npm - @superbuilders/primer-tives - Versions diffs - 4.0.5 → 4.1.0 - Mend

@superbuilders/primer-tives 4.0.5 → 4.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (62) hide show

package/README.md +12 -4
package/dist/client/auth/access-token.d.ts +1 -1
package/dist/client/auth/access-token.d.ts.map +1 -1
package/dist/client/auth/hosted-popup.d.ts +1 -1
package/dist/client/auth/hosted-popup.d.ts.map +1 -1
package/dist/client/auth/provider.d.ts +2 -2
package/dist/client/auth/provider.d.ts.map +1 -1
package/dist/client/auth-state.d.ts +2 -2
package/dist/client/auth-state.d.ts.map +1 -1
package/dist/client/choice-state.d.ts +2 -2
package/dist/client/choice-state.d.ts.map +1 -1
package/dist/client/extended-text-state.d.ts +2 -2
package/dist/client/extended-text-state.d.ts.map +1 -1
package/dist/client/feedback-state.d.ts +4 -4
package/dist/client/feedback-state.d.ts.map +1 -1
package/dist/client/index.d.ts +2 -2
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +828 -812
package/dist/client/index.js.map +24 -24
package/dist/client/match-state.d.ts +2 -2
package/dist/client/match-state.d.ts.map +1 -1
package/dist/client/observation-state.d.ts +1 -1
package/dist/client/observation-state.d.ts.map +1 -1
package/dist/client/order-state.d.ts +2 -2
package/dist/client/order-state.d.ts.map +1 -1
package/dist/client/pci-state.d.ts +2 -2
package/dist/client/pci-state.d.ts.map +1 -1
package/dist/client/session-context.d.ts +2 -2
package/dist/client/session-context.d.ts.map +1 -1
package/dist/client/session.d.ts +4 -4
package/dist/client/session.d.ts.map +1 -1
package/dist/client/start.d.ts +3 -3
package/dist/client/start.d.ts.map +1 -1
package/dist/client/text-entry-state.d.ts +2 -2
package/dist/client/text-entry-state.d.ts.map +1 -1
package/dist/client/transport.d.ts +7 -6
package/dist/client/transport.d.ts.map +1 -1
package/dist/client/types.d.ts +8 -2
package/dist/client/types.d.ts.map +1 -1
package/dist/contracts/index.d.ts +4 -4
package/dist/contracts/index.d.ts.map +1 -1
package/dist/contracts/index.js +12 -12
package/dist/contracts/index.js.map +6 -6
package/dist/contracts/pci-schemas.d.ts +4 -0
package/dist/contracts/pci-schemas.d.ts.map +1 -1
package/dist/contracts/pci.d.ts +1 -1
package/dist/contracts/pci.d.ts.map +1 -1
package/dist/contracts/review.d.ts +1 -1
package/dist/contracts/review.d.ts.map +1 -1
package/dist/contracts/validation.d.ts +24 -2
package/dist/contracts/validation.d.ts.map +1 -1
package/dist/grade-level.d.ts +1 -1
package/dist/grade-level.d.ts.map +1 -1
package/dist/grade-level.js.map +1 -1
package/dist/subject-pcis.d.ts +1 -1
package/dist/subject-pcis.d.ts.map +1 -1
package/dist/subject-pcis.js.map +2 -2
package/dist/subject.d.ts +1 -1
package/dist/subject.d.ts.map +1 -1
package/dist/subject.js.map +1 -1
package/dist/version.d.ts +1 -1
package/package.json +1 -1

package/dist/client/index.js CHANGED Viewed

@@ -6461,14 +6461,14 @@ var FractionInputSubmissionDraft07Schema = {
       type: "object",
       additionalProperties: false,
       required: ["form", "whole"],
-      properties: { form: { const: "whole" }, whole: { type: "string" } }
+      properties: { form: { type: "string", const: "whole" }, whole: { type: "string" } }
     },
     {
       type: "object",
       additionalProperties: false,
       required: ["form", "numerator", "denominator"],
       properties: {
-        form: { const: "proper" },
+        form: { type: "string", const: "proper" },
         numerator: { type: "string" },
         denominator: { type: "string" }
       }
@@ -6478,7 +6478,7 @@ var FractionInputSubmissionDraft07Schema = {
       additionalProperties: false,
       required: ["form", "numerator", "denominator"],
       properties: {
-        form: { const: "improper" },
+        form: { type: "string", const: "improper" },
         numerator: { type: "string" },
         denominator: { type: "string" }
       }
@@ -6488,7 +6488,7 @@ var FractionInputSubmissionDraft07Schema = {
       additionalProperties: false,
       required: ["form", "whole", "numerator", "denominator"],
       properties: {
-        form: { const: "mixed" },
+        form: { type: "string", const: "mixed" },
         whole: { type: "string" },
         numerator: { type: "string" },
         denominator: { type: "string" }
@@ -6510,7 +6510,7 @@ var ChoiceSubmissionSchema = {
   additionalProperties: false,
   required: ["type", "selectedKeys"],
   properties: {
-    type: { const: "choice" },
+    type: { type: "string", const: "choice" },
     selectedKeys: { type: "array", items: { type: "string" } }
   }
 };
@@ -6518,14 +6518,14 @@ var TextEntrySubmissionSchema = {
   type: "object",
   additionalProperties: false,
   required: ["type", "value"],
-  properties: { type: { const: "text-entry" }, value: { type: "string" } }
+  properties: { type: { type: "string", const: "text-entry" }, value: { type: "string" } }
 };
 var ExtendedTextSubmissionSchema = {
   type: "object",
   additionalProperties: false,
   required: ["type", "values"],
   properties: {
-    type: { const: "extended-text" },
+    type: { type: "string", const: "extended-text" },
     values: { type: "array", minItems: 1, items: { type: "string" } }
   }
 };
@@ -6534,7 +6534,7 @@ var OrderSubmissionSchema = {
   additionalProperties: false,
   required: ["type", "orderedKeys"],
   properties: {
-    type: { const: "order" },
+    type: { type: "string", const: "order" },
     orderedKeys: { type: "array", items: { type: "string" } }
   }
 };
@@ -6543,7 +6543,7 @@ var MatchSubmissionSchema = {
   additionalProperties: false,
   required: ["type", "pairs"],
   properties: {
-    type: { const: "match" },
+    type: { type: "string", const: "match" },
     pairs: { type: "array", items: MatchPairSchema }
   }
 };
@@ -6552,8 +6552,8 @@ var FractionInputPciSubmissionSchema = {
   additionalProperties: false,
   required: ["type", "pciId", "value"],
   properties: {
-    type: { const: "portable-custom" },
-    pciId: { const: "urn:primer:pci:fraction-input" },
+    type: { type: "string", const: "portable-custom" },
+    pciId: { type: "string", const: "urn:primer:pci:fraction-input" },
     value: FractionInputSubmissionDraft07Schema
   }
 };
@@ -6779,303 +6779,521 @@ function validateSubmissionForInteraction(interaction, submission) {
 function submissionValidationMessage(result) {
   return result.issues.join("; ");
 }
-// src/client/transport.ts
-import * as errors3 from "@superbuilders/errors";
-// src/version.ts
-var SDK_VERSION = "4.0.5";
-var NPM_PACKAGE_URL = "https://www.npmjs.com/package/@superbuilders/primer-tives";
+// src/client/auth/provider.ts
+import * as errors4 from "@superbuilders/errors";
-// src/client/transport.ts
-var ADVANCE_PATH = "/api/v0/advance";
-function readStringField(value, key) {
-  if (!(key in value)) {
-    return;
-  }
-  const v = Reflect.get(value, key);
-  if (typeof v !== "string") {
-    return;
+// src/client/auth/access-token.ts
+import * as errors3 from "@superbuilders/errors";
+var ACCESS_TOKEN_PREFIX = "eyJ";
+var TOKEN_EXPIRY_SKEW_MS = 60000;
+var resolvedAccessTokenBrand = Symbol("primer resolved access token");
+function isMalformedJws(token) {
+  if (!token.startsWith(ACCESS_TOKEN_PREFIX)) {
+    return true;
   }
-  return v;
+  const dotCount = token.split(".").length - 1;
+  return dotCount !== 2;
 }
-function parseAdvanceErrorBody(body) {
-  if (body.length === 0) {
-    return null;
+function paddedBase64(base64Url) {
+  const normalized = base64Url.replaceAll("-", "+").replaceAll("_", "/");
+  const remainder = normalized.length % 4;
+  if (remainder === 0) {
+    return normalized;
   }
-  const parsed = errors3.trySync(function parseJson() {
-    return JSON.parse(body);
+  if (remainder === 2) {
+    return `${normalized}==`;
+  }
+  if (remainder === 3) {
+    return `${normalized}=`;
+  }
+  throw errors3.wrap(ErrMalformedAccessToken, "payload base64");
+}
+function decodeBase64UrlJson(segment) {
+  const decoded = errors3.trySync(function decodePayload() {
+    const json = globalThis.atob(paddedBase64(segment));
+    return JSON.parse(json);
   });
-  if (parsed.error) {
+  if (decoded.error) {
+    throw errors3.wrap(ErrMalformedAccessToken, "payload decode");
+  }
+  return decoded.data;
+}
+function numericClaim(payload, claim) {
+  if (typeof payload !== "object" || payload === null) {
     return null;
   }
-  const raw = parsed.data;
-  if (typeof raw !== "object" || raw === null) {
+  const value = Reflect.get(payload, claim);
+  if (typeof value !== "number" || !Number.isFinite(value)) {
     return null;
   }
-  const result = {};
-  const error = readStringField(raw, "error");
-  if (error !== undefined) {
-    result.error = error;
+  return value;
+}
+function validateAccessTokenTimestamp(token, logger) {
+  const segments = token.split(".");
+  const payloadSegment = segments[1];
+  if (payloadSegment === undefined || payloadSegment.length === 0) {
+    logger.error("access token payload missing");
+    throw errors3.wrap(ErrMalformedAccessToken, "payload missing");
   }
