@superbuilders/primer-tives 4.0.5 → 5.0.0

package/dist/client/index.js

@@ -6461,14 +6461,14 @@ var FractionInputSubmissionDraft07Schema = {
       type: "object",
       additionalProperties: false,
       required: ["form", "whole"],
-      properties: { form: { const: "whole" }, whole: { type: "string" } }
+      properties: { form: { type: "string", const: "whole" }, whole: { type: "string" } }
     },
     {
       type: "object",
       additionalProperties: false,
       required: ["form", "numerator", "denominator"],
       properties: {
-        form: { const: "proper" },
+        form: { type: "string", const: "proper" },
         numerator: { type: "string" },
         denominator: { type: "string" }
       }
@@ -6478,7 +6478,7 @@ var FractionInputSubmissionDraft07Schema = {
       additionalProperties: false,
       required: ["form", "numerator", "denominator"],
       properties: {
-        form: { const: "improper" },
+        form: { type: "string", const: "improper" },
         numerator: { type: "string" },
         denominator: { type: "string" }
       }
@@ -6488,7 +6488,7 @@ var FractionInputSubmissionDraft07Schema = {
       additionalProperties: false,
       required: ["form", "whole", "numerator", "denominator"],
       properties: {
-        form: { const: "mixed" },
+        form: { type: "string", const: "mixed" },
         whole: { type: "string" },
         numerator: { type: "string" },
         denominator: { type: "string" }
@@ -6510,7 +6510,7 @@ var ChoiceSubmissionSchema = {
   additionalProperties: false,
   required: ["type", "selectedKeys"],
   properties: {
-    type: { const: "choice" },
+    type: { type: "string", const: "choice" },
     selectedKeys: { type: "array", items: { type: "string" } }
   }
 };
@@ -6518,14 +6518,14 @@ var TextEntrySubmissionSchema = {
   type: "object",
   additionalProperties: false,
   required: ["type", "value"],
-  properties: { type: { const: "text-entry" }, value: { type: "string" } }
+  properties: { type: { type: "string", const: "text-entry" }, value: { type: "string" } }
 };
 var ExtendedTextSubmissionSchema = {
   type: "object",
   additionalProperties: false,
   required: ["type", "values"],
   properties: {
-    type: { const: "extended-text" },
+    type: { type: "string", const: "extended-text" },
     values: { type: "array", minItems: 1, items: { type: "string" } }
   }
 };
@@ -6534,7 +6534,7 @@ var OrderSubmissionSchema = {
   additionalProperties: false,
   required: ["type", "orderedKeys"],
   properties: {
-    type: { const: "order" },
+    type: { type: "string", const: "order" },
     orderedKeys: { type: "array", items: { type: "string" } }
   }
 };
@@ -6543,7 +6543,7 @@ var MatchSubmissionSchema = {
   additionalProperties: false,
   required: ["type", "pairs"],
   properties: {
-    type: { const: "match" },
+    type: { type: "string", const: "match" },
     pairs: { type: "array", items: MatchPairSchema }
   }
 };
@@ -6552,8 +6552,8 @@ var FractionInputPciSubmissionSchema = {
   additionalProperties: false,
   required: ["type", "pciId", "value"],
   properties: {
-    type: { const: "portable-custom" },
-    pciId: { const: "urn:primer:pci:fraction-input" },
+    type: { type: "string", const: "portable-custom" },
+    pciId: { type: "string", const: "urn:primer:pci:fraction-input" },
     value: FractionInputSubmissionDraft07Schema
   }
 };
@@ -6779,217 +6779,518 @@ function validateSubmissionForInteraction(interaction, submission) {
 function submissionValidationMessage(result) {
   return result.issues.join("; ");
 }
-// src/client/transport.ts
-import * as errors3 from "@superbuilders/errors";
-
-// src/version.ts
-var SDK_VERSION = "4.0.5";
-var NPM_PACKAGE_URL = "https://www.npmjs.com/package/@superbuilders/primer-tives";
+// src/client/auth/provider.ts
+import * as errors4 from "@superbuilders/errors";
 
-// src/client/transport.ts
-var ADVANCE_PATH = "/api/v0/advance";
-function readStringField(value, key) {
-  if (!(key in value)) {
-    return;
-  }
-  const v = Reflect.get(value, key);
-  if (typeof v !== "string") {
-    return;
+// src/client/auth/access-token.ts
+import * as errors3 from "@superbuilders/errors";
+var ACCESS_TOKEN_PREFIX = "eyJ";
+var TOKEN_EXPIRY_SKEW_MS = 60000;
+var resolvedAccessTokenBrand = Symbol("primer resolved access token");
+function isMalformedJws(token) {
+  if (!token.startsWith(ACCESS_TOKEN_PREFIX)) {
+    return true;
   }
-  return v;
+  const dotCount = token.split(".").length - 1;
+  return dotCount !== 2;
 }
-function parseAdvanceErrorBody(body) {
-  if (body.length === 0) {
-    return null;
+function paddedBase64(base64Url) {
+  const normalized = base64Url.replaceAll("-", "+").replaceAll("_", "/");
+  const remainder = normalized.length % 4;
+  if (remainder === 0) {
+    return normalized;
   }
-  const parsed = errors3.trySync(function parseJson() {
-    return JSON.parse(body);
+  if (remainder === 2) {
+    return `${normalized}==`;
+  }
+  if (remainder === 3) {
+    return `${normalized}=`;
+  }
+  throw errors3.wrap(ErrMalformedAccessToken, "payload base64");
+}
+function decodeBase64UrlJson(segment) {
+  const decoded = errors3.trySync(function decodePayload() {
+    const json = globalThis.atob(paddedBase64(segment));
+    return JSON.parse(json);
   });
-  if (parsed.error) {
+  if (decoded.error) {
+    throw errors3.wrap(ErrMalformedAccessToken, "payload decode");
+  }
+  return decoded.data;
+}
+function numericClaim(payload, claim) {
+  if (typeof payload !== "object" || payload === null) {
     return null;
   }
-  const raw = parsed.data;
-  if (typeof raw !== "object" || raw === null) {
+  const value = Reflect.get(payload, claim);
+  if (typeof value !== "number" || !Number.isFinite(value)) {
     return null;
   }
-  const result = {};
-  const error = readStringField(raw, "error");
-  if (error !== undefined) {
-    result.error = error;
+  return value;
+}
+function validateAccessTokenTimestamp(token, logger) {
+  const segments = token.split(".");
+  const payloadSegment = segments[1];
+  if (payloadSegment === undefined || payloadSegment.length === 0) {
+    logger.error("access token payload missing");
+    throw errors3.wrap(ErrMalformedAccessToken, "payload missing");
   }
-  const detail = readStringField(raw, "detail");
-  if (detail !== undefined) {
-    result.detail = detail;
+  const payload = decodeBase64UrlJson(payloadSegment);
+  const exp = numericClaim(payload, "exp");
+  if (exp === null) {
+    logger.error("access token exp missing");
+    throw errors3.wrap(ErrMalformedAccessToken, "exp missing");
   }
-  const minimumSdkVersion = readStringField(raw, "minimumSdkVersion");
-  if (minimumSdkVersion !== undefined) {
-    result.minimumSdkVersion = minimumSdkVersion;
+  const expiresAtMs = exp * 1000;
+  if (expiresAtMs <= Date.now() + TOKEN_EXPIRY_SKEW_MS) {
+    logger.error("access token expired");
+    throw ErrTokenExpired;
   }
-  const receivedSdkVersion = readStringField(raw, "receivedSdkVersion");
-  if (receivedSdkVersion !== undefined) {
-    result.receivedSdkVersion = receivedSdkVersion;
+}
+function resolveAccessToken(token, logger) {
+  if (isMalformedJws(token)) {
+    logger.error({ prefix: ACCESS_TOKEN_PREFIX }, "malformed access token");
+    throw errors3.wrap(ErrMalformedAccessToken, `token must start with '${ACCESS_TOKEN_PREFIX}' and contain two dots`);
   }
-  const upgradeUrl = readStringField(raw, "upgradeUrl");
-  if (upgradeUrl !== undefined) {
-    result.upgradeUrl = upgradeUrl;
+  validateAccessTokenTimestamp(token, logger);
+  return { value: token, [resolvedAccessTokenBrand]: true };
+}
+
+// src/client/auth/browser.ts
+var POPUP_TARGET = "primer-auth";
+var POPUP_FEATURES = "popup,width=480,height=720";
+function currentUrl(logger) {
+  if (typeof globalThis.location === "undefined") {
+    logger.error("auth location unavailable");
+    throw ErrAuthUnavailable;
+  }
+  return new URL(globalThis.location.href);
+}
+function redirectUri(url) {
+  return `${url.origin}${url.pathname}${url.search}`;
+}
+function randomClientState(logger) {
+  if (typeof globalThis.crypto === "undefined") {
+    logger.error("auth crypto unavailable");
+    throw ErrAuthUnavailable;
+  }
+  const bytes = new Uint8Array(24);
+  globalThis.crypto.getRandomValues(bytes);
+  let result = "";
+  for (const byte of bytes) {
+    result += byte.toString(16).padStart(2, "0");
   }
   return result;
 }
-function httpSentinel(status, body) {
-  if (status === 400) {
-    const parsed = parseAdvanceErrorBody(body);
-    if (parsed?.error === "sdk_upgrade_required") {
-      return ErrSdkUpgradeRequired;
-    }
-    return ErrBadRequest;
+function openAuthPopup(url, logger) {
+  if (typeof globalThis.open === "undefined") {
+    logger.error("auth popup api unavailable");
+    throw ErrAuthUnavailable;
   }
-  if (status === 401) {
-    const parsed = parseAdvanceErrorBody(body);
-    if (parsed?.detail === "token_expired") {
-      return ErrTokenExpired;
-    }
-    return ErrInvalidAccessToken;
+  const popup = globalThis.open(url, POPUP_TARGET, POPUP_FEATURES);
+  if (popup === null) {
+    logger.error("auth popup blocked");
+    throw ErrAuthPopupBlocked;
   }
-  if (status === 403) {
-    return ErrForbidden;
