npm - @tdfc/sunbreak-react - Versions diffs - 0.1.6 → 0.1.7 - Mend

@tdfc/sunbreak-react 0.1.6 → 0.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.cjs CHANGED Viewed

@@ -3,7 +3,7 @@
 var react = require('react');
 var jsxRuntime = require('react/jsx-runtime');
-var Yr=Object.defineProperty;var It=e=>{throw TypeError(e)};var Xr=(e,t,r)=>t in e?Yr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var H=(e,t,r)=>Xr(e,typeof t!="symbol"?t+"":t,r),Dt=(e,t,r)=>t.has(e)||It("Cannot "+r);var y=(e,t,r)=>(Dt(e,t,"read from private field"),r?r.call(e):t.get(e)),O=(e,t,r)=>t.has(e)?It("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),U=(e,t,r,n)=>(Dt(e,t,"write to private field"),t.set(e,r),r);var Pe=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Zr="sunbreak-kv",ve="kv",Ue="sunbreak_dpop_meta_v1",x="sunbreak_dpop_key_v1",Ke="ES256",E="P-256",Ae=e=>`${Ue}:${e}`,Wt=()=>new Promise((e,t)=>{let r=indexedDB.open(Zr,1);r.onupgradeneeded=()=>r.result.createObjectStore(ve),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),C=async e=>{try{let t=await Wt();return await new Promise((r,n)=>{let a=t.transaction(ve,"readonly").objectStore(ve).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},g=async(e,t)=>{let r=await Wt();await new Promise((n,o)=>{let i=r.transaction(ve,"readwrite").objectStore(ve).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var Qr=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},en=e=>e.replace(/\/+$/,""),it=e=>{let t=en(e);return Qr(t)};function ct(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=tn(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var tn=e=>{for(let t=0;t<st.length;t++){let r=st[Math.floor(Math.random()*st.length)].toLowerCase();if(r!==e)return r}return "alpha"},st=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var $=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var rn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),nn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),on=new Set(["dpop","x-sunbreak-meta"]),an=64,_t=2048,sn=64;function ut(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=sn)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>an||rn.has(i)||nn.has(i)||on.has(i))continue;let s=String(a);s.length>_t&&(s=s.slice(0,_t)),t[i]=s,n++;}return t}var Q=new TextEncoder,me=new TextDecoder;function Lt(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Ht(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Mt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function jt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Mt(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function $e(e){let t=e;return typeof t=="string"&&(t=Q.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Ht(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ue=class extends Error{constructor(r,n){super(r,n);H(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};H(ue,"code","ERR_JOSE_GENERIC");var D=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JOSE_NOT_SUPPORTED");}};H(D,"code","ERR_JOSE_NOT_SUPPORTED");var ee=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWS_INVALID");}};H(ee,"code","ERR_JWS_INVALID");var xe=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWT_INVALID");}};H(xe,"code","ERR_JWT_INVALID");var Ot,Ut,lt=class extends(Ut=ue,Ot=Symbol.asyncIterator,Ut){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);H(this,Ot);H(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};H(lt,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function F(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function ft(e){return parseInt(e.name.slice(4),10)}function ln(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function fn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function $t(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw F("HMAC");let n=parseInt(t.slice(2),10);if(ft(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw F("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(ft(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw F("RSA-PSS");let n=parseInt(t.slice(2),10);if(ft(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw F("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw F(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw F("ECDSA");let n=ln(t);if(e.algorithm.namedCurve!==n)throw F(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}fn(e,r);}function Nt(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Bt=(e,...t)=>Nt("Key must be ",e,...t);function dt(e,t,...r){return Nt(`Key for the ${e} algorithm must be `,t,...r)}function pt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function yt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var mt=e=>pt(e)||yt(e);var Vt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return  true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return  false;r.add(a);}}return  true};function dn(e){return typeof e=="object"&&e!==null}var Ne=e=>{if(!dn(e)||Object.prototype.toString.call(e)!=="[object Object]")return  false;if(Object.getPrototypeOf(e)===null)return  true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Ft=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function pn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new D('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var Gt=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=pn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var qt=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new D(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Ce(e){return Ne(e)&&typeof e.kty=="string"}function zt(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function Yt(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function Xt(e){return e.kty==="oct"&&typeof e.k=="string"}var he,Zt=async(e,t,r,n=false)=>{he||(he=new WeakMap);let o=he.get(e);if(o?.[r])return o[r];let a=await Gt({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:he.set(e,{[r]:a}),a},mn=(e,t)=>{he||(he=new WeakMap);let r=he.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&s==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES384"&&s==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES512"&&s==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:s},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:he.set(e,{[t]:a}),a},Qt=async(e,t)=>{if(e instanceof Uint8Array||pt(e))return e;if(yt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return mn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Zt(e,r,t)}if(Ce(e))return e.k?jt(e.k):Zt(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],wt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return  true},wn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Ce(t)){if(Xt(t)&&wt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!mt(t))throw new TypeError(dt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},hn=(e,t,r)=>{if(Ce(t))switch(r){case "decrypt":case "sign":if(zt(t)&&wt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(Yt(t)&&wt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!mt(t))throw new TypeError(dt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},er=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?wn(e,t,r):hn(e,t,r);};var tr=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new D(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var rr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Bt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return $t(t,e,r),t};var ne=e=>Math.floor(e.getTime()/1e3);var bn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Be=e=>{let t=bn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function le(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var v,Ve=class{constructor(t){O(this,v);if(!Ne(t))throw new TypeError("JWT Claims Set MUST be an object");U(this,v,structuredClone(t));}data(){return Q.encode(JSON.stringify(y(this,v)))}get iss(){return y(this,v).iss}set iss(t){y(this,v).iss=t;}get sub(){return y(this,v).sub}set sub(t){y(this,v).sub=t;}get aud(){return y(this,v).aud}set aud(t){y(this,v).aud=t;}set jti(t){y(this,v).jti=t;}set nbf(t){typeof t=="number"?y(this,v).nbf=le("setNotBefore",t):t instanceof Date?y(this,v).nbf=le("setNotBefore",ne(t)):y(this,v).nbf=ne(new Date)+Be(t);}set exp(t){typeof t=="number"?y(this,v).exp=le("setExpirationTime",t):t instanceof Date?y(this,v).exp=le("setExpirationTime",ne(t)):y(this,v).exp=ne(new Date)+Be(t);}set iat(t){typeof t>"u"?y(this,v).iat=ne(new Date):t instanceof Date?y(this,v).iat=le("setIssuedAt",ne(t)):typeof t=="string"?y(this,v).iat=le("setIssuedAt",ne(new Date)+Be(t)):y(this,v).iat=le("setIssuedAt",t);}};v=new WeakMap;var nr=async(e,t,r)=>{let n=await rr(e,t,"sign");Ft(e,n);let o=await crypto.subtle.sign(tr(e,n.algorithm),n,r);return new Uint8Array(o)};var Te,W,G,Fe=class{constructor(t){O(this,Te);O(this,W);O(this,G);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");U(this,Te,t);}setProtectedHeader(t){if(y(this,W))throw new TypeError("setProtectedHeader can only be called once");return U(this,W,t),this}setUnprotectedHeader(t){if(y(this,G))throw new TypeError("setUnprotectedHeader can only be called once");return U(this,G,t),this}async sign(t,r){if(!y(this,W)&&!y(this,G))throw new ee("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Vt(y(this,W),y(this,G)))throw new ee("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...y(this,W),...y(this,G)},o=qt(ee,new Map([["b64",true]]),r?.crit,y(this,W),n),a=true;if(o.has("b64")&&(a=y(this,W).b64,typeof a!="boolean"))throw new ee('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new ee('JWS "alg" (Algorithm) Header Parameter missing or invalid');er(i,t,"sign");let s=y(this,Te);a&&(s=Q.encode($e(s)));let c;y(this,W)?c=Q.encode($e(JSON.stringify(y(this,W)))):c=Q.encode("");let u=Lt(c,Q.encode("."),s),l=await Qt(t,i),f=await nr(i,l,u),d={signature:$e(f),payload:""};return a&&(d.payload=me.decode(s)),y(this,G)&&(d.header=y(this,G)),y(this,W)&&(d.protected=me.decode(c)),d}};Te=new WeakMap,W=new WeakMap,G=new WeakMap;var Se,Ge=class{constructor(t){O(this,Se);U(this,Se,new Fe(t));}setProtectedHeader(t){return y(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await y(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var oe,M,fe=class{constructor(t={}){O(this,oe);O(this,M);U(this,M,new Ve(t));}setIssuer(t){return y(this,M).iss=t,this}setSubject(t){return y(this,M).sub=t,this}setAudience(t){return y(this,M).aud=t,this}setJti(t){return y(this,M).jti=t,this}setNotBefore(t){return y(this,M).nbf=t,this}setExpirationTime(t){return y(this,M).exp=t,this}setIssuedAt(t){return y(this,M).iat=t,this}setProtectedHeader(t){return U(this,oe,t),this}async sign(t,r){let n=new Ge(y(this,M).data());if(n.setProtectedHeader(y(this,oe)),Array.isArray(y(this,oe)?.crit)&&y(this,oe).crit.includes("b64")&&y(this,oe).b64===false)throw new xe("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};oe=new WeakMap,M=new WeakMap;var Sn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),qe=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return Sn(r)},N=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,s={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(s.nonce=n),o&&(s.ath=o),await new fe(s).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var _=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function de(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,s=Math.floor(Date.now()/1e3),c=s+Math.max(60,Math.min(i,3600)),u={child_jkt:n,client_id:o,aud:"issuer",iat:s,exp:c,jti:crypto.randomUUID()};return a&&(u.sid=a),await new fe(u).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Ie(e){let t=e.status,r=Array.from(e.headers.keys()).some(s=>s.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let s=await e.clone().json();n=typeof s?.error=="string"?s.error:void 0,o=typeof s?.detail=="string"?s.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function pe(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},ht=react.createContext(void 0);function cr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function kn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var bt=({children:e,clientId:t})=>{let[r,n]=react.useState(Re),o=react.useRef(false),[a,i]=react.useState(false),s=react.useMemo(()=>Ae(t),[t]);react.useEffect(()=>{let p=true;return (async()=>{let I=await C(s)??await C(Ue)??cr(s);p&&(n({...Re,...I}),o.current=true,i(true));})(),()=>{p=false;}},[s]),react.useEffect(()=>{o.current&&(async()=>(await g(s,r),kn(s,r)))();},[r,s]);let c=react.useCallback(p=>n(w=>({...w,refreshId:p})),[]),u=react.useCallback(p=>n(w=>({...w,lastPolicyHash:p})),[]),l=react.useCallback(p=>n(w=>({...w,lastPolicyProof:p})),[]),f=react.useCallback(p=>n(w=>({...w,lastHost:p})),[]),d=react.useCallback(p=>n(w=>({...w,rootJkt:p})),[]),h=async()=>{try{let p=localStorage.getItem(s);if(p){let w=JSON.parse(p);if(typeof w?.refreshId=="string"&&w.refreshId)return w.refreshId}}catch{}try{let p=await C(s);if(typeof p?.refreshId=="string"&&p.refreshId)return p.refreshId}catch{}return null},m=react.useCallback(p=>n(w=>({...w,boundWallet:p})),[]),R=react.useCallback(p=>n(w=>({...w,clientId:p})),[]),k=react.useCallback(p=>n(w=>({...w,jkt:p})),[]),P=react.useCallback(()=>n(Re),[]),b=react.useCallback(async()=>{let w=await C(s)??cr(s);n({...Re,...w});},[]),S=react.useMemo(()=>({meta:r,setBoundWallet:m,setClientId:R,setJkt:k,resetMeta:P,reload:b,setRefreshId:c,getRefreshId:h,ready:a,setLastPolicyHash:u,setLastPolicyProof:l,setLastHost:f,setRootJkt:d}),[r,m,R,k,P,b,a,c,h,u,l,f,d]);return jsxRuntime.jsx(ht.Provider,{value:S,children:e})};function St(){let e=react.useContext(ht);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var lr=`${x}:wrap`;async function ze(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${x}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return  false}}async function vn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!0,["sign","verify"]),t=`${x}:probe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return  false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function fr(){let e=await C(lr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(lr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Rt(e){let t=await fr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Kn(e,t){let r=await fr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var gt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let c=await C(x);if(!c)return  false;if(c.fmt==="cryptokey"){let l=c;if(!l.privKey)return await g(x,void 0),false;let f=l.privKey;try{if(f.extractable&&await ze()){let h=await crypto.subtle.exportKey("jwk",f),m=await crypto.subtle.importKey("jwk",h,{name:"ECDSA",namedCurve:E},!1,["sign"]),R={fmt:"cryptokey",privKey:m,pubJwk:ke(l.pubJwk)};await g(x,R),f=m;}}catch{}return e.current=f,t.current=ke(l.pubJwk),true}if(c.fmt==="encjwk"){let l=c;try{let f=await Kn(l.encPrivJwk,l.iv),d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=d,t.current=ke(l.pubJwk),!0}catch{return await g(x,void 0),false}}let u=c;if(u&&u.d){let{d:l,...f}=u,d=ke(f),h=await ze(),m=h||await vn();if(m&&h){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:d}),e.current=b,t.current=d,true}if(m){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},true,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:d}),e.current=b,t.current=d,true}let{encPrivJwk:R,iv:k}=await Rt(u);await g(x,{fmt:"encjwk",encPrivJwk:R,iv:k,pubJwk:d});let P=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return e.current=P,t.current=d,true}return await g(x,void 0),false},[]),n=react.useCallback(async(c,u)=>{await g(x,{fmt:"cryptokey",privKey:c,pubJwk:u});},[]),o=react.useCallback(async(c,u)=>{let{encPrivJwk:l,iv:f}=await Rt(c);await g(x,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:u});},[]),a=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let c=await ze(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await n(d,l),e.current=d,t.current=l;}else {await o(f,l);let d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=d,t.current=l;}},[r,n,o]),i=react.useCallback(async()=>{let c=await ze(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(x,{fmt:"cryptokey",privKey:d,pubJwk:l}),e.current=d,t.current=l;}else {let{encPrivJwk:d,iv:h}=await Rt(f);await g(x,{fmt:"encjwk",encPrivJwk:d,iv:h,pubJwk:l});let m=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=m,t.current=l;}},[]),s=react.useCallback(async()=>{await g(x,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:s,privRef:e,pubJwkRef:t}};var z="sunbreak_root_key_v1",pr=`${z}:wrap`;async function yr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${z}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return  false}}function Ye(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function mr(){let e=await C(pr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(pr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function An(e){let t=await mr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function xn(e,t){let r=await mr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Et=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let a=await C(z);if(!a)return  false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await g(z,void 0),false;let s=i.privKey;try{if(s.extractable&&await yr()){let u=await crypto.subtle.exportKey("jwk",s),l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},!1,["sign"]),f={fmt:"cryptokey",privKey:l,pubJwk:Ye(i.pubJwk),createdAt:i.createdAt};await g(z,f),s=l;}}catch{}return e.current=s,t.current=Ye(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let s=await xn(i.encPrivJwk,i.iv),c=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=c,t.current=Ye(i.pubJwk),!0}catch{return await g(z,void 0),false}}return await g(z,void 0),false},[]),n=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await yr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),s=Ye(await crypto.subtle.exportKey("jwk",i.publicKey)),c=Date.now(),u=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(z,{fmt:"cryptokey",privKey:l,pubJwk:s,createdAt:c}),e.current=l,t.current=s;}else {let{encPrivJwk:l,iv:f}=await An(u);await g(z,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:s,createdAt:c});let h=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=h,t.current=s;}},[r]),o=react.useCallback(async()=>{await g(z,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var Cn=()=>crypto.randomUUID(),wr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:s,refreshDeps:c=[]}=e,u=it(n),l=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:f,setBoundWallet:d,setJkt:h,setRefreshId:m,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,ready:p}=St(),{ensureRootKeypair:w,rootPrivRef:I,rootPubJwkRef:L}=Et(),We=react.useCallback(async()=>{await w();try{if(!f.rootJkt&&L.current){let ce=await _(L.current);S(ce);}}catch{}},[w,f.rootJkt,L]),{ensureKeypair:te,rotate:Ee,privRef:A,pubJwkRef:_e}=gt(),[Le,At]=react.useState(false),[J,V]=react.useState(0),[j,Z]=react.useState(null),[ie,re]=react.useState(null),[Qe,et]=react.useState(null),[tt,Kr]=react.useState(null),[Ar,xr]=react.useState(null),[Cr,Tr]=react.useState(null),Jr=react.useRef(null),Ir=react.useRef(null),Dr=react.useRef(null),Wr=react.useRef(null),_r=react.useRef(null),Lr=react.useRef(null),Hr=react.useRef(null),Mr=react.useRef(false),jr=react.useRef(false),Or=react.useRef(void 0),He=react.useRef(false),rt=react.useRef(false),xt=react.useRef(null),se=react.useRef(null);se.current||(se.current=new Promise(ce=>{xt.current=ce;}));let nt=react.useRef(null),Ur=react.useRef(i),$r=react.useRef(null),Me=react.useRef(null),Ct=react.useRef(null),je=react.useRef(null),Tt=()=>Date.now(),Nr=()=>(je.current??0)>0&&je.current<Tt(),ot=react.useCallback((ce,zr=15e3)=>{let Jt=Cn();return Me.current=Jt,Ct.current=ce,je.current=Tt()+Math.max(1e3,zr),Jt},[]),Br=react.useCallback(()=>((!Me.current||Nr())&&ot("adhoc",1e4),Me.current),[ot]),at=react.useRef(null),Oe=react.useRef(null);Oe.current||(Oe.current=new Promise(ce=>{at.current=ce;}));let Vr=react.useCallback(async()=>{!He.current&&Oe.current&&await Oe.current;},[]),Fr=react.useCallback(()=>{He.current||(He.current=true,at.current?.