miqro 7.1.0 → 7.2.1

package/build/lib.cjs

@@ -230,8 +230,8 @@ function parseBoolean(value) {
   return value === "true" || value === true ? true : value === "false" || value === false ? false : void 0;
 }
 function parseDict(value, args, parser4) {
-  const isObject = typeof value === "object";
-  if (!isObject || !value) {
+  const isObject2 = typeof value === "object";
+  if (!isObject2 || !value) {
     return;
   }
   if (args.dictType !== void 0) {
@@ -253,7 +253,7 @@ function parseEmail(value, args) {
   if (!emailRegex.test(String(str).toLowerCase())) {
     return;
   }
-  return value;
+  return str;
 }
 function parseEnum(value, args, parser4) {
   const enumValues = parseArray(args.enumValues, {
@@ -281,8 +281,8 @@ function decodeHTML(str) {
 }
 function encodeHTML(str) {
   const buf = [];
-  for (let i = str.length - 1; i >= 0; i--) {
-    buf.unshift(["&#", str[i].charCodeAt(0), ";"].join(""));
+  for (let i = 0; i < str.length; i++) {
+    buf.push("&#" + str[i].charCodeAt(0) + ";");
   }
   return buf.join("");
 }
@@ -312,7 +312,7 @@ function parseInteger(value, args, parser4) {
 }
 function parseNumber(value, args) {
   const sValue = String(value);
-  if (!(value === null || value === void 0 ? false : !isNaN(parseInt(sValue, 10)))) {
+  if (!(value === null || value === void 0 ? false : !isNaN(Number(sValue)) && !isNaN(parseInt(sValue, 10)))) {
     return;
   }
   const parsedValue = parseFloat(sValue);
@@ -335,8 +335,8 @@ function parseNumber(value, args) {
   return parsedValue;
 }
 function parseObject(value, args, parser4) {
-  const isObject = typeof value === "object" ? value : void 0;
-  if (!isObject || !value) {
+  const isObject2 = typeof value === "object" ? value : void 0;
+  if (!isObject2 || !value) {
     return;
   }
   if (args.properties !== void 0) {
@@ -372,7 +372,7 @@ function parseObject(value, args, parser4) {
         throw new Error(`unsupported mode [${mode}]`);
     }
   } else {
-    return isObject;
+    return isObject2;
   }
 }
 function parseRegex(value, args) {
@@ -443,7 +443,7 @@ function parseURL(value, args) {
   if (args.stringMaxLength !== void 0 && parsedValue.length > args.stringMaxLength) {
     return;
   }
-  const str = parseString(value, args);
+  const str = parseString(parsedValue, args);
   if (str === void 0) {
     return void 0;
   } else {
@@ -605,7 +605,7 @@ var init_lib = __esm({
           throw new Error("parser must be a function or Schema or a string");
         }
         if (typeof noList !== "boolean") {
-          throw new Error("noList must be a function");
+          throw new Error("noList must be a boolean");
         }
         for (const reserved of RESERVED) {
           if (type.indexOf(reserved) !== -1) {
@@ -714,7 +714,7 @@ function ReadBuffer(options) {
           req.removeListener("error", errorListener);
           req.removeListener("data", chunkListener);
           req.removeListener("end", endListener);
-          res.asyncClose();
+          reject(new BadRequestError(`Read Timeout`));
           return;
         }, timeout);
         let cLength = 0;
@@ -860,12 +860,12 @@ function JSONParser(options) {
 }
 function TextParser(options) {
   let limit = DEFAULT_READ_BUFFER_LIMIT;
-  let type = "plain/text";
+  let type = "text/plain";
   if (options) {
     limit = options.limit !== void 0 ? options.limit : limit;
     type = options.type !== void 0 ? options.type : type;
   } else {
-    const [limitS, typeS] = checkEnvVariables(["BODY_TEXT_PARSER_LIMIT", "BODY_TEXT_PARSER_TYPE"], [String(DEFAULT_READ_BUFFER_LIMIT), "plain/text"]);
+    const [limitS, typeS] = checkEnvVariables(["BODY_TEXT_PARSER_LIMIT", "BODY_TEXT_PARSER_TYPE"], [String(DEFAULT_READ_BUFFER_LIMIT), "text/plain"]);
     limit = parseInt(limitS, 10);
     type = typeS;
   }
@@ -992,7 +992,7 @@ function ResultParser(options, parser4) {
         const mappedLastResult = {
           ...lastResult
         };
-        const parsedStatus = (parser4 ? parser4 : DEFAULT_PARSER).parse(lastResult.status, "number?", `ctx.results.status}`);
+        const parsedStatus = (parser4 ? parser4 : DEFAULT_PARSER).parse(lastResult.status, "number?", `ctx.results.status`);
         if (statusParserSet) {
           if (parsedStatus === void 0) {
             throw new Error(`error parsing lastResult.status[${lastResult.status}] not defined as [${statusParserSet}]`);
@@ -1201,8 +1201,6 @@ function SessionHandler(config) {
     throw new Error("authService must be provided!");
   }
   if (!config.options || !config.options.setCookieOptions) {
-    console.dir(config);
-    process.exit(1);
     throw new Error("config.options not populated!");
   }
   const tokenLocation = config.options.tokenLocation;
@@ -1734,7 +1732,7 @@ var init_types = __esm({
         return this.asyncEnd({
           status: status !== void 0 ? status : 200,
           headers: {
-            ["Content-Type"]: "plain/text; charset=utf-8",
+            ["Content-Type"]: "text/plain; charset=utf-8",
             ...headers
           },
           body: text
@@ -1750,9 +1748,9 @@ var init_types = __esm({
         const newValue = current ? `${current}, ${nV}` : nV;
         return this.setHeader("Vary", newValue.indexOf("*") !== -1 ? "*" : newValue);
       }
-      async asyncClose() {
+      async asyncClose(status = 400) {
         return this.asyncEnd({
-          status: 400,
+          status,
           headers: {
             connection: "close"
           }
@@ -2009,7 +2007,7 @@ function defaultAppErrorHandler() {
     }
   };
 }
-var import_node_util, import_node_fs, import_node_path, Logger, FILE_TRANSPORT_ENV_VARIABLE, FileTransportCacheMap, FILE_TRANSPORT_TIMEOUT, FILE_TRANSPORT_THREASHOLD, FileTransport, DEFAULT_LOGGER_TRANSPORTS, DEFAULT_LOGGER_FORMATTER, LOG_LEVEL_MAP, LoggerEvents, loggerContainer, DEFAULT_ENV_NAME, customLoggerFactory, BadRequestError, ForbiddenError, UnAuthorizedError, HTML_HEADERS, STATUS, checkEnvVariables, checkEnvVariable, getEnvVariable;
+var import_node_util, import_node_fs, import_node_path, Logger, FILE_TRANSPORT_ENV_VARIABLE, FileTransportCacheMap, FILE_TRANSPORT_TIMEOUT, FILE_TRANSPORT_THRESHOLD, FileTransport, DEFAULT_LOGGER_TRANSPORTS, DEFAULT_LOGGER_FORMATTER, LOG_LEVEL_MAP, LoggerEvents, loggerContainer, DEFAULT_ENV_NAME, customLoggerFactory, BadRequestError, ForbiddenError, UnAuthorizedError, HTML_HEADERS, STATUS, checkEnvVariables, checkEnvVariable, getEnvVariable;
 var init_common = __esm({
   "node_modules/@miqro/core/build/common.js"() {
     import_node_util = require("node:util");
@@ -2033,7 +2031,7 @@ var init_common = __esm({
         };
       }
       setLevel(level) {
-        if (!LOG_LEVEL_MAP[level]) {
+        if (LOG_LEVEL_MAP[level] === void 0) {
           throw new Error(`Unknown level [${level}]`);
         }
         this.level = level;
@@ -2110,7 +2108,7 @@ var init_common = __esm({
     FILE_TRANSPORT_ENV_VARIABLE = "LOG_FILE";
     FileTransportCacheMap = {};
     FILE_TRANSPORT_TIMEOUT = 150;
-    FILE_TRANSPORT_THREASHOLD = 2 * 1024 * 1024;
+    FILE_TRANSPORT_THRESHOLD = 2 * 1024 * 1024;
     FileTransport = (filePath = process.env[FILE_TRANSPORT_ENV_VARIABLE] ? process.env[FILE_TRANSPORT_ENV_VARIABLE] : null, level) => {
       if (filePath && !FileTransportCacheMap[filePath]) {
         FileTransportCacheMap[filePath] = {
@@ -2134,7 +2132,7 @@ var init_common = __esm({
                     FileTransportCacheMap[filePath].fileHandler = null;
                   });
                 }
-                FileTransportCacheMap[filePath].lastWrite = now;
+                FileTransportCacheMap[filePath].lastWrite = Date.now();
                 const oldBuffer = FileTransportCacheMap[filePath].flushBuffer;
                 FileTransportCacheMap[filePath].flushBuffer = "";
                 fileHandler.write(oldBuffer, (err) => {
@@ -2152,7 +2150,7 @@ var init_common = __esm({
                   FileTransportCacheMap[filePath].currentTimeout = null;
                   if (filePath) {
                     const now2 = Date.now();
-                    if (FileTransportCacheMap[filePath].flushBuffer && (now2 - FileTransportCacheMap[filePath].lastWrite > FILE_TRANSPORT_TIMEOUT || FileTransportCacheMap[filePath].flushBuffer.length > FILE_TRANSPORT_THREASHOLD)) {
+                    if (FileTransportCacheMap[filePath].flushBuffer && (now2 - FileTransportCacheMap[filePath].lastWrite > FILE_TRANSPORT_TIMEOUT || FileTransportCacheMap[filePath].flushBuffer.length > FILE_TRANSPORT_THRESHOLD)) {
                       flush(false);
                     }
                   }
@@ -2162,10 +2160,9 @@ var init_common = __esm({
               };
             };
             const now = Date.now();
-            FileTransportCacheMap[filePath].lastWrite = Date.now();
             FileTransportCacheMap[filePath].flushBuffer += `${out}
 `;
-            if (now - FileTransportCacheMap[filePath].lastWrite > FILE_TRANSPORT_TIMEOUT || FileTransportCacheMap[filePath].flushBuffer.length > FILE_TRANSPORT_THREASHOLD) {
+            if (now - FileTransportCacheMap[filePath].lastWrite > FILE_TRANSPORT_TIMEOUT || FileTransportCacheMap[filePath].flushBuffer.length > FILE_TRANSPORT_THRESHOLD) {
               clearTimeout(FileTransportCacheMap[filePath].currentTimeout);
               FileTransportCacheMap[filePath].currentTimeout = null;
               return flush(true);
@@ -2255,6 +2252,7 @@ var init_router = __esm({
     init_session();
     init_body_parser();
     init_lib2();
+    init_built_in_parsers();
     Router2 = class {
       constructor(config) {
         this.config = config;
@@ -2689,26 +2687,30 @@ function parseFrame(buffer) {
   const opCode = firstByte & 15;
   if (opCode === OPCODES.close) {
     return null;
+  } else if (opCode === OPCODES.ping) {
+    return PING;
   } else if (opCode !== OPCODES.text) {
-    return;
+    return null;
   }
   const secondByte = buffer.readUInt8(1);
   let offset = 2;
   let payloadLength = secondByte & 127;
   if (payloadLength === 126) {
+    payloadLength = buffer.readUInt16BE(offset);
     offset += 2;
   } else if (payloadLength === 127) {
+    payloadLength = Number(buffer.readBigUInt64BE(offset));
     offset += 8;
   }
   const isMasked = Boolean(secondByte >>> 7 & 1);
   if (isMasked) {
     const maskingKey = buffer.readUInt32BE(offset);
     offset += 4;
-    const payload = buffer.subarray(offset);
+    const payload = buffer.subarray(offset, offset + payloadLength);
     const result = unmask(payload, maskingKey);
     return result.toString("utf-8");
   }
-  return buffer.subarray(offset).toString("utf-8");
+  return buffer.subarray(offset, offset + payloadLength).toString("utf-8");
 }
 function unmask(payload, maskingKey) {
   const result = Buffer.alloc(payload.byteLength);
@@ -2737,13 +2739,13 @@ function createFrame(payload) {
   buffer[1] = payloadLength;
   if (payloadLength === 126) {
     buffer.writeUInt16BE(payloadByteLength, 2);
-  } else if (payloadByteLength === 127) {
+  } else if (payloadLength === 127) {
     buffer.writeBigUInt64BE(BigInt(payloadByteLength), 2);
   }
   buffer.write(payload, payloadBytesOffset);
   return buffer;
 }
-var import_crypto3, WebSocketServer, OPCODES, GUID;
+var import_crypto3, WebSocketServer, PING, OPCODES, GUID;
 var init_websocket = __esm({
   "node_modules/@miqro/core/build/websocket.js"() {
     import_crypto3 = require("crypto");
@@ -2767,14 +2769,7 @@ var init_websocket = __esm({
         const clients = this.clients.values();
         for (const client of clients) {
           if (fromUUID === void 0 || client.uuid !== fromUUID) {
-            tR.push(new Promise(async (resolve24, reject) => {
-              try {
-                await this.writeTo(client.uuid, data);
-                resolve24();
-              } catch (e) {
-                reject(e);
-              }
-            }));
+            tR.push(this.writeTo(client.uuid, data));
           }
         }
         await Promise.allSettled(tR);
@@ -2850,7 +2845,13 @@ var init_websocket = __esm({
             socket.write(createUpgradeHeaders(acceptKey, extraHeaders));
             socket.on("data", (data) => {
               const frame = parseFrame(data);
-              if (frame !== null) {
+              if (frame === PING) {
+                try {
+                  socket.write(Buffer.from([138, 0]));
+                } catch (e) {
+                  req.logger.error(e);
+                }
+              } else if (frame !== null) {
                 if (!this.options.onMessage) {
                   socket.end();
                   socket.destroy();
@@ -2861,6 +2862,14 @@ var init_websocket = __esm({
                     req.logger.error(e);
                   }
                 }
+              } else {
+                try {
+                  socket.write(Buffer.from([136, 0]));
+                } catch (e) {
+                  req.logger.error(e);
+                }
+                socket.end();
+                socket.destroy();
               }
             });
             socket.on("error", (error2) => {
@@ -2899,7 +2908,8 @@ var init_websocket = __esm({
         }
       }
     };
-    OPCODES = { text: 1, close: 8 };
+    PING = /* @__PURE__ */ Symbol();
+    OPCODES = { text: 1, close: 8, ping: 9, pong: 10 };
     GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";
   }
 });
@@ -3544,7 +3554,7 @@ var require_showdown = __commonJS({
       };
       showdown2.helper.encodeEmailAddress = function(mail) {
         "use strict";
-        var encode2 = [
+        var encode3 = [
           function(ch) {
             return "&#" + ch.charCodeAt(0) + ";";
           },
@@ -3557,10 +3567,10 @@ var require_showdown = __commonJS({
         ];
         mail = mail.replace(/./g, function(ch) {
           if (ch === "@") {
-            ch = encode2[Math.floor(Math.random() * 2)](ch);
+            ch = encode3[Math.floor(Math.random() * 2)](ch);
           } else {
             var r = Math.random();
-            ch = r > 0.9 ? encode2[2](ch) : r > 0.45 ? encode2[1](ch) : encode2[0](ch);
+            ch = r > 0.9 ? encode3[2](ch) : r > 0.45 ? encode3[1](ch) : encode3[0](ch);
           }
           return ch;
         });
@@ -6772,7 +6782,7 @@ function readFile2(path) {
   }
 }
 function getPath(path) {
-  const realPath = (0, import_node_path21.resolve)(BASE_PATH, path);
+  const realPath = (0, import_node_fs19.realpathSync)((0, import_node_path21.resolve)(BASE_PATH, path));
   if ((0, import_node_path21.relative)(BASE_PATH, realPath).startsWith("..")) {
     throw new Error("invalid path! [" + path + "]");
   }
@@ -7585,7 +7595,7 @@ function getDefaultOptions() {
 }
 
 // node_modules/@miqro/jsx/build/esm/jsx.js
-var Fragment = Symbol("Fragment");
+var Fragment = /* @__PURE__ */ Symbol("Fragment");
 function createElement(tag2, attributes, ...children) {
   if (!tag2) {
     throw new Error(`cannot call createElement with [${String(tag2)}] `);
@@ -8564,7 +8574,7 @@ function useElement() {
 
 // node_modules/@miqro/jsx/build/esm/hooks/context.js
 function createContext(defaultValue) {
-  const symbol = Symbol();
+  const symbol = /* @__PURE__ */ Symbol();
   return {
     provider: createContextProvider(symbol, defaultValue),
     symbol
@@ -9171,7 +9181,7 @@ var ASSETS_ROUTER = {
 };
 function getAsset(key) {
   if ((0, import_node_sea.isSea)()) {
-    return (0, import_node_sea.getAsset)(key);
+    return Buffer.from((0, import_node_sea.getAsset)(key));
   } else {
     if (!ASSETS_ROUTER[key]) {
       if (key === "esbuild-binary") {
@@ -9362,7 +9372,7 @@ async function esBuild2(options, logger) {
   return new Promise(async (resolve24, reject) => {
     try {
       const valid = await validateESBuild(logger);
-      const esBuildCMD = `${getESBuildBinaryPath()} "${options.entryPoints[0]}" ${(options.external ? options.external : NODEJS_EXTERNAL).map((e) => `--external:${e}`).join(" ")} --loader:.js=jsx --jsx-factory=${options.jsxFactory} --jsx-fragment=${options.jsxFragment} ${options.bundle ? " --bundle" : ""}${options.minify ? " --minify" : ""}${options.outfile ? ` --outfile="${options.outfile}"` : ""}${options.platform ? ` --platform=${options.platform}` : ""}${options.mainFields ? ` --main-fields=${options.mainFields}` : ""}${options.keepNames ? ` --keep-names` : ""}`;
+      const esBuildCMD = `${getESBuildBinaryPath()} "${options.entryPoints[0]}" ${(options.external ? options.external : NODEJS_EXTERNAL).map((e) => `--external:"${e}"`).join(" ")} --loader:.js=jsx --jsx-factory=${options.jsxFactory} --jsx-fragment=${options.jsxFragment} ${options.bundle ? " --bundle" : ""}${options.minify ? " --minify" : ""}${options.outfile ? ` --outfile="${options.outfile}"` : ""}${options.platform ? ` --platform=${options.platform}` : ""}${options.mainFields ? ` --main-fields=${options.mainFields}` : ""}${options.keepNames ? ` --keep-names` : ""}`;
       logger?.trace(esBuildCMD);
       if (!valid) {
         const err = new Error(`esbuild installation at [${getESBuildBinaryPath()}] tampered`);
@@ -9403,6 +9413,7 @@ var EXIT_CODES = {
 var CLEAR_JSX_CACHE = (process.env["CLEAR_JSX_CACHE"] !== void 0 ? process.env["CLEAR_JSX_CACHE"] : "1") === "1";
 var EDITOR_CONFIG_KEY = "$$editor$$";
 var HOT_RELOAD_PATH = "/hot-reload";
+var HOT_RELOAD_SCRIPT_PATH = "/hot-reload.js";
 
