@tdfc/sunbreak-react 0.1.2 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/dist/index.cjs +3 -3
  2. package/dist/index.mjs +2 -2
  3. package/package.json +1 -1
package/dist/index.cjs CHANGED
@@ -3,7 +3,7 @@
3
3
  var react = require('react');
4
4
  var jsxRuntime = require('react/jsx-runtime');
5
5
 
6
- var zr=Object.defineProperty;var Jt=e=>{throw TypeError(e)};var Xr=(e,t,r)=>t in e?zr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var D=(e,t,r)=>Xr(e,typeof t!="symbol"?t+"":t,r),It=(e,t,r)=>t.has(e)||Jt("Cannot "+r);var d=(e,t,r)=>(It(e,t,"read from private field"),r?r.call(e):t.get(e)),M=(e,t,r)=>t.has(e)?Jt("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),O=(e,t,r,n)=>(It(e,t,"write to private field"),t.set(e,r),r);var ke=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Yr="sunbreak-kv",Pe="kv",je="sunbreak_dpop_meta_v1",K="sunbreak_dpop_key_v1",ve="ES256",T="P-256",Ae=e=>`${je}:${e}`,_t=()=>new Promise((e,t)=>{let r=indexedDB.open(Yr,1);r.onupgradeneeded=()=>r.result.createObjectStore(Pe),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),J=async e=>{try{let t=await _t();return await new Promise((r,n)=>{let a=t.transaction(Pe,"readonly").objectStore(Pe).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},R=async(e,t)=>{let r=await _t();await new Promise((n,o)=>{let i=r.transaction(Pe,"readwrite").objectStore(Pe).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var Zr=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},Qr=e=>e.replace(/\/+$/,""),rt=e=>{let t=Qr(e);return Zr(t)};function ot(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=en(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var en=e=>{for(let t=0;t<nt.length;t++){let r=nt[Math.floor(Math.random()*nt.length)].toLowerCase();if(r!==e)return r}return "alpha"},nt=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var j=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var tn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),rn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),nn=new Set(["dpop","x-sunbreak-meta"]),on=64,Wt=2048,an=64;function at(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=an)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>on||tn.has(i)||rn.has(i)||nn.has(i))continue;let c=String(a);c.length>Wt&&(c=c.slice(0,Wt)),t[i]=c,n++;}return t}var X=new TextEncoder,ye=new TextDecoder;function Dt(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Lt(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Ht(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function Mt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:ye.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=ye.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Ht(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Ue(e){let t=e;return typeof t=="string"&&(t=X.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Lt(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ce=class extends Error{constructor(r,n){super(r,n);D(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};D(ce,"code","ERR_JOSE_GENERIC");var _=class extends ce{constructor(){super(...arguments);D(this,"code","ERR_JOSE_NOT_SUPPORTED");}};D(_,"code","ERR_JOSE_NOT_SUPPORTED");var Y=class extends ce{constructor(){super(...arguments);D(this,"code","ERR_JWS_INVALID");}};D(Y,"code","ERR_JWS_INVALID");var Ke=class extends ce{constructor(){super(...arguments);D(this,"code","ERR_JWT_INVALID");}};D(Ke,"code","ERR_JWT_INVALID");var Ot,jt,it=class extends(jt=ce,Ot=Symbol.asyncIterator,jt){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);D(this,Ot);D(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};D(it,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function B(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function me(e,t){return e.name===t}function st(e){return parseInt(e.name.slice(4),10)}function un(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function ln(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function Ut(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!me(e.algorithm,"HMAC"))throw B("HMAC");let n=parseInt(t.slice(2),10);if(st(e.algorithm.hash)!==n)throw B(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!me(e.algorithm,"RSASSA-PKCS1-v1_5"))throw B("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(st(e.algorithm.hash)!==n)throw B(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!me(e.algorithm,"RSA-PSS"))throw B("RSA-PSS");let n=parseInt(t.slice(2),10);if(st(e.algorithm.hash)!==n)throw B(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!me(e.algorithm,"Ed25519"))throw B("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!me(e.algorithm,t))throw B(t);break}case "ES256":case "ES384":case "ES512":{if(!me(e.algorithm,"ECDSA"))throw B("ECDSA");let n=un(t);if(e.algorithm.namedCurve!==n)throw B(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}ln(e,r);}function $t(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Nt=(e,...t)=>$t("Key must be ",e,...t);function ct(e,t,...r){return $t(`Key for the ${e} algorithm must be `,t,...r)}function ut(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function lt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var ft=e=>ut(e)||lt(e);var Bt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return false;r.add(a);}}return true};function fn(e){return typeof e=="object"&&e!==null}var $e=e=>{if(!fn(e)||Object.prototype.toString.call(e)!=="[object Object]")return false;if(Object.getPrototypeOf(e)===null)return true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Ft=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function dn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new _('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var Vt=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=dn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var Gt=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new _(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function xe(e){return $e(e)&&typeof e.kty=="string"}function qt(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function zt(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function Xt(e){return e.kty==="oct"&&typeof e.k=="string"}var we,Yt=async(e,t,r,n=false)=>{we||(we=new WeakMap);let o=we.get(e);if(o?.[r])return o[r];let a=await Vt({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:we.set(e,{[r]:a}),a},yn=(e,t)=>{we||(we=new WeakMap);let r=we.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let c=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!c)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&c==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES384"&&c==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES512"&&c==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:c},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:we.set(e,{[t]:a}),a},Zt=async(e,t)=>{if(e instanceof Uint8Array||ut(e))return e;if(lt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return yn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Yt(e,r,t)}if(xe(e))return e.k?Mt(e.k):Yt(e,e,t,true);throw new Error("unreachable")};var he=e=>e?.[Symbol.toStringTag],dt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return true},mn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(xe(t)){if(Xt(t)&&dt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!ft(t))throw new TypeError(ct(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${he(t)} instances for symmetric algorithms must be of type "secret"`)}},wn=(e,t,r)=>{if(xe(t))switch(r){case "decrypt":case "sign":if(qt(t)&&dt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(zt(t)&&dt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!ft(t))throw new TypeError(ct(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${he(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${he(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${he(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${he(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${he(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},Qt=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?mn(e,t,r):wn(e,t,r);};var er=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new _(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var tr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Nt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return Ut(t,e,r),t};var te=e=>Math.floor(e.getTime()/1e3);var hn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Ne=e=>{let t=hn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function ue(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var k,Be=class{constructor(t){M(this,k);if(!$e(t))throw new TypeError("JWT Claims Set MUST be an object");O(this,k,structuredClone(t));}data(){return X.encode(JSON.stringify(d(this,k)))}get iss(){return d(this,k).iss}set iss(t){d(this,k).iss=t;}get sub(){return d(this,k).sub}set sub(t){d(this,k).sub=t;}get aud(){return d(this,k).aud}set aud(t){d(this,k).aud=t;}set jti(t){d(this,k).jti=t;}set nbf(t){typeof t=="number"?d(this,k).nbf=ue("setNotBefore",t):t instanceof Date?d(this,k).nbf=ue("setNotBefore",te(t)):d(this,k).nbf=te(new Date)+Ne(t);}set exp(t){typeof t=="number"?d(this,k).exp=ue("setExpirationTime",t):t instanceof Date?d(this,k).exp=ue("setExpirationTime",te(t)):d(this,k).exp=te(new Date)+Ne(t);}set iat(t){typeof t>"u"?d(this,k).iat=te(new Date):t instanceof Date?d(this,k).iat=ue("setIssuedAt",te(t)):typeof t=="string"?d(this,k).iat=ue("setIssuedAt",te(new Date)+Ne(t)):d(this,k).iat=ue("setIssuedAt",t);}};k=new WeakMap;var rr=async(e,t,r)=>{let n=await tr(e,t,"sign");Ft(e,n);let o=await crypto.subtle.sign(er(e,n.algorithm),n,r);return new Uint8Array(o)};var Ce,W,F,Fe=class{constructor(t){M(this,Ce);M(this,W);M(this,F);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");O(this,Ce,t);}setProtectedHeader(t){if(d(this,W))throw new TypeError("setProtectedHeader can only be called once");return O(this,W,t),this}setUnprotectedHeader(t){if(d(this,F))throw new TypeError("setUnprotectedHeader can only be called once");return O(this,F,t),this}async sign(t,r){if(!d(this,W)&&!d(this,F))throw new Y("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Bt(d(this,W),d(this,F)))throw new Y("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...d(this,W),...d(this,F)},o=Gt(Y,new Map([["b64",true]]),r?.crit,d(this,W),n),a=true;if(o.has("b64")&&(a=d(this,W).b64,typeof a!="boolean"))throw new Y('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new Y('JWS "alg" (Algorithm) Header Parameter missing or invalid');Qt(i,t,"sign");let c=d(this,Ce);a&&(c=X.encode(Ue(c)));let s;d(this,W)?s=X.encode(Ue(JSON.stringify(d(this,W)))):s=X.encode("");let u=Dt(s,X.encode("."),c),l=await Zt(t,i),p=await rr(i,l,u),m={signature:Ue(p),payload:""};return a&&(m.payload=ye.decode(c)),d(this,F)&&(m.header=d(this,F)),d(this,W)&&(m.protected=ye.decode(s)),m}};Ce=new WeakMap,W=new WeakMap,F=new WeakMap;var be,Ve=class{constructor(t){M(this,be);O(this,be,new Fe(t));}setProtectedHeader(t){return d(this,be).setProtectedHeader(t),this}async sign(t,r){let n=await d(this,be).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};be=new WeakMap;var re,L,le=class{constructor(t={}){M(this,re);M(this,L);O(this,L,new Be(t));}setIssuer(t){return d(this,L).iss=t,this}setSubject(t){return d(this,L).sub=t,this}setAudience(t){return d(this,L).aud=t,this}setJti(t){return d(this,L).jti=t,this}setNotBefore(t){return d(this,L).nbf=t,this}setExpirationTime(t){return d(this,L).exp=t,this}setIssuedAt(t){return d(this,L).iat=t,this}setProtectedHeader(t){return O(this,re,t),this}async sign(t,r){let n=new Ve(d(this,L).data());if(n.setProtectedHeader(d(this,re)),Array.isArray(d(this,re)?.crit)&&d(this,re).crit.includes("b64")&&d(this,re).b64===false)throw new Ke("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};re=new WeakMap,L=new WeakMap;var bn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),Ge=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return bn(r)},U=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,c={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(c.nonce=n),o&&(c.ath=o),await new le(c).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var $=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function Te(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,c=Math.floor(Date.now()/1e3),s=c+Math.max(60,Math.min(i,3600)),u={child_jkt:n,client_id:o,aud:"issuer",iat:c,exp:s,jti:crypto.randomUUID()};return a&&(u.sid=a),await new le(u).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Ie(e){let t=e.status,r=Array.from(e.headers.keys()).some(c=>c.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let c=await e.clone().json();n=typeof c?.error=="string"?c.error:void 0,o=typeof c?.detail=="string"?c.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function fe(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Se={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},pt=react.createContext(void 0);function sr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Se}catch{return Se}}function gn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var yt=({children:e,clientId:t})=>{let[r,n]=react.useState(Se),o=react.useRef(false),[a,i]=react.useState(false),c=react.useMemo(()=>Ae(t),[t]);react.useEffect(()=>{let f=true;return (async()=>{let x=await J(c)??await J(je)??sr(c);f&&(n({...Se,...x}),o.current=true,i(true));})(),()=>{f=false;}},[c]),react.useEffect(()=>{o.current&&(async()=>(await R(c,r),gn(c,r)))();},[r,c]);let s=react.useCallback(f=>n(y=>({...y,refreshId:f})),[]),u=react.useCallback(f=>n(y=>({...y,lastPolicyHash:f})),[]),l=react.useCallback(f=>n(y=>({...y,lastPolicyProof:f})),[]),p=react.useCallback(f=>n(y=>({...y,lastHost:f})),[]),m=react.useCallback(f=>n(y=>({...y,rootJkt:f})),[]),h=async()=>{try{let f=localStorage.getItem(c);if(f){let y=JSON.parse(f);if(typeof y?.refreshId=="string"&&y.refreshId)return y.refreshId}}catch{}try{let f=await J(c);if(typeof f?.refreshId=="string"&&f.refreshId)return f.refreshId}catch{}return null},S=react.useCallback(f=>n(y=>({...y,boundWallet:f})),[]),g=react.useCallback(f=>n(y=>({...y,clientId:f})),[]),E=react.useCallback(f=>n(y=>({...y,jkt:f})),[]),A=react.useCallback(()=>n(Se),[]),b=react.useCallback(async()=>{let y=await J(c)??sr(c);n({...Se,...y});},[]),w=react.useMemo(()=>({meta:r,setBoundWallet:S,setClientId:g,setJkt:E,resetMeta:A,reload:b,setRefreshId:s,getRefreshId:h,ready:a,setLastPolicyHash:u,setLastPolicyProof:l,setLastHost:p,setRootJkt:m}),[r,S,g,E,A,b,a,s,h,u,l,p,m]);return jsxRuntime.jsx(pt.Provider,{value:w,children:e})};function mt(){let e=react.useContext(pt);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var ur=`${K}:wrap`;async function wt(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:T},!0,["sign","verify"]),t=`${K}:probe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await J(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function ge(e){let t={...e};return delete t.d,t.kty="EC",t.crv=T,t.alg=ve,t.use="sig",t}async function lr(){let e=await J(ur);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(ur,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function ht(e){let t=await lr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Pn(e,t){let r=await lr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var bt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let s=await J(K);if(!s)return false;if(s.fmt==="cryptokey"){let l=s;return l.privKey?(e.current=l.privKey,t.current=ge(l.pubJwk),true):(await R(K,void 0),false)}if(s.fmt==="encjwk"){let l=s;try{let p=await Pn(l.encPrivJwk,l.iv),m=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:T},!1,["sign"]);return e.current=m,t.current=ge(l.pubJwk),!0}catch{return await R(K,void 0),false}}let u=s;if(u&&u.d)if(await wt()){let p=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:T},false,["sign"]),{d:m,...h}=u,S=ge(h);return await R(K,{fmt:"cryptokey",privKey:p,pubJwk:S}),e.current=p,t.current=S,true}else {let{d:p,...m}=u,h=ge(m),{encPrivJwk:S,iv:g}=await ht(u);await R(K,{fmt:"encjwk",encPrivJwk:S,iv:g,pubJwk:h});let E=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:T},false,["sign"]);return e.current=E,t.current=h,true}return await R(K,void 0),false},[]),n=react.useCallback(async(s,u)=>{await R(K,{fmt:"cryptokey",privKey:s,pubJwk:u});},[]),o=react.useCallback(async(s,u)=>{let{encPrivJwk:l,iv:p}=await ht(s);await R(K,{fmt:"encjwk",encPrivJwk:l,iv:p,pubJwk:u});},[]),a=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:T},true,["sign","verify"]),u=ge(await crypto.subtle.exportKey("jwk",s.publicKey));if(await wt())await n(s.privateKey,u),e.current=s.privateKey,t.current=u;else {let l=await crypto.subtle.exportKey("jwk",s.privateKey);await o(l,u),e.current=s.privateKey,t.current=u;}},[r,n,o]),i=react.useCallback(async()=>{let s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:T},true,["sign","verify"]),u=ge(await crypto.subtle.exportKey("jwk",s.publicKey));if(await wt())await R(K,{fmt:"cryptokey",privKey:s.privateKey,pubJwk:u});else {let l=await crypto.subtle.exportKey("jwk",s.privateKey),{encPrivJwk:p,iv:m}=await ht(l);await R(K,{fmt:"encjwk",encPrivJwk:p,iv:m,pubJwk:u});}e.current=s.privateKey,t.current=u;},[]),c=react.useCallback(async()=>{await R(K,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:c,privRef:e,pubJwkRef:t}};var Z="sunbreak_root_key_v1",dr=`${Z}:wrap`;async function vn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:T},!0,["sign","verify"]),t=`${Z}:probe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await J(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function Rt(e){let t={...e};return delete t.d,t.kty="EC",t.crv=T,t.alg=ve,t.use="sig",t}async function pr(){let e=await J(dr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(dr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function An(e){let t=await pr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Kn(e,t){let r=await pr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var gt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let a=await J(Z);if(!a)return false;if(a.fmt==="cryptokey"){let i=a;return i.privKey?