npm - @tdfc/sunbreak-react - Versions diffs - 0.1.6 → 0.1.8 - Mend

@tdfc/sunbreak-react 0.1.6 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.cjs CHANGED Viewed

@@ -3,7 +3,23 @@
 var react = require('react');
 var jsxRuntime = require('react/jsx-runtime');
-var Yr=Object.defineProperty;var It=e=>{throw TypeError(e)};var Xr=(e,t,r)=>t in e?Yr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var H=(e,t,r)=>Xr(e,typeof t!="symbol"?t+"":t,r),Dt=(e,t,r)=>t.has(e)||It("Cannot "+r);var y=(e,t,r)=>(Dt(e,t,"read from private field"),r?r.call(e):t.get(e)),O=(e,t,r)=>t.has(e)?It("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),U=(e,t,r,n)=>(Dt(e,t,"write to private field"),t.set(e,r),r);var Pe=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Zr="sunbreak-kv",ve="kv",Ue="sunbreak_dpop_meta_v1",x="sunbreak_dpop_key_v1",Ke="ES256",E="P-256",Ae=e=>`${Ue}:${e}`,Wt=()=>new Promise((e,t)=>{let r=indexedDB.open(Zr,1);r.onupgradeneeded=()=>r.result.createObjectStore(ve),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),C=async e=>{try{let t=await Wt();return await new Promise((r,n)=>{let a=t.transaction(ve,"readonly").objectStore(ve).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},g=async(e,t)=>{let r=await Wt();await new Promise((n,o)=>{let i=r.transaction(ve,"readwrite").objectStore(ve).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var Qr=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},en=e=>e.replace(/\/+$/,""),it=e=>{let t=en(e);return Qr(t)};function ct(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=tn(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var tn=e=>{for(let t=0;t<st.length;t++){let r=st[Math.floor(Math.random()*st.length)].toLowerCase();if(r!==e)return r}return "alpha"},st=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var $=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var rn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),nn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),on=new Set(["dpop","x-sunbreak-meta"]),an=64,_t=2048,sn=64;function ut(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=sn)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>an||rn.has(i)||nn.has(i)||on.has(i))continue;let s=String(a);s.length>_t&&(s=s.slice(0,_t)),t[i]=s,n++;}return t}var Q=new TextEncoder,me=new TextDecoder;function Lt(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Ht(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Mt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function jt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Mt(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function $e(e){let t=e;return typeof t=="string"&&(t=Q.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Ht(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ue=class extends Error{constructor(r,n){super(r,n);H(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};H(ue,"code","ERR_JOSE_GENERIC");var D=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JOSE_NOT_SUPPORTED");}};H(D,"code","ERR_JOSE_NOT_SUPPORTED");var ee=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWS_INVALID");}};H(ee,"code","ERR_JWS_INVALID");var xe=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWT_INVALID");}};H(xe,"code","ERR_JWT_INVALID");var Ot,Ut,lt=class extends(Ut=ue,Ot=Symbol.asyncIterator,Ut){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);H(this,Ot);H(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};H(lt,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function F(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function ft(e){return parseInt(e.name.slice(4),10)}function ln(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function fn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function $t(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw F("HMAC");let n=parseInt(t.slice(2),10);if(ft(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw F("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(ft(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw F("RSA-PSS");let n=parseInt(t.slice(2),10);if(ft(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw F("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw F(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw F("ECDSA");let n=ln(t);if(e.algorithm.namedCurve!==n)throw F(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}fn(e,r);}function Nt(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Bt=(e,...t)=>Nt("Key must be ",e,...t);function dt(e,t,...r){return Nt(`Key for the ${e} algorithm must be `,t,...r)}function pt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function yt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var mt=e=>pt(e)||yt(e);var Vt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return  true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return  false;r.add(a);}}return  true};function dn(e){return typeof e=="object"&&e!==null}var Ne=e=>{if(!dn(e)||Object.prototype.toString.call(e)!=="[object Object]")return  false;if(Object.getPrototypeOf(e)===null)return  true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Ft=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function pn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new D('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var Gt=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=pn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var qt=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new D(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Ce(e){return Ne(e)&&typeof e.kty=="string"}function zt(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function Yt(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function Xt(e){return e.kty==="oct"&&typeof e.k=="string"}var he,Zt=async(e,t,r,n=false)=>{he||(he=new WeakMap);let o=he.get(e);if(o?.[r])return o[r];let a=await Gt({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:he.set(e,{[r]:a}),a},mn=(e,t)=>{he||(he=new WeakMap);let r=he.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&s==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES384"&&s==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES512"&&s==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:s},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:he.set(e,{[t]:a}),a},Qt=async(e,t)=>{if(e instanceof Uint8Array||pt(e))return e;if(yt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return mn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Zt(e,r,t)}if(Ce(e))return e.k?jt(e.k):Zt(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],wt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return  true},wn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Ce(t)){if(Xt(t)&&wt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!mt(t))throw new TypeError(dt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},hn=(e,t,r)=>{if(Ce(t))switch(r){case "decrypt":case "sign":if(zt(t)&&wt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(Yt(t)&&wt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!mt(t))throw new TypeError(dt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},er=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?wn(e,t,r):hn(e,t,r);};var tr=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new D(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var rr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Bt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return $t(t,e,r),t};var ne=e=>Math.floor(e.getTime()/1e3);var bn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Be=e=>{let t=bn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function le(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var v,Ve=class{constructor(t){O(this,v);if(!Ne(t))throw new TypeError("JWT Claims Set MUST be an object");U(this,v,structuredClone(t));}data(){return Q.encode(JSON.stringify(y(this,v)))}get iss(){return y(this,v).iss}set iss(t){y(this,v).iss=t;}get sub(){return y(this,v).sub}set sub(t){y(this,v).sub=t;}get aud(){return y(this,v).aud}set aud(t){y(this,v).aud=t;}set jti(t){y(this,v).jti=t;}set nbf(t){typeof t=="number"?y(this,v).nbf=le("setNotBefore",t):t instanceof Date?y(this,v).nbf=le("setNotBefore",ne(t)):y(this,v).nbf=ne(new Date)+Be(t);}set exp(t){typeof t=="number"?y(this,v).exp=le("setExpirationTime",t):t instanceof Date?y(this,v).exp=le("setExpirationTime",ne(t)):y(this,v).exp=ne(new Date)+Be(t);}set iat(t){typeof t>"u"?y(this,v).iat=ne(new Date):t instanceof Date?y(this,v).iat=le("setIssuedAt",ne(t)):typeof t=="string"?y(this,v).iat=le("setIssuedAt",ne(new Date)+Be(t)):y(this,v).iat=le("setIssuedAt",t);}};v=new WeakMap;var nr=async(e,t,r)=>{let n=await rr(e,t,"sign");Ft(e,n);let o=await crypto.subtle.sign(tr(e,n.algorithm),n,r);return new Uint8Array(o)};var Te,W,G,Fe=class{constructor(t){O(this,Te);O(this,W);O(this,G);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");U(this,Te,t);}setProtectedHeader(t){if(y(this,W))throw new TypeError("setProtectedHeader can only be called once");return U(this,W,t),this}setUnprotectedHeader(t){if(y(this,G))throw new TypeError("setUnprotectedHeader can only be called once");return U(this,G,t),this}async sign(t,r){if(!y(this,W)&&!y(this,G))throw new ee("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Vt(y(this,W),y(this,G)))throw new ee("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...y(this,W),...y(this,G)},o=qt(ee,new Map([["b64",true]]),r?.crit,y(this,W),n),a=true;if(o.has("b64")&&(a=y(this,W).b64,typeof a!="boolean"))throw new ee('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new ee('JWS "alg" (Algorithm) Header Parameter missing or invalid');er(i,t,"sign");let s=y(this,Te);a&&(s=Q.encode($e(s)));let c;y(this,W)?c=Q.encode($e(JSON.stringify(y(this,W)))):c=Q.encode("");let u=Lt(c,Q.encode("."),s),l=await Qt(t,i),f=await nr(i,l,u),d={signature:$e(f),payload:""};return a&&(d.payload=me.decode(s)),y(this,G)&&(d.header=y(this,G)),y(this,W)&&(d.protected=me.decode(c)),d}};Te=new WeakMap,W=new WeakMap,G=new WeakMap;var Se,Ge=class{constructor(t){O(this,Se);U(this,Se,new Fe(t));}setProtectedHeader(t){return y(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await y(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var oe,M,fe=class{constructor(t={}){O(this,oe);O(this,M);U(this,M,new Ve(t));}setIssuer(t){return y(this,M).iss=t,this}setSubject(t){return y(this,M).sub=t,this}setAudience(t){return y(this,M).aud=t,this}setJti(t){return y(this,M).jti=t,this}setNotBefore(t){return y(this,M).nbf=t,this}setExpirationTime(t){return y(this,M).exp=t,this}setIssuedAt(t){return y(this,M).iat=t,this}setProtectedHeader(t){return U(this,oe,t),this}async sign(t,r){let n=new Ge(y(this,M).data());if(n.setProtectedHeader(y(this,oe)),Array.isArray(y(this,oe)?.crit)&&y(this,oe).crit.includes("b64")&&y(this,oe).b64===false)throw new xe("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};oe=new WeakMap,M=new WeakMap;var Sn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),qe=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return Sn(r)},N=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,s={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(s.nonce=n),o&&(s.ath=o),await new fe(s).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var _=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function de(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,s=Math.floor(Date.now()/1e3),c=s+Math.max(60,Math.min(i,3600)),u={child_jkt:n,client_id:o,aud:"issuer",iat:s,exp:c,jti:crypto.randomUUID()};return a&&(u.sid=a),await new fe(u).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Ie(e){let t=e.status,r=Array.from(e.headers.keys()).some(s=>s.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let s=await e.clone().json();n=typeof s?.error=="string"?s.error:void 0,o=typeof s?.detail=="string"?s.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function pe(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},ht=react.createContext(void 0);function cr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function kn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var bt=({children:e,clientId:t})=>{let[r,n]=react.useState(Re),o=react.useRef(false),[a,i]=react.useState(false),s=react.useMemo(()=>Ae(t),[t]);react.useEffect(()=>{let p=true;return (async()=>{let I=await C(s)??await C(Ue)??cr(s);p&&(n({...Re,...I}),o.current=true,i(true));})(),()=>{p=false;}},[s]),react.useEffect(()=>{o.current&&(async()=>(await g(s,r),kn(s,r)))();},[r,s]);let c=react.useCallback(p=>n(w=>({...w,refreshId:p})),[]),u=react.useCallback(p=>n(w=>({...w,lastPolicyHash:p})),[]),l=react.useCallback(p=>n(w=>({...w,lastPolicyProof:p})),[]),f=react.useCallback(p=>n(w=>({...w,lastHost:p})),[]),d=react.useCallback(p=>n(w=>({...w,rootJkt:p})),[]),h=async()=>{try{let p=localStorage.getItem(s);if(p){let w=JSON.parse(p);if(typeof w?.refreshId=="string"&&w.refreshId)return w.refreshId}}catch{}try{let p=await C(s);if(typeof p?.refreshId=="string"&&p.refreshId)return p.refreshId}catch{}return null},m=react.useCallback(p=>n(w=>({...w,boundWallet:p})),[]),R=react.useCallback(p=>n(w=>({...w,clientId:p})),[]),k=react.useCallback(p=>n(w=>({...w,jkt:p})),[]),P=react.useCallback(()=>n(Re),[]),b=react.useCallback(async()=>{let w=await C(s)??cr(s);n({...Re,...w});},[]),S=react.useMemo(()=>({meta:r,setBoundWallet:m,setClientId:R,setJkt:k,resetMeta:P,reload:b,setRefreshId:c,getRefreshId:h,ready:a,setLastPolicyHash:u,setLastPolicyProof:l,setLastHost:f,setRootJkt:d}),[r,m,R,k,P,b,a,c,h,u,l,f,d]);return jsxRuntime.jsx(ht.Provider,{value:S,children:e})};function St(){let e=react.useContext(ht);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var lr=`${x}:wrap`;async function ze(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${x}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return  false}}async function vn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!0,["sign","verify"]),t=`${x}:probe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return  false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function fr(){let e=await C(lr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(lr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Rt(e){let t=await fr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Kn(e,t){let r=await fr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var gt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let c=await C(x);if(!c)return  false;if(c.fmt==="cryptokey"){let l=c;if(!l.privKey)return await g(x,void 0),false;let f=l.privKey;try{if(f.extractable&&await ze()){let h=await crypto.subtle.exportKey("jwk",f),m=await crypto.subtle.importKey("jwk",h,{name:"ECDSA",namedCurve:E},!1,["sign"]),R={fmt:"cryptokey",privKey:m,pubJwk:ke(l.pubJwk)};await g(x,R),f=m;}}catch{}return e.current=f,t.current=ke(l.pubJwk),true}if(c.fmt==="encjwk"){let l=c;try{let f=await Kn(l.encPrivJwk,l.iv),d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=d,t.current=ke(l.pubJwk),!0}catch{return await g(x,void 0),false}}let u=c;if(u&&u.d){let{d:l,...f}=u,d=ke(f),h=await ze(),m=h||await vn();if(m&&h){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:d}),e.current=b,t.current=d,true}if(m){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},true,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:d}),e.current=b,t.current=d,true}let{encPrivJwk:R,iv:k}=await Rt(u);await g(x,{fmt:"encjwk",encPrivJwk:R,iv:k,pubJwk:d});let P=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return e.current=P,t.current=d,true}return await g(x,void 0),false},[]),n=react.useCallback(async(c,u)=>{await g(x,{fmt:"cryptokey",privKey:c,pubJwk:u});},[]),o=react.useCallback(async(c,u)=>{let{encPrivJwk:l,iv:f}=await Rt(c);await g(x,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:u});},[]),a=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let c=await ze(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await n(d,l),e.current=d,t.current=l;}else {await o(f,l);let d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=d,t.current=l;}},[r,n,o]),i=react.useCallback(async()=>{let c=await ze(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(x,{fmt:"cryptokey",privKey:d,pubJwk:l}),e.current=d,t.current=l;}else {let{encPrivJwk:d,iv:h}=await Rt(f);await g(x,{fmt:"encjwk",encPrivJwk:d,iv:h,pubJwk:l});let m=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=m,t.current=l;}},[]),s=react.useCallback(async()=>{await g(x,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:s,privRef:e,pubJwkRef:t}};var z="sunbreak_root_key_v1",pr=`${z}:wrap`;async function yr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${z}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return  false}}function Ye(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function mr(){let e=await C(pr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(pr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function An(e){let t=await mr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function xn(e,t){let r=await mr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Et=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let a=await C(z);if(!a)return  false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await g(z,void 0),false;let s=i.privKey;try{if(s.extractable&&await yr()){let u=await crypto.subtle.exportKey("jwk",s),l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},!1,["sign"]),f={fmt:"cryptokey",privKey:l,pubJwk:Ye(i.pubJwk),createdAt:i.createdAt};await g(z,f),s=l;}}catch{}return e.current=s,t.current=Ye(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let s=await xn(i.encPrivJwk,i.iv),c=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=c,t.current=Ye(i.pubJwk),!0}catch{return await g(z,void 0),false}}return await g(z,void 0),false},[]),n=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await yr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),s=Ye(await crypto.subtle.exportKey("jwk",i.publicKey)),c=Date.now(),u=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(z,{fmt:"cryptokey",privKey:l,pubJwk:s,createdAt:c}),e.current=l,t.current=s;}else {let{encPrivJwk:l,iv:f}=await An(u);await g(z,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:s,createdAt:c});let h=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=h,t.current=s;}},[r]),o=react.useCallback(async()=>{await g(z,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var Cn=()=>crypto.randomUUID(),wr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:s,refreshDeps:c=[]}=e,u=it(n),l=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:f,setBoundWallet:d,setJkt:h,setRefreshId:m,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,ready:p}=St(),{ensureRootKeypair:w,rootPrivRef:I,rootPubJwkRef:L}=Et(),We=react.useCallback(async()=>{await w();try{if(!f.rootJkt&&L.current){let ce=await _(L.current);S(ce);}}catch{}},[w,f.rootJkt,L]),{ensureKeypair:te,rotate:Ee,privRef:A,pubJwkRef:_e}=gt(),[Le,At]=react.useState(false),[J,V]=react.useState(0),[j,Z]=react.useState(null),[ie,re]=react.useState(null),[Qe,et]=react.useState(null),[tt,Kr]=react.useState(null),[Ar,xr]=react.useState(null),[Cr,Tr]=react.useState(null),Jr=react.useRef(null),Ir=react.useRef(null),Dr=react.useRef(null),Wr=react.useRef(null),_r=react.useRef(null),Lr=react.useRef(null),Hr=react.useRef(null),Mr=react.useRef(false),jr=react.useRef(false),Or=react.useRef(void 0),He=react.useRef(false),rt=react.useRef(false),xt=react.useRef(null),se=react.useRef(null);se.current||(se.current=new Promise(ce=>{xt.current=ce;}));let nt=react.useRef(null),Ur=react.useRef(i),$r=react.useRef(null),Me=react.useRef(null),Ct=react.useRef(null),je=react.useRef(null),Tt=()=>Date.now(),Nr=()=>(je.current??0)>0&&je.current<Tt(),ot=react.useCallback((ce,zr=15e3)=>{let Jt=Cn();return Me.current=Jt,Ct.current=ce,je.current=Tt()+Math.max(1e3,zr),Jt},[]),Br=react.useCallback(()=>((!Me.current||Nr())&&ot("adhoc",1e4),Me.current),[ot]),at=react.useRef(null),Oe=react.useRef(null);Oe.current||(Oe.current=new Promise(ce=>{at.current=ce;}));let Vr=react.useCallback(async()=>{!He.current&&Oe.current&&await Oe.current;},[]),Fr=react.useCallback(()=>{He.current||(He.current=true,at.current?.(),at.current=null);},[]),Gr=react.useCallback(async()=>{!rt.current&&se.current&&await se.current;},[]),qr=react.useCallback(async()=>{!rt.current&&se.current&&await se.current,nt.current&&await nt.current;},[]);return {clientId:t,wallet:r,baseUrl:u,fetchImpl:l,timeoutMs:a,providerAdapter:s,refreshDeps:c,ensureKeypair:te,rotate:Ee,ensureRootKeypair:We,rootPrivRef:I,rootPubJwkRef:L,privRef:A,pubJwkRef:_e,meta:f,setBoundWallet:d,setJkt:h,setRefreshId:m,accessTokenRef:Dr,tokenExpRef:Wr,authenticated:Le,setAuthenticated:At,loadingCount:J,setLoadingCount:V,error:j,setError:Z,allowed:ie,setAllowed:re,denyReason:Qe,setDenyReason:et,sessionExpiry:tt,setSessionExpiry:Kr,sessionData:Ar,setSessionData:xr,verifyData:Cr,setVerifyData:Tr,authWalletRef:Ir,refreshLock:_r,registerLock:Lr,sessionLock:Hr,didInitialRefresh:Mr,didInitialSession:jr,prevWalletRef:Or,initResolvedRef:rt,initReady:se,initResolveRef:xt,rotateLock:nt,waitReady:Gr,awaitKeyStable:qr,proofRef:Ur,registerCooldownUntilRef:Jr,reqIdRef:Me,flowLabelRef:Ct,flowExpireRef:je,beginFlow:ot,currentReqId:Br,awaitProbe:Vr,markProbed:Fr,hasProbedRef:He,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,metaReady:p,probeLock:$r}};var B=e=>e.accessTokenRef.current??null,Y=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},T=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Tn=(e,t)=>`${e.toUpperCase()} ${t}`;async function De(e,t,r){if(!t)return  false;let n=De._nonceCacheRef||(De._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let p=await _(e.rootPubJwkRef.current);e.setRootJkt?.