@superbuilders/primer-tives 3.6.0 → 3.7.1

package/README.md

@@ -17,7 +17,7 @@ bun add @superbuilders/primer-tives
 
 ## Version
 
-The current SDK version is `3.6.0`.
+The current SDK version is `3.7.1`.
 
 ## Entrypoints
 
@@ -42,7 +42,6 @@ import * as logger from "@superbuilders/slog"
 import { start, type PrimerOptions } from "@superbuilders/primer-tives/client"
 
 const options = {
-	origin: "https://primerlearn.dev",
 	publishableKey: "pk_...",
 	subject: "math",
 	supportedPcis: ["urn:primer:pci:fraction-input"],
@@ -56,7 +55,6 @@ If your application already has a learner access token, pass it directly. `start
 
 ```ts
 const options = {
-	origin: "https://primerlearn.dev",
 	publishableKey: "pk_...",
 	accessToken,
 	subject: "math",
@@ -92,7 +90,6 @@ Vocabulary and science currently have no required PCI capabilities, so `supporte
 
 ```ts
 const options = {
-	origin: "https://primerlearn.dev",
 	publishableKey: "pk_...",
 	subject: "vocabulary",
 	logger
@@ -105,7 +102,6 @@ Omitting `subject` means the SDK asks Primer for the all-subject runtime scope.
 
 ```ts
 const options = {
-	origin: "https://primerlearn.dev",
 	publishableKey: "pk_...",
 	supportedPcis: ["urn:primer:pci:fraction-input"],
 	logger
@@ -142,7 +138,6 @@ import { start, type PrimerOptions } from "@superbuilders/primer-tives/client"
 import { ErrAuthUnavailable, ErrMalformedAccessToken } from "@superbuilders/primer-tives/errors"
 
 const options = {
-	origin,
 	publishableKey,
 	accessToken,
 	subject: "math",
@@ -174,7 +169,6 @@ if (state.phase === "fatal") {
 
 ```ts
 type PrimerOptions<S extends Subject | undefined = undefined, Supported extends readonly PciId[] = []> = {
-	readonly origin: string
 	readonly publishableKey: string
 	readonly accessToken?: string
 	readonly subject?: S
@@ -187,7 +181,6 @@ type PrimerOptions<S extends Subject | undefined = undefined, Supported extends
 
 | Field | Required | Meaning |
 | --- | --- | --- |
-| `origin` | Yes | Primer deployment origin. |
 | `publishableKey` | Yes | Public key identifying the Primer frontend your runtime belongs to. |
 | `accessToken` | No | Learner access token. When present, `start` uses it for the learning runtime. |
 | `subject` | No | Public content scope: `"math"`, `"vocabulary"`, or `"science"`. Omitted means all-subject scope. |
@@ -198,6 +191,8 @@ type PrimerOptions<S extends Subject | undefined = undefined, Supported extends
 
 The presence or absence of `accessToken` selects startup auth semantics.
 
+The SDK uses Primer's production runtime by default.
+
 | Shape | Semantics |
 | --- | --- |
 | `accessToken` present | `start` validates the token shape locally and uses it for learning runtime state. |
@@ -288,7 +283,6 @@ This fails at compile time because math can emit a required PCI:
 
 ```ts
 await start({
-	origin,
 	publishableKey,
 	subject: "math",
 	logger
@@ -299,7 +293,6 @@ This passes:
 
 ```ts
 const options = {
-	origin,
 	publishableKey,
 	subject: "math",
 	supportedPcis: ["urn:primer:pci:fraction-input"],
@@ -1288,7 +1281,6 @@ import * as logger from "@superbuilders/slog"
 import { start, type PrimerOptions } from "@superbuilders/primer-tives/client"
 
 const options = {
-	origin,
 	publishableKey,
 	subject: "vocabulary",
 	logger
@@ -1341,7 +1333,6 @@ import { ErrUnsupportedPci } from "@superbuilders/primer-tives/errors"
 declare const fetchMock: typeof globalThis.fetch
 
 const options = {
-	origin: "https://primer.test",
 	publishableKey: "pk_test",
 	accessToken: "eyJ.test.token",
 	subject: "vocabulary",
@@ -1388,7 +1379,7 @@ grade level
 1. Import `start` and `PrimerOptions` from `@superbuilders/primer-tives/client`.
 2. Import shared renderer contracts from `@superbuilders/primer-tives/contracts`.
 3. Define options with `satisfies PrimerOptions<...>` so subject and PCI requirements stay visible at the declaration site.
-4. Pass `origin`, `publishableKey`, and `logger` to `start`.
+4. Pass `publishableKey` and `logger` to `start`.
 5. Either pass `accessToken` or handle `UnauthenticatedState`.
 6. Choose a public `subject`, or omit `subject` for all-subject runtime scope.
 7. Declare every required renderer PCI in `supportedPcis`.