(e.current=i.privKey,t.current=Rt(i.pubJwk),true):(await R(Z,void 0),false)}if(a.fmt==="encjwk"){let i=a;try{let c=await Kn(i.encPrivJwk,i.iv),s=await crypto.subtle.importKey("jwk",c,{name:"ECDSA",namedCurve:T},!1,["sign"]);return e.current=s,t.current=Rt(i.pubJwk),!0}catch{return await R(Z,void 0),false}}return await R(Z,void 0),false},[]),n=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:T},true,["sign","verify"]),i=Rt(await crypto.subtle.exportKey("jwk",a.publicKey)),c=Date.now();if(await vn())await R(Z,{fmt:"cryptokey",privKey:a.privateKey,pubJwk:i,createdAt:c});else {let s=await crypto.subtle.exportKey("jwk",a.privateKey),{encPrivJwk:u,iv:l}=await An(s);await R(Z,{fmt:"encjwk",encPrivJwk:u,iv:l,pubJwk:i,createdAt:c});}e.current=a.privateKey,t.current=i;},[r]),o=react.useCallback(async()=>{await R(Z,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var xn=()=>crypto.randomUUID(),yr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:c,refreshDeps:s=[]}=e,u=rt(n),l=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:p,setBoundWallet:m,setJkt:h,setRefreshId:S,getRefreshId:g,setLastPolicyHash:E,setLastPolicyProof:A,setLastHost:b,setRootJkt:w,ready:f}=mt(),{ensureRootKeypair:y,rootPrivRef:x,rootPubJwkRef:oe}=gt(),Q=react.useCallback(async()=>{await y();try{if(!p.rootJkt&&oe.current){let se=await $(oe.current);w(se);}}catch{}},[y,p.rootJkt,oe]),{ensureKeypair:Ee,rotate:P,privRef:We,pubJwkRef:De}=bt(),[vt,C]=react.useState(false),[N,H]=react.useState(0),[z,ae]=react.useState(null),[ee,Xe]=react.useState(null),[Ye,At]=react.useState(null),[vr,Ar]=react.useState(null),[Kr,xr]=react.useState(null),[Cr,Tr]=react.useState(null),Jr=react.useRef(null),Ir=react.useRef(null),_r=react.useRef(null),Wr=react.useRef(null),Dr=react.useRef(null),Lr=react.useRef(null),Hr=react.useRef(null),Mr=react.useRef(false),Or=react.useRef(false),jr=react.useRef(void 0),Le=react.useRef(false),Ze=react.useRef(false),Kt=react.useRef(null),ie=react.useRef(null);ie.current||(ie.current=new Promise(se=>{Kt.current=se;}));let Qe=react.useRef(null),Ur=react.useRef(i),He=react.useRef(null),xt=react.useRef(null),Me=react.useRef(null),Ct=()=>Date.now(),$r=()=>(Me.current??0)>0&&Me.current<Ct(),et=react.useCallback((se,qr=15e3)=>{let Tt=xn();return He.current=Tt,xt.current=se,Me.current=Ct()+Math.max(1e3,qr),Tt},[]),Nr=react.useCallback(()=>((!He.current||$r())&&et("adhoc",1e4),He.current),[et]),tt=react.useRef(null),Oe=react.useRef(null);Oe.current||(Oe.current=new Promise(se=>{tt.current=se;}));let Br=react.useCallback(async()=>{!Le.current&&Oe.current&&await Oe.current;},[]),Fr=react.useCallback(()=>{Le.current||(Le.current=true,tt.current?.(),tt.current=null);},[]),Vr=react.useCallback(async()=>{!Ze.current&&ie.current&&await ie.current;},[]),Gr=react.useCallback(async()=>{!Ze.current&&ie.current&&await ie.current,Qe.current&&await Qe.current;},[]);return {clientId:t,wallet:r,baseUrl:u,fetchImpl:l,timeoutMs:a,providerAdapter:c,refreshDeps:s,ensureKeypair:Ee,rotate:P,ensureRootKeypair:Q,rootPrivRef:x,rootPubJwkRef:oe,privRef:We,pubJwkRef:De,meta:p,setBoundWallet:m,setJkt:h,setRefreshId:S,accessTokenRef:_r,tokenExpRef:Wr,authenticated:vt,setAuthenticated:C,loadingCount:N,setLoadingCount:H,error:z,setError:ae,allowed:ee,setAllowed:Xe,denyReason:Ye,setDenyReason:At,sessionExpiry:vr,setSessionExpiry:Ar,sessionData:Kr,setSessionData:xr,verifyData:Cr,setVerifyData:Tr,authWalletRef:Ir,refreshLock:Dr,registerLock:Lr,sessionLock:Hr,didInitialRefresh:Mr,didInitialSession:Or,prevWalletRef:jr,initResolvedRef:Ze,initReady:ie,initResolveRef:Kt,rotateLock:Qe,waitReady:Vr,awaitKeyStable:Gr,proofRef:Ur,registerCooldownUntilRef:Jr,reqIdRef:He,flowLabelRef:xt,flowExpireRef:Me,beginFlow:et,currentReqId:Nr,awaitProbe:Br,markProbed:Fr,hasProbedRef:Le,getRefreshId:g,setLastPolicyHash:E,setLastPolicyProof:A,setLastHost:b,setRootJkt:w,metaReady:f}};var pe=e=>e.accessTokenRef.current??null,G=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},I=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Cn=(e,t)=>`${e.toUpperCase()} ${t}`;async function _e(e,t,r){if(!t)return false;let n=_e._nonceCacheRef||(_e._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let f=await $(e.rootPubJwkRef.current);e.setRootJkt?.(f);}catch{}let b=await $(I(e)),w=await e.getRefreshId();o=await Te({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:b,clientId:e.clientId,sid:w||void 0,ttlSec:300});}}catch{}let a=e.currentReqId(),i="/auth/register",c=`${e.baseUrl}${i}`,s=new URL(e.baseUrl).origin,u="POST",l=`${s}${i}`,p=Cn(u,l),m=n.map.get(p),h=await U({method:u,url:l,nonce:m,privateKey:G(e),publicJwk:I(e)}),S=async b=>e.fetchImpl(c,{method:u,headers:{"content-type":"application/json","x-sunbreak-meta":j(e,{reqId:a,pode:o||void 0}),...b},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),g=await S({DPoP:h}),E=b=>{let w=b.headers.get("dpop-nonce");w&&n.map.set(p,w);};if(g.status===401){let b=g.headers.get("www-authenticate"),f=(b&&b.match(/dpop-nonce="([^"]+)"/i))?.[1];if(f){n.map.set(p,f);let y=await U({method:u,url:l,nonce:f,privateKey:G(e),publicJwk:I(e)});g=await S({DPoP:y});}}if(E(g),!g.ok){let b=await Ie(g);if((g.headers.get("content-type")||"").includes("application/json")){let f;try{f=await g.clone().json();}catch{}let y=Je(f&&(f.error||f.message||f.detail)||`HTTP ${g.status}`);throw fe(y,b)}else {let f=b.waf?"Blocked by WAF (403)":b.alb403?"Blocked at origin (ALB 403)":`HTTP ${g.status}`;throw fe(f,b)}}let A=await g.json();e.accessTokenRef.current=A.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let b=Math.floor(Date.now()/1e3);e.tokenExpRef.current=b+(A.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await $(I(e)));}catch{}try{let b={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:A.refreshId??null};e.setRefreshId(A.refreshId??null);let w=Ae(e.clientId);await R(w,b);try{localStorage.setItem(w,JSON.stringify(b));}catch{}}catch{}return !0}catch(o){let a=Number(o?.status||0),i=String(o?.code||""),c=String(o?.message||""),s=Math.floor(Math.random()*1e3);if((a===401||a===403)&&i.toLowerCase()==="replay"){if(e.providerAdapter)try{let u=await e.providerAdapter.getToken()??null;if(u)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await ke(e.providerAdapter,u),e.registerCooldownUntilRef.current=Date.now()+5e3+s,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+s,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+s,false}if(a===403&&(o?.waf||o?.alb403))return e.setError(c||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+s,false;if(a===403)return e.setError(i||c||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+s,false;if(a===429||a===503){e.setError(i||c||"Rate limited / unavailable");let u=a===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+u+s,false}return e.setError(i||c||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+s,false}}var Tn=(e,t)=>`${e.toUpperCase()} ${t}`;function qe(e){return e.refreshLock.current||(e.refreshLock.current=(async()=>{try{if(await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let t=pe(e);if(t){let w=e.tokenExpRef.current,f=Math.floor(Date.now()/1e3);if(!!t&&!!w&&w-f>5)return !0}e.beginFlow("refresh",15e3);let r=e.currentReqId();await e.ensureKeypair();let n;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let y=await $(e.rootPubJwkRef.current);e.setRootJkt?.(y);}catch{}let w=await $(I(e)),f=await e.getRefreshId();n=await Te({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:w,clientId:e.clientId,sid:f||void 0,ttlSec:300});}}catch{}let o="/auth/refresh",a=`${e.baseUrl}${o}`,i=new URL(e.baseUrl).origin,c="POST",s=`${i}${o}`,u=Tn(c,s),l=qe._nonceCacheRef||(qe._nonceCacheRef={map:new Map}),p=async w=>await U({method:c,url:s,nonce:w,privateKey:G(e),publicJwk:I(e)}),m=await e.getRefreshId(),h={"x-sunbreak-meta":j(e,{reqId:r,refreshId:m||void 0,pode:n||void 0}),"content-type":"application/json"},S=async w=>e.fetchImpl(a,{method:c,headers:{DPoP:w,...h},credentials:"include",body:"{}"}),g=w=>{let f=w.headers.get("dpop-nonce");f&&l.map.set(u,f);},E=await S(await p(l.map.get(u)));if(E.status===401){let w=E.headers.get("www-authenticate"),y=(w&&w.match(/dpop-nonce="([^"]+)"/i))?.[1];y&&(l.map.set(u,y),E=await S(await p(y)));}if(g(E),!E.ok){try{if((E.headers.get("content-type")||"").includes("application/json")){let f=await E.clone().json().catch(()=>{}),y=f&&(f.error||f.code||f.message)||"",x=String(y).toLowerCase();if(x.includes("missing")&&x.includes("refresh")){try{e.setRefreshId?.(null);}catch{}try{e.setBoundWallet?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}}}catch{}return !1}let A=await E.json();e.accessTokenRef.current=A.access,e.setAuthenticated(!0);let b=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=b?b.toLowerCase():null;try{let w=Math.floor(Date.now()/1e3);e.tokenExpRef.current=w+(A.expiresIn??0);}catch{}try{e.setJkt(await $(I(e)));}catch{}return A.refreshId&&e.setRefreshId(A.refreshId),!0}finally{e.refreshLock.current=null;}})()),e.refreshLock.current}var Jn=(e,t)=>`${e.toUpperCase()} ${t}`,Et=new Map,In="sunbreak_probe_v1",mr=e=>`${In}::${e}`,_n=(e,t=6*60*60*1e3)=>{try{let r=localStorage.getItem(mr(e));if(!r)return !0;let n=Number(r);return Number.isFinite(n)?Date.now()-n>=t:!0}catch{return true}},Wn=e=>{try{localStorage.setItem(mr(e),String(Date.now()));}catch{}};async function wr(e){let t=new URL(e.baseUrl).origin;if(!_n(t)){e.hasProbedRef.current||e.markProbed();return}try{await e.awaitKeyStable(),await e.ensureKeypair();let r="POST",n="/auth/probe",o=`${e.baseUrl}${n}`,a=new URL(e.baseUrl).origin,i=`${a}${n}`,c=Jn(r,i),s=async m=>e.fetchImpl(o,{method:r,headers:{DPoP:m,"x-sunbreak-meta":j(e),"content-type":"application/json"},credentials:"include",body:"{}"}),u=async m=>await U({method:r,url:i,nonce:m,privateKey:G(e),publicJwk:I(e)}),l=await s(await u(Et.get(c))),p=m=>{let h=m.headers.get("dpop-nonce");h&&Et.set(c,h);};if(p(l),l.status===401){let m=l.headers.get("www-authenticate"),S=(m&&m.match(/dpop-nonce="([^"]+)"/i))?.[1];S&&(Et.set(c,S),l=await s(await u(S)),p(l));}l.ok||l.status===204?(Wn(a),e.markProbed()):e.hasProbedRef.current||e.markProbed();}catch{e.hasProbedRef.current||e.markProbed();}}var hr=e=>{let t=react.useCallback(()=>qe(e),[e]),r=react.useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a||!e.wallet||!e.initResolvedRef.current||e.refreshLock.current||!e.didInitialRefresh.current||e.registerLock.current)return;let i=e.proofRef.current;!i||!(!e.authenticated||e.meta.boundWallet!==e.wallet)||(await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await _e(e,e.wallet,i)&&(e.didInitialSession.current=!0);}catch(s){e.setError(s?.message||String(s)||"Register failed");}finally{e.registerLock.current=null;}})());},[e]),n=react.useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await ke(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a)=>_e(e,o,a),attemptRegister:r,setProofFromAdapterToken:n}};var Dn=(e,t)=>`${e.toUpperCase()} ${t}`;async function ze(e,t,r,n,o,a={}){e.setLoadingCount(u=>u+1),e.setError(null);let i=n.startsWith("/api/session"),c=new AbortController,s=setTimeout(()=>c.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?ot(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,m=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,h=Dn(r,m),S=n.startsWith("/auth/"),g=!1,E=!1,A=e.currentReqId(),b=ze._nonceCacheRef||(ze._nonceCacheRef={map:new Map}),w=C=>{let N=C.headers.get("dpop-nonce");N&&b.map.set(h,N);},f=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),y,x,oe=async()=>{if(S||f)return;try{let ae=pe(e),ee=e.tokenExpRef.current,Xe=Math.floor(Date.now()/1e3),Ye=!!ee&&ee-Xe<=60;if((!ae||Ye)&&!await t().catch(()=>!1))return}catch{}let C=pe(e);if(!C)return;let N=await Ge(C),H=b.map.get(h),z=await U({method:r,url:m,nonce:H,ath:N,privateKey:G(e),publicJwk:I(e)});y=`Bearer ${e.accessTokenRef.current}`,x=z;};await oe();let Q={"content-type":"application/json","x-sunbreak-auth":y||"","x-sunbreak-meta":j(e,{reqId:A,auth:y,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...at(a.headers)};x&&(Q.DPoP=x);let Ee=async()=>e.fetchImpl(l,{...a,method:r,headers:Q,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:c.signal}),P=await Ee(),We=P.headers.get("x-sunbreak-policy-hash"),De=P.headers.get("x-sunbreak-policy-proof");if(We&&e.setLastPolicyHash(We),De&&e.setLastPolicyProof(De),w(P),P.status===401&&!S){let C=pe(e),N=P.headers.get("www-authenticate"),z=(N&&N.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!f&&z&&C&&!E){E=!0,b.map.set(h,z);let ae=await Ge(C),ee=await U({method:r,url:m,nonce:z,ath:ae,privateKey:G(e),publicJwk:I(e)});y=`Bearer ${e.accessTokenRef.current}`,x=ee,Q["x-sunbreak-meta"]=j(e,{reqId:A,auth:y}),Q.DPoP=x,P=await Ee(),w(P);}if(P.status===401&&!g){g=!0;let ae=await t(),ee=pe(e);ae&&ee&&!f&&(await oe(),Q["x-sunbreak-meta"]=j(e,{reqId:A,auth:y}),x&&(Q.DPoP=x),P=await Ee(),w(P));}if(P.status===401)throw new Error("Unauthorized")}if(!P.ok){let C=await Ie(P);if((P.headers.get("content-type")||"").includes("application/json")){let H=await P.json().catch(()=>{}),z=Je(H&&(H.error||H.message||H.detail)||`HTTP ${P.status}`);throw fe(z,C)}else {let H=C.waf?"Blocked by WAF (403)":C.alb403?"Blocked at origin (ALB 403)":`HTTP ${P.status}`;throw fe(H,C)}}return (P.headers.get("content-type")||"").includes("application/json")?await P.json():void 0}finally{clearTimeout(s),e.setLoadingCount(u=>Math.max(0,u-1));}}var br=(e,t)=>react.useCallback(async(r,n,o,a={})=>ze(e,t,r,n,o,a),[e,t]);async function Sr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function Rr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var Er=(e,t)=>{let r=react.useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await Sr(e,t)}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=react.useCallback(async()=>{if(e.wallet)return await Rr(e,t)},[e,t]);return {session:r,verify:n}};var kr=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;react.useEffect(()=>{return (async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.ensureRootKeypair(),await wr(e);}catch{}})(),()=>{}},[]);let c=()=>(e.registerCooldownUntilRef.current??0)>Date.now();react.useEffect(()=>{if(!e.providerAdapter||c()||!e.metaReady)return;let s=e.wallet,u=e.meta.boundWallet;if(s&&u&&s.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let l=false;return (async()=>{try{let p=await e.providerAdapter.getToken()??null;if(await e.awaitKeyStable(),l||!p)return;await a(p),await o();}catch{}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef.current,e.didInitialRefresh.current,...e.refreshDeps]),react.useEffect(()=>{typeof i<"u"&&(e.proofRef.current=i??null);let s=e.wallet,u=e.meta.boundWallet;if(s&&u&&s.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let p=!!s,m=!!e.proofRef.current,h=!!s&&!!e.authWalletRef.current&&s.toLowerCase()!==e.authWalletRef.current.toLowerCase();p&&m&&!e.authenticated&&!h&&e.initResolvedRef.current&&!c()&&o();},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef.current,e.didInitialRefresh.current,o]),react.useEffect(()=>{let s=e.wallet,u=e.meta.boundWallet;if(!e.metaReady||e.didInitialRefresh.current)return;let l=true;return (async()=>{try{if(await e.waitReady(),e.accessTokenRef.current||e.authenticated){e.didInitialRefresh.current=!0,s&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}if(!(!s&&!u||s&&u&&s.toLowerCase()===u.toLowerCase()))return;e.didInitialRefresh.current=!0;let m=await r();if(!l)return;e.setAuthenticated(m),m&&s&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(p){if(!l)return;e.setAuthenticated(false),e.setError(p?.message||String(p)||"Unknown error");}})(),()=>{l=false;}},[e.wallet,e.meta.boundWallet,e.metaReady,e.didInitialRefresh.current,r,n]),react.useEffect(()=>{e.prevWalletRef.current===void 0&&(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),react.useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{await n();}catch(s){e.setError(s?.message||String(s));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),react.useEffect(()=>{let s=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==s&&(e.didInitialRefresh.current=false),!e.wallet){e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}s&&e.wallet&&s!==e.wallet&&(e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}));},[e.wallet]),react.useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),react.useEffect(()=>{let u=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return false;let m=e.tokenExpRef.current;if(!m)return false;let h=Math.floor(Date.now()/1e3);return m-h<=30},l=async()=>{try{u()&&await r();}catch{}},p=async()=>{document.visibilityState==="visible"&&await l();};return window.addEventListener("focus",l),document.addEventListener("visibilitychange",p),()=>{window.removeEventListener("focus",l),document.removeEventListener("visibilitychange",p);}},[e,r]),react.useEffect(()=>{let l=()=>{let h=Math.floor(Date.now()/1e3),S=e.tokenExpRef.current,g=e.sessionExpiry,E=!!S&&S-h<=30&&S-h>0,A=!!g&&g-h<=3600&&g-h>0;return {tokenSoon:E,sessionSoon:A}},p=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:h,sessionSoon:S}=l();(h||S)&&await r()&&S&&await n();}catch{}},m=async()=>{document.visibilityState==="visible"&&await p();};return window.addEventListener("focus",p),document.addEventListener("visibilitychange",m),()=>{window.removeEventListener("focus",p),document.removeEventListener("visibilitychange",m);}},[e,e.sessionExpiry,r,n]);};var Pr=react.createContext(void 0),jn=e=>{let t=yr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=hr(t),a=br(t,r),{session:i,verify:c}=Er(t,a);kr(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let s=react.useMemo(()=>({get:(u,l)=>a("GET",u,void 0,l),post:(u,l,p)=>a("POST",u,l,p),verify:c,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,c,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsxRuntime.jsx(Pr.Provider,{value:s,children:e.children})},Un=e=>jsxRuntime.jsx(yt,{clientId:e.clientId,children:jsxRuntime.jsx(jn,{...e})}),$n=()=>{let e=react.useContext(Pr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
