@superbuilders/primer-tives 3.7.1 → 4.0.1

package/README.md

@@ -17,7 +17,7 @@ bun add @superbuilders/primer-tives
 
 ## Version
 
-The current SDK version is `3.7.1`.
+The current SDK version is `4.0.1`.
 
 ## Entrypoints
 
@@ -38,7 +38,7 @@ There is no package-root export. Import from the public subpath that owns the su
 Math content can require the fraction-input PCI capability, so a math renderer must declare it.
 
 ```ts
-import * as logger from "@superbuilders/slog"
+import { logger } from "@/logger"
 import { start, type PrimerOptions } from "@superbuilders/primer-tives/client"
 
 const options = {
@@ -133,7 +133,7 @@ Always switch on `state.phase`. Do not assume the first state is renderable lear
 
 ```ts
 import * as errors from "@superbuilders/errors"
-import * as logger from "@superbuilders/slog"
+import { logger } from "@/logger"
 import { start, type PrimerOptions } from "@superbuilders/primer-tives/client"
 import { ErrAuthUnavailable, ErrMalformedAccessToken } from "@superbuilders/primer-tives/errors"
 
@@ -222,7 +222,7 @@ Applications should handle user-actionable auth failures directly and log unexpe
 
 ```ts
 import * as errors from "@superbuilders/errors"
-import * as logger from "@superbuilders/slog"
+import { logger } from "@/logger"
 import {
 	ErrAuthCancelled,
 	ErrAuthPopupBlocked,
@@ -309,7 +309,7 @@ The runtime also protects the trust boundary. If Primer presents a portable cust
 Every renderer should switch on `state.phase`. Interaction rendering should then switch on `state.kind`.
 
 ```ts
-import * as logger from "@superbuilders/slog"
+import { logger } from "@/logger"
 import type { PrimerState } from "@superbuilders/primer-tives/client"
 
 async function runPrimer(initialState: PrimerState): Promise<void> {
@@ -916,7 +916,7 @@ Always use `safeParse` when parsing arbitrary input.
 
 ```ts
 import * as errors from "@superbuilders/errors"
-import * as logger from "@superbuilders/slog"
+import { logger } from "@/logger"
 import { RendererSubmissionSchema } from "@superbuilders/primer-tives/contracts"
 
 const parsed = RendererSubmissionSchema.safeParse(payload)
@@ -965,7 +965,7 @@ The built-in standard interaction state methods call this before submitting. Cus
 
 ```ts
 import * as errors from "@superbuilders/errors"
-import * as logger from "@superbuilders/slog"
+import { logger } from "@/logger"
 import {
 	submissionValidationMessage,
 	validateSubmissionForInteraction
@@ -1274,10 +1274,10 @@ interface PrimerLogger {
 }
 ```
 
-`@superbuilders/slog` matches this interface directly.
+Pino through the central `@/logger` module matches this interface directly.
 
 ```ts
-import * as logger from "@superbuilders/slog"
+import { logger } from "@/logger"
 import { start, type PrimerOptions } from "@superbuilders/primer-tives/client"
 
 const options = {

package/dist/client/auth/access-token.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"access-token.d.ts","sourceRoot":"","sources":["../../../src/client/auth/access-token.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AAGtE,QAAA,MAAM,wBAAwB,EAAE,OAAO,MAA+C,CAAA;AAEtF,KAAK,mBAAmB,GAAG;IAC1B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;IACtB,QAAQ,CAAC,CAAC,wBAAwB,CAAC,EAAE,IAAI,CAAA;CACzC,CAAA;AAUD,iBAAS,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,GAAG,mBAAmB,CASpF;AAED,OAAO,EAAE,kBAAkB,EAAE,CAAA;AAC7B,YAAY,EAAE,mBAAmB,EAAE,CAAA"}
+{"version":3,"file":"access-token.d.ts","sourceRoot":"","sources":["../../../src/client/auth/access-token.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AAItE,QAAA,MAAM,wBAAwB,EAAE,OAAO,MAA+C,CAAA;AAEtF,KAAK,mBAAmB,GAAG;IAC1B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;IACtB,QAAQ,CAAC,CAAC,wBAAwB,CAAC,EAAE,IAAI,CAAA;CACzC,CAAA;AAmED,iBAAS,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,GAAG,mBAAmB,CAUpF;AAED,OAAO,EAAE,kBAAkB,EAAE,CAAA;AAC7B,YAAY,EAAE,mBAAmB,EAAE,CAAA"}

