first commit

2026-06-13 23:23:50 +03:00
commit 23958e8e2c
72 changed files with 6142 additions and 0 deletions
@@ -0,0 +1,513 @@
 ## Ignore Visual Studio temporary files, build results, and
 ## files generated by popular Visual Studio add-ons.
 ##
 ## Get latest from `dotnet new gitignore`
 # dotenv files
 .env
 # User-specific files
 *.rsuser
 *.suo
 *.user
 *.userosscache
 *.sln.docstates
 # User-specific files (MonoDevelop/Xamarin Studio)
 *.userprefs
 # Mono auto generated files
 mono_crash.*
 # Build results
 [Dd]ebug/
 [Dd]ebugPublic/
 [Rr]elease/
 [Rr]eleases/
 x64/
 x86/
 [Ww][Ii][Nn]32/
 [Aa][Rr][Mm]/
 [Aa][Rr][Mm]64/
 bld/
 [Bb]in/
 [Oo]bj/
 [Ll]og/
 [Ll]ogs/
 # Visual Studio 2015/2017 cache/options directory
 .vs/
 # Uncomment if you have tasks that create the project's static files in wwwroot
 #wwwroot/
 # Visual Studio 2017 auto generated files
 Generated\ Files/
 # MSTest test Results
 [Tt]est[Rr]esult*/
 [Bb]uild[Ll]og.*
 # NUnit
 *.VisualState.xml
 TestResult.xml
 nunit-*.xml
 # Build Results of an ATL Project
 [Dd]ebugPS/
 [Rr]eleasePS/
 dlldata.c
 # Benchmark Results
 BenchmarkDotNet.Artifacts/
 # .NET
 project.lock.json
 project.fragment.lock.json
 artifacts/
 # Tye
 .tye/
 # ASP.NET Scaffolding
 ScaffoldingReadMe.txt
 # StyleCop
 StyleCopReport.xml
 # Files built by Visual Studio
 *_i.c
 *_p.c
 *_h.h
 *.ilk
 *.meta
 *.obj
 *.iobj
 *.pch
 *.pdb
 *.ipdb
 *.pgc
 *.pgd
 *.rsp
 # but not Directory.Build.rsp, as it configures directory-level build defaults
 !Directory.Build.rsp
 *.sbr
 *.tlb
 *.tli
 *.tlh
 *.tmp
 *.tmp_proj
 *_wpftmp.csproj
 *.log
 *.tlog
 *.vspscc
 *.vssscc
 .builds
 *.pidb
 *.svclog
 *.scc
 # Chutzpah Test files
 _Chutzpah*
 # Visual C++ cache files
 ipch/
 *.aps
 *.ncb
 *.opendb
 *.opensdf
 *.sdf
 *.cachefile
 *.VC.db
 *.VC.VC.opendb
 # Visual Studio profiler
 *.psess
 *.vsp
 *.vspx
 *.sap
 # Visual Studio Trace Files
 *.e2e
 # TFS 2012 Local Workspace
 $tf/
 # Guidance Automation Toolkit
 *.gpState
 # ReSharper is a .NET coding add-in
 _ReSharper*/
 *.[Rr]e[Ss]harper
 *.DotSettings.user
 # TeamCity is a build add-in
 _TeamCity*
 # DotCover is a Code Coverage Tool
 *.dotCover
 # AxoCover is a Code Coverage Tool
 .axoCover/*
 !.axoCover/settings.json
 # Coverlet is a free, cross platform Code Coverage Tool
 coverage*.json
 coverage*.xml
 coverage*.info
 # Visual Studio code coverage results
 *.coverage
 *.coveragexml
 # NCrunch
 _NCrunch_*
 .*crunch*.local.xml
 nCrunchTemp_*
 # MightyMoose
 *.mm.*
 AutoTest.Net/
 # Web workbench (sass)
 .sass-cache/
 # Installshield output folder
 [Ee]xpress/
 # DocProject is a documentation generator add-in
 DocProject/buildhelp/
 DocProject/Help/*.HxT
 DocProject/Help/*.HxC
 DocProject/Help/*.hhc
 DocProject/Help/*.hhk
 DocProject/Help/*.hhp
 DocProject/Help/Html2
 DocProject/Help/html
 # Click-Once directory
 publish/
 # Publish Web Output
 *.[Pp]ublish.xml
 *.azurePubxml
 # Note: Comment the next line if you want to checkin your web deploy settings,
 # but database connection strings (with potential passwords) will be unencrypted
 *.pubxml
 *.publishproj
 # Microsoft Azure Web App publish settings. Comment the next line if you want to
 # checkin your Azure Web App publish settings, but sensitive information contained
 # in these scripts will be unencrypted
 PublishScripts/
 # NuGet Packages
 *.nupkg
 # NuGet Symbol Packages
 *.snupkg
 # The packages folder can be ignored because of Package Restore
 **/[Pp]ackages/*
 # except build/, which is used as an MSBuild target.
 !**/[Pp]ackages/build/
 # Uncomment if necessary however generally it will be regenerated when needed
 #!**/[Pp]ackages/repositories.config
 # NuGet v3's project.json files produces more ignorable files
 *.nuget.props
 *.nuget.targets
 # Microsoft Azure Build Output
 csx/
 *.build.csdef
 # Microsoft Azure Emulator
 ecf/
 rcf/
 # Windows Store app package directories and files
 AppPackages/
 BundleArtifacts/
 Package.StoreAssociation.xml
 _pkginfo.txt
 *.appx
 *.appxbundle
 *.appxupload
 # Visual Studio cache files
 # files ending in .cache can be ignored
 *.[Cc]ache
 # but keep track of directories ending in .cache
 !?*.[Cc]ache/
 # Others
 ClientBin/
 ~$*
 *~
 *.dbmdl
 *.dbproj.schemaview
 *.jfm
 *.pfx
 *.publishsettings
 orleans.codegen.cs
 # Including strong name files can present a security risk
 # (https://github.com/github/gitignore/pull/2483#issue-259490424)
 #*.snk
 # Since there are multiple workflows, uncomment next line to ignore bower_components
 # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
 #bower_components/
 # RIA/Silverlight projects
 Generated_Code/
 # Backup & report files from converting an old project file
 # to a newer Visual Studio version. Backup files are not needed,
 # because we have git ;-)
 _UpgradeReport_Files/
 Backup*/
 UpgradeLog*.XML
 UpgradeLog*.htm
 ServiceFabricBackup/
 *.rptproj.bak
 # SQL Server files
 *.mdf
 *.ldf
 *.ndf
 # Business Intelligence projects
 *.rdl.data
 *.bim.layout
 *.bim_*.settings
 *.rptproj.rsuser
 *- [Bb]ackup.rdl
 *- [Bb]ackup ([0-9]).rdl
 *- [Bb]ackup ([0-9][0-9]).rdl
 # Microsoft Fakes
 FakesAssemblies/
 # GhostDoc plugin setting file
 *.GhostDoc.xml
 # Node.js Tools for Visual Studio
 .ntvs_analysis.dat
 node_modules/
 # Visual Studio 6 build log
 *.plg
 # Visual Studio 6 workspace options file
 *.opt
 # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
 *.vbw
 # Visual Studio 6 auto-generated project file (contains which files were open etc.)
 *.vbp
 # Visual Studio 6 workspace and project file (working project files containing files to include in project)
 *.dsw
 *.dsp
 # Visual Studio 6 technical files
 *.ncb
 *.aps
 # Visual Studio LightSwitch build output
 **/*.HTMLClient/GeneratedArtifacts
 **/*.DesktopClient/GeneratedArtifacts
 **/*.DesktopClient/ModelManifest.xml
 **/*.Server/GeneratedArtifacts
 **/*.Server/ModelManifest.xml
 _Pvt_Extensions
 # Paket dependency manager
 .paket/paket.exe
 paket-files/
 # FAKE - F# Make
 .fake/
 # CodeRush personal settings
 .cr/personal
 # Python Tools for Visual Studio (PTVS)
 __pycache__/
 *.pyc
 # Cake - Uncomment if you are using it
 # tools/**
 # !tools/packages.config
 # Tabs Studio
 *.tss
 # Telerik's JustMock configuration file
 *.jmconfig
 # BizTalk build output
 *.btp.cs
 *.btm.cs
 *.odx.cs
 *.xsd.cs
 # OpenCover UI analysis results
 OpenCover/
 # Azure Stream Analytics local run output
 ASALocalRun/
 # MSBuild Binary and Structured Log
 *.binlog
 # NVidia Nsight GPU debugger configuration file
 *.nvuser
 # MFractors (Xamarin productivity tool) working folder
 .mfractor/
 # Local History for Visual Studio
 .localhistory/
 # Visual Studio History (VSHistory) files
 .vshistory/
 # BeatPulse healthcheck temp database
 healthchecksdb
 # Backup folder for Package Reference Convert tool in Visual Studio 2017
 MigrationBackup/
 # Ionide (cross platform F# VS Code tools) working folder
 .ionide/
 # Fody - auto-generated XML schema
 FodyWeavers.xsd
 # VS Code files for those working on multiple tools
 .vscode/*
 !.vscode/settings.json
 !.vscode/tasks.json
 !.vscode/launch.json
 !.vscode/extensions.json
 *.code-workspace
 # Local History for Visual Studio Code
 .history/
 # Windows Installer files from build outputs
 *.cab
 *.msi
 *.msix
 *.msm
 *.msp
 # JetBrains Rider
 *.sln.iml
 .idea/
 ##
 ## Visual studio for Mac
 ##
 # globs
 Makefile.in
 *.userprefs
 *.usertasks
 config.make
 config.status
 aclocal.m4
 install-sh
 autom4te.cache/
 *.tar.gz
 tarballs/
 test-results/
 # content below from: https://github.com/github/gitignore/blob/main/Global/macOS.gitignore
 # General
 .DS_Store
 .AppleDouble
 .LSOverride
 # Icon must end with two \r
 Icon
 # Thumbnails
 ._*
 # Files that might appear in the root of a volume
 .DocumentRevisions-V100
 .fseventsd
 .Spotlight-V100
 .TemporaryItems
 .Trashes
 .VolumeIcon.icns
 .com.apple.timemachine.donotpresent
 # Directories potentially created on remote AFP share
 .AppleDB
 .AppleDesktop
 Network Trash Folder
 Temporary Items
 .apdisk
 # content below from: https://github.com/github/gitignore/blob/main/Global/Windows.gitignore
 # Windows thumbnail cache files
 Thumbs.db
 ehthumbs.db
 ehthumbs_vista.db
 # Dump file
 *.stackdump
 # Folder config file
 [Dd]esktop.ini
 # Recycle Bin used on file shares
 $RECYCLE.BIN/
 # Windows Installer files
 *.cab
 *.msi
 *.msix
 *.msm
 *.msp
 # Windows shortcuts
 *.lnk
 # Vim temporary swap files
 *.swp
 # =========================
 # Node.js / TypeScript (Frontend & Client)
 # =========================
 node_modules/
 dist/
 dist-ssr/
 build/
 .npm/
 # Logs
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 pnpm-debug.log*
 # Environment
 .env.local
 .env.*.local
 # TypeScript
 *.tsbuildinfo
 # Testing
 coverage/
 # Custom overrides
 appsettings.Local.json
 *.sqlite
 *.sqlite3
 *.db
@@ -0,0 +1,24 @@
 # Logs
 logs
 *.log
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 pnpm-debug.log*
 lerna-debug.log*
 node_modules
 dist
 dist-ssr
 *.local
 # Editor directories and files
 .vscode/*
 !.vscode/extensions.json
 .idea
 .DS_Store
 *.suo
 *.ntvs*
 *.njsproj
 *.sln
 *.sw?
@@ -0,0 +1,73 @@
 # React + TypeScript + Vite
 This template provides a minimal setup to get React working in Vite with HMR and some ESLint rules.
 Currently, two official plugins are available:
 - [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react) uses [Oxc](https://oxc.rs)
 - [@vitejs/plugin-react-swc](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react-swc) uses [SWC](https://swc.rs/)
 ## React Compiler
 The React Compiler is not enabled on this template because of its impact on dev & build performances. To add it, see [this documentation](https://react.dev/learn/react-compiler/installation).
 ## Expanding the ESLint configuration
 If you are developing a production application, we recommend updating the configuration to enable type-aware lint rules:
 ```js
 export default defineConfig([
  globalIgnores(['dist']),
  {
    files: ['**/*.{ts,tsx}'],
    extends: [
      // Other configs...
      // Remove tseslint.configs.recommended and replace with this
      tseslint.configs.recommendedTypeChecked,
      // Alternatively, use this for stricter rules
      tseslint.configs.strictTypeChecked,
      // Optionally, add this for stylistic rules
      tseslint.configs.stylisticTypeChecked,
      // Other configs...
    ],
    languageOptions: {
      parserOptions: {
        project: ['./tsconfig.node.json', './tsconfig.app.json'],
        tsconfigRootDir: import.meta.dirname,
      },
      // other options...
    },
  },
 ])
 ```
 You can also install [eslint-plugin-react-x](https://github.com/Rel1cx/eslint-react/tree/main/packages/plugins/eslint-plugin-react-x) and [eslint-plugin-react-dom](https://github.com/Rel1cx/eslint-react/tree/main/packages/plugins/eslint-plugin-react-dom) for React-specific lint rules:
 ```js
 // eslint.config.js
 import reactX from 'eslint-plugin-react-x'
 import reactDom from 'eslint-plugin-react-dom'
 export default defineConfig([
  globalIgnores(['dist']),
  {
    files: ['**/*.{ts,tsx}'],
    extends: [
      // Other configs...
      // Enable lint rules for React
      reactX.configs['recommended-typescript'],
      // Enable lint rules for React DOM
      reactDom.configs.recommended,
    ],
    languageOptions: {
      parserOptions: {
        project: ['./tsconfig.node.json', './tsconfig.app.json'],
        tsconfigRootDir: import.meta.dirname,
      },
      // other options...
