@qlever-llc/trellis 0.10.17 → 0.10.18

package/esm/auth/browser/portal.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"portal.d.ts","sourceRoot":"","sources":["../../../src/auth/browser/portal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,eAAe,EAAyB,MAAM,gBAAgB,CAAC;AAC7E,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAG7C,YAAY,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACtD,YAAY,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAMtD,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,GAAG,GAAG,MAAM,GAAG,IAAI,CAE3D;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,eAAe,CAAC,CAY1B;AAED,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,GACb,MAAM,CAKR;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,gBAAgB,GACzB,OAAO,CAAC,eAAe,CAAC,CAkB1B;AAED,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,eAAe,GAAG,IAAI,GAC5B,MAAM,GAAG,IAAI,CAIf"}
+{"version":3,"file":"portal.d.ts","sourceRoot":"","sources":["../../../src/auth/browser/portal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,eAAe,EAAyB,MAAM,gBAAgB,CAAC;AAC7E,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAG7C,YAAY,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACtD,YAAY,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAMtD,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,GAAG,GAAG,MAAM,GAAG,IAAI,CAE3D;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,eAAe,CAAC,CAY1B;AAED,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,GACb,MAAM,CAKR;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,gBAAgB,GACzB,OAAO,CAAC,eAAe,CAAC,CAkB1B;AAED,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,eAAe,GAAG,IAAI,GAC5B,MAAM,GAAG,IAAI,CAKf"}

package/esm/auth/browser/portal.js

@@ -33,5 +33,7 @@ export function portalRedirectLocation(state) {
         return state.location;
     if (state?.status === "approval_denied")
         return state.returnLocation ?? null;
+    if (state?.status === "expired")
+        return state.returnLocation ?? null;
     return null;
 }

package/esm/auth/browser.d.ts

@@ -8,6 +8,8 @@ export { type AuthConfig, type AuthStartFlowResponse, type AuthStartRequest, typ
 export { type ApprovalDecision, fetchPortalFlowState, portalFlowIdFromUrl, type PortalFlowState, type PortalFlowState as BrowserPortalFlowState, portalProviderLoginUrl, portalRedirectLocation, submitPortalApproval, } from "./browser/portal.js";
 export { bindFlowSig, clearSessionKey, createRpcProof, generateSessionKey, getOrCreateSessionKey, getPublicSessionKey, hasSessionKey, loadSessionKey, natsConnectSigForIat, type SessionKeyHandle, type SessionKeyOptions, type SessionKeyPersistenceMode, signBytes, } from "./browser/session.js";
 export { deleteKeyPair, hasKeyPair } from "./browser/storage.js";
+export { classifyBrowserAuthError, isRecoverableBrowserAuthError, } from "./browser_recovery.js";
+export type { BrowserAuthRecoveryClassification, BrowserAuthRecoveryKind, } from "./browser_recovery.js";
 export { approvalCapabilityKeys, type ApprovalDecision as ApprovalDecisionData, ApprovalDecisionSchema, type AuthStartFlowResponse as AuthStartFlowResponseData, AuthStartFlowResponseSchema, type AuthStartRequest as AuthStartRequestData, AuthStartRequestSchema, type AuthStartResponse as AuthStartResponseData, AuthStartResponseSchema, type BindResponse as BindResponseData, BindResponseSchema, type BindSuccessResponse as BindSuccessResponseData, BindSuccessResponseSchema, type ClientTransportEndpoints as ClientTransportEndpointsData, ClientTransportEndpointsSchema, type ClientTransports as ClientTransportsData, ClientTransportsSchema, type ContractApproval as ContractApprovalData, type ContractApprovalCapability as ContractApprovalCapabilityData, ContractApprovalSchema, type NatsAuthTokenV1 as NatsAuthTokenV1Data, NatsAuthTokenV1Schema, type SentinelCreds as SentinelCredsData, SentinelCredsSchema, } from "./schemas.js";
 export type { NatsAuthTokenV1 } from "./types.js";
 export { base64urlDecode, base64urlEncode, sha256, toArrayBuffer, utf8, } from "./utils.js";

package/esm/auth/browser.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"browser.d.ts","sourceRoot":"","sources":["../../src/auth/browser.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,sBAAsB,CAAC;AAG9B,OAAO,EACL,KAAK,UAAU,EACf,KAAK,qBAAqB,EAC1B,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,QAAQ,EACR,KAAK,YAAY,EACjB,KAAK,mBAAmB,EACxB,aAAa,EACb,qBAAqB,EACrB,KAAK,aAAa,EAClB,gBAAgB,GACjB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,KAAK,gBAAgB,EACrB,oBAAoB,EACpB,mBAAmB,EACnB,KAAK,eAAe,EACpB,KAAK,eAAe,IAAI,sBAAsB,EAC9C,sBAAsB,EACtB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,WAAW,EACX,eAAe,EACf,cAAc,EACd,kBAAkB,EAClB,qBAAqB,EACrB,mBAAmB,EACnB,aAAa,EACb,cAAc,EACd,oBAAoB,EACpB,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,KAAK,yBAAyB,EAC9B,SAAS,GACV,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AACjE,OAAO,EACL,sBAAsB,EACtB,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,sBAAsB,EACtB,KAAK,qBAAqB,IAAI,yBAAyB,EACvD,2BAA2B,EAC3B,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,sBAAsB,EACtB,KAAK,iBAAiB,IAAI,qBAAqB,EAC/C,uBAAuB,EACvB,KAAK,YAAY,IAAI,gBAAgB,EACrC,kBAAkB,EAClB,KAAK,mBAAmB,IAAI,uBAAuB,EACnD,yBAAyB,EACzB,KAAK,wBAAwB,IAAI,4BAA4B,EAC7D,8BAA8B,EAC9B,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,sBAAsB,EACtB,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,KAAK,0BAA0B,IAAI,8BAA8B,EACjE,sBAAsB,EACtB,KAAK,eAAe,IAAI,mBAAmB,EAC3C,qBAAqB,EACrB,KAAK,aAAa,IAAI,iBAAiB,EACvC,mBAAmB,GACpB,MAAM,cAAc,CAAC;AAEtB,YAAY,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EACL,eAAe,EACf,eAAe,EACf,MAAM,EACN,aAAa,EACb,IAAI,GACL,MAAM,YAAY,CAAC"}
+{"version":3,"file":"browser.d.ts","sourceRoot":"","sources":["../../src/auth/browser.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,sBAAsB,CAAC;AAG9B,OAAO,EACL,KAAK,UAAU,EACf,KAAK,qBAAqB,EAC1B,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,QAAQ,EACR,KAAK,YAAY,EACjB,KAAK,mBAAmB,EACxB,aAAa,EACb,qBAAqB,EACrB,KAAK,aAAa,EAClB,gBAAgB,GACjB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,KAAK,gBAAgB,EACrB,oBAAoB,EACpB,mBAAmB,EACnB,KAAK,eAAe,EACpB,KAAK,eAAe,IAAI,sBAAsB,EAC9C,sBAAsB,EACtB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,WAAW,EACX,eAAe,EACf,cAAc,EACd,kBAAkB,EAClB,qBAAqB,EACrB,mBAAmB,EACnB,aAAa,EACb,cAAc,EACd,oBAAoB,EACpB,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,KAAK,yBAAyB,EAC9B,SAAS,GACV,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AACjE,OAAO,EACL,wBAAwB,EACxB,6BAA6B,GAC9B,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EACV,iCAAiC,EACjC,uBAAuB,GACxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,sBAAsB,EACtB,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,sBAAsB,EACtB,KAAK,qBAAqB,IAAI,yBAAyB,EACvD,2BAA2B,EAC3B,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,sBAAsB,EACtB,KAAK,iBAAiB,IAAI,qBAAqB,EAC/C,uBAAuB,EACvB,KAAK,YAAY,IAAI,gBAAgB,EACrC,kBAAkB,EAClB,KAAK,mBAAmB,IAAI,uBAAuB,EACnD,yBAAyB,EACzB,KAAK,wBAAwB,IAAI,4BAA4B,EAC7D,8BAA8B,EAC9B,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,sBAAsB,EACtB,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,KAAK,0BAA0B,IAAI,8BAA8B,EACjE,sBAAsB,EACtB,KAAK,eAAe,IAAI,mBAAmB,EAC3C,qBAAqB,EACrB,KAAK,aAAa,IAAI,iBAAiB,EACvC,mBAAmB,GACpB,MAAM,cAAc,CAAC;AAEtB,YAAY,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EACL,eAAe,EACf,eAAe,EACf,MAAM,EACN,aAAa,EACb,IAAI,GACL,MAAM,YAAY,CAAC"}

package/esm/auth/browser.js

@@ -7,5 +7,6 @@ export { bindFlow, buildLoginUrl, isBindSuccessResponse, startAuthRequest, } fro
 export { fetchPortalFlowState, portalFlowIdFromUrl, portalProviderLoginUrl, portalRedirectLocation, submitPortalApproval, } from "./browser/portal.js";
 export { bindFlowSig, clearSessionKey, createRpcProof, generateSessionKey, getOrCreateSessionKey, getPublicSessionKey, hasSessionKey, loadSessionKey, natsConnectSigForIat, signBytes, } from "./browser/session.js";
 export { deleteKeyPair, hasKeyPair } from "./browser/storage.js";
+export { classifyBrowserAuthError, isRecoverableBrowserAuthError, } from "./browser_recovery.js";
 export { approvalCapabilityKeys, ApprovalDecisionSchema, AuthStartFlowResponseSchema, AuthStartRequestSchema, AuthStartResponseSchema, BindResponseSchema, BindSuccessResponseSchema, ClientTransportEndpointsSchema, ClientTransportsSchema, ContractApprovalSchema, NatsAuthTokenV1Schema, SentinelCredsSchema, } from "./schemas.js";
 export { base64urlDecode, base64urlEncode, sha256, toArrayBuffer, utf8, } from "./utils.js";

