@replicated/portal-components 0.0.1 → 0.0.3

package/dist/actions/index.js

@@ -1,13 +1,1944 @@
 'use strict';
 
+var react = require('react');
+
 /**
  * Enterprise Portal Components
  * This file is generated by tsup. Do not edit manually.
  */
 
+
+// src/utils/api-client.ts
+async function authenticatedFetch(url, options = {}) {
+  const { token, ...fetchOptions } = options;
+  const headers = new Headers(fetchOptions.headers);
+  if (token) {
+    headers.set("authorization", `Bearer ${token}`);
+  }
+  const response = await fetch(url, {
+    ...fetchOptions,
+    headers
+  });
+  if (response.status === 401) {
+    await handle401();
+  }
+  if (response.status === 502 || response.status === 503 || response.status === 504) {
+    await handleServerError(response.status);
+  }
+  return response;
+}
+async function handle401() {
+  const { redirect } = await import('next/navigation');
+  return redirect("/?expired=1");
+}
+async function handleServerError(statusCode) {
+  const { redirect } = await import('next/navigation');
+  let sourceUrl;
+  try {
+    const { headers } = await import('next/headers');
+    const headersList = await headers();
+    const referer = headersList.get("referer");
+    const host = headersList.get("host");
+    const pathname = headersList.get("x-invoke-path") || headersList.get("x-forwarded-path");
+    if (referer) {
+      sourceUrl = referer;
+    } else if (host && pathname) {
+      const protocol = headersList.get("x-forwarded-proto") || "https";
+      sourceUrl = `${protocol}://${host}${pathname}`;
+    }
+  } catch (error) {
+    console.debug("[portal-components] Could not determine source URL", error);
+  }
+  const params = new URLSearchParams({ code: String(statusCode) });
+  if (sourceUrl) {
+    params.set("source", sourceUrl);
+  }
+  return redirect(`/error?${params.toString()}`);
+}
+
 // src/actions/index.ts
+var getApiOrigin = () => {
+  return (process.env.REPLICATED_APP_ORIGIN || "https://replicated.app").replace(/\/+$/, "");
+};
 var defineServerAction = (definition) => definition;
+var createServiceAccount = defineServerAction({
+  id: "service-account/create",
+  description: "Creates a service account for installing applications",
+  visibility: "customer",
+  tags: ["service-account", "install"],
+  async run({ token, name }) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Service account creation requires a session token");
+    }
+    if (!name || typeof name !== "string" || !name.trim()) {
+      throw new Error("Service account name is required");
+    }
+    const endpoint = `${getApiOrigin()}/v3/service-account`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug(
+        "[portal-components] creating service account via %s",
+        endpoint
+      );
+    }
+    const response = await authenticatedFetch(endpoint, {
+      method: "POST",
+      token,
+      headers: {
+        "content-type": "application/json"
+      },
+      body: JSON.stringify({ account_name: name.trim() })
+    });
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(
+        `Service account creation failed (${response.status} ${response.statusText}): ${errorText}`
+      );
+    }
+    const data = await response.json();
+    return data;
+  }
+});
+var initiateLogin = defineServerAction({
+  id: "auth/initiate-login",
+  description: "Begins the passwordless login flow by dispatching a magic link email.",
+  visibility: "customer",
+  tags: ["auth", "login", "session"],
+  async run(input) {
+    const endpoint = `${getApiOrigin()}/v3/login/magic-link`;
+    const appSlug = process.env.PORTAL_APP_SLUG;
+    if (!appSlug) {
+      throw new Error("PORTAL_APP_SLUG is not configured");
+    }
+    const portalOrigin = process.env.PORTAL_ORIGIN ?? "https://enterprise.replicated.com";
+    const redirectUri = `${portalOrigin.replace(/\/+$/, "")}/${appSlug}/login`;
+    const response = await fetch(endpoint, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json"
+      },
+      body: JSON.stringify({
+        app_slug: appSlug,
+        email_address: input.email,
+        redirect_uri: redirectUri
+      })
+    });
+    if (!response.ok) {
+      throw new Error(
+        `Magic link request failed (${response.status} ${response.statusText})`
+      );
+    }
+    const data = await response.json();
+    if (data.saml_redirect_required && data.saml_customer_id) {
+      return {
+        status: "saml_redirect",
+        requestedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        message: "SAML authentication required",
+        saml: {
+          redirectRequired: true,
+          customerId: data.saml_customer_id,
+          email: input.email,
+          appSlug
+        }
+      };
+    }
+    return {
+      status: "ok",
+      requestedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      message: `Magic link requested for ${input.email}`
+    };
+  }
+});
+var verifyMagicLink = defineServerAction({
+  id: "auth/verify-magic-link",
+  description: "Verifies the 12-digit code provided via email and returns a JWT.",
+  visibility: "customer",
+  tags: ["auth", "login", "verify"],
+  async run({ nonce }) {
+    const endpoint = `${getApiOrigin()}/v3/login/magic-link/verify`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug(
+        "[portal-components] verifying magic link via %s",
+        endpoint
+      );
+    }
+    const response = await fetch(endpoint, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json"
+      },
+      body: JSON.stringify({ nonce })
+    });
+    if (!response.ok) {
+      if (response.status === 401) {
+        try {
+          const errorBody = await response.json();
+          if (errorBody?.is_expired === true) {
+            const error3 = {
+              code: "expired",
+              message: "Magic link has expired. A new link has been sent to your email.",
+              isExpired: true
+            };
+            throw error3;
+          }
+        } catch (parseError) {
+          if (parseError?.code === "expired") {
+            throw parseError;
+          }
+        }
+        const error2 = {
+          code: "invalid_code",
+          message: "Incorrect code, check your email and try again."
+        };
+        throw error2;
+      }
+      const error = {
+        code: "unknown",
+        message: `Magic link verification failed (${response.status} ${response.statusText})`
+      };
+      throw error;
+    }
+    const payload = await response.json();
+    const token = payload?.token ?? payload?.jwt ?? payload?.access_token;
+    if (typeof token !== "string") {
+      throw new Error("Magic link verification succeeded but no token returned");
+    }
+    return { token, raw: payload };
+  }
+});
+var fetchCustomBrandingImpl = async () => {
+  const appSlug = process.env.PORTAL_APP_SLUG;
+  if (!appSlug) {
+    throw new Error("PORTAL_APP_SLUG is not configured");
+  }
+  const url = `${getApiOrigin()}/v3/custom-branding?app_slug=${encodeURIComponent(
+    appSlug
+  )}`;
+  if (process.env.NODE_ENV !== "production") {
+    console.debug(
+      "[portal-components] fetching custom branding via %s",
+      url
+    );
+  }
+  const response = await fetch(url, {
+    headers: {
+      accept: "application/json"
+    }
+  });
+  if (!response.ok) {
+    throw new Error(
+      `Custom branding request failed (${response.status} ${response.statusText})`
+    );
+  }
+  const payload = await response.json();
+  const brandingData = payload?.branding_data;
+  if (typeof brandingData !== "string") {
+    throw new Error("Custom branding response missing branding_data string");
+  }
+  return {
+    brandingData,
+    documentation: payload?.documentation ?? null
+  };
+};
+var fetchCustomBranding = react.cache(fetchCustomBrandingImpl);
+var decodeJwtPayload = (token) => {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new Error("Invalid JWT received");
+  }
+  const payloadSegment = parts[1];
+  if (!payloadSegment) {
+    throw new Error("JWT payload segment missing");
+  }
+  const padded = payloadSegment.padEnd(
+    payloadSegment.length + (4 - payloadSegment.length % 4) % 4,
+    "="
+  );
+  const decoded = Buffer.from(padded, "base64").toString("utf-8");
+  return JSON.parse(decoded);
+};
+var getCustomerIdFromToken = (token) => {
+  const payload = decodeJwtPayload(token);
+  const customerId = payload?.customer_id || payload?.customerId;
+  if (typeof customerId !== "string" || !customerId.trim()) {
+    throw new Error("Unable to determine customer_id from session token");
+  }
+  return customerId.trim();
+};
+var resolveSupportBundlesEndpoint = () => {
+  const fallback = `${getApiOrigin()}/v3/supportbundles`;