    },
  },
 ])
 ```
@@ -0,0 +1,22 @@
 import js from '@eslint/js'
 import globals from 'globals'
 import reactHooks from 'eslint-plugin-react-hooks'
 import reactRefresh from 'eslint-plugin-react-refresh'
 import tseslint from 'typescript-eslint'
 import { defineConfig, globalIgnores } from 'eslint/config'
 export default defineConfig([
  globalIgnores(['dist']),
  {
    files: ['**/*.{ts,tsx}'],
    extends: [
      js.configs.recommended,
      tseslint.configs.recommended,
      reactHooks.configs.flat.recommended,
      reactRefresh.configs.vite,
    ],
    languageOptions: {
      globals: globals.browser,
    },
  },
 ])
@@ -0,0 +1,13 @@
 <!doctype html>
 <html lang="en">
  <head>
    <meta charset="UTF-8" />
    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>sequence-ui</title>
  </head>
  <body>
    <div id="root"></div>
    <script type="module" src="/src/main.tsx"></script>
  </body>
 </html>
@@ -0,0 +1,31 @@
 {
  "name": "sequence-ui",
  "private": true,
  "version": "0.0.0",
  "type": "module",
  "scripts": {
    "dev": "vite",
    "build": "tsc -b && vite build",
    "lint": "eslint .",
    "preview": "vite preview"
  },
  "dependencies": {
    "react": "^18.2.0",
    "react-dom": "^18.2.0",
    "sequence-client": "file:../../workers/sequence-client"
  },
  "devDependencies": {
    "@eslint/js": "^10.0.1",
    "@types/node": "^24.12.3",
    "@types/react": "^19.2.14",
    "@types/react-dom": "^19.2.3",
    "@vitejs/plugin-react": "^6.0.1",
    "eslint": "^10.3.0",
    "eslint-plugin-react-hooks": "^7.1.1",
    "eslint-plugin-react-refresh": "^0.5.2",
    "globals": "^17.6.0",
    "typescript": "~6.0.2",
    "typescript-eslint": "^8.59.2",
    "vite": "^8.0.12"
  }
 }
@@ -0,0 +1,24 @@
 <svg xmlns="http://www.w3.org/2000/svg">
  <symbol id="bluesky-icon" viewBox="0 0 16 17">
    <g clip-path="url(#bluesky-clip)"><path fill="#08060d" d="M7.75 7.735c-.693-1.348-2.58-3.86-4.334-5.097-1.68-1.187-2.32-.981-2.74-.79C.188 2.065.1 2.812.1 3.251s.241 3.602.398 4.13c.52 1.744 2.367 2.333 4.07 2.145-2.495.37-4.71 1.278-1.805 4.512 3.196 3.309 4.38-.71 4.987-2.746.608 2.036 1.307 5.91 4.93 2.746 2.72-2.746.747-4.143-1.747-4.512 1.702.189 3.55-.4 4.07-2.145.156-.528.397-3.691.397-4.13s-.088-1.186-.575-1.406c-.42-.19-1.06-.395-2.741.79-1.755 1.24-3.64 3.752-4.334 5.099"/></g>
    <defs><clipPath id="bluesky-clip"><path fill="#fff" d="M.1.85h15.3v15.3H.1z"/></clipPath></defs>
  </symbol>
  <symbol id="discord-icon" viewBox="0 0 20 19">
    <path fill="#08060d" d="M16.224 3.768a14.5 14.5 0 0 0-3.67-1.153c-.158.286-.343.67-.47.976a13.5 13.5 0 0 0-4.067 0c-.128-.306-.317-.69-.476-.976A14.4 14.4 0 0 0 3.868 3.77C1.546 7.28.916 10.703 1.231 14.077a14.7 14.7 0 0 0 4.5 2.306q.545-.748.965-1.587a9.5 9.5 0 0 1-1.518-.74q.191-.14.372-.293c2.927 1.369 6.107 1.369 8.999 0q.183.152.372.294-.723.437-1.52.74.418.838.963 1.588a14.6 14.6 0 0 0 4.504-2.308c.37-3.911-.63-7.302-2.644-10.309m-9.13 8.234c-.878 0-1.599-.82-1.599-1.82 0-.998.705-1.82 1.6-1.82.894 0 1.614.82 1.599 1.82.001 1-.705 1.82-1.6 1.82m5.91 0c-.878 0-1.599-.82-1.599-1.82 0-.998.705-1.82 1.6-1.82.893 0 1.614.82 1.599 1.82 0 1-.706 1.82-1.6 1.82"/>
  </symbol>
  <symbol id="documentation-icon" viewBox="0 0 21 20">
    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="m15.5 13.333 1.533 1.322c.645.555.967.833.967 1.178s-.322.623-.967 1.179L15.5 18.333m-3.333-5-1.534 1.322c-.644.555-.966.833-.966 1.178s.322.623.966 1.179l1.534 1.321"/>
    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M17.167 10.836v-4.32c0-1.41 0-2.117-.224-2.68-.359-.906-1.118-1.621-2.08-1.96-.599-.21-1.349-.21-2.848-.21-2.623 0-3.935 0-4.983.369-1.684.591-3.013 1.842-3.641 3.428C3 6.449 3 7.684 3 10.154v2.122c0 2.558 0 3.838.706 4.726q.306.383.713.671c.76.536 1.79.64 3.581.66"/>
    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M3 10a2.78 2.78 0 0 1 2.778-2.778c.555 0 1.209.097 1.748-.047.48-.129.854-.503.982-.982.145-.54.048-1.194.048-1.749a2.78 2.78 0 0 1 2.777-2.777"/>
  </symbol>
  <symbol id="github-icon" viewBox="0 0 19 19">
    <path fill="#08060d" fill-rule="evenodd" d="M9.356 1.85C5.05 1.85 1.57 5.356 1.57 9.694a7.84 7.84 0 0 0 5.324 7.44c.387.079.528-.168.528-.376 0-.182-.013-.805-.013-1.454-2.165.467-2.616-.935-2.616-.935-.349-.91-.864-1.143-.864-1.143-.71-.48.051-.48.051-.48.787.051 1.2.805 1.2.805.695 1.194 1.817.857 2.268.649.064-.507.27-.857.49-1.052-1.728-.182-3.545-.857-3.545-3.87 0-.857.31-1.558.8-2.104-.078-.195-.349-1 .077-2.078 0 0 .657-.208 2.14.805a7.5 7.5 0 0 1 1.946-.26c.657 0 1.328.092 1.946.26 1.483-1.013 2.14-.805 2.14-.805.426 1.078.155 1.883.078 2.078.502.546.799 1.247.799 2.104 0 3.013-1.818 3.675-3.558 3.87.284.247.528.714.528 1.454 0 1.052-.012 1.896-.012 2.156 0 .208.142.455.528.377a7.84 7.84 0 0 0 5.324-7.441c.013-4.338-3.48-7.844-7.773-7.844" clip-rule="evenodd"/>
  </symbol>
  <symbol id="social-icon" viewBox="0 0 20 20">
    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M12.5 6.667a4.167 4.167 0 1 0-8.334 0 4.167 4.167 0 0 0 8.334 0"/>
    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M2.5 16.667a5.833 5.833 0 0 1 8.75-5.053m3.837.474.513 1.035c.07.144.257.282.414.309l.93.155c.596.1.736.536.307.965l-.723.73a.64.64 0 0 0-.152.531l.207.903c.164.715-.213.991-.84.618l-.872-.52a.63.63 0 0 0-.577 0l-.872.52c-.624.373-1.003.094-.84-.618l.207-.903a.64.64 0 0 0-.152-.532l-.723-.729c-.426-.43-.289-.864.306-.964l.93-.156a.64.64 0 0 0 .412-.31l.513-1.034c.28-.562.735-.562 1.012 0"/>
  </symbol>
  <symbol id="x-icon" viewBox="0 0 19 19">
    <path fill="#08060d" fill-rule="evenodd" d="M1.893 1.98c.052.072 1.245 1.769 2.653 3.77l2.892 4.114c.183.261.333.48.333.486s-.068.089-.152.183l-.522.593-.765.867-3.597 4.087c-.375.426-.734.834-.798.905a1 1 0 0 0-.118.148c0 .01.236.017.664.017h.663l.729-.83c.4-.457.796-.906.879-.999a692 692 0 0 0 1.794-2.038c.034-.037.301-.34.594-.675l.551-.624.345-.392a7 7 0 0 1 .34-.374c.006 0 .93 1.306 2.052 2.903l2.084 2.965.045.063h2.275c1.87 0 2.273-.003 2.266-.021-.008-.02-1.098-1.572-3.894-5.547-2.013-2.862-2.28-3.246-2.273-3.266.008-.019.282-.332 2.085-2.38l2-2.274 1.567-1.782c.022-.028-.016-.03-.65-.03h-.674l-.3.342a871 871 0 0 1-1.782 2.025c-.067.075-.405.458-.75.852a100 100 0 0 1-.803.91c-.148.172-.299.344-.99 1.127-.304.343-.32.358-.345.327-.015-.019-.904-1.282-1.976-2.808L6.365 1.85H1.8zm1.782.91 8.078 11.294c.772 1.08 1.413 1.973 1.425 1.984.016.017.241.02 1.05.017l1.03-.004-2.694-3.766L7.796 5.75 5.722 2.852l-1.039-.004-1.039-.004z" clip-rule="evenodd"/>
  </symbol>
 </svg>
@@ -0,0 +1,184 @@
 .counter {
  font-size: 16px;
  padding: 5px 10px;
  border-radius: 5px;
  color: var(--accent);
  background: var(--accent-bg);
  border: 2px solid transparent;
  transition: border-color 0.3s;
  margin-bottom: 24px;
  &:hover {
    border-color: var(--accent-border);
  }
  &:focus-visible {
    outline: 2px solid var(--accent);
    outline-offset: 2px;
  }
 }
 .hero {
  position: relative;
  .base,
  .framework,
  .vite {
    inset-inline: 0;
    margin: 0 auto;
  }
  .base {
    width: 170px;
    position: relative;
    z-index: 0;
  }
  .framework,
  .vite {
    position: absolute;
  }
  .framework {
    z-index: 1;
    top: 34px;
    height: 28px;
    transform: perspective(2000px) rotateZ(300deg) rotateX(44deg) rotateY(39deg)
      scale(1.4);
  }
  .vite {
    z-index: 0;
    top: 107px;
    height: 26px;
    width: auto;
    transform: perspective(2000px) rotateZ(300deg) rotateX(40deg) rotateY(39deg)
      scale(0.8);
  }
 }
 #center {
  display: flex;
  flex-direction: column;
  gap: 25px;
  place-content: center;
  place-items: center;
  flex-grow: 1;
  @media (max-width: 1024px) {
    padding: 32px 20px 24px;
    gap: 18px;
  }
 }
 #next-steps {
  display: flex;
  border-top: 1px solid var(--border);
  text-align: left;
  & > div {
    flex: 1 1 0;
    padding: 32px;
    @media (max-width: 1024px) {
      padding: 24px 20px;
    }
  }
  .icon {
    margin-bottom: 16px;
    width: 22px;
    height: 22px;
  }
  @media (max-width: 1024px) {
    flex-direction: column;
    text-align: center;
  }
 }
 #docs {
  border-right: 1px solid var(--border);
  @media (max-width: 1024px) {
    border-right: none;
    border-bottom: 1px solid var(--border);
  }
 }
 #next-steps ul {
  list-style: none;
  padding: 0;
  display: flex;
  gap: 8px;
  margin: 32px 0 0;
  .logo {
    height: 18px;
  }
  a {
    color: var(--text-h);
    font-size: 16px;
    border-radius: 6px;
    background: var(--social-bg);
    display: flex;
    padding: 6px 12px;
    align-items: center;
    gap: 8px;
    text-decoration: none;
    transition: box-shadow 0.3s;
    &:hover {
      box-shadow: var(--shadow);
    }
    .button-icon {
      height: 18px;
      width: 18px;
    }
  }
  @media (max-width: 1024px) {
    margin-top: 20px;
    flex-wrap: wrap;
    justify-content: center;
    li {
      flex: 1 1 calc(50% - 8px);
    }
    a {
      width: 100%;
      justify-content: center;
      box-sizing: border-box;
    }
  }
 }
 #spacer {
  height: 88px;
  border-top: 1px solid var(--border);
  @media (max-width: 1024px) {
    height: 48px;
  }
 }
 .ticks {
  position: relative;
  width: 100%;
  &::before,
  &::after {
    content: '';
    position: absolute;
    top: -4.5px;
    border: 5px solid transparent;
  }
  &::before {
    left: 0;
    border-left-color: var(--border);
  }
  &::after {
    right: 0;
    border-right-color: var(--border);
  }
 }
@@ -0,0 +1,70 @@
 import { useState } from 'react';
 import type { UIState, User, AppStatus } from './Models';
 import { api } from './api';
 import Dashboard from './Dashboard';
 import './index.css';
 function App() {
  const [uiState, setUiState] = useState<UIState>('Uninitialized');
  const [appStatus, setAppStatus] = useState<AppStatus>('Idle');
  const [username, setUsername] = useState('');
  const [user, setUser] = useState<User | null>(null);
  const handleLogin = async (e: React.FormEvent) => {
    e.preventDefault();
    if (!username.trim()) return;
    setAppStatus('Loading');
    try {
      const loggedInUser = await api.login(username);
      setUser(loggedInUser);
      setUiState('Active');
      setAppStatus('Success');
    } catch (err) {
      console.error(err);
      setAppStatus('Error');
    }
  };
  return (
    <div className="app-container">
      <header className="app-header">
        <h1>Sequence Todo</h1>
        <div className="status-badge">
          Status: {uiState}
        </div>
      </header>
      <main className="app-main">
        {uiState === 'Uninitialized' ? (
          <div className="init-panel">
            <h2>Login to Todo App</h2>
            <p>Enter a username to initialize a secure Sequence Token chain.</p>
            <form onSubmit={handleLogin} className="login-form">
              <input
                type="text"
                placeholder="Username"
                value={username}
                onChange={e => setUsername(e.target.value)}
                className="text-input"
              />
              <button
                type="submit"
                className="btn-primary"
                disabled={appStatus === 'Loading'}
              >
                {appStatus === 'Loading' ? 'Authenticating...' : 'Login'}
              </button>
            </form>
            {appStatus === 'Error' && <p className="error-text">Failed to login. Ensure backend is running.</p>}
          </div>
        ) : (
          <Dashboard user={user!} />
        )}
      </main>
    </div>
  );
 }
 export default App;
@@ -0,0 +1,109 @@
 import { useEffect } from 'react';
 import type { User } from './Models';
 import { useTodos } from './useTodos';
 import { SequenceStore } from 'sequence-client';
 export default function Dashboard({ user }: { user: User }) {
  const {
    logs,
    todos,
    fetchStatus,
    createStatus,
    newTitle,
    setNewTitle,
    fetchTodos,
    handleCreateTodo,
    handleChangeStatus,
    handleLogout
  } = useTodos();
  useEffect(() => {
    fetchTodos();
  }, [fetchTodos]);
  if (fetchStatus === 'StaleToken') {
    return (
      <div className="stale-token-container">
        <div className="stale-token-card">
          <div className="icon">⚠️</div>
          <h2>Session Compromised or Stale</h2>
          <p>Your security sequence token is invalid or out of sync. For your protection, your session has been terminated.</p>
          <button className="btn-danger btn-large" onClick={handleLogout}>
            Log Out & Clear Session
          </button>
        </div>
      </div>
    );
  }
  return (
    <div className="dashboard-grid">
      <div className="todo-panel">
        <div className="panel-header">
          <h3>Welcome, {user.username} <span style={{fontSize: '0.6em', fontWeight: 'normal', opacity: 0.8}}>(Requests remaining: {SequenceStore.get().requestsRemaining ?? '?'})</span></h3>
          <button className="btn-secondary" onClick={fetchTodos}>
            {fetchStatus === 'Loading' ? 'Refreshing...' : 'Refresh'}
          </button>
        </div>
        <form onSubmit={handleCreateTodo} className="create-todo-form">
          <input 
            type="text" 
            value={newTitle} 
            onChange={e => setNewTitle(e.target.value)} 
            placeholder="What needs to be done?" 
