sanity-plugin-ga-dashboard 1.0.0 → 1.0.2

package/dist/api/index.cjs

@@ -0,0 +1,1543 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __defProps = Object.defineProperties;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropSymbols = Object.getOwnPropertySymbols;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __propIsEnum = Object.prototype.propertyIsEnumerable;
+var __typeError = (msg) => {
+  throw TypeError(msg);
+};
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __spreadValues = (a, b) => {
+  for (var prop in b || (b = {}))
+    if (__hasOwnProp.call(b, prop))
+      __defNormalProp(a, prop, b[prop]);
+  if (__getOwnPropSymbols)
+    for (var prop of __getOwnPropSymbols(b)) {
+      if (__propIsEnum.call(b, prop))
+        __defNormalProp(a, prop, b[prop]);
+    }
+  return a;
+};
+var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __accessCheck = (obj, member, msg) => member.has(obj) || __typeError("Cannot " + msg);
+var __privateGet = (obj, member, getter) => (__accessCheck(obj, member, "read from private field"), getter ? getter.call(obj) : member.get(obj));
+var __privateAdd = (obj, member, value) => member.has(obj) ? __typeError("Cannot add the same private member more than once") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+var __privateSet = (obj, member, value, setter) => (__accessCheck(obj, member, "write to private field"), setter ? setter.call(obj, value) : member.set(obj, value), value);
+
+// src/api/index.ts
+var api_exports = {};
+__export(api_exports, {
+  GET: () => GET
+});
+module.exports = __toCommonJS(api_exports);
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/lib/buffer_utils.js
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+var MAX_INT32 = 2 ** 32;
+function concat(...buffers) {
+  const size = buffers.reduce((acc, { length }) => acc + length, 0);
+  const buf = new Uint8Array(size);
+  let i = 0;
+  for (const buffer of buffers) {
+    buf.set(buffer, i);
+    i += buffer.length;
+  }
+  return buf;
+}
+function encode(string) {
+  const bytes = new Uint8Array(string.length);
+  for (let i = 0; i < string.length; i++) {
+    const code = string.charCodeAt(i);
+    if (code > 127) {
+      throw new TypeError("non-ASCII string encountered in encode()");
+    }
+    bytes[i] = code;
+  }
+  return bytes;
+}
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/lib/base64.js
+function encodeBase64(input) {
+  if (Uint8Array.prototype.toBase64) {
+    return input.toBase64();
+  }
+  const CHUNK_SIZE = 32768;
+  const arr = [];
+  for (let i = 0; i < input.length; i += CHUNK_SIZE) {
+    arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
+  }
+  return btoa(arr.join(""));
+}
+function decodeBase64(encoded) {
+  if (Uint8Array.fromBase64) {
+    return Uint8Array.fromBase64(encoded);
+  }
+  const binary = atob(encoded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/util/base64url.js
+function decode(input) {
+  if (Uint8Array.fromBase64) {
+    return Uint8Array.fromBase64(typeof input === "string" ? input : decoder.decode(input), {
+      alphabet: "base64url"
+    });
+  }
+  let encoded = input;
+  if (encoded instanceof Uint8Array) {
+    encoded = decoder.decode(encoded);
+  }
+  encoded = encoded.replace(/-/g, "+").replace(/_/g, "/");
+  try {
+    return decodeBase64(encoded);
+  } catch (e) {
+    throw new TypeError("The input to be decoded is not correctly encoded.");
+  }
+}
+function encode2(input) {
+  let unencoded = input;
+  if (typeof unencoded === "string") {
+    unencoded = encoder.encode(unencoded);
+  }
+  if (Uint8Array.prototype.toBase64) {
+    return unencoded.toBase64({ alphabet: "base64url", omitPadding: true });
+  }
+  return encodeBase64(unencoded).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/lib/crypto_key.js
+var unusable = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
+var isAlgorithm = (algorithm, name) => algorithm.name === name;
+function getHashLength(hash) {
+  return parseInt(hash.name.slice(4), 10);
+}
+function checkHashLength(algorithm, expected) {
+  const actual = getHashLength(algorithm.hash);
+  if (actual !== expected)
+    throw unusable(`SHA-${expected}`, "algorithm.hash");
+}
+function getNamedCurve(alg) {
+  switch (alg) {
+    case "ES256":
+      return "P-256";
+    case "ES384":
+      return "P-384";
+    case "ES512":
+      return "P-521";
+    default:
+      throw new Error("unreachable");
+  }
+}
+function checkUsage(key, usage) {
+  if (usage && !key.usages.includes(usage)) {
+    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
+  }
+}
+function checkSigCryptoKey(key, alg, usage) {
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!isAlgorithm(key.algorithm, "HMAC"))
+        throw unusable("HMAC");
+      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw unusable("RSASSA-PKCS1-v1_5");
+      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!isAlgorithm(key.algorithm, "RSA-PSS"))
+        throw unusable("RSA-PSS");
+      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA": {
+      if (!isAlgorithm(key.algorithm, "Ed25519"))
+        throw unusable("Ed25519");
+      break;
+    }
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87": {
+      if (!isAlgorithm(key.algorithm, alg))
+        throw unusable(alg);
+      break;
+    }
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!isAlgorithm(key.algorithm, "ECDSA"))
+        throw unusable("ECDSA");
+      const expected = getNamedCurve(alg);
+      const actual = key.algorithm.namedCurve;
+      if (actual !== expected)
+        throw unusable(expected, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  checkUsage(key, usage);
+}
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/lib/invalid_key_input.js
+function message(msg, actual, ...types) {
+  var _a2;
+  types = types.filter(Boolean);
+  if (types.length > 2) {
+    const last = types.pop();
+    msg += `one of type ${types.join(", ")}, or ${last}.`;
+  } else if (types.length === 2) {
+    msg += `one of type ${types[0]} or ${types[1]}.`;
