@robelest/convex-auth 0.0.4-preview.1 → 0.0.4-preview.4

package/README.md

@@ -6,6 +6,7 @@ Component-first authentication for [Convex](https://convex.dev). One component,
 
 - **Class-based API** — `new Auth(components.auth, { providers })` gives you everything.
 - **OAuth via Arctic** — 50+ providers through [Arctic](https://arcticjs.dev), zero-dependency OAuth 2.0.
+- **Fluent Convex builders (recommended)** — cleaner auth-aware API handling with middleware and explicit `.public()` / `.internal()` exports.
 - **Password, passkeys, TOTP, magic links, OTP, phone, anonymous** — all built in.
 - **Device Authorization (RFC 8628)** — authenticate CLIs, smart TVs, and IoT devices.
 - **API keys** — scoped permissions, SHA-256 hashed storage, optional rate limiting.
@@ -16,13 +17,16 @@ Component-first authentication for [Convex](https://convex.dev). One component,
 ## Install
 
 ```bash
-npm install @robelest/convex-auth
+bun add @robelest/convex-auth
 ```
 
+> Renamed package: if you are migrating from earlier previews, replace
+> `@convex-dev/auth` with `@robelest/convex-auth` in imports and CLI commands.
+
 ## Quick Start
 
 ```bash
-npx @robelest/convex-auth
+bunx @robelest/convex-auth
 ```
 
 The interactive CLI sets up your Convex component, auth config, and HTTP routes in under a minute.
@@ -66,6 +70,33 @@ auth.http.add(http);
 export default http;
 ```
 
+## Recommended Convex API Handling (`fluent-convex`)
+
+For new projects, we recommend `fluent-convex` for auth middleware composition and cleaner API exports.
+
+```ts
+// convex/functions.ts
+import { createBuilder } from "fluent-convex";
+import { WithZod } from "fluent-convex/zod";
+import type { DataModel } from "./_generated/dataModel";
+import { auth } from "./auth";
+
+const convex = createBuilder<DataModel>();
+
+const withRequiredAuth = convex.createMiddleware<any, { auth: any }>(
+  async (ctx, next) => {
+    const userId = await auth.user.require(ctx);
+    const user = await auth.user.get(ctx, userId);
+    return next({ ...ctx, auth: { ...ctx.auth, userId, user } });
+  },
+);
+
+export const query = convex.query().use(withRequiredAuth).extend(WithZod);
+export const mutation = convex.mutation().use(withRequiredAuth).extend(WithZod);
+```
+
+`AuthCtx` from `@robelest/convex-auth/component` remains supported if your project already uses `convex-helpers`.
+
 ## Providers
 
 | Provider | Import |

package/dist/client/index.d.ts

@@ -292,7 +292,8 @@ declare function client(options: ClientOptions): {
      * @param userCode - The user code entered by the user (e.g. "WDJB-MJHT").
      */
     verify: (userCode: string) => Promise<void>;
-  };
+  }; /** Remove global listeners when disposing this client instance. */
+  destroy: () => void;
 };
 //#endregion
 export { AUTH_ERRORS, type AuthErrorCode, AuthState, ClientOptions, DeviceCodeResult, SignInResult, Storage, client, isAuthError, parseAuthError };

package/dist/client/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","names":[],"sources":["../../src/client/index.ts"],"mappings":";;;;;;AAS0B;;;;;;;UAWhB,eAAA;EACR,MAAA,CAAO,MAAA,OAAa,IAAA,QAAY,OAAA;EAChC,OAAA,CACE,UAAA,GAAa,IAAA;IACX,iBAAA;EAAA,MACI,OAAA,6BACN,QAAA,IAAY,eAAA;EAEd,SAAA;AAAA;;UAIe,OAAA;EACf,OAAA,CACE,GAAA,uCAC6B,OAAA;EAC/B,OAAA,CAAQ,GAAA,UAAa,KAAA,kBAAuB,OAAA;EAC5C,UAAA,CAAW,GAAA,kBAAqB,OAAA;AAAA;;;;;;;KActB,gBAAA;EAjBR,+DAmBF,UAAA,UAjBA;EAmBA,QAAA,UAnBqB;EAqBrB,eAAA,UApBA;EAsBA,uBAAA,UAtBgC;EAwBhC,SAAA,UAxBuC;EA0BvC,QAAA;AAAA;;;;;;;;;;KAYU,YAAA;EAAA,mEAEV,SAAA;EAEA,QAAA,GAAW,GAAA,EAFX;EAIA,YAAA,YAFW;EAIX,UAAA,GAAa,gBAAA,EAAb;EAEA,QAAA;AAAA;;KAIU,SAAA;EAAA,0EAEV,SAAA;EAEA,eAAA,WAFA;EAIA,KAAA;AAAA;;KAIU,aAAA;EAAA,iEAEV,MAAA,EAAQ,eAAA;;;;;EAKR,GAAA;EAUoD;;;;;;;EAFpD,OAAA,GAAU,OAAA,SAEmC;EAA7C,UAAA,IAAc,WAAA,oBAA+B,OAAA;EAkB7C;;;AA2DF;;;;;;EAnEE,KAAA;EAmSoB;;;;;;;EA3RpB,KAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA2Dc,MAAA,CAAO,OAAA,EAAS,aAAA;EAkkBxB,mDAqfS,SAAA;8BAx1BI,IAAA,GACV,QAAA,GAAW,MAAA,SAAe,KAAA,MAChC,OAAA,CAAQ,YAAA,GAoWE;gCAkJA;kBAlSU,KAAA,EAAO,SAAA;;IAmSjB;;;;IAoHe;;;;;;;;;+BAlTK,OAAA;IAiV7B;;;;;;;;;;;;;;;;;;;;;;MA3SE,IAAA;MACA,KAAA;MACA,QAAA;MACA,eAAA;IAAA,MAED,OAAA,CAAQ,YAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;MAkJA,KAAA;MAAgB,QAAA;IAAA,MACxB,OAAA,CAAQ,YAAA;EAAA;;;;;;;;;;;;;;MAoHA,IAAA;MAAe,WAAA;IAAA,MACvB,OAAA;MAAU,GAAA;MAAa,MAAA;MAAgB,QAAA;MAAkB,MAAA;IAAA;;;;;;;;;MA4B1D,IAAA;MACA,QAAA;MACA,MAAA;IAAA,MACE,OAAA;;;;;;;;;;;;;;MA8CmB,IAAA;MAAc,QAAA;IAAA,MAAqB,OAAA;EAAA;;;;;;;;;;;;;;;;;;;;;iBAsDvC,gBAAA,KAAmB,OAAA;;;;;;;;;;;;;;kCAiFJ,OAAA;EAAA;AAAA"}
+{"version":3,"file":"index.d.ts","names":[],"sources":["../../src/client/index.ts"],"mappings":";;;;;;AAS0B;;;;;;;UAWhB,eAAA;EACR,MAAA,CAAO,MAAA,OAAa,IAAA,QAAY,OAAA;EAChC,OAAA,CACE,UAAA,GAAa,IAAA;IACX,iBAAA;EAAA,MACI,OAAA,6BACN,QAAA,IAAY,eAAA;EAEd,SAAA;AAAA;;UAIe,OAAA;EACf,OAAA,CACE,GAAA,uCAC6B,OAAA;EAC/B,OAAA,CAAQ,GAAA,UAAa,KAAA,kBAAuB,OAAA;EAC5C,UAAA,CAAW,GAAA,kBAAqB,OAAA;AAAA;;;;;;;KActB,gBAAA;EAjBR,+DAmBF,UAAA,UAjBA;EAmBA,QAAA,UAnBqB;EAqBrB,eAAA,UApBA;EAsBA,uBAAA,UAtBgC;EAwBhC,SAAA,UAxBuC;EA0BvC,QAAA;AAAA;;;;;;;;;;KAYU,YAAA;EAAA,mEAEV,SAAA;EAEA,QAAA,GAAW,GAAA,EAFX;EAIA,YAAA,YAFW;EAIX,UAAA,GAAa,gBAAA,EAAb;EAEA,QAAA;AAAA;;KAIU,SAAA;EAAA,0EAEV,SAAA;EAEA,eAAA,WAFA;EAIA,KAAA;AAAA;;KAIU,aAAA;EAAA,iEAEV,MAAA,EAAQ,eAAA;;;;;EAKR,GAAA;EAUoD;;;;;;;EAFpD,OAAA,GAAU,OAAA,SAEmC;EAA7C,UAAA,IAAc,WAAA,oBAA+B,OAAA;EAkB7C;;;AA2DF;;;;;;EAnEE,KAAA;EAoUoB;;;;;;;EA5TpB,KAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA2Dc,MAAA,CAAO,OAAA,EAAS,aAAA;EAynBxB,mDAqfS,SAAA;8BA92BI,IAAA,GACV,QAAA,GAAW,MAAA,SAAe,KAAA,MAChC,OAAA,CAAQ,YAAA,GA0XE;gCAkJA;kBAxTU,KAAA,EAAO,SAAA;;IAyTjB;;;;IAoHe;;;;;;;;;+BAlTK,OAAA;IAiV7B;;;;;;;;;;;;;;;;;;;;;;MA3SE,IAAA;MACA,KAAA;MACA,QAAA;MACA,eAAA;IAAA,MAED,OAAA,CAAQ,YAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;MAkJA,KAAA;MAAgB,QAAA;IAAA,MACxB,OAAA,CAAQ,YAAA;EAAA;;;;;;;;;;;;;;MAoHA,IAAA;MAAe,WAAA;IAAA,MACvB,OAAA;MAAU,GAAA;MAAa,MAAA;MAAgB,QAAA;MAAkB,MAAA;IAAA;;;;;;;;;MA4B1D,IAAA;MACA,QAAA;MACA,MAAA;IAAA,MACE,OAAA;;;;;;;;;;;;;;MA8CmB,IAAA;MAAc,QAAA;IAAA,MAAqB,OAAA;EAAA;;;;;;;;;;;;;;;;;;;;;iBAsDvC,gBAAA,KAAmB,OAAA;;;;;;;;;;;;;;kCAiFJ,OAAA;EAAA"}

package/dist/client/index.js

@@ -64,8 +64,9 @@ function client(options) {
 	const escapedNamespace = proxy ? proxy.replace(/[^a-zA-Z0-9]/g, "") : url.replace(/[^a-zA-Z0-9]/g, "");
 	const key = (name) => `${name}_${escapedNamespace}`;
 	const subscribers = /* @__PURE__ */ new Set();
+	let disposeStorageListener = null;
 	const httpClient = proxy ? null : new ConvexHttpClient(url);
-	const serverToken = options.token ?? null;
+	const serverToken = typeof options.token === "string" && options.token.trim().length > 0 ? options.token : null;
 	const hasServerToken = serverToken !== null;
 	let token = serverToken;
 	let isLoading = !hasServerToken;
@@ -88,12 +89,30 @@ function client(options) {
 		snapshot = next;
 		return true;
 	};
-	const storageGet = async (name) => storage ? await storage.getItem(key(name)) ?? null : null;
+	const storageGet = async (name) => {
+		if (!storage) return null;
+		try {
+			return await storage.getItem(key(name)) ?? null;
+		} catch (error) {
+			console.error(`[convex-auth] Failed to read ${name} from storage:`, error);
+			return null;
+		}
+	};
 	const storageSet = async (name, value) => {
-		if (storage) await storage.setItem(key(name), value);
+		if (!storage) return;
+		try {
+			await storage.setItem(key(name), value);
+		} catch (error) {
+			console.error(`[convex-auth] Failed to write ${name} to storage:`, error);
+		}
 	};
 	const storageRemove = async (name) => {
-		if (storage) await storage.removeItem(key(name));
+		if (!storage) return;
+		try {
+			await storage.removeItem(key(name));
+		} catch (error) {
+			console.error(`[convex-auth] Failed to remove ${name} from storage:`, error);
+		}
 	};
 	const setToken = async (args) => {
 		if (args.tokens === null) {
@@ -113,7 +132,7 @@ function client(options) {
 		isLoading = false;
 		const changed = updateSnapshot();
 		if (hadPendingLoad || changed) {
-			if (!proxy) convex.setAuth(fetchAccessToken);
+			convex.setAuth(fetchAccessToken);
 			notify();
 		}
 	};
@@ -129,7 +148,11 @@ function client(options) {
 			if (typeof errorBody === "object" && errorBody !== null && "authError" in errorBody && typeof errorBody.authError === "object") throw new ConvexError(errorBody.authError);
 			throw new Error(errorBody.error ?? `Proxy request failed: ${response.status}`);
 		}
-		return response.json();
+		try {
+			return await response.json();
+		} catch {
+			throw new Error("Proxy response was not valid JSON");
+		}
 	};
 	const verifyCode = async (args) => {
 		let lastError;
@@ -141,7 +164,7 @@ function client(options) {
 			} : args);
 		} catch (e) {
 			lastError = e;
-			if (!(e instanceof Error && /network/i.test(e.message || ""))) break;
+			if (!(e instanceof TypeError || e instanceof Error && /(network|fetch|load failed|failed to fetch)/i.test(e.message || ""))) break;
 			const wait = RETRY_BACKOFF[retry] + RETRY_JITTER * Math.random();
 			retry++;
 			await new Promise((resolve) => setTimeout(resolve, wait));
@@ -367,6 +390,10 @@ function client(options) {
 		};
 	};
 	if (!proxy && typeof window !== "undefined") {
+		const registryKey = key(JWT_STORAGE_KEY);
+		const registry = getStorageListenerRegistry();
+		const existingListener = registry[registryKey];
+		if (existingListener !== void 0) window.removeEventListener("storage", existingListener);
 		const onStorage = (event) => {
 			(async () => {
 				if (event.key !== key(JWT_STORAGE_KEY)) return;
@@ -377,16 +404,32 @@ function client(options) {
 			})();
 		};
 		window.addEventListener("storage", onStorage);
+		registry[registryKey] = onStorage;
+		disposeStorageListener = () => {
+			if (registry[registryKey] === onStorage) delete registry[registryKey];
+			window.removeEventListener("storage", onStorage);
+		};
 	}
 	convex.setAuth(fetchAccessToken);
-	if (typeof window !== "undefined") if (proxy) if (!hasServerToken) fetchAccessToken({ forceRefreshToken: true });
+	if (typeof window !== "undefined") if (proxy) if (!hasServerToken) fetchAccessToken({ forceRefreshToken: true }).catch((error) => {
+		console.error("[convex-auth] Proxy token refresh failed:", error);
+	});
 	else {
 		isLoading = false;
 		updateSnapshot();
 	}
-	else hydrateFromStorage().then(() => handleCodeFlow().catch((error) => {
-		console.error("[convex-auth] Code exchange failed:", error);
-	}));
+	else (async () => {
+		try {
+			await hydrateFromStorage();
+			await handleCodeFlow();
+		} catch (error) {
+			console.error("[convex-auth] Client initialization failed:", error);
+			await setToken({
+				shouldStore: false,
+				tokens: null
+			});
+		}
+	})();
 	/**
 	* Base64url encode/decode helpers for the WebAuthn credential API.
 	* These run client-side only (browser context).
