@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

package/dist/client/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","names":["url","result","options"],"sources":["../../src/client/index.ts"],"sourcesContent":["import { ConvexHttpClient } from \"convex/browser\";\nimport { ConvexError, Value } from \"convex/values\";\n\n// Re-export error utilities so consumers can import from `@robelest/convex-auth/client`.\nexport {\n  isAuthError,\n  parseAuthError,\n  AUTH_ERRORS,\n  type AuthErrorCode,\n} from \"../server/errors\";\n\n/**\n * Structural interface for any Convex client.\n * Satisfied by `ConvexClient` (`convex/browser`),\n * `ConvexReactClient` (`convex/react`), and similar transports.\n *\n * `clearAuth` is present on `ConvexReactClient` and `BaseConvexClient`\n * but not on the simplified `ConvexClient`. When available we call it\n * during sign-out for a clean deauthentication.\n */\ninterface ConvexTransport {\n  action(action: any, args: any): Promise<any>;\n  setAuth(\n    fetchToken: (args: {\n      forceRefreshToken: boolean;\n    }) => Promise<string | null | undefined>,\n    onChange?: (isAuthenticated: boolean) => void,\n  ): void;\n  clearAuth?(): void;\n}\n\n/** Pluggable key-value storage (defaults to `localStorage`). */\nexport interface Storage {\n  getItem(\n    key: string,\n  ): string | null | undefined | Promise<string | null | undefined>;\n  setItem(key: string, value: string): void | Promise<void>;\n  removeItem(key: string): void | Promise<void>;\n}\n\ntype AuthSession = {\n  token: string;\n  refreshToken: string;\n};\n\n/**\n * Device code response returned when signing in with the `\"device\"` provider.\n *\n * The device displays the `userCode` (or `verificationUriComplete`) and\n * polls via `auth.device.poll()` until the user authorizes.\n */\nexport type DeviceCodeResult = {\n  /** High-entropy device code used for polling (keep secret). */\n  deviceCode: string;\n  /** Short human-readable code the user enters (e.g. \"WDJB-MJHT\"). */\n  userCode: string;\n  /** Base verification URL (e.g. \"https://myapp.com/device\"). */\n  verificationUri: string;\n  /** Verification URL with user code pre-filled as `?code=XXXX-XXXX`. */\n  verificationUriComplete: string;\n  /** Lifetime of the codes in seconds. */\n  expiresIn: number;\n  /** Minimum polling interval in seconds. */\n  interval: number;\n};\n\n/**\n * Result of a `signIn` call.\n *\n * - `signingIn: true` — credentials were accepted and the user is authenticated.\n * - `redirect` — OAuth flow initiated; redirect the user to `redirect.toString()`.\n * - `totpRequired` — credentials valid but 2FA is needed; call `auth.totp.verify()`.\n * - `deviceCode` — device flow initiated; display the code and poll via `auth.device.poll()`.\n * - `verifier` — opaque string for multi-step flows (TOTP, passkey).\n */\nexport type SignInResult = {\n  /** `true` when sign-in completed and the user is authenticated. */\n  signingIn: boolean;\n  /** OAuth redirect URL. Present when the provider requires a browser redirect. */\n  redirect?: URL;\n  /** `true` when the account has TOTP enabled and a code is required. */\n  totpRequired?: boolean;\n  /** Device code response for the device authorization flow (RFC 8628). */\n  deviceCode?: DeviceCodeResult;\n  /** Opaque verifier for multi-step flows (pass to `totp.verify` or passkey phase 2). */\n  verifier?: string;\n};\n\n/** Reactive auth state snapshot returned by `auth.state` and `auth.onChange`. */\nexport type AuthState = {\n  /** `true` during initial hydration before the first token is resolved. */\n  isLoading: boolean;\n  /** `true` when a valid JWT exists (user is signed in). */\n  isAuthenticated: boolean;\n  /** The raw JWT string, or `null` when not authenticated. */\n  token: string | null;\n};\n\n/** Options for {@link client}. */\nexport type ClientOptions = {\n  /** Any Convex client (`ConvexClient` or `ConvexReactClient`). */\n  convex: ConvexTransport;\n  /**\n   * Convex deployment URL. Derived automatically from the client internals\n   * when omitted — pass explicitly only if auto-detection fails.\n   */\n  url?: string;\n  /**\n   * Key-value storage for persisting tokens.\n   *\n   * - Defaults to `localStorage` in SPA mode.\n   * - Defaults to `null` (in-memory only) when `proxy` is set,\n   *   since httpOnly cookies handle persistence.\n   */\n  storage?: Storage | null;\n  /** Override how the URL bar is updated after OAuth code exchange. */\n  replaceURL?: (relativeUrl: string) => void | Promise<void>;\n  /**\n   * SSR proxy endpoint (e.g. `\"/api/auth\"`).\n   *\n   * When set, `signIn`/`signOut`/token refresh POST to this URL\n   * (with `credentials: \"include\"`) instead of calling Convex directly.\n   * The server handles httpOnly cookies for token persistence.\n   *\n   * Pair with {@link ClientOptions.token} for flash-free SSR hydration.\n   */\n  proxy?: string;\n  /**\n   * JWT from server-side hydration.\n   *\n   * In proxy mode the server reads the JWT from an httpOnly cookie\n   * and passes it to the client during SSR. This avoids a loading\n   * flash on first render — the client is immediately authenticated.\n   */\n  token?: string | null;\n};\n\nconst VERIFIER_STORAGE_KEY = \"__convexAuthOAuthVerifier\";\nconst JWT_STORAGE_KEY = \"__convexAuthJWT\";\nconst REFRESH_TOKEN_STORAGE_KEY = \"__convexAuthRefreshToken\";\n\nconst RETRY_BACKOFF = [500, 2000];\nconst RETRY_JITTER = 100;\n\n/**\n * Resolve the Convex deployment URL from the client.\n *\n * `ConvexReactClient` exposes `.url` directly.\n * `ConvexClient` exposes `.client.url` via `BaseConvexClient`.\n */\nfunction resolveUrl(convex: ConvexTransport, explicit?: string): string {\n  if (explicit) return explicit;\n  const c = convex as any;\n  const url: unknown = c.url ?? c.client?.url;\n  if (typeof url === \"string\") return url;\n  throw new Error(\n    \"Could not determine Convex deployment URL. Pass `url` explicitly.\",\n  );\n}\n\n/**\n * Create a framework-agnostic auth client.\n *\n * Returns an object with `signIn`, `signOut`, `onChange`, `state`,\n * `passkey`, and `totp` — everything needed for client-side auth.\n *\n * ### SPA mode (default)\n *\n * ```ts\n * import { ConvexClient } from 'convex/browser';\n * import { client } from '@robelest/convex-auth/client';\n *\n * const convex = new ConvexClient(CONVEX_URL);\n * const auth = client({ convex });\n * ```\n *\n * ### SSR / proxy mode\n *\n * ```ts\n * const auth = client({\n *   convex,\n *   proxy: '/api/auth',\n *   token: tokenFromServer, // JWT read from httpOnly cookie during SSR\n * });\n * ```\n *\n * In proxy mode all auth operations go through the proxy URL.\n * Tokens are stored in httpOnly cookies server-side — the client\n * holds the JWT in memory only.\n *\n * @param options - Client configuration. See {@link ClientOptions}.\n * @returns Auth client with `signIn`, `signOut`, `onChange`, `state`, `passkey`, and `totp`.\n */\nexport function client(options: ClientOptions) {\n  const { convex, proxy } = options;\n\n  // In proxy mode, default storage to null (cookies handle persistence).\n  const storage =\n    options.storage !== undefined\n      ? options.storage\n      : proxy\n        ? null\n        : typeof window === \"undefined\"\n          ? null\n          : window.localStorage;\n\n  const replaceURL =\n    options.replaceURL ??\n    ((url: string) => {\n      if (typeof window !== \"undefined\") {\n        window.history.replaceState({}, \"\", url);\n      }\n    });\n\n  const url = proxy ? undefined : resolveUrl(convex, options.url);\n  const escapedNamespace = proxy\n    ? proxy.replace(/[^a-zA-Z0-9]/g, \"\")\n    : url!.replace(/[^a-zA-Z0-9]/g, \"\");\n  const key = (name: string) => `${name}_${escapedNamespace}`;\n  const subscribers = new Set<() => void>();\n\n  // Unauthenticated HTTP client for code verification & OAuth exchange.\n  // Only needed in SPA mode — proxy mode routes everything through the proxy.\n  const httpClient = proxy ? null : new ConvexHttpClient(url!);\n\n  // ---------------------------------------------------------------------------\n  // State\n  // ---------------------------------------------------------------------------\n\n  // If a server-provided token was supplied (SSR hydration), start authenticated.\n  const serverToken = options.token ?? null;\n  const hasServerToken = serverToken !== null;\n\n  let token: string | null = serverToken;\n  let isLoading = !hasServerToken;\n  let snapshot: AuthState = {\n    isLoading,\n    isAuthenticated: hasServerToken,\n    token,\n  };\n  let handlingCodeFlow = false;\n\n  const notify = () => {\n    for (const cb of subscribers) cb();\n  };\n\n  const updateSnapshot = () => {\n    const next: AuthState = {\n      isLoading,\n      isAuthenticated: token !== null,\n      token,\n    };\n    if (\n      snapshot.isLoading === next.isLoading &&\n      snapshot.isAuthenticated === next.isAuthenticated &&\n      snapshot.token === next.token\n    ) {\n      return false;\n    }\n    snapshot = next;\n    return true;\n  };\n\n  // ---------------------------------------------------------------------------\n  // Storage helpers (SPA mode only)\n  // ---------------------------------------------------------------------------\n\n  const storageGet = async (name: string) =>\n    storage ? ((await storage.getItem(key(name))) ?? null) : null;\n  const storageSet = async (name: string, value: string) => {\n    if (storage) await storage.setItem(key(name), value);\n  };\n  const storageRemove = async (name: string) => {\n    if (storage) await storage.removeItem(key(name));\n  };\n\n  // ---------------------------------------------------------------------------\n  // Token management\n  // ---------------------------------------------------------------------------\n\n  const setToken = async (\n    args:\n      | { shouldStore: true; tokens: AuthSession | null }\n      | { shouldStore: false; tokens: { token: string } | null },\n  ) => {\n    if (args.tokens === null) {\n      token = null;\n      if (args.shouldStore) {\n        await storageRemove(JWT_STORAGE_KEY);\n        await storageRemove(REFRESH_TOKEN_STORAGE_KEY);\n      }\n    } else {\n      token = args.tokens.token;\n      if (args.shouldStore && \"refreshToken\" in args.tokens) {\n        await storageSet(JWT_STORAGE_KEY, args.tokens.token);\n        await storageSet(REFRESH_TOKEN_STORAGE_KEY, args.tokens.refreshToken);\n      }\n    }\n    const hadPendingLoad = isLoading;\n    isLoading = false;\n    const changed = updateSnapshot();\n    if (hadPendingLoad || changed) {\n      // Re-sync the Convex client so it picks up the new token immediately.\n      // Without this, the initial convex.setAuth(fetchAccessToken) from\n      // initialization never re-polls and queries run unauthenticated after\n      // magic link code exchange.\n      if (!proxy) {\n        convex.setAuth(fetchAccessToken);\n      }\n      notify();\n    }\n  };\n\n  // ---------------------------------------------------------------------------\n  // Proxy fetch helper\n  // ---------------------------------------------------------------------------\n\n  const proxyFetch = async (body: Record<string, unknown>) => {\n    const response = await fetch(proxy!, {\n      method: \"POST\",\n      headers: { \"Content-Type\": \"application/json\" },\n      credentials: \"include\",\n      body: JSON.stringify(body),\n    });\n    if (!response.ok) {\n      const errorBody = await response.json().catch(() => ({} as Record<string, unknown>));\n      // Reconstruct ConvexError when the proxy forwards structured auth error data.\n      if (\n        typeof errorBody === \"object\" &&\n        errorBody !== null &&\n        \"authError\" in errorBody &&\n        typeof (errorBody as Record<string, unknown>).authError === \"object\"\n      ) {\n        throw new ConvexError((errorBody as Record<string, unknown>).authError as Value);\n      }\n      throw new Error(\n        (errorBody as Record<string, unknown>).error as string ??\n          `Proxy request failed: ${response.status}`,\n      );\n    }\n    return response.json();\n  };\n\n  // ---------------------------------------------------------------------------\n  // Code verification with retries (SPA mode only)\n  // ---------------------------------------------------------------------------\n\n  const verifyCode = async (\n    args: { code: string; verifier?: string } | { refreshToken: string },\n  ) => {\n    let lastError: unknown;\n    let retry = 0;\n    while (retry < RETRY_BACKOFF.length) {\n      try {\n        return await httpClient!.action(\n          \"auth:signIn\" as any,\n          \"code\" in args\n            ? { params: { code: args.code }, verifier: args.verifier }\n            : args,\n        );\n      } catch (e) {\n        lastError = e;\n        const isNetworkError =\n          e instanceof Error && /network/i.test(e.message || \"\");\n        if (!isNetworkError) break;\n        const wait = RETRY_BACKOFF[retry]! + RETRY_JITTER * Math.random();\n        retry++;\n        await new Promise((resolve) => setTimeout(resolve, wait));\n      }\n    }\n    throw lastError;\n  };\n\n  const verifyCodeAndSetToken = async (\n    args: { code: string; verifier?: string } | { refreshToken: string },\n  ) => {\n    const { tokens } = await verifyCode(args);\n    await setToken({\n      shouldStore: true,\n      tokens: (tokens as AuthSession | null) ?? null,\n    });\n    return tokens !== null;\n  };\n\n  // ---------------------------------------------------------------------------\n  // signIn\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Sign in with a provider.\n   *\n   * @param provider - Provider ID (e.g. `\"email\"`, `\"password\"`, `\"google\"`).\n   *   Omit when exchanging an OAuth code (the code carries the provider info).\n   * @param args - Provider-specific arguments. Pass a `Record<string, Value>`\n   *   or `FormData`. Common fields: `email`, `password`, `code`, `redirectTo`.\n   * @returns A {@link SignInResult} indicating the outcome.