scorezilla 0.1.0-next.0 → 0.1.0-next.3

package/dist/server.cjs

@@ -1,8 +1,693 @@
 'use strict';
 
+// src/config.ts
+var DEFAULT_BASE_URL = "https://api.scorezilla.dev";
+var SECRET_KEY_PREFIX = "sk_live_";
+var SECRET_KEY_PATTERN = /^sk_live_([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})_[A-Za-z0-9]+$/;
+function validateSecretKey(cfg) {
+  if (!cfg || typeof cfg !== "object") {
+    throw new Error("scorezilla/server: config must be an object with a secretKey field");
+  }
+  const sk = cfg.secretKey;
+  if (typeof sk !== "string") {
+    throw new Error(
+      `scorezilla/server: secretKey must be a single string of the shape ${SECRET_KEY_PREFIX}<keyId>_<random> (got: ${typeof sk})`
+    );
+  }
+  const match = SECRET_KEY_PATTERN.exec(sk);
+  if (!match) {
+    const shape = `string of length ${sk.length}`;
+    throw new Error(
+      `scorezilla/server: secretKey must match ${SECRET_KEY_PATTERN.toString()} (got: ${shape}). v0.1.0-next.2 switched to a single-token format \u2014 if you have a pre-next.2 pair, issue a fresh key in the dashboard to upgrade.`
+    );
+  }
+  return { keyId: match[1], secret: sk };
+}
+
+// src/hmac.ts
+var enc = new TextEncoder();
+var HMAC_AUTH_SCHEME = "Scorezilla-HMAC-SHA256";
+var MIN_NONCE_LENGTH = 16;
+var HMAC_SIGNING_VERSION_LATEST = 2;
+async function buildSigningString(method, pathAndQuery, ts, nonce, body, host, version = HMAC_SIGNING_VERSION_LATEST) {
+  const bodyHash = await sha256Hex(body);
+  const upperMethod = method.toUpperCase();
+  if (version === 1) {
+    return `${ts}
+${nonce}
+${upperMethod}
+${pathAndQuery}
+${bodyHash}`;
+  }
+  return `${ts}
+${nonce}
+${upperMethod}
+${host.toLowerCase()}
+${pathAndQuery}
+${bodyHash}`;
+}
+async function hmacSha256B64u(secret, message) {
+  const key = await crypto.subtle.importKey(
+    "raw",
+    enc.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const sig = await crypto.subtle.sign("HMAC", key, enc.encode(message));
+  return base64UrlEncode(new Uint8Array(sig));
+}
+async function sha256Hex(message) {
+  const digest = await crypto.subtle.digest("SHA-256", enc.encode(message));
+  return Array.from(new Uint8Array(digest)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function buildHmacAuthHeader(args) {
+  const ts = args.nowSeconds ?? Math.floor(Date.now() / 1e3);
+  if (args.nonce !== void 0) {
+    if (typeof args.nonce !== "string" || args.nonce.length < MIN_NONCE_LENGTH) {
+      throw new Error(
+        `scorezilla: nonce must be a string of at least ${MIN_NONCE_LENGTH} characters; use the default (UUIDv4 via crypto.randomUUID) unless you have a specific reason.`
+      );
+    }
+  }
+  const nonce = args.nonce ?? generateNonce();
+  const version = args.version ?? HMAC_SIGNING_VERSION_LATEST;
+  const signingString = await buildSigningString(
+    args.method,
+    args.pathAndQuery,
+    ts,
+    nonce,
+    args.body,
+    args.host,
+    version
+  );
+  const signature = await hmacSha256B64u(args.secret, signingString);
+  const vParam = version === 1 ? "" : `, v=${version}`;
+  return `${HMAC_AUTH_SCHEME} keyId=${args.keyId}, ts=${ts}, nonce=${nonce}, signature=${signature}${vParam}`;
+}
+function generateNonce() {
+  const c = globalThis.crypto;
+  if (!c || typeof c.randomUUID !== "function") {
+    throw new Error(
+      "scorezilla: globalThis.crypto.randomUUID is unavailable. The HMAC server adapter requires Node \u2265 20 or a modern runtime."
