@sylphx/sdk 0.0.1

package/dist/server/index.mjs

@@ -0,0 +1,2660 @@
+// ../../node_modules/jose/dist/webapi/lib/buffer_utils.js
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+var MAX_INT32 = 2 ** 32;
+function concat(...buffers) {
+  const size = buffers.reduce((acc, { length }) => acc + length, 0);
+  const buf = new Uint8Array(size);
+  let i = 0;
+  for (const buffer of buffers) {
+    buf.set(buffer, i);
+    i += buffer.length;
+  }
+  return buf;
+}
+function encode(string) {
+  const bytes = new Uint8Array(string.length);
+  for (let i = 0; i < string.length; i++) {
+    const code = string.charCodeAt(i);
+    if (code > 127) {
+      throw new TypeError("non-ASCII string encountered in encode()");
+    }
+    bytes[i] = code;
+  }
+  return bytes;
+}
+
+// ../../node_modules/jose/dist/webapi/lib/base64.js
+function decodeBase64(encoded) {
+  if (Uint8Array.fromBase64) {
+    return Uint8Array.fromBase64(encoded);
+  }
+  const binary = atob(encoded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+
+// ../../node_modules/jose/dist/webapi/util/base64url.js
+function decode(input) {
+  if (Uint8Array.fromBase64) {
+    return Uint8Array.fromBase64(typeof input === "string" ? input : decoder.decode(input), {
+      alphabet: "base64url"
+    });
+  }
+  let encoded = input;
+  if (encoded instanceof Uint8Array) {
+    encoded = decoder.decode(encoded);
+  }
+  encoded = encoded.replace(/-/g, "+").replace(/_/g, "/");
+  try {
+    return decodeBase64(encoded);
+  } catch {
+    throw new TypeError("The input to be decoded is not correctly encoded.");
+  }
+}
+
+// ../../node_modules/jose/dist/webapi/util/errors.js
+var JOSEError = class extends Error {
+  static code = "ERR_JOSE_GENERIC";
+  code = "ERR_JOSE_GENERIC";
+  constructor(message2, options) {
+    super(message2, options);
+    this.name = this.constructor.name;
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+};
+var JWTClaimValidationFailed = class extends JOSEError {
+  static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+  code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+  claim;
+  reason;
+  payload;
+  constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
+    super(message2, { cause: { claim, reason, payload } });
+    this.claim = claim;
+    this.reason = reason;
+    this.payload = payload;
+  }
+};
+var JWTExpired = class extends JOSEError {
+  static code = "ERR_JWT_EXPIRED";
+  code = "ERR_JWT_EXPIRED";
+  claim;
+  reason;
+  payload;
+  constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
+    super(message2, { cause: { claim, reason, payload } });
+    this.claim = claim;
+    this.reason = reason;
+    this.payload = payload;
+  }
+};
+var JOSEAlgNotAllowed = class extends JOSEError {
+  static code = "ERR_JOSE_ALG_NOT_ALLOWED";
+  code = "ERR_JOSE_ALG_NOT_ALLOWED";
+};
+var JOSENotSupported = class extends JOSEError {
+  static code = "ERR_JOSE_NOT_SUPPORTED";
+  code = "ERR_JOSE_NOT_SUPPORTED";
+};
+var JWSInvalid = class extends JOSEError {
+  static code = "ERR_JWS_INVALID";
+  code = "ERR_JWS_INVALID";
+};
+var JWTInvalid = class extends JOSEError {
+  static code = "ERR_JWT_INVALID";
+  code = "ERR_JWT_INVALID";
+};
+var JWSSignatureVerificationFailed = class extends JOSEError {
+  static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+  code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+  constructor(message2 = "signature verification failed", options) {
+    super(message2, options);
+  }
+};
+
+// ../../node_modules/jose/dist/webapi/lib/crypto_key.js
+var unusable = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
+var isAlgorithm = (algorithm, name) => algorithm.name === name;
+function getHashLength(hash) {
+  return parseInt(hash.name.slice(4), 10);
+}
+function getNamedCurve(alg) {
+  switch (alg) {
+    case "ES256":
+      return "P-256";
+    case "ES384":
+      return "P-384";
+    case "ES512":
+      return "P-521";
+    default:
+      throw new Error("unreachable");
+  }
+}
+function checkUsage(key, usage) {
+  if (usage && !key.usages.includes(usage)) {
+    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
+  }
+}
+function checkSigCryptoKey(key, alg, usage) {
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!isAlgorithm(key.algorithm, "HMAC"))
+        throw unusable("HMAC");
+      const expected = parseInt(alg.slice(2), 10);
+      const actual = getHashLength(key.algorithm.hash);
+      if (actual !== expected)
+        throw unusable(`SHA-${expected}`, "algorithm.hash");
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw unusable("RSASSA-PKCS1-v1_5");
+      const expected = parseInt(alg.slice(2), 10);
+      const actual = getHashLength(key.algorithm.hash);
+      if (actual !== expected)
+        throw unusable(`SHA-${expected}`, "algorithm.hash");
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!isAlgorithm(key.algorithm, "RSA-PSS"))
+        throw unusable("RSA-PSS");
+      const expected = parseInt(alg.slice(2), 10);
+      const actual = getHashLength(key.algorithm.hash);
+      if (actual !== expected)
+        throw unusable(`SHA-${expected}`, "algorithm.hash");
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA": {
+      if (!isAlgorithm(key.algorithm, "Ed25519"))
+        throw unusable("Ed25519");
+      break;
+    }
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87": {
+      if (!isAlgorithm(key.algorithm, alg))
+        throw unusable(alg);
+      break;
+    }
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!isAlgorithm(key.algorithm, "ECDSA"))
+        throw unusable("ECDSA");
+      const expected = getNamedCurve(alg);
+      const actual = key.algorithm.namedCurve;
+      if (actual !== expected)
+        throw unusable(expected, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  checkUsage(key, usage);
+}
+
+// ../../node_modules/jose/dist/webapi/lib/invalid_key_input.js
+function message(msg, actual, ...types) {
+  types = types.filter(Boolean);
+  if (types.length > 2) {
+    const last = types.pop();
+    msg += `one of type ${types.join(", ")}, or ${last}.`;
+  } else if (types.length === 2) {
+    msg += `one of type ${types[0]} or ${types[1]}.`;
+  } else {
+    msg += `of type ${types[0]}.`;
+  }
+  if (actual == null) {
+    msg += ` Received ${actual}`;
+  } else if (typeof actual === "function" && actual.name) {
+    msg += ` Received function ${actual.name}`;
+  } else if (typeof actual === "object" && actual != null) {
+    if (actual.constructor?.name) {
+      msg += ` Received an instance of ${actual.constructor.name}`;
+    }
+  }
+  return msg;
+}
+var invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types);
+var withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
+
+// ../../node_modules/jose/dist/webapi/lib/is_key_like.js
+var isCryptoKey = (key) => {
+  if (key?.[Symbol.toStringTag] === "CryptoKey")
+    return true;
+  try {
+    return key instanceof CryptoKey;
+  } catch {
+    return false;
+  }
+};
+var isKeyObject = (key) => key?.[Symbol.toStringTag] === "KeyObject";
+var isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);
+
+// ../../node_modules/jose/dist/webapi/lib/is_disjoint.js
+function isDisjoint(...headers) {
+  const sources = headers.filter(Boolean);
+  if (sources.length === 0 || sources.length === 1) {
+    return true;
+  }
+  let acc;
+  for (const header of sources) {
+    const parameters = Object.keys(header);
+    if (!acc || acc.size === 0) {
+      acc = new Set(parameters);
+      continue;
+    }
+    for (const parameter of parameters) {
+      if (acc.has(parameter)) {
+        return false;
+      }
+      acc.add(parameter);
+    }
+  }
+  return true;
+}
+
+// ../../node_modules/jose/dist/webapi/lib/is_object.js
+var isObjectLike = (value) => typeof value === "object" && value !== null;
+function isObject(input) {
+  if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
+    return false;
+  }
+  if (Object.getPrototypeOf(input) === null) {
+    return true;
+  }
+  let proto = input;
+  while (Object.getPrototypeOf(proto) !== null) {
+    proto = Object.getPrototypeOf(proto);
+  }
+  return Object.getPrototypeOf(input) === proto;
+}
+
+// ../../node_modules/jose/dist/webapi/lib/check_key_length.js
+function checkKeyLength(alg, key) {
+  if (alg.startsWith("RS") || alg.startsWith("PS")) {
+    const { modulusLength } = key.algorithm;
+    if (typeof modulusLength !== "number" || modulusLength < 2048) {
+      throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
+    }
+  }
+}
+
+// ../../node_modules/jose/dist/webapi/lib/jwk_to_key.js
+function subtleMapping(jwk) {
+  let algorithm;
+  let keyUsages;
+  switch (jwk.kty) {
+    case "AKP": {
+      switch (jwk.alg) {
+        case "ML-DSA-44":
+        case "ML-DSA-65":
+        case "ML-DSA-87":
+          algorithm = { name: jwk.alg };
+          keyUsages = jwk.priv ? ["sign"] : ["verify"];
+          break;
+        default:
+          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "RSA": {
+      switch (jwk.alg) {
+        case "PS256":
+        case "PS384":
+        case "PS512":
+          algorithm = { name: "RSA-PSS", hash: `SHA-${jwk.alg.slice(-3)}` };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "RS256":
+        case "RS384":
+        case "RS512":
+          algorithm = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${jwk.alg.slice(-3)}` };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "RSA-OAEP":
+        case "RSA-OAEP-256":
+        case "RSA-OAEP-384":
+        case "RSA-OAEP-512":
+          algorithm = {
+            name: "RSA-OAEP",
+            hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`
+          };
+          keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
+          break;
+        default:
+          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "EC": {
+      switch (jwk.alg) {
+        case "ES256":
+          algorithm = { name: "ECDSA", namedCurve: "P-256" };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ES384":
+          algorithm = { name: "ECDSA", namedCurve: "P-384" };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ES512":
