@tenxyte/core 0.1.5 → 0.9.2

package/dist/index.cjs

@@ -1,497 +1,1882 @@
-"use strict";
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-
-// src/index.ts
-var index_exports = {};
-__export(index_exports, {
-  AuthModule: () => AuthModule,
-  RbacModule: () => RbacModule,
-  SecurityModule: () => SecurityModule,
-  TenxyteClient: () => TenxyteClient,
-  TenxyteHttpClient: () => TenxyteHttpClient,
-  UserModule: () => UserModule
-});
-module.exports = __toCommonJS(index_exports);
-
-// src/http/client.ts
-var TenxyteHttpClient = class {
-  baseUrl;
-  defaultHeaders;
-  // Interceptors
-  requestInterceptors = [];
-  responseInterceptors = [];
-  constructor(options) {
-    this.baseUrl = options.baseUrl.replace(/\/$/, "");
-    this.defaultHeaders = {
-      "Content-Type": "application/json",
-      Accept: "application/json",
-      ...options.headers
-    };
-  }
-  // Interceptor Registration
-  addRequestInterceptor(interceptor) {
-    this.requestInterceptors.push(interceptor);
-  }
-  addResponseInterceptor(interceptor) {
-    this.responseInterceptors.push(interceptor);
-  }
-  /**
-   * Main request method wrapping fetch
-   */
-  async request(endpoint, config = {}) {
-    const urlStr = endpoint.startsWith("http") ? endpoint : `${this.baseUrl}${endpoint.startsWith("/") ? "" : "/"}${endpoint}`;
-    let urlObj = new URL(urlStr);
-    if (config.params) {
-      Object.entries(config.params).forEach(([key, value]) => {
-        if (value !== void 0 && value !== null) {
-          urlObj.searchParams.append(key, String(value));
-        }
-      });
-    }
-    let requestContext = {
-      url: urlObj.toString(),
-      ...config,
-      headers: { ...this.defaultHeaders, ...config.headers || {} }
-    };
-    if (typeof FormData !== "undefined" && requestContext.body instanceof FormData) {
-      const headers = requestContext.headers;
-      delete headers["Content-Type"];
-      delete headers["content-type"];
-    } else if (requestContext.body && typeof requestContext.body === "object") {
-      const contentType = requestContext.headers["Content-Type"] || "";
-      if (contentType.toLowerCase().includes("application/json")) {
-        requestContext.body = JSON.stringify(requestContext.body);
-      }
-    }
-    for (const interceptor of this.requestInterceptors) {
-      requestContext = await interceptor(requestContext);
-    }
-    const { url, ...fetchConfig } = requestContext;
-    try {
-      let response = await fetch(url, fetchConfig);
-      for (const interceptor of this.responseInterceptors) {
-        response = await interceptor(response, { url, config: fetchConfig });
-      }
-      if (!response.ok) {
-        throw await this.normalizeError(response);
-      }
-      if (response.status === 204) {
-        return {};
-      }
-      const contentType = response.headers.get("content-type");
-      if (contentType && contentType.includes("application/json")) {
-        return await response.json();
-      }
-      return await response.text();
-    } catch (error) {
-      if (error && error.code) {
-        throw error;
-      }
-      throw {
-        error: error.message || "Network request failed",
-        code: "NETWORK_ERROR",
-        details: String(error)
-      };
-    }
-  }
-  async normalizeError(response) {
-    try {
-      const body = await response.json();
-      return {
-        error: body.error || body.detail || "API request failed",
-        code: body.code || `HTTP_${response.status}`,
-        details: body.details || body,
-        retry_after: response.headers.has("Retry-After") ? parseInt(response.headers.get("Retry-After"), 10) : void 0
-      };
-    } catch (e) {
-      return {
-        error: `HTTP Error ${response.status}: ${response.statusText}`,
-        code: `HTTP_${response.status}`
-      };
-    }
-  }
-  // Convenience methods
-  get(endpoint, config) {
-    return this.request(endpoint, { ...config, method: "GET" });
-  }
-  post(endpoint, data, config) {
-    return this.request(endpoint, { ...config, method: "POST", body: data });
-  }
-  put(endpoint, data, config) {
-    return this.request(endpoint, { ...config, method: "PUT", body: data });
-  }
-  patch(endpoint, data, config) {
-    return this.request(endpoint, { ...config, method: "PATCH", body: data });
-  }
-  delete(endpoint, config) {
-    return this.request(endpoint, { ...config, method: "DELETE" });
-  }
-};
-
-// src/modules/auth.ts
-var AuthModule = class {
-  constructor(client) {
-    this.client = client;
-  }
-  /**
-   * Authenticate user with email and password
-   */
-  async loginWithEmail(data) {
-    return this.client.post("/api/v1/auth/login/email/", data);
-  }
-  /**
-   * Authenticate user with international phone number and password
-   */
-  async loginWithPhone(data) {
-    return this.client.post("/api/v1/auth/login/phone/", data);
-  }
-  /**
-   * Register a new user
-   */
-  async register(data) {
-    return this.client.post("/api/v1/auth/register/", data);
-  }
-  /**
-   * Logout from the current session
-   */
-  async logout(refreshToken) {
-    return this.client.post("/api/v1/auth/logout/", { refresh_token: refreshToken });
-  }
-  /**
-   * Logout from all sessions (revokes all refresh tokens)
-   */
-  async logoutAll() {
-    return this.client.post("/api/v1/auth/logout/all/");
-  }
-  /**
-   * Request a magic link for sign-in
-   */
-  async requestMagicLink(data) {
-    return this.client.post("/api/v1/auth/magic-link/request/", data);
-  }
-  /**
-   * Verify a magic link token
-   */
-  async verifyMagicLink(token) {
-    return this.client.get(`/api/v1/auth/magic-link/verify/`, { params: { token } });
-  }
-  /**
-   * Perform OAuth2 Social Authentication (e.g. Google, GitHub)
-   */
-  async loginWithSocial(provider, data) {
-    return this.client.post(`/api/v1/auth/social/${provider}/`, data);
-  }
-  /**
-   * Handle Social Auth Callback (authorization code flow)
-   */
-  async handleSocialCallback(provider, code, redirectUri) {
-    return this.client.get(`/api/v1/auth/social/${provider}/callback/`, {
-      params: { code, redirect_uri: redirectUri }
-    });
-  }
-};
-
-// src/modules/security.ts
-var SecurityModule = class {
-  constructor(client) {
-    this.client = client;
-  }
-  // --- OTP Verification --- //
-  async requestOtp(data) {
-    return this.client.post("/api/v1/auth/otp/request/", data);
-  }
-  async verifyOtpEmail(data) {
-    return this.client.post("/api/v1/auth/otp/verify/email/", data);
-  }
-  async verifyOtpPhone(data) {
-    return this.client.post("/api/v1/auth/otp/verify/phone/", data);
-  }
-  // --- TOTP / 2FA --- //
-  async get2FAStatus() {
-    return this.client.get("/api/v1/auth/2fa/status/");
-  }
-  async setup2FA() {
-    return this.client.post("/api/v1/auth/2fa/setup/");
-  }
-  async confirm2FA(totp_code) {
-    return this.client.post("/api/v1/auth/2fa/confirm/", { totp_code });
-  }
-  async disable2FA(totp_code, password) {
-    return this.client.post("/api/v1/auth/2fa/disable/", { totp_code, password });
-  }
-  async regenerateBackupCodes(totp_code) {
-    return this.client.post("/api/v1/auth/2fa/backup-codes/", { totp_code });
-  }
-  // --- Password Management --- //
-  async resetPasswordRequest(data) {
-    return this.client.post("/api/v1/auth/password/reset/request/", data);
-  }
-  async resetPasswordConfirm(data) {
-    return this.client.post("/api/v1/auth/password/reset/confirm/", data);
-  }
-  async changePassword(data) {
-    return this.client.post("/api/v1/auth/password/change/", data);
-  }
-  async checkPasswordStrength(data) {
-    return this.client.post("/api/v1/auth/password/strength/", data);
-  }
-  async getPasswordRequirements() {
-    return this.client.get("/api/v1/auth/password/requirements/");
-  }
-  // --- WebAuthn / Passkeys --- //
-  async registerWebAuthnBegin() {
-    return this.client.post("/api/v1/auth/webauthn/register/begin/");
-  }
-  async registerWebAuthnComplete(data) {
-    return this.client.post("/api/v1/auth/webauthn/register/complete/", data);
-  }
-  async authenticateWebAuthnBegin(data) {
-    return this.client.post("/api/v1/auth/webauthn/authenticate/begin/", data || {});
-  }
-  async authenticateWebAuthnComplete(data) {
-    return this.client.post("/api/v1/auth/webauthn/authenticate/complete/", data);
-  }
-  async listWebAuthnCredentials() {
-    return this.client.get("/api/v1/auth/webauthn/credentials/");
-  }
-  async deleteWebAuthnCredential(credentialId) {
-    return this.client.delete(`/api/v1/auth/webauthn/credentials/${credentialId}/`);
-  }
-};
-
-// src/utils/jwt.ts
-function decodeJwt(token) {
-  try {
-    const parts = token.split(".");
-    if (parts.length !== 3) {
-      return null;
-    }
-    let base64Url = parts[1];
-    if (!base64Url) return null;
-    let base64 = base64Url.replace(/-/g, "+").replace(/_/g, "/");
-    while (base64.length % 4) {
-      base64 += "=";
-    }
-    const isBrowser = typeof window !== "undefined" && typeof window.atob === "function";
-    let jsonPayload;
-    if (isBrowser) {
-      jsonPayload = decodeURIComponent(
-        window.atob(base64).split("").map((c) => "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2)).join("")
-      );
-    } else {
-      jsonPayload = Buffer.from(base64, "base64").toString("utf8");
-    }
-    return JSON.parse(jsonPayload);
-  } catch (e) {
-    return null;
-  }
-}
-
-// src/modules/rbac.ts
-var RbacModule = class {
-  constructor(client) {
-    this.client = client;
-  }
-  cachedToken = null;
-  /**
-   * Cache a token to use for parameter-less synchronous checks.
