@timeback/sdk 0.1.6 → 0.1.7

package/dist/index.js

@@ -15297,14 +15297,20 @@ var TimebackConfig = exports_external.object({
   message: "Duplicate courseCode found; each must be unique",
   path: ["courses"]
 }).refine((config2) => {
-  return config2.courses.every((c) => c.sensor !== undefined || config2.sensor !== undefined);
-}, {
-  message: "Each course must have an effective sensor; set a top-level `sensor` or per-course `sensor`",
-  path: ["courses"]
-}).refine((config2) => {
-  return config2.courses.every((c) => c.launchUrl !== undefined || config2.launchUrl !== undefined);
+  return config2.courses.every((c) => {
+    if (c.sensor !== undefined || config2.sensor !== undefined) {
+      return true;
+    }
+    const launchUrls = [
+      c.launchUrl,
+      config2.launchUrl,
+      c.overrides?.staging?.launchUrl,
+      c.overrides?.production?.launchUrl
+    ].filter(Boolean);
+    return launchUrls.length > 0;
+  });
 }, {
-  message: "Each course must have an effective launchUrl; set a top-level `launchUrl` or per-course `launchUrl`",
+  message: "Each course must have an effective sensor. Either set `sensor` explicitly (top-level or per-course), or provide a `launchUrl` so sensor can be derived from its origin.",
   path: ["courses"]
 });
 var EdubridgeDateString = exports_external.union([IsoDateString, IsoDateTimeString]);
@@ -31700,14 +31706,20 @@ var TimebackConfig2 = exports_external2.object({
   message: "Duplicate courseCode found; each must be unique",
   path: ["courses"]
 }).refine((config22) => {
-  return config22.courses.every((c) => c.sensor !== undefined || config22.sensor !== undefined);
-}, {
-  message: "Each course must have an effective sensor; set a top-level `sensor` or per-course `sensor`",
-  path: ["courses"]
-}).refine((config22) => {
-  return config22.courses.every((c) => c.launchUrl !== undefined || config22.launchUrl !== undefined);
+  return config22.courses.every((c) => {
+    if (c.sensor !== undefined || config22.sensor !== undefined) {
+      return true;
+    }
+    const launchUrls = [
+      c.launchUrl,
+      config22.launchUrl,
+      c.overrides?.staging?.launchUrl,
+      c.overrides?.production?.launchUrl
+    ].filter(Boolean);
+    return launchUrls.length > 0;
+  });
 }, {
-  message: "Each course must have an effective launchUrl; set a top-level `launchUrl` or per-course `launchUrl`",
+  message: "Each course must have an effective sensor. Either set `sensor` explicitly (top-level or per-course), or provide a `launchUrl` so sensor can be derived from its origin.",
   path: ["courses"]
 });
 var EdubridgeDateString2 = exports_external2.union([IsoDateString2, IsoDateTimeString2]);
@@ -49133,14 +49145,20 @@ var TimebackConfig3 = exports_external3.object({
   message: "Duplicate courseCode found; each must be unique",
   path: ["courses"]
 }).refine((config22) => {
-  return config22.courses.every((c) => c.sensor !== undefined || config22.sensor !== undefined);
-}, {
-  message: "Each course must have an effective sensor; set a top-level `sensor` or per-course `sensor`",
-  path: ["courses"]
-}).refine((config22) => {
-  return config22.courses.every((c) => c.launchUrl !== undefined || config22.launchUrl !== undefined);
+  return config22.courses.every((c) => {
+    if (c.sensor !== undefined || config22.sensor !== undefined) {
+      return true;
+    }
+    const launchUrls = [
+      c.launchUrl,
+      config22.launchUrl,
+      c.overrides?.staging?.launchUrl,
+      c.overrides?.production?.launchUrl
+    ].filter(Boolean);
+    return launchUrls.length > 0;
+  });
 }, {
-  message: "Each course must have an effective launchUrl; set a top-level `launchUrl` or per-course `launchUrl`",
+  message: "Each course must have an effective sensor. Either set `sensor` explicitly (top-level or per-course), or provide a `launchUrl` so sensor can be derived from its origin.",
   path: ["courses"]
 });
 var EdubridgeDateString3 = exports_external3.union([IsoDateString3, IsoDateTimeString3]);
@@ -66765,14 +66783,20 @@ var TimebackConfig4 = exports_external4.object({
   message: "Duplicate courseCode found; each must be unique",
   path: ["courses"]
 }).refine((config22) => {
-  return config22.courses.every((c) => c.sensor !== undefined || config22.sensor !== undefined);
-}, {
-  message: "Each course must have an effective sensor; set a top-level `sensor` or per-course `sensor`",
-  path: ["courses"]
-}).refine((config22) => {
-  return config22.courses.every((c) => c.launchUrl !== undefined || config22.launchUrl !== undefined);
+  return config22.courses.every((c) => {
+    if (c.sensor !== undefined || config22.sensor !== undefined) {
+      return true;
+    }
+    const launchUrls = [
+      c.launchUrl,
+      config22.launchUrl,
+      c.overrides?.staging?.launchUrl,
+      c.overrides?.production?.launchUrl
+    ].filter(Boolean);
+    return launchUrls.length > 0;
+  });
 }, {
-  message: "Each course must have an effective launchUrl; set a top-level `launchUrl` or per-course `launchUrl`",
+  message: "Each course must have an effective sensor. Either set `sensor` explicitly (top-level or per-course), or provide a `launchUrl` so sensor can be derived from its origin.",
   path: ["courses"]
 });
 var EdubridgeDateString4 = exports_external4.union([IsoDateString4, IsoDateTimeString4]);
@@ -83427,14 +83451,20 @@ var TimebackConfig5 = exports_external5.object({
   message: "Duplicate courseCode found; each must be unique",
   path: ["courses"]
 }).refine((config22) => {
-  return config22.courses.every((c) => c.sensor !== undefined || config22.sensor !== undefined);
-}, {
-  message: "Each course must have an effective sensor; set a top-level `sensor` or per-course `sensor`",
-  path: ["courses"]
-}).refine((config22) => {
-  return config22.courses.every((c) => c.launchUrl !== undefined || config22.launchUrl !== undefined);
+  return config22.courses.every((c) => {
+    if (c.sensor !== undefined || config22.sensor !== undefined) {
+      return true;
+    }
+    const launchUrls = [
+      c.launchUrl,
+      config22.launchUrl,
+      c.overrides?.staging?.launchUrl,
+      c.overrides?.production?.launchUrl
+    ].filter(Boolean);
+    return launchUrls.length > 0;
+  });
 }, {
-  message: "Each course must have an effective launchUrl; set a top-level `launchUrl` or per-course `launchUrl`",
+  message: "Each course must have an effective sensor. Either set `sensor` explicitly (top-level or per-course), or provide a `launchUrl` so sensor can be derived from its origin.",
   path: ["courses"]
 });
 var EdubridgeDateString5 = exports_external5.union([IsoDateString5, IsoDateTimeString5]);
@@ -85556,14 +85586,20 @@ var TimebackConfig6 = z9.object({
   message: "Duplicate courseCode found; each must be unique",
   path: ["courses"]
 }).refine((config6) => {
-  return config6.courses.every((c) => c.sensor !== undefined || config6.sensor !== undefined);
-}, {
-  message: "Each course must have an effective sensor; set a top-level `sensor` or per-course `sensor`",
-  path: ["courses"]
-}).refine((config6) => {
-  return config6.courses.every((c) => c.launchUrl !== undefined || config6.launchUrl !== undefined);
+  return config6.courses.every((c) => {
+    if (c.sensor !== undefined || config6.sensor !== undefined) {
+      return true;
+    }
+    const launchUrls = [
+      c.launchUrl,
+      config6.launchUrl,
