@oxyhq/core 1.0.2 → 1.2.0

package/src/crypto/signatureService.ts

@@ -32,40 +32,44 @@ function isNodeJS(): boolean {
  */
 async function initExpoCrypto(): Promise<typeof import('expo-crypto')> {
   if (!ExpoCrypto) {
-    ExpoCrypto = await import('expo-crypto');
+    // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
+    const moduleName = 'expo-crypto';
+    ExpoCrypto = await import(moduleName);
   }
-  return ExpoCrypto;
+  return ExpoCrypto!;
 }
 
 /**
  * Compute SHA-256 hash of a string
  */
 async function sha256(message: string): Promise<string> {
-  // In React Native, always use expo-crypto
-  if (isReactNative() || !isNodeJS()) {
+  // In React Native, use expo-crypto
+  if (isReactNative()) {
     const Crypto = await initExpoCrypto();
     return Crypto.digestStringAsync(
       Crypto.CryptoDigestAlgorithm.SHA256,
       message
     );
   }
-  
+
   // In Node.js, use Node's crypto module
-  // Use Function constructor to prevent Metro bundler from statically analyzing this require
-  // This ensures the require is only evaluated in Node.js runtime, not during Metro bundling
-  try {
-    // eslint-disable-next-line @typescript-eslint/no-implied-eval
-    const getCrypto = new Function('return require("crypto")');
-    const crypto = getCrypto();
-    return crypto.createHash('sha256').update(message).digest('hex');
-  } catch (error) {
-    // Fallback to expo-crypto if Node crypto fails
-    const Crypto = await initExpoCrypto();
-    return Crypto.digestStringAsync(
-      Crypto.CryptoDigestAlgorithm.SHA256,
-      message
-    );
+  if (isNodeJS()) {
+    try {
+      // eslint-disable-next-line @typescript-eslint/no-implied-eval
+      const getCrypto = new Function('return require("crypto")');
+      const nodeCrypto = getCrypto();
+      return nodeCrypto.createHash('sha256').update(message).digest('hex');
+    } catch {
+      // Fall through to Web Crypto API
+    }
   }
+
+  // Browser: use Web Crypto API
+  const encoder = new TextEncoder();
+  const data = encoder.encode(message);
+  const hashBuffer = await globalThis.crypto.subtle.digest('SHA-256', data);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
 }
 
 export interface SignedMessage {
@@ -87,29 +91,33 @@ export class SignatureService {
    * Uses expo-crypto in React Native, crypto.randomBytes in Node.js
    */
   static async generateChallenge(): Promise<string> {
-    if (isReactNative() || !isNodeJS()) {
-      // Use expo-crypto for React Native (expo-random is deprecated)
+    // In React Native, use expo-crypto
+    if (isReactNative()) {
       const Crypto = await initExpoCrypto();
       const randomBytes = await Crypto.getRandomBytesAsync(32);
       return Array.from(randomBytes)
         .map((b: number) => b.toString(16).padStart(2, '0'))
         .join('');
     }
-    
-    // Node.js fallback
-    try {
-      // eslint-disable-next-line @typescript-eslint/no-implied-eval
-      const getCrypto = new Function('return require("crypto")');
-      const crypto = getCrypto();
-      return crypto.randomBytes(32).toString('hex');
-    } catch (error) {
-      // Fallback to expo-crypto if Node crypto fails
-      const Crypto = await initExpoCrypto();
-      const randomBytes = await Crypto.getRandomBytesAsync(32);
-      return Array.from(randomBytes)
-        .map((b: number) => b.toString(16).padStart(2, '0'))
-        .join('');
+
+    // In Node.js, use Node's crypto module
+    if (isNodeJS()) {
+      try {
+        // eslint-disable-next-line @typescript-eslint/no-implied-eval
+        const getCrypto = new Function('return require("crypto")');
+        const nodeCrypto = getCrypto();
+        return nodeCrypto.randomBytes(32).toString('hex');
+      } catch {
+        // Fall through to Web Crypto API
+      }
     }
+
+    // Browser: use Web Crypto API
+    const bytes = new Uint8Array(32);
+    globalThis.crypto.getRandomValues(bytes);
+    return Array.from(bytes)
+      .map(b => b.toString(16).padStart(2, '0'))
+      .join('');
   }
 
