@oxyhq/core 1.11.12 → 1.11.13

package/dist/cjs/index.js

@@ -29,8 +29,8 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.DEFAULT_CIRCUIT_BREAKER_CONFIG = exports.isRetryableError = exports.isNetworkError = exports.isServerError = exports.isRateLimitError = exports.isNotFoundError = exports.isForbiddenError = exports.isUnauthorizedError = exports.isAlreadyRegisteredError = exports.getErrorMessage = exports.getErrorStatus = exports.HttpStatus = exports.getSystemColorScheme = exports.systemPrefersDarkMode = exports.getOppositeTheme = exports.normalizeColorScheme = exports.normalizeTheme = exports.getContrastTextColor = exports.isLightColor = exports.withOpacity = exports.rgbToHex = exports.hexToRgb = exports.lightenColor = exports.darkenColor = exports.isAndroid = exports.isIOS = exports.isNative = exports.isWeb = exports.setPlatformOS = exports.getPlatformOS = exports.normalizeLanguageCode = exports.getNativeLanguageName = exports.getLanguageName = exports.getLanguageMetadata = exports.SUPPORTED_LANGUAGES = exports.DeviceManager = exports.TopicSource = exports.TopicType = exports.RecoveryPhraseService = exports.SignatureService = exports.KeyManager = exports.createCrossDomainAuth = exports.CrossDomainAuth = exports.createAuthManager = exports.AuthManager = exports.oxyClient = exports.OXY_CLOUD_URL = exports.OxyAuthenticationTimeoutError = exports.OxyAuthenticationError = exports.OxyServices = void 0;
-exports.createQuickAccount = exports.buildAccountsArray = exports.updateAvatarVisibility = exports.logPerformance = exports.logPayment = exports.logDevice = exports.logUser = exports.logSession = exports.logApi = exports.logAuth = exports.LogLevel = exports.logger = exports.retryAsync = exports.validateRequiredFields = exports.handleHttpError = exports.createApiError = exports.ErrorCodes = exports.packageInfo = exports.sessionsArraysEqual = exports.normalizeAndSortSessions = exports.mergeSessions = exports.authenticatedApiCall = exports.withAuthErrorHandling = exports.isAuthenticationError = exports.ensureValidToken = exports.AuthenticationFailedError = exports.SessionSyncRequiredError = exports.translate = exports.createDebugLogger = exports.debugError = exports.debugWarn = exports.debugLog = exports.isDev = exports.withRetry = exports.delay = exports.shouldAllowRequest = exports.recordSuccess = exports.recordFailure = exports.calculateBackoffInterval = exports.createCircuitBreakerState = void 0;
+exports.isNetworkError = exports.isServerError = exports.isRateLimitError = exports.isNotFoundError = exports.isForbiddenError = exports.isUnauthorizedError = exports.isAlreadyRegisteredError = exports.getErrorMessage = exports.getErrorStatus = exports.HttpStatus = exports.getSystemColorScheme = exports.systemPrefersDarkMode = exports.getOppositeTheme = exports.normalizeColorScheme = exports.normalizeTheme = exports.getContrastTextColor = exports.isLightColor = exports.withOpacity = exports.rgbToHex = exports.hexToRgb = exports.lightenColor = exports.darkenColor = exports.isAndroid = exports.isIOS = exports.isNative = exports.isWeb = exports.setPlatformOS = exports.getPlatformOS = exports.normalizeLanguageCode = exports.getNativeLanguageName = exports.getLanguageName = exports.getLanguageMetadata = exports.SUPPORTED_LANGUAGES = exports.DeviceManager = exports.TopicSource = exports.TopicType = exports.IdentityPersistError = exports.IdentityAlreadyExistsError = exports.RecoveryPhraseService = exports.SignatureService = exports.KeyManager = exports.createCrossDomainAuth = exports.CrossDomainAuth = exports.createAuthManager = exports.AuthManager = exports.oxyClient = exports.OXY_CLOUD_URL = exports.OxyAuthenticationTimeoutError = exports.OxyAuthenticationError = exports.OxyServices = void 0;
+exports.formatPublicKeyHandle = exports.getAccountFallbackHandle = exports.getAccountDisplayName = exports.createQuickAccount = exports.buildAccountsArray = exports.updateAvatarVisibility = exports.logPerformance = exports.logPayment = exports.logDevice = exports.logUser = exports.logSession = exports.logApi = exports.logAuth = exports.LogLevel = exports.logger = exports.retryAsync = exports.validateRequiredFields = exports.handleHttpError = exports.createApiError = exports.ErrorCodes = exports.packageInfo = exports.sessionsArraysEqual = exports.normalizeAndSortSessions = exports.mergeSessions = exports.authenticatedApiCall = exports.withAuthErrorHandling = exports.isAuthenticationError = exports.ensureValidToken = exports.AuthenticationFailedError = exports.SessionSyncRequiredError = exports.translate = exports.createDebugLogger = exports.debugError = exports.debugWarn = exports.debugLog = exports.isDev = exports.withRetry = exports.delay = exports.shouldAllowRequest = exports.recordSuccess = exports.recordFailure = exports.calculateBackoffInterval = exports.createCircuitBreakerState = exports.DEFAULT_CIRCUIT_BREAKER_CONFIG = exports.isRetryableError = void 0;
 // Ensure crypto polyfills are loaded before anything else
 require("./crypto/polyfill");
 // --- Core API Client ---
@@ -53,6 +53,8 @@ var crypto_1 = require("./crypto");
 Object.defineProperty(exports, "KeyManager", { enumerable: true, get: function () { return crypto_1.KeyManager; } });
 Object.defineProperty(exports, "SignatureService", { enumerable: true, get: function () { return crypto_1.SignatureService; } });
 Object.defineProperty(exports, "RecoveryPhraseService", { enumerable: true, get: function () { return crypto_1.RecoveryPhraseService; } });
+Object.defineProperty(exports, "IdentityAlreadyExistsError", { enumerable: true, get: function () { return crypto_1.IdentityAlreadyExistsError; } });
+Object.defineProperty(exports, "IdentityPersistError", { enumerable: true, get: function () { return crypto_1.IdentityPersistError; } });
 // --- Models & Types ---
 __exportStar(require("./models/interfaces"), exports);
 __exportStar(require("./models/session"), exports);
@@ -165,6 +167,9 @@ Object.defineProperty(exports, "updateAvatarVisibility", { enumerable: true, get
 var accountUtils_1 = require("./utils/accountUtils");
 Object.defineProperty(exports, "buildAccountsArray", { enumerable: true, get: function () { return accountUtils_1.buildAccountsArray; } });
 Object.defineProperty(exports, "createQuickAccount", { enumerable: true, get: function () { return accountUtils_1.createQuickAccount; } });
+Object.defineProperty(exports, "getAccountDisplayName", { enumerable: true, get: function () { return accountUtils_1.getAccountDisplayName; } });
+Object.defineProperty(exports, "getAccountFallbackHandle", { enumerable: true, get: function () { return accountUtils_1.getAccountFallbackHandle; } });
+Object.defineProperty(exports, "formatPublicKeyHandle", { enumerable: true, get: function () { return accountUtils_1.formatPublicKeyHandle; } });
 // Default export
 const OxyServices_3 = require("./OxyServices");
 exports.default = OxyServices_3.OxyServices;