+  const explicit = process.env.SUPPORT_BUNDLES_ENDPOINT;
+  if (!explicit) {
+    return new URL(fallback);
+  }
+  try {
+    return new URL(explicit);
+  } catch (error) {
+    console.warn(
+      `[portal-components] invalid SUPPORT_BUNDLES_ENDPOINT, using fallback`,
+      error
+    );
+    return new URL(fallback);
+  }
+};
+var listSupportBundles = defineServerAction({
+  id: "support/list-bundles",
+  description: "Fetches support bundles associated with the customer found in the portal session JWT.",
+  visibility: "customer",
+  tags: ["support", "bundles"],
+  async run({ token }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Support bundle listing requires a session token");
+    }
+    const payload = decodeJwtPayload(token);
+    const customerId = payload?.customer_id;
+    if (typeof customerId !== "string" || !customerId.trim()) {
+      throw new Error("Unable to determine customer_id from session token");
+    }
+    const url = resolveSupportBundlesEndpoint();
+    url.searchParams.set("customer_id", customerId.trim());
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] fetching support bundles via %s", url);
+    }
+    const response = await authenticatedFetch(url.toString(), {
+      token,
+      headers: {
+        accept: "application/json"
+      },
+      signal: context?.signal
+    });
+    if (context?.signal?.aborted) {
+      throw new Error("Support bundles request was aborted");
+    }
+    if (!response.ok) {
+      throw new Error(
+        `Support bundles request failed (${response.status} ${response.statusText})`
+      );
+    }
+    const raw = await response.json();
+    const rawRecord = raw && typeof raw === "object" ? raw : void 0;
+    const parseInsights = (raw2) => {
+      if (!Array.isArray(raw2)) return void 0;
+      return raw2.filter((i) => i && typeof i === "object").map((i) => ({
+        level: String(i.level ?? ""),
+        primary: String(i.primary ?? ""),
+        key: typeof i.key === "string" ? i.key : void 0,
+        detail: typeof i.detail === "string" ? i.detail : void 0
+      }));
+    };
+    const bundles = Array.isArray(
+      rawRecord?.supportBundles
+    ) ? (rawRecord?.supportBundles).map((item) => {
+      if (!item || typeof item !== "object") {
+        return {
+          id: "",
+          createdAt: void 0,
+          status: void 0,
+          size: void 0,
+          instanceId: void 0,
+          insights: void 0,
+          metadata: void 0
+        };
+      }
+      const record = item;
+      return {
+        id: String(record.id ?? ""),
+        createdAt: typeof record.createdAt === "string" ? record.createdAt : void 0,
+        status: typeof record.status === "string" ? record.status : void 0,
+        size: typeof record.size === "number" ? record.size : void 0,
+        instanceId: typeof record.instanceId === "string" ? record.instanceId : void 0,
+        insights: parseInsights(record.insights),
+        metadata: record
+      };
+    }) : Array.isArray(raw) ? raw.map((item) => {
+      if (!item || typeof item !== "object") {
+        return {
+          id: "",
+          createdAt: void 0,
+          status: void 0,
+          size: void 0,
+          instanceId: void 0,
+          insights: void 0,
+          metadata: void 0
+        };
+      }
+      const record = item;
+      return {
+        id: String(record.id ?? ""),
+        createdAt: typeof record.createdAt === "string" ? record.createdAt : void 0,
+        status: typeof record.status === "string" ? record.status : void 0,
+        size: typeof record.size === "number" ? record.size : void 0,
+        instanceId: typeof record.instanceId === "string" ? record.instanceId : void 0,
+        insights: parseInsights(record.insights),
+        metadata: record
+      };
+    }) : [];
+    const totalCount = (() => {
+      if (rawRecord) {
+        if (typeof rawRecord.totalCount === "number" && Number.isFinite(rawRecord.totalCount)) {
+          return rawRecord.totalCount;
+        }
+        if (Array.isArray(rawRecord.supportBundles)) {
+          return rawRecord.supportBundles.length;
+        }
+      }
+      if (Array.isArray(raw)) {
+        return raw.length;
+      }
+      return bundles.length;
+    })();
+    return {
+      bundles,
+      totalCount,
+      raw
+    };
+  }
+});
+var downloadSupportBundle = defineServerAction({
+  id: "support/download-bundle",
+  description: "Gets a signed URL for downloading a support bundle.",
+  visibility: "customer",
+  tags: ["support", "bundles", "download"],
+  async run({ token, bundleId }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Support bundle download requires a session token");
+    }
+    if (!bundleId || typeof bundleId !== "string") {
+      throw new Error("Support bundle download requires a bundle ID");
+    }
+    const payload = decodeJwtPayload(token);
+    const customerId = payload?.customer_id;
+    if (typeof customerId !== "string" || !customerId.trim()) {
+      throw new Error("Unable to determine customer_id from session token");
+    }
+    const endpoint = `${getApiOrigin()}/v3/supportbundle/${encodeURIComponent(bundleId)}/download?customer_id=${encodeURIComponent(customerId.trim())}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] getting support bundle download URL via %s", endpoint);
+    }
+    const response = await authenticatedFetch(endpoint, {
+      method: "GET",
+      token,
+      headers: {
+        accept: "application/json"
+      },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      const errorText = await response.text().catch(() => "");
+      throw new Error(
+        `Support bundle download URL request failed (${response.status} ${response.statusText}): ${errorText}`
+      );
+    }
+    const data = await response.json();
+    const signedUrl = data?.signedUrl;
+    if (typeof signedUrl !== "string" || !signedUrl) {
+      throw new Error("Support bundle download response missing signedUrl");
+    }
+    return { signedUrl };
+  }
+});
+var deleteSupportBundle = defineServerAction({
+  id: "support/delete-bundle",
+  description: "Deletes a support bundle.",
+  visibility: "customer",
+  tags: ["support", "bundles", "delete"],
+  async run({ token, bundleId }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Support bundle deletion requires a session token");
+    }
+    if (!bundleId || typeof bundleId !== "string") {
+      throw new Error("Support bundle deletion requires a bundle ID");
+    }
+    const payload = decodeJwtPayload(token);
+    const customerId = payload?.customer_id;
+    if (typeof customerId !== "string" || !customerId.trim()) {
+      throw new Error("Unable to determine customer_id from session token");
+    }
+    const endpoint = `${getApiOrigin()}/v3/supportbundle/${encodeURIComponent(bundleId)}?customer_id=${encodeURIComponent(customerId.trim())}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] deleting support bundle via %s", endpoint);
+    }
+    const response = await authenticatedFetch(endpoint, {
+      method: "DELETE",
+      token,
+      headers: {
+        accept: "application/json"
+      },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      const errorText = await response.text().catch(() => "");
+      if (response.status === 404) {
+        throw new Error("Support bundle not found");
+      }
+      throw new Error(
+        `Support bundle deletion failed (${response.status} ${response.statusText}): ${errorText}`
+      );
+    }
+    return { success: true };
+  }
+});
+var uploadSupportBundle = defineServerAction({
+  id: "support/upload-bundle",
+  description: "Uploads a support bundle to the server.",
+  visibility: "customer",
+  tags: ["support", "bundles", "upload"],
+  async run({ token, appId, fileContent, contentLength }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Support bundle upload requires a session token");
+    }
+    if (!appId || typeof appId !== "string") {
+      throw new Error("Support bundle upload requires an app ID");
+    }
+    if (!fileContent || !(fileContent instanceof ArrayBuffer)) {
+      throw new Error("Support bundle upload requires file content");
+    }
+    const endpoint = `${getApiOrigin()}/v3/supportbundle/upload/${encodeURIComponent(appId)}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] uploading support bundle via %s", endpoint);
+    }
+    const response = await authenticatedFetch(endpoint, {
+      method: "POST",
+      token,
+      headers: {
+        "content-type": "application/gzip",
+        "content-length": String(contentLength)
+      },
+      body: fileContent,
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      const errorText = await response.text().catch(() => "");
