@oxyhq/core 1.11.11 → 1.11.12

package/dist/types/mixins/OxyServices.user.d.ts

@@ -10,6 +10,18 @@ export declare function OxyServicesUserMixin<T extends typeof OxyServicesBase>(B
          * Get profile by username
          */
         getProfileByUsername(username: string): Promise<User>;
+        /**
+         * Lightweight username lookup for login flows.
+         * Returns minimal public info: exists, color, avatar, displayName.
+         * Faster than getProfileByUsername — no stats, no formatting.
+         */
+        lookupUsername(username: string): Promise<{
+            exists: boolean;
+            username: string;
+            color: string | null;
+            avatar: string | null;
+            displayName: string;
+        }>;
         /**
          * Search user profiles
          */

package/dist/types/utils/asyncUtils.d.ts

@@ -13,8 +13,12 @@ export declare function parallelWithErrorHandling<T>(operations: (() => Promise<
 /**
  * Retry an async operation with exponential backoff
  *
- * By default, does not retry on 4xx errors (client errors).
- * Use shouldRetry callback to customize retry behavior.
+ * By default, does not retry on 4xx errors (client errors). The default
+ * predicate accepts both the axios-style `error.response.status` and the
+ * flat `error.status` shape produced by {@link handleHttpError}, so callers
+ * never accidentally retry a deterministic client failure.
+ *
+ * Use the `shouldRetry` callback to customize retry behavior.
  */
 export declare function retryAsync<T>(operation: () => Promise<T>, maxRetries?: number, baseDelay?: number, shouldRetry?: (error: any) => boolean): Promise<T>;
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oxyhq/core",
-  "version": "1.11.11",
+  "version": "1.11.12",
   "description": "OxyHQ SDK Foundation — API client, authentication, cryptographic identity, and shared utilities",
   "main": "dist/cjs/index.js",
   "module": "dist/esm/index.js",

package/src/HttpService.ts

@@ -17,7 +17,6 @@ import { TTLCache, registerCacheForCleanup } from './utils/cache';
 import { RequestDeduplicator, RequestQueue, SimpleLogger } from './utils/requestUtils';
 import { retryAsync } from './utils/asyncUtils';
 import { handleHttpError } from './utils/errorUtils';
-import { isDev } from './shared/utils/debugUtils';
 import { jwtDecode } from 'jwt-decode';
 import { isNative, getPlatformOS } from './utils/platform';
 import type { OxyConfig } from './models/interfaces';
@@ -281,9 +280,12 @@ export class HttpService {
           headers['X-Native-App'] = 'true';
         }
 
-        // Debug logging for CSRF issues
-        if (isStateChangingMethod && isDev()) {
-          console.log('[HttpService] CSRF Debug:', {
+        // Debug logging for CSRF issues — routed through the SimpleLogger so
+        // it only fires when consumers opt in via `enableLogging`. Previously
+        // this was a bare console.log that leaked noise into every host app's
+        // stdout in development.
+        if (isStateChangingMethod) {
+          this.logger.debug('CSRF Debug:', {
             url,
             method,
             isNativeApp,
@@ -524,14 +526,14 @@ export class HttpService {
     // Return cached token if available
     const cachedToken = this.tokenStore.getCsrfToken();
     if (cachedToken) {
-      if (isDev()) console.log('[HttpService] Using cached CSRF token');
+      this.logger.debug('Using cached CSRF token');
       return cachedToken;
     }
 
     // Deduplicate concurrent CSRF token fetches
     const existingPromise = this.tokenStore.getCsrfTokenFetchPromise();
     if (existingPromise) {
-      if (isDev()) console.log('[HttpService] Waiting for existing CSRF fetch');
+      this.logger.debug('Waiting for existing CSRF fetch');
       return existingPromise;
     }
 
@@ -539,7 +541,7 @@ export class HttpService {
       const maxAttempts = 2;
       for (let attempt = 1; attempt <= maxAttempts; attempt++) {
         try {
-          if (isDev()) console.log('[HttpService] Fetching CSRF token from:', `${this.baseURL}/csrf-token`, `(attempt ${attempt})`);
+          this.logger.debug('Fetching CSRF token from:', `${this.baseURL}/csrf-token`, `(attempt ${attempt})`);
 
