npm - @tdfc/sunbreak-react - Versions diffs - 0.1.14 → 0.1.15 - Mend

@tdfc/sunbreak-react 0.1.14 → 0.1.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.cjs CHANGED Viewed

@@ -3,7 +3,7 @@
 var react = require('react');
 var jsxRuntime = require('react/jsx-runtime');
-var yn=Object.defineProperty;var er=e=>{throw TypeError(e)};var gn=(e,t,r)=>t in e?yn(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var O=(e,t,r)=>gn(e,typeof t!="symbol"?t+"":t,r),tr=(e,t,r)=>t.has(e)||er("Cannot "+r);var m=(e,t,r)=>(tr(e,t,"read from private field"),r?r.call(e):t.get(e)),F=(e,t,r)=>t.has(e)?er("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),B=(e,t,r,n)=>(tr(e,t,"write to private field"),t.set(e,r),r);var ze=e=>{let t=5381;for(let r=0;r<e.length;r++)t=t*33^e.charCodeAt(r);return (t>>>0).toString(16).padStart(8,"0")},Ke=e=>{try{return e.method==="provider_jwt"?`${e.issuer}:${ze(e.token)}`:e.method==="siwe"||e.method==="eip191"?`${e.method}:${ze(e.signature)}`:e.method==="ed25519"?`ed25519:${ze(e.signatureBase64)}`:null}catch{return null}},Ce=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var bn="sunbreak-kv",Ie="kv",Xe="sunbreak_dpop_meta_v1",I="sunbreak_dpop_key_v1",Te="ES256",E="P-256",We=e=>`${Xe}:${e}`,rr=()=>new Promise((e,t)=>{let r=indexedDB.open(bn,1);r.onupgradeneeded=()=>r.result.createObjectStore(Ie),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),T=async e=>{try{let t=await rr();return await new Promise((r,n)=>{let a=t.transaction(Ie,"readonly").objectStore(Ie).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},S=async(e,t)=>{let r=await rr();await new Promise((n,o)=>{let i=r.transaction(Ie,"readwrite").objectStore(Ie).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var Sn=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},Rn=e=>e.replace(/\/+$/,""),yt=e=>{let t=Rn(e);return Sn(t)};function bt(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=kn(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var kn=e=>{for(let t=0;t<gt.length;t++){let r=gt[Math.floor(Math.random()*gt.length)].toLowerCase();if(r!==e)return r}return "alpha"},gt=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var G=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var En=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),Pn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),vn=new Set(["dpop","x-sunbreak-meta"]),An=64,nr=2048,xn=64;function St(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=xn)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>An||En.has(i)||Pn.has(i)||vn.has(i))continue;let s=String(a);s.length>nr&&(s=s.slice(0,nr)),t[i]=s,n++;}return t}var ne=new TextEncoder,ge=new TextDecoder;function or(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function ar(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function ir(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function sr(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:ge.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=ge.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return ir(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Ye(e){let t=e;return typeof t=="string"&&(t=ne.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):ar(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var fe=class extends Error{constructor(r,n){super(r,n);O(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};O(fe,"code","ERR_JOSE_GENERIC");var L=class extends fe{constructor(){super(...arguments);O(this,"code","ERR_JOSE_NOT_SUPPORTED");}};O(L,"code","ERR_JOSE_NOT_SUPPORTED");var oe=class extends fe{constructor(){super(...arguments);O(this,"code","ERR_JWS_INVALID");}};O(oe,"code","ERR_JWS_INVALID");var Je=class extends fe{constructor(){super(...arguments);O(this,"code","ERR_JWT_INVALID");}};O(Je,"code","ERR_JWT_INVALID");var cr,lr,Rt=class extends(lr=fe,cr=Symbol.asyncIterator,lr){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);O(this,cr);O(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};O(Rt,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function Y(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function be(e,t){return e.name===t}function kt(e){return parseInt(e.name.slice(4),10)}function In(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function Tn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function ur(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!be(e.algorithm,"HMAC"))throw Y("HMAC");let n=parseInt(t.slice(2),10);if(kt(e.algorithm.hash)!==n)throw Y(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!be(e.algorithm,"RSASSA-PKCS1-v1_5"))throw Y("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(kt(e.algorithm.hash)!==n)throw Y(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!be(e.algorithm,"RSA-PSS"))throw Y("RSA-PSS");let n=parseInt(t.slice(2),10);if(kt(e.algorithm.hash)!==n)throw Y(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!be(e.algorithm,"Ed25519"))throw Y("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!be(e.algorithm,t))throw Y(t);break}case "ES256":case "ES384":case "ES512":{if(!be(e.algorithm,"ECDSA"))throw Y("ECDSA");let n=In(t);if(e.algorithm.namedCurve!==n)throw Y(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}Tn(e,r);}function fr(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var dr=(e,...t)=>fr("Key must be ",e,...t);function Et(e,t,...r){return fr(`Key for the ${e} algorithm must be `,t,...r)}function Pt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function vt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var At=e=>Pt(e)||vt(e);var pr=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return  true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return  false;r.add(a);}}return  true};function Wn(e){return typeof e=="object"&&e!==null}var Ze=e=>{if(!Wn(e)||Object.prototype.toString.call(e)!=="[object Object]")return  false;if(Object.getPrototypeOf(e)===null)return  true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var hr=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function Jn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new L('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new L('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new L('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new L('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new L('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var mr=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=Jn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var wr=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new L(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function De(e){return Ze(e)&&typeof e.kty=="string"}function yr(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function gr(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function br(e){return e.kty==="oct"&&typeof e.k=="string"}var Se,Sr=async(e,t,r,n=false)=>{Se||(Se=new WeakMap);let o=Se.get(e);if(o?.[r])return o[r];let a=await mr({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:Se.set(e,{[r]:a}),a},_n=(e,t)=>{Se||(Se=new WeakMap);let r=Se.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&s==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES384"&&s==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES512"&&s==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:s},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:Se.set(e,{[t]:a}),a},Rr=async(e,t)=>{if(e instanceof Uint8Array||Pt(e))return e;if(vt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return _n(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Sr(e,r,t)}if(De(e))return e.k?sr(e.k):Sr(e,e,t,true);throw new Error("unreachable")};var Re=e=>e?.[Symbol.toStringTag],xt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return  true},Mn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(De(t)){if(br(t)&&xt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!At(t))throw new TypeError(Et(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${Re(t)} instances for symmetric algorithms must be of type "secret"`)}},Ln=(e,t,r)=>{if(De(t))switch(r){case "decrypt":case "sign":if(yr(t)&&xt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(gr(t)&&xt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!At(t))throw new TypeError(Et(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${Re(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${Re(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${Re(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${Re(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${Re(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},kr=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?Mn(e,t,r):Ln(e,t,r);};var Er=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new L(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var Pr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(dr(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return ur(t,e,r),t};var ie=e=>Math.floor(e.getTime()/1e3);var Hn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Qe=e=>{let t=Hn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function de(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var v,et=class{constructor(t){F(this,v);if(!Ze(t))throw new TypeError("JWT Claims Set MUST be an object");B(this,v,structuredClone(t));}data(){return ne.encode(JSON.stringify(m(this,v)))}get iss(){return m(this,v).iss}set iss(t){m(this,v).iss=t;}get sub(){return m(this,v).sub}set sub(t){m(this,v).sub=t;}get aud(){return m(this,v).aud}set aud(t){m(this,v).aud=t;}set jti(t){m(this,v).jti=t;}set nbf(t){typeof t=="number"?m(this,v).nbf=de("setNotBefore",t):t instanceof Date?m(this,v).nbf=de("setNotBefore",ie(t)):m(this,v).nbf=ie(new Date)+Qe(t);}set exp(t){typeof t=="number"?m(this,v).exp=de("setExpirationTime",t):t instanceof Date?m(this,v).exp=de("setExpirationTime",ie(t)):m(this,v).exp=ie(new Date)+Qe(t);}set iat(t){typeof t>"u"?m(this,v).iat=ie(new Date):t instanceof Date?m(this,v).iat=de("setIssuedAt",ie(t)):typeof t=="string"?m(this,v).iat=de("setIssuedAt",ie(new Date)+Qe(t)):m(this,v).iat=de("setIssuedAt",t);}};v=new WeakMap;var vr=async(e,t,r)=>{let n=await Pr(e,t,"sign");hr(e,n);let o=await crypto.subtle.sign(Er(e,n.algorithm),n,r);return new Uint8Array(o)};var _e,H,Z,tt=class{constructor(t){F(this,_e);F(this,H);F(this,Z);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");B(this,_e,t);}setProtectedHeader(t){if(m(this,H))throw new TypeError("setProtectedHeader can only be called once");return B(this,H,t),this}setUnprotectedHeader(t){if(m(this,Z))throw new TypeError("setUnprotectedHeader can only be called once");return B(this,Z,t),this}async sign(t,r){if(!m(this,H)&&!m(this,Z))throw new oe("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!pr(m(this,H),m(this,Z)))throw new oe("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...m(this,H),...m(this,Z)},o=wr(oe,new Map([["b64",true]]),r?.crit,m(this,H),n),a=true;if(o.has("b64")&&(a=m(this,H).b64,typeof a!="boolean"))throw new oe('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new oe('JWS "alg" (Algorithm) Header Parameter missing or invalid');kr(i,t,"sign");let s=m(this,_e);a&&(s=ne.encode(Ye(s)));let u;m(this,H)?u=ne.encode(Ye(JSON.stringify(m(this,H)))):u=ne.encode("");let l=or(u,ne.encode("."),s),c=await Rr(t,i),p=await vr(i,c,l),d={signature:Ye(p),payload:""};return a&&(d.payload=ge.decode(s)),m(this,Z)&&(d.header=m(this,Z)),m(this,H)&&(d.protected=ge.decode(u)),d}};_e=new WeakMap,H=new WeakMap,Z=new WeakMap;var ke,rt=class{constructor(t){F(this,ke);B(this,ke,new tt(t));}setProtectedHeader(t){return m(this,ke).setProtectedHeader(t),this}async sign(t,r){let n=await m(this,ke).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};ke=new WeakMap;var se,j,pe=class{constructor(t={}){F(this,se);F(this,j);B(this,j,new et(t));}setIssuer(t){return m(this,j).iss=t,this}setSubject(t){return m(this,j).sub=t,this}setAudience(t){return m(this,j).aud=t,this}setJti(t){return m(this,j).jti=t,this}setNotBefore(t){return m(this,j).nbf=t,this}setExpirationTime(t){return m(this,j).exp=t,this}setIssuedAt(t){return m(this,j).iat=t,this}setProtectedHeader(t){return B(this,se,t),this}async sign(t,r){let n=new rt(m(this,j).data());if(n.setProtectedHeader(m(this,se)),Array.isArray(m(this,se)?.crit)&&m(this,se).crit.includes("b64")&&m(this,se).b64===false)throw new Je("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};se=new WeakMap,j=new WeakMap;var $n=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),nt=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return $n(r)},V=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,s={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(s.nonce=n),o&&(s.ath=o),await new pe(s).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var $=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function he(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,s=Math.floor(Date.now()/1e3),u=s+Math.max(60,Math.min(i,3600)),l={child_jkt:n,client_id:o,aud:"issuer",iat:s,exp:u,jti:crypto.randomUUID()};return a&&(l.sid=a),await new pe(l).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Me(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Le(e){let t=e.status,r=Array.from(e.headers.keys()).some(s=>s.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let s=await e.clone().json();n=typeof s?.error=="string"?s.error:void 0,o=typeof s?.detail=="string"?s.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function me(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var ot=e=>/^0x[a-fA-F0-9]{40}$/.test(e),ce=e=>ot(e)?e.toLowerCase():e,A=(e,t)=>!e||!t?false:ot(e)&&ot(t)?e.toLowerCase()===t.toLowerCase():e===t;var Ee={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null,registeredProofId:null},Kt=react.createContext(void 0);function Ir(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Ee}catch{return Ee}}function Nn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var Ct=({children:e,clientId:t})=>{let[r,n]=react.useState(Ee),o=react.useRef(false),[a,i]=react.useState(false),s=react.useMemo(()=>We(t),[t]);react.useEffect(()=>{let h=true;return (async()=>{let y=await T(s)??await T(Xe)??Ir(s);h&&(n({...Ee,...y}),o.current=true,i(true));})(),()=>{h=false;}},[s]),react.useEffect(()=>{o.current&&(async()=>(await S(s,r),Nn(s,r)))();},[r,s]);let u=react.useCallback(h=>n(f=>({...f,refreshId:h})),[]),l=react.useCallback(h=>n(f=>({...f,lastPolicyHash:h})),[]),c=react.useCallback(h=>n(f=>({...f,lastPolicyProof:h})),[]),p=react.useCallback(h=>n(f=>({...f,lastHost:h})),[]),d=react.useCallback(h=>n(f=>({...f,rootJkt:h})),[]),g=react.useCallback(h=>n(f=>({...f,registeredProofId:h})),[]),R=async()=>{try{let h=localStorage.getItem(s);if(h){let f=JSON.parse(h);if(typeof f?.refreshId=="string"&&f.refreshId)return f.refreshId}}catch{}try{let h=await T(s);if(typeof h?.refreshId=="string"&&h.refreshId)return h.refreshId}catch{}return null},K=react.useCallback(h=>n(f=>({...f,boundWallet:h})),[]),w=react.useCallback(h=>n(f=>({...f,clientId:h})),[]),k=react.useCallback(h=>n(f=>({...f,jkt:h})),[]),b=react.useCallback(()=>n(Ee),[]),J=react.useCallback(async()=>{let f=await T(s)??Ir(s);n({...Ee,...f});},[]),M=react.useMemo(()=>({meta:r,setBoundWallet:K,setClientId:w,setJkt:k,resetMeta:b,reload:J,setRefreshId:u,getRefreshId:R,ready:a,setLastPolicyHash:l,setLastPolicyProof:c,setLastHost:p,setRootJkt:d,setRegisteredProofId:g}),[r,K,w,k,b,J,a,u,R,l,c,p,d,g]);return jsxRuntime.jsx(Kt.Provider,{value:M,children:e})};function It(){let e=react.useContext(Kt);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var Wr=`${I}:wrap`;async function at(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${I}:probe_safe`;await S(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await T(t);return await S(t,void 0),!!(r&&r.privKey)}catch{return  false}}async function Bn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!0,["sign","verify"]),t=`${I}:probe`;await S(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await T(t);return await S(t,void 0),!!(r&&r.privKey)}catch{return  false}}function ve(e){let{d:t,...r}=e;return {...r,kty:"EC",crv:E,alg:Te,use:"sig"}}async function Jr(){let e=await T(Wr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await S(Wr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Tt(e){let t=await Jr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Gn(e,t){let r=await Jr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Wt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let u=await T(I);if(!u)return  false;if(u.fmt==="cryptokey"){let c=u;if(!c.privKey)return await S(I,void 0),false;let p=c.privKey;try{if(p.extractable&&await at()){let g=await crypto.subtle.exportKey("jwk",p),R=await crypto.subtle.importKey("jwk",g,{name:"ECDSA",namedCurve:E},!1,["sign"]),K={fmt:"cryptokey",privKey:R,pubJwk:ve(c.pubJwk)};await S(I,K),p=R;}}catch{}return e.current=p,t.current=ve(c.pubJwk),true}if(u.fmt==="encjwk"){let c=u;try{let p=await Gn(c.encPrivJwk,c.iv),d=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=d,t.current=ve(c.pubJwk),!0}catch{return await S(I,void 0),false}}let l=u;if(l&&l.d){let{d:c,...p}=l,d=ve(p),g=await at(),R=g||await Bn();if(R&&g){let b=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},false,["sign"]);return await S(I,{fmt:"cryptokey",privKey:b,pubJwk:d}),e.current=b,t.current=d,true}if(R){let b=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},true,["sign"]);return await S(I,{fmt:"cryptokey",privKey:b,pubJwk:d}),e.current=b,t.current=d,true}let{encPrivJwk:K,iv:w}=await Tt(l);await S(I,{fmt:"encjwk",encPrivJwk:K,iv:w,pubJwk:d});let k=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},false,["sign"]);return e.current=k,t.current=d,true}return await S(I,void 0),false},[]),n=react.useCallback(async(u,l)=>{await S(I,{fmt:"cryptokey",privKey:u,pubJwk:l});},[]),o=react.useCallback(async(u,l)=>{let{encPrivJwk:c,iv:p}=await Tt(u);await S(I,{fmt:"encjwk",encPrivJwk:c,iv:p,pubJwk:l});},[]),a=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let u=await at(),l=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),c=ve(await crypto.subtle.exportKey("jwk",l.publicKey)),p=await crypto.subtle.exportKey("jwk",l.privateKey);if(u){let d=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},false,["sign"]);await n(d,c),e.current=d,t.current=c;}else {await o(p,c);let d=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=d,t.current=c;}},[r,n,o]),i=react.useCallback(async()=>{let u=await at(),l=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),c=ve(await crypto.subtle.exportKey("jwk",l.publicKey)),p=await crypto.subtle.exportKey("jwk",l.privateKey);if(u){let d=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},false,["sign"]);await S(I,{fmt:"cryptokey",privKey:d,pubJwk:c}),e.current=d,t.current=c;}else {let{encPrivJwk:d,iv:g}=await Tt(p);await S(I,{fmt:"encjwk",encPrivJwk:d,iv:g,pubJwk:c});let R=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=R,t.current=c;}},[]),s=react.useCallback(async()=>{await S(I,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:s,privRef:e,pubJwkRef:t}};var Q="sunbreak_root_key_v1",_r=`${Q}:wrap`;async function Mr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${Q}:probe_safe`;await S(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await T(t);return await S(t,void 0),!!(r&&r.privKey)}catch{return  false}}function it(e){let{d:t,...r}=e;return {...r,kty:"EC",crv:E,alg:Te,use:"sig"}}async function Lr(){let e=await T(_r);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await S(_r,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Vn(e){let t=await Lr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function qn(e,t){let r=await Lr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Dt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let a=await T(Q);if(!a)return  false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await S(Q,void 0),false;let s=i.privKey;try{if(s.extractable&&await Mr()){let l=await crypto.subtle.exportKey("jwk",s),c=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},!1,["sign"]),p={fmt:"cryptokey",privKey:c,pubJwk:it(i.pubJwk),createdAt:i.createdAt};await S(Q,p),s=c;}}catch{}return e.current=s,t.current=it(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let s=await qn(i.encPrivJwk,i.iv),u=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=u,t.current=it(i.pubJwk),!0}catch{return await S(Q,void 0),false}}return await S(Q,void 0),false},[]),n=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await Mr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),s=it(await crypto.subtle.exportKey("jwk",i.publicKey)),u=Date.now(),l=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let c=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},false,["sign"]);await S(Q,{fmt:"cryptokey",privKey:c,pubJwk:s,createdAt:u}),e.current=c,t.current=s;}else {let{encPrivJwk:c,iv:p}=await Vn(l);await S(Q,{fmt:"encjwk",encPrivJwk:c,iv:p,pubJwk:s,createdAt:u});let g=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=g,t.current=s;}},[r]),o=react.useCallback(async()=>{await S(Q,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var He=class e{constructor(t,r=false){this.colors={flow:"#00D9FF",state:"#00FF88",decision:"#FFB800",api:"#B388FF",guard:"#FFEA00",error:"#FF5252",warn:"#FF9100",info:"#90CAF9"};this.enabled=r,this.prefix=t?`[Sunbreak:${t.slice(0,8)}]`:"[Sunbreak]";}log(t,r,n){if(!this.enabled)return;let o=this.colors[t],a=new Date().toISOString().slice(11,23),i=this.getEmoji(t);console.log(`%c${i} ${this.prefix} [${a}] [${t.toUpperCase()}]%c ${r}`,`color: ${o}; font-weight: bold`,"color: inherit; font-weight: normal",n!==void 0?n:"");}getEmoji(t){switch(t){case "flow":return "\u{1F504}";case "state":return "\u{1F500}";case "decision":return "\u{1F914}";case "api":return "\u{1F4E1}";case "guard":return "\u{1F6E1}\uFE0F";case "error":return "\u274C";case "warn":return "\u26A0\uFE0F";case "info":return "\u2139\uFE0F";default:return "\u2022"}}flow(t,r,n){this.log("flow",`[${t.toUpperCase()}] ${r}`,n);}state(t,r,n,o){this.log("state",`${t} \u2192 ${r}: ${n}`,o);}decision(t,r,n,o){this.log("decision",`${t} = ${r?"\u2713 YES":"\u2717 NO"} (${n})`,o);}api(t,r,n){let o=n.status,i=o>=200&&o<300?"\u2713":"\u2717";this.log("api",`${i} ${t} ${r} \u2192 ${o}${n.error?` (${n.error})`:""}`,n.data);}guard(t,r,n,o){this.log("guard",`${t}: ${r?"\u2713 PASS":"\u2717 BLOCK"} (${n})`,o);}error(t,r){this.log("error",t,r);}warn(t,r){this.log("warn",t,r);}info(t,r){this.log("info",t,r);}group(t){this.enabled&&console.group(`${this.prefix} ${t}`);}groupEnd(){this.enabled&&console.groupEnd();}child(t){let r=new e(void 0,this.enabled);return r.prefix=`${this.prefix}[${t}]`,r}},_t=null;function Hr(){return _t||(_t=new He(void 0,false)),_t}var $e=class{constructor(t){this.currentState="unknown";this.previousState="unknown";this.logger=Hr();this.hadSessionHistory=false;this.inActiveSession=false;t&&this.initialize(t);}initialize(t){if(this.currentState!=="unknown"){this.logger.info(`Skipping initialization - state already set to ${this.currentState}`);let n=!!(t.boundWallet||t.refreshId);this.hadSessionHistory=n;return}this.logger.group("\u{1F527} Initializing Session State Machine");let r=!!(t.boundWallet||t.refreshId);this.hadSessionHistory=r,this.logger.info("Initial context",{wallet:t.wallet,boundWallet:t.boundWallet,refreshId:t.refreshId?"present":"null",hasToken:t.hasToken,authenticated:t.authenticated,hasHistory:r}),t.authenticated&&t.hasToken?(this.transition("authenticated","Has valid token"),this.inActiveSession=true):r?this.transition("refreshable","Has session history"):this.transition("unregistered","No session history"),this.logger.groupEnd();}transition(t,r){if(this.currentState===t){this.logger.info(`State unchanged: ${t} (${r})`);return}this.previousState=this.currentState,this.currentState=t,this.logger.state(this.previousState,t,r);}getState(){return this.currentState}isInActiveSession(){return this.inActiveSession}markHadSession(){this.hadSessionHistory||(this.logger.info("Marked hadSessionHistory = true"),this.hadSessionHistory=true);}clearSessionHistory(){this.logger.info("Cleared session history"),this.hadSessionHistory=false,this.inActiveSession=false;}onNewCredentialsReceived(){this.inActiveSession&&(this.logger.info("New credentials received while in active session - allowing re-registration"),this.inActiveSession=false,this.transition("unregistered","New credentials received"));}onProbeComplete(t){if(this.logger.flow("probe","Probe completed, determining initial state"),this.currentState!=="unknown"){this.logger.warn("Probe called but state is not UNKNOWN",{currentState:this.currentState});return}!!(t.boundWallet||t.refreshId)||this.hadSessionHistory?this.transition("refreshable","Session history found"):this.transition("unregistered","No session history");}onRegisterSuccess(t){this.logger.flow("register","Register succeeded"),this.transition("authenticated","Register succeeded"),this.inActiveSession=true,this.hadSessionHistory=true;}onRegisterFailure(t){this.logger.flow("register",`Register failed: ${t}`);}onRefreshSuccess(t){this.logger.flow("refresh","Refresh succeeded"),this.transition("authenticated","Refresh succeeded"),this.inActiveSession=true;}onRefreshExpired(){this.logger.flow("refresh","Refresh failed: session expired (missing refresh identifier)"),this.transition("expired","Session expired"),this.inActiveSession=false;}onRefreshFailure(t){this.logger.flow("refresh",`Refresh failed: ${t}`);}onTokenExpired(){this.logger.flow("token","Token expired"),this.currentState==="authenticated"&&this.transition("refreshable","Token expired");}onWalletChange(t,r,n){if(this.logger.flow("wallet",`Wallet changed: ${t||"null"} \u2192 ${r||"null"}`),!r){this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;return}A(r,n.boundWallet)?(this.hadSessionHistory=true,this.transition("refreshable","Wallet reconnected with session history")):(this.transition("unregistered","Wallet changed to different address"),this.inActiveSession=false);}onWalletDisconnect(){this.logger.flow("wallet","Wallet disconnected"),this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;}shouldAttemptProbe(){let t=this.currentState==="unknown";return this.logger.decision("Should attempt probe?",t,`State is ${this.currentState}`),t}shouldAttemptRefresh(t){if(this.currentState!=="refreshable"&&this.currentState!=="authenticated")return this.logger.decision("Should attempt refresh?",false,`State is ${this.currentState}, not REFRESHABLE or AUTHENTICATED`),false;if(!(t.boundWallet||t.wallet))return this.logger.decision("Should attempt refresh?",false,"No wallet available (neither boundWallet nor current wallet)"),false;if(t.wallet&&t.boundWallet&&!A(t.wallet,t.boundWallet))return this.logger.decision("Should attempt refresh?",false,"Wallet mismatch"),false;if(t.hasToken&&t.tokenExpiry){let n=Math.floor(Date.now()/1e3);if(t.tokenExpiry-n>5&&this.currentState==="authenticated")return this.logger.decision("Should attempt refresh?",false,"Token still valid"),false}return this.logger.decision("Should attempt refresh?",true,`State is ${this.currentState}, token ${t.hasToken?"present":"missing"}`),true}shouldAttemptRegister(t){return this.inActiveSession?(this.logger.decision("Should attempt register?",false,"Already in active session - proof changes ignored"),false):this.currentState!=="unregistered"&&this.currentState!=="expired"?(this.logger.decision("Should attempt register?",false,`State is ${this.currentState}, not UNREGISTERED or EXPIRED`),false):t.wallet?t.hasProof?t.authenticated&&t.hasToken?(this.logger.decision("Should attempt register?",false,"Already authenticated"),false):(this.logger.decision("Should attempt register?",true,`State is ${this.currentState}, have wallet + proof`),true):(this.logger.decision("Should attempt register?",false,"No proof available"),false):(this.logger.decision("Should attempt register?",false,"No wallet connected"),false)}shouldWaitForInitialRefresh(t,r){return this.currentState!=="refreshable"||t?false:r.wallet&&r.boundWallet&&A(r.wallet,r.boundWallet)?(this.logger.decision("Should wait for initial refresh?",true,"Returning user - let refresh attempt first"),true):false}getStateReport(t){return `
