npm - authhero - Versions diffs - 4.105.0 → 4.106.0 - Mend

authhero 4.105.0 → 4.106.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/assets/u/widget/index.esm.js +1 -1
package/dist/authhero.cjs +15 -15
package/dist/authhero.d.ts +3 -20
package/dist/authhero.mjs +233 -249
package/dist/stats.html +1 -1
package/package.json +5 -5

package/dist/authhero.mjs CHANGED Viewed

@@ -3300,10 +3300,6 @@ const LI = a.nativeEnum(ke), MI = a.object({
     // access tokens and a per-tenant grant-type allowlist.
     dcr_require_initial_access_token: a.boolean().optional(),
     dcr_allowed_grant_types: a.array(a.string()).optional(),
-    // Allowlist of `integration_type` values accepted by the
-    // `/connect/start` consent-mediated IAT flow. Empty/undefined disables
-    // the flow.
-    dcr_allowed_integration_types: a.array(a.string()).optional(),
     // Per-tenant allowlist of fully-qualified http origins (scheme + host
     // + port, no path) that may be used as `return_to` / `domain` on
     // `/connect/start` despite not being loopback. Off by default.
@@ -8278,7 +8274,7 @@ const W8 = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
   logoDataUri: K8,
   validateAuthorizationCodeAndGetUser: G8
 }, Symbol.toStringTag, { value: "Module" }));
-class V extends P {
+class G extends P {
   constructor(t, n) {
     super(t, {
       message: JSON.stringify(n),
@@ -8343,7 +8339,7 @@ async function Z8(e, t, n) {
     }
   );
   if (!l.ok)
-    throw new V(400, {
+    throw new G(400, {
       message: "Failed to get user from vipps"
     });
   return await l.json();
@@ -9812,7 +9808,7 @@ function RN() {
             throw new TypeError();
           if (!fe(re) && !K(re) && !Ce(re))
             throw new TypeError();
-          return Ce(re) && (re = void 0), W = G(W), B(z, q, W, re);
+          return Ce(re) && (re = void 0), W = V(W), B(z, q, W, re);
         }
       }
       n("decorate", v);
@@ -9830,51 +9826,51 @@ function RN() {
       function b(z, q, W, re) {
         if (!fe(W))
           throw new TypeError();
-        return K(re) || (re = G(re)), ie(z, q, W, re);
+        return K(re) || (re = V(re)), ie(z, q, W, re);
       }
       n("defineMetadata", b);
       function S(z, q, W) {
         if (!fe(q))
           throw new TypeError();
-        return K(W) || (W = G(W)), M(z, q, W);
+        return K(W) || (W = V(W)), M(z, q, W);
       }
       n("hasMetadata", S);
       function E(z, q, W) {
         if (!fe(q))
           throw new TypeError();
-        return K(W) || (W = G(W)), H(z, q, W);
+        return K(W) || (W = V(W)), H(z, q, W);
       }
       n("hasOwnMetadata", E);
       function $(z, q, W) {
         if (!fe(q))
           throw new TypeError();
-        return K(W) || (W = G(W)), Y(z, q, W);
+        return K(W) || (W = V(W)), Y(z, q, W);
       }
       n("getMetadata", $);
       function T(z, q, W) {
         if (!fe(q))
           throw new TypeError();
-        return K(W) || (W = G(W)), ne(z, q, W);
+        return K(W) || (W = V(W)), ne(z, q, W);
       }
       n("getOwnMetadata", T);
       function O(z, q) {
         if (!fe(z))
           throw new TypeError();
-        return K(q) || (q = G(q)), Ae(z, q);
+        return K(q) || (q = V(q)), Ae(z, q);
       }
       n("getMetadataKeys", O);
       function I(z, q) {
         if (!fe(z))
           throw new TypeError();
-        return K(q) || (q = G(q)), ve(z, q);
+        return K(q) || (q = V(q)), ve(z, q);
       }
       n("getOwnMetadataKeys", I);
       function N(z, q, W) {
         if (!fe(q))
           throw new TypeError();
-        if (K(W) || (W = G(W)), !fe(q))
+        if (K(W) || (W = V(W)), !fe(q))
           throw new TypeError();
-        K(W) || (W = G(W));
+        K(W) || (W = V(W));
         var re = $r(
           q,
           W,
@@ -10057,7 +10053,7 @@ function RN() {
       function hn(z) {
         return "" + z;
       }
-      function G(z) {
+      function V(z) {
         var q = Be(z);
         return _e(q) ? q : hn(q);
       }
@@ -21656,7 +21652,7 @@ async function j0(e, t) {
   try {
     const { header: n } = nO(t), r = (await rO(e.env)).find((c) => c.kid === n.kid);
     if (!r)
-      throw new V(401, { message: "No matching kid found" });
+      throw new G(401, { message: "No matching kid found" });
     const o = await crypto.subtle.importKey(
       "jwk",
       r,
@@ -21666,7 +21662,7 @@ async function j0(e, t) {
     );
     return await tO(t, o, "RS256");
   } catch (n) {
-    throw n instanceof P ? n : new V(403, { message: "Invalid JWT signature" });
+    throw n instanceof P ? n : new G(403, { message: "Invalid JWT signature" });
   }
 }
 function S_(e) {
@@ -21695,7 +21691,7 @@ function x_(e) {
         return await n();
       const d = S_(t.req.header("authorization"));
       if (!d)
-        throw new V(401, {
+        throw new G(401, {
           message: "Missing bearer token"
         });
       try {
@@ -21706,9 +21702,9 @@ function x_(e) {
         (l.some(
           (h) => p.includes(h)
         ) || l.some((h) => f.includes(h))))
-          throw new V(403, { message: "Unauthorized" });
+          throw new G(403, { message: "Unauthorized" });
       } catch (u) {
-        throw u instanceof P ? u : new V(403, { message: "Invalid token" });
+        throw u instanceof P ? u : new G(403, { message: "Invalid token" });
       }
     }
     return await n();
@@ -22272,7 +22268,7 @@ async function it(e, t, n) {
   if (!r) {
     const f = await e.data.clients.getByClientId(t);
     if (!f)
-      throw new V(403, { message: "Client not found" });
+      throw new G(403, { message: "Client not found" });
     const { tenant_id: h, ...g } = f;
     i = g, r = h;
   }
@@ -22283,11 +22279,11 @@ async function it(e, t, n) {
     e.data.connections.list(r)
   ]), d = i || o;
   if (!d)
-    throw new V(403, { message: "Client not found" });
+    throw new G(403, { message: "Client not found" });
   if (d.client_metadata?.status === "deleted")
-    throw new V(403, { message: "Client not found" });
+    throw new G(403, { message: "Client not found" });
   if (!s)
-    throw new V(404, { message: "Tenant not found" });
+    throw new G(404, { message: "Tenant not found" });
   const u = c.length > 0 ? c : l.connections || [], p = Ft(e);
   return {
     ...d,
@@ -23661,27 +23657,27 @@ function FO(e, t, n) {
 }
 async function zO(e, t, n, i, r) {
   if (!n.redirect_uri)
-    throw new V(400, {
+    throw new G(400, {
       message: "Missing redirect_uri in authParams"
     });
   if (!i.email)
-    throw new V(400, {
+    throw new G(400, {
       message: "Missing email in user"
     });
   const { signingKeys: o } = await e.env.data.keys.list({
     q: "type:saml_encryption"
   }), [s] = o;
   if (!s)
-    throw new V(500, {
+    throw new G(500, {
       message: "No signing key found"
     });
   if (!t.addons?.samlp)
-    throw new V(400, {
+    throw new G(400, {
       message: `SAML Addon is not enabled for client ${t.client_id}`
     });
   const { recipient: c, audience: l } = t.addons.samlp, d = n.state || "";
   if (!c || !d || !i || !n.state)
-    throw new V(400, {
+    throw new G(400, {
       message: "Missing recipient or inResponseTo"
     });
   const u = JSON.parse(n.state), p = new URL(n.redirect_uri), f = e.env.samlSigner || (e.env.SAML_SIGN_URL ? new UO(e.env.SAML_SIGN_URL) : void 0), h = await MO(
@@ -24147,7 +24143,7 @@ async function XO(e, t) {
       (E) => !m.includes(E)
     );
     if (S.length > 0)
-      throw new V(403, {
+      throw new G(403, {
         error: "access_denied",
         error_description: `Client is not authorized for scope(s): ${S.join(", ")}`
       });
@@ -24217,7 +24213,7 @@ async function Hc(e, t) {
     })).userOrganizations.some(
       (M) => M.organization_id === s
     ))
-      throw new V(403, {
+      throw new G(403, {
         error: "access_denied",
         error_description: "User is not a member of the specified organization"
       });
@@ -26874,7 +26870,7 @@ function dh(e, t, n) {
     },
     access: {
       deny: (i) => {
-        throw new V(400, {
+        throw new G(400, {
           message: `Access denied: ${i}`
         });
       }
@@ -26907,10 +26903,10 @@ async function ff(e, t) {
     (j) => !j.revoked_at || new Date(j.revoked_at) > /* @__PURE__ */ new Date()
   );
   if (!p?.pkcs7)
-    throw new V(500, { message: "No signing key available" });
+    throw new G(500, { message: "No signing key available" });
   const f = sE(p.pkcs7), h = Vi(e.env, e.var.custom_domain), g = n.audience ?? r.tenant.default_audience;
   if (!g)
-    throw new V(400, {
+    throw new G(400, {
       error: "invalid_request",
       error_description: "An audience must be specified in the request or configured as the tenant default_audience"
     });
@@ -27124,7 +27120,7 @@ function Vu(e) {
 async function qE(e, t) {
   const { client: n, scope: i, login_id: r } = t, o = t.audience ?? n.tenant.default_audience;
   if (!o)
-    throw new V(400, {
+    throw new G(400, {
       error: "invalid_request",
       error_description: "An audience must be specified in the request or configured as the tenant default_audience"
     });
@@ -27194,12 +27190,12 @@ async function HE(e, {
     });
   const c = s.state || ke.PENDING;
   if (c === ke.FAILED)
-    throw new V(400, {
+    throw new G(400, {
       error: "access_denied",
       error_description: s.failure_reason || "Cannot authenticate login session in failed state"
     });
   if (c === ke.COMPLETED)
-    throw new V(400, {
+    throw new G(400, {
       error: "access_denied",
       error_description: "Login session has already been completed"
     });
@@ -27444,7 +27440,7 @@ async function Ze(e, t) {
   const s = n.response_type || Pt.CODE, c = n.response_mode || Bn.QUERY;
   if (r) {
     if (!t.loginSession)
-      throw new V(500, {
+      throw new G(500, {
         message: "Login session not found for ticket auth."