package/esm/auth/browser_recovery.d.ts

@@ -0,0 +1,22 @@
+/** Browser auth recovery classification helpers. */
+/** Stable browser-auth recovery categories for app-owned recovery flows. */
+export type BrowserAuthRecoveryKind = "recoverable_stale_session" | "recoverable_expired_flow" | "recoverable_auth_required" | "policy_denied" | "insufficient_capabilities" | "runtime_unavailable" | "unknown";
+/** Classification result for a browser-auth related failure. */
+export type BrowserAuthRecoveryClassification = {
+    kind: BrowserAuthRecoveryKind;
+    recoverable: boolean;
+    reason?: string;
+    code?: string;
+};
+/**
+ * Classifies browser auth, bootstrap, callback, and transport-like failures.
+ *
+ * The classifier accepts raw errors, serialized Trellis errors, nested causes,
+ * and nested remote errors. Recoverable classifications are intended for
+ * app-owned flows that can clear stale auth and restart sign-in without showing a
+ * user-facing terminal error.
+ */
+export declare function classifyBrowserAuthError(error: unknown): BrowserAuthRecoveryClassification;
+/** Returns whether a browser auth error can silently restart sign-in. */
+export declare function isRecoverableBrowserAuthError(error: unknown): boolean;
+//# sourceMappingURL=browser_recovery.d.ts.map

package/esm/auth/browser_recovery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser_recovery.d.ts","sourceRoot":"","sources":["../../src/auth/browser_recovery.ts"],"names":[],"mappings":"AAAA,oDAAoD;AAEpD,4EAA4E;AAC5E,MAAM,MAAM,uBAAuB,GAC/B,2BAA2B,GAC3B,0BAA0B,GAC1B,2BAA2B,GAC3B,eAAe,GACf,2BAA2B,GAC3B,qBAAqB,GACrB,SAAS,CAAC;AAEd,gEAAgE;AAChE,MAAM,MAAM,iCAAiC,GAAG;IAC9C,IAAI,EAAE,uBAAuB,CAAC;IAC9B,WAAW,EAAE,OAAO,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAsNF;;;;;;;GAOG;AACH,wBAAgB,wBAAwB,CACtC,KAAK,EAAE,OAAO,GACb,iCAAiC,CAuEnC;AAED,yEAAyE;AACzE,wBAAgB,6BAA6B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAErE"}

package/esm/auth/browser_recovery.js

@@ -0,0 +1,238 @@
+/** Browser auth recovery classification helpers. */
+const MAX_ERROR_DEPTH = 8;
+function isRecord(value) {
+    return value !== null && typeof value === "object";
+}
+function stringProperty(record, property) {
+    const value = record[property];
+    return typeof value === "string" ? value : undefined;
+}
+function normalize(value) {
+    return value.trim().toLowerCase().replaceAll("-", "_").replaceAll(" ", "_");
+}
+function signalValue(signal) {
+    return signal.code ?? signal.reason ?? signal.message;
+}
+function classification(kind, recoverable, signal) {
+    const reason = signal?.reason ?? signalValue(signal ?? {});
+    return {
+        kind,
+        recoverable,
+        ...(reason ? { reason } : {}),
+        ...(signal?.code ? { code: signal.code } : {}),
+    };
+}
+function maybeSerializable(value) {
+    if (!isRecord(value))
+        return undefined;
+    const toSerializable = value.toSerializable;
+    if (typeof toSerializable !== "function")
+        return undefined;
+    try {
+        return toSerializable.call(value);
+    }
+    catch {
+        return undefined;
+    }
+}
+function pushRecordSignals(record, signals, queue) {
+    const message = stringProperty(record, "message");
+    const code = stringProperty(record, "code") ??
+        stringProperty(record, "error");
+    const reason = stringProperty(record, "reason") ??
+        stringProperty(record, "status");
+    if (message || code || reason) {
+        signals.push({
+            ...(code ? { code } : {}),
+            ...(reason ? { reason } : {}),
+            ...(message ? { message } : {}),
+        });
+    }
+    const context = record.context;
+    if (isRecord(context)) {
+        const contextReason = stringProperty(context, "reason");
+        const causeMessage = stringProperty(context, "causeMessage");
+        const contextCode = stringProperty(context, "code");
+        const contextMessage = stringProperty(context, "message");
+        if (contextReason || causeMessage || contextCode || contextMessage) {
+            signals.push({
+                ...(contextCode ? { code: contextCode } : {}),
+                ...(contextReason ? { reason: contextReason } : {}),
+                ...(causeMessage ?? contextMessage
+                    ? { message: causeMessage ?? contextMessage }
+                    : {}),
+            });
+        }
+        for (const nested of [context.cause, context.error, context.remoteError]) {
+            if (nested !== undefined)
+                queue.push(nested);
+        }
+    }
+    for (const nested of [record.cause, record.error, record.remoteError]) {
+        if (nested !== undefined)
+            queue.push(nested);
+    }
+}
+function collectErrorSignals(error) {
+    const signals = [];
+    const queue = [error];
+    const seen = new WeakSet();
+    let depth = 0;
+    while (queue.length > 0 && depth < MAX_ERROR_DEPTH) {
+        depth += 1;
+        const value = queue.shift();
+        if (typeof value === "string") {
+            signals.push({ message: value });
+            continue;
+        }
+        if (!isRecord(value))
+            continue;
+        if (seen.has(value))
+            continue;
+        seen.add(value);
+        if (value instanceof Error) {
+            signals.push({ message: value.message });
+        }
+        pushRecordSignals(value, signals, queue);
+        const serialized = maybeSerializable(value);
+        if (serialized && serialized !== value)
+            queue.push(serialized);
+    }
+    return signals;
+}
+function hasNormalizedValue(signals, values) {
+    for (const signal of signals) {
+        for (const value of [signal.code, signal.reason]) {
+            if (value && values.has(normalize(value)))
+                return signal;
+        }
+    }
+    return undefined;
+}
+function hasMessagePattern(signals, patterns) {
+    for (const signal of signals) {
+        const message = signal.message;
+        if (!message)
+            continue;
+        const normalized = message.toLowerCase();
+        if (patterns.some((pattern) => pattern.test(normalized)))
+            return signal;
+    }
+    return undefined;
+}
+function insufficientPermissionsAuthSignal(signals) {
+    for (const signal of signals) {
+        const reason = signal.reason ? normalize(signal.reason) : undefined;
+        const code = signal.code ? normalize(signal.code) : undefined;
+        if (reason !== "insufficient_permissions")
+            continue;
+        if (code === "trellis.bootstrap.auth_required")
+            return signal;
+        const message = signal.message?.toLowerCase() ?? "";
+        if (message.includes("auth required") ||
+            message.includes("requires sign-in") ||
+            message.includes("requires signin") ||
+            message.includes("stale") ||
+            message.includes("session")) {
+            return signal;
+        }
+    }
+    return undefined;
+}
+const APPROVAL_DENIED_VALUES = new Set([
+    "approval_denied",
+    "trellis.auth.approval_denied",
+]);
+const INSUFFICIENT_CAPABILITIES_VALUES = new Set([
+    "insufficient_capabilities",
+    "trellis.auth.insufficient_capabilities",
+]);
+const RUNTIME_UNAVAILABLE_VALUES = new Set([
+    "trellis.bootstrap.not_ready",
+    "trellis.runtime.unavailable",
+    "runtime_unavailable",
+]);
+const EXPIRED_FLOW_VALUES = new Set([
+    "flow_expired",
+    "expired",
+    "trellis.auth.bind_expired",
+    "trellis.auth.flow_expired",
+]);
+const STALE_SESSION_VALUES = new Set([
+    "session_not_found",
+    "session_expired",
+    "user_not_found",
+    "contract_not_active",
+    "trellis.auth.session_not_found",
+    "trellis.auth.session_expired",
+    "trellis.auth.user_not_found",
+    "trellis.auth.contract_not_active",
+]);
+const AUTH_REQUIRED_VALUES = new Set([
+    "auth_required",
+    "trellis.bootstrap.auth_required",
+    "trellis.auth.login_failed",
+]);
+/**
+ * Classifies browser auth, bootstrap, callback, and transport-like failures.
+ *
+ * The classifier accepts raw errors, serialized Trellis errors, nested causes,
+ * and nested remote errors. Recoverable classifications are intended for
+ * app-owned flows that can clear stale auth and restart sign-in without showing a
+ * user-facing terminal error.
+ */
+export function classifyBrowserAuthError(error) {
+    const signals = collectErrorSignals(error);
+    const approvalDenied = hasNormalizedValue(signals, APPROVAL_DENIED_VALUES) ??
+        hasMessagePattern(signals, [/approval .*denied/, /access .*denied/]);
+    if (approvalDenied) {
+        return classification("policy_denied", false, approvalDenied);
+    }
+    const inactiveOrInvalid = hasNormalizedValue(signals, new Set(["invalid_credentials", "user_inactive", "inactive_account"])) ?? hasMessagePattern(signals, [
+        /invalid credential/,
+        /inactive account/,
+        /user inactive/,
+    ]);
+    if (inactiveOrInvalid) {
+        return classification("policy_denied", false, inactiveOrInvalid);
+    }
+    const insufficientCapabilities = hasNormalizedValue(signals, INSUFFICIENT_CAPABILITIES_VALUES) ?? hasMessagePattern(signals, [/insufficient capabilit/]);
+    if (insufficientCapabilities) {
+        return classification("insufficient_capabilities", false, insufficientCapabilities);
+    }
+    const runtimeUnavailable = hasNormalizedValue(signals, RUNTIME_UNAVAILABLE_VALUES) ?? hasMessagePattern(signals, [/runtime unavailable/]);
+    if (runtimeUnavailable) {
+        return classification("runtime_unavailable", false, runtimeUnavailable);
+    }
+    const expiredFlow = hasNormalizedValue(signals, EXPIRED_FLOW_VALUES) ??
+        hasMessagePattern(signals, [/flow .*expired/, /sign\-in .*expired/]);
+    if (expiredFlow) {
+        return classification("recoverable_expired_flow", true, expiredFlow);
+    }
+    const staleSession = hasNormalizedValue(signals, STALE_SESSION_VALUES) ??
+        hasMessagePattern(signals, [
+            /session .*expired/,
+            /session .*not found/,
+            /user .*not found/,
+            /contract .*not active/,
+        ]);
+    if (staleSession) {
+        return classification("recoverable_stale_session", true, staleSession);
+    }
+    const authRequired = hasNormalizedValue(signals, AUTH_REQUIRED_VALUES) ??
+        insufficientPermissionsAuthSignal(signals) ??
+        hasMessagePattern(signals, [
+            /auth required/,
+            /requires sign\-in/,
+            /requires signin/,
+            /requires authentication/,
+        ]);
+    if (authRequired) {
+        return classification("recoverable_auth_required", true, authRequired);
+    }
+    return classification("unknown", false);
+}
+/** Returns whether a browser auth error can silently restart sign-in. */
+export function isRecoverableBrowserAuthError(error) {
+    return classifyBrowserAuthError(error).recoverable;
+}