   /**
@@ -319,5 +327,3 @@ export class SignatureService {
 }
 
 export default SignatureService;
-
-

package/src/i18n/index.ts

@@ -1,52 +1,40 @@
-// Use JSON locale files (RN Metro supports static requires reliably)
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const enUS = require('./locales/en-US.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const esES = require('./locales/es-ES.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const caES = require('./locales/ca-ES.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const frFR = require('./locales/fr-FR.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const deDE = require('./locales/de-DE.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const itIT = require('./locales/it-IT.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const ptPT = require('./locales/pt-PT.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const jaJP = require('./locales/ja-JP.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const koKR = require('./locales/ko-KR.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const zhCN = require('./locales/zh-CN.json') as Record<string, any>;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const arSA = require('./locales/ar-SA.json') as Record<string, any>;
+import enUS from './locales/en-US.json';
+import esES from './locales/es-ES.json';
+import caES from './locales/ca-ES.json';
+import frFR from './locales/fr-FR.json';
+import deDE from './locales/de-DE.json';
+import itIT from './locales/it-IT.json';
+import ptPT from './locales/pt-PT.json';
+import jaJP from './locales/ja-JP.json';
+import koKR from './locales/ko-KR.json';
+import zhCN from './locales/zh-CN.json';
+import arSA from './locales/ar-SA.json';
 
 export type LocaleDict = Record<string, any>;
 
 const DICTS: Record<string, LocaleDict> = {
-  'en': enUS as LocaleDict,
-  'en-US': enUS as LocaleDict,
-  'es': esES as LocaleDict,
-  'es-ES': esES as LocaleDict,
-  'ca': caES as LocaleDict,
-  'ca-ES': caES as LocaleDict,
-  'fr': frFR as LocaleDict,
-  'fr-FR': frFR as LocaleDict,
-  'de': deDE as LocaleDict,
-  'de-DE': deDE as LocaleDict,
-  'it': itIT as LocaleDict,
-  'it-IT': itIT as LocaleDict,
-  'pt': ptPT as LocaleDict,
-  'pt-PT': ptPT as LocaleDict,
-  'ja': jaJP as LocaleDict,
-  'ja-JP': jaJP as LocaleDict,
-  'ko': koKR as LocaleDict,
-  'ko-KR': koKR as LocaleDict,
-  'zh': zhCN as LocaleDict,
-  'zh-CN': zhCN as LocaleDict,
-  'ar': arSA as LocaleDict,
-  'ar-SA': arSA as LocaleDict,
+  'en': enUS,
+  'en-US': enUS,
+  'es': esES,
+  'es-ES': esES,
+  'ca': caES,
+  'ca-ES': caES,
+  'fr': frFR,
+  'fr-FR': frFR,
+  'de': deDE,
+  'de-DE': deDE,
+  'it': itIT,
+  'it-IT': itIT,
+  'pt': ptPT,
+  'pt-PT': ptPT,
+  'ja': jaJP,
+  'ja-JP': jaJP,
+  'ko': koKR,
+  'ko-KR': koKR,
+  'zh': zhCN,
+  'zh-CN': zhCN,
+  'ar': arSA,
+  'ar-SA': arSA,
 };
 
 const FALLBACK = 'en-US';

package/src/index.ts

@@ -27,6 +27,9 @@ export type { StorageAdapter, AuthStateChangeCallback, AuthMethod, AuthManagerCo
 
 export { CrossDomainAuth, createCrossDomainAuth } from './CrossDomainAuth';
 export type { CrossDomainAuthOptions } from './CrossDomainAuth';
+export type { FedCMAuthOptions, FedCMConfig } from './mixins/OxyServices.fedcm';
+export type { PopupAuthOptions } from './mixins/OxyServices.popup';
+export type { RedirectAuthOptions } from './mixins/OxyServices.redirect';
 