@@ -728,6 +771,10 @@ function client(options) {
 					params
 				});
 			}
+		},
+		destroy: () => {
+			disposeStorageListener?.();
+			subscribers.clear();
 		}
 	};
 }
@@ -735,44 +782,31 @@ async function browserMutex(key, callback) {
 	const lockManager = globalThis?.navigator?.locks;
 	return lockManager !== void 0 ? await lockManager.request(key, callback) : await manualMutex(key, callback);
 }
-function getMutexValue(key) {
-	if (globalThis.__convexAuthMutexes === void 0) globalThis.__convexAuthMutexes = {};
-	let mutex = globalThis.__convexAuthMutexes[key];
-	if (mutex === void 0) globalThis.__convexAuthMutexes[key] = {
-		currentlyRunning: null,
-		waiting: []
-	};
-	mutex = globalThis.__convexAuthMutexes[key];
-	return mutex;
-}
-function setMutexValue(key, value) {
-	globalThis.__convexAuthMutexes[key] = value;
+function getStorageListenerRegistry() {
+	const globalAny = globalThis;
+	if (globalAny.__convexAuthStorageListeners === void 0) globalAny.__convexAuthStorageListeners = {};
+	return globalAny.__convexAuthStorageListeners;
 }
-async function enqueueCallbackForMutex(key, callback) {
-	const mutex = getMutexValue(key);
-	if (mutex.currentlyRunning === null) setMutexValue(key, {
-		currentlyRunning: callback().finally(() => {
-			const nextCb = getMutexValue(key).waiting.shift();
-			getMutexValue(key).currentlyRunning = null;
-			setMutexValue(key, {
-				...getMutexValue(key),
-				currentlyRunning: nextCb === void 0 ? null : enqueueCallbackForMutex(key, nextCb)
-			});
-		}),
-		waiting: []
-	});
-	else setMutexValue(key, {
-		...mutex,
-		waiting: [...mutex.waiting, callback]
-	});
+function getManualMutexTails() {
+	const globalAny = globalThis;
+	if (globalAny.__convexAuthMutexTails === void 0) globalAny.__convexAuthMutexTails = {};
+	return globalAny.__convexAuthMutexTails;
 }
 async function manualMutex(key, callback) {
-	return new Promise((resolve, reject) => {
-		const wrappedCallback = () => {
-			return callback().then((v) => resolve(v)).catch((e) => reject(e));
-		};
-		enqueueCallbackForMutex(key, wrappedCallback);
+	const mutexTails = getManualMutexTails();
+	const previousTail = mutexTails[key] ?? Promise.resolve();
+	let releaseCurrent;
+	const currentTail = new Promise((resolve) => {
+		releaseCurrent = resolve;
 	});
+	mutexTails[key] = previousTail.then(() => currentTail, () => currentTail);
+	try {
+		await previousTail;
+		return await callback();
+	} finally {
+		releaseCurrent?.();
+		if (mutexTails[key] === currentTail) delete mutexTails[key];
+	}
 }
 
 //#endregion

package/dist/client/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","names":["url","result","options"],"sources":["../../src/client/index.ts"],"sourcesContent":["import { ConvexHttpClient } from \"convex/browser\";\nimport { ConvexError, Value } from \"convex/values\";\n\n// Re-export error utilities so consumers can import from `@robelest/convex-auth/client`.\nexport {\n  isAuthError,\n  parseAuthError,\n  AUTH_ERRORS,\n  type AuthErrorCode,\n} from \"../server/errors\";\n\n/**\n * Structural interface for any Convex client.\n * Satisfied by `ConvexClient` (`convex/browser`),\n * `ConvexReactClient` (`convex/react`), and similar transports.\n *\n * `clearAuth` is present on `ConvexReactClient` and `BaseConvexClient`\n * but not on the simplified `ConvexClient`. When available we call it\n * during sign-out for a clean deauthentication.\n */\ninterface ConvexTransport {\n  action(action: any, args: any): Promise<any>;\n  setAuth(\n    fetchToken: (args: {\n      forceRefreshToken: boolean;\n    }) => Promise<string | null | undefined>,\n    onChange?: (isAuthenticated: boolean) => void,\n  ): void;\n  clearAuth?(): void;\n}\n\n/** Pluggable key-value storage (defaults to `localStorage`). */\nexport interface Storage {\n  getItem(\n    key: string,\n  ): string | null | undefined | Promise<string | null | undefined>;\n  setItem(key: string, value: string): void | Promise<void>;\n  removeItem(key: string): void | Promise<void>;\n}\n\ntype AuthSession = {\n  token: string;\n  refreshToken: string;\n};\n\n/**\n * Device code response returned when signing in with the `\"device\"` provider.\n *\n * The device displays the `userCode` (or `verificationUriComplete`) and\n * polls via `auth.device.poll()` until the user authorizes.\n */\nexport type DeviceCodeResult = {\n  /** High-entropy device code used for polling (keep secret). */\n  deviceCode: string;\n  /** Short human-readable code the user enters (e.g. \"WDJB-MJHT\"). */\n  userCode: string;\n  /** Base verification URL (e.g. \"https://myapp.com/device\"). */\n  verificationUri: string;\n  /** Verification URL with user code pre-filled as `?code=XXXX-XXXX`. */\n  verificationUriComplete: string;\n  /** Lifetime of the codes in seconds. */\n  expiresIn: number;\n  /** Minimum polling interval in seconds. */\n  interval: number;\n};\n\n/**\n * Result of a `signIn` call.\n *\n * - `signingIn: true` — credentials were accepted and the user is authenticated.\n * - `redirect` — OAuth flow initiated; redirect the user to `redirect.toString()`.\n * - `totpRequired` — credentials valid but 2FA is needed; call `auth.totp.verify()`.\n * - `deviceCode` — device flow initiated; display the code and poll via `auth.device.poll()`.\n * - `verifier` — opaque string for multi-step flows (TOTP, passkey).\n */\nexport type SignInResult = {\n  /** `true` when sign-in completed and the user is authenticated. */\n  signingIn: boolean;\n  /** OAuth redirect URL. Present when the provider requires a browser redirect. */\n  redirect?: URL;\n  /** `true` when the account has TOTP enabled and a code is required. */\n  totpRequired?: boolean;\n  /** Device code response for the device authorization flow (RFC 8628). */\n  deviceCode?: DeviceCodeResult;\n  /** Opaque verifier for multi-step flows (pass to `totp.verify` or passkey phase 2). */\n  verifier?: string;\n};\n\n/** Reactive auth state snapshot returned by `auth.state` and `auth.onChange`. */\nexport type AuthState = {\n  /** `true` during initial hydration before the first token is resolved. */\n  isLoading: boolean;\n  /** `true` when a valid JWT exists (user is signed in). */\n  isAuthenticated: boolean;\n  /** The raw JWT string, or `null` when not authenticated. */\n  token: string | null;\n};\n\n/** Options for {@link client}. */\nexport type ClientOptions = {\n  /** Any Convex client (`ConvexClient` or `ConvexReactClient`). */\n  convex: ConvexTransport;\n  /**\n   * Convex deployment URL. Derived automatically from the client internals\n   * when omitted — pass explicitly only if auto-detection fails.\n   */\n  url?: string;\n  /**\n   * Key-value storage for persisting tokens.\n   *\n   * - Defaults to `localStorage` in SPA mode.\n   * - Defaults to `null` (in-memory only) when `proxy` is set,\n   *   since httpOnly cookies handle persistence.\n   */\n  storage?: Storage | null;\n  /** Override how the URL bar is updated after OAuth code exchange. */\n  replaceURL?: (relativeUrl: string) => void | Promise<void>;\n  /**\n   * SSR proxy endpoint (e.g. `\"/api/auth\"`).\n   *\n   * When set, `signIn`/`signOut`/token refresh POST to this URL\n   * (with `credentials: \"include\"`) instead of calling Convex directly.\n   * The server handles httpOnly cookies for token persistence.\n   *\n   * Pair with {@link ClientOptions.token} for flash-free SSR hydration.\n   */\n  proxy?: string;\n  /**\n   * JWT from server-side hydration.\n   *\n   * In proxy mode the server reads the JWT from an httpOnly cookie\n   * and passes it to the client during SSR. This avoids a loading\n   * flash on first render — the client is immediately authenticated.\n   */\n  token?: string | null;\n};\n\nconst VERIFIER_STORAGE_KEY = \"__convexAuthOAuthVerifier\";\nconst JWT_STORAGE_KEY = \"__convexAuthJWT\";\nconst REFRESH_TOKEN_STORAGE_KEY = \"__convexAuthRefreshToken\";\n\nconst RETRY_BACKOFF = [500, 2000];\nconst RETRY_JITTER = 100;\n\n/**\n * Resolve the Convex deployment URL from the client.\n *\n * `ConvexReactClient` exposes `.url` directly.\n * `ConvexClient` exposes `.client.url` via `BaseConvexClient`.\n */\nfunction resolveUrl(convex: ConvexTransport, explicit?: string): string {\n  if (explicit) return explicit;\n  const c = convex as any;\n  const url: unknown = c.url ?? c.client?.url;\n  if (typeof url === \"string\") return url;\n  throw new Error(\n    \"Could not determine Convex deployment URL. Pass `url` explicitly.\",\n  );\n}\n\n/**\n * Create a framework-agnostic auth client.\n *\n * Returns an object with `signIn`, `signOut`, `onChange`, `state`,\n * `passkey`, and `totp` — everything needed for client-side auth.\n *\n * ### SPA mode (default)\n *\n * ```ts\n * import { ConvexClient } from 'convex/browser';\n * import { client } from '@robelest/convex-auth/client';\n *\n * const convex = new ConvexClient(CONVEX_URL);\n * const auth = client({ convex });\n * ```\n *\n * ### SSR / proxy mode\n *\n * ```ts\n * const auth = client({\n *   convex,\n *   proxy: '/api/auth',\n *   token: tokenFromServer, // JWT read from httpOnly cookie during SSR\n * });\n * ```\n *\n * In proxy mode all auth operations go through the proxy URL.\n * Tokens are stored in httpOnly cookies server-side — the client\n * holds the JWT in memory only.\n *\n * @param options - Client configuration. See {@link ClientOptions}.\n * @returns Auth client with `signIn`, `signOut`, `onChange`, `state`, `passkey`, and `totp`.\n */\nexport function client(options: ClientOptions) {\n  const { convex, proxy } = options;\n\n  // In proxy mode, default storage to null (cookies handle persistence).\n  const storage =\n    options.storage !== undefined\n      ? options.storage\n      : proxy\n        ? null\n        : typeof window === \"undefined\"\n          ? null\n          : window.localStorage;\n\n  const replaceURL =\n    options.replaceURL ??\n    ((url: string) => {\n      if (typeof window !== \"undefined\") {\n        window.history.replaceState({}, \"\", url);\n      }\n    });\n\n  const url = proxy ? undefined : resolveUrl(convex, options.url);\n  const escapedNamespace = proxy\n    ? proxy.replace(/[^a-zA-Z0-9]/g, \"\")\n    : url!.replace(/[^a-zA-Z0-9]/g, \"\");\n  const key = (name: string) => `${name}_${escapedNamespace}`;\n  const subscribers = new Set<() => void>();\n\n  // Unauthenticated HTTP client for code verification & OAuth exchange.\n  // Only needed in SPA mode — proxy mode routes everything through the proxy.\n  const httpClient = proxy ? null : new ConvexHttpClient(url!);\n\n  // ---------------------------------------------------------------------------\n  // State\n  // ---------------------------------------------------------------------------\n\n  // If a server-provided token was supplied (SSR hydration), start authenticated.\n  const serverToken = options.token ?? null;\n  const hasServerToken = serverToken !== null;\n\n  let token: string | null = serverToken;\n  let isLoading = !hasServerToken;\n  let snapshot: AuthState = {\n    isLoading,\n    isAuthenticated: hasServerToken,\n    token,\n  };\n  let handlingCodeFlow = false;\n\n  const notify = () => {\n    for (const cb of subscribers) cb();\n  };\n\n  const updateSnapshot = () => {\n    const next: AuthState = {\n      isLoading,\n      isAuthenticated: token !== null,\n      token,\n    };\n    if (\n      snapshot.isLoading === next.isLoading &&\n      snapshot.isAuthenticated === next.isAuthenticated &&\n      snapshot.token === next.token\n    ) {\n      return false;\n    }\n    snapshot = next;\n    return true;\n  };\n\n  // ---------------------------------------------------------------------------\n  // Storage helpers (SPA mode only)\n  // ---------------------------------------------------------------------------\n\n  const storageGet = async (name: string) =>\n    storage ? ((await storage.getItem(key(name))) ?? null) : null;\n  const storageSet = async (name: string, value: string) => {\n    if (storage) await storage.setItem(key(name), value);\n  };\n  const storageRemove = async (name: string) => {\n    if (storage) await storage.removeItem(key(name));\n  };\n\n  // ---------------------------------------------------------------------------\n  // Token management\n  // ---------------------------------------------------------------------------\n\n  const setToken = async (\n    args:\n      | { shouldStore: true; tokens: AuthSession | null }\n      | { shouldStore: false; tokens: { token: string } | null },\n  ) => {\n    if (args.tokens === null) {\n      token = null;\n      if (args.shouldStore) {\n        await storageRemove(JWT_STORAGE_KEY);\n        await storageRemove(REFRESH_TOKEN_STORAGE_KEY);\n      }\n    } else {\n      token = args.tokens.token;\n      if (args.shouldStore && \"refreshToken\" in args.tokens) {\n        await storageSet(JWT_STORAGE_KEY, args.tokens.token);\n        await storageSet(REFRESH_TOKEN_STORAGE_KEY, args.tokens.refreshToken);\n      }\n    }\n    const hadPendingLoad = isLoading;\n    isLoading = false;\n    const changed = updateSnapshot();\n    if (hadPendingLoad || changed) {\n      // Re-sync the Convex client so it picks up the new token immediately.\n      // Without this, the initial convex.setAuth(fetchAccessToken) from\n      // initialization never re-polls and queries run unauthenticated after\n      // magic link code exchange.\n      if (!proxy) {\n        convex.setAuth(fetchAccessToken);\n      }\n      notify();\n    }\n  };\n\n  // ---------------------------------------------------------------------------\n  // Proxy fetch helper\n  // ---------------------------------------------------------------------------\n\n  const proxyFetch = async (body: Record<string, unknown>) => {\n    const response = await fetch(proxy!, {\n      method: \"POST\",\n      headers: { \"Content-Type\": \"application/json\" },\n      credentials: \"include\",\n      body: JSON.stringify(body),\n    });\n    if (!response.ok) {\n      const errorBody = await response.json().catch(() => ({} as Record<string, unknown>));\n      // Reconstruct ConvexError when the proxy forwards structured auth error data.\n      if (\n        typeof errorBody === \"object\" &&\n        errorBody !== null &&\n        \"authError\" in errorBody &&\n        typeof (errorBody as Record<string, unknown>).authError === \"object\"\n      ) {\n        throw new ConvexError((errorBody as Record<string, unknown>).authError as Value);\n      }\n      throw new Error(\n        (errorBody as Record<string, unknown>).error as string ??\n          `Proxy request failed: ${response.status}`,\n      );\n    }\n    return response.json();\n  };\n\n  // ---------------------------------------------------------------------------\n  // Code verification with retries (SPA mode only)\n  // ---------------------------------------------------------------------------\n\n  const verifyCode = async (\n    args: { code: string; verifier?: string } | { refreshToken: string },\n  ) => {\n    let lastError: unknown;\n    let retry = 0;\n    while (retry < RETRY_BACKOFF.length) {\n      try {\n        return await httpClient!.action(\n          \"auth:signIn\" as any,\n          \"code\" in args\n            ? { params: { code: args.code }, verifier: args.verifier }\n            : args,\n        );\n      } catch (e) {\n        lastError = e;\n        const isNetworkError =\n          e instanceof Error && /network/i.test(e.message || \"\");\n        if (!isNetworkError) break;\n        const wait = RETRY_BACKOFF[retry]! + RETRY_JITTER * Math.random();\n        retry++;\n        await new Promise((resolve) => setTimeout(resolve, wait));\n      }\n    }\n    throw lastError;\n  };\n\n  const verifyCodeAndSetToken = async (\n    args: { code: string; verifier?: string } | { refreshToken: string },\n  ) => {\n    const { tokens } = await verifyCode(args);\n    await setToken({\n      shouldStore: true,\n      tokens: (tokens as AuthSession | null) ?? null,\n    });\n    return tokens !== null;\n  };\n\n  // ---------------------------------------------------------------------------\n  // signIn\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Sign in with a provider.\n   *\n   * @param provider - Provider ID (e.g. `\"email\"`, `\"password\"`, `\"google\"`).\n   *   Omit when exchanging an OAuth code (the code carries the provider info).\n   * @param args - Provider-specific arguments. Pass a `Record<string, Value>`\n   *   or `FormData`. Common fields: `email`, `password`, `code`, `redirectTo`.\n   * @returns A {@link SignInResult} indicating the outcome.\n   *\n   * @example Email magic link\n   * ```ts\n   * await auth.signIn('email', { email: 'user@example.com' });\n   * ```\n   *\n   * @example Password\n   * ```ts\n   * const result = await auth.signIn('password', { email, password, flow: 'signIn' });\n   * if (result.totpRequired) {\n   *   await auth.totp.verify({ code: totpCode, verifier: result.verifier! });\n   * }\n   * ```\n   *\n   * @example OAuth (triggers redirect)\n   * ```ts\n   * await auth.signIn('google'); // redirects to Google\n   * ```\n   */\n  const signIn = async (\n    provider?: string,\n    args?: FormData | Record<string, Value>,\n  ): Promise<SignInResult> => {\n    const params =\n      args instanceof FormData\n        ? Array.from(args.entries()).reduce(\n            (acc, [k, v]) => {\n              acc[k] = v as string;\n              return acc;\n            },\n            {} as Record<string, string>,\n          )\n        : args ?? {};\n\n    if (proxy) {\n      // Proxy mode: POST to the proxy endpoint.\n      const result = await proxyFetch({\n        action: \"auth:signIn\",\n        args: { provider, params },\n      });\n      if (result.redirect !== undefined) {\n        const redirectUrl = new URL(result.redirect);\n        // Verifier is stored server-side in an httpOnly cookie.\n        if (typeof window !== \"undefined\") {\n          window.location.href = redirectUrl.toString();\n        }\n        return { signingIn: false, redirect: redirectUrl };\n      }\n      if (result.totpRequired) {\n        return { signingIn: false, totpRequired: true, verifier: result.verifier };\n      }\n      if (result.deviceCode !