package/dist/cjs/mixins/OxyServices.assets.js

@@ -153,15 +153,20 @@ function OxyServicesAssetsMixin(Base) {
             const fileSize = 'size' in file && file.size ? file.size : 0;
             try {
                 const formData = new FormData();
-                if ('uri' in file && typeof file.uri === 'string') {
-                    // React Native file descriptor — RN's FormData handles {uri, type, name} natively
+                if (typeof File !== 'undefined' && file instanceof File) {
                     formData.append('file', file, fileName);
                 }
-                else if (file instanceof Blob) {
+                else if (typeof Blob !== 'undefined' && file instanceof Blob) {
+                    formData.append('file', file, fileName);
+                }
+                else if ('uri' in file && typeof file.uri === 'string') {
+                    // React Native file descriptor — RN's FormData handles {uri, type, name} natively.
+                    // It reads the file from disk during the multipart request — no in-JS Blob
+                    // conversion (which would fail on Hermes for ArrayBuffer-backed Blobs).
                     formData.append('file', file, fileName);
                 }
                 else {
-                    formData.append('file', new Blob([file], { type: 'application/octet-stream' }), fileName);
+                    throw new Error('Unsupported file input: expected File, Blob, or { uri, type?, name?, size? } descriptor');
                 }
                 if (visibility) {
                     formData.append('visibility', visibility);