(p);}catch{}let b=await _(T(e)),S=await e.getRefreshId();o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:b,clientId:e.clientId,sid:S||void 0,ttlSec:300});}}catch{}let a=e.currentReqId(),i="/auth/register",s=`${e.baseUrl}${i}`,c=new URL(e.baseUrl).origin,u="POST",l=`${c}${i}`,f=Tn(u,l),d=n.map.get(f),h=await N({method:u,url:l,nonce:d,privateKey:Y(e),publicJwk:T(e)}),m=async b=>e.fetchImpl(s,{method:u,headers:{"content-type":"application/json","x-sunbreak-meta":$(e,{reqId:a,pode:o||void 0}),...b},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),R=await m({DPoP:h}),k=b=>{let S=b.headers.get("dpop-nonce");S&&n.map.set(f,S);};if(R.status===401){let b=R.headers.get("www-authenticate"),p=(b&&b.match(/dpop-nonce="([^"]+)"/i))?.[1];if(p){n.map.set(f,p);let w=await N({method:u,url:l,nonce:p,privateKey:Y(e),publicJwk:T(e)});R=await m({DPoP:w});}}if(k(R),!R.ok){let b=await Ie(R);if((R.headers.get("content-type")||"").includes("application/json")){let p;try{p=await R.clone().json();}catch{}let w=Je(p&&(p.error||p.message||p.detail)||`HTTP ${R.status}`);throw pe(w,b)}else {let p=b.waf?"Blocked by WAF (403)":b.alb403?"Blocked at origin (ALB 403)":`HTTP ${R.status}`;throw pe(p,b)}}let P=await R.json();e.accessTokenRef.current=P.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let b=Math.floor(Date.now()/1e3);e.tokenExpRef.current=b+(P.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await _(T(e)));}catch{}try{let b={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:P.refreshId??null};e.setRefreshId(P.refreshId??null);let S=Ae(e.clientId);await g(S,b);try{localStorage.setItem(S,JSON.stringify(b));}catch{}}catch{}return !0}catch(o){let a=Number(o?.status||0),i=String(o?.code||""),s=String(o?.message||""),c=Math.floor(Math.random()*1e3);if((a===401||a===403)&&i.toLowerCase()==="replay"){if(e.providerAdapter)try{let u=await e.providerAdapter.getToken()??null;if(u)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Pe(e.providerAdapter,u),e.registerCooldownUntilRef.current=Date.now()+5e3+c,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+c,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+c,false}if(a===403&&(o?.waf||o?.alb403))return e.setError(s||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+c,false;if(a===403)return e.setError(i||s||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+c,false;if(a===429||a===503){e.setError(i||s||"Rate limited / unavailable");let u=a===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+u+c,false}return e.setError(i||s||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}}var Jn=(e,t)=>`${e.toUpperCase()} ${t}`;function Xe(e){if(e.refreshLock.current)return e.refreshLock.current;if(e.registerLock.current){let t=e.registerLock.current.then(()=>{if(e.authenticated&&B(e))return  true;if(B(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return  true}return  false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.refreshLock.current=(async()=>{try{if(await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let t=B(e);if(t){let S=e.tokenExpRef.current,p=Math.floor(Date.now()/1e3);if(!!t&&!!S&&S-p>5)return !0}e.beginFlow("refresh",15e3);let r=e.currentReqId();await e.ensureKeypair();let n;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let w=await _(e.rootPubJwkRef.current);e.setRootJkt?.(w);}catch{}let S=await _(T(e)),p=await e.getRefreshId();n=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:S,clientId:e.clientId,sid:p||void 0,ttlSec:300});}}catch{}let o="/auth/refresh",a=`${e.baseUrl}${o}`,i=new URL(e.baseUrl).origin,s="POST",c=`${i}${o}`,u=Jn(s,c),l=Xe._nonceCacheRef||(Xe._nonceCacheRef={map:new Map}),f=async S=>await N({method:s,url:c,nonce:S,privateKey:Y(e),publicJwk:T(e)}),d=await e.getRefreshId(),h={"x-sunbreak-meta":$(e,{reqId:r,refreshId:d||void 0,pode:n||void 0}),"content-type":"application/json"},m=async S=>e.fetchImpl(a,{method:s,headers:{DPoP:S,...h},credentials:"include",body:"{}"}),R=S=>{let p=S.headers.get("dpop-nonce");p&&l.map.set(u,p);},k=await m(await f(l.map.get(u)));if(k.status===401){let S=k.headers.get("www-authenticate"),w=(S&&S.match(/dpop-nonce="([^"]+)"/i))?.[1];w&&(l.map.set(u,w),k=await m(await f(w)));}if(R(k),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let p=await k.clone().json().catch(()=>{}),w=p&&(p.error||p.code||p.message)||"",I=String(w).toLowerCase();if(I.includes("missing")&&I.includes("refresh")){try{e.setRefreshId?.(null);}catch{}try{e.setBoundWallet?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}}}catch{}return !1}let P=await k.json();e.accessTokenRef.current=P.access,e.setAuthenticated(!0);let b=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=b?b.toLowerCase():null;try{let S=Math.floor(Date.now()/1e3);e.tokenExpRef.current=S+(P.expiresIn??0);}catch{}try{e.setJkt(await _(T(e)));}catch{}return P.refreshId&&e.setRefreshId(P.refreshId),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var In=(e,t)=>`${e.toUpperCase()} ${t}`,Pt=new Map;async function hr(e){if(e.probeLock?.current)return e.probeLock.current;if(e.hasProbedRef.current)return;let t=n=>{try{e.probeLock&&(e.probeLock.current=n);}catch{}},r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let o;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let m=await _(T(e));o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:m,clientId:e.clientId,ttlSec:300});}catch{}let a="POST",i="/auth/probe",s=`${e.baseUrl}${i}`,c=`${n}${i}`,u=In(a,c),l=async m=>e.fetchImpl(s,{method:a,headers:{DPoP:m,"x-sunbreak-meta":$(e,{pode:o}),"content-type":"application/json"},credentials:"include",body:"{}"}),f=async m=>await N({method:a,url:c,nonce:m,privateKey:Y(e),publicJwk:T(e)}),d=await l(await f(Pt.get(u))),h=m=>{let R=m.headers.get("dpop-nonce");R&&Pt.set(u,R);};if(h(d),d.status===401){let m=d.headers.get("www-authenticate"),k=(m&&m.match(/dpop-nonce="([^"]+)"/i))?.[1];k&&(Pt.set(u,k),d=await l(await f(k)),h(d));}e.markProbed();}catch{e.markProbed();}})();t(r);try{await r;}finally{t(null);}}var br=e=>{let t=react.useCallback(()=>Xe(e),[e]),r=react.useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a||!e.wallet||!e.initResolvedRef.current||e.refreshLock.current||e.registerLock.current)return;let i=e.wallet,s=e.meta.boundWallet;if(i&&s&&i.toLowerCase()===s.toLowerCase()&&!e.didInitialRefresh.current)return;let u=e.proofRef.current;!u||!(!B(e)||e.meta.boundWallet!==e.wallet)||(await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await De(e,e.wallet,u)&&(e.didInitialSession.current=!0);}catch(d){e.setError(d?.message||String(d)||"Register failed");}finally{e.registerLock.current=null;}})());},[e]),n=react.useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Pe(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a)=>De(e,o,a),attemptRegister:r,setProofFromAdapterToken:n}};var Dn=(e,t)=>`${e.toUpperCase()} ${t}`,Wn=(e,t)=>!!e&&!!t&&e.toLowerCase()===t.toLowerCase();async function Ze(e,t,r,n,o,a={}){e.setLoadingCount(u=>u+1),e.setError(null);let i=n.startsWith("/api/session"),s=new AbortController,c=setTimeout(()=>s.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?ct(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,d=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,h=Dn(r,d),m=n.startsWith("/auth/"),R=!1,k=!1,P=e.currentReqId(),b=Ze._nonceCacheRef||(Ze._nonceCacheRef={map:new Map}),S=J=>{let V=J.headers.get("dpop-nonce");V&&b.map.set(h,V);},p=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),w=()=>m||!e.wallet?!1:!!(e.authenticated||Wn(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),I,L,We=async()=>{if(m||p)return;try{let ie=B(e),re=e.tokenExpRef.current,Qe=Math.floor(Date.now()/1e3),et=!!re&&re-Qe<=60;if(ie){if(et&&!await t().catch(()=>!1))return}else if(!w()||!await t().catch(()=>!1))return}catch{}let J=B(e);if(!J)return;let V=await qe(J),j=b.map.get(h),Z=await N({method:r,url:d,nonce:j,ath:V,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=Z;};await We();let te={"content-type":"application/json","x-sunbreak-auth":I||"","x-sunbreak-meta":$(e,{reqId:P,auth:I,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...ut(a.headers)};L&&(te.DPoP=L);let Ee=async()=>e.fetchImpl(l,{...a,method:r,headers:te,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:s.signal}),A=await Ee(),_e=A.headers.get("x-sunbreak-policy-hash"),Le=A.headers.get("x-sunbreak-policy-proof");if(_e&&e.setLastPolicyHash(_e),Le&&e.setLastPolicyProof(Le),S(A),A.status===401&&!m){let J=B(e),V=A.headers.get("www-authenticate"),Z=(V&&V.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!p&&Z&&J&&!k){k=!0,b.map.set(h,Z);let ie=await qe(J),re=await N({method:r,url:d,nonce:Z,ath:ie,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=re,te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),te.DPoP=L,A=await Ee(),S(A);}if(A.status===401&&!R&&(R=!0,!p&&w())){let ie=await t(),re=B(e);ie&&re&&!p&&(await We(),te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),L&&(te.DPoP=L),A=await Ee(),S(A));}if(A.status===401)throw new Error("Unauthorized")}if(!A.ok){let J=await Ie(A);if((A.headers.get("content-type")||"").includes("application/json")){let j=await A.json().catch(()=>{}),Z=Je(j&&(j.error||j.message||j.detail)||`HTTP ${A.status}`);throw pe(Z,J)}else {let j=J.waf?"Blocked by WAF (403)":J.alb403?"Blocked at origin (ALB 403)":`HTTP ${A.status}`;throw pe(j,J)}}return (A.headers.get("content-type")||"").includes("application/json")?await A.json():void 0}finally{clearTimeout(c),e.setLoadingCount(u=>Math.max(0,u-1));}}var Sr=(e,t)=>react.useCallback(async(r,n,o,a={})=>Ze(e,t,r,n,o,a),[e,t]);async function Rr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function gr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var Er=(e,t)=>{let r=react.useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await Rr(e,t)}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=react.useCallback(async()=>{if(e.wallet)return await gr(e,t)},[e,t]);return {session:r,verify:n}};var Pr=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;react.useEffect(()=>{return (async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.ensureRootKeypair(),await hr(e);}catch{}})(),()=>{}},[]);let s=()=>(e.registerCooldownUntilRef.current??0)>Date.now();react.useEffect(()=>{let c=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==c&&(e.didInitialRefresh.current=false),!e.wallet){e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}c&&e.wallet&&c!==e.wallet&&(e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}));},[e.wallet]),react.useEffect(()=>{if(!e.providerAdapter||s()||!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let l=false;return (async()=>{try{let f=await e.providerAdapter.getToken()??null;if(await e.awaitKeyStable(),l||!f)return;await a(f),await o();}catch{}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef,e.didInitialRefresh,...e.refreshDeps]),react.useEffect(()=>{if(typeof i<"u"&&(e.proofRef.current=i??null),!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let f=!!c,d=!!e.proofRef.current,h=!!c&&!!e.authWalletRef.current&&c.toLowerCase()!==e.authWalletRef.current.toLowerCase();f&&d&&!e.authenticated&&!h&&e.initResolvedRef.current&&!s()&&o();},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef,e.didInitialRefresh,o]),react.useEffect(()=>{let c=e.wallet,u=e.meta.boundWallet,l=!!(u||e.meta.refreshId);if(!e.metaReady||e.didInitialRefresh.current)return;let f=true;return (async()=>{try{if(await e.waitReady(),e.accessTokenRef.current||e.authenticated){e.didInitialRefresh.current=!0,c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}let d=!!c&&!l,h=!c&&!l;if(l&&!c){e.didInitialRefresh.current=!0;return}if(d||h){e.didInitialRefresh.current=!0;return}if(c&&u&&c.toLowerCase()!==u.toLowerCase()){e.didInitialRefresh.current=!0;return}e.didInitialRefresh.current=!0;let m=await r();if(!f)return;e.setAuthenticated(m),m&&c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(d){if(!f)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(d?.message||String(d)||"Unknown error");}})(),()=>{f=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,e.didInitialRefresh,r,n]),react.useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),react.useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{await n();}catch(c){e.setError(c?.message||String(c));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),react.useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),react.useEffect(()=>{let u=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return  false;let d=e.tokenExpRef.current;if(!d)return  false;let h=Math.floor(Date.now()/1e3);return d-h<=30},l=async()=>{try{u()&&await r();}catch{}},f=async()=>{document.visibilityState==="visible"&&await l();};return window.addEventListener("focus",l),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",l),document.removeEventListener("visibilitychange",f);}},[e,r]),react.useEffect(()=>{let l=()=>{let h=Math.floor(Date.now()/1e3),m=e.tokenExpRef.current,R=e.sessionExpiry,k=!!m&&m-h<=30&&m-h>0,P=!!R&&R-h<=3600&&R-h>0;return {tokenSoon:k,sessionSoon:P}},f=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:h,sessionSoon:m}=l();(h||m)&&await r()&&m&&await n();}catch{}},d=async()=>{document.visibilityState==="visible"&&await f();};return window.addEventListener("focus",f),document.addEventListener("visibilitychange",d),()=>{window.removeEventListener("focus",f),document.removeEventListener("visibilitychange",d);}},[e,e.sessionExpiry,r,n]);};var vr=react.createContext(void 0),jn=e=>{let t=wr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=br(t),a=Sr(t,r),{session:i,verify:s}=Er(t,a);Pr(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let c=react.useMemo(()=>({get:(u,l)=>a("GET",u,void 0,l),post:(u,l,f)=>a("POST",u,l,f),verify:s,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,s,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsxRuntime.jsx(vr.Provider,{value:c,children:e.children})},On=e=>jsxRuntime.jsx(bt,{clientId:e.clientId,children:jsxRuntime.jsx(jn,{...e})}),Un=()=>{let e=react.useContext(vr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
+var on=Object.defineProperty;var Mt=e=>{throw TypeError(e)};var an=(e,t,r)=>t in e?on(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var M=(e,t,r)=>an(e,typeof t!="symbol"?t+"":t,r),$t=(e,t,r)=>t.has(e)||Mt("Cannot "+r);var h=(e,t,r)=>($t(e,t,"read from private field"),r?r.call(e):t.get(e)),j=(e,t,r)=>t.has(e)?Mt("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),N=(e,t,r,n)=>($t(e,t,"write to private field"),t.set(e,r),r);var ve=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var sn="sunbreak-kv",Ae="kv",Fe="sunbreak_dpop_meta_v1",T="sunbreak_dpop_key_v1",xe="ES256",v="P-256",Ke=e=>`${Fe}:${e}`,Ot=()=>new Promise((e,t)=>{let r=indexedDB.open(sn,1);r.onupgradeneeded=()=>r.result.createObjectStore(Ae),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),I=async e=>{try{let t=await Ot();return await new Promise((r,n)=>{let a=t.transaction(Ae,"readonly").objectStore(Ae).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},R=async(e,t)=>{let r=await Ot();await new Promise((n,o)=>{let i=r.transaction(Ae,"readwrite").objectStore(Ae).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var cn=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},ln=e=>e.replace(/\/+$/,""),ft=e=>{let t=ln(e);return cn(t)};function pt(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=un(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var un=e=>{for(let t=0;t<dt.length;t++){let r=dt[Math.floor(Math.random()*dt.length)].toLowerCase();if(r!==e)return r}return "alpha"},dt=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var F=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var fn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),dn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),pn=new Set(["dpop","x-sunbreak-meta"]),hn=64,Ut=2048,yn=64;function ht(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=yn)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>hn||fn.has(i)||dn.has(i)||pn.has(i))continue;let c=String(a);c.length>Ut&&(c=c.slice(0,Ut)),t[i]=c,n++;}return t}var re=new TextEncoder,me=new TextDecoder;function jt(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Nt(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Ft(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function Bt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Ft(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Be(e){let t=e;return typeof t=="string"&&(t=re.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Nt(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ue=class extends Error{constructor(r,n){super(r,n);M(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};M(ue,"code","ERR_JOSE_GENERIC");var D=class extends ue{constructor(){super(...arguments);M(this,"code","ERR_JOSE_NOT_SUPPORTED");}};M(D,"code","ERR_JOSE_NOT_SUPPORTED");var ne=class extends ue{constructor(){super(...arguments);M(this,"code","ERR_JWS_INVALID");}};M(ne,"code","ERR_JWS_INVALID");var Ce=class extends ue{constructor(){super(...arguments);M(this,"code","ERR_JWT_INVALID");}};M(Ce,"code","ERR_JWT_INVALID");var Vt,Gt,yt=class extends(Gt=ue,Vt=Symbol.asyncIterator,Gt){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);M(this,Vt);M(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};M(yt,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function q(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function mt(e){return parseInt(e.name.slice(4),10)}function gn(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function bn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function qt(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw q("HMAC");let n=parseInt(t.slice(2),10);if(mt(e.algorithm.hash)!==n)throw q(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw q("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(mt(e.algorithm.hash)!==n)throw q(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw q("RSA-PSS");let n=parseInt(t.slice(2),10);if(mt(e.algorithm.hash)!==n)throw q(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw q("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw q(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw q("ECDSA");let n=gn(t);if(e.algorithm.namedCurve!==n)throw q(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}bn(e,r);}function zt(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Xt=(e,...t)=>zt("Key must be ",e,...t);function wt(e,t,...r){return zt(`Key for the ${e} algorithm must be `,t,...r)}function gt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function bt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var St=e=>gt(e)||bt(e);var Yt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return  true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return  false;r.add(a);}}return  true};function Sn(e){return typeof e=="object"&&e!==null}var Ve=e=>{if(!Sn(e)||Object.prototype.toString.call(e)!=="[object Object]")return  false;if(Object.getPrototypeOf(e)===null)return  true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Zt=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function Rn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new D('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var Qt=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=Rn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var er=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new D(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Te(e){return Ve(e)&&typeof e.kty=="string"}function tr(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function rr(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function nr(e){return e.kty==="oct"&&typeof e.k=="string"}var ge,or=async(e,t,r,n=false)=>{ge||(ge=new WeakMap);let o=ge.get(e);if(o?.[r])return o[r];let a=await Qt({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:ge.set(e,{[r]:a}),a},kn=(e,t)=>{ge||(ge=new WeakMap);let r=ge.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let c=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!c)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&c==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES384"&&c==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES512"&&c==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:c},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:ge.set(e,{[t]:a}),a},ar=async(e,t)=>{if(e instanceof Uint8Array||gt(e))return e;if(bt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return kn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return or(e,r,t)}if(Te(e))return e.k?Bt(e.k):or(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],Rt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return  true},Pn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Te(t)){if(nr(t)&&Rt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!St(t))throw new TypeError(wt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},vn=(e,t,r)=>{if(Te(t))switch(r){case "decrypt":case "sign":if(tr(t)&&Rt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(rr(t)&&Rt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!St(t))throw new TypeError(wt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},ir=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?Pn(e,t,r):vn(e,t,r);};var sr=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new D(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var cr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Xt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return qt(t,e,r),t};var ae=e=>Math.floor(e.getTime()/1e3);var An=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Ge=e=>{let t=An.