package/dist/client/auth/provider.d.ts

@@ -11,6 +11,7 @@ type AccessTokenResolverOptions = {
 type ResolvedAccessTokenResult = {
     readonly kind: "resolved";
     readonly accessToken: ResolvedAccessToken;
+    readonly invalidate?: () => void;
 };
 type UnauthenticatedAccessTokenResult = {
     readonly kind: "unauthenticated";

package/dist/client/auth/provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../../src/client/auth/provider.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AACtE,OAAO,EAIN,KAAK,iBAAiB,EACtB,MAAM,iDAAiD,CAAA;AAExD,OAAO,EAEN,KAAK,mBAAmB,EACxB,MAAM,sDAAsD,CAAA;AAS7D,KAAK,0BAA0B,GAAG;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAA;IAC/B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,UAAU,CAAC,EAAE,iBAAiB,CAAA;IACvC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAA;CAC7B,CAAA;AAED,KAAK,yBAAyB,GAAG;IAChC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAA;IACzB,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAA;CACzC,CAAA;AAED,KAAK,gCAAgC,GAAG;IACvC,QAAQ,CAAC,IAAI,EAAE,iBAAiB,CAAA;IAChC,QAAQ,CAAC,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;CAC5B,CAAA;AAED,KAAK,sBAAsB,GAAG;IAC7B,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAA;IACtB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;CACrB,CAAA;AAED,KAAK,yBAAyB,GAC3B,yBAAyB,GACzB,gCAAgC,GAChC,sBAAsB,CAAA;AAEzB,KAAK,iBAAiB,GAAG,yBAAyB,GAAG,gCAAgC,CAAA;AA4DrF,iBAAS,0BAA0B,CAClC,OAAO,EAAE,0BAA0B,GACjC,yBAAyB,CAe3B;AAED,iBAAe,gBAAgB,CAAC,OAAO,EAAE,0BAA0B,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAqC/F;AAED,OAAO,EAAE,gBAAgB,EAAE,0BAA0B,EAAE,CAAA;AACvD,YAAY,EAAE,0BAA0B,EAAE,yBAAyB,EAAE,iBAAiB,EAAE,CAAA"}
+{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../../src/client/auth/provider.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AACtE,OAAO,EAIN,KAAK,iBAAiB,EACtB,MAAM,iDAAiD,CAAA;AAExD,OAAO,EAEN,KAAK,mBAAmB,EACxB,MAAM,sDAAsD,CAAA;AAS7D,KAAK,0BAA0B,GAAG;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAA;IAC/B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,UAAU,CAAC,EAAE,iBAAiB,CAAA;IACvC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAA;CAC7B,CAAA;AAED,KAAK,yBAAyB,GAAG;IAChC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAA;IACzB,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAA;IACzC,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,IAAI,CAAA;CAChC,CAAA;AAED,KAAK,gCAAgC,GAAG;IACvC,QAAQ,CAAC,IAAI,EAAE,iBAAiB,CAAA;IAChC,QAAQ,CAAC,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;CAC5B,CAAA;AAED,KAAK,sBAAsB,GAAG;IAC7B,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAA;IACtB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;CACrB,CAAA;AAED,KAAK,yBAAyB,GAC3B,yBAAyB,GACzB,gCAAgC,GAChC,sBAAsB,CAAA;AAEzB,KAAK,iBAAiB,GAAG,yBAAyB,GAAG,gCAAgC,CAAA;AAmErF,iBAAS,0BAA0B,CAClC,OAAO,EAAE,0BAA0B,GACjC,yBAAyB,CAe3B;AAED,iBAAe,gBAAgB,CAAC,OAAO,EAAE,0BAA0B,GAAG,OAAO,CAAC,iBAAiB,CAAC,CA0C/F;AAED,OAAO,EAAE,gBAAgB,EAAE,0BAA0B,EAAE,CAAA;AACvD,YAAY,EAAE,0BAA0B,EAAE,yBAAyB,EAAE,iBAAiB,EAAE,CAAA"}

package/dist/client/consumed.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"consumed.d.ts","sourceRoot":"","sources":["../../src/client/consumed.ts"],"names":[],"mappings":"AAEA,iBAAS,YAAY,IAAI,KAAK,CAG7B;AAED,OAAO,EAAE,YAAY,EAAE,CAAA"}
+{"version":3,"file":"consumed.d.ts","sourceRoot":"","sources":["../../src/client/consumed.ts"],"names":[],"mappings":"AAEA,iBAAS,YAAY,IAAI,KAAK,CAE7B;AAED,OAAO,EAAE,YAAY,EAAE,CAAA"}

package/dist/client/index.js

@@ -379,7 +379,7 @@ function submissionValidationMessage(result) {
 import * as errors2 from "@superbuilders/errors";
 
