npm - @sylphx/sdk - Versions diffs - 0.11.0 → 0.11.2 - Mend

@sylphx/sdk 0.11.0 → 0.11.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/index.mjs CHANGED Viewed

@@ -66,8 +66,11 @@ __export(errors_exports, {
   TimeoutError: () => TimeoutError,
   ValidationError: () => ValidationError,
   exponentialBackoff: () => exponentialBackoff,
-  getErrorCode: () => getErrorCode,
-  getErrorMessage: () => getErrorMessage,
+  getErrorCode: () => getErrorCode2,
+  getErrorDetails: () => getErrorDetails2,
+  getErrorMessage: () => getErrorMessage2,
+  getSafeErrorMessage: () => getSafeErrorMessage,
+  isChallengeRequired: () => isChallengeRequired,
   isRetryableError: () => isRetryableError,
   isSylphxError: () => isSylphxError,
   toSylphxError: () => toSylphxError
@@ -95,21 +98,91 @@ function isRetryableError(error) {
   }
   return false;
 }
-function getErrorMessage(error) {
+function getErrorMessage2(error, fallback = "An unknown error occurred") {
   if (error instanceof Error) {
     return error.message;
   }
   if (typeof error === "string") {
     return error;
   }
-  return "An unknown error occurred";
+  if (error && typeof error === "object" && "message" in error) {
+    const message2 = error.message;
+    if (typeof message2 === "string") return message2;
+  }
+  if (error && typeof error === "object" && "response" in error) {
+    const response = error.response;
+    if (response?.data?.message) return response.data.message;
+    if (response?.data?.error) return response.data.error;
+  }
+  return fallback;
 }
-function getErrorCode(error) {
+function getErrorCode2(error) {
   if (error instanceof SylphxError) {
     return error.code;
   }
   return "UNKNOWN";
 }
+function getErrorStatus(error) {
+  if (!error || typeof error !== "object") return void 0;
+  if ("status" in error && typeof error.status === "number") {
+    return error.status;
+  }
+  if ("statusCode" in error && typeof error.statusCode === "number") {
+    return error.statusCode;
+  }
+  return void 0;
+}
+function getSafeErrorKey(error) {
+  if (error instanceof SylphxError) return error.code;
+  if (!error || typeof error !== "object") return void 0;
+  if ("code" in error && typeof error.code === "string") {
+    return error.code;
+  }
+  const status = getErrorStatus(error);
+  return status == null ? void 0 : String(status);
+}
+function getErrorDetails2(error, fallbackMessage = "An unknown error occurred") {
+  const details = {
+    message: getErrorMessage2(error, fallbackMessage)
+  };
+  const code = getSafeErrorKey(error);
+  if (code) {
+    Object.assign(details, { code });
+  }
+  const status = getErrorStatus(error);
+  if (status != null) {
+    Object.assign(details, { status });
+  }
+  if (error instanceof Error) {
+    Object.assign(details, {
+      name: error.name,
+      stack: error.stack,
+      ...error.cause ? { cause: error.cause } : {}
+    });
+  }
+  return details;
+}
+function getSafeErrorMessage(error, fallback = "Something went wrong. Please try again.") {
+  const errorCode = getSafeErrorKey(error);
+  if (errorCode && SAFE_ERROR_MESSAGES[errorCode]) return SAFE_ERROR_MESSAGES[errorCode];
+  if (error && typeof error === "object") {
+    const coded = error;
+    if (coded.data?.code && SAFE_ERROR_MESSAGES[coded.data.code]) {
+      return SAFE_ERROR_MESSAGES[coded.data.code];
+    }
+  }
+  const rawMessage = getErrorMessage2(error, "");
+  if (rawMessage && rawMessage.length < 200 && !rawMessage.includes("\n") && !rawMessage.includes("at ") && !INTERNAL_ERROR_PATTERNS.some((pattern) => pattern.test(rawMessage))) {
+    return rawMessage;
+  }
+  return fallback;
+}
+function isChallengeRequired(err) {
+  if (!(err instanceof Error)) return false;
+  if (err.message.includes("challenge")) return true;
+  const errWithData = err;
+  return errWithData.data?.code === "FORBIDDEN";
+}
 function toSylphxError(error) {
   if (error instanceof SylphxError) {
     return error;
@@ -140,7 +213,7 @@ function toSylphxError(error) {
     }
     return new SylphxError(error.message, { cause: error });
   }
-  return new SylphxError(getErrorMessage(error));
+  return new SylphxError(getErrorMessage2(error));
 }
 function exponentialBackoff(attempt, baseDelay = BASE_RETRY_DELAY_MS, maxDelay = MAX_RETRY_DELAY_MS) {
   const exponentialDelay = baseDelay * 2 ** attempt;
@@ -148,7 +221,7 @@ function exponentialBackoff(attempt, baseDelay = BASE_RETRY_DELAY_MS, maxDelay =
   const jitter = cappedDelay * 0.25 * (Math.random() * 2 - 1);
   return Math.round(cappedDelay + jitter);
 }
-var ERROR_CODE_STATUS, RETRYABLE_CODES, SylphxError, NetworkError, TimeoutError, AuthenticationError, AuthorizationError, ValidationError, RateLimitError, NotFoundError;
+var ERROR_CODE_STATUS, RETRYABLE_CODES, SylphxError, NetworkError, TimeoutError, AuthenticationError, AuthorizationError, ValidationError, RateLimitError, NotFoundError, INTERNAL_ERROR_PATTERNS, SAFE_ERROR_MESSAGES;
 var init_errors = __esm({
   "src/errors.ts"() {
     "use strict";
@@ -376,6 +449,57 @@ var init_errors = __esm({
         this.resourceId = options?.resourceId;
       }
     };
+    INTERNAL_ERROR_PATTERNS = [
+      /sql/i,
+      /database/i,
+      /postgres/i,
+      /neon/i,
+      /drizzle/i,
+      /prisma/i,
+      /constraint/i,
+      /foreign key/i,
+      /unique violation/i,
+      /null value/i,
+      /column/i,
+      /table/i,
+      /relation/i,
+      /trpc/i,
+      /internal server/i,
+      /unexpected/i,
+      /cannot read propert/i,
+      /undefined is not/i,
+      /null is not/i,
+      /cannot find module/i,
+      /econnrefused/i,
+      /etimedout/i,
+      /enotfound/i
+    ];
+    SAFE_ERROR_MESSAGES = {
+      "400": "Invalid request. Please check your input and try again.",
+      "401": "Please sign in to continue.",
+      "403": "You don't have permission to perform this action.",
+      "404": "The requested resource was not found.",
+      "409": "This action conflicts with existing data. Please refresh and try again.",
+      "429": "Too many requests. Please wait a moment and try again.",
+      "500": "Something went wrong on our end. Please try again later.",
+      "502": "Service temporarily unavailable. Please try again in a moment.",
+      "503": "Service temporarily unavailable. Please try again in a moment.",
+      BAD_REQUEST: "Invalid request. Please check your input.",
+      UNAUTHORIZED: "Please sign in to continue.",
+      FORBIDDEN: "You don't have permission to perform this action.",
+      NOT_FOUND: "The requested item was not found.",
+      CONFLICT: "This action conflicts with existing data.",
+      TOO_MANY_REQUESTS: "Too many requests. Please wait a moment.",
+      INTERNAL_SERVER_ERROR: "Something went wrong. Please try again later.",
+      TIMEOUT: "Request timed out. Please try again.",
+      PRECONDITION_FAILED: "This action cannot be completed right now.",
+      QUOTA_EXCEEDED: "You've reached your usage limit. Please upgrade your plan.",
+      PAYMENT_REQUIRED: "Payment is required to continue.",
+      INVALID_CREDENTIALS: "Invalid email or password.",
+      EMAIL_NOT_VERIFIED: "Please verify your email address.",
+      ACCOUNT_LOCKED: "Your account has been locked. Please contact support.",
+      SESSION_EXPIRED: "Your session has expired. Please sign in again."
+    };
   }
 });
@@ -4780,8 +4904,112 @@ var init_webapi = __esm({
   }
 });
+// src/compute.ts
+import {
+  DEFAULT_MACHINE_SIZE,
+  isMachineSize,
+  MACHINE_CONFIGS,
+  MACHINE_MAX_INSTANCES,
+  MACHINE_RESOURCE_REQUIREMENTS,
+  MACHINE_SIZES,
+  parseMachineSize,
+  resolveMachineConfig,
+  resolveMachineMaxInstances,
+  resolveMachineResources,
+  resolveMachineTierResources,
+  toPublicMachineSize
+} from "@sylphx/contract/compute";
+// src/config/database-pricing.ts
+var COMPUTE_PRICE_PER_HOUR_MICRODOLLARS = 8e4;
+var FREE_COMPUTE_HOURS = 3;
+var STORAGE_PRICE_PER_GB_MONTH_MICRODOLLARS = 25e4;
+var FREE_STORAGE_GB = 0.25;
+var TRANSFER_PRICE_PER_GB_MICRODOLLARS = 9e4;
+var KV_FREE_STORAGE_GB = 0.25;
+var HOURS_PER_MONTH = 730;
+// src/config/referrals.ts
+var DEFAULT_POINTS_REWARD = 100;
+var DISCOUNT_DURATION_MONTHS = 3;
+var DISCOUNT_PERCENT = 20;
+var PREMIUM_TRIAL_DAYS = 7;
+var REFERRAL_CODE_LENGTH = 8;
+var REFERRAL_CODE_CHARS = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
+function generateReferralCode() {
+  const bytes = new Uint8Array(REFERRAL_CODE_LENGTH);
+  crypto.getRandomValues(bytes);
+  let code = "";
+  for (let i = 0; i < REFERRAL_CODE_LENGTH; i++) {
+    code += REFERRAL_CODE_CHARS[bytes[i] % REFERRAL_CODE_CHARS.length];
+  }
+  return code;
+}
+// src/error-extract.ts
+function getErrorMessage(error, fallback = "Unknown error") {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  if (typeof error === "string") {
+    return error;
+  }
+  if (error && typeof error === "object" && "message" in error) {
+    const message2 = error.message;
+    if (typeof message2 === "string") {
+      return message2;
+    }
+  }
+  if (error && typeof error === "object" && "response" in error) {
+    const response = error.response;
+    if (response?.data?.message) return response.data.message;
+    if (response?.data?.error) return response.data.error;
+  }
+  return fallback;
+}
+function getErrorCode(error) {
+  if (!error || typeof error !== "object") {
+    return void 0;
+  }
+  if ("code" in error && typeof error.code === "string") {
+    return error.code;
+  }
+  if ("status" in error && typeof error.status === "number") {
+    return String(error.status);
+  }
+  if ("statusCode" in error && typeof error.statusCode === "number") {
+    return String(error.statusCode);
+  }
+  return void 0;
+}
+function getErrorDetails(error, fallbackMessage = "Unknown error") {
+  const details = {
+    message: getErrorMessage(error, fallbackMessage)
+  };
+  if (error instanceof Error) {
+    details.name = error.name;
+    details.stack = error.stack;
+    if (error.cause) {
+      details.cause = error.cause;
+    }
+  }
+  const code = getErrorCode(error);
+  if (code) {
+    details.code = code;
+  }
+  if (error && typeof error === "object") {
+    if ("status" in error && typeof error.status === "number") {
+      details.status = error.status;
+    } else if ("statusCode" in error && typeof error.statusCode === "number") {
+      details.status = error.statusCode;
+    }
+  }
+  return details;
+}
 // src/connection-url.ts
 var SYLPHX_PROTOCOL = "sylphx:";
+var DEFAULT_DOMAIN = "api.sylphx.com";
 var DEFAULT_VERSION = "v1";
 var CREDENTIAL_REGEX = /^(pk|sk)_(dev|stg|prod|prev)(?:_[a-z0-9]{12})?_[a-f0-9]{32,64}$/;
 var VERSION_REGEX = /^v[0-9]+$/;
@@ -4813,6 +5041,33 @@ function validateSlug(candidate) {
   }
   return candidate;
 }
+function validateDomain(domain) {
+  if (!domain || domain.includes("/") || domain.includes("@") || domain.includes(" ")) {
+    fail(`domain "${domain}" is not a valid hostname suffix`);
+  }
+  if (domain.includes("://")) {
+    fail(`domain "${domain}" must not contain a scheme`);
+  }
+  return domain.toLowerCase();
+}
+function normaliseVersion(version) {
+  if (version === void 0) return DEFAULT_VERSION;
+  if (version === "") return "";
+  if (!VERSION_REGEX.test(version)) {
+    fail(`version "${version}" must match /^v[0-9]+$/`);
+  }
+  return version;
+}
+function buildConnectionUrl(input) {
+  const { credential, slug, domain = DEFAULT_DOMAIN, version = DEFAULT_VERSION } = input;
+  parseCredential(credential);
+  const safeSlug = validateSlug(slug);
+  const safeDomain = validateDomain(domain);
+  const safeVersion = normaliseVersion(version);
+  const host = `${safeSlug}.${safeDomain}`;
+  const pathSuffix = safeVersion ? `/${safeVersion}` : "";
+  return `${SYLPHX_PROTOCOL}//${credential}@${host}${pathSuffix}`;
+}
 function parseConnectionUrl(url) {
   if (typeof url !== "string" || url.length === 0) {
     fail("url must be a non-empty string");
@@ -5187,6 +5442,1044 @@ async function callApi(config, path, options = {}) {
   }
 }
+// src/csv.ts
+function escapeCsvField(value) {
+  if (value === null || value === void 0) {
+    return "";
+  }
+  if (value.includes(",") || value.includes('"') || value.includes("\n")) {
+    return `"${value.replace(/"/g, '""')}"`;
+  }
+  return value;
+}
+// src/formatting.ts
+function calculatePercentage(count, total, decimals = 2) {
+  if (total === 0) return 100;
+  const multiplier = 10 ** (decimals + 2);
+  return Math.round(count / total * multiplier) / 10 ** decimals;
+}
+function formatMicrodollars(microdollars, options) {
+  return new Intl.NumberFormat("en-US", {
+    style: "currency",
+    currency: "USD",
+    ...options
+  }).format(microdollars / 1e6);
+}
+function formatCents(cents) {
+  return new Intl.NumberFormat("en-US", {
+    style: "currency",
+    currency: "USD"
+  }).format(cents / 100);
+}
+function formatCurrency(amount, optsOrCompact = false) {
+  const opts = typeof optsOrCompact === "boolean" ? { compact: optsOrCompact } : optsOrCompact;
+  const currency = (opts.currency ?? "USD").toUpperCase();
+  const decimals = opts.decimals ?? 2;
+  if (opts.compact && Math.abs(amount) >= 1e3) {
+    return new Intl.NumberFormat("en-US", {
+      style: "currency",
+      currency,
+      notation: "compact",
+      minimumFractionDigits: 1,
+      maximumFractionDigits: 1
+    }).format(amount);
+  }
+  return new Intl.NumberFormat("en-US", {
+    style: "currency",
+    currency,
+    minimumFractionDigits: decimals,
+    maximumFractionDigits: decimals
+  }).format(amount);
+}
+function formatPercent(value) {
+  return `${value >= 0 ? "+" : ""}${value.toFixed(1)}%`;
+}
+function formatNumber(num, compact = false) {
+  if (compact && num >= 1e3) {
+    return new Intl.NumberFormat("en-US", {
+      notation: "compact",
+      maximumFractionDigits: 1
+    }).format(num);
+  }
+  if (num >= 1e9) return `${(num / 1e9).toFixed(1)}B`;