-  const detail = readStringField(raw, "detail");
-  if (detail !== undefined) {
-    result.detail = detail;
+  const payload = decodeBase64UrlJson(payloadSegment);
+  const exp = numericClaim(payload, "exp");
+  if (exp === null) {
+    logger.error("access token exp missing");
+    throw errors3.wrap(ErrMalformedAccessToken, "exp missing");
   }
-  const minimumSdkVersion = readStringField(raw, "minimumSdkVersion");
-  if (minimumSdkVersion !== undefined) {
-    result.minimumSdkVersion = minimumSdkVersion;
+  const expiresAtMs = exp * 1000;
+  if (expiresAtMs <= Date.now() + TOKEN_EXPIRY_SKEW_MS) {
+    logger.error("access token expired");
+    throw ErrTokenExpired;
   }
-  const receivedSdkVersion = readStringField(raw, "receivedSdkVersion");
-  if (receivedSdkVersion !== undefined) {
-    result.receivedSdkVersion = receivedSdkVersion;
+}
+function resolveAccessToken(token, logger) {
+  if (isMalformedJws(token)) {
+    logger.error({ prefix: ACCESS_TOKEN_PREFIX }, "malformed access token");
+    throw errors3.wrap(ErrMalformedAccessToken, `token must start with '${ACCESS_TOKEN_PREFIX}' and contain two dots`);
   }
-  const upgradeUrl = readStringField(raw, "upgradeUrl");
-  if (upgradeUrl !== undefined) {
-    result.upgradeUrl = upgradeUrl;
+  validateAccessTokenTimestamp(token, logger);
+  return { value: token, [resolvedAccessTokenBrand]: true };
+}
+// src/client/auth/browser.ts
+var POPUP_TARGET = "primer-auth";
+var POPUP_FEATURES = "popup,width=480,height=720";
+function currentUrl(logger) {
+  if (typeof globalThis.location === "undefined") {
+    logger.error("auth location unavailable");
+    throw ErrAuthUnavailable;
+  }
+  return new URL(globalThis.location.href);
+}
+function redirectUri(url) {
+  return `${url.origin}${url.pathname}${url.search}`;
+}
+function randomClientState(logger) {
+  if (typeof globalThis.crypto === "undefined") {
+    logger.error("auth crypto unavailable");
+    throw ErrAuthUnavailable;
+  }
+  const bytes = new Uint8Array(24);
+  globalThis.crypto.getRandomValues(bytes);
+  let result = "";
+  for (const byte of bytes) {
+    result += byte.toString(16).padStart(2, "0");
   }
   return result;
 }
-function httpSentinel(status, body) {
-  if (status === 400) {
-    const parsed = parseAdvanceErrorBody(body);
-    if (parsed?.error === "sdk_upgrade_required") {
-      return ErrSdkUpgradeRequired;
-    }
-    return ErrBadRequest;
+function openAuthPopup(url, logger) {
+  if (typeof globalThis.open === "undefined") {
+    logger.error("auth popup api unavailable");
+    throw ErrAuthUnavailable;
   }
-  if (status === 401) {
-    const parsed = parseAdvanceErrorBody(body);
-    if (parsed?.detail === "token_expired") {
-      return ErrTokenExpired;
-    }
-    return ErrInvalidAccessToken;
+  const popup = globalThis.open(url, POPUP_TARGET, POPUP_FEATURES);
+  if (popup === null) {
+    logger.error("auth popup blocked");
+    throw ErrAuthPopupBlocked;
   }
-  if (status === 403) {
-    return ErrForbidden;
+  return popup;
+}
+// src/client/auth/hosted-popup.ts
+var DEFAULT_POPUP_TIMEOUT_MS = 10 * 60 * 1000;
+var POPUP_POLL_MS = 250;
+var AUTH_MESSAGE_TYPE = "primer-tives.auth.result.v1";
+function hostedAuthUrl(config) {
+  const logger = config.logger;
+  if (!URL.canParse(config.origin)) {
+    logger.error({ origin: config.origin }, "hosted auth origin invalid");
+    throw ErrAuthConfigInvalid;
   }
-  if (status === 404) {
-    return ErrNotFound;
+  const authUrl = new URL("/api/auth/timeback/start", config.origin);
+  authUrl.searchParams.set("publishableKey", config.publishableKey);
+  authUrl.searchParams.set("redirectUri", redirectUri(config.currentUrl));
+  authUrl.searchParams.set("state", config.clientState);
+  return authUrl.toString();
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null;
+}
+function stringField(value, key) {
+  const field = value[key];
+  if (typeof field !== "string" || field.length === 0) {
+    return null;
   }
-  if (status === 409) {
-    return ErrConflict;
+  return field;
+}
+function readPopupMessage(event, popup, config, expectedOrigin) {
+  if (event.source !== popup) {
+    return { kind: "ignore" };
   }
-  if (status === 429) {
-    return ErrRateLimited;
+  if (event.origin !== expectedOrigin) {
+    return { kind: "ignore" };
   }
-  if (status === 502 || status === 503 || status === 504) {
-    return ErrServiceUnavailable;
+  const data = event.data;
+  if (!isRecord(data)) {
+    return { kind: "ignore" };
   }
-  return ErrServerError;
-}
-function buildSdkUpgradeRequiredError(sentinel, text, logger) {
-  const parsed = parseAdvanceErrorBody(text);
-  if (parsed === null) {
-    logger.error({
-      receivedSdkVersion: null,
-      minimumSdkVersion: "<unknown>",
-      upgradeUrl: NPM_PACKAGE_URL
-    }, "sdk upgrade required");
-    const message2 = `<missing> < <unknown>; bump @superbuilders/primer-tives at ${NPM_PACKAGE_URL}`;
-    return errors3.wrap(sentinel, message2);
+  const messageType = stringField(data, "type");
+  if (messageType !== AUTH_MESSAGE_TYPE) {
+    return { kind: "ignore" };
   }
-  const minimumSdkVersion = parsed.minimumSdkVersion === undefined ? "<unknown>" : parsed.minimumSdkVersion;
-  const receivedSdkVersion = parsed.receivedSdkVersion === undefined ? null : parsed.receivedSdkVersion;
-  const receivedDisplay = receivedSdkVersion === null ? "<missing>" : receivedSdkVersion;
-  const upgradeUrl = parsed.upgradeUrl === undefined ? NPM_PACKAGE_URL : parsed.upgradeUrl;
-  logger.error({
-    receivedSdkVersion,
-    minimumSdkVersion,
-    upgradeUrl
-  }, "sdk upgrade required");
-  const message = `${receivedDisplay} < ${minimumSdkVersion}; bump @superbuilders/primer-tives at ${upgradeUrl}`;
-  return errors3.wrap(sentinel, message);
-}
-function isAbortError(err) {
-  if (err instanceof DOMException && err.name === "AbortError") {
-    return true;
+  const state = stringField(data, "state");
+  if (state === null) {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
   }
-  if (err instanceof DOMException && err.name === "TimeoutError") {
-    return true;
+  if (state !== config.clientState) {
+    return { kind: "error", error: ErrAuthStateMismatch };
   }
-  return false;
-}
-function createTransport(tc) {
-  const fetchFn = tc.fetch ? tc.fetch : globalThis.fetch;
-  const logger = tc.logger;
-  const advanceUrl = new URL(ADVANCE_PATH, tc.origin).toString();
-  function transportSignal() {
-    if (tc.abort) {
-      return tc.abort.signal;
-    }
-    return;
+  const status = stringField(data, "status");
+  if (status === "error") {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
   }
-  async function transport(body) {
-    logger.debug({
-      intentKind: body.intent.kind,
-      subject: body.subject
-    }, "transport request");
-    const fetchResult = await fetchFn(advanceUrl, {
-      method: "POST",
-      mode: "cors",
-      credentials: "omit",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${tc.accessToken.value}`,
-        "X-Primer-Publishable-Key": tc.publishableKey,
-        "X-Primer-SDK-Version": SDK_VERSION
-      },
-      body: JSON.stringify(body),
-      signal: transportSignal()
-    }).then(function ok(r) {
-      return { ok: true, response: r };
-    }, function fail(err) {
-      return { ok: false, error: err };
-    });
-    if (!fetchResult.ok) {
-      if (isAbortError(fetchResult.error)) {
-        logger.error({
-          intentKind: body.intent.kind
-        }, "transport timeout");
-        return { ok: false, error: errors3.wrap(ErrTimeout, fetchResult.error.message) };
+  if (status !== "success") {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
+  }
+  const accessToken = stringField(data, "accessToken");
+  if (accessToken === null) {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
+  }
+  return { kind: "success", accessToken };
+}
+async function waitForPopupMessage(popup, config, expectedOrigin) {
+  let __stack = [];
+  try {
+    const logger = config.logger;
+    const stack = __using(__stack, new AsyncDisposableStack, 1);
+    stack.defer(function closePopup() {
+      popup.close();
+    });
+    const result = await new Promise(function waitForMessage(resolve, reject) {
+      let settled = false;
+      function finishWithError(error) {
+        if (settled) {
+          return;
+        }
+        settled = true;
+        reject(error);
       }
-      logger.error({
-        error: fetchResult.error
-      }, "transport network error");
-      return { ok: false, error: errors3.wrap(ErrNetwork, fetchResult.error.message) };
-    }
-    const res = fetchResult.response;
-    if (!res.ok) {
-      const text = await res.text().catch(function fallback() {
-        return "";
+      function finishWithToken(token) {
+        if (settled) {
+          return;
+        }
+        settled = true;
+        logger.debug("hosted auth popup completed");
+        resolve(token);
+      }
+      const timeoutId = globalThis.setTimeout(function timeout() {
+        logger.error("hosted auth popup timed out");
