@superbuilders/primer-tives 4.0.4 → 4.1.0

package/dist/client/index.js

@@ -6461,14 +6461,14 @@ var FractionInputSubmissionDraft07Schema = {
       type: "object",
       additionalProperties: false,
       required: ["form", "whole"],
-      properties: { form: { const: "whole" }, whole: { type: "string" } }
+      properties: { form: { type: "string", const: "whole" }, whole: { type: "string" } }
     },
     {
       type: "object",
       additionalProperties: false,
       required: ["form", "numerator", "denominator"],
       properties: {
-        form: { const: "proper" },
+        form: { type: "string", const: "proper" },
         numerator: { type: "string" },
         denominator: { type: "string" }
       }
@@ -6478,7 +6478,7 @@ var FractionInputSubmissionDraft07Schema = {
       additionalProperties: false,
       required: ["form", "numerator", "denominator"],
       properties: {
-        form: { const: "improper" },
+        form: { type: "string", const: "improper" },
         numerator: { type: "string" },
         denominator: { type: "string" }
       }
@@ -6488,7 +6488,7 @@ var FractionInputSubmissionDraft07Schema = {
       additionalProperties: false,
       required: ["form", "whole", "numerator", "denominator"],
       properties: {
-        form: { const: "mixed" },
+        form: { type: "string", const: "mixed" },
         whole: { type: "string" },
         numerator: { type: "string" },
         denominator: { type: "string" }
@@ -6510,7 +6510,7 @@ var ChoiceSubmissionSchema = {
   additionalProperties: false,
   required: ["type", "selectedKeys"],
   properties: {
-    type: { const: "choice" },
+    type: { type: "string", const: "choice" },
     selectedKeys: { type: "array", items: { type: "string" } }
   }
 };
@@ -6518,14 +6518,14 @@ var TextEntrySubmissionSchema = {
   type: "object",
   additionalProperties: false,
   required: ["type", "value"],
-  properties: { type: { const: "text-entry" }, value: { type: "string" } }
+  properties: { type: { type: "string", const: "text-entry" }, value: { type: "string" } }
 };
 var ExtendedTextSubmissionSchema = {
   type: "object",
   additionalProperties: false,
   required: ["type", "values"],
   properties: {
-    type: { const: "extended-text" },
+    type: { type: "string", const: "extended-text" },
     values: { type: "array", minItems: 1, items: { type: "string" } }
   }
 };
@@ -6534,7 +6534,7 @@ var OrderSubmissionSchema = {
   additionalProperties: false,
   required: ["type", "orderedKeys"],
   properties: {
-    type: { const: "order" },
+    type: { type: "string", const: "order" },
     orderedKeys: { type: "array", items: { type: "string" } }
   }
 };
@@ -6543,7 +6543,7 @@ var MatchSubmissionSchema = {
   additionalProperties: false,
   required: ["type", "pairs"],
   properties: {
-    type: { const: "match" },
+    type: { type: "string", const: "match" },
     pairs: { type: "array", items: MatchPairSchema }
   }
 };
@@ -6552,8 +6552,8 @@ var FractionInputPciSubmissionSchema = {
   additionalProperties: false,
   required: ["type", "pciId", "value"],
   properties: {
-    type: { const: "portable-custom" },
-    pciId: { const: "urn:primer:pci:fraction-input" },
+    type: { type: "string", const: "portable-custom" },
+    pciId: { type: "string", const: "urn:primer:pci:fraction-input" },
     value: FractionInputSubmissionDraft07Schema
   }
 };
@@ -6779,216 +6779,434 @@ function validateSubmissionForInteraction(interaction, submission) {
 function submissionValidationMessage(result) {
   return result.issues.join("; ");
 }
-// src/client/transport.ts
-import * as errors3 from "@superbuilders/errors";
-
-// src/version.ts
-var SDK_VERSION = "4.0.4";
-var NPM_PACKAGE_URL = "https://www.npmjs.com/package/@superbuilders/primer-tives";
+// src/client/auth/provider.ts
+import * as errors4 from "@superbuilders/errors";
 