+  if (num >= 1e6) return `${(num / 1e6).toFixed(1)}M`;
+  if (num >= 1e3) return `${(num / 1e3).toFixed(1)}K`;
+  return num.toLocaleString();
+}
+function formatDuration(ms) {
+  if (ms < 1) return "<1ms";
+  if (ms < 1e3) return `${Math.round(ms)}ms`;
+  return `${(ms / 1e3).toFixed(2)}s`;
+}
+function formatBytes(bytes, decimals = 1) {
+  if (bytes == null || bytes === 0 || Number.isNaN(bytes)) return "0 B";
+  const k = 1024;
+  const sizes = ["B", "KB", "MB", "GB", "TB", "PB"];
+  const i = Math.floor(Math.log(bytes) / Math.log(k));
+  return `${Number.parseFloat((bytes / k ** i).toFixed(decimals))} ${sizes[i]}`;
+}
+var BILLING_STATUS_VARIANTS = /* @__PURE__ */ new Map([
+  // Active/healthy states
+  ["healthy", "default"],
+  ["active", "default"],
+  // Pending/low states
+  ["low", "secondary"],
+  ["pending", "secondary"],
+  // Success states
+  ["paid", "success"],
+  ["completed", "success"],
+  // Warning states
+  ["grace_period", "warning"],
+  ["overdue", "warning"],
+  // Error states
+  ["critical", "error"],
+  ["blocked", "error"],
+  ["suspended", "error"],
+  ["failed", "error"]
+]);
+function getBillingStatusVariant(status) {
+  return BILLING_STATUS_VARIANTS.get(status) ?? "outline";
+}
+var INVOICE_STATUS_VARIANTS = /* @__PURE__ */ new Map([
+  ["draft", "secondary"],
+  ["pending", "default"],
+  ["paid", "success"],
+  ["overdue", "warning"],
+  ["failed", "error"],
+  ["cancelled", "error"]
+]);
+function getInvoiceStatusVariant(status) {
+  return INVOICE_STATUS_VARIANTS.get(status) ?? "outline";
+}
+function parseDate(date) {
+  const d = typeof date === "string" ? new Date(date) : date;
+  return Number.isNaN(d.getTime()) ? null : d;
+}
+function formatDate(date, options, fallback = "-") {
+  if (!date) return fallback;
+  const d = parseDate(date);
+  if (!d) return fallback;
+  return d.toLocaleDateString("en-US", {
+    month: "short",
+    day: "numeric",
+    year: "numeric",
+    ...options
+  });
+}
+function formatDateTime(date, options, fallback = "-") {
+  if (!date) return fallback;
+  const d = parseDate(date);
+  if (!d) return fallback;
+  return d.toLocaleString("en-US", {
+    month: "short",
+    day: "numeric",
+    hour: "2-digit",
+    minute: "2-digit",
+    ...options
+  });
+}
+var relativeTimeFormatter = new Intl.RelativeTimeFormat("en", {
+  numeric: "auto"
+});
+var TIME_DIVISIONS = [
+  { amount: 60, unit: "second" },
+  { amount: 60, unit: "minute" },
+  { amount: 24, unit: "hour" },
+  { amount: 7, unit: "day" },
+  { amount: 4.34524, unit: "week" },
+  { amount: 12, unit: "month" },
+  { amount: Number.POSITIVE_INFINITY, unit: "year" }
+];
+function formatRelativeTime(date) {
+  if (!date) return "Never";
+  const d = parseDate(date);
+  if (!d) return "Never";
+  let seconds = (d.getTime() - Date.now()) / 1e3;
+  for (const { amount, unit } of TIME_DIVISIONS) {
+    if (Math.abs(seconds) < amount) {
+      return relativeTimeFormatter.format(Math.round(seconds), unit);
+    }
+    seconds /= amount;
+  }
+  return formatDate(d);
+}
+function formatRelativeTimeShort(date) {
+  if (!date) return "Never";
+  const d = parseDate(date);
+  if (!d) return "Never";
+  const diffMs = Date.now() - d.getTime();
+  const diffSecs = Math.floor(diffMs / 1e3);
+  const diffMins = Math.floor(diffMs / 6e4);
+  const diffHours = Math.floor(diffMs / 36e5);
+  const diffDays = Math.floor(diffMs / 864e5);
+  if (diffSecs < 10) return "Just now";
+  if (diffSecs < 60) return `${diffSecs}s ago`;
+  if (diffMins < 60) return `${diffMins}m ago`;
+  if (diffHours < 24) return `${diffHours}h ago`;
+  if (diffDays === 1) return "Yesterday";
+  if (diffDays < 7) return `${diffDays}d ago`;
+  if (diffDays < 30) return `${Math.floor(diffDays / 7)}w ago`;
+  return d.toLocaleDateString("en-US", { month: "short", day: "numeric" });
+}
+function formatMonthYear(date, fallback = "-") {
+  if (!date) return fallback;
+  const d = parseDate(date);
+  if (!d) return fallback;
+  return d.toLocaleDateString("en-US", { month: "long", year: "numeric" });
+}
+function formatTime(date, fallback = "-") {
+  if (!date) return fallback;
+  const d = parseDate(date);
+  if (!d) return fallback;
+  return d.toLocaleTimeString("en-US", { hour: "2-digit", minute: "2-digit" });
+}
+// src/json.ts
+function safeJsonParse(input, fallback) {
+  try {
+    return JSON.parse(input);
+  } catch {
+    return fallback ?? null;
+  }
+}
+// src/utils.ts
+function getBaseUrl(mode = "relative") {
+  if (typeof globalThis.window !== "undefined") {
+    return mode === "origin" ? globalThis.window.location.origin : "";
+  }
+  if (process.env.NEXT_PUBLIC_APP_URL) {
+    return process.env.NEXT_PUBLIC_APP_URL;
+  }
+  const port = process.env.PORT ?? "3000";
+  return `http://localhost:${port}`;
+}
+var HTML_ENTITIES = {
+  "&": "&amp;",
+  "<": "&lt;",
+  ">": "&gt;",
+  '"': "&quot;",
+  "'": "&#039;"
+};
+function escapeHtml(str) {
+  return str.replace(/[&<>"']/g, (char) => HTML_ENTITIES[char]);
+}
+function generateSlug(text, maxLength) {
+  const slug = text.toLowerCase().trim().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").replace(/-{2,}/g, "-");
+  if (maxLength && slug.length > maxLength) {
+    return slug.slice(0, maxLength).replace(/-+$/, "");
+  }
+  return slug;
+}
+// src/utils/user-agent.ts
+function parseUserAgent(ua) {
+  if (!ua) {
+    return { browser: null, os: null, deviceType: null };
+  }
+  return {
+    browser: detectBrowser(ua),
+    os: detectOS(ua),
+    deviceType: detectDeviceType(ua)
+  };
+}
+function detectBrowser(ua) {
+  if (ua.includes("Edg/")) {
+    const match = ua.match(/Edg\/(\d+)/);
+    return match ? `Edge ${match[1]}` : "Edge";
+  }
+  if (ua.includes("OPR/") || ua.includes("Opera")) {
+    const match = ua.match(/OPR\/(\d+)/) || ua.match(/Opera\/(\d+)/);
+    return match ? `Opera ${match[1]}` : "Opera";
+  }
+  if (ua.includes("Brave")) {
+    return "Brave";
+  }
+  if (ua.includes("Chrome/")) {
+    const match = ua.match(/Chrome\/(\d+)/);
+    return match ? `Chrome ${match[1]}` : "Chrome";
+  }
+  if (ua.includes("Safari/") && !ua.includes("Chrome")) {
+    const match = ua.match(/Version\/(\d+)/);
+    return match ? `Safari ${match[1]}` : "Safari";
+  }
+  if (ua.includes("Firefox/")) {
+    const match = ua.match(/Firefox\/(\d+)/);
+    return match ? `Firefox ${match[1]}` : "Firefox";
+  }
+  if (ua.includes("MSIE") || ua.includes("Trident/")) {
+    const match = ua.match(/(?:MSIE |rv:)(\d+)/);
+    return match ? `IE ${match[1]}` : "Internet Explorer";
+  }
+  return null;
+}
+function detectOS(ua) {
+  if (ua.includes("iPhone") || ua.includes("iPad")) {
+    const match = ua.match(/OS (\d+[_\d]*)/);
+    if (match) {
+      const version = match[1].replace(/_/g, ".");
+      return `iOS ${version}`;
+    }
+    return "iOS";
+  }
+  if (ua.includes("Android")) {
+    const match = ua.match(/Android (\d+[.\d]*)/);
+    return match ? `Android ${match[1]}` : "Android";
+  }
+  if (ua.includes("Mac OS X") || ua.includes("macOS")) {
+    const match = ua.match(/Mac OS X (\d+[_\d]*)/) || ua.match(/macOS (\d+[_\d]*)/);
+    if (match) {
+      const version = match[1].replace(/_/g, ".");
+      return `macOS ${version}`;
+    }
+    return "macOS";
+  }
+  if (ua.includes("Windows NT")) {
+    const match = ua.match(/Windows NT ([\d.]+)/);
+    if (match) {
+      const ntVersion = match[1];
+      const windowsVersions = {
+        "10.0": "Windows 10/11",
+        "6.3": "Windows 8.1",
+        "6.2": "Windows 8",
+        "6.1": "Windows 7",
+        "6.0": "Windows Vista",
+        "5.1": "Windows XP"
+      };
+      return windowsVersions[ntVersion] || `Windows NT ${ntVersion}`;
+    }
+    return "Windows";
+  }
+  if (ua.includes("Linux")) {
+    if (ua.includes("Ubuntu")) return "Ubuntu";
+    if (ua.includes("Fedora")) return "Fedora";
+    if (ua.includes("Debian")) return "Debian";
+    return "Linux";
+  }
+  if (ua.includes("CrOS")) {
+    return "Chrome OS";
+  }
+  return null;
+}
+function detectDeviceType(ua) {
+  if (ua.includes("iPad") || ua.includes("Tablet") || ua.includes("Android") && !ua.includes("Mobile")) {
+    return "tablet";
+  }
+  if (ua.includes("iPhone") || ua.includes("iPod") || ua.includes("Android") || ua.includes("Mobile") || ua.includes("webOS") || ua.includes("BlackBerry") || ua.includes("IEMobile") || ua.includes("Opera Mini")) {
+    return "mobile";
+  }
+  if (ua.includes("Windows NT") || ua.includes("Mac OS X") || ua.includes("macOS") || ua.includes("Linux") || ua.includes("CrOS")) {
+    return "desktop";
+  }
+  return null;
+}
+// src/config/auth.ts
+var MIN_PASSWORD_LENGTH = 8;
+var MAX_PASSWORD_LENGTH = 128;
+var PASSWORD_REQUIREMENTS = {
+  minLength: MIN_PASSWORD_LENGTH,
+  maxLength: MAX_PASSWORD_LENGTH,
+  description: `Must be at least ${MIN_PASSWORD_LENGTH} characters`,
+  placeholder: `Min. ${MIN_PASSWORD_LENGTH} characters`
+};
+// src/config/billing.ts
+var BYTES_PER_GB = 1024 * 1024 * 1024;
+var MICRODOLLARS_PER_CENT = 1e4;
+var INVOICE_DUE_DAYS = 15;
+var SERVICE_METRICS = {
+  // KV (Key-Value Store)
+  kv: {
+    operations: "operations",
+    // User-friendly: "100K operations"
+    storage: "storage"
+    // GB-month
+  },
+  // Realtime (Pub/Sub Messaging)
+  realtime: {
+    messages: "messages",
+    // User-friendly: "100K messages"
+    connections: "connections"
+    // SSE subscribe connections
+  },
+  // Other services follow the same pattern
+  ai: {
+    tokens: "tokens"
+  },
+  email: {
+    emails: "emails",
+    marketingEmails: "marketing_emails"
+  },
+  notifications: {
+    sends: "sends"
+  },
+  analytics: {
+    events: "events",
+    forwarding: "forwarding"
+  },
+  storage: {
+    capacity: "capacity",
+    uploads: "uploads",
+    egress: "egress"
+  },
+  auth: {
+    mau: "mau"
+  },
+  flags: {
+    evaluations: "evaluations"
+  },
+  consent: {
+    records: "records"
+  },
+  referrals: {
+    conversions: "conversions"
+  },
+  engagement: {
+    operations: "operations"
+  },
+  billing: {
+    subscriptions: "subscriptions",
+    usageRecords: "usage_records"
+  },
+  search: {
+    documents: "documents",
+    searches: "searches"
+  },
+  webhooks: {
+    deliveries: "deliveries"
+  },
+  monitoring: {
+    errors: "errors"
+  },
+  jobs: {
+    invocations: "invocations",
+    cronSchedules: "cron_schedules"
+  },
+  database: {
+    computeSeconds: "compute_seconds",
+    storage: "storage",
+    dataTransferBytes: "data_transfer_bytes"
+  },
+  deploy: {
+    buildMinutes: "build_minutes"
+  }
+};
+var COMPUTE_VCPU_ACTIVE_RATE_MICRODOLLARS = 400;
+var COMPUTE_VCPU_IDLE_RATE_MICRODOLLARS = 50;
+var COMPUTE_RAM_RATE_MICRODOLLARS = 167;
+var BUILD_MINUTE_PRICES = {
+  standard: 14e3,
+  // $0.014/min
+  large: 3e4,
+  // $0.030/min
+  xlarge: 126e3
+  // $0.126/min
+};
+var BUILD_SIZE_MULTIPLIERS = {
+  standard: 1,
+  large: 2,
+  xlarge: 9
+};
+var BUILD_MINUTES_INCLUDED = {
+  free: 100,
+  pro: 500,
+  team: 2e3,
+  enterprise: 1e4
+};
+var CI_BUILD_MINUTE_PRICE_MICRODOLLARS = BUILD_MINUTE_PRICES.standard;
+var CI_FREE_MINUTES_PER_MONTH = BUILD_MINUTES_INCLUDED.team;
+var CI_SIZE_MULTIPLIERS = {
+  nano: 1,
+  small: 1,
+  standard: 1,
+  large: 2,
+  xlarge: 4,
+  "2xlarge": 8
+};
+var CI_MACOS_SIZE_MULTIPLIERS = {
+  standard: 10,
+  large: 20,
+  xlarge: 40
+};
+var CI_MACOS_MULTIPLIER = CI_MACOS_SIZE_MULTIPLIERS.standard;
+var CREDIT_EXPIRY_MONTHS = 12;
+var MAX_PAYMENT_ATTEMPTS = 3;
+var BILLING_ALLOWED_ROLES = ["super_admin", "admin", "billing"];
+function hasBillingAccess(role) {
+  return BILLING_ALLOWED_ROLES.includes(role);
+}
+// src/config/console-keys.ts
+var CONSOLE_APP_SLUG = "sylphx-console";
+function getEnvPrefix() {
+  const envType = process.env.NEXT_PUBLIC_ENV_TYPE;
+  if (envType === "development") return "dev";
+  if (envType === "staging") return "stg";
+  if (envType === "production") return "prod";
+  return process.env.NODE_ENV === "production" ? "prod" : "dev";
+}
+// src/config/instance-types.ts
+var VCPU_MINUTE_RATE = 463;
+var GIB_MINUTE_RATE = 232;
+var INSTANCE_TYPE_ALIASES = {
+  "starter-1x": "xs",
+  "standard-1x": "sm",
+  "standard-2x": "md",
+  "performance-m": "lg",
+  "performance-l": "xl",
+  "performance-xl": "2xl"
+};
+function resolveCanonicalInstanceType(id) {
+  return INSTANCE_TYPE_ALIASES[id] ?? id;
+}
+var INSTANCE_TYPES = {
+  // ---- Canonical T-shirt sizes (ADR-034) ----
+  xs: {
+    id: "xs",
+    name: "XS",
+    cpuLimit: "250m",
+    memoryLimit: "512Mi",
+    cpuRequest: "63m",
+    memoryRequest: "256Mi",
+    vcpus: 0.25,
+    memoryMib: 512,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["free", "starter", "pro", "team", "enterprise"],
+    maxReplicas: 1,
+    highlights: ["0.25 vCPU, 0.5 GiB RAM", "Available on all plans", "Ideal for dev/staging"]
+  },
+  sm: {
+    id: "sm",
+    name: "SM",
+    cpuLimit: "500m",
+    memoryLimit: "1Gi",
+    cpuRequest: "125m",
+    memoryRequest: "512Mi",
+    vcpus: 0.5,
+    memoryMib: 1024,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["starter", "pro", "team", "enterprise"],
+    maxReplicas: 3,
+    highlights: ["0.5 vCPU, 1 GiB RAM", "Good for lightweight services", "Starter plan default"]
+  },
+  md: {
+    id: "md",
+    name: "MD",
+    cpuLimit: "1000m",
+    memoryLimit: "2Gi",
+    cpuRequest: "250m",
+    memoryRequest: "1Gi",
+    vcpus: 1,
+    memoryMib: 2048,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["starter", "pro", "team", "enterprise"],
+    maxReplicas: 5,
+    highlights: ["1 vCPU, 2 GiB RAM", "Good for web apps and APIs", "Pro plan default"]
+  },
+  lg: {
+    id: "lg",
+    name: "LG",
+    cpuLimit: "2000m",
+    memoryLimit: "4Gi",
+    cpuRequest: "500m",
+    memoryRequest: "2Gi",
+    vcpus: 2,
+    memoryMib: 4096,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["pro", "team", "enterprise"],