-   */
-  setToken(token) {
-    this.cachedToken = token;
-  }
-  getDecodedToken(token) {
-    const t = token || this.cachedToken;
-    if (!t) return null;
-    return decodeJwt(t);
-  }
-  // --- Synchronous Checks --- //
-  hasRole(role, token) {
-    const decoded = this.getDecodedToken(token);
-    if (!decoded?.roles) return false;
-    return decoded.roles.includes(role);
-  }
-  hasAnyRole(roles, token) {
-    const decoded = this.getDecodedToken(token);
-    if (!decoded?.roles) return false;
-    return roles.some((r) => decoded.roles.includes(r));
-  }
-  hasAllRoles(roles, token) {
-    const decoded = this.getDecodedToken(token);
-    if (!decoded?.roles) return false;
-    return roles.every((r) => decoded.roles.includes(r));
-  }
-  hasPermission(permission, token) {
-    const decoded = this.getDecodedToken(token);
-    if (!decoded?.permissions) return false;
-    return decoded.permissions.includes(permission);
-  }
-  hasAnyPermission(permissions, token) {
-    const decoded = this.getDecodedToken(token);
-    if (!decoded?.permissions) return false;
-    return permissions.some((p) => decoded.permissions.includes(p));
-  }
-  hasAllPermissions(permissions, token) {
-    const decoded = this.getDecodedToken(token);
-    if (!decoded?.permissions) return false;
-    return permissions.every((p) => decoded.permissions.includes(p));
-  }
-  // --- Roles CRUD --- //
-  async listRoles() {
-    return this.client.get("/api/v1/auth/roles/");
-  }
-  async createRole(data) {
-    return this.client.post("/api/v1/auth/roles/", data);
-  }
-  async getRole(roleId) {
-    return this.client.get(`/api/v1/auth/roles/${roleId}/`);
-  }
-  async updateRole(roleId, data) {
-    return this.client.put(`/api/v1/auth/roles/${roleId}/`, data);
-  }
-  async deleteRole(roleId) {
-    return this.client.delete(`/api/v1/auth/roles/${roleId}/`);
-  }
-  // --- Role Permissions Management --- //
-  async getRolePermissions(roleId) {
-    return this.client.get(`/api/v1/auth/roles/${roleId}/permissions/`);
-  }
-  async addPermissionsToRole(roleId, permission_codes) {
-    return this.client.post(`/api/v1/auth/roles/${roleId}/permissions/`, { permission_codes });
-  }
-  async removePermissionsFromRole(roleId, permission_codes) {
-    return this.client.delete(`/api/v1/auth/roles/${roleId}/permissions/`, {
-      // Note: DELETE request with body is supported via our fetch wrapper if enabled,
-      // or we might need to rely on query strings. The schema specifies body or query.
-      // Let's pass it in body via a custom config or URL params.
-      body: { permission_codes }
-    });
-  }
-  // --- Permissions CRUD --- //
-  async listPermissions() {
-    return this.client.get("/api/v1/auth/permissions/");
-  }
-  async createPermission(data) {
-    return this.client.post("/api/v1/auth/permissions/", data);
-  }
-  async getPermission(permissionId) {
-    return this.client.get(`/api/v1/auth/permissions/${permissionId}/`);
-  }
-  async updatePermission(permissionId, data) {
-    return this.client.put(`/api/v1/auth/permissions/${permissionId}/`, data);
-  }
-  async deletePermission(permissionId) {
-    return this.client.delete(`/api/v1/auth/permissions/${permissionId}/`);
-  }
-  // --- Direct Assignment (Users) --- //
-  async assignRoleToUser(userId, roleCode) {
-    return this.client.post(`/api/v1/auth/users/${userId}/roles/`, { role_code: roleCode });
-  }
-  async removeRoleFromUser(userId, roleCode) {
-    return this.client.delete(`/api/v1/auth/users/${userId}/roles/`, {
-      params: { role_code: roleCode }
-    });
-  }
-  async assignPermissionsToUser(userId, permissionCodes) {
-    return this.client.post(`/api/v1/auth/users/${userId}/permissions/`, { permission_codes: permissionCodes });
-  }
-  async removePermissionsFromUser(userId, permissionCodes) {
-    return this.client.delete(`/api/v1/auth/users/${userId}/permissions/`, {
-      body: { permission_codes: permissionCodes }
-    });
-  }
-};
-
-// src/modules/user.ts
-var UserModule = class {
-  constructor(client) {
-    this.client = client;
-  }
-  // --- Standard Profile Actions --- //
-  async getProfile() {
-    return this.client.get("/api/v1/auth/me/");
-  }
-  async updateProfile(data) {
-    return this.client.patch("/api/v1/auth/me/", data);
-  }
-  /**
-   * Upload an avatar using FormData.
-   * Ensure the environment supports FormData (browser or Node.js v18+).
-   * @param formData The FormData object containing the 'avatar' field.
-   */
-  async uploadAvatar(formData) {
-    return this.client.patch("/api/v1/auth/me/", formData);
-  }
-  async deleteAccount(password, otpCode) {
-    return this.client.post("/api/v1/auth/request-account-deletion/", {
-      password,
-      otp_code: otpCode
-    });
-  }
-  // --- Admin Actions Mapping --- //
-  async listUsers(params) {
-    return this.client.get("/api/v1/auth/admin/users/", { params });
-  }
-  async getUser(userId) {
-    return this.client.get(`/api/v1/auth/admin/users/${userId}/`);
-  }
-  async adminUpdateUser(userId, data) {
-    return this.client.patch(`/api/v1/auth/admin/users/${userId}/`, data);
-  }
-  async adminDeleteUser(userId) {
-    return this.client.delete(`/api/v1/auth/admin/users/${userId}/`);
-  }
-  async banUser(userId, reason = "") {
-    return this.client.post(`/api/v1/auth/admin/users/${userId}/ban/`, { reason });
-  }
-  async unbanUser(userId) {
-    return this.client.post(`/api/v1/auth/admin/users/${userId}/unban/`);
-  }
-  async lockUser(userId, durationMinutes = 30, reason = "") {
-    return this.client.post(`/api/v1/auth/admin/users/${userId}/lock/`, { duration_minutes: durationMinutes, reason });
-  }
-  async unlockUser(userId) {
-    return this.client.post(`/api/v1/auth/admin/users/${userId}/unlock/`);
-  }
-};
-
-// src/client.ts
-var TenxyteClient = class {
-  http;
-  auth;
-  security;
-  rbac;
-  user;
-  constructor(options) {
-    this.http = new TenxyteHttpClient(options);
-    this.auth = new AuthModule(this.http);
-    this.security = new SecurityModule(this.http);
-    this.rbac = new RbacModule(this.http);
-    this.user = new UserModule(this.http);
-  }
-};
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  AuthModule,
-  RbacModule,
-  SecurityModule,
-  TenxyteClient,
-  TenxyteHttpClient,
-  UserModule
-});
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  AdminModule: () => AdminModule,
+  AiModule: () => AiModule,
+  ApplicationsModule: () => ApplicationsModule,
+  AuthModule: () => AuthModule,
+  B2bModule: () => B2bModule,
+  CookieStorage: () => CookieStorage,
+  DashboardModule: () => DashboardModule,
+  EventEmitter: () => EventEmitter,
+  GdprModule: () => GdprModule,
+  LocalStorage: () => LocalStorage,
+  MemoryStorage: () => MemoryStorage,
+  NOOP_LOGGER: () => NOOP_LOGGER,
+  RbacModule: () => RbacModule,
+  SDK_VERSION: () => SDK_VERSION,
+  SecurityModule: () => SecurityModule,
+  TenxyteClient: () => TenxyteClient,
+  TenxyteHttpClient: () => TenxyteHttpClient,
+  UserModule: () => UserModule,
+  buildDeviceInfo: () => buildDeviceInfo,
+  createAuthInterceptor: () => createAuthInterceptor,
+  createDeviceInfoInterceptor: () => createDeviceInfoInterceptor,
+  createRefreshInterceptor: () => createRefreshInterceptor,
+  createRetryInterceptor: () => createRetryInterceptor,
+  decodeJwt: () => decodeJwt,
+  resolveConfig: () => resolveConfig
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/storage/memory.ts
+var MemoryStorage = class {
+  store;
+  constructor() {
+    this.store = /* @__PURE__ */ new Map();
+  }
+  getItem(key) {
+    const value = this.store.get(key);
+    return value !== void 0 ? value : null;
+  }
+  setItem(key, value) {
+    this.store.set(key, value);
+  }
+  removeItem(key) {
+    this.store.delete(key);
+  }
+  clear() {
+    this.store.clear();
+  }
+};
+
+// src/storage/localStorage.ts
+var LocalStorage = class {
+  fallbackMemoryStore = null;
+  isAvailable;
+  constructor() {
+    this.isAvailable = this.checkAvailability();
+    if (!this.isAvailable) {
+      this.fallbackMemoryStore = new MemoryStorage();
+    }
+  }
+  checkAvailability() {
+    try {
+      if (typeof window === "undefined" || !window.localStorage) {
+        return false;
+      }
+      const testKey = "__tenxyte_test__";
+      window.localStorage.setItem(testKey, "1");
+      window.localStorage.removeItem(testKey);
+      return true;
+    } catch (_e) {
+      return false;
+    }
+  }
+  getItem(key) {
+    if (!this.isAvailable && this.fallbackMemoryStore) {
+      return this.fallbackMemoryStore.getItem(key);
+    }
+    return window.localStorage.getItem(key);
+  }
+  setItem(key, value) {
+    if (!this.isAvailable && this.fallbackMemoryStore) {
+      this.fallbackMemoryStore.setItem(key, value);
+      return;
+    }
+    try {
+      window.localStorage.setItem(key, value);
+    } catch (_e) {
+      console.warn(`[Tenxyte SDK] Warning: failed to write to localStorage for key ${key}`);
+    }
+  }
+  removeItem(key) {
+    if (!this.isAvailable && this.fallbackMemoryStore) {
+      this.fallbackMemoryStore.removeItem(key);
+      return;
+    }
+    window.localStorage.removeItem(key);
+  }
+  clear() {
+    if (!this.isAvailable && this.fallbackMemoryStore) {
+      this.fallbackMemoryStore.clear();
+      return;
+    }
+    window.localStorage.clear();
+  }
+};
+
+// src/storage/cookie.ts
+var CookieStorage = class {
+  defaultOptions;
+  constructor(options = {}) {
+    const secure = options.secure ?? true;
+    const sameSite = options.sameSite ?? "Lax";
+    this.defaultOptions = `path=/; SameSite=${sameSite}${secure ? "; Secure" : ""}`;
+  }
+  getItem(key) {
+    if (typeof document === "undefined") return null;
+    const match = document.cookie.match(new RegExp(`(^| )${key}=([^;]+)`));
+    return match ? decodeURIComponent(match[2]) : null;
+  }
+  setItem(key, value) {
+    if (typeof document === "undefined") return;
+    document.cookie = `${key}=${encodeURIComponent(value)}; ${this.defaultOptions}`;
+  }
+  removeItem(key) {
+    if (typeof document === "undefined") return;
+    document.cookie = `${key}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
+  }
+  clear() {
+    this.removeItem("tx_access");
+    this.removeItem("tx_refresh");
+  }
+};
+
+// src/config.ts
+var SDK_VERSION = "0.9.0";
+var NOOP_LOGGER = {