            className="text-input"
          />
          <button type="submit" className="btn-primary" disabled={createStatus === 'Loading' || !newTitle.trim()}>
            Create
          </button>
        </form>
        <div className="todo-list">
          {fetchStatus === 'Loading' && todos.length === 0 ? (
            <p className="loading-text">Loading todos...</p>
          ) : todos.length === 0 ? (
            <p className="empty-text">No todos yet. Create one!</p>
          ) : (
            todos.map(todo => (
              <div key={todo.id} className={`todo-card status-${todo.status}`}>
                <div className="todo-info">
                  <span className="todo-title">{todo.title}</span>
                  <span className={`badge badge-${todo.status}`}>{todo.status}</span>
                </div>
                <div className="todo-actions">
                  {todo.status !== 'Completed' && (
                    <button className="btn-sm btn-success" onClick={() => handleChangeStatus(todo.id, 'Completed')}>Complete</button>
                  )}
                  {todo.status !== 'InProgress' && todo.status !== 'Completed' && todo.status !== 'Canceled' && (
                    <button className="btn-sm btn-info" onClick={() => handleChangeStatus(todo.id, 'InProgress')}>Start</button>
                  )}
                  {todo.status !== 'Canceled' && (
                    <button className="btn-sm btn-danger" onClick={() => handleChangeStatus(todo.id, 'Canceled')}>Cancel</button>
                  )}
                </div>
              </div>
            ))
          )}
        </div>
      </div>
      <div className="logs-panel">
        <h3>Sequence Chain Activity</h3>
        <p className="logs-subtitle">Every action uses a unique token automatically handled by the QueueManager.</p>
        <div className="logs-container">
          {logs.length === 0 ? (
            <div className="log-empty">No activity yet</div>
          ) : (
            logs.map(log => (
              <div key={log.id} className={`log-entry log-${log.level}`}>
                <span className="log-time">{log.timestamp}</span>
                <span className="log-msg">{log.message}</span>
              </div>
            ))
          )}
        </div>
      </div>
    </div>
  );
 }
@@ -0,0 +1,25 @@
 export type UIState = 'Uninitialized' | 'Active';
 export type LogLevel = 'Info' | 'Success' | 'Error' | 'Loading';
 export interface LogEntry {
  id: number;
  timestamp: string;
  message: string;
  level: LogLevel;
 }
 export type TodoStatus = 'Pending' | 'InProgress' | 'Completed' | 'Canceled';
 export interface TodoItem {
  id: string;
  userId: string;
  title: string;
  status: TodoStatus;
 }
 export type AppStatus = 'Idle' | 'Loading' | 'Success' | 'Error' | 'StaleToken';
 export interface User {
  id: string;
  username: string;
 }
@@ -0,0 +1,72 @@
 import { SequenceProtected, SequenceStore, SequenceState } from 'sequence-client';
 import type { TodoStatus, User } from './Models';
 export class ApiClient {
  private readonly baseUrl = 'http://localhost:5064';
  async login(username: string): Promise<User> {
    const response = await fetch(`${this.baseUrl}/auth/login`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({ username })
    });
    if (!response.ok) {
      throw new Error('Login failed');
    }
    const data = await response.json();
    const nextSeq = response.headers.get('X-Next-Seq');
    const remainingStr = response.headers.get('X-Requests-Remaining');
    if (nextSeq) {
      SequenceStore.set({
        state: SequenceState.Active,
        token: nextSeq,
        requestsRemaining: remainingStr ? parseInt(remainingStr, 10) : undefined
      });
    }
    return data;
  }
  @SequenceProtected()
  async logout(init?: RequestInit): Promise<void> {
    await fetch(`${this.baseUrl}/auth/logout`, {
      ...init,
      method: 'POST'
    });
    SequenceStore.clear();
  }
  @SequenceProtected()
  async getTodos(init?: RequestInit): Promise<Response> {
    return fetch(`${this.baseUrl}/todo/list`, init);
  }
  @SequenceProtected()
  async createTodo(title: string, init?: RequestInit): Promise<Response> {
    const headers = new Headers(init?.headers);
    headers.set('Content-Type', 'application/json');
    return fetch(`${this.baseUrl}/todo/create`, {
      ...init,
      method: 'POST',
      headers,
      body: JSON.stringify({ title })
    });
  }
  @SequenceProtected()
  async changeTodoStatus(id: string, status: TodoStatus, init?: RequestInit): Promise<Response> {
    const headers = new Headers(init?.headers);
    return fetch(`${this.baseUrl}/todo/change-status/${id}?status=${status}`, {
      ...init,
      method: 'PUT',
      headers
    });
  }
 }
 export const api = new ApiClient();
@@ -0,0 +1 @@
 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="iconify iconify--logos" width="35.93" height="32" preserveAspectRatio="xMidYMid meet" viewBox="0 0 256 228"><path fill="#00D8FF" d="M210.483 73.824a171.49 171.49 0 0 0-8.24-2.597c.465-1.9.893-3.777 1.273-5.621c6.238-30.281 2.16-54.676-11.769-62.708c-13.355-7.7-35.196.329-57.254 19.526a171.23 171.23 0 0 0-6.375 5.848a155.866 155.866 0 0 0-4.241-3.917C100.759 3.829 77.587-4.822 63.673 3.233C50.33 10.957 46.379 33.89 51.995 62.588a170.974 170.974 0 0 0 1.892 8.48c-3.28.932-6.445 1.924-9.474 2.98C17.309 83.498 0 98.307 0 113.668c0 15.865 18.582 31.778 46.812 41.427a145.52 145.52 0 0 0 6.921 2.165a167.467 167.467 0 0 0-2.01 9.138c-5.354 28.2-1.173 50.591 12.134 58.266c13.744 7.926 36.812-.22 59.273-19.855a145.567 145.567 0 0 0 5.342-4.923a168.064 168.064 0 0 0 6.92 6.314c21.758 18.722 43.246 26.282 56.54 18.586c13.731-7.949 18.194-32.003 12.4-61.268a145.016 145.016 0 0 0-1.535-6.842c1.62-.48 3.21-.974 4.76-1.488c29.348-9.723 48.443-25.443 48.443-41.52c0-15.417-17.868-30.326-45.517-39.844Zm-6.365 70.984c-1.4.463-2.836.91-4.3 1.345c-3.24-10.257-7.612-21.163-12.963-32.432c5.106-11 9.31-21.767 12.459-31.957c2.619.758 5.16 1.557 7.61 2.4c23.69 8.156 38.14 20.213 38.14 29.504c0 9.896-15.606 22.743-40.946 31.14Zm-10.514 20.834c2.562 12.94 2.927 24.64 1.23 33.787c-1.524 8.219-4.59 13.698-8.382 15.893c-8.067 4.67-25.32-1.4-43.927-17.412a156.726 156.726 0 0 1-6.437-5.87c7.214-7.889 14.423-17.06 21.459-27.246c12.376-1.098 24.068-2.894 34.671-5.345a134.17 134.17 0 0 1 1.386 6.193ZM87.276 214.515c-7.882 2.783-14.16 2.863-17.955.675c-8.075-4.657-11.432-22.636-6.853-46.752a156.923 156.923 0 0 1 1.869-8.499c10.486 2.32 22.093 3.988 34.498 4.994c7.084 9.967 14.501 19.128 21.976 27.15a134.668 134.668 0 0 1-4.877 4.492c-9.933 8.682-19.886 14.842-28.658 17.94ZM50.35 144.747c-12.483-4.267-22.792-9.812-29.858-15.863c-6.35-5.437-9.555-10.836-9.555-15.216c0-9.322 13.897-21.212 37.076-29.293c2.813-.98 5.757-1.905 8.812-2.773c3.204 10.42 7.406 21.315 12.477 32.332c-5.137 11.18-9.399 22.249-12.634 32.792a134.718 134.718 0 0 1-6.318-1.979Zm12.378-84.26c-4.811-24.587-1.616-43.134 6.425-47.789c8.564-4.958 27.502 2.111 47.463 19.835a144.318 144.318 0 0 1 3.841 3.545c-7.438 7.987-14.787 17.08-21.808 26.988c-12.04 1.116-23.565 2.908-34.161 5.309a160.342 160.342 0 0 1-1.76-7.887Zm110.427 27.268a347.8 347.8 0 0 0-7.785-12.803c8.168 1.033 15.994 2.404 23.343 4.08c-2.206 7.072-4.956 14.465-8.193 22.045a381.151 381.151 0 0 0-7.365-13.322Zm-45.032-43.861c5.044 5.465 10.096 11.566 15.065 18.186a322.04 322.04 0 0 0-30.257-.006c4.974-6.559 10.069-12.652 15.192-18.18ZM82.802 87.83a323.167 323.167 0 0 0-7.227 13.238c-3.184-7.553-5.909-14.98-8.134-22.152c7.304-1.634 15.093-2.97 23.209-3.984a321.524 321.524 0 0 0-7.848 12.897Zm8.081 65.352c-8.385-.936-16.291-2.203-23.593-3.793c2.26-7.3 5.045-14.885 8.298-22.6a321.187 321.187 0 0 0 7.257 13.246c2.594 4.48 5.28 8.868 8.038 13.147Zm37.542 31.03c-5.184-5.592-10.354-11.779-15.403-18.433c4.902.192 9.899.29 14.978.29c5.218 0 10.376-.117 15.453-.343c-4.985 6.774-10.018 12.97-15.028 18.486Zm52.198-57.817c3.422 7.8 6.306 15.345 8.596 22.52c-7.422 1.694-15.436 3.058-23.88 4.071a382.417 382.417 0 0 0 7.859-13.026a347.403 347.403 0 0 0 7.425-13.565Zm-16.898 8.101a358.557 358.557 0 0 1-12.281 19.815a329.4 329.4 0 0 1-23.444.823c-7.967 0-15.716-.248-23.178-.732a310.202 310.202 0 0 1-12.513-19.846h.001a307.41 307.41 0 0 1-10.923-20.627a310.278 310.278 0 0 1 10.89-20.637l-.001.001a307.318 307.318 0 0 1 12.413-19.761c7.613-.576 15.42-.876 23.31-.876H128c7.926 0 15.743.303 23.354.883a329.357 329.357 0 0 1 12.335 19.695a358.489 358.489 0 0 1 11.036 20.54a329.472 329.472 0 0 1-11 20.722Zm22.56-122.124c8.572 4.944 11.906 24.881 6.52 51.026c-.344 1.668-.73 3.367-1.15 5.09c-10.622-2.452-22.155-4.275-34.23-5.408c-7.034-10.017-14.323-19.124-21.64-27.008a160.789 160.789 0 0 1 5.888-5.4c18.9-16.447 36.564-22.941 44.612-18.3ZM128 90.808c12.625 0 22.86 10.235 22.86 22.86s-10.235 22.86-22.86 22.86s-22.86-10.235-22.86-22.86s10.235-22.86 22.86-22.86Z"></path></svg>
@@ -0,0 +1,357 @@
 :root {
  --primary: #6366f1;
  --primary-hover: #4f46e5;
  --bg-color: #0f172a;
  --panel-bg: rgba(30, 41, 59, 0.7);
  --border-color: rgba(255, 255, 255, 0.1);
  --text-main: #f8fafc;
  --text-muted: #94a3b8;
  --success: #10b981;
  --danger: #ef4444;
  --warning: #f59e0b;
  --info: #3b82f6;
  --font-family: 'Inter', -apple-system, sans-serif;
 }
 * {
  box-sizing: border-box;
  margin: 0;
  padding: 0;
 }
 body {
  font-family: var(--font-family);
  background: var(--bg-color);
  background-image: 
    radial-gradient(at 0% 0%, rgba(99, 102, 241, 0.15) 0px, transparent 50%),
    radial-gradient(at 100% 100%, rgba(16, 185, 129, 0.15) 0px, transparent 50%);
  color: var(--text-main);
  min-height: 100vh;
  -webkit-font-smoothing: antialiased;
 }
 .app-container {
  max-width: 1200px;
  margin: 0 auto;
  padding: 2rem;
 }
 .app-header {
  display: flex;
  justify-content: space-between;
  align-items: center;
  margin-bottom: 2rem;
 }
 .app-header h1 {
  font-size: 1.8rem;
  font-weight: 700;
  background: linear-gradient(to right, #818cf8, #34d399);
  -webkit-background-clip: text;
  -webkit-text-fill-color: transparent;
 }
 .status-badge {
  padding: 0.5rem 1rem;
  background: var(--panel-bg);
  border: 1px solid var(--border-color);
  border-radius: 99px;
  font-size: 0.875rem;
  backdrop-filter: blur(10px);
 }
 /* Auth Panel */
 .init-panel {
  max-width: 400px;
  margin: 4rem auto;
  padding: 2.5rem;
  background: var(--panel-bg);
  border: 1px solid var(--border-color);
  border-radius: 16px;
  backdrop-filter: blur(12px);
  text-align: center;
  box-shadow: 0 20px 40px rgba(0,0,0,0.2);
 }
 .init-panel h2 {
  margin-bottom: 0.5rem;
 }
 .init-panel p {
  color: var(--text-muted);
  margin-bottom: 2rem;
  font-size: 0.9rem;
  line-height: 1.5;
 }
 .login-form {
  display: flex;
  flex-direction: column;
  gap: 1rem;
 }
 /* Dashboard Grid */
 .dashboard-grid {
  display: grid;
  grid-template-columns: 1fr 350px;
  gap: 2rem;
  align-items: start;
 }
 /* Panels */
 .todo-panel, .logs-panel {
  background: var(--panel-bg);
  border: 1px solid var(--border-color);
  border-radius: 16px;
  padding: 1.5rem;
  backdrop-filter: blur(12px);
  box-shadow: 0 10px 30px rgba(0,0,0,0.1);
 }
 .panel-header {
  display: flex;
  justify-content: space-between;
  align-items: center;
  margin-bottom: 1.5rem;
 }
 .create-todo-form {
  display: flex;
  gap: 1rem;
  margin-bottom: 2rem;
 }
 /* Inputs & Buttons */
 .text-input {
  width: 100%;
  padding: 0.75rem 1rem;
  background: rgba(15, 23, 42, 0.6);
  border: 1px solid var(--border-color);
  border-radius: 8px;
  color: var(--text-main);
  font-size: 1rem;
  outline: none;
  transition: all 0.2s;
 }
 .text-input:focus {
  border-color: var(--primary);
  box-shadow: 0 0 0 2px rgba(99, 102, 241, 0.2);
 }
 button {
  padding: 0.75rem 1.5rem;
  border: none;
  border-radius: 8px;
  font-size: 0.95rem;
  font-weight: 500;
  cursor: pointer;
  transition: all 0.2s ease;
 }
 button:disabled {
  opacity: 0.5;
  cursor: not-allowed;
 }
 .btn-primary {
  background: var(--primary);
  color: white;
 }
 .btn-primary:hover:not(:disabled) {
  background: var(--primary-hover);
  transform: translateY(-1px);
 }
 .btn-secondary {
  background: rgba(255,255,255,0.1);
  color: white;
 }
 .btn-secondary:hover:not(:disabled) {
  background: rgba(255,255,255,0.15);
 }
 /* Small Action Buttons */
 .btn-sm {
  padding: 0.4rem 0.8rem;
  font-size: 0.8rem;
  border-radius: 6px;
 }
 .btn-success { background: rgba(16, 185, 129, 0.2); color: #34d399; }
 .btn-success:hover { background: rgba(16, 185, 129, 0.3); }
 .btn-info { background: rgba(59, 130, 246, 0.2); color: #60a5fa; }
 .btn-info:hover { background: rgba(59, 130, 246, 0.3); }
 .btn-danger { background: rgba(239, 68, 68, 0.2); color: #f87171; }
 .btn-danger:hover { background: rgba(239, 68, 68, 0.3); }
 /* Todo List */
 .todo-list {
  display: flex;
  flex-direction: column;
  gap: 1rem;
 }
 .todo-card {
  display: flex;
  justify-content: space-between;
  align-items: center;
  padding: 1rem 1.25rem;
  background: rgba(15, 23, 42, 0.4);
  border: 1px solid var(--border-color);
  border-radius: 12px;
  transition: transform 0.2s, background 0.2s;
 }
 .todo-card:hover {
  background: rgba(15, 23, 42, 0.6);
  transform: translateX(4px);
 }
 .todo-info {
  display: flex;
  align-items: center;
  gap: 1rem;
 }
 .todo-title {
  font-weight: 500;
 }
 .todo-actions {
  display: flex;
  gap: 0.5rem;
 }
 .status-Completed .todo-title {
  text-decoration: line-through;
  color: var(--text-muted);
 }
 .status-Canceled .todo-title {
  color: var(--text-muted);
  opacity: 0.7;
 }
 /* Badges */
 .badge {
  padding: 0.25rem 0.6rem;
  border-radius: 99px;
  font-size: 0.75rem;
  font-weight: 600;
  text-transform: uppercase;
  letter-spacing: 0.5px;
 }