== undefined) {\n        return { signingIn: false, deviceCode: result.deviceCode as DeviceCodeResult };\n      }\n      if (result.tokens !== undefined) {\n        // Proxy returns { token, refreshToken: \"dummy\" }.\n        // Store JWT in memory only — real refresh token is in httpOnly cookie.\n        await setToken({\n          shouldStore: false,\n          tokens:\n            result.tokens === null ? null : { token: result.tokens.token },\n        });\n        return { signingIn: result.tokens !== null };\n      }\n      return { signingIn: false };\n    }\n\n    // SPA mode: call Convex directly.\n    const verifier = (await storageGet(VERIFIER_STORAGE_KEY)) ?? undefined;\n    await storageRemove(VERIFIER_STORAGE_KEY);\n    const result = await convex.action(\"auth:signIn\" as any, {\n      provider,\n      params,\n      verifier,\n    });\n    if (result.redirect !== undefined) {\n      const redirectUrl = new URL(result.redirect);\n      await storageSet(VERIFIER_STORAGE_KEY, result.verifier!);\n      if (typeof window !== \"undefined\") {\n        window.location.href = redirectUrl.toString();\n      }\n      return { signingIn: false, redirect: redirectUrl };\n    }\n    if (result.totpRequired) {\n      return { signingIn: false, totpRequired: true, verifier: result.verifier };\n    }\n    if (result.deviceCode !== undefined) {\n      return { signingIn: false, deviceCode: result.deviceCode as DeviceCodeResult };\n    }\n    if (result.tokens !== undefined) {\n      await setToken({\n        shouldStore: true,\n        tokens: (result.tokens as AuthSession | null) ?? null,\n      });\n      return { signingIn: result.tokens !== null };\n    }\n    return { signingIn: false };\n  };\n\n  // ---------------------------------------------------------------------------\n  // signOut\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Sign out the current user.\n   *\n   * Invalidates the server session and clears local token state.\n   * Errors are silently caught — calling `signOut` on an already\n   * signed-out user is a no-op.\n   */\n  const signOut = async () => {\n    if (proxy) {\n      try {\n        await proxyFetch({ action: \"auth:signOut\", args: {} });\n      } catch {\n        // Already signed out is fine.\n      }\n      await setToken({ shouldStore: false, tokens: null });\n      if (convex.clearAuth) convex.clearAuth();\n      return;\n    }\n\n    // SPA mode.\n    try {\n      await convex.action(\"auth:signOut\" as any, {});\n    } catch {\n      // Already signed out is fine.\n    }\n    await setToken({ shouldStore: true, tokens: null });\n    if (convex.clearAuth) convex.clearAuth();\n  };\n\n  // ---------------------------------------------------------------------------\n  // fetchAccessToken — called by convex.setAuth()\n  // ---------------------------------------------------------------------------\n\n  const fetchAccessToken = async ({\n    forceRefreshToken,\n  }: {\n    forceRefreshToken: boolean;\n  }): Promise<string | null> => {\n    if (!forceRefreshToken) return token;\n\n    if (proxy) {\n      // Proxy mode: POST to the proxy to refresh.\n      // The proxy reads the real refresh token from the httpOnly cookie.\n      const tokenBeforeRefresh = token;\n      return await browserMutex(\"__convexAuthProxyRefresh\", async () => {\n        // Another tab/call may have already refreshed.\n        if (token !== tokenBeforeRefresh) return token;\n        try {\n          const result = await proxyFetch({\n            action: \"auth:signIn\",\n            args: { refreshToken: true },\n          });\n          if (result.tokens) {\n            await setToken({\n              shouldStore: false,\n              tokens: { token: result.tokens.token },\n            });\n          } else {\n            await setToken({ shouldStore: false, tokens: null });\n          }\n        } catch {\n          await setToken({ shouldStore: false, tokens: null });\n        }\n        return token;\n      });\n    }\n\n    // SPA mode: refresh via localStorage + httpClient.\n    const tokenBeforeLockAcquisition = token;\n    return await browserMutex(REFRESH_TOKEN_STORAGE_KEY, async () => {\n      const tokenAfterLockAcquisition = token;\n      if (tokenAfterLockAcquisition !== tokenBeforeLockAcquisition) {\n        return tokenAfterLockAcquisition;\n      }\n      const refreshToken =\n        (await storageGet(REFRESH_TOKEN_STORAGE_KEY)) ?? null;\n      if (!refreshToken) {\n        return null;\n      }\n      await verifyCodeAndSetToken({ refreshToken });\n      return token;\n    });\n  };\n\n  // ---------------------------------------------------------------------------\n  // OAuth code flow (SPA mode only — server handles this in proxy mode)\n  // ---------------------------------------------------------------------------\n\n  const handleCodeFlow = async () => {\n    if (typeof window === \"undefined\") return;\n    if (handlingCodeFlow) return;\n    const code = new URLSearchParams(window.location.search).get(\"code\");\n    if (!code) return;\n    handlingCodeFlow = true;\n    const codeUrl = new URL(window.location.href);\n    codeUrl.searchParams.delete(\"code\");\n    try {\n      await replaceURL(codeUrl.pathname + codeUrl.search + codeUrl.hash);\n      await signIn(undefined, { code });\n    } finally {\n      handlingCodeFlow = false;\n    }\n  };\n\n  // ---------------------------------------------------------------------------\n  // Hydrate from storage (SPA mode only)\n  // ---------------------------------------------------------------------------\n\n  const hydrateFromStorage = async () => {\n    const storedToken = (await storageGet(JWT_STORAGE_KEY)) ?? null;\n    await setToken({\n      shouldStore: false,\n      tokens: storedToken === null ? null : { token: storedToken },\n    });\n  };\n\n  // ---------------------------------------------------------------------------\n  // Subscribe\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Subscribe to auth state changes. Invokes the callback immediately\n   * with the current state, then again on every state transition.\n   *\n   * ```ts\n   * const unsub = auth.onChange(setState);\n   * ```\n   *\n   * @param cb - Callback receiving the latest {@link AuthState}.\n   * @returns An unsubscribe function.\n   */\n  const onChange = (cb: (state: AuthState) => void): (() => void) => {\n    cb(snapshot);\n    const wrapped = () => cb(snapshot);\n    subscribers.add(wrapped);\n    return () => {\n      subscribers.delete(wrapped);\n    };\n  };\n\n  // ---------------------------------------------------------------------------\n  // Initialization\n  // ---------------------------------------------------------------------------\n\n  // Cross-tab sync via storage events (SPA mode only).\n  if (!proxy && typeof window !== \"undefined\") {\n    const onStorage = (event: StorageEvent) => {\n      void (async () => {\n        if (event.key !== key(JWT_STORAGE_KEY)) return;\n        await setToken({\n          shouldStore: false,\n          tokens:\n            event.newValue === null ? null : { token: event.newValue },\n        });\n      })();\n    };\n    window.addEventListener(\"storage\", onStorage);\n  }\n\n  // Auto-wire: feed our tokens into the Convex client so\n  // queries and mutations are automatically authenticated.\n  convex.setAuth(fetchAccessToken);\n\n  // Auto-hydrate and handle code flow.\n  if (typeof window !== \"undefined\") {\n    if (proxy) {\n      // Proxy mode: if no initialToken was provided, try a refresh\n      // to pick up any existing session from httpOnly cookies.\n      if (!hasServerToken) {\n        void fetchAccessToken({ forceRefreshToken: true });\n      } else {\n        // initialToken already set — mark loading as done.\n        isLoading = false;\n        updateSnapshot();\n      }\n    } else {\n      // SPA mode: hydrate from localStorage, then handle OAuth code flow.\n      void hydrateFromStorage().then(() =>\n        handleCodeFlow().catch((error: unknown) => {\n          console.error(\"[convex-auth] Code exchange failed:\", error);\n        }),\n      );\n    }\n  }\n\n  // ---------------------------------------------------------------------------\n  // Passkey helpers\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Base64url encode/decode helpers for the WebAuthn credential API.\n   * These run client-side only (browser context).\n   */\n  const base64urlEncode = (buffer: ArrayBuffer): string => {\n    const bytes = new Uint8Array(buffer);\n    let binary = \"\";\n    for (let i = 0; i < bytes.byteLength; i++) {\n      binary += String.fromCharCode(bytes[i]!);\n    }\n    return btoa(binary).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n  };\n\n  const base64urlDecode = (str: string): Uint8Array => {\n    const padded = str.replace(/-/g, \"+\").replace(/_/g, \"/\");\n    const binary = atob(padded);\n    const bytes = new Uint8Array(binary.length);\n    for (let i = 0; i < binary.length; i++) {\n      bytes[i] = binary.charCodeAt(i);\n    }\n    return bytes;\n  };\n\n  const passkey = {\n    /**\n     * Check if WebAuthn passkeys are supported in the current environment.\n     */\n    isSupported: (): boolean => {\n      return (\n        typeof window !== \"undefined\" &&\n        typeof window.PublicKeyCredential !== \"undefined\"\n      );\n    },\n\n    /**\n     * Check if conditional UI (autofill-assisted passkey sign-in) is supported.\n     *\n     * ```ts\n     * if (await auth.passkey.isAutofillSupported()) {\n     *   auth.passkey.authenticate({ autofill: true });\n     * }\n     * ```\n     */\n    isAutofillSupported: async (): Promise<boolean> => {\n      if (typeof window === \"undefined\") return false;\n      if (typeof window.PublicKeyCredential === \"undefined\") return false;\n      if (\n        typeof (\n          window.PublicKeyCredential as any\n        ).isConditionalMediationAvailable !== \"function\"\n      ) {\n        return false;\n      }\n      return (\n        window.PublicKeyCredential as any\n      ).isConditionalMediationAvailable();\n    },\n\n    /**\n     * Register a new passkey for the current or new user.\n     *\n     * Performs the full two-round-trip WebAuthn registration ceremony:\n     * 1. Requests creation options from the server (challenge, RP info)\n     * 2. Calls `navigator.credentials.create()` with the options\n     * 3. Sends the attestation back to the server for verification\n     * 4. Server creates user + account + passkey records and returns tokens\n     *\n     * Works in both SPA and proxy (SSR) modes.\n     *\n     * ```ts\n     * await auth.passkey.register({ name: \"MacBook Touch ID\" });\n     * ```\n     *\n     * @param opts.name - Friendly name for this passkey\n     * @param opts.email - Email to associate with the new account\n     * @param opts.userName - Username for the credential (defaults to email)\n     * @param opts.userDisplayName - Display name for the credential\n     * @returns `{ signingIn: true }` on success\n     */\n    register: async (\n      opts?: {\n        name?: string;\n        email?: string;\n        userName?: string;\n        userDisplayName?: string;\n      },\n    ): Promise<SignInResult> => {\n      const phase1Params = {\n        flow: \"register-options\",\n        email: opts?.email,\n        userName: opts?.userName,\n        userDisplayName: opts?.userDisplayName,\n      };\n\n      // Phase 1: Get registration options from server\n      let phase1Result: any;\n      if (proxy) {\n        phase1Result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: { provider: \"passkey\", params: phase1Params },\n        });\n      } else {\n        phase1Result = await convex.action(\"auth:signIn\" as any, {\n          provider: \"passkey\",\n          params: phase1Params,\n        });\n      }\n\n      if (!phase1Result.options) {\n        throw new Error(\"Server did not return passkey registration options\");\n      }\n\n      const options = phase1Result.options;\n\n      // Convert base64url strings to ArrayBuffers for the credential API\n      const createOptions: CredentialCreationOptions = {\n        publicKey: {\n          rp: options.rp,\n          user: {\n            id: base64urlDecode(options.user.id).buffer as ArrayBuffer,\n            name: options.user.name,\n            displayName: options.user.displayName,\n          },\n          challenge: base64urlDecode(options.challenge).buffer as ArrayBuffer,\n          pubKeyCredParams: options.pubKeyCredParams,\n          timeout: options.timeout,\n          attestation: options.attestation,\n          authenticatorSelection: options.authenticatorSelection,\n          excludeCredentials: (options.excludeCredentials ?? []).map(\n            (cred: any) => ({\n              type: cred.type ?? \"public-key\",\n              id: base64urlDecode(cred.id).buffer as ArrayBuffer,\n              transports: cred.transports,\n            }),\n          ),\n        },\n      };\n\n      // Phase 2: Create credential via browser API\n      const credential = (await navigator.credentials.create(\n        createOptions,\n      )) as PublicKeyCredential | null;\n      if (!credential) {\n        throw new Error(\"Passkey registration was cancelled\");\n      }\n\n      const response =\n        credential.response as AuthenticatorAttestationResponse;\n\n      // Extract transports if available\n      const transports =\n        typeof response.getTransports === \"function\"\n          ? response.getTransports()\n          : undefined;\n\n      const phase2Params = {\n        flow: \"register-verify\",\n        clientDataJSON: base64urlEncode(response.clientDataJSON),\n        attestationObject: base64urlEncode(response.attestationObject),\n        transports,\n        passkeyName: opts?.name,\n        email: opts?.email,\n      };\n\n      // Phase 3: Send attestation to server for verification\n      let phase2Result: any;\n      if (proxy) {\n        // In proxy mode the verifier is stored in an httpOnly cookie by the proxy.\n        // We pass it back explicitly so the proxy can forward it to Convex.\n        phase2Result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: {\n            provider: \"passkey\",\n            params: phase2Params,\n            verifier: phase1Result.verifier,\n          },\n        });\n      } else {\n        phase2Result = await convex.action(\"auth:signIn\" as any, {\n          provider: \"passkey\",\n          params: phase2Params,\n          verifier: phase1Result.verifier,\n        });\n      }\n\n      if (phase2Result.tokens) {\n        if (proxy) {\n          await setToken({\n            shouldStore: false,\n            tokens:\n              phase2Result.tokens === null\n                ? null\n                : { token: phase2Result.tokens.token },\n          });\n        } else {\n          await setToken({\n            shouldStore: true,\n            tokens: phase2Result.tokens as AuthSession,\n          });\n        }\n        return { signingIn: true };\n      }\n      return { signingIn: false };\n    },\n\n    /**\n     * Authenticate with an existing passkey.\n     *\n     * Performs the full two-round-trip WebAuthn authentication ceremony:\n     * 1. Requests assertion options from the server (challenge, allowed credentials)\n     * 2. Calls `navigator.credentials.get()` with the options\n     * 3. Sends the assertion back to the server for signature verification\n     * 4. Server verifies signature, updates counter, creates session, returns tokens\n     *\n     * Works in both SPA and proxy (SSR) modes.\n     *\n     * ```ts\n     * // Discoverable credential (no email needed)\n     * await auth.passkey.authenticate();\n     *\n     * // Scoped to a specific user's credentials\n     * await auth.passkey.authenticate({ email: \"user@example.com\" });\n     *\n     * // Autofill-assisted (conditional UI)\n     * await auth.passkey.authenticate({ autofill: true });\n     * ```\n     *\n     * @param opts.email - Scope to credentials for this email's user\n     * @param opts.autofill - Use conditional mediation (autofill UI)\n     * @returns `{ signingIn: true }` on success\n     */\n    authenticate: async (\n      opts?: { email?: string; autofill?: boolean },\n    ): Promise<SignInResult> => {\n      const phase1Params = {\n        flow: \"auth-options\",\n        email: opts?.email,\n      };\n\n      // Phase 1: Get assertion options from server\n      let phase1Result: any;\n      if (proxy) {\n        phase1Result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: { provider: \"passkey\", params: phase1Params },\n        });\n      } else {\n        phase1Result = await convex.action(\"auth:signIn\" as any, {\n          provider: \"passkey\",\n          params: phase1Params,\n        });\n      }\n\n      if (!phase1Result.options) {\n        throw new Error(\"Server did not return passkey authentication options\");\n      }\n\n      const options = phase1Result.options;\n\n      // Convert base64url strings to ArrayBuffers for the credential API\n      const getOptions: CredentialRequestOptions = {\n        publicKey: {\n          challenge: base64urlDecode(options.challenge).buffer as ArrayBuffer,\n          timeout: options.timeout,\n          rpId: options.rpId,\n          userVerification: options.userVerification,\n          allowCredentials: (options.allowCredentials ?? []).map(\n            (cred: any) => ({\n              type: cred.type ?? \"public-key\",\n              id: base64urlDecode(cred.id).buffer as ArrayBuffer,\n              transports: cred.transports,\n            }),\n          ),\n        },\n        ...