@rio.js/enterprise 1.4.0

package/dist/json-oFuWgANh-O1U6k3bL.mjs

@@ -0,0 +1,3811 @@
+import { f as logger, g as BetterAuthError } from "./env-DwlNAN_D-C1zHd0cf-Cdlw8sNp.mjs";
+import { B as uint32be, C as JOSENotSupported, E as JWKInvalid, F as decode, H as base64, I as encode, L as concat, M as JWTClaimValidationFailed, P as JWTInvalid, R as decoder, T as JWEInvalid, U as base64Url, V as uint64be, _ as isKeyLike, a as subtleAlgorithm, b as checkEncCryptoKey, c as isJWK, d as importJWK, f as checkKeyLength, g as isCryptoKey, h as assertCryptoKey, i as getSigKey, j as JWSInvalid, l as validateAlgorithms, m as isDisjoint, n as JWTClaimsBuilder, o as checkKeyType, p as isObject, r as validateClaimsSet, s as normalizeKey, t as jwtVerify, u as validateCrit, v as isKeyObject, w as JWEDecryptionFailed, x as JOSEAlgNotAllowed, y as invalidKeyInput, z as encode$1 } from "./verify-CN5Qc0e-.mjs";
+import { APIError } from "better-call";
+import * as z$2 from "zod";
+
+//#region ../better-auth/dist/context-BcO8kAU0-Crm4egyw.mjs
+const AsyncLocalStoragePromise = import(
+	/* @vite-ignore */
+	/* webpackIgnore: true */
+	"node:async_hooks"
+).then((mod) => mod.AsyncLocalStorage).catch((err) => {
+	if ("AsyncLocalStorage" in globalThis) return globalThis.AsyncLocalStorage;
+	console.warn("[better-auth] Warning: AsyncLocalStorage is not available in this environment. Some features may not work as expected.");
+	console.warn("[better-auth] Please read more about this warning at https://better-auth.com/docs/installation#mount-handler");
+	console.warn("[better-auth] If you are using Cloudflare Workers, please see: https://developers.cloudflare.com/workers/configuration/compatibility-flags/#nodejs-compatibility-flag");
+	throw err;
+});
+async function getAsyncLocalStorage() {
+	return AsyncLocalStoragePromise;
+}
+let currentContextAsyncStorage$1 = null;
+const ensureAsyncStorage$3 = async () => {
+	if (!currentContextAsyncStorage$1) currentContextAsyncStorage$1 = new (await (getAsyncLocalStorage()))();
+	return currentContextAsyncStorage$1;
+};
+async function getCurrentAuthContext() {
+	const context = (await ensureAsyncStorage$3()).getStore();
+	if (!context) throw new Error("No auth context found. Please make sure you are calling this function within a `runWithEndpointContext` callback.");
+	return context;
+}
+async function runWithEndpointContext(context, fn) {
+	return (await ensureAsyncStorage$3()).run(context, fn);
+}
+let requestStateAsyncStorage = null;
+const ensureAsyncStorage$2 = async () => {
+	if (!requestStateAsyncStorage) requestStateAsyncStorage = new (await (getAsyncLocalStorage()))();
+	return requestStateAsyncStorage;
+};
+async function hasRequestState() {
+	return (await ensureAsyncStorage$2()).getStore() !== void 0;
+}
+async function getCurrentRequestState() {
+	const store = (await ensureAsyncStorage$2()).getStore();
+	if (!store) throw new Error("No request state found. Please make sure you are calling this function within a `runWithRequestState` callback.");
+	return store;
+}
+async function runWithRequestState(store, fn) {
+	return (await ensureAsyncStorage$2()).run(store, fn);
+}
+function defineRequestState(initFn) {
+	const ref = Object.freeze({});
+	return {
+		get ref() {
+			return ref;
+		},
+		async get() {
+			const store = await getCurrentRequestState();
+			if (!store.has(ref)) {
+				const initialValue = await initFn();
+				store.set(ref, initialValue);
+				return initialValue;
+			}
+			return store.get(ref);
+		},
+		async set(value) {
+			(await getCurrentRequestState()).set(ref, value);
+		}
+	};
+}
+let currentAdapterAsyncStorage = null;
+const ensureAsyncStorage$1 = async () => {
+	if (!currentAdapterAsyncStorage) currentAdapterAsyncStorage = new (await (getAsyncLocalStorage()))();
+	return currentAdapterAsyncStorage;
+};
+const getCurrentAdapter = async (fallback) => {
+	return ensureAsyncStorage$1().then((als) => {
+		return als.getStore() || fallback;
+	}).catch(() => {
+		return fallback;
+	});
+};
+async function getCurrentTransactionAdapter() {
+	return getCurrentAdapter((await getCurrentAuthContext()).context.adapter);
+}
+const runWithAdapter = async (adapter, fn) => {
+	let called = true;
+	return ensureAsyncStorage$1().then((als) => {
+		called = true;
+		return als.run(adapter, fn);
+	}).catch((err) => {
+		if (!called) return fn();
+		throw err;
+	});
+};
+const runWithTransaction = async (adapter, fn) => {
+	let called = true;
+	return ensureAsyncStorage$1().then((als) => {
+		called = true;
+		return adapter.transaction(async (trx) => {
+			return als.run(trx, fn);
+		});
+	}).catch((err) => {
+		if (!called) return fn();
+		throw err;
+	});
+};
+let currentContextAsyncStorage = null;
+const ensureAsyncStorage = async () => {
+	if (!currentContextAsyncStorage) currentContextAsyncStorage = new (await (getAsyncLocalStorage()))();
+	return currentContextAsyncStorage;
+};
+async function getCurrentGraphContext(graphAdapter) {
+	const context = (await ensureAsyncStorage()).getStore();
+	if (context) return context;
+	if (graphAdapter) return graphAdapter;
+	throw new Error("No graph context found. Please make sure you are calling this function within a `runWithEndpointContext` callback.");
+}
+async function runWithGraphContext(adapter, fn) {
+	const als = await ensureAsyncStorage();
+	const transactionAdapter = adapter.transaction();
+	console.log("running with graph id", transactionAdapter.id);
+	const result = await als.run(transactionAdapter, fn);
+	console.log("committing graph transaction", transactionAdapter.id);
+	await transactionAdapter.commit();
+	return result;
+}
+function withTransaction(endpoint) {
+	return async (ctx) => {
+		return await runWithTransaction(ctx.context.adapter, async () => {
+			return await runWithGraphContext(ctx.context.graphAdapter, async () => {
+				return await endpoint(ctx);
+			});
+		});
+	};
+}
+function runWithGraphTransaction(dbAdapter, graphAdapter, fn) {
+	console.log("running with graph transaction", dbAdapter.id, graphAdapter.id);
+	return runWithTransaction(dbAdapter, async () => {
+		return await runWithGraphContext(graphAdapter, fn);
+	});
+}
+async function authorize(ctx, subjectType, subjectId, permissionName, objectType, objectId, message) {
+	const graphAdapter = await getCurrentGraphContext(ctx.context.graphAdapter);
+	if (ctx.context.options.graph?.enabled) {
+		if (!await graphAdapter.check(subjectType, subjectId, permissionName, objectType, objectId)) throw new APIError("FORBIDDEN", { message });
+	}
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/lib/iv.js
+function bitLength(alg$1) {
+	switch (alg$1) {
+		case "A128GCM":
+		case "A128GCMKW":
+		case "A192GCM":
+		case "A192GCMKW":
+		case "A256GCM":
+		case "A256GCMKW": return 96;
+		case "A128CBC-HS256":
+		case "A192CBC-HS384":
+		case "A256CBC-HS512": return 128;
+		default: throw new JOSENotSupported(`Unsupported JWE Algorithm: ${alg$1}`);
+	}
+}
+const generateIv = (alg$1) => crypto.getRandomValues(new Uint8Array(bitLength(alg$1) >> 3));
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/lib/check_iv_length.js
+function checkIvLength(enc$1, iv) {
+	if (iv.length << 3 !== bitLength(enc$1)) throw new JWEInvalid("Invalid Initialization Vector length");
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/lib/check_cek_length.js
+function checkCekLength(cek, expected) {
+	const actual = cek.byteLength << 3;
+	if (actual !== expected) throw new JWEInvalid(`Invalid Content Encryption Key length. Expected ${expected} bits, got ${actual} bits`);
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/lib/decrypt.js
+async function timingSafeEqual(a, b) {
+	if (!(a instanceof Uint8Array)) throw new TypeError("First argument must be a buffer");
+	if (!(b instanceof Uint8Array)) throw new TypeError("Second argument must be a buffer");
+	const algorithm = {
+		name: "HMAC",
+		hash: "SHA-256"
+	};
+	const key = await crypto.subtle.generateKey(algorithm, false, ["sign"]);
+	const aHmac = new Uint8Array(await crypto.subtle.sign(algorithm, key, a));
+	const bHmac = new Uint8Array(await crypto.subtle.sign(algorithm, key, b));
+	let out = 0;
+	let i = -1;
+	while (++i < 32) out |= aHmac[i] ^ bHmac[i];
+	return out === 0;
+}
+async function cbcDecrypt(enc$1, cek, ciphertext, iv, tag, aad) {
+	if (!(cek instanceof Uint8Array)) throw new TypeError(invalidKeyInput(cek, "Uint8Array"));
+	const keySize = parseInt(enc$1.slice(1, 4), 10);
+	const encKey = await crypto.subtle.importKey("raw", cek.subarray(keySize >> 3), "AES-CBC", false, ["decrypt"]);
+	const macKey = await crypto.subtle.importKey("raw", cek.subarray(0, keySize >> 3), {
+		hash: `SHA-${keySize << 1}`,
+		name: "HMAC"
+	}, false, ["sign"]);
+	const macData = concat(aad, iv, ciphertext, uint64be(aad.length << 3));
+	const expectedTag = new Uint8Array((await crypto.subtle.sign("HMAC", macKey, macData)).slice(0, keySize >> 3));
+	let macCheckPassed;
+	try {
+		macCheckPassed = await timingSafeEqual(tag, expectedTag);
+	} catch {}
+	if (!macCheckPassed) throw new JWEDecryptionFailed();
+	let plaintext;
+	try {
+		plaintext = new Uint8Array(await crypto.subtle.decrypt({
+			iv,
+			name: "AES-CBC"
+		}, encKey, ciphertext));
+	} catch {}
+	if (!plaintext) throw new JWEDecryptionFailed();
+	return plaintext;
+}
+async function gcmDecrypt(enc$1, cek, ciphertext, iv, tag, aad) {
+	let encKey;
+	if (cek instanceof Uint8Array) encKey = await crypto.subtle.importKey("raw", cek, "AES-GCM", false, ["decrypt"]);
+	else {
+		checkEncCryptoKey(cek, enc$1, "decrypt");
+		encKey = cek;
+	}
+	try {
+		return new Uint8Array(await crypto.subtle.decrypt({
+			additionalData: aad,
+			iv,
+			name: "AES-GCM",
+			tagLength: 128
+		}, encKey, concat(ciphertext, tag)));
+	} catch {
+		throw new JWEDecryptionFailed();
+	}
+}
+async function decrypt(enc$1, cek, ciphertext, iv, tag, aad) {
+	if (!isCryptoKey(cek) && !(cek instanceof Uint8Array)) throw new TypeError(invalidKeyInput(cek, "CryptoKey", "KeyObject", "Uint8Array", "JSON Web Key"));
+	if (!iv) throw new JWEInvalid("JWE Initialization Vector missing");
+	if (!tag) throw new JWEInvalid("JWE Authentication Tag missing");
+	checkIvLength(enc$1, iv);
+	switch (enc$1) {
+		case "A128CBC-HS256":
+		case "A192CBC-HS384":
+		case "A256CBC-HS512":
+			if (cek instanceof Uint8Array) checkCekLength(cek, parseInt(enc$1.slice(-3), 10));
+			return cbcDecrypt(enc$1, cek, ciphertext, iv, tag, aad);
+		case "A128GCM":
+		case "A192GCM":
+		case "A256GCM":
+			if (cek instanceof Uint8Array) checkCekLength(cek, parseInt(enc$1.slice(1, 4), 10));
+			return gcmDecrypt(enc$1, cek, ciphertext, iv, tag, aad);
+		default: throw new JOSENotSupported("Unsupported JWE Content Encryption Algorithm");
+	}
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/lib/aeskw.js
+function checkKeySize(key, alg$1) {
+	if (key.algorithm.length !== parseInt(alg$1.slice(1, 4), 10)) throw new TypeError(`Invalid key size for alg: ${alg$1}`);
+}
+function getCryptoKey$1(key, alg$1, usage) {
+	if (key instanceof Uint8Array) return crypto.subtle.importKey("raw", key, "AES-KW", true, [usage]);
+	checkEncCryptoKey(key, alg$1, usage);
+	return key;
+}
+async function wrap$2(alg$1, key, cek) {
+	const cryptoKey = await getCryptoKey$1(key, alg$1, "wrapKey");
+	checkKeySize(cryptoKey, alg$1);
+	const cryptoKeyCek = await crypto.subtle.importKey("raw", cek, {
+		hash: "SHA-256",
+		name: "HMAC"
+	}, true, ["sign"]);
+	return new Uint8Array(await crypto.subtle.wrapKey("raw", cryptoKeyCek, cryptoKey, "AES-KW"));
+}
+async function unwrap$2(alg$1, key, encryptedKey) {
+	const cryptoKey = await getCryptoKey$1(key, alg$1, "unwrapKey");
+	checkKeySize(cryptoKey, alg$1);
+	const cryptoKeyCek = await crypto.subtle.unwrapKey("raw", encryptedKey, cryptoKey, "AES-KW", {
+		hash: "SHA-256",
+		name: "HMAC"
+	}, true, ["sign"]);
+	return new Uint8Array(await crypto.subtle.exportKey("raw", cryptoKeyCek));
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/lib/digest.js
+async function digest(algorithm, data) {
+	const subtleDigest = `SHA-${algorithm.slice(-3)}`;
+	return new Uint8Array(await crypto.subtle.digest(subtleDigest, data));
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/lib/ecdhes.js
+function lengthAndInput(input) {
+	return concat(uint32be(input.length), input);
+}
+async function concatKdf(Z, L, OtherInfo) {
+	const dkLen = L >> 3;
+	const hashLen = 32;
+	const reps = Math.ceil(dkLen / hashLen);
+	const dk = new Uint8Array(reps * hashLen);
+	for (let i = 1; i <= reps; i++) {
+		const hashInput = new Uint8Array(4 + Z.length + OtherInfo.length);
+		hashInput.set(uint32be(i), 0);
+		hashInput.set(Z, 4);
+		hashInput.set(OtherInfo, 4 + Z.length);
+		const hashResult = await digest("sha256", hashInput);
+		dk.set(hashResult, (i - 1) * hashLen);
+	}
+	return dk.slice(0, dkLen);
+}
+async function deriveKey$1(publicKey, privateKey, algorithm, keyLength, apu = new Uint8Array(), apv = new Uint8Array()) {
+	checkEncCryptoKey(publicKey, "ECDH");
+	checkEncCryptoKey(privateKey, "ECDH", "deriveBits");
+	const otherInfo = concat(lengthAndInput(encode$1(algorithm)), lengthAndInput(apu), lengthAndInput(apv), uint32be(keyLength), new Uint8Array());
+	return concatKdf(new Uint8Array(await crypto.subtle.deriveBits({
+		name: publicKey.algorithm.name,
+		public: publicKey
+	}, privateKey, getEcdhBitLength(publicKey))), keyLength, otherInfo);
+}
+function getEcdhBitLength(publicKey) {
+	if (publicKey.algorithm.name === "X25519") return 256;
+	return Math.ceil(parseInt(publicKey.algorithm.namedCurve.slice(-3), 10) / 8) << 3;
+}
+function allowed(key) {
+	switch (key.algorithm.namedCurve) {
+		case "P-256":
+		case "P-384":
+		case "P-521": return true;
+		default: return key.algorithm.name === "X25519";
+	}
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/lib/pbes2kw.js
+function getCryptoKey(key, alg$1) {
+	if (key instanceof Uint8Array) return crypto.subtle.importKey("raw", key, "PBKDF2", false, ["deriveBits"]);
+	checkEncCryptoKey(key, alg$1, "deriveBits");
+	return key;
+}
+const concatSalt = (alg$1, p2sInput) => concat(encode$1(alg$1), Uint8Array.of(0), p2sInput);
+async function deriveKey(p2s, alg$1, p2c, key) {
+	if (!(p2s instanceof Uint8Array) || p2s.length < 8) throw new JWEInvalid("PBES2 Salt Input must be 8 or more octets");
+	const salt = concatSalt(alg$1, p2s);
+	const keylen = parseInt(alg$1.slice(13, 16), 10);
+	const subtleAlg = {
+		hash: `SHA-${alg$1.slice(8, 11)}`,
+		iterations: p2c,
+		name: "PBKDF2",
+		salt
+	};
+	const cryptoKey = await getCryptoKey(key, alg$1);
+	return new Uint8Array(await crypto.subtle.deriveBits(subtleAlg, cryptoKey, keylen));
+}
+async function wrap$1(alg$1, key, cek, p2c = 2048, p2s = crypto.getRandomValues(new Uint8Array(16))) {
+	const derived = await deriveKey(p2s, alg$1, p2c, key);
+	return {
+		encryptedKey: await wrap$2(alg$1.slice(-6), derived, cek),
+		p2c,
+		p2s: encode(p2s)
+	};
+}
+async function unwrap$1(alg$1, key, encryptedKey, p2c, p2s) {
+	const derived = await deriveKey(p2s, alg$1, p2c, key);
+	return unwrap$2(alg$1.slice(-6), derived, encryptedKey);
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/lib/rsaes.js
+const subtleAlgorithm$1 = (alg$1) => {
+	switch (alg$1) {
+		case "RSA-OAEP":
+		case "RSA-OAEP-256":
+		case "RSA-OAEP-384":
+		case "RSA-OAEP-512": return "RSA-OAEP";
+		default: throw new JOSENotSupported(`alg ${alg$1} is not supported either by JOSE or your javascript runtime`);
+	}
+};
+async function encrypt$1(alg$1, key, cek) {
+	checkEncCryptoKey(key, alg$1, "encrypt");
+	checkKeyLength(alg$1, key);
+	return new Uint8Array(await crypto.subtle.encrypt(subtleAlgorithm$1(alg$1), key, cek));
+}
+async function decrypt$1(alg$1, key, encryptedKey) {
+	checkEncCryptoKey(key, alg$1, "decrypt");
+	checkKeyLength(alg$1, key);
+	return new Uint8Array(await crypto.subtle.decrypt(subtleAlgorithm$1(alg$1), key, encryptedKey));
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/lib/cek.js
+function cekLength(alg$1) {
+	switch (alg$1) {
+		case "A128GCM": return 128;
+		case "A192GCM": return 192;
+		case "A256GCM":
+		case "A128CBC-HS256": return 256;
+		case "A192CBC-HS384": return 384;
+		case "A256CBC-HS512": return 512;
+		default: throw new JOSENotSupported(`Unsupported JWE Algorithm: ${alg$1}`);
+	}
+}
+const generateCek = (alg$1) => crypto.getRandomValues(new Uint8Array(cekLength(alg$1) >> 3));
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/lib/encrypt.js
+async function cbcEncrypt(enc$1, plaintext, cek, iv, aad) {
+	if (!(cek instanceof Uint8Array)) throw new TypeError(invalidKeyInput(cek, "Uint8Array"));
+	const keySize = parseInt(enc$1.slice(1, 4), 10);
+	const encKey = await crypto.subtle.importKey("raw", cek.subarray(keySize >> 3), "AES-CBC", false, ["encrypt"]);
+	const macKey = await crypto.subtle.importKey("raw", cek.subarray(0, keySize >> 3), {
+		hash: `SHA-${keySize << 1}`,
+		name: "HMAC"
+	}, false, ["sign"]);
+	const ciphertext = new Uint8Array(await crypto.subtle.encrypt({
+		iv,
+		name: "AES-CBC"
+	}, encKey, plaintext));
+	const macData = concat(aad, iv, ciphertext, uint64be(aad.length << 3));
+	return {
+		ciphertext,
+		tag: new Uint8Array((await crypto.subtle.sign("HMAC", macKey, macData)).slice(0, keySize >> 3)),
+		iv
+	};
+}
