vibeusage 0.3.0 → 0.3.2

package/node_modules/@insforge/sdk/dist/index.mjs

@@ -17,127 +17,182 @@ var InsForgeError = class _InsForgeError extends Error {
   }
 };
 
-// src/lib/http-client.ts
-var HttpClient = class {
-  constructor(config) {
-    this.userToken = null;
-    this.baseUrl = config.baseUrl || "http://localhost:7130";
-    this.fetch = config.fetch || (globalThis.fetch ? globalThis.fetch.bind(globalThis) : void 0);
-    this.anonKey = config.anonKey;
-    this.defaultHeaders = {
-      ...config.headers
-    };
-    if (!this.fetch) {
-      throw new Error(
-        "Fetch is not available. Please provide a fetch implementation in the config."
-      );
+// src/lib/logger.ts
+var SENSITIVE_HEADERS = ["authorization", "x-api-key", "cookie", "set-cookie"];
+var SENSITIVE_BODY_KEYS = [
+  "password",
+  "token",
+  "accesstoken",
+  "refreshtoken",
+  "authorization",
+  "secret",
+  "apikey",
+  "api_key",
+  "email",
+  "ssn",
+  "creditcard",
+  "credit_card"
+];
+function redactHeaders(headers) {
+  const redacted = {};
+  for (const [key, value] of Object.entries(headers)) {
+    if (SENSITIVE_HEADERS.includes(key.toLowerCase())) {
+      redacted[key] = "***REDACTED***";
+    } else {
+      redacted[key] = value;
     }
   }
-  buildUrl(path, params) {
-    const url = new URL(path, this.baseUrl);
-    if (params) {
-      Object.entries(params).forEach(([key, value]) => {
-        if (key === "select") {
-          let normalizedValue = value.replace(/\s+/g, " ").trim();
-          normalizedValue = normalizedValue.replace(/\s*\(\s*/g, "(").replace(/\s*\)\s*/g, ")").replace(/\(\s+/g, "(").replace(/\s+\)/g, ")").replace(/,\s+(?=[^()]*\))/g, ",");
-          url.searchParams.append(key, normalizedValue);
-        } else {
-          url.searchParams.append(key, value);
-        }
-      });
+  return redacted;
+}
+function sanitizeBody(body) {
+  if (body === null || body === void 0) return body;
+  if (typeof body === "string") {
+    try {
+      const parsed = JSON.parse(body);
+      return sanitizeBody(parsed);
+    } catch {
+      return body;
     }
-    return url.toString();
   }
-  async request(method, path, options = {}) {
-    const { params, headers = {}, body, ...fetchOptions } = options;
-    const url = this.buildUrl(path, params);
-    const requestHeaders = {
-      ...this.defaultHeaders
-    };
-    const authToken = this.userToken || this.anonKey;
-    if (authToken) {
-      requestHeaders["Authorization"] = `Bearer ${authToken}`;
-    }
-    let processedBody;
-    if (body !== void 0) {
-      if (typeof FormData !== "undefined" && body instanceof FormData) {
-        processedBody = body;
+  if (Array.isArray(body)) return body.map(sanitizeBody);
+  if (typeof body === "object") {
+    const sanitized = {};
+    for (const [key, value] of Object.entries(body)) {
+      if (SENSITIVE_BODY_KEYS.includes(key.toLowerCase().replace(/[-_]/g, ""))) {
+        sanitized[key] = "***REDACTED***";
       } else {
-        if (method !== "GET") {
-          requestHeaders["Content-Type"] = "application/json;charset=UTF-8";
-        }
-        processedBody = JSON.stringify(body);
+        sanitized[key] = sanitizeBody(value);
       }
     }
-    Object.assign(requestHeaders, headers);
-    const response = await this.fetch(url, {
-      method,
-      headers: requestHeaders,
-      body: processedBody,
-      ...fetchOptions
-    });
-    if (response.status === 204) {
-      return void 0;
-    }
-    let data;
-    const contentType = response.headers.get("content-type");
-    if (contentType?.includes("json")) {
-      data = await response.json();
-    } else {
-      data = await response.text();
-    }
-    if (!response.ok) {
-      if (data && typeof data === "object" && "error" in data) {
-        if (!data.statusCode && !data.status) {
-          data.statusCode = response.status;
-        }
-        const error = InsForgeError.fromApiError(data);
-        Object.keys(data).forEach((key) => {
-          if (key !== "error" && key !== "message" && key !== "statusCode") {
-            error[key] = data[key];
-          }
-        });
-        throw error;
-      }
-      throw new InsForgeError(
-        `Request failed: ${response.statusText}`,
-        response.status,
-        "REQUEST_FAILED"
-      );
+    return sanitized;
+  }
+  return body;
+}
+function formatBody(body) {
+  if (body === void 0 || body === null) return "";
+  if (typeof body === "string") {
+    try {
+      return JSON.stringify(JSON.parse(body), null, 2);
+    } catch {
+      return body;
     }
-    return data;
   }
-  get(path, options) {
-    return this.request("GET", path, options);
+  if (typeof FormData !== "undefined" && body instanceof FormData) {
+    return "[FormData]";
   }
-  post(path, body, options) {
-    return this.request("POST", path, { ...options, body });
+  try {
+    return JSON.stringify(body, null, 2);
+  } catch {
+    return "[Unserializable body]";
   }
-  put(path, body, options) {
-    return this.request("PUT", path, { ...options, body });
+}
+var Logger = class {
+  /**
+   * Creates a new Logger instance.
+   * @param debug - Set to true to enable console logging, or pass a custom log function
+   */
+  constructor(debug) {
+    if (typeof debug === "function") {
+      this.enabled = true;
+      this.customLog = debug;
+    } else {
+      this.enabled = !!debug;
+      this.customLog = null;
+    }
   }
-  patch(path, body, options) {
-    return this.request("PATCH", path, { ...options, body });
+  /**
+   * Logs a debug message at the info level.
+   * @param message - The message to log
+   * @param args - Additional arguments to pass to the log function
+   */
+  log(message, ...args) {
+    if (!this.enabled) return;
+    const formatted = `[InsForge Debug] ${message}`;
+    if (this.customLog) {
+      this.customLog(formatted, ...args);
+    } else {
+      console.log(formatted, ...args);
+    }
   }
-  delete(path, options) {
-    return this.request("DELETE", path, options);
+  /**
+   * Logs a debug message at the warning level.
+   * @param message - The message to log
+   * @param args - Additional arguments to pass to the log function
+   */
+  warn(message, ...args) {
+    if (!this.enabled) return;
+    const formatted = `[InsForge Debug] ${message}`;
+    if (this.customLog) {
+      this.customLog(formatted, ...args);
+    } else {
+      console.warn(formatted, ...args);
+    }
   }
-  setAuthToken(token) {
-    this.userToken = token;
+  /**
+   * Logs a debug message at the error level.
+   * @param message - The message to log
+   * @param args - Additional arguments to pass to the log function
+   */
+  error(message, ...args) {
+    if (!this.enabled) return;
+    const formatted = `[InsForge Debug] ${message}`;
+    if (this.customLog) {
+      this.customLog(formatted, ...args);
+    } else {
+      console.error(formatted, ...args);
+    }
   }
-  getHeaders() {
-    const headers = { ...this.defaultHeaders };
-    const authToken = this.userToken || this.anonKey;
-    if (authToken) {
-      headers["Authorization"] = `Bearer ${authToken}`;
+  /**
+   * Logs an outgoing HTTP request with method, URL, headers, and body.
+   * Sensitive headers and body fields are automatically redacted.
+   * @param method - HTTP method (GET, POST, etc.)
+   * @param url - The full request URL
+   * @param headers - Request headers (sensitive values will be redacted)
+   * @param body - Request body (sensitive fields will be masked)
+   */
+  logRequest(method, url, headers, body) {
+    if (!this.enabled) return;
+    const parts = [
+      `\u2192 ${method} ${url}`
+    ];
+    if (headers && Object.keys(headers).length > 0) {
+      parts.push(`  Headers: ${JSON.stringify(redactHeaders(headers))}`);
+    }
+    const formattedBody = formatBody(sanitizeBody(body));
+    if (formattedBody) {
+      const truncated = formattedBody.length > 1e3 ? formattedBody.slice(0, 1e3) + "... [truncated]" : formattedBody;
+      parts.push(`  Body: ${truncated}`);
+    }
+    this.log(parts.join("\n"));
+  }
+  /**
+   * Logs an incoming HTTP response with method, URL, status, duration, and body.
+   * Error responses (4xx/5xx) are logged at the error level.