package/esm/auth/mod.d.ts

@@ -8,9 +8,9 @@
  * - Services load their session key seed from `TRELLIS_SESSION_KEY_SEED`.
  */
 export { type AuthDeviceUserAuthoritiesListInput, type AuthDeviceUserAuthoritiesListOutput, type AuthDeviceUserAuthoritiesRevokeInput, type AuthDeviceUserAuthoritiesRevokeResponse, type AuthResolveDeviceUserAuthoritiesInput, type AuthResolveDeviceUserAuthoritiesOperation, type AuthResolveDeviceUserAuthoritiesOutput, type AuthResolveDeviceUserAuthoritiesProgress, buildDeviceActivationPayload, buildDeviceWaitProofInput, createDeviceActivationClient, createDeviceNatsAuthToken, deriveDeviceConfirmationCode, deriveDeviceIdentity, deriveDeviceQrMac, type DeviceActivationPayload, type DeviceActivationTransport, type DeviceActivationWaitRequest, type DeviceIdentity, encodeDeviceActivationPayload, getDeviceConnectInfo, type GetDeviceConnectInfoInput, type GetDeviceConnectInfoOutput, parseDeviceActivationPayload, signDeviceWaitRequest, startDeviceActivationRequest, verifyDeviceConfirmationCode, verifyDeviceWaitSignature, waitForDeviceActivation, type WaitForDeviceActivationResponse, } from "./device_activation.js";
-export { type AuthConfig, bindFlow, buildLoginUrl, clearSessionKey, createRpcProof, fetchPortalFlowState, generateSessionKey, getOrCreateSessionKey, getPublicSessionKey, hasSessionKey, isBindSuccessResponse, loadSessionKey, natsConnectSigForIat, portalFlowIdFromUrl, portalProviderLoginUrl, portalRedirectLocation, type SessionKeyHandle, type SessionKeyOptions, type SessionKeyPersistenceMode, signBytes, startAuthRequest, submitPortalApproval, } from "./browser.js";
+export { type AuthConfig, bindFlow, type BrowserAuthRecoveryClassification, type BrowserAuthRecoveryKind, buildLoginUrl, classifyBrowserAuthError, clearSessionKey, createRpcProof, fetchPortalFlowState, generateSessionKey, getOrCreateSessionKey, getPublicSessionKey, hasSessionKey, isBindSuccessResponse, isRecoverableBrowserAuthError, loadSessionKey, natsConnectSigForIat, portalFlowIdFromUrl, portalProviderLoginUrl, portalRedirectLocation, type SessionKeyHandle, type SessionKeyOptions, type SessionKeyPersistenceMode, signBytes, startAuthRequest, submitPortalApproval, } from "./browser.js";
 export { buildProofInput, createProof, type ProofParams, verifyProof, } from "./proof.js";
-export { ApprovalRecordViewSchema, AuthCapabilitiesListResponseSchema, AuthCapabilitiesListSchema, AuthCapabilityGroupsDeleteResponseSchema, AuthCapabilityGroupsDeleteSchema, AuthCapabilityGroupsGetResponseSchema, AuthCapabilityGroupsGetSchema, AuthCapabilityGroupsListResponseSchema, AuthCapabilityGroupsListSchema, AuthCapabilityGroupsPutResponseSchema, AuthCapabilityGroupsPutSchema, type AuthDeployment, type AuthDeploymentAuthorityAcceptMigrationInput, AuthDeploymentAuthorityAcceptMigrationSchema, type AuthDeploymentAuthorityAcceptResponse, AuthDeploymentAuthorityAcceptResponseSchema, type AuthDeploymentAuthorityAcceptUpdateInput, AuthDeploymentAuthorityAcceptUpdateSchema, type AuthDeploymentAuthorityGetInput, type AuthDeploymentAuthorityGetResponse, AuthDeploymentAuthorityGetResponseSchema, AuthDeploymentAuthorityGetSchema, type AuthDeploymentAuthorityGrantOverridesListInput, type AuthDeploymentAuthorityGrantOverridesListResponse, AuthDeploymentAuthorityGrantOverridesListResponseSchema, AuthDeploymentAuthorityGrantOverridesListSchema, type AuthDeploymentAuthorityGrantOverridesPutInput, AuthDeploymentAuthorityGrantOverridesPutSchema, type AuthDeploymentAuthorityGrantOverridesRemoveInput, AuthDeploymentAuthorityGrantOverridesRemoveSchema, type AuthDeploymentAuthorityGrantOverridesResponse, AuthDeploymentAuthorityGrantOverridesResponseSchema, type AuthDeploymentAuthorityListInput, type AuthDeploymentAuthorityListResponse, AuthDeploymentAuthorityListResponseSchema, AuthDeploymentAuthorityListSchema, type AuthDeploymentAuthorityPlanInput, type AuthDeploymentAuthorityPlanResponse, AuthDeploymentAuthorityPlanResponseSchema, AuthDeploymentAuthorityPlanSchema, type AuthDeploymentAuthorityPlansGetInput, type AuthDeploymentAuthorityPlansGetResponse, AuthDeploymentAuthorityPlansGetResponseSchema, AuthDeploymentAuthorityPlansGetSchema, type AuthDeploymentAuthorityPlansListInput, type AuthDeploymentAuthorityPlansListResponse, AuthDeploymentAuthorityPlansListResponseSchema, AuthDeploymentAuthorityPlansListSchema, type AuthDeploymentAuthorityReconcileInput, type AuthDeploymentAuthorityReconcileResponse, AuthDeploymentAuthorityReconcileResponseSchema, AuthDeploymentAuthorityReconcileSchema, type AuthDeploymentAuthorityRejectInput, type AuthDeploymentAuthorityRejectResponse, AuthDeploymentAuthorityRejectResponseSchema, AuthDeploymentAuthorityRejectSchema, type AuthDeploymentKind, AuthDeploymentKindSchema, AuthDeploymentSchema, AuthDeploymentsCreateResponseSchema, AuthDeploymentsCreateSchema, AuthDeploymentsDisableResponseSchema, AuthDeploymentsDisableSchema, AuthDeploymentsEnableResponseSchema, AuthDeploymentsEnableSchema, AuthDeploymentsListResponseSchema, AuthDeploymentsListSchema, AuthDeploymentsRemoveResponseSchema, AuthDeploymentsRemoveSchema, AuthDevicesConnectInfoGetResponseSchema, AuthDevicesConnectInfoGetSchema, AuthDevicesDisableResponseSchema, AuthDevicesDisableSchema, AuthDevicesEnableResponseSchema, AuthDevicesEnableSchema, AuthDevicesListResponseSchema, AuthDevicesListSchema, AuthDevicesProvisionResponseSchema, AuthDevicesProvisionSchema, AuthDevicesRemoveResponseSchema, AuthDevicesRemoveSchema, AuthDeviceUserAuthoritiesApprovedEventSchema, AuthDeviceUserAuthoritiesListResponseSchema, AuthDeviceUserAuthoritiesListSchema, AuthDeviceUserAuthoritiesRequestedEventSchema, AuthDeviceUserAuthoritiesResolvedEventSchema, AuthDeviceUserAuthoritiesReviewRequestedEventSchema, AuthDeviceUserAuthoritiesReviewsDecideResponseSchema, AuthDeviceUserAuthoritiesReviewsDecideSchema, AuthDeviceUserAuthoritiesReviewsListResponseSchema, AuthDeviceUserAuthoritiesReviewsListSchema, AuthDeviceUserAuthoritiesRevokeResponseSchema, AuthDeviceUserAuthoritiesRevokeSchema, type AuthenticatedDevice, AuthenticatedDeviceSchema, type AuthenticatedService, type AuthenticatedUser, AuthIdentitiesListResponseSchema, AuthIdentitiesListSchema, AuthIdentityGrantsListResponseSchema, AuthIdentityGrantsListSchema, AuthIdentityGrantsRevokeResponseSchema, AuthIdentityGrantsRevokeSchema, AuthPortalsGetResponseSchema, AuthPortalsGetSchema, AuthPortalsListResponseSchema, AuthPortalsListSchema, AuthPortalsLoginSettingsGetSchema, AuthPortalsLoginSettingsResponseSchema, AuthPortalsLoginSettingsUpdateSchema, AuthPortalsRoutesPutResponseSchema, AuthPortalsRoutesPutSchema, AuthPortalsRoutesRemoveResponseSchema, AuthPortalsRoutesRemoveSchema, AuthRequestsValidateResponseSchema, AuthRequestsValidateSchema, AuthResolveDeviceUserAuthoritiesProgressSchema, AuthResolveDeviceUserAuthoritiesResponseSchema, AuthResolveDeviceUserAuthoritiesSchema, AuthServiceInstancesDisableResponseSchema, AuthServiceInstancesDisableSchema, AuthServiceInstancesEnableResponseSchema, AuthServiceInstancesEnableSchema, AuthServiceInstancesListResponseSchema, AuthServiceInstancesListSchema, AuthServiceInstancesProvisionResponseSchema, AuthServiceInstancesProvisionSchema, AuthServiceInstancesRemoveResponseSchema, AuthServiceInstancesRemoveSchema, type AuthSessionsMeResponse, AuthSessionsMeResponseSchema, AuthSessionsMeSchema, AuthUserIdentitiesListResponseSchema, AuthUserIdentitiesListSchema, AuthUserIdentitiesUnlinkResponseSchema, AuthUserIdentitiesUnlinkSchema, AuthUsersAccountFlowCreateResponseSchema, AuthUsersCreateResponseSchema, AuthUsersCreateSchema, AuthUsersGetResponseSchema, AuthUsersGetSchema, AuthUsersIdentityLinkCreateSchema, AuthUsersListResponseSchema, AuthUsersListSchema, AuthUsersPasswordChangeResponseSchema, AuthUsersPasswordChangeSchema, AuthUsersPasswordResetCreateSchema, AuthUsersUpdateResponseSchema, AuthUsersUpdateSchema, CallerViewSchema, ContractAnalysisSchema, ContractAnalysisSummarySchema, type DeploymentAuthority, type DeploymentAuthorityCapability, DeploymentAuthorityCapabilitySchema, type DeploymentAuthorityGrantOverride, DeploymentAuthorityGrantOverrideSchema, type DeploymentAuthorityKind, DeploymentAuthorityKindSchema, type DeploymentAuthorityMaterialization, DeploymentAuthorityMaterializationSchema, type DeploymentAuthorityMigration, DeploymentAuthorityMigrationSchema, type DeploymentAuthorityNeed, DeploymentAuthorityNeedSchema, type DeploymentAuthorityPlan, DeploymentAuthorityPlanSchema, type DeploymentAuthorityProposal, DeploymentAuthorityProposalSchema, type DeploymentAuthorityReconciliationStatus, DeploymentAuthorityReconciliationStatusSchema, type DeploymentAuthorityResource, DeploymentAuthorityResourceKindSchema, DeploymentAuthorityResourceSchema, DeploymentAuthoritySchema, type DeploymentAuthoritySurface, DeploymentAuthoritySurfaceActionSchema, DeploymentAuthoritySurfaceKindSchema, DeploymentAuthoritySurfaceSchema, type DeploymentAuthorityUpdate, DeploymentAuthorityUpdateSchema, DeploymentPortalRouteSchema, DeploymentResourceBindingSchema, type DeviceActivationRecord, DeviceActivationRecordSchema, DeviceActivationReviewSchema, DeviceConnectInfoSchema, DeviceDeploymentSchema, DeviceSchema, DigestSchema, type FlowRegistrationAvailability, FlowRegistrationAvailabilitySchema, IdentityGrantViewSchema, ImplementationOfferSchema, type LoginPortalRecord, LoginPortalRecordSchema, type LoginPortalRoute, LoginPortalRouteSchema, type LoginPortalSettings, LoginPortalSettingsSchema, type LoginPortalSummary, LoginPortalSummarySchema, OpenObjectSchema, type ParticipantKind, ParticipantKindSchema, type PortalFlowApp, type PortalFlowApproval, type PortalFlowApprovalDeniedState, type PortalFlowApprovalRequiredState, type PortalFlowChooseProviderState, type PortalFlowExpiredState, type PortalFlowInsufficientCapabilitiesState, type PortalFlowProvider, type PortalFlowRedirectState, type PortalFlowState, PortalFlowStateSchema, type PortalFlowUser, ServiceDeploymentSchema, ServiceInstanceSchema, UserViewSchema, WaitForDeviceActivationRequestSchema, WaitForDeviceActivationResponseSchema, } from "./protocol.js";
