ai-atlas 0.1.0

package/README.md

@@ -0,0 +1,52 @@
+# ai-atlas
+
+Atlas tool + UI helpers for the Vercel AI SDK (`ai@6` / `@ai-sdk/react@3`).
+
+## What it does
+
+- Exports an AI SDK tool named `Atlas` (`atlasTools.Atlas`).
+- When invoked, your chat UI can render an iframe that loads the `apps/web` sign-in page (`/auth/sign-in`).
+- Supports Vercel Deployment Protection via a server-side unlock redirect that sets the bypass cookie.
+
+## Environment variables
+
+### BETTER_AUTH_URL (optional at runtime; baked in for published builds)
+
+`ai-atlas` needs to know the origin of `apps/web` to construct the Atlas connect URL.
+
+Resolution order:
+
+1. `process.env.BETTER_AUTH_URL` (runtime override; useful for local dev)
+2. `DEFAULT_BETTER_AUTH_URL` baked into the published package during CI publish (pulled from Vercel env)
+
+So in deployed consumers (like `apps/demo` on Vercel), you should **not** need to set `BETTER_AUTH_URL` as long as you’re using the published package.
+
+Local dev example (`apps/demo/.env.local`):
+
+```bash
+BETTER_AUTH_URL=http://localhost:3001
+```
+
+### VERCEL_PROTECTION_BYPASS_TOKEN (optional)
+
+If `apps/web` is behind Vercel Deployment Protection, set:
+
+- `VERCEL_PROTECTION_BYPASS_TOKEN`
+  - The “Protection Bypass for Automation” token.
+  - **Must remain server-side.** Never put it directly into an iframe URL.
+
+## Dist-tags (prod vs staging)
+
+This package is published to npm with dist-tags:
+
+- `latest`: prod (baked `BETTER_AUTH_URL` from the production `apps/web` Vercel env)
+- `preview`: preview/staging (baked `BETTER_AUTH_URL` from the preview `apps/web` Vercel env)
+
+## Exports
+
+- `atlasTools` (server): the tool set to pass into `streamText({ tools })`
+- `AtlasUIMessage` (types): a typed `UIMessage` that includes `tool-Atlas` parts
+- `AtlasToolCard` (client): a small UI component that renders the iframe and provides an Unlock button
+- `atlasConfigResponse()` / `atlasUnlockResponse(req)` (server helpers): implement `/api/atlas/config` and `/api/atlas/unlock`
+
+

package/dist/src/client.d.ts

@@ -0,0 +1,8 @@
+import "./react-shim";
+export type AtlasToolCardProps = {
+    signInUrl: string;
+    needsUnlock?: boolean;
+    unlockEndpoint?: string;
+};
+export declare function AtlasToolCard(props: AtlasToolCardProps): any;
+//# sourceMappingURL=client.d.ts.map

package/dist/src/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/client.tsx"],"names":[],"mappings":"AACA,OAAO,cAAc,CAAC;AAItB,MAAM,MAAM,kBAAkB,GAAG;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF,wBAAgB,aAAa,CAAC,KAAK,EAAE,kBAAkB,OAwCtD"}

package/dist/src/client.js

@@ -0,0 +1,37 @@
+"use client";
+import { jsx as _jsx } from "react/jsx-runtime";
+import "./react-shim";
+import { useEffect, useMemo } from "react";
+export function AtlasToolCard(props) {
+    const unlockEndpoint = props.unlockEndpoint ?? "/api/chat?atlasUnlock=1";
+    const needsUnlock = props.needsUnlock ?? false;
+    const iframeSrc = useMemo(() => {
+        const u = new URL(props.signInUrl, window.location.origin);
+        // Tell the embedded app what origin to postMessage back to.
+        u.searchParams.set("clientOrigin", window.location.origin);
+        return u.toString();
+    }, [props.signInUrl]);
+    const unlockUrl = useMemo(() => {
+        const u = new URL(unlockEndpoint, window.location.origin);
+        u.searchParams.set("returnTo", window.location.href);
+        return u.toString();
+    }, [unlockEndpoint]);
+    useEffect(() => {
+        if (!needsUnlock)
+            return;
+        // If Deployment Protection is enabled, we need a top-level navigation once to set
+        // the bypass cookie on the `apps/web` origin. Do it automatically, once per session.
+        try {
+            const alreadyAttempted = window.sessionStorage.getItem("atlas_unlock_attempted") === "1";
+            if (alreadyAttempted)
+                return;
+            window.sessionStorage.setItem("atlas_unlock_attempted", "1");
+        }
+        catch {
+            // If sessionStorage is unavailable, still attempt once.
+        }
+        window.location.assign(unlockUrl);
+    }, [needsUnlock, unlockUrl]);
+    return (_jsx("iframe", { title: "Atlas Sign In", src: iframeSrc, className: "h-[540px] w-full bg-white" }));
+}
+//# sourceMappingURL=client.js.map