-// src/client/transport.ts
-var ADVANCE_PATH = "/api/v0/advance";
-function readStringField(value, key) {
-  if (!(key in value)) {
-    return;
-  }
-  const v = Reflect.get(value, key);
-  if (typeof v !== "string") {
-    return;
+// src/client/auth/access-token.ts
+import * as errors3 from "@superbuilders/errors";
+var ACCESS_TOKEN_PREFIX = "eyJ";
+var TOKEN_EXPIRY_SKEW_MS = 60000;
+var resolvedAccessTokenBrand = Symbol("primer resolved access token");
+function isMalformedJws(token) {
+  if (!token.startsWith(ACCESS_TOKEN_PREFIX)) {
+    return true;
   }
-  return v;
+  const dotCount = token.split(".").length - 1;
+  return dotCount !== 2;
 }
-function parseAdvanceErrorBody(body) {
-  if (body.length === 0) {
-    return null;
+function paddedBase64(base64Url) {
+  const normalized = base64Url.replaceAll("-", "+").replaceAll("_", "/");
+  const remainder = normalized.length % 4;
+  if (remainder === 0) {
+    return normalized;
   }
-  const parsed = errors3.trySync(function parseJson() {
-    return JSON.parse(body);
+  if (remainder === 2) {
+    return `${normalized}==`;
+  }
+  if (remainder === 3) {
+    return `${normalized}=`;
+  }
+  throw errors3.wrap(ErrMalformedAccessToken, "payload base64");
+}
+function decodeBase64UrlJson(segment) {
+  const decoded = errors3.trySync(function decodePayload() {
+    const json = globalThis.atob(paddedBase64(segment));
+    return JSON.parse(json);
   });
-  if (parsed.error) {
+  if (decoded.error) {
+    throw errors3.wrap(ErrMalformedAccessToken, "payload decode");
+  }
+  return decoded.data;
+}
+function numericClaim(payload, claim) {
+  if (typeof payload !== "object" || payload === null) {
     return null;
   }
-  const raw = parsed.data;
-  if (typeof raw !== "object" || raw === null) {
+  const value = Reflect.get(payload, claim);
+  if (typeof value !== "number" || !Number.isFinite(value)) {
     return null;
   }
-  const result = {};
-  const error = readStringField(raw, "error");
-  if (error !== undefined) {
-    result.error = error;
+  return value;
+}
+function validateAccessTokenTimestamp(token, logger) {
+  const segments = token.split(".");
+  const payloadSegment = segments[1];
+  if (payloadSegment === undefined || payloadSegment.length === 0) {
+    logger.error("access token payload missing");
+    throw errors3.wrap(ErrMalformedAccessToken, "payload missing");
   }
-  const detail = readStringField(raw, "detail");
-  if (detail !== undefined) {
-    result.detail = detail;
+  const payload = decodeBase64UrlJson(payloadSegment);
+  const exp = numericClaim(payload, "exp");
+  if (exp === null) {
+    logger.error("access token exp missing");
+    throw errors3.wrap(ErrMalformedAccessToken, "exp missing");
   }
-  const minimumSdkVersion = readStringField(raw, "minimumSdkVersion");
-  if (minimumSdkVersion !== undefined) {
-    result.minimumSdkVersion = minimumSdkVersion;
+  const expiresAtMs = exp * 1000;
+  if (expiresAtMs <= Date.now() + TOKEN_EXPIRY_SKEW_MS) {
+    logger.error("access token expired");
+    throw ErrTokenExpired;
   }
-  const receivedSdkVersion = readStringField(raw, "receivedSdkVersion");
-  if (receivedSdkVersion !== undefined) {
-    result.receivedSdkVersion = receivedSdkVersion;
+}
+function resolveAccessToken(token, logger) {
+  if (isMalformedJws(token)) {
+    logger.error({ prefix: ACCESS_TOKEN_PREFIX }, "malformed access token");
+    throw errors3.wrap(ErrMalformedAccessToken, `token must start with '${ACCESS_TOKEN_PREFIX}' and contain two dots`);
   }
-  const upgradeUrl = readStringField(raw, "upgradeUrl");
-  if (upgradeUrl !== undefined) {
-    result.upgradeUrl = upgradeUrl;
+  validateAccessTokenTimestamp(token, logger);
+  return { value: token, [resolvedAccessTokenBrand]: true };
+}
+
+// src/client/auth/browser.ts
+var POPUP_TARGET = "primer-auth";
+var POPUP_FEATURES = "popup,width=480,height=720";
+function currentUrl(logger) {
+  if (typeof globalThis.location === "undefined") {
+    logger.error("auth location unavailable");
+    throw ErrAuthUnavailable;
+  }
+  return new URL(globalThis.location.href);
+}
+function redirectUri(url) {
+  return `${url.origin}${url.pathname}${url.search}`;
+}
+function randomClientState(logger) {
+  if (typeof globalThis.crypto === "undefined") {
+    logger.error("auth crypto unavailable");
+    throw ErrAuthUnavailable;
+  }
+  const bytes = new Uint8Array(24);
+  globalThis.crypto.getRandomValues(bytes);
+  let result = "";
+  for (const byte of bytes) {
+    result += byte.toString(16).padStart(2, "0");
   }
   return result;
 }
-function httpSentinel(status, body) {
-  if (status === 400) {
-    const parsed = parseAdvanceErrorBody(body);
-    if (parsed?.error === "sdk_upgrade_required") {
-      return ErrSdkUpgradeRequired;
-    }
-    return ErrBadRequest;
+function openAuthPopup(url, logger) {
+  if (typeof globalThis.open === "undefined") {
+    logger.error("auth popup api unavailable");
+    throw ErrAuthUnavailable;
   }
-  if (status === 401) {
-    const parsed = parseAdvanceErrorBody(body);
-    if (parsed?.detail === "token_expired") {
-      return ErrTokenExpired;
-    }
-    return ErrInvalidAccessToken;
+  const popup = globalThis.open(url, POPUP_TARGET, POPUP_FEATURES);
+  if (popup === null) {
+    logger.error("auth popup blocked");
+    throw ErrAuthPopupBlocked;
   }
-  if (status === 403) {
-    return ErrForbidden;
+  return popup;
+}
+
+// src/client/auth/hosted-popup.ts
+var DEFAULT_POPUP_TIMEOUT_MS = 10 * 60 * 1000;
+var POPUP_POLL_MS = 250;
+var AUTH_MESSAGE_TYPE = "primer-tives.auth.result.v1";
+function hostedAuthUrl(config) {
+  const logger = config.logger;
+  if (!URL.canParse(config.origin)) {
+    logger.error({ origin: config.origin }, "hosted auth origin invalid");
+    throw ErrAuthConfigInvalid;
   }
-  if (status === 404) {
-    return ErrNotFound;
+  const authUrl = new URL("/api/auth/timeback/start", config.origin);
+  authUrl.searchParams.set("publishableKey", config.publishableKey);
+  authUrl.searchParams.set("redirectUri", redirectUri(config.currentUrl));
+  authUrl.searchParams.set("state", config.clientState);
+  return authUrl.toString();
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null;
+}
+function stringField(value, key) {
+  const field = value[key];
+  if (typeof field !== "string" || field.length === 0) {
+    return null;
   }
-  if (status === 409) {
-    return ErrConflict;
+  return field;
+}
+function readPopupMessage(event, popup, config, expectedOrigin) {
+  if (event.source !== popup) {
+    return { kind: "ignore" };
   }
-  if (status === 429) {
-    return ErrRateLimited;
+  if (event.origin !== expectedOrigin) {
+    return { kind: "ignore" };
   }
-  if (status === 502 || status === 503 || status === 504) {
-    return ErrServiceUnavailable;
+  const data = event.data;
+  if (!isRecord(data)) {
+    return { kind: "ignore" };
   }
-  return ErrServerError;
-}
-function buildSdkUpgradeRequiredError(sentinel, text, logger) {
-  const parsed = parseAdvanceErrorBody(text);
-  if (parsed === null) {
-    logger.error({
-      receivedSdkVersion: null,
-      minimumSdkVersion: "<unknown>",
-      upgradeUrl: NPM_PACKAGE_URL
-    }, "sdk upgrade required");
-    const message2 = `<missing> < <unknown>; bump @superbuilders/primer-tives at ${NPM_PACKAGE_URL}`;
-    return errors3.wrap(sentinel, message2);
+  const messageType = stringField(data, "type");
+  if (messageType !== AUTH_MESSAGE_TYPE) {
+    return { kind: "ignore" };
   }
-  const minimumSdkVersion = parsed.minimumSdkVersion === undefined ? "<unknown>" : parsed.minimumSdkVersion;
-  const receivedSdkVersion = parsed.receivedSdkVersion === undefined ? null : parsed.receivedSdkVersion;
-  const receivedDisplay = receivedSdkVersion === null ? "<missing>" : receivedSdkVersion;
-  const upgradeUrl = parsed.upgradeUrl === undefined ? NPM_PACKAGE_URL : parsed.upgradeUrl;
-  logger.error({
-    receivedSdkVersion,
-    minimumSdkVersion,
-    upgradeUrl
-  }, "sdk upgrade required");
-  const message = `${receivedDisplay} < ${minimumSdkVersion}; bump @superbuilders/primer-tives at ${upgradeUrl}`;
-  return errors3.wrap(sentinel, message);
-}
-function isAbortError(err) {
-  if (err instanceof DOMException && err.name === "AbortError") {
-    return true;
+  const state = stringField(data, "state");
+  if (state === null) {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
   }
-  if (err instanceof DOMException && err.name === "TimeoutError") {
-    return true;
+  if (state !== config.clientState) {
+    return { kind: "error", error: ErrAuthStateMismatch };
   }
-  return false;
-}
-function createTransport(tc) {
-  const fetchFn = tc.fetch ? tc.fetch : globalThis.fetch;
-  const logger = tc.logger;
-  const advanceUrl = new URL(ADVANCE_PATH, tc.origin).toString();
-  function transportSignal() {
-    if (tc.abort) {
-      return tc.abort.signal;
-    }
-    return;
+  const status = stringField(data, "status");
+  if (status === "error") {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
   }
-  async function transport(body) {
-    logger.debug({
-      intentKind: body.intent.kind,
-      subject: body.subject
-    }, "transport request");
-    const fetchResult = await fetchFn(advanceUrl, {
-      method: "POST",
-      mode: "cors",
-      credentials: "omit",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${tc.accessToken.value}`,
-        "X-Primer-Publishable-Key": tc.publishableKey,
-        "X-Primer-SDK-Version": SDK_VERSION
-      },
-      body: JSON.stringify(body),
-      signal: transportSignal()
-    }).then(function ok(r) {
-      return { ok: true, response: r };
-    }, function fail(err) {
-      return { ok: false, error: err };
+  if (status !== "success") {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
+  }
+  const accessToken = stringField(data, "accessToken");
+  if (accessToken === null) {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
+  }
+  return { kind: "success", accessToken };
+}
+async function waitForPopupMessage(popup, config, expectedOrigin) {
+  let __stack = [];
+  try {
+    const logger = config.logger;
+    const stack = __using(__stack, new AsyncDisposableStack, 1);
+    stack.defer(function closePopup() {
+      popup.close();
     });
-    if (!fetchResult.ok) {
-      if (isAbortError(fetchResult.error)) {
-        logger.error({
-          intentKind: body.intent.kind
-        }, "transport timeout");
-        return { ok: false, error: errors3.wrap(ErrTimeout, fetchResult.error.message) };
+    const result = await new Promise(function waitForMessage(resolve, reject) {
+      let settled = false;
+      function finishWithError(error) {
+        if (settled) {
+          return;
+        }
+        settled = true;
+        reject(error);
       }
-      logger.error({
-        error: fetchResult.error
-      }, "transport network error");
-      return { ok: false, error: errors3.wrap(ErrNetwork, fetchResult.error.message) };
-    }
-    const res = fetchResult.response;
-    if (!res.ok) {
-      const text = await res.text().catch(function fallback() {
-        return "";
+      function finishWithToken(token) {
+        if (settled) {
+          return;
+        }
+        settled = true;
+        logger.debug("hosted auth popup completed");
+        resolve(token);
+      }
+      const timeoutId = globalThis.setTimeout(function timeout() {
+        logger.error("hosted auth popup timed out");
+        finishWithError(ErrAuthCancelled);
+      }, DEFAULT_POPUP_TIMEOUT_MS);
+      stack.defer(function clearPopupTimeout() {
+        globalThis.clearTimeout(timeoutId);
       });
-      const sentinel = httpSentinel(res.status, text);
-      if (errors3.is(sentinel, ErrSdkUpgradeRequired)) {
-        return { ok: false, error: buildSdkUpgradeRequiredError(sentinel, text, logger) };
+      const closedPollId = globalThis.setInterval(function checkClosed() {
+        if (!popup.closed) {
+          return;
+        }
+        logger.error("hosted auth popup closed");
+        finishWithError(ErrAuthCancelled);
+      }, POPUP_POLL_MS);
+      stack.defer(function clearClosedPoll() {
+        globalThis.clearInterval(closedPollId);
+      });
+      function handleMessage(event) {
+        const result2 = readPopupMessage(event, popup, config, expectedOrigin);
+        if (result2.kind === "ignore") {
+          return;
+        }
+        if (result2.kind === "error") {
+          logger.error({ error: result2.error }, "hosted auth popup failed");
+          finishWithError(result2.error);
+          return;
+        }
+        finishWithToken(result2.accessToken);
       }
-      logger.error({
-        status: res.status,
-        body: text,
-        intentKind: body.intent.kind,
-        subject: body.subject
-      }, "transport http error");
-      return { ok: false, error: errors3.wrap(sentinel, text) };
-    }
-    const jsonResult = await res.json().then(function ok(data) {
-      return { ok: true, data };
-    }, function fail(err) {
-      return { ok: false, error: err };
+      globalThis.addEventListener("message", handleMessage);
+      stack.defer(function removeMessageListener() {
+        globalThis.removeEventListener("message", handleMessage);
+      });
     });
-    if (!jsonResult.ok) {
-      logger.error({
-        error: jsonResult.error
-      }, "transport json parse failed");
-      return { ok: false, error: errors3.wrap(ErrJsonParse, jsonResult.error.message) };
-    }
-    logger.debug({
-      intentKind: body.intent.kind
-    }, "transport success");
-    return { ok: true, data: jsonResult.data };
+    return result;
+  } catch (_catch) {
+    var _err = _catch, _hasErr = 1;
+  } finally {
+    var _promise = __callDispose(__stack, _err, _hasErr);
+    _promise && await _promise;
   }
-  return transport;
+}
+async function beginHostedPopup(config) {
+  const logger = config.logger;
+  const url = hostedAuthUrl(config);
+  if (!URL.canParse(config.origin)) {
+    logger.error({ origin: config.origin }, "hosted auth origin invalid");
+    throw ErrAuthConfigInvalid;
+  }
+  const expectedOrigin = new URL(config.origin).origin;
+  const popup = openAuthPopup(url, logger);
+  return waitForPopupMessage(popup, config, expectedOrigin);
 }
 