package/dist/client/auth/browser.d.ts

@@ -11,10 +11,7 @@ declare function browserStorage(options: HostedAuthOptions | undefined, logger:
 declare function currentUrl(options: HostedAuthOptions | undefined, logger: PrimerLogger): URL;
 declare function redirectUri(options: HostedAuthOptions | undefined, url: URL, logger: PrimerLogger): string;
 declare function randomClientState(logger: PrimerLogger): string;
-declare function clearCallbackHash(options: HostedAuthOptions | undefined, url: URL): void;
 declare function openAuthPopup(url: string, options: HostedAuthOptions | undefined, logger: PrimerLogger): Window;
-declare function readablePopupUrl(popup: Window): string | null;
-declare function sleep(ms: number): Promise<void>;
-export { browserStorage, clearCallbackHash, currentUrl, openAuthPopup, randomClientState, readablePopupUrl, redirectUri, sleep };
+export { browserStorage, currentUrl, openAuthPopup, randomClientState, redirectUri };
 export type { HostedAuthOptions };
 //# sourceMappingURL=browser.d.ts.map

package/dist/client/auth/browser.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"browser.d.ts","sourceRoot":"","sources":["../../../src/client/auth/browser.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AAEtE,KAAK,iBAAiB,GAAG;IACxB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAA;IAC1B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAA;IAC5B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAA;IAC/B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAA;CAChC,CAAA;AAED,iBAAS,cAAc,CAAC,OAAO,EAAE,iBAAiB,GAAG,SAAS,EAAE,MAAM,EAAE,YAAY,GAAG,OAAO,CAS7F;AAED,iBAAS,UAAU,CAAC,OAAO,EAAE,iBAAiB,GAAG,SAAS,EAAE,MAAM,EAAE,YAAY,GAAG,GAAG,CAarF;AAED,iBAAS,WAAW,CACnB,OAAO,EAAE,iBAAiB,GAAG,SAAS,EACtC,GAAG,EAAE,GAAG,EACR,MAAM,EAAE,YAAY,GAClB,MAAM,CASR;AAED,iBAAS,iBAAiB,CAAC,MAAM,EAAE,YAAY,GAAG,MAAM,CAYvD;AAED,iBAAS,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,GAAG,SAAS,EAAE,GAAG,EAAE,GAAG,GAAG,IAAI,CASjF;AAED,iBAAS,aAAa,CACrB,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,iBAAiB,GAAG,SAAS,EACtC,MAAM,EAAE,YAAY,GAClB,MAAM,CAmBR;AAED,iBAAS,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAQtD;AAED,iBAAS,KAAK,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAIxC;AAED,OAAO,EACN,cAAc,EACd,iBAAiB,EACjB,UAAU,EACV,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,WAAW,EACX,KAAK,EACL,CAAA;AACD,YAAY,EAAE,iBAAiB,EAAE,CAAA"}
+{"version":3,"file":"browser.d.ts","sourceRoot":"","sources":["../../../src/client/auth/browser.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AAEtE,KAAK,iBAAiB,GAAG;IACxB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAA;IAC1B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAA;IAC5B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAA;IAC/B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAA;CAChC,CAAA;AAED,iBAAS,cAAc,CAAC,OAAO,EAAE,iBAAiB,GAAG,SAAS,EAAE,MAAM,EAAE,YAAY,GAAG,OAAO,CAS7F;AAED,iBAAS,UAAU,CAAC,OAAO,EAAE,iBAAiB,GAAG,SAAS,EAAE,MAAM,EAAE,YAAY,GAAG,GAAG,CAarF;AAED,iBAAS,WAAW,CACnB,OAAO,EAAE,iBAAiB,GAAG,SAAS,EACtC,GAAG,EAAE,GAAG,EACR,MAAM,EAAE,YAAY,GAClB,MAAM,CASR;AAED,iBAAS,iBAAiB,CAAC,MAAM,EAAE,YAAY,GAAG,MAAM,CAYvD;AAED,iBAAS,aAAa,CACrB,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,iBAAiB,GAAG,SAAS,EACtC,MAAM,EAAE,YAAY,GAClB,MAAM,CAmBR;AAED,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,aAAa,EAAE,iBAAiB,EAAE,WAAW,EAAE,CAAA;AACpF,YAAY,EAAE,iBAAiB,EAAE,CAAA"}