+async function gcmEncrypt(enc$1, plaintext, cek, iv, aad) {
+	let encKey;
+	if (cek instanceof Uint8Array) encKey = await crypto.subtle.importKey("raw", cek, "AES-GCM", false, ["encrypt"]);
+	else {
+		checkEncCryptoKey(cek, enc$1, "encrypt");
+		encKey = cek;
+	}
+	const encrypted = new Uint8Array(await crypto.subtle.encrypt({
+		additionalData: aad,
+		iv,
+		name: "AES-GCM",
+		tagLength: 128
+	}, encKey, plaintext));
+	const tag = encrypted.slice(-16);
+	return {
+		ciphertext: encrypted.slice(0, -16),
+		tag,
+		iv
+	};
+}
+async function encrypt(enc$1, plaintext, cek, iv, aad) {
+	if (!isCryptoKey(cek) && !(cek instanceof Uint8Array)) throw new TypeError(invalidKeyInput(cek, "CryptoKey", "KeyObject", "Uint8Array", "JSON Web Key"));
+	if (iv) checkIvLength(enc$1, iv);
+	else iv = generateIv(enc$1);
+	switch (enc$1) {
+		case "A128CBC-HS256":
+		case "A192CBC-HS384":
+		case "A256CBC-HS512":
+			if (cek instanceof Uint8Array) checkCekLength(cek, parseInt(enc$1.slice(-3), 10));
+			return cbcEncrypt(enc$1, plaintext, cek, iv, aad);
+		case "A128GCM":
+		case "A192GCM":
+		case "A256GCM":
+			if (cek instanceof Uint8Array) checkCekLength(cek, parseInt(enc$1.slice(1, 4), 10));
+			return gcmEncrypt(enc$1, plaintext, cek, iv, aad);
+		default: throw new JOSENotSupported("Unsupported JWE Content Encryption Algorithm");
+	}
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/lib/aesgcmkw.js
+async function wrap(alg$1, key, cek, iv) {
+	const wrapped = await encrypt(alg$1.slice(0, 7), cek, key, iv, new Uint8Array());
+	return {
+		encryptedKey: wrapped.ciphertext,
+		iv: encode(wrapped.iv),
+		tag: encode(wrapped.tag)
+	};
+}
+async function unwrap(alg$1, key, encryptedKey, iv, tag) {
+	return decrypt(alg$1.slice(0, 7), key, encryptedKey, iv, tag, new Uint8Array());
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/lib/decrypt_key_management.js
+async function decryptKeyManagement(alg$1, key, encryptedKey, joseHeader, options) {
+	switch (alg$1) {
+		case "dir":
+			if (encryptedKey !== void 0) throw new JWEInvalid("Encountered unexpected JWE Encrypted Key");
+			return key;
+		case "ECDH-ES": if (encryptedKey !== void 0) throw new JWEInvalid("Encountered unexpected JWE Encrypted Key");
+		case "ECDH-ES+A128KW":
+		case "ECDH-ES+A192KW":
+		case "ECDH-ES+A256KW": {
+			if (!isObject(joseHeader.epk)) throw new JWEInvalid(`JOSE Header "epk" (Ephemeral Public Key) missing or invalid`);
+			assertCryptoKey(key);
+			if (!allowed(key)) throw new JOSENotSupported("ECDH with the provided key is not allowed or not supported by your javascript runtime");
+			const epk = await importJWK(joseHeader.epk, alg$1);
+			assertCryptoKey(epk);
+			let partyUInfo;
+			let partyVInfo;
+			if (joseHeader.apu !== void 0) {
+				if (typeof joseHeader.apu !== "string") throw new JWEInvalid(`JOSE Header "apu" (Agreement PartyUInfo) invalid`);
+				try {
+					partyUInfo = decode(joseHeader.apu);
+				} catch {
+					throw new JWEInvalid("Failed to base64url decode the apu");
+				}
+			}
+			if (joseHeader.apv !== void 0) {
+				if (typeof joseHeader.apv !== "string") throw new JWEInvalid(`JOSE Header "apv" (Agreement PartyVInfo) invalid`);
+				try {
+					partyVInfo = decode(joseHeader.apv);
+				} catch {
+					throw new JWEInvalid("Failed to base64url decode the apv");
+				}
+			}
+			const sharedSecret = await deriveKey$1(epk, key, alg$1 === "ECDH-ES" ? joseHeader.enc : alg$1, alg$1 === "ECDH-ES" ? cekLength(joseHeader.enc) : parseInt(alg$1.slice(-5, -2), 10), partyUInfo, partyVInfo);
+			if (alg$1 === "ECDH-ES") return sharedSecret;
+			if (encryptedKey === void 0) throw new JWEInvalid("JWE Encrypted Key missing");
+			return unwrap$2(alg$1.slice(-6), sharedSecret, encryptedKey);
+		}
+		case "RSA-OAEP":
+		case "RSA-OAEP-256":
+		case "RSA-OAEP-384":
+		case "RSA-OAEP-512":
+			if (encryptedKey === void 0) throw new JWEInvalid("JWE Encrypted Key missing");
+			assertCryptoKey(key);
+			return decrypt$1(alg$1, key, encryptedKey);
+		case "PBES2-HS256+A128KW":
+		case "PBES2-HS384+A192KW":
+		case "PBES2-HS512+A256KW": {
+			if (encryptedKey === void 0) throw new JWEInvalid("JWE Encrypted Key missing");
+			if (typeof joseHeader.p2c !== "number") throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`);
+			const p2cLimit = options?.maxPBES2Count || 1e4;
+			if (joseHeader.p2c > p2cLimit) throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds`);
+			if (typeof joseHeader.p2s !== "string") throw new JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`);
+			let p2s;
+			try {
+				p2s = decode(joseHeader.p2s);
+			} catch {
+				throw new JWEInvalid("Failed to base64url decode the p2s");
+			}
+			return unwrap$1(alg$1, key, encryptedKey, joseHeader.p2c, p2s);
+		}
+		case "A128KW":
+		case "A192KW":
+		case "A256KW":
+			if (encryptedKey === void 0) throw new JWEInvalid("JWE Encrypted Key missing");
+			return unwrap$2(alg$1, key, encryptedKey);
+		case "A128GCMKW":
+		case "A192GCMKW":
+		case "A256GCMKW": {
+			if (encryptedKey === void 0) throw new JWEInvalid("JWE Encrypted Key missing");
+			if (typeof joseHeader.iv !== "string") throw new JWEInvalid(`JOSE Header "iv" (Initialization Vector) missing or invalid`);
+			if (typeof joseHeader.tag !== "string") throw new JWEInvalid(`JOSE Header "tag" (Authentication Tag) missing or invalid`);
+			let iv;
+			try {
+				iv = decode(joseHeader.iv);
+			} catch {
+				throw new JWEInvalid("Failed to base64url decode the iv");
+			}
+			let tag;
+			try {
+				tag = decode(joseHeader.tag);
+			} catch {
+				throw new JWEInvalid("Failed to base64url decode the tag");
+			}
+			return unwrap(alg$1, key, encryptedKey, iv, tag);
+		}
+		default: throw new JOSENotSupported("Invalid or unsupported \"alg\" (JWE Algorithm) header value");
+	}
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/jwe/flattened/decrypt.js
+async function flattenedDecrypt(jwe, key, options) {
+	if (!isObject(jwe)) throw new JWEInvalid("Flattened JWE must be an object");
+	if (jwe.protected === void 0 && jwe.header === void 0 && jwe.unprotected === void 0) throw new JWEInvalid("JOSE Header missing");
+	if (jwe.iv !== void 0 && typeof jwe.iv !== "string") throw new JWEInvalid("JWE Initialization Vector incorrect type");
+	if (typeof jwe.ciphertext !== "string") throw new JWEInvalid("JWE Ciphertext missing or incorrect type");
+	if (jwe.tag !== void 0 && typeof jwe.tag !== "string") throw new JWEInvalid("JWE Authentication Tag incorrect type");
+	if (jwe.protected !== void 0 && typeof jwe.protected !== "string") throw new JWEInvalid("JWE Protected Header incorrect type");
+	if (jwe.encrypted_key !== void 0 && typeof jwe.encrypted_key !== "string") throw new JWEInvalid("JWE Encrypted Key incorrect type");
+	if (jwe.aad !== void 0 && typeof jwe.aad !== "string") throw new JWEInvalid("JWE AAD incorrect type");
+	if (jwe.header !== void 0 && !isObject(jwe.header)) throw new JWEInvalid("JWE Shared Unprotected Header incorrect type");
+	if (jwe.unprotected !== void 0 && !isObject(jwe.unprotected)) throw new JWEInvalid("JWE Per-Recipient Unprotected Header incorrect type");
+	let parsedProt;
+	if (jwe.protected) try {
+		const protectedHeader$1 = decode(jwe.protected);
+		parsedProt = JSON.parse(decoder.decode(protectedHeader$1));
+	} catch {
+		throw new JWEInvalid("JWE Protected Header is invalid");
+	}
+	if (!isDisjoint(parsedProt, jwe.header, jwe.unprotected)) throw new JWEInvalid("JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint");
+	const joseHeader = {
+		...parsedProt,
+		...jwe.header,
+		...jwe.unprotected
+	};
+	validateCrit(JWEInvalid, /* @__PURE__ */ new Map(), options?.crit, parsedProt, joseHeader);
+	if (joseHeader.zip !== void 0) throw new JOSENotSupported("JWE \"zip\" (Compression Algorithm) Header Parameter is not supported.");
+	const { alg: alg$1, enc: enc$1 } = joseHeader;
+	if (typeof alg$1 !== "string" || !alg$1) throw new JWEInvalid("missing JWE Algorithm (alg) in JWE Header");
+	if (typeof enc$1 !== "string" || !enc$1) throw new JWEInvalid("missing JWE Encryption Algorithm (enc) in JWE Header");
+	const keyManagementAlgorithms = options && validateAlgorithms("keyManagementAlgorithms", options.keyManagementAlgorithms);
+	const contentEncryptionAlgorithms = options && validateAlgorithms("contentEncryptionAlgorithms", options.contentEncryptionAlgorithms);
+	if (keyManagementAlgorithms && !keyManagementAlgorithms.has(alg$1) || !keyManagementAlgorithms && alg$1.startsWith("PBES2")) throw new JOSEAlgNotAllowed("\"alg\" (Algorithm) Header Parameter value not allowed");
+	if (contentEncryptionAlgorithms && !contentEncryptionAlgorithms.has(enc$1)) throw new JOSEAlgNotAllowed("\"enc\" (Encryption Algorithm) Header Parameter value not allowed");
+	let encryptedKey;
+	if (jwe.encrypted_key !== void 0) try {
+		encryptedKey = decode(jwe.encrypted_key);
+	} catch {
+		throw new JWEInvalid("Failed to base64url decode the encrypted_key");
+	}
+	let resolvedKey = false;
+	if (typeof key === "function") {
+		key = await key(parsedProt, jwe);
+		resolvedKey = true;
+	}
+	checkKeyType(alg$1 === "dir" ? enc$1 : alg$1, key, "decrypt");
+	const k = await normalizeKey(key, alg$1);
+	let cek;
+	try {
+		cek = await decryptKeyManagement(alg$1, k, encryptedKey, joseHeader, options);
+	} catch (err) {
+		if (err instanceof TypeError || err instanceof JWEInvalid || err instanceof JOSENotSupported) throw err;
+		cek = generateCek(enc$1);
+	}
+	let iv;
+	let tag;
+	if (jwe.iv !== void 0) try {
+		iv = decode(jwe.iv);
+	} catch {
+		throw new JWEInvalid("Failed to base64url decode the iv");
+	}
+	if (jwe.tag !== void 0) try {
+		tag = decode(jwe.tag);
+	} catch {
+		throw new JWEInvalid("Failed to base64url decode the tag");
+	}
+	const protectedHeader = jwe.protected !== void 0 ? encode$1(jwe.protected) : new Uint8Array();
+	let additionalData;
+	if (jwe.aad !== void 0) additionalData = concat(protectedHeader, encode$1("."), encode$1(jwe.aad));
+	else additionalData = protectedHeader;
+	let ciphertext;
+	try {
+		ciphertext = decode(jwe.ciphertext);
+	} catch {
+		throw new JWEInvalid("Failed to base64url decode the ciphertext");
+	}
+	const result = { plaintext: await decrypt(enc$1, cek, ciphertext, iv, tag, additionalData) };
+	if (jwe.protected !== void 0) result.protectedHeader = parsedProt;
+	if (jwe.aad !== void 0) try {
+		result.additionalAuthenticatedData = decode(jwe.aad);
+	} catch {
+		throw new JWEInvalid("Failed to base64url decode the aad");
+	}
+	if (jwe.unprotected !== void 0) result.sharedUnprotectedHeader = jwe.unprotected;
+	if (jwe.header !== void 0) result.unprotectedHeader = jwe.header;
+	if (resolvedKey) return {
+		...result,
+		key: k
+	};
+	return result;
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/jwe/compact/decrypt.js
+async function compactDecrypt(jwe, key, options) {
+	if (jwe instanceof Uint8Array) jwe = decoder.decode(jwe);
+	if (typeof jwe !== "string") throw new JWEInvalid("Compact JWE must be a string or Uint8Array");
+	const { 0: protectedHeader, 1: encryptedKey, 2: iv, 3: ciphertext, 4: tag, length } = jwe.split(".");
+	if (length !== 5) throw new JWEInvalid("Invalid Compact JWE");
+	const decrypted = await flattenedDecrypt({
+		ciphertext,
+		iv: iv || void 0,
+		protected: protectedHeader,
+		tag: tag || void 0,
+		encrypted_key: encryptedKey || void 0
+	}, key, options);
+	const result = {
+		plaintext: decrypted.plaintext,
+		protectedHeader: decrypted.protectedHeader
+	};
+	if (typeof key === "function") return {
+		...result,
+		key: decrypted.key
+	};
+	return result;
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/lib/private_symbols.js
+const unprotected = Symbol();
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/lib/key_to_jwk.js
+async function keyToJWK(key) {
+	if (isKeyObject(key)) if (key.type === "secret") key = key.export();
+	else return key.export({ format: "jwk" });
+	if (key instanceof Uint8Array) return {
+		kty: "oct",
+		k: encode(key)
+	};
+	if (!isCryptoKey(key)) throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "Uint8Array"));
+	if (!key.extractable) throw new TypeError("non-extractable CryptoKey cannot be exported as a JWK");
+	const { ext, key_ops, alg: alg$1, use, ...jwk } = await crypto.subtle.exportKey("jwk", key);
+	if (jwk.kty === "AKP") jwk.alg = alg$1;
+	return jwk;
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/key/export.js
+async function exportJWK(key) {
+	return keyToJWK(key);
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/lib/encrypt_key_management.js
+async function encryptKeyManagement(alg$1, enc$1, key, providedCek, providedParameters = {}) {
+	let encryptedKey;
+	let parameters;
+	let cek;
+	switch (alg$1) {
+		case "dir":
+			cek = key;
+			break;
+		case "ECDH-ES":
+		case "ECDH-ES+A128KW":
+		case "ECDH-ES+A192KW":
+		case "ECDH-ES+A256KW": {
+			assertCryptoKey(key);
+			if (!allowed(key)) throw new JOSENotSupported("ECDH with the provided key is not allowed or not supported by your javascript runtime");
+			const { apu, apv } = providedParameters;
+			let ephemeralKey;
+			if (providedParameters.epk) ephemeralKey = await normalizeKey(providedParameters.epk, alg$1);
+			else ephemeralKey = (await crypto.subtle.generateKey(key.algorithm, true, ["deriveBits"])).privateKey;
+			const { x, y, crv, kty } = await exportJWK(ephemeralKey);
+			const sharedSecret = await deriveKey$1(key, ephemeralKey, alg$1 === "ECDH-ES" ? enc$1 : alg$1, alg$1 === "ECDH-ES" ? cekLength(enc$1) : parseInt(alg$1.slice(-5, -2), 10), apu, apv);
+			parameters = { epk: {
+				x,
+				crv,
+				kty
+			} };
+			if (kty === "EC") parameters.epk.y = y;
+			if (apu) parameters.apu = encode(apu);
+			if (apv) parameters.apv = encode(apv);
+			if (alg$1 === "ECDH-ES") {
+				cek = sharedSecret;
+				break;
+			}
+			cek = providedCek || generateCek(enc$1);
+			const kwAlg = alg$1.slice(-6);
+			encryptedKey = await wrap$2(kwAlg, sharedSecret, cek);
+			break;
+		}
+		case "RSA-OAEP":
+		case "RSA-OAEP-256":
+		case "RSA-OAEP-384":
+		case "RSA-OAEP-512":
+			cek = providedCek || generateCek(enc$1);
+			assertCryptoKey(key);
+			encryptedKey = await encrypt$1(alg$1, key, cek);
+			break;
+		case "PBES2-HS256+A128KW":
+		case "PBES2-HS384+A192KW":
+		case "PBES2-HS512+A256KW": {
+			cek = providedCek || generateCek(enc$1);
+			const { p2c, p2s } = providedParameters;
+			({encryptedKey, ...parameters} = await wrap$1(alg$1, key, cek, p2c, p2s));
+			break;
+		}
+		case "A128KW":
+		case "A192KW":
+		case "A256KW":
+			cek = providedCek || generateCek(enc$1);
+			encryptedKey = await wrap$2(alg$1, key, cek);
+			break;
+		case "A128GCMKW":
+		case "A192GCMKW":
+		case "A256GCMKW": {
+			cek = providedCek || generateCek(enc$1);
+			const { iv } = providedParameters;
+			({encryptedKey, ...parameters} = await wrap(alg$1, key, cek, iv));
+			break;
+		}
+		default: throw new JOSENotSupported("Invalid or unsupported \"alg\" (JWE Algorithm) header value");
+	}
+	return {
+		cek,
+		encryptedKey,
+		parameters
+	};
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/jwe/flattened/encrypt.js
+var FlattenedEncrypt = class {
+	#plaintext;
+	#protectedHeader;
+	#sharedUnprotectedHeader;
+	#unprotectedHeader;
+	#aad;
+	#cek;
+	#iv;
+	#keyManagementParameters;
+	constructor(plaintext) {
+		if (!(plaintext instanceof Uint8Array)) throw new TypeError("plaintext must be an instance of Uint8Array");
+		this.#plaintext = plaintext;
+	}
+	setKeyManagementParameters(parameters) {
+		if (this.#keyManagementParameters) throw new TypeError("setKeyManagementParameters can only be called once");
+		this.#keyManagementParameters = parameters;
+		return this;
+	}
+	setProtectedHeader(protectedHeader) {
+		if (this.#protectedHeader) throw new TypeError("setProtectedHeader can only be called once");
+		this.#protectedHeader = protectedHeader;
+		return this;
+	}
+	setSharedUnprotectedHeader(sharedUnprotectedHeader) {
+		if (this.#sharedUnprotectedHeader) throw new TypeError("setSharedUnprotectedHeader can only be called once");
+		this.#sharedUnprotectedHeader = sharedUnprotectedHeader;
+		return this;
+	}
+	setUnprotectedHeader(unprotectedHeader) {
+		if (this.#unprotectedHeader) throw new TypeError("setUnprotectedHeader can only be called once");
+		this.#unprotectedHeader = unprotectedHeader;
+		return this;
+	}
+	setAdditionalAuthenticatedData(aad) {
+		this.#aad = aad;
+		return this;
+	}
+	setContentEncryptionKey(cek) {
+		if (this.#cek) throw new TypeError("setContentEncryptionKey can only be called once");
+		this.#cek = cek;
+		return this;
+	}
+	setInitializationVector(iv) {
+		if (this.#iv) throw new TypeError("setInitializationVector can only be called once");
+		this.#iv = iv;
+		return this;
+	}
+	async encrypt(key, options) {
+		if (!this.#protectedHeader && !this.#unprotectedHeader && !this.#sharedUnprotectedHeader) throw new JWEInvalid("either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()");
+		if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader, this.#sharedUnprotectedHeader)) throw new JWEInvalid("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");
+		const joseHeader = {
+			...this.#protectedHeader,
+			...this.#unprotectedHeader,
+			...this.#sharedUnprotectedHeader
+		};
+		validateCrit(JWEInvalid, /* @__PURE__ */ new Map(), options?.crit, this.#protectedHeader, joseHeader);