+      throw new Error(
+        `Support bundle upload failed (${response.status} ${response.statusText}): ${errorText}`
+      );
+    }
+    const data = await response.json();
+    return {
+      bundleId: data?.bundleId ?? data?.bundle_id ?? "",
+      slug: data?.slug ?? ""
+    };
+  }
+});
+var getSupportBundleUploadUrl = (appId) => {
+  return `${getApiOrigin()}/v3/supportbundle/upload/${encodeURIComponent(appId)}`;
+};
+var listReleases = defineServerAction({
+  id: "releases/list",
+  description: "Lists available releases for the authenticated customer.",
+  visibility: "customer",
+  tags: ["releases"],
+  async run({ token }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("List releases requires a session token");
+    }
+    const endpoint = `${getApiOrigin()}/v3/release-history`;
+    console.log("[portal-components] listReleases request", {
+      endpoint
+    });
+    const response = await authenticatedFetch(endpoint, {
+      method: "GET",
+      token,
+      headers: {
+        accept: "application/json"
+      },
+      signal: context?.signal
+    });
+    const bodyText = await response.text().catch((error) => {
+      console.warn("[portal-components] listReleases read error", error);
+      return null;
+    });
+    console.log("[portal-components] listReleases response", response.status, bodyText);
+    if (!response.ok) {
+      throw new Error(
+        `List releases request failed (${response.status} ${response.statusText})`
+      );
+    }
+    return {
+      status: response.status,
+      body: bodyText
+    };
+  }
+});
+var asRecord = (value) => {
+  if (value && typeof value === "object") {
+    return value;
+  }
+  return void 0;
+};
+var getValue = (record, key) => record ? record[key] : void 0;
+var getString = (record, key) => {
+  const value = getValue(record, key);
+  return typeof value === "string" ? value : void 0;
+};
+var getBoolean = (record, key) => {
+  const value = getValue(record, key);
+  if (typeof value === "boolean") {
+    return value;
+  }
+  if (typeof value === "number") {
+    return value === 1;
+  }
+  if (typeof value === "string") {
+    const normalized = value.trim().toLowerCase();
+    if (["true", "1", "yes"].includes(normalized)) {
+      return true;
+    }
+    if (["false", "0", "no"].includes(normalized)) {
+      return false;
+    }
+  }
+  return void 0;
+};
+var toDisplayValue = (value) => {
+  if (value === null || value === void 0) {
+    return null;
+  }
+  if (typeof value === "string") {
+    return value;
+  }
+  if (typeof value === "number" || typeof value === "boolean") {
+    return String(value);
+  }
+  try {
+    return JSON.stringify(value);
+  } catch {
+    return String(value);
+  }
+};
+var normalizeStringArray = (value) => {
+  if (Array.isArray(value)) {
+    const normalized = value.map(
+      (item) => typeof item === "string" ? item.trim() : ""
+    ).filter((item) => item.length > 0);
+    return normalized.length ? normalized : void 0;
+  }
+  if (typeof value === "string") {
+    const normalized = value.split(",").map((item) => item.trim()).filter((item) => item.length > 0);
+    return normalized.length ? normalized : void 0;
+  }
+  return void 0;
+};
+var normalizeLicenseFields = (input) => {
+  if (!input) {
+    return [];
+  }
+  if (Array.isArray(input)) {
+    return input.map((field, index) => {
+      if (!field || typeof field !== "object") {
+        return null;
+      }
+      const candidate = field;
+      const key = typeof candidate.key === "string" && candidate.key.trim().length ? candidate.key.trim() : typeof candidate.name === "string" && candidate.name.trim().length ? candidate.name.trim() : typeof candidate.label === "string" && candidate.label.trim().length ? candidate.label.trim() : `field-${index}`;
+      const label = typeof candidate.label === "string" && candidate.label.trim().length ? candidate.label.trim() : typeof candidate.name === "string" && candidate.name.trim().length ? candidate.name.trim() : key;
+      let value = candidate.value ?? candidate.data ?? candidate.content;
+      if ((value === void 0 || value === null) && typeof candidate.text === "string") {
+        value = candidate.text;
+      }
+      if ((value === void 0 || value === null) && typeof candidate.defaultValue === "string") {
+        value = candidate.defaultValue;
+      }
+      const isSecret = Boolean(
+        candidate.isSecret ?? candidate.secret ?? candidate.masked
+      );
+      const resolved = toDisplayValue(value);
+      return {
+        key,
+        label,
+        value: resolved,
+        isSecret
+      };
+    }).filter((field) => Boolean(field));
+  }
+  if (typeof input === "object") {
+    return Object.entries(input).map(
+      ([key, value]) => {
+        let resolvedValue = value;
+        let isSecret = false;
+        if (value && typeof value === "object") {
+          const obj = value;
+          if ("value" in obj) {
+            resolvedValue = obj.value;
+          }
+          isSecret = Boolean(obj.isSecret ?? obj.secret ?? obj.masked);
+        }
+        const normalized = toDisplayValue(resolvedValue);
+        return {
+          key,
+          label: key,
+          value: normalized,
+          isSecret
+        };
+      }
+    );
+  }
+  return [];
+};
+var extractChannelNames = (input) => {
+  if (!Array.isArray(input)) {
+    return void 0;
+  }
+  const names = input.map((item) => {
+    if (typeof item === "string") {
+      return item.trim();
+    }
+    const record = asRecord(item);
+    if (!record) {
+      return null;
+    }
+    return getString(record, "name") ?? getString(record, "channelName") ?? getString(record, "channel") ?? getString(record, "channelSlug") ?? getString(record, "slug") ?? void 0;
+  }).filter((name) => Boolean(name && name.length));
+  return names.length ? names : void 0;
+};
+var normalizeEntitlementFields = (fieldsInput, valuesInput) => {
+  const valuesMap = /* @__PURE__ */ new Map();
+  const assignValue = (key, value) => {
+    if (!key) {
+      return;
+    }
+    valuesMap.set(key, toDisplayValue(value));
+  };
+  if (Array.isArray(valuesInput)) {
+    valuesInput.forEach((item) => {
+      const record = asRecord(item);
+      if (!record) {
+        if (typeof item === "string") {
+          assignValue(item, item);
+        }
+        return;
+      }
+      const key = getString(record, "name") ?? getString(record, "field") ?? getString(record, "title") ?? getString(record, "label") ?? getString(record, "slug") ?? (() => {
+        const idValue = getValue(record, "id");
+        if (typeof idValue === "string" || typeof idValue === "number") {
+          return String(idValue);
+        }
+        return void 0;
+      })();
+      const value = getValue(record, "value") ?? getValue(record, "currentValue") ?? getValue(record, "entitlementValue") ?? getValue(record, "content") ?? getValue(record, "data") ?? getValue(record, "defaultVal") ?? getValue(record, "defaultValue");
+      assignValue(key, value);
+    });
+  } else if (valuesInput && typeof valuesInput === "object") {
+    Object.entries(valuesInput).forEach(
+      ([key, value]) => assignValue(key, value)
+    );
+  }
+  const normalized = [];
+  if (Array.isArray(fieldsInput)) {
+    fieldsInput.forEach((item, index) => {
+      const record = asRecord(item);
+      if (!record) {
+        return;
+      }
+      const baseKey = getString(record, "name") ?? getString(record, "field") ?? getString(record, "slug") ?? `entitlement-${index}`;
+      const key = `entitlement-${baseKey}`;
+      const label = getString(record, "title") ?? getString(record, "label") ?? baseKey;
+      const defaultValue = getString(record, "defaultVal") ?? getString(record, "default") ?? getString(record, "defaultValue");
+      const value = valuesMap.get(baseKey) ?? valuesMap.get(label) ?? defaultValue ?? null;
+      const isSecret = Boolean(
+        getBoolean(record, "secret") ?? getBoolean(record, "isSecret") ?? getBoolean(record, "masked")
+      );
+      normalized.push({
+        key,
+        label,
+        value,
+        isSecret
+      });
+    });
+  }
+  valuesMap.forEach((value, key) => {
+    const normalizedKey = `entitlement-${key}`;
+    if (!normalized.some((field) => field.key === normalizedKey)) {
+      normalized.push({
+        key: normalizedKey,
+        label: key,
+        value
+      });
+    }
+  });
+  return normalized;
+};
+var normalizeLicensePayload = (payload) => {
+  const payloadRecord = asRecord(payload);
+  const rootRecord = asRecord(getValue(payloadRecord, "license")) ?? asRecord(getValue(payloadRecord, "data")) ?? payloadRecord ?? {};