package/dist/client/auth/hosted-popup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hosted-popup.d.ts","sourceRoot":"","sources":["../../../src/client/auth/hosted-popup.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AACtE,OAAO,EAKN,KAAK,iBAAiB,EACtB,MAAM,iDAAiD,CAAA;AAMxD,KAAK,iBAAiB,GAAG;IACxB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAA;IAC/B,QAAQ,CAAC,UAAU,EAAE,GAAG,CAAA;IACxB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;IAC5B,QAAQ,CAAC,OAAO,CAAC,EAAE,iBAAiB,CAAA;IACpC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAA;CAC7B,CAAA;AA6CD,iBAAe,gBAAgB,CAAC,MAAM,EAAE,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC,CA8B1E;AAED,OAAO,EAAE,gBAAgB,EAAE,CAAA;AAC3B,YAAY,EAAE,iBAAiB,EAAE,CAAA"}
+{"version":3,"file":"hosted-popup.d.ts","sourceRoot":"","sources":["../../../src/client/auth/hosted-popup.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AACtE,OAAO,EAGN,KAAK,iBAAiB,EACtB,MAAM,iDAAiD,CAAA;AAOxD,KAAK,iBAAiB,GAAG;IACxB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAA;IAC/B,QAAQ,CAAC,UAAU,EAAE,GAAG,CAAA;IACxB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;IAC5B,QAAQ,CAAC,OAAO,CAAC,EAAE,iBAAiB,CAAA;IACpC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAA;CAC7B,CAAA;AAwJD,iBAAe,gBAAgB,CAAC,MAAM,EAAE,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC,CAU1E;AAED,OAAO,EAAE,gBAAgB,EAAE,CAAA;AAC3B,YAAY,EAAE,iBAAiB,EAAE,CAAA"}

package/dist/client/auth/provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../../src/client/auth/provider.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AACtE,OAAO,EAKN,KAAK,iBAAiB,EACtB,MAAM,iDAAiD,CAAA;AAMxD,OAAO,EAEN,KAAK,mBAAmB,EACxB,MAAM,sDAAsD,CAAA;AAU7D,KAAK,0BAA0B,GAAG;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAA;IAC/B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,UAAU,CAAC,EAAE,iBAAiB,CAAA;IACvC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAA;CAC7B,CAAA;AAED,KAAK,yBAAyB,GAAG;IAChC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAA;IACzB,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAA;CACzC,CAAA;AAED,KAAK,gCAAgC,GAAG;IACvC,QAAQ,CAAC,IAAI,EAAE,iBAAiB,CAAA;IAChC,QAAQ,CAAC,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;CAC5B,CAAA;AAED,KAAK,sBAAsB,GAAG;IAC7B,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAA;IACtB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;CACrB,CAAA;AAED,KAAK,yBAAyB,GAC3B,yBAAyB,GACzB,gCAAgC,GAChC,sBAAsB,CAAA;AAEzB,KAAK,iBAAiB,GAAG,yBAAyB,GAAG,gCAAgC,CAAA;AAkGrF,iBAAS,0BAA0B,CAClC,OAAO,EAAE,0BAA0B,GACjC,yBAAyB,CAqB3B;AAED,iBAAe,gBAAgB,CAAC,OAAO,EAAE,0BAA0B,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAqC/F;AAED,OAAO,EAAE,gBAAgB,EAAE,0BAA0B,EAAE,CAAA;AACvD,YAAY,EAAE,0BAA0B,EAAE,yBAAyB,EAAE,iBAAiB,EAAE,CAAA"}
+{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../../src/client/auth/provider.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AACtE,OAAO,EAIN,KAAK,iBAAiB,EACtB,MAAM,iDAAiD,CAAA;AAExD,OAAO,EAEN,KAAK,mBAAmB,EACxB,MAAM,sDAAsD,CAAA;AAS7D,KAAK,0BAA0B,GAAG;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAA;IAC/B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,UAAU,CAAC,EAAE,iBAAiB,CAAA;IACvC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAA;CAC7B,CAAA;AAED,KAAK,yBAAyB,GAAG;IAChC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAA;IACzB,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAA;CACzC,CAAA;AAED,KAAK,gCAAgC,GAAG;IACvC,QAAQ,CAAC,IAAI,EAAE,iBAAiB,CAAA;IAChC,QAAQ,CAAC,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;CAC5B,CAAA;AAED,KAAK,sBAAsB,GAAG;IAC7B,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAA;IACtB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;CACrB,CAAA;AAED,KAAK,yBAAyB,GAC3B,yBAAyB,GACzB,gCAAgC,GAChC,sBAAsB,CAAA;AAEzB,KAAK,iBAAiB,GAAG,yBAAyB,GAAG,gCAAgC,CAAA;AA4DrF,iBAAS,0BAA0B,CAClC,OAAO,EAAE,0BAA0B,GACjC,yBAAyB,CAe3B;AAED,iBAAe,gBAAgB,CAAC,OAAO,EAAE,0BAA0B,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAqC/F;AAED,OAAO,EAAE,gBAAgB,EAAE,0BAA0B,EAAE,CAAA;AACvD,YAAY,EAAE,0BAA0B,EAAE,yBAAyB,EAAE,iBAAiB,EAAE,CAAA"}