+  debug() {
+  },
+  warn() {
+  },
+  error() {
+  }
+};
+function resolveConfig(config) {
+  return {
+    baseUrl: config.baseUrl,
+    headers: config.headers ?? {},
+    storage: config.storage ?? new MemoryStorage(),
+    autoRefresh: config.autoRefresh ?? true,
+    autoDeviceInfo: config.autoDeviceInfo ?? true,
+    timeoutMs: config.timeoutMs,
+    onSessionExpired: config.onSessionExpired,
+    logger: config.logger ?? NOOP_LOGGER,
+    logLevel: config.logLevel ?? "silent",
+    deviceInfoOverride: config.deviceInfoOverride,
+    retryConfig: config.retryConfig
+  };
+}
+
+// src/http/client.ts
+var TenxyteHttpClient = class {
+  baseUrl;
+  defaultHeaders;
+  timeoutMs;
+  // Interceptors
+  requestInterceptors = [];
+  responseInterceptors = [];
+  constructor(options) {
+    this.baseUrl = options.baseUrl.replace(/\/$/, "");
+    this.timeoutMs = options.timeoutMs;
+    this.defaultHeaders = {
+      "Content-Type": "application/json",
+      Accept: "application/json",
+      ...options.headers
+    };
+  }
+  // Interceptor Registration
+  addRequestInterceptor(interceptor) {
+    this.requestInterceptors.push(interceptor);
+  }
+  addResponseInterceptor(interceptor) {
+    this.responseInterceptors.push(interceptor);
+  }
+  /**
+   * Main request method wrapping fetch
+   */
+  async request(endpoint, config = {}) {
+    const urlStr = endpoint.startsWith("http") ? endpoint : `${this.baseUrl}${endpoint.startsWith("/") ? "" : "/"}${endpoint}`;
+    const urlObj = new URL(urlStr);
+    if (config.params) {
+      Object.entries(config.params).forEach(([key, value]) => {
+        if (value !== void 0 && value !== null) {
+          urlObj.searchParams.append(key, String(value));
+        }
+      });
+    }
+    let requestContext = {
+      url: urlObj.toString(),
+      ...config,
+      headers: { ...this.defaultHeaders, ...config.headers || {} }
+    };
+    if (typeof FormData !== "undefined" && requestContext.body instanceof FormData) {
+      const headers = requestContext.headers;
+      delete headers["Content-Type"];
+      delete headers["content-type"];
+    } else if (requestContext.body && typeof requestContext.body === "object") {
+      const contentType = requestContext.headers["Content-Type"] || "";
+      if (contentType.toLowerCase().includes("application/json")) {
+        requestContext.body = JSON.stringify(requestContext.body);
+      }
+    }
+    for (const interceptor of this.requestInterceptors) {
+      requestContext = await interceptor(requestContext);
+    }
+    const { url, ...fetchConfig } = requestContext;
+    let controller;
+    let timeoutId;
+    if (this.timeoutMs) {
+      controller = new AbortController();
+      fetchConfig.signal = controller.signal;
+      timeoutId = setTimeout(() => controller.abort(), this.timeoutMs);
+    }
+    try {
+      let response = await fetch(url, fetchConfig);
+      for (const interceptor of this.responseInterceptors) {
+        response = await interceptor(response, { url, config: fetchConfig });
+      }
+      if (!response.ok) {
+        throw await this.normalizeError(response);
+      }
+      if (response.status === 204) {
+        return {};
+      }
+      const contentType = response.headers.get("content-type");
+      if (contentType && contentType.includes("application/json")) {
+        return await response.json();
+      }
+      return await response.text();
+    } catch (error) {
+      if (error?.name === "AbortError") {
+        throw {
+          error: `Request timed out after ${this.timeoutMs}ms`,
+          code: "TIMEOUT",
+          details: url
+        };
+      }
+      if (error && error.code) {
+        throw error;
+      }
+      throw {
+        error: error.message || "Network request failed",
+        code: "NETWORK_ERROR",
+        details: String(error)
+      };
+    } finally {
+      if (timeoutId !== void 0) {
+        clearTimeout(timeoutId);
+      }
+    }
+  }
+  async normalizeError(response) {
+    try {
+      const body = await response.json();
+      return {
+        error: body.error || body.detail || "API request failed",
+        code: body.code || `HTTP_${response.status}`,
+        details: body.details || body,
+        retry_after: response.headers.has("Retry-After") ? parseInt(response.headers.get("Retry-After"), 10) : void 0
+      };
+    } catch (_e) {
+      return {
+        error: `HTTP Error ${response.status}: ${response.statusText}`,
+        code: `HTTP_${response.status}`
+      };
+    }
+  }
+  // Convenience methods
+  get(endpoint, config) {
+    return this.request(endpoint, { ...config, method: "GET" });
+  }
+  post(endpoint, data, config) {
+    return this.request(endpoint, { ...config, method: "POST", body: data });
+  }
+  put(endpoint, data, config) {
+    return this.request(endpoint, { ...config, method: "PUT", body: data });
+  }
+  patch(endpoint, data, config) {
+    return this.request(endpoint, { ...config, method: "PATCH", body: data });
+  }
+  delete(endpoint, data, config) {
+    return this.request(endpoint, { ...config, method: "DELETE", body: data });
+  }
+};
+
+// src/utils/device_info.ts
+function buildDeviceInfo(customInfo = {}) {
+  const autoInfo = getAutoInfo();
+  const v = "1";
+  const os = customInfo.os || autoInfo.os;
+  const osv = customInfo.osVersion || autoInfo.osVersion;
+  const device = customInfo.device || autoInfo.device;
+  const arch = customInfo.arch || autoInfo.arch;
+  const app = customInfo.app || autoInfo.app;
+  const appv = customInfo.appVersion || autoInfo.appVersion;
+  const runtime = customInfo.runtime || autoInfo.runtime;
+  const rtv = customInfo.runtimeVersion || autoInfo.runtimeVersion;
+  const tz = customInfo.timezone || autoInfo.timezone;
+  const parts = [
+    `v=${v}`,
+    `os=${os}` + (osv ? `;osv=${osv}` : ""),
+    `device=${device}`,
+    arch ? `arch=${arch}` : "",
+    app ? `app=${app}${appv ? `;appv=${appv}` : ""}` : "",
+    `runtime=${runtime}` + (rtv ? `;rtv=${rtv}` : ""),
+    tz ? `tz=${tz}` : ""
+  ];
+  return parts.filter(Boolean).join("|");
+}
+function getAutoInfo() {
+  const info = {
+    os: "unknown",
+    osVersion: "",
+    device: "desktop",
+    // default
+    arch: "",
+    app: "sdk",
+    appVersion: "0.1.0",
+    runtime: "unknown",
+    runtimeVersion: "",
+    timezone: ""
+  };
+  try {
+    if (typeof Intl !== "undefined") {
+      info.timezone = Intl.DateTimeFormat().resolvedOptions().timeZone;
+    }
+    if (typeof process !== "undefined" && process.version) {
+      info.runtime = "node";
+      info.runtimeVersion = process.version;
+      info.os = process.platform;
+      info.arch = process.arch;
+      info.device = "server";
+    } else if (typeof window !== "undefined" && window.navigator) {
+      const ua = window.navigator.userAgent.toLowerCase();
+      if (ua.includes("windows")) info.os = "windows";
+      else if (ua.includes("mac")) info.os = "macos";
+      else if (ua.includes("linux")) info.os = "linux";
+      else if (ua.includes("android")) info.os = "android";
+      else if (ua.includes("ios") || ua.includes("iphone") || ua.includes("ipad")) info.os = "ios";
+      if (/mobi|android|touch|mini/i.test(ua)) info.device = "mobile";
+      if (/tablet|ipad/i.test(ua)) info.device = "tablet";
+      if (ua.includes("firefox")) info.runtime = "firefox";
+      else if (ua.includes("edg/")) info.runtime = "edge";
+      else if (ua.includes("chrome")) info.runtime = "chrome";
+      else if (ua.includes("safari")) info.runtime = "safari";
+    }
+  } catch (_e) {
+  }
+  return info;
+}
+
+// src/http/interceptors.ts
+function createAuthInterceptor(storage, context) {
+  return async (request) => {
+    const token = await storage.getItem("tx_access");
+    const headers = { ...request.headers || {} };
+    if (token && !headers["Authorization"]) {
+      headers["Authorization"] = `Bearer ${token}`;
+    }
+    if (context.activeOrgSlug && !headers["X-Org-Slug"]) {
+      headers["X-Org-Slug"] = context.activeOrgSlug;
+    }
+    if (context.agentTraceId && !headers["X-Prompt-Trace-ID"]) {
+      headers["X-Prompt-Trace-ID"] = context.agentTraceId;
+    }
+    return { ...request, headers };
+  };
+}
+function createRefreshInterceptor(client, storage, onSessionExpired, onTokenRefreshed) {
+  let isRefreshing = false;
+  let refreshQueue = [];
+  const processQueue = (error, token = null) => {
+    refreshQueue.forEach((prom) => prom(token));
+    refreshQueue = [];
+  };
+  return async (response, request) => {
+    if (response.status === 401 && !request.url.includes("/auth/refresh") && !request.url.includes("/auth/login")) {
+      const refreshToken = await storage.getItem("tx_refresh");
+      if (!refreshToken) {
+        onSessionExpired();
+        return response;
+      }
+      if (isRefreshing) {
+        return new Promise((resolve) => {
+          refreshQueue.push((newToken) => {
+            if (newToken) {
+              const retryHeaders = { ...request.config.headers, Authorization: `Bearer ${newToken}` };
+              resolve(fetch(request.url, { ...request.config, headers: retryHeaders }));
+            } else {
+              resolve(response);
+            }
+          });
+        });
+      }
+      isRefreshing = true;
+      try {
+        const refreshResponse = await fetch(`${client["baseUrl"]}/auth/refresh/`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ refresh_token: refreshToken })
+        });
+        if (!refreshResponse.ok) {
+          throw new Error("Refresh failed");
+        }
+        const data = await refreshResponse.json();
+        await storage.setItem("tx_access", data.access);
+        if (data.refresh) {
+          await storage.setItem("tx_refresh", data.refresh);
+        }
+        isRefreshing = false;
+        onTokenRefreshed?.(data.access, data.refresh);
+        processQueue(null, data.access);
+        const retryHeaders = { ...request.config.headers, Authorization: `Bearer ${data.access}` };
+        const r = await fetch(request.url, { ...request.config, headers: retryHeaders });
+        return r;
+      } catch (err) {
+        isRefreshing = false;
+        await storage.removeItem("tx_access");
+        await storage.removeItem("tx_refresh");
+        processQueue(err, null);
+        onSessionExpired();