+          algorithm = { name: "ECDSA", namedCurve: "P-521" };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          algorithm = { name: "ECDH", namedCurve: jwk.crv };
+          keyUsages = jwk.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "OKP": {
+      switch (jwk.alg) {
+        case "Ed25519":
+        case "EdDSA":
+          algorithm = { name: "Ed25519" };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          algorithm = { name: jwk.crv };
+          keyUsages = jwk.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    default:
+      throw new JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
+  }
+  return { algorithm, keyUsages };
+}
+async function jwkToKey(jwk) {
+  if (!jwk.alg) {
+    throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
+  }
+  const { algorithm, keyUsages } = subtleMapping(jwk);
+  const keyData = { ...jwk };
+  if (keyData.kty !== "AKP") {
+    delete keyData.alg;
+  }
+  delete keyData.use;
+  return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
+}
+
+// ../../node_modules/jose/dist/webapi/key/import.js
+async function importJWK(jwk, alg, options) {
+  if (!isObject(jwk)) {
+    throw new TypeError("JWK must be an object");
+  }
+  let ext;
+  alg ??= jwk.alg;
+  ext ??= options?.extractable ?? jwk.ext;
+  switch (jwk.kty) {
+    case "oct":
+      if (typeof jwk.k !== "string" || !jwk.k) {
+        throw new TypeError('missing "k" (Key Value) Parameter value');
+      }
+      return decode(jwk.k);
+    case "RSA":
+      if ("oth" in jwk && jwk.oth !== void 0) {
+        throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+      }
+      return jwkToKey({ ...jwk, alg, ext });
+    case "AKP": {
+      if (typeof jwk.alg !== "string" || !jwk.alg) {
+        throw new TypeError('missing "alg" (Algorithm) Parameter value');
+      }
+      if (alg !== void 0 && alg !== jwk.alg) {
+        throw new TypeError("JWK alg and alg option value mismatch");
+      }
+      return jwkToKey({ ...jwk, ext });
+    }
+    case "EC":
+    case "OKP":
+      return jwkToKey({ ...jwk, alg, ext });
+    default:
+      throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
+  }
+}
+
+// ../../node_modules/jose/dist/webapi/lib/validate_crit.js
+function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+  if (joseHeader.crit !== void 0 && protectedHeader?.crit === void 0) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
+  }
+  if (!protectedHeader || protectedHeader.crit === void 0) {
+    return /* @__PURE__ */ new Set();
+  }
+  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  }
+  let recognized;
+  if (recognizedOption !== void 0) {
+    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+  } else {
+    recognized = recognizedDefault;
+  }
+  for (const parameter of protectedHeader.crit) {
+    if (!recognized.has(parameter)) {
+      throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
+    }
+    if (joseHeader[parameter] === void 0) {
+      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+    }
+    if (recognized.get(parameter) && protectedHeader[parameter] === void 0) {
+      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+    }
+  }
+  return new Set(protectedHeader.crit);
+}
+
+// ../../node_modules/jose/dist/webapi/lib/validate_algorithms.js
+function validateAlgorithms(option, algorithms) {
+  if (algorithms !== void 0 && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
+    throw new TypeError(`"${option}" option must be an array of strings`);
+  }
+  if (!algorithms) {
+    return void 0;
+  }
+  return new Set(algorithms);
+}
+
+// ../../node_modules/jose/dist/webapi/lib/is_jwk.js
+var isJWK = (key) => isObject(key) && typeof key.kty === "string";
+var isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
+var isPublicJWK = (key) => key.kty !== "oct" && key.d === void 0 && key.priv === void 0;
+var isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
+
+// ../../node_modules/jose/dist/webapi/lib/normalize_key.js
+var cache;
+var handleJWK = async (key, jwk, alg, freeze = false) => {
+  cache ||= /* @__PURE__ */ new WeakMap();
+  let cached = cache.get(key);
+  if (cached?.[alg]) {
+    return cached[alg];
+  }
+  const cryptoKey = await jwkToKey({ ...jwk, alg });
+  if (freeze)
+    Object.freeze(key);
+  if (!cached) {
+    cache.set(key, { [alg]: cryptoKey });
+  } else {
+    cached[alg] = cryptoKey;
+  }
+  return cryptoKey;
+};
+var handleKeyObject = (keyObject, alg) => {
+  cache ||= /* @__PURE__ */ new WeakMap();
+  let cached = cache.get(keyObject);
+  if (cached?.[alg]) {
+    return cached[alg];
+  }
+  const isPublic = keyObject.type === "public";
+  const extractable = isPublic ? true : false;
+  let cryptoKey;
+  if (keyObject.asymmetricKeyType === "x25519") {
+    switch (alg) {
+      case "ECDH-ES":
+      case "ECDH-ES+A128KW":
+      case "ECDH-ES+A192KW":
+      case "ECDH-ES+A256KW":
+        break;
+      default:
+        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    }
+    cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
+  }
+  if (keyObject.asymmetricKeyType === "ed25519") {
+    if (alg !== "EdDSA" && alg !== "Ed25519") {
+      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    }
+    cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
+      isPublic ? "verify" : "sign"
+    ]);
+  }
+  switch (keyObject.asymmetricKeyType) {
+    case "ml-dsa-44":
+    case "ml-dsa-65":
+    case "ml-dsa-87": {
+      if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
+        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+      }
+      cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
+        isPublic ? "verify" : "sign"
+      ]);
+    }
+  }
+  if (keyObject.asymmetricKeyType === "rsa") {
+    let hash;
+    switch (alg) {
+      case "RSA-OAEP":
+        hash = "SHA-1";
+        break;
+      case "RS256":
+      case "PS256":
+      case "RSA-OAEP-256":
+        hash = "SHA-256";
+        break;
+      case "RS384":
+      case "PS384":
+      case "RSA-OAEP-384":
+        hash = "SHA-384";
+        break;
+      case "RS512":
+      case "PS512":
+      case "RSA-OAEP-512":
+        hash = "SHA-512";
+        break;
+      default:
+        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    }
+    if (alg.startsWith("RSA-OAEP")) {
+      return keyObject.toCryptoKey({
+        name: "RSA-OAEP",
+        hash
+      }, extractable, isPublic ? ["encrypt"] : ["decrypt"]);
+    }
+    cryptoKey = keyObject.toCryptoKey({
+      name: alg.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
+      hash
+    }, extractable, [isPublic ? "verify" : "sign"]);
+  }
+  if (keyObject.asymmetricKeyType === "ec") {
+    const nist = /* @__PURE__ */ new Map([
+      ["prime256v1", "P-256"],
+      ["secp384r1", "P-384"],
+      ["secp521r1", "P-521"]
+    ]);
+    const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
+    if (!namedCurve) {
+      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    }
+    if (alg === "ES256" && namedCurve === "P-256") {
+      cryptoKey = keyObject.toCryptoKey({
+        name: "ECDSA",
+        namedCurve
+      }, extractable, [isPublic ? "verify" : "sign"]);
+    }
+    if (alg === "ES384" && namedCurve === "P-384") {
+      cryptoKey = keyObject.toCryptoKey({
+        name: "ECDSA",
+        namedCurve
+      }, extractable, [isPublic ? "verify" : "sign"]);
+    }
+    if (alg === "ES512" && namedCurve === "P-521") {
+      cryptoKey = keyObject.toCryptoKey({
+        name: "ECDSA",
+        namedCurve
+      }, extractable, [isPublic ? "verify" : "sign"]);
+    }
+    if (alg.startsWith("ECDH-ES")) {
+      cryptoKey = keyObject.toCryptoKey({
+        name: "ECDH",
+        namedCurve
+      }, extractable, isPublic ? [] : ["deriveBits"]);
+    }
+  }
+  if (!cryptoKey) {
+    throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+  }
+  if (!cached) {
+    cache.set(keyObject, { [alg]: cryptoKey });
+  } else {
+    cached[alg] = cryptoKey;
+  }
+  return cryptoKey;
+};
+async function normalizeKey(key, alg) {
+  if (key instanceof Uint8Array) {
+    return key;
+  }
+  if (isCryptoKey(key)) {
+    return key;
+  }
+  if (isKeyObject(key)) {
+    if (key.type === "secret") {
+      return key.export();
+    }
+    if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
+      try {
+        return handleKeyObject(key, alg);
+      } catch (err) {
+        if (err instanceof TypeError) {
+          throw err;
+        }
+      }
+    }
+    let jwk = key.export({ format: "jwk" });
+    return handleJWK(key, jwk, alg);
+  }
+  if (isJWK(key)) {
+    if (key.k) {
+      return decode(key.k);
+    }
+    return handleJWK(key, key, alg, true);
+  }
+  throw new Error("unreachable");
+}
+
+// ../../node_modules/jose/dist/webapi/lib/check_key_type.js
+var tag = (key) => key?.[Symbol.toStringTag];
+var jwkMatchesOp = (alg, key, usage) => {
+  if (key.use !== void 0) {
+    let expected;
+    switch (usage) {
+      case "sign":
+      case "verify":
+        expected = "sig";
+        break;
+      case "encrypt":
+      case "decrypt":
+        expected = "enc";
+        break;
+    }
+    if (key.use !== expected) {
+      throw new TypeError(`Invalid key for this operation, its "use" must be "${expected}" when present`);
+    }
+  }
+  if (key.alg !== void 0 && key.alg !== alg) {
+    throw new TypeError(`Invalid key for this operation, its "alg" must be "${alg}" when present`);
+  }
+  if (Array.isArray(key.key_ops)) {
+    let expectedKeyOp;
+    switch (true) {
+      case (usage === "sign" || usage === "verify"):
+      case alg === "dir":
+      case alg.includes("CBC-HS"):
+        expectedKeyOp = usage;
+        break;
+      case alg.startsWith("PBES2"):
+        expectedKeyOp = "deriveBits";
+        break;
+      case /^A\d{3}(?:GCM)?(?:KW)?$/.test(alg):
+        if (!alg.includes("GCM") && alg.endsWith("KW")) {
+          expectedKeyOp = usage === "encrypt" ? "wrapKey" : "unwrapKey";
+        } else {
+          expectedKeyOp = usage;
+        }
+        break;
+      case (usage === "encrypt" && alg.startsWith("RSA")):
