@every-app/sdk 0.1.11 → 0.1.13

package/dist/cloudflare/server/gateway.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"gateway.d.ts","sourceRoot":"","sources":["../../../src/cloudflare/server/gateway.ts"],"names":[],"mappings":"AAGA,UAAU,cAAc;IACtB,KAAK,CAAC,KAAK,EAAE,WAAW,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACxE;AAED,UAAU,UAAU;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,cAAc,CAAC;IACnC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,mBAAmB;IAC3B,GAAG,EAAE,UAAU,CAAC;IAChB;8DAC0D;IAC1D,GAAG,EAAE,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC;IAC5B,kFAAkF;IAClF,IAAI,CAAC,EAAE,WAAW,CAAC;CACpB;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,UAAU,GAAG,MAAM,CAMrD;AAED;;;;;;;GAOG;AACH,wBAAsB,YAAY,CAAC,EACjC,GAAG,EACH,GAAG,EACH,IAAI,GACL,EAAE,mBAAmB,GAAG,OAAO,CAAC,QAAQ,CAAC,CAgBzC"}
+{"version":3,"file":"gateway.d.ts","sourceRoot":"","sources":["../../../src/cloudflare/server/gateway.ts"],"names":[],"mappings":"AAGA,UAAU,cAAc;IACtB,KAAK,CAAC,KAAK,EAAE,WAAW,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACxE;AAED,UAAU,UAAU;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,cAAc,CAAC;IACnC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,mBAAmB;IAC3B,GAAG,EAAE,UAAU,CAAC;IAChB;8DAC0D;IAC1D,GAAG,EAAE,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC;IAC5B,kFAAkF;IAClF,IAAI,CAAC,EAAE,WAAW,CAAC;CACpB;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,UAAU,GAAG,MAAM,CAMrD;AAED;;;;;;;GAOG;AACH,wBAAsB,YAAY,CAAC,EACjC,GAAG,EACH,GAAG,EACH,IAAI,GACL,EAAE,mBAAmB,GAAG,OAAO,CAAC,QAAQ,CAAC,CAiBzC"}

package/dist/cloudflare/server/gateway.js

@@ -19,18 +19,24 @@ export async function fetchGateway({ env, url, init, }) {
     const gatewayBaseUrl = getGatewayUrl(env);
     const resolvedRequest = toRequest(url, init, gatewayBaseUrl);
     const authenticatedRequest = applyAppTokenAuth(resolvedRequest, env);
-    // Use service binding when available for zero-latency internal routing
-    // (available in production Workers, not in local dev)
-    if (env.EVERY_APP_GATEWAY) {
+    // Use service binding in production for zero-latency internal routing.
+    // In local dev wrangler still exposes the binding object, but the target
+    // service usually isn't running locally, so we skip it and use HTTP fetch.
+    if (import.meta.env.PROD && env.EVERY_APP_GATEWAY) {
         const url = new URL(authenticatedRequest.url);
         const bindingUrl = `${SERVICE_BINDING_ORIGIN}${url.pathname}${url.search}`;
         const bindingRequest = new Request(bindingUrl, authenticatedRequest);
         return env.EVERY_APP_GATEWAY.fetch(bindingRequest);
     }
-    // Fall back to HTTP fetch for local dev
+    // HTTP fetch – used in local dev, or as a fallback when no binding exists
     return fetch(authenticatedRequest);
 }
 function applyAppTokenAuth(request, env) {
+    const gatewayOrigin = new URL(getGatewayUrl(env)).origin;
+    const requestOrigin = new URL(request.url).origin;
+    if (requestOrigin !== gatewayOrigin) {
+        throw new Error(`Refusing to send gateway token to non-gateway origin: ${requestOrigin}`);
+    }
     const appToken = getGatewayAppApiToken(env);
     if (!appToken) {
         throw new Error("GATEWAY_APP_API_TOKEN is required. Run `npx everyapp app deploy` to provision one.");