+    maxReplicas: 10,
+    highlights: ["2 vCPUs, 4 GiB RAM", "High-throughput APIs and workers", "Team plan default"]
+  },
+  xl: {
+    id: "xl",
+    name: "XL",
+    cpuLimit: "4000m",
+    memoryLimit: "8Gi",
+    cpuRequest: "1000m",
+    memoryRequest: "4Gi",
+    vcpus: 4,
+    memoryMib: 8192,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["team", "enterprise"],
+    maxReplicas: 10,
+    highlights: ["4 vCPUs, 8 GiB RAM", "CI builds and ML inference", "Enterprise plan default"]
+  },
+  "2xl": {
+    id: "2xl",
+    name: "2XL",
+    cpuLimit: "8000m",
+    memoryLimit: "16Gi",
+    cpuRequest: "2000m",
+    memoryRequest: "8Gi",
+    vcpus: 8,
+    memoryMib: 16384,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["team", "enterprise"],
+    maxReplicas: 20,
+    highlights: ["8 vCPUs, 16 GiB RAM", "Heavy compute and large builds", "Team/Enterprise"]
+  },
+  "4xl": {
+    id: "4xl",
+    name: "4XL",
+    cpuLimit: "16000m",
+    memoryLimit: "32Gi",
+    cpuRequest: "4000m",
+    memoryRequest: "16Gi",
+    vcpus: 16,
+    memoryMib: 32768,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["enterprise"],
+    maxReplicas: 20,
+    highlights: ["16 vCPUs, 32 GiB RAM", "Maximum compute power", "Enterprise exclusive"]
+  },
+  // ---- Legacy names (deprecated — kept for backward compat with DB values) ----
+  /** @deprecated Use 'xs' instead */
+  "starter-1x": {
+    id: "starter-1x",
+    name: "Starter 1x",
+    cpuLimit: "1000m",
+    memoryLimit: "2Gi",
+    cpuRequest: "250m",
+    memoryRequest: "1Gi",
+    vcpus: 1,
+    memoryMib: 2048,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["free", "starter", "pro", "team", "enterprise"],
+    maxReplicas: 3,
+    highlights: ["1 vCPU, 2 GiB RAM", "Available on all plans", "Ideal for lightweight services"],
+    deprecated: true
+  },
+  /** @deprecated Use 'sm' instead */
+  "standard-1x": {
+    id: "standard-1x",
+    name: "Standard 1x",
+    cpuLimit: "2000m",
+    memoryLimit: "4Gi",
+    cpuRequest: "500m",
+    memoryRequest: "2Gi",
+    vcpus: 2,
+    memoryMib: 4096,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["starter", "pro", "team", "enterprise"],
+    maxReplicas: 5,
+    highlights: ["2 vCPUs, 4 GiB RAM", "Good for web apps and APIs", "Starter plan default"],
+    deprecated: true
+  },
+  /** @deprecated Use 'md' instead */
+  "standard-2x": {
+    id: "standard-2x",
+    name: "Standard 2x",
+    cpuLimit: "2000m",
+    memoryLimit: "8Gi",
+    cpuRequest: "500m",
+    memoryRequest: "4Gi",
+    vcpus: 2,
+    memoryMib: 8192,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["starter", "pro", "team", "enterprise"],
+    maxReplicas: 5,
+    highlights: [
+      "2 vCPUs, 8 GiB RAM",
+      "Double memory for data-heavy workloads",
+      "Pro plan default"
+    ],
+    deprecated: true
+  },
+  /** @deprecated Use 'lg' instead */
+  "performance-m": {
+    id: "performance-m",
+    name: "Performance M",
+    cpuLimit: "4000m",
+    memoryLimit: "16Gi",
+    cpuRequest: "1000m",
+    memoryRequest: "8Gi",
+    vcpus: 4,
+    memoryMib: 16384,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["pro", "team", "enterprise"],
+    maxReplicas: 10,
+    highlights: ["4 vCPUs, 16 GiB RAM", "High-throughput APIs and workers", "Team plan default"],
+    deprecated: true
+  },
+  /** @deprecated Use 'xl' instead */
+  "performance-l": {
+    id: "performance-l",
+    name: "Performance L",
+    cpuLimit: "8000m",
+    memoryLimit: "32Gi",
+    cpuRequest: "2000m",
+    memoryRequest: "16Gi",
+    vcpus: 8,
+    memoryMib: 32768,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["team", "enterprise"],
+    maxReplicas: 10,
+    highlights: ["8 vCPUs, 32 GiB RAM", "CI builds and ML inference", "Enterprise plan default"],
+    deprecated: true
+  },
+  /** @deprecated Use '2xl' instead */
+  "performance-xl": {
+    id: "performance-xl",
+    name: "Performance XL",
+    cpuLimit: "16000m",
+    memoryLimit: "64Gi",
+    cpuRequest: "4000m",
+    memoryRequest: "32Gi",
+    vcpus: 16,
+    memoryMib: 65536,
+    vcpuMinuteRateMicrodollars: VCPU_MINUTE_RATE,
+    gbMinuteRateMicrodollars: GIB_MINUTE_RATE,
+    allowedPlans: ["enterprise"],
+    maxReplicas: 20,
+    highlights: ["16 vCPUs, 64 GiB RAM", "Heavy compute and large builds", "Enterprise exclusive"],
+    deprecated: true
+  }
+};
+var INSTANCE_TYPE_ORDER = ["xs", "sm", "md", "lg", "xl", "2xl", "4xl"];
+var LEGACY_INSTANCE_TYPE_ORDER = [
+  "starter-1x",
+  "standard-1x",
+  "standard-2x",
+  "performance-m",
+  "performance-l",
+  "performance-xl"
+];
+var DEFAULT_INSTANCE_TYPE = {
+  free: "xs",
+  starter: "sm",
+  pro: "md",
+  team: "lg",
+  enterprise: "xl"
+};
+function getDefaultInstanceType(plan) {
+  return DEFAULT_INSTANCE_TYPE[plan];
+}
+function getAvailableInstanceTypes(plan) {
+  return INSTANCE_TYPE_ORDER.map((id) => INSTANCE_TYPES[id]).filter(
+    (t) => t.allowedPlans.includes(plan) && !t.deprecated
+  );
+}
+function resolveResources(id) {
+  const t = INSTANCE_TYPES[id];
+  return {
+    requests: { cpu: t.cpuRequest, memory: t.memoryRequest },
+    limits: { cpu: t.cpuLimit, memory: t.memoryLimit }
+  };
+}
+function resolveMaxReplicas(id) {
+  return INSTANCE_TYPES[id].maxReplicas;
+}
+var DEFAULT_MAX_REPLICAS = 10;
+function isValidInstanceType(id) {
+  return id in INSTANCE_TYPES;
+}
+function validateInstanceTypeForPlan(id, plan) {
+  const canonicalId = resolveCanonicalInstanceType(id);
+  if (!isValidInstanceType(canonicalId)) {
+    return { valid: false, error: `Unknown instance type: ${id}` };
+  }
+  const definition = INSTANCE_TYPES[canonicalId];
+  if (!definition.allowedPlans.includes(plan)) {
+    return {
+      valid: false,
+      error: `Instance type "${definition.name}" is not available on the ${plan} plan`
+    };
+  }
+  return { valid: true };
+}
+// src/config/platform-plans.ts
+var PLATFORM_PLANS = {
+  free: {
+    id: "free",
+    name: "Free",
+    priceMonthly: 0,
+    priceAnnual: 0,
+    includedCreditsMicrodollars: 5e6,
+    // $5
+    features: {
+      customDomains: false,
+      sso: false,
+      priorityCi: false,
+      macosCi: false,
+      support: "community",
+      sla: null,
+      rbac: false,
+      advancedAnalytics: false,
+      whiteLabel: false
+    },
+    limits: {
+      maxProjects: 1,
+      maxMembers: 1,
+      maxCustomDomains: 0,
+      maxConcurrentRunners: 1,
+      maxMacosRunners: 0,
+      maxDatabases: 1,
+      ciMaxJobDurationSeconds: 30 * 60,
+      // 30 min
+      apiRateLimitPerMin: 60,
+      auditLogDays: 0,
+      maxReplicas: 1,
+      includedBuildMinutes: 100,
+      includedBandwidthGb: 100,
+      logRetentionDays: 1,
+      buildMachineTier: "standard"
+    },
+    highlights: [
+      "1 project",
+      "$5 compute credits/mo",
+      "100 build minutes",
+      "100 GB bandwidth",
+      "Community support"
+    ],
+    cta: "Start free"
+  },
+  /**
+   * @deprecated ADR-034 removed the Starter tier. Retained for backward compatibility
+   * with existing subscribers. Not shown in pricing UI for new sign-ups.
+   */
+  starter: {
+    id: "starter",
+    name: "Starter",
+    deprecated: true,
+    priceMonthly: 1900,
+    // $19
+    priceAnnual: 18240,
+    // $19 x 12 x 0.80 = $182.40
+    includedCreditsMicrodollars: 19e6,
+    // $19
+    features: {
+      customDomains: true,
+      sso: false,
+      priorityCi: false,
+      macosCi: true,
+      support: "email",
+      sla: null,
+      rbac: false,
+      advancedAnalytics: false,
+      whiteLabel: false
+    },
+    limits: {
+      maxProjects: 10,
+      maxMembers: 10,
+      maxCustomDomains: 5,
+      maxConcurrentRunners: 5,
+      maxMacosRunners: 1,
+      maxDatabases: 10,
+      ciMaxJobDurationSeconds: 60 * 60,
+      // 1 hr
+      apiRateLimitPerMin: 300,
+      auditLogDays: 30,
+      maxReplicas: 3,
+      includedBuildMinutes: 250,
+      includedBandwidthGb: 500,
+      logRetentionDays: 7,
+      buildMachineTier: "standard"
+    },
+    highlights: ["$19 credits/mo", "10 projects", "Custom domains", "macOS CI", "Email support"],
+    cta: "Get started"
+  },
+  pro: {
+    id: "pro",
+    name: "Pro",
+    priceMonthly: 2e3,
+    // $20
+    priceAnnual: 19200,
+    // $20 x 12 x 0.80 = $192 ($16/mo)
+    includedCreditsMicrodollars: 2e7,
+    // $20
+    features: {
+      customDomains: true,
+      sso: false,
+      priorityCi: true,
+      macosCi: true,
+      support: "priority",
+      sla: "99.9%",
+      rbac: true,
+      advancedAnalytics: true,
+      whiteLabel: false
+    },
+    limits: {
+      maxProjects: null,
+      // unlimited
+      maxMembers: 25,
+      maxCustomDomains: null,
+      // unlimited
+      maxConcurrentRunners: 20,
+      maxMacosRunners: 5,
+      maxDatabases: null,
+      // unlimited
+      ciMaxJobDurationSeconds: 2 * 60 * 60,
+      // 2 hrs
+      apiRateLimitPerMin: 1e3,
+      auditLogDays: 90,
+      maxReplicas: 10,
+      includedBuildMinutes: 500,
+      includedBandwidthGb: 1e3,
+      logRetentionDays: 14,
+      buildMachineTier: "standard"
+    },
+    highlights: [
+      "Unlimited projects",
+      "$20 credits/mo",
+      "500 build minutes",
+      "1 TB bandwidth",
+      "Priority support",
+      "SLA 99.9%"
+    ],
+    badge: "Most Popular",
+    cta: "Start Pro"
+  },
+  team: {
+    id: "team",
+    name: "Team",
+    priceMonthly: 2e3,
+    // $20/user
+    priceAnnual: 19200,
+    // $192/user/yr ($16/user/mo)
+    includedCreditsMicrodollars: 2e7,
+    // $20/user
+    perSeat: true,
+    features: {
+      customDomains: true,
+      sso: true,
+      priorityCi: true,
+      macosCi: true,
+      support: "dedicated",
+      sla: "99.95%",
+      rbac: true,
+      advancedAnalytics: true,
+      whiteLabel: true
+    },
+    limits: {
+      maxProjects: null,
+      // unlimited
+      maxMembers: null,
+      // unlimited
+      maxCustomDomains: null,
+      // unlimited
+      maxConcurrentRunners: null,
+      // unlimited
+      maxMacosRunners: null,
+      // unlimited
+      maxDatabases: null,
+      // unlimited
+      ciMaxJobDurationSeconds: 6 * 60 * 60,
+      // 6 hrs
+      apiRateLimitPerMin: 5e3,
+      auditLogDays: 365,
+      maxReplicas: 20,
+      includedBuildMinutes: 2e3,
+      includedBandwidthGb: 5e3,
+      logRetentionDays: 30,
+      buildMachineTier: "large"
+    },
+    highlights: [
+      "$20/user/mo",
+      "SSO / SAML",
+      "2,000 large build minutes",
+      "5 TB bandwidth",
+      "Dedicated support",
+      "SLA 99.95%"
+    ],
+    cta: "Get Team"
+  },
+  enterprise: {
+    id: "enterprise",
+    name: "Enterprise",
+    priceMonthly: null,
+    // custom
+    priceAnnual: null,
+    // custom
+    includedCreditsMicrodollars: 0,
+    // negotiated
+    isCustom: true,
+    features: {
+      customDomains: true,
+      sso: true,
+      priorityCi: true,
+      macosCi: true,
+      support: "dedicated",
+      sla: "Custom",
+      rbac: true,
+      advancedAnalytics: true,
+      whiteLabel: true
+    },
+    limits: {
+      maxProjects: null,
+      maxMembers: null,
+      maxCustomDomains: null,
+      maxConcurrentRunners: null,
+      maxMacosRunners: null,
+      maxDatabases: null,
+      ciMaxJobDurationSeconds: 12 * 60 * 60,
+      apiRateLimitPerMin: 0,
+      // 0 = unlimited / negotiated
+      auditLogDays: 730,
+      maxReplicas: null,
+      // custom
+      includedBuildMinutes: 0,
+      // negotiated
+      includedBandwidthGb: 0,
+      // negotiated
+      logRetentionDays: 90,
+      buildMachineTier: "xlarge"
+    },
+    highlights: [
+      "Custom credit volume",
+      "Volume discounts",
+      "Dedicated infrastructure",
+      "Custom SLA",
+      "White-glove onboarding",
+      "Custom contracts"
+    ],
+    cta: "Contact sales"
+  }
+};
+var PLATFORM_PLAN_ORDER = ["free", "pro", "team", "enterprise"];
+var PLATFORM_PLAN_ORDER_ALL = [
+  "free",
+  "starter",
+  "pro",
+  "team",
+  "enterprise"
+];
+function isPlanDeprecated(planId) {
+  return PLATFORM_PLANS[planId].deprecated === true;
+}
+function getActivePlans() {
+  return PLATFORM_PLAN_ORDER.map((id) => PLATFORM_PLANS[id]);
+}
+function microsToDollars(microdollars) {
+  return `$${(microdollars / 1e6).toFixed(0)}`;
+}
+function centsToDollars(cents) {
+  return `$${(cents / 100).toFixed(0)}`;
+}
+function getPlanMonthlyPrice(plan, annual = false) {
+  if (plan.isCustom) return "Custom";
+  const cents = annual && plan.priceAnnual != null ? Math.round(plan.priceAnnual / 12) : plan.priceMonthly;
+  if (cents == null) return "Custom";
+  if (cents === 0) return "$0";
+  const base = centsToDollars(cents);
+  return plan.perSeat ? `${base}/user` : base;
+}
 // src/debug.ts
 var DEBUG_STORAGE_KEY = "sylphx_debug";
 function isDebugEnabled() {
@@ -5880,400 +7173,98 @@ init_errors();
 // src/auth.ts
 import { authEndpoints } from "@sylphx/contract";
-async function signIn(config, input) {
-  const body = input;
-  const endpoint = authEndpoints.signIn;
-  return callApi(config, endpoint.path, {
-    method: endpoint.method,
-    body
-  });
-}
-async function signUp(config, input) {
-  const endpoint = authEndpoints.signUp;
-  return callApi(config, endpoint.path, {
-    method: endpoint.method,
-    body: input
-  });
-}
-async function signOut(config) {
-  const endpoint = authEndpoints.signOut;
-  await callApi(config, endpoint.path, { method: endpoint.method });
-}
-async function refreshToken(config, token) {
-  return callApi(config, "/auth/token", {
-    method: "POST",
-    body: {
-      grant_type: "refresh_token",
-      refresh_token: token,
-      client_secret: config.secretKey
+// src/dpop.ts
+var dpop = {
+  /**
+   * Generate a fresh ES256 key pair. Private key is non-extractable
+   * (`extractable: false`) so it can be stored but never serialised.