\n   *\n   * @example Email magic link\n   * ```ts\n   * await auth.signIn('email', { email: 'user@example.com' });\n   * ```\n   *\n   * @example Password\n   * ```ts\n   * const result = await auth.signIn('password', { email, password, flow: 'signIn' });\n   * if (result.totpRequired) {\n   *   await auth.totp.verify({ code: totpCode, verifier: result.verifier! });\n   * }\n   * ```\n   *\n   * @example OAuth (triggers redirect)\n   * ```ts\n   * await auth.signIn('google'); // redirects to Google\n   * ```\n   */\n  const signIn = async (\n    provider?: string,\n    args?: FormData | Record<string, Value>,\n  ): Promise<SignInResult> => {\n    const params =\n      args instanceof FormData\n        ? Array.from(args.entries()).reduce(\n            (acc, [k, v]) => {\n              acc[k] = v as string;\n              return acc;\n            },\n            {} as Record<string, string>,\n          )\n        : args ?? {};\n\n    if (proxy) {\n      // Proxy mode: POST to the proxy endpoint.\n      const result = await proxyFetch({\n        action: \"auth:signIn\",\n        args: { provider, params },\n      });\n      if (result.redirect !== undefined) {\n        const redirectUrl = new URL(result.redirect);\n        // Verifier is stored server-side in an httpOnly cookie.\n        if (typeof window !== \"undefined\") {\n          window.location.href = redirectUrl.toString();\n        }\n        return { signingIn: false, redirect: redirectUrl };\n      }\n      if (result.totpRequired) {\n        return { signingIn: false, totpRequired: true, verifier: result.verifier };\n      }\n      if (result.deviceCode !== undefined) {\n        return { signingIn: false, deviceCode: result.deviceCode as DeviceCodeResult };\n      }\n      if (result.tokens !== undefined) {\n        // Proxy returns { token, refreshToken: \"dummy\" }.\n        // Store JWT in memory only — real refresh token is in httpOnly cookie.\n        await setToken({\n          shouldStore: false,\n          tokens:\n            result.tokens === null ? null : { token: result.tokens.token },\n        });\n        return { signingIn: result.tokens !== null };\n      }\n      return { signingIn: false };\n    }\n\n    // SPA mode: call Convex directly.\n    const verifier = (await storageGet(VERIFIER_STORAGE_KEY)) ?? undefined;\n    await storageRemove(VERIFIER_STORAGE_KEY);\n    const result = await convex.action(\"auth:signIn\" as any, {\n      provider,\n      params,\n      verifier,\n    });\n    if (result.redirect !== undefined) {\n      const redirectUrl = new URL(result.redirect);\n      await storageSet(VERIFIER_STORAGE_KEY, result.verifier!);\n      if (typeof window !== \"undefined\") {\n        window.location.href = redirectUrl.toString();\n      }\n      return { signingIn: false, redirect: redirectUrl };\n    }\n    if (result.totpRequired) {\n      return { signingIn: false, totpRequired: true, verifier: result.verifier };\n    }\n    if (result.deviceCode !== undefined) {\n      return { signingIn: false, deviceCode: result.deviceCode as DeviceCodeResult };\n    }\n    if (result.tokens !== undefined) {\n      await setToken({\n        shouldStore: true,\n        tokens: (result.tokens as AuthSession | null) ?? null,\n      });\n      return { signingIn: result.tokens !== null };\n    }\n    return { signingIn: false };\n  };\n\n  // ---------------------------------------------------------------------------\n  // signOut\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Sign out the current user.\n   *\n   * Invalidates the server session and clears local token state.\n   * Errors are silently caught — calling `signOut` on an already\n   * signed-out user is a no-op.\n   */\n  const signOut = async () => {\n    if (proxy) {\n      try {\n        await proxyFetch({ action: \"auth:signOut\", args: {} });\n      } catch {\n        // Already signed out is fine.\n      }\n      await setToken({ shouldStore: false, tokens: null });\n      if (convex.clearAuth) convex.clearAuth();\n      return;\n    }\n\n    // SPA mode.\n    try {\n      await convex.action(\"auth:signOut\" as any, {});\n    } catch {\n      // Already signed out is fine.\n    }\n    await setToken({ shouldStore: true, tokens: null });\n    if (convex.clearAuth) convex.clearAuth();\n  };\n\n  // ---------------------------------------------------------------------------\n  // fetchAccessToken — called by convex.setAuth()\n  // ---------------------------------------------------------------------------\n\n  const fetchAccessToken = async ({\n    forceRefreshToken,\n  }: {\n    forceRefreshToken: boolean;\n  }): Promise<string | null> => {\n    if (!forceRefreshToken) return token;\n\n    if (proxy) {\n      // Proxy mode: POST to the proxy to refresh.\n      // The proxy reads the real refresh token from the httpOnly cookie.\n      const tokenBeforeRefresh = token;\n      return await browserMutex(\"__convexAuthProxyRefresh\", async () => {\n        // Another tab/call may have already refreshed.\n        if (token !== tokenBeforeRefresh) return token;\n        try {\n          const result = await proxyFetch({\n            action: \"auth:signIn\",\n            args: { refreshToken: true },\n          });\n          if (result.tokens) {\n            await setToken({\n              shouldStore: false,\n              tokens: { token: result.tokens.token },\n            });\n          } else {\n            await setToken({ shouldStore: false, tokens: null });\n          }\n        } catch {\n          await setToken({ shouldStore: false, tokens: null });\n        }\n        return token;\n      });\n    }\n\n    // SPA mode: refresh via localStorage + httpClient.\n    const tokenBeforeLockAcquisition = token;\n    return await browserMutex(REFRESH_TOKEN_STORAGE_KEY, async () => {\n      const tokenAfterLockAcquisition = token;\n      if (tokenAfterLockAcquisition !== tokenBeforeLockAcquisition) {\n        return tokenAfterLockAcquisition;\n      }\n      const refreshToken =\n        (await storageGet(REFRESH_TOKEN_STORAGE_KEY)) ?? null;\n      if (!refreshToken) {\n        return null;\n      }\n      await verifyCodeAndSetToken({ refreshToken });\n      return token;\n    });\n  };\n\n  // ---------------------------------------------------------------------------\n  // OAuth code flow (SPA mode only — server handles this in proxy mode)\n  // ---------------------------------------------------------------------------\n\n  const handleCodeFlow = async () => {\n    if (typeof window === \"undefined\") return;\n    if (handlingCodeFlow) return;\n    const code = new URLSearchParams(window.location.search).get(\"code\");\n    if (!code) return;\n    handlingCodeFlow = true;\n    const codeUrl = new URL(window.location.href);\n    codeUrl.searchParams.delete(\"code\");\n    try {\n      await replaceURL(codeUrl.pathname + codeUrl.search + codeUrl.hash);\n      await signIn(undefined, { code });\n    } finally {\n      handlingCodeFlow = false;\n    }\n  };\n\n  // ---------------------------------------------------------------------------\n  // Hydrate from storage (SPA mode only)\n  // ---------------------------------------------------------------------------\n\n  const hydrateFromStorage = async () => {\n    const storedToken = (await storageGet(JWT_STORAGE_KEY)) ?? null;\n    await setToken({\n      shouldStore: false,\n      tokens: storedToken === null ? null : { token: storedToken },\n    });\n  };\n\n  // ---------------------------------------------------------------------------\n  // Subscribe\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Subscribe to auth state changes. Invokes the callback immediately\n   * with the current state, then again on every state transition.\n   *\n   * ```ts\n   * const unsub = auth.onChange(setState);\n   * ```\n   *\n   * @param cb - Callback receiving the latest {@link AuthState}.\n   * @returns An unsubscribe function.\n   */\n  const onChange = (cb: (state: AuthState) => void): (() => void) => {\n    cb(snapshot);\n    const wrapped = () => cb(snapshot);\n    subscribers.add(wrapped);\n    return () => {\n      subscribers.delete(wrapped);\n    };\n  };\n\n  // ---------------------------------------------------------------------------\n  // Initialization\n  // ---------------------------------------------------------------------------\n\n  // Cross-tab sync via storage events (SPA mode only).\n  if (!proxy && typeof window !== \"undefined\") {\n    const onStorage = (event: StorageEvent) => {\n      void (async () => {\n        if (event.key !== key(JWT_STORAGE_KEY)) return;\n        await setToken({\n          shouldStore: false,\n          tokens:\n            event.newValue === null ? null : { token: event.newValue },\n        });\n      })();\n    };\n    window.addEventListener(\"storage\", onStorage);\n  }\n\n  // Auto-wire: feed our tokens into the Convex client so\n  // queries and mutations are automatically authenticated.\n  convex.setAuth(fetchAccessToken);\n\n  // Auto-hydrate and handle code flow.\n  if (typeof window !== \"undefined\") {\n    if (proxy) {\n      // Proxy mode: if no initialToken was provided, try a refresh\n      // to pick up any existing session from httpOnly cookies.\n      if (!hasServerToken) {\n        void fetchAccessToken({ forceRefreshToken: true });\n      } else {\n        // initialToken already set — mark loading as done.\n        isLoading = false;\n        updateSnapshot();\n      }\n    } else {\n      // SPA mode: hydrate from localStorage, then handle OAuth code flow.\n      void hydrateFromStorage().then(() =>\n        handleCodeFlow().catch((error: unknown) => {\n          console.error(\"[convex-auth] Code exchange failed:\", error);\n        }),\n      );\n    }\n  }\n\n  // ---------------------------------------------------------------------------\n  // Passkey helpers\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Base64url encode/decode helpers for the WebAuthn credential API.\n   * These run client-side only (browser context).\n   */\n  const base64urlEncode = (buffer: ArrayBuffer): string => {\n    const bytes = new Uint8Array(buffer);\n    let binary = \"\";\n    for (let i = 0; i < bytes.byteLength; i++) {\n      binary += String.fromCharCode(bytes[i]!);\n    }\n    return btoa(binary).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n  };\n\n  const base64urlDecode = (str: string): Uint8Array => {\n    const padded = str.replace(/-/g, \"+\").replace(/_/g, \"/\");\n    const binary = atob(padded);\n    const bytes = new Uint8Array(binary.length);\n    for (let i = 0; i < binary.length; i++) {\n      bytes[i] = binary.charCodeAt(i);\n    }\n    return bytes;\n  };\n\n  const passkey = {\n    /**\n     * Check if WebAuthn passkeys are supported in the current environment.\n     */\n    isSupported: (): boolean => {\n      return (\n        typeof window !== \"undefined\" &&\n        typeof window.PublicKeyCredential !== \"undefined\"\n      );\n    },\n\n    /**\n     * Check if conditional UI (autofill-assisted passkey sign-in) is supported.\n     *\n     * ```ts\n     * if (await auth.passkey.isAutofillSupported()) {\n     *   auth.passkey.authenticate({ autofill: true });\n     * }\n     * ```\n     */\n    isAutofillSupported: async (): Promise<boolean> => {\n      if (typeof window === \"undefined\") return false;\n      if (typeof window.PublicKeyCredential === \"undefined\") return false;\n      if (\n        typeof (\n          window.PublicKeyCredential as any\n        ).isConditionalMediationAvailable !== \"function\"\n      ) {\n        return false;\n      }\n      return (\n        window.PublicKeyCredential as any\n      ).isConditionalMediationAvailable();\n    },\n\n    /**\n     * Register a new passkey for the current or new user.\n     *\n     * Performs the full two-round-trip WebAuthn registration ceremony:\n     * 1. Requests creation options from the server (challenge, RP info)\n     * 2. Calls `navigator.credentials.create()` with the options\n     * 3. Sends the attestation back to the server for verification\n     * 4. Server creates user + account + passkey records and returns tokens\n     *\n     * Works in both SPA and proxy (SSR) modes.\n     *\n     * ```ts\n     * await auth.passkey.register({ name: \"MacBook Touch ID\" });\n     * ```\n     *\n     * @param opts.name - Friendly name for this passkey\n     * @param opts.email - Email to associate with the new account\n     * @param opts.userName - Username for the credential (defaults to email)\n     * @param opts.userDisplayName - Display name for the credential\n     * @returns `{ signingIn: true }` on success\n     */\n    register: async (\n      opts?: {\n        name?: string;\n        email?: string;\n        userName?: string;\n        userDisplayName?: string;\n      },\n    ): Promise<SignInResult> => {\n      const phase1Params = {\n        flow: \"register-options\",\n        email: opts?.email,\n        userName: opts?.userName,\n        userDisplayName: opts?.userDisplayName,\n      };\n\n      // Phase 1: Get registration options from server\n      let phase1Result: any;\n      if (proxy) {\n        phase1Result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: { provider: \"passkey\", params: phase1Params },\n        });\n      } else {\n        phase1Result = await convex.action(\"auth:signIn\" as any, {\n          provider: \"passkey\",\n          params: phase1Params,\n        });\n      }\n\n      if (!phase1Result.options) {\n        throw new Error(\"Server did not return passkey registration options\");\n      }\n\n      const options = phase1Result.options;\n\n      // Convert base64url strings to ArrayBuffers for the credential API\n      const createOptions: CredentialCreationOptions = {\n        publicKey: {\n          rp: options.rp,\n          user: {\n            id: base64urlDecode(options.user.id).buffer as ArrayBuffer,\n            name: options.user.name,\n            displayName: options.user.displayName,\n          },\n          challenge: base64urlDecode(options.challenge).buffer as ArrayBuffer,\n          pubKeyCredParams: options.pubKeyCredParams,\n          timeout: options.timeout,\n          attestation: options.attestation,\n          authenticatorSelection: options.authenticatorSelection,\n          excludeCredentials: (options.excludeCredentials ?? []).map(\n            (cred: any) => ({\n              type: cred.type ?? \"public-key\",\n              id: base64urlDecode(cred.id).buffer as ArrayBuffer,\n              transports: cred.transports,\n            }),\n          ),\n        },\n      };\n\n      // Phase 2: Create credential via browser API\n      const credential = (await navigator.credentials.create(\n        createOptions,\n      )) as PublicKeyCredential | null;\n      if (!credential) {\n        throw new Error(\"Passkey registration was cancelled\");\n      }\n\n      const response =\n        credential.response as AuthenticatorAttestationResponse;\n\n      // Extract transports if available\n      const transports =\n        typeof response.getTransports === \"function\"\n          ? response.getTransports()\n          : undefined;\n\n      const phase2Params = {\n        flow: \"register-verify\",\n        clientDataJSON: base64urlEncode(response.clientDataJSON),\n        attestationObject: base64urlEncode(response.attestationObject),\n        transports,\n        passkeyName: opts?.name,\n        email: opts?.email,\n      };\n\n      // Phase 3: Send attestation to server for verification\n      let phase2Result: any;\n      if (proxy) {\n        // In proxy mode the verifier is stored in an httpOnly cookie by the proxy.