(),at.current=null);},[]),Gr=react.useCallback(async()=>{!rt.current&&se.current&&await se.current;},[]),qr=react.useCallback(async()=>{!rt.current&&se.current&&await se.current,nt.current&&await nt.current;},[]);return {clientId:t,wallet:r,baseUrl:u,fetchImpl:l,timeoutMs:a,providerAdapter:s,refreshDeps:c,ensureKeypair:te,rotate:Ee,ensureRootKeypair:We,rootPrivRef:I,rootPubJwkRef:L,privRef:A,pubJwkRef:_e,meta:f,setBoundWallet:d,setJkt:h,setRefreshId:m,accessTokenRef:Dr,tokenExpRef:Wr,authenticated:Le,setAuthenticated:At,loadingCount:J,setLoadingCount:V,error:j,setError:Z,allowed:ie,setAllowed:re,denyReason:Qe,setDenyReason:et,sessionExpiry:tt,setSessionExpiry:Kr,sessionData:Ar,setSessionData:xr,verifyData:Cr,setVerifyData:Tr,authWalletRef:Ir,refreshLock:_r,registerLock:Lr,sessionLock:Hr,didInitialRefresh:Mr,didInitialSession:jr,prevWalletRef:Or,initResolvedRef:rt,initReady:se,initResolveRef:xt,rotateLock:nt,waitReady:Gr,awaitKeyStable:qr,proofRef:Ur,registerCooldownUntilRef:Jr,reqIdRef:Me,flowLabelRef:Ct,flowExpireRef:je,beginFlow:ot,currentReqId:Br,awaitProbe:Vr,markProbed:Fr,hasProbedRef:He,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,metaReady:p,probeLock:$r}};var B=e=>e.accessTokenRef.current??null,Y=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},T=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Tn=(e,t)=>`${e.toUpperCase()} ${t}`;async function De(e,t,r){if(!t)return  false;let n=De._nonceCacheRef||(De._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let p=await _(e.rootPubJwkRef.current);e.setRootJkt?.(p);}catch{}let b=await _(T(e)),S=await e.getRefreshId();o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:b,clientId:e.clientId,sid:S||void 0,ttlSec:300});}}catch{}let a=e.currentReqId(),i="/auth/register",s=`${e.baseUrl}${i}`,c=new URL(e.baseUrl).origin,u="POST",l=`${c}${i}`,f=Tn(u,l),d=n.map.get(f),h=await N({method:u,url:l,nonce:d,privateKey:Y(e),publicJwk:T(e)}),m=async b=>e.fetchImpl(s,{method:u,headers:{"content-type":"application/json","x-sunbreak-meta":$(e,{reqId:a,pode:o||void 0}),...b},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),R=await m({DPoP:h}),k=b=>{let S=b.headers.get("dpop-nonce");S&&n.map.set(f,S);};if(R.status===401){let b=R.headers.get("www-authenticate"),p=(b&&b.match(/dpop-nonce="([^"]+)"/i))?.[1];if(p){n.map.set(f,p);let w=await N({method:u,url:l,nonce:p,privateKey:Y(e),publicJwk:T(e)});R=await m({DPoP:w});}}if(k(R),!R.ok){let b=await Ie(R);if((R.headers.get("content-type")||"").includes("application/json")){let p;try{p=await R.clone().json();}catch{}let w=Je(p&&(p.error||p.message||p.detail)||`HTTP ${R.status}`);throw pe(w,b)}else {let p=b.waf?"Blocked by WAF (403)":b.alb403?"Blocked at origin (ALB 403)":`HTTP ${R.status}`;throw pe(p,b)}}let P=await R.json();e.accessTokenRef.current=P.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let b=Math.floor(Date.now()/1e3);e.tokenExpRef.current=b+(P.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await _(T(e)));}catch{}try{let b={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:P.refreshId??null};e.setRefreshId(P.refreshId??null);let S=Ae(e.clientId);await g(S,b);try{localStorage.setItem(S,JSON.stringify(b));}catch{}}catch{}return !0}catch(o){let a=Number(o?.status||0),i=String(o?.code||""),s=String(o?.message||""),c=Math.floor(Math.random()*1e3);if((a===401||a===403)&&i.toLowerCase()==="replay"){if(e.providerAdapter)try{let u=await e.providerAdapter.getToken()??null;if(u)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Pe(e.providerAdapter,u),e.registerCooldownUntilRef.current=Date.now()+5e3+c,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+c,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+c,false}if(a===403&&(o?.waf||o?.alb403))return e.setError(s||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+c,false;if(a===403)return e.setError(i||s||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+c,false;if(a===429||a===503){e.setError(i||s||"Rate limited / unavailable");let u=a===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+u+c,false}return e.setError(i||s||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}}var Jn=(e,t)=>`${e.toUpperCase()} ${t}`;function Xe(e){if(e.refreshLock.current)return e.refreshLock.current;if(e.registerLock.current){let t=e.registerLock.current.then(()=>{if(e.authenticated&&B(e))return  true;if(B(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return  true}return  false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.refreshLock.current=(async()=>{try{if(await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let t=B(e);if(t){let S=e.tokenExpRef.current,p=Math.floor(Date.now()/1e3);if(!!t&&!!S&&S-p>5)return !0}e.beginFlow("refresh",15e3);let r=e.currentReqId();await e.ensureKeypair();let n;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let w=await _(e.rootPubJwkRef.current);e.setRootJkt?.(w);}catch{}let S=await _(T(e)),p=await e.getRefreshId();n=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:S,clientId:e.clientId,sid:p||void 0,ttlSec:300});}}catch{}let o="/auth/refresh",a=`${e.baseUrl}${o}`,i=new URL(e.baseUrl).origin,s="POST",c=`${i}${o}`,u=Jn(s,c),l=Xe._nonceCacheRef||(Xe._nonceCacheRef={map:new Map}),f=async S=>await N({method:s,url:c,nonce:S,privateKey:Y(e),publicJwk:T(e)}),d=await e.getRefreshId(),h={"x-sunbreak-meta":$(e,{reqId:r,refreshId:d||void 0,pode:n||void 0}),"content-type":"application/json"},m=async S=>e.fetchImpl(a,{method:s,headers:{DPoP:S,...h},credentials:"include",body:"{}"}),R=S=>{let p=S.headers.get("dpop-nonce");p&&l.map.set(u,p);},k=await m(await f(l.map.get(u)));if(k.status===401){let S=k.headers.get("www-authenticate"),w=(S&&S.match(/dpop-nonce="([^"]+)"/i))?.[1];w&&(l.map.set(u,w),k=await m(await f(w)));}if(R(k),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let p=await k.clone().json().catch(()=>{}),w=p&&(p.error||p.code||p.message)||"",I=String(w).toLowerCase();if(I.includes("missing")&&I.includes("refresh")){try{e.setRefreshId?.(null);}catch{}try{e.setBoundWallet?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}}}catch{}return !1}let P=await k.json();e.accessTokenRef.current=P.access,e.setAuthenticated(!0);let b=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=b?b.toLowerCase():null;try{let S=Math.floor(Date.now()/1e3);e.tokenExpRef.current=S+(P.expiresIn??0);}catch{}try{e.setJkt(await _(T(e)));}catch{}return P.refreshId&&e.setRefreshId(P.refreshId),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var In=(e,t)=>`${e.toUpperCase()} ${t}`,Pt=new Map;async function hr(e){if(e.probeLock?.current)return e.probeLock.current;if(e.hasProbedRef.current)return;let t=n=>{try{e.probeLock&&(e.probeLock.current=n);}catch{}},r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let o;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let m=await _(T(e));o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:m,clientId:e.clientId,ttlSec:300});}catch{}let a="POST",i="/auth/probe",s=`${e.baseUrl}${i}`,c=`${n}${i}`,u=In(a,c),l=async m=>e.fetchImpl(s,{method:a,headers:{DPoP:m,"x-sunbreak-meta":$(e,{pode:o}),"content-type":"application/json"},credentials:"include",body:"{}"}),f=async m=>await N({method:a,url:c,nonce:m,privateKey:Y(e),publicJwk:T(e)}),d=await l(await f(Pt.get(u))),h=m=>{let R=m.headers.get("dpop-nonce");R&&Pt.set(u,R);};if(h(d),d.status===401){let m=d.headers.get("www-authenticate"),k=(m&&m.match(/dpop-nonce="([^"]+)"/i))?.[1];k&&(Pt.set(u,k),d=await l(await f(k)),h(d));}e.markProbed();}catch{e.markProbed();}})();t(r);try{await r;}finally{t(null);}}var br=e=>{let t=react.useCallback(()=>Xe(e),[e]),r=react.useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a||!e.wallet||!e.initResolvedRef.current||e.refreshLock.current||e.registerLock.current)return;let i=e.wallet,s=e.meta.boundWallet;if(i&&s&&i.toLowerCase()===s.toLowerCase()&&!e.didInitialRefresh.current)return;let u=e.proofRef.current;!u||!(!B(e)||e.meta.boundWallet!==e.wallet)||(await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await De(e,e.wallet,u)&&(e.didInitialSession.current=!0);}catch(d){e.setError(d?.message||String(d)||"Register failed");}finally{e.registerLock.current=null;}})());},[e]),n=react.useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Pe(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a)=>De(e,o,a),attemptRegister:r,setProofFromAdapterToken:n}};var Dn=(e,t)=>`${e.toUpperCase()} ${t}`,Wn=(e,t)=>!!e&&!!t&&e.toLowerCase()===t.toLowerCase();async function Ze(e,t,r,n,o,a={}){e.setLoadingCount(u=>u+1),e.setError(null);let i=n.startsWith("/api/session"),s=new AbortController,c=setTimeout(()=>s.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?ct(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,d=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,h=Dn(r,d),m=n.startsWith("/auth/"),R=!1,k=!1,P=e.currentReqId(),b=Ze._nonceCacheRef||(Ze._nonceCacheRef={map:new Map}),S=J=>{let V=J.headers.get("dpop-nonce");V&&b.map.set(h,V);},p=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),w=()=>m||!e.wallet?!1:!!(e.authenticated||Wn(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),I,L,We=async()=>{if(m||p)return;try{let ie=B(e),re=e.tokenExpRef.current,Qe=Math.floor(Date.now()/1e3),et=!!re&&re-Qe<=60;if(ie){if(et&&!await t().catch(()=>!1))return}else if(!w()||!await t().catch(()=>!1))return}catch{}let J=B(e);if(!J)return;let V=await qe(J),j=b.map.get(h),Z=await N({method:r,url:d,nonce:j,ath:V,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=Z;};await We();let te={"content-type":"application/json","x-sunbreak-auth":I||"","x-sunbreak-meta":$(e,{reqId:P,auth:I,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...ut(a.headers)};L&&(te.DPoP=L);let Ee=async()=>e.fetchImpl(l,{...a,method:r,headers:te,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:s.signal}),A=await Ee(),_e=A.headers.get("x-sunbreak-policy-hash"),Le=A.headers.get("x-sunbreak-policy-proof");if(_e&&e.setLastPolicyHash(_e),Le&&e.setLastPolicyProof(Le),S(A),A.status===401&&!m){let J=B(e),V=A.headers.get("www-authenticate"),Z=(V&&V.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!p&&Z&&J&&!k){k=!0,b.map.set(h,Z);let ie=await qe(J),re=await N({method:r,url:d,nonce:Z,ath:ie,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=re,te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),te.DPoP=L,A=await Ee(),S(A);}if(A.status===401&&!R&&(R=!0,!p&&w())){let ie=await t(),re=B(e);ie&&re&&!p&&(await We(),te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),L&&(te.DPoP=L),A=await Ee(),S(A));}if(A.status===401)throw new Error("Unauthorized")}if(!A.ok){let J=await Ie(A);if((A.headers.get("content-type")||"").includes("application/json")){let j=await A.json().catch(()=>{}),Z=Je(j&&(j.error||j.message||j.detail)||`HTTP ${A.status}`);throw pe(Z,J)}else {let j=J.waf?"Blocked by WAF (403)":J.alb403?"Blocked at origin (ALB 403)":`HTTP ${A.status}`;throw pe(j,J)}}return (A.headers.get("content-type")||"").includes("application/json")?await A.json():void 0}finally{clearTimeout(c),e.setLoadingCount(u=>Math.max(0,u-1));}}var Sr=(e,t)=>react.useCallback(async(r,n,o,a={})=>Ze(e,t,r,n,o,a),[e,t]);async function Rr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function gr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var Er=(e,t)=>{let r=react.useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await Rr(e,t)}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=react.useCallback(async()=>{if(e.wallet)return await gr(e,t)},[e,t]);return {session:r,verify:n}};var Pr=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;react.useEffect(()=>{return (async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.ensureRootKeypair(),await hr(e);}catch{}})(),()=>{}},[]);let s=()=>(e.registerCooldownUntilRef.current??0)>Date.now();react.useEffect(()=>{let c=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==c&&(e.didInitialRefresh.current=false),!e.wallet){e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}c&&e.wallet&&c!==e.wallet&&(e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}));},[e.wallet]),react.useEffect(()=>{if(!e.providerAdapter||s()||!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let l=false;return (async()=>{try{let f=await e.providerAdapter.getToken()??null;if(await e.awaitKeyStable(),l||!f)return;await a(f),await o();}catch{}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef,e.didInitialRefresh,...e.refreshDeps]),react.useEffect(()=>{if(typeof i<"u"&&(e.proofRef.current=i??null),!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let f=!!c,d=!!e.proofRef.current,h=!!c&&!!e.authWalletRef.current&&c.toLowerCase()!==e.authWalletRef.current.toLowerCase();f&&d&&!e.authenticated&&!h&&e.initResolvedRef.current&&!s()&&o();},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef,e.didInitialRefresh,o]),react.useEffect(()=>{let c=e.wallet,u=e.meta.boundWallet,l=!!(u||e.meta.refreshId);if(!e.metaReady||e.didInitialRefresh.current)return;let f=true;return (async()=>{try{if(await e.waitReady(),e.accessTokenRef.current||e.authenticated){e.didInitialRefresh.current=!0,c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}let d=!!c&&!l,h=!c&&!l;if(l&&!c){e.didInitialRefresh.current=!0;return}if(d||h){e.didInitialRefresh.current=!0;return}if(c&&u&&c.toLowerCase()!==u.toLowerCase()){e.didInitialRefresh.current=!0;return}e.didInitialRefresh.current=!0;let m=await r();if(!f)return;e.setAuthenticated(m),m&&c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(d){if(!f)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(d?.message||String(d)||"Unknown error");}})(),()=>{f=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,e.didInitialRefresh,r,n]),react.useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),react.useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{await n();}catch(c){e.setError(c?.message||String(c));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),react.useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),react.useEffect(()=>{let u=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return  false;let d=e.tokenExpRef.current;if(!d)return  false;let h=Math.floor(Date.now()/1e3);return d-h<=30},l=async()=>{try{u()&&await r();}catch{}},f=async()=>{document.visibilityState==="visible"&&await l();};return window.addEventListener("focus",l),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",l),document.removeEventListener("visibilitychange",f);}},[e,r]),react.useEffect(()=>{let l=()=>{let h=Math.floor(Date.now()/1e3),m=e.tokenExpRef.current,R=e.sessionExpiry,k=!!m&&m-h<=30&&m-h>0,P=!!R&&R-h<=3600&&R-h>0;return {tokenSoon:k,sessionSoon:P}},f=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:h,sessionSoon:m}=l();(h||m)&&await r()&&m&&await n();}catch{}},d=async()=>{document.visibilityState==="visible"&&await f();};return window.addEventListener("focus",f),document.addEventListener("visibilitychange",d),()=>{window.removeEventListener("focus",f),document.removeEventListener("visibilitychange",d);}},[e,e.sessionExpiry,r,n]);};var vr=react.createContext(void 0),jn=e=>{let t=wr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=br(t),a=Sr(t,r),{session:i,verify:s}=Er(t,a);Pr(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let c=react.useMemo(()=>({get:(u,l)=>a("GET",u,void 0,l),post:(u,l,f)=>a("POST",u,l,f),verify:s,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,s,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsxRuntime.jsx(vr.Provider,{value:c,children:e.children})},On=e=>jsxRuntime.jsx(bt,{clientId:e.clientId,children:jsxRuntime.jsx(jn,{...e})}),Un=()=>{let e=react.useContext(vr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