package/dist/client/index.js

@@ -1,3 +1,41 @@
+var __dispose = Symbol.dispose || /* @__PURE__ */ Symbol.for("Symbol.dispose");
+var __asyncDispose = Symbol.asyncDispose || /* @__PURE__ */ Symbol.for("Symbol.asyncDispose");
+var __using = (stack, value, async) => {
+  if (value != null) {
+    if (typeof value !== "object" && typeof value !== "function")
+      throw TypeError('Object expected to be assigned to "using" declaration');
+    var dispose;
+    if (async)
+      dispose = value[__asyncDispose];
+    if (dispose === undefined)
+      dispose = value[__dispose];
+    if (typeof dispose !== "function")
+      throw TypeError("Object not disposable");
+    stack.push([async, dispose, value]);
+  } else if (async) {
+    stack.push([async]);
+  }
+  return value;
+};
+var __callDispose = (stack, error, hasError) => {
+  var E = typeof SuppressedError === "function" ? SuppressedError : function(e, s, m, _) {
+    return _ = Error(m), _.name = "SuppressedError", _.error = e, _.suppressed = s, _;
+  }, fail = (e) => error = hasError ? new E(e, error, "An error was suppressed during disposal") : (hasError = true, e), next = (it) => {
+    while (it = stack.pop()) {
+      try {
+        var result = it[1] && it[1].call(it[2]);
+        if (it[0])
+          return Promise.resolve(result).then(next, (e) => (fail(e), next()));
+      } catch (e) {
+        fail(e);
+      }
+    }
+    if (hasError)
+      throw error;
+  };
+  return next();
+};
+
 // src/errors.ts
 import * as errors from "@superbuilders/errors";
 var ErrNetwork = errors.new("network");
@@ -341,7 +379,7 @@ function submissionValidationMessage(result) {
 import * as errors2 from "@superbuilders/errors";
 
 // src/version.ts
-var SDK_VERSION = "3.6.0";
+var SDK_VERSION = "3.7.1";
 var NPM_PACKAGE_URL = "https://www.npmjs.com/package/@superbuilders/primer-tives";
 
 // src/client/transport.ts
@@ -474,6 +512,8 @@ function createTransport(tc) {
     const url = `${tc.origin}${ADVANCE_PATH}`;
     const fetchResult = await fetchFn(url, {
       method: "POST",
+      mode: "cors",
+      credentials: "omit",
       headers: {
         "Content-Type": "application/json",
         Authorization: `Bearer ${tc.accessToken.value}`,
@@ -1134,10 +1174,9 @@ function makeSession(sc) {
 }
 