6
+ var qr=Object.defineProperty;var Jt=e=>{throw TypeError(e)};var zr=(e,t,r)=>t in e?qr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var L=(e,t,r)=>zr(e,typeof t!="symbol"?t+"":t,r),It=(e,t,r)=>t.has(e)||Jt("Cannot "+r);var p=(e,t,r)=>(It(e,t,"read from private field"),r?r.call(e):t.get(e)),O=(e,t,r)=>t.has(e)?Jt("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),j=(e,t,r,n)=>(It(e,t,"write to private field"),t.set(e,r),r);var Pe=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Yr="sunbreak-kv",ve="kv",je="sunbreak_dpop_meta_v1",K="sunbreak_dpop_key_v1",Ae="ES256",J="P-256",Ke=e=>`${je}:${e}`,Wt=()=>new Promise((e,t)=>{let r=indexedDB.open(Yr,1);r.onupgradeneeded=()=>r.result.createObjectStore(ve),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),I=async e=>{try{let t=await Wt();return await new Promise((r,n)=>{let a=t.transaction(ve,"readonly").objectStore(ve).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},R=async(e,t)=>{let r=await Wt();await new Promise((n,o)=>{let i=r.transaction(ve,"readwrite").objectStore(ve).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var Xr=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},Zr=e=>e.replace(/\/+$/,""),rt=e=>{let t=Zr(e);return Xr(t)};function ot(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=Qr(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var Qr=e=>{for(let t=0;t<nt.length;t++){let r=nt[Math.floor(Math.random()*nt.length)].toLowerCase();if(r!==e)return r}return "alpha"},nt=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var U=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var en=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),tn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),rn=new Set(["dpop","x-sunbreak-meta"]),nn=64,_t=2048,on=64;function at(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=on)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>nn||en.has(i)||tn.has(i)||rn.has(i))continue;let c=String(a);c.length>_t&&(c=c.slice(0,_t)),t[i]=c,n++;}return t}var Y=new TextEncoder,me=new TextDecoder;function Dt(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Lt(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Ht(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function Mt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Ht(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Ue(e){let t=e;return typeof t=="string"&&(t=Y.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Lt(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ce=class extends Error{constructor(r,n){super(r,n);L(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};L(ce,"code","ERR_JOSE_GENERIC");var W=class extends ce{constructor(){super(...arguments);L(this,"code","ERR_JOSE_NOT_SUPPORTED");}};L(W,"code","ERR_JOSE_NOT_SUPPORTED");var X=class extends ce{constructor(){super(...arguments);L(this,"code","ERR_JWS_INVALID");}};L(X,"code","ERR_JWS_INVALID");var xe=class extends ce{constructor(){super(...arguments);L(this,"code","ERR_JWT_INVALID");}};L(xe,"code","ERR_JWT_INVALID");var Ot,jt,it=class extends(jt=ce,Ot=Symbol.asyncIterator,jt){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);L(this,Ot);L(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};L(it,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function B(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function st(e){return parseInt(e.name.slice(4),10)}function cn(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function un(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function Ut(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw B("HMAC");let n=parseInt(t.slice(2),10);if(st(e.algorithm.hash)!==n)throw B(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw B("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(st(e.algorithm.hash)!==n)throw B(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw B("RSA-PSS");let n=parseInt(t.slice(2),10);if(st(e.algorithm.hash)!==n)throw B(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw B("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw B(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw B("ECDSA");let n=cn(t);if(e.algorithm.namedCurve!==n)throw B(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}un(e,r);}function $t(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Nt=(e,...t)=>$t("Key must be ",e,...t);function ct(e,t,...r){return $t(`Key for the ${e} algorithm must be `,t,...r)}function ut(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function lt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var ft=e=>ut(e)||lt(e);var Bt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return false;r.add(a);}}return true};function ln(e){return typeof e=="object"&&e!==null}var $e=e=>{if(!ln(e)||Object.prototype.toString.call(e)!=="[object Object]")return false;if(Object.getPrototypeOf(e)===null)return true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Ft=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function fn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new W('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new W('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new W('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new W('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new W('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var Vt=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=fn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var Gt=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new W(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Ce(e){return $e(e)&&typeof e.kty=="string"}function qt(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function zt(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function Yt(e){return e.kty==="oct"&&typeof e.k=="string"}var he,Xt=async(e,t,r,n=false)=>{he||(he=new WeakMap);let o=he.get(e);if(o?.[r])return o[r];let a=await Vt({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:he.set(e,{[r]:a}),a},pn=(e,t)=>{he||(he=new WeakMap);let r=he.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let c=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!c)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&c==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES384"&&c==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES512"&&c==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:c},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:he.set(e,{[t]:a}),a},Zt=async(e,t)=>{if(e instanceof Uint8Array||ut(e))return e;if(lt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return pn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Xt(e,r,t)}if(Ce(e))return e.k?Mt(e.k):Xt(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],dt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return true},yn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Ce(t)){if(Yt(t)&&dt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!ft(t))throw new TypeError(ct(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},mn=(e,t,r)=>{if(Ce(t))switch(r){case "decrypt":case "sign":if(qt(t)&&dt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(zt(t)&&dt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!ft(t))throw new TypeError(ct(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},Qt=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?yn(e,t,r):mn(e,t,r);};var er=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new W(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var tr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Nt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return Ut(t,e,r),t};var te=e=>Math.floor(e.getTime()/1e3);var wn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Ne=e=>{let t=wn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function ue(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var k,Be=class{constructor(t){O(this,k);if(!$e(t))throw new TypeError("JWT Claims Set MUST be an object");j(this,k,structuredClone(t));}data(){return Y.encode(JSON.stringify(p(this,k)))}get iss(){return p(this,k).iss}set iss(t){p(this,k).iss=t;}get sub(){return p(this,k).sub}set sub(t){p(this,k).sub=t;}get aud(){return p(this,k).aud}set aud(t){p(this,k).aud=t;}set jti(t){p(this,k).jti=t;}set nbf(t){typeof t=="number"?p(this,k).nbf=ue("setNotBefore",t):t instanceof Date?p(this,k).nbf=ue("setNotBefore",te(t)):p(this,k).nbf=te(new Date)+Ne(t);}set exp(t){typeof t=="number"?p(this,k).exp=ue("setExpirationTime",t):t instanceof Date?p(this,k).exp=ue("setExpirationTime",te(t)):p(this,k).exp=te(new Date)+Ne(t);}set iat(t){typeof t>"u"?p(this,k).iat=te(new Date):t instanceof Date?p(this,k).iat=ue("setIssuedAt",te(t)):typeof t=="string"?p(this,k).iat=ue("setIssuedAt",te(new Date)+Ne(t)):p(this,k).iat=ue("setIssuedAt",t);}};k=new WeakMap;var rr=async(e,t,r)=>{let n=await tr(e,t,"sign");Ft(e,n);let o=await crypto.subtle.sign(er(e,n.algorithm),n,r);return new Uint8Array(o)};var Te,_,F,Fe=class{constructor(t){O(this,Te);O(this,_);O(this,F);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");j(this,Te,t);}setProtectedHeader(t){if(p(this,_))throw new TypeError("setProtectedHeader can only be called once");return j(this,_,t),this}setUnprotectedHeader(t){if(p(this,F))throw new TypeError("setUnprotectedHeader can only be called once");return j(this,F,t),this}async sign(t,r){if(!p(this,_)&&!p(this,F))throw new X("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Bt(p(this,_),p(this,F)))throw new X("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...p(this,_),...p(this,F)},o=Gt(X,new Map([["b64",true]]),r?.crit,p(this,_),n),a=true;if(o.has("b64")&&(a=p(this,_).b64,typeof a!="boolean"))throw new X('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new X('JWS "alg" (Algorithm) Header Parameter missing or invalid');Qt(i,t,"sign");let c=p(this,Te);a&&(c=Y.encode(Ue(c)));let s;p(this,_)?s=Y.encode(Ue(JSON.stringify(p(this,_)))):s=Y.encode("");let u=Dt(s,Y.encode("."),c),f=await Zt(t,i),d=await rr(i,f,u),y={signature:Ue(d),payload:""};return a&&(y.payload=me.decode(c)),p(this,F)&&(y.header=p(this,F)),p(this,_)&&(y.protected=me.decode(s)),y}};Te=new WeakMap,_=new WeakMap,F=new WeakMap;var Se,Ve=class{constructor(t){O(this,Se);j(this,Se,new Fe(t));}setProtectedHeader(t){return p(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await p(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var re,H,le=class{constructor(t={}){O(this,re);O(this,H);j(this,H,new Be(t));}setIssuer(t){return p(this,H).iss=t,this}setSubject(t){return p(this,H).sub=t,this}setAudience(t){return p(this,H).aud=t,this}setJti(t){return p(this,H).jti=t,this}setNotBefore(t){return p(this,H).nbf=t,this}setExpirationTime(t){return p(this,H).exp=t,this}setIssuedAt(t){return p(this,H).iat=t,this}setProtectedHeader(t){return j(this,re,t),this}async sign(t,r){let n=new Ve(p(this,H).data());if(n.setProtectedHeader(p(this,re)),Array.isArray(p(this,re)?.crit)&&p(this,re).crit.includes("b64")&&p(this,re).b64===false)throw new xe("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};re=new WeakMap,H=new WeakMap;var hn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),Ge=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return hn(r)},$=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,c={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(c.nonce=n),o&&(c.ath=o),await new le(c).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var D=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function fe(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,c=Math.floor(Date.now()/1e3),s=c+Math.max(60,Math.min(i,3600)),u={child_jkt:n,client_id:o,aud:"issuer",iat:c,exp:s,jti:crypto.randomUUID()};return a&&(u.sid=a),await new le(u).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Ie(e){let t=e.status,r=Array.from(e.headers.keys()).some(c=>c.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let c=await e.clone().json();n=typeof c?.error=="string"?c.error:void 0,o=typeof c?.detail=="string"?c.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function de(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},pt=react.createContext(void 0);function sr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function Rn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var yt=({children:e,clientId:t})=>{let[r,n]=react.useState(Re),o=react.useRef(false),[a,i]=react.useState(false),c=react.useMemo(()=>Ke(t),[t]);react.useEffect(()=>{let l=true;return (async()=>{let C=await I(c)??await I(je)??sr(c);l&&(n({...Re,...C}),o.current=true,i(true));})(),()=>{l=false;}},[c]),react.useEffect(()=>{o.current&&(async()=>(await R(c,r),Rn(c,r)))();},[r,c]);let s=react.useCallback(l=>n(m=>({...m,refreshId:l})),[]),u=react.useCallback(l=>n(m=>({...m,lastPolicyHash:l})),[]),f=react.useCallback(l=>n(m=>({...m,lastPolicyProof:l})),[]),d=react.useCallback(l=>n(m=>({...m,lastHost:l})),[]),y=react.useCallback(l=>n(m=>({...m,rootJkt:l})),[]),h=async()=>{try{let l=localStorage.getItem(c);if(l){let m=JSON.parse(l);if(typeof m?.refreshId=="string"&&m.refreshId)return m.refreshId}}catch{}try{let l=await I(c);if(typeof l?.refreshId=="string"&&l.refreshId)return l.refreshId}catch{}return null},b=react.useCallback(l=>n(m=>({...m,boundWallet:l})),[]),g=react.useCallback(l=>n(m=>({...m,clientId:l})),[]),E=react.useCallback(l=>n(m=>({...m,jkt:l})),[]),A=react.useCallback(()=>n(Re),[]),S=react.useCallback(async()=>{let m=await I(c)??sr(c);n({...Re,...m});},[]),w=react.useMemo(()=>({meta:r,setBoundWallet:b,setClientId:g,setJkt:E,resetMeta:A,reload:S,setRefreshId:s,getRefreshId:h,ready:a,setLastPolicyHash:u,setLastPolicyProof:f,setLastHost:d,setRootJkt:y}),[r,b,g,E,A,S,a,s,h,u,f,d,y]);return jsxRuntime.jsx(pt.Provider,{value:w,children:e})};function mt(){let e=react.useContext(pt);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var ur=`${K}:wrap`;async function wt(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:J},!0,["sign","verify"]),t=`${K}:probe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await I(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function Ee(e){let t={...e};return delete t.d,t.kty="EC",t.crv=J,t.alg=Ae,t.use="sig",t}async function lr(){let e=await I(ur);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(ur,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function ht(e){let t=await lr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function kn(e,t){let r=await lr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var bt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let s=await I(K);if(!s)return false;if(s.fmt==="cryptokey"){let f=s;return f.privKey?(e.current=f.privKey,t.current=Ee(f.pubJwk),true):(await R(K,void 0),false)}if(s.fmt==="encjwk"){let f=s;try{let d=await kn(f.encPrivJwk,f.iv),y=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:J},!1,["sign"]);return e.current=y,t.current=Ee(f.pubJwk),!0}catch{return await R(K,void 0),false}}let u=s;if(u&&u.d)if(await wt()){let d=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:J},false,["sign"]),{d:y,...h}=u,b=Ee(h);return await R(K,{fmt:"cryptokey",privKey:d,pubJwk:b}),e.current=d,t.current=b,true}else {let{d,...y}=u,h=Ee(y),{encPrivJwk:b,iv:g}=await ht(u);await R(K,{fmt:"encjwk",encPrivJwk:b,iv:g,pubJwk:h});let E=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:J},false,["sign"]);return e.current=E,t.current=h,true}return await R(K,void 0),false},[]),n=react.useCallback(async(s,u)=>{await R(K,{fmt:"cryptokey",privKey:s,pubJwk:u});},[]),o=react.useCallback(async(s,u)=>{let{encPrivJwk:f,iv:d}=await ht(s);await R(K,{fmt:"encjwk",encPrivJwk:f,iv:d,pubJwk:u});},[]),a=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:J},true,["sign","verify"]),u=Ee(await crypto.subtle.exportKey("jwk",s.publicKey));if(await wt())await n(s.privateKey,u),e.current=s.privateKey,t.current=u;else {let f=await crypto.subtle.exportKey("jwk",s.privateKey);await o(f,u),e.current=s.privateKey,t.current=u;}},[r,n,o]),i=react.useCallback(async()=>{let s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:J},true,["sign","verify"]),u=Ee(await crypto.subtle.exportKey("jwk",s.publicKey));if(await wt())await R(K,{fmt:"cryptokey",privKey:s.privateKey,pubJwk:u});else {let f=await crypto.subtle.exportKey("jwk",s.privateKey),{encPrivJwk:d,iv:y}=await ht(f);await R(K,{fmt:"encjwk",encPrivJwk:d,iv:y,pubJwk:u});}e.current=s.privateKey,t.current=u;},[]),c=react.useCallback(async()=>{await R(K,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:c,privRef:e,pubJwkRef:t}};var Z="sunbreak_root_key_v1",dr=`${Z}:wrap`;async function Pn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:J},!0,["sign","verify"]),t=`${Z}:probe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await I(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function Rt(e){let t={...e};return delete t.d,t.kty="EC",t.crv=J,t.alg=Ae,t.use="sig",t}async function pr(){let e=await I(dr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(dr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function vn(e){let t=await pr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function An(e,t){let r=await pr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var gt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let a=await I(Z);if(!a)return false;if(a.fmt==="cryptokey"){let i=a;return i.privKey?