@oxyhq/core 1.0.2 → 1.1.0

package/src/OxyServices.base.ts

@@ -131,21 +131,38 @@ export class OxyServicesBase {
    */
   public clearTokens(): void {
     this.httpService.clearTokens();
+    this._cachedUserId = undefined;
+    this._cachedAccessToken = null;
   }
 
+  /** @internal */ _cachedUserId: string | null | undefined = undefined;
+  /** @internal */ _cachedAccessToken: string | null = null;
+
   /**
-   * Get the current user ID from the access token
+   * Get the current user ID from the access token.
+   * Caches the decoded value and invalidates when the token changes.
    */
   public getCurrentUserId(): string | null {
     const accessToken = this.httpService.getAccessToken();
+
+    // Return cached value if token hasn't changed
+    if (accessToken === this._cachedAccessToken && this._cachedUserId !== undefined) {
+      return this._cachedUserId;
+    }
+
+    this._cachedAccessToken = accessToken;
+
     if (!accessToken) {
+      this._cachedUserId = null;
       return null;
     }
-    
+
     try {
       const decoded = jwtDecode<JwtPayload>(accessToken);
-      return decoded.userId || decoded.id || null;
-    } catch (error) {
+      this._cachedUserId = decoded.userId || decoded.id || null;
+      return this._cachedUserId;
+    } catch {
+      this._cachedUserId = null;
       return null;
     }
   }

package/src/OxyServices.ts

@@ -58,6 +58,10 @@
  */
 import { OxyServicesBase, type OxyConfig } from './OxyServices.base';
 import { OxyAuthenticationError, OxyAuthenticationTimeoutError } from './OxyServices.errors';
+import type { SessionLoginResponse } from './models/session';
+import type { FedCMAuthOptions, FedCMConfig } from './mixins/OxyServices.fedcm';
+import type { PopupAuthOptions } from './mixins/OxyServices.popup';
+import type { RedirectAuthOptions } from './mixins/OxyServices.redirect';
 
 // Import mixin composition helper
 import { composeOxyServices } from './mixins';
@@ -106,8 +110,25 @@ export class OxyServices extends (OxyServicesComposed as any) {
 }
 
 // Type augmentation to expose mixin methods to TypeScript
-// This allows proper type checking while avoiding complex mixin type inference
-export interface OxyServices extends InstanceType<ReturnType<typeof composeOxyServices>> {}
+// This allows proper type checking while avoiding complex mixin type inference.
+// Explicit declarations are added for cross-domain auth methods that downstream
+// packages (auth-sdk, services) need without casting to `any`.
+export interface OxyServices extends InstanceType<ReturnType<typeof composeOxyServices>> {
+  // FedCM authentication
+  isFedCMSupported(): boolean;
+  signInWithFedCM(options?: FedCMAuthOptions): Promise<SessionLoginResponse>;
+  silentSignInWithFedCM(): Promise<SessionLoginResponse | null>;
+  revokeFedCMCredential(): Promise<void>;
+  getFedCMConfig(): FedCMConfig;
+
+  // Popup authentication
+  signInWithPopup(options?: PopupAuthOptions): Promise<SessionLoginResponse>;
+  signUpWithPopup(options?: PopupAuthOptions): Promise<SessionLoginResponse>;
+
+  // Redirect authentication
+  signInWithRedirect(options?: RedirectAuthOptions): void;
+  signUpWithRedirect(options?: RedirectAuthOptions): void;
+}
 
 // Re-export error classes for convenience
 export { OxyAuthenticationError, OxyAuthenticationTimeoutError };

package/src/crypto/keyManager.ts

@@ -9,6 +9,7 @@ import { ec as EC } from 'elliptic';
 import type { ECKeyPair } from 'elliptic';
 import { isWeb, isIOS, isAndroid } from '../utils/platform';
 import { logger } from '../utils/loggerUtils';
+import { isDev } from '../shared/utils/debugUtils';
 