+      c.overrides?.staging?.launchUrl,
+      c.overrides?.production?.launchUrl
+    ].filter(Boolean);
+    return launchUrls.length > 0;
+  });
 }, {
-  message: "Each course must have an effective launchUrl; set a top-level `launchUrl` or per-course `launchUrl`",
+  message: "Each course must have an effective sensor. Either set `sensor` explicitly (top-level or per-course), or provide a `launchUrl` so sensor can be derived from its origin.",
   path: ["courses"]
 });
 // ../types/src/zod/edubridge.ts
@@ -86666,19 +86702,6 @@ ${err instanceof Error ? err.message : String(err)}`
     };
   }
 }
-// src/shared/constants.ts
-var ROUTES = {
-  ACTIVITY: "/activity",
-  IDENTITY: {
-    SIGNIN: "/identity/signin",
-    SIGNOUT: "/identity/signout",
-    CALLBACK: "/identity/callback"
-  },
-  USER: {
-    ME: "/user/me"
-  }
-};
-
 // ../internal/logger/src/debug.ts
 var patterns7 = null;
 var debugAll7 = false;
@@ -87096,12 +87119,32 @@ async function getUserInfo(params) {
   return response.json();
 }
 // src/server/lib/utils.ts
+function safeIdSegment(value) {
+  return encodeURIComponent(value).replace(/%/g, "_");
+}
+function hashSuffix64Base36(value) {
+  let hash6 = 0xcbf29ce484222325n;
+  const prime = 0x100000001b3n;
+  const mod64 = 0xffffffffffffffffn;
+  for (let i = 0;i < value.length; i++) {
+    hash6 ^= BigInt(value.charCodeAt(i));
+    hash6 = hash6 * prime & mod64;
+  }
+  const base36 = hash6.toString(36);
+  return base36.length > 12 ? base36.slice(-12) : base36;
+}
 function mapEnvForApi(env2) {
   if (env2 === "local" || env2 === "staging") {
     return "staging";
   }
   return "production";
 }
+function normalizeEnv(env2) {
+  if (env2 === "production" || env2 === "local" || env2 === "staging") {
+    return env2;
+  }
+  return "staging";
+}
 function jsonResponse(data, status = 200, headers) {
   const responseHeaders = new Headers(headers);
   responseHeaders.set("Content-Type", "application/json");
@@ -87236,164 +87279,21 @@ async function lookupTimebackIdByEmail(params) {
     throw new TimebackUserResolutionError(`Failed to lookup Timeback user: ${message}`, "timeback_user_lookup_failed");
   }
 }
-
-class ActivityCourseResolutionError extends Error {
-  code;
-  selector;
-  count;
-  constructor(code, selector, count) {
-    super(code);
-    this.code = code;
-    this.selector = selector;
-    this.count = count;
-  }
-  get selectorDescription() {
-    if ("grade" in this.selector) {
-      return `${this.selector.subject} grade ${this.selector.grade}`;
-    }
-    return `code "${this.selector.code}"`;
-  }
-}
-function resolveActivityCourse(courses, courseRef) {
-  let matches;
-  if ("grade" in courseRef) {
-    matches = courses.filter((c) => c.subject === courseRef.subject && c.grade === courseRef.grade);
-  } else {
-    matches = courses.filter((c) => c.courseCode === courseRef.code);
-  }
-  if (matches.length === 0) {
-    throw new ActivityCourseResolutionError("unknown_course", courseRef);
-  }
-  if (matches.length > 1) {
-    throw new ActivityCourseResolutionError("ambiguous_course", courseRef, matches.length);
-  }
-  return matches[0];
-}
-// src/server/lib/build-activity-events.ts
-class MissingSyncedCourseIdError extends Error {
-  course;
-  env;
-  constructor(course, env2) {
-    const identifier = course.grade === undefined ? course.courseCode ?? course.subject : `${course.subject} grade ${course.grade}`;
-    super(`Course "${identifier}" is missing a synced ID for ${env2}. Run \`timeback sync\` first.`);
-    this.name = "MissingSyncedCourseIdError";
-    this.course = course;
-    this.env = env2;
-  }
-}
-function buildCourseId(course, apiEnv) {
-  const courseId = course.ids?.[apiEnv];
-  if (!courseId) {
-    throw new MissingSyncedCourseIdError(course, apiEnv);
-  }
-  return courseId;
-}
-function buildCourseName(course) {
-  if (course.courseCode) {
-    return course.courseCode;
-  }
-  if (course.grade !== undefined) {
-    return `${course.subject} G${String(course.grade)}`;
+// src/shared/constants.ts
+var ROUTES = {
+  ACTIVITY: "/activity",
+  IDENTITY: {
+    SIGNIN: "/identity/signin",
+    SIGNOUT: "/identity/signout",
+    CALLBACK: "/identity/callback"
+  },
+  USER: {
+    ME: "/user/me",
+    VERIFY: "/user/verify"
   }
-  return course.subject;
-}
+};
 
-class InvalidSensorUrlError extends Error {
-  sensor;
-  constructor(sensor) {
-    super(`Invalid sensor URL "${sensor}". Sensor must be a valid absolute URL (e.g., "https://sensor.example.com") to support slug-based activity IDs.`);
-    this.name = "InvalidSensorUrlError";
-    this.sensor = sensor;
-  }
-}
-function buildCanonicalActivityUrl(sensor, selector, slug) {
-  let base;
-  try {
-    base = new URL(sensor);
-  } catch {
-    throw new InvalidSensorUrlError(sensor);
-  }
-  const pathSegment = "grade" in selector ? `${selector.subject}/g${String(selector.grade)}` : selector.code;
-  const basePath = base.pathname.replace(/\/+$/, "");
-  base.pathname = `${basePath}/activities/${pathSegment}/${encodeURIComponent(slug)}`;
-  return base.toString();
-}
-function buildActivityContext(payload, course, appName, apiEnv, sensor) {
-  return {
-    id: buildCanonicalActivityUrl(sensor, payload.course, payload.id),
-    type: "TimebackActivityContext",
-    subject: course.subject,
-    app: { name: appName },
-    activity: { name: payload.name },
-    course: {
-      id: buildCourseId(course, apiEnv),
-      name: buildCourseName(course)
-    }
-  };
-}
-function buildActivityMetrics(metrics) {
-  const result = [];
-  if (metrics.totalQuestions !== undefined) {
-    result.push({ type: "totalQuestions", value: metrics.totalQuestions });
-  }
-  if (metrics.correctQuestions !== undefined) {
-    result.push({ type: "correctQuestions", value: metrics.correctQuestions });
-  }
-  if (metrics.xpEarned !== undefined) {
-    result.push({ type: "xpEarned", value: metrics.xpEarned });
-  }
-  if (metrics.masteredUnits !== undefined) {
-    result.push({ type: "masteredUnits", value: metrics.masteredUnits });
-  }
-  return result;
-}
-function buildTimeSpentMetrics(elapsedMs, pausedMs) {
-  const result = [{ type: "active", value: Math.max(0, elapsedMs) / 1000 }];
-  if (pausedMs > 0) {
-    result.push({ type: "inactive", value: Math.max(0, pausedMs) / 1000 });
-  }
-  return result;
-}
-async function sendCaliperEnvelope(client, sensor, activityEvent, timeSpentEvent) {
-  await client.caliper.events.send(sensor, [activityEvent, timeSpentEvent]);
-}
-// src/server/lib/build-user-profile.ts
-function buildCourseLookup(courses, apiEnv) {
-  const courseById = new Map;
-  for (const course of courses) {
-    const courseId = course.ids?.[apiEnv];
-    if (courseId) {
-      courseById.set(courseId, course);
-    }
-  }
-  return courseById;
-}
-function mapEnrollmentsToCourses(enrollments, courseById) {
-  return enrollments.map((enrollment) => {
-    const configuredCourse = courseById.get(enrollment.course.id);
-    return {
-      id: enrollment.course.id,
-      code: configuredCourse?.courseCode ?? enrollment.course.id,
-      name: enrollment.course.title
-    };
-  });
-}
-function pickGoalsFromEnrollments(enrollments) {
-  return enrollments.map((enrollment) => enrollment.metadata?.goals).find(Boolean);
-}
-function getUtcDayRange(date6) {
-  const start = new Date(Date.UTC(date6.getUTCFullYear(), date6.getUTCMonth(), date6.getUTCDate()));
