princejs 2.1.6 → 2.2.1

package/dist/middleware.js

@@ -1,8 +1,21 @@
 // @bun
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+
 // node_modules/jose/dist/webapi/lib/buffer_utils.js
-var encoder = new TextEncoder;
-var decoder = new TextDecoder;
-var MAX_INT32 = 2 ** 32;
 function concat(...buffers) {
   const size = buffers.reduce((acc, { length }) => acc + length, 0);
   const buf = new Uint8Array(size);
@@ -13,6 +26,25 @@ function concat(...buffers) {
   }
   return buf;
 }
+function writeUInt32BE(buf, value, offset) {
+  if (value < 0 || value >= MAX_INT32) {
+    throw new RangeError(`value must be >= 0 and <= ${MAX_INT32 - 1}. Received ${value}`);
+  }
+  buf.set([value >>> 24, value >>> 16, value >>> 8, value & 255], offset);
+}
+function uint64be(value) {
+  const high = Math.floor(value / MAX_INT32);
+  const low = value % MAX_INT32;
+  const buf = new Uint8Array(8);
+  writeUInt32BE(buf, high, 0);
+  writeUInt32BE(buf, low, 4);
+  return buf;
+}
+function uint32be(value) {
+  const buf = new Uint8Array(4);
+  writeUInt32BE(buf, value);
+  return buf;
+}
 function encode(string) {
   const bytes = new Uint8Array(string.length);
   for (let i = 0;i < string.length; i++) {
@@ -24,6 +56,12 @@ function encode(string) {
   }
   return bytes;
 }
+var encoder, decoder, MAX_INT32;
+var init_buffer_utils = __esm(() => {
+  encoder = new TextEncoder;
+  decoder = new TextDecoder;
+  MAX_INT32 = 2 ** 32;
+});
 
 // node_modules/jose/dist/webapi/lib/base64.js
 function encodeBase64(input) {
@@ -50,6 +88,11 @@ function decodeBase64(encoded) {
 }
 
 // node_modules/jose/dist/webapi/util/base64url.js
+var exports_base64url = {};
+__export(exports_base64url, {
+  encode: () => encode2,
+  decode: () => decode
+});
 function decode(input) {
   if (Uint8Array.fromBase64) {
     return Uint8Array.fromBase64(typeof input === "string" ? input : decoder.decode(input), {
@@ -77,10 +120,11 @@ function encode2(input) {
   }
   return encodeBase64(unencoded).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
 }
+var init_base64url = __esm(() => {
+  init_buffer_utils();
+});
 
 // node_modules/jose/dist/webapi/lib/crypto_key.js
-var unusable = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
-var isAlgorithm = (algorithm, name) => algorithm.name === name;
 function getHashLength(hash) {
   return parseInt(hash.name.slice(4), 10);
 }
@@ -161,6 +205,61 @@ function checkSigCryptoKey(key, alg, usage) {
   }
   checkUsage(key, usage);
 }
+function checkEncCryptoKey(key, alg, usage) {
+  switch (alg) {
+    case "A128GCM":
+    case "A192GCM":
+    case "A256GCM": {
+      if (!isAlgorithm(key.algorithm, "AES-GCM"))
+        throw unusable("AES-GCM");
+      const expected = parseInt(alg.slice(1, 4), 10);
+      const actual = key.algorithm.length;
+      if (actual !== expected)
+        throw unusable(expected, "algorithm.length");
+      break;
+    }
+    case "A128KW":
+    case "A192KW":
+    case "A256KW": {
+      if (!isAlgorithm(key.algorithm, "AES-KW"))
+        throw unusable("AES-KW");
+      const expected = parseInt(alg.slice(1, 4), 10);
+      const actual = key.algorithm.length;
+      if (actual !== expected)
+        throw unusable(expected, "algorithm.length");
+      break;
+    }
+    case "ECDH": {
+      switch (key.algorithm.name) {
+        case "ECDH":
+        case "X25519":
+          break;
+        default:
+          throw unusable("ECDH or X25519");
+      }
+      break;
+    }
+    case "PBES2-HS256+A128KW":
+    case "PBES2-HS384+A192KW":
+    case "PBES2-HS512+A256KW":
+      if (!isAlgorithm(key.algorithm, "PBKDF2"))
+        throw unusable("PBKDF2");
+      break;
+    case "RSA-OAEP":
+    case "RSA-OAEP-256":
+    case "RSA-OAEP-384":
+    case "RSA-OAEP-512": {
+      if (!isAlgorithm(key.algorithm, "RSA-OAEP"))
+        throw unusable("RSA-OAEP");
+      checkHashLength(key.algorithm, parseInt(alg.slice(9), 10) || 1);
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  checkUsage(key, usage);
+}
+var unusable = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`), isAlgorithm = (algorithm, name) => algorithm.name === name;
 
 // node_modules/jose/dist/webapi/lib/invalid_key_input.js
 function message(msg, actual, ...types) {
@@ -184,89 +283,355 @@ function message(msg, actual, ...types) {
   }
   return msg;
 }
-var invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types);
-var withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
+var invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types), withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
 
 // node_modules/jose/dist/webapi/util/errors.js
-class JOSEError extends Error {
-  static code = "ERR_JOSE_GENERIC";
-  code = "ERR_JOSE_GENERIC";
-  constructor(message2, options) {
-    super(message2, options);
-    this.name = this.constructor.name;
-    Error.captureStackTrace?.(this, this.constructor);
+var exports_errors = {};
+__export(exports_errors, {
+  JWTInvalid: () => JWTInvalid,
+  JWTExpired: () => JWTExpired,
+  JWTClaimValidationFailed: () => JWTClaimValidationFailed,
+  JWSSignatureVerificationFailed: () => JWSSignatureVerificationFailed,
+  JWSInvalid: () => JWSInvalid,
+  JWKSTimeout: () => JWKSTimeout,
+  JWKSNoMatchingKey: () => JWKSNoMatchingKey,
+  JWKSMultipleMatchingKeys: () => JWKSMultipleMatchingKeys,
+  JWKSInvalid: () => JWKSInvalid,
+  JWKInvalid: () => JWKInvalid,
+  JWEInvalid: () => JWEInvalid,
+  JWEDecryptionFailed: () => JWEDecryptionFailed,
+  JOSENotSupported: () => JOSENotSupported,
+  JOSEError: () => JOSEError,
+  JOSEAlgNotAllowed: () => JOSEAlgNotAllowed
+});
+var JOSEError, JWTClaimValidationFailed, JWTExpired, JOSEAlgNotAllowed, JOSENotSupported, JWEDecryptionFailed, JWEInvalid, JWSInvalid, JWTInvalid, JWKInvalid, JWKSInvalid, JWKSNoMatchingKey, JWKSMultipleMatchingKeys, JWKSTimeout, JWSSignatureVerificationFailed;
+var init_errors = __esm(() => {
+  JOSEError = class JOSEError extends Error {
+    static code = "ERR_JOSE_GENERIC";
+    code = "ERR_JOSE_GENERIC";
+    constructor(message2, options) {
+      super(message2, options);
+      this.name = this.constructor.name;
+      Error.captureStackTrace?.(this, this.constructor);
+    }
+  };
+  JWTClaimValidationFailed = class JWTClaimValidationFailed extends JOSEError {
+    static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+    code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+    claim;
+    reason;
+    payload;
+    constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
+      super(message2, { cause: { claim, reason, payload } });
+      this.claim = claim;
+      this.reason = reason;
+      this.payload = payload;
+    }
+  };
+  JWTExpired = class JWTExpired extends JOSEError {
+    static code = "ERR_JWT_EXPIRED";
+    code = "ERR_JWT_EXPIRED";
+    claim;
+    reason;
+    payload;
+    constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
+      super(message2, { cause: { claim, reason, payload } });
+      this.claim = claim;
+      this.reason = reason;
+      this.payload = payload;
+    }
+  };
+  JOSEAlgNotAllowed = class JOSEAlgNotAllowed extends JOSEError {
+    static code = "ERR_JOSE_ALG_NOT_ALLOWED";
+    code = "ERR_JOSE_ALG_NOT_ALLOWED";
+  };
+  JOSENotSupported = class JOSENotSupported extends JOSEError {
+    static code = "ERR_JOSE_NOT_SUPPORTED";
+    code = "ERR_JOSE_NOT_SUPPORTED";
+  };
+  JWEDecryptionFailed = class JWEDecryptionFailed extends JOSEError {
+    static code = "ERR_JWE_DECRYPTION_FAILED";
+    code = "ERR_JWE_DECRYPTION_FAILED";
+    constructor(message2 = "decryption operation failed", options) {
+      super(message2, options);
+    }
+  };
+  JWEInvalid = class JWEInvalid extends JOSEError {
+    static code = "ERR_JWE_INVALID";
+    code = "ERR_JWE_INVALID";
+  };
+  JWSInvalid = class JWSInvalid extends JOSEError {
+    static code = "ERR_JWS_INVALID";
+    code = "ERR_JWS_INVALID";
+  };
+  JWTInvalid = class JWTInvalid extends JOSEError {
+    static code = "ERR_JWT_INVALID";
+    code = "ERR_JWT_INVALID";
+  };
+  JWKInvalid = class JWKInvalid extends JOSEError {
+    static code = "ERR_JWK_INVALID";
+    code = "ERR_JWK_INVALID";
+  };
+  JWKSInvalid = class JWKSInvalid extends JOSEError {
+    static code = "ERR_JWKS_INVALID";
+    code = "ERR_JWKS_INVALID";
+  };
+  JWKSNoMatchingKey = class JWKSNoMatchingKey extends JOSEError {
+    static code = "ERR_JWKS_NO_MATCHING_KEY";
+    code = "ERR_JWKS_NO_MATCHING_KEY";
+    constructor(message2 = "no applicable key found in the JSON Web Key Set", options) {
+      super(message2, options);
+    }
+  };
+  JWKSMultipleMatchingKeys = class JWKSMultipleMatchingKeys extends JOSEError {
+    [Symbol.asyncIterator];
+    static code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
+    code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
+    constructor(message2 = "multiple matching keys found in the JSON Web Key Set", options) {
+      super(message2, options);
+    }
+  };
+  JWKSTimeout = class JWKSTimeout extends JOSEError {
+    static code = "ERR_JWKS_TIMEOUT";
+    code = "ERR_JWKS_TIMEOUT";
+    constructor(message2 = "request timed out", options) {
+      super(message2, options);
+    }
+  };
+  JWSSignatureVerificationFailed = class JWSSignatureVerificationFailed extends JOSEError {
+    static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+    code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+    constructor(message2 = "signature verification failed", options) {
+      super(message2, options);
+    }
+  };
+});
+
+// node_modules/jose/dist/webapi/lib/is_key_like.js
+function assertCryptoKey(key) {
+  if (!isCryptoKey(key)) {
+    throw new Error("CryptoKey instance expected");
   }
 }
+var isCryptoKey = (key) => {
+  if (key?.[Symbol.toStringTag] === "CryptoKey")
+    return true;
+  try {
+    return key instanceof CryptoKey;
+  } catch {
+    return false;
+  }
+}, isKeyObject = (key) => key?.[Symbol.toStringTag] === "KeyObject", isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);
 
-class JWTClaimValidationFailed extends JOSEError {
-  static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
-  code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
-  claim;
-  reason;
-  payload;
-  constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
-    super(message2, { cause: { claim, reason, payload } });
-    this.claim = claim;
-    this.reason = reason;
-    this.payload = payload;
+// node_modules/jose/dist/webapi/lib/content_encryption.js
+function cekLength(alg) {
+  switch (alg) {
+    case "A128GCM":
+      return 128;
+    case "A192GCM":
+      return 192;
+    case "A256GCM":
+    case "A128CBC-HS256":
+      return 256;
+    case "A192CBC-HS384":
+      return 384;
+    case "A256CBC-HS512":
+      return 512;
+    default:
+      throw new JOSENotSupported(`Unsupported JWE Algorithm: ${alg}`);
   }
 }
-
-class JWTExpired extends JOSEError {
-  static code = "ERR_JWT_EXPIRED";
-  code = "ERR_JWT_EXPIRED";
-  claim;
-  reason;
-  payload;
-  constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
-    super(message2, { cause: { claim, reason, payload } });
-    this.claim = claim;
-    this.reason = reason;
-    this.payload = payload;
+function checkCekLength(cek, expected) {
+  const actual = cek.byteLength << 3;
+  if (actual !== expected) {
+    throw new JWEInvalid(`Invalid Content Encryption Key length. Expected ${expected} bits, got ${actual} bits`);
   }
 }
-
-class JOSEAlgNotAllowed extends JOSEError {
-  static code = "ERR_JOSE_ALG_NOT_ALLOWED";
-  code = "ERR_JOSE_ALG_NOT_ALLOWED";
+function ivBitLength(alg) {
+  switch (alg) {
+    case "A128GCM":
+    case "A128GCMKW":
+    case "A192GCM":
+    case "A192GCMKW":
+    case "A256GCM":
+    case "A256GCMKW":
+      return 96;
+    case "A128CBC-HS256":
+    case "A192CBC-HS384":
+    case "A256CBC-HS512":
+      return 128;
+    default:
+      throw new JOSENotSupported(`Unsupported JWE Algorithm: ${alg}`);
+  }
 }
-
-class JOSENotSupported extends JOSEError {
-  static code = "ERR_JOSE_NOT_SUPPORTED";
-  code = "ERR_JOSE_NOT_SUPPORTED";
+function checkIvLength(enc, iv) {
+  if (iv.length << 3 !== ivBitLength(enc)) {
+    throw new JWEInvalid("Invalid Initialization Vector length");
+  }
 }
-class JWSInvalid extends JOSEError {
-  static code = "ERR_JWS_INVALID";
-  code = "ERR_JWS_INVALID";
+async function cbcKeySetup(enc, cek, usage) {
+  if (!(cek instanceof Uint8Array)) {
+    throw new TypeError(invalidKeyInput(cek, "Uint8Array"));
+  }
+  const keySize = parseInt(enc.slice(1, 4), 10);
+  const encKey = await crypto.subtle.importKey("raw", cek.subarray(keySize >> 3), "AES-CBC", false, [usage]);
+  const macKey = await crypto.subtle.importKey("raw", cek.subarray(0, keySize >> 3), {
+    hash: `SHA-${keySize << 1}`,
+    name: "HMAC"
+  }, false, ["sign"]);
+  return { encKey, macKey, keySize };
 }
-
-class JWTInvalid extends JOSEError {
-  static code = "ERR_JWT_INVALID";
-  code = "ERR_JWT_INVALID";
+async function cbcHmacTag(macKey, macData, keySize) {
+  return new Uint8Array((await crypto.subtle.sign("HMAC", macKey, macData)).slice(0, keySize >> 3));
+}
+async function cbcEncrypt(enc, plaintext, cek, iv, aad) {
+  const { encKey, macKey, keySize } = await cbcKeySetup(enc, cek, "encrypt");
+  const ciphertext = new Uint8Array(await crypto.subtle.encrypt({
+    iv,
+    name: "AES-CBC"
+  }, encKey, plaintext));
+  const macData = concat(aad, iv, ciphertext, uint64be(aad.length << 3));
+  const tag = await cbcHmacTag(macKey, macData, keySize);
+  return { ciphertext, tag, iv };
 }
-class JWSSignatureVerificationFailed extends JOSEError {
-  static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-  code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-  constructor(message2 = "signature verification failed", options) {
-    super(message2, options);
+async function timingSafeEqual(a, b) {
+  if (!(a instanceof Uint8Array)) {
+    throw new TypeError("First argument must be a buffer");
+  }
+  if (!(b instanceof Uint8Array)) {
+    throw new TypeError("Second argument must be a buffer");
+  }
+  const algorithm = { name: "HMAC", hash: "SHA-256" };
+  const key = await crypto.subtle.generateKey(algorithm, false, ["sign"]);
+  const aHmac = new Uint8Array(await crypto.subtle.sign(algorithm, key, a));
+  const bHmac = new Uint8Array(await crypto.subtle.sign(algorithm, key, b));
+  let out = 0;
+  let i = -1;
+  while (++i < 32) {
+    out |= aHmac[i] ^ bHmac[i];
+  }
+  return out === 0;
+}
+async function cbcDecrypt(enc, cek, ciphertext, iv, tag, aad) {
+  const { encKey, macKey, keySize } = await cbcKeySetup(enc, cek, "decrypt");
+  const macData = concat(aad, iv, ciphertext, uint64be(aad.length << 3));
+  const expectedTag = await cbcHmacTag(macKey, macData, keySize);
+  let macCheckPassed;
+  try {
+    macCheckPassed = await timingSafeEqual(tag, expectedTag);
+  } catch {}
+  if (!macCheckPassed) {
+    throw new JWEDecryptionFailed;
+  }
+  let plaintext;
+  try {
+    plaintext = new Uint8Array(await crypto.subtle.decrypt({ iv, name: "AES-CBC" }, encKey, ciphertext));
+  } catch {}
+  if (!plaintext) {
+    throw new JWEDecryptionFailed;
   }
+  return plaintext;
 }
-
-// node_modules/jose/dist/webapi/lib/is_key_like.js
-var isCryptoKey = (key) => {
-  if (key?.[Symbol.toStringTag] === "CryptoKey")
-    return true;
+async function gcmEncrypt(enc, plaintext, cek, iv, aad) {
+  let encKey;
+  if (cek instanceof Uint8Array) {
+    encKey = await crypto.subtle.importKey("raw", cek, "AES-GCM", false, ["encrypt"]);
+  } else {
+    checkEncCryptoKey(cek, enc, "encrypt");
+    encKey = cek;
+  }
+  const encrypted = new Uint8Array(await crypto.subtle.encrypt({
+    additionalData: aad,
+    iv,
+    name: "AES-GCM",
+    tagLength: 128
+  }, encKey, plaintext));
+  const tag = encrypted.slice(-16);
+  const ciphertext = encrypted.slice(0, -16);
+  return { ciphertext, tag, iv };
+}
+async function gcmDecrypt(enc, cek, ciphertext, iv, tag, aad) {
+  let encKey;
+  if (cek instanceof Uint8Array) {
+    encKey = await crypto.subtle.importKey("raw", cek, "AES-GCM", false, ["decrypt"]);
+  } else {
+    checkEncCryptoKey(cek, enc, "decrypt");
+    encKey = cek;
+  }
   try {
-    return key instanceof CryptoKey;
+    return new Uint8Array(await crypto.subtle.decrypt({
+      additionalData: aad,
+      iv,
+      name: "AES-GCM",
+      tagLength: 128
+    }, encKey, concat(ciphertext, tag)));
   } catch {
-    return false;
+    throw new JWEDecryptionFailed;
   }
-};
-var isKeyObject = (key) => key?.[Symbol.toStringTag] === "KeyObject";
-var isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);
+}
+async function encrypt(enc, plaintext, cek, iv, aad) {
+  if (!isCryptoKey(cek) && !(cek instanceof Uint8Array)) {
+    throw new TypeError(invalidKeyInput(cek, "CryptoKey", "KeyObject", "Uint8Array", "JSON Web Key"));
+  }
+  if (iv) {
+    checkIvLength(enc, iv);
+  } else {
+    iv = generateIv(enc);
+  }
+  switch (enc) {
+    case "A128CBC-HS256":
+    case "A192CBC-HS384":
+    case "A256CBC-HS512":
+      if (cek instanceof Uint8Array) {
+        checkCekLength(cek, parseInt(enc.slice(-3), 10));
+      }
+      return cbcEncrypt(enc, plaintext, cek, iv, aad);
+    case "A128GCM":
+    case "A192GCM":
+    case "A256GCM":
+      if (cek instanceof Uint8Array) {
+        checkCekLength(cek, parseInt(enc.slice(1, 4), 10));
+      }
+      return gcmEncrypt(enc, plaintext, cek, iv, aad);
+    default:
+      throw new JOSENotSupported(unsupportedEnc);
+  }
+}
+async function decrypt(enc, cek, ciphertext, iv, tag, aad) {
+  if (!isCryptoKey(cek) && !(cek instanceof Uint8Array)) {
+    throw new TypeError(invalidKeyInput(cek, "CryptoKey", "KeyObject", "Uint8Array", "JSON Web Key"));
+  }
+  if (!iv) {
+    throw new JWEInvalid("JWE Initialization Vector missing");
+  }
+  if (!tag) {
+    throw new JWEInvalid("JWE Authentication Tag missing");
+  }
+  checkIvLength(enc, iv);
+  switch (enc) {
+    case "A128CBC-HS256":
+    case "A192CBC-HS384":
+    case "A256CBC-HS512":
+      if (cek instanceof Uint8Array)
+        checkCekLength(cek, parseInt(enc.slice(-3), 10));
+      return cbcDecrypt(enc, cek, ciphertext, iv, tag, aad);
+    case "A128GCM":
+    case "A192GCM":
+    case "A256GCM":
+      if (cek instanceof Uint8Array)
+        checkCekLength(cek, parseInt(enc.slice(1, 4), 10));
+      return gcmDecrypt(enc, cek, ciphertext, iv, tag, aad);
+    default:
+      throw new JOSENotSupported(unsupportedEnc);
+  }
+}
+var generateCek = (alg) => crypto.getRandomValues(new Uint8Array(cekLength(alg) >> 3)), generateIv = (alg) => crypto.getRandomValues(new Uint8Array(ivBitLength(alg) >> 3)), unsupportedEnc = "Unsupported JWE Content Encryption Algorithm";
+var init_content_encryption = __esm(() => {
+  init_buffer_utils();
+  init_errors();
+});
 