package/dist/cjs/mixins/OxyServices.auth.js

@@ -10,6 +10,12 @@ function OxyServicesAuthMixin(Base) {
             /** @internal */ this._serviceTokenExp = 0;
             /** @internal */ this._serviceApiKey = null;
             /** @internal */ this._serviceApiSecret = null;
+            /**
+             * In-flight promise for service token fetch. Used to deduplicate concurrent
+             * calls to getServiceToken() — pattern mirrors AuthManager.refreshToken().
+             * @internal
+             */
+            this._serviceTokenPromise = null;
         }
         /**
          * Configure service credentials for internal service-to-service communication.
@@ -30,6 +36,9 @@ function OxyServicesAuthMixin(Base) {
          * Get a service token for internal service-to-service communication.
          * Tokens are short-lived (1h) and automatically cached/refreshed.
          *
+         * Concurrent callers share a single in-flight request to avoid hammering
+         * `/auth/service-token` when the cache is empty or expired.
+         *
          * @param apiKey - DeveloperApp API key (optional if configureServiceAuth was called)
          * @param apiSecret - DeveloperApp API secret (optional if configureServiceAuth was called)
          */
@@ -43,6 +52,24 @@ function OxyServicesAuthMixin(Base) {
             if (this._serviceToken && this._serviceTokenExp > Date.now() + 60000) {
                 return this._serviceToken;
             }
+            // If a fetch is already in-flight, share the same promise
+            if (this._serviceTokenPromise) {
+                return this._serviceTokenPromise;
+            }
+            this._serviceTokenPromise = this._doFetchServiceToken(key, secret);
+            try {
+                return await this._serviceTokenPromise;
+            }
+            finally {
+                this._serviceTokenPromise = null;
+            }
+        }
+        /**
+         * Perform the actual /auth/service-token request and cache the result.
+         * Separated so getServiceToken() can deduplicate concurrent calls.
+         * @internal
+         */
+        async _doFetchServiceToken(key, secret) {
             const response = await this.makeRequest('POST', '/auth/service-token', { apiKey: key, apiSecret: secret }, { cache: false, retry: false });
             this._serviceToken = response.token;
             this._serviceTokenExp = Date.now() + response.expiresIn * 1000;

package/dist/cjs/mixins/OxyServices.contacts.js

@@ -0,0 +1,50 @@
+"use strict";
+/**
+ * Contact Discovery Mixin
+ *
+ * Privacy-preserving discovery of which address-book contacts are on Oxy.
+ *
+ * The client hashes emails and phones locally before calling the API.
+ * The server responds with only Oxy user IDs and the hashes that matched,
+ * so the consumer can map each match back to the local contact that
+ * produced it.
+ *
+ * Hashing rules (must match the server `utils/contactHash.ts` exactly):
+ *   - SHA-256, hex-encoded, lowercase
+ *   - Email: `value.trim().toLowerCase()` then digest
+ *   - Phone: trim → keep a single leading "+" → strip non-digits → prepend "+"
+ *     if missing → digest
+ *
+ * Mobile clients can compute these digests with `expo-crypto`'s
+ * `digestStringAsync(SHA256, value, { encoding: HEX })`. Web clients should
+ * use `SubtleCrypto.digest('SHA-256', ...)`.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OxyServicesContactsMixin = OxyServicesContactsMixin;
+function OxyServicesContactsMixin(Base) {
+    return class extends Base {
+        constructor(...args) {
+            super(...args);
+        }
+        /**
+         * Discover which of the caller's contacts are on Oxy.
+         *
+         * @param hashedEmails - SHA-256 hex digests of normalized emails.
+         * @param hashedPhones - SHA-256 hex digests of normalized phone numbers.
+         * @returns Matches mapping each hashed identifier to the Oxy user ID it
+         *   resolved to. Empty arrays are valid for either parameter, but at
+         *   least one must be non-empty.
+         *
+         * The server enforces a 200-hash cap per channel per request — callers
+         * should batch larger address books client-side.
+         */
+        async discoverContacts(hashedEmails, hashedPhones) {
+            try {
+                return await this.makeRequest('POST', '/contacts/discover', { hashedEmails, hashedPhones }, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+    };
+}