(e.current=i.privKey,t.current=Rt(i.pubJwk),true):(await R(Z,void 0),false)}if(a.fmt==="encjwk"){let i=a;try{let c=await An(i.encPrivJwk,i.iv),s=await crypto.subtle.importKey("jwk",c,{name:"ECDSA",namedCurve:J},!1,["sign"]);return e.current=s,t.current=Rt(i.pubJwk),!0}catch{return await R(Z,void 0),false}}return await R(Z,void 0),false},[]),n=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:J},true,["sign","verify"]),i=Rt(await crypto.subtle.exportKey("jwk",a.publicKey)),c=Date.now();if(await Pn())await R(Z,{fmt:"cryptokey",privKey:a.privateKey,pubJwk:i,createdAt:c});else {let s=await crypto.subtle.exportKey("jwk",a.privateKey),{encPrivJwk:u,iv:f}=await vn(s);await R(Z,{fmt:"encjwk",encPrivJwk:u,iv:f,pubJwk:i,createdAt:c});}e.current=a.privateKey,t.current=i;},[r]),o=react.useCallback(async()=>{await R(Z,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var Kn=()=>crypto.randomUUID(),yr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:c,refreshDeps:s=[]}=e,u=rt(n),f=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:d,setBoundWallet:y,setJkt:h,setRefreshId:b,getRefreshId:g,setLastPolicyHash:E,setLastPolicyProof:A,setLastHost:S,setRootJkt:w,ready:l}=mt(),{ensureRootKeypair:m,rootPrivRef:C,rootPubJwkRef:oe}=gt(),Q=react.useCallback(async()=>{await m();try{if(!d.rootJkt&&oe.current){let se=await D(oe.current);w(se);}}catch{}},[m,d.rootJkt,oe]),{ensureKeypair:ke,rotate:P,privRef:_e,pubJwkRef:De}=bt(),[vt,T]=react.useState(false),[N,M]=react.useState(0),[z,ae]=react.useState(null),[ee,Ye]=react.useState(null),[Xe,At]=react.useState(null),[Pr,vr]=react.useState(null),[Ar,Kr]=react.useState(null),[xr,Cr]=react.useState(null),Tr=react.useRef(null),Jr=react.useRef(null),Ir=react.useRef(null),Wr=react.useRef(null),_r=react.useRef(null),Dr=react.useRef(null),Lr=react.useRef(null),Hr=react.useRef(false),Mr=react.useRef(false),Or=react.useRef(void 0),Le=react.useRef(false),Ze=react.useRef(false),Kt=react.useRef(null),ie=react.useRef(null);ie.current||(ie.current=new Promise(se=>{Kt.current=se;}));let Qe=react.useRef(null),jr=react.useRef(i),He=react.useRef(null),xt=react.useRef(null),Me=react.useRef(null),Ct=()=>Date.now(),Ur=()=>(Me.current??0)>0&&Me.current<Ct(),et=react.useCallback((se,Gr=15e3)=>{let Tt=Kn();return He.current=Tt,xt.current=se,Me.current=Ct()+Math.max(1e3,Gr),Tt},[]),$r=react.useCallback(()=>((!He.current||Ur())&&et("adhoc",1e4),He.current),[et]),tt=react.useRef(null),Oe=react.useRef(null);Oe.current||(Oe.current=new Promise(se=>{tt.current=se;}));let Nr=react.useCallback(async()=>{!Le.current&&Oe.current&&await Oe.current;},[]),Br=react.useCallback(()=>{Le.current||(Le.current=true,tt.current?.(),tt.current=null);},[]),Fr=react.useCallback(async()=>{!Ze.current&&ie.current&&await ie.current;},[]),Vr=react.useCallback(async()=>{!Ze.current&&ie.current&&await ie.current,Qe.current&&await Qe.current;},[]);return {clientId:t,wallet:r,baseUrl:u,fetchImpl:f,timeoutMs:a,providerAdapter:c,refreshDeps:s,ensureKeypair:ke,rotate:P,ensureRootKeypair:Q,rootPrivRef:C,rootPubJwkRef:oe,privRef:_e,pubJwkRef:De,meta:d,setBoundWallet:y,setJkt:h,setRefreshId:b,accessTokenRef:Ir,tokenExpRef:Wr,authenticated:vt,setAuthenticated:T,loadingCount:N,setLoadingCount:M,error:z,setError:ae,allowed:ee,setAllowed:Ye,denyReason:Xe,setDenyReason:At,sessionExpiry:Pr,setSessionExpiry:vr,sessionData:Ar,setSessionData:Kr,verifyData:xr,setVerifyData:Cr,authWalletRef:Jr,refreshLock:_r,registerLock:Dr,sessionLock:Lr,didInitialRefresh:Hr,didInitialSession:Mr,prevWalletRef:Or,initResolvedRef:Ze,initReady:ie,initResolveRef:Kt,rotateLock:Qe,waitReady:Fr,awaitKeyStable:Vr,proofRef:jr,registerCooldownUntilRef:Tr,reqIdRef:He,flowLabelRef:xt,flowExpireRef:Me,beginFlow:et,currentReqId:$r,awaitProbe:Nr,markProbed:Br,hasProbedRef:Le,getRefreshId:g,setLastPolicyHash:E,setLastPolicyProof:A,setLastHost:S,setRootJkt:w,metaReady:l}};var ye=e=>e.accessTokenRef.current??null,G=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},x=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var xn=(e,t)=>`${e.toUpperCase()} ${t}`;async function We(e,t,r){if(!t)return false;let n=We._nonceCacheRef||(We._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let l=await D(e.rootPubJwkRef.current);e.setRootJkt?.(l);}catch{}let S=await D(x(e)),w=await e.getRefreshId();o=await fe({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:S,clientId:e.clientId,sid:w||void 0,ttlSec:300});}}catch{}let a=e.currentReqId(),i="/auth/register",c=`${e.baseUrl}${i}`,s=new URL(e.baseUrl).origin,u="POST",f=`${s}${i}`,d=xn(u,f),y=n.map.get(d),h=await $({method:u,url:f,nonce:y,privateKey:G(e),publicJwk:x(e)}),b=async S=>e.fetchImpl(c,{method:u,headers:{"content-type":"application/json","x-sunbreak-meta":U(e,{reqId:a,pode:o||void 0}),...S},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),g=await b({DPoP:h}),E=S=>{let w=S.headers.get("dpop-nonce");w&&n.map.set(d,w);};if(g.status===401){let S=g.headers.get("www-authenticate"),l=(S&&S.match(/dpop-nonce="([^"]+)"/i))?.[1];if(l){n.map.set(d,l);let m=await $({method:u,url:f,nonce:l,privateKey:G(e),publicJwk:x(e)});g=await b({DPoP:m});}}if(E(g),!g.ok){let S=await Ie(g);if((g.headers.get("content-type")||"").includes("application/json")){let l;try{l=await g.clone().json();}catch{}let m=Je(l&&(l.error||l.message||l.detail)||`HTTP ${g.status}`);throw de(m,S)}else {let l=S.waf?"Blocked by WAF (403)":S.alb403?"Blocked at origin (ALB 403)":`HTTP ${g.status}`;throw de(l,S)}}let A=await g.json();e.accessTokenRef.current=A.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let S=Math.floor(Date.now()/1e3);e.tokenExpRef.current=S+(A.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await D(x(e)));}catch{}try{let S={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:A.refreshId??null};e.setRefreshId(A.refreshId??null);let w=Ke(e.clientId);await R(w,S);try{localStorage.setItem(w,JSON.stringify(S));}catch{}}catch{}return !0}catch(o){let a=Number(o?.status||0),i=String(o?.code||""),c=String(o?.message||""),s=Math.floor(Math.random()*1e3);if((a===401||a===403)&&i.toLowerCase()==="replay"){if(e.providerAdapter)try{let u=await e.providerAdapter.getToken()??null;if(u)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Pe(e.providerAdapter,u),e.registerCooldownUntilRef.current=Date.now()+5e3+s,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+s,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+s,false}if(a===403&&(o?.waf||o?.alb403))return e.setError(c||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+s,false;if(a===403)return e.setError(i||c||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+s,false;if(a===429||a===503){e.setError(i||c||"Rate limited / unavailable");let u=a===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+u+s,false}return e.setError(i||c||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+s,false}}var Cn=(e,t)=>`${e.toUpperCase()} ${t}`;function qe(e){return e.refreshLock.current||(e.refreshLock.current=(async()=>{try{if(await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let t=ye(e);if(t){let w=e.tokenExpRef.current,l=Math.floor(Date.now()/1e3);if(!!t&&!!w&&w-l>5)return !0}e.beginFlow("refresh",15e3);let r=e.currentReqId();await e.ensureKeypair();let n;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let m=await D(e.rootPubJwkRef.current);e.setRootJkt?.(m);}catch{}let w=await D(x(e)),l=await e.getRefreshId();n=await fe({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:w,clientId:e.clientId,sid:l||void 0,ttlSec:300});}}catch{}let o="/auth/refresh",a=`${e.baseUrl}${o}`,i=new URL(e.baseUrl).origin,c="POST",s=`${i}${o}`,u=Cn(c,s),f=qe._nonceCacheRef||(qe._nonceCacheRef={map:new Map}),d=async w=>await $({method:c,url:s,nonce:w,privateKey:G(e),publicJwk:x(e)}),y=await e.getRefreshId(),h={"x-sunbreak-meta":U(e,{reqId:r,refreshId:y||void 0,pode:n||void 0}),"content-type":"application/json"},b=async w=>e.fetchImpl(a,{method:c,headers:{DPoP:w,...h},credentials:"include",body:"{}"}),g=w=>{let l=w.headers.get("dpop-nonce");l&&f.map.set(u,l);},E=await b(await d(f.map.get(u)));if(E.status===401){let w=E.headers.get("www-authenticate"),m=(w&&w.match(/dpop-nonce="([^"]+)"/i))?.[1];m&&(f.map.set(u,m),E=await b(await d(m)));}if(g(E),!E.ok){try{if((E.headers.get("content-type")||"").includes("application/json")){let l=await E.clone().json().catch(()=>{}),m=l&&(l.error||l.code||l.message)||"",C=String(m).toLowerCase();if(C.includes("missing")&&C.includes("refresh")){try{e.setRefreshId?.(null);}catch{}try{e.setBoundWallet?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}}}catch{}return !1}let A=await E.json();e.accessTokenRef.current=A.access,e.setAuthenticated(!0);let S=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=S?S.toLowerCase():null;try{let w=Math.floor(Date.now()/1e3);e.tokenExpRef.current=w+(A.expiresIn??0);}catch{}try{e.setJkt(await D(x(e)));}catch{}return A.refreshId&&e.setRefreshId(A.refreshId),!0}finally{e.refreshLock.current=null;}})()),e.refreshLock.current}var Tn=(e,t)=>`${e.toUpperCase()} ${t}`,Et=new Map;async function mr(e){if(e.hasProbedRef.current)return;let t=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let r;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let y=await D(x(e));r=await fe({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:y,clientId:e.clientId,ttlSec:300});}catch{}let n="POST",o="/auth/probe",a=`${e.baseUrl}${o}`,i=`${t}${o}`,c=Tn(n,i),s=async y=>e.fetchImpl(a,{method:n,headers:{DPoP:y,"x-sunbreak-meta":U(e,{pode:r}),"content-type":"application/json"},credentials:"include",body:"{}"}),u=async y=>await $({method:n,url:i,nonce:y,privateKey:G(e),publicJwk:x(e)}),f=await s(await u(Et.get(c))),d=y=>{let h=y.headers.get("dpop-nonce");h&&Et.set(c,h);};if(d(f),f.status===401){let y=f.headers.get("www-authenticate"),b=(y&&y.match(/dpop-nonce="([^"]+)"/i))?.[1];b&&(Et.set(c,b),f=await s(await u(b)),d(f));}e.markProbed();}catch{e.markProbed();}}var wr=e=>{let t=react.useCallback(()=>qe(e),[e]),r=react.useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a||!e.wallet||!e.initResolvedRef.current||e.refreshLock.current||e.registerLock.current)return;let i=e.wallet,c=e.meta.boundWallet;if(i&&c&&i.toLowerCase()===c.toLowerCase()&&!e.didInitialRefresh.current)return;let u=e.proofRef.current;!u||!(!e.authenticated||e.meta.boundWallet!==e.wallet)||(await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await We(e,e.wallet,u)&&(e.didInitialSession.current=!0);}catch(d){e.setError(d?.message||String(d)||"Register failed");}finally{e.registerLock.current=null;}})());},[e]),n=react.useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Pe(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a)=>We(e,o,a),attemptRegister:r,setProofFromAdapterToken:n}};var Jn=(e,t)=>`${e.toUpperCase()} ${t}`;async function ze(e,t,r,n,o,a={}){e.setLoadingCount(u=>u+1),e.setError(null);let i=n.startsWith("/api/session"),c=new AbortController,s=setTimeout(()=>c.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let f=`${i?ot(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,y=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,h=Jn(r,y),b=n.startsWith("/auth/"),g=!1,E=!1,A=e.currentReqId(),S=ze._nonceCacheRef||(ze._nonceCacheRef={map:new Map}),w=T=>{let N=T.headers.get("dpop-nonce");N&&S.map.set(h,N);},l=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),m,C,oe=async()=>{if(b||l)return;try{let ae=ye(e),ee=e.tokenExpRef.current,Ye=Math.floor(Date.now()/1e3),Xe=!!ee&&ee-Ye<=60;if((!ae||Xe)&&!await t().catch(()=>!1))return}catch{}let T=ye(e);if(!T)return;let N=await Ge(T),M=S.map.get(h),z=await $({method:r,url:y,nonce:M,ath:N,privateKey:G(e),publicJwk:x(e)});m=`Bearer ${e.accessTokenRef.current}`,C=z;};await oe();let Q={"content-type":"application/json","x-sunbreak-auth":m||"","x-sunbreak-meta":U(e,{reqId:A,auth:m,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...at(a.headers)};C&&(Q.DPoP=C);let ke=async()=>e.fetchImpl(f,{...a,method:r,headers:Q,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:c.signal}),P=await ke(),_e=P.headers.get("x-sunbreak-policy-hash"),De=P.headers.get("x-sunbreak-policy-proof");if(_e&&e.setLastPolicyHash(_e),De&&e.setLastPolicyProof(De),w(P),P.status===401&&!b){let T=ye(e),N=P.headers.get("www-authenticate"),z=(N&&N.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!l&&z&&T&&!E){E=!0,S.map.set(h,z);let ae=await Ge(T),ee=await $({method:r,url:y,nonce:z,ath:ae,privateKey:G(e),publicJwk:x(e)});m=`Bearer ${e.accessTokenRef.current}`,C=ee,Q["x-sunbreak-meta"]=U(e,{reqId:A,auth:m}),Q.DPoP=C,P=await ke(),w(P);}if(P.status===401&&!g){g=!0;let ae=await t(),ee=ye(e);ae&&ee&&!l&&(await oe(),Q["x-sunbreak-meta"]=U(e,{reqId:A,auth:m}),C&&(Q.DPoP=C),P=await ke(),w(P));}if(P.status===401)throw new Error("Unauthorized")}if(!P.ok){let T=await Ie(P);if((P.headers.get("content-type")||"").includes("application/json")){let M=await P.json().catch(()=>{}),z=Je(M&&(M.error||M.message||M.detail)||`HTTP ${P.status}`);throw de(z,T)}else {let M=T.waf?"Blocked by WAF (403)":T.alb403?"Blocked at origin (ALB 403)":`HTTP ${P.status}`;throw de(M,T)}}return (P.headers.get("content-type")||"").includes("application/json")?await P.json():void 0}finally{clearTimeout(s),e.setLoadingCount(u=>Math.max(0,u-1));}}var hr=(e,t)=>react.useCallback(async(r,n,o,a={})=>ze(e,t,r,n,o,a),[e,t]);async function br(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function Sr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var gr=(e,t)=>{let r=react.useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await br(e,t)}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=react.useCallback(async()=>{if(e.wallet)return await Sr(e,t)},[e,t]);return {session:r,verify:n}};var Er=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;react.useEffect(()=>{return (async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.ensureRootKeypair(),await mr(e);}catch{}})(),()=>{}},[]);let c=()=>(e.registerCooldownUntilRef.current??0)>Date.now();react.useEffect(()=>{if(!e.providerAdapter||c()||!e.metaReady)return;let s=e.wallet,u=e.meta.boundWallet;if(s&&u&&s.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let f=false;return (async()=>{try{let d=await e.providerAdapter.getToken()??null;if(await e.awaitKeyStable(),f||!d)return;await a(d),await o();}catch{}})(),()=>{f=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef.current,e.didInitialRefresh.current,...e.refreshDeps]),react.useEffect(()=>{typeof i<"u"&&(e.proofRef.current=i??null);let s=e.wallet,u=e.meta.boundWallet;if(s&&u&&s.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let d=!!s,y=!!e.proofRef.current,h=!!s&&!!e.authWalletRef.current&&s.toLowerCase()!==e.authWalletRef.current.toLowerCase();d&&y&&!e.authenticated&&!h&&e.initResolvedRef.current&&!c()&&o();},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef.current,e.didInitialRefresh.current,o]),react.useEffect(()=>{let s=e.wallet,u=e.meta.boundWallet;if(!e.metaReady||e.didInitialRefresh.current)return;let f=true;return (async()=>{try{if(await e.waitReady(),e.accessTokenRef.current||e.authenticated){e.didInitialRefresh.current=!0,s&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}let d=s&&u&&s.toLowerCase()===u.toLowerCase(),y=s&&!u,h=!s&&!u;if(y){e.didInitialRefresh.current=!0;return}if(!h&&!d){e.didInitialRefresh.current=!0;return}e.didInitialRefresh.current=!0;let b=await r();if(!f)return;e.setAuthenticated(b),b&&s&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(d){if(!f)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(d?.message||String(d)||"Unknown error");}})(),()=>{f=false;}},[e.wallet,e.meta.boundWallet,e.metaReady,e.didInitialRefresh.current,r,n]),react.useEffect(()=>{e.prevWalletRef.current===void 0&&(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),react.useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{await n();}catch(s){e.setError(s?.message||String(s));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),react.useEffect(()=>{let s=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==s&&(e.didInitialRefresh.current=false),!e.wallet){e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}s&&e.wallet&&s!==e.wallet&&(e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}));},[e.wallet]),react.useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),react.useEffect(()=>{let u=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return false;let y=e.tokenExpRef.current;if(!y)return false;let h=Math.floor(Date.now()/1e3);return y-h<=30},f=async()=>{try{u()&&await r();}catch{}},d=async()=>{document.visibilityState==="visible"&&await f();};return window.addEventListener("focus",f),document.addEventListener("visibilitychange",d),()=>{window.removeEventListener("focus",f),document.removeEventListener("visibilitychange",d);}},[e,r]),react.useEffect(()=>{let f=()=>{let h=Math.floor(Date.now()/1e3),b=e.tokenExpRef.current,g=e.sessionExpiry,E=!!b&&b-h<=30&&b-h>0,A=!!g&&g-h<=3600&&g-h>0;return {tokenSoon:E,sessionSoon:A}},d=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:h,sessionSoon:b}=f();(h||b)&&await r()&&b&&await n();}catch{}},y=async()=>{document.visibilityState==="visible"&&await d();};return window.addEventListener("focus",d),document.addEventListener("visibilitychange",y),()=>{window.removeEventListener("focus",d),document.removeEventListener("visibilitychange",y);}},[e,e.sessionExpiry,r,n]);};var kr=react.createContext(void 0),Ln=e=>{let t=yr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=wr(t),a=hr(t,r),{session:i,verify:c}=gr(t,a);Er(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let s=react.useMemo(()=>({get:(u,f)=>a("GET",u,void 0,f),post:(u,f,d)=>a("POST",u,f,d),verify:c,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,c,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsxRuntime.jsx(kr.Provider,{value:s,children:e.children})},Hn=e=>jsxRuntime.jsx(yt,{clientId:e.clientId,children:jsxRuntime.jsx(Ln,{...e})}),Mn=()=>{let e=react.useContext(kr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