package/dist/core/index.d.ts

@@ -1,4 +1,4 @@
-export { SessionManager, isRunningInIframe } from "./sessionManager.js";
-export type { SessionManagerConfig } from "./sessionManager.js";
+export { SessionManager, isRunningInIframe, isRunningInReactNativeWebView, detectEnvironment, } from "./sessionManager.js";
+export type { SessionManagerConfig, EmbeddedEnvironment, } from "./sessionManager.js";
 export { authenticatedFetch, getSessionToken } from "./authenticatedFetch.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/core/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxE,YAAY,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAEhE,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EACd,iBAAiB,EACjB,6BAA6B,EAC7B,iBAAiB,GAClB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC"}

package/dist/core/index.js

@@ -1,2 +1,2 @@
-export { SessionManager, isRunningInIframe } from "./sessionManager.js";
+export { SessionManager, isRunningInIframe, isRunningInReactNativeWebView, detectEnvironment, } from "./sessionManager.js";
 export { authenticatedFetch, getSessionToken } from "./authenticatedFetch.js";

package/dist/core/sessionManager.d.ts

@@ -1,23 +1,45 @@
 export interface SessionManagerConfig {
     appId: string;
 }
+/**
+ * Environment detection types
+ */
+export type EmbeddedEnvironment = "iframe" | "react-native-webview" | "standalone";
 /**
  * Detects whether the current window is running inside an iframe.
  * Returns true if in an iframe, false if running as top-level window.
  */
 export declare function isRunningInIframe(): boolean;
+/**
+ * Detects whether the current window is running inside a React Native WebView.
+ * Returns true if window.ReactNativeWebView is available.
+ */
+export declare function isRunningInReactNativeWebView(): boolean;
+/**
+ * Detects the current embedded environment.
+ * Priority: React Native WebView > iframe > standalone
+ */
+export declare function detectEnvironment(): EmbeddedEnvironment;
 export declare class SessionManager {
     readonly parentOrigin: string;
     readonly appId: string;
     readonly isInIframe: boolean;
+    readonly environment: EmbeddedEnvironment;
     readonly isBypassGatewayLocalOnly: boolean;
-    /** @deprecated Use isBypassGatewayLocalOnly instead. */
-    readonly isDemoModeLocalOnly: boolean;
     private token;
     private refreshPromise;
+    private tokenWaiters;
     constructor(config: SessionManagerConfig);
+    /**
+     * Check if running in an embedded environment (iframe or React Native WebView)
+     */
+    isEmbedded(): boolean;
+    isTrustedHostMessage(event: MessageEvent): boolean;
+    postToHost(message: object): void;
     private isTokenExpiringSoon;
     private postMessageWithResponse;
+    private setupReactNativeTokenListener;
+    private waitForReactNativeTokenPush;
     requestNewToken(): Promise<string>;
     getToken(): Promise<string>;
     getTokenState(): {