 .badge-Pending { background: rgba(245, 158, 11, 0.2); color: #fbbf24; }
 .badge-InProgress { background: rgba(59, 130, 246, 0.2); color: #60a5fa; }
 .badge-Completed { background: rgba(16, 185, 129, 0.2); color: #34d399; }
 .badge-Canceled { background: rgba(239, 68, 68, 0.2); color: #f87171; }
 /* Logs Panel */
 .logs-subtitle {
  color: var(--text-muted);
  font-size: 0.85rem;
  margin: 0.5rem 0 1.5rem 0;
  line-height: 1.4;
 }
 .logs-container {
  display: flex;
  flex-direction: column;
  gap: 0.5rem;
  max-height: 500px;
  overflow-y: auto;
  padding-right: 0.5rem;
 }
 .logs-container::-webkit-scrollbar {
  width: 6px;
 }
 .logs-container::-webkit-scrollbar-thumb {
  background: rgba(255,255,255,0.2);
  border-radius: 3px;
 }
 .log-entry {
  padding: 0.75rem;
  background: rgba(15, 23, 42, 0.6);
  border-radius: 8px;
  font-size: 0.85rem;
  font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;
  border-left: 3px solid transparent;
  animation: slideIn 0.3s ease-out;
 }
@keyframes slideIn {
  from { opacity: 0; transform: translateX(10px); }
  to { opacity: 1; transform: translateX(0); }
 }
 .log-time {
  color: var(--text-muted);
  margin-right: 0.75rem;
 }
 .log-Success { border-left-color: var(--success); }
 .log-Error { border-left-color: var(--danger); }
 .log-Loading { border-left-color: var(--info); }
 .log-Info { border-left-color: var(--text-muted); }
 .error-text {
  color: var(--danger);
  margin-top: 1rem;
  font-size: 0.9rem;
 }
 .loading-text, .empty-text {
  color: var(--text-muted);
  text-align: center;
  padding: 2rem 0;
  font-style: italic;
 }
 /* Stale Token Panel */
 .stale-token-container {
  display: flex;
  justify-content: center;
  align-items: center;
  min-height: 60vh;
 }
 .stale-token-card {
  background: var(--panel-bg);
  border: 1px solid var(--danger);
  border-radius: 16px;
  padding: 3rem;
  text-align: center;
  max-width: 500px;
  backdrop-filter: blur(12px);
  box-shadow: 0 20px 40px rgba(239, 68, 68, 0.15);
  animation: pulse-danger 2s infinite alternate;
 }
 .stale-token-card .icon {
  font-size: 4rem;
  margin-bottom: 1rem;
 }
 .stale-token-card h2 {
  color: #fca5a5;
  margin-bottom: 1rem;
 }
 .stale-token-card p {
  color: var(--text-muted);
  margin-bottom: 2rem;
  line-height: 1.5;
 }
 .btn-large {
  padding: 1rem 2rem;
  font-size: 1.1rem;
  width: 100%;
 }
@keyframes pulse-danger {
  0% { box-shadow: 0 0 0 0 rgba(239, 68, 68, 0.4); }
  100% { box-shadow: 0 0 0 15px rgba(239, 68, 68, 0); }
 }
@@ -0,0 +1,10 @@
 import { StrictMode } from 'react'
 import { createRoot } from 'react-dom/client'
 import './index.css'
 import App from './App.tsx'
 createRoot(document.getElementById('root')!).render(
  <StrictMode>
    <App />
  </StrictMode>,
 )
@@ -0,0 +1,136 @@
 import { useState, useCallback, useRef } from 'react';
 import type { LogEntry, TodoItem, AppStatus, TodoStatus } from './Models';
 import { api } from './api';
 import { SequenceStore } from 'sequence-client';
 let nextLogId = 1;
 export function useTodos() {
  const [logs, setLogs] = useState<LogEntry[]>([]);
  const [todos, setTodos] = useState<TodoItem[]>([]);
  const [fetchStatus, setFetchStatus] = useState<AppStatus>('Idle');
  const [createStatus, setCreateStatus] = useState<AppStatus>('Idle');
  const [newTitle, setNewTitle] = useState('');
  const fetchTodosRef = useRef<Promise<void> | null>(null);
  const addLog = useCallback((message: string, level: LogEntry['level']) => {
    setLogs(prev => {
      const newLogs = [{
        id: nextLogId++,
        timestamp: new Date().toLocaleTimeString(),
        message,
        level
      }, ...prev];
      return newLogs.slice(0, 50);
    });
  }, []);
  const fetchTodos = useCallback(async () => {
    if (fetchTodosRef.current) return fetchTodosRef.current;
    fetchTodosRef.current = (async () => {
      setFetchStatus('Loading');
      const currentToken = SequenceStore.get().token;
      addLog(`GET /todo [Auth-Seq: ${currentToken?.substring(0, 8)}...]`, 'Loading');
      try {
        const response = await api.getTodos();
        if (!response.ok) {
          if (response.status === 401) throw new Error('StaleToken');
          throw new Error(`HTTP ${response.status}`);
        }
        const data = await response.json();
        setTodos(data);
        setFetchStatus('Success');
        addLog(`GET /todo Success (${data.length} items)`, 'Success');
      } catch (err: any) {
        if (err.message === 'StaleToken') {
          setFetchStatus('StaleToken');
        } else {
          setFetchStatus('Error');
        }
        addLog(`GET /todo Error: ${err.message}`, 'Error');
      }
    })();
    try {
      await fetchTodosRef.current;
    } finally {
      fetchTodosRef.current = null;
    }
  }, [addLog]);
  const handleCreateTodo = useCallback(async (e: React.FormEvent) => {
    e.preventDefault();
    if (!newTitle.trim() || createStatus === 'Loading') return;
    setCreateStatus('Loading');
    const currentToken = SequenceStore.get().token;
    addLog(`POST /todo [Auth-Seq: ${currentToken?.substring(0, 8)}...]`, 'Loading');
    try {
      const response = await api.createTodo(newTitle);
      if (!response.ok) {
        if (response.status === 401) throw new Error('StaleToken');
        throw new Error(`HTTP ${response.status}`);
      }
      const newTodo = await response.json();
      setTodos(prev => [...prev, newTodo]);
      setNewTitle('');
      setCreateStatus('Success');
      addLog(`POST /todo Success: ${newTodo.title}`, 'Success');
    } catch (err: any) {
      if (err.message === 'StaleToken') {
        setFetchStatus('StaleToken'); // Fallback to stale state
      } else {
        setCreateStatus('Error');
      }
      addLog(`POST /todo Error: ${err.message}`, 'Error');
    }
  }, [newTitle, createStatus, addLog]);
  const handleChangeStatus = useCallback(async (id: string, status: TodoStatus) => {
    const currentToken = SequenceStore.get().token;
    addLog(`PUT /todo/${id}/status [Auth-Seq: ${currentToken?.substring(0, 8)}...]`, 'Loading');
    try {
      // Optimistic update
      setTodos(prev => prev.map(t => t.id === id ? { ...t, status } : t));
      const response = await api.changeTodoStatus(id, status);
      if (!response.ok) {
        if (response.status === 401) throw new Error('StaleToken');
        throw new Error(`HTTP ${response.status}`);
      }
      addLog(`PUT /todo/${id}/status Success`, 'Success');
    } catch (err: any) {
      addLog(`PUT /todo/${id}/status Error: ${err.message}`, 'Error');
      if (err.message === 'StaleToken') {
        setFetchStatus('StaleToken');
      } else {
        fetchTodos(); // Rollback on failure
      }
    }
  }, [addLog, fetchTodos]);
  const handleLogout = useCallback(async () => {
    try {
      await api.logout();
    } catch (e) {
      // ignore
    }
    window.location.reload();
  }, []);
  return {
    logs,
    todos,
    fetchStatus,
    createStatus,
    newTitle,
    setNewTitle,
    fetchTodos,
    handleCreateTodo,
    handleChangeStatus,
    handleLogout
  };
 }
@@ -0,0 +1,26 @@
 {
  "compilerOptions": {
    "tsBuildInfoFile": "./node_modules/.tmp/tsconfig.app.tsbuildinfo",
    "target": "es2023",
    "lib": ["ES2023", "DOM"],
    "module": "esnext",
    "types": ["vite/client"],
    "skipLibCheck": true,
    "experimentalDecorators": true,
    /* Bundler mode */
    "moduleResolution": "bundler",
    "allowImportingTsExtensions": true,
    "verbatimModuleSyntax": true,
    "moduleDetection": "force",
    "noEmit": true,
    "jsx": "react-jsx",
    /* Linting */
    "noUnusedLocals": true,
    "noUnusedParameters": true,
    "erasableSyntaxOnly": true,
    "noFallthroughCasesInSwitch": true
  },
  "include": ["src"]
 }
@@ -0,0 +1,10 @@
 {
  "compilerOptions": {
    "experimentalDecorators": true
  },
  "files": [],
  "references": [
    { "path": "./tsconfig.app.json" },
    { "path": "./tsconfig.node.json" }
  ]
 }
@@ -0,0 +1,24 @@
 {
  "compilerOptions": {
    "tsBuildInfoFile": "./node_modules/.tmp/tsconfig.node.tsbuildinfo",
    "target": "es2023",
    "lib": ["ES2023"],
    "module": "esnext",
    "types": ["node"],
    "skipLibCheck": true,
    /* Bundler mode */
    "moduleResolution": "bundler",
    "allowImportingTsExtensions": true,
    "verbatimModuleSyntax": true,
    "moduleDetection": "force",
    "noEmit": true,
    /* Linting */
    "noUnusedLocals": true,
    "noUnusedParameters": true,
    "erasableSyntaxOnly": true,
    "noFallthroughCasesInSwitch": true
  },
  "include": ["vite.config.ts"]
 }
@@ -0,0 +1,7 @@
 import { defineConfig } from 'vite'
 import react from '@vitejs/plugin-react'
 // https://vite.dev/config/
 export default defineConfig({
  plugins: [react()],
 })
@@ -0,0 +1,8 @@
 <Solution>
  <Folder Name="/example/">
    <Project Path="example/SequenceAuth.Example.csproj" />
  </Folder>
  <Folder Name="/lib/">
    <Project Path="lib/SequenceAuth.Lib.csproj" />
  </Folder>
 </Solution>
@@ -0,0 +1,17 @@
 using Microsoft.AspNetCore.Mvc;
 namespace SequenceAuth.Example.Controllers;
 [ApiController]
 [Route("[controller]/[action]")]
 public abstract class ApiControllerBase : ControllerBase
 {
    protected Guid UserId 
    {
        get
        {
            var options = HttpContext.RequestServices.GetRequiredService<Microsoft.Extensions.Options.IOptions<SequenceAuth.Lib.SequenceAuthOptions>>().Value;
            return Guid.Parse(HttpContext.Items[options.UserIdItemKey]?.ToString() ?? throw new UnauthorizedAccessException());
        }
    }
 }
@@ -0,0 +1,24 @@
 using MediatR;
 using Microsoft.AspNetCore.Mvc;
 using SequenceAuth.Example.Features.Auth;
 namespace SequenceAuth.Example.Controllers;
 public class AuthController(IMediator mediator) : ApiControllerBase
 {
    public record LoginRequest(string Username);
    [HttpPost]
    public async Task<IActionResult> Login([FromBody] LoginRequest request)
    {
        var result = await mediator.Send(new LoginCommand(request.Username));
        return Ok(result.User);
    }
    [HttpPost]
    public async Task<IActionResult> Logout()
    {
        await mediator.Send(new LogoutCommand());
        return Ok();
    }
 }
@@ -0,0 +1,12 @@
 using Microsoft.AspNetCore.Mvc;
 namespace SequenceAuth.Example.Controllers;
 public class SecureController : ApiControllerBase
 {
    [HttpGet]
    public IActionResult GetData()
    {
        return Ok(new { Message = "This is protected data. You must have a valid sequence to see this." });
    }
 }
@@ -0,0 +1,39 @@
 using MediatR;
 using Microsoft.AspNetCore.Mvc;
 using SequenceAuth.Example.Domain;
 using SequenceAuth.Example.Features.Todos;
 namespace SequenceAuth.Example.Controllers;
 public class TodoController(IMediator mediator) : ApiControllerBase
 {
    public record CreateTodoRequest(string Title);
    [HttpPost]
    public async Task<IActionResult> Create([FromBody] CreateTodoRequest request)
    {
        var result = await mediator.Send(new CreateTodoCommand(UserId, request.Title));
        return Ok(result);
    }
    [HttpGet]
    public async Task<IActionResult> List([FromQuery] TodoStatus? status)
    {
        var result = await mediator.Send(new GetTodosQuery(UserId, status));
        return Ok(result);
    }
    [HttpPut("{id}")]
    public async Task<IActionResult> ChangeStatus(Guid id, [FromQuery] TodoStatus status)
    {
        var result = await mediator.Send(new ChangeTodoStatusCommand(id, UserId, status));
        return result.Outcome switch
        {
            ChangeTodoStatusOutcome.Success => Ok(result.Item),
            ChangeTodoStatusOutcome.NotFound => NotFound(),
            ChangeTodoStatusOutcome.Unauthorized => StatusCode(403), // No identity claims for Forbid() without auth scheme
            _ => StatusCode(500)
        };
    }
 }
@@ -0,0 +1,13 @@
 namespace SequenceAuth.Example.Domain;
 public record User(Guid Id, string Username);
 public enum TodoStatus 
 { 
    Pending, 
    InProgress, 
    Completed, 
    Canceled 
 }
 public record TodoItem(Guid Id, Guid UserId, string Title, TodoStatus Status);
@@ -0,0 +1,42 @@
 using MediatR;
 using Microsoft.EntityFrameworkCore;
 using SequenceAuth.Example.Domain;
 using SequenceAuth.Example.Infrastructure;
 using SequenceAuth.Lib;
 namespace SequenceAuth.Example.Features.Auth;
 public record LoginCommand(string Username) : IRequest<LoginResult>;
 public record LoginResult(User User, string InitialSequence);
 public class LoginCommandHandler(AppDbContext dbContext, ISequenceStore sequenceStore, Microsoft.AspNetCore.Http.IHttpContextAccessor httpContextAccessor, Microsoft.Extensions.Options.IOptions<SequenceAuth.Lib.SequenceAuthOptions> options) : IRequestHandler<LoginCommand, LoginResult>
 {
    public async Task<LoginResult> Handle(LoginCommand request, CancellationToken cancellationToken)
    {
        var userOpt = await dbContext.Users.FirstOrDefaultAsync(u => u.Username == request.Username, cancellationToken);
        var user = userOpt switch
        {
            null => await CreateUser(request.Username, cancellationToken),
            _ => userOpt
        };
        var initialSequenceId = Guid.NewGuid().ToString("N");
        var sequenceData = new SequenceData(UserId: user.Id.ToString(), RequestsRemaining: 1000, State: SequenceState.Initialized, NextSequenceId: initialSequenceId);
        await sequenceStore.SaveSequenceAsync(initialSequenceId, sequenceData);
        httpContextAccessor.HttpContext?.Response.Headers.Append(options.Value.NextHeaderName, initialSequenceId);
        httpContextAccessor.HttpContext?.Response.Headers.Append(options.Value.RequestsRemainingHeaderName, "1000");
        return new LoginResult(user, initialSequenceId);
    }
