@sylphx/sdk 0.10.7 → 0.11.1

package/dist/index.mjs

@@ -66,8 +66,11 @@ __export(errors_exports, {
   TimeoutError: () => TimeoutError,
   ValidationError: () => ValidationError,
   exponentialBackoff: () => exponentialBackoff,
-  getErrorCode: () => getErrorCode,
-  getErrorMessage: () => getErrorMessage,
+  getErrorCode: () => getErrorCode2,
+  getErrorDetails: () => getErrorDetails2,
+  getErrorMessage: () => getErrorMessage2,
+  getSafeErrorMessage: () => getSafeErrorMessage,
+  isChallengeRequired: () => isChallengeRequired,
   isRetryableError: () => isRetryableError,
   isSylphxError: () => isSylphxError,
   toSylphxError: () => toSylphxError
@@ -95,21 +98,91 @@ function isRetryableError(error) {
   }
   return false;
 }
-function getErrorMessage(error) {
+function getErrorMessage2(error, fallback = "An unknown error occurred") {
   if (error instanceof Error) {
     return error.message;
   }
   if (typeof error === "string") {
     return error;
   }
-  return "An unknown error occurred";
+  if (error && typeof error === "object" && "message" in error) {
+    const message2 = error.message;
+    if (typeof message2 === "string") return message2;
+  }
+  if (error && typeof error === "object" && "response" in error) {
+    const response = error.response;
+    if (response?.data?.message) return response.data.message;
+    if (response?.data?.error) return response.data.error;
+  }
+  return fallback;
 }
-function getErrorCode(error) {
+function getErrorCode2(error) {
   if (error instanceof SylphxError) {
     return error.code;
   }
   return "UNKNOWN";
 }
+function getErrorStatus(error) {
+  if (!error || typeof error !== "object") return void 0;
+  if ("status" in error && typeof error.status === "number") {
+    return error.status;
+  }
+  if ("statusCode" in error && typeof error.statusCode === "number") {
+    return error.statusCode;
+  }
+  return void 0;
+}
+function getSafeErrorKey(error) {
+  if (error instanceof SylphxError) return error.code;
+  if (!error || typeof error !== "object") return void 0;
+  if ("code" in error && typeof error.code === "string") {
+    return error.code;
+  }
+  const status = getErrorStatus(error);
+  return status == null ? void 0 : String(status);
+}
+function getErrorDetails2(error, fallbackMessage = "An unknown error occurred") {
+  const details = {
+    message: getErrorMessage2(error, fallbackMessage)
+  };
+  const code = getSafeErrorKey(error);
+  if (code) {
+    Object.assign(details, { code });
+  }
+  const status = getErrorStatus(error);
+  if (status != null) {
+    Object.assign(details, { status });
+  }
+  if (error instanceof Error) {
+    Object.assign(details, {
+      name: error.name,
+      stack: error.stack,
+      ...error.cause ? { cause: error.cause } : {}
+    });
+  }
+  return details;
+}
+function getSafeErrorMessage(error, fallback = "Something went wrong. Please try again.") {
+  const errorCode = getSafeErrorKey(error);
+  if (errorCode && SAFE_ERROR_MESSAGES[errorCode]) return SAFE_ERROR_MESSAGES[errorCode];
+  if (error && typeof error === "object") {
+    const coded = error;
+    if (coded.data?.code && SAFE_ERROR_MESSAGES[coded.data.code]) {
+      return SAFE_ERROR_MESSAGES[coded.data.code];
+    }
+  }
+  const rawMessage = getErrorMessage2(error, "");
+  if (rawMessage && rawMessage.length < 200 && !rawMessage.includes("\n") && !rawMessage.includes("at ") && !INTERNAL_ERROR_PATTERNS.some((pattern) => pattern.test(rawMessage))) {
+    return rawMessage;
+  }
+  return fallback;
+}
+function isChallengeRequired(err) {
+  if (!(err instanceof Error)) return false;
+  if (err.message.includes("challenge")) return true;
+  const errWithData = err;
+  return errWithData.data?.code === "FORBIDDEN";
+}
 function toSylphxError(error) {
   if (error instanceof SylphxError) {
     return error;
@@ -140,7 +213,7 @@ function toSylphxError(error) {
     }
     return new SylphxError(error.message, { cause: error });
   }
-  return new SylphxError(getErrorMessage(error));
+  return new SylphxError(getErrorMessage2(error));
 }
 function exponentialBackoff(attempt, baseDelay = BASE_RETRY_DELAY_MS, maxDelay = MAX_RETRY_DELAY_MS) {
   const exponentialDelay = baseDelay * 2 ** attempt;
@@ -148,7 +221,7 @@ function exponentialBackoff(attempt, baseDelay = BASE_RETRY_DELAY_MS, maxDelay =
   const jitter = cappedDelay * 0.25 * (Math.random() * 2 - 1);
   return Math.round(cappedDelay + jitter);
 }
-var ERROR_CODE_STATUS, RETRYABLE_CODES, SylphxError, NetworkError, TimeoutError, AuthenticationError, AuthorizationError, ValidationError, RateLimitError, NotFoundError;
+var ERROR_CODE_STATUS, RETRYABLE_CODES, SylphxError, NetworkError, TimeoutError, AuthenticationError, AuthorizationError, ValidationError, RateLimitError, NotFoundError, INTERNAL_ERROR_PATTERNS, SAFE_ERROR_MESSAGES;
 var init_errors = __esm({
   "src/errors.ts"() {
     "use strict";
@@ -376,6 +449,57 @@ var init_errors = __esm({
         this.resourceId = options?.resourceId;
       }
     };
+    INTERNAL_ERROR_PATTERNS = [
+      /sql/i,
+      /database/i,
+      /postgres/i,
+      /neon/i,
+      /drizzle/i,
+      /prisma/i,
+      /constraint/i,
+      /foreign key/i,
+      /unique violation/i,
+      /null value/i,
+      /column/i,
+      /table/i,
+      /relation/i,
+      /trpc/i,
+      /internal server/i,
+      /unexpected/i,
+      /cannot read propert/i,
+      /undefined is not/i,
+      /null is not/i,
+      /cannot find module/i,
+      /econnrefused/i,
+      /etimedout/i,
+      /enotfound/i
+    ];
+    SAFE_ERROR_MESSAGES = {
+      "400": "Invalid request. Please check your input and try again.",
+      "401": "Please sign in to continue.",
+      "403": "You don't have permission to perform this action.",
+      "404": "The requested resource was not found.",
+      "409": "This action conflicts with existing data. Please refresh and try again.",
+      "429": "Too many requests. Please wait a moment and try again.",
+      "500": "Something went wrong on our end. Please try again later.",
+      "502": "Service temporarily unavailable. Please try again in a moment.",
+      "503": "Service temporarily unavailable. Please try again in a moment.",
+      BAD_REQUEST: "Invalid request. Please check your input.",
+      UNAUTHORIZED: "Please sign in to continue.",
+      FORBIDDEN: "You don't have permission to perform this action.",
+      NOT_FOUND: "The requested item was not found.",
+      CONFLICT: "This action conflicts with existing data.",
+      TOO_MANY_REQUESTS: "Too many requests. Please wait a moment.",
+      INTERNAL_SERVER_ERROR: "Something went wrong. Please try again later.",
+      TIMEOUT: "Request timed out. Please try again.",
+      PRECONDITION_FAILED: "This action cannot be completed right now.",
+      QUOTA_EXCEEDED: "You've reached your usage limit. Please upgrade your plan.",
+      PAYMENT_REQUIRED: "Payment is required to continue.",
+      INVALID_CREDENTIALS: "Invalid email or password.",
+      EMAIL_NOT_VERIFIED: "Please verify your email address.",
+      ACCOUNT_LOCKED: "Your account has been locked. Please contact support.",
+      SESSION_EXPIRED: "Your session has expired. Please sign in again."
+    };
   }
 });
 
@@ -4780,8 +4904,112 @@ var init_webapi = __esm({
   }
 });
 
+// src/compute.ts
+import {
+  DEFAULT_MACHINE_SIZE,
+  isMachineSize,
+  MACHINE_CONFIGS,
+  MACHINE_MAX_INSTANCES,
+  MACHINE_RESOURCE_REQUIREMENTS,
+  MACHINE_SIZES,
+  parseMachineSize,
+  resolveMachineConfig,
+  resolveMachineMaxInstances,
+  resolveMachineResources,
+  resolveMachineTierResources,
+  toPublicMachineSize
+} from "@sylphx/contract/compute";
+
+// src/config/database-pricing.ts
+var COMPUTE_PRICE_PER_HOUR_MICRODOLLARS = 8e4;
+var FREE_COMPUTE_HOURS = 3;
+var STORAGE_PRICE_PER_GB_MONTH_MICRODOLLARS = 25e4;
+var FREE_STORAGE_GB = 0.25;
+var TRANSFER_PRICE_PER_GB_MICRODOLLARS = 9e4;
+var KV_FREE_STORAGE_GB = 0.25;
+var HOURS_PER_MONTH = 730;
+
+// src/config/referrals.ts
+var DEFAULT_POINTS_REWARD = 100;
+var DISCOUNT_DURATION_MONTHS = 3;
+var DISCOUNT_PERCENT = 20;
+var PREMIUM_TRIAL_DAYS = 7;
+var REFERRAL_CODE_LENGTH = 8;
+var REFERRAL_CODE_CHARS = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
+function generateReferralCode() {
+  const bytes = new Uint8Array(REFERRAL_CODE_LENGTH);
+  crypto.getRandomValues(bytes);
+  let code = "";
+  for (let i = 0; i < REFERRAL_CODE_LENGTH; i++) {
+    code += REFERRAL_CODE_CHARS[bytes[i] % REFERRAL_CODE_CHARS.length];
+  }
+  return code;
+}
+
+// src/error-extract.ts
+function getErrorMessage(error, fallback = "Unknown error") {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  if (typeof error === "string") {
+    return error;
+  }
+  if (error && typeof error === "object" && "message" in error) {
+    const message2 = error.message;
+    if (typeof message2 === "string") {
+      return message2;
+    }
+  }
+  if (error && typeof error === "object" && "response" in error) {
+    const response = error.response;
+    if (response?.data?.message) return response.data.message;
+    if (response?.data?.error) return response.data.error;
+  }
+  return fallback;
+}
+function getErrorCode(error) {
+  if (!error || typeof error !== "object") {
+    return void 0;
+  }
+  if ("code" in error && typeof error.code === "string") {
+    return error.code;
+  }
+  if ("status" in error && typeof error.status === "number") {
+    return String(error.status);
+  }
+  if ("statusCode" in error && typeof error.statusCode === "number") {
+    return String(error.statusCode);
+  }
+  return void 0;
+}
+function getErrorDetails(error, fallbackMessage = "Unknown error") {
+  const details = {
+    message: getErrorMessage(error, fallbackMessage)
+  };
+  if (error instanceof Error) {
+    details.name = error.name;
+    details.stack = error.stack;
+    if (error.cause) {
+      details.cause = error.cause;
+    }
+  }
+  const code = getErrorCode(error);
+  if (code) {
+    details.code = code;
+  }
+  if (error && typeof error === "object") {
+    if ("status" in error && typeof error.status === "number") {
+      details.status = error.status;
+    } else if ("statusCode" in error && typeof error.statusCode === "number") {
+      details.status = error.statusCode;
+    }
+  }
+  return details;
+}
+
 // src/connection-url.ts
 var SYLPHX_PROTOCOL = "sylphx:";
+var DEFAULT_DOMAIN = "api.sylphx.com";
 var DEFAULT_VERSION = "v1";
 var CREDENTIAL_REGEX = /^(pk|sk)_(dev|stg|prod|prev)(?:_[a-z0-9]{12})?_[a-f0-9]{32,64}$/;
 var VERSION_REGEX = /^v[0-9]+$/;
@@ -4813,6 +5041,33 @@ function validateSlug(candidate) {
   }
   return candidate;
 }
+function validateDomain(domain) {
+  if (!domain || domain.includes("/") || domain.includes("@") || domain.includes(" ")) {
+    fail(`domain "${domain}" is not a valid hostname suffix`);
+  }
+  if (domain.includes("://")) {
+    fail(`domain "${domain}" must not contain a scheme`);
+  }
+  return domain.toLowerCase();
+}
+function normaliseVersion(version) {
+  if (version === void 0) return DEFAULT_VERSION;
+  if (version === "") return "";
+  if (!VERSION_REGEX.test(version)) {
+    fail(`version "${version}" must match /^v[0-9]+$/`);
+  }
+  return version;
+}
+function buildConnectionUrl(input) {
+  const { credential, slug, domain = DEFAULT_DOMAIN, version = DEFAULT_VERSION } = input;
+  parseCredential(credential);
+  const safeSlug = validateSlug(slug);
+  const safeDomain = validateDomain(domain);
+  const safeVersion = normaliseVersion(version);
+  const host = `${safeSlug}.${safeDomain}`;
+  const pathSuffix = safeVersion ? `/${safeVersion}` : "";
+  return `${SYLPHX_PROTOCOL}//${credential}@${host}${pathSuffix}`;
+}
 function parseConnectionUrl(url) {
   if (typeof url !== "string" || url.length === 0) {
     fail("url must be a non-empty string");
@@ -5187,6 +5442,1044 @@ async function callApi(config, path, options = {}) {
   }
 }
 
+// src/csv.ts
+function escapeCsvField(value) {
+  if (value === null || value === void 0) {
+    return "";
+  }
+  if (value.includes(",") || value.includes('"') || value.includes("\n")) {
+    return `"${value.replace(/"/g, '""')}"`;
+  }
+  return value;
+}
+
+// src/formatting.ts
+function calculatePercentage(count, total, decimals = 2) {
+  if (total === 0) return 100;
+  const multiplier = 10 ** (decimals + 2);
+  return Math.round(count / total * multiplier) / 10 ** decimals;
+}
+function formatMicrodollars(microdollars, options) {
+  return new Intl.NumberFormat("en-US", {
+    style: "currency",
+    currency: "USD",
+    ...options
+  }).format(microdollars / 1e6);
+}
+function formatCents(cents) {
+  return new Intl.NumberFormat("en-US", {
+    style: "currency",
+    currency: "USD"
+  }).format(cents / 100);
+}
+function formatCurrency(amount, optsOrCompact = false) {
+  const opts = typeof optsOrCompact === "boolean" ? { compact: optsOrCompact } : optsOrCompact;
+  const currency = (opts.currency ?? "USD").toUpperCase();
+  const decimals = opts.decimals ?? 2;
+  if (opts.compact && Math.abs(amount) >= 1e3) {
+    return new Intl.NumberFormat("en-US", {
+      style: "currency",
+      currency,
+      notation: "compact",
+      minimumFractionDigits: 1,
+      maximumFractionDigits: 1
+    }).format(amount);
+  }
+  return new Intl.NumberFormat("en-US", {
+    style: "currency",
+    currency,
+    minimumFractionDigits: decimals,
+    maximumFractionDigits: decimals
+  }).format(amount);
+}
+function formatPercent(value) {
+  return `${value >= 0 ? "+" : ""}${value.toFixed(1)}%`;
+}
+function formatNumber(num, compact = false) {
+  if (compact && num >= 1e3) {
+    return new Intl.NumberFormat("en-US", {
+      notation: "compact",
+      maximumFractionDigits: 1
+    }).format(num);
+  }
+  if (num >= 1e9) return `${(num / 1e9).toFixed(1)}B`;
+  if (num >= 1e6) return `${(num / 1e6).toFixed(1)}M`;
+  if (num >= 1e3) return `${(num / 1e3).toFixed(1)}K`;
+  return num.toLocaleString();
+}
+function formatDuration(ms) {
+  if (ms < 1) return "<1ms";
+  if (ms < 1e3) return `${Math.round(ms)}ms`;