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function fe(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var x,qe=class{constructor(t){j(this,x);if(!Ve(t))throw new TypeError("JWT Claims Set MUST be an object");N(this,x,structuredClone(t));}data(){return re.encode(JSON.stringify(h(this,x)))}get iss(){return h(this,x).iss}set iss(t){h(this,x).iss=t;}get sub(){return h(this,x).sub}set sub(t){h(this,x).sub=t;}get aud(){return h(this,x).aud}set aud(t){h(this,x).aud=t;}set jti(t){h(this,x).jti=t;}set nbf(t){typeof t=="number"?h(this,x).nbf=fe("setNotBefore",t):t instanceof Date?h(this,x).nbf=fe("setNotBefore",ae(t)):h(this,x).nbf=ae(new Date)+Ge(t);}set exp(t){typeof t=="number"?h(this,x).exp=fe("setExpirationTime",t):t instanceof Date?h(this,x).exp=fe("setExpirationTime",ae(t)):h(this,x).exp=ae(new Date)+Ge(t);}set iat(t){typeof t>"u"?h(this,x).iat=ae(new Date):t instanceof Date?h(this,x).iat=fe("setIssuedAt",ae(t)):typeof t=="string"?h(this,x).iat=fe("setIssuedAt",ae(new Date)+Ge(t)):h(this,x).iat=fe("setIssuedAt",t);}};x=new WeakMap;var lr=async(e,t,r)=>{let n=await cr(e,t,"sign");Zt(e,n);let o=await crypto.subtle.sign(sr(e,n.algorithm),n,r);return new Uint8Array(o)};var Ie,L,z,ze=class{constructor(t){j(this,Ie);j(this,L);j(this,z);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");N(this,Ie,t);}setProtectedHeader(t){if(h(this,L))throw new TypeError("setProtectedHeader can only be called once");return N(this,L,t),this}setUnprotectedHeader(t){if(h(this,z))throw new TypeError("setUnprotectedHeader can only be called once");return N(this,z,t),this}async sign(t,r){if(!h(this,L)&&!h(this,z))throw new ne("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Yt(h(this,L),h(this,z)))throw new ne("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...h(this,L),...h(this,z)},o=er(ne,new Map([["b64",true]]),r?.crit,h(this,L),n),a=true;if(o.has("b64")&&(a=h(this,L).b64,typeof a!="boolean"))throw new ne('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new ne('JWS "alg" (Algorithm) Header Parameter missing or invalid');ir(i,t,"sign");let c=h(this,Ie);a&&(c=re.encode(Be(c)));let u;h(this,L)?u=re.encode(Be(JSON.stringify(h(this,L)))):u=re.encode("");let s=jt(u,re.encode("."),c),l=await ar(t,i),d=await lr(i,l,s),f={signature:Be(d),payload:""};return a&&(f.payload=me.decode(c)),h(this,z)&&(f.header=h(this,z)),h(this,L)&&(f.protected=me.decode(u)),f}};Ie=new WeakMap,L=new WeakMap,z=new WeakMap;var Se,Xe=class{constructor(t){j(this,Se);N(this,Se,new ze(t));}setProtectedHeader(t){return h(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await h(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var ie,$,de=class{constructor(t={}){j(this,ie);j(this,$);N(this,$,new qe(t));}setIssuer(t){return h(this,$).iss=t,this}setSubject(t){return h(this,$).sub=t,this}setAudience(t){return h(this,$).aud=t,this}setJti(t){return h(this,$).jti=t,this}setNotBefore(t){return h(this,$).nbf=t,this}setExpirationTime(t){return h(this,$).exp=t,this}setIssuedAt(t){return h(this,$).iat=t,this}setProtectedHeader(t){return N(this,ie,t),this}async sign(t,r){let n=new Xe(h(this,$).data());if(n.setProtectedHeader(h(this,ie)),Array.isArray(h(this,ie)?.crit)&&h(this,ie).crit.includes("b64")&&h(this,ie).b64===false)throw new Ce("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};ie=new WeakMap,$=new WeakMap;var xn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),Ye=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return xn(r)},B=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,c={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(c.nonce=n),o&&(c.ath=o),await new de(c).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var _=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function pe(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,c=Math.floor(Date.now()/1e3),u=c+Math.max(60,Math.min(i,3600)),s={child_jkt:n,client_id:o,aud:"issuer",iat:c,exp:u,jti:crypto.randomUUID()};return a&&(s.sid=a),await new de(s).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function We(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Je(e){let t=e.status,r=Array.from(e.headers.keys()).some(c=>c.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let c=await e.clone().json();n=typeof c?.error=="string"?c.error:void 0,o=typeof c?.detail=="string"?c.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function he(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},Et=react.createContext(void 0);function hr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function Tn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var kt=({children:e,clientId:t})=>{let[r,n]=react.useState(Re),o=react.useRef(false),[a,i]=react.useState(false),c=react.useMemo(()=>Ke(t),[t]);react.useEffect(()=>{let p=true;return (async()=>{let y=await I(c)??await I(Fe)??hr(c);p&&(n({...Re,...y}),o.current=true,i(true));})(),()=>{p=false;}},[c]),react.useEffect(()=>{o.current&&(async()=>(await R(c,r),Tn(c,r)))();},[r,c]);let u=react.useCallback(p=>n(g=>({...g,refreshId:p})),[]),s=react.useCallback(p=>n(g=>({...g,lastPolicyHash:p})),[]),l=react.useCallback(p=>n(g=>({...g,lastPolicyProof:p})),[]),d=react.useCallback(p=>n(g=>({...g,lastHost:p})),[]),f=react.useCallback(p=>n(g=>({...g,rootJkt:p})),[]),w=async()=>{try{let p=localStorage.getItem(c);if(p){let g=JSON.parse(p);if(typeof g?.refreshId=="string"&&g.refreshId)return g.refreshId}}catch{}try{let p=await I(c);if(typeof p?.refreshId=="string"&&p.refreshId)return p.refreshId}catch{}return null},S=react.useCallback(p=>n(g=>({...g,boundWallet:p})),[]),E=react.useCallback(p=>n(g=>({...g,clientId:p})),[]),m=react.useCallback(p=>n(g=>({...g,jkt:p})),[]),k=react.useCallback(()=>n(Re),[]),b=react.useCallback(async()=>{let g=await I(c)??hr(c);n({...Re,...g});},[]),H=react.useMemo(()=>({meta:r,setBoundWallet:S,setClientId:E,setJkt:m,resetMeta:k,reload:b,setRefreshId:u,getRefreshId:w,ready:a,setLastPolicyHash:s,setLastPolicyProof:l,setLastHost:d,setRootJkt:f}),[r,S,E,m,k,b,a,u,w,s,l,d,f]);return jsxRuntime.jsx(Et.Provider,{value:H,children:e})};function Pt(){let e=react.useContext(Et);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var mr=`${T}:wrap`;async function Ze(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},!1,["sign","verify"]),t=`${T}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await I(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return  false}}async function Jn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},!0,["sign","verify"]),t=`${T}:probe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await I(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return  false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=v,t.alg=xe,t.use="sig",t}async function wr(){let e=await I(mr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(mr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function vt(e){let t=await wr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Dn(e,t){let r=await wr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var At=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let u=await I(T);if(!u)return  false;if(u.fmt==="cryptokey"){let l=u;if(!l.privKey)return await R(T,void 0),false;let d=l.privKey;try{if(d.extractable&&await Ze()){let w=await crypto.subtle.exportKey("jwk",d),S=await crypto.subtle.importKey("jwk",w,{name:"ECDSA",namedCurve:v},!1,["sign"]),E={fmt:"cryptokey",privKey:S,pubJwk:ke(l.pubJwk)};await R(T,E),d=S;}}catch{}return e.current=d,t.current=ke(l.pubJwk),true}if(u.fmt==="encjwk"){let l=u;try{let d=await Dn(l.encPrivJwk,l.iv),f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},!1,["sign"]);return e.current=f,t.current=ke(l.pubJwk),!0}catch{return await R(T,void 0),false}}let s=u;if(s&&s.d){let{d:l,...d}=s,f=ke(d),w=await Ze(),S=w||await Jn();if(S&&w){let b=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);return await R(T,{fmt:"cryptokey",privKey:b,pubJwk:f}),e.current=b,t.current=f,true}if(S){let b=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},true,["sign"]);return await R(T,{fmt:"cryptokey",privKey:b,pubJwk:f}),e.current=b,t.current=f,true}let{encPrivJwk:E,iv:m}=await vt(s);await R(T,{fmt:"encjwk",encPrivJwk:E,iv:m,pubJwk:f});let k=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);return e.current=k,t.current=f,true}return await R(T,void 0),false},[]),n=react.useCallback(async(u,s)=>{await R(T,{fmt:"cryptokey",privKey:u,pubJwk:s});},[]),o=react.useCallback(async(u,s)=>{let{encPrivJwk:l,iv:d}=await vt(u);await R(T,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:s});},[]),a=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let u=await Ze(),s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",s.publicKey)),d=await crypto.subtle.exportKey("jwk",s.privateKey);if(u){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);await n(f,l),e.current=f,t.current=l;}else {await o(d,l);let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);e.current=f,t.current=l;}},[r,n,o]),i=react.useCallback(async()=>{let u=await Ze(),s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",s.publicKey)),d=await crypto.subtle.exportKey("jwk",s.privateKey);if(u){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);await R(T,{fmt:"cryptokey",privKey:f,pubJwk:l}),e.current=f,t.current=l;}else {let{encPrivJwk:f,iv:w}=await vt(d);await R(T,{fmt:"encjwk",encPrivJwk:f,iv:w,pubJwk:l});let S=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);e.current=S,t.current=l;}},[]),c=react.useCallback(async()=>{await R(T,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:c,privRef:e,pubJwkRef:t}};var Y="sunbreak_root_key_v1",br=`${Y}:wrap`;async function Sr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},!1,["sign","verify"]),t=`${Y}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await I(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return  false}}function Qe(e){let t={...e};return delete t.d,t.kty="EC",t.crv=v,t.alg=xe,t.use="sig",t}async function Rr(){let e=await I(br);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(br,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Ln(e){let t=await Rr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function _n(e,t){let r=await Rr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Kt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let a=await I(Y);if(!a)return  false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await R(Y,void 0),false;let c=i.privKey;try{if(c.extractable&&await Sr()){let s=await crypto.subtle.exportKey("jwk",c),l=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},!1,["sign"]),d={fmt:"cryptokey",privKey:l,pubJwk:Qe(i.pubJwk),createdAt:i.createdAt};await R(Y,d),c=l;}}catch{}return e.current=c,t.current=Qe(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let c=await _n(i.encPrivJwk,i.iv),u=await crypto.subtle.importKey("jwk",c,{name:"ECDSA",namedCurve:v},!1,["sign"]);return e.current=u,t.current=Qe(i.pubJwk),!0}catch{return await R(Y,void 0),false}}return await R(Y,void 0),false},[]),n=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await Sr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},true,["sign","verify"]),c=Qe(await crypto.subtle.exportKey("jwk",i.publicKey)),u=Date.now(),s=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);await R(Y,{fmt:"cryptokey",privKey:l,pubJwk:c,createdAt:u}),e.current=l,t.current=c;}else {let{encPrivJwk:l,iv:d}=await Ln(s);await R(Y,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:c,createdAt:u});let w=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);e.current=w,t.current=c;}},[r]),o=react.useCallback(async()=>{await R(Y,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var De=class e{constructor(t,r=false){this.colors={flow:"#00D9FF",state:"#00FF88",decision:"#FFB800",api:"#B388FF",guard:"#FFEA00",error:"#FF5252",warn:"#FF9100",info:"#90CAF9"};this.enabled=r,this.prefix=t?`[Sunbreak:${t.slice(0,8)}]`:"[Sunbreak]";}log(t,r,n){if(!this.enabled)return;let o=this.colors[t],a=new Date().toISOString().slice(11,23),i=this.getEmoji(t);console.log(`%c${i} ${this.prefix} [${a}] [${t.toUpperCase()}]%c ${r}`,`color: ${o}; font-weight: bold`,"color: inherit; font-weight: normal",n!==void 0?n:"");}getEmoji(t){switch(t){case "flow":return "\u{1F504}";case "state":return "\u{1F500}";case "decision":return "\u{1F914}";case "api":return "\u{1F4E1}";case "guard":return "\u{1F6E1}\uFE0F";case "error":return "\u274C";case "warn":return "\u26A0\uFE0F";case "info":return "\u2139\uFE0F";default:return "\u2022"}}flow(t,r,n){this.log("flow",`[${t.toUpperCase()}] ${r}`,n);}state(t,r,n,o){this.log("state",`${t} \u2192 ${r}: ${n}`,o);}decision(t,r,n,o){this.log("decision",`${t} = ${r?"\u2713 YES":"\u2717 NO"} (${n})`,o);}api(t,r,n){let o=n.status,i=o>=200&&o<300?"\u2713":"\u2717";this.log("api",`${i} ${t} ${r} \u2192 ${o}${n.error?` (${n.error})`:""}`,n.data);}guard(t,r,n,o){this.log("guard",`${t}: ${r?"\u2713 PASS":"\u2717 BLOCK"} (${n})`,o);}error(t,r){this.log("error",t,r);}warn(t,r){this.log("warn",t,r);}info(t,r){this.log("info",t,r);}group(t){this.enabled&&console.group(`${this.prefix} ${t}`);}groupEnd(){this.enabled&&console.groupEnd();}child(t){let r=new e(void 0,this.enabled);return r.prefix=`${this.prefix}[${t}]`,r}},Ct=null;function Er(){return Ct||(Ct=new De(void 0,true)),Ct}var et=class{constructor(t){this.currentState="unknown";this.previousState="unknown";this.logger=Er();this.hadSessionHistory=false;this.inActiveSession=false;t&&this.initialize(t);}initialize(t){this.logger.group("\u{1F527} Initializing Session State Machine");let r=!!(t.boundWallet||t.refreshId);this.hadSessionHistory=r,this.logger.info("Initial context",{wallet:t.wallet,boundWallet:t.boundWallet,refreshId:t.refreshId?"present":"null",hasToken:t.hasToken,authenticated:t.authenticated,hasHistory:r}),t.authenticated&&t.hasToken?(this.transition("authenticated","Has valid token"),this.inActiveSession=true):r?this.transition("refreshable","Has session history"):this.transition("unregistered","No session history"),this.logger.groupEnd();}transition(t,r){if(this.currentState===t){this.logger.info(`State unchanged: ${t} (${r})`);return}this.previousState=this.currentState,this.currentState=t,this.logger.state(this.previousState,t,r);}getState(){return this.currentState}isInActiveSession(){return this.inActiveSession}markHadSession(){this.hadSessionHistory||(this.logger.info("Marked hadSessionHistory = true"),this.hadSessionHistory=true);}clearSessionHistory(){this.logger.info("Cleared session history"),this.hadSessionHistory=false,this.inActiveSession=false;}onProbeComplete(t){if(this.logger.flow("probe","Probe completed, determining initial state"),this.currentState!=="unknown"){this.logger.warn("Probe called but state is not UNKNOWN",{currentState:this.currentState});return}!!(t.boundWallet||t.refreshId)||this.hadSessionHistory?this.transition("refreshable","Session history found"):this.transition("unregistered","No session history");}onRegisterSuccess(t){this.logger.flow("register","Register succeeded"),this.transition("authenticated","Register succeeded"),this.inActiveSession=true,this.hadSessionHistory=true;}onRegisterFailure(t){this.logger.flow("register",`Register failed: ${t}`);}onRefreshSuccess(t){this.logger.flow("refresh","Refresh succeeded"),this.transition("authenticated","Refresh succeeded"),this.inActiveSession=true;}onRefreshExpired(){this.logger.flow("refresh","Refresh failed: session expired (missing refresh identifier)"),this.transition("expired","Session expired"),this.inActiveSession=false;}onRefreshFailure(t){this.logger.flow("refresh",`Refresh failed: ${t}`);}onTokenExpired(){this.logger.flow("token","Token expired"),this.currentState==="authenticated"&&this.transition("refreshable","Token expired");}onWalletChange(t,r,n){if(this.logger.flow("wallet",`Wallet changed: ${t||"null"} \u2192 ${r||"null"}`),!r){this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;return}r.toLowerCase()===n.boundWallet?.toLowerCase()?this.hadSessionHistory&&this.transition("refreshable","Wallet reconnected with history"):(this.transition("unregistered","Wallet changed to different address"),this.inActiveSession=false);}onWalletDisconnect(){this.logger.flow("wallet","Wallet disconnected"),this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;}shouldAttemptProbe(){let t=this.currentState==="unknown";return this.logger.decision("Should attempt probe?",t,`State is ${this.currentState}`),t}shouldAttemptRefresh(t){if(this.currentState!=="refreshable"&&this.currentState!=="authenticated")return this.logger.decision("Should attempt refresh?",false,`State is ${this.currentState}, not REFRESHABLE or AUTHENTICATED`),false;if(!(t.boundWallet||t.wallet))return this.logger.decision("Should attempt refresh?",false,"No wallet available (neither boundWallet nor current wallet)"),false;if(t.wallet&&t.boundWallet&&t.wallet.toLowerCase()!==t.boundWallet.toLowerCase())return this.logger.decision("Should attempt refresh?",false,"Wallet mismatch"),false;if(t.hasToken&&t.tokenExpiry){let n=Math.floor(Date.now()/1e3);if(t.tokenExpiry-n>5&&this.currentState==="authenticated")return this.logger.decision("Should attempt refresh?",false,"Token still valid"),false}return this.logger.decision("Should attempt refresh?",true,`State is ${this.currentState}, token ${t.hasToken?"present":"missing"}`),true}shouldAttemptRegister(t){return this.inActiveSession?(this.logger.decision("Should attempt register?",false,"Already in active session - proof changes ignored"),false):this.currentState!=="unregistered"&&this.currentState!=="expired"?(this.logger.decision("Should attempt register?",false,`State is ${this.currentState}, not UNREGISTERED or EXPIRED`),false):t.wallet?t.hasProof?t.authenticated&&t.hasToken?(this.logger.decision("Should attempt register?",false,"Already authenticated"),false):(this.logger.decision("Should attempt register?",true,`State is ${this.currentState}, have wallet + proof`),true):(this.logger.decision("Should attempt register?",false,"No proof available"),false):(this.logger.decision("Should attempt register?",false,"No wallet connected"),false)}shouldWaitForInitialRefresh(t,r){return this.currentState!=="refreshable"||t?false:r.wallet&&r.boundWallet&&r.wallet.toLowerCase()===r.boundWallet.toLowerCase()?(this.logger.decision("Should wait for initial refresh?",true,"Returning user - let refresh attempt first"),true):false}getStateReport(t){return `
+\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
+\u2502  Session State Machine Report          \u2502
+\u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524
+\u2502 Current State:    ${this.currentState.padEnd(20)} \u2502
+\u2502 Previous State:   ${this.previousState.padEnd(20)} \u2502
+\u2502 Active Session:   ${String(this.inActiveSession).padEnd(20)} \u2502
+\u2502 Had History:      ${String(this.hadSessionHistory).padEnd(20)} \u2502
+\u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524
+\u2502 Wallet:           ${(t.wallet||"null").padEnd(20)} \u2502
+\u2502 Bound Wallet:     ${(t.boundWallet||"null").padEnd(20)} \u2502
+\u2502 Refresh ID:       ${(t.refreshId?"present":"null").padEnd(20)} \u2502
+\u2502 Has Token:        ${String(t.hasToken).padEnd(20)} \u2502
+\u2502 Authenticated:    ${String(t.authenticated).padEnd(20)} \u2502
+\u2502 Has Proof:        ${String(t.hasProof).padEnd(20)} \u2502
+\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518