(opts?.autofill ? { mediation: \"conditional\" as any } : {}),\n      };\n\n      // Phase 2: Get credential via browser API\n      const credential = (await navigator.credentials.get(\n        getOptions,\n      )) as PublicKeyCredential | null;\n      if (!credential) {\n        throw new Error(\"Passkey authentication was cancelled\");\n      }\n\n      const response =\n        credential.response as AuthenticatorAssertionResponse;\n\n      const phase2Params = {\n        flow: \"auth-verify\",\n        credentialId: base64urlEncode(credential.rawId),\n        clientDataJSON: base64urlEncode(response.clientDataJSON),\n        authenticatorData: base64urlEncode(response.authenticatorData),\n        signature: base64urlEncode(response.signature),\n      };\n\n      // Phase 3: Send assertion to server for verification\n      let phase2Result: any;\n      if (proxy) {\n        phase2Result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: {\n            provider: \"passkey\",\n            params: phase2Params,\n            verifier: phase1Result.verifier,\n          },\n        });\n      } else {\n        phase2Result = await convex.action(\"auth:signIn\" as any, {\n          provider: \"passkey\",\n          params: phase2Params,\n          verifier: phase1Result.verifier,\n        });\n      }\n\n      if (phase2Result.tokens) {\n        if (proxy) {\n          await setToken({\n            shouldStore: false,\n            tokens:\n              phase2Result.tokens === null\n                ? null\n                : { token: phase2Result.tokens.token },\n          });\n        } else {\n          await setToken({\n            shouldStore: true,\n            tokens: phase2Result.tokens as AuthSession,\n          });\n        }\n        return { signingIn: true };\n      }\n      return { signingIn: false };\n    },\n  };\n\n  const totp = {\n    /**\n     * Start TOTP enrollment. Must be authenticated.\n     *\n     * Returns a URI for QR code display and a base32 secret for manual entry.\n     *\n     * ```ts\n     * const setup = await auth.totp.setup();\n     * // Display QR code from setup.uri\n     * // Or show setup.secret for manual entry\n     * ```\n     */\n    setup: async (\n      opts?: { name?: string; accountName?: string },\n    ): Promise<{ uri: string; secret: string; verifier: string; totpId: string }> => {\n      const params: Record<string, any> = { flow: \"setup\" };\n      if (opts?.name) params.name = opts.name;\n      if (opts?.accountName) params.accountName = opts.accountName;\n\n      if (proxy) {\n        const result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: { provider: \"totp\", params },\n        });\n        return { uri: result.totpSetup.uri, secret: result.totpSetup.secret, verifier: result.verifier, totpId: result.totpSetup.totpId };\n      }\n\n      const result = await convex.action(\"auth:signIn\" as any, {\n        provider: \"totp\",\n        params,\n      });\n      return { uri: result.totpSetup.uri, secret: result.totpSetup.secret, verifier: result.verifier, totpId: result.totpSetup.totpId };\n    },\n\n    /**\n     * Complete TOTP enrollment by verifying the first code from the authenticator app.\n     *\n     * ```ts\n     * await auth.totp.confirm({ code: \"123456\", verifier: setup.verifier, totpId: setup.totpId });\n     * ```\n     */\n    confirm: async (opts: {\n      code: string;\n      verifier: string;\n      totpId: string;\n    }): Promise<void> => {\n      const params: Record<string, any> = {\n        flow: \"confirm\",\n        code: opts.code,\n        totpId: opts.totpId,\n      };\n\n      if (proxy) {\n        const result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: { provider: \"totp\", params, verifier: opts.verifier },\n        });\n        if (result.tokens) {\n          await setToken({\n            shouldStore: false,\n            tokens: result.tokens === null ? null : { token: result.tokens.token },\n          });\n        }\n        return;\n      }\n\n      const result = await convex.action(\"auth:signIn\" as any, {\n        provider: \"totp\",\n        params,\n        verifier: opts.verifier,\n      });\n      if (result.tokens) {\n        await setToken({\n          shouldStore: true,\n          tokens: (result.tokens as AuthSession | null) ?? null,\n        });\n      }\n    },\n\n    /**\n     * Complete 2FA verification during sign-in.\n     *\n     * Called after a credentials sign-in returns `totpRequired: true`.\n     *\n     * ```ts\n     * const result = await auth.signIn(\"password\", { email, password });\n     * if (result.totpRequired) {\n     *   await auth.totp.verify({ code: \"123456\", verifier: result.verifier! });\n     * }\n     * ```\n     */\n    verify: async (opts: { code: string; verifier: string }): Promise<void> => {\n      const params: Record<string, any> = {\n        flow: \"verify\",\n        code: opts.code,\n      };\n\n      if (proxy) {\n        const result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: { provider: \"totp\", params, verifier: opts.verifier },\n        });\n        if (result.tokens) {\n          await setToken({\n            shouldStore: false,\n            tokens: result.tokens === null ? null : { token: result.tokens.token },\n          });\n        }\n        return;\n      }\n\n      const result = await convex.action(\"auth:signIn\" as any, {\n        provider: \"totp\",\n        params,\n        verifier: opts.verifier,\n      });\n      if (result.tokens) {\n        await setToken({\n          shouldStore: true,\n          tokens: (result.tokens as AuthSession | null) ?? null,\n        });\n      }\n    },\n  };\n\n  const device = {\n    /**\n     * Poll for device authorization status.\n     *\n     * The device calls this repeatedly (respecting `interval`) after\n     * initiating a device flow via `signIn(\"device\")`. Returns when\n     * the user authorizes, or throws on timeout/denial.\n     *\n     * ```ts\n     * const result = await auth.signIn(\"device\");\n     * const { deviceCode } = result;\n     * // Display deviceCode.userCode to the user, then poll:\n     * await auth.device.poll(deviceCode);\n     * // User is now signed in\n     * ```\n     *\n     * @param code - The {@link DeviceCodeResult} from `signIn(\"device\")`.\n     * @returns Resolves when the device is authorized and tokens are stored.\n     * @throws When the code expires, is denied, or polling encounters an error.\n     */\n    poll: async (code: DeviceCodeResult): Promise<void> => {\n      const intervalMs = code.interval * 1000;\n      const expiresAt = Date.now() + code.expiresIn * 1000;\n\n      while (Date.now() < expiresAt) {\n        await new Promise((resolve) => setTimeout(resolve, intervalMs));\n\n        try {\n          let result: any;\n          const params: Record<string, any> = {\n            flow: \"poll\",\n            deviceCode: code.deviceCode,\n          };\n\n          if (proxy) {\n            result = await proxyFetch({\n              action: \"auth:signIn\",\n              args: { provider: \"device\", params },\n            });\n          } else {\n            result = await convex.action(\"auth:signIn\" as any, {\n              provider: \"device\",\n              params,\n            });\n          }\n\n          // Authorized — tokens received\n          if (result.tokens) {\n            if (proxy) {\n              await setToken({\n                shouldStore: false,\n                tokens:\n                  result.tokens === null\n                    ? null\n                    : { token: result.tokens.token },\n              });\n            } else {\n              await setToken({\n                shouldStore: true,\n                tokens: (result.tokens as AuthSession | null) ?? null,\n              });\n            }\n            return;\n          }\n        } catch (e: unknown) {\n          // Handle expected polling errors\n          if (e instanceof ConvexError) {\n            const data = e.data as Record<string, unknown>;\n            const code_ = data?.code as string | undefined;\n            if (code_ === \"DEVICE_AUTHORIZATION_PENDING\") {\n              continue; // Keep polling\n            }\n            if (code_ === \"DEVICE_SLOW_DOWN\") {\n              // Back off by adding one interval\n              await new Promise((resolve) =>\n                setTimeout(resolve, intervalMs),\n              );\n              continue;\n            }\n          }\n          // Non-recoverable error — rethrow\n          throw e;\n        }\n      }\n\n      throw new Error(\"Device authorization timed out.\");\n    },\n\n    /**\n     * Authorize a device from the verification page.\n     *\n     * Called by an authenticated user on the verification page after\n     * they enter the user code displayed on the device.\n     *\n     * ```ts\n     * // On the /device verification page:\n     * await auth.device.verify(userCode);\n     * ```\n     *\n     * @param userCode - The user code entered by the user (e.g. \"WDJB-MJHT\").\n     */\n    verify: async (userCode: string): Promise<void> => {\n      const params: Record<string, any> = {\n        flow: \"verify\",\n        userCode,\n      };\n\n      if (proxy) {\n        await proxyFetch({\n          action: \"auth:signIn\",\n          args: { provider: \"device\", params },\n        });\n      } else {\n        await convex.action(\"auth:signIn\" as any, {\n          provider: \"device\",\n          params,\n        });\n      }\n    },\n  };\n\n  return {\n    /** Current auth state snapshot. */\n    get state(): AuthState {\n      return snapshot;\n    },\n    /** Sign in with a provider. See {@link SignInResult} for return shape. */\n    signIn,\n    /** Sign out and clear all token state. */\n    signOut,\n    /** Subscribe to auth state changes. Returns an unsubscribe function. */\n    onChange,\n    /** Passkey (WebAuthn) authentication helpers. */\n    passkey,\n    /** TOTP two-factor authentication helpers. */\n    totp,\n    /** Device authorization (RFC 8628) helpers. */\n    device,\n  };\n}\n\n// ---------------------------------------------------------------------------\n// Browser mutex — ensures only one tab refreshes a token at a time.\n// ---------------------------------------------------------------------------\n\nasync function browserMutex<T>(\n  key: string,\n  callback: () => Promise<T>,\n): Promise<T> {\n  const lockManager = (globalThis as any)?.navigator?.locks;\n  return lockManager !== undefined\n    ? await lockManager.request(key, callback)\n    : await manualMutex(key, callback);\n}\n\nfunction getMutexValue(key: string): {\n  currentlyRunning: Promise<void> | null;\n  waiting: Array<() => Promise<void>>;\n} {\n  if ((globalThis as any).__convexAuthMutexes === undefined) {\n    (globalThis as any).__convexAuthMutexes = {} as Record<\n      string,\n      {\n        currentlyRunning: Promise<void> | null;\n        waiting: Array<() => Promise<void>>;\n      }\n    >;\n  }\n  let mutex = (globalThis as any).__convexAuthMutexes[key];\n  if (mutex === undefined) {\n    (globalThis as any).__convexAuthMutexes[key] = {\n      currentlyRunning: null,\n      waiting: [],\n    };\n  }\n  mutex = (globalThis as any).__convexAuthMutexes[key];\n  return mutex;\n}\n\nfunction setMutexValue(\n  key: string,\n  value: {\n    currentlyRunning: Promise<void> | null;\n    waiting: Array<() => Promise<void>>;\n  },\n) {\n  (globalThis as any).__convexAuthMutexes[key] = value;\n}\n\nasync function enqueueCallbackForMutex(\n  key: string,\n  callback: () => Promise<void>,\n) {\n  const mutex = getMutexValue(key);\n  if (mutex.currentlyRunning === null) {\n    setMutexValue(key, {\n      currentlyRunning: callback().finally(() => {\n        const nextCb = getMutexValue(key).waiting.shift();\n        getMutexValue(key).currentlyRunning = null;\n        setMutexValue(key, {\n          ...getMutexValue(key),\n          currentlyRunning:\n            nextCb === undefined ? null : enqueueCallbackForMutex(key, nextCb),\n        });\n      }),\n      waiting: [],\n    });\n  } else {\n    setMutexValue(key, {\n      ...mutex,\n      waiting: [...mutex.waiting, callback],\n    });\n  }\n}\n\nasync function manualMutex<T>(\n  key: string,\n  callback: () => Promise<T>,\n): Promise<T> {\n  const outerPromise = new Promise<T>((resolve, reject) => {\n    const wrappedCallback: () => Promise<void> = () => {\n      return callback()\n        .then((v) => resolve(v))\n        .catch((e) => reject(e));\n    };\n    void enqueueCallbackForMutex(key, wrappedCallback);\n  });\n  return outerPromise;\n}\n"],"mappings":";;;;;AAyIA,MAAM,uBAAuB;AAC7B,MAAM,kBAAkB;AACxB,MAAM,4BAA4B;AAElC,MAAM,gBAAgB,CAAC,KAAK,IAAK;AACjC,MAAM,eAAe;;;;;;;AAQrB,SAAS,WAAW,QAAyB,UAA2B;AACtE,KAAI,SAAU,QAAO;CACrB,MAAM,IAAI;CACV,MAAM,MAAe,EAAE,OAAO,EAAE,QAAQ;AACxC,KAAI,OAAO,QAAQ,SAAU,QAAO;AACpC,OAAM,IAAI,MACR,oEACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAoCH,SAAgB,OAAO,SAAwB;CAC7C,MAAM,EAAE,QAAQ,UAAU;CAG1B,MAAM,UACJ,QAAQ,YAAY,SAChB,QAAQ,UACR,QACE,OACA,OAAO,WAAW,cAChB,OACA,OAAO;CAEjB,MAAM,aACJ,QAAQ,gBACN,UAAgB;AAChB,MAAI,OAAO,WAAW,YACpB,QAAO,QAAQ,aAAa,EAAE,EAAE,IAAIA,MAAI;;CAI9C,MAAM,MAAM,QAAQ,SAAY,WAAW,QAAQ,QAAQ,IAAI;CAC/D,MAAM,mBAAmB,QACrB,MAAM,QAAQ,iBAAiB,GAAG,GAClC,IAAK,QAAQ,iBAAiB,GAAG;CACrC,MAAM,OAAO,SAAiB,GAAG,KAAK,GAAG;CACzC,MAAM,8BAAc,IAAI,KAAiB;CAIzC,MAAM,aAAa,QAAQ,OAAO,IAAI,iBAAiB,IAAK;CAO5D,MAAM,cAAc,QAAQ,SAAS;CACrC,MAAM,iBAAiB,gBAAgB;CAEvC,IAAI,QAAuB;CAC3B,IAAI,YAAY,CAAC;CACjB,IAAI,WAAsB;EACxB;EACA,iBAAiB;EACjB;EACD;CACD,IAAI,mBAAmB;CAEvB,MAAM,eAAe;AACnB,OAAK,MAAM,MAAM,YAAa,KAAI;;CAGpC,MAAM,uBAAuB;EAC3B,MAAM,OAAkB;GACtB;GACA,iBAAiB,UAAU;GAC3B;GACD;AACD,MACE,SAAS,cAAc,KAAK,aAC5B,SAAS,oBAAoB,KAAK,mBAClC,SAAS,UAAU,KAAK,MAExB,QAAO;AAET,aAAW;AACX,SAAO;;CAOT,MAAM,aAAa,OAAO,SACxB,UAAY,MAAM,QAAQ,QAAQ,IAAI,KAAK,CAAC,IAAK,OAAQ;CAC3D,MAAM,aAAa,OAAO,MAAc,UAAkB;AACxD,MAAI,QAAS,OAAM,QAAQ,QAAQ,IAAI,KAAK,EAAE,MAAM;;CAEtD,MAAM,gBAAgB,OAAO,SAAiB;AAC5C,MAAI,QAAS,OAAM,QAAQ,WAAW,IAAI,KAAK,CAAC;;CAOlD,MAAM,WAAW,OACf,SAGG;AACH,MAAI,KAAK,WAAW,MAAM;AACxB,WAAQ;AACR,OAAI,KAAK,aAAa;AACpB,UAAM,cAAc,gBAAgB;AACpC,UAAM,cAAc,0BAA0B;;SAE3C;AACL,WAAQ,KAAK,OAAO;AACpB,OAAI,KAAK,eAAe,kBAAkB,KAAK,QAAQ;AACrD,UAAM,WAAW,iBAAiB,KAAK,OAAO,MAAM;AACpD,UAAM,WAAW,2BAA2B,KAAK,OAAO,aAAa;;;EAGzE,MAAM,iBAAiB;AACvB,cAAY;EACZ,MAAM,UAAU,gBAAgB;AAChC,MAAI,kBAAkB,SAAS;AAK7B,OAAI,CAAC,MACH,QAAO,QAAQ,iBAAiB;AAElC,WAAQ;;;CAQZ,MAAM,aAAa,OAAO,SAAkC;EAC1D,MAAM,WAAW,MAAM,MAAM,OAAQ;GACnC,QAAQ;GACR,SAAS,EAAE,gBAAgB,oBAAoB;GAC/C,aAAa;GACb,MAAM,KAAK,UAAU,KAAK;GAC3B,CAAC;AACF,MAAI,CAAC,SAAS,IAAI;GAChB,MAAM,YAAY,MAAM,SAAS,MAAM,CAAC,aAAa,EAAE,EAA6B;AAEpF,OACE,OAAO,cAAc,YACrB,cAAc,QACd,eAAe,aACf,OAAQ,UAAsC,cAAc,SAE5D,OAAM,IAAI,YAAa,UAAsC,UAAmB;AAElF,SAAM,IAAI,MACP,UAAsC,SACrC,yBAAyB,SAAS,SACrC;;AAEH,SAAO,SAAS,MAAM;;CAOxB,MAAM,aAAa,OACjB,SACG;EACH,IAAI;EACJ,IAAI,QAAQ;AACZ,SAAO,QAAQ,cAAc,OAC3B,KAAI;AACF,UAAO,MAAM,WAAY,OACvB,eACA,UAAU,OACN;IAAE,QAAQ,EAAE,MAAM,KAAK,MAAM;IAAE,UAAU,KAAK;IAAU,GACxD,KACL;WACM,GAAG;AACV,eAAY;AAGZ,OAAI,EADF,aAAa,SAAS,WAAW,KAAK,EAAE,WAAW,GAAG,EACnC;GACrB,MAAM,OAAO,cAAc,SAAU,eAAe,KAAK,QAAQ;AACjE;AACA,SAAM,IAAI,SAAS,YAAY,WAAW,SAAS,KAAK,CAAC;;AAG7D,QAAM;;CAGR,MAAM,wBAAwB,OAC5B,SACG;EACH,MAAM,EAAE,WAAW,MAAM,WAAW,KAAK;AACzC,QAAM,SAAS;GACb,aAAa;GACb,QAAS,UAAiC;GAC3C,CAAC;AACF,SAAO,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAkCpB,MAAM,SAAS,OACb,UACA,SAC0B;EAC1B,MAAM,SACJ,gBAAgB,WACZ,MAAM,KAAK,KAAK,SAAS,CAAC,CAAC,QACxB,KAAK,CAAC,GAAG,OAAO;AACf,OAAI,KAAK;AACT,UAAO;KAET,EAAE,CACH,GACD,QAAQ,EAAE;AAEhB,MAAI,OAAO;GAET,MAAMC,WAAS,MAAM,WAAW;IAC9B,QAAQ;IACR,MAAM;KAAE;KAAU;KAAQ;IAC3B,CAAC;AACF,OAAIA,SAAO,aAAa,QAAW;IACjC,MAAM,cAAc,IAAI,IAAIA,SAAO,SAAS;AAE5C,QAAI,OAAO,WAAW,YACpB,QAAO,SAAS,OAAO,YAAY,UAAU;AAE/C,WAAO;KAAE,WAAW;KAAO,UAAU;KAAa;;AAEpD,OAAIA,SAAO,aACT,QAAO;IAAE,WAAW;IAAO,cAAc;IAAM,UAAUA,SAAO;IAAU;AAE5E,OAAIA,SAAO,eAAe,OACxB,QAAO;IAAE,WAAW;IAAO,YAAYA,SAAO;IAAgC;AAEhF,OAAIA,SAAO,WAAW,QAAW;AAG/B,UAAM,SAAS;KACb,aAAa;KACb,QACEA,SAAO,WAAW,OAAO,OAAO,EAAE,OAAOA,SAAO,OAAO,OAAO;KACjE,CAAC;AACF,WAAO,EAAE,WAAWA,SAAO,WAAW,MAAM;;AAE9C,UAAO,EAAE,WAAW,OAAO;;EAI7B,MAAM,WAAY,MAAM,WAAW,qBAAqB,IAAK;AAC7D,QAAM,cAAc,qBAAqB;EACzC,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;GACvD;GACA;GACA;GACD,CAAC;AACF,MAAI,OAAO,aAAa,QAAW;GACjC,MAAM,cAAc,IAAI,IAAI,OAAO,SAAS;AAC5C,SAAM,WAAW,sBAAsB,OAAO,SAAU;AACxD,OAAI,OAAO,WAAW,YACpB,QAAO,SAAS,OAAO,YAAY,UAAU;AAE/C,UAAO;IAAE,WAAW;IAAO,UAAU;IAAa;;AAEpD,MAAI,OAAO,aACT,QAAO;GAAE,WAAW;GAAO,cAAc;GAAM,UAAU,OAAO;GAAU;AAE5E,MAAI,OAAO,eAAe,OACxB,QAAO;GAAE,WAAW;GAAO,YAAY,OAAO;GAAgC;AAEhF,MAAI,OAAO,WAAW,QAAW;AAC/B,SAAM,SAAS;IACb,aAAa;IACb,QAAS,OAAO,UAAiC;IAClD,CAAC;AACF,UAAO,EAAE,WAAW,OAAO,WAAW,MAAM;;AAE9C,SAAO,EAAE,WAAW,OAAO;;;;;;;;;CAc7B,MAAM,UAAU,YAAY;AAC1B,MAAI,OAAO;AACT,OAAI;AACF,UAAM,WAAW;KAAE,QAAQ;KAAgB,MAAM,EAAE;KAAE,CAAC;WAChD;AAGR,SAAM,SAAS;IAAE,aAAa;IAAO,QAAQ;IAAM,CAAC;AACpD,OAAI,OAAO,UAAW,QAAO,WAAW;AACxC;;AAIF,MAAI;AACF,SAAM,OAAO,OAAO,gBAAuB,EAAE,CAAC;UACxC;AAGR,QAAM,SAAS;GAAE,aAAa;GAAM,QAAQ;GAAM,CAAC;AACnD,MAAI,OAAO,UAAW,QAAO,WAAW;;CAO1C,MAAM,mBAAmB,OAAO,EAC9B,wBAG4B;AAC5B,MAAI,CAAC,kBAAmB,QAAO;AAE/B,MAAI,OAAO;GAGT,MAAM,qBAAqB;AAC3B,UAAO,MAAM,aAAa,4BAA4B,YAAY;AAEhE,QAAI,UAAU,mBAAoB,QAAO;AACzC,QAAI;KACF,MAAM,SAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM,EAAE,cAAc,MAAM;MAC7B,CAAC;AACF,SAAI,OAAO,OACT,OAAM,SAAS;MACb,aAAa;MACb,QAAQ,EAAE,OAAO,OAAO,OAAO,OAAO;MACvC,CAAC;SAEF,OAAM,SAAS;MAAE,aAAa;MAAO,QAAQ;MAAM,CAAC;YAEhD;AACN,WAAM,SAAS;MAAE,aAAa;MAAO,QAAQ;MAAM,CAAC;;AAEtD,WAAO;KACP;;EAIJ,MAAM,6BAA6B;AACnC,SAAO,MAAM,aAAa,2BAA2B,YAAY;GAC/D,MAAM,4BAA4B;AAClC,OAAI,8BAA8B,2BAChC,QAAO;GAET,MAAM,eACH,MAAM,WAAW,0BAA0B,IAAK;AACnD,OAAI,CAAC,aACH,QAAO;AAET,SAAM,sBAAsB,EAAE,cAAc,CAAC;AAC7C,UAAO;IACP;;CAOJ,MAAM,iBAAiB,YAAY;AACjC,MAAI,OAAO,WAAW,YAAa;AACnC,MAAI,iBAAkB;EACtB,MAAM,OAAO,IAAI,gBAAgB,OAAO,SAAS,OAAO,CAAC,IAAI,OAAO;AACpE,MAAI,CAAC,KAAM;AACX,qBAAmB;EACnB,MAAM,UAAU,IAAI,IAAI,OAAO,SAAS,KAAK;AAC7C,UAAQ,aAAa,OAAO,OAAO;AACnC,MAAI;AACF,SAAM,WAAW,QAAQ,WAAW,QAAQ,SAAS,QAAQ,KAAK;AAClE,SAAM,OAAO,QAAW,EAAE,MAAM,CAAC;YACzB;AACR,sBAAmB;;;CAQvB,MAAM,qBAAqB,YAAY;EACrC,MAAM,cAAe,MAAM,WAAW,gBAAgB,IAAK;AAC3D,QAAM,SAAS;GACb,aAAa;GACb,QAAQ,gBAAgB,OAAO,OAAO,EAAE,OAAO,aAAa;GAC7D,CAAC;;;;;;;;;;;;;CAkBJ,MAAM,YAAY,OAAiD;AACjE,KAAG,SAAS;EACZ,MAAM,gBAAgB,GAAG,SAAS;AAClC,cAAY,IAAI,QAAQ;AACxB,eAAa;AACX,eAAY,OAAO,QAAQ;;;AAS/B,KAAI,CAAC,SAAS,OAAO,WAAW,aAAa;EAC3C,MAAM,aAAa,UAAwB;AACzC,IAAM,YAAY;AAChB,QAAI,MAAM,QAAQ,IAAI,gBAAgB,CAAE;AACxC,UAAM,SAAS;KACb,aAAa;KACb,QACE,MAAM,aAAa,OAAO,OAAO,EAAE,OAAO,MAAM,UAAU;KAC7D,CAAC;OACA;;AAEN,SAAO,iBAAiB,WAAW,UAAU;