+  const sourceRecord = asRecord(getValue(rootRecord, "metadata")) ?? rootRecord;
+  const customer = asRecord(getValue(rootRecord, "customer")) ?? asRecord(getValue(sourceRecord, "customer")) ?? asRecord(getValue(payloadRecord, "customer")) ?? {};
+  let releaseChannels = normalizeStringArray(
+    getValue(rootRecord, "releaseChannels") ?? getValue(sourceRecord, "releaseChannels") ?? getValue(sourceRecord, "channels") ?? getValue(rootRecord, "channels") ?? getValue(sourceRecord, "channel") ?? getValue(rootRecord, "channel")
+  ) ?? void 0;
+  if (!releaseChannels) {
+    releaseChannels = extractChannelNames(getValue(rootRecord, "channels")) ?? extractChannelNames(getValue(sourceRecord, "channels")) ?? void 0;
+  }
+  let installMethods = normalizeStringArray(
+    getValue(rootRecord, "installMethods") ?? getValue(sourceRecord, "installMethods") ?? getValue(sourceRecord, "install_options") ?? getValue(rootRecord, "install_options") ?? getValue(sourceRecord, "installOptions")
+  ) ?? void 0;
+  if (!installMethods || installMethods.length === 0) {
+    const resolved = [];
+    const flag = (key) => getBoolean(rootRecord, key) ?? getBoolean(sourceRecord, key) ?? false;
+    if (flag("isKotsInstallEnabled")) {
+      resolved.push("Replicated KOTS");
+    }
+    if (flag("isHelmInstallEnabled")) {
+      resolved.push("Helm");
+    }
+    if (flag("isHelmAirgapEnabled")) {
+      resolved.push("Helm Airgap");
+    }
+    if (flag("isEmbeddedClusterDownloadEnabled") || flag("isEmbeddedClusterMultiNodeEnabled")) {
+      resolved.push("Embedded Cluster");
+    }
+    if (flag("isKurlInstallEnabled")) {
+      resolved.push("kURL");
+    }
+    if (flag("isGitopsSupported")) {
+      resolved.push("GitOps");
+    }
+    if (resolved.length) {
+      installMethods = Array.from(new Set(resolved));
+    }
+  }
+  const expiresAtSource = getValue(sourceRecord, "expiresAt") ?? getValue(sourceRecord, "expireAt") ?? getValue(sourceRecord, "expire_at") ?? getValue(sourceRecord, "expiration") ?? getValue(sourceRecord, "expirationDate") ?? getValue(sourceRecord, "expires_on") ?? getValue(rootRecord, "expiresAt") ?? getValue(rootRecord, "expireAt") ?? getValue(rootRecord, "expire_at") ?? getValue(rootRecord, "expiration");
+  const expiresAt = typeof expiresAtSource === "string" && expiresAtSource.trim().length ? expiresAtSource : expiresAtSource === null ? null : void 0;
+  const baseFields = normalizeLicenseFields(
+    getValue(rootRecord, "additionalFields") ?? getValue(sourceRecord, "additionalFields") ?? getValue(sourceRecord, "fields") ?? getValue(rootRecord, "fields") ?? getValue(payloadRecord, "fields") ?? getValue(payloadRecord, "additional_fields")
+  );
+  const entitlementFields = normalizeEntitlementFields(
+    getValue(rootRecord, "entitlementFields") ?? getValue(sourceRecord, "entitlementFields"),
+    getValue(rootRecord, "entitlementValues") ?? getValue(sourceRecord, "entitlementValues")
+  );
+  const fields = [
+    ...baseFields,
+    ...entitlementFields.filter(
+      (field) => !baseFields.some((existing) => existing.key === field.key)
+    )
+  ];
+  const statusFromSource = getString(sourceRecord, "status") ?? getString(sourceRecord, "state");
+  const statusLabelFromSource = getString(sourceRecord, "statusLabel") ?? getString(sourceRecord, "stateLabel");
+  const expiredFlag = getBoolean(sourceRecord, "isExpired") ?? getBoolean(rootRecord, "isExpired");
+  const derivedStatus = statusFromSource ?? (typeof expiredFlag === "boolean" ? expiredFlag ? "expired" : "active" : void 0);
+  const statusLabel = statusLabelFromSource ?? (derivedStatus ? derivedStatus.charAt(0).toUpperCase() + derivedStatus.slice(1) : void 0);
+  const licenseType = getString(sourceRecord, "licenseType") ?? getString(rootRecord, "licenseType");
+  const status = derivedStatus;
+  const license = {
+    id: getString(rootRecord, "id") ?? getString(sourceRecord, "id") ?? getString(sourceRecord, "licenseId") ?? getString(customer, "licenseId") ?? void 0,
+    status,
+    statusLabel,
+    environment: getString(sourceRecord, "environment") ?? getString(sourceRecord, "tier") ?? licenseType ?? void 0,
+    expiresAt: expiresAt ?? null,
+    releaseChannels: releaseChannels ?? [
+      getString(rootRecord, "channelName") ?? getString(rootRecord, "channel") ?? void 0
+    ].filter((value) => Boolean(value)),
+    installMethods,
+    installNotes: getString(sourceRecord, "installNotes"),
+    customerName: getString(sourceRecord, "customerName") ?? getString(customer, "name") ?? void 0,
+    customerId: getString(sourceRecord, "customerId") ?? getString(customer, "id") ?? getString(rootRecord, "customerId") ?? void 0,
+    customerOrganization: getString(customer, "organization") ?? getString(sourceRecord, "customerOrganization") ?? getString(rootRecord, "customerOrganization") ?? void 0,
+    fields
+  };
+  return license;
+};
+var fetchLicenseDetails = defineServerAction({
+  id: "license/fetch-details",
+  description: "Fetches the authenticated user's enterprise license details.",
+  visibility: "customer",
+  tags: ["license", "entitlements"],
+  async run({ token }, context) {
+    if (typeof token !== "string" || token.trim().length === 0) {
+      throw new Error("fetchLicenseDetails requires a non-empty token");
+    }
+    const endpoint = `${getApiOrigin()}/v3/license`;
+    const response = await authenticatedFetch(endpoint, {
+      method: "GET",
+      token,
+      headers: {
+        accept: "application/json"
+      },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      throw new Error(
+        `License request failed (${response.status} ${response.statusText})`
+      );
+    }
+    const payload = await response.json();
+    const license = normalizeLicensePayload(payload);
+    return {
+      license,
+      raw: payload ?? null
+    };
+  }
+});
+var fetchInstallOptions = defineServerAction({
+  id: "license/fetch-install-options",
+  description: "Fetches install options based on license entitlements.",
+  visibility: "customer",
+  tags: ["license", "install"],
+  async run({ token }, context) {
+    if (typeof token !== "string" || token.trim().length === 0) {
+      throw new Error("fetchInstallOptions requires a non-empty token");
+    }
+    const endpoint = `${getApiOrigin()}/v3/license`;
+    const response = await authenticatedFetch(endpoint, {
+      method: "GET",
+      token,
+      headers: {
+        accept: "application/json"
+      },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      throw new Error(
+        `License request failed (${response.status} ${response.statusText})`
+      );
+    }
+    const payload = await response.json();
+    const getBoolean2 = (obj, key) => {
+      if (obj && typeof obj === "object" && key in obj) {
+        const val = obj[key];
+        return val === true || val === "true";
+      }
+      return false;
+    };
+    const license = payload?.license ?? payload ?? {};
+    const showLinux = getBoolean2(license, "isEmbeddedClusterDownloadEnabled");
+    const showHelm = getBoolean2(license, "isHelmInstallEnabled");
+    return {
+      showLinux,
+      showHelm
+    };
+  }
+});
+var fetchLicenseSummary = defineServerAction({
+  id: "license/fetch-summary",
+  description: "Fetches license summary for the license card.",
+  visibility: "customer",
+  tags: ["license"],
+  async run({ token }, context) {
+    if (typeof token !== "string" || token.trim().length === 0) {
+      throw new Error("fetchLicenseSummary requires a non-empty token");
+    }
+    const endpoint = `${getApiOrigin()}/v3/license`;
+    const response = await authenticatedFetch(endpoint, {
+      method: "GET",
+      token,
+      headers: {
+        accept: "application/json"
+      },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      throw new Error(
+        `License request failed (${response.status} ${response.statusText})`
+      );
+    }
+    const payload = await response.json();
+    const license = normalizeLicensePayload(payload);
+    const type = license.environment || "Unknown";
+    const expiresAt = license.expiresAt || null;
+    return {
+      type,
+      expiresAt
+    };
+  }
+});
+var fetchCustomers = defineServerAction({
+  id: "auth/fetch-customers",
+  description: "Fetches the list of customers/teams for the authenticated user.",
+  visibility: "customer",
+  tags: ["auth", "customers"],
+  async run({ token }, context) {
+    if (typeof token !== "string" || token.trim().length === 0) {
+      throw new Error("fetchCustomers requires a non-empty token");
+    }
+    const endpoint = `${getApiOrigin()}/v3/customers`;
+    const response = await authenticatedFetch(endpoint, {