package/dist/src/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/client.tsx"],"names":[],"mappings":"AAAA,YAAY,CAAC;;AACb,OAAO,cAAc,CAAC;AAEtB,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,OAAO,CAAC;AAQ3C,MAAM,UAAU,aAAa,CAAC,KAAyB;IACrD,MAAM,cAAc,GAAG,KAAK,CAAC,cAAc,IAAI,yBAAyB,CAAC;IACzE,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,KAAK,CAAC;IAE/C,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,EAAE;QAC7B,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,SAAS,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC3D,4DAA4D;QAC5D,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC3D,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;IACtB,CAAC,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC;IAEtB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,EAAE;QAC7B,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC1D,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACrD,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;IACtB,CAAC,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC;IAErB,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,CAAC,WAAW;YAAE,OAAO;QAEzB,kFAAkF;QAClF,qFAAqF;QACrF,IAAI,CAAC;YACH,MAAM,gBAAgB,GAAG,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,wBAAwB,CAAC,KAAK,GAAG,CAAC;YACzF,IAAI,gBAAgB;gBAAE,OAAO;YAC7B,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,wBAAwB,EAAE,GAAG,CAAC,CAAC;QAC/D,CAAC;QAAC,MAAM,CAAC;YACP,wDAAwD;QAC1D,CAAC;QAED,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpC,CAAC,EAAE,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC,CAAC;IAE7B,OAAO,CACL,iBACE,KAAK,EAAC,eAAe,EACrB,GAAG,EAAE,SAAS,EACd,SAAS,EAAC,2BAA2B,GACrC,CACH,CAAC;AACJ,CAAC"}

package/dist/src/index.d.ts

@@ -0,0 +1,3 @@
+export * from "./server";
+export * from "./client";
+//# sourceMappingURL=index.d.ts.map

package/dist/src/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAC;AACzB,cAAc,UAAU,CAAC"}

package/dist/src/index.js

@@ -0,0 +1,3 @@
+export * from "./server";
+export * from "./client";
+//# sourceMappingURL=index.js.map

package/dist/src/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAC;AACzB,cAAc,UAAU,CAAC"}

package/dist/src/internal/defaults.generated.d.ts

@@ -0,0 +1,2 @@
+export declare const DEFAULT_BETTER_AUTH_URL: "https://atlas-platform-v2-web-git-dev-atlas-1cf296a1.vercel.app";
+//# sourceMappingURL=defaults.generated.d.ts.map

package/dist/src/internal/defaults.generated.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaults.generated.d.ts","sourceRoot":"","sources":["../../../src/internal/defaults.generated.ts"],"names":[],"mappings":"AAOA,eAAO,MAAM,uBAAuB,EAAG,iEAA0E,CAAC"}

package/dist/src/internal/defaults.generated.js

@@ -0,0 +1,9 @@
+// This file is generated during build/publish.
+//
+// Precedence at runtime:
+// 1) process.env.BETTER_AUTH_URL (local/dev override)
+// 2) DEFAULT_BETTER_AUTH_URL (baked at build time, e.g. from Vercel env)
+//
+// Do not edit by hand.
+export const DEFAULT_BETTER_AUTH_URL = "https://atlas-platform-v2-web-git-dev-atlas-1cf296a1.vercel.app";
+//# sourceMappingURL=defaults.generated.js.map

package/dist/src/internal/defaults.generated.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaults.generated.js","sourceRoot":"","sources":["../../../src/internal/defaults.generated.ts"],"names":[],"mappings":"AAAA,+CAA+C;AAC/C,EAAE;AACF,yBAAyB;AACzB,sDAAsD;AACtD,yEAAyE;AACzE,EAAE;AACF,uBAAuB;AACvB,MAAM,CAAC,MAAM,uBAAuB,GAAG,iEAA0E,CAAC"}

package/dist/src/internal/localBetterAuthUrl.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Local-dev convenience:
+ * If `apps/demo` didn't set BETTER_AUTH_URL, try to load it from `apps/web/.env*`.
+ *
+ * This should only ever run in Node (not Edge). In Vercel/prod you should rely on
+ * runtime env or baked defaults.
+ */
+export declare function readLocalBetterAuthUrlFromAppsWeb(): string | undefined;
+//# sourceMappingURL=localBetterAuthUrl.d.ts.map

package/dist/src/internal/localBetterAuthUrl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"localBetterAuthUrl.d.ts","sourceRoot":"","sources":["../../../src/internal/localBetterAuthUrl.ts"],"names":[],"mappings":"AAmDA;;;;;;GAMG;AACH,wBAAgB,iCAAiC,IAAI,MAAM,GAAG,SAAS,CAkBtE"}