+        expectedKeyOp = "wrapKey";
+        break;
+      case usage === "decrypt":
+        expectedKeyOp = alg.startsWith("RSA") ? "unwrapKey" : "deriveBits";
+        break;
+    }
+    if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) {
+      throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${expectedKeyOp}" when present`);
+    }
+  }
+  return true;
+};
+var symmetricTypeCheck = (alg, key, usage) => {
+  if (key instanceof Uint8Array)
+    return;
+  if (isJWK(key)) {
+    if (isSecretJWK(key) && jwkMatchesOp(alg, key, usage))
+      return;
+    throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`);
+  }
+  if (!isKeyLike(key)) {
+    throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
+  }
+  if (key.type !== "secret") {
+    throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`);
+  }
+};
+var asymmetricTypeCheck = (alg, key, usage) => {
+  if (isJWK(key)) {
+    switch (usage) {
+      case "decrypt":
+      case "sign":
+        if (isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))
+          return;
+        throw new TypeError(`JSON Web Key for this operation must be a private JWK`);
+      case "encrypt":
+      case "verify":
+        if (isPublicJWK(key) && jwkMatchesOp(alg, key, usage))
+          return;
+        throw new TypeError(`JSON Web Key for this operation must be a public JWK`);
+    }
+  }
+  if (!isKeyLike(key)) {
+    throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key"));
+  }
+  if (key.type === "secret") {
+    throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type "secret"`);
+  }
+  if (key.type === "public") {
+    switch (usage) {
+      case "sign":
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type "private"`);
+      case "decrypt":
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type "private"`);
+    }
+  }
+  if (key.type === "private") {
+    switch (usage) {
+      case "verify":
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type "public"`);
+      case "encrypt":
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type "public"`);
+    }
+  }
+};
+function checkKeyType(alg, key, usage) {
+  switch (alg.substring(0, 2)) {
+    case "A1":
+    case "A2":
+    case "di":
+    case "HS":
+    case "PB":
+      symmetricTypeCheck(alg, key, usage);
+      break;
+    default:
+      asymmetricTypeCheck(alg, key, usage);
+  }
+}
+
+// ../../node_modules/jose/dist/webapi/lib/subtle_dsa.js
+function subtleAlgorithm(alg, algorithm) {
+  const hash = `SHA-${alg.slice(-3)}`;
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      return { hash, name: "HMAC" };
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { hash, name: "RSASSA-PKCS1-v1_5" };
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
+    case "Ed25519":
+    case "EdDSA":
+      return { name: "Ed25519" };
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return { name: alg };
+    default:
+      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+
+// ../../node_modules/jose/dist/webapi/lib/get_sign_verify_key.js
+async function getSigKey(alg, key, usage) {
+  if (key instanceof Uint8Array) {
+    if (!alg.startsWith("HS")) {
+      throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+    }
+    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
+  }
+  checkSigCryptoKey(key, alg, usage);
+  return key;
+}
+
+// ../../node_modules/jose/dist/webapi/lib/verify.js
+async function verify(alg, key, signature, data) {
+  const cryptoKey = await getSigKey(alg, key, "verify");
+  checkKeyLength(alg, cryptoKey);
+  const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
+  try {
+    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+  } catch {
+    return false;
+  }
+}
+
+// ../../node_modules/jose/dist/webapi/jws/flattened/verify.js
+async function flattenedVerify(jws, key, options) {
+  if (!isObject(jws)) {
+    throw new JWSInvalid("Flattened JWS must be an object");
+  }
+  if (jws.protected === void 0 && jws.header === void 0) {
+    throw new JWSInvalid('Flattened JWS must have either of the "protected" or "header" members');
+  }
+  if (jws.protected !== void 0 && typeof jws.protected !== "string") {
+    throw new JWSInvalid("JWS Protected Header incorrect type");
+  }
+  if (jws.payload === void 0) {
+    throw new JWSInvalid("JWS Payload missing");
+  }
+  if (typeof jws.signature !== "string") {
+    throw new JWSInvalid("JWS Signature missing or incorrect type");
+  }
+  if (jws.header !== void 0 && !isObject(jws.header)) {
+    throw new JWSInvalid("JWS Unprotected Header incorrect type");
+  }
+  let parsedProt = {};
+  if (jws.protected) {
+    try {
+      const protectedHeader = decode(jws.protected);
+      parsedProt = JSON.parse(decoder.decode(protectedHeader));
+    } catch {
+      throw new JWSInvalid("JWS Protected Header is invalid");
+    }
+  }
+  if (!isDisjoint(parsedProt, jws.header)) {
+    throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+  }
+  const joseHeader = {
+    ...parsedProt,
+    ...jws.header
+  };
+  const extensions = validateCrit(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, parsedProt, joseHeader);
+  let b64 = true;
+  if (extensions.has("b64")) {
+    b64 = parsedProt.b64;
+    if (typeof b64 !== "boolean") {
+      throw new JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+    }
+  }
+  const { alg } = joseHeader;
+  if (typeof alg !== "string" || !alg) {
+    throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+  }
+  const algorithms = options && validateAlgorithms("algorithms", options.algorithms);
+  if (algorithms && !algorithms.has(alg)) {
+    throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
+  }
+  if (b64) {
+    if (typeof jws.payload !== "string") {
+      throw new JWSInvalid("JWS Payload must be a string");
+    }
+  } else if (typeof jws.payload !== "string" && !(jws.payload instanceof Uint8Array)) {
+    throw new JWSInvalid("JWS Payload must be a string or an Uint8Array instance");
+  }
+  let resolvedKey = false;
+  if (typeof key === "function") {
+    key = await key(parsedProt, jws);
+    resolvedKey = true;
+  }
+  checkKeyType(alg, key, "verify");
+  const data = concat(jws.protected !== void 0 ? encode(jws.protected) : new Uint8Array(), encode("."), typeof jws.payload === "string" ? b64 ? encode(jws.payload) : encoder.encode(jws.payload) : jws.payload);
+  let signature;
+  try {
+    signature = decode(jws.signature);
+  } catch {
+    throw new JWSInvalid("Failed to base64url decode the signature");
+  }
+  const k = await normalizeKey(key, alg);
+  const verified = await verify(alg, k, signature, data);
+  if (!verified) {
+    throw new JWSSignatureVerificationFailed();
+  }
+  let payload;
+  if (b64) {
+    try {
+      payload = decode(jws.payload);
+    } catch {
+      throw new JWSInvalid("Failed to base64url decode the payload");
+    }
+  } else if (typeof jws.payload === "string") {
+    payload = encoder.encode(jws.payload);
+  } else {
+    payload = jws.payload;
+  }
+  const result = { payload };
+  if (jws.protected !== void 0) {
+    result.protectedHeader = parsedProt;
+  }
+  if (jws.header !== void 0) {
+    result.unprotectedHeader = jws.header;
+  }
+  if (resolvedKey) {
+    return { ...result, key: k };
+  }
+  return result;
+}
+
+// ../../node_modules/jose/dist/webapi/jws/compact/verify.js
+async function compactVerify(jws, key, options) {
+  if (jws instanceof Uint8Array) {
+    jws = decoder.decode(jws);
+  }
+  if (typeof jws !== "string") {
+    throw new JWSInvalid("Compact JWS must be a string or Uint8Array");
+  }
+  const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split(".");
+  if (length !== 3) {
+    throw new JWSInvalid("Invalid Compact JWS");
+  }
+  const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options);
+  const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };
+  if (typeof key === "function") {
+    return { ...result, key: verified.key };
+  }
+  return result;
+}
+
+// ../../node_modules/jose/dist/webapi/lib/jwt_claims_set.js
+var epoch = (date) => Math.floor(date.getTime() / 1e3);
+var minute = 60;
+var hour = minute * 60;
+var day = hour * 24;
+var week = day * 7;
+var year = day * 365.25;
+var REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
+function secs(str) {
+  const matched = REGEX.exec(str);
+  if (!matched || matched[4] && matched[1]) {
+    throw new TypeError("Invalid time period format");
+  }
+  const value = parseFloat(matched[2]);
+  const unit = matched[3].toLowerCase();
+  let numericDate;
+  switch (unit) {
+    case "sec":
+    case "secs":
+    case "second":
+    case "seconds":
+    case "s":
+      numericDate = Math.round(value);
+      break;
+    case "minute":
+    case "minutes":
+    case "min":
+    case "mins":
+    case "m":
+      numericDate = Math.round(value * minute);
+      break;
+    case "hour":
+    case "hours":
+    case "hr":
+    case "hrs":
+    case "h":
+      numericDate = Math.round(value * hour);
+      break;
+    case "day":
+    case "days":
+    case "d":
+      numericDate = Math.round(value * day);
+      break;
+    case "week":
+    case "weeks":
+    case "w":
+      numericDate = Math.round(value * week);
+      break;
+    default:
+      numericDate = Math.round(value * year);
+      break;
+  }
+  if (matched[1] === "-" || matched[4] === "ago") {
+    return -numericDate;
+  }
+  return numericDate;
+}
+var normalizeTyp = (value) => {
+  if (value.includes("/")) {
+    return value.toLowerCase();
+  }
+  return `application/${value.toLowerCase()}`;
+};
+var checkAudiencePresence = (audPayload, audOption) => {
+  if (typeof audPayload === "string") {
+    return audOption.includes(audPayload);
+  }
+  if (Array.isArray(audPayload)) {
+    return audOption.some(Set.prototype.has.bind(new Set(audPayload)));
+  }
+  return false;
+};
+function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {
+  let payload;
+  try {
+    payload = JSON.parse(decoder.decode(encodedPayload));
+  } catch {
+  }
+  if (!isObject(payload)) {
+    throw new JWTInvalid("JWT Claims Set must be a top-level JSON object");
+  }
+  const { typ } = options;
