@oxyhq/core 1.11.12 → 1.11.14

package/dist/types/mixins/OxyServices.contacts.d.ts

@@ -0,0 +1,99 @@
+/**
+ * Contact Discovery Mixin
+ *
+ * Privacy-preserving discovery of which address-book contacts are on Oxy.
+ *
+ * The client hashes emails and phones locally before calling the API.
+ * The server responds with only Oxy user IDs and the hashes that matched,
+ * so the consumer can map each match back to the local contact that
+ * produced it.
+ *
+ * Hashing rules (must match the server `utils/contactHash.ts` exactly):
+ *   - SHA-256, hex-encoded, lowercase
+ *   - Email: `value.trim().toLowerCase()` then digest
+ *   - Phone: trim → keep a single leading "+" → strip non-digits → prepend "+"
+ *     if missing → digest
+ *
+ * Mobile clients can compute these digests with `expo-crypto`'s
+ * `digestStringAsync(SHA256, value, { encoding: HEX })`. Web clients should
+ * use `SubtleCrypto.digest('SHA-256', ...)`.
+ */
+import type { OxyServicesBase } from '../OxyServices.base';
+/** A single match returned by `POST /contacts/discover`. */
+export interface ContactDiscoveryMatch {
+    /** Oxy user ID (MongoDB ObjectId hex string). */
+    userId: string;
+    /** The hashed identifier from the request that matched this user. */
+    hashedIdentifier: string;
+    /** Whether the match came from the email index or phone index. */
+    matchType: 'email' | 'phone';
+}
+/** Response shape of `POST /contacts/discover`. */
+export interface ContactDiscoveryResponse {
+    matches: ContactDiscoveryMatch[];
+}
+export declare function OxyServicesContactsMixin<T extends typeof OxyServicesBase>(Base: T): {
+    new (...args: any[]): {
+        /**
+         * Discover which of the caller's contacts are on Oxy.
+         *
+         * @param hashedEmails - SHA-256 hex digests of normalized emails.
+         * @param hashedPhones - SHA-256 hex digests of normalized phone numbers.
+         * @returns Matches mapping each hashed identifier to the Oxy user ID it
+         *   resolved to. Empty arrays are valid for either parameter, but at
+         *   least one must be non-empty.
+         *
+         * The server enforces a 200-hash cap per channel per request — callers
+         * should batch larger address books client-side.
+         */
+        discoverContacts(hashedEmails: string[], hashedPhones: string[]): Promise<ContactDiscoveryResponse>;
+        httpService: import("../HttpService").HttpService;
+        cloudURL: string;
+        config: import("../OxyServices.base").OxyConfig;
+        __resetTokensForTests(): void;
+        makeRequest<T_1>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T_1>;
+        getBaseURL(): string;
+        getClient(): import("../HttpService").HttpService;
+        getMetrics(): {
+            totalRequests: number;
+            successfulRequests: number;
+            failedRequests: number;
+            cacheHits: number;
+            cacheMisses: number;
+            averageResponseTime: number;
+        };
+        clearCache(): void;
+        clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
+        getCacheStats(): {
+            size: number;
+            hits: number;
+            misses: number;
+            hitRate: number;
+        };
+        getCloudURL(): string;
+        setTokens(accessToken: string, refreshToken?: string): void;
+        clearTokens(): void;
+        _cachedUserId: string | null | undefined;
+        _cachedAccessToken: string | null;
+        getCurrentUserId(): string | null;
+        hasValidToken(): boolean;
+        getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
+        waitForAuth(timeoutMs?: number): Promise<boolean>;
+        withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
+            maxRetries?: number;
+            retryDelay?: number;
+            authTimeoutMs?: number;
+        }): Promise<T_1>;
+        validate(): Promise<boolean>;
+        handleError(error: unknown): Error;
+        healthCheck(): Promise<{
+            status: string;
+            users?: number;
+            timestamp?: string;
+            [key: string]: any;
+        }>;
+    };
+} & T;