+var bn=Object.defineProperty;var er=e=>{throw TypeError(e)};var Sn=(e,t,r)=>t in e?bn(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var O=(e,t,r)=>Sn(e,typeof t!="symbol"?t+"":t,r),tr=(e,t,r)=>t.has(e)||er("Cannot "+r);var m=(e,t,r)=>(tr(e,t,"read from private field"),r?r.call(e):t.get(e)),F=(e,t,r)=>t.has(e)?er("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),B=(e,t,r,n)=>(tr(e,t,"write to private field"),t.set(e,r),r);var ze=e=>{let t=5381;for(let r=0;r<e.length;r++)t=t*33^e.charCodeAt(r);return (t>>>0).toString(16).padStart(8,"0")},Ce=e=>{try{return e.method==="provider_jwt"?`${e.issuer}:${ze(e.token)}`:e.method==="siwe"||e.method==="eip191"?`${e.method}:${ze(e.signature)}`:e.method==="ed25519"?`ed25519:${ze(e.signatureBase64)}`:null}catch{return null}},ye=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Rn="sunbreak-kv",Ie="kv",Xe="sunbreak_dpop_meta_v1",I="sunbreak_dpop_key_v1",Te="ES256",E="P-256",We=e=>`${Xe}:${e}`,rr=()=>new Promise((e,t)=>{let r=indexedDB.open(Rn,1);r.onupgradeneeded=()=>r.result.createObjectStore(Ie),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),T=async e=>{try{let t=await rr();return await new Promise((r,n)=>{let i=t.transaction(Ie,"readonly").objectStore(Ie).get(e);i.onsuccess=()=>r(i.result),i.onerror=()=>n(i.error);})}catch{return}},R=async(e,t)=>{let r=await rr();await new Promise((n,a)=>{let o=r.transaction(Ie,"readwrite").objectStore(Ie).put(t,e);o.onsuccess=()=>n(),o.onerror=()=>a(o.error);});};var kn=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},En=e=>e.replace(/\/+$/,""),yt=e=>{let t=En(e);return kn(t)};function St(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,a=Pn(n);return e.setLastHost(a),t.host=`${a}.${r}`,t.origin}var Pn=e=>{for(let t=0;t<bt.length;t++){let r=bt[Math.floor(Math.random()*bt.length)].toLowerCase();if(r!==e)return r}return "alpha"},bt=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var G=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(a=>r[a]===void 0&&delete r[a]);let n=JSON.stringify(r);return btoa(n)};var vn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),An=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),xn=new Set(["dpop","x-sunbreak-meta"]),Kn=64,nr=2048,Cn=64;function Rt(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[a,i]of r){if(n>=Cn)break;if(a==null||i==null)continue;let o=String(a).toLowerCase().trim();if(!o||o.length>Kn||vn.has(o)||An.has(o)||xn.has(o))continue;let s=String(i);s.length>nr&&(s=s.slice(0,nr)),t[o]=s,n++;}return t}var ne=new TextEncoder,be=new TextDecoder;function or(...e){let t=e.reduce((a,{length:i})=>a+i,0),r=new Uint8Array(t),n=0;for(let a of e)r.set(a,n),n+=a.length;return r}function ar(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function ir(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function sr(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:be.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=be.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return ir(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Ye(e){let t=e;return typeof t=="string"&&(t=ne.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):ar(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var fe=class extends Error{constructor(r,n){super(r,n);O(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};O(fe,"code","ERR_JOSE_GENERIC");var L=class extends fe{constructor(){super(...arguments);O(this,"code","ERR_JOSE_NOT_SUPPORTED");}};O(L,"code","ERR_JOSE_NOT_SUPPORTED");var oe=class extends fe{constructor(){super(...arguments);O(this,"code","ERR_JWS_INVALID");}};O(oe,"code","ERR_JWS_INVALID");var Je=class extends fe{constructor(){super(...arguments);O(this,"code","ERR_JWT_INVALID");}};O(Je,"code","ERR_JWT_INVALID");var cr,lr,kt=class extends(lr=fe,cr=Symbol.asyncIterator,lr){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);O(this,cr);O(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};O(kt,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function Y(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function Se(e,t){return e.name===t}function Et(e){return parseInt(e.name.slice(4),10)}function Wn(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function Jn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function ur(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!Se(e.algorithm,"HMAC"))throw Y("HMAC");let n=parseInt(t.slice(2),10);if(Et(e.algorithm.hash)!==n)throw Y(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!Se(e.algorithm,"RSASSA-PKCS1-v1_5"))throw Y("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(Et(e.algorithm.hash)!==n)throw Y(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!Se(e.algorithm,"RSA-PSS"))throw Y("RSA-PSS");let n=parseInt(t.slice(2),10);if(Et(e.algorithm.hash)!==n)throw Y(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!Se(e.algorithm,"Ed25519"))throw Y("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!Se(e.algorithm,t))throw Y(t);break}case "ES256":case "ES384":case "ES512":{if(!Se(e.algorithm,"ECDSA"))throw Y("ECDSA");let n=Wn(t);if(e.algorithm.namedCurve!==n)throw Y(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}Jn(e,r);}function fr(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var dr=(e,...t)=>fr("Key must be ",e,...t);function Pt(e,t,...r){return fr(`Key for the ${e} algorithm must be `,t,...r)}function vt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function At(e){return e?.[Symbol.toStringTag]==="KeyObject"}var xt=e=>vt(e)||At(e);var pr=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return  true;let r;for(let n of t){let a=Object.keys(n);if(!r||r.size===0){r=new Set(a);continue}for(let i of a){if(r.has(i))return  false;r.add(i);}}return  true};function Dn(e){return typeof e=="object"&&e!==null}var Ze=e=>{if(!Dn(e)||Object.prototype.toString.call(e)!=="[object Object]")return  false;if(Object.getPrototypeOf(e)===null)return  true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var hr=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function _n(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new L('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new L('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new L('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new L('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new L('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var mr=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=_n(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var wr=(e,t,r,n,a)=>{if(a.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(o=>typeof o!="string"||o.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...t.entries()]):i=t;for(let o of n.crit){if(!i.has(o))throw new L(`Extension Header Parameter "${o}" is not recognized`);if(a[o]===void 0)throw new e(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&n[o]===void 0)throw new e(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(n.crit)};function De(e){return Ze(e)&&typeof e.kty=="string"}function gr(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function yr(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function br(e){return e.kty==="oct"&&typeof e.k=="string"}var Re,Sr=async(e,t,r,n=false)=>{Re||(Re=new WeakMap);let a=Re.get(e);if(a?.[r])return a[r];let i=await mr({...t,alg:r});return n&&Object.freeze(e),a?a[r]=i:Re.set(e,{[r]:i}),i},Ln=(e,t)=>{Re||(Re=new WeakMap);let r=Re.get(e);if(r?.[t])return r[t];let n=e.type==="public",a=!!n,i;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}i=e.toCryptoKey(e.asymmetricKeyType,a,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");i=e.toCryptoKey(e.asymmetricKeyType,a,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");i=e.toCryptoKey(e.asymmetricKeyType,a,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let o;switch(t){case "RSA-OAEP":o="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":o="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":o="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":o="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:o},a,n?["encrypt"]:["decrypt"]);i=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:o},a,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&s==="P-256"&&(i=e.toCryptoKey({name:"ECDSA",namedCurve:s},a,[n?"verify":"sign"])),t==="ES384"&&s==="P-384"&&(i=e.toCryptoKey({name:"ECDSA",namedCurve:s},a,[n?"verify":"sign"])),t==="ES512"&&s==="P-521"&&(i=e.toCryptoKey({name:"ECDSA",namedCurve:s},a,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(i=e.toCryptoKey({name:"ECDH",namedCurve:s},a,n?[]:["deriveBits"]));}if(!i)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=i:Re.set(e,{[t]:i}),i},Rr=async(e,t)=>{if(e instanceof Uint8Array||vt(e))return e;if(At(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return Ln(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Sr(e,r,t)}if(De(e))return e.k?sr(e.k):Sr(e,e,t,true);throw new Error("unreachable")};var ke=e=>e?.[Symbol.toStringTag],Kt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return  true},Hn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(De(t)){if(br(t)&&Kt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!xt(t))throw new TypeError(Pt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${ke(t)} instances for symmetric algorithms must be of type "secret"`)}},$n=(e,t,r)=>{if(De(t))switch(r){case "decrypt":case "sign":if(gr(t)&&Kt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(yr(t)&&Kt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!xt(t))throw new TypeError(Pt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${ke(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${ke(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${ke(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${ke(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${ke(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},kr=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?Hn(e,t,r):$n(e,t,r);};var Er=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new L(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var Pr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(dr(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return ur(t,e,r),t};var ie=e=>Math.floor(e.getTime()/1e3);var On=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Qe=e=>{let t=On.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),a;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":a=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":a=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":a=Math.round(r*3600);break;case "day":case "days":case "d":a=Math.round(r*86400);break;case "week":case "weeks":case "w":a=Math.round(r*604800);break;default:a=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-a:a};function de(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var A,et=class{constructor(t){F(this,A);if(!Ze(t))throw new TypeError("JWT Claims Set MUST be an object");B(this,A,structuredClone(t));}data(){return ne.encode(JSON.stringify(m(this,A)))}get iss(){return m(this,A).iss}set iss(t){m(this,A).iss=t;}get sub(){return m(this,A).sub}set sub(t){m(this,A).sub=t;}get aud(){return m(this,A).aud}set aud(t){m(this,A).aud=t;}set jti(t){m(this,A).jti=t;}set nbf(t){typeof t=="number"?m(this,A).nbf=de("setNotBefore",t):t instanceof Date?m(this,A).nbf=de("setNotBefore",ie(t)):m(this,A).nbf=ie(new Date)+Qe(t);}set exp(t){typeof t=="number"?m(this,A).exp=de("setExpirationTime",t):t instanceof Date?m(this,A).exp=de("setExpirationTime",ie(t)):m(this,A).exp=ie(new Date)+Qe(t);}set iat(t){typeof t>"u"?m(this,A).iat=ie(new Date):t instanceof Date?m(this,A).iat=de("setIssuedAt",ie(t)):typeof t=="string"?m(this,A).iat=de("setIssuedAt",ie(new Date)+Qe(t)):m(this,A).iat=de("setIssuedAt",t);}};A=new WeakMap;var vr=async(e,t,r)=>{let n=await Pr(e,t,"sign");hr(e,n);let a=await crypto.subtle.sign(Er(e,n.algorithm),n,r);return new Uint8Array(a)};var _e,H,Z,tt=class{constructor(t){F(this,_e);F(this,H);F(this,Z);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");B(this,_e,t);}setProtectedHeader(t){if(m(this,H))throw new TypeError("setProtectedHeader can only be called once");return B(this,H,t),this}setUnprotectedHeader(t){if(m(this,Z))throw new TypeError("setUnprotectedHeader can only be called once");return B(this,Z,t),this}async sign(t,r){if(!m(this,H)&&!m(this,Z))throw new oe("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!pr(m(this,H),m(this,Z)))throw new oe("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...m(this,H),...m(this,Z)},a=wr(oe,new Map([["b64",true]]),r?.crit,m(this,H),n),i=true;if(a.has("b64")&&(i=m(this,H).b64,typeof i!="boolean"))throw new oe('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=n;if(typeof o!="string"||!o)throw new oe('JWS "alg" (Algorithm) Header Parameter missing or invalid');kr(o,t,"sign");let s=m(this,_e);i&&(s=ne.encode(Ye(s)));let u;m(this,H)?u=ne.encode(Ye(JSON.stringify(m(this,H)))):u=ne.encode("");let l=or(u,ne.encode("."),s),c=await Rr(t,o),p=await vr(o,c,l),d={signature:Ye(p),payload:""};return i&&(d.payload=be.decode(s)),m(this,Z)&&(d.header=m(this,Z)),m(this,H)&&(d.protected=be.decode(u)),d}};_e=new WeakMap,H=new WeakMap,Z=new WeakMap;var Ee,rt=class{constructor(t){F(this,Ee);B(this,Ee,new tt(t));}setProtectedHeader(t){return m(this,Ee).setProtectedHeader(t),this}async sign(t,r){let n=await m(this,Ee).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Ee=new WeakMap;var se,j,pe=class{constructor(t={}){F(this,se);F(this,j);B(this,j,new et(t));}setIssuer(t){return m(this,j).iss=t,this}setSubject(t){return m(this,j).sub=t,this}setAudience(t){return m(this,j).aud=t,this}setJti(t){return m(this,j).jti=t,this}setNotBefore(t){return m(this,j).nbf=t,this}setExpirationTime(t){return m(this,j).exp=t,this}setIssuedAt(t){return m(this,j).iat=t,this}setProtectedHeader(t){return B(this,se,t),this}async sign(t,r){let n=new rt(m(this,j).data());if(n.setProtectedHeader(m(this,se)),Array.isArray(m(this,se)?.crit)&&m(this,se).crit.includes("b64")&&m(this,se).b64===false)throw new Je("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};se=new WeakMap,j=new WeakMap;var jn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),nt=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return jn(r)},V=async e=>{let{method:t,url:r,nonce:n,ath:a,privateKey:i,publicJwk:o}=e,s={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(s.nonce=n),a&&(s.ath=a),await new pe(s).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:o}).sign(i)};var $=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),a=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(a))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function he(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:a,sid:i,ttlSec:o=300}=e,s=Math.floor(Date.now()/1e3),u=s+Math.max(60,Math.min(o,3600)),l={child_jkt:n,client_id:a,aud:"issuer",iat:s,exp:u,jti:crypto.randomUUID()};return i&&(l.sid=i),await new pe(l).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Me(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Le(e){let t=e.status,r=Array.from(e.headers.keys()).some(s=>s.toLowerCase().startsWith("x-amzn-waf")),n,a,i=e.headers.get("content-type")||"";if(i.includes("application/json"))try{let s=await e.clone().json();n=typeof s?.error=="string"?s.error:void 0,a=typeof s?.detail=="string"?s.detail:void 0;}catch{}let o=t===403&&!r&&!i.includes("application/json");return {status:t,code:n,detail:a,waf:r,alb403:o}}function me(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var ot=e=>/^0x[a-fA-F0-9]{40}$/.test(e),ce=e=>ot(e)?e.toLowerCase():e,x=(e,t)=>!e||!t?false:ot(e)&&ot(t)?e.toLowerCase()===t.toLowerCase():e===t;var Pe={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null,registeredProofId:null},Ct=react.createContext(void 0);function Ir(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Pe}catch{return Pe}}function Fn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var It=({children:e,clientId:t})=>{let[r,n]=react.useState(Pe),a=react.useRef(false),[i,o]=react.useState(false),s=react.useMemo(()=>We(t),[t]);react.useEffect(()=>{let h=true;return (async()=>{let y=await T(s)??await T(Xe)??Ir(s);h&&(n({...Pe,...y}),a.current=true,o(true));})(),()=>{h=false;}},[s]),react.useEffect(()=>{a.current&&(async()=>(await R(s,r),Fn(s,r)))();},[r,s]);let u=react.useCallback(h=>n(f=>({...f,refreshId:h})),[]),l=react.useCallback(h=>n(f=>({...f,lastPolicyHash:h})),[]),c=react.useCallback(h=>n(f=>({...f,lastPolicyProof:h})),[]),p=react.useCallback(h=>n(f=>({...f,lastHost:h})),[]),d=react.useCallback(h=>n(f=>({...f,rootJkt:h})),[]),w=react.useCallback(h=>n(f=>({...f,registeredProofId:h})),[]),b=async()=>{try{let h=localStorage.getItem(s);if(h){let f=JSON.parse(h);if(typeof f?.refreshId=="string"&&f.refreshId)return f.refreshId}}catch{}try{let h=await T(s);if(typeof h?.refreshId=="string"&&h.refreshId)return h.refreshId}catch{}return null},v=react.useCallback(h=>n(f=>({...f,boundWallet:h})),[]),g=react.useCallback(h=>n(f=>({...f,clientId:h})),[]),k=react.useCallback(h=>n(f=>({...f,jkt:h})),[]),S=react.useCallback(()=>n(Pe),[]),J=react.useCallback(async()=>{let f=await T(s)??Ir(s);n({...Pe,...f});},[]),M=react.useMemo(()=>({meta:r,setBoundWallet:v,setClientId:g,setJkt:k,resetMeta:S,reload:J,setRefreshId:u,getRefreshId:b,ready:i,setLastPolicyHash:l,setLastPolicyProof:c,setLastHost:p,setRootJkt:d,setRegisteredProofId:w}),[r,v,g,k,S,J,i,u,b,l,c,p,d,w]);return jsxRuntime.jsx(Ct.Provider,{value:M,children:e})};function Tt(){let e=react.useContext(Ct);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var Wr=`${I}:wrap`;async function at(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${I}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await T(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return  false}}async function Vn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!0,["sign","verify"]),t=`${I}:probe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await T(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return  false}}function Ae(e){let{d:t,...r}=e;return {...r,kty:"EC",crv:E,alg:Te,use:"sig"}}async function Jr(){let e=await T(Wr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(Wr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Wt(e){let t=await Jr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function qn(e,t){let r=await Jr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Jt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let u=await T(I);if(!u)return  false;if(u.fmt==="cryptokey"){let c=u;if(!c.privKey)return await R(I,void 0),false;let p=c.privKey;try{if(p.extractable&&await at()){let w=await crypto.subtle.exportKey("jwk",p),b=await crypto.subtle.importKey("jwk",w,{name:"ECDSA",namedCurve:E},!1,["sign"]),v={fmt:"cryptokey",privKey:b,pubJwk:Ae(c.pubJwk)};await R(I,v),p=b;}}catch{}return e.current=p,t.current=Ae(c.pubJwk),true}if(u.fmt==="encjwk"){let c=u;try{let p=await qn(c.encPrivJwk,c.iv),d=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=d,t.current=Ae(c.pubJwk),!0}catch{return await R(I,void 0),false}}let l=u;if(l&&l.d){let{d:c,...p}=l,d=Ae(p),w=await at(),b=w||await Vn();if(b&&w){let S=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},false,["sign"]);return await R(I,{fmt:"cryptokey",privKey:S,pubJwk:d}),e.current=S,t.current=d,true}if(b){let S=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},true,["sign"]);return await R(I,{fmt:"cryptokey",privKey:S,pubJwk:d}),e.current=S,t.current=d,true}let{encPrivJwk:v,iv:g}=await Wt(l);await R(I,{fmt:"encjwk",encPrivJwk:v,iv:g,pubJwk:d});let k=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},false,["sign"]);return e.current=k,t.current=d,true}return await R(I,void 0),false},[]),n=react.useCallback(async(u,l)=>{await R(I,{fmt:"cryptokey",privKey:u,pubJwk:l});},[]),a=react.useCallback(async(u,l)=>{let{encPrivJwk:c,iv:p}=await Wt(u);await R(I,{fmt:"encjwk",encPrivJwk:c,iv:p,pubJwk:l});},[]),i=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let u=await at(),l=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),c=Ae(await crypto.subtle.exportKey("jwk",l.publicKey)),p=await crypto.subtle.exportKey("jwk",l.privateKey);if(u){let d=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},false,["sign"]);await n(d,c),e.current=d,t.current=c;}else {await a(p,c);let d=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=d,t.current=c;}},[r,n,a]),o=react.useCallback(async()=>{let u=await at(),l=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),c=Ae(await crypto.subtle.exportKey("jwk",l.publicKey)),p=await crypto.subtle.exportKey("jwk",l.privateKey);if(u){let d=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},false,["sign"]);await R(I,{fmt:"cryptokey",privKey:d,pubJwk:c}),e.current=d,t.current=c;}else {let{encPrivJwk:d,iv:w}=await Wt(p);await R(I,{fmt:"encjwk",encPrivJwk:d,iv:w,pubJwk:c});let b=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=b,t.current=c;}},[]),s=react.useCallback(async()=>{await R(I,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:i,rotate:o,clear:s,privRef:e,pubJwkRef:t}};var Q="sunbreak_root_key_v1",_r=`${Q}:wrap`;async function Mr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${Q}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await T(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return  false}}function it(e){let{d:t,...r}=e;return {...r,kty:"EC",crv:E,alg:Te,use:"sig"}}async function Lr(){let e=await T(_r);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(_r,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function zn(e){let t=await Lr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Xn(e,t){let r=await Lr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var _t=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let i=await T(Q);if(!i)return  false;if(i.fmt==="cryptokey"){let o=i;if(!o.privKey)return await R(Q,void 0),false;let s=o.privKey;try{if(s.extractable&&await Mr()){let l=await crypto.subtle.exportKey("jwk",s),c=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},!1,["sign"]),p={fmt:"cryptokey",privKey:c,pubJwk:it(o.pubJwk),createdAt:o.createdAt};await R(Q,p),s=c;}}catch{}return e.current=s,t.current=it(o.pubJwk),true}if(i.fmt==="encjwk"){let o=i;try{let s=await Xn(o.encPrivJwk,o.iv),u=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=u,t.current=it(o.pubJwk),!0}catch{return await R(Q,void 0),false}}return await R(Q,void 0),false},[]),n=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let i=await Mr(),o=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),s=it(await crypto.subtle.exportKey("jwk",o.publicKey)),u=Date.now(),l=await crypto.subtle.exportKey("jwk",o.privateKey);if(i){let c=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},false,["sign"]);await R(Q,{fmt:"cryptokey",privKey:c,pubJwk:s,createdAt:u}),e.current=c,t.current=s;}else {let{encPrivJwk:c,iv:p}=await zn(l);await R(Q,{fmt:"encjwk",encPrivJwk:c,iv:p,pubJwk:s,createdAt:u});let w=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=w,t.current=s;}},[r]),a=react.useCallback(async()=>{await R(Q,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:a,rootPrivRef:e,rootPubJwkRef:t}};var He=class e{constructor(t,r=false){this.colors={flow:"#00D9FF",state:"#00FF88",decision:"#FFB800",api:"#B388FF",guard:"#FFEA00",error:"#FF5252",warn:"#FF9100",info:"#90CAF9"};this.enabled=r,this.prefix=t?`[Sunbreak:${t.slice(0,8)}]`:"[Sunbreak]";}log(t,r,n){if(!this.enabled)return;let a=this.colors[t],i=new Date().toISOString().slice(11,23),o=this.getEmoji(t);console.log(`%c${o} ${this.prefix} [${i}] [${t.toUpperCase()}]%c ${r}`,`color: ${a}; font-weight: bold`,"color: inherit; font-weight: normal",n!==void 0?n:"");}getEmoji(t){switch(t){case "flow":return "\u{1F504}";case "state":return "\u{1F500}";case "decision":return "\u{1F914}";case "api":return "\u{1F4E1}";case "guard":return "\u{1F6E1}\uFE0F";case "error":return "\u274C";case "warn":return "\u26A0\uFE0F";case "info":return "\u2139\uFE0F";default:return "\u2022"}}flow(t,r,n){this.log("flow",`[${t.toUpperCase()}] ${r}`,n);}state(t,r,n,a){this.log("state",`${t} \u2192 ${r}: ${n}`,a);}decision(t,r,n,a){this.log("decision",`${t} = ${r?"\u2713 YES":"\u2717 NO"} (${n})`,a);}api(t,r,n){let a=n.status,o=a>=200&&a<300?"\u2713":"\u2717";this.log("api",`${o} ${t} ${r} \u2192 ${a}${n.error?` (${n.error})`:""}`,n.data);}guard(t,r,n,a){this.log("guard",`${t}: ${r?"\u2713 PASS":"\u2717 BLOCK"} (${n})`,a);}error(t,r){this.log("error",t,r);}warn(t,r){this.log("warn",t,r);}info(t,r){this.log("info",t,r);}group(t){this.enabled&&console.group(`${this.prefix} ${t}`);}groupEnd(){this.enabled&&console.groupEnd();}child(t){let r=new e(void 0,this.enabled);return r.prefix=`${this.prefix}[${t}]`,r}},Mt=null;function Hr(){return Mt||(Mt=new He(void 0,false)),Mt}var $e=class{constructor(t){this.currentState="unknown";this.previousState="unknown";this.logger=Hr();this.hadSessionHistory=false;this.inActiveSession=false;t&&this.initialize(t);}initialize(t){if(this.currentState!=="unknown"){this.logger.info(`Skipping initialization - state already set to ${this.currentState}`);let n=!!(t.boundWallet||t.refreshId);this.hadSessionHistory=n;return}this.logger.group("\u{1F527} Initializing Session State Machine");let r=!!(t.boundWallet||t.refreshId);this.hadSessionHistory=r,this.logger.info("Initial context",{wallet:t.wallet,boundWallet:t.boundWallet,refreshId:t.refreshId?"present":"null",hasToken:t.hasToken,authenticated:t.authenticated,hasHistory:r}),t.authenticated&&t.hasToken?(this.transition("authenticated","Has valid token"),this.inActiveSession=true):r?this.transition("refreshable","Has session history"):this.transition("unregistered","No session history"),this.logger.groupEnd();}transition(t,r){if(this.currentState===t){this.logger.info(`State unchanged: ${t} (${r})`);return}this.previousState=this.currentState,this.currentState=t,this.logger.state(this.previousState,t,r);}getState(){return this.currentState}isInActiveSession(){return this.inActiveSession}markHadSession(){this.hadSessionHistory||(this.logger.info("Marked hadSessionHistory = true"),this.hadSessionHistory=true);}clearSessionHistory(){this.logger.info("Cleared session history"),this.hadSessionHistory=false,this.inActiveSession=false;}onNewCredentialsReceived(){this.inActiveSession&&(this.logger.info("New credentials received while in active session - allowing re-registration"),this.inActiveSession=false,this.transition("unregistered","New credentials received"));}onProbeComplete(t){if(this.logger.flow("probe","Probe completed, determining initial state"),this.currentState!=="unknown"){this.logger.warn("Probe called but state is not UNKNOWN",{currentState:this.currentState});return}!!(t.boundWallet||t.refreshId)||this.hadSessionHistory?this.transition("refreshable","Session history found"):this.transition("unregistered","No session history");}onRegisterSuccess(t){this.logger.flow("register","Register succeeded"),this.transition("authenticated","Register succeeded"),this.inActiveSession=true,this.hadSessionHistory=true;}onRegisterFailure(t){this.logger.flow("register",`Register failed: ${t}`);}onRefreshSuccess(t){this.logger.flow("refresh","Refresh succeeded"),this.transition("authenticated","Refresh succeeded"),this.inActiveSession=true;}onRefreshExpired(){this.logger.flow("refresh","Refresh failed: session expired (missing refresh identifier)"),this.transition("expired","Session expired"),this.inActiveSession=false;}onRefreshFailure(t){this.logger.flow("refresh",`Refresh failed: ${t}`);}onTokenExpired(){this.logger.flow("token","Token expired"),this.currentState==="authenticated"&&this.transition("refreshable","Token expired");}onWalletChange(t,r,n){if(this.logger.flow("wallet",`Wallet changed: ${t||"null"} \u2192 ${r||"null"}`),!r){this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;return}x(r,n.boundWallet)?(this.hadSessionHistory=true,this.transition("refreshable","Wallet reconnected with session history")):(this.transition("unregistered","Wallet changed to different address"),this.inActiveSession=false);}onWalletDisconnect(){this.logger.flow("wallet","Wallet disconnected"),this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;}shouldAttemptProbe(){let t=this.currentState==="unknown";return this.logger.decision("Should attempt probe?",t,`State is ${this.currentState}`),t}shouldAttemptRefresh(t){if(this.currentState!=="refreshable"&&this.currentState!=="authenticated")return this.logger.decision("Should attempt refresh?",false,`State is ${this.currentState}, not REFRESHABLE or AUTHENTICATED`),false;if(!(t.boundWallet||t.wallet))return this.logger.decision("Should attempt refresh?",false,"No wallet available (neither boundWallet nor current wallet)"),false;if(t.wallet&&t.boundWallet&&!x(t.wallet,t.boundWallet))return this.logger.decision("Should attempt refresh?",false,"Wallet mismatch"),false;if(t.hasToken&&t.tokenExpiry){let n=Math.floor(Date.now()/1e3);if(t.tokenExpiry-n>5&&this.currentState==="authenticated")return this.logger.decision("Should attempt refresh?",false,"Token still valid"),false}return this.logger.decision("Should attempt refresh?",true,`State is ${this.currentState}, token ${t.hasToken?"present":"missing"}`),true}shouldAttemptRegister(t){return this.inActiveSession?(this.logger.decision("Should attempt register?",false,"Already in active session - proof changes ignored"),false):this.currentState!=="unregistered"&&this.currentState!=="expired"?(this.logger.decision("Should attempt register?",false,`State is ${this.currentState}, not UNREGISTERED or EXPIRED`),false):t.wallet?t.hasProof?t.authenticated&&t.hasToken?(this.logger.decision("Should attempt register?",false,"Already authenticated"),false):(this.logger.decision("Should attempt register?",true,`State is ${this.currentState}, have wallet + proof`),true):(this.logger.decision("Should attempt register?",false,"No proof available"),false):(this.logger.decision("Should attempt register?",false,"No wallet connected"),false)}shouldWaitForInitialRefresh(t,r){return this.currentState!=="refreshable"||t?false:r.wallet&&r.boundWallet&&x(r.wallet,r.boundWallet)?(this.logger.decision("Should wait for initial refresh?",true,"Returning user - let refresh attempt first"),true):false}getStateReport(t){return `