\n        // We pass it back explicitly so the proxy can forward it to Convex.\n        phase2Result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: {\n            provider: \"passkey\",\n            params: phase2Params,\n            verifier: phase1Result.verifier,\n          },\n        });\n      } else {\n        phase2Result = await convex.action(\"auth:signIn\" as any, {\n          provider: \"passkey\",\n          params: phase2Params,\n          verifier: phase1Result.verifier,\n        });\n      }\n\n      if (phase2Result.tokens) {\n        if (proxy) {\n          await setToken({\n            shouldStore: false,\n            tokens:\n              phase2Result.tokens === null\n                ? null\n                : { token: phase2Result.tokens.token },\n          });\n        } else {\n          await setToken({\n            shouldStore: true,\n            tokens: phase2Result.tokens as AuthSession,\n          });\n        }\n        return { signingIn: true };\n      }\n      return { signingIn: false };\n    },\n\n    /**\n     * Authenticate with an existing passkey.\n     *\n     * Performs the full two-round-trip WebAuthn authentication ceremony:\n     * 1. Requests assertion options from the server (challenge, allowed credentials)\n     * 2. Calls `navigator.credentials.get()` with the options\n     * 3. Sends the assertion back to the server for signature verification\n     * 4. Server verifies signature, updates counter, creates session, returns tokens\n     *\n     * Works in both SPA and proxy (SSR) modes.\n     *\n     * ```ts\n     * // Discoverable credential (no email needed)\n     * await auth.passkey.authenticate();\n     *\n     * // Scoped to a specific user's credentials\n     * await auth.passkey.authenticate({ email: \"user@example.com\" });\n     *\n     * // Autofill-assisted (conditional UI)\n     * await auth.passkey.authenticate({ autofill: true });\n     * ```\n     *\n     * @param opts.email - Scope to credentials for this email's user\n     * @param opts.autofill - Use conditional mediation (autofill UI)\n     * @returns `{ signingIn: true }` on success\n     */\n    authenticate: async (\n      opts?: { email?: string; autofill?: boolean },\n    ): Promise<SignInResult> => {\n      const phase1Params = {\n        flow: \"auth-options\",\n        email: opts?.email,\n      };\n\n      // Phase 1: Get assertion options from server\n      let phase1Result: any;\n      if (proxy) {\n        phase1Result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: { provider: \"passkey\", params: phase1Params },\n        });\n      } else {\n        phase1Result = await convex.action(\"auth:signIn\" as any, {\n          provider: \"passkey\",\n          params: phase1Params,\n        });\n      }\n\n      if (!phase1Result.options) {\n        throw new Error(\"Server did not return passkey authentication options\");\n      }\n\n      const options = phase1Result.options;\n\n      // Convert base64url strings to ArrayBuffers for the credential API\n      const getOptions: CredentialRequestOptions = {\n        publicKey: {\n          challenge: base64urlDecode(options.challenge).buffer as ArrayBuffer,\n          timeout: options.timeout,\n          rpId: options.rpId,\n          userVerification: options.userVerification,\n          allowCredentials: (options.allowCredentials ?? []).map(\n            (cred: any) => ({\n              type: cred.type ?? \"public-key\",\n              id: base64urlDecode(cred.id).buffer as ArrayBuffer,\n              transports: cred.transports,\n            }),\n          ),\n        },\n        ...(opts?.autofill ? { mediation: \"conditional\" as any } : {}),\n      };\n\n      // Phase 2: Get credential via browser API\n      const credential = (await navigator.credentials.get(\n        getOptions,\n      )) as PublicKeyCredential | null;\n      if (!credential) {\n        throw new Error(\"Passkey authentication was cancelled\");\n      }\n\n      const response =\n        credential.response as AuthenticatorAssertionResponse;\n\n      const phase2Params = {\n        flow: \"auth-verify\",\n        credentialId: base64urlEncode(credential.rawId),\n        clientDataJSON: base64urlEncode(response.clientDataJSON),\n        authenticatorData: base64urlEncode(response.authenticatorData),\n        signature: base64urlEncode(response.signature),\n      };\n\n      // Phase 3: Send assertion to server for verification\n      let phase2Result: any;\n      if (proxy) {\n        phase2Result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: {\n            provider: \"passkey\",\n            params: phase2Params,\n            verifier: phase1Result.verifier,\n          },\n        });\n      } else {\n        phase2Result = await convex.action(\"auth:signIn\" as any, {\n          provider: \"passkey\",\n          params: phase2Params,\n          verifier: phase1Result.verifier,\n        });\n      }\n\n      if (phase2Result.tokens) {\n        if (proxy) {\n          await setToken({\n            shouldStore: false,\n            tokens:\n              phase2Result.tokens === null\n                ? null\n                : { token: phase2Result.tokens.token },\n          });\n        } else {\n          await setToken({\n            shouldStore: true,\n            tokens: phase2Result.tokens as AuthSession,\n          });\n        }\n        return { signingIn: true };\n      }\n      return { signingIn: false };\n    },\n  };\n\n  const totp = {\n    /**\n     * Start TOTP enrollment. Must be authenticated.\n     *\n     * Returns a URI for QR code display and a base32 secret for manual entry.\n     *\n     * ```ts\n     * const setup = await auth.totp.setup();\n     * // Display QR code from setup.uri\n     * // Or show setup.secret for manual entry\n     * ```\n     */\n    setup: async (\n      opts?: { name?: string; accountName?: string },\n    ): Promise<{ uri: string; secret: string; verifier: string; totpId: string }> => {\n      const params: Record<string, any> = { flow: \"setup\" };\n      if (opts?.name) params.name = opts.name;\n      if (opts?.accountName) params.accountName = opts.accountName;\n\n      if (proxy) {\n        const result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: { provider: \"totp\", params },\n        });\n        return { uri: result.totpSetup.uri, secret: result.totpSetup.secret, verifier: result.verifier, totpId: result.totpSetup.totpId };\n      }\n\n      const result = await convex.action(\"auth:signIn\" as any, {\n        provider: \"totp\",\n        params,\n      });\n      return { uri: result.totpSetup.uri, secret: result.totpSetup.secret, verifier: result.verifier, totpId: result.totpSetup.totpId };\n    },\n\n    /**\n     * Complete TOTP enrollment by verifying the first code from the authenticator app.\n     *\n     * ```ts\n     * await auth.totp.confirm({ code: \"123456\", verifier: setup.verifier, totpId: setup.totpId });\n     * ```\n     */\n    confirm: async (opts: {\n      code: string;\n      verifier: string;\n      totpId: string;\n    }): Promise<void> => {\n      const params: Record<string, any> = {\n        flow: \"confirm\",\n        code: opts.code,\n        totpId: opts.totpId,\n      };\n\n      if (proxy) {\n        const result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: { provider: \"totp\", params, verifier: opts.verifier },\n        });\n        if (result.tokens) {\n          await setToken({\n            shouldStore: false,\n            tokens: result.tokens === null ? null : { token: result.tokens.token },\n          });\n        }\n        return;\n      }\n\n      const result = await convex.action(\"auth:signIn\" as any, {\n        provider: \"totp\",\n        params,\n        verifier: opts.verifier,\n      });\n      if (result.tokens) {\n        await setToken({\n          shouldStore: true,\n          tokens: (result.tokens as AuthSession | null) ?? null,\n        });\n      }\n    },\n\n    /**\n     * Complete 2FA verification during sign-in.\n     *\n     * Called after a credentials sign-in returns `totpRequired: true`.\n     *\n     * ```ts\n     * const result = await auth.signIn(\"password\", { email, password });\n     * if (result.totpRequired) {\n     *   await auth.totp.verify({ code: \"123456\", verifier: result.verifier! });\n     * }\n     * ```\n     */\n    verify: async (opts: { code: string; verifier: string }): Promise<void> => {\n      const params: Record<string, any> = {\n        flow: \"verify\",\n        code: opts.code,\n      };\n\n      if (proxy) {\n        const result = await proxyFetch({\n          action: \"auth:signIn\",\n          args: { provider: \"totp\", params, verifier: opts.verifier },\n        });\n        if (result.tokens) {\n          await setToken({\n            shouldStore: false,\n            tokens: result.tokens === null ? null : { token: result.tokens.token },\n          });\n        }\n        return;\n      }\n\n      const result = await convex.action(\"auth:signIn\" as any, {\n        provider: \"totp\",\n        params,\n        verifier: opts.verifier,\n      });\n      if (result.tokens) {\n        await setToken({\n          shouldStore: true,\n          tokens: (result.tokens as AuthSession | null) ?? null,\n        });\n      }\n    },\n  };\n\n  const device = {\n    /**\n     * Poll for device authorization status.\n     *\n     * The device calls this repeatedly (respecting `interval`) after\n     * initiating a device flow via `signIn(\"device\")`. Returns when\n     * the user authorizes, or throws on timeout/denial.\n     *\n     * ```ts\n     * const result = await auth.signIn(\"device\");\n     * const { deviceCode } = result;\n     * // Display deviceCode.userCode to the user, then poll:\n     * await auth.device.poll(deviceCode);\n     * // User is now signed in\n     * ```\n     *\n     * @param code - The {@link DeviceCodeResult} from `signIn(\"device\")`.\n     * @returns Resolves when the device is authorized and tokens are stored.\n     * @throws When the code expires, is denied, or polling encounters an error.\n     */\n    poll: async (code: DeviceCodeResult): Promise<void> => {\n      const intervalMs = code.interval * 1000;\n      const expiresAt = Date.now() + code.expiresIn * 1000;\n\n      while (Date.now() < expiresAt) {\n        await new Promise((resolve) => setTimeout(resolve, intervalMs));\n\n        try {\n          let result: any;\n          const params: Record<string, any> = {\n            flow: \"poll\",\n            deviceCode: code.deviceCode,\n          };\n\n          if (proxy) {\n            result = await proxyFetch({\n              action: \"auth:signIn\",\n              args: { provider: \"device\", params },\n            });\n          } else {\n            result = await convex.action(\"auth:signIn\" as any, {\n              provider: \"device\",\n              params,\n            });\n          }\n\n          // Authorized — tokens received\n          if (result.tokens) {\n            if (proxy) {\n              await setToken({\n                shouldStore: false,\n                tokens:\n                  result.tokens === null\n                    ? null\n                    : { token: result.tokens.token },\n              });\n            } else {\n              await setToken({\n                shouldStore: true,\n                tokens: (result.tokens as AuthSession | null) ?? null,\n              });\n            }\n            return;\n          }\n        } catch (e: unknown) {\n          // Handle expected polling errors\n          if (e instanceof ConvexError) {\n            const data = e.data as Record<string, unknown>;\n            const code_ = data?.code as string | undefined;\n            if (code_ === \"DEVICE_AUTHORIZATION_PENDING\") {\n              continue; // Keep polling\n            }\n            if (code_ === \"DEVICE_SLOW_DOWN\") {\n              // Back off by adding one interval\n              await new Promise((resolve) =>\n                setTimeout(resolve, intervalMs),\n              );\n              continue;\n            }\n          }\n          // Non-recoverable error — rethrow\n          throw e;\n        }\n      }\n\n      throw new Error(\"Device authorization timed out.\");\n    },\n\n    /**\n     * Authorize a device from the verification page.\n     *\n     * Called by an authenticated user on the verification page after\n     * they enter the user code displayed on the device.\n     *\n     * ```ts\n     * // On the /device verification page:\n     * await auth.device.verify(userCode);\n     * ```\n     *\n     * @param userCode - The user code entered by the user (e.g. \"WDJB-MJHT\").\n     */\n    verify: async (userCode: string): Promise<void> => {\n      const params: Record<string, any> = {\n        flow: \"verify\",\n        userCode,\n      };\n\n      if (proxy) {\n        await proxyFetch({\n          action: \"auth:signIn\",\n          args: { provider: \"device\", params },\n        });\n      } else {\n        await convex.action(\"auth:signIn\" as any, {\n          provider: \"device\",\n          params,\n        });\n      }\n    },\n  };\n\n  return {\n    /** Current auth state snapshot. */\n    get state(): AuthState {\n      return snapshot;\n    },\n    /** Sign in with a provider. See {@link SignInResult} for return shape. */\n    signIn,\n    /** Sign out and clear all token state. */\n    signOut,\n    /** Subscribe to auth state changes. Returns an unsubscribe function. */\n    onChange,\n    /** Passkey (WebAuthn) authentication helpers. */\n    passkey,\n    /** TOTP two-factor authentication helpers. */\n    totp,\n    /** Device authorization (RFC 8628) helpers. */\n    device,\n  };\n}\n\n// ---------------------------------------------------------------------------\n// Browser mutex — ensures only one tab refreshes a token at a time.