+export { ApprovalRecordViewSchema, AuthCapabilitiesListResponseSchema, AuthCapabilitiesListSchema, AuthCapabilityGroupsDeleteResponseSchema, AuthCapabilityGroupsDeleteSchema, AuthCapabilityGroupsGetResponseSchema, AuthCapabilityGroupsGetSchema, AuthCapabilityGroupsListResponseSchema, AuthCapabilityGroupsListSchema, AuthCapabilityGroupsPutResponseSchema, AuthCapabilityGroupsPutSchema, type AuthDeployment, type AuthDeploymentAuthorityAcceptMigrationInput, AuthDeploymentAuthorityAcceptMigrationSchema, type AuthDeploymentAuthorityAcceptResponse, AuthDeploymentAuthorityAcceptResponseSchema, type AuthDeploymentAuthorityAcceptUpdateInput, AuthDeploymentAuthorityAcceptUpdateSchema, type AuthDeploymentAuthorityGetInput, type AuthDeploymentAuthorityGetResponse, AuthDeploymentAuthorityGetResponseSchema, AuthDeploymentAuthorityGetSchema, type AuthDeploymentAuthorityGrantOverridesListInput, type AuthDeploymentAuthorityGrantOverridesListResponse, AuthDeploymentAuthorityGrantOverridesListResponseSchema, AuthDeploymentAuthorityGrantOverridesListSchema, type AuthDeploymentAuthorityGrantOverridesPutInput, AuthDeploymentAuthorityGrantOverridesPutSchema, type AuthDeploymentAuthorityGrantOverridesRemoveInput, AuthDeploymentAuthorityGrantOverridesRemoveSchema, type AuthDeploymentAuthorityGrantOverridesResponse, AuthDeploymentAuthorityGrantOverridesResponseSchema, type AuthDeploymentAuthorityListInput, type AuthDeploymentAuthorityListResponse, AuthDeploymentAuthorityListResponseSchema, AuthDeploymentAuthorityListSchema, type AuthDeploymentAuthorityPlanInput, type AuthDeploymentAuthorityPlanResponse, AuthDeploymentAuthorityPlanResponseSchema, AuthDeploymentAuthorityPlanSchema, type AuthDeploymentAuthorityPlansGetInput, type AuthDeploymentAuthorityPlansGetResponse, AuthDeploymentAuthorityPlansGetResponseSchema, AuthDeploymentAuthorityPlansGetSchema, type AuthDeploymentAuthorityPlansListInput, type AuthDeploymentAuthorityPlansListResponse, AuthDeploymentAuthorityPlansListResponseSchema, AuthDeploymentAuthorityPlansListSchema, type AuthDeploymentAuthorityReconcileInput, type AuthDeploymentAuthorityReconcileResponse, AuthDeploymentAuthorityReconcileResponseSchema, AuthDeploymentAuthorityReconcileSchema, type AuthDeploymentAuthorityRejectInput, type AuthDeploymentAuthorityRejectResponse, AuthDeploymentAuthorityRejectResponseSchema, AuthDeploymentAuthorityRejectSchema, type AuthDeploymentKind, AuthDeploymentKindSchema, AuthDeploymentSchema, AuthDeploymentsCreateResponseSchema, AuthDeploymentsCreateSchema, AuthDeploymentsDisableResponseSchema, AuthDeploymentsDisableSchema, AuthDeploymentsEnableResponseSchema, AuthDeploymentsEnableSchema, AuthDeploymentsListResponseSchema, AuthDeploymentsListSchema, AuthDeploymentsRemoveResponseSchema, AuthDeploymentsRemoveSchema, AuthDevicesConnectInfoGetResponseSchema, AuthDevicesConnectInfoGetSchema, AuthDevicesDisableResponseSchema, AuthDevicesDisableSchema, AuthDevicesEnableResponseSchema, AuthDevicesEnableSchema, AuthDevicesListResponseSchema, AuthDevicesListSchema, AuthDevicesProvisionResponseSchema, AuthDevicesProvisionSchema, AuthDevicesRemoveResponseSchema, AuthDevicesRemoveSchema, AuthDeviceUserAuthoritiesApprovedEventSchema, AuthDeviceUserAuthoritiesListResponseSchema, AuthDeviceUserAuthoritiesListSchema, AuthDeviceUserAuthoritiesRequestedEventSchema, AuthDeviceUserAuthoritiesResolvedEventSchema, AuthDeviceUserAuthoritiesReviewRequestedEventSchema, AuthDeviceUserAuthoritiesReviewsDecideResponseSchema, AuthDeviceUserAuthoritiesReviewsDecideSchema, AuthDeviceUserAuthoritiesReviewsListResponseSchema, AuthDeviceUserAuthoritiesReviewsListSchema, AuthDeviceUserAuthoritiesRevokeResponseSchema, AuthDeviceUserAuthoritiesRevokeSchema, type AuthenticatedDevice, AuthenticatedDeviceSchema, type AuthenticatedService, type AuthenticatedUser, AuthIdentitiesListResponseSchema, AuthIdentitiesListSchema, AuthIdentityGrantsListResponseSchema, AuthIdentityGrantsListSchema, AuthIdentityGrantsRevokeResponseSchema, AuthIdentityGrantsRevokeSchema, AuthPortalsGetResponseSchema, AuthPortalsGetSchema, AuthPortalsListResponseSchema, AuthPortalsListSchema, AuthPortalsLoginSettingsGetSchema, AuthPortalsLoginSettingsResponseSchema, AuthPortalsLoginSettingsUpdateSchema, AuthPortalsRoutesPutResponseSchema, AuthPortalsRoutesPutSchema, AuthPortalsRoutesRemoveResponseSchema, AuthPortalsRoutesRemoveSchema, AuthRequestsValidateResponseSchema, AuthRequestsValidateSchema, AuthResolveDeviceUserAuthoritiesProgressSchema, AuthResolveDeviceUserAuthoritiesResponseSchema, AuthResolveDeviceUserAuthoritiesSchema, AuthServiceInstancesDisableResponseSchema, AuthServiceInstancesDisableSchema, AuthServiceInstancesEnableResponseSchema, AuthServiceInstancesEnableSchema, AuthServiceInstancesListResponseSchema, AuthServiceInstancesListSchema, AuthServiceInstancesProvisionResponseSchema, AuthServiceInstancesProvisionSchema, AuthServiceInstancesRemoveResponseSchema, AuthServiceInstancesRemoveSchema, type AuthSessionsMeResponse, AuthSessionsMeResponseSchema, AuthSessionsMeSchema, AuthUserIdentitiesListResponseSchema, AuthUserIdentitiesListSchema, AuthUserIdentitiesUnlinkResponseSchema, AuthUserIdentitiesUnlinkSchema, AuthUsersAccountFlowCreateResponseSchema, AuthUsersCreateResponseSchema, AuthUsersCreateSchema, AuthUsersGetResponseSchema, AuthUsersGetSchema, AuthUsersIdentityLinkCreateSchema, AuthUsersListResponseSchema, AuthUsersListSchema, AuthUsersPasswordChangeResponseSchema, AuthUsersPasswordChangeSchema, AuthUsersPasswordResetCreateSchema, AuthUsersUpdateResponseSchema, AuthUsersUpdateSchema, CallerViewSchema, ContractAnalysisSchema, ContractAnalysisSummarySchema, type DeploymentAuthority, type DeploymentAuthorityCapability, type DeploymentAuthorityCapabilityNeed, DeploymentAuthorityCapabilityNeedSchema, DeploymentAuthorityCapabilitySchema, type DeploymentAuthorityContractNeed, DeploymentAuthorityContractNeedSchema, type DeploymentAuthorityGrantOverride, DeploymentAuthorityGrantOverrideSchema, type DeploymentAuthorityKind, DeploymentAuthorityKindSchema, type DeploymentAuthorityMaterialization, DeploymentAuthorityMaterializationSchema, type DeploymentAuthorityMigration, DeploymentAuthorityMigrationSchema, type DeploymentAuthorityNeeds, DeploymentAuthorityNeedsSchema, type DeploymentAuthorityPlan, DeploymentAuthorityPlanSchema, type DeploymentAuthorityProposal, DeploymentAuthorityProposalSchema, type DeploymentAuthorityReconciliationStatus, DeploymentAuthorityReconciliationStatusSchema, type DeploymentAuthorityResource, DeploymentAuthorityResourceKindSchema, type DeploymentAuthorityResourceNeed, DeploymentAuthorityResourceNeedSchema, DeploymentAuthorityResourceSchema, DeploymentAuthoritySchema, type DeploymentAuthoritySurface, DeploymentAuthoritySurfaceActionSchema, DeploymentAuthoritySurfaceKindSchema, type DeploymentAuthoritySurfaceNeed, DeploymentAuthoritySurfaceNeedSchema, DeploymentAuthoritySurfaceSchema, type DeploymentAuthorityUpdate, DeploymentAuthorityUpdateSchema, DeploymentPortalRouteSchema, DeploymentResourceBindingSchema, type DeviceActivationRecord, DeviceActivationRecordSchema, DeviceActivationReviewSchema, DeviceConnectInfoSchema, DeviceDeploymentSchema, DeviceSchema, DigestSchema, type FlowRegistrationAvailability, FlowRegistrationAvailabilitySchema, IdentityGrantViewSchema, ImplementationOfferSchema, type LoginPortalRecord, LoginPortalRecordSchema, type LoginPortalRoute, LoginPortalRouteSchema, type LoginPortalSettings, LoginPortalSettingsSchema, type LoginPortalSummary, LoginPortalSummarySchema, type MaterializedAuthorityCapabilityGrant, MaterializedAuthorityCapabilityGrantSchema, type MaterializedAuthorityGrant, type MaterializedAuthorityGrants, MaterializedAuthorityGrantsSchema, type MaterializedAuthorityNatsGrant, MaterializedAuthorityNatsGrantSchema, type MaterializedAuthorityNatsGrantSource, MaterializedAuthorityNatsGrantSourceSchema, type MaterializedAuthoritySurfaceGrant, MaterializedAuthoritySurfaceGrantSchema, OpenObjectSchema, type ParticipantKind, ParticipantKindSchema, type PortalFlowApp, type PortalFlowApproval, type PortalFlowApprovalDeniedState, type PortalFlowApprovalRequiredState, type PortalFlowChooseProviderState, type PortalFlowExpiredState, type PortalFlowInsufficientCapabilitiesState, type PortalFlowProvider, type PortalFlowRedirectState, type PortalFlowState, PortalFlowStateSchema, type PortalFlowUser, ServiceDeploymentSchema, ServiceInstanceSchema, UserViewSchema, WaitForDeviceActivationRequestSchema, WaitForDeviceActivationResponseSchema, } from "./protocol.js";
 export { approvalCapabilityKeys, type ApprovalDecision, ApprovalDecisionSchema, type AuthStartFlowResponse, AuthStartFlowResponseSchema, type AuthStartRequest, AuthStartRequestSchema, type AuthStartResponse, AuthStartResponseSchema, type BindResponse, BindResponseSchema, type BindSuccessResponse, BindSuccessResponseSchema, type ClientTransportEndpoints, ClientTransportEndpointsSchema, type ClientTransports, ClientTransportsSchema, type ContractApproval, type ContractApprovalCapability, ContractApprovalSchema, type NatsAuthTokenV1, NatsAuthTokenV1Schema, type SentinelCreds, SentinelCredsSchema, type UserParticipantKind, UserParticipantKindSchema, } from "./schemas.js";
 export { buildNatsConnectSignaturePayload, createAuth, type NatsConnectOptions, type TrellisAuth, } from "./session_auth.js";
 export { correctedIatSeconds, estimateMidpointClockOffsetMs } from "./time.js";