 // src/version.ts
-var SDK_VERSION = "3.7.1";
+var SDK_VERSION = "4.0.1";
 var NPM_PACKAGE_URL = "https://www.npmjs.com/package/@superbuilders/primer-tives";
 
 // src/client/transport.ts
@@ -466,11 +466,11 @@ function httpSentinel(status, body) {
 function buildSdkUpgradeRequiredError(sentinel, text, logger) {
   const parsed = parseAdvanceErrorBody(text);
   if (parsed === null) {
-    logger.error("sdk upgrade required", {
+    logger.error({
       receivedSdkVersion: null,
       minimumSdkVersion: "<unknown>",
       upgradeUrl: NPM_PACKAGE_URL
-    });
+    }, "sdk upgrade required");
     const message2 = `<missing> < <unknown>; bump @superbuilders/primer-tives at ${NPM_PACKAGE_URL}`;
     return errors2.wrap(sentinel, message2);
   }
@@ -478,11 +478,11 @@ function buildSdkUpgradeRequiredError(sentinel, text, logger) {
   const receivedSdkVersion = parsed.receivedSdkVersion === undefined ? null : parsed.receivedSdkVersion;
   const receivedDisplay = receivedSdkVersion === null ? "<missing>" : receivedSdkVersion;
   const upgradeUrl = parsed.upgradeUrl === undefined ? NPM_PACKAGE_URL : parsed.upgradeUrl;
-  logger.error("sdk upgrade required", {
+  logger.error({
     receivedSdkVersion,
     minimumSdkVersion,
     upgradeUrl
-  });
+  }, "sdk upgrade required");
   const message = `${receivedDisplay} < ${minimumSdkVersion}; bump @superbuilders/primer-tives at ${upgradeUrl}`;
   return errors2.wrap(sentinel, message);
 }
@@ -498,6 +498,7 @@ function isAbortError(err) {
 function createTransport(tc) {
   const fetchFn = tc.fetch ? tc.fetch : globalThis.fetch;
   const logger = tc.logger;
+  const advanceUrl = new URL(ADVANCE_PATH, tc.origin).toString();
   function transportSignal() {
     if (tc.abort) {
       return tc.abort.signal;
@@ -505,12 +506,11 @@ function createTransport(tc) {
     return;
   }
   async function transport(body) {
-    logger.debug("transport request", {
+    logger.debug({
       intentKind: body.intent.kind,
       subject: body.subject
-    });
-    const url = `${tc.origin}${ADVANCE_PATH}`;
-    const fetchResult = await fetchFn(url, {
+    }, "transport request");
+    const fetchResult = await fetchFn(advanceUrl, {
       method: "POST",
       mode: "cors",
       credentials: "omit",
@@ -529,14 +529,14 @@ function createTransport(tc) {
     });
     if (!fetchResult.ok) {
       if (isAbortError(fetchResult.error)) {
-        logger.error("transport timeout", {
+        logger.error({
           intentKind: body.intent.kind
-        });
+        }, "transport timeout");
         return { ok: false, error: errors2.wrap(ErrTimeout, fetchResult.error.message) };
       }
-      logger.error("transport network error", {
+      logger.error({
         error: fetchResult.error
-      });
+      }, "transport network error");
       return { ok: false, error: errors2.wrap(ErrNetwork, fetchResult.error.message) };
     }
     const res = fetchResult.response;
@@ -548,12 +548,12 @@ function createTransport(tc) {
       if (errors2.is(sentinel, ErrSdkUpgradeRequired)) {
         return { ok: false, error: buildSdkUpgradeRequiredError(sentinel, text, logger) };
       }
-      logger.error("transport http error", {
+      logger.error({
         status: res.status,
         body: text,
         intentKind: body.intent.kind,
         subject: body.subject
-      });
+      }, "transport http error");
       return { ok: false, error: errors2.wrap(sentinel, text) };
     }
     const jsonResult = await res.json().then(function ok(data) {
@@ -562,14 +562,14 @@ function createTransport(tc) {
       return { ok: false, error: err };
     });
     if (!jsonResult.ok) {
-      logger.error("transport json parse failed", {
+      logger.error({
         error: jsonResult.error
-      });
+      }, "transport json parse failed");
       return { ok: false, error: errors2.wrap(ErrJsonParse, jsonResult.error.message) };
     }
-    logger.debug("transport success", {
+    logger.debug({
       intentKind: body.intent.kind
-    });
+    }, "transport success");
     return { ok: true, data: jsonResult.data };
   }
   return transport;
@@ -603,7 +603,7 @@ function choiceState(ctx, body, stimulus, interaction, options, maxChoices, minC
     }
     const validation = validateSubmissionForInteraction(interaction, submission);
     if (!validation.ok) {
-      ctx.logger.error("choice submit invalid", { selectedKeys, issues: validation.issues });
+      ctx.logger.error({ selectedKeys, issues: validation.issues }, "choice submit invalid");
       return Promise.resolve(ctx.errored(errors3.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
@@ -659,7 +659,7 @@ function extendedTextState(ctx, body, stimulus, interaction) {
       }
       const validation = validateSubmissionForInteraction(interaction, submission);
       if (!validation.ok) {
-        ctx.logger.error("extended-text submit invalid", { value, issues: validation.issues });
+        ctx.logger.error({ value, issues: validation.issues }, "extended-text submit invalid");
         return Promise.resolve(ctx.errored(errors4.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
       }
       submitKey2 = key;