\n// ---------------------------------------------------------------------------\n\nasync function browserMutex<T>(\n  key: string,\n  callback: () => Promise<T>,\n): Promise<T> {\n  const lockManager = (globalThis as any)?.navigator?.locks;\n  return lockManager !== undefined\n    ? await lockManager.request(key, callback)\n    : await manualMutex(key, callback);\n}\n\nfunction getMutexValue(key: string): {\n  currentlyRunning: Promise<void> | null;\n  waiting: Array<() => Promise<void>>;\n} {\n  if ((globalThis as any).__convexAuthMutexes === undefined) {\n    (globalThis as any).__convexAuthMutexes = {} as Record<\n      string,\n      {\n        currentlyRunning: Promise<void> | null;\n        waiting: Array<() => Promise<void>>;\n      }\n    >;\n  }\n  let mutex = (globalThis as any).__convexAuthMutexes[key];\n  if (mutex === undefined) {\n    (globalThis as any).__convexAuthMutexes[key] = {\n      currentlyRunning: null,\n      waiting: [],\n    };\n  }\n  mutex = (globalThis as any).__convexAuthMutexes[key];\n  return mutex;\n}\n\nfunction setMutexValue(\n  key: string,\n  value: {\n    currentlyRunning: Promise<void> | null;\n    waiting: Array<() => Promise<void>>;\n  },\n) {\n  (globalThis as any).__convexAuthMutexes[key] = value;\n}\n\nasync function enqueueCallbackForMutex(\n  key: string,\n  callback: () => Promise<void>,\n) {\n  const mutex = getMutexValue(key);\n  if (mutex.currentlyRunning === null) {\n    setMutexValue(key, {\n      currentlyRunning: callback().finally(() => {\n        const nextCb = getMutexValue(key).waiting.shift();\n        getMutexValue(key).currentlyRunning = null;\n        setMutexValue(key, {\n          ...getMutexValue(key),\n          currentlyRunning:\n            nextCb === undefined ? null : enqueueCallbackForMutex(key, nextCb),\n        });\n      }),\n      waiting: [],\n    });\n  } else {\n    setMutexValue(key, {\n      ...mutex,\n      waiting: [...mutex.waiting, callback],\n    });\n  }\n}\n\nasync function manualMutex<T>(\n  key: string,\n  callback: () => Promise<T>,\n): Promise<T> {\n  const outerPromise = new Promise<T>((resolve, reject) => {\n    const wrappedCallback: () => Promise<void> = () => {\n      return callback()\n        .then((v) => resolve(v))\n        .catch((e) => reject(e));\n    };\n    void enqueueCallbackForMutex(key, wrappedCallback);\n  });\n  return outerPromise;\n}\n"],"mappings":";;;;;AAyIA,MAAM,uBAAuB;AAC7B,MAAM,kBAAkB;AACxB,MAAM,4BAA4B;AAElC,MAAM,gBAAgB,CAAC,KAAK,IAAK;AACjC,MAAM,eAAe;;;;;;;AAQrB,SAAS,WAAW,QAAyB,UAA2B;AACtE,KAAI,SAAU,QAAO;CACrB,MAAM,IAAI;CACV,MAAM,MAAe,EAAE,OAAO,EAAE,QAAQ;AACxC,KAAI,OAAO,QAAQ,SAAU,QAAO;AACpC,OAAM,IAAI,MACR,oEACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAoCH,SAAgB,OAAO,SAAwB;CAC7C,MAAM,EAAE,QAAQ,UAAU;CAG1B,MAAM,UACJ,QAAQ,YAAY,SAChB,QAAQ,UACR,QACE,OACA,OAAO,WAAW,cAChB,OACA,OAAO;CAEjB,MAAM,aACJ,QAAQ,gBACN,UAAgB;AAChB,MAAI,OAAO,WAAW,YACpB,QAAO,QAAQ,aAAa,EAAE,EAAE,IAAIA,MAAI;;CAI9C,MAAM,MAAM,QAAQ,SAAY,WAAW,QAAQ,QAAQ,IAAI;CAC/D,MAAM,mBAAmB,QACrB,MAAM,QAAQ,iBAAiB,GAAG,GAClC,IAAK,QAAQ,iBAAiB,GAAG;CACrC,MAAM,OAAO,SAAiB,GAAG,KAAK,GAAG;CACzC,MAAM,8BAAc,IAAI,KAAiB;CAIzC,MAAM,aAAa,QAAQ,OAAO,IAAI,iBAAiB,IAAK;CAO5D,MAAM,cAAc,QAAQ,SAAS;CACrC,MAAM,iBAAiB,gBAAgB;CAEvC,IAAI,QAAuB;CAC3B,IAAI,YAAY,CAAC;CACjB,IAAI,WAAsB;EACxB;EACA,iBAAiB;EACjB;EACD;CACD,IAAI,mBAAmB;CAEvB,MAAM,eAAe;AACnB,OAAK,MAAM,MAAM,YAAa,KAAI;;CAGpC,MAAM,uBAAuB;EAC3B,MAAM,OAAkB;GACtB;GACA,iBAAiB,UAAU;GAC3B;GACD;AACD,MACE,SAAS,cAAc,KAAK,aAC5B,SAAS,oBAAoB,KAAK,mBAClC,SAAS,UAAU,KAAK,MAExB,QAAO;AAET,aAAW;AACX,SAAO;;CAOT,MAAM,aAAa,OAAO,SACxB,UAAY,MAAM,QAAQ,QAAQ,IAAI,KAAK,CAAC,IAAK,OAAQ;CAC3D,MAAM,aAAa,OAAO,MAAc,UAAkB;AACxD,MAAI,QAAS,OAAM,QAAQ,QAAQ,IAAI,KAAK,EAAE,MAAM;;CAEtD,MAAM,gBAAgB,OAAO,SAAiB;AAC5C,MAAI,QAAS,OAAM,QAAQ,WAAW,IAAI,KAAK,CAAC;;CAOlD,MAAM,WAAW,OACf,SAGG;AACH,MAAI,KAAK,WAAW,MAAM;AACxB,WAAQ;AACR,OAAI,KAAK,aAAa;AACpB,UAAM,cAAc,gBAAgB;AACpC,UAAM,cAAc,0BAA0B;;SAE3C;AACL,WAAQ,KAAK,OAAO;AACpB,OAAI,KAAK,eAAe,kBAAkB,KAAK,QAAQ;AACrD,UAAM,WAAW,iBAAiB,KAAK,OAAO,MAAM;AACpD,UAAM,WAAW,2BAA2B,KAAK,OAAO,aAAa;;;EAGzE,MAAM,iBAAiB;AACvB,cAAY;EACZ,MAAM,UAAU,gBAAgB;AAChC,MAAI,kBAAkB,SAAS;AAK7B,OAAI,CAAC,MACH,QAAO,QAAQ,iBAAiB;AAElC,WAAQ;;;CAQZ,MAAM,aAAa,OAAO,SAAkC;EAC1D,MAAM,WAAW,MAAM,MAAM,OAAQ;GACnC,QAAQ;GACR,SAAS,EAAE,gBAAgB,oBAAoB;GAC/C,aAAa;GACb,MAAM,KAAK,UAAU,KAAK;GAC3B,CAAC;AACF,MAAI,CAAC,SAAS,IAAI;GAChB,MAAM,YAAY,MAAM,SAAS,MAAM,CAAC,aAAa,EAAE,EAA6B;AAEpF,OACE,OAAO,cAAc,YACrB,cAAc,QACd,eAAe,aACf,OAAQ,UAAsC,cAAc,SAE5D,OAAM,IAAI,YAAa,UAAsC,UAAmB;AAElF,SAAM,IAAI,MACP,UAAsC,SACrC,yBAAyB,SAAS,SACrC;;AAEH,SAAO,SAAS,MAAM;;CAOxB,MAAM,aAAa,OACjB,SACG;EACH,IAAI;EACJ,IAAI,QAAQ;AACZ,SAAO,QAAQ,cAAc,OAC3B,KAAI;AACF,UAAO,MAAM,WAAY,OACvB,eACA,UAAU,OACN;IAAE,QAAQ,EAAE,MAAM,KAAK,MAAM;IAAE,UAAU,KAAK;IAAU,GACxD,KACL;WACM,GAAG;AACV,eAAY;AAGZ,OAAI,EADF,aAAa,SAAS,WAAW,KAAK,EAAE,WAAW,GAAG,EACnC;GACrB,MAAM,OAAO,cAAc,SAAU,eAAe,KAAK,QAAQ;AACjE;AACA,SAAM,IAAI,SAAS,YAAY,WAAW,SAAS,KAAK,CAAC;;AAG7D,QAAM;;CAGR,MAAM,wBAAwB,OAC5B,SACG;EACH,MAAM,EAAE,WAAW,MAAM,WAAW,KAAK;AACzC,QAAM,SAAS;GACb,aAAa;GACb,QAAS,UAAiC;GAC3C,CAAC;AACF,SAAO,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAkCpB,MAAM,SAAS,OACb,UACA,SAC0B;EAC1B,MAAM,SACJ,gBAAgB,WACZ,MAAM,KAAK,KAAK,SAAS,CAAC,CAAC,QACxB,KAAK,CAAC,GAAG,OAAO;AACf,OAAI,KAAK;AACT,UAAO;KAET,EAAE,CACH,GACD,QAAQ,EAAE;AAEhB,MAAI,OAAO;GAET,MAAMC,WAAS,MAAM,WAAW;IAC9B,QAAQ;IACR,MAAM;KAAE;KAAU;KAAQ;IAC3B,CAAC;AACF,OAAIA,SAAO,aAAa,QAAW;IACjC,MAAM,cAAc,IAAI,IAAIA,SAAO,SAAS;AAE5C,QAAI,OAAO,WAAW,YACpB,QAAO,SAAS,OAAO,YAAY,UAAU;AAE/C,WAAO;KAAE,WAAW;KAAO,UAAU;KAAa;;AAEpD,OAAIA,SAAO,aACT,QAAO;IAAE,WAAW;IAAO,cAAc;IAAM,UAAUA,SAAO;IAAU;AAE5E,OAAIA,SAAO,eAAe,OACxB,QAAO;IAAE,WAAW;IAAO,YAAYA,SAAO;IAAgC;AAEhF,OAAIA,SAAO,WAAW,QAAW;AAG/B,UAAM,SAAS;KACb,aAAa;KACb,QACEA,SAAO,WAAW,OAAO,OAAO,EAAE,OAAOA,SAAO,OAAO,OAAO;KACjE,CAAC;AACF,WAAO,EAAE,WAAWA,SAAO,WAAW,MAAM;;AAE9C,UAAO,EAAE,WAAW,OAAO;;EAI7B,MAAM,WAAY,MAAM,WAAW,qBAAqB,IAAK;AAC7D,QAAM,cAAc,qBAAqB;EACzC,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;GACvD;GACA;GACA;GACD,CAAC;AACF,MAAI,OAAO,aAAa,QAAW;GACjC,MAAM,cAAc,IAAI,IAAI,OAAO,SAAS;AAC5C,SAAM,WAAW,sBAAsB,OAAO,SAAU;AACxD,OAAI,OAAO,WAAW,YACpB,QAAO,SAAS,OAAO,YAAY,UAAU;AAE/C,UAAO;IAAE,WAAW;IAAO,UAAU;IAAa;;AAEpD,MAAI,OAAO,aACT,QAAO;GAAE,WAAW;GAAO,cAAc;GAAM,UAAU,OAAO;GAAU;AAE5E,MAAI,OAAO,eAAe,OACxB,QAAO;GAAE,WAAW;GAAO,YAAY,OAAO;GAAgC;AAEhF,MAAI,OAAO,WAAW,QAAW;AAC/B,SAAM,SAAS;IACb,aAAa;IACb,QAAS,OAAO,UAAiC;IAClD,CAAC;AACF,UAAO,EAAE,WAAW,OAAO,WAAW,MAAM;;AAE9C,SAAO,EAAE,WAAW,OAAO;;;;;;;;;CAc7B,MAAM,UAAU,YAAY;AAC1B,MAAI,OAAO;AACT,OAAI;AACF,UAAM,WAAW;KAAE,QAAQ;KAAgB,MAAM,EAAE;KAAE,CAAC;WAChD;AAGR,SAAM,SAAS;IAAE,aAAa;IAAO,QAAQ;IAAM,CAAC;AACpD,OAAI,OAAO,UAAW,QAAO,WAAW;AACxC;;AAIF,MAAI;AACF,SAAM,OAAO,OAAO,gBAAuB,EAAE,CAAC;UACxC;AAGR,QAAM,SAAS;GAAE,aAAa;GAAM,QAAQ;GAAM,CAAC;AACnD,MAAI,OAAO,UAAW,QAAO,WAAW;;CAO1C,MAAM,mBAAmB,OAAO,EAC9B,wBAG4B;AAC5B,MAAI,CAAC,kBAAmB,QAAO;AAE/B,MAAI,OAAO;GAGT,MAAM,qBAAqB;AAC3B,UAAO,MAAM,aAAa,4BAA4B,YAAY;AAEhE,QAAI,UAAU,mBAAoB,QAAO;AACzC,QAAI;KACF,MAAM,SAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM,EAAE,cAAc,MAAM;MAC7B,CAAC;AACF,SAAI,OAAO,OACT,OAAM,SAAS;MACb,aAAa;MACb,QAAQ,EAAE,OAAO,OAAO,OAAO,OAAO;MACvC,CAAC;SAEF,OAAM,SAAS;MAAE,aAAa;MAAO,QAAQ;MAAM,CAAC;YAEhD;AACN,WAAM,SAAS;MAAE,aAAa;MAAO,QAAQ;MAAM,CAAC;;AAEtD,WAAO;KACP;;EAIJ,MAAM,6BAA6B;AACnC,SAAO,MAAM,aAAa,2BAA2B,YAAY;GAC/D,MAAM,4BAA4B;AAClC,OAAI,8BAA8B,2BAChC,QAAO;GAET,MAAM,eACH,MAAM,WAAW,0BAA0B,IAAK;AACnD,OAAI,CAAC,aACH,QAAO;AAET,SAAM,sBAAsB,EAAE,cAAc,CAAC;AAC7C,UAAO;IACP;;CAOJ,MAAM,iBAAiB,YAAY;AACjC,MAAI,OAAO,WAAW,YAAa;AACnC,MAAI,iBAAkB;EACtB,MAAM,OAAO,IAAI,gBAAgB,OAAO,SAAS,OAAO,CAAC,IAAI,OAAO;AACpE,MAAI,CAAC,KAAM;AACX,qBAAmB;EACnB,MAAM,UAAU,IAAI,IAAI,OAAO,SAAS,KAAK;AAC7C,UAAQ,aAAa,OAAO,OAAO;AACnC,MAAI;AACF,SAAM,WAAW,QAAQ,WAAW,QAAQ,SAAS,QAAQ,KAAK;AAClE,SAAM,OAAO,QAAW,EAAE,MAAM,CAAC;YACzB;AACR,sBAAmB;;;CAQvB,MAAM,qBAAqB,YAAY;EACrC,MAAM,cAAe,MAAM,WAAW,gBAAgB,IAAK;AAC3D,QAAM,SAAS;GACb,aAAa;GACb,QAAQ,gBAAgB,OAAO,OAAO,EAAE,OAAO,aAAa;GAC7D,CAAC;;;;;;;;;;;;;CAkBJ,MAAM,YAAY,OAAiD;AACjE,KAAG,SAAS;EACZ,MAAM,gBAAgB,GAAG,SAAS;AAClC,cAAY,IAAI,QAAQ;AACxB,eAAa;AACX,eAAY,OAAO,QAAQ;;;AAS/B,KAAI,CAAC,SAAS,OAAO,WAAW,aAAa;EAC3C,MAAM,aAAa,UAAwB;AACzC,IAAM,YAAY;AAChB,QAAI,MAAM,QAAQ,IAAI,gBAAgB,CAAE;AACxC,UAAM,SAAS;KACb,aAAa;KACb,QACE,MAAM,aAAa,OAAO,OAAO,EAAE,OAAO,MAAM,UAAU;KAC7D,CAAC;OACA;;AAEN,SAAO,iBAAiB,WAAW,UAAU;;AAK/C,QAAO,QAAQ,iBAAiB;AAGhC,KAAI,OAAO,WAAW,YACpB,KAAI,MAGF,KAAI,CAAC,eACH,CAAK,iBAAiB,EAAE,mBAAmB,MAAM,CAAC;MAC7C;AAEL,cAAY;AACZ,kBAAgB;;KAIlB,CAAK,oBAAoB,CAAC,WACxB,gBAAgB,CAAC,OAAO,UAAmB;AACzC,UAAQ,MAAM,uCAAuC,MAAM;GAC3D,CACH;;;;;CAYL,MAAM,mBAAmB,WAAgC;EACvD,MAAM,QAAQ,IAAI,WAAW,OAAO;EACpC,IAAI,SAAS;AACb,OAAK,IAAI,IAAI,GAAG,IAAI,MAAM,YAAY,IACpC,WAAU,OAAO,aAAa,MAAM,GAAI;AAE1C,SAAO,KAAK,OAAO,CAAC,QAAQ,OAAO,IAAI,CAAC,QAAQ,OAAO,IAAI,CAAC,QAAQ,OAAO,GAAG;;CAGhF,MAAM,mBAAmB,QAA4B;EACnD,MAAM,SAAS,IAAI,QAAQ,MAAM,IAAI,CAAC,QAAQ,MAAM,IAAI;EACxD,MAAM,SAAS,KAAK,OAAO;EAC3B,MAAM,QAAQ,IAAI,WAAW,OAAO,OAAO;AAC3C,OAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,IACjC,OAAM,KAAK,OAAO,WAAW,EAAE;AAEjC,SAAO;;AAkjBT,QAAO;EAEL,IAAI,QAAmB;AACrB,UAAO;;EAGT;EAEA;EAEA;EAEA,SA3jBc;GAId,mBAA4B;AAC1B,WACE,OAAO,WAAW,eAClB,OAAO,OAAO,wBAAwB;;GAa1C,qBAAqB,YAA8B;AACjD,QAAI,OAAO,WAAW,YAAa,QAAO;AAC1C,QAAI,OAAO,OAAO,wBAAwB,YAAa,QAAO;AAC9D,QACE,OACE,OAAO,oBACP,oCAAoC,WAEtC,QAAO;AAET,WACE,OAAO,oBACP,iCAAiC;;GAwBrC,UAAU,OACR,SAM0B;IAC1B,MAAM,eAAe;KACnB,MAAM;KACN,OAAO,MAAM;KACb,UAAU,MAAM;KAChB,iBAAiB,MAAM;KACxB;IAGD,IAAI;AACJ,QAAI,MACF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MAAE,UAAU;MAAW,QAAQ;MAAc;KACpD,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACT,CAAC;AAGJ,QAAI,CAAC,aAAa,QAChB,OAAM,IAAI,MAAM,qDAAqD;IAGvE,MAAMC,YAAU,aAAa;IAG7B,MAAM,gBAA2C,EAC/C,WAAW;KACT,IAAIA,UAAQ;KACZ,MAAM;MACJ,IAAI,gBAAgBA,UAAQ,KAAK,GAAG,CAAC;MACrC,MAAMA,UAAQ,KAAK;MACnB,aAAaA,UAAQ,KAAK;MAC3B;KACD,WAAW,gBAAgBA,UAAQ,UAAU,CAAC;KAC9C,kBAAkBA,UAAQ;KAC1B,SAASA,UAAQ;KACjB,aAAaA,UAAQ;KACrB,wBAAwBA,UAAQ;KAChC,qBAAqBA,UAAQ,sBAAsB,EAAE,EAAE,KACpD,UAAe;MACd,MAAM,KAAK,QAAQ;MACnB,IAAI,gBAAgB,KAAK,GAAG,CAAC;MAC7B,YAAY,KAAK;MAClB,EACF;KACF,EACF;IAGD,MAAM,aAAc,MAAM,UAAU,YAAY,OAC9C,cACD;AACD,QAAI,CAAC,WACH,OAAM,IAAI,MAAM,qCAAqC;IAGvD,MAAM,WACJ,WAAW;IAGb,MAAM,aACJ,OAAO,SAAS,kBAAkB,aAC9B,SAAS,eAAe,GACxB;IAEN,MAAM,eAAe;KACnB,MAAM;KACN,gBAAgB,gBAAgB,SAAS,eAAe;KACxD,mBAAmB,gBAAgB,SAAS,kBAAkB;KAC9D;KACA,aAAa,MAAM;KACnB,OAAO,MAAM;KACd;IAGD,IAAI;AACJ,QAAI,MAGF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MACJ,UAAU;MACV,QAAQ;MACR,UAAU,aAAa;MACxB;KACF,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACR,UAAU,aAAa;KACxB,CAAC;AAGJ,QAAI,aAAa,QAAQ;AACvB,SAAI,MACF,OAAM,SAAS;MACb,aAAa;MACb,QACE,aAAa,WAAW,OACpB,OACA,EAAE,OAAO,aAAa,OAAO,OAAO;MAC3C,CAAC;SAEF,OAAM,SAAS;MACb,aAAa;MACb,QAAQ,aAAa;MACtB,CAAC;AAEJ,YAAO,EAAE,WAAW,MAAM;;AAE5B,WAAO,EAAE,WAAW,OAAO;;GA6B7B,cAAc,OACZ,SAC0B;IAC1B,MAAM,eAAe;KACnB,MAAM;KACN,OAAO,MAAM;KACd;IAGD,IAAI;AACJ,QAAI,MACF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MAAE,UAAU;MAAW,QAAQ;MAAc;KACpD,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACT,CAAC;AAGJ,QAAI,CAAC,aAAa,QAChB,OAAM,IAAI,MAAM,uDAAuD;IAGzE,MAAMA,YAAU,aAAa;IAG7B,MAAM,aAAuC;KAC3C,WAAW;MACT,WAAW,gBAAgBA,UAAQ,UAAU,CAAC;MAC9C,SAASA,UAAQ;MACjB,MAAMA,UAAQ;MACd,kBAAkBA,UAAQ;MAC1B,mBAAmBA,UAAQ,oBAAoB,EAAE,EAAE,KAChD,UAAe;OACd,MAAM,KAAK,QAAQ;OACnB,IAAI,gBAAgB,KAAK,GAAG,CAAC;OAC7B,YAAY,KAAK;OAClB,EACF;MACF;KACD,GAAI,MAAM,WAAW,EAAE,WAAW,eAAsB,GAAG,EAAE;KAC9D;IAGD,MAAM,aAAc,MAAM,UAAU,YAAY,IAC9C,WACD;AACD,QAAI,CAAC,WACH,OAAM,IAAI,MAAM,uCAAuC;IAGzD,MAAM,WACJ,WAAW;IAEb,MAAM,eAAe;KACnB,MAAM;KACN,cAAc,gBAAgB,WAAW,MAAM;KAC/C,gBAAgB,gBAAgB,SAAS,eAAe;KACxD,mBAAmB,gBAAgB,SAAS,kBAAkB;KAC9D,WAAW,gBAAgB,SAAS,UAAU;KAC/C;IAGD,IAAI;AACJ,QAAI,MACF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MACJ,UAAU;MACV,QAAQ;MACR,UAAU,aAAa;MACxB;KACF,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACR,UAAU,aAAa;KACxB,CAAC;AAGJ,QAAI,aAAa,QAAQ;AACvB,SAAI,MACF,OAAM,SAAS;MACb,aAAa;MACb,QACE,aAAa,WAAW,OACpB,OACA,EAAE,OAAO,aAAa,OAAO,OAAO;MAC3C,CAAC;SAEF,OAAM,SAAS;MACb,aAAa;MACb,QAAQ,aAAa;MACtB,CAAC;AAEJ,YAAO,EAAE,WAAW,MAAM;;AAE5B,WAAO,EAAE,WAAW,OAAO;;GAE9B;EAsQC,MApQW;GAYX,OAAO,OACL,SAC+E;IAC/E,MAAM,SAA8B,EAAE,MAAM,SAAS;AACrD,QAAI,MAAM,KAAM,QAAO,OAAO,KAAK;AACnC,QAAI,MAAM,YAAa,QAAO,cAAc,KAAK;AAEjD,QAAI,OAAO;KACT,MAAMD,WAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM;OAAE,UAAU;OAAQ;OAAQ;MACnC,CAAC;AACF,YAAO;MAAE,KAAKA,SAAO,UAAU;MAAK,QAAQA,SAAO,UAAU;MAAQ,UAAUA,SAAO;MAAU,QAAQA,SAAO,UAAU;MAAQ;;IAGnI,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV;KACD,CAAC;AACF,WAAO;KAAE,KAAK,OAAO,UAAU;KAAK,QAAQ,OAAO,UAAU;KAAQ,UAAU,OAAO;KAAU,QAAQ,OAAO,UAAU;KAAQ;;GAUnI,SAAS,OAAO,SAIK;IACnB,MAAM,SAA8B;KAClC,MAAM;KACN,MAAM,KAAK;KACX,QAAQ,KAAK;KACd;AAED,QAAI,OAAO;KACT,MAAMA,WAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM;OAAE,UAAU;OAAQ;OAAQ,UAAU,KAAK;OAAU;MAC5D,CAAC;AACF,SAAIA,SAAO,OACT,OAAM,SAAS;MACb,aAAa;MACb,QAAQA,SAAO,WAAW,OAAO,OAAO,EAAE,OAAOA,SAAO,OAAO,OAAO;MACvE,CAAC;AAEJ;;IAGF,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV;KACA,UAAU,KAAK;KAChB,CAAC;AACF,QAAI,OAAO,OACT,OAAM,SAAS;KACb,aAAa;KACb,QAAS,OAAO,UAAiC;KAClD,CAAC;;GAgBN,QAAQ,OAAO,SAA4D;IACzE,MAAM,SAA8B;KAClC,MAAM;KACN,MAAM,KAAK;KACZ;AAED,QAAI,OAAO;KACT,MAAMA,WAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM;OAAE,UAAU;OAAQ;OAAQ,UAAU,KAAK;OAAU;MAC5D,CAAC;AACF,SAAIA,SAAO,OACT,OAAM,SAAS;MACb,aAAa;MACb,QAAQA,SAAO,WAAW,OAAO,OAAO,EAAE,OAAOA,SAAO,OAAO,OAAO;MACvE,CAAC;AAEJ;;IAGF,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV;KACA,UAAU,KAAK;KAChB,CAAC;AACF,QAAI,OAAO,OACT,OAAM,SAAS;KACb,aAAa;KACb,QAAS,OAAO,UAAiC;KAClD,CAAC;;GAGP;EA2IC,QAzIa;GAoBb,MAAM,OAAO,SAA0C;IACrD,MAAM,aAAa,KAAK,WAAW;IACnC,MAAM,YAAY,KAAK,KAAK,GAAG,KAAK,YAAY;AAEhD,WAAO,KAAK,KAAK,GAAG,WAAW;AAC7B,WAAM,IAAI,SAAS,YAAY,WAAW,SAAS,WAAW,CAAC;AAE/D,SAAI;MACF,IAAI;MACJ,MAAM,SAA8B;OAClC,MAAM;OACN,YAAY,KAAK;OAClB;AAED,UAAI,MACF,UAAS,MAAM,WAAW;OACxB,QAAQ;OACR,MAAM;QAAE,UAAU;QAAU;QAAQ;OACrC,CAAC;UAEF,UAAS,MAAM,OAAO,OAAO,eAAsB;OACjD,UAAU;OACV;OACD,CAAC;AAIJ,UAAI,OAAO,QAAQ;AACjB,WAAI,MACF,OAAM,SAAS;QACb,aAAa;QACb,QACE,OAAO,WAAW,OACd,OACA,EAAE,OAAO,OAAO,OAAO,OAAO;QACrC,CAAC;WAEF,OAAM,SAAS;QACb,aAAa;QACb,QAAS,OAAO,UAAiC;QAClD,CAAC;AAEJ;;cAEK,GAAY;AAEnB,UAAI,aAAa,aAAa;OAE5B,MAAM,QADO,EAAE,MACK;AACpB,WAAI,UAAU,+BACZ;AAEF,WAAI,UAAU,oBAAoB;AAEhC,cAAM,IAAI,SAAS,YACjB,WAAW,SAAS,WAAW,CAChC;AACD;;;AAIJ,YAAM;;;AAIV,UAAM,IAAI,MAAM,kCAAkC;;GAgBpD,QAAQ,OAAO,aAAoC;IACjD,MAAM,SAA8B;KAClC,MAAM;KACN;KACD;AAED,QAAI,MACF,OAAM,WAAW;KACf,QAAQ;KACR,MAAM;MAAE,UAAU;MAAU;MAAQ;KACrC,CAAC;QAEF,OAAM,OAAO,OAAO,eAAsB;KACxC,UAAU;KACV;KACD,CAAC;;GAGP;EAmBA;;AAOH,eAAe,aACb,KACA,UACY;CACZ,MAAM,cAAe,YAAoB,WAAW;AACpD,QAAO,gBAAgB,SACnB,MAAM,YAAY,QAAQ,KAAK,SAAS,GACxC,MAAM,YAAY,KAAK,SAAS;;AAGtC,SAAS,cAAc,KAGrB;AACA,KAAK,WAAmB,wBAAwB,OAC9C,CAAC,WAAmB,sBAAsB,EAAE;CAQ9C,IAAI,QAAS,WAAmB,oBAAoB;AACpD,KAAI,UAAU,OACZ,CAAC,WAAmB,oBAAoB,OAAO;EAC7C,kBAAkB;EAClB,SAAS,EAAE;EACZ;AAEH,SAAS,WAAmB,oBAAoB;AAChD,QAAO;;AAGT,SAAS,cACP,KACA,OAIA;AACA,CAAC,WAAmB,oBAAoB,OAAO;;AAGjD,eAAe,wBACb,KACA,UACA;CACA,MAAM,QAAQ,cAAc,IAAI;AAChC,KAAI,MAAM,qBAAqB,KAC7B,eAAc,KAAK;EACjB,kBAAkB,UAAU,CAAC,cAAc;GACzC,MAAM,SAAS,cAAc,IAAI,CAAC,QAAQ,OAAO;AACjD,iBAAc,IAAI,CAAC,mBAAmB;AACtC,iBAAc,KAAK;IACjB,GAAG,cAAc,IAAI;IACrB,kBACE,WAAW,SAAY,OAAO,wBAAwB,KAAK,OAAO;IACrE,CAAC;IACF;EACF,SAAS,EAAE;EACZ,CAAC;KAEF,eAAc,KAAK;EACjB,GAAG;EACH,SAAS,CAAC,GAAG,MAAM,SAAS,SAAS;EACtC,CAAC;;AAIN,eAAe,YACb,KACA,UACY;AASZ,QARqB,IAAI,SAAY,SAAS,WAAW;EACvD,MAAM,wBAA6C;AACjD,UAAO,UAAU,CACd,MAAM,MAAM,QAAQ,EAAE,CAAC,CACvB,OAAO,MAAM,OAAO,EAAE,CAAC;;AAE5B,EAAK,wBAAwB,KAAK,gBAAgB;GAClD"}