+var Xr=Object.defineProperty;var _t=e=>{throw TypeError(e)};var Zr=(e,t,r)=>t in e?Xr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var H=(e,t,r)=>Zr(e,typeof t!="symbol"?t+"":t,r),Dt=(e,t,r)=>t.has(e)||_t("Cannot "+r);var y=(e,t,r)=>(Dt(e,t,"read from private field"),r?r.call(e):t.get(e)),O=(e,t,r)=>t.has(e)?_t("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),U=(e,t,r,n)=>(Dt(e,t,"write to private field"),t.set(e,r),r);var Pe=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Qr="sunbreak-kv",ve="kv",$e="sunbreak_dpop_meta_v1",x="sunbreak_dpop_key_v1",Ke="ES256",E="P-256",Ae=e=>`${$e}:${e}`,Wt=()=>new Promise((e,t)=>{let r=indexedDB.open(Qr,1);r.onupgradeneeded=()=>r.result.createObjectStore(ve),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),C=async e=>{try{let t=await Wt();return await new Promise((r,n)=>{let a=t.transaction(ve,"readonly").objectStore(ve).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},g=async(e,t)=>{let r=await Wt();await new Promise((n,o)=>{let i=r.transaction(ve,"readwrite").objectStore(ve).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var en=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},tn=e=>e.replace(/\/+$/,""),st=e=>{let t=tn(e);return en(t)};function ut(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=rn(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var rn=e=>{for(let t=0;t<ct.length;t++){let r=ct[Math.floor(Math.random()*ct.length)].toLowerCase();if(r!==e)return r}return "alpha"},ct=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var $=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var nn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),on=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),an=new Set(["dpop","x-sunbreak-meta"]),sn=64,Lt=2048,cn=64;function lt(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=cn)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>sn||nn.has(i)||on.has(i)||an.has(i))continue;let s=String(a);s.length>Lt&&(s=s.slice(0,Lt)),t[i]=s,n++;}return t}var Q=new TextEncoder,me=new TextDecoder;function Ht(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Mt(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function jt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function Ot(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return jt(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Ne(e){let t=e;return typeof t=="string"&&(t=Q.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Mt(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ue=class extends Error{constructor(r,n){super(r,n);H(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};H(ue,"code","ERR_JOSE_GENERIC");var _=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JOSE_NOT_SUPPORTED");}};H(_,"code","ERR_JOSE_NOT_SUPPORTED");var ee=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWS_INVALID");}};H(ee,"code","ERR_JWS_INVALID");var xe=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWT_INVALID");}};H(xe,"code","ERR_JWT_INVALID");var Ut,$t,ft=class extends($t=ue,Ut=Symbol.asyncIterator,$t){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);H(this,Ut);H(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};H(ft,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function F(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function dt(e){return parseInt(e.name.slice(4),10)}function fn(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function dn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function Nt(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw F("HMAC");let n=parseInt(t.slice(2),10);if(dt(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw F("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(dt(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw F("RSA-PSS");let n=parseInt(t.slice(2),10);if(dt(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw F("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw F(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw F("ECDSA");let n=fn(t);if(e.algorithm.namedCurve!==n)throw F(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}dn(e,r);}function Bt(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Vt=(e,...t)=>Bt("Key must be ",e,...t);function pt(e,t,...r){return Bt(`Key for the ${e} algorithm must be `,t,...r)}function yt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function mt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var wt=e=>yt(e)||mt(e);var Ft=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return  true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return  false;r.add(a);}}return  true};function pn(e){return typeof e=="object"&&e!==null}var Be=e=>{if(!pn(e)||Object.prototype.toString.call(e)!=="[object Object]")return  false;if(Object.getPrototypeOf(e)===null)return  true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Gt=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function yn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new _('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var qt=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=yn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var zt=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new _(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Ce(e){return Be(e)&&typeof e.kty=="string"}function Yt(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function Xt(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function Zt(e){return e.kty==="oct"&&typeof e.k=="string"}var he,Qt=async(e,t,r,n=false)=>{he||(he=new WeakMap);let o=he.get(e);if(o?.[r])return o[r];let a=await qt({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:he.set(e,{[r]:a}),a},wn=(e,t)=>{he||(he=new WeakMap);let r=he.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&s==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES384"&&s==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES512"&&s==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:s},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:he.set(e,{[t]:a}),a},er=async(e,t)=>{if(e instanceof Uint8Array||yt(e))return e;if(mt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return wn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Qt(e,r,t)}if(Ce(e))return e.k?Ot(e.k):Qt(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],ht=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return  true},hn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Ce(t)){if(Zt(t)&&ht(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!wt(t))throw new TypeError(pt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},bn=(e,t,r)=>{if(Ce(t))switch(r){case "decrypt":case "sign":if(Yt(t)&&ht(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(Xt(t)&&ht(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!wt(t))throw new TypeError(pt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},tr=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?hn(e,t,r):bn(e,t,r);};var rr=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new _(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var nr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Vt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return Nt(t,e,r),t};var ne=e=>Math.floor(e.getTime()/1e3);var Sn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Ve=e=>{let t=Sn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function le(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var v,Fe=class{constructor(t){O(this,v);if(!Be(t))throw new TypeError("JWT Claims Set MUST be an object");U(this,v,structuredClone(t));}data(){return Q.encode(JSON.stringify(y(this,v)))}get iss(){return y(this,v).iss}set iss(t){y(this,v).iss=t;}get sub(){return y(this,v).sub}set sub(t){y(this,v).sub=t;}get aud(){return y(this,v).aud}set aud(t){y(this,v).aud=t;}set jti(t){y(this,v).jti=t;}set nbf(t){typeof t=="number"?y(this,v).nbf=le("setNotBefore",t):t instanceof Date?y(this,v).nbf=le("setNotBefore",ne(t)):y(this,v).nbf=ne(new Date)+Ve(t);}set exp(t){typeof t=="number"?y(this,v).exp=le("setExpirationTime",t):t instanceof Date?y(this,v).exp=le("setExpirationTime",ne(t)):y(this,v).exp=ne(new Date)+Ve(t);}set iat(t){typeof t>"u"?y(this,v).iat=ne(new Date):t instanceof Date?y(this,v).iat=le("setIssuedAt",ne(t)):typeof t=="string"?y(this,v).iat=le("setIssuedAt",ne(new Date)+Ve(t)):y(this,v).iat=le("setIssuedAt",t);}};v=new WeakMap;var or=async(e,t,r)=>{let n=await nr(e,t,"sign");Gt(e,n);let o=await crypto.subtle.sign(rr(e,n.algorithm),n,r);return new Uint8Array(o)};var Te,D,G,Ge=class{constructor(t){O(this,Te);O(this,D);O(this,G);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");U(this,Te,t);}setProtectedHeader(t){if(y(this,D))throw new TypeError("setProtectedHeader can only be called once");return U(this,D,t),this}setUnprotectedHeader(t){if(y(this,G))throw new TypeError("setUnprotectedHeader can only be called once");return U(this,G,t),this}async sign(t,r){if(!y(this,D)&&!y(this,G))throw new ee("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Ft(y(this,D),y(this,G)))throw new ee("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...y(this,D),...y(this,G)},o=zt(ee,new Map([["b64",true]]),r?.crit,y(this,D),n),a=true;if(o.has("b64")&&(a=y(this,D).b64,typeof a!="boolean"))throw new ee('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new ee('JWS "alg" (Algorithm) Header Parameter missing or invalid');tr(i,t,"sign");let s=y(this,Te);a&&(s=Q.encode(Ne(s)));let c;y(this,D)?c=Q.encode(Ne(JSON.stringify(y(this,D)))):c=Q.encode("");let u=Ht(c,Q.encode("."),s),l=await er(t,i),f=await or(i,l,u),p={signature:Ne(f),payload:""};return a&&(p.payload=me.decode(s)),y(this,G)&&(p.header=y(this,G)),y(this,D)&&(p.protected=me.decode(c)),p}};Te=new WeakMap,D=new WeakMap,G=new WeakMap;var Se,qe=class{constructor(t){O(this,Se);U(this,Se,new Ge(t));}setProtectedHeader(t){return y(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await y(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var oe,M,fe=class{constructor(t={}){O(this,oe);O(this,M);U(this,M,new Fe(t));}setIssuer(t){return y(this,M).iss=t,this}setSubject(t){return y(this,M).sub=t,this}setAudience(t){return y(this,M).aud=t,this}setJti(t){return y(this,M).jti=t,this}setNotBefore(t){return y(this,M).nbf=t,this}setExpirationTime(t){return y(this,M).exp=t,this}setIssuedAt(t){return y(this,M).iat=t,this}setProtectedHeader(t){return U(this,oe,t),this}async sign(t,r){let n=new qe(y(this,M).data());if(n.setProtectedHeader(y(this,oe)),Array.isArray(y(this,oe)?.crit)&&y(this,oe).crit.includes("b64")&&y(this,oe).b64===false)throw new xe("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};oe=new WeakMap,M=new WeakMap;var Rn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),ze=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return Rn(r)},N=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,s={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(s.nonce=n),o&&(s.ath=o),await new fe(s).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var W=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function de(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,s=Math.floor(Date.now()/1e3),c=s+Math.max(60,Math.min(i,3600)),u={child_jkt:n,client_id:o,aud:"issuer",iat:s,exp:c,jti:crypto.randomUUID()};return a&&(u.sid=a),await new fe(u).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Ie(e){let t=e.status,r=Array.from(e.headers.keys()).some(s=>s.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let s=await e.clone().json();n=typeof s?.error=="string"?s.error:void 0,o=typeof s?.detail=="string"?s.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function pe(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},bt=react.createContext(void 0);function ur(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function En(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var St=({children:e,clientId:t})=>{let[r,n]=react.useState(Re),o=react.useRef(false),[a,i]=react.useState(false),s=react.useMemo(()=>Ae(t),[t]);react.useEffect(()=>{let d=true;return (async()=>{let I=await C(s)??await C($e)??ur(s);d&&(n({...Re,...I}),o.current=true,i(true));})(),()=>{d=false;}},[s]),react.useEffect(()=>{o.current&&(async()=>(await g(s,r),En(s,r)))();},[r,s]);let c=react.useCallback(d=>n(w=>({...w,refreshId:d})),[]),u=react.useCallback(d=>n(w=>({...w,lastPolicyHash:d})),[]),l=react.useCallback(d=>n(w=>({...w,lastPolicyProof:d})),[]),f=react.useCallback(d=>n(w=>({...w,lastHost:d})),[]),p=react.useCallback(d=>n(w=>({...w,rootJkt:d})),[]),h=async()=>{try{let d=localStorage.getItem(s);if(d){let w=JSON.parse(d);if(typeof w?.refreshId=="string"&&w.refreshId)return w.refreshId}}catch{}try{let d=await C(s);if(typeof d?.refreshId=="string"&&d.refreshId)return d.refreshId}catch{}return null},m=react.useCallback(d=>n(w=>({...w,boundWallet:d})),[]),R=react.useCallback(d=>n(w=>({...w,clientId:d})),[]),k=react.useCallback(d=>n(w=>({...w,jkt:d})),[]),P=react.useCallback(()=>n(Re),[]),b=react.useCallback(async()=>{let w=await C(s)??ur(s);n({...Re,...w});},[]),S=react.useMemo(()=>({meta:r,setBoundWallet:m,setClientId:R,setJkt:k,resetMeta:P,reload:b,setRefreshId:c,getRefreshId:h,ready:a,setLastPolicyHash:u,setLastPolicyProof:l,setLastHost:f,setRootJkt:p}),[r,m,R,k,P,b,a,c,h,u,l,f,p]);return jsxRuntime.jsx(bt.Provider,{value:S,children:e})};function Rt(){let e=react.useContext(bt);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var fr=`${x}:wrap`;async function Ye(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${x}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return  false}}async function Kn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!0,["sign","verify"]),t=`${x}:probe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return  false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function dr(){let e=await C(fr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(fr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function gt(e){let t=await dr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function An(e,t){let r=await dr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var kt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let c=await C(x);if(!c)return  false;if(c.fmt==="cryptokey"){let l=c;if(!l.privKey)return await g(x,void 0),false;let f=l.privKey;try{if(f.extractable&&await Ye()){let h=await crypto.subtle.exportKey("jwk",f),m=await crypto.subtle.importKey("jwk",h,{name:"ECDSA",namedCurve:E},!1,["sign"]),R={fmt:"cryptokey",privKey:m,pubJwk:ke(l.pubJwk)};await g(x,R),f=m;}}catch{}return e.current=f,t.current=ke(l.pubJwk),true}if(c.fmt==="encjwk"){let l=c;try{let f=await An(l.encPrivJwk,l.iv),p=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=p,t.current=ke(l.pubJwk),!0}catch{return await g(x,void 0),false}}let u=c;if(u&&u.d){let{d:l,...f}=u,p=ke(f),h=await Ye(),m=h||await Kn();if(m&&h){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:p}),e.current=b,t.current=p,true}if(m){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},true,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:p}),e.current=b,t.current=p,true}let{encPrivJwk:R,iv:k}=await gt(u);await g(x,{fmt:"encjwk",encPrivJwk:R,iv:k,pubJwk:p});let P=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return e.current=P,t.current=p,true}return await g(x,void 0),false},[]),n=react.useCallback(async(c,u)=>{await g(x,{fmt:"cryptokey",privKey:c,pubJwk:u});},[]),o=react.useCallback(async(c,u)=>{let{encPrivJwk:l,iv:f}=await gt(c);await g(x,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:u});},[]),a=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let c=await Ye(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let p=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await n(p,l),e.current=p,t.current=l;}else {await o(f,l);let p=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=p,t.current=l;}},[r,n,o]),i=react.useCallback(async()=>{let c=await Ye(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let p=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(x,{fmt:"cryptokey",privKey:p,pubJwk:l}),e.current=p,t.current=l;}else {let{encPrivJwk:p,iv:h}=await gt(f);await g(x,{fmt:"encjwk",encPrivJwk:p,iv:h,pubJwk:l});let m=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=m,t.current=l;}},[]),s=react.useCallback(async()=>{await g(x,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:s,privRef:e,pubJwkRef:t}};var z="sunbreak_root_key_v1",yr=`${z}:wrap`;async function mr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${z}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return  false}}function Xe(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function wr(){let e=await C(yr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(yr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function xn(e){let t=await wr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Cn(e,t){let r=await wr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Pt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let a=await C(z);if(!a)return  false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await g(z,void 0),false;let s=i.privKey;try{if(s.extractable&&await mr()){let u=await crypto.subtle.exportKey("jwk",s),l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},!1,["sign"]),f={fmt:"cryptokey",privKey:l,pubJwk:Xe(i.pubJwk),createdAt:i.createdAt};await g(z,f),s=l;}}catch{}return e.current=s,t.current=Xe(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let s=await Cn(i.encPrivJwk,i.iv),c=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=c,t.current=Xe(i.pubJwk),!0}catch{return await g(z,void 0),false}}return await g(z,void 0),false},[]),n=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await mr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),s=Xe(await crypto.subtle.exportKey("jwk",i.publicKey)),c=Date.now(),u=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(z,{fmt:"cryptokey",privKey:l,pubJwk:s,createdAt:c}),e.current=l,t.current=s;}else {let{encPrivJwk:l,iv:f}=await xn(u);await g(z,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:s,createdAt:c});let h=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=h,t.current=s;}},[r]),o=react.useCallback(async()=>{await g(z,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var Tn=()=>crypto.randomUUID(),hr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:s,refreshDeps:c=[]}=e,u=st(n),l=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:f,setBoundWallet:p,setJkt:h,setRefreshId:m,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,ready:d}=Rt(),{ensureRootKeypair:w,rootPrivRef:I,rootPubJwkRef:L}=Pt(),We=react.useCallback(async()=>{await w();try{if(!f.rootJkt&&L.current){let ce=await W(L.current);S(ce);}}catch{}},[w,f.rootJkt,L]),{ensureKeypair:te,rotate:Ee,privRef:A,pubJwkRef:Le}=kt(),[He,xt]=react.useState(false),[J,V]=react.useState(0),[j,Z]=react.useState(null),[ie,re]=react.useState(null),[et,tt]=react.useState(null),[rt,Ar]=react.useState(null),[xr,Cr]=react.useState(null),[Tr,Jr]=react.useState(null),Ir=react.useRef(null),_r=react.useRef(null),Dr=react.useRef(null),Wr=react.useRef(null),Lr=react.useRef(null),Hr=react.useRef(null),Mr=react.useRef(null),jr=react.useRef(false),Or=react.useRef(false),Ur=react.useRef(void 0),Me=react.useRef(false),nt=react.useRef(false),Ct=react.useRef(null),se=react.useRef(null);se.current||(se.current=new Promise(ce=>{Ct.current=ce;}));let ot=react.useRef(null),$r=react.useRef(i),Nr=react.useRef(null),je=react.useRef(null),Tt=react.useRef(null),Oe=react.useRef(null),Jt=()=>Date.now(),Br=()=>(Oe.current??0)>0&&Oe.current<Jt(),at=react.useCallback((ce,Yr=15e3)=>{let It=Tn();return je.current=It,Tt.current=ce,Oe.current=Jt()+Math.max(1e3,Yr),It},[]),Vr=react.useCallback(()=>((!je.current||Br())&&at("adhoc",1e4),je.current),[at]),it=react.useRef(null),Ue=react.useRef(null);Ue.current||(Ue.current=new Promise(ce=>{it.current=ce;}));let Fr=react.useCallback(async()=>{!Me.current&&Ue.current&&await Ue.current;},[]),Gr=react.useCallback(()=>{Me.current||(Me.current=true,it.current?.