+  return popup;
+}
+
+// src/client/auth/hosted-popup.ts
+var DEFAULT_POPUP_TIMEOUT_MS = 10 * 60 * 1000;
+var POPUP_POLL_MS = 250;
+var AUTH_MESSAGE_TYPE = "primer-tives.auth.result.v1";
+function hostedAuthUrl(config) {
+  const logger = config.logger;
+  if (!URL.canParse(config.origin)) {
+    logger.error({ origin: config.origin }, "hosted auth origin invalid");
+    throw ErrAuthConfigInvalid;
   }
-  if (status === 404) {
-    return ErrNotFound;
+  const authUrl = new URL("/api/auth/timeback/start", config.origin);
+  authUrl.searchParams.set("publishableKey", config.publishableKey);
+  authUrl.searchParams.set("redirectUri", redirectUri(config.currentUrl));
+  authUrl.searchParams.set("state", config.clientState);
+  return authUrl.toString();
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null;
+}
+function stringField(value, key) {
+  const field = value[key];
+  if (typeof field !== "string" || field.length === 0) {
+    return null;
   }
-  if (status === 409) {
-    return ErrConflict;
+  return field;
+}
+function readPopupMessage(event, popup, config, expectedOrigin) {
+  if (event.source !== popup) {
+    return { kind: "ignore" };
   }
-  if (status === 429) {
-    return ErrRateLimited;
+  if (event.origin !== expectedOrigin) {
+    return { kind: "ignore" };
   }
-  if (status === 502 || status === 503 || status === 504) {
-    return ErrServiceUnavailable;
+  const data = event.data;
+  if (!isRecord(data)) {
+    return { kind: "ignore" };
   }
-  return ErrServerError;
-}
-function buildSdkUpgradeRequiredError(sentinel, text, logger) {
-  const parsed = parseAdvanceErrorBody(text);
-  if (parsed === null) {
-    logger.error({
-      receivedSdkVersion: null,
-      minimumSdkVersion: "<unknown>",
-      upgradeUrl: NPM_PACKAGE_URL
-    }, "sdk upgrade required");
-    const message2 = `<missing> < <unknown>; bump @superbuilders/primer-tives at ${NPM_PACKAGE_URL}`;
-    return errors3.wrap(sentinel, message2);
+  const messageType = stringField(data, "type");
+  if (messageType !== AUTH_MESSAGE_TYPE) {
+    return { kind: "ignore" };
   }
-  const minimumSdkVersion = parsed.minimumSdkVersion === undefined ? "<unknown>" : parsed.minimumSdkVersion;
-  const receivedSdkVersion = parsed.receivedSdkVersion === undefined ? null : parsed.receivedSdkVersion;
-  const receivedDisplay = receivedSdkVersion === null ? "<missing>" : receivedSdkVersion;
-  const upgradeUrl = parsed.upgradeUrl === undefined ? NPM_PACKAGE_URL : parsed.upgradeUrl;
-  logger.error({
-    receivedSdkVersion,
-    minimumSdkVersion,
-    upgradeUrl
-  }, "sdk upgrade required");
-  const message = `${receivedDisplay} < ${minimumSdkVersion}; bump @superbuilders/primer-tives at ${upgradeUrl}`;
-  return errors3.wrap(sentinel, message);
-}
-function isAbortError(err) {
-  if (err instanceof DOMException && err.name === "AbortError") {
-    return true;
+  const state = stringField(data, "state");
+  if (state === null) {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
   }
-  if (err instanceof DOMException && err.name === "TimeoutError") {
-    return true;
+  if (state !== config.clientState) {
+    return { kind: "error", error: ErrAuthStateMismatch };
   }
-  return false;
-}
-function createTransport(tc) {
-  const fetchFn = tc.fetch ? tc.fetch : globalThis.fetch;
-  const logger = tc.logger;
-  const advanceUrl = new URL(ADVANCE_PATH, tc.origin).toString();
-  function transportSignal() {
-    if (tc.abort) {
-      return tc.abort.signal;
-    }
-    return;
+  const status = stringField(data, "status");
+  if (status === "error") {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
   }
-  async function transport(body) {
-    logger.debug({
-      intentKind: body.intent.kind,
-      subject: body.subject
-    }, "transport request");
-    const fetchResult = await fetchFn(advanceUrl, {
-      method: "POST",
-      mode: "cors",
-      credentials: "omit",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${tc.accessToken.value}`,
-        "X-Primer-Publishable-Key": tc.publishableKey,
-        "X-Primer-SDK-Version": SDK_VERSION
-      },
-      body: JSON.stringify(body),
-      signal: transportSignal()
-    }).then(function ok(r) {
-      return { ok: true, response: r };
-    }, function fail(err) {
-      return { ok: false, error: err };
-    });
-    if (!fetchResult.ok) {
-      if (isAbortError(fetchResult.error)) {
-        logger.error({
-          intentKind: body.intent.kind
-        }, "transport timeout");
-        return { ok: false, error: errors3.wrap(ErrTimeout, fetchResult.error.message) };
+  if (status !== "success") {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
+  }
+  const accessToken = stringField(data, "accessToken");
+  if (accessToken === null) {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
+  }
+  return { kind: "success", accessToken };
+}
+function supportsAsyncDisposableStack() {
+  return typeof Reflect.get(globalThis, "AsyncDisposableStack") === "function";
+}
+async function waitForPopupMessageWithAsyncDisposableStack(popup, config, expectedOrigin) {
+  let __stack = [];
+  try {
+    const logger = config.logger;
+    const stack = __using(__stack, new AsyncDisposableStack, 1);
+    stack.defer(function closePopup() {
+      popup.close();
+    });
+    const result = await new Promise(function waitForMessage(resolve, reject) {
+      let settled = false;
+      function finishWithError(error) {
+        if (settled) {
+          return;
+        }
+        settled = true;
+        reject(error);
       }
-      logger.error({
-        error: fetchResult.error
-      }, "transport network error");
-      return { ok: false, error: errors3.wrap(ErrNetwork, fetchResult.error.message) };
-    }
-    const res = fetchResult.response;
-    if (!res.ok) {
-      const text = await res.text().catch(function fallback() {
-        return "";
+      function finishWithToken(token) {
+        if (settled) {
+          return;
+        }
+        settled = true;
+        logger.debug("hosted auth popup completed");
+        resolve(token);
+      }
+      const timeoutId = globalThis.setTimeout(function timeout() {
+        logger.error("hosted auth popup timed out");
+        finishWithError(ErrAuthCancelled);
+      }, DEFAULT_POPUP_TIMEOUT_MS);
+      stack.defer(function clearPopupTimeout() {
+        globalThis.clearTimeout(timeoutId);
       });
-      const sentinel = httpSentinel(res.status, text);
-      if (errors3.is(sentinel, ErrSdkUpgradeRequired)) {
-        return { ok: false, error: buildSdkUpgradeRequiredError(sentinel, text, logger) };
+      const closedPollId = globalThis.setInterval(function checkClosed() {
+        if (!popup.closed) {
+          return;
+        }
+        logger.error("hosted auth popup closed");
+        finishWithError(ErrAuthCancelled);
+      }, POPUP_POLL_MS);
+      stack.defer(function clearClosedPoll() {
+        globalThis.clearInterval(closedPollId);
+      });
+      function handleMessage(event) {
+        const result2 = readPopupMessage(event, popup, config, expectedOrigin);
+        if (result2.kind === "ignore") {
+          return;
+        }
+        if (result2.kind === "error") {
+          logger.error({ error: result2.error }, "hosted auth popup failed");
+          finishWithError(result2.error);
+          return;
+        }
+        finishWithToken(result2.accessToken);
       }
-      logger.error({
-        status: res.status,
-        body: text,
-        intentKind: body.intent.kind,
-        subject: body.subject
-      }, "transport http error");
-      return { ok: false, error: errors3.wrap(sentinel, text) };
+      globalThis.addEventListener("message", handleMessage);
+      stack.defer(function removeMessageListener() {
+        globalThis.removeEventListener("message", handleMessage);
+      });
+    });
+    return result;
+  } catch (_catch) {
+    var _err = _catch, _hasErr = 1;
+  } finally {
+    var _promise = __callDispose(__stack, _err, _hasErr);
+    _promise && await _promise;
+  }
+}
+function cleanupManualPopupWait(cleanups) {
+  for (let index = cleanups.length - 1;index >= 0; index -= 1) {
+    const cleanup = cleanups[index];
+    if (cleanup === undefined) {
+      continue;
     }
-    const jsonResult = await res.json().then(function ok(data) {
-      return { ok: true, data };
-    }, function fail(err) {
-      return { ok: false, error: err };
+    cleanup();
+  }
+}
+async function waitForPopupMessageWithManualCleanup(popup, config, expectedOrigin) {
+  const logger = config.logger;
+  const cleanups = [];
+  cleanups.push(function closePopup() {
+    popup.close();
+  });
+  const pending = new Promise(function waitForMessage(resolve, reject) {
+    let settled = false;
+    function finishWithError(error) {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      reject(error);
+    }
+    function finishWithToken(token) {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      logger.debug("hosted auth popup completed");
+      resolve(token);
+    }
+    const timeoutId = globalThis.setTimeout(function timeout() {
+      logger.error("hosted auth popup timed out");
+      finishWithError(ErrAuthCancelled);
+    }, DEFAULT_POPUP_TIMEOUT_MS);