+{"version":3,"file":"index.js","names":["url","key","options"],"sources":["../../src/client/index.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { ConvexHttpClient } from \"convex/browser\";\nimport { ConvexError, Value } from \"convex/values\";\n\nimport { AUTH_ERRORS } from \"../server/errors\";\nimport { browserMutex, getStorageListenerRegistry } from \"./runtime/browser\";\nimport { createDeviceClient } from \"./factors/device\";\nimport { createInviteManager } from \"./runtime/invite\";\nimport { createPasskeyClient } from \"./factors/passkey\";\nimport {\n  createProxyHelpers,\n  isRetriableProxyRefreshError,\n  isTransientNetworkError,\n} from \"./runtime/proxy\";\nimport { createStorageHelpers } from \"./runtime/storage\";\nimport { createTotpClient } from \"./factors/totp\";\nimport type {\n  AuthApiRefs,\n  AuthClient,\n  AuthFlowContext,\n  AuthHandshakeErrorCode,\n  AuthSession,\n  AuthState,\n  ClientOptions,\n  ConvexTransport,\n  DeviceClient,\n  DeviceCodeResult,\n  HandshakeWaiter,\n  PasskeyClient,\n  PendingInvite,\n  SignInActionResult,\n  SignInResult,\n  Storage,\n  TotpClient,\n} from \"./core/types\";\n\n// Re-export error utilities so consumers can import from `@robelest/convex-auth/client`.\nexport {\n  isAuthError,\n  parseAuthError,\n  AUTH_ERRORS,\n  type AuthErrorCode,\n} from \"../server/errors\";\nexport type {\n  AuthApiRefs,\n  AuthClient,\n  AuthState,\n  ClientOptions,\n  DeviceClient,\n  DeviceCodeResult,\n  PasskeyClient,\n  PendingInvite,\n  SignInResult,\n  Storage,\n  TotpClient,\n} from \"./core/types\";\n\nconst VERIFIER_STORAGE_KEY = \"__convexAuthOAuthVerifier\";\nconst JWT_STORAGE_KEY = \"__convexAuthJWT\";\nconst REFRESH_TOKEN_STORAGE_KEY = \"__convexAuthRefreshToken\";\nconst INVITE_TOKEN_KEY = \"__convexAuthPendingInvite\";\nconst INVITE_EMAIL_KEY = \"__convexAuthPendingInviteEmail\";\n\nconst RETRY_BASE_MS = 500;\nconst RETRY_MAX_RETRIES = 2;\nconst AUTH_HANDSHAKE_TIMEOUT_MS = 5000;\n\n/**\n * Resolve the Convex deployment URL from the client.\n *\n * `ConvexReactClient` exposes `.url` directly.\n * `ConvexClient` exposes `.client.url` via `BaseConvexClient`.\n */\nfunction resolveUrl(convex: ConvexTransport, explicit?: string): string {\n  if (explicit) return explicit;\n  const c = convex as any;\n  const url: unknown = c.url ?? c.client?.url;\n  if (typeof url === \"string\") return url;\n  throw new Error(\n    \"Could not determine Convex deployment URL. Pass `url` explicitly.\",\n  );\n}\n\n/**\n * Create a framework-agnostic auth client.\n *\n * Returns an object with `signIn`, `signOut`, `onChange`, `state`,\n * `passkey`, and `totp` — everything needed for client-side auth.\n *\n * ### SPA mode (default)\n *\n * ```ts\n * import { ConvexClient } from 'convex/browser';\n * import { client } from '@robelest/convex-auth/client';\n * import { api } from '../convex/_generated/api';\n *\n * const convex = new ConvexClient(CONVEX_URL);\n * const auth = client({ convex, api: api.auth });\n * ```\n *\n * ### SSR / proxy mode\n *\n * ```ts\n * const auth = client({\n *   convex,\n *   proxyPath: '/api/auth',\n *   tokenSeed: tokenFromServer, // JWT read from httpOnly cookie during SSR\n * });\n * ```\n *\n * In proxy mode all auth operations go through the proxy URL.\n * Tokens are stored in httpOnly cookies server-side — the client\n * holds the JWT in memory only.\n *\n * @param options - Client configuration. See {@link ClientOptions}.\n * @typeParam Api - An AuthApiRefs type determining which factor helpers are available.\n * @returns Auth client with conditional `passkey`, `totp`, and `device` helpers.\n * @throws {Error} When the Convex deployment URL cannot be determined and `url` is not passed explicitly.\n * @throws {Error} When `proxyPath` is not set and the `api` option is missing.\n */\nexport function client<\n  Api extends AuthApiRefs<boolean, boolean, boolean> = AuthApiRefs,\n>(options: ClientOptions<Api>): AuthClient<Api> {\n  const { convex, proxyPath, api: apiRefs } = options;\n  const proxy = proxyPath;\n\n  function requireApiRefs() {\n    if (!apiRefs) {\n      throw new Error(\n        \"The `api` option is required when `proxyPath` is not set. \" +\n          \"Pass { api: api.auth }.\",\n      );\n    }\n    return apiRefs;\n  }\n\n  // In proxy mode, default storage to null (cookies handle persistence).\n  const storage =\n    options.storage !== undefined\n      ? options.storage\n      : proxy\n        ? null\n        : typeof window === \"undefined\"\n          ? null\n          : window.localStorage;\n\n  const replaceUrl =\n    options.replaceUrl ??\n    ((url: string) => {\n      if (typeof window !== \"undefined\") {\n        window.history.replaceState({}, \"\", url);\n      }\n    });\n\n  // ---------------------------------------------------------------------------\n  // Location — SSR-safe URL reading\n  // ---------------------------------------------------------------------------\n\n  function getLocation(): URL | null {\n    if (typeof options.location === \"function\") return options.location();\n    if (options.location instanceof URL) return options.location;\n    if (typeof window !== \"undefined\") return new URL(window.location.href);\n    return null;\n  }\n\n  /**\n   * SSR-safe URL parameter reader.\n   *\n   * Uses the `location` option if provided, otherwise falls back to\n   * `window.location` (returns `null` during SSR where `window` is unavailable).\n   *\n   * @param name - The query parameter name.\n   * @returns The parameter value, or `null` if not present or in SSR.\n   *\n   * @example\n   * ```ts\n   * const workspaceId = auth.param(\"workspace\");\n   * const tab = auth.param(\"tab\") ?? \"issues\";\n   * ```\n   */\n  function param(name: string): string | null {\n    const loc = getLocation();\n    return loc?.searchParams.get(name) ?? null;\n  }\n\n  function cleanUrlParams(params: string[]) {\n    const loc = getLocation();\n    if (!loc) return;\n    const searchParams = new URLSearchParams(loc.search);\n    let changed = false;\n    for (const p of params) {\n      if (searchParams.has(p)) {\n        searchParams.delete(p);\n        changed = true;\n      }\n    }\n    if (changed) {\n      const next = searchParams.toString()\n        ? `${loc.pathname}?${searchParams}`\n        : loc.pathname;\n      void replaceUrl(next);\n    }\n  }\n\n  const url = proxy ? undefined : resolveUrl(convex, options.url);\n  const escapedNamespace = proxy\n    ? proxy.replace(/[^a-zA-Z0-9]/g, \"\")\n    : url!.replace(/[^a-zA-Z0-9]/g, \"\");\n  const key = (name: string) => `${name}_${escapedNamespace}`;\n  const {\n    get: storageGet,\n    set: storageSet,\n    remove: storageRemove,\n  } = createStorageHelpers({ storage, key });\n  const { isAbsoluteUrl, proxyFetch, resolveProxyUrl } = createProxyHelpers({\n    proxy,\n  });\n  const subscribers = new Set<() => void>();\n  let disposeStorageListener: (() => void) | null = null;\n\n  // Unauthenticated HTTP client for code verification & OAuth exchange.\n  // Only needed in SPA mode — proxy mode routes everything through the proxy.\n  const httpClient = proxy ? null : new ConvexHttpClient(url!);\n\n  // ---------------------------------------------------------------------------\n  // State\n  // ---------------------------------------------------------------------------\n\n  // If a server-provided token was supplied (SSR hydration), treat it as\n  // immediately authenticated to avoid a handshake-only loading screen.\n  const serverToken =\n    typeof options.tokenSeed === \"string\" && options.tokenSeed.trim().length > 0\n      ? options.tokenSeed\n      : null;\n  const hasServerToken = serverToken !== null;\n\n  let token: string | null = serverToken;\n  let isLoading = !hasServerToken;\n  let authConfirmed = hasServerToken;\n  let handshakePending = false;\n  let authEpoch = 0;\n  let destroyed = false;\n  const handshakeWaiters = new Set<HandshakeWaiter>();\n  let snapshot: AuthState = {\n    phase: hasServerToken\n      ? \"authenticated\"\n      : isLoading\n        ? \"loading\"\n        : \"unauthenticated\",\n    isLoading,\n    isAuthenticated: hasServerToken,\n    token,\n  };\n  let handlingCodeFlow = false;\n\n  const createHandshakeError = (\n    code: AuthHandshakeErrorCode,\n    context: Record<string, unknown>,\n  ) => {\n    return new ConvexError({\n      code,\n      message: AUTH_ERRORS[code],\n      ...context,\n    } as Value);\n  };\n\n  const settleHandshakeWaiters = (\n    epoch: number,\n    outcome:\n      | { type: \"resolve\" }\n      | { type: \"reject\"; error: ConvexError<Value> },\n  ) => {\n    for (const waiter of Array.from(handshakeWaiters)) {\n      if (waiter.epoch !== epoch) {\n        continue;\n      }\n      clearTimeout(waiter.timeoutId);\n      handshakeWaiters.delete(waiter);\n      if (outcome.type === \"resolve\") {\n        waiter.resolve();\n      } else {\n        waiter.reject(outcome.error);\n      }\n    }\n  };\n\n  const rejectObsoleteHandshakeWaiters = (activeEpoch: number) => {\n    for (const waiter of Array.from(handshakeWaiters)) {\n      if (waiter.epoch >= activeEpoch) {\n        continue;\n      }\n      clearTimeout(waiter.timeoutId);\n      handshakeWaiters.delete(waiter);\n      waiter.reject(\n        createHandshakeError(\"AUTH_HANDSHAKE_REJECTED\", {\n          ...waiter.context,\n          reason: \"token_changed\",\n        }),\n      );\n    }\n  };\n\n  const waitForAuthHandshake = async (context: AuthFlowContext) => {\n    if (token === null) {\n      return;\n    }\n    if (authConfirmed && !handshakePending) {\n      return;\n    }\n    if (!handshakePending) {\n      throw createHandshakeError(\"AUTH_HANDSHAKE_REJECTED\", {\n        ...context,\n        reason: \"auth_rejected\",\n      });\n    }\n\n    const epoch = authEpoch;\n    await new Promise<void>((resolve, reject) => {\n      const waiterRef: { current: HandshakeWaiter | null } = { current: null };\n      const timeoutId = setTimeout(() => {\n        if (waiterRef.current !== null) {\n          handshakeWaiters.delete(waiterRef.current);\n        }\n        reject(\n          createHandshakeError(\"AUTH_HANDSHAKE_TIMEOUT\", {\n            ...context,\n            timeoutMs: AUTH_HANDSHAKE_TIMEOUT_MS,\n          }),\n        );\n      }, AUTH_HANDSHAKE_TIMEOUT_MS);\n\n      const waiter: HandshakeWaiter = {\n        epoch,\n        context,\n        resolve,\n        reject,\n        timeoutId,\n      };\n      waiterRef.current = waiter;\n      handshakeWaiters.add(waiter);\n    });\n  };\n\n  const handleConvexAuthChange = (isAuthenticated: boolean) => {\n    if (destroyed) {\n      return;\n    }\n\n    if (isAuthenticated) {\n      authConfirmed = true;\n      handshakePending = false;\n      settleHandshakeWaiters(authEpoch, { type: \"resolve\" });\n    } else {\n      authConfirmed = false;\n      // Do not reject immediately while a handshake is pending.\n      // Convex can transiently emit `false` while reauth is still in flight,\n      // and a subsequent `true` confirms the same session.\n    }\n\n    if (updateSnapshot()) {\n      notify();\n    }\n  };\n\n  const notify = () => {\n    for (const cb of subscribers) cb();\n  };\n\n  const updateSnapshot = () => {\n    const phaseDispatch = {\n      tag:\n        token !== null && handshakePending\n          ? \"handshake\"\n          : isLoading\n            ? \"loading\"\n            : token !== null && authConfirmed\n              ? \"authenticated\"\n              : \"unauthenticated\",\n    } as const;\n\n    const phase = {\n      handshake: \"handshake\",\n      loading: \"loading\",\n      authenticated: \"authenticated\",\n      unauthenticated: \"unauthenticated\",\n    }[phaseDispatch.tag] as AuthState[\"phase\"];\n\n    const next: AuthState = {\n      phase,\n      isLoading: phase === \"loading\" || phase === \"handshake\",\n      isAuthenticated: phase === \"authenticated\",\n      token,\n    };\n    if (\n      snapshot.phase === next.phase &&\n      snapshot.isLoading === next.isLoading &&\n      snapshot.isAuthenticated === next.isAuthenticated &&\n      snapshot.token === next.token\n    ) {\n      return false;\n    }\n    snapshot = next;\n    return true;\n  };\n\n  const finalizeLoadingState = () => {\n    if (!isLoading) {\n      return;\n    }\n    isLoading = false;\n    if (updateSnapshot()) {\n      notify();\n    }\n  };\n\n  const inviteManager = createInviteManager({\n    param,\n    storageGet,\n    storageSet,\n    storageRemove,\n    cleanUrlParams,\n    tokenKey: INVITE_TOKEN_KEY,\n    emailKey: INVITE_EMAIL_KEY,\n  });\n  const getPendingInvite = () => inviteManager.getPendingInvite();\n  const persistInvite = () => inviteManager.persistInvite();\n  const acceptInvite = () => inviteManager.acceptInvite();\n\n  // ---------------------------------------------------------------------------\n  // Token management\n  // ---------------------------------------------------------------------------\n\n  const bindConvexAuth = () => {\n    convex.setAuth(fetchAccessToken, handleConvexAuthChange);\n  };\n\n  const setToken = async (\n    args:\n      | {\n          shouldStore: true;\n          tokens: AuthSession | null;\n          requireHandshake?: boolean;\n          resyncConvexAuth?: boolean;\n        }\n      | {\n          shouldStore: false;\n          tokens: { token: string } | null;\n          requireHandshake?: boolean;\n          resyncConvexAuth?: boolean;\n        },\n  ) => {\n    const previousToken = token;\n\n    if (args.tokens === null) {\n      token = null;\n      if (args.shouldStore) {\n        await storageRemove(JWT_STORAGE_KEY);\n        await storageRemove(REFRESH_TOKEN_STORAGE_KEY);\n      }\n    } else {\n      token = args.tokens.token;\n      if (args.shouldStore && \"refreshToken\" in args.tokens) {\n        await storageSet(JWT_STORAGE_KEY, args.tokens.token);\n        await storageSet(REFRESH_TOKEN_STORAGE_KEY, args.tokens.refreshToken);\n      }\n    }\n\n    if (token !