 // Lazy imports for React Native specific modules
 let SecureStore: typeof import('expo-secure-store') | null = null;
@@ -49,7 +50,9 @@ const ANDROID_ACCOUNT_TYPE = 'com.oxy.account';
 async function initSecureStore(): Promise<typeof import('expo-secure-store')> {
   if (!SecureStore) {
     try {
-      SecureStore = await import('expo-secure-store');
+      // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
+      const moduleName = 'expo-secure-store';
+      SecureStore = await import(moduleName);
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : String(error);
       throw new Error(`Failed to load expo-secure-store: ${errorMessage}. Make sure expo-secure-store is installed and properly configured.`);
@@ -85,9 +88,11 @@ function isWebPlatform(): boolean {
 
 async function initExpoCrypto(): Promise<typeof import('expo-crypto')> {
   if (!ExpoCrypto) {
-    ExpoCrypto = await import('expo-crypto');
+    // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
+    const moduleName = 'expo-crypto';
+    ExpoCrypto = await import(moduleName);
   }
-  return ExpoCrypto;
+  return ExpoCrypto!;
 }
 
 /**
@@ -238,7 +243,7 @@ export class KeyManager {
     KeyManager.cachedSharedPublicKey = publicKey;
     KeyManager.cachedHasSharedIdentity = true;
 
-    if (__DEV__) {
+    if (isDev()) {
       logger.debug('Shared identity created successfully', { component: 'KeyManager' });
     }
 
@@ -277,7 +282,7 @@ export class KeyManager {
 
       return publicKey;
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to get shared public key', { component: 'KeyManager' }, error);
       }
       KeyManager.cachedSharedPublicKey = null;
@@ -312,7 +317,7 @@ export class KeyManager {
 
       return privateKey;
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to get shared private key', { component: 'KeyManager' }, error);
       }
       return null;
@@ -343,7 +348,7 @@ export class KeyManager {
 
       return hasShared;
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to check shared identity', { component: 'KeyManager' }, error);
       }
       KeyManager.cachedHasSharedIdentity = false;
@@ -392,7 +397,7 @@ export class KeyManager {
     KeyManager.cachedSharedPublicKey = publicKey;
     KeyManager.cachedHasSharedIdentity = true;
 
-    if (__DEV__) {
+    if (isDev()) {
       logger.debug('Shared identity imported successfully', { component: 'KeyManager' });
     }
 
@@ -431,11 +436,11 @@ export class KeyManager {
         await store.setItemAsync(STORAGE_KEYS.SHARED_SESSION_TOKEN, accessToken);
       }
 
-      if (__DEV__) {
+      if (isDev()) {
         logger.debug('Shared session stored successfully', { component: 'KeyManager' });
       }
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.error('Failed to store shared session', error, { component: 'KeyManager' });
       }
       throw error;
@@ -479,7 +484,7 @@ export class KeyManager {
 
       return { sessionId, accessToken };
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to get shared session', { component: 'KeyManager' }, error);
       }
       return null;
@@ -512,11 +517,11 @@ export class KeyManager {
         await store.deleteItemAsync(STORAGE_KEYS.SHARED_SESSION_TOKEN);
       }
 
-      if (__DEV__) {
+      if (isDev()) {
         logger.debug('Shared session cleared successfully', { component: 'KeyManager' });
       }
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.error('Failed to clear shared session', error, { component: 'KeyManager' });
       }
     }
@@ -540,7 +545,7 @@ export class KeyManager {
       // Check if we already have a shared identity
       const hasShared = await KeyManager.hasSharedIdentity();
       if (hasShared) {
-        if (__DEV__) {
+        if (isDev()) {
           logger.debug('Shared identity already exists, skipping migration', { component: 'KeyManager' });
         }
         return true;
@@ -549,7 +554,7 @@ export class KeyManager {
       // Get local identity
       const privateKey = await KeyManager.getPrivateKey();
       if (!privateKey) {
-        if (__DEV__) {
+        if (isDev()) {
           logger.debug('No local identity to migrate', { component: 'KeyManager' });
         }
         return false;
@@ -558,13 +563,13 @@ export class KeyManager {
       // Import to shared storage
       await KeyManager.importSharedIdentity(privateKey);
 