+    `.trim()}};var Hn=()=>crypto.randomUUID(),kr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:c,refreshDeps:u=[],debug:s}=e,l=ft(n),d=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:f,setBoundWallet:w,setJkt:S,setRefreshId:E,getRefreshId:m,setLastPolicyHash:k,setLastPolicyProof:b,setLastHost:H,setRootJkt:p,ready:g}=Pt(),{ensureRootKeypair:y,rootPrivRef:P,rootPubJwkRef:C}=Kt(),O=react.useCallback(async()=>{await y();try{if(!f.rootJkt&&C.current){let te=await _(C.current);p(te);}}catch{}},[y,f.rootJkt,C]),{ensureKeypair:Pe,rotate:K,privRef:Me,pubJwkRef:$e}=At(),[Jt,J]=react.useState(false),[G,U]=react.useState(0),[ee,ce]=react.useState(null),[oe,rt]=react.useState(null),[nt,ot]=react.useState(null),[Jr,Dr]=react.useState(null),[Lr,_r]=react.useState(null),[Hr,Mr]=react.useState(null),$r=react.useRef(null),Or=react.useRef(null),Ur=react.useRef(null),jr=react.useRef(null),Nr=react.useRef(null),Fr=react.useRef(null),Br=react.useRef(null),Vr=react.useRef(false),Gr=react.useRef(false),qr=react.useRef(void 0),Oe=react.useRef(false),at=react.useRef(false),Dt=react.useRef(null),le=react.useRef(null);le.current||(le.current=new Promise(te=>{Dt.current=te;}));let it=react.useRef(null),zr=react.useRef(i),Xr=react.useRef(null),st=react.useRef(null);if(!st.current){let te=s??false;st.current=new De(t,te);}let ct=react.useRef(null);ct.current||(ct.current=new et);let Ue=react.useRef(null),Lt=react.useRef(null),je=react.useRef(null),_t=()=>Date.now(),Yr=()=>(je.current??0)>0&&je.current<_t(),lt=react.useCallback((te,nn=15e3)=>{let Ht=Hn();return Ue.current=Ht,Lt.current=te,je.current=_t()+Math.max(1e3,nn),Ht},[]),Zr=react.useCallback(()=>((!Ue.current||Yr())&&lt("adhoc",1e4),Ue.current),[lt]),ut=react.useRef(null),Ne=react.useRef(null);Ne.current||(Ne.current=new Promise(te=>{ut.current=te;}));let Qr=react.useCallback(async()=>{!Oe.current&&Ne.current&&await Ne.current;},[]),en=react.useCallback(()=>{Oe.current||(Oe.current=true,ut.current?.(),ut.current=null);},[]),tn=react.useCallback(async()=>{!at.current&&le.current&&await le.current;},[]),rn=react.useCallback(async()=>{!at.current&&le.current&&await le.current,it.current&&await it.current;},[]);return {clientId:t,wallet:r,baseUrl:l,fetchImpl:d,timeoutMs:a,providerAdapter:c,refreshDeps:u,ensureKeypair:Pe,rotate:K,ensureRootKeypair:O,rootPrivRef:P,rootPubJwkRef:C,privRef:Me,pubJwkRef:$e,meta:f,setBoundWallet:w,setJkt:S,setRefreshId:E,accessTokenRef:Ur,tokenExpRef:jr,authenticated:Jt,setAuthenticated:J,loadingCount:G,setLoadingCount:U,error:ee,setError:ce,allowed:oe,setAllowed:rt,denyReason:nt,setDenyReason:ot,sessionExpiry:Jr,setSessionExpiry:Dr,sessionData:Lr,setSessionData:_r,verifyData:Hr,setVerifyData:Mr,authWalletRef:Or,refreshLock:Nr,registerLock:Fr,sessionLock:Br,didInitialRefresh:Vr,didInitialSession:Gr,prevWalletRef:qr,initResolvedRef:at,initReady:le,initResolveRef:Dt,rotateLock:it,waitReady:tn,awaitKeyStable:rn,proofRef:zr,registerCooldownUntilRef:$r,reqIdRef:Ue,flowLabelRef:Lt,flowExpireRef:je,beginFlow:lt,currentReqId:Zr,awaitProbe:Qr,markProbed:en,hasProbedRef:Oe,getRefreshId:m,setLastPolicyHash:k,setLastPolicyProof:b,setLastHost:H,setRootJkt:p,metaReady:g,probeLock:Xr,stateMachine:ct.current,logger:st.current}};var V=e=>e.accessTokenRef.current??null,Z=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},W=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Mn=(e,t)=>`${e.toUpperCase()} ${t}`;async function Le(e,t,r,n){if(!t)return e.logger.guard("register",false,"No wallet provided"),false;e.logger.flow("register","Starting register flow",{wallet:t});let o=Le._nonceCacheRef||(Le._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let a;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let y=await _(e.rootPubJwkRef.current);e.setRootJkt?.(y);}catch{}let p=await _(W(e)),g=await e.getRefreshId();a=await pe({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:p,clientId:e.clientId,sid:g||void 0,ttlSec:300});}}catch(p){e.logger.warn("Failed to create PODE for register",p);}let i=e.currentReqId(),c="/auth/register",u=`${e.baseUrl}${c}`,s=new URL(e.baseUrl).origin,l="POST",d=`${s}${c}`,f=Mn(l,d),w=o.map.get(f),S=await B({method:l,url:d,nonce:w,privateKey:Z(e),publicJwk:W(e)}),E=async p=>e.fetchImpl(u,{method:l,headers:{"content-type":"application/json","x-sunbreak-meta":F(e,{reqId:i,pode:a||void 0}),...p},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),m=await E({DPoP:S}),k=p=>{let g=p.headers.get("dpop-nonce");g&&o.map.set(f,g);};if(m.status===401){e.logger.info("Register got 401, retrying with nonce");let p=m.headers.get("www-authenticate"),y=(p&&p.match(/dpop-nonce="([^"]+)"/i))?.[1];if(y){o.map.set(f,y);let P=await B({method:l,url:d,nonce:y,privateKey:Z(e),publicJwk:W(e)});m=await E({DPoP:P});}}if(k(m),e.logger.api(l,c,{status:m.status}),!m.ok){let p=await Je(m);if((m.headers.get("content-type")||"").includes("application/json")){let y;try{y=await m.clone().json();}catch{}let P=We(y&&(y.error||y.message||y.detail)||`HTTP ${m.status}`);throw he(P,p)}else {let y=p.waf?"Blocked by WAF (403)":p.alb403?"Blocked at origin (ALB 403)":`HTTP ${m.status}`;throw he(y,p)}}let b=await m.json();e.logger.info("Register succeeded",{expiresIn:b.expiresIn,hasRefreshId:!!b.refreshId}),e.accessTokenRef.current=b.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let p=Math.floor(Date.now()/1e3);e.tokenExpRef.current=p+(b.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await _(W(e)));}catch{}try{let p={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:b.refreshId??null};e.setRefreshId(b.refreshId??null);let g=Ke(e.clientId);await R(g,p);try{localStorage.setItem(g,JSON.stringify(p));}catch{}}catch{}let H={wallet:t,boundWallet:t,refreshId:b.refreshId??null,hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!0,authenticated:!0};return e.stateMachine.onRegisterSuccess(H),!0}catch(a){let i=Number(a?.status||0),c=String(a?.code||"").toLowerCase(),u=String(a?.message||"").toLowerCase(),s=Math.floor(Math.random()*1e3);e.logger.error("Register failed",{status:i,code:c,msg:u}),e.stateMachine.onRegisterFailure(`${c||u||"Unknown error"}`);let l=c==="session_exists"||c==="already_authenticated"||u.includes("already")&&(u.includes("session")||u.includes("authenticated")),d=(i===401||i===403)&&c==="replay";if((l||d)&&n?.refreshFallback&&(!e.meta.boundWallet||e.meta.boundWallet.toLowerCase()===t.toLowerCase())){e.logger.info("Register failed with recoverable error, attempting refresh fallback",{code:c,isSessionExists:l,isReplay:d});try{if(await n.refreshFallback())return e.logger.info("Refresh fallback succeeded after register failure"),e.meta.boundWallet||e.setBoundWallet(t),!0}catch(w){e.logger.warn("Refresh fallback failed",w);}}if(d){if(e.providerAdapter)try{let f=await e.providerAdapter.getToken()??null;if(f)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await ve(e.providerAdapter,f),e.registerCooldownUntilRef.current=Date.now()+5e3+s,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+s,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+s,false}if(l)return e.setError("Session already exists. Try refreshing the page."),e.registerCooldownUntilRef.current=Date.now()+3e3+s,false;if(i===403&&(a?.waf||a?.alb403))return e.setError(u||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+s,false;if(i===403)return e.setError(c||u||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+s,false;if(i===429||i===503){e.setError(c||u||"Rate limited / unavailable");let f=i===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+f+s,false}return e.setError(c||u||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+s,false}}var $n=(e,t)=>`${e.toUpperCase()} ${t}`;function _e(e){if(e.refreshLock.current)return e.logger.guard("refreshLock",false,"Refresh already in progress"),e.refreshLock.current;if(e.registerLock.current){e.logger.guard("registerLock",false,"Registration in progress, waiting");let t=e.registerLock.current.then(()=>{if(e.authenticated&&V(e))return  true;if(V(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return  true}return  false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.logger.flow("refresh","Starting refresh flow"),e.refreshLock.current=(async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe();let t=e.meta.boundWallet||e.wallet;if(!t)return e.logger.warn("No wallet available for refresh (neither boundWallet nor current wallet)"),!1;if(e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.logger.warn("Wallet mismatch during refresh",{current:e.wallet,bound:e.meta.boundWallet}),e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let r=V(e);if(r){let y=e.tokenExpRef.current,P=Math.floor(Date.now()/1e3);if(!!r&&!!y&&y-P>5)return e.logger.info("Token still valid, skipping refresh"),!0}e.beginFlow("refresh",15e3);let n=e.currentReqId();await e.ensureKeypair();let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let C=await _(e.rootPubJwkRef.current);e.setRootJkt?.(C);}catch{}let y=await _(W(e)),P=await e.getRefreshId();o=await pe({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:y,clientId:e.clientId,sid:P||void 0,ttlSec:300});}}catch(y){e.logger.warn("Failed to create PODE for refresh",y);}let a="/auth/refresh",i=`${e.baseUrl}${a}`,c=new URL(e.baseUrl).origin,u="POST",s=`${c}${a}`,l=$n(u,s),d=_e._nonceCacheRef||(_e._nonceCacheRef={map:new Map}),f=async y=>await B({method:u,url:s,nonce:y,privateKey:Z(e),publicJwk:W(e)}),w=await e.getRefreshId(),S={"x-sunbreak-meta":F(e,{reqId:n,refreshId:w||void 0,pode:o||void 0,wallet:t}),"content-type":"application/json"},E=async y=>e.fetchImpl(i,{method:u,headers:{DPoP:y,...S},credentials:"include",body:"{}"}),m=y=>{let P=y.headers.get("dpop-nonce");P&&d.map.set(l,P);},k=await E(await f(d.map.get(l)));if(k.status===401){e.logger.info("Refresh got 401, retrying with nonce");let y=k.headers.get("www-authenticate"),C=(y&&y.match(/dpop-nonce="([^"]+)"/i))?.[1];C&&(d.map.set(l,C),k=await E(await f(C)));}if(m(k),e.logger.api(u,a,{status:k.status}),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let P=await k.clone().json().catch(()=>{}),C=P&&(P.error||P.code||P.message)||"",O=String(C).toLowerCase();if(O.includes("missing")&&O.includes("refresh")){e.logger.warn("Refresh session expired (missing refresh identifier)"),e.stateMachine.onRefreshExpired();try{e.setRefreshId?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}else e.logger.warn("Refresh failed",{error:C}),e.stateMachine.onRefreshFailure(String(C));}}catch{}return !1}let b=await k.json();e.logger.info("Refresh succeeded",{expiresIn:b.expiresIn,hasRefreshId:!!b.refreshId}),e.accessTokenRef.current=b.access,e.setAuthenticated(!0);let H=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=H?H.toLowerCase():null;try{let y=Math.floor(Date.now()/1e3);e.tokenExpRef.current=y+(b.expiresIn??0);}catch{}try{e.setJkt(await _(W(e)));}catch{}b.refreshId&&e.setRefreshId(b.refreshId);let p=y=>!y||y==="null"||y==="undefined"?null:y,g={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:p(b.refreshId??e.meta.refreshId??null),hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!!e.proofRef.current,authenticated:!0};return e.stateMachine.onRefreshSuccess(g),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var On=(e,t)=>`${e.toUpperCase()} ${t}`,Tt=new Map,He;try{let e=globalThis;He=e.__sunbreak_page_probe_guard??(e.__sunbreak_page_probe_guard=new Set);}catch{He=new Set;}var Un=e=>{try{let t=new URL(e.baseUrl).origin;return `${e.clientId}::${t}`}catch{return `${e.clientId}::${e.baseUrl}`}};async function Pr(e){let t=Un(e);if(e.probeLock.current){e.logger.guard("probeLock",false,"Probe already in progress, waiting"),await e.probeLock.current,e.markProbed();return}if(e.hasProbedRef.current){e.logger.guard("hasProbedRef",false,"Already probed in this session"),e.markProbed();return}if(He.has(t)){e.logger.guard("pageProbeGuard",false,"Already probed for this page load"),e.markProbed();return}He.add(t),e.logger.flow("probe","Starting probe flow",{clientId:e.clientId,pageKey:t});let r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let o;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let m=await _(W(e));o=await pe({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:m,clientId:e.clientId,ttlSec:300});}catch(m){e.logger.warn("Failed to create PODE for probe",m);}let a="POST",i="/auth/probe",c=`${e.baseUrl}${i}`,u=`${n}${i}`,s=On(a,u),l=async m=>B({method:a,url:u,nonce:m,privateKey:Z(e),publicJwk:W(e)}),d=async m=>e.fetchImpl(c,{method:a,headers:{DPoP:m,"x-sunbreak-meta":F(e,{pode:o}),"content-type":"application/json"},credentials:"include",body:"{}"}),f=m=>{let k=m.headers.get("dpop-nonce");k&&Tt.set(s,k);},w=await d(await l(Tt.get(s)));if(f(w),w.status===401){e.logger.info("Probe got 401, retrying with nonce from www-authenticate");let m=w.headers.get("www-authenticate"),b=(m&&m.match(/dpop-nonce="([^"]+)"/i))?.[1];b&&(Tt.set(s,b),w=await d(await l(b)),f(w));}e.logger.api(a,i,{status:w.status});let S=m=>!m||m==="null"||m==="undefined"?null:m,E={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:S(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated};e.stateMachine.onProbeComplete(E);}catch(o){e.logger.error("Probe failed",o);try{He.delete(t);}catch{}}finally{e.markProbed(),e.logger.flow("probe","Probe flow completed");}})();e.probeLock.current=r;try{await r;}finally{e.probeLock.current=null;}}var vr=e=>{let t=react.useCallback(()=>_e(e),[e]),r=react.useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a){e.logger.guard("registerCooldown",false,"Cooldown active");return}if(!e.wallet){e.logger.guard("attemptRegister",false,"No wallet");return}if(!e.initResolvedRef.current){e.logger.guard("attemptRegister",false,"Not initialized");return}if(e.refreshLock.current){e.logger.guard("attemptRegister",false,"Refresh in progress");return}if(e.registerLock.current){e.logger.guard("attemptRegister",false,"Register already in progress");return}let i=s=>!s||s==="null"||s==="undefined"?null:s,c={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:i(e.meta.refreshId),hasToken:!!V(e),tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated};if(!e.stateMachine.shouldAttemptRegister(c)){e.logger.guard("attemptRegister",false,`State machine blocked (state: ${e.stateMachine.getState()}, inActiveSession: ${e.stateMachine.isInActiveSession()})`);return}let u=e.proofRef.current;if(!u){e.logger.guard("attemptRegister",false,"No proof available");return}e.logger.guard("attemptRegister",true,"All guards passed, proceeding"),await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await Le(e,e.wallet,u,{refreshFallback:async()=>{e.logger.info("Attempting refresh as fallback after register failure");let l=!!e.meta.boundWallet;!l&&e.wallet&&e.setBoundWallet(e.wallet);try{return await _e(e)}catch{return l||e.setBoundWallet(null),!1}}})&&(e.didInitialSession.current=!0);}catch(s){e.setError(s?.message||String(s)||"Register failed");}finally{e.registerLock.current=null;}})();},[e]),n=react.useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await ve(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a,i)=>Le(e,o,a,i),attemptRegister:r,setProofFromAdapterToken:n}};var jn=(e,t)=>`${e.toUpperCase()} ${t}`,Nn=(e,t)=>!!e&&!!t&&e.toLowerCase()===t.toLowerCase();async function tt(e,t,r,n,o,a={}){e.setLoadingCount(s=>s+1),e.setError(null);let i=n.startsWith("/api/session"),c=new AbortController,u=setTimeout(()=>c.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?pt(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,f=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,w=jn(r,f),S=n.startsWith("/auth/"),E=!1,m=!1,k=e.currentReqId(),b=tt._nonceCacheRef||(tt._nonceCacheRef={map:new Map}),H=J=>{let G=J.headers.get("dpop-nonce");G&&b.map.set(w,G);},p=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),g=()=>S||!e.wallet?!1:!!(e.authenticated||Nn(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),y,P,C=async()=>{if(S||p)return;try{let ce=V(e),oe=e.tokenExpRef.current,rt=Math.floor(Date.now()/1e3),nt=!!oe&&oe-rt<=60;if(ce){if(nt&&!await t().catch(()=>!1))return}else if(!g()||!await t().catch(()=>!1))return}catch{}let J=V(e);if(!J)return;let G=await Ye(J),U=b.map.get(w),ee=await B({method:r,url:f,nonce:U,ath:G,privateKey:Z(e),publicJwk:W(e)});y=`Bearer ${e.accessTokenRef.current}`,P=ee;};await C();let O={"content-type":"application/json","x-sunbreak-auth":y||"","x-sunbreak-meta":F(e,{reqId:k,auth:y,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...ht(a.headers)};P&&(O.DPoP=P);let Pe=async()=>e.fetchImpl(l,{...a,method:r,headers:O,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:c.signal}),K=await Pe(),Me=K.headers.get("x-sunbreak-policy-hash"),$e=K.headers.get("x-sunbreak-policy-proof");if(Me&&e.setLastPolicyHash(Me),$e&&e.setLastPolicyProof($e),H(K),K.status===401&&!S){let J=V(e),G=K.headers.get("www-authenticate"),ee=(G&&G.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!p&&ee&&J&&!m){m=!0,b.map.set(w,ee);let ce=await Ye(J),oe=await B({method:r,url:f,nonce:ee,ath:ce,privateKey:Z(e),publicJwk:W(e)});y=`Bearer ${e.accessTokenRef.current}`,P=oe,O["x-sunbreak-meta"]=F(e,{reqId:k,auth:y}),O.DPoP=P,K=await Pe(),H(K);}if(K.status===401&&!E&&(E=!0,!p&&g())){let ce=await t(),oe=V(e);ce&&oe&&!p&&(await C(),O["x-sunbreak-meta"]=F(e,{reqId:k,auth:y}),P&&(O.DPoP=P),K=await Pe(),H(K));}if(K.status===401)throw new Error("Unauthorized")}if(!K.ok){let J=await Je(K);if((K.headers.get("content-type")||"").includes("application/json")){let U=await K.json().catch(()=>{}),ee=We(U&&(U.error||U.message||U.detail)||`HTTP ${K.status}`);throw he(ee,J)}else {let U=J.waf?"Blocked by WAF (403)":J.alb403?"Blocked at origin (ALB 403)":`HTTP ${K.status}`;throw he(U,J)}}return (K.headers.get("content-type")||"").includes("application/json")?await K.json():void 0}finally{clearTimeout(u),e.setLoadingCount(s=>Math.max(0,s-1));}}var Ar=(e,t)=>react.useCallback(async(r,n,o,a={})=>tt(e,t,r,n,o,a),[e,t]);async function xr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function Kr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var Tr=(e,t)=>{let r=react.useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await xr(e,t)}catch(o){throw e.logger.error("Session request failed",o),o}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=react.useCallback(async()=>{if(e.wallet)return await Kr(e,t)},[e,t]);return {session:r,verify:n}};var Ir=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t,c=()=>(e.registerCooldownUntilRef.current??0)>Date.now(),u=()=>{let s=l=>!l||l==="null"||l==="undefined"?null:l;return {wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:s(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated}};react.useEffect(()=>{if(!e.metaReady)return;let s=true;return (async()=>{try{if(await e.waitReady(),!s||(await e.awaitKeyStable(),!s)||(await e.ensureRootKeypair(),!s))return;let l=u();e.stateMachine.initialize(l),await Pr(e);}catch(l){if(!s)return;e.logger.error("Probe initialization failed",l);}})(),()=>{s=false;}},[e.metaReady]),react.useEffect(()=>{let s=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==s&&(e.didInitialRefresh.current=false),!e.wallet){e.logger.flow("wallet","Wallet disconnected"),e.stateMachine.onWalletDisconnect(),e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}if(s&&e.wallet&&s!==e.wallet){e.logger.flow("wallet",`Wallet changed: ${s} \u2192 ${e.wallet}`);let l=u();e.stateMachine.onWalletChange(s,e.wallet,l),e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;});}},[e.wallet]),react.useEffect(()=>{if(!e.providerAdapter||c()||!e.metaReady||!e.wallet)return;if(e.stateMachine.isInActiveSession()){e.logger.decision("Provider adapter should trigger register?",false,"Already in active session");return}if(e.authenticated){e.logger.decision("Provider adapter should trigger register?",false,"Already authenticated");return}let s=u();if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,s)){e.logger.decision("Provider adapter should wait for initial refresh?",true,"Returning user - refresh first");return}e.logger.decision("Provider adapter should trigger register?",true,`Fetching token (state: ${e.stateMachine.getState()})`);let l=false;return (async()=>{try{let d=e.providerAdapter.getToken(),f=new Promise((S,E)=>setTimeout(()=>E(new Error("Provider adapter timeout (30s)")),3e4)),w=await Promise.race([d,f]).catch(S=>(e.logger.warn("Provider adapter getToken failed",S),null))??null;if(await e.awaitKeyStable(),l||!w)return;e.logger.info("Provider adapter: got token, setting proof"),await a(w),await o();}catch(d){e.logger.error("Provider adapter flow failed",d);}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef,e.didInitialRefresh,e.authenticated,...e.refreshDeps]),react.useEffect(()=>{if(typeof i<"u"&&(e.proofRef.current=i??null,i&&e.logger.info("Proof prop updated",{hasProof:!!i})),!e.metaReady)return;let s=u();if(!e.stateMachine.shouldAttemptRegister(s)){e.logger.decision("Proof prop should trigger register?",false,`State machine says no (state: ${e.stateMachine.getState()}, inActiveSession: ${e.stateMachine.isInActiveSession()})`);return}if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,s)){e.logger.decision("Proof prop should wait for initial refresh?",true,"Returning user - refresh first");return}let l=!!e.wallet,d=!!e.proofRef.current;l&&d&&e.initResolvedRef.current&&!c()&&(e.logger.info("Proof prop conditions met, attempting register"),o());},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef,e.didInitialRefresh,o]),react.useEffect(()=>{if(!e.metaReady||e.didInitialRefresh.current)return;let s=true;return (async()=>{try{await e.waitReady(),await e.awaitProbe();let l=u();if(e.accessTokenRef.current||e.authenticated){e.logger.info("Already authenticated, skipping initial refresh"),e.didInitialRefresh.current=!0,e.wallet&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}if(!e.stateMachine.shouldAttemptRefresh(l)){e.logger.decision("Should attempt initial refresh?",!1,`State: ${e.stateMachine.getState()}`),e.didInitialRefresh.current=!0;return}e.logger.decision("Should attempt initial refresh?",!0,`State: ${e.stateMachine.getState()}`),e.didInitialRefresh.current=!0;let f=await r();if(!s)return;e.setAuthenticated(f),f&&e.wallet&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(l){if(!s)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(l?.message||String(l)||"Unknown error");}})(),()=>{s=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,e.didInitialRefresh,r,n]),react.useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),react.useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{e.logger.flow("session","Calling session after authentication"),await n();}catch(s){e.setError(s?.message||String(s));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),react.useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.logger.warn("Wallet mismatch detected, clearing auth",{current:e.wallet,authWallet:e.authWalletRef.current}),e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),react.useEffect(()=>{let l=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return  false;let w=e.tokenExpRef.current;if(!w)return  false;let S=Math.floor(Date.now()/1e3);return w-S<=30},d=async()=>{try{l()&&(e.logger.info("Token expiring soon, refreshing on focus"),await r());}catch{}},f=async()=>{document.visibilityState==="visible"&&await d();};return window.addEventListener("focus",d),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",d),document.removeEventListener("visibilitychange",f);}},[e,r]),react.useEffect(()=>{let d=()=>{let S=Math.floor(Date.now()/1e3),E=e.tokenExpRef.current,m=e.sessionExpiry,k=!!E&&E-S<=30&&E-S>0,b=!!m&&m-S<=3600&&m-S>0;return {tokenSoon:k,sessionSoon:b}},f=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:S,sessionSoon:E}=d();(S||E)&&(e.logger.info("Refreshing on focus",{tokenSoon:S,sessionSoon:E}),await r()&&E&&await n());}catch{}},w=async()=>{document.visibilityState==="visible"&&await f();};return window.addEventListener("focus",f),document.addEventListener("visibilitychange",w),()=>{window.removeEventListener("focus",f),document.removeEventListener("visibilitychange",w);}},[e,e.sessionExpiry,r,n]);};var Wr=react.createContext(void 0),qn=e=>{let t=kr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=vr(t),a=Ar(t,r),{session:i,verify:c}=Tr(t,a);Ir(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let u=react.useMemo(()=>({get:(s,l)=>a("GET",s,void 0,l),post:(s,l,d)=>a("POST",s,l,d),verify:c,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,c,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsxRuntime.jsx(Wr.Provider,{value:u,children:e.children})},zn=e=>jsxRuntime.jsx(kt,{clientId:e.clientId,children:jsxRuntime.jsx(qn,{...e})}),Xn=()=>{let e=react.useContext(Wr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