== previousToken) {\n      authEpoch += 1;\n      rejectObsoleteHandshakeWaiters(authEpoch);\n    }\n\n    if (token === null) {\n      authConfirmed = false;\n      handshakePending = false;\n      settleHandshakeWaiters(authEpoch, {\n        type: \"reject\",\n        error: createHandshakeError(\"AUTH_HANDSHAKE_REJECTED\", {\n          reason: \"token_cleared\",\n        }),\n      });\n    } else {\n      const shouldEnterHandshake =\n        args.requireHandshake === true || !authConfirmed;\n      if (shouldEnterHandshake) {\n        authConfirmed = false;\n        handshakePending = true;\n      } else {\n        handshakePending = false;\n      }\n    }\n\n    const hadPendingLoad = isLoading;\n    isLoading = false;\n    const changed = updateSnapshot();\n    if (args.resyncConvexAuth !== false) {\n      bindConvexAuth();\n    }\n    if (hadPendingLoad || changed) {\n      notify();\n    }\n  };\n\n  const setTokenAndMaybeWait = async (\n    args:\n      | {\n          shouldStore: true;\n          tokens: AuthSession | null;\n          waitForHandshake: boolean;\n          context: AuthFlowContext;\n        }\n      | {\n          shouldStore: false;\n          tokens: { token: string } | null;\n          waitForHandshake: boolean;\n          context: AuthFlowContext;\n        },\n  ): Promise<boolean> => {\n    const { waitForHandshake, context, ...tokenArgs } = args;\n    await setToken({\n      ...(tokenArgs as\n        | { shouldStore: true; tokens: AuthSession | null }\n        | { shouldStore: false; tokens: { token: string } | null }),\n      requireHandshake: waitForHandshake,\n    });\n    if (tokenArgs.tokens === null) {\n      return false;\n    }\n    if (waitForHandshake) {\n      await waitForAuthHandshake(context);\n    }\n    return true;\n  };\n\n  // ---------------------------------------------------------------------------\n  // Code verification with retries (SPA mode only)\n  // ---------------------------------------------------------------------------\n\n  const verifyCode = async (\n    args: { code: string; verifier?: string } | { refreshToken: string },\n  ) => {\n    const verifyCodeRetryPolicy = Fx.retry.while(\n      Fx.retry.compose(\n        Fx.retry.jittered(Fx.retry.exponential(RETRY_BASE_MS)),\n        Fx.retry.recurs(RETRY_MAX_RETRIES),\n      ),\n      (meta) => isTransientNetworkError(meta.input),\n    );\n\n    return Fx.run(\n      Fx.from({\n        ok: () =>\n          httpClient!.action(\n            requireApiRefs().signIn,\n            \"code\" in args\n              ? { params: { code: args.code }, verifier: args.verifier }\n              : args,\n          ),\n        err: (e) => e,\n      }).pipe(\n        Fx.retry(verifyCodeRetryPolicy),\n        Fx.recover((e) => Fx.fatal(e)),\n      ),\n    );\n  };\n\n  const verifyCodeAndSetToken = async (\n    args: { code: string; verifier?: string } | { refreshToken: string },\n    opts?: { resyncConvexAuth?: boolean },\n  ) => {\n    const { tokens } = await verifyCode(args);\n    await setToken({\n      shouldStore: true,\n      tokens: (tokens as AuthSession | null) ?? null,\n      resyncConvexAuth: opts?.resyncConvexAuth,\n    });\n    return tokens !== null;\n  };\n\n  const normalizeDeviceCodeResult = (device_code: any): DeviceCodeResult => {\n    return {\n      deviceCode: device_code.deviceCode,\n      userCode: device_code.userCode,\n      verificationUri:\n        device_code.verification_uri ?? device_code.verificationUri,\n      verificationUriComplete:\n        device_code.verification_uri_complete ??\n        device_code.verificationUriComplete,\n      expiresIn: device_code.expiresIn,\n      interval: device_code.interval,\n    };\n  };\n\n  // ---------------------------------------------------------------------------\n  // signIn\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Sign in with a provider.\n   *\n   * @param provider - Provider ID (e.g. `\"email\"`, `\"password\"`, `\"google\"`).\n   *   Omit when exchanging an OAuth code (the code carries the provider info).\n   * @param args - Provider-specific arguments. Pass a `Record<string, Value>`\n   *   or `FormData`. Common fields: `email`, `password`, `code`, `redirectTo`.\n   * @returns A {@link SignInResult} indicating the outcome.\n   * @throws {ConvexError} When the server action rejects the sign-in attempt (e.g. invalid credentials, provider error, or rate limiting).\n   *\n   * @example Email magic link\n   * ```ts\n   * await auth.signIn('email', { email: 'user@example.com' });\n   * ```\n   *\n   * @example Password\n   * ```ts\n   * const result = await auth.signIn('password', { email, password, flow: 'signIn' });\n   * if (result.kind === 'totpRequired') {\n   *   await auth.totp.verify({ code: totpCode, verifier: result.verifier });\n   * }\n   * ```\n   *\n   * @example OAuth (triggers redirect)\n   * ```ts\n   * await auth.signIn('google'); // redirects to Google\n   * ```\n   */\n  const signIn = async (\n    provider?: string,\n    args?: FormData | Record<string, Value>,\n  ): Promise<SignInResult> => {\n    // Persist invite before potential OAuth redirect\n    await persistInvite();\n\n    const params =\n      args instanceof FormData\n        ? (() => {\n            const formParams: Record<string, Value> = {};\n            args.forEach((value, key) => {\n              formParams[key] = typeof value === \"string\" ? value : value.name;\n            });\n            return formParams;\n          })()\n        : (args ?? {});\n    const flow =\n      typeof params.flow === \"string\" && params.flow.length > 0\n        ? params.flow\n        : \"signIn\";\n\n    const handleSignInActionResult = async (\n      result: SignInActionResult,\n      options: { shouldStore: boolean; persistVerifier: boolean },\n    ): Promise<SignInResult> =>\n      Fx.run(\n        Fx.match(result, result.kind, {\n          redirect: (redirectResult) =>\n            Fx.from({\n              ok: async () => {\n                const redirectUrl = new URL(redirectResult.redirect);\n                if (options.persistVerifier) {\n                  await storageSet(\n                    VERIFIER_STORAGE_KEY,\n                    redirectResult.verifier,\n                  );\n                }\n                if (typeof window !== \"undefined\") {\n                  window.location.href = redirectUrl.toString();\n                }\n                return {\n                  kind: \"redirect\" as const,\n                  redirect: redirectUrl,\n                  verifier: redirectResult.verifier,\n                };\n              },\n              err: (e) => e as never,\n            }),\n          totpRequired: (totpRequiredResult) =>\n            Fx.succeed({\n              kind: \"totpRequired\" as const,\n              verifier: totpRequiredResult.verifier,\n            }),\n          deviceCode: (deviceCodeResult) =>\n            Fx.succeed({\n              kind: \"deviceCode\" as const,\n              deviceCode: normalizeDeviceCodeResult(\n                deviceCodeResult.deviceCode,\n              ),\n            }),\n          signedIn: (signedInResult) =>\n            Fx.from({\n              ok: async () => {\n                const signingIn = await setTokenAndMaybeWait(\n                  options.shouldStore\n                    ? {\n                        shouldStore: true as const,\n                        tokens: signedInResult.tokens,\n                        waitForHandshake: true,\n                        context: { provider, flow },\n                      }\n                    : {\n                        shouldStore: false as const,\n                        tokens:\n                          signedInResult.tokens === null\n                            ? null\n                            : { token: signedInResult.tokens.token },\n                        waitForHandshake: true,\n                        context: { provider, flow },\n                      },\n                );\n                return signingIn\n                  ? ({ kind: \"signedIn\" as const } as SignInResult)\n                  : ({ kind: \"started\" as const } as SignInResult);\n              },\n              err: (e) => e as never,\n            }),\n          started: (_startedResult) => Fx.succeed({ kind: \"started\" as const }),\n          passkeyOptions: (_passkeyOptionsResult) =>\n            Fx.succeed({ kind: \"started\" as const }),\n          totpSetup: (_totpSetupResult) =>\n            Fx.succeed({ kind: \"started\" as const }),\n        }),\n      );\n\n    if (proxy) {\n      const result = (await proxyFetch({\n        action: \"auth:signIn\",\n        args: { provider, params },\n      })) as SignInActionResult;\n      return handleSignInActionResult(result, {\n        shouldStore: false,\n        persistVerifier: false,\n      });\n    }\n\n    // SPA mode: call Convex directly.\n    const verifier = (await storageGet(VERIFIER_STORAGE_KEY)) ?? undefined;\n    await storageRemove(VERIFIER_STORAGE_KEY);\n    const result = (await convex.action(requireApiRefs().signIn, {\n      provider,\n      params,\n      verifier,\n    })) as SignInActionResult;\n    return handleSignInActionResult(result, {\n      shouldStore: true,\n      persistVerifier: true,\n    });\n  };\n\n  // ---------------------------------------------------------------------------\n  // signOut\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Sign out the current user.\n   *\n   * Invalidates the server session and clears local token state.\n   * Errors are silently caught — calling `signOut` on an already\n   * signed-out user is a no-op.\n   */\n  const signOut = async () => {\n    if (proxy) {\n      await Fx.run(\n        Fx.from({\n          ok: () => proxyFetch({ action: \"auth:signOut\", args: {} }),\n          err: () => undefined,\n        }).pipe(Fx.recover(() => Fx.succeed(undefined))),\n      );\n      await setToken({ shouldStore: false, tokens: null });\n      if (convex.clearAuth) convex.clearAuth();\n      return;\n    }\n\n    // SPA mode.\n    await Fx.run(\n      Fx.from({\n        ok: () => convex.action(requireApiRefs().signOut, {}),\n        err: () => undefined,\n      }).pipe(Fx.recover(() => Fx.succeed(undefined))),\n    );\n    await setToken({ shouldStore: true, tokens: null });\n    if (convex.clearAuth) convex.clearAuth();\n  };\n\n  // ---------------------------------------------------------------------------\n  // fetchAccessToken — called by convex.setAuth()\n  // ---------------------------------------------------------------------------\n\n  const fetchAccessToken = async ({\n    forceRefreshToken,\n  }: {\n    forceRefreshToken: boolean;\n  }): Promise<string | null> => {\n    if (!forceRefreshToken) return token;\n\n    if (proxy) {\n      // Proxy mode: POST to the proxy to refresh.\n      // The proxy reads the real refresh token from the httpOnly cookie.\n      const resolvedProxyUrl = await resolveProxyUrl();\n      if (\n        typeof window === \"undefined\" &&\n        !(await isAbsoluteUrl(resolvedProxyUrl))\n      ) {\n        finalizeLoadingState();\n        return token;\n      }\n\n      const tokenBeforeRefresh = token;\n      return await browserMutex(\"__convexAuthProxyRefresh\", async () => {\n        // Another tab/call may have already refreshed.\n        if (token !== tokenBeforeRefresh) return token;\n\n        const proxyRefreshRetryPolicy = Fx.retry.while(\n          Fx.retry.compose(\n            Fx.retry.jittered(Fx.retry.exponential(RETRY_BASE_MS)),\n            Fx.retry.recurs(RETRY_MAX_RETRIES),\n          ),\n          (meta) => isRetriableProxyRefreshError(meta.input),\n        );\n\n        await Fx.run(\n          Fx.from({\n            ok: () =>\n              proxyFetch({\n                action: \"auth:signIn\",\n                args: { refreshToken: true },\n              }),\n            err: (e) => e,\n          }).pipe(\n            Fx.retry(proxyRefreshRetryPolicy),\n            Fx.chain((result: any) =>\n              Fx.from({\n                ok: async () => {\n                  if (result.tokens) {\n                    await setToken({\n                      shouldStore: false,\n                      tokens: { token: result.tokens.token },\n                      resyncConvexAuth: false,\n                    });\n                  } else {\n                    await setToken({\n                      shouldStore: false,\n                      tokens: null,\n                      resyncConvexAuth: false,\n                    });\n                  }\n                },\n                err: (e) => e,\n              }),\n            ),\n            Fx.inspect((error) =>\n              Fx.sync(() =>\n                console.error(\"[convex-auth] Proxy refresh failed:\", error),\n              ),\n            ),\n            Fx.recover(() => {\n              if (token === null) {\n                finalizeLoadingState();\n              }\n              return Fx.succeed(undefined);\n            }),\n          ),\n        );\n        return token;\n      });\n    }\n\n    // SPA mode: refresh via localStorage + httpClient.\n    const tokenBeforeLockAcquisition = token;\n    return await browserMutex(REFRESH_TOKEN_STORAGE_KEY, async () => {\n      const tokenAfterLockAcquisition = token;\n      if (tokenAfterLockAcquisition !