(),it.current=null);},[]),qr=react.useCallback(async()=>{!nt.current&&se.current&&await se.current;},[]),zr=react.useCallback(async()=>{!nt.current&&se.current&&await se.current,ot.current&&await ot.current;},[]);return {clientId:t,wallet:r,baseUrl:u,fetchImpl:l,timeoutMs:a,providerAdapter:s,refreshDeps:c,ensureKeypair:te,rotate:Ee,ensureRootKeypair:We,rootPrivRef:I,rootPubJwkRef:L,privRef:A,pubJwkRef:Le,meta:f,setBoundWallet:p,setJkt:h,setRefreshId:m,accessTokenRef:Dr,tokenExpRef:Wr,authenticated:He,setAuthenticated:xt,loadingCount:J,setLoadingCount:V,error:j,setError:Z,allowed:ie,setAllowed:re,denyReason:et,setDenyReason:tt,sessionExpiry:rt,setSessionExpiry:Ar,sessionData:xr,setSessionData:Cr,verifyData:Tr,setVerifyData:Jr,authWalletRef:_r,refreshLock:Lr,registerLock:Hr,sessionLock:Mr,didInitialRefresh:jr,didInitialSession:Or,prevWalletRef:Ur,initResolvedRef:nt,initReady:se,initResolveRef:Ct,rotateLock:ot,waitReady:qr,awaitKeyStable:zr,proofRef:$r,registerCooldownUntilRef:Ir,reqIdRef:je,flowLabelRef:Tt,flowExpireRef:Oe,beginFlow:at,currentReqId:Vr,awaitProbe:Fr,markProbed:Gr,hasProbedRef:Me,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,metaReady:d,probeLock:Nr}};var B=e=>e.accessTokenRef.current??null,Y=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},T=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Jn=(e,t)=>`${e.toUpperCase()} ${t}`;async function _e(e,t,r){if(!t)return  false;let n=_e._nonceCacheRef||(_e._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let d=await W(e.rootPubJwkRef.current);e.setRootJkt?.(d);}catch{}let b=await W(T(e)),S=await e.getRefreshId();o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:b,clientId:e.clientId,sid:S||void 0,ttlSec:300});}}catch{}let a=e.currentReqId(),i="/auth/register",s=`${e.baseUrl}${i}`,c=new URL(e.baseUrl).origin,u="POST",l=`${c}${i}`,f=Jn(u,l),p=n.map.get(f),h=await N({method:u,url:l,nonce:p,privateKey:Y(e),publicJwk:T(e)}),m=async b=>e.fetchImpl(s,{method:u,headers:{"content-type":"application/json","x-sunbreak-meta":$(e,{reqId:a,pode:o||void 0}),...b},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),R=await m({DPoP:h}),k=b=>{let S=b.headers.get("dpop-nonce");S&&n.map.set(f,S);};if(R.status===401){let b=R.headers.get("www-authenticate"),d=(b&&b.match(/dpop-nonce="([^"]+)"/i))?.[1];if(d){n.map.set(f,d);let w=await N({method:u,url:l,nonce:d,privateKey:Y(e),publicJwk:T(e)});R=await m({DPoP:w});}}if(k(R),!R.ok){let b=await Ie(R);if((R.headers.get("content-type")||"").includes("application/json")){let d;try{d=await R.clone().json();}catch{}let w=Je(d&&(d.error||d.message||d.detail)||`HTTP ${R.status}`);throw pe(w,b)}else {let d=b.waf?"Blocked by WAF (403)":b.alb403?"Blocked at origin (ALB 403)":`HTTP ${R.status}`;throw pe(d,b)}}let P=await R.json();e.accessTokenRef.current=P.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let b=Math.floor(Date.now()/1e3);e.tokenExpRef.current=b+(P.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await W(T(e)));}catch{}try{let b={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:P.refreshId??null};e.setRefreshId(P.refreshId??null);let S=Ae(e.clientId);await g(S,b);try{localStorage.setItem(S,JSON.stringify(b));}catch{}}catch{}return !0}catch(o){let a=Number(o?.status||0),i=String(o?.code||""),s=String(o?.message||""),c=Math.floor(Math.random()*1e3);if((a===401||a===403)&&i.toLowerCase()==="replay"){if(e.providerAdapter)try{let u=await e.providerAdapter.getToken()??null;if(u)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Pe(e.providerAdapter,u),e.registerCooldownUntilRef.current=Date.now()+5e3+c,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+c,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+c,false}if(a===403&&(o?.waf||o?.alb403))return e.setError(s||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+c,false;if(a===403)return e.setError(i||s||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+c,false;if(a===429||a===503){e.setError(i||s||"Rate limited / unavailable");let u=a===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+u+c,false}return e.setError(i||s||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}}var In=(e,t)=>`${e.toUpperCase()} ${t}`;function Ze(e){if(e.refreshLock.current)return e.refreshLock.current;if(e.registerLock.current){let t=e.registerLock.current.then(()=>{if(e.authenticated&&B(e))return  true;if(B(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return  true}return  false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.refreshLock.current=(async()=>{try{if(await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let t=B(e);if(t){let S=e.tokenExpRef.current,d=Math.floor(Date.now()/1e3);if(!!t&&!!S&&S-d>5)return !0}e.beginFlow("refresh",15e3);let r=e.currentReqId();await e.ensureKeypair();let n;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let w=await W(e.rootPubJwkRef.current);e.setRootJkt?.(w);}catch{}let S=await W(T(e)),d=await e.getRefreshId();n=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:S,clientId:e.clientId,sid:d||void 0,ttlSec:300});}}catch{}let o="/auth/refresh",a=`${e.baseUrl}${o}`,i=new URL(e.baseUrl).origin,s="POST",c=`${i}${o}`,u=In(s,c),l=Ze._nonceCacheRef||(Ze._nonceCacheRef={map:new Map}),f=async S=>await N({method:s,url:c,nonce:S,privateKey:Y(e),publicJwk:T(e)}),p=await e.getRefreshId(),h={"x-sunbreak-meta":$(e,{reqId:r,refreshId:p||void 0,pode:n||void 0}),"content-type":"application/json"},m=async S=>e.fetchImpl(a,{method:s,headers:{DPoP:S,...h},credentials:"include",body:"{}"}),R=S=>{let d=S.headers.get("dpop-nonce");d&&l.map.set(u,d);},k=await m(await f(l.map.get(u)));if(k.status===401){let S=k.headers.get("www-authenticate"),w=(S&&S.match(/dpop-nonce="([^"]+)"/i))?.[1];w&&(l.map.set(u,w),k=await m(await f(w)));}if(R(k),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let d=await k.clone().json().catch(()=>{}),w=d&&(d.error||d.code||d.message)||"",I=String(w).toLowerCase();if(I.includes("missing")&&I.includes("refresh")){try{e.setRefreshId?.(null);}catch{}try{e.setBoundWallet?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}}}catch{}return !1}let P=await k.json();e.accessTokenRef.current=P.access,e.setAuthenticated(!0);let b=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=b?b.toLowerCase():null;try{let S=Math.floor(Date.now()/1e3);e.tokenExpRef.current=S+(P.expiresIn??0);}catch{}try{e.setJkt(await W(T(e)));}catch{}return P.refreshId&&e.setRefreshId(P.refreshId),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var _n=(e,t)=>`${e.toUpperCase()} ${t}`,vt=new Map,De;try{let e=globalThis;De=e.__sunbreak_page_probe_guard??(e.__sunbreak_page_probe_guard=new Set);}catch{De=new Set;}var Dn=e=>{try{let t=new URL(e.baseUrl).origin;return `${e.clientId}::${t}`}catch{return `${e.clientId}::${e.baseUrl}`}};async function br(e){let t=Dn(e);if(e.probeLock.current){await e.probeLock.current,e.markProbed();return}if(e.hasProbedRef.current){e.markProbed();return}if(De.has(t)){e.markProbed();return}De.add(t);let r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let o;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let m=await W(T(e));o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:m,clientId:e.clientId,ttlSec:300});}catch{}let a="POST",i="/auth/probe",s=`${e.baseUrl}${i}`,c=`${n}${i}`,u=_n(a,c),l=async m=>N({method:a,url:c,nonce:m,privateKey:Y(e),publicJwk:T(e)}),f=async m=>e.fetchImpl(s,{method:a,headers:{DPoP:m,"x-sunbreak-meta":$(e,{pode:o}),"content-type":"application/json"},credentials:"include",body:"{}"}),p=m=>{let R=m.headers.get("dpop-nonce");R&&vt.set(u,R);},h=await f(await l(vt.get(u)));if(p(h),h.status===401){let m=h.headers.get("www-authenticate"),k=(m&&m.match(/dpop-nonce="([^"]+)"/i))?.[1];k&&(vt.set(u,k),h=await f(await l(k)),p(h));}}catch{try{De.delete(t);}catch{}}finally{e.markProbed();}})();e.probeLock.current=r;try{await r;}finally{e.probeLock.current=null;}}var Sr=e=>{let t=react.useCallback(()=>Ze(e),[e]),r=react.useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a||!e.wallet||!e.initResolvedRef.current||e.refreshLock.current||e.registerLock.current)return;let i=e.wallet,s=e.meta.boundWallet;if(i&&s&&i.toLowerCase()===s.toLowerCase()&&!e.didInitialRefresh.current)return;let u=e.proofRef.current;!u||!(!B(e)||e.meta.boundWallet!==e.wallet)||(await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await _e(e,e.wallet,u)&&(e.didInitialSession.current=!0);}catch(p){e.setError(p?.message||String(p)||"Register failed");}finally{e.registerLock.current=null;}})());},[e]),n=react.useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Pe(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a)=>_e(e,o,a),attemptRegister:r,setProofFromAdapterToken:n}};var Wn=(e,t)=>`${e.toUpperCase()} ${t}`,Ln=(e,t)=>!!e&&!!t&&e.toLowerCase()===t.toLowerCase();async function Qe(e,t,r,n,o,a={}){e.setLoadingCount(u=>u+1),e.setError(null);let i=n.startsWith("/api/session"),s=new AbortController,c=setTimeout(()=>s.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?ut(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,p=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,h=Wn(r,p),m=n.startsWith("/auth/"),R=!1,k=!1,P=e.currentReqId(),b=Qe._nonceCacheRef||(Qe._nonceCacheRef={map:new Map}),S=J=>{let V=J.headers.get("dpop-nonce");V&&b.map.set(h,V);},d=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),w=()=>m||!e.wallet?!1:!!(e.authenticated||Ln(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),I,L,We=async()=>{if(m||d)return;try{let ie=B(e),re=e.tokenExpRef.current,et=Math.floor(Date.now()/1e3),tt=!!re&&re-et<=60;if(ie){if(tt&&!await t().catch(()=>!1))return}else if(!w()||!await t().catch(()=>!1))return}catch{}let J=B(e);if(!J)return;let V=await ze(J),j=b.map.get(h),Z=await N({method:r,url:p,nonce:j,ath:V,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=Z;};await We();let te={"content-type":"application/json","x-sunbreak-auth":I||"","x-sunbreak-meta":$(e,{reqId:P,auth:I,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...lt(a.headers)};L&&(te.DPoP=L);let Ee=async()=>e.fetchImpl(l,{...a,method:r,headers:te,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:s.signal}),A=await Ee(),Le=A.headers.get("x-sunbreak-policy-hash"),He=A.headers.get("x-sunbreak-policy-proof");if(Le&&e.setLastPolicyHash(Le),He&&e.setLastPolicyProof(He),S(A),A.status===401&&!m){let J=B(e),V=A.headers.get("www-authenticate"),Z=(V&&V.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!d&&Z&&J&&!k){k=!0,b.map.set(h,Z);let ie=await ze(J),re=await N({method:r,url:p,nonce:Z,ath:ie,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=re,te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),te.DPoP=L,A=await Ee(),S(A);}if(A.status===401&&!R&&(R=!0,!d&&w())){let ie=await t(),re=B(e);ie&&re&&!d&&(await We(),te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),L&&(te.DPoP=L),A=await Ee(),S(A));}if(A.status===401)throw new Error("Unauthorized")}if(!A.ok){let J=await Ie(A);if((A.headers.get("content-type")||"").includes("application/json")){let j=await A.json().catch(()=>{}),Z=Je(j&&(j.error||j.message||j.detail)||`HTTP ${A.status}`);throw pe(Z,J)}else {let j=J.waf?"Blocked by WAF (403)":J.alb403?"Blocked at origin (ALB 403)":`HTTP ${A.status}`;throw pe(j,J)}}return (A.headers.get("content-type")||"").includes("application/json")?await A.json():void 0}finally{clearTimeout(c),e.setLoadingCount(u=>Math.max(0,u-1));}}var Rr=(e,t)=>react.useCallback(async(r,n,o,a={})=>Qe(e,t,r,n,o,a),[e,t]);async function gr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function kr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var Pr=(e,t)=>{let r=react.useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await gr(e,t)}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=react.useCallback(async()=>{if(e.wallet)return await kr(e,t)},[e,t]);return {session:r,verify:n}};var vr=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;react.useEffect(()=>{return (async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.ensureRootKeypair(),await br(e);}catch{}})(),()=>{}},[]);let s=()=>(e.registerCooldownUntilRef.current??0)>Date.now();react.useEffect(()=>{let c=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==c&&(e.didInitialRefresh.current=false),!e.wallet){e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}c&&e.wallet&&c!==e.wallet&&(e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}));},[e.wallet]),react.useEffect(()=>{if(!e.providerAdapter||s()||!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let l=false;return (async()=>{try{let f=await e.providerAdapter.getToken()??null;if(await e.awaitKeyStable(),l||!f)return;await a(f),await o();}catch{}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef,e.didInitialRefresh,...e.refreshDeps]),react.useEffect(()=>{if(typeof i<"u"&&(e.proofRef.current=i??null),!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let f=!!c,p=!!e.proofRef.current,h=!!c&&!!e.authWalletRef.current&&c.toLowerCase()!==e.authWalletRef.current.toLowerCase();f&&p&&!e.authenticated&&!h&&e.initResolvedRef.current&&!s()&&o();},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef,e.didInitialRefresh,o]),react.useEffect(()=>{let c=e.wallet,u=e.meta.boundWallet,l=!!(u||e.meta.refreshId);if(!e.metaReady||e.didInitialRefresh.current)return;let f=true;return (async()=>{try{if(await e.waitReady(),e.accessTokenRef.current||e.authenticated){e.didInitialRefresh.current=!0,c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}let p=!!c&&!l,h=!c&&!l;if(l&&!c){e.didInitialRefresh.current=!0;return}if(p||h){e.didInitialRefresh.current=!0;return}if(c&&u&&c.toLowerCase()!==u.toLowerCase()){e.didInitialRefresh.current=!0;return}e.didInitialRefresh.current=!0;let m=await r();if(!f)return;e.setAuthenticated(m),m&&c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(p){if(!f)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(p?.message||String(p)||"Unknown error");}})(),()=>{f=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,e.didInitialRefresh,r,n]),react.useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),react.useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{await n();}catch(c){e.setError(c?.message||String(c));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),react.useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),react.useEffect(()=>{let u=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return  false;let p=e.tokenExpRef.current;if(!p)return  false;let h=Math.floor(Date.now()/1e3);return p-h<=30},l=async()=>{try{u()&&await r();}catch{}},f=async()=>{document.visibilityState==="visible"&&await l();};return window.addEventListener("focus",l),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",l),document.removeEventListener("visibilitychange",f);}},[e,r]),react.useEffect(()=>{let l=()=>{let h=Math.floor(Date.now()/1e3),m=e.tokenExpRef.current,R=e.sessionExpiry,k=!!m&&m-h<=30&&m-h>0,P=!!R&&R-h<=3600&&R-h>0;return {tokenSoon:k,sessionSoon:P}},f=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:h,sessionSoon:m}=l();(h||m)&&await r()&&m&&await n();}catch{}},p=async()=>{document.visibilityState==="visible"&&await f();};return window.addEventListener("focus",f),document.addEventListener("visibilitychange",p),()=>{window.removeEventListener("focus",f),document.removeEventListener("visibilitychange",p);}},[e,e.sessionExpiry,r,n]);};var Kr=react.createContext(void 0),Un=e=>{let t=hr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=Sr(t),a=Rr(t,r),{session:i,verify:s}=Pr(t,a);vr(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let c=react.useMemo(()=>({get:(u,l)=>a("GET",u,void 0,l),post:(u,l,f)=>a("POST",u,l,f),verify:s,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,s,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsxRuntime.jsx(Kr.Provider,{value:c,children:e.children})},$n=e=>jsxRuntime.jsx(St,{clientId:e.clientId,children:jsxRuntime.jsx(Un,{...e})}),Nn=()=>{let e=react.useContext(Kr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