-  const end = new Date(Date.UTC(date6.getUTCFullYear(), date6.getUTCMonth(), date6.getUTCDate(), 23, 59, 59, 999));
-  return { start, end };
-}
-function sumXp(facts) {
-  return Object.values(facts).reduce((dateTotal, subjects) => {
-    return dateTotal + Object.values(subjects).reduce((subjectTotal, metrics) => {
-      return subjectTotal + (metrics.activityMetrics?.xpEarned ?? 0);
-    }, 0);
-  }, 0);
-}
-// src/server/handlers/identity-full.ts
+// src/server/lib/sso.ts
 function buildErrorContext(error57, errorCode, state, req) {
   return {
     error: error57,
@@ -87412,123 +87312,59 @@ function tryDecodeState(stateParam) {
     return;
   }
 }
-function handleCallbackError(errorParam, url6, state, req, identity) {
+function handleIdpError(errorParam, url6, state, req, onCallbackError) {
   const errorDesc = url6.searchParams.get("error_description");
   ssoLog.error("IdP returned error", { error: errorParam, description: errorDesc });
   const error57 = new Error(errorDesc ?? errorParam);
-  if (identity.onCallbackError) {
-    return identity.onCallbackError(buildErrorContext(error57, errorParam, state, req));
+  if (onCallbackError) {
+    return onCallbackError(buildErrorContext(error57, errorParam, state, req));
   }
   return jsonResponse({ error: errorParam }, 400);
 }
-function handleMissingCode(state, req, identity) {
+function handleMissingCode(state, req, onCallbackError) {
   ssoLog.error("Missing authorization code in callback");
   const error57 = new Error("Missing authorization code");
-  if (identity.onCallbackError) {
-    return identity.onCallbackError(buildErrorContext(error57, "missing_code", state, req));
+  if (onCallbackError) {
+    return onCallbackError(buildErrorContext(error57, "missing_code", state, req));
   }
   return jsonResponse({ error: "Missing authorization code" }, 400);
 }
-async function handleSignIn(req, env2, identity) {
-  if (identity.mode !== "sso") {
-    ssoLog.warn("SSO not configured");
-    return jsonResponse({ error: "SSO not configured" }, 400);
-  }
-  const issuer = identity.issuer ?? getIssuer(env2);
+async function initiateSignIn(params) {
+  const { req, env: env2, clientId, buildState } = params;
+  const issuer = params.issuer ?? getIssuer(env2);
   const url6 = new URL(req.url);
-  let redirectUri = identity.redirectUri;
+  let redirectUri = params.redirectUri;
   if (!redirectUri) {
     const basePath = url6.pathname.replace(ROUTES.IDENTITY.SIGNIN, "");
     redirectUri = `${url6.origin}${basePath}${ROUTES.IDENTITY.CALLBACK}`;
   }
-  ssoLog.debug("SSO sign-in initiated", { env: env2, issuer, clientId: identity.clientId, redirectUri });
-  const stateData = identity.buildState ? identity.buildState({ req, url: url6 }) : {};
+  ssoLog.debug("SSO sign-in initiated", { env: env2, issuer, clientId, redirectUri });
+  const stateData = buildState ? buildState({ req, url: url6 }) : {};
   const state = encodeBase64Url(stateData);
   const authUrl = await buildAuthorizationUrl({
     issuer,
-    clientId: identity.clientId,
+    clientId,
     redirectUri,
     state
   });
   return redirectResponse(authUrl);
 }
-async function completeCallback(code, url6, state, req, env2, identity, api) {
-  try {
-    const issuer = identity.issuer ?? getIssuer(env2);
-    let redirectUri = identity.redirectUri;
-    if (!redirectUri) {
-      const basePath = url6.pathname.replace(ROUTES.IDENTITY.CALLBACK, "");
-      redirectUri = `${url6.origin}${basePath}${ROUTES.IDENTITY.CALLBACK}`;
-    }
-    ssoLog.debug("Exchanging auth code for tokens", { issuer, clientId: identity.clientId });
-    const tokens = await exchangeCodeForTokens({
-      issuer,
-      clientId: identity.clientId,
-      clientSecret: identity.clientSecret,
-      code,
-      redirectUri
-    });
-    const userInfo = await getUserInfo({ issuer, accessToken: tokens.access_token });
-    const identities = typeof userInfo.identities === "string" ? JSON.parse(userInfo.identities) : userInfo.identities;
-    ssoLog.debug("SSO completed, resolving Timeback user", {
-      user: { ...userInfo, identities }
-    });
-    const authUser = await resolveTimebackUserByEmail({
-      env: env2,
-      apiCredentials: api.credentials,
-      userInfo,
-      client: api.getClient()
-    });
-    ssoLog.debug("Timeback user resolved", { timebackId: authUser.id });
-    const ctx = {
-      user: authUser,
-      idp: { tokens, userInfo },
-      state,
-      req,
-      redirect: redirectResponse,
-      json: jsonResponse
-    };
-    return identity.onCallbackSuccess(ctx);
-  } catch (err) {
-    const error57 = err instanceof Error ? err : new Error("Unknown error");
-    const errorCode = err instanceof TimebackUserResolutionError ? err.code : "token_exchange_failed";
-    ssoLog.error("SSO callback failed", { error: error57.message, errorCode });
-    if (identity.onCallbackError) {
-      return identity.onCallbackError(buildErrorContext(error57, errorCode, state, req));
-    }
-    return jsonResponse({ error: error57.message }, 500);
-  }
-}
-async function handleCallback(req, env2, identity, api) {
-  if (identity.mode !== "sso") {
-    ssoLog.warn("SSO not configured");
-    return jsonResponse({ error: "SSO not configured" }, 400);
-  }
+function parseCallback(req) {
   const url6 = new URL(req.url);
   const code = url6.searchParams.get("code");
   const errorParam = url6.searchParams.get("error");
   const stateParam = url6.searchParams.get("state");
   ssoLog.debug("Received callback from IdP", { hasCode: !!code, error: errorParam });
   const state = stateParam ? tryDecodeState(stateParam) : undefined;
-  if (errorParam) {
-    return await handleCallbackError(errorParam, url6, state, req, identity);
-  }
-  if (!code) {
-    return await handleMissingCode(state, req, identity);
-  }
-  return await completeCallback(code, url6, state, req, env2, identity, api);
+  return { url: url6, code, errorParam, state };
 }
-function createIdentityHandlers(params) {
-  const { env: env2, identity, api } = params;
-  return {
-    signIn: (req) => handleSignIn(req, env2, identity),
-    callback: (req) => handleCallback(req, env2, identity, api),
-    signOut: () => redirectResponse("/")
-  };
+function computeRedirectUri(url6, configuredRedirectUri) {
+  if (configuredRedirectUri) {
+    return configuredRedirectUri;
+  }
+  const basePath = url6.pathname.replace(ROUTES.IDENTITY.CALLBACK, "");
+  return `${url6.origin}${basePath}${ROUTES.IDENTITY.CALLBACK}`;
 }
-// src/server/handlers/activity.ts
-import * as z16 from "zod";
-
 // ../clients/caliper/dist/index.js
 var __defProp7 = Object.defineProperty;
 var __export = (target, all) => {
@@ -102809,14 +102645,20 @@ var TimebackConfig8 = exports_external6.object({
   message: "Duplicate courseCode found; each must be unique",
   path: ["courses"]
 }).refine((config22) => {
-  return config22.courses.every((c) => c.sensor !== undefined || config22.sensor !== undefined);
-}, {
-  message: "Each course must have an effective sensor; set a top-level `sensor` or per-course `sensor`",
-  path: ["courses"]
-}).refine((config22) => {
-  return config22.courses.every((c) => c.launchUrl !== undefined || config22.launchUrl !== undefined);
+  return config22.courses.every((c) => {
+    if (c.sensor !== undefined || config22.sensor !== undefined) {
+      return true;
+    }