 // --- Crypto / Identity ---
 export { KeyManager, SignatureService, RecoveryPhraseService } from './crypto';

package/src/mixins/OxyServices.fedcm.ts

@@ -49,8 +49,8 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
       super(...(args as [any]));
     }
   public static readonly DEFAULT_CONFIG_URL = 'https://auth.oxy.so/fedcm.json';
-  public static readonly FEDCM_TIMEOUT = 60000; // 1 minute for interactive
-  public static readonly FEDCM_SILENT_TIMEOUT = 10000; // 10 seconds for silent mediation
+  public static readonly FEDCM_TIMEOUT = 15000; // 15 seconds for interactive
+  public static readonly FEDCM_SILENT_TIMEOUT = 3000; // 3 seconds for silent mediation
 
   /**
    * Check if FedCM is supported in the current browser
@@ -180,7 +180,10 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
     const clientId = this.getClientId();
     debug.log('Silent SSO: Starting for', clientId);
 
-    // First try silent mediation (no UI) - works if user previously consented
+    // Only try silent mediation (no UI) - works if user previously consented.
+    // We intentionally do NOT fall back to optional mediation here because
+    // this runs on app startup — showing browser UI without user action is bad UX.
+    // Optional/interactive mediation should only happen when the user clicks "Sign In".
     let credential: { token: string } | null = null;
 
     try {
@@ -196,36 +199,14 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
 
       debug.log('Silent SSO: Silent mediation result:', { hasCredential: !!credential, hasToken: !!credential?.token });
     } catch (silentError) {
-      // Silent mediation failed - this is expected if user hasn't consented before or is in quiet period
       const errorName = silentError instanceof Error ? silentError.name : 'Unknown';
       const errorMessage = silentError instanceof Error ? silentError.message : String(silentError);
-      debug.log('Silent SSO: Silent mediation error (will try optional):', { name: errorName, message: errorMessage });
-    }
-
-    // If silent failed, try optional mediation which shows browser UI if needed
-    if (!credential || !credential.token) {
-      try {
-        const nonce = this.generateNonce();
-        debug.log('Silent SSO: Trying optional mediation (may show browser UI)...');
-
-        credential = await this.requestIdentityCredential({
-          configURL: (this.constructor as any).DEFAULT_CONFIG_URL,
-          clientId,
-          nonce,
-          mediation: 'optional',
-        });
-
-        debug.log('Silent SSO: Optional mediation result:', { hasCredential: !!credential, hasToken: !!credential?.token });
-      } catch (optionalError) {
-        const errorName = optionalError instanceof Error ? optionalError.name : 'Unknown';
-        const errorMessage = optionalError instanceof Error ? optionalError.message : String(optionalError);
-        debug.log('Silent SSO: Optional mediation also failed:', { name: errorName, message: errorMessage });
-        return null;
-      }
+      debug.log('Silent SSO: Silent mediation failed:', { name: errorName, message: errorMessage });
+      return null;
     }
 
     if (!credential || !credential.token) {
-      debug.log('Silent SSO: No credential returned (user may have dismissed prompt or is not logged in at IdP)');
+      debug.log('Silent SSO: No credential returned (user not logged in at IdP or hasn\'t consented)');
       return null;
     }
 
@@ -392,9 +373,7 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
    * @private
    */
   public async exchangeIdTokenForSession(idToken: string): Promise<SessionLoginResponse> {
-    debug.log('exchangeIdTokenForSession: Starting exchange...');
-    debug.log('exchangeIdTokenForSession: Token length:', idToken?.length);
-    debug.log('exchangeIdTokenForSession: Token preview:', idToken?.substring(0, 50) + '...');
+    debug.log('Exchanging ID token for session...');
 
     try {
       const response = await this.makeRequest<SessionLoginResponse>(
@@ -404,23 +383,14 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
         { cache: false }
       );
 