package/dist/cjs/mixins/OxyServices.features.js

@@ -294,16 +294,5 @@ function OxyServicesFeaturesMixin(Base) {
                 throw this.handleError(error);
             }
         }
-        // ==================
-        // ACCOUNT
-        // ==================
-        /**
-         * Delete user account (requires password confirmation)
-         */
-        async deleteAccount(password) {
-            return this.withAuthRetry(async () => {
-                await this.makeRequest('DELETE', '/account', { password }, { cache: false });
-            }, 'deleteAccount');
-        }
     };
 }

package/dist/cjs/mixins/OxyServices.fedcm.js

@@ -315,10 +315,11 @@ function OxyServicesFedCMMixin(Base) {
                                     {
                                         configURL: options.configURL,
                                         clientId: options.clientId,
-                                        // Send nonce at both levels for backward compatibility
-                                        nonce: options.nonce, // For older browsers
+                                        // Older browsers read `nonce` at the top level; Chrome 145+
+                                        // expects it inside `params`. Send both for full coverage.
+                                        nonce: options.nonce,
                                         params: {
-                                            nonce: options.nonce, // For Chrome 145+
+                                            nonce: options.nonce,
                                         },
                                         ...(options.loginHint && { loginHint: options.loginHint }),
                                     },

package/dist/cjs/mixins/OxyServices.language.js

@@ -1,43 +1,11 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.OxyServicesLanguageMixin = OxyServicesLanguageMixin;
 /**
  * Language Methods Mixin
  */
 const languageUtils_1 = require("../utils/languageUtils");
+const platformCrypto_1 = require("../utils/platformCrypto");
 const debugUtils_1 = require("../shared/utils/debugUtils");
 function OxyServicesLanguageMixin(Base) {
     return class extends Base {
@@ -51,9 +19,10 @@ function OxyServicesLanguageMixin(Base) {
             const isReactNative = typeof navigator !== 'undefined' && navigator.product === 'ReactNative';
             if (isReactNative) {
                 try {
-                    // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
-                    const moduleName = '@react-native-async-storage/async-storage';
-                    const asyncStorageModule = await Promise.resolve(`${moduleName}`).then(s => __importStar(require(s)));
+                    // `loadAsyncStorage` is per-platform: the RN variant statically imports
+                    // @react-native-async-storage/async-storage, the default variant throws
+                    // (never called outside RN because of the `isReactNative` gate above).
+                    const asyncStorageModule = await (0, platformCrypto_1.loadAsyncStorage)();
                     const storage = asyncStorageModule.default;
                     return {
                         getItem: storage.getItem.bind(storage),

package/dist/cjs/mixins/OxyServices.redirect.js

@@ -153,12 +153,16 @@ function OxyServicesRedirectAuthMixin(Base) {
                 // Store tokens
                 this.storeTokens(accessToken, sessionId);
                 this.httpService.setTokens(accessToken);
-                // Build session response (minimal - we'll fetch full user data separately)
+                // Build session response (minimal — full user data is fetched separately
+                // by the caller via getCurrentUser() once tokens are stored).
                 const session = {
                     sessionId,
                     deviceId: '', // Not available in redirect flow
                     expiresAt: expiresAt || new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(),
-                    user: {}, // Will be fetched separately
+                    // Placeholder user — caller MUST fetch real user data via getCurrentUser()
+                    // before exposing this session to the application. The empty id signals
+                    // that the user payload has not yet been populated.
+                    user: { id: '', username: '' },
                 };
                 // Clean up URL (remove auth parameters)
                 this.cleanAuthCallbackUrl(url);

package/dist/cjs/mixins/OxyServices.security.js

@@ -23,8 +23,19 @@ function OxyServicesSecurityMixin(Base) {
                     params.offset = offset;
                 if (eventType)
                     params.eventType = eventType;
-                const response = await this.makeRequest('GET', '/security/activity', params, { cache: false });
-                return response;
+                // The API responds with the standard paginated envelope:
+                //   { data: SecurityActivity[], pagination: { total, limit, offset, hasMore } }
+                // SecurityActivityResponse is the flattened shape consumers expect.
+                const raw = await this.makeRequest('GET', '/security/activity', params, { cache: false });
+                const requestedLimit = typeof params.limit === 'number' ? params.limit : 0;
+                const requestedOffset = typeof params.offset === 'number' ? params.offset : 0;
+                return {
+                    data: raw.data ?? [],
+                    total: raw.pagination?.total ?? raw.data?.length ?? 0,
+                    limit: raw.pagination?.limit ?? requestedLimit,
+                    offset: raw.pagination?.offset ?? requestedOffset,
+                    hasMore: raw.pagination?.hasMore ?? false,
+                };
             }
             catch (error) {
                 throw this.handleError(error);