+        return response;
+      }
+    }
+    return response;
+  };
+}
+var DEVICE_INFO_ENDPOINTS = [
+  "/login/email/",
+  "/login/phone/",
+  "/register/",
+  "/social/"
+];
+var DEFAULT_RETRY = {
+  maxRetries: 3,
+  retryOn429: true,
+  retryOnNetworkError: true,
+  baseDelayMs: 1e3
+};
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function createRetryInterceptor(config = {}, logger) {
+  const opts = { ...DEFAULT_RETRY, ...config };
+  return async (response, request) => {
+    const shouldRetry429 = opts.retryOn429 && response.status === 429;
+    const shouldRetryServer = response.status >= 500;
+    if (!shouldRetry429 && !shouldRetryServer) {
+      return response;
+    }
+    let lastResponse = response;
+    for (let attempt = 1; attempt <= opts.maxRetries; attempt++) {
+      let delayMs = opts.baseDelayMs * Math.pow(2, attempt - 1);
+      const retryAfter = lastResponse.headers.get("Retry-After");
+      if (retryAfter) {
+        const parsed = Number(retryAfter);
+        if (!isNaN(parsed)) {
+          delayMs = parsed * 1e3;
+        }
+      }
+      logger?.debug(`[Tenxyte Retry] Attempt ${attempt}/${opts.maxRetries} after ${delayMs}ms for ${request.url}`);
+      await sleep(delayMs);
+      try {
+        const retryResponse = await fetch(request.url, request.config);
+        if (retryResponse.status === 429 && opts.retryOn429 && attempt < opts.maxRetries) {
+          lastResponse = retryResponse;
+          continue;
+        }
+        if (retryResponse.status >= 500 && attempt < opts.maxRetries) {
+          lastResponse = retryResponse;
+          continue;
+        }
+        return retryResponse;
+      } catch (err) {
+        if (!opts.retryOnNetworkError || attempt >= opts.maxRetries) {
+          throw err;
+        }
+        logger?.warn(`[Tenxyte Retry] Network error on attempt ${attempt}/${opts.maxRetries}`, err);
+      }
+    }
+    return lastResponse;
+  };
+}
+function createDeviceInfoInterceptor(override) {
+  const fingerprint = buildDeviceInfo(override);
+  return (request) => {
+    const isPost = !request.method || request.method === "POST";
+    const matchesEndpoint = DEVICE_INFO_ENDPOINTS.some((ep) => request.url.includes(ep));
+    if (isPost && matchesEndpoint && request.body && typeof request.body === "object") {
+      const body = request.body;
+      if (!body.device_info) {
+        return { ...request, body: { ...body, device_info: fingerprint } };
+      }
+    }
+    return request;
+  };
+}
+
+// src/modules/auth.ts
+var AuthModule = class {
+  constructor(client, storage, onTokens, onLogout) {
+    this.client = client;
+    this.storage = storage;
+    this.onTokens = onTokens;
+    this.onLogout = onLogout;
+  }
+  async clearTokens() {
+    if (this.storage) {
+      await this.storage.removeItem("tx_access");
+      await this.storage.removeItem("tx_refresh");
+      this.onLogout?.();
+    }
+  }
+  async persistTokens(tokens) {
+    if (this.storage) {
+      await this.storage.setItem("tx_access", tokens.access_token);
+      if (tokens.refresh_token) {
+        await this.storage.setItem("tx_refresh", tokens.refresh_token);
+      }
+      this.onTokens?.(tokens.access_token, tokens.refresh_token);
+    }
+    return tokens;
+  }
+  /**
+   * Authenticate a user with their email and password.
+   * @param data - The login credentials and optional TOTP code if 2FA is required.
+   * @returns A pair of Access and Refresh tokens upon successful authentication.
+   * @throws {TenxyteError} If credentials are invalid, or if `2FA_REQUIRED` without a valid `totp_code`.
+   */
+  async loginWithEmail(data) {
+    const tokens = await this.client.post("/api/v1/auth/login/email/", data);
+    return this.persistTokens(tokens);
+  }
+  /**
+   * Authenticate a user with an international phone number and password.
+   * @param data - The login credentials and optional TOTP code if 2FA is required.
+   * @returns A pair of Access and Refresh tokens.
+   */
+  async loginWithPhone(data) {
+    const tokens = await this.client.post("/api/v1/auth/login/phone/", data);
+    return this.persistTokens(tokens);
+  }
+  /**
+   * Registers a new user account.
+   * @param data - The registration details (email, password, etc.).
+   * @returns The registered user data or a confirmation message.
+   */
+  async register(data) {
+    const result = await this.client.post("/api/v1/auth/register/", data);
+    if (result?.access_token) {
+      await this.persistTokens(result);
+    }
+    return result;
+  }
+  /**
+   * Logout from the current session.
+   * Informs the backend to immediately revoke the specified refresh token.
+   * @param refreshToken - The refresh token to revoke.
+   */
+  async logout(refreshToken) {
+    await this.client.post("/api/v1/auth/logout/", { refresh_token: refreshToken });
+    await this.clearTokens();
+  }
+  /**
+   * Logout from all sessions across all devices.
+   * Revokes all refresh tokens currently assigned to the user.
+   */
+  async logoutAll() {
+    await this.client.post("/api/v1/auth/logout/all/");
+    await this.clearTokens();
+  }
+  /**
+   * Manually refresh the access token using a valid refresh token.
+   * The refresh token is automatically rotated for improved security.
+   * @param refreshToken - The current refresh token.
+   * @returns A new token pair (access + rotated refresh).
+   */
+  async refreshToken(refreshToken) {
+    const tokens = await this.client.post("/api/v1/auth/refresh/", { refresh_token: refreshToken });
+    return this.persistTokens(tokens);
+  }
+  /**
+   * Request a Magic Link for passwordless sign-in.
+   * @param data - The email to send the logic link to.
+   */
+  async requestMagicLink(data) {
+    return this.client.post("/api/v1/auth/magic-link/request/", data);
+  }
+  /**
+   * Verifies a magic link token extracted from the URL.
+   * @param token - The cryptographic token received via email.
+   * @returns A session token pair if the token is valid and unexpired.
+   */
+  async verifyMagicLink(token) {
+    const tokens = await this.client.get(`/api/v1/auth/magic-link/verify/`, { params: { token } });
+    return this.persistTokens(tokens);
+  }
+  /**
+   * Submits OAuth2 Social Authentication payloads to the backend.
+   * Can be used with native mobile SDK tokens (like Apple Sign-In JWTs).
+   * @param provider - The OAuth provider ('google', 'github', etc.)
+   * @param data - The OAuth tokens (access_token, id_token, etc.)
+   * @returns An active session token pair.
+   */
+  async loginWithSocial(provider, data) {
+    const tokens = await this.client.post(`/api/v1/auth/social/${provider}/`, data);
+    return this.persistTokens(tokens);
+  }
+  /**
+   * Handle Social Auth Callbacks (Authorization Code flow).
+   * @param provider - The OAuth provider ('google', 'github', etc.)
+   * @param code - The authorization code retrieved from the query string parameters.
+   * @param redirectUri - The original redirect URI that was requested.
+   * @returns An active session token pair after successful code exchange.
+   */
+  async handleSocialCallback(provider, code, redirectUri) {
+    const tokens = await this.client.get(`/api/v1/auth/social/${provider}/callback/`, {
+      params: { code, redirect_uri: redirectUri }
+    });
+    return this.persistTokens(tokens);
+  }
+};
+
+// src/utils/base64url.ts
+function bufferToBase64url(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.byteLength; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function base64urlToBuffer(base64url) {
+  const base64 = base64url.replace(/-/g, "+").replace(/_/g, "/");
+  const padLen = (4 - base64.length % 4) % 4;
+  const padded = base64 + "=".repeat(padLen);
+  const binary = atob(padded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+
+// src/modules/security.ts
+var SecurityModule = class {
+  constructor(client) {
+    this.client = client;
+  }
+  // ─── 2FA (TOTP) Management ───
+  /**
+   * Get the current 2FA status for the authenticated user.
+   * @returns Information about whether 2FA is enabled and how many backup codes remain.
+   */
+  async get2FAStatus() {
+    return this.client.get("/api/v1/auth/2fa/status/");
+  }
+  /**
+   * Start the 2FA enrollment process.
+   * @returns The secret key and QR code URL to be scanned by an Authenticator app.
+   */
+  async setup2FA() {
+    return this.client.post("/api/v1/auth/2fa/setup/");
+  }
+  /**
+   * Confirm the 2FA setup by providing the first TOTP code generated by the Authenticator app.
+   * @param totpCode - The 6-digit code.
+   */
+  async confirm2FA(totpCode) {
+    return this.client.post("/api/v1/auth/2fa/confirm/", { totp_code: totpCode });
+  }
+  /**
+   * Disable 2FA for the current user.
+   * Usually requires re-authentication or providing the active password/totp code.
+   * @param totpCode - The current 6-digit code to verify intent.
+   * @param password - (Optional) The user's password if required by backend policy.
+   */
+  async disable2FA(totpCode, password) {
+    return this.client.post("/api/v1/auth/2fa/disable/", { totp_code: totpCode, password });
+  }
+  /**
+   * Invalidate old backup codes and explicitly generate a new batch.
+   * @param totpCode - An active TOTP code to verify intent.
+   */
+  async regenerateBackupCodes(totpCode) {
+    return this.client.post("/api/v1/auth/2fa/backup-codes/", { totp_code: totpCode });
+  }
+  // ─── Verification OTP (Email / Phone) ───
+  /**
+   * Request an OTP code to be dispatched to the user's primary contact method.
+   * @param type - The channel type ('email' or 'phone').
+   */
+  async requestOtp(type) {
+    return this.client.post("/api/v1/auth/otp/request/", { type: type === "email" ? "email_verification" : "phone_verification" });
+  }
+  /**
+   * Verify an email confirmation OTP.
+   * @param code - The numeric code received via email.
+   */
+  async verifyOtpEmail(code) {
+    return this.client.post("/api/v1/auth/otp/verify/email/", { code });
+  }
+  /**
+   * Verify a phone confirmation OTP (SMS dispatch).
+   * @param code - The numeric code received via SMS.
+   */
+  async verifyOtpPhone(code) {
+    return this.client.post("/api/v1/auth/otp/verify/phone/", { code });
+  }
+  // ─── Password Sub-module ───
+  /**
+   * Triggers a password reset flow, dispatching an OTP to the target.