+    );
+  }
+  return c.randomUUID();
+}
+function base64UrlEncode(bytes) {
+  let bin = "";
+  for (const b of bytes) bin += String.fromCharCode(b);
+  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+
+// src/paths.ts
+function encodeSegment(value, label) {
+  if (typeof value !== "string" || value.length === 0) {
+    throw new Error(`scorezilla: ${label} must be a non-empty string`);
+  }
+  return encodeURIComponent(value);
+}
+function buildQueryString(params) {
+  const usp = new URLSearchParams();
+  for (const [k, v] of Object.entries(params)) {
+    if (v !== void 0) usp.set(k, String(v));
+  }
+  const qs = usp.toString();
+  return qs.length > 0 ? `?${qs}` : "";
+}
+function submitScoreSecurePath() {
+  return "/v1/secure/scores";
+}
+function getLeaderboardPath(boardId, q) {
+  return `/v1/boards/${encodeSegment(boardId, "boardId")}/leaderboard` + buildQueryString({ top: q?.top, offset: q?.offset });
+}
+function getPlayerRankPath(boardId, playerId) {
+  return `/v1/boards/${encodeSegment(boardId, "boardId")}/players/${encodeSegment(playerId, "playerId")}/rank`;
+}
+function getWindowAroundPath(boardId, playerId, q) {
+  return `/v1/boards/${encodeSegment(boardId, "boardId")}/players/${encodeSegment(playerId, "playerId")}/window` + buildQueryString({ before: q?.before, after: q?.after });
+}
+
+// src/errors.ts
+var MESSAGE_MAX_CHARS = 500;
+var TRUNCATION_SUFFIX = "\u2026 [truncated]";
+var STATUS_NETWORK_ERROR = 0;
+function truncateMessage(raw) {
+  if (typeof raw !== "string") return "";
+  if (raw.length <= MESSAGE_MAX_CHARS) return raw;
+  const sliceEnd = Math.max(0, MESSAGE_MAX_CHARS - TRUNCATION_SUFFIX.length);
+  return raw.slice(0, sliceEnd) + TRUNCATION_SUFFIX;
+}
+function truncateField(raw) {
+  if (typeof raw !== "string") return void 0;
+  if (raw.length <= MESSAGE_MAX_CHARS) return raw;
+  const sliceEnd = Math.max(0, MESSAGE_MAX_CHARS - TRUNCATION_SUFFIX.length);
+  return raw.slice(0, sliceEnd) + TRUNCATION_SUFFIX;
+}
+var ScorezillaError = class _ScorezillaError extends Error {
+  /** HTTP status of the response, or {@link STATUS_NETWORK_ERROR} (0) for
+   *  network / abort / timeout. */
+  status;
+  /** Machine-stable error code from the API. Open union — see
+   *  {@link ScorezillaErrorCode}. For network errors, this is `'network_error'`;
+   *  for aborts, `'aborted'`; for timeouts, `'timeout'`. */
+  code;
+  /** Sub-classifier — present on `out_of_bounds` (`'below_min' | 'above_max'`)
+   *  and possibly other codes in future minor releases. */
+  reason;
+  /** Seconds — present on `rate_limited`. Honored by the transport's retry
+   *  policy (Step 2.4). */
+  retryAfter;
+  /** Server-issued request ID, lifted from the `X-Request-Id` response
+   *  header. Pass this to support when filing bugs. */
+  requestId;
+  /** The bound value crossed on `out_of_bounds`. */
+  bound;
+  /** Which rate-limit layer fired on `rate_limited`. */
+  layer;
+  /** The underlying cause (e.g., a `TypeError: fetch failed`) for
+   *  network/abort/timeout paths. `undefined` when the error came from a
+   *  successfully-parsed API error body. */
+  cause;
+  constructor(message, init) {
+    super(truncateMessage(message));
+    this.name = "ScorezillaError";
+    this.status = init.status;
+    this.code = init.code;
+    this.reason = truncateField(init.reason);
+    this.retryAfter = init.retryAfter;
+    this.requestId = truncateField(init.requestId);
+    this.bound = init.bound;
+    this.layer = truncateField(init.layer);
+    this.cause = init.cause;
+    Object.setPrototypeOf(this, _ScorezillaError.prototype);
+    if (typeof Error.captureStackTrace === "function") {
+      Error.captureStackTrace(this, _ScorezillaError);
+    }
+  }
+  // ─── Sub-message helpers ─────────────────────────────────────────────
+  // Stable wrappers over the `code` discriminator so consumers can write
+  // `if (err.isRateLimited())` instead of memorizing the code spelling.