package/dist/core/sessionManager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sessionManager.d.ts","sourceRoot":"","sources":["../../src/core/sessionManager.ts"],"names":[],"mappings":"AAkBA,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;CACf;AAMD;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAQ3C;AAED,qBAAa,cAAc;IACzB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;IAC7B,QAAQ,CAAC,wBAAwB,EAAE,OAAO,CAAC;IAC3C,wDAAwD;IACxD,QAAQ,CAAC,mBAAmB,EAAE,OAAO,CAAC;IAEtC,OAAO,CAAC,KAAK,CAA6B;IAC1C,OAAO,CAAC,cAAc,CAAgC;gBAE1C,MAAM,EAAE,oBAAoB;IAqCxC,OAAO,CAAC,mBAAmB;IAO3B,OAAO,CAAC,uBAAuB;IAuCzB,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC;IAsDlC,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;IAcjC,aAAa,IAAI;QACf,MAAM,EAAE,UAAU,GAAG,OAAO,GAAG,SAAS,GAAG,YAAY,CAAC;QACxD,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;KACtB;IAgBD;;;OAGG;IACH,OAAO,IAAI;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;CA+BpD"}
+{"version":3,"file":"sessionManager.d.ts","sourceRoot":"","sources":["../../src/core/sessionManager.ts"],"names":[],"mappings":"AAiEA,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;CACf;AAOD;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAC3B,QAAQ,GACR,sBAAsB,GACtB,YAAY,CAAC;AAEjB;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAY3C;AAED;;;GAGG;AACH,wBAAgB,6BAA6B,IAAI,OAAO,CASvD;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,mBAAmB,CAWvD;AAED,qBAAa,cAAc;IACzB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;IAC7B,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAC;IAC1C,QAAQ,CAAC,wBAAwB,EAAE,OAAO,CAAC;IAE3C,OAAO,CAAC,KAAK,CAA6B;IAC1C,OAAO,CAAC,cAAc,CAAgC;IACtD,OAAO,CAAC,YAAY,CAIZ;gBAEI,MAAM,EAAE,oBAAoB;IAyCxC;;OAEG;IACH,UAAU,IAAI,OAAO;IAIrB,oBAAoB,CAAC,KAAK,EAAE,YAAY,GAAG,OAAO;IAelD,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAiBjC,OAAO,CAAC,mBAAmB;IAO3B,OAAO,CAAC,uBAAuB;IA+C/B,OAAO,CAAC,6BAA6B;IAgErC,OAAO,CAAC,2BAA2B;IAmB7B,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC;IAgElC,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;IAcjC,aAAa,IAAI;QACf,MAAM,EAAE,UAAU,GAAG,OAAO,GAAG,SAAS,GAAG,YAAY,CAAC;QACxD,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;KACtB;IAgBD;;;OAGG;IACH,OAAO,IAAI;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;CA0BpD"}