package/dist/types/mixins/OxyServices.developer.d.ts

@@ -69,6 +69,7 @@ export declare function OxyServicesDeveloperMixin<T extends typeof OxyServicesBa
         };
         clearCache(): void;
         clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
         getCacheStats(): {
             size: number;
             hits: number;

package/dist/types/mixins/OxyServices.devices.d.ts

@@ -66,6 +66,7 @@ export declare function OxyServicesDevicesMixin<T extends typeof OxyServicesBase
         };
         clearCache(): void;
         clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
         getCacheStats(): {
             size: number;
             hits: number;

package/dist/types/mixins/OxyServices.features.d.ts

@@ -177,10 +177,6 @@ export declare function OxyServicesFeaturesMixin<T extends typeof OxyServicesBas
          * Get all available achievements
          */
         getAllAchievements(): Promise<Achievement[]>;
-        /**
-         * Delete user account (requires password confirmation)
-         */
-        deleteAccount(password: string): Promise<void>;
         httpService: import("../HttpService").HttpService;
         cloudURL: string;
         config: import("../OxyServices.base").OxyConfig;
@@ -198,6 +194,7 @@ export declare function OxyServicesFeaturesMixin<T extends typeof OxyServicesBas
         };
         clearCache(): void;
         clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
         getCacheStats(): {
             size: number;
             hits: number;
@@ -225,9 +222,7 @@ export declare function OxyServicesFeaturesMixin<T extends typeof OxyServicesBas
         healthCheck(): Promise<{
             status: string;
             users?: number;
-            timestamp? /**
-             * Get FAQs
-             */: string;
+            timestamp?: string;
             [key: string]: any;
         }>;
     };

package/dist/types/mixins/OxyServices.fedcm.d.ts

@@ -174,6 +174,7 @@ export declare function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(
         };
         clearCache(): void;
         clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
         getCacheStats(): {
             size: number;
             hits: number;

package/dist/types/mixins/OxyServices.karma.d.ts

@@ -55,6 +55,7 @@ export declare function OxyServicesKarmaMixin<T extends typeof OxyServicesBase>(
         };
         clearCache(): void;
         clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
         getCacheStats(): {
             size: number;
             hits: number;

package/dist/types/mixins/OxyServices.language.d.ts

@@ -51,6 +51,7 @@ export declare function OxyServicesLanguageMixin<T extends typeof OxyServicesBas
         };
         clearCache(): void;
         clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
         getCacheStats(): {
             size: number;
             hits: number;

package/dist/types/mixins/OxyServices.location.d.ts

@@ -34,6 +34,7 @@ export declare function OxyServicesLocationMixin<T extends typeof OxyServicesBas
         };
         clearCache(): void;
         clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
         getCacheStats(): {
             size: number;
             hits: number;

package/dist/types/mixins/OxyServices.managedAccounts.d.ts

@@ -91,6 +91,7 @@ export declare function OxyServicesManagedAccountsMixin<T extends typeof OxyServ
         };
         clearCache(): void;
         clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
         getCacheStats(): {
             size: number;
             hits: number;

package/dist/types/mixins/OxyServices.payment.d.ts

@@ -81,6 +81,7 @@ export declare function OxyServicesPaymentMixin<T extends typeof OxyServicesBase
         };
         clearCache(): void;
         clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
         getCacheStats(): {
             size: number;
             hits: number;

package/dist/types/mixins/OxyServices.popup.d.ts

@@ -171,6 +171,7 @@ export declare function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBa
         };
         clearCache(): void;
         clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
         getCacheStats(): {
             size: number;
             hits: number;

package/dist/types/mixins/OxyServices.privacy.d.ts

@@ -92,6 +92,7 @@ export declare function OxyServicesPrivacyMixin<T extends typeof OxyServicesBase
         };
         clearCache(): void;
         clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
         getCacheStats(): {
             size: number;
             hits: number;