+  } else {
+    msg += `of type ${types[0]}.`;
+  }
+  if (actual == null) {
+    msg += ` Received ${actual}`;
+  } else if (typeof actual === "function" && actual.name) {
+    msg += ` Received function ${actual.name}`;
+  } else if (typeof actual === "object" && actual != null) {
+    if ((_a2 = actual.constructor) == null ? void 0 : _a2.name) {
+      msg += ` Received an instance of ${actual.constructor.name}`;
+    }
+  }
+  return msg;
+}
+var invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types);
+var withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/util/errors.js
+var JOSEError = class extends Error {
+  constructor(message2, options) {
+    var _a2;
+    super(message2, options);
+    __publicField(this, "code", "ERR_JOSE_GENERIC");
+    this.name = this.constructor.name;
+    (_a2 = Error.captureStackTrace) == null ? void 0 : _a2.call(Error, this, this.constructor);
+  }
+};
+__publicField(JOSEError, "code", "ERR_JOSE_GENERIC");
+var JOSENotSupported = class extends JOSEError {
+  constructor() {
+    super(...arguments);
+    __publicField(this, "code", "ERR_JOSE_NOT_SUPPORTED");
+  }
+};
+__publicField(JOSENotSupported, "code", "ERR_JOSE_NOT_SUPPORTED");
+var JWSInvalid = class extends JOSEError {
+  constructor() {
+    super(...arguments);
+    __publicField(this, "code", "ERR_JWS_INVALID");
+  }
+};
+__publicField(JWSInvalid, "code", "ERR_JWS_INVALID");
+var JWTInvalid = class extends JOSEError {
+  constructor() {
+    super(...arguments);
+    __publicField(this, "code", "ERR_JWT_INVALID");
+  }
+};
+__publicField(JWTInvalid, "code", "ERR_JWT_INVALID");
+var _a, _b;
+var JWKSMultipleMatchingKeys = class extends (_b = JOSEError, _a = Symbol.asyncIterator, _b) {
+  constructor(message2 = "multiple matching keys found in the JSON Web Key Set", options) {
+    super(message2, options);
+    __publicField(this, _a);
+    __publicField(this, "code", "ERR_JWKS_MULTIPLE_MATCHING_KEYS");
+  }
+};
+__publicField(JWKSMultipleMatchingKeys, "code", "ERR_JWKS_MULTIPLE_MATCHING_KEYS");
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/lib/is_key_like.js
+var isCryptoKey = (key) => {
+  if ((key == null ? void 0 : key[Symbol.toStringTag]) === "CryptoKey")
+    return true;
+  try {
+    return key instanceof CryptoKey;
+  } catch (e) {
+    return false;
+  }
+};
+var isKeyObject = (key) => (key == null ? void 0 : key[Symbol.toStringTag]) === "KeyObject";
+var isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/lib/helpers.js
+function assertNotSet(value, name) {
+  if (value) {
+    throw new TypeError(`${name} can only be called once`);
+  }
+}
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/lib/type_checks.js
+var isObjectLike = (value) => typeof value === "object" && value !== null;
+function isObject(input) {
+  if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
+    return false;
+  }
+  if (Object.getPrototypeOf(input) === null) {
+    return true;
+  }
+  let proto = input;
+  while (Object.getPrototypeOf(proto) !== null) {
+    proto = Object.getPrototypeOf(proto);
+  }
+  return Object.getPrototypeOf(input) === proto;
+}
+function isDisjoint(...headers) {
+  const sources = headers.filter(Boolean);
+  if (sources.length === 0 || sources.length === 1) {
+    return true;
+  }
+  let acc;
+  for (const header of sources) {
+    const parameters = Object.keys(header);
+    if (!acc || acc.size === 0) {
+      acc = new Set(parameters);
+      continue;
+    }
+    for (const parameter of parameters) {
+      if (acc.has(parameter)) {
+        return false;
+      }
+      acc.add(parameter);
+    }
+  }
+  return true;
+}
+var isJWK = (key) => isObject(key) && typeof key.kty === "string";
+var isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
+var isPublicJWK = (key) => key.kty !== "oct" && key.d === void 0 && key.priv === void 0;
+var isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/lib/signing.js
+function checkKeyLength(alg, key) {
+  if (alg.startsWith("RS") || alg.startsWith("PS")) {
+    const { modulusLength } = key.algorithm;
+    if (typeof modulusLength !== "number" || modulusLength < 2048) {
+      throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
+    }
+  }
+}
+function subtleAlgorithm(alg, algorithm) {
+  const hash = `SHA-${alg.slice(-3)}`;
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      return { hash, name: "HMAC" };
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { hash, name: "RSASSA-PKCS1-v1_5" };
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
+    case "Ed25519":
+    case "EdDSA":
+      return { name: "Ed25519" };
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return { name: alg };
+    default:
+      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+async function getSigKey(alg, key, usage) {
+  if (key instanceof Uint8Array) {
+    if (!alg.startsWith("HS")) {
+      throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+    }
+    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
+  }
+  checkSigCryptoKey(key, alg, usage);
+  return key;
+}
+async function sign(alg, key, data) {
+  const cryptoKey = await getSigKey(alg, key, "sign");
+  checkKeyLength(alg, cryptoKey);
+  const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);
+  return new Uint8Array(signature);
+}
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/lib/jwk_to_key.js
+var unsupportedAlg = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
+function subtleMapping(jwk) {
+  let algorithm;
+  let keyUsages;
+  switch (jwk.kty) {
+    case "AKP": {
+      switch (jwk.alg) {
+        case "ML-DSA-44":
+        case "ML-DSA-65":
+        case "ML-DSA-87":
+          algorithm = { name: jwk.alg };
+          keyUsages = jwk.priv ? ["sign"] : ["verify"];
+          break;
+        default:
+          throw new JOSENotSupported(unsupportedAlg);
+      }
+      break;
+    }
+    case "RSA": {
+      switch (jwk.alg) {
+        case "PS256":
+        case "PS384":
+        case "PS512":