package/dist/src/internal/localBetterAuthUrl.js

@@ -0,0 +1,79 @@
+import fs from "node:fs";
+import path from "node:path";
+function parseDotEnv(text) {
+    const out = {};
+    for (const rawLine of text.split(/\r?\n/)) {
+        const line = rawLine.trim();
+        if (!line || line.startsWith("#"))
+            continue;
+        const eq = line.indexOf("=");
+        if (eq <= 0)
+            continue;
+        const key = line.slice(0, eq).trim();
+        let value = line.slice(eq + 1).trim();
+        if (!key)
+            continue;
+        if ((value.startsWith('"') && value.endsWith('"')) ||
+            (value.startsWith("'") && value.endsWith("'"))) {
+            value = value.slice(1, -1);
+        }
+        out[key] = value;
+    }
+    return out;
+}
+function tryReadEnvFile(filePath) {
+    try {
+        const text = fs.readFileSync(filePath, "utf8");
+        const env = parseDotEnv(text);
+        const v = (env.BETTER_AUTH_URL ?? "").trim().replace(/\/$/, "");
+        return v || undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+function findRepoRootFromCwd(maxDepth = 6) {
+    let dir = process.cwd();
+    for (let i = 0; i <= maxDepth; i++) {
+        // Common case: repo root contains apps/web
+        if (fs.existsSync(path.join(dir, "apps", "web")))
+            return dir;
+        // If cwd is already inside /apps/*, parent might be /apps; detect sibling "web"
+        if (path.basename(dir) === "apps" && fs.existsSync(path.join(dir, "web"))) {
+            return path.dirname(dir);
+        }
+        const parent = path.dirname(dir);
+        if (parent === dir)
+            break;
+        dir = parent;
+    }
+    return null;
+}
+/**
+ * Local-dev convenience:
+ * If `apps/demo` didn't set BETTER_AUTH_URL, try to load it from `apps/web/.env*`.
+ *
+ * This should only ever run in Node (not Edge). In Vercel/prod you should rely on
+ * runtime env or baked defaults.
+ */
+export function readLocalBetterAuthUrlFromAppsWeb() {
+    if (process.env.VERCEL === "1")
+        return undefined;
+    if (process.env.NODE_ENV === "production")
+        return undefined;
+    const root = findRepoRootFromCwd();
+    if (!root)
+        return undefined;
+    const candidates = [
+        path.join(root, "apps", "web", ".env.local"),
+        path.join(root, "apps", "web", ".env.development"),
+        path.join(root, "apps", "web", ".env"),
+    ];
+    for (const p of candidates) {
+        const v = tryReadEnvFile(p);
+        if (v)
+            return v;
+    }
+    return undefined;
+}
+//# sourceMappingURL=localBetterAuthUrl.js.map

package/dist/src/internal/localBetterAuthUrl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"localBetterAuthUrl.js","sourceRoot":"","sources":["../../../src/internal/localBetterAuthUrl.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,SAAS,WAAW,CAAC,IAAY;IAC/B,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAC5C,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,EAAE,IAAI,CAAC;YAAE,SAAS;QACtB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACrC,IAAI,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACtC,IAAI,CAAC,GAAG;YAAE,SAAS;QACnB,IACE,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC9C,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC9C,CAAC;YACD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC;QACD,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACnB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB;IACtC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC/C,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;QAC9B,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAChE,OAAO,CAAC,IAAI,SAAS,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAAC,QAAQ,GAAG,CAAC;IACvC,IAAI,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IACxB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,QAAQ,EAAE,CAAC,EAAE,EAAE,CAAC;QACnC,2CAA2C;QAC3C,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;YAAE,OAAO,GAAG,CAAC;QAC7D,gFAAgF;QAChF,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,MAAM,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC;YAC1E,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,MAAM,KAAK,GAAG;YAAE,MAAM;QAC1B,GAAG,GAAG,MAAM,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iCAAiC;IAC/C,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,SAAS,CAAC;IACjD,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QAAE,OAAO,SAAS,CAAC;IAE5D,MAAM,IAAI,GAAG,mBAAmB,EAAE,CAAC;IACnC,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAE5B,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,CAAC;QAC5C,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,kBAAkB,CAAC;QAClD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC;KACvC,CAAC;IAEF,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,MAAM,CAAC,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,CAAC;YAAE,OAAO,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/src/next/callback.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Reusable OAuth callback page for the demo app.
+ *
+ * It calls the demo's `/api/atlas/oauth/exchange` endpoint (which should be a thin wrapper around `atlasOAuthExchangePOST`),
+ * then notifies `window.opener` and closes itself (popup flow).
+ */
+export declare function AtlasOAuthCallbackPage(props: {
+    exchangeEndpoint?: string;
+}): any;
+//# sourceMappingURL=callback.d.ts.map

package/dist/src/next/callback.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback.d.ts","sourceRoot":"","sources":["../../../src/next/callback.tsx"],"names":[],"mappings":"AA2BA;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE;IAAE,gBAAgB,CAAC,EAAE,MAAM,CAAA;CAAE,OAoI1E"}