== tokenBeforeLockAcquisition) {\n        return tokenAfterLockAcquisition;\n      }\n      const refreshToken =\n        (await storageGet(REFRESH_TOKEN_STORAGE_KEY)) ?? null;\n      if (!refreshToken) {\n        finalizeLoadingState();\n        return null;\n      }\n      await verifyCodeAndSetToken(\n        { refreshToken },\n        { resyncConvexAuth: false },\n      );\n      return token;\n    });\n  };\n\n  // ---------------------------------------------------------------------------\n  // OAuth code flow (SPA mode only — server handles this in proxy mode)\n  // ---------------------------------------------------------------------------\n\n  const handleCodeFlow = async () => {\n    if (typeof window === \"undefined\") return;\n    if (handlingCodeFlow) return;\n    const code = new URLSearchParams(window.location.search).get(\"code\");\n    if (!code) return;\n    handlingCodeFlow = true;\n    await Fx.run(\n      Fx.from({\n        ok: async () => {\n          await signIn(undefined, { code });\n          const codeUrl = new URL(window.location.href);\n          codeUrl.searchParams.delete(\"code\");\n          await replaceUrl(codeUrl.pathname + codeUrl.search + codeUrl.hash);\n        },\n        err: (e) => e,\n      }).pipe(\n        Fx.recover(() => Fx.succeed(undefined)),\n        Fx.tap(() =>\n          Fx.sync(() => {\n            handlingCodeFlow = false;\n          }),\n        ),\n        Fx.inspect(() =>\n          Fx.sync(() => {\n            handlingCodeFlow = false;\n          }),\n        ),\n      ),\n    );\n    // The flag is always reset — Fx.recover above ensures success path,\n    // but reset defensively here too.\n    handlingCodeFlow = false;\n  };\n\n  // ---------------------------------------------------------------------------\n  // Hydrate from storage (SPA mode only)\n  // ---------------------------------------------------------------------------\n\n  const hydrateFromStorage = async () => {\n    const storedToken = (await storageGet(JWT_STORAGE_KEY)) ?? null;\n    await setToken({\n      shouldStore: false,\n      tokens: storedToken === null ? null : { token: storedToken },\n    });\n  };\n\n  // ---------------------------------------------------------------------------\n  // Subscribe\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Subscribe to auth state changes. Invokes the callback immediately\n   * with the current state, then again on every state transition.\n   *\n   * ```ts\n   * const unsub = auth.onChange(setState);\n   * ```\n   *\n   * @param cb - Callback receiving the latest {@link AuthState}.\n   * @returns An unsubscribe function.\n   */\n  const onChange = (cb: (state: AuthState) => void): (() => void) => {\n    cb(snapshot);\n    const wrapped = () => cb(snapshot);\n    subscribers.add(wrapped);\n    return () => {\n      subscribers.delete(wrapped);\n    };\n  };\n\n  // ---------------------------------------------------------------------------\n  // Initialization\n  // ---------------------------------------------------------------------------\n\n  // Cross-tab sync via storage events (SPA mode only).\n  if (!proxy && typeof window !== \"undefined\") {\n    const registryKey = key(JWT_STORAGE_KEY);\n    const registry = getStorageListenerRegistry();\n    const existingListener = registry[registryKey];\n    if (existingListener !== undefined) {\n      window.removeEventListener(\"storage\", existingListener);\n    }\n\n    const onStorage = (event: StorageEvent) => {\n      Fx.detach(async () => {\n        if (event.key !== key(JWT_STORAGE_KEY)) return;\n        await setToken({\n          shouldStore: false,\n          tokens: event.newValue === null ? null : { token: event.newValue },\n        });\n      }, \"[convex-auth] Storage event handler failed:\");\n    };\n    window.addEventListener(\"storage\", onStorage);\n    registry[registryKey] = onStorage;\n    disposeStorageListener = () => {\n      if (registry[registryKey] === onStorage) {\n        delete registry[registryKey];\n      }\n      window.removeEventListener(\"storage\", onStorage);\n    };\n  }\n\n  // Auto-wire: feed our tokens into the Convex client so\n  // queries and mutations are automatically authenticated.\n  bindConvexAuth();\n\n  // Auto-hydrate and handle code flow.\n  if (typeof window !== \"undefined\") {\n    if (proxy) {\n      // Proxy mode: eagerly resolve auth once on startup so routes that only\n      // read auth state (and do not issue Convex queries yet) don't stay in\n      // the initial loading phase.\n      if (!hasServerToken) {\n        Fx.detach(\n          () => fetchAccessToken({ forceRefreshToken: true }),\n          \"[convex-auth] Proxy token refresh failed:\",\n        );\n      }\n    } else {\n      // SPA mode: hydrate from localStorage, then handle OAuth code flow.\n      Fx.detach(async () => {\n        await Fx.run(\n          Fx.from({\n            ok: async () => {\n              await hydrateFromStorage();\n              await handleCodeFlow();\n            },\n            err: (e) => e,\n          }).pipe(\n            Fx.inspect((error) =>\n              Fx.sync(() =>\n                console.error(\n                  \"[convex-auth] Client initialization failed:\",\n                  error,\n                ),\n              ),\n            ),\n            Fx.recover((_error) =>\n              Fx.from({\n                ok: () => setToken({ shouldStore: false, tokens: null }),\n                err: (e) => e,\n              }).pipe(Fx.recover(() => Fx.succeed(undefined))),\n            ),\n          ),\n        );\n      }, \"[convex-auth] SPA initialization failed:\");\n    }\n  }\n\n  // ---------------------------------------------------------------------------\n  // Auth factor helpers\n  // ---------------------------------------------------------------------------\n\n  const passkey = createPasskeyClient({\n    proxy,\n    convex,\n    requireApiRefs,\n    proxyFetch,\n    setTokenAndMaybeWait,\n  });\n\n  const totp = createTotpClient({\n    proxy,\n    convex,\n    requireApiRefs,\n    proxyFetch,\n    setTokenAndMaybeWait,\n  });\n\n  const device = createDeviceClient({\n    proxy,\n    convex,\n    requireApiRefs,\n    proxyFetch,\n    setTokenAndMaybeWait,\n  });\n\n  return {\n    /** Current auth state snapshot. */\n    get state(): AuthState {\n      return snapshot;\n    },\n    /** SSR-safe URL param reader. */\n    param,\n    /** Pending invite from URL or recovered from storage. Null if none. */\n    get invite(): PendingInvite | null {\n      const pendingInvite = getPendingInvite();\n      if (!pendingInvite) return null;\n      return {\n        token: pendingInvite.token,\n        email: pendingInvite.email,\n        accept: acceptInvite,\n      };\n    },\n    /** Sign in with a provider. See {@link SignInResult} for return shape. */\n    signIn,\n    /** Sign out and clear all token state. */\n    signOut,\n    /** Subscribe to auth state changes. Returns an unsubscribe function. */\n    onChange,\n    /** Passkey (WebAuthn) authentication helpers. */\n    passkey,\n    /** TOTP two-factor authentication helpers. */\n    totp,\n    /** Device authorization (RFC 8628) helpers. */\n    device,\n    /**\n     * Tear down this auth client instance.\n     *\n     * Removes the cross-tab `storage` event listener, clears all\n     * `onChange` subscribers, and rejects any in-flight handshake\n     * waiters. Call this when the client is no longer needed\n     * (e.g. on SPA unmount or hot-module replacement) to prevent\n     * memory leaks and stale callbacks.\n     *\n     * @example\n     * ```ts\n     * // SvelteKit onDestroy\n     * import { onDestroy } from \"svelte\";\n     * const auth = client({ convex, api: api.auth });\n     * onDestroy(() => auth.destroy());\n     * ```\n     *\n     * @example\n     * ```ts\n     * const unsubscribe = auth.onChange((state) => console.log(state.phase));\n     *\n     * // Later, during cleanup:\n     * unsubscribe();\n     * auth.destroy();\n     * ```\n     */\n    destroy: () => {\n      destroyed = true;\n      settleHandshakeWaiters(authEpoch, {\n        type: \"reject\",\n        error: createHandshakeError(\"AUTH_HANDSHAKE_REJECTED\", {\n          reason: \"destroyed\",\n        }),\n      });\n      disposeStorageListener?.();\n      subscribers.clear();\n    },\n  } as AuthClient<Api>;\n}\n"],"mappings":";;;;;;;;;;;;;AAyDA,MAAM,uBAAuB;AAC7B,MAAM,kBAAkB;AACxB,MAAM,4BAA4B;AAClC,MAAM,mBAAmB;AACzB,MAAM,mBAAmB;AAEzB,MAAM,gBAAgB;AACtB,MAAM,oBAAoB;AAC1B,MAAM,4BAA4B;;;;;;;AAQlC,SAAS,WAAW,QAAyB,UAA2B;AACtE,KAAI,SAAU,QAAO;CACrB,MAAM,IAAI;CACV,MAAM,MAAe,EAAE,OAAO,EAAE,QAAQ;AACxC,KAAI,OAAO,QAAQ,SAAU,QAAO;AACpC,OAAM,IAAI,MACR,oEACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwCH,SAAgB,OAEd,SAA8C;CAC9C,MAAM,EAAE,QAAQ,WAAW,KAAK,YAAY;CAC5C,MAAM,QAAQ;CAEd,SAAS,iBAAiB;AACxB,MAAI,CAAC,QACH,OAAM,IAAI,MACR,oFAED;AAEH,SAAO;;CAIT,MAAM,UACJ,QAAQ,YAAY,SAChB,QAAQ,UACR,QACE,OACA,OAAO,WAAW,cAChB,OACA,OAAO;CAEjB,MAAM,aACJ,QAAQ,gBACN,UAAgB;AAChB,MAAI,OAAO,WAAW,YACpB,QAAO,QAAQ,aAAa,EAAE,EAAE,IAAIA,MAAI;;CAQ9C,SAAS,cAA0B;AACjC,MAAI,OAAO,QAAQ,aAAa,WAAY,QAAO,QAAQ,UAAU;AACrE,MAAI,QAAQ,oBAAoB,IAAK,QAAO,QAAQ;AACpD,MAAI,OAAO,WAAW,YAAa,QAAO,IAAI,IAAI,OAAO,SAAS,KAAK;AACvE,SAAO;;;;;;;;;;;;;;;;;CAkBT,SAAS,MAAM,MAA6B;AAE1C,SADY,aAAa,EACb,aAAa,IAAI,KAAK,IAAI;;CAGxC,SAAS,eAAe,QAAkB;EACxC,MAAM,MAAM,aAAa;AACzB,MAAI,CAAC,IAAK;EACV,MAAM,eAAe,IAAI,gBAAgB,IAAI,OAAO;EACpD,IAAI,UAAU;AACd,OAAK,MAAM,KAAK,OACd,KAAI,aAAa,IAAI,EAAE,EAAE;AACvB,gBAAa,OAAO,EAAE;AACtB,aAAU;;AAGd,MAAI,QAIF,CAAK,WAHQ,aAAa,UAAU,GAChC,GAAG,IAAI,SAAS,GAAG,iBACnB,IAAI,SACa;;CAIzB,MAAM,MAAM,QAAQ,SAAY,WAAW,QAAQ,QAAQ,IAAI;CAC/D,MAAM,mBAAmB,QACrB,MAAM,QAAQ,iBAAiB,GAAG,GAClC,IAAK,QAAQ,iBAAiB,GAAG;CACrC,MAAM,OAAO,SAAiB,GAAG,KAAK,GAAG;CACzC,MAAM,EACJ,KAAK,YACL,KAAK,YACL,QAAQ,kBACN,qBAAqB;EAAE;EAAS;EAAK,CAAC;CAC1C,MAAM,EAAE,eAAe,YAAY,oBAAoB,mBAAmB,EACxE,OACD,CAAC;CACF,MAAM,8BAAc,IAAI,KAAiB;CACzC,IAAI,yBAA8C;CAIlD,MAAM,aAAa,QAAQ,OAAO,IAAI,iBAAiB,IAAK;CAQ5D,MAAM,cACJ,OAAO,QAAQ,cAAc,YAAY,QAAQ,UAAU,MAAM,CAAC,SAAS,IACvE,QAAQ,YACR;CACN,MAAM,iBAAiB,gBAAgB;CAEvC,IAAI,QAAuB;CAC3B,IAAI,YAAY,CAAC;CACjB,IAAI,gBAAgB;CACpB,IAAI,mBAAmB;CACvB,IAAI,YAAY;CAChB,IAAI,YAAY;CAChB,MAAM,mCAAmB,IAAI,KAAsB;CACnD,IAAI,WAAsB;EACxB,OAAO,iBACH,kBACA,YACE,YACA;EACN;EACA,iBAAiB;EACjB;EACD;CACD,IAAI,mBAAmB;CAEvB,MAAM,wBACJ,MACA,YACG;AACH,SAAO,IAAI,YAAY;GACrB;GACA,SAAS,YAAY;GACrB,GAAG;GACJ,CAAU;;CAGb,MAAM,0BACJ,OACA,YAGG;AACH,OAAK,MAAM,UAAU,MAAM,KAAK,iBAAiB,EAAE;AACjD,OAAI,OAAO,UAAU,MACnB;AAEF,gBAAa,OAAO,UAAU;AAC9B,oBAAiB,OAAO,OAAO;AAC/B,OAAI,QAAQ,SAAS,UACnB,QAAO,SAAS;OAEhB,QAAO,OAAO,QAAQ,MAAM;;;CAKlC,MAAM,kCAAkC,gBAAwB;AAC9D,OAAK,MAAM,UAAU,MAAM,KAAK,iBAAiB,EAAE;AACjD,OAAI,OAAO,SAAS,YAClB;AAEF,gBAAa,OAAO,UAAU;AAC9B,oBAAiB,OAAO,OAAO;AAC/B,UAAO,OACL,qBAAqB,2BAA2B;IAC9C,GAAG,OAAO;IACV,QAAQ;IACT,CAAC,CACH;;;CAIL,MAAM,uBAAuB,OAAO,YAA6B;AAC/D,MAAI,UAAU,KACZ;AAEF,MAAI,iBAAiB,CAAC,iBACpB;AAEF,MAAI,CAAC,iBACH,OAAM,qBAAqB,2BAA2B;GACpD,GAAG;GACH,QAAQ;GACT,CAAC;EAGJ,MAAM,QAAQ;AACd,QAAM,IAAI,SAAe,SAAS,WAAW;GAC3C,MAAM,YAAiD,EAAE,SAAS,MAAM;GAaxE,MAAM,SAA0B;IAC9B;IACA;IACA;IACA;IACA,WAjBgB,iBAAiB;AACjC,SAAI,UAAU,YAAY,KACxB,kBAAiB,OAAO,UAAU,QAAQ;AAE5C,YACE,qBAAqB,0BAA0B;MAC7C,GAAG;MACH,WAAW;MACZ,CAAC,CACH;OACA,0BAA0B;IAQ5B;AACD,aAAU,UAAU;AACpB,oBAAiB,IAAI,OAAO;IAC5B;;CAGJ,MAAM,0BAA0B,oBAA6B;AAC3D,MAAI,UACF;AAGF,MAAI,iBAAiB;AACnB,mBAAgB;AAChB,sBAAmB;AACnB,0BAAuB,WAAW,EAAE,MAAM,WAAW,CAAC;QAEtD,iBAAgB;AAMlB,MAAI,gBAAgB,CAClB,SAAQ;;CAIZ,MAAM,eAAe;AACnB,OAAK,MAAM,MAAM,YAAa,KAAI;;CAGpC,MAAM,uBAAuB;EAY3B,MAAM,QAAQ;GACZ,WAAW;GACX,SAAS;GACT,eAAe;GACf,iBAAiB;GAClB,CAhBqB,EACpB,KACE,UAAU,QAAQ,mBACd,cACA,YACE,YACA,UAAU,QAAQ,gBAChB,kBACA,mBACX,CAOe;EAEhB,MAAM,OAAkB;GACtB;GACA,WAAW,UAAU,aAAa,UAAU;GAC5C,iBAAiB,UAAU;GAC3B;GACD;AACD,MACE,SAAS,UAAU,KAAK,SACxB,SAAS,cAAc,KAAK,aAC5B,SAAS,oBAAoB,KAAK,mBAClC,SAAS,UAAU,KAAK,MAExB,QAAO;AAET,aAAW;AACX,SAAO;;CAGT,MAAM,6BAA6B;AACjC,MAAI,CAAC,UACH;AAEF,cAAY;AACZ,MAAI,gBAAgB,CAClB,SAAQ;;CAIZ,MAAM,gBAAgB,oBAAoB;EACxC;EACA;EACA;EACA;EACA;EACA,UAAU;EACV,UAAU;EACX,CAAC;CACF,MAAM,yBAAyB,cAAc,kBAAkB;CAC/D,MAAM,sBAAsB,cAAc,eAAe;CACzD,MAAM,qBAAqB,cAAc,cAAc;CAMvD,MAAM,uBAAuB;AAC3B,SAAO,QAAQ,kBAAkB,uBAAuB;;CAG1D,MAAM,WAAW,OACf,SAaG;EACH,MAAM,gBAAgB;AAEtB,MAAI,KAAK,WAAW,MAAM;AACxB,WAAQ;AACR,OAAI,KAAK,aAAa;AACpB,UAAM,cAAc,gBAAgB;AACpC,UAAM,cAAc,0BAA0B;;SAE3C;AACL,WAAQ,KAAK,OAAO;AACpB,OAAI,KAAK,eAAe,kBAAkB,KAAK,QAAQ;AACrD,UAAM,WAAW,iBAAiB,KAAK,OAAO,MAAM;AACpD,UAAM,WAAW,2BAA2B,KAAK,OAAO,aAAa;;;AAIzE,MAAI,UAAU,eAAe;AAC3B,gBAAa;AACb,kCAA+B,UAAU;;AAG3C,MAAI,UAAU,MAAM;AAClB,mBAAgB;AAChB,sBAAmB;AACnB,0BAAuB,WAAW;IAChC,MAAM;IACN,OAAO,qBAAqB,2BAA2B,EACrD,QAAQ,iBACT,CAAC;IACH,CAAC;aAGA,KAAK,qBAAqB,QAAQ,CAAC,eACX;AACxB,mBAAgB;AAChB,sBAAmB;QAEnB,oBAAmB;EAIvB,MAAM,iBAAiB;AACvB,cAAY;EACZ,MAAM,UAAU,gBAAgB;AAChC,MAAI,KAAK,qBAAqB,MAC5B,iBAAgB;AAElB,MAAI,kBAAkB,QACpB,SAAQ;;CAIZ,MAAM,uBAAuB,OAC3B,SAaqB;EACrB,MAAM,EAAE,kBAAkB,SAAS,GAAG,cAAc;AACpD,QAAM,SAAS;GACb,GAAI;GAGJ,kBAAkB;GACnB,CAAC;AACF,MAAI,UAAU,WAAW,KACvB,QAAO;AAET,MAAI,iBACF,OAAM,qBAAqB,QAAQ;AAErC,SAAO;;CAOT,MAAM,aAAa,OACjB,SACG;EACH,MAAM,wBAAwB,GAAG,MAAM,MACrC,GAAG,MAAM,QACP,GAAG,MAAM,SAAS,GAAG,MAAM,YAAY,cAAc,CAAC,EACtD,GAAG,MAAM,OAAO,kBAAkB,CACnC,GACA,SAAS,wBAAwB,KAAK,MAAM,CAC9C;AAED,SAAO,GAAG,IACR,GAAG,KAAK;GACN,UACE,WAAY,OACV,gBAAgB,CAAC,QACjB,UAAU,OACN;IAAE,QAAQ,EAAE,MAAM,KAAK,MAAM;IAAE,UAAU,KAAK;IAAU,GACxD,KACL;GACH,MAAM,MAAM;GACb,CAAC,CAAC,KACD,GAAG,MAAM,sBAAsB,EAC/B,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,CAAC,CAC/B,CACF;;CAGH,MAAM,wBAAwB,OAC5B,MACA,SACG;EACH,MAAM,EAAE,WAAW,MAAM,WAAW,KAAK;AACzC,QAAM,SAAS;GACb,aAAa;GACb,QAAS,UAAiC;GAC1C,kBAAkB,MAAM;GACzB,CAAC;AACF,SAAO,WAAW;;CAGpB,MAAM,6BAA6B,gBAAuC;AACxE,SAAO;GACL,YAAY,YAAY;GACxB,UAAU,YAAY;GACtB,iBACE,YAAY,oBAAoB,YAAY;GAC9C,yBACE,YAAY,6BACZ,YAAY;GACd,WAAW,YAAY;GACvB,UAAU,YAAY;GACvB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAmCH,MAAM,SAAS,OACb,UACA,SAC0B;AAE1B,QAAM,eAAe;EAErB,MAAM,SACJ,gBAAgB,kBACL;GACL,MAAM,aAAoC,EAAE;AAC5C,QAAK,SAAS,OAAO,UAAQ;AAC3B,eAAWC,SAAO,OAAO,UAAU,WAAW,QAAQ,MAAM;KAC5D;AACF,UAAO;MACL,GACH,QAAQ,EAAE;EACjB,MAAM,OACJ,OAAO,OAAO,SAAS,YAAY,OAAO,KAAK,SAAS,IACpD,OAAO,OACP;EAEN,MAAM,2BAA2B,OAC/B,QACA,cAEA,GAAG,IACD,GAAG,MAAM,QAAQ,OAAO,MAAM;GAC5B,WAAW,mBACT,GAAG,KAAK;IACN,IAAI,YAAY;KACd,MAAM,cAAc,IAAI,IAAI,eAAe,SAAS;AACpD,SAAIC,UAAQ,gBACV,OAAM,WACJ,sBACA,eAAe,SAChB;AAEH,SAAI,OAAO,WAAW,YACpB,QAAO,SAAS,OAAO,YAAY,UAAU;AAE/C,YAAO;MACL,MAAM;MACN,UAAU;MACV,UAAU,eAAe;MAC1B;;IAEH,MAAM,MAAM;IACb,CAAC;GACJ,eAAe,uBACb,GAAG,QAAQ;IACT,MAAM;IACN,UAAU,mBAAmB;IAC9B,CAAC;GACJ,aAAa,qBACX,GAAG,QAAQ;IACT,MAAM;IACN,YAAY,0BACV,iBAAiB,WAClB;IACF,CAAC;GACJ,WAAW,mBACT,GAAG,KAAK;IACN,IAAI,YAAY;AAmBd,YAlBkB,MAAM,qBACtBA,UAAQ,cACJ;MACE,aAAa;MACb,QAAQ,eAAe;MACvB,kBAAkB;MAClB,SAAS;OAAE;OAAU;OAAM;MAC5B,GACD;MACE,aAAa;MACb,QACE,eAAe,WAAW,OACtB,OACA,EAAE,OAAO,eAAe,OAAO,OAAO;MAC5C,kBAAkB;MAClB,SAAS;OAAE;OAAU;OAAM;MAC5B,CACN,GAEI,EAAE,MAAM,YAAqB,GAC7B,EAAE,MAAM,WAAoB;;IAEnC,MAAM,MAAM;IACb,CAAC;GACJ,UAAU,mBAAmB,GAAG,QAAQ,EAAE,MAAM,WAAoB,CAAC;GACrE,iBAAiB,0BACf,GAAG,QAAQ,EAAE,MAAM,WAAoB,CAAC;GAC1C,YAAY,qBACV,GAAG,QAAQ,EAAE,MAAM,WAAoB,CAAC;GAC3C,CAAC,CACH;AAEH,MAAI,MAKF,QAAO,yBAJS,MAAM,WAAW;GAC/B