       });
     o && !t.skipHooks && (t.authStrategy && o.app_metadata?.strategy !== t.authStrategy.strategy && (o.app_metadata = {
@@ -27491,17 +27487,17 @@ async function Ze(e, t) {
       t.loginSession.id
     );
     if (!h)
-      throw new V(500, {
+      throw new G(500, {
         message: "Login session not found."
       });
     const g = h.state || ke.PENDING;
     if (g === ke.COMPLETED)
-      throw new V(400, {
+      throw new G(400, {
         error: "invalid_request",
         error_description: "Login session has already been completed"
       });
     if (g === ke.FAILED)
-      throw new V(400, {
+      throw new G(400, {
         error: "access_denied",
         error_description: `Login session failed: ${h.failure_reason || "unknown reason"}`
       });
@@ -27514,11 +27510,11 @@ async function Ze(e, t) {
         authConnection: t.authConnection
       });
     else if (d = h.session_id, !d)
-      throw new V(500, {
+      throw new G(500, {
         message: `Login session in ${g} state but has no session_id`
       });
   } else
-    throw new V(500, {
+    throw new G(500, {
       message: "loginSession must be provided for front-channel auth responses."
     });
   if (t.loginSession && o) {
@@ -27737,7 +27733,7 @@ async function Ze(e, t) {
     return u;
   if (c === Bn.WEB_MESSAGE) {
     if (!n.redirect_uri)
-      throw new V(400, {
+      throw new G(400, {
         message: "Redirect URI not allowed for WEB_MESSAGE response mode."
       });
     const h = new Headers();
@@ -27759,7 +27755,7 @@ async function Ze(e, t) {
     );
   }
   if (!n.redirect_uri)
-    throw new V(400, {
+    throw new G(400, {
       message: "Redirect uri not found for this response mode."
     });
   const p = new Headers();
@@ -27783,7 +27779,7 @@ async function Ze(e, t) {
       ...n.scope && { scope: n.scope }
     }).toString();
   else
-    throw new V(500, {
+    throw new G(500, {
       message: "Invalid token response for implicit flow."
     });
   return p.set("location", f.toString()), new Response("Redirecting", {
@@ -27804,7 +27800,7 @@ async function kR(e, t) {
   )).userOrganizations.some(
     (f) => f.organization_id === t.organization.id
   ))
-    throw new V(403, {
+    throw new G(403, {
       error: "access_denied",
       error_description: "User is not a member of the specified organization"
     });
@@ -27825,7 +27821,7 @@ async function kR(e, t) {
       else {
         const p = n?.user_id || t.user?.user_id;
         if (!p)
-          throw new V(400, {
+          throw new G(400, {
             error: "invalid_request",
             error_description: "User ID is required for user-based grants"
           });
@@ -27877,7 +27873,7 @@ async function kR(e, t) {
   const d = t.loginSession?.auth_connection || t.authConnection || e.var.connection;
   if (i === Pt.CODE) {
     if (!n || !t.loginSession)
-      throw new V(500, {
+      throw new G(500, {
         message: "User and loginSession is required for code flow"
       });
     const u = await zE(e, {
@@ -28171,7 +28167,7 @@ function $R(e) {
           t,
           n.linked_to
         ))
-          throw new V(400, {
+          throw new G(400, {
             error: "invalid_request",
             error_description: "Primary user does not exist"
           });
@@ -28182,7 +28178,7 @@ function $R(e) {
             n.linked_to
           );
           if (!c)
-            throw new V(500, {
+            throw new G(500, {
               error: "server_error",
               error_description: "Failed to fetch primary user after linking"
             });
@@ -28213,7 +28209,7 @@ async function NR(e, t, n) {
   if (o.linked_to) {
     const s = await e.users.get(t, o.linked_to);
     if (!s)
-      throw new V(500, {
+      throw new G(500, {
         error: "server_error",
         error_description: "Primary user does not exist for linked user"
       });
@@ -28327,7 +28323,7 @@ async function PR(e, t, n, i, r) {
     throw U(e, t.tenant.id, {
       type: L.FAILED_SIGNUP,
       description: o.reason || "Signup not allowed"
-    }), new V(400, {
+    }), new G(400, {
       message: o.reason || "Signups are disabled for this client"
     });
   await ER(e)(t.tenant.id, i);
@@ -28367,7 +28363,7 @@ function jR(e, t) {
             },
             access: {
               deny: (l, d) => {
-                throw new V(400, {
+                throw new G(400, {
                   message: d ? `Registration denied: ${l} - ${d}` : `Registration denied: ${l}`
                 });
               }
@@ -28409,7 +28405,7 @@ function jR(e, t) {
               },
               access: {
                 deny: (p, f) => {
-                  throw new V(400, {
+                  throw new G(400, {
                     message: f ? `Registration denied: ${p} - ${f}` : `Registration denied: ${p}`
                   });
                 }
@@ -28427,7 +28423,7 @@ function jR(e, t) {
     }
     const o = await $R(t)(n, i);
     if (!o.created)
-      throw new V(409, { message: "User already exists" });
+      throw new G(409, { message: "User already exists" });
     const s = o.user;
     return await (async () => {
       if (e.env.hooks?.onExecutePostUserRegistration)
@@ -28486,7 +28482,7 @@ function OR(e, t) {
       return t.users.update(n, i, r);
     const o = await t.users.get(n, i);
     if (!o)
-      throw new V(404, {
+      throw new G(404, {
         message: "User not found"
       });
     const s = {
@@ -28513,7 +28509,7 @@ function OR(e, t) {
               }
             },
             cancel: () => {
-              throw new V(400, {
+              throw new G(400, {
                 message: "User update cancelled by pre-update hook"
               });
             },
@@ -28525,13 +28521,13 @@ function OR(e, t) {
           type: L.ACTIONS_EXECUTION_FAILED,
           description: `Pre user update hook failed: ${c instanceof Error ? c.message : "Unknown error"}`,
           userId: i
-        }), new V(400, {
+        }), new G(400, {
           message: "Pre user update hook failed"
         });
       }
     return await t.transaction(async (c) => {
       if (!await c.users.update(n, i, r))
-        throw new V(404, {
+        throw new G(404, {
           message: "User not found"
         });
       if (r.email || r.email_verified) {
@@ -28590,7 +28586,7 @@ function RR(e, t) {
           },
           {
             cancel: () => {
-              throw new V(400, {
+              throw new G(400, {
                 message: "User deletion cancelled by pre-deletion hook"
               });
             },
@@ -28601,7 +28597,7 @@ function RR(e, t) {
         throw c instanceof P ? c : (U(e, n, {
           type: L.FAILED_HOOK,
           description: `Pre user deletion hook failed: ${c instanceof Error ? c.message : String(c)}`
-        }), new V(400, {
+        }), new G(400, {
           message: "Pre user deletion hook failed"
         }));
       }
@@ -28611,7 +28607,7 @@ function RR(e, t) {
       throw U(e, n, {
         type: L.FAILED_HOOK,
         description: `Pre user deletion webhook failed: ${c instanceof Error ? c.message : String(c)}`
-      }), new V(400, {
+      }), new G(400, {
         message: "Pre user deletion webhook failed"
       });
     }
@@ -31128,7 +31124,7 @@ function fh(e, t) {
 async function hd(e) {
   const t = await e.env.data.tenants.get(e.var.tenant_id);
   if (!t)
-    throw new V(404, {
+    throw new G(404, {
       error: "invalid_request",
       error_description: "Tenant not found"
     });
@@ -31136,14 +31132,14 @@ async function hd(e) {
 }
 function gd(e) {
   if (!e.flags?.enable_dynamic_client_registration)
-    throw new V(404, {
+    throw new G(404, {