+  /** `true` when this error is a 429 / `rate_limited`. */
+  isRateLimited() {
+    return this.code === "rate_limited";
+  }
+  /** `true` when this error is a 401 / `unauthorized` (or 403 / `forbidden`). */
+  isAuth() {
+    return this.code === "unauthorized" || this.code === "forbidden";
+  }
+  /** `true` when this error is a 404 / `not_found`. */
+  isNotFound() {
+    return this.code === "not_found";
+  }
+  /** `true` when this error is a 422 / `out_of_bounds` (score below/above board limit). */
+  isOutOfBounds() {
+    return this.code === "out_of_bounds";
+  }
+  /** `true` for transient / retryable conditions: network errors, timeouts,
+   *  5xx, and 429. The transport layer relies on this for its retry policy. */
+  isTransient() {
+    if (this.status === STATUS_NETWORK_ERROR) return true;
+    if (this.status >= 500 && this.status < 600) return true;
+    return this.isRateLimited();
+  }
+  // ─── Factory ─────────────────────────────────────────────────────────
+  /**
+   * Build a `ScorezillaError` from a fetch round-trip outcome.
+   *
+   * Prefer this over `new ScorezillaError(...)` from the transport layer —
+   * it does the mapping from API response shape to error fields in one
+   * place, so future fields like `correlationId` get added once here.
+   *
+   * @param init - status, optional parsed body, optional requestId, optional cause
+   */
+  static from(init) {
+    const { status, body, requestId, cause } = init;
+    if (body && body.ok === false && typeof body.error === "string") {
+      return new _ScorezillaError(body.message ?? `Request failed: ${body.error}`, {
+        status,
+        code: body.error,
+        reason: body.reason,
+        retryAfter: body.retryAfter,
+        bound: body.bound,
+        layer: body.layer,
+        requestId,
+        cause
+      });
+    }
+    const code = codeForStatus(status);
+    return new _ScorezillaError(`Request failed with status ${status}`, {
+      status,
+      code,
+      requestId,
+      cause
+    });
+  }
+  /**
+   * Build a `ScorezillaError` for a transport-level failure (no HTTP
+   * response received): network error, abort, or timeout.
