createFileArchive: `${apiRoot}/files/createFileArchive`,
+  /** Resolved URL for retrieving multiple records via FetchXML. */
+  getRetrieveMultipleRoute: (fetchXml) => `${apiRoot}/retrieveMultiple?fetchXml=${encodeURIComponent(fetchXml)}`,
+  /**
+   * Template — POST a GridDataRequest (viewId / fetchXml input modes,
+   * searchText, sorts, paging, filters) and get back a shaped
+   * GridDataResponse. Server-side IGridService builds the FetchXML via
+   * the shared IFetchXmlQueryComposer and runs the query so the client
+   * never composes FetchXML directly.
+   */
+  gridData: `${apiRoot}/grids/data`,
+  /**
+   * Template — POST a ChartDataRequest (Aggregate / ViewId / FetchXml
+   * input modes) and get back a shaped ChartDataResponse. Server-side
+   * IChartService builds the FetchXML and runs the query so the
+   * client never composes FetchXML directly.
+   */
+  chartData: `${apiRoot}/charts/data`,
+  /** Resolved URL for retrieving metadata for one view. */
+  getRetrieveViewMetadataRoute: (viewId) => `${apiRoot}/viewMetadata/${viewId}`,
+  /** Resolved URL for retrieving every view metadata record for a table. */
+  getRetrieveViewsForTableRoute: (tableLogicalName) => `${apiRoot}/viewMetadata/${encodeURIComponent(tableLogicalName)}`,
+  /** Resolved URL for retrieving metadata for one table. Mirrors C# behavior of not encoding the segment. */
+  getRetrieveTableMetadataRoute: (tableLogicalName) => `${apiRoot}/tableMetadata/${tableLogicalName}`,
+  /**
+   * Resolved URL for retrieving the current user's combined
+   * `TableSecurityPermission` mask for a single table. Mirrors the
+   * server-side `ITablePermissionCache.GetPermissionForUserAsync` lookup
+   * the Blazor grid buttons already use via DI — exposed so the React
+   * client can read the same answer without firing a grid query.
+   * `GridDataResponse.tablePermissions` carries the same value when a
+   * grid query happens to be in flight; this endpoint covers the other
+   * cases (custom toolbars, conditional UI elsewhere on the page).
+   */
+  getRetrieveTablePermissionsRoute: (tableLogicalName) => `${apiRoot}/permissions/table/${tableLogicalName}`,
+  /** Resolved URL for retrieving localized strings for a culture. */
+  getRetrieveLocalizedStringsRoute: (culture) => `${apiRoot}/localizedStrings/${culture}`,
+  /** Resolved URL for the localization-bundle manifest endpoint (version + supported locales). */
+  getLocalizationBundleManifestRoute: () => `/localizations/version`,
+  /**
+   * Resolved URL for the per-locale thumbprints endpoint. Returns the
+   * content-derived thumbprint for the default bundle plus every loaded
+   * table / view at the requested locale. Mirrors C#
+   * `Routes.Localizations.GetThumbprintsRoute`.
+   */
+  getLocalizationThumbprintsRoute: (locale) => `/localizations/${encodeURIComponent(locale)}/thumbprints`,
+  /**
+   * Resolved URL for the default localization-bundle file (everything outside
+   * `tables.*` / `choices.*`) for a given locale + thumbprint. The thumbprint
+   * is purely for cache-busting — the server returns the current bundle for
+   * the locale regardless of what thumbprint is in the URL. Mirrors C#
+   * `Routes.Localizations.GetDefaultBundleRoute`.
+   */
+  getLocalizationBundleRoute: (locale, thumbprint) => `/localizations/default/${locale}.${thumbprint}.json`,
+  /**
+   * Resolved URL for the per-table localization-bundle file. Returns every
+   * `tables.{name}.*` string for the table plus the global `choices.*`
+   * strings any of its columns reference. Mirrors C#
+   * `Routes.Localizations.GetTableBundleRoute`.
+   */
+  getLocalizationTableBundleRoute: (tableName, locale, thumbprint) => `/localizations/tables/${encodeURIComponent(tableName)}/${locale}.${thumbprint}.json`,
+  /**
+   * Resolved URL for the per-view localization-bundle file. Returns every
+   * `tables.{owningTable}.views.{viewId}.*` string. Owning table is resolved
+   * server-side from the view id. Mirrors C# `Routes.Localizations.GetViewBundleRoute`.