+  return `${(ms / 1e3).toFixed(2)}s`;
+}
+function formatBytes(bytes, decimals = 1) {
+  if (bytes == null || bytes === 0 || Number.isNaN(bytes)) return "0 B";
+  const k = 1024;
+  const sizes = ["B", "KB", "MB", "GB", "TB", "PB"];
+  const i = Math.floor(Math.log(bytes) / Math.log(k));
+  return `${Number.parseFloat((bytes / k ** i).toFixed(decimals))} ${sizes[i]}`;
+}
+var BILLING_STATUS_VARIANTS = /* @__PURE__ */ new Map([
+  // Active/healthy states
+  ["healthy", "default"],
+  ["active", "default"],
+  // Pending/low states
+  ["low", "secondary"],
+  ["pending", "secondary"],
+  // Success states
+  ["paid", "success"],
+  ["completed", "success"],
+  // Warning states
+  ["grace_period", "warning"],
+  ["overdue", "warning"],
+  // Error states
+  ["critical", "error"],
+  ["blocked", "error"],
+  ["suspended", "error"],
+  ["failed", "error"]
+]);
+function getBillingStatusVariant(status) {
+  return BILLING_STATUS_VARIANTS.get(status) ?? "outline";
+}
+var INVOICE_STATUS_VARIANTS = /* @__PURE__ */ new Map([
+  ["draft", "secondary"],
+  ["pending", "default"],
+  ["paid", "success"],
+  ["overdue", "warning"],
+  ["failed", "error"],
+  ["cancelled", "error"]
+]);
+function getInvoiceStatusVariant(status) {
+  return INVOICE_STATUS_VARIANTS.get(status) ?? "outline";
+}
+function parseDate(date) {
+  const d = typeof date === "string" ? new Date(date) : date;
+  return Number.isNaN(d.getTime()) ? null : d;
+}
+function formatDate(date, options, fallback = "-") {
+  if (!date) return fallback;
+  const d = parseDate(date);
+  if (!d) return fallback;
+  return d.toLocaleDateString("en-US", {
+    month: "short",
+    day: "numeric",
+    year: "numeric",
+    ...options
+  });
+}
+function formatDateTime(date, options, fallback = "-") {
+  if (!date) return fallback;
+  const d = parseDate(date);
+  if (!d) return fallback;
+  return d.toLocaleString("en-US", {
+    month: "short",
+    day: "numeric",
+    hour: "2-digit",
+    minute: "2-digit",
+    ...options
+  });
+}
+var relativeTimeFormatter = new Intl.RelativeTimeFormat("en", {
+  numeric: "auto"
+});
+var TIME_DIVISIONS = [
+  { amount: 60, unit: "second" },
+  { amount: 60, unit: "minute" },
+  { amount: 24, unit: "hour" },
+  { amount: 7, unit: "day" },
+  { amount: 4.34524, unit: "week" },
+  { amount: 12, unit: "month" },
+  { amount: Number.POSITIVE_INFINITY, unit: "year" }
+];
+function formatRelativeTime(date) {
+  if (!date) return "Never";
+  const d = parseDate(date);
+  if (!d) return "Never";
+  let seconds = (d.getTime() - Date.now()) / 1e3;
+  for (const { amount, unit } of TIME_DIVISIONS) {
+    if (Math.abs(seconds) < amount) {
+      return relativeTimeFormatter.format(Math.round(seconds), unit);
+    }
+    seconds /= amount;
+  }
+  return formatDate(d);
+}
+function formatRelativeTimeShort(date) {
+  if (!date) return "Never";
+  const d = parseDate(date);
+  if (!d) return "Never";
+  const diffMs = Date.now() - d.getTime();
+  const diffSecs = Math.floor(diffMs / 1e3);
+  const diffMins = Math.floor(diffMs / 6e4);
+  const diffHours = Math.floor(diffMs / 36e5);
+  const diffDays = Math.floor(diffMs / 864e5);
+  if (diffSecs < 10) return "Just now";
+  if (diffSecs < 60) return `${diffSecs}s ago`;
+  if (diffMins < 60) return `${diffMins}m ago`;
+  if (diffHours < 24) return `${diffHours}h ago`;
+  if (diffDays === 1) return "Yesterday";
+  if (diffDays < 7) return `${diffDays}d ago`;
+  if (diffDays < 30) return `${Math.floor(diffDays / 7)}w ago`;
+  return d.toLocaleDateString("en-US", { month: "short", day: "numeric" });
+}
+function formatMonthYear(date, fallback = "-") {
+  if (!date) return fallback;
+  const d = parseDate(date);
+  if (!d) return fallback;
+  return d.toLocaleDateString("en-US", { month: "long", year: "numeric" });
+}
+function formatTime(date, fallback = "-") {
+  if (!date) return fallback;
+  const d = parseDate(date);
+  if (!d) return fallback;
+  return d.toLocaleTimeString("en-US", { hour: "2-digit", minute: "2-digit" });
+}
+
+// src/json.ts
+function safeJsonParse(input, fallback) {
+  try {
+    return JSON.parse(input);
+  } catch {
+    return fallback ?? null;
+  }
+}
+
+// src/utils.ts
+function getBaseUrl(mode = "relative") {
+  if (typeof globalThis.window !== "undefined") {
+    return mode === "origin" ? globalThis.window.location.origin : "";
+  }
+  if (process.env.NEXT_PUBLIC_APP_URL) {
+    return process.env.NEXT_PUBLIC_APP_URL;
+  }
+  const port = process.env.PORT ?? "3000";
+  return `http://localhost:${port}`;
+}
+var HTML_ENTITIES = {
+  "&": "&amp;",
+  "<": "&lt;",
+  ">": "&gt;",
+  '"': "&quot;",
+  "'": "&#039;"
+};
+function escapeHtml(str) {
+  return str.replace(/[&<>"']/g, (char) => HTML_ENTITIES[char]);
+}
+function generateSlug(text, maxLength) {
+  const slug = text.toLowerCase().trim().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").replace(/-{2,}/g, "-");
+  if (maxLength && slug.length > maxLength) {
+    return slug.slice(0, maxLength).replace(/-+$/, "");
+  }
+  return slug;
+}
+
+// src/utils/user-agent.ts
+function parseUserAgent(ua) {
+  if (!ua) {
+    return { browser: null, os: null, deviceType: null };
+  }
+  return {
+    browser: detectBrowser(ua),
+    os: detectOS(ua),
+    deviceType: detectDeviceType(ua)
+  };
+}
+function detectBrowser(ua) {
+  if (ua.includes("Edg/")) {
+    const match = ua.match(/Edg\/(\d+)/);
+    return match ? `Edge ${match[1]}` : "Edge";
+  }
+  if (ua.includes("OPR/") || ua.includes("Opera")) {
+    const match = ua.match(/OPR\/(\d+)/) || ua.match(/Opera\/(\d+)/);
+    return match ? `Opera ${match[1]}` : "Opera";
+  }
+  if (ua.includes("Brave")) {
+    return "Brave";
+  }
+  if (ua.includes("Chrome/")) {
+    const match = ua.match(/Chrome\/(\d+)/);
+    return match ? `Chrome ${match[1]}` : "Chrome";
+  }
+  if (ua.includes("Safari/") && !ua.includes("Chrome")) {
+    const match = ua.match(/Version\/(\d+)/);
+    return match ? `Safari ${match[1]}` : "Safari";
+  }
+  if (ua.includes("Firefox/")) {
+    const match = ua.match(/Firefox\/(\d+)/);
+    return match ? `Firefox ${match[1]}` : "Firefox";
+  }
+  if (ua.includes("MSIE") || ua.includes("Trident/")) {
+    const match = ua.match(/(?:MSIE |rv:)(\d+)/);
+    return match ? `IE ${match[1]}` : "Internet Explorer";
+  }
+  return null;
+}
+function detectOS(ua) {
+  if (ua.includes("iPhone") || ua.includes("iPad")) {
+    const match = ua.match(/OS (\d+[_\d]*)/);
+    if (match) {
+      const version = match[1].replace(/_/g, ".");
+      return `iOS ${version}`;
+    }
+    return "iOS";
+  }
+  if (ua.includes("Android")) {
+    const match = ua.match(/Android (\d+[.\d]*)/);
+    return match ? `Android ${match[1]}` : "Android";
+  }
+  if (ua.includes("Mac OS X") || ua.includes("macOS")) {
+    const match = ua.match(/Mac OS X (\d+[_\d]*)/) || ua.match(/macOS (\d+[_\d]*)/);
+    if (match) {
+      const version = match[1].replace(/_/g, ".");
+      return `macOS ${version}`;
+    }
+    return "macOS";
+  }
+  if (ua.includes("Windows NT")) {
+    const match = ua.match(/Windows NT ([\d.]+)/);
+    if (match) {
+      const ntVersion = match[1];
+      const windowsVersions = {
+        "10.0": "Windows 10/11",
+        "6.3": "Windows 8.1",
+        "6.2": "Windows 8",
+        "6.1": "Windows 7",
+        "6.0": "Windows Vista",
+        "5.1": "Windows XP"
+      };
+      return windowsVersions[ntVersion] || `Windows NT ${ntVersion}`;
+    }
+    return "Windows";
+  }
+  if (ua.includes("Linux")) {
+    if (ua.includes("Ubuntu")) return "Ubuntu";
+    if (ua.includes("Fedora")) return "Fedora";
+    if (ua.includes("Debian")) return "Debian";
+    return "Linux";
+  }
+  if (ua.includes("CrOS")) {
+    return "Chrome OS";
+  }
+  return null;
+}
+function detectDeviceType(ua) {
+  if (ua.includes("iPad") || ua.includes("Tablet") || ua.includes("Android") && !ua.includes("Mobile")) {
+    return "tablet";
+  }
+  if (ua.includes("iPhone") || ua.includes("iPod") || ua.includes("Android") || ua.includes("Mobile") || ua.includes("webOS") || ua.includes("BlackBerry") || ua.includes("IEMobile") || ua.includes("Opera Mini")) {
+    return "mobile";
+  }
+  if (ua.includes("Windows NT") || ua.includes("Mac OS X") || ua.includes("macOS") || ua.includes("Linux") || ua.includes("CrOS")) {
+    return "desktop";
+  }
+  return null;
+}
+
+// src/config/auth.ts
+var MIN_PASSWORD_LENGTH = 8;
+var MAX_PASSWORD_LENGTH = 128;
+var PASSWORD_REQUIREMENTS = {
+  minLength: MIN_PASSWORD_LENGTH,
+  maxLength: MAX_PASSWORD_LENGTH,
+  description: `Must be at least ${MIN_PASSWORD_LENGTH} characters`,
+  placeholder: `Min. ${MIN_PASSWORD_LENGTH} characters`
+};
+
+// src/config/billing.ts
+var BYTES_PER_GB = 1024 * 1024 * 1024;
+var MICRODOLLARS_PER_CENT = 1e4;
+var INVOICE_DUE_DAYS = 15;
+var SERVICE_METRICS = {
+  // KV (Key-Value Store)
+  kv: {
+    operations: "operations",
+    // User-friendly: "100K operations"
+    storage: "storage"
+    // GB-month
+  },
+  // Realtime (Pub/Sub Messaging)
+  realtime: {
+    messages: "messages",
+    // User-friendly: "100K messages"
+    connections: "connections"
+    // SSE subscribe connections
+  },
+  // Other services follow the same pattern
+  ai: {
+    tokens: "tokens"
+  },
+  email: {
+    emails: "emails",
+    marketingEmails: "marketing_emails"
+  },
+  notifications: {
+    sends: "sends"
+  },
+  analytics: {
+    events: "events",
+    forwarding: "forwarding"
+  },
+  storage: {
+    capacity: "capacity",
+    uploads: "uploads",
+    egress: "egress"
+  },
+  auth: {
+    mau: "mau"
+  },
+  flags: {
+    evaluations: "evaluations"
+  },
+  consent: {
+    records: "records"
+  },
+  referrals: {
+    conversions: "conversions"
+  },
+  engagement: {
+    operations: "operations"
+  },
+  billing: {
+    subscriptions: "subscriptions",
+    usageRecords: "usage_records"
+  },
+  search: {
+    documents: "documents",
+    searches: "searches"
+  },
+  webhooks: {
+    deliveries: "deliveries"
+  },
+  monitoring: {
+    errors: "errors"
+  },
+  jobs: {
+    invocations: "invocations",
+    cronSchedules: "cron_schedules"
+  },
+  database: {
+    computeSeconds: "compute_seconds",
+    storage: "storage",
+    dataTransferBytes: "data_transfer_bytes"
+  },
+  deploy: {
+    buildMinutes: "build_minutes"
+  }
+};
+var COMPUTE_VCPU_ACTIVE_RATE_MICRODOLLARS = 400;
+var COMPUTE_VCPU_IDLE_RATE_MICRODOLLARS = 50;
+var COMPUTE_RAM_RATE_MICRODOLLARS = 167;
+var BUILD_MINUTE_PRICES = {
+  standard: 14e3,
+  // $0.014/min
+  large: 3e4,
+  // $0.030/min
+  xlarge: 126e3
+  // $0.126/min
+};
+var BUILD_SIZE_MULTIPLIERS = {
+  standard: 1,
+  large: 2,
+  xlarge: 9
+};
+var BUILD_MINUTES_INCLUDED = {
+  free: 100,
+  pro: 500,
+  team: 2e3,
+  enterprise: 1e4
+};
+var CI_BUILD_MINUTE_PRICE_MICRODOLLARS = BUILD_MINUTE_PRICES.standard;
+var CI_FREE_MINUTES_PER_MONTH = BUILD_MINUTES_INCLUDED.team;
+var CI_SIZE_MULTIPLIERS = {
+  nano: 1,
+  small: 1,
+  standard: 1,
+  large: 2,
+  xlarge: 4,
+  "2xlarge": 8
+};
+var CI_MACOS_SIZE_MULTIPLIERS = {
+  standard: 10,
+  large: 20,
+  xlarge: 40
+};
+var CI_MACOS_MULTIPLIER = CI_MACOS_SIZE_MULTIPLIERS.standard;
+var CREDIT_EXPIRY_MONTHS = 12;
+var MAX_PAYMENT_ATTEMPTS = 3;
+var BILLING_ALLOWED_ROLES = ["super_admin", "admin", "billing"];
+function hasBillingAccess(role) {
+  return BILLING_ALLOWED_ROLES.includes(role);
+}
+
+// src/config/console-keys.ts
+var CONSOLE_APP_SLUG = "sylphx-console";
+function getEnvPrefix() {
+  const envType = process.env.NEXT_PUBLIC_ENV_TYPE;
+  if (envType === "development") return "dev";
+  if (envType === "staging") return "stg";
+  if (envType === "production") return "prod";
+  return process.env.NODE_ENV === "production" ? "prod" : "dev";
+}
+
+// src/config/instance-types.ts
+var VCPU_MINUTE_RATE = 463;
+var GIB_MINUTE_RATE = 232;
+var INSTANCE_TYPE_ALIASES = {
+  "starter-1x": "xs",
+  "standard-1x": "sm",
+  "standard-2x": "md",
+  "performance-m": "lg",
+  "performance-l": "xl",
+  "performance-xl": "2xl"
+};
+function resolveCanonicalInstanceType(id) {
+  return INSTANCE_TYPE_ALIASES[id] ?? id;
+}
+var INSTANCE_TYPES = {
+  // ---- Canonical T-shirt sizes (ADR-034) ----
+  xs: {
+    id: "xs",
+    name: "XS",
+    cpuLimit: "250m",
+    memoryLimit: "512Mi",
+    cpuRequest: "63m",
+    memoryRequest: "256Mi",
+    vcpus: 0.25,
+    memoryMib: 512,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["free", "starter", "pro", "team", "enterprise"],
+    maxReplicas: 1,
+    highlights: ["0.25 vCPU, 0.5 GiB RAM", "Available on all plans", "Ideal for dev/staging"]
+  },
+  sm: {
+    id: "sm",
+    name: "SM",
+    cpuLimit: "500m",
+    memoryLimit: "1Gi",
+    cpuRequest: "125m",
+    memoryRequest: "512Mi",
+    vcpus: 0.5,
+    memoryMib: 1024,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["starter", "pro", "team", "enterprise"],
+    maxReplicas: 3,
+    highlights: ["0.5 vCPU, 1 GiB RAM", "Good for lightweight services", "Starter plan default"]
+  },
+  md: {
+    id: "md",
+    name: "MD",
+    cpuLimit: "1000m",
+    memoryLimit: "2Gi",
+    cpuRequest: "250m",
+    memoryRequest: "1Gi",
+    vcpus: 1,
+    memoryMib: 2048,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["starter", "pro", "team", "enterprise"],
+    maxReplicas: 5,
+    highlights: ["1 vCPU, 2 GiB RAM", "Good for web apps and APIs", "Pro plan default"]
+  },
+  lg: {
+    id: "lg",
+    name: "LG",
+    cpuLimit: "2000m",
+    memoryLimit: "4Gi",
+    cpuRequest: "500m",
+    memoryRequest: "2Gi",
+    vcpus: 2,
+    memoryMib: 4096,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["pro", "team", "enterprise"],
+    maxReplicas: 10,
+    highlights: ["2 vCPUs, 4 GiB RAM", "High-throughput APIs and workers", "Team plan default"]
+  },
+  xl: {
+    id: "xl",
+    name: "XL",
+    cpuLimit: "4000m",
+    memoryLimit: "8Gi",
+    cpuRequest: "1000m",
+    memoryRequest: "4Gi",
+    vcpus: 4,
+    memoryMib: 8192,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["team", "enterprise"],
+    maxReplicas: 10,