-      if (__DEV__) {
+      if (isDev()) {
         logger.debug('Successfully migrated local identity to shared identity', { component: 'KeyManager' });
       }
 
       return true;
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.error('Failed to migrate to shared identity', error, { component: 'KeyManager' });
       }
       return false;
@@ -635,7 +640,7 @@ export class KeyManager {
     } catch (error) {
       // If secure store is not available, return null (no identity)
       // This allows the app to continue functioning even if secure store fails to load
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to access secure store', { component: 'KeyManager' }, error);
       }
       return null;
@@ -665,7 +670,7 @@ export class KeyManager {
       // If secure store is not available, return null (no identity)
       // Cache null to avoid repeated failed attempts
       KeyManager.cachedPublicKey = null;
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to access secure store', { component: 'KeyManager' }, error);
       }
       return null;
@@ -695,7 +700,7 @@ export class KeyManager {
       // If we can't check, assume no identity (safer default)
       // Cache false to avoid repeated failed attempts
       KeyManager.cachedHasIdentity = false;
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to check identity', { component: 'KeyManager' }, error);
       }
       return false;
@@ -736,11 +741,11 @@ export class KeyManager {
     if (!skipBackup) {
       try {
         const backupSuccess = await KeyManager.backupIdentity();
-        if (!backupSuccess && typeof __DEV__ !== 'undefined' && __DEV__) {
+        if (!backupSuccess && isDev()) {
           logger.warn('Failed to backup identity before deletion - proceeding anyway', { component: 'KeyManager' });
         }
       } catch (backupError) {
-        if (typeof __DEV__ !== 'undefined' && __DEV__) {
+        if (isDev()) {
           logger.warn('Failed to backup identity before deletion', { component: 'KeyManager' }, backupError);
         }
       }
@@ -790,7 +795,7 @@ export class KeyManager {
 
       return true;
     } catch (error) {
-      if (typeof __DEV__ !== 'undefined' && __DEV__) {
+      if (isDev()) {
         logger.error('Failed to backup identity', error, { component: 'KeyManager' });
       }
       return false;
@@ -836,7 +841,7 @@ export class KeyManager {
 
       return true;
     } catch (error) {
-      if (typeof __DEV__ !== 'undefined' && __DEV__) {
+      if (isDev()) {
         logger.error('Identity integrity check failed', error, { component: 'KeyManager' });
       }
       return false;
@@ -893,7 +898,7 @@ export class KeyManager {
 
       return false;
     } catch (error) {
-      if (typeof __DEV__ !== 'undefined' && __DEV__) {
+      if (isDev()) {
         logger.error('Failed to restore identity from backup', error, { component: 'KeyManager' });
       }
       return false;

package/src/crypto/polyfill.ts

@@ -37,7 +37,12 @@ function getRandomBytesSync(byteCount: number): Uint8Array {
   if (!expoCryptoLoadAttempted) {
     expoCryptoLoadAttempted = true;
     try {
-      expoCryptoModule = require('expo-crypto');
+      // Only use require() in CJS environments (Metro/Node). In ESM (Vite/browser),
+      // crypto.getRandomValues exists natively so this code path is never reached.
+      if (typeof require !== 'undefined') {
+        const moduleName = 'expo-crypto';
+        expoCryptoModule = require(moduleName);
+      }
     } catch {
       // expo-crypto not available — expected in non-RN environments
     }

package/src/crypto/signatureService.ts

@@ -32,40 +32,44 @@ function isNodeJS(): boolean {
  */
 async function initExpoCrypto(): Promise<typeof import('expo-crypto')> {
   if (!ExpoCrypto) {
-    ExpoCrypto = await import('expo-crypto');
+    // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
+    const moduleName = 'expo-crypto';
+    ExpoCrypto = await import(moduleName);
   }
-  return ExpoCrypto;
+  return ExpoCrypto!;
 }
 
 /**
  * Compute SHA-256 hash of a string
  */
 async function sha256(message: string): Promise<string> {
-  // In React Native, always use expo-crypto
-  if (isReactNative() || !isNodeJS()) {
+  // In React Native, use expo-crypto
+  if (isReactNative()) {
     const Crypto = await initExpoCrypto();
     return Crypto.digestStringAsync(
       Crypto.CryptoDigestAlgorithm.SHA256,
       message
     );
   }
-  
+
   // In Node.js, use Node's crypto module
-  // Use Function constructor to prevent Metro bundler from statically analyzing this require
-  // This ensures the require is only evaluated in Node.js runtime, not during Metro bundling
-  try {
-    // eslint-disable-next-line @typescript-eslint/no-implied-eval
-    const getCrypto = new Function('return require("crypto")');
-    const crypto = getCrypto();
-    return crypto.createHash('sha256').update(message).digest('hex');
-  } catch (error) {
-    // Fallback to expo-crypto if Node crypto fails
-    const Crypto = await initExpoCrypto();
-    return Crypto.digestStringAsync(
-      Crypto.CryptoDigestAlgorithm.SHA256,
-      message
-    );
+  if (isNodeJS()) {
+    try {
+      // eslint-disable-next-line @typescript-eslint/no-implied-eval
+      const getCrypto = new Function('return require("crypto")');
+      const nodeCrypto = getCrypto();
+      return nodeCrypto.createHash('sha256').update(message).digest('hex');
+    } catch {
+      // Fall through to Web Crypto API
+    }
   }
+
+  // Browser: use Web Crypto API
+  const encoder = new TextEncoder();
+  const data = encoder.encode(message);
+  const hashBuffer = await globalThis.crypto.subtle.digest('SHA-256', data);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
 }
 