           // Use AbortController for timeout (more compatible than AbortSignal.timeout)
           const controller = new AbortController();
@@ -554,11 +556,11 @@ export class HttpService {
 
           clearTimeout(timeoutId);
 
-          if (isDev()) console.log('[HttpService] CSRF fetch response:', response.status, response.ok);
+          this.logger.debug('CSRF fetch response:', response.status, response.ok);
 
           if (response.ok) {
             const data = await response.json() as { csrfToken?: string };
-            if (isDev()) console.log('[HttpService] CSRF response data:', data);
+            this.logger.debug('CSRF response data:', data);
             const token = data.csrfToken || null;
             this.tokenStore.setCsrfToken(token);
             this.logger.debug('CSRF token fetched');
@@ -573,10 +575,10 @@ export class HttpService {
             return headerToken;
           }
 
-          if (isDev()) console.log('[HttpService] CSRF fetch failed with status:', response.status);
+          this.logger.debug('CSRF fetch failed with status:', response.status);
           this.logger.warn('Failed to fetch CSRF token:', response.status);
         } catch (error) {
-          if (isDev()) console.log('[HttpService] CSRF fetch error:', error);
+          this.logger.debug('CSRF fetch error:', error);
           this.logger.warn('CSRF token fetch error:', error);
         }
         // Wait before retry (500ms)

package/src/crypto/keyManager.ts

@@ -52,7 +52,7 @@ async function initSecureStore(): Promise<typeof import('expo-secure-store')> {
     try {
       // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
       const moduleName = 'expo-secure-store';
-      SecureStore = await import(moduleName);
+      SecureStore = await import(/* @vite-ignore */ moduleName);
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : String(error);
       throw new Error(`Failed to load expo-secure-store: ${errorMessage}. Make sure expo-secure-store is installed and properly configured.`);
@@ -76,7 +76,7 @@ async function initExpoCrypto(): Promise<typeof import('expo-crypto')> {
   if (!ExpoCrypto) {
     // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
     const moduleName = 'expo-crypto';
-    ExpoCrypto = await import(moduleName);
+    ExpoCrypto = await import(/* @vite-ignore */ moduleName);
   }
   return ExpoCrypto!;
 }
@@ -105,7 +105,7 @@ async function getSecureRandomBytes(length: number): Promise<Uint8Array> {
   // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
   try {
     const cryptoModuleName = 'crypto';
-    const nodeCrypto = await import(cryptoModuleName);
+    const nodeCrypto = await import(/* @vite-ignore */ cryptoModuleName);
     return new Uint8Array(nodeCrypto.randomBytes(length));
   } catch (error) {
     // Fallback to expo-crypto if Node crypto fails

package/src/crypto/polyfill.ts

@@ -44,7 +44,7 @@ function startExpoCryptoLoad(): void {
   expoCryptoLoadPromise = (async () => {
     try {
       const moduleName = 'expo-crypto';
-      expoCryptoModule = await import(moduleName);
+      expoCryptoModule = await import(/* @vite-ignore */ moduleName);
     } catch {
       // expo-crypto not available — expected in non-RN environments
     }

package/src/crypto/signatureService.ts

@@ -9,23 +9,28 @@ import { ec as EC } from 'elliptic';
 import { KeyManager } from './keyManager';
 import { isReactNative, isNodeJS } from '../utils/platform';
 
-// Lazy import for expo-crypto
+// Lazy imports for platform-specific crypto
 let ExpoCrypto: typeof import('expo-crypto') | null = null;
+let NodeCrypto: typeof import('crypto') | null = null;
 
 const ec = new EC('secp256k1');
 
-/**
- * Initialize expo-crypto module
- */
 async function initExpoCrypto(): Promise<typeof import('expo-crypto')> {
   if (!ExpoCrypto) {
-    // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
     const moduleName = 'expo-crypto';
-    ExpoCrypto = await import(moduleName);
+    ExpoCrypto = await import(/* @vite-ignore */ moduleName);
   }
   return ExpoCrypto!;
 }
 