+          algorithm = { name: "RSA-PSS", hash: `SHA-${jwk.alg.slice(-3)}` };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "RS256":
+        case "RS384":
+        case "RS512":
+          algorithm = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${jwk.alg.slice(-3)}` };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "RSA-OAEP":
+        case "RSA-OAEP-256":
+        case "RSA-OAEP-384":
+        case "RSA-OAEP-512":
+          algorithm = {
+            name: "RSA-OAEP",
+            hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`
+          };
+          keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
+          break;
+        default:
+          throw new JOSENotSupported(unsupportedAlg);
+      }
+      break;
+    }
+    case "EC": {
+      switch (jwk.alg) {
+        case "ES256":
+        case "ES384":
+        case "ES512":
+          algorithm = {
+            name: "ECDSA",
+            namedCurve: { ES256: "P-256", ES384: "P-384", ES512: "P-521" }[jwk.alg]
+          };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          algorithm = { name: "ECDH", namedCurve: jwk.crv };
+          keyUsages = jwk.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new JOSENotSupported(unsupportedAlg);
+      }
+      break;
+    }
+    case "OKP": {
+      switch (jwk.alg) {
+        case "Ed25519":
+        case "EdDSA":
+          algorithm = { name: "Ed25519" };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          algorithm = { name: jwk.crv };
+          keyUsages = jwk.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new JOSENotSupported(unsupportedAlg);
+      }
+      break;
+    }
+    default:
+      throw new JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
+  }
+  return { algorithm, keyUsages };
+}
+async function jwkToKey(jwk) {
+  var _a2, _b2;
+  if (!jwk.alg) {
+    throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
+  }
+  const { algorithm, keyUsages } = subtleMapping(jwk);
+  const keyData = __spreadValues({}, jwk);
+  if (keyData.kty !== "AKP") {
+    delete keyData.alg;
+  }
+  delete keyData.use;
+  return crypto.subtle.importKey("jwk", keyData, algorithm, (_a2 = jwk.ext) != null ? _a2 : jwk.d || jwk.priv ? false : true, (_b2 = jwk.key_ops) != null ? _b2 : keyUsages);
+}
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/lib/normalize_key.js
+var unusableForAlg = "given KeyObject instance cannot be used for this algorithm";
+var cache;
+var handleJWK = async (key, jwk, alg, freeze = false) => {
+  cache || (cache = /* @__PURE__ */ new WeakMap());
+  let cached = cache.get(key);
+  if (cached == null ? void 0 : cached[alg]) {
+    return cached[alg];
+  }
+  const cryptoKey = await jwkToKey(__spreadProps(__spreadValues({}, jwk), { alg }));
+  if (freeze)
+    Object.freeze(key);
+  if (!cached) {
+    cache.set(key, { [alg]: cryptoKey });
+  } else {
+    cached[alg] = cryptoKey;
+  }
+  return cryptoKey;
+};
+var handleKeyObject = (keyObject, alg) => {
+  var _a2;
+  cache || (cache = /* @__PURE__ */ new WeakMap());
+  let cached = cache.get(keyObject);
+  if (cached == null ? void 0 : cached[alg]) {
+    return cached[alg];
+  }
+  const isPublic = keyObject.type === "public";
+  const extractable = isPublic ? true : false;
+  let cryptoKey;
+  if (keyObject.asymmetricKeyType === "x25519") {
+    switch (alg) {
+      case "ECDH-ES":
+      case "ECDH-ES+A128KW":
+      case "ECDH-ES+A192KW":
+      case "ECDH-ES+A256KW":
+        break;
+      default:
+        throw new TypeError(unusableForAlg);
+    }
+    cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
+  }
+  if (keyObject.asymmetricKeyType === "ed25519") {
+    if (alg !== "EdDSA" && alg !== "Ed25519") {
+      throw new TypeError(unusableForAlg);
+    }
+    cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
+      isPublic ? "verify" : "sign"
+    ]);
+  }
+  switch (keyObject.asymmetricKeyType) {
+    case "ml-dsa-44":
+    case "ml-dsa-65":
+    case "ml-dsa-87": {
+      if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
+        throw new TypeError(unusableForAlg);
+      }
+      cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
+        isPublic ? "verify" : "sign"
+      ]);
+    }
+  }
+  if (keyObject.asymmetricKeyType === "rsa") {
+    let hash;
+    switch (alg) {
+      case "RSA-OAEP":
+        hash = "SHA-1";
+        break;
+      case "RS256":
+      case "PS256":
+      case "RSA-OAEP-256":
+        hash = "SHA-256";
+        break;
+      case "RS384":
+      case "PS384":
+      case "RSA-OAEP-384":
+        hash = "SHA-384";
+        break;
+      case "RS512":
+      case "PS512":
+      case "RSA-OAEP-512":
+        hash = "SHA-512";
+        break;
+      default:
+        throw new TypeError(unusableForAlg);
+    }
+    if (alg.startsWith("RSA-OAEP")) {
+      return keyObject.toCryptoKey({
+        name: "RSA-OAEP",
+        hash
+      }, extractable, isPublic ? ["encrypt"] : ["decrypt"]);
+    }
+    cryptoKey = keyObject.toCryptoKey({
+      name: alg.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
+      hash
+    }, extractable, [isPublic ? "verify" : "sign"]);
+  }
+  if (keyObject.asymmetricKeyType === "ec") {
+    const nist = /* @__PURE__ */ new Map([
+      ["prime256v1", "P-256"],
+      ["secp384r1", "P-384"],
+      ["secp521r1", "P-521"]
+    ]);
+    const namedCurve = nist.get((_a2 = keyObject.asymmetricKeyDetails) == null ? void 0 : _a2.namedCurve);
+    if (!namedCurve) {
+      throw new TypeError(unusableForAlg);
+    }
+    const expectedCurve = { ES256: "P-256", ES384: "P-384", ES512: "P-521" };
+    if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {
+      cryptoKey = keyObject.toCryptoKey({
+        name: "ECDSA",
+        namedCurve
+      }, extractable, [isPublic ? "verify" : "sign"]);
+    }
+    if (alg.startsWith("ECDH-ES")) {
+      cryptoKey = keyObject.toCryptoKey({
+        name: "ECDH",
+        namedCurve
+      }, extractable, isPublic ? [] : ["deriveBits"]);
+    }
+  }
+  if (!cryptoKey) {
+    throw new TypeError(unusableForAlg);
+  }
+  if (!cached) {