    private async Task<User> CreateUser(string username, CancellationToken cancellationToken)
    {
        var user = new User(Guid.NewGuid(), username);
        dbContext.Users.Add(user);
        await dbContext.SaveChangesAsync(cancellationToken);
        return user;
    }
 }
@@ -0,0 +1,28 @@
 using MediatR;
 using Microsoft.AspNetCore.Http;
 using SequenceAuth.Lib;
 namespace SequenceAuth.Example.Features.Auth;
 public record LogoutCommand() : IRequest;
 public class LogoutCommandHandler(ISequenceStore sequenceStore, IHttpContextAccessor httpContextAccessor, Microsoft.Extensions.Options.IOptions<SequenceAuthOptions> options) : IRequestHandler<LogoutCommand>
 {
    public async Task Handle(LogoutCommand request, CancellationToken cancellationToken)
    {
        var userIdStr = httpContextAccessor.HttpContext?.Items[options.Value.UserIdItemKey]?.ToString();
        var isUserIdPresent = string.IsNullOrEmpty(userIdStr);
        _ = isUserIdPresent switch
        {
            false => await ProcessLogout(userIdStr!),
            true => 0
        };
    }
    private async Task<int> ProcessLogout(string userId)
    {
        await sequenceStore.InvalidateUserSessionsAsync(userId);
        return 1;
    }
 }
@@ -0,0 +1,37 @@
 using MediatR;
 using Microsoft.EntityFrameworkCore;
 using SequenceAuth.Example.Domain;
 using SequenceAuth.Example.Infrastructure;
 namespace SequenceAuth.Example.Features.Todos;
 public enum ChangeTodoStatusOutcome { Success, NotFound, Unauthorized }
 public record ChangeTodoStatusResult(ChangeTodoStatusOutcome Outcome, TodoItem? Item);
 public record ChangeTodoStatusCommand(Guid TodoId, Guid UserId, TodoStatus NewStatus) : IRequest<ChangeTodoStatusResult>;
 public class ChangeTodoStatusCommandHandler(AppDbContext dbContext) : IRequestHandler<ChangeTodoStatusCommand, ChangeTodoStatusResult>
 {
    public async Task<ChangeTodoStatusResult> Handle(ChangeTodoStatusCommand request, CancellationToken cancellationToken)
    {
        var todo = await dbContext.Todos.FirstOrDefaultAsync(t => t.Id == request.TodoId, cancellationToken);
        return todo switch
        {
            null => new ChangeTodoStatusResult(ChangeTodoStatusOutcome.NotFound, null),
            { UserId: var userId } when userId != request.UserId => new ChangeTodoStatusResult(ChangeTodoStatusOutcome.Unauthorized, null),
            _ => await UpdateStatusAsync(todo, request.NewStatus, cancellationToken)
        };
    }
    private async Task<ChangeTodoStatusResult> UpdateStatusAsync(TodoItem todo, TodoStatus newStatus, CancellationToken cancellationToken)
    {
        var updatedTodo = todo with { Status = newStatus };
        dbContext.Entry(todo).CurrentValues.SetValues(updatedTodo);
        await dbContext.SaveChangesAsync(cancellationToken);
        return new ChangeTodoStatusResult(ChangeTodoStatusOutcome.Success, updatedTodo);
    }
 }
@@ -0,0 +1,18 @@
 using MediatR;
 using SequenceAuth.Example.Domain;
 using SequenceAuth.Example.Infrastructure;
 namespace SequenceAuth.Example.Features.Todos;
 public record CreateTodoCommand(Guid UserId, string Title) : IRequest<TodoItem>;
 public class CreateTodoCommandHandler(AppDbContext dbContext) : IRequestHandler<CreateTodoCommand, TodoItem>
 {
    public async Task<TodoItem> Handle(CreateTodoCommand request, CancellationToken cancellationToken)
    {
        var todo = new TodoItem(Guid.NewGuid(), request.UserId, request.Title, TodoStatus.Pending);
        dbContext.Todos.Add(todo);
        await dbContext.SaveChangesAsync(cancellationToken);
        return todo;
    }
 }
@@ -0,0 +1,24 @@
 using MediatR;
 using Microsoft.EntityFrameworkCore;
 using SequenceAuth.Example.Domain;
 using SequenceAuth.Example.Infrastructure;
 namespace SequenceAuth.Example.Features.Todos;
 public record GetTodosQuery(Guid UserId, TodoStatus? StatusFilter) : IRequest<List<TodoItem>>;
 public class GetTodosQueryHandler(AppDbContext dbContext) : IRequestHandler<GetTodosQuery, List<TodoItem>>
 {
    public async Task<List<TodoItem>> Handle(GetTodosQuery request, CancellationToken cancellationToken)
    {
        var query = dbContext.Todos.Where(t => t.UserId == request.UserId);
        query = request.StatusFilter switch
        {
            null => query,
            var status => query.Where(t => t.Status == status)
        };
        return await query.ToListAsync(cancellationToken);
    }
 }
@@ -0,0 +1,27 @@
 using Microsoft.EntityFrameworkCore;
 using SequenceAuth.Example.Domain;
 namespace SequenceAuth.Example.Infrastructure;
 public class AppDbContext(DbContextOptions<AppDbContext> options) : DbContext(options)
 {
    public DbSet<User> Users => Set<User>();
    public DbSet<TodoItem> Todos => Set<TodoItem>();
    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        modelBuilder.Entity<User>(entity =>
        {
            entity.HasKey(e => e.Id);
            entity.Property(e => e.Username).IsRequired();
            entity.HasIndex(e => e.Username).IsUnique();
        });
        modelBuilder.Entity<TodoItem>(entity =>
        {
            entity.HasKey(e => e.Id);
            entity.Property(e => e.Title).IsRequired();
            entity.Property(e => e.Status).HasConversion<string>();
        });
    }
 }
@@ -0,0 +1,21 @@
 using System.Text.RegularExpressions;
 using Microsoft.AspNetCore.Routing;
 namespace SequenceAuth.Example.Infrastructure;
 public class KebabCaseParameterTransformer : IOutboundParameterTransformer
 {
    public string? TransformOutbound(object? value)
    {
        return value == null ? null : value.ToString()!.ToKebabCase();
    }
 }
 public static partial class StringExtension
 {
    [GeneratedRegex("([a-z0-9])([A-Z])", RegexOptions.Compiled)]
    private static partial Regex KebabCaseRule();
    public static string ToKebabCase(this string input)
        => KebabCaseRule().Replace(input, "$1-$2").ToLower().Trim('-');
 }
@@ -0,0 +1,70 @@
 // <auto-generated />
 using System;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore.Infrastructure;
 using Microsoft.EntityFrameworkCore.Migrations;
 using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
 using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
 using SequenceAuth.Example.Infrastructure;
 #nullable disable
 namespace SequenceAuth.Example.Migrations
 {
    [DbContext(typeof(AppDbContext))]
    [Migration("20260612174016_InitialCreate")]
    partial class InitialCreate
    {
        /// <inheritdoc />
        protected override void BuildTargetModel(ModelBuilder modelBuilder)
        {
 #pragma warning disable 612, 618
            modelBuilder
                .HasAnnotation("ProductVersion", "10.0.9")
                .HasAnnotation("Relational:MaxIdentifierLength", 63);
            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
            modelBuilder.Entity("SequenceAuth.Example.Domain.TodoItem", b =>
                {
                    b.Property<Guid>("Id")
                        .ValueGeneratedOnAdd()
                        .HasColumnType("uuid");
                    b.Property<string>("Status")
                        .IsRequired()
                        .HasColumnType("text");
                    b.Property<string>("Title")
                        .IsRequired()
                        .HasColumnType("text");
                    b.Property<Guid>("UserId")
                        .HasColumnType("uuid");
                    b.HasKey("Id");
                    b.ToTable("Todos");
                });
            modelBuilder.Entity("SequenceAuth.Example.Domain.User", b =>
                {
                    b.Property<Guid>("Id")
                        .ValueGeneratedOnAdd()
                        .HasColumnType("uuid");
                    b.Property<string>("Username")
                        .IsRequired()
                        .HasColumnType("text");
                    b.HasKey("Id");
                    b.HasIndex("Username")
                        .IsUnique();
                    b.ToTable("Users");
                });
 #pragma warning restore 612, 618
        }
    }
 }
@@ -0,0 +1,57 @@
 using System;
 using Microsoft.EntityFrameworkCore.Migrations;
 #nullable disable
 namespace SequenceAuth.Example.Migrations
 {
    /// <inheritdoc />
    public partial class InitialCreate : Migration
    {
        /// <inheritdoc />
        protected override void Up(MigrationBuilder migrationBuilder)
        {
            migrationBuilder.CreateTable(
                name: "Todos",
                columns: table => new
                {
                    Id = table.Column<Guid>(type: "uuid", nullable: false),
                    UserId = table.Column<Guid>(type: "uuid", nullable: false),
                    Title = table.Column<string>(type: "text", nullable: false),
                    Status = table.Column<string>(type: "text", nullable: false)
                },
                constraints: table =>
                {
                    table.PrimaryKey("PK_Todos", x => x.Id);
                });
            migrationBuilder.CreateTable(
                name: "Users",
                columns: table => new
                {
                    Id = table.Column<Guid>(type: "uuid", nullable: false),
                    Username = table.Column<string>(type: "text", nullable: false)
                },
                constraints: table =>
                {
                    table.PrimaryKey("PK_Users", x => x.Id);
                });
            migrationBuilder.CreateIndex(
                name: "IX_Users_Username",
                table: "Users",
                column: "Username",
                unique: true);
        }
        /// <inheritdoc />
        protected override void Down(MigrationBuilder migrationBuilder)
        {
            migrationBuilder.DropTable(
                name: "Todos");
            migrationBuilder.DropTable(
                name: "Users");
        }
    }
 }
@@ -0,0 +1,67 @@
 // <auto-generated />
 using System;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore.Infrastructure;
 using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
 using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
 using SequenceAuth.Example.Infrastructure;
 #nullable disable
 namespace SequenceAuth.Example.Migrations
 {
    [DbContext(typeof(AppDbContext))]
    partial class AppDbContextModelSnapshot : ModelSnapshot
    {
        protected override void BuildModel(ModelBuilder modelBuilder)
        {
 #pragma warning disable 612, 618
            modelBuilder
                .HasAnnotation("ProductVersion", "10.0.9")
                .HasAnnotation("Relational:MaxIdentifierLength", 63);
            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
            modelBuilder.Entity("SequenceAuth.Example.Domain.TodoItem", b =>
                {
                    b.Property<Guid>("Id")
                        .ValueGeneratedOnAdd()
                        .HasColumnType("uuid");
                    b.Property<string>("Status")
                        .IsRequired()
                        .HasColumnType("text");
                    b.Property<string>("Title")
                        .IsRequired()
                        .HasColumnType("text");
                    b.Property<Guid>("UserId")
                        .HasColumnType("uuid");
                    b.HasKey("Id");
                    b.ToTable("Todos");
                });
            modelBuilder.Entity("SequenceAuth.Example.Domain.User", b =>
                {
                    b.Property<Guid>("Id")
                        .ValueGeneratedOnAdd()
                        .HasColumnType("uuid");
                    b.Property<string>("Username")
                        .IsRequired()
                        .HasColumnType("text");
                    b.HasKey("Id");
                    b.HasIndex("Username")
                        .IsUnique();
                    b.ToTable("Users");
                });
 #pragma warning restore 612, 618
        }
    }
 }
@@ -0,0 +1,6 @@
 namespace SequenceAuth.Example.Options;
 public record RedisOptions
 {
    public required string Configuration { get; set; }
 }
@@ -0,0 +1,75 @@
 using Microsoft.AspNetCore.Mvc.ApplicationModels;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Options;
 using Scalar.AspNetCore;
 using SequenceAuth.Example.Infrastructure;
 using SequenceAuth.Example.Options;
 using SequenceAuth.Lib;
 using StackExchange.Redis;
 var builder = WebApplication.CreateBuilder(args);
 builder.Services.AddControllers(options =>
 {
    options.Conventions.Add(new RouteTokenTransformerConvention(new KebabCaseParameterTransformer()));
 });
 builder.Services.AddDbContext<AppDbContext>(options =>
 {
    options.UseNpgsql(builder.Configuration.GetConnectionString("DefaultConnection") ?? "Host=localhost;Database=sequencedb;Username=sequence_user;Password=sequence_password");
 });
 builder.Services.AddHttpContextAccessor();
 builder.Services.AddMediatR(cfg => cfg.RegisterServicesFromAssembly(typeof(Program).Assembly));
 var sequenceOptions = new SequenceAuthOptions();
 builder.Services.AddSequenceAuth(opts =>
 {
    opts.IgnoredPaths = sequenceOptions.IgnoredPaths.Concat(["/auth/login"]).ToHashSet();
 });
 builder.Services.AddOpenApi();
 builder.Services.AddCors(options =>
 {
    options.AddDefaultPolicy(policy =>
    {
        policy.AllowAnyOrigin()
              .AllowAnyMethod()
              .AllowAnyHeader()
              .WithExposedHeaders(sequenceOptions.NextHeaderName, sequenceOptions.RequestsRemainingHeaderName);
    });
 });
 builder.Services.Configure<RedisOptions>(builder.Configuration.GetSection("RedisOptions"));
 builder.Services.AddSingleton<IConnectionMultiplexer>(sp => 