 export interface SignedMessage {
@@ -87,29 +91,33 @@ export class SignatureService {
    * Uses expo-crypto in React Native, crypto.randomBytes in Node.js
    */
   static async generateChallenge(): Promise<string> {
-    if (isReactNative() || !isNodeJS()) {
-      // Use expo-crypto for React Native (expo-random is deprecated)
+    // In React Native, use expo-crypto
+    if (isReactNative()) {
       const Crypto = await initExpoCrypto();
       const randomBytes = await Crypto.getRandomBytesAsync(32);
       return Array.from(randomBytes)
         .map((b: number) => b.toString(16).padStart(2, '0'))
         .join('');
     }
-    
-    // Node.js fallback
-    try {
-      // eslint-disable-next-line @typescript-eslint/no-implied-eval
-      const getCrypto = new Function('return require("crypto")');
-      const crypto = getCrypto();
-      return crypto.randomBytes(32).toString('hex');
-    } catch (error) {
-      // Fallback to expo-crypto if Node crypto fails
-      const Crypto = await initExpoCrypto();
-      const randomBytes = await Crypto.getRandomBytesAsync(32);
-      return Array.from(randomBytes)
-        .map((b: number) => b.toString(16).padStart(2, '0'))
-        .join('');
+
+    // In Node.js, use Node's crypto module
+    if (isNodeJS()) {
+      try {
+        // eslint-disable-next-line @typescript-eslint/no-implied-eval
+        const getCrypto = new Function('return require("crypto")');
+        const nodeCrypto = getCrypto();
+        return nodeCrypto.randomBytes(32).toString('hex');
+      } catch {
+        // Fall through to Web Crypto API
+      }
     }
+
+    // Browser: use Web Crypto API
+    const bytes = new Uint8Array(32);
+    globalThis.crypto.getRandomValues(bytes);
+    return Array.from(bytes)
+      .map(b => b.toString(16).padStart(2, '0'))
+      .join('');
   }
 
   /**
@@ -319,5 +327,3 @@ export class SignatureService {
 }
 
 export default SignatureService;
-
-

package/src/i18n/index.ts

@@ -1,52 +1,40 @@
-// Use JSON locale files (RN Metro supports static requires reliably)
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const enUS = require('./locales/en-US.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const esES = require('./locales/es-ES.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const caES = require('./locales/ca-ES.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const frFR = require('./locales/fr-FR.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const deDE = require('./locales/de-DE.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const itIT = require('./locales/it-IT.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const ptPT = require('./locales/pt-PT.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const jaJP = require('./locales/ja-JP.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const koKR = require('./locales/ko-KR.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const zhCN = require('./locales/zh-CN.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const arSA = require('./locales/ar-SA.json') as Record<string, any>;
+import enUS from './locales/en-US.json';
+import esES from './locales/es-ES.json';
+import caES from './locales/ca-ES.json';
+import frFR from './locales/fr-FR.json';
+import deDE from './locales/de-DE.json';
+import itIT from './locales/it-IT.json';
+import ptPT from './locales/pt-PT.json';
+import jaJP from './locales/ja-JP.json';
+import koKR from './locales/ko-KR.json';
+import zhCN from './locales/zh-CN.json';
+import arSA from './locales/ar-SA.json';
 
 export type LocaleDict = Record<string, any>;
 