;AAK/C,QAAO,QAAQ,iBAAiB;AAGhC,KAAI,OAAO,WAAW,YACpB,KAAI,MAGF,KAAI,CAAC,eACH,CAAK,iBAAiB,EAAE,mBAAmB,MAAM,CAAC;MAC7C;AAEL,cAAY;AACZ,kBAAgB;;KAIlB,CAAK,oBAAoB,CAAC,WACxB,gBAAgB,CAAC,OAAO,UAAmB;AACzC,UAAQ,MAAM,uCAAuC,MAAM;GAC3D,CACH;;;;;CAYL,MAAM,mBAAmB,WAAgC;EACvD,MAAM,QAAQ,IAAI,WAAW,OAAO;EACpC,IAAI,SAAS;AACb,OAAK,IAAI,IAAI,GAAG,IAAI,MAAM,YAAY,IACpC,WAAU,OAAO,aAAa,MAAM,GAAI;AAE1C,SAAO,KAAK,OAAO,CAAC,QAAQ,OAAO,IAAI,CAAC,QAAQ,OAAO,IAAI,CAAC,QAAQ,OAAO,GAAG;;CAGhF,MAAM,mBAAmB,QAA4B;EACnD,MAAM,SAAS,IAAI,QAAQ,MAAM,IAAI,CAAC,QAAQ,MAAM,IAAI;EACxD,MAAM,SAAS,KAAK,OAAO;EAC3B,MAAM,QAAQ,IAAI,WAAW,OAAO,OAAO;AAC3C,OAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,IACjC,OAAM,KAAK,OAAO,WAAW,EAAE;AAEjC,SAAO;;AAkjBT,QAAO;EAEL,IAAI,QAAmB;AACrB,UAAO;;EAGT;EAEA;EAEA;EAEA,SA3jBc;GAId,mBAA4B;AAC1B,WACE,OAAO,WAAW,eAClB,OAAO,OAAO,wBAAwB;;GAa1C,qBAAqB,YAA8B;AACjD,QAAI,OAAO,WAAW,YAAa,QAAO;AAC1C,QAAI,OAAO,OAAO,wBAAwB,YAAa,QAAO;AAC9D,QACE,OACE,OAAO,oBACP,oCAAoC,WAEtC,QAAO;AAET,WACE,OAAO,oBACP,iCAAiC;;GAwBrC,UAAU,OACR,SAM0B;IAC1B,MAAM,eAAe;KACnB,MAAM;KACN,OAAO,MAAM;KACb,UAAU,MAAM;KAChB,iBAAiB,MAAM;KACxB;IAGD,IAAI;AACJ,QAAI,MACF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MAAE,UAAU;MAAW,QAAQ;MAAc;KACpD,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACT,CAAC;AAGJ,QAAI,CAAC,aAAa,QAChB,OAAM,IAAI,MAAM,qDAAqD;IAGvE,MAAMC,YAAU,aAAa;IAG7B,MAAM,gBAA2C,EAC/C,WAAW;KACT,IAAIA,UAAQ;KACZ,MAAM;MACJ,IAAI,gBAAgBA,UAAQ,KAAK,GAAG,CAAC;MACrC,MAAMA,UAAQ,KAAK;MACnB,aAAaA,UAAQ,KAAK;MAC3B;KACD,WAAW,gBAAgBA,UAAQ,UAAU,CAAC;KAC9C,kBAAkBA,UAAQ;KAC1B,SAASA,UAAQ;KACjB,aAAaA,UAAQ;KACrB,wBAAwBA,UAAQ;KAChC,qBAAqBA,UAAQ,sBAAsB,EAAE,EAAE,KACpD,UAAe;MACd,MAAM,KAAK,QAAQ;MACnB,IAAI,gBAAgB,KAAK,GAAG,CAAC;MAC7B,YAAY,KAAK;MAClB,EACF;KACF,EACF;IAGD,MAAM,aAAc,MAAM,UAAU,YAAY,OAC9C,cACD;AACD,QAAI,CAAC,WACH,OAAM,IAAI,MAAM,qCAAqC;IAGvD,MAAM,WACJ,WAAW;IAGb,MAAM,aACJ,OAAO,SAAS,kBAAkB,aAC9B,SAAS,eAAe,GACxB;IAEN,MAAM,eAAe;KACnB,MAAM;KACN,gBAAgB,gBAAgB,SAAS,eAAe;KACxD,mBAAmB,gBAAgB,SAAS,kBAAkB;KAC9D;KACA,aAAa,MAAM;KACnB,OAAO,MAAM;KACd;IAGD,IAAI;AACJ,QAAI,MAGF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MACJ,UAAU;MACV,QAAQ;MACR,UAAU,aAAa;MACxB;KACF,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACR,UAAU,aAAa;KACxB,CAAC;AAGJ,QAAI,aAAa,QAAQ;AACvB,SAAI,MACF,OAAM,SAAS;MACb,aAAa;MACb,QACE,aAAa,WAAW,OACpB,OACA,EAAE,OAAO,aAAa,OAAO,OAAO;MAC3C,CAAC;SAEF,OAAM,SAAS;MACb,aAAa;MACb,QAAQ,aAAa;MACtB,CAAC;AAEJ,YAAO,EAAE,WAAW,MAAM;;AAE5B,WAAO,EAAE,WAAW,OAAO;;GA6B7B,cAAc,OACZ,SAC0B;IAC1B,MAAM,eAAe;KACnB,MAAM;KACN,OAAO,MAAM;KACd;IAGD,IAAI;AACJ,QAAI,MACF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MAAE,UAAU;MAAW,QAAQ;MAAc;KACpD,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACT,CAAC;AAGJ,QAAI,CAAC,aAAa,QAChB,OAAM,IAAI,MAAM,uDAAuD;IAGzE,MAAMA,YAAU,aAAa;IAG7B,MAAM,aAAuC;KAC3C,WAAW;MACT,WAAW,gBAAgBA,UAAQ,UAAU,CAAC;MAC9C,SAASA,UAAQ;MACjB,MAAMA,UAAQ;MACd,kBAAkBA,UAAQ;MAC1B,mBAAmBA,UAAQ,oBAAoB,EAAE,EAAE,KAChD,UAAe;OACd,MAAM,KAAK,QAAQ;OACnB,IAAI,gBAAgB,KAAK,GAAG,CAAC;OAC7B,YAAY,KAAK;OAClB,EACF;MACF;KACD,GAAI,MAAM,WAAW,EAAE,WAAW,eAAsB,GAAG,EAAE;KAC9D;IAGD,MAAM,aAAc,MAAM,UAAU,YAAY,IAC9C,WACD;AACD,QAAI,CAAC,WACH,OAAM,IAAI,MAAM,uCAAuC;IAGzD,MAAM,WACJ,WAAW;IAEb,MAAM,eAAe;KACnB,MAAM;KACN,cAAc,gBAAgB,WAAW,MAAM;KAC/C,gBAAgB,gBAAgB,SAAS,eAAe;KACxD,mBAAmB,gBAAgB,SAAS,kBAAkB;KAC9D,WAAW,gBAAgB,SAAS,UAAU;KAC/C;IAGD,IAAI;AACJ,QAAI,MACF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MACJ,UAAU;MACV,QAAQ;MACR,UAAU,aAAa;MACxB;KACF,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACR,UAAU,aAAa;KACxB,CAAC;AAGJ,QAAI,aAAa,QAAQ;AACvB,SAAI,MACF,OAAM,SAAS;MACb,aAAa;MACb,QACE,aAAa,WAAW,OACpB,OACA,EAAE,OAAO,aAAa,OAAO,OAAO;MAC3C,CAAC;SAEF,OAAM,SAAS;MACb,aAAa;MACb,QAAQ,aAAa;MACtB,CAAC;AAEJ,YAAO,EAAE,WAAW,MAAM;;AAE5B,WAAO,EAAE,WAAW,OAAO;;GAE9B;EAsQC,MApQW;GAYX,OAAO,OACL,SAC+E;IAC/E,MAAM,SAA8B,EAAE,MAAM,SAAS;AACrD,QAAI,MAAM,KAAM,QAAO,OAAO,KAAK;AACnC,QAAI,MAAM,YAAa,QAAO,cAAc,KAAK;AAEjD,QAAI,OAAO;KACT,MAAMD,WAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM;OAAE,UAAU;OAAQ;OAAQ;MACnC,CAAC;AACF,YAAO;MAAE,KAAKA,SAAO,UAAU;MAAK,QAAQA,SAAO,UAAU;MAAQ,UAAUA,SAAO;MAAU,QAAQA,SAAO,UAAU;MAAQ;;IAGnI,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV;KACD,CAAC;AACF,WAAO;KAAE,KAAK,OAAO,UAAU;KAAK,QAAQ,OAAO,UAAU;KAAQ,UAAU,OAAO;KAAU,QAAQ,OAAO,UAAU;KAAQ;;GAUnI,SAAS,OAAO,SAIK;IACnB,MAAM,SAA8B;KAClC,MAAM;KACN,MAAM,KAAK;KACX,QAAQ,KAAK;KACd;AAED,QAAI,OAAO;KACT,MAAMA,WAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM;OAAE,UAAU;OAAQ;OAAQ,UAAU,KAAK;OAAU;MAC5D,CAAC;AACF,SAAIA,SAAO,OACT,OAAM,SAAS;MACb,aAAa;MACb,QAAQA,SAAO,WAAW,OAAO,OAAO,EAAE,OAAOA,SAAO,OAAO,OAAO;MACvE,CAAC;AAEJ;;IAGF,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV;KACA,UAAU,KAAK;KAChB,CAAC;AACF,QAAI,OAAO,OACT,OAAM,SAAS;KACb,aAAa;KACb,QAAS,OAAO,UAAiC;KAClD,CAAC;;GAgBN,QAAQ,OAAO,SAA4D;IACzE,MAAM,SAA8B;KAClC,MAAM;KACN,MAAM,KAAK;KACZ;AAED,QAAI,OAAO;KACT,MAAMA,WAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM;OAAE,UAAU;OAAQ;OAAQ,UAAU,KAAK;OAAU;MAC5D,CAAC;AACF,SAAIA,SAAO,OACT,OAAM,SAAS;MACb,aAAa;MACb,QAAQA,SAAO,WAAW,OAAO,OAAO,EAAE,OAAOA,SAAO,OAAO,OAAO;MACvE,CAAC;AAEJ;;IAGF,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV;KACA,UAAU,KAAK;KAChB,CAAC;AACF,QAAI,OAAO,OACT,OAAM,SAAS;KACb,aAAa;KACb,QAAS,OAAO,UAAiC;KAClD,CAAC;;GAGP;EA2IC,QAzIa;GAoBb,MAAM,OAAO,SAA0C;IACrD,MAAM,aAAa,KAAK,WAAW;IACnC,MAAM,YAAY,KAAK,KAAK,GAAG,KAAK,YAAY;AAEhD,WAAO,KAAK,KAAK,GAAG,WAAW;AAC7B,WAAM,IAAI,SAAS,YAAY,WAAW,SAAS,WAAW,CAAC;AAE/D,SAAI;MACF,IAAI;MACJ,MAAM,SAA8B;OAClC,MAAM;OACN,YAAY,KAAK;OAClB;AAED,UAAI,MACF,UAAS,MAAM,WAAW;OACxB,QAAQ;OACR,MAAM;QAAE,UAAU;QAAU;QAAQ;OACrC,CAAC;UAEF,UAAS,MAAM,OAAO,OAAO,eAAsB;OACjD,UAAU;OACV;OACD,CAAC;AAIJ,UAAI,OAAO,QAAQ;AACjB,WAAI,MACF,OAAM,SAAS;QACb,aAAa;QACb,QACE,OAAO,WAAW,OACd,OACA,EAAE,OAAO,OAAO,OAAO,OAAO;QACrC,CAAC;WAEF,OAAM,SAAS;QACb,aAAa;QACb,QAAS,OAAO,UAAiC;QAClD,CAAC;AAEJ;;cAEK,GAAY;AAEnB,UAAI,aAAa,aAAa;OAE5B,MAAM,QADO,EAAE,MACK;AACpB,WAAI,UAAU,+BACZ;AAEF,WAAI,UAAU,oBAAoB;AAEhC,cAAM,IAAI,SAAS,YACjB,WAAW,SAAS,WAAW,CAChC;AACD;;;AAIJ,YAAM;;;AAIV,UAAM,IAAI,MAAM,kCAAkC;;GAgBpD,QAAQ,OAAO,aAAoC;IACjD,MAAM,SAA8B;KAClC,MAAM;KACN;KACD;AAED,QAAI,MACF,OAAM,WAAW;KACf,QAAQ;KACR,MAAM;MAAE,UAAU;MAAU;MAAQ;KACrC,CAAC;QAEF,OAAM,OAAO,OAAO,eAAsB;KACxC,UAAU;KACV;KACD,CAAC;;GAGP;EAmBA;;AAOH,eAAe,aACb,KACA,UACY;CACZ,MAAM,cAAe,YAAoB,WAAW;AACpD,QAAO,gBAAgB,SACnB,MAAM,YAAY,QAAQ,KAAK,SAAS,GACxC,MAAM,YAAY,KAAK,SAAS;;AAGtC,SAAS,cAAc,KAGrB;AACA,KAAK,WAAmB,wBAAwB,OAC9C,CAAC,WAAmB,sBAAsB,EAAE;CAQ9C,IAAI,QAAS,WAAmB,oBAAoB;AACpD,KAAI,UAAU,OACZ,CAAC,WAAmB,oBAAoB,OAAO;EAC7C,kBAAkB;EAClB,SAAS,EAAE;EACZ;AAEH,SAAS,WAAmB,oBAAoB;AAChD,QAAO;;AAGT,SAAS,cACP,KACA,OAIA;AACA,CAAC,WAAmB,oBAAoB,OAAO;;AAGjD,eAAe,wBACb,KACA,UACA;CACA,MAAM,QAAQ,cAAc,IAAI;AAChC,KAAI,MAAM,qBAAqB,KAC7B,eAAc,KAAK;EACjB,kBAAkB,UAAU,CAAC,cAAc;GACzC,MAAM,SAAS,cAAc,IAAI,CAAC,QAAQ,OAAO;AACjD,iBAAc,IAAI,CAAC,mBAAmB;AACtC,iBAAc,KAAK;IACjB,GAAG,cAAc,IAAI;IACrB,kBACE,WAAW,SAAY,OAAO,wBAAwB,KAAK,OAAO;IACrE,CAAC;IACF;EACF,SAAS,EAAE;EACZ,CAAC;KAEF,eAAc,KAAK;EACjB,GAAG;EACH,SAAS,CAAC,GAAG,MAAM,SAAS,SAAS;EACtC,CAAC;;AAIN,eAAe,YACb,KACA,UACY;AASZ,QARqB,IAAI,SAAY,SAAS,WAAW;EACvD,MAAM,wBAA6C;AACjD,UAAO,UAAU,CACd,MAAM,MAAM,QAAQ,EAAE,CAAC,CACvB,OAAO,MAAM,OAAO,EAAE,CAAC;;AAE5B,EAAK,wBAAwB,KAAK,gBAAgB;GAClD"}
+{"version":3,"file":"index.js","names":["url","result","options"],"sources":["../../src/client/index.ts"],"sourcesContent":["import { ConvexHttpClient } from \"convex/browser\";\nimport { ConvexError, Value } from \"convex/values\";\n\n// Re-export error utilities so consumers can import from `@robelest/convex-auth/client`.\nexport {\n  isAuthError,\n  parseAuthError,\n  AUTH_ERRORS,\n  type AuthErrorCode,\n} from \"../server/errors\";\n\n/**\n * Structural interface for any Convex client.\n * Satisfied by `ConvexClient` (`convex/browser`),\n * `ConvexReactClient` (`convex/react`), and similar transports.\n *\n * `clearAuth` is present on `ConvexReactClient` and `BaseConvexClient`\n * but not on the simplified `ConvexClient`. When available we call it\n * during sign-out for a clean deauthentication.\n */\ninterface ConvexTransport {\n  action(action: any, args: any): Promise<any>;\n  setAuth(\n    fetchToken: (args: {\n      forceRefreshToken: boolean;\n    }) => Promise<string | null | undefined>,\n    onChange?: (isAuthenticated: boolean) => void,\n  ): void;\n  clearAuth?(): void;\n}\n\n/** Pluggable key-value storage (defaults to `localStorage`). */\nexport interface Storage {\n  getItem(\n    key: string,\n  ): string | null | undefined | Promise<string | null | undefined>;\n  setItem(key: string, value: string): void | Promise<void>;\n  removeItem(key: string): void | Promise<void>;\n}\n\ntype AuthSession = {\n  token: string;\n  refreshToken: string;\n};\n\n/**\n * Device code response returned when signing in with the `\"device\"` provider.\n *\n * The device displays the `userCode` (or `verificationUriComplete`) and\n * polls via `auth.device.poll()` until the user authorizes.\n */\nexport type DeviceCodeResult = {\n  /** High-entropy device code used for polling (keep secret). */\n  deviceCode: string;\n  /** Short human-readable code the user enters (e.g. \"WDJB-MJHT\"). */\n  userCode: string;\n  /** Base verification URL (e.g. \"https://myapp.com/device\"). */\n  verificationUri: string;\n  /** Verification URL with user code pre-filled as `?code=XXXX-XXXX`. */\n  verificationUriComplete: string;\n  /** Lifetime of the codes in seconds. */\n  expiresIn: number;\n  /** Minimum polling interval in seconds. */\n  interval: number;\n};\n\n/**\n * Result of a `signIn` call.\n *\n * - `signingIn: true` — credentials were accepted and the user is authenticated.\n * - `redirect` — OAuth flow initiated; redirect the user to `redirect.toString()`.\n * - `totpRequired` — credentials valid but 2FA is needed; call `auth.totp.verify()`.\n * - `deviceCode` — device flow initiated; display the code and poll via `auth.device.poll()`.\n * - `verifier` — opaque string for multi-step flows (TOTP, passkey).\n */\nexport type SignInResult = {\n  /** `true` when sign-in completed and the user is authenticated. */\n  signingIn: boolean;\n  /** OAuth redirect URL. Present when the provider requires a browser redirect. */\n  redirect?: URL;\n  /** `true` when the account has TOTP enabled and a code is required. */\n  totpRequired?: boolean;\n  /** Device code response for the device authorization flow (RFC 8628). */\n  deviceCode?: DeviceCodeResult;\n  /** Opaque verifier for multi-step flows (pass to `totp.verify` or passkey phase 2). */\n  verifier?: string;\n};\n\n/** Reactive auth state snapshot returned by `auth.state` and `auth.onChange`. */\nexport type AuthState = {\n  /** `true` during initial hydration before the first token is resolved. */\n  isLoading: boolean;\n  /** `true` when a valid JWT exists (user is signed in). */\n  isAuthenticated: boolean;\n  /** The raw JWT string, or `null` when not authenticated. */\n  token: string | null;\n};\n\n/** Options for {@link client}. */\nexport type ClientOptions = {\n  /** Any Convex client (`ConvexClient` or `ConvexReactClient`). */\n  convex: ConvexTransport;\n  /**\n   * Convex deployment URL. Derived automatically from the client internals\n   * when omitted — pass explicitly only if auto-detection fails.\n   */\n  url?: string;\n  /**\n   * Key-value storage for persisting tokens.\n   *\n   * - Defaults to `localStorage` in SPA mode.\n   * - Defaults to `null` (in-memory only) when `proxy` is set,\n   *   since httpOnly cookies handle persistence.\n   */\n  storage?: Storage | null;\n  /** Override how the URL bar is updated after OAuth code exchange. */\n  replaceURL?: (relativeUrl: string) => void | Promise<void>;\n  /**\n   * SSR proxy endpoint (e.g. `\"/api/auth\"`).\n   *\n   * When set, `signIn`/`signOut`/token refresh POST to this URL\n   * (with `credentials: \"include\"`) instead of calling Convex directly.\n   * The server handles httpOnly cookies for token persistence.\n   *\n   * Pair with {@link ClientOptions.token} for flash-free SSR hydration.\n   */\n  proxy?: string;\n  /**\n   * JWT from server-side hydration.\n   *\n   * In proxy mode the server reads the JWT from an httpOnly cookie\n   * and passes it to the client during SSR. This avoids a loading\n   * flash on first render — the client is immediately authenticated.\n   */\n  token?: string | null;\n};\n\nconst VERIFIER_STORAGE_KEY = \"__convexAuthOAuthVerifier\";\nconst JWT_STORAGE_KEY = \"__convexAuthJWT\";\nconst REFRESH_TOKEN_STORAGE_KEY = \"__convexAuthRefreshToken\";\n\nconst RETRY_BACKOFF = [500, 2000];\nconst RETRY_JITTER = 100;\n\n/**\n * Resolve the Convex deployment URL from the client.\n *\n * `ConvexReactClient` exposes `.url` directly.\n * `ConvexClient` exposes `.client.url` via `BaseConvexClient`.\n */\nfunction resolveUrl(convex: ConvexTransport, explicit?: string): string {\n  if (explicit) return explicit;\n  const c = convex as any;\n  const url: unknown = c.url ?? c.client?.url;\n  if (typeof url === \"string\") return url;\n  throw new Error(\n    \"Could not determine Convex deployment URL. Pass `url` explicitly.\",\n  );\n}\n\n/**\n * Create a framework-agnostic auth client.\n *\n * Returns an object with `signIn`, `signOut`, `onChange`, `state`,\n * `passkey`, and `totp` — everything needed for client-side auth.\n *\n * ### SPA mode (default)\n *\n * ```ts\n * import { ConvexClient } from 'convex/browser';\n * import { client } from '@robelest/convex-auth/client';\n *\n * const convex = new ConvexClient(CONVEX_URL);\n * const auth = client({ convex });\n * ```\n *\n * ### SSR / proxy mode\n *\n * ```ts\n * const auth = client({\n *   convex,\n *   proxy: '/api/auth',\n *   token: tokenFromServer, // JWT read from httpOnly cookie during SSR\n * });\n * ```\n *\n * In proxy mode all auth operations go through the proxy URL.\n * Tokens are stored in httpOnly cookies server-side — the client\n * holds the JWT in memory only.\n *\n * @param options - Client configuration. See {@link ClientOptions}.\n * @returns Auth client with `signIn`, `signOut`, `onChange`, `state`, `passkey`, and `totp`.\n */\nexport function client(options: ClientOptions) {\n  const { convex, proxy } = options;\n\n  // In proxy mode, default storage to null (cookies handle persistence).\n  const storage =\n    options.storage !== undefined\n      ? options.storage\n      : proxy\n        ? null\n        : typeof window === \"undefined\"\n          ? null\n          : window.localStorage;\n\n  const replaceURL =\n    options.replaceURL ??\n    ((url: string) => {\n      if (typeof window !== \"undefined\") {\n        window.history.replaceState({}, \"\", url);\n      }\n    });\n\n  const url = proxy ? undefined : resolveUrl(convex, options.url);\n  const escapedNamespace = proxy\n    ? proxy.replace(/[^a-zA-Z0-9]/g, \"\")\n    : url!.replace(/[^a-zA-Z0-9]/g, \"\");\n  const key = (name: string) => `${name}_${escapedNamespace}`;\n  const subscribers = new Set<() => void>();\n  let disposeStorageListener: (() => void) | null = null;\n\n  // Unauthenticated HTTP client for code verification & OAuth exchange.\n  // Only needed in SPA mode — proxy mode routes everything through the proxy.\n  const httpClient = proxy ? null : new ConvexHttpClient(url!);\n\n  // ---------------------------------------------------------------------------\n  // State\n  // ---------------------------------------------------------------------------\n\n  // If a server-provided token was supplied (SSR hydration), start authenticated.\n  const serverToken =\n    typeof options.token === \"string\" && options.token.trim().length > 0\n      ? options.token\n      : null;\n  const hasServerToken = serverToken !== null;\n\n  let token: string | null = serverToken;\n  let isLoading = !hasServerToken;\n  let snapshot: AuthState = {\n    isLoading,\n    isAuthenticated: hasServerToken,\n    token,\n  };\n  let handlingCodeFlow = false;\n\n  const notify = () => {\n    for (const cb of subscribers) cb();\n  };\n\n  const updateSnapshot = () => {\n    const next: AuthState = {\n      isLoading,\n      isAuthenticated: token !== null,\n      token,\n    };\n    if (\n      snapshot.isLoading === next.isLoading &&\n      snapshot.isAuthenticated === next.isAuthenticated &&\n      snapshot.token === next.token\n    ) {\n      return false;\n    }\n    snapshot = next;\n    return true;\n  };\n\n  // ---------------------------------------------------------------------------\n  // Storage helpers (SPA mode only)\n  // ---------------------------------------------------------------------------\n\n  const storageGet = async (name: string) => {\n    if (!storage) {\n      return null;\n    }\n    try {\n      return (await storage.getItem(key(name))) ?? null;\n    } catch (error) {\n      console.error(`[convex-auth] Failed to read ${name} from storage:`, error);\n      return null;\n    }\n  };\n  const storageSet = async (name: string, value: string) => {\n    if (!storage) {\n      return;\n    }\n    try {\n      await storage.setItem(key(name), value);\n    } catch (error) {\n      console.error(`[convex-auth] Failed to write ${name} to storage:`, error);\n    }\n  };\n  const storageRemove = async (name: string) => {\n    if (!storage) {\n      return;\n    }\n    try {\n      await storage.removeItem(key(name));\n    } catch (error) {\n      console.error(`[convex-auth] Failed to remove ${name} from storage:`, error);\n    }\n  };\n\n  // ---------------------------------------------------------------------------\n  // Token management\n  // ---------------------------------------------------------------------------\n\n  const setToken = async (\n    args:\n      | { shouldStore: true; tokens: AuthSession | null }\n      | { shouldStore: false; tokens: { token: string } | null },\n  ) => {\n    if (args.tokens === null) {\n      token = null;\n      if (args.shouldStore) {\n        await storageRemove(JWT_STORAGE_KEY);\n        await storageRemove(REFRESH_TOKEN_STORAGE_KEY);\n      }\n    } else {\n      token = args.tokens.token;\n      if (args.shouldStore && \"refreshToken\" in args.tokens) {\n        await storageSet(JWT_STORAGE_KEY, args.tokens.token);\n        await storageSet(REFRESH_TOKEN_STORAGE_KEY, args.tokens.refreshToken);\n      }\n    }\n    const hadPendingLoad = isLoading;\n    isLoading = false;\n    const changed = updateSnapshot();\n    if (hadPendingLoad || changed) {\n      // Re-sync the Convex client so it picks up the new token immediately.