-// src/client/session.ts
-import * as errors10 from "@superbuilders/errors";
+// src/client/auth/storage.ts
+var MANAGED_AUTH_ACCESS_TOKEN_KEY_PREFIX = "primer:access-token";
+function managedAuthAccessTokenStorageKey(publishableKey) {
+  return `${MANAGED_AUTH_ACCESS_TOKEN_KEY_PREFIX}:${publishableKey}`;
+}
+function managedAuthStorage(logger) {
+  if (typeof globalThis.sessionStorage === "undefined") {
+    logger.error("managed auth storage unavailable");
+    throw ErrAuthUnavailable;
+  }
+  return globalThis.sessionStorage;
+}
+function loadManagedAuthAccessToken(storage, publishableKey) {
+  const token = storage.getItem(managedAuthAccessTokenStorageKey(publishableKey));
+  if (token === null || token.length === 0) {
+    return null;
+  }
+  return token;
+}
+function storeManagedAuthAccessToken(storage, publishableKey, accessToken) {
+  storage.setItem(managedAuthAccessTokenStorageKey(publishableKey), accessToken);
+}
+function clearManagedAuthAccessToken(storage, publishableKey) {
+  storage.removeItem(managedAuthAccessTokenStorageKey(publishableKey));
+}
+
+// src/client/auth/provider.ts
+function resolveProvidedAccessToken(token, logger) {
+  const result = errors4.trySync(function resolveProvidedToken() {
+    return resolveAccessToken(token, logger);
+  });
+  if (result.error) {
+    return { kind: "fatal", error: result.error };
+  }
+  return { kind: "resolved", accessToken: result.data };
+}
+function resolveHostedAccessToken(token, storage, options) {
+  const result = errors4.trySync(function resolveHostedToken() {
+    return resolveAccessToken(token, options.logger);
+  });
+  if (result.error) {
+    return { kind: "sign-in-failed", error: result.error };
+  }
+  storeManagedAuthAccessToken(storage, options.publishableKey, token);
+  return {
+    kind: "resolved",
+    accessToken: result.data,
+    clearCachedAccessToken: function clearCachedAccessToken() {
+      clearManagedAuthAccessToken(storage, options.publishableKey);
+    }
+  };
+}
+function resolveStoredAccessToken(storage, options) {
+  const stored = loadManagedAuthAccessToken(storage, options.publishableKey);
+  if (stored === null) {
+    return { kind: "missing" };
+  }
+  const result = errors4.trySync(function resolveStoredToken() {
+    return resolveAccessToken(stored, options.logger);
+  });
+  if (result.error) {
+    clearManagedAuthAccessToken(storage, options.publishableKey);
+    return { kind: "missing" };
+  }
+  return {
+    kind: "resolved",
+    accessToken: result.data,
+    clearCachedAccessToken: function clearCachedAccessToken() {
+      clearManagedAuthAccessToken(storage, options.publishableKey);
+    }
+  };
+}
+function resolveExistingAccessToken(options) {
+  if (options.accessToken !== undefined) {
+    return resolveProvidedAccessToken(options.accessToken, options.logger);
+  }
+  const storageResult = errors4.trySync(function readManagedAuthStorage() {
+    return managedAuthStorage(options.logger);
+  });
+  if (storageResult.error) {
+    return { kind: "auth-unavailable", error: storageResult.error };
+  }
+  return resolveStoredAccessToken(storageResult.data, options);
+}
+function authFailureResult(error) {
+  if (errors4.is(error, ErrAuthConfigInvalid)) {
+    return { kind: "auth-config-invalid", error };
+  }
+  if (errors4.is(error, ErrAuthUnavailable)) {
+    return { kind: "auth-unavailable", error };
+  }
+  return { kind: "sign-in-failed", error };
+}
+async function beginHostedLogin(options) {
+  const logger = options.logger;
+  const contextResult = errors4.trySync(function readContext() {
+    const storage = managedAuthStorage(logger);
+    const url = currentUrl(logger);
+    const clientState = randomClientState(logger);
+    return { storage, url, clientState };
+  });
+  if (contextResult.error) {
+    return authFailureResult(contextResult.error);
+  }
+  const context = contextResult.data;
+  const accessTokenResult = await errors4.try(beginHostedPopup({
+    origin: options.origin,
+    publishableKey: options.publishableKey,
+    currentUrl: context.url,
+    clientState: context.clientState,
+    logger
+  }));
+  if (accessTokenResult.error) {
+    return authFailureResult(accessTokenResult.error);
+  }
+  return resolveHostedAccessToken(accessTokenResult.data, context.storage, options);
+}
 