 const DICTS: Record<string, LocaleDict> = {
-  'en': enUS as LocaleDict,
-  'en-US': enUS as LocaleDict,
-  'es': esES as LocaleDict,
-  'es-ES': esES as LocaleDict,
-  'ca': caES as LocaleDict,
-  'ca-ES': caES as LocaleDict,
-  'fr': frFR as LocaleDict,
-  'fr-FR': frFR as LocaleDict,
-  'de': deDE as LocaleDict,
-  'de-DE': deDE as LocaleDict,
-  'it': itIT as LocaleDict,
-  'it-IT': itIT as LocaleDict,
-  'pt': ptPT as LocaleDict,
-  'pt-PT': ptPT as LocaleDict,
-  'ja': jaJP as LocaleDict,
-  'ja-JP': jaJP as LocaleDict,
-  'ko': koKR as LocaleDict,
-  'ko-KR': koKR as LocaleDict,
-  'zh': zhCN as LocaleDict,
-  'zh-CN': zhCN as LocaleDict,
-  'ar': arSA as LocaleDict,
-  'ar-SA': arSA as LocaleDict,
+  'en': enUS,
+  'en-US': enUS,
+  'es': esES,
+  'es-ES': esES,
+  'ca': caES,
+  'ca-ES': caES,
+  'fr': frFR,
+  'fr-FR': frFR,
+  'de': deDE,
+  'de-DE': deDE,
+  'it': itIT,
+  'it-IT': itIT,
+  'pt': ptPT,
+  'pt-PT': ptPT,
+  'ja': jaJP,
+  'ja-JP': jaJP,
+  'ko': koKR,
+  'ko-KR': koKR,
+  'zh': zhCN,
+  'zh-CN': zhCN,
+  'ar': arSA,
+  'ar-SA': arSA,
 };
 
 const FALLBACK = 'en-US';

package/src/index.ts

@@ -27,6 +27,9 @@ export type { StorageAdapter, AuthStateChangeCallback, AuthMethod, AuthManagerCo
 
 export { CrossDomainAuth, createCrossDomainAuth } from './CrossDomainAuth';
 export type { CrossDomainAuthOptions } from './CrossDomainAuth';
+export type { FedCMAuthOptions, FedCMConfig } from './mixins/OxyServices.fedcm';
+export type { PopupAuthOptions } from './mixins/OxyServices.popup';
+export type { RedirectAuthOptions } from './mixins/OxyServices.redirect';
 
 // --- Crypto / Identity ---
 export { KeyManager, SignatureService, RecoveryPhraseService } from './crypto';

package/src/mixins/OxyServices.fedcm.ts

@@ -49,8 +49,8 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
       super(...(args as [any]));
     }
   public static readonly DEFAULT_CONFIG_URL = 'https://auth.oxy.so/fedcm.json';
-  public static readonly FEDCM_TIMEOUT = 60000; // 1 minute for interactive
-  public static readonly FEDCM_SILENT_TIMEOUT = 10000; // 10 seconds for silent mediation
+  public static readonly FEDCM_TIMEOUT = 15000; // 15 seconds for interactive
+  public static readonly FEDCM_SILENT_TIMEOUT = 3000; // 3 seconds for silent mediation
 
   /**
    * Check if FedCM is supported in the current browser
@@ -180,7 +180,10 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
     const clientId = this.getClientId();
     debug.log('Silent SSO: Starting for', clientId);
 
-    // First try silent mediation (no UI) - works if user previously consented
+    // Only try silent mediation (no UI) - works if user previously consented.
+    // We intentionally do NOT fall back to optional mediation here because
+    // this runs on app startup — showing browser UI without user action is bad UX.
+    // Optional/interactive mediation should only happen when the user clicks "Sign In".
     let credential: { token: string } | null = null;
 