,QAAQ;GACR,MAAM;IAAE;IAAU;IAAQ;GAC3B,CAAC,EACsC;GACtC,aAAa;GACb,iBAAiB;GAClB,CAAC;EAIJ,MAAM,WAAY,MAAM,WAAW,qBAAqB,IAAK;AAC7D,QAAM,cAAc,qBAAqB;AAMzC,SAAO,yBALS,MAAM,OAAO,OAAO,gBAAgB,CAAC,QAAQ;GAC3D;GACA;GACA;GACD,CAAC,EACsC;GACtC,aAAa;GACb,iBAAiB;GAClB,CAAC;;;;;;;;;CAcJ,MAAM,UAAU,YAAY;AAC1B,MAAI,OAAO;AACT,SAAM,GAAG,IACP,GAAG,KAAK;IACN,UAAU,WAAW;KAAE,QAAQ;KAAgB,MAAM,EAAE;KAAE,CAAC;IAC1D,WAAW;IACZ,CAAC,CAAC,KAAK,GAAG,cAAc,GAAG,QAAQ,OAAU,CAAC,CAAC,CACjD;AACD,SAAM,SAAS;IAAE,aAAa;IAAO,QAAQ;IAAM,CAAC;AACpD,OAAI,OAAO,UAAW,QAAO,WAAW;AACxC;;AAIF,QAAM,GAAG,IACP,GAAG,KAAK;GACN,UAAU,OAAO,OAAO,gBAAgB,CAAC,SAAS,EAAE,CAAC;GACrD,WAAW;GACZ,CAAC,CAAC,KAAK,GAAG,cAAc,GAAG,QAAQ,OAAU,CAAC,CAAC,CACjD;AACD,QAAM,SAAS;GAAE,aAAa;GAAM,QAAQ;GAAM,CAAC;AACnD,MAAI,OAAO,UAAW,QAAO,WAAW;;CAO1C,MAAM,mBAAmB,OAAO,EAC9B,wBAG4B;AAC5B,MAAI,CAAC,kBAAmB,QAAO;AAE/B,MAAI,OAAO;GAGT,MAAM,mBAAmB,MAAM,iBAAiB;AAChD,OACE,OAAO,WAAW,eAClB,CAAE,MAAM,cAAc,iBAAiB,EACvC;AACA,0BAAsB;AACtB,WAAO;;GAGT,MAAM,qBAAqB;AAC3B,UAAO,MAAM,aAAa,4BAA4B,YAAY;AAEhE,QAAI,UAAU,mBAAoB,QAAO;IAEzC,MAAM,0BAA0B,GAAG,MAAM,MACvC,GAAG,MAAM,QACP,GAAG,MAAM,SAAS,GAAG,MAAM,YAAY,cAAc,CAAC,EACtD,GAAG,MAAM,OAAO,kBAAkB,CACnC,GACA,SAAS,6BAA6B,KAAK,MAAM,CACnD;AAED,UAAM,GAAG,IACP,GAAG,KAAK;KACN,UACE,WAAW;MACT,QAAQ;MACR,MAAM,EAAE,cAAc,MAAM;MAC7B,CAAC;KACJ,MAAM,MAAM;KACb,CAAC,CAAC,KACD,GAAG,MAAM,wBAAwB,EACjC,GAAG,OAAO,WACR,GAAG,KAAK;KACN,IAAI,YAAY;AACd,UAAI,OAAO,OACT,OAAM,SAAS;OACb,aAAa;OACb,QAAQ,EAAE,OAAO,OAAO,OAAO,OAAO;OACtC,kBAAkB;OACnB,CAAC;UAEF,OAAM,SAAS;OACb,aAAa;OACb,QAAQ;OACR,kBAAkB;OACnB,CAAC;;KAGN,MAAM,MAAM;KACb,CAAC,CACH,EACD,GAAG,SAAS,UACV,GAAG,WACD,QAAQ,MAAM,uCAAuC,MAAM,CAC5D,CACF,EACD,GAAG,cAAc;AACf,SAAI,UAAU,KACZ,uBAAsB;AAExB,YAAO,GAAG,QAAQ,OAAU;MAC5B,CACH,CACF;AACD,WAAO;KACP;;EAIJ,MAAM,6BAA6B;AACnC,SAAO,MAAM,aAAa,2BAA2B,YAAY;GAC/D,MAAM,4BAA4B;AAClC,OAAI,8BAA8B,2BAChC,QAAO;GAET,MAAM,eACH,MAAM,WAAW,0BAA0B,IAAK;AACnD,OAAI,CAAC,cAAc;AACjB,0BAAsB;AACtB,WAAO;;AAET,SAAM,sBACJ,EAAE,cAAc,EAChB,EAAE,kBAAkB,OAAO,CAC5B;AACD,UAAO;IACP;;CAOJ,MAAM,iBAAiB,YAAY;AACjC,MAAI,OAAO,WAAW,YAAa;AACnC,MAAI,iBAAkB;EACtB,MAAM,OAAO,IAAI,gBAAgB,OAAO,SAAS,OAAO,CAAC,IAAI,OAAO;AACpE,MAAI,CAAC,KAAM;AACX,qBAAmB;AACnB,QAAM,GAAG,IACP,GAAG,KAAK;GACN,IAAI,YAAY;AACd,UAAM,OAAO,QAAW,EAAE,MAAM,CAAC;IACjC,MAAM,UAAU,IAAI,IAAI,OAAO,SAAS,KAAK;AAC7C,YAAQ,aAAa,OAAO,OAAO;AACnC,UAAM,WAAW,QAAQ,WAAW,QAAQ,SAAS,QAAQ,KAAK;;GAEpE,MAAM,MAAM;GACb,CAAC,CAAC,KACD,GAAG,cAAc,GAAG,QAAQ,OAAU,CAAC,EACvC,GAAG,UACD,GAAG,WAAW;AACZ,sBAAmB;IACnB,CACH,EACD,GAAG,cACD,GAAG,WAAW;AACZ,sBAAmB;IACnB,CACH,CACF,CACF;AAGD,qBAAmB;;CAOrB,MAAM,qBAAqB,YAAY;EACrC,MAAM,cAAe,MAAM,WAAW,gBAAgB,IAAK;AAC3D,QAAM,SAAS;GACb,aAAa;GACb,QAAQ,gBAAgB,OAAO,OAAO,EAAE,OAAO,aAAa;GAC7D,CAAC;;;;;;;;;;;;;CAkBJ,MAAM,YAAY,OAAiD;AACjE,KAAG,SAAS;EACZ,MAAM,gBAAgB,GAAG,SAAS;AAClC,cAAY,IAAI,QAAQ;AACxB,eAAa;AACX,eAAY,OAAO,QAAQ;;;AAS/B,KAAI,CAAC,SAAS,OAAO,WAAW,aAAa;EAC3C,MAAM,cAAc,IAAI,gBAAgB;EACxC,MAAM,WAAW,4BAA4B;EAC7C,MAAM,mBAAmB,SAAS;AAClC,MAAI,qBAAqB,OACvB,QAAO,oBAAoB,WAAW,iBAAiB;EAGzD,MAAM,aAAa,UAAwB;AACzC,MAAG,OAAO,YAAY;AACpB,QAAI,MAAM,QAAQ,IAAI,gBAAgB,CAAE;AACxC,UAAM,SAAS;KACb,aAAa;KACb,QAAQ,MAAM,aAAa,OAAO,OAAO,EAAE,OAAO,MAAM,UAAU;KACnE,CAAC;MACD,8CAA8C;;AAEnD,SAAO,iBAAiB,WAAW,UAAU;AAC7C,WAAS,eAAe;AACxB,iCAA+B;AAC7B,OAAI,SAAS,iBAAiB,UAC5B,QAAO,SAAS;AAElB,UAAO,oBAAoB,WAAW,UAAU;;;AAMpD,iBAAgB;AAGhB,KAAI,OAAO,WAAW,YACpB,KAAI,OAIF;MAAI,CAAC,eACH,IAAG,aACK,iBAAiB,EAAE,mBAAmB,MAAM,CAAC,EACnD,4CACD;OAIH,IAAG,OAAO,YAAY;AACpB,QAAM,GAAG,IACP,GAAG,KAAK;GACN,IAAI,YAAY;AACd,UAAM,oBAAoB;AAC1B,UAAM,gBAAgB;;GAExB,MAAM,MAAM;GACb,CAAC,CAAC,KACD,GAAG,SAAS,UACV,GAAG,WACD,QAAQ,MACN,+CACA,MACD,CACF,CACF,EACD,GAAG,SAAS,WACV,GAAG,KAAK;GACN,UAAU,SAAS;IAAE,aAAa;IAAO,QAAQ;IAAM,CAAC;GACxD,MAAM,MAAM;GACb,CAAC,CAAC,KAAK,GAAG,cAAc,GAAG,QAAQ,OAAU,CAAC,CAAC,CACjD,CACF,CACF;IACA,2CAA2C;AAgClD,QAAO;EAEL,IAAI,QAAmB;AACrB,UAAO;;EAGT;EAEA,IAAI,SAA+B;GACjC,MAAM,gBAAgB,kBAAkB;AACxC,OAAI,CAAC,cAAe,QAAO;AAC3B,UAAO;IACL,OAAO,cAAc;IACrB,OAAO,cAAc;IACrB,QAAQ;IACT;;EAGH;EAEA;EAEA;EAEA,SAhDc,oBAAoB;GAClC;GACA;GACA;GACA;GACA;GACD,CAAC;EA4CA,MA1CW,iBAAiB;GAC5B;GACA;GACA;GACA;GACA;GACD,CAAC;EAsCA,QApCa,mBAAmB;GAChC;GACA;GACA;GACA;GACA;GACD,CAAC;EAyDA,eAAe;AACb,eAAY;AACZ,0BAAuB,WAAW;IAChC,MAAM;IACN,OAAO,qBAAqB,2BAA2B,EACrD,QAAQ,aACT,CAAC;IACH,CAAC;AACF,6BAA0B;AAC1B,eAAY,OAAO;;EAEtB"}

package/dist/component/_generated/api.d.ts

@@ -1,5 +1,26 @@
 import { functions_d_exports } from "../functions.js";
+import { model_d_exports } from "../model.js";
 import { index_d_exports } from "../index.js";
+import { accounts_d_exports } from "../public/identity/accounts.js";
+import { devices_d_exports } from "../public/factors/devices.js";
+import { audit_d_exports } from "../public/enterprise/audit.js";
+import { core_d_exports } from "../public/enterprise/core.js";
+import { domains_d_exports } from "../public/enterprise/domains.js";
+import { scim_d_exports } from "../public/enterprise/scim.js";
+import { secrets_d_exports } from "../public/enterprise/secrets.js";
+import { webhooks_d_exports } from "../public/enterprise/webhooks.js";
+import { core_d_exports as core_d_exports$1 } from "../public/groups/core.js";
+import { invites_d_exports } from "../public/groups/invites.js";
+import { members_d_exports } from "../public/groups/members.js";
+import { keys_d_exports } from "../public/security/keys.js";
+import { passkeys_d_exports } from "../public/factors/passkeys.js";
+import { limits_d_exports } from "../public/security/limits.js";
+import { tokens_d_exports } from "../public/identity/tokens.js";
+import { sessions_d_exports } from "../public/identity/sessions.js";
+import { totp_d_exports } from "../public/factors/totp.js";
+import { users_d_exports } from "../public/identity/users.js";
+import { codes_d_exports } from "../public/identity/codes.js";
+import { verifiers_d_exports } from "../public/identity/verifiers.js";
 import { public_d_exports } from "../public.js";
 import { ApiFromModules, FilterApi, FunctionReference } from "convex/server";
 
@@ -7,7 +28,28 @@ import { ApiFromModules, FilterApi, FunctionReference } from "convex/server";
 declare const fullApi: ApiFromModules<{
   functions: typeof functions_d_exports;
   index: typeof index_d_exports;
+  model: typeof model_d_exports;
   public: typeof public_d_exports;
+  "public/enterprise/audit": typeof audit_d_exports;
+  "public/enterprise/core": typeof core_d_exports;
+  "public/enterprise/domains": typeof domains_d_exports;
+  "public/enterprise/scim": typeof scim_d_exports;
+  "public/enterprise/secrets": typeof secrets_d_exports;
+  "public/enterprise/webhooks": typeof webhooks_d_exports;
+  "public/factors/devices": typeof devices_d_exports;
+  "public/factors/passkeys": typeof passkeys_d_exports;
+  "public/factors/totp": typeof totp_d_exports;
+  "public/groups/core": typeof core_d_exports$1;
+  "public/groups/invites": typeof invites_d_exports;
+  "public/groups/members": typeof members_d_exports;
+  "public/identity/accounts": typeof accounts_d_exports;
+  "public/identity/codes": typeof codes_d_exports;
+  "public/identity/sessions": typeof sessions_d_exports;
+  "public/identity/tokens": typeof tokens_d_exports;
+  "public/identity/users": typeof users_d_exports;
+  "public/identity/verifiers": typeof verifiers_d_exports;
+  "public/security/keys": typeof keys_d_exports;
+  "public/security/limits": typeof limits_d_exports;
 }>;
 /**
  * A utility for referencing Convex functions in your app's public API.

package/dist/component/_generated/api.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"api.d.ts","names":[],"sources":["../../../src/component/_generated/api.ts"],"mappings":";;;;;;cAqBM,OAAA,EAAS,cAAA;EACb,SAAA,SAAkB,mBAAA;EAClB,KAAA,SAAc,eAAA;EACd,MAAA,SAAe,gBAAA;AAAA;;;;;;;;AAWjB;cAAa,GAAA,EAAK,SAAA,QACT,OAAA,EACP,iBAAA;;;;;;;;;cAWW,QAAA,EAAU,SAAA,QACd,OAAA,EACP,iBAAA;AAAA,cAGW,UAAA"}
+{"version":3,"file":"api.d.ts","names":[],"sources":["../../../src/component/_generated/api.ts"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;cA0CM,OAAA,EAAS,cAAA;EACb,SAAA,SAAkB,mBAAA;EAClB,KAAA,SAAc,eAAA;EACd,KAAA,SAAc,eAAA;EACd,MAAA,SAAe,gBAAA;EACf,yBAAA,SAAkC,eAAA;EAClC,wBAAA,SAAiC,cAAA;EACjC,2BAAA,SAAoC,iBAAA;EACpC,wBAAA,SAAiC,cAAA;EACjC,2BAAA,SAAoC,iBAAA;EACpC,4BAAA,SAAqC,kBAAA;EACrC,wBAAA,SAAiC,iBAAA;EACjC,yBAAA,SAAkC,kBAAA;EAClC,qBAAA,SAA8B,cAAA;EAC9B,oBAAA,SAA6B,gBAAA;EAC7B,uBAAA,SAAgC,iBAAA;EAChC,uBAAA,SAAgC,iBAAA;EAChC,0BAAA,SAAmC,kBAAA;EACnC,uBAAA,SAAgC,eAAA;EAChC,0BAAA,SAAmC,kBAAA;EACnC,wBAAA,SAAiC,gBAAA;EACjC,uBAAA,SAAgC,eAAA;EAChC,2BAAA,SAAoC,mBAAA;EACpC,sBAAA,SAA+B,cAAA;EAC/B,wBAAA,SAAiC,gBAAA;AAAA;;;;;;;;;cAWtB,GAAA,EAAK,SAAA,QACT,OAAA,EACP,iBAAA;;;;;;;;;cAWW,QAAA,EAAU,SAAA,QACd,OAAA,EACP,iBAAA;AAAA,cAGW,UAAA"}

package/dist/component/_generated/api.js.map

@@ -1 +1 @@
-{"version":3,"file":"api.js","names":[],"sources":["../../../src/component/_generated/api.ts"],"sourcesContent":["/* eslint-disable */\n/**\n * Generated `api` utility.\n *\n * THIS CODE IS AUTOMATICALLY GENERATED.\n *\n * To regenerate, run `npx convex dev`.\n * @module\n */\n\nimport type * as functions from \"../functions.js\";\nimport type * as index from \"../index.js\";\nimport type * as public_ from \"../public.js\";\n\nimport type {\n  ApiFromModules,\n  FilterApi,\n  FunctionReference,\n} from \"convex/server\";\nimport { anyApi, componentsGeneric } from \"convex/server\";\n\nconst fullApi: ApiFromModules<{\n  functions: typeof functions;\n  index: typeof index;\n  public: typeof public_;\n}> = anyApi as any;\n\n/**\n * A utility for referencing Convex functions in your app's public API.\n *\n * Usage:\n * ```js\n * const myFunctionReference = api.myModule.myFunction;\n * ```\n */\nexport const api: FilterApi<\n  typeof fullApi,\n  FunctionReference<any, \"public\">\n> = anyApi as any;\n\n/**\n * A utility for referencing Convex functions in your app's internal API.\n *\n * Usage:\n * ```js\n * const myFunctionReference = internal.myModule.myFunction;\n * ```\n */\nexport const internal: FilterApi<\n  typeof fullApi,\n  FunctionReference<any, \"internal\">\n> = anyApi as any;\n\nexport const components = componentsGeneric() as unknown as {};\n"],"mappings":";;;;;;;;;;;AAmCA,MAAa,MAGT;;;;;;;;;AAUJ,MAAa,WAGT;AAEJ,MAAa,aAAa,mBAAmB"}
+{"version":3,"file":"api.js","names":[],"sources":["../../../src/component/_generated/api.ts"],"sourcesContent":["/* eslint-disable */\n/**\n * Generated `api` utility.\n *\n * THIS CODE IS AUTOMATICALLY GENERATED.\n *\n * To regenerate, run `npx convex dev`.\n * @module\n */\n\nimport type * as functions from \"../functions.js\";\nimport type * as index from \"../index.js\";\nimport type * as model from \"../model.js\";\nimport type * as public_ from \"../public.js\";\nimport type * as public_enterprise_audit from \"../public/enterprise/audit.js\";\nimport type * as public_enterprise_core from \"../public/enterprise/core.js\";\nimport type * as public_enterprise_domains from \"../public/enterprise/domains.js\";\nimport type * as public_enterprise_scim from \"../public/enterprise/scim.js\";\nimport type * as public_enterprise_secrets from \"../public/enterprise/secrets.js\";\nimport type * as public_enterprise_webhooks from \"../public/enterprise/webhooks.js\";\nimport type * as public_factors_devices from \"../public/factors/devices.js\";\nimport type * as public_factors_passkeys from \"../public/factors/passkeys.js\";\nimport type * as public_factors_totp from \"../public/factors/totp.js\";\nimport type * as public_groups_core from \"../public/groups/core.js\";\nimport type * as public_groups_invites from \"../public/groups/invites.js\";\nimport type * as public_groups_members from \"../public/groups/members.js\";\nimport type * as public_identity_accounts from \"../public/identity/accounts.js\";\nimport type * as public_identity_codes from \"../public/identity/codes.js\";\nimport type * as public_identity_sessions from \"../public/identity/sessions.js\";\nimport type * as public_identity_tokens from \"../public/identity/tokens.js\";\nimport type * as public_identity_users from \"../public/identity/users.js\";\nimport type * as public_identity_verifiers from \"../public/identity/verifiers.js\";\nimport type * as public_security_keys from \"../public/security/keys.js\";\nimport type * as public_security_limits from \"../public/security/limits.js\";\n\nimport type {\n  ApiFromModules,\n  FilterApi,\n  FunctionReference,\n} from \"convex/server\";\nimport { anyApi, componentsGeneric } from \"convex/server\";\n\nconst fullApi: ApiFromModules<{\n  functions: typeof functions;\n  index: typeof index;\n  model: typeof model;\n  public: typeof public_;\n  \"public/enterprise/audit\": typeof public_enterprise_audit;\n  \"public/enterprise/core\": typeof public_enterprise_core;\n  \"public/enterprise/domains\": typeof public_enterprise_domains;\n  \"public/enterprise/scim\": typeof public_enterprise_scim;\n  \"public/enterprise/secrets\": typeof public_enterprise_secrets;\n  \"public/enterprise/webhooks\": typeof public_enterprise_webhooks;\n  \"public/factors/devices\": typeof public_factors_devices;\n  \"public/factors/passkeys\": typeof public_factors_passkeys;\n  \"public/factors/totp\": typeof public_factors_totp;\n  \"public/groups/core\": typeof public_groups_core;\n  \"public/groups/invites\": typeof public_groups_invites;\n  \"public/groups/members\": typeof public_groups_members;\n  \"public/identity/accounts\": typeof public_identity_accounts;\n  \"public/identity/codes\": typeof public_identity_codes;\n  \"public/identity/sessions\": typeof public_identity_sessions;\n  \"public/identity/tokens\": typeof public_identity_tokens;\n  \"public/identity/users\": typeof public_identity_users;\n  \"public/identity/verifiers\": typeof public_identity_verifiers;\n  \"public/security/keys\": typeof public_security_keys;\n  \"public/security/limits\": typeof public_security_limits;\n}> = anyApi as any;\n\n/**\n * A utility for referencing Convex functions in your app's public API.\n *\n * Usage:\n * ```js\n * const myFunctionReference = api.myModule.myFunction;\n * ```\n */\nexport const api: FilterApi<\n  typeof fullApi,\n  FunctionReference<any, \"public\">\n> = anyApi as any;\n\n/**\n * A utility for referencing Convex functions in your app's internal API.\n *\n * Usage:\n * ```js\n * const myFunctionReference = internal.myModule.myFunction;\n * ```\n */\nexport const internal: FilterApi<\n  typeof fullApi,\n  FunctionReference<any, \"internal\">\n> = anyApi as any;\n\nexport const components = componentsGeneric() as unknown as {};\n"],"mappings":";;;;;;;;;;;AA6EA,MAAa,MAGT;;;;;;;;;AAUJ,MAAa,WAGT;AAEJ,MAAa,aAAa,mBAAmB"}