-exports.SunbreakProvider = On;
-exports.useSunbreak = Un;
+exports.SunbreakProvider = zn;
+exports.useSunbreak = Xn;

package/dist/index.d.cts CHANGED Viewed

@@ -90,6 +90,7 @@ interface SunbreakProviderProps {
     proof?: Proof | null;
     providerAdapter?: ProviderAdapter;
     refreshDeps?: unknown[];
+    debug?: boolean;
 }
 /**

package/dist/index.d.ts CHANGED Viewed

@@ -90,6 +90,7 @@ interface SunbreakProviderProps {
     proof?: Proof | null;
     providerAdapter?: ProviderAdapter;
     refreshDeps?: unknown[];
+    debug?: boolean;
 }
 /**

package/dist/index.mjs CHANGED Viewed

@@ -1,6 +1,22 @@
 import { createContext, useContext, useState, useRef, useMemo, useEffect, useCallback } from 'react';
 import { jsx } from 'react/jsx-runtime';
-var Yr=Object.defineProperty;var It=e=>{throw TypeError(e)};var Xr=(e,t,r)=>t in e?Yr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var H=(e,t,r)=>Xr(e,typeof t!="symbol"?t+"":t,r),Dt=(e,t,r)=>t.has(e)||It("Cannot "+r);var y=(e,t,r)=>(Dt(e,t,"read from private field"),r?r.call(e):t.get(e)),O=(e,t,r)=>t.has(e)?It("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),U=(e,t,r,n)=>(Dt(e,t,"write to private field"),t.set(e,r),r);var Pe=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Zr="sunbreak-kv",ve="kv",Ue="sunbreak_dpop_meta_v1",x="sunbreak_dpop_key_v1",Ke="ES256",E="P-256",Ae=e=>`${Ue}:${e}`,Wt=()=>new Promise((e,t)=>{let r=indexedDB.open(Zr,1);r.onupgradeneeded=()=>r.result.createObjectStore(ve),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),C=async e=>{try{let t=await Wt();return await new Promise((r,n)=>{let a=t.transaction(ve,"readonly").objectStore(ve).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},g=async(e,t)=>{let r=await Wt();await new Promise((n,o)=>{let i=r.transaction(ve,"readwrite").objectStore(ve).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var Qr=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},en=e=>e.replace(/\/+$/,""),it=e=>{let t=en(e);return Qr(t)};function ct(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=tn(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var tn=e=>{for(let t=0;t<st.length;t++){let r=st[Math.floor(Math.random()*st.length)].toLowerCase();if(r!==e)return r}return "alpha"},st=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var $=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var rn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),nn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),on=new Set(["dpop","x-sunbreak-meta"]),an=64,_t=2048,sn=64;function ut(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=sn)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>an||rn.has(i)||nn.has(i)||on.has(i))continue;let s=String(a);s.length>_t&&(s=s.slice(0,_t)),t[i]=s,n++;}return t}var Q=new TextEncoder,me=new TextDecoder;function Lt(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Ht(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Mt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function jt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Mt(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function $e(e){let t=e;return typeof t=="string"&&(t=Q.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Ht(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ue=class extends Error{constructor(r,n){super(r,n);H(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};H(ue,"code","ERR_JOSE_GENERIC");var D=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JOSE_NOT_SUPPORTED");}};H(D,"code","ERR_JOSE_NOT_SUPPORTED");var ee=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWS_INVALID");}};H(ee,"code","ERR_JWS_INVALID");var xe=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWT_INVALID");}};H(xe,"code","ERR_JWT_INVALID");var Ot,Ut,lt=class extends(Ut=ue,Ot=Symbol.asyncIterator,Ut){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);H(this,Ot);H(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};H(lt,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function F(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function ft(e){return parseInt(e.name.slice(4),10)}function ln(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function fn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function $t(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw F("HMAC");let n=parseInt(t.slice(2),10);if(ft(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw F("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(ft(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw F("RSA-PSS");let n=parseInt(t.slice(2),10);if(ft(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw F("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw F(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw F("ECDSA");let n=ln(t);if(e.algorithm.namedCurve!==n)throw F(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}fn(e,r);}function Nt(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Bt=(e,...t)=>Nt("Key must be ",e,...t);function dt(e,t,...r){return Nt(`Key for the ${e} algorithm must be `,t,...r)}function pt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function yt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var mt=e=>pt(e)||yt(e);var Vt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return  true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return  false;r.add(a);}}return  true};function dn(e){return typeof e=="object"&&e!==null}var Ne=e=>{if(!dn(e)||Object.prototype.toString.call(e)!=="[object Object]")return  false;if(Object.getPrototypeOf(e)===null)return  true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Ft=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function pn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new D('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var Gt=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=pn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var qt=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new D(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Ce(e){return Ne(e)&&typeof e.kty=="string"}function zt(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function Yt(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function Xt(e){return e.kty==="oct"&&typeof e.k=="string"}var he,Zt=async(e,t,r,n=false)=>{he||(he=new WeakMap);let o=he.get(e);if(o?.[r])return o[r];let a=await Gt({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:he.set(e,{[r]:a}),a},mn=(e,t)=>{he||(he=new WeakMap);let r=he.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&s==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES384"&&s==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES512"&&s==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:s},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:he.set(e,{[t]:a}),a},Qt=async(e,t)=>{if(e instanceof Uint8Array||pt(e))return e;if(yt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return mn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Zt(e,r,t)}if(Ce(e))return e.k?jt(e.k):Zt(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],wt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return  true},wn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Ce(t)){if(Xt(t)&&wt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!mt(t))throw new TypeError(dt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},hn=(e,t,r)=>{if(Ce(t))switch(r){case "decrypt":case "sign":if(zt(t)&&wt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(Yt(t)&&wt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!mt(t))throw new TypeError(dt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},er=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?wn(e,t,r):hn(e,t,r);};var tr=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new D(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var rr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Bt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return $t(t,e,r),t};var ne=e=>Math.floor(e.getTime()/1e3);var bn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Be=e=>{let t=bn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function le(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var v,Ve=class{constructor(t){O(this,v);if(!Ne(t))throw new TypeError("JWT Claims Set MUST be an object");U(this,v,structuredClone(t));}data(){return Q.encode(JSON.stringify(y(this,v)))}get iss(){return y(this,v).iss}set iss(t){y(this,v).iss=t;}get sub(){return y(this,v).sub}set sub(t){y(this,v).sub=t;}get aud(){return y(this,v).aud}set aud(t){y(this,v).aud=t;}set jti(t){y(this,v).jti=t;}set nbf(t){typeof t=="number"?y(this,v).nbf=le("setNotBefore",t):t instanceof Date?y(this,v).nbf=le("setNotBefore",ne(t)):y(this,v).nbf=ne(new Date)+Be(t);}set exp(t){typeof t=="number"?y(this,v).exp=le("setExpirationTime",t):t instanceof Date?y(this,v).exp=le("setExpirationTime",ne(t)):y(this,v).exp=ne(new Date)+Be(t);}set iat(t){typeof t>"u"?y(this,v).iat=ne(new Date):t instanceof Date?y(this,v).iat=le("setIssuedAt",ne(t)):typeof t=="string"?y(this,v).iat=le("setIssuedAt",ne(new Date)+Be(t)):y(this,v).iat=le("setIssuedAt",t);}};v=new WeakMap;var nr=async(e,t,r)=>{let n=await rr(e,t,"sign");Ft(e,n);let o=await crypto.subtle.sign(tr(e,n.algorithm),n,r);return new Uint8Array(o)};var Te,W,G,Fe=class{constructor(t){O(this,Te);O(this,W);O(this,G);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");U(this,Te,t);}setProtectedHeader(t){if(y(this,W))throw new TypeError("setProtectedHeader can only be called once");return U(this,W,t),this}setUnprotectedHeader(t){if(y(this,G))throw new TypeError("setUnprotectedHeader can only be called once");return U(this,G,t),this}async sign(t,r){if(!y(this,W)&&!y(this,G))throw new ee("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Vt(y(this,W),y(this,G)))throw new ee("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...y(this,W),...y(this,G)},o=qt(ee,new Map([["b64",true]]),r?.crit,y(this,W),n),a=true;if(o.has("b64")&&(a=y(this,W).b64,typeof a!="boolean"))throw new ee('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new ee('JWS "alg" (Algorithm) Header Parameter missing or invalid');er(i,t,"sign");let s=y(this,Te);a&&(s=Q.encode($e(s)));let c;y(this,W)?c=Q.encode($e(JSON.stringify(y(this,W)))):c=Q.encode("");let u=Lt(c,Q.encode("."),s),l=await Qt(t,i),f=await nr(i,l,u),d={signature:$e(f),payload:""};return a&&(d.payload=me.decode(s)),y(this,G)&&(d.header=y(this,G)),y(this,W)&&(d.protected=me.decode(c)),d}};Te=new WeakMap,W=new WeakMap,G=new WeakMap;var Se,Ge=class{constructor(t){O(this,Se);U(this,Se,new Fe(t));}setProtectedHeader(t){return y(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await y(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var oe,M,fe=class{constructor(t={}){O(this,oe);O(this,M);U(this,M,new Ve(t));}setIssuer(t){return y(this,M).iss=t,this}setSubject(t){return y(this,M).sub=t,this}setAudience(t){return y(this,M).aud=t,this}setJti(t){return y(this,M).jti=t,this}setNotBefore(t){return y(this,M).nbf=t,this}setExpirationTime(t){return y(this,M).exp=t,this}setIssuedAt(t){return y(this,M).iat=t,this}setProtectedHeader(t){return U(this,oe,t),this}async sign(t,r){let n=new Ge(y(this,M).data());if(n.setProtectedHeader(y(this,oe)),Array.isArray(y(this,oe)?.crit)&&y(this,oe).crit.includes("b64")&&y(this,oe).b64===false)throw new xe("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};oe=new WeakMap,M=new WeakMap;var Sn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),qe=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return Sn(r)},N=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,s={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(s.nonce=n),o&&(s.ath=o),await new fe(s).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var _=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function de(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,s=Math.floor(Date.now()/1e3),c=s+Math.max(60,Math.min(i,3600)),u={child_jkt:n,client_id:o,aud:"issuer",iat:s,exp:c,jti:crypto.randomUUID()};return a&&(u.sid=a),await new fe(u).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Ie(e){let t=e.status,r=Array.from(e.headers.keys()).some(s=>s.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let s=await e.clone().json();n=typeof s?.error=="string"?s.error:void 0,o=typeof s?.detail=="string"?s.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function pe(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},ht=createContext(void 0);function cr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function kn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var bt=({children:e,clientId:t})=>{let[r,n]=useState(Re),o=useRef(false),[a,i]=useState(false),s=useMemo(()=>Ae(t),[t]);useEffect(()=>{let p=true;return (async()=>{let I=await C(s)??await C(Ue)??cr(s);p&&(n({...Re,...I}),o.current=true,i(true));})(),()=>{p=false;}},[s]),useEffect(()=>{o.current&&(async()=>(await g(s,r),kn(s,r)))();},[r,s]);let c=useCallback(p=>n(w=>({...w,refreshId:p})),[]),u=useCallback(p=>n(w=>({...w,lastPolicyHash:p})),[]),l=useCallback(p=>n(w=>({...w,lastPolicyProof:p})),[]),f=useCallback(p=>n(w=>({...w,lastHost:p})),[]),d=useCallback(p=>n(w=>({...w,rootJkt:p})),[]),h=async()=>{try{let p=localStorage.getItem(s);if(p){let w=JSON.parse(p);if(typeof w?.refreshId=="string"&&w.refreshId)return w.refreshId}}catch{}try{let p=await C(s);if(typeof p?.refreshId=="string"&&p.refreshId)return p.refreshId}catch{}return null},m=useCallback(p=>n(w=>({...w,boundWallet:p})),[]),R=useCallback(p=>n(w=>({...w,clientId:p})),[]),k=useCallback(p=>n(w=>({...w,jkt:p})),[]),P=useCallback(()=>n(Re),[]),b=useCallback(async()=>{let w=await C(s)??cr(s);n({...Re,...w});},[]),S=useMemo(()=>({meta:r,setBoundWallet:m,setClientId:R,setJkt:k,resetMeta:P,reload:b,setRefreshId:c,getRefreshId:h,ready:a,setLastPolicyHash:u,setLastPolicyProof:l,setLastHost:f,setRootJkt:d}),[r,m,R,k,P,b,a,c,h,u,l,f,d]);return jsx(ht.Provider,{value:S,children:e})};function St(){let e=useContext(ht);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var lr=`${x}:wrap`;async function ze(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${x}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return  false}}async function vn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!0,["sign","verify"]),t=`${x}:probe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return  false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function fr(){let e=await C(lr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(lr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Rt(e){let t=await fr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Kn(e,t){let r=await fr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var gt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let c=await C(x);if(!c)return  false;if(c.fmt==="cryptokey"){let l=c;if(!l.privKey)return await g(x,void 0),false;let f=l.privKey;try{if(f.extractable&&await ze()){let h=await crypto.subtle.exportKey("jwk",f),m=await crypto.subtle.importKey("jwk",h,{name:"ECDSA",namedCurve:E},!1,["sign"]),R={fmt:"cryptokey",privKey:m,pubJwk:ke(l.pubJwk)};await g(x,R),f=m;}}catch{}return e.current=f,t.current=ke(l.pubJwk),true}if(c.fmt==="encjwk"){let l=c;try{let f=await Kn(l.encPrivJwk,l.iv),d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=d,t.current=ke(l.pubJwk),!0}catch{return await g(x,void 0),false}}let u=c;if(u&&u.d){let{d:l,...f}=u,d=ke(f),h=await ze(),m=h||await vn();if(m&&h){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:d}),e.current=b,t.current=d,true}if(m){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},true,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:d}),e.current=b,t.current=d,true}let{encPrivJwk:R,iv:k}=await Rt(u);await g(x,{fmt:"encjwk",encPrivJwk:R,iv:k,pubJwk:d});let P=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return e.current=P,t.current=d,true}return await g(x,void 0),false},[]),n=useCallback(async(c,u)=>{await g(x,{fmt:"cryptokey",privKey:c,pubJwk:u});},[]),o=useCallback(async(c,u)=>{let{encPrivJwk:l,iv:f}=await Rt(c);await g(x,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:u});},[]),a=useCallback(async()=>{if(e.current&&t.current||await r())return;let c=await ze(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await n(d,l),e.current=d,t.current=l;}else {await o(f,l);let d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=d,t.current=l;}},[r,n,o]),i=useCallback(async()=>{let c=await ze(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(x,{fmt:"cryptokey",privKey:d,pubJwk:l}),e.current=d,t.current=l;}else {let{encPrivJwk:d,iv:h}=await Rt(f);await g(x,{fmt:"encjwk",encPrivJwk:d,iv:h,pubJwk:l});let m=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=m,t.current=l;}},[]),s=useCallback(async()=>{await g(x,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:s,privRef:e,pubJwkRef:t}};var z="sunbreak_root_key_v1",pr=`${z}:wrap`;async function yr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${z}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return  false}}function Ye(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function mr(){let e=await C(pr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(pr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function An(e){let t=await mr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function xn(e,t){let r=await mr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Et=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let a=await C(z);if(!a)return  false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await g(z,void 0),false;let s=i.privKey;try{if(s.extractable&&await yr()){let u=await crypto.subtle.exportKey("jwk",s),l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},!1,["sign"]),f={fmt:"cryptokey",privKey:l,pubJwk:Ye(i.pubJwk),createdAt:i.createdAt};await g(z,f),s=l;}}catch{}return e.current=s,t.current=Ye(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let s=await xn(i.encPrivJwk,i.iv),c=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=c,t.current=Ye(i.pubJwk),!0}catch{return await g(z,void 0),false}}return await g(z,void 0),false},[]),n=useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await yr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),s=Ye(await crypto.subtle.exportKey("jwk",i.publicKey)),c=Date.now(),u=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(z,{fmt:"cryptokey",privKey:l,pubJwk:s,createdAt:c}),e.current=l,t.current=s;}else {let{encPrivJwk:l,iv:f}=await An(u);await g(z,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:s,createdAt:c});let h=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=h,t.current=s;}},[r]),o=useCallback(async()=>{await g(z,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var Cn=()=>crypto.randomUUID(),wr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:s,refreshDeps:c=[]}=e,u=it(n),l=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:f,setBoundWallet:d,setJkt:h,setRefreshId:m,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,ready:p}=St(),{ensureRootKeypair:w,rootPrivRef:I,rootPubJwkRef:L}=Et(),We=useCallback(async()=>{await w();try{if(!f.rootJkt&&L.current){let ce=await _(L.current);S(ce);}}catch{}},[w,f.rootJkt,L]),{ensureKeypair:te,rotate:Ee,privRef:A,pubJwkRef:_e}=gt(),[Le,At]=useState(false),[J,V]=useState(0),[j,Z]=useState(null),[ie,re]=useState(null),[Qe,et]=useState(null),[tt,Kr]=useState(null),[Ar,xr]=useState(null),[Cr,Tr]=useState(null),Jr=useRef(null),Ir=useRef(null),Dr=useRef(null),Wr=useRef(null),_r=useRef(null),Lr=useRef(null),Hr=useRef(null),Mr=useRef(false),jr=useRef(false),Or=useRef(void 0),He=useRef(false),rt=useRef(false),xt=useRef(null),se=useRef(null);se.current||(se.current=new Promise(ce=>{xt.current=ce;}));let nt=useRef(null),Ur=useRef(i),$r=useRef(null),Me=useRef(null),Ct=useRef(null),je=useRef(null),Tt=()=>Date.now(),Nr=()=>(je.current??0)>0&&je.current<Tt(),ot=useCallback((ce,zr=15e3)=>{let Jt=Cn();return Me.current=Jt,Ct.current=ce,je.current=Tt()+Math.max(1e3,zr),Jt},[]),Br=useCallback(()=>((!Me.current||Nr())&&ot("adhoc",1e4),Me.current),[ot]),at=useRef(null),Oe=useRef(null);Oe.current||(Oe.current=new Promise(ce=>{at.current=ce;}));let Vr=useCallback(async()=>{!He.current&&Oe.current&&await Oe.current;},[]),Fr=useCallback(()=>{He.current||(He.current=true,at.current?.(),at.current=null);},[]),Gr=useCallback(async()=>{!rt.current&&se.current&&await se.current;},[]),qr=useCallback(async()=>{!rt.current&&se.current&&await se.current,nt.current&&await nt.current;},[]);return {clientId:t,wallet:r,baseUrl:u,fetchImpl:l,timeoutMs:a,providerAdapter:s,refreshDeps:c,ensureKeypair:te,rotate:Ee,ensureRootKeypair:We,rootPrivRef:I,rootPubJwkRef:L,privRef:A,pubJwkRef:_e,meta:f,setBoundWallet:d,setJkt:h,setRefreshId:m,accessTokenRef:Dr,tokenExpRef:Wr,authenticated:Le,setAuthenticated:At,loadingCount:J,setLoadingCount:V,error:j,setError:Z,allowed:ie,setAllowed:re,denyReason:Qe,setDenyReason:et,sessionExpiry:tt,setSessionExpiry:Kr,sessionData:Ar,setSessionData:xr,verifyData:Cr,setVerifyData:Tr,authWalletRef:Ir,refreshLock:_r,registerLock:Lr,sessionLock:Hr,didInitialRefresh:Mr,didInitialSession:jr,prevWalletRef:Or,initResolvedRef:rt,initReady:se,initResolveRef:xt,rotateLock:nt,waitReady:Gr,awaitKeyStable:qr,proofRef:Ur,registerCooldownUntilRef:Jr,reqIdRef:Me,flowLabelRef:Ct,flowExpireRef:je,beginFlow:ot,currentReqId:Br,awaitProbe:Vr,markProbed:Fr,hasProbedRef:He,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,metaReady:p,probeLock:$r}};var B=e=>e.accessTokenRef.current??null,Y=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},T=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Tn=(e,t)=>`${e.toUpperCase()} ${t}`;async function De(e,t,r){if(!t)return  false;let n=De._nonceCacheRef||(De._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let p=await _(e.rootPubJwkRef.current);e.setRootJkt?.