+async function initNodeCrypto(): Promise<typeof import('crypto')> {
+  if (!NodeCrypto) {
+    const moduleName = 'crypto';
+    NodeCrypto = await import(/* @vite-ignore */ moduleName);
+  }
+  return NodeCrypto!;
+}
+
 /**
  * Compute SHA-256 hash of a string
  */
@@ -39,10 +44,9 @@ async function sha256(message: string): Promise<string> {
     );
   }
 
-  // In Node.js, use Node's crypto module
   if (isNodeJS()) {
     try {
-      const nodeCrypto = await import('crypto');
+      const nodeCrypto = await initNodeCrypto();
       return nodeCrypto.createHash('sha256').update(message).digest('hex');
     } catch {
       // Fall through to Web Crypto API
@@ -85,12 +89,9 @@ export class SignatureService {
         .join('');
     }
 
-    // In Node.js, use Node's crypto module
-    // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
     if (isNodeJS()) {
       try {
-        const cryptoModuleName = 'crypto';
-        const nodeCrypto = await import(cryptoModuleName);
+        const nodeCrypto = await initNodeCrypto();
         return nodeCrypto.randomBytes(32).toString('hex');
       } catch {
         // Fall through to Web Crypto API

package/src/mixins/OxyServices.language.ts

@@ -25,7 +25,7 @@ export function OxyServicesLanguageMixin<T extends typeof OxyServicesBase>(Base:
         try {
           // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
           const moduleName = '@react-native-async-storage/async-storage';
-          const asyncStorageModule = await import(moduleName);
+          const asyncStorageModule = await import(/* @vite-ignore */ moduleName);
           const storage = asyncStorageModule.default as unknown as { getItem: (key: string) => Promise<string | null>; setItem: (key: string, value: string) => Promise<void>; removeItem: (key: string) => Promise<void> };
           return {
             getItem: storage.getItem.bind(storage),

package/src/mixins/OxyServices.user.ts

@@ -24,6 +24,24 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
       }
     }
 
+    /**
+     * Lightweight username lookup for login flows.
+     * Returns minimal public info: exists, color, avatar, displayName.
+     * Faster than getProfileByUsername — no stats, no formatting.
+     */
+    async lookupUsername(username: string): Promise<{
+      exists: boolean;
+      username: string;
+      color: string | null;
+      avatar: string | null;
+      displayName: string;
+    }> {
+      return await this.makeRequest('GET', `/auth/lookup/${encodeURIComponent(username)}`, undefined, {
+        cache: true,
+        cacheTTL: 60 * 1000, // 1 minute cache
+      });
+    }
+
     /**
      * Search user profiles
      */