+        finishWithError(ErrAuthCancelled);
+      }, DEFAULT_POPUP_TIMEOUT_MS);
+      stack.defer(function clearPopupTimeout() {
+        globalThis.clearTimeout(timeoutId);
       });
-      const sentinel = httpSentinel(res.status, text);
-      if (errors3.is(sentinel, ErrSdkUpgradeRequired)) {
-        return { ok: false, error: buildSdkUpgradeRequiredError(sentinel, text, logger) };
+      const closedPollId = globalThis.setInterval(function checkClosed() {
+        if (!popup.closed) {
+          return;
+        }
+        logger.error("hosted auth popup closed");
+        finishWithError(ErrAuthCancelled);
+      }, POPUP_POLL_MS);
+      stack.defer(function clearClosedPoll() {
+        globalThis.clearInterval(closedPollId);
+      });
+      function handleMessage(event) {
+        const result2 = readPopupMessage(event, popup, config, expectedOrigin);
+        if (result2.kind === "ignore") {
+          return;
+        }
+        if (result2.kind === "error") {
+          logger.error({ error: result2.error }, "hosted auth popup failed");
+          finishWithError(result2.error);
+          return;
+        }
+        finishWithToken(result2.accessToken);
       }
-      logger.error({
-        status: res.status,
-        body: text,
-        intentKind: body.intent.kind,
-        subject: body.subject
-      }, "transport http error");
-      return { ok: false, error: errors3.wrap(sentinel, text) };
-    }
-    const jsonResult = await res.json().then(function ok(data) {
-      return { ok: true, data };
-    }, function fail(err) {
-      return { ok: false, error: err };
+      globalThis.addEventListener("message", handleMessage);
+      stack.defer(function removeMessageListener() {
+        globalThis.removeEventListener("message", handleMessage);
+      });
     });
-    if (!jsonResult.ok) {
-      logger.error({
-        error: jsonResult.error
-      }, "transport json parse failed");
-      return { ok: false, error: errors3.wrap(ErrJsonParse, jsonResult.error.message) };
-    }
-    logger.debug({
-      intentKind: body.intent.kind
-    }, "transport success");
-    return { ok: true, data: jsonResult.data };
+    return result;
+  } catch (_catch) {
+    var _err = _catch, _hasErr = 1;
+  } finally {
+    var _promise = __callDispose(__stack, _err, _hasErr);
+    _promise && await _promise;
   }
-  return transport;
+}
+async function beginHostedPopup(config) {
+  const logger = config.logger;
+  const url = hostedAuthUrl(config);
+  if (!URL.canParse(config.origin)) {
+    logger.error({ origin: config.origin }, "hosted auth origin invalid");
+    throw ErrAuthConfigInvalid;
+  }
+  const expectedOrigin = new URL(config.origin).origin;
+  const popup = openAuthPopup(url, logger);
+  return waitForPopupMessage(popup, config, expectedOrigin);
 }
-// src/client/session.ts
-import * as errors10 from "@superbuilders/errors";
-// src/client/consumed.ts
-function poisonToJSON() {
-  throw ErrNotSerializable;
+// src/client/auth/storage.ts
+var MANAGED_AUTH_ACCESS_TOKEN_KEY_PREFIX = "primer:access-token";
+function managedAuthAccessTokenStorageKey(publishableKey) {
+  return `${MANAGED_AUTH_ACCESS_TOKEN_KEY_PREFIX}:${publishableKey}`;
+}
+function managedAuthStorage(logger) {
+  if (typeof globalThis.sessionStorage === "undefined") {
+    logger.error("managed auth storage unavailable");
+    throw ErrAuthUnavailable;
+  }
+  return globalThis.sessionStorage;
+}
+function loadManagedAuthAccessToken(storage, publishableKey) {
+  const token = storage.getItem(managedAuthAccessTokenStorageKey(publishableKey));
+  if (token === null || token.length === 0) {
+    return null;
+  }
+  return token;
+}
+function storeManagedAuthAccessToken(storage, publishableKey, accessToken) {
+  storage.setItem(managedAuthAccessTokenStorageKey(publishableKey), accessToken);
+}
+function clearManagedAuthAccessToken(storage, publishableKey) {
+  storage.removeItem(managedAuthAccessTokenStorageKey(publishableKey));
 }
-// src/client/choice-state.ts
-import * as errors4 from "@superbuilders/errors";
-function choiceState(ctx, body, stimulus, interaction, options, maxChoices, minChoices) {
-  let submitPending;
-  let submitKey;
-  let timeoutPending;
-  function beginSubmit(selectedKeys) {
-    const submission = { type: "choice", selectedKeys };
-    const key = JSON.stringify(submission);
-    if (timeoutPending) {
-      return Promise.resolve(ctx.errored(errors4.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
-    }
-    if (submitPending) {
-      if (submitKey === key) {
-        return submitPending;
-      }
-      return Promise.resolve(ctx.errored(errors4.wrap(ErrConflict, "cannot submit a different choice payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
-    }
-    const validation = validateSubmissionForInteraction(interaction, submission);
-    if (!validation.ok) {
-      ctx.logger.error({ selectedKeys, issues: validation.issues }, "choice submit invalid");
-      return Promise.resolve(ctx.errored(errors4.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
-    }
-    submitKey = key;
-    submitPending = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
-      submitPending = undefined;
-      submitKey = undefined;
-    });
-    return submitPending;
+// src/client/auth/provider.ts
+function resolveProvidedAccessToken(token, logger) {
+  const result = errors4.trySync(function resolveProvidedToken() {
+    return resolveAccessToken(token, logger);
+  });
+  if (result.error) {
+    return { kind: "fatal", error: result.error };
   }
-  function beginTimeout() {
-    const intent = { kind: "timeout" };
-    if (submitPending) {
-      return Promise.resolve(ctx.errored(errors4.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
-    }
-    if (timeoutPending) {
-      return timeoutPending;
+  return { kind: "resolved", accessToken: result.data };
+}
+function resolveHostedAccessToken(token, storage, options) {
+  const result = errors4.trySync(function resolveHostedToken() {
+    return resolveAccessToken(token, options.logger);
+  });
+  if (result.error) {
+    return { kind: "sign-in-failed", error: result.error };
+  }
+  storeManagedAuthAccessToken(storage, options.publishableKey, token);
+  return {
+    kind: "resolved",
+    accessToken: result.data,
+    clearCachedAccessToken: function clearCachedAccessToken() {
+      clearManagedAuthAccessToken(storage, options.publishableKey);
     }
-    timeoutPending = ctx.execute(intent, "timeout").finally(function clearPending() {
-      timeoutPending = undefined;
-    });
-    return timeoutPending;
+  };
+}
+function resolveStoredAccessToken(storage, options) {
+  const stored = loadManagedAuthAccessToken(storage, options.publishableKey);
+  if (stored === null) {
+    return { kind: "missing" };
+  }
+  const result = errors4.trySync(function resolveStoredToken() {
+    return resolveAccessToken(stored, options.logger);
+  });
+  if (result.error) {
+    clearManagedAuthAccessToken(storage, options.publishableKey);
+    return { kind: "missing" };
   }
   return {
-    phase: "interaction",
-    kind: "choice",
-    body,
-    stimulus,
-    interaction,
-    options,
-    maxChoices,
-    minChoices,
-    submitChoice: beginSubmit,
-    timeout: beginTimeout,
-    toJSON: poisonToJSON
+    kind: "resolved",
+    accessToken: result.data,
+    clearCachedAccessToken: function clearCachedAccessToken() {
+      clearManagedAuthAccessToken(storage, options.publishableKey);
+    }
   };
 }
-// src/client/extended-text-state.ts
-import * as errors5 from "@superbuilders/errors";
-function extendedTextState(ctx, body, stimulus, interaction) {
-  if (interaction.cardinality === "single") {
-    let submitText = function(value) {
-      const submission = { type: "extended-text", values: [value] };
-      const key = JSON.stringify(submission);
-      if (timeoutPending2) {
-        return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
-      }
-      if (submitPending2) {
-        if (submitKey2 === key) {
-          return submitPending2;
-        }
-        return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot submit a different extended-text payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
-      }
-      const validation = validateSubmissionForInteraction(interaction, submission);
-      if (!validation.ok) {
-        ctx.logger.error({ value, issues: validation.issues }, "extended-text submit invalid");
-        return Promise.resolve(ctx.errored(errors5.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
-      }
-      submitKey2 = key;
-      submitPending2 = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
-        submitPending2 = undefined;
-        submitKey2 = undefined;
-      });
-      return submitPending2;
+function resolveExistingAccessToken(options) {
+  if (options.accessToken !== undefined) {
+    return resolveProvidedAccessToken(options.accessToken, options.logger);
+  }
+  const storageResult = errors4.trySync(function readManagedAuthStorage() {
+    return managedAuthStorage(options.logger);