+   */
+  getLocalizationViewBundleRoute: (viewId, locale, thumbprint) => `/localizations/views/${viewId}/${locale}.${thumbprint}.json`,
+  /** Resolved URL for executing multiple requests. */
+  getExecuteMultipleRoute: (returnResponses) => `${apiRoot}/executeMultiple?returnResponses=${returnResponses}`,
+  /** Resolved URL for retrieving file info on one record/column. */
+  getRetrieveFileInfoRoute: (tableLogicalName, recordId, columnName, includeData) => `${apiRoot}/files/${encodeURIComponent(tableLogicalName)}/${recordId}/${encodeURIComponent(columnName)}?includeData=${includeData}`,
+  /** Resolved URL for the batch retrieve-files endpoint. Body is a JSON array of record ids. */
+  getRetrieveFilesBatchRoute: (tableLogicalName, columnName, includeData) => `${apiRoot}/files/${encodeURIComponent(tableLogicalName)}/${encodeURIComponent(columnName)}/batch?includeData=${includeData}`,
+  /** Resolved URL for clearing one named cache. */
+  getClearCacheRoute: (cacheName) => `${apiRoot}/caches/${encodeURIComponent(cacheName)}/clear`,
+  /** Table-scoped CRUD routes. */
+  tables,
+  /** SPA-facing authentication endpoints. */
+  auth
+};
+var ui = {
+  localization: {
+    /** Template — POST to set the culture cookie + redirect. */
+    culture: "Culture/{culture}",
+    /** Resolved URL for setting the culture cookie. Mirrors C# behavior of not encoding either segment. */
+    getCultureRoute: (culture, returnUrl) => `Culture/${culture}?redirectUri=${returnUrl}`
+  }
+};
+var Routes = {
+  api,
+  ui
+};
+
+// src/errors.ts
+var PowerPortalsProError = class extends Error {
+  status;
+  url;
+  title;
+  detail;
+  clrType;
+  problem;
+  constructor(message, init) {
+    super(message);
+    this.name = "PowerPortalsProError";
+    this.status = init.status;
+    this.url = init.url;
+    this.title = init.title;
+    this.detail = init.detail;
+    this.clrType = init.clrType;
+    this.problem = init.problem;
+  }
+};
+var UnauthorizedAccessError = class extends PowerPortalsProError {
+  constructor(message, init) {
+    super(message, init);
+    this.name = "UnauthorizedAccessError";
+  }
+};
+var ArgumentError = class extends PowerPortalsProError {
+  constructor(message, init) {
+    super(message, init);
+    this.name = "ArgumentError";
+  }
+};
+var ArgumentNullError = class extends ArgumentError {
+  constructor(message, init) {
+    super(message, init);
+    this.name = "ArgumentNullError";
+  }
+};
+var InvalidOperationError = class extends PowerPortalsProError {
+  constructor(message, init) {
+    super(message, init);
+    this.name = "InvalidOperationError";
+  }
+};
+function mapProblemDetails(problem, fallbackStatus, url) {
+  const message = problem.detail ?? problem.title ?? `${problem.status ?? fallbackStatus} ${problem.title ?? "HTTP error"}${url ? ` on ${url}` : ""}`;
+  const init = {
+    status: problem.status ?? fallbackStatus,
+    url,
+    title: problem.title,
+    detail: problem.detail,
+    clrType: problem.exceptionType,
+    problem
+  };
+  switch (problem.exceptionType) {
+    case "System.UnauthorizedAccessException":
+      return new UnauthorizedAccessError(message, init);
+    case "System.ArgumentNullException":
+      return new ArgumentNullError(message, init);
+    case "System.ArgumentException":
+      return new ArgumentError(message, init);
+    case "System.InvalidOperationException":
+      return new InvalidOperationError(message, init);
+    default:
+      return new PowerPortalsProError(message, init);
+  }
+}
+
+// src/transport.ts
+var Transport = class {
+  baseUrl;
+  fetchImpl;
+  constructor(options = {}) {
+    this.baseUrl = (options.baseUrl ?? "").replace(/\/+$/, "");
+    this.fetchImpl = options.fetchImpl ?? globalThis.fetch.bind(globalThis);
+  }
+  /** Sends a request and returns the parsed JSON response body. */
+  async sendJson(method, path, options = {}) {
+    const response = await this.send(method, path, options);
+    return await response.json();
+  }
+  /**
+   * Sends a request that may return 204 No Content. Returns `null` for the empty case
+   * so the caller can branch without inspecting status codes.
+   */
+  async sendNullableJson(method, path, options = {}) {
+    const response = await this.send(method, path, options);
+    if (response.status === 204) return null;
+    const text = await response.text();
+    if (text.length === 0) return null;
+    return JSON.parse(text);
+  }
+  /** Sends a request and discards the response body. */
+  async sendVoid(method, path, options = {}) {
+    const response = await this.send(method, path, options);
+    await response.arrayBuffer().catch(() => void 0);
+  }
+  /**
+   * Low-level send. Throws `PowerPortalsProError` (or a subclass) on non-2xx. Most
+   * callers should use {@link sendJson}, {@link sendNullableJson}, or {@link sendVoid}.
+   */
+  async send(method, path, options = {}) {
+    const url = this.baseUrl + path;
+    const hasBody = options.body !== void 0;
+    const headers = {
+      Accept: "application/json",
+      ...hasBody ? { "Content-Type": "application/json" } : {},
+      ...options.headers ?? {}
+    };
+    const init = {
+      method,
+      credentials: "include",
+      headers,
+      ...hasBody ? { body: JSON.stringify(options.body) } : {},
+      ...options.signal ? { signal: options.signal } : {}
+    };
+    const response = await this.fetchImpl(url, init);
+    if (response.ok) return response;
+    throw await this.errorFromResponse(response, url);
+  }
+  async errorFromResponse(response, url) {
+    const contentType = response.headers.get("Content-Type") ?? "";
+    if (contentType.toLowerCase().includes("application/problem+json")) {
+      try {
+        const problem = await response.json();
+        return mapProblemDetails(problem, response.status, url);
+      } catch {
+      }
+    }
+    let detail;
+    try {
+      const text = await response.text();
+      if (text.length > 0) detail = text;
+    } catch {
+    }
+    return new PowerPortalsProError(
+      `${response.status} ${response.statusText} on ${url}`,
+      {
+        status: response.status,
+        url,
+        title: response.statusText,
+        detail,
+        clrType: void 0,
+        problem: void 0
+      }
+    );
+  }
+};
+
+// src/auth-client.ts
+function bodyAndSignal(body, signal) {
+  return {
+    ...body !== void 0 ? { body } : {},
+    ...signal ? { signal } : {}
+  };
+}
+var AuthClient = class {
+  /**
+   * The underlying transport. Exposed so advanced consumers can hit auth endpoints not
+   * yet wrapped by a typed method, or share a single transport with a sibling
+   * {@link PowerPortalsProClient}.