 // src/common/jsx.ts
 init_types();
@@ -9611,9 +9622,9 @@ var DocConfigSchema = {
     }
   }
 };
-async function importAPIRoute(inFile, logger) {
+async function importAPIRoute(inFile, options, logger) {
   const isCJS = (0, import_node_path6.extname)(inFile) === ".cjs";
-  const mod = isCJS ? (await importJSXFile(inFile, logger)).default.default : (await importJSXFile(inFile, logger)).default;
+  const mod = isCJS ? (await importJSXFile(inFile, options, logger)).default.default : (await importJSXFile(inFile, options, logger)).default;
   const module2 = typeof mod === "function" ? { handler: mod } : parser.parse(mod, APIRouteSchema, (0, import_node_path6.basename)(inFile));
   if (module2 !== void 0) {
     return module2;
@@ -9621,9 +9632,9 @@ async function importAPIRoute(inFile, logger) {
     throw new Error(`error with module [${inFile}] undefined`);
   }
 }
-async function importMigrationModule(inFile, logger) {
+async function importMigrationModule(inFile, options, logger) {
   const isCJS = (0, import_node_path6.extname)(inFile) === ".cjs";
-  const mod = isCJS ? (await importJSXFile(inFile, logger)).default.default : (await importJSXFile(inFile, logger)).default;
+  const mod = isCJS ? (await importJSXFile(inFile, options, logger)).default.default : (await importJSXFile(inFile, options, logger)).default;
   const module2 = parser.parse(mod, MigrationSchema, (0, import_node_path6.basename)(inFile));
   if (module2 !== void 0) {
     return module2;
@@ -9631,8 +9642,8 @@ async function importMigrationModule(inFile, logger) {
     throw new Error(`error with module [${inFile}] undefined`);
   }
 }
-async function importHTMLModule(inFile, logger) {
-  const module2 = await importJSXFile(inFile, logger);
+async function importHTMLModule(inFile, options, logger) {
+  const module2 = await importJSXFile(inFile, options, logger);
   parser.parse(module2.default, HTMLModuleSchema.properties.default, `${(0, import_node_path6.basename)(inFile)}.default`);
   parser.parse(module2.apiOptions, APIOptionsSchema, `${(0, import_node_path6.basename)(inFile)}.apiOptions`);
   if (module2 !== void 0) {
@@ -9641,8 +9652,8 @@ async function importHTMLModule(inFile, logger) {
     throw new Error(`error with module [${inFile}] undefined`);
   }
 }
-async function importJSONModule(inFile, logger) {
-  const module2 = await importJSXFile(inFile, logger);
+async function importJSONModule(inFile, options, logger) {
+  const module2 = await importJSXFile(inFile, options, logger);
   parser.parse(module2.default, JSONModuleSchema.properties.default, `${(0, import_node_path6.basename)(inFile)}.default`);
   parser.parse(module2.apiOptions, APIOptionsSchema, `${(0, import_node_path6.basename)(inFile)}.apiOptions`);
   if (module2 !== void 0) {
@@ -9651,9 +9662,9 @@ async function importJSONModule(inFile, logger) {
     throw new Error(`error with module [${inFile}] undefined`);
   }
 }
-async function importAuthModule(inFile, logger) {
+async function importAuthModule(inFile, options, logger) {
   const isCJS = (0, import_node_path6.extname)(inFile) === ".cjs";
-  const mod = isCJS ? (await importJSXFile(inFile, logger)).default.default : (await importJSXFile(inFile, logger)).default;
+  const mod = isCJS ? (await importJSXFile(inFile, options, logger)).default.default : (await importJSXFile(inFile, options, logger)).default;
   const module2 = parser.parse(mod, AuthConfigSchema, (0, import_node_path6.basename)(inFile));
   if (module2 !== void 0) {
     return module2;
@@ -9661,9 +9672,9 @@ async function importAuthModule(inFile, logger) {
     throw new Error(`error with module [${inFile}] undefined`);
   }
 }
-async function importMiddlewareConfigModule(inFile, logger) {
+async function importMiddlewareConfigModule(inFile, options, logger) {
   const isCJS = (0, import_node_path6.extname)(inFile) === ".cjs";
-  const mod = isCJS ? (await importJSXFile(inFile, logger)).default.default : (await importJSXFile(inFile, logger)).default;
+  const mod = isCJS ? (await importJSXFile(inFile, options, logger)).default.default : (await importJSXFile(inFile, options, logger)).default;
   const module2 = parser.parse(mod, MiddlewareConfigSchema, (0, import_node_path6.basename)(inFile));
   if (module2 !== void 0) {
     return module2;
@@ -9671,9 +9682,9 @@ async function importMiddlewareConfigModule(inFile, logger) {
     throw new Error(`error with module [${inFile}] undefined`);
   }
 }
-async function importErrorConfigModule(inFile, logger) {
+async function importErrorConfigModule(inFile, options, logger) {
   const isCJS = (0, import_node_path6.extname)(inFile) === ".cjs";
-  const mod = isCJS ? (await importJSXFile(inFile, logger)).default.default : (await importJSXFile(inFile, logger)).default;
+  const mod = isCJS ? (await importJSXFile(inFile, options, logger)).default.default : (await importJSXFile(inFile, options, logger)).default;
   const module2 = parser.parse(mod, ErrorConfigSchema, (0, import_node_path6.basename)(inFile));
   if (module2 !== void 0) {
     return module2;
@@ -9681,9 +9692,9 @@ async function importErrorConfigModule(inFile, logger) {
     throw new Error(`error with module [${inFile}] undefined`);
   }
 }
-async function importDocConfigModule(inFile, logger) {
+async function importDocConfigModule(inFile, options, logger) {
   const isCJS = (0, import_node_path6.extname)(inFile) === ".cjs";
-  const mod = isCJS ? (await importJSXFile(inFile, logger)).default.default : (await importJSXFile(inFile, logger)).default;
+  const mod = isCJS ? (await importJSXFile(inFile, options, logger)).default.default : (await importJSXFile(inFile, options, logger)).default;
   const module2 = parser.parse(mod, DocConfigSchema, (0, import_node_path6.basename)(inFile));
   if (module2 !== void 0) {
     return module2;
@@ -9691,9 +9702,9 @@ async function importDocConfigModule(inFile, logger) {
     throw new Error(`error with module [${inFile}] undefined`);
   }
 }
-async function importCORSModule(inFile, logger) {
+async function importCORSModule(inFile, options, logger) {
   const isCJS = (0, import_node_path6.extname)(inFile) === ".cjs";
-  const mod = isCJS ? (await importJSXFile(inFile, logger)).default.default : (await importJSXFile(inFile, logger)).default;
+  const mod = isCJS ? (await importJSXFile(inFile, options, logger)).default.default : (await importJSXFile(inFile, options, logger)).default;
   const module2 = parser.parse(mod, CORSOptionsSchema, (0, import_node_path6.basename)(inFile));
   if (module2 !== void 0) {
     return module2;
@@ -9701,9 +9712,9 @@ async function importCORSModule(inFile, logger) {
     throw new Error(`error with module [${inFile}] undefined`);
   }
 }
-async function importWSConfigModule(inFile, logger) {
+async function importWSConfigModule(inFile, options, logger) {
   const isCJS = (0, import_node_path6.extname)(inFile) === ".cjs";
-  const mod = isCJS ? (await importJSXFile(inFile, logger)).default.default : (await importJSXFile(inFile, logger)).default;
+  const mod = isCJS ? (await importJSXFile(inFile, options, logger)).default.default : (await importJSXFile(inFile, options, logger)).default;
   const module2 = parser.parse(mod, WSConfigSchema, (0, import_node_path6.basename)(inFile));
   if (module2 !== void 0) {
     return module2;
@@ -9711,9 +9722,9 @@ async function importWSConfigModule(inFile, logger) {
     throw new Error(`error with module [${inFile}] undefined`);
   }
 }
-async function importDBConfigModule(inFile, logger) {
+async function importDBConfigModule(inFile, options, logger) {
   const isCJS = (0, import_node_path6.extname)(inFile) === ".cjs";
-  const mod = isCJS ? (await importJSXFile(inFile, logger)).default.default : (await importJSXFile(inFile, logger)).default;
+  const mod = isCJS ? (await importJSXFile(inFile, options, logger)).default.default : (await importJSXFile(inFile, options, logger)).default;
   const module2 = parser.parse(mod, DBConfigSchema, (0, import_node_path6.basename)(inFile));
   if (module2 !== void 0) {
     return module2;
@@ -9721,17 +9732,17 @@ async function importDBConfigModule(inFile, logger) {
     throw new Error(`error with module [${inFile}] undefined`);
   }
 }
-async function importLogConfigModule(inFile, logger) {
-  const module2 = parser.parse((await importJSXFile(inFile, logger)).default, LogConfigSchema, (0, import_node_path6.basename)(inFile));
+async function importLogConfigModule(inFile, options, logger) {
+  const module2 = parser.parse((await importJSXFile(inFile, options, logger)).default, LogConfigSchema, (0, import_node_path6.basename)(inFile));
   if (module2 !== void 0) {
     return module2;
   } else {
     throw new Error(`error with module [${inFile}] undefined`);
   }
 }
-async function importServerConfigModule(inFile, logger) {
+async function importServerConfigModule(inFile, options, logger) {
   const isCJS = (0, import_node_path6.extname)(inFile) === ".cjs";
-  const mod = isCJS ? (await importJSXFile(inFile, logger)).default.default : (await importJSXFile(inFile, logger)).default;
+  const mod = isCJS ? (await importJSXFile(inFile, options, logger)).default.default : (await importJSXFile(inFile, options, logger)).default;
   const module2 = parser.parse(mod, ServerConfigSchema, (0, import_node_path6.basename)(inFile));
   if (module2 !== void 0) {
     return module2;
@@ -9739,7 +9750,11 @@ async function importServerConfigModule(inFile, logger) {
     throw new Error(`error with module [${inFile}] undefined`);
   }
 }
-async function importJSXFile(inFile, logger) {
+async function importJSXFile(inFile, options, logger) {
+  if (options.noBuild) {
+    const module2 = await import((0, import_node_path6.resolve)(inFile));
+    return module2;
+  }
   const inflatedCode = await inflateJSX(inFile, {
     // embemedJSX: false,
     minify: false,
@@ -10022,7 +10037,7 @@ function getWhereStatement(where) {
       case "gte": {
         const { _column, _value } = getWhereFilterColumnName(filter);
         ret = mergePrepareArgs(ret, {
-          sql: `${renderColumn(_value)}>=?`,
+          sql: `${renderColumn(_column)}>=?`,
           values: [_value]
         });
         break;
@@ -11514,9 +11529,26 @@ var ClusterCache = class {
     this.listener = async (data) => {
       try {
         const msg = data;
-        if (msg && msg.key && msg.action && msg.type === ClusterCacheType && msg.fromPID !== process.pid, (msg.action === "set_add" || msg.action === "set" || msg.action === "unset" || msg.action === "set_delete" || msg.action === "array_push") && msg.target === this.name) {
+        if (msg && msg.key && msg.action && msg.type === ClusterCacheType && msg.fromPID !== process.pid && (msg.action === "set_clear" || msg.action === "array_clear" || msg.action === "set_add" || msg.action === "set" || msg.action === "unset" || msg.action === "set_delete" || msg.action === "array_push") && msg.target === this.name) {
           this.logger?.debug("remote cluster cache message from [%s] [%s] [%s] [%s]", msg.fromPID, msg.target, msg.action, msg.key);
           switch (msg.action) {
+            case "set_clear": {
+              const list = this.localCache.has(msg.key) ? this.localCache.get(msg.key) : /* @__PURE__ */ new Set();
+              if (!(list instanceof Set)) {
+                throw new Error("cannot apply clear on non set");
+              }
+              list.clear();
+              this.localCache.set(msg.key, list);
+              break;
+            }
+            case "array_clear": {
+              const list = this.localCache.has(msg.key) ? this.localCache.get(msg.key) : [];
+              if (!(list instanceof Array)) {
+                throw new Error("cannot apply clear on non array");
+              }
+              this.localCache.set(msg.key, []);
+              break;
+            }
             case "unset":
               this.localCache.delete(msg.key);
               break;
@@ -11526,7 +11558,7 @@ var ClusterCache = class {
             case "set_add": {
               const list = this.localCache.has(msg.key) ? this.localCache.get(msg.key) : /* @__PURE__ */ new Set();
               if (!(list instanceof Set)) {
-                throw new Error("cannot apply push on non array");
+                throw new Error("cannot apply add on non set");
               }
               if (!list.has(msg.value)) {
                 list.add(msg.value);
@@ -11537,7 +11569,7 @@ var ClusterCache = class {
             case "set_delete": {
               const list = this.localCache.has(msg.key) ? this.localCache.get(msg.key) : /* @__PURE__ */ new Set();
               if (!(list instanceof Set)) {
-                throw new Error("cannot apply push on non array");
+                throw new Error("cannot apply delete on non set");
               }
               if (list.has(msg.value)) {
                 list.delete(msg.value);
@@ -11581,33 +11613,25 @@ var ClusterCache = class {
   set(key, value) {
     this.localCache.set(key, value);
     this.logger?.trace("set(%s, ...)", key);
-    if (process.send) {
-      setTimeout(() => {
-        process.send({
-          type: ClusterCacheType,
-          action: "set",
-          target: this.name,
-          fromPID: process.pid,
-          key,
-          value
-        });
-      }, 10);
-    }
+    sendTimeout({
+      type: ClusterCacheType,
+      action: "set",
+      target: this.name,
+      fromPID: process.pid,
+      key,
+      value
+    });
   }
   unset(key) {
     this.logger?.trace("unset(%s)", key);
     this.localCache.delete(key);
-    if (process.send) {
-      setTimeout(() => {
-        process.send({
-          type: ClusterCacheType,
-          target: this.name,
-          action: "unset",
-          fromPID: process.pid,
-          key
-        });
-      }, 10);
-    }
+    sendTimeout({
+      type: ClusterCacheType,
+      target: this.name,
+      action: "unset",
+      fromPID: process.pid,
+      key
+    });
   }
   has(key) {
     this.logger?.trace("has(%s)", key);
@@ -11623,18 +11647,14 @@ var ClusterCache = class {
       list.add(value);
     }
     this.localCache.set(key, list);
-    if (process.send) {
-      setTimeout(() => {
-        process.send({
-          type: ClusterCacheType,
-          target: this.name,
-          action: "set_add",
-          fromPID: process.pid,
-          key,
-          value
-        });
-      }, 10);
-    }
+    sendTimeout({
+      type: ClusterCacheType,
+      target: this.name,
+      action: "set_add",
+      fromPID: process.pid,
+      key,
+      value
+    });
   }
   set_delete(key, value) {
     this.logger?.trace("delete(%s)", key);
@@ -11646,18 +11666,14 @@ var ClusterCache = class {
       list.delete(value);
     }
     this.localCache.set(key, list);
-    if (process.send) {
-      setTimeout(() => {
-        process.send({
-          type: ClusterCacheType,
-          target: this.name,
-          action: "set_delete",
-          fromPID: process.pid,
-          key,
-          value
-        });
-      }, 10);
-    }
+    sendTimeout({
+      type: ClusterCacheType,
+      target: this.name,
+      action: "set_delete",
+      fromPID: process.pid,
+      key,
+      value
+    });
   }
   set_has(key, value) {
     this.logger?.trace("set_has(%s)", key);
@@ -11677,6 +11693,13 @@ var ClusterCache = class {
     }
     list.clear();
     this.localCache.set(key, list);
+    sendTimeout({
+      type: ClusterCacheType,
+      target: this.name,
+      action: "set_clear",
+      fromPID: process.pid,
+      key
+    });
   }
   array_push(key, value) {
     this.logger?.trace("array_push(%s)", key);
@@ -11686,18 +11709,14 @@ var ClusterCache = class {
     }
     list.push(value);
     this.localCache.set(key, list);
-    if (process.send) {
-      setTimeout(() => {
-        process.send({
-          type: ClusterCacheType,
-          target: this.name,
-          action: "array_push",
-          fromPID: process.pid,
-          key,
-          value
-        });
-      }, 10);
-    }
+    sendTimeout({
+      type: ClusterCacheType,
+      target: this.name,
+      action: "array_push",
+      fromPID: process.pid,
+      key,
+      value
+    });
   }
   array_clear(key) {
     this.logger?.trace("array_clear(%s)", key);
@@ -11705,8 +11724,28 @@ var ClusterCache = class {
       throw new Error("cannot apply on non Array");
     }
     this.localCache.set(key, []);
+    sendTimeout({
+      type: ClusterCacheType,
+      target: this.name,
+      action: "array_clear",
+      fromPID: process.pid,
+      key
+    });
   }
 };
+function sendTimeout(msg) {
+  if (process.send) {
+    setTimeout(() => {
+      try {
+        if (process.send) {
+          process.send(msg);
+        }
+      } catch (e) {
+        console.error(e);
+      }
+    }, 10);
+  }
+}
 
 // src/services/utils/cache.ts
 var LocalCache = class {
@@ -11810,7 +11849,8 @@ var WebSocketManager = class {
   deleteWS(path) {
     const ws = this.runningGlobalWSMap.get(path);
     this.disconnectAllFrom(path);
-    ws.dispose();
+    if (ws)
+      ws.dispose();
     this.runningGlobalWSMap.delete(path);
   }
   deleteAllWS() {
@@ -12156,8 +12196,7 @@ var CONTENT_TYPE_MAP = {
 };
 
 // src/services/hot-reload.ts
-function getHotReloadScript() {
-  const HOT_RELOAD_JS_SCRIPT = `
+var HOT_RELOAD_JS_SCRIPT = `
 // Create WebSocket connection.
 
 function getSocket() {
@@ -12167,13 +12206,14 @@ function getSocket() {
 const socket = getSocket();
 
 let timeout;
+let reloadtimeout;
 
 function tryConnection() {
     try {
         const newSocket = getSocket();
         newSocket.addEventListener("open", (event) => {
             console.log("reloading");
-            setTimeout(()=>{
+            reloadtimeout = setTimeout(()=>{
               window.location.reload();
             }, 500);
             
@@ -12191,13 +12231,16 @@ function tryConnection() {
 // Connection closed
 socket.addEventListener("close", (event) => {
     clearTimeout(timeout);
+    clearTimeout(reloadtimeout);
     timeout = setTimeout(tryConnection, 500);
 });
 
 socket.addEventListener("error", (err) => {
+    clearTimeout(reloadtimeout);
     console.error(err);
 });`;
-  return `<script>${HOT_RELOAD_JS_SCRIPT}</script>`;
+function getHotReloadScript() {
+  return `<script src="${HOT_RELOAD_SCRIPT_PATH}"></script>`;
 }
 
 // src/inflate/setup-http.ts
@@ -12208,12 +12251,12 @@ var import_node_fs6 = require("node:fs");
 init_lib3();
 var import_node_path7 = require("node:path");
 var import_node_process4 = require("node:process");
-async function setupCORS(logger, servicePath, service, mainRouter, inflateDir, inflateSea, errors) {
+async function setupCORS(logger, servicePath, service, mainRouter, inflateDir, inflateSea, options, errors) {
   const corsPath = getCORSConfigPath(servicePath);
   if (corsPath) {
     try {
-      const corsOptions = await importCORSModule(corsPath, logger);
       logger.debug("setting up cors from [%s]", (0, import_node_path7.join)(service, (0, import_node_path7.basename)(corsPath)));
+      const corsOptions = await importCORSModule(corsPath, options, logger);
       mainRouter.use(CORS(corsOptions));
       if (inflateDir && inflateSea) {
         const inflatePath = (0, import_node_path7.resolve)(inflateDir, service, "cors.cjs");
@@ -12245,11 +12288,11 @@ init_lib3();
 var import_node_path8 = require("node:path");
 var import_node_fs7 = require("node:fs");
 var import_node_process5 = require("node:process");
-async function setupAUTH(logger, servicePath, service, mainRouter, inflateDir, inflateSea, errors) {
+async function setupAUTH(logger, servicePath, service, mainRouter, inflateDir, inflateSea, options, errors) {
   const authPath = getAuthConfigPath(servicePath);
   if (authPath) {
     try {
-      const authModule = await importAuthModule(authPath, logger);
+      const authModule = await importAuthModule(authPath, options, logger);
       logger.debug("setting up authentication from [%s]", (0, import_node_path8.join)(service, (0, import_node_path8.basename)(authPath)));
       mainRouter.use(SessionHandler(authModule));
       if (inflateDir && inflateSea) {
@@ -12360,11 +12403,11 @@ function inflateMDString2HTML(text, logger) {
 var import_node_path10 = require("node:path");
 var import_node_fs9 = require("node:fs");
 var import_node_process6 = require("node:process");
-async function setupMiddleware(logger, servicePath, service, mainRouter, inflateDir, inflateSea, errors) {
+async function setupMiddleware(logger, servicePath, service, mainRouter, inflateDir, inflateSea, options, errors) {
   const middlewarePath = getMiddlewareConfigPath(servicePath);
   if (middlewarePath) {
     try {
-      const middewareModule = await importMiddlewareConfigModule(middlewarePath, logger);
+      const middewareModule = await importMiddlewareConfigModule(middlewarePath, options, logger);
       logger.debug("setting up middleware from [%s]", (0, import_node_path10.join)(service, (0, import_node_path10.basename)(middlewarePath)));
       if (middewareModule && middewareModule.middleware) {
         for (const m of middewareModule.middleware) {
@@ -12402,11 +12445,11 @@ async function setupMiddleware(logger, servicePath, service, mainRouter, inflate
 var import_node_path11 = require("node:path");
 var import_node_fs10 = require("node:fs");
 var import_node_process7 = require("node:process");
-async function setupError(logger, servicePath, service, mainRouter, inflateDir, inflateSea, errors) {
+async function setupError(logger, servicePath, service, mainRouter, inflateDir, inflateSea, options, errors) {
   const errorPath = getErrorConfigPath(servicePath);
   if (errorPath) {
     try {
-      const errorModule = await importErrorConfigModule(errorPath, logger);
+      const errorModule = await importErrorConfigModule(errorPath, options, logger);
       logger.debug("setting up error handling from [%s]", (0, import_node_path11.join)(service, (0, import_node_path11.basename)(errorPath)));
       if (errorModule && errorModule.catch) {
         for (const m of errorModule.catch) {
@@ -12439,23 +12482,23 @@ async function setupError(logger, servicePath, service, mainRouter, inflateDir,
 }
 