 // src/client/auth/provider.ts
-import * as errors13 from "@superbuilders/errors";
+import * as errors11 from "@superbuilders/errors";
 
 // src/client/auth/browser.ts
-import * as errors10 from "@superbuilders/errors";
 function browserStorage(options, logger) {
   if (options !== undefined && options.storage !== undefined) {
     return options.storage;
@@ -1185,16 +1224,6 @@ function randomClientState(logger) {
   }
   return result;
 }
-function clearCallbackHash(options, url) {
-  if (options !== undefined && options.currentUrl !== undefined) {
-    return;
-  }
-  if (typeof globalThis.history === "undefined") {
-    return;
-  }
-  const cleanUrl = `${url.pathname}${url.search}`;
-  globalThis.history.replaceState(globalThis.history.state, "", cleanUrl);
-}
 function openAuthPopup(url, options, logger) {
   if (typeof globalThis.open === "undefined") {
     logger.error("auth popup api unavailable");
@@ -1215,67 +1244,12 @@ function openAuthPopup(url, options, logger) {
   }
   return popup;
 }
-function readablePopupUrl(popup) {
-  const result = errors10.trySync(function readLocation() {
-    return popup.location.href;
-  });
-  if (result.error) {
-    return null;
-  }
-  return result.data;
-}
-function sleep(ms) {
-  return new Promise(function resolveLater(resolve) {
-    setTimeout(resolve, ms);
-  });
-}
-
-// src/client/auth/callback.ts
-var ACCESS_TOKEN_HASH_PARAM = "primer_access_token";
-var AUTH_STATUS_HASH_PARAM = "primer_auth";
-var AUTH_STATE_HASH_PARAM = "primer_state";
-var AUTH_SUCCESS = "success";
-var AUTH_ERROR = "error";
-function readAuthCallback(url, logger) {
-  if (url.hash.length === 0) {
-    return null;
-  }
-  const hash = new URLSearchParams(url.hash.slice(1));
-  const authStatus = hash.get(AUTH_STATUS_HASH_PARAM);
-  if (authStatus === null) {
-    return null;
-  }
-  if (authStatus === AUTH_ERROR) {
-    logger.error("auth callback returned error");
-    throw ErrAuthCallbackInvalid;
-  }
-  if (authStatus !== AUTH_SUCCESS) {
-    logger.error("auth callback status invalid", { authStatus });
-    throw ErrAuthCallbackInvalid;
-  }
-  const accessToken = hash.get(ACCESS_TOKEN_HASH_PARAM);
-  const state = hash.get(AUTH_STATE_HASH_PARAM);
-  if (accessToken === null || accessToken.length === 0 || state === null || state.length === 0) {
-    logger.error("auth callback missing token or state");
-    throw ErrAuthCallbackInvalid;
-  }
-  return { accessToken, state };
-}
-function requireMatchingCallbackState(callback, expectedState, logger) {
-  if (expectedState === null) {
-    logger.error("auth callback expected state missing");
-    throw ErrAuthCallbackInvalid;
-  }
-  if (callback.state !== expectedState) {
-    logger.error("auth callback state mismatch");
-    throw ErrAuthStateMismatch;
-  }
-}
 