(p);}catch{}let b=await _(T(e)),S=await e.getRefreshId();o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:b,clientId:e.clientId,sid:S||void 0,ttlSec:300});}}catch{}let a=e.currentReqId(),i="/auth/register",s=`${e.baseUrl}${i}`,c=new URL(e.baseUrl).origin,u="POST",l=`${c}${i}`,f=Tn(u,l),d=n.map.get(f),h=await N({method:u,url:l,nonce:d,privateKey:Y(e),publicJwk:T(e)}),m=async b=>e.fetchImpl(s,{method:u,headers:{"content-type":"application/json","x-sunbreak-meta":$(e,{reqId:a,pode:o||void 0}),...b},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),R=await m({DPoP:h}),k=b=>{let S=b.headers.get("dpop-nonce");S&&n.map.set(f,S);};if(R.status===401){let b=R.headers.get("www-authenticate"),p=(b&&b.match(/dpop-nonce="([^"]+)"/i))?.[1];if(p){n.map.set(f,p);let w=await N({method:u,url:l,nonce:p,privateKey:Y(e),publicJwk:T(e)});R=await m({DPoP:w});}}if(k(R),!R.ok){let b=await Ie(R);if((R.headers.get("content-type")||"").includes("application/json")){let p;try{p=await R.clone().json();}catch{}let w=Je(p&&(p.error||p.message||p.detail)||`HTTP ${R.status}`);throw pe(w,b)}else {let p=b.waf?"Blocked by WAF (403)":b.alb403?"Blocked at origin (ALB 403)":`HTTP ${R.status}`;throw pe(p,b)}}let P=await R.json();e.accessTokenRef.current=P.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let b=Math.floor(Date.now()/1e3);e.tokenExpRef.current=b+(P.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await _(T(e)));}catch{}try{let b={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:P.refreshId??null};e.setRefreshId(P.refreshId??null);let S=Ae(e.clientId);await g(S,b);try{localStorage.setItem(S,JSON.stringify(b));}catch{}}catch{}return !0}catch(o){let a=Number(o?.status||0),i=String(o?.code||""),s=String(o?.message||""),c=Math.floor(Math.random()*1e3);if((a===401||a===403)&&i.toLowerCase()==="replay"){if(e.providerAdapter)try{let u=await e.providerAdapter.getToken()??null;if(u)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Pe(e.providerAdapter,u),e.registerCooldownUntilRef.current=Date.now()+5e3+c,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+c,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+c,false}if(a===403&&(o?.waf||o?.alb403))return e.setError(s||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+c,false;if(a===403)return e.setError(i||s||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+c,false;if(a===429||a===503){e.setError(i||s||"Rate limited / unavailable");let u=a===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+u+c,false}return e.setError(i||s||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}}var Jn=(e,t)=>`${e.toUpperCase()} ${t}`;function Xe(e){if(e.refreshLock.current)return e.refreshLock.current;if(e.registerLock.current){let t=e.registerLock.current.then(()=>{if(e.authenticated&&B(e))return  true;if(B(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return  true}return  false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.refreshLock.current=(async()=>{try{if(await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let t=B(e);if(t){let S=e.tokenExpRef.current,p=Math.floor(Date.now()/1e3);if(!!t&&!!S&&S-p>5)return !0}e.beginFlow("refresh",15e3);let r=e.currentReqId();await e.ensureKeypair();let n;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let w=await _(e.rootPubJwkRef.current);e.setRootJkt?.(w);}catch{}let S=await _(T(e)),p=await e.getRefreshId();n=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:S,clientId:e.clientId,sid:p||void 0,ttlSec:300});}}catch{}let o="/auth/refresh",a=`${e.baseUrl}${o}`,i=new URL(e.baseUrl).origin,s="POST",c=`${i}${o}`,u=Jn(s,c),l=Xe._nonceCacheRef||(Xe._nonceCacheRef={map:new Map}),f=async S=>await N({method:s,url:c,nonce:S,privateKey:Y(e),publicJwk:T(e)}),d=await e.getRefreshId(),h={"x-sunbreak-meta":$(e,{reqId:r,refreshId:d||void 0,pode:n||void 0}),"content-type":"application/json"},m=async S=>e.fetchImpl(a,{method:s,headers:{DPoP:S,...h},credentials:"include",body:"{}"}),R=S=>{let p=S.headers.get("dpop-nonce");p&&l.map.set(u,p);},k=await m(await f(l.map.get(u)));if(k.status===401){let S=k.headers.get("www-authenticate"),w=(S&&S.match(/dpop-nonce="([^"]+)"/i))?.[1];w&&(l.map.set(u,w),k=await m(await f(w)));}if(R(k),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let p=await k.clone().json().catch(()=>{}),w=p&&(p.error||p.code||p.message)||"",I=String(w).toLowerCase();if(I.includes("missing")&&I.includes("refresh")){try{e.setRefreshId?.(null);}catch{}try{e.setBoundWallet?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}}}catch{}return !1}let P=await k.json();e.accessTokenRef.current=P.access,e.setAuthenticated(!0);let b=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=b?b.toLowerCase():null;try{let S=Math.floor(Date.now()/1e3);e.tokenExpRef.current=S+(P.expiresIn??0);}catch{}try{e.setJkt(await _(T(e)));}catch{}return P.refreshId&&e.setRefreshId(P.refreshId),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var In=(e,t)=>`${e.toUpperCase()} ${t}`,Pt=new Map;async function hr(e){if(e.probeLock?.current)return e.probeLock.current;if(e.hasProbedRef.current)return;let t=n=>{try{e.probeLock&&(e.probeLock.current=n);}catch{}},r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let o;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let m=await _(T(e));o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:m,clientId:e.clientId,ttlSec:300});}catch{}let a="POST",i="/auth/probe",s=`${e.baseUrl}${i}`,c=`${n}${i}`,u=In(a,c),l=async m=>e.fetchImpl(s,{method:a,headers:{DPoP:m,"x-sunbreak-meta":$(e,{pode:o}),"content-type":"application/json"},credentials:"include",body:"{}"}),f=async m=>await N({method:a,url:c,nonce:m,privateKey:Y(e),publicJwk:T(e)}),d=await l(await f(Pt.get(u))),h=m=>{let R=m.headers.get("dpop-nonce");R&&Pt.set(u,R);};if(h(d),d.status===401){let m=d.headers.get("www-authenticate"),k=(m&&m.match(/dpop-nonce="([^"]+)"/i))?.[1];k&&(Pt.set(u,k),d=await l(await f(k)),h(d));}e.markProbed();}catch{e.markProbed();}})();t(r);try{await r;}finally{t(null);}}var br=e=>{let t=useCallback(()=>Xe(e),[e]),r=useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a||!e.wallet||!e.initResolvedRef.current||e.refreshLock.current||e.registerLock.current)return;let i=e.wallet,s=e.meta.boundWallet;if(i&&s&&i.toLowerCase()===s.toLowerCase()&&!e.didInitialRefresh.current)return;let u=e.proofRef.current;!u||!(!B(e)||e.meta.boundWallet!==e.wallet)||(await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await De(e,e.wallet,u)&&(e.didInitialSession.current=!0);}catch(d){e.setError(d?.message||String(d)||"Register failed");}finally{e.registerLock.current=null;}})());},[e]),n=useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Pe(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a)=>De(e,o,a),attemptRegister:r,setProofFromAdapterToken:n}};var Dn=(e,t)=>`${e.toUpperCase()} ${t}`,Wn=(e,t)=>!!e&&!!t&&e.toLowerCase()===t.toLowerCase();async function Ze(e,t,r,n,o,a={}){e.setLoadingCount(u=>u+1),e.setError(null);let i=n.startsWith("/api/session"),s=new AbortController,c=setTimeout(()=>s.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?ct(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,d=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,h=Dn(r,d),m=n.startsWith("/auth/"),R=!1,k=!1,P=e.currentReqId(),b=Ze._nonceCacheRef||(Ze._nonceCacheRef={map:new Map}),S=J=>{let V=J.headers.get("dpop-nonce");V&&b.map.set(h,V);},p=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),w=()=>m||!e.wallet?!1:!!(e.authenticated||Wn(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),I,L,We=async()=>{if(m||p)return;try{let ie=B(e),re=e.tokenExpRef.current,Qe=Math.floor(Date.now()/1e3),et=!!re&&re-Qe<=60;if(ie){if(et&&!await t().catch(()=>!1))return}else if(!w()||!await t().catch(()=>!1))return}catch{}let J=B(e);if(!J)return;let V=await qe(J),j=b.map.get(h),Z=await N({method:r,url:d,nonce:j,ath:V,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=Z;};await We();let te={"content-type":"application/json","x-sunbreak-auth":I||"","x-sunbreak-meta":$(e,{reqId:P,auth:I,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...ut(a.headers)};L&&(te.DPoP=L);let Ee=async()=>e.fetchImpl(l,{...a,method:r,headers:te,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:s.signal}),A=await Ee(),_e=A.headers.get("x-sunbreak-policy-hash"),Le=A.headers.get("x-sunbreak-policy-proof");if(_e&&e.setLastPolicyHash(_e),Le&&e.setLastPolicyProof(Le),S(A),A.status===401&&!m){let J=B(e),V=A.headers.get("www-authenticate"),Z=(V&&V.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!p&&Z&&J&&!k){k=!0,b.map.set(h,Z);let ie=await qe(J),re=await N({method:r,url:d,nonce:Z,ath:ie,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=re,te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),te.DPoP=L,A=await Ee(),S(A);}if(A.status===401&&!R&&(R=!0,!p&&w())){let ie=await t(),re=B(e);ie&&re&&!p&&(await We(),te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),L&&(te.DPoP=L),A=await Ee(),S(A));}if(A.status===401)throw new Error("Unauthorized")}if(!A.ok){let J=await Ie(A);if((A.headers.get("content-type")||"").includes("application/json")){let j=await A.json().catch(()=>{}),Z=Je(j&&(j.error||j.message||j.detail)||`HTTP ${A.status}`);throw pe(Z,J)}else {let j=J.waf?"Blocked by WAF (403)":J.alb403?"Blocked at origin (ALB 403)":`HTTP ${A.status}`;throw pe(j,J)}}return (A.headers.get("content-type")||"").includes("application/json")?await A.json():void 0}finally{clearTimeout(c),e.setLoadingCount(u=>Math.max(0,u-1));}}var Sr=(e,t)=>useCallback(async(r,n,o,a={})=>Ze(e,t,r,n,o,a),[e,t]);async function Rr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function gr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var Er=(e,t)=>{let r=useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await Rr(e,t)}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=useCallback(async()=>{if(e.wallet)return await gr(e,t)},[e,t]);return {session:r,verify:n}};var Pr=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;useEffect(()=>{return (async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.ensureRootKeypair(),await hr(e);}catch{}})(),()=>{}},[]);let s=()=>(e.registerCooldownUntilRef.current??0)>Date.now();useEffect(()=>{let c=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==c&&(e.didInitialRefresh.current=false),!e.wallet){e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}c&&e.wallet&&c!==e.wallet&&(e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}));},[e.wallet]),useEffect(()=>{if(!e.providerAdapter||s()||!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let l=false;return (async()=>{try{let f=await e.providerAdapter.getToken()??null;if(await e.awaitKeyStable(),l||!f)return;await a(f),await o();}catch{}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef,e.didInitialRefresh,...e.refreshDeps]),useEffect(()=>{if(typeof i<"u"&&(e.proofRef.current=i??null),!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let f=!!c,d=!!e.proofRef.current,h=!!c&&!!e.authWalletRef.current&&c.toLowerCase()!==e.authWalletRef.current.toLowerCase();f&&d&&!e.authenticated&&!h&&e.initResolvedRef.current&&!s()&&o();},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef,e.didInitialRefresh,o]),useEffect(()=>{let c=e.wallet,u=e.meta.boundWallet,l=!!(u||e.meta.refreshId);if(!e.metaReady||e.didInitialRefresh.current)return;let f=true;return (async()=>{try{if(await e.waitReady(),e.accessTokenRef.current||e.authenticated){e.didInitialRefresh.current=!0,c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}let d=!!c&&!l,h=!c&&!l;if(l&&!c){e.didInitialRefresh.current=!0;return}if(d||h){e.didInitialRefresh.current=!0;return}if(c&&u&&c.toLowerCase()!==u.toLowerCase()){e.didInitialRefresh.current=!0;return}e.didInitialRefresh.current=!0;let m=await r();if(!f)return;e.setAuthenticated(m),m&&c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(d){if(!f)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(d?.message||String(d)||"Unknown error");}})(),()=>{f=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,e.didInitialRefresh,r,n]),useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{await n();}catch(c){e.setError(c?.message||String(c));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),useEffect(()=>{let u=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return  false;let d=e.tokenExpRef.current;if(!d)return  false;let h=Math.floor(Date.now()/1e3);return d-h<=30},l=async()=>{try{u()&&await r();}catch{}},f=async()=>{document.visibilityState==="visible"&&await l();};return window.addEventListener("focus",l),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",l),document.removeEventListener("visibilitychange",f);}},[e,r]),useEffect(()=>{let l=()=>{let h=Math.floor(Date.now()/1e3),m=e.tokenExpRef.current,R=e.sessionExpiry,k=!!m&&m-h<=30&&m-h>0,P=!!R&&R-h<=3600&&R-h>0;return {tokenSoon:k,sessionSoon:P}},f=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:h,sessionSoon:m}=l();(h||m)&&await r()&&m&&await n();}catch{}},d=async()=>{document.visibilityState==="visible"&&await f();};return window.addEventListener("focus",f),document.addEventListener("visibilitychange",d),()=>{window.removeEventListener("focus",f),document.removeEventListener("visibilitychange",d);}},[e,e.sessionExpiry,r,n]);};var vr=createContext(void 0),jn=e=>{let t=wr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=br(t),a=Sr(t,r),{session:i,verify:s}=Er(t,a);Pr(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let c=useMemo(()=>({get:(u,l)=>a("GET",u,void 0,l),post:(u,l,f)=>a("POST",u,l,f),verify:s,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,s,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsx(vr.Provider,{value:c,children:e.children})},On=e=>jsx(bt,{clientId:e.clientId,children:jsx(jn,{...e})}),Un=()=>{let e=useContext(vr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
+var on=Object.defineProperty;var Mt=e=>{throw TypeError(e)};var an=(e,t,r)=>t in e?on(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var M=(e,t,r)=>an(e,typeof t!="symbol"?t+"":t,r),$t=(e,t,r)=>t.has(e)||Mt("Cannot "+r);var h=(e,t,r)=>($t(e,t,"read from private field"),r?r.call(e):t.get(e)),j=(e,t,r)=>t.has(e)?Mt("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),N=(e,t,r,n)=>($t(e,t,"write to private field"),t.set(e,r),r);var ve=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var sn="sunbreak-kv",Ae="kv",Fe="sunbreak_dpop_meta_v1",T="sunbreak_dpop_key_v1",xe="ES256",v="P-256",Ke=e=>`${Fe}:${e}`,Ot=()=>new Promise((e,t)=>{let r=indexedDB.open(sn,1);r.onupgradeneeded=()=>r.result.createObjectStore(Ae),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),I=async e=>{try{let t=await Ot();return await new Promise((r,n)=>{let a=t.transaction(Ae,"readonly").objectStore(Ae).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},R=async(e,t)=>{let r=await Ot();await new Promise((n,o)=>{let i=r.transaction(Ae,"readwrite").objectStore(Ae).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var cn=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},ln=e=>e.replace(/\/+$/,""),ft=e=>{let t=ln(e);return cn(t)};function pt(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=un(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var un=e=>{for(let t=0;t<dt.length;t++){let r=dt[Math.floor(Math.random()*dt.length)].toLowerCase();if(r!==e)return r}return "alpha"},dt=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var F=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var fn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),dn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),pn=new Set(["dpop","x-sunbreak-meta"]),hn=64,Ut=2048,yn=64;function ht(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=yn)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>hn||fn.has(i)||dn.has(i)||pn.has(i))continue;let c=String(a);c.length>Ut&&(c=c.slice(0,Ut)),t[i]=c,n++;}return t}var re=new TextEncoder,me=new TextDecoder;function jt(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Nt(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Ft(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function Bt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Ft(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Be(e){let t=e;return typeof t=="string"&&(t=re.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Nt(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ue=class extends Error{constructor(r,n){super(r,n);M(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};M(ue,"code","ERR_JOSE_GENERIC");var D=class extends ue{constructor(){super(...arguments);M(this,"code","ERR_JOSE_NOT_SUPPORTED");}};M(D,"code","ERR_JOSE_NOT_SUPPORTED");var ne=class extends ue{constructor(){super(...arguments);M(this,"code","ERR_JWS_INVALID");}};M(ne,"code","ERR_JWS_INVALID");var Ce=class extends ue{constructor(){super(...arguments);M(this,"code","ERR_JWT_INVALID");}};M(Ce,"code","ERR_JWT_INVALID");var Vt,Gt,yt=class extends(Gt=ue,Vt=Symbol.asyncIterator,Gt){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);M(this,Vt);M(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};M(yt,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function q(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function mt(e){return parseInt(e.name.slice(4),10)}function gn(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function bn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function qt(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw q("HMAC");let n=parseInt(t.slice(2),10);if(mt(e.algorithm.hash)!==n)throw q(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw q("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(mt(e.algorithm.hash)!==n)throw q(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw q("RSA-PSS");let n=parseInt(t.slice(2),10);if(mt(e.algorithm.hash)!==n)throw q(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw q("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw q(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw q("ECDSA");let n=gn(t);if(e.algorithm.namedCurve!==n)throw q(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}bn(e,r);}function zt(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Xt=(e,...t)=>zt("Key must be ",e,...t);function wt(e,t,...r){return zt(`Key for the ${e} algorithm must be `,t,...r)}function gt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function bt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var St=e=>gt(e)||bt(e);var Yt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return  true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return  false;r.add(a);}}return  true};function Sn(e){return typeof e=="object"&&e!==null}var Ve=e=>{if(!Sn(e)||Object.prototype.toString.call(e)!=="[object Object]")return  false;if(Object.getPrototypeOf(e)===null)return  true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Zt=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function Rn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new D('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var Qt=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=Rn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var er=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new D(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Te(e){return Ve(e)&&typeof e.kty=="string"}function tr(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function rr(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function nr(e){return e.kty==="oct"&&typeof e.k=="string"}var ge,or=async(e,t,r,n=false)=>{ge||(ge=new WeakMap);let o=ge.get(e);if(o?.[r])return o[r];let a=await Qt({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:ge.set(e,{[r]:a}),a},kn=(e,t)=>{ge||(ge=new WeakMap);let r=ge.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let c=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!c)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&c==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES384"&&c==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES512"&&c==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:c},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:ge.set(e,{[t]:a}),a},ar=async(e,t)=>{if(e instanceof Uint8Array||gt(e))return e;if(bt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return kn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return or(e,r,t)}if(Te(e))return e.k?Bt(e.k):or(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],Rt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return  true},Pn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Te(t)){if(nr(t)&&Rt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!St(t))throw new TypeError(wt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},vn=(e,t,r)=>{if(Te(t))switch(r){case "decrypt":case "sign":if(tr(t)&&Rt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(rr(t)&&Rt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!St(t))throw new TypeError(wt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},ir=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?Pn(e,t,r):vn(e,t,r);};var sr=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new D(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var cr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Xt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return qt(t,e,r),t};var ae=e=>Math.floor(e.getTime()/1e3);var An=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Ge=e=>{let t=An.