 // src/inflate/setup-http.ts
-async function setupHTTPRouter(server, logger, hotreload, servicePath, service, routeFileMap, staticFileMap, inflateDir, inflateSea, errors, inflateParallel) {
+async function setupHTTPRouter(importOptions, inflateOptions, server, logger, hotreload, servicePath, service, routeFileMap, staticFileMap, inflateDir, inflateSea, errors, inflateParallel) {
   const mainRouter = new Router2();
   const apiRouterPath = getHTTPRouterPath(servicePath);
   let middlewareConfig = null;
-  await setupError(logger, servicePath, service, mainRouter, inflateDir, inflateSea, errors);
-  await setupCORS(logger, servicePath, service, mainRouter, inflateDir, inflateSea, errors);
-  await setupAUTH(logger, servicePath, service, mainRouter, inflateDir, inflateSea, errors);
-  middlewareConfig = await setupMiddleware(logger, servicePath, service, mainRouter, inflateDir, inflateSea, errors);
+  await setupError(logger, servicePath, service, mainRouter, inflateDir, inflateSea, importOptions, errors);
+  await setupCORS(logger, servicePath, service, mainRouter, inflateDir, inflateSea, importOptions, errors);
+  await setupAUTH(logger, servicePath, service, mainRouter, inflateDir, inflateSea, importOptions, errors);
+  middlewareConfig = await setupMiddleware(logger, servicePath, service, mainRouter, inflateDir, inflateSea, importOptions, errors);
   if (apiRouterPath) {
     logger.trace("setting up http routes from [%s]", service);
-    const { router: httpRouter } = await createRouterFromDirectory(server, hotreload, service, logger, apiRouterPath, errors, routeFileMap, staticFileMap, inflateDir, inflateSea, inflateParallel);
+    const { router: httpRouter } = await createRouterFromDirectory(importOptions, inflateOptions, server, hotreload, service, logger, apiRouterPath, errors, routeFileMap, staticFileMap, inflateDir, inflateSea, inflateParallel);
     mainRouter.use(httpRouter);
   }
   const staticFilesPath = getStaticFilesPath(servicePath);
   if (staticFilesPath) {
     logger.trace("setting up static file routes from [%s]", service);
-    const staticRouter = await createStaticRouterFromDirectory(service, logger, staticFilesPath, inflateDir, routeFileMap, staticFileMap, inflateParallel);
+    const staticRouter = await createStaticRouterFromDirectory(inflateOptions, service, logger, staticFilesPath, inflateDir, routeFileMap, staticFileMap, inflateParallel);
     mainRouter.use(staticRouter);
   }
   if (middlewareConfig && middlewareConfig.post) {
@@ -12465,7 +12508,7 @@ async function setupHTTPRouter(server, logger, hotreload, servicePath, service,
   }
   return mainRouter;
 }
-async function createStaticRoute(service, logger, router, dir, file, inflateDir, routeFileMap, staticFileMap) {
+async function createStaticRoute(inflateJSXOptions, service, logger, router, dir, file, inflateDir, routeFileMap, staticFileMap) {
   return new Promise(async (resolve24, reject) => {
     try {
       logger.trace("creating static route for [%s]", file.filePath);
@@ -12484,8 +12527,8 @@ async function createStaticRoute(service, logger, router, dir, file, inflateDir,
         filePath: file.filePath,
         previewMethod: "html"
       };
-      if (inflateDir) {
-        const inflatePath = (0, import_node_path12.join)(inflateDir, service, "static", path);
+      if (inflateDir && (inflateJSXOptions.inflateOnlyAssets || inflateJSXOptions.inflateOnlyAssets === void 0)) {
+        const inflatePath = (0, import_node_path12.join)(inflateDir, !inflateJSXOptions.inflateFlat ? service : "", "static", path);
         (0, import_node_fs11.mkdir)((0, import_node_path12.dirname)(inflatePath), {
           recursive: true
         }, (err) => {
@@ -12504,7 +12547,7 @@ async function createStaticRoute(service, logger, router, dir, file, inflateDir,
             method: "GET",
             path: normalizePath2(path),
             body: Buffer.from(body),
-            inflatePath: inflateDir ? (0, import_node_path12.join)(inflateDir, service, "static", path) : void 0
+            inflatePath: inflateDir ? (0, import_node_path12.join)(inflateDir, !inflateJSXOptions.inflateFlat ? service : "", "static", path) : void 0
           };
         }
       }
@@ -12540,14 +12583,14 @@ async function createStaticRoute(service, logger, router, dir, file, inflateDir,
     }
   });
 }
-async function createStaticRouterFromDirectory(service, logger, dir, inflateDir, routeFileMap, staticFileMap, inflateParallel) {
+async function createStaticRouterFromDirectory(inflateOptions, service, logger, dir, inflateDir, routeFileMap, staticFileMap, inflateParallel) {
   const router = new Router2();
   const maxParallel = inflateParallel ? inflateParallel : 1;
   logger.debug("loading static directory with parallel [%s]", maxParallel);
   let tR = [];
   const files = scanFiles(dir);
   for (const file of files) {
-    tR.push(await createStaticRoute(service, logger, router, dir, file, inflateDir, routeFileMap, staticFileMap));
+    tR.push(await createStaticRoute(inflateOptions, service, logger, router, dir, file, inflateDir, routeFileMap, staticFileMap));
     if (tR.length >= maxParallel) {
       await Promise.all(tR);
       tR = [];
@@ -12559,7 +12602,7 @@ async function createStaticRouterFromDirectory(service, logger, dir, inflateDir,
   }
   return router;
 }
-async function createRouterFromDirectory(server, hotreload, service, logger, dir, errors = [], routeFileMap = {}, staticFileMap = null, inflateDir, inflateSea, inflateParallel) {
+async function createRouterFromDirectory(importOptions, inflateJSXOptions, server, hotreload, service, logger, dir, errors = [], routeFileMap = {}, staticFileMap = null, inflateDir, inflateSea, inflateParallel) {
   const router = new Router2();
   const maxParallel = inflateParallel ? inflateParallel : 1;
   server.logger.debug("loading http directory with parallel [%s]", maxParallel);
@@ -12581,7 +12624,11 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                 logger.warn("ignoring [%s]", file.filePath);
                 return resolve24();
               case ".api": {
-                const module2 = await importAPIRoute(file.filePath, logger);
+                if (inflateJSXOptions.inflateOnlyAssets) {
+                  logger.warn("ignoring [%s]", file.filePath);
+                  return resolve24();
+                }
+                const module2 = await importAPIRoute(file.filePath, importOptions, logger);
                 const routes = getRoutes((0, import_node_path12.join)("/", (0, import_node_path12.dirname)((0, import_node_path12.relative)(dir, file.filePath))), file.subName, module2);
                 routeFileMap[file.filePath] = {
                   routes,
@@ -12589,7 +12636,7 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                   filePath: file.filePath,
                   previewMethod: "api"
                 };
-                const inflatedCode = inflateDir ? await inflateJSX(file.filePath, {
+                const inflatedCode = inflateDir && inflateSea && (!inflateJSXOptions.inflateOnlyAssets || inflateJSXOptions.inflateOnlyAssets === void 0) ? await inflateJSX(file.filePath, {
                   // embemedJSX: false,
                   minify: false,
                   useExport: true,
@@ -12599,7 +12646,7 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                 for (const r of routes) {
                   if (inflateDir && r.defaultInflatePath && inflateSea) {
                     const rPath = r.defaultInflatePath;
-                    const inflatePath = (0, import_node_path12.join)(inflateDir, service, "http", rPath + ".api.cjs");
+                    const inflatePath = (0, import_node_path12.join)(inflateDir, !inflateJSXOptions.inflateFlat ? service : "", "http", rPath + ".api.cjs");
                     await mkdirASync((0, import_node_path12.dirname)(inflatePath), {
                       recursive: true
                     });
@@ -12611,7 +12658,7 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                 return resolve24();
               }
               case ".json": {
-                const module2 = await importJSONModule(file.filePath, logger);
+                const module2 = await importJSONModule(file.filePath, importOptions, logger);
                 const routes = getRoutes((0, import_node_path12.join)("/", (0, import_node_path12.dirname)((0, import_node_path12.relative)(dir, file.filePath))), file.subName + ".json", module2.apiOptions);
                 routeFileMap[file.filePath] = {
                   routes,
@@ -12621,10 +12668,10 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                 };
                 for (const r of routes) {
                   const contentType = CONTENT_TYPE_MAP[".json"] ? CONTENT_TYPE_MAP[".json"] : DEFAULT_CONTENT_TYPE;
-                  if (inflateDir) {
+                  if (inflateDir && (inflateJSXOptions.inflateOnlyAssets || inflateJSXOptions.inflateOnlyAssets === void 0)) {
                     if (r.inflatePath) {
                       const rPath = r.inflatePath;
-                      const inflatePath = (0, import_node_path12.join)(inflateDir, service, "static", rPath);
+                      const inflatePath = (0, import_node_path12.join)(inflateDir, !inflateJSXOptions.inflateFlat ? service : "", "static", rPath);
                       await mkdirASync((0, import_node_path12.dirname)(inflatePath), {
                         recursive: true
                       });
@@ -12643,7 +12690,7 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                           previewMethod: "html",
                           path: r.path,
                           body: Buffer.from(JSON_STATIC),
-                          inflatePath: inflateDir ? (0, import_node_path12.join)(inflateDir, service, "static", r.inflatePath) : void 0
+                          inflatePath: inflateDir ? (0, import_node_path12.join)(inflateDir, !inflateJSXOptions.inflateFlat ? service : "", "static", r.inflatePath) : void 0
                         };
                       }
                     }
@@ -12662,7 +12709,11 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                 return resolve24();
               }
               case ".html": {
-                const module2 = await importHTMLModule(file.filePath, logger);
+                if (inflateJSXOptions.inflateOnlyAssets) {
+                  logger.warn("ignoring [%s]", file.filePath);
+                  return resolve24();
+                }
+                const module2 = await importHTMLModule(file.filePath, importOptions, logger);
                 const routes = getRoutes((0, import_node_path12.join)("/", (0, import_node_path12.dirname)((0, import_node_path12.relative)(dir, file.filePath))), file.subName + ".html", module2.apiOptions);
                 routeFileMap[file.filePath] = {
                   routes,
@@ -12672,10 +12723,10 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                 };
                 for (const r of routes) {
                   const contentType = CONTENT_TYPE_MAP[".html"] ? CONTENT_TYPE_MAP[".html"] : DEFAULT_CONTENT_TYPE;
-                  if (inflateDir) {
+                  if (inflateDir && (!inflateJSXOptions.inflateOnlyAssets || inflateJSXOptions.inflateOnlyAssets === void 0)) {
                     if (r.inflatePath) {
                       const rPath = r.inflatePath;
-                      const inflatePath = (0, import_node_path12.join)(inflateDir, service, "static", rPath);
+                      const inflatePath = (0, import_node_path12.join)(inflateDir, !inflateJSXOptions.inflateFlat ? service : "", "static", rPath);
                       await mkdirASync((0, import_node_path12.dirname)(inflatePath), {
                         recursive: true
                       });
@@ -12687,7 +12738,7 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                       const HTML_STATIC = await getHTML(hotreload, { server }, null, newURL2(r.path), module2.apiOptions?.basePath, await toRender);
                       logger.log("writing [%s]", (0, import_node_path12.relative)((0, import_node_process8.cwd)(), inflatePath));
                       await writeFileASync(inflatePath, HTML_STATIC);
-                      if (staticFileMap && inflateSea) {
+                      if (staticFileMap && inflateSea && (!inflateJSXOptions.inflateOnlyAssets || inflateJSXOptions.inflateOnlyAssets === void 0)) {
                         staticFileMap[file.filePath + r.method + r.path] = {
                           filePath: file.filePath,
                           contentType,
@@ -12695,7 +12746,7 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                           previewMethod: "html",
                           path: r.path,
                           body: Buffer.from(HTML_STATIC),
-                          inflatePath: inflateDir ? (0, import_node_path12.join)(inflateDir, service, "static", r.inflatePath) : void 0
+                          inflatePath: inflateDir ? (0, import_node_path12.join)(inflateDir, !inflateJSXOptions.inflateFlat ? service : "", "static", r.inflatePath) : void 0
                         };
                       }
                     }
@@ -12718,7 +12769,7 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
               case ".js":
               default: {
                 if (file.ext !== ".js" && file.ext !== ".ts") {
-                  const code = await inflateJSX(file.filePath, {
+                  const code = inflateJSXOptions.noMinify ? (0, import_node_fs11.readFileSync)(file.filePath).toString() : await inflateJSX(file.filePath, {
                     // embemedJSX: true,
                     minify: file.subExt === ".min" ? true : false,
                     useExport: true,
@@ -12735,8 +12786,8 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                     service,
                     previewMethod: "html"
                   };
-                  if (inflateDir) {
-                    const inflatePath = (0, import_node_path12.join)(inflateDir, service, "static", path);
+                  if (inflateDir && (inflateJSXOptions.inflateOnlyAssets || inflateJSXOptions.inflateOnlyAssets === void 0)) {
+                    const inflatePath = (0, import_node_path12.join)(inflateDir, !inflateJSXOptions.inflateFlat ? service : "", "static", path);
                     await mkdirASync((0, import_node_path12.dirname)(inflatePath), {
                       recursive: true
                     });
@@ -12750,7 +12801,7 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                         previewMethod: "html",
                         path,
                         body: Buffer.from(code),
-                        inflatePath: inflateDir ? (0, import_node_path12.join)(inflateDir, service, "static", path) : void 0
+                        inflatePath: inflateDir ? (0, import_node_path12.join)(inflateDir, !inflateJSXOptions.inflateFlat ? service : "", "static", path) : void 0
                       };
                     }
                   }
@@ -12783,8 +12834,8 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                   filePath: file.filePath,
                   previewMethod: "html"
                 };
-                if (inflateDir) {
-                  const inflatePath = (0, import_node_path12.join)(inflateDir, service, "static", path);
+                if (inflateDir && (inflateJSXOptions.inflateOnlyAssets || inflateJSXOptions.inflateOnlyAssets === void 0)) {
+                  const inflatePath = (0, import_node_path12.join)(inflateDir, !inflateJSXOptions.inflateFlat ? service : "", "static", path);
                   await mkdirASync((0, import_node_path12.dirname)(inflatePath), {
                     recursive: true
                   });
@@ -12798,7 +12849,7 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                       previewMethod: "html",
                       path,
                       body: Buffer.from(code),
-                      inflatePath: inflateDir ? (0, import_node_path12.join)(inflateDir, service, "static", path) : void 0
+                      inflatePath: inflateDir ? (0, import_node_path12.join)(inflateDir, !inflateJSXOptions.inflateFlat ? service : "", "static", path) : void 0
                     };
                   }
                 }
@@ -12824,7 +12875,7 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                 }
                 case ".bundle":
                 case ".min": {
-                  const code = await inflateJSX(file.filePath, {
+                  const code = inflateJSXOptions.noMinify ? (0, import_node_fs11.readFileSync)(file.filePath).toString() : await inflateJSX(file.filePath, {
                     // embemedJSX: false,
                     minify: file.subExt === ".min" ? true : false,
                     useExport: true,
@@ -12841,8 +12892,8 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                     service,
                     previewMethod: "html"
                   };
-                  if (inflateDir) {
-                    const inflatePath = (0, import_node_path12.join)(inflateDir, service, "static", path);
+                  if (inflateDir && (inflateJSXOptions.inflateOnlyAssets || inflateJSXOptions.inflateOnlyAssets === void 0)) {
+                    const inflatePath = (0, import_node_path12.join)(inflateDir, !inflateJSXOptions.inflateFlat ? service : "", "static", path);
                     await mkdirASync((0, import_node_path12.dirname)(inflatePath), {
                       recursive: true
                     });
@@ -12856,7 +12907,7 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                         previewMethod: "html",
                         path,
                         body: Buffer.from(code),
-                        inflatePath: inflateDir ? (0, import_node_path12.join)(inflateDir, service, "static", path) : void 0
+                        inflatePath: inflateDir ? (0, import_node_path12.join)(inflateDir, !inflateJSXOptions.inflateFlat ? service : "", "static", path) : void 0
                       };
                     }
                   }
@@ -12891,8 +12942,8 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                     filePath: file.filePath,
                     previewMethod: "html"
                   };
-                  if (inflateDir) {
-                    const inflatePath = (0, import_node_path12.join)(inflateDir, service, "static", path);
+                  if (inflateDir && (inflateJSXOptions.inflateOnlyAssets || inflateJSXOptions.inflateOnlyAssets === void 0)) {
+                    const inflatePath = (0, import_node_path12.join)(inflateDir, !inflateJSXOptions.inflateFlat ? service : "", "static", path);
                     await mkdirASync((0, import_node_path12.dirname)(inflatePath), {
                       recursive: true
                     });
@@ -12906,7 +12957,7 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                         previewMethod: "html",
                         path,
                         body: Buffer.from(code),
-                        inflatePath: inflateDir ? (0, import_node_path12.join)(inflateDir, service, "static", path) : void 0
+                        inflatePath: inflateDir ? (0, import_node_path12.join)(inflateDir, !inflateJSXOptions.inflateFlat ? service : "", "static", path) : void 0
                       };
                     }
                   }
@@ -12923,7 +12974,7 @@ async function createRouterFromDirectory(server, hotreload, service, logger, dir
                 }
               }
             }
-            await createStaticRoute(service, logger, router, dir, file, inflateDir, routeFileMap, staticFileMap);
+            await createStaticRoute(inflateJSXOptions, service, logger, router, dir, file, inflateDir, routeFileMap, staticFileMap);
             return resolve24();
         }
       } catch (e) {
@@ -12971,13 +13022,11 @@ function scanFiles(path, ret = []) {
 }
 function getHTML(hotreload, req, res, url, basePath, out) {
   let HTML = `<!DOCTYPE html>
-${jsx2HTML(out, createNodeRuntime({
+${hotreload ? `${getHotReloadScript()}
+` : ""}${jsx2HTML(out, createNodeRuntime({
     url,
     basePath
   }))}`;
-  if (hotreload) {
-    HTML += getHotReloadScript();
-  }
   return HTML;
 }
 async function getJSON(req, res, url, basePath, out) {
@@ -12989,12 +13038,12 @@ async function getJSON(req, res, url, basePath, out) {
 var import_node_path13 = require("node:path");
 var import_node_process9 = require("node:process");
 var import_node_fs12 = require("node:fs");
-async function inflateWSConfig(logger, servicePath, service, wsConfigList, inflateDir, errors) {
+async function inflateWSConfig(logger, servicePath, service, wsConfigList, inflateDir, errors, options) {
   const wsPath = getWSConfigPath(servicePath);
   if (wsPath) {
     try {
       logger.debug("importing websocket socket for service [%s]", service);
-      const wsConfig = await importWSConfigModule(wsPath, logger);
+      const wsConfig = await importWSConfigModule(wsPath, options, logger);
       if (wsConfig && wsConfigList.filter((c) => c.path === wsConfig.path).length > 0) {
         throw new Error(`ws path [${wsConfig.path}] already defined! from [${wsPath}]`);
       } else if (wsConfigList) {
@@ -13269,11 +13318,11 @@ function writeFile2(logger, path, buffer) {
 var import_node_path15 = require("node:path");
 var import_node_fs14 = require("node:fs");
 var import_node_process11 = require("node:process");
-async function setupLogConfig(logger, servicePath, service, logConfigMap, inflateDir, errors) {
+async function setupLogConfig(logger, servicePath, service, logConfigMap, inflateDir, options, errors) {
   const logPath = getLogConfigPath(servicePath);
   if (logPath) {
     try {
-      const logConfig = await importLogConfigModule(logPath, logger);
+      const logConfig = await importLogConfigModule(logPath, options, logger);
       logConfigMap[service] = logConfig;
       if (inflateDir) {
         const inflatePath = (0, import_node_path15.resolve)(inflateDir, service, "log.cjs");
@@ -13569,11 +13618,11 @@ async function getDocOutput(router, fileMap, generateDocAll, generateDocType) {
 }
 
 // src/inflate/setup.doc.ts
-async function setupDoc(logger, servicePath, service, mainRouter, fileMap, staticFileMap, inflateDir, errors) {
+async function setupDoc(logger, servicePath, service, mainRouter, fileMap, staticFileMap, inflateDir, errors, options, inflateFlat) {
   const docPath = getDocConfigPath(servicePath);
   if (docPath) {
     try {
-      const docModule = await importDocConfigModule(docPath, logger);
+      const docModule = await importDocConfigModule(docPath, options, logger);
       logger.debug("setting up error handling from [%s]", (0, import_node_path16.join)(service, (0, import_node_path16.basename)(docPath)));
       if (docModule && docModule.publish) {
         const paths = Object.keys(docModule.publish);
@@ -13603,7 +13652,7 @@ async function setupDoc(logger, servicePath, service, mainRouter, fileMap, stati
             }
           });
           if (inflateDir) {
-            const inflatePath = (0, import_node_path16.join)(inflateDir, service, "static", path);
+            const inflatePath = (0, import_node_path16.join)(inflateDir, !inflateFlat ? service : "", "static", path);
             (0, import_node_fs15.mkdirSync)((0, import_node_path16.dirname)(inflatePath), {
               recursive: true
             });
@@ -13626,7 +13675,7 @@ async function setupDoc(logger, servicePath, service, mainRouter, fileMap, stati
                 method: "GET",
                 path,
                 body: Buffer.from(body),
-                inflatePath: inflateDir ? (0, import_node_path16.join)(inflateDir, service, "static", path) : void 0
+                inflatePath: inflateDir ? (0, import_node_path16.join)(inflateDir, !inflateFlat ? service : "", "static", path) : void 0
               };
             }
           }
@@ -13645,7 +13694,7 @@ async function setupDoc(logger, servicePath, service, mainRouter, fileMap, stati
 }
 
 // src/inflate/inflate.ts
-async function inflateApp({ inflateParallel, serverInterface, logger, hotreload, services, inflateDir, inflateSea, port }) {
+async function inflateApp({ inflateParallel, serverInterface, logger, hotreload, services, inflateDir, inflateSea, port, noBuild, noMinify, inflateOnlyAssets, inflateFlat }) {
   logger.trace("inflateApp");
   const errors = [];
   let routeFileMap = {};
@@ -13656,14 +13705,14 @@ async function inflateApp({ inflateParallel, serverInterface, logger, hotreload,
     const serviceRouteFileMap = {};
     const serviceStaticFileMap = inflateSea ? {} : null;
     const servicePath = getServicePath(service);
-    await setupLogConfig(logger, servicePath, service, logConfigMap, inflateSea ? inflateDir : false, errors);
-    router.use(await setupHTTPRouter(serverInterface, logger, hotreload ? hotreload : false, servicePath, service, serviceRouteFileMap, serviceStaticFileMap, inflateDir, inflateSea, errors, inflateParallel));
+    await setupLogConfig(logger, servicePath, service, logConfigMap, inflateSea ? inflateDir : false, { noBuild }, errors);
+    router.use(await setupHTTPRouter({ noBuild }, { noMinify, inflateOnlyAssets, inflateFlat }, serverInterface, logger, hotreload ? hotreload : false, servicePath, service, serviceRouteFileMap, serviceStaticFileMap, inflateDir, inflateSea, errors, inflateParallel));
     routeFileMap = {
       ...routeFileMap,
       ...serviceRouteFileMap
     };
-    await setupDoc(logger, servicePath, service, router, routeFileMap, serviceStaticFileMap, inflateDir, errors);
-    await inflateWSConfig(logger, servicePath, service, wsConfigList, inflateSea ? inflateDir : void 0, errors);
+    await setupDoc(logger, servicePath, service, router, routeFileMap, serviceStaticFileMap, inflateDir, errors, { noBuild }, inflateFlat);
+    await inflateWSConfig(logger, servicePath, service, wsConfigList, inflateSea ? inflateDir : void 0, errors, { noBuild });
     if (inflateDir && inflateSea) {
       await inflateServiceForSea(logger, inflateDir, service, servicePath, serviceRouteFileMap, serviceStaticFileMap);
     }
@@ -13678,11 +13727,11 @@ async function inflateApp({ inflateParallel, serverInterface, logger, hotreload,
 var import_node_fs16 = require("node:fs");
 var import_node_path17 = require("node:path");
 var import_node_process13 = require("node:process");
-async function setupServerConfig(logger, servicePath, service, serverConfigMap, inflateDir, errors) {
+async function setupServerConfig(logger, servicePath, service, serverConfigMap, inflateDir, errors, options) {
   const serverPath = getServerConfigPath(servicePath);
   if (serverPath) {
     try {
-      const serverConfig = await importServerConfigModule(serverPath, logger);
+      const serverConfig = await importServerConfigModule(serverPath, options, logger);
       serverConfigMap[service] = serverConfig;
       if (inflateDir) {
         const inflatePath = (0, import_node_path17.resolve)(inflateDir, service, "server.cjs");
@@ -13721,17 +13770,18 @@ var ws_default = {
     const cache2 = admin ? admin.getCache() : req.server.cache;
     const KEY = cache2.get("AUTH_KEY");
     const cookieToken = req.cookies["auth"];
-    return cookieToken === KEY ? true : false;
+    return cookieToken && KEY && cookieToken === KEY ? true : false;
   }
 };
 