+  });
+  if (storageResult.error) {
+    return { kind: "auth-unavailable", error: storageResult.error };
+  }
+  return resolveStoredAccessToken(storageResult.data, options);
+}
+function authFailureResult(error) {
+  if (errors4.is(error, ErrAuthConfigInvalid)) {
+    return { kind: "auth-config-invalid", error };
+  }
+  if (errors4.is(error, ErrAuthUnavailable)) {
+    return { kind: "auth-unavailable", error };
+  }
+  return { kind: "sign-in-failed", error };
+}
+async function beginHostedLogin(options) {
+  const logger = options.logger;
+  const contextResult = errors4.trySync(function readContext() {
+    const storage = managedAuthStorage(logger);
+    const url = currentUrl(logger);
+    const clientState = randomClientState(logger);
+    return { storage, url, clientState };
+  });
+  if (contextResult.error) {
+    return authFailureResult(contextResult.error);
+  }
+  const context = contextResult.data;
+  const accessTokenResult = await errors4.try(beginHostedPopup({
+    origin: options.origin,
+    publishableKey: options.publishableKey,
+    currentUrl: context.url,
+    clientState: context.clientState,
+    logger
+  }));
+  if (accessTokenResult.error) {
+    return authFailureResult(accessTokenResult.error);
+  }
+  return resolveHostedAccessToken(accessTokenResult.data, context.storage, options);
+}
+// src/client/consumed.ts
+function poisonToJSON() {
+  throw ErrNotSerializable;
+}
+// src/client/auth-state.ts
+function pendingLogin(config) {
+  let pending;
+  function login() {
+    if (pending !== undefined) {
+      return pending;
+    }
+    pending = config.login().finally(function clearPending() {
+      pending = undefined;
+    });
+    return pending;
+  }
+  return login;
+}
+function signInRequiredState(config) {
+  return {
+    phase: "sign-in-required",
+    login: pendingLogin(config),
+    toJSON: poisonToJSON
+  };
+}
+function signInFailedState(config) {
+  return {
+    phase: "sign-in-failed",
+    error: config.error,
+    login: pendingLogin(config),
+    toJSON: poisonToJSON
+  };
+}
+function authUnavailableState(error) {
+  return {
+    phase: "auth-unavailable",
+    error,
+    toJSON: poisonToJSON
+  };
+}
+function authConfigInvalidState(error) {
+  return {
+    phase: "auth-config-invalid",
+    error,
+    toJSON: poisonToJSON
+  };
+}
+// src/client/session.ts
+import * as errors11 from "@superbuilders/errors";
+// src/client/choice-state.ts
+import * as errors5 from "@superbuilders/errors";
+function choiceState(ctx, body, stimulus, interaction, options, maxChoices, minChoices) {
+  let submitPending;
+  let submitKey;
+  let timeoutPending;
+  function beginSubmit(selectedKeys) {
+    const submission = { type: "choice", selectedKeys };
+    const key = JSON.stringify(submission);
+    if (timeoutPending) {
+      return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+    }
+    if (submitPending) {
+      if (submitKey === key) {
+        return submitPending;
+      }
+      return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot submit a different choice payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+    }
+    const validation = validateSubmissionForInteraction(interaction, submission);
+    if (!validation.ok) {
+      ctx.logger.error({ selectedKeys, issues: validation.issues }, "choice submit invalid");
+      return Promise.resolve(ctx.errored(errors5.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
+    }
+    submitKey = key;
+    submitPending = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
+      submitPending = undefined;
+      submitKey = undefined;
+    });
+    return submitPending;
+  }
+  function beginTimeout() {
+    const intent = { kind: "timeout" };
+    if (submitPending) {
+      return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+    }
+    if (timeoutPending) {
+      return timeoutPending;
+    }
+    timeoutPending = ctx.execute(intent, "timeout").finally(function clearPending() {
+      timeoutPending = undefined;
+    });
+    return timeoutPending;
+  }
+  return {
+    phase: "interaction",
+    kind: "choice",
+    body,
+    stimulus,
+    interaction,
+    options,
+    maxChoices,
+    minChoices,
+    submitChoice: beginSubmit,
+    timeout: beginTimeout,
+    toJSON: poisonToJSON
+  };
+}
+// src/client/extended-text-state.ts
+import * as errors6 from "@superbuilders/errors";
+function extendedTextState(ctx, body, stimulus, interaction) {
+  if (interaction.cardinality === "single") {
+    let submitText = function(value) {
+      const submission = { type: "extended-text", values: [value] };
+      const key = JSON.stringify(submission);
+      if (timeoutPending2) {
+        return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+      }
+      if (submitPending2) {
+        if (submitKey2 === key) {
+          return submitPending2;
+        }
+        return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot submit a different extended-text payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+      }
+      const validation = validateSubmissionForInteraction(interaction, submission);
+      if (!validation.ok) {
+        ctx.logger.error({ value, issues: validation.issues }, "extended-text submit invalid");
+        return Promise.resolve(ctx.errored(errors6.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
+      }
+      submitKey2 = key;
+      submitPending2 = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
+        submitPending2 = undefined;
+        submitKey2 = undefined;
+      });
+      return submitPending2;
     }, timeout2 = function() {
       const intent = { kind: "timeout" };
       if (submitPending2) {
-        return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+        return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
       }
       if (timeoutPending2) {
         return timeoutPending2;
@@ -7108,18 +7326,18 @@ function extendedTextState(ctx, body, stimulus, interaction) {
     const submission = { type: "extended-text", values };
     const key = JSON.stringify(submission);
     if (timeoutPending) {
-      return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
     }
     if (submitPending) {
       if (submitKey === key) {
         return submitPending;
       }
-      return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot submit a different extended-text payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot submit a different extended-text payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
     }
     const validation = validateSubmissionForInteraction(multi, submission);
     if (!validation.ok) {
       ctx.logger.error({ values, issues: validation.issues }, "extended-text submit invalid");
-      return Promise.resolve(ctx.errored(errors5.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors6.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
     submitPending = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
@@ -7131,7 +7349,7 @@ function extendedTextState(ctx, body, stimulus, interaction) {
   function timeout() {
     const intent = { kind: "timeout" };
     if (submitPending) {
-      return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+      return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
     }
     if (timeoutPending) {
       return timeoutPending;
@@ -7157,7 +7375,7 @@ function extendedTextState(ctx, body, stimulus, interaction) {
 }
 // src/client/feedback-state.ts
-function feedbackState(ctx, body, stimulus, interaction, submission, isCorrect, feedbackContent, review) {
+function feedbackState(ctx, body, stimulus, interaction, submission, assessmentOutcome, feedbackContent, review) {
   let pending;
   return {
     phase: "feedback",
@@ -7165,7 +7383,7 @@ function feedbackState(ctx, body, stimulus, interaction, submission, isCorrect,
     stimulus,
     interaction,
     submission,
-    isCorrect,
+    assessmentOutcome,
     feedbackContent,
     review,
     advance: function advance() {
@@ -7180,7 +7398,7 @@ function feedbackState(ctx, body, stimulus, interaction, submission, isCorrect,
 }
 // src/client/match-state.ts
-import * as errors6 from "@superbuilders/errors";
+import * as errors7 from "@superbuilders/errors";
 function matchState(ctx, body, stimulus, interaction) {
   let submitPending;
   let submitKey;
@@ -7189,18 +7407,18 @@ function matchState(ctx, body, stimulus, interaction) {
     const submission = { type: "match", pairs };
     const key = JSON.stringify(submission);
     if (timeoutPending) {
-      return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
     }
     if (submitPending) {
       if (submitKey === key) {
         return submitPending;
       }
-      return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot submit a different match payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot submit a different match payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
     }
     const validation = validateSubmissionForInteraction(interaction, submission);