package/dist/src/next/callback.js

@@ -0,0 +1,101 @@
+"use client";
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { useEffect, useMemo, useState } from "react";
+function isOkExchangeResult(value) {
+    return !!value && typeof value === "object" && value.ok === true;
+}
+function getParamsFromHref(href) {
+    const url = new URL(href);
+    return {
+        code: url.searchParams.get("code") ?? "",
+        state: url.searchParams.get("state") ?? "",
+        error: url.searchParams.get("error") ?? "",
+        errorDescription: url.searchParams.get("error_description") ?? "",
+    };
+}
+/**
+ * Reusable OAuth callback page for the demo app.
+ *
+ * It calls the demo's `/api/atlas/oauth/exchange` endpoint (which should be a thin wrapper around `atlasOAuthExchangePOST`),
+ * then notifies `window.opener` and closes itself (popup flow).
+ */
+export function AtlasOAuthCallbackPage(props) {
+    const exchangeEndpoint = props.exchangeEndpoint ?? "/api/atlas/oauth/exchange";
+    // NOTE: Even though this file is a client component, some monorepo / bundler setups
+    // can still end up evaluating it during SSR. Avoid touching `window` during render.
+    const [hydrated, setHydrated] = useState(false);
+    const [{ code, state, error, errorDescription }, setParams] = useState(() => ({
+        code: "",
+        state: "",
+        error: "",
+        errorDescription: "",
+    }));
+    const [result, setResult] = useState(null);
+    useEffect(() => {
+        setHydrated(true);
+        if (typeof window === "undefined")
+            return;
+        setParams(getParamsFromHref(window.location.href));
+    }, []);
+    const canExchange = useMemo(() => hydrated && !!code && !!state, [hydrated, code, state]);
+    const hasOAuthError = useMemo(() => hydrated && !!error, [hydrated, error]);
+    const missingParams = useMemo(() => hydrated && !hasOAuthError && (!code || !state), [hydrated, hasOAuthError, code, state]);
+    useEffect(() => {
+        if (!canExchange)
+            return;
+        let cancelled = false;
+        (async () => {
+            try {
+                const res = await fetch(exchangeEndpoint, {
+                    method: "POST",
+                    headers: { "content-type": "application/json" },
+                    body: JSON.stringify({ code, state }),
+                });
+                const json = (await res.json().catch(() => null));
+                if (cancelled)
+                    return;
+                if (!res.ok || !isOkExchangeResult(json)) {
+                    setResult(json ?? { error: "Exchange failed" });
+                    return;
+                }
+                setResult(json);
+                try {
+                    window.opener?.postMessage({ type: "atlas_oauth_complete", ok: true, scope: json.scope ?? "" }, window.location.origin);
+                }
+                catch {
+                    // ignore
+                }
+                setTimeout(() => window.close(), 50);
+            }
+            catch (e) {
+                if (cancelled)
+                    return;
+                setResult({ error: e instanceof Error ? e.message : "Exchange failed" });
+            }
+        })();
+        return () => {
+            cancelled = true;
+        };
+    }, [canExchange, code, state, exchangeEndpoint]);
+    useEffect(() => {
+        if (!hasOAuthError)
+            return;
+        try {
+            window.opener?.postMessage({ type: "atlas_oauth_complete", ok: false, error, errorDescription }, window.location.origin);
+        }
+        catch {
+            // ignore
+        }
+    }, [hasOAuthError, error, errorDescription]);
+    if (!hydrated) {
+        return (_jsxs("div", { className: "mx-auto max-w-md p-6", children: [_jsx("h1", { className: "text-xl font-semibold", children: "Atlas OAuth Callback" }), _jsx("p", { className: "mt-2 text-sm text-zinc-600", children: "Loading\u2026" })] }));
+    }
+    if (hasOAuthError) {
+        return (_jsxs("div", { className: "mx-auto max-w-md p-6", children: [_jsx("h1", { className: "text-xl font-semibold", children: "Atlas OAuth Callback" }), _jsxs("div", { className: "mt-2 text-sm text-red-700", children: [_jsxs("div", { children: ["OAuth error: ", error] }), errorDescription ? _jsx("div", { className: "mt-1 text-red-700", children: errorDescription }) : null] }), _jsx("p", { className: "mt-3 text-sm text-zinc-600", children: "You can close this window." })] }));
+    }
+    if (missingParams) {
+        return (_jsxs("div", { className: "mx-auto max-w-md p-6", children: [_jsx("h1", { className: "text-xl font-semibold", children: "Atlas OAuth Callback" }), _jsx("p", { className: "mt-2 text-sm text-zinc-600", children: "Missing required OAuth parameters." })] }));
+    }
+    return (_jsxs("div", { className: "mx-auto max-w-md p-6", children: [_jsx("h1", { className: "text-xl font-semibold", children: "Finishing sign-in\u2026" }), !result ? (_jsx("p", { className: "mt-2 text-sm text-zinc-600", children: "Exchanging authorization code\u2026" })) : result.ok === true ? (_jsx("p", { className: "mt-2 text-sm text-zinc-600", children: "Connected. You can close this window." })) : (_jsxs("div", { className: "mt-2 text-sm text-red-700", children: [_jsxs("div", { children: ["Failed to connect: ", result.error ?? "Unknown error"] }), result.details ? _jsx("pre", { className: "mt-2 whitespace-pre-wrap", children: result.details }) : null] }))] }));
+}
+//# sourceMappingURL=callback.js.map