+   */
+  async generateKeyPair() {
+    const { privateKey, publicKey } = await crypto.subtle.generateKey(
+      { name: "ECDSA", namedCurve: "P-256" },
+      false,
+      ["sign", "verify"]
+    );
+    const publicJwk = await crypto.subtle.exportKey("jwk", publicKey);
+    const thumbprint = await thumbprintFromJwk(sanitisePublicJwk(publicJwk));
+    return { privateKey, publicKey, thumbprint };
+  },
+  /**
+   * Sign a DPoP proof JWT. When `accessToken` is provided, the proof
+   * includes `ath = base64url(sha256(accessToken))` so the resource
+   * server can bind the proof to the token being presented.
+   */
+  async generateProof(opts) {
+    const publicJwkRaw = await crypto.subtle.exportKey("jwk", opts.publicKey);
+    const publicJwk = sanitisePublicJwk(publicJwkRaw);
+    const header = { typ: "dpop+jwt", alg: "ES256", jwk: publicJwk };
+    const payload = {
+      jti: randomJti(),
+      htm: opts.method.toUpperCase(),
+      htu: stripQueryAndFragment(opts.uri),
+      iat: Math.floor(Date.now() / 1e3)
+    };
+    if (opts.accessToken) {
+      payload.ath = await sha256Base64Url(new TextEncoder().encode(opts.accessToken));
     }
-  });
-}
-async function verifyEmail(config, token) {
-  await callApi(config, "/auth/verify-email", {
-    method: "POST",
-    body: { token }
-  });
-}
-async function forgotPassword(config, email, options = {}) {
-  await callApi(config, "/auth/forgot-password", {
-    method: "POST",
-    body: {
-      email,
-      ...options.redirectUrl ? { redirectUrl: options.redirectUrl } : {}
-    }
-  });
-}
-async function resendVerificationEmail(config, email) {
-  const endpoint = authEndpoints.resendEmailVerification;
-  const body = { email };
-  await callApi(config, endpoint.path, {
-    method: endpoint.method,
-    body
-  });
-}
-async function resetPassword(config, input) {
-  await callApi(config, "/auth/reset-password", {
-    method: "POST",
-    body: { token: input.token, password: input.password }
-  });
-}
-async function getSession(config) {
-  if (!config.accessToken) {
-    return { user: null };
-  }
-  const endpoint = authEndpoints.getSession;
-  try {
-    const user2 = await callApi(config, endpoint.path, {
-      method: endpoint.method
-    });
-    return { user: user2 };
-  } catch {
-    return { user: null };
-  }
-}
-async function verifyTwoFactor(config, userId, code) {
-  return callApi(config, "/auth/verify-2fa", {
-    method: "POST",
-    body: { userId, code }
-  });
-}
-async function introspectToken(config, token, tokenTypeHint) {
-  const response = await fetch(buildApiUrl(config, "/auth/introspect"), {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      // RFC 7662 §2: server-to-server call — authenticate with secret key
-      "x-app-secret": config.secretKey ?? ""
-    },
-    body: JSON.stringify({
-      token,
-      token_type_hint: tokenTypeHint
-    })
-  });
-  if (!response.ok) {
-    return { active: false };
-  }
-  return response.json();
-}
-async function revokeToken(config, token, options) {
-  await fetch(buildApiUrl(config, "/auth/revoke"), {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({
-      token: options?.revokeAll ? void 0 : token,
-      client_secret: config.secretKey,
-      user_id: options?.userId,
-      revoke_all: options?.revokeAll
-    })
-  });
-}
-async function revokeAllTokens(config, userId) {
-  await revokeToken(config, "", { revokeAll: true, userId });
-}
-async function extendedSignUp(config, input) {
-  return callApi(config, "/auth/register", {
-    method: "POST",
-    body: input
-  });
-}
-async function inviteUser(config, input) {
-  return callApi(config, "/auth/invite", {
-    method: "POST",
-    body: input
-  });
-}
-function normalizeOrgScopedTokenResponse(data) {
-  const accessToken = data.accessToken ?? data.access_token;
-  if (!accessToken) {
-    throw new Error("Invalid org-scoped token response: missing access token");
-  }
-  return {
-    token: accessToken,
-    accessToken,
-    expiresIn: data.expiresIn ?? data.expires_in,
-    tokenType: data.tokenType ?? data.token_type,
-    user: data.user
-  };
-}
-async function getOrgScopedToken(config, orgId) {
-  const data = await callApi(config, "/auth/switch-org", {
-    method: "POST",
-    body: { orgId }
-  });
-  return normalizeOrgScopedTokenResponse(data);
-}
-async function switchOrg(config, orgId) {
-  return getOrgScopedToken(config, orgId);
-}
-var device = {
-  /**
-   * Start a device authorization grant.
-   *
-   * Returns a `DeviceGrant` with `verification_uri_complete` (open this
-   * in the user's browser) and `device_code` (use for polling).
-   *
-   * @example
-   * ```typescript
-   * const grant = await device.init({
-   *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-   *   clientId: 'sylphx-cli',
-   *   scope: ['org:read', 'project:*'],
-   * })
-   * openBrowser(grant.verification_uri_complete)
-   * ```
-   */
-  async init(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/device`, {
-      method: "POST",
-      headers: buildDeviceHeaders(opts.userAgent),
-      body: JSON.stringify({
-        client_id: opts.clientId,
-        scope: opts.scope ?? []
-      })
-    });
-    if (!res.ok) throw await deviceError(res, "device.init");
-    return await res.json();
-  },
-  /**
-   * Poll a pending grant. Returns `status: 'pending' | 'approved' |
-   * 'denied' | 'expired'`. On `approved`, the result carries the OAuth
-   * pair (access_token + refresh_token).
-   *
-   * Callers MUST respect the `interval` returned by `init()` — polling
-   * faster than that may return 429 slow_down (RFC 8628 §5.5).
-   */
-  async poll(opts) {
-    const url = new URL(`${opts.baseUrl.replace(/\/$/, "")}/auth/device/poll`);
-    url.searchParams.set("device_code", opts.deviceCode);
-    const res = await fetch(url.toString(), {
-      method: "GET",
-      headers: buildDeviceHeaders(opts.userAgent)
-    });
-    if (!res.ok) throw await deviceError(res, "device.poll");
-    return await res.json();
-  },
-  /**
-   * Browser leg — the approving user confirms the grant.
-   *
-   * Requires a valid platform-issued access token (`Authorization:
-   * Bearer <accessToken>`) proving the user is logged in on the
-   * Console. Typically called by the Console's `/device` verification
-   * page server-side, forwarding the user's session JWT.
-   */
-  async approve(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/device/approve`, {
-      method: "POST",
-      headers: {
-        ...buildDeviceHeaders(opts.userAgent),
-        Authorization: `Bearer ${opts.accessToken}`
-      },
-      body: JSON.stringify({ user_code: opts.userCode })
-    });
-    if (!res.ok) throw await deviceError(res, "device.approve");
-    return await res.json();
-  },
-  /**
-   * Browser leg — the user declines the grant.
-   *
-   * Requires a valid platform-issued access token just like `approve`.
-   */
-  async deny(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/device/deny`, {
-      method: "POST",
-      headers: {
-        ...buildDeviceHeaders(opts.userAgent),
-        Authorization: `Bearer ${opts.accessToken}`
-      },
-      body: JSON.stringify({ user_code: opts.userCode })
-    });
-    if (!res.ok) throw await deviceError(res, "device.deny");
-    return await res.json();
-  }
-};
-function buildDeviceHeaders(userAgent) {
-  const headers = {
-    "Content-Type": "application/json"
-  };
-  if (userAgent) headers["User-Agent"] = userAgent;
-  return headers;
-}
-var sessions = {
-  /**
-   * List every active platform session for the authenticated user.
-   *
-   * Ordering: most-recently-active first.
-   *
-   * @example
-   * ```typescript
-   * const { sessions } = await auth.sessions.list({
-   *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-   *   accessToken: platformJwt,
-   * })
-   * ```
-   */
-  async list(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions`, {
-      method: "GET",
-      headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent)
-    });
-    if (!res.ok) throw await platformSessionError(res, "sessions.list");
-    return await res.json();
-  },
-  /**
-   * Revoke a specific platform session by id.
-   *
-   * `sessionId` accepts either the prefixed TypeID (`sess_*`) or the
-   * raw UUID — the BaaS side normalises via `parseIdOrError`.
-   *
-   * @example
-   * ```typescript
-   * await auth.sessions.revoke({
-   *   baseUrl,
-   *   accessToken,
-   *   sessionId: 'sess_01hxyz...',
-   * })
-   * ```
-   */
-  async revoke(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions/revoke`, {
-      method: "POST",
-      headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent),
-      body: JSON.stringify({ sessionId: opts.sessionId })
-    });
-    if (!res.ok) throw await platformSessionError(res, "sessions.revoke");
-    return await res.json();
-  },
-  /**
-   * Revoke every platform session except the one presenting the
-   * current access token. Used by "sign me out of all other devices".
-   *
-   * When the caller's JWT has no `sid` claim (pure-Bearer CLI/CI
-   * flows), this degenerates to `revokeAll` — every session is
-   * wiped — because there's no "current" row to keep.
-   *
-   * @example
-   * ```typescript
-   * const { revokedCount } = await auth.sessions.revokeOther({
-   *   baseUrl,
-   *   accessToken,
-   * })
-   * ```
-   */
-  async revokeOther(opts) {
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions/revoke-other`,
-      {
-        method: "POST",
-        headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent)
-      }
-    );
-    if (!res.ok) throw await platformSessionError(res, "sessions.revokeOther");
-    return await res.json();
-  },
-  /**
-   * Revoke every platform session for the user, including the
-   * caller's own. Used by "sign me out everywhere" — after a
-   * password change, a compromise scare, or GDPR-style erasure.
-   *
-   * The response includes the count of sessions that were
-   * revoked so the caller can surface it in a toast or audit UI.
-   *
-   * @example
-   * ```typescript
-   * const { count } = await auth.sessions.revokeAll({
-   *   baseUrl,
-   *   accessToken,
-   * })
-   * ```
-   */
-  async revokeAll(opts) {
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions/revoke-all`,
-      {
-        method: "POST",
-        headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent)
-      }
+    if (opts.nonce) payload.nonce = opts.nonce;
+    const headerB64 = base64UrlEncode(new TextEncoder().encode(JSON.stringify(header)));
+    const payloadB64 = base64UrlEncode(new TextEncoder().encode(JSON.stringify(payload)));
+    const signingInput = `${headerB64}.${payloadB64}`;
+    const signingBytes = new TextEncoder().encode(signingInput);
+    const signingBuf = new Uint8Array(signingBytes.byteLength);
+    signingBuf.set(signingBytes);
+    const sigBuf = await crypto.subtle.sign(
+      { name: "ECDSA", hash: "SHA-256" },
+      opts.privateKey,
+      signingBuf.buffer
     );
-    if (!res.ok) throw await platformSessionError(res, "sessions.revokeAll");
-    return await res.json();
-  },
-  /**
-   * Rename a platform session (device label).
-   *
-   * `sessionId` accepts either the prefixed TypeID or the raw UUID;
-   * `name` is a user-supplied string (≤100 chars) surfaced in the
-   * "Active sessions" Console UI.
-   *
-   * @example
-   * ```typescript
-   * await auth.sessions.rename({
-   *   baseUrl,
-   *   accessToken,
-   *   sessionId,
-   *   name: 'MacBook (work)',
-   * })
-   * ```
-   */
-  async rename(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions/rename`, {
-      method: "POST",
-      headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent),
-      body: JSON.stringify({
-        sessionId: opts.sessionId,
-        name: opts.name
-      })
-    });
-    if (!res.ok) throw await platformSessionError(res, "sessions.rename");
-    return await res.json();
+    const sigB64 = base64UrlEncode(new Uint8Array(sigBuf));
+    return `${signingInput}.${sigB64}`;
   }
 };
-function buildPlatformSessionsHeaders(accessToken, userAgent) {
-  const headers = {
-    "Content-Type": "application/json",
-    Authorization: `Bearer ${accessToken}`
-  };
-  if (userAgent) headers["User-Agent"] = userAgent;
-  return headers;
+function sanitisePublicJwk(jwk) {
+  if (jwk.kty !== "EC" || jwk.crv !== "P-256" || !jwk.x || !jwk.y) {
+    throw new Error("DPoP expects ES256 (EC P-256) JWK");
+  }
+  return { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y };
+}
+async function thumbprintFromJwk(jwk) {
+  const canonical = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y });
+  return sha256Base64Url(new TextEncoder().encode(canonical));
+}
+async function sha256Base64Url(data) {
+  const copy = new Uint8Array(data.byteLength);
+  copy.set(data);
+  const digest2 = await crypto.subtle.digest("SHA-256", copy.buffer);
+  return base64UrlEncode(new Uint8Array(digest2));
+}
+function base64UrlEncode(bytes) {
+  let s = "";
+  for (let i = 0; i < bytes.length; i++) s += String.fromCharCode(bytes[i]);
+  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function stripQueryAndFragment(uri) {
+  try {
+    const u = new URL(uri);
+    return `${u.protocol}//${u.host}${u.pathname}`;
+  } catch {
+    const q = uri.indexOf("?");
+    const h = uri.indexOf("#");
+    const cut = [q, h].filter((i) => i >= 0).sort((a, b) => a - b)[0];
+    return cut === void 0 ? uri : uri.slice(0, cut);
+  }
+}
+function randomJti() {
+  const bytes = new Uint8Array(16);
+  crypto.getRandomValues(bytes);
+  return base64UrlEncode(bytes);
 }
+// src/platform-auth.ts
+init_errors();
 var platformAuth = {
-  /**
-   * Rotate a Platform refresh token. The presented token is consumed
-   * single-use; the response carries a fresh access JWT plus the
-   * rotated refresh token that supersedes it.
-   *
-   * On reuse-detection / expiry the server returns 401 — the SDK
-   * preserves the upstream message so callers can pattern-match
-   * `"reuse"` per RFC 6819 §5.2.2.3 and scrub local credentials.
-   *
-   * @example
-   * ```typescript
-   * const tokens = await auth.platformAuth.refresh({
-   *   baseUrl: 'https://sylphx.com',
-   *   refreshToken: stored.refreshToken,
-   * })
-   * ```
-   */
   async refresh(opts) {
     const headers = { "Content-Type": "application/json" };
     if (opts.userAgent) headers["User-Agent"] = opts.userAgent;
@@ -6286,19 +7277,6 @@ var platformAuth = {
     if (!res.ok) throw await platformAuthError(res, "platformAuth.refresh");
     return await res.json();
   },
-  /**
-   * Revoke a Platform refresh token (logout). Server-side revocation
-   * failure is the caller's call to surface — local-credential cleanup
-   * is the CLI's responsibility (logout must succeed offline).
-   *
-   * @example
-   * ```typescript
-   * await auth.platformAuth.logout({
-   *   baseUrl: 'https://sylphx.com',
-   *   refreshToken: stored.refreshToken,
-   * })
-   * ```
-   */
   async logout(opts) {
     const headers = { "Content-Type": "application/json" };
     if (opts.userAgent) headers["User-Agent"] = opts.userAgent;
@@ -6312,7 +7290,6 @@ var platformAuth = {
   }
 };
 async function platformAuthError(res, operation) {
-  const { SylphxError: SylphxError2 } = await Promise.resolve().then(() => (init_errors(), errors_exports));
   const body = await res.text().catch(() => "");
   let code = "platform_auth_error";
   let message2 = `${operation} failed: HTTP ${res.status}`;
@@ -6334,327 +7311,137 @@ async function platformAuthError(res, operation) {
   else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
   else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
   else errorCode = "BAD_REQUEST";
-  return new SylphxError2(message2, {
-    code: errorCode,
-    status: res.status,
-    data: { operation, code }
-  });
-}
-async function platformSessionError(res, operation) {
-  const { SylphxError: SylphxError2 } = await Promise.resolve().then(() => (init_errors(), errors_exports));
-  const body = await res.text().catch(() => "");
-  let code = "platform_sessions_error";
-  let message2 = `${operation} failed: HTTP ${res.status}`;
-  try {
-    const parsed = JSON.parse(body);
-    if (parsed.error) code = parsed.error;
-    if (parsed.error_description) message2 = parsed.error_description;
-    else if (parsed.message) message2 = parsed.message;
-  } catch {
-  }
-  let errorCode;
-  if (res.status === 401) errorCode = "UNAUTHORIZED";
-  else if (res.status === 404) errorCode = "NOT_FOUND";
-  else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
-  else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
-  else errorCode = "BAD_REQUEST";
-  return new SylphxError2(message2, {
+  return new SylphxError(message2, {
     code: errorCode,
     status: res.status,
     data: { operation, code }
   });
 }
-async function deviceError(res, operation) {
-  const { SylphxError: SylphxError2 } = await Promise.resolve().then(() => (init_errors(), errors_exports));
-  const body = await res.text().catch(() => "");
-  let code = "device_flow_error";
-  let message2 = `${operation} failed: HTTP ${res.status}`;
-  try {
-    const parsed = JSON.parse(body);
-    if (parsed.error) code = parsed.error;
-    if (parsed.error_description) message2 = parsed.error_description;
-  } catch {
-  }
-  return new SylphxError2(message2, {
-    code: res.status === 429 ? "TOO_MANY_REQUESTS" : "BAD_REQUEST",
-    status: res.status,
-    data: { operation, code }
-  });
-}
-var password = {
-  /**
-   * Check whether the authenticated platform user has a password set.