+    highlights: ["4 vCPUs, 8 GiB RAM", "CI builds and ML inference", "Enterprise plan default"]
+  },
+  "2xl": {
+    id: "2xl",
+    name: "2XL",
+    cpuLimit: "8000m",
+    memoryLimit: "16Gi",
+    cpuRequest: "2000m",
+    memoryRequest: "8Gi",
+    vcpus: 8,
+    memoryMib: 16384,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["team", "enterprise"],
+    maxReplicas: 20,
+    highlights: ["8 vCPUs, 16 GiB RAM", "Heavy compute and large builds", "Team/Enterprise"]
+  },
+  "4xl": {
+    id: "4xl",
+    name: "4XL",
+    cpuLimit: "16000m",
+    memoryLimit: "32Gi",
+    cpuRequest: "4000m",
+    memoryRequest: "16Gi",
+    vcpus: 16,
+    memoryMib: 32768,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["enterprise"],
+    maxReplicas: 20,
+    highlights: ["16 vCPUs, 32 GiB RAM", "Maximum compute power", "Enterprise exclusive"]
+  },
+  // ---- Legacy names (deprecated — kept for backward compat with DB values) ----
+  /** @deprecated Use 'xs' instead */
+  "starter-1x": {
+    id: "starter-1x",
+    name: "Starter 1x",
+    cpuLimit: "1000m",
+    memoryLimit: "2Gi",
+    cpuRequest: "250m",
+    memoryRequest: "1Gi",
+    vcpus: 1,
+    memoryMib: 2048,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["free", "starter", "pro", "team", "enterprise"],
+    maxReplicas: 3,
+    highlights: ["1 vCPU, 2 GiB RAM", "Available on all plans", "Ideal for lightweight services"],
+    deprecated: true
+  },
+  /** @deprecated Use 'sm' instead */
+  "standard-1x": {
+    id: "standard-1x",
+    name: "Standard 1x",
+    cpuLimit: "2000m",
+    memoryLimit: "4Gi",
+    cpuRequest: "500m",
+    memoryRequest: "2Gi",
+    vcpus: 2,
+    memoryMib: 4096,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["starter", "pro", "team", "enterprise"],
+    maxReplicas: 5,
+    highlights: ["2 vCPUs, 4 GiB RAM", "Good for web apps and APIs", "Starter plan default"],
+    deprecated: true
+  },
+  /** @deprecated Use 'md' instead */
+  "standard-2x": {
+    id: "standard-2x",
+    name: "Standard 2x",
+    cpuLimit: "2000m",
+    memoryLimit: "8Gi",
+    cpuRequest: "500m",
+    memoryRequest: "4Gi",
+    vcpus: 2,
+    memoryMib: 8192,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["starter", "pro", "team", "enterprise"],
+    maxReplicas: 5,
+    highlights: [
+      "2 vCPUs, 8 GiB RAM",
+      "Double memory for data-heavy workloads",
+      "Pro plan default"
+    ],
+    deprecated: true
+  },
+  /** @deprecated Use 'lg' instead */
+  "performance-m": {
+    id: "performance-m",
+    name: "Performance M",
+    cpuLimit: "4000m",
+    memoryLimit: "16Gi",
+    cpuRequest: "1000m",
+    memoryRequest: "8Gi",
+    vcpus: 4,
+    memoryMib: 16384,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["pro", "team", "enterprise"],
+    maxReplicas: 10,
+    highlights: ["4 vCPUs, 16 GiB RAM", "High-throughput APIs and workers", "Team plan default"],
+    deprecated: true
+  },
+  /** @deprecated Use 'xl' instead */
+  "performance-l": {
+    id: "performance-l",
+    name: "Performance L",
+    cpuLimit: "8000m",
+    memoryLimit: "32Gi",
+    cpuRequest: "2000m",
+    memoryRequest: "16Gi",
+    vcpus: 8,
+    memoryMib: 32768,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["team", "enterprise"],
+    maxReplicas: 10,
+    highlights: ["8 vCPUs, 32 GiB RAM", "CI builds and ML inference", "Enterprise plan default"],
+    deprecated: true
+  },
+  /** @deprecated Use '2xl' instead */
+  "performance-xl": {
+    id: "performance-xl",
+    name: "Performance XL",
+    cpuLimit: "16000m",
+    memoryLimit: "64Gi",
+    cpuRequest: "4000m",
+    memoryRequest: "32Gi",
+    vcpus: 16,
+    memoryMib: 65536,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["enterprise"],
+    maxReplicas: 20,
+    highlights: ["16 vCPUs, 64 GiB RAM", "Heavy compute and large builds", "Enterprise exclusive"],
+    deprecated: true
+  }
+};
+var INSTANCE_TYPE_ORDER = ["xs", "sm", "md", "lg", "xl", "2xl", "4xl"];
+var LEGACY_INSTANCE_TYPE_ORDER = [
+  "starter-1x",
+  "standard-1x",
+  "standard-2x",
+  "performance-m",
+  "performance-l",
+  "performance-xl"
+];
+var DEFAULT_INSTANCE_TYPE = {
+  free: "xs",
+  starter: "sm",
+  pro: "md",
+  team: "lg",
+  enterprise: "xl"
+};
+function getDefaultInstanceType(plan) {
+  return DEFAULT_INSTANCE_TYPE[plan];
+}
+function getAvailableInstanceTypes(plan) {
+  return INSTANCE_TYPE_ORDER.map((id) => INSTANCE_TYPES[id]).filter(
+    (t) => t.allowedPlans.includes(plan) && !t.deprecated
+  );
+}
+function resolveResources(id) {
+  const t = INSTANCE_TYPES[id];
+  return {
+    requests: { cpu: t.cpuRequest, memory: t.memoryRequest },
+    limits: { cpu: t.cpuLimit, memory: t.memoryLimit }
+  };
+}
+function resolveMaxReplicas(id) {
+  return INSTANCE_TYPES[id].maxReplicas;
+}
+var DEFAULT_MAX_REPLICAS = 10;
+function isValidInstanceType(id) {
+  return id in INSTANCE_TYPES;
+}
+function validateInstanceTypeForPlan(id, plan) {
+  const canonicalId = resolveCanonicalInstanceType(id);
+  if (!isValidInstanceType(canonicalId)) {
+    return { valid: false, error: `Unknown instance type: ${id}` };
+  }
+  const definition = INSTANCE_TYPES[canonicalId];
+  if (!definition.allowedPlans.includes(plan)) {
+    return {
+      valid: false,
+      error: `Instance type "${definition.name}" is not available on the ${plan} plan`
+    };
+  }
+  return { valid: true };
+}
+
+// src/config/platform-plans.ts
+var PLATFORM_PLANS = {
+  free: {
+    id: "free",
+    name: "Free",
+    priceMonthly: 0,
+    priceAnnual: 0,
+    includedCreditsMicrodollars: 5e6,
+    // $5
+    features: {
+      customDomains: false,
+      sso: false,
+      priorityCi: false,
+      macosCi: false,
+      support: "community",
+      sla: null,
+      rbac: false,
+      advancedAnalytics: false,
+      whiteLabel: false
+    },
+    limits: {
+      maxProjects: 1,
+      maxMembers: 1,
+      maxCustomDomains: 0,
+      maxConcurrentRunners: 1,
+      maxMacosRunners: 0,
+      maxDatabases: 1,
+      ciMaxJobDurationSeconds: 30 * 60,
+      // 30 min
+      apiRateLimitPerMin: 60,
+      auditLogDays: 0,
+      maxReplicas: 1,
+      includedBuildMinutes: 100,
+      includedBandwidthGb: 100,
+      logRetentionDays: 1,
+      buildMachineTier: "standard"
+    },
+    highlights: [
+      "1 project",
+      "$5 compute credits/mo",
+      "100 build minutes",
+      "100 GB bandwidth",
+      "Community support"
+    ],
+    cta: "Start free"
+  },
+  /**
+   * @deprecated ADR-034 removed the Starter tier. Retained for backward compatibility
+   * with existing subscribers. Not shown in pricing UI for new sign-ups.
+   */
+  starter: {
+    id: "starter",
+    name: "Starter",
+    deprecated: true,
+    priceMonthly: 1900,
+    // $19
+    priceAnnual: 18240,
+    // $19 x 12 x 0.80 = $182.40
+    includedCreditsMicrodollars: 19e6,
+    // $19
+    features: {
+      customDomains: true,
+      sso: false,
+      priorityCi: false,
+      macosCi: true,
+      support: "email",
+      sla: null,
+      rbac: false,
+      advancedAnalytics: false,
+      whiteLabel: false
+    },
+    limits: {
+      maxProjects: 10,
+      maxMembers: 10,
+      maxCustomDomains: 5,
+      maxConcurrentRunners: 5,
+      maxMacosRunners: 1,
+      maxDatabases: 10,
+      ciMaxJobDurationSeconds: 60 * 60,
+      // 1 hr
+      apiRateLimitPerMin: 300,
+      auditLogDays: 30,
+      maxReplicas: 3,
+      includedBuildMinutes: 250,
+      includedBandwidthGb: 500,
+      logRetentionDays: 7,
+      buildMachineTier: "standard"
+    },
+    highlights: ["$19 credits/mo", "10 projects", "Custom domains", "macOS CI", "Email support"],
+    cta: "Get started"
+  },
+  pro: {
+    id: "pro",
+    name: "Pro",
+    priceMonthly: 2e3,
+    // $20
+    priceAnnual: 19200,
+    // $20 x 12 x 0.80 = $192 ($16/mo)
+    includedCreditsMicrodollars: 2e7,
+    // $20
+    features: {
+      customDomains: true,
+      sso: false,
+      priorityCi: true,
+      macosCi: true,
+      support: "priority",
+      sla: "99.9%",
+      rbac: true,
+      advancedAnalytics: true,
+      whiteLabel: false
+    },
+    limits: {
+      maxProjects: null,
+      // unlimited
+      maxMembers: 25,
+      maxCustomDomains: null,
+      // unlimited
+      maxConcurrentRunners: 20,
+      maxMacosRunners: 5,
+      maxDatabases: null,
+      // unlimited
+      ciMaxJobDurationSeconds: 2 * 60 * 60,
+      // 2 hrs
+      apiRateLimitPerMin: 1e3,
+      auditLogDays: 90,
+      maxReplicas: 10,
+      includedBuildMinutes: 500,
+      includedBandwidthGb: 1e3,
+      logRetentionDays: 14,
+      buildMachineTier: "standard"
+    },
+    highlights: [
+      "Unlimited projects",
+      "$20 credits/mo",
+      "500 build minutes",
+      "1 TB bandwidth",
+      "Priority support",
+      "SLA 99.9%"
+    ],
+    badge: "Most Popular",
+    cta: "Start Pro"
+  },
+  team: {
+    id: "team",
+    name: "Team",
+    priceMonthly: 2e3,
+    // $20/user
+    priceAnnual: 19200,
+    // $192/user/yr ($16/user/mo)
+    includedCreditsMicrodollars: 2e7,
+    // $20/user
+    perSeat: true,
+    features: {
+      customDomains: true,
+      sso: true,
+      priorityCi: true,
+      macosCi: true,
+      support: "dedicated",
+      sla: "99.95%",
+      rbac: true,
+      advancedAnalytics: true,
+      whiteLabel: true
+    },
+    limits: {
+      maxProjects: null,
+      // unlimited
+      maxMembers: null,
+      // unlimited
+      maxCustomDomains: null,
+      // unlimited
+      maxConcurrentRunners: null,
+      // unlimited
+      maxMacosRunners: null,
+      // unlimited
+      maxDatabases: null,
+      // unlimited
+      ciMaxJobDurationSeconds: 6 * 60 * 60,
+      // 6 hrs
+      apiRateLimitPerMin: 5e3,
+      auditLogDays: 365,
+      maxReplicas: 20,
+      includedBuildMinutes: 2e3,
+      includedBandwidthGb: 5e3,
+      logRetentionDays: 30,
+      buildMachineTier: "large"
+    },
+    highlights: [
+      "$20/user/mo",
+      "SSO / SAML",
+      "2,000 large build minutes",
+      "5 TB bandwidth",
+      "Dedicated support",
+      "SLA 99.95%"
+    ],
+    cta: "Get Team"
+  },
+  enterprise: {
+    id: "enterprise",
+    name: "Enterprise",
+    priceMonthly: null,
+    // custom
+    priceAnnual: null,
+    // custom
+    includedCreditsMicrodollars: 0,
+    // negotiated
+    isCustom: true,
+    features: {
+      customDomains: true,
+      sso: true,
+      priorityCi: true,
+      macosCi: true,
+      support: "dedicated",
+      sla: "Custom",
+      rbac: true,
+      advancedAnalytics: true,
+      whiteLabel: true
+    },
+    limits: {
+      maxProjects: null,
+      maxMembers: null,
+      maxCustomDomains: null,
+      maxConcurrentRunners: null,
+      maxMacosRunners: null,
+      maxDatabases: null,
+      ciMaxJobDurationSeconds: 12 * 60 * 60,
+      apiRateLimitPerMin: 0,
+      // 0 = unlimited / negotiated
+      auditLogDays: 730,
+      maxReplicas: null,
+      // custom
+      includedBuildMinutes: 0,
+      // negotiated
+      includedBandwidthGb: 0,
+      // negotiated
+      logRetentionDays: 90,
+      buildMachineTier: "xlarge"
+    },
+    highlights: [
+      "Custom credit volume",
+      "Volume discounts",
+      "Dedicated infrastructure",
+      "Custom SLA",
+      "White-glove onboarding",
+      "Custom contracts"
+    ],
+    cta: "Contact sales"
+  }
+};
+var PLATFORM_PLAN_ORDER = ["free", "pro", "team", "enterprise"];
+var PLATFORM_PLAN_ORDER_ALL = [
+  "free",
+  "starter",
+  "pro",
+  "team",
+  "enterprise"
+];
+function isPlanDeprecated(planId) {
+  return PLATFORM_PLANS[planId].deprecated === true;
+}
+function getActivePlans() {
+  return PLATFORM_PLAN_ORDER.map((id) => PLATFORM_PLANS[id]);
+}
+function microsToDollars(microdollars) {
+  return `$${(microdollars / 1e6).toFixed(0)}`;
+}
+function centsToDollars(cents) {
+  return `$${(cents / 100).toFixed(0)}`;
+}
+function getPlanMonthlyPrice(plan, annual = false) {
+  if (plan.isCustom) return "Custom";
+  const cents = annual && plan.priceAnnual != null ? Math.round(plan.priceAnnual / 12) : plan.priceMonthly;
+  if (cents == null) return "Custom";
+  if (cents === 0) return "$0";
+  const base = centsToDollars(cents);
+  return plan.perSeat ? `${base}/user` : base;
+}
+
 // src/debug.ts
 var DEBUG_STORAGE_KEY = "sylphx_debug";
 function isDebugEnabled() {
@@ -5880,400 +7173,98 @@ init_errors();
 
 // src/auth.ts
 import { authEndpoints } from "@sylphx/contract";
-async function signIn(config, input) {
-  const body = input;
-  const endpoint = authEndpoints.signIn;
-  return callApi(config, endpoint.path, {
-    method: endpoint.method,
-    body
-  });
-}
-async function signUp(config, input) {
-  const endpoint = authEndpoints.signUp;
-  return callApi(config, endpoint.path, {
-    method: endpoint.method,
-    body: input
-  });
-}
-async function signOut(config) {
-  const endpoint = authEndpoints.signOut;
-  await callApi(config, endpoint.path, { method: endpoint.method });
-}
-async function refreshToken(config, token) {
-  return callApi(config, "/auth/token", {
-    method: "POST",
-    body: {
-      grant_type: "refresh_token",
-      refresh_token: token,
-      client_secret: config.secretKey
+
+// src/dpop.ts
+var dpop = {
+  /**
+   * Generate a fresh ES256 key pair. Private key is non-extractable
+   * (`extractable: false`) so it can be stored but never serialised.
+   */
+  async generateKeyPair() {
+    const { privateKey, publicKey } = await crypto.subtle.generateKey(
+      { name: "ECDSA", namedCurve: "P-256" },
+      false,
+      ["sign", "verify"]
+    );
+    const publicJwk = await crypto.subtle.exportKey("jwk", publicKey);
+    const thumbprint = await thumbprintFromJwk(sanitisePublicJwk(publicJwk));
+    return { privateKey, publicKey, thumbprint };
+  },
+  /**
+   * Sign a DPoP proof JWT. When `accessToken` is provided, the proof
+   * includes `ath = base64url(sha256(accessToken))` so the resource
+   * server can bind the proof to the token being presented.