+    cache.set(keyObject, { [alg]: cryptoKey });
+  } else {
+    cached[alg] = cryptoKey;
+  }
+  return cryptoKey;
+};
+async function normalizeKey(key, alg) {
+  if (key instanceof Uint8Array) {
+    return key;
+  }
+  if (isCryptoKey(key)) {
+    return key;
+  }
+  if (isKeyObject(key)) {
+    if (key.type === "secret") {
+      return key.export();
+    }
+    if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
+      try {
+        return handleKeyObject(key, alg);
+      } catch (err) {
+        if (err instanceof TypeError) {
+          throw err;
+        }
+      }
+    }
+    let jwk = key.export({ format: "jwk" });
+    return handleJWK(key, jwk, alg);
+  }
+  if (isJWK(key)) {
+    if (key.k) {
+      return decode(key.k);
+    }
+    return handleJWK(key, key, alg, true);
+  }
+  throw new Error("unreachable");
+}
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/lib/asn1.js
+var bytesEqual = (a, b) => {
+  if (a.byteLength !== b.length)
+    return false;
+  for (let i = 0; i < a.byteLength; i++) {
+    if (a[i] !== b[i])
+      return false;
+  }
+  return true;
+};
+var createASN1State = (data) => ({ data, pos: 0 });
+var parseLength = (state) => {
+  const first = state.data[state.pos++];
+  if (first & 128) {
+    const lengthOfLen = first & 127;
+    let length = 0;
+    for (let i = 0; i < lengthOfLen; i++) {
+      length = length << 8 | state.data[state.pos++];
+    }
+    return length;
+  }
+  return first;
+};
+var expectTag = (state, expectedTag, errorMessage) => {
+  if (state.data[state.pos++] !== expectedTag) {
+    throw new Error(errorMessage);
+  }
+};
+var getSubarray = (state, length) => {
+  const result = state.data.subarray(state.pos, state.pos + length);
+  state.pos += length;
+  return result;
+};
+var parseAlgorithmOID = (state) => {
+  expectTag(state, 6, "Expected algorithm OID");
+  const oidLen = parseLength(state);
+  return getSubarray(state, oidLen);
+};
+function parsePKCS8Header(state) {
+  expectTag(state, 48, "Invalid PKCS#8 structure");
+  parseLength(state);
+  expectTag(state, 2, "Expected version field");
+  const verLen = parseLength(state);
+  state.pos += verLen;
+  expectTag(state, 48, "Expected algorithm identifier");
+  const algIdLen = parseLength(state);
+  const algIdStart = state.pos;
+  return { algIdStart, algIdLength: algIdLen };
+}
+var parseECAlgorithmIdentifier = (state) => {
+  const algOid = parseAlgorithmOID(state);
+  if (bytesEqual(algOid, [43, 101, 110])) {
+    return "X25519";
+  }
+  if (!bytesEqual(algOid, [42, 134, 72, 206, 61, 2, 1])) {
+    throw new Error("Unsupported key algorithm");
+  }
+  expectTag(state, 6, "Expected curve OID");
+  const curveOidLen = parseLength(state);
+  const curveOid = getSubarray(state, curveOidLen);
+  for (const { name, oid } of [
+    { name: "P-256", oid: [42, 134, 72, 206, 61, 3, 1, 7] },
+    { name: "P-384", oid: [43, 129, 4, 0, 34] },
+    { name: "P-521", oid: [43, 129, 4, 0, 35] }
+  ]) {
+    if (bytesEqual(curveOid, oid)) {
+      return name;
+    }
+  }
+  throw new Error("Unsupported named curve");
+};
+var genericImport = async (keyFormat, keyData, alg, options) => {
+  var _a2;
+  let algorithm;
+  let keyUsages;
+  const isPublic = keyFormat === "spki";
+  const getSigUsages = () => isPublic ? ["verify"] : ["sign"];
+  const getEncUsages = () => isPublic ? ["encrypt", "wrapKey"] : ["decrypt", "unwrapKey"];
+  switch (alg) {
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      algorithm = { name: "RSA-PSS", hash: `SHA-${alg.slice(-3)}` };
+      keyUsages = getSigUsages();
+      break;
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      algorithm = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${alg.slice(-3)}` };
+      keyUsages = getSigUsages();
+      break;
+    case "RSA-OAEP":
+    case "RSA-OAEP-256":
+    case "RSA-OAEP-384":
+    case "RSA-OAEP-512":
+      algorithm = {
+        name: "RSA-OAEP",
+        hash: `SHA-${parseInt(alg.slice(-3), 10) || 1}`
+      };
+      keyUsages = getEncUsages();
+      break;
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      const curveMap = { ES256: "P-256", ES384: "P-384", ES512: "P-521" };
+      algorithm = { name: "ECDSA", namedCurve: curveMap[alg] };
+      keyUsages = getSigUsages();
+      break;
+    }
+    case "ECDH-ES":
+    case "ECDH-ES+A128KW":
+    case "ECDH-ES+A192KW":
+    case "ECDH-ES+A256KW": {
+      try {
+        const namedCurve = options.getNamedCurve(keyData);
+        algorithm = namedCurve === "X25519" ? { name: "X25519" } : { name: "ECDH", namedCurve };
+      } catch (cause) {
+        throw new JOSENotSupported("Invalid or unsupported key format");
+      }
+      keyUsages = isPublic ? [] : ["deriveBits"];
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA":
+      algorithm = { name: "Ed25519" };
+      keyUsages = getSigUsages();
+      break;
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      algorithm = { name: alg };
+      keyUsages = getSigUsages();
+      break;
+    default:
+      throw new JOSENotSupported('Invalid or unsupported "alg" (Algorithm) value');
+  }
+  return crypto.subtle.importKey(keyFormat, keyData, algorithm, (_a2 = options == null ? void 0 : options.extractable) != null ? _a2 : isPublic ? true : false, keyUsages);
+};
+var processPEMData = (pem, pattern) => {
+  return decodeBase64(pem.replace(pattern, ""));
+};
+var fromPKCS8 = (pem, alg, options) => {
+  var _a2;
+  const keyData = processPEMData(pem, /(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g);
+  let opts = options;
+  if ((_a2 = alg == null ? void 0 : alg.startsWith) == null ? void 0 : _a2.call(alg, "ECDH-ES")) {
+    opts || (opts = {});
+    opts.getNamedCurve = (keyData2) => {
+      const state = createASN1State(keyData2);
+      parsePKCS8Header(state);
+      return parseECAlgorithmIdentifier(state);
+    };
+  }
+  return genericImport("pkcs8", keyData, alg, opts);
+};
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/key/import.js
+async function importPKCS8(pkcs8, alg, options) {