+   */
+  transport;
+  constructor(transportOrOptions) {
+    this.transport = transportOrOptions instanceof Transport ? transportOrOptions : new Transport(transportOrOptions);
+  }
+  // --- Login + 2FA + logout --------------------------------------------------------
+  /**
+   * Submits credentials. On success the auth cookie is set and the next
+   * {@link getCurrentUserAsync} will report the user as signed in. The returned
+   * `result` enum tells the caller whether to navigate (Success), prompt for 2FA
+   * (RequiresTwoFactor), or show a generic error (others).
+   */
+  loginAsync(request, signal) {
+    return this.transport.sendJson("POST", Routes.api.auth.login, bodyAndSignal(request, signal));
+  }
+  /** Submits the 2FA code after a {@link loginAsync} that returned `RequiresTwoFactor`. */
+  verifyTwoFactorAsync(request, signal) {
+    return this.transport.sendJson("POST", Routes.api.auth.loginTwoFactor, bodyAndSignal(request, signal));
+  }
+  /** Clears the auth cookie. Idempotent — calling on an already-anonymous session is a no-op. */
+  logoutAsync(signal) {
+    return this.transport.sendVoid("POST", Routes.api.auth.logout, bodyAndSignal(void 0, signal));
+  }
+  // --- Registration + email confirmation -------------------------------------------
+  /**
+   * Creates a new user. When the host configured `RequireConfirmedAccount` (the default),
+   * the response carries `RegisterResult.ConfirmationEmailSent` and the user is NOT
+   * signed in yet — the client should surface "check your email."
+   */
+  registerAsync(request, signal) {
+    return this.transport.sendJson("POST", Routes.api.auth.register, bodyAndSignal(request, signal));
+  }
+  /** Confirms a registered email via the registration-link token. */
+  confirmEmailAsync(request, signal) {
+    return this.transport.sendJson("POST", Routes.api.auth.confirmEmail, bodyAndSignal(request, signal));
+  }
+  /** Sends a fresh confirmation email. Always 200 — the server doesn't reveal whether the email exists. */
+  resendEmailConfirmationAsync(request, signal) {
+    return this.transport.sendVoid("POST", Routes.api.auth.resendEmailConfirmation, bodyAndSignal(request, signal));
+  }
+  // --- Password reset --------------------------------------------------------------
+  /** Requests a password-reset email. Always 200 — no enumeration. */
+  requestPasswordResetAsync(request, signal) {
+    return this.transport.sendVoid("POST", Routes.api.auth.forgotPassword, bodyAndSignal(request, signal));
+  }
+  /** Completes a password reset using the token from the reset email link. */
+  resetPasswordAsync(request, signal) {
+    return this.transport.sendJson("POST", Routes.api.auth.resetPassword, bodyAndSignal(request, signal));
+  }
+  // --- Session ---------------------------------------------------------------------
+  /**
+   * Snapshot of the current user. Anonymous requests get a non-null `CurrentUserInfo`
+   * with `isAuthenticated: false` and the rest of the fields empty — call this on app
+   * startup to decide whether to render signed-in UI vs. the login flow.
+   */
+  getCurrentUserAsync(signal) {
+    return this.transport.sendJson("GET", Routes.api.auth.me, bodyAndSignal(void 0, signal));
+  }
+  /** Lists the configured external (OAuth) login providers (Microsoft, Google, …). */
+  getExternalLoginProvidersAsync(signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.auth.externalProviders,
+      bodyAndSignal(void 0, signal)
+    );
+  }
+  // --- External login flow ---------------------------------------------------------
+  /**
+   * Reads the in-flight external-login cookie set by an OAuth callback. Returns
+   * `null` when no callback is in flight (the endpoint replies 204) — the client
+   * should redirect back to login in that case.
+   */
+  getPendingExternalLoginAsync(signal) {
+    return this.transport.sendNullableJson(
+      "GET",
+      Routes.api.auth.externalLoginPending,
+      bodyAndSignal(void 0, signal)
+    );
+  }
+  /**
+   * Completes an in-flight external login: registers a new local account (or links
+   * the external login to an existing account with the same email) and signs the
+   * user in.
+   */
+  confirmExternalLoginAsync(request, signal) {
+    return this.transport.sendJson(
+      "POST",
+      Routes.api.auth.externalLoginConfirm,
+      bodyAndSignal(request, signal)
+    );
+  }
+  /**
+   * Completes an in-flight external login when the OAuth identity matched more than
+   * one portal user (typically a `systemuser` AND a `contact`). Body carries only
+   * the `ExternalLoginCandidateKind` the user picked from the chooser; the server
+   * re-resolves the underlying record so a malicious caller can't supply an arbitrary id.
+   */
+  selectExternalLoginAsync(request, signal) {
+    return this.transport.sendJson(
+      "POST",
+      Routes.api.auth.externalLoginSelect,
+      bodyAndSignal(request, signal)
+    );
+  }
+  /**
+   * Swaps the current auth cookie for the user's alt identity (the contact↔systemuser
+   * sibling). The alt id is read from the cookie's claims server-side, so the client
+   * supplies no parameters.