+   */
+  async generateProof(opts) {
+    const publicJwkRaw = await crypto.subtle.exportKey("jwk", opts.publicKey);
+    const publicJwk = sanitisePublicJwk(publicJwkRaw);
+    const header = { typ: "dpop+jwt", alg: "ES256", jwk: publicJwk };
+    const payload = {
+      jti: randomJti(),
+      htm: opts.method.toUpperCase(),
+      htu: stripQueryAndFragment(opts.uri),
+      iat: Math.floor(Date.now() / 1e3)
+    };
+    if (opts.accessToken) {
+      payload.ath = await sha256Base64Url(new TextEncoder().encode(opts.accessToken));
     }
-  });
-}
-async function verifyEmail(config, token) {
-  await callApi(config, "/auth/verify-email", {
-    method: "POST",
-    body: { token }
-  });
-}
-async function forgotPassword(config, email, options = {}) {
-  await callApi(config, "/auth/forgot-password", {
-    method: "POST",
-    body: {
-      email,
-      ...options.redirectUrl ? { redirectUrl: options.redirectUrl } : {}
-    }
-  });
-}
-async function resendVerificationEmail(config, email) {
-  const endpoint = authEndpoints.resendEmailVerification;
-  const body = { email };
-  await callApi(config, endpoint.path, {
-    method: endpoint.method,
-    body
-  });
-}
-async function resetPassword(config, input) {
-  await callApi(config, "/auth/reset-password", {
-    method: "POST",
-    body: { token: input.token, password: input.password }
-  });
-}
-async function getSession(config) {
-  if (!config.accessToken) {
-    return { user: null };
-  }
-  const endpoint = authEndpoints.getSession;
-  try {
-    const user2 = await callApi(config, endpoint.path, {
-      method: endpoint.method
-    });
-    return { user: user2 };
-  } catch {
-    return { user: null };
-  }
-}
-async function verifyTwoFactor(config, userId, code) {
-  return callApi(config, "/auth/verify-2fa", {
-    method: "POST",
-    body: { userId, code }
-  });
-}
-async function introspectToken(config, token, tokenTypeHint) {
-  const response = await fetch(buildApiUrl(config, "/auth/introspect"), {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      // RFC 7662 §2: server-to-server call — authenticate with secret key
-      "x-app-secret": config.secretKey ?? ""
-    },
-    body: JSON.stringify({
-      token,
-      token_type_hint: tokenTypeHint
-    })
-  });
-  if (!response.ok) {
-    return { active: false };
-  }
-  return response.json();
-}
-async function revokeToken(config, token, options) {
-  await fetch(buildApiUrl(config, "/auth/revoke"), {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({
-      token: options?.revokeAll ? void 0 : token,
-      client_secret: config.secretKey,
-      user_id: options?.userId,
-      revoke_all: options?.revokeAll
-    })
-  });
-}
-async function revokeAllTokens(config, userId) {
-  await revokeToken(config, "", { revokeAll: true, userId });
-}
-async function extendedSignUp(config, input) {
-  return callApi(config, "/auth/register", {
-    method: "POST",
-    body: input
-  });
-}
-async function inviteUser(config, input) {
-  return callApi(config, "/auth/invite", {
-    method: "POST",
-    body: input
-  });
-}
-function normalizeOrgScopedTokenResponse(data) {
-  const accessToken = data.accessToken ?? data.access_token;
-  if (!accessToken) {
-    throw new Error("Invalid org-scoped token response: missing access token");
-  }
-  return {
-    token: accessToken,
-    accessToken,
-    expiresIn: data.expiresIn ?? data.expires_in,
-    tokenType: data.tokenType ?? data.token_type,
-    user: data.user
-  };
-}
-async function getOrgScopedToken(config, orgId) {
-  const data = await callApi(config, "/auth/switch-org", {
-    method: "POST",
-    body: { orgId }
-  });
-  return normalizeOrgScopedTokenResponse(data);
-}
-async function switchOrg(config, orgId) {
-  return getOrgScopedToken(config, orgId);
-}
-var device = {
-  /**
-   * Start a device authorization grant.
-   *
-   * Returns a `DeviceGrant` with `verification_uri_complete` (open this
-   * in the user's browser) and `device_code` (use for polling).
-   *
-   * @example
-   * ```typescript
-   * const grant = await device.init({
-   *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-   *   clientId: 'sylphx-cli',
-   *   scope: ['org:read', 'project:*'],
-   * })
-   * openBrowser(grant.verification_uri_complete)
-   * ```
-   */
-  async init(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/device`, {
-      method: "POST",
-      headers: buildDeviceHeaders(opts.userAgent),
-      body: JSON.stringify({
-        client_id: opts.clientId,
-        scope: opts.scope ?? []
-      })
-    });
-    if (!res.ok) throw await deviceError(res, "device.init");
-    return await res.json();
-  },
-  /**
-   * Poll a pending grant. Returns `status: 'pending' | 'approved' |
-   * 'denied' | 'expired'`. On `approved`, the result carries the OAuth
-   * pair (access_token + refresh_token).
-   *
-   * Callers MUST respect the `interval` returned by `init()` — polling
-   * faster than that may return 429 slow_down (RFC 8628 §5.5).
-   */
-  async poll(opts) {
-    const url = new URL(`${opts.baseUrl.replace(/\/$/, "")}/auth/device/poll`);
-    url.searchParams.set("device_code", opts.deviceCode);
-    const res = await fetch(url.toString(), {
-      method: "GET",
-      headers: buildDeviceHeaders(opts.userAgent)
-    });
-    if (!res.ok) throw await deviceError(res, "device.poll");
-    return await res.json();
-  },
-  /**
-   * Browser leg — the approving user confirms the grant.
-   *
-   * Requires a valid platform-issued access token (`Authorization:
-   * Bearer <accessToken>`) proving the user is logged in on the
-   * Console. Typically called by the Console's `/device` verification
-   * page server-side, forwarding the user's session JWT.
-   */
-  async approve(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/device/approve`, {
-      method: "POST",
-      headers: {
-        ...buildDeviceHeaders(opts.userAgent),
-        Authorization: `Bearer ${opts.accessToken}`
-      },
-      body: JSON.stringify({ user_code: opts.userCode })
-    });
-    if (!res.ok) throw await deviceError(res, "device.approve");
-    return await res.json();
-  },
-  /**
-   * Browser leg — the user declines the grant.
-   *
-   * Requires a valid platform-issued access token just like `approve`.
-   */
-  async deny(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/device/deny`, {
-      method: "POST",
-      headers: {
-        ...buildDeviceHeaders(opts.userAgent),
-        Authorization: `Bearer ${opts.accessToken}`
-      },
-      body: JSON.stringify({ user_code: opts.userCode })
-    });
-    if (!res.ok) throw await deviceError(res, "device.deny");
-    return await res.json();
-  }
-};
-function buildDeviceHeaders(userAgent) {
-  const headers = {
-    "Content-Type": "application/json"
-  };
-  if (userAgent) headers["User-Agent"] = userAgent;
-  return headers;
-}
-var sessions = {
-  /**
-   * List every active platform session for the authenticated user.
-   *
-   * Ordering: most-recently-active first.
-   *
-   * @example
-   * ```typescript
-   * const { sessions } = await auth.sessions.list({
-   *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-   *   accessToken: platformJwt,
-   * })
-   * ```
-   */
-  async list(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions`, {
-      method: "GET",
-      headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent)
-    });
-    if (!res.ok) throw await platformSessionError(res, "sessions.list");
-    return await res.json();
-  },
-  /**
-   * Revoke a specific platform session by id.
-   *
-   * `sessionId` accepts either the prefixed TypeID (`sess_*`) or the
-   * raw UUID — the BaaS side normalises via `parseIdOrError`.
-   *
-   * @example
-   * ```typescript
-   * await auth.sessions.revoke({
-   *   baseUrl,
-   *   accessToken,
-   *   sessionId: 'sess_01hxyz...',
-   * })
-   * ```
-   */
-  async revoke(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions/revoke`, {
-      method: "POST",
-      headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent),
-      body: JSON.stringify({ sessionId: opts.sessionId })
-    });
-    if (!res.ok) throw await platformSessionError(res, "sessions.revoke");
-    return await res.json();
-  },
-  /**
-   * Revoke every platform session except the one presenting the
-   * current access token. Used by "sign me out of all other devices".
-   *
-   * When the caller's JWT has no `sid` claim (pure-Bearer CLI/CI
-   * flows), this degenerates to `revokeAll` — every session is
-   * wiped — because there's no "current" row to keep.
-   *
-   * @example
-   * ```typescript
-   * const { revokedCount } = await auth.sessions.revokeOther({
-   *   baseUrl,
-   *   accessToken,
-   * })
-   * ```
-   */
-  async revokeOther(opts) {
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions/revoke-other`,
-      {
-        method: "POST",
-        headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent)
-      }
-    );
-    if (!res.ok) throw await platformSessionError(res, "sessions.revokeOther");
-    return await res.json();
-  },
-  /**
-   * Revoke every platform session for the user, including the
-   * caller's own. Used by "sign me out everywhere" — after a
-   * password change, a compromise scare, or GDPR-style erasure.
-   *
-   * The response includes the count of sessions that were
-   * revoked so the caller can surface it in a toast or audit UI.
-   *
-   * @example
-   * ```typescript
-   * const { count } = await auth.sessions.revokeAll({
-   *   baseUrl,
-   *   accessToken,
-   * })
-   * ```
-   */
-  async revokeAll(opts) {
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions/revoke-all`,
-      {
-        method: "POST",
-        headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent)
-      }
+    if (opts.nonce) payload.nonce = opts.nonce;
+    const headerB64 = base64UrlEncode(new TextEncoder().encode(JSON.stringify(header)));
+    const payloadB64 = base64UrlEncode(new TextEncoder().encode(JSON.stringify(payload)));
+    const signingInput = `${headerB64}.${payloadB64}`;
+    const signingBytes = new TextEncoder().encode(signingInput);
+    const signingBuf = new Uint8Array(signingBytes.byteLength);
+    signingBuf.set(signingBytes);
+    const sigBuf = await crypto.subtle.sign(
+      { name: "ECDSA", hash: "SHA-256" },
+      opts.privateKey,
+      signingBuf.buffer
     );
-    if (!res.ok) throw await platformSessionError(res, "sessions.revokeAll");
-    return await res.json();
-  },
-  /**
-   * Rename a platform session (device label).
-   *
-   * `sessionId` accepts either the prefixed TypeID or the raw UUID;
-   * `name` is a user-supplied string (≤100 chars) surfaced in the
-   * "Active sessions" Console UI.
-   *
-   * @example
-   * ```typescript
-   * await auth.sessions.rename({
-   *   baseUrl,
-   *   accessToken,
-   *   sessionId,
-   *   name: 'MacBook (work)',
-   * })
-   * ```
-   */
-  async rename(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions/rename`, {
-      method: "POST",
-      headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent),
-      body: JSON.stringify({
-        sessionId: opts.sessionId,
-        name: opts.name
-      })
-    });
-    if (!res.ok) throw await platformSessionError(res, "sessions.rename");
-    return await res.json();
+    const sigB64 = base64UrlEncode(new Uint8Array(sigBuf));
+    return `${signingInput}.${sigB64}`;
   }
 };
-function buildPlatformSessionsHeaders(accessToken, userAgent) {
-  const headers = {
-    "Content-Type": "application/json",
-    Authorization: `Bearer ${accessToken}`
-  };
-  if (userAgent) headers["User-Agent"] = userAgent;
-  return headers;
+function sanitisePublicJwk(jwk) {
+  if (jwk.kty !== "EC" || jwk.crv !== "P-256" || !jwk.x || !jwk.y) {
+    throw new Error("DPoP expects ES256 (EC P-256) JWK");
+  }
+  return { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y };
+}
+async function thumbprintFromJwk(jwk) {
+  const canonical = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y });
+  return sha256Base64Url(new TextEncoder().encode(canonical));
+}
+async function sha256Base64Url(data) {
+  const copy = new Uint8Array(data.byteLength);
+  copy.set(data);
+  const digest2 = await crypto.subtle.digest("SHA-256", copy.buffer);
+  return base64UrlEncode(new Uint8Array(digest2));
+}
+function base64UrlEncode(bytes) {
+  let s = "";
+  for (let i = 0; i < bytes.length; i++) s += String.fromCharCode(bytes[i]);
+  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function stripQueryAndFragment(uri) {
+  try {
+    const u = new URL(uri);
+    return `${u.protocol}//${u.host}${u.pathname}`;
+  } catch {
+    const q = uri.indexOf("?");
+    const h = uri.indexOf("#");
+    const cut = [q, h].filter((i) => i >= 0).sort((a, b) => a - b)[0];
+    return cut === void 0 ? uri : uri.slice(0, cut);
+  }
+}
+function randomJti() {
+  const bytes = new Uint8Array(16);
+  crypto.getRandomValues(bytes);
+  return base64UrlEncode(bytes);
 }
+
+// src/platform-auth.ts
+init_errors();
 var platformAuth = {
-  /**
-   * Rotate a Platform refresh token. The presented token is consumed
-   * single-use; the response carries a fresh access JWT plus the
-   * rotated refresh token that supersedes it.
-   *
-   * On reuse-detection / expiry the server returns 401 — the SDK
-   * preserves the upstream message so callers can pattern-match
-   * `"reuse"` per RFC 6819 §5.2.2.3 and scrub local credentials.
-   *
-   * @example
-   * ```typescript
-   * const tokens = await auth.platformAuth.refresh({
-   *   baseUrl: 'https://sylphx.com',
-   *   refreshToken: stored.refreshToken,
-   * })
-   * ```
-   */
   async refresh(opts) {
     const headers = { "Content-Type": "application/json" };
     if (opts.userAgent) headers["User-Agent"] = opts.userAgent;
@@ -6286,19 +7277,6 @@ var platformAuth = {
     if (!res.ok) throw await platformAuthError(res, "platformAuth.refresh");
     return await res.json();
   },
-  /**
-   * Revoke a Platform refresh token (logout). Server-side revocation
-   * failure is the caller's call to surface — local-credential cleanup
-   * is the CLI's responsibility (logout must succeed offline).
-   *
-   * @example
-   * ```typescript
-   * await auth.platformAuth.logout({
-   *   baseUrl: 'https://sylphx.com',
-   *   refreshToken: stored.refreshToken,
-   * })
-   * ```
-   */
   async logout(opts) {
     const headers = { "Content-Type": "application/json" };
     if (opts.userAgent) headers["User-Agent"] = opts.userAgent;
@@ -6312,7 +7290,6 @@ var platformAuth = {
   }
 };
 async function platformAuthError(res, operation) {
-  const { SylphxError: SylphxError2 } = await Promise.resolve().then(() => (init_errors(), errors_exports));
   const body = await res.text().catch(() => "");
   let code = "platform_auth_error";
   let message2 = `${operation} failed: HTTP ${res.status}`;
@@ -6334,327 +7311,137 @@ async function platformAuthError(res, operation) {
   else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
   else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
   else errorCode = "BAD_REQUEST";
-  return new SylphxError2(message2, {
-    code: errorCode,
-    status: res.status,
-    data: { operation, code }
-  });
-}
-async function platformSessionError(res, operation) {
-  const { SylphxError: SylphxError2 } = await Promise.resolve().then(() => (init_errors(), errors_exports));
-  const body = await res.text().catch(() => "");
-  let code = "platform_sessions_error";
-  let message2 = `${operation} failed: HTTP ${res.status}`;
-  try {
-    const parsed = JSON.parse(body);
-    if (parsed.error) code = parsed.error;
-    if (parsed.error_description) message2 = parsed.error_description;
-    else if (parsed.message) message2 = parsed.message;
-  } catch {
-  }
-  let errorCode;
-  if (res.status === 401) errorCode = "UNAUTHORIZED";
-  else if (res.status === 404) errorCode = "NOT_FOUND";
-  else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
-  else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
-  else errorCode = "BAD_REQUEST";
-  return new SylphxError2(message2, {
+  return new SylphxError(message2, {
     code: errorCode,
     status: res.status,
     data: { operation, code }
   });
 }
-async function deviceError(res, operation) {
-  const { SylphxError: SylphxError2 } = await Promise.resolve().then(() => (init_errors(), errors_exports));
-  const body = await res.text().catch(() => "");
-  let code = "device_flow_error";
-  let message2 = `${operation} failed: HTTP ${res.status}`;
-  try {
-    const parsed = JSON.parse(body);
-    if (parsed.error) code = parsed.error;
-    if (parsed.error_description) message2 = parsed.error_description;
-  } catch {
-  }
-  return new SylphxError2(message2, {
-    code: res.status === 429 ? "TOO_MANY_REQUESTS" : "BAD_REQUEST",
-    status: res.status,
-    data: { operation, code }
-  });
-}
-var password = {
-  /**
-   * Check whether the authenticated platform user has a password set.
-   *
-   * Returns `{ hasPassword: true }` for users that signed up with
-   * email+password (or later called `set`), `{ hasPassword: false }`
-   * for OAuth-only users (e.g. signed up via Google/GitHub).
-   *
-   * @example
-   * ```typescript
-   * const { hasPassword } = await auth.password.status({
-   *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-   *   accessToken: platformJwt,
-   * })
-   * ```
-   */
-  async status(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-password/status`, {
-      method: "GET",
-      headers: buildPlatformPasswordHeaders(opts.accessToken, opts.userAgent)
-    });
-    if (!res.ok) throw await platformPasswordError(res, "password.status");
-    return await res.json();
-  },
-  /**
-   * Set an initial password for an OAuth-only user.