+  if (typeof pkcs8 !== "string" || pkcs8.indexOf("-----BEGIN PRIVATE KEY-----") !== 0) {
+    throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
+  }
+  return fromPKCS8(pkcs8, alg, options);
+}
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/lib/validate_crit.js
+function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+  if (joseHeader.crit !== void 0 && (protectedHeader == null ? void 0 : protectedHeader.crit) === void 0) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
+  }
+  if (!protectedHeader || protectedHeader.crit === void 0) {
+    return /* @__PURE__ */ new Set();
+  }
+  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  }
+  let recognized;
+  if (recognizedOption !== void 0) {
+    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+  } else {
+    recognized = recognizedDefault;
+  }
+  for (const parameter of protectedHeader.crit) {
+    if (!recognized.has(parameter)) {
+      throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
+    }
+    if (joseHeader[parameter] === void 0) {
+      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+    }
+    if (recognized.get(parameter) && protectedHeader[parameter] === void 0) {
+      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+    }
+  }
+  return new Set(protectedHeader.crit);
+}
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/lib/check_key_type.js
+var tag = (key) => key == null ? void 0 : key[Symbol.toStringTag];
+var jwkMatchesOp = (alg, key, usage) => {
+  var _a2, _b2;
+  if (key.use !== void 0) {
+    let expected;
+    switch (usage) {
+      case "sign":
+      case "verify":
+        expected = "sig";
+        break;
+      case "encrypt":
+      case "decrypt":
+        expected = "enc";
+        break;
+    }
+    if (key.use !== expected) {
+      throw new TypeError(`Invalid key for this operation, its "use" must be "${expected}" when present`);
+    }
+  }
+  if (key.alg !== void 0 && key.alg !== alg) {
+    throw new TypeError(`Invalid key for this operation, its "alg" must be "${alg}" when present`);
+  }
+  if (Array.isArray(key.key_ops)) {
+    let expectedKeyOp;
+    switch (true) {
+      case (usage === "sign" || usage === "verify"):
+      case alg === "dir":
+      case alg.includes("CBC-HS"):
+        expectedKeyOp = usage;
+        break;
+      case alg.startsWith("PBES2"):
+        expectedKeyOp = "deriveBits";
+        break;
+      case /^A\d{3}(?:GCM)?(?:KW)?$/.test(alg):
+        if (!alg.includes("GCM") && alg.endsWith("KW")) {
+          expectedKeyOp = usage === "encrypt" ? "wrapKey" : "unwrapKey";
+        } else {
+          expectedKeyOp = usage;
+        }
+        break;
+      case (usage === "encrypt" && alg.startsWith("RSA")):
+        expectedKeyOp = "wrapKey";
+        break;
+      case usage === "decrypt":
+        expectedKeyOp = alg.startsWith("RSA") ? "unwrapKey" : "deriveBits";
+        break;
+    }
+    if (expectedKeyOp && ((_b2 = (_a2 = key.key_ops) == null ? void 0 : _a2.includes) == null ? void 0 : _b2.call(_a2, expectedKeyOp)) === false) {
+      throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${expectedKeyOp}" when present`);
+    }
+  }
+  return true;
+};
+var symmetricTypeCheck = (alg, key, usage) => {
+  if (key instanceof Uint8Array)
+    return;
+  if (isJWK(key)) {
+    if (isSecretJWK(key) && jwkMatchesOp(alg, key, usage))
+      return;
+    throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`);
+  }
+  if (!isKeyLike(key)) {
+    throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
+  }
+  if (key.type !== "secret") {
+    throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`);
+  }
+};
+var asymmetricTypeCheck = (alg, key, usage) => {
+  if (isJWK(key)) {
+    switch (usage) {
+      case "decrypt":
+      case "sign":
+        if (isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))
+          return;
+        throw new TypeError(`JSON Web Key for this operation must be a private JWK`);
+      case "encrypt":
+      case "verify":
+        if (isPublicJWK(key) && jwkMatchesOp(alg, key, usage))
+          return;
+        throw new TypeError(`JSON Web Key for this operation must be a public JWK`);
+    }
+  }
+  if (!isKeyLike(key)) {
+    throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key"));
+  }
+  if (key.type === "secret") {
+    throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type "secret"`);
+  }
+  if (key.type === "public") {
+    switch (usage) {
+      case "sign":
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type "private"`);
+      case "decrypt":
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type "private"`);
+    }
+  }
+  if (key.type === "private") {
+    switch (usage) {
+      case "verify":
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type "public"`);
+      case "encrypt":
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type "public"`);
+    }
+  }
+};
+function checkKeyType(alg, key, usage) {
+  switch (alg.substring(0, 2)) {
+    case "A1":
+    case "A2":
+    case "di":
+    case "HS":
+    case "PB":
+      symmetricTypeCheck(alg, key, usage);
+      break;
+    default:
+      asymmetricTypeCheck(alg, key, usage);
+  }
+}
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/lib/jwt_claims_set.js
+var epoch = (date) => Math.floor(date.getTime() / 1e3);
+var minute = 60;
+var hour = minute * 60;
+var day = hour * 24;
+var week = day * 7;
+var year = day * 365.25;
+var REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
+function secs(str) {
+  const matched = REGEX.exec(str);
+  if (!matched || matched[4] && matched[1]) {
+    throw new TypeError("Invalid time period format");
+  }
+  const value = parseFloat(matched[2]);
+  const unit = matched[3].toLowerCase();
+  let numericDate;
+  switch (unit) {
+    case "sec":
+    case "secs":
+    case "second":
+    case "seconds":
+    case "s":
+      numericDate = Math.round(value);
+      break;
+    case "minute":
+    case "minutes":
+    case "min":
+    case "mins":
+    case "m":
+      numericDate = Math.round(value * minute);