+   */
+  switchIdentityAsync(signal) {
+    return this.transport.sendJson(
+      "POST",
+      Routes.api.auth.switchIdentity,
+      bodyAndSignal(void 0, signal)
+    );
+  }
+  // --- Profile ---------------------------------------------------------------------
+  /** Reads the signed-in user's manage-profile snapshot (Identity status + linked contact fields). */
+  getProfileAsync(signal) {
+    return this.transport.sendJson("GET", Routes.api.auth.manage.profile, bodyAndSignal(void 0, signal));
+  }
+  /** Updates first/last/mobile on the signed-in user's linked Dataverse contact. */
+  updateProfileAsync(request, signal) {
+    return this.transport.sendVoid("POST", Routes.api.auth.manage.updateProfile, bodyAndSignal(request, signal));
+  }
+  // --- Password (set + change) -----------------------------------------------------
+  /** Adds a local password to an account that doesn't have one (typically external-login-only). */
+  setPasswordAsync(request, signal) {
+    return this.transport.sendJson("POST", Routes.api.auth.manage.setPassword, bodyAndSignal(request, signal));
+  }
+  /**
+   * Changes the local password (requires the current password). On success the auth
+   * cookie is refreshed so other sessions are invalidated by the security stamp rotation.
+   */
+  changePasswordAsync(request, signal) {
+    return this.transport.sendJson(
+      "POST",
+      Routes.api.auth.manage.changePassword,
+      bodyAndSignal(request, signal)
+    );
+  }
+  // --- Email (change + resend confirmation) ----------------------------------------
+  /** Starts a change-email flow by sending a confirmation link to the new address. */
+  changeEmailAsync(request, signal) {
+    return this.transport.sendJson("POST", Routes.api.auth.manage.changeEmail, bodyAndSignal(request, signal));
+  }
+  /** Re-sends the confirmation link to the user's current (unconfirmed) email. */
+  sendEmailConfirmationAsync(signal) {
+    return this.transport.sendJson(
+      "POST",
+      Routes.api.auth.manage.sendEmailConfirmation,
+      bodyAndSignal(void 0, signal)
+    );
+  }
+  // --- 2FA management --------------------------------------------------------------
+  /** Reads the user's two-factor configuration snapshot (enabled, has authenticator, recovery codes left). */
+  getTwoFactorStatusAsync(signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.auth.manage.twoFactorStatus,
+      bodyAndSignal(void 0, signal)
+    );
+  }
+  /** Reads (and creates if missing) the authenticator key + QR-code URI for TOTP enrollment. */
+  getAuthenticatorSetupAsync(signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.auth.manage.authenticatorSetup,
+      bodyAndSignal(void 0, signal)
+    );
+  }
+  /**
+   * Verifies a code from the authenticator app to finish enabling 2FA. On success and
+   * when the user has zero existing recovery codes, a fresh batch is returned in
+   * `recoveryCodes`.
+   */
+  verifyAuthenticatorAsync(request, signal) {
+    return this.transport.sendJson(
+      "POST",
+      Routes.api.auth.manage.verifyAuthenticator,
+      bodyAndSignal(request, signal)
+    );
+  }
+  /** Rotates the authenticator key and disables 2FA — the user must re-enroll to re-enable. */
+  resetAuthenticatorAsync(signal) {
+    return this.transport.sendJson(
+      "POST",
+      Routes.api.auth.manage.resetAuthenticator,
+      bodyAndSignal(void 0, signal)
+    );
+  }
+  /** Disables 2FA on the account. */
+  disable2faAsync(signal) {
+    return this.transport.sendJson("POST", Routes.api.auth.manage.disable2fa, bodyAndSignal(void 0, signal));
+  }
+  /** Regenerates recovery codes — invalidates the previous set. The new codes are returned once and only here. */
+  generateRecoveryCodesAsync(signal) {
+    return this.transport.sendJson(
+      "POST",
+      Routes.api.auth.manage.generateRecoveryCodes,
+      bodyAndSignal(void 0, signal)
+    );
+  }
+  /** Clears this browser's "remember this machine" 2FA cookie. */
+  forget2faClientAsync(signal) {
+    return this.transport.sendJson(
+      "POST",
+      Routes.api.auth.manage.forget2faClient,
+      bodyAndSignal(void 0, signal)
+    );
+  }
+  // --- External logins management --------------------------------------------------
+  /** Lists the user's linked external logins plus available providers to add. */
+  getExternalLoginsAsync(signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.auth.manage.externalLogins,
+      bodyAndSignal(void 0, signal)
+    );
+  }
+  /**
+   * Reads the combined sign-in-paths snapshot (linked external logins + whether the
+   * account has a local password). Used by the manage-external-logins UI to decide
+   * whether unlinking a given external login would lock the user out.
+   */
+  getCurrentLoginInfoAsync(signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.auth.manage.loginInfo,
+      bodyAndSignal(void 0, signal)
+    );
+  }
+  /** Removes one external login from the signed-in user. */
+  removeExternalLoginAsync(request, signal) {
+    return this.transport.sendJson(
+      "POST",
+      Routes.api.auth.manage.removeExternalLogin,
+      bodyAndSignal(request, signal)
+    );
+  }
+  // --- Personal data ---------------------------------------------------------------
+  /** Returns every `[PersonalData]`-marked Identity property + linked external logins. */
+  getPersonalDataAsync(signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.auth.manage.personalData,
+      bodyAndSignal(void 0, signal)
+    );
+  }
+  /**
+   * Permanently deletes the user's account. When the account has a local password,
+   * `request.password` is required — `RequireLocalPassword` in the response means
+   * the client should prompt and retry.
+   */
+  deletePersonalDataAsync(request, signal) {
+    return this.transport.sendJson(
+      "POST",
+      Routes.api.auth.manage.deletePersonalData,
+      bodyAndSignal(request, signal)
+    );
+  }
+};
+
+// src/powerportalspro-client.ts
+var PowerPortalsProClient = class {
+  /**
+   * The underlying transport. Exposed so advanced consumers can hit endpoints not yet
+   * wrapped by a typed method (caches, executeMultiple, associate/disassociate, …).