 // src/client/consumed.ts
 function poisonToJSON() {
   throw ErrNotSerializable;
 }
 
+// src/client/auth-state.ts
+function pendingLogin(config) {
+  let pending;
+  function login() {
+    if (pending !== undefined) {
+      return pending;
+    }
+    pending = config.login().finally(function clearPending() {
+      pending = undefined;
+    });
+    return pending;
+  }
+  return login;
+}
+function signInRequiredState(config) {
+  return {
+    phase: "sign-in-required",
+    login: pendingLogin(config),
+    toJSON: poisonToJSON
+  };
+}
+function signInFailedState(config) {
+  return {
+    phase: "sign-in-failed",
+    error: config.error,
+    login: pendingLogin(config),
+    toJSON: poisonToJSON
+  };
+}
+function authUnavailableState(error) {
+  return {
+    phase: "auth-unavailable",
+    error,
+    toJSON: poisonToJSON
+  };
+}
+function authConfigInvalidState(error) {
+  return {
+    phase: "auth-config-invalid",
+    error,
+    toJSON: poisonToJSON
+  };
+}
+
+// src/client/session.ts
+import * as errors11 from "@superbuilders/errors";
+
 // src/client/choice-state.ts
-import * as errors4 from "@superbuilders/errors";
+import * as errors5 from "@superbuilders/errors";
 function choiceState(ctx, body, stimulus, interaction, options, maxChoices, minChoices) {
   let submitPending;
   let submitKey;
@@ -6997,18 +7215,18 @@ function choiceState(ctx, body, stimulus, interaction, options, maxChoices, minC
     const submission = { type: "choice", selectedKeys };
     const key = JSON.stringify(submission);
     if (timeoutPending) {
-      return Promise.resolve(ctx.errored(errors4.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
     }
     if (submitPending) {
       if (submitKey === key) {
         return submitPending;
       }
-      return Promise.resolve(ctx.errored(errors4.wrap(ErrConflict, "cannot submit a different choice payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot submit a different choice payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
     }
     const validation = validateSubmissionForInteraction(interaction, submission);
     if (!validation.ok) {
       ctx.logger.error({ selectedKeys, issues: validation.issues }, "choice submit invalid");
-      return Promise.resolve(ctx.errored(errors4.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors5.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
     submitPending = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
@@ -7020,7 +7238,7 @@ function choiceState(ctx, body, stimulus, interaction, options, maxChoices, minC
   function beginTimeout() {
     const intent = { kind: "timeout" };
     if (submitPending) {
-      return Promise.resolve(ctx.errored(errors4.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+      return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
     }
     if (timeoutPending) {
       return timeoutPending;
@@ -7046,25 +7264,25 @@ function choiceState(ctx, body, stimulus, interaction, options, maxChoices, minC
 }
 
 // src/client/extended-text-state.ts
-import * as errors5 from "@superbuilders/errors";
+import * as errors6 from "@superbuilders/errors";
 function extendedTextState(ctx, body, stimulus, interaction) {
   if (interaction.cardinality === "single") {
     let submitText = function(value) {
       const submission = { type: "extended-text", values: [value] };
       const key = JSON.stringify(submission);
       if (timeoutPending2) {
-        return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+        return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
       }
       if (submitPending2) {
         if (submitKey2 === key) {
           return submitPending2;
         }
-        return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot submit a different extended-text payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+        return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot submit a different extended-text payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
       }
       const validation = validateSubmissionForInteraction(interaction, submission);
       if (!validation.ok) {
         ctx.logger.error({ value, issues: validation.issues }, "extended-text submit invalid");
-        return Promise.resolve(ctx.errored(errors5.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
+        return Promise.resolve(ctx.errored(errors6.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
       }
       submitKey2 = key;
       submitPending2 = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
@@ -7075,7 +7293,7 @@ function extendedTextState(ctx, body, stimulus, interaction) {
     }, timeout2 = function() {
       const intent = { kind: "timeout" };
       if (submitPending2) {
-        return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+        return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
       }
       if (timeoutPending2) {
         return timeoutPending2;
@@ -7108,18 +7326,18 @@ function extendedTextState(ctx, body, stimulus, interaction) {
     const submission = { type: "extended-text", values };
     const key = JSON.stringify(submission);
     if (timeoutPending) {
-      return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
     }
     if (submitPending) {
       if (submitKey === key) {
         return submitPending;
       }
-      return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot submit a different extended-text payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot submit a different extended-text payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
     }
     const validation = validateSubmissionForInteraction(multi, submission);
     if (!validation.ok) {
       ctx.logger.error({ values, issues: validation.issues }, "extended-text submit invalid");
-      return Promise.resolve(ctx.errored(errors5.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors6.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
     submitPending = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
@@ -7131,7 +7349,7 @@ function extendedTextState(ctx, body, stimulus, interaction) {
   function timeout() {
     const intent = { kind: "timeout" };
     if (submitPending) {
-      return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+      return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
     }
     if (timeoutPending) {
       return timeoutPending;
@@ -7157,7 +7375,7 @@ function extendedTextState(ctx, body, stimulus, interaction) {
 }
 
 // src/client/feedback-state.ts
-function feedbackState(ctx, body, stimulus, interaction, submission, isCorrect, feedbackContent, review) {
+function feedbackState(ctx, body, stimulus, interaction, submission, assessmentOutcome, feedbackContent, review) {
   let pending;
   return {
     phase: "feedback",
@@ -7165,7 +7383,7 @@ function feedbackState(ctx, body, stimulus, interaction, submission, isCorrect,
     stimulus,
     interaction,
     submission,
-    isCorrect,
+    assessmentOutcome,
     feedbackContent,
     review,
     advance: function advance() {
@@ -7180,7 +7398,7 @@ function feedbackState(ctx, body, stimulus, interaction, submission, isCorrect,
 }
 