+		if (joseHeader.zip !== void 0) throw new JOSENotSupported("JWE \"zip\" (Compression Algorithm) Header Parameter is not supported.");
+		const { alg: alg$1, enc: enc$1 } = joseHeader;
+		if (typeof alg$1 !== "string" || !alg$1) throw new JWEInvalid("JWE \"alg\" (Algorithm) Header Parameter missing or invalid");
+		if (typeof enc$1 !== "string" || !enc$1) throw new JWEInvalid("JWE \"enc\" (Encryption Algorithm) Header Parameter missing or invalid");
+		let encryptedKey;
+		if (this.#cek && (alg$1 === "dir" || alg$1 === "ECDH-ES")) throw new TypeError(`setContentEncryptionKey cannot be called with JWE "alg" (Algorithm) Header ${alg$1}`);
+		checkKeyType(alg$1 === "dir" ? enc$1 : alg$1, key, "encrypt");
+		let cek;
+		{
+			let parameters;
+			const k = await normalizeKey(key, alg$1);
+			({cek, encryptedKey, parameters} = await encryptKeyManagement(alg$1, enc$1, k, this.#cek, this.#keyManagementParameters));
+			if (parameters) if (options && unprotected in options) if (!this.#unprotectedHeader) this.setUnprotectedHeader(parameters);
+			else this.#unprotectedHeader = {
+				...this.#unprotectedHeader,
+				...parameters
+			};
+			else if (!this.#protectedHeader) this.setProtectedHeader(parameters);
+			else this.#protectedHeader = {
+				...this.#protectedHeader,
+				...parameters
+			};
+		}
+		let additionalData;
+		let protectedHeaderS;
+		let protectedHeaderB;
+		let aadMember;
+		if (this.#protectedHeader) {
+			protectedHeaderS = encode(JSON.stringify(this.#protectedHeader));
+			protectedHeaderB = encode$1(protectedHeaderS);
+		} else {
+			protectedHeaderS = "";
+			protectedHeaderB = new Uint8Array();
+		}
+		if (this.#aad) {
+			aadMember = encode(this.#aad);
+			const aadMemberBytes = encode$1(aadMember);
+			additionalData = concat(protectedHeaderB, encode$1("."), aadMemberBytes);
+		} else additionalData = protectedHeaderB;
+		const { ciphertext, tag, iv } = await encrypt(enc$1, this.#plaintext, cek, this.#iv, additionalData);
+		const jwe = { ciphertext: encode(ciphertext) };
+		if (iv) jwe.iv = encode(iv);
+		if (tag) jwe.tag = encode(tag);
+		if (encryptedKey) jwe.encrypted_key = encode(encryptedKey);
+		if (aadMember) jwe.aad = aadMember;
+		if (this.#protectedHeader) jwe.protected = protectedHeaderS;
+		if (this.#sharedUnprotectedHeader) jwe.unprotected = this.#sharedUnprotectedHeader;
+		if (this.#unprotectedHeader) jwe.header = this.#unprotectedHeader;
+		return jwe;
+	}
+};
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/jwt/decrypt.js
+async function jwtDecrypt(jwt, key, options) {
+	const decrypted = await compactDecrypt(jwt, key, options);
+	const payload = validateClaimsSet(decrypted.protectedHeader, decrypted.plaintext, options);
+	const { protectedHeader } = decrypted;
+	if (protectedHeader.iss !== void 0 && protectedHeader.iss !== payload.iss) throw new JWTClaimValidationFailed("replicated \"iss\" claim header parameter mismatch", payload, "iss", "mismatch");
+	if (protectedHeader.sub !== void 0 && protectedHeader.sub !== payload.sub) throw new JWTClaimValidationFailed("replicated \"sub\" claim header parameter mismatch", payload, "sub", "mismatch");
+	if (protectedHeader.aud !== void 0 && JSON.stringify(protectedHeader.aud) !== JSON.stringify(payload.aud)) throw new JWTClaimValidationFailed("replicated \"aud\" claim header parameter mismatch", payload, "aud", "mismatch");
+	const result = {
+		payload,
+		protectedHeader
+	};
+	if (typeof key === "function") return {
+		...result,
+		key: decrypted.key
+	};
+	return result;
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/jwe/compact/encrypt.js
+var CompactEncrypt = class {
+	#flattened;
+	constructor(plaintext) {
+		this.#flattened = new FlattenedEncrypt(plaintext);
+	}
+	setContentEncryptionKey(cek) {
+		this.#flattened.setContentEncryptionKey(cek);
+		return this;
+	}
+	setInitializationVector(iv) {
+		this.#flattened.setInitializationVector(iv);
+		return this;
+	}
+	setProtectedHeader(protectedHeader) {
+		this.#flattened.setProtectedHeader(protectedHeader);
+		return this;
+	}
+	setKeyManagementParameters(parameters) {
+		this.#flattened.setKeyManagementParameters(parameters);
+		return this;
+	}
+	async encrypt(key, options) {
+		const jwe = await this.#flattened.encrypt(key, options);
+		return [
+			jwe.protected,
+			jwe.encrypted_key,
+			jwe.iv,
+			jwe.ciphertext,
+			jwe.tag
+		].join(".");
+	}
+};
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/lib/sign.js
+async function sign(alg$1, key, data) {
+	const cryptoKey = await getSigKey(alg$1, key, "sign");
+	checkKeyLength(alg$1, cryptoKey);
+	const signature = await crypto.subtle.sign(subtleAlgorithm(alg$1, cryptoKey.algorithm), cryptoKey, data);
+	return new Uint8Array(signature);
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/jws/flattened/sign.js
+var FlattenedSign = class {
+	#payload;
+	#protectedHeader;
+	#unprotectedHeader;
+	constructor(payload) {
+		if (!(payload instanceof Uint8Array)) throw new TypeError("payload must be an instance of Uint8Array");
+		this.#payload = payload;
+	}
+	setProtectedHeader(protectedHeader) {
+		if (this.#protectedHeader) throw new TypeError("setProtectedHeader can only be called once");
+		this.#protectedHeader = protectedHeader;
+		return this;
+	}
+	setUnprotectedHeader(unprotectedHeader) {
+		if (this.#unprotectedHeader) throw new TypeError("setUnprotectedHeader can only be called once");
+		this.#unprotectedHeader = unprotectedHeader;
+		return this;
+	}
+	async sign(key, options) {
+		if (!this.#protectedHeader && !this.#unprotectedHeader) throw new JWSInvalid("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");
+		if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+		const joseHeader = {
+			...this.#protectedHeader,
+			...this.#unprotectedHeader
+		};
+		const extensions = validateCrit(JWSInvalid, new Map([["b64", true]]), options?.crit, this.#protectedHeader, joseHeader);
+		let b64 = true;
+		if (extensions.has("b64")) {
+			b64 = this.#protectedHeader.b64;
+			if (typeof b64 !== "boolean") throw new JWSInvalid("The \"b64\" (base64url-encode payload) Header Parameter must be a boolean");
+		}
+		const { alg: alg$1 } = joseHeader;
+		if (typeof alg$1 !== "string" || !alg$1) throw new JWSInvalid("JWS \"alg\" (Algorithm) Header Parameter missing or invalid");
+		checkKeyType(alg$1, key, "sign");
+		let payloadS;
+		let payloadB;
+		if (b64) {
+			payloadS = encode(this.#payload);
+			payloadB = encode$1(payloadS);
+		} else {
+			payloadB = this.#payload;
+			payloadS = "";
+		}
+		let protectedHeaderString;
+		let protectedHeaderBytes;
+		if (this.#protectedHeader) {
+			protectedHeaderString = encode(JSON.stringify(this.#protectedHeader));
+			protectedHeaderBytes = encode$1(protectedHeaderString);
+		} else {
+			protectedHeaderString = "";
+			protectedHeaderBytes = new Uint8Array();
+		}
+		const data = concat(protectedHeaderBytes, encode$1("."), payloadB);
+		const jws = {
+			signature: encode(await sign(alg$1, await normalizeKey(key, alg$1), data)),
+			payload: payloadS
+		};
+		if (this.#unprotectedHeader) jws.header = this.#unprotectedHeader;
+		if (this.#protectedHeader) jws.protected = protectedHeaderString;
+		return jws;
+	}
+};
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/jws/compact/sign.js
+var CompactSign = class {
+	#flattened;
+	constructor(payload) {
+		this.#flattened = new FlattenedSign(payload);
+	}
+	setProtectedHeader(protectedHeader) {
+		this.#flattened.setProtectedHeader(protectedHeader);
+		return this;
+	}
+	async sign(key, options) {
+		const jws = await this.#flattened.sign(key, options);
+		if (jws.payload === void 0) throw new TypeError("use the flattened module for creating JWS with b64: false");
+		return `${jws.protected}.${jws.payload}.${jws.signature}`;
+	}
+};
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/jwt/sign.js
+var SignJWT = class {
+	#protectedHeader;
+	#jwt;
+	constructor(payload = {}) {
+		this.#jwt = new JWTClaimsBuilder(payload);
+	}
+	setIssuer(issuer) {
+		this.#jwt.iss = issuer;
+		return this;
+	}
+	setSubject(subject) {
+		this.#jwt.sub = subject;
+		return this;
+	}
+	setAudience(audience) {
+		this.#jwt.aud = audience;
+		return this;
+	}
+	setJti(jwtId) {
+		this.#jwt.jti = jwtId;
+		return this;
+	}
+	setNotBefore(input) {
+		this.#jwt.nbf = input;
+		return this;
+	}
+	setExpirationTime(input) {
+		this.#jwt.exp = input;
+		return this;
+	}
+	setIssuedAt(input) {
+		this.#jwt.iat = input;
+		return this;
+	}
+	setProtectedHeader(protectedHeader) {
+		this.#protectedHeader = protectedHeader;
+		return this;
+	}
+	async sign(key, options) {
+		const sig = new CompactSign(this.#jwt.data());
+		sig.setProtectedHeader(this.#protectedHeader);
+		if (Array.isArray(this.#protectedHeader?.crit) && this.#protectedHeader.crit.includes("b64") && this.#protectedHeader.b64 === false) throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
+		return sig.sign(key, options);
+	}
+};
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/jwt/encrypt.js
+var EncryptJWT = class {
+	#cek;
+	#iv;
+	#keyManagementParameters;
+	#protectedHeader;
+	#replicateIssuerAsHeader;
+	#replicateSubjectAsHeader;
+	#replicateAudienceAsHeader;
+	#jwt;
+	constructor(payload = {}) {
+		this.#jwt = new JWTClaimsBuilder(payload);
+	}
+	setIssuer(issuer) {
+		this.#jwt.iss = issuer;
+		return this;
+	}
+	setSubject(subject) {
+		this.#jwt.sub = subject;
+		return this;
+	}
+	setAudience(audience) {
+		this.#jwt.aud = audience;
+		return this;
+	}
+	setJti(jwtId) {
+		this.#jwt.jti = jwtId;
+		return this;
+	}
+	setNotBefore(input) {
+		this.#jwt.nbf = input;
+		return this;
+	}
+	setExpirationTime(input) {
+		this.#jwt.exp = input;
+		return this;
+	}
+	setIssuedAt(input) {
+		this.#jwt.iat = input;
+		return this;
+	}
+	setProtectedHeader(protectedHeader) {
+		if (this.#protectedHeader) throw new TypeError("setProtectedHeader can only be called once");
+		this.#protectedHeader = protectedHeader;
+		return this;
+	}
+	setKeyManagementParameters(parameters) {
+		if (this.#keyManagementParameters) throw new TypeError("setKeyManagementParameters can only be called once");
+		this.#keyManagementParameters = parameters;
+		return this;
+	}
+	setContentEncryptionKey(cek) {
+		if (this.#cek) throw new TypeError("setContentEncryptionKey can only be called once");
+		this.#cek = cek;
+		return this;
+	}
+	setInitializationVector(iv) {
+		if (this.#iv) throw new TypeError("setInitializationVector can only be called once");
+		this.#iv = iv;
+		return this;
+	}
+	replicateIssuerAsHeader() {
+		this.#replicateIssuerAsHeader = true;
+		return this;
+	}
+	replicateSubjectAsHeader() {
+		this.#replicateSubjectAsHeader = true;
+		return this;
+	}
+	replicateAudienceAsHeader() {
+		this.#replicateAudienceAsHeader = true;
+		return this;
+	}
+	async encrypt(key, options) {
+		const enc$1 = new CompactEncrypt(this.#jwt.data());
+		if (this.#protectedHeader && (this.#replicateIssuerAsHeader || this.#replicateSubjectAsHeader || this.#replicateAudienceAsHeader)) this.#protectedHeader = {
+			...this.#protectedHeader,
+			iss: this.#replicateIssuerAsHeader ? this.#jwt.iss : void 0,
+			sub: this.#replicateSubjectAsHeader ? this.#jwt.sub : void 0,
+			aud: this.#replicateAudienceAsHeader ? this.#jwt.aud : void 0
+		};
+		enc$1.setProtectedHeader(this.#protectedHeader);
+		if (this.#iv) enc$1.setInitializationVector(this.#iv);
+		if (this.#cek) enc$1.setContentEncryptionKey(this.#cek);
+		if (this.#keyManagementParameters) enc$1.setKeyManagementParameters(this.#keyManagementParameters);
+		return enc$1.encrypt(key, options);
+	}
+};
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/jwk/thumbprint.js
+const check = (value, description) => {
+	if (typeof value !== "string" || !value) throw new JWKInvalid(`${description} missing or invalid`);
+};
+async function calculateJwkThumbprint(key, digestAlgorithm) {
+	let jwk;
+	if (isJWK(key)) jwk = key;
+	else if (isKeyLike(key)) jwk = await exportJWK(key);
+	else throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+	digestAlgorithm ??= "sha256";
+	if (digestAlgorithm !== "sha256" && digestAlgorithm !== "sha384" && digestAlgorithm !== "sha512") throw new TypeError("digestAlgorithm must one of \"sha256\", \"sha384\", or \"sha512\"");
+	let components;
+	switch (jwk.kty) {
+		case "AKP":
+			check(jwk.alg, "\"alg\" (Algorithm) Parameter");
+			check(jwk.pub, "\"pub\" (Public key) Parameter");
+			components = {
+				alg: jwk.alg,
+				kty: jwk.kty,
+				pub: jwk.pub
+			};
+			break;
+		case "EC":
+			check(jwk.crv, "\"crv\" (Curve) Parameter");
+			check(jwk.x, "\"x\" (X Coordinate) Parameter");
+			check(jwk.y, "\"y\" (Y Coordinate) Parameter");
+			components = {
+				crv: jwk.crv,
+				kty: jwk.kty,
+				x: jwk.x,
+				y: jwk.y
+			};
+			break;
+		case "OKP":
+			check(jwk.crv, "\"crv\" (Subtype of Key Pair) Parameter");
+			check(jwk.x, "\"x\" (Public Key) Parameter");
+			components = {
+				crv: jwk.crv,
+				kty: jwk.kty,
+				x: jwk.x
+			};
+			break;
+		case "RSA":
+			check(jwk.e, "\"e\" (Exponent) Parameter");
+			check(jwk.n, "\"n\" (Modulus) Parameter");
+			components = {
+				e: jwk.e,
+				kty: jwk.kty,
+				n: jwk.n
+			};
+			break;
+		case "oct":
+			check(jwk.k, "\"k\" (Key Value) Parameter");
+			components = {
+				k: jwk.k,
+				kty: jwk.kty
+			};
+			break;
+		default: throw new JOSENotSupported("\"kty\" (Key Type) Parameter missing or unsupported");
+	}
+	const data = encode$1(JSON.stringify(components));
+	return encode(await digest(digestAlgorithm, data));
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/@noble+hashes@2.0.1/node_modules/@noble/hashes/utils.js
+/**
+* Utilities for hex, bytes, CSPRNG.
+* @module
+*/
+/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
+function isBytes$1(a) {
+	return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
+}
+/** Asserts something is positive integer. */
+function anumber(n, title = "") {
+	if (!Number.isSafeInteger(n) || n < 0) {
+		const prefix = title && `"${title}" `;
+		throw new Error(`${prefix}expected integer >= 0, got ${n}`);
+	}
+}
+/** Asserts something is Uint8Array. */
+function abytes$1(value, length, title = "") {
+	const bytes = isBytes$1(value);
+	const len = value?.length;
+	const needsLen = length !== void 0;
+	if (!bytes || needsLen && len !== length) {
+		const prefix = title && `"${title}" `;
+		const ofLen = needsLen ? ` of length ${length}` : "";
+		const got = bytes ? `length=${len}` : `type=${typeof value}`;
+		throw new Error(prefix + "expected Uint8Array" + ofLen + ", got " + got);
+	}
+	return value;
+}
+/** Asserts something is hash */
+function ahash(h) {
+	if (typeof h !== "function" || typeof h.create !== "function") throw new Error("Hash must wrapped by utils.createHasher");
+	anumber(h.outputLen);
+	anumber(h.blockLen);
+}
+/** Asserts a hash instance has not been destroyed / finished */
+function aexists$1(instance, checkFinished = true) {
+	if (instance.destroyed) throw new Error("Hash instance has been destroyed");
+	if (checkFinished && instance.finished) throw new Error("Hash#digest() has already been called");
+}
+/** Asserts output is properly-sized byte array */
+function aoutput$1(out, instance) {
+	abytes$1(out, void 0, "digestInto() output");
+	const min = instance.outputLen;
+	if (out.length < min) throw new Error("\"digestInto() output\" expected to be of length >=" + min);
+}
+/** Cast u8 / u16 / u32 to u32. */
+function u32(arr) {
+	return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
+}
+/** Zeroize a byte array. Warning: JS provides no guarantees. */
+function clean(...arrays) {
+	for (let i = 0; i < arrays.length; i++) arrays[i].fill(0);
+}
+/** Create DataView of an array for easy byte-level manipulation. */
+function createView(arr) {
+	return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
+}
+/** The rotate right (circular right shift) operation for uint32 */
+function rotr(word, shift) {
+	return word << 32 - shift | word >>> shift;
+}
+/** The rotate left (circular left shift) operation for uint32 */
+function rotl(word, shift) {
+	return word << shift | word >>> 32 - shift >>> 0;
+}
+/** Is current platform little-endian? Most are. Big-Endian platform: IBM */
+const isLE$1 = /* @__PURE__ */ (() => new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68)();
+/** The byte swap operation for uint32 */
+function byteSwap(word) {
+	return word << 24 & 4278190080 | word << 8 & 16711680 | word >>> 8 & 65280 | word >>> 24 & 255;
+}
+/** In place byte swap for Uint32Array */
+function byteSwap32(arr) {
+	for (let i = 0; i < arr.length; i++) arr[i] = byteSwap(arr[i]);
+	return arr;
+}
+const swap32IfBE = isLE$1 ? (u) => u : byteSwap32;
+const hasHexBuiltin$1 = /* @__PURE__ */ (() => typeof Uint8Array.from([]).toHex === "function" && typeof Uint8Array.fromHex === "function")();
+const asciis$1 = {
+	_0: 48,
+	_9: 57,
+	A: 65,
+	F: 70,
+	a: 97,
+	f: 102
+};
+function asciiToBase16$1(ch) {
+	if (ch >= asciis$1._0 && ch <= asciis$1._9) return ch - asciis$1._0;
+	if (ch >= asciis$1.A && ch <= asciis$1.F) return ch - (asciis$1.A - 10);
+	if (ch >= asciis$1.a && ch <= asciis$1.f) return ch - (asciis$1.a - 10);
+}
+/**
+* Convert hex string to byte array. Uses built-in function, when available.