+   * @param method - HTTP method (GET, POST, etc.)
+   * @param url - The full request URL
+   * @param status - HTTP response status code
+   * @param durationMs - Request duration in milliseconds
+   * @param body - Response body (sensitive fields will be masked, large bodies truncated)
+   */
+  logResponse(method, url, status, durationMs, body) {
+    if (!this.enabled) return;
+    const parts = [
+      `\u2190 ${method} ${url} ${status} (${durationMs}ms)`
+    ];
+    const formattedBody = formatBody(sanitizeBody(body));
+    if (formattedBody) {
+      const truncated = formattedBody.length > 1e3 ? formattedBody.slice(0, 1e3) + "... [truncated]" : formattedBody;
+      parts.push(`  Body: ${truncated}`);
+    }
+    if (status >= 400) {
+      this.error(parts.join("\n"));
+    } else {
+      this.log(parts.join("\n"));
     }
-    return headers;
   }
 };
 
 // src/lib/token-manager.ts
-var TOKEN_KEY = "insforge-auth-token";
-var USER_KEY = "insforge-auth-user";
 var CSRF_TOKEN_COOKIE = "insforge_csrf_token";
 function getCsrfToken() {
   if (typeof document === "undefined") return null;
@@ -157,84 +212,28 @@ function clearCsrfToken() {
   document.cookie = `${CSRF_TOKEN_COOKIE}=; path=/; max-age=0; SameSite=Lax${secure}`;
 }
 var TokenManager = class {
-  constructor(storage) {
+  constructor() {
     // In-memory storage
     this.accessToken = null;
     this.user = null;
-    // Mode: 'memory' (new backend) or 'storage' (legacy backend, default)
-    this._mode = "storage";
-    if (storage) {
-      this.storage = storage;
-    } else if (typeof window !== "undefined" && window.localStorage) {
-      this.storage = window.localStorage;
-    } else {
-      const store = /* @__PURE__ */ new Map();
-      this.storage = {
-        getItem: (key) => store.get(key) || null,
-        setItem: (key, value) => {
-          store.set(key, value);
-        },
-        removeItem: (key) => {
-          store.delete(key);
-        }
-      };
-    }
-  }
-  /**
-   * Get current mode
-   */
-  get mode() {
-    return this._mode;
-  }
-  /**
-   * Set mode to memory (new backend with cookies + memory)
-   */
-  setMemoryMode() {
-    if (this._mode === "storage") {
-      this.storage.removeItem(TOKEN_KEY);
-      this.storage.removeItem(USER_KEY);
-    }
-    this._mode = "memory";
-  }
-  /**
-   * Set mode to storage (legacy backend with localStorage)
-   * Also loads existing session from localStorage
-   */
-  setStorageMode() {
-    this._mode = "storage";
-    this.loadFromStorage();
+    // Callback for token changes (used by realtime to reconnect with new token)
+    this.onTokenChange = null;
   }
   /**
-   * Load session from localStorage
-   */
-  loadFromStorage() {
-    const token = this.storage.getItem(TOKEN_KEY);
-    const userStr = this.storage.getItem(USER_KEY);
-    if (token && userStr) {
-      try {
-        this.accessToken = token;
-        this.user = JSON.parse(userStr);
-      } catch {
-        this.clearSession();
-      }
-    }
-  }
-  /**
-   * Save session (memory always, localStorage only in storage mode)
+   * Save session in memory
    */
   saveSession(session) {
+    const tokenChanged = session.accessToken !== this.accessToken;
     this.accessToken = session.accessToken;
     this.user = session.user;
-    if (this._mode === "storage") {
-      this.storage.setItem(TOKEN_KEY, session.accessToken);
-      this.storage.setItem(USER_KEY, JSON.stringify(session.user));
+    if (tokenChanged && this.onTokenChange) {
+      this.onTokenChange();
     }
   }
   /**
    * Get current session
    */
   getSession() {
-    this.loadFromStorage();
     if (!this.accessToken || !this.user) return null;
     return {
       accessToken: this.accessToken,
@@ -245,16 +244,16 @@ var TokenManager = class {
    * Get access token
    */
   getAccessToken() {
-    this.loadFromStorage();
     return this.accessToken;
   }
   /**
    * Set access token
    */
   setAccessToken(token) {
+    const tokenChanged = token !== this.accessToken;
     this.accessToken = token;
-    if (this._mode === "storage") {
-      this.storage.setItem(TOKEN_KEY, token);
+    if (tokenChanged && this.onTokenChange) {
+      this.onTokenChange();
     }
   }
   /**
@@ -268,479 +267,599 @@ var TokenManager = class {
    */
   setUser(user) {
     this.user = user;
-    if (this._mode === "storage") {
-      this.storage.setItem(USER_KEY, JSON.stringify(user));
-    }
   }
   /**
-   * Clear session (both memory and localStorage)
+   * Clear in-memory session
    */
   clearSession() {
+    const hadToken = this.accessToken !== null;
     this.accessToken = null;
     this.user = null;
-    this.storage.removeItem(TOKEN_KEY);
-    this.storage.removeItem(USER_KEY);
-  }
-  /**
-   * Check if there's a session in localStorage (for legacy detection)
-   */
-  hasStoredSession() {
-    const token = this.storage.getItem(TOKEN_KEY);
-    return !!token;
+    if (hadToken && this.onTokenChange) {
+      this.onTokenChange();
+    }
   }
 };
 
-// src/modules/auth.ts
-function isHostedAuthEnvironment() {
-  if (typeof window === "undefined") {
-    return false;
-  }
-  const { hostname, port, protocol } = window.location;
-  if (hostname === "localhost" && port === "7130") {
-    return true;
-  }
-  if (protocol === "https:" && hostname.endsWith(".insforge.app")) {
-    return true;
-  }
-  return false;
-}
-var Auth = class {
-  constructor(http, tokenManager) {
-    this.http = http;
-    this.tokenManager = tokenManager;
-    this.detectAuthCallback();
-  }
+// src/lib/http-client.ts
+var RETRYABLE_STATUS_CODES = /* @__PURE__ */ new Set([500, 502, 503, 504]);
+var IDEMPOTENT_METHODS = /* @__PURE__ */ new Set(["GET", "HEAD", "PUT", "DELETE", "OPTIONS"]);
+var HttpClient = class {
   /**
-   * Automatically detect and handle OAuth callback parameters in the URL
-   * This runs after initialization to seamlessly complete the OAuth flow
-   * Matches the backend's OAuth callback response (backend/src/api/routes/auth.ts:540-544)
+   * Creates a new HttpClient instance.
+   * @param config - SDK configuration including baseUrl, timeout, retry settings, and fetch implementation.
+   * @param tokenManager - Token manager for session persistence.
+   * @param logger - Optional logger instance for request/response debugging.
    */
-  detectAuthCallback() {
-    if (typeof window === "undefined") return;
-    try {
-      const params = new URLSearchParams(window.location.search);
-      const accessToken = params.get("access_token");
-      const userId = params.get("user_id");
-      const email = params.get("email");
-      const name = params.get("name");
-      const csrfToken = params.get("csrf_token");
-      if (accessToken && userId && email) {
-        if (csrfToken) {
-          this.tokenManager.setMemoryMode();
-          setCsrfToken(csrfToken);
-        }
-        const session = {
-          accessToken,
-          user: {
-            id: userId,
-            email,
-            profile: { name: name || "" },
-            metadata: null,
-            // These fields are not provided by backend OAuth callback
-            // They'll be populated when calling getCurrentUser()
-            emailVerified: false,
-            createdAt: (/* @__PURE__ */ new Date()).toISOString(),
-            updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-          }
-        };
-        this.tokenManager.saveSession(session);
-        this.http.setAuthToken(accessToken);
-        const url = new URL(window.location.href);
-        url.searchParams.delete("access_token");
-        url.searchParams.delete("user_id");
-        url.searchParams.delete("email");
-        url.searchParams.delete("name");
-        url.searchParams.delete("csrf_token");
-        if (params.has("error")) {
-          url.searchParams.delete("error");
-        }
-        window.history.replaceState({}, document.title, url.toString());
-      }
-    } catch (error) {
-      console.debug("OAuth callback detection skipped:", error);
+  constructor(config, tokenManager, logger) {
+    this.userToken = null;
+    this.autoRefreshToken = true;
+    this.isRefreshing = false;
+    this.refreshPromise = null;
+    this.refreshToken = null;
+    this.baseUrl = config.baseUrl || "http://localhost:7130";
+    this.autoRefreshToken = config.autoRefreshToken ?? true;
+    this.fetch = config.fetch || (globalThis.fetch ? globalThis.fetch.bind(globalThis) : void 0);
+    this.anonKey = config.anonKey;
+    this.defaultHeaders = {
+      ...config.headers
+    };
+    this.tokenManager = tokenManager ?? new TokenManager();
+    this.logger = logger || new Logger(false);
+    this.timeout = config.timeout ?? 3e4;
+    this.retryCount = config.retryCount ?? 3;
+    this.retryDelay = config.retryDelay ?? 500;
+    if (!this.fetch) {
+      throw new Error(
+        "Fetch is not available. Please provide a fetch implementation in the config."