+    cleanups.push(function clearPopupTimeout() {
+      globalThis.clearTimeout(timeoutId);
     });
-    if (!jsonResult.ok) {
-      logger.error({
-        error: jsonResult.error
-      }, "transport json parse failed");
-      return { ok: false, error: errors3.wrap(ErrJsonParse, jsonResult.error.message) };
+    const closedPollId = globalThis.setInterval(function checkClosed() {
+      if (!popup.closed) {
+        return;
+      }
+      logger.error("hosted auth popup closed");
+      finishWithError(ErrAuthCancelled);
+    }, POPUP_POLL_MS);
+    cleanups.push(function clearClosedPoll() {
+      globalThis.clearInterval(closedPollId);
+    });
+    function handleMessage(event) {
+      const result = readPopupMessage(event, popup, config, expectedOrigin);
+      if (result.kind === "ignore") {
+        return;
+      }
+      if (result.kind === "error") {
+        logger.error({ error: result.error }, "hosted auth popup failed");
+        finishWithError(result.error);
+        return;
+      }
+      finishWithToken(result.accessToken);
     }
-    logger.debug({
-      intentKind: body.intent.kind
-    }, "transport success");
-    return { ok: true, data: jsonResult.data };
+    globalThis.addEventListener("message", handleMessage);
+    cleanups.push(function removeMessageListener() {
+      globalThis.removeEventListener("message", handleMessage);
+    });
+  });
+  return pending.then(function cleanupSuccess(token) {
+    cleanupManualPopupWait(cleanups);
+    return token;
+  }, function cleanupFailure(error) {
+    cleanupManualPopupWait(cleanups);
+    throw error;
+  });
+}
+async function waitForPopupMessage(popup, config, expectedOrigin) {
+  if (supportsAsyncDisposableStack()) {
+    return waitForPopupMessageWithAsyncDisposableStack(popup, config, expectedOrigin);
   }
-  return transport;
+  return waitForPopupMessageWithManualCleanup(popup, config, expectedOrigin);
+}
+async function beginHostedPopup(config) {
+  const logger = config.logger;
+  const url = hostedAuthUrl(config);
+  if (!URL.canParse(config.origin)) {
+    logger.error({ origin: config.origin }, "hosted auth origin invalid");
+    throw ErrAuthConfigInvalid;
+  }
+  const expectedOrigin = new URL(config.origin).origin;
+  const popup = openAuthPopup(url, logger);
+  return waitForPopupMessage(popup, config, expectedOrigin);
 }
 
-// src/client/session.ts
-import * as errors10 from "@superbuilders/errors";
+// src/client/auth/storage.ts
+var MANAGED_AUTH_ACCESS_TOKEN_KEY_PREFIX = "primer:access-token";
+function managedAuthAccessTokenStorageKey(publishableKey) {
+  return `${MANAGED_AUTH_ACCESS_TOKEN_KEY_PREFIX}:${publishableKey}`;
+}
+function managedAuthStorage(logger) {
+  if (typeof globalThis.sessionStorage === "undefined") {
+    logger.error("managed auth storage unavailable");
+    throw ErrAuthUnavailable;
+  }
+  return globalThis.sessionStorage;
+}
+function loadManagedAuthAccessToken(storage, publishableKey) {
+  const token = storage.getItem(managedAuthAccessTokenStorageKey(publishableKey));
+  if (token === null || token.length === 0) {
+    return null;
+  }
+  return token;
+}
+function storeManagedAuthAccessToken(storage, publishableKey, accessToken) {
+  storage.setItem(managedAuthAccessTokenStorageKey(publishableKey), accessToken);
+}
+function clearManagedAuthAccessToken(storage, publishableKey) {
+  storage.removeItem(managedAuthAccessTokenStorageKey(publishableKey));
+}
+
+// src/client/auth/provider.ts
+function resolveProvidedAccessToken(token, logger) {
+  const result = errors4.trySync(function resolveProvidedToken() {
+    return resolveAccessToken(token, logger);
+  });
+  if (result.error) {
+    return { kind: "fatal", error: result.error };
+  }
+  return { kind: "resolved", accessToken: result.data };
+}
+function resolveHostedAccessToken(token, storage, options) {
+  const result = errors4.trySync(function resolveHostedToken() {
+    return resolveAccessToken(token, options.logger);
+  });
+  if (result.error) {
+    return { kind: "sign-in-failed", error: result.error };
+  }
+  storeManagedAuthAccessToken(storage, options.publishableKey, token);
+  return {
+    kind: "resolved",
+    accessToken: result.data,
+    clearCachedAccessToken: function clearCachedAccessToken() {
+      clearManagedAuthAccessToken(storage, options.publishableKey);
+    }
+  };
+}
+function resolveStoredAccessToken(storage, options) {
+  const stored = loadManagedAuthAccessToken(storage, options.publishableKey);
+  if (stored === null) {
+    return { kind: "missing" };
+  }
+  const result = errors4.trySync(function resolveStoredToken() {
+    return resolveAccessToken(stored, options.logger);
+  });
+  if (result.error) {
+    clearManagedAuthAccessToken(storage, options.publishableKey);
+    return { kind: "missing" };
+  }
+  return {
+    kind: "resolved",
+    accessToken: result.data,
+    clearCachedAccessToken: function clearCachedAccessToken() {
+      clearManagedAuthAccessToken(storage, options.publishableKey);
+    }
+  };
+}
+function resolveExistingAccessToken(options) {
+  if (options.accessToken !== undefined) {
+    return resolveProvidedAccessToken(options.accessToken, options.logger);
+  }
+  const storageResult = errors4.trySync(function readManagedAuthStorage() {
+    return managedAuthStorage(options.logger);
+  });
+  if (storageResult.error) {
+    return { kind: "auth-unavailable", error: storageResult.error };
+  }
+  return resolveStoredAccessToken(storageResult.data, options);
+}
+function authFailureResult(error) {
+  if (errors4.is(error, ErrAuthConfigInvalid)) {
+    return { kind: "auth-config-invalid", error };
+  }
+  if (errors4.is(error, ErrAuthUnavailable)) {
+    return { kind: "auth-unavailable", error };
+  }
+  return { kind: "sign-in-failed", error };
+}
+async function beginHostedLogin(options) {
+  const logger = options.logger;
+  const contextResult = errors4.trySync(function readContext() {
+    const storage = managedAuthStorage(logger);
+    const url = currentUrl(logger);
+    const clientState = randomClientState(logger);
+    return { storage, url, clientState };
+  });
+  if (contextResult.error) {
+    return authFailureResult(contextResult.error);
+  }
+  const context = contextResult.data;
+  const accessTokenResult = await errors4.try(beginHostedPopup({
+    origin: options.origin,
+    publishableKey: options.publishableKey,
+    currentUrl: context.url,
+    clientState: context.clientState,
+    logger
+  }));
+  if (accessTokenResult.error) {
+    return authFailureResult(accessTokenResult.error);
+  }
+  return resolveHostedAccessToken(accessTokenResult.data, context.storage, options);
+}
 
 // src/client/consumed.ts
 function poisonToJSON() {
   throw ErrNotSerializable;
 }
 
+// src/client/auth-state.ts
+function pendingLogin(config) {
+  let pending;
+  function login() {
+    if (pending !== undefined) {
+      return pending;
+    }
+    pending = config.login().finally(function clearPending() {
+      pending = undefined;
+    });
+    return pending;
+  }
+  return login;
+}
+function signInRequiredState(config) {
+  return {
+    phase: "sign-in-required",
+    login: pendingLogin(config),
+    toJSON: poisonToJSON
+  };
+}
+function signInFailedState(config) {
+  return {
+    phase: "sign-in-failed",
+    error: config.error,
+    login: pendingLogin(config),
+    toJSON: poisonToJSON
+  };
+}
+function authUnavailableState(error) {
+  return {
+    phase: "auth-unavailable",
+    error,
+    toJSON: poisonToJSON
+  };
+}
+function authConfigInvalidState(error) {
+  return {
+    phase: "auth-config-invalid",
+    error,
+    toJSON: poisonToJSON
+  };
+}
+
+// src/client/session.ts
+import * as errors11 from "@superbuilders/errors";
+
 // src/client/choice-state.ts
-import * as errors4 from "@superbuilders/errors";
-function choiceState(ctx, body, stimulus, interaction, options, maxChoices, minChoices) {
+import * as errors5 from "@superbuilders/errors";
+function choiceState(ctx, body, stimulus, interaction, options, maxChoices, minChoices, feedback) {
   let submitPending;
   let submitKey;
   let timeoutPending;
@@ -6997,18 +7298,18 @@ function choiceState(ctx, body, stimulus, interaction, options, maxChoices, minC
     const submission = { type: "choice", selectedKeys };
     const key = JSON.stringify(submission);
     if (timeoutPending) {
-      return Promise.resolve(ctx.errored(errors4.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
     }
     if (submitPending) {
       if (submitKey === key) {
         return submitPending;
       }
-      return Promise.resolve(ctx.errored(errors4.wrap(ErrConflict, "cannot submit a different choice payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot submit a different choice payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
     }
     const validation = validateSubmissionForInteraction(interaction, submission);
     if (!validation.ok) {
       ctx.logger.error({ selectedKeys, issues: validation.issues }, "choice submit invalid");
-      return Promise.resolve(ctx.errored(errors4.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors5.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
     submitPending = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
