/**
 * @gsc/web-kit/auth — client-side auth helpers.
 *
 * Server-side surface (createAuth, requireAuth) lives in
 * `@gsc/web-kit/auth/server`. The split keeps client bundles from
 * pulling in next-auth's server runtime.
 */

export type { SessionUser } from "./types";

/**
 * Client-side hard navigation to the sign-in endpoint. Use when a
 * component detects an auth-required action without a session — e.g.
 * a 401 from an API call.
 *
 * Default target matches createAuth's default (`/api/auth/signin/keycloak`).
 */
export function signInRedirect(callbackUrl?: string): void {
  if (typeof window === "undefined") return;
  // Match the server-side default. /api/auth/signin/<provider> is POST
  // only in NextAuth v5 — a GET navigation there returns UnknownAction.
  const target = "/api/auth/signin";
  const url = new URL(target, window.location.origin);
  url.searchParams.set("callbackUrl", callbackUrl ?? window.location.pathname);
  window.location.href = url.toString();
}