+      break;
+    case "hour":
+    case "hours":
+    case "hr":
+    case "hrs":
+    case "h":
+      numericDate = Math.round(value * hour);
+      break;
+    case "day":
+    case "days":
+    case "d":
+      numericDate = Math.round(value * day);
+      break;
+    case "week":
+    case "weeks":
+    case "w":
+      numericDate = Math.round(value * week);
+      break;
+    default:
+      numericDate = Math.round(value * year);
+      break;
+  }
+  if (matched[1] === "-" || matched[4] === "ago") {
+    return -numericDate;
+  }
+  return numericDate;
+}
+function validateInput(label, input) {
+  if (!Number.isFinite(input)) {
+    throw new TypeError(`Invalid ${label} input`);
+  }
+  return input;
+}
+var _payload;
+var JWTClaimsBuilder = class {
+  constructor(payload) {
+    __privateAdd(this, _payload);
+    if (!isObject(payload)) {
+      throw new TypeError("JWT Claims Set MUST be an object");
+    }
+    __privateSet(this, _payload, structuredClone(payload));
+  }
+  data() {
+    return encoder.encode(JSON.stringify(__privateGet(this, _payload)));
+  }
+  get iss() {
+    return __privateGet(this, _payload).iss;
+  }
+  set iss(value) {
+    __privateGet(this, _payload).iss = value;
+  }
+  get sub() {
+    return __privateGet(this, _payload).sub;
+  }
+  set sub(value) {
+    __privateGet(this, _payload).sub = value;
+  }
+  get aud() {
+    return __privateGet(this, _payload).aud;
+  }
+  set aud(value) {
+    __privateGet(this, _payload).aud = value;
+  }
+  set jti(value) {
+    __privateGet(this, _payload).jti = value;
+  }
+  set nbf(value) {
+    if (typeof value === "number") {
+      __privateGet(this, _payload).nbf = validateInput("setNotBefore", value);
+    } else if (value instanceof Date) {
+      __privateGet(this, _payload).nbf = validateInput("setNotBefore", epoch(value));
+    } else {
+      __privateGet(this, _payload).nbf = epoch(/* @__PURE__ */ new Date()) + secs(value);
+    }
+  }
+  set exp(value) {
+    if (typeof value === "number") {
+      __privateGet(this, _payload).exp = validateInput("setExpirationTime", value);
+    } else if (value instanceof Date) {
+      __privateGet(this, _payload).exp = validateInput("setExpirationTime", epoch(value));
+    } else {
+      __privateGet(this, _payload).exp = epoch(/* @__PURE__ */ new Date()) + secs(value);
+    }
+  }
+  set iat(value) {
+    if (value === void 0) {
+      __privateGet(this, _payload).iat = epoch(/* @__PURE__ */ new Date());
+    } else if (value instanceof Date) {
+      __privateGet(this, _payload).iat = validateInput("setIssuedAt", epoch(value));
+    } else if (typeof value === "string") {
+      __privateGet(this, _payload).iat = validateInput("setIssuedAt", epoch(/* @__PURE__ */ new Date()) + secs(value));
+    } else {
+      __privateGet(this, _payload).iat = validateInput("setIssuedAt", value);
+    }
+  }
+};
+_payload = new WeakMap();
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/jws/flattened/sign.js
+var _payload2, _protectedHeader, _unprotectedHeader;
+var FlattenedSign = class {
+  constructor(payload) {
+    __privateAdd(this, _payload2);
+    __privateAdd(this, _protectedHeader);
+    __privateAdd(this, _unprotectedHeader);
+    if (!(payload instanceof Uint8Array)) {
+      throw new TypeError("payload must be an instance of Uint8Array");
+    }
+    __privateSet(this, _payload2, payload);
+  }
+  setProtectedHeader(protectedHeader) {
+    assertNotSet(__privateGet(this, _protectedHeader), "setProtectedHeader");
+    __privateSet(this, _protectedHeader, protectedHeader);
+    return this;
+  }
+  setUnprotectedHeader(unprotectedHeader) {
+    assertNotSet(__privateGet(this, _unprotectedHeader), "setUnprotectedHeader");
+    __privateSet(this, _unprotectedHeader, unprotectedHeader);
+    return this;
+  }
+  async sign(key, options) {
+    if (!__privateGet(this, _protectedHeader) && !__privateGet(this, _unprotectedHeader)) {
+      throw new JWSInvalid("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");
+    }
+    if (!isDisjoint(__privateGet(this, _protectedHeader), __privateGet(this, _unprotectedHeader))) {
+      throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+    }
+    const joseHeader = __spreadValues(__spreadValues({}, __privateGet(this, _protectedHeader)), __privateGet(this, _unprotectedHeader));
+    const extensions = validateCrit(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options == null ? void 0 : options.crit, __privateGet(this, _protectedHeader), joseHeader);
+    let b64 = true;
+    if (extensions.has("b64")) {
+      b64 = __privateGet(this, _protectedHeader).b64;
+      if (typeof b64 !== "boolean") {
+        throw new JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+      }
+    }
+    const { alg } = joseHeader;
+    if (typeof alg !== "string" || !alg) {
+      throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+    }
+    checkKeyType(alg, key, "sign");
+    let payloadS;
+    let payloadB;
+    if (b64) {
+      payloadS = encode2(__privateGet(this, _payload2));
+      payloadB = encode(payloadS);
+    } else {
+      payloadB = __privateGet(this, _payload2);
+      payloadS = "";
+    }
+    let protectedHeaderString;
+    let protectedHeaderBytes;
+    if (__privateGet(this, _protectedHeader)) {
+      protectedHeaderString = encode2(JSON.stringify(__privateGet(this, _protectedHeader)));
+      protectedHeaderBytes = encode(protectedHeaderString);
+    } else {
+      protectedHeaderString = "";
+      protectedHeaderBytes = new Uint8Array();
+    }
+    const data = concat(protectedHeaderBytes, encode("."), payloadB);
+    const k = await normalizeKey(key, alg);
+    const signature = await sign(alg, k, data);
+    const jws = {
+      signature: encode2(signature),
+      payload: payloadS
+    };
+    if (__privateGet(this, _unprotectedHeader)) {
+      jws.header = __privateGet(this, _unprotectedHeader);
+    }
+    if (__privateGet(this, _protectedHeader)) {
+      jws.protected = protectedHeaderString;
+    }