+  if (typ && (typeof protectedHeader.typ !== "string" || normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {
+    throw new JWTClaimValidationFailed('unexpected "typ" JWT header value', payload, "typ", "check_failed");
+  }
+  const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;
+  const presenceCheck = [...requiredClaims];
+  if (maxTokenAge !== void 0)
+    presenceCheck.push("iat");
+  if (audience !== void 0)
+    presenceCheck.push("aud");
+  if (subject !== void 0)
+    presenceCheck.push("sub");
+  if (issuer !== void 0)
+    presenceCheck.push("iss");
+  for (const claim of new Set(presenceCheck.reverse())) {
+    if (!(claim in payload)) {
+      throw new JWTClaimValidationFailed(`missing required "${claim}" claim`, payload, claim, "missing");
+    }
+  }
+  if (issuer && !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {
+    throw new JWTClaimValidationFailed('unexpected "iss" claim value', payload, "iss", "check_failed");
+  }
+  if (subject && payload.sub !== subject) {
+    throw new JWTClaimValidationFailed('unexpected "sub" claim value', payload, "sub", "check_failed");
+  }
+  if (audience && !checkAudiencePresence(payload.aud, typeof audience === "string" ? [audience] : audience)) {
+    throw new JWTClaimValidationFailed('unexpected "aud" claim value', payload, "aud", "check_failed");
+  }
+  let tolerance;
+  switch (typeof options.clockTolerance) {
+    case "string":
+      tolerance = secs(options.clockTolerance);
+      break;
+    case "number":
+      tolerance = options.clockTolerance;
+      break;
+    case "undefined":
+      tolerance = 0;
+      break;
+    default:
+      throw new TypeError("Invalid clockTolerance option type");
+  }
+  const { currentDate } = options;
+  const now = epoch(currentDate || /* @__PURE__ */ new Date());
+  if ((payload.iat !== void 0 || maxTokenAge) && typeof payload.iat !== "number") {
+    throw new JWTClaimValidationFailed('"iat" claim must be a number', payload, "iat", "invalid");
+  }
+  if (payload.nbf !== void 0) {
+    if (typeof payload.nbf !== "number") {
+      throw new JWTClaimValidationFailed('"nbf" claim must be a number', payload, "nbf", "invalid");
+    }
+    if (payload.nbf > now + tolerance) {
+      throw new JWTClaimValidationFailed('"nbf" claim timestamp check failed', payload, "nbf", "check_failed");
+    }
+  }
+  if (payload.exp !== void 0) {
+    if (typeof payload.exp !== "number") {
+      throw new JWTClaimValidationFailed('"exp" claim must be a number', payload, "exp", "invalid");
+    }
+    if (payload.exp <= now - tolerance) {
+      throw new JWTExpired('"exp" claim timestamp check failed', payload, "exp", "check_failed");
+    }
+  }
+  if (maxTokenAge) {
+    const age = now - payload.iat;
+    const max = typeof maxTokenAge === "number" ? maxTokenAge : secs(maxTokenAge);
+    if (age - tolerance > max) {
+      throw new JWTExpired('"iat" claim timestamp check failed (too far in the past)', payload, "iat", "check_failed");
+    }
+    if (age < 0 - tolerance) {
+      throw new JWTClaimValidationFailed('"iat" claim timestamp check failed (it should be in the past)', payload, "iat", "check_failed");
+    }
+  }
+  return payload;
+}
+
+// ../../node_modules/jose/dist/webapi/jwt/verify.js
+async function jwtVerify(jwt, key, options) {
+  const verified = await compactVerify(jwt, key, options);
+  if (verified.protectedHeader.crit?.includes("b64") && verified.protectedHeader.b64 === false) {
+    throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
+  }
+  const payload = validateClaimsSet(verified.protectedHeader, verified.payload, options);
+  const result = { payload, protectedHeader: verified.protectedHeader };
+  if (typeof key === "function") {
+    return { ...result, key: verified.key };
+  }
+  return result;
+}
+
+// src/constants.ts
+var DEFAULT_PLATFORM_URL = "https://sylphx.com";
+var ENV_PLATFORM_URL = "SYLPHX_PLATFORM_URL";
+var ENV_PLATFORM_URL_LEGACY = "SYLPHX_URL";
+var ENV_SECRET_KEY = "SYLPHX_SECRET_KEY";
+function resolvePlatformUrl(explicit) {
+  return (explicit || process.env[ENV_PLATFORM_URL] || process.env[ENV_PLATFORM_URL_LEGACY] || DEFAULT_PLATFORM_URL).trim();
+}
+function resolveSecretKey(explicit) {
+  return explicit || process.env[ENV_SECRET_KEY];
+}
+var SDK_API_PATH = `/api/app/v1`;
+var SDK_VERSION = "0.1.0";
+var SDK_PLATFORM = typeof window !== "undefined" ? "browser" : typeof process !== "undefined" && process.versions?.node ? "node" : "unknown";
+var DEFAULT_TIMEOUT_MS = 3e4;
+var SESSION_TOKEN_LIFETIME_SECONDS = 5 * 60;
+var SESSION_TOKEN_LIFETIME_MS = SESSION_TOKEN_LIFETIME_SECONDS * 1e3;
+var REFRESH_TOKEN_LIFETIME_SECONDS = 30 * 24 * 60 * 60;
+var FLAGS_CACHE_TTL_MS = 5 * 60 * 1e3;
+var FLAGS_STALE_WHILE_REVALIDATE_MS = 60 * 1e3;
+var MAX_RETRY_DELAY_MS = 3e4;
+var BASE_RETRY_DELAY_MS = 1e3;
+var MAX_RETRIES = 3;
+var ANALYTICS_SESSION_TIMEOUT_MS = 30 * 60 * 1e3;
+var WEBHOOK_MAX_AGE_MS = 5 * 60 * 1e3;
+var WEBHOOK_CLOCK_SKEW_MS = 30 * 1e3;
+var PKCE_CODE_TTL_MS = 10 * 60 * 1e3;
+var JOBS_DLQ_MAX_AGE_MS = 7 * 24 * 60 * 60 * 1e3;
+var SESSION_REPLAY_MAX_DURATION_MS = 60 * 60 * 1e3;
+var FLAGS_EXPOSURE_DEDUPE_WINDOW_MS = 60 * 60 * 1e3;
+var CLICK_ID_EXPIRY_MS = 90 * 24 * 60 * 60 * 1e3;
+var STALE_TIME_FREQUENT_MS = 60 * 1e3;
+var STALE_TIME_MODERATE_MS = 2 * 60 * 1e3;
+var STALE_TIME_STABLE_MS = 5 * 60 * 1e3;
+var STALE_TIME_STATS_MS = 30 * 1e3;
+var NEW_USER_THRESHOLD_MS = 60 * 1e3;
+var STORAGE_MULTIPART_THRESHOLD_BYTES = 5 * 1024 * 1024;
+var STORAGE_DEFAULT_MAX_SIZE_BYTES = 5 * 1024 * 1024;
+var STORAGE_AVATAR_MAX_SIZE_BYTES = 2 * 1024 * 1024;
+var STORAGE_LARGE_MAX_SIZE_BYTES = 10 * 1024 * 1024;
+var JWK_CACHE_TTL_MS = 60 * 60 * 1e3;
+var CIRCUIT_BREAKER_FAILURE_THRESHOLD = 5;
+var CIRCUIT_BREAKER_WINDOW_MS = 1e4;
+var CIRCUIT_BREAKER_OPEN_DURATION_MS = 3e4;
+var ETAG_CACHE_MAX_ENTRIES = 100;
+var ETAG_CACHE_TTL_MS = 5 * 60 * 1e3;
+
+// src/rest-client.ts
+import createClient from "openapi-fetch";
+
+// src/errors.ts
+var ERROR_CODE_STATUS = {
+  BAD_REQUEST: 400,
+  UNAUTHORIZED: 401,
+  FORBIDDEN: 403,
+  NOT_FOUND: 404,
+  CONFLICT: 409,
+  PAYLOAD_TOO_LARGE: 413,
+  UNPROCESSABLE_ENTITY: 422,
+  TOO_MANY_REQUESTS: 429,
+  INTERNAL_SERVER_ERROR: 500,
+  NOT_IMPLEMENTED: 501,
+  BAD_GATEWAY: 502,
+  SERVICE_UNAVAILABLE: 503,
+  GATEWAY_TIMEOUT: 504,
+  NETWORK_ERROR: 0,
+  TIMEOUT: 0,
+  ABORTED: 0,
+  PARSE_ERROR: 0,
+  UNKNOWN: 0
+};
+var RETRYABLE_CODES = /* @__PURE__ */ new Set([
+  "NETWORK_ERROR",
+  "TIMEOUT",
+  "BAD_GATEWAY",
+  "SERVICE_UNAVAILABLE",
+  "GATEWAY_TIMEOUT",
+  "TOO_MANY_REQUESTS",
+  // With backoff
+  "INTERNAL_SERVER_ERROR"
+  // Sometimes transient
+]);
+var SylphxError = class _SylphxError extends Error {
+  /** Error code for programmatic handling */
+  code;
+  /** HTTP status code */
+  status;
+  /** Additional context data */
+  data;
+  /** Whether this error is safe to retry */
+  isRetryable;
+  /** Retry-After value in seconds (for rate limiting) */
+  retryAfter;
+  /** Timestamp when error occurred */
+  timestamp;
+  constructor(message2, options = {}) {
+    super(message2, { cause: options.cause });
+    this.name = "SylphxError";
+    this.code = options.code ?? "UNKNOWN";
+    this.status = options.status ?? ERROR_CODE_STATUS[this.code];
+    this.data = options.data;
+    this.isRetryable = RETRYABLE_CODES.has(this.code);
+    this.retryAfter = options.retryAfter;
+    this.timestamp = /* @__PURE__ */ new Date();
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, _SylphxError);
+    }
+  }
+  /**
+   * Convert to JSON-serializable object
+   */
+  toJSON() {
+    return {
+      name: this.name,
+      message: this.message,
+      code: this.code,
+      status: this.status,
+      data: this.data,
+      isRetryable: this.isRetryable,
+      retryAfter: this.retryAfter,
+      timestamp: this.timestamp.toISOString()
+    };
+  }
+};
+var RateLimitError = class extends SylphxError {
+  /** Maximum requests allowed in window */
+  limit;
+  /** Remaining requests in current window */
+  remaining;
+  /** Unix timestamp (seconds) when limit resets */
+  resetAt;
+  constructor(message2 = "Too many requests", options) {
+    super(message2, { ...options, code: "TOO_MANY_REQUESTS" });
+    this.name = "RateLimitError";
+    this.limit = options?.limit;
+    this.remaining = options?.remaining;
+    this.resetAt = options?.resetAt;
+  }
+  /**
+   * Get Date when rate limit resets
+   */
+  getResetDate() {
+    return this.resetAt ? new Date(this.resetAt * 1e3) : void 0;
+  }
+  /**
+   * Get human-readable retry message
+   */
+  getRetryMessage() {
+    if (this.retryAfter) {
+      return `Please retry after ${this.retryAfter} seconds`;
+    }
+    if (this.resetAt) {
+      const seconds = Math.max(0, this.resetAt - Math.floor(Date.now() / 1e3));
+      return `Rate limit resets in ${seconds} seconds`;
+    }
+    return "Please wait before retrying";
+  }
+};
+function exponentialBackoff(attempt, baseDelay = BASE_RETRY_DELAY_MS, maxDelay = MAX_RETRY_DELAY_MS) {
+  const exponentialDelay = baseDelay * Math.pow(2, attempt);
+  const cappedDelay = Math.min(exponentialDelay, maxDelay);
+  const jitter = cappedDelay * 0.25 * (Math.random() * 2 - 1);
+  return Math.round(cappedDelay + jitter);
+}
+
+// src/key-validation.ts
+var APP_ID_PATTERN = /^app_(dev|stg|prod)_[a-z0-9_-]+$/;
+var SECRET_KEY_PATTERN = /^sk_(dev|stg|prod)_[a-z0-9_-]+$/;
+var ENV_PREFIX_MAP = {
+  dev: "development",
+  stg: "staging",
+  prod: "production"
+};
+function detectKeyIssues(key) {
+  const issues = [];
+  if (key !== key.trim()) issues.push("whitespace");
+  if (key.includes("\n")) issues.push("newline");
+  if (key.includes("\r")) issues.push("carriage-return");
+  if (key.includes(" ")) issues.push("space");
+  if (key !== key.toLowerCase()) issues.push("uppercase-chars");
+  return issues;
+}
+function createSanitizationWarning(keyType, issues, envVarName) {
+  const keyTypeName = keyType === "appId" ? "App ID" : "Secret Key";
+  return `[Sylphx] ${keyTypeName} contains ${issues.join(", ")}. This is commonly caused by Vercel CLI's 'env pull' command.