@@ -714,7 +714,7 @@ function extendedTextState(ctx, body, stimulus, interaction) {
     }
     const validation = validateSubmissionForInteraction(multi, submission);
     if (!validation.ok) {
-      ctx.logger.error("extended-text submit invalid", { values, issues: validation.issues });
+      ctx.logger.error({ values, issues: validation.issues }, "extended-text submit invalid");
       return Promise.resolve(ctx.errored(errors4.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
@@ -795,7 +795,7 @@ function matchState(ctx, body, stimulus, interaction) {
     }
     const validation = validateSubmissionForInteraction(interaction, submission);
     if (!validation.ok) {
-      ctx.logger.error("match submit invalid", { pairs, issues: validation.issues });
+      ctx.logger.error({ pairs, issues: validation.issues }, "match submit invalid");
       return Promise.resolve(ctx.errored(errors5.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
@@ -872,7 +872,7 @@ function orderState(ctx, body, stimulus, interaction) {
     }
     const validation = validateSubmissionForInteraction(interaction, submission);
     if (!validation.ok) {
-      ctx.logger.error("order submit invalid", { orderedKeys, issues: validation.issues });
+      ctx.logger.error({ orderedKeys, issues: validation.issues }, "order submit invalid");
       return Promise.resolve(ctx.errored(errors6.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
@@ -929,7 +929,7 @@ function pciInteractionState(ctx, body, stimulus, interaction) {
       }
       return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot submit a different pci payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
     }
-    ctx.logger.debug("pci submit", { pciId });
+    ctx.logger.debug({ pciId }, "pci submit");
     submitKey = key;
     submitPending = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
       submitPending = undefined;
@@ -945,7 +945,7 @@ function pciInteractionState(ctx, body, stimulus, interaction) {
     if (timeoutPending) {
       return timeoutPending;
     }
-    ctx.logger.debug("pci timeout", { pciId });
+    ctx.logger.debug({ pciId }, "pci timeout");
     timeoutPending = ctx.execute(intent, "timeout").finally(function clearPending() {
       timeoutPending = undefined;
     });
@@ -985,7 +985,7 @@ function textEntryState(ctx, body, stimulus, interaction) {
     }
     const validation = validateSubmissionForInteraction(interaction, submission);
     if (!validation.ok) {
-      ctx.logger.error("text-entry submit invalid", { value, issues: validation.issues });
+      ctx.logger.error({ value, issues: validation.issues }, "text-entry submit invalid");
       return Promise.resolve(ctx.errored(errors8.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
@@ -1073,13 +1073,13 @@ function makeSession(sc) {
       retriable,
       retry: function retry() {
         if (!retriable) {
-          logger.debug("retry ignored for non-retriable error", { failedPhase });
+          logger.debug({ failedPhase }, "retry ignored for non-retriable error");
           return Promise.resolve(state);
         }
         if (pending) {
           return pending;
         }
-        logger.debug("retrying from errored state", { failedPhase });
+        logger.debug({ failedPhase }, "retrying from errored state");
         pending = execute(intent, failedPhase);
         return pending;
       },
@@ -1088,23 +1088,27 @@ function makeSession(sc) {
     return state;
   }
   async function execute(intent, phase) {
-    logger.debug("session execute", {
+    logger.debug({
       phase,
       intentKind: intent.kind,
       subject: sc.subject
-    });
+    }, "session execute");
     const body = {
       subject: sc.subject,
       intent
     };
     const result = await sc.transport(body);
     if (!result.ok) {
+      if (errors9.is(result.error, ErrTokenExpired) && sc.reauthenticate !== null) {
+        logger.warn({ phase, intentKind: intent.kind }, "session token expired");
+        return sc.reauthenticate();
+      }
       if (isFatalError(result.error)) {
-        logger.error("fatal transport error", {
+        logger.error({
           error: result.error,
           phase,
           intentKind: intent.kind
-        });
+        }, "fatal transport error");
         return {
           phase: "fatal",
           error: result.error,
@@ -1112,20 +1116,20 @@ function makeSession(sc) {
           toJSON: poisonToJSON
         };
       }
-      logger.warn("retriable transport error", {
+      logger.warn({
         error: result.error,
         phase,
         intentKind: intent.kind
-      });
+      }, "retriable transport error");
       return errored(result.error, phase, intent);
     }
     const next = resolve(result.data);
-    logger.debug("session execute resolved", {
+    logger.debug({
       phase,
       intentKind: intent.kind,
       outcome: result.data.outcome,
       nextPhase: next.phase
-    });
+    }, "session execute resolved");
     return next;
   }
   function isPciSupported(pciId) {
@@ -1142,7 +1146,7 @@ function makeSession(sc) {
     }
     if (interaction.type === "portable-custom") {
       if (!isPciSupported(interaction.pciId)) {