+   * @param target - Either an email address or a phone configuration payload.
+   */
+  async resetPasswordRequest(target) {
+    return this.client.post("/api/v1/auth/password/reset/request/", target);
+  }
+  /**
+   * Confirm a password reset using the OTP dispatched by `resetPasswordRequest`.
+   * @param data - The OTP code and the new matching password fields.
+   */
+  async resetPasswordConfirm(data) {
+    return this.client.post("/api/v1/auth/password/reset/confirm/", data);
+  }
+  /**
+   * Change password for an already authenticated user.
+   * @param currentPassword - The existing password to verify intent.
+   * @param newPassword - The distinct new password.
+   */
+  async changePassword(currentPassword, newPassword) {
+    return this.client.post("/api/v1/auth/password/change/", {
+      current_password: currentPassword,
+      new_password: newPassword
+    });
+  }
+  /**
+   * Evaluate the strength of a potential password against backend policies.
+   * @param password - The password string to test.
+   * @param email - (Optional) The user's email to ensure the password doesn't contain it.
+   */
+  async checkPasswordStrength(password, email) {
+    return this.client.post("/api/v1/auth/password/strength/", { password, email });
+  }
+  /**
+   * Fetch the password complexity requirements enforced by the Tenxyte backend.
+   */
+  async getPasswordRequirements() {
+    return this.client.get("/api/v1/auth/password/requirements/");
+  }
+  // ─── WebAuthn / Passkeys (FIDO2) ───
+  /**
+   * Register a new WebAuthn device (Passkey/Biometrics/Security Key) for the authenticated user.
+   * Integrates transparently with the browser `navigator.credentials` API.
+   * @param deviceName - Optional human-readable name for the device being registered.
+   */
+  async registerWebAuthn(deviceName) {
+    const optionsResponse = await this.client.post("/api/v1/auth/webauthn/register/begin/");
+    const publicKeyOpts = optionsResponse.publicKey;
+    publicKeyOpts.challenge = base64urlToBuffer(publicKeyOpts.challenge);
+    publicKeyOpts.user.id = base64urlToBuffer(publicKeyOpts.user.id);
+    if (publicKeyOpts.excludeCredentials) {
+      publicKeyOpts.excludeCredentials.forEach((cred2) => {
+        cred2.id = base64urlToBuffer(cred2.id);
+      });
+    }
+    const cred = await navigator.credentials.create({ publicKey: publicKeyOpts });
+    if (!cred) {
+      throw new Error("WebAuthn registration was aborted or failed.");
+    }
+    const response = cred.response;
+    const completionPayload = {
+      device_name: deviceName,
+      credential: {
+        id: cred.id,
+        type: cred.type,
+        rawId: bufferToBase64url(cred.rawId),
+        response: {
+          attestationObject: bufferToBase64url(response.attestationObject),
+          clientDataJSON: bufferToBase64url(response.clientDataJSON)
+        }
+      }
+    };
+    return this.client.post("/api/v1/auth/webauthn/register/complete/", completionPayload);
+  }
+  /**
+   * Authenticate via WebAuthn (Passkey) without requiring a password.
+   * Integrates transparently with the browser `navigator.credentials` API.
+   * @param email - The email address identifying the user account (optional if discoverable credentials are used).
+   * @returns A session token pair and the user context upon successful cryptographic challenge verification.
+   */
+  async authenticateWebAuthn(email) {
+    const optionsResponse = await this.client.post("/api/v1/auth/webauthn/authenticate/begin/", email ? { email } : {});
+    const publicKeyOpts = optionsResponse.publicKey;
+    publicKeyOpts.challenge = base64urlToBuffer(publicKeyOpts.challenge);
+    if (publicKeyOpts.allowCredentials) {
+      publicKeyOpts.allowCredentials.forEach((cred2) => {
+        cred2.id = base64urlToBuffer(cred2.id);
+      });
+    }
+    const cred = await navigator.credentials.get({ publicKey: publicKeyOpts });
+    if (!cred) {
+      throw new Error("WebAuthn authentication was aborted or failed.");
+    }
+    const response = cred.response;
+    const completionPayload = {
+      credential: {
+        id: cred.id,
+        type: cred.type,
+        rawId: bufferToBase64url(cred.rawId),
+        response: {
+          authenticatorData: bufferToBase64url(response.authenticatorData),
+          clientDataJSON: bufferToBase64url(response.clientDataJSON),
+          signature: bufferToBase64url(response.signature),
+          userHandle: response.userHandle ? bufferToBase64url(response.userHandle) : null
+        }
+      }
+    };
+    return this.client.post("/api/v1/auth/webauthn/authenticate/complete/", completionPayload);
+  }
+  /**
+   * List all registered WebAuthn credentials for the active user.
+   */
+  async listWebAuthnCredentials() {
+    return this.client.get("/api/v1/auth/webauthn/credentials/");
+  }
+  /**
+   * Delete a specific WebAuthn credential, removing its capability to sign in.
+   * @param credentialId - The internal ID of the credential to delete.
+   */
+  async deleteWebAuthnCredential(credentialId) {
+    return this.client.delete(`/api/v1/auth/webauthn/credentials/${credentialId}/`);
+  }
+};
+
+// src/utils/jwt.ts
+function decodeJwt(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+      return null;
+    }
+    const base64Url = parts[1];
+    if (!base64Url) return null;
+    let base64 = base64Url.replace(/-/g, "+").replace(/_/g, "/");
+    while (base64.length % 4) {
+      base64 += "=";
+    }
+    const isBrowser = typeof window !== "undefined" && typeof window.atob === "function";
+    let jsonPayload;
+    if (isBrowser) {
+      jsonPayload = decodeURIComponent(
+        window.atob(base64).split("").map((c) => "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2)).join("")
+      );
+    } else {
+      jsonPayload = Buffer.from(base64, "base64").toString("utf8");
+    }
+    return JSON.parse(jsonPayload);
+  } catch (_e) {
+    return null;
+  }
+}
+
+// src/modules/rbac.ts
+var RbacModule = class {
+  constructor(client) {
+    this.client = client;
+  }
+  cachedToken = null;
+  /**
+   * Cache a decoded JWT payload locally to perform parameter-less synchronous permission checks.
+   * Usually invoked automatically by the system upon login or token refresh.
+   * @param token - The raw JWT access token encoded string.
+   */
+  setToken(token) {
+    this.cachedToken = token;
+  }
+  getDecodedToken(token) {
+    const t = token || this.cachedToken;
+    if (!t) return null;
+    return decodeJwt(t);
+  }
+  // --- Synchronous Checks --- //
+  /**
+   * Synchronously deeply inspects the cached (or provided) JWT to determine if the user has a specific Role.
+   * @param role - The exact code name of the Role.
+   * @param token - (Optional) Provide a specific token overriding the cached one.
+   */
+  hasRole(role, token) {
+    const decoded = this.getDecodedToken(token);
+    if (!decoded?.roles) return false;
+    return decoded.roles.includes(role);
+  }
+  /**
+   * Evaluates if the active session holds AT LEAST ONE of the listed Roles.
+   * @param roles - An array of Role codes.
+   */
+  hasAnyRole(roles, token) {
+    const decoded = this.getDecodedToken(token);
+    if (!decoded?.roles) return false;
+    return roles.some((r) => decoded.roles.includes(r));
+  }
+  /**
+   * Evaluates if the active session holds ALL of the listed Roles concurrently.
+   * @param roles - An array of Role codes.
+   */
+  hasAllRoles(roles, token) {
+    const decoded = this.getDecodedToken(token);
+    if (!decoded?.roles) return false;
+    return roles.every((r) => decoded.roles.includes(r));
+  }
+  /**
+   * Synchronously deeply inspects the cached (or provided) JWT to determine if the user has a specific granular Permission.
+   * @param permission - The exact code name of the Permission (e.g., 'invoices.read').
+   */
+  hasPermission(permission, token) {
+    const decoded = this.getDecodedToken(token);
+    if (!decoded?.permissions) return false;
+    return decoded.permissions.includes(permission);
+  }
+  /**
+   * Evaluates if the active session holds AT LEAST ONE of the listed Permissions.
+   */
+  hasAnyPermission(permissions, token) {
+    const decoded = this.getDecodedToken(token);
+    if (!decoded?.permissions) return false;
+    return permissions.some((p) => decoded.permissions.includes(p));
+  }
+  /**
+   * Evaluates if the active session holds ALL of the listed Permissions concurrently.
+   */
+  hasAllPermissions(permissions, token) {
+    const decoded = this.getDecodedToken(token);
+    if (!decoded?.permissions) return false;
+    return permissions.every((p) => decoded.permissions.includes(p));
+  }
+  // --- Roles CRUD --- //
+  /** Fetch all application global Roles structure */
+  async listRoles() {
+    return this.client.get("/api/v1/auth/roles/");
+  }
+  /** Create a new architectural Role inside Tenxyte */
+  async createRole(data) {
+    return this.client.post("/api/v1/auth/roles/", data);
+  }
+  /** Get detailed metadata defining a single bounded Role */
+  async getRole(roleId) {
+    return this.client.get(`/api/v1/auth/roles/${roleId}/`);
+  }
+  /** Modify properties bounding a Role */
+  async updateRole(roleId, data) {
+    return this.client.put(`/api/v1/auth/roles/${roleId}/`, data);
+  }
+  /** Unbind and destruct a Role from the global Tenant. (Dangerous, implies cascading permission unbindings) */
+  async deleteRole(roleId) {
+    return this.client.delete(`/api/v1/auth/roles/${roleId}/`);
+  }
+  // --- Role Permissions Management --- //
+  async getRolePermissions(roleId) {
+    return this.client.get(`/api/v1/auth/roles/${roleId}/permissions/`);
+  }
+  async addPermissionsToRole(roleId, permission_codes) {
+    return this.client.post(`/api/v1/auth/roles/${roleId}/permissions/`, { permission_codes });
+  }
+  async removePermissionsFromRole(roleId, permission_codes) {
+    return this.client.delete(`/api/v1/auth/roles/${roleId}/permissions/`, { permission_codes });
+  }
+  // --- Permissions CRUD --- //
+  /** Enumerates all available fine-grained Permissions inside this Tenant scope. */
+  async listPermissions() {
+    return this.client.get("/api/v1/auth/permissions/");
+  }
+  /** Bootstraps a new granular Permission flag (e.g. `billing.refund`). */
+  async createPermission(data) {
+    return this.client.post("/api/v1/auth/permissions/", data);
+  }
+  /** Retrieves an existing atomic Permission construct. */
+  async getPermission(permissionId) {
+    return this.client.get(`/api/v1/auth/permissions/${permissionId}/`);
+  }
+  /** Edits the human readable description or structural dependencies of a Permission. */
+  async updatePermission(permissionId, data) {
+    return this.client.put(`/api/v1/auth/permissions/${permissionId}/`, data);
+  }
+  /** Destroys an atomic Permission permanently. Any Roles referencing it will be stripped of this grant automatically. */
+  async deletePermission(permissionId) {
+    return this.client.delete(`/api/v1/auth/permissions/${permissionId}/`);
+  }
+  // --- Direct Assignment (Users) --- //
+  /**
+   * Retrieve all roles assigned to a specific user.