     try {
@@ -196,36 +199,14 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
 
       debug.log('Silent SSO: Silent mediation result:', { hasCredential: !!credential, hasToken: !!credential?.token });
     } catch (silentError) {
-      // Silent mediation failed - this is expected if user hasn't consented before or is in quiet period
       const errorName = silentError instanceof Error ? silentError.name : 'Unknown';
       const errorMessage = silentError instanceof Error ? silentError.message : String(silentError);
-      debug.log('Silent SSO: Silent mediation error (will try optional):', { name: errorName, message: errorMessage });
-    }
-
-    // If silent failed, try optional mediation which shows browser UI if needed
-    if (!credential || !credential.token) {
-      try {
-        const nonce = this.generateNonce();
-        debug.log('Silent SSO: Trying optional mediation (may show browser UI)...');
-
-        credential = await this.requestIdentityCredential({
-          configURL: (this.constructor as any).DEFAULT_CONFIG_URL,
-          clientId,
-          nonce,
-          mediation: 'optional',
-        });
-
-        debug.log('Silent SSO: Optional mediation result:', { hasCredential: !!credential, hasToken: !!credential?.token });
-      } catch (optionalError) {
-        const errorName = optionalError instanceof Error ? optionalError.name : 'Unknown';
-        const errorMessage = optionalError instanceof Error ? optionalError.message : String(optionalError);
-        debug.log('Silent SSO: Optional mediation also failed:', { name: errorName, message: errorMessage });
-        return null;
-      }
+      debug.log('Silent SSO: Silent mediation failed:', { name: errorName, message: errorMessage });
+      return null;
     }
 
     if (!credential || !credential.token) {
-      debug.log('Silent SSO: No credential returned (user may have dismissed prompt or is not logged in at IdP)');
+      debug.log('Silent SSO: No credential returned (user not logged in at IdP or hasn\'t consented)');
       return null;
     }
 
@@ -392,9 +373,7 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
    * @private
    */
   public async exchangeIdTokenForSession(idToken: string): Promise<SessionLoginResponse> {
-    debug.log('exchangeIdTokenForSession: Starting exchange...');
-    debug.log('exchangeIdTokenForSession: Token length:', idToken?.length);
-    debug.log('exchangeIdTokenForSession: Token preview:', idToken?.substring(0, 50) + '...');
+    debug.log('Exchanging ID token for session...');
 
     try {
       const response = await this.makeRequest<SessionLoginResponse>(
@@ -404,23 +383,14 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
         { cache: false }
       );
 
-      debug.log('exchangeIdTokenForSession: Response received:', {
-        hasResponse: !!response,
-        hasSessionId: !!(response as any)?.sessionId,
-        hasUser: !!(response as any)?.user,
-        hasAccessToken: !!(response as any)?.accessToken,
-        userId: (response as any)?.user?.id,
-        username: (response as any)?.user?.username,
-        responseKeys: response ? Object.keys(response) : [],
+      debug.log('Token exchange complete:', {
+        hasSession: !!response?.sessionId,
+        hasUser: !!response?.user,
       });
 
       return response;
     } catch (error) {
-      debug.error('exchangeIdTokenForSession: Error:', {
-        name: error instanceof Error ? error.name : 'Unknown',
-        message: error instanceof Error ? error.message : String(error),
-        stack: error instanceof Error ? error.stack : undefined,
-      });
+      debug.error('Token exchange failed:', error instanceof Error ? error.message : String(error));
       throw error;
     }
   }

package/src/mixins/OxyServices.language.ts

@@ -4,6 +4,7 @@
 import { normalizeLanguageCode, getLanguageMetadata, getLanguageName, getNativeLanguageName } from '../utils/languageUtils';
 import type { LanguageMetadata } from '../utils/languageUtils';
 import type { OxyServicesBase } from '../OxyServices.base';
+import { isDev } from '../shared/utils/debugUtils';
 
 export function OxyServicesLanguageMixin<T extends typeof OxyServicesBase>(Base: T) {
   return class extends Base {
@@ -22,8 +23,10 @@ export function OxyServicesLanguageMixin<T extends typeof OxyServicesBase>(Base:
       
       if (isReactNative) {
         try {
-          const asyncStorageModule = await import('@react-native-async-storage/async-storage');
-          const storage = (asyncStorageModule.default as unknown) as import('@react-native-async-storage/async-storage').AsyncStorageStatic;
+          // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
+          const moduleName = '@react-native-async-storage/async-storage';
+          const asyncStorageModule = await import(moduleName);
+          const storage = asyncStorageModule.default as unknown as { getItem: (key: string) => Promise<string | null>; setItem: (key: string, value: string) => Promise<void>; removeItem: (key: string) => Promise<void> };
           return {
             getItem: storage.getItem.bind(storage),
             setItem: storage.setItem.bind(storage),
@@ -84,7 +87,7 @@ export function OxyServicesLanguageMixin<T extends typeof OxyServicesBase>(Base:
 
         return null;
       } catch (error) {
-        if (__DEV__) {
+        if (isDev()) {
           console.warn('Failed to get current language:', error);
         }
         return null;