-        logger.error("unsupported pci in frame", { pciId: interaction.pciId });
+        logger.error({ pciId: interaction.pciId }, "unsupported pci in frame");
         return {
           phase: "fatal",
           error: errors9.wrap(ErrUnsupportedPci, `pci '${interaction.pciId}'`),
@@ -1190,7 +1194,7 @@ function browserStorage(options, logger) {
 function currentUrl(options, logger) {
   if (options !== undefined && options.currentUrl !== undefined) {
     if (!URL.canParse(options.currentUrl)) {
-      logger.error("auth current url invalid", { currentUrl: options.currentUrl });
+      logger.error({ currentUrl: options.currentUrl }, "auth current url invalid");
       throw ErrAuthConfigInvalid;
     }
     return new URL(options.currentUrl);
@@ -1204,7 +1208,7 @@ function currentUrl(options, logger) {
 function redirectUri(options, url, logger) {
   if (options !== undefined && options.redirectUri !== undefined) {
     if (!URL.canParse(options.redirectUri)) {
-      logger.error("auth redirect uri invalid", { redirectUri: options.redirectUri });
+      logger.error({ redirectUri: options.redirectUri }, "auth redirect uri invalid");
       throw ErrAuthConfigInvalid;
     }
     return options.redirectUri;
@@ -1253,7 +1257,7 @@ var AUTH_RESPONSE_MODE = "web_message";
 function hostedAuthUrl(config) {
   const logger = config.logger;
   if (!URL.canParse(config.origin)) {
-    logger.error("hosted auth origin invalid", { origin: config.origin });
+    logger.error({ origin: config.origin }, "hosted auth origin invalid");
     throw ErrAuthCallbackInvalid;
   }
   const authUrl = new URL("/auth/timeback", config.origin);
@@ -1362,7 +1366,7 @@ async function waitForPopupMessage(popup, config, expectedOrigin) {
           return;
         }
         if (result2.kind === "error") {
-          logger.error("hosted auth popup failed", { error: result2.error });
+          logger.error({ error: result2.error }, "hosted auth popup failed");
           finishWithError(result2.error);
           return;
         }
@@ -1385,7 +1389,7 @@ async function beginHostedPopup(config) {
   const logger = config.logger;
   const url = hostedAuthUrl(config);
   if (!URL.canParse(config.origin)) {
-    logger.error("hosted auth origin invalid", { origin: config.origin });
+    logger.error({ origin: config.origin }, "hosted auth origin invalid");
     throw ErrAuthCallbackInvalid;
   }
   const expectedOrigin = new URL(config.origin).origin;
@@ -1396,6 +1400,7 @@ async function beginHostedPopup(config) {
 // src/client/auth/access-token.ts
 import * as errors10 from "@superbuilders/errors";
 var ACCESS_TOKEN_PREFIX = "eyJ";
+var TOKEN_EXPIRY_SKEW_MS = 60000;
 var resolvedAccessTokenBrand = Symbol("primer resolved access token");
 function isMalformedJws(token) {
   if (!token.startsWith(ACCESS_TOKEN_PREFIX)) {
@@ -1404,11 +1409,65 @@ function isMalformedJws(token) {
   const dotCount = token.split(".").length - 1;
   return dotCount !== 2;
 }
+function paddedBase64(base64Url) {
+  const normalized = base64Url.replaceAll("-", "+").replaceAll("_", "/");
+  const remainder = normalized.length % 4;
+  if (remainder === 0) {
+    return normalized;
+  }
+  if (remainder === 2) {
+    return `${normalized}==`;
+  }
+  if (remainder === 3) {
+    return `${normalized}=`;
+  }
+  throw errors10.wrap(ErrMalformedAccessToken, "payload base64");
+}
+function decodeBase64UrlJson(segment) {
+  const decoded = errors10.trySync(function decodePayload() {
+    const json = globalThis.atob(paddedBase64(segment));
+    return JSON.parse(json);
+  });
+  if (decoded.error) {
+    throw errors10.wrap(ErrMalformedAccessToken, "payload decode");
+  }
+  return decoded.data;
+}
+function numericClaim(payload, claim) {
+  if (typeof payload !== "object" || payload === null) {
+    return null;
+  }
+  const value = Reflect.get(payload, claim);
+  if (typeof value !== "number" || !Number.isFinite(value)) {
+    return null;
+  }
+  return value;
+}
+function validateAccessTokenTimestamp(token, logger) {
+  const segments = token.split(".");
+  const payloadSegment = segments[1];
+  if (payloadSegment === undefined || payloadSegment.length === 0) {
+    logger.error("access token payload missing");
+    throw errors10.wrap(ErrMalformedAccessToken, "payload missing");
+  }
+  const payload = decodeBase64UrlJson(payloadSegment);
+  const exp = numericClaim(payload, "exp");
+  if (exp === null) {
+    logger.error("access token exp missing");
+    throw errors10.wrap(ErrMalformedAccessToken, "exp missing");
+  }
+  const expiresAtMs = exp * 1000;
+  if (expiresAtMs <= Date.now() + TOKEN_EXPIRY_SKEW_MS) {
+    logger.error("access token expired");
+    throw ErrTokenExpired;
+  }
+}
 function resolveAccessToken(token, logger) {
   if (isMalformedJws(token)) {
-    logger.error("malformed access token", { prefix: ACCESS_TOKEN_PREFIX });
+    logger.error({ prefix: ACCESS_TOKEN_PREFIX }, "malformed access token");
     throw errors10.wrap(ErrMalformedAccessToken, `token must start with '${ACCESS_TOKEN_PREFIX}' and contain two dots`);
   }
+  validateAccessTokenTimestamp(token, logger);
   return { value: token, [resolvedAccessTokenBrand]: true };
 }
 