+* @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])
+*/
+function hexToBytes$1(hex$1) {
+	if (typeof hex$1 !== "string") throw new Error("hex string expected, got " + typeof hex$1);
+	if (hasHexBuiltin$1) return Uint8Array.fromHex(hex$1);
+	const hl = hex$1.length;
+	const al = hl / 2;
+	if (hl % 2) throw new Error("hex string expected, got unpadded hex of length " + hl);
+	const array = new Uint8Array(al);
+	for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
+		const n1 = asciiToBase16$1(hex$1.charCodeAt(hi));
+		const n2 = asciiToBase16$1(hex$1.charCodeAt(hi + 1));
+		if (n1 === void 0 || n2 === void 0) {
+			const char = hex$1[hi] + hex$1[hi + 1];
+			throw new Error("hex string expected, got non-hex character \"" + char + "\" at index " + hi);
+		}
+		array[ai] = n1 * 16 + n2;
+	}
+	return array;
+}
+/**
+* There is no setImmediate in browser and setTimeout is slow.
+* Call of async fn will return Promise, which will be fullfiled only on
+* next scheduler queue processing step and this is exactly what we need.
+*/
+const nextTick = async () => {};
+/** Returns control to thread each 'tick' ms to avoid blocking. */
+async function asyncLoop(iters, tick, cb) {
+	let ts = Date.now();
+	for (let i = 0; i < iters; i++) {
+		cb(i);
+		const diff = Date.now() - ts;
+		if (diff >= 0 && diff < tick) continue;
+		await /* @__PURE__ */ nextTick();
+		ts += diff;
+	}
+}
+/**
+* Converts string to bytes using UTF8 encoding.
+* Built-in doesn't validate input to be string: we do the check.
+* @example utf8ToBytes('abc') // Uint8Array.from([97, 98, 99])
+*/
+function utf8ToBytes$1(str) {
+	if (typeof str !== "string") throw new Error("string expected");
+	return new Uint8Array(new TextEncoder().encode(str));
+}
+/**
+* Helper for KDFs: consumes uint8array or string.
+* When string is passed, does utf8 decoding, using TextDecoder.
+*/
+function kdfInputToBytes(data, errorTitle = "") {
+	if (typeof data === "string") return utf8ToBytes$1(data);
+	return abytes$1(data, void 0, errorTitle);
+}
+/** Merges default options and passed options. */
+function checkOpts(defaults, opts) {
+	if (opts !== void 0 && {}.toString.call(opts) !== "[object Object]") throw new Error("options must be object or undefined");
+	return Object.assign(defaults, opts);
+}
+/** Creates function with outputLen, blockLen, create properties from a class constructor. */
+function createHasher(hashCons, info$1 = {}) {
+	const hashC = (msg, opts) => hashCons(opts).update(msg).digest();
+	const tmp = hashCons(void 0);
+	hashC.outputLen = tmp.outputLen;
+	hashC.blockLen = tmp.blockLen;
+	hashC.create = (opts) => hashCons(opts);
+	Object.assign(hashC, info$1);
+	return Object.freeze(hashC);
+}
+/** Creates OID opts for NIST hashes, with prefix 06 09 60 86 48 01 65 03 04 02. */
+const oidNist = (suffix) => ({ oid: Uint8Array.from([
+	6,
+	9,
+	96,
+	134,
+	72,
+	1,
+	101,
+	3,
+	4,
+	2,
+	suffix
+]) });
+
+//#endregion
+//#region ../../node_modules/.pnpm/@noble+hashes@2.0.1/node_modules/@noble/hashes/hmac.js
+/**
+* HMAC: RFC2104 message authentication code.
+* @module
+*/
+/** Internal class for HMAC. */
+var _HMAC = class {
+	oHash;
+	iHash;
+	blockLen;
+	outputLen;
+	finished = false;
+	destroyed = false;
+	constructor(hash, key) {
+		ahash(hash);
+		abytes$1(key, void 0, "key");
+		this.iHash = hash.create();
+		if (typeof this.iHash.update !== "function") throw new Error("Expected instance of class which extends utils.Hash");
+		this.blockLen = this.iHash.blockLen;
+		this.outputLen = this.iHash.outputLen;
+		const blockLen = this.blockLen;
+		const pad = new Uint8Array(blockLen);
+		pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);
+		for (let i = 0; i < pad.length; i++) pad[i] ^= 54;
+		this.iHash.update(pad);
+		this.oHash = hash.create();
+		for (let i = 0; i < pad.length; i++) pad[i] ^= 106;
+		this.oHash.update(pad);
+		clean(pad);
+	}
+	update(buf) {
+		aexists$1(this);
+		this.iHash.update(buf);
+		return this;
+	}
+	digestInto(out) {
+		aexists$1(this);
+		abytes$1(out, this.outputLen, "output");
+		this.finished = true;
+		this.iHash.digestInto(out);
+		this.oHash.update(out);
+		this.oHash.digestInto(out);
+		this.destroy();
+	}
+	digest() {
+		const out = new Uint8Array(this.oHash.outputLen);
+		this.digestInto(out);
+		return out;
+	}
+	_cloneInto(to) {
+		to ||= Object.create(Object.getPrototypeOf(this), {});
+		const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
+		to = to;
+		to.finished = finished;
+		to.destroyed = destroyed;
+		to.blockLen = blockLen;
+		to.outputLen = outputLen;
+		to.oHash = oHash._cloneInto(to.oHash);
+		to.iHash = iHash._cloneInto(to.iHash);
+		return to;
+	}
+	clone() {
+		return this._cloneInto();
+	}
+	destroy() {
+		this.destroyed = true;
+		this.oHash.destroy();
+		this.iHash.destroy();
+	}
+};
+/**
+* HMAC: RFC2104 message authentication code.
+* @param hash - function that would be used e.g. sha256
+* @param key - message key
+* @param message - message data
+* @example
+* import { hmac } from '@noble/hashes/hmac';
+* import { sha256 } from '@noble/hashes/sha2';
+* const mac1 = hmac(sha256, 'key', 'message');
+*/
+const hmac = (hash, key, message) => new _HMAC(hash, key).update(message).digest();
+hmac.create = (hash, key) => new _HMAC(hash, key);
+
+//#endregion
+//#region ../../node_modules/.pnpm/@noble+hashes@2.0.1/node_modules/@noble/hashes/hkdf.js
+/**
+* HKDF (RFC 5869): extract + expand in one step.
+* See https://soatok.blog/2021/11/17/understanding-hkdf/.
+* @module
+*/
+/**
+* HKDF-extract from spec. Less important part. `HKDF-Extract(IKM, salt) -> PRK`
+* Arguments position differs from spec (IKM is first one, since it is not optional)
+* @param hash - hash function that would be used (e.g. sha256)
+* @param ikm - input keying material, the initial key
+* @param salt - optional salt value (a non-secret random value)
+*/
+function extract(hash, ikm, salt) {
+	ahash(hash);
+	if (salt === void 0) salt = new Uint8Array(hash.outputLen);
+	return hmac(hash, salt, ikm);
+}
+const HKDF_COUNTER = /* @__PURE__ */ Uint8Array.of(0);
+const EMPTY_BUFFER = /* @__PURE__ */ Uint8Array.of();
+/**
+* HKDF-expand from the spec. The most important part. `HKDF-Expand(PRK, info, L) -> OKM`
+* @param hash - hash function that would be used (e.g. sha256)
+* @param prk - a pseudorandom key of at least HashLen octets (usually, the output from the extract step)
+* @param info - optional context and application specific information (can be a zero-length string)
+* @param length - length of output keying material in bytes
+*/
+function expand(hash, prk, info$1, length = 32) {
+	ahash(hash);
+	anumber(length, "length");
+	const olen = hash.outputLen;
+	if (length > 255 * olen) throw new Error("Length must be <= 255*HashLen");
+	const blocks = Math.ceil(length / olen);
+	if (info$1 === void 0) info$1 = EMPTY_BUFFER;
+	else abytes$1(info$1, void 0, "info");
+	const okm = new Uint8Array(blocks * olen);
+	const HMAC = hmac.create(hash, prk);
+	const HMACTmp = HMAC._cloneInto();
+	const T = new Uint8Array(HMAC.outputLen);
+	for (let counter = 0; counter < blocks; counter++) {
+		HKDF_COUNTER[0] = counter + 1;
+		HMACTmp.update(counter === 0 ? EMPTY_BUFFER : T).update(info$1).update(HKDF_COUNTER).digestInto(T);
+		okm.set(T, olen * counter);
+		HMAC._cloneInto(HMACTmp);
+	}
+	HMAC.destroy();
+	HMACTmp.destroy();
+	clean(T, HKDF_COUNTER);
+	return okm.slice(0, length);
+}
+/**
+* HKDF (RFC 5869): derive keys from an initial input.
+* Combines hkdf_extract + hkdf_expand in one step
+* @param hash - hash function that would be used (e.g. sha256)
+* @param ikm - input keying material, the initial key
+* @param salt - optional salt value (a non-secret random value)
+* @param info - optional context and application specific information (can be a zero-length string)
+* @param length - length of output keying material in bytes
+* @example
+* import { hkdf } from '@noble/hashes/hkdf';
+* import { sha256 } from '@noble/hashes/sha2';
+* import { randomBytes } from '@noble/hashes/utils';
+* const inputKey = randomBytes(32);
+* const salt = randomBytes(32);
+* const info = 'application-key';
+* const hk1 = hkdf(sha256, inputKey, salt, info, 32);
+*/
+const hkdf = (hash, ikm, salt, info$1, length) => expand(hash, extract(hash, ikm, salt), info$1, length);
+
+//#endregion
+//#region ../../node_modules/.pnpm/@noble+hashes@2.0.1/node_modules/@noble/hashes/_md.js
+/**
+* Internal Merkle-Damgard hash utils.
+* @module
+*/
+/** Choice: a ? b : c */
+function Chi(a, b, c) {
+	return a & b ^ ~a & c;
+}
+/** Majority function, true if any two inputs is true. */
+function Maj(a, b, c) {
+	return a & b ^ a & c ^ b & c;
+}
+/**
+* Merkle-Damgard hash construction base class.
+* Could be used to create MD5, RIPEMD, SHA1, SHA2.
+*/
+var HashMD = class {
+	blockLen;
+	outputLen;
+	padOffset;
+	isLE;
+	buffer;
+	view;
+	finished = false;
+	length = 0;
+	pos = 0;
+	destroyed = false;
+	constructor(blockLen, outputLen, padOffset, isLE$2) {
+		this.blockLen = blockLen;
+		this.outputLen = outputLen;
+		this.padOffset = padOffset;
+		this.isLE = isLE$2;
+		this.buffer = new Uint8Array(blockLen);
+		this.view = createView(this.buffer);
+	}
+	update(data) {
+		aexists$1(this);
+		abytes$1(data);
+		const { view, buffer, blockLen } = this;
+		const len = data.length;
+		for (let pos = 0; pos < len;) {
+			const take = Math.min(blockLen - this.pos, len - pos);
+			if (take === blockLen) {
+				const dataView = createView(data);
+				for (; blockLen <= len - pos; pos += blockLen) this.process(dataView, pos);
+				continue;
+			}
+			buffer.set(data.subarray(pos, pos + take), this.pos);
+			this.pos += take;
+			pos += take;
+			if (this.pos === blockLen) {
+				this.process(view, 0);
+				this.pos = 0;
+			}
+		}
+		this.length += data.length;
+		this.roundClean();
+		return this;
+	}
+	digestInto(out) {
+		aexists$1(this);
+		aoutput$1(out, this);
+		this.finished = true;
+		const { buffer, view, blockLen, isLE: isLE$2 } = this;
+		let { pos } = this;
+		buffer[pos++] = 128;
+		clean(this.buffer.subarray(pos));
+		if (this.padOffset > blockLen - pos) {
+			this.process(view, 0);
+			pos = 0;
+		}
+		for (let i = pos; i < blockLen; i++) buffer[i] = 0;
+		view.setBigUint64(blockLen - 8, BigInt(this.length * 8), isLE$2);
+		this.process(view, 0);
+		const oview = createView(out);
+		const len = this.outputLen;
+		if (len % 4) throw new Error("_sha2: outputLen must be aligned to 32bit");
+		const outLen = len / 4;
+		const state = this.get();
+		if (outLen > state.length) throw new Error("_sha2: outputLen bigger than state");
+		for (let i = 0; i < outLen; i++) oview.setUint32(4 * i, state[i], isLE$2);
+	}
+	digest() {
+		const { buffer, outputLen } = this;
+		this.digestInto(buffer);
+		const res = buffer.slice(0, outputLen);
+		this.destroy();
+		return res;
+	}
+	_cloneInto(to) {
+		to ||= new this.constructor();
+		to.set(...this.get());
+		const { blockLen, buffer, length, finished, destroyed, pos } = this;
+		to.destroyed = destroyed;
+		to.finished = finished;
+		to.length = length;
+		to.pos = pos;
+		if (length % blockLen) to.buffer.set(buffer);
+		return to;
+	}
+	clone() {
+		return this._cloneInto();
+	}
+};
+/**
+* Initial SHA-2 state: fractional parts of square roots of first 16 primes 2..53.
+* Check out `test/misc/sha2-gen-iv.js` for recomputation guide.
+*/
+/** Initial SHA256 state. Bits 0..32 of frac part of sqrt of primes 2..19 */
+const SHA256_IV = /* @__PURE__ */ Uint32Array.from([
+	1779033703,
+	3144134277,
+	1013904242,
+	2773480762,
+	1359893119,
+	2600822924,
+	528734635,
+	1541459225
+]);
+
+//#endregion
+//#region ../../node_modules/.pnpm/@noble+hashes@2.0.1/node_modules/@noble/hashes/_u64.js
+/**
+* Internal helpers for u64. BigUint64Array is too slow as per 2025, so we implement it using Uint32Array.
+* @todo re-check https://issues.chromium.org/issues/42212588
+* @module
+*/
+const U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
+const _32n = /* @__PURE__ */ BigInt(32);
+function fromBig(n, le = false) {
+	if (le) return {
+		h: Number(n & U32_MASK64),
+		l: Number(n >> _32n & U32_MASK64)
+	};
+	return {
+		h: Number(n >> _32n & U32_MASK64) | 0,
+		l: Number(n & U32_MASK64) | 0
+	};
+}
+function split(lst, le = false) {
+	const len = lst.length;
+	let Ah = new Uint32Array(len);
+	let Al = new Uint32Array(len);
+	for (let i = 0; i < len; i++) {
+		const { h, l } = fromBig(lst[i], le);
+		[Ah[i], Al[i]] = [h, l];
+	}
+	return [Ah, Al];
+}
+const rotlSH = (h, l, s) => h << s | l >>> 32 - s;
+const rotlSL = (h, l, s) => l << s | h >>> 32 - s;
+const rotlBH = (h, l, s) => l << s - 32 | h >>> 64 - s;
+const rotlBL = (h, l, s) => h << s - 32 | l >>> 64 - s;
+
+//#endregion
+//#region ../../node_modules/.pnpm/@noble+hashes@2.0.1/node_modules/@noble/hashes/sha2.js
+/**
+* SHA2 hash function. A.k.a. sha256, sha384, sha512, sha512_224, sha512_256.
+* SHA256 is the fastest hash implementable in JS, even faster than Blake3.
+* Check out [RFC 4634](https://www.rfc-editor.org/rfc/rfc4634) and
+* [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf).
+* @module
+*/
+/**
+* Round constants:
+* First 32 bits of fractional parts of the cube roots of the first 64 primes 2..311)
+*/
+const SHA256_K = /* @__PURE__ */ Uint32Array.from([
+	1116352408,
+	1899447441,
+	3049323471,
+	3921009573,
+	961987163,
+	1508970993,
+	2453635748,
+	2870763221,
+	3624381080,
+	310598401,
+	607225278,
+	1426881987,
+	1925078388,
+	2162078206,
+	2614888103,
+	3248222580,
+	3835390401,
+	4022224774,
+	264347078,
+	604807628,
+	770255983,
+	1249150122,
+	1555081692,
+	1996064986,
+	2554220882,
+	2821834349,
+	2952996808,
+	3210313671,
+	3336571891,
+	3584528711,
+	113926993,
+	338241895,
+	666307205,
+	773529912,
+	1294757372,
+	1396182291,
+	1695183700,
+	1986661051,
+	2177026350,
+	2456956037,
+	2730485921,
+	2820302411,
+	3259730800,
+	3345764771,
+	3516065817,
+	3600352804,
+	4094571909,
+	275423344,
+	430227734,
+	506948616,
+	659060556,
+	883997877,
+	958139571,
+	1322822218,
+	1537002063,
+	1747873779,
+	1955562222,
+	2024104815,
+	2227730452,
+	2361852424,
+	2428436474,
+	2756734187,
+	3204031479,
+	3329325298
+]);
+/** Reusable temporary buffer. "W" comes straight from spec. */
+const SHA256_W = /* @__PURE__ */ new Uint32Array(64);
+/** Internal 32-byte base SHA2 hash class. */
+var SHA2_32B = class extends HashMD {
+	constructor(outputLen) {
+		super(64, outputLen, 8, false);
+	}
+	get() {
+		const { A, B, C, D, E, F, G, H } = this;
+		return [
+			A,
+			B,
+			C,
+			D,
+			E,
+			F,
+			G,
+			H
+		];
+	}
+	set(A, B, C, D, E, F, G, H) {
+		this.A = A | 0;
+		this.B = B | 0;
+		this.C = C | 0;
+		this.D = D | 0;
+		this.E = E | 0;
+		this.F = F | 0;
+		this.G = G | 0;
+		this.H = H | 0;
+	}
+	process(view, offset) {
+		for (let i = 0; i < 16; i++, offset += 4) SHA256_W[i] = view.getUint32(offset, false);
+		for (let i = 16; i < 64; i++) {
+			const W15 = SHA256_W[i - 15];
+			const W2 = SHA256_W[i - 2];
+			const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ W15 >>> 3;
+			SHA256_W[i] = (rotr(W2, 17) ^ rotr(W2, 19) ^ W2 >>> 10) + SHA256_W[i - 7] + s0 + SHA256_W[i - 16] | 0;
+		}
+		let { A, B, C, D, E, F, G, H } = this;
+		for (let i = 0; i < 64; i++) {
+			const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25);
+			const T1 = H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i] | 0;
+			const T2 = (rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22)) + Maj(A, B, C) | 0;
+			H = G;
+			G = F;
+			F = E;
+			E = D + T1 | 0;
+			D = C;
+			C = B;
+			B = A;
+			A = T1 + T2 | 0;
+		}
+		A = A + this.A | 0;
+		B = B + this.B | 0;
+		C = C + this.C | 0;
+		D = D + this.D | 0;
+		E = E + this.E | 0;
+		F = F + this.F | 0;
+		G = G + this.G | 0;
+		H = H + this.H | 0;
+		this.set(A, B, C, D, E, F, G, H);
+	}
+	roundClean() {
+		clean(SHA256_W);
+	}
+	destroy() {
+		this.set(0, 0, 0, 0, 0, 0, 0, 0);
+		clean(this.buffer);
+	}
+};
+/** Internal SHA2-256 hash class. */
+var _SHA256 = class extends SHA2_32B {
+	A = SHA256_IV[0] | 0;
+	B = SHA256_IV[1] | 0;
+	C = SHA256_IV[2] | 0;
+	D = SHA256_IV[3] | 0;
+	E = SHA256_IV[4] | 0;
+	F = SHA256_IV[5] | 0;
+	G = SHA256_IV[6] | 0;
+	H = SHA256_IV[7] | 0;
+	constructor() {
+		super(32);
+	}
+};
+/**
+* SHA2-256 hash function from RFC 4634. In JS it's the fastest: even faster than Blake3. Some info:
+*
+* - Trying 2^128 hashes would get 50% chance of collision, using birthday attack.
+* - BTC network is doing 2^70 hashes/sec (2^95 hashes/year) as per 2025.
+* - Each sha256 hash is executing 2^18 bit operations.
+* - Good 2024 ASICs can do 200Th/sec with 3500 watts of power, corresponding to 2^36 hashes/joule.