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function fe(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var x,qe=class{constructor(t){j(this,x);if(!Ve(t))throw new TypeError("JWT Claims Set MUST be an object");N(this,x,structuredClone(t));}data(){return re.encode(JSON.stringify(h(this,x)))}get iss(){return h(this,x).iss}set iss(t){h(this,x).iss=t;}get sub(){return h(this,x).sub}set sub(t){h(this,x).sub=t;}get aud(){return h(this,x).aud}set aud(t){h(this,x).aud=t;}set jti(t){h(this,x).jti=t;}set nbf(t){typeof t=="number"?h(this,x).nbf=fe("setNotBefore",t):t instanceof Date?h(this,x).nbf=fe("setNotBefore",ae(t)):h(this,x).nbf=ae(new Date)+Ge(t);}set exp(t){typeof t=="number"?h(this,x).exp=fe("setExpirationTime",t):t instanceof Date?h(this,x).exp=fe("setExpirationTime",ae(t)):h(this,x).exp=ae(new Date)+Ge(t);}set iat(t){typeof t>"u"?h(this,x).iat=ae(new Date):t instanceof Date?h(this,x).iat=fe("setIssuedAt",ae(t)):typeof t=="string"?h(this,x).iat=fe("setIssuedAt",ae(new Date)+Ge(t)):h(this,x).iat=fe("setIssuedAt",t);}};x=new WeakMap;var lr=async(e,t,r)=>{let n=await cr(e,t,"sign");Zt(e,n);let o=await crypto.subtle.sign(sr(e,n.algorithm),n,r);return new Uint8Array(o)};var Ie,L,z,ze=class{constructor(t){j(this,Ie);j(this,L);j(this,z);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");N(this,Ie,t);}setProtectedHeader(t){if(h(this,L))throw new TypeError("setProtectedHeader can only be called once");return N(this,L,t),this}setUnprotectedHeader(t){if(h(this,z))throw new TypeError("setUnprotectedHeader can only be called once");return N(this,z,t),this}async sign(t,r){if(!h(this,L)&&!h(this,z))throw new ne("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Yt(h(this,L),h(this,z)))throw new ne("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...h(this,L),...h(this,z)},o=er(ne,new Map([["b64",true]]),r?.crit,h(this,L),n),a=true;if(o.has("b64")&&(a=h(this,L).b64,typeof a!="boolean"))throw new ne('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new ne('JWS "alg" (Algorithm) Header Parameter missing or invalid');ir(i,t,"sign");let c=h(this,Ie);a&&(c=re.encode(Be(c)));let u;h(this,L)?u=re.encode(Be(JSON.stringify(h(this,L)))):u=re.encode("");let s=jt(u,re.encode("."),c),l=await ar(t,i),d=await lr(i,l,s),f={signature:Be(d),payload:""};return a&&(f.payload=me.decode(c)),h(this,z)&&(f.header=h(this,z)),h(this,L)&&(f.protected=me.decode(u)),f}};Ie=new WeakMap,L=new WeakMap,z=new WeakMap;var Se,Xe=class{constructor(t){j(this,Se);N(this,Se,new ze(t));}setProtectedHeader(t){return h(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await h(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var ie,$,de=class{constructor(t={}){j(this,ie);j(this,$);N(this,$,new qe(t));}setIssuer(t){return h(this,$).iss=t,this}setSubject(t){return h(this,$).sub=t,this}setAudience(t){return h(this,$).aud=t,this}setJti(t){return h(this,$).jti=t,this}setNotBefore(t){return h(this,$).nbf=t,this}setExpirationTime(t){return h(this,$).exp=t,this}setIssuedAt(t){return h(this,$).iat=t,this}setProtectedHeader(t){return N(this,ie,t),this}async sign(t,r){let n=new Xe(h(this,$).data());if(n.setProtectedHeader(h(this,ie)),Array.isArray(h(this,ie)?.crit)&&h(this,ie).crit.includes("b64")&&h(this,ie).b64===false)throw new Ce("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};ie=new WeakMap,$=new WeakMap;var xn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),Ye=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return xn(r)},B=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,c={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(c.nonce=n),o&&(c.ath=o),await new de(c).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var _=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function pe(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,c=Math.floor(Date.now()/1e3),u=c+Math.max(60,Math.min(i,3600)),s={child_jkt:n,client_id:o,aud:"issuer",iat:c,exp:u,jti:crypto.randomUUID()};return a&&(s.sid=a),await new de(s).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function We(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Je(e){let t=e.status,r=Array.from(e.headers.keys()).some(c=>c.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let c=await e.clone().json();n=typeof c?.error=="string"?c.error:void 0,o=typeof c?.detail=="string"?c.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function he(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},Et=createContext(void 0);function hr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function Tn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var kt=({children:e,clientId:t})=>{let[r,n]=useState(Re),o=useRef(false),[a,i]=useState(false),c=useMemo(()=>Ke(t),[t]);useEffect(()=>{let p=true;return (async()=>{let y=await I(c)??await I(Fe)??hr(c);p&&(n({...Re,...y}),o.current=true,i(true));})(),()=>{p=false;}},[c]),useEffect(()=>{o.current&&(async()=>(await R(c,r),Tn(c,r)))();},[r,c]);let u=useCallback(p=>n(g=>({...g,refreshId:p})),[]),s=useCallback(p=>n(g=>({...g,lastPolicyHash:p})),[]),l=useCallback(p=>n(g=>({...g,lastPolicyProof:p})),[]),d=useCallback(p=>n(g=>({...g,lastHost:p})),[]),f=useCallback(p=>n(g=>({...g,rootJkt:p})),[]),w=async()=>{try{let p=localStorage.getItem(c);if(p){let g=JSON.parse(p);if(typeof g?.refreshId=="string"&&g.refreshId)return g.refreshId}}catch{}try{let p=await I(c);if(typeof p?.refreshId=="string"&&p.refreshId)return p.refreshId}catch{}return null},S=useCallback(p=>n(g=>({...g,boundWallet:p})),[]),E=useCallback(p=>n(g=>({...g,clientId:p})),[]),m=useCallback(p=>n(g=>({...g,jkt:p})),[]),k=useCallback(()=>n(Re),[]),b=useCallback(async()=>{let g=await I(c)??hr(c);n({...Re,...g});},[]),H=useMemo(()=>({meta:r,setBoundWallet:S,setClientId:E,setJkt:m,resetMeta:k,reload:b,setRefreshId:u,getRefreshId:w,ready:a,setLastPolicyHash:s,setLastPolicyProof:l,setLastHost:d,setRootJkt:f}),[r,S,E,m,k,b,a,u,w,s,l,d,f]);return jsx(Et.Provider,{value:H,children:e})};function Pt(){let e=useContext(Et);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var mr=`${T}:wrap`;async function Ze(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},!1,["sign","verify"]),t=`${T}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await I(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return  false}}async function Jn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},!0,["sign","verify"]),t=`${T}:probe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await I(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return  false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=v,t.alg=xe,t.use="sig",t}async function wr(){let e=await I(mr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(mr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function vt(e){let t=await wr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Dn(e,t){let r=await wr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var At=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let u=await I(T);if(!u)return  false;if(u.fmt==="cryptokey"){let l=u;if(!l.privKey)return await R(T,void 0),false;let d=l.privKey;try{if(d.extractable&&await Ze()){let w=await crypto.subtle.exportKey("jwk",d),S=await crypto.subtle.importKey("jwk",w,{name:"ECDSA",namedCurve:v},!1,["sign"]),E={fmt:"cryptokey",privKey:S,pubJwk:ke(l.pubJwk)};await R(T,E),d=S;}}catch{}return e.current=d,t.current=ke(l.pubJwk),true}if(u.fmt==="encjwk"){let l=u;try{let d=await Dn(l.encPrivJwk,l.iv),f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},!1,["sign"]);return e.current=f,t.current=ke(l.pubJwk),!0}catch{return await R(T,void 0),false}}let s=u;if(s&&s.d){let{d:l,...d}=s,f=ke(d),w=await Ze(),S=w||await Jn();if(S&&w){let b=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);return await R(T,{fmt:"cryptokey",privKey:b,pubJwk:f}),e.current=b,t.current=f,true}if(S){let b=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},true,["sign"]);return await R(T,{fmt:"cryptokey",privKey:b,pubJwk:f}),e.current=b,t.current=f,true}let{encPrivJwk:E,iv:m}=await vt(s);await R(T,{fmt:"encjwk",encPrivJwk:E,iv:m,pubJwk:f});let k=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);return e.current=k,t.current=f,true}return await R(T,void 0),false},[]),n=useCallback(async(u,s)=>{await R(T,{fmt:"cryptokey",privKey:u,pubJwk:s});},[]),o=useCallback(async(u,s)=>{let{encPrivJwk:l,iv:d}=await vt(u);await R(T,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:s});},[]),a=useCallback(async()=>{if(e.current&&t.current||await r())return;let u=await Ze(),s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",s.publicKey)),d=await crypto.subtle.exportKey("jwk",s.privateKey);if(u){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);await n(f,l),e.current=f,t.current=l;}else {await o(d,l);let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);e.current=f,t.current=l;}},[r,n,o]),i=useCallback(async()=>{let u=await Ze(),s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",s.publicKey)),d=await crypto.subtle.exportKey("jwk",s.privateKey);if(u){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);await R(T,{fmt:"cryptokey",privKey:f,pubJwk:l}),e.current=f,t.current=l;}else {let{encPrivJwk:f,iv:w}=await vt(d);await R(T,{fmt:"encjwk",encPrivJwk:f,iv:w,pubJwk:l});let S=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);e.current=S,t.current=l;}},[]),c=useCallback(async()=>{await R(T,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:c,privRef:e,pubJwkRef:t}};var Y="sunbreak_root_key_v1",br=`${Y}:wrap`;async function Sr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},!1,["sign","verify"]),t=`${Y}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await I(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return  false}}function Qe(e){let t={...e};return delete t.d,t.kty="EC",t.crv=v,t.alg=xe,t.use="sig",t}async function Rr(){let e=await I(br);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(br,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Ln(e){let t=await Rr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function _n(e,t){let r=await Rr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Kt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let a=await I(Y);if(!a)return  false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await R(Y,void 0),false;let c=i.privKey;try{if(c.extractable&&await Sr()){let s=await crypto.subtle.exportKey("jwk",c),l=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},!1,["sign"]),d={fmt:"cryptokey",privKey:l,pubJwk:Qe(i.pubJwk),createdAt:i.createdAt};await R(Y,d),c=l;}}catch{}return e.current=c,t.current=Qe(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let c=await _n(i.encPrivJwk,i.iv),u=await crypto.subtle.importKey("jwk",c,{name:"ECDSA",namedCurve:v},!1,["sign"]);return e.current=u,t.current=Qe(i.pubJwk),!0}catch{return await R(Y,void 0),false}}return await R(Y,void 0),false},[]),n=useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await Sr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},true,["sign","verify"]),c=Qe(await crypto.subtle.exportKey("jwk",i.publicKey)),u=Date.now(),s=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);await R(Y,{fmt:"cryptokey",privKey:l,pubJwk:c,createdAt:u}),e.current=l,t.current=c;}else {let{encPrivJwk:l,iv:d}=await Ln(s);await R(Y,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:c,createdAt:u});let w=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);e.current=w,t.current=c;}},[r]),o=useCallback(async()=>{await R(Y,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var De=class e{constructor(t,r=false){this.colors={flow:"#00D9FF",state:"#00FF88",decision:"#FFB800",api:"#B388FF",guard:"#FFEA00",error:"#FF5252",warn:"#FF9100",info:"#90CAF9"};this.enabled=r,this.prefix=t?`[Sunbreak:${t.slice(0,8)}]`:"[Sunbreak]";}log(t,r,n){if(!this.enabled)return;let o=this.colors[t],a=new Date().toISOString().slice(11,23),i=this.getEmoji(t);console.log(`%c${i} ${this.prefix} [${a}] [${t.toUpperCase()}]%c ${r}`,`color: ${o}; font-weight: bold`,"color: inherit; font-weight: normal",n!==void 0?n:"");}getEmoji(t){switch(t){case "flow":return "\u{1F504}";case "state":return "\u{1F500}";case "decision":return "\u{1F914}";case "api":return "\u{1F4E1}";case "guard":return "\u{1F6E1}\uFE0F";case "error":return "\u274C";case "warn":return "\u26A0\uFE0F";case "info":return "\u2139\uFE0F";default:return "\u2022"}}flow(t,r,n){this.log("flow",`[${t.toUpperCase()}] ${r}`,n);}state(t,r,n,o){this.log("state",`${t} \u2192 ${r}: ${n}`,o);}decision(t,r,n,o){this.log("decision",`${t} = ${r?"\u2713 YES":"\u2717 NO"} (${n})`,o);}api(t,r,n){let o=n.status,i=o>=200&&o<300?"\u2713":"\u2717";this.log("api",`${i} ${t} ${r} \u2192 ${o}${n.error?` (${n.error})`:""}`,n.data);}guard(t,r,n,o){this.log("guard",`${t}: ${r?"\u2713 PASS":"\u2717 BLOCK"} (${n})`,o);}error(t,r){this.log("error",t,r);}warn(t,r){this.log("warn",t,r);}info(t,r){this.log("info",t,r);}group(t){this.enabled&&console.group(`${this.prefix} ${t}`);}groupEnd(){this.enabled&&console.groupEnd();}child(t){let r=new e(void 0,this.enabled);return r.prefix=`${this.prefix}[${t}]`,r}},Ct=null;function Er(){return Ct||(Ct=new De(void 0,true)),Ct}var et=class{constructor(t){this.currentState="unknown";this.previousState="unknown";this.logger=Er();this.hadSessionHistory=false;this.inActiveSession=false;t&&this.initialize(t);}initialize(t){this.logger.group("\u{1F527} Initializing Session State Machine");let r=!!(t.boundWallet||t.refreshId);this.hadSessionHistory=r,this.logger.info("Initial context",{wallet:t.wallet,boundWallet:t.boundWallet,refreshId:t.refreshId?"present":"null",hasToken:t.hasToken,authenticated:t.authenticated,hasHistory:r}),t.authenticated&&t.hasToken?(this.transition("authenticated","Has valid token"),this.inActiveSession=true):r?this.transition("refreshable","Has session history"):this.transition("unregistered","No session history"),this.logger.groupEnd();}transition(t,r){if(this.currentState===t){this.logger.info(`State unchanged: ${t} (${r})`);return}this.previousState=this.currentState,this.currentState=t,this.logger.state(this.previousState,t,r);}getState(){return this.currentState}isInActiveSession(){return this.inActiveSession}markHadSession(){this.hadSessionHistory||(this.logger.info("Marked hadSessionHistory = true"),this.hadSessionHistory=true);}clearSessionHistory(){this.logger.info("Cleared session history"),this.hadSessionHistory=false,this.inActiveSession=false;}onProbeComplete(t){if(this.logger.flow("probe","Probe completed, determining initial state"),this.currentState!=="unknown"){this.logger.warn("Probe called but state is not UNKNOWN",{currentState:this.currentState});return}!!(t.boundWallet||t.refreshId)||this.hadSessionHistory?this.transition("refreshable","Session history found"):this.transition("unregistered","No session history");}onRegisterSuccess(t){this.logger.flow("register","Register succeeded"),this.transition("authenticated","Register succeeded"),this.inActiveSession=true,this.hadSessionHistory=true;}onRegisterFailure(t){this.logger.flow("register",`Register failed: ${t}`);}onRefreshSuccess(t){this.logger.flow("refresh","Refresh succeeded"),this.transition("authenticated","Refresh succeeded"),this.inActiveSession=true;}onRefreshExpired(){this.logger.flow("refresh","Refresh failed: session expired (missing refresh identifier)"),this.transition("expired","Session expired"),this.inActiveSession=false;}onRefreshFailure(t){this.logger.flow("refresh",`Refresh failed: ${t}`);}onTokenExpired(){this.logger.flow("token","Token expired"),this.currentState==="authenticated"&&this.transition("refreshable","Token expired");}onWalletChange(t,r,n){if(this.logger.flow("wallet",`Wallet changed: ${t||"null"} \u2192 ${r||"null"}`),!r){this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;return}r.toLowerCase()===n.boundWallet?.toLowerCase()?this.hadSessionHistory&&this.transition("refreshable","Wallet reconnected with history"):(this.transition("unregistered","Wallet changed to different address"),this.inActiveSession=false);}onWalletDisconnect(){this.logger.flow("wallet","Wallet disconnected"),this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;}shouldAttemptProbe(){let t=this.currentState==="unknown";return this.logger.decision("Should attempt probe?",t,`State is ${this.currentState}`),t}shouldAttemptRefresh(t){if(this.currentState!=="refreshable"&&this.currentState!=="authenticated")return this.logger.decision("Should attempt refresh?",false,`State is ${this.currentState}, not REFRESHABLE or AUTHENTICATED`),false;if(!(t.boundWallet||t.wallet))return this.logger.decision("Should attempt refresh?",false,"No wallet available (neither boundWallet nor current wallet)"),false;if(t.wallet&&t.boundWallet&&t.wallet.toLowerCase()!==t.boundWallet.toLowerCase())return this.logger.decision("Should attempt refresh?",false,"Wallet mismatch"),false;if(t.hasToken&&t.tokenExpiry){let n=Math.floor(Date.now()/1e3);if(t.tokenExpiry-n>5&&this.currentState==="authenticated")return this.logger.decision("Should attempt refresh?",false,"Token still valid"),false}return this.logger.decision("Should attempt refresh?",true,`State is ${this.currentState}, token ${t.hasToken?"present":"missing"}`),true}shouldAttemptRegister(t){return this.inActiveSession?(this.logger.decision("Should attempt register?",false,"Already in active session - proof changes ignored"),false):this.currentState!=="unregistered"&&this.currentState!=="expired"?(this.logger.decision("Should attempt register?",false,`State is ${this.currentState}, not UNREGISTERED or EXPIRED`),false):t.wallet?t.hasProof?t.authenticated&&t.hasToken?(this.logger.decision("Should attempt register?",false,"Already authenticated"),false):(this.logger.decision("Should attempt register?",true,`State is ${this.currentState}, have wallet + proof`),true):(this.logger.decision("Should attempt register?",false,"No proof available"),false):(this.logger.decision("Should attempt register?",false,"No wallet connected"),false)}shouldWaitForInitialRefresh(t,r){return this.currentState!=="refreshable"||t?false:r.wallet&&r.boundWallet&&r.wallet.toLowerCase()===r.boundWallet.toLowerCase()?(this.logger.decision("Should wait for initial refresh?",true,"Returning user - let refresh attempt first"),true):false}getStateReport(t){return `
+\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
+\u2502  Session State Machine Report          \u2502
+\u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524
+\u2502 Current State:    ${this.currentState.padEnd(20)} \u2502
+\u2502 Previous State:   ${this.previousState.padEnd(20)} \u2502
+\u2502 Active Session:   ${String(this.inActiveSession).padEnd(20)} \u2502
+\u2502 Had History:      ${String(this.hadSessionHistory).padEnd(20)} \u2502
+\u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524
+\u2502 Wallet:           ${(t.wallet||"null").padEnd(20)} \u2502
+\u2502 Bound Wallet:     ${(t.boundWallet||"null").padEnd(20)} \u2502
+\u2502 Refresh ID:       ${(t.refreshId?"present":"null").padEnd(20)} \u2502
+\u2502 Has Token:        ${String(t.hasToken).padEnd(20)} \u2502
+\u2502 Authenticated:    ${String(t.authenticated).padEnd(20)} \u2502
+\u2502 Has Proof:        ${String(t.hasProof).padEnd(20)} \u2502
+\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518