 // src/client/match-state.ts
-import * as errors6 from "@superbuilders/errors";
+import * as errors7 from "@superbuilders/errors";
 function matchState(ctx, body, stimulus, interaction) {
   let submitPending;
   let submitKey;
@@ -7189,18 +7407,18 @@ function matchState(ctx, body, stimulus, interaction) {
     const submission = { type: "match", pairs };
     const key = JSON.stringify(submission);
     if (timeoutPending) {
-      return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
     }
     if (submitPending) {
       if (submitKey === key) {
         return submitPending;
       }
-      return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot submit a different match payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot submit a different match payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
     }
     const validation = validateSubmissionForInteraction(interaction, submission);
     if (!validation.ok) {
       ctx.logger.error({ pairs, issues: validation.issues }, "match submit invalid");
-      return Promise.resolve(ctx.errored(errors6.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors7.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
     submitPending = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
@@ -7212,7 +7430,7 @@ function matchState(ctx, body, stimulus, interaction) {
   function timeout() {
     const intent = { kind: "timeout" };
     if (submitPending) {
-      return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+      return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
     }
     if (timeoutPending) {
       return timeoutPending;
@@ -7257,7 +7475,7 @@ function observationState(ctx, body, stimulus) {
 }
 
 // src/client/order-state.ts
-import * as errors7 from "@superbuilders/errors";
+import * as errors8 from "@superbuilders/errors";
 function orderState(ctx, body, stimulus, interaction) {
   let submitPending;
   let submitKey;
@@ -7266,18 +7484,18 @@ function orderState(ctx, body, stimulus, interaction) {
     const submission = { type: "order", orderedKeys };
     const key = JSON.stringify(submission);
     if (timeoutPending) {
-      return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors8.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
     }
     if (submitPending) {
       if (submitKey === key) {
         return submitPending;
       }
-      return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot submit a different order payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors8.wrap(ErrConflict, "cannot submit a different order payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
     }
     const validation = validateSubmissionForInteraction(interaction, submission);
     if (!validation.ok) {
       ctx.logger.error({ orderedKeys, issues: validation.issues }, "order submit invalid");
-      return Promise.resolve(ctx.errored(errors7.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors8.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
     submitPending = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
@@ -7289,7 +7507,7 @@ function orderState(ctx, body, stimulus, interaction) {
   function timeout() {
     const intent = { kind: "timeout" };
     if (submitPending) {
-      return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+      return Promise.resolve(ctx.errored(errors8.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
     }
     if (timeoutPending) {
       return timeoutPending;
@@ -7315,7 +7533,7 @@ function orderState(ctx, body, stimulus, interaction) {
 }
 
 // src/client/pci-state.ts
-import * as errors8 from "@superbuilders/errors";
+import * as errors9 from "@superbuilders/errors";
 function pciInteractionState(ctx, body, stimulus, interaction) {
   let submitPending;
   let submitKey;
@@ -7325,13 +7543,13 @@ function pciInteractionState(ctx, body, stimulus, interaction) {
     const submission = { type: "portable-custom", pciId, value };
     const key = JSON.stringify(submission);
     if (timeoutPending) {
-      return Promise.resolve(ctx.errored(errors8.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors9.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
     }
     if (submitPending) {
       if (submitKey === key) {
         return submitPending;
       }
-      return Promise.resolve(ctx.errored(errors8.wrap(ErrConflict, "cannot submit a different pci payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors9.wrap(ErrConflict, "cannot submit a different pci payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
     }
     ctx.logger.debug({ pciId }, "pci submit");
     submitKey = key;
@@ -7344,7 +7562,7 @@ function pciInteractionState(ctx, body, stimulus, interaction) {
   function timeout() {
     const intent = { kind: "timeout" };
     if (submitPending) {
-      return Promise.resolve(ctx.errored(errors8.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+      return Promise.resolve(ctx.errored(errors9.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
     }
     if (timeoutPending) {
       return timeoutPending;
@@ -7370,7 +7588,7 @@ function pciInteractionState(ctx, body, stimulus, interaction) {
 }
 
 // src/client/text-entry-state.ts
-import * as errors9 from "@superbuilders/errors";
+import * as errors10 from "@superbuilders/errors";
 function textEntryState(ctx, body, stimulus, interaction) {
   let submitPending;
   let submitKey;
@@ -7379,18 +7597,18 @@ function textEntryState(ctx, body, stimulus, interaction) {
     const submission = { type: "text-entry", value };
     const key = JSON.stringify(submission);
     if (timeoutPending) {
-      return Promise.resolve(ctx.errored(errors9.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors10.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
     }
     if (submitPending) {
       if (submitKey === key) {
         return submitPending;
       }
-      return Promise.resolve(ctx.errored(errors9.wrap(ErrConflict, "cannot submit a different text payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors10.wrap(ErrConflict, "cannot submit a different text payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
     }
     const validation = validateSubmissionForInteraction(interaction, submission);
     if (!validation.ok) {
       ctx.logger.error({ value, issues: validation.issues }, "text-entry submit invalid");
-      return Promise.resolve(ctx.errored(errors9.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors10.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
     submitPending = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
@@ -7402,7 +7620,7 @@ function textEntryState(ctx, body, stimulus, interaction) {
   function timeout() {
     const intent = { kind: "timeout" };
     if (submitPending) {
-      return Promise.resolve(ctx.errored(errors9.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+      return Promise.resolve(ctx.errored(errors10.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
     }
     if (timeoutPending) {
       return timeoutPending;
@@ -7436,14 +7654,14 @@ var FATAL_SENTINELS = [
 ];
 function isFatalError(err) {
   for (const sentinel of FATAL_SENTINELS) {
-    if (errors10.is(err, sentinel)) {
+    if (errors11.is(err, sentinel)) {
       return true;
     }
   }
   return false;
 }
 function isRetriableError(err) {
-  return !errors10.is(err, ErrInvalidSubmission);
+  return !errors11.is(err, ErrInvalidSubmission);
 }
 function makeSession(sc) {
   const logger = sc.logger;
@@ -7457,12 +7675,15 @@ function makeSession(sc) {
           logger.error("submitted result without interaction");
           return {
             phase: "fatal",
-            error: errors10.wrap(ErrBadRequest, "submitted result missing interaction"),
+            error: errors11.wrap(ErrBadRequest, "submitted result missing interaction"),
             retriable: false,
             toJSON: poisonToJSON
           };
         }
-        return feedbackState(ctx, result.frame.body, result.frame.stimulus, interaction, result.submission, result.isCorrect, result.feedbackContent, result.review);
+        if (result.assessmentOutcome.value === "revisionRequested") {
+          return fromAdvanced(result.frame.body, result.frame.stimulus, interaction);
+        }
+        return feedbackState(ctx, result.frame.body, result.frame.stimulus, interaction, result.submission, result.assessmentOutcome, result.feedbackContent, result.review);
       }
       case "completed":
         return { phase: "completed", toJSON: poisonToJSON };
@@ -7507,9 +7728,9 @@ function makeSession(sc) {
     };
     const result = await sc.transport(body);
     if (!result.ok) {
-      if (errors10.is(result.error, ErrTokenExpired) && sc.reauthenticate !== null) {
-        logger.warn({ phase, intentKind: intent.kind }, "session token expired");
-        return sc.reauthenticate();
+      if ((errors11.is(result.error, ErrTokenExpired) || errors11.is(result.error, ErrInvalidAccessToken)) && sc.reauthenticate !== null) {
+        logger.warn({ phase, intentKind: intent.kind }, "session token rejected");
+        return sc.reauthenticate(result.error);
       }
       if (isFatalError(result.error)) {
         logger.error({
@@ -7557,7 +7778,7 @@ function makeSession(sc) {
         logger.error({ pciId: interaction.pciId }, "unsupported pci in frame");
         return {
           phase: "fatal",
-          error: errors10.wrap(ErrUnsupportedPci, `pci '${interaction.pciId}'`),
+          error: errors11.wrap(ErrUnsupportedPci, `pci '${interaction.pciId}'`),
           retriable: false,
           toJSON: poisonToJSON
         };
@@ -7565,6 +7786,19 @@ function makeSession(sc) {
     }
     return pendingInteractionState(body, stimulus, interaction);
   }
+  function extendedTextInteractionState(body, stimulus, interaction) {
+    if (!("cardinality" in interaction)) {
+      logger.error("extended-text interaction is unsupported");
+      return {
+        phase: "fatal",
+        error: errors11.wrap(ErrBadRequest, "extended-text interaction unsupported"),
+        retriable: false,
+        toJSON: poisonToJSON
+      };
+    }
+    const extendedInteraction = interaction;
+    return extendedTextState(ctx, body, stimulus, extendedInteraction);
+  }
   function pendingInteractionState(body, stimulus, interaction) {
     switch (interaction.type) {
       case "choice":
@@ -7572,7 +7806,7 @@ function makeSession(sc) {
       case "text-entry":
         return textEntryState(ctx, body, stimulus, interaction);
       case "extended-text":
-        return extendedTextState(ctx, body, stimulus, interaction);
+        return extendedTextInteractionState(body, stimulus, interaction);
       case "order":
         return orderState(ctx, body, stimulus, interaction);
       case "match":
@@ -7585,362 +7819,204 @@ function makeSession(sc) {
   return { execute };
 }
 