 // src/client/auth/hosted-popup.ts
-import * as errors11 from "@superbuilders/errors";
 var DEFAULT_POPUP_TIMEOUT_MS = 10 * 60 * 1000;
 var POPUP_POLL_MS = 250;
+var AUTH_MESSAGE_TYPE = "primer-tives.auth.result.v1";
+var AUTH_RESPONSE_MODE = "web_message";
 function hostedAuthUrl(config) {
   const logger = config.logger;
   if (!URL.canParse(config.origin)) {
@@ -1286,6 +1260,7 @@ function hostedAuthUrl(config) {
   authUrl.searchParams.set("publishableKey", config.publishableKey);
   authUrl.searchParams.set("redirectUri", redirectUri(config.options, config.currentUrl, logger));
   authUrl.searchParams.set("state", config.clientState);
+  authUrl.searchParams.set("responseMode", AUTH_RESPONSE_MODE);
   return authUrl.toString();
 }
 function popupTimeoutMs(options) {
@@ -1294,62 +1269,132 @@ function popupTimeoutMs(options) {
   }
   return DEFAULT_POPUP_TIMEOUT_MS;
 }
-function readPopupCallback(href, config) {
-  const logger = config.logger;
-  if (!URL.canParse(href)) {
+function isRecord(value) {
+  return typeof value === "object" && value !== null;
+}
+function stringField(value, key) {
+  const field = value[key];
+  if (typeof field !== "string" || field.length === 0) {
     return null;
   }
-  const callbackResult = errors11.trySync(function readCallback() {
-    return readAuthCallback(new URL(href), logger);
-  });
-  if (callbackResult.error) {
-    logger.error("hosted auth popup callback invalid", { error: callbackResult.error });
-    throw callbackResult.error;
+  return field;
+}
+function readPopupMessage(event, popup, config, expectedOrigin) {
+  if (event.source !== popup) {
+    return { kind: "ignore" };
   }
-  const callback = callbackResult.data;
-  if (callback === null) {
-    return null;
+  if (event.origin !== expectedOrigin) {
+    return { kind: "ignore" };
+  }
+  const data = event.data;
+  if (!isRecord(data)) {
+    return { kind: "ignore" };
+  }
+  const messageType = stringField(data, "type");
+  if (messageType !== AUTH_MESSAGE_TYPE) {
+    return { kind: "ignore" };
+  }
+  const state = stringField(data, "state");
+  if (state === null) {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
+  }
+  if (state !== config.clientState) {
+    return { kind: "error", error: ErrAuthStateMismatch };
+  }
+  const status = stringField(data, "status");
+  if (status === "error") {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
+  }
+  if (status !== "success") {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
   }
-  if (callback.state !== config.clientState) {
-    logger.error("hosted auth popup state mismatch");
-    throw ErrAuthStateMismatch;
+  const accessToken = stringField(data, "accessToken");
+  if (accessToken === null) {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
   }
-  return callback.accessToken;
+  return { kind: "success", accessToken };
 }
-async function beginHostedPopup(config) {
-  const logger = config.logger;
-  const popup = openAuthPopup(hostedAuthUrl(config), config.options, logger);
-  const expiresAt = Date.now() + popupTimeoutMs(config.options);
-  while (Date.now() < expiresAt) {
-    if (popup.closed) {
-      logger.error("hosted auth popup closed");
-      throw ErrAuthCancelled;
-    }
-    const href = readablePopupUrl(popup);
-    if (href !== null) {
-      const accessTokenResult = errors11.trySync(function readAccessToken() {
-        return readPopupCallback(href, config);
-      });
-      if (accessTokenResult.error) {
-        popup.close();
-        logger.error("hosted auth popup failed", { error: accessTokenResult.error });
-        throw accessTokenResult.error;
+async function waitForPopupMessage(popup, config, expectedOrigin) {
+  let __stack = [];
+  try {
+    const logger = config.logger;
+    const stack = __using(__stack, new AsyncDisposableStack, 1);
+    stack.defer(function closePopup() {
+      popup.close();
+    });
+    const result = await new Promise(function waitForMessage(resolve, reject) {
+      let settled = false;
+      function finishWithError(error) {
+        if (settled) {
+          return;
+        }
+        settled = true;
+        reject(error);
       }
-      if (accessTokenResult.data !== null) {
-        popup.close();
+      function finishWithToken(token) {
+        if (settled) {
+          return;
+        }
+        settled = true;
         logger.debug("hosted auth popup completed");
-        return accessTokenResult.data;
+        resolve(token);
       }
-    }
-    await sleep(POPUP_POLL_MS);
+      const timeoutId = globalThis.setTimeout(function timeout() {
+        logger.error("hosted auth popup timed out");
+        finishWithError(ErrAuthCancelled);
+      }, popupTimeoutMs(config.options));
+      stack.defer(function clearPopupTimeout() {
+        globalThis.clearTimeout(timeoutId);
+      });
+      const closedPollId = globalThis.setInterval(function checkClosed() {
+        if (!popup.closed) {
+          return;
+        }
+        logger.error("hosted auth popup closed");
+        finishWithError(ErrAuthCancelled);
+      }, POPUP_POLL_MS);
+      stack.defer(function clearClosedPoll() {
+        globalThis.clearInterval(closedPollId);
+      });
+      function handleMessage(event) {
+        const result2 = readPopupMessage(event, popup, config, expectedOrigin);
+        if (result2.kind === "ignore") {
+          return;
+        }
+        if (result2.kind === "error") {
+          logger.error("hosted auth popup failed", { error: result2.error });
+          finishWithError(result2.error);
+          return;
+        }
+        finishWithToken(result2.accessToken);
+      }
+      globalThis.addEventListener("message", handleMessage);
+      stack.defer(function removeMessageListener() {
+        globalThis.removeEventListener("message", handleMessage);
+      });
+    });
+    return result;
+  } catch (_catch) {
+    var _err = _catch, _hasErr = 1;
+  } finally {
+    var _promise = __callDispose(__stack, _err, _hasErr);
+    _promise && await _promise;
+  }
+}
+async function beginHostedPopup(config) {
+  const logger = config.logger;
+  const url = hostedAuthUrl(config);
+  if (!URL.canParse(config.origin)) {
+    logger.error("hosted auth origin invalid", { origin: config.origin });
+    throw ErrAuthCallbackInvalid;
   }
-  popup.close();
-  logger.error("hosted auth popup timed out");
-  throw ErrAuthCancelled;
+  const expectedOrigin = new URL(config.origin).origin;
+  const popup = openAuthPopup(url, config.options, logger);
+  return waitForPopupMessage(popup, config, expectedOrigin);
 }
 