@@ -1451,14 +1510,14 @@ function resolveProvidedAccessToken(token, logger) {
   }
   return { kind: "resolved", accessToken: result.data };
 }
-function resolveManagedAccessToken(token, logger) {
+function resolveManagedAccessToken(token, logger, invalidate) {
   const result = errors11.trySync(function resolveManagedToken() {
     return resolveAccessToken(token, logger);
   });
   if (result.error) {
     return { kind: "unauthenticated", error: result.error };
   }
-  return { kind: "resolved", accessToken: result.data };
+  return { kind: "resolved", accessToken: result.data, invalidate };
 }
 function readBrowserAuthContext(options) {
   const logger = options.logger;
@@ -1477,10 +1536,13 @@ function resolveStoredAccessToken(context, options) {
   if (stored === null) {
     return null;
   }
-  const resolved = resolveManagedAccessToken(stored, options.logger);
-  if (resolved.kind === "unauthenticated") {
+  function invalidate() {
     clearStoredAccessToken(context.storage, options.publishableKey);
   }
+  const resolved = resolveManagedAccessToken(stored, options.logger, invalidate);
+  if (resolved.kind === "unauthenticated") {
+    invalidate();
+  }
   return resolved;
 }
 function resolveExistingAccessToken(options) {
@@ -1503,9 +1565,11 @@ async function beginHostedLogin(options) {
   if ("kind" in context) {
     return context;
   }
+  const storage = context.storage;
+  const url = context.url;
   const clientStateResult = errors11.trySync(function prepareHostedLogin() {
     const clientState2 = randomClientState(logger);
-    storeAuthState(context.storage, options.publishableKey, clientState2);
+    storeAuthState(storage, options.publishableKey, clientState2);
     return clientState2;
   });
   if (clientStateResult.error) {
@@ -1515,22 +1579,25 @@ async function beginHostedLogin(options) {
   const accessTokenResult = await errors11.try(beginHostedPopup({
     origin: options.origin,
     publishableKey: options.publishableKey,
-    currentUrl: context.url,
+    currentUrl: url,
     clientState,
     options: options.hostedAuth,
     logger
   }));
   if (accessTokenResult.error) {
-    clearAuthState(context.storage, options.publishableKey);
+    clearAuthState(storage, options.publishableKey);
     return { kind: "unauthenticated", error: accessTokenResult.error };
   }
-  const resolved = resolveManagedAccessToken(accessTokenResult.data, logger);
+  function invalidate() {
+    clearStoredAccessToken(storage, options.publishableKey);
+  }
+  const resolved = resolveManagedAccessToken(accessTokenResult.data, logger, invalidate);
   if (resolved.kind === "unauthenticated") {
-    clearAuthState(context.storage, options.publishableKey);
+    clearAuthState(storage, options.publishableKey);
     return resolved;
   }
-  storeAccessToken(context.storage, options.publishableKey, accessTokenResult.data);
-  clearAuthState(context.storage, options.publishableKey);
+  storeAccessToken(storage, options.publishableKey, accessTokenResult.data);
+  clearAuthState(storage, options.publishableKey);
   return resolved;
 }
 