package/dist/core/sessionManager.js

@@ -1,12 +1,47 @@
 import { BYPASS_GATEWAY_LOCAL_ONLY_EMAIL, BYPASS_GATEWAY_LOCAL_ONLY_TOKEN, BYPASS_GATEWAY_LOCAL_ONLY_USER_ID, isBypassGatewayLocalOnlyClient, } from "../shared/bypassGatewayLocalOnly.js";
+import { parseMessagePayload } from "../shared/parseMessagePayload.js";
+function isTokenUpdateMessage(data) {
+    if (!data || typeof data !== "object" || Array.isArray(data)) {
+        return false;
+    }
+    return data.type === "SESSION_TOKEN_UPDATE";
+}
+function decodeJwtPayload(token) {
+    try {
+        const parts = token.split(".");
+        if (parts.length !== 3) {
+            return null;
+        }
+        const base64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+        const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
+        return JSON.parse(atob(padded));
+    }
+    catch {
+        return null;
+    }
+}
+function tokenAudienceMatchesApp(payload, appId) {
+    const aud = payload.aud;
+    if (typeof aud === "string") {
+        return aud === appId;
+    }
+    if (Array.isArray(aud)) {
+        return aud.some((value) => value === appId);
+    }
+    return false;
+}
 const MESSAGE_TIMEOUT_MS = 5000;
 const TOKEN_EXPIRY_BUFFER_MS = 10000;
 const DEFAULT_TOKEN_LIFETIME_MS = 60000;
+const REACT_NATIVE_TOKEN_WAIT_TIMEOUT_MS = 10000;
 /**
  * Detects whether the current window is running inside an iframe.
  * Returns true if in an iframe, false if running as top-level window.
  */
 export function isRunningInIframe() {
+    if (typeof window === "undefined") {
+        return false;
+    }
     try {
         return window.self !== window.top;
     }
@@ -16,21 +51,46 @@ export function isRunningInIframe() {
         return true;
     }
 }
+/**
+ * Detects whether the current window is running inside a React Native WebView.
+ * Returns true if window.ReactNativeWebView is available.
+ */
+export function isRunningInReactNativeWebView() {
+    if (typeof window === "undefined") {
+        return false;
+    }
+    return (typeof window.ReactNativeWebView?.postMessage === "function" ||
+        window.isReactNativeWebView === true);
+}
+/**
+ * Detects the current embedded environment.
+ * Priority: React Native WebView > iframe > standalone
+ */
+export function detectEnvironment() {
+    const isRNWebView = isRunningInReactNativeWebView();
+    const isIframe = isRunningInIframe();
+    if (isRNWebView) {
+        return "react-native-webview";
+    }
+    if (isIframe) {
+        return "iframe";
+    }
+    return "standalone";
+}
 export class SessionManager {
     parentOrigin;
     appId;
     isInIframe;
+    environment;
     isBypassGatewayLocalOnly;
-    /** @deprecated Use isBypassGatewayLocalOnly instead. */
-    isDemoModeLocalOnly;
     token = null;
     refreshPromise = null;
+    tokenWaiters = [];
     constructor(config) {
         if (!config.appId) {
             throw new Error("[SessionManager] appId is required.");
         }
         this.isBypassGatewayLocalOnly = isBypassGatewayLocalOnlyClient();
-        this.isDemoModeLocalOnly = this.isBypassGatewayLocalOnly;
         const gatewayUrl = import.meta.env.VITE_GATEWAY_URL;
         if (!this.isBypassGatewayLocalOnly) {
             if (!gatewayUrl) {
@@ -47,7 +107,11 @@ export class SessionManager {
         this.parentOrigin = this.isBypassGatewayLocalOnly
             ? window.location.origin
             : gatewayUrl;
+        this.environment = detectEnvironment();
         this.isInIframe = isRunningInIframe();
+        if (this.environment === "react-native-webview") {
+            this.setupReactNativeTokenListener();
+        }
         if (this.isBypassGatewayLocalOnly) {
             this.token = {
                 token: BYPASS_GATEWAY_LOCAL_ONLY_TOKEN,
@@ -55,6 +119,34 @@ export class SessionManager {
             };
         }
     }
+    /**
+     * Check if running in an embedded environment (iframe or React Native WebView)
+     */
+    isEmbedded() {
+        return this.environment !== "standalone";
+    }
+    isTrustedHostMessage(event) {
+        if (this.environment === "react-native-webview") {
+            const origin = event
+                .origin;
+            return (origin === "react-native" ||
+                origin === "null" ||
+                origin === "" ||
+                origin == null);
+        }
+        return event.origin === this.parentOrigin;
+    }
+    postToHost(message) {
+        if (this.environment === "react-native-webview") {
+            const postMessage = window.ReactNativeWebView?.postMessage;
+            if (typeof postMessage !== "function") {
+                throw new Error("React Native WebView bridge is unavailable");
+            }
+            postMessage.call(window.ReactNativeWebView, JSON.stringify(message));
+            return;
+        }
+        window.parent.postMessage(message, this.parentOrigin);
+    }
     isTokenExpiringSoon(bufferMs = TOKEN_EXPIRY_BUFFER_MS) {
         if (!this.token)
             return true;
@@ -67,20 +159,19 @@ export class SessionManager {
                 window.removeEventListener("message", handler);
             };
             const handler = (event) => {
-                // Security: reject messages from wrong origin (including null from sandboxed iframes)
-                if (event.origin !== this.parentOrigin)
+                // Security: validate message origin based on environment
+                if (!this.isTrustedHostMessage(event))
                     return;