 // src/client/auth/access-token.ts
-import * as errors12 from "@superbuilders/errors";
+import * as errors10 from "@superbuilders/errors";
 var ACCESS_TOKEN_PREFIX = "eyJ";
 var resolvedAccessTokenBrand = Symbol("primer resolved access token");
 function isMalformedJws(token) {
@@ -1362,7 +1407,7 @@ function isMalformedJws(token) {
 function resolveAccessToken(token, logger) {
   if (isMalformedJws(token)) {
     logger.error("malformed access token", { prefix: ACCESS_TOKEN_PREFIX });
-    throw errors12.wrap(ErrMalformedAccessToken, `token must start with '${ACCESS_TOKEN_PREFIX}' and contain two dots`);
+    throw errors10.wrap(ErrMalformedAccessToken, `token must start with '${ACCESS_TOKEN_PREFIX}' and contain two dots`);
   }
   return { value: token, [resolvedAccessTokenBrand]: true };
 }
@@ -1389,13 +1434,6 @@ function storeAccessToken(storage, publishableKey, accessToken) {
 function clearStoredAccessToken(storage, publishableKey) {
   storage.removeItem(accessTokenStorageKey(publishableKey));
 }
-function loadAuthState(storage, publishableKey) {
-  const state = storage.getItem(authStateStorageKey(publishableKey));
-  if (state === null || state.length === 0) {
-    return null;
-  }
-  return state;
-}
 function storeAuthState(storage, publishableKey, state) {
   storage.setItem(authStateStorageKey(publishableKey), state);
 }
@@ -1405,7 +1443,7 @@ function clearAuthState(storage, publishableKey) {
 