       error: "invalid_request",
       error_description: "Dynamic Client Registration is not enabled"
     });
 }
 function Ua(e) {
   if (!e.clientRegistrationTokens)
-    throw new V(500, {
+    throw new G(500, {
       error: "server_error",
       error_description: "Dynamic Client Registration requires a clientRegistrationTokens adapter"
     });
@@ -31159,14 +31155,14 @@ async function cD(e, t) {
       "iat"
     );
     if (!r.ok || !r.token)
-      throw new V(401, {
+      throw new G(401, {
         error: "invalid_token",
         error_description: `Initial access token ${r.failure ?? "invalid"}`
       });
     return r.token;
   }
   if (t.flags?.dcr_require_initial_access_token !== !1)
-    throw new V(401, {
+    throw new G(401, {
       error: "invalid_token",
       error_description: "Initial access token required"
     });
@@ -31174,7 +31170,7 @@ async function cD(e, t) {
 async function hh(e, t) {
   const n = S_(e.req.header("authorization"));
   if (!n)
-    throw new V(401, {
+    throw new G(401, {
       error: "invalid_token",
       error_description: "Registration access token required"
     });
@@ -31185,12 +31181,12 @@ async function hh(e, t) {
     "rat"
   );
   if (!i.ok || !i.token)
-    throw new V(401, {
+    throw new G(401, {
       error: "invalid_token",
       error_description: `Registration access token ${i.failure ?? "invalid"}`
     });
   if (i.token.client_id !== t)
-    throw new V(401, {
+    throw new G(401, {
       error: "invalid_token",
       error_description: "Registration access token is not bound to this client"
     });
@@ -33616,13 +33612,13 @@ function ln(e, t) {
 }
 async function A1(e, t, n, i) {
   if (!i.state)
-    throw new V(400, { message: "State not found" });
+    throw new G(400, { message: "State not found" });
   const r = t.connections.find((l) => l.name === n);
   if (!r)
     throw e.set("client_id", t.client_id), await U(e, t.tenant.id, {
       type: L.FAILED_LOGIN,
       description: "Connection not found"
-    }), new V(403, { message: "Connection Not Found" });
+    }), new G(403, { message: "Connection Not Found" });
   let o = await e.env.data.loginSessions.get(
     t.tenant.id,
     i.state
@@ -33664,13 +33660,13 @@ async function FD(e, { code: t, state: n }) {
     "oauth2_state"
   );
   if (!r || !r.connection_id)
-    throw new V(403, { message: "State not found" });
+    throw new G(403, { message: "State not found" });
   const o = await i.data.loginSessions.get(
     e.var.tenant_id || "",
     r.login_id
   );
   if (!o)
-    throw new V(403, { message: "Session not found" });
+    throw new G(403, { message: "Session not found" });
   const s = await it(
     i,
     o.authParams.client_id
@@ -33683,12 +33679,12 @@ async function FD(e, { code: t, state: n }) {
     throw await U(e, s.tenant.id, {
       type: L.FAILED_LOGIN,
       description: "Connection not found"
-    }), new V(403, { message: "Connection not found" });
+    }), new G(403, { message: "Connection not found" });
   if (e.set("connection", c.name), !o.authParams.redirect_uri)
     throw await U(e, s.tenant.id, {
       type: L.FAILED_LOGIN,
       description: "Redirect URI not defined"
-    }), new V(403, { message: "Redirect URI not defined" });
+    }), new G(403, { message: "Redirect URI not defined" });
   const d = await K3(e, c.strategy).validateAuthorizationCodeAndGetUser(
     e,
     c,
@@ -33809,7 +33805,7 @@ async function k1(e, t) {
       throw new P(500, { message: "Internal server error" });
     return c;
   } catch (c) {
-    if (c instanceof V) {
+    if (c instanceof G) {
       if (c.status === 403)
         return V0(e, "state_not_found");
       if (c.status === 400) {
@@ -34206,7 +34202,7 @@ const GD = a.object({
       const c = e.req.header("authorization") || "", [l, d] = c.split(" ");
       if (l?.toLowerCase() === "bearer" && d) {
         if (t = await j0(e, d), !(t?.scope?.split(" ") || []).includes("openid"))
-          throw new V(403, {
+          throw new G(403, {
             message: "openid scope required"
           });
         e.set("user", t);
@@ -34217,13 +34213,13 @@ const GD = a.object({
         const c = await e.req.parseBody(), l = typeof c.access_token == "string" ? c.access_token : void 0;
         if (l) {
           if (t = await j0(e, l), !(t?.scope?.split(" ") || []).includes("openid"))
-            throw new V(403, {
+            throw new G(403, {
               message: "openid scope required"
             });
           e.set("user", t);
         }
       } catch (c) {
-        if (c instanceof P || c instanceof V)
+        if (c instanceof P || c instanceof G)
           throw c;
       }
     if (!t)
@@ -34428,7 +34424,7 @@ async function QD(e, t) {
     throw U(e, n.tenant.id, {
       type: L.FAILED_EXCHANGE_ACCESS_TOKEN_FOR_CLIENT_CREDENTIALS,
       description: "Invalid client credentials"
-    }), new V(403, { message: "Invalid client credentials" });
+    }), new G(403, { message: "Invalid client credentials" });
   let i;
   if (t.organization) {
     const o = await e.env.data.organizations.get(
@@ -34439,7 +34435,7 @@ async function QD(e, t) {
       throw U(e, n.tenant.id, {
         type: L.FAILED_EXCHANGE_ACCESS_TOKEN_FOR_CLIENT_CREDENTIALS,
         description: `Organization '${t.organization}' not found`
-      }), new V(400, {
+      }), new G(400, {
         error: "invalid_request",
         error_description: `Organization '${t.organization}' not found`
       });
@@ -34485,19 +34481,19 @@ async function ZD(e, t) {
     throw U(e, n.tenant.id, {
       type: L.FAILED_EXCHANGE_AUTHORIZATION_CODE_FOR_ACCESS_TOKEN,
       description: "Invalid client credentials"
-    }), new V(403, { message: "Invalid client credentials" });
+    }), new G(403, { message: "Invalid client credentials" });
   if (new Date(i.expires_at) < /* @__PURE__ */ new Date())
     throw U(e, n.tenant.id, {
       type: L.FAILED_EXCHANGE_AUTHORIZATION_CODE_FOR_ACCESS_TOKEN,
       description: "Code expired",
       userId: i.user_id
-    }), new V(403, { message: "Code expired" });
+    }), new G(403, { message: "Code expired" });
   if (i.used_at)
     throw U(e, n.tenant.id, {
       type: L.FAILED_EXCHANGE_AUTHORIZATION_CODE_FOR_ACCESS_TOKEN,
       description: "Invalid authorization code",
       userId: i.user_id
-    }), new V(400, {
+    }), new G(400, {
       error: "invalid_grant",
       error_description: "Invalid authorization code"
     });
@@ -34506,9 +34502,9 @@ async function ZD(e, t) {
     i.login_id
   );
   if (!r)
-    throw new V(403, { message: "Invalid login" });
+    throw new G(403, { message: "Invalid login" });
   if (t.organization && r.authParams.organization && t.organization !== r.authParams.organization)
-    throw new V(400, {
+    throw new G(400, {
       error: "invalid_request",
       error_description: "Organization parameter does not match login session organization"
     });
@@ -34523,7 +34519,7 @@ async function ZD(e, t) {
         type: L.FAILED_EXCHANGE_AUTHORIZATION_CODE_FOR_ACCESS_TOKEN,
         description: "Invalid client credentials",
         userId: i.user_id
-      }), new V(403, {
+      }), new G(403, {
         message: "Invalid client credentials"
       });
   } else if (i.code_challenge && i.code_challenge_method && t.code_verifier) {
@@ -34536,7 +34532,7 @@ async function ZD(e, t) {
         type: L.FAILED_EXCHANGE_AUTHORIZATION_CODE_FOR_ACCESS_TOKEN,
         description: "Invalid client credentials",
         userId: i.user_id
-      }), new V(403, {
+      }), new G(403, {
         message: "Invalid client credentials"
       });
   }
@@ -34545,13 +34541,13 @@ async function ZD(e, t) {
       type: L.FAILED_EXCHANGE_AUTHORIZATION_CODE_FOR_ACCESS_TOKEN,