 // node_modules/jose/dist/webapi/lib/helpers.js
-var unprotected = Symbol();
 function assertNotSet(value, name) {
   if (value) {
     throw new TypeError(`${name} can only be called once`);
@@ -279,9 +644,17 @@ function decodeBase64url(value, label, ErrorClass) {
     throw new ErrorClass(`Failed to base64url decode the ${label}`);
   }
 }
+async function digest(algorithm, data) {
+  const subtleDigest = `SHA-${algorithm.slice(-3)}`;
+  return new Uint8Array(await crypto.subtle.digest(subtleDigest, data));
+}
+var unprotected;
+var init_helpers = __esm(() => {
+  init_base64url();
+  unprotected = Symbol();
+});
 
 // node_modules/jose/dist/webapi/lib/type_checks.js
-var isObjectLike = (value) => typeof value === "object" && value !== null;
 function isObject(input) {
   if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
     return false;
@@ -316,10 +689,131 @@ function isDisjoint(...headers) {
   }
   return true;
 }
-var isJWK = (key) => isObject(key) && typeof key.kty === "string";
-var isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
-var isPublicJWK = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined;
-var isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
+var isObjectLike = (value) => typeof value === "object" && value !== null, isJWK = (key) => isObject(key) && typeof key.kty === "string", isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string"), isPublicJWK = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined, isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
+
+// node_modules/jose/dist/webapi/lib/aeskw.js
+function checkKeySize(key, alg) {
+  if (key.algorithm.length !== parseInt(alg.slice(1, 4), 10)) {
+    throw new TypeError(`Invalid key size for alg: ${alg}`);
+  }
+}
+function getCryptoKey(key, alg, usage) {
+  if (key instanceof Uint8Array) {
+    return crypto.subtle.importKey("raw", key, "AES-KW", true, [usage]);
+  }
+  checkEncCryptoKey(key, alg, usage);
+  return key;
+}
+async function wrap(alg, key, cek) {
+  const cryptoKey = await getCryptoKey(key, alg, "wrapKey");
+  checkKeySize(cryptoKey, alg);
+  const cryptoKeyCek = await crypto.subtle.importKey("raw", cek, { hash: "SHA-256", name: "HMAC" }, true, ["sign"]);
+  return new Uint8Array(await crypto.subtle.wrapKey("raw", cryptoKeyCek, cryptoKey, "AES-KW"));
+}
+async function unwrap(alg, key, encryptedKey) {
+  const cryptoKey = await getCryptoKey(key, alg, "unwrapKey");
+  checkKeySize(cryptoKey, alg);
+  const cryptoKeyCek = await crypto.subtle.unwrapKey("raw", encryptedKey, cryptoKey, "AES-KW", { hash: "SHA-256", name: "HMAC" }, true, ["sign"]);
+  return new Uint8Array(await crypto.subtle.exportKey("raw", cryptoKeyCek));
+}
+var init_aeskw = () => {};
+
+// node_modules/jose/dist/webapi/lib/ecdhes.js
+function lengthAndInput(input) {
+  return concat(uint32be(input.length), input);
+}
+async function concatKdf(Z, L, OtherInfo) {
+  const dkLen = L >> 3;
+  const hashLen = 32;
+  const reps = Math.ceil(dkLen / hashLen);
+  const dk = new Uint8Array(reps * hashLen);
+  for (let i = 1;i <= reps; i++) {
+    const hashInput = new Uint8Array(4 + Z.length + OtherInfo.length);
+    hashInput.set(uint32be(i), 0);
+    hashInput.set(Z, 4);
+    hashInput.set(OtherInfo, 4 + Z.length);
+    const hashResult = await digest("sha256", hashInput);
+    dk.set(hashResult, (i - 1) * hashLen);
+  }
+  return dk.slice(0, dkLen);
+}
+async function deriveKey(publicKey, privateKey, algorithm, keyLength, apu = new Uint8Array, apv = new Uint8Array) {
+  checkEncCryptoKey(publicKey, "ECDH");
+  checkEncCryptoKey(privateKey, "ECDH", "deriveBits");
+  const algorithmID = lengthAndInput(encode(algorithm));
+  const partyUInfo = lengthAndInput(apu);
+  const partyVInfo = lengthAndInput(apv);
+  const suppPubInfo = uint32be(keyLength);
+  const suppPrivInfo = new Uint8Array;
+  const otherInfo = concat(algorithmID, partyUInfo, partyVInfo, suppPubInfo, suppPrivInfo);
+  const Z = new Uint8Array(await crypto.subtle.deriveBits({
+    name: publicKey.algorithm.name,
+    public: publicKey
+  }, privateKey, getEcdhBitLength(publicKey)));
+  return concatKdf(Z, keyLength, otherInfo);
+}
+function getEcdhBitLength(publicKey) {
+  if (publicKey.algorithm.name === "X25519") {
+    return 256;
+  }
+  return Math.ceil(parseInt(publicKey.algorithm.namedCurve.slice(-3), 10) / 8) << 3;
+}
+function allowed(key) {
+  switch (key.algorithm.namedCurve) {
+    case "P-256":
+    case "P-384":
+    case "P-521":
+      return true;
+    default:
+      return key.algorithm.name === "X25519";
+  }
+}
+var init_ecdhes = __esm(() => {
+  init_buffer_utils();
+  init_helpers();
+});
+
+// node_modules/jose/dist/webapi/lib/pbes2kw.js
+function getCryptoKey2(key, alg) {
+  if (key instanceof Uint8Array) {
+    return crypto.subtle.importKey("raw", key, "PBKDF2", false, [
+      "deriveBits"
+    ]);
+  }
+  checkEncCryptoKey(key, alg, "deriveBits");
+  return key;
+}
+async function deriveKey2(p2s, alg, p2c, key) {
+  if (!(p2s instanceof Uint8Array) || p2s.length < 8) {
+    throw new JWEInvalid("PBES2 Salt Input must be 8 or more octets");
+  }
+  const salt = concatSalt(alg, p2s);
+  const keylen = parseInt(alg.slice(13, 16), 10);
+  const subtleAlg = {
+    hash: `SHA-${alg.slice(8, 11)}`,
+    iterations: p2c,
+    name: "PBKDF2",
+    salt
+  };
+  const cryptoKey = await getCryptoKey2(key, alg);
+  return new Uint8Array(await crypto.subtle.deriveBits(subtleAlg, cryptoKey, keylen));
+}
+async function wrap2(alg, key, cek, p2c = 2048, p2s = crypto.getRandomValues(new Uint8Array(16))) {
+  const derived = await deriveKey2(p2s, alg, p2c, key);
+  const encryptedKey = await wrap(alg.slice(-6), derived, cek);
+  return { encryptedKey, p2c, p2s: encode2(p2s) };
+}
+async function unwrap2(alg, key, encryptedKey, p2c, p2s) {
+  const derived = await deriveKey2(p2s, alg, p2c, key);
+  return unwrap(alg.slice(-6), derived, encryptedKey);
+}
+var concatSalt = (alg, p2sInput) => concat(encode(alg), Uint8Array.of(0), p2sInput);
+var init_pbes2kw = __esm(() => {
+  init_base64url();
+  init_aeskw();
+  init_buffer_utils();
+  init_errors();
+});
 
 // node_modules/jose/dist/webapi/lib/signing.js
 function checkKeyLength(alg, key) {
@@ -386,9 +880,38 @@ async function verify(alg, key, signature, data) {
     return false;
   }
 }
+var init_signing = __esm(() => {
+  init_errors();
+});
+
+// node_modules/jose/dist/webapi/lib/rsaes.js
+async function encrypt2(alg, key, cek) {
+  checkEncCryptoKey(key, alg, "encrypt");
+  checkKeyLength(alg, key);
+  return new Uint8Array(await crypto.subtle.encrypt(subtleAlgorithm2(alg), key, cek));
+}
+async function decrypt2(alg, key, encryptedKey) {
+  checkEncCryptoKey(key, alg, "decrypt");
+  checkKeyLength(alg, key);
+  return new Uint8Array(await crypto.subtle.decrypt(subtleAlgorithm2(alg), key, encryptedKey));
+}
+var subtleAlgorithm2 = (alg) => {
+  switch (alg) {
+    case "RSA-OAEP":
+    case "RSA-OAEP-256":
+    case "RSA-OAEP-384":
+    case "RSA-OAEP-512":
+      return "RSA-OAEP";
+    default:
+      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+  }
+};
+var init_rsaes = __esm(() => {
+  init_signing();
+  init_errors();
+});
 
 // node_modules/jose/dist/webapi/lib/jwk_to_key.js
-var unsupportedAlg = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
 function subtleMapping(jwk) {
   let algorithm;
   let keyUsages;
@@ -494,11 +1017,44 @@ async function jwkToKey(jwk) {
   delete keyData.use;
   return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
 }
+var unsupportedAlg = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
+var init_jwk_to_key = __esm(() => {
+  init_errors();
+});
 