@@ -7020,7 +7321,7 @@ function choiceState(ctx, body, stimulus, interaction, options, maxChoices, minC
   function beginTimeout() {
     const intent = { kind: "timeout" };
     if (submitPending) {
-      return Promise.resolve(ctx.errored(errors4.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+      return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
     }
     if (timeoutPending) {
       return timeoutPending;
@@ -7036,6 +7337,7 @@ function choiceState(ctx, body, stimulus, interaction, options, maxChoices, minC
     body,
     stimulus,
     interaction,
+    feedback,
     options,
     maxChoices,
     minChoices,
@@ -7046,25 +7348,25 @@ function choiceState(ctx, body, stimulus, interaction, options, maxChoices, minC
 }
 
 // src/client/extended-text-state.ts
-import * as errors5 from "@superbuilders/errors";
-function extendedTextState(ctx, body, stimulus, interaction) {
+import * as errors6 from "@superbuilders/errors";
+function extendedTextState(ctx, body, stimulus, interaction, feedback) {
   if (interaction.cardinality === "single") {
     let submitText = function(value) {
       const submission = { type: "extended-text", values: [value] };
       const key = JSON.stringify(submission);
       if (timeoutPending2) {
-        return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+        return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
       }
       if (submitPending2) {
         if (submitKey2 === key) {
           return submitPending2;
         }
-        return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot submit a different extended-text payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+        return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot submit a different extended-text payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
       }
       const validation = validateSubmissionForInteraction(interaction, submission);
       if (!validation.ok) {
         ctx.logger.error({ value, issues: validation.issues }, "extended-text submit invalid");
-        return Promise.resolve(ctx.errored(errors5.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
+        return Promise.resolve(ctx.errored(errors6.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
       }
       submitKey2 = key;
       submitPending2 = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
@@ -7075,7 +7377,7 @@ function extendedTextState(ctx, body, stimulus, interaction) {
     }, timeout2 = function() {
       const intent = { kind: "timeout" };
       if (submitPending2) {
-        return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+        return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
       }
       if (timeoutPending2) {
         return timeoutPending2;
@@ -7095,6 +7397,7 @@ function extendedTextState(ctx, body, stimulus, interaction) {
       body,
       stimulus,
       interaction,
+      feedback,
       submitText,
       timeout: timeout2,
       toJSON: poisonToJSON
@@ -7108,18 +7411,18 @@ function extendedTextState(ctx, body, stimulus, interaction) {
     const submission = { type: "extended-text", values };
     const key = JSON.stringify(submission);
     if (timeoutPending) {
-      return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
     }
     if (submitPending) {
       if (submitKey === key) {
         return submitPending;
       }
-      return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot submit a different extended-text payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot submit a different extended-text payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
     }
     const validation = validateSubmissionForInteraction(multi, submission);
     if (!validation.ok) {
       ctx.logger.error({ values, issues: validation.issues }, "extended-text submit invalid");
-      return Promise.resolve(ctx.errored(errors5.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors6.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
     submitPending = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
@@ -7131,7 +7434,7 @@ function extendedTextState(ctx, body, stimulus, interaction) {
   function timeout() {
     const intent = { kind: "timeout" };
     if (submitPending) {
-      return Promise.resolve(ctx.errored(errors5.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+      return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
     }
     if (timeoutPending) {
       return timeoutPending;
@@ -7148,6 +7451,7 @@ function extendedTextState(ctx, body, stimulus, interaction) {
     body,
     stimulus,
     interaction: multi,
+    feedback,
     maxStrings: multi.maxStrings,
     minStrings: multi.minStrings,
     submitTexts,
@@ -7157,31 +7461,47 @@ function extendedTextState(ctx, body, stimulus, interaction) {
 }
 
 // src/client/feedback-state.ts
-function feedbackState(ctx, body, stimulus, interaction, submission, isCorrect, feedbackContent, review) {
+function createAdvance(ctx) {
   let pending;
+  return function advance() {
+    if (pending) {
+      return pending;
+    }
+    pending = ctx.execute({ kind: "observation" }, "observation");
+    return pending;
+  };
+}
+function submittedFeedbackState(ctx, body, stimulus, interaction, submission, assessmentOutcome, feedbackContent, review) {
   return {
     phase: "feedback",
+    feedbackKind: "submitted",
     body,
     stimulus,
     interaction,
     submission,
-    isCorrect,
+    assessmentOutcome,
     feedbackContent,
     review,
-    advance: function advance() {
-      if (pending) {
-        return pending;
-      }
-      pending = ctx.execute({ kind: "observation" }, "observation");
-      return pending;
-    },
+    advance: createAdvance(ctx),
+    toJSON: poisonToJSON
+  };
+}
+function timedOutFeedbackState(ctx, body, stimulus, interaction, feedbackContent) {
+  return {
+    phase: "feedback",
+    feedbackKind: "timedOut",
+    body,
+    stimulus,
+    interaction,
+    feedbackContent,
+    advance: createAdvance(ctx),
     toJSON: poisonToJSON
   };
 }
 
 // src/client/match-state.ts
-import * as errors6 from "@superbuilders/errors";
-function matchState(ctx, body, stimulus, interaction) {
+import * as errors7 from "@superbuilders/errors";
+function matchState(ctx, body, stimulus, interaction, feedback) {
   let submitPending;
   let submitKey;
   let timeoutPending;
@@ -7189,18 +7509,18 @@ function matchState(ctx, body, stimulus, interaction) {
     const submission = { type: "match", pairs };
     const key = JSON.stringify(submission);
     if (timeoutPending) {
-      return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
     }
     if (submitPending) {
       if (submitKey === key) {
         return submitPending;
       }
-      return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot submit a different match payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot submit a different match payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
     }
     const validation = validateSubmissionForInteraction(interaction, submission);
     if (!validation.ok) {
       ctx.logger.error({ pairs, issues: validation.issues }, "match submit invalid");
-      return Promise.resolve(ctx.errored(errors6.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors7.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
     submitPending = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
@@ -7212,7 +7532,7 @@ function matchState(ctx, body, stimulus, interaction) {
   function timeout() {
     const intent = { kind: "timeout" };
     if (submitPending) {
-      return Promise.resolve(ctx.errored(errors6.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+      return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
     }
     if (timeoutPending) {
       return timeoutPending;
@@ -7228,6 +7548,7 @@ function matchState(ctx, body, stimulus, interaction) {
     body,
     stimulus,
     interaction,
+    feedback,
     sourceChoices: interaction.sourceChoices,
     targetChoices: interaction.targetChoices,
     minAssociations: interaction.minAssociations,
@@ -7257,8 +7578,8 @@ function observationState(ctx, body, stimulus) {
 }
 
 // src/client/order-state.ts
-import * as errors7 from "@superbuilders/errors";
-function orderState(ctx, body, stimulus, interaction) {
+import * as errors8 from "@superbuilders/errors";
+function orderState(ctx, body, stimulus, interaction, feedback) {
   let submitPending;
   let submitKey;
   let timeoutPending;
@@ -7266,18 +7587,18 @@ function orderState(ctx, body, stimulus, interaction) {
     const submission = { type: "order", orderedKeys };
     const key = JSON.stringify(submission);
     if (timeoutPending) {
-      return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors8.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
     }
     if (submitPending) {
       if (submitKey === key) {
         return submitPending;
       }
-      return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot submit a different order payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors8.wrap(ErrConflict, "cannot submit a different order payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
     }
     const validation = validateSubmissionForInteraction(interaction, submission);