package/esm/auth/mod.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../src/auth/mod.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EACL,KAAK,kCAAkC,EACvC,KAAK,mCAAmC,EACxC,KAAK,oCAAoC,EACzC,KAAK,uCAAuC,EAC5C,KAAK,qCAAqC,EAC1C,KAAK,yCAAyC,EAC9C,KAAK,sCAAsC,EAC3C,KAAK,wCAAwC,EAC7C,4BAA4B,EAC5B,yBAAyB,EACzB,4BAA4B,EAC5B,yBAAyB,EACzB,4BAA4B,EAC5B,oBAAoB,EACpB,iBAAiB,EACjB,KAAK,uBAAuB,EAC5B,KAAK,yBAAyB,EAC9B,KAAK,2BAA2B,EAChC,KAAK,cAAc,EACnB,6BAA6B,EAC7B,oBAAoB,EACpB,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,EAC/B,4BAA4B,EAC5B,qBAAqB,EACrB,4BAA4B,EAC5B,4BAA4B,EAC5B,yBAAyB,EACzB,uBAAuB,EACvB,KAAK,+BAA+B,GACrC,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,KAAK,UAAU,EACf,QAAQ,EACR,aAAa,EACb,eAAe,EACf,cAAc,EACd,oBAAoB,EACpB,kBAAkB,EAClB,qBAAqB,EACrB,mBAAmB,EACnB,aAAa,EACb,qBAAqB,EACrB,cAAc,EACd,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,sBAAsB,EACtB,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,KAAK,yBAAyB,EAC9B,SAAS,EACT,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,eAAe,EACf,WAAW,EACX,KAAK,WAAW,EAChB,WAAW,GACZ,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,wBAAwB,EACxB,kCAAkC,EAClC,0BAA0B,EAC1B,wCAAwC,EACxC,gCAAgC,EAChC,qCAAqC,EACrC,6BAA6B,EAC7B,sCAAsC,EACtC,8BAA8B,EAC9B,qCAAqC,EACrC,6BAA6B,EAC7B,KAAK,cAAc,EACnB,KAAK,2CAA2C,EAChD,4CAA4C,EAC5C,KAAK,qCAAqC,EAC1C,2CAA2C,EAC3C,KAAK,wCAAwC,EAC7C,yCAAyC,EACzC,KAAK,+BAA+B,EACpC,KAAK,kCAAkC,EACvC,wCAAwC,EACxC,gCAAgC,EAChC,KAAK,8CAA8C,EACnD,KAAK,iDAAiD,EACtD,uDAAuD,EACvD,+CAA+C,EAC/C,KAAK,6CAA6C,EAClD,8CAA8C,EAC9C,KAAK,gDAAgD,EACrD,iDAAiD,EACjD,KAAK,6CAA6C,EAClD,mDAAmD,EACnD,KAAK,gCAAgC,EACrC,KAAK,mCAAmC,EACxC,yCAAyC,EACzC,iCAAiC,EACjC,KAAK,gCAAgC,EACrC,KAAK,mCAAmC,EACxC,yCAAyC,EACzC,iCAAiC,EACjC,KAAK,oCAAoC,EACzC,KAAK,uCAAuC,EAC5C,6CAA6C,EAC7C,qCAAqC,EACrC,KAAK,qCAAqC,EAC1C,KAAK,wCAAwC,EAC7C,8CAA8C,EAC9C,sCAAsC,EACtC,KAAK,qCAAqC,EAC1C,KAAK,wCAAwC,EAC7C,8CAA8C,EAC9C,sCAAsC,EACtC,KAAK,kCAAkC,EACvC,KAAK,qCAAqC,EAC1C,2CAA2C,EAC3C,mCAAmC,EACnC,KAAK,kBAAkB,EACvB,wBAAwB,EACxB,oBAAoB,EACpB,mCAAmC,EACnC,2BAA2B,EAC3B,oCAAoC,EACpC,4BAA4B,EAC5B,mCAAmC,EACnC,2BAA2B,EAC3B,iCAAiC,EACjC,yBAAyB,EACzB,mCAAmC,EACnC,2BAA2B,EAC3B,uCAAuC,EACvC,+BAA+B,EAC/B,gCAAgC,EAChC,wBAAwB,EACxB,+BAA+B,EAC/B,uBAAuB,EACvB,6BAA6B,EAC7B,qBAAqB,EACrB,kCAAkC,EAClC,0BAA0B,EAC1B,+BAA+B,EAC/B,uBAAuB,EACvB,4CAA4C,EAC5C,2CAA2C,EAC3C,mCAAmC,EACnC,6CAA6C,EAC7C,4CAA4C,EAC5C,mDAAmD,EACnD,oDAAoD,EACpD,4CAA4C,EAC5C,kDAAkD,EAClD,0CAA0C,EAC1C,6CAA6C,EAC7C,qCAAqC,EACrC,KAAK,mBAAmB,EACxB,yBAAyB,EACzB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,EACtB,gCAAgC,EAChC,wBAAwB,EACxB,oCAAoC,EACpC,4BAA4B,EAC5B,sCAAsC,EACtC,8BAA8B,EAC9B,4BAA4B,EAC5B,oBAAoB,EACpB,6BAA6B,EAC7B,qBAAqB,EACrB,iCAAiC,EACjC,sCAAsC,EACtC,oCAAoC,EACpC,kCAAkC,EAClC,0BAA0B,EAC1B,qCAAqC,EACrC,6BAA6B,EAC7B,kCAAkC,EAClC,0BAA0B,EAC1B,8CAA8C,EAC9C,8CAA8C,EAC9C,sCAAsC,EACtC,yCAAyC,EACzC,iCAAiC,EACjC,wCAAwC,EACxC,gCAAgC,EAChC,sCAAsC,EACtC,8BAA8B,EAC9B,2CAA2C,EAC3C,mCAAmC,EACnC,wCAAwC,EACxC,gCAAgC,EAChC,KAAK,sBAAsB,EAC3B,4BAA4B,EAC5B,oBAAoB,EACpB,oCAAoC,EACpC,4BAA4B,EAC5B,sCAAsC,EACtC,8BAA8B,EAC9B,wCAAwC,EACxC,6BAA6B,EAC7B,qBAAqB,EACrB,0BAA0B,EAC1B,kBAAkB,EAClB,iCAAiC,EACjC,2BAA2B,EAC3B,mBAAmB,EACnB,qCAAqC,EACrC,6BAA6B,EAC7B,kCAAkC,EAClC,6BAA6B,EAC7B,qBAAqB,EACrB,gBAAgB,EAChB,sBAAsB,EACtB,6BAA6B,EAC7B,KAAK,mBAAmB,EACxB,KAAK,6BAA6B,EAClC,mCAAmC,EACnC,KAAK,gCAAgC,EACrC,sCAAsC,EACtC,KAAK,uBAAuB,EAC5B,6BAA6B,EAC7B,KAAK,kCAAkC,EACvC,wCAAwC,EACxC,KAAK,4BAA4B,EACjC,kCAAkC,EAClC,KAAK,uBAAuB,EAC5B,6BAA6B,EAC7B,KAAK,uBAAuB,EAC5B,6BAA6B,EAC7B,KAAK,2BAA2B,EAChC,iCAAiC,EACjC,KAAK,uCAAuC,EAC5C,6CAA6C,EAC7C,KAAK,2BAA2B,EAChC,qCAAqC,EACrC,iCAAiC,EACjC,yBAAyB,EACzB,KAAK,0BAA0B,EAC/B,sCAAsC,EACtC,oCAAoC,EACpC,gCAAgC,EAChC,KAAK,yBAAyB,EAC9B,+BAA+B,EAC/B,2BAA2B,EAC3B,+BAA+B,EAC/B,KAAK,sBAAsB,EAC3B,4BAA4B,EAC5B,4BAA4B,EAC5B,uBAAuB,EACvB,sBAAsB,EACtB,YAAY,EACZ,YAAY,EACZ,KAAK,4BAA4B,EACjC,kCAAkC,EAClC,uBAAuB,EACvB,yBAAyB,EACzB,KAAK,iBAAiB,EACtB,uBAAuB,EACvB,KAAK,gBAAgB,EACrB,sBAAsB,EACtB,KAAK,mBAAmB,EACxB,yBAAyB,EACzB,KAAK,kBAAkB,EACvB,wBAAwB,EACxB,gBAAgB,EAChB,KAAK,eAAe,EACpB,qBAAqB,EACrB,KAAK,aAAa,EAClB,KAAK,kBAAkB,EACvB,KAAK,6BAA6B,EAClC,KAAK,+BAA+B,EACpC,KAAK,6BAA6B,EAClC,KAAK,sBAAsB,EAC3B,KAAK,uCAAuC,EAC5C,KAAK,kBAAkB,EACvB,KAAK,uBAAuB,EAC5B,KAAK,eAAe,EACpB,qBAAqB,EACrB,KAAK,cAAc,EACnB,uBAAuB,EACvB,qBAAqB,EACrB,cAAc,EACd,oCAAoC,EACpC,qCAAqC,GACtC,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,sBAAsB,EACtB,KAAK,gBAAgB,EACrB,sBAAsB,EACtB,KAAK,qBAAqB,EAC1B,2BAA2B,EAC3B,KAAK,gBAAgB,EACrB,sBAAsB,EACtB,KAAK,iBAAiB,EACtB,uBAAuB,EACvB,KAAK,YAAY,EACjB,kBAAkB,EAClB,KAAK,mBAAmB,EACxB,yBAAyB,EACzB,KAAK,wBAAwB,EAC7B,8BAA8B,EAC9B,KAAK,gBAAgB,EACrB,sBAAsB,EACtB,KAAK,gBAAgB,EACrB,KAAK,0BAA0B,EAC/B,sBAAsB,EACtB,KAAK,eAAe,EACpB,qBAAqB,EACrB,KAAK,aAAa,EAClB,mBAAmB,EACnB,KAAK,mBAAmB,EACxB,yBAAyB,GAC1B,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,gCAAgC,EAChC,UAAU,EACV,KAAK,kBAAkB,EACvB,KAAK,WAAW,GACjB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,mBAAmB,EAAE,6BAA6B,EAAE,MAAM,WAAW,CAAC;AAC/E,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,EACL,eAAe,EACf,eAAe,EACf,qBAAqB,EACrB,MAAM,EACN,aAAa,EACb,IAAI,GACL,MAAM,YAAY,CAAC"}