-   *
-   * Returns `{ hasPassword: true }` for users that signed up with
-   * email+password (or later called `set`), `{ hasPassword: false }`
-   * for OAuth-only users (e.g. signed up via Google/GitHub).
-   *
-   * @example
-   * ```typescript
-   * const { hasPassword } = await auth.password.status({
-   *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-   *   accessToken: platformJwt,
-   * })
-   * ```
-   */
-  async status(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-password/status`, {
-      method: "GET",
-      headers: buildPlatformPasswordHeaders(opts.accessToken, opts.userAgent)
-    });
-    if (!res.ok) throw await platformPasswordError(res, "password.status");
+// src/platform-impersonation.ts
+init_errors();
+var impersonation = {
+  async start(opts) {
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/start`,
+      {
+        method: "POST",
+        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
+        body: JSON.stringify({
+          targetUserId: opts.targetUserId,
+          ...opts.ipAddress !== void 0 && { ipAddress: opts.ipAddress },
+          ...opts.userAgent !== void 0 && { userAgent: opts.userAgent }
+        })
+      }
+    );
+    if (!res.ok) throw await impersonationError(res, "impersonation.start");
     return await res.json();
   },
-  /**
-   * Set an initial password for an OAuth-only user.
-   *
-   * Fails with 400 if the user already has a password (use `change`
-   * instead), if the password is <8 characters, or if HIBP reports
-   * the password as breached. BaaS invalidates every other session
-   * for the user (keeping the caller's current one) after a
-   * successful set.
-   *
-   * @example
-   * ```typescript
-   * await auth.password.set({
-   *   baseUrl,
-   *   accessToken,
-   *   password: 'correct-horse-battery-staple',
-   * })
-   * ```
-   */
-  async set(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-password/set`, {
+  async end(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/end`, {
       method: "POST",
-      headers: buildPlatformPasswordHeaders(opts.accessToken, opts.userAgent),
-      body: JSON.stringify({
-        password: opts.password
-      })
+      headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
+      body: JSON.stringify(opts.sessionId !== void 0 ? { sessionId: opts.sessionId } : {})
     });
-    if (!res.ok) throw await platformPasswordError(res, "password.set");
+    if (!res.ok) throw await impersonationError(res, "impersonation.end");
     return await res.json();
   },
-  /**
-   * Change an existing password.
-   *
-   * Verifies `currentPassword` server-side; a mismatch returns 401.
-   * OAuth-only users (no existing password) get 400 — use `set`
-   * instead. New password must be ≥8 characters and must not be in
-   * HIBP's breach database. BaaS invalidates every other session
-   * for the user (keeping the caller's current one) after a
-   * successful change.
-   *
-   * @example
-   * ```typescript
-   * await auth.password.change({
-   *   baseUrl,
-   *   accessToken,
-   *   currentPassword: 'old-plaintext',
-   *   newPassword: 'new-plaintext',
-   * })
-   * ```
-   */
-  async change(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-password/change`, {
-      method: "POST",
-      headers: buildPlatformPasswordHeaders(opts.accessToken, opts.userAgent),
-      body: JSON.stringify({
-        currentPassword: opts.currentPassword,
-        newPassword: opts.newPassword
-      })
-    });
-    if (!res.ok) throw await platformPasswordError(res, "password.change");
+  async info(opts) {
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/info/${encodeURIComponent(opts.sessionId)}`,
+      {
+        method: "GET",
+        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent)
+      }
+    );
+    if (!res.ok) throw await impersonationError(res, "impersonation.info");
+    return await res.json();
+  },
+  async active(opts) {
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/active`,
+      {
+        method: "GET",
+        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent)
+      }
+    );
+    if (!res.ok) throw await impersonationError(res, "impersonation.active");
+    return await res.json();
+  },
+  async startChallenge(opts) {
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/start-challenge`,
+      {
+        method: "POST",
+        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
+        body: JSON.stringify({
+          targetUserId: opts.targetUserId,
+          reason: opts.reason
+        })
+      }
+    );
+    if (!res.ok) throw await impersonationError(res, "impersonation.startChallenge");
+    return await res.json();
+  },
+  async startStepup(opts) {
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/start`,
+      {
+        method: "POST",
+        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
+        body: JSON.stringify({
+          requestId: opts.requestId,
+          challengeKey: opts.challengeKey,
+          assertion: opts.assertion,
+          ...opts.emergencyBypass ? { emergencyBypass: true } : {}
+        })
+      }
+    );
+    if (!res.ok) throw await impersonationError(res, "impersonation.startStepup");
     return await res.json();
-  }
-};
-function buildPlatformPasswordHeaders(accessToken, userAgent) {
-  const headers = {
-    "Content-Type": "application/json",
-    Authorization: `Bearer ${accessToken}`
-  };
-  if (userAgent) headers["User-Agent"] = userAgent;
-  return headers;
-}
-async function platformPasswordError(res, operation) {
-  const { SylphxError: SylphxError2 } = await Promise.resolve().then(() => (init_errors(), errors_exports));
-  const body = await res.text().catch(() => "");
-  let code = "platform_password_error";
-  let message2 = `${operation} failed: HTTP ${res.status}`;
-  try {
-    const parsed = JSON.parse(body);
-    if (parsed.error) code = parsed.error;
-    if (parsed.error_description) message2 = parsed.error_description;
-    else if (parsed.message) message2 = parsed.message;
-  } catch {
-  }
-  let errorCode;
-  if (res.status === 401) errorCode = "UNAUTHORIZED";
-  else if (res.status === 404) errorCode = "NOT_FOUND";
-  else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
-  else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
-  else errorCode = "BAD_REQUEST";
-  return new SylphxError2(message2, {
-    code: errorCode,
-    status: res.status,
-    data: { operation, code }
-  });
-}
-var user = {
-  /**
-   * Export every piece of personal data the platform holds about the
-   * authenticated user (GDPR Article 20 — right to data portability).
-   *
-   * The returned record is deliberately loose — it contains the user
-   * row, sessions, OAuth accounts, login history, security alerts,
-   * organization memberships, subscriptions, per-project memberships,
-   * and storage file metadata. Shape varies with customer provisioning.
-   *
-   * @example
-   * ```typescript
-   * const data = await auth.user.exportData({
-   *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-   *   accessToken: platformJwt,
-   * })
-   * downloadAsJson(data, 'my-sylphx-data.json')
-   * ```
-   */
-  async exportData(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/export`, {
-      method: "GET",
-      headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent)
-    });
-    if (!res.ok) throw await platformUserError(res, "user.exportData");
+  },
+  async respondConsent(opts) {
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/impersonation-consent/${encodeURIComponent(opts.requestId)}`,
+      {
+        method: "POST",
+        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
+        body: JSON.stringify({ decision: opts.decision })
+      }
+    );
+    if (!res.ok) throw await impersonationError(res, "impersonation.respondConsent");
     return await res.json();
   },
-  /**
-   * Permanently delete the authenticated user's account (GDPR Article
-   * 17 — right to erasure). Cascades through every provisioned project
-   * DB, cancels Stripe subscriptions, deletes S3 blobs, and anonymises
-   * billing transactions. Emits a `user.deleted` event so downstream
-   * systems can clean up their own state.
-   *
-   * Returns `{ success: true, deletedData: [...] }` on success where
-   * `deletedData` lists the resource kinds that were erased.
-   *
-   * @remarks
-   * This operation is irreversible. Production callers SHOULD require
-   * a challenge step (2FA / password confirm / WebAuthn) before
-   * invoking this — the BaaS route does NOT perform challenge
-   * verification in Phase 2d. ADR-089 Phase 5.11 lands passkey-primary
-   * with WebAuthn-required step-up and will add the check at the
-   * BaaS boundary.
-   *
-   * @example
-   * ```typescript
-   * const result = await auth.user.deleteAccount({
-   *   baseUrl,
-   *   accessToken,
-   *   reason: 'user_request',
-   * })
-   * if (result.success) signOutAndRedirect('/goodbye')
-   * ```
-   */
-  async deleteAccount(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/account`, {
-      method: "DELETE",
-      headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent),
-      body: JSON.stringify({
-        ...opts.reason !== void 0 && { reason: opts.reason }
-      })
-    });
-    if (!res.ok) throw await platformUserError(res, "user.deleteAccount");
+  async listRequests(opts) {
+    const params = new URLSearchParams();
+    if (opts.filter?.operatorId) params.set("operatorId", opts.filter.operatorId);
+    if (opts.filter?.targetUserId) params.set("targetUserId", opts.filter.targetUserId);
+    if (opts.filter?.status) params.set("status", opts.filter.status);
+    if (opts.filter?.limit != null) params.set("limit", String(opts.filter.limit));
+    const qs = params.toString();
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/requests${qs ? `?${qs}` : ""}`,
+      {
+        method: "GET",
+        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent)
+      }
+    );
+    if (!res.ok) throw await impersonationError(res, "impersonation.listRequests");
     return await res.json();
   },
-  /**
-   * Async GDPR Article 20 export job API (ADR-089 Phase 5.5).
-   *
-   * `user.exportData` above is the Phase 2d synchronous shortcut —
-   * kept for backward compat but production callers SHOULD prefer the
-   * async flow: large users routinely exceed a single HTTP deadline
-   * during enumeration.
-   *
-   * Typical flow:
-   *
-   * ```ts
-   * const job = await auth.user.exports.initiate({ baseUrl, accessToken })
-   * // Poll until terminal:
-   * while (true) {
-   *   const cur = await auth.user.exports.status({ baseUrl, accessToken, id: job.id })
-   *   if (cur.status === 'complete') break
-   *   if (cur.status === 'failed') throw new Error(cur.errorMessage ?? 'export failed')
-   *   await new Promise(r => setTimeout(r, 2000))
-   * }
-   * const blob = await auth.user.exports.download({ baseUrl, accessToken, id: job.id })
-   * saveAs(blob, 'sylphx-export.json')
-   * ```
-   *
-   * Rate limit: 1 `initiate` per 24h per user. Polling + downloading
-   * are NOT rate-limited through that bucket (they're cheap reads).
-   */
-  exports: {
-    /**
-     * Kick off an export job. Returns the job row in `pending` status
-     * with a 202-Accepted semantic — the HTTP layer has accepted the
-     * request but the payload is not yet materialized. Poll
-     * `status({ id })` until `status === 'complete'`.
-     */
-    async initiate(opts) {
-      const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/export`, {
+  async endSession(opts) {
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/end/${encodeURIComponent(opts.requestId)}`,
+      {
         method: "POST",
-        headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent),
-        body: JSON.stringify(opts.format !== void 0 ? { format: opts.format } : {})
-      });
-      if (!res.ok) throw await platformUserError(res, "user.exports.initiate");
-      return await res.json();
-    },
-    /**
-     * Read the current state of an in-flight or completed export job.
-     * Returns 404 (via thrown `SylphxError`) if the job id is unknown
-     * OR owned by a different user — cross-user probes can't
-     * distinguish the two.
-     */
-    async status(opts) {
-      const res = await fetch(
-        `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/export/${encodeURIComponent(
-          opts.id
-        )}`,
-        {
-          method: "GET",
-          headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent)
-        }
-      );
-      if (!res.ok) throw await platformUserError(res, "user.exports.status");
-      return await res.json();
-    },
-    /**
-     * Download the completed export payload. The BaaS route returns a
-     * 302 to a freshly-signed object-storage URL; we follow the redirect
-     * (standard `fetch` default) and resolve to the raw `Blob`.
-     *
-     * The integrity headers `X-Sylphx-Export-Sha256` + `X-Sylphx-Export-Size`
-     * are available on the final response — CLI consumers SHOULD verify
-     * the SHA-256 client-side before handing the archive to the user.
-     */
-    async download(opts) {
-      const res = await fetch(
-        `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/export/${encodeURIComponent(
-          opts.id
-        )}/download`,
-        {
-          method: "GET",
-          headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent)
-        }
-      );
-      if (!res.ok) throw await platformUserError(res, "user.exports.download");
-      const sha256 = res.headers.get("X-Sylphx-Export-Sha256");
-      const sizeHeader = res.headers.get("X-Sylphx-Export-Size");
-      const sizeBytes = sizeHeader ? Number.parseInt(sizeHeader, 10) : null;
-      const blob = await res.blob();
-      return { blob, sha256, sizeBytes: Number.isFinite(sizeBytes) ? sizeBytes : null };
-    }
+        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent)
+      }
+    );
+    if (!res.ok) throw await impersonationError(res, "impersonation.endSession");
+    return await res.json();
   }
 };
-function buildPlatformUserHeaders(accessToken, userAgent) {
+function buildImpersonationHeaders(accessToken, userAgent) {
   const headers = {
     "Content-Type": "application/json",
     Authorization: `Bearer ${accessToken}`
@@ -6662,10 +7449,9 @@ function buildPlatformUserHeaders(accessToken, userAgent) {
   if (userAgent) headers["User-Agent"] = userAgent;
   return headers;
 }
-async function platformUserError(res, operation) {
-  const { SylphxError: SylphxError2 } = await Promise.resolve().then(() => (init_errors(), errors_exports));
+async function impersonationError(res, operation) {
   const body = await res.text().catch(() => "");
-  let code = "platform_user_error";
+  let code = "platform_impersonation_error";
   let message2 = `${operation} failed: HTTP ${res.status}`;
   try {
     const parsed = JSON.parse(body);
@@ -6676,16 +7462,20 @@ async function platformUserError(res, operation) {
   }
   let errorCode;
   if (res.status === 401) errorCode = "UNAUTHORIZED";
+  else if (res.status === 403) errorCode = "UNAUTHORIZED";
   else if (res.status === 404) errorCode = "NOT_FOUND";
+  else if (res.status === 409) errorCode = "CONFLICT";
   else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
   else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
   else errorCode = "BAD_REQUEST";
-  return new SylphxError2(message2, {
+  return new SylphxError(message2, {
     code: errorCode,
     status: res.status,
     data: { operation, code }
   });
 }
+// src/platform-jwt.ts
 var jwtJwksCache = null;
 function resetPlatformJwksCache() {
   jwtJwksCache = null;
@@ -6797,24 +7587,167 @@ var cookies = {
     return body;
   }
 };
+// src/platform-oauth.ts
+init_errors();
+// src/oauth-token.ts
+init_errors();
+var OAUTH_TOKEN_ERROR_CODES = /* @__PURE__ */ new Set([
+  "invalid_request",
+  "invalid_client",
+  "invalid_grant",
+  "unauthorized_client",
+  "unsupported_grant_type",
+  "invalid_scope",
+  "authorization_pending",
+  "slow_down",
+  "access_denied",
+  "expired_token"
+]);
+function isRecord(value) {
+  return typeof value === "object" && value !== null;
+}
+function requireString(record, key) {
+  const value = record[key];
+  if (typeof value !== "string") throw new Error(`Invalid OAuth token field: ${key}`);
+  return value;
+}
+function optionalString(record, key) {
+  const value = record[key];
+  if (value === void 0) return void 0;
+  if (typeof value !== "string") throw new Error(`Invalid OAuth token field: ${key}`);
+  return value;
+}
+function optionalField(key, value) {
+  return value === void 0 ? {} : { [key]: value };
+}
+function requireNumber(record, key) {
+  const value = record[key];
+  if (typeof value !== "number") throw new Error(`Invalid OAuth token field: ${key}`);
+  return value;
+}
+function assertGrantType(record, grantType) {
+  if (record.grant_type !== grantType) {
+    throw new Error(`Invalid OAuth grant_type: expected ${grantType}`);
+  }
+}
+function decodeOAuthTokenRequest(input) {
+  if (!isRecord(input)) throw new Error("Invalid OAuth token request");
+  switch (input.grant_type) {
+    case "authorization_code":
+      assertGrantType(input, "authorization_code");
+      return {
+        grant_type: "authorization_code",
+        code: requireString(input, "code"),
+        redirect_uri: requireString(input, "redirect_uri"),
+        client_id: requireString(input, "client_id"),
+        code_verifier: requireString(input, "code_verifier"),
+        ...optionalField("client_secret", optionalString(input, "client_secret"))
+      };
+    case "refresh_token":
+      assertGrantType(input, "refresh_token");
+      return {
+        grant_type: "refresh_token",
+        refresh_token: requireString(input, "refresh_token"),
+        client_id: requireString(input, "client_id"),
+        ...optionalField("client_secret", optionalString(input, "client_secret")),
+        ...optionalField("scope", optionalString(input, "scope"))
+      };
+    case "urn:ietf:params:oauth:grant-type:device_code":
+      assertGrantType(input, "urn:ietf:params:oauth:grant-type:device_code");
+      return {
+        grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+        device_code: requireString(input, "device_code"),
+        client_id: requireString(input, "client_id"),
+        ...optionalField("client_secret", optionalString(input, "client_secret"))
+      };
+    case "client_credentials":
+      assertGrantType(input, "client_credentials");
+      return {
+        grant_type: "client_credentials",
+        client_id: requireString(input, "client_id"),
+        client_secret: requireString(input, "client_secret"),
+        ...optionalField("scope", optionalString(input, "scope"))
+      };
+    default:
+      throw new Error("Unsupported OAuth grant_type");
+  }
+}
+function oauthTokenFormBody(input) {
+  const request = decodeOAuthTokenRequest(input);
+  return new URLSearchParams(
+    Object.entries(request).filter(
+      (entry) => typeof entry[1] === "string"
+    )
+  ).toString();
+}
+function decodeOAuthTokenResult(value) {
+  if (!isRecord(value)) throw new Error("Invalid OAuth token response");
+  const tokenType = requireString(value, "token_type");
+  if (tokenType !== "Bearer") throw new Error("Invalid OAuth token_type");
+  return {
+    access_token: requireString(value, "access_token"),
+    token_type: "Bearer",
+    expires_in: requireNumber(value, "expires_in"),
+    refresh_token: requireString(value, "refresh_token"),
+    refresh_expires_at: requireString(value, "refresh_expires_at"),
+    scope: requireString(value, "scope")
+  };
+}
+function decodeOAuthClientCredentialsResult(value) {
+  if (!isRecord(value)) throw new Error("Invalid OAuth client credentials response");
+  const tokenType = requireString(value, "token_type");
+  if (tokenType !== "Bearer") throw new Error("Invalid OAuth token_type");
+  return {
+    access_token: requireString(value, "access_token"),
+    token_type: "Bearer",
+    expires_in: requireNumber(value, "expires_in"),
+    scope: requireString(value, "scope")
+  };
+}
+function decodeOAuthTokenError(value) {
+  if (!isRecord(value)) throw new Error("Invalid OAuth token error response");
+  const error = requireString(value, "error");
+  if (!OAUTH_TOKEN_ERROR_CODES.has(error)) {
+    throw new Error("Invalid OAuth token error code");
+  }
+  return {
+    error,
+    ...optionalField("error_description", optionalString(value, "error_description")),
+    ...optionalField("error_uri", optionalString(value, "error_uri"))
+  };
+}
+async function oauthTokenError(res, operation) {
+  const body = await res.text().catch(() => "");
+  let code = "oauth_error";
+  let message2 = `${operation} failed: HTTP ${res.status}`;
+  try {
+    const parsed = decodeOAuthTokenError(JSON.parse(body));
+    code = parsed.error;
+    if (parsed.error_description) message2 = parsed.error_description;
+  } catch {
+  }
+  let errorCode;
+  if (res.status === 401) errorCode = "UNAUTHORIZED";
+  else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
+  else errorCode = "BAD_REQUEST";
+  return new SylphxError(message2, {
+    code: errorCode,
+    status: res.status,
+    data: { oauthError: code }
+  });
+}
+// src/platform-oauth.ts
 var oauth = {
   /**
    * Mint a platform-audience access token from supplied claims.