+*/
+const sha256 = /* @__PURE__ */ createHasher(() => new _SHA256(), /* @__PURE__ */ oidNist(1));
+
+//#endregion
+//#region ../better-auth/dist/hex-Bu7BHRzh.mjs
+function getWebcryptoSubtle() {
+	const cr = typeof globalThis !== "undefined" && globalThis.crypto;
+	if (cr && typeof cr.subtle === "object" && cr.subtle != null) return cr.subtle;
+	throw new Error("crypto.subtle must be defined");
+}
+async function signJWT(payload, secret, expiresIn = 3600) {
+	return await new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime(Math.floor(Date.now() / 1e3) + expiresIn).sign(new TextEncoder().encode(secret));
+}
+async function verifyJWT(token, secret) {
+	try {
+		return (await jwtVerify(token, new TextEncoder().encode(secret))).payload;
+	} catch (error) {
+		return null;
+	}
+}
+const info = new Uint8Array([
+	66,
+	101,
+	116,
+	116,
+	101,
+	114,
+	65,
+	117,
+	116,
+	104,
+	46,
+	106,
+	115,
+	32,
+	71,
+	101,
+	110,
+	101,
+	114,
+	97,
+	116,
+	101,
+	100,
+	32,
+	69,
+	110,
+	99,
+	114,
+	121,
+	112,
+	116,
+	105,
+	111,
+	110,
+	32,
+	75,
+	101,
+	121
+]);
+const now = () => Date.now() / 1e3 | 0;
+const alg = "dir";
+const enc = "A256CBC-HS512";
+async function symmetricEncodeJWT(payload, secret, salt, expiresIn = 3600) {
+	const encryptionSecret = hkdf(sha256, new TextEncoder().encode(secret), new TextEncoder().encode(salt), info, 64);
+	const thumbprint = await calculateJwkThumbprint({
+		kty: "oct",
+		k: encode(encryptionSecret)
+	}, "sha256");
+	return await new EncryptJWT(payload).setProtectedHeader({
+		alg,
+		enc,
+		kid: thumbprint
+	}).setIssuedAt().setExpirationTime(now() + expiresIn).setJti(crypto.randomUUID()).encrypt(encryptionSecret);
+}
+async function symmetricDecodeJWT(token, secret, salt) {
+	if (!token) return null;
+	try {
+		const { payload } = await jwtDecrypt(token, async ({ kid }) => {
+			const encryptionSecret = hkdf(sha256, new TextEncoder().encode(secret), new TextEncoder().encode(salt), info, 64);
+			if (kid === void 0) return encryptionSecret;
+			if (kid === await calculateJwkThumbprint({
+				kty: "oct",
+				k: encode(encryptionSecret)
+			}, "sha256")) return encryptionSecret;
+			throw new Error("no matching decryption secret");
+		}, {
+			clockTolerance: 15,
+			keyManagementAlgorithms: [alg],
+			contentEncryptionAlgorithms: [enc, "A256GCM"]
+		});
+		return payload;
+	} catch (error) {
+		return null;
+	}
+}
+const hexadecimal = "0123456789abcdef";
+const hex = {
+	encode: (data) => {
+		if (typeof data === "string") data = new TextEncoder().encode(data);
+		if (data.byteLength === 0) return "";
+		const buffer = new Uint8Array(data);
+		let result = "";
+		for (const byte of buffer) result += byte.toString(16).padStart(2, "0");
+		return result;
+	},
+	decode: (data) => {
+		if (!data) return "";
+		if (typeof data === "string") {
+			if (data.length % 2 !== 0) throw new Error("Invalid hexadecimal string");
+			if (!(/* @__PURE__ */ new RegExp(`^[${hexadecimal}]+$`)).test(data)) throw new Error("Invalid hexadecimal string");
+			const result = new Uint8Array(data.length / 2);
+			for (let i = 0; i < data.length; i += 2) result[i / 2] = parseInt(data.slice(i, i + 2), 16);
+			return new TextDecoder().decode(result);
+		}
+		return new TextDecoder().decode(data);
+	}
+};
+
+//#endregion
+//#region ../../node_modules/.pnpm/@noble+ciphers@2.0.1/node_modules/@noble/ciphers/utils.js
+/**
+* Utilities for hex, bytes, CSPRNG.
+* @module
+*/
+/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */
+/** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
+function isBytes(a) {
+	return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
+}
+/** Asserts something is boolean. */
+function abool(b) {
+	if (typeof b !== "boolean") throw new Error(`boolean expected, not ${b}`);
+}
+/** Asserts something is positive integer. */
+function anumber$1(n) {
+	if (!Number.isSafeInteger(n) || n < 0) throw new Error("positive integer expected, got " + n);
+}
+/** Asserts something is Uint8Array. */
+function abytes(value, length, title = "") {
+	const bytes = isBytes(value);
+	const len = value?.length;
+	const needsLen = length !== void 0;
+	if (!bytes || needsLen && len !== length) {
+		const prefix = title && `"${title}" `;
+		const ofLen = needsLen ? ` of length ${length}` : "";
+		const got = bytes ? `length=${len}` : `type=${typeof value}`;
+		throw new Error(prefix + "expected Uint8Array" + ofLen + ", got " + got);
+	}
+	return value;
+}
+/** Asserts a hash instance has not been destroyed / finished */
+function aexists(instance, checkFinished = true) {
+	if (instance.destroyed) throw new Error("Hash instance has been destroyed");
+	if (checkFinished && instance.finished) throw new Error("Hash#digest() has already been called");
+}
+/** Asserts output is properly-sized byte array */
+function aoutput(out, instance) {
+	abytes(out, void 0, "output");
+	const min = instance.outputLen;
+	if (out.length < min) throw new Error("digestInto() expects output buffer of length at least " + min);
+}
+/** Cast u8 / u16 / u32 to u32. */
+function u32$1(arr) {
+	return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
+}
+/** Zeroize a byte array. Warning: JS provides no guarantees. */
+function clean$1(...arrays) {
+	for (let i = 0; i < arrays.length; i++) arrays[i].fill(0);
+}
+/** Create DataView of an array for easy byte-level manipulation. */
+function createView$1(arr) {
+	return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
+}
+/** Is current platform little-endian? Most are. Big-Endian platform: IBM */
+const isLE = /* @__PURE__ */ (() => new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68)();
+const hasHexBuiltin = /* @__PURE__ */ (() => typeof Uint8Array.from([]).toHex === "function" && typeof Uint8Array.fromHex === "function")();
+const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, "0"));
+/**
+* Convert byte array to hex string. Uses built-in function, when available.
+* @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'
+*/
+function bytesToHex(bytes) {
+	abytes(bytes);
+	if (hasHexBuiltin) return bytes.toHex();
+	let hex$1 = "";
+	for (let i = 0; i < bytes.length; i++) hex$1 += hexes[bytes[i]];
+	return hex$1;
+}
+const asciis = {
+	_0: 48,
+	_9: 57,
+	A: 65,
+	F: 70,
+	a: 97,
+	f: 102
+};
+function asciiToBase16(ch) {
+	if (ch >= asciis._0 && ch <= asciis._9) return ch - asciis._0;
+	if (ch >= asciis.A && ch <= asciis.F) return ch - (asciis.A - 10);
+	if (ch >= asciis.a && ch <= asciis.f) return ch - (asciis.a - 10);
+}
+/**
+* Convert hex string to byte array. Uses built-in function, when available.
+* @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])
+*/
+function hexToBytes(hex$1) {
+	if (typeof hex$1 !== "string") throw new Error("hex string expected, got " + typeof hex$1);
+	if (hasHexBuiltin) return Uint8Array.fromHex(hex$1);
+	const hl = hex$1.length;
+	const al = hl / 2;
+	if (hl % 2) throw new Error("hex string expected, got unpadded hex of length " + hl);
+	const array = new Uint8Array(al);
+	for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
+		const n1 = asciiToBase16(hex$1.charCodeAt(hi));
+		const n2 = asciiToBase16(hex$1.charCodeAt(hi + 1));
+		if (n1 === void 0 || n2 === void 0) {
+			const char = hex$1[hi] + hex$1[hi + 1];
+			throw new Error("hex string expected, got non-hex character \"" + char + "\" at index " + hi);
+		}
+		array[ai] = n1 * 16 + n2;
+	}
+	return array;
+}
+/**
+* Converts string to bytes using UTF8 encoding.
+* @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])
+*/
+function utf8ToBytes(str) {
+	if (typeof str !== "string") throw new Error("string expected");
+	return new Uint8Array(new TextEncoder().encode(str));
+}
+/**
+* Copies several Uint8Arrays into one.
+*/
+function concatBytes(...arrays) {
+	let sum = 0;
+	for (let i = 0; i < arrays.length; i++) {
+		const a = arrays[i];
+		abytes(a);
+		sum += a.length;
+	}
+	const res = new Uint8Array(sum);
+	for (let i = 0, pad = 0; i < arrays.length; i++) {
+		const a = arrays[i];
+		res.set(a, pad);
+		pad += a.length;
+	}
+	return res;
+}
+function checkOpts$1(defaults, opts) {
+	if (opts == null || typeof opts !== "object") throw new Error("options must be defined");
+	return Object.assign(defaults, opts);
+}
+/** Compares 2 uint8array-s in kinda constant time. */
+function equalBytes(a, b) {
+	if (a.length !== b.length) return false;
+	let diff = 0;
+	for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+	return diff === 0;
+}
+/**
+* Wraps a cipher: validates args, ensures encrypt() can only be called once.
+* @__NO_SIDE_EFFECTS__
+*/
+const wrapCipher = (params, constructor) => {
+	function wrappedCipher(key, ...args) {
+		abytes(key, void 0, "key");
+		if (!isLE) throw new Error("Non little-endian hardware is not yet supported");
+		if (params.nonceLength !== void 0) {
+			const nonce = args[0];
+			abytes(nonce, params.varSizeNonce ? void 0 : params.nonceLength, "nonce");
+		}
+		const tagl = params.tagLength;
+		if (tagl && args[1] !== void 0) abytes(args[1], void 0, "AAD");
+		const cipher = constructor(key, ...args);
+		const checkOutput = (fnLength, output) => {
+			if (output !== void 0) {
+				if (fnLength !== 2) throw new Error("cipher output not supported");
+				abytes(output, void 0, "output");
+			}
+		};
+		let called = false;
+		return {
+			encrypt(data, output) {
+				if (called) throw new Error("cannot encrypt() twice with same key + nonce");
+				called = true;
+				abytes(data);
+				checkOutput(cipher.encrypt.length, output);
+				return cipher.encrypt(data, output);
+			},
+			decrypt(data, output) {
+				abytes(data);
+				if (tagl && data.length < tagl) throw new Error("\"ciphertext\" expected length bigger than tagLength=" + tagl);
+				checkOutput(cipher.decrypt.length, output);
+				return cipher.decrypt(data, output);
+			}
+		};
+	}
+	Object.assign(wrappedCipher, params);
+	return wrappedCipher;
+};
+/**
+* By default, returns u8a of length.
+* When out is available, it checks it for validity and uses it.
+*/
+function getOutput(expectedLength, out, onlyAligned = true) {
+	if (out === void 0) return new Uint8Array(expectedLength);
+	if (out.length !== expectedLength) throw new Error("\"output\" expected Uint8Array of length " + expectedLength + ", got: " + out.length);
+	if (onlyAligned && !isAligned32$1(out)) throw new Error("invalid output, must be aligned");
+	return out;
+}
+function u64Lengths(dataLength, aadLength, isLE$2) {
+	abool(isLE$2);
+	const num = new Uint8Array(16);
+	const view = createView$1(num);
+	view.setBigUint64(0, BigInt(aadLength), isLE$2);
+	view.setBigUint64(8, BigInt(dataLength), isLE$2);
+	return num;
+}
+function isAligned32$1(bytes) {
+	return bytes.byteOffset % 4 === 0;
+}
+function copyBytes(bytes) {
+	return Uint8Array.from(bytes);
+}
+/** Cryptographically secure PRNG. Uses internal OS-level `crypto.getRandomValues`. */
+function randomBytes(bytesLength = 32) {
+	const cr = typeof globalThis === "object" ? globalThis.crypto : null;
+	if (typeof cr?.getRandomValues !== "function") throw new Error("crypto.getRandomValues must be defined");
+	return cr.getRandomValues(new Uint8Array(bytesLength));
+}
+/**
+* Uses CSPRG for nonce, nonce injected in ciphertext.
+* For `encrypt`, a `nonceBytes`-length buffer is fetched from CSPRNG and
+* prepended to encrypted ciphertext. For `decrypt`, first `nonceBytes` of ciphertext
+* are treated as nonce.
+*
+* NOTE: Under the same key, using random nonces (e.g. `managedNonce`) with AES-GCM and ChaCha
+* should be limited to `2**23` (8M) messages to get a collision chance of `2**-50`. Stretching to  * `2**32` (4B) messages, chance would become `2**-33` - still negligible, but creeping up.
+* @example
+* const gcm = managedNonce(aes.gcm);
+* const ciphr = gcm(key).encrypt(data);
+* const plain = gcm(key).decrypt(ciph);
+*/
+function managedNonce(fn, randomBytes_ = randomBytes) {
+	const { nonceLength } = fn;
+	anumber$1(nonceLength);
+	const addNonce = (nonce, ciphertext) => {
+		const out = concatBytes(nonce, ciphertext);
+		ciphertext.fill(0);
+		return out;
+	};
+	return ((key, ...args) => ({
+		encrypt(plaintext) {
+			abytes(plaintext);
+			const nonce = randomBytes_(nonceLength);
+			const encrypted = fn(key, nonce, ...args).encrypt(plaintext);
+			if (encrypted instanceof Promise) return encrypted.then((ct) => addNonce(nonce, ct));
+			return addNonce(nonce, encrypted);
+		},
+		decrypt(ciphertext) {
+			abytes(ciphertext);
+			const nonce = ciphertext.subarray(0, nonceLength);
+			const decrypted = ciphertext.subarray(nonceLength);
+			return fn(key, nonce, ...args).decrypt(decrypted);
+		}
+	}));
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/@noble+ciphers@2.0.1/node_modules/@noble/ciphers/_arx.js
+/**
+* Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers.
+
+RFC8439 requires multi-step cipher stream, where
+authKey starts with counter: 0, actual msg with counter: 1.
+
+For this, we need a way to re-use nonce / counter:
+
+const counter = new Uint8Array(4);
+chacha(..., counter, ...); // counter is now 1
+chacha(..., counter, ...); // counter is now 2
+
+This is complicated:
+
+- 32-bit counters are enough, no need for 64-bit: max ArrayBuffer size in JS is 4GB
+- Original papers don't allow mutating counters
+- Counter overflow is undefined [^1]
+- Idea A: allow providing (nonce | counter) instead of just nonce, re-use it
+- Caveat: Cannot be re-used through all cases:
+- * chacha has (counter | nonce)
+- * xchacha has (nonce16 | counter | nonce16)
+- Idea B: separate nonce / counter and provide separate API for counter re-use
+- Caveat: there are different counter sizes depending on an algorithm.
+- salsa & chacha also differ in structures of key & sigma:
+salsa20:      s[0] | k(4) | s[1] | nonce(2) | cnt(2) | s[2] | k(4) | s[3]
+chacha:       s(4) | k(8) | cnt(1) | nonce(3)
+chacha20orig: s(4) | k(8) | cnt(2) | nonce(2)
+- Idea C: helper method such as `setSalsaState(key, nonce, sigma, data)`
+- Caveat: we can't re-use counter array
+
+xchacha [^2] uses the subkey and remaining 8 byte nonce with ChaCha20 as normal
+(prefixed by 4 NUL bytes, since [RFC8439] specifies a 12-byte nonce).
+
+[^1]: https://mailarchive.ietf.org/arch/msg/cfrg/gsOnTJzcbgG6OqD8Sc0GO5aR_tU/
+[^2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha#appendix-A.2
+
+* @module
+*/
+const encodeStr = (str) => Uint8Array.from(str.split(""), (c) => c.charCodeAt(0));
+const sigma16 = encodeStr("expand 16-byte k");
+const sigma32 = encodeStr("expand 32-byte k");
+const sigma16_32 = u32$1(sigma16);
+const sigma32_32 = u32$1(sigma32);
+/** Rotate left. */
+function rotl$1(a, b) {
+	return a << b | a >>> 32 - b;
+}
+function isAligned32(b) {
+	return b.byteOffset % 4 === 0;
+}
+const BLOCK_LEN = 64;
+const BLOCK_LEN32 = 16;
+const MAX_COUNTER = 2 ** 32 - 1;
+const U32_EMPTY = Uint32Array.of();
+function runCipher(core, sigma, key, nonce, data, output, counter, rounds) {
+	const len = data.length;
+	const block = new Uint8Array(BLOCK_LEN);
+	const b32 = u32$1(block);
+	const isAligned = isAligned32(data) && isAligned32(output);
+	const d32 = isAligned ? u32$1(data) : U32_EMPTY;
+	const o32 = isAligned ? u32$1(output) : U32_EMPTY;
+	for (let pos = 0; pos < len; counter++) {
+		core(sigma, key, nonce, b32, counter, rounds);
+		if (counter >= MAX_COUNTER) throw new Error("arx: counter overflow");
+		const take = Math.min(BLOCK_LEN, len - pos);
+		if (isAligned && take === BLOCK_LEN) {
+			const pos32 = pos / 4;
+			if (pos % 4 !== 0) throw new Error("arx: invalid block position");
+			for (let j = 0, posj; j < BLOCK_LEN32; j++) {
+				posj = pos32 + j;
+				o32[posj] = d32[posj] ^ b32[j];
+			}
+			pos += BLOCK_LEN;
+			continue;
+		}
+		for (let j = 0, posj; j < take; j++) {
+			posj = pos + j;
+			output[posj] = data[posj] ^ block[j];
+		}
+		pos += take;
+	}
+}
+/** Creates ARX-like (ChaCha, Salsa) cipher stream from core function. */
+function createCipher(core, opts) {
+	const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = checkOpts$1({
+		allowShortKeys: false,
+		counterLength: 8,
+		counterRight: false,
+		rounds: 20
+	}, opts);
+	if (typeof core !== "function") throw new Error("core must be a function");
+	anumber$1(counterLength);
+	anumber$1(rounds);
+	abool(counterRight);
+	abool(allowShortKeys);
+	return (key, nonce, data, output, counter = 0) => {
+		abytes(key, void 0, "key");
+		abytes(nonce, void 0, "nonce");
+		abytes(data, void 0, "data");
+		const len = data.length;
+		if (output === void 0) output = new Uint8Array(len);
+		abytes(output, void 0, "output");
+		anumber$1(counter);
+		if (counter < 0 || counter >= MAX_COUNTER) throw new Error("arx: counter overflow");
+		if (output.length < len) throw new Error(`arx: output (${output.length}) is shorter than data (${len})`);
+		const toClean = [];
+		let l = key.length;
+		let k;
+		let sigma;
+		if (l === 32) {
+			toClean.push(k = copyBytes(key));
+			sigma = sigma32_32;
+		} else if (l === 16 && allowShortKeys) {
+			k = new Uint8Array(32);
+			k.set(key);
+			k.set(key, 16);
+			sigma = sigma16_32;
+			toClean.push(k);
+		} else {
+			abytes(key, 32, "arx key");
+			throw new Error("invalid key size");
+		}
+		if (!isAligned32(nonce)) toClean.push(nonce = copyBytes(nonce));
+		const k32 = u32$1(k);
+		if (extendNonceFn) {
+			if (nonce.length !== 24) throw new Error(`arx: extended nonce must be 24 bytes`);
+			extendNonceFn(sigma, k32, u32$1(nonce.subarray(0, 16)), k32);
+			nonce = nonce.subarray(16);
+		}
+		const nonceNcLen = 16 - counterLength;
+		if (nonceNcLen !== nonce.length) throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`);
+		if (nonceNcLen !== 12) {
+			const nc = new Uint8Array(12);
+			nc.set(nonce, counterRight ? 0 : 12 - nonce.length);
+			nonce = nc;
+			toClean.push(nonce);
+		}
+		const n32 = u32$1(nonce);
+		runCipher(core, sigma, k32, n32, data, output, counter, rounds);
+		clean$1(...toClean);
+		return output;
+	};
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/@noble+ciphers@2.0.1/node_modules/@noble/ciphers/_poly1305.js
+/**
+* Poly1305 ([PDF](https://cr.yp.to/mac/poly1305-20050329.pdf),
+* [wiki](https://en.wikipedia.org/wiki/Poly1305))
+* is a fast and parallel secret-key message-authentication code suitable for
+* a wide variety of applications. It was standardized in
+* [RFC 8439](https://www.rfc-editor.org/rfc/rfc8439) and is now used in TLS 1.3.