+{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../src/auth/mod.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EACL,KAAK,kCAAkC,EACvC,KAAK,mCAAmC,EACxC,KAAK,oCAAoC,EACzC,KAAK,uCAAuC,EAC5C,KAAK,qCAAqC,EAC1C,KAAK,yCAAyC,EAC9C,KAAK,sCAAsC,EAC3C,KAAK,wCAAwC,EAC7C,4BAA4B,EAC5B,yBAAyB,EACzB,4BAA4B,EAC5B,yBAAyB,EACzB,4BAA4B,EAC5B,oBAAoB,EACpB,iBAAiB,EACjB,KAAK,uBAAuB,EAC5B,KAAK,yBAAyB,EAC9B,KAAK,2BAA2B,EAChC,KAAK,cAAc,EACnB,6BAA6B,EAC7B,oBAAoB,EACpB,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,EAC/B,4BAA4B,EAC5B,qBAAqB,EACrB,4BAA4B,EAC5B,4BAA4B,EAC5B,yBAAyB,EACzB,uBAAuB,EACvB,KAAK,+BAA+B,GACrC,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,KAAK,UAAU,EACf,QAAQ,EACR,KAAK,iCAAiC,EACtC,KAAK,uBAAuB,EAC5B,aAAa,EACb,wBAAwB,EACxB,eAAe,EACf,cAAc,EACd,oBAAoB,EACpB,kBAAkB,EAClB,qBAAqB,EACrB,mBAAmB,EACnB,aAAa,EACb,qBAAqB,EACrB,6BAA6B,EAC7B,cAAc,EACd,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,sBAAsB,EACtB,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,KAAK,yBAAyB,EAC9B,SAAS,EACT,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,eAAe,EACf,WAAW,EACX,KAAK,WAAW,EAChB,WAAW,GACZ,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,wBAAwB,EACxB,kCAAkC,EAClC,0BAA0B,EAC1B,wCAAwC,EACxC,gCAAgC,EAChC,qCAAqC,EACrC,6BAA6B,EAC7B,sCAAsC,EACtC,8BAA8B,EAC9B,qCAAqC,EACrC,6BAA6B,EAC7B,KAAK,cAAc,EACnB,KAAK,2CAA2C,EAChD,4CAA4C,EAC5C,KAAK,qCAAqC,EAC1C,2CAA2C,EAC3C,KAAK,wCAAwC,EAC7C,yCAAyC,EACzC,KAAK,+BAA+B,EACpC,KAAK,kCAAkC,EACvC,wCAAwC,EACxC,gCAAgC,EAChC,KAAK,8CAA8C,EACnD,KAAK,iDAAiD,EACtD,uDAAuD,EACvD,+CAA+C,EAC/C,KAAK,6CAA6C,EAClD,8CAA8C,EAC9C,KAAK,gDAAgD,EACrD,iDAAiD,EACjD,KAAK,6CAA6C,EAClD,mDAAmD,EACnD,KAAK,gCAAgC,EACrC,KAAK,mCAAmC,EACxC,yCAAyC,EACzC,iCAAiC,EACjC,KAAK,gCAAgC,EACrC,KAAK,mCAAmC,EACxC,yCAAyC,EACzC,iCAAiC,EACjC,KAAK,oCAAoC,EACzC,KAAK,uCAAuC,EAC5C,6CAA6C,EAC7C,qCAAqC,EACrC,KAAK,qCAAqC,EAC1C,KAAK,wCAAwC,EAC7C,8CAA8C,EAC9C,sCAAsC,EACtC,KAAK,qCAAqC,EAC1C,KAAK,wCAAwC,EAC7C,8CAA8C,EAC9C,sCAAsC,EACtC,KAAK,kCAAkC,EACvC,KAAK,qCAAqC,EAC1C,2CAA2C,EAC3C,mCAAmC,EACnC,KAAK,kBAAkB,EACvB,wBAAwB,EACxB,oBAAoB,EACpB,mCAAmC,EACnC,2BAA2B,EAC3B,oCAAoC,EACpC,4BAA4B,EAC5B,mCAAmC,EACnC,2BAA2B,EAC3B,iCAAiC,EACjC,yBAAyB,EACzB,mCAAmC,EACnC,2BAA2B,EAC3B,uCAAuC,EACvC,+BAA+B,EAC/B,gCAAgC,EAChC,wBAAwB,EACxB,+BAA+B,EAC/B,uBAAuB,EACvB,6BAA6B,EAC7B,qBAAqB,EACrB,kCAAkC,EAClC,0BAA0B,EAC1B,+BAA+B,EAC/B,uBAAuB,EACvB,4CAA4C,EAC5C,2CAA2C,EAC3C,mCAAmC,EACnC,6CAA6C,EAC7C,4CAA4C,EAC5C,mDAAmD,EACnD,oDAAoD,EACpD,4CAA4C,EAC5C,kDAAkD,EAClD,0CAA0C,EAC1C,6CAA6C,EAC7C,qCAAqC,EACrC,KAAK,mBAAmB,EACxB,yBAAyB,EACzB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,EACtB,gCAAgC,EAChC,wBAAwB,EACxB,oCAAoC,EACpC,4BAA4B,EAC5B,sCAAsC,EACtC,8BAA8B,EAC9B,4BAA4B,EAC5B,oBAAoB,EACpB,6BAA6B,EAC7B,qBAAqB,EACrB,iCAAiC,EACjC,sCAAsC,EACtC,oCAAoC,EACpC,kCAAkC,EAClC,0BAA0B,EAC1B,qCAAqC,EACrC,6BAA6B,EAC7B,kCAAkC,EAClC,0BAA0B,EAC1B,8CAA8C,EAC9C,8CAA8C,EAC9C,sCAAsC,EACtC,yCAAyC,EACzC,iCAAiC,EACjC,wCAAwC,EACxC,gCAAgC,EAChC,sCAAsC,EACtC,8BAA8B,EAC9B,2CAA2C,EAC3C,mCAAmC,EACnC,wCAAwC,EACxC,gCAAgC,EAChC,KAAK,sBAAsB,EAC3B,4BAA4B,EAC5B,oBAAoB,EACpB,oCAAoC,EACpC,4BAA4B,EAC5B,sCAAsC,EACtC,8BAA8B,EAC9B,wCAAwC,EACxC,6BAA6B,EAC7B,qBAAqB,EACrB,0BAA0B,EAC1B,kBAAkB,EAClB,iCAAiC,EACjC,2BAA2B,EAC3B,mBAAmB,EACnB,qCAAqC,EACrC,6BAA6B,EAC7B,kCAAkC,EAClC,6BAA6B,EAC7B,qBAAqB,EACrB,gBAAgB,EAChB,sBAAsB,EACtB,6BAA6B,EAC7B,KAAK,mBAAmB,EACxB,KAAK,6BAA6B,EAClC,KAAK,iCAAiC,EACtC,uCAAuC,EACvC,mCAAmC,EACnC,KAAK,+BAA+B,EACpC,qCAAqC,EACrC,KAAK,gCAAgC,EACrC,sCAAsC,EACtC,KAAK,uBAAuB,EAC5B,6BAA6B,EAC7B,KAAK,kCAAkC,EACvC,wCAAwC,EACxC,KAAK,4BAA4B,EACjC,kCAAkC,EAClC,KAAK,wBAAwB,EAC7B,8BAA8B,EAC9B,KAAK,uBAAuB,EAC5B,6BAA6B,EAC7B,KAAK,2BAA2B,EAChC,iCAAiC,EACjC,KAAK,uCAAuC,EAC5C,6CAA6C,EAC7C,KAAK,2BAA2B,EAChC,qCAAqC,EACrC,KAAK,+BAA+B,EACpC,qCAAqC,EACrC,iCAAiC,EACjC,yBAAyB,EACzB,KAAK,0BAA0B,EAC/B,sCAAsC,EACtC,oCAAoC,EACpC,KAAK,8BAA8B,EACnC,oCAAoC,EACpC,gCAAgC,EAChC,KAAK,yBAAyB,EAC9B,+BAA+B,EAC/B,2BAA2B,EAC3B,+BAA+B,EAC/B,KAAK,sBAAsB,EAC3B,4BAA4B,EAC5B,4BAA4B,EAC5B,uBAAuB,EACvB,sBAAsB,EACtB,YAAY,EACZ,YAAY,EACZ,KAAK,4BAA4B,EACjC,kCAAkC,EAClC,uBAAuB,EACvB,yBAAyB,EACzB,KAAK,iBAAiB,EACtB,uBAAuB,EACvB,KAAK,gBAAgB,EACrB,sBAAsB,EACtB,KAAK,mBAAmB,EACxB,yBAAyB,EACzB,KAAK,kBAAkB,EACvB,wBAAwB,EACxB,KAAK,oCAAoC,EACzC,0CAA0C,EAC1C,KAAK,0BAA0B,EAC/B,KAAK,2BAA2B,EAChC,iCAAiC,EACjC,KAAK,8BAA8B,EACnC,oCAAoC,EACpC,KAAK,oCAAoC,EACzC,0CAA0C,EAC1C,KAAK,iCAAiC,EACtC,uCAAuC,EACvC,gBAAgB,EAChB,KAAK,eAAe,EACpB,qBAAqB,EACrB,KAAK,aAAa,EAClB,KAAK,kBAAkB,EACvB,KAAK,6BAA6B,EAClC,KAAK,+BAA+B,EACpC,KAAK,6BAA6B,EAClC,KAAK,sBAAsB,EAC3B,KAAK,uCAAuC,EAC5C,KAAK,kBAAkB,EACvB,KAAK,uBAAuB,EAC5B,KAAK,eAAe,EACpB,qBAAqB,EACrB,KAAK,cAAc,EACnB,uBAAuB,EACvB,qBAAqB,EACrB,cAAc,EACd,oCAAoC,EACpC,qCAAqC,GACtC,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,sBAAsB,EACtB,KAAK,gBAAgB,EACrB,sBAAsB,EACtB,KAAK,qBAAqB,EAC1B,2BAA2B,EAC3B,KAAK,gBAAgB,EACrB,sBAAsB,EACtB,KAAK,iBAAiB,EACtB,uBAAuB,EACvB,KAAK,YAAY,EACjB,kBAAkB,EAClB,KAAK,mBAAmB,EACxB,yBAAyB,EACzB,KAAK,wBAAwB,EAC7B,8BAA8B,EAC9B,KAAK,gBAAgB,EACrB,sBAAsB,EACtB,KAAK,gBAAgB,EACrB,KAAK,0BAA0B,EAC/B,sBAAsB,EACtB,KAAK,eAAe,EACpB,qBAAqB,EACrB,KAAK,aAAa,EAClB,mBAAmB,EACnB,KAAK,mBAAmB,EACxB,yBAAyB,GAC1B,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,gCAAgC,EAChC,UAAU,EACV,KAAK,kBAAkB,EACvB,KAAK,WAAW,GACjB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,mBAAmB,EAAE,6BAA6B,EAAE,MAAM,WAAW,CAAC;AAC/E,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,EACL,eAAe,EACf,eAAe,EACf,qBAAqB,EACrB,MAAM,EACN,aAAa,EACb,IAAI,GACL,MAAM,YAAY,CAAC"}