       description: "Invalid redirect uri",
       userId: i.user_id
-    }), new V(403, { message: "Invalid redirect uri" });
+    }), new G(403, { message: "Invalid redirect uri" });
   const o = await e.env.data.users.get(n.tenant.id, i.user_id);
   if (!o)
-    throw new V(403, { message: "User not found" });
+    throw new G(403, { message: "User not found" });
   const s = o.linked_to ? await e.env.data.users.get(n.tenant.id, o.linked_to) : o;
   if (!s)
-    throw new V(403, { message: "User not found" });
+    throw new G(403, { message: "User not found" });
   await e.env.data.codes.used(n.tenant.id, t.code);
   let c;
   r.session_id && r.authParams.scope?.split(" ").includes("offline_access") && (c = await qE(e, {
@@ -34635,7 +34631,7 @@ async function eB(e, t) {
     throw U(e, n.tenant.id, {
       type: L.FAILED_EXCHANGE_REFRESH_TOKEN_FOR_ACCESS_TOKEN,
       description: "Client authentication failed"
-    }), new V(403, {
+    }), new G(403, {
       error: "invalid_client",
       error_description: "Client authentication failed"
     });
@@ -34649,7 +34645,7 @@ async function eB(e, t) {
         type: L.FAILED_EXCHANGE_REFRESH_TOKEN_FOR_ACCESS_TOKEN,
         description: "Refresh token has been revoked",
         userId: i.user_id
-      }), new V(400, {
+      }), new G(400, {
         error: "invalid_grant",
         error_description: "Refresh token has been revoked"
       });
@@ -34658,14 +34654,14 @@ async function eB(e, t) {
         type: L.FAILED_EXCHANGE_REFRESH_TOKEN_FOR_ACCESS_TOKEN,
         description: "Refresh token has expired",
         userId: i.user_id
-      }), new V(400, {
+      }), new G(400, {
         error: "invalid_grant",
         error_description: "Refresh token has expired"
       });
   } else throw vh(e, `Invalid refresh token: ${t.refresh_token}`), U(e, n.tenant.id, {
     type: L.FAILED_EXCHANGE_REFRESH_TOKEN_FOR_ACCESS_TOKEN,
     description: "Invalid refresh token"
-  }), new V(400, {
+  }), new G(400, {
     error: "invalid_grant",
     error_description: "Invalid refresh token"
   });
@@ -34674,10 +34670,10 @@ async function eB(e, t) {
     i.user_id
   );
   if (!r)
-    throw new V(403, { message: "User not found" });
+    throw new G(403, { message: "User not found" });
   const o = r.linked_to ? await e.env.data.users.get(n.tenant.id, r.linked_to) : r;
   if (!o)
-    throw new V(403, { message: "User not found" });
+    throw new G(403, { message: "User not found" });
   e.set("user_id", o.user_id);
   const s = i.resource_servers[0];
   let c, l;
@@ -34695,7 +34691,7 @@ async function eB(e, t) {
     if (p)
       u = { id: p.id, name: p.name };
     else
-      throw new V(400, {
+      throw new G(400, {
         error: "invalid_request",
         error_description: `Organization '${d}' not found`
       });
@@ -34737,7 +34733,7 @@ async function eB(e, t) {
     )).userOrganizations.some(
       (_) => _.organization_id === u.id
     ))
-      throw new V(403, {
+      throw new G(403, {
         error: "access_denied",
         error_description: "User is not a member of the specified organization"
       });
@@ -36553,7 +36549,7 @@ async function hC(e, {
     c
   );
   if (!d)
-    throw new V(400, {
+    throw new G(400, {
       message: "Invalid username format"
     });
   e.set("connection", l);
@@ -36562,7 +36558,7 @@ async function hC(e, {
     throw U(e, u.tenant.id, {
       type: L.FAILED_EXCHANGE_PASSWORD_OTP_FOR_ACCESS_TOKEN,
       description: "Code invalid"
-    }), new V(400, {
+    }), new G(400, {
       message: ye("code_invalid"),
       userSafe: !0
     });
@@ -36571,7 +36567,7 @@ async function hC(e, {
       type: L.FAILED_EXCHANGE_PASSWORD_OTP_FOR_ACCESS_TOKEN,
       description: "Code expired",
       userId: f.user_id
-    }), new V(400, {
+    }), new G(400, {
       message: ye("code_expired"),
       userSafe: !0
     });
@@ -36580,7 +36576,7 @@ async function hC(e, {
       type: L.FAILED_EXCHANGE_PASSWORD_OTP_FOR_ACCESS_TOKEN,
       description: "Code already used",
       userId: f.user_id
-    }), new V(400, {
+    }), new G(400, {
       message: ye("code_used"),
       userSafe: !0
     });
@@ -36593,7 +36589,7 @@ async function hC(e, {
       type: L.FAILED_EXCHANGE_PASSWORD_OTP_FOR_ACCESS_TOKEN,
       description: "Login session not found or username mismatch",
       userId: f.user_id
-    }), new V(400, {
+    }), new G(400, {
       message: "Code not found or expired",
       userSafe: !0
     });
@@ -36839,7 +36835,7 @@ const wM = new ae().openapi(
           });
         else {
           if (!o.user?.user_id)
-            throw new V(400, {
+            throw new G(400, {
               error: "invalid_request",
               error_description: "User ID is required for user-based grants"
             });
@@ -37516,7 +37512,7 @@ function xM(e) {
 async function _C(e, t, n, i) {
   const { data: r } = e.env, { username: o } = n;
   if (e.set("username", o), !o)
-    throw new V(400, { message: "Username is required" });
+    throw new G(400, { message: "Username is required" });
   const s = await kr({
     userAdapter: e.env.data.users,
     tenant_id: t.tenant.id,
@@ -37840,20 +37836,20 @@ function IM(e) {
     return Qe;
   if (e === Q.EMAIL)
     return Q.EMAIL;
-  throw new V(403, { message: "Invalid realm" });
+  throw new G(403, { message: "Invalid realm" });
 }
 async function $M(e, t, n, i, r) {
   const { env: o } = e;
   e.set("connection", r);
   const s = await o.data.codes.get(t, n, "ticket");
   if (!s || s.used_at)
-    throw new V(403, { message: "Ticket not found" });
+    throw new G(403, { message: "Ticket not found" });
   const c = await o.data.loginSessions.get(
     t,
     s.login_id
   );
   if (!c || !c.authParams.username)
-    throw new V(403, { message: "Session not found" });
+    throw new G(403, { message: "Session not found" });
   const l = await it(
     o,
     c.authParams.client_id,
@@ -38095,7 +38091,7 @@ async function RM(e, t) {
     t
   );
   if (!n)
-    throw new V(403, { message: "State not found" });
+    throw new G(403, { message: "State not found" });
   const i = n.authorization_url;
   if (i && i.length <= PM) {
     let c = null;
@@ -38126,27 +38122,27 @@ async function RM(e, t) {
   ln(e, r.tenant.id), e.set("client_id", r.client_id);
   const o = n.state || ke.PENDING;
   if (o === ke.PENDING)
-    throw new V(400, {
+    throw new G(400, {
       error: "invalid_request",
       error_description: "Login session is not yet authenticated"
     });
   if (o === ke.COMPLETED)
-    throw new V(409, {
+    throw new G(409, {
       error: "invalid_request",
       error_description: "Login session has already been completed"
     });
   if (o === ke.FAILED)
-    throw new V(400, {
+    throw new G(400, {
       error: "access_denied",
       error_description: `Login session failed: ${n.failure_reason || "unknown reason"}`
     });
   if (o === ke.EXPIRED)
-    throw new V(400, {
+    throw new G(400, {
       error: "invalid_request",
       error_description: "Login session has expired"
     });
   if (!n.user_id)
-    throw new V(500, {
+    throw new G(500, {
       message: "Authenticated login session has no user_id"
     });
   const s = await e.env.data.users.get(
@@ -38154,7 +38150,7 @@ async function RM(e, t) {
     n.user_id
   );
   if (!s)
-    throw new V(500, {
+    throw new G(500, {
       message: "Authenticated user not found"
     });
   return e.set("user_id", s.user_id), n.auth_connection && e.set("connection", n.auth_connection), Ze(e, {
@@ -38741,12 +38737,12 @@ function X1(e) {
       try {
         const n = new URL(t);
         if (!n.protocol || !n.host)
-          throw new V(400, {
+          throw new G(400, {