+      );
     }
   }
   /**
-   * Sign up a new user
+   * Builds a full URL from a path and optional query parameters.
+   * Normalizes PostgREST select parameters for proper syntax.
    */
-  async signUp(request) {
-    try {
-      const response = await this.http.post("/api/auth/users", request);
-      if (response.accessToken && response.user && !isHostedAuthEnvironment()) {
-        const session = {
-          accessToken: response.accessToken,
-          user: response.user
-        };
-        this.tokenManager.saveSession(session);
-        this.http.setAuthToken(response.accessToken);
-        if (response.csrfToken) {
-          setCsrfToken(response.csrfToken);
+  buildUrl(path, params) {
+    const url = new URL(path, this.baseUrl);
+    if (params) {
+      Object.entries(params).forEach(([key, value]) => {
+        if (key === "select") {
+          let normalizedValue = value.replace(/\s+/g, " ").trim();
+          normalizedValue = normalizedValue.replace(/\s*\(\s*/g, "(").replace(/\s*\)\s*/g, ")").replace(/\(\s+/g, "(").replace(/\s+\)/g, ")").replace(/,\s+(?=[^()]*\))/g, ",");
+          url.searchParams.append(key, normalizedValue);
+        } else {
+          url.searchParams.append(key, value);
         }
-      }
-      return {
-        data: response,
-        error: null
-      };
-    } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
-      }
-      return {
-        data: null,
-        error: new InsForgeError(
-          error instanceof Error ? error.message : "An unexpected error occurred during sign up",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
+      });
     }
+    return url.toString();
+  }
+  /** Checks if an HTTP status code is eligible for retry (5xx server errors). */
+  isRetryableStatus(status) {
+    return RETRYABLE_STATUS_CODES.has(status);
   }
   /**
-   * Sign in with email and password
+   * Computes the delay before the next retry using exponential backoff with jitter.
+   * @param attempt - The current retry attempt number (1-based).
+   * @returns Delay in milliseconds.
    */
-  async signInWithPassword(request) {
-    try {
-      const response = await this.http.post("/api/auth/sessions", request);
-      if (!isHostedAuthEnvironment()) {
-        const session = {
-          accessToken: response.accessToken,
-          user: response.user
-        };
-        this.tokenManager.saveSession(session);
-        this.http.setAuthToken(response.accessToken);
-        if (response.csrfToken) {
-          setCsrfToken(response.csrfToken);
-        }
-      }
-      return {
-        data: response,
-        error: null
-      };
-    } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
-      }
-      return {
-        data: null,
-        error: new InsForgeError(
-          "An unexpected error occurred during sign in",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
-    }
+  computeRetryDelay(attempt) {
+    const base = this.retryDelay * Math.pow(2, attempt - 1);
+    const jitter = base * (0.85 + Math.random() * 0.3);
+    return Math.round(jitter);
   }
   /**
-   * Sign in with OAuth provider
+   * Performs an HTTP request with automatic retry and timeout handling.
+   * Retries on network errors and 5xx server errors with exponential backoff.
+   * Client errors (4xx) and timeouts are thrown immediately without retry.
+   * @param method - HTTP method (GET, POST, PUT, PATCH, DELETE).
+   * @param path - API path relative to the base URL.
+   * @param options - Optional request configuration including headers, body, and query params.
+   * @returns Parsed response data.
+   * @throws {InsForgeError} On timeout, network failure, or HTTP error responses.
    */
-  async signInWithOAuth(options) {
-    try {
-      const { provider, redirectTo, skipBrowserRedirect } = options;
-      const params = redirectTo ? { redirect_uri: redirectTo } : void 0;
-      const endpoint = `/api/auth/oauth/${provider}`;
-      const response = await this.http.get(endpoint, { params });
-      if (typeof window !== "undefined" && !skipBrowserRedirect) {
-        window.location.href = response.authUrl;
-        return { data: {}, error: null };
-      }
-      return {
-        data: {
-          url: response.authUrl,
-          provider
-        },
-        error: null
-      };
-    } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: {}, error };
+  async handleRequest(method, path, options = {}) {
+    const {
+      params,
+      headers = {},
+      body,
+      signal: callerSignal,
+      ...fetchOptions
+    } = options;
+    const url = this.buildUrl(path, params);
+    const startTime = Date.now();
+    const canRetry = IDEMPOTENT_METHODS.has(method.toUpperCase()) || options.idempotent === true;
+    const maxAttempts = canRetry ? this.retryCount : 0;
+    const requestHeaders = {
+      ...this.defaultHeaders
+    };
+    const authToken = this.userToken || this.anonKey;
+    if (authToken) {
+      requestHeaders["Authorization"] = `Bearer ${authToken}`;
+    }
+    let processedBody;
+    if (body !== void 0) {
+      if (typeof FormData !== "undefined" && body instanceof FormData) {
+        processedBody = body;
+      } else {
+        if (method !== "GET") {
+          requestHeaders["Content-Type"] = "application/json;charset=UTF-8";
+        }
+        processedBody = JSON.stringify(body);
       }
-      return {
-        data: {},
-        error: new InsForgeError(
-          "An unexpected error occurred during OAuth initialization",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
     }
-  }
-  /**
-   * Sign out the current user
-   */
-  async signOut() {
-    try {
+    if (headers instanceof Headers) {
+      headers.forEach((value, key) => {
+        requestHeaders[key] = value;
+      });
+    } else if (Array.isArray(headers)) {
+      headers.forEach(([key, value]) => {
+        requestHeaders[key] = value;
+      });
+    } else {
+      Object.assign(requestHeaders, headers);
+    }
+    this.logger.logRequest(method, url, requestHeaders, processedBody);
+    let lastError;
+    for (let attempt = 0; attempt <= maxAttempts; attempt++) {
+      if (attempt > 0) {
+        const delay = this.computeRetryDelay(attempt);
+        this.logger.warn(
+          `Retry ${attempt}/${maxAttempts} for ${method} ${url} in ${delay}ms`
+        );
+        if (callerSignal?.aborted) throw callerSignal.reason;
+        await new Promise((resolve, reject) => {
+          const onAbort = () => {
+            clearTimeout(timer2);
+            reject(callerSignal.reason);
+          };
+          const timer2 = setTimeout(() => {
+            if (callerSignal)
+              callerSignal.removeEventListener("abort", onAbort);
+            resolve();
+          }, delay);
+          if (callerSignal) {
+            callerSignal.addEventListener("abort", onAbort, { once: true });
+          }
+        });
+      }
+      let controller;
+      let timer;
+      if (this.timeout > 0 || callerSignal) {
+        controller = new AbortController();
+        if (this.timeout > 0) {
+          timer = setTimeout(() => controller.abort(), this.timeout);
+        }
+        if (callerSignal) {
+          if (callerSignal.aborted) {
+            controller.abort(callerSignal.reason);
+          } else {
+            const onCallerAbort = () => controller.abort(callerSignal.reason);
+            callerSignal.addEventListener("abort", onCallerAbort, {
+              once: true
+            });
+            controller.signal.addEventListener(
+              "abort",
+              () => {
+                callerSignal.removeEventListener("abort", onCallerAbort);
+              },
+              { once: true }
+            );
+          }
+        }
+      }
       try {
-        await this.http.post("/api/auth/logout", void 0, { credentials: "include" });
-      } catch {
+        const response = await this.fetch(url, {
+          method,
+          headers: requestHeaders,
+          body: processedBody,
+          ...fetchOptions,
+          ...controller ? { signal: controller.signal } : {}
+        });
+        if (this.isRetryableStatus(response.status) && attempt < maxAttempts) {
+          if (timer !== void 0) clearTimeout(timer);
+          await response.body?.cancel();
+          lastError = new InsForgeError(
+            `Server error: ${response.status} ${response.statusText}`,
+            response.status,
+            "SERVER_ERROR"
+          );
+          continue;
+        }
+        if (response.status === 204) {
+          if (timer !== void 0) clearTimeout(timer);
+          return void 0;
+        }
+        let data;
+        const contentType = response.headers.get("content-type");
+        try {
+          if (contentType?.includes("json")) {
+            data = await response.json();
+          } else {
+            data = await response.text();
+          }
+        } catch (parseErr) {
+          if (timer !== void 0) clearTimeout(timer);
+          throw new InsForgeError(