 \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
 \u2502  Session State Machine Report          \u2502
 \u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524
@@ -19,7 +19,7 @@ var yn=Object.defineProperty;var er=e=>{throw TypeError(e)};var gn=(e,t,r)=>t in
 \u2502 Authenticated:    ${String(t.authenticated).padEnd(20)} \u2502
 \u2502 Has Proof:        ${String(t.hasProof).padEnd(20)} \u2502
 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518
-    `.trim()}};var zn=()=>crypto.randomUUID(),$r=e=>{let{clientId:t,wallet:r,base:n="https://api.sunbreak.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:s,refreshDeps:u=[],debug:l}=e,c=yt(n),p=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:d,setBoundWallet:g,setJkt:R,setRefreshId:K,getRefreshId:w,setLastPolicyHash:k,setLastPolicyProof:b,setLastHost:J,setRootJkt:M,setRegisteredProofId:h,ready:f}=It(),{ensureRootKeypair:y,rootPrivRef:C,rootPubJwkRef:D}=Dt(),xe=react.useCallback(async()=>{await y();try{if(!d.rootJkt&&D.current){let re=await $(D.current);M(re);}}catch{}},[y,d.rootJkt,D]),{ensureKeypair:x,rotate:Ue,privRef:Fe,pubJwkRef:qt}=Wt(),[_,X]=react.useState(false),[U,te]=react.useState(0),[le,ae]=react.useState(null),[lt,ut]=react.useState(null),[ft,qr]=react.useState(null),[zr,Xr]=react.useState(null),Yr=react.useRef(null),Zr=react.useRef(null),Qr=react.useRef(null),en=react.useRef(null),tn=react.useRef(null),rn=react.useRef(null),nn=react.useRef(null),on=react.useRef(false),an=react.useRef(false),sn=react.useRef(void 0),Be=react.useRef(false),dt=react.useRef(false),zt=react.useRef(null),ue=react.useRef(null);ue.current||(ue.current=new Promise(re=>{zt.current=re;}));let pt=react.useRef(null),cn=react.useRef(i),ln=react.useRef(null),ye=react.useRef(null);if(!ye.current){let re=l??false;ye.current=new He(t,re);}let Xt=l??false;ye.current&&ye.current.enabled!==Xt&&(ye.current.enabled=Xt);let ht=react.useRef(null);ht.current||(ht.current=new $e);let Ge=react.useRef(null),Yt=react.useRef(null),Ve=react.useRef(null),Zt=()=>Date.now(),un=()=>(Ve.current??0)>0&&Ve.current<Zt(),mt=react.useCallback((re,wn=15e3)=>{let Qt=zn();return Ge.current=Qt,Yt.current=re,Ve.current=Zt()+Math.max(1e3,wn),Qt},[]),fn=react.useCallback(()=>((!Ge.current||un())&&mt("adhoc",1e4),Ge.current),[mt]),wt=react.useRef(null),qe=react.useRef(null);qe.current||(qe.current=new Promise(re=>{wt.current=re;}));let dn=react.useCallback(async()=>{!Be.current&&qe.current&&await qe.current;},[]),pn=react.useCallback(()=>{Be.current||(Be.current=true,wt.current?.(),wt.current=null);},[]),hn=react.useCallback(async()=>{!dt.current&&ue.current&&await ue.current;},[]),mn=react.useCallback(async()=>{!dt.current&&ue.current&&await ue.current,pt.current&&await pt.current;},[]);return {clientId:t,wallet:r,baseUrl:c,fetchImpl:p,timeoutMs:a,providerAdapter:s,refreshDeps:u,ensureKeypair:x,rotate:Ue,ensureRootKeypair:xe,rootPrivRef:C,rootPubJwkRef:D,privRef:Fe,pubJwkRef:qt,meta:d,setBoundWallet:g,setJkt:R,setRefreshId:K,accessTokenRef:Qr,tokenExpRef:en,authenticated:_,setAuthenticated:X,loadingCount:U,setLoadingCount:te,error:le,setError:ae,allowed:lt,setAllowed:ut,sessionExpiry:ft,setSessionExpiry:qr,sessionData:zr,setSessionData:Xr,authWalletRef:Zr,refreshLock:tn,registerLock:rn,sessionLock:nn,didInitialRefresh:on,didInitialSession:an,prevWalletRef:sn,initResolvedRef:dt,initReady:ue,initResolveRef:zt,rotateLock:pt,waitReady:hn,awaitKeyStable:mn,proofRef:cn,registerCooldownUntilRef:Yr,reqIdRef:Ge,flowLabelRef:Yt,flowExpireRef:Ve,beginFlow:mt,currentReqId:fn,awaitProbe:dn,markProbed:pn,hasProbedRef:Be,getRefreshId:w,setLastPolicyHash:k,setLastPolicyProof:b,setLastHost:J,setRootJkt:M,setRegisteredProofId:h,metaReady:f,probeLock:ln,stateMachine:ht.current,logger:ye.current}};var z=e=>e.accessTokenRef.current??null,ee=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},W=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Xn=(e,t)=>`${e.toUpperCase()} ${t}`;async function Oe(e,t,r,n){if(!t)return e.logger.guard("register",false,"No wallet provided"),false;e.logger.flow("register","Starting register flow",{wallet:t});let o=Oe._nonceCacheRef||(Oe._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let a;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let y=await $(e.rootPubJwkRef.current);e.setRootJkt?.(y);}catch{}let h=await $(W(e)),f=await e.getRefreshId();a=await he({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:h,clientId:e.clientId,sid:f||void 0,ttlSec:300});}}catch(h){e.logger.warn("Failed to create PODE for register",h);}let i=e.currentReqId(),s="/auth/register",u=`${e.baseUrl}${s}`,l=new URL(e.baseUrl).origin,c="POST",p=`${l}${s}`,d=Xn(c,p),g=o.map.get(d),R=await V({method:c,url:p,nonce:g,privateKey:ee(e),publicJwk:W(e)}),K=async h=>e.fetchImpl(u,{method:c,headers:{"content-type":"application/json","x-sunbreak-meta":G(e,{reqId:i,pode:a||void 0}),...h},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),w=await K({DPoP:R}),k=h=>{let f=h.headers.get("dpop-nonce");f&&o.map.set(d,f);};if(w.status===401){e.logger.info("Register got 401, retrying with nonce");let h=w.headers.get("www-authenticate"),y=(h&&h.match(/dpop-nonce="([^"]+)"/i))?.[1];if(y){o.map.set(d,y);let C=await V({method:c,url:p,nonce:y,privateKey:ee(e),publicJwk:W(e)});w=await K({DPoP:C});}}if(k(w),e.logger.api(c,s,{status:w.status}),!w.ok){let h=await Le(w);if((w.headers.get("content-type")||"").includes("application/json")){let y;try{y=await w.clone().json();}catch{}let C=Me(y&&(y.error||y.message||y.detail)||`HTTP ${w.status}`);throw me(C,h)}else {let y=h.waf?"Blocked by WAF (403)":h.alb403?"Blocked at origin (ALB 403)":`HTTP ${w.status}`;throw me(y,h)}}let b=await w.json();e.logger.info("Register succeeded",{expiresIn:b.expiresIn,hasRefreshId:!!b.refreshId}),e.accessTokenRef.current=b.access,e.authWalletRef.current=ce(t),e.setAuthenticated(!0);try{let h=Math.floor(Date.now()/1e3);e.tokenExpRef.current=h+(b.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(ce(t)),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await $(W(e)));}catch{}let J=Ke(r);e.setRegisteredProofId(J);try{let h={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:b.refreshId??null,registeredProofId:J};e.setRefreshId(b.refreshId??null);let f=We(e.clientId);await S(f,h);try{localStorage.setItem(f,JSON.stringify(h));}catch(y){e.logger.warn("Failed to persist meta to localStorage",y);}}catch(h){e.logger.warn("Failed to persist session metadata",h);}let M={wallet:t,boundWallet:t,refreshId:b.refreshId??null,hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!0,authenticated:!0};return e.stateMachine.onRegisterSuccess(M),!0}catch(a){let i=a,s=Number(i?.status||0),u=String(i?.code||"").toLowerCase(),l=String(i?.message||"").toLowerCase(),c=Math.floor(Math.random()*1e3);e.logger.error("Register failed",{status:s,code:u,msg:l}),e.stateMachine.onRegisterFailure(`${u||l||"Unknown error"}`);let p=u==="session_exists"||u==="already_authenticated"||l.includes("already")&&(l.includes("session")||l.includes("authenticated")),d=(s===401||s===403)&&u==="replay";if((p||d)&&n?.refreshFallback&&(!e.meta.boundWallet||A(e.meta.boundWallet,t))){e.logger.info("Register failed with recoverable error, attempting refresh fallback",{code:u,isSessionExists:p,isReplay:d});try{if(await n.refreshFallback())return e.logger.info("Refresh fallback succeeded after register failure"),e.meta.boundWallet||e.setBoundWallet(t),!0}catch(R){e.logger.warn("Refresh fallback failed",R);}}if(d){if(e.providerAdapter)try{let g=await e.providerAdapter.getToken()??null;if(g)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Ce(e.providerAdapter,g),e.registerCooldownUntilRef.current=Date.now()+5e3+c,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+c,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+c,false}if(p)return e.setError("Session already exists. Try refreshing the page."),e.registerCooldownUntilRef.current=Date.now()+3e3+c,false;if(s===403&&(i?.waf||i?.alb403))return e.setError(l||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+c,false;if(s===403)return e.setError(u||l||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+c,false;if(s===429||s===503){e.setError(u||l||"Rate limited / unavailable");let g=s===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+g+c,false}return e.setError(u||l||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}}var Yn=(e,t)=>`${e.toUpperCase()} ${t}`;function je(e){if(e.refreshLock.current)return e.logger.guard("refreshLock",false,"Refresh already in progress"),e.refreshLock.current;if(e.registerLock.current){e.logger.guard("registerLock",false,"Registration in progress, waiting");let t=e.registerLock.current.then(()=>{if(e.authenticated&&z(e))return  true;if(z(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return  true}return  false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.logger.flow("refresh","Starting refresh flow"),e.refreshLock.current=(async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe();let t=e.meta.boundWallet||e.wallet;if(!t)return e.logger.warn("No wallet available for refresh (neither boundWallet nor current wallet)"),!1;if(e.wallet&&e.meta.boundWallet&&!A(e.wallet,e.meta.boundWallet))return e.logger.warn("Wallet mismatch during refresh",{current:e.wallet,bound:e.meta.boundWallet}),e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let r=z(e);if(r){let f=e.tokenExpRef.current,y=Math.floor(Date.now()/1e3);if(!!r&&!!f&&f-y>5)return e.logger.info("Token still valid, skipping refresh"),!0}e.beginFlow("refresh",15e3);let n=e.currentReqId();await e.ensureKeypair();let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let C=await $(e.rootPubJwkRef.current);e.setRootJkt?.(C);}catch{}let f=await $(W(e)),y=await e.getRefreshId();o=await he({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:f,clientId:e.clientId,sid:y||void 0,ttlSec:300});}}catch(f){e.logger.warn("Failed to create PODE for refresh",f);}let a="/auth/refresh",i=`${e.baseUrl}${a}`,s=new URL(e.baseUrl).origin,u="POST",l=`${s}${a}`,c=Yn(u,l),p=je._nonceCacheRef||(je._nonceCacheRef={map:new Map}),d=async f=>await V({method:u,url:l,nonce:f,privateKey:ee(e),publicJwk:W(e)}),g=await e.getRefreshId(),R={"x-sunbreak-meta":G(e,{reqId:n,refreshId:g||void 0,pode:o||void 0,wallet:t}),"content-type":"application/json"},K=async f=>e.fetchImpl(i,{method:u,headers:{DPoP:f,...R},credentials:"include",body:"{}"}),w=f=>{let y=f.headers.get("dpop-nonce");y&&p.map.set(c,y);},k=await K(await d(p.map.get(c)));if(k.status===401){e.logger.info("Refresh got 401, retrying with nonce");let f=k.headers.get("www-authenticate"),C=(f&&f.match(/dpop-nonce="([^"]+)"/i))?.[1];C&&(p.map.set(c,C),k=await K(await d(C)));}if(w(k),e.logger.api(u,a,{status:k.status}),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let y=await k.clone().json().catch(()=>{}),C=y&&(y.error||y.code||y.message)||"",D=String(C).toLowerCase();if(D.includes("missing")&&D.includes("refresh")){e.logger.warn("Refresh session expired (missing refresh identifier)"),e.stateMachine.onRefreshExpired();try{e.setRefreshId?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}else e.logger.warn("Refresh failed",{error:C}),e.stateMachine.onRefreshFailure(String(C));}}catch{}return !1}let b=await k.json();e.logger.info("Refresh succeeded",{expiresIn:b.expiresIn,hasRefreshId:!!b.refreshId}),e.accessTokenRef.current=b.access,e.setAuthenticated(!0);let J=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=J?ce(J):null;try{let f=Math.floor(Date.now()/1e3);e.tokenExpRef.current=f+(b.expiresIn??0);}catch{}try{e.setJkt(await $(W(e)));}catch{}b.refreshId&&e.setRefreshId(b.refreshId);let M=f=>!f||f==="null"||f==="undefined"?null:f,h={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:M(b.refreshId??e.meta.refreshId??null),hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!!e.proofRef.current,authenticated:!0};return e.stateMachine.onRefreshSuccess(h),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var Zn=(e,t)=>`${e.toUpperCase()} ${t}`,Mt=new Map,Ne;try{let e=globalThis;Ne=e.__sunbreak_page_probe_guard??(e.__sunbreak_page_probe_guard=new Set);}catch{Ne=new Set;}var Qn=e=>{try{let t=new URL(e.baseUrl).origin;return `${e.clientId}::${t}`}catch{return `${e.clientId}::${e.baseUrl}`}};async function Or(e){let t=Qn(e);if(e.probeLock.current){e.logger.guard("probeLock",false,"Probe already in progress, waiting"),await e.probeLock.current,e.markProbed();return}if(e.hasProbedRef.current){e.logger.guard("hasProbedRef",false,"Already probed in this session"),e.markProbed();return}if(Ne.has(t)){e.logger.guard("pageProbeGuard",false,"Already probed for this page load"),e.markProbed();return}Ne.add(t),e.logger.flow("probe","Starting probe flow",{clientId:e.clientId,pageKey:t});let r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let o;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let w=await $(W(e));o=await he({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:w,clientId:e.clientId,ttlSec:300});}catch(w){e.logger.warn("Failed to create PODE for probe",w);}let a="POST",i="/auth/probe",s=`${e.baseUrl}${i}`,u=`${n}${i}`,l=Zn(a,u),c=async w=>V({method:a,url:u,nonce:w,privateKey:ee(e),publicJwk:W(e)}),p=async w=>e.fetchImpl(s,{method:a,headers:{DPoP:w,"x-sunbreak-meta":G(e,{pode:o}),"content-type":"application/json"},credentials:"include",body:"{}"}),d=w=>{let k=w.headers.get("dpop-nonce");k&&Mt.set(l,k);},g=await p(await c(Mt.get(l)));if(d(g),g.status===401){e.logger.info("Probe got 401, retrying with nonce from www-authenticate");let w=g.headers.get("www-authenticate"),b=(w&&w.match(/dpop-nonce="([^"]+)"/i))?.[1];b&&(Mt.set(l,b),g=await p(await c(b)),d(g));}e.logger.api(a,i,{status:g.status});let R=w=>!w||w==="null"||w==="undefined"?null:w,K={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:R(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated};e.stateMachine.onProbeComplete(K);}catch(o){e.logger.error("Probe failed",o);try{Ne.delete(t);}catch{}}finally{e.markProbed(),e.logger.flow("probe","Probe flow completed");}})();e.probeLock.current=r;try{await r;}finally{e.probeLock.current=null;}}var jr=e=>{let t=react.useCallback(()=>je(e),[e]),r=react.useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a){e.logger.guard("registerCooldown",false,"Cooldown active");return}if(!e.wallet){e.logger.guard("attemptRegister",false,"No wallet");return}if(!e.initResolvedRef.current){e.logger.guard("attemptRegister",false,"Not initialized");return}if(e.refreshLock.current){e.logger.guard("attemptRegister",false,"Refresh in progress");return}if(e.registerLock.current){e.logger.guard("attemptRegister",false,"Register already in progress");return}let i=c=>!c||c==="null"||c==="undefined"?null:c,s={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:i(e.meta.refreshId),hasToken:!!z(e),tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated};if(!e.stateMachine.shouldAttemptRegister(s)){e.logger.guard("attemptRegister",false,`State machine blocked (state: ${e.stateMachine.getState()}, inActiveSession: ${e.stateMachine.isInActiveSession()})`);return}let u=e.proofRef.current;if(!u){e.logger.guard("attemptRegister",false,"No proof available");return}e.logger.guard("attemptRegister",true,"All guards passed, proceeding");let l=(async()=>{try{await e.awaitKeyStable(),await Oe(e,e.wallet,u,{refreshFallback:async()=>{e.logger.info("Attempting refresh as fallback after register failure");let c=!!e.meta.boundWallet;!c&&e.wallet&&e.setBoundWallet(e.wallet);try{return await je(e)}catch{return c||e.setBoundWallet(null),!1}}});}catch(c){let p=c;e.setError(p?.message||String(c)||"Register failed");}finally{e.registerLock.current=null;}})();e.registerLock.current=l;},[e]),n=react.useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Ce(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a,i)=>Oe(e,o,a,i),attemptRegister:r,setProofFromAdapterToken:n}};var eo=(e,t)=>`${e.toUpperCase()} ${t}`;async function st(e,t,r,n,o,a={}){e.setLoadingCount(l=>l+1),e.setError(null);let i=n.startsWith("/api/session"),s=new AbortController,u=setTimeout(()=>s.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let c=`${i?bt(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,d=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,g=eo(r,d),R=n.startsWith("/auth/"),K=!1,w=!1,k=e.currentReqId(),b=st._nonceCacheRef||(st._nonceCacheRef={map:new Map}),J=_=>{let X=_.headers.get("dpop-nonce");X&&b.map.set(g,X);},M=!!e.wallet&&!!e.authWalletRef.current&&!A(e.wallet,e.authWalletRef.current),h=()=>R||!e.wallet?!1:!!(e.authenticated||A(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),f,y,C=async()=>{if(R||M)return;try{let le=z(e),ae=e.tokenExpRef.current,lt=Math.floor(Date.now()/1e3),ut=!!ae&&ae-lt<=60;if(le){if(ut&&!await t().catch(()=>!1))return}else if(!h()||!await t().catch(()=>!1))return}catch{}let _=z(e);if(!_)return;let X=await nt(_),U=b.map.get(g),te=await V({method:r,url:d,nonce:U,ath:X,privateKey:ee(e),publicJwk:W(e)});f=`Bearer ${e.accessTokenRef.current}`,y=te;};await C();let D={"content-type":"application/json","x-sunbreak-auth":f||"","x-sunbreak-meta":G(e,{reqId:k,auth:f,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...St(a.headers)};y&&(D.DPoP=y);let xe=async()=>e.fetchImpl(c,{...a,method:r,headers:D,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:s.signal}),x=await xe(),Ue=x.headers.get("x-sunbreak-policy-hash"),Fe=x.headers.get("x-sunbreak-policy-proof");if(Ue&&e.setLastPolicyHash(Ue),Fe&&e.setLastPolicyProof(Fe),J(x),x.status===401&&!R){let _=z(e),X=x.headers.get("www-authenticate"),te=(X&&X.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!M&&te&&_&&!w){w=!0,b.map.set(g,te);let le=await nt(_),ae=await V({method:r,url:d,nonce:te,ath:le,privateKey:ee(e),publicJwk:W(e)});f=`Bearer ${e.accessTokenRef.current}`,y=ae,D["x-sunbreak-meta"]=G(e,{reqId:k,auth:f}),D.DPoP=y,x=await xe(),J(x);}if(x.status===401&&!K&&(K=!0,!M&&h())){let le=await t(),ae=z(e);le&&ae&&!M&&(await C(),D["x-sunbreak-meta"]=G(e,{reqId:k,auth:f}),y&&(D.DPoP=y),x=await xe(),J(x));}if(x.status===401)throw new Error("Unauthorized")}if(!x.ok){let _=await Le(x);if((x.headers.get("content-type")||"").includes("application/json")){let U=await x.json().catch(()=>{}),te=Me(U&&(U.error||U.message||U.detail)||`HTTP ${x.status}`);throw me(te,_)}else {let U=_.waf?"Blocked by WAF (403)":_.alb403?"Blocked at origin (ALB 403)":`HTTP ${x.status}`;throw me(U,_)}}return (x.headers.get("content-type")||"").includes("application/json")?await x.json():void 0}finally{clearTimeout(u),e.setLoadingCount(l=>Math.max(0,l-1));}}var Nr=(e,t)=>react.useCallback(async(r,n,o,a={})=>st(e,t,r,n,o,a),[e,t]);async function Ur(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(ce(n));}return r}var Fr=(e,t)=>({session:react.useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&!A(e.wallet,e.meta.boundWallet)))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await Ur(e,t)}catch(n){throw e.logger.error("Session request failed",n),n}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t])});var ct=e=>(e.registerCooldownUntilRef.current??0)>Date.now(),Br=e=>{if(!e)return null;let t=e.indexOf(":");return t>0?e.slice(0,t):null},no=e=>!e||e==="null"||e==="undefined"?null:e,N=e=>({wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:no(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated});var Ht=e=>{react.useEffect(()=>{if(!e.metaReady)return;let t=true;return (async()=>{try{if(await e.waitReady(),!t||(await e.awaitKeyStable(),!t)||(await e.ensureRootKeypair(),!t))return;let r=N(e);e.stateMachine.initialize(r),await Or(e);}catch(r){if(!t)return;e.logger.error("Probe initialization failed",r);}})(),()=>{t=false;}},[e.metaReady]);};var $t=e=>{react.useEffect(()=>{let t=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==t&&e.hasProbedRef.current&&!e.refreshLock.current&&(e.didInitialRefresh.current=false),!e.wallet){e.logger.flow("wallet","Wallet disconnected"),e.stateMachine.onWalletDisconnect(),e.setAllowed(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.hasProbedRef.current&&!e.refreshLock.current&&(e.didInitialRefresh.current=false);return}if(t&&e.wallet&&t!==e.wallet){e.logger.flow("wallet",`Wallet changed: ${t} \u2192 ${e.wallet}`);let r=N(e);e.stateMachine.onWalletChange(t,e.wallet,r),e.proofRef.current=null,e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.rotateLock.current=(async()=>{await e.rotate();})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;});}if(!t&&e.wallet){if(e.logger.flow("wallet",`Wallet connected: ${e.wallet}`),e.didInitialSession.current=false,!e.metaReady){e.logger.info("Wallet connected but meta not ready, deferring state machine update");return}let r=N(e);e.stateMachine.onWalletChange(null,e.wallet,r);}},[e.wallet,e.metaReady]);};var Ot=(e,t)=>{let{attemptRegister:r,setProofFromAdapterToken:n}=t;react.useEffect(()=>{if(!e.providerAdapter||ct(e)||!e.metaReady||!e.wallet)return;let o=N(e);if(e.stateMachine.isInActiveSession()){e.logger.decision("Provider adapter should trigger register?",false,`Already in active session (state: ${e.stateMachine.getState()})`);return}if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,o)){e.logger.decision("Provider adapter should wait for initial refresh?",true,"Returning user - refresh first");return}e.logger.decision("Provider adapter should trigger register?",true,`Fetching token (state: ${e.stateMachine.getState()})`);let a=false;return (async()=>{try{let i=e.providerAdapter.getToken(),s=new Promise((l,c)=>setTimeout(()=>c(new Error("Provider adapter timeout (30s)")),3e4)),u=await Promise.race([i,s]).catch(l=>(e.logger.warn("Provider adapter getToken failed",l),null))??null;if(await e.awaitKeyStable(),a||!u)return;try{let l=u.split(".");if(l[1]){let c=JSON.parse(atob(l[1]));e.logger.info("Provider adapter: got token",{wallet:e.wallet,jwtSub:c.sub,jwtWallet:c.wallet||c.linked_accounts?.[0]?.address,jwtExp:c.exp,jwtIat:c.iat});}}catch{e.logger.info("Provider adapter: got token (could not decode)");}await n(u),await r();}catch(i){e.logger.error("Provider adapter flow failed",i);}})(),()=>{a=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef,e.didInitialRefresh,...e.refreshDeps]);};var jt=(e,t)=>{let{proofProp:r,attemptRegister:n}=t;react.useEffect(()=>{if(typeof r<"u"&&(e.proofRef.current=r??null,r&&e.logger.info("Proof prop updated",{hasProof:!!r})),!e.metaReady)return;let o=N(e),a=!!e.wallet,i=!!e.proofRef.current,s=false,u=e.proofRef.current?.method,l=u==="siwe"||u==="eip191";if(i&&e.stateMachine.isInActiveSession())if(l){let p=Ke(e.proofRef.current),d=e.meta.registeredProofId;if(p&&d){let g=Br(d),R=g==="siwe"||g==="eip191";if(R&&p!==d)e.logger.info("Proof prop: SIWE/EIP191 credentials changed, allowing re-registration",{old:d,new:p}),e.stateMachine.onNewCredentialsReceived(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,s=true;else if(R){e.logger.decision("Proof prop should trigger register?",false,"Already authenticated with same SIWE/EIP191 credentials");return}else e.logger.info("Proof prop: switching from provider JWT to SIWE/EIP191, allowing re-registration",{old:d,new:p}),e.stateMachine.onNewCredentialsReceived(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,s=true;}}else {e.logger.decision("Proof prop should trigger register?",false,`Already in active session, no credential change detection for ${u}`);return}let c=s?N(e):o;if(!e.stateMachine.shouldAttemptRegister(c)){e.logger.decision("Proof prop should trigger register?",false,`State machine says no (state: ${e.stateMachine.getState()}, inActiveSession: ${e.stateMachine.isInActiveSession()})`);return}if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,c)){e.logger.decision("Proof prop should wait for initial refresh?",true,"Returning user - refresh first");return}a&&i&&e.initResolvedRef.current&&!ct(e)&&(e.logger.info("Proof prop conditions met, attempting register"),n());},[r,e.wallet,e.authenticated,e.meta.boundWallet,e.meta.registeredProofId,e.metaReady,e.providerAdapter,e.initResolvedRef,e.didInitialRefresh,n]);};var Nt=(e,t)=>{let{refresh:r,session:n}=t;react.useEffect(()=>{if(!e.metaReady||e.didInitialRefresh.current)return;e.didInitialRefresh.current=true;let o=true;return (async()=>{try{await e.waitReady(),await e.awaitProbe();let a=N(e);if(e.accessTokenRef.current||e.authenticated){e.logger.info("Already authenticated, skipping initial refresh"),e.wallet&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}if(!e.stateMachine.shouldAttemptRefresh(a)){e.logger.decision("Should attempt initial refresh?",!1,`State: ${e.stateMachine.getState()}`);return}e.logger.decision("Should attempt initial refresh?",!0,`State: ${e.stateMachine.getState()}`);let s=await r();if(!o)return;e.setAuthenticated(s),s&&e.wallet&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(a){if(!o)return;let i=a;e.setAuthenticated(false),e.setError(i?.message||String(a)||"Unknown error");}})(),()=>{o=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,e.didInitialRefresh,r,n]);};var Ut=e=>{react.useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&!A(e.meta.boundWallet,e.wallet)&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]);};var Ft=(e,t)=>{let{session:r}=t;react.useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&e.accessTokenRef.current&&!(e.meta.boundWallet&&!A(e.wallet,e.meta.boundWallet))&&!e.didInitialSession.current){e.didInitialSession.current=true;try{e.logger.flow("session","Calling session after authentication"),await r();}catch(n){let o=n;e.setError(o?.message||String(n));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,r]);};var Bt=e=>{react.useEffect(()=>{e.wallet&&e.authWalletRef.current&&!A(e.wallet,e.authWalletRef.current)&&(e.logger.warn("Wallet mismatch detected, clearing auth",{current:e.wallet,authWallet:e.authWalletRef.current}),e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]);};var Gt=(e,t)=>{let{refresh:r,session:n}=t;react.useEffect(()=>{let i=()=>{let l=Math.floor(Date.now()/1e3),c=e.tokenExpRef.current,p=e.sessionExpiry,d=!!c&&c-l<=30&&c-l>0,g=!!p&&p-l<=3600&&p-l>0;return {tokenSoon:d,sessionSoon:g}},s=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&!A(e.wallet,e.meta.boundWallet))return;let{tokenSoon:l,sessionSoon:c}=i();(l||c)&&(e.logger.info("Refreshing on focus",{tokenSoon:l,sessionSoon:c}),await r()&&c&&await n());}catch{}},u=async()=>{document.visibilityState==="visible"&&await s();};return window.addEventListener("focus",s),document.addEventListener("visibilitychange",u),()=>{window.removeEventListener("focus",s),document.removeEventListener("visibilitychange",u);}},[e,e.sessionExpiry,r,n]);};var Gr=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;Ht(e),$t(e),Ot(e,{attemptRegister:o,setProofFromAdapterToken:a}),jt(e,{proofProp:i,attemptRegister:o}),Nt(e,{refresh:r,session:n}),Ut(e),Ft(e,{session:n}),Bt(e),Gt(e,{refresh:r,session:n});};var Vr=react.createContext(void 0),yo=e=>{let t=$r(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=jr(t),a=Nr(t,r),{session:i}=Fr(t,a);Gr(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let s=react.useMemo(()=>({get:(u,l)=>a("GET",u,void 0,l),post:(u,l,c)=>a("POST",u,l,c),session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,wallet:t.wallet}),[a,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.sessionExpiry,t.sessionData,t.wallet]);return jsxRuntime.jsx(Vr.Provider,{value:s,children:e.children})},go=e=>jsxRuntime.jsx(Ct,{clientId:e.clientId,children:jsxRuntime.jsx(yo,{...e})}),bo=()=>{let e=react.useContext(Vr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