-exports.SunbreakProvider = On;
-exports.useSunbreak = Un;
+exports.SunbreakProvider = $n;
+exports.useSunbreak = Nn;

package/dist/index.mjs CHANGED Viewed

@@ -1,6 +1,6 @@
 import { createContext, useContext, useState, useRef, useMemo, useEffect, useCallback } from 'react';
 import { jsx } from 'react/jsx-runtime';
-var Yr=Object.defineProperty;var It=e=>{throw TypeError(e)};var Xr=(e,t,r)=>t in e?Yr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var H=(e,t,r)=>Xr(e,typeof t!="symbol"?t+"":t,r),Dt=(e,t,r)=>t.has(e)||It("Cannot "+r);var y=(e,t,r)=>(Dt(e,t,"read from private field"),r?r.call(e):t.get(e)),O=(e,t,r)=>t.has(e)?It("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),U=(e,t,r,n)=>(Dt(e,t,"write to private field"),t.set(e,r),r);var Pe=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Zr="sunbreak-kv",ve="kv",Ue="sunbreak_dpop_meta_v1",x="sunbreak_dpop_key_v1",Ke="ES256",E="P-256",Ae=e=>`${Ue}:${e}`,Wt=()=>new Promise((e,t)=>{let r=indexedDB.open(Zr,1);r.onupgradeneeded=()=>r.result.createObjectStore(ve),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),C=async e=>{try{let t=await Wt();return await new Promise((r,n)=>{let a=t.transaction(ve,"readonly").objectStore(ve).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},g=async(e,t)=>{let r=await Wt();await new Promise((n,o)=>{let i=r.transaction(ve,"readwrite").objectStore(ve).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var Qr=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},en=e=>e.replace(/\/+$/,""),it=e=>{let t=en(e);return Qr(t)};function ct(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=tn(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var tn=e=>{for(let t=0;t<st.length;t++){let r=st[Math.floor(Math.random()*st.length)].toLowerCase();if(r!==e)return r}return "alpha"},st=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var $=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var rn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),nn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),on=new Set(["dpop","x-sunbreak-meta"]),an=64,_t=2048,sn=64;function ut(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=sn)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>an||rn.has(i)||nn.has(i)||on.has(i))continue;let s=String(a);s.length>_t&&(s=s.slice(0,_t)),t[i]=s,n++;}return t}var Q=new TextEncoder,me=new TextDecoder;function Lt(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Ht(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Mt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function jt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Mt(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function $e(e){let t=e;return typeof t=="string"&&(t=Q.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Ht(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ue=class extends Error{constructor(r,n){super(r,n);H(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};H(ue,"code","ERR_JOSE_GENERIC");var D=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JOSE_NOT_SUPPORTED");}};H(D,"code","ERR_JOSE_NOT_SUPPORTED");var ee=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWS_INVALID");}};H(ee,"code","ERR_JWS_INVALID");var xe=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWT_INVALID");}};H(xe,"code","ERR_JWT_INVALID");var Ot,Ut,lt=class extends(Ut=ue,Ot=Symbol.asyncIterator,Ut){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);H(this,Ot);H(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};H(lt,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function F(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function ft(e){return parseInt(e.name.slice(4),10)}function ln(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function fn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function $t(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw F("HMAC");let n=parseInt(t.slice(2),10);if(ft(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw F("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(ft(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw F("RSA-PSS");let n=parseInt(t.slice(2),10);if(ft(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw F("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw F(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw F("ECDSA");let n=ln(t);if(e.algorithm.namedCurve!==n)throw F(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}fn(e,r);}function Nt(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Bt=(e,...t)=>Nt("Key must be ",e,...t);function dt(e,t,...r){return Nt(`Key for the ${e} algorithm must be `,t,...r)}function pt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function yt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var mt=e=>pt(e)||yt(e);var Vt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return  true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return  false;r.add(a);}}return  true};function dn(e){return typeof e=="object"&&e!==null}var Ne=e=>{if(!dn(e)||Object.prototype.toString.call(e)!=="[object Object]")return  false;if(Object.getPrototypeOf(e)===null)return  true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Ft=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function pn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new D('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var Gt=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=pn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var qt=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new D(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Ce(e){return Ne(e)&&typeof e.kty=="string"}function zt(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function Yt(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function Xt(e){return e.kty==="oct"&&typeof e.k=="string"}var he,Zt=async(e,t,r,n=false)=>{he||(he=new WeakMap);let o=he.get(e);if(o?.[r])return o[r];let a=await Gt({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:he.set(e,{[r]:a}),a},mn=(e,t)=>{he||(he=new WeakMap);let r=he.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&s==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES384"&&s==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES512"&&s==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:s},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:he.set(e,{[t]:a}),a},Qt=async(e,t)=>{if(e instanceof Uint8Array||pt(e))return e;if(yt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return mn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Zt(e,r,t)}if(Ce(e))return e.k?jt(e.k):Zt(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],wt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return  true},wn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Ce(t)){if(Xt(t)&&wt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!mt(t))throw new TypeError(dt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},hn=(e,t,r)=>{if(Ce(t))switch(r){case "decrypt":case "sign":if(zt(t)&&wt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(Yt(t)&&wt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!mt(t))throw new TypeError(dt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},er=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?wn(e,t,r):hn(e,t,r);};var tr=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new D(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var rr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Bt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return $t(t,e,r),t};var ne=e=>Math.floor(e.getTime()/1e3);var bn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Be=e=>{let t=bn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function le(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var v,Ve=class{constructor(t){O(this,v);if(!Ne(t))throw new TypeError("JWT Claims Set MUST be an object");U(this,v,structuredClone(t));}data(){return Q.encode(JSON.stringify(y(this,v)))}get iss(){return y(this,v).iss}set iss(t){y(this,v).iss=t;}get sub(){return y(this,v).sub}set sub(t){y(this,v).sub=t;}get aud(){return y(this,v).aud}set aud(t){y(this,v).aud=t;}set jti(t){y(this,v).jti=t;}set nbf(t){typeof t=="number"?y(this,v).nbf=le("setNotBefore",t):t instanceof Date?y(this,v).nbf=le("setNotBefore",ne(t)):y(this,v).nbf=ne(new Date)+Be(t);}set exp(t){typeof t=="number"?y(this,v).exp=le("setExpirationTime",t):t instanceof Date?y(this,v).exp=le("setExpirationTime",ne(t)):y(this,v).exp=ne(new Date)+Be(t);}set iat(t){typeof t>"u"?y(this,v).iat=ne(new Date):t instanceof Date?y(this,v).iat=le("setIssuedAt",ne(t)):typeof t=="string"?y(this,v).iat=le("setIssuedAt",ne(new Date)+Be(t)):y(this,v).iat=le("setIssuedAt",t);}};v=new WeakMap;var nr=async(e,t,r)=>{let n=await rr(e,t,"sign");Ft(e,n);let o=await crypto.subtle.sign(tr(e,n.algorithm),n,r);return new Uint8Array(o)};var Te,W,G,Fe=class{constructor(t){O(this,Te);O(this,W);O(this,G);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");U(this,Te,t);}setProtectedHeader(t){if(y(this,W))throw new TypeError("setProtectedHeader can only be called once");return U(this,W,t),this}setUnprotectedHeader(t){if(y(this,G))throw new TypeError("setUnprotectedHeader can only be called once");return U(this,G,t),this}async sign(t,r){if(!y(this,W)&&!y(this,G))throw new ee("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Vt(y(this,W),y(this,G)))throw new ee("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...y(this,W),...y(this,G)},o=qt(ee,new Map([["b64",true]]),r?.crit,y(this,W),n),a=true;if(o.has("b64")&&(a=y(this,W).b64,typeof a!="boolean"))throw new ee('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new ee('JWS "alg" (Algorithm) Header Parameter missing or invalid');er(i,t,"sign");let s=y(this,Te);a&&(s=Q.encode($e(s)));let c;y(this,W)?c=Q.encode($e(JSON.stringify(y(this,W)))):c=Q.encode("");let u=Lt(c,Q.encode("."),s),l=await Qt(t,i),f=await nr(i,l,u),d={signature:$e(f),payload:""};return a&&(d.payload=me.decode(s)),y(this,G)&&(d.header=y(this,G)),y(this,W)&&(d.protected=me.decode(c)),d}};Te=new WeakMap,W=new WeakMap,G=new WeakMap;var Se,Ge=class{constructor(t){O(this,Se);U(this,Se,new Fe(t));}setProtectedHeader(t){return y(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await y(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var oe,M,fe=class{constructor(t={}){O(this,oe);O(this,M);U(this,M,new Ve(t));}setIssuer(t){return y(this,M).iss=t,this}setSubject(t){return y(this,M).sub=t,this}setAudience(t){return y(this,M).aud=t,this}setJti(t){return y(this,M).jti=t,this}setNotBefore(t){return y(this,M).nbf=t,this}setExpirationTime(t){return y(this,M).exp=t,this}setIssuedAt(t){return y(this,M).iat=t,this}setProtectedHeader(t){return U(this,oe,t),this}async sign(t,r){let n=new Ge(y(this,M).data());if(n.setProtectedHeader(y(this,oe)),Array.isArray(y(this,oe)?.crit)&&y(this,oe).crit.includes("b64")&&y(this,oe).b64===false)throw new xe("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};oe=new WeakMap,M=new WeakMap;var Sn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),qe=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return Sn(r)},N=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,s={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(s.nonce=n),o&&(s.ath=o),await new fe(s).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var _=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function de(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,s=Math.floor(Date.now()/1e3),c=s+Math.max(60,Math.min(i,3600)),u={child_jkt:n,client_id:o,aud:"issuer",iat:s,exp:c,jti:crypto.randomUUID()};return a&&(u.sid=a),await new fe(u).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Ie(e){let t=e.status,r=Array.from(e.headers.keys()).some(s=>s.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let s=await e.clone().json();n=typeof s?.error=="string"?s.error:void 0,o=typeof s?.detail=="string"?s.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function pe(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},ht=createContext(void 0);function cr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function kn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var bt=({children:e,clientId:t})=>{let[r,n]=useState(Re),o=useRef(false),[a,i]=useState(false),s=useMemo(()=>Ae(t),[t]);useEffect(()=>{let p=true;return (async()=>{let I=await C(s)??await C(Ue)??cr(s);p&&(n({...Re,...I}),o.current=true,i(true));})(),()=>{p=false;}},[s]),useEffect(()=>{o.current&&(async()=>(await g(s,r),kn(s,r)))();},[r,s]);let c=useCallback(p=>n(w=>({...w,refreshId:p})),[]),u=useCallback(p=>n(w=>({...w,lastPolicyHash:p})),[]),l=useCallback(p=>n(w=>({...w,lastPolicyProof:p})),[]),f=useCallback(p=>n(w=>({...w,lastHost:p})),[]),d=useCallback(p=>n(w=>({...w,rootJkt:p})),[]),h=async()=>{try{let p=localStorage.getItem(s);if(p){let w=JSON.parse(p);if(typeof w?.refreshId=="string"&&w.refreshId)return w.refreshId}}catch{}try{let p=await C(s);if(typeof p?.refreshId=="string"&&p.refreshId)return p.refreshId}catch{}return null},m=useCallback(p=>n(w=>({...w,boundWallet:p})),[]),R=useCallback(p=>n(w=>({...w,clientId:p})),[]),k=useCallback(p=>n(w=>({...w,jkt:p})),[]),P=useCallback(()=>n(Re),[]),b=useCallback(async()=>{let w=await C(s)??cr(s);n({...Re,...w});},[]),S=useMemo(()=>({meta:r,setBoundWallet:m,setClientId:R,setJkt:k,resetMeta:P,reload:b,setRefreshId:c,getRefreshId:h,ready:a,setLastPolicyHash:u,setLastPolicyProof:l,setLastHost:f,setRootJkt:d}),[r,m,R,k,P,b,a,c,h,u,l,f,d]);return jsx(ht.Provider,{value:S,children:e})};function St(){let e=useContext(ht);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var lr=`${x}:wrap`;async function ze(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${x}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return  false}}async function vn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!0,["sign","verify"]),t=`${x}:probe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return  false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function fr(){let e=await C(lr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(lr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Rt(e){let t=await fr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Kn(e,t){let r=await fr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var gt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let c=await C(x);if(!c)return  false;if(c.fmt==="cryptokey"){let l=c;if(!l.privKey)return await g(x,void 0),false;let f=l.privKey;try{if(f.extractable&&await ze()){let h=await crypto.subtle.exportKey("jwk",f),m=await crypto.subtle.importKey("jwk",h,{name:"ECDSA",namedCurve:E},!1,["sign"]),R={fmt:"cryptokey",privKey:m,pubJwk:ke(l.pubJwk)};await g(x,R),f=m;}}catch{}return e.current=f,t.current=ke(l.pubJwk),true}if(c.fmt==="encjwk"){let l=c;try{let f=await Kn(l.encPrivJwk,l.iv),d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=d,t.current=ke(l.pubJwk),!0}catch{return await g(x,void 0),false}}let u=c;if(u&&u.d){let{d:l,...f}=u,d=ke(f),h=await ze(),m=h||await vn();if(m&&h){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:d}),e.current=b,t.current=d,true}if(m){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},true,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:d}),e.current=b,t.current=d,true}let{encPrivJwk:R,iv:k}=await Rt(u);await g(x,{fmt:"encjwk",encPrivJwk:R,iv:k,pubJwk:d});let P=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return e.current=P,t.current=d,true}return await g(x,void 0),false},[]),n=useCallback(async(c,u)=>{await g(x,{fmt:"cryptokey",privKey:c,pubJwk:u});},[]),o=useCallback(async(c,u)=>{let{encPrivJwk:l,iv:f}=await Rt(c);await g(x,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:u});},[]),a=useCallback(async()=>{if(e.current&&t.current||await r())return;let c=await ze(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await n(d,l),e.current=d,t.current=l;}else {await o(f,l);let d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=d,t.current=l;}},[r,n,o]),i=useCallback(async()=>{let c=await ze(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(x,{fmt:"cryptokey",privKey:d,pubJwk:l}),e.current=d,t.current=l;}else {let{encPrivJwk:d,iv:h}=await Rt(f);await g(x,{fmt:"encjwk",encPrivJwk:d,iv:h,pubJwk:l});let m=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=m,t.current=l;}},[]),s=useCallback(async()=>{await g(x,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:s,privRef:e,pubJwkRef:t}};var z="sunbreak_root_key_v1",pr=`${z}:wrap`;async function yr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${z}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return  false}}function Ye(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function mr(){let e=await C(pr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(pr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function An(e){let t=await mr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function xn(e,t){let r=await mr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Et=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let a=await C(z);if(!a)return  false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await g(z,void 0),false;let s=i.privKey;try{if(s.extractable&&await yr()){let u=await crypto.subtle.exportKey("jwk",s),l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},!1,["sign"]),f={fmt:"cryptokey",privKey:l,pubJwk:Ye(i.pubJwk),createdAt:i.createdAt};await g(z,f),s=l;}}catch{}return e.current=s,t.current=Ye(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let s=await xn(i.encPrivJwk,i.iv),c=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=c,t.current=Ye(i.pubJwk),!0}catch{return await g(z,void 0),false}}return await g(z,void 0),false},[]),n=useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await yr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),s=Ye(await crypto.subtle.exportKey("jwk",i.publicKey)),c=Date.now(),u=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(z,{fmt:"cryptokey",privKey:l,pubJwk:s,createdAt:c}),e.current=l,t.current=s;}else {let{encPrivJwk:l,iv:f}=await An(u);await g(z,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:s,createdAt:c});let h=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=h,t.current=s;}},[r]),o=useCallback(async()=>{await g(z,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var Cn=()=>crypto.randomUUID(),wr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:s,refreshDeps:c=[]}=e,u=it(n),l=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:f,setBoundWallet:d,setJkt:h,setRefreshId:m,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,ready:p}=St(),{ensureRootKeypair:w,rootPrivRef:I,rootPubJwkRef:L}=Et(),We=useCallback(async()=>{await w();try{if(!f.rootJkt&&L.current){let ce=await _(L.current);S(ce);}}catch{}},[w,f.rootJkt,L]),{ensureKeypair:te,rotate:Ee,privRef:A,pubJwkRef:_e}=gt(),[Le,At]=useState(false),[J,V]=useState(0),[j,Z]=useState(null),[ie,re]=useState(null),[Qe,et]=useState(null),[tt,Kr]=useState(null),[Ar,xr]=useState(null),[Cr,Tr]=useState(null),Jr=useRef(null),Ir=useRef(null),Dr=useRef(null),Wr=useRef(null),_r=useRef(null),Lr=useRef(null),Hr=useRef(null),Mr=useRef(false),jr=useRef(false),Or=useRef(void 0),He=useRef(false),rt=useRef(false),xt=useRef(null),se=useRef(null);se.current||(se.current=new Promise(ce=>{xt.current=ce;}));let nt=useRef(null),Ur=useRef(i),$r=useRef(null),Me=useRef(null),Ct=useRef(null),je=useRef(null),Tt=()=>Date.now(),Nr=()=>(je.current??0)>0&&je.current<Tt(),ot=useCallback((ce,zr=15e3)=>{let Jt=Cn();return Me.current=Jt,Ct.current=ce,je.current=Tt()+Math.max(1e3,zr),Jt},[]),Br=useCallback(()=>((!Me.current||Nr())&&ot("adhoc",1e4),Me.current),[ot]),at=useRef(null),Oe=useRef(null);Oe.current||(Oe.current=new Promise(ce=>{at.current=ce;}));let Vr=useCallback(async()=>{!He.current&&Oe.current&&await Oe.current;},[]),Fr=useCallback(()=>{He.current||(He.current=true,at.current?.