+    `.trim()}};var Hn=()=>crypto.randomUUID(),kr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:c,refreshDeps:u=[],debug:s}=e,l=ft(n),d=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:f,setBoundWallet:w,setJkt:S,setRefreshId:E,getRefreshId:m,setLastPolicyHash:k,setLastPolicyProof:b,setLastHost:H,setRootJkt:p,ready:g}=Pt(),{ensureRootKeypair:y,rootPrivRef:P,rootPubJwkRef:C}=Kt(),O=useCallback(async()=>{await y();try{if(!f.rootJkt&&C.current){let te=await _(C.current);p(te);}}catch{}},[y,f.rootJkt,C]),{ensureKeypair:Pe,rotate:K,privRef:Me,pubJwkRef:$e}=At(),[Jt,J]=useState(false),[G,U]=useState(0),[ee,ce]=useState(null),[oe,rt]=useState(null),[nt,ot]=useState(null),[Jr,Dr]=useState(null),[Lr,_r]=useState(null),[Hr,Mr]=useState(null),$r=useRef(null),Or=useRef(null),Ur=useRef(null),jr=useRef(null),Nr=useRef(null),Fr=useRef(null),Br=useRef(null),Vr=useRef(false),Gr=useRef(false),qr=useRef(void 0),Oe=useRef(false),at=useRef(false),Dt=useRef(null),le=useRef(null);le.current||(le.current=new Promise(te=>{Dt.current=te;}));let it=useRef(null),zr=useRef(i),Xr=useRef(null),st=useRef(null);if(!st.current){let te=s??false;st.current=new De(t,te);}let ct=useRef(null);ct.current||(ct.current=new et);let Ue=useRef(null),Lt=useRef(null),je=useRef(null),_t=()=>Date.now(),Yr=()=>(je.current??0)>0&&je.current<_t(),lt=useCallback((te,nn=15e3)=>{let Ht=Hn();return Ue.current=Ht,Lt.current=te,je.current=_t()+Math.max(1e3,nn),Ht},[]),Zr=useCallback(()=>((!Ue.current||Yr())&&lt("adhoc",1e4),Ue.current),[lt]),ut=useRef(null),Ne=useRef(null);Ne.current||(Ne.current=new Promise(te=>{ut.current=te;}));let Qr=useCallback(async()=>{!Oe.current&&Ne.current&&await Ne.current;},[]),en=useCallback(()=>{Oe.current||(Oe.current=true,ut.current?.(),ut.current=null);},[]),tn=useCallback(async()=>{!at.current&&le.current&&await le.current;},[]),rn=useCallback(async()=>{!at.current&&le.current&&await le.current,it.current&&await it.current;},[]);return {clientId:t,wallet:r,baseUrl:l,fetchImpl:d,timeoutMs:a,providerAdapter:c,refreshDeps:u,ensureKeypair:Pe,rotate:K,ensureRootKeypair:O,rootPrivRef:P,rootPubJwkRef:C,privRef:Me,pubJwkRef:$e,meta:f,setBoundWallet:w,setJkt:S,setRefreshId:E,accessTokenRef:Ur,tokenExpRef:jr,authenticated:Jt,setAuthenticated:J,loadingCount:G,setLoadingCount:U,error:ee,setError:ce,allowed:oe,setAllowed:rt,denyReason:nt,setDenyReason:ot,sessionExpiry:Jr,setSessionExpiry:Dr,sessionData:Lr,setSessionData:_r,verifyData:Hr,setVerifyData:Mr,authWalletRef:Or,refreshLock:Nr,registerLock:Fr,sessionLock:Br,didInitialRefresh:Vr,didInitialSession:Gr,prevWalletRef:qr,initResolvedRef:at,initReady:le,initResolveRef:Dt,rotateLock:it,waitReady:tn,awaitKeyStable:rn,proofRef:zr,registerCooldownUntilRef:$r,reqIdRef:Ue,flowLabelRef:Lt,flowExpireRef:je,beginFlow:lt,currentReqId:Zr,awaitProbe:Qr,markProbed:en,hasProbedRef:Oe,getRefreshId:m,setLastPolicyHash:k,setLastPolicyProof:b,setLastHost:H,setRootJkt:p,metaReady:g,probeLock:Xr,stateMachine:ct.current,logger:st.current}};var V=e=>e.accessTokenRef.current??null,Z=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},W=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Mn=(e,t)=>`${e.toUpperCase()} ${t}`;async function Le(e,t,r,n){if(!t)return e.logger.guard("register",false,"No wallet provided"),false;e.logger.flow("register","Starting register flow",{wallet:t});let o=Le._nonceCacheRef||(Le._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let a;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let y=await _(e.rootPubJwkRef.current);e.setRootJkt?.(y);}catch{}let p=await _(W(e)),g=await e.getRefreshId();a=await pe({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:p,clientId:e.clientId,sid:g||void 0,ttlSec:300});}}catch(p){e.logger.warn("Failed to create PODE for register",p);}let i=e.currentReqId(),c="/auth/register",u=`${e.baseUrl}${c}`,s=new URL(e.baseUrl).origin,l="POST",d=`${s}${c}`,f=Mn(l,d),w=o.map.get(f),S=await B({method:l,url:d,nonce:w,privateKey:Z(e),publicJwk:W(e)}),E=async p=>e.fetchImpl(u,{method:l,headers:{"content-type":"application/json","x-sunbreak-meta":F(e,{reqId:i,pode:a||void 0}),...p},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),m=await E({DPoP:S}),k=p=>{let g=p.headers.get("dpop-nonce");g&&o.map.set(f,g);};if(m.status===401){e.logger.info("Register got 401, retrying with nonce");let p=m.headers.get("www-authenticate"),y=(p&&p.match(/dpop-nonce="([^"]+)"/i))?.[1];if(y){o.map.set(f,y);let P=await B({method:l,url:d,nonce:y,privateKey:Z(e),publicJwk:W(e)});m=await E({DPoP:P});}}if(k(m),e.logger.api(l,c,{status:m.status}),!m.ok){let p=await Je(m);if((m.headers.get("content-type")||"").includes("application/json")){let y;try{y=await m.clone().json();}catch{}let P=We(y&&(y.error||y.message||y.detail)||`HTTP ${m.status}`);throw he(P,p)}else {let y=p.waf?"Blocked by WAF (403)":p.alb403?"Blocked at origin (ALB 403)":`HTTP ${m.status}`;throw he(y,p)}}let b=await m.json();e.logger.info("Register succeeded",{expiresIn:b.expiresIn,hasRefreshId:!!b.refreshId}),e.accessTokenRef.current=b.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let p=Math.floor(Date.now()/1e3);e.tokenExpRef.current=p+(b.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await _(W(e)));}catch{}try{let p={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:b.refreshId??null};e.setRefreshId(b.refreshId??null);let g=Ke(e.clientId);await R(g,p);try{localStorage.setItem(g,JSON.stringify(p));}catch{}}catch{}let H={wallet:t,boundWallet:t,refreshId:b.refreshId??null,hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!0,authenticated:!0};return e.stateMachine.onRegisterSuccess(H),!0}catch(a){let i=Number(a?.status||0),c=String(a?.code||"").toLowerCase(),u=String(a?.message||"").toLowerCase(),s=Math.floor(Math.random()*1e3);e.logger.error("Register failed",{status:i,code:c,msg:u}),e.stateMachine.onRegisterFailure(`${c||u||"Unknown error"}`);let l=c==="session_exists"||c==="already_authenticated"||u.includes("already")&&(u.includes("session")||u.includes("authenticated")),d=(i===401||i===403)&&c==="replay";if((l||d)&&n?.refreshFallback&&(!e.meta.boundWallet||e.meta.boundWallet.toLowerCase()===t.toLowerCase())){e.logger.info("Register failed with recoverable error, attempting refresh fallback",{code:c,isSessionExists:l,isReplay:d});try{if(await n.refreshFallback())return e.logger.info("Refresh fallback succeeded after register failure"),e.meta.boundWallet||e.setBoundWallet(t),!0}catch(w){e.logger.warn("Refresh fallback failed",w);}}if(d){if(e.providerAdapter)try{let f=await e.providerAdapter.getToken()??null;if(f)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await ve(e.providerAdapter,f),e.registerCooldownUntilRef.current=Date.now()+5e3+s,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+s,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+s,false}if(l)return e.setError("Session already exists. Try refreshing the page."),e.registerCooldownUntilRef.current=Date.now()+3e3+s,false;if(i===403&&(a?.waf||a?.alb403))return e.setError(u||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+s,false;if(i===403)return e.setError(c||u||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+s,false;if(i===429||i===503){e.setError(c||u||"Rate limited / unavailable");let f=i===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+f+s,false}return e.setError(c||u||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+s,false}}var $n=(e,t)=>`${e.toUpperCase()} ${t}`;function _e(e){if(e.refreshLock.current)return e.logger.guard("refreshLock",false,"Refresh already in progress"),e.refreshLock.current;if(e.registerLock.current){e.logger.guard("registerLock",false,"Registration in progress, waiting");let t=e.registerLock.current.then(()=>{if(e.authenticated&&V(e))return  true;if(V(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return  true}return  false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.logger.flow("refresh","Starting refresh flow"),e.refreshLock.current=(async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe();let t=e.meta.boundWallet||e.wallet;if(!t)return e.logger.warn("No wallet available for refresh (neither boundWallet nor current wallet)"),!1;if(e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.logger.warn("Wallet mismatch during refresh",{current:e.wallet,bound:e.meta.boundWallet}),e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let r=V(e);if(r){let y=e.tokenExpRef.current,P=Math.floor(Date.now()/1e3);if(!!r&&!!y&&y-P>5)return e.logger.info("Token still valid, skipping refresh"),!0}e.beginFlow("refresh",15e3);let n=e.currentReqId();await e.ensureKeypair();let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let C=await _(e.rootPubJwkRef.current);e.setRootJkt?.(C);}catch{}let y=await _(W(e)),P=await e.getRefreshId();o=await pe({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:y,clientId:e.clientId,sid:P||void 0,ttlSec:300});}}catch(y){e.logger.warn("Failed to create PODE for refresh",y);}let a="/auth/refresh",i=`${e.baseUrl}${a}`,c=new URL(e.baseUrl).origin,u="POST",s=`${c}${a}`,l=$n(u,s),d=_e._nonceCacheRef||(_e._nonceCacheRef={map:new Map}),f=async y=>await B({method:u,url:s,nonce:y,privateKey:Z(e),publicJwk:W(e)}),w=await e.getRefreshId(),S={"x-sunbreak-meta":F(e,{reqId:n,refreshId:w||void 0,pode:o||void 0,wallet:t}),"content-type":"application/json"},E=async y=>e.fetchImpl(i,{method:u,headers:{DPoP:y,...S},credentials:"include",body:"{}"}),m=y=>{let P=y.headers.get("dpop-nonce");P&&d.map.set(l,P);},k=await E(await f(d.map.get(l)));if(k.status===401){e.logger.info("Refresh got 401, retrying with nonce");let y=k.headers.get("www-authenticate"),C=(y&&y.match(/dpop-nonce="([^"]+)"/i))?.[1];C&&(d.map.set(l,C),k=await E(await f(C)));}if(m(k),e.logger.api(u,a,{status:k.status}),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let P=await k.clone().json().catch(()=>{}),C=P&&(P.error||P.code||P.message)||"",O=String(C).toLowerCase();if(O.includes("missing")&&O.includes("refresh")){e.logger.warn("Refresh session expired (missing refresh identifier)"),e.stateMachine.onRefreshExpired();try{e.setRefreshId?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}else e.logger.warn("Refresh failed",{error:C}),e.stateMachine.onRefreshFailure(String(C));}}catch{}return !1}let b=await k.json();e.logger.info("Refresh succeeded",{expiresIn:b.expiresIn,hasRefreshId:!!b.refreshId}),e.accessTokenRef.current=b.access,e.setAuthenticated(!0);let H=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=H?H.toLowerCase():null;try{let y=Math.floor(Date.now()/1e3);e.tokenExpRef.current=y+(b.expiresIn??0);}catch{}try{e.setJkt(await _(W(e)));}catch{}b.refreshId&&e.setRefreshId(b.refreshId);let p=y=>!y||y==="null"||y==="undefined"?null:y,g={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:p(b.refreshId??e.meta.refreshId??null),hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!!e.proofRef.current,authenticated:!0};return e.stateMachine.onRefreshSuccess(g),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var On=(e,t)=>`${e.toUpperCase()} ${t}`,Tt=new Map,He;try{let e=globalThis;He=e.__sunbreak_page_probe_guard??(e.__sunbreak_page_probe_guard=new Set);}catch{He=new Set;}var Un=e=>{try{let t=new URL(e.baseUrl).origin;return `${e.clientId}::${t}`}catch{return `${e.clientId}::${e.baseUrl}`}};async function Pr(e){let t=Un(e);if(e.probeLock.current){e.logger.guard("probeLock",false,"Probe already in progress, waiting"),await e.probeLock.current,e.markProbed();return}if(e.hasProbedRef.current){e.logger.guard("hasProbedRef",false,"Already probed in this session"),e.markProbed();return}if(He.has(t)){e.logger.guard("pageProbeGuard",false,"Already probed for this page load"),e.markProbed();return}He.add(t),e.logger.flow("probe","Starting probe flow",{clientId:e.clientId,pageKey:t});let r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let o;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let m=await _(W(e));o=await pe({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:m,clientId:e.clientId,ttlSec:300});}catch(m){e.logger.warn("Failed to create PODE for probe",m);}let a="POST",i="/auth/probe",c=`${e.baseUrl}${i}`,u=`${n}${i}`,s=On(a,u),l=async m=>B({method:a,url:u,nonce:m,privateKey:Z(e),publicJwk:W(e)}),d=async m=>e.fetchImpl(c,{method:a,headers:{DPoP:m,"x-sunbreak-meta":F(e,{pode:o}),"content-type":"application/json"},credentials:"include",body:"{}"}),f=m=>{let k=m.headers.get("dpop-nonce");k&&Tt.set(s,k);},w=await d(await l(Tt.get(s)));if(f(w),w.status===401){e.logger.info("Probe got 401, retrying with nonce from www-authenticate");let m=w.headers.get("www-authenticate"),b=(m&&m.match(/dpop-nonce="([^"]+)"/i))?.[1];b&&(Tt.set(s,b),w=await d(await l(b)),f(w));}e.logger.api(a,i,{status:w.status});let S=m=>!m||m==="null"||m==="undefined"?null:m,E={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:S(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated};e.stateMachine.onProbeComplete(E);}catch(o){e.logger.error("Probe failed",o);try{He.delete(t);}catch{}}finally{e.markProbed(),e.logger.flow("probe","Probe flow completed");}})();e.probeLock.current=r;try{await r;}finally{e.probeLock.current=null;}}var vr=e=>{let t=useCallback(()=>_e(e),[e]),r=useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a){e.logger.guard("registerCooldown",false,"Cooldown active");return}if(!e.wallet){e.logger.guard("attemptRegister",false,"No wallet");return}if(!e.initResolvedRef.current){e.logger.guard("attemptRegister",false,"Not initialized");return}if(e.refreshLock.current){e.logger.guard("attemptRegister",false,"Refresh in progress");return}if(e.registerLock.current){e.logger.guard("attemptRegister",false,"Register already in progress");return}let i=s=>!s||s==="null"||s==="undefined"?null:s,c={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:i(e.meta.refreshId),hasToken:!!V(e),tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated};if(!e.stateMachine.shouldAttemptRegister(c)){e.logger.guard("attemptRegister",false,`State machine blocked (state: ${e.stateMachine.getState()}, inActiveSession: ${e.stateMachine.isInActiveSession()})`);return}let u=e.proofRef.current;if(!u){e.logger.guard("attemptRegister",false,"No proof available");return}e.logger.guard("attemptRegister",true,"All guards passed, proceeding"),await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await Le(e,e.wallet,u,{refreshFallback:async()=>{e.logger.info("Attempting refresh as fallback after register failure");let l=!!e.meta.boundWallet;!l&&e.wallet&&e.setBoundWallet(e.wallet);try{return await _e(e)}catch{return l||e.setBoundWallet(null),!1}}})&&(e.didInitialSession.current=!0);}catch(s){e.setError(s?.message||String(s)||"Register failed");}finally{e.registerLock.current=null;}})();},[e]),n=useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await ve(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a,i)=>Le(e,o,a,i),attemptRegister:r,setProofFromAdapterToken:n}};var jn=(e,t)=>`${e.toUpperCase()} ${t}`,Nn=(e,t)=>!!e&&!!t&&e.toLowerCase()===t.toLowerCase();async function tt(e,t,r,n,o,a={}){e.setLoadingCount(s=>s+1),e.setError(null);let i=n.startsWith("/api/session"),c=new AbortController,u=setTimeout(()=>c.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?pt(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,f=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,w=jn(r,f),S=n.startsWith("/auth/"),E=!1,m=!1,k=e.currentReqId(),b=tt._nonceCacheRef||(tt._nonceCacheRef={map:new Map}),H=J=>{let G=J.headers.get("dpop-nonce");G&&b.map.set(w,G);},p=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),g=()=>S||!e.wallet?!1:!!(e.authenticated||Nn(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),y,P,C=async()=>{if(S||p)return;try{let ce=V(e),oe=e.tokenExpRef.current,rt=Math.floor(Date.now()/1e3),nt=!!oe&&oe-rt<=60;if(ce){if(nt&&!await t().catch(()=>!1))return}else if(!g()||!await t().catch(()=>!1))return}catch{}let J=V(e);if(!J)return;let G=await Ye(J),U=b.map.get(w),ee=await B({method:r,url:f,nonce:U,ath:G,privateKey:Z(e),publicJwk:W(e)});y=`Bearer ${e.accessTokenRef.current}`,P=ee;};await C();let O={"content-type":"application/json","x-sunbreak-auth":y||"","x-sunbreak-meta":F(e,{reqId:k,auth:y,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...ht(a.headers)};P&&(O.DPoP=P);let Pe=async()=>e.fetchImpl(l,{...a,method:r,headers:O,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:c.signal}),K=await Pe(),Me=K.headers.get("x-sunbreak-policy-hash"),$e=K.headers.get("x-sunbreak-policy-proof");if(Me&&e.setLastPolicyHash(Me),$e&&e.setLastPolicyProof($e),H(K),K.status===401&&!S){let J=V(e),G=K.headers.get("www-authenticate"),ee=(G&&G.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!p&&ee&&J&&!m){m=!0,b.map.set(w,ee);let ce=await Ye(J),oe=await B({method:r,url:f,nonce:ee,ath:ce,privateKey:Z(e),publicJwk:W(e)});y=`Bearer ${e.accessTokenRef.current}`,P=oe,O["x-sunbreak-meta"]=F(e,{reqId:k,auth:y}),O.DPoP=P,K=await Pe(),H(K);}if(K.status===401&&!E&&(E=!0,!p&&g())){let ce=await t(),oe=V(e);ce&&oe&&!p&&(await C(),O["x-sunbreak-meta"]=F(e,{reqId:k,auth:y}),P&&(O.DPoP=P),K=await Pe(),H(K));}if(K.status===401)throw new Error("Unauthorized")}if(!K.ok){let J=await Je(K);if((K.headers.get("content-type")||"").includes("application/json")){let U=await K.json().catch(()=>{}),ee=We(U&&(U.error||U.message||U.detail)||`HTTP ${K.status}`);throw he(ee,J)}else {let U=J.waf?"Blocked by WAF (403)":J.alb403?"Blocked at origin (ALB 403)":`HTTP ${K.status}`;throw he(U,J)}}return (K.headers.get("content-type")||"").includes("application/json")?await K.json():void 0}finally{clearTimeout(u),e.setLoadingCount(s=>Math.max(0,s-1));}}var Ar=(e,t)=>useCallback(async(r,n,o,a={})=>tt(e,t,r,n,o,a),[e,t]);async function xr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function Kr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var Tr=(e,t)=>{let r=useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await xr(e,t)}catch(o){throw e.logger.error("Session request failed",o),o}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=useCallback(async()=>{if(e.wallet)return await Kr(e,t)},[e,t]);return {session:r,verify:n}};var Ir=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t,c=()=>(e.registerCooldownUntilRef.current??0)>Date.now(),u=()=>{let s=l=>!l||l==="null"||l==="undefined"?null:l;return {wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:s(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated}};useEffect(()=>{if(!e.metaReady)return;let s=true;return (async()=>{try{if(await e.waitReady(),!s||(await e.awaitKeyStable(),!s)||(await e.ensureRootKeypair(),!s))return;let l=u();e.stateMachine.initialize(l),await Pr(e);}catch(l){if(!s)return;e.logger.error("Probe initialization failed",l);}})(),()=>{s=false;}},[e.metaReady]),useEffect(()=>{let s=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==s&&(e.didInitialRefresh.current=false),!e.wallet){e.logger.flow("wallet","Wallet disconnected"),e.stateMachine.onWalletDisconnect(),e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}if(s&&e.wallet&&s!==e.wallet){e.logger.flow("wallet",`Wallet changed: ${s} \u2192 ${e.wallet}`);let l=u();e.stateMachine.onWalletChange(s,e.wallet,l),e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;});}},[e.wallet]),useEffect(()=>{if(!e.providerAdapter||c()||!e.metaReady||!e.wallet)return;if(e.stateMachine.isInActiveSession()){e.logger.decision("Provider adapter should trigger register?",false,"Already in active session");return}if(e.authenticated){e.logger.decision("Provider adapter should trigger register?",false,"Already authenticated");return}let s=u();if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,s)){e.logger.decision("Provider adapter should wait for initial refresh?",true,"Returning user - refresh first");return}e.logger.decision("Provider adapter should trigger register?",true,`Fetching token (state: ${e.stateMachine.getState()})`);let l=false;return (async()=>{try{let d=e.providerAdapter.getToken(),f=new Promise((S,E)=>setTimeout(()=>E(new Error("Provider adapter timeout (30s)")),3e4)),w=await Promise.race([d,f]).catch(S=>(e.logger.warn("Provider adapter getToken failed",S),null))??null;if(await e.awaitKeyStable(),l||!w)return;e.logger.info("Provider adapter: got token, setting proof"),await a(w),await o();}catch(d){e.logger.error("Provider adapter flow failed",d);}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef,e.didInitialRefresh,e.authenticated,...e.refreshDeps]),useEffect(()=>{if(typeof i<"u"&&(e.proofRef.current=i??null,i&&e.logger.info("Proof prop updated",{hasProof:!!i})),!e.metaReady)return;let s=u();if(!e.stateMachine.shouldAttemptRegister(s)){e.logger.decision("Proof prop should trigger register?",false,`State machine says no (state: ${e.stateMachine.getState()}, inActiveSession: ${e.stateMachine.isInActiveSession()})`);return}if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,s)){e.logger.decision("Proof prop should wait for initial refresh?",true,"Returning user - refresh first");return}let l=!!e.wallet,d=!!e.proofRef.current;l&&d&&e.initResolvedRef.current&&!c()&&(e.logger.info("Proof prop conditions met, attempting register"),o());},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef,e.didInitialRefresh,o]),useEffect(()=>{if(!e.metaReady||e.didInitialRefresh.current)return;let s=true;return (async()=>{try{await e.waitReady(),await e.awaitProbe();let l=u();if(e.accessTokenRef.current||e.authenticated){e.logger.info("Already authenticated, skipping initial refresh"),e.didInitialRefresh.current=!0,e.wallet&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}if(!e.stateMachine.shouldAttemptRefresh(l)){e.logger.decision("Should attempt initial refresh?",!1,`State: ${e.stateMachine.getState()}`),e.didInitialRefresh.current=!0;return}e.logger.decision("Should attempt initial refresh?",!0,`State: ${e.stateMachine.getState()}`),e.didInitialRefresh.current=!0;let f=await r();if(!s)return;e.setAuthenticated(f),f&&e.wallet&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(l){if(!s)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(l?.message||String(l)||"Unknown error");}})(),()=>{s=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,e.didInitialRefresh,r,n]),useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{e.logger.flow("session","Calling session after authentication"),await n();}catch(s){e.setError(s?.message||String(s));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.logger.warn("Wallet mismatch detected, clearing auth",{current:e.wallet,authWallet:e.authWalletRef.current}),e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),useEffect(()=>{let l=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return  false;let w=e.tokenExpRef.current;if(!w)return  false;let S=Math.floor(Date.now()/1e3);return w-S<=30},d=async()=>{try{l()&&(e.logger.info("Token expiring soon, refreshing on focus"),await r());}catch{}},f=async()=>{document.visibilityState==="visible"&&await d();};return window.addEventListener("focus",d),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",d),document.removeEventListener("visibilitychange",f);}},[e,r]),useEffect(()=>{let d=()=>{let S=Math.floor(Date.now()/1e3),E=e.tokenExpRef.current,m=e.sessionExpiry,k=!!E&&E-S<=30&&E-S>0,b=!!m&&m-S<=3600&&m-S>0;return {tokenSoon:k,sessionSoon:b}},f=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:S,sessionSoon:E}=d();(S||E)&&(e.logger.info("Refreshing on focus",{tokenSoon:S,sessionSoon:E}),await r()&&E&&await n());}catch{}},w=async()=>{document.visibilityState==="visible"&&await f();};return window.addEventListener("focus",f),document.addEventListener("visibilitychange",w),()=>{window.removeEventListener("focus",f),document.removeEventListener("visibilitychange",w);}},[e,e.sessionExpiry,r,n]);};var Wr=createContext(void 0),qn=e=>{let t=kr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=vr(t),a=Ar(t,r),{session:i,verify:c}=Tr(t,a);Ir(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let u=useMemo(()=>({get:(s,l)=>a("GET",s,void 0,l),post:(s,l,d)=>a("POST",s,l,d),verify:c,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,c,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsx(Wr.Provider,{value:u,children:e.children})},zn=e=>jsx(kt,{clientId:e.clientId,children:jsx(qn,{...e})}),Xn=()=>{let e=useContext(Wr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
-export { On as SunbreakProvider, Un as useSunbreak };
+export { zn as SunbreakProvider, Xn as useSunbreak };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@tdfc/sunbreak-react",
-  "version": "0.1.6",
+  "version": "0.1.8",
   "description": "SDK for connecting to the Sunbreak API",
   "license": "UNLICENSED",
   "repository": "github:thedigitalfinancecompany/sunbreak-react",