package/esm/auth/mod.js

@@ -8,9 +8,9 @@
  * - Services load their session key seed from `TRELLIS_SESSION_KEY_SEED`.
  */
 export { buildDeviceActivationPayload, buildDeviceWaitProofInput, createDeviceActivationClient, createDeviceNatsAuthToken, deriveDeviceConfirmationCode, deriveDeviceIdentity, deriveDeviceQrMac, encodeDeviceActivationPayload, getDeviceConnectInfo, parseDeviceActivationPayload, signDeviceWaitRequest, startDeviceActivationRequest, verifyDeviceConfirmationCode, verifyDeviceWaitSignature, waitForDeviceActivation, } from "./device_activation.js";
-export { bindFlow, buildLoginUrl, clearSessionKey, createRpcProof, fetchPortalFlowState, generateSessionKey, getOrCreateSessionKey, getPublicSessionKey, hasSessionKey, isBindSuccessResponse, loadSessionKey, natsConnectSigForIat, portalFlowIdFromUrl, portalProviderLoginUrl, portalRedirectLocation, signBytes, startAuthRequest, submitPortalApproval, } from "./browser.js";
+export { bindFlow, buildLoginUrl, classifyBrowserAuthError, clearSessionKey, createRpcProof, fetchPortalFlowState, generateSessionKey, getOrCreateSessionKey, getPublicSessionKey, hasSessionKey, isBindSuccessResponse, isRecoverableBrowserAuthError, loadSessionKey, natsConnectSigForIat, portalFlowIdFromUrl, portalProviderLoginUrl, portalRedirectLocation, signBytes, startAuthRequest, submitPortalApproval, } from "./browser.js";
 export { buildProofInput, createProof, verifyProof, } from "./proof.js";
-export { ApprovalRecordViewSchema, AuthCapabilitiesListResponseSchema, AuthCapabilitiesListSchema, AuthCapabilityGroupsDeleteResponseSchema, AuthCapabilityGroupsDeleteSchema, AuthCapabilityGroupsGetResponseSchema, AuthCapabilityGroupsGetSchema, AuthCapabilityGroupsListResponseSchema, AuthCapabilityGroupsListSchema, AuthCapabilityGroupsPutResponseSchema, AuthCapabilityGroupsPutSchema, AuthDeploymentAuthorityAcceptMigrationSchema, AuthDeploymentAuthorityAcceptResponseSchema, AuthDeploymentAuthorityAcceptUpdateSchema, AuthDeploymentAuthorityGetResponseSchema, AuthDeploymentAuthorityGetSchema, AuthDeploymentAuthorityGrantOverridesListResponseSchema, AuthDeploymentAuthorityGrantOverridesListSchema, AuthDeploymentAuthorityGrantOverridesPutSchema, AuthDeploymentAuthorityGrantOverridesRemoveSchema, AuthDeploymentAuthorityGrantOverridesResponseSchema, AuthDeploymentAuthorityListResponseSchema, AuthDeploymentAuthorityListSchema, AuthDeploymentAuthorityPlanResponseSchema, AuthDeploymentAuthorityPlanSchema, AuthDeploymentAuthorityPlansGetResponseSchema, AuthDeploymentAuthorityPlansGetSchema, AuthDeploymentAuthorityPlansListResponseSchema, AuthDeploymentAuthorityPlansListSchema, AuthDeploymentAuthorityReconcileResponseSchema, AuthDeploymentAuthorityReconcileSchema, AuthDeploymentAuthorityRejectResponseSchema, AuthDeploymentAuthorityRejectSchema, AuthDeploymentKindSchema, AuthDeploymentSchema, AuthDeploymentsCreateResponseSchema, AuthDeploymentsCreateSchema, AuthDeploymentsDisableResponseSchema, AuthDeploymentsDisableSchema, AuthDeploymentsEnableResponseSchema, AuthDeploymentsEnableSchema, AuthDeploymentsListResponseSchema, AuthDeploymentsListSchema, AuthDeploymentsRemoveResponseSchema, AuthDeploymentsRemoveSchema, AuthDevicesConnectInfoGetResponseSchema, AuthDevicesConnectInfoGetSchema, AuthDevicesDisableResponseSchema, AuthDevicesDisableSchema, AuthDevicesEnableResponseSchema, AuthDevicesEnableSchema, AuthDevicesListResponseSchema, AuthDevicesListSchema, AuthDevicesProvisionResponseSchema, AuthDevicesProvisionSchema, AuthDevicesRemoveResponseSchema, AuthDevicesRemoveSchema, AuthDeviceUserAuthoritiesApprovedEventSchema, AuthDeviceUserAuthoritiesListResponseSchema, AuthDeviceUserAuthoritiesListSchema, AuthDeviceUserAuthoritiesRequestedEventSchema, AuthDeviceUserAuthoritiesResolvedEventSchema, AuthDeviceUserAuthoritiesReviewRequestedEventSchema, AuthDeviceUserAuthoritiesReviewsDecideResponseSchema, AuthDeviceUserAuthoritiesReviewsDecideSchema, AuthDeviceUserAuthoritiesReviewsListResponseSchema, AuthDeviceUserAuthoritiesReviewsListSchema, AuthDeviceUserAuthoritiesRevokeResponseSchema, AuthDeviceUserAuthoritiesRevokeSchema, AuthenticatedDeviceSchema, AuthIdentitiesListResponseSchema, AuthIdentitiesListSchema, AuthIdentityGrantsListResponseSchema, AuthIdentityGrantsListSchema, AuthIdentityGrantsRevokeResponseSchema, AuthIdentityGrantsRevokeSchema, AuthPortalsGetResponseSchema, AuthPortalsGetSchema, AuthPortalsListResponseSchema, AuthPortalsListSchema, AuthPortalsLoginSettingsGetSchema, AuthPortalsLoginSettingsResponseSchema, AuthPortalsLoginSettingsUpdateSchema, AuthPortalsRoutesPutResponseSchema, AuthPortalsRoutesPutSchema, AuthPortalsRoutesRemoveResponseSchema, AuthPortalsRoutesRemoveSchema, AuthRequestsValidateResponseSchema, AuthRequestsValidateSchema, AuthResolveDeviceUserAuthoritiesProgressSchema, AuthResolveDeviceUserAuthoritiesResponseSchema, AuthResolveDeviceUserAuthoritiesSchema, AuthServiceInstancesDisableResponseSchema, AuthServiceInstancesDisableSchema, AuthServiceInstancesEnableResponseSchema, AuthServiceInstancesEnableSchema, AuthServiceInstancesListResponseSchema, AuthServiceInstancesListSchema, AuthServiceInstancesProvisionResponseSchema, AuthServiceInstancesProvisionSchema, AuthServiceInstancesRemoveResponseSchema, AuthServiceInstancesRemoveSchema, AuthSessionsMeResponseSchema, AuthSessionsMeSchema, AuthUserIdentitiesListResponseSchema, AuthUserIdentitiesListSchema, AuthUserIdentitiesUnlinkResponseSchema, AuthUserIdentitiesUnlinkSchema, AuthUsersAccountFlowCreateResponseSchema, AuthUsersCreateResponseSchema, AuthUsersCreateSchema, AuthUsersGetResponseSchema, AuthUsersGetSchema, AuthUsersIdentityLinkCreateSchema, AuthUsersListResponseSchema, AuthUsersListSchema, AuthUsersPasswordChangeResponseSchema, AuthUsersPasswordChangeSchema, AuthUsersPasswordResetCreateSchema, AuthUsersUpdateResponseSchema, AuthUsersUpdateSchema, CallerViewSchema, ContractAnalysisSchema, ContractAnalysisSummarySchema, DeploymentAuthorityCapabilitySchema, DeploymentAuthorityGrantOverrideSchema, DeploymentAuthorityKindSchema, DeploymentAuthorityMaterializationSchema, DeploymentAuthorityMigrationSchema, DeploymentAuthorityNeedSchema, DeploymentAuthorityPlanSchema, DeploymentAuthorityProposalSchema, DeploymentAuthorityReconciliationStatusSchema, DeploymentAuthorityResourceKindSchema, DeploymentAuthorityResourceSchema, DeploymentAuthoritySchema, DeploymentAuthoritySurfaceActionSchema, DeploymentAuthoritySurfaceKindSchema, DeploymentAuthoritySurfaceSchema, DeploymentAuthorityUpdateSchema, DeploymentPortalRouteSchema, DeploymentResourceBindingSchema, DeviceActivationRecordSchema, DeviceActivationReviewSchema, DeviceConnectInfoSchema, DeviceDeploymentSchema, DeviceSchema, DigestSchema, FlowRegistrationAvailabilitySchema, IdentityGrantViewSchema, ImplementationOfferSchema, LoginPortalRecordSchema, LoginPortalRouteSchema, LoginPortalSettingsSchema, LoginPortalSummarySchema, OpenObjectSchema, ParticipantKindSchema, PortalFlowStateSchema, ServiceDeploymentSchema, ServiceInstanceSchema, UserViewSchema, WaitForDeviceActivationRequestSchema, WaitForDeviceActivationResponseSchema, } from "./protocol.js";