package/dist/src/next/callback.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback.js","sourceRoot":"","sources":["../../../src/next/callback.tsx"],"names":[],"mappings":"AAAA,YAAY,CAAC;;AAEb,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAC;AAMrD,SAAS,kBAAkB,CAAC,KAAc;IACxC,OAAO,CAAC,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAK,KAAa,CAAC,EAAE,KAAK,IAAI,CAAC;AAC5E,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAY;IAMrC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC;IAC1B,OAAO;QACL,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE;QACxC,KAAK,EAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE;QAC1C,KAAK,EAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE;QAC1C,gBAAgB,EAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,EAAE;KAClE,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,sBAAsB,CAAC,KAAoC;IACzE,MAAM,gBAAgB,GAAG,KAAK,CAAC,gBAAgB,IAAI,2BAA2B,CAAC;IAE/E,oFAAoF;IACpF,oFAAoF;IACpF,MAAM,CAAC,QAAQ,EAAE,WAAW,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAChD,MAAM,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,EAAE,SAAS,CAAC,GAAG,QAAQ,CAKnE,GAAG,EAAE,CAAC,CAAC;QACR,IAAI,EAAE,EAAE;QACR,KAAK,EAAE,EAAE;QACT,KAAK,EAAE,EAAE;QACT,gBAAgB,EAAE,EAAE;KACrB,CAAC,CAAC,CAAC;IACJ,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,GAAG,QAAQ,CAAwB,IAAI,CAAC,CAAC;IAElE,SAAS,CAAC,GAAG,EAAE;QACb,WAAW,CAAC,IAAI,CAAC,CAAC;QAClB,IAAI,OAAO,MAAM,KAAK,WAAW;YAAE,OAAO;QAC1C,SAAS,CAAC,iBAAiB,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;IACrD,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC,QAAQ,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;IAC1F,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC,QAAQ,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC;IAC5E,MAAM,aAAa,GAAG,OAAO,CAC3B,GAAG,EAAE,CAAC,QAAQ,IAAI,CAAC,aAAa,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,EACrD,CAAC,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE,KAAK,CAAC,CACvC,CAAC;IAEF,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,CAAC,WAAW;YAAE,OAAO;QACzB,IAAI,SAAS,GAAG,KAAK,CAAC;QAEtB,CAAC,KAAK,IAAI,EAAE;YACV,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,gBAAgB,EAAE;oBACxC,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;oBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;iBACtC,CAAC,CAAC;gBACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAY,CAAC;gBAC7D,IAAI,SAAS;oBAAE,OAAO;gBAEtB,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;oBACzC,SAAS,CAAE,IAA8B,IAAI,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;oBAC3E,OAAO;gBACT,CAAC;gBAED,SAAS,CAAC,IAAI,CAAC,CAAC;gBAEhB,IAAI,CAAC;oBACH,MAAM,CAAC,MAAM,EAAE,WAAW,CACxB,EAAE,IAAI,EAAE,sBAAsB,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,EAAE,EAAE,EACnE,MAAM,CAAC,QAAQ,CAAC,MAAM,CACvB,CAAC;gBACJ,CAAC;gBAAC,MAAM,CAAC;oBACP,SAAS;gBACX,CAAC;gBAED,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;YACvC,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,SAAS;oBAAE,OAAO;gBACtB,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,iBAAiB,EAAE,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC,CAAC,EAAE,CAAC;QAEL,OAAO,GAAG,EAAE;YACV,SAAS,GAAG,IAAI,CAAC;QACnB,CAAC,CAAC;IACJ,CAAC,EAAE,CAAC,WAAW,EAAE,IAAI,EAAE,KAAK,EAAE,gBAAgB,CAAC,CAAC,CAAC;IAEjD,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,CAAC,aAAa;YAAE,OAAO;QAC3B,IAAI,CAAC;YACH,MAAM,CAAC,MAAM,EAAE,WAAW,CACxB,EAAE,IAAI,EAAE,sBAAsB,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,EACpE,MAAM,CAAC,QAAQ,CAAC,MAAM,CACvB,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC,EAAE,CAAC,aAAa,EAAE,KAAK,EAAE,gBAAgB,CAAC,CAAC,CAAC;IAE7C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,CACL,eAAK,SAAS,EAAC,sBAAsB,aACnC,aAAI,SAAS,EAAC,uBAAuB,qCAA0B,EAC/D,YAAG,SAAS,EAAC,4BAA4B,8BAAa,IAClD,CACP,CAAC;IACJ,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,CACL,eAAK,SAAS,EAAC,sBAAsB,aACnC,aAAI,SAAS,EAAC,uBAAuB,qCAA0B,EAC/D,eAAK,SAAS,EAAC,2BAA2B,aACxC,2CAAmB,KAAK,IAAO,EAC9B,gBAAgB,CAAC,CAAC,CAAC,cAAK,SAAS,EAAC,mBAAmB,YAAE,gBAAgB,GAAO,CAAC,CAAC,CAAC,IAAI,IAClF,EACN,YAAG,SAAS,EAAC,4BAA4B,2CAA+B,IACpE,CACP,CAAC;IACJ,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,CACL,eAAK,SAAS,EAAC,sBAAsB,aACnC,aAAI,SAAS,EAAC,uBAAuB,qCAA0B,EAC/D,YAAG,SAAS,EAAC,4BAA4B,mDAAuC,IAC5E,CACP,CAAC;IACJ,CAAC;IAED,OAAO,CACL,eAAK,SAAS,EAAC,sBAAsB,aACnC,aAAI,SAAS,EAAC,uBAAuB,wCAAwB,EAC5D,CAAC,MAAM,CAAC,CAAC,CAAC,CACT,YAAG,SAAS,EAAC,4BAA4B,oDAAmC,CAC7E,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,IAAI,CAAC,CAAC,CAAC,CACvB,YAAG,SAAS,EAAC,4BAA4B,sDAA0C,CACpF,CAAC,CAAC,CAAC,CACF,eAAK,SAAS,EAAC,2BAA2B,aACxC,iDAAyB,MAAM,CAAC,KAAK,IAAI,eAAe,IAAO,EAC9D,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,cAAK,SAAS,EAAC,0BAA0B,YAAE,MAAM,CAAC,OAAO,GAAO,CAAC,CAAC,CAAC,IAAI,IACrF,CACP,IACG,CACP,CAAC;AACJ,CAAC"}