-      debug.log('exchangeIdTokenForSession: Response received:', {
-        hasResponse: !!response,
-        hasSessionId: !!(response as any)?.sessionId,
-        hasUser: !!(response as any)?.user,
-        hasAccessToken: !!(response as any)?.accessToken,
-        userId: (response as any)?.user?.id,
-        username: (response as any)?.user?.username,
-        responseKeys: response ? Object.keys(response) : [],
+      debug.log('Token exchange complete:', {
+        hasSession: !!response?.sessionId,
+        hasUser: !!response?.user,
       });
 
       return response;
     } catch (error) {
-      debug.error('exchangeIdTokenForSession: Error:', {
-        name: error instanceof Error ? error.name : 'Unknown',
-        message: error instanceof Error ? error.message : String(error),
-        stack: error instanceof Error ? error.stack : undefined,
-      });
+      debug.error('Token exchange failed:', error instanceof Error ? error.message : String(error));
       throw error;
     }
   }
@@ -469,11 +439,15 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
    * @private
    */
   public generateNonce(): string {
-    if (typeof window !== 'undefined' && window.crypto && window.crypto.randomUUID) {
-      return window.crypto.randomUUID();
+    if (typeof crypto !== 'undefined' && crypto.randomUUID) {
+      return crypto.randomUUID();
+    }
+    if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+      const bytes = new Uint8Array(16);
+      crypto.getRandomValues(bytes);
+      return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
     }
-    // Fallback for older browsers
-    return `${Date.now()}-${Math.random().toString(36).substring(2, 15)}`;
+    throw new Error('No secure random source available for nonce generation');
   }
 
   /**

package/src/mixins/OxyServices.language.ts

@@ -4,6 +4,7 @@
 import { normalizeLanguageCode, getLanguageMetadata, getLanguageName, getNativeLanguageName } from '../utils/languageUtils';
 import type { LanguageMetadata } from '../utils/languageUtils';
 import type { OxyServicesBase } from '../OxyServices.base';
+import { isDev } from '../shared/utils/debugUtils';
 
 export function OxyServicesLanguageMixin<T extends typeof OxyServicesBase>(Base: T) {
   return class extends Base {
@@ -22,8 +23,10 @@ export function OxyServicesLanguageMixin<T extends typeof OxyServicesBase>(Base:
       
       if (isReactNative) {
         try {
-          const asyncStorageModule = await import('@react-native-async-storage/async-storage');
-          const storage = (asyncStorageModule.default as unknown) as import('@react-native-async-storage/async-storage').AsyncStorageStatic;
+          // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
+          const moduleName = '@react-native-async-storage/async-storage';
+          const asyncStorageModule = await import(moduleName);
+          const storage = asyncStorageModule.default as unknown as { getItem: (key: string) => Promise<string | null>; setItem: (key: string, value: string) => Promise<void>; removeItem: (key: string) => Promise<void> };
           return {
             getItem: storage.getItem.bind(storage),
             setItem: storage.setItem.bind(storage),
@@ -84,7 +87,7 @@ export function OxyServicesLanguageMixin<T extends typeof OxyServicesBase>(Base:
 
         return null;
       } catch (error) {
-        if (__DEV__) {
+        if (isDev()) {
           console.warn('Failed to get current language:', error);
         }
         return null;

package/src/mixins/OxyServices.popup.ts

@@ -397,10 +397,15 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
    * @private
    */
   public generateState(): string {
-    if (typeof window !== 'undefined' && window.crypto && window.crypto.randomUUID) {
-      return window.crypto.randomUUID();
+    if (typeof crypto !== 'undefined' && crypto.randomUUID) {
+      return crypto.randomUUID();
     }
-    return `${Date.now()}-${Math.random().toString(36).substring(2, 15)}`;
+    if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+      const bytes = new Uint8Array(16);
+      crypto.getRandomValues(bytes);
+      return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
+    }
+    throw new Error('No secure random source available for state generation');
   }
 
   /**
@@ -409,10 +414,15 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
    * @private
    */
   public generateNonce(): string {
-    if (typeof window !== 'undefined' && window.crypto && window.crypto.randomUUID) {
-      return window.crypto.randomUUID();
+    if (typeof crypto !== 'undefined' && crypto.randomUUID) {
+      return crypto.randomUUID();
+    }
+    if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+      const bytes = new Uint8Array(16);
+      crypto.getRandomValues(bytes);
+      return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
     }
-    return `${Date.now()}-${Math.random().toString(36).substring(2, 15)}`;
+    throw new Error('No secure random source available for nonce generation');
   }
 