+   * Cookie auth, JSON in/out, and problem+json error rehydration apply automatically
+   * because the transport owns those concerns.
+   */
+  transport;
+  constructor(transportOrOptions) {
+    this.transport = transportOrOptions instanceof Transport ? transportOrOptions : new Transport(transportOrOptions);
+  }
+  // --- Records (CRUD + FetchXML) ---------------------------------------------------
+  /**
+   * Creates a new record. URL is derived from `record.tableName`. Server marks all
+   * properties as modified before applying so column values arriving from JSON
+   * (which carry no dirty flags) round-trip the same way they do from Blazor's
+   * dirty-tracked records.
+   */
+  createRecordAsync(record, signal) {
+    return this.transport.sendJson(
+      "POST",
+      Routes.api.tables.getCreateRoute(record.tableName),
+      { body: record, ...signal ? { signal } : {} }
+    );
+  }
+  /**
+   * Reads a single record. `columns` (logical names) narrows the projection to a subset;
+   * omit it for the table's full set of columns visible to the caller.
+   */
+  retrieveRecordAsync(tableLogicalName, recordId, columns, signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.tables.getRetrieveRoute(tableLogicalName, recordId, columns),
+      signal ? { signal } : {}
+    );
+  }
+  /**
+   * Runs a FetchXML query and returns the matching records plus paging info.
+   * The query is the FetchXML XML literal — the same format Dataverse natively accepts.
+   */
+  retrieveRecordsAsync(fetchXml, signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.getRetrieveMultipleRoute(fetchXml),
+      signal ? { signal } : {}
+    );
+  }
+  /**
+   * Loads grid data via the server-side <c>IGridService</c>. The request
+   * picks a base query — a stored Dataverse view (<c>viewId</c>) or a
+   * caller-supplied FetchXML (<c>fetchXml</c>) — and the server applies
+   * the framework's <c>*</c>/<c>%</c> wildcard convention, AND-merges
+   * the search filter into the source's existing filter, dispatches to
+   * per-column-type search semantics (string <c>like</c>, choice label
+   * match → integer <c>in</c>, lookup link-entity + primary-name match,
+   * etc.), and projects each column to a {@link ResolvedColumn} so the
+   * client can render headers + dispatch cells without a separate
+   * metadata round-trip.
+   *
+   * Exactly one of <c>request.viewId</c> or <c>request.fetchXml</c> must
+   * be supplied; sending both or neither returns a 400.
+   *
+   * Mirrors how the Blazor `IGridService` is consumed —
+   * `@powerportalspro/react`'s `useGridData` hook calls this method
+   * internally, so most consumers don't invoke it directly.
+   */
+  loadGridAsync(request, signal) {
+    return this.transport.sendJson(
+      "POST",
+      Routes.api.gridData,
+      { body: request, ...signal ? { signal } : {} }
+    );
+  }
+  /**
+   * Updates an existing record. URL is derived from `record.tableName` and `record.id` —
+   * `record.id` must be set. For a new record, use {@link createRecordAsync} instead.
+   */
+  updateRecordAsync(record, signal) {
+    if (!record.id) {
+      throw new Error(
+        "PowerPortalsProClient.updateRecordAsync requires record.id. Use createRecordAsync for new records."
+      );
+    }
+    return this.transport.sendJson(
+      "PATCH",
+      Routes.api.tables.getUpdateRoute(record.tableName, record.id),
+      { body: record, ...signal ? { signal } : {} }
+    );
+  }
+  /**
+   * Executes a batch of {@link OrganizationRequest}s as a single round-trip,
+   * matching Blazor's `IPowerPortalsProService.ExecuteMultipleAsync`. The
+   * MainContext save flow uses this to ship every dirty descendant's
+   * requests in one shot so a multi-record save lands transactionally
+   * server-side.
+   *
+   * When `returnResponses` is `true` (default), the response array carries
+   * one `OrganizationResponse` per request in submission order — useful for
+   * `CreateRequest` cases that need the newly-allocated record id. Pass
+   * `false` for fire-and-forget batches to skip the response payload.
+   */
+  executeMultipleAsync(requests, options) {
+    const returnResponses = options?.returnResponses ?? true;
+    return this.transport.sendJson(
+      "POST",
+      Routes.api.getExecuteMultipleRoute(returnResponses),
+      {
+        body: requests,
+        ...options?.signal ? { signal: options.signal } : {}
+      }
+    );
+  }
+  /** Deletes the record with the given id from the given table. */
+  deleteRecordAsync(tableLogicalName, recordId, signal) {
+    return this.transport.sendJson(
+      "DELETE",
+      Routes.api.tables.getDeleteRoute(tableLogicalName, recordId),
+      signal ? { signal } : {}
+    );
+  }
+  // --- Charts ----------------------------------------------------------------------
+  /**
+   * Loads chart data via the server-side <c>IChartService</c>. The
+   * request body picks one of three input modes — typed aggregate
+   * config, saved-view id, or raw FetchXML — plus the label/value
+   * columns to shape the response. Server builds the FetchXML, runs the
+   * query, performs the multi-series pivot, and applies combined
+   * date-label formatting using the request culture.
+   *
+   * Mirrors how the Blazor `IChartService` is consumed —
+   * `@powerportalspro/react-charts`'s `DataverseChartDataSource` family
+   * calls this method internally, so most consumers don't invoke it
+   * directly.