+            `Failed to parse response body: ${parseErr?.message || "Unknown error"}`,
+            response.status,
+            response.ok ? "PARSE_ERROR" : "REQUEST_FAILED"
+          );
+        }
+        if (timer !== void 0) clearTimeout(timer);
+        if (!response.ok) {
+          this.logger.logResponse(
+            method,
+            url,
+            response.status,
+            Date.now() - startTime,
+            data
+          );
+          if (data && typeof data === "object" && "error" in data) {
+            if (!data.statusCode && !data.status) {
+              data.statusCode = response.status;
+            }
+            const error = InsForgeError.fromApiError(data);
+            Object.keys(data).forEach((key) => {
+              if (key !== "error" && key !== "message" && key !== "statusCode") {
+                error[key] = data[key];
+              }
+            });
+            throw error;
+          }
+          throw new InsForgeError(
+            `Request failed: ${response.statusText}`,
+            response.status,
+            "REQUEST_FAILED"
+          );
+        }
+        this.logger.logResponse(
+          method,
+          url,
+          response.status,
+          Date.now() - startTime,
+          data
+        );
+        return data;
+      } catch (err) {
+        if (timer !== void 0) clearTimeout(timer);
+        if (err?.name === "AbortError") {
+          if (controller && controller.signal.aborted && this.timeout > 0 && !callerSignal?.aborted) {
+            throw new InsForgeError(
+              `Request timed out after ${this.timeout}ms`,
+              408,
+              "REQUEST_TIMEOUT"
+            );
+          }
+          throw err;
+        }
+        if (err instanceof InsForgeError) {
+          throw err;
+        }
+        if (attempt < maxAttempts) {
+          lastError = err;
+          continue;
+        }
+        throw new InsForgeError(
+          `Network request failed: ${err?.message || "Unknown error"}`,
+          0,
+          "NETWORK_ERROR"
+        );
       }
-      this.tokenManager.clearSession();
-      this.http.setAuthToken(null);
-      clearCsrfToken();
-      return { error: null };
-    } catch (error) {
-      return {
-        error: new InsForgeError(
-          "Failed to sign out",
-          500,
-          "SIGNOUT_ERROR"
-        )
-      };
     }
+    throw lastError || new InsForgeError(
+      "Request failed after all retry attempts",
+      0,
+      "NETWORK_ERROR"
+    );
   }
-  /**
-   * Get all public authentication configuration (OAuth + Email)
-   * Returns both OAuth providers and email authentication settings in one request
-   * This is a public endpoint that doesn't require authentication
-   * 
-   * @returns Complete public authentication configuration including OAuth providers and email auth settings
-   * 
-   * @example
-   * ```ts
-   * const { data, error } = await insforge.auth.getPublicAuthConfig();
-   * if (data) {
-   *   console.log(`OAuth providers: ${data.oauth.data.length}`);
-   *   console.log(`Password min length: ${data.email.passwordMinLength}`);
-   * }
-   * ```
-   */
-  async getPublicAuthConfig() {
+  async request(method, path, options = {}) {
     try {
-      const response = await this.http.get("/api/auth/public-config");
-      return {
-        data: response,
-        error: null
-      };
+      return await this.handleRequest(method, path, { ...options });
     } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
+      if (error instanceof InsForgeError && error.statusCode === 401 && error.error === "INVALID_TOKEN" && this.autoRefreshToken) {
+        try {
+          const newTokenData = await this.handleTokenRefresh();
+          this.setAuthToken(newTokenData.accessToken);
+          this.tokenManager.saveSession(newTokenData);
+          if (newTokenData.csrfToken) {
+            setCsrfToken(newTokenData.csrfToken);
+          }
+          if (newTokenData.refreshToken) {
+            this.setRefreshToken(newTokenData.refreshToken);
+          }
+          return await this.handleRequest(method, path, { ...options });
+        } catch (error2) {
+          this.tokenManager.clearSession();
+          this.userToken = null;
+          this.refreshToken = null;
+          clearCsrfToken();
+          throw error2;
+        }
       }
-      return {
-        data: null,
-        error: new InsForgeError(
-          "An unexpected error occurred while fetching public authentication configuration",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
+      throw error;
     }
   }
-  /**
-   * Get the current user with full profile information
-   * Returns both auth info (id, email, role) and profile data (dynamic fields from users table)
-   */
-  async getCurrentUser() {
-    try {
-      const user = this.tokenManager.getUser();
-      if (user) {
-        return { data: { user }, error: null };
-      }
-      const accessToken = this.tokenManager.getAccessToken();
-      if (!accessToken) {
-        return { data: null, error: null };
-      }
-      this.http.setAuthToken(accessToken);
-      const authResponse = await this.http.get("/api/auth/sessions/current");
-      return {
-        data: {
-          user: authResponse.user
-        },
-        error: null
-      };
-    } catch (error) {
-      if (error instanceof InsForgeError && error.statusCode === 401) {
-        await this.signOut();
-        return { data: null, error: null };
-      }
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
-      }
-      return {
-        data: null,
-        error: new InsForgeError(
-          "An unexpected error occurred while fetching user",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
+  /** Performs a GET request. */
+  get(path, options) {
+    return this.request("GET", path, options);
+  }
+  /** Performs a POST request with an optional JSON body. */
+  post(path, body, options) {
+    return this.request("POST", path, { ...options, body });
+  }
+  /** Performs a PUT request with an optional JSON body. */
+  put(path, body, options) {
+    return this.request("PUT", path, { ...options, body });
+  }
+  /** Performs a PATCH request with an optional JSON body. */
+  patch(path, body, options) {
+    return this.request("PATCH", path, { ...options, body });
+  }
+  /** Performs a DELETE request. */
+  delete(path, options) {
+    return this.request("DELETE", path, options);
+  }
+  /** Sets or clears the user authentication token for subsequent requests. */
+  setAuthToken(token) {
+    this.userToken = token;
+  }
+  setRefreshToken(token) {
+    this.refreshToken = token;
+  }
+  /** Returns the current default headers including the authorization header if set. */
+  getHeaders() {
+    const headers = { ...this.defaultHeaders };
+    const authToken = this.userToken || this.anonKey;
+    if (authToken) {
+      headers["Authorization"] = `Bearer ${authToken}`;
+    }
+    return headers;
+  }
+  async handleTokenRefresh() {
+    if (this.isRefreshing) {
+      return this.refreshPromise;
     }
+    this.isRefreshing = true;
+    this.refreshPromise = (async () => {
+      try {
+        const csrfToken = getCsrfToken();
+        const body = this.refreshToken ? { refreshToken: this.refreshToken } : void 0;
+        const response = await this.handleRequest(
+          "POST",
+          "/api/auth/sessions/current",
+          {
+            body,
+            headers: csrfToken ? { "X-CSRF-Token": csrfToken } : {},
+            credentials: "include"
+          }
+        );
+        return response;
+      } finally {
+        this.isRefreshing = false;
+        this.refreshPromise = null;
+      }
+    })();
+    return this.refreshPromise;
+  }
+};
+
+// src/modules/auth/helpers.ts
+var PKCE_VERIFIER_KEY = "insforge_pkce_verifier";
+function base64UrlEncode(buffer) {
+  const base64 = btoa(String.fromCharCode(...buffer));
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function generateCodeVerifier() {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  return base64UrlEncode(array);
+}
+async function generateCodeChallenge(verifier) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const hash = await crypto.subtle.digest("SHA-256", data);
+  return base64UrlEncode(new Uint8Array(hash));
+}
+function storePkceVerifier(verifier) {
+  if (typeof sessionStorage !== "undefined") {
+    sessionStorage.setItem(PKCE_VERIFIER_KEY, verifier);
+  }
+}
+function retrievePkceVerifier() {
+  if (typeof sessionStorage === "undefined") {
+    return null;
+  }
+  const verifier = sessionStorage.getItem(PKCE_VERIFIER_KEY);
+  if (verifier) {
+    sessionStorage.removeItem(PKCE_VERIFIER_KEY);
+  }
+  return verifier;
+}
+function wrapError(error, fallbackMessage) {
+  if (error instanceof InsForgeError) {
+    return { data: null, error };
+  }
+  return {
+    data: null,
+    error: new InsForgeError(
+      error instanceof Error ? error.message : fallbackMessage,
+      500,
+      "UNEXPECTED_ERROR"
+    )
+  };
+}