    ConnectionMultiplexer.Connect(sp.GetRequiredService<IOptions<RedisOptions>>().Value.Configuration));
 builder.Services.AddSingleton<ISequenceStore, SequenceAuth.Example.RedisSequenceStore>();
 var app = builder.Build();
 using (var scope = app.Services.CreateScope())
 {
    var db = scope.ServiceProvider.GetRequiredService<AppDbContext>();
    await db.Database.MigrateAsync();
 }
 app.MapOpenApi();
 app.MapScalarApiReference(options =>
 {
    options.Title = "SequenceAuth API";
    options.WithDefaultHttpClient(ScalarTarget.CSharp, ScalarClient.HttpClient);
 });
 app.MapGet("/", () => Results.Redirect("/scalar/v1"));
 app.UseCors();
 app.UseMiddleware<SequenceAuthMiddleware>();
 app.MapControllers();
 app.Run();
 public partial class Program { }
@@ -0,0 +1,23 @@
 {
  "$schema": "https://json.schemastore.org/launchsettings.json",
  "profiles": {
    "http": {
      "commandName": "Project",
      "dotnetRunMessages": true,
      "launchBrowser": false,
      "applicationUrl": "http://localhost:5064",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    },
    "https": {
      "commandName": "Project",
      "dotnetRunMessages": true,
      "launchBrowser": false,
      "applicationUrl": "https://localhost:7215;http://localhost:5064",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    }
  }
 }
@@ -0,0 +1,62 @@
 using StackExchange.Redis;
 using System.Text.Json;
 using SequenceAuth.Lib;
 namespace SequenceAuth.Example;
 public class RedisSequenceStore(IConnectionMultiplexer redis) : ISequenceStore
 {
    private readonly IDatabase _db = redis.GetDatabase();
    public async Task<Option<SequenceData>> GetSequenceAsync(string sequenceId)
    {
        var value = await _db.StringGetAsync(sequenceId);
        return ((string?)value) switch
        {
            null => Option<SequenceData>.None(),
            string str => ParseData(str)
        };
    }
    private static Option<SequenceData> ParseData(string str)
    {
        var data = JsonSerializer.Deserialize<SequenceData>(str);
        return data switch
        {
            null => Option<SequenceData>.None(),
            _ => Option<SequenceData>.Some(data)
        };
    }
    public async Task<StoreOutcome> SaveSequenceAsync(string sequenceId, SequenceData data)
    {
        var json = JsonSerializer.Serialize(data);
        _ = await _db.StringSetAsync(sequenceId, json);
        _ = await _db.SetAddAsync($"UserSessions:{data.UserId}", sequenceId);
        return StoreOutcome.Success;
    }
    public async Task<StoreOutcome> InvalidateUserSessionsAsync(string userId)
    {
        var sessionKeys = await _db.SetMembersAsync($"UserSessions:{userId}");
        foreach(var key in sessionKeys)
        {
            var seqOpt = await GetSequenceAsync(key.ToString());
            _ = seqOpt.State switch
            {
                OptionState.Some => await UpdateToCompromisedAsync(key.ToString(), seqOpt.Value!),
                _ => StoreOutcome.Failure
            };
        }
        return StoreOutcome.Success;
    }
    private async Task<StoreOutcome> UpdateToCompromisedAsync(string sequenceId, SequenceData data)
    {
        var compData = data with { State = SequenceState.Compromised };
        var json = JsonSerializer.Serialize(compData);
        _ = await _db.StringSetAsync(sequenceId, json);
        return StoreOutcome.Success;
    }
 }
@@ -0,0 +1,25 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>net10.0</TargetFramework>
    <Nullable>enable</Nullable>
    <ImplicitUsings>enable</ImplicitUsings>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="MediatR" Version="14.1.0" />
    <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.9" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="10.0.9">
      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
      <PrivateAssets>all</PrivateAssets>
    </PackageReference>
    <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.2" />
    <PackageReference Include="Scalar.AspNetCore" Version="2.16.3" />
    <PackageReference Include="StackExchange.Redis" Version="2.13.17" />
  </ItemGroup>
  <ItemGroup>
    <ProjectReference Include="..\lib\SequenceAuth.Lib.csproj" />
  </ItemGroup>
 </Project>
@@ -0,0 +1,6 @@
@SequenceAuth.Example_HostAddress = http://localhost:5064
 GET {{SequenceAuth.Example_HostAddress}}/weatherforecast/
 Accept: application/json
 ###
@@ -0,0 +1,8 @@
 {
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  }
 }
@@ -0,0 +1,14 @@
 {
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "ConnectionStrings": {
    "DefaultConnection": "Host=localhost;Port=5432;Database=sequencedb;Username=sequence_user;Password=sequence_password"
  },
  "RedisOptions": {
    "Configuration": "localhost:6379"
  }
 }
@@ -0,0 +1,8 @@
 namespace SequenceAuth.Lib;
 public interface ISequenceStore
 {
    Task<Option<SequenceData>> GetSequenceAsync(string sequenceId);
    Task<StoreOutcome> SaveSequenceAsync(string sequenceId, SequenceData data);
    Task<StoreOutcome> InvalidateUserSessionsAsync(string userId);
 }
@@ -0,0 +1,38 @@
 namespace SequenceAuth.Lib;
 public enum SequenceState
 {
    Initialized,
    Active,
    Rotated,
    Compromised
 }
 public enum ValidationOutcome
 {
    Success,
    SequenceNotFound,
    LimitExceeded,
    CompromisedSequenceDetected,
    InternalError
 }
 public enum OptionState 
 { 
    Some, 
    None 
 }
 public record Option<T>(T? Value, OptionState State)
 {
    public static Option<T> Some(T value) => new(value, OptionState.Some);
    public static Option<T> None() => new(default, OptionState.None);
 }
 public enum StoreOutcome 
 { 
    Success, 
    Failure 
 }
 public record SequenceData(string UserId, int RequestsRemaining, SequenceState State, string NextSequenceId);
@@ -0,0 +1,23 @@
 <Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net10.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <!-- NuGet Package Metadata -->
    <PackageId>SequenceAuth</PackageId>
    <Version>1.0.0</Version>
    <Authors>YourName</Authors>
    <Description>A C# library for Sequence Token Rotation authorization using Redis.</Description>
    <RepositoryUrl>https://github.com/your-repo/SequenceAuth</RepositoryUrl>
    <PackageTags>authentication;redis;security</PackageTags>
    <GeneratePackageOnBuild>true</GeneratePackageOnBuild>
  </PropertyGroup>
  <ItemGroup>
    <!-- Use FrameworkReference for ASP.NET Core types (like HttpContext) instead of the outdated NuGet package -->
    <FrameworkReference Include="Microsoft.AspNetCore.App" />
  </ItemGroup>
 </Project>
@@ -0,0 +1,17 @@
 using Microsoft.Extensions.DependencyInjection;
 using System;
 namespace SequenceAuth.Lib;
 public static class SequenceAuthExtensions
 {
    public static IServiceCollection AddSequenceAuth(this IServiceCollection services, Action<SequenceAuthOptions> configureOptions)
    {
        ArgumentNullException.ThrowIfNull(configureOptions);
        services.Configure(configureOptions);
        services.AddScoped<SequenceManager>();
        return services;
    }
 }
@@ -0,0 +1,109 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Options;
 namespace SequenceAuth.Lib;
 public class SequenceAuthMiddleware(RequestDelegate next, IOptions<SequenceAuthOptions> options)
 {
    private readonly SequenceAuthOptions _options = options?.Value ?? throw new InvalidOperationException("SequenceAuthOptions must be registered in DI using AddSequenceAuth.");
    public async Task InvokeAsync(HttpContext context, SequenceManager sequenceManager)
    {
        await (context.Request.Method switch
        {
            "OPTIONS" => next(context),
            _ => ProcessPath(context, sequenceManager)
        });
    }
    private async Task ProcessPath(HttpContext context, SequenceManager sequenceManager)
    {
        var path = context.Request.Path.Value?.ToLowerInvariant() ?? "";
        var isIgnored = _options.IgnoredPaths.FirstOrDefault(x => path.StartsWith(x));
        await (isIgnored switch
        {
            null => CheckHeader(context, sequenceManager),
            _ => next(context)
        });
    }
    private async Task CheckHeader(HttpContext context, SequenceManager sequenceManager)
    {
        var headerCount = context.Request.Headers[_options.AuthHeaderName].Count;
        await (headerCount switch
        {
            0 => HandleMissingHeader(context),
            > 0 => ProcessWithHeader(context, sequenceManager, context.Request.Headers[_options.AuthHeaderName].ToString()!),
            _ => HandleMissingHeader(context)
        });
    }
    private Task HandleMissingHeader(HttpContext context)
    {
        context.Response.StatusCode = 401;
        return Task.CompletedTask;
    }
    private async Task ProcessWithHeader(HttpContext context, SequenceManager sequenceManager, string sequenceId)
    {
        var result = await sequenceManager.ValidateAndRotateAsync(sequenceId);
        await (result.Outcome switch
        {
            ValidationOutcome.Success => HandleSuccess(context, result.NextSequence, result.UserId, result.RequestsRemaining),
            _ => HandleFailure(context, result.Outcome)
        });
    }
    private async Task HandleSuccess(HttpContext context, Option<string> nextSequenceOpt, Option<string> userIdOpt, Option<int> requestsRemainingOpt)
    {
        _ = nextSequenceOpt.State switch
        {
            OptionState.Some => AddHeader(context, nextSequenceOpt.Value!),
            OptionState.None => 0,
            _ => 0
        };
        _ = userIdOpt.State switch
        {
            OptionState.Some => AddUserContext(context, userIdOpt.Value!),
            OptionState.None => 0,
            _ => 0
        };
        _ = requestsRemainingOpt.State switch
        {
            OptionState.Some => AddRemainingHeader(context, requestsRemainingOpt.Value),
            OptionState.None => 0,
            _ => 0
        };
        await next(context);
    }
    private int AddRemainingHeader(HttpContext context, int remaining)
    {
        context.Response.Headers.Append(_options.RequestsRemainingHeaderName, remaining.ToString());
        return 1;
    }
    private int AddHeader(HttpContext context, string value)
    {
        context.Response.Headers.Append(_options.NextHeaderName, value);
        return 1;
    }
    private int AddUserContext(HttpContext context, string userId)
    {
        context.Items[_options.UserIdItemKey] = userId;
        return 1;
    }
    private Task HandleFailure(HttpContext context, ValidationOutcome outcome)
    {
        context.Response.StatusCode = 401;
        return Task.CompletedTask;
    }
 }
@@ -0,0 +1,11 @@
 namespace SequenceAuth.Lib;
 public class SequenceAuthOptions
 {
    public virtual string UserIdItemKey { get; set; } = "UserId";
    public virtual string AuthHeaderName { get; set; } = "X-Auth-Seq";
    public virtual string NextHeaderName { get; set; } = "X-Next-Seq";
    public virtual string RequestsRemainingHeaderName { get; set; } = "X-Requests-Remaining";
    public virtual HashSet<string> IgnoredPaths { get; set; } = ["/scalar", "/openapi", "/favicon.ico", "/swagger"];
 }
@@ -0,0 +1,72 @@
 namespace SequenceAuth.Lib;
 public record SequenceValidationResult(ValidationOutcome Outcome, Option<string> NextSequence, Option<string> UserId, Option<int> RequestsRemaining);
 public class SequenceManager(ISequenceStore store)
 {
    public async Task<SequenceValidationResult> ValidateAndRotateAsync(string currentSequenceId)
    {
        var sequenceOpt = await store.GetSequenceAsync(currentSequenceId);
        return sequenceOpt.State switch
        {
            OptionState.None => new SequenceValidationResult(ValidationOutcome.SequenceNotFound, Option<string>.None(), Option<string>.None(), Option<int>.None()),
            OptionState.Some => await ProcessSequenceAsync(currentSequenceId, sequenceOpt.Value!),
            _ => new SequenceValidationResult(ValidationOutcome.InternalError, Option<string>.None(), Option<string>.None(), Option<int>.None())
        };
    }
    private async Task<SequenceValidationResult> ProcessSequenceAsync(string currentSequenceId, SequenceData data)
    {
        return data.State switch
        {
            SequenceState.Compromised => new SequenceValidationResult(ValidationOutcome.CompromisedSequenceDetected, Option<string>.None(), Option<string>.None(), Option<int>.None()),
            SequenceState.Rotated => await HandleRotatedSequenceAsync(data.UserId),
            SequenceState.Active or SequenceState.Initialized => await HandleActiveSequenceAsync(currentSequenceId, data),
            _ => new SequenceValidationResult(ValidationOutcome.InternalError, Option<string>.None(), Option<string>.None(), Option<int>.None())
        };
    }
    private async Task<SequenceValidationResult> HandleRotatedSequenceAsync(string userId)
    {
        await store.InvalidateUserSessionsAsync(userId);
        return new SequenceValidationResult(ValidationOutcome.CompromisedSequenceDetected, Option<string>.None(), Option<string>.None(), Option<int>.None());
    }
    private async Task<SequenceValidationResult> HandleActiveSequenceAsync(string currentSequenceId, SequenceData data)
    {
        var checkLimit = CheckLimit(data.RequestsRemaining);
        return checkLimit switch
        {
            ValidationOutcome.LimitExceeded => new SequenceValidationResult(ValidationOutcome.LimitExceeded, Option<string>.None(), Option<string>.None(), Option<int>.None()),
            ValidationOutcome.Success => await RotateSequenceAsync(currentSequenceId, data),
            _ => new SequenceValidationResult(ValidationOutcome.InternalError, Option<string>.None(), Option<string>.None(), Option<int>.None())