+    `.trim()}};var Yn=()=>crypto.randomUUID(),$r=e=>{let{clientId:t,wallet:r,base:n="https://api.sunbreak.com",fetchImpl:a,timeoutMs:i=15e3,proof:o=null,providerAdapter:s,refreshDeps:u=[],debug:l}=e,c=yt(n),p=typeof window<"u"?(a??fetch).bind(window):a??fetch,{meta:d,setBoundWallet:w,setJkt:b,setRefreshId:v,getRefreshId:g,setLastPolicyHash:k,setLastPolicyProof:S,setLastHost:J,setRootJkt:M,setRegisteredProofId:h,ready:f}=Tt(),{ensureRootKeypair:y,rootPrivRef:C,rootPubJwkRef:D}=_t(),Ke=react.useCallback(async()=>{await y();try{if(!d.rootJkt&&D.current){let re=await $(D.current);M(re);}}catch{}},[y,d.rootJkt,D]),{ensureKeypair:K,rotate:Ue,privRef:Fe,pubJwkRef:qt}=Jt(),[_,X]=react.useState(false),[U,te]=react.useState(0),[le,ae]=react.useState(null),[ut,ft]=react.useState(null),[dt,Xr]=react.useState(null),[Yr,Zr]=react.useState(null),Qr=react.useRef(null),en=react.useRef(null),tn=react.useRef(null),rn=react.useRef(null),nn=react.useRef(null),on=react.useRef(null),an=react.useRef(null),sn=react.useRef(false),cn=react.useRef(false),ln=react.useRef(void 0),Be=react.useRef(false),pt=react.useRef(false),zt=react.useRef(null),ue=react.useRef(null);ue.current||(ue.current=new Promise(re=>{zt.current=re;}));let ht=react.useRef(null),un=react.useRef(o),fn=react.useRef(null),ge=react.useRef(null);if(!ge.current){let re=l??false;ge.current=new He(t,re);}let Xt=l??false;ge.current&&ge.current.enabled!==Xt&&(ge.current.enabled=Xt);let mt=react.useRef(null);mt.current||(mt.current=new $e);let Ge=react.useRef(null),Yt=react.useRef(null),Ve=react.useRef(null),Zt=()=>Date.now(),dn=()=>(Ve.current??0)>0&&Ve.current<Zt(),wt=react.useCallback((re,yn=15e3)=>{let Qt=Yn();return Ge.current=Qt,Yt.current=re,Ve.current=Zt()+Math.max(1e3,yn),Qt},[]),pn=react.useCallback(()=>((!Ge.current||dn())&&wt("adhoc",1e4),Ge.current),[wt]),gt=react.useRef(null),qe=react.useRef(null);qe.current||(qe.current=new Promise(re=>{gt.current=re;}));let hn=react.useCallback(async()=>{!Be.current&&qe.current&&await qe.current;},[]),mn=react.useCallback(()=>{Be.current||(Be.current=true,gt.current?.(),gt.current=null);},[]),wn=react.useCallback(async()=>{!pt.current&&ue.current&&await ue.current;},[]),gn=react.useCallback(async()=>{!pt.current&&ue.current&&await ue.current,ht.current&&await ht.current;},[]);return {clientId:t,wallet:r,baseUrl:c,fetchImpl:p,timeoutMs:i,providerAdapter:s,refreshDeps:u,ensureKeypair:K,rotate:Ue,ensureRootKeypair:Ke,rootPrivRef:C,rootPubJwkRef:D,privRef:Fe,pubJwkRef:qt,meta:d,setBoundWallet:w,setJkt:b,setRefreshId:v,accessTokenRef:tn,tokenExpRef:rn,authenticated:_,setAuthenticated:X,loadingCount:U,setLoadingCount:te,error:le,setError:ae,allowed:ut,setAllowed:ft,sessionExpiry:dt,setSessionExpiry:Xr,sessionData:Yr,setSessionData:Zr,authWalletRef:en,refreshLock:nn,registerLock:on,sessionLock:an,didInitialRefresh:sn,didInitialSession:cn,prevWalletRef:ln,initResolvedRef:pt,initReady:ue,initResolveRef:zt,rotateLock:ht,waitReady:wn,awaitKeyStable:gn,proofRef:un,registerCooldownUntilRef:Qr,reqIdRef:Ge,flowLabelRef:Yt,flowExpireRef:Ve,beginFlow:wt,currentReqId:pn,awaitProbe:hn,markProbed:mn,hasProbedRef:Be,getRefreshId:g,setLastPolicyHash:k,setLastPolicyProof:S,setLastHost:J,setRootJkt:M,setRegisteredProofId:h,metaReady:f,probeLock:fn,stateMachine:mt.current,logger:ge.current}};var z=e=>e.accessTokenRef.current??null,ee=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},W=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Zn=(e,t)=>`${e.toUpperCase()} ${t}`;async function Oe(e,t,r,n){if(!t)return e.logger.guard("register",false,"No wallet provided"),false;if(!e.clientId)return e.logger.guard("register",false,"No client ID configured"),e.setError("Missing client ID. Please configure a valid client ID."),false;e.logger.flow("register","Starting register flow",{wallet:t});let a=Oe._nonceCacheRef||(Oe._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let i;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let y=await $(e.rootPubJwkRef.current);e.setRootJkt?.(y);}catch{}let h=await $(W(e)),f=await e.getRefreshId();i=await he({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:h,clientId:e.clientId,sid:f||void 0,ttlSec:300});}}catch(h){e.logger.warn("Failed to create PODE for register",h);}let o=e.currentReqId(),s="/auth/register",u=`${e.baseUrl}${s}`,l=new URL(e.baseUrl).origin,c="POST",p=`${l}${s}`,d=Zn(c,p),w=a.map.get(d),b=await V({method:c,url:p,nonce:w,privateKey:ee(e),publicJwk:W(e)}),v=async h=>e.fetchImpl(u,{method:c,headers:{"content-type":"application/json","x-sunbreak-meta":G(e,{reqId:o,pode:i||void 0,wallet:t}),...h},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),g=await v({DPoP:b}),k=h=>{let f=h.headers.get("dpop-nonce");f&&a.map.set(d,f);};if(g.status===401){e.logger.info("Register got 401, retrying with nonce");let h=g.headers.get("www-authenticate"),y=(h&&h.match(/dpop-nonce="([^"]+)"/i))?.[1];if(y){a.map.set(d,y);let C=await V({method:c,url:p,nonce:y,privateKey:ee(e),publicJwk:W(e)});g=await v({DPoP:C});}}if(k(g),e.logger.api(c,s,{status:g.status}),!g.ok){let h=await Le(g);if((g.headers.get("content-type")||"").includes("application/json")){let y;try{y=await g.clone().json();}catch{}let C=Me(y&&(y.error||y.message||y.detail)||`HTTP ${g.status}`);throw me(C,h)}else {let y=h.waf?"Blocked by WAF (403)":h.alb403?"Blocked at origin (ALB 403)":`HTTP ${g.status}`;throw me(y,h)}}let S=await g.json();e.logger.info("Register succeeded",{expiresIn:S.expiresIn,hasRefreshId:!!S.refreshId}),e.accessTokenRef.current=S.access,e.authWalletRef.current=ce(t),e.setAuthenticated(!0);try{let h=Math.floor(Date.now()/1e3);e.tokenExpRef.current=h+(S.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(ce(t)),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await $(W(e)));}catch{}let J=Ce(r);e.setRegisteredProofId(J);try{let h={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:S.refreshId??null,registeredProofId:J};e.setRefreshId(S.refreshId??null);let f=We(e.clientId);await R(f,h);try{localStorage.setItem(f,JSON.stringify(h));}catch(y){e.logger.warn("Failed to persist meta to localStorage",y);}}catch(h){e.logger.warn("Failed to persist session metadata",h);}let M={wallet:t,boundWallet:t,refreshId:S.refreshId??null,hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!0,authenticated:!0};return e.stateMachine.onRegisterSuccess(M),!0}catch(i){let o=i,s=Number(o?.status||0),u=String(o?.code||"").toLowerCase(),l=String(o?.message||"").toLowerCase(),c=Math.floor(Math.random()*1e3);e.logger.error("Register failed",{status:s,code:u,msg:l}),e.stateMachine.onRegisterFailure(`${u||l||"Unknown error"}`);let p=u==="session_exists"||u==="already_authenticated"||l.includes("already")&&(l.includes("session")||l.includes("authenticated")),d=(s===401||s===403)&&u==="replay";if((p||d)&&n?.refreshFallback&&(!e.meta.boundWallet||x(e.meta.boundWallet,t))){e.logger.info("Register failed with recoverable error, attempting refresh fallback",{code:u,isSessionExists:p,isReplay:d});try{if(await n.refreshFallback())return e.logger.info("Refresh fallback succeeded after register failure"),e.meta.boundWallet||e.setBoundWallet(t),!0}catch(v){e.logger.warn("Refresh fallback failed",v);}}if(d){if(e.providerAdapter)try{let b=await e.providerAdapter.getToken()??null;if(b)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await ye(e.providerAdapter,b),e.registerCooldownUntilRef.current=Date.now()+5e3+c,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+c,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+c,false}if(p)return e.setError("Session already exists. Try refreshing the page."),e.registerCooldownUntilRef.current=Date.now()+3e3+c,false;if(u==="siwe_invalid"||u==="eip191_invalid"||u==="ed25519_invalid"||u==="sig_wallet_mismatch"||l.includes("invalid")&&l.includes("signature")){if(e.logger.warn("Proof invalid for wallet, clearing proof",{code:u,msg:l}),e.proofRef.current=null,e.providerAdapter)try{let b=await e.providerAdapter.getToken()??null;if(b)return e.proofRef.current=await ye(e.providerAdapter,b),e.registerCooldownUntilRef.current=Date.now()+3e3+c,!1}catch{}return e.setError("Proof doesn't match wallet. Please sign again."),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}if(s===403&&(o?.waf||o?.alb403))return e.setError(l||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+c,false;if(s===403)return e.setError(u||l||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+c,false;if(s===429||s===503){e.setError(u||l||"Rate limited / unavailable");let b=s===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+b+c,false}return e.setError(u||l||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}}var Qn=(e,t)=>`${e.toUpperCase()} ${t}`;function je(e){if(e.refreshLock.current)return e.logger.guard("refreshLock",false,"Refresh already in progress"),e.refreshLock.current;if(e.registerLock.current){e.logger.guard("registerLock",false,"Registration in progress, waiting");let t=e.registerLock.current.then(()=>{if(e.authenticated&&z(e))return  true;if(z(e)){let n=e.tokenExpRef.current,a=Math.floor(Date.now()/1e3);if(!!n&&n-a>5)return  true}return  false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.logger.flow("refresh","Starting refresh flow"),e.refreshLock.current=(async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe();let t=e.meta.boundWallet||e.wallet;if(!t)return e.logger.warn("No wallet available for refresh (neither boundWallet nor current wallet)"),!1;if(!e.clientId)return e.logger.warn("No client ID configured for refresh"),e.setError("Missing client ID. Please configure a valid client ID."),!1;if(e.wallet&&e.meta.boundWallet&&!x(e.wallet,e.meta.boundWallet))return e.logger.warn("Wallet mismatch during refresh",{current:e.wallet,bound:e.meta.boundWallet}),e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let r=z(e);if(r){let f=e.tokenExpRef.current,y=Math.floor(Date.now()/1e3);if(!!r&&!!f&&f-y>5)return e.logger.info("Token still valid, skipping refresh"),!0}e.beginFlow("refresh",15e3);let n=e.currentReqId();await e.ensureKeypair();let a;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let C=await $(e.rootPubJwkRef.current);e.setRootJkt?.(C);}catch{}let f=await $(W(e)),y=await e.getRefreshId();a=await he({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:f,clientId:e.clientId,sid:y||void 0,ttlSec:300});}}catch(f){e.logger.warn("Failed to create PODE for refresh",f);}let i="/auth/refresh",o=`${e.baseUrl}${i}`,s=new URL(e.baseUrl).origin,u="POST",l=`${s}${i}`,c=Qn(u,l),p=je._nonceCacheRef||(je._nonceCacheRef={map:new Map}),d=async f=>await V({method:u,url:l,nonce:f,privateKey:ee(e),publicJwk:W(e)}),w=await e.getRefreshId(),b={"x-sunbreak-meta":G(e,{reqId:n,refreshId:w||void 0,pode:a||void 0,wallet:t}),"content-type":"application/json"},v=async f=>e.fetchImpl(o,{method:u,headers:{DPoP:f,...b},credentials:"include",body:"{}"}),g=f=>{let y=f.headers.get("dpop-nonce");y&&p.map.set(c,y);},k=await v(await d(p.map.get(c)));if(k.status===401){e.logger.info("Refresh got 401, retrying with nonce");let f=k.headers.get("www-authenticate"),C=(f&&f.match(/dpop-nonce="([^"]+)"/i))?.[1];C&&(p.map.set(c,C),k=await v(await d(C)));}if(g(k),e.logger.api(u,i,{status:k.status}),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let y=await k.clone().json().catch(()=>{}),C=y&&(y.error||y.code||y.message)||"",D=String(C).toLowerCase();if(D.includes("missing")&&D.includes("refresh")){e.logger.warn("Refresh session expired (missing refresh identifier)"),e.stateMachine.onRefreshExpired();try{e.setRefreshId?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}else e.logger.warn("Refresh failed",{error:C}),e.stateMachine.onRefreshFailure(String(C));}}catch{}return !1}let S=await k.json();e.logger.info("Refresh succeeded",{expiresIn:S.expiresIn,hasRefreshId:!!S.refreshId}),e.accessTokenRef.current=S.access,e.setAuthenticated(!0);let J=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=J?ce(J):null;try{let f=Math.floor(Date.now()/1e3);e.tokenExpRef.current=f+(S.expiresIn??0);}catch{}try{e.setJkt(await $(W(e)));}catch{}S.refreshId&&e.setRefreshId(S.refreshId);let M=f=>!f||f==="null"||f==="undefined"?null:f,h={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:M(S.refreshId??e.meta.refreshId??null),hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!!e.proofRef.current,authenticated:!0};return e.stateMachine.onRefreshSuccess(h),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var eo=(e,t)=>`${e.toUpperCase()} ${t}`,Lt=new Map,Ne;try{let e=globalThis;Ne=e.__sunbreak_page_probe_guard??(e.__sunbreak_page_probe_guard=new Set);}catch{Ne=new Set;}var to=e=>{try{let t=new URL(e.baseUrl).origin;return `${e.clientId}::${t}`}catch{return `${e.clientId}::${e.baseUrl}`}};async function Or(e){let t=to(e);if(e.probeLock.current){e.logger.guard("probeLock",false,"Probe already in progress, waiting"),await e.probeLock.current,e.markProbed();return}if(e.hasProbedRef.current){e.logger.guard("hasProbedRef",false,"Already probed in this session"),e.markProbed();return}if(Ne.has(t)){e.logger.guard("pageProbeGuard",false,"Already probed for this page load"),e.markProbed();return}if(Ne.add(t),!e.clientId){e.logger.warn("No client ID configured, skipping probe"),e.markProbed();return}e.logger.flow("probe","Starting probe flow",{clientId:e.clientId,pageKey:t});let r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let a;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let g=await $(W(e));a=await he({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:g,clientId:e.clientId,ttlSec:300});}catch(g){e.logger.warn("Failed to create PODE for probe",g);}let i="POST",o="/auth/probe",s=`${e.baseUrl}${o}`,u=`${n}${o}`,l=eo(i,u),c=async g=>V({method:i,url:u,nonce:g,privateKey:ee(e),publicJwk:W(e)}),p=async g=>e.fetchImpl(s,{method:i,headers:{DPoP:g,"x-sunbreak-meta":G(e,{pode:a}),"content-type":"application/json"},credentials:"include",body:"{}"}),d=g=>{let k=g.headers.get("dpop-nonce");k&&Lt.set(l,k);},w=await p(await c(Lt.get(l)));if(d(w),w.status===401){e.logger.info("Probe got 401, retrying with nonce from www-authenticate");let g=w.headers.get("www-authenticate"),S=(g&&g.match(/dpop-nonce="([^"]+)"/i))?.[1];S&&(Lt.set(l,S),w=await p(await c(S)),d(w));}e.logger.api(i,o,{status:w.status});let b=g=>!g||g==="null"||g==="undefined"?null:g,v={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:b(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated};e.stateMachine.onProbeComplete(v);}catch(a){e.logger.error("Probe failed",a);try{Ne.delete(t);}catch{}}finally{e.markProbed(),e.logger.flow("probe","Probe flow completed");}})();e.probeLock.current=r;try{await r;}finally{e.probeLock.current=null;}}var jr=e=>{let t=react.useRef(e);t.current=e;let r=react.useCallback(()=>je(t.current),[]),n=react.useCallback(async()=>{let o=t.current,s=Date.now(),u=o.registerCooldownUntilRef.current??0;if(s<u){o.logger.guard("registerCooldown",false,"Cooldown active");return}if(!o.wallet){o.logger.guard("attemptRegister",false,"No wallet");return}if(!o.initResolvedRef.current){o.logger.guard("attemptRegister",false,"Not initialized");return}if(o.refreshLock.current){o.logger.guard("attemptRegister",false,"Refresh in progress");return}if(o.registerLock.current){o.logger.guard("attemptRegister",false,"Register already in progress");return}let l=w=>!w||w==="null"||w==="undefined"?null:w,c={wallet:o.wallet||null,boundWallet:o.meta.boundWallet||null,refreshId:l(o.meta.refreshId),hasToken:!!z(o),tokenExpiry:o.tokenExpRef.current||null,hasProof:!!o.proofRef.current,authenticated:o.authenticated};if(!o.stateMachine.shouldAttemptRegister(c)){o.logger.guard("attemptRegister",false,`State machine blocked (state: ${o.stateMachine.getState()}, inActiveSession: ${o.stateMachine.isInActiveSession()})`);return}let p=o.proofRef.current;if(!p){o.logger.guard("attemptRegister",false,"No proof available");return}o.logger.guard("attemptRegister",true,"All guards passed, proceeding");let d=(async()=>{try{await o.awaitKeyStable(),await Oe(o,o.wallet,p,{refreshFallback:async()=>{o.logger.info("Attempting refresh as fallback after register failure");let w=!!o.meta.boundWallet;!w&&o.wallet&&o.setBoundWallet(o.wallet);try{return await je(o)}catch{return w||o.setBoundWallet(null),!1}}});}catch(w){let b=w;o.setError(b?.message||String(w)||"Register failed");}finally{o.registerLock.current=null;}})();o.registerLock.current=d;},[]),a=react.useCallback(async o=>{let s=t.current,u=()=>(s.registerCooldownUntilRef.current??0)>Date.now();if(!s.providerAdapter||u())return;let l=await ye(s.providerAdapter,o);s.proofRef.current=l;},[]),i=react.useCallback((o,s,u)=>Oe(t.current,o,s,u),[]);return {refresh:r,register:i,attemptRegister:n,setProofFromAdapterToken:a}};var no=(e,t)=>`${e.toUpperCase()} ${t}`;async function ct(e,t,r,n,a,i={}){e.setLoadingCount(l=>l+1),e.setError(null);let o=n.startsWith("/api/session"),s=new AbortController,u=setTimeout(()=>s.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let c=`${o?St(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,d=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,w=no(r,d),b=n.startsWith("/auth/"),v=!1,g=!1,k=e.currentReqId(),S=ct._nonceCacheRef||(ct._nonceCacheRef={map:new Map}),J=_=>{let X=_.headers.get("dpop-nonce");X&&S.map.set(w,X);},M=!!e.wallet&&!!e.authWalletRef.current&&!x(e.wallet,e.authWalletRef.current),h=()=>b||!e.wallet?!1:!!(e.authenticated||x(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),f,y,C=async()=>{if(b||M)return;try{let le=z(e),ae=e.tokenExpRef.current,ut=Math.floor(Date.now()/1e3),ft=!!ae&&ae-ut<=60;if(le){if(ft&&!await t().catch(()=>!1))return}else if(!h()||!await t().catch(()=>!1))return}catch{}let _=z(e);if(!_)return;let X=await nt(_),U=S.map.get(w),te=await V({method:r,url:d,nonce:U,ath:X,privateKey:ee(e),publicJwk:W(e)});f=`Bearer ${e.accessTokenRef.current}`,y=te;};await C();let D={"content-type":"application/json","x-sunbreak-auth":f||"","x-sunbreak-meta":G(e,{reqId:k,auth:f,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...Rt(i.headers)};y&&(D.DPoP=y);let Ke=async()=>e.fetchImpl(c,{...i,method:r,headers:D,body:a!==void 0?JSON.stringify(a):void 0,credentials:"include",signal:s.signal}),K=await Ke(),Ue=K.headers.get("x-sunbreak-policy-hash"),Fe=K.headers.get("x-sunbreak-policy-proof");if(Ue&&e.setLastPolicyHash(Ue),Fe&&e.setLastPolicyProof(Fe),J(K),K.status===401&&!b){let _=z(e),X=K.headers.get("www-authenticate"),te=(X&&X.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!M&&te&&_&&!g){g=!0,S.map.set(w,te);let le=await nt(_),ae=await V({method:r,url:d,nonce:te,ath:le,privateKey:ee(e),publicJwk:W(e)});f=`Bearer ${e.accessTokenRef.current}`,y=ae,D["x-sunbreak-meta"]=G(e,{reqId:k,auth:f}),D.DPoP=y,K=await Ke(),J(K);}if(K.status===401&&!v&&(v=!0,!M&&h())){let le=await t(),ae=z(e);le&&ae&&!M&&(await C(),D["x-sunbreak-meta"]=G(e,{reqId:k,auth:f}),y&&(D.DPoP=y),K=await Ke(),J(K));}if(K.status===401)throw new Error("Unauthorized")}if(!K.ok){let _=await Le(K);if((K.headers.get("content-type")||"").includes("application/json")){let U=await K.json().catch(()=>{}),te=Me(U&&(U.error||U.message||U.detail)||`HTTP ${K.status}`);throw me(te,_)}else {let U=_.waf?"Blocked by WAF (403)":_.alb403?"Blocked at origin (ALB 403)":`HTTP ${K.status}`;throw me(U,_)}}return (K.headers.get("content-type")||"").includes("application/json")?await K.json():void 0}finally{clearTimeout(u),e.setLoadingCount(l=>Math.max(0,l-1));}}var Ur=(e,t)=>{let r=react.useRef(e),n=react.useRef(t);return r.current=e,n.current=t,react.useCallback(async(a,i,o,s={})=>ct(r.current,n.current,a,i,o,s),[])};async function Fr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(ce(n));}return r}var Gr=(e,t)=>{let r=react.useRef(e),n=react.useRef(t);return r.current=e,n.current=t,{session:react.useCallback(async()=>{let i=r.current,o=n.current;if(i.wallet&&!(i.meta.boundWallet&&!x(i.wallet,i.meta.boundWallet)))return i.sessionLock.current||(i.sessionLock.current=(async()=>{try{return await Fr(i,o)}catch(s){throw i.logger.error("Session request failed",s),s}finally{i.sessionLock.current=null;}})()),i.sessionLock.current},[])}};var lt=e=>(e.registerCooldownUntilRef.current??0)>Date.now(),Vr=e=>{if(!e)return null;let t=e.indexOf(":");return t>0?e.slice(0,t):null},io=e=>!e||e==="null"||e==="undefined"?null:e,N=e=>({wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:io(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated});var Ht=e=>{react.useEffect(()=>{if(!e.metaReady)return;let t=true;return (async()=>{try{if(await e.waitReady(),!t||(await e.awaitKeyStable(),!t)||(await e.ensureRootKeypair(),!t))return;let r=N(e);e.stateMachine.initialize(r),await Or(e);}catch(r){if(!t)return;e.logger.error("Probe initialization failed",r);}})(),()=>{t=false;}},[e.metaReady]);};var $t=e=>{react.useEffect(()=>{let t=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==t&&e.hasProbedRef.current&&!e.refreshLock.current&&(e.didInitialRefresh.current=false),!e.wallet){e.logger.flow("wallet","Wallet disconnected"),e.stateMachine.onWalletDisconnect(),e.setAllowed(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.hasProbedRef.current&&!e.refreshLock.current&&(e.didInitialRefresh.current=false);return}if(t&&e.wallet&&t!==e.wallet){e.logger.flow("wallet",`Wallet changed: ${t} \u2192 ${e.wallet}`);let r=N(e);e.stateMachine.onWalletChange(t,e.wallet,r),e.proofRef.current=null,e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.rotateLock.current=(async()=>{await e.rotate();})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;});}if(!t&&e.wallet){if(e.logger.flow("wallet",`Wallet connected: ${e.wallet}`),e.didInitialSession.current=false,!e.metaReady){e.logger.info("Wallet connected but meta not ready, deferring state machine update");return}let r=N(e);e.stateMachine.onWalletChange(null,e.wallet,r);}},[e.wallet,e.metaReady]);};var Ot=(e,t)=>{let{attemptRegister:r,setProofFromAdapterToken:n}=t;react.useEffect(()=>{if(!e.providerAdapter||lt(e)||!e.metaReady||!e.wallet)return;let a=N(e);if(e.stateMachine.isInActiveSession()){e.logger.decision("Provider adapter should trigger register?",false,`Already in active session (state: ${e.stateMachine.getState()})`);return}if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,a)){e.logger.decision("Provider adapter should wait for initial refresh?",true,"Returning user - refresh first");return}e.logger.decision("Provider adapter should trigger register?",true,`Fetching token (state: ${e.stateMachine.getState()})`);let i=false;return (async()=>{try{let o=e.providerAdapter.getToken(),s=new Promise((l,c)=>setTimeout(()=>c(new Error("Provider adapter timeout (30s)")),3e4)),u=await Promise.race([o,s]).catch(l=>(e.logger.warn("Provider adapter getToken failed",l),null))??null;if(await e.awaitKeyStable(),i||!u)return;try{let l=u.split(".");if(l[1]){let c=JSON.parse(atob(l[1]));e.logger.info("Provider adapter: got token",{wallet:e.wallet,jwtSub:c.sub,jwtWallet:c.wallet||c.linked_accounts?.[0]?.address,jwtExp:c.exp,jwtIat:c.iat});}}catch{e.logger.info("Provider adapter: got token (could not decode)");}await n(u),await r();}catch(o){e.logger.error("Provider adapter flow failed",o);}})(),()=>{i=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,...e.refreshDeps]);};var jt=(e,t)=>{let{proofProp:r,attemptRegister:n}=t;react.useEffect(()=>{if(typeof r<"u"&&(e.proofRef.current=r??null,r&&e.logger.info("Proof prop updated",{hasProof:!!r})),!e.metaReady)return;let a=N(e),i=!!e.wallet,o=!!e.proofRef.current,s=false,u=e.proofRef.current?.method,l=u==="siwe"||u==="eip191";if(o&&e.stateMachine.isInActiveSession())if(l){let p=Ce(e.proofRef.current),d=e.meta.registeredProofId;if(p&&d){let w=Vr(d),b=w==="siwe"||w==="eip191";if(b&&p!==d)e.logger.info("Proof prop: SIWE/EIP191 credentials changed, allowing re-registration",{old:d,new:p}),e.stateMachine.onNewCredentialsReceived(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,s=true;else if(b){e.logger.decision("Proof prop should trigger register?",false,"Already authenticated with same SIWE/EIP191 credentials");return}else e.logger.info("Proof prop: switching from provider JWT to SIWE/EIP191, allowing re-registration",{old:d,new:p}),e.stateMachine.onNewCredentialsReceived(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,s=true;}}else {e.logger.decision("Proof prop should trigger register?",false,`Already in active session, no credential change detection for ${u}`);return}let c=s?N(e):a;if(!e.stateMachine.shouldAttemptRegister(c)){e.logger.decision("Proof prop should trigger register?",false,`State machine says no (state: ${e.stateMachine.getState()}, inActiveSession: ${e.stateMachine.isInActiveSession()})`);return}if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,c)){e.logger.decision("Proof prop should wait for initial refresh?",true,"Returning user - refresh first");return}i&&o&&e.initResolvedRef.current&&!lt(e)&&(e.logger.info("Proof prop conditions met, attempting register"),n());},[r,e.wallet,e.authenticated,e.meta.boundWallet,e.meta.registeredProofId,e.metaReady,e.providerAdapter,n]);};var Nt=(e,t)=>{let{refresh:r,session:n}=t;react.useEffect(()=>{if(!e.metaReady||e.didInitialRefresh.current)return;e.didInitialRefresh.current=true;let a=true;return (async()=>{try{await e.waitReady(),await e.awaitProbe();let i=N(e);if(e.accessTokenRef.current||e.authenticated){e.logger.info("Already authenticated, skipping initial refresh"),e.wallet&&!e.didInitialSession.current&&await n()!==void 0&&(e.didInitialSession.current=!0);return}if(!e.stateMachine.shouldAttemptRefresh(i)){e.logger.decision("Should attempt initial refresh?",!1,`State: ${e.stateMachine.getState()}`);return}e.logger.decision("Should attempt initial refresh?",!0,`State: ${e.stateMachine.getState()}`);let s=await r();if(!a)return;e.setAuthenticated(s),s&&e.wallet&&!e.didInitialSession.current&&await n()!==void 0&&(e.didInitialSession.current=!0);}catch(i){if(!a)return;let o=i;e.setAuthenticated(false),e.setError(o?.message||String(i)||"Unknown error");}})(),()=>{a=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,r,n]);};var Ut=e=>{react.useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&!x(e.meta.boundWallet,e.wallet)&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]);};var Ft=(e,t)=>{let{session:r}=t;react.useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&e.accessTokenRef.current&&!(e.meta.boundWallet&&!x(e.wallet,e.meta.boundWallet))&&!e.didInitialSession.current)try{e.logger.flow("session","Calling session after authentication"),await r()!==void 0&&(e.didInitialSession.current=!0);}catch(n){let a=n;e.setError(a?.message||String(n));}})();},[e.authenticated,e.wallet,e.meta.boundWallet,r]);};var Bt=e=>{react.useEffect(()=>{e.wallet&&e.authWalletRef.current&&!x(e.wallet,e.authWalletRef.current)&&(e.logger.warn("Wallet mismatch detected, clearing auth and proof",{current:e.wallet,authWallet:e.authWalletRef.current}),e.accessTokenRef.current=null,e.setAuthenticated(false),e.proofRef.current=null);},[e.wallet,e.authWalletRef.current]);};var Gt=(e,t)=>{let{refresh:r,session:n}=t;react.useEffect(()=>{let o=()=>{let l=Math.floor(Date.now()/1e3),c=e.tokenExpRef.current,p=e.sessionExpiry,d=!!c&&c-l<=30&&c-l>0,w=!!p&&p-l<=3600&&p-l>0;return {tokenSoon:d,sessionSoon:w}},s=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&!x(e.wallet,e.meta.boundWallet))return;let{tokenSoon:l,sessionSoon:c}=o();(l||c)&&(e.logger.info("Refreshing on focus",{tokenSoon:l,sessionSoon:c}),await r()&&c&&await n());}catch{}},u=async()=>{document.visibilityState==="visible"&&await s();};return window.addEventListener("focus",s),document.addEventListener("visibilitychange",u),()=>{window.removeEventListener("focus",s),document.removeEventListener("visibilitychange",u);}},[e,e.sessionExpiry,r,n]);};var qr=(e,t)=>{let{refresh:r,session:n,attemptRegister:a,setProofFromAdapterToken:i,proofProp:o}=t;Ht(e),$t(e),Ot(e,{attemptRegister:a,setProofFromAdapterToken:i}),jt(e,{proofProp:o,attemptRegister:a}),Nt(e,{refresh:r,session:n}),Ut(e),Ft(e,{session:n}),Bt(e),Gt(e,{refresh:r,session:n});};var zr=react.createContext(void 0),So=e=>{let t=$r(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:a}=jr(t),i=Ur(t,r),{session:o}=Gr(t,i);qr(t,{refresh:r,session:o,attemptRegister:n,setProofFromAdapterToken:a,proofProp:e.proof});let s=react.useMemo(()=>({get:(u,l)=>i("GET",u,void 0,l),post:(u,l,c)=>i("POST",u,l,c),session:o,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,wallet:t.wallet}),[i,o,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.sessionExpiry,t.sessionData,t.wallet]);return jsxRuntime.jsx(zr.Provider,{value:s,children:e.children})},Ro=e=>jsxRuntime.jsx(It,{clientId:e.clientId,children:jsxRuntime.jsx(So,{...e})}),ko=()=>{let e=react.useContext(zr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