+function cleanUrlParams(...params) {
+  if (typeof window === "undefined") {
+    return;
+  }
+  const url = new URL(window.location.href);
+  params.forEach((p) => url.searchParams.delete(p));
+  window.history.replaceState({}, document.title, url.toString());
+}
+
+// src/modules/auth/auth.ts
+import { oAuthProvidersSchema } from "@insforge/shared-schemas";
+var Auth = class {
+  constructor(http, tokenManager, options = {}) {
+    this.http = http;
+    this.tokenManager = tokenManager;
+    this.options = options;
+    this.authCallbackHandled = this.detectAuthCallback();
+  }
+  isServerMode() {
+    return !!this.options.isServerMode;
   }
   /**
-   * Get any user's profile by ID
-   * Returns profile information from the users table
+   * Save session from API response
+   * Handles token storage, CSRF token, and HTTP auth header
    */
-  async getProfile(userId) {
-    try {
-      const response = await this.http.get(`/api/auth/profiles/${userId}`);
-      return {
-        data: response,
-        error: null
-      };
-    } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
-      }
-      return {
-        data: null,
-        error: new InsForgeError(
-          "An unexpected error occurred while fetching user profile",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
+  saveSessionFromResponse(response) {
+    if (!response.accessToken || !response.user) {
+      return false;
+    }
+    const session = {
+      accessToken: response.accessToken,
+      user: response.user
+    };
+    if (!this.isServerMode() && response.csrfToken) {
+      setCsrfToken(response.csrfToken);
+    }
+    if (!this.isServerMode()) {
+      this.tokenManager.saveSession(session);
     }
+    this.http.setAuthToken(response.accessToken);
+    this.http.setRefreshToken(response.refreshToken ?? null);
+    return true;
   }
+  // ============================================================================
+  // OAuth Callback Detection (runs on initialization)
+  // ============================================================================
   /**
-   * Get the current session (only session data, no API call)
-   * Returns the stored JWT token and basic user info from local storage
+   * Detect and handle OAuth callback parameters in URL
+   * Supports PKCE flow (insforge_code)
    */
-  async getCurrentSession() {
+  async detectAuthCallback() {
+    if (this.isServerMode() || typeof window === "undefined") return;
     try {
-      const session = this.tokenManager.getSession();
-      if (session) {
-        this.http.setAuthToken(session.accessToken);
-        return { data: { session }, error: null };
+      const params = new URLSearchParams(window.location.search);
+      const error = params.get("error");
+      if (error) {
+        cleanUrlParams("error");
+        console.debug("OAuth callback error:", error);
+        return;
       }
-      if (typeof window !== "undefined") {
-        try {
-          const csrfToken = getCsrfToken();
-          const response = await this.http.post(
-            "/api/auth/refresh",
-            void 0,
-            {
-              headers: csrfToken ? { "X-CSRF-Token": csrfToken } : {},
-              credentials: "include"
-            }
-          );
-          if (response.accessToken) {
-            this.tokenManager.setMemoryMode();
-            this.tokenManager.setAccessToken(response.accessToken);
-            this.http.setAuthToken(response.accessToken);
-            if (response.user) {
-              this.tokenManager.setUser(response.user);
-            }
-            if (response.csrfToken) {
-              setCsrfToken(response.csrfToken);
-            }
-            return {
-              data: { session: this.tokenManager.getSession() },
-              error: null
-            };
-          }
-        } catch (error) {
-          if (error instanceof InsForgeError) {
-            if (error.statusCode === 404) {
-              this.tokenManager.setStorageMode();
-              const session2 = this.tokenManager.getSession();
-              if (session2) {
-                return { data: { session: session2 }, error: null };
-              }
-              return { data: { session: null }, error: null };
-            }
-            return { data: { session: null }, error };
-          }
+      const code = params.get("insforge_code");
+      if (code) {
+        cleanUrlParams("insforge_code");
+        const { error: exchangeError } = await this.exchangeOAuthCode(code);
+        if (exchangeError) {
+          console.debug("OAuth code exchange failed:", exchangeError.message);
         }
+        return;
       }
-      return { data: { session: null }, error: null };
     } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: { session: null }, error };
-      }
-      return {
-        data: { session: null },
-        error: new InsForgeError(
-          "An unexpected error occurred while getting session",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
+      console.debug("OAuth callback detection skipped:", error);
     }
   }
-  /**
-   * Set/Update the current user's profile
-   * Updates profile information in the users table (supports any dynamic fields)
-   * Requires authentication
-   */
-  async setProfile(profile) {
+  // ============================================================================
+  // Sign Up / Sign In / Sign Out
+  // ============================================================================
+  async signUp(request) {
     try {
-      const response = await this.http.patch(
-        "/api/auth/profiles/current",
-        { profile }
+      const response = await this.http.post(
+        this.isServerMode() ? "/api/auth/users?client_type=mobile" : "/api/auth/users",
+        request,
+        { credentials: "include" }
       );
-      return {
-        data: response,
-        error: null
-      };
-    } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
+      if (response.accessToken && response.user) {
+        this.saveSessionFromResponse(response);
       }
-      return {
-        data: null,
-        error: new InsForgeError(
-          "An unexpected error occurred while updating user profile",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
+      if (response.refreshToken) {
+        this.http.setRefreshToken(response.refreshToken);
+      }
+      return { data: response, error: null };
+    } catch (error) {
+      return wrapError(error, "An unexpected error occurred during sign up");
     }
   }
-  /**
-   * Send email verification (code or link based on config)
-   *
-   * Send email verification using the method configured in auth settings (verifyEmailMethod).
-   * When method is 'code', sends a 6-digit numeric code. When method is 'link', sends a magic link.
-   * Prevents user enumeration by returning success even if email doesn't exist.
-   */
-  async sendVerificationEmail(request) {
+  async signInWithPassword(request) {
     try {
       const response = await this.http.post(
-        "/api/auth/email/send-verification",
-        request
+        this.isServerMode() ? "/api/auth/sessions?client_type=mobile" : "/api/auth/sessions",
+        request,
+        { credentials: "include" }
       );
-      return {
-        data: response,
-        error: null
-      };
+      this.saveSessionFromResponse(response);
+      if (response.refreshToken) {
+        this.http.setRefreshToken(response.refreshToken);
+      }
+      return { data: response, error: null };
     } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
+      return wrapError(error, "An unexpected error occurred during sign in");
+    }
+  }
+  async signOut() {
+    try {
+      try {
+        await this.http.post(
+          this.isServerMode() ? "/api/auth/logout?client_type=mobile" : "/api/auth/logout",
+          void 0,
+          { credentials: "include" }
+        );
+      } catch {
       }
+      this.tokenManager.clearSession();
+      this.http.setAuthToken(null);
+      this.http.setRefreshToken(null);
+      if (!this.isServerMode()) {
+        clearCsrfToken();
+      }
+      return { error: null };
+    } catch {
       return {
-        data: null,
-        error: new InsForgeError(
-          "An unexpected error occurred while sending verification code",
-          500,
-          "UNEXPECTED_ERROR"
-        )
+        error: new InsForgeError("Failed to sign out", 500, "SIGNOUT_ERROR")
       };
     }
   }
+  // ============================================================================
+  // OAuth Authentication
+  // ============================================================================
   /**
-   * Send password reset (code or link based on config)
-   *
-   * Send password reset email using the method configured in auth settings (resetPasswordMethod).
-   * When method is 'code', sends a 6-digit numeric code for two-step flow.
-   * When method is 'link', sends a magic link.
-   * Prevents user enumeration by returning success even if email doesn't exist.