@@ -1574,9 +1641,17 @@ function primerOrigin(origin) {
   }
   return DEFAULT_PRIMER_ORIGIN;
 }
-async function startRuntime(config, accessToken) {
+async function startRuntime(config, resolved) {
+  let reauthenticate = null;
+  const invalidate = resolved.invalidate;
+  if (invalidate !== undefined) {
+    reauthenticate = function reauthenticate2() {
+      invalidate();
+      return Promise.resolve(makeUnauthenticatedState(config, ErrTokenExpired));
+    };
+  }
   const transport = createTransport({
-    accessToken,
+    accessToken: resolved.accessToken,
     publishableKey: config.publishableKey,
     subject: config.subject,
     origin: config.origin,
@@ -1588,7 +1663,8 @@ async function startRuntime(config, accessToken) {
     subject: config.subject,
     supportedPcis: config.supportedPcis,
     logger: config.logger,
-    transport
+    transport,
+    reauthenticate
   });
   return session.execute({ kind: "observation" }, "start");
 }
@@ -1609,7 +1685,7 @@ async function loginAndStart(config) {
   if (result.kind === "unauthenticated") {
     return makeUnauthenticatedState(config, result.error);
   }
-  return startRuntime(config, result.accessToken);
+  return startRuntime(config, result);
 }
 async function start(options) {
   const logger = options.logger;
@@ -1641,10 +1717,10 @@ async function start(options) {
   if (accessToken.kind === "unauthenticated") {
     return makeUnauthenticatedState(config, accessToken.error);
   }
-  return startRuntime(config, accessToken.accessToken);
+  return startRuntime(config, accessToken);
 }
 export {
   start
 };
 
-//# debugId=F2A9711D50B754AA64756E2164756E21
+//# debugId=F138BD9662B6EC5C64756E2164756E21