-                // Safety: ignore malformed messages that could crash the handler
-                if (!event.data || typeof event.data !== "object")
+                const data = parseMessagePayload(event.data);
+                if (!data)
                     return;
-                if (event.data.type === responseType &&
-                    event.data.requestId === requestId) {
+                if (data.type === responseType && data.requestId === requestId) {
                     cleanup();
-                    if (event.data.error) {
-                        reject(new Error(event.data.error));
+                    if (typeof data.error === "string" && data.error) {
+                        reject(new Error(data.error));
                     }
                     else {
-                        resolve(event.data);
+                        resolve(data);
                     }
                 }
             };
@@ -89,7 +180,77 @@ export class SessionManager {
                 reject(new Error("Token request timeout - parent did not respond"));
             }, MESSAGE_TIMEOUT_MS);
             window.addEventListener("message", handler);
-            window.parent.postMessage(request, this.parentOrigin);
+            try {
+                this.postToHost(request);
+            }
+            catch (error) {
+                cleanup();
+                reject(error instanceof Error
+                    ? error
+                    : new Error("Failed to post message to host"));
+            }
+        });
+    }
+    setupReactNativeTokenListener() {
+        window.addEventListener("message", (event) => {
+            if (!this.isTrustedHostMessage(event)) {
+                return;
+            }
+            const data = parseMessagePayload(event.data);
+            if (!data) {
+                return;
+            }
+            if (!isTokenUpdateMessage(data)) {
+                return;
+            }
+            const message = data;
+            if (!message.token || typeof message.token !== "string") {
+                return;
+            }
+            if (typeof message.appId !== "string" || message.appId !== this.appId) {
+                return;
+            }
+            if (message.expiresAt !== undefined &&
+                typeof message.expiresAt !== "string") {
+                return;
+            }
+            const payload = decodeJwtPayload(message.token);
+            if (!payload || !tokenAudienceMatchesApp(payload, this.appId)) {
+                return;
+            }
+            // Native controls token minting and pushes updates into the embedded app.
+            // We only consume pushed tokens in React Native WebView mode.
+            let expiresAt = Date.now() + DEFAULT_TOKEN_LIFETIME_MS;
+            if (message.expiresAt) {
+                const parsed = new Date(message.expiresAt).getTime();
+                if (!Number.isNaN(parsed)) {
+                    expiresAt = parsed;
+                }
+            }
+            this.token = {
+                token: message.token,
+                expiresAt,
+            };
+            if (this.tokenWaiters.length > 0) {
+                const waiters = this.tokenWaiters;
+                this.tokenWaiters = [];
+                for (const waiter of waiters) {
+                    clearTimeout(waiter.timeout);
+                    waiter.resolve(message.token);
+                }
+            }
+        });
+    }
+    waitForReactNativeTokenPush() {
+        if (this.token && !this.isTokenExpiringSoon()) {
+            return Promise.resolve(this.token.token);
+        }
+        return new Promise((resolve, reject) => {
+            const timeout = setTimeout(() => {
+                this.tokenWaiters = this.tokenWaiters.filter((w) => w.timeout !== timeout);
+                reject(new Error("Timed out waiting for token from React Native bridge"));
+            }, REACT_NATIVE_TOKEN_WAIT_TIMEOUT_MS);
+            this.tokenWaiters.push({ resolve, reject, timeout });
         });
     }
     async requestNewToken() {
@@ -103,6 +264,15 @@ export class SessionManager {
         if (this.refreshPromise) {
             return this.refreshPromise;
         }
+        if (this.environment === "react-native-webview") {
+            this.refreshPromise = this.waitForReactNativeTokenPush();
+            try {
+                return await this.refreshPromise;
+            }
+            finally {
+                this.refreshPromise = null;
+            }
+        }
         this.refreshPromise = (async () => {
             const requestId = crypto.randomUUID();
             const response = await this.postMessageWithResponse({
@@ -172,22 +342,16 @@ export class SessionManager {
         if (!this.token) {
             return null;
         }
-        try {
-            const parts = this.token.token.split(".");
-            if (parts.length !== 3) {
-                return null;
-            }
-            const payload = JSON.parse(atob(parts[1]));
-            if (!payload.sub) {
-                return null;
-            }
-            return {
-                userId: payload.sub,
-                email: payload.email ?? "",
-            };
+        const payload = decodeJwtPayload(this.token.token);
+        if (!payload) {
+            return null;
         }
-        catch {
+        if (typeof payload.sub !== "string") {
             return null;
         }
+        return {
+            userId: payload.sub,
+            email: typeof payload.email === "string" ? payload.email : "",
+        };
     }
 }

