@oxyhq/core 1.11.10 → 1.11.12

package/dist/types/HttpService.d.ts

@@ -50,6 +50,7 @@ export declare class HttpService {
     private tokenRefreshPromise;
     private tokenRefreshCooldownUntil;
     private _onTokenRefreshed;
+    private _actingAsUserId;
     private requestMetrics;
     constructor(config: OxyConfig);
     /**
@@ -93,6 +94,8 @@ export declare class HttpService {
     put<T = unknown>(url: string, data?: unknown, config?: Omit<RequestConfig, 'method' | 'url' | 'data'>): Promise<T>;
     patch<T = unknown>(url: string, data?: unknown, config?: Omit<RequestConfig, 'method' | 'url' | 'data'>): Promise<T>;
     delete<T = unknown>(url: string, config?: Omit<RequestConfig, 'method' | 'url'>): Promise<T>;
+    setActingAs(userId: string | null): void;
+    getActingAs(): string | null;
     setTokens(accessToken: string, refreshToken?: string): void;
     set onTokenRefreshed(callback: ((accessToken: string) => void) | null);
     clearTokens(): void;

package/dist/types/OxyServices.base.d.ts

@@ -81,6 +81,23 @@ export declare class OxyServicesBase {
      * Get the raw access token (for constructing anchor URLs when needed)
      */
     getAccessToken(): string | null;
+    /**
+     * Set the acting-as identity for managed accounts.
+     *
+     * When set, all subsequent API requests will include the `X-Acting-As` header,
+     * causing the server to attribute actions to the managed account. The
+     * authenticated user must be an authorized manager of the target account.
+     *
+     * Pass `null` to clear and revert to the authenticated user's own identity.
+     *
+     * @param userId - The managed account user ID, or null to clear
+     */
+    setActingAs(userId: string | null): void;
+    /**
+     * Get the current acting-as identity (managed account user ID), or null
+     * if operating as the authenticated user's own identity.
+     */
+    getActingAs(): string | null;
     /**
      * Wait for authentication to be ready
      *

package/dist/types/index.d.ts

@@ -25,6 +25,7 @@ export type { PopupAuthOptions } from './mixins/OxyServices.popup';
 export type { RedirectAuthOptions } from './mixins/OxyServices.redirect';
 export type { ServiceTokenResponse } from './mixins/OxyServices.auth';
 export type { ServiceApp } from './mixins/OxyServices.utility';
+export type { CreateManagedAccountInput, ManagedAccountManager, ManagedAccount } from './mixins/OxyServices.managedAccounts';
 export { KeyManager, SignatureService, RecoveryPhraseService } from './crypto';
 export type { KeyPair, SignedMessage, AuthChallenge, RecoveryPhraseResult } from './crypto';
 export * from './models/interfaces';

package/dist/types/mixins/OxyServices.analytics.d.ts

@@ -50,6 +50,8 @@ export declare function OxyServicesAnalyticsMixin<T extends typeof OxyServicesBa
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
         waitForAuth(timeoutMs?: number): Promise<boolean>;
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;

package/dist/types/mixins/OxyServices.assets.d.ts

@@ -128,6 +128,8 @@ export declare function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
         waitForAuth(timeoutMs?: number): Promise<boolean>;
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;

package/dist/types/mixins/OxyServices.auth.d.ts

@@ -206,6 +206,8 @@ export declare function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(B
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
         waitForAuth(timeoutMs?: number): Promise<boolean>;
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;

package/dist/types/mixins/OxyServices.developer.d.ts

@@ -83,6 +83,8 @@ export declare function OxyServicesDeveloperMixin<T extends typeof OxyServicesBa
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
         waitForAuth(timeoutMs?: number): Promise<boolean>;
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;

package/dist/types/mixins/OxyServices.devices.d.ts

@@ -80,6 +80,8 @@ export declare function OxyServicesDevicesMixin<T extends typeof OxyServicesBase
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
         waitForAuth(timeoutMs?: number): Promise<boolean>;
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;

package/dist/types/mixins/OxyServices.features.d.ts

@@ -212,6 +212,8 @@ export declare function OxyServicesFeaturesMixin<T extends typeof OxyServicesBas
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
         waitForAuth(timeoutMs?: number): Promise<boolean>;
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;
@@ -223,7 +225,9 @@ export declare function OxyServicesFeaturesMixin<T extends typeof OxyServicesBas
         healthCheck(): Promise<{
             status: string;
             users?: number;
-            timestamp?: string;
+            timestamp? /**
+             * Get FAQs
+             */: string;
             [key: string]: any;
         }>;
     };