-exports.SunbreakProvider = go;
-exports.useSunbreak = bo;
+exports.SunbreakProvider = Ro;
+exports.useSunbreak = ko;

package/dist/index.mjs CHANGED Viewed

@@ -1,7 +1,7 @@
 import { createContext, useContext, useState, useRef, useMemo, useEffect, useCallback } from 'react';
 import { jsx } from 'react/jsx-runtime';
-var yn=Object.defineProperty;var er=e=>{throw TypeError(e)};var gn=(e,t,r)=>t in e?yn(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var O=(e,t,r)=>gn(e,typeof t!="symbol"?t+"":t,r),tr=(e,t,r)=>t.has(e)||er("Cannot "+r);var m=(e,t,r)=>(tr(e,t,"read from private field"),r?r.call(e):t.get(e)),F=(e,t,r)=>t.has(e)?er("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),B=(e,t,r,n)=>(tr(e,t,"write to private field"),t.set(e,r),r);var ze=e=>{let t=5381;for(let r=0;r<e.length;r++)t=t*33^e.charCodeAt(r);return (t>>>0).toString(16).padStart(8,"0")},Ke=e=>{try{return e.method==="provider_jwt"?`${e.issuer}:${ze(e.token)}`:e.method==="siwe"||e.method==="eip191"?`${e.method}:${ze(e.signature)}`:e.method==="ed25519"?`ed25519:${ze(e.signatureBase64)}`:null}catch{return null}},Ce=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var bn="sunbreak-kv",Ie="kv",Xe="sunbreak_dpop_meta_v1",I="sunbreak_dpop_key_v1",Te="ES256",E="P-256",We=e=>`${Xe}:${e}`,rr=()=>new Promise((e,t)=>{let r=indexedDB.open(bn,1);r.onupgradeneeded=()=>r.result.createObjectStore(Ie),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),T=async e=>{try{let t=await rr();return await new Promise((r,n)=>{let a=t.transaction(Ie,"readonly").objectStore(Ie).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},S=async(e,t)=>{let r=await rr();await new Promise((n,o)=>{let i=r.transaction(Ie,"readwrite").objectStore(Ie).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var Sn=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},Rn=e=>e.replace(/\/+$/,""),yt=e=>{let t=Rn(e);return Sn(t)};function bt(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=kn(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var kn=e=>{for(let t=0;t<gt.length;t++){let r=gt[Math.floor(Math.random()*gt.length)].toLowerCase();if(r!==e)return r}return "alpha"},gt=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var G=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var En=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),Pn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),vn=new Set(["dpop","x-sunbreak-meta"]),An=64,nr=2048,xn=64;function St(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=xn)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>An||En.has(i)||Pn.has(i)||vn.has(i))continue;let s=String(a);s.length>nr&&(s=s.slice(0,nr)),t[i]=s,n++;}return t}var ne=new TextEncoder,ge=new TextDecoder;function or(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function ar(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function ir(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function sr(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:ge.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=ge.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return ir(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Ye(e){let t=e;return typeof t=="string"&&(t=ne.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):ar(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var fe=class extends Error{constructor(r,n){super(r,n);O(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};O(fe,"code","ERR_JOSE_GENERIC");var L=class extends fe{constructor(){super(...arguments);O(this,"code","ERR_JOSE_NOT_SUPPORTED");}};O(L,"code","ERR_JOSE_NOT_SUPPORTED");var oe=class extends fe{constructor(){super(...arguments);O(this,"code","ERR_JWS_INVALID");}};O(oe,"code","ERR_JWS_INVALID");var Je=class extends fe{constructor(){super(...arguments);O(this,"code","ERR_JWT_INVALID");}};O(Je,"code","ERR_JWT_INVALID");var cr,lr,Rt=class extends(lr=fe,cr=Symbol.asyncIterator,lr){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);O(this,cr);O(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};O(Rt,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function Y(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function be(e,t){return e.name===t}function kt(e){return parseInt(e.name.slice(4),10)}function In(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function Tn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function ur(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!be(e.algorithm,"HMAC"))throw Y("HMAC");let n=parseInt(t.slice(2),10);if(kt(e.algorithm.hash)!==n)throw Y(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!be(e.algorithm,"RSASSA-PKCS1-v1_5"))throw Y("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(kt(e.algorithm.hash)!==n)throw Y(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!be(e.algorithm,"RSA-PSS"))throw Y("RSA-PSS");let n=parseInt(t.slice(2),10);if(kt(e.algorithm.hash)!==n)throw Y(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!be(e.algorithm,"Ed25519"))throw Y("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!be(e.algorithm,t))throw Y(t);break}case "ES256":case "ES384":case "ES512":{if(!be(e.algorithm,"ECDSA"))throw Y("ECDSA");let n=In(t);if(e.algorithm.namedCurve!==n)throw Y(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}Tn(e,r);}function fr(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var dr=(e,...t)=>fr("Key must be ",e,...t);function Et(e,t,...r){return fr(`Key for the ${e} algorithm must be `,t,...r)}function Pt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function vt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var At=e=>Pt(e)||vt(e);var pr=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return  true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return  false;r.add(a);}}return  true};function Wn(e){return typeof e=="object"&&e!==null}var Ze=e=>{if(!Wn(e)||Object.prototype.toString.call(e)!=="[object Object]")return  false;if(Object.getPrototypeOf(e)===null)return  true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var hr=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function Jn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new L('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new L('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new L('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new L('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new L('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var mr=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=Jn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var wr=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new L(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function De(e){return Ze(e)&&typeof e.kty=="string"}function yr(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function gr(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function br(e){return e.kty==="oct"&&typeof e.k=="string"}var Se,Sr=async(e,t,r,n=false)=>{Se||(Se=new WeakMap);let o=Se.get(e);if(o?.[r])return o[r];let a=await mr({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:Se.set(e,{[r]:a}),a},_n=(e,t)=>{Se||(Se=new WeakMap);let r=Se.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&s==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES384"&&s==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES512"&&s==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:s},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:Se.set(e,{[t]:a}),a},Rr=async(e,t)=>{if(e instanceof Uint8Array||Pt(e))return e;if(vt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return _n(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Sr(e,r,t)}if(De(e))return e.k?sr(e.k):Sr(e,e,t,true);throw new Error("unreachable")};var Re=e=>e?.[Symbol.toStringTag],xt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return  true},Mn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(De(t)){if(br(t)&&xt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!At(t))throw new TypeError(Et(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${Re(t)} instances for symmetric algorithms must be of type "secret"`)}},Ln=(e,t,r)=>{if(De(t))switch(r){case "decrypt":case "sign":if(yr(t)&&xt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(gr(t)&&xt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!At(t))throw new TypeError(Et(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${Re(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${Re(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${Re(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${Re(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${Re(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},kr=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?Mn(e,t,r):Ln(e,t,r);};var Er=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new L(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var Pr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(dr(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return ur(t,e,r),t};var ie=e=>Math.floor(e.getTime()/1e3);var Hn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Qe=e=>{let t=Hn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function de(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var v,et=class{constructor(t){F(this,v);if(!Ze(t))throw new TypeError("JWT Claims Set MUST be an object");B(this,v,structuredClone(t));}data(){return ne.encode(JSON.stringify(m(this,v)))}get iss(){return m(this,v).iss}set iss(t){m(this,v).iss=t;}get sub(){return m(this,v).sub}set sub(t){m(this,v).sub=t;}get aud(){return m(this,v).aud}set aud(t){m(this,v).aud=t;}set jti(t){m(this,v).jti=t;}set nbf(t){typeof t=="number"?m(this,v).nbf=de("setNotBefore",t):t instanceof Date?m(this,v).nbf=de("setNotBefore",ie(t)):m(this,v).nbf=ie(new Date)+Qe(t);}set exp(t){typeof t=="number"?m(this,v).exp=de("setExpirationTime",t):t instanceof Date?m(this,v).exp=de("setExpirationTime",ie(t)):m(this,v).exp=ie(new Date)+Qe(t);}set iat(t){typeof t>"u"?m(this,v).iat=ie(new Date):t instanceof Date?m(this,v).iat=de("setIssuedAt",ie(t)):typeof t=="string"?m(this,v).iat=de("setIssuedAt",ie(new Date)+Qe(t)):m(this,v).iat=de("setIssuedAt",t);}};v=new WeakMap;var vr=async(e,t,r)=>{let n=await Pr(e,t,"sign");hr(e,n);let o=await crypto.subtle.sign(Er(e,n.algorithm),n,r);return new Uint8Array(o)};var _e,H,Z,tt=class{constructor(t){F(this,_e);F(this,H);F(this,Z);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");B(this,_e,t);}setProtectedHeader(t){if(m(this,H))throw new TypeError("setProtectedHeader can only be called once");return B(this,H,t),this}setUnprotectedHeader(t){if(m(this,Z))throw new TypeError("setUnprotectedHeader can only be called once");return B(this,Z,t),this}async sign(t,r){if(!m(this,H)&&!m(this,Z))throw new oe("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!pr(m(this,H),m(this,Z)))throw new oe("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...m(this,H),...m(this,Z)},o=wr(oe,new Map([["b64",true]]),r?.crit,m(this,H),n),a=true;if(o.has("b64")&&(a=m(this,H).b64,typeof a!="boolean"))throw new oe('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new oe('JWS "alg" (Algorithm) Header Parameter missing or invalid');kr(i,t,"sign");let s=m(this,_e);a&&(s=ne.encode(Ye(s)));let u;m(this,H)?u=ne.encode(Ye(JSON.stringify(m(this,H)))):u=ne.encode("");let l=or(u,ne.encode("."),s),c=await Rr(t,i),p=await vr(i,c,l),d={signature:Ye(p),payload:""};return a&&(d.payload=ge.decode(s)),m(this,Z)&&(d.header=m(this,Z)),m(this,H)&&(d.protected=ge.decode(u)),d}};_e=new WeakMap,H=new WeakMap,Z=new WeakMap;var ke,rt=class{constructor(t){F(this,ke);B(this,ke,new tt(t));}setProtectedHeader(t){return m(this,ke).setProtectedHeader(t),this}async sign(t,r){let n=await m(this,ke).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};ke=new WeakMap;var se,j,pe=class{constructor(t={}){F(this,se);F(this,j);B(this,j,new et(t));}setIssuer(t){return m(this,j).iss=t,this}setSubject(t){return m(this,j).sub=t,this}setAudience(t){return m(this,j).aud=t,this}setJti(t){return m(this,j).jti=t,this}setNotBefore(t){return m(this,j).nbf=t,this}setExpirationTime(t){return m(this,j).exp=t,this}setIssuedAt(t){return m(this,j).iat=t,this}setProtectedHeader(t){return B(this,se,t),this}async sign(t,r){let n=new rt(m(this,j).data());if(n.setProtectedHeader(m(this,se)),Array.isArray(m(this,se)?.crit)&&m(this,se).crit.includes("b64")&&m(this,se).b64===false)throw new Je("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};se=new WeakMap,j=new WeakMap;var $n=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),nt=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return $n(r)},V=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,s={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(s.nonce=n),o&&(s.ath=o),await new pe(s).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var $=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function he(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,s=Math.floor(Date.now()/1e3),u=s+Math.max(60,Math.min(i,3600)),l={child_jkt:n,client_id:o,aud:"issuer",iat:s,exp:u,jti:crypto.randomUUID()};return a&&(l.sid=a),await new pe(l).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Me(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Le(e){let t=e.status,r=Array.from(e.headers.keys()).some(s=>s.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let s=await e.clone().json();n=typeof s?.error=="string"?s.error:void 0,o=typeof s?.detail=="string"?s.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function me(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var ot=e=>/^0x[a-fA-F0-9]{40}$/.test(e),ce=e=>ot(e)?e.toLowerCase():e,A=(e,t)=>!e||!t?false:ot(e)&&ot(t)?e.toLowerCase()===t.toLowerCase():e===t;var Ee={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null,registeredProofId:null},Kt=createContext(void 0);function Ir(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Ee}catch{return Ee}}function Nn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var Ct=({children:e,clientId:t})=>{let[r,n]=useState(Ee),o=useRef(false),[a,i]=useState(false),s=useMemo(()=>We(t),[t]);useEffect(()=>{let h=true;return (async()=>{let y=await T(s)??await T(Xe)??Ir(s);h&&(n({...Ee,...y}),o.current=true,i(true));})(),()=>{h=false;}},[s]),useEffect(()=>{o.current&&(async()=>(await S(s,r),Nn(s,r)))();},[r,s]);let u=useCallback(h=>n(f=>({...f,refreshId:h})),[]),l=useCallback(h=>n(f=>({...f,lastPolicyHash:h})),[]),c=useCallback(h=>n(f=>({...f,lastPolicyProof:h})),[]),p=useCallback(h=>n(f=>({...f,lastHost:h})),[]),d=useCallback(h=>n(f=>({...f,rootJkt:h})),[]),g=useCallback(h=>n(f=>({...f,registeredProofId:h})),[]),R=async()=>{try{let h=localStorage.getItem(s);if(h){let f=JSON.parse(h);if(typeof f?.refreshId=="string"&&f.refreshId)return f.refreshId}}catch{}try{let h=await T(s);if(typeof h?.refreshId=="string"&&h.refreshId)return h.refreshId}catch{}return null},K=useCallback(h=>n(f=>({...f,boundWallet:h})),[]),w=useCallback(h=>n(f=>({...f,clientId:h})),[]),k=useCallback(h=>n(f=>({...f,jkt:h})),[]),b=useCallback(()=>n(Ee),[]),J=useCallback(async()=>{let f=await T(s)??Ir(s);n({...Ee,...f});},[]),M=useMemo(()=>({meta:r,setBoundWallet:K,setClientId:w,setJkt:k,resetMeta:b,reload:J,setRefreshId:u,getRefreshId:R,ready:a,setLastPolicyHash:l,setLastPolicyProof:c,setLastHost:p,setRootJkt:d,setRegisteredProofId:g}),[r,K,w,k,b,J,a,u,R,l,c,p,d,g]);return jsx(Kt.Provider,{value:M,children:e})};function It(){let e=useContext(Kt);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var Wr=`${I}:wrap`;async function at(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${I}:probe_safe`;await S(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await T(t);return await S(t,void 0),!!(r&&r.privKey)}catch{return  false}}async function Bn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!0,["sign","verify"]),t=`${I}:probe`;await S(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await T(t);return await S(t,void 0),!!(r&&r.privKey)}catch{return  false}}function ve(e){let{d:t,...r}=e;return {...r,kty:"EC",crv:E,alg:Te,use:"sig"}}async function Jr(){let e=await T(Wr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await S(Wr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Tt(e){let t=await Jr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Gn(e,t){let r=await Jr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Wt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let u=await T(I);if(!u)return  false;if(u.fmt==="cryptokey"){let c=u;if(!c.privKey)return await S(I,void 0),false;let p=c.privKey;try{if(p.extractable&&await at()){let g=await crypto.subtle.exportKey("jwk",p),R=await crypto.subtle.importKey("jwk",g,{name:"ECDSA",namedCurve:E},!1,["sign"]),K={fmt:"cryptokey",privKey:R,pubJwk:ve(c.pubJwk)};await S(I,K),p=R;}}catch{}return e.current=p,t.current=ve(c.pubJwk),true}if(u.fmt==="encjwk"){let c=u;try{let p=await Gn(c.encPrivJwk,c.iv),d=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=d,t.current=ve(c.pubJwk),!0}catch{return await S(I,void 0),false}}let l=u;if(l&&l.d){let{d:c,...p}=l,d=ve(p),g=await at(),R=g||await Bn();if(R&&g){let b=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},false,["sign"]);return await S(I,{fmt:"cryptokey",privKey:b,pubJwk:d}),e.current=b,t.current=d,true}if(R){let b=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},true,["sign"]);return await S(I,{fmt:"cryptokey",privKey:b,pubJwk:d}),e.current=b,t.current=d,true}let{encPrivJwk:K,iv:w}=await Tt(l);await S(I,{fmt:"encjwk",encPrivJwk:K,iv:w,pubJwk:d});let k=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},false,["sign"]);return e.current=k,t.current=d,true}return await S(I,void 0),false},[]),n=useCallback(async(u,l)=>{await S(I,{fmt:"cryptokey",privKey:u,pubJwk:l});},[]),o=useCallback(async(u,l)=>{let{encPrivJwk:c,iv:p}=await Tt(u);await S(I,{fmt:"encjwk",encPrivJwk:c,iv:p,pubJwk:l});},[]),a=useCallback(async()=>{if(e.current&&t.current||await r())return;let u=await at(),l=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),c=ve(await crypto.subtle.exportKey("jwk",l.publicKey)),p=await crypto.subtle.exportKey("jwk",l.privateKey);if(u){let d=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},false,["sign"]);await n(d,c),e.current=d,t.current=c;}else {await o(p,c);let d=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=d,t.current=c;}},[r,n,o]),i=useCallback(async()=>{let u=await at(),l=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),c=ve(await crypto.subtle.exportKey("jwk",l.publicKey)),p=await crypto.subtle.exportKey("jwk",l.privateKey);if(u){let d=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},false,["sign"]);await S(I,{fmt:"cryptokey",privKey:d,pubJwk:c}),e.current=d,t.current=c;}else {let{encPrivJwk:d,iv:g}=await Tt(p);await S(I,{fmt:"encjwk",encPrivJwk:d,iv:g,pubJwk:c});let R=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=R,t.current=c;}},[]),s=useCallback(async()=>{await S(I,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:s,privRef:e,pubJwkRef:t}};var Q="sunbreak_root_key_v1",_r=`${Q}:wrap`;async function Mr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${Q}:probe_safe`;await S(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await T(t);return await S(t,void 0),!!(r&&r.privKey)}catch{return  false}}function it(e){let{d:t,...r}=e;return {...r,kty:"EC",crv:E,alg:Te,use:"sig"}}async function Lr(){let e=await T(_r);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await S(_r,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Vn(e){let t=await Lr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function qn(e,t){let r=await Lr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Dt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let a=await T(Q);if(!a)return  false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await S(Q,void 0),false;let s=i.privKey;try{if(s.extractable&&await Mr()){let l=await crypto.subtle.exportKey("jwk",s),c=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},!1,["sign"]),p={fmt:"cryptokey",privKey:c,pubJwk:it(i.pubJwk),createdAt:i.createdAt};await S(Q,p),s=c;}}catch{}return e.current=s,t.current=it(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let s=await qn(i.encPrivJwk,i.iv),u=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=u,t.current=it(i.pubJwk),!0}catch{return await S(Q,void 0),false}}return await S(Q,void 0),false},[]),n=useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await Mr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),s=it(await crypto.subtle.exportKey("jwk",i.publicKey)),u=Date.now(),l=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let c=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},false,["sign"]);await S(Q,{fmt:"cryptokey",privKey:c,pubJwk:s,createdAt:u}),e.current=c,t.current=s;}else {let{encPrivJwk:c,iv:p}=await Vn(l);await S(Q,{fmt:"encjwk",encPrivJwk:c,iv:p,pubJwk:s,createdAt:u});let g=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=g,t.current=s;}},[r]),o=useCallback(async()=>{await S(Q,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var He=class e{constructor(t,r=false){this.colors={flow:"#00D9FF",state:"#00FF88",decision:"#FFB800",api:"#B388FF",guard:"#FFEA00",error:"#FF5252",warn:"#FF9100",info:"#90CAF9"};this.enabled=r,this.prefix=t?`[Sunbreak:${t.slice(0,8)}]`:"[Sunbreak]";}log(t,r,n){if(!this.enabled)return;let o=this.colors[t],a=new Date().toISOString().slice(11,23),i=this.getEmoji(t);console.log(`%c${i} ${this.prefix} [${a}] [${t.toUpperCase()}]%c ${r}`,`color: ${o}; font-weight: bold`,"color: inherit; font-weight: normal",n!==void 0?n:"");}getEmoji(t){switch(t){case "flow":return "\u{1F504}";case "state":return "\u{1F500}";case "decision":return "\u{1F914}";case "api":return "\u{1F4E1}";case "guard":return "\u{1F6E1}\uFE0F";case "error":return "\u274C";case "warn":return "\u26A0\uFE0F";case "info":return "\u2139\uFE0F";default:return "\u2022"}}flow(t,r,n){this.log("flow",`[${t.toUpperCase()}] ${r}`,n);}state(t,r,n,o){this.log("state",`${t} \u2192 ${r}: ${n}`,o);}decision(t,r,n,o){this.log("decision",`${t} = ${r?"\u2713 YES":"\u2717 NO"} (${n})`,o);}api(t,r,n){let o=n.status,i=o>=200&&o<300?"\u2713":"\u2717";this.log("api",`${i} ${t} ${r} \u2192 ${o}${n.error?` (${n.error})`:""}`,n.data);}guard(t,r,n,o){this.log("guard",`${t}: ${r?"\u2713 PASS":"\u2717 BLOCK"} (${n})`,o);}error(t,r){this.log("error",t,r);}warn(t,r){this.log("warn",t,r);}info(t,r){this.log("info",t,r);}group(t){this.enabled&&console.group(`${this.prefix} ${t}`);}groupEnd(){this.enabled&&console.groupEnd();}child(t){let r=new e(void 0,this.enabled);return r.prefix=`${this.prefix}[${t}]`,r}},_t=null;function Hr(){return _t||(_t=new He(void 0,false)),_t}var $e=class{constructor(t){this.currentState="unknown";this.previousState="unknown";this.logger=Hr();this.hadSessionHistory=false;this.inActiveSession=false;t&&this.initialize(t);}initialize(t){if(this.currentState!=="unknown"){this.logger.info(`Skipping initialization - state already set to ${this.currentState}`);let n=!!(t.boundWallet||t.refreshId);this.hadSessionHistory=n;return}this.logger.group("\u{1F527} Initializing Session State Machine");let r=!!(t.boundWallet||t.refreshId);this.hadSessionHistory=r,this.logger.info("Initial context",{wallet:t.wallet,boundWallet:t.boundWallet,refreshId:t.refreshId?"present":"null",hasToken:t.hasToken,authenticated:t.authenticated,hasHistory:r}),t.authenticated&&t.hasToken?(this.transition("authenticated","Has valid token"),this.inActiveSession=true):r?this.transition("refreshable","Has session history"):this.transition("unregistered","No session history"),this.logger.groupEnd();}transition(t,r){if(this.currentState===t){this.logger.info(`State unchanged: ${t} (${r})`);return}this.previousState=this.currentState,this.currentState=t,this.logger.state(this.previousState,t,r);}getState(){return this.currentState}isInActiveSession(){return this.inActiveSession}markHadSession(){this.hadSessionHistory||(this.logger.info("Marked hadSessionHistory = true"),this.hadSessionHistory=true);}clearSessionHistory(){this.logger.info("Cleared session history"),this.hadSessionHistory=false,this.inActiveSession=false;}onNewCredentialsReceived(){this.inActiveSession&&(this.logger.info("New credentials received while in active session - allowing re-registration"),this.inActiveSession=false,this.transition("unregistered","New credentials received"));}onProbeComplete(t){if(this.logger.flow("probe","Probe completed, determining initial state"),this.currentState!=="unknown"){this.logger.warn("Probe called but state is not UNKNOWN",{currentState:this.currentState});return}!!(t.boundWallet||t.refreshId)||this.hadSessionHistory?this.transition("refreshable","Session history found"):this.transition("unregistered","No session history");}onRegisterSuccess(t){this.logger.flow("register","Register succeeded"),this.transition("authenticated","Register succeeded"),this.inActiveSession=true,this.hadSessionHistory=true;}onRegisterFailure(t){this.logger.flow("register",`Register failed: ${t}`);}onRefreshSuccess(t){this.logger.flow("refresh","Refresh succeeded"),this.transition("authenticated","Refresh succeeded"),this.inActiveSession=true;}onRefreshExpired(){this.logger.flow("refresh","Refresh failed: session expired (missing refresh identifier)"),this.transition("expired","Session expired"),this.inActiveSession=false;}onRefreshFailure(t){this.logger.flow("refresh",`Refresh failed: ${t}`);}onTokenExpired(){this.logger.flow("token","Token expired"),this.currentState==="authenticated"&&this.transition("refreshable","Token expired");}onWalletChange(t,r,n){if(this.logger.flow("wallet",`Wallet changed: ${t||"null"} \u2192 ${r||"null"}`),!r){this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;return}A(r,n.boundWallet)?(this.hadSessionHistory=true,this.transition("refreshable","Wallet reconnected with session history")):(this.transition("unregistered","Wallet changed to different address"),this.inActiveSession=false);}onWalletDisconnect(){this.logger.flow("wallet","Wallet disconnected"),this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;}shouldAttemptProbe(){let t=this.currentState==="unknown";return this.logger.decision("Should attempt probe?",t,`State is ${this.currentState}`),t}shouldAttemptRefresh(t){if(this.currentState!=="refreshable"&&this.currentState!=="authenticated")return this.logger.decision("Should attempt refresh?",false,`State is ${this.currentState}, not REFRESHABLE or AUTHENTICATED`),false;if(!(t.boundWallet||t.wallet))return this.logger.decision("Should attempt refresh?",false,"No wallet available (neither boundWallet nor current wallet)"),false;if(t.wallet&&t.boundWallet&&!A(t.wallet,t.boundWallet))return this.logger.decision("Should attempt refresh?",false,"Wallet mismatch"),false;if(t.hasToken&&t.tokenExpiry){let n=Math.floor(Date.now()/1e3);if(t.tokenExpiry-n>5&&this.currentState==="authenticated")return this.logger.decision("Should attempt refresh?",false,"Token still valid"),false}return this.logger.decision("Should attempt refresh?",true,`State is ${this.currentState}, token ${t.hasToken?"present":"missing"}`),true}shouldAttemptRegister(t){return this.inActiveSession?(this.logger.decision("Should attempt register?",false,"Already in active session - proof changes ignored"),false):this.currentState!=="unregistered"&&this.currentState!=="expired"?(this.logger.decision("Should attempt register?",false,`State is ${this.currentState}, not UNREGISTERED or EXPIRED`),false):t.wallet?t.hasProof?t.authenticated&&t.hasToken?(this.logger.decision("Should attempt register?",false,"Already authenticated"),false):(this.logger.decision("Should attempt register?",true,`State is ${this.currentState}, have wallet + proof`),true):(this.logger.decision("Should attempt register?",false,"No proof available"),false):(this.logger.decision("Should attempt register?",false,"No wallet connected"),false)}shouldWaitForInitialRefresh(t,r){return this.currentState!=="refreshable"||t?false:r.wallet&&r.boundWallet&&A(r.wallet,r.boundWallet)?(this.logger.decision("Should wait for initial refresh?",true,"Returning user - let refresh attempt first"),true):false}getStateReport(t){return `