+   */
+  loadChartAsync(request, signal) {
+    return this.transport.sendJson(
+      "POST",
+      Routes.api.chartData,
+      { body: request, ...signal ? { signal } : {} }
+    );
+  }
+  // --- Metadata --------------------------------------------------------------------
+  /** Reads the metadata describing the columns and relationships of a single Dataverse table. */
+  retrieveTableMetadataAsync(tableLogicalName, signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.getRetrieveTableMetadataRoute(tableLogicalName),
+      signal ? { signal } : {}
+    );
+  }
+  /**
+   * Returns the current user's combined table-level `TableSecurityPermission`
+   * bitmask for `tableLogicalName` — the bitwise union of Read / Create /
+   * Write / Delete / Append / AppendTo flags any registered
+   * `ITablePermissionHandler` allows for that user on that table. Mirrors
+   * the cached `ITablePermissionCache.GetPermissionForUserAsync` lookup
+   * Blazor's grid buttons already use directly via DI. Wrapped client-side
+   * by the `useTablePermissions(tableName)` React hook with in-flight-promise
+   * dedup; reach for the raw client only when you're outside React (e.g.
+   * a sample stand-alone script) or need an imperative one-off check.
+   *
+   * Returns `0` (`TableSecurityPermission.None`) when the user has no
+   * permissions on the table; consumers compare via bit math (e.g.
+   * `(permissions & TableSecurityPermission.Create) === TableSecurityPermission.Create`).
+   */
+  retrieveTablePermissionsAsync(tableLogicalName, signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.getRetrieveTablePermissionsRoute(tableLogicalName),
+      signal ? { signal } : {}
+    );
+  }
+  /** Reads metadata for a single view by its Dataverse view id (a GUID). */
+  retrieveViewMetadataAsync(viewId, signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.getRetrieveViewMetadataRoute(viewId),
+      signal ? { signal } : {}
+    );
+  }
+  /**
+   * Lists every view metadata record for a table — used by view-pickers and default-view
+   * resolution. Server-side caching means this is a single Dataverse hit per table per
+   * server lifetime.
+   */
+  retrieveViewsForTableAsync(tableLogicalName, signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.getRetrieveViewsForTableRoute(tableLogicalName),
+      signal ? { signal } : {}
+    );
+  }
+  // --- Localization ----------------------------------------------------------------
+  /**
+   * Retrieves the version manifest — just the supported-locale codes.
+   * Clients fetch this on app startup, resolve which locale to use, then
+   * call {@link retrieveLocalizationThumbprintsAsync} for the per-resource
+   * thumbprints at that locale. Cached `no-cache` server-side so a new
+   * release is detected on next page load.
+   */
+  retrieveLocalizationBundleManifestAsync(signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.getLocalizationBundleManifestRoute(),
+      signal ? { signal } : {}
+    );
+  }
+  /**
+   * Retrieves the per-resource thumbprints for a single locale — the
+   * default-bundle thumbprint plus thumbprints for every loaded table / view.
+   * Returned from a separate endpoint (vs being baked into the version
+   * manifest) so the manifest stays small even at large environment scale.
+   * Cached `no-cache` server-side; the per-resource immutable URLs do the
+   * heavy caching once these are read.
+   */
+  retrieveLocalizationThumbprintsAsync(locale, signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.getLocalizationThumbprintsRoute(locale),
+      signal ? { signal } : {}
+    );
+  }
+  /**
+   * Resolved URL for the default localization-bundle file at the given
+   * locale + thumbprint. Convenience wrapper around the {@link Routes}
+   * helper.
+   */
+  getLocalizationBundleUrl(locale, thumbprint) {
+    return Routes.api.getLocalizationBundleRoute(locale, thumbprint);
+  }
+  /**
+   * Fetches the default localization-bundle file (everything outside
+   * `tables.*` / `choices.*`) for the given locale + thumbprint. Returns
+   * the nested-object shape the source JSON files use
+   * (`{ app: { buttons: { … } } }`).
+   *
+   * Per-table and per-view strings come from
+   * {@link retrieveLocalizationTableBundleAsync} and
+   * {@link retrieveLocalizationViewBundleAsync} — fetched in parallel by the
+   * runtime when source-generator-emitted `tables.{name}` / `views.{viewId}`
+   * tokens are passed to the localizer's prefix-load hook.
+   *
+   * The thumbprint is purely cosmetic (server doesn't validate it). Pass
+   * the thumbprint from the manifest so the URL is unique per release and
+   * the browser's HTTP cache serves subsequent loads from disk.
+   */
+  retrieveLocalizationBundleAsync(locale, thumbprint, signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.getLocalizationBundleRoute(locale, thumbprint),
+      signal ? { signal } : {}
+    );
+  }
+  /**
+   * Fetches a per-table localization bundle. Returns every `tables.{name}.*`
+   * string for the table plus the global `choices.*` strings any of its
+   * columns reference. Owning-side resolution: the server reads the table's
+   * column metadata to find which global option sets to include.
+   *
+   * Pass the thumbprint from the matching locale entry of the manifest so
+   * the URL is unique per release; the browser caches the response under
+   * `Cache-Control: immutable, max-age=31536000`.
+   */
+  retrieveLocalizationTableBundleAsync(tableName, locale, thumbprint, signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.getLocalizationTableBundleRoute(tableName, locale, thumbprint),
+      signal ? { signal } : {}
+    );
+  }
+  /**
+   * Fetches a per-view localization bundle. Returns every
+   * `tables.{owningTable}.views.{viewId}.*` string. The owning table is
+   * resolved server-side from the view id, so the client only needs to pass
+   * the id (lowercased GUID, no braces).
+   *
+   * Pass the thumbprint from the matching locale entry of the manifest so
+   * the URL is unique per release; the browser caches the response under
+   * `Cache-Control: immutable, max-age=31536000`.