        };
    }
    private ValidationOutcome CheckLimit(int requestsRemaining)
    {
        return requestsRemaining switch
        {
            <= 0 => ValidationOutcome.LimitExceeded,
            > 0 => ValidationOutcome.Success
        };
    }
    private async Task<SequenceValidationResult> RotateSequenceAsync(string currentSequenceId, SequenceData data)
    {
        var futureSequenceId = Guid.NewGuid().ToString("N");
        var oldDataRotated = data with { State = SequenceState.Rotated };
        await store.SaveSequenceAsync(currentSequenceId, oldDataRotated);
        var newData = new SequenceData(
            UserId: data.UserId, 
            RequestsRemaining: data.RequestsRemaining - 1, 
            State: SequenceState.Active, 
            NextSequenceId: futureSequenceId);
        await store.SaveSequenceAsync(futureSequenceId, newData);
        return new SequenceValidationResult(ValidationOutcome.Success, Option<string>.Some(futureSequenceId), Option<string>.Some(data.UserId), Option<int>.Some(data.RequestsRemaining - 1));
    }
 }
@@ -0,0 +1,20 @@
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Mvc.Testing;
 using Microsoft.AspNetCore.TestHost;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using SequenceAuth.Lib;
 namespace SequenceAuth.Example.Tests;
 public class CustomWebApplicationFactory : WebApplicationFactory<Program>
 {
    protected override void ConfigureWebHost(IWebHostBuilder builder)
    {
        builder.ConfigureTestServices(services =>
        {
            services.RemoveAll<ISequenceStore>();
            services.AddSingleton<ISequenceStore, InMemorySequenceStore>();
        });
    }
 }
@@ -0,0 +1,36 @@
 using System.Collections.Concurrent;
 using System.Linq;
 using System.Threading.Tasks;
 using SequenceAuth.Lib;
 namespace SequenceAuth.Example.Tests;
 public class InMemorySequenceStore : ISequenceStore
 {
    private readonly ConcurrentDictionary<string, SequenceData> _store = new();
    public Task<Option<SequenceData>> GetSequenceAsync(string sequenceId)
    {
        if (_store.TryGetValue(sequenceId, out var data))
        {
            return Task.FromResult(Option<SequenceData>.Some(data));
        }
        return Task.FromResult(Option<SequenceData>.None());
    }
    public Task<StoreOutcome> SaveSequenceAsync(string sequenceId, SequenceData data)
    {
        _store[sequenceId] = data;
        return Task.FromResult(StoreOutcome.Success);
    }
    public Task<StoreOutcome> InvalidateUserSessionsAsync(string userId)
    {
        var keysToRemove = _store.Where(kvp => kvp.Value.UserId == userId).Select(kvp => kvp.Key).ToList();
        foreach (var key in keysToRemove)
        {
            _store.TryRemove(key, out _);
        }
        return Task.FromResult(StoreOutcome.Success);
    }
 }
@@ -0,0 +1,27 @@
 <Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net10.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <IsPackable>false</IsPackable>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="coverlet.collector" Version="6.0.4" />
    <PackageReference Include="FluentAssertions" Version="8.10.0" />
    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.9" />
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
    <PackageReference Include="xunit" Version="2.9.3" />
    <PackageReference Include="xunit.runner.visualstudio" Version="3.1.4" />
  </ItemGroup>
  <ItemGroup>
    <Using Include="Xunit" />
  </ItemGroup>
  <ItemGroup>
    <ProjectReference Include="..\..\example\SequenceAuth.Example.csproj" />
  </ItemGroup>
 </Project>
@@ -0,0 +1,117 @@
 using System.Linq;
 using System.Net;
 using System.Net.Http;
 using System.Net.Http.Json;
 using System.Threading.Tasks;
 using FluentAssertions;
 using SequenceAuth.Lib;
 using Xunit;
 namespace SequenceAuth.Example.Tests;
 public class SequenceAuthE2ETests : IClassFixture<CustomWebApplicationFactory>
 {
    private readonly HttpClient _client;
    public SequenceAuthE2ETests(CustomWebApplicationFactory factory)
    {
        _client = factory.CreateClient();
    }
    private async Task<string> InitSessionAsync()
    {
        var loginResponse = await _client.PostAsJsonAsync("/auth/login", new { username = "testuser" });
        loginResponse.EnsureSuccessStatusCode();
        var token = loginResponse.Headers.GetValues(new SequenceAuthOptions().NextHeaderName).FirstOrDefault();
        token.Should().NotBeNullOrWhiteSpace();
        return token!;
    }
    [Fact]
    public async Task RequestWithoutHeader_ReturnsUnauthorized()
    {
        var response = await _client.GetAsync("/secure/get-data");
        response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
    }
    [Fact]
    public async Task ValidChain_FollowsSequenceAndSucceeds()
    {
        // 1. Init Session
        var token1 = await InitSessionAsync();
        // 2. First Request
        var request1 = new HttpRequestMessage(HttpMethod.Get, "/secure/get-data");
        request1.Headers.Add(new SequenceAuthOptions().AuthHeaderName, token1);
        var response1 = await _client.SendAsync(request1);
        response1.EnsureSuccessStatusCode();
        var token2 = response1.Headers.GetValues(new SequenceAuthOptions().NextHeaderName).First();
        token2.Should().NotBeNullOrWhiteSpace();
        // 3. Second Request with New Token
        var request2 = new HttpRequestMessage(HttpMethod.Get, "/secure/get-data");
        request2.Headers.Add(new SequenceAuthOptions().AuthHeaderName, token2);
        var response2 = await _client.SendAsync(request2);
        response2.EnsureSuccessStatusCode();
        var token3 = response2.Headers.GetValues(new SequenceAuthOptions().NextHeaderName).First();
        token3.Should().NotBeNullOrWhiteSpace();
    }
    [Fact]
    public async Task AttackerReplaysToken_CompromisesSequence()
    {
        var token1 = await InitSessionAsync();
        System.Console.WriteLine($"Token 1: {token1}");
        var userRequest1 = new HttpRequestMessage(HttpMethod.Get, "/secure/get-data");
        userRequest1.Headers.Add(new SequenceAuthOptions().AuthHeaderName, token1);
        var userResponse1 = await _client.SendAsync(userRequest1);
        userResponse1.EnsureSuccessStatusCode();
        var token2 = userResponse1.Headers.GetValues(new SequenceAuthOptions().NextHeaderName).First();
        System.Console.WriteLine($"Token 2: {token2}");
        var attackerRequest = new HttpRequestMessage(HttpMethod.Get, "/secure/get-data");
        attackerRequest.Headers.Add(new SequenceAuthOptions().AuthHeaderName, token1);
        var attackerResponse = await _client.SendAsync(attackerRequest);
        System.Console.WriteLine($"Attacker Response: {attackerResponse.StatusCode}");
        var attackerBody = await attackerResponse.Content.ReadAsStringAsync();
        System.Console.WriteLine($"Attacker Body: {attackerBody}");
        attackerResponse.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
        var userRequest2 = new HttpRequestMessage(HttpMethod.Get, "/secure/get-data");
        userRequest2.Headers.Add(new SequenceAuthOptions().AuthHeaderName, token2);
        var userResponse2 = await _client.SendAsync(userRequest2);
        userResponse2.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
    }
    [Fact]
    public async Task AttackerStrikesFirst_CompromisesSequence()
    {
        var token1 = await InitSessionAsync();
        var attackerRequest1 = new HttpRequestMessage(HttpMethod.Get, "/secure/get-data");
        attackerRequest1.Headers.Add(new SequenceAuthOptions().AuthHeaderName, token1);
        var attackerResponse1 = await _client.SendAsync(attackerRequest1);
        attackerResponse1.EnsureSuccessStatusCode();
        var token2 = attackerResponse1.Headers.GetValues(new SequenceAuthOptions().NextHeaderName).First();
        var userRequest1 = new HttpRequestMessage(HttpMethod.Get, "/secure/get-data");
        userRequest1.Headers.Add(new SequenceAuthOptions().AuthHeaderName, token1);
        var userResponse1 = await _client.SendAsync(userRequest1);
        System.Console.WriteLine($"User Response 1: {userResponse1.StatusCode}");
        userResponse1.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
        var attackerRequest2 = new HttpRequestMessage(HttpMethod.Get, "/secure/get-data");
        attackerRequest2.Headers.Add(new SequenceAuthOptions().AuthHeaderName, token2);
        var attackerResponse2 = await _client.SendAsync(attackerRequest2);
        attackerResponse2.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
    }
 }
@@ -0,0 +1,27 @@
 <Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net10.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <IsPackable>false</IsPackable>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="coverlet.collector" Version="6.0.4" />
    <PackageReference Include="FluentAssertions" Version="8.10.0" />
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
    <PackageReference Include="Moq" Version="4.20.72" />
    <PackageReference Include="xunit" Version="2.9.3" />
    <PackageReference Include="xunit.runner.visualstudio" Version="3.1.4" />
  </ItemGroup>
  <ItemGroup>
    <Using Include="Xunit" />
  </ItemGroup>
  <ItemGroup>
    <ProjectReference Include="..\..\lib\SequenceAuth.Lib.csproj" />
  </ItemGroup>
 </Project>
@@ -0,0 +1,88 @@
 using FluentAssertions;
 using Moq;
 using SequenceAuth.Lib;
 using System.Threading.Tasks;
 using Xunit;
 namespace SequenceAuth.Lib.Tests;
 public class SequenceManagerTests
 {
    private readonly Mock<ISequenceStore> _mockStore;
    private readonly SequenceManager _manager;
    public SequenceManagerTests()
    {
        _mockStore = new Mock<ISequenceStore>();
        _manager = new SequenceManager(_mockStore.Object);
    }
    [Fact]
    public async Task ValidateAndRotateAsync_ValidToken_ReturnsSuccessAndGeneratesNewToken()
    {
        // Arrange
        var token = "valid-token";
        var nextToken = "pre-generated-next-token";
        var sequenceData = new SequenceData("user123", 100, SequenceState.Active, nextToken);
        _mockStore.Setup(s => s.GetSequenceAsync(token))
                  .ReturnsAsync(Option<SequenceData>.Some(sequenceData));
        _mockStore.Setup(s => s.SaveSequenceAsync(It.IsAny<string>(), It.IsAny<SequenceData>()))
                  .ReturnsAsync(StoreOutcome.Success);
        // Act
        var result = await _manager.ValidateAndRotateAsync(token);
        // Assert
        result.Outcome.Should().Be(ValidationOutcome.Success);
        result.NextSequence.State.Should().Be(OptionState.Some);
        result.NextSequence.Value.Should().Be(nextToken);
        // Ensure the old sequence was marked as Rotated
        _mockStore.Verify(s => s.SaveSequenceAsync(token, It.Is<SequenceData>(d => 
            d.State == SequenceState.Rotated)), Times.Once);
        // Ensure the new sequence was saved
        _mockStore.Verify(s => s.SaveSequenceAsync(nextToken, It.Is<SequenceData>(d => 
            d.State == SequenceState.Active)), Times.Once);
    }
    [Fact]
    public async Task ValidateAndRotateAsync_RotatedToken_ReturnsCompromisedAndDestroysSession()
    {
        // Arrange
        var token = "compromised-token";
        var sequenceData = new SequenceData("user123", 100, SequenceState.Rotated, "some-next-token");
        _mockStore.Setup(s => s.GetSequenceAsync(token))
                  .ReturnsAsync(Option<SequenceData>.Some(sequenceData));
        // Act
        var result = await _manager.ValidateAndRotateAsync(token);
        // Assert
        result.Outcome.Should().Be(ValidationOutcome.CompromisedSequenceDetected);
        result.NextSequence.State.Should().Be(OptionState.None);
        // Ensure InvalidateUserSessionsAsync was called for the user
        _mockStore.Verify(s => s.InvalidateUserSessionsAsync("user123"), Times.Once);
    }
    [Fact]
    public async Task ValidateAndRotateAsync_MissingToken_ReturnsNotFound()
    {
        // Arrange
        var token = "invalid-token";
        _mockStore.Setup(s => s.GetSequenceAsync(token))
                  .ReturnsAsync(Option<SequenceData>.None());
        // Act
        var result = await _manager.ValidateAndRotateAsync(token);
        // Assert
        result.Outcome.Should().Be(ValidationOutcome.SequenceNotFound);
        result.NextSequence.State.Should().Be(OptionState.None);
    }
 }
@@ -0,0 +1,26 @@
 version: '3.8'
 services:
  postgres:
    image: postgres:15-alpine
    container_name: sequence-postgres
    environment:
      POSTGRES_USER: sequence_user
      POSTGRES_PASSWORD: sequence_password
      POSTGRES_DB: sequencedb
    ports:
      - "5432:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
  redis:
    image: redis:7-alpine
    container_name: sequence-redis
    ports:
      - "6379:6379"
    volumes:
      - redis_data:/data
 volumes:
  postgres_data:
  redis_data:
@@ -0,0 +1,68 @@
 import http from 'k6/http';
 import { check, sleep } from 'k6';
 import { Rate } from 'k6/metrics';
 // Custom metric to explicitly track the percentage of unauthorized requests
 const unauthorizedRate = new Rate('unauthorized_rate');
 export const options = {
  // Test scenario: 1000 virtual users executing 1 iteration each
  vus: 1000,
  iterations: 1000,
  // We can also define thresholds for CI/CD pipelines
  thresholds: {
    'http_req_duration': ['p(95)<500'], // 95% of requests must complete below 500ms
    'unauthorized_rate': ['rate==0'],   // 0% unauthorized errors (strict constraint)
  },
 };
 const BASE_URL = 'http://localhost:5064';
 export default function () {
  // --- Setup / Login Phase ---
  // Each VU initializes its own secure session and receives a unique token.