(),at.current=null);},[]),Gr=useCallback(async()=>{!rt.current&&se.current&&await se.current;},[]),qr=useCallback(async()=>{!rt.current&&se.current&&await se.current,nt.current&&await nt.current;},[]);return {clientId:t,wallet:r,baseUrl:u,fetchImpl:l,timeoutMs:a,providerAdapter:s,refreshDeps:c,ensureKeypair:te,rotate:Ee,ensureRootKeypair:We,rootPrivRef:I,rootPubJwkRef:L,privRef:A,pubJwkRef:_e,meta:f,setBoundWallet:d,setJkt:h,setRefreshId:m,accessTokenRef:Dr,tokenExpRef:Wr,authenticated:Le,setAuthenticated:At,loadingCount:J,setLoadingCount:V,error:j,setError:Z,allowed:ie,setAllowed:re,denyReason:Qe,setDenyReason:et,sessionExpiry:tt,setSessionExpiry:Kr,sessionData:Ar,setSessionData:xr,verifyData:Cr,setVerifyData:Tr,authWalletRef:Ir,refreshLock:_r,registerLock:Lr,sessionLock:Hr,didInitialRefresh:Mr,didInitialSession:jr,prevWalletRef:Or,initResolvedRef:rt,initReady:se,initResolveRef:xt,rotateLock:nt,waitReady:Gr,awaitKeyStable:qr,proofRef:Ur,registerCooldownUntilRef:Jr,reqIdRef:Me,flowLabelRef:Ct,flowExpireRef:je,beginFlow:ot,currentReqId:Br,awaitProbe:Vr,markProbed:Fr,hasProbedRef:He,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,metaReady:p,probeLock:$r}};var B=e=>e.accessTokenRef.current??null,Y=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},T=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Tn=(e,t)=>`${e.toUpperCase()} ${t}`;async function De(e,t,r){if(!t)return  false;let n=De._nonceCacheRef||(De._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let p=await _(e.rootPubJwkRef.current);e.setRootJkt?.(p);}catch{}let b=await _(T(e)),S=await e.getRefreshId();o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:b,clientId:e.clientId,sid:S||void 0,ttlSec:300});}}catch{}let a=e.currentReqId(),i="/auth/register",s=`${e.baseUrl}${i}`,c=new URL(e.baseUrl).origin,u="POST",l=`${c}${i}`,f=Tn(u,l),d=n.map.get(f),h=await N({method:u,url:l,nonce:d,privateKey:Y(e),publicJwk:T(e)}),m=async b=>e.fetchImpl(s,{method:u,headers:{"content-type":"application/json","x-sunbreak-meta":$(e,{reqId:a,pode:o||void 0}),...b},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),R=await m({DPoP:h}),k=b=>{let S=b.headers.get("dpop-nonce");S&&n.map.set(f,S);};if(R.status===401){let b=R.headers.get("www-authenticate"),p=(b&&b.match(/dpop-nonce="([^"]+)"/i))?.[1];if(p){n.map.set(f,p);let w=await N({method:u,url:l,nonce:p,privateKey:Y(e),publicJwk:T(e)});R=await m({DPoP:w});}}if(k(R),!R.ok){let b=await Ie(R);if((R.headers.get("content-type")||"").includes("application/json")){let p;try{p=await R.clone().json();}catch{}let w=Je(p&&(p.error||p.message||p.detail)||`HTTP ${R.status}`);throw pe(w,b)}else {let p=b.waf?"Blocked by WAF (403)":b.alb403?"Blocked at origin (ALB 403)":`HTTP ${R.status}`;throw pe(p,b)}}let P=await R.json();e.accessTokenRef.current=P.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let b=Math.floor(Date.now()/1e3);e.tokenExpRef.current=b+(P.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await _(T(e)));}catch{}try{let b={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:P.refreshId??null};e.setRefreshId(P.refreshId??null);let S=Ae(e.clientId);await g(S,b);try{localStorage.setItem(S,JSON.stringify(b));}catch{}}catch{}return !0}catch(o){let a=Number(o?.status||0),i=String(o?.code||""),s=String(o?.message||""),c=Math.floor(Math.random()*1e3);if((a===401||a===403)&&i.toLowerCase()==="replay"){if(e.providerAdapter)try{let u=await e.providerAdapter.getToken()??null;if(u)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Pe(e.providerAdapter,u),e.registerCooldownUntilRef.current=Date.now()+5e3+c,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+c,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+c,false}if(a===403&&(o?.waf||o?.alb403))return e.setError(s||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+c,false;if(a===403)return e.setError(i||s||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+c,false;if(a===429||a===503){e.setError(i||s||"Rate limited / unavailable");let u=a===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+u+c,false}return e.setError(i||s||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}}var Jn=(e,t)=>`${e.toUpperCase()} ${t}`;function Xe(e){if(e.refreshLock.current)return e.refreshLock.current;if(e.registerLock.current){let t=e.registerLock.current.then(()=>{if(e.authenticated&&B(e))return  true;if(B(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return  true}return  false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.refreshLock.current=(async()=>{try{if(await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let t=B(e);if(t){let S=e.tokenExpRef.current,p=Math.floor(Date.now()/1e3);if(!!t&&!!S&&S-p>5)return !0}e.beginFlow("refresh",15e3);let r=e.currentReqId();await e.ensureKeypair();let n;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let w=await _(e.rootPubJwkRef.current);e.setRootJkt?.(w);}catch{}let S=await _(T(e)),p=await e.getRefreshId();n=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:S,clientId:e.clientId,sid:p||void 0,ttlSec:300});}}catch{}let o="/auth/refresh",a=`${e.baseUrl}${o}`,i=new URL(e.baseUrl).origin,s="POST",c=`${i}${o}`,u=Jn(s,c),l=Xe._nonceCacheRef||(Xe._nonceCacheRef={map:new Map}),f=async S=>await N({method:s,url:c,nonce:S,privateKey:Y(e),publicJwk:T(e)}),d=await e.getRefreshId(),h={"x-sunbreak-meta":$(e,{reqId:r,refreshId:d||void 0,pode:n||void 0}),"content-type":"application/json"},m=async S=>e.fetchImpl(a,{method:s,headers:{DPoP:S,...h},credentials:"include",body:"{}"}),R=S=>{let p=S.headers.get("dpop-nonce");p&&l.map.set(u,p);},k=await m(await f(l.map.get(u)));if(k.status===401){let S=k.headers.get("www-authenticate"),w=(S&&S.match(/dpop-nonce="([^"]+)"/i))?.[1];w&&(l.map.set(u,w),k=await m(await f(w)));}if(R(k),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let p=await k.clone().json().catch(()=>{}),w=p&&(p.error||p.code||p.message)||"",I=String(w).toLowerCase();if(I.includes("missing")&&I.includes("refresh")){try{e.setRefreshId?.(null);}catch{}try{e.setBoundWallet?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}}}catch{}return !1}let P=await k.json();e.accessTokenRef.current=P.access,e.setAuthenticated(!0);let b=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=b?b.toLowerCase():null;try{let S=Math.floor(Date.now()/1e3);e.tokenExpRef.current=S+(P.expiresIn??0);}catch{}try{e.setJkt(await _(T(e)));}catch{}return P.refreshId&&e.setRefreshId(P.refreshId),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var In=(e,t)=>`${e.toUpperCase()} ${t}`,Pt=new Map;async function hr(e){if(e.probeLock?.current)return e.probeLock.current;if(e.hasProbedRef.current)return;let t=n=>{try{e.probeLock&&(e.probeLock.current=n);}catch{}},r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let o;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let m=await _(T(e));o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:m,clientId:e.clientId,ttlSec:300});}catch{}let a="POST",i="/auth/probe",s=`${e.baseUrl}${i}`,c=`${n}${i}`,u=In(a,c),l=async m=>e.fetchImpl(s,{method:a,headers:{DPoP:m,"x-sunbreak-meta":$(e,{pode:o}),"content-type":"application/json"},credentials:"include",body:"{}"}),f=async m=>await N({method:a,url:c,nonce:m,privateKey:Y(e),publicJwk:T(e)}),d=await l(await f(Pt.get(u))),h=m=>{let R=m.headers.get("dpop-nonce");R&&Pt.set(u,R);};if(h(d),d.status===401){let m=d.headers.get("www-authenticate"),k=(m&&m.match(/dpop-nonce="([^"]+)"/i))?.[1];k&&(Pt.set(u,k),d=await l(await f(k)),h(d));}e.markProbed();}catch{e.markProbed();}})();t(r);try{await r;}finally{t(null);}}var br=e=>{let t=useCallback(()=>Xe(e),[e]),r=useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a||!e.wallet||!e.initResolvedRef.current||e.refreshLock.current||e.registerLock.current)return;let i=e.wallet,s=e.meta.boundWallet;if(i&&s&&i.toLowerCase()===s.toLowerCase()&&!e.didInitialRefresh.current)return;let u=e.proofRef.current;!u||!(!B(e)||e.meta.boundWallet!==e.wallet)||(await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await De(e,e.wallet,u)&&(e.didInitialSession.current=!0);}catch(d){e.setError(d?.message||String(d)||"Register failed");}finally{e.registerLock.current=null;}})());},[e]),n=useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Pe(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a)=>De(e,o,a),attemptRegister:r,setProofFromAdapterToken:n}};var Dn=(e,t)=>`${e.toUpperCase()} ${t}`,Wn=(e,t)=>!!e&&!!t&&e.toLowerCase()===t.toLowerCase();async function Ze(e,t,r,n,o,a={}){e.setLoadingCount(u=>u+1),e.setError(null);let i=n.startsWith("/api/session"),s=new AbortController,c=setTimeout(()=>s.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?ct(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,d=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,h=Dn(r,d),m=n.startsWith("/auth/"),R=!1,k=!1,P=e.currentReqId(),b=Ze._nonceCacheRef||(Ze._nonceCacheRef={map:new Map}),S=J=>{let V=J.headers.get("dpop-nonce");V&&b.map.set(h,V);},p=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),w=()=>m||!e.wallet?!1:!!(e.authenticated||Wn(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),I,L,We=async()=>{if(m||p)return;try{let ie=B(e),re=e.tokenExpRef.current,Qe=Math.floor(Date.now()/1e3),et=!!re&&re-Qe<=60;if(ie){if(et&&!await t().catch(()=>!1))return}else if(!w()||!await t().catch(()=>!1))return}catch{}let J=B(e);if(!J)return;let V=await qe(J),j=b.map.get(h),Z=await N({method:r,url:d,nonce:j,ath:V,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=Z;};await We();let te={"content-type":"application/json","x-sunbreak-auth":I||"","x-sunbreak-meta":$(e,{reqId:P,auth:I,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...ut(a.headers)};L&&(te.DPoP=L);let Ee=async()=>e.fetchImpl(l,{...a,method:r,headers:te,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:s.signal}),A=await Ee(),_e=A.headers.get("x-sunbreak-policy-hash"),Le=A.headers.get("x-sunbreak-policy-proof");if(_e&&e.setLastPolicyHash(_e),Le&&e.setLastPolicyProof(Le),S(A),A.status===401&&!m){let J=B(e),V=A.headers.get("www-authenticate"),Z=(V&&V.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!p&&Z&&J&&!k){k=!0,b.map.set(h,Z);let ie=await qe(J),re=await N({method:r,url:d,nonce:Z,ath:ie,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=re,te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),te.DPoP=L,A=await Ee(),S(A);}if(A.status===401&&!R&&(R=!0,!p&&w())){let ie=await t(),re=B(e);ie&&re&&!p&&(await We(),te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),L&&(te.DPoP=L),A=await Ee(),S(A));}if(A.status===401)throw new Error("Unauthorized")}if(!A.ok){let J=await Ie(A);if((A.headers.get("content-type")||"").includes("application/json")){let j=await A.json().catch(()=>{}),Z=Je(j&&(j.error||j.message||j.detail)||`HTTP ${A.status}`);throw pe(Z,J)}else {let j=J.waf?"Blocked by WAF (403)":J.alb403?"Blocked at origin (ALB 403)":`HTTP ${A.status}`;throw pe(j,J)}}return (A.headers.get("content-type")||"").includes("application/json")?await A.json():void 0}finally{clearTimeout(c),e.setLoadingCount(u=>Math.max(0,u-1));}}var Sr=(e,t)=>useCallback(async(r,n,o,a={})=>Ze(e,t,r,n,o,a),[e,t]);async function Rr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function gr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var Er=(e,t)=>{let r=useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await Rr(e,t)}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=useCallback(async()=>{if(e.wallet)return await gr(e,t)},[e,t]);return {session:r,verify:n}};var Pr=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;useEffect(()=>{return (async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.ensureRootKeypair(),await hr(e);}catch{}})(),()=>{}},[]);let s=()=>(e.registerCooldownUntilRef.current??0)>Date.now();useEffect(()=>{let c=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==c&&(e.didInitialRefresh.current=false),!e.wallet){e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}c&&e.wallet&&c!==e.wallet&&(e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}));},[e.wallet]),useEffect(()=>{if(!e.providerAdapter||s()||!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let l=false;return (async()=>{try{let f=await e.providerAdapter.getToken()??null;if(await e.awaitKeyStable(),l||!f)return;await a(f),await o();}catch{}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef,e.didInitialRefresh,...e.refreshDeps]),useEffect(()=>{if(typeof i<"u"&&(e.proofRef.current=i??null),!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let f=!!c,d=!!e.proofRef.current,h=!!c&&!!e.authWalletRef.current&&c.toLowerCase()!==e.authWalletRef.current.toLowerCase();f&&d&&!e.authenticated&&!h&&e.initResolvedRef.current&&!s()&&o();},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef,e.didInitialRefresh,o]),useEffect(()=>{let c=e.wallet,u=e.meta.boundWallet,l=!!(u||e.meta.refreshId);if(!e.metaReady||e.didInitialRefresh.current)return;let f=true;return (async()=>{try{if(await e.waitReady(),e.accessTokenRef.current||e.authenticated){e.didInitialRefresh.current=!0,c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}let d=!!c&&!l,h=!c&&!l;if(l&&!c){e.didInitialRefresh.current=!0;return}if(d||h){e.didInitialRefresh.current=!0;return}if(c&&u&&c.toLowerCase()!==u.toLowerCase()){e.didInitialRefresh.current=!0;return}e.didInitialRefresh.current=!0;let m=await r();if(!f)return;e.setAuthenticated(m),m&&c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(d){if(!f)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(d?.message||String(d)||"Unknown error");}})(),()=>{f=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,e.didInitialRefresh,r,n]),useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{await n();}catch(c){e.setError(c?.message||String(c));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),useEffect(()=>{let u=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return  false;let d=e.tokenExpRef.current;if(!d)return  false;let h=Math.floor(Date.now()/1e3);return d-h<=30},l=async()=>{try{u()&&await r();}catch{}},f=async()=>{document.visibilityState==="visible"&&await l();};return window.addEventListener("focus",l),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",l),document.removeEventListener("visibilitychange",f);}},[e,r]),useEffect(()=>{let l=()=>{let h=Math.floor(Date.now()/1e3),m=e.tokenExpRef.current,R=e.sessionExpiry,k=!!m&&m-h<=30&&m-h>0,P=!!R&&R-h<=3600&&R-h>0;return {tokenSoon:k,sessionSoon:P}},f=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:h,sessionSoon:m}=l();(h||m)&&await r()&&m&&await n();}catch{}},d=async()=>{document.visibilityState==="visible"&&await f();};return window.addEventListener("focus",f),document.addEventListener("visibilitychange",d),()=>{window.removeEventListener("focus",f),document.removeEventListener("visibilitychange",d);}},[e,e.sessionExpiry,r,n]);};var vr=createContext(void 0),jn=e=>{let t=wr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=br(t),a=Sr(t,r),{session:i,verify:s}=Er(t,a);Pr(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let c=useMemo(()=>({get:(u,l)=>a("GET",u,void 0,l),post:(u,l,f)=>a("POST",u,l,f),verify:s,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,s,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsx(vr.Provider,{value:c,children:e.children})},On=e=>jsx(bt,{clientId:e.clientId,children:jsx(jn,{...e})}),Un=()=>{let e=useContext(vr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