 // node_modules/jose/dist/webapi/lib/normalize_key.js
-var unusableForAlg = "given KeyObject instance cannot be used for this algorithm";
-var cache;
-var handleJWK = async (key, jwk, alg, freeze = false) => {
+async function normalizeKey(key, alg) {
+  if (key instanceof Uint8Array) {
+    return key;
+  }
+  if (isCryptoKey(key)) {
+    return key;
+  }
+  if (isKeyObject(key)) {
+    if (key.type === "secret") {
+      return key.export();
+    }
+    if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
+      try {
+        return handleKeyObject(key, alg);
+      } catch (err) {
+        if (err instanceof TypeError) {
+          throw err;
+        }
+      }
+    }
+    let jwk = key.export({ format: "jwk" });
+    return handleJWK(key, jwk, alg);
+  }
+  if (isJWK(key)) {
+    if (key.k) {
+      return decode(key.k);
+    }
+    return handleJWK(key, key, alg, true);
+  }
+  throw new Error("unreachable");
+}
+var unusableForAlg = "given KeyObject instance cannot be used for this algorithm", cache, handleJWK = async (key, jwk, alg, freeze = false) => {
   cache ||= new WeakMap;
   let cached = cache.get(key);
   if (cached?.[alg]) {
@@ -513,8 +1069,7 @@ var handleJWK = async (key, jwk, alg, freeze = false) => {
     cached[alg] = cryptoKey;
   }
   return cryptoKey;
-};
-var handleKeyObject = (keyObject, alg) => {
+}, handleKeyObject = (keyObject, alg) => {
   cache ||= new WeakMap;
   let cached = cache.get(keyObject);
   if (cached?.[alg]) {
@@ -624,92 +1179,620 @@ var handleKeyObject = (keyObject, alg) => {
   }
   return cryptoKey;
 };
-async function normalizeKey(key, alg) {
-  if (key instanceof Uint8Array) {
-    return key;
-  }
-  if (isCryptoKey(key)) {
-    return key;
+var init_normalize_key = __esm(() => {
+  init_base64url();
+  init_jwk_to_key();
+});
+
+// node_modules/jose/dist/webapi/lib/asn1.js
+function parsePKCS8Header(state) {
+  expectTag(state, 48, "Invalid PKCS#8 structure");
+  parseLength(state);
+  expectTag(state, 2, "Expected version field");
+  const verLen = parseLength(state);
+  state.pos += verLen;
+  expectTag(state, 48, "Expected algorithm identifier");
+  const algIdLen = parseLength(state);
+  const algIdStart = state.pos;
+  return { algIdStart, algIdLength: algIdLen };
+}
+function parseSPKIHeader(state) {
+  expectTag(state, 48, "Invalid SPKI structure");
+  parseLength(state);
+  expectTag(state, 48, "Expected algorithm identifier");
+  const algIdLen = parseLength(state);
+  const algIdStart = state.pos;
+  return { algIdStart, algIdLength: algIdLen };
+}
+function spkiFromX509(buf) {
+  const state = createASN1State(buf);
+  expectTag(state, 48, "Invalid certificate structure");
+  parseLength(state);
+  expectTag(state, 48, "Invalid tbsCertificate structure");
+  parseLength(state);
+  if (buf[state.pos] === 160) {
+    skipElement(state, 6);
+  } else {
+    skipElement(state, 5);
   }
+  const spkiStart = state.pos;
+  expectTag(state, 48, "Invalid SPKI structure");
+  const spkiContentLen = parseLength(state);
+  return buf.subarray(spkiStart, spkiStart + spkiContentLen + (state.pos - spkiStart));
+}
+function extractX509SPKI(x509) {
+  const derBytes = processPEMData(x509, /(?:-----(?:BEGIN|END) CERTIFICATE-----|\s)/g);
+  return spkiFromX509(derBytes);
+}
+var formatPEM = (b64, descriptor) => {
+  const newlined = (b64.match(/.{1,64}/g) || []).join(`
+`);
+  return `-----BEGIN ${descriptor}-----
+${newlined}
+-----END ${descriptor}-----`;
+}, genericExport = async (keyType, keyFormat, key) => {
   if (isKeyObject(key)) {
-    if (key.type === "secret") {
-      return key.export();
-    }
-    if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
-      try {
-        return handleKeyObject(key, alg);
-      } catch (err) {
-        if (err instanceof TypeError) {
-          throw err;
-        }
-      }
-    }
-    let jwk = key.export({ format: "jwk" });
-    return handleJWK(key, jwk, alg);
-  }
-  if (isJWK(key)) {
-    if (key.k) {
-      return decode(key.k);
+    if (key.type !== keyType) {
+      throw new TypeError(`key is not a ${keyType} key`);
     }
-    return handleJWK(key, key, alg, true);
+    return key.export({ format: "pem", type: keyFormat });
   }
-  throw new Error("unreachable");
-}
-
-// node_modules/jose/dist/webapi/lib/validate_crit.js
-function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-  if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
+  if (!isCryptoKey(key)) {
+    throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject"));
   }
-  if (!protectedHeader || protectedHeader.crit === undefined) {
-    return new Set;
+  if (!key.extractable) {
+    throw new TypeError("CryptoKey is not extractable");
   }
-  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  if (key.type !== keyType) {
+    throw new TypeError(`key is not a ${keyType} key`);
   }
-  let recognized;
-  if (recognizedOption !== undefined) {
-    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
-  } else {
-    recognized = recognizedDefault;
+  return formatPEM(encodeBase64(new Uint8Array(await crypto.subtle.exportKey(keyFormat, key))), `${keyType.toUpperCase()} KEY`);
+}, toSPKI = (key) => genericExport("public", "spki", key), toPKCS8 = (key) => genericExport("private", "pkcs8", key), bytesEqual = (a, b) => {
+  if (a.byteLength !== b.length)
+    return false;
+  for (let i = 0;i < a.byteLength; i++) {
+    if (a[i] !== b[i])
+      return false;
   }
-  for (const parameter of protectedHeader.crit) {
-    if (!recognized.has(parameter)) {
-      throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
-    }
-    if (joseHeader[parameter] === undefined) {
-      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
-    }
-    if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
-      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+  return true;
+}, createASN1State = (data) => ({ data, pos: 0 }), parseLength = (state) => {
+  const first = state.data[state.pos++];
+  if (first & 128) {
+    const lengthOfLen = first & 127;
+    let length = 0;
+    for (let i = 0;i < lengthOfLen; i++) {
+      length = length << 8 | state.data[state.pos++];
     }
+    return length;
   }
-  return new Set(protectedHeader.crit);
-}
-
-// node_modules/jose/dist/webapi/lib/validate_algorithms.js
-function validateAlgorithms(option, algorithms) {
-  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
-    throw new TypeError(`"${option}" option must be an array of strings`);
-  }
-  if (!algorithms) {
+  return first;
+}, skipElement = (state, count = 1) => {
+  if (count <= 0)
     return;
+  state.pos++;
+  const length = parseLength(state);
+  state.pos += length;
+  if (count > 1) {
+    skipElement(state, count - 1);
+  }
+}, expectTag = (state, expectedTag, errorMessage) => {
+  if (state.data[state.pos++] !== expectedTag) {
+    throw new Error(errorMessage);
+  }
+}, getSubarray = (state, length) => {
+  const result = state.data.subarray(state.pos, state.pos + length);
+  state.pos += length;
+  return result;
+}, parseAlgorithmOID = (state) => {
+  expectTag(state, 6, "Expected algorithm OID");
+  const oidLen = parseLength(state);
+  return getSubarray(state, oidLen);
+}, parseECAlgorithmIdentifier = (state) => {
+  const algOid = parseAlgorithmOID(state);
+  if (bytesEqual(algOid, [43, 101, 110])) {
+    return "X25519";
+  }
+  if (!bytesEqual(algOid, [42, 134, 72, 206, 61, 2, 1])) {
+    throw new Error("Unsupported key algorithm");
+  }
+  expectTag(state, 6, "Expected curve OID");
+  const curveOidLen = parseLength(state);
+  const curveOid = getSubarray(state, curveOidLen);
+  for (const { name, oid } of [
+    { name: "P-256", oid: [42, 134, 72, 206, 61, 3, 1, 7] },
+    { name: "P-384", oid: [43, 129, 4, 0, 34] },
+    { name: "P-521", oid: [43, 129, 4, 0, 35] }
+  ]) {
+    if (bytesEqual(curveOid, oid)) {
+      return name;
+    }
   }
-  return new Set(algorithms);
-}
-
-// node_modules/jose/dist/webapi/lib/check_key_type.js
-var tag = (key) => key?.[Symbol.toStringTag];
-var jwkMatchesOp = (alg, key, usage) => {
-  if (key.use !== undefined) {
-    let expected;
-    switch (usage) {
-      case "sign":
-      case "verify":
-        expected = "sig";
-        break;
-      case "encrypt":
-      case "decrypt":
+  throw new Error("Unsupported named curve");
+}, genericImport = async (keyFormat, keyData, alg, options) => {
+  let algorithm;
+  let keyUsages;
+  const isPublic = keyFormat === "spki";
+  const getSigUsages = () => isPublic ? ["verify"] : ["sign"];
+  const getEncUsages = () => isPublic ? ["encrypt", "wrapKey"] : ["decrypt", "unwrapKey"];
+  switch (alg) {
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      algorithm = { name: "RSA-PSS", hash: `SHA-${alg.slice(-3)}` };
+      keyUsages = getSigUsages();
+      break;
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      algorithm = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${alg.slice(-3)}` };
+      keyUsages = getSigUsages();
+      break;
+    case "RSA-OAEP":
+    case "RSA-OAEP-256":
+    case "RSA-OAEP-384":
+    case "RSA-OAEP-512":
+      algorithm = {
+        name: "RSA-OAEP",
+        hash: `SHA-${parseInt(alg.slice(-3), 10) || 1}`
+      };
+      keyUsages = getEncUsages();
+      break;
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      const curveMap = { ES256: "P-256", ES384: "P-384", ES512: "P-521" };
+      algorithm = { name: "ECDSA", namedCurve: curveMap[alg] };
+      keyUsages = getSigUsages();
+      break;
+    }
+    case "ECDH-ES":
+    case "ECDH-ES+A128KW":
+    case "ECDH-ES+A192KW":
+    case "ECDH-ES+A256KW": {
+      try {
+        const namedCurve = options.getNamedCurve(keyData);
+        algorithm = namedCurve === "X25519" ? { name: "X25519" } : { name: "ECDH", namedCurve };
+      } catch (cause) {
+        throw new JOSENotSupported("Invalid or unsupported key format");
+      }
+      keyUsages = isPublic ? [] : ["deriveBits"];
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA":
+      algorithm = { name: "Ed25519" };
+      keyUsages = getSigUsages();
+      break;
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      algorithm = { name: alg };
+      keyUsages = getSigUsages();
+      break;
+    default:
+      throw new JOSENotSupported('Invalid or unsupported "alg" (Algorithm) value');
+  }
+  return crypto.subtle.importKey(keyFormat, keyData, algorithm, options?.extractable ?? (isPublic ? true : false), keyUsages);
+}, processPEMData = (pem, pattern) => {
+  return decodeBase64(pem.replace(pattern, ""));
+}, fromPKCS8 = (pem, alg, options) => {
+  const keyData = processPEMData(pem, /(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g);
+  let opts = options;
+  if (alg?.startsWith?.("ECDH-ES")) {
+    opts ||= {};
+    opts.getNamedCurve = (keyData2) => {
+      const state = createASN1State(keyData2);
+      parsePKCS8Header(state);
+      return parseECAlgorithmIdentifier(state);
+    };
+  }
+  return genericImport("pkcs8", keyData, alg, opts);
+}, fromSPKI = (pem, alg, options) => {
+  const keyData = processPEMData(pem, /(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g);
+  let opts = options;
+  if (alg?.startsWith?.("ECDH-ES")) {
+    opts ||= {};
+    opts.getNamedCurve = (keyData2) => {
+      const state = createASN1State(keyData2);
+      parseSPKIHeader(state);
+      return parseECAlgorithmIdentifier(state);
+    };
+  }
+  return genericImport("spki", keyData, alg, opts);
+}, fromX509 = (pem, alg, options) => {
+  let spki;
+  try {
+    spki = extractX509SPKI(pem);
+  } catch (cause) {
+    throw new TypeError("Failed to parse the X.509 certificate", { cause });
+  }
+  return fromSPKI(formatPEM(encodeBase64(spki), "PUBLIC KEY"), alg, options);
+};
+var init_asn1 = __esm(() => {
+  init_errors();
+});
+
+// node_modules/jose/dist/webapi/key/import.js
+async function importSPKI(spki, alg, options) {
+  if (typeof spki !== "string" || spki.indexOf("-----BEGIN PUBLIC KEY-----") !== 0) {
+    throw new TypeError('"spki" must be SPKI formatted string');
+  }
+  return fromSPKI(spki, alg, options);
+}
+async function importX509(x509, alg, options) {
+  if (typeof x509 !== "string" || x509.indexOf("-----BEGIN CERTIFICATE-----") !== 0) {
+    throw new TypeError('"x509" must be X.509 formatted string');
+  }
+  return fromX509(x509, alg, options);
+}
+async function importPKCS8(pkcs8, alg, options) {
+  if (typeof pkcs8 !== "string" || pkcs8.indexOf("-----BEGIN PRIVATE KEY-----") !== 0) {
+    throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
+  }
+  return fromPKCS8(pkcs8, alg, options);
+}
+async function importJWK(jwk, alg, options) {
+  if (!isObject(jwk)) {
+    throw new TypeError("JWK must be an object");
+  }
+  let ext;
+  alg ??= jwk.alg;
+  ext ??= options?.extractable ?? jwk.ext;
+  switch (jwk.kty) {
+    case "oct":
+      if (typeof jwk.k !== "string" || !jwk.k) {
+        throw new TypeError('missing "k" (Key Value) Parameter value');
+      }
+      return decode(jwk.k);
+    case "RSA":
+      if ("oth" in jwk && jwk.oth !== undefined) {
+        throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+      }
+      return jwkToKey({ ...jwk, alg, ext });
+    case "AKP": {
+      if (typeof jwk.alg !== "string" || !jwk.alg) {
+        throw new TypeError('missing "alg" (Algorithm) Parameter value');
+      }
+      if (alg !== undefined && alg !== jwk.alg) {