             error: "invalid_redirect_uri",
             error_description: `Invalid redirect_uri: ${t}`
           });
       } catch {
-        throw new V(400, {
+        throw new G(400, {
           error: "invalid_redirect_uri",
           error_description: `Invalid redirect_uri: ${t}`
         });
@@ -38756,7 +38752,7 @@ function e2(e, t) {
   if (!(!e || !t || t.length === 0)) {
     for (const n of e)
       if (!t.includes(n))
-        throw new V(400, {
+        throw new G(400, {
           error: "invalid_client_metadata",
           error_description: `grant_type "${n}" is not allowed for this tenant`
         });
@@ -38790,7 +38786,7 @@ const qM = new ae().openapi(
     gd(t);
     const n = await cD(e, t), i = e.req.valid("json"), r = Y1(n?.constraints, i);
     if (!r.ok)
-      throw new V(400, {
+      throw new G(400, {
         error: "invalid_client_metadata",
         error_description: `Field "${r.violation?.field}" conflicts with Initial Access Token constraint`
       });
@@ -38798,7 +38794,7 @@ const qM = new ae().openapi(
       r.filled
     );
     if (!o.success)
-      throw new V(400, {
+      throw new G(400, {
         error: "invalid_client_metadata",
         error_description: "Merged request (with IAT constraints applied) is not valid RFC 7591 metadata"
       });
@@ -38806,7 +38802,7 @@ const qM = new ae().openapi(
     if (s.grant_types?.some(
       (y) => y === "authorization_code" || y === "implicit"
     ) && (!s.redirect_uris || s.redirect_uris.length === 0))
-      throw new V(400, {
+      throw new G(400, {
         error: "invalid_redirect_uri",
         error_description: "redirect_uris is required for authorization_code and implicit grant types"
       });
@@ -38839,7 +38835,7 @@ const qM = new ae().openapi(
         n.id,
         (/* @__PURE__ */ new Date()).toISOString()
       ))
-        throw new V(401, {
+        throw new G(401, {
           error: "invalid_token",
           error_description: "Initial access token already used"
         });
@@ -38854,7 +38850,7 @@ const qM = new ae().openapi(
         single_use: !1
       });
     }), !g)
-      throw new V(500, {
+      throw new G(500, {
         error: "server_error",
         error_description: "Failed to create client"
       });
@@ -38896,7 +38892,7 @@ const qM = new ae().openapi(
       n
     );
     if (!i || gh(i))
-      throw new V(401, {
+      throw new G(401, {
         error: "invalid_token",
         error_description: "Client not found"
       });
@@ -38936,13 +38932,13 @@ const qM = new ae().openapi(
       n
     );
     if (!i || gh(i))
-      throw new V(401, {
+      throw new G(401, {
         error: "invalid_token",
         error_description: "Client not found"
       });
     const r = e.req.valid("json");
     if (r.client_id !== void 0 && r.client_id !== n)
-      throw new V(400, {
+      throw new G(400, {
         error: "invalid_client_metadata",
         error_description: "client_id in body does not match URL"
       });
@@ -38950,7 +38946,7 @@ const qM = new ae().openapi(
     if (o) {
       const h = Y1(o, r);
       if (!h.ok)
-        throw new V(400, {
+        throw new G(400, {
           error: "invalid_client_metadata",
           error_description: `Field "${h.violation?.field}" was bound at registration time and cannot be changed`
         });
@@ -38975,7 +38971,7 @@ const qM = new ae().openapi(
       n,
       d
     ))
-      throw new V(500, {
+      throw new G(500, {
         error: "server_error",
         error_description: "Failed to update client"
       });
@@ -38984,7 +38980,7 @@ const qM = new ae().openapi(
       n
     );
     if (!p)
-      throw new V(500, {
+      throw new G(500, {
         error: "server_error",
         error_description: "Failed to read back updated client"
       });
@@ -39022,7 +39018,7 @@ const qM = new ae().openapi(
       n
     );
     if (!i || gh(i))
-      throw new V(401, {
+      throw new G(401, {
         error: "invalid_token",
         error_description: "Client not found"
       });
@@ -39085,8 +39081,8 @@ function t2(e, t = []) {
   };
 }
 const KM = 1800, VM = a.object({
-  integration_type: a.string().min(1).openapi({
-    description: "Caller-defined integration identifier; allowlisted per tenant"
+  integration_type: a.string().min(1).optional().openapi({
+    description: "Optional caller-defined integration label. Surfaced on the consent screen and stored on the resulting client's IAT constraints. No validation beyond non-empty string."
   }),
   domain: a.string().min(1).openapi({
     description: "The domain that will host the integration (origin must match return_to)"
@@ -39126,55 +39122,44 @@ const KM = 1800, VM = a.object({
   async (e) => {
     const t = e.var.tenant_id, n = await e.env.data.tenants.get(t);
     if (!n)
-      throw new V(404, {
+      throw new G(404, {
         error: "invalid_request",
         error_description: "Tenant not found"
       });
     if (!n.flags?.enable_dynamic_client_registration)
-      throw new V(404, {
+      throw new G(404, {
         error: "invalid_request",
         error_description: "Dynamic Client Registration is not enabled"
       });
-    const { integration_type: i, domain: r, return_to: o, state: s, scope: c } = e.req.valid("query"), l = n.flags?.dcr_allowed_integration_types;
-    if (!l || l.length === 0)
-      throw new V(404, {
+    const { integration_type: i, domain: r, return_to: o, state: s, scope: c } = e.req.valid("query"), l = n.flags?.allow_http_return_to ?? [], d = /^https?:\/\//i.test(r) ? r : `https://${r}`, u = t2(d, l);
+    if (!u.ok)
+      throw new G(400, {
         error: "invalid_request",
-        error_description: "Connect flow is not enabled for this tenant"
+        error_description: `domain: ${u.reason}`
       });
-    if (!l.includes(i))
-      throw new V(400, {
-        error: "invalid_request",
-        error_description: `integration_type "${i}" is not allowed`
-      });
-    const d = n.flags?.allow_http_return_to ?? [], u = /^https?:\/\//i.test(r) ? r : `https://${r}`, p = t2(u, d);
+    const p = t2(o, l);
     if (!p.ok)
-      throw new V(400, {
-        error: "invalid_request",
-        error_description: `domain: ${p.reason}`
-      });
-    const f = t2(o, d);
-    if (!f.ok)
-      throw new V(400, {
+      throw new G(400, {
         error: "invalid_request",
-        error_description: `return_to: ${f.reason}`
+        error_description: `return_to: ${p.reason}`
       });
-    if (f.origin !== p.origin)
-      throw new V(400, {
+    if (p.origin !== u.origin)
+      throw new G(400, {
         error: "invalid_request",
         error_description: "return_to origin must match domain"
       });
-    const { clients: h } = await e.env.data.clients.list(t), g = h[0];
-    if (!g)
-      throw new V(400, {
+    const { clients: f } = await e.env.data.clients.list(t), h = f[0];
+    if (!h)
+      throw new G(400, {
         error: "invalid_request",
         error_description: "No clients configured for this tenant"
       });
-    const m = new Date(
+    const g = new Date(
       Date.now() + KM * 1e3
-    ).toISOString(), _ = await e.env.data.loginSessions.create(t, {
-      expires_at: m,
+    ).toISOString(), m = await e.env.data.loginSessions.create(t, {
+      expires_at: g,
       authParams: {
-        client_id: g.client_id,
+        client_id: h.client_id,
         state: s
       },
       csrf_token: ze(),
@@ -39187,12 +39172,12 @@ const KM = 1800, VM = a.object({
           return_to: o,
           scope: c,
           caller_state: s,
-          is_local_dev: f.isLoopback || f.isAllowlisted
+          is_local_dev: p.isLoopback || p.isAllowlisted
         }
       })
     });
     return e.redirect(