-   *
-   * Fails with 400 if the user already has a password (use `change`
-   * instead), if the password is <8 characters, or if HIBP reports
-   * the password as breached. BaaS invalidates every other session
-   * for the user (keeping the caller's current one) after a
-   * successful set.
-   *
-   * @example
-   * ```typescript
-   * await auth.password.set({
-   *   baseUrl,
-   *   accessToken,
-   *   password: 'correct-horse-battery-staple',
-   * })
-   * ```
-   */
-  async set(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-password/set`, {
-      method: "POST",
-      headers: buildPlatformPasswordHeaders(opts.accessToken, opts.userAgent),
-      body: JSON.stringify({
-        password: opts.password
-      })
-    });
-    if (!res.ok) throw await platformPasswordError(res, "password.set");
+
+// src/platform-impersonation.ts
+init_errors();
+var impersonation = {
+  async start(opts) {
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/start`,
+      {
+        method: "POST",
+        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
+        body: JSON.stringify({
+          targetUserId: opts.targetUserId,
+          ...opts.ipAddress !== void 0 && { ipAddress: opts.ipAddress },
+          ...opts.userAgent !== void 0 && { userAgent: opts.userAgent }
+        })
+      }
+    );
+    if (!res.ok) throw await impersonationError(res, "impersonation.start");
     return await res.json();
   },
-  /**
-   * Change an existing password.
-   *
-   * Verifies `currentPassword` server-side; a mismatch returns 401.
-   * OAuth-only users (no existing password) get 400 — use `set`
-   * instead. New password must be ≥8 characters and must not be in
-   * HIBP's breach database. BaaS invalidates every other session
-   * for the user (keeping the caller's current one) after a
-   * successful change.
-   *
-   * @example
-   * ```typescript
-   * await auth.password.change({
-   *   baseUrl,
-   *   accessToken,
-   *   currentPassword: 'old-plaintext',
-   *   newPassword: 'new-plaintext',
-   * })
-   * ```
-   */
-  async change(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-password/change`, {
+  async end(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/end`, {
       method: "POST",
-      headers: buildPlatformPasswordHeaders(opts.accessToken, opts.userAgent),
-      body: JSON.stringify({
-        currentPassword: opts.currentPassword,
-        newPassword: opts.newPassword
-      })
-    });
-    if (!res.ok) throw await platformPasswordError(res, "password.change");
-    return await res.json();
-  }
-};
-function buildPlatformPasswordHeaders(accessToken, userAgent) {
-  const headers = {
-    "Content-Type": "application/json",
-    Authorization: `Bearer ${accessToken}`
-  };
-  if (userAgent) headers["User-Agent"] = userAgent;
-  return headers;
-}
-async function platformPasswordError(res, operation) {
-  const { SylphxError: SylphxError2 } = await Promise.resolve().then(() => (init_errors(), errors_exports));
-  const body = await res.text().catch(() => "");
-  let code = "platform_password_error";
-  let message2 = `${operation} failed: HTTP ${res.status}`;
-  try {
-    const parsed = JSON.parse(body);
-    if (parsed.error) code = parsed.error;
-    if (parsed.error_description) message2 = parsed.error_description;
-    else if (parsed.message) message2 = parsed.message;
-  } catch {
-  }
-  let errorCode;
-  if (res.status === 401) errorCode = "UNAUTHORIZED";
-  else if (res.status === 404) errorCode = "NOT_FOUND";
-  else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
-  else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
-  else errorCode = "BAD_REQUEST";
-  return new SylphxError2(message2, {
-    code: errorCode,
-    status: res.status,
-    data: { operation, code }
-  });
-}
-var user = {
-  /**
-   * Export every piece of personal data the platform holds about the
-   * authenticated user (GDPR Article 20 — right to data portability).
-   *
-   * The returned record is deliberately loose — it contains the user
-   * row, sessions, OAuth accounts, login history, security alerts,
-   * organization memberships, subscriptions, per-project memberships,
-   * and storage file metadata. Shape varies with customer provisioning.
-   *
-   * @example
-   * ```typescript
-   * const data = await auth.user.exportData({
-   *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-   *   accessToken: platformJwt,
-   * })
-   * downloadAsJson(data, 'my-sylphx-data.json')
-   * ```
-   */
-  async exportData(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/export`, {
-      method: "GET",
-      headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent)
+      headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
+      body: JSON.stringify(opts.sessionId !== void 0 ? { sessionId: opts.sessionId } : {})
     });
-    if (!res.ok) throw await platformUserError(res, "user.exportData");
+    if (!res.ok) throw await impersonationError(res, "impersonation.end");
     return await res.json();
   },
-  /**
-   * Permanently delete the authenticated user's account (GDPR Article
-   * 17 — right to erasure). Cascades through every provisioned project
-   * DB, cancels Stripe subscriptions, deletes S3 blobs, and anonymises
-   * billing transactions. Emits a `user.deleted` event so downstream
-   * systems can clean up their own state.
-   *
-   * Returns `{ success: true, deletedData: [...] }` on success where
-   * `deletedData` lists the resource kinds that were erased.
-   *
-   * @remarks
-   * This operation is irreversible. Production callers SHOULD require
-   * a challenge step (2FA / password confirm / WebAuthn) before
-   * invoking this — the BaaS route does NOT perform challenge
-   * verification in Phase 2d. ADR-089 Phase 5.11 lands passkey-primary
-   * with WebAuthn-required step-up and will add the check at the
-   * BaaS boundary.
-   *
-   * @example
-   * ```typescript
-   * const result = await auth.user.deleteAccount({
-   *   baseUrl,
-   *   accessToken,
-   *   reason: 'user_request',
-   * })
-   * if (result.success) signOutAndRedirect('/goodbye')
-   * ```
-   */
-  async deleteAccount(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/account`, {
-      method: "DELETE",
-      headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent),
-      body: JSON.stringify({
-        ...opts.reason !== void 0 && { reason: opts.reason }
-      })
-    });
-    if (!res.ok) throw await platformUserError(res, "user.deleteAccount");
+  async info(opts) {
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/info/${encodeURIComponent(opts.sessionId)}`,
+      {
+        method: "GET",
+        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent)
+      }
+    );
+    if (!res.ok) throw await impersonationError(res, "impersonation.info");
     return await res.json();
   },
-  /**
-   * Async GDPR Article 20 export job API (ADR-089 Phase 5.5).
-   *
-   * `user.exportData` above is the Phase 2d synchronous shortcut —
-   * kept for backward compat but production callers SHOULD prefer the
-   * async flow: large users routinely exceed a single HTTP deadline
-   * during enumeration.
-   *
-   * Typical flow:
-   *
-   * ```ts
-   * const job = await auth.user.exports.initiate({ baseUrl, accessToken })
-   * // Poll until terminal:
-   * while (true) {
-   *   const cur = await auth.user.exports.status({ baseUrl, accessToken, id: job.id })
-   *   if (cur.status === 'complete') break
-   *   if (cur.status === 'failed') throw new Error(cur.errorMessage ?? 'export failed')
-   *   await new Promise(r => setTimeout(r, 2000))
-   * }
-   * const blob = await auth.user.exports.download({ baseUrl, accessToken, id: job.id })
-   * saveAs(blob, 'sylphx-export.json')
-   * ```
-   *
-   * Rate limit: 1 `initiate` per 24h per user. Polling + downloading
-   * are NOT rate-limited through that bucket (they're cheap reads).
-   */
-  exports: {
-    /**
-     * Kick off an export job. Returns the job row in `pending` status
-     * with a 202-Accepted semantic — the HTTP layer has accepted the
-     * request but the payload is not yet materialized. Poll
-     * `status({ id })` until `status === 'complete'`.
-     */
-    async initiate(opts) {
-      const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/export`, {
+  async active(opts) {
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/active`,
+      {
+        method: "GET",
+        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent)
+      }
+    );
+    if (!res.ok) throw await impersonationError(res, "impersonation.active");
+    return await res.json();
+  },
+  async startChallenge(opts) {
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/start-challenge`,
+      {
         method: "POST",
-        headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent),
-        body: JSON.stringify(opts.format !== void 0 ? { format: opts.format } : {})
-      });
-      if (!res.ok) throw await platformUserError(res, "user.exports.initiate");
-      return await res.json();
-    },
-    /**
-     * Read the current state of an in-flight or completed export job.
-     * Returns 404 (via thrown `SylphxError`) if the job id is unknown
-     * OR owned by a different user — cross-user probes can't
-     * distinguish the two.
-     */
-    async status(opts) {
-      const res = await fetch(
-        `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/export/${encodeURIComponent(
-          opts.id
-        )}`,
-        {
-          method: "GET",
-          headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent)
-        }
-      );
-      if (!res.ok) throw await platformUserError(res, "user.exports.status");
-      return await res.json();
-    },
-    /**
-     * Download the completed export payload. The BaaS route returns a
-     * 302 to a freshly-signed object-storage URL; we follow the redirect
-     * (standard `fetch` default) and resolve to the raw `Blob`.
-     *
-     * The integrity headers `X-Sylphx-Export-Sha256` + `X-Sylphx-Export-Size`
-     * are available on the final response — CLI consumers SHOULD verify
-     * the SHA-256 client-side before handing the archive to the user.
-     */
-    async download(opts) {
-      const res = await fetch(
-        `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/export/${encodeURIComponent(
-          opts.id
-        )}/download`,
-        {
-          method: "GET",
-          headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent)
-        }
-      );
-      if (!res.ok) throw await platformUserError(res, "user.exports.download");
-      const sha256 = res.headers.get("X-Sylphx-Export-Sha256");
-      const sizeHeader = res.headers.get("X-Sylphx-Export-Size");
-      const sizeBytes = sizeHeader ? Number.parseInt(sizeHeader, 10) : null;
-      const blob = await res.blob();
-      return { blob, sha256, sizeBytes: Number.isFinite(sizeBytes) ? sizeBytes : null };
-    }
+        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
+        body: JSON.stringify({
+          targetUserId: opts.targetUserId,
+          reason: opts.reason
+        })
+      }
+    );
+    if (!res.ok) throw await impersonationError(res, "impersonation.startChallenge");
+    return await res.json();
+  },
+  async startStepup(opts) {
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/start`,
+      {
+        method: "POST",
+        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
+        body: JSON.stringify({
+          requestId: opts.requestId,
+          challengeKey: opts.challengeKey,
+          assertion: opts.assertion,
+          ...opts.emergencyBypass ? { emergencyBypass: true } : {}
+        })
+      }
+    );
+    if (!res.ok) throw await impersonationError(res, "impersonation.startStepup");
+    return await res.json();
+  },
+  async respondConsent(opts) {
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/impersonation-consent/${encodeURIComponent(opts.requestId)}`,
+      {
+        method: "POST",
+        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
+        body: JSON.stringify({ decision: opts.decision })
+      }
+    );
+    if (!res.ok) throw await impersonationError(res, "impersonation.respondConsent");
+    return await res.json();
+  },
+  async listRequests(opts) {
+    const params = new URLSearchParams();
+    if (opts.filter?.operatorId) params.set("operatorId", opts.filter.operatorId);
+    if (opts.filter?.targetUserId) params.set("targetUserId", opts.filter.targetUserId);
+    if (opts.filter?.status) params.set("status", opts.filter.status);
+    if (opts.filter?.limit != null) params.set("limit", String(opts.filter.limit));
+    const qs = params.toString();
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/requests${qs ? `?${qs}` : ""}`,
+      {
+        method: "GET",
+        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent)
+      }
+    );
+    if (!res.ok) throw await impersonationError(res, "impersonation.listRequests");
+    return await res.json();
+  },
+  async endSession(opts) {
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/end/${encodeURIComponent(opts.requestId)}`,
+      {
+        method: "POST",
+        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent)
+      }
+    );
+    if (!res.ok) throw await impersonationError(res, "impersonation.endSession");
+    return await res.json();
   }
 };
-function buildPlatformUserHeaders(accessToken, userAgent) {
+function buildImpersonationHeaders(accessToken, userAgent) {
   const headers = {
     "Content-Type": "application/json",
     Authorization: `Bearer ${accessToken}`
@@ -6662,10 +7449,9 @@ function buildPlatformUserHeaders(accessToken, userAgent) {
   if (userAgent) headers["User-Agent"] = userAgent;
   return headers;
 }
-async function platformUserError(res, operation) {
-  const { SylphxError: SylphxError2 } = await Promise.resolve().then(() => (init_errors(), errors_exports));
+async function impersonationError(res, operation) {
   const body = await res.text().catch(() => "");
-  let code = "platform_user_error";
+  let code = "platform_impersonation_error";
   let message2 = `${operation} failed: HTTP ${res.status}`;
   try {
     const parsed = JSON.parse(body);
@@ -6676,16 +7462,20 @@ async function platformUserError(res, operation) {
   }
   let errorCode;
   if (res.status === 401) errorCode = "UNAUTHORIZED";
+  else if (res.status === 403) errorCode = "UNAUTHORIZED";
   else if (res.status === 404) errorCode = "NOT_FOUND";
+  else if (res.status === 409) errorCode = "CONFLICT";
   else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
   else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
   else errorCode = "BAD_REQUEST";
-  return new SylphxError2(message2, {
+  return new SylphxError(message2, {
     code: errorCode,
     status: res.status,
     data: { operation, code }
   });
 }
+
+// src/platform-jwt.ts
 var jwtJwksCache = null;
 function resetPlatformJwksCache() {
   jwtJwksCache = null;
@@ -6797,24 +7587,167 @@ var cookies = {
     return body;
   }
 };
+
+// src/platform-oauth.ts
+init_errors();
+
+// src/oauth-token.ts
+init_errors();
+var OAUTH_TOKEN_ERROR_CODES = /* @__PURE__ */ new Set([
+  "invalid_request",
+  "invalid_client",
+  "invalid_grant",
+  "unauthorized_client",
+  "unsupported_grant_type",
+  "invalid_scope",
+  "authorization_pending",
+  "slow_down",
+  "access_denied",
+  "expired_token"
+]);
+function isRecord(value) {
+  return typeof value === "object" && value !== null;
+}
+function requireString(record, key) {
+  const value = record[key];
+  if (typeof value !== "string") throw new Error(`Invalid OAuth token field: ${key}`);
+  return value;
+}
+function optionalString(record, key) {
+  const value = record[key];
+  if (value === void 0) return void 0;
+  if (typeof value !== "string") throw new Error(`Invalid OAuth token field: ${key}`);
+  return value;
+}
+function optionalField(key, value) {
+  return value === void 0 ? {} : { [key]: value };
+}
+function requireNumber(record, key) {
+  const value = record[key];
+  if (typeof value !== "number") throw new Error(`Invalid OAuth token field: ${key}`);
+  return value;
+}
+function assertGrantType(record, grantType) {
+  if (record.grant_type !== grantType) {
+    throw new Error(`Invalid OAuth grant_type: expected ${grantType}`);
+  }
+}
+function decodeOAuthTokenRequest(input) {
+  if (!isRecord(input)) throw new Error("Invalid OAuth token request");
+  switch (input.grant_type) {
+    case "authorization_code":
+      assertGrantType(input, "authorization_code");
+      return {
+        grant_type: "authorization_code",
+        code: requireString(input, "code"),
+        redirect_uri: requireString(input, "redirect_uri"),
+        client_id: requireString(input, "client_id"),
+        code_verifier: requireString(input, "code_verifier"),
+        ...optionalField("client_secret", optionalString(input, "client_secret"))
+      };
+    case "refresh_token":
+      assertGrantType(input, "refresh_token");
+      return {
+        grant_type: "refresh_token",
+        refresh_token: requireString(input, "refresh_token"),
+        client_id: requireString(input, "client_id"),
+        ...optionalField("client_secret", optionalString(input, "client_secret")),
+        ...optionalField("scope", optionalString(input, "scope"))
+      };
+    case "urn:ietf:params:oauth:grant-type:device_code":
+      assertGrantType(input, "urn:ietf:params:oauth:grant-type:device_code");
+      return {
+        grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+        device_code: requireString(input, "device_code"),
+        client_id: requireString(input, "client_id"),
+        ...optionalField("client_secret", optionalString(input, "client_secret"))
+      };
+    case "client_credentials":
+      assertGrantType(input, "client_credentials");
+      return {
+        grant_type: "client_credentials",
+        client_id: requireString(input, "client_id"),
+        client_secret: requireString(input, "client_secret"),
+        ...optionalField("scope", optionalString(input, "scope"))
+      };
+    default:
+      throw new Error("Unsupported OAuth grant_type");
+  }
+}
+function oauthTokenFormBody(input) {
+  const request = decodeOAuthTokenRequest(input);
+  return new URLSearchParams(
+    Object.entries(request).filter(
+      (entry) => typeof entry[1] === "string"
+    )
+  ).toString();
+}
+function decodeOAuthTokenResult(value) {
+  if (!isRecord(value)) throw new Error("Invalid OAuth token response");
+  const tokenType = requireString(value, "token_type");
+  if (tokenType !== "Bearer") throw new Error("Invalid OAuth token_type");
+  return {
+    access_token: requireString(value, "access_token"),
+    token_type: "Bearer",
+    expires_in: requireNumber(value, "expires_in"),
+    refresh_token: requireString(value, "refresh_token"),
+    refresh_expires_at: requireString(value, "refresh_expires_at"),
+    scope: requireString(value, "scope")
+  };
+}
+function decodeOAuthClientCredentialsResult(value) {
+  if (!isRecord(value)) throw new Error("Invalid OAuth client credentials response");
+  const tokenType = requireString(value, "token_type");
+  if (tokenType !== "Bearer") throw new Error("Invalid OAuth token_type");
+  return {
+    access_token: requireString(value, "access_token"),
+    token_type: "Bearer",
+    expires_in: requireNumber(value, "expires_in"),
+    scope: requireString(value, "scope")
+  };
+}
+function decodeOAuthTokenError(value) {
+  if (!isRecord(value)) throw new Error("Invalid OAuth token error response");
+  const error = requireString(value, "error");
+  if (!OAUTH_TOKEN_ERROR_CODES.has(error)) {
+    throw new Error("Invalid OAuth token error code");
+  }
+  return {
+    error,
+    ...optionalField("error_description", optionalString(value, "error_description")),
+    ...optionalField("error_uri", optionalString(value, "error_uri"))
+  };
+}
+async function oauthTokenError(res, operation) {
+  const body = await res.text().catch(() => "");
+  let code = "oauth_error";
+  let message2 = `${operation} failed: HTTP ${res.status}`;
+  try {
+    const parsed = decodeOAuthTokenError(JSON.parse(body));
+    code = parsed.error;
+    if (parsed.error_description) message2 = parsed.error_description;
+  } catch {
+  }
+  let errorCode;
+  if (res.status === 401) errorCode = "UNAUTHORIZED";
+  else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
+  else errorCode = "BAD_REQUEST";
+  return new SylphxError(message2, {
+    code: errorCode,
+    status: res.status,
+    data: { oauthError: code }
+  });
+}
+
+// src/platform-oauth.ts
 var oauth = {
   /**
    * Mint a platform-audience access token from supplied claims.