7
7
 
8
- exports.SunbreakProvider = Un;
9
- exports.useSunbreak = $n;
8
+ exports.SunbreakProvider = Hn;
9
+ exports.useSunbreak = Mn;
package/dist/index.mjs CHANGED
@@ -1,6 +1,6 @@
1
1
  import { createContext, useContext, useState, useRef, useMemo, useEffect, useCallback } from 'react';
2
2
  import { jsx } from 'react/jsx-runtime';
3
3
 
4
- var zr=Object.defineProperty;var Jt=e=>{throw TypeError(e)};var Xr=(e,t,r)=>t in e?zr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var D=(e,t,r)=>Xr(e,typeof t!="symbol"?t+"":t,r),It=(e,t,r)=>t.has(e)||Jt("Cannot "+r);var d=(e,t,r)=>(It(e,t,"read from private field"),r?r.call(e):t.get(e)),M=(e,t,r)=>t.has(e)?Jt("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),O=(e,t,r,n)=>(It(e,t,"write to private field"),t.set(e,r),r);var ke=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Yr="sunbreak-kv",Pe="kv",je="sunbreak_dpop_meta_v1",K="sunbreak_dpop_key_v1",ve="ES256",T="P-256",Ae=e=>`${je}:${e}`,_t=()=>new Promise((e,t)=>{let r=indexedDB.open(Yr,1);r.onupgradeneeded=()=>r.result.createObjectStore(Pe),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),J=async e=>{try{let t=await _t();return await new Promise((r,n)=>{let a=t.transaction(Pe,"readonly").objectStore(Pe).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},R=async(e,t)=>{let r=await _t();await new Promise((n,o)=>{let i=r.transaction(Pe,"readwrite").objectStore(Pe).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var Zr=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},Qr=e=>e.replace(/\/+$/,""),rt=e=>{let t=Qr(e);return Zr(t)};function ot(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=en(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var en=e=>{for(let t=0;t<nt.length;t++){let r=nt[Math.floor(Math.random()*nt.length)].toLowerCase();if(r!==e)return r}return "alpha"},nt=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var j=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var tn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),rn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),nn=new Set(["dpop","x-sunbreak-meta"]),on=64,Wt=2048,an=64;function at(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=an)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>on||tn.has(i)||rn.has(i)||nn.has(i))continue;let c=String(a);c.length>Wt&&(c=c.slice(0,Wt)),t[i]=c,n++;}return t}var X=new TextEncoder,ye=new TextDecoder;function Dt(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Lt(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Ht(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function Mt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:ye.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=ye.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Ht(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Ue(e){let t=e;return typeof t=="string"&&(t=X.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Lt(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ce=class extends Error{constructor(r,n){super(r,n);D(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};D(ce,"code","ERR_JOSE_GENERIC");var _=class extends ce{constructor(){super(...arguments);D(this,"code","ERR_JOSE_NOT_SUPPORTED");}};D(_,"code","ERR_JOSE_NOT_SUPPORTED");var Y=class extends ce{constructor(){super(...arguments);D(this,"code","ERR_JWS_INVALID");}};D(Y,"code","ERR_JWS_INVALID");var Ke=class extends ce{constructor(){super(...arguments);D(this,"code","ERR_JWT_INVALID");}};D(Ke,"code","ERR_JWT_INVALID");var Ot,jt,it=class extends(jt=ce,Ot=Symbol.asyncIterator,jt){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);D(this,Ot);D(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};D(it,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function B(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function me(e,t){return e.name===t}function st(e){return parseInt(e.name.slice(4),10)}function un(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function ln(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function Ut(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!me(e.algorithm,"HMAC"))throw B("HMAC");let n=parseInt(t.slice(2),10);if(st(e.algorithm.hash)!==n)throw B(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!me(e.algorithm,"RSASSA-PKCS1-v1_5"))throw B("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(st(e.algorithm.hash)!==n)throw B(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!me(e.algorithm,"RSA-PSS"))throw B("RSA-PSS");let n=parseInt(t.slice(2),10);if(st(e.algorithm.hash)!==n)throw B(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!me(e.algorithm,"Ed25519"))throw B("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!me(e.algorithm,t))throw B(t);break}case "ES256":case "ES384":case "ES512":{if(!me(e.algorithm,"ECDSA"))throw B("ECDSA");let n=un(t);if(e.algorithm.namedCurve!==n)throw B(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}ln(e,r);}function $t(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Nt=(e,...t)=>$t("Key must be ",e,...t);function ct(e,t,...r){return $t(`Key for the ${e} algorithm must be `,t,...r)}function ut(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function lt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var ft=e=>ut(e)||lt(e);var Bt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return false;r.add(a);}}return true};function fn(e){return typeof e=="object"&&e!==null}var $e=e=>{if(!fn(e)||Object.prototype.toString.call(e)!=="[object Object]")return false;if(Object.getPrototypeOf(e)===null)return true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Ft=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function dn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new _('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var Vt=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=dn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var Gt=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new _(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function xe(e){return $e(e)&&typeof e.kty=="string"}function qt(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function zt(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function Xt(e){return e.kty==="oct"&&typeof e.k=="string"}var we,Yt=async(e,t,r,n=false)=>{we||(we=new WeakMap);let o=we.get(e);if(o?.[r])return o[r];let a=await Vt({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:we.set(e,{[r]:a}),a},yn=(e,t)=>{we||(we=new WeakMap);let r=we.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let c=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!c)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&c==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES384"&&c==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES512"&&c==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:c},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:we.set(e,{[t]:a}),a},Zt=async(e,t)=>{if(e instanceof Uint8Array||ut(e))return e;if(lt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return yn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Yt(e,r,t)}if(xe(e))return e.k?Mt(e.k):Yt(e,e,t,true);throw new Error("unreachable")};var he=e=>e?.[Symbol.toStringTag],dt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return true},mn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(xe(t)){if(Xt(t)&&dt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!ft(t))throw new TypeError(ct(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${he(t)} instances for symmetric algorithms must be of type "secret"`)}},wn=(e,t,r)=>{if(xe(t))switch(r){case "decrypt":case "sign":if(qt(t)&&dt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(zt(t)&&dt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!ft(t))throw new TypeError(ct(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${he(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${he(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${he(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${he(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${he(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},Qt=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?mn(e,t,r):wn(e,t,r);};var er=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new _(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var tr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Nt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return Ut(t,e,r),t};var te=e=>Math.floor(e.getTime()/1e3);var hn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Ne=e=>{let t=hn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function ue(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var k,Be=class{constructor(t){M(this,k);if(!$e(t))throw new TypeError("JWT Claims Set MUST be an object");O(this,k,structuredClone(t));}data(){return X.encode(JSON.stringify(d(this,k)))}get iss(){return d(this,k).iss}set iss(t){d(this,k).iss=t;}get sub(){return d(this,k).sub}set sub(t){d(this,k).sub=t;}get aud(){return d(this,k).aud}set aud(t){d(this,k).aud=t;}set jti(t){d(this,k).jti=t;}set nbf(t){typeof t=="number"?d(this,k).nbf=ue("setNotBefore",t):t instanceof Date?d(this,k).nbf=ue("setNotBefore",te(t)):d(this,k).nbf=te(new Date)+Ne(t);}set exp(t){typeof t=="number"?d(this,k).exp=ue("setExpirationTime",t):t instanceof Date?d(this,k).exp=ue("setExpirationTime",te(t)):d(this,k).exp=te(new Date)+Ne(t);}set iat(t){typeof t>"u"?d(this,k).iat=te(new Date):t instanceof Date?d(this,k).iat=ue("setIssuedAt",te(t)):typeof t=="string"?d(this,k).iat=ue("setIssuedAt",te(new Date)+Ne(t)):d(this,k).iat=ue("setIssuedAt",t);}};k=new WeakMap;var rr=async(e,t,r)=>{let n=await tr(e,t,"sign");Ft(e,n);let o=await crypto.subtle.sign(er(e,n.algorithm),n,r);return new Uint8Array(o)};var Ce,W,F,Fe=class{constructor(t){M(this,Ce);M(this,W);M(this,F);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");O(this,Ce,t);}setProtectedHeader(t){if(d(this,W))throw new TypeError("setProtectedHeader can only be called once");return O(this,W,t),this}setUnprotectedHeader(t){if(d(this,F))throw new TypeError("setUnprotectedHeader can only be called once");return O(this,F,t),this}async sign(t,r){if(!d(this,W)&&!d(this,F))throw new Y("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Bt(d(this,W),d(this,F)))throw new Y("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...d(this,W),...d(this,F)},o=Gt(Y,new Map([["b64",true]]),r?.crit,d(this,W),n),a=true;if(o.has("b64")&&(a=d(this,W).b64,typeof a!="boolean"))throw new Y('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new Y('JWS "alg" (Algorithm) Header Parameter missing or invalid');Qt(i,t,"sign");let c=d(this,Ce);a&&(c=X.encode(Ue(c)));let s;d(this,W)?s=X.encode(Ue(JSON.stringify(d(this,W)))):s=X.encode("");let u=Dt(s,X.encode("."),c),l=await Zt(t,i),p=await rr(i,l,u),m={signature:Ue(p),payload:""};return a&&(m.payload=ye.decode(c)),d(this,F)&&(m.header=d(this,F)),d(this,W)&&(m.protected=ye.decode(s)),m}};Ce=new WeakMap,W=new WeakMap,F=new WeakMap;var be,Ve=class{constructor(t){M(this,be);O(this,be,new Fe(t));}setProtectedHeader(t){return d(this,be).setProtectedHeader(t),this}async sign(t,r){let n=await d(this,be).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};be=new WeakMap;var re,L,le=class{constructor(t={}){M(this,re);M(this,L);O(this,L,new Be(t));}setIssuer(t){return d(this,L).iss=t,this}setSubject(t){return d(this,L).sub=t,this}setAudience(t){return d(this,L).aud=t,this}setJti(t){return d(this,L).jti=t,this}setNotBefore(t){return d(this,L).nbf=t,this}setExpirationTime(t){return d(this,L).exp=t,this}setIssuedAt(t){return d(this,L).iat=t,this}setProtectedHeader(t){return O(this,re,t),this}async sign(t,r){let n=new Ve(d(this,L).data());if(n.setProtectedHeader(d(this,re)),Array.isArray(d(this,re)?.crit)&&d(this,re).crit.includes("b64")&&d(this,re).b64===false)throw new Ke("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};re=new WeakMap,L=new WeakMap;var bn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),Ge=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return bn(r)},U=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,c={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(c.nonce=n),o&&(c.ath=o),await new le(c).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var $=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function Te(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,c=Math.floor(Date.now()/1e3),s=c+Math.max(60,Math.min(i,3600)),u={child_jkt:n,client_id:o,aud:"issuer",iat:c,exp:s,jti:crypto.randomUUID()};return a&&(u.sid=a),await new le(u).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Ie(e){let t=e.status,r=Array.from(e.headers.keys()).some(c=>c.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let c=await e.clone().json();n=typeof c?.error=="string"?c.error:void 0,o=typeof c?.detail=="string"?c.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function fe(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Se={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},pt=createContext(void 0);function sr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Se}catch{return Se}}function gn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var yt=({children:e,clientId:t})=>{let[r,n]=useState(Se),o=useRef(false),[a,i]=useState(false),c=useMemo(()=>Ae(t),[t]);useEffect(()=>{let f=true;return (async()=>{let x=await J(c)??await J(je)??sr(c);f&&(n({...Se,...x}),o.current=true,i(true));})(),()=>{f=false;}},[c]),useEffect(()=>{o.current&&(async()=>(await R(c,r),gn(c,r)))();},[r,c]);let s=useCallback(f=>n(y=>({...y,refreshId:f})),[]),u=useCallback(f=>n(y=>({...y,lastPolicyHash:f})),[]),l=useCallback(f=>n(y=>({...y,lastPolicyProof:f})),[]),p=useCallback(f=>n(y=>({...y,lastHost:f})),[]),m=useCallback(f=>n(y=>({...y,rootJkt:f})),[]),h=async()=>{try{let f=localStorage.getItem(c);if(f){let y=JSON.parse(f);if(typeof y?.refreshId=="string"&&y.refreshId)return y.refreshId}}catch{}try{let f=await J(c);if(typeof f?.refreshId=="string"&&f.refreshId)return f.refreshId}catch{}return null},S=useCallback(f=>n(y=>({...y,boundWallet:f})),[]),g=useCallback(f=>n(y=>({...y,clientId:f})),[]),E=useCallback(f=>n(y=>({...y,jkt:f})),[]),A=useCallback(()=>n(Se),[]),b=useCallback(async()=>{let y=await J(c)??sr(c);n({...Se,...y});},[]),w=useMemo(()=>({meta:r,setBoundWallet:S,setClientId:g,setJkt:E,resetMeta:A,reload:b,setRefreshId:s,getRefreshId:h,ready:a,setLastPolicyHash:u,setLastPolicyProof:l,setLastHost:p,setRootJkt:m}),[r,S,g,E,A,b,a,s,h,u,l,p,m]);return jsx(pt.Provider,{value:w,children:e})};function mt(){let e=useContext(pt);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var ur=`${K}:wrap`;async function wt(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:T},!0,["sign","verify"]),t=`${K}:probe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await J(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function ge(e){let t={...e};return delete t.d,t.kty="EC",t.crv=T,t.alg=ve,t.use="sig",t}async function lr(){let e=await J(ur);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(ur,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function ht(e){let t=await lr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Pn(e,t){let r=await lr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var bt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let s=await J(K);if(!s)return false;if(s.fmt==="cryptokey"){let l=s;return l.privKey?(e.current=l.privKey,t.current=ge(l.pubJwk),true):(await R(K,void 0),false)}if(s.fmt==="encjwk"){let l=s;try{let p=await Pn(l.encPrivJwk,l.iv),m=await crypto.subtle.importKey("jwk",p,{name:"ECDSA",namedCurve:T},!1,["sign"]);return e.current=m,t.current=ge(l.pubJwk),!0}catch{return await R(K,void 0),false}}let u=s;if(u&&u.d)if(await wt()){let p=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:T},false,["sign"]),{d:m,...h}=u,S=ge(h);return await R(K,{fmt:"cryptokey",privKey:p,pubJwk:S}),e.current=p,t.current=S,true}else {let{d:p,...m}=u,h=ge(m),{encPrivJwk:S,iv:g}=await ht(u);await R(K,{fmt:"encjwk",encPrivJwk:S,iv:g,pubJwk:h});let E=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:T},false,["sign"]);return e.current=E,t.current=h,true}return await R(K,void 0),false},[]),n=useCallback(async(s,u)=>{await R(K,{fmt:"cryptokey",privKey:s,pubJwk:u});},[]),o=useCallback(async(s,u)=>{let{encPrivJwk:l,iv:p}=await ht(s);await R(K,{fmt:"encjwk",encPrivJwk:l,iv:p,pubJwk:u});},[]),a=useCallback(async()=>{if(e.current&&t.current||await r())return;let s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:T},true,["sign","verify"]),u=ge(await crypto.subtle.exportKey("jwk",s.publicKey));if(await wt())await n(s.privateKey,u),e.current=s.privateKey,t.current=u;else {let l=await crypto.subtle.exportKey("jwk",s.privateKey);await o(l,u),e.current=s.privateKey,t.current=u;}},[r,n,o]),i=useCallback(async()=>{let s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:T},true,["sign","verify"]),u=ge(await crypto.subtle.exportKey("jwk",s.publicKey));if(await wt())await R(K,{fmt:"cryptokey",privKey:s.privateKey,pubJwk:u});else {let l=await crypto.subtle.exportKey("jwk",s.privateKey),{encPrivJwk:p,iv:m}=await ht(l);await R(K,{fmt:"encjwk",encPrivJwk:p,iv:m,pubJwk:u});}e.current=s.privateKey,t.current=u;},[]),c=useCallback(async()=>{await R(K,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:c,privRef:e,pubJwkRef:t}};var Z="sunbreak_root_key_v1",dr=`${Z}:wrap`;async function vn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:T},!0,["sign","verify"]),t=`${Z}:probe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await J(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function Rt(e){let t={...e};return delete t.d,t.kty="EC",t.crv=T,t.alg=ve,t.use="sig",t}async function pr(){let e=await J(dr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(dr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function An(e){let t=await pr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Kn(e,t){let r=await pr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var gt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let a=await J(Z);if(!a)return false;if(a.fmt==="cryptokey"){let i=a;return i.privKey?