 // src/client/auth/provider.ts
 function resolveProvidedAccessToken(token, logger) {
-  const result = errors13.trySync(function resolveProvidedToken() {
+  const result = errors11.trySync(function resolveProvidedToken() {
     return resolveAccessToken(token, logger);
   });
   if (result.error) {
@@ -1414,7 +1452,7 @@ function resolveProvidedAccessToken(token, logger) {
   return { kind: "resolved", accessToken: result.data };
 }
 function resolveManagedAccessToken(token, logger) {
-  const result = errors13.trySync(function resolveManagedToken() {
+  const result = errors11.trySync(function resolveManagedToken() {
     return resolveAccessToken(token, logger);
   });
   if (result.error) {
@@ -1424,7 +1462,7 @@ function resolveManagedAccessToken(token, logger) {
 }
 function readBrowserAuthContext(options) {
   const logger = options.logger;
-  const contextResult = errors13.trySync(function readContext() {
+  const contextResult = errors11.trySync(function readContext() {
     const storage = browserStorage(options.hostedAuth, logger);
     const url = currentUrl(options.hostedAuth, logger);
     return { storage, url };
@@ -1434,36 +1472,6 @@ function readBrowserAuthContext(options) {
   }
   return contextResult.data;
 }
-function resolveCallbackAccessToken(context, options) {
-  const logger = options.logger;
-  const callbackResult = errors13.trySync(function readCallback() {
-    return readAuthCallback(context.url, logger);
-  });
-  if (callbackResult.error) {
-    clearAuthState(context.storage, options.publishableKey);
-    return { kind: "unauthenticated", error: callbackResult.error };
-  }
-  const callback = callbackResult.data;
-  if (callback === null) {
-    return null;
-  }
-  const stateResult = errors13.trySync(function requireState() {
-    requireMatchingCallbackState(callback, loadAuthState(context.storage, options.publishableKey), logger);
-  });
-  if (stateResult.error) {
-    clearAuthState(context.storage, options.publishableKey);
-    return { kind: "unauthenticated", error: stateResult.error };
-  }
-  const resolved = resolveManagedAccessToken(callback.accessToken, logger);
-  if (resolved.kind === "unauthenticated") {
-    clearAuthState(context.storage, options.publishableKey);
-    return resolved;
-  }
-  storeAccessToken(context.storage, options.publishableKey, callback.accessToken);
-  clearAuthState(context.storage, options.publishableKey);
-  clearCallbackHash(options.hostedAuth, context.url);
-  return resolved;
-}
 function resolveStoredAccessToken(context, options) {
   const stored = loadStoredAccessToken(context.storage, options.publishableKey);
   if (stored === null) {
@@ -1483,10 +1491,6 @@ function resolveExistingAccessToken(options) {
   if ("kind" in context) {
     return context;
   }
-  const callback = resolveCallbackAccessToken(context, options);
-  if (callback !== null) {
-    return callback;
-  }
   const stored = resolveStoredAccessToken(context, options);
   if (stored !== null) {
     return stored;
@@ -1499,7 +1503,7 @@ async function beginHostedLogin(options) {
   if ("kind" in context) {
     return context;
   }
-  const clientStateResult = errors13.trySync(function prepareHostedLogin() {
+  const clientStateResult = errors11.trySync(function prepareHostedLogin() {
     const clientState2 = randomClientState(logger);
     storeAuthState(context.storage, options.publishableKey, clientState2);
     return clientState2;
@@ -1508,7 +1512,7 @@ async function beginHostedLogin(options) {
     return { kind: "unauthenticated", error: clientStateResult.error };
   }
   const clientState = clientStateResult.data;
-  const accessTokenResult = await errors13.try(beginHostedPopup({
+  const accessTokenResult = await errors11.try(beginHostedPopup({
     origin: options.origin,
     publishableKey: options.publishableKey,
     currentUrl: context.url,
@@ -1551,6 +1555,7 @@ function unauthenticatedState(config) {
 }
 
 // src/client/start.ts
+var DEFAULT_PRIMER_ORIGIN = "https://primerlearn.dev";
 function supportedPcisOrEmpty(supportedPcis) {
   if (supportedPcis !== undefined) {
     return supportedPcis;
@@ -1563,6 +1568,12 @@ function runtimeSubject(subject) {
   }
   return subject;
 }
+function primerOrigin(origin) {
+  if (origin !== undefined) {
+    return origin;
+  }
+  return DEFAULT_PRIMER_ORIGIN;
+}
 async function startRuntime(config, accessToken) {
   const transport = createTransport({
     accessToken,
@@ -1603,9 +1614,10 @@ async function loginAndStart(config) {
 async function start(options) {
   const logger = options.logger;
   logger.debug("start");
+  const origin = primerOrigin(options.origin);
   const config = {
     publishableKey: options.publishableKey,
-    origin: options.origin,
+    origin,
     fetch: options.fetch,
     abort: options.abort,
     logger,
@@ -1615,7 +1627,7 @@ async function start(options) {
   const accessToken = resolveExistingAccessToken({
     accessToken: options.accessToken,
     publishableKey: options.publishableKey,
-    origin: options.origin,
+    origin,
     logger
   });
   if (accessToken.kind === "fatal") {
@@ -1635,4 +1647,4 @@ export {
   start
 };
 
-//# debugId=94171F205AFFEEE264756E2164756E21
+//# debugId=F2A9711D50B754AA64756E2164756E21