     if (!validation.ok) {
       ctx.logger.error({ orderedKeys, issues: validation.issues }, "order submit invalid");
-      return Promise.resolve(ctx.errored(errors7.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors8.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
     submitPending = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
@@ -7289,7 +7610,7 @@ function orderState(ctx, body, stimulus, interaction) {
   function timeout() {
     const intent = { kind: "timeout" };
     if (submitPending) {
-      return Promise.resolve(ctx.errored(errors7.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+      return Promise.resolve(ctx.errored(errors8.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
     }
     if (timeoutPending) {
       return timeoutPending;
@@ -7305,6 +7626,7 @@ function orderState(ctx, body, stimulus, interaction) {
     body,
     stimulus,
     interaction,
+    feedback,
     choices: interaction.choices,
     minChoices: interaction.minChoices,
     maxChoices: interaction.maxChoices,
@@ -7315,8 +7637,8 @@ function orderState(ctx, body, stimulus, interaction) {
 }
 
 // src/client/pci-state.ts
-import * as errors8 from "@superbuilders/errors";
-function pciInteractionState(ctx, body, stimulus, interaction) {
+import * as errors9 from "@superbuilders/errors";
+function pciInteractionState(ctx, body, stimulus, interaction, feedback) {
   let submitPending;
   let submitKey;
   let timeoutPending;
@@ -7325,13 +7647,13 @@ function pciInteractionState(ctx, body, stimulus, interaction) {
     const submission = { type: "portable-custom", pciId, value };
     const key = JSON.stringify(submission);
     if (timeoutPending) {
-      return Promise.resolve(ctx.errored(errors8.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors9.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
     }
     if (submitPending) {
       if (submitKey === key) {
         return submitPending;
       }
-      return Promise.resolve(ctx.errored(errors8.wrap(ErrConflict, "cannot submit a different pci payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors9.wrap(ErrConflict, "cannot submit a different pci payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
     }
     ctx.logger.debug({ pciId }, "pci submit");
     submitKey = key;
@@ -7344,7 +7666,7 @@ function pciInteractionState(ctx, body, stimulus, interaction) {
   function timeout() {
     const intent = { kind: "timeout" };
     if (submitPending) {
-      return Promise.resolve(ctx.errored(errors8.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+      return Promise.resolve(ctx.errored(errors9.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
     }
     if (timeoutPending) {
       return timeoutPending;
@@ -7361,6 +7683,7 @@ function pciInteractionState(ctx, body, stimulus, interaction) {
     body,
     stimulus,
     interaction,
+    feedback,
     pciId,
     properties,
     submit,
@@ -7370,8 +7693,8 @@ function pciInteractionState(ctx, body, stimulus, interaction) {
 }
 
 // src/client/text-entry-state.ts
-import * as errors9 from "@superbuilders/errors";
-function textEntryState(ctx, body, stimulus, interaction) {
+import * as errors10 from "@superbuilders/errors";
+function textEntryState(ctx, body, stimulus, interaction, feedback) {
   let submitPending;
   let submitKey;
   let timeoutPending;
@@ -7379,18 +7702,18 @@ function textEntryState(ctx, body, stimulus, interaction) {
     const submission = { type: "text-entry", value };
     const key = JSON.stringify(submission);
     if (timeoutPending) {
-      return Promise.resolve(ctx.errored(errors9.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors10.wrap(ErrConflict, "cannot submit while timeout is in flight"), "interaction", { kind: "interaction", submission }));
     }
     if (submitPending) {
       if (submitKey === key) {
         return submitPending;
       }
-      return Promise.resolve(ctx.errored(errors9.wrap(ErrConflict, "cannot submit a different text payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors10.wrap(ErrConflict, "cannot submit a different text payload while submit is in flight"), "interaction", { kind: "interaction", submission }));
     }
     const validation = validateSubmissionForInteraction(interaction, submission);
     if (!validation.ok) {
       ctx.logger.error({ value, issues: validation.issues }, "text-entry submit invalid");
-      return Promise.resolve(ctx.errored(errors9.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
+      return Promise.resolve(ctx.errored(errors10.wrap(ErrInvalidSubmission, submissionValidationMessage(validation)), "interaction", { kind: "interaction", submission }));
     }
     submitKey = key;
     submitPending = ctx.execute({ kind: "interaction", submission }, "interaction").finally(function clearPending() {
@@ -7402,7 +7725,7 @@ function textEntryState(ctx, body, stimulus, interaction) {
   function timeout() {
     const intent = { kind: "timeout" };
     if (submitPending) {
-      return Promise.resolve(ctx.errored(errors9.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
+      return Promise.resolve(ctx.errored(errors10.wrap(ErrConflict, "cannot timeout while submission is in flight"), "timeout", intent));
     }
     if (timeoutPending) {
       return timeoutPending;
@@ -7418,6 +7741,7 @@ function textEntryState(ctx, body, stimulus, interaction) {
     body,
     stimulus,
     interaction,
+    feedback,
     submitText,
     timeout,
     toJSON: poisonToJSON
@@ -7436,571 +7760,386 @@ var FATAL_SENTINELS = [
 ];
 function isFatalError(err) {
   for (const sentinel of FATAL_SENTINELS) {
-    if (errors10.is(err, sentinel)) {
+    if (errors11.is(err, sentinel)) {
       return true;
     }
   }
   return false;
 }
 function isRetriableError(err) {
-  return !errors10.is(err, ErrInvalidSubmission);
+  return !errors11.is(err, ErrInvalidSubmission);
 }
 function makeSession(sc) {
   const logger = sc.logger;
   function resolve(result) {
     switch (result.outcome) {
       case "advanced":
-        return fromAdvanced(result.frame.body, result.frame.stimulus, result.frame.interaction);
+        return fromAdvanced(result.frame.body, result.frame.stimulus, result.frame.interaction, result.frame.feedback);
       case "submitted": {
         const interaction = result.frame.interaction;
         if (interaction === null) {
           logger.error("submitted result without interaction");
-          return {
-            phase: "fatal",
-            error: errors10.wrap(ErrBadRequest, "submitted result missing interaction"),
-            retriable: false,
-            toJSON: poisonToJSON
-          };
-        }
-        return feedbackState(ctx, result.frame.body, result.frame.stimulus, interaction, result.submission, result.isCorrect, result.feedbackContent, result.review);
-      }
-      case "completed":
-        return { phase: "completed", toJSON: poisonToJSON };
-    }
-  }
-  function errored(error, failedPhase, intent) {
-    let pending;
-    const retriable = isRetriableError(error);
-    if (!retriable) {
-      return {
-        phase: "errored",
-        error,
-        retriable: false,
-        toJSON: poisonToJSON
-      };
-    }
-    const state = {
-      phase: "errored",
-      error,
-      retriable: true,
-      retry: function retry() {
-        if (pending) {
-          return pending;
-        }
-        logger.debug({ failedPhase }, "retrying from errored state");
-        pending = execute(intent, failedPhase);
-        return pending;
-      },
-      toJSON: poisonToJSON
-    };
-    return state;
-  }
-  async function execute(intent, phase) {
-    logger.debug({
-      phase,
-      intentKind: intent.kind,
-      subject: sc.subject
-    }, "session execute");
-    const body = {
-      subject: sc.subject,
-      intent
-    };
-    const result = await sc.transport(body);
-    if (!result.ok) {
-      if ((errors10.is(result.error, ErrTokenExpired) || errors10.is(result.error, ErrInvalidAccessToken)) && sc.reauthenticate !== null) {
-        logger.warn({ phase, intentKind: intent.kind }, "session token rejected");
-        return sc.reauthenticate(result.error);
-      }
-      if (isFatalError(result.error)) {
-        logger.error({
-          error: result.error,
-          phase,
-          intentKind: intent.kind
-        }, "fatal transport error");
-        return {
-          phase: "fatal",
-          error: result.error,
-          retriable: false,
-          toJSON: poisonToJSON
-        };
-      }
-      logger.warn({
-        error: result.error,
-        phase,
-        intentKind: intent.kind
-      }, "retriable transport error");
-      return errored(result.error, phase, intent);
-    }
-    const next = resolve(result.data);
-    logger.debug({
-      phase,
-      intentKind: intent.kind,
-      outcome: result.data.outcome,
-      nextPhase: next.phase
-    }, "session execute resolved");
-    return next;
-  }
-  function isPciSupported(pciId) {
-    for (const id of sc.supportedPcis) {
-      if (id === pciId) {
-        return true;
-      }
-    }
-    return false;
-  }
-  function fromAdvanced(body, stimulus, interaction) {
-    if (interaction === null) {