package/dist/types/mixins/OxyServices.fedcm.d.ts

@@ -188,6 +188,8 @@ export declare function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
         waitForAuth(timeoutMs?: number): Promise<boolean>;
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;

package/dist/types/mixins/OxyServices.karma.d.ts

@@ -69,6 +69,8 @@ export declare function OxyServicesKarmaMixin<T extends typeof OxyServicesBase>(
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
         waitForAuth(timeoutMs?: number): Promise<boolean>;
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;

package/dist/types/mixins/OxyServices.language.d.ts

@@ -65,6 +65,8 @@ export declare function OxyServicesLanguageMixin<T extends typeof OxyServicesBas
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
         waitForAuth(timeoutMs?: number): Promise<boolean>;
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;

package/dist/types/mixins/OxyServices.location.d.ts

@@ -48,6 +48,8 @@ export declare function OxyServicesLocationMixin<T extends typeof OxyServicesBas
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
         waitForAuth(timeoutMs?: number): Promise<boolean>;
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;

package/dist/types/mixins/OxyServices.managedAccounts.d.ts

@@ -0,0 +1,125 @@
+/**
+ * Managed Accounts Methods Mixin
+ *
+ * Provides SDK methods for creating and managing sub-accounts (managed identities).
+ * Managed accounts are full User documents without passwords, accessible only
+ * by their owners/managers via the X-Acting-As header mechanism.
+ */
+import type { User } from '../models/interfaces';
+import type { OxyServicesBase } from '../OxyServices.base';
+export interface CreateManagedAccountInput {
+    username: string;
+    name?: {
+        first?: string;
+        last?: string;
+    };
+    bio?: string;
+    avatar?: string;
+}
+export interface ManagedAccountManager {
+    userId: string;
+    role: 'owner' | 'admin' | 'editor';
+    addedAt: string;
+    addedBy?: string;
+}
+export interface ManagedAccount {
+    accountId: string;
+    ownerId: string;
+    managers: ManagedAccountManager[];
+    account?: User;
+    createdAt?: string;
+    updatedAt?: string;
+}
+export declare function OxyServicesManagedAccountsMixin<T extends typeof OxyServicesBase>(Base: T): {
+    new (...args: any[]): {
+        /**
+         * Create a new managed account (sub-account).
+         *
+         * The server creates a User document with `isManagedAccount: true` and links
+         * it to the authenticated user as owner.
+         */
+        createManagedAccount(data: CreateManagedAccountInput): Promise<ManagedAccount>;
+        /**
+         * List all accounts the authenticated user manages.
+         */
+        getManagedAccounts(): Promise<ManagedAccount[]>;
+        /**
+         * Get details for a specific managed account.
+         */
+        getManagedAccountDetails(accountId: string): Promise<ManagedAccount>;
+        /**
+         * Update a managed account's profile data.
+         * Requires owner or admin role.
+         */
+        updateManagedAccount(accountId: string, data: Partial<CreateManagedAccountInput>): Promise<ManagedAccount>;
+        /**
+         * Delete a managed account permanently.
+         * Requires owner role.
+         */
+        deleteManagedAccount(accountId: string): Promise<void>;
+        /**
+         * Add a manager to a managed account.
+         * Requires owner or admin role on the account.
+         *
+         * @param accountId - The managed account to add the manager to
+         * @param userId - The user to grant management access
+         * @param role - The role to assign: 'admin' or 'editor'
+         */
+        addManager(accountId: string, userId: string, role: "admin" | "editor"): Promise<void>;
+        /**
+         * Remove a manager from a managed account.
+         * Requires owner role.
+         *
+         * @param accountId - The managed account
+         * @param userId - The manager to remove
+         */
+        removeManager(accountId: string, userId: string): Promise<void>;
+        httpService: import("../HttpService").HttpService;
+        cloudURL: string;
+        config: import("../OxyServices.base").OxyConfig;
+        __resetTokensForTests(): void;
+        makeRequest<T_1>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T_1>;
+        getBaseURL(): string;
+        getClient(): import("../HttpService").HttpService;
+        getMetrics(): {
+            totalRequests: number;
+            successfulRequests: number;
+            failedRequests: number;
+            cacheHits: number;
+            cacheMisses: number;
+            averageResponseTime: number;
+        };
+        clearCache(): void;
+        clearCacheEntry(key: string): void;
+        getCacheStats(): {
+            size: number;
+            hits: number;
+            misses: number;
+            hitRate: number;
+        };
+        getCloudURL(): string;
+        setTokens(accessToken: string, refreshToken?: string): void;
+        clearTokens(): void;
+        _cachedUserId: string | null | undefined;
+        _cachedAccessToken: string | null;
+        getCurrentUserId(): string | null;
+        hasValidToken(): boolean;
+        getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
+        waitForAuth(timeoutMs?: number): Promise<boolean>;
+        withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
+            maxRetries?: number;
+            retryDelay?: number;
+            authTimeoutMs?: number;
+        }): Promise<T_1>;
+        validate(): Promise<boolean>;
+        handleError(error: unknown): Error;
+        healthCheck(): Promise<{
+            status: string;
+            users?: number;
+            timestamp?: string;
+            [key: string]: any;
+        }>;
+    };
+} & T;