+      method: "GET",
+      token,
+      headers: {
+        accept: "application/json"
+      },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      throw new Error(
+        `Fetch customers request failed (${response.status} ${response.statusText})`
+      );
+    }
+    const payload = await response.json();
+    return {
+      customers: payload.customers || []
+    };
+  }
+});
+var switchCustomer = defineServerAction({
+  id: "auth/switch-customer",
+  description: "Switches the JWT to a different customer/team.",
+  visibility: "customer",
+  tags: ["auth", "customers"],
+  async run({ token, customerId }, context) {
+    if (typeof token !== "string" || token.trim().length === 0) {
+      throw new Error("switchCustomer requires a non-empty token");
+    }
+    if (typeof customerId !== "string" || customerId.trim().length === 0) {
+      throw new Error("switchCustomer requires a non-empty customerId");
+    }
+    const endpoint = `${getApiOrigin()}/v3/select-customer`;
+    const requestBody = { customer_id: customerId };
+    const response = await authenticatedFetch(endpoint, {
+      method: "PUT",
+      token,
+      headers: {
+        "content-type": "application/json",
+        accept: "application/json"
+      },
+      body: JSON.stringify(requestBody),
+      signal: context?.signal
+    });
+    console.log("[portal-components] switchCustomer response status:", response.status);
+    if (!response.ok) {
+      const errorText = await response.text();
+      console.error("[portal-components] switchCustomer error response:", errorText);
+      throw new Error(
+        `Switch customer request failed (${response.status} ${response.statusText}): ${errorText}`
+      );
+    }
+    const payload = await response.json();
+    console.log("[portal-components] switchCustomer response payload:", payload);
+    const newToken = payload.jwt || payload.token || token;
+    console.log("[portal-components] switchCustomer using token field:", payload.jwt ? "jwt" : payload.token ? "token" : "fallback");
+    return {
+      token: newToken
+    };
+  }
+});
+var getSecurityInfo = defineServerAction({
+  id: "security/get-info",
+  description: "Fetches CVE security scan results for a specific release",
+  visibility: "customer",
+  tags: ["security", "cve"],
+  async run({ token, installType, channelSequence, isAirgap = false }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Security info request requires a session token");
+    }
+    const customerId = getCustomerIdFromToken(token);
+    const params = new URLSearchParams({
+      customer_id: customerId,
+      install_type: installType,
+      channel_sequence: channelSequence.toString(),
+      is_airgap: isAirgap.toString()
+    });
+    const url = `${getApiOrigin()}/v3/security-info?${params.toString()}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] fetching security info via %s", url);
+    }
+    const response = await authenticatedFetch(url, {
+      token,
+      headers: { accept: "application/json" },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      throw new Error(
+        `Security info request failed (${response.status} ${response.statusText})`
+      );
+    }
+    const data = await response.json();
+    return data;
+  }
+});
+var getSecurityInfoDiff = defineServerAction({
+  id: "security/get-info-diff",
+  description: "Fetches CVE diff between two releases showing fixed and added vulnerabilities",
+  visibility: "customer",
+  tags: ["security", "cve", "diff"],
+  async run({ token, installType, fromChannelSequence, toChannelSequence, isAirgap = false }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Security info diff request requires a session token");
+    }
+    const customerId = getCustomerIdFromToken(token);
+    const params = new URLSearchParams({
+      customer_id: customerId,
+      install_type: installType,
+      from_channel_sequence: fromChannelSequence.toString(),
+      to_channel_sequence: toChannelSequence.toString(),
+      is_airgap: isAirgap.toString()
+    });
+    const url = `${getApiOrigin()}/v3/security-info-diff?${params.toString()}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] fetching security info diff via %s", url);
+    }
+    const response = await authenticatedFetch(url, {
+      token,
+      headers: { accept: "application/json" },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      throw new Error(
+        `Security info diff request failed (${response.status} ${response.statusText})`
+      );
+    }
+    const data = await response.json();
+    return data;
+  }
+});
+var getSecurityInfoSBOM = defineServerAction({
+  id: "security/get-sbom",
+  description: "Fetches Software Bill of Materials (SBOM) for a specific release",
+  visibility: "customer",
+  tags: ["security", "sbom"],
+  async run({ token, installType, channelSequence, isAirgap = false, unifiedSbom = true }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Security SBOM request requires a session token");
+    }
+    const customerId = getCustomerIdFromToken(token);
+    const params = new URLSearchParams({
+      customer_id: customerId,
+      install_type: installType,
+      channel_sequence: channelSequence.toString(),
+      is_airgap: isAirgap.toString(),
+      unified_sbom: unifiedSbom.toString()
+    });
+    const url = `${getApiOrigin()}/v3/security-info-sbom?${params.toString()}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] fetching security SBOM via %s", url);
+    }
+    const response = await authenticatedFetch(url, {
+      token,
+      headers: { accept: "application/json" },
+      signal: context?.signal
+    });
+    if (response.status === 204) {
+      return { sboms: {} };
+    }
+    if (!response.ok) {
+      throw new Error(
+        `Security SBOM request failed (${response.status} ${response.statusText})`
+      );
+    }
+    const data = await response.json();
+    return data;
+  }
+});
+var fetchTeamStats = defineServerAction({
+  id: "dashboard/fetch-team-stats",
+  description: "Fetches user and service account counts for the dashboard",
+  visibility: "customer",
+  tags: ["dashboard", "team"],
+  async run({ token }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Team stats request requires a session token");
+    }
+    const customerId = getCustomerIdFromToken(token);
+    const origin = getApiOrigin();
+    let userCount = 0;
+    try {
+      const usersUrl = `${origin}/v3/users?exclude_invites=false&customer_id=${encodeURIComponent(customerId)}`;
+      if (process.env.NODE_ENV !== "production") {
+        console.debug("[portal-components] fetching team users via %s", usersUrl);
+      }
+      const usersResponse = await authenticatedFetch(usersUrl, {
+        method: "GET",
+        token,
+        headers: { accept: "application/json" },
+        signal: context?.signal
+      });
+      if (usersResponse.ok) {
+        const usersData = await usersResponse.json();
+        userCount = Array.isArray(usersData.users) ? usersData.users.length : 0;
+      }
+    } catch (error) {
+      console.error("[portal-components] Error fetching users:", error);
+    }
+    let serviceAccountCount = 0;
+    try {
+      const saUrl = `${origin}/v3/service-accounts?customer_id=${encodeURIComponent(customerId)}`;
+      if (process.env.NODE_ENV !== "production") {
+        console.debug("[portal-components] fetching service accounts via %s", saUrl);
+      }
+      const saResponse = await authenticatedFetch(saUrl, {
+        method: "GET",
+        token,
+        headers: { accept: "application/json" },
+        signal: context?.signal
+      });
+      if (saResponse.ok) {
+        const saData = await saResponse.json();
+        serviceAccountCount = Array.isArray(saData.serviceAccounts) ? saData.serviceAccounts.length : 0;
+      }
+    } catch (error) {
+      console.error("[portal-components] Error fetching service accounts:", error);
+    }
+    return {
+      userCount,
+      serviceAccountCount
+    };
+  }
+});
+var fetchDashboardInstances = defineServerAction({
+  id: "dashboard/fetch-instances",
+  description: "Fetches instance counts and update availability for the dashboard",
+  visibility: "customer",
+  tags: ["dashboard", "instances", "updates"],
+  async run({ token }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Dashboard instances request requires a session token");
+    }
+    const customerId = getCustomerIdFromToken(token);
+    const origin = getApiOrigin();
+    const instancesUrl = `${origin}/v3/instances?customer_id=${encodeURIComponent(customerId)}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] fetching instances via %s", instancesUrl);
+    }