+var bn=Object.defineProperty;var er=e=>{throw TypeError(e)};var Sn=(e,t,r)=>t in e?bn(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var O=(e,t,r)=>Sn(e,typeof t!="symbol"?t+"":t,r),tr=(e,t,r)=>t.has(e)||er("Cannot "+r);var m=(e,t,r)=>(tr(e,t,"read from private field"),r?r.call(e):t.get(e)),F=(e,t,r)=>t.has(e)?er("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),B=(e,t,r,n)=>(tr(e,t,"write to private field"),t.set(e,r),r);var ze=e=>{let t=5381;for(let r=0;r<e.length;r++)t=t*33^e.charCodeAt(r);return (t>>>0).toString(16).padStart(8,"0")},Ce=e=>{try{return e.method==="provider_jwt"?`${e.issuer}:${ze(e.token)}`:e.method==="siwe"||e.method==="eip191"?`${e.method}:${ze(e.signature)}`:e.method==="ed25519"?`ed25519:${ze(e.signatureBase64)}`:null}catch{return null}},ye=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Rn="sunbreak-kv",Ie="kv",Xe="sunbreak_dpop_meta_v1",I="sunbreak_dpop_key_v1",Te="ES256",E="P-256",We=e=>`${Xe}:${e}`,rr=()=>new Promise((e,t)=>{let r=indexedDB.open(Rn,1);r.onupgradeneeded=()=>r.result.createObjectStore(Ie),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),T=async e=>{try{let t=await rr();return await new Promise((r,n)=>{let i=t.transaction(Ie,"readonly").objectStore(Ie).get(e);i.onsuccess=()=>r(i.result),i.onerror=()=>n(i.error);})}catch{return}},R=async(e,t)=>{let r=await rr();await new Promise((n,a)=>{let o=r.transaction(Ie,"readwrite").objectStore(Ie).put(t,e);o.onsuccess=()=>n(),o.onerror=()=>a(o.error);});};var kn=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},En=e=>e.replace(/\/+$/,""),yt=e=>{let t=En(e);return kn(t)};function St(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,a=Pn(n);return e.setLastHost(a),t.host=`${a}.${r}`,t.origin}var Pn=e=>{for(let t=0;t<bt.length;t++){let r=bt[Math.floor(Math.random()*bt.length)].toLowerCase();if(r!==e)return r}return "alpha"},bt=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var G=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(a=>r[a]===void 0&&delete r[a]);let n=JSON.stringify(r);return btoa(n)};var vn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),An=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),xn=new Set(["dpop","x-sunbreak-meta"]),Kn=64,nr=2048,Cn=64;function Rt(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[a,i]of r){if(n>=Cn)break;if(a==null||i==null)continue;let o=String(a).toLowerCase().trim();if(!o||o.length>Kn||vn.has(o)||An.has(o)||xn.has(o))continue;let s=String(i);s.length>nr&&(s=s.slice(0,nr)),t[o]=s,n++;}return t}var ne=new TextEncoder,be=new TextDecoder;function or(...e){let t=e.reduce((a,{length:i})=>a+i,0),r=new Uint8Array(t),n=0;for(let a of e)r.set(a,n),n+=a.length;return r}function ar(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function ir(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function sr(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:be.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=be.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return ir(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Ye(e){let t=e;return typeof t=="string"&&(t=ne.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):ar(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var fe=class extends Error{constructor(r,n){super(r,n);O(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};O(fe,"code","ERR_JOSE_GENERIC");var L=class extends fe{constructor(){super(...arguments);O(this,"code","ERR_JOSE_NOT_SUPPORTED");}};O(L,"code","ERR_JOSE_NOT_SUPPORTED");var oe=class extends fe{constructor(){super(...arguments);O(this,"code","ERR_JWS_INVALID");}};O(oe,"code","ERR_JWS_INVALID");var Je=class extends fe{constructor(){super(...arguments);O(this,"code","ERR_JWT_INVALID");}};O(Je,"code","ERR_JWT_INVALID");var cr,lr,kt=class extends(lr=fe,cr=Symbol.asyncIterator,lr){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);O(this,cr);O(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};O(kt,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function Y(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function Se(e,t){return e.name===t}function Et(e){return parseInt(e.name.slice(4),10)}function Wn(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function Jn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function ur(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!Se(e.algorithm,"HMAC"))throw Y("HMAC");let n=parseInt(t.slice(2),10);if(Et(e.algorithm.hash)!==n)throw Y(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!Se(e.algorithm,"RSASSA-PKCS1-v1_5"))throw Y("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(Et(e.algorithm.hash)!==n)throw Y(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!Se(e.algorithm,"RSA-PSS"))throw Y("RSA-PSS");let n=parseInt(t.slice(2),10);if(Et(e.algorithm.hash)!==n)throw Y(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!Se(e.algorithm,"Ed25519"))throw Y("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!Se(e.algorithm,t))throw Y(t);break}case "ES256":case "ES384":case "ES512":{if(!Se(e.algorithm,"ECDSA"))throw Y("ECDSA");let n=Wn(t);if(e.algorithm.namedCurve!==n)throw Y(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}Jn(e,r);}function fr(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var dr=(e,...t)=>fr("Key must be ",e,...t);function Pt(e,t,...r){return fr(`Key for the ${e} algorithm must be `,t,...r)}function vt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function At(e){return e?.[Symbol.toStringTag]==="KeyObject"}var xt=e=>vt(e)||At(e);var pr=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return  true;let r;for(let n of t){let a=Object.keys(n);if(!r||r.size===0){r=new Set(a);continue}for(let i of a){if(r.has(i))return  false;r.add(i);}}return  true};function Dn(e){return typeof e=="object"&&e!==null}var Ze=e=>{if(!Dn(e)||Object.prototype.toString.call(e)!=="[object Object]")return  false;if(Object.getPrototypeOf(e)===null)return  true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var hr=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function _n(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new L('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new L('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new L('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new L('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new L('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var mr=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=_n(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var wr=(e,t,r,n,a)=>{if(a.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(o=>typeof o!="string"||o.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...t.entries()]):i=t;for(let o of n.crit){if(!i.has(o))throw new L(`Extension Header Parameter "${o}" is not recognized`);if(a[o]===void 0)throw new e(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&n[o]===void 0)throw new e(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(n.crit)};function De(e){return Ze(e)&&typeof e.kty=="string"}function gr(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function yr(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function br(e){return e.kty==="oct"&&typeof e.k=="string"}var Re,Sr=async(e,t,r,n=false)=>{Re||(Re=new WeakMap);let a=Re.get(e);if(a?.[r])return a[r];let i=await mr({...t,alg:r});return n&&Object.freeze(e),a?a[r]=i:Re.set(e,{[r]:i}),i},Ln=(e,t)=>{Re||(Re=new WeakMap);let r=Re.get(e);if(r?.[t])return r[t];let n=e.type==="public",a=!!n,i;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}i=e.toCryptoKey(e.asymmetricKeyType,a,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");i=e.toCryptoKey(e.asymmetricKeyType,a,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");i=e.toCryptoKey(e.asymmetricKeyType,a,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let o;switch(t){case "RSA-OAEP":o="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":o="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":o="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":o="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:o},a,n?["encrypt"]:["decrypt"]);i=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:o},a,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&s==="P-256"&&(i=e.toCryptoKey({name:"ECDSA",namedCurve:s},a,[n?"verify":"sign"])),t==="ES384"&&s==="P-384"&&(i=e.toCryptoKey({name:"ECDSA",namedCurve:s},a,[n?"verify":"sign"])),t==="ES512"&&s==="P-521"&&(i=e.toCryptoKey({name:"ECDSA",namedCurve:s},a,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(i=e.toCryptoKey({name:"ECDH",namedCurve:s},a,n?[]:["deriveBits"]));}if(!i)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=i:Re.set(e,{[t]:i}),i},Rr=async(e,t)=>{if(e instanceof Uint8Array||vt(e))return e;if(At(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return Ln(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Sr(e,r,t)}if(De(e))return e.k?sr(e.k):Sr(e,e,t,true);throw new Error("unreachable")};var ke=e=>e?.[Symbol.toStringTag],Kt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return  true},Hn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(De(t)){if(br(t)&&Kt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!xt(t))throw new TypeError(Pt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${ke(t)} instances for symmetric algorithms must be of type "secret"`)}},$n=(e,t,r)=>{if(De(t))switch(r){case "decrypt":case "sign":if(gr(t)&&Kt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(yr(t)&&Kt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!xt(t))throw new TypeError(Pt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${ke(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${ke(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${ke(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${ke(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${ke(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},kr=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?Hn(e,t,r):$n(e,t,r);};var Er=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new L(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var Pr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(dr(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return ur(t,e,r),t};var ie=e=>Math.floor(e.getTime()/1e3);var On=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Qe=e=>{let t=On.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),a;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":a=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":a=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":a=Math.round(r*3600);break;case "day":case "days":case "d":a=Math.round(r*86400);break;case "week":case "weeks":case "w":a=Math.round(r*604800);break;default:a=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-a:a};function de(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var A,et=class{constructor(t){F(this,A);if(!Ze(t))throw new TypeError("JWT Claims Set MUST be an object");B(this,A,structuredClone(t));}data(){return ne.encode(JSON.stringify(m(this,A)))}get iss(){return m(this,A).iss}set iss(t){m(this,A).iss=t;}get sub(){return m(this,A).sub}set sub(t){m(this,A).sub=t;}get aud(){return m(this,A).aud}set aud(t){m(this,A).aud=t;}set jti(t){m(this,A).jti=t;}set nbf(t){typeof t=="number"?m(this,A).nbf=de("setNotBefore",t):t instanceof Date?m(this,A).nbf=de("setNotBefore",ie(t)):m(this,A).nbf=ie(new Date)+Qe(t);}set exp(t){typeof t=="number"?m(this,A).exp=de("setExpirationTime",t):t instanceof Date?m(this,A).exp=de("setExpirationTime",ie(t)):m(this,A).exp=ie(new Date)+Qe(t);}set iat(t){typeof t>"u"?m(this,A).iat=ie(new Date):t instanceof Date?m(this,A).iat=de("setIssuedAt",ie(t)):typeof t=="string"?m(this,A).iat=de("setIssuedAt",ie(new Date)+Qe(t)):m(this,A).iat=de("setIssuedAt",t);}};A=new WeakMap;var vr=async(e,t,r)=>{let n=await Pr(e,t,"sign");hr(e,n);let a=await crypto.subtle.sign(Er(e,n.algorithm),n,r);return new Uint8Array(a)};var _e,H,Z,tt=class{constructor(t){F(this,_e);F(this,H);F(this,Z);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");B(this,_e,t);}setProtectedHeader(t){if(m(this,H))throw new TypeError("setProtectedHeader can only be called once");return B(this,H,t),this}setUnprotectedHeader(t){if(m(this,Z))throw new TypeError("setUnprotectedHeader can only be called once");return B(this,Z,t),this}async sign(t,r){if(!m(this,H)&&!m(this,Z))throw new oe("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!pr(m(this,H),m(this,Z)))throw new oe("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...m(this,H),...m(this,Z)},a=wr(oe,new Map([["b64",true]]),r?.crit,m(this,H),n),i=true;if(a.has("b64")&&(i=m(this,H).b64,typeof i!="boolean"))throw new oe('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=n;if(typeof o!="string"||!o)throw new oe('JWS "alg" (Algorithm) Header Parameter missing or invalid');kr(o,t,"sign");let s=m(this,_e);i&&(s=ne.encode(Ye(s)));let u;m(this,H)?u=ne.encode(Ye(JSON.stringify(m(this,H)))):u=ne.encode("");let l=or(u,ne.encode("."),s),c=await Rr(t,o),p=await vr(o,c,l),d={signature:Ye(p),payload:""};return i&&(d.payload=be.decode(s)),m(this,Z)&&(d.header=m(this,Z)),m(this,H)&&(d.protected=be.decode(u)),d}};_e=new WeakMap,H=new WeakMap,Z=new WeakMap;var Ee,rt=class{constructor(t){F(this,Ee);B(this,Ee,new tt(t));}setProtectedHeader(t){return m(this,Ee).setProtectedHeader(t),this}async sign(t,r){let n=await m(this,Ee).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Ee=new WeakMap;var se,j,pe=class{constructor(t={}){F(this,se);F(this,j);B(this,j,new et(t));}setIssuer(t){return m(this,j).iss=t,this}setSubject(t){return m(this,j).sub=t,this}setAudience(t){return m(this,j).aud=t,this}setJti(t){return m(this,j).jti=t,this}setNotBefore(t){return m(this,j).nbf=t,this}setExpirationTime(t){return m(this,j).exp=t,this}setIssuedAt(t){return m(this,j).iat=t,this}setProtectedHeader(t){return B(this,se,t),this}async sign(t,r){let n=new rt(m(this,j).data());if(n.setProtectedHeader(m(this,se)),Array.isArray(m(this,se)?.crit)&&m(this,se).crit.includes("b64")&&m(this,se).b64===false)throw new Je("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};se=new WeakMap,j=new WeakMap;var jn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),nt=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return jn(r)},V=async e=>{let{method:t,url:r,nonce:n,ath:a,privateKey:i,publicJwk:o}=e,s={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(s.nonce=n),a&&(s.ath=a),await new pe(s).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:o}).sign(i)};var $=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),a=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(a))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function he(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:a,sid:i,ttlSec:o=300}=e,s=Math.floor(Date.now()/1e3),u=s+Math.max(60,Math.min(o,3600)),l={child_jkt:n,client_id:a,aud:"issuer",iat:s,exp:u,jti:crypto.randomUUID()};return i&&(l.sid=i),await new pe(l).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Me(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Le(e){let t=e.status,r=Array.from(e.headers.keys()).some(s=>s.toLowerCase().startsWith("x-amzn-waf")),n,a,i=e.headers.get("content-type")||"";if(i.includes("application/json"))try{let s=await e.clone().json();n=typeof s?.error=="string"?s.error:void 0,a=typeof s?.detail=="string"?s.detail:void 0;}catch{}let o=t===403&&!r&&!i.includes("application/json");return {status:t,code:n,detail:a,waf:r,alb403:o}}function me(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var ot=e=>/^0x[a-fA-F0-9]{40}$/.test(e),ce=e=>ot(e)?e.toLowerCase():e,x=(e,t)=>!e||!t?false:ot(e)&&ot(t)?e.toLowerCase()===t.toLowerCase():e===t;var Pe={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null,registeredProofId:null},Ct=createContext(void 0);function Ir(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Pe}catch{return Pe}}function Fn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var It=({children:e,clientId:t})=>{let[r,n]=useState(Pe),a=useRef(false),[i,o]=useState(false),s=useMemo(()=>We(t),[t]);useEffect(()=>{let h=true;return (async()=>{let y=await T(s)??await T(Xe)??Ir(s);h&&(n({...Pe,...y}),a.current=true,o(true));})(),()=>{h=false;}},[s]),useEffect(()=>{a.current&&(async()=>(await R(s,r),Fn(s,r)))();},[r,s]);let u=useCallback(h=>n(f=>({...f,refreshId:h})),[]),l=useCallback(h=>n(f=>({...f,lastPolicyHash:h})),[]),c=useCallback(h=>n(f=>({...f,lastPolicyProof:h})),[]),p=useCallback(h=>n(f=>({...f,lastHost:h})),[]),d=useCallback(h=>n(f=>({...f,rootJkt:h})),[]),w=useCallback(h=>n(f=>({...f,registeredProofId:h})),[]),b=async()=>{try{let h=localStorage.getItem(s);if(h){let f=JSON.parse(h);if(typeof f?.refreshId=="string"&&f.refreshId)return f.refreshId}}catch{}try{let h=await T(s);if(typeof h?.refreshId=="string"&&h.refreshId)return h.refreshId}catch{}return null},v=useCallback(h=>n(f=>({...f,boundWallet:h})),[]),g=useCallback(h=>n(f=>({...f,clientId:h})),[]),k=useCallback(h=>n(f=>({...f,jkt:h})),[]),S=useCallback(()=>n(Pe),[]),J=useCallback(async()=>{let f=await T(s)??Ir(s);n({...Pe,...f});},[]),M=useMemo(()=>({meta:r,setBoundWallet:v,setClientId:g,setJkt:k,resetMeta:S,reload:J,setRefreshId:u,getRefreshId:b,ready:i,setLastPolicyHash:l,setLastPolicyProof:c,setLastHost:p,setRootJkt:d,setRegisteredProofId:w}),[r,v,g,k,S,J,i,u,b,l,c,p,d,w]);return jsx(Ct.Provider,{value:M,children:e})};function Tt(){let e=useContext(Ct);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var Wr=`${I}:wrap`;async function at(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${I}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await T(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return  false}}async function Vn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!0,["sign","verify"]),t=`${I}:probe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await T(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return  false}}function Ae(e){let{d:t,...r}=e;return {...r,kty:"EC",crv:E,alg:Te,use:"sig"}}async function Jr(){let e=await T(Wr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(Wr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Wt(e){let t=await Jr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function qn(e,t){let r=await Jr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Jt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let u=await T(I);if(!u)return  false;if(u.fmt==="cryptokey"){let c=u;if(!c.privKey)return await R(I,void 0),false;let p=c.privKey;try{if(p.extractable&&await at()){let w=await crypto.subtle.exportKey("jwk",p),b=await crypto.subtle.importKey("jwk",w,{name:"ECDSA",namedCurve:E},!1,["sign"]),v={fmt:"cryptokey",privKey:b,pubJwk:Ae(c.pubJwk)};await R(I,v),p=b;}}catch{}return e.current=p,t.current=Ae(c.pubJwk),true}if(u.fmt==="encjwk"){let c=u;try{let p=await qn(c.encPrivJwk,c.iv),d=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=d,t.current=Ae(c.pubJwk),!0}catch{return await R(I,void 0),false}}let l=u;if(l&&l.d){let{d:c,...p}=l,d=Ae(p),w=await at(),b=w||await Vn();if(b&&w){let S=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},false,["sign"]);return await R(I,{fmt:"cryptokey",privKey:S,pubJwk:d}),e.current=S,t.current=d,true}if(b){let S=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},true,["sign"]);return await R(I,{fmt:"cryptokey",privKey:S,pubJwk:d}),e.current=S,t.current=d,true}let{encPrivJwk:v,iv:g}=await Wt(l);await R(I,{fmt:"encjwk",encPrivJwk:v,iv:g,pubJwk:d});let k=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},false,["sign"]);return e.current=k,t.current=d,true}return await R(I,void 0),false},[]),n=useCallback(async(u,l)=>{await R(I,{fmt:"cryptokey",privKey:u,pubJwk:l});},[]),a=useCallback(async(u,l)=>{let{encPrivJwk:c,iv:p}=await Wt(u);await R(I,{fmt:"encjwk",encPrivJwk:c,iv:p,pubJwk:l});},[]),i=useCallback(async()=>{if(e.current&&t.current||await r())return;let u=await at(),l=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),c=Ae(await crypto.subtle.exportKey("jwk",l.publicKey)),p=await crypto.subtle.exportKey("jwk",l.privateKey);if(u){let d=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},false,["sign"]);await n(d,c),e.current=d,t.current=c;}else {await a(p,c);let d=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=d,t.current=c;}},[r,n,a]),o=useCallback(async()=>{let u=await at(),l=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),c=Ae(await crypto.subtle.exportKey("jwk",l.publicKey)),p=await crypto.subtle.exportKey("jwk",l.privateKey);if(u){let d=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},false,["sign"]);await R(I,{fmt:"cryptokey",privKey:d,pubJwk:c}),e.current=d,t.current=c;}else {let{encPrivJwk:d,iv:w}=await Wt(p);await R(I,{fmt:"encjwk",encPrivJwk:d,iv:w,pubJwk:c});let b=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=b,t.current=c;}},[]),s=useCallback(async()=>{await R(I,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:i,rotate:o,clear:s,privRef:e,pubJwkRef:t}};var Q="sunbreak_root_key_v1",_r=`${Q}:wrap`;async function Mr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${Q}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await T(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return  false}}function it(e){let{d:t,...r}=e;return {...r,kty:"EC",crv:E,alg:Te,use:"sig"}}async function Lr(){let e=await T(_r);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(_r,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function zn(e){let t=await Lr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Xn(e,t){let r=await Lr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var _t=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let i=await T(Q);if(!i)return  false;if(i.fmt==="cryptokey"){let o=i;if(!o.privKey)return await R(Q,void 0),false;let s=o.privKey;try{if(s.extractable&&await Mr()){let l=await crypto.subtle.exportKey("jwk",s),c=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},!1,["sign"]),p={fmt:"cryptokey",privKey:c,pubJwk:it(o.pubJwk),createdAt:o.createdAt};await R(Q,p),s=c;}}catch{}return e.current=s,t.current=it(o.pubJwk),true}if(i.fmt==="encjwk"){let o=i;try{let s=await Xn(o.encPrivJwk,o.iv),u=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=u,t.current=it(o.pubJwk),!0}catch{return await R(Q,void 0),false}}return await R(Q,void 0),false},[]),n=useCallback(async()=>{if(e.current&&t.current||await r())return;let i=await Mr(),o=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),s=it(await crypto.subtle.exportKey("jwk",o.publicKey)),u=Date.now(),l=await crypto.subtle.exportKey("jwk",o.privateKey);if(i){let c=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},false,["sign"]);await R(Q,{fmt:"cryptokey",privKey:c,pubJwk:s,createdAt:u}),e.current=c,t.current=s;}else {let{encPrivJwk:c,iv:p}=await zn(l);await R(Q,{fmt:"encjwk",encPrivJwk:c,iv:p,pubJwk:s,createdAt:u});let w=await crypto.subtle.importKey("jwk",l,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=w,t.current=s;}},[r]),a=useCallback(async()=>{await R(Q,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:a,rootPrivRef:e,rootPubJwkRef:t}};var He=class e{constructor(t,r=false){this.colors={flow:"#00D9FF",state:"#00FF88",decision:"#FFB800",api:"#B388FF",guard:"#FFEA00",error:"#FF5252",warn:"#FF9100",info:"#90CAF9"};this.enabled=r,this.prefix=t?`[Sunbreak:${t.slice(0,8)}]`:"[Sunbreak]";}log(t,r,n){if(!this.enabled)return;let a=this.colors[t],i=new Date().toISOString().slice(11,23),o=this.getEmoji(t);console.log(`%c${o} ${this.prefix} [${i}] [${t.toUpperCase()}]%c ${r}`,`color: ${a}; font-weight: bold`,"color: inherit; font-weight: normal",n!==void 0?n:"");}getEmoji(t){switch(t){case "flow":return "\u{1F504}";case "state":return "\u{1F500}";case "decision":return "\u{1F914}";case "api":return "\u{1F4E1}";case "guard":return "\u{1F6E1}\uFE0F";case "error":return "\u274C";case "warn":return "\u26A0\uFE0F";case "info":return "\u2139\uFE0F";default:return "\u2022"}}flow(t,r,n){this.log("flow",`[${t.toUpperCase()}] ${r}`,n);}state(t,r,n,a){this.log("state",`${t} \u2192 ${r}: ${n}`,a);}decision(t,r,n,a){this.log("decision",`${t} = ${r?"\u2713 YES":"\u2717 NO"} (${n})`,a);}api(t,r,n){let a=n.status,o=a>=200&&a<300?"\u2713":"\u2717";this.log("api",`${o} ${t} ${r} \u2192 ${a}${n.error?` (${n.error})`:""}`,n.data);}guard(t,r,n,a){this.log("guard",`${t}: ${r?"\u2713 PASS":"\u2717 BLOCK"} (${n})`,a);}error(t,r){this.log("error",t,r);}warn(t,r){this.log("warn",t,r);}info(t,r){this.log("info",t,r);}group(t){this.enabled&&console.group(`${this.prefix} ${t}`);}groupEnd(){this.enabled&&console.groupEnd();}child(t){let r=new e(void 0,this.enabled);return r.prefix=`${this.prefix}[${t}]`,r}},Mt=null;function Hr(){return Mt||(Mt=new He(void 0,false)),Mt}var $e=class{constructor(t){this.currentState="unknown";this.previousState="unknown";this.logger=Hr();this.hadSessionHistory=false;this.inActiveSession=false;t&&this.initialize(t);}initialize(t){if(this.currentState!=="unknown"){this.logger.info(`Skipping initialization - state already set to ${this.currentState}`);let n=!!(t.boundWallet||t.refreshId);this.hadSessionHistory=n;return}this.logger.group("\u{1F527} Initializing Session State Machine");let r=!!(t.boundWallet||t.refreshId);this.hadSessionHistory=r,this.logger.info("Initial context",{wallet:t.wallet,boundWallet:t.boundWallet,refreshId:t.refreshId?"present":"null",hasToken:t.hasToken,authenticated:t.authenticated,hasHistory:r}),t.authenticated&&t.hasToken?(this.transition("authenticated","Has valid token"),this.inActiveSession=true):r?this.transition("refreshable","Has session history"):this.transition("unregistered","No session history"),this.logger.groupEnd();}transition(t,r){if(this.currentState===t){this.logger.info(`State unchanged: ${t} (${r})`);return}this.previousState=this.currentState,this.currentState=t,this.logger.state(this.previousState,t,r);}getState(){return this.currentState}isInActiveSession(){return this.inActiveSession}markHadSession(){this.hadSessionHistory||(this.logger.info("Marked hadSessionHistory = true"),this.hadSessionHistory=true);}clearSessionHistory(){this.logger.info("Cleared session history"),this.hadSessionHistory=false,this.inActiveSession=false;}onNewCredentialsReceived(){this.inActiveSession&&(this.logger.info("New credentials received while in active session - allowing re-registration"),this.inActiveSession=false,this.transition("unregistered","New credentials received"));}onProbeComplete(t){if(this.logger.flow("probe","Probe completed, determining initial state"),this.currentState!=="unknown"){this.logger.warn("Probe called but state is not UNKNOWN",{currentState:this.currentState});return}!!(t.boundWallet||t.refreshId)||this.hadSessionHistory?this.transition("refreshable","Session history found"):this.transition("unregistered","No session history");}onRegisterSuccess(t){this.logger.flow("register","Register succeeded"),this.transition("authenticated","Register succeeded"),this.inActiveSession=true,this.hadSessionHistory=true;}onRegisterFailure(t){this.logger.flow("register",`Register failed: ${t}`);}onRefreshSuccess(t){this.logger.flow("refresh","Refresh succeeded"),this.transition("authenticated","Refresh succeeded"),this.inActiveSession=true;}onRefreshExpired(){this.logger.flow("refresh","Refresh failed: session expired (missing refresh identifier)"),this.transition("expired","Session expired"),this.inActiveSession=false;}onRefreshFailure(t){this.logger.flow("refresh",`Refresh failed: ${t}`);}onTokenExpired(){this.logger.flow("token","Token expired"),this.currentState==="authenticated"&&this.transition("refreshable","Token expired");}onWalletChange(t,r,n){if(this.logger.flow("wallet",`Wallet changed: ${t||"null"} \u2192 ${r||"null"}`),!r){this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;return}x(r,n.boundWallet)?(this.hadSessionHistory=true,this.transition("refreshable","Wallet reconnected with session history")):(this.transition("unregistered","Wallet changed to different address"),this.inActiveSession=false);}onWalletDisconnect(){this.logger.flow("wallet","Wallet disconnected"),this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;}shouldAttemptProbe(){let t=this.currentState==="unknown";return this.logger.decision("Should attempt probe?",t,`State is ${this.currentState}`),t}shouldAttemptRefresh(t){if(this.currentState!=="refreshable"&&this.currentState!=="authenticated")return this.logger.decision("Should attempt refresh?",false,`State is ${this.currentState}, not REFRESHABLE or AUTHENTICATED`),false;if(!(t.boundWallet||t.wallet))return this.logger.decision("Should attempt refresh?",false,"No wallet available (neither boundWallet nor current wallet)"),false;if(t.wallet&&t.boundWallet&&!x(t.wallet,t.boundWallet))return this.logger.decision("Should attempt refresh?",false,"Wallet mismatch"),false;if(t.hasToken&&t.tokenExpiry){let n=Math.floor(Date.now()/1e3);if(t.tokenExpiry-n>5&&this.currentState==="authenticated")return this.logger.decision("Should attempt refresh?",false,"Token still valid"),false}return this.logger.decision("Should attempt refresh?",true,`State is ${this.currentState}, token ${t.hasToken?"present":"missing"}`),true}shouldAttemptRegister(t){return this.inActiveSession?(this.logger.decision("Should attempt register?",false,"Already in active session - proof changes ignored"),false):this.currentState!=="unregistered"&&this.currentState!=="expired"?(this.logger.decision("Should attempt register?",false,`State is ${this.currentState}, not UNREGISTERED or EXPIRED`),false):t.wallet?t.hasProof?t.authenticated&&t.hasToken?(this.logger.decision("Should attempt register?",false,"Already authenticated"),false):(this.logger.decision("Should attempt register?",true,`State is ${this.currentState}, have wallet + proof`),true):(this.logger.decision("Should attempt register?",false,"No proof available"),false):(this.logger.decision("Should attempt register?",false,"No wallet connected"),false)}shouldWaitForInitialRefresh(t,r){return this.currentState!=="refreshable"||t?false:r.wallet&&r.boundWallet&&x(r.wallet,r.boundWallet)?(this.logger.decision("Should wait for initial refresh?",true,"Returning user - let refresh attempt first"),true):false}getStateReport(t){return `