+   * Sign in with OAuth provider using PKCE flow
    */
-  async sendResetPasswordEmail(request) {
+  async signInWithOAuth(options) {
     try {
-      const response = await this.http.post(
-        "/api/auth/email/send-reset-password",
-        request
+      const { provider, redirectTo, skipBrowserRedirect } = options;
+      const providerKey = encodeURIComponent(provider.toLowerCase());
+      const codeVerifier = generateCodeVerifier();
+      const codeChallenge = await generateCodeChallenge(codeVerifier);
+      storePkceVerifier(codeVerifier);
+      const params = { code_challenge: codeChallenge };
+      if (redirectTo) params.redirect_uri = redirectTo;
+      const isBuiltInProvider = oAuthProvidersSchema.options.includes(
+        providerKey
       );
+      const oauthPath = isBuiltInProvider ? `/api/auth/oauth/${providerKey}` : `/api/auth/oauth/custom/${providerKey}`;
+      const response = await this.http.get(oauthPath, {
+        params
+      });
+      if (!this.isServerMode() && typeof window !== "undefined" && !skipBrowserRedirect) {
+        window.location.href = response.authUrl;
+        return { data: {}, error: null };
+      }
       return {
-        data: response,
+        data: { url: response.authUrl, provider: providerKey, codeVerifier },
         error: null
       };
     } catch (error) {
       if (error instanceof InsForgeError) {
-        return { data: null, error };
+        return { data: {}, error };
       }
       return {
-        data: null,
+        data: {},
         error: new InsForgeError(
-          "An unexpected error occurred while sending password reset code",
+          "An unexpected error occurred during OAuth initialization",
           500,
           "UNEXPECTED_ERROR"
         )
@@ -748,123 +867,292 @@ var Auth = class {
     }
   }
   /**
-   * Exchange reset password code for reset token
-   *
-   * Step 1 of two-step password reset flow (only used when resetPasswordMethod is 'code'):
-   * 1. Verify the 6-digit code sent to user's email
-   * 2. Return a reset token that can be used to actually reset the password
-   *
-   * This endpoint is not used when resetPasswordMethod is 'link' (magic link flow is direct).
+   * Exchange OAuth authorization code for tokens (PKCE flow)
+   * Called automatically on initialization when insforge_code is in URL
    */
-  async exchangeResetPasswordToken(request) {
+  async exchangeOAuthCode(code, codeVerifier) {
     try {
+      const verifier = codeVerifier ?? retrievePkceVerifier();
+      if (!verifier) {
+        return {
+          data: null,
+          error: new InsForgeError(
+            "PKCE code verifier not found. Ensure signInWithOAuth was called in the same browser session.",
+            400,
+            "PKCE_VERIFIER_MISSING"
+          )
+        };
+      }
+      const request = {
+        code,
+        code_verifier: verifier
+      };
       const response = await this.http.post(
-        "/api/auth/email/exchange-reset-password-token",
-        request
+        this.isServerMode() ? "/api/auth/oauth/exchange?client_type=mobile" : "/api/auth/oauth/exchange",
+        request,
+        { credentials: "include" }
       );
+      this.saveSessionFromResponse(response);
       return {
         data: response,
         error: null
       };
     } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
-      }
-      return {
-        data: null,
-        error: new InsForgeError(
-          "An unexpected error occurred while verifying reset code",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
+      return wrapError(
+        error,
+        "An unexpected error occurred during OAuth code exchange"
+      );
     }
   }
   /**
-   * Reset password with token
-   *
-   * Reset user password with a token. The token can be:
-   * - Magic link token (64-character hex token from send-reset-password when method is 'link')
-   * - Reset token (from exchange-reset-password-token after code verification when method is 'code')
-   *
-   * Both token types use RESET_PASSWORD purpose and are verified the same way.
+   * Sign in with an ID token from a native SDK (Google One Tap, etc.)
+   * Use this for native mobile apps or Google One Tap on web.
    *
-   * Flow summary:
-   * - Code method: send-reset-password → exchange-reset-password-token → reset-password (with resetToken)
-   * - Link method: send-reset-password → reset-password (with link token directly)
+   * @param credentials.provider - The identity provider (currently only 'google' is supported)
+   * @param credentials.token - The ID token from the native SDK
    */
-  async resetPassword(request) {
+  async signInWithIdToken(credentials) {
     try {
+      const { provider, token } = credentials;
       const response = await this.http.post(
-        "/api/auth/email/reset-password",
-        request
+        "/api/auth/id-token?client_type=mobile",
+        { provider, token },
+        { credentials: "include" }
       );
+      this.saveSessionFromResponse(response);
+      if (response.refreshToken) {
+        this.http.setRefreshToken(response.refreshToken);
+      }
       return {
         data: response,
         error: null
       };
     } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
-      }
-      return {
-        data: null,
-        error: new InsForgeError(
-          "An unexpected error occurred while resetting password",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
+      return wrapError(
+        error,
+        "An unexpected error occurred during ID token sign in"
+      );
     }
   }
+  // ============================================================================
+  // Session Management
+  // ============================================================================
   /**
-   * Verify email with code or link
+   * Refresh the current auth session.
    *
-   * Verify email address using the method configured in auth settings (verifyEmailMethod):
-   * - Code verification: Provide both `email` and `otp` (6-digit numeric code)
-   * - Link verification: Provide only `otp` (64-character hex token from magic link)
+   * Browser mode:
+   * - Uses httpOnly refresh cookie and optional CSRF header.
    *
-   * Successfully verified users will receive a session token.
-   *
-   * The email verification link sent to users always points to the backend API endpoint.
-   * If `verifyEmailRedirectTo` is configured, the backend will redirect to that URL after successful verification.
-   * Otherwise, a default success page is displayed.
+   * Server mode (`isServerMode: true`):
+   * - Uses mobile auth flow and requires `refreshToken` in request body.
    */
-  async verifyEmail(request) {
+  async refreshSession(options) {
     try {
+      if (this.isServerMode() && !options?.refreshToken) {
+        return {
+          data: null,
+          error: new InsForgeError(
+            "refreshToken is required when refreshing session in server mode",
+            400,
+            "REFRESH_TOKEN_REQUIRED"
+          )
+        };
+      }
+      const csrfToken = !this.isServerMode() ? getCsrfToken() : null;
       const response = await this.http.post(
-        "/api/auth/email/verify",
-        request
+        this.isServerMode() ? "/api/auth/refresh?client_type=mobile" : "/api/auth/refresh",
+        this.isServerMode() ? { refresh_token: options?.refreshToken } : void 0,
+        {
+          headers: csrfToken ? { "X-CSRF-Token": csrfToken } : {},
+          credentials: "include"
+        }
       );
-      if (!isHostedAuthEnvironment()) {
-        const session = {
-          accessToken: response.accessToken,
-          user: response.user
-        };
-        this.tokenManager.saveSession(session);
-        this.http.setAuthToken(response.accessToken);
-        if (response.csrfToken) {
-          setCsrfToken(response.csrfToken);
+      if (response.accessToken) {
+        this.saveSessionFromResponse(response);
+      }
+      return { data: response, error: null };
+    } catch (error) {
+      return wrapError(
+        error,
+        "An unexpected error occurred during session refresh"
+      );
+    }
+  }
+  /**
+   * Get current user, automatically waits for pending OAuth callback
+   */
+  async getCurrentUser() {
+    await this.authCallbackHandled;
+    try {
+      if (this.isServerMode()) {
+        const accessToken = this.tokenManager.getAccessToken();
+        if (!accessToken) return { data: { user: null }, error: null };
+        this.http.setAuthToken(accessToken);
+        const response = await this.http.get(
+          "/api/auth/sessions/current"
+        );
+        const user = response.user ?? null;
+        return { data: { user }, error: null };
+      }
+      const session = this.tokenManager.getSession();
+      if (session) {
+        this.http.setAuthToken(session.accessToken);
+        return { data: { user: session.user }, error: null };
+      }
+      if (typeof window !== "undefined") {
+        const { data: refreshed, error: refreshError } = await this.refreshSession();
+        if (refreshError) {
+          return { data: { user: null }, error: refreshError };
+        }
+        if (refreshed?.accessToken) {
+          return { data: { user: refreshed.user ?? null }, error: null };
         }
       }
-      return {
-        data: response,
-        error: null
-      };
+      return { data: { user: null }, error: null };
     } catch (error) {
       if (error instanceof InsForgeError) {
-        return { data: null, error };
+        return { data: { user: null }, error };
       }
       return {
-        data: null,
+        data: { user: null },
         error: new InsForgeError(
-          "An unexpected error occurred while verifying email",
+          "An unexpected error occurred while getting user",
           500,
           "UNEXPECTED_ERROR"
         )
       };
     }
   }
+  // ============================================================================
+  // Profile Management
+  // ============================================================================
+  async getProfile(userId) {
+    try {
+      const response = await this.http.get(
+        `/api/auth/profiles/${userId}`
+      );
+      return { data: response, error: null };
+    } catch (error) {
+      return wrapError(
+        error,
+        "An unexpected error occurred while fetching user profile"
+      );
+    }
+  }
+  async setProfile(profile) {
+    try {
+      const response = await this.http.patch(
+        "/api/auth/profiles/current",
+        {
+          profile
+        }
+      );
+      const currentUser = this.tokenManager.getUser();
+      if (!this.isServerMode() && currentUser && response.profile !== void 0) {
+        this.tokenManager.setUser({
+          ...currentUser,
+          profile: response.profile
+        });
+      }
+      return { data: response, error: null };
+    } catch (error) {
+      return wrapError(
+        error,
+        "An unexpected error occurred while updating user profile"
+      );
+    }
+  }