+    const instancesResponse = await authenticatedFetch(instancesUrl, {
+      method: "GET",
+      token,
+      headers: { accept: "application/json" },
+      signal: context?.signal
+    });
+    if (!instancesResponse.ok) {
+      throw new Error(
+        `Instances request failed (${instancesResponse.status} ${instancesResponse.statusText})`
+      );
+    }
+    const instancesData = await instancesResponse.json();
+    const allInstances = instancesData.instances || [];
+    const onlineInstances = allInstances.filter((i) => !i.isAirgap);
+    const airgapInstances = allInstances.filter((i) => i.isAirgap);
+    const twentyFourHoursAgo = Date.now() - 24 * 60 * 60 * 1e3;
+    const activeOnlineInstances = onlineInstances.filter((instance) => {
+      const lastCheckin = instance.lastCheckin ? new Date(instance.lastCheckin).getTime() : 0;
+      return lastCheckin > twentyFourHoursAgo;
+    });
+    const onlineActiveCount = activeOnlineInstances.length;
+    const airgapCount = airgapInstances.length;
+    let channelReleases = [];
+    try {
+      const releasesUrl = `${origin}/v3/channel-releases?customer_id=${encodeURIComponent(customerId)}`;
+      if (process.env.NODE_ENV !== "production") {
+        console.debug("[portal-components] fetching channel releases via %s", releasesUrl);
+      }
+      const releasesResponse = await authenticatedFetch(releasesUrl, {
+        method: "GET",
+        token,
+        headers: { accept: "application/json" },
+        signal: context?.signal
+      });
+      if (releasesResponse.ok) {
+        const releasesData = await releasesResponse.json();
+        channelReleases = releasesData.channelReleases || [];
+      }
+    } catch (error) {
+      console.error("[portal-components] Error fetching channel releases:", error);
+    }
+    const calculateUpdates = (instances) => {
+      if (!channelReleases.length) return 0;
+      let numUpdates = 0;
+      for (const instance of instances) {
+        const instanceSequence = instance.channelSequence ?? 0;
+        const matchingReleases = channelReleases.filter(
+          (release) => release.channelId === instance.channelId
+        );
+        for (const release of matchingReleases) {
+          if (release.channelSequence > instanceSequence) {
+            numUpdates++;
+          }
+        }
+      }
+      return numUpdates;
+    };
+    const onlineUpdates = calculateUpdates(activeOnlineInstances);
+    const airgapUpdates = calculateUpdates(airgapInstances);
+    return {
+      onlineActiveCount,
+      airgapCount,
+      onlineUpdates,
+      airgapUpdates
+    };
+  }
+});
+var fetchCurrentUser = defineServerAction({
+  id: "user/fetch-current",
+  description: "Fetches the current user's profile information",
+  visibility: "customer",
+  tags: ["user", "profile"],
+  async run({ token }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Fetch current user requires a session token");
+    }
+    const endpoint = `${getApiOrigin()}/v3/user`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] fetching current user via %s", endpoint);
+    }
+    const response = await authenticatedFetch(endpoint, {
+      method: "GET",
+      token,
+      headers: { accept: "application/json" },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      throw new Error(
+        `Fetch current user request failed (${response.status} ${response.statusText})`
+      );
+    }
+    const data = await response.json();
+    return {
+      user: {
+        emailAddress: data.emailAddress || "",
+        firstName: data.firstName || "",
+        lastName: data.lastName || ""
+      }
+    };
+  }
+});
+var updateUser = defineServerAction({
+  id: "user/update",
+  description: "Updates the current user's first and/or last name",
+  visibility: "customer",
+  tags: ["user", "profile"],
+  async run({ token, firstName, lastName }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Update user requires a session token");
+    }
+    if (!firstName && !lastName) {
+      throw new Error("At least one of firstName or lastName must be provided");
+    }
+    const endpoint = `${getApiOrigin()}/v3/user`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] updating user via %s", endpoint);
+    }
+    const body = {};
+    if (firstName !== void 0) body.firstName = firstName;
+    if (lastName !== void 0) body.lastName = lastName;
+    const response = await authenticatedFetch(endpoint, {
+      method: "POST",
+      token,
+      headers: {
+        "content-type": "application/json",
+        accept: "application/json"
+      },
+      body: JSON.stringify(body),
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      const errorText = await response.text().catch(() => "");
+      throw new Error(
+        `Update user request failed (${response.status} ${response.statusText}): ${errorText}`
+      );
+    }
+    return { success: true };
+  }
+});
+var fetchNotifications = defineServerAction({
+  id: "notifications/fetch",
+  description: "Fetches notification preferences for a specific team",
+  visibility: "customer",
+  tags: ["notifications", "user"],
+  async run({ token, customerId }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Fetch notifications requires a session token");
+    }
+    if (!customerId || typeof customerId !== "string") {
+      throw new Error("Fetch notifications requires a customerId");
+    }
+    const endpoint = `${getApiOrigin()}/v3/notifications?customer_id=${encodeURIComponent(customerId)}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] fetching notifications via %s", endpoint);
+    }
+    const response = await authenticatedFetch(endpoint, {
+      method: "GET",
+      token,
+      headers: { accept: "application/json" },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      throw new Error(
+        `Fetch notifications request failed (${response.status} ${response.statusText})`
+      );
+    }
+    const data = await response.json();
+    return {
+      notifications: data.notifications || []
+    };
+  }
+});
+var updateNotifications = defineServerAction({
+  id: "notifications/update",
+  description: "Updates notification preferences for a specific team",
+  visibility: "customer",
+  tags: ["notifications", "user"],
+  async run({ token, customerId, notifications }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Update notifications requires a session token");
+    }
+    if (!customerId || typeof customerId !== "string") {
+      throw new Error("Update notifications requires a customerId");
+    }
+    if (!Array.isArray(notifications)) {
+      throw new Error("Update notifications requires a notifications array");
+    }
+    const endpoint = `${getApiOrigin()}/v3/notifications?customer_id=${encodeURIComponent(customerId)}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] updating notifications via %s", endpoint);
+    }
+    const response = await authenticatedFetch(endpoint, {
+      method: "PUT",
+      token,
+      headers: {
+        "content-type": "application/json",
+        accept: "application/json"
+      },
+      body: JSON.stringify({ notifications }),
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      const errorText = await response.text().catch(() => "");
+      throw new Error(
+        `Update notifications request failed (${response.status} ${response.statusText}): ${errorText}`
+      );
+    }
+    const data = await response.json();
+    return {
+      notifications: data.notifications || []
+    };
+  }
+});
+var fetchTeamUsers = defineServerAction({
+  id: "team/fetch-users",
+  description: "Fetches paginated list of team users and pending invites",
+  visibility: "customer",
+  tags: ["team", "users"],
+  async run({ token, limit = 25, offset = 0 }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Fetch team users requires a session token");
+    }
+    const customerId = getCustomerIdFromToken(token);
+    const params = new URLSearchParams({
+      customer_id: customerId,
+      limit: limit.toString(),
+      offset: offset.toString()
+    });
+    const endpoint = `${getApiOrigin()}/v3/users?${params.toString()}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] fetching team users via %s", endpoint);
+    }
+    const response = await authenticatedFetch(endpoint, {
+      method: "GET",
+      token,
+      headers: { accept: "application/json" },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      throw new Error(
+        `Fetch team users request failed (${response.status} ${response.statusText})`
+      );
+    }
+    const data = await response.json();
+    return {
+      users: data.users || [],
+      total: data.total || 0
+    };
+  }
+});