package/dist/src/next/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./callback";
+//# sourceMappingURL=index.d.ts.map

package/dist/src/next/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/next/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC"}

package/dist/src/next/index.js

@@ -0,0 +1,2 @@
+export * from "./callback";
+//# sourceMappingURL=index.js.map

package/dist/src/next/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/next/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC"}

package/dist/src/next/oauth.d.ts

@@ -0,0 +1,20 @@
+import "server-only";
+import { NextResponse } from "next/server";
+export declare const ATLAS_COOKIE_ACCESS_TOKEN = "atlas_access_token";
+export declare const ATLAS_COOKIE_GRANTED_SCOPES = "atlas_granted_scopes";
+export declare const ATLAS_COOKIE_OAUTH_CLIENT_ID = "atlas_oauth_client_id_v2";
+export declare const ATLAS_COOKIE_OAUTH_STATE = "atlas_oauth_state";
+export declare const ATLAS_COOKIE_OAUTH_VERIFIER = "atlas_oauth_verifier";
+export declare function atlasOAuthStartPOST(req: Request): Promise<NextResponse<{
+    authorizeUrl: string;
+    state: string;
+}>>;
+export declare function atlasOAuthExchangePOST(req: Request): Promise<NextResponse<{
+    error: string;
+}> | NextResponse<{
+    ok: boolean;
+    tokenType: string;
+    expiresIn: number | undefined;
+    scope: string;
+}>>;
+//# sourceMappingURL=oauth.d.ts.map

package/dist/src/next/oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../../src/next/oauth.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAErB,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAyB3C,eAAO,MAAM,yBAAyB,uBAAuB,CAAC;AAC9D,eAAO,MAAM,2BAA2B,yBAAyB,CAAC;AAIlE,eAAO,MAAM,4BAA4B,6BAA6B,CAAC;AACvE,eAAO,MAAM,wBAAwB,sBAAsB,CAAC;AAC5D,eAAO,MAAM,2BAA2B,yBAAyB,CAAC;AAwFlE,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,OAAO;;;IA8CrD;AAOD,wBAAsB,sBAAsB,CAAC,GAAG,EAAE,OAAO;;;;;;;IAkGxD"}