 // editor/server.ts
-var import_node_crypto4 = require("node:crypto");
+var import_node_crypto5 = require("node:crypto");
 init_constants();
 var import_node_fs17 = require("node:fs");
 var import_node_path18 = require("node:path");
 
 // editor/auth.ts
+var import_node_crypto4 = require("node:crypto");
 var ADMIN_EDITOR_AUTH_KEY = "$$ADMIN_EDITOR_AUTH_KEY$$";
 var ADMIN_EDITOR_AUTH_QUERY = "key";
 var ADMIN_EDITOR_AUTH_COOKIE = ADMIN_EDITOR_AUTH_KEY;
@@ -13750,7 +13800,7 @@ var auth_default = {
       const queryToken = args.req.query[ADMIN_EDITOR_AUTH_QUERY];
       const cookieToken = args.req.cookies[ADMIN_EDITOR_AUTH_COOKIE];
       if (queryToken) {
-        if (queryToken === KEY) {
+        if (typeof queryToken === "string" && (0, import_node_crypto4.timingSafeEqual)(Buffer.from(queryToken), Buffer.from(KEY))) {
           args.res.setCookie(ADMIN_EDITOR_AUTH_COOKIE, KEY, {
             expires: new Date(Date.now() + 1e3 * 60 * 60 * 24 * 31 * 12 * 500),
             httpOnly: true,
@@ -13784,7 +13834,7 @@ var server_default = {
           serverInterface.logger.warn("loading static ADMIN_KEY from [%s]", (0, import_node_path18.relative)(process.cwd(), adminKEYPath));
           cache2.set(ADMIN_EDITOR_AUTH_KEY, (0, import_node_fs17.readFileSync)(adminKEYPath).toString().trim());
         } else {
-          cache2.set(ADMIN_EDITOR_AUTH_KEY, (0, import_node_crypto4.randomUUID)());
+          cache2.set(ADMIN_EDITOR_AUTH_KEY, (0, import_node_crypto5.randomUUID)());
         }
       }
     }
@@ -14022,14 +14072,14 @@ function setupExitHandlers(app) {
 var import_node_path28 = require("node:path");
 var import_node_fs25 = require("node:fs");
 var import_node_process15 = require("node:process");
-async function inflateDBConfig(logger, service, dbConfigList, inflateDir, errors) {
+async function inflateDBConfig(logger, service, dbConfigList, inflateDir, options, errors) {
   const servicePath = getServicePath(service);
   const dbConfigPath = getDBConfigPath(servicePath);
   if (dbConfigPath) {
     try {
-      const config = await importDBConfigModule(dbConfigPath, logger);
+      const config = await importDBConfigModule(dbConfigPath, options, logger);
       if (config && dbConfigList && dbConfigList.filter((c) => c.name === config.name).length > 0) {
-        throw new Error(`ws path [${config.name}] already defined! error from [${dbConfigPath}]`);
+        throw new Error(`db name [${config.name}] already defined! error from [${dbConfigPath}]`);
       } else if (config) {
         if (dbConfigList) {
           dbConfigList.push(config);
@@ -14064,7 +14114,7 @@ async function inflateDBConfig(logger, service, dbConfigList, inflateDir, errors
   }
   return false;
 }
-async function inflateDBMigrations(logger, service, dbName, inflateDir, errors) {
+async function inflateDBMigrations(logger, service, dbName, inflateDir, options, errors) {
   const servicePath = getServicePath(service);
   const migrationsFolderPath = getMigrationsPath(servicePath);
   if (migrationsFolderPath) {
@@ -14074,7 +14124,7 @@ async function inflateDBMigrations(logger, service, dbName, inflateDir, errors)
     for (const migrationName of serviceMigrations) {
       const migrationPath = (0, import_node_path28.resolve)(migrationsFolderPath, migrationName);
       try {
-        const migrationModule = await importMigrationModule(migrationPath);
+        const migrationModule = await importMigrationModule(migrationPath, options, logger);
         migrationModules.push({
           name: migrationName,
           service,
@@ -14160,6 +14210,17 @@ function uint32be(value) {
   writeUInt32BE(buf, value);
   return buf;
 }
+function encode(string) {
+  const bytes = new Uint8Array(string.length);
+  for (let i = 0; i < string.length; i++) {
+    const code = string.charCodeAt(i);
+    if (code > 127) {
+      throw new TypeError("non-ASCII string encountered in encode()");
+    }
+    bytes[i] = code;
+  }
+  return bytes;
+}
 
 // node_modules/jose/dist/webapi/lib/base64.js
 function encodeBase64(input) {
@@ -14196,14 +14257,14 @@ function decode(input) {
   if (encoded instanceof Uint8Array) {
     encoded = decoder.decode(encoded);
   }
-  encoded = encoded.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
+  encoded = encoded.replace(/-/g, "+").replace(/_/g, "/");
   try {
     return decodeBase64(encoded);
   } catch {
     throw new TypeError("The input to be decoded is not correctly encoded.");
   }
 }
-function encode(input) {
+function encode2(input) {
   let unencoded = input;
   if (typeof unencoded === "string") {
     unencoded = encoder.encode(unencoded);
@@ -14214,122 +14275,17 @@ function encode(input) {
   return encodeBase64(unencoded).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
 }
 
-// node_modules/jose/dist/webapi/util/errors.js
-var JOSEError = class extends Error {
-  static code = "ERR_JOSE_GENERIC";
-  code = "ERR_JOSE_GENERIC";
-  constructor(message2, options) {
-    super(message2, options);
-    this.name = this.constructor.name;
-    Error.captureStackTrace?.(this, this.constructor);
-  }
-};
-var JWTClaimValidationFailed = class extends JOSEError {
-  static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
-  code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
-  claim;
-  reason;
-  payload;
-  constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
-    super(message2, { cause: { claim, reason, payload } });
-    this.claim = claim;
-    this.reason = reason;
-    this.payload = payload;
-  }
-};
-var JWTExpired = class extends JOSEError {
-  static code = "ERR_JWT_EXPIRED";
-  code = "ERR_JWT_EXPIRED";
-  claim;
-  reason;
-  payload;
-  constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
-    super(message2, { cause: { claim, reason, payload } });
-    this.claim = claim;
-    this.reason = reason;
-    this.payload = payload;
-  }
-};
-var JOSEAlgNotAllowed = class extends JOSEError {
-  static code = "ERR_JOSE_ALG_NOT_ALLOWED";
-  code = "ERR_JOSE_ALG_NOT_ALLOWED";
-};
-var JOSENotSupported = class extends JOSEError {
-  static code = "ERR_JOSE_NOT_SUPPORTED";
-  code = "ERR_JOSE_NOT_SUPPORTED";
-};
-var JWEDecryptionFailed = class extends JOSEError {
-  static code = "ERR_JWE_DECRYPTION_FAILED";
-  code = "ERR_JWE_DECRYPTION_FAILED";
-  constructor(message2 = "decryption operation failed", options) {
-    super(message2, options);
-  }
-};
-var JWEInvalid = class extends JOSEError {
-  static code = "ERR_JWE_INVALID";
-  code = "ERR_JWE_INVALID";
-};
-var JWSInvalid = class extends JOSEError {
-  static code = "ERR_JWS_INVALID";
-  code = "ERR_JWS_INVALID";
-};
-var JWTInvalid = class extends JOSEError {
-  static code = "ERR_JWT_INVALID";
-  code = "ERR_JWT_INVALID";
-};
-var JWSSignatureVerificationFailed = class extends JOSEError {
-  static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-  code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-  constructor(message2 = "signature verification failed", options) {
-    super(message2, options);
-  }
-};
-
-// node_modules/jose/dist/webapi/lib/iv.js
-function bitLength(alg) {
-  switch (alg) {
-    case "A128GCM":
-    case "A128GCMKW":
-    case "A192GCM":
-    case "A192GCMKW":
-    case "A256GCM":
-    case "A256GCMKW":
-      return 96;
-    case "A128CBC-HS256":
-    case "A192CBC-HS384":
-    case "A256CBC-HS512":
-      return 128;
-    default:
-      throw new JOSENotSupported(`Unsupported JWE Algorithm: ${alg}`);
-  }
-}
-var iv_default = (alg) => crypto.getRandomValues(new Uint8Array(bitLength(alg) >> 3));
-
-// node_modules/jose/dist/webapi/lib/check_iv_length.js
-var check_iv_length_default = (enc, iv) => {
-  if (iv.length << 3 !== bitLength(enc)) {
-    throw new JWEInvalid("Invalid Initialization Vector length");
-  }
-};
-
-// node_modules/jose/dist/webapi/lib/check_cek_length.js
-var check_cek_length_default = (cek, expected) => {
-  const actual = cek.byteLength << 3;
-  if (actual !== expected) {
-    throw new JWEInvalid(`Invalid Content Encryption Key length. Expected ${expected} bits, got ${actual} bits`);
-  }
-};
-
 // node_modules/jose/dist/webapi/lib/crypto_key.js
-function unusable(name, prop = "algorithm.name") {
-  return new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
-}
-function isAlgorithm(algorithm, name) {
-  return algorithm.name === name;
-}
+var unusable = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
+var isAlgorithm = (algorithm, name) => algorithm.name === name;
 function getHashLength(hash) {
   return parseInt(hash.name.slice(4), 10);
 }
+function checkHashLength(algorithm, expected) {
+  const actual = getHashLength(algorithm.hash);
+  if (actual !== expected)
+    throw unusable(`SHA-${expected}`, "algorithm.hash");
+}
 function getNamedCurve(alg) {
   switch (alg) {
     case "ES256":
@@ -14354,10 +14310,7 @@ function checkSigCryptoKey(key, alg, usage2) {
     case "HS512": {
       if (!isAlgorithm(key.algorithm, "HMAC"))
         throw unusable("HMAC");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
+      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
       break;
     }
     case "RS256":
@@ -14365,10 +14318,7 @@ function checkSigCryptoKey(key, alg, usage2) {
     case "RS512": {
       if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5"))
         throw unusable("RSASSA-PKCS1-v1_5");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
+      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
       break;
     }
     case "PS256":
@@ -14376,10 +14326,7 @@ function checkSigCryptoKey(key, alg, usage2) {
     case "PS512": {
       if (!isAlgorithm(key.algorithm, "RSA-PSS"))
         throw unusable("RSA-PSS");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
+      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
       break;
     }
     case "Ed25519":
@@ -14457,10 +14404,7 @@ function checkEncCryptoKey(key, alg, usage2) {
     case "RSA-OAEP-512": {
       if (!isAlgorithm(key.algorithm, "RSA-OAEP"))
         throw unusable("RSA-OAEP");
-      const expected = parseInt(alg.slice(9), 10) || 1;
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
+      checkHashLength(key.algorithm, parseInt(alg.slice(9), 10) || 1);
       break;
     }
     default:
@@ -14491,63 +14435,196 @@ function message(msg, actual, ...types) {
   }
   return msg;
 }
-var invalid_key_input_default = (actual, ...types) => {
-  return message("Key must be ", actual, ...types);
-};
-function withAlg(alg, actual, ...types) {
-  return message(`Key for the ${alg} algorithm must be `, actual, ...types);
-}
+var invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types);
+var withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
 
-// node_modules/jose/dist/webapi/lib/is_key_like.js
-function assertCryptoKey(key) {
-  if (!isCryptoKey(key)) {
-    throw new Error("CryptoKey instance expected");
+// node_modules/jose/dist/webapi/util/errors.js
+var JOSEError = class extends Error {
+  static code = "ERR_JOSE_GENERIC";
+  code = "ERR_JOSE_GENERIC";
+  constructor(message2, options) {
+    super(message2, options);
+    this.name = this.constructor.name;
+    Error.captureStackTrace?.(this, this.constructor);
   }
-}
-function isCryptoKey(key) {
-  return key?.[Symbol.toStringTag] === "CryptoKey";
-}
-function isKeyObject(key) {
-  return key?.[Symbol.toStringTag] === "KeyObject";
-}
-var is_key_like_default = (key) => {
-  return isCryptoKey(key) || isKeyObject(key);
 };
-
-// node_modules/jose/dist/webapi/lib/decrypt.js
-async function timingSafeEqual(a, b) {
-  if (!(a instanceof Uint8Array)) {
-    throw new TypeError("First argument must be a buffer");
+var JWTClaimValidationFailed = class extends JOSEError {
+  static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+  code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+  claim;
+  reason;
+  payload;
+  constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
+    super(message2, { cause: { claim, reason, payload } });
+    this.claim = claim;
+    this.reason = reason;
+    this.payload = payload;
   }
-  if (!(b instanceof Uint8Array)) {
-    throw new TypeError("Second argument must be a buffer");
+};
+var JWTExpired = class extends JOSEError {
+  static code = "ERR_JWT_EXPIRED";
+  code = "ERR_JWT_EXPIRED";
+  claim;
+  reason;
+  payload;
+  constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
+    super(message2, { cause: { claim, reason, payload } });
+    this.claim = claim;
+    this.reason = reason;
+    this.payload = payload;
   }
-  const algorithm = { name: "HMAC", hash: "SHA-256" };
-  const key = await crypto.subtle.generateKey(algorithm, false, ["sign"]);
-  const aHmac = new Uint8Array(await crypto.subtle.sign(algorithm, key, a));
-  const bHmac = new Uint8Array(await crypto.subtle.sign(algorithm, key, b));
-  let out = 0;
-  let i = -1;
-  while (++i < 32) {
-    out |= aHmac[i] ^ bHmac[i];
+};
+var JOSEAlgNotAllowed = class extends JOSEError {
+  static code = "ERR_JOSE_ALG_NOT_ALLOWED";
+  code = "ERR_JOSE_ALG_NOT_ALLOWED";
+};
+var JOSENotSupported = class extends JOSEError {
+  static code = "ERR_JOSE_NOT_SUPPORTED";
+  code = "ERR_JOSE_NOT_SUPPORTED";
+};
+var JWEDecryptionFailed = class extends JOSEError {
+  static code = "ERR_JWE_DECRYPTION_FAILED";
+  code = "ERR_JWE_DECRYPTION_FAILED";
+  constructor(message2 = "decryption operation failed", options) {
+    super(message2, options);
+  }
+};
+var JWEInvalid = class extends JOSEError {
+  static code = "ERR_JWE_INVALID";
+  code = "ERR_JWE_INVALID";
+};
+var JWSInvalid = class extends JOSEError {
+  static code = "ERR_JWS_INVALID";
+  code = "ERR_JWS_INVALID";
+};
+var JWTInvalid = class extends JOSEError {
+  static code = "ERR_JWT_INVALID";
+  code = "ERR_JWT_INVALID";
+};
+var JWSSignatureVerificationFailed = class extends JOSEError {
+  static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+  code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+  constructor(message2 = "signature verification failed", options) {
+    super(message2, options);
+  }
+};
+
+// node_modules/jose/dist/webapi/lib/is_key_like.js
+function assertCryptoKey(key) {
+  if (!isCryptoKey(key)) {
+    throw new Error("CryptoKey instance expected");
   }
-  return out === 0;
 }
-async function cbcDecrypt(enc, cek, ciphertext, iv, tag2, aad) {
+var isCryptoKey = (key) => {
+  if (key?.[Symbol.toStringTag] === "CryptoKey")
+    return true;
+  try {
+    return key instanceof CryptoKey;
+  } catch {
+    return false;
+  }
+};
+var isKeyObject = (key) => key?.[Symbol.toStringTag] === "KeyObject";
+var isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);
+
+// node_modules/jose/dist/webapi/lib/content_encryption.js
+function cekLength(alg) {
+  switch (alg) {
+    case "A128GCM":
+      return 128;
+    case "A192GCM":
+      return 192;
+    case "A256GCM":
+    case "A128CBC-HS256":
+      return 256;
+    case "A192CBC-HS384":
+      return 384;
+    case "A256CBC-HS512":
+      return 512;
+    default:
+      throw new JOSENotSupported(`Unsupported JWE Algorithm: ${alg}`);
+  }
+}
+var generateCek = (alg) => crypto.getRandomValues(new Uint8Array(cekLength(alg) >> 3));
+function checkCekLength(cek, expected) {
+  const actual = cek.byteLength << 3;
+  if (actual !== expected) {
+    throw new JWEInvalid(`Invalid Content Encryption Key length. Expected ${expected} bits, got ${actual} bits`);
+  }
+}
+function ivBitLength(alg) {
+  switch (alg) {
+    case "A128GCM":
+    case "A128GCMKW":
+    case "A192GCM":
+    case "A192GCMKW":
+    case "A256GCM":
+    case "A256GCMKW":
+      return 96;
+    case "A128CBC-HS256":
+    case "A192CBC-HS384":
+    case "A256CBC-HS512":
+      return 128;
+    default:
+      throw new JOSENotSupported(`Unsupported JWE Algorithm: ${alg}`);
+  }
+}
+var generateIv = (alg) => crypto.getRandomValues(new Uint8Array(ivBitLength(alg) >> 3));
+function checkIvLength(enc, iv) {
+  if (iv.length << 3 !== ivBitLength(enc)) {
+    throw new JWEInvalid("Invalid Initialization Vector length");
+  }
+}
+async function cbcKeySetup(enc, cek, usage2) {
   if (!(cek instanceof Uint8Array)) {
-    throw new TypeError(invalid_key_input_default(cek, "Uint8Array"));
+    throw new TypeError(invalidKeyInput(cek, "Uint8Array"));
   }
   const keySize = parseInt(enc.slice(1, 4), 10);
-  const encKey = await crypto.subtle.importKey("raw", cek.subarray(keySize >> 3), "AES-CBC", false, ["decrypt"]);
+  const encKey = await crypto.subtle.importKey("raw", cek.subarray(keySize >> 3), "AES-CBC", false, [usage2]);
   const macKey = await crypto.subtle.importKey("raw", cek.subarray(0, keySize >> 3), {
     hash: `SHA-${keySize << 1}`,
     name: "HMAC"
   }, false, ["sign"]);
+  return { encKey, macKey, keySize };
+}
+async function cbcHmacTag(macKey, macData, keySize) {
+  return new Uint8Array((await crypto.subtle.sign("HMAC", macKey, macData)).slice(0, keySize >> 3));
+}
+async function cbcEncrypt(enc, plaintext, cek, iv, aad) {
+  const { encKey, macKey, keySize } = await cbcKeySetup(enc, cek, "encrypt");
+  const ciphertext = new Uint8Array(await crypto.subtle.encrypt({
+    iv,
+    name: "AES-CBC"
+  }, encKey, plaintext));
+  const macData = concat(aad, iv, ciphertext, uint64be(aad.length << 3));
+  const tag2 = await cbcHmacTag(macKey, macData, keySize);
+  return { ciphertext, tag: tag2, iv };
+}
+async function timingSafeEqual2(a, b) {
+  if (!(a instanceof Uint8Array)) {
+    throw new TypeError("First argument must be a buffer");
+  }
+  if (!(b instanceof Uint8Array)) {
+    throw new TypeError("Second argument must be a buffer");
+  }
+  const algorithm = { name: "HMAC", hash: "SHA-256" };
+  const key = await crypto.subtle.generateKey(algorithm, false, ["sign"]);
+  const aHmac = new Uint8Array(await crypto.subtle.sign(algorithm, key, a));
+  const bHmac = new Uint8Array(await crypto.subtle.sign(algorithm, key, b));
+  let out = 0;
+  let i = -1;
+  while (++i < 32) {
+    out |= aHmac[i] ^ bHmac[i];
+  }
+  return out === 0;
+}
+async function cbcDecrypt(enc, cek, ciphertext, iv, tag2, aad) {
+  const { encKey, macKey, keySize } = await cbcKeySetup(enc, cek, "decrypt");
   const macData = concat(aad, iv, ciphertext, uint64be(aad.length << 3));
-  const expectedTag = new Uint8Array((await crypto.subtle.sign("HMAC", macKey, macData)).slice(0, keySize >> 3));
+  const expectedTag = await cbcHmacTag(macKey, macData, keySize);
   let macCheckPassed;
   try {
-    macCheckPassed = await timingSafeEqual(tag2, expectedTag);
+    macCheckPassed = await timingSafeEqual2(tag2, expectedTag);
   } catch {
   }
   if (!macCheckPassed) {
@@ -14563,6 +14640,24 @@ async function cbcDecrypt(enc, cek, ciphertext, iv, tag2, aad) {
   }
   return plaintext;
 }
+async function gcmEncrypt(enc, plaintext, cek, iv, aad) {
+  let encKey;
+  if (cek instanceof Uint8Array) {
+    encKey = await crypto.subtle.importKey("raw", cek, "AES-GCM", false, ["encrypt"]);
+  } else {
+    checkEncCryptoKey(cek, enc, "encrypt");
+    encKey = cek;
+  }
+  const encrypted = new Uint8Array(await crypto.subtle.encrypt({
+    additionalData: aad,
+    iv,
+    name: "AES-GCM",
+    tagLength: 128
+  }, encKey, plaintext));
+  const tag2 = encrypted.slice(-16);
+  const ciphertext = encrypted.slice(0, -16);
+  return { ciphertext, tag: tag2, iv };
+}
 async function gcmDecrypt(enc, cek, ciphertext, iv, tag2, aad) {
   let encKey;
   if (cek instanceof Uint8Array) {
@@ -14582,9 +14677,38 @@ async function gcmDecrypt(enc, cek, ciphertext, iv, tag2, aad) {
     throw new JWEDecryptionFailed();
   }
 }
-var decrypt_default = async (enc, cek, ciphertext, iv, tag2, aad) => {
+var unsupportedEnc = "Unsupported JWE Content Encryption Algorithm";
+async function encrypt(enc, plaintext, cek, iv, aad) {
+  if (!isCryptoKey(cek) && !(cek instanceof Uint8Array)) {
+    throw new TypeError(invalidKeyInput(cek, "CryptoKey", "KeyObject", "Uint8Array", "JSON Web Key"));
+  }
+  if (iv) {
+    checkIvLength(enc, iv);
+  } else {
+    iv = generateIv(enc);
+  }
+  switch (enc) {
+    case "A128CBC-HS256":
+    case "A192CBC-HS384":
+    case "A256CBC-HS512":
+      if (cek instanceof Uint8Array) {
+        checkCekLength(cek, parseInt(enc.slice(-3), 10));
+      }
+      return cbcEncrypt(enc, plaintext, cek, iv, aad);
+    case "A128GCM":
+    case "A192GCM":
+    case "A256GCM":
+      if (cek instanceof Uint8Array) {
+        checkCekLength(cek, parseInt(enc.slice(1, 4), 10));
+      }
+      return gcmEncrypt(enc, plaintext, cek, iv, aad);
+    default:
+      throw new JOSENotSupported(unsupportedEnc);
+  }
+}
+async function decrypt(enc, cek, ciphertext, iv, tag2, aad) {
   if (!isCryptoKey(cek) && !(cek instanceof Uint8Array)) {
-    throw new TypeError(invalid_key_input_default(cek, "CryptoKey", "KeyObject", "Uint8Array", "JSON Web Key"));
+    throw new TypeError(invalidKeyInput(cek, "CryptoKey", "KeyObject", "Uint8Array", "JSON Web Key"));
   }
   if (!iv) {
     throw new JWEInvalid("JWE Initialization Vector missing");
@@ -14592,27 +14716,60 @@ var decrypt_default = async (enc, cek, ciphertext, iv, tag2, aad) => {
   if (!tag2) {
     throw new JWEInvalid("JWE Authentication Tag missing");
   }
-  check_iv_length_default(enc, iv);
+  checkIvLength(enc, iv);
   switch (enc) {
     case "A128CBC-HS256":
     case "A192CBC-HS384":
     case "A256CBC-HS512":
       if (cek instanceof Uint8Array)
-        check_cek_length_default(cek, parseInt(enc.slice(-3), 10));
+        checkCekLength(cek, parseInt(enc.slice(-3), 10));
       return cbcDecrypt(enc, cek, ciphertext, iv, tag2, aad);
     case "A128GCM":
     case "A192GCM":
     case "A256GCM":
       if (cek instanceof Uint8Array)
-        check_cek_length_default(cek, parseInt(enc.slice(1, 4), 10));
+        checkCekLength(cek, parseInt(enc.slice(1, 4), 10));
       return gcmDecrypt(enc, cek, ciphertext, iv, tag2, aad);
     default:
-      throw new JOSENotSupported("Unsupported JWE Content Encryption Algorithm");
+      throw new JOSENotSupported(unsupportedEnc);
   }
-};
+}
+
+// node_modules/jose/dist/webapi/lib/helpers.js
+var unprotected = /* @__PURE__ */ Symbol();
+function assertNotSet(value, name) {
+  if (value) {
+    throw new TypeError(`${name} can only be called once`);
+  }
+}
+function decodeBase64url(value, label, ErrorClass) {
+  try {
+    return decode(value);
+  } catch {
+    throw new ErrorClass(`Failed to base64url decode the ${label}`);
+  }
+}
+async function digest(algorithm, data) {
+  const subtleDigest = `SHA-${algorithm.slice(-3)}`;
+  return new Uint8Array(await crypto.subtle.digest(subtleDigest, data));
+}
 