+var Xr=Object.defineProperty;var _t=e=>{throw TypeError(e)};var Zr=(e,t,r)=>t in e?Xr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var H=(e,t,r)=>Zr(e,typeof t!="symbol"?t+"":t,r),Dt=(e,t,r)=>t.has(e)||_t("Cannot "+r);var y=(e,t,r)=>(Dt(e,t,"read from private field"),r?r.call(e):t.get(e)),O=(e,t,r)=>t.has(e)?_t("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),U=(e,t,r,n)=>(Dt(e,t,"write to private field"),t.set(e,r),r);var Pe=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Qr="sunbreak-kv",ve="kv",$e="sunbreak_dpop_meta_v1",x="sunbreak_dpop_key_v1",Ke="ES256",E="P-256",Ae=e=>`${$e}:${e}`,Wt=()=>new Promise((e,t)=>{let r=indexedDB.open(Qr,1);r.onupgradeneeded=()=>r.result.createObjectStore(ve),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),C=async e=>{try{let t=await Wt();return await new Promise((r,n)=>{let a=t.transaction(ve,"readonly").objectStore(ve).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},g=async(e,t)=>{let r=await Wt();await new Promise((n,o)=>{let i=r.transaction(ve,"readwrite").objectStore(ve).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var en=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},tn=e=>e.replace(/\/+$/,""),st=e=>{let t=tn(e);return en(t)};function ut(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=rn(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var rn=e=>{for(let t=0;t<ct.length;t++){let r=ct[Math.floor(Math.random()*ct.length)].toLowerCase();if(r!==e)return r}return "alpha"},ct=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var $=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var nn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),on=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),an=new Set(["dpop","x-sunbreak-meta"]),sn=64,Lt=2048,cn=64;function lt(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=cn)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>sn||nn.has(i)||on.has(i)||an.has(i))continue;let s=String(a);s.length>Lt&&(s=s.slice(0,Lt)),t[i]=s,n++;}return t}var Q=new TextEncoder,me=new TextDecoder;function Ht(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Mt(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function jt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function Ot(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return jt(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Ne(e){let t=e;return typeof t=="string"&&(t=Q.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Mt(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ue=class extends Error{constructor(r,n){super(r,n);H(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};H(ue,"code","ERR_JOSE_GENERIC");var _=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JOSE_NOT_SUPPORTED");}};H(_,"code","ERR_JOSE_NOT_SUPPORTED");var ee=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWS_INVALID");}};H(ee,"code","ERR_JWS_INVALID");var xe=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWT_INVALID");}};H(xe,"code","ERR_JWT_INVALID");var Ut,$t,ft=class extends($t=ue,Ut=Symbol.asyncIterator,$t){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);H(this,Ut);H(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};H(ft,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function F(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function dt(e){return parseInt(e.name.slice(4),10)}function fn(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function dn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function Nt(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw F("HMAC");let n=parseInt(t.slice(2),10);if(dt(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw F("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(dt(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw F("RSA-PSS");let n=parseInt(t.slice(2),10);if(dt(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw F("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw F(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw F("ECDSA");let n=fn(t);if(e.algorithm.namedCurve!==n)throw F(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}dn(e,r);}function Bt(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Vt=(e,...t)=>Bt("Key must be ",e,...t);function pt(e,t,...r){return Bt(`Key for the ${e} algorithm must be `,t,...r)}function yt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function mt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var wt=e=>yt(e)||mt(e);var Ft=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return  true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return  false;r.add(a);}}return  true};function pn(e){return typeof e=="object"&&e!==null}var Be=e=>{if(!pn(e)||Object.prototype.toString.call(e)!=="[object Object]")return  false;if(Object.getPrototypeOf(e)===null)return  true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Gt=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function yn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new _('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var qt=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=yn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var zt=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new _(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Ce(e){return Be(e)&&typeof e.kty=="string"}function Yt(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function Xt(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function Zt(e){return e.kty==="oct"&&typeof e.k=="string"}var he,Qt=async(e,t,r,n=false)=>{he||(he=new WeakMap);let o=he.get(e);if(o?.[r])return o[r];let a=await qt({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:he.set(e,{[r]:a}),a},wn=(e,t)=>{he||(he=new WeakMap);let r=he.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&s==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES384"&&s==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES512"&&s==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:s},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:he.set(e,{[t]:a}),a},er=async(e,t)=>{if(e instanceof Uint8Array||yt(e))return e;if(mt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return wn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Qt(e,r,t)}if(Ce(e))return e.k?Ot(e.k):Qt(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],ht=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return  true},hn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Ce(t)){if(Zt(t)&&ht(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!wt(t))throw new TypeError(pt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},bn=(e,t,r)=>{if(Ce(t))switch(r){case "decrypt":case "sign":if(Yt(t)&&ht(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(Xt(t)&&ht(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!wt(t))throw new TypeError(pt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},tr=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?hn(e,t,r):bn(e,t,r);};var rr=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new _(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var nr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Vt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return Nt(t,e,r),t};var ne=e=>Math.floor(e.getTime()/1e3);var Sn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Ve=e=>{let t=Sn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function le(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var v,Fe=class{constructor(t){O(this,v);if(!Be(t))throw new TypeError("JWT Claims Set MUST be an object");U(this,v,structuredClone(t));}data(){return Q.encode(JSON.stringify(y(this,v)))}get iss(){return y(this,v).iss}set iss(t){y(this,v).iss=t;}get sub(){return y(this,v).sub}set sub(t){y(this,v).sub=t;}get aud(){return y(this,v).aud}set aud(t){y(this,v).aud=t;}set jti(t){y(this,v).jti=t;}set nbf(t){typeof t=="number"?y(this,v).nbf=le("setNotBefore",t):t instanceof Date?y(this,v).nbf=le("setNotBefore",ne(t)):y(this,v).nbf=ne(new Date)+Ve(t);}set exp(t){typeof t=="number"?y(this,v).exp=le("setExpirationTime",t):t instanceof Date?y(this,v).exp=le("setExpirationTime",ne(t)):y(this,v).exp=ne(new Date)+Ve(t);}set iat(t){typeof t>"u"?y(this,v).iat=ne(new Date):t instanceof Date?y(this,v).iat=le("setIssuedAt",ne(t)):typeof t=="string"?y(this,v).iat=le("setIssuedAt",ne(new Date)+Ve(t)):y(this,v).iat=le("setIssuedAt",t);}};v=new WeakMap;var or=async(e,t,r)=>{let n=await nr(e,t,"sign");Gt(e,n);let o=await crypto.subtle.sign(rr(e,n.algorithm),n,r);return new Uint8Array(o)};var Te,D,G,Ge=class{constructor(t){O(this,Te);O(this,D);O(this,G);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");U(this,Te,t);}setProtectedHeader(t){if(y(this,D))throw new TypeError("setProtectedHeader can only be called once");return U(this,D,t),this}setUnprotectedHeader(t){if(y(this,G))throw new TypeError("setUnprotectedHeader can only be called once");return U(this,G,t),this}async sign(t,r){if(!y(this,D)&&!y(this,G))throw new ee("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Ft(y(this,D),y(this,G)))throw new ee("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...y(this,D),...y(this,G)},o=zt(ee,new Map([["b64",true]]),r?.crit,y(this,D),n),a=true;if(o.has("b64")&&(a=y(this,D).b64,typeof a!="boolean"))throw new ee('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new ee('JWS "alg" (Algorithm) Header Parameter missing or invalid');tr(i,t,"sign");let s=y(this,Te);a&&(s=Q.encode(Ne(s)));let c;y(this,D)?c=Q.encode(Ne(JSON.stringify(y(this,D)))):c=Q.encode("");let u=Ht(c,Q.encode("."),s),l=await er(t,i),f=await or(i,l,u),p={signature:Ne(f),payload:""};return a&&(p.payload=me.decode(s)),y(this,G)&&(p.header=y(this,G)),y(this,D)&&(p.protected=me.decode(c)),p}};Te=new WeakMap,D=new WeakMap,G=new WeakMap;var Se,qe=class{constructor(t){O(this,Se);U(this,Se,new Ge(t));}setProtectedHeader(t){return y(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await y(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var oe,M,fe=class{constructor(t={}){O(this,oe);O(this,M);U(this,M,new Fe(t));}setIssuer(t){return y(this,M).iss=t,this}setSubject(t){return y(this,M).sub=t,this}setAudience(t){return y(this,M).aud=t,this}setJti(t){return y(this,M).jti=t,this}setNotBefore(t){return y(this,M).nbf=t,this}setExpirationTime(t){return y(this,M).exp=t,this}setIssuedAt(t){return y(this,M).iat=t,this}setProtectedHeader(t){return U(this,oe,t),this}async sign(t,r){let n=new qe(y(this,M).data());if(n.setProtectedHeader(y(this,oe)),Array.isArray(y(this,oe)?.crit)&&y(this,oe).crit.includes("b64")&&y(this,oe).b64===false)throw new xe("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};oe=new WeakMap,M=new WeakMap;var Rn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),ze=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return Rn(r)},N=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,s={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(s.nonce=n),o&&(s.ath=o),await new fe(s).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var W=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function de(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,s=Math.floor(Date.now()/1e3),c=s+Math.max(60,Math.min(i,3600)),u={child_jkt:n,client_id:o,aud:"issuer",iat:s,exp:c,jti:crypto.randomUUID()};return a&&(u.sid=a),await new fe(u).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Ie(e){let t=e.status,r=Array.from(e.headers.keys()).some(s=>s.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let s=await e.clone().json();n=typeof s?.error=="string"?s.error:void 0,o=typeof s?.detail=="string"?s.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function pe(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},bt=createContext(void 0);function ur(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function En(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var St=({children:e,clientId:t})=>{let[r,n]=useState(Re),o=useRef(false),[a,i]=useState(false),s=useMemo(()=>Ae(t),[t]);useEffect(()=>{let d=true;return (async()=>{let I=await C(s)??await C($e)??ur(s);d&&(n({...Re,...I}),o.current=true,i(true));})(),()=>{d=false;}},[s]),useEffect(()=>{o.current&&(async()=>(await g(s,r),En(s,r)))();},[r,s]);let c=useCallback(d=>n(w=>({...w,refreshId:d})),[]),u=useCallback(d=>n(w=>({...w,lastPolicyHash:d})),[]),l=useCallback(d=>n(w=>({...w,lastPolicyProof:d})),[]),f=useCallback(d=>n(w=>({...w,lastHost:d})),[]),p=useCallback(d=>n(w=>({...w,rootJkt:d})),[]),h=async()=>{try{let d=localStorage.getItem(s);if(d){let w=JSON.parse(d);if(typeof w?.refreshId=="string"&&w.refreshId)return w.refreshId}}catch{}try{let d=await C(s);if(typeof d?.refreshId=="string"&&d.refreshId)return d.refreshId}catch{}return null},m=useCallback(d=>n(w=>({...w,boundWallet:d})),[]),R=useCallback(d=>n(w=>({...w,clientId:d})),[]),k=useCallback(d=>n(w=>({...w,jkt:d})),[]),P=useCallback(()=>n(Re),[]),b=useCallback(async()=>{let w=await C(s)??ur(s);n({...Re,...w});},[]),S=useMemo(()=>({meta:r,setBoundWallet:m,setClientId:R,setJkt:k,resetMeta:P,reload:b,setRefreshId:c,getRefreshId:h,ready:a,setLastPolicyHash:u,setLastPolicyProof:l,setLastHost:f,setRootJkt:p}),[r,m,R,k,P,b,a,c,h,u,l,f,p]);return jsx(bt.Provider,{value:S,children:e})};function Rt(){let e=useContext(bt);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var fr=`${x}:wrap`;async function Ye(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${x}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return  false}}async function Kn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!0,["sign","verify"]),t=`${x}:probe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return  false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function dr(){let e=await C(fr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(fr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function gt(e){let t=await dr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function An(e,t){let r=await dr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var kt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let c=await C(x);if(!c)return  false;if(c.fmt==="cryptokey"){let l=c;if(!l.privKey)return await g(x,void 0),false;let f=l.privKey;try{if(f.extractable&&await Ye()){let h=await crypto.subtle.exportKey("jwk",f),m=await crypto.subtle.importKey("jwk",h,{name:"ECDSA",namedCurve:E},!1,["sign"]),R={fmt:"cryptokey",privKey:m,pubJwk:ke(l.pubJwk)};await g(x,R),f=m;}}catch{}return e.current=f,t.current=ke(l.pubJwk),true}if(c.fmt==="encjwk"){let l=c;try{let f=await An(l.encPrivJwk,l.iv),p=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=p,t.current=ke(l.pubJwk),!0}catch{return await g(x,void 0),false}}let u=c;if(u&&u.d){let{d:l,...f}=u,p=ke(f),h=await Ye(),m=h||await Kn();if(m&&h){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:p}),e.current=b,t.current=p,true}if(m){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},true,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:p}),e.current=b,t.current=p,true}let{encPrivJwk:R,iv:k}=await gt(u);await g(x,{fmt:"encjwk",encPrivJwk:R,iv:k,pubJwk:p});let P=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return e.current=P,t.current=p,true}return await g(x,void 0),false},[]),n=useCallback(async(c,u)=>{await g(x,{fmt:"cryptokey",privKey:c,pubJwk:u});},[]),o=useCallback(async(c,u)=>{let{encPrivJwk:l,iv:f}=await gt(c);await g(x,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:u});},[]),a=useCallback(async()=>{if(e.current&&t.current||await r())return;let c=await Ye(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let p=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await n(p,l),e.current=p,t.current=l;}else {await o(f,l);let p=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=p,t.current=l;}},[r,n,o]),i=useCallback(async()=>{let c=await Ye(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let p=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(x,{fmt:"cryptokey",privKey:p,pubJwk:l}),e.current=p,t.current=l;}else {let{encPrivJwk:p,iv:h}=await gt(f);await g(x,{fmt:"encjwk",encPrivJwk:p,iv:h,pubJwk:l});let m=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=m,t.current=l;}},[]),s=useCallback(async()=>{await g(x,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:s,privRef:e,pubJwkRef:t}};var z="sunbreak_root_key_v1",yr=`${z}:wrap`;async function mr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${z}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return  false}}function Xe(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function wr(){let e=await C(yr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(yr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function xn(e){let t=await wr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Cn(e,t){let r=await wr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Pt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let a=await C(z);if(!a)return  false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await g(z,void 0),false;let s=i.privKey;try{if(s.extractable&&await mr()){let u=await crypto.subtle.exportKey("jwk",s),l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},!1,["sign"]),f={fmt:"cryptokey",privKey:l,pubJwk:Xe(i.pubJwk),createdAt:i.createdAt};await g(z,f),s=l;}}catch{}return e.current=s,t.current=Xe(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let s=await Cn(i.encPrivJwk,i.iv),c=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=c,t.current=Xe(i.pubJwk),!0}catch{return await g(z,void 0),false}}return await g(z,void 0),false},[]),n=useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await mr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),s=Xe(await crypto.subtle.exportKey("jwk",i.publicKey)),c=Date.now(),u=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(z,{fmt:"cryptokey",privKey:l,pubJwk:s,createdAt:c}),e.current=l,t.current=s;}else {let{encPrivJwk:l,iv:f}=await xn(u);await g(z,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:s,createdAt:c});let h=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=h,t.current=s;}},[r]),o=useCallback(async()=>{await g(z,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var Tn=()=>crypto.randomUUID(),hr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:s,refreshDeps:c=[]}=e,u=st(n),l=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:f,setBoundWallet:p,setJkt:h,setRefreshId:m,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,ready:d}=Rt(),{ensureRootKeypair:w,rootPrivRef:I,rootPubJwkRef:L}=Pt(),We=useCallback(async()=>{await w();try{if(!f.rootJkt&&L.current){let ce=await W(L.current);S(ce);}}catch{}},[w,f.rootJkt,L]),{ensureKeypair:te,rotate:Ee,privRef:A,pubJwkRef:Le}=kt(),[He,xt]=useState(false),[J,V]=useState(0),[j,Z]=useState(null),[ie,re]=useState(null),[et,tt]=useState(null),[rt,Ar]=useState(null),[xr,Cr]=useState(null),[Tr,Jr]=useState(null),Ir=useRef(null),_r=useRef(null),Dr=useRef(null),Wr=useRef(null),Lr=useRef(null),Hr=useRef(null),Mr=useRef(null),jr=useRef(false),Or=useRef(false),Ur=useRef(void 0),Me=useRef(false),nt=useRef(false),Ct=useRef(null),se=useRef(null);se.current||(se.current=new Promise(ce=>{Ct.current=ce;}));let ot=useRef(null),$r=useRef(i),Nr=useRef(null),je=useRef(null),Tt=useRef(null),Oe=useRef(null),Jt=()=>Date.now(),Br=()=>(Oe.current??0)>0&&Oe.current<Jt(),at=useCallback((ce,Yr=15e3)=>{let It=Tn();return je.current=It,Tt.current=ce,Oe.current=Jt()+Math.max(1e3,Yr),It},[]),Vr=useCallback(()=>((!je.current||Br())&&at("adhoc",1e4),je.current),[at]),it=useRef(null),Ue=useRef(null);Ue.current||(Ue.current=new Promise(ce=>{it.current=ce;}));let Fr=useCallback(async()=>{!Me.current&&Ue.current&&await Ue.current;},[]),Gr=useCallback(()=>{Me.current||(Me.current=true,it.current?.