+   * @param userId - The target user ID.
+   */
+  async getUserRoles(userId) {
+    return this.client.get(`/api/v1/auth/users/${userId}/roles/`);
+  }
+  /**
+   * Retrieve all permissions directly assigned to a specific user (excluding role-based permissions).
+   * @param userId - The target user ID.
+   */
+  async getUserPermissions(userId) {
+    return this.client.get(`/api/v1/auth/users/${userId}/permissions/`);
+  }
+  /**
+   * Attach a given Role globally to a user entity.
+   * Use sparingly if B2B multi-tenancy contexts are preferred.
+   */
+  async assignRoleToUser(userId, roleCode) {
+    return this.client.post(`/api/v1/auth/users/${userId}/roles/`, { role_code: roleCode });
+  }
+  /**
+   * Unbind a global Role from a user entity.
+   */
+  async removeRoleFromUser(userId, roleCode) {
+    return this.client.delete(`/api/v1/auth/users/${userId}/roles/`, void 0, {
+      params: { role_code: roleCode }
+    });
+  }
+  /**
+   * Ad-Hoc directly attach specific granular Permissions to a single User, bypassing Role boundaries.
+   */
+  async assignPermissionsToUser(userId, permissionCodes) {
+    return this.client.post(`/api/v1/auth/users/${userId}/permissions/`, { permission_codes: permissionCodes });
+  }
+  /**
+   * Ad-Hoc strip direct granular Permissions bindings from a specific User.
+   */
+  async removePermissionsFromUser(userId, permissionCodes) {
+    return this.client.delete(`/api/v1/auth/users/${userId}/permissions/`, { permission_codes: permissionCodes });
+  }
+};
+
+// src/modules/user.ts
+var UserModule = class {
+  constructor(client) {
+    this.client = client;
+  }
+  // --- Standard Profile Actions --- //
+  /** Retrieve your current comprehensive Profile metadata matching the active network bearer token. */
+  async getProfile() {
+    return this.client.get("/api/v1/auth/me/");
+  }
+  /** Modify your active profile core details or injected application metadata. */
+  async updateProfile(data) {
+    return this.client.patch("/api/v1/auth/me/", data);
+  }
+  /**
+   * Upload an avatar using FormData.
+   * Ensure the environment supports FormData (browser or Node.js v18+).
+   * @param formData The FormData object containing the 'avatar' field.
+   */
+  async uploadAvatar(formData) {
+    return this.client.patch("/api/v1/auth/me/", formData);
+  }
+  /**
+   * @deprecated Use `gdpr.requestAccountDeletion()` instead. This proxy will be removed in a future release.
+   * Trigger self-deletion of an entire account data boundary.
+   * @param password - Requires the active system password as destructive proof of intent.
+   * @param otpCode - (Optional) If an OTP was queried prior to attempting account deletion.
+   */
+  async deleteAccount(password, otpCode) {
+    return this.client.post("/api/v1/auth/request-account-deletion/", {
+      password,
+      otp_code: otpCode
+    });
+  }
+  /**
+   * Retrieve the roles and permissions of the currently authenticated user.
+   * @returns An object containing `roles[]` and `permissions[]`.
+   */
+  async getMyRoles() {
+    return this.client.get("/api/v1/auth/me/roles/");
+  }
+  // --- Admin Actions Mapping --- //
+  /** (Admin only) Lists users paginated matching criteria. */
+  async listUsers(params) {
+    return this.client.get("/api/v1/auth/admin/users/", { params });
+  }
+  /** (Admin only) Gets deterministic data related to a remote unassociated user. */
+  async getUser(userId) {
+    return this.client.get(`/api/v1/auth/admin/users/${userId}/`);
+  }
+  /** (Admin only) Modifies configuration/details or capacity bounds related to a remote unassociated user. */
+  async adminUpdateUser(userId, data) {
+    return this.client.patch(`/api/v1/auth/admin/users/${userId}/`, data);
+  }
+  /** (Admin only) Force obliterate a User boundary. Can affect relational database stability if not bound carefully. */
+  async adminDeleteUser(userId) {
+    return this.client.delete(`/api/v1/auth/admin/users/${userId}/`);
+  }
+  /** (Admin only) Apply a permanent suspension / ban state globally on a user token footprint. */
+  async banUser(userId, reason = "") {
+    return this.client.post(`/api/v1/auth/admin/users/${userId}/ban/`, { reason });
+  }
+  /** (Admin only) Recover a user footprint from a global ban state. */
+  async unbanUser(userId) {
+    return this.client.post(`/api/v1/auth/admin/users/${userId}/unban/`);
+  }
+  /** (Admin only) Apply a temporary lock bounding block on a user interaction footprint. */
+  async lockUser(userId, durationMinutes = 30, reason = "") {
+    return this.client.post(`/api/v1/auth/admin/users/${userId}/lock/`, { duration_minutes: durationMinutes, reason });
+  }
+  /** (Admin only) Releases an arbitrary temporary system lock placed on a user bounds. */
+  async unlockUser(userId) {
+    return this.client.post(`/api/v1/auth/admin/users/${userId}/unlock/`);
+  }
+};
+
+// src/modules/b2b.ts
+var B2bModule = class {
+  constructor(client) {
+    this.client = client;
+    this.client.addRequestInterceptor((config) => {
+      if (this.currentOrgSlug) {
+        config.headers = {
+          ...config.headers,
+          "X-Org-Slug": this.currentOrgSlug
+        };
+      }
+      return config;
+    });
+  }
+  currentOrgSlug = null;
+  // ─── Context Management ───
+  /**
+   * Set the active Organization context.
+   * Subsequent API requests will automatically include the `X-Org-Slug` header.
+   * @param slug - The unique string identifier of the organization.
+   */
+  switchOrganization(slug) {
+    this.currentOrgSlug = slug;
+  }
+  /**
+   * Clear the active Organization context, dropping the `X-Org-Slug` header for standard User operations.
+   */
+  clearOrganization() {
+    this.currentOrgSlug = null;
+  }
+  /** Get the currently active Organization slug context if set. */
+  getCurrentOrganizationSlug() {
+    return this.currentOrgSlug;
+  }
+  // ─── Organizations CRUD ───
+  /** Create a new top-level or child Organization in the backend. */
+  async createOrganization(data) {
+    return this.client.post("/api/v1/auth/organizations/", data);
+  }
+  /** List organizations the currently authenticated user belongs to. */
+  async listMyOrganizations(params) {
+    return this.client.get("/api/v1/auth/organizations/", { params });
+  }
+  /** Retrieve details about a specific organization by slug. */
+  async getOrganization(slug) {
+    return this.client.get(`/api/v1/auth/organizations/${slug}/`);
+  }
+  /** Update configuration and metadata of an Organization. */
+  async updateOrganization(slug, data) {
+    return this.client.patch(`/api/v1/auth/organizations/${slug}/`, data);
+  }
+  /** Permanently delete an Organization. */
+  async deleteOrganization(slug) {
+    return this.client.delete(`/api/v1/auth/organizations/${slug}/`);
+  }
+  /** Retrieve the topology subtree extending downward from this point. */
+  async getOrganizationTree(slug) {
+    return this.client.get(`/api/v1/auth/organizations/${slug}/tree/`);
+  }
+  // ─── Member Management ───
+  /** List users bound to a specific Organization. */
+  async listMembers(slug, params) {
+    return this.client.get(`/api/v1/auth/organizations/${slug}/members/`, { params });
+  }
+  /** Add a user directly into an Organization with a designated role. */
+  async addMember(slug, data) {
+    return this.client.post(`/api/v1/auth/organizations/${slug}/members/`, data);
+  }
+  /** Evolve or demote an existing member's role within the Organization. */
+  async updateMemberRole(slug, userId, roleCode) {
+    return this.client.patch(`/api/v1/auth/organizations/${slug}/members/${userId}/`, { role_code: roleCode });
+  }
+  /** Kick a user out of the Organization. */
+  async removeMember(slug, userId) {
+    return this.client.delete(`/api/v1/auth/organizations/${slug}/members/${userId}/`);
+  }
+  // ─── Invitations ───
+  /** Send an onboarding email invitation to join an Organization. */
+  async inviteMember(slug, data) {
+    return this.client.post(`/api/v1/auth/organizations/${slug}/invitations/`, data);
+  }
+  /** Fetch a definition matrix of what Organization-level roles can be assigned. */
+  async listOrgRoles() {
+    return this.client.get("/api/v1/auth/organizations/roles/");
+  }
+};
+
+// src/modules/ai.ts
+var AiModule = class {
+  constructor(client, logger) {
+    this.client = client;
+    this.logger = logger;
+    this.client.addRequestInterceptor((config) => {
+      const headers = { ...config.headers };
+      if (this.agentToken) {
+        headers["Authorization"] = `AgentBearer ${this.agentToken}`;
+      }
+      if (this.traceId) {
+        headers["X-Prompt-Trace-ID"] = this.traceId;
+      }
+      return { ...config, headers };
+    });
+    this.client.addResponseInterceptor(async (response, _request) => {
+      if (response.status === 202) {
+        const cloned = response.clone();
+        try {
+          const data = await cloned.json();
+          this.logger?.debug("[Tenxyte AI] Received 202 Awaiting Approval:", data);
+        } catch {
+        }
+      } else if (response.status === 403) {
+        const cloned = response.clone();
+        try {
+          const data = await cloned.json();
+          if (data.code === "BUDGET_EXCEEDED") {
+            this.logger?.warn("[Tenxyte AI] Network responded with Budget Exceeded for Agent.");
+          } else if (data.status === "suspended") {
+            this.logger?.warn("[Tenxyte AI] Circuit breaker open for Agent.");
+          }
+        } catch {
+        }
+      }
+      return response;
+    });
+  }
+  agentToken = null;
+  traceId = null;
+  logger;
+  // ─── AgentToken Lifecycle ───
+  /**
+   * Create an AgentToken granting specific deterministic limits to an AI Agent.