-// node_modules/jose/dist/webapi/lib/is_disjoint.js
-var is_disjoint_default = (...headers) => {
+// node_modules/jose/dist/webapi/lib/type_checks.js
+var isObjectLike = (value) => typeof value === "object" && value !== null;
+function isObject(input) {
+  if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
+    return false;
+  }
+  if (Object.getPrototypeOf(input) === null) {
+    return true;
+  }
+  let proto = input;
+  while (Object.getPrototypeOf(proto) !== null) {
+    proto = Object.getPrototypeOf(proto);
+  }
+  return Object.getPrototypeOf(input) === proto;
+}
+function isDisjoint(...headers) {
   const sources = headers.filter(Boolean);
   if (sources.length === 0 || sources.length === 1) {
     return true;
@@ -14632,25 +14789,11 @@ var is_disjoint_default = (...headers) => {
     }
   }
   return true;
-};
-
-// node_modules/jose/dist/webapi/lib/is_object.js
-function isObjectLike(value) {
-  return typeof value === "object" && value !== null;
 }
-var is_object_default = (input) => {
-  if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
-    return false;
-  }
-  if (Object.getPrototypeOf(input) === null) {
-    return true;
-  }
-  let proto = input;
-  while (Object.getPrototypeOf(proto) !== null) {
-    proto = Object.getPrototypeOf(proto);
-  }
-  return Object.getPrototypeOf(input) === proto;
-};
+var isJWK = (key) => isObject(key) && typeof key.kty === "string";
+var isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
+var isPublicJWK = (key) => key.kty !== "oct" && key.d === void 0 && key.priv === void 0;
+var isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
 
 // node_modules/jose/dist/webapi/lib/aeskw.js
 function checkKeySize(key, alg) {
@@ -14678,12 +14821,6 @@ async function unwrap(alg, key, encryptedKey) {
   return new Uint8Array(await crypto.subtle.exportKey("raw", cryptoKeyCek));
 }
 
-// node_modules/jose/dist/webapi/lib/digest.js
-var digest_default = async (algorithm, data) => {
-  const subtleDigest = `SHA-${algorithm.slice(-3)}`;
-  return new Uint8Array(await crypto.subtle.digest(subtleDigest, data));
-};
-
 // node_modules/jose/dist/webapi/lib/ecdhes.js
 function lengthAndInput(input) {
   return concat(uint32be(input.length), input);
@@ -14698,19 +14835,19 @@ async function concatKdf(Z, L, OtherInfo) {
     hashInput.set(uint32be(i), 0);
     hashInput.set(Z, 4);
     hashInput.set(OtherInfo, 4 + Z.length);
-    const hashResult = await digest_default("sha256", hashInput);
+    const hashResult = await digest("sha256", hashInput);
     dk.set(hashResult, (i - 1) * hashLen);
   }
   return dk.slice(0, dkLen);
 }
-async function deriveKey(publicKey, privateKey, algorithm, keyLength, apu = new Uint8Array(0), apv = new Uint8Array(0)) {
+async function deriveKey(publicKey, privateKey, algorithm, keyLength, apu = new Uint8Array(), apv = new Uint8Array()) {
   checkEncCryptoKey(publicKey, "ECDH");
   checkEncCryptoKey(privateKey, "ECDH", "deriveBits");
-  const algorithmID = lengthAndInput(encoder.encode(algorithm));
+  const algorithmID = lengthAndInput(encode(algorithm));
   const partyUInfo = lengthAndInput(apu);
   const partyVInfo = lengthAndInput(apv);
   const suppPubInfo = uint32be(keyLength);
-  const suppPrivInfo = new Uint8Array(0);
+  const suppPrivInfo = new Uint8Array();
   const otherInfo = concat(algorithmID, partyUInfo, partyVInfo, suppPubInfo, suppPrivInfo);
   const Z = new Uint8Array(await crypto.subtle.deriveBits({
     name: publicKey.algorithm.name,
@@ -14738,12 +14875,14 @@ function allowed(key) {
 // node_modules/jose/dist/webapi/lib/pbes2kw.js
 function getCryptoKey2(key, alg) {
   if (key instanceof Uint8Array) {
-    return crypto.subtle.importKey("raw", key, "PBKDF2", false, ["deriveBits"]);
+    return crypto.subtle.importKey("raw", key, "PBKDF2", false, [
+      "deriveBits"
+    ]);
   }
   checkEncCryptoKey(key, alg, "deriveBits");
   return key;
 }
-var concatSalt = (alg, p2sInput) => concat(encoder.encode(alg), new Uint8Array([0]), p2sInput);
+var concatSalt = (alg, p2sInput) => concat(encode(alg), Uint8Array.of(0), p2sInput);
 async function deriveKey2(p2s, alg, p2c, key) {
   if (!(p2s instanceof Uint8Array) || p2s.length < 8) {
     throw new JWEInvalid("PBES2 Salt Input must be 8 or more octets");
@@ -14762,25 +14901,81 @@ async function deriveKey2(p2s, alg, p2c, key) {
 async function wrap2(alg, key, cek, p2c = 2048, p2s = crypto.getRandomValues(new Uint8Array(16))) {
   const derived = await deriveKey2(p2s, alg, p2c, key);
   const encryptedKey = await wrap(alg.slice(-6), derived, cek);
-  return { encryptedKey, p2c, p2s: encode(p2s) };
+  return { encryptedKey, p2c, p2s: encode2(p2s) };
 }
 async function unwrap2(alg, key, encryptedKey, p2c, p2s) {
   const derived = await deriveKey2(p2s, alg, p2c, key);
   return unwrap(alg.slice(-6), derived, encryptedKey);
 }
 
-// node_modules/jose/dist/webapi/lib/check_key_length.js
-var check_key_length_default = (alg, key) => {
+// node_modules/jose/dist/webapi/lib/signing.js
+function checkKeyLength(alg, key) {
   if (alg.startsWith("RS") || alg.startsWith("PS")) {
     const { modulusLength } = key.algorithm;
     if (typeof modulusLength !== "number" || modulusLength < 2048) {
       throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
     }
   }
-};
+}
+function subtleAlgorithm(alg, algorithm) {
+  const hash = `SHA-${alg.slice(-3)}`;
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      return { hash, name: "HMAC" };
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { hash, name: "RSASSA-PKCS1-v1_5" };
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
+    case "Ed25519":
+    case "EdDSA":
+      return { name: "Ed25519" };
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return { name: alg };
+    default:
+      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+async function getSigKey(alg, key, usage2) {
+  if (key instanceof Uint8Array) {
+    if (!alg.startsWith("HS")) {
+      throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+    }
+    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage2]);
+  }
+  checkSigCryptoKey(key, alg, usage2);
+  return key;
+}
+async function sign(alg, key, data) {
+  const cryptoKey = await getSigKey(alg, key, "sign");
+  checkKeyLength(alg, cryptoKey);
+  const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);
+  return new Uint8Array(signature);
+}
+async function verify(alg, key, signature, data) {
+  const cryptoKey = await getSigKey(alg, key, "verify");
+  checkKeyLength(alg, cryptoKey);
+  const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
+  try {
+    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+  } catch {
+    return false;
+  }
+}
 
 // node_modules/jose/dist/webapi/lib/rsaes.js
-var subtleAlgorithm = (alg) => {
+var subtleAlgorithm2 = (alg) => {
   switch (alg) {
     case "RSA-OAEP":
     case "RSA-OAEP-256":
@@ -14791,38 +14986,19 @@ var subtleAlgorithm = (alg) => {
       throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
   }
 };
-async function encrypt(alg, key, cek) {
+async function encrypt2(alg, key, cek) {
   checkEncCryptoKey(key, alg, "encrypt");
-  check_key_length_default(alg, key);
-  return new Uint8Array(await crypto.subtle.encrypt(subtleAlgorithm(alg), key, cek));
+  checkKeyLength(alg, key);
+  return new Uint8Array(await crypto.subtle.encrypt(subtleAlgorithm2(alg), key, cek));
 }
-async function decrypt(alg, key, encryptedKey) {
+async function decrypt2(alg, key, encryptedKey) {
   checkEncCryptoKey(key, alg, "decrypt");
-  check_key_length_default(alg, key);
-  return new Uint8Array(await crypto.subtle.decrypt(subtleAlgorithm(alg), key, encryptedKey));
+  checkKeyLength(alg, key);
+  return new Uint8Array(await crypto.subtle.decrypt(subtleAlgorithm2(alg), key, encryptedKey));
 }
 
-// node_modules/jose/dist/webapi/lib/cek.js
-function bitLength2(alg) {
-  switch (alg) {
-    case "A128GCM":
-      return 128;
-    case "A192GCM":
-      return 192;
-    case "A256GCM":
-    case "A128CBC-HS256":
-      return 256;
-    case "A192CBC-HS384":
-      return 384;
-    case "A256CBC-HS512":
-      return 512;
-    default:
-      throw new JOSENotSupported(`Unsupported JWE Algorithm: ${alg}`);
-  }
-}
-var cek_default = (alg) => crypto.getRandomValues(new Uint8Array(bitLength2(alg) >> 3));
-
 // node_modules/jose/dist/webapi/lib/jwk_to_key.js
+var unsupportedAlg = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
 function subtleMapping(jwk) {
   let algorithm;
   let keyUsages;
@@ -14836,7 +15012,7 @@ function subtleMapping(jwk) {
           keyUsages = jwk.priv ? ["sign"] : ["verify"];
           break;
         default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported(unsupportedAlg);
       }
       break;
     }
@@ -14865,22 +15041,19 @@ function subtleMapping(jwk) {
           keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
           break;
         default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported(unsupportedAlg);
       }
       break;
     }
     case "EC": {
       switch (jwk.alg) {
         case "ES256":
-          algorithm = { name: "ECDSA", namedCurve: "P-256" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES384":
-          algorithm = { name: "ECDSA", namedCurve: "P-384" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES512":
-          algorithm = { name: "ECDSA", namedCurve: "P-521" };
+          algorithm = {
+            name: "ECDSA",
+            namedCurve: { ES256: "P-256", ES384: "P-384", ES512: "P-521" }[jwk.alg]
+          };
           keyUsages = jwk.d ? ["sign"] : ["verify"];
           break;
         case "ECDH-ES":
@@ -14891,7 +15064,7 @@ function subtleMapping(jwk) {
           keyUsages = jwk.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported(unsupportedAlg);
       }
       break;
     }
@@ -14910,7 +15083,7 @@ function subtleMapping(jwk) {
           keyUsages = jwk.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported(unsupportedAlg);
       }
       break;
     }
@@ -14919,7 +15092,7 @@ function subtleMapping(jwk) {
   }
   return { algorithm, keyUsages };
 }
-var jwk_to_key_default = async (jwk) => {
+async function jwkToKey(jwk) {
   if (!jwk.alg) {
     throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
   }
@@ -14930,295 +15103,10 @@ var jwk_to_key_default = async (jwk) => {
   }
   delete keyData.use;
   return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
-};
-
-// node_modules/jose/dist/webapi/key/import.js
-async function importJWK(jwk, alg, options) {
-  if (!is_object_default(jwk)) {
-    throw new TypeError("JWK must be an object");
-  }
-  let ext;
-  alg ??= jwk.alg;
-  ext ??= options?.extractable ?? jwk.ext;
-  switch (jwk.kty) {
-    case "oct":
-      if (typeof jwk.k !== "string" || !jwk.k) {
-        throw new TypeError('missing "k" (Key Value) Parameter value');
-      }
-      return decode(jwk.k);
-    case "RSA":
-      if ("oth" in jwk && jwk.oth !== void 0) {
-        throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
-      }
-      return jwk_to_key_default({ ...jwk, alg, ext });
-    case "AKP": {
-      if (typeof jwk.alg !== "string" || !jwk.alg) {
-        throw new TypeError('missing "alg" (Algorithm) Parameter value');
-      }
-      if (alg !== void 0 && alg !== jwk.alg) {
-        throw new TypeError("JWK alg and alg option value mismatch");
-      }
-      return jwk_to_key_default({ ...jwk, ext });
-    }
-    case "EC":
-    case "OKP":
-      return jwk_to_key_default({ ...jwk, alg, ext });
-    default:
-      throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
-  }
-}
-
-// node_modules/jose/dist/webapi/lib/encrypt.js
-async function cbcEncrypt(enc, plaintext, cek, iv, aad) {
-  if (!(cek instanceof Uint8Array)) {
-    throw new TypeError(invalid_key_input_default(cek, "Uint8Array"));
-  }
-  const keySize = parseInt(enc.slice(1, 4), 10);
-  const encKey = await crypto.subtle.importKey("raw", cek.subarray(keySize >> 3), "AES-CBC", false, ["encrypt"]);
-  const macKey = await crypto.subtle.importKey("raw", cek.subarray(0, keySize >> 3), {
-    hash: `SHA-${keySize << 1}`,
-    name: "HMAC"
-  }, false, ["sign"]);
-  const ciphertext = new Uint8Array(await crypto.subtle.encrypt({
-    iv,
-    name: "AES-CBC"
-  }, encKey, plaintext));
-  const macData = concat(aad, iv, ciphertext, uint64be(aad.length << 3));
-  const tag2 = new Uint8Array((await crypto.subtle.sign("HMAC", macKey, macData)).slice(0, keySize >> 3));
-  return { ciphertext, tag: tag2, iv };
-}
-async function gcmEncrypt(enc, plaintext, cek, iv, aad) {
-  let encKey;
-  if (cek instanceof Uint8Array) {
-    encKey = await crypto.subtle.importKey("raw", cek, "AES-GCM", false, ["encrypt"]);
-  } else {
-    checkEncCryptoKey(cek, enc, "encrypt");
-    encKey = cek;
-  }
-  const encrypted = new Uint8Array(await crypto.subtle.encrypt({
-    additionalData: aad,
-    iv,
-    name: "AES-GCM",
-    tagLength: 128
-  }, encKey, plaintext));
-  const tag2 = encrypted.slice(-16);
-  const ciphertext = encrypted.slice(0, -16);
-  return { ciphertext, tag: tag2, iv };
-}
-var encrypt_default = async (enc, plaintext, cek, iv, aad) => {
-  if (!isCryptoKey(cek) && !(cek instanceof Uint8Array)) {
-    throw new TypeError(invalid_key_input_default(cek, "CryptoKey", "KeyObject", "Uint8Array", "JSON Web Key"));
-  }
-  if (iv) {
-    check_iv_length_default(enc, iv);
-  } else {
-    iv = iv_default(enc);
-  }
-  switch (enc) {
-    case "A128CBC-HS256":
-    case "A192CBC-HS384":
-    case "A256CBC-HS512":
-      if (cek instanceof Uint8Array) {
-        check_cek_length_default(cek, parseInt(enc.slice(-3), 10));
-      }
-      return cbcEncrypt(enc, plaintext, cek, iv, aad);
-    case "A128GCM":
-    case "A192GCM":
-    case "A256GCM":
-      if (cek instanceof Uint8Array) {
-        check_cek_length_default(cek, parseInt(enc.slice(1, 4), 10));
-      }
-      return gcmEncrypt(enc, plaintext, cek, iv, aad);
-    default:
-      throw new JOSENotSupported("Unsupported JWE Content Encryption Algorithm");
-  }
-};
-
-// node_modules/jose/dist/webapi/lib/aesgcmkw.js
-async function wrap3(alg, key, cek, iv) {
-  const jweAlgorithm = alg.slice(0, 7);
-  const wrapped = await encrypt_default(jweAlgorithm, cek, key, iv, new Uint8Array(0));
-  return {
-    encryptedKey: wrapped.ciphertext,
-    iv: encode(wrapped.iv),
-    tag: encode(wrapped.tag)
-  };
-}
-async function unwrap3(alg, key, encryptedKey, iv, tag2) {
-  const jweAlgorithm = alg.slice(0, 7);
-  return decrypt_default(jweAlgorithm, key, encryptedKey, iv, tag2, new Uint8Array(0));
-}
-
-// node_modules/jose/dist/webapi/lib/decrypt_key_management.js
-var decrypt_key_management_default = async (alg, key, encryptedKey, joseHeader, options) => {
-  switch (alg) {
-    case "dir": {
-      if (encryptedKey !== void 0)
-        throw new JWEInvalid("Encountered unexpected JWE Encrypted Key");
-      return key;
-    }
-    case "ECDH-ES":
-      if (encryptedKey !== void 0)
-        throw new JWEInvalid("Encountered unexpected JWE Encrypted Key");
-    case "ECDH-ES+A128KW":
-    case "ECDH-ES+A192KW":
-    case "ECDH-ES+A256KW": {
-      if (!is_object_default(joseHeader.epk))
-        throw new JWEInvalid(`JOSE Header "epk" (Ephemeral Public Key) missing or invalid`);
-      assertCryptoKey(key);
-      if (!allowed(key))
-        throw new JOSENotSupported("ECDH with the provided key is not allowed or not supported by your javascript runtime");
-      const epk = await importJWK(joseHeader.epk, alg);
-      assertCryptoKey(epk);
-      let partyUInfo;
-      let partyVInfo;
-      if (joseHeader.apu !== void 0) {
-        if (typeof joseHeader.apu !== "string")
-          throw new JWEInvalid(`JOSE Header "apu" (Agreement PartyUInfo) invalid`);
-        try {
-          partyUInfo = decode(joseHeader.apu);
-        } catch {
-          throw new JWEInvalid("Failed to base64url decode the apu");
-        }
-      }
-      if (joseHeader.apv !== void 0) {
-        if (typeof joseHeader.apv !== "string")
-          throw new JWEInvalid(`JOSE Header "apv" (Agreement PartyVInfo) invalid`);
-        try {
-          partyVInfo = decode(joseHeader.apv);
-        } catch {
-          throw new JWEInvalid("Failed to base64url decode the apv");
-        }
-      }
-      const sharedSecret = await deriveKey(epk, key, alg === "ECDH-ES" ? joseHeader.enc : alg, alg === "ECDH-ES" ? bitLength2(joseHeader.enc) : parseInt(alg.slice(-5, -2), 10), partyUInfo, partyVInfo);
-      if (alg === "ECDH-ES")
-        return sharedSecret;
-      if (encryptedKey === void 0)
-        throw new JWEInvalid("JWE Encrypted Key missing");
-      return unwrap(alg.slice(-6), sharedSecret, encryptedKey);
-    }
-    case "RSA-OAEP":
-    case "RSA-OAEP-256":
-    case "RSA-OAEP-384":
-    case "RSA-OAEP-512": {
-      if (encryptedKey === void 0)
-        throw new JWEInvalid("JWE Encrypted Key missing");
-      assertCryptoKey(key);
-      return decrypt(alg, key, encryptedKey);
-    }
-    case "PBES2-HS256+A128KW":
-    case "PBES2-HS384+A192KW":
-    case "PBES2-HS512+A256KW": {
-      if (encryptedKey === void 0)
-        throw new JWEInvalid("JWE Encrypted Key missing");
-      if (typeof joseHeader.p2c !== "number")
-        throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`);
-      const p2cLimit = options?.maxPBES2Count || 1e4;
-      if (joseHeader.p2c > p2cLimit)
-        throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds`);
-      if (typeof joseHeader.p2s !== "string")
-        throw new JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`);
-      let p2s;
-      try {
-        p2s = decode(joseHeader.p2s);
-      } catch {
-        throw new JWEInvalid("Failed to base64url decode the p2s");
-      }
-      return unwrap2(alg, key, encryptedKey, joseHeader.p2c, p2s);
-    }
-    case "A128KW":
-    case "A192KW":
-    case "A256KW": {
-      if (encryptedKey === void 0)
-        throw new JWEInvalid("JWE Encrypted Key missing");
-      return unwrap(alg, key, encryptedKey);
-    }
-    case "A128GCMKW":
-    case "A192GCMKW":
-    case "A256GCMKW": {
-      if (encryptedKey === void 0)
-        throw new JWEInvalid("JWE Encrypted Key missing");
-      if (typeof joseHeader.iv !== "string")
-        throw new JWEInvalid(`JOSE Header "iv" (Initialization Vector) missing or invalid`);
-      if (typeof joseHeader.tag !== "string")
-        throw new JWEInvalid(`JOSE Header "tag" (Authentication Tag) missing or invalid`);
-      let iv;
-      try {
-        iv = decode(joseHeader.iv);
-      } catch {
-        throw new JWEInvalid("Failed to base64url decode the iv");
-      }
-      let tag2;
-      try {
-        tag2 = decode(joseHeader.tag);
-      } catch {
-        throw new JWEInvalid("Failed to base64url decode the tag");
-      }
-      return unwrap3(alg, key, encryptedKey, iv, tag2);
-    }
-    default: {
-      throw new JOSENotSupported('Invalid or unsupported "alg" (JWE Algorithm) header value');
-    }
-  }
-};
-
-// node_modules/jose/dist/webapi/lib/validate_crit.js
-var validate_crit_default = (Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) => {
-  if (joseHeader.crit !== void 0 && protectedHeader?.crit === void 0) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
-  }
-  if (!protectedHeader || protectedHeader.crit === void 0) {
-    return /* @__PURE__ */ new Set();
-  }
-  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
-  }
-  let recognized;
-  if (recognizedOption !== void 0) {
-    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
-  } else {
-    recognized = recognizedDefault;
-  }
-  for (const parameter of protectedHeader.crit) {
-    if (!recognized.has(parameter)) {
-      throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
-    }
-    if (joseHeader[parameter] === void 0) {
-      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
-    }
-    if (recognized.get(parameter) && protectedHeader[parameter] === void 0) {
-      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
-    }
-  }
-  return new Set(protectedHeader.crit);
-};
-
-// node_modules/jose/dist/webapi/lib/validate_algorithms.js
-var validate_algorithms_default = (option, algorithms) => {
-  if (algorithms !== void 0 && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
-    throw new TypeError(`"${option}" option must be an array of strings`);
-  }
-  if (!algorithms) {
-    return void 0;
-  }
-  return new Set(algorithms);
-};
-
-// node_modules/jose/dist/webapi/lib/is_jwk.js
-function isJWK(key) {
-  return is_object_default(key) && typeof key.kty === "string";
-}
-function isPrivateJWK(key) {
-  return key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
-}
-function isPublicJWK(key) {
-  return key.kty !== "oct" && typeof key.d === "undefined" && typeof key.priv === "undefined";
-}
-function isSecretJWK(key) {
-  return key.kty === "oct" && typeof key.k === "string";
 }
 