+   */
+  static network(message, cause) {
+    return new _ScorezillaError(message, {
+      status: STATUS_NETWORK_ERROR,
+      code: "network_error",
+      cause
+    });
+  }
+  /** Build a `ScorezillaError` for an `AbortSignal`-triggered cancellation. */
+  static aborted(cause) {
+    return new _ScorezillaError("Request aborted", {
+      status: STATUS_NETWORK_ERROR,
+      code: "aborted",
+      cause
+    });
+  }
+  /** Build a `ScorezillaError` for a request that exceeded its timeout budget. */
+  static timeout(timeoutMs) {
+    return new _ScorezillaError(`Request timed out after ${timeoutMs}ms`, {
+      status: STATUS_NETWORK_ERROR,
+      code: "timeout"
+    });
+  }
+};
+function codeForStatus(status) {
+  if (status === 401) return "unauthorized";
+  if (status === 403) return "forbidden";
+  if (status === 404) return "not_found";
+  if (status === 422) return "out_of_bounds";
+  if (status === 429) return "rate_limited";
+  if (status >= 500) return "internal_error";
+  if (status >= 400) return "invalid_input";
+  return "internal_error";
+}
+
+// src/retry.ts
+var DEFAULT_MAX_RETRIES = 2;
+var BASE_DELAY_MS = 200;
+var MAX_DELAY_MS = 4e3;
+var MAX_RETRY_AFTER_SEC = 30;
+function nextDelay(attempt, retryAfterSec, random = Math.random) {
+  if (typeof retryAfterSec === "number" && Number.isFinite(retryAfterSec) && retryAfterSec >= 0 && retryAfterSec <= MAX_RETRY_AFTER_SEC) {
+    return Math.round(retryAfterSec * 1e3);
+  }
+  const exponential = Math.min(BASE_DELAY_MS * 2 ** attempt, MAX_DELAY_MS);
+  const jitterFactor = 0.5 + random() * 0.5;
+  return Math.round(exponential * jitterFactor);
+}
+function shouldRetryStatus(status) {
+  if (status === 429) return true;
+  if (status >= 500 && status < 600) return true;
+  return false;
+}
+function shouldRetryError(err) {
+  if (err instanceof ScorezillaError) {
+    return err.code === "network_error";
+  }
+  return false;
+}
+function generateIdempotencyKey() {
+  const c = globalThis.crypto;
+  if (!c || typeof c.randomUUID !== "function") {
+    throw new ScorezillaError(
+      "scorezilla: globalThis.crypto.randomUUID is unavailable. The SDK requires Node \u2265 20 or a modern browser. Check your runtime.",
+      { status: 0, code: "internal_error" }
+    );
+  }
+  return c.randomUUID();
+}
+function sleep(ms, signal) {
+  return new Promise((resolve, reject) => {
+    if (signal?.aborted) {
+      reject(signal.reason ?? new DOMException("Aborted", "AbortError"));
+      return;
+    }
+    const timer = setTimeout(() => {
+      signal?.removeEventListener("abort", onAbort);
+      resolve();
+    }, ms);
+    const onAbort = () => {
+      clearTimeout(timer);
+      signal?.removeEventListener("abort", onAbort);
+      reject(signal?.reason ?? new DOMException("Aborted", "AbortError"));
+    };
+    signal?.addEventListener("abort", onAbort, { once: true });
+  });
+}
+
+// src/transport.ts
+var DEFAULT_TIMEOUT_MS = 3e4;
+async function request(opts) {
+  const fetchImpl = opts.fetchImpl ?? globalThis.fetch;
+  if (typeof fetchImpl !== "function") {
+    throw new Error(
+      "scorezilla: globalThis.fetch is unavailable. Either upgrade your runtime (Node \u2265 20 has fetch built in) or pass `fetch: yourFetch` in the SDK config."
+    );
+  }
+  const url = buildUrl(opts.baseUrl, opts.path);
+  const maxRetries = opts.retry?.maxRetries ?? DEFAULT_MAX_RETRIES;
+  const random = opts.retry?.random ?? Math.random;
+  const sleepImpl = opts.retry?.sleepImpl ?? sleep;
+  const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) {
+    throw new Error(
+      `scorezilla: timeoutMs must be a positive finite number (got ${String(timeoutMs)})`
+    );
+  }
+  const retrySleep = async (delay) => {
+    try {
+      await sleepImpl(delay, opts.signal);
+    } catch (cause) {
+      throw ScorezillaError.aborted(cause);
+    }
+  };
+  const idempotencyKey = opts.method === "POST" ? generateIdempotencyKey() : null;