     if (!validation.ok) {
       ctx.logger.error({ pairs, issues: validation.issues }, "match submit invalid");
-      return Promise.resolve(ctx.errored(errors6.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors7.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
     submitPending = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
@@ -7212,7 +7430,7 @@ function matchState(ctx, body, stimulus, interaction) {
   function timeout() {
     const intent = { kind: "timeout" };
     if (submitPending) {
-      return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+      return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
     }
     if (timeoutPending) {
       return timeoutPending;
@@ -7257,7 +7475,7 @@ function observationState(ctx, body, stimulus) {
 }
 // src/client/order-state.ts
-import * as errors7 from "@superbuilders/errors";
+import * as errors8 from "@superbuilders/errors";
 function orderState(ctx, body, stimulus, interaction) {
   let submitPending;
   let submitKey;
@@ -7266,18 +7484,18 @@ function orderState(ctx, body, stimulus, interaction) {
     const submission = { type: "order", orderedKeys };
     const key = JSON.stringify(submission);
     if (timeoutPending) {
-      return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors8.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
     }
     if (submitPending) {
       if (submitKey === key) {
         return submitPending;
       }
-      return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot submit a different order payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors8.wrap(ErrConflict, "cannot submit a different order payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
     }
     const validation = validateSubmissionForInteraction(interaction, submission);
     if (!validation.ok) {
       ctx.logger.error({ orderedKeys, issues: validation.issues }, "order submit invalid");
-      return Promise.resolve(ctx.errored(errors7.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors8.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
     submitPending = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
@@ -7289,7 +7507,7 @@ function orderState(ctx, body, stimulus, interaction) {
   function timeout() {
     const intent = { kind: "timeout" };
     if (submitPending) {
-      return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+      return Promise.resolve(ctx.errored(errors8.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
     }
     if (timeoutPending) {
       return timeoutPending;
@@ -7315,7 +7533,7 @@ function orderState(ctx, body, stimulus, interaction) {
 }
 // src/client/pci-state.ts
-import * as errors8 from "@superbuilders/errors";
+import * as errors9 from "@superbuilders/errors";
 function pciInteractionState(ctx, body, stimulus, interaction) {
   let submitPending;
   let submitKey;
@@ -7325,13 +7543,13 @@ function pciInteractionState(ctx, body, stimulus, interaction) {
     const submission = { type: "portable-custom", pciId, value };
     const key = JSON.stringify(submission);
     if (timeoutPending) {
-      return Promise.resolve(ctx.errored(errors8.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors9.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
     }
     if (submitPending) {
       if (submitKey === key) {
         return submitPending;
       }
-      return Promise.resolve(ctx.errored(errors8.wrap(ErrConflict, "cannot submit a different pci payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors9.wrap(ErrConflict, "cannot submit a different pci payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
     }
     ctx.logger.debug({ pciId }, "pci submit");
     submitKey = key;
@@ -7344,7 +7562,7 @@ function pciInteractionState(ctx, body, stimulus, interaction) {
   function timeout() {
     const intent = { kind: "timeout" };
     if (submitPending) {
-      return Promise.resolve(ctx.errored(errors8.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+      return Promise.resolve(ctx.errored(errors9.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
     }
     if (timeoutPending) {
       return timeoutPending;
@@ -7370,7 +7588,7 @@ function pciInteractionState(ctx, body, stimulus, interaction) {
 }
 // src/client/text-entry-state.ts
-import * as errors9 from "@superbuilders/errors";
+import * as errors10 from "@superbuilders/errors";
 function textEntryState(ctx, body, stimulus, interaction) {
   let submitPending;
   let submitKey;
@@ -7379,18 +7597,18 @@ function textEntryState(ctx, body, stimulus, interaction) {
     const submission = { type: "text-entry", value };
     const key = JSON.stringify(submission);
     if (timeoutPending) {
-      return Promise.resolve(ctx.errored(errors9.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors10.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
     }
     if (submitPending) {
       if (submitKey === key) {
         return submitPending;
       }
-      return Promise.resolve(ctx.errored(errors9.wrap(ErrConflict, "cannot submit a different text payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors10.wrap(ErrConflict, "cannot submit a different text payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
     }
     const validation = validateSubmissionForInteraction(interaction, submission);
     if (!validation.ok) {
       ctx.logger.error({ value, issues: validation.issues }, "text-entry submit invalid");
-      return Promise.resolve(ctx.errored(errors9.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors10.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
     submitPending = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
@@ -7402,7 +7620,7 @@ function textEntryState(ctx, body, stimulus, interaction) {
   function timeout() {
     const intent = { kind: "timeout" };
     if (submitPending) {
-      return Promise.resolve(ctx.errored(errors9.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+      return Promise.resolve(ctx.errored(errors10.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
     }
     if (timeoutPending) {
       return timeoutPending;
@@ -7436,571 +7654,369 @@ var FATAL_SENTINELS = [
 ];
 function isFatalError(err) {
   for (const sentinel of FATAL_SENTINELS) {
-    if (errors10.is(err, sentinel)) {
+    if (errors11.is(err, sentinel)) {
       return true;
     }
   }
   return false;
 }
-function isRetriableError(err) {
-  return !errors10.is(err, ErrInvalidSubmission);
-}
-function makeSession(sc) {
-  const logger = sc.logger;
-  function resolve(result) {
-    switch (result.outcome) {
-      case "advanced":
-        return fromAdvanced(result.frame.body, result.frame.stimulus, result.frame.interaction);
-      case "submitted": {
-        const interaction = result.frame.interaction;
-        if (interaction === null) {
-          logger.error("submitted result without interaction");
-          return {
-            phase: "fatal",
-            error: errors10.wrap(ErrBadRequest, "submitted result missing interaction"),
-            retriable: false,
-            toJSON: poisonToJSON
-          };
-        }
-        return feedbackState(ctx, result.frame.body, result.frame.stimulus, interaction, result.submission, result.isCorrect, result.feedbackContent, result.review);
-      }
-      case "completed":
-        return { phase: "completed", toJSON: poisonToJSON };
-    }
-  }
-  function errored(error, failedPhase, intent) {
-    let pending;
-    const retriable = isRetriableError(error);
-    if (!retriable) {
-      return {
-        phase: "errored",
-        error,
-        retriable: false,
-        toJSON: poisonToJSON
-      };
-    }
-    const state = {
-      phase: "errored",
-      error,
-      retriable: true,
-      retry: function retry() {
-        if (pending) {
-          return pending;
-        }
-        logger.debug({ failedPhase }, "retrying from errored state");
-        pending = execute(intent, failedPhase);
-        return pending;
-      },
-      toJSON: poisonToJSON
-    };
-    return state;
-  }
-  async function execute(intent, phase) {
-    logger.debug({
-      phase,
-      intentKind: intent.kind,
-      subject: sc.subject
-    }, "session execute");
-    const body = {
-      subject: sc.subject,
-      intent
-    };
-    const result = await sc.transport(body);
-    if (!result.ok) {
-      if ((errors10.is(result.error, ErrTokenExpired) || errors10.is(result.error, ErrInvalidAccessToken)) && sc.reauthenticate !== null) {
-        logger.warn({ phase, intentKind: intent.kind }, "session token rejected");
-        return sc.reauthenticate(result.error);
-      }
-      if (isFatalError(result.error)) {
-        logger.error({
-          error: result.error,
-          phase,
-          intentKind: intent.kind
-        }, "fatal transport error");
-        return {
-          phase: "fatal",
-          error: result.error,
-          retriable: false,
-          toJSON: poisonToJSON
-        };
-      }
-      logger.warn({
-        error: result.error,
-        phase,