+        throw new TypeError("JWK alg and alg option value mismatch");
+      }
+      return jwkToKey({ ...jwk, ext });
+    }
+    case "EC":
+    case "OKP":
+      return jwkToKey({ ...jwk, alg, ext });
+    default:
+      throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
+  }
+}
+var init_import = __esm(() => {
+  init_base64url();
+  init_asn1();
+  init_jwk_to_key();
+  init_errors();
+});
+
+// node_modules/jose/dist/webapi/lib/key_to_jwk.js
+async function keyToJWK(key) {
+  if (isKeyObject(key)) {
+    if (key.type === "secret") {
+      key = key.export();
+    } else {
+      return key.export({ format: "jwk" });
+    }
+  }
+  if (key instanceof Uint8Array) {
+    return {
+      kty: "oct",
+      k: encode2(key)
+    };
+  }
+  if (!isCryptoKey(key)) {
+    throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "Uint8Array"));
+  }
+  if (!key.extractable) {
+    throw new TypeError("non-extractable CryptoKey cannot be exported as a JWK");
+  }
+  const { ext, key_ops, alg, use, ...jwk } = await crypto.subtle.exportKey("jwk", key);
+  if (jwk.kty === "AKP") {
+    jwk.alg = alg;
+  }
+  return jwk;
+}
+var init_key_to_jwk = __esm(() => {
+  init_base64url();
+});
+
+// node_modules/jose/dist/webapi/key/export.js
+async function exportSPKI(key) {
+  return toSPKI(key);
+}
+async function exportPKCS8(key) {
+  return toPKCS8(key);
+}
+async function exportJWK(key) {
+  return keyToJWK(key);
+}
+var init_export = __esm(() => {
+  init_asn1();
+  init_key_to_jwk();
+});
+
+// node_modules/jose/dist/webapi/lib/aesgcmkw.js
+async function wrap3(alg, key, cek, iv) {
+  const jweAlgorithm = alg.slice(0, 7);
+  const wrapped = await encrypt(jweAlgorithm, cek, key, iv, new Uint8Array);
+  return {
+    encryptedKey: wrapped.ciphertext,
+    iv: encode2(wrapped.iv),
+    tag: encode2(wrapped.tag)
+  };
+}
+async function unwrap3(alg, key, encryptedKey, iv, tag) {
+  const jweAlgorithm = alg.slice(0, 7);
+  return decrypt(jweAlgorithm, key, encryptedKey, iv, tag, new Uint8Array);
+}
+var init_aesgcmkw = __esm(() => {
+  init_content_encryption();
+  init_base64url();
+});
+
+// node_modules/jose/dist/webapi/lib/key_management.js
+function assertEncryptedKey(encryptedKey) {
+  if (encryptedKey === undefined)
+    throw new JWEInvalid("JWE Encrypted Key missing");
+}
+async function decryptKeyManagement(alg, key, encryptedKey, joseHeader, options) {
+  switch (alg) {
+    case "dir": {
+      if (encryptedKey !== undefined)
+        throw new JWEInvalid("Encountered unexpected JWE Encrypted Key");
+      return key;
+    }
+    case "ECDH-ES":
+      if (encryptedKey !== undefined)
+        throw new JWEInvalid("Encountered unexpected JWE Encrypted Key");
+    case "ECDH-ES+A128KW":
+    case "ECDH-ES+A192KW":
+    case "ECDH-ES+A256KW": {
+      if (!isObject(joseHeader.epk))
+        throw new JWEInvalid(`JOSE Header "epk" (Ephemeral Public Key) missing or invalid`);
+      assertCryptoKey(key);
+      if (!allowed(key))
+        throw new JOSENotSupported("ECDH with the provided key is not allowed or not supported by your javascript runtime");
+      const epk = await importJWK(joseHeader.epk, alg);
+      assertCryptoKey(epk);
+      let partyUInfo;
+      let partyVInfo;
+      if (joseHeader.apu !== undefined) {
+        if (typeof joseHeader.apu !== "string")
+          throw new JWEInvalid(`JOSE Header "apu" (Agreement PartyUInfo) invalid`);
+        partyUInfo = decodeBase64url(joseHeader.apu, "apu", JWEInvalid);
+      }
+      if (joseHeader.apv !== undefined) {
+        if (typeof joseHeader.apv !== "string")
+          throw new JWEInvalid(`JOSE Header "apv" (Agreement PartyVInfo) invalid`);
+        partyVInfo = decodeBase64url(joseHeader.apv, "apv", JWEInvalid);
+      }
+      const sharedSecret = await deriveKey(epk, key, alg === "ECDH-ES" ? joseHeader.enc : alg, alg === "ECDH-ES" ? cekLength(joseHeader.enc) : parseInt(alg.slice(-5, -2), 10), partyUInfo, partyVInfo);
+      if (alg === "ECDH-ES")
+        return sharedSecret;
+      assertEncryptedKey(encryptedKey);
+      return unwrap(alg.slice(-6), sharedSecret, encryptedKey);
+    }
+    case "RSA-OAEP":
+    case "RSA-OAEP-256":
+    case "RSA-OAEP-384":
+    case "RSA-OAEP-512": {
+      assertEncryptedKey(encryptedKey);
+      assertCryptoKey(key);
+      return decrypt2(alg, key, encryptedKey);
+    }
+    case "PBES2-HS256+A128KW":
+    case "PBES2-HS384+A192KW":
+    case "PBES2-HS512+A256KW": {
+      assertEncryptedKey(encryptedKey);
+      if (typeof joseHeader.p2c !== "number")
+        throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`);
+      const p2cLimit = options?.maxPBES2Count || 1e4;
+      if (joseHeader.p2c > p2cLimit)
+        throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds`);
+      if (typeof joseHeader.p2s !== "string")
+        throw new JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`);
+      let p2s;
+      p2s = decodeBase64url(joseHeader.p2s, "p2s", JWEInvalid);
+      return unwrap2(alg, key, encryptedKey, joseHeader.p2c, p2s);
+    }
+    case "A128KW":
+    case "A192KW":
+    case "A256KW": {
+      assertEncryptedKey(encryptedKey);
+      return unwrap(alg, key, encryptedKey);
+    }
+    case "A128GCMKW":
+    case "A192GCMKW":
+    case "A256GCMKW": {
+      assertEncryptedKey(encryptedKey);
+      if (typeof joseHeader.iv !== "string")
+        throw new JWEInvalid(`JOSE Header "iv" (Initialization Vector) missing or invalid`);
+      if (typeof joseHeader.tag !== "string")
+        throw new JWEInvalid(`JOSE Header "tag" (Authentication Tag) missing or invalid`);
+      let iv;
+      iv = decodeBase64url(joseHeader.iv, "iv", JWEInvalid);
+      let tag;
+      tag = decodeBase64url(joseHeader.tag, "tag", JWEInvalid);
+      return unwrap3(alg, key, encryptedKey, iv, tag);
+    }
+    default: {
+      throw new JOSENotSupported(unsupportedAlgHeader);
+    }
+  }
+}
+async function encryptKeyManagement(alg, enc, key, providedCek, providedParameters = {}) {
+  let encryptedKey;
+  let parameters;
+  let cek;
+  switch (alg) {
+    case "dir": {
+      cek = key;
+      break;
+    }
+    case "ECDH-ES":
+    case "ECDH-ES+A128KW":
+    case "ECDH-ES+A192KW":
+    case "ECDH-ES+A256KW": {
+      assertCryptoKey(key);
+      if (!allowed(key)) {
+        throw new JOSENotSupported("ECDH with the provided key is not allowed or not supported by your javascript runtime");
+      }
+      const { apu, apv } = providedParameters;
+      let ephemeralKey;
+      if (providedParameters.epk) {
+        ephemeralKey = await normalizeKey(providedParameters.epk, alg);
+      } else {
+        ephemeralKey = (await crypto.subtle.generateKey(key.algorithm, true, ["deriveBits"])).privateKey;
+      }
+      const { x, y, crv, kty } = await exportJWK(ephemeralKey);
+      const sharedSecret = await deriveKey(key, ephemeralKey, alg === "ECDH-ES" ? enc : alg, alg === "ECDH-ES" ? cekLength(enc) : parseInt(alg.slice(-5, -2), 10), apu, apv);
+      parameters = { epk: { x, crv, kty } };
+      if (kty === "EC")
+        parameters.epk.y = y;
+      if (apu)
+        parameters.apu = encode2(apu);
+      if (apv)
+        parameters.apv = encode2(apv);
+      if (alg === "ECDH-ES") {
+        cek = sharedSecret;
+        break;
+      }
+      cek = providedCek || generateCek(enc);
+      const kwAlg = alg.slice(-6);
+      encryptedKey = await wrap(kwAlg, sharedSecret, cek);
+      break;
+    }
+    case "RSA-OAEP":
+    case "RSA-OAEP-256":
+    case "RSA-OAEP-384":
+    case "RSA-OAEP-512": {
+      cek = providedCek || generateCek(enc);
+      assertCryptoKey(key);
+      encryptedKey = await encrypt2(alg, key, cek);
+      break;
+    }
+    case "PBES2-HS256+A128KW":
+    case "PBES2-HS384+A192KW":
+    case "PBES2-HS512+A256KW": {
+      cek = providedCek || generateCek(enc);
+      const { p2c, p2s } = providedParameters;
+      ({ encryptedKey, ...parameters } = await wrap2(alg, key, cek, p2c, p2s));
+      break;
+    }
+    case "A128KW":
+    case "A192KW":
+    case "A256KW": {
+      cek = providedCek || generateCek(enc);
+      encryptedKey = await wrap(alg, key, cek);
+      break;
+    }
+    case "A128GCMKW":
+    case "A192GCMKW":
+    case "A256GCMKW": {
+      cek = providedCek || generateCek(enc);
+      const { iv } = providedParameters;
+      ({ encryptedKey, ...parameters } = await wrap3(alg, key, cek, iv));
+      break;
+    }
+    default: {
+      throw new JOSENotSupported(unsupportedAlgHeader);
+    }
+  }
+  return { cek, encryptedKey, parameters };
+}
+var unsupportedAlgHeader = 'Invalid or unsupported "alg" (JWE Algorithm) header value';
+var init_key_management = __esm(() => {
+  init_aeskw();
+  init_ecdhes();
+  init_pbes2kw();
+  init_rsaes();
+  init_base64url();
+  init_normalize_key();
+  init_errors();
+  init_helpers();
+  init_content_encryption();
+  init_import();
+  init_export();
+  init_aesgcmkw();
+});
+
+// node_modules/jose/dist/webapi/lib/validate_crit.js
+function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+  if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
+  }
+  if (!protectedHeader || protectedHeader.crit === undefined) {
+    return new Set;
+  }
+  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  }
+  let recognized;
+  if (recognizedOption !== undefined) {
+    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+  } else {
+    recognized = recognizedDefault;
+  }
+  for (const parameter of protectedHeader.crit) {
+    if (!recognized.has(parameter)) {
+      throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
+    }
+    if (joseHeader[parameter] === undefined) {
+      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+    }
+    if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
+      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+    }
+  }
+  return new Set(protectedHeader.crit);
+}
+var init_validate_crit = __esm(() => {
+  init_errors();
+});
+
+// node_modules/jose/dist/webapi/lib/validate_algorithms.js
+function validateAlgorithms(option, algorithms) {
+  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
+    throw new TypeError(`"${option}" option must be an array of strings`);
+  }
+  if (!algorithms) {
+    return;
+  }
+  return new Set(algorithms);
+}
+
+// node_modules/jose/dist/webapi/lib/check_key_type.js
+function checkKeyType(alg, key, usage) {
+  switch (alg.substring(0, 2)) {
+    case "A1":
+    case "A2":
+    case "di":
+    case "HS":
+    case "PB":
+      symmetricTypeCheck(alg, key, usage);
+      break;
+    default:
+      asymmetricTypeCheck(alg, key, usage);
+  }
+}
+var tag = (key) => key?.[Symbol.toStringTag], jwkMatchesOp = (alg, key, usage) => {
+  if (key.use !== undefined) {
+    let expected;
+    switch (usage) {
+      case "sign":
+      case "verify":
+        expected = "sig";
+        break;
+      case "encrypt":
+      case "decrypt":
         expected = "enc";
         break;
     }
@@ -750,8 +1833,7 @@ var jwkMatchesOp = (alg, key, usage) => {
     }
   }
   return true;
-};
-var symmetricTypeCheck = (alg, key, usage) => {
+}, symmetricTypeCheck = (alg, key, usage) => {
   if (key instanceof Uint8Array)
     return;
   if (isJWK(key)) {
@@ -765,8 +1847,7 @@ var symmetricTypeCheck = (alg, key, usage) => {
   if (key.type !== "secret") {
     throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`);
   }
-};
-var asymmetricTypeCheck = (alg, key, usage) => {
+}, asymmetricTypeCheck = (alg, key, usage) => {
   if (isJWK(key)) {
     switch (usage) {
       case "decrypt":
@@ -804,96 +1885,685 @@ var asymmetricTypeCheck = (alg, key, usage) => {
     }
   }
 };
-function checkKeyType(alg, key, usage) {
-  switch (alg.substring(0, 2)) {
-    case "A1":
-    case "A2":
-    case "di":
-    case "HS":
-    case "PB":
-      symmetricTypeCheck(alg, key, usage);
+var init_check_key_type = () => {};
+
+// node_modules/jose/dist/webapi/lib/deflate.js
+function supported(name) {
+  if (typeof globalThis[name] === "undefined") {
+    throw new JOSENotSupported(`JWE "zip" (Compression Algorithm) Header Parameter requires the ${name} API.`);
+  }
+}
+async function compress(input) {
+  supported("CompressionStream");
+  const cs = new CompressionStream("deflate-raw");
+  const writer = cs.writable.getWriter();
+  writer.write(input).catch(() => {});
+  writer.close().catch(() => {});
+  const chunks = [];
+  const reader = cs.readable.getReader();
+  for (;; ) {
+    const { value, done } = await reader.read();
+    if (done)
       break;
-    default:
-      asymmetricTypeCheck(alg, key, usage);
+    chunks.push(value);
+  }
+  return concat(...chunks);
+}
+async function decompress(input, maxLength) {
+  supported("DecompressionStream");
+  const ds = new DecompressionStream("deflate-raw");
+  const writer = ds.writable.getWriter();
+  writer.write(input).catch(() => {});
+  writer.close().catch(() => {});
+  const chunks = [];
+  let length = 0;
+  const reader = ds.readable.getReader();
+  for (;; ) {
+    const { value, done } = await reader.read();
+    if (done)
+      break;
+    chunks.push(value);
+    length += value.byteLength;
+    if (maxLength !== Infinity && length > maxLength) {
+      throw new JWEInvalid("Decompressed plaintext exceeded the configured limit");
+    }
   }
+  return concat(...chunks);
 }
+var init_deflate = __esm(() => {
+  init_errors();
+  init_buffer_utils();
+});
 