+
+To fix permanently:
+1. Go to Vercel Dashboard \u2192 Your Project \u2192 Settings \u2192 Environment Variables
+2. Edit ${envVarName}
+3. Remove any trailing whitespace or newline characters
+4. Redeploy your application
+
+The SDK will automatically sanitize the key, but fixing the source is recommended.`;
+}
+function createInvalidKeyError(keyType, key, envVarName) {
+  const prefix = keyType === "appId" ? "app" : "sk";
+  const maskedKey = key.length > 20 ? `${key.slice(0, 20)}...` : key;
+  const formatHint = `${prefix}_(dev|stg|prod)_[identifier]`;
+  const keyTypeName = keyType === "appId" ? "App ID" : "Secret Key";
+  return `[Sylphx] Invalid ${keyTypeName} format.
+
+Expected format: ${formatHint}
+Received: "${maskedKey}"
+
+Please check your ${envVarName} environment variable.
+You can find your keys in the Sylphx Console \u2192 API Keys.
+
+Common issues:
+\u2022 Key has uppercase characters (must be lowercase)
+\u2022 Key has wrong prefix (App ID: app_, Secret Key: sk_)
+\u2022 Key has invalid environment (must be dev, stg, or prod)
+\u2022 Key was copied with extra whitespace`;
+}
+function extractEnvironment(key) {
+  const match = key.match(/^(?:app|sk)_(dev|stg|prod)_/);
+  if (!match) return void 0;
+  return ENV_PREFIX_MAP[match[1]];
+}
+function validateKeyForType(key, keyType, pattern, envVarName) {
+  const keyTypeName = keyType === "appId" ? "App ID" : "Secret Key";
+  if (!key) {
+    return {
+      valid: false,
+      sanitizedKey: "",
+      error: `[Sylphx] ${keyTypeName} is required. Set ${envVarName} in your environment variables.`,
+      issues: ["missing"]
+    };
+  }
+  const issues = detectKeyIssues(key);
+  if (pattern.test(key)) {
+    return {
+      valid: true,
+      sanitizedKey: key,
+      keyType,
+      environment: extractEnvironment(key),
+      issues: []
+    };
+  }
+  const sanitized = key.trim().toLowerCase();
+  if (pattern.test(sanitized)) {
+    return {
+      valid: true,
+      sanitizedKey: sanitized,
+      keyType,
+      environment: extractEnvironment(sanitized),
+      warning: createSanitizationWarning(keyType, issues, envVarName),
+      issues
+    };
+  }
+  return {
+    valid: false,
+    sanitizedKey: "",
+    error: createInvalidKeyError(keyType, key, envVarName),
+    issues: [...issues, "invalid-format"]
+  };
+}
+function validateAppId(key) {
+  return validateKeyForType(
+    key,
+    "appId",
+    APP_ID_PATTERN,
+    "NEXT_PUBLIC_SYLPHX_APP_ID"
+  );
+}
+function validateAndSanitizeAppId(key) {
+  const result = validateAppId(key);
+  if (!result.valid) {
+    throw new Error(result.error);
+  }
+  if (result.warning) {
+    console.warn(result.warning);
+  }
+  return result.sanitizedKey;
+}
+function validateSecretKey(key) {
+  return validateKeyForType(
+    key,
+    "secret",
+    SECRET_KEY_PATTERN,
+    "SYLPHX_SECRET_KEY"
+  );
+}
+function validateAndSanitizeSecretKey(key) {
+  const result = validateSecretKey(key);
+  if (!result.valid) {
+    throw new Error(result.error);
+  }
+  if (result.warning) {
+    console.warn(result.warning);
+  }
+  return result.sanitizedKey;
+}
+function detectEnvironment(key) {
+  const sanitized = key.trim().toLowerCase();
+  if (sanitized.startsWith("sk_")) {
+    const result = validateSecretKey(sanitized);
+    if (!result.valid) {
+      throw new Error(result.error);
+    }
+    return result.environment;
+  }
+  if (sanitized.startsWith("app_")) {
+    const result = validateAppId(sanitized);
+    if (!result.valid) {
+      throw new Error(result.error);
+    }
+    return result.environment;
+  }
+  throw new Error(
+    `[Sylphx] Invalid key format. Key must start with 'sk_' (secret) or 'app_' (App ID).`
+  );
+}
+function isDevelopmentKey(key) {
+  return detectEnvironment(key) === "development";
+}
+function isProductionKey(key) {
+  return detectEnvironment(key) === "production";
+}
+function getCookieNamespace(secretKey) {
+  const env = detectEnvironment(secretKey);
+  const shortEnv = env === "development" ? "dev" : env === "staging" ? "stg" : "prod";
+  return `sylphx_${shortEnv}`;
+}
+function detectKeyType(key) {
+  const sanitized = key.trim().toLowerCase();
+  if (sanitized.startsWith("app_")) return "appId";
+  if (sanitized.startsWith("sk_")) return "secret";
+  return null;
+}
+function isAppId(key) {
+  return detectKeyType(key) === "appId";
+}
+function isSecretKey(key) {
+  return detectKeyType(key) === "secret";
+}
+function validateKey(key) {
+  const keyType = key ? detectKeyType(key) : null;
+  if (keyType === "appId") {
+    return validateAppId(key);
+  }
+  if (keyType === "secret") {
+    return validateSecretKey(key);
+  }
+  return {
+    valid: false,
+    sanitizedKey: "",
+    error: key ? `Invalid key format. Keys must start with 'app_' (App ID) or 'sk_' (Secret Key), followed by environment (dev/stg/prod) and identifier. Got: ${key.slice(0, 20)}...` : "API key is required but was not provided.",
+    issues: key ? ["invalid_format"] : ["missing"]
+  };
+}
+function validateAndSanitizeKey(key) {
+  const result = validateKey(key);
+  if (!result.valid) {
+    throw new Error(result.error);
+  }
+  if (result.warning) {
+    console.warn(`[Sylphx] ${result.warning}`);
+  }
+  return result.sanitizedKey;
+}
+function isDevelopmentRuntime() {
+  if (typeof process !== "undefined" && process.env) {
+    return process.env.NODE_ENV === "development";
+  }
+  if (typeof window !== "undefined") {
+    return window.location.hostname === "localhost" || window.location.hostname === "127.0.0.1";
+  }
+  return false;
+}
+
+// src/rest-client.ts
+function createAuthMiddleware(config) {
+  return {
+    async onRequest({ request }) {
+      request.headers.set("X-SDK-Version", SDK_VERSION);
+      request.headers.set("X-SDK-Platform", SDK_PLATFORM);
+      if (config.secretKey) {
+        request.headers.set("x-app-secret", config.secretKey);
+      }
+      const token = config.getAccessToken?.();
+      if (token) {
+        request.headers.set("Authorization", `Bearer ${token}`);
+      }
+      return request;
+    }
+  };
+}
+function isRetryableStatus(status) {
+  return status >= 500 || status === 429;
+}
+var inFlightRequests = /* @__PURE__ */ new Map();
+async function getRequestKey(request) {
+  const body = request.body ? await request.clone().text() : "";
+  return `${request.method}:${request.url}:${body}`;
+}
+function createDeduplicationMiddleware(config = {}) {
+  const { enabled = true, methods = ["GET"] } = config;
+  if (!enabled) {
+    return {
+      async onRequest({ request }) {
+        return request;
+      }
+    };
+  }
+  return {
+    async onRequest({ request }) {
+      if (!methods.includes(request.method)) {
+        return request;
+      }
+      const key = await getRequestKey(request);
+      const existing = inFlightRequests.get(key);
+      if (existing) {
+        const deduped = request.clone();
+        deduped._dedupKey = key;
+        return deduped;
+      }
+      request._dedupKey = key;
+      return request;
+    },
+    async onResponse({ request, response }) {
+      const key = request._dedupKey;
+      if (!key) return response;
+      const existing = inFlightRequests.get(key);
+      if (existing && inFlightRequests.get(key) !== void 0) {
+        const cachedResponse = await existing;
+        return cachedResponse.clone();
+      }
+      const responsePromise = Promise.resolve(response.clone());
+      inFlightRequests.set(key, responsePromise);
+      responsePromise.finally(() => {
+        setTimeout(() => inFlightRequests.delete(key), 100);
+      });
+      return response;
+    }
+  };
+}
+var CircuitBreakerOpenError = class extends Error {
+  remainingMs;
+  constructor(remainingMs) {
+    super(
+      `Circuit breaker is open. Retry after ${Math.ceil(remainingMs / 1e3)}s`
+    );
+    this.name = "CircuitBreakerOpenError";
+    this.remainingMs = remainingMs;
+  }
+};
+var circuitBreaker = null;
+function getCircuitBreaker(config = {}) {
+  if (!circuitBreaker) {
+    circuitBreaker = {
+      state: "CLOSED",
+      failures: [],
+      openedAt: null,
+      config: {
+        enabled: config.enabled ?? true,
+        failureThreshold: config.failureThreshold ?? CIRCUIT_BREAKER_FAILURE_THRESHOLD,
+        windowMs: config.windowMs ?? CIRCUIT_BREAKER_WINDOW_MS,
+        openDurationMs: config.openDurationMs ?? CIRCUIT_BREAKER_OPEN_DURATION_MS,
+        isFailure: config.isFailure ?? ((status) => status >= 500 || status === 429)
+      }
+    };
+  }
+  return circuitBreaker;
+}
+function recordFailure(cb) {
+  const now = Date.now();
+  cb.failures = cb.failures.filter((t) => now - t < cb.config.windowMs);
+  cb.failures.push(now);
+  if (cb.failures.length >= cb.config.failureThreshold) {
+    cb.state = "OPEN";
+    cb.openedAt = now;
+  }
+}
+function recordSuccess(cb) {
+  if (cb.state === "HALF_OPEN") {
+    cb.state = "CLOSED";
+    cb.failures = [];
+    cb.openedAt = null;
+  }
+}
+function shouldAllowRequest(cb) {
+  const now = Date.now();
+  switch (cb.state) {
+    case "CLOSED":
+      return { allowed: true };
+    case "OPEN": {
+      const elapsed = now - (cb.openedAt ?? now);
+      if (elapsed >= cb.config.openDurationMs) {
+        cb.state = "HALF_OPEN";
+        return { allowed: true };
+      }
+      return {
+        allowed: false,
+        remainingMs: cb.config.openDurationMs - elapsed
+      };
+    }
+    case "HALF_OPEN":
+      return { allowed: true };
+    default:
+      return { allowed: true };
+  }
+}
+function createCircuitBreakerMiddleware(config) {
+  if (config === false) {
+    return {
+      async onRequest({ request }) {
+        return request;
+      }
+    };
+  }
+  const cb = getCircuitBreaker(config ?? {});
+  return {
+    async onRequest({ request }) {
+      if (!cb.config.enabled) {
+        return request;
+      }
+      const check = shouldAllowRequest(cb);
+      if (!check.allowed) {
+        throw new CircuitBreakerOpenError(check.remainingMs);