+  let lastError;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    const combined = combineSignalsWithTimeout(opts.signal, timeoutMs);
+    try {
+      const bodyString = opts.body !== void 0 ? JSON.stringify(opts.body) : "";
+      const perAttemptHeaders = { ...opts.headers ?? {} };
+      if (opts.signRequest) {
+        perAttemptHeaders.Authorization = await opts.signRequest({
+          method: opts.method,
+          pathAndQuery: opts.path,
+          body: bodyString
+        });
+      }
+      const init = {
+        method: opts.method,
+        headers: buildHeaders({ ...opts, headers: perAttemptHeaders }, idempotencyKey),
+        signal: combined.signal
+      };
+      if (opts.body !== void 0) {
+        init.body = bodyString;
+      }
+      const response = await fetchImpl(url, init);
+      if (response.ok) {
+        return await parseJson(response);
+      }
+      const body = await safelyParseErrorBody(response);
+      const err = ScorezillaError.from({
+        status: response.status,
+        body,
+        requestId: response.headers.get("X-Request-Id") ?? void 0
+      });
+      if (shouldRetryStatus(response.status) && attempt < maxRetries) {
+        const retryAfter = readRetryAfter(response);
+        const delay = nextDelay(attempt, retryAfter, random);
+        await retrySleep(delay);
+        lastError = err;
+        continue;
+      }
+      throw err;
+    } catch (caught) {
+      if (caught instanceof ScorezillaError) {
+        if (shouldRetryError(caught) && attempt < maxRetries) {
+          const delay = nextDelay(attempt, void 0, random);
+          await retrySleep(delay);
+          lastError = caught;
+          continue;
+        }
+        throw caught;
+      }
+      const mapped = mapTransportError(caught, opts.signal, timeoutMs, combined);
+      if (shouldRetryError(mapped) && attempt < maxRetries) {
+        const delay = nextDelay(attempt, void 0, random);
+        await retrySleep(delay);
+        lastError = mapped;
+        continue;
+      }
+      throw mapped;
+    } finally {
+      combined.cleanup();
+    }
+  }
+  throw lastError ?? new ScorezillaError("Request failed after retries", {
+    status: 0,
+    code: "internal_error"
+  });
+}
+function buildUrl(baseUrl, path) {
+  const base = baseUrl.endsWith("/") ? baseUrl.slice(0, -1) : baseUrl;
+  return base + path;
+}
+function buildHeaders(opts, idempotencyKey) {
+  const headers = { Accept: "application/json" };
+  if (opts.body !== void 0) {
+    headers["Content-Type"] = "application/json";
+  }
+  if (idempotencyKey !== null) {
+    headers["Idempotency-Key"] = idempotencyKey;
+  }
+  if (opts.headers) {
+    for (const [k, v] of Object.entries(opts.headers)) headers[k] = v;
+  }
+  return headers;
+}
+async function parseJson(response) {
+  const requestId = response.headers.get("X-Request-Id") ?? void 0;
+  let parsed;
+  try {
+    parsed = await response.json();
+  } catch (cause) {
+    throw new ScorezillaError("Response body was not valid JSON", {
+      status: response.status,
+      code: "invalid_json",
+      requestId,
+      cause
+    });
+  }
+  if (parsed === null || typeof parsed !== "object") {
+    const observed = parsed === null ? "null" : typeof parsed;
+    throw new ScorezillaError(`Response body was not a JSON object (got ${observed})`, {
+      status: response.status,
+      code: "invalid_json",
+      requestId
+    });
+  }
+  const okField = parsed.ok;
+  if (okField !== true) {
+    throw new ScorezillaError(
+      `Response body on a 2xx is missing the \`ok: true\` discriminator (got ok=${String(okField)})`,
+      {
+        status: response.status,
+        code: "invalid_json",
+        requestId
+      }
+    );
+  }
+  return parsed;
+}
+async function safelyParseErrorBody(response) {
+  try {
+    const json = await response.json();
+    if (json && typeof json === "object" && "ok" in json && json.ok === false) {
+      return json;
+    }