package/dist/types/mixins/OxyServices.payment.d.ts

@@ -95,6 +95,8 @@ export declare function OxyServicesPaymentMixin<T extends typeof OxyServicesBase
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
         waitForAuth(timeoutMs?: number): Promise<boolean>;
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;

package/dist/types/mixins/OxyServices.popup.d.ts

@@ -185,6 +185,8 @@ export declare function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBa
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
         waitForAuth(timeoutMs?: number): Promise<boolean>;
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;

package/dist/types/mixins/OxyServices.privacy.d.ts

@@ -106,6 +106,8 @@ export declare function OxyServicesPrivacyMixin<T extends typeof OxyServicesBase
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
         waitForAuth(timeoutMs?: number): Promise<boolean>;
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;

package/dist/types/mixins/OxyServices.redirect.d.ts

@@ -222,6 +222,8 @@ export declare function OxyServicesRedirectAuthMixin<T extends typeof OxyService
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
         waitForAuth(timeoutMs?: number): Promise<boolean>;
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;

package/dist/types/mixins/OxyServices.security.d.ts

@@ -62,6 +62,8 @@ export declare function OxyServicesSecurityMixin<T extends typeof OxyServicesBas
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
         waitForAuth(timeoutMs?: number): Promise<boolean>;
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;

package/dist/types/mixins/OxyServices.topics.d.ts

@@ -88,6 +88,8 @@ export declare function OxyServicesTopicsMixin<T extends typeof OxyServicesBase>
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
         waitForAuth(timeoutMs?: number): Promise<boolean>;
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;

package/dist/types/mixins/OxyServices.user.d.ts

@@ -10,6 +10,18 @@ export declare function OxyServicesUserMixin<T extends typeof OxyServicesBase>(B
          * Get profile by username
          */
         getProfileByUsername(username: string): Promise<User>;
+        /**
+         * Lightweight username lookup for login flows.
+         * Returns minimal public info: exists, color, avatar, displayName.
+         * Faster than getProfileByUsername — no stats, no formatting.
+         */
+        lookupUsername(username: string): Promise<{
+            exists: boolean;
+            username: string;
+            color: string | null;
+            avatar: string | null;
+            displayName: string;
+        }>;
         /**
          * Search user profiles
          */
@@ -205,6 +217,8 @@ export declare function OxyServicesUserMixin<T extends typeof OxyServicesBase>(B
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
         waitForAuth(timeoutMs?: number): Promise<boolean>;
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;

package/dist/types/mixins/OxyServices.utility.d.ts

@@ -1,5 +1,13 @@
 import type { ApiError } from '../models/interfaces';
 import type { OxyServicesBase } from '../OxyServices.base';
+/**
+ * Result from the managed-accounts verification endpoint.
+ * Indicates whether a user is authorized to act as a given managed account.
+ */
+interface ActingAsVerification {
+    authorized: boolean;
+    role: 'owner' | 'admin' | 'editor';
+}
 /**
  * Service app metadata attached to requests authenticated with service tokens
  */
@@ -28,6 +36,18 @@ interface AuthMiddlewareOptions {
 }
 export declare function OxyServicesUtilityMixin<T extends typeof OxyServicesBase>(Base: T): {
     new (...args: any[]): {
+        /** @internal In-memory cache for acting-as verification results (TTL: 5 min) */
+        _actingAsCache: Map<string, {
+            result: ActingAsVerification | null;
+            expiresAt: number;
+        }>;
+        /**
+         * Verify that a user is authorized to act as a managed account.
+         * Results are cached in-memory for 5 minutes to avoid repeated API calls.
+         *
+         * @internal Used by the auth() middleware — not part of the public API
+         */
+        verifyActingAs(userId: string, accountId: string): Promise<ActingAsVerification | null>;
         /**
          * Fetch link metadata
          */
@@ -157,6 +177,8 @@ export declare function OxyServicesUtilityMixin<T extends typeof OxyServicesBase
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
         waitForAuth(timeoutMs?: number): Promise<boolean>;
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;