+var inviteUser = defineServerAction({
+  id: "team/invite-user",
+  description: "Sends an invitation email to join the team",
+  visibility: "customer",
+  tags: ["team", "users", "invite"],
+  async run({ token, email }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Invite user requires a session token");
+    }
+    if (!email || typeof email !== "string") {
+      throw new Error("Invite user requires an email address");
+    }
+    const customerId = getCustomerIdFromToken(token);
+    const params = new URLSearchParams({
+      customer_id: customerId,
+      email_address: email
+    });
+    const endpoint = `${getApiOrigin()}/v3/invite?${params.toString()}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] inviting user via %s", endpoint);
+    }
+    const response = await authenticatedFetch(endpoint, {
+      method: "POST",
+      token,
+      headers: { accept: "application/json" },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      let errorMessage = "Failed to invite user";
+      try {
+        const data = await response.json();
+        errorMessage = data.message || data.error || errorMessage;
+      } catch {
+      }
+      throw new Error(errorMessage);
+    }
+    return { success: true };
+  }
+});
+var deleteUser = defineServerAction({
+  id: "team/delete-user",
+  description: "Removes a user from the team",
+  visibility: "customer",
+  tags: ["team", "users", "delete"],
+  async run({ token, email }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Delete user requires a session token");
+    }
+    if (!email || typeof email !== "string") {
+      throw new Error("Delete user requires an email address");
+    }
+    const customerId = getCustomerIdFromToken(token);
+    const params = new URLSearchParams({
+      customer_id: customerId,
+      email_address: email
+    });
+    const endpoint = `${getApiOrigin()}/v3/user?${params.toString()}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] deleting user via %s", endpoint);
+    }
+    const response = await authenticatedFetch(endpoint, {
+      method: "DELETE",
+      token,
+      headers: { accept: "application/json" },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      let errorMessage = "Failed to delete user";
+      try {
+        const data = await response.json();
+        errorMessage = data.message || data.error || errorMessage;
+      } catch {
+      }
+      throw new Error(errorMessage);
+    }
+    return { success: true };
+  }
+});
+var fetchServiceAccounts = defineServerAction({
+  id: "team/fetch-service-accounts",
+  description: "Fetches paginated list of service accounts",
+  visibility: "customer",
+  tags: ["team", "service-accounts"],
+  async run({ token, limit = 50, offset = 0, includeRevoked = false }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Fetch service accounts requires a session token");
+    }
+    const customerId = getCustomerIdFromToken(token);
+    const params = new URLSearchParams({
+      customer_id: customerId,
+      limit: limit.toString(),
+      offset: offset.toString()
+    });
+    if (!includeRevoked) {
+      params.set("filterRevoked", "false");
+    }
+    const endpoint = `${getApiOrigin()}/v3/service-accounts?${params.toString()}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] fetching service accounts via %s", endpoint);
+    }
+    const response = await authenticatedFetch(endpoint, {
+      method: "GET",
+      token,
+      headers: { accept: "application/json" },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      throw new Error(
+        `Fetch service accounts request failed (${response.status} ${response.statusText})`
+      );
+    }
+    const data = await response.json();
+    return {
+      serviceAccounts: data.serviceAccounts || [],
+      total: data.total || 0
+    };
+  }
+});
+var revokeServiceAccount = defineServerAction({
+  id: "team/revoke-service-account",
+  description: "Revokes a service account (soft delete)",
+  visibility: "customer",
+  tags: ["team", "service-accounts", "revoke"],
+  async run({ token, accountId }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Revoke service account requires a session token");
+    }
+    if (!accountId || typeof accountId !== "string") {
+      throw new Error("Revoke service account requires an account ID");
+    }
+    const customerId = getCustomerIdFromToken(token);
+    const endpoint = `${getApiOrigin()}/v3/service-account/${encodeURIComponent(accountId)}?customer_id=${encodeURIComponent(customerId)}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] revoking service account via %s", endpoint);
+    }
+    const response = await authenticatedFetch(endpoint, {
+      method: "DELETE",
+      token,
+      headers: { accept: "application/json" },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      let errorMessage = "Failed to revoke service account";
+      try {
+        const data = await response.json();
+        errorMessage = data.message || data.error || errorMessage;
+      } catch {
+      }
+      throw new Error(errorMessage);
+    }
+    return { success: true };
+  }
+});
+var rotateServiceAccountToken = defineServerAction({
+  id: "team/rotate-service-account-token",
+  description: "Generates a new token for a service account",
+  visibility: "customer",
+  tags: ["team", "service-accounts", "rotate"],
+  async run({ token, accountId }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Rotate service account token requires a session token");
+    }
+    if (!accountId || typeof accountId !== "string") {
+      throw new Error("Rotate service account token requires an account ID");
+    }
+    const customerId = getCustomerIdFromToken(token);
+    const endpoint = `${getApiOrigin()}/v3/service-account/${encodeURIComponent(accountId)}/rotate-token?customer_id=${encodeURIComponent(customerId)}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] rotating service account token via %s", endpoint);
+    }
+    const response = await authenticatedFetch(endpoint, {
+      method: "POST",
+      token,
+      headers: { accept: "application/json" },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      let errorMessage = "Failed to rotate service account token";
+      try {
+        const data2 = await response.json();
+        errorMessage = data2.message || data2.error || errorMessage;
+      } catch {
+      }
+      throw new Error(errorMessage);
+    }
+    const data = await response.json();
+    return {
+      serviceAccount: data.service_account,
+      helmLoginCommand: data.helm_login_cmd || "",
+      redeployHelm: data.redeploy_helm || []
+    };
+  }
+});
+var fetchInstances = defineServerAction({
+  id: "team/fetch-instances",
+  description: "Fetches instances to determine service account usage",
+  visibility: "customer",
+  tags: ["team", "instances"],
+  async run({ token }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Fetch instances requires a session token");
+    }
+    const customerId = getCustomerIdFromToken(token);
+    const endpoint = `${getApiOrigin()}/v3/instances?customer_id=${encodeURIComponent(customerId)}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] fetching instances via %s", endpoint);
+    }
+    const response = await authenticatedFetch(endpoint, {
+      method: "GET",
+      token,
+      headers: { accept: "application/json" },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      throw new Error(
+        `Fetch instances request failed (${response.status} ${response.statusText})`
+      );
+    }
+    const data = await response.json();
+    return {
+      instances: data.instances || []
+    };
+  }
+});
+var fetchSamlConfig = defineServerAction({
+  id: "team/fetch-saml-config",
+  description: "Fetches SAML SSO configuration for the team",
+  visibility: "customer",
+  tags: ["team", "saml"],
+  async run({ token }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Fetch SAML config requires a session token");
+    }
+    const customerId = getCustomerIdFromToken(token);
+    const endpoint = `${getApiOrigin()}/v3/customer/saml/config?customer_id=${encodeURIComponent(customerId)}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] fetching SAML config via %s", endpoint);
+    }
+    const response = await authenticatedFetch(endpoint, {
+      method: "GET",
+      token,
+      headers: { accept: "application/json" },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      throw new Error(
+        `Fetch SAML config request failed (${response.status} ${response.statusText})`
+      );
+    }
+    const data = await response.json();
+    return {
+      config: {
+        samlAllowed: data.samlAllowed || false,