+    const launchUrls = [
+      c.launchUrl,
+      config22.launchUrl,
+      c.overrides?.staging?.launchUrl,
+      c.overrides?.production?.launchUrl
+    ].filter(Boolean);
+    return launchUrls.length > 0;
+  });
 }, {
-  message: "Each course must have an effective launchUrl; set a top-level `launchUrl` or per-course `launchUrl`",
+  message: "Each course must have an effective sensor. Either set `sensor` explicitly (top-level or per-course), or provide a `launchUrl` so sensor can be derived from its origin.",
   path: ["courses"]
 });
 var EdubridgeDateString8 = exports_external6.union([IsoDateString8, IsoDateTimeString8]);
@@ -104099,8 +103941,337 @@ function createCaliperClient2(registry22 = DEFAULT_PROVIDER_REGISTRY7) {
 }
 var CaliperClient2 = createCaliperClient2();
 
-// src/server/handlers/activity.ts
-var log11 = createScopedLogger3("handlers:activity");
+// src/server/handlers/activity/caliper.ts
+class MissingSyncedCourseIdError extends Error {
+  course;
+  env;
+  constructor(course, env2) {
+    const identifier = course.grade === undefined ? course.courseCode ?? course.subject : `${course.subject} grade ${course.grade}`;
+    super(`Course "${identifier}" is missing a synced ID for ${env2}. Run \`timeback resources push\` first.`);
+    this.name = "MissingSyncedCourseIdError";
+    this.course = course;
+    this.env = env2;
+  }
+}
+
+class InvalidSensorUrlError extends Error {
+  sensor;
+  constructor(sensor) {
+    super(`Invalid sensor URL "${sensor}". Sensor must be a valid absolute URL (e.g., "https://sensor.example.com") to support slug-based activity IDs.`);
+    this.name = "InvalidSensorUrlError";
+    this.sensor = sensor;
+  }
+}
+function buildCourseId(course, apiEnv) {
+  const courseId = course.ids?.[apiEnv];
+  if (!courseId) {
+    throw new MissingSyncedCourseIdError(course, apiEnv);
+  }
+  return courseId;
+}
+function buildCourseName(course) {
+  if (course.courseCode) {
+    return course.courseCode;
+  }
+  if (course.grade !== undefined) {
+    return `${course.subject} G${String(course.grade)}`;
+  }
+  return course.subject;
+}
+function buildCanonicalActivityUrl(sensor, selector, slug) {
+  let base;
+  try {
+    base = new URL(sensor);
+  } catch {
+    throw new InvalidSensorUrlError(sensor);
+  }
+  const pathSegment = "grade" in selector ? `${selector.subject}/g${String(selector.grade)}` : selector.code;
+  const basePath = base.pathname.replace(/\/+$/, "");
+  base.pathname = `${basePath}/activities/${pathSegment}/${encodeURIComponent(slug)}`;
+  return base.toString();
+}
+function buildActivityContext(payload, course, appName, apiEnv, sensor) {
+  return {
+    id: buildCanonicalActivityUrl(sensor, payload.course, payload.id),
+    type: "TimebackActivityContext",
+    subject: course.subject,
+    app: { name: appName },
+    activity: { name: payload.name },
+    course: {
+      id: buildCourseId(course, apiEnv),
+      name: buildCourseName(course)
+    },
+    process: false
+  };
+}
+function buildActivityMetrics(metrics) {
+  const result = [];
+  if (metrics.totalQuestions !== undefined) {
+    result.push({ type: "totalQuestions", value: metrics.totalQuestions });
+  }
+  if (metrics.correctQuestions !== undefined) {
+    result.push({ type: "correctQuestions", value: metrics.correctQuestions });
+  }
+  if (metrics.xpEarned !== undefined) {
+    result.push({ type: "xpEarned", value: metrics.xpEarned });
+  }
+  if (metrics.masteredUnits !== undefined) {
+    result.push({ type: "masteredUnits", value: metrics.masteredUnits });
+  }
+  return result;
+}
+function buildTimeSpentMetrics(elapsedMs, pausedMs) {
+  const result = [{ type: "active", value: Math.max(0, elapsedMs) / 1000 }];
+  if (pausedMs > 0) {
+    result.push({ type: "inactive", value: Math.max(0, pausedMs) / 1000 });
+  }
+  return result;
+}
+function buildActivityEvents(params) {
+  const { sensor, timebackId, email: email8, payload, course, appName, apiEnv } = params;
+  const actor = {
+    id: `urn:timeback:user:${timebackId}`,
+    type: "TimebackUser",
+    email: email8
+  };
+  const object7 = buildActivityContext(payload, course, appName, apiEnv, sensor);
+  const metrics = buildActivityMetrics(payload.metrics);
+  const timeSpentMetrics = buildTimeSpentMetrics(payload.elapsedMs, payload.pausedMs);
+  const activityEvent = createActivityEvent2({
+    actor,
+    object: object7,
+    metrics,
+    eventTime: payload.endedAt,
+    attempt: payload.attemptNumber,
+    generatedExtensions: payload.pctCompleteApp === undefined ? undefined : { pctCompleteApp: payload.pctCompleteApp }
+  });
+  const timeSpentEvent = createTimeSpentEvent2({
+    actor,
+    object: object7,
+    metrics: timeSpentMetrics,
+    eventTime: payload.endedAt
+  });
+  return {
+    sensor,
+    actor,
+    object: object7,
+    events: [activityEvent, timeSpentEvent],
+    payload,
+    course,
+    appName,
+    apiEnv,
+    email: email8,
+    timebackId
+  };
+}
+async function sendCaliperEnvelope(client, sensor, activityEvent, timeSpentEvent) {
+  await client.caliper.events.send(sensor, [activityEvent, timeSpentEvent]);
+}
+
+// src/server/handlers/activity/gradebook.ts
+var log11 = createScopedLogger3("handlers:activity:gradebook");
+function buildAssessmentResultPayload(params) {
+  const { resultId, lineItemId, timebackId, attempt, write } = params;
+  return {
+    sourcedId: resultId,
+    status: "active",
+    assessmentLineItem: { sourcedId: lineItemId },
+    student: { sourcedId: timebackId },
+    score: write.score,
+    scoreDate: write.endedAt,
+    scoreStatus: "fully graded",
+    inProgress: "false",
+    metadata: {
+      totalQuestions: write.metrics.totalQuestions,
+      correctQuestions: write.metrics.correctQuestions,
+      accuracy: write.score,
+      xpEarned: write.metrics.xpEarned,
+      masteredUnits: write.metrics.masteredUnits,
+      attempt,
+      endedAt: write.endedAt,
+      pctCompleteApp: write.pctCompleteApp,
+      appName: write.appName,
+      lastUpdated: new Date().toISOString()
+    }
+  };
+}
+function buildAttemptResultId(lineItemId, timebackId, attempt, endedAt) {
+  return `${lineItemId}:${safeIdSegment(timebackId)}:attempt-${attempt}:e-${hashSuffix64Base36(endedAt)}`;
+}
+async function ensureAssessmentLineItemExists(params) {
+  const { client, lineItemId, activityName, courseId, appName } = params;
+  try {
+    await client.oneroster.assessmentLineItems(lineItemId).get();
+    return;
+  } catch {}
+  try {
+    await client.oneroster.assessmentLineItems.create({
+      sourcedId: lineItemId,
+      title: activityName,
+      status: "active",
+      course: { sourcedId: courseId },
+      resultValueMin: 0,
+      resultValueMax: 100,
+      metadata: {
+        createdBy: "timeback-sdk",
+        appName
+      }
+    });
+  } catch (err) {
+    try {
+      await client.oneroster.assessmentLineItems(lineItemId).get();
+    } catch {
+      throw err;
+    }
+  }
+  log11.debug("Created assessment line item", { lineItemId });
+}
+function findRetryResult(existingResults, endedAt) {
+  return existingResults.find((result) => {
+    const metadata = result.metadata;
+    return result.scoreDate === endedAt || metadata?.endedAt === endedAt;
+  });
+}
+function computeMaxAttempt(existingResults) {
+  let maxAttempt = 0;
+  for (const result of existingResults) {
+    const metadata = result.metadata;