+   */
+  async createAgentToken(data) {
+    return this.client.post("/api/v1/auth/ai/tokens/", data);
+  }
+  /**
+   * Set the SDK to operate on behalf of an Agent using the generated Agent Token payload.
+   * Overrides standard `Authorization` headers with `AgentBearer`.
+   */
+  setAgentToken(token) {
+    this.agentToken = token;
+  }
+  /** Disables the active Agent override and reverts to standard User session requests. */
+  clearAgentToken() {
+    this.agentToken = null;
+  }
+  /** Check if the SDK is currently mocking requests as an AI Agent. */
+  isAgentMode() {
+    return this.agentToken !== null;
+  }
+  /** List previously provisioned active Agent tokens. */
+  async listAgentTokens() {
+    return this.client.get("/api/v1/auth/ai/tokens/");
+  }
+  /** Fetch the status and configuration of a specific AgentToken. */
+  async getAgentToken(tokenId) {
+    return this.client.get(`/api/v1/auth/ai/tokens/${tokenId}/`);
+  }
+  /** Irreversibly revoke a targeted AgentToken from acting upon the Tenant. */
+  async revokeAgentToken(tokenId) {
+    return this.client.post(`/api/v1/auth/ai/tokens/${tokenId}/revoke/`);
+  }
+  /** Temporarily freeze an AgentToken by forcibly closing its Circuit Breaker. */
+  async suspendAgentToken(tokenId) {
+    return this.client.post(`/api/v1/auth/ai/tokens/${tokenId}/suspend/`);
+  }
+  /** Emergency kill-switch to wipe all operational Agent Tokens. */
+  async revokeAllAgentTokens() {
+    return this.client.post("/api/v1/auth/ai/tokens/revoke-all/");
+  }
+  // ─── Circuit Breaker ───
+  /** Satisfy an Agent's Dead-Man's switch heartbeat requirement to prevent suspension. */
+  async sendHeartbeat(tokenId) {
+    return this.client.post(`/api/v1/auth/ai/tokens/${tokenId}/heartbeat/`);
+  }
+  // ─── Human in the Loop (HITL) ───
+  /** List intercepted HTTP 202 actions waiting for Human interaction / approval. */
+  async listPendingActions() {
+    return this.client.get("/api/v1/auth/ai/pending-actions/");
+  }
+  /** Complete a pending HITL authorization to finally flush the Agent action to backend systems. */
+  async confirmPendingAction(confirmationToken) {
+    return this.client.post("/api/v1/auth/ai/pending-actions/confirm/", { token: confirmationToken });
+  }
+  /** Block an Agent action permanently. */
+  async denyPendingAction(confirmationToken) {
+    return this.client.post("/api/v1/auth/ai/pending-actions/deny/", { token: confirmationToken });
+  }
+  // ─── Traceability and Budget ───
+  /** Start piping the `X-Prompt-Trace-ID` custom header outwards for tracing logs against LLM inputs. */
+  setTraceId(traceId) {
+    this.traceId = traceId;
+  }
+  /** Disable trace forwarding context. */
+  clearTraceId() {
+    this.traceId = null;
+  }
+  /** 
+   * Report consumption costs associated with a backend invocation back to Tenxyte for strict circuit budgeting.
+   * @param tokenId - AgentToken evaluating ID.
+   * @param usage - Sunk token costs or explicit USD derivations.
+   */
+  async reportUsage(tokenId, usage) {
+    return this.client.post(`/api/v1/auth/ai/tokens/${tokenId}/report-usage/`, usage);
+  }
+};
+
+// src/modules/applications.ts
+var ApplicationsModule = class {
+  constructor(client) {
+    this.client = client;
+  }
+  /**
+   * List all registered applications (paginated).
+   * @param params - Optional filters: `search`, `is_active`, `ordering`, `page`, `page_size`.
+   * @returns A paginated list of applications.
+   */
+  async listApplications(params) {
+    return this.client.get("/api/v1/auth/applications/", {
+      params
+    });
+  }
+  /**
+   * Create a new application.
+   * @param data - The application name and optional description.
+   * @returns The created application including one-time `client_secret`.
+   */
+  async createApplication(data) {
+    return this.client.post("/api/v1/auth/applications/", data);
+  }
+  /**
+   * Get a single application by its ID.
+   * @param appId - The application ID.
+   * @returns The application details (secret is never included).
+   */
+  async getApplication(appId) {
+    return this.client.get(`/api/v1/auth/applications/${appId}/`);
+  }
+  /**
+   * Fully update an application (PUT — all fields replaced).
+   * @param appId - The application ID.
+   * @param data - The full updated application data.
+   * @returns The updated application.
+   */
+  async updateApplication(appId, data) {
+    return this.client.put(`/api/v1/auth/applications/${appId}/`, data);
+  }
+  /**
+   * Partially update an application (PATCH — only provided fields are changed).
+   * @param appId - The application ID.
+   * @param data - The fields to update.
+   * @returns The updated application.
+   */
+  async patchApplication(appId, data) {
+    return this.client.patch(`/api/v1/auth/applications/${appId}/`, data);
+  }
+  /**
+   * Delete an application permanently.
+   * @param appId - The application ID.
+   */
+  async deleteApplication(appId) {
+    return this.client.delete(`/api/v1/auth/applications/${appId}/`);
+  }
+  /**
+   * Regenerate credentials for an application.
+   * **Warning:** Old credentials are immediately invalidated. The new secret is shown only once.
+   * @param appId - The application ID.
+   * @param confirmation - Must be the string `"REGENERATE"` to confirm the irreversible action.
+   * @returns The new credentials (access_key + access_secret shown once).
+   */
+  async regenerateCredentials(appId, confirmation = "REGENERATE") {
+    return this.client.post(`/api/v1/auth/applications/${appId}/regenerate/`, { confirmation });
+  }
+};
+
+// src/modules/admin.ts
+var AdminModule = class {
+  constructor(client) {
+    this.client = client;
+  }
+  // ─── Audit Logs ───
+  /**
+   * List audit log entries (paginated).
+   * @param params - Optional filters and pagination.
+   */
+  async listAuditLogs(params) {
+    return this.client.get("/api/v1/auth/admin/audit-logs/", {
+      params
+    });
+  }
+  /**
+   * Get a single audit log entry by ID.
+   * @param logId - The audit log entry ID.
+   */
+  async getAuditLog(logId) {
+    return this.client.get(`/api/v1/auth/admin/audit-logs/${logId}/`);
+  }
+  // ─── Login Attempts ───
+  /**
+   * List login attempt records (paginated).
+   * @param params - Optional filters and pagination.
+   */
+  async listLoginAttempts(params) {
+    return this.client.get("/api/v1/auth/admin/login-attempts/", {
+      params
+    });
+  }
+  // ─── Blacklisted Tokens ───
+  /**
+   * List blacklisted (revoked) JWT tokens (paginated).
+   * @param params - Optional filters and pagination.
+   */
+  async listBlacklistedTokens(params) {
+    return this.client.get("/api/v1/auth/admin/blacklisted-tokens/", {
+      params
+    });
+  }
+  /**
+   * Remove expired blacklisted tokens.
+   * @returns A summary object with cleanup results.
+   */
+  async cleanupBlacklistedTokens() {
+    return this.client.post("/api/v1/auth/admin/blacklisted-tokens/cleanup/");
+  }
+  // ─── Refresh Tokens ───
+  /**
+   * List refresh tokens (admin view — token values are hidden).
+   * @param params - Optional filters and pagination.
+   */
+  async listRefreshTokens(params) {
+    return this.client.get("/api/v1/auth/admin/refresh-tokens/", {
+      params
+    });
+  }
+  /**
+   * Revoke a specific refresh token.
+   * @param tokenId - The refresh token ID.
+   * @returns The updated refresh token record.
+   */
+  async revokeRefreshToken(tokenId) {
+    return this.client.post(`/api/v1/auth/admin/refresh-tokens/${tokenId}/revoke/`);
+  }
+};
+
+// src/modules/gdpr.ts
+var GdprModule = class {
+  constructor(client) {
+    this.client = client;
+  }
+  // ─── User-facing ───
+  /**
+   * Request account deletion (GDPR-compliant).
+   * Initiates a 30-day grace period during which the user can cancel.
+   * @param data - Password (+ optional OTP code and reason).
+   */
+  async requestAccountDeletion(data) {
+    return this.client.post("/api/v1/auth/request-account-deletion/", data);
+  }
+  /**
+   * Confirm the account deletion using the token received by email.
+   * The token is valid for 24 hours. After confirmation the account enters the 30-day grace period.
+   * @param token - The confirmation token from the email.
+   */
+  async confirmAccountDeletion(token) {
+    return this.client.post("/api/v1/auth/confirm-account-deletion/", { token });
+  }
+  /**
+   * Cancel a pending account deletion during the grace period.
+   * The account is immediately reactivated.
+   * @param password - The current password for security.
+   */
+  async cancelAccountDeletion(password) {
+    return this.client.post("/api/v1/auth/cancel-account-deletion/", { password });
+  }
+  /**
+   * Get the deletion status for the current user.
+   * Includes pending, confirmed, or cancelled requests.
+   */
+  async getAccountDeletionStatus() {
+    return this.client.get("/api/v1/auth/account-deletion-status/");
+  }
+  /**
+   * Export all personal data (GDPR right to data portability).
+   * @param password - The current password for security.
+   */
+  async exportUserData(password) {
+    return this.client.post("/api/v1/auth/export-user-data/", { password });
+  }
+  // ─── Admin-facing ───
+  /**
+   * List deletion requests (admin, paginated).
+   * @param params - Optional filters and pagination.
+   */
+  async listDeletionRequests(params) {
+    return this.client.get("/api/v1/auth/admin/deletion-requests/", {
+      params
+    });
+  }
+  /**
+   * Get a single deletion request by ID.
+   * @param requestId - The deletion request ID.
+   */
+  async getDeletionRequest(requestId) {
+    return this.client.get(`/api/v1/auth/admin/deletion-requests/${requestId}/`);
+  }
+  /**
+   * Process (execute) a confirmed deletion request.
+   * **WARNING:** This is irreversible and permanently destroys all user data.
+   * @param requestId - The deletion request ID.
+   * @param data - Must include `{ confirmation: "PERMANENTLY DELETE" }`.
+   */
+  async processDeletionRequest(requestId, data) {
+    return this.client.post(`/api/v1/auth/admin/deletion-requests/${requestId}/process/`, data);
+  }
+  /**
+   * Batch-process all confirmed deletion requests whose 30-day grace period has expired.
+   * Typically run by a daily cron job.
+   */
+  async processExpiredDeletions() {
+    return this.client.post("/api/v1/auth/admin/deletion-requests/process-expired/");
+  }
+};
+
+// src/modules/dashboard.ts
+var DashboardModule = class {
+  constructor(client) {
+    this.client = client;
+  }
+  /**
+   * Get global cross-module dashboard statistics.