+      }
+      return request;
+    },
+    async onResponse({ response }) {
+      if (!cb.config.enabled) {
+        return response;
+      }
+      if (cb.config.isFailure(response.status)) {
+        recordFailure(cb);
+      } else {
+        recordSuccess(cb);
+      }
+      return response;
+    }
+  };
+}
+var etagCache = /* @__PURE__ */ new Map();
+function getETagCacheKey(request) {
+  return `${request.method}:${request.url}`;
+}
+function evictOldEntries(maxEntries, ttlMs) {
+  const now = Date.now();
+  for (const [key, entry] of etagCache) {
+    if (now - entry.timestamp > ttlMs) {
+      etagCache.delete(key);
+    }
+  }
+  if (etagCache.size > maxEntries) {
+    const entries = Array.from(etagCache.entries());
+    entries.sort((a, b) => a[1].timestamp - b[1].timestamp);
+    const toRemove = entries.slice(0, entries.length - maxEntries);
+    for (const [key] of toRemove) {
+      etagCache.delete(key);
+    }
+  }
+}
+function createETagMiddleware(config) {
+  if (config === false) {
+    return {
+      async onRequest({ request }) {
+        return request;
+      }
+    };
+  }
+  const {
+    enabled = true,
+    maxEntries = ETAG_CACHE_MAX_ENTRIES,
+    ttlMs = ETAG_CACHE_TTL_MS
+  } = config ?? {};
+  if (!enabled) {
+    return {
+      async onRequest({ request }) {
+        return request;
+      }
+    };
+  }
+  return {
+    async onRequest({ request }) {
+      if (request.method !== "GET") {
+        return request;
+      }
+      const cacheKey = getETagCacheKey(request);
+      const cached = etagCache.get(cacheKey);
+      if (cached) {
+        if (Date.now() - cached.timestamp > ttlMs) {
+          etagCache.delete(cacheKey);
+        } else {
+          request.headers.set("If-None-Match", cached.etag);
+        }
+      }
+      return request;
+    },
+    async onResponse({ request, response }) {
+      if (request.method !== "GET") {
+        return response;
+      }
+      const cacheKey = getETagCacheKey(request);
+      if (response.status === 304) {
+        const cached = etagCache.get(cacheKey);
+        if (cached) {
+          cached.timestamp = Date.now();
+          return new Response(cached.body, {
+            status: 200,
+            headers: response.headers
+          });
+        }
+        return response;
+      }
+      if (response.ok) {
+        const etag = response.headers.get("ETag");
+        if (etag) {
+          const cloned = response.clone();
+          const body = await cloned.text();
+          evictOldEntries(maxEntries, ttlMs);
+          etagCache.set(cacheKey, {
+            etag,
+            body,
+            timestamp: Date.now()
+          });
+        }
+      }
+      return response;
+    }
+  };
+}
+function createRetryMiddleware(retryConfig) {
+  if (retryConfig === false) {
+    return {
+      async onResponse({ response }) {
+        return response;
+      }
+    };
+  }
+  const {
+    maxRetries = 3,
+    baseDelay = BASE_RETRY_DELAY_MS,
+    maxDelay = MAX_RETRY_DELAY_MS,
+    shouldRetry = isRetryableStatus,
+    timeout = DEFAULT_TIMEOUT_MS
+  } = retryConfig ?? {};
+  let originalBody = null;
+  return {
+    async onRequest({ request }) {
+      if (request.body) {
+        originalBody = await request.clone().text();
+      } else {
+        originalBody = null;
+      }
+      if (!request.signal) {
+        const controller = new AbortController();
+        setTimeout(() => controller.abort(), timeout);
+        return new Request(request.url, {
+          method: request.method,
+          headers: request.headers,
+          body: originalBody,
+          signal: controller.signal
+        });
+      }
+      return request;
+    },
+    async onResponse({ response, request }) {
+      let attempt = 0;
+      let currentResponse = response;
+      while (attempt < maxRetries && shouldRetry(currentResponse.status, attempt)) {
+        const retryAfter = currentResponse.headers.get("Retry-After");
+        const delay = retryAfter ? Number.parseInt(retryAfter, 10) * 1e3 : exponentialBackoff(attempt, baseDelay, maxDelay);
+        await new Promise((resolve) => setTimeout(resolve, delay));
+        attempt++;
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), timeout);
+        try {
+          const retryRequest = new Request(request.url, {
+            method: request.method,
+            headers: request.headers,
+            body: originalBody,
+            signal: controller.signal
+          });
+          const newResponse = await fetch(retryRequest);
+          clearTimeout(timeoutId);
+          if (newResponse.ok || !shouldRetry(newResponse.status, attempt)) {
+            return newResponse;
+          }
+          currentResponse = newResponse;
+        } catch (error) {
+          clearTimeout(timeoutId);
+          if (attempt >= maxRetries) {
+            throw error;
+          }
+        }
+      }
+      return currentResponse;
+    }
+  };
+}
+function validateClientConfig(config) {
+  return {
+    secretKey: validateAndSanitizeSecretKey(config.secretKey),
+    baseUrl: (config.platformUrl || DEFAULT_PLATFORM_URL).trim()
+  };
+}
+function createRestClient(config) {
+  const { secretKey, baseUrl } = validateClientConfig(config);
+  const client = createClient({
+    baseUrl: `${baseUrl}${SDK_API_PATH}`,
+    headers: {
+      "Content-Type": "application/json",
+      "x-app-secret": secretKey
+    }
+  });
+  if (config.deduplication !== false) {
+    client.use(createDeduplicationMiddleware(config.deduplication));
+  }
+  if (config.circuitBreaker !== false) {
+    client.use(createCircuitBreakerMiddleware(config.circuitBreaker));
+  }
+  if (config.etag !== false) {
+    client.use(createETagMiddleware(config.etag));
+  }
+  client.use(createRetryMiddleware(config.retry));
+  return client;
+}
+function createDynamicRestClient(config) {
+  const { secretKey, baseUrl } = validateClientConfig(config);
+  const validatedConfig = {
+    ...config,
+    secretKey,
+    platformUrl: baseUrl
+  };
+  const client = createClient({
+    baseUrl: `${baseUrl}${SDK_API_PATH}`,
+    headers: {
+      "Content-Type": "application/json"
+    }
+  });
+  if (config.deduplication !== false) {
+    client.use(createDeduplicationMiddleware(config.deduplication));
+  }
+  client.use(createAuthMiddleware(validatedConfig));
+  if (config.circuitBreaker !== false) {
+    client.use(createCircuitBreakerMiddleware(config.circuitBreaker));
+  }
+  if (config.etag !== false) {
+    client.use(createETagMiddleware(config.etag));
+  }
+  client.use(createRetryMiddleware(config.retry));
+  return client;
+}
+
+// src/server/ai.ts
+function createAI(options = {}) {
+  const baseURL = (options.platformUrl || process.env.SYLPHX_PLATFORM_URL || DEFAULT_PLATFORM_URL).trim();
+  const rawApiKey = options.secretKey || process.env.SYLPHX_SECRET_KEY;
+  const apiKey = validateAndSanitizeSecretKey(rawApiKey);
+  const headers = {
+    "Content-Type": "application/json",
+    Authorization: `Bearer ${apiKey}`
+  };
+  async function chat(opts) {
+    const response = await fetch(`${baseURL}/api/v1/chat/completions`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify(opts)
+    });
+    if (!response.ok) {
+      const error = await response.json().catch(() => ({ error: { message: "Chat failed" } }));
+      throw new Error(error.error?.message || "Chat failed");
+    }
+    if (opts.stream) {
+      return parseSSEStream(response);
+    }
+    return response.json();
+  }
+  async function embed(opts) {
+    const response = await fetch(`${baseURL}/api/v1/embeddings`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify(opts)
+    });
+    if (!response.ok) {
+      const error = await response.json().catch(() => ({ error: { message: "Embedding failed" } }));
+      throw new Error(error.error?.message || "Embedding failed");
+    }
+    return response.json();
+  }
+  async function listModels(opts) {
+    const params = new URLSearchParams();
+    if (opts?.capability) params.set("capability", opts.capability);
+    if (opts?.search) params.set("search", opts.search);
+    const query = params.toString();
+    const response = await fetch(
+      `${baseURL}/api/v1/models${query ? `?${query}` : ""}`
+    );
+    if (!response.ok) {
+      throw new Error("Failed to fetch models");
+    }
+    return response.json();
+  }
+  return {
+    chat,
+    embed,
+    listModels
+  };
+}
+async function* parseSSEStream(response) {
+  const reader = response.body?.getReader();
+  if (!reader) {
+    throw new Error("Response body is not readable");
+  }
+  const decoder2 = new TextDecoder();
+  let buffer = "";
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      buffer += decoder2.decode(value, { stream: true });
+      const lines = buffer.split("\n");
+      buffer = lines.pop() || "";
+      for (const line of lines) {
+        if (line.startsWith("data: ")) {
+          const data = line.slice(6);
+          if (data === "[DONE]") {
+            return;
+          }
+          try {
+            const chunk = JSON.parse(data);
+            yield chunk;
+          } catch {
+          }
+        }
+      }
+    }
+  } finally {
+    reader.releaseLock();
+  }
+}
+var defaultClient = null;
+function getAI() {
+  if (!defaultClient) {
+    defaultClient = createAI();
+  }
+  return defaultClient;
+}
+
+// src/server/kv.ts
+function createKv(options = {}) {
+  const platformUrl = resolvePlatformUrl(options.platformUrl);
+  const secretKey = validateAndSanitizeSecretKey(
+    resolveSecretKey(options.secretKey)
+  );
+  const headers = {
+    "Content-Type": "application/json",
+    "x-app-secret": secretKey,
+    "X-SDK-Version": SDK_VERSION,
+    "X-SDK-Platform": SDK_PLATFORM
+  };
+  async function request(method, path, body) {
+    let lastError;
+    for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+      try {
+        const response = await fetch(
+          `${platformUrl}${SDK_API_PATH}/kv${path}`,
+          {