package/dist/src/next/oauth.js

@@ -0,0 +1,231 @@
+import "server-only";
+import { cookies } from "next/headers";
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { DEFAULT_BETTER_AUTH_URL } from "../internal/defaults.generated";
+import { readLocalBetterAuthUrlFromAppsWeb } from "../internal/localBetterAuthUrl";
+function base64UrlEncode(bytes) {
+    return Buffer.from(bytes)
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/g, "");
+}
+async function sha256Base64Url(input) {
+    const data = new TextEncoder().encode(input);
+    const digest = await crypto.subtle.digest("SHA-256", data);
+    return base64UrlEncode(new Uint8Array(digest));
+}
+function randomBase64Url(bytesLength = 32) {
+    const bytes = new Uint8Array(bytesLength);
+    crypto.getRandomValues(bytes);
+    return base64UrlEncode(bytes);
+}
+export const ATLAS_COOKIE_ACCESS_TOKEN = "atlas_access_token";
+export const ATLAS_COOKIE_GRANTED_SCOPES = "atlas_granted_scopes";
+// NOTE: bumping this forces re-registration for existing users so the OAuth client
+// picks up newly supported scopes (the OAuth server validates requested scopes
+// against the registered client scope set).
+export const ATLAS_COOKIE_OAUTH_CLIENT_ID = "atlas_oauth_client_id_v2";
+export const ATLAS_COOKIE_OAUTH_STATE = "atlas_oauth_state";
+export const ATLAS_COOKIE_OAUTH_VERIFIER = "atlas_oauth_verifier";
+function getAtlasAuthBaseUrl() {
+    // Precedence:
+    // 1) Runtime env override
+    // 2) Baked default from CI publish
+    // 3) Local-dev fallback from apps/web/.env*
+    // NOTE: We intentionally use `||` (not `??`) so empty-string defaults don't block fallbacks.
+    const raw = ((process.env.BETTER_AUTH_URL ?? "").trim() ||
+        DEFAULT_BETTER_AUTH_URL ||
+        readLocalBetterAuthUrlFromAppsWeb() ||
+        "").replace(/\/$/, "");
+    if (!raw)
+        throw new Error("BETTER_AUTH_URL is not set (and no baked default is available)");
+    // If it already points to the issuer path, keep it; otherwise append /api/auth.
+    const base = raw.endsWith("/api/auth") ? raw : `${raw}/api/auth`;
+    return base.replace(/\/$/, "");
+}
+function expectedConvexIssuer() {
+    // Must match `issuer` configured in `packages/auth` jwt() plugin.
+    return getAtlasAuthBaseUrl();
+}
+function decodeJwtPayload(token) {
+    const parts = token.split(".");
+    if (parts.length !== 3)
+        return null;
+    try {
+        const json = Buffer.from(parts[1], "base64url").toString("utf8");
+        return JSON.parse(json);
+    }
+    catch {
+        return null;
+    }
+}
+async function ensureOAuthClient(args) {
+    const jar = await cookies();
+    const existing = jar.get(ATLAS_COOKIE_OAUTH_CLIENT_ID)?.value;
+    if (existing)
+        return existing;
+    // Register the demo client with the *full* set of scopes it may ever request.
+    // Better Auth validates authorize requests against the registered client scope set.
+    const registrationScope = [
+        "openid",
+        "profile",
+        "email",
+        "offline_access",
+        "atlas:gmail.readonly",
+        "atlas:drive.readonly",
+    ].join(" ");
+    const registerUrl = `${getAtlasAuthBaseUrl()}/oauth2/register`;
+    const res = await fetch(registerUrl, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({
+            client_name: "Atlas Demo",
+            redirect_uris: [args.redirectUri],
+            token_endpoint_auth_method: "none",
+            grant_types: ["authorization_code"],
+            response_types: ["code"],
+            scope: registrationScope,
+        }),
+    });
+    if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`Client registration failed: ${res.status} ${text}`);
+    }
+    const json = (await res.json());
+    const clientId = json.client_id;
+    if (!clientId)
+        throw new Error("Client registration returned no client_id");
+    jar.set(ATLAS_COOKIE_OAUTH_CLIENT_ID, clientId, {
+        httpOnly: true,
+        sameSite: "lax",
+        secure: process.env.NODE_ENV === "production",
+        path: "/",
+    });
+    return clientId;
+}
+const startBodySchema = z.object({
+    scopes: z.array(z.string()).optional(),
+});
+export async function atlasOAuthStartPOST(req) {
+    const body = startBodySchema.parse(await req.json().catch(() => ({})));
+    const demoOrigin = new URL(req.url).origin;
+    const redirectUri = new URL("/atlas/callback", demoOrigin).toString();
+    const clientId = await ensureOAuthClient({ redirectUri });
+    const codeVerifier = randomBase64Url(48);
+    const codeChallenge = await sha256Base64Url(codeVerifier);
+    const state = crypto.randomUUID();
+    const jar = await cookies();
+    jar.set(ATLAS_COOKIE_OAUTH_STATE, state, {
+        httpOnly: true,