 // node_modules/jose/dist/webapi/lib/normalize_key.js
+var unusableForAlg = "given KeyObject instance cannot be used for this algorithm";
 var cache;
 var handleJWK = async (key, jwk, alg, freeze = false) => {
   cache ||= /* @__PURE__ */ new WeakMap();
@@ -15226,7 +15114,7 @@ var handleJWK = async (key, jwk, alg, freeze = false) => {
   if (cached?.[alg]) {
     return cached[alg];
   }
-  const cryptoKey = await jwk_to_key_default({ ...jwk, alg });
+  const cryptoKey = await jwkToKey({ ...jwk, alg });
   if (freeze)
     Object.freeze(key);
   if (!cached) {
@@ -15253,13 +15141,13 @@ var handleKeyObject = (keyObject, alg) => {
       case "ECDH-ES+A256KW":
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
   }
   if (keyObject.asymmetricKeyType === "ed25519") {
     if (alg !== "EdDSA" && alg !== "Ed25519") {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+      throw new TypeError(unusableForAlg);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
       isPublic ? "verify" : "sign"
@@ -15270,7 +15158,7 @@ var handleKeyObject = (keyObject, alg) => {
     case "ml-dsa-65":
     case "ml-dsa-87": {
       if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg);
       }
       cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
         isPublic ? "verify" : "sign"
@@ -15299,7 +15187,7 @@ var handleKeyObject = (keyObject, alg) => {
         hash = "SHA-512";
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg);
     }
     if (alg.startsWith("RSA-OAEP")) {
       return keyObject.toCryptoKey({
@@ -15320,21 +15208,10 @@ var handleKeyObject = (keyObject, alg) => {
     ]);
     const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
     if (!namedCurve) {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-    }
-    if (alg === "ES256" && namedCurve === "P-256") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
-    }
-    if (alg === "ES384" && namedCurve === "P-384") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
+      throw new TypeError(unusableForAlg);
     }
-    if (alg === "ES512" && namedCurve === "P-521") {
+    const expectedCurve = { ES256: "P-256", ES384: "P-384", ES512: "P-521" };
+    if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {
       cryptoKey = keyObject.toCryptoKey({
         name: "ECDSA",
         namedCurve
@@ -15348,7 +15225,7 @@ var handleKeyObject = (keyObject, alg) => {
     }
   }
   if (!cryptoKey) {
-    throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    throw new TypeError(unusableForAlg);
   }
   if (!cached) {
     cache.set(keyObject, { [alg]: cryptoKey });
@@ -15357,7 +15234,7 @@ var handleKeyObject = (keyObject, alg) => {
   }
   return cryptoKey;
 };
-var normalize_key_default = async (key, alg) => {
+async function normalizeKey(key, alg) {
   if (key instanceof Uint8Array) {
     return key;
   }
@@ -15380,14 +15257,314 @@ var normalize_key_default = async (key, alg) => {
     let jwk = key.export({ format: "jwk" });
     return handleJWK(key, jwk, alg);
   }
-  if (isJWK(key)) {
-    if (key.k) {
-      return decode(key.k);
+  if (isJWK(key)) {
+    if (key.k) {
+      return decode(key.k);
+    }
+    return handleJWK(key, key, alg, true);
+  }
+  throw new Error("unreachable");
+}
+
+// node_modules/jose/dist/webapi/key/import.js
+async function importJWK(jwk, alg, options) {
+  if (!isObject(jwk)) {
+    throw new TypeError("JWK must be an object");
+  }
+  let ext;
+  alg ??= jwk.alg;
+  ext ??= options?.extractable ?? jwk.ext;
+  switch (jwk.kty) {
+    case "oct":
+      if (typeof jwk.k !== "string" || !jwk.k) {
+        throw new TypeError('missing "k" (Key Value) Parameter value');
+      }
+      return decode(jwk.k);
+    case "RSA":
+      if ("oth" in jwk && jwk.oth !== void 0) {
+        throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+      }
+      return jwkToKey({ ...jwk, alg, ext });
+    case "AKP": {
+      if (typeof jwk.alg !== "string" || !jwk.alg) {
+        throw new TypeError('missing "alg" (Algorithm) Parameter value');
+      }
+      if (alg !== void 0 && alg !== jwk.alg) {
+        throw new TypeError("JWK alg and alg option value mismatch");
+      }
+      return jwkToKey({ ...jwk, ext });
+    }
+    case "EC":
+    case "OKP":
+      return jwkToKey({ ...jwk, alg, ext });
+    default:
+      throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
+  }
+}
+
+// node_modules/jose/dist/webapi/lib/key_to_jwk.js
+async function keyToJWK(key) {
+  if (isKeyObject(key)) {
+    if (key.type === "secret") {
+      key = key.export();
+    } else {
+      return key.export({ format: "jwk" });
+    }
+  }
+  if (key instanceof Uint8Array) {
+    return {
+      kty: "oct",
+      k: encode2(key)
+    };
+  }
+  if (!isCryptoKey(key)) {
+    throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "Uint8Array"));
+  }
+  if (!key.extractable) {
+    throw new TypeError("non-extractable CryptoKey cannot be exported as a JWK");
+  }
+  const { ext, key_ops, alg, use, ...jwk } = await crypto.subtle.exportKey("jwk", key);
+  if (jwk.kty === "AKP") {
+    ;
+    jwk.alg = alg;
+  }
+  return jwk;
+}
+
+// node_modules/jose/dist/webapi/key/export.js
+async function exportJWK(key) {
+  return keyToJWK(key);
+}
+
+// node_modules/jose/dist/webapi/lib/aesgcmkw.js
+async function wrap3(alg, key, cek, iv) {
+  const jweAlgorithm = alg.slice(0, 7);
+  const wrapped = await encrypt(jweAlgorithm, cek, key, iv, new Uint8Array());
+  return {
+    encryptedKey: wrapped.ciphertext,
+    iv: encode2(wrapped.iv),
+    tag: encode2(wrapped.tag)
+  };
+}
+async function unwrap3(alg, key, encryptedKey, iv, tag2) {
+  const jweAlgorithm = alg.slice(0, 7);
+  return decrypt(jweAlgorithm, key, encryptedKey, iv, tag2, new Uint8Array());
+}
+
+// node_modules/jose/dist/webapi/lib/key_management.js
+var unsupportedAlgHeader = 'Invalid or unsupported "alg" (JWE Algorithm) header value';
+function assertEncryptedKey(encryptedKey) {
+  if (encryptedKey === void 0)
+    throw new JWEInvalid("JWE Encrypted Key missing");
+}
+async function decryptKeyManagement(alg, key, encryptedKey, joseHeader, options) {
+  switch (alg) {
+    case "dir": {
+      if (encryptedKey !== void 0)
+        throw new JWEInvalid("Encountered unexpected JWE Encrypted Key");
+      return key;
+    }
+    case "ECDH-ES":
+      if (encryptedKey !== void 0)
+        throw new JWEInvalid("Encountered unexpected JWE Encrypted Key");
+    case "ECDH-ES+A128KW":
+    case "ECDH-ES+A192KW":
+    case "ECDH-ES+A256KW": {
+      if (!isObject(joseHeader.epk))
+        throw new JWEInvalid(`JOSE Header "epk" (Ephemeral Public Key) missing or invalid`);
+      assertCryptoKey(key);
+      if (!allowed(key))
+        throw new JOSENotSupported("ECDH with the provided key is not allowed or not supported by your javascript runtime");
+      const epk = await importJWK(joseHeader.epk, alg);
+      assertCryptoKey(epk);
+      let partyUInfo;
+      let partyVInfo;
+      if (joseHeader.apu !== void 0) {
+        if (typeof joseHeader.apu !== "string")
+          throw new JWEInvalid(`JOSE Header "apu" (Agreement PartyUInfo) invalid`);
+        partyUInfo = decodeBase64url(joseHeader.apu, "apu", JWEInvalid);
+      }
+      if (joseHeader.apv !== void 0) {
+        if (typeof joseHeader.apv !== "string")
+          throw new JWEInvalid(`JOSE Header "apv" (Agreement PartyVInfo) invalid`);
+        partyVInfo = decodeBase64url(joseHeader.apv, "apv", JWEInvalid);
+      }
+      const sharedSecret = await deriveKey(epk, key, alg === "ECDH-ES" ? joseHeader.enc : alg, alg === "ECDH-ES" ? cekLength(joseHeader.enc) : parseInt(alg.slice(-5, -2), 10), partyUInfo, partyVInfo);
+      if (alg === "ECDH-ES")
+        return sharedSecret;
+      assertEncryptedKey(encryptedKey);
+      return unwrap(alg.slice(-6), sharedSecret, encryptedKey);
+    }
+    case "RSA-OAEP":
+    case "RSA-OAEP-256":
+    case "RSA-OAEP-384":
+    case "RSA-OAEP-512": {
+      assertEncryptedKey(encryptedKey);
+      assertCryptoKey(key);
+      return decrypt2(alg, key, encryptedKey);
+    }
+    case "PBES2-HS256+A128KW":
+    case "PBES2-HS384+A192KW":
+    case "PBES2-HS512+A256KW": {
+      assertEncryptedKey(encryptedKey);
+      if (typeof joseHeader.p2c !== "number")
+        throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`);
+      const p2cLimit = options?.maxPBES2Count || 1e4;
+      if (joseHeader.p2c > p2cLimit)
+        throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds`);
+      if (typeof joseHeader.p2s !== "string")
+        throw new JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`);
+      let p2s;
+      p2s = decodeBase64url(joseHeader.p2s, "p2s", JWEInvalid);
+      return unwrap2(alg, key, encryptedKey, joseHeader.p2c, p2s);
+    }
+    case "A128KW":
+    case "A192KW":
+    case "A256KW": {
+      assertEncryptedKey(encryptedKey);
+      return unwrap(alg, key, encryptedKey);
+    }
+    case "A128GCMKW":
+    case "A192GCMKW":
+    case "A256GCMKW": {
+      assertEncryptedKey(encryptedKey);
+      if (typeof joseHeader.iv !== "string")
+        throw new JWEInvalid(`JOSE Header "iv" (Initialization Vector) missing or invalid`);
+      if (typeof joseHeader.tag !== "string")
+        throw new JWEInvalid(`JOSE Header "tag" (Authentication Tag) missing or invalid`);
+      let iv;
+      iv = decodeBase64url(joseHeader.iv, "iv", JWEInvalid);
+      let tag2;
+      tag2 = decodeBase64url(joseHeader.tag, "tag", JWEInvalid);
+      return unwrap3(alg, key, encryptedKey, iv, tag2);
+    }
+    default: {
+      throw new JOSENotSupported(unsupportedAlgHeader);
+    }
+  }
+}
+async function encryptKeyManagement(alg, enc, key, providedCek, providedParameters = {}) {
+  let encryptedKey;
+  let parameters;
+  let cek;
+  switch (alg) {
+    case "dir": {
+      cek = key;
+      break;
+    }
+    case "ECDH-ES":
+    case "ECDH-ES+A128KW":
+    case "ECDH-ES+A192KW":
+    case "ECDH-ES+A256KW": {
+      assertCryptoKey(key);
+      if (!allowed(key)) {
+        throw new JOSENotSupported("ECDH with the provided key is not allowed or not supported by your javascript runtime");
+      }
+      const { apu, apv } = providedParameters;
+      let ephemeralKey;
+      if (providedParameters.epk) {
+        ephemeralKey = await normalizeKey(providedParameters.epk, alg);
+      } else {
+        ephemeralKey = (await crypto.subtle.generateKey(key.algorithm, true, ["deriveBits"])).privateKey;
+      }
+      const { x, y, crv, kty } = await exportJWK(ephemeralKey);
+      const sharedSecret = await deriveKey(key, ephemeralKey, alg === "ECDH-ES" ? enc : alg, alg === "ECDH-ES" ? cekLength(enc) : parseInt(alg.slice(-5, -2), 10), apu, apv);
+      parameters = { epk: { x, crv, kty } };
+      if (kty === "EC")
+        parameters.epk.y = y;
+      if (apu)
+        parameters.apu = encode2(apu);
+      if (apv)
+        parameters.apv = encode2(apv);
+      if (alg === "ECDH-ES") {
+        cek = sharedSecret;
+        break;
+      }
+      cek = providedCek || generateCek(enc);
+      const kwAlg = alg.slice(-6);
+      encryptedKey = await wrap(kwAlg, sharedSecret, cek);
+      break;
+    }
+    case "RSA-OAEP":
+    case "RSA-OAEP-256":
+    case "RSA-OAEP-384":
+    case "RSA-OAEP-512": {
+      cek = providedCek || generateCek(enc);
+      assertCryptoKey(key);
+      encryptedKey = await encrypt2(alg, key, cek);
+      break;
+    }
+    case "PBES2-HS256+A128KW":
+    case "PBES2-HS384+A192KW":
+    case "PBES2-HS512+A256KW": {
+      cek = providedCek || generateCek(enc);
+      const { p2c, p2s } = providedParameters;
+      ({ encryptedKey, ...parameters } = await wrap2(alg, key, cek, p2c, p2s));
+      break;
+    }
+    case "A128KW":
+    case "A192KW":
+    case "A256KW": {
+      cek = providedCek || generateCek(enc);
+      encryptedKey = await wrap(alg, key, cek);
+      break;
+    }
+    case "A128GCMKW":
+    case "A192GCMKW":
+    case "A256GCMKW": {
+      cek = providedCek || generateCek(enc);
+      const { iv } = providedParameters;
+      ({ encryptedKey, ...parameters } = await wrap3(alg, key, cek, iv));
+      break;
+    }
+    default: {
+      throw new JOSENotSupported(unsupportedAlgHeader);
+    }
+  }
+  return { cek, encryptedKey, parameters };
+}
+
+// node_modules/jose/dist/webapi/lib/validate_crit.js
+function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+  if (joseHeader.crit !== void 0 && protectedHeader?.crit === void 0) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
+  }
+  if (!protectedHeader || protectedHeader.crit === void 0) {
+    return /* @__PURE__ */ new Set();
+  }
+  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  }
+  let recognized;
+  if (recognizedOption !== void 0) {
+    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+  } else {
+    recognized = recognizedDefault;
+  }
+  for (const parameter of protectedHeader.crit) {
+    if (!recognized.has(parameter)) {
+      throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
+    }
+    if (joseHeader[parameter] === void 0) {
+      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+    }
+    if (recognized.get(parameter) && protectedHeader[parameter] === void 0) {
+      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
     }
-    return handleJWK(key, key, alg, true);
   }
-  throw new Error("unreachable");
-};
+  return new Set(protectedHeader.crit);
+}
+
+// node_modules/jose/dist/webapi/lib/validate_algorithms.js
+function validateAlgorithms(option, algorithms) {
+  if (algorithms !== void 0 && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
+    throw new TypeError(`"${option}" option must be an array of strings`);
+  }
+  if (!algorithms) {
+    return void 0;
+  }
+  return new Set(algorithms);
+}
 