-        intentKind: intent.kind
-      }, "retriable transport error");
-      return errored(result.error, phase, intent);
-    }
-    const next = resolve(result.data);
-    logger.debug({
-      phase,
-      intentKind: intent.kind,
-      outcome: result.data.outcome,
-      nextPhase: next.phase
-    }, "session execute resolved");
-    return next;
-  }
-  function isPciSupported(pciId) {
-    for (const id of sc.supportedPcis) {
-      if (id === pciId) {
-        return true;
-      }
-    }
-    return false;
-  }
-  function fromAdvanced(body, stimulus, interaction) {
-    if (interaction === null) {
-      return observationState(ctx, body, stimulus);
-    }
-    if (interaction.type === "portable-custom") {
-      if (!isPciSupported(interaction.pciId)) {
-        logger.error({ pciId: interaction.pciId }, "unsupported pci in frame");
-        return {
-          phase: "fatal",
-          error: errors10.wrap(ErrUnsupportedPci, `pci '${interaction.pciId}'`),
-          retriable: false,
-          toJSON: poisonToJSON
-        };
-      }
-    }
-    return pendingInteractionState(body, stimulus, interaction);
-  }
-  function pendingInteractionState(body, stimulus, interaction) {
-    switch (interaction.type) {
-      case "choice":
-        return choiceState(ctx, body, stimulus, interaction, interaction.options, interaction.maxChoices, interaction.minChoices);
-      case "text-entry":
-        return textEntryState(ctx, body, stimulus, interaction);
-      case "extended-text":
-        return extendedTextState(ctx, body, stimulus, interaction);
-      case "order":
-        return orderState(ctx, body, stimulus, interaction);
-      case "match":
-        return matchState(ctx, body, stimulus, interaction);
-      case "portable-custom":
-        return pciInteractionState(ctx, body, stimulus, interaction);
-    }
-  }
-  const ctx = { logger, execute, errored };
-  return { execute };
-}
-// src/client/auth/provider.ts
-import * as errors12 from "@superbuilders/errors";
-// src/client/auth/browser.ts
-var POPUP_TARGET = "primer-auth";
-var POPUP_FEATURES = "popup,width=480,height=720";
-function currentUrl(logger) {
-  if (typeof globalThis.location === "undefined") {
-    logger.error("auth location unavailable");
-    throw ErrAuthUnavailable;
-  }
-  return new URL(globalThis.location.href);
-}
-function redirectUri(url) {
-  return `${url.origin}${url.pathname}${url.search}`;
-}
-function randomClientState(logger) {
-  if (typeof globalThis.crypto === "undefined") {
-    logger.error("auth crypto unavailable");
-    throw ErrAuthUnavailable;
-  }
-  const bytes = new Uint8Array(24);
-  globalThis.crypto.getRandomValues(bytes);
-  let result = "";
-  for (const byte of bytes) {
-    result += byte.toString(16).padStart(2, "0");
-  }
-  return result;
-}
-function openAuthPopup(url, logger) {
-  if (typeof globalThis.open === "undefined") {
-    logger.error("auth popup api unavailable");
-    throw ErrAuthUnavailable;
-  }
-  const popup = globalThis.open(url, POPUP_TARGET, POPUP_FEATURES);
-  if (popup === null) {
-    logger.error("auth popup blocked");
-    throw ErrAuthPopupBlocked;
-  }
-  return popup;
-}
-// src/client/auth/hosted-popup.ts
-var DEFAULT_POPUP_TIMEOUT_MS = 10 * 60 * 1000;
-var POPUP_POLL_MS = 250;
-var AUTH_MESSAGE_TYPE = "primer-tives.auth.result.v1";
-function hostedAuthUrl(config) {
-  const logger = config.logger;
-  if (!URL.canParse(config.origin)) {
-    logger.error({ origin: config.origin }, "hosted auth origin invalid");
-    throw ErrAuthConfigInvalid;
-  }
-  const authUrl = new URL("/api/auth/timeback/start", config.origin);
-  authUrl.searchParams.set("publishableKey", config.publishableKey);
-  authUrl.searchParams.set("redirectUri", redirectUri(config.currentUrl));
-  authUrl.searchParams.set("state", config.clientState);
-  return authUrl.toString();
-}
-function isRecord(value) {
-  return typeof value === "object" && value !== null;
-}
-function stringField(value, key) {
-  const field = value[key];
-  if (typeof field !== "string" || field.length === 0) {
-    return null;
-  }
-  return field;
-}
-function readPopupMessage(event, popup, config, expectedOrigin) {
-  if (event.source !== popup) {
-    return { kind: "ignore" };
-  }
-  if (event.origin !== expectedOrigin) {
-    return { kind: "ignore" };
-  }
-  const data = event.data;
-  if (!isRecord(data)) {
-    return { kind: "ignore" };
-  }
-  const messageType = stringField(data, "type");
-  if (messageType !== AUTH_MESSAGE_TYPE) {
-    return { kind: "ignore" };
-  }
-  const state = stringField(data, "state");
-  if (state === null) {
-    return { kind: "error", error: ErrAuthCallbackInvalid };
-  }
-  if (state !== config.clientState) {
-    return { kind: "error", error: ErrAuthStateMismatch };
-  }
-  const status = stringField(data, "status");
-  if (status === "error") {
-    return { kind: "error", error: ErrAuthCallbackInvalid };
-  }
-  if (status !== "success") {
-    return { kind: "error", error: ErrAuthCallbackInvalid };
-  }
-  const accessToken = stringField(data, "accessToken");
-  if (accessToken === null) {
-    return { kind: "error", error: ErrAuthCallbackInvalid };
-  }
-  return { kind: "success", accessToken };
-}
-async function waitForPopupMessage(popup, config, expectedOrigin) {
-  let __stack = [];
-  try {
-    const logger = config.logger;
-    const stack = __using(__stack, new AsyncDisposableStack, 1);
-    stack.defer(function closePopup() {
-      popup.close();
-    });
-    const result = await new Promise(function waitForMessage(resolve, reject) {
-      let settled = false;
-      function finishWithError(error) {
-        if (settled) {
-          return;
-        }
-        settled = true;
-        reject(error);
-      }
-      function finishWithToken(token) {
-        if (settled) {
-          return;
-        }
-        settled = true;
-        logger.debug("hosted auth popup completed");
-        resolve(token);
-      }
-      const timeoutId = globalThis.setTimeout(function timeout() {
-        logger.error("hosted auth popup timed out");
-        finishWithError(ErrAuthCancelled);
-      }, DEFAULT_POPUP_TIMEOUT_MS);
-      stack.defer(function clearPopupTimeout() {
-        globalThis.clearTimeout(timeoutId);
-      });
-      const closedPollId = globalThis.setInterval(function checkClosed() {
-        if (!popup.closed) {
-          return;
-        }
-        logger.error("hosted auth popup closed");
-        finishWithError(ErrAuthCancelled);
-      }, POPUP_POLL_MS);
-      stack.defer(function clearClosedPoll() {
-        globalThis.clearInterval(closedPollId);
-      });
-      function handleMessage(event) {
-        const result2 = readPopupMessage(event, popup, config, expectedOrigin);
-        if (result2.kind === "ignore") {
-          return;
+function isRetriableError(err) {
+  return !errors11.is(err, ErrInvalidSubmission);
+}
+function makeSession(sc) {
+  const logger = sc.logger;
+  function resolve(result) {
+    switch (result.outcome) {
+      case "advanced":
+        return fromAdvanced(result.frame.body, result.frame.stimulus, result.frame.interaction);
+      case "submitted": {
+        const interaction = result.frame.interaction;
+        if (interaction === null) {
+          logger.error("submitted result without interaction");
+          return {
+            phase: "fatal",
+            error: errors11.wrap(ErrBadRequest, "submitted result missing interaction"),
+            retriable: false,
+            toJSON: poisonToJSON
+          };
         }
-        if (result2.kind === "error") {
-          logger.error({ error: result2.error }, "hosted auth popup failed");
-          finishWithError(result2.error);
-          return;
+        if (result.assessmentOutcome.value === "revisionRequested") {
+          return fromAdvanced(result.frame.body, result.frame.stimulus, interaction);
         }
-        finishWithToken(result2.accessToken);
+        return feedbackState(ctx, result.frame.body, result.frame.stimulus, interaction, result.submission, result.assessmentOutcome, result.feedbackContent, result.review);
       }
-      globalThis.addEventListener("message", handleMessage);
-      stack.defer(function removeMessageListener() {
-        globalThis.removeEventListener("message", handleMessage);
-      });
-    });
-    return result;
-  } catch (_catch) {
-    var _err = _catch, _hasErr = 1;
-  } finally {
-    var _promise = __callDispose(__stack, _err, _hasErr);
-    _promise && await _promise;
+      case "completed":
+        return { phase: "completed", toJSON: poisonToJSON };
+    }
   }
-}
-async function beginHostedPopup(config) {
-  const logger = config.logger;
-  const url = hostedAuthUrl(config);
-  if (!URL.canParse(config.origin)) {
-    logger.error({ origin: config.origin }, "hosted auth origin invalid");
-    throw ErrAuthConfigInvalid;
+  function errored(error, failedPhase, intent) {
+    let pending;
+    const retriable = isRetriableError(error);
+    if (!retriable) {
+      return {