(e.current=i.privKey,t.current=Rt(i.pubJwk),true):(await R(Z,void 0),false)}if(a.fmt==="encjwk"){let i=a;try{let c=await Kn(i.encPrivJwk,i.iv),s=await crypto.subtle.importKey("jwk",c,{name:"ECDSA",namedCurve:T},!1,["sign"]);return e.current=s,t.current=Rt(i.pubJwk),!0}catch{return await R(Z,void 0),false}}return await R(Z,void 0),false},[]),n=useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:T},true,["sign","verify"]),i=Rt(await crypto.subtle.exportKey("jwk",a.publicKey)),c=Date.now();if(await vn())await R(Z,{fmt:"cryptokey",privKey:a.privateKey,pubJwk:i,createdAt:c});else {let s=await crypto.subtle.exportKey("jwk",a.privateKey),{encPrivJwk:u,iv:l}=await An(s);await R(Z,{fmt:"encjwk",encPrivJwk:u,iv:l,pubJwk:i,createdAt:c});}e.current=a.privateKey,t.current=i;},[r]),o=useCallback(async()=>{await R(Z,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var xn=()=>crypto.randomUUID(),yr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:c,refreshDeps:s=[]}=e,u=rt(n),l=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:p,setBoundWallet:m,setJkt:h,setRefreshId:S,getRefreshId:g,setLastPolicyHash:E,setLastPolicyProof:A,setLastHost:b,setRootJkt:w,ready:f}=mt(),{ensureRootKeypair:y,rootPrivRef:x,rootPubJwkRef:oe}=gt(),Q=useCallback(async()=>{await y();try{if(!p.rootJkt&&oe.current){let se=await $(oe.current);w(se);}}catch{}},[y,p.rootJkt,oe]),{ensureKeypair:Ee,rotate:P,privRef:We,pubJwkRef:De}=bt(),[vt,C]=useState(false),[N,H]=useState(0),[z,ae]=useState(null),[ee,Xe]=useState(null),[Ye,At]=useState(null),[vr,Ar]=useState(null),[Kr,xr]=useState(null),[Cr,Tr]=useState(null),Jr=useRef(null),Ir=useRef(null),_r=useRef(null),Wr=useRef(null),Dr=useRef(null),Lr=useRef(null),Hr=useRef(null),Mr=useRef(false),Or=useRef(false),jr=useRef(void 0),Le=useRef(false),Ze=useRef(false),Kt=useRef(null),ie=useRef(null);ie.current||(ie.current=new Promise(se=>{Kt.current=se;}));let Qe=useRef(null),Ur=useRef(i),He=useRef(null),xt=useRef(null),Me=useRef(null),Ct=()=>Date.now(),$r=()=>(Me.current??0)>0&&Me.current<Ct(),et=useCallback((se,qr=15e3)=>{let Tt=xn();return He.current=Tt,xt.current=se,Me.current=Ct()+Math.max(1e3,qr),Tt},[]),Nr=useCallback(()=>((!He.current||$r())&&et("adhoc",1e4),He.current),[et]),tt=useRef(null),Oe=useRef(null);Oe.current||(Oe.current=new Promise(se=>{tt.current=se;}));let Br=useCallback(async()=>{!Le.current&&Oe.current&&await Oe.current;},[]),Fr=useCallback(()=>{Le.current||(Le.current=true,tt.current?.(),tt.current=null);},[]),Vr=useCallback(async()=>{!Ze.current&&ie.current&&await ie.current;},[]),Gr=useCallback(async()=>{!Ze.current&&ie.current&&await ie.current,Qe.current&&await Qe.current;},[]);return {clientId:t,wallet:r,baseUrl:u,fetchImpl:l,timeoutMs:a,providerAdapter:c,refreshDeps:s,ensureKeypair:Ee,rotate:P,ensureRootKeypair:Q,rootPrivRef:x,rootPubJwkRef:oe,privRef:We,pubJwkRef:De,meta:p,setBoundWallet:m,setJkt:h,setRefreshId:S,accessTokenRef:_r,tokenExpRef:Wr,authenticated:vt,setAuthenticated:C,loadingCount:N,setLoadingCount:H,error:z,setError:ae,allowed:ee,setAllowed:Xe,denyReason:Ye,setDenyReason:At,sessionExpiry:vr,setSessionExpiry:Ar,sessionData:Kr,setSessionData:xr,verifyData:Cr,setVerifyData:Tr,authWalletRef:Ir,refreshLock:Dr,registerLock:Lr,sessionLock:Hr,didInitialRefresh:Mr,didInitialSession:Or,prevWalletRef:jr,initResolvedRef:Ze,initReady:ie,initResolveRef:Kt,rotateLock:Qe,waitReady:Vr,awaitKeyStable:Gr,proofRef:Ur,registerCooldownUntilRef:Jr,reqIdRef:He,flowLabelRef:xt,flowExpireRef:Me,beginFlow:et,currentReqId:Nr,awaitProbe:Br,markProbed:Fr,hasProbedRef:Le,getRefreshId:g,setLastPolicyHash:E,setLastPolicyProof:A,setLastHost:b,setRootJkt:w,metaReady:f}};var pe=e=>e.accessTokenRef.current??null,G=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},I=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Cn=(e,t)=>`${e.toUpperCase()} ${t}`;async function _e(e,t,r){if(!t)return false;let n=_e._nonceCacheRef||(_e._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let f=await $(e.rootPubJwkRef.current);e.setRootJkt?.(f);}catch{}let b=await $(I(e)),w=await e.getRefreshId();o=await Te({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:b,clientId:e.clientId,sid:w||void 0,ttlSec:300});}}catch{}let a=e.currentReqId(),i="/auth/register",c=`${e.baseUrl}${i}`,s=new URL(e.baseUrl).origin,u="POST",l=`${s}${i}`,p=Cn(u,l),m=n.map.get(p),h=await U({method:u,url:l,nonce:m,privateKey:G(e),publicJwk:I(e)}),S=async b=>e.fetchImpl(c,{method:u,headers:{"content-type":"application/json","x-sunbreak-meta":j(e,{reqId:a,pode:o||void 0}),...b},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),g=await S({DPoP:h}),E=b=>{let w=b.headers.get("dpop-nonce");w&&n.map.set(p,w);};if(g.status===401){let b=g.headers.get("www-authenticate"),f=(b&&b.match(/dpop-nonce="([^"]+)"/i))?.[1];if(f){n.map.set(p,f);let y=await U({method:u,url:l,nonce:f,privateKey:G(e),publicJwk:I(e)});g=await S({DPoP:y});}}if(E(g),!g.ok){let b=await Ie(g);if((g.headers.get("content-type")||"").includes("application/json")){let f;try{f=await g.clone().json();}catch{}let y=Je(f&&(f.error||f.message||f.detail)||`HTTP ${g.status}`);throw fe(y,b)}else {let f=b.waf?"Blocked by WAF (403)":b.alb403?"Blocked at origin (ALB 403)":`HTTP ${g.status}`;throw fe(f,b)}}let A=await g.json();e.accessTokenRef.current=A.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let b=Math.floor(Date.now()/1e3);e.tokenExpRef.current=b+(A.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await $(I(e)));}catch{}try{let b={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:A.refreshId??null};e.setRefreshId(A.refreshId??null);let w=Ae(e.clientId);await R(w,b);try{localStorage.setItem(w,JSON.stringify(b));}catch{}}catch{}return !0}catch(o){let a=Number(o?.status||0),i=String(o?.code||""),c=String(o?.message||""),s=Math.floor(Math.random()*1e3);if((a===401||a===403)&&i.toLowerCase()==="replay"){if(e.providerAdapter)try{let u=await e.providerAdapter.getToken()??null;if(u)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await ke(e.providerAdapter,u),e.registerCooldownUntilRef.current=Date.now()+5e3+s,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+s,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+s,false}if(a===403&&(o?.waf||o?.alb403))return e.setError(c||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+s,false;if(a===403)return e.setError(i||c||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+s,false;if(a===429||a===503){e.setError(i||c||"Rate limited / unavailable");let u=a===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+u+s,false}return e.setError(i||c||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+s,false}}var Tn=(e,t)=>`${e.toUpperCase()} ${t}`;function qe(e){return e.refreshLock.current||(e.refreshLock.current=(async()=>{try{if(await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let t=pe(e);if(t){let w=e.tokenExpRef.current,f=Math.floor(Date.now()/1e3);if(!!t&&!!w&&w-f>5)return !0}e.beginFlow("refresh",15e3);let r=e.currentReqId();await e.ensureKeypair();let n;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let y=await $(e.rootPubJwkRef.current);e.setRootJkt?.(y);}catch{}let w=await $(I(e)),f=await e.getRefreshId();n=await Te({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:w,clientId:e.clientId,sid:f||void 0,ttlSec:300});}}catch{}let o="/auth/refresh",a=`${e.baseUrl}${o}`,i=new URL(e.baseUrl).origin,c="POST",s=`${i}${o}`,u=Tn(c,s),l=qe._nonceCacheRef||(qe._nonceCacheRef={map:new Map}),p=async w=>await U({method:c,url:s,nonce:w,privateKey:G(e),publicJwk:I(e)}),m=await e.getRefreshId(),h={"x-sunbreak-meta":j(e,{reqId:r,refreshId:m||void 0,pode:n||void 0}),"content-type":"application/json"},S=async w=>e.fetchImpl(a,{method:c,headers:{DPoP:w,...h},credentials:"include",body:"{}"}),g=w=>{let f=w.headers.get("dpop-nonce");f&&l.map.set(u,f);},E=await S(await p(l.map.get(u)));if(E.status===401){let w=E.headers.get("www-authenticate"),y=(w&&w.match(/dpop-nonce="([^"]+)"/i))?.[1];y&&(l.map.set(u,y),E=await S(await p(y)));}if(g(E),!E.ok){try{if((E.headers.get("content-type")||"").includes("application/json")){let f=await E.clone().json().catch(()=>{}),y=f&&(f.error||f.code||f.message)||"",x=String(y).toLowerCase();if(x.includes("missing")&&x.includes("refresh")){try{e.setRefreshId?.(null);}catch{}try{e.setBoundWallet?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}}}catch{}return !1}let A=await E.json();e.accessTokenRef.current=A.access,e.setAuthenticated(!0);let b=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=b?b.toLowerCase():null;try{let w=Math.floor(Date.now()/1e3);e.tokenExpRef.current=w+(A.expiresIn??0);}catch{}try{e.setJkt(await $(I(e)));}catch{}return A.refreshId&&e.setRefreshId(A.refreshId),!0}finally{e.refreshLock.current=null;}})()),e.refreshLock.current}var Jn=(e,t)=>`${e.toUpperCase()} ${t}`,Et=new Map,In="sunbreak_probe_v1",mr=e=>`${In}::${e}`,_n=(e,t=6*60*60*1e3)=>{try{let r=localStorage.getItem(mr(e));if(!r)return !0;let n=Number(r);return Number.isFinite(n)?Date.now()-n>=t:!0}catch{return true}},Wn=e=>{try{localStorage.setItem(mr(e),String(Date.now()));}catch{}};async function wr(e){let t=new URL(e.baseUrl).origin;if(!_n(t)){e.hasProbedRef.current||e.markProbed();return}try{await e.awaitKeyStable(),await e.ensureKeypair();let r="POST",n="/auth/probe",o=`${e.baseUrl}${n}`,a=new URL(e.baseUrl).origin,i=`${a}${n}`,c=Jn(r,i),s=async m=>e.fetchImpl(o,{method:r,headers:{DPoP:m,"x-sunbreak-meta":j(e),"content-type":"application/json"},credentials:"include",body:"{}"}),u=async m=>await U({method:r,url:i,nonce:m,privateKey:G(e),publicJwk:I(e)}),l=await s(await u(Et.get(c))),p=m=>{let h=m.headers.get("dpop-nonce");h&&Et.set(c,h);};if(p(l),l.status===401){let m=l.headers.get("www-authenticate"),S=(m&&m.match(/dpop-nonce="([^"]+)"/i))?.[1];S&&(Et.set(c,S),l=await s(await u(S)),p(l));}l.ok||l.status===204?(Wn(a),e.markProbed()):e.hasProbedRef.current||e.markProbed();}catch{e.hasProbedRef.current||e.markProbed();}}var hr=e=>{let t=useCallback(()=>qe(e),[e]),r=useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a||!e.wallet||!e.initResolvedRef.current||e.refreshLock.current||!e.didInitialRefresh.current||e.registerLock.current)return;let i=e.proofRef.current;!i||!(!e.authenticated||e.meta.boundWallet!==e.wallet)||(await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await _e(e,e.wallet,i)&&(e.didInitialSession.current=!0);}catch(s){e.setError(s?.message||String(s)||"Register failed");}finally{e.registerLock.current=null;}})());},[e]),n=useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await ke(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a)=>_e(e,o,a),attemptRegister:r,setProofFromAdapterToken:n}};var Dn=(e,t)=>`${e.toUpperCase()} ${t}`;async function ze(e,t,r,n,o,a={}){e.setLoadingCount(u=>u+1),e.setError(null);let i=n.startsWith("/api/session"),c=new AbortController,s=setTimeout(()=>c.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?ot(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,m=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,h=Dn(r,m),S=n.startsWith("/auth/"),g=!1,E=!1,A=e.currentReqId(),b=ze._nonceCacheRef||(ze._nonceCacheRef={map:new Map}),w=C=>{let N=C.headers.get("dpop-nonce");N&&b.map.set(h,N);},f=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),y,x,oe=async()=>{if(S||f)return;try{let ae=pe(e),ee=e.tokenExpRef.current,Xe=Math.floor(Date.now()/1e3),Ye=!!ee&&ee-Xe<=60;if((!ae||Ye)&&!await t().catch(()=>!1))return}catch{}let C=pe(e);if(!C)return;let N=await Ge(C),H=b.map.get(h),z=await U({method:r,url:m,nonce:H,ath:N,privateKey:G(e),publicJwk:I(e)});y=`Bearer ${e.accessTokenRef.current}`,x=z;};await oe();let Q={"content-type":"application/json","x-sunbreak-auth":y||"","x-sunbreak-meta":j(e,{reqId:A,auth:y,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...at(a.headers)};x&&(Q.DPoP=x);let Ee=async()=>e.fetchImpl(l,{...a,method:r,headers:Q,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:c.signal}),P=await Ee(),We=P.headers.get("x-sunbreak-policy-hash"),De=P.headers.get("x-sunbreak-policy-proof");if(We&&e.setLastPolicyHash(We),De&&e.setLastPolicyProof(De),w(P),P.status===401&&!S){let C=pe(e),N=P.headers.get("www-authenticate"),z=(N&&N.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!f&&z&&C&&!E){E=!0,b.map.set(h,z);let ae=await Ge(C),ee=await U({method:r,url:m,nonce:z,ath:ae,privateKey:G(e),publicJwk:I(e)});y=`Bearer ${e.accessTokenRef.current}`,x=ee,Q["x-sunbreak-meta"]=j(e,{reqId:A,auth:y}),Q.DPoP=x,P=await Ee(),w(P);}if(P.status===401&&!g){g=!0;let ae=await t(),ee=pe(e);ae&&ee&&!f&&(await oe(),Q["x-sunbreak-meta"]=j(e,{reqId:A,auth:y}),x&&(Q.DPoP=x),P=await Ee(),w(P));}if(P.status===401)throw new Error("Unauthorized")}if(!P.ok){let C=await Ie(P);if((P.headers.get("content-type")||"").includes("application/json")){let H=await P.json().catch(()=>{}),z=Je(H&&(H.error||H.message||H.detail)||`HTTP ${P.status}`);throw fe(z,C)}else {let H=C.waf?"Blocked by WAF (403)":C.alb403?"Blocked at origin (ALB 403)":`HTTP ${P.status}`;throw fe(H,C)}}return (P.headers.get("content-type")||"").includes("application/json")?await P.json():void 0}finally{clearTimeout(s),e.setLoadingCount(u=>Math.max(0,u-1));}}var br=(e,t)=>useCallback(async(r,n,o,a={})=>ze(e,t,r,n,o,a),[e,t]);async function Sr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function Rr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var Er=(e,t)=>{let r=useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await Sr(e,t)}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=useCallback(async()=>{if(e.wallet)return await Rr(e,t)},[e,t]);return {session:r,verify:n}};var kr=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;useEffect(()=>{return (async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.ensureRootKeypair(),await wr(e);}catch{}})(),()=>{}},[]);let c=()=>(e.registerCooldownUntilRef.current??0)>Date.now();useEffect(()=>{if(!e.providerAdapter||c()||!e.metaReady)return;let s=e.wallet,u=e.meta.boundWallet;if(s&&u&&s.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let l=false;return (async()=>{try{let p=await e.providerAdapter.getToken()??null;if(await e.awaitKeyStable(),l||!p)return;await a(p),await o();}catch{}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef.current,e.didInitialRefresh.current,...e.refreshDeps]),useEffect(()=>{typeof i<"u"&&(e.proofRef.current=i??null);let s=e.wallet,u=e.meta.boundWallet;if(s&&u&&s.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let p=!!s,m=!!e.proofRef.current,h=!!s&&!!e.authWalletRef.current&&s.toLowerCase()!==e.authWalletRef.current.toLowerCase();p&&m&&!e.authenticated&&!h&&e.initResolvedRef.current&&!c()&&o();},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef.current,e.didInitialRefresh.current,o]),useEffect(()=>{let s=e.wallet,u=e.meta.boundWallet;if(!e.metaReady||e.didInitialRefresh.current)return;let l=true;return (async()=>{try{if(await e.waitReady(),e.accessTokenRef.current||e.authenticated){e.didInitialRefresh.current=!0,s&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}if(!(!s&&!u||s&&u&&s.toLowerCase()===u.toLowerCase()))return;e.didInitialRefresh.current=!0;let m=await r();if(!l)return;e.setAuthenticated(m),m&&s&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(p){if(!l)return;e.setAuthenticated(false),e.setError(p?.message||String(p)||"Unknown error");}})(),()=>{l=false;}},[e.wallet,e.meta.boundWallet,e.metaReady,e.didInitialRefresh.current,r,n]),useEffect(()=>{e.prevWalletRef.current===void 0&&(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{await n();}catch(s){e.setError(s?.message||String(s));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),useEffect(()=>{let s=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==s&&(e.didInitialRefresh.current=false),!e.wallet){e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}s&&e.wallet&&s!==e.wallet&&(e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}));},[e.wallet]),useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),useEffect(()=>{let u=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return false;let m=e.tokenExpRef.current;if(!m)return false;let h=Math.floor(Date.now()/1e3);return m-h<=30},l=async()=>{try{u()&&await r();}catch{}},p=async()=>{document.visibilityState==="visible"&&await l();};return window.addEventListener("focus",l),document.addEventListener("visibilitychange",p),()=>{window.removeEventListener("focus",l),document.removeEventListener("visibilitychange",p);}},[e,r]),useEffect(()=>{let l=()=>{let h=Math.floor(Date.now()/1e3),S=e.tokenExpRef.current,g=e.sessionExpiry,E=!!S&&S-h<=30&&S-h>0,A=!!g&&g-h<=3600&&g-h>0;return {tokenSoon:E,sessionSoon:A}},p=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:h,sessionSoon:S}=l();(h||S)&&await r()&&S&&await n();}catch{}},m=async()=>{document.visibilityState==="visible"&&await p();};return window.addEventListener("focus",p),document.addEventListener("visibilitychange",m),()=>{window.removeEventListener("focus",p),document.removeEventListener("visibilitychange",m);}},[e,e.sessionExpiry,r,n]);};var Pr=createContext(void 0),jn=e=>{let t=yr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=hr(t),a=br(t,r),{session:i,verify:c}=Er(t,a);kr(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let s=useMemo(()=>({get:(u,l)=>a("GET",u,void 0,l),post:(u,l,p)=>a("POST",u,l,p),verify:c,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,c,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsx(Pr.Provider,{value:s,children:e.children})},Un=e=>jsx(yt,{clientId:e.clientId,children:jsx(jn,{...e})}),$n=()=>{let e=useContext(Pr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