-// src/client/auth/provider.ts
+// src/client/transport.ts
 import * as errors12 from "@superbuilders/errors";
 
-// src/client/auth/browser.ts
-var POPUP_TARGET = "primer-auth";
-var POPUP_FEATURES = "popup,width=480,height=720";
-function currentUrl(logger) {
-  if (typeof globalThis.location === "undefined") {
-    logger.error("auth location unavailable");
-    throw ErrAuthUnavailable;
-  }
-  return new URL(globalThis.location.href);
-}
-function redirectUri(url) {
-  return `${url.origin}${url.pathname}${url.search}`;
-}
-function randomClientState(logger) {
-  if (typeof globalThis.crypto === "undefined") {
-    logger.error("auth crypto unavailable");
-    throw ErrAuthUnavailable;
-  }
-  const bytes = new Uint8Array(24);
-  globalThis.crypto.getRandomValues(bytes);
-  let result = "";
-  for (const byte of bytes) {
-    result += byte.toString(16).padStart(2, "0");
-  }
-  return result;
-}
-function openAuthPopup(url, logger) {
-  if (typeof globalThis.open === "undefined") {
-    logger.error("auth popup api unavailable");
-    throw ErrAuthUnavailable;
-  }
-  const popup = globalThis.open(url, POPUP_TARGET, POPUP_FEATURES);
-  if (popup === null) {
-    logger.error("auth popup blocked");
-    throw ErrAuthPopupBlocked;
-  }
-  return popup;
-}
-
-// src/client/auth/hosted-popup.ts
-var DEFAULT_POPUP_TIMEOUT_MS = 10 * 60 * 1000;
-var POPUP_POLL_MS = 250;
-var AUTH_MESSAGE_TYPE = "primer-tives.auth.result.v1";
-function hostedAuthUrl(config) {
-  const logger = config.logger;
-  if (!URL.canParse(config.origin)) {
-    logger.error({ origin: config.origin }, "hosted auth origin invalid");
-    throw ErrAuthConfigInvalid;
-  }
-  const authUrl = new URL("/api/auth/timeback/start", config.origin);
-  authUrl.searchParams.set("publishableKey", config.publishableKey);
-  authUrl.searchParams.set("redirectUri", redirectUri(config.currentUrl));
-  authUrl.searchParams.set("state", config.clientState);
-  return authUrl.toString();
-}
-function isRecord(value) {
-  return typeof value === "object" && value !== null;
-}
-function stringField(value, key) {
-  const field = value[key];
-  if (typeof field !== "string" || field.length === 0) {
-    return null;
-  }
-  return field;
-}
-function readPopupMessage(event, popup, config, expectedOrigin) {
-  if (event.source !== popup) {
-    return { kind: "ignore" };
-  }
-  if (event.origin !== expectedOrigin) {
-    return { kind: "ignore" };
-  }
-  const data = event.data;
-  if (!isRecord(data)) {
-    return { kind: "ignore" };
-  }
-  const messageType = stringField(data, "type");
-  if (messageType !== AUTH_MESSAGE_TYPE) {
-    return { kind: "ignore" };
-  }
-  const state = stringField(data, "state");
-  if (state === null) {
-    return { kind: "error", error: ErrAuthCallbackInvalid };
-  }
-  if (state !== config.clientState) {
-    return { kind: "error", error: ErrAuthStateMismatch };
-  }
-  const status = stringField(data, "status");
-  if (status === "error") {
-    return { kind: "error", error: ErrAuthCallbackInvalid };
-  }
-  if (status !== "success") {
-    return { kind: "error", error: ErrAuthCallbackInvalid };
-  }
-  const accessToken = stringField(data, "accessToken");
-  if (accessToken === null) {
-    return { kind: "error", error: ErrAuthCallbackInvalid };
-  }
-  return { kind: "success", accessToken };
-}
-async function waitForPopupMessage(popup, config, expectedOrigin) {
-  let __stack = [];
-  try {
-    const logger = config.logger;
-    const stack = __using(__stack, new AsyncDisposableStack, 1);
-    stack.defer(function closePopup() {
-      popup.close();
-    });
-    const result = await new Promise(function waitForMessage(resolve, reject) {
-      let settled = false;
-      function finishWithError(error) {
-        if (settled) {
-          return;
-        }
-        settled = true;
-        reject(error);
-      }
-      function finishWithToken(token) {
-        if (settled) {
-          return;
-        }
-        settled = true;
-        logger.debug("hosted auth popup completed");
-        resolve(token);
-      }
-      const timeoutId = globalThis.setTimeout(function timeout() {
-        logger.error("hosted auth popup timed out");
-        finishWithError(ErrAuthCancelled);
-      }, DEFAULT_POPUP_TIMEOUT_MS);
-      stack.defer(function clearPopupTimeout() {
-        globalThis.clearTimeout(timeoutId);
-      });
-      const closedPollId = globalThis.setInterval(function checkClosed() {
-        if (!popup.closed) {
-          return;
-        }
-        logger.error("hosted auth popup closed");
-        finishWithError(ErrAuthCancelled);
-      }, POPUP_POLL_MS);
-      stack.defer(function clearClosedPoll() {
-        globalThis.clearInterval(closedPollId);
-      });
-      function handleMessage(event) {
-        const result2 = readPopupMessage(event, popup, config, expectedOrigin);
-        if (result2.kind === "ignore") {
-          return;
-        }
-        if (result2.kind === "error") {
-          logger.error({ error: result2.error }, "hosted auth popup failed");
-          finishWithError(result2.error);
-          return;
-        }
-        finishWithToken(result2.accessToken);
-      }
-      globalThis.addEventListener("message", handleMessage);
-      stack.defer(function removeMessageListener() {
-        globalThis.removeEventListener("message", handleMessage);
-      });
-    });
-    return result;
-  } catch (_catch) {
-    var _err = _catch, _hasErr = 1;
-  } finally {
-    var _promise = __callDispose(__stack, _err, _hasErr);
-    _promise && await _promise;
-  }
-}
-async function beginHostedPopup(config) {
-  const logger = config.logger;
-  const url = hostedAuthUrl(config);
-  if (!URL.canParse(config.origin)) {
-    logger.error({ origin: config.origin }, "hosted auth origin invalid");
-    throw ErrAuthConfigInvalid;
-  }
-  const expectedOrigin = new URL(config.origin).origin;
-  const popup = openAuthPopup(url, logger);
-  return waitForPopupMessage(popup, config, expectedOrigin);
-}
+// src/version.ts
+var SDK_VERSION = "4.1.0";
+var NPM_PACKAGE_URL = "https://www.npmjs.com/package/@superbuilders/primer-tives";
 