 // node_modules/jose/dist/webapi/lib/check_key_type.js
 var tag = (key) => key?.[Symbol.toStringTag];
@@ -15450,7 +15627,7 @@ var symmetricTypeCheck = (alg, key, usage2) => {
       return;
     throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`);
   }
-  if (!is_key_like_default(key)) {
+  if (!isKeyLike(key)) {
     throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
   }
   if (key.type !== "secret") {
@@ -15464,15 +15641,15 @@ var asymmetricTypeCheck = (alg, key, usage2) => {
       case "sign":
         if (isPrivateJWK(key) && jwkMatchesOp(alg, key, usage2))
           return;
-        throw new TypeError(`JSON Web Key for this operation be a private JWK`);
+        throw new TypeError(`JSON Web Key for this operation must be a private JWK`);
       case "encrypt":
       case "verify":
         if (isPublicJWK(key) && jwkMatchesOp(alg, key, usage2))
           return;
-        throw new TypeError(`JSON Web Key for this operation be a public JWK`);
+        throw new TypeError(`JSON Web Key for this operation must be a public JWK`);
     }
   }
-  if (!is_key_like_default(key)) {
+  if (!isKeyLike(key)) {
     throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key"));
   }
   if (key.type === "secret") {
@@ -15484,8 +15661,6 @@ var asymmetricTypeCheck = (alg, key, usage2) => {
         throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type "private"`);
       case "decrypt":
         throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type "private"`);
-      default:
-        break;
     }
   }
   if (key.type === "private") {
@@ -15494,23 +15669,70 @@ var asymmetricTypeCheck = (alg, key, usage2) => {
         throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type "public"`);
       case "encrypt":
         throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type "public"`);
-      default:
-        break;
     }
   }
 };
-var check_key_type_default = (alg, key, usage2) => {
-  const symmetric = alg.startsWith("HS") || alg === "dir" || alg.startsWith("PBES2") || /^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(alg) || /^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(alg);
-  if (symmetric) {
-    symmetricTypeCheck(alg, key, usage2);
-  } else {
-    asymmetricTypeCheck(alg, key, usage2);
+function checkKeyType(alg, key, usage2) {
+  switch (alg.substring(0, 2)) {
+    case "A1":
+    case "A2":
+    case "di":
+    case "HS":
+    case "PB":
+      symmetricTypeCheck(alg, key, usage2);
+      break;
+    default:
+      asymmetricTypeCheck(alg, key, usage2);
   }
-};
+}
+
+// node_modules/jose/dist/webapi/lib/deflate.js
+function supported(name) {
+  if (typeof globalThis[name] === "undefined") {
+    throw new JOSENotSupported(`JWE "zip" (Compression Algorithm) Header Parameter requires the ${name} API.`);
+  }
+}
+async function compress(input) {
+  supported("CompressionStream");
+  const cs = new CompressionStream("deflate-raw");
+  const writer = cs.writable.getWriter();
+  writer.write(input);
+  writer.close();
+  const chunks = [];
+  const reader = cs.readable.getReader();
+  for (; ; ) {
+    const { value, done } = await reader.read();
+    if (done)
+      break;
+    chunks.push(value);
+  }
+  return concat(...chunks);
+}
+async function decompress(input, maxLength) {
+  supported("DecompressionStream");
+  const ds = new DecompressionStream("deflate-raw");
+  const writer = ds.writable.getWriter();
+  writer.write(input);
+  writer.close();
+  const chunks = [];
+  let length = 0;
+  const reader = ds.readable.getReader();
+  for (; ; ) {
+    const { value, done } = await reader.read();
+    if (done)
+      break;
+    chunks.push(value);
+    length += value.byteLength;
+    if (maxLength !== Infinity && length > maxLength) {
+      throw new JWEInvalid("Decompressed plaintext exceeded the configured limit");
+    }
+  }
+  return concat(...chunks);
+}
 
 // node_modules/jose/dist/webapi/jwe/flattened/decrypt.js
 async function flattenedDecrypt(jwe, key, options) {
-  if (!is_object_default(jwe)) {
+  if (!isObject(jwe)) {
     throw new JWEInvalid("Flattened JWE must be an object");
   }
   if (jwe.protected === void 0 && jwe.header === void 0 && jwe.unprotected === void 0) {
@@ -15534,10 +15756,10 @@ async function flattenedDecrypt(jwe, key, options) {
   if (jwe.aad !== void 0 && typeof jwe.aad !== "string") {
     throw new JWEInvalid("JWE AAD incorrect type");
   }
-  if (jwe.header !== void 0 && !is_object_default(jwe.header)) {
+  if (jwe.header !== void 0 && !isObject(jwe.header)) {
     throw new JWEInvalid("JWE Shared Unprotected Header incorrect type");
   }
-  if (jwe.unprotected !== void 0 && !is_object_default(jwe.unprotected)) {
+  if (jwe.unprotected !== void 0 && !isObject(jwe.unprotected)) {
     throw new JWEInvalid("JWE Per-Recipient Unprotected Header incorrect type");
   }
   let parsedProt;
@@ -15549,7 +15771,7 @@ async function flattenedDecrypt(jwe, key, options) {
       throw new JWEInvalid("JWE Protected Header is invalid");
     }
   }
-  if (!is_disjoint_default(parsedProt, jwe.header, jwe.unprotected)) {
+  if (!isDisjoint(parsedProt, jwe.header, jwe.unprotected)) {
     throw new JWEInvalid("JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint");
   }
   const joseHeader = {
@@ -15557,9 +15779,12 @@ async function flattenedDecrypt(jwe, key, options) {
     ...jwe.header,
     ...jwe.unprotected
   };
-  validate_crit_default(JWEInvalid, /* @__PURE__ */ new Map(), options?.crit, parsedProt, joseHeader);
-  if (joseHeader.zip !== void 0) {
-    throw new JOSENotSupported('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');
+  validateCrit(JWEInvalid, /* @__PURE__ */ new Map(), options?.crit, parsedProt, joseHeader);
+  if (joseHeader.zip !== void 0 && joseHeader.zip !== "DEF") {
+    throw new JOSENotSupported('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value.');
+  }
+  if (joseHeader.zip !== void 0 && !parsedProt?.zip) {
+    throw new JWEInvalid('JWE "zip" (Compression Algorithm) Header Parameter MUST be in a protected header.');
   }
   const { alg, enc } = joseHeader;
   if (typeof alg !== "string" || !alg) {
@@ -15568,8 +15793,8 @@ async function flattenedDecrypt(jwe, key, options) {
   if (typeof enc !== "string" || !enc) {
     throw new JWEInvalid("missing JWE Encryption Algorithm (enc) in JWE Header");
   }
-  const keyManagementAlgorithms = options && validate_algorithms_default("keyManagementAlgorithms", options.keyManagementAlgorithms);
-  const contentEncryptionAlgorithms = options && validate_algorithms_default("contentEncryptionAlgorithms", options.contentEncryptionAlgorithms);
+  const keyManagementAlgorithms = options && validateAlgorithms("keyManagementAlgorithms", options.keyManagementAlgorithms);
+  const contentEncryptionAlgorithms = options && validateAlgorithms("contentEncryptionAlgorithms", options.contentEncryptionAlgorithms);
   if (keyManagementAlgorithms && !keyManagementAlgorithms.has(alg) || !keyManagementAlgorithms && alg.startsWith("PBES2")) {
     throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
   }
@@ -15578,68 +15803,57 @@ async function flattenedDecrypt(jwe, key, options) {
   }
   let encryptedKey;
   if (jwe.encrypted_key !== void 0) {
-    try {
-      encryptedKey = decode(jwe.encrypted_key);
-    } catch {
-      throw new JWEInvalid("Failed to base64url decode the encrypted_key");
-    }
+    encryptedKey = decodeBase64url(jwe.encrypted_key, "encrypted_key", JWEInvalid);
   }
   let resolvedKey = false;
   if (typeof key === "function") {
     key = await key(parsedProt, jwe);
     resolvedKey = true;
   }
-  check_key_type_default(alg === "dir" ? enc : alg, key, "decrypt");
-  const k = await normalize_key_default(key, alg);
+  checkKeyType(alg === "dir" ? enc : alg, key, "decrypt");
+  const k = await normalizeKey(key, alg);
   let cek;
   try {
-    cek = await decrypt_key_management_default(alg, k, encryptedKey, joseHeader, options);
+    cek = await decryptKeyManagement(alg, k, encryptedKey, joseHeader, options);
   } catch (err) {
     if (err instanceof TypeError || err instanceof JWEInvalid || err instanceof JOSENotSupported) {
       throw err;
     }
-    cek = cek_default(enc);
+    cek = generateCek(enc);
   }
   let iv;
   let tag2;
   if (jwe.iv !== void 0) {
-    try {
-      iv = decode(jwe.iv);
-    } catch {
-      throw new JWEInvalid("Failed to base64url decode the iv");
-    }
+    iv = decodeBase64url(jwe.iv, "iv", JWEInvalid);
   }
   if (jwe.tag !== void 0) {
-    try {
-      tag2 = decode(jwe.tag);
-    } catch {
-      throw new JWEInvalid("Failed to base64url decode the tag");
-    }
+    tag2 = decodeBase64url(jwe.tag, "tag", JWEInvalid);
   }
-  const protectedHeader = encoder.encode(jwe.protected ?? "");
+  const protectedHeader = jwe.protected !== void 0 ? encode(jwe.protected) : new Uint8Array();
   let additionalData;
   if (jwe.aad !== void 0) {
-    additionalData = concat(protectedHeader, encoder.encode("."), encoder.encode(jwe.aad));
+    additionalData = concat(protectedHeader, encode("."), encode(jwe.aad));
   } else {
     additionalData = protectedHeader;
   }
-  let ciphertext;
-  try {
-    ciphertext = decode(jwe.ciphertext);
-  } catch {
-    throw new JWEInvalid("Failed to base64url decode the ciphertext");
-  }
-  const plaintext = await decrypt_default(enc, cek, ciphertext, iv, tag2, additionalData);
+  const ciphertext = decodeBase64url(jwe.ciphertext, "ciphertext", JWEInvalid);
+  const plaintext = await decrypt(enc, cek, ciphertext, iv, tag2, additionalData);
   const result = { plaintext };
+  if (joseHeader.zip === "DEF") {
+    const maxDecompressedLength = options?.maxDecompressedLength ?? 25e4;
+    if (maxDecompressedLength === 0) {
+      throw new JOSENotSupported('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');
+    }
+    if (maxDecompressedLength !== Infinity && (!Number.isSafeInteger(maxDecompressedLength) || maxDecompressedLength < 1)) {
+      throw new TypeError("maxDecompressedLength must be 0, a positive safe integer, or Infinity");
+    }
+    result.plaintext = await decompress(plaintext, maxDecompressedLength);
+  }
   if (jwe.protected !== void 0) {
     result.protectedHeader = parsedProt;
   }
   if (jwe.aad !== void 0) {
-    try {
-      result.additionalAuthenticatedData = decode(jwe.aad);
-    } catch {
-      throw new JWEInvalid("Failed to base64url decode the aad");
-    }
+    result.additionalAuthenticatedData = decodeBase64url(jwe.aad, "aad", JWEInvalid);
   }
   if (jwe.unprotected !== void 0) {
     result.sharedUnprotectedHeader = jwe.unprotected;
@@ -15679,125 +15893,6 @@ async function compactDecrypt(jwe, key, options) {
   return result;
 }
 
-// node_modules/jose/dist/webapi/lib/private_symbols.js
-var unprotected = Symbol();
-
-// node_modules/jose/dist/webapi/lib/key_to_jwk.js
-async function keyToJWK(key) {
-  if (isKeyObject(key)) {
-    if (key.type === "secret") {
-      key = key.export();
-    } else {
-      return key.export({ format: "jwk" });
-    }
-  }
-  if (key instanceof Uint8Array) {
-    return {
-      kty: "oct",
-      k: encode(key)
-    };
-  }
-  if (!isCryptoKey(key)) {
-    throw new TypeError(invalid_key_input_default(key, "CryptoKey", "KeyObject", "Uint8Array"));
-  }
-  if (!key.extractable) {
-    throw new TypeError("non-extractable CryptoKey cannot be exported as a JWK");
-  }
-  const { ext, key_ops, alg, use, ...jwk } = await crypto.subtle.exportKey("jwk", key);
-  if (jwk.kty === "AKP") {
-    ;
-    jwk.alg = alg;
-  }
-  return jwk;
-}
-
-// node_modules/jose/dist/webapi/key/export.js
-async function exportJWK(key) {
-  return keyToJWK(key);
-}
-
-// node_modules/jose/dist/webapi/lib/encrypt_key_management.js
-var encrypt_key_management_default = async (alg, enc, key, providedCek, providedParameters = {}) => {
-  let encryptedKey;
-  let parameters;
-  let cek;
-  switch (alg) {
-    case "dir": {
-      cek = key;
-      break;
-    }
-    case "ECDH-ES":
-    case "ECDH-ES+A128KW":
-    case "ECDH-ES+A192KW":
-    case "ECDH-ES+A256KW": {
-      assertCryptoKey(key);
-      if (!allowed(key)) {
-        throw new JOSENotSupported("ECDH with the provided key is not allowed or not supported by your javascript runtime");
-      }
-      const { apu, apv } = providedParameters;
-      let ephemeralKey;
-      if (providedParameters.epk) {
-        ephemeralKey = await normalize_key_default(providedParameters.epk, alg);
-      } else {
-        ephemeralKey = (await crypto.subtle.generateKey(key.algorithm, true, ["deriveBits"])).privateKey;
-      }
-      const { x, y, crv, kty } = await exportJWK(ephemeralKey);
-      const sharedSecret = await deriveKey(key, ephemeralKey, alg === "ECDH-ES" ? enc : alg, alg === "ECDH-ES" ? bitLength2(enc) : parseInt(alg.slice(-5, -2), 10), apu, apv);
-      parameters = { epk: { x, crv, kty } };
-      if (kty === "EC")
-        parameters.epk.y = y;
-      if (apu)
-        parameters.apu = encode(apu);
-      if (apv)
-        parameters.apv = encode(apv);
-      if (alg === "ECDH-ES") {
-        cek = sharedSecret;
-        break;
-      }
-      cek = providedCek || cek_default(enc);
-      const kwAlg = alg.slice(-6);
-      encryptedKey = await wrap(kwAlg, sharedSecret, cek);
-      break;
-    }
-    case "RSA-OAEP":
-    case "RSA-OAEP-256":
-    case "RSA-OAEP-384":
-    case "RSA-OAEP-512": {
-      cek = providedCek || cek_default(enc);
-      assertCryptoKey(key);
-      encryptedKey = await encrypt(alg, key, cek);
-      break;
-    }
-    case "PBES2-HS256+A128KW":
-    case "PBES2-HS384+A192KW":
-    case "PBES2-HS512+A256KW": {
-      cek = providedCek || cek_default(enc);
-      const { p2c, p2s } = providedParameters;
-      ({ encryptedKey, ...parameters } = await wrap2(alg, key, cek, p2c, p2s));
-      break;
-    }
-    case "A128KW":
-    case "A192KW":
-    case "A256KW": {
-      cek = providedCek || cek_default(enc);
-      encryptedKey = await wrap(alg, key, cek);
-      break;
-    }
-    case "A128GCMKW":
-    case "A192GCMKW":
-    case "A256GCMKW": {
-      cek = providedCek || cek_default(enc);
-      const { iv } = providedParameters;
-      ({ encryptedKey, ...parameters } = await wrap3(alg, key, cek, iv));
-      break;
-    }
-    default: {
-      throw new JOSENotSupported('Invalid or unsupported "alg" (JWE Algorithm) header value');
-    }
-  }
-  return { cek, encryptedKey, parameters };
-};
-
 // node_modules/jose/dist/webapi/jwe/flattened/encrypt.js
 var FlattenedEncrypt = class {
   #plaintext;
@@ -15815,30 +15910,22 @@ var FlattenedEncrypt = class {
     this.#plaintext = plaintext;
   }
   setKeyManagementParameters(parameters) {
-    if (this.#keyManagementParameters) {
-      throw new TypeError("setKeyManagementParameters can only be called once");
-    }
+    assertNotSet(this.#keyManagementParameters, "setKeyManagementParameters");
     this.#keyManagementParameters = parameters;
     return this;
   }
   setProtectedHeader(protectedHeader) {
-    if (this.#protectedHeader) {
-      throw new TypeError("setProtectedHeader can only be called once");
-    }
+    assertNotSet(this.#protectedHeader, "setProtectedHeader");
     this.#protectedHeader = protectedHeader;
     return this;
   }
   setSharedUnprotectedHeader(sharedUnprotectedHeader) {
-    if (this.#sharedUnprotectedHeader) {
-      throw new TypeError("setSharedUnprotectedHeader can only be called once");
-    }
+    assertNotSet(this.#sharedUnprotectedHeader, "setSharedUnprotectedHeader");
     this.#sharedUnprotectedHeader = sharedUnprotectedHeader;
     return this;
   }
   setUnprotectedHeader(unprotectedHeader) {
-    if (this.#unprotectedHeader) {
-      throw new TypeError("setUnprotectedHeader can only be called once");
-    }
+    assertNotSet(this.#unprotectedHeader, "setUnprotectedHeader");
     this.#unprotectedHeader = unprotectedHeader;
     return this;
   }
@@ -15847,16 +15934,12 @@ var FlattenedEncrypt = class {
     return this;
   }
   setContentEncryptionKey(cek) {
-    if (this.#cek) {
-      throw new TypeError("setContentEncryptionKey can only be called once");
-    }
+    assertNotSet(this.#cek, "setContentEncryptionKey");
     this.#cek = cek;
     return this;
   }
   setInitializationVector(iv) {
-    if (this.#iv) {
-      throw new TypeError("setInitializationVector can only be called once");
-    }
+    assertNotSet(this.#iv, "setInitializationVector");
     this.#iv = iv;
     return this;
   }
@@ -15864,7 +15947,7 @@ var FlattenedEncrypt = class {
     if (!this.#protectedHeader && !this.#unprotectedHeader && !this.#sharedUnprotectedHeader) {
       throw new JWEInvalid("either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()");
     }
-    if (!is_disjoint_default(this.#protectedHeader, this.#unprotectedHeader, this.#sharedUnprotectedHeader)) {
+    if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader, this.#sharedUnprotectedHeader)) {
       throw new JWEInvalid("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");
     }
     const joseHeader = {
@@ -15872,9 +15955,12 @@ var FlattenedEncrypt = class {
       ...this.#unprotectedHeader,
       ...this.#sharedUnprotectedHeader
     };
-    validate_crit_default(JWEInvalid, /* @__PURE__ */ new Map(), options?.crit, this.#protectedHeader, joseHeader);
-    if (joseHeader.zip !== void 0) {
-      throw new JOSENotSupported('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');
+    validateCrit(JWEInvalid, /* @__PURE__ */ new Map(), options?.crit, this.#protectedHeader, joseHeader);
+    if (joseHeader.zip !== void 0 && joseHeader.zip !== "DEF") {
+      throw new JOSENotSupported('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value.');
+    }
+    if (joseHeader.zip !== void 0 && !this.#protectedHeader?.zip) {
+      throw new JWEInvalid('JWE "zip" (Compression Algorithm) Header Parameter MUST be in a protected header.');
     }
     const { alg, enc } = joseHeader;
     if (typeof alg !== "string" || !alg) {
@@ -15887,12 +15973,12 @@ var FlattenedEncrypt = class {
     if (this.#cek && (alg === "dir" || alg === "ECDH-ES")) {
       throw new TypeError(`setContentEncryptionKey cannot be called with JWE "alg" (Algorithm) Header ${alg}`);
     }
-    check_key_type_default(alg === "dir" ? enc : alg, key, "encrypt");
+    checkKeyType(alg === "dir" ? enc : alg, key, "encrypt");
     let cek;
     {
       let parameters;
-      const k = await normalize_key_default(key, alg);
-      ({ cek, encryptedKey, parameters } = await encrypt_key_management_default(alg, enc, k, this.#cek, this.#keyManagementParameters));
+      const k = await normalizeKey(key, alg);
+      ({ cek, encryptedKey, parameters } = await encryptKeyManagement(alg, enc, k, this.#cek, this.#keyManagementParameters));
       if (parameters) {
         if (options && unprotected in options) {
           if (!this.#unprotectedHeader) {
@@ -15908,37 +15994,45 @@ var FlattenedEncrypt = class {
       }
     }
     let additionalData;
-    let protectedHeader;
+    let protectedHeaderS;
+    let protectedHeaderB;
     let aadMember;
     if (this.#protectedHeader) {
-      protectedHeader = encoder.encode(encode(JSON.stringify(this.#protectedHeader)));
+      protectedHeaderS = encode2(JSON.stringify(this.#protectedHeader));
+      protectedHeaderB = encode(protectedHeaderS);
     } else {
-      protectedHeader = encoder.encode("");
+      protectedHeaderS = "";
+      protectedHeaderB = new Uint8Array();
     }
     if (this.#aad) {
-      aadMember = encode(this.#aad);
-      additionalData = concat(protectedHeader, encoder.encode("."), encoder.encode(aadMember));
+      aadMember = encode2(this.#aad);
+      const aadMemberBytes = encode(aadMember);
+      additionalData = concat(protectedHeaderB, encode("."), aadMemberBytes);
     } else {
-      additionalData = protectedHeader;
+      additionalData = protectedHeaderB;
     }
-    const { ciphertext, tag: tag2, iv } = await encrypt_default(enc, this.#plaintext, cek, this.#iv, additionalData);
+    let plaintext = this.#plaintext;
+    if (joseHeader.zip === "DEF") {
+      plaintext = await compress(plaintext);
+    }
+    const { ciphertext, tag: tag2, iv } = await encrypt(enc, plaintext, cek, this.#iv, additionalData);
     const jwe = {
-      ciphertext: encode(ciphertext)
+      ciphertext: encode2(ciphertext)
     };
     if (iv) {
-      jwe.iv = encode(iv);
+      jwe.iv = encode2(iv);
     }
     if (tag2) {
-      jwe.tag = encode(tag2);
+      jwe.tag = encode2(tag2);
     }
     if (encryptedKey) {
-      jwe.encrypted_key = encode(encryptedKey);
+      jwe.encrypted_key = encode2(encryptedKey);
     }
     if (aadMember) {
       jwe.aad = aadMember;
     }
     if (this.#protectedHeader) {
-      jwe.protected = decoder.decode(protectedHeader);
+      jwe.protected = protectedHeaderS;
     }
     if (this.#sharedUnprotectedHeader) {
       jwe.unprotected = this.#sharedUnprotectedHeader;
@@ -15950,65 +16044,9 @@ var FlattenedEncrypt = class {
   }
 };
 