    *
    * Service-to-service call — authenticated via
-   * `SYLPHX_INTERNAL_TOKEN` shared secret. Phase 6 will migrate this
-   * to SPIFFE SVID mTLS (ADR-068).
-   *
-   * TODO: Phase 6 — prefer SPIFFE SVID over shared-secret auth.
-   *
-   * @example
-   * ```typescript
-   * const { accessToken, expiresIn } = await auth.oauth.mintAccessToken({
-   *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-   *   internalToken: process.env.SYLPHX_INTERNAL_TOKEN!,
-   *   claims: { sub: user.id, email: user.email, app_id: 'platform', role: 'member', email_verified: true },
-   * })
-   * ```
+   * `SYLPHX_INTERNAL_TOKEN` shared secret until ADR-068's
+   * SPIFFE SVID mTLS platform-auth flip makes workload identity the
+   * only accepted internal caller credential.
    */
   async mintAccessToken(opts) {
     const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-jwt/mint`, {
@@ -6829,181 +7762,78 @@ var oauth = {
     if (!res.ok) throw await platformJwtError(res, "oauth.mintAccessToken");
     return await res.json();
   },
-  /**
-   * Exchange an OAuth 2.0 authorization_code for an access + refresh token
-   * pair (ADR-089 Phase 5.1b — RFC 6749 §4.1.3). PKCE S256 mandatory per
-   * OAuth 2.1 baseline.
-   *
-   * @example
-   * ```typescript
-   * const { verifier, challenge } = await generatePkce()
-   * // user redirected to /oauth/authorize?...&code_challenge=<challenge>
-   * // ...user approves, browser hits your redirect_uri with ?code=<code>
-   * const tokens = await auth.oauth.exchangeAuthorizationCode({
-   *   baseUrl: 'https://api.sylphx.com/v1',
-   *   clientId: 'sylphx-console',
-   *   clientSecret: process.env.CONSOLE_CLIENT_SECRET,
-   *   code,
-   *   redirectUri: 'https://console.sylphx.com/auth/callback',
-   *   codeVerifier: verifier,
-   * })
-   * ```
-   */
   async exchangeAuthorizationCode(opts) {
-    const body = {
+    const body = oauthTokenFormBody({
       grant_type: "authorization_code",
       code: opts.code,
       redirect_uri: opts.redirectUri,
       client_id: opts.clientId,
-      code_verifier: opts.codeVerifier
-    };
-    if (opts.clientSecret) body.client_secret = opts.clientSecret;
+      code_verifier: opts.codeVerifier,
+      ...opts.clientSecret ? { client_secret: opts.clientSecret } : {}
+    });
     const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/oauth/token`, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: new URLSearchParams(body).toString()
+      body
     });
     if (!res.ok) throw await oauthTokenError(res, "oauth.exchangeAuthorizationCode");
-    return await res.json();
-  },
-  /**
-   * Refresh a platform access token using a refresh_token
-   * (ADR-089 Phase 5.1b — RFC 6749 §6). Rotation is mandatory — the
-   * presented refresh token is consumed and a new one returned.
-   *
-   * @example
-   * ```typescript
-   * const tokens = await auth.oauth.refreshAccessToken({
-   *   baseUrl: 'https://api.sylphx.com/v1',
-   *   clientId: 'sylphx-console',
-   *   clientSecret: process.env.CONSOLE_CLIENT_SECRET,
-   *   refreshToken: stored.refresh_token,
-   * })
-   * ```
-   */
+    return decodeOAuthTokenResult(await res.json());
+  },
   async refreshAccessToken(opts) {
-    const body = {
+    const body = oauthTokenFormBody({
       grant_type: "refresh_token",
       refresh_token: opts.refreshToken,
-      client_id: opts.clientId
-    };
-    if (opts.clientSecret) body.client_secret = opts.clientSecret;
-    if (opts.scope) body.scope = opts.scope;
+      client_id: opts.clientId,
+      ...opts.clientSecret ? { client_secret: opts.clientSecret } : {},
+      ...opts.scope ? { scope: opts.scope } : {}
+    });
     const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/oauth/token`, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: new URLSearchParams(body).toString()
+      body
     });
     if (!res.ok) throw await oauthTokenError(res, "oauth.refreshAccessToken");
-    return await res.json();
+    return decodeOAuthTokenResult(await res.json());
   },
-  /**
-   * Poll the OAuth token endpoint for a device-code grant (ADR-089 Phase
-   * 5.1c — RFC 8628 §3.4). The preferred way to exchange an approved
-   * device grant for tokens — returns an RFC 6749 error envelope on the
-   * `{pending, slow_down, denied, expired}` states so callers can
-   * distinguish precisely without parsing Phase 2a's `/auth/device/poll`
-   * status string.
-   *
-   * Returns `{ ok: true, tokens }` on success or `{ ok: false, error }`
-   * for every RFC-defined polling outcome. Callers MUST honour the
-   * polling `interval` returned by `/auth/device` — polling faster yields
-   * `{ ok: false, error: 'slow_down' }`.
-   *
-   * @example
-   * ```typescript
-   * while (true) {
-   *   await sleep(interval * 1000)
-   *   const r = await auth.oauth.pollDeviceToken({
-   *     baseUrl: 'https://api.sylphx.com/v1',
-   *     clientId: 'sylphx-cli',
-   *     deviceCode,
-   *   })
-   *   if (r.ok) return r.tokens
-   *   if (r.error === 'authorization_pending' || r.error === 'slow_down') continue
-   *   throw new Error(r.error) // access_denied | expired_token
-   * }
-   * ```
-   */
   async pollDeviceToken(opts) {
-    const body = new URLSearchParams({
+    const body = oauthTokenFormBody({
       grant_type: "urn:ietf:params:oauth:grant-type:device_code",
       device_code: opts.deviceCode,
       client_id: opts.clientId
-    }).toString();
+    });
     const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/oauth/token`, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
       body
     });
-    if (res.ok) {
-      return { ok: true, tokens: await res.json() };
-    }
+    if (res.ok) return { ok: true, tokens: decodeOAuthTokenResult(await res.json()) };
     const text = await res.text().catch(() => "");
     let code = "oauth_error";
     try {
-      const parsed = JSON.parse(text);
-      if (parsed.error) code = parsed.error;
+      code = decodeOAuthTokenError(JSON.parse(text)).error;
     } catch {
     }
     return { ok: false, error: code, status: res.status };
   },
-  /**
-   * Mint a service-principal access token via the `client_credentials`
-   * grant (ADR-089 Phase 5.1c — RFC 6749 §4.4). Requires a confidential
-   * client (public clients cannot use this grant). No refresh token is
-   * issued per §4.4.3 — callers re-run this exchange on expiry.
-   *
-   * Typical use: CI integrations, server-to-server automation that has
-   * no human owner and cannot run a device flow.
-   *
-   * @example
-   * ```typescript
-   * const { access_token } = await auth.oauth.clientCredentialsToken({
-   *   baseUrl: 'https://api.sylphx.com/v1',
-   *   clientId: process.env.SYLPHX_CLIENT_ID!,
-   *   clientSecret: process.env.SYLPHX_CLIENT_SECRET!,
-   *   scope: 'tenants:provision',
-   * })
-   * ```
-   */
   async clientCredentialsToken(opts) {
-    const body = {
+    const body = oauthTokenFormBody({
       grant_type: "client_credentials",
       client_id: opts.clientId,
-      client_secret: opts.clientSecret
-    };
-    if (opts.scope) body.scope = opts.scope;
+      client_secret: opts.clientSecret,
+      ...opts.scope ? { scope: opts.scope } : {}
+    });
     const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/oauth/token`, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: new URLSearchParams(body).toString()
+      body
     });
     if (!res.ok) throw await oauthTokenError(res, "oauth.clientCredentialsToken");
-    return await res.json();
+    return decodeOAuthClientCredentialsResult(await res.json());
   },
-  /**
-   * Revoke an OAuth access or refresh token (RFC 7009 — ADR-089 Phase 5.1d).
-   *
-   * Per §2.2 this always resolves successfully — the server returns 200
-   * whether the token existed, was already revoked, or belonged to a
-   * different client. Only true protocol-level failures (malformed
-   * request, bad client credentials) throw.
-   *
-   * @example
-   * ```typescript
-   * await auth.oauth.revokeToken({
-   *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-   *   clientId: 'sylphx-cli',
-   *   token: refreshToken,
-   *   tokenTypeHint: 'refresh_token',
-   * })
-   * ```
-   */
   async revokeToken(opts) {
     const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/oauth/revoke`, {
       method: "POST",
-      headers: buildDeviceHeaders(opts.userAgent),
+      headers: buildJsonHeaders(opts.userAgent),
       body: JSON.stringify({
         token: opts.token,
         token_type_hint: opts.tokenTypeHint,
@@ -7016,29 +7846,10 @@ var oauth = {
       throw new Error(`oauth.revokeToken failed (${res.status}): ${body}`);
     }
   },
-  /**
-   * Introspect an OAuth access or refresh token (RFC 7662 — ADR-089 Phase 5.1d).
-   *
-   * Returns `{ active: false }` for expired / revoked / unknown /
-   * not-owned tokens (without revealing which); `{ active: true, ... }`
-   * with full claims for live ones. Only protocol-level failures
-   * (4xx on the revocation envelope itself) throw.
-   *
-   * @example
-   * ```typescript
-   * const result = await auth.oauth.introspectToken({
-   *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-   *   clientId: 'gateway',
-   *   clientSecret: process.env.GATEWAY_SECRET,
-   *   token: accessToken,
-   * })
-   * if (!result.active) throw new Error('token not accepted')
-   * ```
-   */
   async introspectToken(opts) {
     const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/oauth/introspect`, {
       method: "POST",
-      headers: buildDeviceHeaders(opts.userAgent),
+      headers: buildJsonHeaders(opts.userAgent),
       body: JSON.stringify({
         token: opts.token,
         token_type_hint: opts.tokenTypeHint,
@@ -7053,316 +7864,570 @@ var oauth = {
     return await res.json();
   }
 };
-var dpop = {
+function buildJsonHeaders(userAgent) {
+  return {
+    "Content-Type": "application/json",
+    ...userAgent ? { "User-Agent": userAgent } : {}
+  };
+}
+async function platformJwtError(res, operation) {
+  const body = await res.text().catch(() => "");
+  let code = "platform_jwt_error";
+  let message2 = `${operation} failed: HTTP ${res.status}`;
+  try {
+    const parsed = JSON.parse(body);
+    if (parsed.error) code = parsed.error;
+    if (parsed.error_description) message2 = parsed.error_description;
+    else if (parsed.message) message2 = parsed.message;
+  } catch {
+  }
+  let errorCode;
+  if (res.status === 401) errorCode = "UNAUTHORIZED";
+  else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
+  else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
+  else errorCode = "BAD_REQUEST";
+  return new SylphxError(message2, {
+    code: errorCode,
+    status: res.status,
+    data: { operation, code }
+  });
+}
+
+// src/platform-password.ts
+init_errors();
+var password = {
+  async status(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-password/status`, {
+      method: "GET",
+      headers: buildPlatformPasswordHeaders(opts.accessToken, opts.userAgent)
+    });
+    if (!res.ok) throw await platformPasswordError(res, "password.status");
+    return await res.json();
+  },
+  async set(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-password/set`, {
+      method: "POST",
+      headers: buildPlatformPasswordHeaders(opts.accessToken, opts.userAgent),
+      body: JSON.stringify({
+        password: opts.password
+      })
+    });
+    if (!res.ok) throw await platformPasswordError(res, "password.set");
+    return await res.json();
+  },
+  async change(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-password/change`, {
+      method: "POST",
+      headers: buildPlatformPasswordHeaders(opts.accessToken, opts.userAgent),
+      body: JSON.stringify({
+        currentPassword: opts.currentPassword,
+        newPassword: opts.newPassword
+      })
+    });
+    if (!res.ok) throw await platformPasswordError(res, "password.change");
+    return await res.json();
+  }
+};
+function buildPlatformPasswordHeaders(accessToken, userAgent) {
+  const headers = {
+    "Content-Type": "application/json",
+    Authorization: `Bearer ${accessToken}`
+  };
+  if (userAgent) headers["User-Agent"] = userAgent;
+  return headers;
+}
+async function platformPasswordError(res, operation) {
+  const body = await res.text().catch(() => "");
+  let code = "platform_password_error";
+  let message2 = `${operation} failed: HTTP ${res.status}`;
+  try {
+    const parsed = JSON.parse(body);
+    if (parsed.error) code = parsed.error;
+    if (parsed.error_description) message2 = parsed.error_description;
+    else if (parsed.message) message2 = parsed.message;
+  } catch {
+  }
+  let errorCode;
+  if (res.status === 401) errorCode = "UNAUTHORIZED";
+  else if (res.status === 404) errorCode = "NOT_FOUND";
+  else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
+  else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
+  else errorCode = "BAD_REQUEST";
+  return new SylphxError(message2, {
+    code: errorCode,
+    status: res.status,
+    data: { operation, code }
+  });
+}
+
+// src/platform-sessions.ts
+init_errors();
+var sessions = {
+  async list(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions`, {
+      method: "GET",
+      headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent)
+    });
+    if (!res.ok) throw await platformSessionError(res, "sessions.list");
+    return await res.json();
+  },
+  async revoke(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions/revoke`, {
+      method: "POST",
+      headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent),
+      body: JSON.stringify({ sessionId: opts.sessionId })
+    });
+    if (!res.ok) throw await platformSessionError(res, "sessions.revoke");
+    return await res.json();
+  },
+  async revokeOther(opts) {
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions/revoke-other`,
+      {
+        method: "POST",
+        headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent)
+      }
+    );
+    if (!res.ok) throw await platformSessionError(res, "sessions.revokeOther");
+    return await res.json();
+  },
+  async revokeAll(opts) {
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions/revoke-all`,
+      {
+        method: "POST",
+        headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent)
+      }
+    );
+    if (!res.ok) throw await platformSessionError(res, "sessions.revokeAll");
+    return await res.json();
+  },
+  async rename(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions/rename`, {
+      method: "POST",
+      headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent),
+      body: JSON.stringify({
+        sessionId: opts.sessionId,
+        name: opts.name
+      })
+    });
+    if (!res.ok) throw await platformSessionError(res, "sessions.rename");
+    return await res.json();
+  }
+};
+function buildPlatformSessionsHeaders(accessToken, userAgent) {
+  const headers = {
+    "Content-Type": "application/json",
+    Authorization: `Bearer ${accessToken}`
+  };
+  if (userAgent) headers["User-Agent"] = userAgent;
+  return headers;
+}
+async function platformSessionError(res, operation) {
+  const body = await res.text().catch(() => "");
+  let code = "platform_sessions_error";
+  let message2 = `${operation} failed: HTTP ${res.status}`;
+  try {
+    const parsed = JSON.parse(body);
+    if (parsed.error) code = parsed.error;
+    if (parsed.error_description) message2 = parsed.error_description;
+    else if (parsed.message) message2 = parsed.message;
+  } catch {
+  }
+  let errorCode;
+  if (res.status === 401) errorCode = "UNAUTHORIZED";
+  else if (res.status === 404) errorCode = "NOT_FOUND";
+  else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
+  else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
+  else errorCode = "BAD_REQUEST";
+  return new SylphxError(message2, {
+    code: errorCode,
+    status: res.status,
+    data: { operation, code }
+  });
+}
+
+// src/platform-user.ts
+init_errors();
+var user = {
   /**
-   * Generate a fresh ES256 key pair. Private key is non-extractable
-   * (`extractable: false`) so it can be stored but never serialised —
-   * the only legal operation is `sign`. Clients that need to
-   * hibernate the keypair across restarts must use a host-provided
-   * secure store (Keychain, Credential Manager, IndexedDB + CryptoKey
-   * wrapping).