+   */
+  retrieveLocalizationViewBundleAsync(viewId, locale, thumbprint, signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.getLocalizationViewBundleRoute(viewId, locale, thumbprint),
+      signal ? { signal } : {}
+    );
+  }
+  /**
+   * Retrieves the FULL localized-strings catalog for a culture. The server
+   * already merges Dataverse-metadata-derived strings (table / column /
+   * choice-option labels) with the framework JSON files and any consumer
+   * override files (last-wins). Use this to seed the React-side localizer
+   * with one round-trip.
+   *
+   * Returned shape is a nested object that mirrors the source JSON files —
+   * `{ app: { buttons: { save: { label: "Save" } } }, tables: { contact: ... } }`.
+   * The client typically flattens this to dotted-key form for `t()` lookup
+   * (see {@link flattenStrings} in `@powerportalspro/react`).
+   *
+   * @param culture culture code matching what server-side ASP.NET request
+   *   localization recognizes — e.g. `"en"`, `"es"`, `"fr-CA"`. Falls back
+   *   to the default culture server-side when the value isn't supported.
+   */
+  retrieveLocalizedStringsAsync(culture, signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.getRetrieveLocalizedStringsRoute(culture),
+      signal ? { signal } : {}
+    );
+  }
+  // --- Files -----------------------------------------------------------------------
+  /**
+   * Reads file metadata for one record/column pair, optionally including the binary
+   * payload. When `includeData` is false (the default), the response carries name,
+   * size, and content type but not the bytes — useful for rendering a download link
+   * that fetches lazily on click.
+   */
+  getFileInfoAsync(tableLogicalName, recordId, columnName, includeData = false, signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.getRetrieveFileInfoRoute(tableLogicalName, recordId, columnName, includeData),
+      signal ? { signal } : {}
+    );
+  }
+  /**
+   * Batched read for many records of the same table/column — feeds the FileGrid's
+   * "Download All" / "Download Selected" flows in one round-trip. Permission checks
+   * still apply per-record server-side, so dropped rows (deleted, unauthorized,
+   * file-missing) just don't appear in the response.
+   */
+  getFileInfosAsync(tableLogicalName, recordIds, columnName, includeData = false, signal) {
+    return this.transport.sendJson(
+      "POST",
+      Routes.api.getRetrieveFilesBatchRoute(tableLogicalName, columnName, includeData),
+      { body: recordIds, ...signal ? { signal } : {} }
+    );
+  }
+  /**
+   * Builds an archive containing the file payload of every supplied record id for the
+   * named table/column. Replaces the older client-side "fetch each file + zip in the
+   * browser" path with a single server-side step — no base64 round-trip on the wire.
+   *
+   * Two response shapes, selected by `request.responseFormat`:
+   *
+   * - **BinaryStream** (default): the server returns the raw archive bytes; this
+   *   method reads them via `response.arrayBuffer()` and wraps the result in a
+   *   {@link FileArchiveResult}, deriving `fileName` from the `Content-Disposition`
+   *   header and `contentType` from `Content-Type`. Most consumers want this path.
+   * - **Json**: the server returns a {@link FileArchiveJsonResponse} envelope with
+   *   the archive bytes base64-encoded. Useful for test harnesses, service workers,
+   *   or callers that need to inspect filename/size before triggering a download.
+   *
+   * Either way, the returned `data` is empty (`Uint8Array(0)`) when none of the
+   * supplied records produced a usable file — the caller can surface a "nothing to
+   * download" message instead of streaming an empty archive.
+   */
+  async createFileArchiveAsync(request, signal) {
+    if (request.responseFormat === 1) {
+      const json = await this.transport.sendJson(
+        "POST",
+        Routes.api.createFileArchive,
+        { body: request, ...signal ? { signal } : {} }
+      );
+      return {
+        fileName: json.fileName,
+        contentType: json.contentType,
+        data: base64ToUint8Array(json.data)
+      };
+    }
+    const response = await this.transport.send(
+      "POST",
+      Routes.api.createFileArchive,
+      { body: request, ...signal ? { signal } : {} }
+    );
+    const fileName = parseContentDispositionFileName(response.headers.get("Content-Disposition")) ?? `${request.tableName}-files.zip`;
+    const contentType = response.headers.get("Content-Type")?.split(";")[0]?.trim() ?? "application/octet-stream";
+    const buffer = await response.arrayBuffer();
+    return { fileName, contentType, data: new Uint8Array(buffer) };
+  }
+  /**
+   * Reads the environment-wide file upload settings (blocked extension list, max
+   * upload size in KB). UI consumers use this to validate uploads client-side before
+   * the round-trip, mirroring what the server enforces.