+*
+* Polynomial MACs are not perfect for every situation:
+* they lack Random Key Robustness: the MAC can be forged, and can't be used in PAKE schemes.
+* See [invisible salamanders attack](https://keymaterial.net/2020/09/07/invisible-salamanders-in-aes-gcm-siv/).
+* To combat invisible salamanders, `hash(key)` can be included in ciphertext,
+* however, this would violate ciphertext indistinguishability:
+* an attacker would know which key was used - so `HKDF(key, i)`
+* could be used instead.
+*
+* Check out [original website](https://cr.yp.to/mac.html).
+* Based on Public Domain [poly1305-donna](https://github.com/floodyberry/poly1305-donna).
+* @module
+*/
+function u8to16(a, i) {
+	return a[i++] & 255 | (a[i++] & 255) << 8;
+}
+/** Poly1305 class. Prefer poly1305() function instead. */
+var Poly1305 = class {
+	blockLen = 16;
+	outputLen = 16;
+	buffer = new Uint8Array(16);
+	r = new Uint16Array(10);
+	h = new Uint16Array(10);
+	pad = new Uint16Array(8);
+	pos = 0;
+	finished = false;
+	constructor(key) {
+		key = copyBytes(abytes(key, 32, "key"));
+		const t0 = u8to16(key, 0);
+		const t1 = u8to16(key, 2);
+		const t2 = u8to16(key, 4);
+		const t3 = u8to16(key, 6);
+		const t4 = u8to16(key, 8);
+		const t5 = u8to16(key, 10);
+		const t6 = u8to16(key, 12);
+		const t7 = u8to16(key, 14);
+		this.r[0] = t0 & 8191;
+		this.r[1] = (t0 >>> 13 | t1 << 3) & 8191;
+		this.r[2] = (t1 >>> 10 | t2 << 6) & 7939;
+		this.r[3] = (t2 >>> 7 | t3 << 9) & 8191;
+		this.r[4] = (t3 >>> 4 | t4 << 12) & 255;
+		this.r[5] = t4 >>> 1 & 8190;
+		this.r[6] = (t4 >>> 14 | t5 << 2) & 8191;
+		this.r[7] = (t5 >>> 11 | t6 << 5) & 8065;
+		this.r[8] = (t6 >>> 8 | t7 << 8) & 8191;
+		this.r[9] = t7 >>> 5 & 127;
+		for (let i = 0; i < 8; i++) this.pad[i] = u8to16(key, 16 + 2 * i);
+	}
+	process(data, offset, isLast = false) {
+		const hibit = isLast ? 0 : 2048;
+		const { h, r } = this;
+		const r0 = r[0];
+		const r1 = r[1];
+		const r2 = r[2];
+		const r3 = r[3];
+		const r4 = r[4];
+		const r5 = r[5];
+		const r6 = r[6];
+		const r7 = r[7];
+		const r8 = r[8];
+		const r9 = r[9];
+		const t0 = u8to16(data, offset + 0);
+		const t1 = u8to16(data, offset + 2);
+		const t2 = u8to16(data, offset + 4);
+		const t3 = u8to16(data, offset + 6);
+		const t4 = u8to16(data, offset + 8);
+		const t5 = u8to16(data, offset + 10);
+		const t6 = u8to16(data, offset + 12);
+		const t7 = u8to16(data, offset + 14);
+		let h0 = h[0] + (t0 & 8191);
+		let h1 = h[1] + ((t0 >>> 13 | t1 << 3) & 8191);
+		let h2 = h[2] + ((t1 >>> 10 | t2 << 6) & 8191);
+		let h3 = h[3] + ((t2 >>> 7 | t3 << 9) & 8191);
+		let h4 = h[4] + ((t3 >>> 4 | t4 << 12) & 8191);
+		let h5 = h[5] + (t4 >>> 1 & 8191);
+		let h6 = h[6] + ((t4 >>> 14 | t5 << 2) & 8191);
+		let h7 = h[7] + ((t5 >>> 11 | t6 << 5) & 8191);
+		let h8 = h[8] + ((t6 >>> 8 | t7 << 8) & 8191);
+		let h9 = h[9] + (t7 >>> 5 | hibit);
+		let c = 0;
+		let d0 = c + h0 * r0 + h1 * (5 * r9) + h2 * (5 * r8) + h3 * (5 * r7) + h4 * (5 * r6);
+		c = d0 >>> 13;
+		d0 &= 8191;
+		d0 += h5 * (5 * r5) + h6 * (5 * r4) + h7 * (5 * r3) + h8 * (5 * r2) + h9 * (5 * r1);
+		c += d0 >>> 13;
+		d0 &= 8191;
+		let d1 = c + h0 * r1 + h1 * r0 + h2 * (5 * r9) + h3 * (5 * r8) + h4 * (5 * r7);
+		c = d1 >>> 13;
+		d1 &= 8191;
+		d1 += h5 * (5 * r6) + h6 * (5 * r5) + h7 * (5 * r4) + h8 * (5 * r3) + h9 * (5 * r2);
+		c += d1 >>> 13;
+		d1 &= 8191;
+		let d2 = c + h0 * r2 + h1 * r1 + h2 * r0 + h3 * (5 * r9) + h4 * (5 * r8);
+		c = d2 >>> 13;
+		d2 &= 8191;
+		d2 += h5 * (5 * r7) + h6 * (5 * r6) + h7 * (5 * r5) + h8 * (5 * r4) + h9 * (5 * r3);
+		c += d2 >>> 13;
+		d2 &= 8191;
+		let d3 = c + h0 * r3 + h1 * r2 + h2 * r1 + h3 * r0 + h4 * (5 * r9);
+		c = d3 >>> 13;
+		d3 &= 8191;
+		d3 += h5 * (5 * r8) + h6 * (5 * r7) + h7 * (5 * r6) + h8 * (5 * r5) + h9 * (5 * r4);
+		c += d3 >>> 13;
+		d3 &= 8191;
+		let d4 = c + h0 * r4 + h1 * r3 + h2 * r2 + h3 * r1 + h4 * r0;
+		c = d4 >>> 13;
+		d4 &= 8191;
+		d4 += h5 * (5 * r9) + h6 * (5 * r8) + h7 * (5 * r7) + h8 * (5 * r6) + h9 * (5 * r5);
+		c += d4 >>> 13;
+		d4 &= 8191;
+		let d5 = c + h0 * r5 + h1 * r4 + h2 * r3 + h3 * r2 + h4 * r1;
+		c = d5 >>> 13;
+		d5 &= 8191;
+		d5 += h5 * r0 + h6 * (5 * r9) + h7 * (5 * r8) + h8 * (5 * r7) + h9 * (5 * r6);
+		c += d5 >>> 13;
+		d5 &= 8191;
+		let d6 = c + h0 * r6 + h1 * r5 + h2 * r4 + h3 * r3 + h4 * r2;
+		c = d6 >>> 13;
+		d6 &= 8191;
+		d6 += h5 * r1 + h6 * r0 + h7 * (5 * r9) + h8 * (5 * r8) + h9 * (5 * r7);
+		c += d6 >>> 13;
+		d6 &= 8191;
+		let d7 = c + h0 * r7 + h1 * r6 + h2 * r5 + h3 * r4 + h4 * r3;
+		c = d7 >>> 13;
+		d7 &= 8191;
+		d7 += h5 * r2 + h6 * r1 + h7 * r0 + h8 * (5 * r9) + h9 * (5 * r8);
+		c += d7 >>> 13;
+		d7 &= 8191;
+		let d8 = c + h0 * r8 + h1 * r7 + h2 * r6 + h3 * r5 + h4 * r4;
+		c = d8 >>> 13;
+		d8 &= 8191;
+		d8 += h5 * r3 + h6 * r2 + h7 * r1 + h8 * r0 + h9 * (5 * r9);
+		c += d8 >>> 13;
+		d8 &= 8191;
+		let d9 = c + h0 * r9 + h1 * r8 + h2 * r7 + h3 * r6 + h4 * r5;
+		c = d9 >>> 13;
+		d9 &= 8191;
+		d9 += h5 * r4 + h6 * r3 + h7 * r2 + h8 * r1 + h9 * r0;
+		c += d9 >>> 13;
+		d9 &= 8191;
+		c = (c << 2) + c | 0;
+		c = c + d0 | 0;
+		d0 = c & 8191;
+		c = c >>> 13;
+		d1 += c;
+		h[0] = d0;
+		h[1] = d1;
+		h[2] = d2;
+		h[3] = d3;
+		h[4] = d4;
+		h[5] = d5;
+		h[6] = d6;
+		h[7] = d7;
+		h[8] = d8;
+		h[9] = d9;
+	}
+	finalize() {
+		const { h, pad } = this;
+		const g = new Uint16Array(10);
+		let c = h[1] >>> 13;
+		h[1] &= 8191;
+		for (let i = 2; i < 10; i++) {
+			h[i] += c;
+			c = h[i] >>> 13;
+			h[i] &= 8191;
+		}
+		h[0] += c * 5;
+		c = h[0] >>> 13;
+		h[0] &= 8191;
+		h[1] += c;
+		c = h[1] >>> 13;
+		h[1] &= 8191;
+		h[2] += c;
+		g[0] = h[0] + 5;
+		c = g[0] >>> 13;
+		g[0] &= 8191;
+		for (let i = 1; i < 10; i++) {
+			g[i] = h[i] + c;
+			c = g[i] >>> 13;
+			g[i] &= 8191;
+		}
+		g[9] -= 8192;
+		let mask = (c ^ 1) - 1;
+		for (let i = 0; i < 10; i++) g[i] &= mask;
+		mask = ~mask;
+		for (let i = 0; i < 10; i++) h[i] = h[i] & mask | g[i];
+		h[0] = (h[0] | h[1] << 13) & 65535;
+		h[1] = (h[1] >>> 3 | h[2] << 10) & 65535;
+		h[2] = (h[2] >>> 6 | h[3] << 7) & 65535;
+		h[3] = (h[3] >>> 9 | h[4] << 4) & 65535;
+		h[4] = (h[4] >>> 12 | h[5] << 1 | h[6] << 14) & 65535;
+		h[5] = (h[6] >>> 2 | h[7] << 11) & 65535;
+		h[6] = (h[7] >>> 5 | h[8] << 8) & 65535;
+		h[7] = (h[8] >>> 8 | h[9] << 5) & 65535;
+		let f = h[0] + pad[0];
+		h[0] = f & 65535;
+		for (let i = 1; i < 8; i++) {
+			f = (h[i] + pad[i] | 0) + (f >>> 16) | 0;
+			h[i] = f & 65535;
+		}
+		clean$1(g);
+	}
+	update(data) {
+		aexists(this);
+		abytes(data);
+		data = copyBytes(data);
+		const { buffer, blockLen } = this;
+		const len = data.length;
+		for (let pos = 0; pos < len;) {
+			const take = Math.min(blockLen - this.pos, len - pos);
+			if (take === blockLen) {
+				for (; blockLen <= len - pos; pos += blockLen) this.process(data, pos);
+				continue;
+			}
+			buffer.set(data.subarray(pos, pos + take), this.pos);
+			this.pos += take;
+			pos += take;
+			if (this.pos === blockLen) {
+				this.process(buffer, 0, false);
+				this.pos = 0;
+			}
+		}
+		return this;
+	}
+	destroy() {
+		clean$1(this.h, this.r, this.buffer, this.pad);
+	}
+	digestInto(out) {
+		aexists(this);
+		aoutput(out, this);
+		this.finished = true;
+		const { buffer, h } = this;
+		let { pos } = this;
+		if (pos) {
+			buffer[pos++] = 1;
+			for (; pos < 16; pos++) buffer[pos] = 0;
+			this.process(buffer, 0, true);
+		}
+		this.finalize();
+		let opos = 0;
+		for (let i = 0; i < 8; i++) {
+			out[opos++] = h[i] >>> 0;
+			out[opos++] = h[i] >>> 8;
+		}
+		return out;
+	}
+	digest() {
+		const { buffer, outputLen } = this;
+		this.digestInto(buffer);
+		const res = buffer.slice(0, outputLen);
+		this.destroy();
+		return res;
+	}
+};
+function wrapConstructorWithKey(hashCons) {
+	const hashC = (msg, key) => hashCons(key).update(msg).digest();
+	const tmp = hashCons(new Uint8Array(32));
+	hashC.outputLen = tmp.outputLen;
+	hashC.blockLen = tmp.blockLen;
+	hashC.create = (key) => hashCons(key);
+	return hashC;
+}
+/** Poly1305 MAC from RFC 8439. */
+const poly1305 = (() => wrapConstructorWithKey((key) => new Poly1305(key)))();
+
+//#endregion
+//#region ../../node_modules/.pnpm/@noble+ciphers@2.0.1/node_modules/@noble/ciphers/chacha.js
+/**
+* ChaCha stream cipher, released
+* in 2008. Developed after Salsa20, ChaCha aims to increase diffusion per round.
+* It was standardized in [RFC 8439](https://www.rfc-editor.org/rfc/rfc8439) and
+* is now used in TLS 1.3.
+*
+* [XChaCha20](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha)
+* extended-nonce variant is also provided. Similar to XSalsa, it's safe to use with
+* randomly-generated nonces.
+*
+* Check out [PDF](http://cr.yp.to/chacha/chacha-20080128.pdf) and
+* [wiki](https://en.wikipedia.org/wiki/Salsa20) and
+* [website](https://cr.yp.to/chacha.html).
+*
+* @module
+*/
+/** Identical to `chachaCore_small`. Unused. */
+function chachaCore(s, k, n, out, cnt, rounds = 20) {
+	let y00 = s[0], y01 = s[1], y02 = s[2], y03 = s[3], y04 = k[0], y05 = k[1], y06 = k[2], y07 = k[3], y08 = k[4], y09 = k[5], y10 = k[6], y11 = k[7], y12 = cnt, y13 = n[0], y14 = n[1], y15 = n[2];
+	let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15;
+	for (let r = 0; r < rounds; r += 2) {
+		x00 = x00 + x04 | 0;
+		x12 = rotl$1(x12 ^ x00, 16);
+		x08 = x08 + x12 | 0;
+		x04 = rotl$1(x04 ^ x08, 12);
+		x00 = x00 + x04 | 0;
+		x12 = rotl$1(x12 ^ x00, 8);
+		x08 = x08 + x12 | 0;
+		x04 = rotl$1(x04 ^ x08, 7);
+		x01 = x01 + x05 | 0;
+		x13 = rotl$1(x13 ^ x01, 16);
+		x09 = x09 + x13 | 0;
+		x05 = rotl$1(x05 ^ x09, 12);
+		x01 = x01 + x05 | 0;
+		x13 = rotl$1(x13 ^ x01, 8);
+		x09 = x09 + x13 | 0;
+		x05 = rotl$1(x05 ^ x09, 7);
+		x02 = x02 + x06 | 0;
+		x14 = rotl$1(x14 ^ x02, 16);
+		x10 = x10 + x14 | 0;
+		x06 = rotl$1(x06 ^ x10, 12);
+		x02 = x02 + x06 | 0;
+		x14 = rotl$1(x14 ^ x02, 8);
+		x10 = x10 + x14 | 0;
+		x06 = rotl$1(x06 ^ x10, 7);
+		x03 = x03 + x07 | 0;
+		x15 = rotl$1(x15 ^ x03, 16);
+		x11 = x11 + x15 | 0;
+		x07 = rotl$1(x07 ^ x11, 12);
+		x03 = x03 + x07 | 0;
+		x15 = rotl$1(x15 ^ x03, 8);
+		x11 = x11 + x15 | 0;
+		x07 = rotl$1(x07 ^ x11, 7);
+		x00 = x00 + x05 | 0;
+		x15 = rotl$1(x15 ^ x00, 16);
+		x10 = x10 + x15 | 0;
+		x05 = rotl$1(x05 ^ x10, 12);
+		x00 = x00 + x05 | 0;
+		x15 = rotl$1(x15 ^ x00, 8);
+		x10 = x10 + x15 | 0;
+		x05 = rotl$1(x05 ^ x10, 7);
+		x01 = x01 + x06 | 0;
+		x12 = rotl$1(x12 ^ x01, 16);
+		x11 = x11 + x12 | 0;
+		x06 = rotl$1(x06 ^ x11, 12);
+		x01 = x01 + x06 | 0;
+		x12 = rotl$1(x12 ^ x01, 8);
+		x11 = x11 + x12 | 0;
+		x06 = rotl$1(x06 ^ x11, 7);
+		x02 = x02 + x07 | 0;
+		x13 = rotl$1(x13 ^ x02, 16);
+		x08 = x08 + x13 | 0;
+		x07 = rotl$1(x07 ^ x08, 12);
+		x02 = x02 + x07 | 0;
+		x13 = rotl$1(x13 ^ x02, 8);
+		x08 = x08 + x13 | 0;
+		x07 = rotl$1(x07 ^ x08, 7);
+		x03 = x03 + x04 | 0;
+		x14 = rotl$1(x14 ^ x03, 16);
+		x09 = x09 + x14 | 0;
+		x04 = rotl$1(x04 ^ x09, 12);
+		x03 = x03 + x04 | 0;
+		x14 = rotl$1(x14 ^ x03, 8);
+		x09 = x09 + x14 | 0;
+		x04 = rotl$1(x04 ^ x09, 7);
+	}
+	let oi = 0;
+	out[oi++] = y00 + x00 | 0;
+	out[oi++] = y01 + x01 | 0;
+	out[oi++] = y02 + x02 | 0;
+	out[oi++] = y03 + x03 | 0;
+	out[oi++] = y04 + x04 | 0;
+	out[oi++] = y05 + x05 | 0;
+	out[oi++] = y06 + x06 | 0;
+	out[oi++] = y07 + x07 | 0;
+	out[oi++] = y08 + x08 | 0;
+	out[oi++] = y09 + x09 | 0;
+	out[oi++] = y10 + x10 | 0;
+	out[oi++] = y11 + x11 | 0;
+	out[oi++] = y12 + x12 | 0;
+	out[oi++] = y13 + x13 | 0;
+	out[oi++] = y14 + x14 | 0;
+	out[oi++] = y15 + x15 | 0;
+}
+/**
+* hchacha hashes key and nonce into key' and nonce' for xchacha20.
+* Identical to `hchacha_small`.
+* Need to find a way to merge it with `chachaCore` without 25% performance hit.