package/dist/cjs/mixins/OxyServices.user.js

@@ -2,6 +2,8 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.OxyServicesUserMixin = OxyServicesUserMixin;
 const apiUtils_1 = require("../utils/apiUtils");
+const keyManager_1 = require("../crypto/keyManager");
+const signatureService_1 = require("../crypto/signatureService");
 function OxyServicesUserMixin(Base) {
     return class extends Base {
         constructor(...args) {
@@ -44,37 +46,22 @@ function OxyServicesUserMixin(Base) {
                     cache: true,
                     cacheTTL: 2 * 60 * 1000, // 2 minutes cache
                 });
-                // New API shape: { data: User[], pagination: {...} }
-                const isSearchProfilesResponse = (payload) => typeof payload === 'object' &&
-                    payload !== null &&
-                    Array.isArray(payload.data);
-                if (isSearchProfilesResponse(response)) {
-                    const typedResponse = response;
-                    const paginationInfo = typedResponse.pagination ?? {
-                        total: typedResponse.data.length,
-                        limit: pagination?.limit ?? typedResponse.data.length,
-                        offset: pagination?.offset ?? 0,
-                        hasMore: typedResponse.data.length === (pagination?.limit ?? typedResponse.data.length) &&
-                            (pagination?.limit ?? typedResponse.data.length) > 0,
-                    };
-                    return {
-                        data: typedResponse.data,
-                        pagination: paginationInfo,
-                    };
+                if (typeof response !== 'object' ||
+                    response === null ||
+                    !Array.isArray(response.data)) {
+                    throw new Error('Unexpected search response format');
                 }
-                // Legacy API shape: returns raw User[]
-                if (Array.isArray(response)) {
-                    const fallbackLimit = pagination?.limit ?? response.length;
-                    const fallbackPagination = {
-                        total: response.length,
-                        limit: fallbackLimit,
-                        offset: pagination?.offset ?? 0,
-                        hasMore: fallbackLimit > 0 && response.length === fallbackLimit,
-                    };
-                    return { data: response, pagination: fallbackPagination };
-                }
-                // If response is unexpected, throw an error
-                throw new Error('Unexpected search response format');
+                const paginationInfo = response.pagination ?? {
+                    total: response.data.length,
+                    limit: pagination?.limit ?? response.data.length,
+                    offset: pagination?.offset ?? 0,
+                    hasMore: response.data.length === (pagination?.limit ?? response.data.length) &&
+                        (pagination?.limit ?? response.data.length) > 0,
+                };
+                return {
+                    data: response.data,
+                    pagination: paginationInfo,
+                };
             }
             catch (error) {
                 throw this.handleError(error);
@@ -156,12 +143,31 @@ function OxyServicesUserMixin(Base) {
             }, 'getCurrentUser');
         }
         /**
-         * Update user profile
-         * TanStack Query handles offline queuing automatically
+         * Update user profile.
+         *
+         * Invalidates the SDK-side response cache for every endpoint that
+         * returns the current user (`GET /users/me`, `GET /session/user/*`,
+         * `GET /users/<id>`, `GET /profiles/username/*`) so the next read
+         * doesn't return a stale snapshot. Without this, a follow-up
+         * `getUserBySession` call inside the 2-minute cache window can return
+         * the pre-update user — most visibly during onboarding, where it
+         * causes the username step to flicker back as if nothing was saved.
+         *
+         * TanStack Query handles offline queuing automatically.
          */
         async updateProfile(updates) {
             try {
-                return await this.makeRequest('PUT', '/users/me', updates, { cache: false });
+                const result = await this.makeRequest('PUT', '/users/me', updates, { cache: false });
+                // Bust every cached representation of the current user. We use a
+                // prefix sweep rather than an enumeration because the SDK never
+                // tracks the set of active session IDs centrally.
+                this.clearCacheByPrefix('GET:/session/user/');
+                this.clearCacheByPrefix('GET:/users/me');
+                this.clearCacheByPrefix('GET:/profiles/username/');
+                if (result?.id) {
+                    this.clearCacheEntry(`GET:/users/${result.id}`);
+                }
+                return result;
             }
             catch (error) {
                 const errorAny = error;
@@ -245,14 +251,29 @@ function OxyServicesUserMixin(Base) {
             }
         }
         /**
-         * Delete account permanently
-         * @param password - User password for confirmation
-         * @param confirmText - Confirmation text (usually username)
+         * Delete account permanently.
+         *
+         * Signs `delete:{publicKey}:{timestamp}` with the locally-stored identity
+         * private key and submits the signature alongside the confirmation text
+         * (must equal the user's username). The signature is the cryptographic
+         * proof of ownership — only the device holding the private key can issue
+         * a valid signature, so no password is required.
+         *
+         * @param confirmText - Must equal the user's username (verified server-side)
+         * @throws If no identity is stored on this device, or signing fails
          */
-        async deleteAccount(password, confirmText) {
+        async deleteAccount(confirmText) {
             try {
+                const publicKey = await keyManager_1.KeyManager.getPublicKey();
+                if (!publicKey) {
+                    throw new Error('No identity found on this device. Account deletion requires the device that holds your identity key.');
+                }
+                const timestamp = Date.now();
+                const message = `delete:${publicKey}:${timestamp}`;
+                const signature = await signatureService_1.SignatureService.sign(message);
                 return await this.makeRequest('DELETE', '/users/me', {
-                    password,
+                    signature,
+                    timestamp,
                     confirmText,
                 }, { cache: false });
             }