-// node_modules/jose/dist/webapi/jws/flattened/verify.js
-async function flattenedVerify(jws, key, options) {
-  if (!isObject(jws)) {
-    throw new JWSInvalid("Flattened JWS must be an object");
+// node_modules/jose/dist/webapi/jwe/flattened/decrypt.js
+async function flattenedDecrypt(jwe, key, options) {
+  if (!isObject(jwe)) {
+    throw new JWEInvalid("Flattened JWE must be an object");
   }
-  if (jws.protected === undefined && jws.header === undefined) {
-    throw new JWSInvalid('Flattened JWS must have either of the "protected" or "header" members');
+  if (jwe.protected === undefined && jwe.header === undefined && jwe.unprotected === undefined) {
+    throw new JWEInvalid("JOSE Header missing");
   }
-  if (jws.protected !== undefined && typeof jws.protected !== "string") {
-    throw new JWSInvalid("JWS Protected Header incorrect type");
+  if (jwe.iv !== undefined && typeof jwe.iv !== "string") {
+    throw new JWEInvalid("JWE Initialization Vector incorrect type");
   }
-  if (jws.payload === undefined) {
-    throw new JWSInvalid("JWS Payload missing");
+  if (typeof jwe.ciphertext !== "string") {
+    throw new JWEInvalid("JWE Ciphertext missing or incorrect type");
   }
-  if (typeof jws.signature !== "string") {
-    throw new JWSInvalid("JWS Signature missing or incorrect type");
+  if (jwe.tag !== undefined && typeof jwe.tag !== "string") {
+    throw new JWEInvalid("JWE Authentication Tag incorrect type");
   }
-  if (jws.header !== undefined && !isObject(jws.header)) {
-    throw new JWSInvalid("JWS Unprotected Header incorrect type");
+  if (jwe.protected !== undefined && typeof jwe.protected !== "string") {
+    throw new JWEInvalid("JWE Protected Header incorrect type");
   }
-  let parsedProt = {};
-  if (jws.protected) {
+  if (jwe.encrypted_key !== undefined && typeof jwe.encrypted_key !== "string") {
+    throw new JWEInvalid("JWE Encrypted Key incorrect type");
+  }
+  if (jwe.aad !== undefined && typeof jwe.aad !== "string") {
+    throw new JWEInvalid("JWE AAD incorrect type");
+  }
+  if (jwe.header !== undefined && !isObject(jwe.header)) {
+    throw new JWEInvalid("JWE Shared Unprotected Header incorrect type");
+  }
+  if (jwe.unprotected !== undefined && !isObject(jwe.unprotected)) {
+    throw new JWEInvalid("JWE Per-Recipient Unprotected Header incorrect type");
+  }
+  let parsedProt;
+  if (jwe.protected) {
     try {
-      const protectedHeader = decode(jws.protected);
-      parsedProt = JSON.parse(decoder.decode(protectedHeader));
+      const protectedHeader2 = decode(jwe.protected);
+      parsedProt = JSON.parse(decoder.decode(protectedHeader2));
     } catch {
-      throw new JWSInvalid("JWS Protected Header is invalid");
+      throw new JWEInvalid("JWE Protected Header is invalid");
     }
   }
-  if (!isDisjoint(parsedProt, jws.header)) {
-    throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+  if (!isDisjoint(parsedProt, jwe.header, jwe.unprotected)) {
+    throw new JWEInvalid("JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint");
   }
   const joseHeader = {
     ...parsedProt,
-    ...jws.header
+    ...jwe.header,
+    ...jwe.unprotected
   };
-  const extensions = validateCrit(JWSInvalid, new Map([["b64", true]]), options?.crit, parsedProt, joseHeader);
-  let b64 = true;
-  if (extensions.has("b64")) {
-    b64 = parsedProt.b64;
-    if (typeof b64 !== "boolean") {
-      throw new JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
-    }
+  validateCrit(JWEInvalid, new Map, options?.crit, parsedProt, joseHeader);
+  if (joseHeader.zip !== undefined && joseHeader.zip !== "DEF") {
+    throw new JOSENotSupported('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value.');
   }
-  const { alg } = joseHeader;
+  if (joseHeader.zip !== undefined && !parsedProt?.zip) {
+    throw new JWEInvalid('JWE "zip" (Compression Algorithm) Header Parameter MUST be in a protected header.');
+  }
+  const { alg, enc } = joseHeader;
   if (typeof alg !== "string" || !alg) {
-    throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+    throw new JWEInvalid("missing JWE Algorithm (alg) in JWE Header");
   }
-  const algorithms = options && validateAlgorithms("algorithms", options.algorithms);
-  if (algorithms && !algorithms.has(alg)) {
+  if (typeof enc !== "string" || !enc) {
+    throw new JWEInvalid("missing JWE Encryption Algorithm (enc) in JWE Header");
+  }
+  const keyManagementAlgorithms = options && validateAlgorithms("keyManagementAlgorithms", options.keyManagementAlgorithms);
+  const contentEncryptionAlgorithms = options && validateAlgorithms("contentEncryptionAlgorithms", options.contentEncryptionAlgorithms);
+  if (keyManagementAlgorithms && !keyManagementAlgorithms.has(alg) || !keyManagementAlgorithms && alg.startsWith("PBES2")) {
     throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
   }
-  if (b64) {
-    if (typeof jws.payload !== "string") {
-      throw new JWSInvalid("JWS Payload must be a string");
-    }
-  } else if (typeof jws.payload !== "string" && !(jws.payload instanceof Uint8Array)) {
-    throw new JWSInvalid("JWS Payload must be a string or an Uint8Array instance");
+  if (contentEncryptionAlgorithms && !contentEncryptionAlgorithms.has(enc)) {
+    throw new JOSEAlgNotAllowed('"enc" (Encryption Algorithm) Header Parameter value not allowed');
+  }
+  let encryptedKey;
+  if (jwe.encrypted_key !== undefined) {
+    encryptedKey = decodeBase64url(jwe.encrypted_key, "encrypted_key", JWEInvalid);
   }
   let resolvedKey = false;
   if (typeof key === "function") {
-    key = await key(parsedProt, jws);
+    key = await key(parsedProt, jwe);
     resolvedKey = true;
   }
-  checkKeyType(alg, key, "verify");
-  const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array, encode("."), typeof jws.payload === "string" ? b64 ? encode(jws.payload) : encoder.encode(jws.payload) : jws.payload);
-  const signature = decodeBase64url(jws.signature, "signature", JWSInvalid);
+  checkKeyType(alg === "dir" ? enc : alg, key, "decrypt");
   const k = await normalizeKey(key, alg);
-  const verified = await verify(alg, k, signature, data);
-  if (!verified) {
-    throw new JWSSignatureVerificationFailed;
+  let cek;
+  try {
+    cek = await decryptKeyManagement(alg, k, encryptedKey, joseHeader, options);
+  } catch (err) {
+    if (err instanceof TypeError || err instanceof JWEInvalid || err instanceof JOSENotSupported) {
+      throw err;
+    }
+    cek = generateCek(enc);
   }
-  let payload;
-  if (b64) {
-    payload = decodeBase64url(jws.payload, "payload", JWSInvalid);
-  } else if (typeof jws.payload === "string") {
+  let iv;
+  let tag2;
+  if (jwe.iv !== undefined) {
+    iv = decodeBase64url(jwe.iv, "iv", JWEInvalid);
+  }
+  if (jwe.tag !== undefined) {
+    tag2 = decodeBase64url(jwe.tag, "tag", JWEInvalid);
+  }
+  const protectedHeader = jwe.protected !== undefined ? encode(jwe.protected) : new Uint8Array;
+  let additionalData;
+  if (jwe.aad !== undefined) {
+    additionalData = concat(protectedHeader, encode("."), encode(jwe.aad));
+  } else {
+    additionalData = protectedHeader;
+  }
+  const ciphertext = decodeBase64url(jwe.ciphertext, "ciphertext", JWEInvalid);
+  const plaintext = await decrypt(enc, cek, ciphertext, iv, tag2, additionalData);
+  const result = { plaintext };
+  if (joseHeader.zip === "DEF") {
+    const maxDecompressedLength = options?.maxDecompressedLength ?? 250000;
+    if (maxDecompressedLength === 0) {
+      throw new JOSENotSupported('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');
+    }
+    if (maxDecompressedLength !== Infinity && (!Number.isSafeInteger(maxDecompressedLength) || maxDecompressedLength < 1)) {
+      throw new TypeError("maxDecompressedLength must be 0, a positive safe integer, or Infinity");
+    }
+    result.plaintext = await decompress(plaintext, maxDecompressedLength).catch((cause) => {
+      if (cause instanceof JWEInvalid)
+        throw cause;
+      throw new JWEInvalid("Failed to decompress plaintext", { cause });
+    });
+  }
+  if (jwe.protected !== undefined) {
+    result.protectedHeader = parsedProt;
+  }
+  if (jwe.aad !== undefined) {
+    result.additionalAuthenticatedData = decodeBase64url(jwe.aad, "aad", JWEInvalid);
+  }
+  if (jwe.unprotected !== undefined) {
+    result.sharedUnprotectedHeader = jwe.unprotected;
+  }
+  if (jwe.header !== undefined) {
+    result.unprotectedHeader = jwe.header;
+  }
+  if (resolvedKey) {
+    return { ...result, key: k };
+  }
+  return result;
+}
+var init_decrypt = __esm(() => {
+  init_base64url();
+  init_content_encryption();
+  init_helpers();
+  init_errors();
+  init_key_management();
+  init_buffer_utils();
+  init_content_encryption();
+  init_validate_crit();
+  init_normalize_key();
+  init_check_key_type();
+  init_deflate();
+});
+
+// node_modules/jose/dist/webapi/jwe/compact/decrypt.js
+async function compactDecrypt(jwe, key, options) {
+  if (jwe instanceof Uint8Array) {
+    jwe = decoder.decode(jwe);
+  }
+  if (typeof jwe !== "string") {
+    throw new JWEInvalid("Compact JWE must be a string or Uint8Array");
+  }
+  const { 0: protectedHeader, 1: encryptedKey, 2: iv, 3: ciphertext, 4: tag2, length } = jwe.split(".");
+  if (length !== 5) {
+    throw new JWEInvalid("Invalid Compact JWE");
+  }
+  const decrypted = await flattenedDecrypt({
+    ciphertext,
+    iv: iv || undefined,
+    protected: protectedHeader,
+    tag: tag2 || undefined,
+    encrypted_key: encryptedKey || undefined
+  }, key, options);
+  const result = { plaintext: decrypted.plaintext, protectedHeader: decrypted.protectedHeader };
+  if (typeof key === "function") {
+    return { ...result, key: decrypted.key };
+  }
+  return result;
+}
+var init_decrypt2 = __esm(() => {
+  init_decrypt();
+  init_errors();
+  init_buffer_utils();
+});
+
+// node_modules/jose/dist/webapi/jwe/general/decrypt.js
+async function generalDecrypt(jwe, key, options) {
+  if (!isObject(jwe)) {
+    throw new JWEInvalid("General JWE must be an object");
+  }
+  if (!Array.isArray(jwe.recipients) || !jwe.recipients.every(isObject)) {
+    throw new JWEInvalid("JWE Recipients missing or incorrect type");
+  }
+  if (!jwe.recipients.length) {
+    throw new JWEInvalid("JWE Recipients has no members");
+  }
+  for (const recipient of jwe.recipients) {
+    try {
+      return await flattenedDecrypt({
+        aad: jwe.aad,
+        ciphertext: jwe.ciphertext,
+        encrypted_key: recipient.encrypted_key,
+        header: recipient.header,
+        iv: jwe.iv,
+        protected: jwe.protected,
+        tag: jwe.tag,
+        unprotected: jwe.unprotected
+      }, key, options);
+    } catch {}
+  }
+  throw new JWEDecryptionFailed;
+}
+var init_decrypt3 = __esm(() => {
+  init_decrypt();
+  init_errors();
+});
+
+// node_modules/jose/dist/webapi/jwe/flattened/encrypt.js
+class FlattenedEncrypt {
+  #plaintext;
+  #protectedHeader;
+  #sharedUnprotectedHeader;
+  #unprotectedHeader;
+  #aad;
+  #cek;
+  #iv;
+  #keyManagementParameters;
+  constructor(plaintext) {
+    if (!(plaintext instanceof Uint8Array)) {
+      throw new TypeError("plaintext must be an instance of Uint8Array");
+    }
+    this.#plaintext = plaintext;
+  }
+  setKeyManagementParameters(parameters) {
+    assertNotSet(this.#keyManagementParameters, "setKeyManagementParameters");
+    this.#keyManagementParameters = parameters;
+    return this;
+  }
+  setProtectedHeader(protectedHeader) {
+    assertNotSet(this.#protectedHeader, "setProtectedHeader");
+    this.#protectedHeader = protectedHeader;
+    return this;
+  }
+  setSharedUnprotectedHeader(sharedUnprotectedHeader) {
+    assertNotSet(this.#sharedUnprotectedHeader, "setSharedUnprotectedHeader");
+    this.#sharedUnprotectedHeader = sharedUnprotectedHeader;
+    return this;
+  }
+  setUnprotectedHeader(unprotectedHeader) {
+    assertNotSet(this.#unprotectedHeader, "setUnprotectedHeader");
+    this.#unprotectedHeader = unprotectedHeader;
+    return this;
+  }
+  setAdditionalAuthenticatedData(aad) {
+    this.#aad = aad;
+    return this;
+  }
+  setContentEncryptionKey(cek) {
+    assertNotSet(this.#cek, "setContentEncryptionKey");
+    this.#cek = cek;
+    return this;
+  }
+  setInitializationVector(iv) {
+    assertNotSet(this.#iv, "setInitializationVector");
+    this.#iv = iv;
+    return this;
+  }
+  async encrypt(key, options) {
+    if (!this.#protectedHeader && !this.#unprotectedHeader && !this.#sharedUnprotectedHeader) {
+      throw new JWEInvalid("either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()");
+    }
+    if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader, this.#sharedUnprotectedHeader)) {
+      throw new JWEInvalid("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");
+    }
+    const joseHeader = {
+      ...this.#protectedHeader,
+      ...this.#unprotectedHeader,
+      ...this.#sharedUnprotectedHeader
+    };
+    validateCrit(JWEInvalid, new Map, options?.crit, this.#protectedHeader, joseHeader);
+    if (joseHeader.zip !== undefined && joseHeader.zip !== "DEF") {
+      throw new JOSENotSupported('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value.');
+    }
+    if (joseHeader.zip !== undefined && !this.#protectedHeader?.zip) {
+      throw new JWEInvalid('JWE "zip" (Compression Algorithm) Header Parameter MUST be in a protected header.');
+    }
+    const { alg, enc } = joseHeader;
+    if (typeof alg !== "string" || !alg) {
+      throw new JWEInvalid('JWE "alg" (Algorithm) Header Parameter missing or invalid');
+    }
+    if (typeof enc !== "string" || !enc) {
+      throw new JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');
+    }
+    let encryptedKey;
+    if (this.#cek && (alg === "dir" || alg === "ECDH-ES")) {
+      throw new TypeError(`setContentEncryptionKey cannot be called with JWE "alg" (Algorithm) Header ${alg}`);
+    }
+    checkKeyType(alg === "dir" ? enc : alg, key, "encrypt");
+    let cek;
+    {
+      let parameters;
+      const k = await normalizeKey(key, alg);
+      ({ cek, encryptedKey, parameters } = await encryptKeyManagement(alg, enc, k, this.#cek, this.#keyManagementParameters));
+      if (parameters) {
+        if (options && unprotected in options) {
+          if (!this.#unprotectedHeader) {
+            this.setUnprotectedHeader(parameters);
+          } else {
+            this.#unprotectedHeader = { ...this.#unprotectedHeader, ...parameters };
+          }
+        } else if (!this.#protectedHeader) {
+          this.setProtectedHeader(parameters);
+        } else {
+          this.#protectedHeader = { ...this.#protectedHeader, ...parameters };
+        }
+      }
+    }
+    let additionalData;
+    let protectedHeaderS;
+    let protectedHeaderB;
+    let aadMember;
+    if (this.#protectedHeader) {
+      protectedHeaderS = encode2(JSON.stringify(this.#protectedHeader));
+      protectedHeaderB = encode(protectedHeaderS);
+    } else {
+      protectedHeaderS = "";
+      protectedHeaderB = new Uint8Array;
+    }
+    if (this.#aad) {
+      aadMember = encode2(this.#aad);
+      const aadMemberBytes = encode(aadMember);
+      additionalData = concat(protectedHeaderB, encode("."), aadMemberBytes);
+    } else {
+      additionalData = protectedHeaderB;
+    }
+    let plaintext = this.#plaintext;
+    if (joseHeader.zip === "DEF") {
+      plaintext = await compress(plaintext).catch((cause) => {
+        throw new JWEInvalid("Failed to compress plaintext", { cause });
+      });
+    }
+    const { ciphertext, tag: tag2, iv } = await encrypt(enc, plaintext, cek, this.#iv, additionalData);
+    const jwe = {
+      ciphertext: encode2(ciphertext)
+    };
+    if (iv) {
+      jwe.iv = encode2(iv);
+    }
+    if (tag2) {
+      jwe.tag = encode2(tag2);
+    }
+    if (encryptedKey) {
+      jwe.encrypted_key = encode2(encryptedKey);
+    }
+    if (aadMember) {
+      jwe.aad = aadMember;
+    }
+    if (this.#protectedHeader) {
+      jwe.protected = protectedHeaderS;
+    }
+    if (this.#sharedUnprotectedHeader) {
+      jwe.unprotected = this.#sharedUnprotectedHeader;
+    }
+    if (this.#unprotectedHeader) {
+      jwe.header = this.#unprotectedHeader;
+    }
+    return jwe;
+  }
+}
+var init_encrypt = __esm(() => {
+  init_base64url();
+  init_helpers();
+  init_content_encryption();
+  init_key_management();
+  init_errors();
+  init_buffer_utils();
+  init_validate_crit();
+  init_normalize_key();
+  init_check_key_type();
+  init_deflate();
+});
+
+// node_modules/jose/dist/webapi/jwe/general/encrypt.js
+class IndividualRecipient {
+  #parent;
+  unprotectedHeader;
+  keyManagementParameters;
+  key;
+  options;
+  constructor(enc, key, options) {
+    this.#parent = enc;
+    this.key = key;
+    this.options = options;
+  }
+  setUnprotectedHeader(unprotectedHeader) {
+    assertNotSet(this.unprotectedHeader, "setUnprotectedHeader");
+    this.unprotectedHeader = unprotectedHeader;
+    return this;
+  }
+  setKeyManagementParameters(parameters) {
+    assertNotSet(this.keyManagementParameters, "setKeyManagementParameters");
+    this.keyManagementParameters = parameters;
+    return this;
+  }
+  addRecipient(...args) {
+    return this.#parent.addRecipient(...args);
+  }
+  encrypt(...args) {
+    return this.#parent.encrypt(...args);
+  }
+  done() {
+    return this.#parent;
+  }
+}
+
+class GeneralEncrypt {
+  #plaintext;
+  #recipients = [];
+  #protectedHeader;
+  #unprotectedHeader;
+  #aad;
+  constructor(plaintext) {
+    this.#plaintext = plaintext;
+  }
+  addRecipient(key, options) {
+    const recipient = new IndividualRecipient(this, key, { crit: options?.crit });
+    this.#recipients.push(recipient);
+    return recipient;
+  }
+  setProtectedHeader(protectedHeader) {
+    assertNotSet(this.#protectedHeader, "setProtectedHeader");
+    this.#protectedHeader = protectedHeader;
+    return this;
+  }
+  setSharedUnprotectedHeader(sharedUnprotectedHeader) {
+    assertNotSet(this.#unprotectedHeader, "setSharedUnprotectedHeader");
+    this.#unprotectedHeader = sharedUnprotectedHeader;
+    return this;
+  }
+  setAdditionalAuthenticatedData(aad) {
+    this.#aad = aad;
+    return this;
+  }
+  async encrypt() {
+    if (!this.#recipients.length) {
+      throw new JWEInvalid("at least one recipient must be added");
+    }
+    if (this.#recipients.length === 1) {
+      const [recipient] = this.#recipients;
+      const flattened = await new FlattenedEncrypt(this.#plaintext).setAdditionalAuthenticatedData(this.#aad).setProtectedHeader(this.#protectedHeader).setSharedUnprotectedHeader(this.#unprotectedHeader).setUnprotectedHeader(recipient.unprotectedHeader).encrypt(recipient.key, { ...recipient.options });
+      const jwe2 = {
+        ciphertext: flattened.ciphertext,
+        iv: flattened.iv,
+        recipients: [{}],
+        tag: flattened.tag
+      };
+      if (flattened.aad)
+        jwe2.aad = flattened.aad;
+      if (flattened.protected)
+        jwe2.protected = flattened.protected;
+      if (flattened.unprotected)
+        jwe2.unprotected = flattened.unprotected;
+      if (flattened.encrypted_key)
+        jwe2.recipients[0].encrypted_key = flattened.encrypted_key;
+      if (flattened.header)
+        jwe2.recipients[0].header = flattened.header;
+      return jwe2;
+    }
+    let enc;
+    for (let i = 0;i < this.#recipients.length; i++) {
+      const recipient = this.#recipients[i];
+      if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader, recipient.unprotectedHeader)) {
+        throw new JWEInvalid("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");
+      }
+      const joseHeader = {
+        ...this.#protectedHeader,
+        ...this.#unprotectedHeader,
+        ...recipient.unprotectedHeader
+      };
+      const { alg } = joseHeader;
+      if (typeof alg !== "string" || !alg) {
+        throw new JWEInvalid('JWE "alg" (Algorithm) Header Parameter missing or invalid');
+      }
+      if (alg === "dir" || alg === "ECDH-ES") {
+        throw new JWEInvalid('"dir" and "ECDH-ES" alg may only be used with a single recipient');
+      }
+      if (typeof joseHeader.enc !== "string" || !joseHeader.enc) {
+        throw new JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');
+      }
+      if (!enc) {
+        enc = joseHeader.enc;
+      } else if (enc !== joseHeader.enc) {
+        throw new JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter must be the same for all recipients');
+      }
+      validateCrit(JWEInvalid, new Map, recipient.options.crit, this.#protectedHeader, joseHeader);
+      if (joseHeader.zip !== undefined && joseHeader.zip !== "DEF") {
+        throw new JOSENotSupported('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value.');
+      }
+      if (joseHeader.zip !== undefined && !this.#protectedHeader?.zip) {
+        throw new JWEInvalid('JWE "zip" (Compression Algorithm) Header Parameter MUST be in a protected header.');
+      }
+    }
+    const cek = generateCek(enc);
+    const jwe = {
+      ciphertext: "",
+      recipients: []
+    };
+    for (let i = 0;i < this.#recipients.length; i++) {
+      const recipient = this.#recipients[i];
+      const target = {};
+      jwe.recipients.push(target);
+      if (i === 0) {
+        const flattened = await new FlattenedEncrypt(this.#plaintext).setAdditionalAuthenticatedData(this.#aad).setContentEncryptionKey(cek).setProtectedHeader(this.#protectedHeader).setSharedUnprotectedHeader(this.#unprotectedHeader).setUnprotectedHeader(recipient.unprotectedHeader).setKeyManagementParameters(recipient.keyManagementParameters).encrypt(recipient.key, {
+          ...recipient.options,
+          [unprotected]: true
+        });
+        jwe.ciphertext = flattened.ciphertext;
+        jwe.iv = flattened.iv;
+        jwe.tag = flattened.tag;
+        if (flattened.aad)
+          jwe.aad = flattened.aad;
+        if (flattened.protected)
+          jwe.protected = flattened.protected;
+        if (flattened.unprotected)
+          jwe.unprotected = flattened.unprotected;
+        target.encrypted_key = flattened.encrypted_key;
+        if (flattened.header)
+          target.header = flattened.header;
+        continue;
+      }
+      const alg = recipient.unprotectedHeader?.alg || this.#protectedHeader?.alg || this.#unprotectedHeader?.alg;
+      checkKeyType(alg === "dir" ? enc : alg, recipient.key, "encrypt");
+      const k = await normalizeKey(recipient.key, alg);
+      const { encryptedKey, parameters } = await encryptKeyManagement(alg, enc, k, cek, recipient.keyManagementParameters);
+      target.encrypted_key = encode2(encryptedKey);
+      if (recipient.unprotectedHeader || parameters)
+        target.header = { ...recipient.unprotectedHeader, ...parameters };
+    }
+    return jwe;
+  }
+}
+var init_encrypt2 = __esm(() => {
+  init_encrypt();
+  init_helpers();
+  init_errors();
+  init_content_encryption();
+  init_key_management();
+  init_base64url();
+  init_validate_crit();
+  init_normalize_key();
+  init_check_key_type();
+});
+
+// node_modules/jose/dist/webapi/jws/flattened/verify.js
+async function flattenedVerify(jws, key, options) {
+  if (!isObject(jws)) {
+    throw new JWSInvalid("Flattened JWS must be an object");
+  }
+  if (jws.protected === undefined && jws.header === undefined) {
+    throw new JWSInvalid('Flattened JWS must have either of the "protected" or "header" members');
+  }
+  if (jws.protected !== undefined && typeof jws.protected !== "string") {
+    throw new JWSInvalid("JWS Protected Header incorrect type");
+  }
+  if (jws.payload === undefined) {
+    throw new JWSInvalid("JWS Payload missing");
+  }
+  if (typeof jws.signature !== "string") {
+    throw new JWSInvalid("JWS Signature missing or incorrect type");
+  }
+  if (jws.header !== undefined && !isObject(jws.header)) {
+    throw new JWSInvalid("JWS Unprotected Header incorrect type");
+  }
+  let parsedProt = {};
+  if (jws.protected) {
+    try {
+      const protectedHeader = decode(jws.protected);
+      parsedProt = JSON.parse(decoder.decode(protectedHeader));
+    } catch {
+      throw new JWSInvalid("JWS Protected Header is invalid");
+    }
+  }
+  if (!isDisjoint(parsedProt, jws.header)) {
+    throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+  }
+  const joseHeader = {
+    ...parsedProt,
+    ...jws.header
+  };
+  const extensions = validateCrit(JWSInvalid, new Map([["b64", true]]), options?.crit, parsedProt, joseHeader);
+  let b64 = true;
+  if (extensions.has("b64")) {
+    b64 = parsedProt.b64;
+    if (typeof b64 !== "boolean") {
+      throw new JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+    }
+  }
+  const { alg } = joseHeader;
+  if (typeof alg !== "string" || !alg) {
+    throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+  }
+  const algorithms = options && validateAlgorithms("algorithms", options.algorithms);
+  if (algorithms && !algorithms.has(alg)) {
+    throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
+  }
+  if (b64) {
+    if (typeof jws.payload !== "string") {
+      throw new JWSInvalid("JWS Payload must be a string");
+    }
+  } else if (typeof jws.payload !== "string" && !(jws.payload instanceof Uint8Array)) {
+    throw new JWSInvalid("JWS Payload must be a string or an Uint8Array instance");
+  }
+  let resolvedKey = false;
+  if (typeof key === "function") {
+    key = await key(parsedProt, jws);
+    resolvedKey = true;
+  }
+  checkKeyType(alg, key, "verify");
+  const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array, encode("."), typeof jws.payload === "string" ? b64 ? encode(jws.payload) : encoder.encode(jws.payload) : jws.payload);
+  const signature = decodeBase64url(jws.signature, "signature", JWSInvalid);
+  const k = await normalizeKey(key, alg);
+  const verified = await verify(alg, k, signature, data);
+  if (!verified) {
+    throw new JWSSignatureVerificationFailed;
+  }
+  let payload;
+  if (b64) {
+    payload = decodeBase64url(jws.payload, "payload", JWSInvalid);
+  } else if (typeof jws.payload === "string") {
     payload = encoder.encode(jws.payload);
   } else {
     payload = jws.payload;
@@ -910,6 +2580,16 @@ async function flattenedVerify(jws, key, options) {
   }
   return result;
 }
+var init_verify = __esm(() => {
+  init_base64url();
+  init_signing();
+  init_errors();
+  init_buffer_utils();
+  init_helpers();
+  init_check_key_type();
+  init_validate_crit();
+  init_normalize_key();
+});
 