package/dist/shared/parseMessagePayload.d.ts

@@ -0,0 +1,3 @@
+export type MessagePayload = Record<string, unknown>;
+export declare function parseMessagePayload(data: unknown): MessagePayload | null;
+//# sourceMappingURL=parseMessagePayload.d.ts.map

package/dist/shared/parseMessagePayload.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parseMessagePayload.d.ts","sourceRoot":"","sources":["../../src/shared/parseMessagePayload.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAErD,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,OAAO,GAAG,cAAc,GAAG,IAAI,CAmBxE"}

package/dist/shared/parseMessagePayload.js

@@ -0,0 +1,18 @@
+export function parseMessagePayload(data) {
+    if (data && typeof data === "object" && !Array.isArray(data)) {
+        return data;
+    }
+    if (typeof data !== "string") {
+        return null;
+    }
+    try {
+        const parsed = JSON.parse(data);
+        if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+            return parsed;
+        }
+    }
+    catch {
+        return null;
+    }
+    return null;
+}

package/dist/tanstack/EmbeddedAppProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"EmbeddedAppProvider.d.ts","sourceRoot":"","sources":["../../src/tanstack/EmbeddedAppProvider.tsx"],"names":[],"mappings":"AAAA,OAAO,KAA6C,MAAM,OAAO,CAAC;AAClE,OAAO,EAEL,oBAAoB,EACrB,MAAM,2BAA2B,CAAC;AAKnC,UAAU,sBAAuB,SAAQ,oBAAoB;IAC3D,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;CAC3B;AAUD,wBAAgB,mBAAmB,CAAC,EAClC,QAAQ,EACR,GAAG,MAAM,EACV,EAAE,sBAAsB,kDA6BxB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,cAAc,IAAI;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAmBzE"}
+{"version":3,"file":"EmbeddedAppProvider.d.ts","sourceRoot":"","sources":["../../src/tanstack/EmbeddedAppProvider.tsx"],"names":[],"mappings":"AAAA,OAAO,KAA6C,MAAM,OAAO,CAAC;AAClE,OAAO,EAEL,oBAAoB,EACrB,MAAM,2BAA2B,CAAC;AAKnC,UAAU,sBAAuB,SAAQ,oBAAoB;IAC3D,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;CAC3B;AAUD,wBAAgB,mBAAmB,CAAC,EAClC,QAAQ,EACR,GAAG,MAAM,EACV,EAAE,sBAAsB,kDAgCxB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,cAAc,IAAI;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAmBzE"}

package/dist/tanstack/EmbeddedAppProvider.js

@@ -11,8 +11,9 @@ export function EmbeddedAppProvider({ children, ...config }) {
     useEveryAppRouter({ sessionManager });
     if (!sessionManager)
         return null;
-    // Check if the app is running outside of the Gateway iframe (skip in demo mode)
-    if (!sessionManager.isInIframe && !sessionManager.isBypassGatewayLocalOnly) {
+    // Check if the app is running outside of the Gateway (iframe or React Native WebView)
+    if (!sessionManager.isEmbedded() &&
+        !sessionManager.isBypassGatewayLocalOnly) {
         return (_jsx(GatewayRequiredError, { gatewayOrigin: sessionManager.parentOrigin, appId: config.appId }));
     }
     const value = {

package/dist/tanstack/_internal/useEveryAppSession.d.ts

@@ -5,6 +5,8 @@ interface SessionManagerConfig {
 interface UseEveryAppSessionParams {
     sessionManagerConfig: SessionManagerConfig;
 }
+type SessionBootstrapGate = Pick<SessionManager, "isEmbedded" | "isBypassGatewayLocalOnly">;
+export declare function shouldBootstrapSession(sessionManager: SessionBootstrapGate): boolean;
 export declare function useEveryAppSession({ sessionManagerConfig, }: UseEveryAppSessionParams): {
     sessionManager: SessionManager | null;
     sessionTokenState: {