+        sameSite: "lax",
+        secure: process.env.NODE_ENV === "production",
+        path: "/",
+        maxAge: 10 * 60,
+    });
+    jar.set(ATLAS_COOKIE_OAUTH_VERIFIER, codeVerifier, {
+        httpOnly: true,
+        sameSite: "lax",
+        secure: process.env.NODE_ENV === "production",
+        path: "/",
+        maxAge: 10 * 60,
+    });
+    // Always include `openid` so the server can behave as OIDC (and clients can rely on `sub`).
+    const requestedScopes = ["openid", ...(body.scopes ?? [])]
+        .map((s) => s.trim())
+        .filter(Boolean);
+    const scope = Array.from(new Set(requestedScopes)).join(" ").trim();
+    const authorizeUrl = new URL(`${getAtlasAuthBaseUrl()}/oauth2/authorize`);
+    authorizeUrl.searchParams.set("response_type", "code");
+    authorizeUrl.searchParams.set("client_id", clientId);
+    authorizeUrl.searchParams.set("redirect_uri", redirectUri);
+    authorizeUrl.searchParams.set("state", state);
+    authorizeUrl.searchParams.set("code_challenge", codeChallenge);
+    authorizeUrl.searchParams.set("code_challenge_method", "S256");
+    if (scope)
+        authorizeUrl.searchParams.set("scope", scope);
+    authorizeUrl.searchParams.set("resource", "convex");
+    authorizeUrl.searchParams.set("prompt", "consent");
+    return NextResponse.json({ authorizeUrl: authorizeUrl.toString(), state });
+}
+const exchangeBodySchema = z.object({
+    code: z.string().min(1),
+    state: z.string().min(1),
+});
+export async function atlasOAuthExchangePOST(req) {
+    const { code, state } = exchangeBodySchema.parse(await req.json());
+    const jar = await cookies();
+    const expectedState = jar.get(ATLAS_COOKIE_OAUTH_STATE)?.value ?? "";
+    const codeVerifier = jar.get(ATLAS_COOKIE_OAUTH_VERIFIER)?.value ?? "";
+    const clientId = jar.get(ATLAS_COOKIE_OAUTH_CLIENT_ID)?.value ?? "";
+    if (!expectedState || state !== expectedState) {
+        return NextResponse.json({ error: "Invalid state" }, { status: 400 });
+    }
+    if (!codeVerifier || !clientId) {
+        return NextResponse.json({ error: "Missing PKCE session" }, { status: 400 });
+    }
+    const demoOrigin = new URL(req.url).origin;
+    const redirectUri = new URL("/atlas/callback", demoOrigin).toString();
+    const tokenUrl = `${getAtlasAuthBaseUrl()}/oauth2/token`;
+    const body = new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: redirectUri,
+        code_verifier: codeVerifier,
+        client_id: clientId,
+    });
+    const res = await fetch(tokenUrl, {
+        method: "POST",
+        headers: { "content-type": "application/x-www-form-urlencoded" },
+        body,
+    });
+    if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        return NextResponse.json({ error: "Token exchange failed", status: res.status, details: text.slice(0, 2000) }, { status: 502 });
+    }
+    const json = (await res.json());
+    const accessToken = json.access_token;
+    if (!accessToken) {
+        return NextResponse.json({ error: "Malformed token response" }, { status: 502 });
+    }
+    const payload = decodeJwtPayload(accessToken);
+    if (!payload || typeof payload !== "object") {
+        return NextResponse.json({ error: "Expected JWT access_token for Convex, got non-JWT token" }, { status: 502 });
+    }
+    const aud = payload.aud;
+    const iss = payload.iss;
+    const hasConvexAud = aud === "convex" || (Array.isArray(aud) && aud.includes("convex"));
+    if (!hasConvexAud) {
+        return NextResponse.json({ error: "Access token audience is not convex", aud }, { status: 502 });
+    }
+    const expectedIss = expectedConvexIssuer();
+    if (iss !== expectedIss) {
+        return NextResponse.json({ error: "Access token issuer mismatch", iss, expectedIss }, { status: 502 });
+    }
+    const maxAge = typeof json.expires_in === "number" ? Math.max(60, json.expires_in) : undefined;
+    jar.set(ATLAS_COOKIE_ACCESS_TOKEN, accessToken, {
+        httpOnly: true,
+        sameSite: "lax",
+        secure: process.env.NODE_ENV === "production",
+        path: "/",
+        maxAge,
+    });
+    jar.set(ATLAS_COOKIE_GRANTED_SCOPES, json.scope ?? "", {
+        httpOnly: true,
+        sameSite: "lax",
+        secure: process.env.NODE_ENV === "production",
+        path: "/",
+        maxAge,
+    });
+    // Clean up one-time PKCE cookies.
+    jar.set(ATLAS_COOKIE_OAUTH_STATE, "", { httpOnly: true, path: "/", maxAge: 0 });
+    jar.set(ATLAS_COOKIE_OAUTH_VERIFIER, "", { httpOnly: true, path: "/", maxAge: 0 });
+    return NextResponse.json({
+        ok: true,
+        tokenType: json.token_type ?? "Bearer",
+        expiresIn: json.expires_in,
+        scope: json.scope ?? "",
+    });
+}
+//# sourceMappingURL=oauth.js.map