+    return void 0;
+  } catch {
+    return void 0;
+  }
+}
+function readRetryAfter(response) {
+  const raw = response.headers.get("Retry-After");
+  if (!raw) return void 0;
+  const n = Number(raw);
+  return Number.isFinite(n) && n >= 0 ? n : void 0;
+}
+function combineSignalsWithTimeout(caller, timeoutMs) {
+  const ctrl = new AbortController();
+  let didTimeOut = false;
+  if (caller?.aborted) {
+    ctrl.abort(caller.reason);
+    return { signal: ctrl.signal, cleanup: () => {
+    }, timedOut: () => false };
+  }
+  const onCallerAbort = () => {
+    ctrl.abort(caller?.reason);
+  };
+  caller?.addEventListener("abort", onCallerAbort, { once: true });
+  const timer = setTimeout(() => {
+    didTimeOut = true;
+    ctrl.abort(new DOMException(`Request timed out after ${timeoutMs}ms`, "TimeoutError"));
+  }, timeoutMs);
+  return {
+    signal: ctrl.signal,
+    cleanup: () => {
+      clearTimeout(timer);
+      caller?.removeEventListener("abort", onCallerAbort);
+    },
+    timedOut: () => didTimeOut
+  };
+}
+function mapTransportError(caught, callerSignal, timeoutMs, combined) {
+  if (callerSignal?.aborted) {
+    return ScorezillaError.aborted(callerSignal.reason ?? caught);
+  }
+  if (combined.timedOut()) {
+    return ScorezillaError.timeout(timeoutMs);
+  }
+  const message = caught instanceof Error ? caught.message : "Network request failed";
+  return ScorezillaError.network(message, caught);
+}
+
+// src/user-agent.ts
+function detectRuntime(g = globalThis) {
+  if (typeof g.Bun !== "undefined") return "bun";
+  if (typeof g.Deno !== "undefined") return "deno";
+  if (typeof g.navigator?.userAgent === "string" && g.navigator.userAgent.includes("Cloudflare-Workers")) {
+    return "workers";
+  }
+  if (typeof g.process?.versions?.node === "string") return "node";
+  if (typeof g.document !== "undefined") return "browser";
+  return "unknown";
+}
+function defaultUserAgent(version, runtime = detectRuntime()) {
+  return `scorezilla-js/${version} (${runtime})`;
+}
+
 // src/server.ts
-throw new Error(
-  "scorezilla/server is not yet shipped. The HMAC-signed server adapter lands in v0.2.0."
-);
+var Scorezilla = class _Scorezilla {
+  /** The package version, injected at build time from `package.json`.
+   *  Mirrors the static on the public-key client so consumers can log
+   *  the running SDK build the same way regardless of which surface
+   *  they imported. */
+  static version = "0.1.0-next.3";
+  #keyId;
+  #secret;
+  #baseUrl;
+  /** Host portion of `#baseUrl` (e.g. "api.scorezilla.dev"). Captured at
+   *  construction so every signed request binds to this exact origin —
+   *  see `buildSigningString` v=2 in `hmac.ts`. */
+  #host;
+  #fetchImpl;
+  #timeoutMs;
+  #maxRetries;
+  #sleepImpl;
+  #userAgent;
+  constructor(config) {
+    if (isRealBrowserEnvironment()) {
+      throw new Error(
+        "scorezilla/server: this adapter is server-only and must not run in browsers. Your bundler is shipping `scorezilla/server` into a browser bundle \u2014 check that it honors the `browser` export condition in package.json. Use the public-key client (`import { Scorezilla } from 'scorezilla'`) from browser code."
+      );
+    }
+    const resolved = validateSecretKey(config);
+    this.#keyId = resolved.keyId;
+    this.#secret = resolved.secret;
+    this.#baseUrl = (config.baseUrl ?? DEFAULT_BASE_URL).replace(/\/+$/, "");
+    try {
+      this.#host = new URL(this.#baseUrl).host;
+    } catch {
+      throw new Error(
+        `scorezilla/server: baseUrl must be a valid absolute URL (got: ${this.#baseUrl})`
+      );
+    }
+    this.#fetchImpl = config.fetch;
+    this.#timeoutMs = config.timeoutMs;
+    this.#maxRetries = config.maxRetries;
+    this.#sleepImpl = config.sleepImpl;
+    this.#userAgent = config.userAgent ?? defaultUserAgent(_Scorezilla.version);
+  }
+  /**
+   * Submit a score to a board. Signed end-to-end — the API verifies
+   * before any state change.