+   */
+  getEnvironmentFileSettingsAsync(signal) {
+    return this.transport.sendJson(
+      "GET",
+      Routes.api.environmentFileSettings,
+      signal ? { signal } : {}
+    );
+  }
+};
+function base64ToUint8Array(base64) {
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+  return bytes;
+}
+function parseContentDispositionFileName(header) {
+  if (!header) return null;
+  const star = /filename\*=(?:UTF-8'')?([^;]+)/i.exec(header);
+  if (star?.[1]) {
+    try {
+      return decodeURIComponent(star[1]);
+    } catch {
+    }
+  }
+  const plain = /filename="?([^";]+)"?/i.exec(header);
+  return plain?.[1] ?? null;
+}
+
+// src/generated/result-codes.ts
+var AggregateType = {
+  None: 0,
+  Count: 1,
+  CountColumn: 2,
+  Sum: 3,
+  Avg: 4,
+  Min: 5,
+  Max: 6
+};
+var ArchiveFormat = {
+  Zip: 0
+};
+var ChangeEmailResult = {
+  ConfirmationEmailSent: 0,
+  SameAsCurrentEmail: 1
+};
+var ChangePasswordResult = {
+  Success: 0,
+  IncorrectOldPassword: 1,
+  InvalidPassword: 2
+};
+var ChartDateGrouping = {
+  None: 0,
+  Day: 1,
+  Week: 2,
+  Month: 3,
+  Quarter: 4,
+  Year: 5,
+  MonthAndYear: 6,
+  DayAndMonth: 7,
+  DayAndMonthAndYear: 8,
+  WeekAndYear: 9,
+  QuarterAndYear: 10
+};
+var ColumnType = {
+  Boolean: 0,
+  Customer: 1,
+  DateTime: 2,
+  Decimal: 3,
+  Double: 4,
+  Integer: 5,
+  Lookup: 6,
+  Memo: 7,
+  Money: 8,
+  Owner: 9,
+  PartyList: 10,
+  Choice: 11,
+  State: 12,
+  Status: 13,
+  String: 14,
+  Uniqueidentifier: 15,
+  CalendarRules: 16,
+  Virtual: 17,
+  BigInt: 18,
+  ManagedProperty: 19,
+  EntityName: 20,
+  MultiSelectChoice: 40,
+  File: 41,
+  Image: 42
+};
+var ConfirmExternalLoginResult = {
+  SignedIn: 0,
+  ConfirmationEmailSent: 1,
+  NoPendingExternalLogin: 2,
+  Failure: 3
+};
+var DateTimeBehavior = {
+  DateOnly: 1,
+  UserLocal: 2,
+  TimeZoneIndependent: 3
+};
+var DeletePersonalDataResult = {
+  Success: 0,
+  IncorrectPassword: 1,
+  RequireLocalPassword: 2
+};
+var ExternalLoginCandidateKind = {
+  Contact: 0,
+  SystemUser: 1
+};
+var FileArchiveResponseFormat = {
+  BinaryStream: 0,
+  Json: 1
+};
+var JoinOperator = {
+  Inner: 0,
+  LeftOuter: 1,
+  Natural: 2,
+  MatchFirstRowUsingCrossApply: 3,
+  In: 4,
+  Exists: 5,
+  Any: 6,
+  NotAny: 7,
+  All: 8,
+  NotAll: 9
+};
+var LoginResult = {
+  Success: 0,
+  RequiresTwoFactor: 1,
+  InvalidCredentials: 2,
+  EmailNotConfirmed: 3,
+  LockedOut: 4
+};
+var RegisterResult = {
+  ConfirmationEmailSent: 0,
+  SignedIn: 1,
+  EmailAlreadyInUse: 2
+};
+var RelationshipFilterMode = {
+  IncludeExistingRecords: 0,
+  ExcludeExistingRecords: 1
+};
+var RequiredLevel = {
+  None: 0,
+  SystemRequired: 1,
+  ApplicationRequired: 2,
+  Recommended: 3
+};
+var ResetPasswordResult = {
+  Success: 0,
+  InvalidOrExpiredToken: 1,
+  InvalidPassword: 2
+};
+var SwitchIdentityResult = {
+  Switched: 0,
+  NoAltIdentity: 1,
+  AltIdentityNotFound: 2,
+  NotAuthenticated: 3
+};
+var TableSecurityPermission = {
+  None: 0,
+  Read: 1,
+  Create: 2,
+  Write: 4,
+  Delete: 8,
+  Append: 16,
+  AppendTo: 32,
+  All: 63
+};
+
+// src/record-id.ts
+var EMPTY_GUID = "00000000-0000-0000-0000-000000000000";
+function getRecordReferenceId(record) {
+  if (!record) return void 0;
+  if (record.id && record.id !== EMPTY_GUID) return record.id;
+  return record._idForCreate ?? void 0;
+}
+
+// src/index.ts
+var VERSION = "0.1.0";
+
+exports.AggregateType = AggregateType;
+exports.ArchiveFormat = ArchiveFormat;
+exports.ArgumentError = ArgumentError;
+exports.ArgumentNullError = ArgumentNullError;
+exports.AuthClient = AuthClient;
+exports.ChangeEmailResult = ChangeEmailResult;
+exports.ChangePasswordResult = ChangePasswordResult;
+exports.ChartDateGrouping = ChartDateGrouping;
+exports.ColumnType = ColumnType;
+exports.ConfirmExternalLoginResult = ConfirmExternalLoginResult;
+exports.DateTimeBehavior = DateTimeBehavior;
+exports.DeletePersonalDataResult = DeletePersonalDataResult;
+exports.ExternalLoginCandidateKind = ExternalLoginCandidateKind;
+exports.FileArchiveResponseFormat = FileArchiveResponseFormat;
+exports.InvalidOperationError = InvalidOperationError;
+exports.JoinOperator = JoinOperator;
+exports.LoginResult = LoginResult;
+exports.PowerPortalsProClient = PowerPortalsProClient;
+exports.PowerPortalsProError = PowerPortalsProError;
+exports.RegisterResult = RegisterResult;
+exports.RelationshipFilterMode = RelationshipFilterMode;
+exports.RequiredLevel = RequiredLevel;
+exports.ResetPasswordResult = ResetPasswordResult;
+exports.Routes = Routes;
+exports.SwitchIdentityResult = SwitchIdentityResult;
+exports.TableSecurityPermission = TableSecurityPermission;
+exports.Transport = Transport;
+exports.UnauthorizedAccessError = UnauthorizedAccessError;
+exports.VERSION = VERSION;
+exports.getRecordReferenceId = getRecordReferenceId;
+exports.mapProblemDetails = mapProblemDetails;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map