-      `/u2/connect/start?state=${encodeURIComponent(_.id)}`,
+      `/u2/connect/start?state=${encodeURIComponent(m.id)}`,
       302
     );
   }
@@ -39859,7 +39844,7 @@ function c2(e, t = "light") {
   const n = ty(e, "#ffffff"), i = ty(e, "#000000"), r = 1.35;
   return t === "light" ? i > n * r ? "#000000" : "#ffffff" : i * r > n ? "#000000" : "#ffffff";
 }
-const Ha = "mohcx5au", _U = (e, t) => {
+const Ha = "moiiv77w", _U = (e, t) => {
   const n = e?.colors?.primary_button || t?.colors?.primary || "#000000", i = e?.colors?.base_hover_color || yU(n, 0.2), r = e?.colors?.primary_button_label, o = r && ty(r, n) >= 4.5, s = o ? r : c2(n, "light"), c = o ? r : c2(n, "dark"), l = s !== c ? `
     @media (prefers-color-scheme: dark) {
       body { --text-on-primary: ${c}; }
@@ -48004,16 +47989,16 @@ function KF() {
     function fe() {
       return K;
     }
-    function Be(G) {
-      throw $.error("Unclosed " + G, K);
+    function Be(V) {
+      throw $.error("Unclosed " + V, K);
     }
     function nt() {
       return _e.length === 0 && K >= Pe;
     }
-    function Xe(G) {
+    function Xe(V) {
       if (_e.length) return _e.pop();
       if (K >= Pe) return;
-      let oe = G ? G.ignoreUnclosed : !1;
+      let oe = V ? V.ignoreUnclosed : !1;
       switch (N = O.charCodeAt(K), N) {
         case r:
         case o:
@@ -48094,8 +48079,8 @@ function KF() {
       }
       return K++, Y;
     }
-    function hn(G) {
-      _e.push(G);
+    function hn(V) {
+      _e.push(V);
     }
     return {
       back: hn,
@@ -49030,9 +49015,9 @@ function QF() {
       return "";
     typeof _ == "number" && (_ = _.toString());
     let v = "", A = "";
-    function b(G, oe) {
+    function b(V, oe) {
       const X = this;
-      this.tag = G, this.attribs = oe || {}, this.tagPosition = v.length, this.text = "", this.openingTagLength = 0, this.mediaChildren = [], this.updateParentNodeText = function() {
+      this.tag = V, this.attribs = oe || {}, this.tagPosition = v.length, this.text = "", this.openingTagLength = 0, this.mediaChildren = [], this.updateParentNodeText = function() {
         if (H.length) {
           const Ee = H[H.length - 1];
           Ee.text += X.text;
@@ -49042,13 +49027,13 @@ function QF() {
       };
     }
     y = Object.assign({}, g.defaults, y), y.parser = Object.assign({}, m, y.parser);
-    const S = function(G) {
-      return y.allowedTags === !1 || (y.allowedTags || []).indexOf(G) > -1;
+    const S = function(V) {
+      return y.allowedTags === !1 || (y.allowedTags || []).indexOf(V) > -1;
     };
-    c.forEach(function(G) {
-      S(G) && !y.allowVulnerableTags && console.warn(`
+    c.forEach(function(V) {
+      S(V) && !y.allowVulnerableTags && console.warn(`
-⚠️ Your \`allowedTags\` option includes, \`${G}\`, which is inherently
+⚠️ Your \`allowedTags\` option includes, \`${V}\`, which is inherently
 vulnerable to XSS attacks. Please remove it from \`allowedTags\`.
 Or, to disable this warning, add the \`allowVulnerableTags\` option
 and ensure you are accounting for this risk.
@@ -49062,54 +49047,54 @@ and ensure you are accounting for this risk.
       "option"
     ];
     let $, T;
-    y.allowedAttributes && ($ = {}, T = {}, l(y.allowedAttributes, function(G, oe) {
+    y.allowedAttributes && ($ = {}, T = {}, l(y.allowedAttributes, function(V, oe) {
       $[oe] = [];
       const X = [];
-      G.forEach(function(Ee) {
+      V.forEach(function(Ee) {
         typeof Ee == "string" && Ee.indexOf("*") >= 0 ? X.push(t(Ee).replace(/\\\*/g, ".*")) : $[oe].push(Ee);
       }), X.length && (T[oe] = new RegExp("^(" + X.join("|") + ")$"));
     }));
     const O = {}, I = {}, N = {};
-    l(y.allowedClasses, function(G, oe) {
-      if ($ && (d($, oe) || ($[oe] = []), $[oe].push("class")), O[oe] = G, Array.isArray(G)) {
+    l(y.allowedClasses, function(V, oe) {
+      if ($ && (d($, oe) || ($[oe] = []), $[oe].push("class")), O[oe] = V, Array.isArray(V)) {
         const X = [];
-        O[oe] = [], N[oe] = [], G.forEach(function(Ee) {
+        O[oe] = [], N[oe] = [], V.forEach(function(Ee) {
           typeof Ee == "string" && Ee.indexOf("*") >= 0 ? X.push(t(Ee).replace(/\\\*/g, ".*")) : Ee instanceof RegExp ? N[oe].push(Ee) : O[oe].push(Ee);
         }), X.length && (I[oe] = new RegExp("^(" + X.join("|") + ")$"));
       }
     });
     const j = {};
     let B;
-    l(y.transformTags, function(G, oe) {
+    l(y.transformTags, function(V, oe) {
       let X;
-      typeof G == "function" ? X = G : typeof G == "string" && (X = g.simpleTransform(G)), oe === "*" ? B = X : j[oe] = X;
+      typeof V == "function" ? X = V : typeof V == "string" && (X = g.simpleTransform(V)), oe === "*" ? B = X : j[oe] = X;
     });
     let M, H, Y, ne, ie, Ae, ve = !1;
     K();
     const Pe = new e.Parser({
-      onopentag: function(G, oe) {
-        if (y.onOpenTag && y.onOpenTag(G, oe), y.enforceHtmlBoundary && G === "html" && K(), ie) {
+      onopentag: function(V, oe) {
+        if (y.onOpenTag && y.onOpenTag(V, oe), y.enforceHtmlBoundary && V === "html" && K(), ie) {
           Ae++;
           return;
         }
-        const X = new b(G, oe);
+        const X = new b(V, oe);
         H.push(X);
         let Ee = !1;
         const gt = !!X.text;
         let mt;
-        if (d(j, G) && (mt = j[G](G, oe), X.attribs = oe = mt.attribs, mt.text !== void 0 && (X.innerText = mt.text), G !== mt.tagName && (X.name = G = mt.tagName, ne[M] = mt.tagName)), B && (mt = B(G, oe), X.attribs = oe = mt.attribs, G !== mt.tagName && (X.name = G = mt.tagName, ne[M] = mt.tagName)), (!S(G) || y.disallowedTagsMode === "recursiveEscape" && !p(Y) || y.nestingLimit != null && M >= y.nestingLimit) && (Ee = !0, Y[M] = !0, (y.disallowedTagsMode === "discard" || y.disallowedTagsMode === "completelyDiscard") && E.indexOf(G) !== -1 && (ie = !0, Ae = 1)), M++, Ee) {
+        if (d(j, V) && (mt = j[V](V, oe), X.attribs = oe = mt.attribs, mt.text !== void 0 && (X.innerText = mt.text), V !== mt.tagName && (X.name = V = mt.tagName, ne[M] = mt.tagName)), B && (mt = B(V, oe), X.attribs = oe = mt.attribs, V !== mt.tagName && (X.name = V = mt.tagName, ne[M] = mt.tagName)), (!S(V) || y.disallowedTagsMode === "recursiveEscape" && !p(Y) || y.nestingLimit != null && M >= y.nestingLimit) && (Ee = !0, Y[M] = !0, (y.disallowedTagsMode === "discard" || y.disallowedTagsMode === "completelyDiscard") && E.indexOf(V) !== -1 && (ie = !0, Ae = 1)), M++, Ee) {
           if (y.disallowedTagsMode === "discard" || y.disallowedTagsMode === "completelyDiscard") {
             if (X.innerText && !gt) {
               const He = Ce(X.innerText);
-              y.textFilter ? v += y.textFilter(He, G) : v += He, ve = !0;
+              y.textFilter ? v += y.textFilter(He, V) : v += He, ve = !0;
             }
             return;
           }
           A = v, v = "";
         }
-        v += "<" + G, G === "script" && (y.allowedScriptHostnames || y.allowedScriptDomains) && (X.innerText = ""), Ee && (y.disallowedTagsMode === "escape" || y.disallowedTagsMode === "recursiveEscape") && y.preserveEscapedAttributes ? l(oe, function(He, Le) {
+        v += "<" + V, V === "script" && (y.allowedScriptHostnames || y.allowedScriptDomains) && (X.innerText = ""), Ee && (y.disallowedTagsMode === "escape" || y.disallowedTagsMode === "recursiveEscape") && y.preserveEscapedAttributes ? l(oe, function(He, Le) {
           v += " " + Le + '="' + Ce(He || "", !0) + '"';
-        }) : (!$ || d($, G) || $["*"]) && l(oe, function(He, Le) {
+        }) : (!$ || d($, V) || $["*"]) && l(oe, function(He, Le) {
           if (!h.test(Le)) {
             delete X.attribs[Le];
             return;
@@ -49119,10 +49104,10 @@ and ensure you are accounting for this risk.