-      return observationState(ctx, body, stimulus);
-    }
-    if (interaction.type === "portable-custom") {
-      if (!isPciSupported(interaction.pciId)) {
-        logger.error({ pciId: interaction.pciId }, "unsupported pci in frame");
-        return {
-          phase: "fatal",
-          error: errors10.wrap(ErrUnsupportedPci, `pci '${interaction.pciId}'`),
-          retriable: false,
-          toJSON: poisonToJSON
-        };
-      }
-    }
-    return pendingInteractionState(body, stimulus, interaction);
-  }
-  function pendingInteractionState(body, stimulus, interaction) {
-    switch (interaction.type) {
-      case "choice":
-        return choiceState(ctx, body, stimulus, interaction, interaction.options, interaction.maxChoices, interaction.minChoices);
-      case "text-entry":
-        return textEntryState(ctx, body, stimulus, interaction);
-      case "extended-text":
-        return extendedTextState(ctx, body, stimulus, interaction);
-      case "order":
-        return orderState(ctx, body, stimulus, interaction);
-      case "match":
-        return matchState(ctx, body, stimulus, interaction);
-      case "portable-custom":
-        return pciInteractionState(ctx, body, stimulus, interaction);
-    }
-  }
-  const ctx = { logger, execute, errored };
-  return { execute };
-}
-
-// src/client/auth/provider.ts
-import * as errors12 from "@superbuilders/errors";
-
-// src/client/auth/browser.ts
-var POPUP_TARGET = "primer-auth";
-var POPUP_FEATURES = "popup,width=480,height=720";
-function currentUrl(logger) {
-  if (typeof globalThis.location === "undefined") {
-    logger.error("auth location unavailable");
-    throw ErrAuthUnavailable;
-  }
-  return new URL(globalThis.location.href);
-}
-function redirectUri(url) {
-  return `${url.origin}${url.pathname}${url.search}`;
-}
-function randomClientState(logger) {
-  if (typeof globalThis.crypto === "undefined") {
-    logger.error("auth crypto unavailable");
-    throw ErrAuthUnavailable;
-  }
-  const bytes = new Uint8Array(24);
-  globalThis.crypto.getRandomValues(bytes);
-  let result = "";
-  for (const byte of bytes) {
-    result += byte.toString(16).padStart(2, "0");
-  }
-  return result;
-}
-function openAuthPopup(url, logger) {
-  if (typeof globalThis.open === "undefined") {
-    logger.error("auth popup api unavailable");
-    throw ErrAuthUnavailable;
-  }
-  const popup = globalThis.open(url, POPUP_TARGET, POPUP_FEATURES);
-  if (popup === null) {
-    logger.error("auth popup blocked");
-    throw ErrAuthPopupBlocked;
-  }
-  return popup;
-}
-
-// src/client/auth/hosted-popup.ts
-var DEFAULT_POPUP_TIMEOUT_MS = 10 * 60 * 1000;
-var POPUP_POLL_MS = 250;
-var AUTH_MESSAGE_TYPE = "primer-tives.auth.result.v1";
-function hostedAuthUrl(config) {
-  const logger = config.logger;
-  if (!URL.canParse(config.origin)) {
-    logger.error({ origin: config.origin }, "hosted auth origin invalid");
-    throw ErrAuthConfigInvalid;
-  }
-  const authUrl = new URL("/api/auth/timeback/start", config.origin);
-  authUrl.searchParams.set("publishableKey", config.publishableKey);
-  authUrl.searchParams.set("redirectUri", redirectUri(config.currentUrl));
-  authUrl.searchParams.set("state", config.clientState);
-  return authUrl.toString();
-}
-function isRecord(value) {
-  return typeof value === "object" && value !== null;
-}
-function stringField(value, key) {
-  const field = value[key];
-  if (typeof field !== "string" || field.length === 0) {
-    return null;
-  }
-  return field;
-}
-function readPopupMessage(event, popup, config, expectedOrigin) {
-  if (event.source !== popup) {
-    return { kind: "ignore" };
-  }
-  if (event.origin !== expectedOrigin) {
-    return { kind: "ignore" };
-  }
-  const data = event.data;
-  if (!isRecord(data)) {
-    return { kind: "ignore" };
-  }
-  const messageType = stringField(data, "type");
-  if (messageType !== AUTH_MESSAGE_TYPE) {
-    return { kind: "ignore" };
-  }
-  const state = stringField(data, "state");
-  if (state === null) {
-    return { kind: "error", error: ErrAuthCallbackInvalid };
-  }
-  if (state !== config.clientState) {
-    return { kind: "error", error: ErrAuthStateMismatch };
-  }
-  const status = stringField(data, "status");
-  if (status === "error") {
-    return { kind: "error", error: ErrAuthCallbackInvalid };
-  }
-  if (status !== "success") {
-    return { kind: "error", error: ErrAuthCallbackInvalid };
-  }
-  const accessToken = stringField(data, "accessToken");
-  if (accessToken === null) {
-    return { kind: "error", error: ErrAuthCallbackInvalid };
-  }
-  return { kind: "success", accessToken };
-}
-async function waitForPopupMessage(popup, config, expectedOrigin) {
-  let __stack = [];
-  try {
-    const logger = config.logger;
-    const stack = __using(__stack, new AsyncDisposableStack, 1);
-    stack.defer(function closePopup() {
-      popup.close();
-    });
-    const result = await new Promise(function waitForMessage(resolve, reject) {
-      let settled = false;
-      function finishWithError(error) {
-        if (settled) {
-          return;
-        }
-        settled = true;
-        reject(error);
-      }
-      function finishWithToken(token) {
-        if (settled) {
-          return;
-        }
-        settled = true;
-        logger.debug("hosted auth popup completed");
-        resolve(token);
-      }
-      const timeoutId = globalThis.setTimeout(function timeout() {
-        logger.error("hosted auth popup timed out");
-        finishWithError(ErrAuthCancelled);
-      }, DEFAULT_POPUP_TIMEOUT_MS);
-      stack.defer(function clearPopupTimeout() {
-        globalThis.clearTimeout(timeoutId);
-      });
-      const closedPollId = globalThis.setInterval(function checkClosed() {
-        if (!popup.closed) {
-          return;
+          return {
+            phase: "fatal",
+            error: errors11.wrap(ErrBadRequest, "submitted result missing interaction"),
+            retriable: false,
+            toJSON: poisonToJSON
+          };
         }
-        logger.error("hosted auth popup closed");
-        finishWithError(ErrAuthCancelled);
-      }, POPUP_POLL_MS);
-      stack.defer(function clearClosedPoll() {
-        globalThis.clearInterval(closedPollId);
-      });
-      function handleMessage(event) {
-        const result2 = readPopupMessage(event, popup, config, expectedOrigin);
-        if (result2.kind === "ignore") {
-          return;
+        if (result.assessmentOutcome.value === "revisionRequested") {
+          const feedback = {
+            assessmentOutcome: result.assessmentOutcome,
+            feedbackContent: result.feedbackContent
+          };
+          return fromAdvanced(result.frame.body, result.frame.stimulus, interaction, feedback);
         }
-        if (result2.kind === "error") {
-          logger.error({ error: result2.error }, "hosted auth popup failed");
-          finishWithError(result2.error);
-          return;
+        return submittedFeedbackState(ctx, result.frame.body, result.frame.stimulus, interaction, result.submission, result.assessmentOutcome, result.feedbackContent, result.review);
+      }
+      case "timedOut": {
+        const interaction = result.frame.interaction;
+        if (interaction === null) {
+          logger.error("timed out result without interaction");
+          return {
+            phase: "fatal",
+            error: errors11.wrap(ErrBadRequest, "timed out result missing interaction"),
+            retriable: false,
+            toJSON: poisonToJSON
+          };
         }
-        finishWithToken(result2.accessToken);
+        return timedOutFeedbackState(ctx, result.frame.body, result.frame.stimulus, interaction, result.feedbackContent);
       }
-      globalThis.addEventListener("message", handleMessage);
-      stack.defer(function removeMessageListener() {
-        globalThis.removeEventListener("message", handleMessage);
-      });
-    });
-    return result;
-  } catch (_catch) {
-    var _err = _catch, _hasErr = 1;
-  } finally {
-    var _promise = __callDispose(__stack, _err, _hasErr);
-    _promise && await _promise;
+      case "completed":
+        return { phase: "completed", toJSON: poisonToJSON };
+    }
   }
-}
-async function beginHostedPopup(config) {
-  const logger = config.logger;
-  const url = hostedAuthUrl(config);
-  if (!URL.canParse(config.origin)) {
-    logger.error({ origin: config.origin }, "hosted auth origin invalid");
-    throw ErrAuthConfigInvalid;
+  function errored(error, failedPhase, intent) {
+    let pending;
+    const retriable = isRetriableError(error);
+    if (!retriable) {
+      return {
+        phase: "errored",
+        error,
+        retriable: false,
+        toJSON: poisonToJSON
+      };
+    }
+    const state = {
+      phase: "errored",
+      error,
+      retriable: true,
+      retry: function retry() {
+        if (pending) {
+          return pending;
+        }
+        logger.debug({ failedPhase }, "retrying from errored state");
+        pending = execute(intent, failedPhase);
+        return pending;
+      },
+      toJSON: poisonToJSON
+    };
+    return state;
   }
-  const expectedOrigin = new URL(config.origin).origin;
-  const popup = openAuthPopup(url, logger);