    *
    * Service-to-service call — authenticated via
-   * `SYLPHX_INTERNAL_TOKEN` shared secret. Phase 6 will migrate this
-   * to SPIFFE SVID mTLS (ADR-068).
-   *
-   * TODO: Phase 6 — prefer SPIFFE SVID over shared-secret auth.
-   *
-   * @example
-   * ```typescript
-   * const { accessToken, expiresIn } = await auth.oauth.mintAccessToken({
-   *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-   *   internalToken: process.env.SYLPHX_INTERNAL_TOKEN!,
-   *   claims: { sub: user.id, email: user.email, app_id: 'platform', role: 'member', email_verified: true },
-   * })
-   * ```
+   * `SYLPHX_INTERNAL_TOKEN` shared secret until ADR-068's
+   * SPIFFE SVID mTLS platform-auth flip makes workload identity the
+   * only accepted internal caller credential.
    */
   async mintAccessToken(opts) {
     const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-jwt/mint`, {
@@ -6829,181 +7762,78 @@ var oauth = {
     if (!res.ok) throw await platformJwtError(res, "oauth.mintAccessToken");
     return await res.json();
   },
-  /**
-   * Exchange an OAuth 2.0 authorization_code for an access + refresh token
-   * pair (ADR-089 Phase 5.1b — RFC 6749 §4.1.3). PKCE S256 mandatory per
-   * OAuth 2.1 baseline.
-   *
-   * @example
-   * ```typescript
-   * const { verifier, challenge } = await generatePkce()
-   * // user redirected to /oauth/authorize?...&code_challenge=<challenge>
-   * // ...user approves, browser hits your redirect_uri with ?code=<code>
-   * const tokens = await auth.oauth.exchangeAuthorizationCode({
-   *   baseUrl: 'https://api.sylphx.com/v1',
-   *   clientId: 'sylphx-console',
-   *   clientSecret: process.env.CONSOLE_CLIENT_SECRET,
-   *   code,
-   *   redirectUri: 'https://console.sylphx.com/auth/callback',
-   *   codeVerifier: verifier,
-   * })
-   * ```
-   */
   async exchangeAuthorizationCode(opts) {
-    const body = {
+    const body = oauthTokenFormBody({
       grant_type: "authorization_code",
       code: opts.code,
       redirect_uri: opts.redirectUri,
       client_id: opts.clientId,
-      code_verifier: opts.codeVerifier
-    };
-    if (opts.clientSecret) body.client_secret = opts.clientSecret;
+      code_verifier: opts.codeVerifier,
+      ...opts.clientSecret ? { client_secret: opts.clientSecret } : {}
+    });
     const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/oauth/token`, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: new URLSearchParams(body).toString()
+      body
     });
     if (!res.ok) throw await oauthTokenError(res, "oauth.exchangeAuthorizationCode");
-    return await res.json();
+    return decodeOAuthTokenResult(await res.json());
   },
-  /**
-   * Refresh a platform access token using a refresh_token
-   * (ADR-089 Phase 5.1b — RFC 6749 §6). Rotation is mandatory — the
-   * presented refresh token is consumed and a new one returned.
-   *
-   * @example
-   * ```typescript
-   * const tokens = await auth.oauth.refreshAccessToken({
-   *   baseUrl: 'https://api.sylphx.com/v1',
-   *   clientId: 'sylphx-console',
-   *   clientSecret: process.env.CONSOLE_CLIENT_SECRET,
-   *   refreshToken: stored.refresh_token,
-   * })
-   * ```
-   */
   async refreshAccessToken(opts) {
-    const body = {
+    const body = oauthTokenFormBody({
       grant_type: "refresh_token",
       refresh_token: opts.refreshToken,
-      client_id: opts.clientId
-    };
-    if (opts.clientSecret) body.client_secret = opts.clientSecret;
-    if (opts.scope) body.scope = opts.scope;
+      client_id: opts.clientId,
+      ...opts.clientSecret ? { client_secret: opts.clientSecret } : {},
+      ...opts.scope ? { scope: opts.scope } : {}
+    });
     const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/oauth/token`, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: new URLSearchParams(body).toString()
+      body
     });
     if (!res.ok) throw await oauthTokenError(res, "oauth.refreshAccessToken");
-    return await res.json();
+    return decodeOAuthTokenResult(await res.json());
   },
-  /**
-   * Poll the OAuth token endpoint for a device-code grant (ADR-089 Phase
-   * 5.1c — RFC 8628 §3.4). The preferred way to exchange an approved
-   * device grant for tokens — returns an RFC 6749 error envelope on the
-   * `{pending, slow_down, denied, expired}` states so callers can
-   * distinguish precisely without parsing Phase 2a's `/auth/device/poll`
-   * status string.
-   *
-   * Returns `{ ok: true, tokens }` on success or `{ ok: false, error }`
-   * for every RFC-defined polling outcome. Callers MUST honour the
-   * polling `interval` returned by `/auth/device` — polling faster yields
-   * `{ ok: false, error: 'slow_down' }`.
-   *
-   * @example
-   * ```typescript
-   * while (true) {
-   *   await sleep(interval * 1000)
-   *   const r = await auth.oauth.pollDeviceToken({
-   *     baseUrl: 'https://api.sylphx.com/v1',
-   *     clientId: 'sylphx-cli',
-   *     deviceCode,
-   *   })
-   *   if (r.ok) return r.tokens
-   *   if (r.error === 'authorization_pending' || r.error === 'slow_down') continue
-   *   throw new Error(r.error) // access_denied | expired_token
-   * }
-   * ```
-   */
   async pollDeviceToken(opts) {
-    const body = new URLSearchParams({
+    const body = oauthTokenFormBody({
       grant_type: "urn:ietf:params:oauth:grant-type:device_code",
       device_code: opts.deviceCode,
       client_id: opts.clientId
-    }).toString();
+    });
     const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/oauth/token`, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
       body
     });
-    if (res.ok) {
-      return { ok: true, tokens: await res.json() };
-    }
+    if (res.ok) return { ok: true, tokens: decodeOAuthTokenResult(await res.json()) };
     const text = await res.text().catch(() => "");
     let code = "oauth_error";
     try {
-      const parsed = JSON.parse(text);
-      if (parsed.error) code = parsed.error;
+      code = decodeOAuthTokenError(JSON.parse(text)).error;
     } catch {
     }
     return { ok: false, error: code, status: res.status };
   },
-  /**
-   * Mint a service-principal access token via the `client_credentials`
-   * grant (ADR-089 Phase 5.1c — RFC 6749 §4.4). Requires a confidential
-   * client (public clients cannot use this grant). No refresh token is
-   * issued per §4.4.3 — callers re-run this exchange on expiry.
-   *
-   * Typical use: CI integrations, server-to-server automation that has
-   * no human owner and cannot run a device flow.
-   *
-   * @example
-   * ```typescript
-   * const { access_token } = await auth.oauth.clientCredentialsToken({
-   *   baseUrl: 'https://api.sylphx.com/v1',
-   *   clientId: process.env.SYLPHX_CLIENT_ID!,
-   *   clientSecret: process.env.SYLPHX_CLIENT_SECRET!,
-   *   scope: 'tenants:provision',
-   * })
-   * ```
-   */
   async clientCredentialsToken(opts) {
-    const body = {
+    const body = oauthTokenFormBody({
       grant_type: "client_credentials",
       client_id: opts.clientId,
-      client_secret: opts.clientSecret
-    };
-    if (opts.scope) body.scope = opts.scope;
+      client_secret: opts.clientSecret,
+      ...opts.scope ? { scope: opts.scope } : {}
+    });
     const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/oauth/token`, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: new URLSearchParams(body).toString()
+      body
     });
     if (!res.ok) throw await oauthTokenError(res, "oauth.clientCredentialsToken");
-    return await res.json();
+    return decodeOAuthClientCredentialsResult(await res.json());
   },
-  /**
-   * Revoke an OAuth access or refresh token (RFC 7009 — ADR-089 Phase 5.1d).
-   *
-   * Per §2.2 this always resolves successfully — the server returns 200
-   * whether the token existed, was already revoked, or belonged to a
-   * different client. Only true protocol-level failures (malformed
-   * request, bad client credentials) throw.
-   *
-   * @example
-   * ```typescript
-   * await auth.oauth.revokeToken({
-   *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-   *   clientId: 'sylphx-cli',
-   *   token: refreshToken,
-   *   tokenTypeHint: 'refresh_token',
-   * })
-   * ```
-   */
   async revokeToken(opts) {
     const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/oauth/revoke`, {
       method: "POST",
-      headers: buildDeviceHeaders(opts.userAgent),
+      headers: buildJsonHeaders(opts.userAgent),
       body: JSON.stringify({
         token: opts.token,
         token_type_hint: opts.tokenTypeHint,
@@ -7016,29 +7846,10 @@ var oauth = {
       throw new Error(`oauth.revokeToken failed (${res.status}): ${body}`);
     }
   },
-  /**
-   * Introspect an OAuth access or refresh token (RFC 7662 — ADR-089 Phase 5.1d).
-   *
-   * Returns `{ active: false }` for expired / revoked / unknown /
-   * not-owned tokens (without revealing which); `{ active: true, ... }`
-   * with full claims for live ones. Only protocol-level failures
-   * (4xx on the revocation envelope itself) throw.
-   *
-   * @example
-   * ```typescript
-   * const result = await auth.oauth.introspectToken({
-   *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-   *   clientId: 'gateway',
-   *   clientSecret: process.env.GATEWAY_SECRET,
-   *   token: accessToken,
-   * })
-   * if (!result.active) throw new Error('token not accepted')
-   * ```
-   */
   async introspectToken(opts) {
     const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/oauth/introspect`, {
       method: "POST",
-      headers: buildDeviceHeaders(opts.userAgent),
+      headers: buildJsonHeaders(opts.userAgent),
       body: JSON.stringify({
         token: opts.token,
         token_type_hint: opts.tokenTypeHint,
@@ -7051,318 +7862,572 @@ var oauth = {
       throw new Error(`oauth.introspectToken failed (${res.status}): ${body}`);
     }
     return await res.json();
-  }
-};
-var dpop = {
-  /**
-   * Generate a fresh ES256 key pair. Private key is non-extractable
-   * (`extractable: false`) so it can be stored but never serialised —
-   * the only legal operation is `sign`. Clients that need to
-   * hibernate the keypair across restarts must use a host-provided
-   * secure store (Keychain, Credential Manager, IndexedDB + CryptoKey
-   * wrapping).