 \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
 \u2502  Session State Machine Report          \u2502
 \u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524
@@ -17,6 +17,6 @@ var yn=Object.defineProperty;var er=e=>{throw TypeError(e)};var gn=(e,t,r)=>t in
 \u2502 Authenticated:    ${String(t.authenticated).padEnd(20)} \u2502
 \u2502 Has Proof:        ${String(t.hasProof).padEnd(20)} \u2502
 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518
-    `.trim()}};var zn=()=>crypto.randomUUID(),$r=e=>{let{clientId:t,wallet:r,base:n="https://api.sunbreak.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:s,refreshDeps:u=[],debug:l}=e,c=yt(n),p=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:d,setBoundWallet:g,setJkt:R,setRefreshId:K,getRefreshId:w,setLastPolicyHash:k,setLastPolicyProof:b,setLastHost:J,setRootJkt:M,setRegisteredProofId:h,ready:f}=It(),{ensureRootKeypair:y,rootPrivRef:C,rootPubJwkRef:D}=Dt(),xe=useCallback(async()=>{await y();try{if(!d.rootJkt&&D.current){let re=await $(D.current);M(re);}}catch{}},[y,d.rootJkt,D]),{ensureKeypair:x,rotate:Ue,privRef:Fe,pubJwkRef:qt}=Wt(),[_,X]=useState(false),[U,te]=useState(0),[le,ae]=useState(null),[lt,ut]=useState(null),[ft,qr]=useState(null),[zr,Xr]=useState(null),Yr=useRef(null),Zr=useRef(null),Qr=useRef(null),en=useRef(null),tn=useRef(null),rn=useRef(null),nn=useRef(null),on=useRef(false),an=useRef(false),sn=useRef(void 0),Be=useRef(false),dt=useRef(false),zt=useRef(null),ue=useRef(null);ue.current||(ue.current=new Promise(re=>{zt.current=re;}));let pt=useRef(null),cn=useRef(i),ln=useRef(null),ye=useRef(null);if(!ye.current){let re=l??false;ye.current=new He(t,re);}let Xt=l??false;ye.current&&ye.current.enabled!==Xt&&(ye.current.enabled=Xt);let ht=useRef(null);ht.current||(ht.current=new $e);let Ge=useRef(null),Yt=useRef(null),Ve=useRef(null),Zt=()=>Date.now(),un=()=>(Ve.current??0)>0&&Ve.current<Zt(),mt=useCallback((re,wn=15e3)=>{let Qt=zn();return Ge.current=Qt,Yt.current=re,Ve.current=Zt()+Math.max(1e3,wn),Qt},[]),fn=useCallback(()=>((!Ge.current||un())&&mt("adhoc",1e4),Ge.current),[mt]),wt=useRef(null),qe=useRef(null);qe.current||(qe.current=new Promise(re=>{wt.current=re;}));let dn=useCallback(async()=>{!Be.current&&qe.current&&await qe.current;},[]),pn=useCallback(()=>{Be.current||(Be.current=true,wt.current?.(),wt.current=null);},[]),hn=useCallback(async()=>{!dt.current&&ue.current&&await ue.current;},[]),mn=useCallback(async()=>{!dt.current&&ue.current&&await ue.current,pt.current&&await pt.current;},[]);return {clientId:t,wallet:r,baseUrl:c,fetchImpl:p,timeoutMs:a,providerAdapter:s,refreshDeps:u,ensureKeypair:x,rotate:Ue,ensureRootKeypair:xe,rootPrivRef:C,rootPubJwkRef:D,privRef:Fe,pubJwkRef:qt,meta:d,setBoundWallet:g,setJkt:R,setRefreshId:K,accessTokenRef:Qr,tokenExpRef:en,authenticated:_,setAuthenticated:X,loadingCount:U,setLoadingCount:te,error:le,setError:ae,allowed:lt,setAllowed:ut,sessionExpiry:ft,setSessionExpiry:qr,sessionData:zr,setSessionData:Xr,authWalletRef:Zr,refreshLock:tn,registerLock:rn,sessionLock:nn,didInitialRefresh:on,didInitialSession:an,prevWalletRef:sn,initResolvedRef:dt,initReady:ue,initResolveRef:zt,rotateLock:pt,waitReady:hn,awaitKeyStable:mn,proofRef:cn,registerCooldownUntilRef:Yr,reqIdRef:Ge,flowLabelRef:Yt,flowExpireRef:Ve,beginFlow:mt,currentReqId:fn,awaitProbe:dn,markProbed:pn,hasProbedRef:Be,getRefreshId:w,setLastPolicyHash:k,setLastPolicyProof:b,setLastHost:J,setRootJkt:M,setRegisteredProofId:h,metaReady:f,probeLock:ln,stateMachine:ht.current,logger:ye.current}};var z=e=>e.accessTokenRef.current??null,ee=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},W=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Xn=(e,t)=>`${e.toUpperCase()} ${t}`;async function Oe(e,t,r,n){if(!t)return e.logger.guard("register",false,"No wallet provided"),false;e.logger.flow("register","Starting register flow",{wallet:t});let o=Oe._nonceCacheRef||(Oe._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let a;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let y=await $(e.rootPubJwkRef.current);e.setRootJkt?.(y);}catch{}let h=await $(W(e)),f=await e.getRefreshId();a=await he({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:h,clientId:e.clientId,sid:f||void 0,ttlSec:300});}}catch(h){e.logger.warn("Failed to create PODE for register",h);}let i=e.currentReqId(),s="/auth/register",u=`${e.baseUrl}${s}`,l=new URL(e.baseUrl).origin,c="POST",p=`${l}${s}`,d=Xn(c,p),g=o.map.get(d),R=await V({method:c,url:p,nonce:g,privateKey:ee(e),publicJwk:W(e)}),K=async h=>e.fetchImpl(u,{method:c,headers:{"content-type":"application/json","x-sunbreak-meta":G(e,{reqId:i,pode:a||void 0}),...h},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),w=await K({DPoP:R}),k=h=>{let f=h.headers.get("dpop-nonce");f&&o.map.set(d,f);};if(w.status===401){e.logger.info("Register got 401, retrying with nonce");let h=w.headers.get("www-authenticate"),y=(h&&h.match(/dpop-nonce="([^"]+)"/i))?.[1];if(y){o.map.set(d,y);let C=await V({method:c,url:p,nonce:y,privateKey:ee(e),publicJwk:W(e)});w=await K({DPoP:C});}}if(k(w),e.logger.api(c,s,{status:w.status}),!w.ok){let h=await Le(w);if((w.headers.get("content-type")||"").includes("application/json")){let y;try{y=await w.clone().json();}catch{}let C=Me(y&&(y.error||y.message||y.detail)||`HTTP ${w.status}`);throw me(C,h)}else {let y=h.waf?"Blocked by WAF (403)":h.alb403?"Blocked at origin (ALB 403)":`HTTP ${w.status}`;throw me(y,h)}}let b=await w.json();e.logger.info("Register succeeded",{expiresIn:b.expiresIn,hasRefreshId:!!b.refreshId}),e.accessTokenRef.current=b.access,e.authWalletRef.current=ce(t),e.setAuthenticated(!0);try{let h=Math.floor(Date.now()/1e3);e.tokenExpRef.current=h+(b.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(ce(t)),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await $(W(e)));}catch{}let J=Ke(r);e.setRegisteredProofId(J);try{let h={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:b.refreshId??null,registeredProofId:J};e.setRefreshId(b.refreshId??null);let f=We(e.clientId);await S(f,h);try{localStorage.setItem(f,JSON.stringify(h));}catch(y){e.logger.warn("Failed to persist meta to localStorage",y);}}catch(h){e.logger.warn("Failed to persist session metadata",h);}let M={wallet:t,boundWallet:t,refreshId:b.refreshId??null,hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!0,authenticated:!0};return e.stateMachine.onRegisterSuccess(M),!0}catch(a){let i=a,s=Number(i?.status||0),u=String(i?.code||"").toLowerCase(),l=String(i?.message||"").toLowerCase(),c=Math.floor(Math.random()*1e3);e.logger.error("Register failed",{status:s,code:u,msg:l}),e.stateMachine.onRegisterFailure(`${u||l||"Unknown error"}`);let p=u==="session_exists"||u==="already_authenticated"||l.includes("already")&&(l.includes("session")||l.includes("authenticated")),d=(s===401||s===403)&&u==="replay";if((p||d)&&n?.refreshFallback&&(!e.meta.boundWallet||A(e.meta.boundWallet,t))){e.logger.info("Register failed with recoverable error, attempting refresh fallback",{code:u,isSessionExists:p,isReplay:d});try{if(await n.refreshFallback())return e.logger.info("Refresh fallback succeeded after register failure"),e.meta.boundWallet||e.setBoundWallet(t),!0}catch(R){e.logger.warn("Refresh fallback failed",R);}}if(d){if(e.providerAdapter)try{let g=await e.providerAdapter.getToken()??null;if(g)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Ce(e.providerAdapter,g),e.registerCooldownUntilRef.current=Date.now()+5e3+c,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+c,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+c,false}if(p)return e.setError("Session already exists. Try refreshing the page."),e.registerCooldownUntilRef.current=Date.now()+3e3+c,false;if(s===403&&(i?.waf||i?.alb403))return e.setError(l||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+c,false;if(s===403)return e.setError(u||l||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+c,false;if(s===429||s===503){e.setError(u||l||"Rate limited / unavailable");let g=s===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+g+c,false}return e.setError(u||l||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}}var Yn=(e,t)=>`${e.toUpperCase()} ${t}`;function je(e){if(e.refreshLock.current)return e.logger.guard("refreshLock",false,"Refresh already in progress"),e.refreshLock.current;if(e.registerLock.current){e.logger.guard("registerLock",false,"Registration in progress, waiting");let t=e.registerLock.current.then(()=>{if(e.authenticated&&z(e))return  true;if(z(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return  true}return  false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.logger.flow("refresh","Starting refresh flow"),e.refreshLock.current=(async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe();let t=e.meta.boundWallet||e.wallet;if(!t)return e.logger.warn("No wallet available for refresh (neither boundWallet nor current wallet)"),!1;if(e.wallet&&e.meta.boundWallet&&!A(e.wallet,e.meta.boundWallet))return e.logger.warn("Wallet mismatch during refresh",{current:e.wallet,bound:e.meta.boundWallet}),e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let r=z(e);if(r){let f=e.tokenExpRef.current,y=Math.floor(Date.now()/1e3);if(!!r&&!!f&&f-y>5)return e.logger.info("Token still valid, skipping refresh"),!0}e.beginFlow("refresh",15e3);let n=e.currentReqId();await e.ensureKeypair();let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let C=await $(e.rootPubJwkRef.current);e.setRootJkt?.(C);}catch{}let f=await $(W(e)),y=await e.getRefreshId();o=await he({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:f,clientId:e.clientId,sid:y||void 0,ttlSec:300});}}catch(f){e.logger.warn("Failed to create PODE for refresh",f);}let a="/auth/refresh",i=`${e.baseUrl}${a}`,s=new URL(e.baseUrl).origin,u="POST",l=`${s}${a}`,c=Yn(u,l),p=je._nonceCacheRef||(je._nonceCacheRef={map:new Map}),d=async f=>await V({method:u,url:l,nonce:f,privateKey:ee(e),publicJwk:W(e)}),g=await e.getRefreshId(),R={"x-sunbreak-meta":G(e,{reqId:n,refreshId:g||void 0,pode:o||void 0,wallet:t}),"content-type":"application/json"},K=async f=>e.fetchImpl(i,{method:u,headers:{DPoP:f,...R},credentials:"include",body:"{}"}),w=f=>{let y=f.headers.get("dpop-nonce");y&&p.map.set(c,y);},k=await K(await d(p.map.get(c)));if(k.status===401){e.logger.info("Refresh got 401, retrying with nonce");let f=k.headers.get("www-authenticate"),C=(f&&f.match(/dpop-nonce="([^"]+)"/i))?.[1];C&&(p.map.set(c,C),k=await K(await d(C)));}if(w(k),e.logger.api(u,a,{status:k.status}),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let y=await k.clone().json().catch(()=>{}),C=y&&(y.error||y.code||y.message)||"",D=String(C).toLowerCase();if(D.includes("missing")&&D.includes("refresh")){e.logger.warn("Refresh session expired (missing refresh identifier)"),e.stateMachine.onRefreshExpired();try{e.setRefreshId?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}else e.logger.warn("Refresh failed",{error:C}),e.stateMachine.onRefreshFailure(String(C));}}catch{}return !1}let b=await k.json();e.logger.info("Refresh succeeded",{expiresIn:b.expiresIn,hasRefreshId:!!b.refreshId}),e.accessTokenRef.current=b.access,e.setAuthenticated(!0);let J=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=J?ce(J):null;try{let f=Math.floor(Date.now()/1e3);e.tokenExpRef.current=f+(b.expiresIn??0);}catch{}try{e.setJkt(await $(W(e)));}catch{}b.refreshId&&e.setRefreshId(b.refreshId);let M=f=>!f||f==="null"||f==="undefined"?null:f,h={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:M(b.refreshId??e.meta.refreshId??null),hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!!e.proofRef.current,authenticated:!0};return e.stateMachine.onRefreshSuccess(h),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var Zn=(e,t)=>`${e.toUpperCase()} ${t}`,Mt=new Map,Ne;try{let e=globalThis;Ne=e.__sunbreak_page_probe_guard??(e.__sunbreak_page_probe_guard=new Set);}catch{Ne=new Set;}var Qn=e=>{try{let t=new URL(e.baseUrl).origin;return `${e.clientId}::${t}`}catch{return `${e.clientId}::${e.baseUrl}`}};async function Or(e){let t=Qn(e);if(e.probeLock.current){e.logger.guard("probeLock",false,"Probe already in progress, waiting"),await e.probeLock.current,e.markProbed();return}if(e.hasProbedRef.current){e.logger.guard("hasProbedRef",false,"Already probed in this session"),e.markProbed();return}if(Ne.has(t)){e.logger.guard("pageProbeGuard",false,"Already probed for this page load"),e.markProbed();return}Ne.add(t),e.logger.flow("probe","Starting probe flow",{clientId:e.clientId,pageKey:t});let r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let o;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let w=await $(W(e));o=await he({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:w,clientId:e.clientId,ttlSec:300});}catch(w){e.logger.warn("Failed to create PODE for probe",w);}let a="POST",i="/auth/probe",s=`${e.baseUrl}${i}`,u=`${n}${i}`,l=Zn(a,u),c=async w=>V({method:a,url:u,nonce:w,privateKey:ee(e),publicJwk:W(e)}),p=async w=>e.fetchImpl(s,{method:a,headers:{DPoP:w,"x-sunbreak-meta":G(e,{pode:o}),"content-type":"application/json"},credentials:"include",body:"{}"}),d=w=>{let k=w.headers.get("dpop-nonce");k&&Mt.set(l,k);},g=await p(await c(Mt.get(l)));if(d(g),g.status===401){e.logger.info("Probe got 401, retrying with nonce from www-authenticate");let w=g.headers.get("www-authenticate"),b=(w&&w.match(/dpop-nonce="([^"]+)"/i))?.[1];b&&(Mt.set(l,b),g=await p(await c(b)),d(g));}e.logger.api(a,i,{status:g.status});let R=w=>!w||w==="null"||w==="undefined"?null:w,K={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:R(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated};e.stateMachine.onProbeComplete(K);}catch(o){e.logger.error("Probe failed",o);try{Ne.delete(t);}catch{}}finally{e.markProbed(),e.logger.flow("probe","Probe flow completed");}})();e.probeLock.current=r;try{await r;}finally{e.probeLock.current=null;}}var jr=e=>{let t=useCallback(()=>je(e),[e]),r=useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a){e.logger.guard("registerCooldown",false,"Cooldown active");return}if(!e.wallet){e.logger.guard("attemptRegister",false,"No wallet");return}if(!e.initResolvedRef.current){e.logger.guard("attemptRegister",false,"Not initialized");return}if(e.refreshLock.current){e.logger.guard("attemptRegister",false,"Refresh in progress");return}if(e.registerLock.current){e.logger.guard("attemptRegister",false,"Register already in progress");return}let i=c=>!c||c==="null"||c==="undefined"?null:c,s={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:i(e.meta.refreshId),hasToken:!!z(e),tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated};if(!e.stateMachine.shouldAttemptRegister(s)){e.logger.guard("attemptRegister",false,`State machine blocked (state: ${e.stateMachine.getState()}, inActiveSession: ${e.stateMachine.isInActiveSession()})`);return}let u=e.proofRef.current;if(!u){e.logger.guard("attemptRegister",false,"No proof available");return}e.logger.guard("attemptRegister",true,"All guards passed, proceeding");let l=(async()=>{try{await e.awaitKeyStable(),await Oe(e,e.wallet,u,{refreshFallback:async()=>{e.logger.info("Attempting refresh as fallback after register failure");let c=!!e.meta.boundWallet;!c&&e.wallet&&e.setBoundWallet(e.wallet);try{return await je(e)}catch{return c||e.setBoundWallet(null),!1}}});}catch(c){let p=c;e.setError(p?.message||String(c)||"Register failed");}finally{e.registerLock.current=null;}})();e.registerLock.current=l;},[e]),n=useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Ce(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a,i)=>Oe(e,o,a,i),attemptRegister:r,setProofFromAdapterToken:n}};var eo=(e,t)=>`${e.toUpperCase()} ${t}`;async function st(e,t,r,n,o,a={}){e.setLoadingCount(l=>l+1),e.setError(null);let i=n.startsWith("/api/session"),s=new AbortController,u=setTimeout(()=>s.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let c=`${i?bt(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,d=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,g=eo(r,d),R=n.startsWith("/auth/"),K=!1,w=!1,k=e.currentReqId(),b=st._nonceCacheRef||(st._nonceCacheRef={map:new Map}),J=_=>{let X=_.headers.get("dpop-nonce");X&&b.map.set(g,X);},M=!!e.wallet&&!!e.authWalletRef.current&&!A(e.wallet,e.authWalletRef.current),h=()=>R||!e.wallet?!1:!!(e.authenticated||A(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),f,y,C=async()=>{if(R||M)return;try{let le=z(e),ae=e.tokenExpRef.current,lt=Math.floor(Date.now()/1e3),ut=!!ae&&ae-lt<=60;if(le){if(ut&&!await t().catch(()=>!1))return}else if(!h()||!await t().catch(()=>!1))return}catch{}let _=z(e);if(!_)return;let X=await nt(_),U=b.map.get(g),te=await V({method:r,url:d,nonce:U,ath:X,privateKey:ee(e),publicJwk:W(e)});f=`Bearer ${e.accessTokenRef.current}`,y=te;};await C();let D={"content-type":"application/json","x-sunbreak-auth":f||"","x-sunbreak-meta":G(e,{reqId:k,auth:f,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...St(a.headers)};y&&(D.DPoP=y);let xe=async()=>e.fetchImpl(c,{...a,method:r,headers:D,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:s.signal}),x=await xe(),Ue=x.headers.get("x-sunbreak-policy-hash"),Fe=x.headers.get("x-sunbreak-policy-proof");if(Ue&&e.setLastPolicyHash(Ue),Fe&&e.setLastPolicyProof(Fe),J(x),x.status===401&&!R){let _=z(e),X=x.headers.get("www-authenticate"),te=(X&&X.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!M&&te&&_&&!w){w=!0,b.map.set(g,te);let le=await nt(_),ae=await V({method:r,url:d,nonce:te,ath:le,privateKey:ee(e),publicJwk:W(e)});f=`Bearer ${e.accessTokenRef.current}`,y=ae,D["x-sunbreak-meta"]=G(e,{reqId:k,auth:f}),D.DPoP=y,x=await xe(),J(x);}if(x.status===401&&!K&&(K=!0,!M&&h())){let le=await t(),ae=z(e);le&&ae&&!M&&(await C(),D["x-sunbreak-meta"]=G(e,{reqId:k,auth:f}),y&&(D.DPoP=y),x=await xe(),J(x));}if(x.status===401)throw new Error("Unauthorized")}if(!x.ok){let _=await Le(x);if((x.headers.get("content-type")||"").includes("application/json")){let U=await x.json().catch(()=>{}),te=Me(U&&(U.error||U.message||U.detail)||`HTTP ${x.status}`);throw me(te,_)}else {let U=_.waf?"Blocked by WAF (403)":_.alb403?"Blocked at origin (ALB 403)":`HTTP ${x.status}`;throw me(U,_)}}return (x.headers.get("content-type")||"").includes("application/json")?await x.json():void 0}finally{clearTimeout(u),e.setLoadingCount(l=>Math.max(0,l-1));}}var Nr=(e,t)=>useCallback(async(r,n,o,a={})=>st(e,t,r,n,o,a),[e,t]);async function Ur(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(ce(n));}return r}var Fr=(e,t)=>({session:useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&!A(e.wallet,e.meta.boundWallet)))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await Ur(e,t)}catch(n){throw e.logger.error("Session request failed",n),n}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t])});var ct=e=>(e.registerCooldownUntilRef.current??0)>Date.now(),Br=e=>{if(!e)return null;let t=e.indexOf(":");return t>0?e.slice(0,t):null},no=e=>!e||e==="null"||e==="undefined"?null:e,N=e=>({wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:no(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated});var Ht=e=>{useEffect(()=>{if(!e.metaReady)return;let t=true;return (async()=>{try{if(await e.waitReady(),!t||(await e.awaitKeyStable(),!t)||(await e.ensureRootKeypair(),!t))return;let r=N(e);e.stateMachine.initialize(r),await Or(e);}catch(r){if(!t)return;e.logger.error("Probe initialization failed",r);}})(),()=>{t=false;}},[e.metaReady]);};var $t=e=>{useEffect(()=>{let t=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==t&&e.hasProbedRef.current&&!e.refreshLock.current&&(e.didInitialRefresh.current=false),!e.wallet){e.logger.flow("wallet","Wallet disconnected"),e.stateMachine.onWalletDisconnect(),e.setAllowed(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.hasProbedRef.current&&!e.refreshLock.current&&(e.didInitialRefresh.current=false);return}if(t&&e.wallet&&t!==e.wallet){e.logger.flow("wallet",`Wallet changed: ${t} \u2192 ${e.wallet}`);let r=N(e);e.stateMachine.onWalletChange(t,e.wallet,r),e.proofRef.current=null,e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.rotateLock.current=(async()=>{await e.rotate();})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;});}if(!t&&e.wallet){if(e.logger.flow("wallet",`Wallet connected: ${e.wallet}`),e.didInitialSession.current=false,!e.metaReady){e.logger.info("Wallet connected but meta not ready, deferring state machine update");return}let r=N(e);e.stateMachine.onWalletChange(null,e.wallet,r);}},[e.wallet,e.metaReady]);};var Ot=(e,t)=>{let{attemptRegister:r,setProofFromAdapterToken:n}=t;useEffect(()=>{if(!e.providerAdapter||ct(e)||!e.metaReady||!e.wallet)return;let o=N(e);if(e.stateMachine.isInActiveSession()){e.logger.decision("Provider adapter should trigger register?",false,`Already in active session (state: ${e.stateMachine.getState()})`);return}if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,o)){e.logger.decision("Provider adapter should wait for initial refresh?",true,"Returning user - refresh first");return}e.logger.decision("Provider adapter should trigger register?",true,`Fetching token (state: ${e.stateMachine.getState()})`);let a=false;return (async()=>{try{let i=e.providerAdapter.getToken(),s=new Promise((l,c)=>setTimeout(()=>c(new Error("Provider adapter timeout (30s)")),3e4)),u=await Promise.race([i,s]).catch(l=>(e.logger.warn("Provider adapter getToken failed",l),null))??null;if(await e.awaitKeyStable(),a||!u)return;try{let l=u.split(".");if(l[1]){let c=JSON.parse(atob(l[1]));e.logger.info("Provider adapter: got token",{wallet:e.wallet,jwtSub:c.sub,jwtWallet:c.wallet||c.linked_accounts?.[0]?.address,jwtExp:c.exp,jwtIat:c.iat});}}catch{e.logger.info("Provider adapter: got token (could not decode)");}await n(u),await r();}catch(i){e.logger.error("Provider adapter flow failed",i);}})(),()=>{a=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef,e.didInitialRefresh,...e.refreshDeps]);};var jt=(e,t)=>{let{proofProp:r,attemptRegister:n}=t;useEffect(()=>{if(typeof r<"u"&&(e.proofRef.current=r??null,r&&e.logger.info("Proof prop updated",{hasProof:!!r})),!e.metaReady)return;let o=N(e),a=!!e.wallet,i=!!e.proofRef.current,s=false,u=e.proofRef.current?.method,l=u==="siwe"||u==="eip191";if(i&&e.stateMachine.isInActiveSession())if(l){let p=Ke(e.proofRef.current),d=e.meta.registeredProofId;if(p&&d){let g=Br(d),R=g==="siwe"||g==="eip191";if(R&&p!==d)e.logger.info("Proof prop: SIWE/EIP191 credentials changed, allowing re-registration",{old:d,new:p}),e.stateMachine.onNewCredentialsReceived(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,s=true;else if(R){e.logger.decision("Proof prop should trigger register?",false,"Already authenticated with same SIWE/EIP191 credentials");return}else e.logger.info("Proof prop: switching from provider JWT to SIWE/EIP191, allowing re-registration",{old:d,new:p}),e.stateMachine.onNewCredentialsReceived(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,s=true;}}else {e.logger.decision("Proof prop should trigger register?",false,`Already in active session, no credential change detection for ${u}`);return}let c=s?N(e):o;if(!e.stateMachine.shouldAttemptRegister(c)){e.logger.decision("Proof prop should trigger register?",false,`State machine says no (state: ${e.stateMachine.getState()}, inActiveSession: ${e.stateMachine.isInActiveSession()})`);return}if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,c)){e.logger.decision("Proof prop should wait for initial refresh?",true,"Returning user - refresh first");return}a&&i&&e.initResolvedRef.current&&!ct(e)&&(e.logger.info("Proof prop conditions met, attempting register"),n());},[r,e.wallet,e.authenticated,e.meta.boundWallet,e.meta.registeredProofId,e.metaReady,e.providerAdapter,e.initResolvedRef,e.didInitialRefresh,n]);};var Nt=(e,t)=>{let{refresh:r,session:n}=t;useEffect(()=>{if(!e.metaReady||e.didInitialRefresh.current)return;e.didInitialRefresh.current=true;let o=true;return (async()=>{try{await e.waitReady(),await e.awaitProbe();let a=N(e);if(e.accessTokenRef.current||e.authenticated){e.logger.info("Already authenticated, skipping initial refresh"),e.wallet&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}if(!e.stateMachine.shouldAttemptRefresh(a)){e.logger.decision("Should attempt initial refresh?",!1,`State: ${e.stateMachine.getState()}`);return}e.logger.decision("Should attempt initial refresh?",!0,`State: ${e.stateMachine.getState()}`);let s=await r();if(!o)return;e.setAuthenticated(s),s&&e.wallet&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(a){if(!o)return;let i=a;e.setAuthenticated(false),e.setError(i?.message||String(a)||"Unknown error");}})(),()=>{o=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,e.didInitialRefresh,r,n]);};var Ut=e=>{useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&!A(e.meta.boundWallet,e.wallet)&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]);};var Ft=(e,t)=>{let{session:r}=t;useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&e.accessTokenRef.current&&!(e.meta.boundWallet&&!A(e.wallet,e.meta.boundWallet))&&!e.didInitialSession.current){e.didInitialSession.current=true;try{e.logger.flow("session","Calling session after authentication"),await r();}catch(n){let o=n;e.setError(o?.message||String(n));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,r]);};var Bt=e=>{useEffect(()=>{e.wallet&&e.authWalletRef.current&&!A(e.wallet,e.authWalletRef.current)&&(e.logger.warn("Wallet mismatch detected, clearing auth",{current:e.wallet,authWallet:e.authWalletRef.current}),e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]);};var Gt=(e,t)=>{let{refresh:r,session:n}=t;useEffect(()=>{let i=()=>{let l=Math.floor(Date.now()/1e3),c=e.tokenExpRef.current,p=e.sessionExpiry,d=!!c&&c-l<=30&&c-l>0,g=!!p&&p-l<=3600&&p-l>0;return {tokenSoon:d,sessionSoon:g}},s=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&!A(e.wallet,e.meta.boundWallet))return;let{tokenSoon:l,sessionSoon:c}=i();(l||c)&&(e.logger.info("Refreshing on focus",{tokenSoon:l,sessionSoon:c}),await r()&&c&&await n());}catch{}},u=async()=>{document.visibilityState==="visible"&&await s();};return window.addEventListener("focus",s),document.addEventListener("visibilitychange",u),()=>{window.removeEventListener("focus",s),document.removeEventListener("visibilitychange",u);}},[e,e.sessionExpiry,r,n]);};var Gr=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;Ht(e),$t(e),Ot(e,{attemptRegister:o,setProofFromAdapterToken:a}),jt(e,{proofProp:i,attemptRegister:o}),Nt(e,{refresh:r,session:n}),Ut(e),Ft(e,{session:n}),Bt(e),Gt(e,{refresh:r,session:n});};var Vr=createContext(void 0),yo=e=>{let t=$r(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=jr(t),a=Nr(t,r),{session:i}=Fr(t,a);Gr(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let s=useMemo(()=>({get:(u,l)=>a("GET",u,void 0,l),post:(u,l,c)=>a("POST",u,l,c),session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,wallet:t.wallet}),[a,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.sessionExpiry,t.sessionData,t.wallet]);return jsx(Vr.Provider,{value:s,children:e.children})},go=e=>jsx(Ct,{clientId:e.clientId,children:jsx(yo,{...e})}),bo=()=>{let e=useContext(Vr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
