@tdfc/sunbreak-react 0.1.8 → 0.1.11
- package/dist/index.cjs +4 -4
- package/dist/index.d.cts +2 -11
- package/dist/index.d.ts +2 -11
- package/dist/index.mjs +3 -3
- package/package.json +1 -1
package/dist/index.cjs
CHANGED
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
var react = require('react');
|
|
4
4
|
var jsxRuntime = require('react/jsx-runtime');
|
|
5
5
|
|
|
6
|
-
var on=Object.defineProperty;var Mt=e=>{throw TypeError(e)};var an=(e,t,r)=>t in e?on(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var M=(e,t,r)=>an(e,typeof t!="symbol"?t+"":t,r),$t=(e,t,r)=>t.has(e)||Mt("Cannot "+r);var h=(e,t,r)=>($t(e,t,"read from private field"),r?r.call(e):t.get(e)),j=(e,t,r)=>t.has(e)?Mt("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),N=(e,t,r,n)=>($t(e,t,"write to private field"),t.set(e,r),r);var ve=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var sn="sunbreak-kv",Ae="kv",Fe="sunbreak_dpop_meta_v1",T="sunbreak_dpop_key_v1",xe="ES256",v="P-256",Ke=e=>`${Fe}:${e}`,Ot=()=>new Promise((e,t)=>{let r=indexedDB.open(sn,1);r.onupgradeneeded=()=>r.result.createObjectStore(Ae),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),I=async e=>{try{let t=await Ot();return await new Promise((r,n)=>{let a=t.transaction(Ae,"readonly").objectStore(Ae).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},R=async(e,t)=>{let r=await Ot();await new Promise((n,o)=>{let i=r.transaction(Ae,"readwrite").objectStore(Ae).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var cn=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},ln=e=>e.replace(/\/+$/,""),ft=e=>{let t=ln(e);return cn(t)};function pt(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=un(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var un=e=>{for(let 
t=0;t<dt.length;t++){let r=dt[Math.floor(Math.random()*dt.length)].toLowerCase();if(r!==e)return r}return "alpha"},dt=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var F=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var fn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),dn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),pn=new Set(["dpop","x-sunbreak-meta"]),hn=64,Ut=2048,yn=64;function ht(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=yn)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>hn||fn.has(i)||dn.has(i)||pn.has(i))continue;let c=String(a);c.length>Ut&&(c=c.slice(0,Ut)),t[i]=c,n++;}return t}var re=new TextEncoder,me=new TextDecoder;function jt(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Nt(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Ft(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function 
Bt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Ft(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Be(e){let t=e;return typeof t=="string"&&(t=re.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Nt(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ue=class extends Error{constructor(r,n){super(r,n);M(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};M(ue,"code","ERR_JOSE_GENERIC");var D=class extends ue{constructor(){super(...arguments);M(this,"code","ERR_JOSE_NOT_SUPPORTED");}};M(D,"code","ERR_JOSE_NOT_SUPPORTED");var ne=class extends ue{constructor(){super(...arguments);M(this,"code","ERR_JWS_INVALID");}};M(ne,"code","ERR_JWS_INVALID");var Ce=class extends ue{constructor(){super(...arguments);M(this,"code","ERR_JWT_INVALID");}};M(Ce,"code","ERR_JWT_INVALID");var Vt,Gt,yt=class extends(Gt=ue,Vt=Symbol.asyncIterator,Gt){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);M(this,Vt);M(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};M(yt,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function q(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function mt(e){return parseInt(e.name.slice(4),10)}function gn(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function bn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function qt(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw q("HMAC");let 
n=parseInt(t.slice(2),10);if(mt(e.algorithm.hash)!==n)throw q(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw q("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(mt(e.algorithm.hash)!==n)throw q(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw q("RSA-PSS");let n=parseInt(t.slice(2),10);if(mt(e.algorithm.hash)!==n)throw q(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw q("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw q(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw q("ECDSA");let n=gn(t);if(e.algorithm.namedCurve!==n)throw q(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}bn(e,r);}function zt(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Xt=(e,...t)=>zt("Key must be ",e,...t);function wt(e,t,...r){return zt(`Key for the ${e} algorithm must be `,t,...r)}function gt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function bt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var St=e=>gt(e)||bt(e);var Yt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return false;r.add(a);}}return true};function Sn(e){return typeof e=="object"&&e!==null}var Ve=e=>{if(!Sn(e)||Object.prototype.toString.call(e)!=="[object Object]")return false;if(Object.getPrototypeOf(e)===null)return 
true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Zt=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function Rn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new D('Invalid or 
unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var Qt=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=Rn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var er=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new D(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Te(e){return Ve(e)&&typeof e.kty=="string"}function tr(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function rr(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function nr(e){return e.kty==="oct"&&typeof e.k=="string"}var ge,or=async(e,t,r,n=false)=>{ge||(ge=new WeakMap);let o=ge.get(e);if(o?.[r])return o[r];let a=await Qt({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:ge.set(e,{[r]:a}),a},kn=(e,t)=>{ge||(ge=new WeakMap);let r=ge.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this 
algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let c=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!c)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&c==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES384"&&c==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES512"&&c==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:c},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:ge.set(e,{[t]:a}),a},ar=async(e,t)=>{if(e instanceof Uint8Array||gt(e))return e;if(bt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof 
e.toCryptoKey=="function")try{return kn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return or(e,r,t)}if(Te(e))return e.k?Bt(e.k):or(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],Rt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return true},Pn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Te(t)){if(nr(t)&&Rt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!St(t))throw new TypeError(wt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},vn=(e,t,r)=>{if(Te(t))switch(r){case "decrypt":case "sign":if(tr(t)&&Rt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(rr(t)&&Rt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!St(t))throw new TypeError(wt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for 
asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},ir=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?Pn(e,t,r):vn(e,t,r);};var sr=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new D(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var cr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Xt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return qt(t,e,r),t};var ae=e=>Math.floor(e.getTime()/1e3);var An=/^(\+|\-)? 
?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Ge=e=>{let t=An.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function fe(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var x,qe=class{constructor(t){j(this,x);if(!Ve(t))throw new TypeError("JWT Claims Set MUST be an object");N(this,x,structuredClone(t));}data(){return re.encode(JSON.stringify(h(this,x)))}get iss(){return h(this,x).iss}set iss(t){h(this,x).iss=t;}get sub(){return h(this,x).sub}set sub(t){h(this,x).sub=t;}get aud(){return h(this,x).aud}set aud(t){h(this,x).aud=t;}set jti(t){h(this,x).jti=t;}set nbf(t){typeof t=="number"?h(this,x).nbf=fe("setNotBefore",t):t instanceof Date?h(this,x).nbf=fe("setNotBefore",ae(t)):h(this,x).nbf=ae(new Date)+Ge(t);}set exp(t){typeof t=="number"?h(this,x).exp=fe("setExpirationTime",t):t instanceof Date?h(this,x).exp=fe("setExpirationTime",ae(t)):h(this,x).exp=ae(new Date)+Ge(t);}set iat(t){typeof t>"u"?h(this,x).iat=ae(new Date):t instanceof Date?h(this,x).iat=fe("setIssuedAt",ae(t)):typeof t=="string"?h(this,x).iat=fe("setIssuedAt",ae(new Date)+Ge(t)):h(this,x).iat=fe("setIssuedAt",t);}};x=new WeakMap;var lr=async(e,t,r)=>{let n=await cr(e,t,"sign");Zt(e,n);let o=await crypto.subtle.sign(sr(e,n.algorithm),n,r);return new Uint8Array(o)};var Ie,L,z,ze=class{constructor(t){j(this,Ie);j(this,L);j(this,z);if(!(t instanceof Uint8Array))throw new 
TypeError("payload must be an instance of Uint8Array");N(this,Ie,t);}setProtectedHeader(t){if(h(this,L))throw new TypeError("setProtectedHeader can only be called once");return N(this,L,t),this}setUnprotectedHeader(t){if(h(this,z))throw new TypeError("setUnprotectedHeader can only be called once");return N(this,z,t),this}async sign(t,r){if(!h(this,L)&&!h(this,z))throw new ne("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Yt(h(this,L),h(this,z)))throw new ne("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...h(this,L),...h(this,z)},o=er(ne,new Map([["b64",true]]),r?.crit,h(this,L),n),a=true;if(o.has("b64")&&(a=h(this,L).b64,typeof a!="boolean"))throw new ne('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new ne('JWS "alg" (Algorithm) Header Parameter missing or invalid');ir(i,t,"sign");let c=h(this,Ie);a&&(c=re.encode(Be(c)));let u;h(this,L)?u=re.encode(Be(JSON.stringify(h(this,L)))):u=re.encode("");let s=jt(u,re.encode("."),c),l=await ar(t,i),d=await lr(i,l,s),f={signature:Be(d),payload:""};return a&&(f.payload=me.decode(c)),h(this,z)&&(f.header=h(this,z)),h(this,L)&&(f.protected=me.decode(u)),f}};Ie=new WeakMap,L=new WeakMap,z=new WeakMap;var Se,Xe=class{constructor(t){j(this,Se);N(this,Se,new ze(t));}setProtectedHeader(t){return h(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await h(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var ie,$,de=class{constructor(t={}){j(this,ie);j(this,$);N(this,$,new qe(t));}setIssuer(t){return h(this,$).iss=t,this}setSubject(t){return h(this,$).sub=t,this}setAudience(t){return h(this,$).aud=t,this}setJti(t){return h(this,$).jti=t,this}setNotBefore(t){return h(this,$).nbf=t,this}setExpirationTime(t){return 
h(this,$).exp=t,this}setIssuedAt(t){return h(this,$).iat=t,this}setProtectedHeader(t){return N(this,ie,t),this}async sign(t,r){let n=new Xe(h(this,$).data());if(n.setProtectedHeader(h(this,ie)),Array.isArray(h(this,ie)?.crit)&&h(this,ie).crit.includes("b64")&&h(this,ie).b64===false)throw new Ce("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};ie=new WeakMap,$=new WeakMap;var xn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),Ye=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return xn(r)},B=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,c={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(c.nonce=n),o&&(c.ath=o),await new de(c).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var _=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function pe(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,c=Math.floor(Date.now()/1e3),u=c+Math.max(60,Math.min(i,3600)),s={child_jkt:n,client_id:o,aud:"issuer",iat:c,exp:u,jti:crypto.randomUUID()};return a&&(s.sid=a),await new de(s).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function We(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Je(e){let t=e.status,r=Array.from(e.headers.keys()).some(c=>c.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let c=await e.clone().json();n=typeof c?.error=="string"?c.error:void 0,o=typeof c?.detail=="string"?c.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function he(e,t){let r=new 
Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},Et=react.createContext(void 0);function hr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function Tn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var kt=({children:e,clientId:t})=>{let[r,n]=react.useState(Re),o=react.useRef(false),[a,i]=react.useState(false),c=react.useMemo(()=>Ke(t),[t]);react.useEffect(()=>{let p=true;return (async()=>{let y=await I(c)??await I(Fe)??hr(c);p&&(n({...Re,...y}),o.current=true,i(true));})(),()=>{p=false;}},[c]),react.useEffect(()=>{o.current&&(async()=>(await R(c,r),Tn(c,r)))();},[r,c]);let u=react.useCallback(p=>n(g=>({...g,refreshId:p})),[]),s=react.useCallback(p=>n(g=>({...g,lastPolicyHash:p})),[]),l=react.useCallback(p=>n(g=>({...g,lastPolicyProof:p})),[]),d=react.useCallback(p=>n(g=>({...g,lastHost:p})),[]),f=react.useCallback(p=>n(g=>({...g,rootJkt:p})),[]),w=async()=>{try{let p=localStorage.getItem(c);if(p){let g=JSON.parse(p);if(typeof g?.refreshId=="string"&&g.refreshId)return g.refreshId}}catch{}try{let p=await I(c);if(typeof p?.refreshId=="string"&&p.refreshId)return p.refreshId}catch{}return null},S=react.useCallback(p=>n(g=>({...g,boundWallet:p})),[]),E=react.useCallback(p=>n(g=>({...g,clientId:p})),[]),m=react.useCallback(p=>n(g=>({...g,jkt:p})),[]),k=react.useCallback(()=>n(Re),[]),b=react.useCallback(async()=>{let g=await I(c)??hr(c);n({...Re,...g});},[]),H=react.useMemo(()=>({meta:r,setBoundWallet:S,setClientId:E,setJkt:m,resetMeta:k,reload:b,setRefreshId:u,getRefreshId:w,ready:a,setLastPolicyHash:s,setLastPolicyProof:l,setLastHost:d,setRootJkt:f}),[r,S,E,m,k,b,a,u,w,s,l,d,f]);return jsxRuntime.jsx(Et.Provider,{value:H,children:e})};function Pt(){let e=react.useContext(Et);if(!e)throw new Error("useMeta must be used within 
<MetaProvider>");return e}var mr=`${T}:wrap`;async function Ze(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},!1,["sign","verify"]),t=`${T}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await I(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}async function Jn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},!0,["sign","verify"]),t=`${T}:probe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await I(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=v,t.alg=xe,t.use="sig",t}async function wr(){let e=await I(mr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(mr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function vt(e){let t=await wr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Dn(e,t){let r=await wr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var At=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let u=await I(T);if(!u)return false;if(u.fmt==="cryptokey"){let l=u;if(!l.privKey)return await R(T,void 0),false;let d=l.privKey;try{if(d.extractable&&await Ze()){let w=await crypto.subtle.exportKey("jwk",d),S=await crypto.subtle.importKey("jwk",w,{name:"ECDSA",namedCurve:v},!1,["sign"]),E={fmt:"cryptokey",privKey:S,pubJwk:ke(l.pubJwk)};await R(T,E),d=S;}}catch{}return e.current=d,t.current=ke(l.pubJwk),true}if(u.fmt==="encjwk"){let l=u;try{let d=await Dn(l.encPrivJwk,l.iv),f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},!1,["sign"]);return e.current=f,t.current=ke(l.pubJwk),!0}catch{return await R(T,void 0),false}}let 
s=u;if(s&&s.d){let{d:l,...d}=s,f=ke(d),w=await Ze(),S=w||await Jn();if(S&&w){let b=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);return await R(T,{fmt:"cryptokey",privKey:b,pubJwk:f}),e.current=b,t.current=f,true}if(S){let b=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},true,["sign"]);return await R(T,{fmt:"cryptokey",privKey:b,pubJwk:f}),e.current=b,t.current=f,true}let{encPrivJwk:E,iv:m}=await vt(s);await R(T,{fmt:"encjwk",encPrivJwk:E,iv:m,pubJwk:f});let k=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);return e.current=k,t.current=f,true}return await R(T,void 0),false},[]),n=react.useCallback(async(u,s)=>{await R(T,{fmt:"cryptokey",privKey:u,pubJwk:s});},[]),o=react.useCallback(async(u,s)=>{let{encPrivJwk:l,iv:d}=await vt(u);await R(T,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:s});},[]),a=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let u=await Ze(),s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",s.publicKey)),d=await crypto.subtle.exportKey("jwk",s.privateKey);if(u){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);await n(f,l),e.current=f,t.current=l;}else {await o(d,l);let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);e.current=f,t.current=l;}},[r,n,o]),i=react.useCallback(async()=>{let u=await Ze(),s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",s.publicKey)),d=await crypto.subtle.exportKey("jwk",s.privateKey);if(u){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);await R(T,{fmt:"cryptokey",privKey:f,pubJwk:l}),e.current=f,t.current=l;}else {let{encPrivJwk:f,iv:w}=await vt(d);await R(T,{fmt:"encjwk",encPrivJwk:f,iv:w,pubJwk:l});let S=await 
crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);e.current=S,t.current=l;}},[]),c=react.useCallback(async()=>{await R(T,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:c,privRef:e,pubJwkRef:t}};var Y="sunbreak_root_key_v1",br=`${Y}:wrap`;async function Sr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},!1,["sign","verify"]),t=`${Y}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await I(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function Qe(e){let t={...e};return delete t.d,t.kty="EC",t.crv=v,t.alg=xe,t.use="sig",t}async function Rr(){let e=await I(br);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(br,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Ln(e){let t=await Rr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function _n(e,t){let r=await Rr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Kt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let a=await I(Y);if(!a)return false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await R(Y,void 0),false;let c=i.privKey;try{if(c.extractable&&await Sr()){let s=await crypto.subtle.exportKey("jwk",c),l=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},!1,["sign"]),d={fmt:"cryptokey",privKey:l,pubJwk:Qe(i.pubJwk),createdAt:i.createdAt};await R(Y,d),c=l;}}catch{}return e.current=c,t.current=Qe(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let c=await _n(i.encPrivJwk,i.iv),u=await crypto.subtle.importKey("jwk",c,{name:"ECDSA",namedCurve:v},!1,["sign"]);return 
e.current=u,t.current=Qe(i.pubJwk),!0}catch{return await R(Y,void 0),false}}return await R(Y,void 0),false},[]),n=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await Sr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},true,["sign","verify"]),c=Qe(await crypto.subtle.exportKey("jwk",i.publicKey)),u=Date.now(),s=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);await R(Y,{fmt:"cryptokey",privKey:l,pubJwk:c,createdAt:u}),e.current=l,t.current=c;}else {let{encPrivJwk:l,iv:d}=await Ln(s);await R(Y,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:c,createdAt:u});let w=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);e.current=w,t.current=c;}},[r]),o=react.useCallback(async()=>{await R(Y,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var De=class e{constructor(t,r=false){this.colors={flow:"#00D9FF",state:"#00FF88",decision:"#FFB800",api:"#B388FF",guard:"#FFEA00",error:"#FF5252",warn:"#FF9100",info:"#90CAF9"};this.enabled=r,this.prefix=t?`[Sunbreak:${t.slice(0,8)}]`:"[Sunbreak]";}log(t,r,n){if(!this.enabled)return;let o=this.colors[t],a=new Date().toISOString().slice(11,23),i=this.getEmoji(t);console.log(`%c${i} ${this.prefix} [${a}] [${t.toUpperCase()}]%c ${r}`,`color: ${o}; font-weight: bold`,"color: inherit; font-weight: normal",n!==void 0?n:"");}getEmoji(t){switch(t){case "flow":return "\u{1F504}";case "state":return "\u{1F500}";case "decision":return "\u{1F914}";case "api":return "\u{1F4E1}";case "guard":return "\u{1F6E1}\uFE0F";case "error":return "\u274C";case "warn":return "\u26A0\uFE0F";case "info":return "\u2139\uFE0F";default:return "\u2022"}}flow(t,r,n){this.log("flow",`[${t.toUpperCase()}] ${r}`,n);}state(t,r,n,o){this.log("state",`${t} \u2192 ${r}: ${n}`,o);}decision(t,r,n,o){this.log("decision",`${t} = ${r?"\u2713 YES":"\u2717 NO"} 
(${n})`,o);}api(t,r,n){let o=n.status,i=o>=200&&o<300?"\u2713":"\u2717";this.log("api",`${i} ${t} ${r} \u2192 ${o}${n.error?` (${n.error})`:""}`,n.data);}guard(t,r,n,o){this.log("guard",`${t}: ${r?"\u2713 PASS":"\u2717 BLOCK"} (${n})`,o);}error(t,r){this.log("error",t,r);}warn(t,r){this.log("warn",t,r);}info(t,r){this.log("info",t,r);}group(t){this.enabled&&console.group(`${this.prefix} ${t}`);}groupEnd(){this.enabled&&console.groupEnd();}child(t){let r=new e(void 0,this.enabled);return r.prefix=`${this.prefix}[${t}]`,r}},Ct=null;function Er(){return Ct||(Ct=new De(void 0,true)),Ct}var et=class{constructor(t){this.currentState="unknown";this.previousState="unknown";this.logger=Er();this.hadSessionHistory=false;this.inActiveSession=false;t&&this.initialize(t);}initialize(t){this.logger.group("\u{1F527} Initializing Session State Machine");let r=!!(t.boundWallet||t.refreshId);this.hadSessionHistory=r,this.logger.info("Initial context",{wallet:t.wallet,boundWallet:t.boundWallet,refreshId:t.refreshId?"present":"null",hasToken:t.hasToken,authenticated:t.authenticated,hasHistory:r}),t.authenticated&&t.hasToken?(this.transition("authenticated","Has valid token"),this.inActiveSession=true):r?this.transition("refreshable","Has session history"):this.transition("unregistered","No session history"),this.logger.groupEnd();}transition(t,r){if(this.currentState===t){this.logger.info(`State unchanged: ${t} (${r})`);return}this.previousState=this.currentState,this.currentState=t,this.logger.state(this.previousState,t,r);}getState(){return this.currentState}isInActiveSession(){return this.inActiveSession}markHadSession(){this.hadSessionHistory||(this.logger.info("Marked hadSessionHistory = true"),this.hadSessionHistory=true);}clearSessionHistory(){this.logger.info("Cleared session history"),this.hadSessionHistory=false,this.inActiveSession=false;}onProbeComplete(t){if(this.logger.flow("probe","Probe completed, determining initial 
state"),this.currentState!=="unknown"){this.logger.warn("Probe called but state is not UNKNOWN",{currentState:this.currentState});return}!!(t.boundWallet||t.refreshId)||this.hadSessionHistory?this.transition("refreshable","Session history found"):this.transition("unregistered","No session history");}onRegisterSuccess(t){this.logger.flow("register","Register succeeded"),this.transition("authenticated","Register succeeded"),this.inActiveSession=true,this.hadSessionHistory=true;}onRegisterFailure(t){this.logger.flow("register",`Register failed: ${t}`);}onRefreshSuccess(t){this.logger.flow("refresh","Refresh succeeded"),this.transition("authenticated","Refresh succeeded"),this.inActiveSession=true;}onRefreshExpired(){this.logger.flow("refresh","Refresh failed: session expired (missing refresh identifier)"),this.transition("expired","Session expired"),this.inActiveSession=false;}onRefreshFailure(t){this.logger.flow("refresh",`Refresh failed: ${t}`);}onTokenExpired(){this.logger.flow("token","Token expired"),this.currentState==="authenticated"&&this.transition("refreshable","Token expired");}onWalletChange(t,r,n){if(this.logger.flow("wallet",`Wallet changed: ${t||"null"} \u2192 ${r||"null"}`),!r){this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;return}r.toLowerCase()===n.boundWallet?.toLowerCase()?this.hadSessionHistory&&this.transition("refreshable","Wallet reconnected with history"):(this.transition("unregistered","Wallet changed to different address"),this.inActiveSession=false);}onWalletDisconnect(){this.logger.flow("wallet","Wallet disconnected"),this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;}shouldAttemptProbe(){let t=this.currentState==="unknown";return this.logger.decision("Should attempt probe?",t,`State is ${this.currentState}`),t}shouldAttemptRefresh(t){if(this.currentState!=="refreshable"&&this.currentState!=="authenticated")return this.logger.decision("Should attempt refresh?",false,`State is 
${this.currentState}, not REFRESHABLE or AUTHENTICATED`),false;if(!(t.boundWallet||t.wallet))return this.logger.decision("Should attempt refresh?",false,"No wallet available (neither boundWallet nor current wallet)"),false;if(t.wallet&&t.boundWallet&&t.wallet.toLowerCase()!==t.boundWallet.toLowerCase())return this.logger.decision("Should attempt refresh?",false,"Wallet mismatch"),false;if(t.hasToken&&t.tokenExpiry){let n=Math.floor(Date.now()/1e3);if(t.tokenExpiry-n>5&&this.currentState==="authenticated")return this.logger.decision("Should attempt refresh?",false,"Token still valid"),false}return this.logger.decision("Should attempt refresh?",true,`State is ${this.currentState}, token ${t.hasToken?"present":"missing"}`),true}shouldAttemptRegister(t){return this.inActiveSession?(this.logger.decision("Should attempt register?",false,"Already in active session - proof changes ignored"),false):this.currentState!=="unregistered"&&this.currentState!=="expired"?(this.logger.decision("Should attempt register?",false,`State is ${this.currentState}, not UNREGISTERED or EXPIRED`),false):t.wallet?t.hasProof?t.authenticated&&t.hasToken?(this.logger.decision("Should attempt register?",false,"Already authenticated"),false):(this.logger.decision("Should attempt register?",true,`State is ${this.currentState}, have wallet + proof`),true):(this.logger.decision("Should attempt register?",false,"No proof available"),false):(this.logger.decision("Should attempt register?",false,"No wallet connected"),false)}shouldWaitForInitialRefresh(t,r){return this.currentState!=="refreshable"||t?false:r.wallet&&r.boundWallet&&r.wallet.toLowerCase()===r.boundWallet.toLowerCase()?(this.logger.decision("Should wait for initial refresh?",true,"Returning user - let refresh attempt first"),true):false}getStateReport(t){return `
|
|
6
|
+
var Qr=Object.defineProperty;var $t=e=>{throw TypeError(e)};var en=(e,t,r)=>t in e?Qr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var M=(e,t,r)=>en(e,typeof t!="symbol"?t+"":t,r),Ot=(e,t,r)=>t.has(e)||$t("Cannot "+r);var h=(e,t,r)=>(Ot(e,t,"read from private field"),r?r.call(e):t.get(e)),U=(e,t,r)=>t.has(e)?$t("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),N=(e,t,r,n)=>(Ot(e,t,"write to private field"),t.set(e,r),r);var Ae=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var tn="sunbreak-kv",xe="kv",Be="sunbreak_dpop_meta_v1",T="sunbreak_dpop_key_v1",Ke="ES256",v="P-256",Ce=e=>`${Be}:${e}`,jt=()=>new Promise((e,t)=>{let r=indexedDB.open(tn,1);r.onupgradeneeded=()=>r.result.createObjectStore(xe),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),I=async e=>{try{let t=await jt();return await new Promise((r,n)=>{let a=t.transaction(xe,"readonly").objectStore(xe).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},E=async(e,t)=>{let r=await jt();await new Promise((n,o)=>{let i=r.transaction(xe,"readwrite").objectStore(xe).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var rn=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},nn=e=>e.replace(/\/+$/,""),ft=e=>{let t=nn(e);return rn(t)};function pt(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=on(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var on=e=>{for(let 
t=0;t<dt.length;t++){let r=dt[Math.floor(Math.random()*dt.length)].toLowerCase();if(r!==e)return r}return "alpha"},dt=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var F=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var an=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),sn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),cn=new Set(["dpop","x-sunbreak-meta"]),ln=64,Ut=2048,un=64;function ht(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=un)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>ln||an.has(i)||sn.has(i)||cn.has(i))continue;let c=String(a);c.length>Ut&&(c=c.slice(0,Ut)),t[i]=c,n++;}return t}var re=new TextEncoder,me=new TextDecoder;function Nt(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Ft(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Bt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function 
Gt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Bt(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Ge(e){let t=e;return typeof t=="string"&&(t=re.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Ft(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var le=class extends Error{constructor(r,n){super(r,n);M(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};M(le,"code","ERR_JOSE_GENERIC");var D=class extends le{constructor(){super(...arguments);M(this,"code","ERR_JOSE_NOT_SUPPORTED");}};M(D,"code","ERR_JOSE_NOT_SUPPORTED");var ne=class extends le{constructor(){super(...arguments);M(this,"code","ERR_JWS_INVALID");}};M(ne,"code","ERR_JWS_INVALID");var Te=class extends le{constructor(){super(...arguments);M(this,"code","ERR_JWT_INVALID");}};M(Te,"code","ERR_JWT_INVALID");var Vt,qt,yt=class extends(qt=le,Vt=Symbol.asyncIterator,qt){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);M(this,Vt);M(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};M(yt,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function q(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function mt(e){return parseInt(e.name.slice(4),10)}function pn(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function hn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function zt(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw q("HMAC");let 
n=parseInt(t.slice(2),10);if(mt(e.algorithm.hash)!==n)throw q(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw q("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(mt(e.algorithm.hash)!==n)throw q(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw q("RSA-PSS");let n=parseInt(t.slice(2),10);if(mt(e.algorithm.hash)!==n)throw q(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw q("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw q(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw q("ECDSA");let n=pn(t);if(e.algorithm.namedCurve!==n)throw q(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}hn(e,r);}function Xt(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Yt=(e,...t)=>Xt("Key must be ",e,...t);function wt(e,t,...r){return Xt(`Key for the ${e} algorithm must be `,t,...r)}function gt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function bt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var St=e=>gt(e)||bt(e);var Zt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return false;r.add(a);}}return true};function yn(e){return typeof e=="object"&&e!==null}var Ve=e=>{if(!yn(e)||Object.prototype.toString.call(e)!=="[object Object]")return false;if(Object.getPrototypeOf(e)===null)return 
true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Qt=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function mn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new D('Invalid or 
unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var er=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=mn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var tr=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new D(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Ie(e){return Ve(e)&&typeof e.kty=="string"}function rr(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function nr(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function or(e){return e.kty==="oct"&&typeof e.k=="string"}var ge,ar=async(e,t,r,n=false)=>{ge||(ge=new WeakMap);let o=ge.get(e);if(o?.[r])return o[r];let a=await er({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:ge.set(e,{[r]:a}),a},gn=(e,t)=>{ge||(ge=new WeakMap);let r=ge.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this 
algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let c=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!c)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&c==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES384"&&c==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES512"&&c==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:c},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:ge.set(e,{[t]:a}),a},ir=async(e,t)=>{if(e instanceof Uint8Array||gt(e))return e;if(bt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof 
e.toCryptoKey=="function")try{return gn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return ar(e,r,t)}if(Ie(e))return e.k?Gt(e.k):ar(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],Rt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return true},bn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Ie(t)){if(or(t)&&Rt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!St(t))throw new TypeError(wt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},Sn=(e,t,r)=>{if(Ie(t))switch(r){case "decrypt":case "sign":if(rr(t)&&Rt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(nr(t)&&Rt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!St(t))throw new TypeError(wt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for 
asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},sr=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?bn(e,t,r):Sn(e,t,r);};var cr=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new D(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var lr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Yt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return zt(t,e,r),t};var ae=e=>Math.floor(e.getTime()/1e3);var Rn=/^(\+|\-)? 
?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,qe=e=>{let t=Rn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function ue(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var x,ze=class{constructor(t){U(this,x);if(!Ve(t))throw new TypeError("JWT Claims Set MUST be an object");N(this,x,structuredClone(t));}data(){return re.encode(JSON.stringify(h(this,x)))}get iss(){return h(this,x).iss}set iss(t){h(this,x).iss=t;}get sub(){return h(this,x).sub}set sub(t){h(this,x).sub=t;}get aud(){return h(this,x).aud}set aud(t){h(this,x).aud=t;}set jti(t){h(this,x).jti=t;}set nbf(t){typeof t=="number"?h(this,x).nbf=ue("setNotBefore",t):t instanceof Date?h(this,x).nbf=ue("setNotBefore",ae(t)):h(this,x).nbf=ae(new Date)+qe(t);}set exp(t){typeof t=="number"?h(this,x).exp=ue("setExpirationTime",t):t instanceof Date?h(this,x).exp=ue("setExpirationTime",ae(t)):h(this,x).exp=ae(new Date)+qe(t);}set iat(t){typeof t>"u"?h(this,x).iat=ae(new Date):t instanceof Date?h(this,x).iat=ue("setIssuedAt",ae(t)):typeof t=="string"?h(this,x).iat=ue("setIssuedAt",ae(new Date)+qe(t)):h(this,x).iat=ue("setIssuedAt",t);}};x=new WeakMap;var ur=async(e,t,r)=>{let n=await lr(e,t,"sign");Qt(e,n);let o=await crypto.subtle.sign(cr(e,n.algorithm),n,r);return new Uint8Array(o)};var We,L,z,Xe=class{constructor(t){U(this,We);U(this,L);U(this,z);if(!(t instanceof Uint8Array))throw new 
TypeError("payload must be an instance of Uint8Array");N(this,We,t);}setProtectedHeader(t){if(h(this,L))throw new TypeError("setProtectedHeader can only be called once");return N(this,L,t),this}setUnprotectedHeader(t){if(h(this,z))throw new TypeError("setUnprotectedHeader can only be called once");return N(this,z,t),this}async sign(t,r){if(!h(this,L)&&!h(this,z))throw new ne("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Zt(h(this,L),h(this,z)))throw new ne("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...h(this,L),...h(this,z)},o=tr(ne,new Map([["b64",true]]),r?.crit,h(this,L),n),a=true;if(o.has("b64")&&(a=h(this,L).b64,typeof a!="boolean"))throw new ne('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new ne('JWS "alg" (Algorithm) Header Parameter missing or invalid');sr(i,t,"sign");let c=h(this,We);a&&(c=re.encode(Ge(c)));let u;h(this,L)?u=re.encode(Ge(JSON.stringify(h(this,L)))):u=re.encode("");let s=Nt(u,re.encode("."),c),l=await ir(t,i),d=await ur(i,l,s),f={signature:Ge(d),payload:""};return a&&(f.payload=me.decode(c)),h(this,z)&&(f.header=h(this,z)),h(this,L)&&(f.protected=me.decode(u)),f}};We=new WeakMap,L=new WeakMap,z=new WeakMap;var Se,Ye=class{constructor(t){U(this,Se);N(this,Se,new Xe(t));}setProtectedHeader(t){return h(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await h(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var ie,$,fe=class{constructor(t={}){U(this,ie);U(this,$);N(this,$,new ze(t));}setIssuer(t){return h(this,$).iss=t,this}setSubject(t){return h(this,$).sub=t,this}setAudience(t){return h(this,$).aud=t,this}setJti(t){return h(this,$).jti=t,this}setNotBefore(t){return h(this,$).nbf=t,this}setExpirationTime(t){return 
h(this,$).exp=t,this}setIssuedAt(t){return h(this,$).iat=t,this}setProtectedHeader(t){return N(this,ie,t),this}async sign(t,r){let n=new Ye(h(this,$).data());if(n.setProtectedHeader(h(this,ie)),Array.isArray(h(this,ie)?.crit)&&h(this,ie).crit.includes("b64")&&h(this,ie).b64===false)throw new Te("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};ie=new WeakMap,$=new WeakMap;var En=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),Ze=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return En(r)},B=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,c={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(c.nonce=n),o&&(c.ath=o),await new fe(c).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var _=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function de(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,c=Math.floor(Date.now()/1e3),u=c+Math.max(60,Math.min(i,3600)),s={child_jkt:n,client_id:o,aud:"issuer",iat:c,exp:u,jti:crypto.randomUUID()};return a&&(s.sid=a),await new fe(s).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function De(e){let t=e.status,r=Array.from(e.headers.keys()).some(c=>c.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let c=await e.clone().json();n=typeof c?.error=="string"?c.error:void 0,o=typeof c?.detail=="string"?c.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function pe(e,t){let r=new 
Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},Et=react.createContext(void 0);function yr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function vn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var kt=({children:e,clientId:t})=>{let[r,n]=react.useState(Re),o=react.useRef(false),[a,i]=react.useState(false),c=react.useMemo(()=>Ce(t),[t]);react.useEffect(()=>{let p=true;return (async()=>{let y=await I(c)??await I(Be)??yr(c);p&&(n({...Re,...y}),o.current=true,i(true));})(),()=>{p=false;}},[c]),react.useEffect(()=>{o.current&&(async()=>(await E(c,r),vn(c,r)))();},[r,c]);let u=react.useCallback(p=>n(g=>({...g,refreshId:p})),[]),s=react.useCallback(p=>n(g=>({...g,lastPolicyHash:p})),[]),l=react.useCallback(p=>n(g=>({...g,lastPolicyProof:p})),[]),d=react.useCallback(p=>n(g=>({...g,lastHost:p})),[]),f=react.useCallback(p=>n(g=>({...g,rootJkt:p})),[]),w=async()=>{try{let p=localStorage.getItem(c);if(p){let g=JSON.parse(p);if(typeof g?.refreshId=="string"&&g.refreshId)return g.refreshId}}catch{}try{let p=await I(c);if(typeof p?.refreshId=="string"&&p.refreshId)return p.refreshId}catch{}return null},b=react.useCallback(p=>n(g=>({...g,boundWallet:p})),[]),R=react.useCallback(p=>n(g=>({...g,clientId:p})),[]),m=react.useCallback(p=>n(g=>({...g,jkt:p})),[]),k=react.useCallback(()=>n(Re),[]),S=react.useCallback(async()=>{let g=await I(c)??yr(c);n({...Re,...g});},[]),H=react.useMemo(()=>({meta:r,setBoundWallet:b,setClientId:R,setJkt:m,resetMeta:k,reload:S,setRefreshId:u,getRefreshId:w,ready:a,setLastPolicyHash:s,setLastPolicyProof:l,setLastHost:d,setRootJkt:f}),[r,b,R,m,k,S,a,u,w,s,l,d,f]);return jsxRuntime.jsx(Et.Provider,{value:H,children:e})};function Pt(){let e=react.useContext(Et);if(!e)throw new Error("useMeta must be used within 
<MetaProvider>");return e}var wr=`${T}:wrap`;async function Qe(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},!1,["sign","verify"]),t=`${T}:probe_safe`;await E(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await I(t);return await E(t,void 0),!!(r&&r.privKey)}catch{return false}}async function Kn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},!0,["sign","verify"]),t=`${T}:probe`;await E(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await I(t);return await E(t,void 0),!!(r&&r.privKey)}catch{return false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=v,t.alg=Ke,t.use="sig",t}async function gr(){let e=await I(wr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await E(wr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function vt(e){let t=await gr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Cn(e,t){let r=await gr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var At=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let u=await I(T);if(!u)return false;if(u.fmt==="cryptokey"){let l=u;if(!l.privKey)return await E(T,void 0),false;let d=l.privKey;try{if(d.extractable&&await Qe()){let w=await crypto.subtle.exportKey("jwk",d),b=await crypto.subtle.importKey("jwk",w,{name:"ECDSA",namedCurve:v},!1,["sign"]),R={fmt:"cryptokey",privKey:b,pubJwk:ke(l.pubJwk)};await E(T,R),d=b;}}catch{}return e.current=d,t.current=ke(l.pubJwk),true}if(u.fmt==="encjwk"){let l=u;try{let d=await Cn(l.encPrivJwk,l.iv),f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},!1,["sign"]);return e.current=f,t.current=ke(l.pubJwk),!0}catch{return await E(T,void 0),false}}let 
s=u;if(s&&s.d){let{d:l,...d}=s,f=ke(d),w=await Qe(),b=w||await Kn();if(b&&w){let S=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);return await E(T,{fmt:"cryptokey",privKey:S,pubJwk:f}),e.current=S,t.current=f,true}if(b){let S=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},true,["sign"]);return await E(T,{fmt:"cryptokey",privKey:S,pubJwk:f}),e.current=S,t.current=f,true}let{encPrivJwk:R,iv:m}=await vt(s);await E(T,{fmt:"encjwk",encPrivJwk:R,iv:m,pubJwk:f});let k=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);return e.current=k,t.current=f,true}return await E(T,void 0),false},[]),n=react.useCallback(async(u,s)=>{await E(T,{fmt:"cryptokey",privKey:u,pubJwk:s});},[]),o=react.useCallback(async(u,s)=>{let{encPrivJwk:l,iv:d}=await vt(u);await E(T,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:s});},[]),a=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let u=await Qe(),s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",s.publicKey)),d=await crypto.subtle.exportKey("jwk",s.privateKey);if(u){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);await n(f,l),e.current=f,t.current=l;}else {await o(d,l);let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);e.current=f,t.current=l;}},[r,n,o]),i=react.useCallback(async()=>{let u=await Qe(),s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",s.publicKey)),d=await crypto.subtle.exportKey("jwk",s.privateKey);if(u){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);await E(T,{fmt:"cryptokey",privKey:f,pubJwk:l}),e.current=f,t.current=l;}else {let{encPrivJwk:f,iv:w}=await vt(d);await E(T,{fmt:"encjwk",encPrivJwk:f,iv:w,pubJwk:l});let b=await 
crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);e.current=b,t.current=l;}},[]),c=react.useCallback(async()=>{await E(T,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:c,privRef:e,pubJwkRef:t}};var Y="sunbreak_root_key_v1",Sr=`${Y}:wrap`;async function Rr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},!1,["sign","verify"]),t=`${Y}:probe_safe`;await E(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await I(t);return await E(t,void 0),!!(r&&r.privKey)}catch{return false}}function et(e){let t={...e};return delete t.d,t.kty="EC",t.crv=v,t.alg=Ke,t.use="sig",t}async function Er(){let e=await I(Sr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await E(Sr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Tn(e){let t=await Er(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function In(e,t){let r=await Er(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Kt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let a=await I(Y);if(!a)return false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await E(Y,void 0),false;let c=i.privKey;try{if(c.extractable&&await Rr()){let s=await crypto.subtle.exportKey("jwk",c),l=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},!1,["sign"]),d={fmt:"cryptokey",privKey:l,pubJwk:et(i.pubJwk),createdAt:i.createdAt};await E(Y,d),c=l;}}catch{}return e.current=c,t.current=et(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let c=await In(i.encPrivJwk,i.iv),u=await crypto.subtle.importKey("jwk",c,{name:"ECDSA",namedCurve:v},!1,["sign"]);return 
e.current=u,t.current=et(i.pubJwk),!0}catch{return await E(Y,void 0),false}}return await E(Y,void 0),false},[]),n=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await Rr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},true,["sign","verify"]),c=et(await crypto.subtle.exportKey("jwk",i.publicKey)),u=Date.now(),s=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);await E(Y,{fmt:"cryptokey",privKey:l,pubJwk:c,createdAt:u}),e.current=l,t.current=c;}else {let{encPrivJwk:l,iv:d}=await Tn(s);await E(Y,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:c,createdAt:u});let w=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);e.current=w,t.current=c;}},[r]),o=react.useCallback(async()=>{await E(Y,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var Le=class e{constructor(t,r=false){this.colors={flow:"#00D9FF",state:"#00FF88",decision:"#FFB800",api:"#B388FF",guard:"#FFEA00",error:"#FF5252",warn:"#FF9100",info:"#90CAF9"};this.enabled=r,this.prefix=t?`[Sunbreak:${t.slice(0,8)}]`:"[Sunbreak]";}log(t,r,n){if(!this.enabled)return;let o=this.colors[t],a=new Date().toISOString().slice(11,23),i=this.getEmoji(t);console.log(`%c${i} ${this.prefix} [${a}] [${t.toUpperCase()}]%c ${r}`,`color: ${o}; font-weight: bold`,"color: inherit; font-weight: normal",n!==void 0?n:"");}getEmoji(t){switch(t){case "flow":return "\u{1F504}";case "state":return "\u{1F500}";case "decision":return "\u{1F914}";case "api":return "\u{1F4E1}";case "guard":return "\u{1F6E1}\uFE0F";case "error":return "\u274C";case "warn":return "\u26A0\uFE0F";case "info":return "\u2139\uFE0F";default:return "\u2022"}}flow(t,r,n){this.log("flow",`[${t.toUpperCase()}] ${r}`,n);}state(t,r,n,o){this.log("state",`${t} \u2192 ${r}: ${n}`,o);}decision(t,r,n,o){this.log("decision",`${t} = ${r?"\u2713 YES":"\u2717 NO"} 
(${n})`,o);}api(t,r,n){let o=n.status,i=o>=200&&o<300?"\u2713":"\u2717";this.log("api",`${i} ${t} ${r} \u2192 ${o}${n.error?` (${n.error})`:""}`,n.data);}guard(t,r,n,o){this.log("guard",`${t}: ${r?"\u2713 PASS":"\u2717 BLOCK"} (${n})`,o);}error(t,r){this.log("error",t,r);}warn(t,r){this.log("warn",t,r);}info(t,r){this.log("info",t,r);}group(t){this.enabled&&console.group(`${this.prefix} ${t}`);}groupEnd(){this.enabled&&console.groupEnd();}child(t){let r=new e(void 0,this.enabled);return r.prefix=`${this.prefix}[${t}]`,r}},Ct=null;function kr(){return Ct||(Ct=new Le(void 0,false)),Ct}var tt=class{constructor(t){this.currentState="unknown";this.previousState="unknown";this.logger=kr();this.hadSessionHistory=false;this.inActiveSession=false;t&&this.initialize(t);}initialize(t){if(this.currentState!=="unknown"){this.logger.info(`Skipping initialization - state already set to ${this.currentState}`);let n=!!(t.boundWallet||t.refreshId);this.hadSessionHistory=n;return}this.logger.group("\u{1F527} Initializing Session State Machine");let r=!!(t.boundWallet||t.refreshId);this.hadSessionHistory=r,this.logger.info("Initial context",{wallet:t.wallet,boundWallet:t.boundWallet,refreshId:t.refreshId?"present":"null",hasToken:t.hasToken,authenticated:t.authenticated,hasHistory:r}),t.authenticated&&t.hasToken?(this.transition("authenticated","Has valid token"),this.inActiveSession=true):r?this.transition("refreshable","Has session history"):this.transition("unregistered","No session history"),this.logger.groupEnd();}transition(t,r){if(this.currentState===t){this.logger.info(`State unchanged: ${t} (${r})`);return}this.previousState=this.currentState,this.currentState=t,this.logger.state(this.previousState,t,r);}getState(){return this.currentState}isInActiveSession(){return this.inActiveSession}markHadSession(){this.hadSessionHistory||(this.logger.info("Marked hadSessionHistory = true"),this.hadSessionHistory=true);}clearSessionHistory(){this.logger.info("Cleared session 
history"),this.hadSessionHistory=false,this.inActiveSession=false;}onProbeComplete(t){if(this.logger.flow("probe","Probe completed, determining initial state"),this.currentState!=="unknown"){this.logger.warn("Probe called but state is not UNKNOWN",{currentState:this.currentState});return}!!(t.boundWallet||t.refreshId)||this.hadSessionHistory?this.transition("refreshable","Session history found"):this.transition("unregistered","No session history");}onRegisterSuccess(t){this.logger.flow("register","Register succeeded"),this.transition("authenticated","Register succeeded"),this.inActiveSession=true,this.hadSessionHistory=true;}onRegisterFailure(t){this.logger.flow("register",`Register failed: ${t}`);}onRefreshSuccess(t){this.logger.flow("refresh","Refresh succeeded"),this.transition("authenticated","Refresh succeeded"),this.inActiveSession=true;}onRefreshExpired(){this.logger.flow("refresh","Refresh failed: session expired (missing refresh identifier)"),this.transition("expired","Session expired"),this.inActiveSession=false;}onRefreshFailure(t){this.logger.flow("refresh",`Refresh failed: ${t}`);}onTokenExpired(){this.logger.flow("token","Token expired"),this.currentState==="authenticated"&&this.transition("refreshable","Token expired");}onWalletChange(t,r,n){if(this.logger.flow("wallet",`Wallet changed: ${t||"null"} \u2192 ${r||"null"}`),!r){this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;return}r.toLowerCase()===n.boundWallet?.toLowerCase()?(this.hadSessionHistory=true,this.transition("refreshable","Wallet reconnected with session history")):(this.transition("unregistered","Wallet changed to different address"),this.inActiveSession=false);}onWalletDisconnect(){this.logger.flow("wallet","Wallet disconnected"),this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;}shouldAttemptProbe(){let t=this.currentState==="unknown";return this.logger.decision("Should attempt probe?",t,`State is 
${this.currentState}`),t}shouldAttemptRefresh(t){if(this.currentState!=="refreshable"&&this.currentState!=="authenticated")return this.logger.decision("Should attempt refresh?",false,`State is ${this.currentState}, not REFRESHABLE or AUTHENTICATED`),false;if(!(t.boundWallet||t.wallet))return this.logger.decision("Should attempt refresh?",false,"No wallet available (neither boundWallet nor current wallet)"),false;if(t.wallet&&t.boundWallet&&t.wallet.toLowerCase()!==t.boundWallet.toLowerCase())return this.logger.decision("Should attempt refresh?",false,"Wallet mismatch"),false;if(t.hasToken&&t.tokenExpiry){let n=Math.floor(Date.now()/1e3);if(t.tokenExpiry-n>5&&this.currentState==="authenticated")return this.logger.decision("Should attempt refresh?",false,"Token still valid"),false}return this.logger.decision("Should attempt refresh?",true,`State is ${this.currentState}, token ${t.hasToken?"present":"missing"}`),true}shouldAttemptRegister(t){return this.inActiveSession?(this.logger.decision("Should attempt register?",false,"Already in active session - proof changes ignored"),false):this.currentState!=="unregistered"&&this.currentState!=="expired"?(this.logger.decision("Should attempt register?",false,`State is ${this.currentState}, not UNREGISTERED or EXPIRED`),false):t.wallet?t.hasProof?t.authenticated&&t.hasToken?(this.logger.decision("Should attempt register?",false,"Already authenticated"),false):(this.logger.decision("Should attempt register?",true,`State is ${this.currentState}, have wallet + proof`),true):(this.logger.decision("Should attempt register?",false,"No proof available"),false):(this.logger.decision("Should attempt register?",false,"No wallet connected"),false)}shouldWaitForInitialRefresh(t,r){return this.currentState!=="refreshable"||t?false:r.wallet&&r.boundWallet&&r.wallet.toLowerCase()===r.boundWallet.toLowerCase()?(this.logger.decision("Should wait for initial refresh?",true,"Returning user - let refresh attempt 
first"),true):false}getStateReport(t){return `
|
|
7
7
|
\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
|
|
8
8
|
\u2502 Session State Machine Report \u2502
|
|
9
9
|
\u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524
|
|
@@ -19,7 +19,7 @@ var on=Object.defineProperty;var Mt=e=>{throw TypeError(e)};var an=(e,t,r)=>t in
|
|
|
19
19
|
\u2502 Authenticated: ${String(t.authenticated).padEnd(20)} \u2502
|
|
20
20
|
\u2502 Has Proof: ${String(t.hasProof).padEnd(20)} \u2502
|
|
21
21
|
\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518
|
|
22
|
-
`.trim()}};var Hn=()=>crypto.randomUUID(),kr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:c,refreshDeps:u=[],debug:s}=e,l=ft(n),d=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:f,setBoundWallet:w,setJkt:S,setRefreshId:E,getRefreshId:m,setLastPolicyHash:k,setLastPolicyProof:b,setLastHost:H,setRootJkt:p,ready:g}=Pt(),{ensureRootKeypair:y,rootPrivRef:P,rootPubJwkRef:C}=Kt(),O=react.useCallback(async()=>{await y();try{if(!f.rootJkt&&C.current){let te=await _(C.current);p(te);}}catch{}},[y,f.rootJkt,C]),{ensureKeypair:Pe,rotate:K,privRef:Me,pubJwkRef:$e}=At(),[Jt,J]=react.useState(false),[G,U]=react.useState(0),[ee,ce]=react.useState(null),[oe,rt]=react.useState(null),[nt,ot]=react.useState(null),[Jr,Dr]=react.useState(null),[Lr,_r]=react.useState(null),[Hr,Mr]=react.useState(null),$r=react.useRef(null),Or=react.useRef(null),Ur=react.useRef(null),jr=react.useRef(null),Nr=react.useRef(null),Fr=react.useRef(null),Br=react.useRef(null),Vr=react.useRef(false),Gr=react.useRef(false),qr=react.useRef(void 0),Oe=react.useRef(false),at=react.useRef(false),Dt=react.useRef(null),le=react.useRef(null);le.current||(le.current=new Promise(te=>{Dt.current=te;}));let it=react.useRef(null),zr=react.useRef(i),Xr=react.useRef(null),st=react.useRef(null);if(!st.current){let te=s??false;st.current=new De(t,te);}let ct=react.useRef(null);ct.current||(ct.current=new et);let Ue=react.useRef(null),Lt=react.useRef(null),je=react.useRef(null),_t=()=>Date.now(),Yr=()=>(je.current??0)>0&&je.current<_t(),lt=react.useCallback((te,nn=15e3)=>{let Ht=Hn();return Ue.current=Ht,Lt.current=te,je.current=_t()+Math.max(1e3,nn),Ht},[]),Zr=react.useCallback(()=>((!Ue.current||Yr())&<("adhoc",1e4),Ue.current),[lt]),ut=react.useRef(null),Ne=react.useRef(null);Ne.current||(Ne.current=new Promise(te=>{ut.current=te;}));let Qr=react.useCallback(async()=>{!Oe.current&&Ne.current&&await 
Ne.current;},[]),en=react.useCallback(()=>{Oe.current||(Oe.current=true,ut.current?.(),ut.current=null);},[]),tn=react.useCallback(async()=>{!at.current&&le.current&&await le.current;},[]),rn=react.useCallback(async()=>{!at.current&&le.current&&await le.current,it.current&&await it.current;},[]);return {clientId:t,wallet:r,baseUrl:l,fetchImpl:d,timeoutMs:a,providerAdapter:c,refreshDeps:u,ensureKeypair:Pe,rotate:K,ensureRootKeypair:O,rootPrivRef:P,rootPubJwkRef:C,privRef:Me,pubJwkRef:$e,meta:f,setBoundWallet:w,setJkt:S,setRefreshId:E,accessTokenRef:Ur,tokenExpRef:jr,authenticated:Jt,setAuthenticated:J,loadingCount:G,setLoadingCount:U,error:ee,setError:ce,allowed:oe,setAllowed:rt,denyReason:nt,setDenyReason:ot,sessionExpiry:Jr,setSessionExpiry:Dr,sessionData:Lr,setSessionData:_r,verifyData:Hr,setVerifyData:Mr,authWalletRef:Or,refreshLock:Nr,registerLock:Fr,sessionLock:Br,didInitialRefresh:Vr,didInitialSession:Gr,prevWalletRef:qr,initResolvedRef:at,initReady:le,initResolveRef:Dt,rotateLock:it,waitReady:tn,awaitKeyStable:rn,proofRef:zr,registerCooldownUntilRef:$r,reqIdRef:Ue,flowLabelRef:Lt,flowExpireRef:je,beginFlow:lt,currentReqId:Zr,awaitProbe:Qr,markProbed:en,hasProbedRef:Oe,getRefreshId:m,setLastPolicyHash:k,setLastPolicyProof:b,setLastHost:H,setRootJkt:p,metaReady:g,probeLock:Xr,stateMachine:ct.current,logger:st.current}};var V=e=>e.accessTokenRef.current??null,Z=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},W=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Mn=(e,t)=>`${e.toUpperCase()} ${t}`;async function Le(e,t,r,n){if(!t)return e.logger.guard("register",false,"No wallet provided"),false;e.logger.flow("register","Starting register flow",{wallet:t});let o=Le._nonceCacheRef||(Le._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let 
a;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let y=await _(e.rootPubJwkRef.current);e.setRootJkt?.(y);}catch{}let p=await _(W(e)),g=await e.getRefreshId();a=await pe({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:p,clientId:e.clientId,sid:g||void 0,ttlSec:300});}}catch(p){e.logger.warn("Failed to create PODE for register",p);}let i=e.currentReqId(),c="/auth/register",u=`${e.baseUrl}${c}`,s=new URL(e.baseUrl).origin,l="POST",d=`${s}${c}`,f=Mn(l,d),w=o.map.get(f),S=await B({method:l,url:d,nonce:w,privateKey:Z(e),publicJwk:W(e)}),E=async p=>e.fetchImpl(u,{method:l,headers:{"content-type":"application/json","x-sunbreak-meta":F(e,{reqId:i,pode:a||void 0}),...p},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),m=await E({DPoP:S}),k=p=>{let g=p.headers.get("dpop-nonce");g&&o.map.set(f,g);};if(m.status===401){e.logger.info("Register got 401, retrying with nonce");let p=m.headers.get("www-authenticate"),y=(p&&p.match(/dpop-nonce="([^"]+)"/i))?.[1];if(y){o.map.set(f,y);let P=await B({method:l,url:d,nonce:y,privateKey:Z(e),publicJwk:W(e)});m=await E({DPoP:P});}}if(k(m),e.logger.api(l,c,{status:m.status}),!m.ok){let p=await Je(m);if((m.headers.get("content-type")||"").includes("application/json")){let y;try{y=await m.clone().json();}catch{}let P=We(y&&(y.error||y.message||y.detail)||`HTTP ${m.status}`);throw he(P,p)}else {let y=p.waf?"Blocked by WAF (403)":p.alb403?"Blocked at origin (ALB 403)":`HTTP ${m.status}`;throw he(y,p)}}let b=await m.json();e.logger.info("Register succeeded",{expiresIn:b.expiresIn,hasRefreshId:!!b.refreshId}),e.accessTokenRef.current=b.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let p=Math.floor(Date.now()/1e3);e.tokenExpRef.current=p+(b.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await _(W(e)));}catch{}try{let 
p={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:b.refreshId??null};e.setRefreshId(b.refreshId??null);let g=Ke(e.clientId);await R(g,p);try{localStorage.setItem(g,JSON.stringify(p));}catch{}}catch{}let H={wallet:t,boundWallet:t,refreshId:b.refreshId??null,hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!0,authenticated:!0};return e.stateMachine.onRegisterSuccess(H),!0}catch(a){let i=Number(a?.status||0),c=String(a?.code||"").toLowerCase(),u=String(a?.message||"").toLowerCase(),s=Math.floor(Math.random()*1e3);e.logger.error("Register failed",{status:i,code:c,msg:u}),e.stateMachine.onRegisterFailure(`${c||u||"Unknown error"}`);let l=c==="session_exists"||c==="already_authenticated"||u.includes("already")&&(u.includes("session")||u.includes("authenticated")),d=(i===401||i===403)&&c==="replay";if((l||d)&&n?.refreshFallback&&(!e.meta.boundWallet||e.meta.boundWallet.toLowerCase()===t.toLowerCase())){e.logger.info("Register failed with recoverable error, attempting refresh fallback",{code:c,isSessionExists:l,isReplay:d});try{if(await n.refreshFallback())return e.logger.info("Refresh fallback succeeded after register failure"),e.meta.boundWallet||e.setBoundWallet(t),!0}catch(w){e.logger.warn("Refresh fallback failed",w);}}if(d){if(e.providerAdapter)try{let f=await e.providerAdapter.getToken()??null;if(f)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await ve(e.providerAdapter,f),e.registerCooldownUntilRef.current=Date.now()+5e3+s,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+s,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+s,false}if(l)return e.setError("Session already exists. 
Try refreshing the page."),e.registerCooldownUntilRef.current=Date.now()+3e3+s,false;if(i===403&&(a?.waf||a?.alb403))return e.setError(u||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+s,false;if(i===403)return e.setError(c||u||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+s,false;if(i===429||i===503){e.setError(c||u||"Rate limited / unavailable");let f=i===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+f+s,false}return e.setError(c||u||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+s,false}}var $n=(e,t)=>`${e.toUpperCase()} ${t}`;function _e(e){if(e.refreshLock.current)return e.logger.guard("refreshLock",false,"Refresh already in progress"),e.refreshLock.current;if(e.registerLock.current){e.logger.guard("registerLock",false,"Registration in progress, waiting");let t=e.registerLock.current.then(()=>{if(e.authenticated&&V(e))return true;if(V(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return true}return false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.logger.flow("refresh","Starting refresh flow"),e.refreshLock.current=(async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe();let t=e.meta.boundWallet||e.wallet;if(!t)return e.logger.warn("No wallet available for refresh (neither boundWallet nor current wallet)"),!1;if(e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.logger.warn("Wallet mismatch during refresh",{current:e.wallet,bound:e.meta.boundWallet}),e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let r=V(e);if(r){let y=e.tokenExpRef.current,P=Math.floor(Date.now()/1e3);if(!!r&&!!y&&y-P>5)return e.logger.info("Token still valid, skipping refresh"),!0}e.beginFlow("refresh",15e3);let n=e.currentReqId();await e.ensureKeypair();let o;try{if(await 
e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let C=await _(e.rootPubJwkRef.current);e.setRootJkt?.(C);}catch{}let y=await _(W(e)),P=await e.getRefreshId();o=await pe({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:y,clientId:e.clientId,sid:P||void 0,ttlSec:300});}}catch(y){e.logger.warn("Failed to create PODE for refresh",y);}let a="/auth/refresh",i=`${e.baseUrl}${a}`,c=new URL(e.baseUrl).origin,u="POST",s=`${c}${a}`,l=$n(u,s),d=_e._nonceCacheRef||(_e._nonceCacheRef={map:new Map}),f=async y=>await B({method:u,url:s,nonce:y,privateKey:Z(e),publicJwk:W(e)}),w=await e.getRefreshId(),S={"x-sunbreak-meta":F(e,{reqId:n,refreshId:w||void 0,pode:o||void 0,wallet:t}),"content-type":"application/json"},E=async y=>e.fetchImpl(i,{method:u,headers:{DPoP:y,...S},credentials:"include",body:"{}"}),m=y=>{let P=y.headers.get("dpop-nonce");P&&d.map.set(l,P);},k=await E(await f(d.map.get(l)));if(k.status===401){e.logger.info("Refresh got 401, retrying with nonce");let y=k.headers.get("www-authenticate"),C=(y&&y.match(/dpop-nonce="([^"]+)"/i))?.[1];C&&(d.map.set(l,C),k=await E(await f(C)));}if(m(k),e.logger.api(u,a,{status:k.status}),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let P=await k.clone().json().catch(()=>{}),C=P&&(P.error||P.code||P.message)||"",O=String(C).toLowerCase();if(O.includes("missing")&&O.includes("refresh")){e.logger.warn("Refresh session expired (missing refresh identifier)"),e.stateMachine.onRefreshExpired();try{e.setRefreshId?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}else e.logger.warn("Refresh failed",{error:C}),e.stateMachine.onRefreshFailure(String(C));}}catch{}return !1}let b=await k.json();e.logger.info("Refresh succeeded",{expiresIn:b.expiresIn,hasRefreshId:!!b.refreshId}),e.accessTokenRef.current=b.access,e.setAuthenticated(!0);let 
H=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=H?H.toLowerCase():null;try{let y=Math.floor(Date.now()/1e3);e.tokenExpRef.current=y+(b.expiresIn??0);}catch{}try{e.setJkt(await _(W(e)));}catch{}b.refreshId&&e.setRefreshId(b.refreshId);let p=y=>!y||y==="null"||y==="undefined"?null:y,g={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:p(b.refreshId??e.meta.refreshId??null),hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!!e.proofRef.current,authenticated:!0};return e.stateMachine.onRefreshSuccess(g),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var On=(e,t)=>`${e.toUpperCase()} ${t}`,Tt=new Map,He;try{let e=globalThis;He=e.__sunbreak_page_probe_guard??(e.__sunbreak_page_probe_guard=new Set);}catch{He=new Set;}var Un=e=>{try{let t=new URL(e.baseUrl).origin;return `${e.clientId}::${t}`}catch{return `${e.clientId}::${e.baseUrl}`}};async function Pr(e){let t=Un(e);if(e.probeLock.current){e.logger.guard("probeLock",false,"Probe already in progress, waiting"),await e.probeLock.current,e.markProbed();return}if(e.hasProbedRef.current){e.logger.guard("hasProbedRef",false,"Already probed in this session"),e.markProbed();return}if(He.has(t)){e.logger.guard("pageProbeGuard",false,"Already probed for this page load"),e.markProbed();return}He.add(t),e.logger.flow("probe","Starting probe flow",{clientId:e.clientId,pageKey:t});let r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let o;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let m=await _(W(e));o=await pe({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:m,clientId:e.clientId,ttlSec:300});}catch(m){e.logger.warn("Failed to create PODE for probe",m);}let a="POST",i="/auth/probe",c=`${e.baseUrl}${i}`,u=`${n}${i}`,s=On(a,u),l=async 
m=>B({method:a,url:u,nonce:m,privateKey:Z(e),publicJwk:W(e)}),d=async m=>e.fetchImpl(c,{method:a,headers:{DPoP:m,"x-sunbreak-meta":F(e,{pode:o}),"content-type":"application/json"},credentials:"include",body:"{}"}),f=m=>{let k=m.headers.get("dpop-nonce");k&&Tt.set(s,k);},w=await d(await l(Tt.get(s)));if(f(w),w.status===401){e.logger.info("Probe got 401, retrying with nonce from www-authenticate");let m=w.headers.get("www-authenticate"),b=(m&&m.match(/dpop-nonce="([^"]+)"/i))?.[1];b&&(Tt.set(s,b),w=await d(await l(b)),f(w));}e.logger.api(a,i,{status:w.status});let S=m=>!m||m==="null"||m==="undefined"?null:m,E={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:S(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated};e.stateMachine.onProbeComplete(E);}catch(o){e.logger.error("Probe failed",o);try{He.delete(t);}catch{}}finally{e.markProbed(),e.logger.flow("probe","Probe flow completed");}})();e.probeLock.current=r;try{await r;}finally{e.probeLock.current=null;}}var vr=e=>{let t=react.useCallback(()=>_e(e),[e]),r=react.useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a){e.logger.guard("registerCooldown",false,"Cooldown active");return}if(!e.wallet){e.logger.guard("attemptRegister",false,"No wallet");return}if(!e.initResolvedRef.current){e.logger.guard("attemptRegister",false,"Not initialized");return}if(e.refreshLock.current){e.logger.guard("attemptRegister",false,"Refresh in progress");return}if(e.registerLock.current){e.logger.guard("attemptRegister",false,"Register already in progress");return}let 
i=s=>!s||s==="null"||s==="undefined"?null:s,c={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:i(e.meta.refreshId),hasToken:!!V(e),tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated};if(!e.stateMachine.shouldAttemptRegister(c)){e.logger.guard("attemptRegister",false,`State machine blocked (state: ${e.stateMachine.getState()}, inActiveSession: ${e.stateMachine.isInActiveSession()})`);return}let u=e.proofRef.current;if(!u){e.logger.guard("attemptRegister",false,"No proof available");return}e.logger.guard("attemptRegister",true,"All guards passed, proceeding"),await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await Le(e,e.wallet,u,{refreshFallback:async()=>{e.logger.info("Attempting refresh as fallback after register failure");let l=!!e.meta.boundWallet;!l&&e.wallet&&e.setBoundWallet(e.wallet);try{return await _e(e)}catch{return l||e.setBoundWallet(null),!1}}})&&(e.didInitialSession.current=!0);}catch(s){e.setError(s?.message||String(s)||"Register failed");}finally{e.registerLock.current=null;}})();},[e]),n=react.useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await ve(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a,i)=>Le(e,o,a,i),attemptRegister:r,setProofFromAdapterToken:n}};var jn=(e,t)=>`${e.toUpperCase()} ${t}`,Nn=(e,t)=>!!e&&!!t&&e.toLowerCase()===t.toLowerCase();async function tt(e,t,r,n,o,a={}){e.setLoadingCount(s=>s+1),e.setError(null);let i=n.startsWith("/api/session"),c=new AbortController,u=setTimeout(()=>c.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?pt(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,f=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,w=jn(r,f),S=n.startsWith("/auth/"),E=!1,m=!1,k=e.currentReqId(),b=tt._nonceCacheRef||(tt._nonceCacheRef={map:new Map}),H=J=>{let 
G=J.headers.get("dpop-nonce");G&&b.map.set(w,G);},p=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),g=()=>S||!e.wallet?!1:!!(e.authenticated||Nn(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),y,P,C=async()=>{if(S||p)return;try{let ce=V(e),oe=e.tokenExpRef.current,rt=Math.floor(Date.now()/1e3),nt=!!oe&&oe-rt<=60;if(ce){if(nt&&!await t().catch(()=>!1))return}else if(!g()||!await t().catch(()=>!1))return}catch{}let J=V(e);if(!J)return;let G=await Ye(J),U=b.map.get(w),ee=await B({method:r,url:f,nonce:U,ath:G,privateKey:Z(e),publicJwk:W(e)});y=`Bearer ${e.accessTokenRef.current}`,P=ee;};await C();let O={"content-type":"application/json","x-sunbreak-auth":y||"","x-sunbreak-meta":F(e,{reqId:k,auth:y,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...ht(a.headers)};P&&(O.DPoP=P);let Pe=async()=>e.fetchImpl(l,{...a,method:r,headers:O,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:c.signal}),K=await Pe(),Me=K.headers.get("x-sunbreak-policy-hash"),$e=K.headers.get("x-sunbreak-policy-proof");if(Me&&e.setLastPolicyHash(Me),$e&&e.setLastPolicyProof($e),H(K),K.status===401&&!S){let J=V(e),G=K.headers.get("www-authenticate"),ee=(G&&G.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!p&&ee&&J&&!m){m=!0,b.map.set(w,ee);let ce=await Ye(J),oe=await B({method:r,url:f,nonce:ee,ath:ce,privateKey:Z(e),publicJwk:W(e)});y=`Bearer ${e.accessTokenRef.current}`,P=oe,O["x-sunbreak-meta"]=F(e,{reqId:k,auth:y}),O.DPoP=P,K=await Pe(),H(K);}if(K.status===401&&!E&&(E=!0,!p&&g())){let ce=await t(),oe=V(e);ce&&oe&&!p&&(await C(),O["x-sunbreak-meta"]=F(e,{reqId:k,auth:y}),P&&(O.DPoP=P),K=await Pe(),H(K));}if(K.status===401)throw new Error("Unauthorized")}if(!K.ok){let J=await Je(K);if((K.headers.get("content-type")||"").includes("application/json")){let U=await K.json().catch(()=>{}),ee=We(U&&(U.error||U.message||U.detail)||`HTTP ${K.status}`);throw 
he(ee,J)}else {let U=J.waf?"Blocked by WAF (403)":J.alb403?"Blocked at origin (ALB 403)":`HTTP ${K.status}`;throw he(U,J)}}return (K.headers.get("content-type")||"").includes("application/json")?await K.json():void 0}finally{clearTimeout(u),e.setLoadingCount(s=>Math.max(0,s-1));}}var Ar=(e,t)=>react.useCallback(async(r,n,o,a={})=>tt(e,t,r,n,o,a),[e,t]);async function xr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function Kr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var Tr=(e,t)=>{let r=react.useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await xr(e,t)}catch(o){throw e.logger.error("Session request failed",o),o}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=react.useCallback(async()=>{if(e.wallet)return await Kr(e,t)},[e,t]);return {session:r,verify:n}};var Ir=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t,c=()=>(e.registerCooldownUntilRef.current??0)>Date.now(),u=()=>{let s=l=>!l||l==="null"||l==="undefined"?null:l;return {wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:s(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated}};react.useEffect(()=>{if(!e.metaReady)return;let s=true;return (async()=>{try{if(await e.waitReady(),!s||(await e.awaitKeyStable(),!s)||(await e.ensureRootKeypair(),!s))return;let l=u();e.stateMachine.initialize(l),await Pr(e);}catch(l){if(!s)return;e.logger.error("Probe initialization failed",l);}})(),()=>{s=false;}},[e.metaReady]),react.useEffect(()=>{let 
s=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==s&&(e.didInitialRefresh.current=false),!e.wallet){e.logger.flow("wallet","Wallet disconnected"),e.stateMachine.onWalletDisconnect(),e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}if(s&&e.wallet&&s!==e.wallet){e.logger.flow("wallet",`Wallet changed: ${s} \u2192 ${e.wallet}`);let l=u();e.stateMachine.onWalletChange(s,e.wallet,l),e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;});}},[e.wallet]),react.useEffect(()=>{if(!e.providerAdapter||c()||!e.metaReady||!e.wallet)return;if(e.stateMachine.isInActiveSession()){e.logger.decision("Provider adapter should trigger register?",false,"Already in active session");return}if(e.authenticated){e.logger.decision("Provider adapter should trigger register?",false,"Already authenticated");return}let s=u();if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,s)){e.logger.decision("Provider adapter should wait for initial refresh?",true,"Returning user - refresh first");return}e.logger.decision("Provider adapter should trigger register?",true,`Fetching token (state: ${e.stateMachine.getState()})`);let l=false;return (async()=>{try{let d=e.providerAdapter.getToken(),f=new Promise((S,E)=>setTimeout(()=>E(new Error("Provider adapter timeout (30s)")),3e4)),w=await Promise.race([d,f]).catch(S=>(e.logger.warn("Provider adapter getToken failed",S),null))??null;if(await e.awaitKeyStable(),l||!w)return;e.logger.info("Provider adapter: 
got token, setting proof"),await a(w),await o();}catch(d){e.logger.error("Provider adapter flow failed",d);}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef,e.didInitialRefresh,e.authenticated,...e.refreshDeps]),react.useEffect(()=>{if(typeof i<"u"&&(e.proofRef.current=i??null,i&&e.logger.info("Proof prop updated",{hasProof:!!i})),!e.metaReady)return;let s=u();if(!e.stateMachine.shouldAttemptRegister(s)){e.logger.decision("Proof prop should trigger register?",false,`State machine says no (state: ${e.stateMachine.getState()}, inActiveSession: ${e.stateMachine.isInActiveSession()})`);return}if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,s)){e.logger.decision("Proof prop should wait for initial refresh?",true,"Returning user - refresh first");return}let l=!!e.wallet,d=!!e.proofRef.current;l&&d&&e.initResolvedRef.current&&!c()&&(e.logger.info("Proof prop conditions met, attempting register"),o());},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef,e.didInitialRefresh,o]),react.useEffect(()=>{if(!e.metaReady||e.didInitialRefresh.current)return;let s=true;return (async()=>{try{await e.waitReady(),await e.awaitProbe();let l=u();if(e.accessTokenRef.current||e.authenticated){e.logger.info("Already authenticated, skipping initial refresh"),e.didInitialRefresh.current=!0,e.wallet&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}if(!e.stateMachine.shouldAttemptRefresh(l)){e.logger.decision("Should attempt initial refresh?",!1,`State: ${e.stateMachine.getState()}`),e.didInitialRefresh.current=!0;return}e.logger.decision("Should attempt initial refresh?",!0,`State: ${e.stateMachine.getState()}`),e.didInitialRefresh.current=!0;let f=await r();if(!s)return;e.setAuthenticated(f),f&&e.wallet&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await 
n());}catch(l){if(!s)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(l?.message||String(l)||"Unknown error");}})(),()=>{s=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,e.didInitialRefresh,r,n]),react.useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),react.useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{e.logger.flow("session","Calling session after authentication"),await n();}catch(s){e.setError(s?.message||String(s));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),react.useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.logger.warn("Wallet mismatch detected, clearing auth",{current:e.wallet,authWallet:e.authWalletRef.current}),e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),react.useEffect(()=>{let l=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return false;let w=e.tokenExpRef.current;if(!w)return false;let S=Math.floor(Date.now()/1e3);return w-S<=30},d=async()=>{try{l()&&(e.logger.info("Token expiring soon, refreshing on focus"),await r());}catch{}},f=async()=>{document.visibilityState==="visible"&&await d();};return 
window.addEventListener("focus",d),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",d),document.removeEventListener("visibilitychange",f);}},[e,r]),react.useEffect(()=>{let d=()=>{let S=Math.floor(Date.now()/1e3),E=e.tokenExpRef.current,m=e.sessionExpiry,k=!!E&&E-S<=30&&E-S>0,b=!!m&&m-S<=3600&&m-S>0;return {tokenSoon:k,sessionSoon:b}},f=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:S,sessionSoon:E}=d();(S||E)&&(e.logger.info("Refreshing on focus",{tokenSoon:S,sessionSoon:E}),await r()&&E&&await n());}catch{}},w=async()=>{document.visibilityState==="visible"&&await f();};return window.addEventListener("focus",f),document.addEventListener("visibilitychange",w),()=>{window.removeEventListener("focus",f),document.removeEventListener("visibilitychange",w);}},[e,e.sessionExpiry,r,n]);};var Wr=react.createContext(void 0),qn=e=>{let t=kr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=vr(t),a=Ar(t,r),{session:i,verify:c}=Tr(t,a);Ir(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let u=react.useMemo(()=>({get:(s,l)=>a("GET",s,void 0,l),post:(s,l,d)=>a("POST",s,l,d),verify:c,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,c,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsxRuntime.jsx(Wr.Provider,{value:u,children:e.children})},zn=e=>jsxRuntime.jsx(kt,{clientId:e.clientId,children:jsxRuntime.jsx(qn,{...e})}),Xn=()=>{let e=react.useContext(Wr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
|
|
22
|
+
`.trim()}};var Wn=()=>crypto.randomUUID(),Pr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:c,refreshDeps:u=[],debug:s}=e,l=ft(n),d=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:f,setBoundWallet:w,setJkt:b,setRefreshId:R,getRefreshId:m,setLastPolicyHash:k,setLastPolicyProof:S,setLastHost:H,setRootJkt:p,ready:g}=Pt(),{ensureRootKeypair:y,rootPrivRef:P,rootPubJwkRef:C}=Kt(),O=react.useCallback(async()=>{await y();try{if(!f.rootJkt&&C.current){let te=await _(C.current);p(te);}}catch{}},[y,f.rootJkt,C]),{ensureKeypair:ve,rotate:K,privRef:$e,pubJwkRef:Oe}=At(),[Jt,J]=react.useState(false),[V,j]=react.useState(0),[ee,se]=react.useState(null),[oe,nt]=react.useState(null),[ot,at]=react.useState(null),[Wr,Jr]=react.useState(null),Dr=react.useRef(null),Lr=react.useRef(null),_r=react.useRef(null),Hr=react.useRef(null),Mr=react.useRef(null),$r=react.useRef(null),Or=react.useRef(null),jr=react.useRef(false),Ur=react.useRef(false),Nr=react.useRef(void 0),je=react.useRef(false),it=react.useRef(false),Dt=react.useRef(null),ce=react.useRef(null);ce.current||(ce.current=new Promise(te=>{Dt.current=te;}));let st=react.useRef(null),Fr=react.useRef(i),Br=react.useRef(null),ye=react.useRef(null);if(!ye.current){let te=s??false;ye.current=new Le(t,te);}let Lt=s??false;ye.current&&ye.current.enabled!==Lt&&(ye.current.enabled=Lt);let ct=react.useRef(null);ct.current||(ct.current=new tt);let Ue=react.useRef(null),_t=react.useRef(null),Ne=react.useRef(null),Ht=()=>Date.now(),Gr=()=>(Ne.current??0)>0&&Ne.current<Ht(),lt=react.useCallback((te,Zr=15e3)=>{let Mt=Wn();return Ue.current=Mt,_t.current=te,Ne.current=Ht()+Math.max(1e3,Zr),Mt},[]),Vr=react.useCallback(()=>((!Ue.current||Gr())&<("adhoc",1e4),Ue.current),[lt]),ut=react.useRef(null),Fe=react.useRef(null);Fe.current||(Fe.current=new Promise(te=>{ut.current=te;}));let qr=react.useCallback(async()=>{!je.current&&Fe.current&&await 
Fe.current;},[]),zr=react.useCallback(()=>{je.current||(je.current=true,ut.current?.(),ut.current=null);},[]),Xr=react.useCallback(async()=>{!it.current&&ce.current&&await ce.current;},[]),Yr=react.useCallback(async()=>{!it.current&&ce.current&&await ce.current,st.current&&await st.current;},[]);return {clientId:t,wallet:r,baseUrl:l,fetchImpl:d,timeoutMs:a,providerAdapter:c,refreshDeps:u,ensureKeypair:ve,rotate:K,ensureRootKeypair:O,rootPrivRef:P,rootPubJwkRef:C,privRef:$e,pubJwkRef:Oe,meta:f,setBoundWallet:w,setJkt:b,setRefreshId:R,accessTokenRef:_r,tokenExpRef:Hr,authenticated:Jt,setAuthenticated:J,loadingCount:V,setLoadingCount:j,error:ee,setError:se,allowed:oe,setAllowed:nt,sessionExpiry:ot,setSessionExpiry:at,sessionData:Wr,setSessionData:Jr,authWalletRef:Lr,refreshLock:Mr,registerLock:$r,sessionLock:Or,didInitialRefresh:jr,didInitialSession:Ur,prevWalletRef:Nr,initResolvedRef:it,initReady:ce,initResolveRef:Dt,rotateLock:st,waitReady:Xr,awaitKeyStable:Yr,proofRef:Fr,registerCooldownUntilRef:Dr,reqIdRef:Ue,flowLabelRef:_t,flowExpireRef:Ne,beginFlow:lt,currentReqId:Vr,awaitProbe:qr,markProbed:zr,hasProbedRef:je,getRefreshId:m,setLastPolicyHash:k,setLastPolicyProof:S,setLastHost:H,setRootJkt:p,metaReady:g,probeLock:Br,stateMachine:ct.current,logger:ye.current}};var G=e=>e.accessTokenRef.current??null,Z=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},W=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Jn=(e,t)=>`${e.toUpperCase()} ${t}`;async function _e(e,t,r,n){if(!t)return e.logger.guard("register",false,"No wallet provided"),false;e.logger.flow("register","Starting register flow",{wallet:t});let o=_e._nonceCacheRef||(_e._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let a;try{if(await 
e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let y=await _(e.rootPubJwkRef.current);e.setRootJkt?.(y);}catch{}let p=await _(W(e)),g=await e.getRefreshId();a=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:p,clientId:e.clientId,sid:g||void 0,ttlSec:300});}}catch(p){e.logger.warn("Failed to create PODE for register",p);}let i=e.currentReqId(),c="/auth/register",u=`${e.baseUrl}${c}`,s=new URL(e.baseUrl).origin,l="POST",d=`${s}${c}`,f=Jn(l,d),w=o.map.get(f),b=await B({method:l,url:d,nonce:w,privateKey:Z(e),publicJwk:W(e)}),R=async p=>e.fetchImpl(u,{method:l,headers:{"content-type":"application/json","x-sunbreak-meta":F(e,{reqId:i,pode:a||void 0}),...p},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),m=await R({DPoP:b}),k=p=>{let g=p.headers.get("dpop-nonce");g&&o.map.set(f,g);};if(m.status===401){e.logger.info("Register got 401, retrying with nonce");let p=m.headers.get("www-authenticate"),y=(p&&p.match(/dpop-nonce="([^"]+)"/i))?.[1];if(y){o.map.set(f,y);let P=await B({method:l,url:d,nonce:y,privateKey:Z(e),publicJwk:W(e)});m=await R({DPoP:P});}}if(k(m),e.logger.api(l,c,{status:m.status}),!m.ok){let p=await De(m);if((m.headers.get("content-type")||"").includes("application/json")){let y;try{y=await m.clone().json();}catch{}let P=Je(y&&(y.error||y.message||y.detail)||`HTTP ${m.status}`);throw pe(P,p)}else {let y=p.waf?"Blocked by WAF (403)":p.alb403?"Blocked at origin (ALB 403)":`HTTP ${m.status}`;throw pe(y,p)}}let S=await m.json();e.logger.info("Register succeeded",{expiresIn:S.expiresIn,hasRefreshId:!!S.refreshId}),e.accessTokenRef.current=S.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let p=Math.floor(Date.now()/1e3);e.tokenExpRef.current=p+(S.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await _(W(e)));}catch{}try{let 
p={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:S.refreshId??null};e.setRefreshId(S.refreshId??null);let g=Ce(e.clientId);await E(g,p);try{localStorage.setItem(g,JSON.stringify(p));}catch{}}catch{}let H={wallet:t,boundWallet:t,refreshId:S.refreshId??null,hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!0,authenticated:!0};return e.stateMachine.onRegisterSuccess(H),!0}catch(a){let i=Number(a?.status||0),c=String(a?.code||"").toLowerCase(),u=String(a?.message||"").toLowerCase(),s=Math.floor(Math.random()*1e3);e.logger.error("Register failed",{status:i,code:c,msg:u}),e.stateMachine.onRegisterFailure(`${c||u||"Unknown error"}`);let l=c==="session_exists"||c==="already_authenticated"||u.includes("already")&&(u.includes("session")||u.includes("authenticated")),d=(i===401||i===403)&&c==="replay";if((l||d)&&n?.refreshFallback&&(!e.meta.boundWallet||e.meta.boundWallet.toLowerCase()===t.toLowerCase())){e.logger.info("Register failed with recoverable error, attempting refresh fallback",{code:c,isSessionExists:l,isReplay:d});try{if(await n.refreshFallback())return e.logger.info("Refresh fallback succeeded after register failure"),e.meta.boundWallet||e.setBoundWallet(t),!0}catch(w){e.logger.warn("Refresh fallback failed",w);}}if(d){if(e.providerAdapter)try{let f=await e.providerAdapter.getToken()??null;if(f)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Ae(e.providerAdapter,f),e.registerCooldownUntilRef.current=Date.now()+5e3+s,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+s,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+s,false}if(l)return e.setError("Session already exists. 
Try refreshing the page."),e.registerCooldownUntilRef.current=Date.now()+3e3+s,false;if(i===403&&(a?.waf||a?.alb403))return e.setError(u||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+s,false;if(i===403)return e.setError(c||u||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+s,false;if(i===429||i===503){e.setError(c||u||"Rate limited / unavailable");let f=i===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+f+s,false}return e.setError(c||u||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+s,false}}var Dn=(e,t)=>`${e.toUpperCase()} ${t}`;function He(e){if(e.refreshLock.current)return e.logger.guard("refreshLock",false,"Refresh already in progress"),e.refreshLock.current;if(e.registerLock.current){e.logger.guard("registerLock",false,"Registration in progress, waiting");let t=e.registerLock.current.then(()=>{if(e.authenticated&&G(e))return true;if(G(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return true}return false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.logger.flow("refresh","Starting refresh flow"),e.refreshLock.current=(async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe();let t=e.meta.boundWallet||e.wallet;if(!t)return e.logger.warn("No wallet available for refresh (neither boundWallet nor current wallet)"),!1;if(e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.logger.warn("Wallet mismatch during refresh",{current:e.wallet,bound:e.meta.boundWallet}),e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let r=G(e);if(r){let y=e.tokenExpRef.current,P=Math.floor(Date.now()/1e3);if(!!r&&!!y&&y-P>5)return e.logger.info("Token still valid, skipping refresh"),!0}e.beginFlow("refresh",15e3);let n=e.currentReqId();await e.ensureKeypair();let o;try{if(await 
e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let C=await _(e.rootPubJwkRef.current);e.setRootJkt?.(C);}catch{}let y=await _(W(e)),P=await e.getRefreshId();o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:y,clientId:e.clientId,sid:P||void 0,ttlSec:300});}}catch(y){e.logger.warn("Failed to create PODE for refresh",y);}let a="/auth/refresh",i=`${e.baseUrl}${a}`,c=new URL(e.baseUrl).origin,u="POST",s=`${c}${a}`,l=Dn(u,s),d=He._nonceCacheRef||(He._nonceCacheRef={map:new Map}),f=async y=>await B({method:u,url:s,nonce:y,privateKey:Z(e),publicJwk:W(e)}),w=await e.getRefreshId(),b={"x-sunbreak-meta":F(e,{reqId:n,refreshId:w||void 0,pode:o||void 0,wallet:t}),"content-type":"application/json"},R=async y=>e.fetchImpl(i,{method:u,headers:{DPoP:y,...b},credentials:"include",body:"{}"}),m=y=>{let P=y.headers.get("dpop-nonce");P&&d.map.set(l,P);},k=await R(await f(d.map.get(l)));if(k.status===401){e.logger.info("Refresh got 401, retrying with nonce");let y=k.headers.get("www-authenticate"),C=(y&&y.match(/dpop-nonce="([^"]+)"/i))?.[1];C&&(d.map.set(l,C),k=await R(await f(C)));}if(m(k),e.logger.api(u,a,{status:k.status}),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let P=await k.clone().json().catch(()=>{}),C=P&&(P.error||P.code||P.message)||"",O=String(C).toLowerCase();if(O.includes("missing")&&O.includes("refresh")){e.logger.warn("Refresh session expired (missing refresh identifier)"),e.stateMachine.onRefreshExpired();try{e.setRefreshId?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}else e.logger.warn("Refresh failed",{error:C}),e.stateMachine.onRefreshFailure(String(C));}}catch{}return !1}let S=await k.json();e.logger.info("Refresh succeeded",{expiresIn:S.expiresIn,hasRefreshId:!!S.refreshId}),e.accessTokenRef.current=S.access,e.setAuthenticated(!0);let 
H=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=H?H.toLowerCase():null;try{let y=Math.floor(Date.now()/1e3);e.tokenExpRef.current=y+(S.expiresIn??0);}catch{}try{e.setJkt(await _(W(e)));}catch{}S.refreshId&&e.setRefreshId(S.refreshId);let p=y=>!y||y==="null"||y==="undefined"?null:y,g={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:p(S.refreshId??e.meta.refreshId??null),hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!!e.proofRef.current,authenticated:!0};return e.stateMachine.onRefreshSuccess(g),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var Ln=(e,t)=>`${e.toUpperCase()} ${t}`,Tt=new Map,Me;try{let e=globalThis;Me=e.__sunbreak_page_probe_guard??(e.__sunbreak_page_probe_guard=new Set);}catch{Me=new Set;}var _n=e=>{try{let t=new URL(e.baseUrl).origin;return `${e.clientId}::${t}`}catch{return `${e.clientId}::${e.baseUrl}`}};async function vr(e){let t=_n(e);if(e.probeLock.current){e.logger.guard("probeLock",false,"Probe already in progress, waiting"),await e.probeLock.current,e.markProbed();return}if(e.hasProbedRef.current){e.logger.guard("hasProbedRef",false,"Already probed in this session"),e.markProbed();return}if(Me.has(t)){e.logger.guard("pageProbeGuard",false,"Already probed for this page load"),e.markProbed();return}Me.add(t),e.logger.flow("probe","Starting probe flow",{clientId:e.clientId,pageKey:t});let r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let o;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let m=await _(W(e));o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:m,clientId:e.clientId,ttlSec:300});}catch(m){e.logger.warn("Failed to create PODE for probe",m);}let a="POST",i="/auth/probe",c=`${e.baseUrl}${i}`,u=`${n}${i}`,s=Ln(a,u),l=async 
m=>B({method:a,url:u,nonce:m,privateKey:Z(e),publicJwk:W(e)}),d=async m=>e.fetchImpl(c,{method:a,headers:{DPoP:m,"x-sunbreak-meta":F(e,{pode:o}),"content-type":"application/json"},credentials:"include",body:"{}"}),f=m=>{let k=m.headers.get("dpop-nonce");k&&Tt.set(s,k);},w=await d(await l(Tt.get(s)));if(f(w),w.status===401){e.logger.info("Probe got 401, retrying with nonce from www-authenticate");let m=w.headers.get("www-authenticate"),S=(m&&m.match(/dpop-nonce="([^"]+)"/i))?.[1];S&&(Tt.set(s,S),w=await d(await l(S)),f(w));}e.logger.api(a,i,{status:w.status});let b=m=>!m||m==="null"||m==="undefined"?null:m,R={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:b(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated};e.stateMachine.onProbeComplete(R);}catch(o){e.logger.error("Probe failed",o);try{Me.delete(t);}catch{}}finally{e.markProbed(),e.logger.flow("probe","Probe flow completed");}})();e.probeLock.current=r;try{await r;}finally{e.probeLock.current=null;}}var Ar=e=>{let t=react.useCallback(()=>He(e),[e]),r=react.useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a){e.logger.guard("registerCooldown",false,"Cooldown active");return}if(!e.wallet){e.logger.guard("attemptRegister",false,"No wallet");return}if(!e.initResolvedRef.current){e.logger.guard("attemptRegister",false,"Not initialized");return}if(e.refreshLock.current){e.logger.guard("attemptRegister",false,"Refresh in progress");return}if(e.registerLock.current){e.logger.guard("attemptRegister",false,"Register already in progress");return}let 
i=s=>!s||s==="null"||s==="undefined"?null:s,c={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:i(e.meta.refreshId),hasToken:!!G(e),tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated};if(!e.stateMachine.shouldAttemptRegister(c)){e.logger.guard("attemptRegister",false,`State machine blocked (state: ${e.stateMachine.getState()}, inActiveSession: ${e.stateMachine.isInActiveSession()})`);return}let u=e.proofRef.current;if(!u){e.logger.guard("attemptRegister",false,"No proof available");return}e.logger.guard("attemptRegister",true,"All guards passed, proceeding"),await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await _e(e,e.wallet,u,{refreshFallback:async()=>{e.logger.info("Attempting refresh as fallback after register failure");let l=!!e.meta.boundWallet;!l&&e.wallet&&e.setBoundWallet(e.wallet);try{return await He(e)}catch{return l||e.setBoundWallet(null),!1}}})&&(e.didInitialSession.current=!0);}catch(s){e.setError(s?.message||String(s)||"Register failed");}finally{e.registerLock.current=null;}})();},[e]),n=react.useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Ae(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a,i)=>_e(e,o,a,i),attemptRegister:r,setProofFromAdapterToken:n}};var Hn=(e,t)=>`${e.toUpperCase()} ${t}`,Mn=(e,t)=>!!e&&!!t&&e.toLowerCase()===t.toLowerCase();async function rt(e,t,r,n,o,a={}){e.setLoadingCount(s=>s+1),e.setError(null);let i=n.startsWith("/api/session"),c=new AbortController,u=setTimeout(()=>c.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?pt(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,f=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,w=Hn(r,f),b=n.startsWith("/auth/"),R=!1,m=!1,k=e.currentReqId(),S=rt._nonceCacheRef||(rt._nonceCacheRef={map:new Map}),H=J=>{let 
V=J.headers.get("dpop-nonce");V&&S.map.set(w,V);},p=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),g=()=>b||!e.wallet?!1:!!(e.authenticated||Mn(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),y,P,C=async()=>{if(b||p)return;try{let se=G(e),oe=e.tokenExpRef.current,nt=Math.floor(Date.now()/1e3),ot=!!oe&&oe-nt<=60;if(se){if(ot&&!await t().catch(()=>!1))return}else if(!g()||!await t().catch(()=>!1))return}catch{}let J=G(e);if(!J)return;let V=await Ze(J),j=S.map.get(w),ee=await B({method:r,url:f,nonce:j,ath:V,privateKey:Z(e),publicJwk:W(e)});y=`Bearer ${e.accessTokenRef.current}`,P=ee;};await C();let O={"content-type":"application/json","x-sunbreak-auth":y||"","x-sunbreak-meta":F(e,{reqId:k,auth:y,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...ht(a.headers)};P&&(O.DPoP=P);let ve=async()=>e.fetchImpl(l,{...a,method:r,headers:O,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:c.signal}),K=await ve(),$e=K.headers.get("x-sunbreak-policy-hash"),Oe=K.headers.get("x-sunbreak-policy-proof");if($e&&e.setLastPolicyHash($e),Oe&&e.setLastPolicyProof(Oe),H(K),K.status===401&&!b){let J=G(e),V=K.headers.get("www-authenticate"),ee=(V&&V.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!p&&ee&&J&&!m){m=!0,S.map.set(w,ee);let se=await Ze(J),oe=await B({method:r,url:f,nonce:ee,ath:se,privateKey:Z(e),publicJwk:W(e)});y=`Bearer ${e.accessTokenRef.current}`,P=oe,O["x-sunbreak-meta"]=F(e,{reqId:k,auth:y}),O.DPoP=P,K=await ve(),H(K);}if(K.status===401&&!R&&(R=!0,!p&&g())){let se=await t(),oe=G(e);se&&oe&&!p&&(await C(),O["x-sunbreak-meta"]=F(e,{reqId:k,auth:y}),P&&(O.DPoP=P),K=await ve(),H(K));}if(K.status===401)throw new Error("Unauthorized")}if(!K.ok){let J=await De(K);if((K.headers.get("content-type")||"").includes("application/json")){let j=await K.json().catch(()=>{}),ee=Je(j&&(j.error||j.message||j.detail)||`HTTP ${K.status}`);throw 
pe(ee,J)}else {let j=J.waf?"Blocked by WAF (403)":J.alb403?"Blocked at origin (ALB 403)":`HTTP ${K.status}`;throw pe(j,J)}}return (K.headers.get("content-type")||"").includes("application/json")?await K.json():void 0}finally{clearTimeout(u),e.setLoadingCount(s=>Math.max(0,s-1));}}var xr=(e,t)=>react.useCallback(async(r,n,o,a={})=>rt(e,t,r,n,o,a),[e,t]);async function Kr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}var Cr=(e,t)=>({session:react.useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await Kr(e,t)}catch(n){throw e.logger.error("Session request failed",n),n}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t])});var Tr=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t,c=()=>(e.registerCooldownUntilRef.current??0)>Date.now(),u=()=>{let s=l=>!l||l==="null"||l==="undefined"?null:l;return {wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:s(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated}};react.useEffect(()=>{if(!e.metaReady)return;let s=true;return (async()=>{try{if(await e.waitReady(),!s||(await e.awaitKeyStable(),!s)||(await e.ensureRootKeypair(),!s))return;let l=u();e.stateMachine.initialize(l),await vr(e);}catch(l){if(!s)return;e.logger.error("Probe initialization failed",l);}})(),()=>{s=false;}},[e.metaReady]),react.useEffect(()=>{let s=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==s&&(e.didInitialRefresh.current=false),!e.wallet){e.logger.flow("wallet","Wallet 
disconnected"),e.stateMachine.onWalletDisconnect(),e.setAllowed(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}if(s&&e.wallet&&s!==e.wallet){e.logger.flow("wallet",`Wallet changed: ${s} \u2192 ${e.wallet}`);let l=u();e.stateMachine.onWalletChange(s,e.wallet,l),e.proofRef.current=null,e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.rotateLock.current=(async()=>{await e.rotate();})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;});}if(!s&&e.wallet){if(e.logger.flow("wallet",`Wallet connected: ${e.wallet}`),e.didInitialSession.current=false,!e.metaReady){e.logger.info("Wallet connected but meta not ready, deferring state machine update");return}let l=u();e.stateMachine.onWalletChange(null,e.wallet,l);}},[e.wallet,e.metaReady]),react.useEffect(()=>{if(!e.providerAdapter||c()||!e.metaReady||!e.wallet)return;if(e.stateMachine.isInActiveSession()){e.logger.decision("Provider adapter should trigger register?",false,"Already in active session");return}if(e.authenticated){e.logger.decision("Provider adapter should trigger register?",false,"Already authenticated");return}let s=u();if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,s)){e.logger.decision("Provider adapter should wait for initial refresh?",true,"Returning user - refresh first");return}e.logger.decision("Provider adapter should trigger register?",true,`Fetching token (state: ${e.stateMachine.getState()})`);let l=false;return (async()=>{try{let d=e.providerAdapter.getToken(),f=new Promise((b,R)=>setTimeout(()=>R(new Error("Provider adapter timeout (30s)")),3e4)),w=await 
Promise.race([d,f]).catch(b=>(e.logger.warn("Provider adapter getToken failed",b),null))??null;if(await e.awaitKeyStable(),l||!w)return;try{let b=w.split(".");if(b[1]){let R=JSON.parse(atob(b[1]));e.logger.info("Provider adapter: got token",{wallet:e.wallet,jwtSub:R.sub,jwtWallet:R.wallet||R.linked_accounts?.[0]?.address,jwtExp:R.exp,jwtIat:R.iat});}}catch{e.logger.info("Provider adapter: got token (could not decode)");}await a(w),await o();}catch(d){e.logger.error("Provider adapter flow failed",d);}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef,e.didInitialRefresh,e.authenticated,...e.refreshDeps]),react.useEffect(()=>{if(typeof i<"u"&&(e.proofRef.current=i??null,i&&e.logger.info("Proof prop updated",{hasProof:!!i})),!e.metaReady)return;let s=u();if(!e.stateMachine.shouldAttemptRegister(s)){e.logger.decision("Proof prop should trigger register?",false,`State machine says no (state: ${e.stateMachine.getState()}, inActiveSession: ${e.stateMachine.isInActiveSession()})`);return}if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,s)){e.logger.decision("Proof prop should wait for initial refresh?",true,"Returning user - refresh first");return}let l=!!e.wallet,d=!!e.proofRef.current;l&&d&&e.initResolvedRef.current&&!c()&&(e.logger.info("Proof prop conditions met, attempting register"),o());},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef,e.didInitialRefresh,o]),react.useEffect(()=>{if(!e.metaReady||e.didInitialRefresh.current)return;let s=true;return (async()=>{try{await e.waitReady(),await e.awaitProbe();let l=u();if(e.accessTokenRef.current||e.authenticated){e.logger.info("Already authenticated, skipping initial refresh"),e.didInitialRefresh.current=!0,e.wallet&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}if(!e.stateMachine.shouldAttemptRefresh(l)){e.logger.decision("Should attempt initial 
refresh?",!1,`State: ${e.stateMachine.getState()}`),e.didInitialRefresh.current=!0;return}e.logger.decision("Should attempt initial refresh?",!0,`State: ${e.stateMachine.getState()}`),e.didInitialRefresh.current=!0;let f=await r();if(!s)return;e.setAuthenticated(f),f&&e.wallet&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(l){if(!s)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(l?.message||String(l)||"Unknown error");}})(),()=>{s=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,e.didInitialRefresh,r,n]),react.useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),react.useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{e.logger.flow("session","Calling session after authentication"),await n();}catch(s){e.setError(s?.message||String(s));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),react.useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.logger.warn("Wallet mismatch detected, clearing auth",{current:e.wallet,authWallet:e.authWalletRef.current}),e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),react.useEffect(()=>{let l=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return false;let w=e.tokenExpRef.current;if(!w)return false;let b=Math.floor(Date.now()/1e3);return 
w-b<=30},d=async()=>{try{l()&&(e.logger.info("Token expiring soon, refreshing on focus"),await r());}catch{}},f=async()=>{document.visibilityState==="visible"&&await d();};return window.addEventListener("focus",d),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",d),document.removeEventListener("visibilitychange",f);}},[e,r]),react.useEffect(()=>{let d=()=>{let b=Math.floor(Date.now()/1e3),R=e.tokenExpRef.current,m=e.sessionExpiry,k=!!R&&R-b<=30&&R-b>0,S=!!m&&m-b<=3600&&m-b>0;return {tokenSoon:k,sessionSoon:S}},f=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:b,sessionSoon:R}=d();(b||R)&&(e.logger.info("Refreshing on focus",{tokenSoon:b,sessionSoon:R}),await r()&&R&&await n());}catch{}},w=async()=>{document.visibilityState==="visible"&&await f();};return window.addEventListener("focus",f),document.addEventListener("visibilitychange",w),()=>{window.removeEventListener("focus",f),document.removeEventListener("visibilitychange",w);}},[e,e.sessionExpiry,r,n]);};var Ir=react.createContext(void 0),Fn=e=>{let t=Pr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=Ar(t),a=xr(t,r),{session:i}=Cr(t,a);Tr(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let c=react.useMemo(()=>({get:(u,s)=>a("GET",u,void 0,s),post:(u,s,l)=>a("POST",u,s,l),session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,wallet:t.wallet}),[a,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.sessionExpiry,t.sessionData,t.wallet]);return jsxRuntime.jsx(Ir.Provider,{value:c,children:e.children})},Bn=e=>jsxRuntime.jsx(kt,{clientId:e.clientId,children:jsxRuntime.jsx(Fn,{...e})}),Gn=()=>{let e=react.useContext(Ir);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
|
|
23
23
|
|
|
24
|
-
exports.SunbreakProvider =
|
|
25
|
-
exports.useSunbreak =
|
|
24
|
+
exports.SunbreakProvider = Bn;
|
|
25
|
+
exports.useSunbreak = Gn;
|
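--- a/package/dist/index.d.cts
+++ b/package/dist/index.d.cts
@@ -52,32 +52,23 @@ type ProviderAdapter = {
 getToken: () => Promise<string | null | undefined>;
 meta: any;
 };
-type Reason = "region" | "vpn" | "ofac" | "ofac_region";
 interface SessionResp {
-allowed: boolean;
-reason?: Reason | null;
-expiry: number | null;
-country: string | null;
-}
-interface VerifyResp {
 allowed: boolean;
 expiry: number;
+country: string;
 wallet: string;
 }
 interface SunbreakContextType {
 get: <T = unknown>(path: string, opts?: RequestInit) => Promise<T | undefined>;
 post: <T = unknown>(path: string, body?: unknown, opts?: RequestInit) => Promise<T | undefined>;
-verify: () => Promise<VerifyResp | undefined>;
 session: () => Promise<SessionResp | undefined>;
 refresh: () => Promise<boolean>;
 authenticated: boolean;
 loading: boolean;
 error: string | null;
 allowed: boolean | null;
-denyReason: Reason | null;
 sessionExpiry: number | null;
 sessionData: SessionResp | null;
-verifyData: VerifyResp | null;
 wallet?: string;
 }
 interface SunbreakProviderProps {
@@ -111,4 +102,4 @@ interface SunbreakProviderProps {
 declare const SunbreakProvider: React$1.FC<SunbreakProviderProps>;
 declare const useSunbreak: () => SunbreakContextType;
 
-export { type Proof, type ProviderAdapter, type ProviderJwtProof, type SessionResp, type SunbreakContextType, SunbreakProvider, type SunbreakProviderProps,
+export { type Proof, type ProviderAdapter, type ProviderJwtProof, type SessionResp, type SunbreakContextType, SunbreakProvider, type SunbreakProviderProps, useSunbreak };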
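Review bot: `allowed: boolean | null` in `SunbreakContextType` is now the only access signal a consumer can gate on, since `denyReason` and `verify` are removed, and nothing in the declaration says what `null` means. If `null` is the "no session result yet" state (inferred, not shown here), a gate written as `allowed !== false` passes before any decision exists. A doc comment on the field would make the fail-closed reading explicit, for example `/** null until a session result is available; treat any value other than true as not allowed. */`. Separately, the merged `SessionResp` declares `expiry: number` and `country: string` where the old `SessionResp` allowed `null`. Whether the response is validated at runtime is not visible in this declaration file, so it is worth confirming the server never returns `null` for these fields. The same two points apply to the identical hunks in `package/dist/index.d.ts`.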
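--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -52,32 +52,23 @@ type ProviderAdapter = {
 getToken: () => Promise<string | null | undefined>;
 meta: any;
 };
-type Reason = "region" | "vpn" | "ofac" | "ofac_region";
 interface SessionResp {
-allowed: boolean;
-reason?: Reason | null;
-expiry: number | null;
-country: string | null;
-}
-interface VerifyResp {
 allowed: boolean;
 expiry: number;
+country: string;
 wallet: string;
 }
 interface SunbreakContextType {
 get: <T = unknown>(path: string, opts?: RequestInit) => Promise<T | undefined>;
 post: <T = unknown>(path: string, body?: unknown, opts?: RequestInit) => Promise<T | undefined>;
-verify: () => Promise<VerifyResp | undefined>;
 session: () => Promise<SessionResp | undefined>;
 refresh: () => Promise<boolean>;
 authenticated: boolean;
 loading: boolean;
 error: string | null;
 allowed: boolean | null;
-denyReason: Reason | null;
 sessionExpiry: number | null;
 sessionData: SessionResp | null;
-verifyData: VerifyResp | null;
 wallet?: string;
 }
 interface SunbreakProviderProps {
@@ -111,4 +102,4 @@ interface SunbreakProviderProps {
 declare const SunbreakProvider: React$1.FC<SunbreakProviderProps>;
 declare const useSunbreak: () => SunbreakContextType;
 
-export { type Proof, type ProviderAdapter, type ProviderJwtProof, type SessionResp, type SunbreakContextType, SunbreakProvider, type SunbreakProviderProps,
+export { type Proof, type ProviderAdapter, type ProviderJwtProof, type SessionResp, type SunbreakContextType, SunbreakProvider, type SunbreakProviderProps, useSunbreak };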
package/dist/index.mjs
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import { createContext, useContext, useState, useRef, useMemo, useEffect, useCallback } from 'react';
|
|
2
2
|
import { jsx } from 'react/jsx-runtime';
|
|
3
3
|
|
|
4
|
-
var on=Object.defineProperty;var Mt=e=>{throw TypeError(e)};var an=(e,t,r)=>t in e?on(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var M=(e,t,r)=>an(e,typeof t!="symbol"?t+"":t,r),$t=(e,t,r)=>t.has(e)||Mt("Cannot "+r);var h=(e,t,r)=>($t(e,t,"read from private field"),r?r.call(e):t.get(e)),j=(e,t,r)=>t.has(e)?Mt("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),N=(e,t,r,n)=>($t(e,t,"write to private field"),t.set(e,r),r);var ve=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var sn="sunbreak-kv",Ae="kv",Fe="sunbreak_dpop_meta_v1",T="sunbreak_dpop_key_v1",xe="ES256",v="P-256",Ke=e=>`${Fe}:${e}`,Ot=()=>new Promise((e,t)=>{let r=indexedDB.open(sn,1);r.onupgradeneeded=()=>r.result.createObjectStore(Ae),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),I=async e=>{try{let t=await Ot();return await new Promise((r,n)=>{let a=t.transaction(Ae,"readonly").objectStore(Ae).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},R=async(e,t)=>{let r=await Ot();await new Promise((n,o)=>{let i=r.transaction(Ae,"readwrite").objectStore(Ae).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var cn=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},ln=e=>e.replace(/\/+$/,""),ft=e=>{let t=ln(e);return cn(t)};function pt(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=un(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var un=e=>{for(let 
t=0;t<dt.length;t++){let r=dt[Math.floor(Math.random()*dt.length)].toLowerCase();if(r!==e)return r}return "alpha"},dt=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var F=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var fn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),dn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),pn=new Set(["dpop","x-sunbreak-meta"]),hn=64,Ut=2048,yn=64;function ht(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=yn)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>hn||fn.has(i)||dn.has(i)||pn.has(i))continue;let c=String(a);c.length>Ut&&(c=c.slice(0,Ut)),t[i]=c,n++;}return t}var re=new TextEncoder,me=new TextDecoder;function jt(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Nt(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Ft(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function 
Bt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Ft(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Be(e){let t=e;return typeof t=="string"&&(t=re.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Nt(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ue=class extends Error{constructor(r,n){super(r,n);M(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};M(ue,"code","ERR_JOSE_GENERIC");var D=class extends ue{constructor(){super(...arguments);M(this,"code","ERR_JOSE_NOT_SUPPORTED");}};M(D,"code","ERR_JOSE_NOT_SUPPORTED");var ne=class extends ue{constructor(){super(...arguments);M(this,"code","ERR_JWS_INVALID");}};M(ne,"code","ERR_JWS_INVALID");var Ce=class extends ue{constructor(){super(...arguments);M(this,"code","ERR_JWT_INVALID");}};M(Ce,"code","ERR_JWT_INVALID");var Vt,Gt,yt=class extends(Gt=ue,Vt=Symbol.asyncIterator,Gt){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);M(this,Vt);M(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};M(yt,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function q(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function mt(e){return parseInt(e.name.slice(4),10)}function gn(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function bn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function qt(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw q("HMAC");let 
n=parseInt(t.slice(2),10);if(mt(e.algorithm.hash)!==n)throw q(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw q("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(mt(e.algorithm.hash)!==n)throw q(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw q("RSA-PSS");let n=parseInt(t.slice(2),10);if(mt(e.algorithm.hash)!==n)throw q(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw q("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw q(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw q("ECDSA");let n=gn(t);if(e.algorithm.namedCurve!==n)throw q(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}bn(e,r);}function zt(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Xt=(e,...t)=>zt("Key must be ",e,...t);function wt(e,t,...r){return zt(`Key for the ${e} algorithm must be `,t,...r)}function gt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function bt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var St=e=>gt(e)||bt(e);var Yt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return false;r.add(a);}}return true};function Sn(e){return typeof e=="object"&&e!==null}var Ve=e=>{if(!Sn(e)||Object.prototype.toString.call(e)!=="[object Object]")return false;if(Object.getPrototypeOf(e)===null)return 
true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Zt=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function Rn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new D('Invalid or 
unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var Qt=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=Rn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var er=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new D(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Te(e){return Ve(e)&&typeof e.kty=="string"}function tr(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function rr(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function nr(e){return e.kty==="oct"&&typeof e.k=="string"}var ge,or=async(e,t,r,n=false)=>{ge||(ge=new WeakMap);let o=ge.get(e);if(o?.[r])return o[r];let a=await Qt({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:ge.set(e,{[r]:a}),a},kn=(e,t)=>{ge||(ge=new WeakMap);let r=ge.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this 
algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let c=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!c)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&c==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES384"&&c==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES512"&&c==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:c},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:ge.set(e,{[t]:a}),a},ar=async(e,t)=>{if(e instanceof Uint8Array||gt(e))return e;if(bt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof 
e.toCryptoKey=="function")try{return kn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return or(e,r,t)}if(Te(e))return e.k?Bt(e.k):or(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],Rt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return true},Pn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Te(t)){if(nr(t)&&Rt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!St(t))throw new TypeError(wt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},vn=(e,t,r)=>{if(Te(t))switch(r){case "decrypt":case "sign":if(tr(t)&&Rt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(rr(t)&&Rt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!St(t))throw new TypeError(wt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for 
asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},ir=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?Pn(e,t,r):vn(e,t,r);};var sr=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new D(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var cr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Xt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return qt(t,e,r),t};var ae=e=>Math.floor(e.getTime()/1e3);var An=/^(\+|\-)? 
?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Ge=e=>{let t=An.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function fe(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var x,qe=class{constructor(t){j(this,x);if(!Ve(t))throw new TypeError("JWT Claims Set MUST be an object");N(this,x,structuredClone(t));}data(){return re.encode(JSON.stringify(h(this,x)))}get iss(){return h(this,x).iss}set iss(t){h(this,x).iss=t;}get sub(){return h(this,x).sub}set sub(t){h(this,x).sub=t;}get aud(){return h(this,x).aud}set aud(t){h(this,x).aud=t;}set jti(t){h(this,x).jti=t;}set nbf(t){typeof t=="number"?h(this,x).nbf=fe("setNotBefore",t):t instanceof Date?h(this,x).nbf=fe("setNotBefore",ae(t)):h(this,x).nbf=ae(new Date)+Ge(t);}set exp(t){typeof t=="number"?h(this,x).exp=fe("setExpirationTime",t):t instanceof Date?h(this,x).exp=fe("setExpirationTime",ae(t)):h(this,x).exp=ae(new Date)+Ge(t);}set iat(t){typeof t>"u"?h(this,x).iat=ae(new Date):t instanceof Date?h(this,x).iat=fe("setIssuedAt",ae(t)):typeof t=="string"?h(this,x).iat=fe("setIssuedAt",ae(new Date)+Ge(t)):h(this,x).iat=fe("setIssuedAt",t);}};x=new WeakMap;var lr=async(e,t,r)=>{let n=await cr(e,t,"sign");Zt(e,n);let o=await crypto.subtle.sign(sr(e,n.algorithm),n,r);return new Uint8Array(o)};var Ie,L,z,ze=class{constructor(t){j(this,Ie);j(this,L);j(this,z);if(!(t instanceof Uint8Array))throw new 
TypeError("payload must be an instance of Uint8Array");N(this,Ie,t);}setProtectedHeader(t){if(h(this,L))throw new TypeError("setProtectedHeader can only be called once");return N(this,L,t),this}setUnprotectedHeader(t){if(h(this,z))throw new TypeError("setUnprotectedHeader can only be called once");return N(this,z,t),this}async sign(t,r){if(!h(this,L)&&!h(this,z))throw new ne("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Yt(h(this,L),h(this,z)))throw new ne("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...h(this,L),...h(this,z)},o=er(ne,new Map([["b64",true]]),r?.crit,h(this,L),n),a=true;if(o.has("b64")&&(a=h(this,L).b64,typeof a!="boolean"))throw new ne('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new ne('JWS "alg" (Algorithm) Header Parameter missing or invalid');ir(i,t,"sign");let c=h(this,Ie);a&&(c=re.encode(Be(c)));let u;h(this,L)?u=re.encode(Be(JSON.stringify(h(this,L)))):u=re.encode("");let s=jt(u,re.encode("."),c),l=await ar(t,i),d=await lr(i,l,s),f={signature:Be(d),payload:""};return a&&(f.payload=me.decode(c)),h(this,z)&&(f.header=h(this,z)),h(this,L)&&(f.protected=me.decode(u)),f}};Ie=new WeakMap,L=new WeakMap,z=new WeakMap;var Se,Xe=class{constructor(t){j(this,Se);N(this,Se,new ze(t));}setProtectedHeader(t){return h(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await h(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var ie,$,de=class{constructor(t={}){j(this,ie);j(this,$);N(this,$,new qe(t));}setIssuer(t){return h(this,$).iss=t,this}setSubject(t){return h(this,$).sub=t,this}setAudience(t){return h(this,$).aud=t,this}setJti(t){return h(this,$).jti=t,this}setNotBefore(t){return h(this,$).nbf=t,this}setExpirationTime(t){return 
h(this,$).exp=t,this}setIssuedAt(t){return h(this,$).iat=t,this}setProtectedHeader(t){return N(this,ie,t),this}async sign(t,r){let n=new Xe(h(this,$).data());if(n.setProtectedHeader(h(this,ie)),Array.isArray(h(this,ie)?.crit)&&h(this,ie).crit.includes("b64")&&h(this,ie).b64===false)throw new Ce("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};ie=new WeakMap,$=new WeakMap;var xn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),Ye=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return xn(r)},B=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,c={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(c.nonce=n),o&&(c.ath=o),await new de(c).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var _=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function pe(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,c=Math.floor(Date.now()/1e3),u=c+Math.max(60,Math.min(i,3600)),s={child_jkt:n,client_id:o,aud:"issuer",iat:c,exp:u,jti:crypto.randomUUID()};return a&&(s.sid=a),await new de(s).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function We(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Je(e){let t=e.status,r=Array.from(e.headers.keys()).some(c=>c.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let c=await e.clone().json();n=typeof c?.error=="string"?c.error:void 0,o=typeof c?.detail=="string"?c.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function he(e,t){let r=new 
Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},Et=createContext(void 0);function hr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function Tn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var kt=({children:e,clientId:t})=>{let[r,n]=useState(Re),o=useRef(false),[a,i]=useState(false),c=useMemo(()=>Ke(t),[t]);useEffect(()=>{let p=true;return (async()=>{let y=await I(c)??await I(Fe)??hr(c);p&&(n({...Re,...y}),o.current=true,i(true));})(),()=>{p=false;}},[c]),useEffect(()=>{o.current&&(async()=>(await R(c,r),Tn(c,r)))();},[r,c]);let u=useCallback(p=>n(g=>({...g,refreshId:p})),[]),s=useCallback(p=>n(g=>({...g,lastPolicyHash:p})),[]),l=useCallback(p=>n(g=>({...g,lastPolicyProof:p})),[]),d=useCallback(p=>n(g=>({...g,lastHost:p})),[]),f=useCallback(p=>n(g=>({...g,rootJkt:p})),[]),w=async()=>{try{let p=localStorage.getItem(c);if(p){let g=JSON.parse(p);if(typeof g?.refreshId=="string"&&g.refreshId)return g.refreshId}}catch{}try{let p=await I(c);if(typeof p?.refreshId=="string"&&p.refreshId)return p.refreshId}catch{}return null},S=useCallback(p=>n(g=>({...g,boundWallet:p})),[]),E=useCallback(p=>n(g=>({...g,clientId:p})),[]),m=useCallback(p=>n(g=>({...g,jkt:p})),[]),k=useCallback(()=>n(Re),[]),b=useCallback(async()=>{let g=await I(c)??hr(c);n({...Re,...g});},[]),H=useMemo(()=>({meta:r,setBoundWallet:S,setClientId:E,setJkt:m,resetMeta:k,reload:b,setRefreshId:u,getRefreshId:w,ready:a,setLastPolicyHash:s,setLastPolicyProof:l,setLastHost:d,setRootJkt:f}),[r,S,E,m,k,b,a,u,w,s,l,d,f]);return jsx(Et.Provider,{value:H,children:e})};function Pt(){let e=useContext(Et);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var mr=`${T}:wrap`;async function Ze(){try{let e=await 
crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},!1,["sign","verify"]),t=`${T}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await I(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}async function Jn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},!0,["sign","verify"]),t=`${T}:probe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await I(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=v,t.alg=xe,t.use="sig",t}async function wr(){let e=await I(mr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(mr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function vt(e){let t=await wr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Dn(e,t){let r=await wr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var At=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let u=await I(T);if(!u)return false;if(u.fmt==="cryptokey"){let l=u;if(!l.privKey)return await R(T,void 0),false;let d=l.privKey;try{if(d.extractable&&await Ze()){let w=await crypto.subtle.exportKey("jwk",d),S=await crypto.subtle.importKey("jwk",w,{name:"ECDSA",namedCurve:v},!1,["sign"]),E={fmt:"cryptokey",privKey:S,pubJwk:ke(l.pubJwk)};await R(T,E),d=S;}}catch{}return e.current=d,t.current=ke(l.pubJwk),true}if(u.fmt==="encjwk"){let l=u;try{let d=await Dn(l.encPrivJwk,l.iv),f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},!1,["sign"]);return e.current=f,t.current=ke(l.pubJwk),!0}catch{return await R(T,void 0),false}}let s=u;if(s&&s.d){let{d:l,...d}=s,f=ke(d),w=await Ze(),S=w||await Jn();if(S&&w){let b=await 
crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);return await R(T,{fmt:"cryptokey",privKey:b,pubJwk:f}),e.current=b,t.current=f,true}if(S){let b=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},true,["sign"]);return await R(T,{fmt:"cryptokey",privKey:b,pubJwk:f}),e.current=b,t.current=f,true}let{encPrivJwk:E,iv:m}=await vt(s);await R(T,{fmt:"encjwk",encPrivJwk:E,iv:m,pubJwk:f});let k=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);return e.current=k,t.current=f,true}return await R(T,void 0),false},[]),n=useCallback(async(u,s)=>{await R(T,{fmt:"cryptokey",privKey:u,pubJwk:s});},[]),o=useCallback(async(u,s)=>{let{encPrivJwk:l,iv:d}=await vt(u);await R(T,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:s});},[]),a=useCallback(async()=>{if(e.current&&t.current||await r())return;let u=await Ze(),s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",s.publicKey)),d=await crypto.subtle.exportKey("jwk",s.privateKey);if(u){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);await n(f,l),e.current=f,t.current=l;}else {await o(d,l);let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);e.current=f,t.current=l;}},[r,n,o]),i=useCallback(async()=>{let u=await Ze(),s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",s.publicKey)),d=await crypto.subtle.exportKey("jwk",s.privateKey);if(u){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);await R(T,{fmt:"cryptokey",privKey:f,pubJwk:l}),e.current=f,t.current=l;}else {let{encPrivJwk:f,iv:w}=await vt(d);await R(T,{fmt:"encjwk",encPrivJwk:f,iv:w,pubJwk:l});let S=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);e.current=S,t.current=l;}},[]),c=useCallback(async()=>{await R(T,void 
0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:c,privRef:e,pubJwkRef:t}};var Y="sunbreak_root_key_v1",br=`${Y}:wrap`;async function Sr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},!1,["sign","verify"]),t=`${Y}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await I(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function Qe(e){let t={...e};return delete t.d,t.kty="EC",t.crv=v,t.alg=xe,t.use="sig",t}async function Rr(){let e=await I(br);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(br,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Ln(e){let t=await Rr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function _n(e,t){let r=await Rr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Kt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let a=await I(Y);if(!a)return false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await R(Y,void 0),false;let c=i.privKey;try{if(c.extractable&&await Sr()){let s=await crypto.subtle.exportKey("jwk",c),l=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},!1,["sign"]),d={fmt:"cryptokey",privKey:l,pubJwk:Qe(i.pubJwk),createdAt:i.createdAt};await R(Y,d),c=l;}}catch{}return e.current=c,t.current=Qe(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let c=await _n(i.encPrivJwk,i.iv),u=await crypto.subtle.importKey("jwk",c,{name:"ECDSA",namedCurve:v},!1,["sign"]);return e.current=u,t.current=Qe(i.pubJwk),!0}catch{return await R(Y,void 0),false}}return await R(Y,void 0),false},[]),n=useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await Sr(),i=await 
crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},true,["sign","verify"]),c=Qe(await crypto.subtle.exportKey("jwk",i.publicKey)),u=Date.now(),s=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);await R(Y,{fmt:"cryptokey",privKey:l,pubJwk:c,createdAt:u}),e.current=l,t.current=c;}else {let{encPrivJwk:l,iv:d}=await Ln(s);await R(Y,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:c,createdAt:u});let w=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);e.current=w,t.current=c;}},[r]),o=useCallback(async()=>{await R(Y,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var De=class e{constructor(t,r=false){this.colors={flow:"#00D9FF",state:"#00FF88",decision:"#FFB800",api:"#B388FF",guard:"#FFEA00",error:"#FF5252",warn:"#FF9100",info:"#90CAF9"};this.enabled=r,this.prefix=t?`[Sunbreak:${t.slice(0,8)}]`:"[Sunbreak]";}log(t,r,n){if(!this.enabled)return;let o=this.colors[t],a=new Date().toISOString().slice(11,23),i=this.getEmoji(t);console.log(`%c${i} ${this.prefix} [${a}] [${t.toUpperCase()}]%c ${r}`,`color: ${o}; font-weight: bold`,"color: inherit; font-weight: normal",n!==void 0?n:"");}getEmoji(t){switch(t){case "flow":return "\u{1F504}";case "state":return "\u{1F500}";case "decision":return "\u{1F914}";case "api":return "\u{1F4E1}";case "guard":return "\u{1F6E1}\uFE0F";case "error":return "\u274C";case "warn":return "\u26A0\uFE0F";case "info":return "\u2139\uFE0F";default:return "\u2022"}}flow(t,r,n){this.log("flow",`[${t.toUpperCase()}] ${r}`,n);}state(t,r,n,o){this.log("state",`${t} \u2192 ${r}: ${n}`,o);}decision(t,r,n,o){this.log("decision",`${t} = ${r?"\u2713 YES":"\u2717 NO"} (${n})`,o);}api(t,r,n){let o=n.status,i=o>=200&&o<300?"\u2713":"\u2717";this.log("api",`${i} ${t} ${r} \u2192 ${o}${n.error?` (${n.error})`:""}`,n.data);}guard(t,r,n,o){this.log("guard",`${t}: ${r?"\u2713 PASS":"\u2717 
BLOCK"} (${n})`,o);}error(t,r){this.log("error",t,r);}warn(t,r){this.log("warn",t,r);}info(t,r){this.log("info",t,r);}group(t){this.enabled&&console.group(`${this.prefix} ${t}`);}groupEnd(){this.enabled&&console.groupEnd();}child(t){let r=new e(void 0,this.enabled);return r.prefix=`${this.prefix}[${t}]`,r}},Ct=null;function Er(){return Ct||(Ct=new De(void 0,true)),Ct}var et=class{constructor(t){this.currentState="unknown";this.previousState="unknown";this.logger=Er();this.hadSessionHistory=false;this.inActiveSession=false;t&&this.initialize(t);}initialize(t){this.logger.group("\u{1F527} Initializing Session State Machine");let r=!!(t.boundWallet||t.refreshId);this.hadSessionHistory=r,this.logger.info("Initial context",{wallet:t.wallet,boundWallet:t.boundWallet,refreshId:t.refreshId?"present":"null",hasToken:t.hasToken,authenticated:t.authenticated,hasHistory:r}),t.authenticated&&t.hasToken?(this.transition("authenticated","Has valid token"),this.inActiveSession=true):r?this.transition("refreshable","Has session history"):this.transition("unregistered","No session history"),this.logger.groupEnd();}transition(t,r){if(this.currentState===t){this.logger.info(`State unchanged: ${t} (${r})`);return}this.previousState=this.currentState,this.currentState=t,this.logger.state(this.previousState,t,r);}getState(){return this.currentState}isInActiveSession(){return this.inActiveSession}markHadSession(){this.hadSessionHistory||(this.logger.info("Marked hadSessionHistory = true"),this.hadSessionHistory=true);}clearSessionHistory(){this.logger.info("Cleared session history"),this.hadSessionHistory=false,this.inActiveSession=false;}onProbeComplete(t){if(this.logger.flow("probe","Probe completed, determining initial state"),this.currentState!=="unknown"){this.logger.warn("Probe called but state is not UNKNOWN",{currentState:this.currentState});return}!!(t.boundWallet||t.refreshId)||this.hadSessionHistory?this.transition("refreshable","Session history 
found"):this.transition("unregistered","No session history");}onRegisterSuccess(t){this.logger.flow("register","Register succeeded"),this.transition("authenticated","Register succeeded"),this.inActiveSession=true,this.hadSessionHistory=true;}onRegisterFailure(t){this.logger.flow("register",`Register failed: ${t}`);}onRefreshSuccess(t){this.logger.flow("refresh","Refresh succeeded"),this.transition("authenticated","Refresh succeeded"),this.inActiveSession=true;}onRefreshExpired(){this.logger.flow("refresh","Refresh failed: session expired (missing refresh identifier)"),this.transition("expired","Session expired"),this.inActiveSession=false;}onRefreshFailure(t){this.logger.flow("refresh",`Refresh failed: ${t}`);}onTokenExpired(){this.logger.flow("token","Token expired"),this.currentState==="authenticated"&&this.transition("refreshable","Token expired");}onWalletChange(t,r,n){if(this.logger.flow("wallet",`Wallet changed: ${t||"null"} \u2192 ${r||"null"}`),!r){this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;return}r.toLowerCase()===n.boundWallet?.toLowerCase()?this.hadSessionHistory&&this.transition("refreshable","Wallet reconnected with history"):(this.transition("unregistered","Wallet changed to different address"),this.inActiveSession=false);}onWalletDisconnect(){this.logger.flow("wallet","Wallet disconnected"),this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;}shouldAttemptProbe(){let t=this.currentState==="unknown";return this.logger.decision("Should attempt probe?",t,`State is ${this.currentState}`),t}shouldAttemptRefresh(t){if(this.currentState!=="refreshable"&&this.currentState!=="authenticated")return this.logger.decision("Should attempt refresh?",false,`State is ${this.currentState}, not REFRESHABLE or AUTHENTICATED`),false;if(!(t.boundWallet||t.wallet))return this.logger.decision("Should attempt refresh?",false,"No wallet available (neither boundWallet nor current 
wallet)"),false;if(t.wallet&&t.boundWallet&&t.wallet.toLowerCase()!==t.boundWallet.toLowerCase())return this.logger.decision("Should attempt refresh?",false,"Wallet mismatch"),false;if(t.hasToken&&t.tokenExpiry){let n=Math.floor(Date.now()/1e3);if(t.tokenExpiry-n>5&&this.currentState==="authenticated")return this.logger.decision("Should attempt refresh?",false,"Token still valid"),false}return this.logger.decision("Should attempt refresh?",true,`State is ${this.currentState}, token ${t.hasToken?"present":"missing"}`),true}shouldAttemptRegister(t){return this.inActiveSession?(this.logger.decision("Should attempt register?",false,"Already in active session - proof changes ignored"),false):this.currentState!=="unregistered"&&this.currentState!=="expired"?(this.logger.decision("Should attempt register?",false,`State is ${this.currentState}, not UNREGISTERED or EXPIRED`),false):t.wallet?t.hasProof?t.authenticated&&t.hasToken?(this.logger.decision("Should attempt register?",false,"Already authenticated"),false):(this.logger.decision("Should attempt register?",true,`State is ${this.currentState}, have wallet + proof`),true):(this.logger.decision("Should attempt register?",false,"No proof available"),false):(this.logger.decision("Should attempt register?",false,"No wallet connected"),false)}shouldWaitForInitialRefresh(t,r){return this.currentState!=="refreshable"||t?false:r.wallet&&r.boundWallet&&r.wallet.toLowerCase()===r.boundWallet.toLowerCase()?(this.logger.decision("Should wait for initial refresh?",true,"Returning user - let refresh attempt first"),true):false}getStateReport(t){return `
|
|
4
|
+
var Qr=Object.defineProperty;var $t=e=>{throw TypeError(e)};var en=(e,t,r)=>t in e?Qr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var M=(e,t,r)=>en(e,typeof t!="symbol"?t+"":t,r),Ot=(e,t,r)=>t.has(e)||$t("Cannot "+r);var h=(e,t,r)=>(Ot(e,t,"read from private field"),r?r.call(e):t.get(e)),U=(e,t,r)=>t.has(e)?$t("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),N=(e,t,r,n)=>(Ot(e,t,"write to private field"),t.set(e,r),r);var Ae=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var tn="sunbreak-kv",xe="kv",Be="sunbreak_dpop_meta_v1",T="sunbreak_dpop_key_v1",Ke="ES256",v="P-256",Ce=e=>`${Be}:${e}`,jt=()=>new Promise((e,t)=>{let r=indexedDB.open(tn,1);r.onupgradeneeded=()=>r.result.createObjectStore(xe),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),I=async e=>{try{let t=await jt();return await new Promise((r,n)=>{let a=t.transaction(xe,"readonly").objectStore(xe).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},E=async(e,t)=>{let r=await jt();await new Promise((n,o)=>{let i=r.transaction(xe,"readwrite").objectStore(xe).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var rn=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},nn=e=>e.replace(/\/+$/,""),ft=e=>{let t=nn(e);return rn(t)};function pt(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=on(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var on=e=>{for(let 
t=0;t<dt.length;t++){let r=dt[Math.floor(Math.random()*dt.length)].toLowerCase();if(r!==e)return r}return "alpha"},dt=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var F=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var an=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),sn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),cn=new Set(["dpop","x-sunbreak-meta"]),ln=64,Ut=2048,un=64;function ht(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=un)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>ln||an.has(i)||sn.has(i)||cn.has(i))continue;let c=String(a);c.length>Ut&&(c=c.slice(0,Ut)),t[i]=c,n++;}return t}var re=new TextEncoder,me=new TextDecoder;function Nt(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Ft(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Bt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function 
Gt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Bt(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Ge(e){let t=e;return typeof t=="string"&&(t=re.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Ft(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var le=class extends Error{constructor(r,n){super(r,n);M(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};M(le,"code","ERR_JOSE_GENERIC");var D=class extends le{constructor(){super(...arguments);M(this,"code","ERR_JOSE_NOT_SUPPORTED");}};M(D,"code","ERR_JOSE_NOT_SUPPORTED");var ne=class extends le{constructor(){super(...arguments);M(this,"code","ERR_JWS_INVALID");}};M(ne,"code","ERR_JWS_INVALID");var Te=class extends le{constructor(){super(...arguments);M(this,"code","ERR_JWT_INVALID");}};M(Te,"code","ERR_JWT_INVALID");var Vt,qt,yt=class extends(qt=le,Vt=Symbol.asyncIterator,qt){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);M(this,Vt);M(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};M(yt,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function q(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function mt(e){return parseInt(e.name.slice(4),10)}function pn(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function hn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function zt(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw q("HMAC");let 
n=parseInt(t.slice(2),10);if(mt(e.algorithm.hash)!==n)throw q(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw q("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(mt(e.algorithm.hash)!==n)throw q(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw q("RSA-PSS");let n=parseInt(t.slice(2),10);if(mt(e.algorithm.hash)!==n)throw q(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw q("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw q(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw q("ECDSA");let n=pn(t);if(e.algorithm.namedCurve!==n)throw q(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}hn(e,r);}function Xt(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Yt=(e,...t)=>Xt("Key must be ",e,...t);function wt(e,t,...r){return Xt(`Key for the ${e} algorithm must be `,t,...r)}function gt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function bt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var St=e=>gt(e)||bt(e);var Zt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return false;r.add(a);}}return true};function yn(e){return typeof e=="object"&&e!==null}var Ve=e=>{if(!yn(e)||Object.prototype.toString.call(e)!=="[object Object]")return false;if(Object.getPrototypeOf(e)===null)return 
true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Qt=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function mn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new D('Invalid or 
unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var er=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=mn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var tr=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new D(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Ie(e){return Ve(e)&&typeof e.kty=="string"}function rr(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function nr(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function or(e){return e.kty==="oct"&&typeof e.k=="string"}var ge,ar=async(e,t,r,n=false)=>{ge||(ge=new WeakMap);let o=ge.get(e);if(o?.[r])return o[r];let a=await er({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:ge.set(e,{[r]:a}),a},gn=(e,t)=>{ge||(ge=new WeakMap);let r=ge.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this 
algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let c=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!c)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&c==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES384"&&c==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t==="ES512"&&c==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:c},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:c},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:ge.set(e,{[t]:a}),a},ir=async(e,t)=>{if(e instanceof Uint8Array||gt(e))return e;if(bt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof 
e.toCryptoKey=="function")try{return gn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return ar(e,r,t)}if(Ie(e))return e.k?Gt(e.k):ar(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],Rt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return true},bn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Ie(t)){if(or(t)&&Rt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!St(t))throw new TypeError(wt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},Sn=(e,t,r)=>{if(Ie(t))switch(r){case "decrypt":case "sign":if(rr(t)&&Rt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(nr(t)&&Rt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!St(t))throw new TypeError(wt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for 
asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},sr=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?bn(e,t,r):Sn(e,t,r);};var cr=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new D(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var lr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Yt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return zt(t,e,r),t};var ae=e=>Math.floor(e.getTime()/1e3);var Rn=/^(\+|\-)? 
?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,qe=e=>{let t=Rn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function ue(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var x,ze=class{constructor(t){U(this,x);if(!Ve(t))throw new TypeError("JWT Claims Set MUST be an object");N(this,x,structuredClone(t));}data(){return re.encode(JSON.stringify(h(this,x)))}get iss(){return h(this,x).iss}set iss(t){h(this,x).iss=t;}get sub(){return h(this,x).sub}set sub(t){h(this,x).sub=t;}get aud(){return h(this,x).aud}set aud(t){h(this,x).aud=t;}set jti(t){h(this,x).jti=t;}set nbf(t){typeof t=="number"?h(this,x).nbf=ue("setNotBefore",t):t instanceof Date?h(this,x).nbf=ue("setNotBefore",ae(t)):h(this,x).nbf=ae(new Date)+qe(t);}set exp(t){typeof t=="number"?h(this,x).exp=ue("setExpirationTime",t):t instanceof Date?h(this,x).exp=ue("setExpirationTime",ae(t)):h(this,x).exp=ae(new Date)+qe(t);}set iat(t){typeof t>"u"?h(this,x).iat=ae(new Date):t instanceof Date?h(this,x).iat=ue("setIssuedAt",ae(t)):typeof t=="string"?h(this,x).iat=ue("setIssuedAt",ae(new Date)+qe(t)):h(this,x).iat=ue("setIssuedAt",t);}};x=new WeakMap;var ur=async(e,t,r)=>{let n=await lr(e,t,"sign");Qt(e,n);let o=await crypto.subtle.sign(cr(e,n.algorithm),n,r);return new Uint8Array(o)};var We,L,z,Xe=class{constructor(t){U(this,We);U(this,L);U(this,z);if(!(t instanceof Uint8Array))throw new 
TypeError("payload must be an instance of Uint8Array");N(this,We,t);}setProtectedHeader(t){if(h(this,L))throw new TypeError("setProtectedHeader can only be called once");return N(this,L,t),this}setUnprotectedHeader(t){if(h(this,z))throw new TypeError("setUnprotectedHeader can only be called once");return N(this,z,t),this}async sign(t,r){if(!h(this,L)&&!h(this,z))throw new ne("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Zt(h(this,L),h(this,z)))throw new ne("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...h(this,L),...h(this,z)},o=tr(ne,new Map([["b64",true]]),r?.crit,h(this,L),n),a=true;if(o.has("b64")&&(a=h(this,L).b64,typeof a!="boolean"))throw new ne('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new ne('JWS "alg" (Algorithm) Header Parameter missing or invalid');sr(i,t,"sign");let c=h(this,We);a&&(c=re.encode(Ge(c)));let u;h(this,L)?u=re.encode(Ge(JSON.stringify(h(this,L)))):u=re.encode("");let s=Nt(u,re.encode("."),c),l=await ir(t,i),d=await ur(i,l,s),f={signature:Ge(d),payload:""};return a&&(f.payload=me.decode(c)),h(this,z)&&(f.header=h(this,z)),h(this,L)&&(f.protected=me.decode(u)),f}};We=new WeakMap,L=new WeakMap,z=new WeakMap;var Se,Ye=class{constructor(t){U(this,Se);N(this,Se,new Xe(t));}setProtectedHeader(t){return h(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await h(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var ie,$,fe=class{constructor(t={}){U(this,ie);U(this,$);N(this,$,new ze(t));}setIssuer(t){return h(this,$).iss=t,this}setSubject(t){return h(this,$).sub=t,this}setAudience(t){return h(this,$).aud=t,this}setJti(t){return h(this,$).jti=t,this}setNotBefore(t){return h(this,$).nbf=t,this}setExpirationTime(t){return 
h(this,$).exp=t,this}setIssuedAt(t){return h(this,$).iat=t,this}setProtectedHeader(t){return N(this,ie,t),this}async sign(t,r){let n=new Ye(h(this,$).data());if(n.setProtectedHeader(h(this,ie)),Array.isArray(h(this,ie)?.crit)&&h(this,ie).crit.includes("b64")&&h(this,ie).b64===false)throw new Te("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};ie=new WeakMap,$=new WeakMap;var En=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),Ze=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return En(r)},B=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,c={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(c.nonce=n),o&&(c.ath=o),await new fe(c).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var _=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function de(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,c=Math.floor(Date.now()/1e3),u=c+Math.max(60,Math.min(i,3600)),s={child_jkt:n,client_id:o,aud:"issuer",iat:c,exp:u,jti:crypto.randomUUID()};return a&&(s.sid=a),await new fe(s).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function De(e){let t=e.status,r=Array.from(e.headers.keys()).some(c=>c.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let c=await e.clone().json();n=typeof c?.error=="string"?c.error:void 0,o=typeof c?.detail=="string"?c.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function pe(e,t){let r=new 
Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},Et=createContext(void 0);function yr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function vn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var kt=({children:e,clientId:t})=>{let[r,n]=useState(Re),o=useRef(false),[a,i]=useState(false),c=useMemo(()=>Ce(t),[t]);useEffect(()=>{let p=true;return (async()=>{let y=await I(c)??await I(Be)??yr(c);p&&(n({...Re,...y}),o.current=true,i(true));})(),()=>{p=false;}},[c]),useEffect(()=>{o.current&&(async()=>(await E(c,r),vn(c,r)))();},[r,c]);let u=useCallback(p=>n(g=>({...g,refreshId:p})),[]),s=useCallback(p=>n(g=>({...g,lastPolicyHash:p})),[]),l=useCallback(p=>n(g=>({...g,lastPolicyProof:p})),[]),d=useCallback(p=>n(g=>({...g,lastHost:p})),[]),f=useCallback(p=>n(g=>({...g,rootJkt:p})),[]),w=async()=>{try{let p=localStorage.getItem(c);if(p){let g=JSON.parse(p);if(typeof g?.refreshId=="string"&&g.refreshId)return g.refreshId}}catch{}try{let p=await I(c);if(typeof p?.refreshId=="string"&&p.refreshId)return p.refreshId}catch{}return null},b=useCallback(p=>n(g=>({...g,boundWallet:p})),[]),R=useCallback(p=>n(g=>({...g,clientId:p})),[]),m=useCallback(p=>n(g=>({...g,jkt:p})),[]),k=useCallback(()=>n(Re),[]),S=useCallback(async()=>{let g=await I(c)??yr(c);n({...Re,...g});},[]),H=useMemo(()=>({meta:r,setBoundWallet:b,setClientId:R,setJkt:m,resetMeta:k,reload:S,setRefreshId:u,getRefreshId:w,ready:a,setLastPolicyHash:s,setLastPolicyProof:l,setLastHost:d,setRootJkt:f}),[r,b,R,m,k,S,a,u,w,s,l,d,f]);return jsx(Et.Provider,{value:H,children:e})};function Pt(){let e=useContext(Et);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var wr=`${T}:wrap`;async function Qe(){try{let e=await 
crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},!1,["sign","verify"]),t=`${T}:probe_safe`;await E(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await I(t);return await E(t,void 0),!!(r&&r.privKey)}catch{return false}}async function Kn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},!0,["sign","verify"]),t=`${T}:probe`;await E(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await I(t);return await E(t,void 0),!!(r&&r.privKey)}catch{return false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=v,t.alg=Ke,t.use="sig",t}async function gr(){let e=await I(wr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await E(wr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function vt(e){let t=await gr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Cn(e,t){let r=await gr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var At=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let u=await I(T);if(!u)return false;if(u.fmt==="cryptokey"){let l=u;if(!l.privKey)return await E(T,void 0),false;let d=l.privKey;try{if(d.extractable&&await Qe()){let w=await crypto.subtle.exportKey("jwk",d),b=await crypto.subtle.importKey("jwk",w,{name:"ECDSA",namedCurve:v},!1,["sign"]),R={fmt:"cryptokey",privKey:b,pubJwk:ke(l.pubJwk)};await E(T,R),d=b;}}catch{}return e.current=d,t.current=ke(l.pubJwk),true}if(u.fmt==="encjwk"){let l=u;try{let d=await Cn(l.encPrivJwk,l.iv),f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},!1,["sign"]);return e.current=f,t.current=ke(l.pubJwk),!0}catch{return await E(T,void 0),false}}let s=u;if(s&&s.d){let{d:l,...d}=s,f=ke(d),w=await Qe(),b=w||await Kn();if(b&&w){let S=await 
crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);return await E(T,{fmt:"cryptokey",privKey:S,pubJwk:f}),e.current=S,t.current=f,true}if(b){let S=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},true,["sign"]);return await E(T,{fmt:"cryptokey",privKey:S,pubJwk:f}),e.current=S,t.current=f,true}let{encPrivJwk:R,iv:m}=await vt(s);await E(T,{fmt:"encjwk",encPrivJwk:R,iv:m,pubJwk:f});let k=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);return e.current=k,t.current=f,true}return await E(T,void 0),false},[]),n=useCallback(async(u,s)=>{await E(T,{fmt:"cryptokey",privKey:u,pubJwk:s});},[]),o=useCallback(async(u,s)=>{let{encPrivJwk:l,iv:d}=await vt(u);await E(T,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:s});},[]),a=useCallback(async()=>{if(e.current&&t.current||await r())return;let u=await Qe(),s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",s.publicKey)),d=await crypto.subtle.exportKey("jwk",s.privateKey);if(u){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);await n(f,l),e.current=f,t.current=l;}else {await o(d,l);let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);e.current=f,t.current=l;}},[r,n,o]),i=useCallback(async()=>{let u=await Qe(),s=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",s.publicKey)),d=await crypto.subtle.exportKey("jwk",s.privateKey);if(u){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);await E(T,{fmt:"cryptokey",privKey:f,pubJwk:l}),e.current=f,t.current=l;}else {let{encPrivJwk:f,iv:w}=await vt(d);await E(T,{fmt:"encjwk",encPrivJwk:f,iv:w,pubJwk:l});let b=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:v},false,["sign"]);e.current=b,t.current=l;}},[]),c=useCallback(async()=>{await E(T,void 
0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:c,privRef:e,pubJwkRef:t}};var Y="sunbreak_root_key_v1",Sr=`${Y}:wrap`;async function Rr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},!1,["sign","verify"]),t=`${Y}:probe_safe`;await E(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await I(t);return await E(t,void 0),!!(r&&r.privKey)}catch{return false}}function et(e){let t={...e};return delete t.d,t.kty="EC",t.crv=v,t.alg=Ke,t.use="sig",t}async function Er(){let e=await I(Sr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await E(Sr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Tn(e){let t=await Er(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function In(e,t){let r=await Er(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Kt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let a=await I(Y);if(!a)return false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await E(Y,void 0),false;let c=i.privKey;try{if(c.extractable&&await Rr()){let s=await crypto.subtle.exportKey("jwk",c),l=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},!1,["sign"]),d={fmt:"cryptokey",privKey:l,pubJwk:et(i.pubJwk),createdAt:i.createdAt};await E(Y,d),c=l;}}catch{}return e.current=c,t.current=et(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let c=await In(i.encPrivJwk,i.iv),u=await crypto.subtle.importKey("jwk",c,{name:"ECDSA",namedCurve:v},!1,["sign"]);return e.current=u,t.current=et(i.pubJwk),!0}catch{return await E(Y,void 0),false}}return await E(Y,void 0),false},[]),n=useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await Rr(),i=await 
crypto.subtle.generateKey({name:"ECDSA",namedCurve:v},true,["sign","verify"]),c=et(await crypto.subtle.exportKey("jwk",i.publicKey)),u=Date.now(),s=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);await E(Y,{fmt:"cryptokey",privKey:l,pubJwk:c,createdAt:u}),e.current=l,t.current=c;}else {let{encPrivJwk:l,iv:d}=await Tn(s);await E(Y,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:c,createdAt:u});let w=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:v},false,["sign"]);e.current=w,t.current=c;}},[r]),o=useCallback(async()=>{await E(Y,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var Le=class e{constructor(t,r=false){this.colors={flow:"#00D9FF",state:"#00FF88",decision:"#FFB800",api:"#B388FF",guard:"#FFEA00",error:"#FF5252",warn:"#FF9100",info:"#90CAF9"};this.enabled=r,this.prefix=t?`[Sunbreak:${t.slice(0,8)}]`:"[Sunbreak]";}log(t,r,n){if(!this.enabled)return;let o=this.colors[t],a=new Date().toISOString().slice(11,23),i=this.getEmoji(t);console.log(`%c${i} ${this.prefix} [${a}] [${t.toUpperCase()}]%c ${r}`,`color: ${o}; font-weight: bold`,"color: inherit; font-weight: normal",n!==void 0?n:"");}getEmoji(t){switch(t){case "flow":return "\u{1F504}";case "state":return "\u{1F500}";case "decision":return "\u{1F914}";case "api":return "\u{1F4E1}";case "guard":return "\u{1F6E1}\uFE0F";case "error":return "\u274C";case "warn":return "\u26A0\uFE0F";case "info":return "\u2139\uFE0F";default:return "\u2022"}}flow(t,r,n){this.log("flow",`[${t.toUpperCase()}] ${r}`,n);}state(t,r,n,o){this.log("state",`${t} \u2192 ${r}: ${n}`,o);}decision(t,r,n,o){this.log("decision",`${t} = ${r?"\u2713 YES":"\u2717 NO"} (${n})`,o);}api(t,r,n){let o=n.status,i=o>=200&&o<300?"\u2713":"\u2717";this.log("api",`${i} ${t} ${r} \u2192 ${o}${n.error?` (${n.error})`:""}`,n.data);}guard(t,r,n,o){this.log("guard",`${t}: ${r?"\u2713 PASS":"\u2717 
BLOCK"} (${n})`,o);}error(t,r){this.log("error",t,r);}warn(t,r){this.log("warn",t,r);}info(t,r){this.log("info",t,r);}group(t){this.enabled&&console.group(`${this.prefix} ${t}`);}groupEnd(){this.enabled&&console.groupEnd();}child(t){let r=new e(void 0,this.enabled);return r.prefix=`${this.prefix}[${t}]`,r}},Ct=null;function kr(){return Ct||(Ct=new Le(void 0,false)),Ct}var tt=class{constructor(t){this.currentState="unknown";this.previousState="unknown";this.logger=kr();this.hadSessionHistory=false;this.inActiveSession=false;t&&this.initialize(t);}initialize(t){if(this.currentState!=="unknown"){this.logger.info(`Skipping initialization - state already set to ${this.currentState}`);let n=!!(t.boundWallet||t.refreshId);this.hadSessionHistory=n;return}this.logger.group("\u{1F527} Initializing Session State Machine");let r=!!(t.boundWallet||t.refreshId);this.hadSessionHistory=r,this.logger.info("Initial context",{wallet:t.wallet,boundWallet:t.boundWallet,refreshId:t.refreshId?"present":"null",hasToken:t.hasToken,authenticated:t.authenticated,hasHistory:r}),t.authenticated&&t.hasToken?(this.transition("authenticated","Has valid token"),this.inActiveSession=true):r?this.transition("refreshable","Has session history"):this.transition("unregistered","No session history"),this.logger.groupEnd();}transition(t,r){if(this.currentState===t){this.logger.info(`State unchanged: ${t} (${r})`);return}this.previousState=this.currentState,this.currentState=t,this.logger.state(this.previousState,t,r);}getState(){return this.currentState}isInActiveSession(){return this.inActiveSession}markHadSession(){this.hadSessionHistory||(this.logger.info("Marked hadSessionHistory = true"),this.hadSessionHistory=true);}clearSessionHistory(){this.logger.info("Cleared session history"),this.hadSessionHistory=false,this.inActiveSession=false;}onProbeComplete(t){if(this.logger.flow("probe","Probe completed, determining initial state"),this.currentState!=="unknown"){this.logger.warn("Probe called but state 
is not UNKNOWN",{currentState:this.currentState});return}!!(t.boundWallet||t.refreshId)||this.hadSessionHistory?this.transition("refreshable","Session history found"):this.transition("unregistered","No session history");}onRegisterSuccess(t){this.logger.flow("register","Register succeeded"),this.transition("authenticated","Register succeeded"),this.inActiveSession=true,this.hadSessionHistory=true;}onRegisterFailure(t){this.logger.flow("register",`Register failed: ${t}`);}onRefreshSuccess(t){this.logger.flow("refresh","Refresh succeeded"),this.transition("authenticated","Refresh succeeded"),this.inActiveSession=true;}onRefreshExpired(){this.logger.flow("refresh","Refresh failed: session expired (missing refresh identifier)"),this.transition("expired","Session expired"),this.inActiveSession=false;}onRefreshFailure(t){this.logger.flow("refresh",`Refresh failed: ${t}`);}onTokenExpired(){this.logger.flow("token","Token expired"),this.currentState==="authenticated"&&this.transition("refreshable","Token expired");}onWalletChange(t,r,n){if(this.logger.flow("wallet",`Wallet changed: ${t||"null"} \u2192 ${r||"null"}`),!r){this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;return}r.toLowerCase()===n.boundWallet?.toLowerCase()?(this.hadSessionHistory=true,this.transition("refreshable","Wallet reconnected with session history")):(this.transition("unregistered","Wallet changed to different address"),this.inActiveSession=false);}onWalletDisconnect(){this.logger.flow("wallet","Wallet disconnected"),this.transition("unknown","Wallet disconnected"),this.inActiveSession=false;}shouldAttemptProbe(){let t=this.currentState==="unknown";return this.logger.decision("Should attempt probe?",t,`State is ${this.currentState}`),t}shouldAttemptRefresh(t){if(this.currentState!=="refreshable"&&this.currentState!=="authenticated")return this.logger.decision("Should attempt refresh?",false,`State is ${this.currentState}, not REFRESHABLE or 
AUTHENTICATED`),false;if(!(t.boundWallet||t.wallet))return this.logger.decision("Should attempt refresh?",false,"No wallet available (neither boundWallet nor current wallet)"),false;if(t.wallet&&t.boundWallet&&t.wallet.toLowerCase()!==t.boundWallet.toLowerCase())return this.logger.decision("Should attempt refresh?",false,"Wallet mismatch"),false;if(t.hasToken&&t.tokenExpiry){let n=Math.floor(Date.now()/1e3);if(t.tokenExpiry-n>5&&this.currentState==="authenticated")return this.logger.decision("Should attempt refresh?",false,"Token still valid"),false}return this.logger.decision("Should attempt refresh?",true,`State is ${this.currentState}, token ${t.hasToken?"present":"missing"}`),true}shouldAttemptRegister(t){return this.inActiveSession?(this.logger.decision("Should attempt register?",false,"Already in active session - proof changes ignored"),false):this.currentState!=="unregistered"&&this.currentState!=="expired"?(this.logger.decision("Should attempt register?",false,`State is ${this.currentState}, not UNREGISTERED or EXPIRED`),false):t.wallet?t.hasProof?t.authenticated&&t.hasToken?(this.logger.decision("Should attempt register?",false,"Already authenticated"),false):(this.logger.decision("Should attempt register?",true,`State is ${this.currentState}, have wallet + proof`),true):(this.logger.decision("Should attempt register?",false,"No proof available"),false):(this.logger.decision("Should attempt register?",false,"No wallet connected"),false)}shouldWaitForInitialRefresh(t,r){return this.currentState!=="refreshable"||t?false:r.wallet&&r.boundWallet&&r.wallet.toLowerCase()===r.boundWallet.toLowerCase()?(this.logger.decision("Should wait for initial refresh?",true,"Returning user - let refresh attempt first"),true):false}getStateReport(t){return `
|
|
5
5
|
\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
|
|
6
6
|
\u2502 Session State Machine Report \u2502
|
|
7
7
|
\u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524
|
|
@@ -17,6 +17,6 @@ var on=Object.defineProperty;var Mt=e=>{throw TypeError(e)};var an=(e,t,r)=>t in
|
|
|
17
17
|
\u2502 Authenticated: ${String(t.authenticated).padEnd(20)} \u2502
|
|
18
18
|
\u2502 Has Proof: ${String(t.hasProof).padEnd(20)} \u2502
|
|
19
19
|
\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518
|
|
20
|
-
`.trim()}};var Hn=()=>crypto.randomUUID(),kr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:c,refreshDeps:u=[],debug:s}=e,l=ft(n),d=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:f,setBoundWallet:w,setJkt:S,setRefreshId:E,getRefreshId:m,setLastPolicyHash:k,setLastPolicyProof:b,setLastHost:H,setRootJkt:p,ready:g}=Pt(),{ensureRootKeypair:y,rootPrivRef:P,rootPubJwkRef:C}=Kt(),O=useCallback(async()=>{await y();try{if(!f.rootJkt&&C.current){let te=await _(C.current);p(te);}}catch{}},[y,f.rootJkt,C]),{ensureKeypair:Pe,rotate:K,privRef:Me,pubJwkRef:$e}=At(),[Jt,J]=useState(false),[G,U]=useState(0),[ee,ce]=useState(null),[oe,rt]=useState(null),[nt,ot]=useState(null),[Jr,Dr]=useState(null),[Lr,_r]=useState(null),[Hr,Mr]=useState(null),$r=useRef(null),Or=useRef(null),Ur=useRef(null),jr=useRef(null),Nr=useRef(null),Fr=useRef(null),Br=useRef(null),Vr=useRef(false),Gr=useRef(false),qr=useRef(void 0),Oe=useRef(false),at=useRef(false),Dt=useRef(null),le=useRef(null);le.current||(le.current=new Promise(te=>{Dt.current=te;}));let it=useRef(null),zr=useRef(i),Xr=useRef(null),st=useRef(null);if(!st.current){let te=s??false;st.current=new De(t,te);}let ct=useRef(null);ct.current||(ct.current=new et);let Ue=useRef(null),Lt=useRef(null),je=useRef(null),_t=()=>Date.now(),Yr=()=>(je.current??0)>0&&je.current<_t(),lt=useCallback((te,nn=15e3)=>{let Ht=Hn();return Ue.current=Ht,Lt.current=te,je.current=_t()+Math.max(1e3,nn),Ht},[]),Zr=useCallback(()=>((!Ue.current||Yr())&<("adhoc",1e4),Ue.current),[lt]),ut=useRef(null),Ne=useRef(null);Ne.current||(Ne.current=new Promise(te=>{ut.current=te;}));let Qr=useCallback(async()=>{!Oe.current&&Ne.current&&await Ne.current;},[]),en=useCallback(()=>{Oe.current||(Oe.current=true,ut.current?.(),ut.current=null);},[]),tn=useCallback(async()=>{!at.current&&le.current&&await le.current;},[]),rn=useCallback(async()=>{!at.current&&le.current&&await le.current,it.current&&await 
it.current;},[]);return {clientId:t,wallet:r,baseUrl:l,fetchImpl:d,timeoutMs:a,providerAdapter:c,refreshDeps:u,ensureKeypair:Pe,rotate:K,ensureRootKeypair:O,rootPrivRef:P,rootPubJwkRef:C,privRef:Me,pubJwkRef:$e,meta:f,setBoundWallet:w,setJkt:S,setRefreshId:E,accessTokenRef:Ur,tokenExpRef:jr,authenticated:Jt,setAuthenticated:J,loadingCount:G,setLoadingCount:U,error:ee,setError:ce,allowed:oe,setAllowed:rt,denyReason:nt,setDenyReason:ot,sessionExpiry:Jr,setSessionExpiry:Dr,sessionData:Lr,setSessionData:_r,verifyData:Hr,setVerifyData:Mr,authWalletRef:Or,refreshLock:Nr,registerLock:Fr,sessionLock:Br,didInitialRefresh:Vr,didInitialSession:Gr,prevWalletRef:qr,initResolvedRef:at,initReady:le,initResolveRef:Dt,rotateLock:it,waitReady:tn,awaitKeyStable:rn,proofRef:zr,registerCooldownUntilRef:$r,reqIdRef:Ue,flowLabelRef:Lt,flowExpireRef:je,beginFlow:lt,currentReqId:Zr,awaitProbe:Qr,markProbed:en,hasProbedRef:Oe,getRefreshId:m,setLastPolicyHash:k,setLastPolicyProof:b,setLastHost:H,setRootJkt:p,metaReady:g,probeLock:Xr,stateMachine:ct.current,logger:st.current}};var V=e=>e.accessTokenRef.current??null,Z=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},W=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Mn=(e,t)=>`${e.toUpperCase()} ${t}`;async function Le(e,t,r,n){if(!t)return e.logger.guard("register",false,"No wallet provided"),false;e.logger.flow("register","Starting register flow",{wallet:t});let o=Le._nonceCacheRef||(Le._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let a;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let y=await _(e.rootPubJwkRef.current);e.setRootJkt?.(y);}catch{}let p=await _(W(e)),g=await e.getRefreshId();a=await 
pe({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:p,clientId:e.clientId,sid:g||void 0,ttlSec:300});}}catch(p){e.logger.warn("Failed to create PODE for register",p);}let i=e.currentReqId(),c="/auth/register",u=`${e.baseUrl}${c}`,s=new URL(e.baseUrl).origin,l="POST",d=`${s}${c}`,f=Mn(l,d),w=o.map.get(f),S=await B({method:l,url:d,nonce:w,privateKey:Z(e),publicJwk:W(e)}),E=async p=>e.fetchImpl(u,{method:l,headers:{"content-type":"application/json","x-sunbreak-meta":F(e,{reqId:i,pode:a||void 0}),...p},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),m=await E({DPoP:S}),k=p=>{let g=p.headers.get("dpop-nonce");g&&o.map.set(f,g);};if(m.status===401){e.logger.info("Register got 401, retrying with nonce");let p=m.headers.get("www-authenticate"),y=(p&&p.match(/dpop-nonce="([^"]+)"/i))?.[1];if(y){o.map.set(f,y);let P=await B({method:l,url:d,nonce:y,privateKey:Z(e),publicJwk:W(e)});m=await E({DPoP:P});}}if(k(m),e.logger.api(l,c,{status:m.status}),!m.ok){let p=await Je(m);if((m.headers.get("content-type")||"").includes("application/json")){let y;try{y=await m.clone().json();}catch{}let P=We(y&&(y.error||y.message||y.detail)||`HTTP ${m.status}`);throw he(P,p)}else {let y=p.waf?"Blocked by WAF (403)":p.alb403?"Blocked at origin (ALB 403)":`HTTP ${m.status}`;throw he(y,p)}}let b=await m.json();e.logger.info("Register succeeded",{expiresIn:b.expiresIn,hasRefreshId:!!b.refreshId}),e.accessTokenRef.current=b.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let p=Math.floor(Date.now()/1e3);e.tokenExpRef.current=p+(b.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await _(W(e)));}catch{}try{let p={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:b.refreshId??null};e.setRefreshId(b.refreshId??null);let g=Ke(e.clientId);await 
R(g,p);try{localStorage.setItem(g,JSON.stringify(p));}catch{}}catch{}let H={wallet:t,boundWallet:t,refreshId:b.refreshId??null,hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!0,authenticated:!0};return e.stateMachine.onRegisterSuccess(H),!0}catch(a){let i=Number(a?.status||0),c=String(a?.code||"").toLowerCase(),u=String(a?.message||"").toLowerCase(),s=Math.floor(Math.random()*1e3);e.logger.error("Register failed",{status:i,code:c,msg:u}),e.stateMachine.onRegisterFailure(`${c||u||"Unknown error"}`);let l=c==="session_exists"||c==="already_authenticated"||u.includes("already")&&(u.includes("session")||u.includes("authenticated")),d=(i===401||i===403)&&c==="replay";if((l||d)&&n?.refreshFallback&&(!e.meta.boundWallet||e.meta.boundWallet.toLowerCase()===t.toLowerCase())){e.logger.info("Register failed with recoverable error, attempting refresh fallback",{code:c,isSessionExists:l,isReplay:d});try{if(await n.refreshFallback())return e.logger.info("Refresh fallback succeeded after register failure"),e.meta.boundWallet||e.setBoundWallet(t),!0}catch(w){e.logger.warn("Refresh fallback failed",w);}}if(d){if(e.providerAdapter)try{let f=await e.providerAdapter.getToken()??null;if(f)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await ve(e.providerAdapter,f),e.registerCooldownUntilRef.current=Date.now()+5e3+s,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+s,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+s,false}if(l)return e.setError("Session already exists. 
Try refreshing the page."),e.registerCooldownUntilRef.current=Date.now()+3e3+s,false;if(i===403&&(a?.waf||a?.alb403))return e.setError(u||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+s,false;if(i===403)return e.setError(c||u||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+s,false;if(i===429||i===503){e.setError(c||u||"Rate limited / unavailable");let f=i===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+f+s,false}return e.setError(c||u||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+s,false}}var $n=(e,t)=>`${e.toUpperCase()} ${t}`;function _e(e){if(e.refreshLock.current)return e.logger.guard("refreshLock",false,"Refresh already in progress"),e.refreshLock.current;if(e.registerLock.current){e.logger.guard("registerLock",false,"Registration in progress, waiting");let t=e.registerLock.current.then(()=>{if(e.authenticated&&V(e))return true;if(V(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return true}return false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.logger.flow("refresh","Starting refresh flow"),e.refreshLock.current=(async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe();let t=e.meta.boundWallet||e.wallet;if(!t)return e.logger.warn("No wallet available for refresh (neither boundWallet nor current wallet)"),!1;if(e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.logger.warn("Wallet mismatch during refresh",{current:e.wallet,bound:e.meta.boundWallet}),e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let r=V(e);if(r){let y=e.tokenExpRef.current,P=Math.floor(Date.now()/1e3);if(!!r&&!!y&&y-P>5)return e.logger.info("Token still valid, skipping refresh"),!0}e.beginFlow("refresh",15e3);let n=e.currentReqId();await e.ensureKeypair();let o;try{if(await 
e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let C=await _(e.rootPubJwkRef.current);e.setRootJkt?.(C);}catch{}let y=await _(W(e)),P=await e.getRefreshId();o=await pe({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:y,clientId:e.clientId,sid:P||void 0,ttlSec:300});}}catch(y){e.logger.warn("Failed to create PODE for refresh",y);}let a="/auth/refresh",i=`${e.baseUrl}${a}`,c=new URL(e.baseUrl).origin,u="POST",s=`${c}${a}`,l=$n(u,s),d=_e._nonceCacheRef||(_e._nonceCacheRef={map:new Map}),f=async y=>await B({method:u,url:s,nonce:y,privateKey:Z(e),publicJwk:W(e)}),w=await e.getRefreshId(),S={"x-sunbreak-meta":F(e,{reqId:n,refreshId:w||void 0,pode:o||void 0,wallet:t}),"content-type":"application/json"},E=async y=>e.fetchImpl(i,{method:u,headers:{DPoP:y,...S},credentials:"include",body:"{}"}),m=y=>{let P=y.headers.get("dpop-nonce");P&&d.map.set(l,P);},k=await E(await f(d.map.get(l)));if(k.status===401){e.logger.info("Refresh got 401, retrying with nonce");let y=k.headers.get("www-authenticate"),C=(y&&y.match(/dpop-nonce="([^"]+)"/i))?.[1];C&&(d.map.set(l,C),k=await E(await f(C)));}if(m(k),e.logger.api(u,a,{status:k.status}),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let P=await k.clone().json().catch(()=>{}),C=P&&(P.error||P.code||P.message)||"",O=String(C).toLowerCase();if(O.includes("missing")&&O.includes("refresh")){e.logger.warn("Refresh session expired (missing refresh identifier)"),e.stateMachine.onRefreshExpired();try{e.setRefreshId?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}else e.logger.warn("Refresh failed",{error:C}),e.stateMachine.onRefreshFailure(String(C));}}catch{}return !1}let b=await k.json();e.logger.info("Refresh succeeded",{expiresIn:b.expiresIn,hasRefreshId:!!b.refreshId}),e.accessTokenRef.current=b.access,e.setAuthenticated(!0);let 
H=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=H?H.toLowerCase():null;try{let y=Math.floor(Date.now()/1e3);e.tokenExpRef.current=y+(b.expiresIn??0);}catch{}try{e.setJkt(await _(W(e)));}catch{}b.refreshId&&e.setRefreshId(b.refreshId);let p=y=>!y||y==="null"||y==="undefined"?null:y,g={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:p(b.refreshId??e.meta.refreshId??null),hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!!e.proofRef.current,authenticated:!0};return e.stateMachine.onRefreshSuccess(g),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var On=(e,t)=>`${e.toUpperCase()} ${t}`,Tt=new Map,He;try{let e=globalThis;He=e.__sunbreak_page_probe_guard??(e.__sunbreak_page_probe_guard=new Set);}catch{He=new Set;}var Un=e=>{try{let t=new URL(e.baseUrl).origin;return `${e.clientId}::${t}`}catch{return `${e.clientId}::${e.baseUrl}`}};async function Pr(e){let t=Un(e);if(e.probeLock.current){e.logger.guard("probeLock",false,"Probe already in progress, waiting"),await e.probeLock.current,e.markProbed();return}if(e.hasProbedRef.current){e.logger.guard("hasProbedRef",false,"Already probed in this session"),e.markProbed();return}if(He.has(t)){e.logger.guard("pageProbeGuard",false,"Already probed for this page load"),e.markProbed();return}He.add(t),e.logger.flow("probe","Starting probe flow",{clientId:e.clientId,pageKey:t});let r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let o;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let m=await _(W(e));o=await pe({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:m,clientId:e.clientId,ttlSec:300});}catch(m){e.logger.warn("Failed to create PODE for probe",m);}let a="POST",i="/auth/probe",c=`${e.baseUrl}${i}`,u=`${n}${i}`,s=On(a,u),l=async 
m=>B({method:a,url:u,nonce:m,privateKey:Z(e),publicJwk:W(e)}),d=async m=>e.fetchImpl(c,{method:a,headers:{DPoP:m,"x-sunbreak-meta":F(e,{pode:o}),"content-type":"application/json"},credentials:"include",body:"{}"}),f=m=>{let k=m.headers.get("dpop-nonce");k&&Tt.set(s,k);},w=await d(await l(Tt.get(s)));if(f(w),w.status===401){e.logger.info("Probe got 401, retrying with nonce from www-authenticate");let m=w.headers.get("www-authenticate"),b=(m&&m.match(/dpop-nonce="([^"]+)"/i))?.[1];b&&(Tt.set(s,b),w=await d(await l(b)),f(w));}e.logger.api(a,i,{status:w.status});let S=m=>!m||m==="null"||m==="undefined"?null:m,E={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:S(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated};e.stateMachine.onProbeComplete(E);}catch(o){e.logger.error("Probe failed",o);try{He.delete(t);}catch{}}finally{e.markProbed(),e.logger.flow("probe","Probe flow completed");}})();e.probeLock.current=r;try{await r;}finally{e.probeLock.current=null;}}var vr=e=>{let t=useCallback(()=>_e(e),[e]),r=useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a){e.logger.guard("registerCooldown",false,"Cooldown active");return}if(!e.wallet){e.logger.guard("attemptRegister",false,"No wallet");return}if(!e.initResolvedRef.current){e.logger.guard("attemptRegister",false,"Not initialized");return}if(e.refreshLock.current){e.logger.guard("attemptRegister",false,"Refresh in progress");return}if(e.registerLock.current){e.logger.guard("attemptRegister",false,"Register already in progress");return}let 
i=s=>!s||s==="null"||s==="undefined"?null:s,c={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:i(e.meta.refreshId),hasToken:!!V(e),tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated};if(!e.stateMachine.shouldAttemptRegister(c)){e.logger.guard("attemptRegister",false,`State machine blocked (state: ${e.stateMachine.getState()}, inActiveSession: ${e.stateMachine.isInActiveSession()})`);return}let u=e.proofRef.current;if(!u){e.logger.guard("attemptRegister",false,"No proof available");return}e.logger.guard("attemptRegister",true,"All guards passed, proceeding"),await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await Le(e,e.wallet,u,{refreshFallback:async()=>{e.logger.info("Attempting refresh as fallback after register failure");let l=!!e.meta.boundWallet;!l&&e.wallet&&e.setBoundWallet(e.wallet);try{return await _e(e)}catch{return l||e.setBoundWallet(null),!1}}})&&(e.didInitialSession.current=!0);}catch(s){e.setError(s?.message||String(s)||"Register failed");}finally{e.registerLock.current=null;}})();},[e]),n=useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await ve(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a,i)=>Le(e,o,a,i),attemptRegister:r,setProofFromAdapterToken:n}};var jn=(e,t)=>`${e.toUpperCase()} ${t}`,Nn=(e,t)=>!!e&&!!t&&e.toLowerCase()===t.toLowerCase();async function tt(e,t,r,n,o,a={}){e.setLoadingCount(s=>s+1),e.setError(null);let i=n.startsWith("/api/session"),c=new AbortController,u=setTimeout(()=>c.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?pt(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,f=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,w=jn(r,f),S=n.startsWith("/auth/"),E=!1,m=!1,k=e.currentReqId(),b=tt._nonceCacheRef||(tt._nonceCacheRef={map:new Map}),H=J=>{let 
G=J.headers.get("dpop-nonce");G&&b.map.set(w,G);},p=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),g=()=>S||!e.wallet?!1:!!(e.authenticated||Nn(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),y,P,C=async()=>{if(S||p)return;try{let ce=V(e),oe=e.tokenExpRef.current,rt=Math.floor(Date.now()/1e3),nt=!!oe&&oe-rt<=60;if(ce){if(nt&&!await t().catch(()=>!1))return}else if(!g()||!await t().catch(()=>!1))return}catch{}let J=V(e);if(!J)return;let G=await Ye(J),U=b.map.get(w),ee=await B({method:r,url:f,nonce:U,ath:G,privateKey:Z(e),publicJwk:W(e)});y=`Bearer ${e.accessTokenRef.current}`,P=ee;};await C();let O={"content-type":"application/json","x-sunbreak-auth":y||"","x-sunbreak-meta":F(e,{reqId:k,auth:y,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...ht(a.headers)};P&&(O.DPoP=P);let Pe=async()=>e.fetchImpl(l,{...a,method:r,headers:O,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:c.signal}),K=await Pe(),Me=K.headers.get("x-sunbreak-policy-hash"),$e=K.headers.get("x-sunbreak-policy-proof");if(Me&&e.setLastPolicyHash(Me),$e&&e.setLastPolicyProof($e),H(K),K.status===401&&!S){let J=V(e),G=K.headers.get("www-authenticate"),ee=(G&&G.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!p&&ee&&J&&!m){m=!0,b.map.set(w,ee);let ce=await Ye(J),oe=await B({method:r,url:f,nonce:ee,ath:ce,privateKey:Z(e),publicJwk:W(e)});y=`Bearer ${e.accessTokenRef.current}`,P=oe,O["x-sunbreak-meta"]=F(e,{reqId:k,auth:y}),O.DPoP=P,K=await Pe(),H(K);}if(K.status===401&&!E&&(E=!0,!p&&g())){let ce=await t(),oe=V(e);ce&&oe&&!p&&(await C(),O["x-sunbreak-meta"]=F(e,{reqId:k,auth:y}),P&&(O.DPoP=P),K=await Pe(),H(K));}if(K.status===401)throw new Error("Unauthorized")}if(!K.ok){let J=await Je(K);if((K.headers.get("content-type")||"").includes("application/json")){let U=await K.json().catch(()=>{}),ee=We(U&&(U.error||U.message||U.detail)||`HTTP ${K.status}`);throw 
he(ee,J)}else {let U=J.waf?"Blocked by WAF (403)":J.alb403?"Blocked at origin (ALB 403)":`HTTP ${K.status}`;throw he(U,J)}}return (K.headers.get("content-type")||"").includes("application/json")?await K.json():void 0}finally{clearTimeout(u),e.setLoadingCount(s=>Math.max(0,s-1));}}var Ar=(e,t)=>useCallback(async(r,n,o,a={})=>tt(e,t,r,n,o,a),[e,t]);async function xr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function Kr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var Tr=(e,t)=>{let r=useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await xr(e,t)}catch(o){throw e.logger.error("Session request failed",o),o}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=useCallback(async()=>{if(e.wallet)return await Kr(e,t)},[e,t]);return {session:r,verify:n}};var Ir=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t,c=()=>(e.registerCooldownUntilRef.current??0)>Date.now(),u=()=>{let s=l=>!l||l==="null"||l==="undefined"?null:l;return {wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:s(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated}};useEffect(()=>{if(!e.metaReady)return;let s=true;return (async()=>{try{if(await e.waitReady(),!s||(await e.awaitKeyStable(),!s)||(await e.ensureRootKeypair(),!s))return;let l=u();e.stateMachine.initialize(l),await Pr(e);}catch(l){if(!s)return;e.logger.error("Probe initialization failed",l);}})(),()=>{s=false;}},[e.metaReady]),useEffect(()=>{let 
s=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==s&&(e.didInitialRefresh.current=false),!e.wallet){e.logger.flow("wallet","Wallet disconnected"),e.stateMachine.onWalletDisconnect(),e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}if(s&&e.wallet&&s!==e.wallet){e.logger.flow("wallet",`Wallet changed: ${s} \u2192 ${e.wallet}`);let l=u();e.stateMachine.onWalletChange(s,e.wallet,l),e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;});}},[e.wallet]),useEffect(()=>{if(!e.providerAdapter||c()||!e.metaReady||!e.wallet)return;if(e.stateMachine.isInActiveSession()){e.logger.decision("Provider adapter should trigger register?",false,"Already in active session");return}if(e.authenticated){e.logger.decision("Provider adapter should trigger register?",false,"Already authenticated");return}let s=u();if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,s)){e.logger.decision("Provider adapter should wait for initial refresh?",true,"Returning user - refresh first");return}e.logger.decision("Provider adapter should trigger register?",true,`Fetching token (state: ${e.stateMachine.getState()})`);let l=false;return (async()=>{try{let d=e.providerAdapter.getToken(),f=new Promise((S,E)=>setTimeout(()=>E(new Error("Provider adapter timeout (30s)")),3e4)),w=await Promise.race([d,f]).catch(S=>(e.logger.warn("Provider adapter getToken failed",S),null))??null;if(await e.awaitKeyStable(),l||!w)return;e.logger.info("Provider adapter: got 
token, setting proof"),await a(w),await o();}catch(d){e.logger.error("Provider adapter flow failed",d);}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef,e.didInitialRefresh,e.authenticated,...e.refreshDeps]),useEffect(()=>{if(typeof i<"u"&&(e.proofRef.current=i??null,i&&e.logger.info("Proof prop updated",{hasProof:!!i})),!e.metaReady)return;let s=u();if(!e.stateMachine.shouldAttemptRegister(s)){e.logger.decision("Proof prop should trigger register?",false,`State machine says no (state: ${e.stateMachine.getState()}, inActiveSession: ${e.stateMachine.isInActiveSession()})`);return}if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,s)){e.logger.decision("Proof prop should wait for initial refresh?",true,"Returning user - refresh first");return}let l=!!e.wallet,d=!!e.proofRef.current;l&&d&&e.initResolvedRef.current&&!c()&&(e.logger.info("Proof prop conditions met, attempting register"),o());},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef,e.didInitialRefresh,o]),useEffect(()=>{if(!e.metaReady||e.didInitialRefresh.current)return;let s=true;return (async()=>{try{await e.waitReady(),await e.awaitProbe();let l=u();if(e.accessTokenRef.current||e.authenticated){e.logger.info("Already authenticated, skipping initial refresh"),e.didInitialRefresh.current=!0,e.wallet&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}if(!e.stateMachine.shouldAttemptRefresh(l)){e.logger.decision("Should attempt initial refresh?",!1,`State: ${e.stateMachine.getState()}`),e.didInitialRefresh.current=!0;return}e.logger.decision("Should attempt initial refresh?",!0,`State: ${e.stateMachine.getState()}`),e.didInitialRefresh.current=!0;let f=await r();if(!s)return;e.setAuthenticated(f),f&&e.wallet&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await 
n());}catch(l){if(!s)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(l?.message||String(l)||"Unknown error");}})(),()=>{s=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,e.didInitialRefresh,r,n]),useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{e.logger.flow("session","Calling session after authentication"),await n();}catch(s){e.setError(s?.message||String(s));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.logger.warn("Wallet mismatch detected, clearing auth",{current:e.wallet,authWallet:e.authWalletRef.current}),e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),useEffect(()=>{let l=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return false;let w=e.tokenExpRef.current;if(!w)return false;let S=Math.floor(Date.now()/1e3);return w-S<=30},d=async()=>{try{l()&&(e.logger.info("Token expiring soon, refreshing on focus"),await r());}catch{}},f=async()=>{document.visibilityState==="visible"&&await d();};return window.addEventListener("focus",d),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",d),document.removeEventListener("visibilitychange",f);}},[e,r]),useEffect(()=>{let 
d=()=>{let S=Math.floor(Date.now()/1e3),E=e.tokenExpRef.current,m=e.sessionExpiry,k=!!E&&E-S<=30&&E-S>0,b=!!m&&m-S<=3600&&m-S>0;return {tokenSoon:k,sessionSoon:b}},f=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:S,sessionSoon:E}=d();(S||E)&&(e.logger.info("Refreshing on focus",{tokenSoon:S,sessionSoon:E}),await r()&&E&&await n());}catch{}},w=async()=>{document.visibilityState==="visible"&&await f();};return window.addEventListener("focus",f),document.addEventListener("visibilitychange",w),()=>{window.removeEventListener("focus",f),document.removeEventListener("visibilitychange",w);}},[e,e.sessionExpiry,r,n]);};var Wr=createContext(void 0),qn=e=>{let t=kr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=vr(t),a=Ar(t,r),{session:i,verify:c}=Tr(t,a);Ir(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let u=useMemo(()=>({get:(s,l)=>a("GET",s,void 0,l),post:(s,l,d)=>a("POST",s,l,d),verify:c,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,c,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsx(Wr.Provider,{value:u,children:e.children})},zn=e=>jsx(kt,{clientId:e.clientId,children:jsx(qn,{...e})}),Xn=()=>{let e=useContext(Wr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
|
|
20
|
+
`.trim()}};var Wn=()=>crypto.randomUUID(),Pr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:c,refreshDeps:u=[],debug:s}=e,l=ft(n),d=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:f,setBoundWallet:w,setJkt:b,setRefreshId:R,getRefreshId:m,setLastPolicyHash:k,setLastPolicyProof:S,setLastHost:H,setRootJkt:p,ready:g}=Pt(),{ensureRootKeypair:y,rootPrivRef:P,rootPubJwkRef:C}=Kt(),O=useCallback(async()=>{await y();try{if(!f.rootJkt&&C.current){let te=await _(C.current);p(te);}}catch{}},[y,f.rootJkt,C]),{ensureKeypair:ve,rotate:K,privRef:$e,pubJwkRef:Oe}=At(),[Jt,J]=useState(false),[V,j]=useState(0),[ee,se]=useState(null),[oe,nt]=useState(null),[ot,at]=useState(null),[Wr,Jr]=useState(null),Dr=useRef(null),Lr=useRef(null),_r=useRef(null),Hr=useRef(null),Mr=useRef(null),$r=useRef(null),Or=useRef(null),jr=useRef(false),Ur=useRef(false),Nr=useRef(void 0),je=useRef(false),it=useRef(false),Dt=useRef(null),ce=useRef(null);ce.current||(ce.current=new Promise(te=>{Dt.current=te;}));let st=useRef(null),Fr=useRef(i),Br=useRef(null),ye=useRef(null);if(!ye.current){let te=s??false;ye.current=new Le(t,te);}let Lt=s??false;ye.current&&ye.current.enabled!==Lt&&(ye.current.enabled=Lt);let ct=useRef(null);ct.current||(ct.current=new tt);let Ue=useRef(null),_t=useRef(null),Ne=useRef(null),Ht=()=>Date.now(),Gr=()=>(Ne.current??0)>0&&Ne.current<Ht(),lt=useCallback((te,Zr=15e3)=>{let Mt=Wn();return Ue.current=Mt,_t.current=te,Ne.current=Ht()+Math.max(1e3,Zr),Mt},[]),Vr=useCallback(()=>((!Ue.current||Gr())&<("adhoc",1e4),Ue.current),[lt]),ut=useRef(null),Fe=useRef(null);Fe.current||(Fe.current=new Promise(te=>{ut.current=te;}));let qr=useCallback(async()=>{!je.current&&Fe.current&&await Fe.current;},[]),zr=useCallback(()=>{je.current||(je.current=true,ut.current?.(),ut.current=null);},[]),Xr=useCallback(async()=>{!it.current&&ce.current&&await ce.current;},[]),Yr=useCallback(async()=>{!it.current&&ce.current&&await 
ce.current,st.current&&await st.current;},[]);return {clientId:t,wallet:r,baseUrl:l,fetchImpl:d,timeoutMs:a,providerAdapter:c,refreshDeps:u,ensureKeypair:ve,rotate:K,ensureRootKeypair:O,rootPrivRef:P,rootPubJwkRef:C,privRef:$e,pubJwkRef:Oe,meta:f,setBoundWallet:w,setJkt:b,setRefreshId:R,accessTokenRef:_r,tokenExpRef:Hr,authenticated:Jt,setAuthenticated:J,loadingCount:V,setLoadingCount:j,error:ee,setError:se,allowed:oe,setAllowed:nt,sessionExpiry:ot,setSessionExpiry:at,sessionData:Wr,setSessionData:Jr,authWalletRef:Lr,refreshLock:Mr,registerLock:$r,sessionLock:Or,didInitialRefresh:jr,didInitialSession:Ur,prevWalletRef:Nr,initResolvedRef:it,initReady:ce,initResolveRef:Dt,rotateLock:st,waitReady:Xr,awaitKeyStable:Yr,proofRef:Fr,registerCooldownUntilRef:Dr,reqIdRef:Ue,flowLabelRef:_t,flowExpireRef:Ne,beginFlow:lt,currentReqId:Vr,awaitProbe:qr,markProbed:zr,hasProbedRef:je,getRefreshId:m,setLastPolicyHash:k,setLastPolicyProof:S,setLastHost:H,setRootJkt:p,metaReady:g,probeLock:Br,stateMachine:ct.current,logger:ye.current}};var G=e=>e.accessTokenRef.current??null,Z=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},W=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Jn=(e,t)=>`${e.toUpperCase()} ${t}`;async function _e(e,t,r,n){if(!t)return e.logger.guard("register",false,"No wallet provided"),false;e.logger.flow("register","Starting register flow",{wallet:t});let o=_e._nonceCacheRef||(_e._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let a;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let y=await _(e.rootPubJwkRef.current);e.setRootJkt?.(y);}catch{}let p=await _(W(e)),g=await e.getRefreshId();a=await 
de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:p,clientId:e.clientId,sid:g||void 0,ttlSec:300});}}catch(p){e.logger.warn("Failed to create PODE for register",p);}let i=e.currentReqId(),c="/auth/register",u=`${e.baseUrl}${c}`,s=new URL(e.baseUrl).origin,l="POST",d=`${s}${c}`,f=Jn(l,d),w=o.map.get(f),b=await B({method:l,url:d,nonce:w,privateKey:Z(e),publicJwk:W(e)}),R=async p=>e.fetchImpl(u,{method:l,headers:{"content-type":"application/json","x-sunbreak-meta":F(e,{reqId:i,pode:a||void 0}),...p},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),m=await R({DPoP:b}),k=p=>{let g=p.headers.get("dpop-nonce");g&&o.map.set(f,g);};if(m.status===401){e.logger.info("Register got 401, retrying with nonce");let p=m.headers.get("www-authenticate"),y=(p&&p.match(/dpop-nonce="([^"]+)"/i))?.[1];if(y){o.map.set(f,y);let P=await B({method:l,url:d,nonce:y,privateKey:Z(e),publicJwk:W(e)});m=await R({DPoP:P});}}if(k(m),e.logger.api(l,c,{status:m.status}),!m.ok){let p=await De(m);if((m.headers.get("content-type")||"").includes("application/json")){let y;try{y=await m.clone().json();}catch{}let P=Je(y&&(y.error||y.message||y.detail)||`HTTP ${m.status}`);throw pe(P,p)}else {let y=p.waf?"Blocked by WAF (403)":p.alb403?"Blocked at origin (ALB 403)":`HTTP ${m.status}`;throw pe(y,p)}}let S=await m.json();e.logger.info("Register succeeded",{expiresIn:S.expiresIn,hasRefreshId:!!S.refreshId}),e.accessTokenRef.current=S.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let p=Math.floor(Date.now()/1e3);e.tokenExpRef.current=p+(S.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await _(W(e)));}catch{}try{let p={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:S.refreshId??null};e.setRefreshId(S.refreshId??null);let g=Ce(e.clientId);await 
E(g,p);try{localStorage.setItem(g,JSON.stringify(p));}catch{}}catch{}let H={wallet:t,boundWallet:t,refreshId:S.refreshId??null,hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!0,authenticated:!0};return e.stateMachine.onRegisterSuccess(H),!0}catch(a){let i=Number(a?.status||0),c=String(a?.code||"").toLowerCase(),u=String(a?.message||"").toLowerCase(),s=Math.floor(Math.random()*1e3);e.logger.error("Register failed",{status:i,code:c,msg:u}),e.stateMachine.onRegisterFailure(`${c||u||"Unknown error"}`);let l=c==="session_exists"||c==="already_authenticated"||u.includes("already")&&(u.includes("session")||u.includes("authenticated")),d=(i===401||i===403)&&c==="replay";if((l||d)&&n?.refreshFallback&&(!e.meta.boundWallet||e.meta.boundWallet.toLowerCase()===t.toLowerCase())){e.logger.info("Register failed with recoverable error, attempting refresh fallback",{code:c,isSessionExists:l,isReplay:d});try{if(await n.refreshFallback())return e.logger.info("Refresh fallback succeeded after register failure"),e.meta.boundWallet||e.setBoundWallet(t),!0}catch(w){e.logger.warn("Refresh fallback failed",w);}}if(d){if(e.providerAdapter)try{let f=await e.providerAdapter.getToken()??null;if(f)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Ae(e.providerAdapter,f),e.registerCooldownUntilRef.current=Date.now()+5e3+s,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+s,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+s,false}if(l)return e.setError("Session already exists. 
Try refreshing the page."),e.registerCooldownUntilRef.current=Date.now()+3e3+s,false;if(i===403&&(a?.waf||a?.alb403))return e.setError(u||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+s,false;if(i===403)return e.setError(c||u||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+s,false;if(i===429||i===503){e.setError(c||u||"Rate limited / unavailable");let f=i===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+f+s,false}return e.setError(c||u||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+s,false}}var Dn=(e,t)=>`${e.toUpperCase()} ${t}`;function He(e){if(e.refreshLock.current)return e.logger.guard("refreshLock",false,"Refresh already in progress"),e.refreshLock.current;if(e.registerLock.current){e.logger.guard("registerLock",false,"Registration in progress, waiting");let t=e.registerLock.current.then(()=>{if(e.authenticated&&G(e))return true;if(G(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return true}return false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.logger.flow("refresh","Starting refresh flow"),e.refreshLock.current=(async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe();let t=e.meta.boundWallet||e.wallet;if(!t)return e.logger.warn("No wallet available for refresh (neither boundWallet nor current wallet)"),!1;if(e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.logger.warn("Wallet mismatch during refresh",{current:e.wallet,bound:e.meta.boundWallet}),e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let r=G(e);if(r){let y=e.tokenExpRef.current,P=Math.floor(Date.now()/1e3);if(!!r&&!!y&&y-P>5)return e.logger.info("Token still valid, skipping refresh"),!0}e.beginFlow("refresh",15e3);let n=e.currentReqId();await e.ensureKeypair();let o;try{if(await 
e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let C=await _(e.rootPubJwkRef.current);e.setRootJkt?.(C);}catch{}let y=await _(W(e)),P=await e.getRefreshId();o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:y,clientId:e.clientId,sid:P||void 0,ttlSec:300});}}catch(y){e.logger.warn("Failed to create PODE for refresh",y);}let a="/auth/refresh",i=`${e.baseUrl}${a}`,c=new URL(e.baseUrl).origin,u="POST",s=`${c}${a}`,l=Dn(u,s),d=He._nonceCacheRef||(He._nonceCacheRef={map:new Map}),f=async y=>await B({method:u,url:s,nonce:y,privateKey:Z(e),publicJwk:W(e)}),w=await e.getRefreshId(),b={"x-sunbreak-meta":F(e,{reqId:n,refreshId:w||void 0,pode:o||void 0,wallet:t}),"content-type":"application/json"},R=async y=>e.fetchImpl(i,{method:u,headers:{DPoP:y,...b},credentials:"include",body:"{}"}),m=y=>{let P=y.headers.get("dpop-nonce");P&&d.map.set(l,P);},k=await R(await f(d.map.get(l)));if(k.status===401){e.logger.info("Refresh got 401, retrying with nonce");let y=k.headers.get("www-authenticate"),C=(y&&y.match(/dpop-nonce="([^"]+)"/i))?.[1];C&&(d.map.set(l,C),k=await R(await f(C)));}if(m(k),e.logger.api(u,a,{status:k.status}),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let P=await k.clone().json().catch(()=>{}),C=P&&(P.error||P.code||P.message)||"",O=String(C).toLowerCase();if(O.includes("missing")&&O.includes("refresh")){e.logger.warn("Refresh session expired (missing refresh identifier)"),e.stateMachine.onRefreshExpired();try{e.setRefreshId?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}else e.logger.warn("Refresh failed",{error:C}),e.stateMachine.onRefreshFailure(String(C));}}catch{}return !1}let S=await k.json();e.logger.info("Refresh succeeded",{expiresIn:S.expiresIn,hasRefreshId:!!S.refreshId}),e.accessTokenRef.current=S.access,e.setAuthenticated(!0);let 
H=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=H?H.toLowerCase():null;try{let y=Math.floor(Date.now()/1e3);e.tokenExpRef.current=y+(S.expiresIn??0);}catch{}try{e.setJkt(await _(W(e)));}catch{}S.refreshId&&e.setRefreshId(S.refreshId);let p=y=>!y||y==="null"||y==="undefined"?null:y,g={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:p(S.refreshId??e.meta.refreshId??null),hasToken:!0,tokenExpiry:e.tokenExpRef.current,hasProof:!!e.proofRef.current,authenticated:!0};return e.stateMachine.onRefreshSuccess(g),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var Ln=(e,t)=>`${e.toUpperCase()} ${t}`,Tt=new Map,Me;try{let e=globalThis;Me=e.__sunbreak_page_probe_guard??(e.__sunbreak_page_probe_guard=new Set);}catch{Me=new Set;}var _n=e=>{try{let t=new URL(e.baseUrl).origin;return `${e.clientId}::${t}`}catch{return `${e.clientId}::${e.baseUrl}`}};async function vr(e){let t=_n(e);if(e.probeLock.current){e.logger.guard("probeLock",false,"Probe already in progress, waiting"),await e.probeLock.current,e.markProbed();return}if(e.hasProbedRef.current){e.logger.guard("hasProbedRef",false,"Already probed in this session"),e.markProbed();return}if(Me.has(t)){e.logger.guard("pageProbeGuard",false,"Already probed for this page load"),e.markProbed();return}Me.add(t),e.logger.flow("probe","Starting probe flow",{clientId:e.clientId,pageKey:t});let r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let o;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let m=await _(W(e));o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:m,clientId:e.clientId,ttlSec:300});}catch(m){e.logger.warn("Failed to create PODE for probe",m);}let a="POST",i="/auth/probe",c=`${e.baseUrl}${i}`,u=`${n}${i}`,s=Ln(a,u),l=async 
m=>B({method:a,url:u,nonce:m,privateKey:Z(e),publicJwk:W(e)}),d=async m=>e.fetchImpl(c,{method:a,headers:{DPoP:m,"x-sunbreak-meta":F(e,{pode:o}),"content-type":"application/json"},credentials:"include",body:"{}"}),f=m=>{let k=m.headers.get("dpop-nonce");k&&Tt.set(s,k);},w=await d(await l(Tt.get(s)));if(f(w),w.status===401){e.logger.info("Probe got 401, retrying with nonce from www-authenticate");let m=w.headers.get("www-authenticate"),S=(m&&m.match(/dpop-nonce="([^"]+)"/i))?.[1];S&&(Tt.set(s,S),w=await d(await l(S)),f(w));}e.logger.api(a,i,{status:w.status});let b=m=>!m||m==="null"||m==="undefined"?null:m,R={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:b(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated};e.stateMachine.onProbeComplete(R);}catch(o){e.logger.error("Probe failed",o);try{Me.delete(t);}catch{}}finally{e.markProbed(),e.logger.flow("probe","Probe flow completed");}})();e.probeLock.current=r;try{await r;}finally{e.probeLock.current=null;}}var Ar=e=>{let t=useCallback(()=>He(e),[e]),r=useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a){e.logger.guard("registerCooldown",false,"Cooldown active");return}if(!e.wallet){e.logger.guard("attemptRegister",false,"No wallet");return}if(!e.initResolvedRef.current){e.logger.guard("attemptRegister",false,"Not initialized");return}if(e.refreshLock.current){e.logger.guard("attemptRegister",false,"Refresh in progress");return}if(e.registerLock.current){e.logger.guard("attemptRegister",false,"Register already in progress");return}let 
i=s=>!s||s==="null"||s==="undefined"?null:s,c={wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:i(e.meta.refreshId),hasToken:!!G(e),tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated};if(!e.stateMachine.shouldAttemptRegister(c)){e.logger.guard("attemptRegister",false,`State machine blocked (state: ${e.stateMachine.getState()}, inActiveSession: ${e.stateMachine.isInActiveSession()})`);return}let u=e.proofRef.current;if(!u){e.logger.guard("attemptRegister",false,"No proof available");return}e.logger.guard("attemptRegister",true,"All guards passed, proceeding"),await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await _e(e,e.wallet,u,{refreshFallback:async()=>{e.logger.info("Attempting refresh as fallback after register failure");let l=!!e.meta.boundWallet;!l&&e.wallet&&e.setBoundWallet(e.wallet);try{return await He(e)}catch{return l||e.setBoundWallet(null),!1}}})&&(e.didInitialSession.current=!0);}catch(s){e.setError(s?.message||String(s)||"Register failed");}finally{e.registerLock.current=null;}})();},[e]),n=useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Ae(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a,i)=>_e(e,o,a,i),attemptRegister:r,setProofFromAdapterToken:n}};var Hn=(e,t)=>`${e.toUpperCase()} ${t}`,Mn=(e,t)=>!!e&&!!t&&e.toLowerCase()===t.toLowerCase();async function rt(e,t,r,n,o,a={}){e.setLoadingCount(s=>s+1),e.setError(null);let i=n.startsWith("/api/session"),c=new AbortController,u=setTimeout(()=>c.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?pt(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,f=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,w=Hn(r,f),b=n.startsWith("/auth/"),R=!1,m=!1,k=e.currentReqId(),S=rt._nonceCacheRef||(rt._nonceCacheRef={map:new Map}),H=J=>{let 
V=J.headers.get("dpop-nonce");V&&S.map.set(w,V);},p=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),g=()=>b||!e.wallet?!1:!!(e.authenticated||Mn(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),y,P,C=async()=>{if(b||p)return;try{let se=G(e),oe=e.tokenExpRef.current,nt=Math.floor(Date.now()/1e3),ot=!!oe&&oe-nt<=60;if(se){if(ot&&!await t().catch(()=>!1))return}else if(!g()||!await t().catch(()=>!1))return}catch{}let J=G(e);if(!J)return;let V=await Ze(J),j=S.map.get(w),ee=await B({method:r,url:f,nonce:j,ath:V,privateKey:Z(e),publicJwk:W(e)});y=`Bearer ${e.accessTokenRef.current}`,P=ee;};await C();let O={"content-type":"application/json","x-sunbreak-auth":y||"","x-sunbreak-meta":F(e,{reqId:k,auth:y,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...ht(a.headers)};P&&(O.DPoP=P);let ve=async()=>e.fetchImpl(l,{...a,method:r,headers:O,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:c.signal}),K=await ve(),$e=K.headers.get("x-sunbreak-policy-hash"),Oe=K.headers.get("x-sunbreak-policy-proof");if($e&&e.setLastPolicyHash($e),Oe&&e.setLastPolicyProof(Oe),H(K),K.status===401&&!b){let J=G(e),V=K.headers.get("www-authenticate"),ee=(V&&V.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!p&&ee&&J&&!m){m=!0,S.map.set(w,ee);let se=await Ze(J),oe=await B({method:r,url:f,nonce:ee,ath:se,privateKey:Z(e),publicJwk:W(e)});y=`Bearer ${e.accessTokenRef.current}`,P=oe,O["x-sunbreak-meta"]=F(e,{reqId:k,auth:y}),O.DPoP=P,K=await ve(),H(K);}if(K.status===401&&!R&&(R=!0,!p&&g())){let se=await t(),oe=G(e);se&&oe&&!p&&(await C(),O["x-sunbreak-meta"]=F(e,{reqId:k,auth:y}),P&&(O.DPoP=P),K=await ve(),H(K));}if(K.status===401)throw new Error("Unauthorized")}if(!K.ok){let J=await De(K);if((K.headers.get("content-type")||"").includes("application/json")){let j=await K.json().catch(()=>{}),ee=Je(j&&(j.error||j.message||j.detail)||`HTTP ${K.status}`);throw 
pe(ee,J)}else {let j=J.waf?"Blocked by WAF (403)":J.alb403?"Blocked at origin (ALB 403)":`HTTP ${K.status}`;throw pe(j,J)}}return (K.headers.get("content-type")||"").includes("application/json")?await K.json():void 0}finally{clearTimeout(u),e.setLoadingCount(s=>Math.max(0,s-1));}}var xr=(e,t)=>useCallback(async(r,n,o,a={})=>rt(e,t,r,n,o,a),[e,t]);async function Kr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}var Cr=(e,t)=>({session:useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await Kr(e,t)}catch(n){throw e.logger.error("Session request failed",n),n}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t])});var Tr=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t,c=()=>(e.registerCooldownUntilRef.current??0)>Date.now(),u=()=>{let s=l=>!l||l==="null"||l==="undefined"?null:l;return {wallet:e.wallet||null,boundWallet:e.meta.boundWallet||null,refreshId:s(e.meta.refreshId),hasToken:!!e.accessTokenRef.current,tokenExpiry:e.tokenExpRef.current||null,hasProof:!!e.proofRef.current,authenticated:e.authenticated}};useEffect(()=>{if(!e.metaReady)return;let s=true;return (async()=>{try{if(await e.waitReady(),!s||(await e.awaitKeyStable(),!s)||(await e.ensureRootKeypair(),!s))return;let l=u();e.stateMachine.initialize(l),await vr(e);}catch(l){if(!s)return;e.logger.error("Probe initialization failed",l);}})(),()=>{s=false;}},[e.metaReady]),useEffect(()=>{let s=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==s&&(e.didInitialRefresh.current=false),!e.wallet){e.logger.flow("wallet","Wallet 
disconnected"),e.stateMachine.onWalletDisconnect(),e.setAllowed(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}if(s&&e.wallet&&s!==e.wallet){e.logger.flow("wallet",`Wallet changed: ${s} \u2192 ${e.wallet}`);let l=u();e.stateMachine.onWalletChange(s,e.wallet,l),e.proofRef.current=null,e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.rotateLock.current=(async()=>{await e.rotate();})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;});}if(!s&&e.wallet){if(e.logger.flow("wallet",`Wallet connected: ${e.wallet}`),e.didInitialSession.current=false,!e.metaReady){e.logger.info("Wallet connected but meta not ready, deferring state machine update");return}let l=u();e.stateMachine.onWalletChange(null,e.wallet,l);}},[e.wallet,e.metaReady]),useEffect(()=>{if(!e.providerAdapter||c()||!e.metaReady||!e.wallet)return;if(e.stateMachine.isInActiveSession()){e.logger.decision("Provider adapter should trigger register?",false,"Already in active session");return}if(e.authenticated){e.logger.decision("Provider adapter should trigger register?",false,"Already authenticated");return}let s=u();if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,s)){e.logger.decision("Provider adapter should wait for initial refresh?",true,"Returning user - refresh first");return}e.logger.decision("Provider adapter should trigger register?",true,`Fetching token (state: ${e.stateMachine.getState()})`);let l=false;return (async()=>{try{let d=e.providerAdapter.getToken(),f=new Promise((b,R)=>setTimeout(()=>R(new Error("Provider adapter timeout (30s)")),3e4)),w=await 
Promise.race([d,f]).catch(b=>(e.logger.warn("Provider adapter getToken failed",b),null))??null;if(await e.awaitKeyStable(),l||!w)return;try{let b=w.split(".");if(b[1]){let R=JSON.parse(atob(b[1]));e.logger.info("Provider adapter: got token",{wallet:e.wallet,jwtSub:R.sub,jwtWallet:R.wallet||R.linked_accounts?.[0]?.address,jwtExp:R.exp,jwtIat:R.iat});}}catch{e.logger.info("Provider adapter: got token (could not decode)");}await a(w),await o();}catch(d){e.logger.error("Provider adapter flow failed",d);}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef,e.didInitialRefresh,e.authenticated,...e.refreshDeps]),useEffect(()=>{if(typeof i<"u"&&(e.proofRef.current=i??null,i&&e.logger.info("Proof prop updated",{hasProof:!!i})),!e.metaReady)return;let s=u();if(!e.stateMachine.shouldAttemptRegister(s)){e.logger.decision("Proof prop should trigger register?",false,`State machine says no (state: ${e.stateMachine.getState()}, inActiveSession: ${e.stateMachine.isInActiveSession()})`);return}if(e.stateMachine.shouldWaitForInitialRefresh(e.didInitialRefresh.current,s)){e.logger.decision("Proof prop should wait for initial refresh?",true,"Returning user - refresh first");return}let l=!!e.wallet,d=!!e.proofRef.current;l&&d&&e.initResolvedRef.current&&!c()&&(e.logger.info("Proof prop conditions met, attempting register"),o());},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef,e.didInitialRefresh,o]),useEffect(()=>{if(!e.metaReady||e.didInitialRefresh.current)return;let s=true;return (async()=>{try{await e.waitReady(),await e.awaitProbe();let l=u();if(e.accessTokenRef.current||e.authenticated){e.logger.info("Already authenticated, skipping initial refresh"),e.didInitialRefresh.current=!0,e.wallet&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}if(!e.stateMachine.shouldAttemptRefresh(l)){e.logger.decision("Should attempt initial refresh?",!1,`State: 
${e.stateMachine.getState()}`),e.didInitialRefresh.current=!0;return}e.logger.decision("Should attempt initial refresh?",!0,`State: ${e.stateMachine.getState()}`),e.didInitialRefresh.current=!0;let f=await r();if(!s)return;e.setAuthenticated(f),f&&e.wallet&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(l){if(!s)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(l?.message||String(l)||"Unknown error");}})(),()=>{s=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,e.didInitialRefresh,r,n]),useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{e.logger.flow("session","Calling session after authentication"),await n();}catch(s){e.setError(s?.message||String(s));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.logger.warn("Wallet mismatch detected, clearing auth",{current:e.wallet,authWallet:e.authWalletRef.current}),e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),useEffect(()=>{let l=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return false;let w=e.tokenExpRef.current;if(!w)return false;let b=Math.floor(Date.now()/1e3);return w-b<=30},d=async()=>{try{l()&&(e.logger.info("Token expiring soon, 
refreshing on focus"),await r());}catch{}},f=async()=>{document.visibilityState==="visible"&&await d();};return window.addEventListener("focus",d),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",d),document.removeEventListener("visibilitychange",f);}},[e,r]),useEffect(()=>{let d=()=>{let b=Math.floor(Date.now()/1e3),R=e.tokenExpRef.current,m=e.sessionExpiry,k=!!R&&R-b<=30&&R-b>0,S=!!m&&m-b<=3600&&m-b>0;return {tokenSoon:k,sessionSoon:S}},f=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:b,sessionSoon:R}=d();(b||R)&&(e.logger.info("Refreshing on focus",{tokenSoon:b,sessionSoon:R}),await r()&&R&&await n());}catch{}},w=async()=>{document.visibilityState==="visible"&&await f();};return window.addEventListener("focus",f),document.addEventListener("visibilitychange",w),()=>{window.removeEventListener("focus",f),document.removeEventListener("visibilitychange",w);}},[e,e.sessionExpiry,r,n]);};var Ir=createContext(void 0),Fn=e=>{let t=Pr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=Ar(t),a=xr(t,r),{session:i}=Cr(t,a);Tr(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let c=useMemo(()=>({get:(u,s)=>a("GET",u,void 0,s),post:(u,s,l)=>a("POST",u,s,l),session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,wallet:t.wallet}),[a,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.sessionExpiry,t.sessionData,t.wallet]);return jsx(Ir.Provider,{value:c,children:e.children})},Bn=e=>jsx(kt,{clientId:e.clientId,children:jsx(Fn,{...e})}),Gn=()=>{let e=useContext(Ir);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
|
|
21
21
|
|
|
22
|
-
export {
|
|
22
|
+
export { Bn as SunbreakProvider, Gn as useSunbreak };
|