-  return waitForPopupMessage(popup, config, expectedOrigin);
-}
-
-// src/client/auth/access-token.ts
-import * as errors11 from "@superbuilders/errors";
-var ACCESS_TOKEN_PREFIX = "eyJ";
-var TOKEN_EXPIRY_SKEW_MS = 60000;
-var resolvedAccessTokenBrand = Symbol("primer resolved access token");
-function isMalformedJws(token) {
-  if (!token.startsWith(ACCESS_TOKEN_PREFIX)) {
-    return true;
+  async function execute(intent, phase) {
+    logger.debug({
+      phase,
+      intentKind: intent.kind,
+      subject: sc.subject
+    }, "session execute");
+    const body = {
+      subject: sc.subject,
+      intent
+    };
+    const result = await sc.transport(body);
+    if (!result.ok) {
+      if ((errors11.is(result.error, ErrTokenExpired) || errors11.is(result.error, ErrInvalidAccessToken)) && sc.reauthenticate !== null) {
+        logger.warn({ phase, intentKind: intent.kind }, "session token rejected");
+        return sc.reauthenticate(result.error);
+      }
+      if (isFatalError(result.error)) {
+        logger.error({
+          error: result.error,
+          phase,
+          intentKind: intent.kind
+        }, "fatal transport error");
+        return {
+          phase: "fatal",
+          error: result.error,
+          retriable: false,
+          toJSON: poisonToJSON
+        };
+      }
+      logger.warn({
+        error: result.error,
+        phase,
+        intentKind: intent.kind
+      }, "retriable transport error");
+      return errored(result.error, phase, intent);
+    }
+    const next = resolve(result.data);
+    logger.debug({
+      phase,
+      intentKind: intent.kind,
+      outcome: result.data.outcome,
+      nextPhase: next.phase
+    }, "session execute resolved");
+    return next;
   }
-  const dotCount = token.split(".").length - 1;
-  return dotCount !== 2;
-}
-function paddedBase64(base64Url) {
-  const normalized = base64Url.replaceAll("-", "+").replaceAll("_", "/");
-  const remainder = normalized.length % 4;
-  if (remainder === 0) {
-    return normalized;
+  function isPciSupported(pciId) {
+    for (const id of sc.supportedPcis) {
+      if (id === pciId) {
+        return true;
+      }
+    }
+    return false;
   }
-  if (remainder === 2) {
-    return `${normalized}==`;
+  function fromAdvanced(body, stimulus, interaction, feedback) {
+    if (interaction === null) {
+      return observationState(ctx, body, stimulus);
+    }
+    if (interaction.type === "portable-custom") {
+      if (!isPciSupported(interaction.pciId)) {
+        logger.error({ pciId: interaction.pciId }, "unsupported pci in frame");
+        return {
+          phase: "fatal",
+          error: errors11.wrap(ErrUnsupportedPci, `pci '${interaction.pciId}'`),
+          retriable: false,
+          toJSON: poisonToJSON
+        };
+      }
+    }
+    return pendingInteractionState(body, stimulus, interaction, feedback);
   }
-  if (remainder === 3) {
-    return `${normalized}=`;
+  function extendedTextInteractionState(body, stimulus, interaction, feedback) {
+    if (!("cardinality" in interaction)) {
+      logger.error("extended-text interaction is unsupported");
+      return {
+        phase: "fatal",
+        error: errors11.wrap(ErrBadRequest, "extended-text interaction unsupported"),
+        retriable: false,
+        toJSON: poisonToJSON
+      };
+    }
+    const extendedInteraction = interaction;
+    return extendedTextState(ctx, body, stimulus, extendedInteraction, feedback);
+  }
+  function pendingInteractionState(body, stimulus, interaction, feedback) {
+    switch (interaction.type) {
+      case "choice":
+        return choiceState(ctx, body, stimulus, interaction, interaction.options, interaction.maxChoices, interaction.minChoices, feedback);
+      case "text-entry":
+        return textEntryState(ctx, body, stimulus, interaction, feedback);
+      case "extended-text":
+        return extendedTextInteractionState(body, stimulus, interaction, feedback);
+      case "order":
+        return orderState(ctx, body, stimulus, interaction, feedback);
+      case "match":
+        return matchState(ctx, body, stimulus, interaction, feedback);
+      case "portable-custom":
+        return pciInteractionState(ctx, body, stimulus, interaction, feedback);
+    }
   }
-  throw errors11.wrap(ErrMalformedAccessToken, "payload base64");
+  const ctx = { logger, execute, errored };
+  return { execute };
 }
-function decodeBase64UrlJson(segment) {
-  const decoded = errors11.trySync(function decodePayload() {
-    const json = globalThis.atob(paddedBase64(segment));
-    return JSON.parse(json);
-  });
-  if (decoded.error) {
-    throw errors11.wrap(ErrMalformedAccessToken, "payload decode");
+
+// src/client/transport.ts
+import * as errors12 from "@superbuilders/errors";
+
+// src/version.ts
+var SDK_VERSION = "5.0.0";
+var NPM_PACKAGE_URL = "https://www.npmjs.com/package/@superbuilders/primer-tives";
+
+// src/client/transport.ts
+var ADVANCE_PATH = "/api/v0/advance";
+function readStringField(value, key) {
+  if (!(key in value)) {
+    return;
   }
-  return decoded.data;
+  const v = Reflect.get(value, key);
+  if (typeof v !== "string") {
+    return;
+  }
+  return v;
 }
-function numericClaim(payload, claim) {
-  if (typeof payload !== "object" || payload === null) {
+function parseAdvanceErrorBody(body) {
+  if (body.length === 0) {
     return null;
   }
-  const value = Reflect.get(payload, claim);
-  if (typeof value !== "number" || !Number.isFinite(value)) {
+  const parsed = errors12.trySync(function parseJson() {
+    return JSON.parse(body);
+  });
+  if (parsed.error) {
     return null;
   }
-  return value;
-}
-function validateAccessTokenTimestamp(token, logger) {
-  const segments = token.split(".");
-  const payloadSegment = segments[1];
-  if (payloadSegment === undefined || payloadSegment.length === 0) {
-    logger.error("access token payload missing");
-    throw errors11.wrap(ErrMalformedAccessToken, "payload missing");
-  }
-  const payload = decodeBase64UrlJson(payloadSegment);
-  const exp = numericClaim(payload, "exp");
-  if (exp === null) {
-    logger.error("access token exp missing");
-    throw errors11.wrap(ErrMalformedAccessToken, "exp missing");
+  const raw = parsed.data;
+  if (typeof raw !== "object" || raw === null) {
+    return null;
   }
-  const expiresAtMs = exp * 1000;
-  if (expiresAtMs <= Date.now() + TOKEN_EXPIRY_SKEW_MS) {
-    logger.error("access token expired");
-    throw ErrTokenExpired;
+  const result = {};
+  const error = readStringField(raw, "error");
+  if (error !== undefined) {
+    result.error = error;
   }
-}
-function resolveAccessToken(token, logger) {
-  if (isMalformedJws(token)) {
-    logger.error({ prefix: ACCESS_TOKEN_PREFIX }, "malformed access token");
-    throw errors11.wrap(ErrMalformedAccessToken, `token must start with '${ACCESS_TOKEN_PREFIX}' and contain two dots`);
+  const detail = readStringField(raw, "detail");
+  if (detail !== undefined) {
+    result.detail = detail;
   }
-  validateAccessTokenTimestamp(token, logger);
-  return { value: token, [resolvedAccessTokenBrand]: true };
-}
-
-// src/client/auth/storage.ts
-var MANAGED_AUTH_ACCESS_TOKEN_KEY_PREFIX = "primer:access-token";
-function managedAuthAccessTokenStorageKey(publishableKey) {
-  return `${MANAGED_AUTH_ACCESS_TOKEN_KEY_PREFIX}:${publishableKey}`;
-}
-function managedAuthStorage(logger) {
-  if (typeof globalThis.sessionStorage === "undefined") {
-    logger.error("managed auth storage unavailable");
-    throw ErrAuthUnavailable;
+  const minimumSdkVersion = readStringField(raw, "minimumSdkVersion");
+  if (minimumSdkVersion !== undefined) {
+    result.minimumSdkVersion = minimumSdkVersion;
   }
-  return globalThis.sessionStorage;
-}
-function loadManagedAuthAccessToken(storage, publishableKey) {
-  const token = storage.getItem(managedAuthAccessTokenStorageKey(publishableKey));
-  if (token === null || token.length === 0) {
-    return null;
+  const receivedSdkVersion = readStringField(raw, "receivedSdkVersion");
+  if (receivedSdkVersion !== undefined) {
+    result.receivedSdkVersion = receivedSdkVersion;
   }
-  return token;
-}
-function storeManagedAuthAccessToken(storage, publishableKey, accessToken) {
-  storage.setItem(managedAuthAccessTokenStorageKey(publishableKey), accessToken);
-}
-function clearManagedAuthAccessToken(storage, publishableKey) {
-  storage.removeItem(managedAuthAccessTokenStorageKey(publishableKey));
-}
-
-// src/client/auth/provider.ts
-function resolveProvidedAccessToken(token, logger) {
-  const result = errors12.trySync(function resolveProvidedToken() {
-    return resolveAccessToken(token, logger);
-  });
-  if (result.error) {
-    return { kind: "fatal", error: result.error };
+  const upgradeUrl = readStringField(raw, "upgradeUrl");
+  if (upgradeUrl !== undefined) {
+    result.upgradeUrl = upgradeUrl;
   }
-  return { kind: "resolved", accessToken: result.data };
+  return result;
 }
-function resolveHostedAccessToken(token, storage, options) {
-  const result = errors12.trySync(function resolveHostedToken() {
-    return resolveAccessToken(token, options.logger);
-  });
-  if (result.error) {
-    return { kind: "sign-in-failed", error: result.error };
+function httpSentinel(status, body) {