+  // ============================================================================
+  // Email Verification
+  // ============================================================================
+  async resendVerificationEmail(request) {
+    try {
+      const response = await this.http.post("/api/auth/email/send-verification", request);
+      return { data: response, error: null };
+    } catch (error) {
+      return wrapError(
+        error,
+        "An unexpected error occurred while sending verification email"
+      );
+    }
+  }
+  async verifyEmail(request) {
+    try {
+      const response = await this.http.post(
+        this.isServerMode() ? "/api/auth/email/verify?client_type=mobile" : "/api/auth/email/verify",
+        request,
+        { credentials: "include" }
+      );
+      this.saveSessionFromResponse(response);
+      if (response.refreshToken) {
+        this.http.setRefreshToken(response.refreshToken);
+      }
+      return { data: response, error: null };
+    } catch (error) {
+      return wrapError(
+        error,
+        "An unexpected error occurred while verifying email"
+      );
+    }
+  }
+  // ============================================================================
+  // Password Reset
+  // ============================================================================
+  async sendResetPasswordEmail(request) {
+    try {
+      const response = await this.http.post("/api/auth/email/send-reset-password", request);
+      return { data: response, error: null };
+    } catch (error) {
+      return wrapError(
+        error,
+        "An unexpected error occurred while sending password reset email"
+      );
+    }
+  }
+  async exchangeResetPasswordToken(request) {
+    try {
+      const response = await this.http.post(
+        "/api/auth/email/exchange-reset-password-token",
+        request
+      );
+      return { data: response, error: null };
+    } catch (error) {
+      return wrapError(
+        error,
+        "An unexpected error occurred while verifying reset code"
+      );
+    }
+  }
+  async resetPassword(request) {
+    try {
+      const response = await this.http.post(
+        "/api/auth/email/reset-password",
+        request
+      );
+      return { data: response, error: null };
+    } catch (error) {
+      return wrapError(
+        error,
+        "An unexpected error occurred while resetting password"
+      );
+    }
+  }
+  // ============================================================================
+  // Configuration
+  // ============================================================================
+  async getPublicAuthConfig() {
+    try {
+      const response = await this.http.get(
+        "/api/auth/public-config"
+      );
+      return { data: response, error: null };
+    } catch (error) {
+      return wrapError(
+        error,
+        "An unexpected error occurred while fetching auth configuration"
+      );
+    }
+  }
 };
 
 // src/modules/database-postgrest.ts
@@ -873,8 +1161,10 @@ function createInsForgePostgrestFetch(httpClient, tokenManager) {
   return async (input, init) => {
     const url = typeof input === "string" ? input : input.toString();
     const urlObj = new URL(url);
-    const tableName = urlObj.pathname.slice(1);
-    const insforgeUrl = `${httpClient.baseUrl}/api/database/records/${tableName}${urlObj.search}`;
+    const pathname = urlObj.pathname.slice(1);
+    const rpcMatch = pathname.match(/^rpc\/(.+)$/);
+    const endpoint = rpcMatch ? `/api/database/rpc/${rpcMatch[1]}` : `/api/database/records/${pathname}`;
+    const insforgeUrl = `${httpClient.baseUrl}${endpoint}${urlObj.search}`;
     const token = tokenManager.getAccessToken();
     const httpHeaders = httpClient.getHeaders();
     const authToken = token || httpHeaders["Authorization"]?.replace("Bearer ", "");
@@ -934,6 +1224,25 @@ var Database = class {
   from(table) {
     return this.postgrest.from(table);
   }
+  /**
+   * Call a PostgreSQL function (RPC)
+   *
+   * @example
+   * // Call a function with parameters
+   * const { data, error } = await client.database
+   *   .rpc('get_user_stats', { user_id: 123 });
+   *
+   * // Call a function with no parameters
+   * const { data, error } = await client.database
+   *   .rpc('get_all_active_users');
+   *
+   * // With options (head, count, get)
+   * const { data, count } = await client.database
+   *   .rpc('search_posts', { query: 'hello' }, { count: 'exact' });
+   */
+  rpc(fn, args, options) {
+    return this.postgrest.rpc(fn, args, options);
+  }
 };
 
 // src/modules/storage.ts
@@ -1218,6 +1527,7 @@ var AI = class {
     this.http = http;
     this.chat = new Chat(http);
     this.images = new Images(http);
+    this.embeddings = new Embeddings(http);
   }
 };
 var Chat = class {
@@ -1241,16 +1551,46 @@ var ChatCompletions = class {
    * });
    * console.log(completion.choices[0].message.content);
    *
-   * // With images
+   * // With images (OpenAI-compatible format)
    * const response = await client.ai.chat.completions.create({
    *   model: 'gpt-4-vision',
    *   messages: [{
    *     role: 'user',
-   *     content: 'What is in this image?',
-   *     images: [{ url: 'https://example.com/image.jpg' }]
+   *     content: [
+   *       { type: 'text', text: 'What is in this image?' },
+   *       { type: 'image_url', image_url: { url: 'https://example.com/image.jpg' } }
+   *     ]
    *   }]
    * });
    *
+   * // With PDF files
+   * const pdfResponse = await client.ai.chat.completions.create({
+   *   model: 'anthropic/claude-3.5-sonnet',
+   *   messages: [{
+   *     role: 'user',
+   *     content: [
+   *       { type: 'text', text: 'Summarize this document' },
+   *       { type: 'file', file: { filename: 'doc.pdf', file_data: 'https://example.com/doc.pdf' } }
+   *     ]
+   *   }],
+   *   fileParser: { enabled: true, pdf: { engine: 'mistral-ocr' } }
+   * });
+   *
+   * // With web search
+   * const searchResponse = await client.ai.chat.completions.create({
+   *   model: 'openai/gpt-4',
+   *   messages: [{ role: 'user', content: 'What are the latest news about AI?' }],
+   *   webSearch: { enabled: true, maxResults: 5 }
+   * });
+   * // Access citations from response.choices[0].message.annotations
+   *
+   * // With thinking/reasoning mode (Anthropic models)
+   * const thinkingResponse = await client.ai.chat.completions.create({
+   *   model: 'anthropic/claude-3.5-sonnet',
+   *   messages: [{ role: 'user', content: 'Solve this complex math problem...' }],
+   *   thinking: true
+   * });
+   *
    * // Streaming - returns async iterable
    * const stream = await client.ai.chat.completions.create({
    *   model: 'gpt-4',
@@ -1272,7 +1612,15 @@ var ChatCompletions = class {
       temperature: params.temperature,
       maxTokens: params.maxTokens,
       topP: params.topP,
-      stream: params.stream
+      stream: params.stream,
+      // New plugin options
+      webSearch: params.webSearch,
+      fileParser: params.fileParser,
+      thinking: params.thinking,
+      // Tool calling options
+      tools: params.tools,
+      toolChoice: params.toolChoice,
+      parallelToolCalls: params.parallelToolCalls
     };
     if (params.stream) {
       const headers = this.http.getHeaders();
@@ -1306,9 +1654,13 @@ var ChatCompletions = class {
           index: 0,
           message: {
             role: "assistant",
-            content
+            content,
+            // Include tool_calls if present (from tool calling)
+            ...response.tool_calls?.length && { tool_calls: response.tool_calls },
+            // Include annotations if present (from web search or file parsing)
+            ...response.annotations?.length && { annotations: response.annotations }
           },
-          finish_reason: "stop"
+          finish_reason: response.tool_calls?.length ? "tool_calls" : "stop"
         }
       ],
       usage: response.metadata?.usage || {
@@ -1350,7 +1702,24 @@ var ChatCompletions = class {
                         delta: {
                           content: data.chunk || data.content
                         },
-                        finish_reason: data.done ? "stop" : null
+                        finish_reason: null
+                      }
+                    ]
+                  };
+                }
+                if (data.tool_calls?.length) {
+                  yield {
+                    id: `chatcmpl-${Date.now()}`,
+                    object: "chat.completion.chunk",
+                    created: Math.floor(Date.now() / 1e3),
+                    model,
+                    choices: [
+                      {
+                        index: 0,
+                        delta: {
+                          tool_calls: data.tool_calls
+                        },
+                        finish_reason: "tool_calls"
                       }
                     ]
                   };
@@ -1371,6 +1740,65 @@ var ChatCompletions = class {
     }
   }
 };
+var Embeddings = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Create embeddings for text input - OpenAI-like response format
+   *
+   * @example
+   * ```typescript
+   * // Single text input
+   * const response = await client.ai.embeddings.create({
+   *   model: 'openai/text-embedding-3-small',
+   *   input: 'Hello world'
+   * });
+   * console.log(response.data[0].embedding); // number[]
+   *
+   * // Multiple text inputs
+   * const response = await client.ai.embeddings.create({
+   *   model: 'openai/text-embedding-3-small',
+   *   input: ['Hello world', 'Goodbye world']
+   * });
+   * response.data.forEach((item, i) => {
+   *   console.log(`Embedding ${i}:`, item.embedding.slice(0, 5)); // First 5 dimensions
+   * });
+   *
+   * // With custom dimensions (if supported by model)
+   * const response = await client.ai.embeddings.create({
+   *   model: 'openai/text-embedding-3-small',
+   *   input: 'Hello world',
+   *   dimensions: 256
+   * });
+   *
+   * // With base64 encoding format
+   * const response = await client.ai.embeddings.create({
+   *   model: 'openai/text-embedding-3-small',
+   *   input: 'Hello world',
+   *   encoding_format: 'base64'
+   * });
+   * ```
+   */
+  async create(params) {
+    const response = await this.http.post(
+      "/api/ai/embeddings",
+      params
+    );
+    return {
+      object: response.object,
+      data: response.data,
+      model: response.metadata?.model,
+      usage: response.metadata?.usage ? {
+        prompt_tokens: response.metadata.usage.promptTokens || 0,
+        total_tokens: response.metadata.usage.totalTokens || 0
+      } : {
+        prompt_tokens: 0,
+        total_tokens: 0
+      }
+    };
+  }
+};
 var Images = class {
   constructor(http) {
     this.http = http;
@@ -1428,30 +1856,73 @@ var Images = class {
 };
 
 // src/modules/functions.ts
-var Functions = class {
-  constructor(http) {
+var Functions = class _Functions {
+  constructor(http, functionsUrl) {
     this.http = http;
+    this.functionsUrl = functionsUrl || _Functions.deriveSubhostingUrl(http.baseUrl);
+  }
+  /**
+   * Derive the subhosting URL from the base URL.