4
+ var qr=Object.defineProperty;var Jt=e=>{throw TypeError(e)};var zr=(e,t,r)=>t in e?qr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var L=(e,t,r)=>zr(e,typeof t!="symbol"?t+"":t,r),It=(e,t,r)=>t.has(e)||Jt("Cannot "+r);var p=(e,t,r)=>(It(e,t,"read from private field"),r?r.call(e):t.get(e)),O=(e,t,r)=>t.has(e)?Jt("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),j=(e,t,r,n)=>(It(e,t,"write to private field"),t.set(e,r),r);var Pe=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Yr="sunbreak-kv",ve="kv",je="sunbreak_dpop_meta_v1",K="sunbreak_dpop_key_v1",Ae="ES256",J="P-256",Ke=e=>`${je}:${e}`,Wt=()=>new Promise((e,t)=>{let r=indexedDB.open(Yr,1);r.onupgradeneeded=()=>r.result.createObjectStore(ve),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),I=async e=>{try{let t=await Wt();return await new Promise((r,n)=>{let a=t.transaction(ve,"readonly").objectStore(ve).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},R=async(e,t)=>{let r=await Wt();await new Promise((n,o)=>{let i=r.transaction(ve,"readwrite").objectStore(ve).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var Xr=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},Zr=e=>e.replace(/\/+$/,""),rt=e=>{let t=Zr(e);return Xr(t)};function ot(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=Qr(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var Qr=e=>{for(let t=0;t<nt.length;t++){let r=nt[Math.floor(Math.random()*nt.length)].toLowerCase();if(r!==e)return r}return "alpha"},nt=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var U=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var en=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),tn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),rn=new Set(["dpop","x-sunbreak-meta"]),nn=64,_t=2048,on=64;function at(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=on)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>nn||en.has(i)||tn.has(i)||rn.has(i))continue;let c=String(a);c.length>_t&&(c=c.slice(0,_t)),t[i]=c,n++;}return t}var Y=new TextEncoder,me=new TextDecoder;function Dt(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Lt(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Ht(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function Mt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Ht(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Ue(e){let t=e;return typeof t=="string"&&(t=Y.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Lt(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ce=class extends Error{constructor(r,n){super(r,n);L(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};L(ce,"code","ERR_JOSE_GENERIC");var W=class extends ce{constructor(){super(...arguments);L(this,"code","ERR_JOSE_NOT_SUPPORTED");}};L(W,"code","ERR_JOSE_NOT_SUPPORTED");var X=class extends ce{constructor(){super(...arguments);L(this,"code","ERR_JWS_INVALID");}};L(X,"code","ERR_JWS_INVALID");var xe=class extends ce{constructor(){super(...arguments);L(this,"code","ERR_JWT_INVALID");}};L(xe,"code","ERR_JWT_INVALID");var Ot,jt,it=class extends(jt=ce,Ot=Symbol.asyncIterator,jt){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);L(this,Ot);L(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};L(it,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function B(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function st(e){return parseInt(e.name.slice(4),10)}function cn(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function un(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function Ut(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw B("HMAC");let n=parseInt(t.slice(2),10);if(st(e.algorithm.hash)!==n)throw B(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw B("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(st(e.algorithm.hash)!==n)throw B(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw B("RSA-PSS");let n=parseInt(t.slice(2),10);if(st(e.algorithm.hash)!==n)throw B(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw B("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw B(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw B("ECDSA");let n=cn(t);if(e.algorithm.namedCurve!==n)throw B(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}un(e,r);}function $t(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Nt=(e,...t)=>$t("Key must be ",e,...t);function ct(e,t,...r){return $t(`Key for the ${e} algorithm must be `,t,...r)}function ut(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function lt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var ft=e=>ut(e)||lt(e);var Bt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return false;r.add(a);}}return true};function ln(e){return typeof e=="object"&&e!==null}var $e=e=>{if(!ln(e)||Object.prototype.toString.call(e)!=="[object Object]")return false;if(Object.getPrototypeOf(e)===null)return true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Ft=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function fn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new W('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new W('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new W('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new W('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new W('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var Vt=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=fn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var Gt=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new W(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Ce(e){return $e(e)&&typeof e.kty=="string"}function qt(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function zt(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function Yt(e){return e.kty==="oct"&&typeof e.k=="string"}var he,Xt=async(e,t,r,n=false)=>{he||(he=new WeakMap);let o=he.get(e);if(o?.[r])return o[r];let a=await Vt({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:he.set(e,{[r]:a}),a},pn=(e,t)=>{he||(he=new WeakMap);let r=he.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let c=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!c)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&c==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES384"&&c==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES512"&&c==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:c},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:he.set(e,{[t]:a}),a},Zt=async(e,t)=>{if(e instanceof Uint8Array||ut(e))return e;if(lt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return pn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Xt(e,r,t)}if(Ce(e))return e.k?Mt(e.k):Xt(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],dt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return true},yn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Ce(t)){if(Yt(t)&&dt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!ft(t))throw new TypeError(ct(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},mn=(e,t,r)=>{if(Ce(t))switch(r){case "decrypt":case "sign":if(qt(t)&&dt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(zt(t)&&dt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!ft(t))throw new TypeError(ct(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},Qt=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?yn(e,t,r):mn(e,t,r);};var er=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new W(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var tr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Nt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return Ut(t,e,r),t};var te=e=>Math.floor(e.getTime()/1e3);var wn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Ne=e=>{let t=wn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function ue(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var k,Be=class{constructor(t){O(this,k);if(!$e(t))throw new TypeError("JWT Claims Set MUST be an object");j(this,k,structuredClone(t));}data(){return Y.encode(JSON.stringify(p(this,k)))}get iss(){return p(this,k).iss}set iss(t){p(this,k).iss=t;}get sub(){return p(this,k).sub}set sub(t){p(this,k).sub=t;}get aud(){return p(this,k).aud}set aud(t){p(this,k).aud=t;}set jti(t){p(this,k).jti=t;}set nbf(t){typeof t=="number"?p(this,k).nbf=ue("setNotBefore",t):t instanceof Date?p(this,k).nbf=ue("setNotBefore",te(t)):p(this,k).nbf=te(new Date)+Ne(t);}set exp(t){typeof t=="number"?p(this,k).exp=ue("setExpirationTime",t):t instanceof Date?p(this,k).exp=ue("setExpirationTime",te(t)):p(this,k).exp=te(new Date)+Ne(t);}set iat(t){typeof t>"u"?p(this,k).iat=te(new Date):t instanceof Date?p(this,k).iat=ue("setIssuedAt",te(t)):typeof t=="string"?p(this,k).iat=ue("setIssuedAt",te(new Date)+Ne(t)):p(this,k).iat=ue("setIssuedAt",t);}};k=new WeakMap;var rr=async(e,t,r)=>{let n=await tr(e,t,"sign");Ft(e,n);let o=await crypto.subtle.sign(er(e,n.algorithm),n,r);return new Uint8Array(o)};var Te,_,F,Fe=class{constructor(t){O(this,Te);O(this,_);O(this,F);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");j(this,Te,t);}setProtectedHeader(t){if(p(this,_))throw new TypeError("setProtectedHeader can only be called once");return j(this,_,t),this}setUnprotectedHeader(t){if(p(this,F))throw new TypeError("setUnprotectedHeader can only be called once");return j(this,F,t),this}async sign(t,r){if(!p(this,_)&&!p(this,F))throw new X("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Bt(p(this,_),p(this,F)))throw new X("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...p(this,_),...p(this,F)},o=Gt(X,new Map([["b64",true]]),r?.crit,p(this,_),n),a=true;if(o.has("b64")&&(a=p(this,_).b64,typeof a!="boolean"))throw new X('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new X('JWS "alg" (Algorithm) Header Parameter missing or invalid');Qt(i,t,"sign");let c=p(this,Te);a&&(c=Y.encode(Ue(c)));let s;p(this,_)?s=Y.encode(Ue(JSON.stringify(p(this,_)))):s=Y.encode("");let u=Dt(s,Y.encode("."),c),f=await Zt(t,i),d=await rr(i,f,u),y={signature:Ue(d),payload:""};return a&&(y.payload=me.decode(c)),p(this,F)&&(y.header=p(this,F)),p(this,_)&&(y.protected=me.decode(s)),y}};Te=new WeakMap,_=new WeakMap,F=new WeakMap;var Se,Ve=class{constructor(t){O(this,Se);j(this,Se,new Fe(t));}setProtectedHeader(t){return p(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await p(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var re,H,le=class{constructor(t={}){O(this,re);O(this,H);j(this,H,new Be(t));}setIssuer(t){return p(this,H).iss=t,this}setSubject(t){return p(this,H).sub=t,this}setAudience(t){return p(this,H).aud=t,this}setJti(t){return p(this,H).jti=t,this}setNotBefore(t){return p(this,H).nbf=t,this}setExpirationTime(t){return p(this,H).exp=t,this}setIssuedAt(t){return p(this,H).iat=t,this}setProtectedHeader(t){return j(this,re,t),this}async sign(t,r){let n=new Ve(p(this,H).data());if(n.setProtectedHeader(p(this,re)),Array.isArray(p(this,re)?.crit)&&p(this,re).crit.includes("b64")&&p(this,re).b64===false)throw new xe("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};re=new WeakMap,H=new WeakMap;var hn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),Ge=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return hn(r)},$=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,c={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(c.nonce=n),o&&(c.ath=o),await new le(c).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var D=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function fe(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,c=Math.floor(Date.now()/1e3),s=c+Math.max(60,Math.min(i,3600)),u={child_jkt:n,client_id:o,aud:"issuer",iat:c,exp:s,jti:crypto.randomUUID()};return a&&(u.sid=a),await new le(u).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Ie(e){let t=e.status,r=Array.from(e.headers.keys()).some(c=>c.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let c=await e.clone().json();n=typeof c?.error=="string"?c.error:void 0,o=typeof c?.detail=="string"?c.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function de(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},pt=createContext(void 0);function sr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function Rn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var yt=({children:e,clientId:t})=>{let[r,n]=useState(Re),o=useRef(false),[a,i]=useState(false),c=useMemo(()=>Ke(t),[t]);useEffect(()=>{let l=true;return (async()=>{let C=await I(c)??await I(je)??sr(c);l&&(n({...Re,...C}),o.current=true,i(true));})(),()=>{l=false;}},[c]),useEffect(()=>{o.current&&(async()=>(await R(c,r),Rn(c,r)))();},[r,c]);let s=useCallback(l=>n(m=>({...m,refreshId:l})),[]),u=useCallback(l=>n(m=>({...m,lastPolicyHash:l})),[]),f=useCallback(l=>n(m=>({...m,lastPolicyProof:l})),[]),d=useCallback(l=>n(m=>({...m,lastHost:l})),[]),y=useCallback(l=>n(m=>({...m,rootJkt:l})),[]),h=async()=>{try{let l=localStorage.getItem(c);if(l){let m=JSON.parse(l);if(typeof m?.refreshId=="string"&&m.refreshId)return m.refreshId}}catch{}try{let l=await I(c);if(typeof l?.refreshId=="string"&&l.refreshId)return l.refreshId}catch{}return null},b=useCallback(l=>n(m=>({...m,boundWallet:l})),[]),g=useCallback(l=>n(m=>({...m,clientId:l})),[]),E=useCallback(l=>n(m=>({...m,jkt:l})),[]),A=useCallback(()=>n(Re),[]),S=useCallback(async()=>{let m=await I(c)??sr(c);n({...Re,...m});},[]),w=useMemo(()=>({meta:r,setBoundWallet:b,setClientId:g,setJkt:E,resetMeta:A,reload:S,setRefreshId:s,getRefreshId:h,ready:a,setLastPolicyHash:u,setLastPolicyProof:f,setLastHost:d,setRootJkt:y}),[r,b,g,E,A,S,a,s,h,u,f,d,y]);return jsx(pt.Provider,{value:w,children:e})};function mt(){let e=useContext(pt);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var ur=`${K}:wrap`;async function wt(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:J},!0,["sign","verify"]),t=`${K}:probe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await I(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function Ee(e){let t={...e};return delete t.d,t.kty="EC",t.crv=J,t.alg=Ae,t.use="sig",t}async function lr(){let e=await I(ur);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(ur,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function ht(e){let t=await lr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function kn(e,t){let r=await lr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var bt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let s=await I(K);if(!s)return false;if(s.fmt==="cryptokey"){let f=s;return f.privKey?(e.current=f.privKey,t.current=Ee(f.pubJwk),true):(await R(K,void 0),false)}if(s.fmt==="encjwk"){let f=s;try{let d=await kn(f.encPrivJwk,f.iv),y=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:J},!1,["sign"]);return e.current=y,t.current=Ee(f.pubJwk),!0}catch{return await R(K,void 0),false}}let u=s;if(u&&u.d)if(await wt()){let d=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:J},false,["sign"]),{d:y,...h}=u,b=Ee(h);return await R(K,{fmt:"cryptokey",privKey:d,pubJwk:b}),e.current=d,t.current=b,true}else {let{d,...y}=u,h=Ee(y),{encPrivJwk:b,iv:g}=await ht(u);await R(K,{fmt:"encjwk",encPrivJwk:b,iv:g,pubJwk:h});let E=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:J},false,["sign"]);return e.current=E,t.current=h,true}return await R(K,void 0),false},[]),n=useCallback(async(s,u)=>{await R(K,{fmt:"cryptokey",privKey:s,pubJwk:u});},[]),o=useCallback(async(s,u)=>{let{encPrivJwk:f,iv:d}=await ht(s);await R(K,{fmt:"encjwk",encPrivJwk:f,iv:d,pubJwk:u});},[]),a=useCallback(async()=>{if(e.current&&t.current||await r())return;let s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:J},true,["sign","verify"]),u=Ee(await crypto.subtle.exportKey("jwk",s.publicKey));if(await wt())await n(s.privateKey,u),e.current=s.privateKey,t.current=u;else {let f=await crypto.subtle.exportKey("jwk",s.privateKey);await o(f,u),e.current=s.privateKey,t.current=u;}},[r,n,o]),i=useCallback(async()=>{let s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:J},true,["sign","verify"]),u=Ee(await crypto.subtle.exportKey("jwk",s.publicKey));if(await wt())await R(K,{fmt:"cryptokey",privKey:s.privateKey,pubJwk:u});else {let f=await crypto.subtle.exportKey("jwk",s.privateKey),{encPrivJwk:d,iv:y}=await ht(f);await R(K,{fmt:"encjwk",encPrivJwk:d,iv:y,pubJwk:u});}e.current=s.privateKey,t.current=u;},[]),c=useCallback(async()=>{await R(K,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:c,privRef:e,pubJwkRef:t}};var Z="sunbreak_root_key_v1",dr=`${Z}:wrap`;async function Pn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:J},!0,["sign","verify"]),t=`${Z}:probe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await I(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function Rt(e){let t={...e};return delete t.d,t.kty="EC",t.crv=J,t.alg=Ae,t.use="sig",t}async function pr(){let e=await I(dr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(dr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function vn(e){let t=await pr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function An(e,t){let r=await pr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var gt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let a=await I(Z);if(!a)return false;if(a.fmt==="cryptokey"){let i=a;return i.privKey?