-// node_modules/jose/dist/webapi/lib/subtle_dsa.js
-var subtle_dsa_default = (alg, algorithm) => {
-  const hash = `SHA-${alg.slice(-3)}`;
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512":
-      return { hash, name: "HMAC" };
-    case "PS256":
-    case "PS384":
-    case "PS512":
-      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
-    case "RS256":
-    case "RS384":
-    case "RS512":
-      return { hash, name: "RSASSA-PKCS1-v1_5" };
-    case "ES256":
-    case "ES384":
-    case "ES512":
-      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
-    case "Ed25519":
-    case "EdDSA":
-      return { name: "Ed25519" };
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87":
-      return { name: alg };
-    default:
-      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-  }
-};
-
-// node_modules/jose/dist/webapi/lib/get_sign_verify_key.js
-var get_sign_verify_key_default = async (alg, key, usage2) => {
-  if (key instanceof Uint8Array) {
-    if (!alg.startsWith("HS")) {
-      throw new TypeError(invalid_key_input_default(key, "CryptoKey", "KeyObject", "JSON Web Key"));
-    }
-    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage2]);
-  }
-  checkSigCryptoKey(key, alg, usage2);
-  return key;
-};
-
-// node_modules/jose/dist/webapi/lib/verify.js
-var verify_default = async (alg, key, signature, data) => {
-  const cryptoKey = await get_sign_verify_key_default(alg, key, "verify");
-  check_key_length_default(alg, cryptoKey);
-  const algorithm = subtle_dsa_default(alg, cryptoKey.algorithm);
-  try {
-    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
-  } catch {
-    return false;
-  }
-};
-
 // node_modules/jose/dist/webapi/jws/flattened/verify.js
 async function flattenedVerify(jws, key, options) {
-  if (!is_object_default(jws)) {
+  if (!isObject(jws)) {
     throw new JWSInvalid("Flattened JWS must be an object");
   }
   if (jws.protected === void 0 && jws.header === void 0) {
@@ -16023,7 +16061,7 @@ async function flattenedVerify(jws, key, options) {
   if (typeof jws.signature !== "string") {
     throw new JWSInvalid("JWS Signature missing or incorrect type");
   }
-  if (jws.header !== void 0 && !is_object_default(jws.header)) {
+  if (jws.header !== void 0 && !isObject(jws.header)) {
     throw new JWSInvalid("JWS Unprotected Header incorrect type");
   }
   let parsedProt = {};
@@ -16035,14 +16073,14 @@ async function flattenedVerify(jws, key, options) {
       throw new JWSInvalid("JWS Protected Header is invalid");
     }
   }
-  if (!is_disjoint_default(parsedProt, jws.header)) {
+  if (!isDisjoint(parsedProt, jws.header)) {
     throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
   }
   const joseHeader = {
     ...parsedProt,
     ...jws.header
   };
-  const extensions = validate_crit_default(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, parsedProt, joseHeader);
+  const extensions = validateCrit(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, parsedProt, joseHeader);
   let b64 = true;
   if (extensions.has("b64")) {
     b64 = parsedProt.b64;
@@ -16054,7 +16092,7 @@ async function flattenedVerify(jws, key, options) {
   if (typeof alg !== "string" || !alg) {
     throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
   }
-  const algorithms = options && validate_algorithms_default("algorithms", options.algorithms);
+  const algorithms = options && validateAlgorithms("algorithms", options.algorithms);
   if (algorithms && !algorithms.has(alg)) {
     throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
   }
@@ -16070,26 +16108,17 @@ async function flattenedVerify(jws, key, options) {
     key = await key(parsedProt, jws);
     resolvedKey = true;
   }
-  check_key_type_default(alg, key, "verify");
-  const data = concat(encoder.encode(jws.protected ?? ""), encoder.encode("."), typeof jws.payload === "string" ? encoder.encode(jws.payload) : jws.payload);
-  let signature;
-  try {
-    signature = decode(jws.signature);
-  } catch {
-    throw new JWSInvalid("Failed to base64url decode the signature");
-  }
-  const k = await normalize_key_default(key, alg);
-  const verified = await verify_default(alg, k, signature, data);
+  checkKeyType(alg, key, "verify");
+  const data = concat(jws.protected !== void 0 ? encode(jws.protected) : new Uint8Array(), encode("."), typeof jws.payload === "string" ? b64 ? encode(jws.payload) : encoder.encode(jws.payload) : jws.payload);
+  const signature = decodeBase64url(jws.signature, "signature", JWSInvalid);
+  const k = await normalizeKey(key, alg);
+  const verified = await verify(alg, k, signature, data);
   if (!verified) {
     throw new JWSSignatureVerificationFailed();
   }
   let payload;
   if (b64) {
-    try {
-      payload = decode(jws.payload);
-    } catch {
-      throw new JWSInvalid("Failed to base64url decode the payload");
-    }
+    payload = decodeBase64url(jws.payload, "payload", JWSInvalid);
   } else if (typeof jws.payload === "string") {
     payload = encoder.encode(jws.payload);
   } else {
@@ -16128,17 +16157,15 @@ async function compactVerify(jws, key, options) {
   return result;
 }
 
-// node_modules/jose/dist/webapi/lib/epoch.js
-var epoch_default = (date) => Math.floor(date.getTime() / 1e3);
-
-// node_modules/jose/dist/webapi/lib/secs.js
+// node_modules/jose/dist/webapi/lib/jwt_claims_set.js
+var epoch = (date) => Math.floor(date.getTime() / 1e3);
 var minute = 60;
 var hour = minute * 60;
 var day = hour * 24;
 var week = day * 7;
 var year = day * 365.25;
 var REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
-var secs_default = (str) => {
+function secs(str) {
   const matched = REGEX.exec(str);
   if (!matched || matched[4] && matched[1]) {
     throw new TypeError("Invalid time period format");
@@ -16186,9 +16213,7 @@ var secs_default = (str) => {
     return -numericDate;
   }
   return numericDate;
-};
-
-// node_modules/jose/dist/webapi/lib/jwt_claims_set.js
+}
 function validateInput(label, input) {
   if (!Number.isFinite(input)) {
     throw new TypeError(`Invalid ${label} input`);
@@ -16216,7 +16241,7 @@ function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {
     payload = JSON.parse(decoder.decode(encodedPayload));
   } catch {
   }
-  if (!is_object_default(payload)) {
+  if (!isObject(payload)) {
     throw new JWTInvalid("JWT Claims Set must be a top-level JSON object");
   }
   const { typ } = options;
@@ -16250,7 +16275,7 @@ function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {
   let tolerance;
   switch (typeof options.clockTolerance) {
     case "string":
-      tolerance = secs_default(options.clockTolerance);
+      tolerance = secs(options.clockTolerance);
       break;
     case "number":
       tolerance = options.clockTolerance;
@@ -16262,7 +16287,7 @@ function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {
       throw new TypeError("Invalid clockTolerance option type");
   }
   const { currentDate } = options;
-  const now = epoch_default(currentDate || /* @__PURE__ */ new Date());
+  const now = epoch(currentDate || /* @__PURE__ */ new Date());
   if ((payload.iat !== void 0 || maxTokenAge) && typeof payload.iat !== "number") {
     throw new JWTClaimValidationFailed('"iat" claim must be a number', payload, "iat", "invalid");
   }
@@ -16284,7 +16309,7 @@ function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {
   }
   if (maxTokenAge) {
     const age = now - payload.iat;
-    const max = typeof maxTokenAge === "number" ? maxTokenAge : secs_default(maxTokenAge);
+    const max = typeof maxTokenAge === "number" ? maxTokenAge : secs(maxTokenAge);
     if (age - tolerance > max) {
       throw new JWTExpired('"iat" claim timestamp check failed (too far in the past)', payload, "iat", "check_failed");
     }
@@ -16297,7 +16322,7 @@ function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {
 var JWTClaimsBuilder = class {
   #payload;
   constructor(payload) {
-    if (!is_object_default(payload)) {
+    if (!isObject(payload)) {
       throw new TypeError("JWT Claims Set MUST be an object");
     }
     this.#payload = structuredClone(payload);
@@ -16330,27 +16355,27 @@ var JWTClaimsBuilder = class {
     if (typeof value === "number") {
       this.#payload.nbf = validateInput("setNotBefore", value);
     } else if (value instanceof Date) {
-      this.#payload.nbf = validateInput("setNotBefore", epoch_default(value));
+      this.#payload.nbf = validateInput("setNotBefore", epoch(value));
     } else {
-      this.#payload.nbf = epoch_default(/* @__PURE__ */ new Date()) + secs_default(value);
+      this.#payload.nbf = epoch(/* @__PURE__ */ new Date()) + secs(value);
     }
   }
   set exp(value) {
     if (typeof value === "number") {
       this.#payload.exp = validateInput("setExpirationTime", value);
     } else if (value instanceof Date) {
-      this.#payload.exp = validateInput("setExpirationTime", epoch_default(value));
+      this.#payload.exp = validateInput("setExpirationTime", epoch(value));
     } else {
-      this.#payload.exp = epoch_default(/* @__PURE__ */ new Date()) + secs_default(value);
+      this.#payload.exp = epoch(/* @__PURE__ */ new Date()) + secs(value);
     }
   }
   set iat(value) {
-    if (typeof value === "undefined") {
-      this.#payload.iat = epoch_default(/* @__PURE__ */ new Date());
+    if (value === void 0) {
+      this.#payload.iat = epoch(/* @__PURE__ */ new Date());
     } else if (value instanceof Date) {
-      this.#payload.iat = validateInput("setIssuedAt", epoch_default(value));
+      this.#payload.iat = validateInput("setIssuedAt", epoch(value));
     } else if (typeof value === "string") {
-      this.#payload.iat = validateInput("setIssuedAt", epoch_default(/* @__PURE__ */ new Date()) + secs_default(value));
+      this.#payload.iat = validateInput("setIssuedAt", epoch(/* @__PURE__ */ new Date()) + secs(value));
     } else {
       this.#payload.iat = validateInput("setIssuedAt", value);
     }
@@ -16420,14 +16445,6 @@ var CompactEncrypt = class {
   }
 };
 
-// node_modules/jose/dist/webapi/lib/sign.js
-var sign_default = async (alg, key, data) => {
-  const cryptoKey = await get_sign_verify_key_default(alg, key, "sign");
-  check_key_length_default(alg, cryptoKey);
-  const signature = await crypto.subtle.sign(subtle_dsa_default(alg, cryptoKey.algorithm), cryptoKey, data);
-  return new Uint8Array(signature);
-};
-
 // node_modules/jose/dist/webapi/jws/flattened/sign.js
 var FlattenedSign = class {
   #payload;
@@ -16440,16 +16457,12 @@ var FlattenedSign = class {
     this.#payload = payload;
   }
   setProtectedHeader(protectedHeader) {
-    if (this.#protectedHeader) {
-      throw new TypeError("setProtectedHeader can only be called once");
-    }
+    assertNotSet(this.#protectedHeader, "setProtectedHeader");
     this.#protectedHeader = protectedHeader;
     return this;
   }
   setUnprotectedHeader(unprotectedHeader) {
-    if (this.#unprotectedHeader) {
-      throw new TypeError("setUnprotectedHeader can only be called once");
-    }
+    assertNotSet(this.#unprotectedHeader, "setUnprotectedHeader");
     this.#unprotectedHeader = unprotectedHeader;
     return this;
   }
@@ -16457,14 +16470,14 @@ var FlattenedSign = class {
     if (!this.#protectedHeader && !this.#unprotectedHeader) {
       throw new JWSInvalid("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");
     }
-    if (!is_disjoint_default(this.#protectedHeader, this.#unprotectedHeader)) {
+    if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) {
       throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
     }
     const joseHeader = {
       ...this.#protectedHeader,
       ...this.#unprotectedHeader
     };
-    const extensions = validate_crit_default(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, this.#protectedHeader, joseHeader);
+    const extensions = validateCrit(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, this.#protectedHeader, joseHeader);
     let b64 = true;
     if (extensions.has("b64")) {
       b64 = this.#protectedHeader.b64;
@@ -16476,32 +16489,37 @@ var FlattenedSign = class {
     if (typeof alg !== "string" || !alg) {
       throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
     }
-    check_key_type_default(alg, key, "sign");
-    let payload = this.#payload;
+    checkKeyType(alg, key, "sign");
+    let payloadS;
+    let payloadB;
     if (b64) {
-      payload = encoder.encode(encode(payload));
+      payloadS = encode2(this.#payload);
+      payloadB = encode(payloadS);
+    } else {
+      payloadB = this.#payload;
+      payloadS = "";
     }
-    let protectedHeader;
+    let protectedHeaderString;
+    let protectedHeaderBytes;
     if (this.#protectedHeader) {
-      protectedHeader = encoder.encode(encode(JSON.stringify(this.#protectedHeader)));
+      protectedHeaderString = encode2(JSON.stringify(this.#protectedHeader));
+      protectedHeaderBytes = encode(protectedHeaderString);
     } else {
-      protectedHeader = encoder.encode("");
+      protectedHeaderString = "";
+      protectedHeaderBytes = new Uint8Array();
     }
-    const data = concat(protectedHeader, encoder.encode("."), payload);
-    const k = await normalize_key_default(key, alg);
-    const signature = await sign_default(alg, k, data);
+    const data = concat(protectedHeaderBytes, encode("."), payloadB);
+    const k = await normalizeKey(key, alg);
+    const signature = await sign(alg, k, data);
     const jws = {
-      signature: encode(signature),
-      payload: ""
+      signature: encode2(signature),
+      payload: payloadS
     };
-    if (b64) {
-      jws.payload = decoder.decode(payload);
-    }
     if (this.#unprotectedHeader) {
       jws.header = this.#unprotectedHeader;
     }
     if (this.#protectedHeader) {
-      jws.protected = decoder.decode(protectedHeader);
+      jws.protected = protectedHeaderString;
     }
     return jws;
   }
@@ -16617,30 +16635,22 @@ var EncryptJWT = class {
     return this;
   }
   setProtectedHeader(protectedHeader) {
-    if (this.#protectedHeader) {
-      throw new TypeError("setProtectedHeader can only be called once");
-    }
+    assertNotSet(this.#protectedHeader, "setProtectedHeader");
     this.#protectedHeader = protectedHeader;
     return this;
   }
   setKeyManagementParameters(parameters) {
-    if (this.#keyManagementParameters) {
-      throw new TypeError("setKeyManagementParameters can only be called once");
-    }
+    assertNotSet(this.#keyManagementParameters, "setKeyManagementParameters");
     this.#keyManagementParameters = parameters;
     return this;
   }
   setContentEncryptionKey(cek) {
-    if (this.#cek) {
-      throw new TypeError("setContentEncryptionKey can only be called once");
-    }
+    assertNotSet(this.#cek, "setContentEncryptionKey");
     this.#cek = cek;
     return this;
   }
   setInitializationVector(iv) {
-    if (this.#iv) {
-      throw new TypeError("setInitializationVector can only be called once");
-    }
+    assertNotSet(this.#iv, "setInitializationVector");
     this.#iv = iv;
     return this;
   }
@@ -16701,7 +16711,7 @@ function decodeProtectedHeader(token) {
       throw new Error();
     }
     const result = JSON.parse(decoder.decode(decode(protectedB64u)));
-    if (!is_object_default(result)) {
+    if (!isObject(result)) {
       throw new Error();
     }
     return result;
@@ -16733,7 +16743,7 @@ function decodeJwt(jwt2) {
   } catch {
     throw new JWTInvalid("Failed to parse the decoded payload as JSON");
   }
-  if (!is_object_default(result))
+  if (!isObject(result))
     throw new JWTInvalid("Invalid JWT Claims Set");
   return result;
 }
@@ -16753,10 +16763,10 @@ async function verifyJWT(jwt2, secret, options) {
   return await jwtVerify(jwt2, secret, options);
 }
 async function signJWT(payload, secret, options) {
-  const sign = new SignJWT(payload).setProtectedHeader({
+  const sign2 = new SignJWT(payload).setProtectedHeader({
     alg: options?.alg ? options?.alg : "HS256"
   }).setIssuedAt(options?.iat).setIssuer(options?.iss ? options?.iss : "urn:example:issuer").setAudience(options?.aud ? options?.aud : "urn:example:audience").setExpirationTime(options?.exp ? options?.exp : "2h");
-  return sign.sign(secret, options?.options);
+  return sign2.sign(secret, options?.options);
 }
 function decodeProtectedHeaderJWT(token) {
   return decodeProtectedHeader(token);
@@ -16766,9 +16776,9 @@ function decodeJWT(jwt2) {
 }
 
 // src/services/utils/jwt.ts
-var import_node_crypto5 = require("node:crypto");
+var import_node_crypto6 = require("node:crypto");
 var jwt = {
-  createSecretKey: import_node_crypto5.createSecretKey,
+  createSecretKey: import_node_crypto6.createSecretKey,
   decode(jwt2) {
     return decodeJWT(jwt2);
   },
@@ -16905,6 +16915,10 @@ var MiqroJSONSchema = {
   properties: {
     name: "string?",
     services: "string[]?",
+    noBuild: "boolean?",
+    noMinify: "boolean?",
+    inflateOnlyAssets: "boolean?",
+    inflateFlat: "boolean?",
     port: "number?|string?",
     inflateDir: "string?",
     browser: "boolean?|string?",
@@ -17037,8 +17051,10 @@ var Miqro = class _Miqro {
   watcher;
   constructor(options) {
     this.options = {
+      noMinify: false,
       editor: false,
       name: "server",
+      noBuild: false,
       port: getPORT(),
       services: [],
       ...options ? options : {}
@@ -17051,7 +17067,7 @@ var Miqro = class _Miqro {
     this.listener = async (data) => {
       try {
         const msg = data;
-        if (msg && msg.action && msg.type === MiqroApplicationMessageType && msg.target === this.options.name, msg.fromPID !== process.pid, msg.action === "reload" || msg.action === "restart") {
+        if (msg && msg.action && msg.type === MiqroApplicationMessageType && msg.target === this.options.name && msg.fromPID !== process.pid && (msg.action === "reload" || msg.action === "restart")) {
           this.logger?.debug("remote server message from [%s] [%s]", msg.fromPID, msg.action);
           switch (msg.action) {
             case "reload":
@@ -17061,7 +17077,7 @@ var Miqro = class _Miqro {
               await this.restart(true);
               break;
             default:
-              throw new Error("unsopported message for ApplicaitonServer");
+              throw new Error("unsupported message for ApplicationServer");
           }
         }
       } catch (e) {
@@ -17102,6 +17118,7 @@ var Miqro = class _Miqro {
       name: miqroJSON.name ? miqroJSON.name : void 0,
       port: miqroJSON.port ? String(miqroJSON.port) : void 0,
       services: miqroJSON.services ? miqroJSON.services.map((s) => (0, import_node_path30.join)((0, import_node_path30.relative)((0, import_node_process16.cwd)(), miqroJSONDir), s)) : void 0,
+      noBuild: miqroJSON.noBuild !== void 0 ? miqroJSON.noBuild : false,
       ...options ? options : {}
     });
     await app.inflate({
@@ -17153,7 +17170,7 @@ var Miqro = class _Miqro {
     const errors = [];
     for (const service of this.options.services) {
       const servicePath = getServicePath(service);
-      await setupServerConfig(this.logger, servicePath, service, serverConfigMap, options && options.inflateSea ? options.inflateDir : void 0, errors);
+      await setupServerConfig(this.logger, servicePath, service, serverConfigMap, options && options.inflateSea ? options.inflateDir : void 0, errors, this.options);
     }
     return {
       serverConfigMap,
@@ -17165,9 +17182,9 @@ var Miqro = class _Miqro {
     const dbList = [];
     const dbConfigListALL = [];
     for (const service of this.options.services) {
-      const dbConfig = await inflateDBConfig(this.logger, service, dbConfigListALL, options?.inflateSea ? options?.inflateDir : void 0, errors);
+      const dbConfig = await inflateDBConfig(this.logger, service, dbConfigListALL, options?.inflateSea ? options?.inflateDir : void 0, this.options, errors);
       if (dbConfig) {
-        const migrations = await inflateDBMigrations(this.logger, service, dbConfig.name, options?.inflateSea ? options?.inflateDir : void 0, errors);
+        const migrations = await inflateDBMigrations(this.logger, service, dbConfig.name, options?.inflateSea ? options?.inflateDir : void 0, this.options, errors);
         dbList.push({
           service,
           dbConfig,
@@ -17220,7 +17237,7 @@ var Miqro = class _Miqro {
     }
     try {
       this.inflated = void 0;
-      if (_Miqro.initAssetsPromise === null) {
+      if (_Miqro.initAssetsPromise === null && (this.options.noBuild === false || this.options.noMinify === false)) {
         _Miqro.initAssetsPromise = initAssets(this.logger);
       }
       await _Miqro.initAssetsPromise;
@@ -17242,6 +17259,10 @@ var Miqro = class _Miqro {
         wsConfigList.push({
           path: HOT_RELOAD_PATH
         });
+        this.logger?.debug("setting up hot-reload script on [%s]", HOT_RELOAD_SCRIPT_PATH);
+        const hotReloadScriptRouter = new Router2();
+        hotReloadScriptRouter.get(HOT_RELOAD_SCRIPT_PATH, async (req, res) => res.js(HOT_RELOAD_JS_SCRIPT));
+        router.use(hotReloadScriptRouter);
       }
       await notifiyServerConfig(this.logger, this.serverInterface, this.adminInterface, serverConfigMap, "preload");
       const [serviceRouter, errors, fileMap, serviceWSConfigList, serviceLogConfigMap] = await inflateApp({
@@ -17254,7 +17275,11 @@ var Miqro = class _Miqro {
         inflateSea: options?.inflateSea ? true : false,
         //inflateTests: options?.inflateTests ? true : false,
         hotreload: this.options?.hotreload ? true : false,
-        inflateParallel: options?.inflateParallel
+        inflateParallel: options?.inflateParallel,
+        noBuild: this.options?.noBuild,
+        noMinify: this.options?.noMinify,
+        inflateOnlyAssets: options?.inflateOnlyAssets,
+        inflateFlat: options?.inflateFlat
       });
       wsConfigList.push(...serviceWSConfigList);
       router.use(serviceRouter);