package/dist/cjs/mixins/OxyServices.utility.js

@@ -1,37 +1,4 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.OxyServicesUtilityMixin = OxyServicesUtilityMixin;
 /**
@@ -41,6 +8,7 @@ exports.OxyServicesUtilityMixin = OxyServicesUtilityMixin;
  * and Express.js authentication middleware
  */
 const jwt_decode_1 = require("jwt-decode");
+const platformCrypto_1 = require("../utils/platformCrypto");
 const mixinHelpers_1 = require("./mixinHelpers");
 function OxyServicesUtilityMixin(Base) {
     return class extends Base {
@@ -254,9 +222,15 @@ function OxyServicesUtilityMixin(Base) {
                                 return onError(error);
                             return res.status(403).json(error);
                         }
-                        // Verify JWT signature (not just decode)
+                        // Verify JWT signature (not just decode).
+                        // This middleware only runs on a Node Express server, but the file
+                        // is bundled by Metro/Vite for RN/web consumers. `loadNodeCrypto`
+                        // is per-platform: the RN variant throws (and is never called
+                        // because service-token middleware is only mounted by Node hosts),
+                        // so Metro never bundles a reference to Node's built-in.
                         try {
-                            const { createHmac } = await Promise.resolve().then(() => __importStar(require('crypto')));
+                            const nodeCrypto = await (0, platformCrypto_1.loadNodeCrypto)();
+                            const { createHmac, timingSafeEqual } = nodeCrypto;
                             const [headerB64, payloadB64, signatureB64] = token.split('.');
                             if (!headerB64 || !payloadB64 || !signatureB64) {
                                 throw new Error('Invalid token structure');
@@ -270,7 +244,6 @@ function OxyServicesUtilityMixin(Base) {
                             // Timing-safe comparison
                             const sigBuf = Buffer.from(signatureB64);
                             const expectedBuf = Buffer.from(expectedSig);
-                            const { timingSafeEqual } = await Promise.resolve().then(() => __importStar(require('crypto')));
                             if (sigBuf.length !== expectedBuf.length || !timingSafeEqual(sigBuf, expectedBuf)) {
                                 throw new Error('Invalid signature');
                             }
@@ -295,8 +268,8 @@ function OxyServicesUtilityMixin(Base) {
                                 return onError(error);
                             return res.status(401).json(error);
                         }
-                        // Check expiration
-                        if (decoded.exp && decoded.exp < Math.floor(Date.now() / 1000)) {
+                        // Check expiration — reject tokens at exact expiry second (use <=)
+                        if (decoded.exp && decoded.exp <= Math.floor(Date.now() / 1000)) {
                             if (optional) {
                                 req.userId = null;
                                 req.user = null;
@@ -351,7 +324,8 @@ function OxyServicesUtilityMixin(Base) {
                         return res.status(401).json(error);
                     }
                     // Check token expiration locally first (fast path)
-                    if (decoded.exp && decoded.exp < Math.floor(Date.now() / 1000)) {
+                    // Reject tokens at exact expiry second (use <=)
+                    if (decoded.exp && decoded.exp <= Math.floor(Date.now() / 1000)) {
                         if (optional) {
                             req.userId = null;
                             req.user = null;
@@ -518,8 +492,8 @@ function OxyServicesUtilityMixin(Base) {
                     if (!userId) {
                         return next(new Error('Invalid token payload'));
                     }
-                    // Check expiration
-                    if (decoded.exp && decoded.exp < Math.floor(Date.now() / 1000)) {
+                    // Check expiration — reject tokens at exact expiry second (use <=)
+                    if (decoded.exp && decoded.exp <= Math.floor(Date.now() / 1000)) {
                         return next(new Error('Token expired'));
                     }
                     // Validate session if available
@@ -536,12 +510,14 @@ function OxyServicesUtilityMixin(Base) {
                             return next(new Error('Session validation failed'));
                         }
                     }
-                    // Attach user data to socket
+                    // Attach user data to socket. We expose BOTH `socket.data.userId`
+                    // (the official Socket.IO data slot) and `socket.user` because
+                    // every consumer in this ecosystem (Mention, Allo, api/server.ts)
+                    // reads from `socket.user.id`.
                     socket.data = socket.data || {};
                     socket.data.userId = userId;
                     socket.data.sessionId = decoded.sessionId || null;
                     socket.data.token = token;
-                    // Also set on socket.user for backward compatibility
                     socket.user = { id: userId, userId, sessionId: decoded.sessionId };
                     if (debug) {
                         console.log(`[oxy.authSocket] OK user=${userId}`);