   /**

package/src/mixins/OxyServices.privacy.ts

@@ -3,6 +3,7 @@
  */
 import type { BlockedUser, RestrictedUser } from '../models/interfaces';
 import type { OxyServicesBase } from '../OxyServices.base';
+import { isDev } from '../shared/utils/debugUtils';
 
 export function OxyServicesPrivacyMixin<T extends typeof OxyServicesBase>(Base: T) {
   return class extends Base {
@@ -35,7 +36,7 @@ export function OxyServicesPrivacyMixin<T extends typeof OxyServicesBase>(Base:
         });
       } catch (error) {
         // If there's an error, assume not in list to avoid breaking functionality
-        if (__DEV__) {
+        if (isDev()) {
           console.warn('Error checking user list:', error);
         }
         return false;

package/src/mixins/OxyServices.redirect.ts

@@ -299,10 +299,15 @@ export function OxyServicesRedirectAuthMixin<T extends typeof OxyServicesBase>(B
    * @private
    */
   public generateState(): string {
-    if (typeof window !== 'undefined' && window.crypto && window.crypto.randomUUID) {
-      return window.crypto.randomUUID();
+    if (typeof crypto !== 'undefined' && crypto.randomUUID) {
+      return crypto.randomUUID();
     }
-    return `${Date.now()}-${Math.random().toString(36).substring(2, 15)}`;
+    if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+      const bytes = new Uint8Array(16);
+      crypto.getRandomValues(bytes);
+      return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
+    }
+    throw new Error('No secure random source available for state generation');
   }
 
   /**
@@ -311,10 +316,15 @@ export function OxyServicesRedirectAuthMixin<T extends typeof OxyServicesBase>(B
    * @private
    */
   public generateNonce(): string {
-    if (typeof window !== 'undefined' && window.crypto && window.crypto.randomUUID) {
-      return window.crypto.randomUUID();
+    if (typeof crypto !== 'undefined' && crypto.randomUUID) {
+      return crypto.randomUUID();
+    }
+    if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+      const bytes = new Uint8Array(16);
+      crypto.getRandomValues(bytes);
+      return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
     }
-    return `${Date.now()}-${Math.random().toString(36).substring(2, 15)}`;
+    throw new Error('No secure random source available for nonce generation');
   }
 
   /**

package/src/mixins/OxyServices.security.ts

@@ -3,6 +3,7 @@
  */
 import type { OxyServicesBase } from '../OxyServices.base';
 import type { SecurityActivity, SecurityActivityResponse, SecurityEventType } from '../models/interfaces';
+import { isDev } from '../shared/utils/debugUtils';
 
 export function OxyServicesSecurityMixin<T extends typeof OxyServicesBase>(Base: T) {
   return class extends Base {
@@ -71,7 +72,7 @@ export function OxyServicesSecurityMixin<T extends typeof OxyServicesBase>(Base:
       } catch (error) {
         // Don't throw - logging failures shouldn't break user flow
         // But log for monitoring
-        if (__DEV__) {
+        if (isDev()) {
           console.warn('[OxyServices] Failed to log private key exported event:', error);
         }
       }
@@ -93,7 +94,7 @@ export function OxyServicesSecurityMixin<T extends typeof OxyServicesBase>(Base:
       } catch (error) {
         // Don't throw - logging failures shouldn't break user flow
         // But log for monitoring
-        if (__DEV__) {
+        if (isDev()) {
           console.warn('[OxyServices] Failed to log backup created event:', error);
         }
       }