+    const attempt = metadata?.attempt;
+    if (typeof attempt === "number" && attempt > maxAttempt) {
+      maxAttempt = attempt;
+    }
+  }
+  return maxAttempt;
+}
+function resolveAttemptFromResult(result) {
+  const metadata = result.metadata;
+  return typeof metadata?.attempt === "number" && metadata.attempt >= 1 ? metadata.attempt : 1;
+}
+async function writeAssessmentResultWithAttemptReservation(params) {
+  const { client, lineItemId, timebackId, write } = params;
+  const existingResults = await client.oneroster.assessmentResults.listAll({
+    where: {
+      status: "active",
+      "assessmentLineItem.sourcedId": lineItemId,
+      "student.sourcedId": timebackId
+    }
+  });
+  const retryResult = findRetryResult(existingResults, write.endedAt);
+  if (retryResult) {
+    const attempt2 = resolveAttemptFromResult(retryResult);
+    const resultId2 = retryResult.sourcedId || buildAttemptResultId(lineItemId, timebackId, attempt2, write.endedAt);
+    await client.oneroster.assessmentResults.update(resultId2, buildAssessmentResultPayload({
+      resultId: resultId2,
+      lineItemId,
+      timebackId,
+      attempt: attempt2,
+      write
+    }));
+    log11.debug("Wrote gradebook entry (retry)", {
+      lineItemId,
+      resultId: resultId2,
+      score: write.score,
+      attempt: attempt2
+    });
+    return;
+  }
+  const attempt = computeMaxAttempt(existingResults) + 1;
+  const resultId = buildAttemptResultId(lineItemId, timebackId, attempt, write.endedAt);
+  await client.oneroster.assessmentResults.update(resultId, buildAssessmentResultPayload({
+    resultId,
+    lineItemId,
+    timebackId,
+    attempt,
+    write
+  }));
+  log11.debug("Wrote gradebook entry (new attempt)", {
+    lineItemId,
+    resultId,
+    score: write.score,
+    attempt
+  });
+}
+async function writeGradebookEntry(params) {
+  const { client, courseId, activityId, activityName, timebackId, payload, appName } = params;
+  const { metrics, endedAt, pctCompleteApp } = payload;
+  if (metrics.totalQuestions === undefined || metrics.correctQuestions === undefined) {
+    log11.debug("Skipping gradebook write: missing totalQuestions or correctQuestions", {
+      activityId
+    });
+    return;
+  }
+  if (metrics.totalQuestions <= 0) {
+    log11.debug("Skipping gradebook write: totalQuestions must be positive", {
+      activityId,
+      totalQuestions: metrics.totalQuestions
+    });
+    return;
+  }
+  const rawScore = metrics.correctQuestions / metrics.totalQuestions * 100;
+  const score = Math.round(Math.min(100, Math.max(0, rawScore)));
+  const lineItemId = `${safeIdSegment(courseId)}-${safeIdSegment(activityId)}-assessment`;
+  try {
+    await ensureAssessmentLineItemExists({
+      client,
+      lineItemId,
+      activityName,
+      courseId,
+      appName
+    });
+    await writeAssessmentResultWithAttemptReservation({
+      client,
+      lineItemId,
+      timebackId,
+      write: { score, endedAt, metrics, pctCompleteApp, appName }
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "Unknown error";
+    log11.warn("Failed to write gradebook entry", {
+      lineItemId,
+      error: message
+    });
+  }
+}
+
+// src/server/handlers/activity/schema.ts
+import * as z16 from "zod";
+
+// src/server/handlers/activity/resolve.ts
+class ActivityCourseResolutionError extends Error {
+  code;
+  selector;
+  count;
+  constructor(code, selector, count) {
+    super(code);
+    this.code = code;
+    this.selector = selector;
+    this.count = count;
+  }
+  get selectorDescription() {
+    if ("grade" in this.selector) {
+      return `${this.selector.subject} grade ${this.selector.grade}`;
+    }
+    return `code "${this.selector.code}"`;
+  }
+}
+function resolveActivityCourse(courses, courseRef) {
+  let matches;
+  if ("grade" in courseRef) {
+    matches = courses.filter((c) => c.subject === courseRef.subject && c.grade === courseRef.grade);
+  } else {
+    matches = courses.filter((c) => c.courseCode === courseRef.code);
+  }
+  if (matches.length === 0) {
+    throw new ActivityCourseResolutionError("unknown_course", courseRef);
+  }
+  if (matches.length > 1) {
+    throw new ActivityCourseResolutionError("ambiguous_course", courseRef, matches.length);
+  }
+  return matches[0];
+}
+
+// src/server/handlers/activity/schema.ts
+var log12 = createScopedLogger3("handlers:activity:schema");
 var activityMetricsSchema = z16.object({
   totalQuestions: z16.number().int().nonnegative().optional(),
   correctQuestions: z16.number().int().nonnegative().optional(),
@@ -104152,13 +104323,13 @@ function validateActivityRequest(body, appConfig, env2) {
     if (err instanceof ActivityCourseResolutionError) {
       const selectorDesc = formatCourseSelector(payload.course);
       if (err.code === "unknown_course") {
-        log11.warn("Unknown course selector", { selector: payload.course });
+        log12.warn("Unknown course selector", { selector: payload.course });
         return {
           ok: false,
           response: jsonResponse({ success: false, error: `Unknown course: ${selectorDesc}` }, 400)
         };
       }
-      log11.error("Ambiguous course selector", { selector: payload.course });
+      log12.error("Ambiguous course selector", { selector: payload.course });
       return {
         ok: false,
         response: jsonResponse({ success: false, error: "Ambiguous course selector in timeback.config.json" }, 500)
@@ -104170,7 +104341,7 @@ function validateActivityRequest(body, appConfig, env2) {
   const sensor = course.overrides?.[envForOverrides]?.sensor ?? course.sensor ?? appConfig.sensor;
   if (!sensor) {
     const selectorDesc = formatCourseSelector(payload.course);
-    log11.error("Missing sensor for course", { selector: payload.course });
+    log12.error("Missing sensor for course", { selector: payload.course });
     return {
       ok: false,
       response: jsonResponse({
@@ -104181,6 +104352,9 @@ function validateActivityRequest(body, appConfig, env2) {
   }
   return { ok: true, payload, course, sensor };
 }
+
+// src/server/handlers/activity/handler.ts
+var log13 = createScopedLogger3("handlers:activity");
 async function getActivityUserInfo(identity, req) {
   if (identity.mode === "custom") {
     const email8 = await identity.getEmail(req);
@@ -104192,55 +104366,18 @@ async function getActivityUserInfo(identity, req) {
 function resolveTimebackId(userInfo, client) {
   return userInfo.timebackId ?? lookupTimebackIdByEmail({ email: userInfo.email, client });
 }
-function buildActivityEvents(params) {
-  const { sensor, timebackId, email: email8, payload, course, appName, apiEnv } = params;
-  const actor = {
-    id: `urn:timeback:user:${timebackId}`,
-    type: "TimebackUser",
-    email: email8
-  };
-  const object7 = buildActivityContext(payload, course, appName, apiEnv, sensor);
-  const metrics = buildActivityMetrics(payload.metrics);
-  const timeSpentMetrics = buildTimeSpentMetrics(payload.elapsedMs, payload.pausedMs);
-  const activityEvent = createActivityEvent2({
-    actor,
-    object: object7,
-    metrics,
-    eventTime: payload.endedAt,
-    attempt: payload.attemptNumber,
-    generatedExtensions: payload.pctCompleteApp === undefined ? undefined : { pctCompleteApp: payload.pctCompleteApp }
-  });
-  const timeSpentEvent = createTimeSpentEvent2({
-    actor,