-   */
-  async generateKeyPair() {
-    const { privateKey, publicKey } = await crypto.subtle.generateKey(
-      { name: "ECDSA", namedCurve: "P-256" },
-      false,
-      ["sign", "verify"]
-    );
-    const publicJwk = await crypto.subtle.exportKey("jwk", publicKey);
-    const thumbprint = await thumbprintFromJwk(sanitisePublicJwk(publicJwk));
-    return { privateKey, publicKey, thumbprint };
+  }
+};
+function buildJsonHeaders(userAgent) {
+  return {
+    "Content-Type": "application/json",
+    ...userAgent ? { "User-Agent": userAgent } : {}
+  };
+}
+async function platformJwtError(res, operation) {
+  const body = await res.text().catch(() => "");
+  let code = "platform_jwt_error";
+  let message2 = `${operation} failed: HTTP ${res.status}`;
+  try {
+    const parsed = JSON.parse(body);
+    if (parsed.error) code = parsed.error;
+    if (parsed.error_description) message2 = parsed.error_description;
+    else if (parsed.message) message2 = parsed.message;
+  } catch {
+  }
+  let errorCode;
+  if (res.status === 401) errorCode = "UNAUTHORIZED";
+  else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
+  else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
+  else errorCode = "BAD_REQUEST";
+  return new SylphxError(message2, {
+    code: errorCode,
+    status: res.status,
+    data: { operation, code }
+  });
+}
+// src/platform-password.ts
+init_errors();
+var password = {
+  async status(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-password/status`, {
+      method: "GET",
+      headers: buildPlatformPasswordHeaders(opts.accessToken, opts.userAgent)
+    });
+    if (!res.ok) throw await platformPasswordError(res, "password.status");
+    return await res.json();
+  },
+  async set(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-password/set`, {
+      method: "POST",
+      headers: buildPlatformPasswordHeaders(opts.accessToken, opts.userAgent),
+      body: JSON.stringify({
+        password: opts.password
+      })
+    });
+    if (!res.ok) throw await platformPasswordError(res, "password.set");
+    return await res.json();
+  },
+  async change(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-password/change`, {
+      method: "POST",
+      headers: buildPlatformPasswordHeaders(opts.accessToken, opts.userAgent),
+      body: JSON.stringify({
+        currentPassword: opts.currentPassword,
+        newPassword: opts.newPassword
+      })
+    });
+    if (!res.ok) throw await platformPasswordError(res, "password.change");
+    return await res.json();
+  }
+};
+function buildPlatformPasswordHeaders(accessToken, userAgent) {
+  const headers = {
+    "Content-Type": "application/json",
+    Authorization: `Bearer ${accessToken}`
+  };
+  if (userAgent) headers["User-Agent"] = userAgent;
+  return headers;
+}
+async function platformPasswordError(res, operation) {
+  const body = await res.text().catch(() => "");
+  let code = "platform_password_error";
+  let message2 = `${operation} failed: HTTP ${res.status}`;
+  try {
+    const parsed = JSON.parse(body);
+    if (parsed.error) code = parsed.error;
+    if (parsed.error_description) message2 = parsed.error_description;
+    else if (parsed.message) message2 = parsed.message;
+  } catch {
+  }
+  let errorCode;
+  if (res.status === 401) errorCode = "UNAUTHORIZED";
+  else if (res.status === 404) errorCode = "NOT_FOUND";
+  else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
+  else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
+  else errorCode = "BAD_REQUEST";
+  return new SylphxError(message2, {
+    code: errorCode,
+    status: res.status,
+    data: { operation, code }
+  });
+}
+// src/platform-sessions.ts
+init_errors();
+var sessions = {
+  async list(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions`, {
+      method: "GET",
+      headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent)
+    });
+    if (!res.ok) throw await platformSessionError(res, "sessions.list");
+    return await res.json();
+  },
+  async revoke(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions/revoke`, {
+      method: "POST",
+      headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent),
+      body: JSON.stringify({ sessionId: opts.sessionId })
+    });
+    if (!res.ok) throw await platformSessionError(res, "sessions.revoke");
+    return await res.json();
+  },
+  async revokeOther(opts) {
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions/revoke-other`,
+      {
+        method: "POST",
+        headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent)
+      }
+    );
+    if (!res.ok) throw await platformSessionError(res, "sessions.revokeOther");
+    return await res.json();
+  },
+  async revokeAll(opts) {
+    const res = await fetch(
+      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions/revoke-all`,
+      {
+        method: "POST",
+        headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent)
+      }
+    );
+    if (!res.ok) throw await platformSessionError(res, "sessions.revokeAll");
+    return await res.json();
+  },
+  async rename(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-sessions/rename`, {
+      method: "POST",
+      headers: buildPlatformSessionsHeaders(opts.accessToken, opts.userAgent),
+      body: JSON.stringify({
+        sessionId: opts.sessionId,
+        name: opts.name
+      })
+    });
+    if (!res.ok) throw await platformSessionError(res, "sessions.rename");
+    return await res.json();
+  }
+};
+function buildPlatformSessionsHeaders(accessToken, userAgent) {
+  const headers = {
+    "Content-Type": "application/json",
+    Authorization: `Bearer ${accessToken}`
+  };
+  if (userAgent) headers["User-Agent"] = userAgent;
+  return headers;
+}
+async function platformSessionError(res, operation) {
+  const body = await res.text().catch(() => "");
+  let code = "platform_sessions_error";
+  let message2 = `${operation} failed: HTTP ${res.status}`;
+  try {
+    const parsed = JSON.parse(body);
+    if (parsed.error) code = parsed.error;
+    if (parsed.error_description) message2 = parsed.error_description;
+    else if (parsed.message) message2 = parsed.message;
+  } catch {
+  }
+  let errorCode;
+  if (res.status === 401) errorCode = "UNAUTHORIZED";
+  else if (res.status === 404) errorCode = "NOT_FOUND";
+  else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
+  else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
+  else errorCode = "BAD_REQUEST";
+  return new SylphxError(message2, {
+    code: errorCode,
+    status: res.status,
+    data: { operation, code }
+  });
+}
+// src/platform-user.ts
+init_errors();
+var user = {
+  /**
+   * Export every piece of personal data the platform holds about the
+   * authenticated user (GDPR Article 20 — right to data portability).
+   *
+   * The returned record is deliberately loose — it contains the user
+   * row, sessions, OAuth accounts, login history, security alerts,
+   * organization memberships, subscriptions, per-project memberships,
+   * and storage file metadata. Shape varies with customer provisioning.
+   */
+  async exportData(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/export`, {
+      method: "GET",
+      headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent)
+    });
+    if (!res.ok) throw await platformUserError(res, "user.exportData");
+    return await res.json();
+  },
+  /**
+   * Permanently delete the authenticated user's account (GDPR Article
+   * 17 — right to erasure). Cascades through every provisioned project
+   * DB, cancels Stripe subscriptions, deletes S3 blobs, and anonymises
+   * billing transactions.
+   */
+  async deleteAccount(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/account`, {
+      method: "DELETE",
+      headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent),
+      body: JSON.stringify({
+        ...opts.reason !== void 0 && { reason: opts.reason }
+      })
+    });
+    if (!res.ok) throw await platformUserError(res, "user.deleteAccount");
+    return await res.json();
   },
   /**
-   * Sign a DPoP proof JWT. When `accessToken` is provided, the proof
-   * includes `ath = base64url(sha256(accessToken))` so the resource
-   * server can bind the proof to the token being presented (RFC 9449
-   * §4.3 step 11).
+   * Async GDPR Article 20 export job API (ADR-089 Phase 5.5).
+   *
+   * `user.exportData` is the Phase 2d synchronous shortcut; production
+   * callers should prefer the async flow for large accounts.
    */
-  async generateProof(opts) {
-    const publicJwkRaw = await crypto.subtle.exportKey("jwk", opts.publicKey);
-    const publicJwk = sanitisePublicJwk(publicJwkRaw);
-    const header = { typ: "dpop+jwt", alg: "ES256", jwk: publicJwk };
-    const payload = {
-      jti: randomJti(),
-      htm: opts.method.toUpperCase(),
-      htu: stripQueryAndFragment(opts.uri),
-      iat: Math.floor(Date.now() / 1e3)
-    };
-    if (opts.accessToken) {
-      payload.ath = await sha256Base64Url(new TextEncoder().encode(opts.accessToken));
+  exports: {
+    /**
+     * Kick off an export job. Poll `status({ id })` until
+     * `status === 'complete'`.
+     */
+    async initiate(opts) {
+      const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/export`, {
+        method: "POST",
+        headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent),
+        body: JSON.stringify(opts.format !== void 0 ? { format: opts.format } : {})
+      });
+      if (!res.ok) throw await platformUserError(res, "user.exports.initiate");
+      return await res.json();
+    },
+    /**
+     * Read the current state of an in-flight or completed export job.
+     */
+    async status(opts) {
+      const res = await fetch(
+        `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/export/${encodeURIComponent(
+          opts.id
+        )}`,
+        {
+          method: "GET",
+          headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent)
+        }
+      );
+      if (!res.ok) throw await platformUserError(res, "user.exports.status");
+      return await res.json();
+    },
+    /**
+     * Download the completed export payload. The BaaS route returns a
+     * 302 to a freshly-signed object-storage URL; `fetch` follows it
+     * and resolves to the raw `Blob`.
+     */
+    async download(opts) {
+      const res = await fetch(
+        `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-user/export/${encodeURIComponent(
+          opts.id
+        )}/download`,
+        {
+          method: "GET",
+          headers: buildPlatformUserHeaders(opts.accessToken, opts.userAgent)
+        }
+      );
+      if (!res.ok) throw await platformUserError(res, "user.exports.download");
+      const sha256 = res.headers.get("X-Sylphx-Export-Sha256");
+      const sizeHeader = res.headers.get("X-Sylphx-Export-Size");
+      const sizeBytes = sizeHeader ? Number.parseInt(sizeHeader, 10) : null;
+      const blob = await res.blob();
+      return { blob, sha256, sizeBytes: Number.isFinite(sizeBytes) ? sizeBytes : null };
     }
-    if (opts.nonce) payload.nonce = opts.nonce;
-    const headerB64 = base64UrlEncode(new TextEncoder().encode(JSON.stringify(header)));
-    const payloadB64 = base64UrlEncode(new TextEncoder().encode(JSON.stringify(payload)));
-    const signingInput = `${headerB64}.${payloadB64}`;
-    const signingBytes = new TextEncoder().encode(signingInput);
-    const signingBuf = new Uint8Array(signingBytes.byteLength);
-    signingBuf.set(signingBytes);
-    const sigBuf = await crypto.subtle.sign(
-      { name: "ECDSA", hash: "SHA-256" },
-      opts.privateKey,
-      signingBuf.buffer
-    );
-    const sigB64 = base64UrlEncode(new Uint8Array(sigBuf));
-    return `${signingInput}.${sigB64}`;
   }
 };
-function sanitisePublicJwk(jwk) {
-  if (jwk.kty !== "EC" || jwk.crv !== "P-256" || !jwk.x || !jwk.y) {
-    throw new Error("DPoP expects ES256 (EC P-256) JWK");
-  }
-  return { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y };
-}
-async function thumbprintFromJwk(jwk) {
-  const canonical = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y });
-  return sha256Base64Url(new TextEncoder().encode(canonical));
-}
-async function sha256Base64Url(data) {
-  const copy = new Uint8Array(data.byteLength);
-  copy.set(data);
-  const digest2 = await crypto.subtle.digest("SHA-256", copy.buffer);
-  return base64UrlEncode(new Uint8Array(digest2));
-}
-function base64UrlEncode(bytes) {
-  let s = "";
-  for (let i = 0; i < bytes.length; i++) s += String.fromCharCode(bytes[i]);
-  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
-function stripQueryAndFragment(uri) {
-  try {
-    const u = new URL(uri);
-    return `${u.protocol}//${u.host}${u.pathname}`;
-  } catch {
-    const q = uri.indexOf("?");
-    const h = uri.indexOf("#");
-    const cut = [q, h].filter((i) => i >= 0).sort((a, b) => a - b)[0];
-    return cut === void 0 ? uri : uri.slice(0, cut);
-  }
-}
-function randomJti() {
-  const bytes = new Uint8Array(16);
-  crypto.getRandomValues(bytes);
-  return base64UrlEncode(bytes);
+function buildPlatformUserHeaders(accessToken, userAgent) {
+  const headers = {
+    "Content-Type": "application/json",
+    Authorization: `Bearer ${accessToken}`
+  };
+  if (userAgent) headers["User-Agent"] = userAgent;
+  return headers;
 }
-async function oauthTokenError(res, operation) {
-  const { SylphxError: SylphxError2 } = await Promise.resolve().then(() => (init_errors(), errors_exports));
+async function platformUserError(res, operation) {
   const body = await res.text().catch(() => "");
-  let code = "oauth_error";
+  let code = "platform_user_error";
   let message2 = `${operation} failed: HTTP ${res.status}`;
   try {
     const parsed = JSON.parse(body);
     if (parsed.error) code = parsed.error;
     if (parsed.error_description) message2 = parsed.error_description;
+    else if (parsed.message) message2 = parsed.message;
   } catch {
   }
   let errorCode;
   if (res.status === 401) errorCode = "UNAUTHORIZED";
+  else if (res.status === 404) errorCode = "NOT_FOUND";
+  else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
   else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
   else errorCode = "BAD_REQUEST";
-  return new SylphxError2(message2, {
+  return new SylphxError(message2, {
     code: errorCode,
     status: res.status,
-    data: { oauthError: code }
+    data: { operation, code }
+  });
+}
+// src/auth.ts
+async function signIn(config, input) {
+  const body = input;
+  const endpoint = authEndpoints.signIn;
+  return callApi(config, endpoint.path, {
+    method: endpoint.method,
+    body
+  });
+}
+async function signUp(config, input) {
+  const endpoint = authEndpoints.signUp;
+  return callApi(config, endpoint.path, {
+    method: endpoint.method,
+    body: input
+  });
+}
+async function signOut(config) {
+  const endpoint = authEndpoints.signOut;
+  await callApi(config, endpoint.path, { method: endpoint.method });
+}
+async function refreshToken(config, token) {
+  return callApi(config, "/auth/token", {
+    method: "POST",
+    body: {
+      grant_type: "refresh_token",
+      refresh_token: token,
+      client_secret: config.secretKey
+    }
+  });
+}
+async function verifyEmail(config, token) {
+  await callApi(config, "/auth/verify-email", {
+    method: "POST",
+    body: { token }
+  });
+}
+async function forgotPassword(config, email, options = {}) {
+  await callApi(config, "/auth/forgot-password", {
+    method: "POST",
+    body: {
+      email,
+      ...options.redirectUrl ? { redirectUrl: options.redirectUrl } : {}
+    }
+  });
+}
+async function resendVerificationEmail(config, email) {
+  const endpoint = authEndpoints.resendEmailVerification;
+  const body = { email };
+  await callApi(config, endpoint.path, {
+    method: endpoint.method,
+    body
+  });
+}
+async function resetPassword(config, input) {
+  await callApi(config, "/auth/reset-password", {
+    method: "POST",
+    body: { token: input.token, password: input.password }
+  });
+}
+async function getSession(config) {
+  if (!config.accessToken) {
+    return { user: null };
+  }
+  const endpoint = authEndpoints.getSession;
+  try {
+    const user2 = await callApi(config, endpoint.path, {
+      method: endpoint.method
+    });
+    return { user: user2 };
+  } catch {
+    return { user: null };
+  }
+}
+async function verifyTwoFactor(config, userId, code) {
+  return callApi(config, "/auth/verify-2fa", {
+    method: "POST",
+    body: { userId, code }
+  });
+}
+async function introspectToken(config, token, tokenTypeHint) {
+  const response = await fetch(buildApiUrl(config, "/auth/introspect"), {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      // RFC 7662 §2: server-to-server call — authenticate with secret key
+      "x-app-secret": config.secretKey ?? ""
+    },
+    body: JSON.stringify({
+      token,
+      token_type_hint: tokenTypeHint
+    })
+  });
+  if (!response.ok) {
+    return { active: false };
+  }
+  return response.json();
+}
+async function revokeToken(config, token, options) {
+  await fetch(buildApiUrl(config, "/auth/revoke"), {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      token: options?.revokeAll ? void 0 : token,
+      client_secret: config.secretKey,
+      user_id: options?.userId,
+      revoke_all: options?.revokeAll
+    })
   });
 }
-async function platformJwtError(res, operation) {
-  const { SylphxError: SylphxError2 } = await Promise.resolve().then(() => (init_errors(), errors_exports));
-  const body = await res.text().catch(() => "");
-  let code = "platform_jwt_error";
-  let message2 = `${operation} failed: HTTP ${res.status}`;
-  try {
-    const parsed = JSON.parse(body);
-    if (parsed.error) code = parsed.error;
-    if (parsed.error_description) message2 = parsed.error_description;
-    else if (parsed.message) message2 = parsed.message;
-  } catch {
+async function revokeAllTokens(config, userId) {
+  await revokeToken(config, "", { revokeAll: true, userId });
+}
+async function extendedSignUp(config, input) {
+  return callApi(config, "/auth/register", {
+    method: "POST",
+    body: input
+  });
+}
+async function inviteUser(config, input) {
+  return callApi(config, "/auth/invite", {
+    method: "POST",
+    body: input
+  });
+}
+function normalizeOrgScopedTokenResponse(data) {
+  const accessToken = data.accessToken ?? data.access_token;
+  if (!accessToken) {
+    throw new Error("Invalid org-scoped token response: missing access token");
   }
-  let errorCode;
-  if (res.status === 401) errorCode = "UNAUTHORIZED";
-  else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
-  else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
-  else errorCode = "BAD_REQUEST";
-  return new SylphxError2(message2, {
-    code: errorCode,
-    status: res.status,
-    data: { operation, code }
+  return {
+    token: accessToken,
+    accessToken,
+    expiresIn: data.expiresIn ?? data.expires_in,
+    tokenType: data.tokenType ?? data.token_type,
+    user: data.user
+  };
+}
+async function getOrgScopedToken(config, orgId) {
+  const data = await callApi(config, "/auth/switch-org", {
+    method: "POST",
+    body: { orgId }
   });
+  return normalizeOrgScopedTokenResponse(data);
 }
-var impersonation = {
-  async start(opts) {
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/start`,
-      {
-        method: "POST",
-        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
-        body: JSON.stringify({
-          targetUserId: opts.targetUserId,
-          ...opts.ipAddress !== void 0 && { ipAddress: opts.ipAddress },
-          ...opts.userAgent !== void 0 && { userAgent: opts.userAgent }
-        })
-      }
-    );
-    if (!res.ok) throw await impersonationError(res, "impersonation.start");
-    return await res.json();
-  },
-  async end(opts) {
-    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/end`, {
-      method: "POST",
-      headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
-      body: JSON.stringify(opts.sessionId !== void 0 ? { sessionId: opts.sessionId } : {})
-    });
-    if (!res.ok) throw await impersonationError(res, "impersonation.end");
-    return await res.json();
-  },
-  async info(opts) {
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/info/${encodeURIComponent(opts.sessionId)}`,
-      {
-        method: "GET",
-        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent)
-      }
-    );
-    if (!res.ok) throw await impersonationError(res, "impersonation.info");
-    return await res.json();
-  },
-  async active(opts) {
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/active`,
-      {
-        method: "GET",
-        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent)
-      }
-    );
-    if (!res.ok) throw await impersonationError(res, "impersonation.active");
-    return await res.json();
-  },
-  // ── Phase 5.9 ──────────────────────────────────────────────────────
+async function switchOrg(config, orgId) {
+  return getOrgScopedToken(config, orgId);
+}
+var device = {
   /**
-   * Phase 5.9 step 1 of 2 — request a WebAuthn assertion challenge.