package/dist/types/models/interfaces.d.ts

@@ -64,6 +64,8 @@ export interface User {
     automation?: {
         ownerId?: string;
     };
+    isManagedAccount?: boolean;
+    managedBy?: string;
     [key: string]: unknown;
 }
 export interface LoginResponse {

package/dist/types/utils/asyncUtils.d.ts

@@ -13,8 +13,12 @@ export declare function parallelWithErrorHandling<T>(operations: (() => Promise<
 /**
  * Retry an async operation with exponential backoff
  *
- * By default, does not retry on 4xx errors (client errors).
- * Use shouldRetry callback to customize retry behavior.
+ * By default, does not retry on 4xx errors (client errors). The default
+ * predicate accepts both the axios-style `error.response.status` and the
+ * flat `error.status` shape produced by {@link handleHttpError}, so callers
+ * never accidentally retry a deterministic client failure.
+ *
+ * Use the `shouldRetry` callback to customize retry behavior.
  */
 export declare function retryAsync<T>(operation: () => Promise<T>, maxRetries?: number, baseDelay?: number, shouldRetry?: (error: any) => boolean): Promise<T>;
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oxyhq/core",
-  "version": "1.11.10",
+  "version": "1.11.12",
   "description": "OxyHQ SDK Foundation — API client, authentication, cryptographic identity, and shared utilities",
   "main": "dist/cjs/index.js",
   "module": "dist/esm/index.js",

package/src/HttpService.ts

@@ -17,7 +17,6 @@ import { TTLCache, registerCacheForCleanup } from './utils/cache';
 import { RequestDeduplicator, RequestQueue, SimpleLogger } from './utils/requestUtils';
 import { retryAsync } from './utils/asyncUtils';
 import { handleHttpError } from './utils/errorUtils';
-import { isDev } from './shared/utils/debugUtils';
 import { jwtDecode } from 'jwt-decode';
 import { isNative, getPlatformOS } from './utils/platform';
 import type { OxyConfig } from './models/interfaces';
@@ -131,6 +130,9 @@ export class HttpService {
   private tokenRefreshCooldownUntil: number = 0;
   private _onTokenRefreshed: ((accessToken: string) => void) | null = null;
 
+  // Acting-as identity for managed accounts
+  private _actingAsUserId: string | null = null;
+
   // Performance monitoring
   private requestMetrics = {
     totalRequests: 0,
@@ -278,9 +280,12 @@ export class HttpService {
           headers['X-Native-App'] = 'true';
         }
 
-        // Debug logging for CSRF issues
-        if (isStateChangingMethod && isDev()) {
-          console.log('[HttpService] CSRF Debug:', {
+        // Debug logging for CSRF issues — routed through the SimpleLogger so
+        // it only fires when consumers opt in via `enableLogging`. Previously
+        // this was a bare console.log that leaked noise into every host app's
+        // stdout in development.
+        if (isStateChangingMethod) {
+          this.logger.debug('CSRF Debug:', {
             url,
             method,
             isNativeApp,
@@ -291,6 +296,11 @@ export class HttpService {
           });
         }
 
+        // Add X-Acting-As header for managed account identity delegation
+        if (this._actingAsUserId) {
+          headers['X-Acting-As'] = this._actingAsUserId;
+        }
+
         // Merge custom headers if provided
         if (config.headers) {
           Object.entries(config.headers).forEach(([key, value]) => {
@@ -516,14 +526,14 @@ export class HttpService {
     // Return cached token if available
     const cachedToken = this.tokenStore.getCsrfToken();
     if (cachedToken) {
-      if (isDev()) console.log('[HttpService] Using cached CSRF token');
+      this.logger.debug('Using cached CSRF token');
       return cachedToken;
     }
 
     // Deduplicate concurrent CSRF token fetches
     const existingPromise = this.tokenStore.getCsrfTokenFetchPromise();
     if (existingPromise) {
-      if (isDev()) console.log('[HttpService] Waiting for existing CSRF fetch');
+      this.logger.debug('Waiting for existing CSRF fetch');
       return existingPromise;
     }
 
@@ -531,7 +541,7 @@ export class HttpService {
       const maxAttempts = 2;
       for (let attempt = 1; attempt <= maxAttempts; attempt++) {
         try {
-          if (isDev()) console.log('[HttpService] Fetching CSRF token from:', `${this.baseURL}/csrf-token`, `(attempt ${attempt})`);
+          this.logger.debug('Fetching CSRF token from:', `${this.baseURL}/csrf-token`, `(attempt ${attempt})`);
 