-    object: object7,
-    metrics: timeSpentMetrics,
-    eventTime: payload.endedAt
-  });
-  return {
-    sensor,
-    actor,
-    object: object7,
-    events: [activityEvent, timeSpentEvent],
-    payload,
-    course,
-    appName,
-    apiEnv,
-    email: email8,
-    timebackId
-  };
-}
 function mapErrorToResponse(err, context) {
   if (err instanceof TimebackUserResolutionError) {
-    log11.warn("Failed to resolve Timeback user", { code: err.code });
+    log13.warn("Failed to resolve Timeback user", { code: err.code });
     return jsonResponse({ success: false, error: "Unable to resolve Timeback identity" }, resolveStatusForUserResolutionError(err));
   }
   if (err instanceof MissingSyncedCourseIdError) {
     const syncErr = err;
-    log11.error("Course not synced", { course: syncErr.course, env: syncErr.env });
+    log13.error("Course not synced", { course: syncErr.course, env: syncErr.env });
     return jsonResponse({ success: false, error: syncErr.message }, 500);
   }
   const message = err instanceof Error ? err.message : "Unknown error";
-  log11.error("Failed to submit activity", { ...context, error: message });
+  log13.error("Failed to submit activity", { ...context, error: message });
   return jsonResponse({ success: false, error: message }, 502);
 }
 function createActivityHandler(config7) {
@@ -104286,8 +104423,20 @@ function createActivityHandler(config7) {
           events: effective.events
         });
       }
+      const courseId = effective.object.course?.id;
+      if (courseId) {
+        await writeGradebookEntry({
+          client,
+          courseId,
+          activityId: effective.payload.id,
+          activityName: effective.payload.name,
+          timebackId: effective.timebackId,
+          payload: effective.payload,
+          appName: effective.appName
+        });
+      }
       await sendCaliperEnvelope(client, effective.sensor, effective.events[0], effective.events[1]);
-      log11.debug("Submitted activity", {
+      log13.debug("Submitted activity", {
         courseSelector: payload.course,
         activityId: payload.id
       });
@@ -104302,27 +104451,191 @@ function createActivityHandler(config7) {
     }
   };
 }
-// src/server/handlers/user.ts
-var log12 = createScopedLogger3("handlers:user");
+// src/server/handlers/identity/oidc.ts
+async function handleSignIn(req, env2, identity) {
+  if (identity.mode !== "sso") {
+    ssoLog.warn("SSO not configured");
+    return jsonResponse({ error: "SSO not configured" }, 400);
+  }
+  return await initiateSignIn({
+    req,
+    env: env2,
+    clientId: identity.clientId,
+    issuer: identity.issuer,
+    redirectUri: identity.redirectUri,
+    buildState: identity.buildState
+  });
+}
+async function completeCallback(code, url7, state, req, env2, identity, api) {
+  try {
+    const issuer = identity.issuer ?? getIssuer(env2);
+    const redirectUri = computeRedirectUri(url7, identity.redirectUri);
+    ssoLog.debug("Exchanging auth code for tokens", { issuer, clientId: identity.clientId });
+    const tokens = await exchangeCodeForTokens({
+      issuer,
+      clientId: identity.clientId,
+      clientSecret: identity.clientSecret,
+      code,
+      redirectUri
+    });
+    const userInfo = await getUserInfo({ issuer, accessToken: tokens.access_token });
+    const identities = typeof userInfo.identities === "string" ? JSON.parse(userInfo.identities) : userInfo.identities;
+    ssoLog.debug("SSO completed, resolving Timeback user", {
+      user: { ...userInfo, identities }
+    });
+    const authUser = await resolveTimebackUserByEmail({
+      env: env2,
+      apiCredentials: api.credentials,
+      userInfo,
+      client: api.getClient()
+    });
+    ssoLog.debug("Timeback user resolved", { timebackId: authUser.id });
+    const ctx = {
+      user: authUser,
+      idp: { tokens, userInfo },
+      state,
+      req,
+      redirect: redirectResponse,
+      json: jsonResponse
+    };
+    return identity.onCallbackSuccess(ctx);
+  } catch (err) {
+    const error59 = err instanceof Error ? err : new Error("Unknown error");
+    const errorCode = err instanceof TimebackUserResolutionError ? err.code : "token_exchange_failed";
+    ssoLog.error("SSO callback failed", { error: error59.message, errorCode });
+    if (identity.onCallbackError) {
+      return identity.onCallbackError(buildErrorContext(error59, errorCode, state, req));
+    }
+    return jsonResponse({ error: error59.message }, 500);
+  }
+}
+async function handleCallback(req, env2, identity, api) {
+  if (identity.mode !== "sso") {
+    ssoLog.warn("SSO not configured");
+    return jsonResponse({ error: "SSO not configured" }, 400);
+  }
+  const { url: url7, code, errorParam, state } = parseCallback(req);
+  if (errorParam) {
+    return handleIdpError(errorParam, url7, state, req, identity.onCallbackError);
+  }
+  if (!code) {
+    return handleMissingCode(state, req, identity.onCallbackError);
+  }
+  return await completeCallback(code, url7, state, req, env2, identity, api);
+}
+
+// src/server/handlers/identity/handler.ts
+function createIdentityHandlers(params) {
+  const { env: env2, identity, api } = params;
+  return {
+    signIn: (req) => handleSignIn(req, env2, identity),
+    callback: (req) => handleCallback(req, env2, identity, api),
+    signOut: () => redirectResponse("/")
+  };
+}
+// src/server/handlers/user/enrollments.ts
+function buildCourseLookup(courses, apiEnv) {
+  const courseById = new Map;
+  for (const course of courses) {
+    const courseId = course.ids?.[apiEnv];
+    if (courseId) {
+      courseById.set(courseId, course);
+    }
+  }
+  return courseById;
+}
+function mapEnrollmentsToCourses(enrollments, courseById) {
+  return enrollments.map((enrollment) => {
+    const configuredCourse = courseById.get(enrollment.course.id);
+    return {
+      id: enrollment.course.id,
+      code: configuredCourse?.courseCode ?? enrollment.course.id,
+      name: enrollment.course.title
+    };
+  });
+}
+function pickGoalsFromEnrollments(enrollments) {
+  return enrollments.map((enrollment) => enrollment.metadata?.goals).find(Boolean);
+}
+function getUtcDayRange(date10) {
+  const start = new Date(Date.UTC(date10.getUTCFullYear(), date10.getUTCMonth(), date10.getUTCDate()));
+  const end = new Date(Date.UTC(date10.getUTCFullYear(), date10.getUTCMonth(), date10.getUTCDate(), 23, 59, 59, 999));
+  return { start, end };
+}
+function sumXp(facts) {
+  return Object.values(facts).reduce((dateTotal, subjects) => {
+    return dateTotal + Object.values(subjects).reduce((subjectTotal, metrics) => {
+      return subjectTotal + (metrics.activityMetrics?.xpEarned ?? 0);
+    }, 0);
+  }, 0);
+}
+
+// src/server/handlers/user/profile.ts
+async function buildUserProfile(client, user, appConfig, apiEnv) {
+  const enrollments = await client.edubridge.enrollments.list({
+    userId: user.id
+  });
+  const courseById = buildCourseLookup(appConfig.courses, apiEnv);
+  const courses = mapEnrollmentsToCourses(enrollments, courseById);
+  const goals = pickGoalsFromEnrollments(enrollments);
+  const { start: todayStart, end: todayEnd } = getUtcDayRange(new Date);
+  const [todayFacts, allFacts] = await Promise.all([
+    client.edubridge.analytics.getActivity({
+      studentId: user.id,
+      startDate: todayStart.toISOString(),
+      endDate: todayEnd.toISOString()