+            method,
+            headers,
+            body: body ? JSON.stringify(body) : void 0
+          }
+        );
+        if (!response.ok) {
+          const errorBody = await response.json().catch(() => ({ error: "Request failed" }));
+          const message2 = typeof errorBody.error === "string" ? errorBody.error : errorBody.error?.message ?? "Request failed";
+          if (response.status === 429) {
+            const retryAfter = Number(response.headers.get("Retry-After")) || void 0;
+            throw new RateLimitError(message2, {
+              retryAfter,
+              limit: Number(response.headers.get("X-RateLimit-Limit")) || void 0,
+              remaining: Number(response.headers.get("X-RateLimit-Remaining")) || void 0
+            });
+          }
+          const codeMap = {
+            400: "BAD_REQUEST",
+            401: "UNAUTHORIZED",
+            403: "FORBIDDEN",
+            404: "NOT_FOUND",
+            409: "CONFLICT",
+            422: "UNPROCESSABLE_ENTITY",
+            500: "INTERNAL_SERVER_ERROR",
+            502: "BAD_GATEWAY",
+            503: "SERVICE_UNAVAILABLE",
+            504: "GATEWAY_TIMEOUT"
+          };
+          throw new SylphxError(message2, {
+            code: codeMap[response.status] ?? "UNKNOWN",
+            status: response.status,
+            data: errorBody.data
+          });
+        }
+        return response.json();
+      } catch (error) {
+        lastError = error instanceof Error ? error : new Error(String(error));
+        const isServerOrNetworkError = error instanceof SylphxError ? error.isRetryable && error.code !== "TOO_MANY_REQUESTS" : error instanceof TypeError;
+        if (!isServerOrNetworkError || attempt >= MAX_RETRIES) {
+          throw error instanceof SylphxError ? error : new SylphxError(lastError.message, {
+            code: "NETWORK_ERROR",
+            cause: lastError
+          });
+        }
+        await new Promise(
+          (resolve) => setTimeout(resolve, exponentialBackoff(attempt))
+        );
+      }
+    }
+    throw lastError ?? new SylphxError("Request failed", { code: "UNKNOWN" });
+  }
+  async function get(key) {
+    return request(
+      "GET",
+      `/${encodeURIComponent(key)}`
+    );
+  }
+  async function set(key, value, options2) {
+    const result = await request("POST", "", {
+      key,
+      value,
+      ...options2
+    });
+    return result.success;
+  }
+  async function del(key) {
+    const result = await request(
+      "DELETE",
+      `/${encodeURIComponent(key)}`
+    );
+    return result.deleted;
+  }
+  async function exists(key) {
+    const result = await request(
+      "GET",
+      `/exists/${encodeURIComponent(key)}`
+    );
+    return result.exists;
+  }
+  async function mget(keys) {
+    const result = await request(
+      "POST",
+      "/mget",
+      { keys }
+    );
+    return result.values;
+  }
+  async function mset(entries, options2) {
+    await request("POST", "/mset", {
+      entries,
+      ...options2
+    });
+  }
+  async function incr(key, by = 1) {
+    const result = await request("POST", "/incr", {
+      key,
+      by
+    });
+    return result.value;
+  }
+  async function expire(key, seconds) {
+    const result = await request("POST", "/expire", {
+      key,
+      seconds
+    });
+    return result.success;
+  }
+  async function ratelimit(key, options2) {
+    return request("POST", "/ratelimit", {
+      key,
+      ...options2
+    });
+  }
+  async function hset(key, fields) {
+    const result = await request("POST", "/hset", {
+      key,
+      fields
+    });
+    return result.created;
+  }
+  async function hget(key, field) {
+    const result = await request("POST", "/hget", {
+      key,
+      field
+    });
+    return result.value;
+  }
+  async function hgetall(key) {
+    const result = await request(
+      "POST",
+      "/hgetall",
+      { key }
+    );
+    return result.fields;
+  }
+  async function lpush(key, ...values) {
+    const result = await request("POST", "/lpush", {
+      key,
+      values
+    });
+    return result.length;
+  }
+  async function lrange(key, start = 0, stop = -1) {
+    const result = await request("POST", "/lrange", {
+      key,
+      start,
+      stop
+    });
+    return result.values;
+  }
+  async function zadd(key, ...members) {
+    const result = await request("POST", "/zadd", {
+      key,
+      members
+    });
+    return result.added;
+  }
+  async function zrange(key, start = 0, stop = 9, options2) {
+    const result = await request("POST", "/zrange", {
+      key,
+      start,
+      stop,
+      withScores: options2?.withScores ?? false,
+      rev: options2?.rev ?? false
+    });
+    return result.members;
+  }
+  return {
+    get,
+    set,
+    del,
+    exists,
+    mget,
+    mset,
+    incr,
+    expire,
+    ratelimit,
+    hset,
+    hget,
+    hgetall,
+    lpush,
+    lrange,
+    zadd,
+    zrange
+  };
+}
+var defaultClient2 = null;
+function getKv() {
+  if (!defaultClient2) {
+    defaultClient2 = createKv();
+  }
+  return defaultClient2;
+}
+
+// src/server/streams.ts
+function createStreams(options = {}) {
+  const baseURL = (options.platformUrl || process.env.SYLPHX_PLATFORM_URL || DEFAULT_PLATFORM_URL).trim();
+  const rawApiKey = options.secretKey || process.env.SYLPHX_SECRET_KEY;
+  const apiKey = validateAndSanitizeSecretKey(rawApiKey);
+  const headers = {
+    "Content-Type": "application/json",
+    "x-app-secret": apiKey
+  };
+  async function emit(channel, event, data) {
+    const response = await fetch(`${baseURL}${SDK_API_PATH}/realtime/emit`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({ channel, event, data })
+    });
+    if (!response.ok) {
+      const error = await response.json().catch(() => ({ error: "Emit failed" }));
+      throw new Error(
+        typeof error.error === "string" ? error.error : "Emit failed"
+      );
+    }
+    const result = await response.json();
+    return result.id;
+  }
+  async function history(channel, options2) {
+    const response = await fetch(`${baseURL}${SDK_API_PATH}/realtime/history`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        channel,
+        start: options2?.start,
+        end: options2?.end,
+        limit: options2?.limit
+      })
+    });
+    if (!response.ok) {
+      const error = await response.json().catch(() => ({ error: "History fetch failed" }));
+      throw new Error(
+        typeof error.error === "string" ? error.error : "History fetch failed"
+      );
+    }
+    const result = await response.json();
+    return result.messages;
+  }
+  function channelHelper(name) {
+    return {
+      emit: (event, data) => emit(name, event, data),
+      history: (options2) => history(name, options2)
+    };
+  }
+  return {
+    emit,
+    history,
+    channel: channelHelper
+  };
+}
+var defaultClient3 = null;
+function getStreams() {
+  if (!defaultClient3) {
+    defaultClient3 = createStreams();
+  }
+  return defaultClient3;
+}
+
+// src/server/index.ts
+function createServerClient(config) {
+  const secretKey = validateAndSanitizeSecretKey(config.secretKey);
+  return createRestClient({
+    secretKey,
+    platformUrl: config.platformUrl?.trim()
+  });
+}
+function createAuthenticatedServerClient(config, accessToken) {
+  return createDynamicRestClient({
+    secretKey: config.secretKey,
+    platformUrl: config.platformUrl,
+    getAccessToken: () => accessToken
+  });
+}
+function isJwksResponse(data) {
+  return typeof data === "object" && data !== null && "keys" in data && Array.isArray(data.keys);
+}
+function isAccessTokenPayload(payload) {
+  return typeof payload.sub === "string" && typeof payload.email === "string" && typeof payload.app_id === "string" && typeof payload.iat === "number" && typeof payload.exp === "number";
+}
+var jwksCache = null;
+async function getJwks(platformUrl = DEFAULT_PLATFORM_URL) {
+  const now = Date.now();
+  if (jwksCache && jwksCache.expiresAt > now) {
+    return jwksCache.keys;
+  }
+  const response = await fetch(`${platformUrl}/api/v1/auth/.well-known/jwks.json`);
+  if (!response.ok) {
+    throw new Error("Failed to fetch JWKS");
+  }
+  const data = await response.json();
+  if (!isJwksResponse(data)) {
+    throw new Error("Invalid JWKS response format");
+  }
+  jwksCache = {
+    keys: data.keys,
+    expiresAt: now + JWK_CACHE_TTL_MS
+    // Cache for 1 hour
+  };
+  return data.keys;
+}
+async function verifyAccessToken(token, options) {
+  const platformUrl = options.platformUrl || DEFAULT_PLATFORM_URL;
+  const keys = await getJwks(platformUrl);
+  if (!keys.length) {
+    throw new Error("No keys in JWKS");
+  }
+  let lastError = null;
+  for (const key of keys) {
+    try {
+      const jwk = await importJWK(key, "RS256");
+      const { payload } = await jwtVerify(token, jwk, {
+        issuer: platformUrl
+      });
+      if (!isAccessTokenPayload(payload)) {
+        throw new Error("Invalid token payload structure");
+      }
+      return {
+        sub: payload.sub,
+        email: payload.email,
+        name: payload.name,
+        picture: payload.picture,
+        email_verified: payload.email_verified,
+        app_id: payload.app_id,
+        role: payload.role,
+        iat: payload.iat,
+        exp: payload.exp
+      };
+    } catch (err) {
+      lastError = err;
+    }
+  }
+  throw lastError || new Error("Token verification failed");
+}
+async function verifyWebhook(options) {
+  const { payload, secret, verifyOptions = {} } = options;
+  const { maxAge = WEBHOOK_MAX_AGE_MS, clockSkew = WEBHOOK_CLOCK_SKEW_MS } = verifyOptions;
+  let signatureHex = options.signature ?? null;
+  let timestampStr = options.timestamp ?? null;
+  if (options.signatureHeader) {
+    const tMatch = options.signatureHeader.match(/t=(\d+)/);
+    const vMatch = options.signatureHeader.match(/v1=([a-f0-9]+)/);
+    if (tMatch) timestampStr = tMatch[1];
+    if (vMatch) signatureHex = vMatch[1];