+    return jws;
+  }
+};
+_payload2 = new WeakMap();
+_protectedHeader = new WeakMap();
+_unprotectedHeader = new WeakMap();
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/jws/compact/sign.js
+var _flattened;
+var CompactSign = class {
+  constructor(payload) {
+    __privateAdd(this, _flattened);
+    __privateSet(this, _flattened, new FlattenedSign(payload));
+  }
+  setProtectedHeader(protectedHeader) {
+    __privateGet(this, _flattened).setProtectedHeader(protectedHeader);
+    return this;
+  }
+  async sign(key, options) {
+    const jws = await __privateGet(this, _flattened).sign(key, options);
+    if (jws.payload === void 0) {
+      throw new TypeError("use the flattened module for creating JWS with b64: false");
+    }
+    return `${jws.protected}.${jws.payload}.${jws.signature}`;
+  }
+};
+_flattened = new WeakMap();
+
+// node_modules/.pnpm/jose@6.2.1/node_modules/jose/dist/webapi/jwt/sign.js
+var _protectedHeader2, _jwt;
+var SignJWT = class {
+  constructor(payload = {}) {
+    __privateAdd(this, _protectedHeader2);
+    __privateAdd(this, _jwt);
+    __privateSet(this, _jwt, new JWTClaimsBuilder(payload));
+  }
+  setIssuer(issuer) {
+    __privateGet(this, _jwt).iss = issuer;
+    return this;
+  }
+  setSubject(subject) {
+    __privateGet(this, _jwt).sub = subject;
+    return this;
+  }
+  setAudience(audience) {
+    __privateGet(this, _jwt).aud = audience;
+    return this;
+  }
+  setJti(jwtId) {
+    __privateGet(this, _jwt).jti = jwtId;
+    return this;
+  }
+  setNotBefore(input) {
+    __privateGet(this, _jwt).nbf = input;
+    return this;
+  }
+  setExpirationTime(input) {
+    __privateGet(this, _jwt).exp = input;
+    return this;
+  }
+  setIssuedAt(input) {
+    __privateGet(this, _jwt).iat = input;
+    return this;
+  }
+  setProtectedHeader(protectedHeader) {
+    __privateSet(this, _protectedHeader2, protectedHeader);
+    return this;
+  }
+  async sign(key, options) {
+    var _a2;
+    const sig = new CompactSign(__privateGet(this, _jwt).data());
+    sig.setProtectedHeader(__privateGet(this, _protectedHeader2));
+    if (Array.isArray((_a2 = __privateGet(this, _protectedHeader2)) == null ? void 0 : _a2.crit) && __privateGet(this, _protectedHeader2).crit.includes("b64") && __privateGet(this, _protectedHeader2).b64 === false) {
+      throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
+    }
+    return sig.sign(key, options);
+  }
+};
+_protectedHeader2 = new WeakMap();
+_jwt = new WeakMap();
+
+// src/api/index.ts
+var GA_TOKEN_URL = "https://oauth2.googleapis.com/token";
+var GA_API_BASE = "https://analyticsdata.googleapis.com/v1beta";
+var GA_SCOPE = "https://www.googleapis.com/auth/analytics.readonly";
+var cachedToken = null;
+async function getAccessToken() {
+  if (cachedToken && Date.now() < cachedToken.expiresAt)
+    return cachedToken.value;
+  const clientEmail = process.env.GA_SERVICE_ACCOUNT_EMAIL;
+  const privateKeyRaw = process.env.GA_PRIVATE_KEY;
+  if (!clientEmail || !privateKeyRaw)
+    throw new Error(
+      "Missing GA_SERVICE_ACCOUNT_EMAIL or GA_PRIVATE_KEY env vars"
+    );
+  const privateKey = privateKeyRaw.replace(/\\n/g, "\n");
+  const now = Math.floor(Date.now() / 1e3);
+  const key = await importPKCS8(privateKey, "RS256");
+  const jwt = await new SignJWT({ scope: GA_SCOPE }).setProtectedHeader({ alg: "RS256" }).setIssuedAt(now).setExpirationTime(now + 3600).setIssuer(clientEmail).setAudience(GA_TOKEN_URL).sign(key);
+  const tokenRes = await fetch(GA_TOKEN_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+      assertion: jwt
+    })
+  });
+  if (!tokenRes.ok)
+    throw new Error(`Failed to obtain access token: ${await tokenRes.text()}`);
+  const { access_token, expires_in } = await tokenRes.json();
+  cachedToken = {
+    value: access_token,
+    expiresAt: Date.now() + (expires_in - 60) * 1e3
+  };
+  return access_token;
+}
+async function report(propertyId, token, body) {
+  var _a2;
+  const res = await fetch(`${GA_API_BASE}/properties/${propertyId}:runReport`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify(body)
+  });
+  if (!res.ok) {
+    const err = await res.json().catch(() => null);
+    throw new Error(
+      ((_a2 = err == null ? void 0 : err.error) == null ? void 0 : _a2.message) || `GA API error ${res.status}: ${res.statusText}`
+    );
+  }
+  return res.json();
+}
+async function realtimeReport(propertyId, token, body) {
+  const res = await fetch(
+    `${GA_API_BASE}/properties/${propertyId}:runRealtimeReport`,
+    {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(body)
+    }
+  );
+  if (!res.ok) return {};
+  return res.json();
+}
+async function GET(request) {
+  try {
+    const propertyId = process.env.GA_PROPERTY_ID;
+    if (!propertyId)
+      return Response.json(
+        { error: "GA_PROPERTY_ID not configured" },
+        { status: 500 }
+      );
+    const { searchParams } = new URL(request.url);
+    const dateRange = searchParams.get("range") || "30";
+    const startDate = `${dateRange}daysAgo`;
+    let token;
+    try {
+      token = await getAccessToken();
+    } catch (authErr) {
+      const msg = authErr instanceof Error ? authErr.message : String(authErr);
+      console.error("[analytics] Auth error:", msg);
+      return Response.json({ error: `Auth failed: ${msg}` }, { status: 500 });
+    }
+    const settled = await Promise.allSettled([
+      // 0. Overview metrics
+      report(propertyId, token, {
+        dateRanges: [{ startDate, endDate: "today" }],
+        metrics: [
+          { name: "totalUsers" },
+          { name: "newUsers" },
+          { name: "sessions" },
+          { name: "screenPageViews" },
+          { name: "averageSessionDuration" },
+          { name: "bounceRate" },
+          { name: "engagedSessions" },
+          { name: "engagementRate" },
+          { name: "screenPageViewsPerSession" },
+          { name: "eventsPerSession" }
+        ]
+      }),
+      // 1. Time series by date
+      report(propertyId, token, {
+        dateRanges: [{ startDate, endDate: "today" }],