+  if (status === 400) {
+    const parsed = parseAdvanceErrorBody(body);
+    if (parsed?.error === "sdk_upgrade_required") {
+      return ErrSdkUpgradeRequired;
+    }
+    return ErrBadRequest;
   }
-  storeManagedAuthAccessToken(storage, options.publishableKey, token);
-  return {
-    kind: "resolved",
-    accessToken: result.data,
-    clearCachedAccessToken: function clearCachedAccessToken() {
-      clearManagedAuthAccessToken(storage, options.publishableKey);
+  if (status === 401) {
+    const parsed = parseAdvanceErrorBody(body);
+    if (parsed?.detail === "token_expired") {
+      return ErrTokenExpired;
     }
-  };
-}
-function resolveStoredAccessToken(storage, options) {
-  const stored = loadManagedAuthAccessToken(storage, options.publishableKey);
-  if (stored === null) {
-    return { kind: "missing" };
+    return ErrInvalidAccessToken;
   }
-  const result = errors12.trySync(function resolveStoredToken() {
-    return resolveAccessToken(stored, options.logger);
-  });
-  if (result.error) {
-    clearManagedAuthAccessToken(storage, options.publishableKey);
-    return { kind: "missing" };
+  if (status === 403) {
+    return ErrForbidden;
   }
-  return {
-    kind: "resolved",
-    accessToken: result.data,
-    clearCachedAccessToken: function clearCachedAccessToken() {
-      clearManagedAuthAccessToken(storage, options.publishableKey);
-    }
-  };
-}
-function resolveExistingAccessToken(options) {
-  if (options.accessToken !== undefined) {
-    return resolveProvidedAccessToken(options.accessToken, options.logger);
+  if (status === 404) {
+    return ErrNotFound;
   }
-  const storageResult = errors12.trySync(function readManagedAuthStorage() {
-    return managedAuthStorage(options.logger);
-  });
-  if (storageResult.error) {
-    return { kind: "auth-unavailable", error: storageResult.error };
+  if (status === 409) {
+    return ErrConflict;
   }
-  return resolveStoredAccessToken(storageResult.data, options);
-}
-function authFailureResult(error) {
-  if (errors12.is(error, ErrAuthConfigInvalid)) {
-    return { kind: "auth-config-invalid", error };
+  if (status === 429) {
+    return ErrRateLimited;
   }
-  if (errors12.is(error, ErrAuthUnavailable)) {
-    return { kind: "auth-unavailable", error };
+  if (status === 502 || status === 503 || status === 504) {
+    return ErrServiceUnavailable;
   }
-  return { kind: "sign-in-failed", error };
+  return ErrServerError;
 }
-async function beginHostedLogin(options) {
-  const logger = options.logger;
-  const contextResult = errors12.trySync(function readContext() {
-    const storage = managedAuthStorage(logger);
-    const url = currentUrl(logger);
-    const clientState = randomClientState(logger);
-    return { storage, url, clientState };
-  });
-  if (contextResult.error) {
-    return authFailureResult(contextResult.error);
+function buildSdkUpgradeRequiredError(sentinel, text, logger) {
+  const parsed = parseAdvanceErrorBody(text);
+  if (parsed === null) {
+    logger.error({
+      receivedSdkVersion: null,
+      minimumSdkVersion: "<unknown>",
+      upgradeUrl: NPM_PACKAGE_URL
+    }, "sdk upgrade required");
+    const message2 = `<missing> < <unknown>; bump @superbuilders/primer-tives at ${NPM_PACKAGE_URL}`;
+    return errors12.wrap(sentinel, message2);
   }
-  const context = contextResult.data;
-  const accessTokenResult = await errors12.try(beginHostedPopup({
-    origin: options.origin,
-    publishableKey: options.publishableKey,
-    currentUrl: context.url,
-    clientState: context.clientState,
-    logger
-  }));
-  if (accessTokenResult.error) {
-    return authFailureResult(accessTokenResult.error);
+  const minimumSdkVersion = parsed.minimumSdkVersion === undefined ? "<unknown>" : parsed.minimumSdkVersion;
+  const receivedSdkVersion = parsed.receivedSdkVersion === undefined ? null : parsed.receivedSdkVersion;
+  const receivedDisplay = receivedSdkVersion === null ? "<missing>" : receivedSdkVersion;
+  const upgradeUrl = parsed.upgradeUrl === undefined ? NPM_PACKAGE_URL : parsed.upgradeUrl;
+  logger.error({
+    receivedSdkVersion,
+    minimumSdkVersion,
+    upgradeUrl
+  }, "sdk upgrade required");
+  const message = `${receivedDisplay} < ${minimumSdkVersion}; bump @superbuilders/primer-tives at ${upgradeUrl}`;
+  return errors12.wrap(sentinel, message);
+}
+function isAbortError(err) {
+  if (err instanceof DOMException && err.name === "AbortError") {
+    return true;
   }
-  return resolveHostedAccessToken(accessTokenResult.data, context.storage, options);
+  if (err instanceof DOMException && err.name === "TimeoutError") {
+    return true;
+  }
+  return false;
 }
-
-// src/client/auth-state.ts
-function pendingLogin(config) {
-  let pending;
-  function login() {
-    if (pending !== undefined) {
-      return pending;
+function createTransport(tc) {
+  const fetchFn = tc.fetch ? tc.fetch : globalThis.fetch;
+  const logger = tc.logger;
+  const advanceUrl = new URL(ADVANCE_PATH, tc.origin).toString();
+  function transportSignal() {
+    if (tc.abort) {
+      return tc.abort.signal;
     }
-    pending = config.login().finally(function clearPending() {
-      pending = undefined;
+    return;
+  }
+  async function transport(body) {
+    logger.debug({
+      intentKind: body.intent.kind,
+      subject: body.subject
+    }, "transport request");
+    const fetchResult = await fetchFn(advanceUrl, {
+      method: "POST",
+      mode: "cors",
+      credentials: "omit",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${tc.accessToken.value}`,
+        "X-Primer-Publishable-Key": tc.publishableKey,
+        "X-Primer-SDK-Version": SDK_VERSION
+      },
+      body: JSON.stringify(body),
+      signal: transportSignal()
+    }).then(function ok(r) {
+      return { ok: true, response: r };
+    }, function fail(err) {
+      return { ok: false, error: err };
     });
-    return pending;
+    if (!fetchResult.ok) {
+      if (isAbortError(fetchResult.error)) {
+        logger.error({
+          intentKind: body.intent.kind
+        }, "transport timeout");
+        return { ok: false, error: errors12.wrap(ErrTimeout, fetchResult.error.message) };
+      }
+      logger.error({
+        error: fetchResult.error
+      }, "transport network error");
+      return { ok: false, error: errors12.wrap(ErrNetwork, fetchResult.error.message) };
+    }
+    const res = fetchResult.response;
+    if (!res.ok) {
+      const text = await res.text().catch(function fallback() {
+        return "";
+      });
+      const sentinel = httpSentinel(res.status, text);
+      if (errors12.is(sentinel, ErrSdkUpgradeRequired)) {
+        return { ok: false, error: buildSdkUpgradeRequiredError(sentinel, text, logger) };
+      }
+      logger.error({
+        status: res.status,
+        body: text,
+        intentKind: body.intent.kind,
+        subject: body.subject
+      }, "transport http error");
+      return { ok: false, error: errors12.wrap(sentinel, text) };
+    }
+    const jsonResult = await res.json().then(function ok(data) {
+      return { ok: true, data };
+    }, function fail(err) {
+      return { ok: false, error: err };
+    });
+    if (!jsonResult.ok) {
+      logger.error({
+        error: jsonResult.error
+      }, "transport json parse failed");
+      return { ok: false, error: errors12.wrap(ErrJsonParse, jsonResult.error.message) };
+    }
+    logger.debug({
+      intentKind: body.intent.kind
+    }, "transport success");
+    return { ok: true, data: jsonResult.data };
   }
-  return login;
-}
-function signInRequiredState(config) {
-  return {
-    phase: "sign-in-required",
-    login: pendingLogin(config),
-    toJSON: poisonToJSON
-  };
-}
-function signInFailedState(config) {
-  return {
-    phase: "sign-in-failed",
-    error: config.error,
-    login: pendingLogin(config),
-    toJSON: poisonToJSON
-  };
-}
-function authUnavailableState(error) {
-  return {
-    phase: "auth-unavailable",
-    error,
-    toJSON: poisonToJSON
-  };
-}
-function authConfigInvalidState(error) {
-  return {
-    phase: "auth-config-invalid",
-    error,
-    toJSON: poisonToJSON
-  };
+  return transport;
 }
 
 // src/client/start.ts
@@ -8023,6 +8162,12 @@ function primerOrigin(origin) {
   }
   return DEFAULT_PRIMER_ORIGIN;
 }
+function primerAuthOrigin(authOrigin, origin) {
+  if (authOrigin !== undefined) {
+    return authOrigin;
+  }
+  return origin;
+}
 async function startRuntime(config, resolved) {
   let reauthenticate = null;
   if (resolved.clearCachedAccessToken !== undefined) {
@@ -8066,7 +8211,7 @@ function makeSignInFailedState(config, error) {
 }
 async function loginAndStart(config) {
   const result = await beginHostedLogin({
-    origin: config.origin,
+    origin: config.authOrigin,
     publishableKey: config.publishableKey,
     logger: config.logger
   });
@@ -8091,6 +8236,7 @@ async function start(options) {
   const config = {
     publishableKey: options.publishableKey,
     origin,
+    authOrigin: primerAuthOrigin(options.authOrigin, origin),
     fetch: options.fetch,
     abort: options.abort,
     logger,
@@ -8123,4 +8269,4 @@ export {
   start
 };
 
-//# debugId=D2887B68B961EF6364756E2164756E21
+//# debugId=9849F045A465657964756E2164756E21