+        phase: "errored",
+        error,
+        retriable: false,
+        toJSON: poisonToJSON
+      };
+    }
+    const state = {
+      phase: "errored",
+      error,
+      retriable: true,
+      retry: function retry() {
+        if (pending) {
+          return pending;
+        }
+        logger.debug({ failedPhase }, "retrying from errored state");
+        pending = execute(intent, failedPhase);
+        return pending;
+      },
+      toJSON: poisonToJSON
+    };
+    return state;
   }
-  const expectedOrigin = new URL(config.origin).origin;
-  const popup = openAuthPopup(url, logger);
-  return waitForPopupMessage(popup, config, expectedOrigin);
-}
-// src/client/auth/access-token.ts
-import * as errors11 from "@superbuilders/errors";
-var ACCESS_TOKEN_PREFIX = "eyJ";
-var TOKEN_EXPIRY_SKEW_MS = 60000;
-var resolvedAccessTokenBrand = Symbol("primer resolved access token");
-function isMalformedJws(token) {
-  if (!token.startsWith(ACCESS_TOKEN_PREFIX)) {
-    return true;
+  async function execute(intent, phase) {
+    logger.debug({
+      phase,
+      intentKind: intent.kind,
+      subject: sc.subject
+    }, "session execute");
+    const body = {
+      subject: sc.subject,
+      intent
+    };
+    const result = await sc.transport(body);
+    if (!result.ok) {
+      if ((errors11.is(result.error, ErrTokenExpired) || errors11.is(result.error, ErrInvalidAccessToken)) && sc.reauthenticate !== null) {
+        logger.warn({ phase, intentKind: intent.kind }, "session token rejected");
+        return sc.reauthenticate(result.error);
+      }
+      if (isFatalError(result.error)) {
+        logger.error({
+          error: result.error,
+          phase,
+          intentKind: intent.kind
+        }, "fatal transport error");
+        return {
+          phase: "fatal",
+          error: result.error,
+          retriable: false,
+          toJSON: poisonToJSON
+        };
+      }
+      logger.warn({
+        error: result.error,
+        phase,
+        intentKind: intent.kind
+      }, "retriable transport error");
+      return errored(result.error, phase, intent);
+    }
+    const next = resolve(result.data);
+    logger.debug({
+      phase,
+      intentKind: intent.kind,
+      outcome: result.data.outcome,
+      nextPhase: next.phase
+    }, "session execute resolved");
+    return next;
   }
-  const dotCount = token.split(".").length - 1;
-  return dotCount !== 2;
-}
-function paddedBase64(base64Url) {
-  const normalized = base64Url.replaceAll("-", "+").replaceAll("_", "/");
-  const remainder = normalized.length % 4;
-  if (remainder === 0) {
-    return normalized;
+  function isPciSupported(pciId) {
+    for (const id of sc.supportedPcis) {
+      if (id === pciId) {
+        return true;
+      }
+    }
+    return false;
   }
-  if (remainder === 2) {
-    return `${normalized}==`;
+  function fromAdvanced(body, stimulus, interaction) {
+    if (interaction === null) {
+      return observationState(ctx, body, stimulus);
+    }
+    if (interaction.type === "portable-custom") {
+      if (!isPciSupported(interaction.pciId)) {
+        logger.error({ pciId: interaction.pciId }, "unsupported pci in frame");
+        return {
+          phase: "fatal",
+          error: errors11.wrap(ErrUnsupportedPci, `pci '${interaction.pciId}'`),
+          retriable: false,
+          toJSON: poisonToJSON
+        };
+      }
+    }
+    return pendingInteractionState(body, stimulus, interaction);
   }
-  if (remainder === 3) {
-    return `${normalized}=`;
+  function extendedTextInteractionState(body, stimulus, interaction) {
+    if (!("cardinality" in interaction)) {
+      logger.error("extended-text interaction is unsupported");
+      return {
+        phase: "fatal",
+        error: errors11.wrap(ErrBadRequest, "extended-text interaction unsupported"),
+        retriable: false,
+        toJSON: poisonToJSON
+      };
+    }
+    const extendedInteraction = interaction;
+    return extendedTextState(ctx, body, stimulus, extendedInteraction);
   }
-  throw errors11.wrap(ErrMalformedAccessToken, "payload base64");
-}
-function decodeBase64UrlJson(segment) {
-  const decoded = errors11.trySync(function decodePayload() {
-    const json = globalThis.atob(paddedBase64(segment));
-    return JSON.parse(json);
-  });
-  if (decoded.error) {
-    throw errors11.wrap(ErrMalformedAccessToken, "payload decode");
+  function pendingInteractionState(body, stimulus, interaction) {
+    switch (interaction.type) {
+      case "choice":
+        return choiceState(ctx, body, stimulus, interaction, interaction.options, interaction.maxChoices, interaction.minChoices);
+      case "text-entry":
+        return textEntryState(ctx, body, stimulus, interaction);
+      case "extended-text":
+        return extendedTextInteractionState(body, stimulus, interaction);
+      case "order":
+        return orderState(ctx, body, stimulus, interaction);
+      case "match":
+        return matchState(ctx, body, stimulus, interaction);
+      case "portable-custom":
+        return pciInteractionState(ctx, body, stimulus, interaction);
+    }
   }
-  return decoded.data;
+  const ctx = { logger, execute, errored };
+  return { execute };
 }
-function numericClaim(payload, claim) {
-  if (typeof payload !== "object" || payload === null) {
-    return null;
+// src/client/transport.ts
+import * as errors12 from "@superbuilders/errors";
+// src/version.ts
+var SDK_VERSION = "4.1.0";
+var NPM_PACKAGE_URL = "https://www.npmjs.com/package/@superbuilders/primer-tives";
+// src/client/transport.ts
+var ADVANCE_PATH = "/api/v0/advance";
+function readStringField(value, key) {
+  if (!(key in value)) {
+    return;
   }
-  const value = Reflect.get(payload, claim);
-  if (typeof value !== "number" || !Number.isFinite(value)) {
-    return null;
+  const v = Reflect.get(value, key);
+  if (typeof v !== "string") {
+    return;
   }
-  return value;
+  return v;
 }
-function validateAccessTokenTimestamp(token, logger) {
-  const segments = token.split(".");
-  const payloadSegment = segments[1];
-  if (payloadSegment === undefined || payloadSegment.length === 0) {
-    logger.error("access token payload missing");
-    throw errors11.wrap(ErrMalformedAccessToken, "payload missing");
+function parseAdvanceErrorBody(body) {
+  if (body.length === 0) {
+    return null;
   }
-  const payload = decodeBase64UrlJson(payloadSegment);
-  const exp = numericClaim(payload, "exp");
-  if (exp === null) {
-    logger.error("access token exp missing");
-    throw errors11.wrap(ErrMalformedAccessToken, "exp missing");
+  const parsed = errors12.trySync(function parseJson() {
+    return JSON.parse(body);
+  });
+  if (parsed.error) {
+    return null;
   }
-  const expiresAtMs = exp * 1000;
-  if (expiresAtMs <= Date.now() + TOKEN_EXPIRY_SKEW_MS) {
-    logger.error("access token expired");
-    throw ErrTokenExpired;
+  const raw = parsed.data;
+  if (typeof raw !== "object" || raw === null) {
+    return null;
   }
-}
-function resolveAccessToken(token, logger) {
-  if (isMalformedJws(token)) {
-    logger.error({ prefix: ACCESS_TOKEN_PREFIX }, "malformed access token");
-    throw errors11.wrap(ErrMalformedAccessToken, `token must start with '${ACCESS_TOKEN_PREFIX}' and contain two dots`);
+  const result = {};
+  const error = readStringField(raw, "error");
+  if (error !== undefined) {
+    result.error = error;
   }
-  validateAccessTokenTimestamp(token, logger);
-  return { value: token, [resolvedAccessTokenBrand]: true };
-}
-// src/client/auth/storage.ts
-var MANAGED_AUTH_ACCESS_TOKEN_KEY_PREFIX = "primer:access-token";
-function managedAuthAccessTokenStorageKey(publishableKey) {
-  return `${MANAGED_AUTH_ACCESS_TOKEN_KEY_PREFIX}:${publishableKey}`;
-}
-function managedAuthStorage(logger) {
-  if (typeof globalThis.sessionStorage === "undefined") {
-    logger.error("managed auth storage unavailable");
-    throw ErrAuthUnavailable;
+  const detail = readStringField(raw, "detail");
+  if (detail !== undefined) {
+    result.detail = detail;
   }
-  return globalThis.sessionStorage;
-}
-function loadManagedAuthAccessToken(storage, publishableKey) {
-  const token = storage.getItem(managedAuthAccessTokenStorageKey(publishableKey));
-  if (token === null || token.length === 0) {
-    return null;
+  const minimumSdkVersion = readStringField(raw, "minimumSdkVersion");
+  if (minimumSdkVersion !== undefined) {
+    result.minimumSdkVersion = minimumSdkVersion;
   }
-  return token;
-}
-function storeManagedAuthAccessToken(storage, publishableKey, accessToken) {
-  storage.setItem(managedAuthAccessTokenStorageKey(publishableKey), accessToken);
-}
-function clearManagedAuthAccessToken(storage, publishableKey) {
-  storage.removeItem(managedAuthAccessTokenStorageKey(publishableKey));
-}
-// src/client/auth/provider.ts
-function resolveProvidedAccessToken(token, logger) {
-  const result = errors12.trySync(function resolveProvidedToken() {
-    return resolveAccessToken(token, logger);
-  });
-  if (result.error) {