 // node_modules/jose/dist/webapi/jws/compact/verify.js
 async function compactVerify(jws, key, options) {
@@ -930,15 +2610,38 @@ async function compactVerify(jws, key, options) {
   }
   return result;
 }
+var init_verify2 = __esm(() => {
+  init_verify();
+  init_errors();
+  init_buffer_utils();
+});
+
+// node_modules/jose/dist/webapi/jws/general/verify.js
+async function generalVerify(jws, key, options) {
+  if (!isObject(jws)) {
+    throw new JWSInvalid("General JWS must be an object");
+  }
+  if (!Array.isArray(jws.signatures) || !jws.signatures.every(isObject)) {
+    throw new JWSInvalid("JWS Signatures missing or incorrect type");
+  }
+  for (const signature of jws.signatures) {
+    try {
+      return await flattenedVerify({
+        header: signature.header,
+        payload: jws.payload,
+        protected: signature.protected,
+        signature: signature.signature
+      }, key, options);
+    } catch {}
+  }
+  throw new JWSSignatureVerificationFailed;
+}
+var init_verify3 = __esm(() => {
+  init_verify();
+  init_errors();
+});
 
 // node_modules/jose/dist/webapi/lib/jwt_claims_set.js
-var epoch = (date) => Math.floor(date.getTime() / 1000);
-var minute = 60;
-var hour = minute * 60;
-var day = hour * 24;
-var week = day * 7;
-var year = day * 365.25;
-var REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
 function secs(str) {
   const matched = REGEX.exec(str);
   if (!matched || matched[4] && matched[1]) {
@@ -994,21 +2697,6 @@ function validateInput(label, input) {
   }
   return input;
 }
-var normalizeTyp = (value) => {
-  if (value.includes("/")) {
-    return value.toLowerCase();
-  }
-  return `application/${value.toLowerCase()}`;
-};
-var checkAudiencePresence = (audPayload, audOption) => {
-  if (typeof audPayload === "string") {
-    return audOption.includes(audPayload);
-  }
-  if (Array.isArray(audPayload)) {
-    return audOption.some(Set.prototype.has.bind(new Set(audPayload)));
-  }
-  return false;
-};
 function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {
   let payload;
   try {
@@ -1155,126 +2843,831 @@ class JWTClaimsBuilder {
     }
   }
 }
+var epoch = (date) => Math.floor(date.getTime() / 1000), minute = 60, hour, day, week, year, REGEX, normalizeTyp = (value) => {
+  if (value.includes("/")) {
+    return value.toLowerCase();
+  }
+  return `application/${value.toLowerCase()}`;
+}, checkAudiencePresence = (audPayload, audOption) => {
+  if (typeof audPayload === "string") {
+    return audOption.includes(audPayload);
+  }
+  if (Array.isArray(audPayload)) {
+    return audOption.some(Set.prototype.has.bind(new Set(audPayload)));
+  }
+  return false;
+};
+var init_jwt_claims_set = __esm(() => {
+  init_errors();
+  init_buffer_utils();
+  hour = minute * 60;
+  day = hour * 24;
+  week = day * 7;
+  year = day * 365.25;
+  REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
+});
+
+// node_modules/jose/dist/webapi/jwt/verify.js
+async function jwtVerify(jwt, key, options) {
+  const verified = await compactVerify(jwt, key, options);
+  if (verified.protectedHeader.crit?.includes("b64") && verified.protectedHeader.b64 === false) {
+    throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
+  }
+  const payload = validateClaimsSet(verified.protectedHeader, verified.payload, options);
+  const result = { payload, protectedHeader: verified.protectedHeader };
+  if (typeof key === "function") {
+    return { ...result, key: verified.key };
+  }
+  return result;
+}
+var init_verify4 = __esm(() => {
+  init_verify2();
+  init_jwt_claims_set();
+  init_errors();
+});
+
+// node_modules/jose/dist/webapi/jwt/decrypt.js
+async function jwtDecrypt(jwt, key, options) {
+  const decrypted = await compactDecrypt(jwt, key, options);
+  const payload = validateClaimsSet(decrypted.protectedHeader, decrypted.plaintext, options);
+  const { protectedHeader } = decrypted;
+  if (protectedHeader.iss !== undefined && protectedHeader.iss !== payload.iss) {
+    throw new JWTClaimValidationFailed('replicated "iss" claim header parameter mismatch', payload, "iss", "mismatch");
+  }
+  if (protectedHeader.sub !== undefined && protectedHeader.sub !== payload.sub) {
+    throw new JWTClaimValidationFailed('replicated "sub" claim header parameter mismatch', payload, "sub", "mismatch");
+  }
+  if (protectedHeader.aud !== undefined && JSON.stringify(protectedHeader.aud) !== JSON.stringify(payload.aud)) {
+    throw new JWTClaimValidationFailed('replicated "aud" claim header parameter mismatch', payload, "aud", "mismatch");
+  }
+  const result = { payload, protectedHeader };
+  if (typeof key === "function") {
+    return { ...result, key: decrypted.key };
+  }
+  return result;
+}
+var init_decrypt4 = __esm(() => {
+  init_decrypt2();
+  init_jwt_claims_set();
+  init_errors();
+});
+
+// node_modules/jose/dist/webapi/jwe/compact/encrypt.js
+class CompactEncrypt {
+  #flattened;
+  constructor(plaintext) {
+    this.#flattened = new FlattenedEncrypt(plaintext);
+  }
+  setContentEncryptionKey(cek) {
+    this.#flattened.setContentEncryptionKey(cek);
+    return this;
+  }
+  setInitializationVector(iv) {
+    this.#flattened.setInitializationVector(iv);
+    return this;
+  }
+  setProtectedHeader(protectedHeader) {
+    this.#flattened.setProtectedHeader(protectedHeader);
+    return this;
+  }
+  setKeyManagementParameters(parameters) {
+    this.#flattened.setKeyManagementParameters(parameters);
+    return this;
+  }
+  async encrypt(key, options) {
+    const jwe = await this.#flattened.encrypt(key, options);
+    return [jwe.protected, jwe.encrypted_key, jwe.iv, jwe.ciphertext, jwe.tag].join(".");
+  }
+}
+var init_encrypt3 = __esm(() => {
+  init_encrypt();
+});
+
+// node_modules/jose/dist/webapi/jws/flattened/sign.js
+class FlattenedSign {
+  #payload;
+  #protectedHeader;
+  #unprotectedHeader;
+  constructor(payload) {
+    if (!(payload instanceof Uint8Array)) {
+      throw new TypeError("payload must be an instance of Uint8Array");
+    }
+    this.#payload = payload;
+  }
+  setProtectedHeader(protectedHeader) {
+    assertNotSet(this.#protectedHeader, "setProtectedHeader");
+    this.#protectedHeader = protectedHeader;
+    return this;
+  }
+  setUnprotectedHeader(unprotectedHeader) {
+    assertNotSet(this.#unprotectedHeader, "setUnprotectedHeader");
+    this.#unprotectedHeader = unprotectedHeader;
+    return this;
+  }
+  async sign(key, options) {
+    if (!this.#protectedHeader && !this.#unprotectedHeader) {
+      throw new JWSInvalid("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");
+    }
+    if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) {
+      throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+    }
+    const joseHeader = {
+      ...this.#protectedHeader,
+      ...this.#unprotectedHeader
+    };
+    const extensions = validateCrit(JWSInvalid, new Map([["b64", true]]), options?.crit, this.#protectedHeader, joseHeader);
+    let b64 = true;
+    if (extensions.has("b64")) {
+      b64 = this.#protectedHeader.b64;
+      if (typeof b64 !== "boolean") {
+        throw new JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+      }
+    }
+    const { alg } = joseHeader;
+    if (typeof alg !== "string" || !alg) {
+      throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+    }
+    checkKeyType(alg, key, "sign");
+    let payloadS;
+    let payloadB;
+    if (b64) {
+      payloadS = encode2(this.#payload);
+      payloadB = encode(payloadS);
+    } else {
+      payloadB = this.#payload;
+      payloadS = "";
+    }
+    let protectedHeaderString;
+    let protectedHeaderBytes;
+    if (this.#protectedHeader) {
+      protectedHeaderString = encode2(JSON.stringify(this.#protectedHeader));
+      protectedHeaderBytes = encode(protectedHeaderString);
+    } else {
+      protectedHeaderString = "";
+      protectedHeaderBytes = new Uint8Array;
+    }
+    const data = concat(protectedHeaderBytes, encode("."), payloadB);
+    const k = await normalizeKey(key, alg);
+    const signature = await sign(alg, k, data);
+    const jws = {
+      signature: encode2(signature),
+      payload: payloadS
+    };
+    if (this.#unprotectedHeader) {
+      jws.header = this.#unprotectedHeader;
+    }
+    if (this.#protectedHeader) {
+      jws.protected = protectedHeaderString;
+    }
+    return jws;
+  }
+}
+var init_sign = __esm(() => {
+  init_base64url();
+  init_signing();
+  init_errors();
+  init_buffer_utils();
+  init_check_key_type();
+  init_validate_crit();
+  init_normalize_key();
+  init_helpers();
+});
+
+// node_modules/jose/dist/webapi/jws/compact/sign.js
+class CompactSign {
+  #flattened;
+  constructor(payload) {
+    this.#flattened = new FlattenedSign(payload);
+  }
+  setProtectedHeader(protectedHeader) {
+    this.#flattened.setProtectedHeader(protectedHeader);
+    return this;
+  }
+  async sign(key, options) {
+    const jws = await this.#flattened.sign(key, options);
+    if (jws.payload === undefined) {
+      throw new TypeError("use the flattened module for creating JWS with b64: false");
+    }
+    return `${jws.protected}.${jws.payload}.${jws.signature}`;
+  }
+}
+var init_sign2 = __esm(() => {
+  init_sign();
+});
+
+// node_modules/jose/dist/webapi/jws/general/sign.js
+class IndividualSignature {
+  #parent;
+  protectedHeader;
+  unprotectedHeader;
+  options;
+  key;
+  constructor(sig, key, options) {
+    this.#parent = sig;
+    this.key = key;
+    this.options = options;
+  }
+  setProtectedHeader(protectedHeader) {
+    assertNotSet(this.protectedHeader, "setProtectedHeader");
+    this.protectedHeader = protectedHeader;
+    return this;
+  }
+  setUnprotectedHeader(unprotectedHeader) {
+    assertNotSet(this.unprotectedHeader, "setUnprotectedHeader");
+    this.unprotectedHeader = unprotectedHeader;
+    return this;
+  }
+  addSignature(...args) {
+    return this.#parent.addSignature(...args);
+  }
+  sign(...args) {
+    return this.#parent.sign(...args);
+  }
+  done() {
+    return this.#parent;
+  }
+}
+
+class GeneralSign {
+  #payload;
+  #signatures = [];
+  constructor(payload) {
+    this.#payload = payload;
+  }
+  addSignature(key, options) {
+    const signature = new IndividualSignature(this, key, options);
+    this.#signatures.push(signature);
+    return signature;
+  }
+  async sign() {
+    if (!this.#signatures.length) {
+      throw new JWSInvalid("at least one signature must be added");
+    }
+    const jws = {
+      signatures: [],
+      payload: ""
+    };
+    for (let i = 0;i < this.#signatures.length; i++) {
+      const signature = this.#signatures[i];
+      const flattened = new FlattenedSign(this.#payload);
+      flattened.setProtectedHeader(signature.protectedHeader);
+      flattened.setUnprotectedHeader(signature.unprotectedHeader);
+      const { payload, ...rest } = await flattened.sign(signature.key, signature.options);
+      if (i === 0) {
+        jws.payload = payload;
+      } else if (jws.payload !== payload) {
+        throw new JWSInvalid("inconsistent use of JWS Unencoded Payload (RFC7797)");
+      }
+      jws.signatures.push(rest);
+    }
+    return jws;
+  }
+}
+var init_sign3 = __esm(() => {
+  init_sign();
+  init_errors();
+  init_helpers();
+});
+
+// node_modules/jose/dist/webapi/jwt/sign.js
+class SignJWT {
+  #protectedHeader;
+  #jwt;
+  constructor(payload = {}) {
+    this.#jwt = new JWTClaimsBuilder(payload);
+  }
+  setIssuer(issuer) {
+    this.#jwt.iss = issuer;
+    return this;
+  }
+  setSubject(subject) {
+    this.#jwt.sub = subject;
+    return this;
+  }
+  setAudience(audience) {
+    this.#jwt.aud = audience;
+    return this;
+  }
+  setJti(jwtId) {
+    this.#jwt.jti = jwtId;
+    return this;
+  }
+  setNotBefore(input) {
+    this.#jwt.nbf = input;
+    return this;
+  }
+  setExpirationTime(input) {
+    this.#jwt.exp = input;
+    return this;
+  }
+  setIssuedAt(input) {
+    this.#jwt.iat = input;
+    return this;
+  }
+  setProtectedHeader(protectedHeader) {
+    this.#protectedHeader = protectedHeader;
+    return this;
+  }
+  async sign(key, options) {
+    const sig = new CompactSign(this.#jwt.data());
+    sig.setProtectedHeader(this.#protectedHeader);
+    if (Array.isArray(this.#protectedHeader?.crit) && this.#protectedHeader.crit.includes("b64") && this.#protectedHeader.b64 === false) {
+      throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
+    }
+    return sig.sign(key, options);
+  }
+}
+var init_sign4 = __esm(() => {
+  init_sign2();
+  init_errors();
+  init_jwt_claims_set();
+});
+
+// node_modules/jose/dist/webapi/jwt/encrypt.js
+class EncryptJWT {
+  #cek;
+  #iv;
+  #keyManagementParameters;
+  #protectedHeader;
+  #replicateIssuerAsHeader;
+  #replicateSubjectAsHeader;
+  #replicateAudienceAsHeader;
+  #jwt;
+  constructor(payload = {}) {
+    this.#jwt = new JWTClaimsBuilder(payload);
+  }
+  setIssuer(issuer) {
+    this.#jwt.iss = issuer;
+    return this;
+  }
+  setSubject(subject) {
+    this.#jwt.sub = subject;
+    return this;
+  }
+  setAudience(audience) {
+    this.#jwt.aud = audience;
+    return this;
+  }
+  setJti(jwtId) {
+    this.#jwt.jti = jwtId;
+    return this;
+  }
+  setNotBefore(input) {
+    this.#jwt.nbf = input;
+    return this;
+  }
+  setExpirationTime(input) {
+    this.#jwt.exp = input;
+    return this;
+  }
+  setIssuedAt(input) {
+    this.#jwt.iat = input;
+    return this;
+  }
+  setProtectedHeader(protectedHeader) {
+    assertNotSet(this.#protectedHeader, "setProtectedHeader");
+    this.#protectedHeader = protectedHeader;
+    return this;
+  }
+  setKeyManagementParameters(parameters) {
+    assertNotSet(this.#keyManagementParameters, "setKeyManagementParameters");
+    this.#keyManagementParameters = parameters;
+    return this;
+  }
+  setContentEncryptionKey(cek) {
+    assertNotSet(this.#cek, "setContentEncryptionKey");
+    this.#cek = cek;
+    return this;
+  }
+  setInitializationVector(iv) {
+    assertNotSet(this.#iv, "setInitializationVector");
+    this.#iv = iv;
+    return this;
+  }
+  replicateIssuerAsHeader() {
+    this.#replicateIssuerAsHeader = true;
+    return this;
+  }
+  replicateSubjectAsHeader() {
+    this.#replicateSubjectAsHeader = true;
+    return this;
+  }
+  replicateAudienceAsHeader() {
+    this.#replicateAudienceAsHeader = true;
+    return this;
+  }
+  async encrypt(key, options) {
+    const enc = new CompactEncrypt(this.#jwt.data());
+    if (this.#protectedHeader && (this.#replicateIssuerAsHeader || this.#replicateSubjectAsHeader || this.#replicateAudienceAsHeader)) {
+      this.#protectedHeader = {
+        ...this.#protectedHeader,
+        iss: this.#replicateIssuerAsHeader ? this.#jwt.iss : undefined,
+        sub: this.#replicateSubjectAsHeader ? this.#jwt.sub : undefined,
+        aud: this.#replicateAudienceAsHeader ? this.#jwt.aud : undefined
+      };
+    }
+    enc.setProtectedHeader(this.#protectedHeader);
+    if (this.#iv) {
+      enc.setInitializationVector(this.#iv);
+    }
+    if (this.#cek) {
+      enc.setContentEncryptionKey(this.#cek);
+    }
+    if (this.#keyManagementParameters) {
+      enc.setKeyManagementParameters(this.#keyManagementParameters);
+    }
+    return enc.encrypt(key, options);
+  }
+}
+var init_encrypt4 = __esm(() => {
+  init_encrypt3();
+  init_jwt_claims_set();
+  init_helpers();
+});
+
+// node_modules/jose/dist/webapi/jwk/thumbprint.js
+async function calculateJwkThumbprint(key, digestAlgorithm) {
+  let jwk;
+  if (isJWK(key)) {
+    jwk = key;
+  } else if (isKeyLike(key)) {
+    jwk = await exportJWK(key);
+  } else {
+    throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+  }
+  digestAlgorithm ??= "sha256";
+  if (digestAlgorithm !== "sha256" && digestAlgorithm !== "sha384" && digestAlgorithm !== "sha512") {
+    throw new TypeError('digestAlgorithm must one of "sha256", "sha384", or "sha512"');
+  }
+  let components;
+  switch (jwk.kty) {
+    case "AKP":
+      check(jwk.alg, '"alg" (Algorithm) Parameter');
+      check(jwk.pub, '"pub" (Public key) Parameter');
+      components = { alg: jwk.alg, kty: jwk.kty, pub: jwk.pub };
+      break;
+    case "EC":
+      check(jwk.crv, '"crv" (Curve) Parameter');
+      check(jwk.x, '"x" (X Coordinate) Parameter');
+      check(jwk.y, '"y" (Y Coordinate) Parameter');
+      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y };
+      break;
+    case "OKP":
+      check(jwk.crv, '"crv" (Subtype of Key Pair) Parameter');
+      check(jwk.x, '"x" (Public Key) Parameter');
+      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x };
+      break;
+    case "RSA":
+      check(jwk.e, '"e" (Exponent) Parameter');
+      check(jwk.n, '"n" (Modulus) Parameter');
+      components = { e: jwk.e, kty: jwk.kty, n: jwk.n };
+      break;
+    case "oct":
+      check(jwk.k, '"k" (Key Value) Parameter');
+      components = { k: jwk.k, kty: jwk.kty };
+      break;
+    default:
+      throw new JOSENotSupported('"kty" (Key Type) Parameter missing or unsupported');
+  }
+  const data = encode(JSON.stringify(components));
+  return encode2(await digest(digestAlgorithm, data));
+}
+async function calculateJwkThumbprintUri(key, digestAlgorithm) {
+  digestAlgorithm ??= "sha256";
+  const thumbprint = await calculateJwkThumbprint(key, digestAlgorithm);
+  return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`;
+}
+var check = (value, description) => {
+  if (typeof value !== "string" || !value) {
+    throw new JWKInvalid(`${description} missing or invalid`);
+  }
+};
+var init_thumbprint = __esm(() => {
+  init_helpers();
+  init_base64url();
+  init_errors();
+  init_buffer_utils();
+  init_export();
+});
+
+// node_modules/jose/dist/webapi/jwk/embedded.js
+async function EmbeddedJWK(protectedHeader, token) {
+  const joseHeader = {
+    ...protectedHeader,
+    ...token?.header
+  };
+  if (!isObject(joseHeader.jwk)) {
+    throw new JWSInvalid('"jwk" (JSON Web Key) Header Parameter must be a JSON object');
+  }
+  const key = await importJWK({ ...joseHeader.jwk, ext: true }, joseHeader.alg);
+  if (key instanceof Uint8Array || key.type !== "public") {
+    throw new JWSInvalid('"jwk" (JSON Web Key) Header Parameter must be a public key');
+  }
+  return key;
+}
+var init_embedded = __esm(() => {
+  init_import();
+  init_errors();
+});
+
+// node_modules/jose/dist/webapi/jwks/local.js
+function getKtyFromAlg(alg) {
+  switch (typeof alg === "string" && alg.slice(0, 2)) {
+    case "RS":
+    case "PS":
+      return "RSA";
+    case "ES":
+      return "EC";
+    case "Ed":
+      return "OKP";
+    case "ML":
+      return "AKP";
+    default:
+      throw new JOSENotSupported('Unsupported "alg" value for a JSON Web Key Set');
+  }
+}
+function isJWKSLike(jwks) {
+  return jwks && typeof jwks === "object" && Array.isArray(jwks.keys) && jwks.keys.every(isJWKLike);
+}
+function isJWKLike(key) {
+  return isObject(key);
+}
+
+class LocalJWKSet {
+  #jwks;
+  #cached = new WeakMap;
+  constructor(jwks) {
+    if (!isJWKSLike(jwks)) {
+      throw new JWKSInvalid("JSON Web Key Set malformed");
+    }
+    this.#jwks = structuredClone(jwks);
+  }
+  jwks() {
+    return this.#jwks;
+  }
+  async getKey(protectedHeader, token) {
+    const { alg, kid } = { ...protectedHeader, ...token?.header };
+    const kty = getKtyFromAlg(alg);
+    const candidates = this.#jwks.keys.filter((jwk2) => {
+      let candidate = kty === jwk2.kty;
+      if (candidate && typeof kid === "string") {
+        candidate = kid === jwk2.kid;
+      }
+      if (candidate && (typeof jwk2.alg === "string" || kty === "AKP")) {
+        candidate = alg === jwk2.alg;
+      }
+      if (candidate && typeof jwk2.use === "string") {
+        candidate = jwk2.use === "sig";
+      }
+      if (candidate && Array.isArray(jwk2.key_ops)) {
+        candidate = jwk2.key_ops.includes("verify");
+      }
+      if (candidate) {
+        switch (alg) {
+          case "ES256":
+            candidate = jwk2.crv === "P-256";
+            break;
+          case "ES384":
+            candidate = jwk2.crv === "P-384";
+            break;
+          case "ES512":
+            candidate = jwk2.crv === "P-521";
+            break;
+          case "Ed25519":
+          case "EdDSA":
+            candidate = jwk2.crv === "Ed25519";
+            break;
+        }
+      }
+      return candidate;
+    });
+    const { 0: jwk, length } = candidates;
+    if (length === 0) {
+      throw new JWKSNoMatchingKey;
+    }
+    if (length !== 1) {
+      const error = new JWKSMultipleMatchingKeys;
+      const _cached = this.#cached;
+      error[Symbol.asyncIterator] = async function* () {
+        for (const jwk2 of candidates) {
+          try {
+            yield await importWithAlgCache(_cached, jwk2, alg);
+          } catch {}
+        }
+      };
+      throw error;
+    }
+    return importWithAlgCache(this.#cached, jwk, alg);
+  }
+}
+async function importWithAlgCache(cache2, jwk, alg) {
+  const cached = cache2.get(jwk) || cache2.set(jwk, {}).get(jwk);
+  if (cached[alg] === undefined) {
+    const key = await importJWK({ ...jwk, ext: true }, alg);
+    if (key instanceof Uint8Array || key.type !== "public") {
+      throw new JWKSInvalid("JSON Web Key Set members must be public keys");
+    }
+    cached[alg] = key;
+  }
+  return cached[alg];
+}
+function createLocalJWKSet(jwks) {
+  const set = new LocalJWKSet(jwks);
+  const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
+  Object.defineProperties(localJWKSet, {
+    jwks: {
+      value: () => structuredClone(set.jwks()),
+      enumerable: false,
+      configurable: false,
+      writable: false
+    }
+  });
+  return localJWKSet;
+}
+var init_local = __esm(() => {
+  init_import();
+  init_errors();
+});
 