+   *
+   * **Behavioral note vs. the public-key client**: the server adapter
+   * does NOT perform local `metadata` validation. The public-key
+   * client (`scorezilla`) validates size + structure client-side and
+   * fails fast; the server adapter relies on the API to reject
+   * malformed metadata with `invalid_input`. Trade-off: smaller bundle
+   * + simpler server-side logic vs. one extra network round-trip on
+   * caller mistakes. If you want fast-fail behavior, validate metadata
+   * yourself before calling this method.
+   */
+  async submitScore(input) {
+    return this.#request({
+      path: submitScoreSecurePath(),
+      method: "POST",
+      body: {
+        boardId: input.boardId,
+        playerId: input.playerId,
+        score: input.score,
+        ...input.metadata !== void 0 ? { metadata: input.metadata } : {}
+      }
+    });
+  }
+  /** Fetch the top-N entries on a board. */
+  async getLeaderboard(input) {
+    return this.#request({
+      path: getLeaderboardPath(input.boardId, {
+        ...input.top !== void 0 ? { top: input.top } : {},
+        ...input.offset !== void 0 ? { offset: input.offset } : {}
+      }),
+      method: "GET"
+    });
+  }
+  /** Look up a single player's rank on a board. */
+  async getPlayerRank(input) {
+    return this.#request({
+      path: getPlayerRankPath(input.boardId, input.playerId),
+      method: "GET"
+    });
+  }
+  /** Fetch the slice of entries surrounding a player. */
+  async getWindowAround(input) {
+    return this.#request({
+      path: getWindowAroundPath(input.boardId, input.playerId, {
+        ...input.before !== void 0 ? { before: input.before } : {},
+        ...input.after !== void 0 ? { after: input.after } : {}
+      }),
+      method: "GET"
+    });
+  }
+  /**
+   * Thin wrapper around `transport.request` that wires the HMAC signer
+   * for every attempt. Each retry calls `signRequest` again, producing
+   * a fresh `(ts, nonce)` pair — the server's replay protection (10-min
+   * KV) requires this.
+   */
+  async #request(opts) {
+    const baseHeaders = {
+      // User-Agent: useful in Node/Bun/Deno/Workers for server observability.
+      // (The browser stub blocks this code path from running browser-side.)
+      "User-Agent": this.#userAgent,
+      "X-Scorezilla-Client": this.#userAgent
+    };
+    const requestOpts = {
+      baseUrl: this.#baseUrl,
+      path: opts.path,
+      method: opts.method,
+      headers: baseHeaders,
+      signRequest: async ({ method, pathAndQuery, body }) => buildHmacAuthHeader({
+        keyId: this.#keyId,
+        secret: this.#secret,
+        method,
+        pathAndQuery,
+        host: this.#host,
+        body
+      })
+    };
+    if (opts.body !== void 0) requestOpts.body = opts.body;
+    if (this.#fetchImpl !== void 0) requestOpts.fetchImpl = this.#fetchImpl;
+    if (this.#timeoutMs !== void 0) requestOpts.timeoutMs = this.#timeoutMs;
+    if (this.#maxRetries !== void 0 || this.#sleepImpl !== void 0) {
+      requestOpts.retry = {
+        ...this.#maxRetries !== void 0 ? { maxRetries: this.#maxRetries } : {},
+        ...this.#sleepImpl !== void 0 ? { sleepImpl: this.#sleepImpl } : {}
+      };
+    }
+    return request(requestOpts);
+  }
+};
+function isRealBrowserEnvironment() {
+  const g = globalThis;
+  const hasBrowserGlobals = typeof g.window !== "undefined" && typeof g.document !== "undefined";
+  if (!hasBrowserGlobals) return false;
+  const hasNodeLikeHost = Boolean(g.process?.versions?.node) || typeof g.Deno !== "undefined" || typeof g.Bun !== "undefined";
+  return !hasNodeLikeHost;
+}
+
+exports.Scorezilla = Scorezilla;
+exports.ScorezillaError = ScorezillaError;
 //# sourceMappingURL=server.cjs.map
 //# sourceMappingURL=server.cjs.map