+  }
+  if (!signatureHex) {
+    return { valid: false, error: "Missing signature" };
+  }
+  if (!timestampStr) {
+    return { valid: false, error: "Missing timestamp" };
+  }
+  const webhookTimeSeconds = Number.parseInt(timestampStr, 10);
+  if (Number.isNaN(webhookTimeSeconds)) {
+    return { valid: false, error: "Invalid timestamp format" };
+  }
+  const webhookTimeMs = webhookTimeSeconds * 1e3;
+  const now = Date.now();
+  const age = now - webhookTimeMs;
+  if (age > maxAge) {
+    return { valid: false, error: `Webhook too old: ${age}ms` };
+  }
+  if (age < -clockSkew) {
+    return { valid: false, error: "Webhook timestamp is in the future" };
+  }
+  const signedPayload = `${timestampStr}.${payload}`;
+  try {
+    const expectedSignature = await computeHmacSha256(signedPayload, secret);
+    if (!timingSafeEqual(signatureHex, expectedSignature)) {
+      return { valid: false, error: "Invalid signature" };
+    }
+    const parsedPayload = JSON.parse(payload);
+    return { valid: true, payload: parsedPayload };
+  } catch (error) {
+    return {
+      valid: false,
+      error: error instanceof Error ? error.message : "Verification failed"
+    };
+  }
+}
+async function computeHmacSha256(message2, secret) {
+  const encoder2 = new TextEncoder();
+  const keyData = encoder2.encode(secret);
+  const messageData = encoder2.encode(message2);
+  const cryptoKey = await crypto.subtle.importKey(
+    "raw",
+    keyData,
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign("HMAC", cryptoKey, messageData);
+  return Buffer.from(signature).toString("hex");
+}
+function timingSafeEqual(a, b) {
+  const target = a.length === b.length ? b : a;
+  let result = a.length ^ b.length;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ target.charCodeAt(i);
+  }
+  return result === 0;
+}
+function createWebhookHandler(config) {
+  return async (request) => {
+    const signatureHeader = request.headers.get("x-webhook-signature");
+    const body = await request.text();
+    const result = await verifyWebhook({
+      payload: body,
+      signatureHeader,
+      secret: config.secret,
+      verifyOptions: config.verifyOptions
+    });
+    if (!result.valid) {
+      return new Response(JSON.stringify({ error: result.error }), {
+        status: 401,
+        headers: { "Content-Type": "application/json" }
+      });
+    }
+    if (!result.payload) {
+      return new Response(JSON.stringify({ error: "Missing payload" }), {
+        status: 400,
+        headers: { "Content-Type": "application/json" }
+      });
+    }
+    const { event, data } = result.payload;
+    const handler = config.handlers[event];
+    if (!handler) {
+      return new Response(JSON.stringify({ received: true, handled: false }), {
+        status: 200,
+        headers: { "Content-Type": "application/json" }
+      });
+    }
+    try {
+      await handler(data);
+      return new Response(JSON.stringify({ received: true, handled: true }), {
+        status: 200,
+        headers: { "Content-Type": "application/json" }
+      });
+    } catch (error) {
+      return new Response(
+        JSON.stringify({
+          error: "Handler failed",
+          message: error instanceof Error ? error.message : "Unknown error"
+        }),
+        {
+          status: 500,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+  };
+}
+async function cachedFetch(params) {
+  const { url, headers, fallback, label, revalidate = 60 } = params;
+  try {
+    const response = await fetch(url, {
+      headers,
+      // @ts-expect-error - Next.js extended fetch option
+      next: { revalidate }
+      // Next.js Data Cache with TTL
+    });
+    if (!response.ok) {
+      console.warn(`[Sylphx] Failed to fetch ${label}:`, response.status);
+      return fallback;
+    }
+    const data = await response.json();
+    return data ?? fallback;
+  } catch (error) {
+    console.warn(`[Sylphx] Failed to fetch ${label}:`, error);
+    return fallback;
+  }
+}
+function sanitizeOptions(options) {
+  return {
+    ...options,
+    secretKey: validateAndSanitizeSecretKey(options.secretKey),
+    platformUrl: (options.platformUrl ?? DEFAULT_PLATFORM_URL).trim()
+  };
+}
+function sdkHeaders(secretKey) {
+  return { "x-app-secret": secretKey };
+}
+async function getOAuthProviders(options) {
+  const data = await fetchOAuthProviders(options);
+  return (data.providers || []).map((p) => p.id);
+}
+async function getOAuthProvidersWithInfo(options) {
+  const data = await fetchOAuthProviders(options);
+  return data.providers || [];
+}
+async function fetchOAuthProviders(options) {
+  const baseURL = (options.platformUrl ?? DEFAULT_PLATFORM_URL).trim();
+  const appId = validateAndSanitizeAppId(options.appId);
+  return cachedFetch({
+    url: `${baseURL}/api/auth/providers`,
+    headers: { "X-App-Id": appId },
+    fallback: { providers: [] },
+    label: "OAuth providers"
+  });
+}
+async function getPlans(options) {
+  const { secretKey, platformUrl = DEFAULT_PLATFORM_URL } = sanitizeOptions(options);
+  return cachedFetch({
+    url: `${platformUrl}${SDK_API_PATH}/billing/plans`,
+    headers: sdkHeaders(secretKey),
+    fallback: [],
+    label: "plans"
+  });
+}
+async function getConsentTypes(options) {
+  const { secretKey, platformUrl = DEFAULT_PLATFORM_URL } = sanitizeOptions(options);
+  return cachedFetch({
+    url: `${platformUrl}${SDK_API_PATH}/consent/types`,
+    headers: sdkHeaders(secretKey),
+    fallback: [],
+    label: "consent types"
+  });
+}
+async function getFeatureFlags(options) {
+  const { secretKey, platformUrl = DEFAULT_PLATFORM_URL } = sanitizeOptions(options);
+  return cachedFetch({
+    url: `${platformUrl}${SDK_API_PATH}/flags`,
+    headers: sdkHeaders(secretKey),
+    fallback: [],
+    label: "feature flags"
+  });
+}
+async function getAppMetadata(options) {
+  const { secretKey, platformUrl = DEFAULT_PLATFORM_URL } = sanitizeOptions(options);
+  return cachedFetch({
+    url: `${platformUrl}${SDK_API_PATH}/app`,
+    headers: sdkHeaders(secretKey),
+    fallback: { id: "", name: "", slug: "" },
+    label: "app metadata"
+  });
+}
+async function getAppConfig(options) {
+  const { secretKey, appId, platformUrl } = options;
+  const [plans, consentTypes, oauthProviders, featureFlags, app] = await Promise.all([
+    getPlans({ secretKey, platformUrl }),
+    getConsentTypes({ secretKey, platformUrl }),
+    getOAuthProvidersWithInfo({ appId, platformUrl }),
+    getFeatureFlags({ secretKey, platformUrl }),
+    getAppMetadata({ secretKey, platformUrl })
+  ]);
+  return {
+    plans,
+    consentTypes,
+    oauthProviders,
+    featureFlags,
+    app,
+    fetchedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+async function getReferralLeaderboard(options) {
+  const {
+    secretKey,
+    platformUrl = DEFAULT_PLATFORM_URL,
+    limit = 10,
+    period = "all"
+  } = sanitizeOptions(options);
+  const url = new URL(`${platformUrl}${SDK_API_PATH}/referrals/leaderboard`);
+  url.searchParams.set("limit", String(limit));
+  url.searchParams.set("period", period);
+  return cachedFetch({
+    url: url.toString(),
+    headers: sdkHeaders(secretKey),
+    fallback: { entries: [], total: 0, period },
+    label: "referral leaderboard"
+  });
+}
+async function getEngagementLeaderboard(options) {
+  const {
+    secretKey,
+    leaderboardId,
+    platformUrl = DEFAULT_PLATFORM_URL,
+    limit = 10
+  } = sanitizeOptions(options);
+  const url = new URL(
+    `${platformUrl}${SDK_API_PATH}/engagement/leaderboards/${encodeURIComponent(leaderboardId)}`
+  );
+  url.searchParams.set("limit", String(limit));
+  return cachedFetch({
+    url: url.toString(),
+    headers: sdkHeaders(secretKey),
+    fallback: {
+      leaderboardId,
+      entries: [],
+      period: "all",
+      resetTime: null,
+      userEntry: null
+    },
+    label: "engagement leaderboard"
+  });
+}
+async function getDatabaseConnection(options) {
+  const { secretKey, platformUrl = DEFAULT_PLATFORM_URL } = sanitizeOptions(options);
+  try {
+    const response = await fetch(`${platformUrl}${SDK_API_PATH}/database/connection-string`, {
+      headers: sdkHeaders(secretKey),
+      cache: "no-store"
+      // Always fetch fresh connection string
+    });
+    if (!response.ok) {
+      if (response.status === 404) {
+        return null;
+      }
+      if (response.status === 412) {
+        console.warn("[Sylphx] Database not ready:", await response.text());
+        return null;
+      }
+      console.warn("[Sylphx] Failed to fetch database connection:", response.status);
+      return null;
+    }
+    return await response.json();
+  } catch (error) {
+    console.warn("[Sylphx] Failed to fetch database connection:", error);
+    return null;
+  }
+}
+async function getDatabaseStatus(options) {
+  const { secretKey, platformUrl = DEFAULT_PLATFORM_URL } = sanitizeOptions(options);
+  return cachedFetch({
+    url: `${platformUrl}${SDK_API_PATH}/database/status`,
+    headers: sdkHeaders(secretKey),
+    fallback: {
+      status: "not_provisioned",
+      region: null,
+      pgVersion: null,
+      databaseName: null
+    },
+    label: "database status"
+  });
+}
+export {
+  createAI,
+  createAuthenticatedServerClient,
+  createKv,
+  createServerClient,
+  createStreams,
+  createWebhookHandler,
+  detectEnvironment,
+  detectKeyType,
+  getAI,
+  getAppConfig,
+  getAppMetadata,
+  getConsentTypes,
+  getCookieNamespace,
+  getDatabaseConnection,
+  getDatabaseStatus,
+  getEngagementLeaderboard,
+  getFeatureFlags,
+  getJwks,
+  getKv,
+  getOAuthProviders,
+  getOAuthProvidersWithInfo,
+  getPlans,
+  getReferralLeaderboard,
+  getStreams,
+  isAppId,
+  isDevelopmentKey,
+  isDevelopmentRuntime,
+  isProductionKey,
+  isSecretKey,
+  validateAndSanitizeAppId,
+  validateAndSanitizeKey,
+  validateAndSanitizeSecretKey,
+  validateAppId,
+  validateKey,
+  validateSecretKey,
+  verifyAccessToken,
+  verifyWebhook
+};
+//# sourceMappingURL=index.mjs.map