-    return { kind: "fatal", error: result.error };
+  const receivedSdkVersion = readStringField(raw, "receivedSdkVersion");
+  if (receivedSdkVersion !== undefined) {
+    result.receivedSdkVersion = receivedSdkVersion;
   }
-  return { kind: "resolved", accessToken: result.data };
+  const upgradeUrl = readStringField(raw, "upgradeUrl");
+  if (upgradeUrl !== undefined) {
+    result.upgradeUrl = upgradeUrl;
+  }
+  return result;
 }
-function resolveHostedAccessToken(token, storage, options) {
-  const result = errors12.trySync(function resolveHostedToken() {
-    return resolveAccessToken(token, options.logger);
-  });
-  if (result.error) {
-    return { kind: "sign-in-failed", error: result.error };
+function httpSentinel(status, body) {
+  if (status === 400) {
+    const parsed = parseAdvanceErrorBody(body);
+    if (parsed?.error === "sdk_upgrade_required") {
+      return ErrSdkUpgradeRequired;
+    }
+    return ErrBadRequest;
   }
-  storeManagedAuthAccessToken(storage, options.publishableKey, token);
-  return {
-    kind: "resolved",
-    accessToken: result.data,
-    clearCachedAccessToken: function clearCachedAccessToken() {
-      clearManagedAuthAccessToken(storage, options.publishableKey);
+  if (status === 401) {
+    const parsed = parseAdvanceErrorBody(body);
+    if (parsed?.detail === "token_expired") {
+      return ErrTokenExpired;
     }
-  };
-}
-function resolveStoredAccessToken(storage, options) {
-  const stored = loadManagedAuthAccessToken(storage, options.publishableKey);
-  if (stored === null) {
-    return { kind: "missing" };
+    return ErrInvalidAccessToken;
   }
-  const result = errors12.trySync(function resolveStoredToken() {
-    return resolveAccessToken(stored, options.logger);
-  });
-  if (result.error) {
-    clearManagedAuthAccessToken(storage, options.publishableKey);
-    return { kind: "missing" };
+  if (status === 403) {
+    return ErrForbidden;
   }
-  return {
-    kind: "resolved",
-    accessToken: result.data,
-    clearCachedAccessToken: function clearCachedAccessToken() {
-      clearManagedAuthAccessToken(storage, options.publishableKey);
-    }
-  };
-}
-function resolveExistingAccessToken(options) {
-  if (options.accessToken !== undefined) {
-    return resolveProvidedAccessToken(options.accessToken, options.logger);
+  if (status === 404) {
+    return ErrNotFound;
   }
-  const storageResult = errors12.trySync(function readManagedAuthStorage() {
-    return managedAuthStorage(options.logger);
-  });
-  if (storageResult.error) {
-    return { kind: "auth-unavailable", error: storageResult.error };
+  if (status === 409) {
+    return ErrConflict;
   }
-  return resolveStoredAccessToken(storageResult.data, options);
-}
-function authFailureResult(error) {
-  if (errors12.is(error, ErrAuthConfigInvalid)) {
-    return { kind: "auth-config-invalid", error };
+  if (status === 429) {
+    return ErrRateLimited;
   }
-  if (errors12.is(error, ErrAuthUnavailable)) {
-    return { kind: "auth-unavailable", error };
+  if (status === 502 || status === 503 || status === 504) {
+    return ErrServiceUnavailable;
   }
-  return { kind: "sign-in-failed", error };
+  return ErrServerError;
 }
-async function beginHostedLogin(options) {
-  const logger = options.logger;
-  const contextResult = errors12.trySync(function readContext() {
-    const storage = managedAuthStorage(logger);
-    const url = currentUrl(logger);
-    const clientState = randomClientState(logger);
-    return { storage, url, clientState };
-  });
-  if (contextResult.error) {
-    return authFailureResult(contextResult.error);
+function buildSdkUpgradeRequiredError(sentinel, text, logger) {
+  const parsed = parseAdvanceErrorBody(text);
+  if (parsed === null) {
+    logger.error({
+      receivedSdkVersion: null,
+      minimumSdkVersion: "<unknown>",
+      upgradeUrl: NPM_PACKAGE_URL
+    }, "sdk upgrade required");
+    const message2 = `<missing> < <unknown>; bump @superbuilders/primer-tives at ${NPM_PACKAGE_URL}`;
+    return errors12.wrap(sentinel, message2);
   }
-  const context = contextResult.data;
-  const accessTokenResult = await errors12.try(beginHostedPopup({
-    origin: options.origin,
-    publishableKey: options.publishableKey,
-    currentUrl: context.url,
-    clientState: context.clientState,
-    logger
-  }));
-  if (accessTokenResult.error) {
-    return authFailureResult(accessTokenResult.error);
+  const minimumSdkVersion = parsed.minimumSdkVersion === undefined ? "<unknown>" : parsed.minimumSdkVersion;
+  const receivedSdkVersion = parsed.receivedSdkVersion === undefined ? null : parsed.receivedSdkVersion;
+  const receivedDisplay = receivedSdkVersion === null ? "<missing>" : receivedSdkVersion;
+  const upgradeUrl = parsed.upgradeUrl === undefined ? NPM_PACKAGE_URL : parsed.upgradeUrl;
+  logger.error({
+    receivedSdkVersion,
+    minimumSdkVersion,
+    upgradeUrl
+  }, "sdk upgrade required");
+  const message = `${receivedDisplay} < ${minimumSdkVersion}; bump @superbuilders/primer-tives at ${upgradeUrl}`;
+  return errors12.wrap(sentinel, message);
+}
+function isAbortError(err) {
+  if (err instanceof DOMException && err.name === "AbortError") {
+    return true;
   }
-  return resolveHostedAccessToken(accessTokenResult.data, context.storage, options);
+  if (err instanceof DOMException && err.name === "TimeoutError") {
+    return true;
+  }
+  return false;
 }
-// src/client/auth-state.ts
-function pendingLogin(config) {
-  let pending;
-  function login() {
-    if (pending !== undefined) {
-      return pending;
+function createTransport(tc) {
+  const fetchFn = tc.fetch ? tc.fetch : globalThis.fetch;
+  const logger = tc.logger;
+  const advanceUrl = new URL(ADVANCE_PATH, tc.origin).toString();
+  function transportSignal() {
+    if (tc.abort) {
+      return tc.abort.signal;
     }
-    pending = config.login().finally(function clearPending() {
-      pending = undefined;
+    return;
+  }
+  async function transport(body) {
+    logger.debug({
+      intentKind: body.intent.kind,
+      subject: body.subject
+    }, "transport request");
+    const fetchResult = await fetchFn(advanceUrl, {
+      method: "POST",
+      mode: "cors",
+      credentials: "omit",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${tc.accessToken.value}`,
+        "X-Primer-Publishable-Key": tc.publishableKey,
+        "X-Primer-SDK-Version": SDK_VERSION
+      },
+      body: JSON.stringify(body),
+      signal: transportSignal()
+    }).then(function ok(r) {
+      return { ok: true, response: r };
+    }, function fail(err) {
+      return { ok: false, error: err };
     });
-    return pending;
+    if (!fetchResult.ok) {
+      if (isAbortError(fetchResult.error)) {
+        logger.error({
+          intentKind: body.intent.kind
+        }, "transport timeout");
+        return { ok: false, error: errors12.wrap(ErrTimeout, fetchResult.error.message) };
+      }
+      logger.error({
+        error: fetchResult.error
+      }, "transport network error");
+      return { ok: false, error: errors12.wrap(ErrNetwork, fetchResult.error.message) };
+    }
+    const res = fetchResult.response;
+    if (!res.ok) {
+      const text = await res.text().catch(function fallback() {
+        return "";
+      });
+      const sentinel = httpSentinel(res.status, text);
+      if (errors12.is(sentinel, ErrSdkUpgradeRequired)) {
+        return { ok: false, error: buildSdkUpgradeRequiredError(sentinel, text, logger) };
+      }
+      logger.error({
+        status: res.status,
+        body: text,
+        intentKind: body.intent.kind,
+        subject: body.subject
+      }, "transport http error");
+      return { ok: false, error: errors12.wrap(sentinel, text) };
+    }
+    const jsonResult = await res.json().then(function ok(data) {
+      return { ok: true, data };
+    }, function fail(err) {
+      return { ok: false, error: err };
+    });
+    if (!jsonResult.ok) {
+      logger.error({
+        error: jsonResult.error
+      }, "transport json parse failed");
+      return { ok: false, error: errors12.wrap(ErrJsonParse, jsonResult.error.message) };
+    }
+    logger.debug({
+      intentKind: body.intent.kind
+    }, "transport success");
+    return { ok: true, data: jsonResult.data };
   }
-  return login;
-}
-function signInRequiredState(config) {
-  return {
-    phase: "sign-in-required",
-    login: pendingLogin(config),
-    toJSON: poisonToJSON
-  };
-}
-function signInFailedState(config) {
-  return {
-    phase: "sign-in-failed",
-    error: config.error,
-    login: pendingLogin(config),
-    toJSON: poisonToJSON
-  };
-}
-function authUnavailableState(error) {
-  return {
-    phase: "auth-unavailable",
-    error,
-    toJSON: poisonToJSON
-  };
-}
-function authConfigInvalidState(error) {
-  return {
-    phase: "auth-config-invalid",
-    error,
-    toJSON: poisonToJSON
-  };
+  return transport;
 }
 // src/client/start.ts
@@ -8123,4 +8139,4 @@ export {
   start
 };
-//# debugId=D2887B68B961EF6364756E2164756E21
+//# debugId=8BB175F09E303E4A64756E2164756E21