package/dist/cjs/mixins/index.js

@@ -28,6 +28,7 @@ const OxyServices_utility_1 = require("./OxyServices.utility");
 const OxyServices_features_1 = require("./OxyServices.features");
 const OxyServices_topics_1 = require("./OxyServices.topics");
 const OxyServices_managedAccounts_1 = require("./OxyServices.managedAccounts");
+const OxyServices_contacts_1 = require("./OxyServices.contacts");
 /**
  * Mixin pipeline - applied in order from first to last.
  *
@@ -66,6 +67,7 @@ const MIXIN_PIPELINE = [
     OxyServices_features_1.OxyServicesFeaturesMixin,
     OxyServices_topics_1.OxyServicesTopicsMixin,
     OxyServices_managedAccounts_1.OxyServicesManagedAccountsMixin,
+    OxyServices_contacts_1.OxyServicesContactsMixin,
     // Utility (last, can use all above)
     OxyServices_utility_1.OxyServicesUtilityMixin,
 ];
@@ -74,10 +76,16 @@ exports.MIXIN_PIPELINE = MIXIN_PIPELINE;
  * Composes all OxyServices mixins using a pipeline pattern.
  *
  * This is equivalent to the nested calls but more readable and maintainable.
- * Adding a new mixin: just add it to MIXIN_PIPELINE at the appropriate position.
+ * Adding a new mixin: add it to MIXIN_PIPELINE at the appropriate position
+ * AND extend `AllMixinInstances` so its methods are visible to consumers.
  *
- * @returns The fully composed OxyServices class with all mixins applied
+ * The cast through `unknown` carries the runtime augmentation chain into the
+ * static type system. `Array.reduce` cannot track each mixin's generic
+ * refinement, so we assert the final shape exposed by all mixins together.
+ *
+ * @returns The fully composed OxyServices constructor with all mixins applied
  */
 function composeOxyServices() {
-    return MIXIN_PIPELINE.reduce((Base, mixin) => mixin(Base), OxyServices_base_1.OxyServicesBase);
+    const composed = MIXIN_PIPELINE.reduce((Base, mixin) => mixin(Base), OxyServices_base_1.OxyServicesBase);
+    return composed;
 }