             return;
           }
           let Oo = !1;
-          if (!$ || d($, G) && $[G].indexOf(Le) !== -1 || $["*"] && $["*"].indexOf(Le) !== -1 || d(T, G) && T[G].test(Le) || T["*"] && T["*"].test(Le))
+          if (!$ || d($, V) && $[V].indexOf(Le) !== -1 || $["*"] && $["*"].indexOf(Le) !== -1 || d(T, V) && T[V].test(Le) || T["*"] && T["*"].test(Le))
             Oo = !0;
-          else if ($ && $[G]) {
-            for (const Me of $[G])
+          else if ($ && $[V]) {
+            for (const Me of $[V])
               if (n(Me) && Me.name && Me.name === Le) {
                 Oo = !0;
                 let Ke = "";
@@ -49135,11 +49120,11 @@ and ensure you are accounting for this risk.
               }
           }
           if (Oo) {
-            if (y.allowedSchemesAppliedToAttributes.indexOf(Le) !== -1 && _e(G, He)) {
+            if (y.allowedSchemesAppliedToAttributes.indexOf(Le) !== -1 && _e(V, He)) {
               delete X.attribs[Le];
               return;
             }
-            if (G === "script" && Le === "src") {
+            if (V === "script" && Le === "src") {
               let Me = !0;
               try {
                 const Ke = fe(He);
@@ -49159,7 +49144,7 @@ and ensure you are accounting for this risk.
                 return;
               }
             }
-            if (G === "iframe" && Le === "src") {
+            if (V === "iframe" && Le === "src") {
               let Me = !0;
               try {
                 const Ke = fe(He);
@@ -49201,7 +49186,7 @@ and ensure you are accounting for this risk.
                 return;
               }
             if (Le === "class") {
-              const Me = O[G], Ke = O["*"], Si = I[G], Cn = N[G], rn = N["*"], $r = I["*"], rd = [
+              const Me = O[V], Ke = O["*"], Si = I[V], Cn = N[V], rn = N["*"], $r = I["*"], rd = [
                 Si,
                 $r
               ].concat(Cn, rn).filter(function(Mf) {
@@ -49223,7 +49208,7 @@ and ensure you are accounting for this risk.
             if (Le === "style") {
               if (y.parseStyleAttributes)
                 try {
-                  const Me = o(G + " {" + He + "}", { map: !1 }), Ke = Be(
+                  const Me = o(V + " {" + He + "}", { map: !1 }), Ke = Be(
                     Me,
                     y.allowedStyles
                   );
@@ -49232,7 +49217,7 @@ and ensure you are accounting for this risk.
                     return;
                   }
                 } catch {
-                  typeof window < "u" && console.warn('Failed to parse "' + G + " {" + He + `}", If you're running this in a browser, we recommend to disable style parsing: options.parseStyleAttributes: false, since this only works in a node environment due to a postcss dependency, More info: https://github.com/apostrophecms/sanitize-html/issues/547`), delete X.attribs[Le];
+                  typeof window < "u" && console.warn('Failed to parse "' + V + " {" + He + `}", If you're running this in a browser, we recommend to disable style parsing: options.parseStyleAttributes: false, since this only works in a node environment due to a postcss dependency, More info: https://github.com/apostrophecms/sanitize-html/issues/547`), delete X.attribs[Le];
                   return;
                 }
               else if (y.allowedStyles)
@@ -49241,30 +49226,30 @@ and ensure you are accounting for this risk.
             v += " " + Le, He && He.length ? v += '="' + Ce(He, !0) + '"' : y.allowedEmptyAttributes.includes(Le) && (v += '=""');
           } else
             delete X.attribs[Le];
-        }), y.selfClosing.indexOf(G) !== -1 ? v += " />" : (v += ">", X.innerText && !gt && !y.textFilter && (v += Ce(X.innerText), ve = !0)), Ee && (v = A + Ce(v), A = ""), X.openingTagLength = v.length - X.tagPosition;
+        }), y.selfClosing.indexOf(V) !== -1 ? v += " />" : (v += ">", X.innerText && !gt && !y.textFilter && (v += Ce(X.innerText), ve = !0)), Ee && (v = A + Ce(v), A = ""), X.openingTagLength = v.length - X.tagPosition;
       },
-      ontext: function(G) {
+      ontext: function(V) {
         if (ie)
           return;
         const oe = H[H.length - 1];
         let X;
-        if (oe && (X = oe.tag, G = oe.innerText !== void 0 ? oe.innerText : G), y.disallowedTagsMode === "completelyDiscard" && !S(X))
-          G = "";
+        if (oe && (X = oe.tag, V = oe.innerText !== void 0 ? oe.innerText : V), y.disallowedTagsMode === "completelyDiscard" && !S(X))
+          V = "";
         else if ((y.disallowedTagsMode === "discard" || y.disallowedTagsMode === "completelyDiscard") && (X === "script" || X === "style"))
-          v += G;
+          v += V;
         else if ((y.disallowedTagsMode === "discard" || y.disallowedTagsMode === "completelyDiscard") && (X === "textarea" || X === "xmp"))
-          v += G;
+          v += V;
         else if (!ve) {
-          const Ee = Ce(G, !1);
+          const Ee = Ce(V, !1);
           y.textFilter ? v += y.textFilter(Ee, X) : v += Ee;
         }
         if (H.length) {
           const Ee = H[H.length - 1];
-          Ee.text += G;
+          Ee.text += V;
         }
       },
-      onclosetag: function(G, oe) {
-        if (y.onCloseTag && y.onCloseTag(G, oe), ie)
+      onclosetag: function(V, oe) {
+        if (y.onCloseTag && y.onCloseTag(V, oe), ie)
           if (Ae--, !Ae)
             ie = !1;
           else
@@ -49272,11 +49257,11 @@ and ensure you are accounting for this risk.
         const X = H.pop();
         if (!X)
           return;
-        if (X.tag !== G) {
+        if (X.tag !== V) {
           H.push(X);
           return;
         }
-        ie = y.enforceHtmlBoundary ? G === "html" : !1, M--;
+        ie = y.enforceHtmlBoundary ? V === "html" : !1, M--;
         const Ee = Y[M];
         if (Ee) {
           if (delete Y[M], y.disallowedTagsMode === "discard" || y.disallowedTagsMode === "completelyDiscard") {
@@ -49285,7 +49270,7 @@ and ensure you are accounting for this risk.
           }
           A = v, v = "";
         }
-        if (ne[M] && (G = ne[M], delete ne[M]), y.exclusiveFilter) {
+        if (ne[M] && (V = ne[M], delete ne[M]), y.exclusiveFilter) {
           const gt = y.exclusiveFilter(X);
           if (gt === "excludeTag") {
             Ee && (v = A, A = ""), v = v.substring(0, X.tagPosition) + v.substring(X.tagPosition + X.openingTagLength);
@@ -49296,29 +49281,29 @@ and ensure you are accounting for this risk.