+    `.trim()}};var Yn=()=>crypto.randomUUID(),$r=e=>{let{clientId:t,wallet:r,base:n="https://api.sunbreak.com",fetchImpl:a,timeoutMs:i=15e3,proof:o=null,providerAdapter:s,refreshDeps:u=[],debug:l}=e,c=yt(n),p=typeof window<"u"?(a??fetch).bind(window):a??fetch,{meta:d,setBoundWallet:w,setJkt:b,setRefreshId:v,getRefreshId:g,setLastPolicyHash:k,setLastPolicyProof:S,setLastHost:J,setRootJkt:M,setRegisteredProofId:h,ready:f}=Tt(),{ensureRootKeypair:y,rootPrivRef:C,rootPubJwkRef:D}=_t(),Ke=useCallback(async()=>{await y();try{if(!d.rootJkt&&D.current){let re=await $(D.current);M(re);}}catch{}},[y,d.rootJkt,D]),{ensureKeypair:K,rotate:Ue,privRef:Fe,pubJwkRef:qt}=Jt(),[_,X]=useState(false),[U,te]=useState(0),[le,ae]=useState(null),[ut,ft]=useState(null),[dt,Xr]=useState(null),[Yr,Zr]=useState(null),Qr=useRef(null),en=useRef(null),tn=useRef(null),rn=useRef(null),nn=useRef(null),on=useRef(null),an=useRef(null),sn=useRef(false),cn=useRef(false),ln=useRef(void 0),Be=useRef(false),pt=useRef(false),zt=useRef(null),ue=useRef(null);ue.current||(ue.current=new Promise(re=>{zt.current=re;}));let ht=useRef(null),un=useRef(o),fn=useRef(null),ge=useRef(null);if(!ge.current){let re=l??false;ge.current=new He(t,re);}let Xt=l??false;ge.current&&ge.current.enabled!==Xt&&(ge.current.enabled=Xt);let mt=useRef(null);mt.current||(mt.current=new $e);let Ge=useRef(null),Yt=useRef(null),Ve=useRef(null),Zt=()=>Date.now(),dn=()=>(Ve.current??0)>0&&Ve.current<Zt(),wt=useCallback((re,yn=15e3)=>{let Qt=Yn();return Ge.current=Qt,Yt.current=re,Ve.current=Zt()+Math.max(1e3,yn),Qt},[]),pn=useCallback(()=>((!Ge.current||dn())&&wt("adhoc",1e4),Ge.current),[wt]),gt=useRef(null),qe=useRef(null);qe.current||(qe.current=new Promise(re=>{gt.current=re;}));let hn=useCallback(async()=>{!Be.current&&qe.current&&await qe.current;},[]),mn=useCallback(()=>{Be.current||(Be.current=true,gt.current?.(),gt.current=null);},[]),wn=useCallback(async()=>{!pt.current&&ue.current&&await ue.current;},[]),gn=useCallback(async()=>{!pt.current&&ue.current&&await ue.current,ht.current&&await ht.current;},[]);return {clientId:t,wallet:r,baseUrl:c,fetchImpl:p,timeoutMs:i,providerAdapter:s,refreshDeps:u,ensureKeypair:K,rotate:Ue,ensureRootKeypair:Ke,rootPrivRef:C,rootPubJwkRef:D,privRef:Fe,pubJwkRef:qt,meta:d,setBoundWallet:w,setJkt:b,setRefreshId:v,accessTokenRef:tn,tokenExpRef:rn,authenticated:_,setAuthenticated:X,loadingCount:U,setLoadingCount:te,error:le,setError:ae,allowed:ut,setAllowed:ft,sessionExpiry:dt,setSessionExpiry:Xr,sessionData:Yr,setSessionData:Zr,authWalletRef:en,refreshLock:nn,registerLock:on,sessionLock:an,didInitialRefresh:sn,didInitialSession:cn,prevWalletRef:ln,initResolvedRef:pt,initReady:ue,initResolveRef:zt,rotateLock:ht,waitReady:wn,awaitKeyStable:gn,proofRef:un,registerCooldownUntilRef:Qr,reqIdRef:Ge,flowLabelRef:Yt,flowExpireRef:Ve,beginFlow:wt,currentReqId:pn,awaitProbe:hn,markProbed:mn,hasProbedRef:Be,getRefreshId:g,setLastPolicyHash:k,setLastPolicyProof:S,setLastHost:J,setRootJkt:M,setRegisteredProofId:h,metaReady:f,probeLock:fn,stateMachine:mt.current,logger:ge.current}};var z=e=>e.accessTokenRef.current??null,ee=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},W=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Zn=(e,t)=>`${e.toUpperCase()} ${t}`;async function Oe(e,t,r,n){if(!t)return e.logger.guard("register",false,"No wallet provided"),false;if(!e.clientId)return e.logger.guard("register",false,"No client ID configured"),e.setError("Missing client ID. Please configure a valid client ID."),false;e.logger.flow("register","Starting register flow",{wallet:t});let a=Oe._nonceCacheRef||(Oe._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let i;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let y=await $(e.rootPubJwkRef.current);e.setRootJkt?.(y);}catch{}let h=await $(W(e)),f=await e.getRefreshId();i=await he({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:h,clientId:e.clientId,sid:f||void 0,ttlSec:300});}}catch(h){e.logger.warn("Failed to create PODE for register",h);}let o=e.currentReqId(),s="/auth/register",u=`${e.baseUrl}${s}`,l=new URL(e.baseUrl).origin,c="POST",p=`${l}${s}`,d=Zn(c,p),w=a.map.get(d),b=await V({method:c,url:p,nonce:w,privateKey:ee(e),publicJwk:W(e)}),v=async h=>e.fetchImpl(u,{method:c,headers:{"content-type":"application/json","x-sunbreak-meta":G(e,{reqId:o,pode:i||void 0,wallet:t}),...h},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),g=await v({DPoP:b}),k=h=>{let f=h.headers.get("dpop-nonce");f&&a.map.set(d,f);};if(g.status===401){e.logger.info("Register got 401, retrying with nonce");let h=g.headers.get("www-authenticate"),y=(h&&h.match(/dpop-nonce="([^"]+)"/i))?.[1];if(y){a.map.set(d,y);let C=await V({method:c,url:p,nonce:y,privateKey:ee(e),publicJwk:W(e)});g=await v({DPoP:C});}}if(k(g),e.logger.api(c,s,{status:g.status}),!g.ok){let h=await Le(g);if((g.headers.get("content-type")||"").includes("application/json")){let y;try{y=await g.clone().json();}catch{}let C=Me(y&&(y.error||y.message||y.detail)||`HTTP ${g.status}`);throw me(C,h)}else {let y=h.waf?"Blocked by WAF (403)":h.alb403?"Blocked at origin (ALB 403)":`HTTP ${g.status}`;throw me(y,h)}}let S=await g.json();e.logger.info("Register succeeded",{expiresIn:S.expiresIn,hasRefreshId:!!S.refreshId}),e.accessTokenRef.current=S.access,e.authWalletRef.current=ce(t),e.setAuthenticated(!0);try{let h=Math.floor(Date.now()/1e3);e.tokenExpRef.current=h+(S.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(ce(t)),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await $(W(e)));}catch{}let J=Ce(r);e.setRegisteredProofId(J);try{let h={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:S.refreshId??null,registeredProofId:J};e.setRefreshId(S.refreshId??null);let f=We(e.clientId);await R(f,h);try{localStorage.setItem(f,JSON.stringify(h));}catch(y){e.logger.warn("Failed to persist meta to localStorage",y);}}catch(h){e.logger.warn("Failed to persist session metadata",h);}let M={wallet:t,boundWallet:t,refreshId:S.refreshId??null,hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!0,authenticated:!0};return e.stateMachine.onRegisterSuccess(M),!0}catch(i){let o=i,s=Number(o?.status||0),u=String(o?.code||"").toLowerCase(),l=String(o?.message||"").toLowerCase(),c=Math.floor(Math.random()*1e3);e.logger.error("Register failed",{status:s,code:u,msg:l}),e.stateMachine.onRegisterFailure(`${u||l||"Unknown error"}`);let p=u==="session_exists"||u==="already_authenticated"||l.includes("already")&&(l.includes("session")||l.includes("authenticated")),d=(s===401||s===403)&&u==="replay";if((p||d)&&n?.refreshFallback&&(!e.meta.boundWallet||x(e.meta.boundWallet,t))){e.logger.info("Register failed with recoverable error, attempting refresh fallback",{code:u,isSessionExists:p,isReplay:d});try{if(await n.refreshFallback())return e.logger.info("Refresh fallback succeeded after register failure"),e.meta.boundWallet||e.setBoundWallet(t),!0}catch(v){e.logger.warn("Refresh fallback failed",v);}}if(d){if(e.providerAdapter)try{let b=await e.providerAdapter.getToken()??null;if(b)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await ye(e.providerAdapter,b),e.registerCooldownUntilRef.current=Date.now()+5e3+c,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+c,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+c,false}if(p)return e.setError("Session already exists. Try refreshing the page."),e.registerCooldownUntilRef.current=Date.now()+3e3+c,false;if(u==="siwe_invalid"||u==="eip191_invalid"||u==="ed25519_invalid"||u==="sig_wallet_mismatch"||l.includes("invalid")&&l.includes("signature")){if(e.logger.warn("Proof invalid for wallet, clearing proof",{code:u,msg:l}),e.proofRef.current=null,e.providerAdapter)try{let b=await e.providerAdapter.getToken()??null;if(b)return e.proofRef.current=await ye(e.providerAdapter,b),e.registerCooldownUntilRef.current=Date.now()+3e3+c,!1}catch{}return e.setError("Proof doesn't match wallet. Please sign again."),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}if(s===403&&(o?.waf||o?.alb403))return e.setError(l||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+c,false;if(s===403)return e.setError(u||l||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+c,false;if(s===429||s===503){e.setError(u||l||"Rate limited / unavailable");let b=s===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+b+c,false}return e.setError(u||l||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}}var Qn=(e,t)=>`${e.toUpperCase()} ${t}`;function je(e){if(e.refreshLock.current)return e.logger.guard("refreshLock",false,"Refresh already in progress"),e.refreshLock.current;if(e.registerLock.current){e.logger.guard("registerLock",false,"Registration in progress, waiting");let t=e.registerLock.current.then(()=>{if(e.authenticated&&z(e))return  true;if(z(e)){let n=e.tokenExpRef.current,a=Math.floor(Date.now()/1e3);if(!!n&&n-a>5)return  true}return  false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.logger.flow("refresh","Starting refresh flow"),e.refreshLock.current=(async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe();let t=e.meta.boundWallet||e.wallet;if(!t)return e.logger.warn("No wallet available for refresh (neither boundWallet nor current wallet)"),!1;if(!e.clientId)return e.logger.warn("No client ID configured for refresh"),e.setError("Missing client ID. Please configure a valid client ID."),!1;if(e.wallet&&e.meta.boundWallet&&!x(e.wallet,e.meta.boundWallet))return e.logger.warn("Wallet mismatch during refresh",{current:e.wallet,bound:e.meta.boundWallet}),e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let r=z(e);if(r){let f=e.tokenExpRef.current,y=Math.floor(Date.now()/1e3);if(!!r&&!!f&&f-y>5)return e.logger.info("Token still valid, skipping refresh"),!0}e.beginFlow("refresh",15e3);let n=e.currentReqId();await e.ensureKeypair();let a;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let C=await $(e.rootPubJwkRef.current);e.setRootJkt?.(C);}catch{}let f=await $(W(e)),y=await e.getRefreshId();a=await he({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:f,clientId:e.clientId,sid:y||void 0,ttlSec:300});}}catch(f){e.logger.warn("Failed to create PODE for refresh",f);}let i="/auth/refresh",o=`${e.baseUrl}${i}`,s=new URL(e.baseUrl).origin,u="POST",l=`${s}${i}`,c=Qn(u,l),p=je._nonceCacheRef||(je._nonceCacheRef={map:new Map}),d=async f=>await V({method:u,url:l,nonce:f,privateKey:ee(e),publicJwk:W(e)}),w=await e.getRefreshId(),b={"x-sunbreak-meta":G(e,{reqId:n,refreshId:w||void 0,pode:a||void 0,wallet:t}),"content-type":"application/json"},v=async f=>e.fetchImpl(o,{method:u,headers:{DPoP:f,...b},credentials:"include",body:"{}"}),g=f=>{let y=f.headers.get("dpop-nonce");y&&p.map.set(c,y);},k=await v(await d(p.map.get(c)));if(k.status===401){e.logger.info("Refresh got 401, retrying with nonce");let f=k.headers.get("www-authenticate"),C=(f&&f.match(/dpop-nonce="([^"]+)"/i))?.[1];C&&(p.map.set(c,C),k=await v(await d(C)));}if(g(k),e.logger.api(u,i,{status:k.status}),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let y=await k.clone().json().catch(()=>{}),C=y&&(y.error||y.code||y.message)||"",D=String(C).toLowerCase();if(D.includes("missing")&&D.includes("refresh")){e.logger.warn("Refresh session expired (missing refresh identifier)"),e.stateMachine.onRefreshExpired();try{e.setRefreshId?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}else e.logger.warn("Refresh failed",{error:C}),e.stateMachine.onRefreshFailure(String(C));}}catch{}return !1}let S=await k.json();e.logger.info("Refresh succeeded",{expiresIn:S.expiresIn,hasRefreshId:!!S.refreshId}),e.accessTokenRef.current=S.access,e.setAuthenticated(!0);let J=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=J?ce(J):null;try{let f=Math.floor(Date.now()/1e3);e.tokenExpRef.current=f+(S.expiresIn??0);}catch{}try{e.setJkt(await $(W(e)));}catch{}S.refreshId&&e.setRefreshId(S.refreshId);let M=f=>!f||f==="null"||f==="undefined"?null:f,h={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:M(S.refreshId??e.meta.refreshId??null),hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!!e.proofRef.current,authenticated:!0};return e.stateMachine.onRefreshSuccess(h),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var eo=(e,t)=>`${e.toUpperCase()} ${t}`,Lt=new Map,Ne;try{let e=globalThis;Ne=e.__sunbreak_page_probe_guard??(e.__sunbreak_page_probe_guard=new Set);}catch{Ne=new Set;}var to=e=>{try{let t=new URL(e.baseUrl).origin;return `${e.clientId}::${t}`}catch{return `${e.clientId}::${e.baseUrl}`}};async function Or(e){let t=to(e);if(e.probeLock.current){e.logger.guard("probeLock",false,"Probe already in progress, waiting"),await e.probeLock.current,e.markProbed();return}if(e.hasProbedRef.current){e.logger.guard("hasProbedRef",false,"Already probed in this session"),e.markProbed();return}if(Ne.has(t)){e.logger.guard("pageProbeGuard",false,"Already probed for this page load"),e.markProbed();return}if(Ne.add(t),!e.clientId){e.logger.warn("No client ID configured, skipping probe"),e.markProbed();return}e.logger.flow("probe","Starting probe flow",{clientId:e.clientId,pageKey:t});let r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let a;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let g=await $(W(e));a=await he({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:g,clientId:e.clientId,ttlSec:300});}catch(g){e.logger.warn("Failed to create PODE for probe",g);}let i="POST",o="/auth/probe",s=`${e.baseUrl}${o}`,u=`${n}${o}`,l=eo(i,u),c=async g=>V({method:i,url:u,nonce:g,privateKey:ee(e),publicJwk:W(e)}),p=async g=>e.fetchImpl(s,{method:i,headers:{DPoP:g,"x-sunbreak-meta":G(e,{pode:a}),"content-type":"application/json"},credentials:"include",body:"{}"}),d=g=>{let k=g.headers.get("dpop-nonce");k&&Lt.set(l,k);},w=await p(await c(Lt.get(l)));if(d(w),w.status===401){e.logger.info("Probe got 401, retrying with nonce from www-authenticate");let g=w.headers.get("www-authenticate"),S=(g&&g.match(/dpop-nonce="([^"]+)"/i))?.[1];S&&(Lt.set(l,S),w=await p(await c(S)),d(w));}e.logger.api(i,o,{status:w.status});let b=g=>!g||g==="null"||g==="undefined"?null:g,v={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:b(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated};e.stateMachine.onProbeComplete(v);}catch(a){e.logger.error("Probe failed",a);try{Ne.delete(t);}catch{}}finally{e.markProbed(),e.logger.flow("probe","Probe flow completed");}})();e.probeLock.current=r;try{await r;}finally{e.probeLock.current=null;}}var jr=e=>{let t=useRef(e);t.current=e;let r=useCallback(()=>je(t.current),[]),n=useCallback(async()=>{let o=t.current,s=Date.now(),u=o.registerCooldownUntilRef.current??0;if(s<u){o.logger.guard("registerCooldown",false,"Cooldown active");return}if(!o.wallet){o.logger.guard("attemptRegister",false,"No wallet");return}if(!o.initResolvedRef.current){o.logger.guard("attemptRegister",false,"Not initialized");return}if(o.refreshLock.current){o.logger.guard("attemptRegister",false,"Refresh in progress");return}if(o.registerLock.current){o.logger.guard("attemptRegister",false,"Register already in progress");return}let l=w=>!w||w==="null"||w==="undefined"?null:w,c={wallet:o.wallet||null,boundWallet:o.meta.boundWallet||null,refreshId:l(o.meta.refreshId),hasToken:!!z(o),tokenExpiry:o.tokenExpRef.current||null,hasProof:!!o.proofRef.current,authenticated:o.authenticated};if(!o.stateMachine.shouldAttemptRegister(c)){o.logger.guard("attemptRegister",false,`State machine blocked (state: ${o.stateMachine.getState()}, inActiveSession: ${o.stateMachine.isInActiveSession()})`);return}let p=o.proofRef.current;if(!p){o.logger.guard("attemptRegister",false,"No proof available");return}o.logger.guard("attemptRegister",true,"All guards passed, proceeding");let d=(async()=>{try{await o.awaitKeyStable(),await Oe(o,o.wallet,p,{refreshFallback:async()=>{o.logger.info("Attempting refresh as fallback after register failure");let w=!!o.meta.boundWallet;!w&&o.wallet&&o.setBoundWallet(o.wallet);try{return await je(o)}catch{return w||o.setBoundWallet(null),!1}}});}catch(w){let b=w;o.setError(b?.message||String(w)||"Register failed");}finally{o.registerLock.current=null;}})();o.registerLock.current=d;},[]),a=useCallback(async o=>{let s=t.current,u=()=>(s.registerCooldownUntilRef.current??0)>Date.now();if(!s.providerAdapter||u())return;let l=await ye(s.providerAdapter,o);s.proofRef.current=l;},[]),i=useCallback((o,s,u)=>Oe(t.current,o,s,u),[]);return {refresh:r,register:i,attemptRegister:n,setProofFromAdapterToken:a}};var no=(e,t)=>`${e.toUpperCase()} ${t}`;async function ct(e,t,r,n,a,i={}){e.setLoadingCount(l=>l+1),e.setError(null);let o=n.startsWith("/api/session"),s=new AbortController,u=setTimeout(()=>s.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let c=`${o?St(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,d=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,w=no(r,d),b=n.startsWith("/auth/"),v=!1,g=!1,k=e.currentReqId(),S=ct._nonceCacheRef||(ct._nonceCacheRef={map:new Map}),J=_=>{let X=_.headers.get("dpop-nonce");X&&S.map.set(w,X);},M=!!e.wallet&&!!e.authWalletRef.current&&!x(e.wallet,e.authWalletRef.current),h=()=>b||!e.wallet?!1:!!(e.authenticated||x(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),f,y,C=async()=>{if(b||M)return;try{let le=z(e),ae=e.tokenExpRef.current,ut=Math.floor(Date.now()/1e3),ft=!!ae&&ae-ut<=60;if(le){if(ft&&!await t().catch(()=>!1))return}else if(!h()||!await t().catch(()=>!1))return}catch{}let _=z(e);if(!_)return;let X=await nt(_),U=S.map.get(w),te=await V({method:r,url:d,nonce:U,ath:X,privateKey:ee(e),publicJwk:W(e)});f=`Bearer ${e.accessTokenRef.current}`,y=te;};await C();let D={"content-type":"application/json","x-sunbreak-auth":f||"","x-sunbreak-meta":G(e,{reqId:k,auth:f,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...Rt(i.headers)};y&&(D.DPoP=y);let Ke=async()=>e.fetchImpl(c,{...i,method:r,headers:D,body:a!==void 0?JSON.stringify(a):void 0,credentials:"include",signal:s.signal}),K=await Ke(),Ue=K.headers.get("x-sunbreak-policy-hash"),Fe=K.headers.get("x-sunbreak-policy-proof");if(Ue&&e.setLastPolicyHash(Ue),Fe&&e.setLastPolicyProof(Fe),J(K),K.status===401&&!b){let _=z(e),X=K.headers.get("www-authenticate"),te=(X&&X.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!M&&te&&_&&!g){g=!0,S.map.set(w,te);let le=await nt(_),ae=await V({method:r,url:d,nonce:te,ath:le,privateKey:ee(e),publicJwk:W(e)});f=`Bearer ${e.accessTokenRef.current}`,y=ae,D["x-sunbreak-meta"]=G(e,{reqId:k,auth:f}),D.DPoP=y,K=await Ke(),J(K);}if(K.status===401&&!v&&(v=!0,!M&&h())){let le=await t(),ae=z(e);le&&ae&&!M&&(await C(),D["x-sunbreak-meta"]=G(e,{reqId:k,auth:f}),y&&(D.DPoP=y),K=await Ke(),J(K));}if(K.status===401)throw new Error("Unauthorized")}if(!K.ok){let _=await Le(K);if((K.headers.get("content-type")||"").includes("application/json")){let U=await K.json().catch(()=>{}),te=Me(U&&(U.error||U.message||U.detail)||`HTTP ${K.status}`);throw me(te,_)}else {let U=_.waf?"Blocked by WAF (403)":_.alb403?"Blocked at origin (ALB 403)":`HTTP ${K.status}`;throw me(U,_)}}return (K.headers.get("content-type")||"").includes("application/json")?await K.json():void 0}finally{clearTimeout(u),e.setLoadingCount(l=>Math.max(0,l-1));}}var Ur=(e,t)=>{let r=useRef(e),n=useRef(t);return r.current=e,n.current=t,useCallback(async(a,i,o,s={})=>ct(r.current,n.current,a,i,o,s),[])};async function Fr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(ce(n));}return r}var Gr=(e,t)=>{let r=useRef(e),n=useRef(t);return r.current=e,n.current=t,{session:useCallback(async()=>{let i=r.current,o=n.current;if(i.wallet&&!(i.meta.boundWallet&&!x(i.wallet,i.meta.boundWallet)))return i.sessionLock.current||(i.sessionLock.current=(async()=>{try{return await Fr(i,o)}catch(s){throw i.logger.error("Session request failed",s),s}finally{i.sessionLock.current=null;}})()),i.sessionLock.current},[])}};var lt=e=>(e.registerCooldownUntilRef.current??0)>Date.now(),Vr=e=>{if(!e)return null;let t=e.indexOf(":");return t>0?e.slice(0,t):null},io=e=>!e||e==="null"||e==="undefined"?null:e,N=e=>({wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:io(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated});var Ht=e=>{useEffect(()=>{if(!e.metaReady)return;let t=true;return (async()=>{try{if(await e.waitReady(),!t||(await e.awaitKeyStable(),!t)||(await e.ensureRootKeypair(),!t))return;let r=N(e);e.stateMachine.initialize(r),await Or(e);}catch(r){if(!t)return;e.logger.error("Probe initialization failed",r);}})(),()=>{t=false;}},[e.metaReady]);};var $t=e=>{useEffect(()=>{let t=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==t&&e.hasProbedRef.current&&!e.refreshLock.current&&(e.didInitialRefresh.current=false),!e.wallet){e.logger.flow("wallet","Wallet disconnected"),e.stateMachine.onWalletDisconnect(),e.setAllowed(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.hasProbedRef.current&&!e.refreshLock.current&&(e.didInitialRefresh.current=false);return}if(t&&e.wallet&&t!==e.wallet){e.logger.flow("wallet",`Wallet changed: ${t} \u2192 ${e.wallet}`);let r=N(e);e.stateMachine.onWalletChange(t,e.wallet,r),e.proofRef.current=null,e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.rotateLock.current=(async()=>{await e.rotate();})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;});}if(!t&&e.wallet){if(e.logger.flow("wallet",`Wallet connected: ${e.wallet}`),e.didInitialSession.current=false,!e.metaReady){e.logger.info("Wallet connected but meta not ready, deferring state machine update");return}let r=N(e);e.stateMachine.onWalletChange(null,e.wallet,r);}},[e.wallet,e.metaReady]);};var Ot=(e,t)=>{let{attemptRegister:r,setProofFromAdapterToken:n}=t;useEffect(()=>{if(!e.providerAdapter||lt(e)||!e.metaReady||!e.wallet)return;let a=N(e);if(e.stateMachine.isInActiveSession()){e.logger.decision("Provider adapter should trigger register?",false,`Already in active session (state: ${e.stateMachine.getState()})`);return}if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,a)){e.logger.decision("Provider adapter should wait for initial refresh?",true,"Returning user - refresh first");return}e.logger.decision("Provider adapter should trigger register?",true,`Fetching token (state: ${e.stateMachine.getState()})`);let i=false;return (async()=>{try{let o=e.providerAdapter.getToken(),s=new Promise((l,c)=>setTimeout(()=>c(new Error("Provider adapter timeout (30s)")),3e4)),u=await Promise.race([o,s]).catch(l=>(e.logger.warn("Provider adapter getToken failed",l),null))??null;if(await e.awaitKeyStable(),i||!u)return;try{let l=u.split(".");if(l[1]){let c=JSON.parse(atob(l[1]));e.logger.info("Provider adapter: got token",{wallet:e.wallet,jwtSub:c.sub,jwtWallet:c.wallet||c.linked_accounts?.[0]?.address,jwtExp:c.exp,jwtIat:c.iat});}}catch{e.logger.info("Provider adapter: got token (could not decode)");}await n(u),await r();}catch(o){e.logger.error("Provider adapter flow failed",o);}})(),()=>{i=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,...e.refreshDeps]);};var jt=(e,t)=>{let{proofProp:r,attemptRegister:n}=t;useEffect(()=>{if(typeof r<"u"&&(e.proofRef.current=r??null,r&&e.logger.info("Proof prop updated",{hasProof:!!r})),!e.metaReady)return;let a=N(e),i=!!e.wallet,o=!!e.proofRef.current,s=false,u=e.proofRef.current?.method,l=u==="siwe"||u==="eip191";if(o&&e.stateMachine.isInActiveSession())if(l){let p=Ce(e.proofRef.current),d=e.meta.registeredProofId;if(p&&d){let w=Vr(d),b=w==="siwe"||w==="eip191";if(b&&p!==d)e.logger.info("Proof prop: SIWE/EIP191 credentials changed, allowing re-registration",{old:d,new:p}),e.stateMachine.onNewCredentialsReceived(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,s=true;else if(b){e.logger.decision("Proof prop should trigger register?",false,"Already authenticated with same SIWE/EIP191 credentials");return}else e.logger.info("Proof prop: switching from provider JWT to SIWE/EIP191, allowing re-registration",{old:d,new:p}),e.stateMachine.onNewCredentialsReceived(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,s=true;}}else {e.logger.decision("Proof prop should trigger register?",false,`Already in active session, no credential change detection for ${u}`);return}let c=s?N(e):a;if(!e.stateMachine.shouldAttemptRegister(c)){e.logger.decision("Proof prop should trigger register?",false,`State machine says no (state: ${e.stateMachine.getState()}, inActiveSession: ${e.stateMachine.isInActiveSession()})`);return}if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,c)){e.logger.decision("Proof prop should wait for initial refresh?",true,"Returning user - refresh first");return}i&&o&&e.initResolvedRef.current&&!lt(e)&&(e.logger.info("Proof prop conditions met, attempting register"),n());},[r,e.wallet,e.authenticated,e.meta.boundWallet,e.meta.registeredProofId,e.metaReady,e.providerAdapter,n]);};var Nt=(e,t)=>{let{refresh:r,session:n}=t;useEffect(()=>{if(!e.metaReady||e.didInitialRefresh.current)return;e.didInitialRefresh.current=true;let a=true;return (async()=>{try{await e.waitReady(),await e.awaitProbe();let i=N(e);if(e.accessTokenRef.current||e.authenticated){e.logger.info("Already authenticated, skipping initial refresh"),e.wallet&&!e.didInitialSession.current&&await n()!==void 0&&(e.didInitialSession.current=!0);return}if(!e.stateMachine.shouldAttemptRefresh(i)){e.logger.decision("Should attempt initial refresh?",!1,`State: ${e.stateMachine.getState()}`);return}e.logger.decision("Should attempt initial refresh?",!0,`State: ${e.stateMachine.getState()}`);let s=await r();if(!a)return;e.setAuthenticated(s),s&&e.wallet&&!e.didInitialSession.current&&await n()!==void 0&&(e.didInitialSession.current=!0);}catch(i){if(!a)return;let o=i;e.setAuthenticated(false),e.setError(o?.message||String(i)||"Unknown error");}})(),()=>{a=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,r,n]);};var Ut=e=>{useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&!x(e.meta.boundWallet,e.wallet)&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]);};var Ft=(e,t)=>{let{session:r}=t;useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&e.accessTokenRef.current&&!(e.meta.boundWallet&&!x(e.wallet,e.meta.boundWallet))&&!e.didInitialSession.current)try{e.logger.flow("session","Calling session after authentication"),await r()!==void 0&&(e.didInitialSession.current=!0);}catch(n){let a=n;e.setError(a?.message||String(n));}})();},[e.authenticated,e.wallet,e.meta.boundWallet,r]);};var Bt=e=>{useEffect(()=>{e.wallet&&e.authWalletRef.current&&!x(e.wallet,e.authWalletRef.current)&&(e.logger.warn("Wallet mismatch detected, clearing auth and proof",{current:e.wallet,authWallet:e.authWalletRef.current}),e.accessTokenRef.current=null,e.setAuthenticated(false),e.proofRef.current=null);},[e.wallet,e.authWalletRef.current]);};var Gt=(e,t)=>{let{refresh:r,session:n}=t;useEffect(()=>{let o=()=>{let l=Math.floor(Date.now()/1e3),c=e.tokenExpRef.current,p=e.sessionExpiry,d=!!c&&c-l<=30&&c-l>0,w=!!p&&p-l<=3600&&p-l>0;return {tokenSoon:d,sessionSoon:w}},s=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&!x(e.wallet,e.meta.boundWallet))return;let{tokenSoon:l,sessionSoon:c}=o();(l||c)&&(e.logger.info("Refreshing on focus",{tokenSoon:l,sessionSoon:c}),await r()&&c&&await n());}catch{}},u=async()=>{document.visibilityState==="visible"&&await s();};return window.addEventListener("focus",s),document.addEventListener("visibilitychange",u),()=>{window.removeEventListener("focus",s),document.removeEventListener("visibilitychange",u);}},[e,e.sessionExpiry,r,n]);};var qr=(e,t)=>{let{refresh:r,session:n,attemptRegister:a,setProofFromAdapterToken:i,proofProp:o}=t;Ht(e),$t(e),Ot(e,{attemptRegister:a,setProofFromAdapterToken:i}),jt(e,{proofProp:o,attemptRegister:a}),Nt(e,{refresh:r,session:n}),Ut(e),Ft(e,{session:n}),Bt(e),Gt(e,{refresh:r,session:n});};var zr=createContext(void 0),So=e=>{let t=$r(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:a}=jr(t),i=Ur(t,r),{session:o}=Gr(t,i);qr(t,{refresh:r,session:o,attemptRegister:n,setProofFromAdapterToken:a,proofProp:e.proof});let s=useMemo(()=>({get:(u,l)=>i("GET",u,void 0,l),post:(u,l,c)=>i("POST",u,l,c),session:o,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,wallet:t.wallet}),[i,o,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.sessionExpiry,t.sessionData,t.wallet]);return jsx(zr.Provider,{value:s,children:e.children})},Ro=e=>jsx(It,{clientId:e.clientId,children:jsx(So,{...e})}),ko=()=>{let e=useContext(zr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
-export { go as SunbreakProvider, bo as useSunbreak };
+export { Ro as SunbreakProvider, ko as useSunbreak };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@tdfc/sunbreak-react",
-  "version": "0.1.14",
+  "version": "0.1.15",
   "description": "SDK for connecting to the Sunbreak API",
   "license": "UNLICENSED",
   "repository": "github:thedigitalfinancecompany/sunbreak-react",