-// src/client/auth/access-token.ts
-import * as errors11 from "@superbuilders/errors";
-var ACCESS_TOKEN_PREFIX = "eyJ";
-var TOKEN_EXPIRY_SKEW_MS = 60000;
-var resolvedAccessTokenBrand = Symbol("primer resolved access token");
-function isMalformedJws(token) {
-  if (!token.startsWith(ACCESS_TOKEN_PREFIX)) {
-    return true;
-  }
-  const dotCount = token.split(".").length - 1;
-  return dotCount !== 2;
-}
-function paddedBase64(base64Url) {
-  const normalized = base64Url.replaceAll("-", "+").replaceAll("_", "/");
-  const remainder = normalized.length % 4;
-  if (remainder === 0) {
-    return normalized;
-  }
-  if (remainder === 2) {
-    return `${normalized}==`;
+// src/client/transport.ts
+var ADVANCE_PATH = "/api/v0/advance";
+function readStringField(value, key) {
+  if (!(key in value)) {
+    return;
   }
-  if (remainder === 3) {
-    return `${normalized}=`;
+  const v = Reflect.get(value, key);
+  if (typeof v !== "string") {
+    return;
   }
-  throw errors11.wrap(ErrMalformedAccessToken, "payload base64");
+  return v;
 }
-function decodeBase64UrlJson(segment) {
-  const decoded = errors11.trySync(function decodePayload() {
-    const json = globalThis.atob(paddedBase64(segment));
-    return JSON.parse(json);
-  });
-  if (decoded.error) {
-    throw errors11.wrap(ErrMalformedAccessToken, "payload decode");
+function parseAdvanceErrorBody(body) {
+  if (body.length === 0) {
+    return null;
   }
-  return decoded.data;
-}
-function numericClaim(payload, claim) {
-  if (typeof payload !== "object" || payload === null) {
+  const parsed = errors12.trySync(function parseJson() {
+    return JSON.parse(body);
+  });
+  if (parsed.error) {
     return null;
   }
-  const value = Reflect.get(payload, claim);
-  if (typeof value !== "number" || !Number.isFinite(value)) {
+  const raw = parsed.data;
+  if (typeof raw !== "object" || raw === null) {
     return null;
   }
-  return value;
-}
-function validateAccessTokenTimestamp(token, logger) {
-  const segments = token.split(".");
-  const payloadSegment = segments[1];
-  if (payloadSegment === undefined || payloadSegment.length === 0) {
-    logger.error("access token payload missing");
-    throw errors11.wrap(ErrMalformedAccessToken, "payload missing");
+  const result = {};
+  const error = readStringField(raw, "error");
+  if (error !== undefined) {
+    result.error = error;
   }
-  const payload = decodeBase64UrlJson(payloadSegment);
-  const exp = numericClaim(payload, "exp");
-  if (exp === null) {
-    logger.error("access token exp missing");
-    throw errors11.wrap(ErrMalformedAccessToken, "exp missing");
+  const detail = readStringField(raw, "detail");
+  if (detail !== undefined) {
+    result.detail = detail;
   }
-  const expiresAtMs = exp * 1000;
-  if (expiresAtMs <= Date.now() + TOKEN_EXPIRY_SKEW_MS) {
-    logger.error("access token expired");
-    throw ErrTokenExpired;
+  const minimumSdkVersion = readStringField(raw, "minimumSdkVersion");
+  if (minimumSdkVersion !== undefined) {
+    result.minimumSdkVersion = minimumSdkVersion;
   }
-}
-function resolveAccessToken(token, logger) {
-  if (isMalformedJws(token)) {
-    logger.error({ prefix: ACCESS_TOKEN_PREFIX }, "malformed access token");
-    throw errors11.wrap(ErrMalformedAccessToken, `token must start with '${ACCESS_TOKEN_PREFIX}' and contain two dots`);
+  const receivedSdkVersion = readStringField(raw, "receivedSdkVersion");
+  if (receivedSdkVersion !== undefined) {
+    result.receivedSdkVersion = receivedSdkVersion;
   }
-  validateAccessTokenTimestamp(token, logger);
-  return { value: token, [resolvedAccessTokenBrand]: true };
-}
-
-// src/client/auth/provider.ts
-function resolveProvidedAccessToken(token, logger) {
-  const result = errors12.trySync(function resolveProvidedToken() {
-    return resolveAccessToken(token, logger);
-  });
-  if (result.error) {
-    return { kind: "fatal", error: result.error };
+  const upgradeUrl = readStringField(raw, "upgradeUrl");
+  if (upgradeUrl !== undefined) {
+    result.upgradeUrl = upgradeUrl;
   }
-  return { kind: "resolved", accessToken: result.data };
+  return result;
 }
-function resolveHostedAccessToken(token, logger) {
-  const result = errors12.trySync(function resolveHostedToken() {
-    return resolveAccessToken(token, logger);
-  });
-  if (result.error) {
-    return { kind: "sign-in-failed", error: result.error };
+function httpSentinel(status, body) {
+  if (status === 400) {
+    const parsed = parseAdvanceErrorBody(body);
+    if (parsed?.error === "sdk_upgrade_required") {
+      return ErrSdkUpgradeRequired;
+    }
+    return ErrBadRequest;
   }
-  return { kind: "resolved", accessToken: result.data };
-}
-function resolveExistingAccessToken(options) {
-  if (options.accessToken !== undefined) {
-    return resolveProvidedAccessToken(options.accessToken, options.logger);
+  if (status === 401) {
+    const parsed = parseAdvanceErrorBody(body);
+    if (parsed?.detail === "token_expired") {
+      return ErrTokenExpired;
+    }
+    return ErrInvalidAccessToken;
   }
-  return { kind: "missing" };
-}
-function authFailureResult(error) {
-  if (errors12.is(error, ErrAuthConfigInvalid)) {
-    return { kind: "auth-config-invalid", error };
+  if (status === 403) {
+    return ErrForbidden;
   }
-  if (errors12.is(error, ErrAuthUnavailable)) {
-    return { kind: "auth-unavailable", error };
+  if (status === 404) {
+    return ErrNotFound;
   }
-  return { kind: "sign-in-failed", error };
+  if (status === 409) {
+    return ErrConflict;
+  }
+  if (status === 429) {
+    return ErrRateLimited;
+  }
+  if (status === 502 || status === 503 || status === 504) {
+    return ErrServiceUnavailable;
+  }
+  return ErrServerError;
 }
-async function beginHostedLogin(options) {
-  const logger = options.logger;
-  const contextResult = errors12.trySync(function readContext() {
-    const url = currentUrl(logger);
-    const clientState = randomClientState(logger);
-    return { url, clientState };
-  });
-  if (contextResult.error) {
-    return authFailureResult(contextResult.error);
+function buildSdkUpgradeRequiredError(sentinel, text, logger) {
+  const parsed = parseAdvanceErrorBody(text);
+  if (parsed === null) {
+    logger.error({
+      receivedSdkVersion: null,
+      minimumSdkVersion: "<unknown>",
+      upgradeUrl: NPM_PACKAGE_URL
+    }, "sdk upgrade required");
+    const message2 = `<missing> < <unknown>; bump @superbuilders/primer-tives at ${NPM_PACKAGE_URL}`;
+    return errors12.wrap(sentinel, message2);
   }
-  const context = contextResult.data;
-  const accessTokenResult = await errors12.try(beginHostedPopup({
-    origin: options.origin,
-    publishableKey: options.publishableKey,
-    currentUrl: context.url,
-    clientState: context.clientState,
-    logger
-  }));
-  if (accessTokenResult.error) {
-    return authFailureResult(accessTokenResult.error);
+  const minimumSdkVersion = parsed.minimumSdkVersion === undefined ? "<unknown>" : parsed.minimumSdkVersion;
+  const receivedSdkVersion = parsed.receivedSdkVersion === undefined ? null : parsed.receivedSdkVersion;
+  const receivedDisplay = receivedSdkVersion === null ? "<missing>" : receivedSdkVersion;
+  const upgradeUrl = parsed.upgradeUrl === undefined ? NPM_PACKAGE_URL : parsed.upgradeUrl;
+  logger.error({
+    receivedSdkVersion,
+    minimumSdkVersion,
+    upgradeUrl
+  }, "sdk upgrade required");
+  const message = `${receivedDisplay} < ${minimumSdkVersion}; bump @superbuilders/primer-tives at ${upgradeUrl}`;
+  return errors12.wrap(sentinel, message);
+}
+function isAbortError(err) {
+  if (err instanceof DOMException && err.name === "AbortError") {
+    return true;
+  }
+  if (err instanceof DOMException && err.name === "TimeoutError") {
+    return true;
   }
-  return resolveHostedAccessToken(accessTokenResult.data, logger);
+  return false;
 }
-
-// src/client/auth-state.ts
-function pendingLogin(config) {
-  let pending;
-  function login() {
-    if (pending !== undefined) {
-      return pending;
+function createTransport(tc) {
+  const fetchFn = tc.fetch ? tc.fetch : globalThis.fetch;
+  const logger = tc.logger;
+  const advanceUrl = new URL(ADVANCE_PATH, tc.origin).toString();
+  function transportSignal() {
+    if (tc.abort) {
+      return tc.abort.signal;
     }
-    pending = config.login().finally(function clearPending() {
-      pending = undefined;
+    return;
+  }
+  async function transport(body) {
+    logger.debug({
+      intentKind: body.intent.kind,
+      subject: body.subject
+    }, "transport request");
+    const fetchResult = await fetchFn(advanceUrl, {
+      method: "POST",
+      mode: "cors",
+      credentials: "omit",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${tc.accessToken.value}`,
+        "X-Primer-Publishable-Key": tc.publishableKey,
+        "X-Primer-SDK-Version": SDK_VERSION
+      },
+      body: JSON.stringify(body),
+      signal: transportSignal()
+    }).then(function ok(r) {
+      return { ok: true, response: r };
+    }, function fail(err) {
+      return { ok: false, error: err };
     });
-    return pending;
+    if (!fetchResult.ok) {
+      if (isAbortError(fetchResult.error)) {
+        logger.error({
+          intentKind: body.intent.kind
+        }, "transport timeout");
+        return { ok: false, error: errors12.wrap(ErrTimeout, fetchResult.error.message) };
+      }
+      logger.error({
+        error: fetchResult.error
+      }, "transport network error");
+      return { ok: false, error: errors12.wrap(ErrNetwork, fetchResult.error.message) };
+    }
+    const res = fetchResult.response;
+    if (!res.ok) {
+      const text = await res.text().catch(function fallback() {
+        return "";
+      });
+      const sentinel = httpSentinel(res.status, text);
+      if (errors12.is(sentinel, ErrSdkUpgradeRequired)) {
+        return { ok: false, error: buildSdkUpgradeRequiredError(sentinel, text, logger) };
+      }
+      logger.error({
+        status: res.status,
+        body: text,
+        intentKind: body.intent.kind,
+        subject: body.subject
+      }, "transport http error");
+      return { ok: false, error: errors12.wrap(sentinel, text) };
+    }
+    const jsonResult = await res.json().then(function ok(data) {
+      return { ok: true, data };
+    }, function fail(err) {
+      return { ok: false, error: err };
+    });
+    if (!jsonResult.ok) {
+      logger.error({
+        error: jsonResult.error
+      }, "transport json parse failed");
+      return { ok: false, error: errors12.wrap(ErrJsonParse, jsonResult.error.message) };
+    }
+    logger.debug({
+      intentKind: body.intent.kind
+    }, "transport success");
+    return { ok: true, data: jsonResult.data };
   }
-  return login;
-}
-function signInRequiredState(config) {
-  return {
-    phase: "sign-in-required",
-    login: pendingLogin(config),
-    toJSON: poisonToJSON
-  };
-}
-function signInFailedState(config) {
-  return {
-    phase: "sign-in-failed",
-    error: config.error,
-    login: pendingLogin(config),
-    toJSON: poisonToJSON
-  };
-}
-function authUnavailableState(error) {
-  return {
-    phase: "auth-unavailable",
-    error,
-    toJSON: poisonToJSON
-  };
-}
-function authConfigInvalidState(error) {
-  return {
-    phase: "auth-config-invalid",
-    error,
-    toJSON: poisonToJSON
-  };
+  return transport;
 }
 