+    }),
+    client.edubridge.analytics.getActivity({
+      studentId: user.id,
+      startDate: "2000-01-01",
+      endDate: todayEnd.toISOString()
+    })
+  ]);
+  return {
+    id: user.id,
+    email: user.email,
+    name: user.name,
+    school: user.school,
+    grade: user.grade,
+    courses: courses.length ? courses : undefined,
+    goals,
+    xp: {
+      today: sumXp(todayFacts),
+      all: sumXp(allFacts)
+    }
+  };
+}
+
+// src/server/handlers/user/handler.ts
+var log14 = createScopedLogger3("handlers:user");
+async function getUserIdentity(identity, req) {
+  if (identity.mode === "custom") {
+    const email8 = await identity.getEmail(req);
+    if (!email8)
+      return;
+    return { sub: email8, email: email8 };
+  }
+  const user = await identity.getUser(req);
+  if (!user)
+    return;
+  return { sub: user.id, email: user.email };
+}
+function mapResolutionErrorToResponse(error59) {
+  log14.warn("Timeback user resolution failed", { code: error59.code });
+  if (error59.code === "timeback_user_ambiguous") {
+    return jsonResponse({ error: "Timeback user resolution ambiguous" }, 409);
+  }
+  if (error59.code === "timeback_user_not_found") {
+    return jsonResponse({ error: "Timeback user not found" }, 404);
+  }
+  return jsonResponse({ error: "User resolution failed" }, 500);
+}
 function createUserHandler(config7) {
   return async (req) => {
     try {
-      let userSub;
-      let userEmail;
-      if (config7.identity.mode === "custom") {
-        const email8 = await config7.identity.getEmail(req);
-        if (!email8) {
-          return jsonResponse({ error: "Unauthorized" }, 401);
-        }
-        userSub = email8;
-        userEmail = email8;
-      } else {
-        const user = await config7.identity.getUser(req);
-        if (!user) {
-          return jsonResponse({ error: "Unauthorized" }, 401);
-        }
-        userSub = user.id;
-        userEmail = user.email;
+      const userIdentity = await getUserIdentity(config7.identity, req);
+      if (!userIdentity) {
+        return jsonResponse({ error: "Unauthorized" }, 401);
       }
       const apiEnv = mapEnvForApi(config7.env);
       const client = new TimebackClient({
@@ -104336,65 +104649,85 @@ function createUserHandler(config7) {
         const resolved = await resolveTimebackUserByEmail({
           env: config7.env,
           apiCredentials: config7.api,
-          userInfo: {
-            sub: userSub,
-            email: userEmail
-          },
+          userInfo: userIdentity,
           client
         });
-        const enrollments = await client.edubridge.enrollments.list({
-          userId: resolved.id
-        });
-        const courseById = buildCourseLookup(config7.appConfig.courses, apiEnv);
-        const courses = mapEnrollmentsToCourses(enrollments, courseById);
-        const goals = pickGoalsFromEnrollments(enrollments);
-        const { start: todayStart, end: todayEnd } = getUtcDayRange(new Date);
-        const [todayFacts, allFacts] = await Promise.all([
-          client.edubridge.analytics.getActivity({
-            studentId: resolved.id,
-            startDate: todayStart.toISOString(),
-            endDate: todayEnd.toISOString()
-          }),
-          client.edubridge.analytics.getActivity({
-            studentId: resolved.id,
-            startDate: "2000-01-01",
-            endDate: todayEnd.toISOString()
-          })
-        ]);
-        const profile = {
-          id: resolved.id,
-          email: resolved.email,
-          name: resolved.name,
-          school: resolved.school,
-          grade: resolved.grade,
-          courses: courses.length ? courses : undefined,
-          goals,
-          xp: {
-            today: sumXp(todayFacts),
-            all: sumXp(allFacts)
-          }
-        };
+        const profile = await buildUserProfile(client, resolved, config7.appConfig, apiEnv);
         return jsonResponse(profile);
       } catch (error59) {
         if (error59 instanceof TimebackUserResolutionError) {
-          log12.warn("Timeback user resolution failed", { code: error59.code });
+          return mapResolutionErrorToResponse(error59);
+        }
+        const message = error59 instanceof Error ? error59.message : "Unknown error";
+        log14.error("Failed to build user profile", { error: message });
+        return jsonResponse({ error: message }, 502);
+      } finally {
+        client.close();
+      }
+    } catch (error59) {
+      const message = error59 instanceof Error ? error59.message : "Unknown error";
+      log14.error("Unhandled error in user handler", { error: message });
+      return jsonResponse({ error: message }, 500);
+    }
+  };
+}
+// src/server/handlers/user/verify.ts
+var log15 = createScopedLogger3("handlers:user:verify");
+async function getUserIdentity2(identity, req) {
+  if (identity.mode === "custom") {
+    const email8 = await identity.getEmail(req);
+    if (!email8)
+      return;
+    return { sub: email8, email: email8 };
+  }
+  const user = await identity.getUser(req);
+  if (!user)
+    return;
+  return { sub: user.id, email: user.email };
+}
+function createUserVerifyHandler(config7) {
+  return async (req) => {
+    try {
+      const userIdentity = await getUserIdentity2(config7.identity, req);
+      if (!userIdentity) {
+        return jsonResponse({ verified: false, error: "Unauthorized" }, 401);
+      }
+      const client = new TimebackClient({
+        env: mapEnvForApi(config7.env),
+        auth: {
+          clientId: config7.api.clientId,
+          clientSecret: config7.api.clientSecret
+        }
+      });
+      try {
+        const resolved = await resolveTimebackUserByEmail({
+          env: config7.env,
+          apiCredentials: config7.api,
+          userInfo: userIdentity,
+          client
+        });
+        return jsonResponse({ verified: true, timebackId: resolved.id });
+      } catch (error59) {
+        if (error59 instanceof TimebackUserResolutionError) {
+          log15.warn("Timeback user resolution failed", { code: error59.code });
           if (error59.code === "timeback_user_ambiguous") {
-            return jsonResponse({ error: "Timeback user resolution ambiguous" }, 409);
+            return jsonResponse({ verified: false, error: "Timeback user resolution ambiguous" }, 409);
           }
           if (error59.code === "timeback_user_not_found") {
-            return jsonResponse({ error: "Timeback user not found" }, 404);
+            return jsonResponse({ verified: false });
           }
+          return jsonResponse({ verified: false, error: error59.message }, 502);
         }
         const message = error59 instanceof Error ? error59.message : "Unknown error";
-        log12.error("Failed to build user profile", { error: message });
-        return jsonResponse({ error: message }, 502);
+        log15.error("Failed to verify user", { error: message });
+        return jsonResponse({ verified: false, error: message }, 502);
       } finally {
         client.close();
       }
     } catch (error59) {
       const message = error59 instanceof Error ? error59.message : "Unknown error";
-      log12.error("Unhandled error in user handler", { error: message });
-      return jsonResponse({ error: message }, 500);
+      log15.error("Unhandled error in verify handler", { error: message });