package/src/utils/__tests__/asyncUtils.test.ts

@@ -0,0 +1,187 @@
+import { retryAsync } from '../asyncUtils';
+import { handleHttpError } from '../errorUtils';
+
+/**
+ * Regression coverage for the 1.11.11 retry storm:
+ *
+ * HttpService wraps fetch errors through handleHttpError before rethrowing.
+ * handleHttpError returns a flat ApiError ({ message, code, status }) without
+ * a nested `.response` field. Prior to the fix, retryAsync's default
+ * shouldRetry predicate only inspected `error.response.status`, so every 4xx
+ * response was treated as retryable. That turned ~5ms 404 lookups into 8-10s
+ * stalls because every Mention endpoint hitting Oxy for a missing
+ * user/topic hit the full retry+backoff schedule.
+ *
+ * These tests lock the fix in place: both the nested and flat shapes MUST
+ * short-circuit retries for 4xx, and 5xx/network errors MUST still retry.
+ */
+describe('retryAsync default shouldRetry predicate', () => {
+  it('does not retry on a flat ApiError-shaped 404 (handleHttpError output)', async () => {
+    let attempts = 0;
+    const started = Date.now();
+    const apiError = { message: 'Not found', code: 'NOT_FOUND', status: 404 };
+
+    await expect(
+      retryAsync(async () => {
+        attempts++;
+        throw apiError;
+      }, 3, 50)
+    ).rejects.toBe(apiError);
+
+    expect(attempts).toBe(1);
+    // Sanity: we should NOT have slept through any backoff windows.
+    expect(Date.now() - started).toBeLessThan(100);
+  });
+
+  it('does not retry on an axios-style nested 404 (response.status)', async () => {
+    let attempts = 0;
+    const axiosError = {
+      message: 'Not found',
+      response: { status: 404, statusText: 'Not Found' },
+    };
+
+    await expect(
+      retryAsync(async () => {
+        attempts++;
+        throw axiosError;
+      }, 3, 50)
+    ).rejects.toBe(axiosError);
+
+    expect(attempts).toBe(1);
+  });
+
+  it('does not retry on any 4xx flat-shape (400/401/403/422)', async () => {
+    for (const status of [400, 401, 403, 422]) {
+      let attempts = 0;
+      await expect(
+        retryAsync(async () => {
+          attempts++;
+          throw { message: 'client', code: 'X', status };
+        }, 2, 10)
+      ).rejects.toBeDefined();
+      expect(attempts).toBe(1);
+    }
+  });
+
+  it('retries on flat-shape 500 errors until maxRetries', async () => {
+    let attempts = 0;
+    await expect(
+      retryAsync(async () => {
+        attempts++;
+        throw { message: 'boom', code: 'INTERNAL_ERROR', status: 500 };
+      }, 2, 1)
+    ).rejects.toBeDefined();
+    expect(attempts).toBe(3); // initial + 2 retries
+  });
+
+  it('retries on nested-shape 503 errors until maxRetries', async () => {
+    let attempts = 0;
+    await expect(
+      retryAsync(async () => {
+        attempts++;
+        throw { message: 'unavailable', response: { status: 503 } };
+      }, 2, 1)
+    ).rejects.toBeDefined();
+    expect(attempts).toBe(3);
+  });
+
+  it('retries on network-style errors without any status (TypeError)', async () => {
+    let attempts = 0;
+    await expect(
+      retryAsync(async () => {
+        attempts++;
+        throw new TypeError('Failed to fetch');
+      }, 2, 1)
+    ).rejects.toBeDefined();
+    expect(attempts).toBe(3);
+  });
+
+  it('returns the successful result without extra attempts', async () => {
+    let attempts = 0;
+    const result = await retryAsync(async () => {
+      attempts++;
+      return 'ok' as const;
+    }, 3, 1);
+    expect(result).toBe('ok');
+    expect(attempts).toBe(1);
+  });
+
+  it('recovers after a transient 5xx followed by success', async () => {
+    let attempts = 0;
+    const result = await retryAsync(async () => {
+      attempts++;
+      if (attempts < 2) {
+        throw { message: 'transient', status: 502 };
+      }
+      return 'recovered' as const;
+    }, 3, 1);
+    expect(result).toBe('recovered');
+    expect(attempts).toBe(2);
+  });
+
+  it('honours a custom shouldRetry predicate even when default would retry', async () => {
+    let attempts = 0;
+    await expect(
+      retryAsync(
+        async () => {
+          attempts++;
+          throw { message: 'nope', status: 500 };
+        },
+        5,
+        1,
+        () => false
+      )
+    ).rejects.toBeDefined();
+    expect(attempts).toBe(1);
+  });
+
+  it('ignores non-numeric status fields instead of treating them as 4xx', async () => {
+    let attempts = 0;
+    await expect(
+      retryAsync(async () => {
+        attempts++;
+        throw { message: 'weird', status: 'oops' as unknown as number };
+      }, 2, 1)
+    ).rejects.toBeDefined();
+    // Non-numeric status must NOT be interpreted as 4xx — should retry normally.
+    expect(attempts).toBe(3);
+  });
+});
+
+/**
+ * handleHttpError is the wire between fetch-thrown errors and retryAsync.
+ * Lock in that it exposes the HTTP status at the top level so the retry
+ * predicate above can see it.
+ */
+describe('handleHttpError preserves HTTP status for retry predicates', () => {
+  it('flattens a fetch-style error with .response.status into ApiError.status', () => {
+    const fetchError = Object.assign(new Error('Not found'), {
+      status: 404,
+      response: { status: 404, statusText: 'Not Found' },
+    });
+    const result = handleHttpError(fetchError);
+    expect(result.status).toBe(404);
+    expect(result.code).toBe('NOT_FOUND');
+    expect(result.message).toBe('Not found');
+  });
+
+  it('preserves 401 status from fetch errors', () => {
+    const fetchError = Object.assign(new Error('Unauthorized'), {
+      status: 401,
+      response: { status: 401, statusText: 'Unauthorized' },
+    });
+    const result = handleHttpError(fetchError);
+    expect(result.status).toBe(401);
+    expect(result.code).toBe('UNAUTHORIZED');
+  });
+
+  it('maps 500 to INTERNAL_ERROR with status preserved', () => {
+    const fetchError = Object.assign(new Error('boom'), {
+      status: 500,
+      response: { status: 500, statusText: 'Internal Server Error' },
+    });
+    const result = handleHttpError(fetchError);
+    expect(result.status).toBe(500);
+    expect(result.code).toBe('INTERNAL_ERROR');
+  });
+});