+   * Export every piece of personal data the platform holds about the
+   * authenticated user (GDPR Article 20 — right to data portability).
+   *
+   * The returned record is deliberately loose — it contains the user
+   * row, sessions, OAuth accounts, login history, security alerts,
+   * organization memberships, subscriptions, per-project memberships,
+   * and storage file metadata. Shape varies with customer provisioning.
    */
-  async generateKeyPair() {
-    const { privateKey, publicKey } = await crypto.subtle.generateKey(
-      { name: "ECDSA", namedCurve: "P-256" },
-      false,
-      ["sign", "verify"]
-    );
-    const publicJwk = await crypto.subtle.exportKey("jwk", publicKey);
-    const thumbprint = await thumbprintFromJwk(sanitisePublicJwk(publicJwk));
-    return { privateKey, publicKey, thumbprint };
+  async exportData(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/export`, {
+      method: "GET",
+      headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent)
+    });
+    if (!res.ok) throw await platformUserError(res, "user.exportData");
+    return await res.json();
+  },
+  /**
+   * Permanently delete the authenticated user's account (GDPR Article
+   * 17 — right to erasure). Cascades through every provisioned project
+   * DB, cancels Stripe subscriptions, deletes S3 blobs, and anonymises
+   * billing transactions.
+   */
+  async deleteAccount(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/account`, {
+      method: "DELETE",
+      headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent),
+      body: JSON.stringify({
+        ...opts.reason !== void 0 && { reason: opts.reason }
+      })
+    });
+    if (!res.ok) throw await platformUserError(res, "user.deleteAccount");
+    return await res.json();
   },
   /**
-   * Sign a DPoP proof JWT. When `accessToken` is provided, the proof
-   * includes `ath = base64url(sha256(accessToken))` so the resource
-   * server can bind the proof to the token being presented (RFC 9449
-   * §4.3 step 11).
+   * Async GDPR Article 20 export job API (ADR-089 Phase 5.5).
+   *
+   * `user.exportData` is the Phase 2d synchronous shortcut; production
+   * callers should prefer the async flow for large accounts.
    */
-  async generateProof(opts) {
-    const publicJwkRaw = await crypto.subtle.exportKey("jwk", opts.publicKey);
-    const publicJwk = sanitisePublicJwk(publicJwkRaw);
-    const header = { typ: "dpop+jwt", alg: "ES256", jwk: publicJwk };
-    const payload = {
-      jti: randomJti(),
-      htm: opts.method.toUpperCase(),
-      htu: stripQueryAndFragment(opts.uri),
-      iat: Math.floor(Date.now() / 1e3)
-    };
-    if (opts.accessToken) {
-      payload.ath = await sha256Base64Url(new TextEncoder().encode(opts.accessToken));
+  exports: {
+    /**
+     * Kick off an export job. Poll `status({ id })` until
+     * `status === 'complete'`.
+     */
+    async initiate(opts) {
+      const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/export`, {
+        method: "POST",
+        headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent),
+        body: JSON.stringify(opts.format !== void 0 ? { format: opts.format } : {})
+      });
+      if (!res.ok) throw await platformUserError(res, "user.exports.initiate");
+      return await res.json();
+    },
+    /**
+     * Read the current state of an in-flight or completed export job.
+     */
+    async status(opts) {
+      const res = await fetch(
+        `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/export/${encodeURIComponent(
+          opts.id
+        )}`,
+        {
+          method: "GET",
+          headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent)
+        }
+      );
+      if (!res.ok) throw await platformUserError(res, "user.exports.status");
+      return await res.json();
+    },
+    /**
+     * Download the completed export payload. The BaaS route returns a
+     * 302 to a freshly-signed object-storage URL; `fetch` follows it
+     * and resolves to the raw `Blob`.
+     */
+    async download(opts) {
+      const res = await fetch(
+        `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/export/${encodeURIComponent(
+          opts.id
+        )}/download`,
+        {
+          method: "GET",
+          headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent)
+        }
+      );
+      if (!res.ok) throw await platformUserError(res, "user.exports.download");
+      const sha256 = res.headers.get("X-Sylphx-Export-Sha256");
+      const sizeHeader = res.headers.get("X-Sylphx-Export-Size");
+      const sizeBytes = sizeHeader ? Number.parseInt(sizeHeader, 10) : null;
+      const blob = await res.blob();
+      return { blob, sha256, sizeBytes: Number.isFinite(sizeBytes) ? sizeBytes : null };
     }
-    if (opts.nonce) payload.nonce = opts.nonce;
-    const headerB64 = base64UrlEncode(new TextEncoder().encode(JSON.stringify(header)));
-    const payloadB64 = base64UrlEncode(new TextEncoder().encode(JSON.stringify(payload)));
-    const signingInput = `${headerB64}.${payloadB64}`;
-    const signingBytes = new TextEncoder().encode(signingInput);
-    const signingBuf = new Uint8Array(signingBytes.byteLength);
-    signingBuf.set(signingBytes);
-    const sigBuf = await crypto.subtle.sign(
-      { name: "ECDSA", hash: "SHA-256" },
-      opts.privateKey,
-      signingBuf.buffer
-    );
-    const sigB64 = base64UrlEncode(new Uint8Array(sigBuf));
-    return `${signingInput}.${sigB64}`;
   }
 };
-function sanitisePublicJwk(jwk) {
-  if (jwk.kty !== "EC" || jwk.crv !== "P-256" || !jwk.x || !jwk.y) {
-    throw new Error("DPoP expects ES256 (EC P-256) JWK");
-  }
-  return { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y };
-}
-async function thumbprintFromJwk(jwk) {
-  const canonical = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y });
-  return sha256Base64Url(new TextEncoder().encode(canonical));
-}
-async function sha256Base64Url(data) {
-  const copy = new Uint8Array(data.byteLength);
-  copy.set(data);
-  const digest2 = await crypto.subtle.digest("SHA-256", copy.buffer);
-  return base64UrlEncode(new Uint8Array(digest2));
-}
-function base64UrlEncode(bytes) {
-  let s = "";
-  for (let i = 0; i < bytes.length; i++) s += String.fromCharCode(bytes[i]);
-  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
-function stripQueryAndFragment(uri) {
-  try {
-    const u = new URL(uri);
-    return `${u.protocol}//${u.host}${u.pathname}`;
-  } catch {
-    const q = uri.indexOf("?");
-    const h = uri.indexOf("#");
-    const cut = [q, h].filter((i) => i >= 0).sort((a, b) => a - b)[0];
-    return cut === void 0 ? uri : uri.slice(0, cut);
-  }
-}
-function randomJti() {
-  const bytes = new Uint8Array(16);
-  crypto.getRandomValues(bytes);
-  return base64UrlEncode(bytes);
+function buildPlatformUserHeaders(accessToken, userAgent) {
+  const headers = {
+    "Content-Type": "application/json",
+    Authorization: `Bearer ${accessToken}`
+  };
+  if (userAgent) headers["User-Agent"] = userAgent;
+  return headers;
 }
-async function oauthTokenError(res, operation) {
-  const { SylphxError: SylphxError2 } = await Promise.resolve().then(() => (init_errors(), errors_exports));
+async function platformUserError(res, operation) {
   const body = await res.text().catch(() => "");
-  let code = "oauth_error";
+  let code = "platform_user_error";
   let message2 = `${operation} failed: HTTP ${res.status}`;
   try {
     const parsed = JSON.parse(body);
     if (parsed.error) code = parsed.error;
     if (parsed.error_description) message2 = parsed.error_description;
+    else if (parsed.message) message2 = parsed.message;
   } catch {
   }
   let errorCode;
   if (res.status === 401) errorCode = "UNAUTHORIZED";
+  else if (res.status === 404) errorCode = "NOT_FOUND";
+  else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
   else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
   else errorCode = "BAD_REQUEST";
-  return new SylphxError2(message2, {
+  return new SylphxError(message2, {
     code: errorCode,
     status: res.status,
-    data: { oauthError: code }
+    data: { operation, code }
+  });
+}
+
+// src/auth.ts
+async function signIn(config, input) {
+  const body = input;
+  const endpoint = authEndpoints.signIn;
+  return callApi(config, endpoint.path, {
+    method: endpoint.method,
+    body
+  });
+}
+async function signUp(config, input) {
+  const endpoint = authEndpoints.signUp;
+  return callApi(config, endpoint.path, {
+    method: endpoint.method,
+    body: input
+  });
+}
+async function signOut(config) {
+  const endpoint = authEndpoints.signOut;
+  await callApi(config, endpoint.path, { method: endpoint.method });
+}
+async function refreshToken(config, token) {
+  return callApi(config, "/auth/token", {
+    method: "POST",
+    body: {
+      grant_type: "refresh_token",
+      refresh_token: token,
+      client_secret: config.secretKey
+    }
+  });
+}
+async function verifyEmail(config, token) {
+  await callApi(config, "/auth/verify-email", {
+    method: "POST",
+    body: { token }
+  });
+}
+async function forgotPassword(config, email, options = {}) {
+  await callApi(config, "/auth/forgot-password", {
+    method: "POST",
+    body: {
+      email,
+      ...options.redirectUrl ? { redirectUrl: options.redirectUrl } : {}
+    }
+  });
+}
+async function resendVerificationEmail(config, email) {
+  const endpoint = authEndpoints.resendEmailVerification;
+  const body = { email };
+  await callApi(config, endpoint.path, {
+    method: endpoint.method,
+    body
+  });
+}
+async function resetPassword(config, input) {
+  await callApi(config, "/auth/reset-password", {
+    method: "POST",
+    body: { token: input.token, password: input.password }
+  });
+}
+async function getSession(config) {
+  if (!config.accessToken) {
+    return { user: null };
+  }
+  const endpoint = authEndpoints.getSession;
+  try {
+    const user2 = await callApi(config, endpoint.path, {
+      method: endpoint.method
+    });
+    return { user: user2 };
+  } catch {
+    return { user: null };
+  }
+}
+async function verifyTwoFactor(config, userId, code) {
+  return callApi(config, "/auth/verify-2fa", {
+    method: "POST",
+    body: { userId, code }
+  });
+}
+async function introspectToken(config, token, tokenTypeHint) {
+  const response = await fetch(buildApiUrl(config, "/auth/introspect"), {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      // RFC 7662 §2: server-to-server call — authenticate with secret key
+      "x-app-secret": config.secretKey ?? ""
+    },
+    body: JSON.stringify({
+      token,
+      token_type_hint: tokenTypeHint
+    })
+  });
+  if (!response.ok) {
+    return { active: false };
+  }
+  return response.json();
+}
+async function revokeToken(config, token, options) {
+  await fetch(buildApiUrl(config, "/auth/revoke"), {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      token: options?.revokeAll ? void 0 : token,
+      client_secret: config.secretKey,
+      user_id: options?.userId,
+      revoke_all: options?.revokeAll
+    })
+  });
+}
+async function revokeAllTokens(config, userId) {
+  await revokeToken(config, "", { revokeAll: true, userId });
+}
+async function extendedSignUp(config, input) {
+  return callApi(config, "/auth/register", {
+    method: "POST",
+    body: input
   });
 }
-async function platformJwtError(res, operation) {
-  const { SylphxError: SylphxError2 } = await Promise.resolve().then(() => (init_errors(), errors_exports));
-  const body = await res.text().catch(() => "");
-  let code = "platform_jwt_error";
-  let message2 = `${operation} failed: HTTP ${res.status}`;
-  try {
-    const parsed = JSON.parse(body);
-    if (parsed.error) code = parsed.error;
-    if (parsed.error_description) message2 = parsed.error_description;
-    else if (parsed.message) message2 = parsed.message;
-  } catch {
+async function inviteUser(config, input) {
+  return callApi(config, "/auth/invite", {
+    method: "POST",
+    body: input
+  });
+}
+function normalizeOrgScopedTokenResponse(data) {
+  const accessToken = data.accessToken ?? data.access_token;
+  if (!accessToken) {
+    throw new Error("Invalid org-scoped token response: missing access token");
   }
-  let errorCode;
-  if (res.status === 401) errorCode = "UNAUTHORIZED";
-  else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
-  else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
-  else errorCode = "BAD_REQUEST";
-  return new SylphxError2(message2, {
-    code: errorCode,
-    status: res.status,
-    data: { operation, code }
+  return {
+    token: accessToken,
+    accessToken,
+    expiresIn: data.expiresIn ?? data.expires_in,
+    tokenType: data.tokenType ?? data.token_type,
+    user: data.user
+  };
+}
+async function getOrgScopedToken(config, orgId) {
+  const data = await callApi(config, "/auth/switch-org", {
+    method: "POST",
+    body: { orgId }
   });
+  return normalizeOrgScopedTokenResponse(data);
 }
-var impersonation = {
-  async start(opts) {
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/start`,
-      {
-        method: "POST",
-        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
-        body: JSON.stringify({
-          targetUserId: opts.targetUserId,
-          ...opts.ipAddress !== void 0 && { ipAddress: opts.ipAddress },
-          ...opts.userAgent !== void 0 && { userAgent: opts.userAgent }
-        })
-      }
-    );
-    if (!res.ok) throw await impersonationError(res, "impersonation.start");
-    return await res.json();
-  },
-  async end(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/end`, {
-      method: "POST",
-      headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
-      body: JSON.stringify(opts.sessionId !== void 0 ? { sessionId: opts.sessionId } : {})
-    });
-    if (!res.ok) throw await impersonationError(res, "impersonation.end");
-    return await res.json();
-  },
-  async info(opts) {
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/info/${encodeURIComponent(opts.sessionId)}`,
-      {
-        method: "GET",
-        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent)
-      }
-    );
-    if (!res.ok) throw await impersonationError(res, "impersonation.info");
-    return await res.json();
-  },
-  async active(opts) {
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/active`,
-      {
-        method: "GET",
-        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent)
-      }
-    );
-    if (!res.ok) throw await impersonationError(res, "impersonation.active");
-    return await res.json();
-  },
-  // ── Phase 5.9 ──────────────────────────────────────────────────────
+async function switchOrg(config, orgId) {
+  return getOrgScopedToken(config, orgId);
+}
+var device = {
   /**
-   * Phase 5.9 step 1 of 2 — request a WebAuthn assertion challenge.
-   * Returns the pending-request id plus options ready for
-   * `navigator.credentials.get(...)`. Caller is expected to post the
-   * resulting assertion to {@link impersonation.startStepup}.
+   * Start a device authorization grant.
+   *
+   * Returns a `DeviceGrant` with `verification_uri_complete` (open this
+   * in the user's browser) and `device_code` (use for polling).
+   *
+   * @example
+   * ```typescript
+   * const grant = await device.init({
+   *   baseUrl: 'https://your-app.api.sylphx.com/v1',
+   *   clientId: 'sylphx-cli',
+   *   scope: ['org:read', 'project:*'],
+   * })
+   * openBrowser(grant.verification_uri_complete)
+   * ```
    */
-  async startChallenge(opts) {
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/start-challenge`,
-      {
-        method: "POST",
-        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
-        body: JSON.stringify({
-          targetUserId: opts.targetUserId,
-          reason: opts.reason
-        })
-      }
-    );
-    if (!res.ok) throw await impersonationError(res, "impersonation.startChallenge");
+  async init(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/device`, {
+      method: "POST",
+      headers: buildDeviceHeaders(opts.userAgent),
+      body: JSON.stringify({
+        client_id: opts.clientId,
+        scope: opts.scope ?? []
+      })
+    });
+    if (!res.ok) throw await deviceError(res, "device.init");
     return await res.json();
   },
   /**
-   * Phase 5.9 step 2 of 2 — complete the WebAuthn step-up. Returns
-   * either the active session (emergency bypass) or the
-   * consent deadline (regular flow). Phase 3b `start` is superseded
-   * by this method; old callers should migrate to
-   * `startChallenge` → `startStepup`.
+   * Poll a pending grant. Returns `status: 'pending' | 'approved' |
+   * 'denied' | 'expired'`. On `approved`, the result carries the OAuth
+   * pair (access_token + refresh_token).