\n      // Without this, the initial convex.setAuth(fetchAccessToken) from\n      // initialization never re-polls and queries run unauthenticated after\n      // magic link code exchange.\n      convex.setAuth(fetchAccessToken);\n      notify();\n    }\n  };\n\n  // ---------------------------------------------------------------------------\n  // Proxy fetch helper\n  // ---------------------------------------------------------------------------\n\n  const proxyFetch = async (body: Record<string, unknown>) => {\n    const response = await fetch(proxy!, {\n      method: \"POST\",\n      headers: { \"Content-Type\": \"application/json\" },\n      credentials: \"include\",\n      body: JSON.stringify(body),\n    });\n    if (!response.ok) {\n      const errorBody = await response.json().catch(() => ({} as Record<string, unknown>));\n      // Reconstruct ConvexError when the proxy forwards structured auth error data.\n      if (\n        typeof errorBody === \"object\" &&\n        errorBody !== null &&\n        \"authError\" in errorBody &&\n        typeof (errorBody as Record<string, unknown>).authError === \"object\"\n      ) {\n        throw new ConvexError((errorBody as Record<string, unknown>).authError as Value);\n      }\n      throw new Error(\n        (errorBody as Record<string, unknown>).error as string ??\n          `Proxy request failed: ${response.status}`,\n      );\n    }\n    try {\n      return await response.json();\n    } catch {\n      throw new Error(\"Proxy response was not valid JSON\");\n    }\n  };\n\n  // ---------------------------------------------------------------------------\n  // Code verification with retries (SPA mode only)\n  // ---------------------------------------------------------------------------\n\n  const verifyCode = async (\n    args: { code: string; verifier?: string } | { refreshToken: string },\n  ) => {\n    let lastError: unknown;\n    let retry = 0;\n    while (retry < RETRY_BACKOFF.length) {\n      try {\n        return await httpClient!.action(\n          \"auth:signIn\" as any,\n          \"code\" in args\n            ? { params: { code: args.code }, verifier: args.verifier }\n            : args,\n        );\n      } catch (e) {\n        lastError = e;\n        const isNetworkError =\n          e instanceof TypeError ||\n          (e instanceof Error &&\n            /(network|fetch|load failed|failed to fetch)/i.test(\n              e.message || \"\",\n            ));\n        if (!isNetworkError) break;\n        const wait = RETRY_BACKOFF[retry]! + RETRY_JITTER * Math.random();\n        retry++;\n        await new Promise((resolve) => setTimeout(resolve, wait));\n      }\n    }\n    throw lastError;\n  };\n\n  const verifyCodeAndSetToken = async (\n    args: { code: string; verifier?: string } | { refreshToken: string },\n  ) => {\n    const { tokens } = await verifyCode(args);\n    await setToken({\n      shouldStore: true,\n      tokens: (tokens as AuthSession | null) ?? null,\n    });\n    return tokens !== null;\n  };\n\n  // ---------------------------------------------------------------------------\n  // signIn\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Sign in with a provider.\n   *\n   * @param provider - Provider ID (e.g. `\"email\"`, `\"password\"`, `\"google\"`).\n   *   Omit when exchanging an OAuth code (the code carries the provider info).\n   * @param args - Provider-specific arguments. Pass a `Record<string, Value>`\n   *   or `FormData`. Common fields: `email`, `password`, `code`, `redirectTo`.\n   * @returns A {@link SignInResult} indicating the outcome.\n   *\n   * @example Email magic link\n   * ```ts\n   * await auth.signIn('email', { email: 'user@example.com' });\n   * ```\n   *\n   * @example Password\n   * ```ts\n   * const result = await auth.signIn('password', { email, password, flow: 'signIn' });\n   * if (result.totpRequired) {\n   *   await auth.totp.verify({ code: totpCode, verifier: result.verifier! });\n   * }\n   * ```\n   *\n   * @example OAuth (triggers redirect)\n   * ```ts\n   * await auth.signIn('google'); // redirects to Google\n   * ```\n   */\n  const signIn = async (\n    provider?: string,\n    args?: FormData | Record<string, Value>,\n  ): Promise<SignInResult> => {\n    const params =\n      args instanceof FormData\n        ? Array.from(args.entries()).reduce(\n            (acc, [k, v]) => {\n              acc[k] = v as string;\n              return acc;\n            },\n            {} as Record<string, string>,\n          )\n        : args ?? {};\n\n    if (proxy) {\n      // Proxy mode: POST to the proxy endpoint.\n      const result = await proxyFetch({\n        action: \"auth:signIn\",\n        args: { provider, params },\n      });\n      if (result.redirect !== undefined) {\n        const redirectUrl = new URL(result.redirect);\n        // Verifier is stored server-side in an httpOnly cookie.\n        if (typeof window !== \"undefined\") {\n          window.location.href = redirectUrl.toString();\n        }\n        return { signingIn: false, redirect: redirectUrl };\n      }\n      if (result.totpRequired) {\n        return { signingIn: false, totpRequired: true, verifier: result.verifier };\n      }\n      if (result.deviceCode !== undefined) {\n        return { signingIn: false, deviceCode: result.deviceCode as DeviceCodeResult };\n      }\n      if (result.tokens !== undefined) {\n        // Proxy returns { token, refreshToken: \"dummy\" }.\n        // Store JWT in memory only — real refresh token is in httpOnly cookie.\n        await setToken({\n          shouldStore: false,\n          tokens:\n            result.tokens === null ? null : { token: result.tokens.token },\n        });\n        return { signingIn: result.tokens !== null };\n      }\n      return { signingIn: false };\n    }\n\n    // SPA mode: call Convex directly.\n    const verifier = (await storageGet(VERIFIER_STORAGE_KEY)) ?? undefined;\n    await storageRemove(VERIFIER_STORAGE_KEY);\n    const result = await convex.action(\"auth:signIn\" as any, {\n      provider,\n      params,\n      verifier,\n    });\n    if (result.redirect !== undefined) {\n      const redirectUrl = new URL(result.redirect);\n      await storageSet(VERIFIER_STORAGE_KEY, result.verifier!);\n      if (typeof window !== \"undefined\") {\n        window.location.href = redirectUrl.toString();\n      }\n      return { signingIn: false, redirect: redirectUrl };\n    }\n    if (result.totpRequired) {\n      return { signingIn: false, totpRequired: true, verifier: result.verifier };\n    }\n    if (result.deviceCode !== undefined) {\n      return { signingIn: false, deviceCode: result.deviceCode as DeviceCodeResult };\n    }\n    if (result.tokens !== undefined) {\n      await setToken({\n        shouldStore: true,\n        tokens: (result.tokens as AuthSession | null) ?? null,\n      });\n      return { signingIn: result.tokens !== null };\n    }\n    return { signingIn: false };\n  };\n\n  // ---------------------------------------------------------------------------\n  // signOut\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Sign out the current user.\n   *\n   * Invalidates the server session and clears local token state.\n   * Errors are silently caught — calling `signOut` on an already\n   * signed-out user is a no-op.\n   */\n  const signOut = async () => {\n    if (proxy) {\n      try {\n        await proxyFetch({ action: \"auth:signOut\", args: {} });\n      } catch {\n        // Already signed out is fine.\n      }\n      await setToken({ shouldStore: false, tokens: null });\n      if (convex.clearAuth) convex.clearAuth();\n      return;\n    }\n\n    // SPA mode.\n    try {\n      await convex.action(\"auth:signOut\" as any, {});\n    } catch {\n      // Already signed out is fine.\n    }\n    await setToken({ shouldStore: true, tokens: null });\n    if (convex.clearAuth) convex.clearAuth();\n  };\n\n  // ---------------------------------------------------------------------------\n  // fetchAccessToken — called by convex.setAuth()\n  // ---------------------------------------------------------------------------\n\n  const fetchAccessToken = async ({\n    forceRefreshToken,\n  }: {\n    forceRefreshToken: boolean;\n  }): Promise<string | null> => {\n    if (!forceRefreshToken) return token;\n\n    if (proxy) {\n      // Proxy mode: POST to the proxy to refresh.\n      // The proxy reads the real refresh token from the httpOnly cookie.\n      const tokenBeforeRefresh = token;\n      return await browserMutex(\"__convexAuthProxyRefresh\", async () => {\n        // Another tab/call may have already refreshed.\n        if (token !== tokenBeforeRefresh) return token;\n        try {\n          const result = await proxyFetch({\n            action: \"auth:signIn\",\n            args: { refreshToken: true },\n          });\n          if (result.tokens) {\n            await setToken({\n              shouldStore: false,\n              tokens: { token: result.tokens.token },\n            });\n          } else {\n            await setToken({ shouldStore: false, tokens: null });\n          }\n        } catch {\n          await setToken({ shouldStore: false, tokens: null });\n        }\n        return token;\n      });\n    }\n\n    // SPA mode: refresh via localStorage + httpClient.\n    const tokenBeforeLockAcquisition = token;\n    return await browserMutex(REFRESH_TOKEN_STORAGE_KEY, async () => {\n      const tokenAfterLockAcquisition = token;\n      if (tokenAfterLockAcquisition !== tokenBeforeLockAcquisition) {\n        return tokenAfterLockAcquisition;\n      }\n      const refreshToken =\n        (await storageGet(REFRESH_TOKEN_STORAGE_KEY)) ?? null;\n      if (!refreshToken) {\n        return null;\n      }\n      await verifyCodeAndSetToken({ refreshToken });\n      return token;\n    });\n  };\n\n  // ---------------------------------------------------------------------------\n  // OAuth code flow (SPA mode only — server handles this in proxy mode)\n  // ---------------------------------------------------------------------------\n\n  const handleCodeFlow = async () => {\n    if (typeof window === \"undefined\") return;\n    if (handlingCodeFlow) return;\n    const code = new URLSearchParams(window.location.search).get(\"code\");\n    if (!code) return;\n    handlingCodeFlow = true;\n    const codeUrl = new URL(window.location.href);\n    codeUrl.searchParams.delete(\"code\");\n    try {\n      await replaceURL(codeUrl.pathname + codeUrl.search + codeUrl.hash);\n      await signIn(undefined, { code });\n    } finally {\n      handlingCodeFlow = false;\n    }\n  };\n\n  // ---------------------------------------------------------------------------\n  // Hydrate from storage (SPA mode only)\n  // ---------------------------------------------------------------------------\n\n  const hydrateFromStorage = async () => {\n    const storedToken = (await storageGet(JWT_STORAGE_KEY)) ?? null;\n    await setToken({\n      shouldStore: false,\n      tokens: storedToken === null ? null : { token: storedToken },\n    });\n  };\n\n  // ---------------------------------------------------------------------------\n  // Subscribe\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Subscribe to auth state changes. Invokes the callback immediately\n   * with the current state, then again on every state transition.\n   *\n   * ```ts\n   * const unsub = auth.onChange(setState);\n   * ```\n   *\n   * @param cb - Callback receiving the latest {@link AuthState}.\n   * @returns An unsubscribe function.\n   */\n  const onChange = (cb: (state: AuthState) => void): (() => void) => {\n    cb(snapshot);\n    const wrapped = () => cb(snapshot);\n    subscribers.add(wrapped);\n    return () => {\n      subscribers.delete(wrapped);\n    };\n  };\n\n  // ---------------------------------------------------------------------------\n  // Initialization\n  // ---------------------------------------------------------------------------\n\n  // Cross-tab sync via storage events (SPA mode only).\n  if (!proxy && typeof window !== \"undefined\") {\n    const registryKey = key(JWT_STORAGE_KEY);\n    const registry = getStorageListenerRegistry();\n    const existingListener = registry[registryKey];\n    if (existingListener !== undefined) {\n      window.removeEventListener(\"storage\", existingListener);\n    }\n\n    const onStorage = (event: StorageEvent) => {\n      void (async () => {\n        if (event.key !== key(JWT_STORAGE_KEY)) return;\n        await setToken({\n          shouldStore: false,\n          tokens:\n            event.newValue === null ? null : { token: event.newValue },\n        });\n      })();\n    };\n    window.addEventListener(\"storage\", onStorage);\n    registry[registryKey] = onStorage;\n    disposeStorageListener = () => {\n      if (registry[registryKey] === onStorage) {\n        delete registry[registryKey];\n      }\n      window.removeEventListener(\"storage\", onStorage);\n    };\n  }\n\n  // Auto-wire: feed our tokens into the Convex client so\n  // queries and mutations are automatically authenticated.\n  convex.setAuth(fetchAccessToken);\n\n  // Auto-hydrate and handle code flow.\n  if (typeof window !== \"undefined\") {\n    if (proxy) {\n      // Proxy mode: if no initialToken was provided, try a refresh\n      // to pick up any existing session from httpOnly cookies.\n      if (!hasServerToken) {\n        void fetchAccessToken({ forceRefreshToken: true }).catch(\n          (error: unknown) => {\n            console.error(\"[convex-auth] Proxy token refresh failed:\", error);\n          },\n        );\n      } else {\n        // initialToken already set — mark loading as done.\n        isLoading = false;\n        updateSnapshot();\n      }\n    } else {\n      // SPA mode: hydrate from localStorage, then handle OAuth code flow.\n      void (async () => {\n        try {\n          await hydrateFromStorage();\n          await handleCodeFlow();\n        } catch (error: unknown) {\n          console.error(\"[convex-auth] Client initialization failed:\", error);\n          await setToken({ shouldStore: false, tokens: null });\n        }\n      })();\n    }\n  }\n\n  // ---------------------------------------------------------------------------\n  // Passkey helpers\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Base64url encode/decode helpers for the WebAuthn credential API.\n   * These run client-side only (browser context).\n   */\n  const base64urlEncode = (buffer: ArrayBuffer): string => {\n    const bytes = new Uint8Array(buffer);\n    let binary = \"\";\n    for (let i = 0; i < bytes.byteLength; i++) {\n      binary += String.fromCharCode(bytes[i]!);\n    }\n    return btoa(binary).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n  };\n\n  const base64urlDecode = (str: string): Uint8Array => {\n    const padded = str.replace(/-/g, \"+\").replace(/_/g, \"/\");\n    const binary = atob(padded);\n    const bytes = new Uint8Array(binary.length);\n    for (let i = 0; i < binary.length; i++) {\n      bytes[i] = binary.charCodeAt(i);\n    }\n    return bytes;\n  };\n\n  const passkey = {\n    /**\n     * Check if WebAuthn passkeys are supported in the current environment.\n     */\n    isSupported: (): boolean => {\n      return (\n        typeof window !== \"undefined\" &&\n        typeof window.PublicKeyCredential !== \"undefined\"\n      );\n    },\n\n    /**\n     * Check if conditional UI (autofill-assisted passkey sign-in) is supported.\n     *\n     * ```ts\n     * if (await auth.passkey.isAutofillSupported()) {\n     *   auth.passkey.authenticate({ autofill: true });\n     * }\n     * ```\n     */\n    isAutofillSupported: async (): Promise<boolean> => {\n      if (typeof window === \"undefined\") return false;\n      if (typeof window.PublicKeyCredential === \"undefined\") return false;\n      if (\n        typeof (\n          window.PublicKeyCredential as any\n        ).isConditionalMediationAvailable !== \"function\"\n      ) {\n        return false;\n      }\n      return (\n        window.PublicKeyCredential as any\n      ).isConditionalMediationAvailable();\n    },\n\n    /**\n     * Register a new passkey for the current or new user.\n     *\n     * Performs the full two-round-trip WebAuthn registration ceremony:\n     * 1. Requests creation options from the server (challenge, RP info)\n     * 2. Calls `navigator.credentials.create()` with the options\n     * 3. Sends the attestation back to the server for verification\n     * 4. Server creates user + account + passkey records and returns tokens\n     *\n     * Works in both SPA and proxy (SSR) modes.