+   * Base URL pattern: https://{appKey}.{region}.insforge.app
+   * Functions URL:    https://{appKey}.functions.insforge.app
+   * Only applies to .insforge.app domains.
+   */
+  static deriveSubhostingUrl(baseUrl) {
+    try {
+      const { hostname } = new URL(baseUrl);
+      if (!hostname.endsWith(".insforge.app")) return void 0;
+      const appKey = hostname.split(".")[0];
+      return `https://${appKey}.functions.insforge.app`;
+    } catch {
+      return void 0;
+    }
   }
   /**
    * Invokes an Edge Function
+   *
+   * If functionsUrl is configured, tries direct subhosting first.
+   * Falls back to proxy URL if subhosting returns 404.
+   *
    * @param slug The function slug to invoke
    * @param options Request options
    */
   async invoke(slug, options = {}) {
+    const { method = "POST", body, headers = {} } = options;
+    if (this.functionsUrl) {
+      try {
+        const data = await this.http.request(method, `${this.functionsUrl}/${slug}`, {
+          body,
+          headers
+        });
+        return { data, error: null };
+      } catch (error) {
+        if (error instanceof Error && error.name === "AbortError") throw error;
+        if (error instanceof InsForgeError && error.statusCode === 404) {
+        } else {
+          return {
+            data: null,
+            error: error instanceof InsForgeError ? error : new InsForgeError(
+              error instanceof Error ? error.message : "Function invocation failed",
+              500,
+              "FUNCTION_ERROR"
+            )
+          };
+        }
+      }
+    }
     try {
-      const { method = "POST", body, headers = {} } = options;
       const path = `/functions/${slug}`;
-      const data = await this.http.request(
-        method,
-        path,
-        { body, headers }
-      );
+      const data = await this.http.request(method, path, { body, headers });
       return { data, error: null };
     } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") throw error;
       return {
         data: null,
-        error
-        // Pass through the full error object with all properties
+        error: error instanceof InsForgeError ? error : new InsForgeError(
+          error instanceof Error ? error.message : "Function invocation failed",
+          500,
+          "FUNCTION_ERROR"
+        )
       };
     }
   }
@@ -1461,13 +1932,15 @@ var Functions = class {
 import { io } from "socket.io-client";
 var CONNECT_TIMEOUT = 1e4;
 var Realtime = class {
-  constructor(baseUrl, tokenManager) {
+  constructor(baseUrl, tokenManager, anonKey) {
     this.socket = null;
     this.connectPromise = null;
     this.subscribedChannels = /* @__PURE__ */ new Set();
     this.eventListeners = /* @__PURE__ */ new Map();
     this.baseUrl = baseUrl;
     this.tokenManager = tokenManager;
+    this.anonKey = anonKey;
+    this.tokenManager.onTokenChange = () => this.onTokenChange();
   }
   notifyListeners(event, payload) {
     const listeners = this.eventListeners.get(event);
@@ -1492,8 +1965,7 @@ var Realtime = class {
       return this.connectPromise;
     }
     this.connectPromise = new Promise((resolve, reject) => {
-      const session = this.tokenManager.getSession();
-      const token = session?.accessToken;
+      const token = this.tokenManager.getAccessToken() ?? this.anonKey;
       this.socket = io(this.baseUrl, {
         transports: ["websocket"],
         auth: token ? { token } : void 0
@@ -1559,6 +2031,21 @@ var Realtime = class {
     }
     this.subscribedChannels.clear();
   }
+  /**
+   * Handle token changes (e.g., after auth refresh)
+   * Updates socket auth so reconnects use the new token
+   * If connected, triggers reconnect to apply new token immediately
+   */
+  onTokenChange() {
+    const token = this.tokenManager.getAccessToken() ?? this.anonKey;
+    if (this.socket) {
+      this.socket.auth = token ? { token } : {};
+    }
+    if (this.socket && (this.socket.connected || this.connectPromise)) {
+      this.socket.disconnect();
+      this.socket.connect();
+    }
+  }
   /**
    * Check if connected to the realtime server
    */
@@ -1707,8 +2194,15 @@ var Emails = class {
       );
       return { data, error: null };
     } catch (error) {
-      const normalizedError = error instanceof Error ? error : new Error(String(error));
-      return { data: null, error: normalizedError };
+      if (error instanceof Error && error.name === "AbortError") throw error;
+      return {
+        data: null,
+        error: error instanceof InsForgeError ? error : new InsForgeError(
+          error instanceof Error ? error.message : "Email send failed",
+          500,
+          "EMAIL_ERROR"
+        )
+      };
     }
   }
 };
@@ -1716,31 +2210,30 @@ var Emails = class {
 // src/client.ts
 var InsForgeClient = class {
   constructor(config = {}) {
-    this.http = new HttpClient(config);
-    this.tokenManager = new TokenManager(config.storage);
+    const logger = new Logger(config.debug);
+    this.tokenManager = new TokenManager();
+    this.http = new HttpClient(config, this.tokenManager, logger);
     if (config.edgeFunctionToken) {
       this.http.setAuthToken(config.edgeFunctionToken);
-      this.tokenManager.saveSession({
-        accessToken: config.edgeFunctionToken,
-        user: {}
-        // Will be populated by getCurrentUser()
-      });
-    }
-    const existingSession = this.tokenManager.getSession();
-    if (existingSession?.accessToken) {
-      this.http.setAuthToken(existingSession.accessToken);
+      this.tokenManager.setAccessToken(config.edgeFunctionToken);
     }
-    this.auth = new Auth(this.http, this.tokenManager);
+    this.auth = new Auth(this.http, this.tokenManager, {
+      isServerMode: config.isServerMode ?? false
+    });
     this.database = new Database(this.http, this.tokenManager);
     this.storage = new Storage(this.http);
     this.ai = new AI(this.http);
-    this.functions = new Functions(this.http);
-    this.realtime = new Realtime(this.http.baseUrl, this.tokenManager);
+    this.functions = new Functions(this.http, config.functionsUrl);
+    this.realtime = new Realtime(
+      this.http.baseUrl,
+      this.tokenManager,
+      config.anonKey
+    );
     this.emails = new Emails(this.http);
   }
   /**
    * Get the underlying HTTP client for custom requests
-   * 
+   *
    * @example
    * ```typescript
    * const httpClient = client.getHttpClient();
@@ -1774,6 +2267,7 @@ export {
   HttpClient,
   InsForgeClient,
   InsForgeError,
+  Logger,
   Realtime,
   Storage,
   StorageBucket,