           }
         }
         if (X.updateParentNodeMediaChildren(), X.updateParentNodeText(), // Already output />
-        y.selfClosing.indexOf(G) !== -1 || // Escaped tag, closing tag is implied
-        oe && !S(G) && ["escape", "recursiveEscape"].indexOf(y.disallowedTagsMode) >= 0) {
+        y.selfClosing.indexOf(V) !== -1 || // Escaped tag, closing tag is implied
+        oe && !S(V) && ["escape", "recursiveEscape"].indexOf(y.disallowedTagsMode) >= 0) {
           Ee && (v = A, A = "");
           return;
         }
-        v += "</" + G + ">", Ee && (v = A + Ce(v), A = ""), ve = !1;
+        v += "</" + V + ">", Ee && (v = A + Ce(v), A = ""), ve = !1;
       }
     }, y.parser);
     if (Pe.write(_), Pe.end(), y.disallowedTagsMode === "escape" || y.disallowedTagsMode === "recursiveEscape") {
-      const G = Pe.endIndex;
-      if (G != null && G >= 0 && G < _.length) {
-        const oe = _.substring(G);
+      const V = Pe.endIndex;
+      if (V != null && V >= 0 && V < _.length) {
+        const oe = _.substring(V);
         v += Ce(oe);
-      } else (G == null || G < 0) && _.length > 0 && v === "" && (v = Ce(_));
+      } else (V == null || V < 0) && _.length > 0 && v === "" && (v = Ce(_));
     }
     return v;
     function K() {
       v = "", M = 0, H = [], Y = {}, ne = {}, ie = !1, Ae = 0;
     }
-    function Ce(G, oe) {
-      return typeof G != "string" && (G = G + ""), y.parser.decodeEntities && (G = G.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;"), oe && (G = G.replace(/"/g, "&quot;"))), G = G.replace(/&(?![a-zA-Z0-9#]{1,20};)/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;"), oe && (G = G.replace(/"/g, "&quot;")), G;
+    function Ce(V, oe) {
+      return typeof V != "string" && (V = V + ""), y.parser.decodeEntities && (V = V.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;"), oe && (V = V.replace(/"/g, "&quot;"))), V = V.replace(/&(?![a-zA-Z0-9#]{1,20};)/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;"), oe && (V = V.replace(/"/g, "&quot;")), V;
     }
-    function _e(G, oe) {
+    function _e(V, oe) {
       for (oe = oe.replace(/[\x00-\x20]+/g, ""); ; ) {
         const gt = oe.indexOf("<!--");
         if (gt === -1)
@@ -49332,50 +49317,50 @@ and ensure you are accounting for this risk.
       if (!X)
         return oe.match(/^[/\\]{2}/) ? !y.allowProtocolRelative : !1;
       const Ee = X[1].toLowerCase();
-      return d(y.allowedSchemesByTag, G) ? y.allowedSchemesByTag[G].indexOf(Ee) === -1 : !y.allowedSchemes || y.allowedSchemes.indexOf(Ee) === -1;
+      return d(y.allowedSchemesByTag, V) ? y.allowedSchemesByTag[V].indexOf(Ee) === -1 : !y.allowedSchemes || y.allowedSchemes.indexOf(Ee) === -1;
     }
-    function fe(G) {
-      if (G = G.replace(/^(\w+:)?\s*[\\/]\s*[\\/]/, "$1//"), G.startsWith("relative:"))
+    function fe(V) {
+      if (V = V.replace(/^(\w+:)?\s*[\\/]\s*[\\/]/, "$1//"), V.startsWith("relative:"))
         throw new Error("relative: exploit attempt");
       let oe = "relative://relative-site";
       for (let gt = 0; gt < 100; gt++)
         oe += `/${gt}`;
-      const X = new URL(G, oe);
+      const X = new URL(V, oe);
       return {
         isRelativeUrl: X && X.hostname === "relative-site" && X.protocol === "relative:",
         url: X
       };
     }
-    function Be(G, oe) {
+    function Be(V, oe) {
       if (!oe)
-        return G;
-      const X = G.nodes[0];
+        return V;
+      const X = V.nodes[0];
       let Ee;
       return oe[X.selector] && oe["*"] ? Ee = i(
         oe[X.selector],
         oe["*"]
-      ) : Ee = oe[X.selector] || oe["*"], Ee && (G.nodes[0].nodes = X.nodes.reduce(Xe(Ee), [])), G;
+      ) : Ee = oe[X.selector] || oe["*"], Ee && (V.nodes[0].nodes = X.nodes.reduce(Xe(Ee), [])), V;
     }
-    function nt(G) {
-      return G.nodes[0].nodes.reduce(function(oe, X) {
+    function nt(V) {
+      return V.nodes[0].nodes.reduce(function(oe, X) {
         return oe.push(
           `${X.prop}:${X.value}${X.important ? " !important" : ""}`
         ), oe;
       }, []).join(";");
     }
-    function Xe(G) {
+    function Xe(V) {
       return function(oe, X) {
-        return d(G, X.prop) && G[X.prop].some(function(gt) {
+        return d(V, X.prop) && V[X.prop].some(function(gt) {
           return gt.test(X.value);
         }) && oe.push(X), oe;
       };
     }
-    function hn(G, oe, X) {
-      return oe ? (G = G.split(/\s+/), G.filter(function(Ee) {
+    function hn(V, oe, X) {
+      return oe ? (V = V.split(/\s+/), V.filter(function(Ee) {
         return oe.indexOf(Ee) !== -1 || X.some(function(gt) {
           return gt.test(Ee);
         });
-      }).join(" ")) : G;
+      }).join(" ")) : V;
     }
   }
   const m = {
@@ -51629,7 +51614,7 @@ const vz = {
         } catch {
         }
         let f = c.unexpectedError();
-        if (u instanceof V)
+        if (u instanceof G)
           try {
             const h = JSON.parse(u.message);
             h.message && (f = h.message);
@@ -62505,7 +62490,7 @@ function XT(e) {
   if (!e) return null;
   try {
     const n = JSON.parse(e).connect;
-    if (n && typeof n == "object" && typeof n.integration_type == "string" && typeof n.domain == "string" && typeof n.return_to == "string" && typeof n.caller_state == "string")
+    if (n && typeof n == "object" && (n.integration_type === void 0 || typeof n.integration_type == "string") && typeof n.domain == "string" && typeof n.return_to == "string" && typeof n.caller_state == "string")
       return n;
   } catch {
   }
@@ -62568,7 +62553,7 @@ async function Fr(e) {
       config: {
         content: `
           <div style="display:flex;flex-direction:column;gap:12px;padding:16px;border:1px solid #e5e7eb;border-radius:8px;background:#f9fafb">
-            <div style="font-size:14px;color:#6b7280">${Ie(f.integration_type)}</div>
+            ${f.integration_type ? `<div style="font-size:14px;color:#6b7280">${Ie(f.integration_type)}</div>` : ""}
             <div style="font-size:18px;font-weight:600;color:#111827">${Ie(f.domain)}${_}</div>
             <div style="font-size:14px;color:#374151">wants to connect to your ${Ie(n.friendly_name)} account as <span style="font-weight:500">${Ie(u.email || u.name || u.user_id)}</span>.</div>
             ${w}
@@ -62650,10 +62635,9 @@ async function xK(e, t) {
   }
   const p = {
     domain: d.domain,
-    integration_type: d.integration_type,
     grant_types: ["client_credentials"]
   };
-  d.scope && (p.scope = d.scope);
+  d.integration_type && (p.integration_type = d.integration_type), d.scope && (p.scope = d.scope);
   const f = await YE(
     Ua(n.env.data),
     u,
@@ -62730,7 +62714,7 @@ function t6(e) {
   if (!e) return null;
   try {
     const n = JSON.parse(e).connect;
-    if (n && typeof n == "object" && typeof n.integration_type == "string" && typeof n.domain == "string" && typeof n.return_to == "string" && typeof n.caller_state == "string")
+    if (n && typeof n == "object" && (n.integration_type === void 0 || typeof n.integration_type == "string") && typeof n.domain == "string" && typeof n.return_to == "string" && typeof n.caller_state == "string")
       return n;
   } catch {
   }