-// node_modules/jose/dist/webapi/jwt/verify.js
-async function jwtVerify(jwt, key, options) {
-  const verified = await compactVerify(jwt, key, options);
-  if (verified.protectedHeader.crit?.includes("b64") && verified.protectedHeader.b64 === false) {
-    throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
+// node_modules/jose/dist/webapi/jwks/remote.js
+function isCloudflareWorkers() {
+  return typeof WebSocketPair !== "undefined" || typeof navigator !== "undefined" && navigator.userAgent === "Cloudflare-Workers" || typeof EdgeRuntime !== "undefined" && EdgeRuntime === "vercel";
+}
+async function fetchJwks(url, headers, signal, fetchImpl = fetch) {
+  const response = await fetchImpl(url, {
+    method: "GET",
+    signal,
+    redirect: "manual",
+    headers
+  }).catch((err) => {
+    if (err.name === "TimeoutError") {
+      throw new JWKSTimeout;
+    }
+    throw err;
+  });
+  if (response.status !== 200) {
+    throw new JOSEError("Expected 200 OK from the JSON Web Key Set HTTP response");
   }
-  const payload = validateClaimsSet(verified.protectedHeader, verified.payload, options);
-  const result = { payload, protectedHeader: verified.protectedHeader };
-  if (typeof key === "function") {
-    return { ...result, key: verified.key };
+  try {
+    return await response.json();
+  } catch {
+    throw new JOSEError("Failed to parse the JSON Web Key Set HTTP response as JSON");
   }
-  return result;
 }
-// node_modules/jose/dist/webapi/jws/flattened/sign.js
-class FlattenedSign {
-  #payload;
-  #protectedHeader;
-  #unprotectedHeader;
-  constructor(payload) {
-    if (!(payload instanceof Uint8Array)) {
-      throw new TypeError("payload must be an instance of Uint8Array");
-    }
-    this.#payload = payload;
+function isFreshJwksCache(input, cacheMaxAge) {
+  if (typeof input !== "object" || input === null) {
+    return false;
   }
-  setProtectedHeader(protectedHeader) {
-    assertNotSet(this.#protectedHeader, "setProtectedHeader");
-    this.#protectedHeader = protectedHeader;
-    return this;
+  if (!("uat" in input) || typeof input.uat !== "number" || Date.now() - input.uat >= cacheMaxAge) {
+    return false;
   }
-  setUnprotectedHeader(unprotectedHeader) {
-    assertNotSet(this.#unprotectedHeader, "setUnprotectedHeader");
-    this.#unprotectedHeader = unprotectedHeader;
-    return this;
+  if (!("jwks" in input) || !isObject(input.jwks) || !Array.isArray(input.jwks.keys) || !Array.prototype.every.call(input.jwks.keys, isObject)) {
+    return false;
   }
-  async sign(key, options) {
-    if (!this.#protectedHeader && !this.#unprotectedHeader) {
-      throw new JWSInvalid("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");
-    }
-    if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) {
-      throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+  return true;
+}
+
+class RemoteJWKSet {
+  #url;
+  #timeoutDuration;
+  #cooldownDuration;
+  #cacheMaxAge;
+  #jwksTimestamp;
+  #pendingFetch;
+  #headers;
+  #customFetch;
+  #local;
+  #cache;
+  constructor(url, options) {
+    if (!(url instanceof URL)) {
+      throw new TypeError("url must be an instance of URL");
     }
-    const joseHeader = {
-      ...this.#protectedHeader,
-      ...this.#unprotectedHeader
-    };
-    const extensions = validateCrit(JWSInvalid, new Map([["b64", true]]), options?.crit, this.#protectedHeader, joseHeader);
-    let b64 = true;
-    if (extensions.has("b64")) {
-      b64 = this.#protectedHeader.b64;
-      if (typeof b64 !== "boolean") {
-        throw new JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
-      }
+    this.#url = new URL(url.href);
+    this.#timeoutDuration = typeof options?.timeoutDuration === "number" ? options?.timeoutDuration : 5000;
+    this.#cooldownDuration = typeof options?.cooldownDuration === "number" ? options?.cooldownDuration : 30000;
+    this.#cacheMaxAge = typeof options?.cacheMaxAge === "number" ? options?.cacheMaxAge : 600000;
+    this.#headers = new Headers(options?.headers);
+    if (USER_AGENT && !this.#headers.has("User-Agent")) {
+      this.#headers.set("User-Agent", USER_AGENT);
     }
-    const { alg } = joseHeader;
-    if (typeof alg !== "string" || !alg) {
-      throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+    if (!this.#headers.has("accept")) {
+      this.#headers.set("accept", "application/json");
+      this.#headers.append("accept", "application/jwk-set+json");
     }
-    checkKeyType(alg, key, "sign");
-    let payloadS;
-    let payloadB;
-    if (b64) {
-      payloadS = encode2(this.#payload);
-      payloadB = encode(payloadS);
-    } else {
-      payloadB = this.#payload;
-      payloadS = "";
+    this.#customFetch = options?.[customFetch];
+    if (options?.[jwksCache] !== undefined) {
+      this.#cache = options?.[jwksCache];
+      if (isFreshJwksCache(options?.[jwksCache], this.#cacheMaxAge)) {
+        this.#jwksTimestamp = this.#cache.uat;
+        this.#local = createLocalJWKSet(this.#cache.jwks);
+      }
     }
-    let protectedHeaderString;
-    let protectedHeaderBytes;
-    if (this.#protectedHeader) {
-      protectedHeaderString = encode2(JSON.stringify(this.#protectedHeader));
-      protectedHeaderBytes = encode(protectedHeaderString);
-    } else {
-      protectedHeaderString = "";
-      protectedHeaderBytes = new Uint8Array;
+  }
+  pendingFetch() {
+    return !!this.#pendingFetch;
+  }
+  coolingDown() {
+    return typeof this.#jwksTimestamp === "number" ? Date.now() < this.#jwksTimestamp + this.#cooldownDuration : false;
+  }
+  fresh() {
+    return typeof this.#jwksTimestamp === "number" ? Date.now() < this.#jwksTimestamp + this.#cacheMaxAge : false;
+  }
+  jwks() {
+    return this.#local?.jwks();
+  }
+  async getKey(protectedHeader, token) {
+    if (!this.#local || !this.fresh()) {
+      await this.reload();
     }
-    const data = concat(protectedHeaderBytes, encode("."), payloadB);
-    const k = await normalizeKey(key, alg);
-    const signature = await sign(alg, k, data);
-    const jws = {
-      signature: encode2(signature),
-      payload: payloadS
-    };
-    if (this.#unprotectedHeader) {
-      jws.header = this.#unprotectedHeader;
+    try {
+      return await this.#local(protectedHeader, token);
+    } catch (err) {
+      if (err instanceof JWKSNoMatchingKey) {
+        if (this.coolingDown() === false) {
+          await this.reload();
+          return this.#local(protectedHeader, token);
+        }
+      }
+      throw err;
     }
-    if (this.#protectedHeader) {
-      jws.protected = protectedHeaderString;
+  }
+  async reload() {
+    if (this.#pendingFetch && isCloudflareWorkers()) {
+      this.#pendingFetch = undefined;
     }
-    return jws;
+    this.#pendingFetch ||= fetchJwks(this.#url.href, this.#headers, AbortSignal.timeout(this.#timeoutDuration), this.#customFetch).then((json) => {
+      this.#local = createLocalJWKSet(json);
+      if (this.#cache) {
+        this.#cache.uat = Date.now();
+        this.#cache.jwks = json;
+      }
+      this.#jwksTimestamp = Date.now();
+      this.#pendingFetch = undefined;
+    }).catch((err) => {
+      this.#pendingFetch = undefined;
+      throw err;
+    });
+    await this.#pendingFetch;
   }
 }
-
-// node_modules/jose/dist/webapi/jws/compact/sign.js
-class CompactSign {
-  #flattened;
-  constructor(payload) {
-    this.#flattened = new FlattenedSign(payload);
-  }
-  setProtectedHeader(protectedHeader) {
-    this.#flattened.setProtectedHeader(protectedHeader);
-    return this;
-  }
-  async sign(key, options) {
-    const jws = await this.#flattened.sign(key, options);
-    if (jws.payload === undefined) {
-      throw new TypeError("use the flattened module for creating JWS with b64: false");
+function createRemoteJWKSet(url, options) {
+  const set = new RemoteJWKSet(url, options);
+  const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
+  Object.defineProperties(remoteJWKSet, {
+    coolingDown: {
+      get: () => set.coolingDown(),
+      enumerable: true,
+      configurable: false
+    },
+    fresh: {
+      get: () => set.fresh(),
+      enumerable: true,
+      configurable: false
+    },
+    reload: {
+      value: () => set.reload(),
+      enumerable: true,
+      configurable: false,
+      writable: false
+    },
+    reloading: {
+      get: () => set.pendingFetch(),
+      enumerable: true,
+      configurable: false
+    },
+    jwks: {
+      value: () => set.jwks(),
+      enumerable: true,
+      configurable: false,
+      writable: false
     }
-    return `${jws.protected}.${jws.payload}.${jws.signature}`;
-  }
+  });
+  return remoteJWKSet;
 }
+var USER_AGENT, customFetch, jwksCache;
+var init_remote = __esm(() => {
+  init_errors();
+  init_local();
+  if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
+    const NAME = "jose";
+    const VERSION = "v6.2.2";
+    USER_AGENT = `${NAME}/${VERSION}`;
+  }
+  customFetch = Symbol();
+  jwksCache = Symbol();
+});
 