 // src/client/start.ts
@@ -7965,8 +8041,11 @@ function primerOrigin(origin) {
 }
 async function startRuntime(config, resolved) {
   let reauthenticate = null;
-  if (resolved.reauthenticate !== undefined) {
-    reauthenticate = resolved.reauthenticate;
+  if (resolved.clearCachedAccessToken !== undefined) {
+    reauthenticate = function reauthenticateManagedAuth(error) {
+      resolved.clearCachedAccessToken?.();
+      return Promise.resolve(makeSignInFailedState(config, error));
+    };
   }
   const transport = createTransport({
     accessToken: resolved.accessToken,
@@ -8018,9 +8097,7 @@ async function loginAndStart(config) {
   }
   return startRuntime(config, {
     accessToken: result.accessToken,
-    reauthenticate: function reauthenticate() {
-      return Promise.resolve(makeSignInFailedState(config, ErrTokenExpired));
-    }
+    clearCachedAccessToken: result.clearCachedAccessToken
   });
 }
 async function start(options) {
@@ -8050,6 +8127,9 @@ async function start(options) {
       toJSON: poisonToJSON
     };
   }
+  if (accessToken.kind === "auth-unavailable") {
+    return authUnavailableState(accessToken.error);
+  }
   if (accessToken.kind === "missing") {
     return makeSignInRequiredState(config);
   }
@@ -8059,4 +8139,4 @@ export {
   start
 };
 
-//# debugId=1270BDB9A874B19364756E2164756E21
+//# debugId=8BB175F09E303E4A64756E2164756E21