+*/
+function hchacha(s, k, i, out) {
+	let x00 = s[0], x01 = s[1], x02 = s[2], x03 = s[3], x04 = k[0], x05 = k[1], x06 = k[2], x07 = k[3], x08 = k[4], x09 = k[5], x10 = k[6], x11 = k[7], x12 = i[0], x13 = i[1], x14 = i[2], x15 = i[3];
+	for (let r = 0; r < 20; r += 2) {
+		x00 = x00 + x04 | 0;
+		x12 = rotl$1(x12 ^ x00, 16);
+		x08 = x08 + x12 | 0;
+		x04 = rotl$1(x04 ^ x08, 12);
+		x00 = x00 + x04 | 0;
+		x12 = rotl$1(x12 ^ x00, 8);
+		x08 = x08 + x12 | 0;
+		x04 = rotl$1(x04 ^ x08, 7);
+		x01 = x01 + x05 | 0;
+		x13 = rotl$1(x13 ^ x01, 16);
+		x09 = x09 + x13 | 0;
+		x05 = rotl$1(x05 ^ x09, 12);
+		x01 = x01 + x05 | 0;
+		x13 = rotl$1(x13 ^ x01, 8);
+		x09 = x09 + x13 | 0;
+		x05 = rotl$1(x05 ^ x09, 7);
+		x02 = x02 + x06 | 0;
+		x14 = rotl$1(x14 ^ x02, 16);
+		x10 = x10 + x14 | 0;
+		x06 = rotl$1(x06 ^ x10, 12);
+		x02 = x02 + x06 | 0;
+		x14 = rotl$1(x14 ^ x02, 8);
+		x10 = x10 + x14 | 0;
+		x06 = rotl$1(x06 ^ x10, 7);
+		x03 = x03 + x07 | 0;
+		x15 = rotl$1(x15 ^ x03, 16);
+		x11 = x11 + x15 | 0;
+		x07 = rotl$1(x07 ^ x11, 12);
+		x03 = x03 + x07 | 0;
+		x15 = rotl$1(x15 ^ x03, 8);
+		x11 = x11 + x15 | 0;
+		x07 = rotl$1(x07 ^ x11, 7);
+		x00 = x00 + x05 | 0;
+		x15 = rotl$1(x15 ^ x00, 16);
+		x10 = x10 + x15 | 0;
+		x05 = rotl$1(x05 ^ x10, 12);
+		x00 = x00 + x05 | 0;
+		x15 = rotl$1(x15 ^ x00, 8);
+		x10 = x10 + x15 | 0;
+		x05 = rotl$1(x05 ^ x10, 7);
+		x01 = x01 + x06 | 0;
+		x12 = rotl$1(x12 ^ x01, 16);
+		x11 = x11 + x12 | 0;
+		x06 = rotl$1(x06 ^ x11, 12);
+		x01 = x01 + x06 | 0;
+		x12 = rotl$1(x12 ^ x01, 8);
+		x11 = x11 + x12 | 0;
+		x06 = rotl$1(x06 ^ x11, 7);
+		x02 = x02 + x07 | 0;
+		x13 = rotl$1(x13 ^ x02, 16);
+		x08 = x08 + x13 | 0;
+		x07 = rotl$1(x07 ^ x08, 12);
+		x02 = x02 + x07 | 0;
+		x13 = rotl$1(x13 ^ x02, 8);
+		x08 = x08 + x13 | 0;
+		x07 = rotl$1(x07 ^ x08, 7);
+		x03 = x03 + x04 | 0;
+		x14 = rotl$1(x14 ^ x03, 16);
+		x09 = x09 + x14 | 0;
+		x04 = rotl$1(x04 ^ x09, 12);
+		x03 = x03 + x04 | 0;
+		x14 = rotl$1(x14 ^ x03, 8);
+		x09 = x09 + x14 | 0;
+		x04 = rotl$1(x04 ^ x09, 7);
+	}
+	let oi = 0;
+	out[oi++] = x00;
+	out[oi++] = x01;
+	out[oi++] = x02;
+	out[oi++] = x03;
+	out[oi++] = x12;
+	out[oi++] = x13;
+	out[oi++] = x14;
+	out[oi++] = x15;
+}
+/**
+* ChaCha stream cipher. Conforms to RFC 8439 (IETF, TLS). 12-byte nonce, 4-byte counter.
+* With smaller nonce, it's not safe to make it random (CSPRNG), due to collision chance.
+*/
+const chacha20 = /* @__PURE__ */ createCipher(chachaCore, {
+	counterRight: false,
+	counterLength: 4,
+	allowShortKeys: false
+});
+/**
+* XChaCha eXtended-nonce ChaCha. With 24-byte nonce, it's safe to make it random (CSPRNG).
+* See [IRTF draft](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha).
+*/
+const xchacha20 = /* @__PURE__ */ createCipher(chachaCore, {
+	counterRight: false,
+	counterLength: 8,
+	extendNonceFn: hchacha,
+	allowShortKeys: false
+});
+const ZEROS16 = /* @__PURE__ */ new Uint8Array(16);
+const updatePadded = (h, msg) => {
+	h.update(msg);
+	const leftover = msg.length % 16;
+	if (leftover) h.update(ZEROS16.subarray(leftover));
+};
+const ZEROS32 = /* @__PURE__ */ new Uint8Array(32);
+function computeTag(fn, key, nonce, ciphertext, AAD) {
+	if (AAD !== void 0) abytes(AAD, void 0, "AAD");
+	const authKey = fn(key, nonce, ZEROS32);
+	const lengths = u64Lengths(ciphertext.length, AAD ? AAD.length : 0, true);
+	const h = poly1305.create(authKey);
+	if (AAD) updatePadded(h, AAD);
+	updatePadded(h, ciphertext);
+	h.update(lengths);
+	const res = h.digest();
+	clean$1(authKey, lengths);
+	return res;
+}
+/**
+* AEAD algorithm from RFC 8439.
+* Salsa20 and chacha (RFC 8439) use poly1305 differently.
+* We could have composed them, but it's hard because of authKey:
+* In salsa20, authKey changes position in salsa stream.
+* In chacha, authKey can't be computed inside computeTag, it modifies the counter.
+*/
+const _poly1305_aead = (xorStream) => (key, nonce, AAD) => {
+	const tagLength = 16;
+	return {
+		encrypt(plaintext, output) {
+			const plength = plaintext.length;
+			output = getOutput(plength + tagLength, output, false);
+			output.set(plaintext);
+			const oPlain = output.subarray(0, -tagLength);
+			xorStream(key, nonce, oPlain, oPlain, 1);
+			const tag = computeTag(xorStream, key, nonce, oPlain, AAD);
+			output.set(tag, plength);
+			clean$1(tag);
+			return output;
+		},
+		decrypt(ciphertext, output) {
+			output = getOutput(ciphertext.length - tagLength, output, false);
+			const data = ciphertext.subarray(0, -tagLength);
+			const passedTag = ciphertext.subarray(-tagLength);
+			const tag = computeTag(xorStream, key, nonce, data, AAD);
+			if (!equalBytes(passedTag, tag)) throw new Error("invalid tag");
+			output.set(ciphertext.subarray(0, -tagLength));
+			xorStream(key, nonce, output, output, 1);
+			clean$1(tag);
+			return output;
+		}
+	};
+};
+/**
+* ChaCha20-Poly1305 from RFC 8439.
+*
+* Unsafe to use random nonces under the same key, due to collision chance.
+* Prefer XChaCha instead.
+*/
+const chacha20poly1305 = /* @__PURE__ */ wrapCipher({
+	blockSize: 64,
+	nonceLength: 12,
+	tagLength: 16
+}, _poly1305_aead(chacha20));
+/**
+* XChaCha20-Poly1305 extended-nonce chacha.
+*
+* Can be safely used with random nonces (CSPRNG).
+* See [IRTF draft](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha).
+*/
+const xchacha20poly1305 = /* @__PURE__ */ wrapCipher({
+	blockSize: 64,
+	nonceLength: 24,
+	tagLength: 16
+}, _poly1305_aead(xchacha20));
+
+//#endregion
+//#region ../../node_modules/.pnpm/@noble+hashes@2.0.1/node_modules/@noble/hashes/pbkdf2.js
+/**
+* PBKDF (RFC 2898). Can be used to create a key from password and salt.
+* @module
+*/
+function pbkdf2Init(hash, _password, _salt, _opts) {
+	ahash(hash);
+	const { c, dkLen, asyncTick } = checkOpts({
+		dkLen: 32,
+		asyncTick: 10
+	}, _opts);
+	anumber(c, "c");
+	anumber(dkLen, "dkLen");
+	anumber(asyncTick, "asyncTick");
+	if (c < 1) throw new Error("iterations (c) must be >= 1");
+	const password = kdfInputToBytes(_password, "password");
+	const salt = kdfInputToBytes(_salt, "salt");
+	const DK = new Uint8Array(dkLen);
+	const PRF = hmac.create(hash, password);
+	return {
+		c,
+		dkLen,
+		asyncTick,
+		DK,
+		PRF,
+		PRFSalt: PRF._cloneInto().update(salt)
+	};
+}
+function pbkdf2Output(PRF, PRFSalt, DK, prfW, u) {
+	PRF.destroy();
+	PRFSalt.destroy();
+	if (prfW) prfW.destroy();
+	clean(u);
+	return DK;
+}
+/**
+* PBKDF2-HMAC: RFC 2898 key derivation function
+* @param hash - hash function that would be used e.g. sha256
+* @param password - password from which a derived key is generated
+* @param salt - cryptographic salt
+* @param opts - {c, dkLen} where c is work factor and dkLen is output message size
+* @example
+* const key = pbkdf2(sha256, 'password', 'salt', { dkLen: 32, c: Math.pow(2, 18) });
+*/
+function pbkdf2(hash, password, salt, opts) {
+	const { c, dkLen, DK, PRF, PRFSalt } = pbkdf2Init(hash, password, salt, opts);
+	let prfW;
+	const arr = new Uint8Array(4);
+	const view = createView(arr);
+	const u = new Uint8Array(PRF.outputLen);
+	for (let ti = 1, pos = 0; pos < dkLen; ti++, pos += PRF.outputLen) {
+		const Ti = DK.subarray(pos, pos + PRF.outputLen);
+		view.setInt32(0, ti, false);
+		(prfW = PRFSalt._cloneInto(prfW)).update(arr).digestInto(u);
+		Ti.set(u.subarray(0, Ti.length));
+		for (let ui = 1; ui < c; ui++) {
+			PRF._cloneInto(prfW).update(u).digestInto(u);
+			for (let i = 0; i < Ti.length; i++) Ti[i] ^= u[i];
+		}
+	}
+	return pbkdf2Output(PRF, PRFSalt, DK, prfW, u);
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/@noble+hashes@2.0.1/node_modules/@noble/hashes/scrypt.js
+/**
+* RFC 7914 Scrypt KDF. Can be used to create a key from password and salt.
+* @module
+*/
+function XorAndSalsa(prev, pi, input, ii, out, oi) {
+	let y00 = prev[pi++] ^ input[ii++], y01 = prev[pi++] ^ input[ii++];
+	let y02 = prev[pi++] ^ input[ii++], y03 = prev[pi++] ^ input[ii++];
+	let y04 = prev[pi++] ^ input[ii++], y05 = prev[pi++] ^ input[ii++];
+	let y06 = prev[pi++] ^ input[ii++], y07 = prev[pi++] ^ input[ii++];
+	let y08 = prev[pi++] ^ input[ii++], y09 = prev[pi++] ^ input[ii++];
+	let y10 = prev[pi++] ^ input[ii++], y11 = prev[pi++] ^ input[ii++];
+	let y12 = prev[pi++] ^ input[ii++], y13 = prev[pi++] ^ input[ii++];
+	let y14 = prev[pi++] ^ input[ii++], y15 = prev[pi++] ^ input[ii++];
+	let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15;
+	for (let i = 0; i < 8; i += 2) {
+		x04 ^= rotl(x00 + x12 | 0, 7);
+		x08 ^= rotl(x04 + x00 | 0, 9);
+		x12 ^= rotl(x08 + x04 | 0, 13);
+		x00 ^= rotl(x12 + x08 | 0, 18);
+		x09 ^= rotl(x05 + x01 | 0, 7);
+		x13 ^= rotl(x09 + x05 | 0, 9);
+		x01 ^= rotl(x13 + x09 | 0, 13);
+		x05 ^= rotl(x01 + x13 | 0, 18);
+		x14 ^= rotl(x10 + x06 | 0, 7);
+		x02 ^= rotl(x14 + x10 | 0, 9);
+		x06 ^= rotl(x02 + x14 | 0, 13);
+		x10 ^= rotl(x06 + x02 | 0, 18);
+		x03 ^= rotl(x15 + x11 | 0, 7);
+		x07 ^= rotl(x03 + x15 | 0, 9);
+		x11 ^= rotl(x07 + x03 | 0, 13);
+		x15 ^= rotl(x11 + x07 | 0, 18);
+		x01 ^= rotl(x00 + x03 | 0, 7);
+		x02 ^= rotl(x01 + x00 | 0, 9);
+		x03 ^= rotl(x02 + x01 | 0, 13);
+		x00 ^= rotl(x03 + x02 | 0, 18);
+		x06 ^= rotl(x05 + x04 | 0, 7);
+		x07 ^= rotl(x06 + x05 | 0, 9);
+		x04 ^= rotl(x07 + x06 | 0, 13);
+		x05 ^= rotl(x04 + x07 | 0, 18);
+		x11 ^= rotl(x10 + x09 | 0, 7);
+		x08 ^= rotl(x11 + x10 | 0, 9);
+		x09 ^= rotl(x08 + x11 | 0, 13);
+		x10 ^= rotl(x09 + x08 | 0, 18);
+		x12 ^= rotl(x15 + x14 | 0, 7);
+		x13 ^= rotl(x12 + x15 | 0, 9);
+		x14 ^= rotl(x13 + x12 | 0, 13);
+		x15 ^= rotl(x14 + x13 | 0, 18);
+	}
+	out[oi++] = y00 + x00 | 0;
+	out[oi++] = y01 + x01 | 0;
+	out[oi++] = y02 + x02 | 0;
+	out[oi++] = y03 + x03 | 0;
+	out[oi++] = y04 + x04 | 0;
+	out[oi++] = y05 + x05 | 0;
+	out[oi++] = y06 + x06 | 0;
+	out[oi++] = y07 + x07 | 0;
+	out[oi++] = y08 + x08 | 0;
+	out[oi++] = y09 + x09 | 0;
+	out[oi++] = y10 + x10 | 0;
+	out[oi++] = y11 + x11 | 0;
+	out[oi++] = y12 + x12 | 0;
+	out[oi++] = y13 + x13 | 0;
+	out[oi++] = y14 + x14 | 0;
+	out[oi++] = y15 + x15 | 0;
+}
+function BlockMix(input, ii, out, oi, r) {
+	let head = oi + 0;
+	let tail = oi + 16 * r;
+	for (let i = 0; i < 16; i++) out[tail + i] = input[ii + (2 * r - 1) * 16 + i];
+	for (let i = 0; i < r; i++, head += 16, ii += 16) {
+		XorAndSalsa(out, tail, input, ii, out, head);
+		if (i > 0) tail += 16;
+		XorAndSalsa(out, head, input, ii += 16, out, tail);
+	}
+}
+function scryptInit(password, salt, _opts) {
+	const { N, r, p, dkLen, asyncTick, maxmem, onProgress } = checkOpts({
+		dkLen: 32,
+		asyncTick: 10,
+		maxmem: 1024 ** 3 + 1024
+	}, _opts);
+	anumber(N, "N");
+	anumber(r, "r");
+	anumber(p, "p");
+	anumber(dkLen, "dkLen");
+	anumber(asyncTick, "asyncTick");
+	anumber(maxmem, "maxmem");
+	if (onProgress !== void 0 && typeof onProgress !== "function") throw new Error("progressCb must be a function");
+	const blockSize = 128 * r;
+	const blockSize32 = blockSize / 4;
+	const pow32 = Math.pow(2, 32);
+	if (N <= 1 || (N & N - 1) !== 0 || N > pow32) throw new Error("\"N\" expected a power of 2, and 2^1 <= N <= 2^32");
+	if (p < 1 || p > (pow32 - 1) * 32 / blockSize) throw new Error("\"p\" expected integer 1..((2^32 - 1) * 32) / (128 * r)");
+	if (dkLen < 1 || dkLen > (pow32 - 1) * 32) throw new Error("\"dkLen\" expected integer 1..(2^32 - 1) * 32");
+	if (blockSize * (N + p) > maxmem) throw new Error("\"maxmem\" limit was hit, expected 128*r*(N+p) <= \"maxmem\"=" + maxmem);
+	const B = pbkdf2(sha256, password, salt, {
+		c: 1,
+		dkLen: blockSize * p
+	});
+	const B32 = u32(B);
+	const V = u32(new Uint8Array(blockSize * N));
+	const tmp = u32(new Uint8Array(blockSize));
+	let blockMixCb = () => {};
+	if (onProgress) {
+		const totalBlockMix = 2 * N * p;
+		const callbackPer = Math.max(Math.floor(totalBlockMix / 1e4), 1);
+		let blockMixCnt = 0;
+		blockMixCb = () => {
+			blockMixCnt++;
+			if (onProgress && (!(blockMixCnt % callbackPer) || blockMixCnt === totalBlockMix)) onProgress(blockMixCnt / totalBlockMix);
+		};
+	}
+	return {
+		N,
+		r,
+		p,
+		dkLen,
+		blockSize32,
+		V,
+		B32,
+		B,
+		tmp,
+		blockMixCb,
+		asyncTick
+	};
+}
+function scryptOutput(password, dkLen, B, V, tmp) {
+	const res = pbkdf2(sha256, password, B, {
+		c: 1,
+		dkLen
+	});
+	clean(B, V, tmp);
+	return res;
+}
+/**
+* Scrypt KDF from RFC 7914. Async version. See {@link ScryptOpts}.
+* @example
+* await scryptAsync('password', 'salt', { N: 2**18, r: 8, p: 1, dkLen: 32 });
+*/
+async function scryptAsync(password, salt, opts) {
+	const { N, r, p, dkLen, blockSize32, V, B32, B, tmp, blockMixCb, asyncTick } = scryptInit(password, salt, opts);
+	swap32IfBE(B32);
+	for (let pi = 0; pi < p; pi++) {
+		const Pi = blockSize32 * pi;
+		for (let i = 0; i < blockSize32; i++) V[i] = B32[Pi + i];
+		let pos = 0;
+		await asyncLoop(N - 1, asyncTick, () => {
+			BlockMix(V, pos, V, pos += blockSize32, r);
+			blockMixCb();
+		});
+		BlockMix(V, (N - 1) * blockSize32, B32, Pi, r);
+		blockMixCb();
+		await asyncLoop(N, asyncTick, () => {
+			const j = (B32[Pi + blockSize32 - 16] & N - 1) >>> 0;
+			for (let k = 0; k < blockSize32; k++) tmp[k] = B32[Pi + k] ^ V[j * blockSize32 + k];
+			BlockMix(tmp, 0, B32, Pi, r);
+			blockMixCb();
+		});
+	}
+	swap32IfBE(B32);
+	return scryptOutput(password, dkLen, B, V, tmp);
+}
+
+//#endregion
+//#region ../better-auth/dist/crypto-BVDG04BB.mjs
+function createHash(algorithm, encoding) {
+	return { digest: async (input) => {
+		const encoder = new TextEncoder();
+		const data = typeof input === "string" ? encoder.encode(input) : input;
+		const hashBuffer = await getWebcryptoSubtle().digest(algorithm, data);
+		if (encoding === "hex") return Array.from(new Uint8Array(hashBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
+		if (encoding === "base64" || encoding === "base64url" || encoding === "base64urlnopad") {
+			if (encoding.includes("url")) return base64Url.encode(hashBuffer, { padding: encoding !== "base64urlnopad" });
+			return base64.encode(hashBuffer);
+		}
+		return hashBuffer;
+	} };
+}
+/**
+* Compare two buffers in constant time.