+      return jsonResponse({ verified: false, error: message }, 500);
     }
   };
 }
@@ -104409,6 +104742,7 @@ function toAppCourses(courses) {
   });
 }
 async function createTimeback(config7) {
+  const env2 = normalizeEnv(config7.env);
   const configResult = await loadConfig({ configPath: config7.configPath });
   if (!configResult.success) {
     throw new Error(`Failed to load timeback config: ${configResult.error}`);
@@ -104418,7 +104752,7 @@ async function createTimeback(config7) {
   const getApiClient = () => {
     if (!apiClient) {
       apiClient = new TimebackClient({
-        env: mapEnvForApi(config7.env),
+        env: mapEnvForApi(env2),
         auth: {
           clientId: config7.api.clientId,
           clientSecret: config7.api.clientSecret
@@ -104428,7 +104762,7 @@ async function createTimeback(config7) {
     return apiClient;
   };
   const activity = createActivityHandler({
-    env: config7.env,
+    env: env2,
     identity: config7.identity,
     appConfig: {
       name: appConfig.name,
@@ -104439,7 +104773,7 @@ async function createTimeback(config7) {
     hooks: config7.hooks
   });
   const identity = createIdentityHandlers({
-    env: config7.env,
+    env: env2,
     identity: config7.identity,
     api: {
       credentials: config7.api,
@@ -104447,7 +104781,7 @@ async function createTimeback(config7) {
     }
   });
   const user = createUserHandler({
-    env: config7.env,
+    env: env2,
     identity: config7.identity,
     api: config7.api,
     appConfig: {
@@ -104456,13 +104790,19 @@ async function createTimeback(config7) {
       courses: toAppCourses(appConfig.courses)
     }
   });
+  const userVerify = createUserVerifyHandler({
+    env: env2,
+    identity: config7.identity,
+    api: config7.api
+  });
   const instance = {
     config: config7,
     handle: {
       activity,
       identity,
       user: {
-        me: user
+        me: user,
+        verify: userVerify
       }
     },
     get api() {
@@ -104471,74 +104811,21 @@ async function createTimeback(config7) {
   };
   return instance;
 }
-// src/server/handlers/identity-only.ts
-function buildErrorContext2(error59, errorCode, state, req) {
-  return {
-    error: error59,
-    errorCode,
-    state,
-    req,
-    redirect: redirectResponse,
-    json: jsonResponse
-  };
-}
-function tryDecodeState2(stateParam) {
-  try {
-    return decodeBase64Url(stateParam);
-  } catch {
-    ssoLog.warn("Failed to decode state");
-    return;
-  }
-}
-function handleCallbackError2(errorParam, url7, state, req, identity) {
-  const errorDesc = url7.searchParams.get("error_description");
-  ssoLog.error("IdP returned error", { error: errorParam, description: errorDesc });
-  const error59 = new Error(errorDesc ?? errorParam);
-  if (identity.onCallbackError) {
-    return identity.onCallbackError(buildErrorContext2(error59, errorParam, state, req));
-  }
-  return jsonResponse({ error: errorParam }, 400);
-}
-function handleMissingCode2(state, req, identity) {
-  ssoLog.error("Missing authorization code in callback");
-  const error59 = new Error("Missing authorization code");
-  if (identity.onCallbackError) {
-    return identity.onCallbackError(buildErrorContext2(error59, "missing_code", state, req));
-  }
-  return jsonResponse({ error: "Missing authorization code" }, 400);
-}
+// src/server/handlers/identity-only/oidc.ts
 async function handleSignIn2(req, env2, identity) {
-  const issuer = identity.issuer ?? getIssuer(env2);
-  const url7 = new URL(req.url);
-  let redirectUri = identity.redirectUri;
-  if (!redirectUri) {
-    const basePath = url7.pathname.replace(ROUTES.IDENTITY.SIGNIN, "");
-    redirectUri = `${url7.origin}${basePath}${ROUTES.IDENTITY.CALLBACK}`;
-  }
-  ssoLog.debug("SSO sign-in initiated (identity-only)", {
+  return await initiateSignIn({
+    req,
     env: env2,
-    issuer,
-    clientId: identity.clientId,
-    redirectUri
-  });
-  const stateData = identity.buildState ? identity.buildState({ req, url: url7 }) : {};
-  const state = encodeBase64Url(stateData);
-  const authUrl = await buildAuthorizationUrl({
-    issuer,
     clientId: identity.clientId,
-    redirectUri,
-    state
+    issuer: identity.issuer,
+    redirectUri: identity.redirectUri,
+    buildState: identity.buildState
   });
-  return redirectResponse(authUrl);
 }
-async function completeCallbackIdentityOnly(code, url7, state, req, env2, identity) {
+async function completeCallback2(code, url7, state, req, env2, identity) {
   try {
     const issuer = identity.issuer ?? getIssuer(env2);
-    let redirectUri = identity.redirectUri;
-    if (!redirectUri) {
-      const basePath = url7.pathname.replace(ROUTES.IDENTITY.CALLBACK, "");
-      redirectUri = `${url7.origin}${basePath}${ROUTES.IDENTITY.CALLBACK}`;
-    }
+    const redirectUri = computeRedirectUri(url7, identity.redirectUri);
     ssoLog.debug("Exchanging auth code for tokens (identity-only)", {
       issuer,
       clientId: identity.clientId
@@ -104566,29 +104853,23 @@ async function completeCallbackIdentityOnly(code, url7, state, req, env2, identi
     const error59 = err instanceof Error ? err : new Error("Unknown error");
     ssoLog.error("Token exchange failed (identity-only)", { error: error59.message });
     if (identity.onCallbackError) {
-      return identity.onCallbackError(buildErrorContext2(error59, undefined, state, req));
+      return identity.onCallbackError(buildErrorContext(error59, undefined, state, req));
     }
     return jsonResponse({ error: error59.message }, 500);
   }
 }
-async function handleCallbackIdentityOnly(req, env2, identity) {
-  const url7 = new URL(req.url);
-  const code = url7.searchParams.get("code");
-  const errorParam = url7.searchParams.get("error");
-  const stateParam = url7.searchParams.get("state");
-  ssoLog.debug("Received callback from IdP (identity-only)", {
-    hasCode: !!code,
-    error: errorParam
-  });
-  const state = stateParam ? tryDecodeState2(stateParam) : undefined;
+async function handleCallback2(req, env2, identity) {
+  const { url: url7, code, errorParam, state } = parseCallback(req);
   if (errorParam) {
-    return await handleCallbackError2(errorParam, url7, state, req, identity);
+    return handleIdpError(errorParam, url7, state, req, identity.onCallbackError);
   }
   if (!code) {
-    return await handleMissingCode2(state, req, identity);
+    return handleMissingCode(state, req, identity.onCallbackError);
   }
-  return await completeCallbackIdentityOnly(code, url7, state, req, env2, identity);
+  return await completeCallback2(code, url7, state, req, env2, identity);
 }
+
+// src/server/handlers/identity-only/handler.ts
 function createIdentityOnlyHandlers(params) {
   const { env: env2, identity } = params;
   if (identity.mode !== "sso") {
@@ -104596,15 +104877,14 @@ function createIdentityOnlyHandlers(params) {
   }
   return {
     signIn: (req) => handleSignIn2(req, env2, identity),
-    callback: (req) => handleCallbackIdentityOnly(req, env2, identity),
+    callback: (req) => handleCallback2(req, env2, identity),
     signOut: () => redirectResponse("/")
   };
 }
-
 // src/server/timeback-identity.ts
 function createTimebackIdentity(config7) {
   const identity = createIdentityOnlyHandlers({
-    env: config7.env,
+    env: normalizeEnv(config7.env),
     identity: config7.identity
   });
   return {