\n     *\n     * ```ts\n     * await auth.passkey.register({ name: \"MacBook Touch ID\" });\n     * ```\n     *\n     * @param opts.name - Friendly name for this passkey\n     * @param opts.email - Email to associate with the new account\n     * @param opts.userName - Username for the credential (defaults to email)\n     * @param opts.userDisplayName - Display name for the credential\n     * @returns `{ signingIn: true }` on success\n     */\n    register: async (\n      opts?: {\n        name?: string;\n        email?: string;\n        userName?: string;\n        userDisplayName?: string;\n      },\n    ): Promise<SignInResult> => {\n      const phase1Params = {\n        flow: \"register-options\",\n        email: opts?.email,\n        userName: opts?.userName,\n        userDisplayName: opts?.userDisplayName,\n      };\n\n      // Phase 1: Get registration options from server\n      let phase1Result: any;\n      if (proxy) {\n        phase1Result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: { provider: \"passkey\", params: phase1Params },\n        });\n      } else {\n        phase1Result = await convex.action(\"auth:signIn\" as any, {\n          provider: \"passkey\",\n          params: phase1Params,\n        });\n      }\n\n      if (!phase1Result.options) {\n        throw new Error(\"Server did not return passkey registration options\");\n      }\n\n      const options = phase1Result.options;\n\n      // Convert base64url strings to ArrayBuffers for the credential API\n      const createOptions: CredentialCreationOptions = {\n        publicKey: {\n          rp: options.rp,\n          user: {\n            id: base64urlDecode(options.user.id).buffer as ArrayBuffer,\n            name: options.user.name,\n            displayName: options.user.displayName,\n          },\n          challenge: base64urlDecode(options.challenge).buffer as ArrayBuffer,\n          pubKeyCredParams: options.pubKeyCredParams,\n          timeout: options.timeout,\n          attestation: options.attestation,\n          authenticatorSelection: options.authenticatorSelection,\n          excludeCredentials: (options.excludeCredentials ?? []).map(\n            (cred: any) => ({\n              type: cred.type ?? \"public-key\",\n              id: base64urlDecode(cred.id).buffer as ArrayBuffer,\n              transports: cred.transports,\n            }),\n          ),\n        },\n      };\n\n      // Phase 2: Create credential via browser API\n      const credential = (await navigator.credentials.create(\n        createOptions,\n      )) as PublicKeyCredential | null;\n      if (!credential) {\n        throw new Error(\"Passkey registration was cancelled\");\n      }\n\n      const response =\n        credential.response as AuthenticatorAttestationResponse;\n\n      // Extract transports if available\n      const transports =\n        typeof response.getTransports === \"function\"\n          ? response.getTransports()\n          : undefined;\n\n      const phase2Params = {\n        flow: \"register-verify\",\n        clientDataJSON: base64urlEncode(response.clientDataJSON),\n        attestationObject: base64urlEncode(response.attestationObject),\n        transports,\n        passkeyName: opts?.name,\n        email: opts?.email,\n      };\n\n      // Phase 3: Send attestation to server for verification\n      let phase2Result: any;\n      if (proxy) {\n        // In proxy mode the verifier is stored in an httpOnly cookie by the proxy.\n        // We pass it back explicitly so the proxy can forward it to Convex.\n        phase2Result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: {\n            provider: \"passkey\",\n            params: phase2Params,\n            verifier: phase1Result.verifier,\n          },\n        });\n      } else {\n        phase2Result = await convex.action(\"auth:signIn\" as any, {\n          provider: \"passkey\",\n          params: phase2Params,\n          verifier: phase1Result.verifier,\n        });\n      }\n\n      if (phase2Result.tokens) {\n        if (proxy) {\n          await setToken({\n            shouldStore: false,\n            tokens:\n              phase2Result.tokens === null\n                ? null\n                : { token: phase2Result.tokens.token },\n          });\n        } else {\n          await setToken({\n            shouldStore: true,\n            tokens: phase2Result.tokens as AuthSession,\n          });\n        }\n        return { signingIn: true };\n      }\n      return { signingIn: false };\n    },\n\n    /**\n     * Authenticate with an existing passkey.\n     *\n     * Performs the full two-round-trip WebAuthn authentication ceremony:\n     * 1. Requests assertion options from the server (challenge, allowed credentials)\n     * 2. Calls `navigator.credentials.get()` with the options\n     * 3. Sends the assertion back to the server for signature verification\n     * 4. Server verifies signature, updates counter, creates session, returns tokens\n     *\n     * Works in both SPA and proxy (SSR) modes.\n     *\n     * ```ts\n     * // Discoverable credential (no email needed)\n     * await auth.passkey.authenticate();\n     *\n     * // Scoped to a specific user's credentials\n     * await auth.passkey.authenticate({ email: \"user@example.com\" });\n     *\n     * // Autofill-assisted (conditional UI)\n     * await auth.passkey.authenticate({ autofill: true });\n     * ```\n     *\n     * @param opts.email - Scope to credentials for this email's user\n     * @param opts.autofill - Use conditional mediation (autofill UI)\n     * @returns `{ signingIn: true }` on success\n     */\n    authenticate: async (\n      opts?: { email?: string; autofill?: boolean },\n    ): Promise<SignInResult> => {\n      const phase1Params = {\n        flow: \"auth-options\",\n        email: opts?.email,\n      };\n\n      // Phase 1: Get assertion options from server\n      let phase1Result: any;\n      if (proxy) {\n        phase1Result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: { provider: \"passkey\", params: phase1Params },\n        });\n      } else {\n        phase1Result = await convex.action(\"auth:signIn\" as any, {\n          provider: \"passkey\",\n          params: phase1Params,\n        });\n      }\n\n      if (!phase1Result.options) {\n        throw new Error(\"Server did not return passkey authentication options\");\n      }\n\n      const options = phase1Result.options;\n\n      // Convert base64url strings to ArrayBuffers for the credential API\n      const getOptions: CredentialRequestOptions = {\n        publicKey: {\n          challenge: base64urlDecode(options.challenge).buffer as ArrayBuffer,\n          timeout: options.timeout,\n          rpId: options.rpId,\n          userVerification: options.userVerification,\n          allowCredentials: (options.allowCredentials ?? []).map(\n            (cred: any) => ({\n              type: cred.type ?? \"public-key\",\n              id: base64urlDecode(cred.id).buffer as ArrayBuffer,\n              transports: cred.transports,\n            }),\n          ),\n        },\n        ...(opts?.autofill ? { mediation: \"conditional\" as any } : {}),\n      };\n\n      // Phase 2: Get credential via browser API\n      const credential = (await navigator.credentials.get(\n        getOptions,\n      )) as PublicKeyCredential | null;\n      if (!credential) {\n        throw new Error(\"Passkey authentication was cancelled\");\n      }\n\n      const response =\n        credential.response as AuthenticatorAssertionResponse;\n\n      const phase2Params = {\n        flow: \"auth-verify\",\n        credentialId: base64urlEncode(credential.rawId),\n        clientDataJSON: base64urlEncode(response.clientDataJSON),\n        authenticatorData: base64urlEncode(response.authenticatorData),\n        signature: base64urlEncode(response.signature),\n      };\n\n      // Phase 3: Send assertion to server for verification\n      let phase2Result: any;\n      if (proxy) {\n        phase2Result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: {\n            provider: \"passkey\",\n            params: phase2Params,\n            verifier: phase1Result.verifier,\n          },\n        });\n      } else {\n        phase2Result = await convex.action(\"auth:signIn\" as any, {\n          provider: \"passkey\",\n          params: phase2Params,\n          verifier: phase1Result.verifier,\n        });\n      }\n\n      if (phase2Result.tokens) {\n        if (proxy) {\n          await setToken({\n            shouldStore: false,\n            tokens:\n              phase2Result.tokens === null\n                ? null\n                : { token: phase2Result.tokens.token },\n          });\n        } else {\n          await setToken({\n            shouldStore: true,\n            tokens: phase2Result.tokens as AuthSession,\n          });\n        }\n        return { signingIn: true };\n      }\n      return { signingIn: false };\n    },\n  };\n\n  const totp = {\n    /**\n     * Start TOTP enrollment. Must be authenticated.\n     *\n     * Returns a URI for QR code display and a base32 secret for manual entry.\n     *\n     * ```ts\n     * const setup = await auth.totp.setup();\n     * // Display QR code from setup.uri\n     * // Or show setup.secret for manual entry\n     * ```\n     */\n    setup: async (\n      opts?: { name?: string; accountName?: string },\n    ): Promise<{ uri: string; secret: string; verifier: string; totpId: string }> => {\n      const params: Record<string, any> = { flow: \"setup\" };\n      if (opts?.name) params.name = opts.name;\n      if (opts?.accountName) params.accountName = opts.accountName;\n\n      if (proxy) {\n        const result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: { provider: \"totp\", params },\n        });\n        return { uri: result.totpSetup.uri, secret: result.totpSetup.secret, verifier: result.verifier, totpId: result.totpSetup.totpId };\n      }\n\n      const result = await convex.action(\"auth:signIn\" as any, {\n        provider: \"totp\",\n        params,\n      });\n      return { uri: result.totpSetup.uri, secret: result.totpSetup.secret, verifier: result.verifier, totpId: result.totpSetup.totpId };\n    },\n\n    /**\n     * Complete TOTP enrollment by verifying the first code from the authenticator app.\n     *\n     * ```ts\n     * await auth.totp.confirm({ code: \"123456\", verifier: setup.verifier, totpId: setup.totpId });\n     * ```\n     */\n    confirm: async (opts: {\n      code: string;\n      verifier: string;\n      totpId: string;\n    }): Promise<void> => {\n      const params: Record<string, any> = {\n        flow: \"confirm\",\n        code: opts.code,\n        totpId: opts.totpId,\n      };\n\n      if (proxy) {\n        const result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: { provider: \"totp\", params, verifier: opts.verifier },\n        });\n        if (result.tokens) {\n          await setToken({\n            shouldStore: false,\n            tokens: result.tokens === null ? null : { token: result.tokens.token },\n          });\n        }\n        return;\n      }\n\n      const result = await convex.action(\"auth:signIn\" as any, {\n        provider: \"totp\",\n        params,\n        verifier: opts.verifier,\n      });\n      if (result.tokens) {\n        await setToken({\n          shouldStore: true,\n          tokens: (result.tokens as AuthSession | null) ?? null,\n        });\n      }\n    },\n\n    /**\n     * Complete 2FA verification during sign-in.\n     *\n     * Called after a credentials sign-in returns `totpRequired: true`.\n     *\n     * ```ts\n     * const result = await auth.signIn(\"password\", { email, password });\n     * if (result.totpRequired) {\n     *   await auth.totp.verify({ code: \"123456\", verifier: result.verifier! });\n     * }\n     * ```\n     */\n    verify: async (opts: { code: string; verifier: string }): Promise<void> => {\n      const params: Record<string, any> = {\n        flow: \"verify\",\n        code: opts.code,\n      };\n\n      if (proxy) {\n        const result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: { provider: \"totp\", params, verifier: opts.verifier },\n        });\n        if (result.tokens) {\n          await setToken({\n            shouldStore: false,\n            tokens: result.tokens === null ? null : { token: result.tokens.token },\n          });\n        }\n        return;\n      }\n\n      const result = await convex.action(\"auth:signIn\" as any, {\n        provider: \"totp\",\n        params,\n        verifier: opts.verifier,\n      });\n      if (result.tokens) {\n        await setToken({\n          shouldStore: true,\n          tokens: (result.tokens as AuthSession | null) ?? null,\n        });\n      }\n    },\n  };\n\n  const device = {\n    /**\n     * Poll for device authorization status.\n     *\n     * The device calls this repeatedly (respecting `interval`) after\n     * initiating a device flow via `signIn(\"device\")`. Returns when\n     * the user authorizes, or throws on timeout/denial.\n     *\n     * ```ts\n     * const result = await auth.signIn(\"device\");\n     * const { deviceCode } = result;\n     * // Display deviceCode.userCode to the user, then poll:\n     * await auth.device.poll(deviceCode);\n     * // User is now signed in\n     * ```\n     *\n     * @param code - The {@link DeviceCodeResult} from `signIn(\"device\")`.\n     * @returns Resolves when the device is authorized and tokens are stored.\n     * @throws When the code expires, is denied, or polling encounters an error.\n     */\n    poll: async (code: DeviceCodeResult): Promise<void> => {\n      const intervalMs = code.interval * 1000;\n      const expiresAt = Date.now() + code.expiresIn * 1000;\n\n      while (Date.now() < expiresAt) {\n        await new Promise((resolve) => setTimeout(resolve, intervalMs));\n\n        try {\n          let result: any;\n          const params: Record<string, any> = {\n            flow: \"poll\",\n            deviceCode: code.deviceCode,\n          };\n\n          if (proxy) {\n            result = await proxyFetch({\n              action: \"auth:signIn\",\n              args: { provider: \"device\", params },\n            });\n          } else {\n            result = await convex.action(\"auth:signIn\" as any, {\n              provider: \"device\",\n              params,\n            });\n          }\n\n          // Authorized — tokens received\n          if (result.tokens) {\n            if (proxy) {\n              await setToken({\n                shouldStore: false,\n                tokens:\n                  result.tokens === null\n                    ? null\n                    : { token: result.tokens.token },\n              });\n            } else {\n              await setToken({\n                shouldStore: true,\n                tokens: (result.tokens as AuthSession | null) ?? null,\n              });\n            }\n            return;\n          }\n        } catch (e: unknown) {\n          // Handle expected polling errors\n          if (e instanceof ConvexError) {\n            const data = e.data as Record<string, unknown>;\n            const code_ = data?.code as string | undefined;\n            if (code_ === \"DEVICE_AUTHORIZATION_PENDING\") {\n              continue; // Keep polling\n            }\n            if (code_ === \"DEVICE_SLOW_DOWN\") {\n              // Back off by adding one interval\n              await new Promise((resolve) =>\n                setTimeout(resolve, intervalMs),\n              );\n              continue;\n            }\n          }\n          // Non-recoverable error — rethrow\n          throw e;\n        }\n      }\n\n      throw new Error(\"Device authorization timed out.\");\n    },\n\n    /**\n     * Authorize a device from the verification page.\n     *\n     * Called by an authenticated user on the verification page after\n     * they enter the user code displayed on the device.\n     *\n     * ```ts\n     * // On the /device verification page:\n     * await auth.device.verify(userCode);\n     * ```\n     *\n     * @param userCode - The user code entered by the user (e.g. \"WDJB-MJHT\").\n     */\n    verify: async (userCode: string): Promise<void> => {\n      const params: Record<string, any> = {\n        flow: \"verify\",\n        userCode,\n      };\n\n      if (proxy) {\n        await proxyFetch({\n          action: \"auth:signIn\",\n          args: { provider: \"device\", params },\n        });\n      } else {\n        await convex.action(\"auth:signIn\" as any, {\n          provider: \"device\",\n          params,\n        });\n      }\n    },\n  };\n\n  return {\n    /** Current auth state snapshot. */\n    get state(): AuthState {\n      return snapshot;\n    },\n    /** Sign in with a provider. See {@link SignInResult} for return shape. */\n    signIn,\n    /** Sign out and clear all token state. */\n    signOut,\n    /** Subscribe to auth state changes. Returns an unsubscribe function. */\n    onChange,\n    /** Passkey (WebAuthn) authentication helpers. */\n    passkey,\n    /** TOTP two-factor authentication helpers. */\n    totp,\n    /** Device authorization (RFC 8628) helpers. */\n    device,\n    /** Remove global listeners when disposing this client instance. */\n    destroy: () => {\n      disposeStorageListener?.();\n      subscribers.clear();\n    },\n  };\n}\n\n// ---------------------------------------------------------------------------\n// Browser mutex — ensures only one tab refreshes a token at a time.\n// ---------------------------------------------------------------------------\n\nasync function browserMutex<T>(\n  key: string,\n  callback: () => Promise<T>,\n): Promise<T> {\n  const lockManager = (globalThis as any)?.navigator?.locks;\n  return lockManager !== undefined\n    ? await lockManager.request(key, callback)\n    : await manualMutex(key, callback);\n}\n\nfunction getStorageListenerRegistry(): Record<string, (event: StorageEvent) => void> {\n  const globalAny = globalThis as any;\n  if (globalAny.__convexAuthStorageListeners === undefined) {\n    globalAny.__convexAuthStorageListeners = {} as Record<\n      string,\n      (event: StorageEvent) => void\n    >;\n  }\n  return globalAny.__convexAuthStorageListeners as Record<\n    string,\n    (event: StorageEvent) => void\n  >;\n}\n\nfunction getManualMutexTails(): Record<string, Promise<void>> {\n  const globalAny = globalThis as any;\n  if (globalAny.__convexAuthMutexTails === undefined) {\n    globalAny.__convexAuthMutexTails = {} as Record<string, Promise<void>>;\n  }\n  return globalAny.__convexAuthMutexTails as Record<string, Promise<void>>;\n}\n\nasync function manualMutex<T>(\n  key: string,\n  callback: () => Promise<T>,\n): Promise<T> {\n  const mutexTails = getManualMutexTails();\n  const previousTail = mutexTails[key] ?? Promise.resolve();\n\n  let releaseCurrent: (() => void) | undefined;\n  const currentTail = new Promise<void>((resolve) => {\n    releaseCurrent = resolve;\n  });\n\n  mutexTails[key] = previousTail.then(\n    () => currentTail,\n    () => currentTail,\n  );\n\n  try {\n    await previousTail;\n    return await callback();\n  } finally {\n    releaseCurrent?.