+*/
+function constantTimeEqual(a, b) {
+	if (typeof a === "string") a = new TextEncoder().encode(a);
+	if (typeof b === "string") b = new TextEncoder().encode(b);
+	const aBuffer = new Uint8Array(a);
+	const bBuffer = new Uint8Array(b);
+	let c = aBuffer.length ^ bBuffer.length;
+	const length = Math.max(aBuffer.length, bBuffer.length);
+	for (let i = 0; i < length; i++) c |= (i < aBuffer.length ? aBuffer[i] : 0) ^ (i < bBuffer.length ? bBuffer[i] : 0);
+	return c === 0;
+}
+const config = {
+	N: 16384,
+	r: 16,
+	p: 1,
+	dkLen: 64
+};
+async function generateKey(password, salt) {
+	return await scryptAsync(password.normalize("NFKC"), salt, {
+		N: config.N,
+		p: config.p,
+		r: config.r,
+		dkLen: config.dkLen,
+		maxmem: 128 * config.N * config.r * 2
+	});
+}
+const hashPassword = async (password) => {
+	const salt = hex.encode(crypto.getRandomValues(new Uint8Array(16)));
+	const key = await generateKey(password, salt);
+	return `${salt}:${hex.encode(key)}`;
+};
+const verifyPassword = async ({ hash, password }) => {
+	const [salt, key] = hash.split(":");
+	if (!salt || !key) throw new BetterAuthError("Invalid password hash");
+	return constantTimeEqual(await generateKey(password, salt), hexToBytes$1(key));
+};
+function expandAlphabet(alphabet) {
+	switch (alphabet) {
+		case "a-z": return "abcdefghijklmnopqrstuvwxyz";
+		case "A-Z": return "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+		case "0-9": return "0123456789";
+		case "-_": return "-_";
+		default: throw new Error(`Unsupported alphabet: ${alphabet}`);
+	}
+}
+function createRandomStringGenerator(...baseAlphabets) {
+	const baseCharSet = baseAlphabets.map(expandAlphabet).join("");
+	if (baseCharSet.length === 0) throw new Error("No valid characters provided for random string generation.");
+	const baseCharSetLength = baseCharSet.length;
+	return (length, ...alphabets) => {
+		if (length <= 0) throw new Error("Length must be a positive integer.");
+		let charSet = baseCharSet;
+		let charSetLength = baseCharSetLength;
+		if (alphabets.length > 0) {
+			charSet = alphabets.map(expandAlphabet).join("");
+			charSetLength = charSet.length;
+		}
+		const maxValid = Math.floor(256 / charSetLength) * charSetLength;
+		const buf = new Uint8Array(length * 2);
+		const bufLength = buf.length;
+		let result = "";
+		let bufIndex = bufLength;
+		let rand;
+		while (result.length < length) {
+			if (bufIndex >= bufLength) {
+				crypto.getRandomValues(buf);
+				bufIndex = 0;
+			}
+			rand = buf[bufIndex++];
+			if (rand < maxValid) result += charSet[rand % charSetLength];
+		}
+		return result;
+	};
+}
+const generateRandomString = createRandomStringGenerator("a-z", "0-9", "A-Z", "-_");
+const symmetricEncrypt = async ({ key, data }) => {
+	const keyAsBytes = await createHash("SHA-256").digest(key);
+	const dataAsBytes = utf8ToBytes(data);
+	return bytesToHex(managedNonce(xchacha20poly1305)(new Uint8Array(keyAsBytes)).encrypt(dataAsBytes));
+};
+const symmetricDecrypt = async ({ key, data }) => {
+	const keyAsBytes = await createHash("SHA-256").digest(key);
+	const dataAsBytes = hexToBytes(data);
+	const chacha = managedNonce(xchacha20poly1305)(new Uint8Array(keyAsBytes));
+	return new TextDecoder().decode(chacha.decrypt(dataAsBytes));
+};
+
+//#endregion
+//#region ../better-auth/dist/utils-BqZRXR74.mjs
+const { get: getOAuthState, set: setOAuthState } = defineRequestState(() => null);
+async function generateState(c, link, additionalData) {
+	const callbackURL = c.body?.callbackURL || c.context.options.baseURL;
+	if (!callbackURL) throw new APIError("BAD_REQUEST", { message: "callbackURL is required" });
+	const codeVerifier = generateRandomString(128);
+	const state = generateRandomString(32);
+	const storeStateStrategy = c.context.oauthConfig?.storeStateStrategy || "cookie";
+	const stateData = {
+		...additionalData ? additionalData : {},
+		callbackURL,
+		codeVerifier,
+		errorURL: c.body?.errorCallbackURL,
+		newUserURL: c.body?.newUserCallbackURL,
+		link,
+		expiresAt: Date.now() + 600 * 1e3,
+		requestSignUp: c.body?.requestSignUp
+	};
+	await setOAuthState(stateData);
+	if (storeStateStrategy === "cookie") {
+		const encryptedData = await symmetricEncrypt({
+			key: c.context.secret,
+			data: JSON.stringify(stateData)
+		});
+		const stateCookie$1 = c.context.createAuthCookie("oauth_state", { maxAge: 600 * 1e3 });
+		c.setCookie(stateCookie$1.name, encryptedData, stateCookie$1.attributes);
+		return {
+			state,
+			codeVerifier
+		};
+	}
+	const stateCookie = c.context.createAuthCookie("state", { maxAge: 300 * 1e3 });
+	await c.setSignedCookie(stateCookie.name, state, c.context.secret, stateCookie.attributes);
+	const expiresAt = /* @__PURE__ */ new Date();
+	expiresAt.setMinutes(expiresAt.getMinutes() + 10);
+	const verification = await c.context.internalAdapter.createVerificationValue({
+		value: JSON.stringify(stateData),
+		identifier: state,
+		expiresAt
+	});
+	if (!verification) {
+		c.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database");
+		throw new APIError("INTERNAL_SERVER_ERROR", { message: "Unable to create verification" });
+	}
+	return {
+		state: verification.identifier,
+		codeVerifier
+	};
+}
+async function parseState(c) {
+	const state = c.query.state || c.body.state;
+	const storeStateStrategy = c.context.oauthConfig.storeStateStrategy || "cookie";
+	const stateDataSchema = z$2.looseObject({
+		callbackURL: z$2.string(),
+		codeVerifier: z$2.string(),
+		errorURL: z$2.string().optional(),
+		newUserURL: z$2.string().optional(),
+		expiresAt: z$2.number(),
+		link: z$2.object({
+			email: z$2.string(),
+			userId: z$2.coerce.string()
+		}).optional(),
+		requestSignUp: z$2.boolean().optional()
+	});
+	let parsedData;
+	if (storeStateStrategy === "cookie") {
+		const stateCookie = c.context.createAuthCookie("oauth_state");
+		const encryptedData = c.getCookie(stateCookie.name);
+		if (!encryptedData) {
+			c.context.logger.error("State Mismatch. OAuth state cookie not found", { state });
+			const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
+			throw c.redirect(`${errorURL}?error=please_restart_the_process`);
+		}
+		try {
+			const decryptedData = await symmetricDecrypt({
+				key: c.context.secret,
+				data: encryptedData
+			});
+			parsedData = stateDataSchema.parse(JSON.parse(decryptedData));
+		} catch (error) {
+			c.context.logger.error("Failed to decrypt or parse OAuth state cookie", { error });
+			const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
+			throw c.redirect(`${errorURL}?error=please_restart_the_process`);
+		}
+		c.setCookie(stateCookie.name, "", { maxAge: 0 });
+	} else {
+		const data = await c.context.internalAdapter.findVerificationValue(state);
+		if (!data) {
+			c.context.logger.error("State Mismatch. Verification not found", { state });
+			const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
+			throw c.redirect(`${errorURL}?error=please_restart_the_process`);
+		}
+		parsedData = stateDataSchema.parse(JSON.parse(data.value));
+		const stateCookie = c.context.createAuthCookie("state");
+		const stateCookieValue = await c.getSignedCookie(stateCookie.name, c.context.secret);
+		if (!c.context.oauthConfig?.skipStateCookieCheck && (!stateCookieValue || stateCookieValue !== state)) {
+			const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
+			throw c.redirect(`${errorURL}?error=state_mismatch`);
+		}
+		c.setCookie(stateCookie.name, "", { maxAge: 0 });
+		await c.context.internalAdapter.deleteVerificationValue(data.id);
+	}
+	if (!parsedData.errorURL) parsedData.errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
+	if (parsedData.expiresAt < Date.now()) {
+		const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
+		throw c.redirect(`${errorURL}?error=please_restart_the_process`);
+	}
+	if (parsedData) await setOAuthState(parsedData);
+	return parsedData;
+}
+const HIDE_METADATA = { isAction: false };
+const generateId = (size) => {
+	return createRandomStringGenerator("a-z", "A-Z", "0-9")(size || 32);
+};
+
+//#endregion
+//#region ../better-auth/dist/get-model-name-DGZmxvj1.mjs
+const getAuthTables = (options) => {
+	const pluginSchema = (options.plugins ?? []).reduce((acc, plugin) => {
+		const schema = plugin.schema;
+		if (!schema) return acc;
+		for (const [key, value] of Object.entries(schema)) acc[key] = {
+			fields: {
+				...acc[key]?.fields,
+				...value.fields
+			},
+			modelName: value.modelName || key
+		};
+		return acc;
+	}, {});
+	const shouldAddRateLimitTable = options.rateLimit?.storage === "database";
+	const rateLimitTable = { rateLimit: {
+		modelName: options.rateLimit?.modelName || "rateLimit",
+		fields: {
+			key: {
+				type: "string",
+				fieldName: options.rateLimit?.fields?.key || "key"
+			},
+			count: {
+				type: "number",
+				fieldName: options.rateLimit?.fields?.count || "count"
+			},
+			lastRequest: {
+				type: "number",
+				bigint: true,
+				fieldName: options.rateLimit?.fields?.lastRequest || "lastRequest"
+			}
+		}
+	} };
+	const { user, session, account, ...pluginTables } = pluginSchema;
+	const sessionTable = { session: {
+		modelName: options.session?.modelName || "session",
+		fields: {
+			expiresAt: {
+				type: "date",
+				required: true,
+				fieldName: options.session?.fields?.expiresAt || "expiresAt"
+			},
+			token: {
+				type: "string",
+				required: true,
+				fieldName: options.session?.fields?.token || "token",
+				unique: true
+			},
+			createdAt: {
+				type: "date",
+				required: true,
+				fieldName: options.session?.fields?.createdAt || "createdAt",
+				defaultValue: () => /* @__PURE__ */ new Date()
+			},
+			updatedAt: {
+				type: "date",
+				required: true,
+				fieldName: options.session?.fields?.updatedAt || "updatedAt",
+				onUpdate: () => /* @__PURE__ */ new Date()
+			},
+			ipAddress: {
+				type: "string",
+				required: false,
+				fieldName: options.session?.fields?.ipAddress || "ipAddress"
+			},
+			userAgent: {
+				type: "string",
+				required: false,
+				fieldName: options.session?.fields?.userAgent || "userAgent"
+			},
+			userId: {
+				type: "string",
+				fieldName: options.session?.fields?.userId || "userId",
+				references: {
+					model: options.user?.modelName || "user",
+					field: "id",
+					onDelete: "cascade"
+				},
+				required: true,
+				index: true
+			},
+			...session?.fields,
+			...options.session?.additionalFields
+		},
+		order: 2
+	} };
+	return {
+		user: {
+			modelName: options.user?.modelName || "user",
+			fields: {
+				name: {
+					type: "string",
+					required: true,
+					fieldName: options.user?.fields?.name || "name",
+					sortable: true
+				},
+				email: {
+					type: "string",
+					unique: true,
+					required: true,
+					fieldName: options.user?.fields?.email || "email",
+					sortable: true
+				},
+				emailVerified: {
+					type: "boolean",
+					defaultValue: false,
+					required: true,
+					fieldName: options.user?.fields?.emailVerified || "emailVerified",
+					input: false
+				},
+				image: {
+					type: "string",
+					required: false,
+					fieldName: options.user?.fields?.image || "image"
+				},
+				createdAt: {
+					type: "date",
+					defaultValue: () => /* @__PURE__ */ new Date(),
+					required: true,
+					fieldName: options.user?.fields?.createdAt || "createdAt"
+				},
+				updatedAt: {
+					type: "date",
+					defaultValue: () => /* @__PURE__ */ new Date(),
+					onUpdate: () => /* @__PURE__ */ new Date(),
+					required: true,
+					fieldName: options.user?.fields?.updatedAt || "updatedAt"
+				},
+				...user?.fields,
+				...options.user?.additionalFields
+			},
+			order: 1
+		},
+		...!options.secondaryStorage || options.session?.storeSessionInDatabase ? sessionTable : {},
+		account: {
+			modelName: options.account?.modelName || "account",
+			fields: {
+				accountId: {
+					type: "string",
+					required: true,
+					fieldName: options.account?.fields?.accountId || "accountId"
+				},
+				providerId: {
+					type: "string",
+					required: true,
+					fieldName: options.account?.fields?.providerId || "providerId"
+				},
+				userId: {
+					type: "string",
+					references: {
+						model: options.user?.modelName || "user",
+						field: "id",
+						onDelete: "cascade"
+					},
+					required: true,
+					fieldName: options.account?.fields?.userId || "userId",
+					index: true
+				},
+				accessToken: {
+					type: "string",
+					required: false,
+					fieldName: options.account?.fields?.accessToken || "accessToken"
+				},
+				refreshToken: {
+					type: "string",
+					required: false,
+					fieldName: options.account?.fields?.refreshToken || "refreshToken"
+				},
+				idToken: {
+					type: "string",
+					required: false,
+					fieldName: options.account?.fields?.idToken || "idToken"
+				},
+				accessTokenExpiresAt: {
+					type: "date",
+					required: false,
+					fieldName: options.account?.fields?.accessTokenExpiresAt || "accessTokenExpiresAt"
+				},
+				refreshTokenExpiresAt: {
+					type: "date",
+					required: false,
+					fieldName: options.account?.fields?.refreshTokenExpiresAt || "refreshTokenExpiresAt"
+				},
+				scope: {
+					type: "string",
+					required: false,
+					fieldName: options.account?.fields?.scope || "scope"
+				},
+				password: {
+					type: "string",
+					required: false,
+					fieldName: options.account?.fields?.password || "password"
+				},
+				createdAt: {
+					type: "date",
+					required: true,
+					fieldName: options.account?.fields?.createdAt || "createdAt",
+					defaultValue: () => /* @__PURE__ */ new Date()
+				},
+				updatedAt: {
+					type: "date",
+					required: true,
+					fieldName: options.account?.fields?.updatedAt || "updatedAt",
+					onUpdate: () => /* @__PURE__ */ new Date()
+				},
+				...account?.fields,
+				...options.account?.additionalFields
+			},
+			order: 3
+		},
+		verification: {
+			modelName: options.verification?.modelName || "verification",
+			fields: {
+				identifier: {
+					type: "string",
+					required: true,
+					fieldName: options.verification?.fields?.identifier || "identifier",
+					index: true
+				},
+				value: {
+					type: "string",
+					required: true,
+					fieldName: options.verification?.fields?.value || "value"
+				},
+				expiresAt: {
+					type: "date",
+					required: true,
+					fieldName: options.verification?.fields?.expiresAt || "expiresAt"
+				},
+				createdAt: {
+					type: "date",
+					required: true,
+					defaultValue: () => /* @__PURE__ */ new Date(),
+					fieldName: options.verification?.fields?.createdAt || "createdAt"
+				},
+				updatedAt: {
+					type: "date",
+					required: true,
+					defaultValue: () => /* @__PURE__ */ new Date(),
+					onUpdate: () => /* @__PURE__ */ new Date(),
+					fieldName: options.verification?.fields?.updatedAt || "updatedAt"
+				}
+			},
+			order: 4
+		},
+		...pluginTables,
+		...shouldAddRateLimitTable ? rateLimitTable : {}
+	};
+};
+const initGetDefaultModelName = ({ usePlural, schema }) => {
+	/**
+	* This function helps us get the default model name from the schema defined by devs.
+	* Often times, the user will be using the `modelName` which could had been customized by the users.
+	* This function helps us get the actual model name useful to match against the schema. (eg: schema[model])
+	*
+	* If it's still unclear what this does:
+	*
+	* 1. User can define a custom modelName.
+	* 2. When using a custom modelName, doing something like `schema[model]` will not work.
+	* 3. Using this function helps us get the actual model name based on the user's defined custom modelName.
+	*/
+	const getDefaultModelName = (model) => {
+		if (usePlural && model.charAt(model.length - 1) === "s") {
+			let pluralessModel = model.slice(0, -1);
+			let m$1 = schema[pluralessModel] ? pluralessModel : void 0;
+			if (!m$1) m$1 = Object.entries(schema).find(([_, f]) => f.modelName === pluralessModel)?.[0];
+			if (m$1) return m$1;
+		}
+		let m = schema[model] ? model : void 0;
+		if (!m) m = Object.entries(schema).find(([_, f]) => f.modelName === model)?.[0];
+		if (!m) throw new BetterAuthError(`Model "${model}" not found in schema`);
+		return m;
+	};
+	return getDefaultModelName;
+};
+const initGetDefaultFieldName = ({ schema, usePlural }) => {
+	const getDefaultModelName = initGetDefaultModelName({
+		schema,
+		usePlural
+	});
+	/**
+	* This function helps us get the default field name from the schema defined by devs.
+	* Often times, the user will be using the `fieldName` which could had been customized by the users.
+	* This function helps us get the actual field name useful to match against the schema. (eg: schema[model].fields[field])
+	*
+	* If it's still unclear what this does:
+	*
+	* 1. User can define a custom fieldName.
+	* 2. When using a custom fieldName, doing something like `schema[model].fields[field]` will not work.
+	*/
+	const getDefaultFieldName = ({ field, model: unsafeModel }) => {
+		if (field === "id" || field === "_id") return "id";
+		const model = getDefaultModelName(unsafeModel);
+		let f = schema[model]?.fields[field];
+		if (!f) {
+			const result = Object.entries(schema[model].fields).find(([_, f$1]) => f$1.fieldName === field);
+			if (result) {
+				f = result[1];
+				field = result[0];
+			}
+		}
+		if (!f) throw new BetterAuthError(`Field ${field} not found in model ${model}`);
+		return field;
+	};
+	return getDefaultFieldName;
+};
+const initGetFieldName = ({ schema, usePlural }) => {
+	const getDefaultModelName = initGetDefaultModelName({
+		schema,
+		usePlural
+	});
+	const getDefaultFieldName = initGetDefaultFieldName({
+		schema,
+		usePlural
+	});
+	/**
+	* Get the field name which is expected to be saved in the database based on the user's schema.
+	*
+	* This function is useful if you need to save the field name to the database.
+	*
+	* For example, if the user has defined a custom field name for the `user` model, then you can use this function to get the actual field name from the schema.
+	*/
+	function getFieldName({ model: modelName, field: fieldName }) {
+		const model = getDefaultModelName(modelName);
+		const field = getDefaultFieldName({
+			model,
+			field: fieldName
+		});
+		return schema[model]?.fields[field]?.fieldName || field;
+	}
+	return getFieldName;
+};
+const initGetModelName = ({ usePlural, schema }) => {
+	const getDefaultModelName = initGetDefaultModelName({
+		schema,
+		usePlural
+	});
+	/**
+	* Users can overwrite the default model of some tables. This function helps find the correct model name.
+	* Furthermore, if the user passes `usePlural` as true in their adapter config,
+	* then we should return the model name ending with an `s`.
+	*/
+	const getModelName = (model) => {
+		const defaultModelKey = getDefaultModelName(model);
+		if (schema && schema[defaultModelKey] && schema[defaultModelKey].modelName !== model) return usePlural ? `${schema[defaultModelKey].modelName}s` : schema[defaultModelKey].modelName;
+		return usePlural ? `${model}s` : model;
+	};
+	return getModelName;
+};
+
+//#endregion
+//#region ../better-auth/dist/json-oFuWgANh.mjs
+function safeJSONParse(data) {
+	function reviver(_, value) {
+		if (typeof value === "string") {
+			if (/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z$/.test(value)) {
+				const date = new Date(value);
+				if (!isNaN(date.getTime())) return date;
+			}
+		}
+		return value;
+	}
+	try {
+		if (typeof data !== "string") return data;
+		return JSON.parse(data, reviver);
+	} catch (e) {
+		logger.error("Error parsing JSON", { error: e });
+		return null;
+	}
+}
+
+//#endregion
+export { abytes$1 as A, exportJWK as B, symmetricEncodeJWT as C, rotlSH as D, rotlBL as E, createHasher as F, getCurrentTransactionAdapter as G, getCurrentAdapter as H, swap32IfBE as I, runWithEndpointContext as J, hasRequestState as K, u32 as L, anumber as M, aoutput$1 as N, rotlSL as O, clean as P, utf8ToBytes$1 as R, symmetricDecodeJWT as S, rotlBH as T, getCurrentAuthContext as U, authorize as V, getCurrentGraphContext as W, runWithRequestState as X, runWithGraphTransaction as Y, withTransaction as Z, symmetricEncrypt as _, initGetFieldName as a, hex as b, generateId as c, constantTimeEqual as d, createHash as f, symmetricDecrypt as g, hashPassword as h, initGetDefaultModelName as i, aexists$1 as j, split as k, generateState as l, generateRandomString as m, getAuthTables as n, initGetModelName as o, createRandomStringGenerator as p, runWithAdapter as q, initGetDefaultFieldName as r, HIDE_METADATA as s, safeJSONParse as t, parseState as u, verifyPassword as v, verifyJWT as w, signJWT as x, getWebcryptoSubtle as y, SignJWT as z };