package/dist/tanstack/_internal/useEveryAppSession.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useEveryAppSession.d.ts","sourceRoot":"","sources":["../../../src/tanstack/_internal/useEveryAppSession.tsx"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAE9D,UAAU,oBAAoB;IAC5B,KAAK,EAAE,MAAM,CAAC;CACf;AAED,UAAU,wBAAwB;IAChC,oBAAoB,EAAE,oBAAoB,CAAC;CAC5C;AAED,wBAAgB,kBAAkB,CAAC,EACjC,oBAAoB,GACrB,EAAE,wBAAwB;;;;;;EA+C1B"}
+{"version":3,"file":"useEveryAppSession.d.ts","sourceRoot":"","sources":["../../../src/tanstack/_internal/useEveryAppSession.tsx"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAE9D,UAAU,oBAAoB;IAC5B,KAAK,EAAE,MAAM,CAAC;CACf;AAED,UAAU,wBAAwB;IAChC,oBAAoB,EAAE,oBAAoB,CAAC;CAC5C;AAED,KAAK,oBAAoB,GAAG,IAAI,CAC9B,cAAc,EACd,YAAY,GAAG,0BAA0B,CAC1C,CAAC;AAEF,wBAAgB,sBAAsB,CACpC,cAAc,EAAE,oBAAoB,GACnC,OAAO,CAKT;AAED,wBAAgB,kBAAkB,CAAC,EACjC,oBAAoB,GACrB,EAAE,wBAAwB;;;;;;EA8C1B"}

package/dist/tanstack/_internal/useEveryAppSession.js

@@ -1,5 +1,11 @@
 import { useEffect, useRef, useState } from "react";
 import { SessionManager } from "../../core/sessionManager.js";
+export function shouldBootstrapSession(sessionManager) {
+    // Bootstrapping should happen whenever the app is hosted by a trusted container.
+    // This intentionally keys off embedded environment semantics (iframe OR RN WebView),
+    // not iframe-only detection, so RN can initialize auth from pushed tokens.
+    return sessionManager.isEmbedded() || sessionManager.isBypassGatewayLocalOnly;
+}
 export function useEveryAppSession({ sessionManagerConfig, }) {
     const sessionManagerRef = useRef(null);
     const [sessionTokenState, setSessionTokenState] = useState({
@@ -13,8 +19,8 @@ export function useEveryAppSession({ sessionManagerConfig, }) {
     useEffect(() => {
         if (!sessionManager)
             return;
-        // Skip token requests when not in iframe (unless in demo mode) - the app will show GatewayRequiredError instead
-        if (!sessionManager.isInIframe && !sessionManager.isBypassGatewayLocalOnly)
+        // Skip token bootstrap when not embedded (unless in demo mode) - the app will show GatewayRequiredError instead
+        if (!shouldBootstrapSession(sessionManager))
             return;
         const interval = setInterval(() => {
             setSessionTokenState(sessionManager.getTokenState());

package/dist/tanstack/server/authenticateRequest.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authenticateRequest.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authenticateRequest.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAQ7C;;;GAGG;AACH,UAAU,mBAAmB;IAC3B,8BAA8B;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,6DAA6D;IAC7D,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,UAAU,EACtB,eAAe,CAAC,EAAE,OAAO,GACxB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CA8CrC;AAyCD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAK3E"}
+{"version":3,"file":"authenticateRequest.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authenticateRequest.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAQ7C;;;GAGG;AACH,UAAU,mBAAmB;IAC3B,8BAA8B;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,6DAA6D;IAC7D,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,UAAU,EACtB,eAAe,CAAC,EAAE,OAAO,GACxB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CAoDrC;AAyCD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAK3E"}