+        samlEnabled: data.samlEnabled || false,
+        entityId: data.entityId || "",
+        acsUrl: data.acsUrl || "",
+        hasIdpMetadata: data.hasIdpMetadata || false,
+        hasIdpCert: data.hasIdpCert || false
+      }
+    };
+  }
+});
+var updateSamlConfig = defineServerAction({
+  id: "team/update-saml-config",
+  description: "Uploads IdP metadata and certificate for SAML SSO",
+  visibility: "customer",
+  tags: ["team", "saml", "update"],
+  async run({ token, idpMetadataXml, idpPublicCert }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Update SAML config requires a session token");
+    }
+    if (!idpMetadataXml || !idpPublicCert) {
+      throw new Error("Both IdP metadata and certificate are required");
+    }
+    const customerId = getCustomerIdFromToken(token);
+    const endpoint = `${getApiOrigin()}/v3/customer/saml/config?customer_id=${encodeURIComponent(customerId)}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] updating SAML config via %s", endpoint);
+    }
+    const response = await authenticatedFetch(endpoint, {
+      method: "PUT",
+      token,
+      headers: {
+        "content-type": "application/json",
+        accept: "application/json"
+      },
+      body: JSON.stringify({
+        idpMetadataXml,
+        idpPublicCert
+      }),
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      let errorMessage = "Failed to update SAML configuration";
+      try {
+        const data = await response.json();
+        errorMessage = data.message || data.error || errorMessage;
+      } catch {
+      }
+      throw new Error(errorMessage);
+    }
+    return { success: true };
+  }
+});
+var toggleSamlEnabled = defineServerAction({
+  id: "team/toggle-saml-enabled",
+  description: "Enables or disables SAML authentication",
+  visibility: "customer",
+  tags: ["team", "saml", "toggle"],
+  async run({ token, enabled }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Toggle SAML enabled requires a session token");
+    }
+    const customerId = getCustomerIdFromToken(token);
+    const endpoint = `${getApiOrigin()}/v3/customer/saml/enable?customer_id=${encodeURIComponent(customerId)}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] toggling SAML enabled via %s", endpoint);
+    }
+    const response = await authenticatedFetch(endpoint, {
+      method: "PUT",
+      token,
+      headers: {
+        "content-type": "application/json",
+        accept: "application/json"
+      },
+      body: JSON.stringify({ enabled }),
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      let errorMessage = "Failed to toggle SAML";
+      try {
+        const data2 = await response.json();
+        errorMessage = data2.message || data2.error || errorMessage;
+      } catch {
+      }
+      throw new Error(errorMessage);
+    }
+    const data = await response.json();
+    return {
+      success: true,
+      samlEnabled: data.samlEnabled || enabled
+    };
+  }
+});
+var deprovisionSaml = defineServerAction({
+  id: "team/deprovision-saml",
+  description: "Removes all SAML configuration",
+  visibility: "customer",
+  tags: ["team", "saml", "delete"],
+  async run({ token }, context) {
+    if (!token || typeof token !== "string") {
+      throw new Error("Deprovision SAML requires a session token");
+    }
+    const customerId = getCustomerIdFromToken(token);
+    const endpoint = `${getApiOrigin()}/v3/customer/saml/config?customer_id=${encodeURIComponent(customerId)}`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] deprovisioning SAML via %s", endpoint);
+    }
+    const response = await authenticatedFetch(endpoint, {
+      method: "DELETE",
+      token,
+      headers: { accept: "application/json" },
+      signal: context?.signal
+    });
+    if (!response.ok) {
+      let errorMessage = "Failed to remove SAML configuration";
+      try {
+        const data = await response.json();
+        errorMessage = data.message || data.error || errorMessage;
+      } catch {
+      }
+      throw new Error(errorMessage);
+    }
+    return { success: true };
+  }
+});
+var acceptInvite = defineServerAction({
+  id: "auth/accept-invite",
+  description: "Accepts a team invitation and returns a session token",
+  visibility: "customer",
+  tags: ["auth", "invite", "join"],
+  async run({ code }) {
+    if (!code || typeof code !== "string") {
+      const error = {
+        code: "invalid_code",
+        message: "Invite code is required"
+      };
+      throw error;
+    }
+    const endpoint = `${getApiOrigin()}/v3/invite/accept`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] accepting invite via %s", endpoint);
+    }
+    const response = await fetch(endpoint, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        accept: "application/json"
+      },
+      body: JSON.stringify({ code })
+    });
+    if (!response.ok) {
+      if (response.status === 404) {
+        const error2 = {
+          code: "invalid_code",
+          message: "Invalid or expired invite code. Please check your code and try again."
+        };
+        throw error2;
+      }
+      let errorMessage = "Failed to accept invitation";
+      try {
+        const data = await response.json();
+        errorMessage = data.message || data.error || errorMessage;
+      } catch {
+      }
+      const error = {
+        code: "unknown",
+        message: errorMessage
+      };
+      throw error;
+    }
+    const payload = await response.json();
+    const token = payload?.jwt ?? payload?.token;
+    if (typeof token !== "string") {
+      throw new Error("Invite accepted but no token returned");
+    }
+    return { token };
+  }
+});
+var refreshInvite = defineServerAction({
+  id: "auth/refresh-invite",
+  description: "Refreshes an expired invite and resends the invitation email",
+  visibility: "customer",
+  tags: ["auth", "invite", "refresh"],
+  async run({ code }) {
+    if (!code || typeof code !== "string") {
+      throw new Error("Invite code is required");
+    }
+    const endpoint = `${getApiOrigin()}/v3/invite/refresh`;
+    if (process.env.NODE_ENV !== "production") {
+      console.debug("[portal-components] refreshing invite via %s", endpoint);
+    }
+    const response = await fetch(endpoint, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        accept: "application/json"
+      },
+      body: JSON.stringify({ code })
+    });
+    if (!response.ok) {
+      let errorMessage = "Failed to refresh invitation";
+      try {
+        const data = await response.json();
+        errorMessage = data.message || data.error || errorMessage;
+      } catch {
+      }
+      throw new Error(errorMessage);
+    }
+    return { success: true };
+  }
+});
 
+exports.acceptInvite = acceptInvite;
+exports.createServiceAccount = createServiceAccount;
+exports.decodeJwtPayload = decodeJwtPayload;
 exports.defineServerAction = defineServerAction;
+exports.deleteSupportBundle = deleteSupportBundle;
+exports.deleteUser = deleteUser;
+exports.deprovisionSaml = deprovisionSaml;
+exports.downloadSupportBundle = downloadSupportBundle;
+exports.fetchCurrentUser = fetchCurrentUser;
+exports.fetchCustomBranding = fetchCustomBranding;
+exports.fetchCustomers = fetchCustomers;
+exports.fetchDashboardInstances = fetchDashboardInstances;
+exports.fetchInstallOptions = fetchInstallOptions;
+exports.fetchInstances = fetchInstances;
+exports.fetchLicenseDetails = fetchLicenseDetails;
+exports.fetchLicenseSummary = fetchLicenseSummary;
+exports.fetchNotifications = fetchNotifications;
+exports.fetchSamlConfig = fetchSamlConfig;
+exports.fetchServiceAccounts = fetchServiceAccounts;
+exports.fetchTeamStats = fetchTeamStats;
+exports.fetchTeamUsers = fetchTeamUsers;
+exports.getApiOrigin = getApiOrigin;
+exports.getCustomerIdFromToken = getCustomerIdFromToken;
+exports.getSecurityInfo = getSecurityInfo;
+exports.getSecurityInfoDiff = getSecurityInfoDiff;
+exports.getSecurityInfoSBOM = getSecurityInfoSBOM;
+exports.getSupportBundleUploadUrl = getSupportBundleUploadUrl;
+exports.initiateLogin = initiateLogin;
+exports.inviteUser = inviteUser;
+exports.listReleases = listReleases;
+exports.listSupportBundles = listSupportBundles;
+exports.refreshInvite = refreshInvite;
+exports.revokeServiceAccount = revokeServiceAccount;
+exports.rotateServiceAccountToken = rotateServiceAccountToken;
+exports.switchCustomer = switchCustomer;
+exports.toggleSamlEnabled = toggleSamlEnabled;
+exports.updateNotifications = updateNotifications;
+exports.updateSamlConfig = updateSamlConfig;
+exports.updateUser = updateUser;
+exports.uploadSupportBundle = uploadSupportBundle;
+exports.verifyMagicLink = verifyMagicLink;
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map