+        dimensions: [{ name: "date" }],
+        metrics: [
+          { name: "totalUsers" },
+          { name: "sessions" },
+          { name: "screenPageViews" }
+        ],
+        orderBys: [{ dimension: { dimensionName: "date" }, desc: false }]
+      }),
+      // 2. Hourly traffic (today only)
+      report(propertyId, token, {
+        dateRanges: [{ startDate: "today", endDate: "today" }],
+        dimensions: [{ name: "hour" }],
+        metrics: [{ name: "totalUsers" }, { name: "sessions" }],
+        orderBys: [{ dimension: { dimensionName: "hour" }, desc: false }]
+      }),
+      // 3. Top pages
+      report(propertyId, token, {
+        dateRanges: [{ startDate, endDate: "today" }],
+        dimensions: [{ name: "pagePath" }],
+        metrics: [
+          { name: "screenPageViews" },
+          { name: "totalUsers" },
+          { name: "averageSessionDuration" }
+        ],
+        orderBys: [{ metric: { metricName: "screenPageViews" }, desc: true }],
+        limit: 15
+      }),
+      // 4. Top landing pages
+      report(propertyId, token, {
+        dateRanges: [{ startDate, endDate: "today" }],
+        dimensions: [{ name: "landingPage" }],
+        metrics: [
+          { name: "sessions" },
+          { name: "totalUsers" },
+          { name: "bounceRate" }
+        ],
+        orderBys: [{ metric: { metricName: "sessions" }, desc: true }],
+        limit: 10
+      }),
+      // 5. Device category
+      report(propertyId, token, {
+        dateRanges: [{ startDate, endDate: "today" }],
+        dimensions: [{ name: "deviceCategory" }],
+        metrics: [{ name: "sessions" }, { name: "totalUsers" }]
+      }),
+      // 6. Browser breakdown
+      report(propertyId, token, {
+        dateRanges: [{ startDate, endDate: "today" }],
+        dimensions: [{ name: "browser" }],
+        metrics: [{ name: "sessions" }],
+        orderBys: [{ metric: { metricName: "sessions" }, desc: true }],
+        limit: 8
+      }),
+      // 7. Operating system
+      report(propertyId, token, {
+        dateRanges: [{ startDate, endDate: "today" }],
+        dimensions: [{ name: "operatingSystem" }],
+        metrics: [{ name: "sessions" }],
+        orderBys: [{ metric: { metricName: "sessions" }, desc: true }],
+        limit: 8
+      }),
+      // 8. Top countries
+      report(propertyId, token, {
+        dateRanges: [{ startDate, endDate: "today" }],
+        dimensions: [{ name: "country" }],
+        metrics: [{ name: "totalUsers" }, { name: "sessions" }],
+        orderBys: [{ metric: { metricName: "totalUsers" }, desc: true }],
+        limit: 10
+      }),
+      // 9. Top cities
+      report(propertyId, token, {
+        dateRanges: [{ startDate, endDate: "today" }],
+        dimensions: [{ name: "city" }, { name: "country" }],
+        metrics: [{ name: "totalUsers" }, { name: "sessions" }],
+        orderBys: [{ metric: { metricName: "totalUsers" }, desc: true }],
+        limit: 10
+      }),
+      // 10. Traffic sources
+      report(propertyId, token, {
+        dateRanges: [{ startDate, endDate: "today" }],
+        dimensions: [{ name: "sessionSource" }, { name: "sessionMedium" }],
+        metrics: [{ name: "sessions" }, { name: "totalUsers" }],
+        orderBys: [{ metric: { metricName: "sessions" }, desc: true }],
+        limit: 10
+      }),
+      // 11. Channel grouping
+      report(propertyId, token, {
+        dateRanges: [{ startDate, endDate: "today" }],
+        dimensions: [{ name: "sessionDefaultChannelGroup" }],
+        metrics: [
+          { name: "sessions" },
+          { name: "totalUsers" },
+          { name: "engagementRate" }
+        ],
+        orderBys: [{ metric: { metricName: "sessions" }, desc: true }]
+      }),
+      // 12. New vs returning users
+      report(propertyId, token, {
+        dateRanges: [{ startDate, endDate: "today" }],
+        dimensions: [{ name: "newVsReturning" }],
+        metrics: [{ name: "totalUsers" }]
+      }),
+      // 13. Top events
+      report(propertyId, token, {
+        dateRanges: [{ startDate, endDate: "today" }],
+        dimensions: [{ name: "eventName" }],
+        metrics: [{ name: "eventCount" }, { name: "totalUsers" }],
+        orderBys: [{ metric: { metricName: "eventCount" }, desc: true }],
+        limit: 15
+      }),
+      // 14. Top referrers
+      report(propertyId, token, {
+        dateRanges: [{ startDate, endDate: "today" }],
+        dimensions: [{ name: "pageReferrer" }],
+        metrics: [{ name: "sessions" }, { name: "totalUsers" }],
+        orderBys: [{ metric: { metricName: "sessions" }, desc: true }],
+        limit: 10
+      }),
+      // 15. Real-time active users (last 30 min)
+      realtimeReport(propertyId, token, {
+        metrics: [{ name: "activeUsers" }]
+      })
+    ]);
+    settled.forEach((s, i) => {
+      if (s.status === "rejected")
+        console.error(`[analytics] report[${i}] failed:`, s.reason);
+    });
+    const ok = (i) => {
+      const s = settled[i];
+      return s && s.status === "fulfilled" ? s.value : {};
+    };
+    return Response.json(
+      {
+        activeUsers: ok(15),
+        overview: ok(0),
+        timeSeries: ok(1),
+        hourlyToday: ok(2),
+        topPages: ok(3),
+        landingPages: ok(4),
+        devices: ok(5),
+        browsers: ok(6),
+        operatingSystems: ok(7),
+        countries: ok(8),
+        cities: ok(9),
+        trafficSources: ok(10),
+        channels: ok(11),
+        newVsReturning: ok(12),
+        topEvents: ok(13),
+        referrers: ok(14)
+      },
+      {
+        headers: {
+          "Cache-Control": "public, s-maxage=300, stale-while-revalidate=60"
+        }
+      }
+    );
+  } catch (err) {
+    const message2 = err instanceof Error ? err.message : String(err);
+    console.error("[analytics] Unhandled error:", message2);
+    return Response.json({ error: message2 }, { status: 500 });
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  GET
+});
+//# sourceMappingURL=index.cjs.map