(),it.current=null);},[]),qr=useCallback(async()=>{!nt.current&&se.current&&await se.current;},[]),zr=useCallback(async()=>{!nt.current&&se.current&&await se.current,ot.current&&await ot.current;},[]);return {clientId:t,wallet:r,baseUrl:u,fetchImpl:l,timeoutMs:a,providerAdapter:s,refreshDeps:c,ensureKeypair:te,rotate:Ee,ensureRootKeypair:We,rootPrivRef:I,rootPubJwkRef:L,privRef:A,pubJwkRef:Le,meta:f,setBoundWallet:p,setJkt:h,setRefreshId:m,accessTokenRef:Dr,tokenExpRef:Wr,authenticated:He,setAuthenticated:xt,loadingCount:J,setLoadingCount:V,error:j,setError:Z,allowed:ie,setAllowed:re,denyReason:et,setDenyReason:tt,sessionExpiry:rt,setSessionExpiry:Ar,sessionData:xr,setSessionData:Cr,verifyData:Tr,setVerifyData:Jr,authWalletRef:_r,refreshLock:Lr,registerLock:Hr,sessionLock:Mr,didInitialRefresh:jr,didInitialSession:Or,prevWalletRef:Ur,initResolvedRef:nt,initReady:se,initResolveRef:Ct,rotateLock:ot,waitReady:qr,awaitKeyStable:zr,proofRef:$r,registerCooldownUntilRef:Ir,reqIdRef:je,flowLabelRef:Tt,flowExpireRef:Oe,beginFlow:at,currentReqId:Vr,awaitProbe:Fr,markProbed:Gr,hasProbedRef:Me,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,metaReady:d,probeLock:Nr}};var B=e=>e.accessTokenRef.current??null,Y=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},T=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Jn=(e,t)=>`${e.toUpperCase()} ${t}`;async function _e(e,t,r){if(!t)return  false;let n=_e._nonceCacheRef||(_e._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let d=await W(e.rootPubJwkRef.current);e.setRootJkt?.(d);}catch{}let b=await W(T(e)),S=await e.getRefreshId();o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:b,clientId:e.clientId,sid:S||void 0,ttlSec:300});}}catch{}let a=e.currentReqId(),i="/auth/register",s=`${e.baseUrl}${i}`,c=new URL(e.baseUrl).origin,u="POST",l=`${c}${i}`,f=Jn(u,l),p=n.map.get(f),h=await N({method:u,url:l,nonce:p,privateKey:Y(e),publicJwk:T(e)}),m=async b=>e.fetchImpl(s,{method:u,headers:{"content-type":"application/json","x-sunbreak-meta":$(e,{reqId:a,pode:o||void 0}),...b},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),R=await m({DPoP:h}),k=b=>{let S=b.headers.get("dpop-nonce");S&&n.map.set(f,S);};if(R.status===401){let b=R.headers.get("www-authenticate"),d=(b&&b.match(/dpop-nonce="([^"]+)"/i))?.[1];if(d){n.map.set(f,d);let w=await N({method:u,url:l,nonce:d,privateKey:Y(e),publicJwk:T(e)});R=await m({DPoP:w});}}if(k(R),!R.ok){let b=await Ie(R);if((R.headers.get("content-type")||"").includes("application/json")){let d;try{d=await R.clone().json();}catch{}let w=Je(d&&(d.error||d.message||d.detail)||`HTTP ${R.status}`);throw pe(w,b)}else {let d=b.waf?"Blocked by WAF (403)":b.alb403?"Blocked at origin (ALB 403)":`HTTP ${R.status}`;throw pe(d,b)}}let P=await R.json();e.accessTokenRef.current=P.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let b=Math.floor(Date.now()/1e3);e.tokenExpRef.current=b+(P.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await W(T(e)));}catch{}try{let b={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:P.refreshId??null};e.setRefreshId(P.refreshId??null);let S=Ae(e.clientId);await g(S,b);try{localStorage.setItem(S,JSON.stringify(b));}catch{}}catch{}return !0}catch(o){let a=Number(o?.status||0),i=String(o?.code||""),s=String(o?.message||""),c=Math.floor(Math.random()*1e3);if((a===401||a===403)&&i.toLowerCase()==="replay"){if(e.providerAdapter)try{let u=await e.providerAdapter.getToken()??null;if(u)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Pe(e.providerAdapter,u),e.registerCooldownUntilRef.current=Date.now()+5e3+c,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+c,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+c,false}if(a===403&&(o?.waf||o?.alb403))return e.setError(s||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+c,false;if(a===403)return e.setError(i||s||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+c,false;if(a===429||a===503){e.setError(i||s||"Rate limited / unavailable");let u=a===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+u+c,false}return e.setError(i||s||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}}var In=(e,t)=>`${e.toUpperCase()} ${t}`;function Ze(e){if(e.refreshLock.current)return e.refreshLock.current;if(e.registerLock.current){let t=e.registerLock.current.then(()=>{if(e.authenticated&&B(e))return  true;if(B(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return  true}return  false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.refreshLock.current=(async()=>{try{if(await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let t=B(e);if(t){let S=e.tokenExpRef.current,d=Math.floor(Date.now()/1e3);if(!!t&&!!S&&S-d>5)return !0}e.beginFlow("refresh",15e3);let r=e.currentReqId();await e.ensureKeypair();let n;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let w=await W(e.rootPubJwkRef.current);e.setRootJkt?.(w);}catch{}let S=await W(T(e)),d=await e.getRefreshId();n=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:S,clientId:e.clientId,sid:d||void 0,ttlSec:300});}}catch{}let o="/auth/refresh",a=`${e.baseUrl}${o}`,i=new URL(e.baseUrl).origin,s="POST",c=`${i}${o}`,u=In(s,c),l=Ze._nonceCacheRef||(Ze._nonceCacheRef={map:new Map}),f=async S=>await N({method:s,url:c,nonce:S,privateKey:Y(e),publicJwk:T(e)}),p=await e.getRefreshId(),h={"x-sunbreak-meta":$(e,{reqId:r,refreshId:p||void 0,pode:n||void 0}),"content-type":"application/json"},m=async S=>e.fetchImpl(a,{method:s,headers:{DPoP:S,...h},credentials:"include",body:"{}"}),R=S=>{let d=S.headers.get("dpop-nonce");d&&l.map.set(u,d);},k=await m(await f(l.map.get(u)));if(k.status===401){let S=k.headers.get("www-authenticate"),w=(S&&S.match(/dpop-nonce="([^"]+)"/i))?.[1];w&&(l.map.set(u,w),k=await m(await f(w)));}if(R(k),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let d=await k.clone().json().catch(()=>{}),w=d&&(d.error||d.code||d.message)||"",I=String(w).toLowerCase();if(I.includes("missing")&&I.includes("refresh")){try{e.setRefreshId?.(null);}catch{}try{e.setBoundWallet?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}}}catch{}return !1}let P=await k.json();e.accessTokenRef.current=P.access,e.setAuthenticated(!0);let b=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=b?b.toLowerCase():null;try{let S=Math.floor(Date.now()/1e3);e.tokenExpRef.current=S+(P.expiresIn??0);}catch{}try{e.setJkt(await W(T(e)));}catch{}return P.refreshId&&e.setRefreshId(P.refreshId),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var _n=(e,t)=>`${e.toUpperCase()} ${t}`,vt=new Map,De;try{let e=globalThis;De=e.__sunbreak_page_probe_guard??(e.__sunbreak_page_probe_guard=new Set);}catch{De=new Set;}var Dn=e=>{try{let t=new URL(e.baseUrl).origin;return `${e.clientId}::${t}`}catch{return `${e.clientId}::${e.baseUrl}`}};async function br(e){let t=Dn(e);if(e.probeLock.current){await e.probeLock.current,e.markProbed();return}if(e.hasProbedRef.current){e.markProbed();return}if(De.has(t)){e.markProbed();return}De.add(t);let r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let o;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let m=await W(T(e));o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:m,clientId:e.clientId,ttlSec:300});}catch{}let a="POST",i="/auth/probe",s=`${e.baseUrl}${i}`,c=`${n}${i}`,u=_n(a,c),l=async m=>N({method:a,url:c,nonce:m,privateKey:Y(e),publicJwk:T(e)}),f=async m=>e.fetchImpl(s,{method:a,headers:{DPoP:m,"x-sunbreak-meta":$(e,{pode:o}),"content-type":"application/json"},credentials:"include",body:"{}"}),p=m=>{let R=m.headers.get("dpop-nonce");R&&vt.set(u,R);},h=await f(await l(vt.get(u)));if(p(h),h.status===401){let m=h.headers.get("www-authenticate"),k=(m&&m.match(/dpop-nonce="([^"]+)"/i))?.[1];k&&(vt.set(u,k),h=await f(await l(k)),p(h));}}catch{try{De.delete(t);}catch{}}finally{e.markProbed();}})();e.probeLock.current=r;try{await r;}finally{e.probeLock.current=null;}}var Sr=e=>{let t=useCallback(()=>Ze(e),[e]),r=useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a||!e.wallet||!e.initResolvedRef.current||e.refreshLock.current||e.registerLock.current)return;let i=e.wallet,s=e.meta.boundWallet;if(i&&s&&i.toLowerCase()===s.toLowerCase()&&!e.didInitialRefresh.current)return;let u=e.proofRef.current;!u||!(!B(e)||e.meta.boundWallet!==e.wallet)||(await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await _e(e,e.wallet,u)&&(e.didInitialSession.current=!0);}catch(p){e.setError(p?.message||String(p)||"Register failed");}finally{e.registerLock.current=null;}})());},[e]),n=useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Pe(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a)=>_e(e,o,a),attemptRegister:r,setProofFromAdapterToken:n}};var Wn=(e,t)=>`${e.toUpperCase()} ${t}`,Ln=(e,t)=>!!e&&!!t&&e.toLowerCase()===t.toLowerCase();async function Qe(e,t,r,n,o,a={}){e.setLoadingCount(u=>u+1),e.setError(null);let i=n.startsWith("/api/session"),s=new AbortController,c=setTimeout(()=>s.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?ut(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,p=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,h=Wn(r,p),m=n.startsWith("/auth/"),R=!1,k=!1,P=e.currentReqId(),b=Qe._nonceCacheRef||(Qe._nonceCacheRef={map:new Map}),S=J=>{let V=J.headers.get("dpop-nonce");V&&b.map.set(h,V);},d=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),w=()=>m||!e.wallet?!1:!!(e.authenticated||Ln(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),I,L,We=async()=>{if(m||d)return;try{let ie=B(e),re=e.tokenExpRef.current,et=Math.floor(Date.now()/1e3),tt=!!re&&re-et<=60;if(ie){if(tt&&!await t().catch(()=>!1))return}else if(!w()||!await t().catch(()=>!1))return}catch{}let J=B(e);if(!J)return;let V=await ze(J),j=b.map.get(h),Z=await N({method:r,url:p,nonce:j,ath:V,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=Z;};await We();let te={"content-type":"application/json","x-sunbreak-auth":I||"","x-sunbreak-meta":$(e,{reqId:P,auth:I,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...lt(a.headers)};L&&(te.DPoP=L);let Ee=async()=>e.fetchImpl(l,{...a,method:r,headers:te,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:s.signal}),A=await Ee(),Le=A.headers.get("x-sunbreak-policy-hash"),He=A.headers.get("x-sunbreak-policy-proof");if(Le&&e.setLastPolicyHash(Le),He&&e.setLastPolicyProof(He),S(A),A.status===401&&!m){let J=B(e),V=A.headers.get("www-authenticate"),Z=(V&&V.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!d&&Z&&J&&!k){k=!0,b.map.set(h,Z);let ie=await ze(J),re=await N({method:r,url:p,nonce:Z,ath:ie,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=re,te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),te.DPoP=L,A=await Ee(),S(A);}if(A.status===401&&!R&&(R=!0,!d&&w())){let ie=await t(),re=B(e);ie&&re&&!d&&(await We(),te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),L&&(te.DPoP=L),A=await Ee(),S(A));}if(A.status===401)throw new Error("Unauthorized")}if(!A.ok){let J=await Ie(A);if((A.headers.get("content-type")||"").includes("application/json")){let j=await A.json().catch(()=>{}),Z=Je(j&&(j.error||j.message||j.detail)||`HTTP ${A.status}`);throw pe(Z,J)}else {let j=J.waf?"Blocked by WAF (403)":J.alb403?"Blocked at origin (ALB 403)":`HTTP ${A.status}`;throw pe(j,J)}}return (A.headers.get("content-type")||"").includes("application/json")?await A.json():void 0}finally{clearTimeout(c),e.setLoadingCount(u=>Math.max(0,u-1));}}var Rr=(e,t)=>useCallback(async(r,n,o,a={})=>Qe(e,t,r,n,o,a),[e,t]);async function gr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function kr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var Pr=(e,t)=>{let r=useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await gr(e,t)}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=useCallback(async()=>{if(e.wallet)return await kr(e,t)},[e,t]);return {session:r,verify:n}};var vr=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;useEffect(()=>{return (async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.ensureRootKeypair(),await br(e);}catch{}})(),()=>{}},[]);let s=()=>(e.registerCooldownUntilRef.current??0)>Date.now();useEffect(()=>{let c=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==c&&(e.didInitialRefresh.current=false),!e.wallet){e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}c&&e.wallet&&c!==e.wallet&&(e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}));},[e.wallet]),useEffect(()=>{if(!e.providerAdapter||s()||!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let l=false;return (async()=>{try{let f=await e.providerAdapter.getToken()??null;if(await e.awaitKeyStable(),l||!f)return;await a(f),await o();}catch{}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef,e.didInitialRefresh,...e.refreshDeps]),useEffect(()=>{if(typeof i<"u"&&(e.proofRef.current=i??null),!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let f=!!c,p=!!e.proofRef.current,h=!!c&&!!e.authWalletRef.current&&c.toLowerCase()!==e.authWalletRef.current.toLowerCase();f&&p&&!e.authenticated&&!h&&e.initResolvedRef.current&&!s()&&o();},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef,e.didInitialRefresh,o]),useEffect(()=>{let c=e.wallet,u=e.meta.boundWallet,l=!!(u||e.meta.refreshId);if(!e.metaReady||e.didInitialRefresh.current)return;let f=true;return (async()=>{try{if(await e.waitReady(),e.accessTokenRef.current||e.authenticated){e.didInitialRefresh.current=!0,c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}let p=!!c&&!l,h=!c&&!l;if(l&&!c){e.didInitialRefresh.current=!0;return}if(p||h){e.didInitialRefresh.current=!0;return}if(c&&u&&c.toLowerCase()!==u.toLowerCase()){e.didInitialRefresh.current=!0;return}e.didInitialRefresh.current=!0;let m=await r();if(!f)return;e.setAuthenticated(m),m&&c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(p){if(!f)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(p?.message||String(p)||"Unknown error");}})(),()=>{f=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,e.didInitialRefresh,r,n]),useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{await n();}catch(c){e.setError(c?.message||String(c));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),useEffect(()=>{let u=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return  false;let p=e.tokenExpRef.current;if(!p)return  false;let h=Math.floor(Date.now()/1e3);return p-h<=30},l=async()=>{try{u()&&await r();}catch{}},f=async()=>{document.visibilityState==="visible"&&await l();};return window.addEventListener("focus",l),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",l),document.removeEventListener("visibilitychange",f);}},[e,r]),useEffect(()=>{let l=()=>{let h=Math.floor(Date.now()/1e3),m=e.tokenExpRef.current,R=e.sessionExpiry,k=!!m&&m-h<=30&&m-h>0,P=!!R&&R-h<=3600&&R-h>0;return {tokenSoon:k,sessionSoon:P}},f=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:h,sessionSoon:m}=l();(h||m)&&await r()&&m&&await n();}catch{}},p=async()=>{document.visibilityState==="visible"&&await f();};return window.addEventListener("focus",f),document.addEventListener("visibilitychange",p),()=>{window.removeEventListener("focus",f),document.removeEventListener("visibilitychange",p);}},[e,e.sessionExpiry,r,n]);};var Kr=createContext(void 0),Un=e=>{let t=hr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=Sr(t),a=Rr(t,r),{session:i,verify:s}=Pr(t,a);vr(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let c=useMemo(()=>({get:(u,l)=>a("GET",u,void 0,l),post:(u,l,f)=>a("POST",u,l,f),verify:s,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,s,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsx(Kr.Provider,{value:c,children:e.children})},$n=e=>jsx(St,{clientId:e.clientId,children:jsx(Un,{...e})}),Nn=()=>{let e=useContext(Kr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
-export { On as SunbreakProvider, Un as useSunbreak };
+export { $n as SunbreakProvider, Nn as useSunbreak };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@tdfc/sunbreak-react",
-  "version": "0.1.6",
+  "version": "0.1.7",
   "description": "SDK for connecting to the Sunbreak API",
   "license": "UNLICENSED",
   "repository": "github:thedigitalfinancecompany/sunbreak-react",