package/src/shared/utils/__tests__/debugUtils.test.ts

@@ -0,0 +1,55 @@
+/**
+ * Tests for isDev() utility.
+ *
+ * These tests manipulate the global __DEV__ and process.env.NODE_ENV
+ * to verify isDev() works across RN, Node, and browser-like environments.
+ */
+
+describe('isDev', () => {
+  const originalDev = (globalThis as any).__DEV__;
+  const originalNodeEnv = process.env.NODE_ENV;
+
+  afterEach(() => {
+    // Restore globals
+    if (originalDev === undefined) {
+      delete (globalThis as any).__DEV__;
+    } else {
+      (globalThis as any).__DEV__ = originalDev;
+    }
+    process.env.NODE_ENV = originalNodeEnv;
+
+    // Clear module cache so isDev re-evaluates
+    jest.resetModules();
+  });
+
+  async function loadIsDev() {
+    const mod = await import('../debugUtils');
+    return mod.isDev;
+  }
+
+  it('returns true when __DEV__ is true (React Native)', async () => {
+    (globalThis as any).__DEV__ = true;
+    const isDev = await loadIsDev();
+    expect(isDev()).toBe(true);
+  });
+
+  it('returns false when __DEV__ is false', async () => {
+    (globalThis as any).__DEV__ = false;
+    const isDev = await loadIsDev();
+    expect(isDev()).toBe(false);
+  });
+
+  it('falls back to NODE_ENV when __DEV__ is undefined', async () => {
+    delete (globalThis as any).__DEV__;
+    process.env.NODE_ENV = 'development';
+    const isDev = await loadIsDev();
+    expect(isDev()).toBe(true);
+  });
+
+  it('returns false when NODE_ENV is production and __DEV__ is undefined', async () => {
+    delete (globalThis as any).__DEV__;
+    process.env.NODE_ENV = 'production';
+    const isDev = await loadIsDev();
+    expect(isDev()).toBe(false);
+  });
+});

package/src/shared/utils/debugUtils.ts

@@ -14,7 +14,12 @@ declare const __DEV__: boolean | undefined;
  * Check if running in development mode
  */
 export const isDev = (): boolean => {
-  return typeof __DEV__ !== 'undefined' && __DEV__;
+  if (typeof __DEV__ !== 'undefined') return __DEV__;
+  try {
+    return typeof process !== 'undefined' && process.env?.NODE_ENV === 'development';
+  } catch {
+    return false;
+  }
 };
 
 /**

package/src/utils/deviceManager.ts

@@ -42,8 +42,10 @@ export class DeviceManager {
   }> {
     if (this.isReactNative()) {
       try {
-        const asyncStorageModule = await import('@react-native-async-storage/async-storage');
-        const storage = (asyncStorageModule.default as unknown) as import('@react-native-async-storage/async-storage').AsyncStorageStatic;
+        // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
+        const moduleName = '@react-native-async-storage/async-storage';
+        const asyncStorageModule = await import(moduleName);
+        const storage = asyncStorageModule.default as unknown as { getItem: (key: string) => Promise<string | null>; setItem: (key: string, value: string) => Promise<void>; removeItem: (key: string) => Promise<void> };
         return {
           getItem: storage.getItem.bind(storage),
           setItem: storage.setItem.bind(storage),
@@ -168,15 +170,12 @@ export class DeviceManager {
    * Generate a unique device ID
    */
   private static generateDeviceId(): string {
-    // Use crypto.getRandomValues if available, otherwise fallback to Math.random
     if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
       const array = new Uint8Array(32);
       crypto.getRandomValues(array);
       return Array.from(array, byte => byte.toString(16).padStart(2, '0')).join('');
-    } else {
-      // Fallback for environments without crypto.getRandomValues
-      return 'device_' + Date.now().toString(36) + Math.random().toString(36).substr(2);
     }
+    throw new Error('No secure random source available for device ID generation');
   }
 
   /**

package/src/utils/platform.ts

@@ -108,8 +108,9 @@ export async function initPlatformFromReactNative(): Promise<void> {
   }
 
   try {
-    // Dynamic import to avoid bundler issues
-    const { Platform } = await import('react-native');
+    // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
+    const moduleName = 'react-native';
+    const { Platform } = await import(moduleName);
     setPlatformOS(Platform.OS as PlatformOS);
   } catch {
     // react-native not available, use detected platform