(e.current=i.privKey,t.current=Rt(i.pubJwk),true):(await R(Z,void 0),false)}if(a.fmt==="encjwk"){let i=a;try{let c=await An(i.encPrivJwk,i.iv),s=await crypto.subtle.importKey("jwk",c,{name:"ECDSA",namedCurve:J},!1,["sign"]);return e.current=s,t.current=Rt(i.pubJwk),!0}catch{return await R(Z,void 0),false}}return await R(Z,void 0),false},[]),n=useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:J},true,["sign","verify"]),i=Rt(await crypto.subtle.exportKey("jwk",a.publicKey)),c=Date.now();if(await Pn())await R(Z,{fmt:"cryptokey",privKey:a.privateKey,pubJwk:i,createdAt:c});else {let s=await crypto.subtle.exportKey("jwk",a.privateKey),{encPrivJwk:u,iv:f}=await vn(s);await R(Z,{fmt:"encjwk",encPrivJwk:u,iv:f,pubJwk:i,createdAt:c});}e.current=a.privateKey,t.current=i;},[r]),o=useCallback(async()=>{await R(Z,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var Kn=()=>crypto.randomUUID(),yr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:c,refreshDeps:s=[]}=e,u=rt(n),f=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:d,setBoundWallet:y,setJkt:h,setRefreshId:b,getRefreshId:g,setLastPolicyHash:E,setLastPolicyProof:A,setLastHost:S,setRootJkt:w,ready:l}=mt(),{ensureRootKeypair:m,rootPrivRef:C,rootPubJwkRef:oe}=gt(),Q=useCallback(async()=>{await m();try{if(!d.rootJkt&&oe.current){let se=await D(oe.current);w(se);}}catch{}},[m,d.rootJkt,oe]),{ensureKeypair:ke,rotate:P,privRef:_e,pubJwkRef:De}=bt(),[vt,T]=useState(false),[N,M]=useState(0),[z,ae]=useState(null),[ee,Ye]=useState(null),[Xe,At]=useState(null),[Pr,vr]=useState(null),[Ar,Kr]=useState(null),[xr,Cr]=useState(null),Tr=useRef(null),Jr=useRef(null),Ir=useRef(null),Wr=useRef(null),_r=useRef(null),Dr=useRef(null),Lr=useRef(null),Hr=useRef(false),Mr=useRef(false),Or=useRef(void 0),Le=useRef(false),Ze=useRef(false),Kt=useRef(null),ie=useRef(null);ie.current||(ie.current=new Promise(se=>{Kt.current=se;}));let Qe=useRef(null),jr=useRef(i),He=useRef(null),xt=useRef(null),Me=useRef(null),Ct=()=>Date.now(),Ur=()=>(Me.current??0)>0&&Me.current<Ct(),et=useCallback((se,Gr=15e3)=>{let Tt=Kn();return He.current=Tt,xt.current=se,Me.current=Ct()+Math.max(1e3,Gr),Tt},[]),$r=useCallback(()=>((!He.current||Ur())&&et("adhoc",1e4),He.current),[et]),tt=useRef(null),Oe=useRef(null);Oe.current||(Oe.current=new Promise(se=>{tt.current=se;}));let Nr=useCallback(async()=>{!Le.current&&Oe.current&&await Oe.current;},[]),Br=useCallback(()=>{Le.current||(Le.current=true,tt.current?.(),tt.current=null);},[]),Fr=useCallback(async()=>{!Ze.current&&ie.current&&await ie.current;},[]),Vr=useCallback(async()=>{!Ze.current&&ie.current&&await ie.current,Qe.current&&await Qe.current;},[]);return {clientId:t,wallet:r,baseUrl:u,fetchImpl:f,timeoutMs:a,providerAdapter:c,refreshDeps:s,ensureKeypair:ke,rotate:P,ensureRootKeypair:Q,rootPrivRef:C,rootPubJwkRef:oe,privRef:_e,pubJwkRef:De,meta:d,setBoundWallet:y,setJkt:h,setRefreshId:b,accessTokenRef:Ir,tokenExpRef:Wr,authenticated:vt,setAuthenticated:T,loadingCount:N,setLoadingCount:M,error:z,setError:ae,allowed:ee,setAllowed:Ye,denyReason:Xe,setDenyReason:At,sessionExpiry:Pr,setSessionExpiry:vr,sessionData:Ar,setSessionData:Kr,verifyData:xr,setVerifyData:Cr,authWalletRef:Jr,refreshLock:_r,registerLock:Dr,sessionLock:Lr,didInitialRefresh:Hr,didInitialSession:Mr,prevWalletRef:Or,initResolvedRef:Ze,initReady:ie,initResolveRef:Kt,rotateLock:Qe,waitReady:Fr,awaitKeyStable:Vr,proofRef:jr,registerCooldownUntilRef:Tr,reqIdRef:He,flowLabelRef:xt,flowExpireRef:Me,beginFlow:et,currentReqId:$r,awaitProbe:Nr,markProbed:Br,hasProbedRef:Le,getRefreshId:g,setLastPolicyHash:E,setLastPolicyProof:A,setLastHost:S,setRootJkt:w,metaReady:l}};var ye=e=>e.accessTokenRef.current??null,G=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},x=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var xn=(e,t)=>`${e.toUpperCase()} ${t}`;async function We(e,t,r){if(!t)return false;let n=We._nonceCacheRef||(We._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let l=await D(e.rootPubJwkRef.current);e.setRootJkt?.(l);}catch{}let S=await D(x(e)),w=await e.getRefreshId();o=await fe({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:S,clientId:e.clientId,sid:w||void 0,ttlSec:300});}}catch{}let a=e.currentReqId(),i="/auth/register",c=`${e.baseUrl}${i}`,s=new URL(e.baseUrl).origin,u="POST",f=`${s}${i}`,d=xn(u,f),y=n.map.get(d),h=await $({method:u,url:f,nonce:y,privateKey:G(e),publicJwk:x(e)}),b=async S=>e.fetchImpl(c,{method:u,headers:{"content-type":"application/json","x-sunbreak-meta":U(e,{reqId:a,pode:o||void 0}),...S},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),g=await b({DPoP:h}),E=S=>{let w=S.headers.get("dpop-nonce");w&&n.map.set(d,w);};if(g.status===401){let S=g.headers.get("www-authenticate"),l=(S&&S.match(/dpop-nonce="([^"]+)"/i))?.[1];if(l){n.map.set(d,l);let m=await $({method:u,url:f,nonce:l,privateKey:G(e),publicJwk:x(e)});g=await b({DPoP:m});}}if(E(g),!g.ok){let S=await Ie(g);if((g.headers.get("content-type")||"").includes("application/json")){let l;try{l=await g.clone().json();}catch{}let m=Je(l&&(l.error||l.message||l.detail)||`HTTP ${g.status}`);throw de(m,S)}else {let l=S.waf?"Blocked by WAF (403)":S.alb403?"Blocked at origin (ALB 403)":`HTTP ${g.status}`;throw de(l,S)}}let A=await g.json();e.accessTokenRef.current=A.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let S=Math.floor(Date.now()/1e3);e.tokenExpRef.current=S+(A.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await D(x(e)));}catch{}try{let S={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:A.refreshId??null};e.setRefreshId(A.refreshId??null);let w=Ke(e.clientId);await R(w,S);try{localStorage.setItem(w,JSON.stringify(S));}catch{}}catch{}return !0}catch(o){let a=Number(o?.status||0),i=String(o?.code||""),c=String(o?.message||""),s=Math.floor(Math.random()*1e3);if((a===401||a===403)&&i.toLowerCase()==="replay"){if(e.providerAdapter)try{let u=await e.providerAdapter.getToken()??null;if(u)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Pe(e.providerAdapter,u),e.registerCooldownUntilRef.current=Date.now()+5e3+s,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+s,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+s,false}if(a===403&&(o?.waf||o?.alb403))return e.setError(c||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+s,false;if(a===403)return e.setError(i||c||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+s,false;if(a===429||a===503){e.setError(i||c||"Rate limited / unavailable");let u=a===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+u+s,false}return e.setError(i||c||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+s,false}}var Cn=(e,t)=>`${e.toUpperCase()} ${t}`;function qe(e){return e.refreshLock.current||(e.refreshLock.current=(async()=>{try{if(await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let t=ye(e);if(t){let w=e.tokenExpRef.current,l=Math.floor(Date.now()/1e3);if(!!t&&!!w&&w-l>5)return !0}e.beginFlow("refresh",15e3);let r=e.currentReqId();await e.ensureKeypair();let n;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let m=await D(e.rootPubJwkRef.current);e.setRootJkt?.(m);}catch{}let w=await D(x(e)),l=await e.getRefreshId();n=await fe({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:w,clientId:e.clientId,sid:l||void 0,ttlSec:300});}}catch{}let o="/auth/refresh",a=`${e.baseUrl}${o}`,i=new URL(e.baseUrl).origin,c="POST",s=`${i}${o}`,u=Cn(c,s),f=qe._nonceCacheRef||(qe._nonceCacheRef={map:new Map}),d=async w=>await $({method:c,url:s,nonce:w,privateKey:G(e),publicJwk:x(e)}),y=await e.getRefreshId(),h={"x-sunbreak-meta":U(e,{reqId:r,refreshId:y||void 0,pode:n||void 0}),"content-type":"application/json"},b=async w=>e.fetchImpl(a,{method:c,headers:{DPoP:w,...h},credentials:"include",body:"{}"}),g=w=>{let l=w.headers.get("dpop-nonce");l&&f.map.set(u,l);},E=await b(await d(f.map.get(u)));if(E.status===401){let w=E.headers.get("www-authenticate"),m=(w&&w.match(/dpop-nonce="([^"]+)"/i))?.[1];m&&(f.map.set(u,m),E=await b(await d(m)));}if(g(E),!E.ok){try{if((E.headers.get("content-type")||"").includes("application/json")){let l=await E.clone().json().catch(()=>{}),m=l&&(l.error||l.code||l.message)||"",C=String(m).toLowerCase();if(C.includes("missing")&&C.includes("refresh")){try{e.setRefreshId?.(null);}catch{}try{e.setBoundWallet?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}}}catch{}return !1}let A=await E.json();e.accessTokenRef.current=A.access,e.setAuthenticated(!0);let S=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=S?S.toLowerCase():null;try{let w=Math.floor(Date.now()/1e3);e.tokenExpRef.current=w+(A.expiresIn??0);}catch{}try{e.setJkt(await D(x(e)));}catch{}return A.refreshId&&e.setRefreshId(A.refreshId),!0}finally{e.refreshLock.current=null;}})()),e.refreshLock.current}var Tn=(e,t)=>`${e.toUpperCase()} ${t}`,Et=new Map;async function mr(e){if(e.hasProbedRef.current)return;let t=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let r;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let y=await D(x(e));r=await fe({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:y,clientId:e.clientId,ttlSec:300});}catch{}let n="POST",o="/auth/probe",a=`${e.baseUrl}${o}`,i=`${t}${o}`,c=Tn(n,i),s=async y=>e.fetchImpl(a,{method:n,headers:{DPoP:y,"x-sunbreak-meta":U(e,{pode:r}),"content-type":"application/json"},credentials:"include",body:"{}"}),u=async y=>await $({method:n,url:i,nonce:y,privateKey:G(e),publicJwk:x(e)}),f=await s(await u(Et.get(c))),d=y=>{let h=y.headers.get("dpop-nonce");h&&Et.set(c,h);};if(d(f),f.status===401){let y=f.headers.get("www-authenticate"),b=(y&&y.match(/dpop-nonce="([^"]+)"/i))?.[1];b&&(Et.set(c,b),f=await s(await u(b)),d(f));}e.markProbed();}catch{e.markProbed();}}var wr=e=>{let t=useCallback(()=>qe(e),[e]),r=useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a||!e.wallet||!e.initResolvedRef.current||e.refreshLock.current||e.registerLock.current)return;let i=e.wallet,c=e.meta.boundWallet;if(i&&c&&i.toLowerCase()===c.toLowerCase()&&!e.didInitialRefresh.current)return;let u=e.proofRef.current;!u||!(!e.authenticated||e.meta.boundWallet!==e.wallet)||(await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await We(e,e.wallet,u)&&(e.didInitialSession.current=!0);}catch(d){e.setError(d?.message||String(d)||"Register failed");}finally{e.registerLock.current=null;}})());},[e]),n=useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Pe(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a)=>We(e,o,a),attemptRegister:r,setProofFromAdapterToken:n}};var Jn=(e,t)=>`${e.toUpperCase()} ${t}`;async function ze(e,t,r,n,o,a={}){e.setLoadingCount(u=>u+1),e.setError(null);let i=n.startsWith("/api/session"),c=new AbortController,s=setTimeout(()=>c.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let f=`${i?ot(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,y=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,h=Jn(r,y),b=n.startsWith("/auth/"),g=!1,E=!1,A=e.currentReqId(),S=ze._nonceCacheRef||(ze._nonceCacheRef={map:new Map}),w=T=>{let N=T.headers.get("dpop-nonce");N&&S.map.set(h,N);},l=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),m,C,oe=async()=>{if(b||l)return;try{let ae=ye(e),ee=e.tokenExpRef.current,Ye=Math.floor(Date.now()/1e3),Xe=!!ee&&ee-Ye<=60;if((!ae||Xe)&&!await t().catch(()=>!1))return}catch{}let T=ye(e);if(!T)return;let N=await Ge(T),M=S.map.get(h),z=await $({method:r,url:y,nonce:M,ath:N,privateKey:G(e),publicJwk:x(e)});m=`Bearer ${e.accessTokenRef.current}`,C=z;};await oe();let Q={"content-type":"application/json","x-sunbreak-auth":m||"","x-sunbreak-meta":U(e,{reqId:A,auth:m,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...at(a.headers)};C&&(Q.DPoP=C);let ke=async()=>e.fetchImpl(f,{...a,method:r,headers:Q,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:c.signal}),P=await ke(),_e=P.headers.get("x-sunbreak-policy-hash"),De=P.headers.get("x-sunbreak-policy-proof");if(_e&&e.setLastPolicyHash(_e),De&&e.setLastPolicyProof(De),w(P),P.status===401&&!b){let T=ye(e),N=P.headers.get("www-authenticate"),z=(N&&N.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!l&&z&&T&&!E){E=!0,S.map.set(h,z);let ae=await Ge(T),ee=await $({method:r,url:y,nonce:z,ath:ae,privateKey:G(e),publicJwk:x(e)});m=`Bearer ${e.accessTokenRef.current}`,C=ee,Q["x-sunbreak-meta"]=U(e,{reqId:A,auth:m}),Q.DPoP=C,P=await ke(),w(P);}if(P.status===401&&!g){g=!0;let ae=await t(),ee=ye(e);ae&&ee&&!l&&(await oe(),Q["x-sunbreak-meta"]=U(e,{reqId:A,auth:m}),C&&(Q.DPoP=C),P=await ke(),w(P));}if(P.status===401)throw new Error("Unauthorized")}if(!P.ok){let T=await Ie(P);if((P.headers.get("content-type")||"").includes("application/json")){let M=await P.json().catch(()=>{}),z=Je(M&&(M.error||M.message||M.detail)||`HTTP ${P.status}`);throw de(z,T)}else {let M=T.waf?"Blocked by WAF (403)":T.alb403?"Blocked at origin (ALB 403)":`HTTP ${P.status}`;throw de(M,T)}}return (P.headers.get("content-type")||"").includes("application/json")?await P.json():void 0}finally{clearTimeout(s),e.setLoadingCount(u=>Math.max(0,u-1));}}var hr=(e,t)=>useCallback(async(r,n,o,a={})=>ze(e,t,r,n,o,a),[e,t]);async function br(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function Sr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var gr=(e,t)=>{let r=useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await br(e,t)}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=useCallback(async()=>{if(e.wallet)return await Sr(e,t)},[e,t]);return {session:r,verify:n}};var Er=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;useEffect(()=>{return (async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.ensureRootKeypair(),await mr(e);}catch{}})(),()=>{}},[]);let c=()=>(e.registerCooldownUntilRef.current??0)>Date.now();useEffect(()=>{if(!e.providerAdapter||c()||!e.metaReady)return;let s=e.wallet,u=e.meta.boundWallet;if(s&&u&&s.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let f=false;return (async()=>{try{let d=await e.providerAdapter.getToken()??null;if(await e.awaitKeyStable(),f||!d)return;await a(d),await o();}catch{}})(),()=>{f=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef.current,e.didInitialRefresh.current,...e.refreshDeps]),useEffect(()=>{typeof i<"u"&&(e.proofRef.current=i??null);let s=e.wallet,u=e.meta.boundWallet;if(s&&u&&s.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let d=!!s,y=!!e.proofRef.current,h=!!s&&!!e.authWalletRef.current&&s.toLowerCase()!==e.authWalletRef.current.toLowerCase();d&&y&&!e.authenticated&&!h&&e.initResolvedRef.current&&!c()&&o();},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef.current,e.didInitialRefresh.current,o]),useEffect(()=>{let s=e.wallet,u=e.meta.boundWallet;if(!e.metaReady||e.didInitialRefresh.current)return;let f=true;return (async()=>{try{if(await e.waitReady(),e.accessTokenRef.current||e.authenticated){e.didInitialRefresh.current=!0,s&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}let d=s&&u&&s.toLowerCase()===u.toLowerCase(),y=s&&!u,h=!s&&!u;if(y){e.didInitialRefresh.current=!0;return}if(!h&&!d){e.didInitialRefresh.current=!0;return}e.didInitialRefresh.current=!0;let b=await r();if(!f)return;e.setAuthenticated(b),b&&s&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(d){if(!f)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(d?.message||String(d)||"Unknown error");}})(),()=>{f=false;}},[e.wallet,e.meta.boundWallet,e.metaReady,e.didInitialRefresh.current,r,n]),useEffect(()=>{e.prevWalletRef.current===void 0&&(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{await n();}catch(s){e.setError(s?.message||String(s));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),useEffect(()=>{let s=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==s&&(e.didInitialRefresh.current=false),!e.wallet){e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}s&&e.wallet&&s!==e.wallet&&(e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}));},[e.wallet]),useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),useEffect(()=>{let u=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return false;let y=e.tokenExpRef.current;if(!y)return false;let h=Math.floor(Date.now()/1e3);return y-h<=30},f=async()=>{try{u()&&await r();}catch{}},d=async()=>{document.visibilityState==="visible"&&await f();};return window.addEventListener("focus",f),document.addEventListener("visibilitychange",d),()=>{window.removeEventListener("focus",f),document.removeEventListener("visibilitychange",d);}},[e,r]),useEffect(()=>{let f=()=>{let h=Math.floor(Date.now()/1e3),b=e.tokenExpRef.current,g=e.sessionExpiry,E=!!b&&b-h<=30&&b-h>0,A=!!g&&g-h<=3600&&g-h>0;return {tokenSoon:E,sessionSoon:A}},d=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:h,sessionSoon:b}=f();(h||b)&&await r()&&b&&await n();}catch{}},y=async()=>{document.visibilityState==="visible"&&await d();};return window.addEventListener("focus",d),document.addEventListener("visibilitychange",y),()=>{window.removeEventListener("focus",d),document.removeEventListener("visibilitychange",y);}},[e,e.sessionExpiry,r,n]);};var kr=createContext(void 0),Ln=e=>{let t=yr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=wr(t),a=hr(t,r),{session:i,verify:c}=gr(t,a);Er(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let s=useMemo(()=>({get:(u,f)=>a("GET",u,void 0,f),post:(u,f,d)=>a("POST",u,f,d),verify:c,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,c,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsx(kr.Provider,{value:s,children:e.children})},Hn=e=>jsx(yt,{clientId:e.clientId,children:jsx(Ln,{...e})}),Mn=()=>{let e=useContext(kr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
5
5
 
6
- export { Un as SunbreakProvider, $n as useSunbreak };
6
+ export { Hn as SunbreakProvider, Mn as useSunbreak };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@tdfc/sunbreak-react",
3
- "version": "0.1.2",
3
+ "version": "0.1.3",
4
4
  "description": "SDK for connecting to the Sunbreak API",
5
5
  "license": "UNLICENSED",
6
6
  "repository": "github:thedigitalfinancecompany/sunbreak-react",