+   * Data varies based on the organizational context (`X-Org-Slug`) and permissions.
+   * Covers users, authentication, applications, security, and GDPR metrics.
+   * Charts span the last 7 days with previous-period comparisons.
+   * @param params - Optional period and comparison flag.
+   */
+  async getStats(params) {
+    return this.client.get("/api/v1/auth/dashboard/stats/", {
+      params
+    });
+  }
+  /**
+   * Get authentication-specific statistics.
+   * Includes login stats, methods breakdown, registrations, tokens, top failure reasons, and 7-day graphs.
+   */
+  async getAuthStats() {
+    return this.client.get("/api/v1/auth/dashboard/auth/");
+  }
+  /**
+   * Get security-specific statistics.
+   * Includes audit summary, blacklisted tokens, suspicious activity, and 2FA adoption.
+   */
+  async getSecurityStats() {
+    return this.client.get("/api/v1/auth/dashboard/security/");
+  }
+  /**
+   * Get GDPR-specific statistics.
+   * Includes deletion requests by status and data export metrics.
+   */
+  async getGdprStats() {
+    return this.client.get("/api/v1/auth/dashboard/gdpr/");
+  }
+  /**
+   * Get organization-specific statistics.
+   * Includes organizations, members, roles, and top organizations.
+   */
+  async getOrganizationStats() {
+    return this.client.get("/api/v1/auth/dashboard/organizations/");
+  }
+};
+
+// src/utils/events.ts
+var EventEmitter = class {
+  // eslint-disable-next-line @typescript-eslint/no-unsafe-function-type
+  events;
+  constructor() {
+    this.events = /* @__PURE__ */ new Map();
+  }
+  /**
+   * Subscribe to an event.
+   * @param event The event name
+   * @param callback The callback function
+   * @returns Unsubscribe function
+   */
+  on(event, callback) {
+    if (!this.events.has(event)) {
+      this.events.set(event, []);
+    }
+    this.events.get(event).push(callback);
+    return () => this.off(event, callback);
+  }
+  /**
+   * Unsubscribe from an event.
+   * @param event The event name
+   * @param callback The exact callback function that was passed to .on()
+   */
+  off(event, callback) {
+    const callbacks = this.events.get(event);
+    if (!callbacks) return;
+    const index = callbacks.indexOf(callback);
+    if (index !== -1) {
+      callbacks.splice(index, 1);
+    }
+  }
+  /**
+   * Subscribe to an event exactly once.
+   */
+  once(event, callback) {
+    const wrapped = (payload) => {
+      this.off(event, wrapped);
+      callback(payload);
+    };
+    return this.on(event, wrapped);
+  }
+  /**
+   * Emit an event internally.
+   */
+  emit(event, payload) {
+    const callbacks = this.events.get(event);
+    if (!callbacks) return;
+    const copy = [...callbacks];
+    for (const callback of copy) {
+      try {
+        callback(payload);
+      } catch (err) {
+        console.error(`[Tenxyte EventEmitter] Error executing callback for event ${String(event)}`, err);
+      }
+    }
+  }
+  removeAllListeners() {
+    this.events.clear();
+  }
+};
+
+// src/client.ts
+var TenxyteClient = class {
+  /** Fully resolved configuration (all defaults applied). */
+  config;
+  /** Persistent token storage back-end (defaults to MemoryStorage). */
+  storage;
+  /** Shared mutable context used by interceptors (org slug, agent trace ID). */
+  context;
+  /** The core HTTP wrapper handling network interception and parsing */
+  http;
+  /** Authentication module (Login, Signup, Magic link, session handling) */
+  auth;
+  /** Security module (2FA, WebAuthn, Passwords, OTPs) */
+  security;
+  /** Role-Based Access Control and permission checking module */
+  rbac;
+  /** Connected user's profile and management module */
+  user;
+  /** Business-to-Business organizations module (multi-tenant environments) */
+  b2b;
+  /** AIRS - AI Responsibility & Security module (Agent tokens, Circuit breakers, HITL) */
+  ai;
+  /** Applications module (API client CRUD, credential management) */
+  applications;
+  /** Admin module (audit logs, login attempts, blacklisted tokens, refresh tokens) */
+  admin;
+  /** GDPR module (account deletion, data export, deletion request management) */
+  gdpr;
+  /** Dashboard module (global, auth, security, GDPR, organization statistics) */
+  dashboard;
+  /** Internal event emitter used via composition. */
+  emitter;
+  /**
+   * Initializes the SDK with connection details for your Tenxyte-powered API.
+   *
+   * Accepts the full TenxyteClientConfig. Minimal usage with just { baseUrl }
+   * is still supported for backward compatibility.
+   *
+   * @param options Configuration options including `baseUrl` and custom headers like `X-Access-Key`
+   * 
+   * @example
+   * ```typescript
+   * const tx = new TenxyteClient({ 
+   *     baseUrl: 'https://api.my-service.com',
+   *     headers: { 'X-Access-Key': 'pkg_abc123' }
+   * });
+   * ```
+   */
+  constructor(options) {
+    this.config = resolveConfig(options);
+    this.storage = this.config.storage;
+    this.emitter = new EventEmitter();
+    this.context = { activeOrgSlug: null, agentTraceId: null };
+    this.http = new TenxyteHttpClient({
+      baseUrl: this.config.baseUrl,
+      headers: this.config.headers,
+      timeoutMs: this.config.timeoutMs
+    });
+    this.http.addRequestInterceptor(createAuthInterceptor(this.storage, this.context));
+    if (this.config.autoDeviceInfo) {
+      this.http.addRequestInterceptor(createDeviceInfoInterceptor(this.config.deviceInfoOverride));
+    }
+    if (this.config.retryConfig) {
+      this.http.addResponseInterceptor(
+        createRetryInterceptor(this.config.retryConfig, this.config.logger)
+      );
+    }
+    if (this.config.autoRefresh) {
+      this.http.addResponseInterceptor(
+        createRefreshInterceptor(
+          this.http,
+          this.storage,
+          () => {
+            this.emit("session:expired", void 0);
+            this.config.onSessionExpired?.();
+          },
+          (accessToken, refreshToken) => {
+            this.rbac.setToken(accessToken);
+            this.emit("token:refreshed", { accessToken });
+            this.emit("token:stored", { accessToken, refreshToken });
+          }
+        )
+      );
+    }
+    this.rbac = new RbacModule(this.http);
+    this.auth = new AuthModule(
+      this.http,
+      this.storage,
+      (accessToken, refreshToken) => {
+        this.rbac.setToken(accessToken);
+        this.emit("token:stored", { accessToken, refreshToken });
+      },
+      () => {
+        this.rbac.setToken(null);
+        this.emit("session:expired", void 0);
+      }
+    );
+    this.security = new SecurityModule(this.http);
+    this.user = new UserModule(this.http);
+    this.b2b = new B2bModule(this.http);
+    this.ai = new AiModule(this.http, this.config.logger);
+    this.applications = new ApplicationsModule(this.http);
+    this.admin = new AdminModule(this.http);
+    this.gdpr = new GdprModule(this.http);
+    this.dashboard = new DashboardModule(this.http);
+  }
+  // ─── Event delegation ───
+  /** Subscribe to an SDK event. Returns an unsubscribe function. */
+  on(event, callback) {
+    return this.emitter.on(event, callback);
+  }
+  /** Subscribe to an SDK event exactly once. Returns an unsubscribe function. */
+  once(event, callback) {
+    return this.emitter.once(event, callback);
+  }
+  /** Unsubscribe a previously registered callback from an SDK event. */
+  off(event, callback) {
+    this.emitter.off(event, callback);
+  }
+  /** Emit an SDK event (internal use). */
+  emit(event, payload) {
+    this.emitter.emit(event, payload);
+  }
+  // ─── High-level helpers ───
+  /**
+   * Check whether a valid (non-expired) access token exists in storage.
+   * Performs a synchronous JWT expiry check — no network call.
+   */
+  async isAuthenticated() {
+    const token = await this.storage.getItem("tx_access");
+    if (!token) return false;
+    return !this.isTokenExpiredSync(token);
+  }
+  /**
+   * Return the current access token from storage, or `null` if absent.
+   */
+  async getAccessToken() {
+    return this.storage.getItem("tx_access");
+  }
+  /**
+   * Decode the current access token and return the JWT payload.
+   * Returns `null` if no token is stored or if decoding fails.
+   * No network call is made — this reads from the cached JWT.
+   */
+  async getCurrentUser() {
+    const token = await this.storage.getItem("tx_access");
+    if (!token) return null;
+    return decodeJwt(token);
+  }
+  /**
+   * Check whether the stored access token is expired without making a network call.
+   * Returns `true` if expired or if no token is present.
+   */
+  async isTokenExpired() {
+    const token = await this.storage.getItem("tx_access");
+    if (!token) return true;
+    return this.isTokenExpiredSync(token);
+  }
+  /** Synchronous helper: checks JWT `exp` claim against current time. */
+  isTokenExpiredSync(token) {
+    const decoded = decodeJwt(token);
+    if (!decoded?.exp) return true;
+    return decoded.exp * 1e3 < Date.now() - 3e4;
+  }
+  // ─── Framework wrapper interface ───
+  /**
+   * Returns a synchronous snapshot of the SDK state.
+   * Designed for consumption by framework wrappers (React, Vue, etc.).
+   * Note: This is async because storage access may be async.
+   */
+  async getState() {
+    const token = await this.storage.getItem("tx_access");
+    const isAuthenticated = token ? !this.isTokenExpiredSync(token) : false;
+    const user = token ? decodeJwt(token) : null;
+    return {
+      isAuthenticated,
+      user,
+      accessToken: token,
+      activeOrg: this.context.activeOrgSlug,
+      isAgentMode: this.ai.isAgentMode()
+    };
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AdminModule,
+  AiModule,
+  ApplicationsModule,
+  AuthModule,
+  B2bModule,
+  CookieStorage,
+  DashboardModule,
+  EventEmitter,
+  GdprModule,
+  LocalStorage,
+  MemoryStorage,
+  NOOP_LOGGER,
+  RbacModule,
+  SDK_VERSION,
+  SecurityModule,
+  TenxyteClient,
+  TenxyteHttpClient,
+  UserModule,
+  buildDeviceInfo,
+  createAuthInterceptor,
+  createDeviceInfoInterceptor,
+  createRefreshInterceptor,
+  createRetryInterceptor,
+  decodeJwt,
+  resolveConfig
+});
 //# sourceMappingURL=index.cjs.map