+   *
+   * Callers MUST respect the `interval` returned by `init()` — polling
+   * faster than that may return 429 slow_down (RFC 8628 §5.5).
    */
-  async startStepup(opts) {
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/start`,
-      {
-        method: "POST",
-        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
-        body: JSON.stringify({
-          requestId: opts.requestId,
-          challengeKey: opts.challengeKey,
-          assertion: opts.assertion,
-          ...opts.emergencyBypass ? { emergencyBypass: true } : {}
-        })
-      }
-    );
-    if (!res.ok) throw await impersonationError(res, "impersonation.startStepup");
+  async poll(opts) {
+    const url = new URL(`${opts.baseUrl.replace(/\/$/, "")}/auth/device/poll`);
+    url.searchParams.set("device_code", opts.deviceCode);
+    const res = await fetch(url.toString(), {
+      method: "GET",
+      headers: buildDeviceHeaders(opts.userAgent)
+    });
+    if (!res.ok) throw await deviceError(res, "device.poll");
     return await res.json();
   },
   /**
-   * Target user's consent decision. Approve mints the session token;
-   * deny transitions the request to `denied`.
+   * Browser leg — the approving user confirms the grant.
+   *
+   * Requires a valid platform-issued access token (`Authorization:
+   * Bearer <accessToken>`) proving the user is logged in on the
+   * Console. Typically called by the Console's `/device` verification
+   * page server-side, forwarding the user's session JWT.
    */
-  async respondConsent(opts) {
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/impersonation-consent/${encodeURIComponent(opts.requestId)}`,
-      {
-        method: "POST",
-        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
-        body: JSON.stringify({ decision: opts.decision })
-      }
-    );
-    if (!res.ok) throw await impersonationError(res, "impersonation.respondConsent");
-    return await res.json();
-  },
-  /** List impersonation requests. Non-super_admin sees only their own. */
-  async listRequests(opts) {
-    const params = new URLSearchParams();
-    if (opts.filter?.operatorId) params.set("operatorId", opts.filter.operatorId);
-    if (opts.filter?.targetUserId) params.set("targetUserId", opts.filter.targetUserId);
-    if (opts.filter?.status) params.set("status", opts.filter.status);
-    if (opts.filter?.limit != null) params.set("limit", String(opts.filter.limit));
-    const qs = params.toString();
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/requests${qs ? `?${qs}` : ""}`,
-      {
-        method: "GET",
-        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent)
-      }
-    );
-    if (!res.ok) throw await impersonationError(res, "impersonation.listRequests");
+  async approve(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/device/approve`, {
+      method: "POST",
+      headers: {
+        ...buildDeviceHeaders(opts.userAgent),
+        Authorization: `Bearer ${opts.accessToken}`
+      },
+      body: JSON.stringify({ user_code: opts.userCode })
+    });
+    if (!res.ok) throw await deviceError(res, "device.approve");
     return await res.json();
   },
   /**
-   * End an active impersonation session by request id. Emits a CAEP
-   * `session-revoked` event via the Phase 5.Z outbox so every in-flight
-   * verifier invalidates the token within ≤1s.
+   * Browser leg — the user declines the grant.
+   *
+   * Requires a valid platform-issued access token just like `approve`.
    */
-  async endSession(opts) {
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/end/${encodeURIComponent(opts.requestId)}`,
-      {
-        method: "POST",
-        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent)
-      }
-    );
-    if (!res.ok) throw await impersonationError(res, "impersonation.endSession");
+  async deny(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/device/deny`, {
+      method: "POST",
+      headers: {
+        ...buildDeviceHeaders(opts.userAgent),
+        Authorization: `Bearer ${opts.accessToken}`
+      },
+      body: JSON.stringify({ user_code: opts.userCode })
+    });
+    if (!res.ok) throw await deviceError(res, "device.deny");
     return await res.json();
   }
 };
-function buildImpersonationHeaders(accessToken, userAgent) {
+function buildDeviceHeaders(userAgent) {
   const headers = {
-    "Content-Type": "application/json",
-    Authorization: `Bearer ${accessToken}`
+    "Content-Type": "application/json"
   };
   if (userAgent) headers["User-Agent"] = userAgent;
   return headers;
 }
-async function impersonationError(res, operation) {
+async function deviceError(res, operation) {
   const { SylphxError: SylphxError2 } = await Promise.resolve().then(() => (init_errors(), errors_exports));
   const body = await res.text().catch(() => "");
-  let code = "platform_impersonation_error";
+  let code = "device_flow_error";
   let message2 = `${operation} failed: HTTP ${res.status}`;
   try {
     const parsed = JSON.parse(body);
     if (parsed.error) code = parsed.error;
     if (parsed.error_description) message2 = parsed.error_description;
-    else if (parsed.message) message2 = parsed.message;
   } catch {
   }
-  let errorCode;
-  if (res.status === 401) errorCode = "UNAUTHORIZED";
-  else if (res.status === 403) errorCode = "UNAUTHORIZED";
-  else if (res.status === 404) errorCode = "NOT_FOUND";
-  else if (res.status === 409) errorCode = "CONFLICT";
-  else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
-  else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
-  else errorCode = "BAD_REQUEST";
   return new SylphxError2(message2, {
-    code: errorCode,
+    code: res.status === 429 ? "TOO_MANY_REQUESTS" : "BAD_REQUEST",
     status: res.status,
     data: { operation, code }
   });
@@ -7646,8 +8711,8 @@ var realtimeAdmin = {
     /**
      * List registered channels for a project.
      *
-     * Returns an empty list when the project's hidden Redis hasn't
-     * been provisioned yet — BaaS side soft-fails because absent
+     * Returns an empty list when the project's hidden realtime store has
+     * not been provisioned yet — BaaS side soft-fails because absent
      * registrations are semantically equivalent to "none registered".
      */
     async list(opts) {
@@ -9417,8 +10482,9 @@ async function getOrganization(config, orgIdOrSlug) {
   return callApi(config, `/orgs/${orgIdOrSlug}`);
 }
 async function createOrganization(config, input) {
-  return callApi(config, "/orgs", {
-    method: "POST",
+  const endpoint = organizationsEndpoints.create;
+  return callApi(config, endpoint.path, {
+    method: endpoint.method,
     body: input
   });
 }
@@ -10272,7 +11338,7 @@ var SandboxClient = class _SandboxClient {
       body: {
         image: options?.image,
         idleTimeoutMs: options?.idleTimeoutMs ?? 3e5,
-        resources: options?.resources,
+        machine: options?.machine ?? "standard",
         env: options?.env,
         storage: options?.storageGi !== void 0 ? { enabled: true, sizeGi: options.storageGi } : void 0,
         volumeMounts: options?.volumeMounts
@@ -10515,7 +11581,7 @@ var RunHandle = class {
    *
    * @example
    * ```typescript
-   * const result = await worker.wait()
+   * const result = await run.wait()
    * if (result.exitCode !== 0) {
    *   throw new Error(`Worker failed: ${result.errorMessage ?? result.stderr}`)
    * }
@@ -10590,13 +11656,13 @@ var RunsClient = {
    *
    * @example
    * ```typescript
-   * const run = await RunsClient.create(config, {
-   *   image: 'registry.sylphx.com/sylphx/trainer:abc123',
+   * const run = await RunsClient.run(config, {
+   *   image: 'ghcr.io/acme/trainer:sha-abc123',
    *   command: ['python', 'train.py', '--fold', '3'],
-   *   resources: { requests: { cpu: '4', memory: '16Gi' } },
+   *   machine: 'large',
    *   volumeMounts: [{ volumeId: cacheVolumeId, mountPath: '/cache' }],
    * })
-   * const result = await worker.wait()
+   * const result = await run.wait()
    * ```
    */
   async run(config, options) {
@@ -10606,7 +11672,7 @@ var RunsClient = {
         image: options.image,
         command: options.command,
         env: options.env,
-        resources: options.resources,
+        machine: options.machine ?? "standard",
         timeoutSeconds: options.timeoutSeconds ?? 3600,
         volumeMounts: options.volumeMounts
       }
@@ -10639,8 +11705,8 @@ var RunsClient = {
    *
    * @example
    * ```typescript
-   * const { workers } = await RunsClient.list(config, { status: 'running' })
-   * console.log(`${workers.length} workers currently running`)
+   * const { data } = await RunsClient.list(config, { status: 'running' })
+   * console.log(`${data.length} runs currently running`)
    * ```
    */
   async list(config, options) {
@@ -10655,12 +11721,12 @@ var RunsClient = {
   /**
    * Spawn a worker and wait for it to complete in one call.
    *
-   * Equivalent to `(await RunsClient.create(config, options)).wait(waitOptions)`.
+   * Equivalent to `(await RunsClient.run(config, options)).wait(waitOptions)`.
    *
    * @example
    * ```typescript
    * const result = await RunsClient.runAndWait(config, {
-   *   image: 'registry.sylphx.com/sylphx/process:abc',
+   *   image: 'ghcr.io/acme/process:sha-abc123',
    *   command: ['node', 'dist/process.js'],
    * })
    * if (result.exitCode !== 0) throw new Error(result.errorMessage ?? 'worker failed')
@@ -10988,15 +12054,61 @@ export {
   ACHIEVEMENT_TIER_CONFIG,
   AuthenticationError,
   AuthorizationError,
+  BILLING_ALLOWED_ROLES,
+  BUILD_MINUTES_INCLUDED,
+  BUILD_MINUTE_PRICES,
+  BUILD_SIZE_MULTIPLIERS,
+  BYTES_PER_GB,
+  CI_BUILD_MINUTE_PRICE_MICRODOLLARS,
+  CI_FREE_MINUTES_PER_MONTH,
+  CI_MACOS_MULTIPLIER,
+  CI_MACOS_SIZE_MULTIPLIERS,
+  CI_SIZE_MULTIPLIERS,
+  COMPUTE_PRICE_PER_HOUR_MICRODOLLARS,
+  COMPUTE_RAM_RATE_MICRODOLLARS,
+  COMPUTE_VCPU_ACTIVE_RATE_MICRODOLLARS,
+  COMPUTE_VCPU_IDLE_RATE_MICRODOLLARS,
+  CONSOLE_APP_SLUG,
+  CREDENTIAL_REGEX,
+  CREDIT_EXPIRY_MONTHS,
   CircuitBreakerOpenError,
+  DEFAULT_MACHINE_SIZE,
+  DEFAULT_MAX_REPLICAS,
+  DEFAULT_POINTS_REWARD,
+  DISCOUNT_DURATION_MONTHS,
+  DISCOUNT_PERCENT,
   ERROR_CODE_STATUS,
+  FREE_COMPUTE_HOURS,
+  FREE_STORAGE_GB,
+  HOURS_PER_MONTH,
+  INSTANCE_TYPES,
+  INSTANCE_TYPE_ALIASES,
+  INSTANCE_TYPE_ORDER,
+  INVOICE_DUE_DAYS,
   InvalidConnectionUrlError,
+  KV_FREE_STORAGE_GB,
+  LEGACY_INSTANCE_TYPE_ORDER,
+  MACHINE_CONFIGS,
+  MACHINE_MAX_INSTANCES,
+  MACHINE_RESOURCE_REQUIREMENTS,
+  MACHINE_SIZES,
+  MAX_PASSWORD_LENGTH,
+  MAX_PAYMENT_ATTEMPTS,
+  MICRODOLLARS_PER_CENT,
+  MIN_PASSWORD_LENGTH,
   NetworkError,
   NotFoundError,
+  PASSWORD_REQUIREMENTS,
+  PLATFORM_PLANS,
+  PLATFORM_PLAN_ORDER,
+  PLATFORM_PLAN_ORDER_ALL,
+  PREMIUM_TRIAL_DAYS,
   RETRYABLE_CODES,
   RateLimitError,
   RunHandle,
   RunsClient,
+  SERVICE_METRICS,
+  STORAGE_PRICE_PER_GB_MONTH_MICRODOLLARS,
   SandboxClient,
   SandboxFiles,
   SandboxProcesses,
@@ -11004,6 +12116,7 @@ export {
   StepCompleteSignal,
   StepSleepSignal,
   SylphxError,
+  TRANSFER_PRICE_PER_GB_MICRODOLLARS,
   TimeoutError,
   TriggersClient,
   ValidationError,
@@ -11015,6 +12128,8 @@ export {
   audit,
   authorizeOAuth,
   batchIndex,
+  buildConnectionUrl,
+  calculatePercentage,
   canDeleteOrganization,
   canManageMembers,
   canManageSettings,
@@ -11023,6 +12138,7 @@ export {
   captureException,
   captureExceptionRaw,
   captureMessage,
+  centsToDollars,
   chat,
   chatStream,
   checkFlag,
@@ -11067,22 +12183,45 @@ export {
   dpop,
   embed,
   enableDebug,
+  escapeCsvField,
+  escapeHtml,
   exchangeOAuthCode,
   exponentialBackoff,
   exportUserData,
   extendedSignUp,
+  getErrorDetails as extractErrorDetails,
+  getErrorMessage as extractErrorMessage,
   forgotPassword,
+  formatBytes,
+  formatCents,
+  formatCurrency,
+  formatDate,
+  formatDateTime,
+  formatDuration,
+  formatMicrodollars,
+  formatMonthYear,
+  formatNumber,
+  formatPercent,
+  formatRelativeTime,
+  formatRelativeTimeShort,
+  formatTime,
   functions,
   generateAnonymousId,
   generatePkce,
+  generateReferralCode,
+  generateSlug,
   getAchievement,
   getAchievementPoints,
   getAchievements,
+  getActivePlans,
   getAllFlags,
   getAllSecrets,
   getAllStreaks,
+  getAvailableInstanceTypes,
   getBackupCodes,
+  getBaseUrl,
   getBillingBalance,
+  getBillingStatusVariant,
   getBillingUsage,
   getBuildLogHistory,
   getCircuitBreakerState,
@@ -11091,13 +12230,17 @@ export {
   getDatabaseConnectionString,
   getDatabaseStatus,
   getDebugMode,
+  getDefaultInstanceType,
   getDeployHistory,
   getDeployStatus,
-  getErrorCode,
-  getErrorMessage,
+  getEnvPrefix,
+  getErrorCode2 as getErrorCode,
+  getErrorDetails2 as getErrorDetails,
+  getErrorMessage2 as getErrorMessage,
   getFacets,
   getFlagPayload,
   getFlags,
+  getInvoiceStatusVariant,
   getLeaderboard,
   getMemberPermissions,
   getMyReferralCode,
@@ -11107,6 +12250,7 @@ export {
   getOrganizationInvitations,
   getOrganizationMembers,
   getOrganizations,
+  getPlanMonthlyPrice,
   getPlans,
   getProjectMetadata,
   getPromo,
@@ -11116,6 +12260,7 @@ export {
   getReferralStats,
   getRestErrorMessage,
   getRole,
+  getSafeErrorMessage,
   getScheduledEmail,
   getScheduledEmailStats,
   getSearchStats,
@@ -11139,6 +12284,7 @@ export {
   getWebhookStats,
   hasAllPermissions,
   hasAnyPermission,
+  hasBillingAccess,
   hasConsent,
   hasError,
   hasPermission,
@@ -11154,10 +12300,14 @@ export {
   introspectToken,
   inviteOrganizationMember,
   inviteUser,
+  isChallengeRequired,
   isEmailConfigured,
   isEnabled,
+  isMachineSize,
+  isPlanDeprecated,
   isRetryableError,
   isSylphxError,
+  isValidInstanceType,
   kvDelete,
   kvExists,
   kvExpire,
@@ -11195,9 +12345,13 @@ export {
   listUsers,
   markAllSecurityAlertsRead,
   markSecurityAlertRead,
+  microsToDollars,
   oauth,
   page,
+  parseConnectionUrl,
+  parseMachineSize,
   parseOAuthCallback,
+  parseUserAgent,
   password,
   pauseCron,
   platformAuth,
@@ -11228,12 +12382,20 @@ export {
   resetPassword,
   resetPlatformCookieCache,
   resetPlatformJwksCache,
+  resolveCanonicalInstanceType,
+  resolveMachineConfig,
+  resolveMachineMaxInstances,
+  resolveMachineResources,
+  resolveMachineTierResources,
+  resolveMaxReplicas,
+  resolveResources,
   resumeCron,
   revokeAllTokens,
   revokeOrganizationInvitation,
   revokeToken,
   revokeUserSession,
   rollbackDeploy,
+  safeJsonParse,
   scheduleEmail,
   scheduleTask,
   search,
@@ -11255,6 +12417,7 @@ export {
   submitScore,
   suspendUser,
   switchOrg,
+  toPublicMachineSize,
   toSylphxError,
   track,
   trackBatch,
@@ -11274,6 +12437,7 @@ export {
   upsertDocument,
   user,
   userInfo,
+  validateInstanceTypeForPlan,
   validatePromo,
   verifyAccessToken,
   verifyChallenge,