+export { ApprovalRecordViewSchema, AuthCapabilitiesListResponseSchema, AuthCapabilitiesListSchema, AuthCapabilityGroupsDeleteResponseSchema, AuthCapabilityGroupsDeleteSchema, AuthCapabilityGroupsGetResponseSchema, AuthCapabilityGroupsGetSchema, AuthCapabilityGroupsListResponseSchema, AuthCapabilityGroupsListSchema, AuthCapabilityGroupsPutResponseSchema, AuthCapabilityGroupsPutSchema, AuthDeploymentAuthorityAcceptMigrationSchema, AuthDeploymentAuthorityAcceptResponseSchema, AuthDeploymentAuthorityAcceptUpdateSchema, AuthDeploymentAuthorityGetResponseSchema, AuthDeploymentAuthorityGetSchema, AuthDeploymentAuthorityGrantOverridesListResponseSchema, AuthDeploymentAuthorityGrantOverridesListSchema, AuthDeploymentAuthorityGrantOverridesPutSchema, AuthDeploymentAuthorityGrantOverridesRemoveSchema, AuthDeploymentAuthorityGrantOverridesResponseSchema, AuthDeploymentAuthorityListResponseSchema, AuthDeploymentAuthorityListSchema, AuthDeploymentAuthorityPlanResponseSchema, AuthDeploymentAuthorityPlanSchema, AuthDeploymentAuthorityPlansGetResponseSchema, AuthDeploymentAuthorityPlansGetSchema, AuthDeploymentAuthorityPlansListResponseSchema, AuthDeploymentAuthorityPlansListSchema, AuthDeploymentAuthorityReconcileResponseSchema, AuthDeploymentAuthorityReconcileSchema, AuthDeploymentAuthorityRejectResponseSchema, AuthDeploymentAuthorityRejectSchema, AuthDeploymentKindSchema, AuthDeploymentSchema, AuthDeploymentsCreateResponseSchema, AuthDeploymentsCreateSchema, AuthDeploymentsDisableResponseSchema, AuthDeploymentsDisableSchema, AuthDeploymentsEnableResponseSchema, AuthDeploymentsEnableSchema, AuthDeploymentsListResponseSchema, AuthDeploymentsListSchema, AuthDeploymentsRemoveResponseSchema, AuthDeploymentsRemoveSchema, AuthDevicesConnectInfoGetResponseSchema, AuthDevicesConnectInfoGetSchema, AuthDevicesDisableResponseSchema, AuthDevicesDisableSchema, AuthDevicesEnableResponseSchema, AuthDevicesEnableSchema, AuthDevicesListResponseSchema, AuthDevicesListSchema, AuthDevicesProvisionResponseSchema, AuthDevicesProvisionSchema, AuthDevicesRemoveResponseSchema, AuthDevicesRemoveSchema, AuthDeviceUserAuthoritiesApprovedEventSchema, AuthDeviceUserAuthoritiesListResponseSchema, AuthDeviceUserAuthoritiesListSchema, AuthDeviceUserAuthoritiesRequestedEventSchema, AuthDeviceUserAuthoritiesResolvedEventSchema, AuthDeviceUserAuthoritiesReviewRequestedEventSchema, AuthDeviceUserAuthoritiesReviewsDecideResponseSchema, AuthDeviceUserAuthoritiesReviewsDecideSchema, AuthDeviceUserAuthoritiesReviewsListResponseSchema, AuthDeviceUserAuthoritiesReviewsListSchema, AuthDeviceUserAuthoritiesRevokeResponseSchema, AuthDeviceUserAuthoritiesRevokeSchema, AuthenticatedDeviceSchema, AuthIdentitiesListResponseSchema, AuthIdentitiesListSchema, AuthIdentityGrantsListResponseSchema, AuthIdentityGrantsListSchema, AuthIdentityGrantsRevokeResponseSchema, AuthIdentityGrantsRevokeSchema, AuthPortalsGetResponseSchema, AuthPortalsGetSchema, AuthPortalsListResponseSchema, AuthPortalsListSchema, AuthPortalsLoginSettingsGetSchema, AuthPortalsLoginSettingsResponseSchema, AuthPortalsLoginSettingsUpdateSchema, AuthPortalsRoutesPutResponseSchema, AuthPortalsRoutesPutSchema, AuthPortalsRoutesRemoveResponseSchema, AuthPortalsRoutesRemoveSchema, AuthRequestsValidateResponseSchema, AuthRequestsValidateSchema, AuthResolveDeviceUserAuthoritiesProgressSchema, AuthResolveDeviceUserAuthoritiesResponseSchema, AuthResolveDeviceUserAuthoritiesSchema, AuthServiceInstancesDisableResponseSchema, AuthServiceInstancesDisableSchema, AuthServiceInstancesEnableResponseSchema, AuthServiceInstancesEnableSchema, AuthServiceInstancesListResponseSchema, AuthServiceInstancesListSchema, AuthServiceInstancesProvisionResponseSchema, AuthServiceInstancesProvisionSchema, AuthServiceInstancesRemoveResponseSchema, AuthServiceInstancesRemoveSchema, AuthSessionsMeResponseSchema, AuthSessionsMeSchema, AuthUserIdentitiesListResponseSchema, AuthUserIdentitiesListSchema, AuthUserIdentitiesUnlinkResponseSchema, AuthUserIdentitiesUnlinkSchema, AuthUsersAccountFlowCreateResponseSchema, AuthUsersCreateResponseSchema, AuthUsersCreateSchema, AuthUsersGetResponseSchema, AuthUsersGetSchema, AuthUsersIdentityLinkCreateSchema, AuthUsersListResponseSchema, AuthUsersListSchema, AuthUsersPasswordChangeResponseSchema, AuthUsersPasswordChangeSchema, AuthUsersPasswordResetCreateSchema, AuthUsersUpdateResponseSchema, AuthUsersUpdateSchema, CallerViewSchema, ContractAnalysisSchema, ContractAnalysisSummarySchema, DeploymentAuthorityCapabilityNeedSchema, DeploymentAuthorityCapabilitySchema, DeploymentAuthorityContractNeedSchema, DeploymentAuthorityGrantOverrideSchema, DeploymentAuthorityKindSchema, DeploymentAuthorityMaterializationSchema, DeploymentAuthorityMigrationSchema, DeploymentAuthorityNeedsSchema, DeploymentAuthorityPlanSchema, DeploymentAuthorityProposalSchema, DeploymentAuthorityReconciliationStatusSchema, DeploymentAuthorityResourceKindSchema, DeploymentAuthorityResourceNeedSchema, DeploymentAuthorityResourceSchema, DeploymentAuthoritySchema, DeploymentAuthoritySurfaceActionSchema, DeploymentAuthoritySurfaceKindSchema, DeploymentAuthoritySurfaceNeedSchema, DeploymentAuthoritySurfaceSchema, DeploymentAuthorityUpdateSchema, DeploymentPortalRouteSchema, DeploymentResourceBindingSchema, DeviceActivationRecordSchema, DeviceActivationReviewSchema, DeviceConnectInfoSchema, DeviceDeploymentSchema, DeviceSchema, DigestSchema, FlowRegistrationAvailabilitySchema, IdentityGrantViewSchema, ImplementationOfferSchema, LoginPortalRecordSchema, LoginPortalRouteSchema, LoginPortalSettingsSchema, LoginPortalSummarySchema, MaterializedAuthorityCapabilityGrantSchema, MaterializedAuthorityGrantsSchema, MaterializedAuthorityNatsGrantSchema, MaterializedAuthorityNatsGrantSourceSchema, MaterializedAuthoritySurfaceGrantSchema, OpenObjectSchema, ParticipantKindSchema, PortalFlowStateSchema, ServiceDeploymentSchema, ServiceInstanceSchema, UserViewSchema, WaitForDeviceActivationRequestSchema, WaitForDeviceActivationResponseSchema, } from "./protocol.js";
 export { approvalCapabilityKeys, ApprovalDecisionSchema, AuthStartFlowResponseSchema, AuthStartRequestSchema, AuthStartResponseSchema, BindResponseSchema, BindSuccessResponseSchema, ClientTransportEndpointsSchema, ClientTransportsSchema, ContractApprovalSchema, NatsAuthTokenV1Schema, SentinelCredsSchema, UserParticipantKindSchema, } from "./schemas.js";
 export { buildNatsConnectSignaturePayload, createAuth, } from "./session_auth.js";
 export { correctedIatSeconds, estimateMidpointClockOffsetMs } from "./time.js";