package/src/utils/asyncUtils.ts

@@ -47,11 +47,38 @@ export async function parallelWithErrorHandling<T>(
   );
 }
 
+/**
+ * Extract an HTTP status code from an error value, tolerating both the
+ * axios-style nested shape (`error.response.status`) and the flat shape
+ * produced by {@link handleHttpError} / fetch-based clients (`error.status`).
+ *
+ * Centralising this lookup prevents retry predicates from silently falling
+ * through when one of the two shapes is missing, which previously caused
+ * @oxyhq/core to retry 4xx responses and turn sub-10ms failures into
+ * multi-second stalls for every missing-resource lookup.
+ */
+function extractHttpStatus(error: unknown): number | undefined {
+  if (!error || typeof error !== 'object') return undefined;
+  const candidate = error as {
+    status?: unknown;
+    response?: { status?: unknown } | null;
+  };
+  const flat = candidate.status;
+  if (typeof flat === 'number' && Number.isFinite(flat)) return flat;
+  const nested = candidate.response?.status;
+  if (typeof nested === 'number' && Number.isFinite(nested)) return nested;
+  return undefined;
+}
+
 /**
  * Retry an async operation with exponential backoff
- * 
- * By default, does not retry on 4xx errors (client errors).
- * Use shouldRetry callback to customize retry behavior.
+ *
+ * By default, does not retry on 4xx errors (client errors). The default
+ * predicate accepts both the axios-style `error.response.status` and the
+ * flat `error.status` shape produced by {@link handleHttpError}, so callers
+ * never accidentally retry a deterministic client failure.
+ *
+ * Use the `shouldRetry` callback to customize retry behavior.
  */
 export async function retryAsync<T>(
   operation: () => Promise<T>,
@@ -60,16 +87,19 @@ export async function retryAsync<T>(
   shouldRetry?: (error: any) => boolean
 ): Promise<T> {
   let lastError: any;
-  
-  // Default shouldRetry: don't retry on 4xx errors
-  const defaultShouldRetry = (error: any): boolean => {
-    // Don't retry on 4xx errors (client errors)
-    if (error?.response?.status >= 400 && error?.response?.status < 500) {
+
+  // Default shouldRetry: don't retry on 4xx errors (client errors).
+  // Checks BOTH `error.status` (flat shape from handleHttpError / fetch
+  // clients) AND `error.response.status` (axios-style shape) so neither
+  // representation can leak a client error into the retry loop.
+  const defaultShouldRetry = (error: unknown): boolean => {
+    const status = extractHttpStatus(error);
+    if (status !== undefined && status >= 400 && status < 500) {
       return false;
     }
     return true;
   };
-  
+
   const retryCheck = shouldRetry || defaultShouldRetry;
   
   for (let attempt = 0; attempt <= maxRetries; attempt++) {

package/src/utils/deviceManager.ts

@@ -44,7 +44,7 @@ export class DeviceManager {
       try {
         // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
         const moduleName = '@react-native-async-storage/async-storage';
-        const asyncStorageModule = await import(moduleName);
+        const asyncStorageModule = await import(/* @vite-ignore */ moduleName);
         const storage = asyncStorageModule.default as unknown as { getItem: (key: string) => Promise<string | null>; setItem: (key: string, value: string) => Promise<void>; removeItem: (key: string) => Promise<void> };
         return {
           getItem: storage.getItem.bind(storage),