  const initRes = http.post(`${BASE_URL}/Init`);
  check(initRes, {
    'init status is 200': (r) => r.status === 200,
    'init returned sequenceId': (r) => r.json('initialSequenceId') !== undefined,
  });
  if (initRes.status !== 200) {
    return; // Stop VU if init fails to prevent cascading errors
  }
  // Local state for the virtual user
  let currentToken = initRes.json('initialSequenceId');
  // --- Stateful Mutation Phase ---
  // The VU performs 50 sequential requests. In a real scenario, these would be GET/POST/PUT.
  for (let i = 0; i < 50; i++) {
    const res = http.get(`${BASE_URL}/Secure/data`, {
      headers: {
        'X-Auth-Seq': currentToken,
      },
    });
    const success = check(res, {
      'status is 200': (r) => r.status === 200,
      'has X-Next-Seq header': (r) => r.headers['X-Next-Seq'] !== undefined,
    });
    if (res.status === 401) {
      unauthorizedRate.add(1);
      console.error(`VU ${__VU} experienced sequence break on iteration ${i}! Received 401.`);
      break; // The chain is broken, stop further requests
    } else {
      unauthorizedRate.add(0);
    }
    if (success) {
      // Critical Step: Read X-Next-Seq from Response and save it for the next request in the chain
      currentToken = res.headers['X-Next-Seq'];
    }
    // Simulate real-world delay between operations (optional, but realistic)
    // sleep(Math.random() * 0.1); 
  }
 }
@@ -0,0 +1,27 @@
 {
  "name": "sequence-client",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "sequence-client",
      "version": "1.0.0",
      "devDependencies": {
        "typescript": "^5.4.0"
      }
    },
    "node_modules/typescript": {
      "version": "5.9.3",
      "dev": true,
      "license": "Apache-2.0",
      "bin": {
        "tsc": "bin/tsc",
        "tsserver": "bin/tsserver"
      },
      "engines": {
        "node": ">=14.17"
      }
    }
  }
 }
@@ -0,0 +1,14 @@
 {
  "name": "sequence-client",
  "version": "1.0.0",
  "main": "dist/index.js",
  "types": "dist/index.d.ts",
  "scripts": {
    "build": "tsc",
    "dev": "tsc --watch"
  },
  "dependencies": {},
  "devDependencies": {
    "typescript": "^5.4.0"
  }
 }
@@ -0,0 +1,9 @@
 export const SequenceConfig = {
  authHeader: 'X-Auth-Seq',
  nextHeader: 'X-Next-Seq',
  requestsRemainingHeader: 'X-Requests-Remaining'
 };
 export function configureSequenceAuth(config: Partial<typeof SequenceConfig>) {
  Object.assign(SequenceConfig, config);
 }
@@ -0,0 +1,56 @@
 import { sequenceQueue } from './queue-manager';
 import { SequenceStore } from './sequence-store';
 import { SequenceState } from './models';
 import { SequenceConfig } from './config';
 export function SequenceProtected(customAuthHeader?: string, customNextHeader?: string) {
  return function (target: any, propertyKey: string, descriptor: PropertyDescriptor) {
    const originalMethod = descriptor.value;
    descriptor.value = function (...args: any[]) {
      return sequenceQueue.enqueue(async () => {
        const data = SequenceStore.get();
        if (data.state === SequenceState.Compromised) {
          throw new Error('Session is compromised. Please log in again.');
        }
        const initIndex = Math.max(0, originalMethod.length - 1);
        let init: RequestInit = args[initIndex] || {};
        const headers = new Headers(init.headers);
        const authHeader = customAuthHeader || SequenceConfig.authHeader;
        const nextHeader = customNextHeader || SequenceConfig.nextHeader;
        if (data.state === SequenceState.Active && data.token) {
          headers.set(authHeader, data.token);
        }
        init.headers = headers;
        args[initIndex] = init;
        // Execute original fetch method
        const response: Response = await originalMethod.apply(this, args);
        if (response.status === 401) {
          SequenceStore.set({ state: SequenceState.Compromised });
          throw new Error('Sequence validation failed (401). Session compromised.');
        }
        const remainingHeader = SequenceConfig.requestsRemainingHeader;
        const nextSeq = response.headers.get(nextHeader);
        const remainingStr = response.headers.get(remainingHeader);
        const remaining = remainingStr ? parseInt(remainingStr, 10) : undefined;
        if (nextSeq) {
          SequenceStore.set({ state: SequenceState.Active, token: nextSeq, requestsRemaining: remaining });
        }
        return response;
      });
    };
    return descriptor;
  };
 }
@@ -0,0 +1,5 @@
 export * from './models';
 export * from './sequence-store';
 export * from './queue-manager';
 export * from './decorators';
 export * from './config';
@@ -0,0 +1,19 @@
 export enum SequenceState {
  Empty = 'Empty',
  Active = 'Active',
  Compromised = 'Compromised'
 }
 export enum QueueStatus {
  Idle = 'Idle',
  Processing = 'Processing',
  Paused = 'Paused'
 }
 export type FetchStatus = 'Idle' | 'Loading' | 'Success' | 'Error';
 export interface SequenceData {
  state: SequenceState;
  token?: string;
  requestsRemaining?: number;
 }
@@ -0,0 +1,47 @@
 import { QueueStatus, SequenceState } from './models';
 import { SequenceStore } from './sequence-store';
 type Task<T> = () => Promise<T>;
 export class QueueManager {
  private queue: Array<{ task: Task<any>, resolve: (val: any) => void, reject: (err: any) => void }> = [];
  private status: QueueStatus = QueueStatus.Idle;
  async enqueue<T>(task: Task<T>): Promise<T> {
    const data = SequenceStore.get();
    if (data.state === SequenceState.Compromised) {
      return Promise.reject(new Error('Sequence state is compromised. Re-authentication required.'));
    }
    return new Promise<T>((resolve, reject) => {
      this.queue.push({ task, resolve, reject });
      this.processNext();
    });
  }
  private async processNext(): Promise<void> {
    if (this.status !== QueueStatus.Idle) {
      return;
    }
    const nextItem = this.queue.shift();
    if (!nextItem) {
      return;
    }
    this.status = QueueStatus.Processing;
    try {
      const result = await nextItem.task();
      nextItem.resolve(result);
    } catch (err) {
      nextItem.reject(err);
    } finally {
      this.status = QueueStatus.Idle;
      this.processNext();
    }
  }
 }
 export const sequenceQueue = new QueueManager();
@@ -0,0 +1,26 @@
 import { SequenceState, SequenceData } from './models';
 export class SequenceStore {
  private static readonly STORAGE_KEY = 'sequence_token_data';
  static get(): SequenceData {
    const data = localStorage.getItem(this.STORAGE_KEY);
    if (!data) {
      return { state: SequenceState.Empty };
    }
    try {
      return JSON.parse(data) as SequenceData;
    } catch {
      return { state: SequenceState.Empty };
    }
  }
  static set(data: SequenceData): void {
    localStorage.setItem(this.STORAGE_KEY, JSON.stringify(data));
  }
  static clear(): void {
    localStorage.removeItem(this.STORAGE_KEY);
  }
 }
@@ -0,0 +1,15 @@
 {
  "compilerOptions": {
    "outDir": "./dist",
    "rootDir": "./src",
    "declaration": true,
    "target": "ES2022",
    "module": "ESNext",
    "moduleResolution": "node",
    "strict": true,
    "esModuleInterop": true,
    "skipLibCheck": true,
    "experimentalDecorators": true
  },
  "include": ["src/**/*"]
 }
		`@@ -0,0 +1 @@`
							<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="iconify iconify--logos" width="35.93" height="32" preserveAspectRatio="xMidYMid meet" viewBox="0 0 256 228"><path fill="#00D8FF" d="M210.483 73.824a171.49 171.49 0 0 0-8.24-2.597c.465-1.9.893-3.777 1.273-5.621c6.238-30.281 2.16-54.676-11.769-62.708c-13.355-7.7-35.196.329-57.254 19.526a171.23 171.23 0 0 0-6.375 5.848a155.866 155.866 0 0 0-4.241-3.917C100.759 3.829 77.587-4.822 63.673 3.233C50.33 10.957 46.379 33.89 51.995 62.588a170.974 170.974 0 0 0 1.892 8.48c-3.28.932-6.445 1.924-9.474 2.98C17.309 83.498 0 98.307 0 113.668c0 15.865 18.582 31.778 46.812 41.427a145.52 145.52 0 0 0 6.921 2.165a167.467 167.467 0 0 0-2.01 9.138c-5.354 28.2-1.173 50.591 12.134 58.266c13.744 7.926 36.812-.22 59.273-19.855a145.567 145.567 0 0 0 5.342-4.923a168.064 168.064 0 0 0 6.92 6.314c21.758 18.722 43.246 26.282 56.54 18.586c13.731-7.949 18.194-32.003 12.4-61.268a145.016 145.016 0 0 0-1.535-6.842c1.62-.48 3.21-.974 4.76-1.488c29.348-9.723 48.443-25.443 48.443-41.52c0-15.417-17.868-30.326-45.517-39.844Zm-6.365 70.984c-1.4.463-2.836.91-4.3 1.345c-3.24-10.257-7.612-21.163-12.963-32.432c5.106-11 9.31-21.767 12.459-31.957c2.619.758 5.16 1.557 7.61 2.4c23.69 8.156 38.14 20.213 38.14 29.504c0 9.896-15.606 22.743-40.946 31.14Zm-10.514 20.834c2.562 12.94 2.927 24.64 1.23 33.787c-1.524 8.219-4.59 13.698-8.382 15.893c-8.067 4.67-25.32-1.4-43.927-17.412a156.726 156.726 0 0 1-6.437-5.87c7.214-7.889 14.423-17.06 21.459-27.246c12.376-1.098 24.068-2.894 34.671-5.345a134.17 134.17 0 0 1 1.386 6.193ZM87.276 214.515c-7.882 2.783-14.16 2.863-17.955.675c-8.075-4.657-11.432-22.636-6.853-46.752a156.923 156.923 0 0 1 1.869-8.499c10.486 2.32 22.093 3.988 34.498 4.994c7.084 9.967 14.501 19.128 21.976 27.15a134.668 134.668 0 0 1-4.877 4.492c-9.933 8.682-19.886 14.842-28.658 17.94ZM50.35 144.747c-12.483-4.267-22.792-9.812-29.858-15.863c-6.35-5.437-9.555-10.836-9.555-15.216c0-9.322 13.897-21.212 37.076-29.293c2.813-.98 5.757-1.905 8.812-2.773c3.204 10.42 7.406 21.315 12.477 32.332c-5.137 11.18-9.399 22.249-12.634 32.792a134.718 134.718 0 0 1-6.318-1.979Zm12.378-84.26c-4.811-24.587-1.616-43.134 6.425-47.789c8.564-4.958 27.502 2.111 47.463 19.835a144.318 144.318 0 0 1 3.841 3.545c-7.438 7.987-14.787 17.08-21.808 26.988c-12.04 1.116-23.565 2.908-34.161 5.309a160.342 160.342 0 0 1-1.76-7.887Zm110.427 27.268a347.8 347.8 0 0 0-7.785-12.803c8.168 1.033 15.994 2.404 23.343 4.08c-2.206 7.072-4.956 14.465-8.193 22.045a381.151 381.151 0 0 0-7.365-13.322Zm-45.032-43.861c5.044 5.465 10.096 11.566 15.065 18.186a322.04 322.04 0 0 0-30.257-.006c4.974-6.559 10.069-12.652 15.192-18.18ZM82.802 87.83a323.167 323.167 0 0 0-7.227 13.238c-3.184-7.553-5.909-14.98-8.134-22.152c7.304-1.634 15.093-2.97 23.209-3.984a321.524 321.524 0 0 0-7.848 12.897Zm8.081 65.352c-8.385-.936-16.291-2.203-23.593-3.793c2.26-7.3 5.045-14.885 8.298-22.6a321.187 321.187 0 0 0 7.257 13.246c2.594 4.48 5.28 8.868 8.038 13.147Zm37.542 31.03c-5.184-5.592-10.354-11.779-15.403-18.433c4.902.192 9.899.29 14.978.29c5.218 0 10.376-.117 15.453-.343c-4.985 6.774-10.018 12.97-15.028 18.486Zm52.198-57.817c3.422 7.8 6.306 15.345 8.596 22.52c-7.422 1.694-15.436 3.058-23.88 4.071a382.417 382.417 0 0 0 7.859-13.026a347.403 347.403 0 0 0 7.425-13.565Zm-16.898 8.101a358.557 358.557 0 0 1-12.281 19.815a329.4 329.4 0 0 1-23.444.823c-7.967 0-15.716-.248-23.178-.732a310.202 310.202 0 0 1-12.513-19.846h.001a307.41 307.41 0 0 1-10.923-20.627a310.278 310.278 0 0 1 10.89-20.637l-.001.001a307.318 307.318 0 0 1 12.413-19.761c7.613-.576 15.42-.876 23.31-.876H128c7.926 0 15.743.303 23.354.883a329.357 329.357 0 0 1 12.335 19.695a358.489 358.489 0 0 1 11.036 20.54a329.472 329.472 0 0 1-11 20.722Zm22.56-122.124c8.572 4.944 11.906 24.881 6.52 51.026c-.344 1.668-.73 3.367-1.15 5.09c-10.622-2.452-22.155-4.275-34.23-5.408c-7.034-10.017-14.323-19.124-21.64-27.008a160.789 160.789 0 0 1 5.888-5.4c18.9-16.447 36.564-22.941 44.612-18.3ZM128 90.808c12.625 0 22.86 10.235 22.86 22.86s-10.235 22.86-22.86 22.86s-22.86-10.235-22.86-22.86s10.235-22.86 22.86-22.86Z"></path></svg>