-// node_modules/jose/dist/webapi/jwt/sign.js
-class SignJWT {
-  #protectedHeader;
+// node_modules/jose/dist/webapi/jwt/unsecured.js
+class UnsecuredJWT {
   #jwt;
   constructor(payload = {}) {
     this.#jwt = new JWTClaimsBuilder(payload);
   }
+  encode() {
+    const header = encode2(JSON.stringify({ alg: "none" }));
+    const payload = encode2(this.#jwt.data());
+    return `${header}.${payload}.`;
+  }
   setIssuer(issuer) {
     this.#jwt.iss = issuer;
     return this;
@@ -1303,20 +3696,322 @@ class SignJWT {
     this.#jwt.iat = input;
     return this;
   }
-  setProtectedHeader(protectedHeader) {
-    this.#protectedHeader = protectedHeader;
-    return this;
+  static decode(jwt, options) {
+    if (typeof jwt !== "string") {
+      throw new JWTInvalid("Unsecured JWT must be a string");
+    }
+    const { 0: encodedHeader, 1: encodedPayload, 2: signature, length } = jwt.split(".");
+    if (length !== 3 || signature !== "") {
+      throw new JWTInvalid("Invalid Unsecured JWT");
+    }
+    let header;
+    try {
+      header = JSON.parse(decoder.decode(decode(encodedHeader)));
+      if (header.alg !== "none")
+        throw new Error;
+    } catch {
+      throw new JWTInvalid("Invalid Unsecured JWT");
+    }
+    const payload = validateClaimsSet(header, decode(encodedPayload), options);
+    return { payload, header };
   }
-  async sign(key, options) {
-    const sig = new CompactSign(this.#jwt.data());
-    sig.setProtectedHeader(this.#protectedHeader);
-    if (Array.isArray(this.#protectedHeader?.crit) && this.#protectedHeader.crit.includes("b64") && this.#protectedHeader.b64 === false) {
-      throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
+}
+var init_unsecured = __esm(() => {
+  init_base64url();
+  init_buffer_utils();
+  init_errors();
+  init_jwt_claims_set();
+});
+
+// node_modules/jose/dist/webapi/util/decode_protected_header.js
+function decodeProtectedHeader(token) {
+  let protectedB64u;
+  if (typeof token === "string") {
+    const parts = token.split(".");
+    if (parts.length === 3 || parts.length === 5) {
+      [protectedB64u] = parts;
     }
-    return sig.sign(key, options);
+  } else if (typeof token === "object" && token) {
+    if ("protected" in token) {
+      protectedB64u = token.protected;
+    } else {
+      throw new TypeError("Token does not contain a Protected Header");
+    }
+  }
+  try {
+    if (typeof protectedB64u !== "string" || !protectedB64u) {
+      throw new Error;
+    }
+    const result = JSON.parse(decoder.decode(decode(protectedB64u)));
+    if (!isObject(result)) {
+      throw new Error;
+    }
+    return result;
+  } catch {
+    throw new TypeError("Invalid Token or Protected Header formatting");
+  }
+}
+var init_decode_protected_header = __esm(() => {
+  init_base64url();
+  init_buffer_utils();
+});
+
+// node_modules/jose/dist/webapi/util/decode_jwt.js
+function decodeJwt(jwt) {
+  if (typeof jwt !== "string")
+    throw new JWTInvalid("JWTs must use Compact JWS serialization, JWT must be a string");
+  const { 1: payload, length } = jwt.split(".");
+  if (length === 5)
+    throw new JWTInvalid("Only JWTs using Compact JWS serialization can be decoded");
+  if (length !== 3)
+    throw new JWTInvalid("Invalid JWT");
+  if (!payload)
+    throw new JWTInvalid("JWTs must contain a payload");
+  let decoded;
+  try {
+    decoded = decode(payload);
+  } catch {
+    throw new JWTInvalid("Failed to base64url decode the payload");
+  }
+  let result;
+  try {
+    result = JSON.parse(decoder.decode(decoded));
+  } catch {
+    throw new JWTInvalid("Failed to parse the decoded payload as JSON");
+  }
+  if (!isObject(result))
+    throw new JWTInvalid("Invalid JWT Claims Set");
+  return result;
+}
+var init_decode_jwt = __esm(() => {
+  init_base64url();
+  init_buffer_utils();
+  init_errors();
+});
+
+// node_modules/jose/dist/webapi/key/generate_key_pair.js
+function getModulusLengthOption(options) {
+  const modulusLength = options?.modulusLength ?? 2048;
+  if (typeof modulusLength !== "number" || modulusLength < 2048) {
+    throw new JOSENotSupported("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");
+  }
+  return modulusLength;
+}
+async function generateKeyPair(alg, options) {
+  let algorithm;
+  let keyUsages;
+  switch (alg) {
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      algorithm = {
+        name: "RSA-PSS",
+        hash: `SHA-${alg.slice(-3)}`,
+        publicExponent: Uint8Array.of(1, 0, 1),
+        modulusLength: getModulusLengthOption(options)
+      };
+      keyUsages = ["sign", "verify"];
+      break;
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      algorithm = {
+        name: "RSASSA-PKCS1-v1_5",
+        hash: `SHA-${alg.slice(-3)}`,
+        publicExponent: Uint8Array.of(1, 0, 1),
+        modulusLength: getModulusLengthOption(options)
+      };
+      keyUsages = ["sign", "verify"];
+      break;
+    case "RSA-OAEP":
+    case "RSA-OAEP-256":
+    case "RSA-OAEP-384":
+    case "RSA-OAEP-512":
+      algorithm = {
+        name: "RSA-OAEP",
+        hash: `SHA-${parseInt(alg.slice(-3), 10) || 1}`,
+        publicExponent: Uint8Array.of(1, 0, 1),
+        modulusLength: getModulusLengthOption(options)
+      };
+      keyUsages = ["decrypt", "unwrapKey", "encrypt", "wrapKey"];
+      break;
+    case "ES256":
+      algorithm = { name: "ECDSA", namedCurve: "P-256" };
+      keyUsages = ["sign", "verify"];
+      break;
+    case "ES384":
+      algorithm = { name: "ECDSA", namedCurve: "P-384" };
+      keyUsages = ["sign", "verify"];
+      break;
+    case "ES512":
+      algorithm = { name: "ECDSA", namedCurve: "P-521" };
+      keyUsages = ["sign", "verify"];
+      break;
+    case "Ed25519":
+    case "EdDSA": {
+      keyUsages = ["sign", "verify"];
+      algorithm = { name: "Ed25519" };
+      break;
+    }
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87": {
+      keyUsages = ["sign", "verify"];
+      algorithm = { name: alg };
+      break;
+    }
+    case "ECDH-ES":
+    case "ECDH-ES+A128KW":
+    case "ECDH-ES+A192KW":
+    case "ECDH-ES+A256KW": {
+      keyUsages = ["deriveBits"];
+      const crv = options?.crv ?? "P-256";
+      switch (crv) {
+        case "P-256":
+        case "P-384":
+        case "P-521": {
+          algorithm = { name: "ECDH", namedCurve: crv };
+          break;
+        }
+        case "X25519":
+          algorithm = { name: "X25519" };
+          break;
+        default:
+          throw new JOSENotSupported("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519");
+      }
+      break;
+    }
+    default:
+      throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+  }
+  return crypto.subtle.generateKey(algorithm, options?.extractable ?? false, keyUsages);
+}
+var init_generate_key_pair = __esm(() => {
+  init_errors();
+});
+
+// node_modules/jose/dist/webapi/key/generate_secret.js
+async function generateSecret(alg, options) {
+  let length;
+  let algorithm;
+  let keyUsages;
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      length = parseInt(alg.slice(-3), 10);
+      algorithm = { name: "HMAC", hash: `SHA-${length}`, length };
+      keyUsages = ["sign", "verify"];
+      break;
+    case "A128CBC-HS256":
+    case "A192CBC-HS384":
+    case "A256CBC-HS512":
+      length = parseInt(alg.slice(-3), 10);
+      return crypto.getRandomValues(new Uint8Array(length >> 3));
+    case "A128KW":
+    case "A192KW":
+    case "A256KW":
+      length = parseInt(alg.slice(1, 4), 10);
+      algorithm = { name: "AES-KW", length };
+      keyUsages = ["wrapKey", "unwrapKey"];
+      break;
+    case "A128GCMKW":
+    case "A192GCMKW":
+    case "A256GCMKW":
+    case "A128GCM":
+    case "A192GCM":
+    case "A256GCM":
+      length = parseInt(alg.slice(1, 4), 10);
+      algorithm = { name: "AES-GCM", length };
+      keyUsages = ["encrypt", "decrypt"];
+      break;
+    default:
+      throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
   }
+  return crypto.subtle.generateKey(algorithm, options?.extractable ?? false, keyUsages);
 }
+var init_generate_secret = __esm(() => {
+  init_errors();
+});
+
+// node_modules/jose/dist/webapi/index.js
+var exports_webapi = {};
+__export(exports_webapi, {
+  jwtVerify: () => jwtVerify,
+  jwtDecrypt: () => jwtDecrypt,
+  jwksCache: () => jwksCache,
+  importX509: () => importX509,
+  importSPKI: () => importSPKI,
+  importPKCS8: () => importPKCS8,
+  importJWK: () => importJWK,
+  generateSecret: () => generateSecret,
+  generateKeyPair: () => generateKeyPair,
+  generalVerify: () => generalVerify,
+  generalDecrypt: () => generalDecrypt,
+  flattenedVerify: () => flattenedVerify,
+  flattenedDecrypt: () => flattenedDecrypt,
+  exportSPKI: () => exportSPKI,
+  exportPKCS8: () => exportPKCS8,
+  exportJWK: () => exportJWK,
+  errors: () => exports_errors,
+  decodeProtectedHeader: () => decodeProtectedHeader,
+  decodeJwt: () => decodeJwt,
+  customFetch: () => customFetch,
+  cryptoRuntime: () => cryptoRuntime,
+  createRemoteJWKSet: () => createRemoteJWKSet,
+  createLocalJWKSet: () => createLocalJWKSet,
+  compactVerify: () => compactVerify,
+  compactDecrypt: () => compactDecrypt,
+  calculateJwkThumbprintUri: () => calculateJwkThumbprintUri,
+  calculateJwkThumbprint: () => calculateJwkThumbprint,
+  base64url: () => exports_base64url,
+  UnsecuredJWT: () => UnsecuredJWT,
+  SignJWT: () => SignJWT,
+  GeneralSign: () => GeneralSign,
+  GeneralEncrypt: () => GeneralEncrypt,
+  FlattenedSign: () => FlattenedSign,
+  FlattenedEncrypt: () => FlattenedEncrypt,
+  EncryptJWT: () => EncryptJWT,
+  EmbeddedJWK: () => EmbeddedJWK,
+  CompactSign: () => CompactSign,
+  CompactEncrypt: () => CompactEncrypt
+});
+var cryptoRuntime = "WebCryptoAPI";
+var init_webapi = __esm(() => {
+  init_decrypt2();
+  init_decrypt();
+  init_decrypt3();
+  init_encrypt2();
+  init_verify2();
+  init_verify();
+  init_verify3();
+  init_verify4();
+  init_decrypt4();
+  init_encrypt3();
+  init_encrypt();
+  init_sign2();
+  init_sign();
+  init_sign3();
+  init_sign4();
+  init_encrypt4();
+  init_thumbprint();
+  init_embedded();
+  init_local();
+  init_remote();
+  init_unsecured();
+  init_export();
+  init_import();
+  init_decode_protected_header();
+  init_decode_jwt();
+  init_errors();
+  init_generate_key_pair();
+  init_generate_secret();
+  init_base64url();
+});
+
 // src/middleware.ts
+init_webapi();
+init_webapi();
 var logger = (options = {}) => {
   const {
     enabled = true,
@@ -1531,7 +4226,7 @@ var apiKey = (options) => {
     return next();
   };
 };
-var compress = (options) => {
+var compress2 = (options) => {
   const threshold = options?.threshold || 1024;
   const filter = options?.filter || (() => true);
   return async (req, next) => {
@@ -1609,15 +4304,122 @@ var session = (options) => {
     });
   };
 };
+var secureHeaders = (options) => {
+  const opts = options ?? {};
+  return async (req, next) => {
+    const response = await next();
+    if (!response)
+      return response;
+    const headers = new Headers(response.headers);
+    headers.set("X-Frame-Options", opts.xFrameOptions ?? "SAMEORIGIN");
+    headers.set("X-XSS-Protection", opts.xXssProtection ?? "1; mode=block");
+    headers.set("Referrer-Policy", opts.referrerPolicy ?? "strict-origin-when-cross-origin");
+    if (opts.xContentTypeOptions !== false)
+      headers.set("X-Content-Type-Options", "nosniff");
+    if (opts.strictTransportSecurity !== "")
+      headers.set("Strict-Transport-Security", opts.strictTransportSecurity ?? "max-age=31536000; includeSubDomains");
+    if (opts.permissionsPolicy)
+      headers.set("Permissions-Policy", opts.permissionsPolicy);
+    if (opts.contentSecurityPolicy)
+      headers.set("Content-Security-Policy", opts.contentSecurityPolicy);
+    return new Response(response.body, { status: response.status, statusText: response.statusText, headers });
+  };
+};
+var timeout = (ms, message2 = "Request Timeout") => {
+  return async (req, next) => {
+    let timer;
+    const timeoutPromise = new Promise((resolve) => {
+      timer = setTimeout(() => resolve(new Response(JSON.stringify({ error: message2 }), {
+        status: 408,
+        headers: { "Content-Type": "application/json" }
+      })), ms);
+    });
+    try {
+      const result = await Promise.race([next(), timeoutPromise]);
+      return result;
+    } finally {
+      clearTimeout(timer);
+    }
+  };
+};
+var requestId = (options) => {
+  const header = options?.header ?? "X-Request-ID";
+  const generate = options?.generator ?? (() => crypto.randomUUID());
+  return async (req, next) => {
+    const id = req.headers.get(header) ?? generate();
+    req.id = id;
+    const response = await next();
+    if (!response)
+      return response;
+    const headers = new Headers(response.headers);
+    headers.set(header, id);
+    return new Response(response.body, { status: response.status, statusText: response.statusText, headers });
+  };
+};
+var ipRestriction = (options) => {
+  const allow = options.allowList ? new Set(options.allowList) : null;
+  const deny = options.denyList ? new Set(options.denyList) : null;
+  return async (req, next) => {
+    const ip = req.ip ?? "127.0.0.1";
+    if (deny && deny.has(ip))
+      return new Response(JSON.stringify({ error: "Forbidden" }), { status: 403, headers: { "Content-Type": "application/json" } });
+    if (allow && !allow.has(ip))
+      return new Response(JSON.stringify({ error: "Forbidden" }), { status: 403, headers: { "Content-Type": "application/json" } });
+    return next();
+  };
+};
+var serveStatic = (root) => {
+  const base = root.replace(/\/$/, "");
+  return async (req, next) => {
+    if (req.method !== "GET" && req.method !== "HEAD")
+      return next();
+    const pathname = new URL(req.url).pathname;
+    const filePath = base + pathname;
+    const file = Bun.file(filePath);
+    if (await file.exists()) {
+      return new Response(file);
+    }
+    if (!pathname.includes(".")) {
+      const index = Bun.file(filePath.replace(/\/$/, "") + "/index.html");
+      if (await index.exists())
+        return new Response(index);
+    }
+    return next();
+  };
+};
+var jwks = (jwksUrl, options) => {
+  const JWKS = createRemoteJWKSet(new URL(jwksUrl));
+  return async (req, next) => {
+    const auth2 = req.headers.get("authorization");
+    req.user = undefined;
+    if (auth2?.startsWith("Bearer ")) {
+      const token = auth2.slice(7).trim();
+      try {
+        const { jwtVerify: jwtVerify2 } = await Promise.resolve().then(() => (init_webapi(), exports_webapi));
+        const { payload } = await jwtVerify2(token, JWKS, {
+          algorithms: options?.algorithms ?? ["RS256", "RS512", "ES256", "ES512"]
+        });
+        req.user = payload;
+      } catch {}
+    }
+    return next();
+  };
+};
 export {
   validate,
+  timeout,
   signJWT,
   session,
+  serveStatic,
+  secureHeaders,
+  requestId,
   rateLimit,
   logger,
   jwt,
+  jwks,
+  ipRestriction,
   cors,
-  compress,
+  compress2 as compress,
   auth,
   apiKey
 };