-   * Returns the pending-request id plus options ready for
-   * `navigator.credentials.get(...)`. Caller is expected to post the
-   * resulting assertion to {@link impersonation.startStepup}.
+   * Start a device authorization grant.
+   *
+   * Returns a `DeviceGrant` with `verification_uri_complete` (open this
+   * in the user's browser) and `device_code` (use for polling).
+   *
+   * @example
+   * ```typescript
+   * const grant = await device.init({
+   *   baseUrl: 'https://your-app.api.sylphx.com/v1',
+   *   clientId: 'sylphx-cli',
+   *   scope: ['org:read', 'project:*'],
+   * })
+   * openBrowser(grant.verification_uri_complete)
+   * ```
    */
-  async startChallenge(opts) {
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/start-challenge`,
-      {
-        method: "POST",
-        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
-        body: JSON.stringify({
-          targetUserId: opts.targetUserId,
-          reason: opts.reason
-        })
-      }
-    );
-    if (!res.ok) throw await impersonationError(res, "impersonation.startChallenge");
+  async init(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/device`, {
+      method: "POST",
+      headers: buildDeviceHeaders(opts.userAgent),
+      body: JSON.stringify({
+        client_id: opts.clientId,
+        scope: opts.scope ?? []
+      })
+    });
+    if (!res.ok) throw await deviceError(res, "device.init");
     return await res.json();
   },
   /**
-   * Phase 5.9 step 2 of 2 — complete the WebAuthn step-up. Returns
-   * either the active session (emergency bypass) or the
-   * consent deadline (regular flow). Phase 3b `start` is superseded
-   * by this method; old callers should migrate to
-   * `startChallenge` → `startStepup`.
+   * Poll a pending grant. Returns `status: 'pending' | 'approved' |
+   * 'denied' | 'expired'`. On `approved`, the result carries the OAuth
+   * pair (access_token + refresh_token).
+   *
+   * Callers MUST respect the `interval` returned by `init()` — polling
+   * faster than that may return 429 slow_down (RFC 8628 §5.5).
    */
-  async startStepup(opts) {
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/start`,
-      {
-        method: "POST",
-        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
-        body: JSON.stringify({
-          requestId: opts.requestId,
-          challengeKey: opts.challengeKey,
-          assertion: opts.assertion,
-          ...opts.emergencyBypass ? { emergencyBypass: true } : {}
-        })
-      }
-    );
-    if (!res.ok) throw await impersonationError(res, "impersonation.startStepup");
+  async poll(opts) {
+    const url = new URL(`${opts.baseUrl.replace(/\/$/, "")}/auth/device/poll`);
+    url.searchParams.set("device_code", opts.deviceCode);
+    const res = await fetch(url.toString(), {
+      method: "GET",
+      headers: buildDeviceHeaders(opts.userAgent)
+    });
+    if (!res.ok) throw await deviceError(res, "device.poll");
     return await res.json();
   },
   /**
-   * Target user's consent decision. Approve mints the session token;
-   * deny transitions the request to `denied`.
+   * Browser leg — the approving user confirms the grant.
+   *
+   * Requires a valid platform-issued access token (`Authorization:
+   * Bearer <accessToken>`) proving the user is logged in on the
+   * Console. Typically called by the Console's `/device` verification
+   * page server-side, forwarding the user's session JWT.
    */
-  async respondConsent(opts) {
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/impersonation-consent/${encodeURIComponent(opts.requestId)}`,
-      {
-        method: "POST",
-        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent),
-        body: JSON.stringify({ decision: opts.decision })
-      }
-    );
-    if (!res.ok) throw await impersonationError(res, "impersonation.respondConsent");
-    return await res.json();
-  },
-  /** List impersonation requests. Non-super_admin sees only their own. */
-  async listRequests(opts) {
-    const params = new URLSearchParams();
-    if (opts.filter?.operatorId) params.set("operatorId", opts.filter.operatorId);
-    if (opts.filter?.targetUserId) params.set("targetUserId", opts.filter.targetUserId);
-    if (opts.filter?.status) params.set("status", opts.filter.status);
-    if (opts.filter?.limit != null) params.set("limit", String(opts.filter.limit));
-    const qs = params.toString();
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/requests${qs ? `?${qs}` : ""}`,
-      {
-        method: "GET",
-        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent)
-      }
-    );
-    if (!res.ok) throw await impersonationError(res, "impersonation.listRequests");
+  async approve(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/device/approve`, {
+      method: "POST",
+      headers: {
+        ...buildDeviceHeaders(opts.userAgent),
+        Authorization: `Bearer ${opts.accessToken}`
+      },
+      body: JSON.stringify({ user_code: opts.userCode })
+    });
+    if (!res.ok) throw await deviceError(res, "device.approve");
     return await res.json();
   },
   /**
-   * End an active impersonation session by request id. Emits a CAEP
-   * `session-revoked` event via the Phase 5.Z outbox so every in-flight
-   * verifier invalidates the token within ≤1s.
+   * Browser leg — the user declines the grant.
+   *
+   * Requires a valid platform-issued access token just like `approve`.
    */
-  async endSession(opts) {
-    const res = await fetch(
-      `${opts.baseUrl.replace(/\/$/, "")}/auth/platform-impersonation/end/${encodeURIComponent(opts.requestId)}`,
-      {
-        method: "POST",
-        headers: buildImpersonationHeaders(opts.accessToken, opts.userAgent)
-      }
-    );
-    if (!res.ok) throw await impersonationError(res, "impersonation.endSession");
+  async deny(opts) {
+    const res = await fetch(`${opts.baseUrl.replace(/\/$/, "")}/auth/device/deny`, {
+      method: "POST",
+      headers: {
+        ...buildDeviceHeaders(opts.userAgent),
+        Authorization: `Bearer ${opts.accessToken}`
+      },
+      body: JSON.stringify({ user_code: opts.userCode })
+    });
+    if (!res.ok) throw await deviceError(res, "device.deny");
     return await res.json();
   }
 };
-function buildImpersonationHeaders(accessToken, userAgent) {
+function buildDeviceHeaders(userAgent) {
   const headers = {
-    "Content-Type": "application/json",
-    Authorization: `Bearer ${accessToken}`
+    "Content-Type": "application/json"
   };
   if (userAgent) headers["User-Agent"] = userAgent;
   return headers;
 }
-async function impersonationError(res, operation) {
+async function deviceError(res, operation) {
   const { SylphxError: SylphxError2 } = await Promise.resolve().then(() => (init_errors(), errors_exports));
   const body = await res.text().catch(() => "");
-  let code = "platform_impersonation_error";
+  let code = "device_flow_error";
   let message2 = `${operation} failed: HTTP ${res.status}`;
   try {
     const parsed = JSON.parse(body);
     if (parsed.error) code = parsed.error;
     if (parsed.error_description) message2 = parsed.error_description;
-    else if (parsed.message) message2 = parsed.message;
   } catch {
   }
-  let errorCode;
-  if (res.status === 401) errorCode = "UNAUTHORIZED";
-  else if (res.status === 403) errorCode = "UNAUTHORIZED";
-  else if (res.status === 404) errorCode = "NOT_FOUND";
-  else if (res.status === 409) errorCode = "CONFLICT";
-  else if (res.status === 429) errorCode = "TOO_MANY_REQUESTS";
-  else if (res.status >= 500) errorCode = "INTERNAL_SERVER_ERROR";
-  else errorCode = "BAD_REQUEST";
   return new SylphxError2(message2, {
-    code: errorCode,
+    code: res.status === 429 ? "TOO_MANY_REQUESTS" : "BAD_REQUEST",
     status: res.status,
     data: { operation, code }
   });
@@ -10989,15 +12054,61 @@ export {
   ACHIEVEMENT_TIER_CONFIG,
   AuthenticationError,
   AuthorizationError,
+  BILLING_ALLOWED_ROLES,
+  BUILD_MINUTES_INCLUDED,
+  BUILD_MINUTE_PRICES,
+  BUILD_SIZE_MULTIPLIERS,
+  BYTES_PER_GB,
+  CI_BUILD_MINUTE_PRICE_MICRODOLLARS,
+  CI_FREE_MINUTES_PER_MONTH,
+  CI_MACOS_MULTIPLIER,
+  CI_MACOS_SIZE_MULTIPLIERS,
+  CI_SIZE_MULTIPLIERS,
+  COMPUTE_PRICE_PER_HOUR_MICRODOLLARS,
+  COMPUTE_RAM_RATE_MICRODOLLARS,
+  COMPUTE_VCPU_ACTIVE_RATE_MICRODOLLARS,
+  COMPUTE_VCPU_IDLE_RATE_MICRODOLLARS,
+  CONSOLE_APP_SLUG,
+  CREDENTIAL_REGEX,
+  CREDIT_EXPIRY_MONTHS,
   CircuitBreakerOpenError,
+  DEFAULT_MACHINE_SIZE,
+  DEFAULT_MAX_REPLICAS,
+  DEFAULT_POINTS_REWARD,
+  DISCOUNT_DURATION_MONTHS,
+  DISCOUNT_PERCENT,
   ERROR_CODE_STATUS,
+  FREE_COMPUTE_HOURS,
+  FREE_STORAGE_GB,
+  HOURS_PER_MONTH,
+  INSTANCE_TYPES,
+  INSTANCE_TYPE_ALIASES,
+  INSTANCE_TYPE_ORDER,
+  INVOICE_DUE_DAYS,
   InvalidConnectionUrlError,
+  KV_FREE_STORAGE_GB,
+  LEGACY_INSTANCE_TYPE_ORDER,
+  MACHINE_CONFIGS,
+  MACHINE_MAX_INSTANCES,
+  MACHINE_RESOURCE_REQUIREMENTS,
+  MACHINE_SIZES,
+  MAX_PASSWORD_LENGTH,
+  MAX_PAYMENT_ATTEMPTS,
+  MICRODOLLARS_PER_CENT,
+  MIN_PASSWORD_LENGTH,
   NetworkError,
   NotFoundError,
+  PASSWORD_REQUIREMENTS,
+  PLATFORM_PLANS,
+  PLATFORM_PLAN_ORDER,
+  PLATFORM_PLAN_ORDER_ALL,
+  PREMIUM_TRIAL_DAYS,
   RETRYABLE_CODES,
   RateLimitError,
   RunHandle,
   RunsClient,
+  SERVICE_METRICS,
+  STORAGE_PRICE_PER_GB_MONTH_MICRODOLLARS,
   SandboxClient,
   SandboxFiles,
   SandboxProcesses,
@@ -11005,6 +12116,7 @@ export {
   StepCompleteSignal,
   StepSleepSignal,
   SylphxError,
+  TRANSFER_PRICE_PER_GB_MICRODOLLARS,
   TimeoutError,
   TriggersClient,
   ValidationError,
@@ -11016,6 +12128,8 @@ export {
   audit,
   authorizeOAuth,
   batchIndex,
+  buildConnectionUrl,
+  calculatePercentage,
   canDeleteOrganization,
   canManageMembers,
   canManageSettings,
@@ -11024,6 +12138,7 @@ export {
   captureException,
   captureExceptionRaw,
   captureMessage,
+  centsToDollars,
   chat,
   chatStream,
   checkFlag,
@@ -11068,22 +12183,45 @@ export {
   dpop,
   embed,
   enableDebug,
+  escapeCsvField,
+  escapeHtml,
   exchangeOAuthCode,
   exponentialBackoff,
   exportUserData,
   extendedSignUp,
+  getErrorDetails as extractErrorDetails,
+  getErrorMessage as extractErrorMessage,
   forgotPassword,
+  formatBytes,
+  formatCents,
+  formatCurrency,
+  formatDate,
+  formatDateTime,
+  formatDuration,
+  formatMicrodollars,
+  formatMonthYear,
+  formatNumber,
+  formatPercent,
+  formatRelativeTime,
+  formatRelativeTimeShort,
+  formatTime,
   functions,
   generateAnonymousId,
   generatePkce,
+  generateReferralCode,
+  generateSlug,
   getAchievement,
   getAchievementPoints,
   getAchievements,
+  getActivePlans,
   getAllFlags,
   getAllSecrets,
   getAllStreaks,
+  getAvailableInstanceTypes,
   getBackupCodes,
+  getBaseUrl,
   getBillingBalance,
+  getBillingStatusVariant,
   getBillingUsage,
   getBuildLogHistory,
   getCircuitBreakerState,
@@ -11092,13 +12230,17 @@ export {
   getDatabaseConnectionString,
   getDatabaseStatus,
   getDebugMode,
+  getDefaultInstanceType,
   getDeployHistory,
   getDeployStatus,
-  getErrorCode,
-  getErrorMessage,
+  getEnvPrefix,
+  getErrorCode2 as getErrorCode,
+  getErrorDetails2 as getErrorDetails,
+  getErrorMessage2 as getErrorMessage,
   getFacets,
   getFlagPayload,
   getFlags,
+  getInvoiceStatusVariant,
   getLeaderboard,
   getMemberPermissions,
   getMyReferralCode,
@@ -11108,6 +12250,7 @@ export {
   getOrganizationInvitations,
   getOrganizationMembers,
   getOrganizations,
+  getPlanMonthlyPrice,
   getPlans,
   getProjectMetadata,
   getPromo,
@@ -11117,6 +12260,7 @@ export {
   getReferralStats,
   getRestErrorMessage,
   getRole,
+  getSafeErrorMessage,
   getScheduledEmail,
   getScheduledEmailStats,
   getSearchStats,
@@ -11140,6 +12284,7 @@ export {
   getWebhookStats,
   hasAllPermissions,
   hasAnyPermission,
+  hasBillingAccess,
   hasConsent,
   hasError,
   hasPermission,
@@ -11155,10 +12300,14 @@ export {
   introspectToken,
   inviteOrganizationMember,
   inviteUser,
+  isChallengeRequired,
   isEmailConfigured,
   isEnabled,
+  isMachineSize,
+  isPlanDeprecated,
   isRetryableError,
   isSylphxError,
+  isValidInstanceType,
   kvDelete,
   kvExists,
   kvExpire,
@@ -11196,9 +12345,13 @@ export {
   listUsers,
   markAllSecurityAlertsRead,
   markSecurityAlertRead,
+  microsToDollars,
   oauth,
   page,
+  parseConnectionUrl,
+  parseMachineSize,
   parseOAuthCallback,
+  parseUserAgent,
   password,
   pauseCron,
   platformAuth,
@@ -11229,12 +12382,20 @@ export {
   resetPassword,
   resetPlatformCookieCache,
   resetPlatformJwksCache,
+  resolveCanonicalInstanceType,
+  resolveMachineConfig,
+  resolveMachineMaxInstances,
+  resolveMachineResources,
+  resolveMachineTierResources,
+  resolveMaxReplicas,
+  resolveResources,
   resumeCron,
   revokeAllTokens,
   revokeOrganizationInvitation,
   revokeToken,
   revokeUserSession,
   rollbackDeploy,
+  safeJsonParse,
   scheduleEmail,
   scheduleTask,
   search,
@@ -11256,6 +12417,7 @@ export {
   submitScore,
   suspendUser,
   switchOrg,
+  toPublicMachineSize,
   toSylphxError,
   track,
   trackBatch,
@@ -11275,6 +12437,7 @@ export {
   upsertDocument,
   user,
   userInfo,
+  validateInstanceTypeForPlan,
   validatePromo,
   verifyAccessToken,
   verifyChallenge,