package/dist/tanstack/server/authenticateRequest.js

@@ -27,10 +27,15 @@ export async function authenticateRequest(authConfig, providedRequest) {
         return session;
     }
     catch (error) {
+        const isProd = import.meta.env.PROD === true;
         console.error(JSON.stringify({
             message: "Error verifying session token",
             error: error instanceof Error ? error.message : String(error),
-            stack: error instanceof Error ? error.stack : undefined,
+            stack: isProd === true
+                ? undefined
+                : error instanceof Error
+                    ? error.stack
+                    : undefined,
             errorType: error instanceof Error ? error.constructor.name : "Unknown",
             issuer: authConfig.issuer,
             audience: authConfig.audience,

package/dist/tanstack/useEveryAppRouter.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useEveryAppRouter.d.ts","sourceRoot":"","sources":["../../src/tanstack/useEveryAppRouter.tsx"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAG3D,UAAU,uBAAuB;IAC/B,cAAc,EAAE,cAAc,GAAG,IAAI,CAAC;CACvC;AAED,wBAAgB,iBAAiB,CAAC,EAAE,cAAc,EAAE,EAAE,uBAAuB,QAmE5E"}
+{"version":3,"file":"useEveryAppRouter.d.ts","sourceRoot":"","sources":["../../src/tanstack/useEveryAppRouter.tsx"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAI3D,UAAU,uBAAuB;IAC/B,cAAc,EAAE,cAAc,GAAG,IAAI,CAAC;CACvC;AAED,wBAAgB,iBAAiB,CAAC,EAAE,cAAc,EAAE,EAAE,uBAAuB,QAyE5E"}

package/dist/tanstack/useEveryAppRouter.js

@@ -1,5 +1,6 @@
 import { useEffect } from "react";
 import { useRouter } from "@tanstack/react-router";
+import { parseMessagePayload } from "../shared/parseMessagePayload.js";
 export function useEveryAppRouter({ sessionManager }) {
     const router = useRouter();
     // Route synchronization effect
@@ -8,11 +9,15 @@ export function useEveryAppRouter({ sessionManager }) {
             return;
         // Listen for route sync messages from parent
         const handleMessage = (event) => {
-            if (event.origin !== sessionManager.parentOrigin)
+            // Validate origin based on environment
+            if (!sessionManager.isTrustedHostMessage(event))
                 return;
-            if (event.data.type === "ROUTE_CHANGE" &&
-                event.data.direction === "parent-to-child") {
-                const targetRoute = event.data.route;
+            const data = parseMessagePayload(event.data);
+            if (!data)
+                return;
+            if (data.type === "ROUTE_CHANGE" &&
+                data.direction === "parent-to-child") {
+                const targetRoute = typeof data.route === "string" ? data.route : null;
                 const currentRoute = window.location.pathname;
                 // Only navigate if the route is different from current location
                 if (targetRoute && targetRoute !== currentRoute) {
@@ -30,13 +35,17 @@ export function useEveryAppRouter({ sessionManager }) {
                 return;
             }
             lastReportedPath = currentPath;
-            if (window.parent !== window) {
-                window.parent.postMessage({
-                    type: "ROUTE_CHANGE",
-                    route: currentPath,
-                    appId: sessionManager.appId,
-                    direction: "child-to-parent",
-                }, sessionManager.parentOrigin);
+            const message = {
+                type: "ROUTE_CHANGE",
+                route: currentPath,
+                appId: sessionManager.appId,
+                direction: "child-to-parent",
+            };
+            try {
+                sessionManager.postToHost(message);
+            }
+            catch {
+                return;
             }
         };
         // Listen to popstate for browser back/forward

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@every-app/sdk",
-  "version": "0.1.11",
+  "version": "0.1.13",
   "license": "MIT",
   "type": "module",
   "exports": {
@@ -30,7 +30,10 @@
     "src"
   ],
   "scripts": {
+    "postinstall": "tsc -p tsconfig.build.json",
     "build": "tsc -p tsconfig.build.json",
+    "build:prepublish": "pnpm install --ignore-scripts && npm run types:check && npm run build",
+    "prepublishOnly": "npm run build:prepublish",
     "types:check": "tsc --noEmit",
     "format:check": "prettier --check .",
     "format:write": "prettier . --write",