();\n    if (mutexTails[key] === currentTail) {\n      delete mutexTails[key];\n    }\n  }\n}\n"],"mappings":";;;;;AAyIA,MAAM,uBAAuB;AAC7B,MAAM,kBAAkB;AACxB,MAAM,4BAA4B;AAElC,MAAM,gBAAgB,CAAC,KAAK,IAAK;AACjC,MAAM,eAAe;;;;;;;AAQrB,SAAS,WAAW,QAAyB,UAA2B;AACtE,KAAI,SAAU,QAAO;CACrB,MAAM,IAAI;CACV,MAAM,MAAe,EAAE,OAAO,EAAE,QAAQ;AACxC,KAAI,OAAO,QAAQ,SAAU,QAAO;AACpC,OAAM,IAAI,MACR,oEACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAoCH,SAAgB,OAAO,SAAwB;CAC7C,MAAM,EAAE,QAAQ,UAAU;CAG1B,MAAM,UACJ,QAAQ,YAAY,SAChB,QAAQ,UACR,QACE,OACA,OAAO,WAAW,cAChB,OACA,OAAO;CAEjB,MAAM,aACJ,QAAQ,gBACN,UAAgB;AAChB,MAAI,OAAO,WAAW,YACpB,QAAO,QAAQ,aAAa,EAAE,EAAE,IAAIA,MAAI;;CAI9C,MAAM,MAAM,QAAQ,SAAY,WAAW,QAAQ,QAAQ,IAAI;CAC/D,MAAM,mBAAmB,QACrB,MAAM,QAAQ,iBAAiB,GAAG,GAClC,IAAK,QAAQ,iBAAiB,GAAG;CACrC,MAAM,OAAO,SAAiB,GAAG,KAAK,GAAG;CACzC,MAAM,8BAAc,IAAI,KAAiB;CACzC,IAAI,yBAA8C;CAIlD,MAAM,aAAa,QAAQ,OAAO,IAAI,iBAAiB,IAAK;CAO5D,MAAM,cACJ,OAAO,QAAQ,UAAU,YAAY,QAAQ,MAAM,MAAM,CAAC,SAAS,IAC/D,QAAQ,QACR;CACN,MAAM,iBAAiB,gBAAgB;CAEvC,IAAI,QAAuB;CAC3B,IAAI,YAAY,CAAC;CACjB,IAAI,WAAsB;EACxB;EACA,iBAAiB;EACjB;EACD;CACD,IAAI,mBAAmB;CAEvB,MAAM,eAAe;AACnB,OAAK,MAAM,MAAM,YAAa,KAAI;;CAGpC,MAAM,uBAAuB;EAC3B,MAAM,OAAkB;GACtB;GACA,iBAAiB,UAAU;GAC3B;GACD;AACD,MACE,SAAS,cAAc,KAAK,aAC5B,SAAS,oBAAoB,KAAK,mBAClC,SAAS,UAAU,KAAK,MAExB,QAAO;AAET,aAAW;AACX,SAAO;;CAOT,MAAM,aAAa,OAAO,SAAiB;AACzC,MAAI,CAAC,QACH,QAAO;AAET,MAAI;AACF,UAAQ,MAAM,QAAQ,QAAQ,IAAI,KAAK,CAAC,IAAK;WACtC,OAAO;AACd,WAAQ,MAAM,gCAAgC,KAAK,iBAAiB,MAAM;AAC1E,UAAO;;;CAGX,MAAM,aAAa,OAAO,MAAc,UAAkB;AACxD,MAAI,CAAC,QACH;AAEF,MAAI;AACF,SAAM,QAAQ,QAAQ,IAAI,KAAK,EAAE,MAAM;WAChC,OAAO;AACd,WAAQ,MAAM,iCAAiC,KAAK,eAAe,MAAM;;;CAG7E,MAAM,gBAAgB,OAAO,SAAiB;AAC5C,MAAI,CAAC,QACH;AAEF,MAAI;AACF,SAAM,QAAQ,WAAW,IAAI,KAAK,CAAC;WAC5B,OAAO;AACd,WAAQ,MAAM,kCAAkC,KAAK,iBAAiB,MAAM;;;CAQhF,MAAM,WAAW,OACf,SAGG;AACH,MAAI,KAAK,WAAW,MAAM;AACxB,WAAQ;AACR,OAAI,KAAK,aAAa;AACpB,UAAM,cAAc,gBAAgB;AACpC,UAAM,cAAc,0BAA0B;;SAE3C;AACL,WAAQ,KAAK,OAAO;AACpB,OAAI,KAAK,eAAe,kBAAkB,KAAK,QAAQ;AACrD,UAAM,WAAW,iBAAiB,KAAK,OAAO,MAAM;AACpD,UAAM,WAAW,2BAA2B,KAAK,OAAO,aAAa;;;EAGzE,MAAM,iBAAiB;AACvB,cAAY;EACZ,MAAM,UAAU,gBAAgB;AAChC,MAAI,kBAAkB,SAAS;AAK7B,UAAO,QAAQ,iBAAiB;AAChC,WAAQ;;;CAQZ,MAAM,aAAa,OAAO,SAAkC;EAC1D,MAAM,WAAW,MAAM,MAAM,OAAQ;GACnC,QAAQ;GACR,SAAS,EAAE,gBAAgB,oBAAoB;GAC/C,aAAa;GACb,MAAM,KAAK,UAAU,KAAK;GAC3B,CAAC;AACF,MAAI,CAAC,SAAS,IAAI;GAChB,MAAM,YAAY,MAAM,SAAS,MAAM,CAAC,aAAa,EAAE,EAA6B;AAEpF,OACE,OAAO,cAAc,YACrB,cAAc,QACd,eAAe,aACf,OAAQ,UAAsC,cAAc,SAE5D,OAAM,IAAI,YAAa,UAAsC,UAAmB;AAElF,SAAM,IAAI,MACP,UAAsC,SACrC,yBAAyB,SAAS,SACrC;;AAEH,MAAI;AACF,UAAO,MAAM,SAAS,MAAM;UACtB;AACN,SAAM,IAAI,MAAM,oCAAoC;;;CAQxD,MAAM,aAAa,OACjB,SACG;EACH,IAAI;EACJ,IAAI,QAAQ;AACZ,SAAO,QAAQ,cAAc,OAC3B,KAAI;AACF,UAAO,MAAM,WAAY,OACvB,eACA,UAAU,OACN;IAAE,QAAQ,EAAE,MAAM,KAAK,MAAM;IAAE,UAAU,KAAK;IAAU,GACxD,KACL;WACM,GAAG;AACV,eAAY;AAOZ,OAAI,EALF,aAAa,aACZ,aAAa,SACZ,+CAA+C,KAC7C,EAAE,WAAW,GACd,EACgB;GACrB,MAAM,OAAO,cAAc,SAAU,eAAe,KAAK,QAAQ;AACjE;AACA,SAAM,IAAI,SAAS,YAAY,WAAW,SAAS,KAAK,CAAC;;AAG7D,QAAM;;CAGR,MAAM,wBAAwB,OAC5B,SACG;EACH,MAAM,EAAE,WAAW,MAAM,WAAW,KAAK;AACzC,QAAM,SAAS;GACb,aAAa;GACb,QAAS,UAAiC;GAC3C,CAAC;AACF,SAAO,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAkCpB,MAAM,SAAS,OACb,UACA,SAC0B;EAC1B,MAAM,SACJ,gBAAgB,WACZ,MAAM,KAAK,KAAK,SAAS,CAAC,CAAC,QACxB,KAAK,CAAC,GAAG,OAAO;AACf,OAAI,KAAK;AACT,UAAO;KAET,EAAE,CACH,GACD,QAAQ,EAAE;AAEhB,MAAI,OAAO;GAET,MAAMC,WAAS,MAAM,WAAW;IAC9B,QAAQ;IACR,MAAM;KAAE;KAAU;KAAQ;IAC3B,CAAC;AACF,OAAIA,SAAO,aAAa,QAAW;IACjC,MAAM,cAAc,IAAI,IAAIA,SAAO,SAAS;AAE5C,QAAI,OAAO,WAAW,YACpB,QAAO,SAAS,OAAO,YAAY,UAAU;AAE/C,WAAO;KAAE,WAAW;KAAO,UAAU;KAAa;;AAEpD,OAAIA,SAAO,aACT,QAAO;IAAE,WAAW;IAAO,cAAc;IAAM,UAAUA,SAAO;IAAU;AAE5E,OAAIA,SAAO,eAAe,OACxB,QAAO;IAAE,WAAW;IAAO,YAAYA,SAAO;IAAgC;AAEhF,OAAIA,SAAO,WAAW,QAAW;AAG/B,UAAM,SAAS;KACb,aAAa;KACb,QACEA,SAAO,WAAW,OAAO,OAAO,EAAE,OAAOA,SAAO,OAAO,OAAO;KACjE,CAAC;AACF,WAAO,EAAE,WAAWA,SAAO,WAAW,MAAM;;AAE9C,UAAO,EAAE,WAAW,OAAO;;EAI7B,MAAM,WAAY,MAAM,WAAW,qBAAqB,IAAK;AAC7D,QAAM,cAAc,qBAAqB;EACzC,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;GACvD;GACA;GACA;GACD,CAAC;AACF,MAAI,OAAO,aAAa,QAAW;GACjC,MAAM,cAAc,IAAI,IAAI,OAAO,SAAS;AAC5C,SAAM,WAAW,sBAAsB,OAAO,SAAU;AACxD,OAAI,OAAO,WAAW,YACpB,QAAO,SAAS,OAAO,YAAY,UAAU;AAE/C,UAAO;IAAE,WAAW;IAAO,UAAU;IAAa;;AAEpD,MAAI,OAAO,aACT,QAAO;GAAE,WAAW;GAAO,cAAc;GAAM,UAAU,OAAO;GAAU;AAE5E,MAAI,OAAO,eAAe,OACxB,QAAO;GAAE,WAAW;GAAO,YAAY,OAAO;GAAgC;AAEhF,MAAI,OAAO,WAAW,QAAW;AAC/B,SAAM,SAAS;IACb,aAAa;IACb,QAAS,OAAO,UAAiC;IAClD,CAAC;AACF,UAAO,EAAE,WAAW,OAAO,WAAW,MAAM;;AAE9C,SAAO,EAAE,WAAW,OAAO;;;;;;;;;CAc7B,MAAM,UAAU,YAAY;AAC1B,MAAI,OAAO;AACT,OAAI;AACF,UAAM,WAAW;KAAE,QAAQ;KAAgB,MAAM,EAAE;KAAE,CAAC;WAChD;AAGR,SAAM,SAAS;IAAE,aAAa;IAAO,QAAQ;IAAM,CAAC;AACpD,OAAI,OAAO,UAAW,QAAO,WAAW;AACxC;;AAIF,MAAI;AACF,SAAM,OAAO,OAAO,gBAAuB,EAAE,CAAC;UACxC;AAGR,QAAM,SAAS;GAAE,aAAa;GAAM,QAAQ;GAAM,CAAC;AACnD,MAAI,OAAO,UAAW,QAAO,WAAW;;CAO1C,MAAM,mBAAmB,OAAO,EAC9B,wBAG4B;AAC5B,MAAI,CAAC,kBAAmB,QAAO;AAE/B,MAAI,OAAO;GAGT,MAAM,qBAAqB;AAC3B,UAAO,MAAM,aAAa,4BAA4B,YAAY;AAEhE,QAAI,UAAU,mBAAoB,QAAO;AACzC,QAAI;KACF,MAAM,SAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM,EAAE,cAAc,MAAM;MAC7B,CAAC;AACF,SAAI,OAAO,OACT,OAAM,SAAS;MACb,aAAa;MACb,QAAQ,EAAE,OAAO,OAAO,OAAO,OAAO;MACvC,CAAC;SAEF,OAAM,SAAS;MAAE,aAAa;MAAO,QAAQ;MAAM,CAAC;YAEhD;AACN,WAAM,SAAS;MAAE,aAAa;MAAO,QAAQ;MAAM,CAAC;;AAEtD,WAAO;KACP;;EAIJ,MAAM,6BAA6B;AACnC,SAAO,MAAM,aAAa,2BAA2B,YAAY;GAC/D,MAAM,4BAA4B;AAClC,OAAI,8BAA8B,2BAChC,QAAO;GAET,MAAM,eACH,MAAM,WAAW,0BAA0B,IAAK;AACnD,OAAI,CAAC,aACH,QAAO;AAET,SAAM,sBAAsB,EAAE,cAAc,CAAC;AAC7C,UAAO;IACP;;CAOJ,MAAM,iBAAiB,YAAY;AACjC,MAAI,OAAO,WAAW,YAAa;AACnC,MAAI,iBAAkB;EACtB,MAAM,OAAO,IAAI,gBAAgB,OAAO,SAAS,OAAO,CAAC,IAAI,OAAO;AACpE,MAAI,CAAC,KAAM;AACX,qBAAmB;EACnB,MAAM,UAAU,IAAI,IAAI,OAAO,SAAS,KAAK;AAC7C,UAAQ,aAAa,OAAO,OAAO;AACnC,MAAI;AACF,SAAM,WAAW,QAAQ,WAAW,QAAQ,SAAS,QAAQ,KAAK;AAClE,SAAM,OAAO,QAAW,EAAE,MAAM,CAAC;YACzB;AACR,sBAAmB;;;CAQvB,MAAM,qBAAqB,YAAY;EACrC,MAAM,cAAe,MAAM,WAAW,gBAAgB,IAAK;AAC3D,QAAM,SAAS;GACb,aAAa;GACb,QAAQ,gBAAgB,OAAO,OAAO,EAAE,OAAO,aAAa;GAC7D,CAAC;;;;;;;;;;;;;CAkBJ,MAAM,YAAY,OAAiD;AACjE,KAAG,SAAS;EACZ,MAAM,gBAAgB,GAAG,SAAS;AAClC,cAAY,IAAI,QAAQ;AACxB,eAAa;AACX,eAAY,OAAO,QAAQ;;;AAS/B,KAAI,CAAC,SAAS,OAAO,WAAW,aAAa;EAC3C,MAAM,cAAc,IAAI,gBAAgB;EACxC,MAAM,WAAW,4BAA4B;EAC7C,MAAM,mBAAmB,SAAS;AAClC,MAAI,qBAAqB,OACvB,QAAO,oBAAoB,WAAW,iBAAiB;EAGzD,MAAM,aAAa,UAAwB;AACzC,IAAM,YAAY;AAChB,QAAI,MAAM,QAAQ,IAAI,gBAAgB,CAAE;AACxC,UAAM,SAAS;KACb,aAAa;KACb,QACE,MAAM,aAAa,OAAO,OAAO,EAAE,OAAO,MAAM,UAAU;KAC7D,CAAC;OACA;;AAEN,SAAO,iBAAiB,WAAW,UAAU;AAC7C,WAAS,eAAe;AACxB,iCAA+B;AAC7B,OAAI,SAAS,iBAAiB,UAC5B,QAAO,SAAS;AAElB,UAAO,oBAAoB,WAAW,UAAU;;;AAMpD,QAAO,QAAQ,iBAAiB;AAGhC,KAAI,OAAO,WAAW,YACpB,KAAI,MAGF,KAAI,CAAC,eACH,CAAK,iBAAiB,EAAE,mBAAmB,MAAM,CAAC,CAAC,OAChD,UAAmB;AAClB,UAAQ,MAAM,6CAA6C,MAAM;GAEpE;MACI;AAEL,cAAY;AACZ,kBAAgB;;KAIlB,EAAM,YAAY;AAChB,MAAI;AACF,SAAM,oBAAoB;AAC1B,SAAM,gBAAgB;WACf,OAAgB;AACvB,WAAQ,MAAM,+CAA+C,MAAM;AACnE,SAAM,SAAS;IAAE,aAAa;IAAO,QAAQ;IAAM,CAAC;;KAEpD;;;;;CAYR,MAAM,mBAAmB,WAAgC;EACvD,MAAM,QAAQ,IAAI,WAAW,OAAO;EACpC,IAAI,SAAS;AACb,OAAK,IAAI,IAAI,GAAG,IAAI,MAAM,YAAY,IACpC,WAAU,OAAO,aAAa,MAAM,GAAI;AAE1C,SAAO,KAAK,OAAO,CAAC,QAAQ,OAAO,IAAI,CAAC,QAAQ,OAAO,IAAI,CAAC,QAAQ,OAAO,GAAG;;CAGhF,MAAM,mBAAmB,QAA4B;EACnD,MAAM,SAAS,IAAI,QAAQ,MAAM,IAAI,CAAC,QAAQ,MAAM,IAAI;EACxD,MAAM,SAAS,KAAK,OAAO;EAC3B,MAAM,QAAQ,IAAI,WAAW,OAAO,OAAO;AAC3C,OAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,IACjC,OAAM,KAAK,OAAO,WAAW,EAAE;AAEjC,SAAO;;AAkjBT,QAAO;EAEL,IAAI,QAAmB;AACrB,UAAO;;EAGT;EAEA;EAEA;EAEA,SA3jBc;GAId,mBAA4B;AAC1B,WACE,OAAO,WAAW,eAClB,OAAO,OAAO,wBAAwB;;GAa1C,qBAAqB,YAA8B;AACjD,QAAI,OAAO,WAAW,YAAa,QAAO;AAC1C,QAAI,OAAO,OAAO,wBAAwB,YAAa,QAAO;AAC9D,QACE,OACE,OAAO,oBACP,oCAAoC,WAEtC,QAAO;AAET,WACE,OAAO,oBACP,iCAAiC;;GAwBrC,UAAU,OACR,SAM0B;IAC1B,MAAM,eAAe;KACnB,MAAM;KACN,OAAO,MAAM;KACb,UAAU,MAAM;KAChB,iBAAiB,MAAM;KACxB;IAGD,IAAI;AACJ,QAAI,MACF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MAAE,UAAU;MAAW,QAAQ;MAAc;KACpD,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACT,CAAC;AAGJ,QAAI,CAAC,aAAa,QAChB,OAAM,IAAI,MAAM,qDAAqD;IAGvE,MAAMC,YAAU,aAAa;IAG7B,MAAM,gBAA2C,EAC/C,WAAW;KACT,IAAIA,UAAQ;KACZ,MAAM;MACJ,IAAI,gBAAgBA,UAAQ,KAAK,GAAG,CAAC;MACrC,MAAMA,UAAQ,KAAK;MACnB,aAAaA,UAAQ,KAAK;MAC3B;KACD,WAAW,gBAAgBA,UAAQ,UAAU,CAAC;KAC9C,kBAAkBA,UAAQ;KAC1B,SAASA,UAAQ;KACjB,aAAaA,UAAQ;KACrB,wBAAwBA,UAAQ;KAChC,qBAAqBA,UAAQ,sBAAsB,EAAE,EAAE,KACpD,UAAe;MACd,MAAM,KAAK,QAAQ;MACnB,IAAI,gBAAgB,KAAK,GAAG,CAAC;MAC7B,YAAY,KAAK;MAClB,EACF;KACF,EACF;IAGD,MAAM,aAAc,MAAM,UAAU,YAAY,OAC9C,cACD;AACD,QAAI,CAAC,WACH,OAAM,IAAI,MAAM,qCAAqC;IAGvD,MAAM,WACJ,WAAW;IAGb,MAAM,aACJ,OAAO,SAAS,kBAAkB,aAC9B,SAAS,eAAe,GACxB;IAEN,MAAM,eAAe;KACnB,MAAM;KACN,gBAAgB,gBAAgB,SAAS,eAAe;KACxD,mBAAmB,gBAAgB,SAAS,kBAAkB;KAC9D;KACA,aAAa,MAAM;KACnB,OAAO,MAAM;KACd;IAGD,IAAI;AACJ,QAAI,MAGF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MACJ,UAAU;MACV,QAAQ;MACR,UAAU,aAAa;MACxB;KACF,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACR,UAAU,aAAa;KACxB,CAAC;AAGJ,QAAI,aAAa,QAAQ;AACvB,SAAI,MACF,OAAM,SAAS;MACb,aAAa;MACb,QACE,aAAa,WAAW,OACpB,OACA,EAAE,OAAO,aAAa,OAAO,OAAO;MAC3C,CAAC;SAEF,OAAM,SAAS;MACb,aAAa;MACb,QAAQ,aAAa;MACtB,CAAC;AAEJ,YAAO,EAAE,WAAW,MAAM;;AAE5B,WAAO,EAAE,WAAW,OAAO;;GA6B7B,cAAc,OACZ,SAC0B;IAC1B,MAAM,eAAe;KACnB,MAAM;KACN,OAAO,MAAM;KACd;IAGD,IAAI;AACJ,QAAI,MACF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MAAE,UAAU;MAAW,QAAQ;MAAc;KACpD,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACT,CAAC;AAGJ,QAAI,CAAC,aAAa,QAChB,OAAM,IAAI,MAAM,uDAAuD;IAGzE,MAAMA,YAAU,aAAa;IAG7B,MAAM,aAAuC;KAC3C,WAAW;MACT,WAAW,gBAAgBA,UAAQ,UAAU,CAAC;MAC9C,SAASA,UAAQ;MACjB,MAAMA,UAAQ;MACd,kBAAkBA,UAAQ;MAC1B,mBAAmBA,UAAQ,oBAAoB,EAAE,EAAE,KAChD,UAAe;OACd,MAAM,KAAK,QAAQ;OACnB,IAAI,gBAAgB,KAAK,GAAG,CAAC;OAC7B,YAAY,KAAK;OAClB,EACF;MACF;KACD,GAAI,MAAM,WAAW,EAAE,WAAW,eAAsB,GAAG,EAAE;KAC9D;IAGD,MAAM,aAAc,MAAM,UAAU,YAAY,IAC9C,WACD;AACD,QAAI,CAAC,WACH,OAAM,IAAI,MAAM,uCAAuC;IAGzD,MAAM,WACJ,WAAW;IAEb,MAAM,eAAe;KACnB,MAAM;KACN,cAAc,gBAAgB,WAAW,MAAM;KAC/C,gBAAgB,gBAAgB,SAAS,eAAe;KACxD,mBAAmB,gBAAgB,SAAS,kBAAkB;KAC9D,WAAW,gBAAgB,SAAS,UAAU;KAC/C;IAGD,IAAI;AACJ,QAAI,MACF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MACJ,UAAU;MACV,QAAQ;MACR,UAAU,aAAa;MACxB;KACF,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACR,UAAU,aAAa;KACxB,CAAC;AAGJ,QAAI,aAAa,QAAQ;AACvB,SAAI,MACF,OAAM,SAAS;MACb,aAAa;MACb,QACE,aAAa,WAAW,OACpB,OACA,EAAE,OAAO,aAAa,OAAO,OAAO;MAC3C,CAAC;SAEF,OAAM,SAAS;MACb,aAAa;MACb,QAAQ,aAAa;MACtB,CAAC;AAEJ,YAAO,EAAE,WAAW,MAAM;;AAE5B,WAAO,EAAE,WAAW,OAAO;;GAE9B;EAsQC,MApQW;GAYX,OAAO,OACL,SAC+E;IAC/E,MAAM,SAA8B,EAAE,MAAM,SAAS;AACrD,QAAI,MAAM,KAAM,QAAO,OAAO,KAAK;AACnC,QAAI,MAAM,YAAa,QAAO,cAAc,KAAK;AAEjD,QAAI,OAAO;KACT,MAAMD,WAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM;OAAE,UAAU;OAAQ;OAAQ;MACnC,CAAC;AACF,YAAO;MAAE,KAAKA,SAAO,UAAU;MAAK,QAAQA,SAAO,UAAU;MAAQ,UAAUA,SAAO;MAAU,QAAQA,SAAO,UAAU;MAAQ;;IAGnI,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV;KACD,CAAC;AACF,WAAO;KAAE,KAAK,OAAO,UAAU;KAAK,QAAQ,OAAO,UAAU;KAAQ,UAAU,OAAO;KAAU,QAAQ,OAAO,UAAU;KAAQ;;GAUnI,SAAS,OAAO,SAIK;IACnB,MAAM,SAA8B;KAClC,MAAM;KACN,MAAM,KAAK;KACX,QAAQ,KAAK;KACd;AAED,QAAI,OAAO;KACT,MAAMA,WAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM;OAAE,UAAU;OAAQ;OAAQ,UAAU,KAAK;OAAU;MAC5D,CAAC;AACF,SAAIA,SAAO,OACT,OAAM,SAAS;MACb,aAAa;MACb,QAAQA,SAAO,WAAW,OAAO,OAAO,EAAE,OAAOA,SAAO,OAAO,OAAO;MACvE,CAAC;AAEJ;;IAGF,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV;KACA,UAAU,KAAK;KAChB,CAAC;AACF,QAAI,OAAO,OACT,OAAM,SAAS;KACb,aAAa;KACb,QAAS,OAAO,UAAiC;KAClD,CAAC;;GAgBN,QAAQ,OAAO,SAA4D;IACzE,MAAM,SAA8B;KAClC,MAAM;KACN,MAAM,KAAK;KACZ;AAED,QAAI,OAAO;KACT,MAAMA,WAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM;OAAE,UAAU;OAAQ;OAAQ,UAAU,KAAK;OAAU;MAC5D,CAAC;AACF,SAAIA,SAAO,OACT,OAAM,SAAS;MACb,aAAa;MACb,QAAQA,SAAO,WAAW,OAAO,OAAO,EAAE,OAAOA,SAAO,OAAO,OAAO;MACvE,CAAC;AAEJ;;IAGF,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV;KACA,UAAU,KAAK;KAChB,CAAC;AACF,QAAI,OAAO,OACT,OAAM,SAAS;KACb,aAAa;KACb,QAAS,OAAO,UAAiC;KAClD,CAAC;;GAGP;EA2IC,QAzIa;GAoBb,MAAM,OAAO,SAA0C;IACrD,MAAM,aAAa,KAAK,WAAW;IACnC,MAAM,YAAY,KAAK,KAAK,GAAG,KAAK,YAAY;AAEhD,WAAO,KAAK,KAAK,GAAG,WAAW;AAC7B,WAAM,IAAI,SAAS,YAAY,WAAW,SAAS,WAAW,CAAC;AAE/D,SAAI;MACF,IAAI;MACJ,MAAM,SAA8B;OAClC,MAAM;OACN,YAAY,KAAK;OAClB;AAED,UAAI,MACF,UAAS,MAAM,WAAW;OACxB,QAAQ;OACR,MAAM;QAAE,UAAU;QAAU;QAAQ;OACrC,CAAC;UAEF,UAAS,MAAM,OAAO,OAAO,eAAsB;OACjD,UAAU;OACV;OACD,CAAC;AAIJ,UAAI,OAAO,QAAQ;AACjB,WAAI,MACF,OAAM,SAAS;QACb,aAAa;QACb,QACE,OAAO,WAAW,OACd,OACA,EAAE,OAAO,OAAO,OAAO,OAAO;QACrC,CAAC;WAEF,OAAM,SAAS;QACb,aAAa;QACb,QAAS,OAAO,UAAiC;QAClD,CAAC;AAEJ;;cAEK,GAAY;AAEnB,UAAI,aAAa,aAAa;OAE5B,MAAM,QADO,EAAE,MACK;AACpB,WAAI,UAAU,+BACZ;AAEF,WAAI,UAAU,oBAAoB;AAEhC,cAAM,IAAI,SAAS,YACjB,WAAW,SAAS,WAAW,CAChC;AACD;;;AAIJ,YAAM;;;AAIV,UAAM,IAAI,MAAM,kCAAkC;;GAgBpD,QAAQ,OAAO,aAAoC;IACjD,MAAM,SAA8B;KAClC,MAAM;KACN;KACD;AAED,QAAI,MACF,OAAM,WAAW;KACf,QAAQ;KACR,MAAM;MAAE,UAAU;MAAU;MAAQ;KACrC,CAAC;QAEF,OAAM,OAAO,OAAO,eAAsB;KACxC,UAAU;KACV;KACD,CAAC;;GAGP;EAoBC,eAAe;AACb,6BAA0B;AAC1B,eAAY,OAAO;;EAEtB;;AAOH,eAAe,aACb,KACA,UACY;CACZ,MAAM,cAAe,YAAoB,WAAW;AACpD,QAAO,gBAAgB,SACnB,MAAM,YAAY,QAAQ,KAAK,SAAS,GACxC,MAAM,YAAY,KAAK,SAAS;;AAGtC,SAAS,6BAA4E;CACnF,MAAM,YAAY;AAClB,KAAI,UAAU,iCAAiC,OAC7C,WAAU,+BAA+B,EAAE;AAK7C,QAAO,UAAU;;AAMnB,SAAS,sBAAqD;CAC5D,MAAM,YAAY;AAClB,KAAI,UAAU,2BAA2B,OACvC,WAAU,yBAAyB,EAAE;AAEvC,QAAO,UAAU;;AAGnB,eAAe,YACb,KACA,UACY;CACZ,MAAM,aAAa,qBAAqB;CACxC,MAAM,eAAe,WAAW,QAAQ,QAAQ,SAAS;CAEzD,IAAI;CACJ,MAAM,cAAc,IAAI,SAAe,YAAY;AACjD,mBAAiB;GACjB;AAEF,YAAW,OAAO,aAAa,WACvB,mBACA,YACP;AAED,KAAI;AACF,QAAM;AACN,SAAO,MAAM,UAAU;WACf;AACR,oBAAkB;AAClB,MAAI,WAAW,SAAS,YACtB,QAAO,WAAW"}

package/dist/component/_generated/api.d.ts

@@ -1,9 +1,12 @@
+import { functions_d_exports } from "../functions.js";
 import { index_d_exports } from "../index.js";
 import { public_d_exports } from "../public.js";
+import * as convex_server0 from "convex/server";
 import { ApiFromModules, FilterApi, FunctionReference } from "convex/server";
 
 //#region src/component/_generated/api.d.ts
 declare const fullApi: ApiFromModules<{
+  functions: typeof functions_d_exports;
   index: typeof index_d_exports;
   public: typeof public_d_exports;
 }>;
@@ -25,7 +28,7 @@ declare const api: FilterApi<typeof fullApi, FunctionReference<any, "public">>;
  * ```
  */
 declare const internal: FilterApi<typeof fullApi, FunctionReference<any, "internal">>;
-declare const components: {};
+declare const components: convex_server0.AnyChildComponents;
 //#endregion
 export { api, components, internal };
 //# sourceMappingURL=api.d.ts.map

package/dist/component/_generated/api.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"api.d.ts","names":[],"sources":["../../../src/component/_generated/api.ts"],"mappings":";;;;;cAoBM,OAAA,EAAS,cAAA;EACb,KAAA,SAAc,eAAA;EACd,MAAA,SAAe,gBAAA;AAAA;;;;;;AAWjB;;;cAAa,GAAA,EAAK,SAAA,QACT,OAAA,EACP,iBAAA;;;;;;;;;cAWW,QAAA,EAAU,SAAA,QACd,OAAA,EACP,iBAAA;AAAA,cAGW,UAAA"}
+{"version":3,"file":"api.d.ts","names":[],"sources":["../../../src/component/_generated/api.ts"],"mappings":";;;;;;;cAqBM,OAAA,EAAS,cAAA;EACb,SAAA,SAAkB,mBAAA;EAClB,KAAA,SAAc,eAAA;EACd,MAAA,SAAe,gBAAA;AAAA;;;;;;;;;cAWJ,GAAA,EAAK,SAAA,QACT,OAAA,EACP,iBAAA;;;;;;;;;cAWW,QAAA,EAAU,SAAA,QACd,OAAA,EACP,iBAAA;AAAA,cAGW,UAAA,EAAgC,cAAA,CAAtB,kBAAA"}

package/dist/component/_generated/api.js.map

@@ -1 +1 @@
-{"version":3,"file":"api.js","names":[],"sources":["../../../src/component/_generated/api.ts"],"sourcesContent":["/* eslint-disable */\n/**\n * Generated `api` utility.\n *\n * THIS CODE IS AUTOMATICALLY GENERATED.\n *\n * To regenerate, run `npx convex dev`.\n * @module\n */\n\nimport type * as index from \"../index.js\";\nimport type * as public_ from \"../public.js\";\n\nimport type {\n  ApiFromModules,\n  FilterApi,\n  FunctionReference,\n} from \"convex/server\";\nimport { anyApi, componentsGeneric } from \"convex/server\";\n\nconst fullApi: ApiFromModules<{\n  index: typeof index;\n  public: typeof public_;\n}> = anyApi as any;\n\n/**\n * A utility for referencing Convex functions in your app's public API.\n *\n * Usage:\n * ```js\n * const myFunctionReference = api.myModule.myFunction;\n * ```\n */\nexport const api: FilterApi<\n  typeof fullApi,\n  FunctionReference<any, \"public\">\n> = anyApi as any;\n\n/**\n * A utility for referencing Convex functions in your app's internal API.\n *\n * Usage:\n * ```js\n * const myFunctionReference = internal.myModule.myFunction;\n * ```\n */\nexport const internal: FilterApi<\n  typeof fullApi,\n  FunctionReference<any, \"internal\">\n> = anyApi as any;\n\nexport const components = componentsGeneric() as unknown as {};\n"],"mappings":";;;;;;;;;;;AAiCA,MAAa,MAGT;;;;;;;;;AAUJ,MAAa,WAGT;AAEJ,MAAa,aAAa,mBAAmB"}
+{"version":3,"file":"api.js","names":[],"sources":["../../../src/component/_generated/api.ts"],"sourcesContent":["/* eslint-disable */\n/**\n * Generated `api` utility.\n *\n * THIS CODE IS AUTOMATICALLY GENERATED.\n *\n * To regenerate, run `npx convex dev`.\n * @module\n */\n\nimport type * as functions from \"../functions.js\";\nimport type * as index from \"../index.js\";\nimport type * as public_ from \"../public.js\";\n\nimport type {\n  ApiFromModules,\n  FilterApi,\n  FunctionReference,\n} from \"convex/server\";\nimport { anyApi, componentsGeneric } from \"convex/server\";\n\nconst fullApi: ApiFromModules<{\n  functions: typeof functions;\n  index: typeof index;\n  public: typeof public_;\n}> = anyApi as any;\n\n/**\n * A utility for referencing Convex functions in your app's public API.\n *\n * Usage:\n * ```js\n * const myFunctionReference = api.myModule.myFunction;\n * ```\n */\nexport const api: FilterApi<\n  typeof fullApi,\n  FunctionReference<any, \"public\">\n> = anyApi as any;\n\n/**\n * A utility for referencing Convex functions in your app's internal API.\n *\n * Usage:\n * ```js\n * const myFunctionReference = internal.myModule.myFunction;\n * ```\n */\nexport const internal: FilterApi<\n  typeof fullApi,\n  FunctionReference<any, \"internal\">\n> = anyApi as any;\n\nexport const components = componentsGeneric();\n"],"mappings":";;;;;;;;;;;AAmCA,MAAa,MAGT;;;;;;;;;AAUJ,MAAa,WAGT;AAEJ,MAAa,aAAa,mBAAmB"}

package/dist/component/convex.config.d.ts

@@ -1,7 +1,7 @@
-import * as convex_server0 from "convex/server";
+import * as convex_server16 from "convex/server";
 
 //#region src/component/convex.config.d.ts
-declare const component: convex_server0.ComponentDefinition<any>;
+declare const component: convex_server16.ComponentDefinition<any>;
 //#endregion
 export { component as default };
 //# sourceMappingURL=convex.config.d.ts.map