           // Use AbortController for timeout (more compatible than AbortSignal.timeout)
           const controller = new AbortController();
@@ -546,11 +556,11 @@ export class HttpService {
 
           clearTimeout(timeoutId);
 
-          if (isDev()) console.log('[HttpService] CSRF fetch response:', response.status, response.ok);
+          this.logger.debug('CSRF fetch response:', response.status, response.ok);
 
           if (response.ok) {
             const data = await response.json() as { csrfToken?: string };
-            if (isDev()) console.log('[HttpService] CSRF response data:', data);
+            this.logger.debug('CSRF response data:', data);
             const token = data.csrfToken || null;
             this.tokenStore.setCsrfToken(token);
             this.logger.debug('CSRF token fetched');
@@ -565,10 +575,10 @@ export class HttpService {
             return headerToken;
           }
 
-          if (isDev()) console.log('[HttpService] CSRF fetch failed with status:', response.status);
+          this.logger.debug('CSRF fetch failed with status:', response.status);
           this.logger.warn('Failed to fetch CSRF token:', response.status);
         } catch (error) {
-          if (isDev()) console.log('[HttpService] CSRF fetch error:', error);
+          this.logger.debug('CSRF fetch error:', error);
           this.logger.warn('CSRF token fetch error:', error);
         }
         // Wait before retry (500ms)
@@ -706,6 +716,15 @@ export class HttpService {
     return this.request<T>({ method: 'DELETE', url, ...config });
   }
 
+  // Acting-as identity management (managed accounts)
+  setActingAs(userId: string | null): void {
+    this._actingAsUserId = userId;
+  }
+
+  getActingAs(): string | null {
+    return this._actingAsUserId;
+  }
+
   // Token management
   setTokens(accessToken: string, refreshToken = ''): void {
     this.tokenStore.setTokens(accessToken, refreshToken);

package/src/OxyServices.base.ts

@@ -182,6 +182,29 @@ export class OxyServicesBase {
     return this.httpService.getAccessToken();
   }
 
+  /**
+   * Set the acting-as identity for managed accounts.
+   *
+   * When set, all subsequent API requests will include the `X-Acting-As` header,
+   * causing the server to attribute actions to the managed account. The
+   * authenticated user must be an authorized manager of the target account.
+   *
+   * Pass `null` to clear and revert to the authenticated user's own identity.
+   *
+   * @param userId - The managed account user ID, or null to clear
+   */
+  public setActingAs(userId: string | null): void {
+    this.httpService.setActingAs(userId);
+  }
+
+  /**
+   * Get the current acting-as identity (managed account user ID), or null
+   * if operating as the authenticated user's own identity.
+   */
+  public getActingAs(): string | null {
+    return this.httpService.getActingAs();
+  }
+
   /**
    * Wait for authentication to be ready
    * 

package/src/crypto/keyManager.ts

@@ -52,7 +52,7 @@ async function initSecureStore(): Promise<typeof import('expo-secure-store')> {
     try {
       // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
       const moduleName = 'expo-secure-store';
-      SecureStore = await import(moduleName);
+      SecureStore = await import(/* @vite-ignore */ moduleName);
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : String(error);
       throw new Error(`Failed to load expo-secure-store: ${errorMessage}. Make sure expo-secure-store is installed and properly configured.`);
@@ -76,7 +76,7 @@ async function initExpoCrypto(): Promise<typeof import('expo-crypto')> {
   if (!ExpoCrypto) {
     // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
     const moduleName = 'expo-crypto';
-    ExpoCrypto = await import(moduleName);
+    ExpoCrypto = await import(/* @vite-ignore */ moduleName);
   }
   return ExpoCrypto!;
 }
@@ -105,7 +105,7 @@ async function getSecureRandomBytes(length: number): Promise<Uint8Array> {
   // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
   try {
     const cryptoModuleName = 'crypto';
-    const nodeCrypto = await import(cryptoModuleName);
+    const nodeCrypto = await import(/* @vite-ignore */ cryptoModuleName);
     return new Uint8Array(nodeCrypto.randomBytes(length));
   } catch (error) {
     // Fallback to expo-crypto if Node crypto fails

package/src/crypto/polyfill.ts

@@ -44,7 +44,7 @@ function startExpoCryptoLoad(): void {
   expoCryptoLoadPromise = (async () => {
     try {
       const moduleName = 'expo-crypto';
-      expoCryptoModule = await import(moduleName);
+      expoCryptoModule = await import(/* @vite-ignore */ moduleName);
     } catch {
       // expo-crypto not available — expected in non-RN environments
     }