package/dist/types/mixins/OxyServices.redirect.d.ts

@@ -208,6 +208,7 @@ export declare function OxyServicesRedirectAuthMixin<T extends typeof OxyService
         };
         clearCache(): void;
         clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
         getCacheStats(): {
             size: number;
             hits: number;

package/dist/types/mixins/OxyServices.security.d.ts

@@ -48,6 +48,7 @@ export declare function OxyServicesSecurityMixin<T extends typeof OxyServicesBas
         };
         clearCache(): void;
         clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
         getCacheStats(): {
             size: number;
             hits: number;

package/dist/types/mixins/OxyServices.topics.d.ts

@@ -74,6 +74,7 @@ export declare function OxyServicesTopicsMixin<T extends typeof OxyServicesBase>
         };
         clearCache(): void;
         clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
         getCacheStats(): {
             size: number;
             hits: number;

package/dist/types/mixins/OxyServices.user.d.ts

@@ -1,7 +1,7 @@
 /**
  * User Management Methods Mixin
  */
-import type { User, Notification, SearchProfilesResponse } from '../models/interfaces';
+import type { User, Notification, SearchProfilesResponse, PrivacySettings } from '../models/interfaces';
 import type { OxyServicesBase } from '../OxyServices.base';
 import { type PaginationParams } from '../utils/apiUtils';
 export declare function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T): {
@@ -92,21 +92,30 @@ export declare function OxyServicesUserMixin<T extends typeof OxyServicesBase>(B
          */
         getCurrentUser(): Promise<User>;
         /**
-         * Update user profile
-         * TanStack Query handles offline queuing automatically
+         * Update user profile.
+         *
+         * Invalidates the SDK-side response cache for every endpoint that
+         * returns the current user (`GET /users/me`, `GET /session/user/*`,
+         * `GET /users/<id>`, `GET /profiles/username/*`) so the next read
+         * doesn't return a stale snapshot. Without this, a follow-up
+         * `getUserBySession` call inside the 2-minute cache window can return
+         * the pre-update user — most visibly during onboarding, where it
+         * causes the username step to flicker back as if nothing was saved.
+         *
+         * TanStack Query handles offline queuing automatically.
          */
-        updateProfile(updates: Record<string, any>): Promise<User>;
+        updateProfile(updates: Partial<User>): Promise<User>;
         /**
          * Get privacy settings for a user
          * @param userId - The user ID (defaults to current user)
          */
-        getPrivacySettings(userId?: string): Promise<any>;
+        getPrivacySettings(userId?: string): Promise<PrivacySettings>;
         /**
          * Update privacy settings
          * @param settings - Partial privacy settings object
          * @param userId - The user ID (defaults to current user)
          */
-        updatePrivacySettings(settings: Record<string, any>, userId?: string): Promise<any>;
+        updatePrivacySettings(settings: Partial<PrivacySettings>, userId?: string): Promise<PrivacySettings>;
         /**
          * Request account verification
          */
@@ -119,11 +128,18 @@ export declare function OxyServicesUserMixin<T extends typeof OxyServicesBase>(B
          */
         downloadAccountData(format?: "json" | "csv"): Promise<Blob>;
         /**
-         * Delete account permanently
-         * @param password - User password for confirmation
-         * @param confirmText - Confirmation text (usually username)
-         */
-        deleteAccount(password: string, confirmText: string): Promise<{
+         * Delete account permanently.
+         *
+         * Signs `delete:{publicKey}:{timestamp}` with the locally-stored identity
+         * private key and submits the signature alongside the confirmation text
+         * (must equal the user's username). The signature is the cryptographic
+         * proof of ownership — only the device holding the private key can issue
+         * a valid signature, so no password is required.
+         *
+         * @param confirmText - Must equal the user's username (verified server-side)
+         * @throws If no identity is stored on this device, or signing fails
+         */
+        deleteAccount(confirmText: string): Promise<{
             message: string;
         }>;
         /**
@@ -203,6 +219,7 @@ export declare function OxyServicesUserMixin<T extends typeof OxyServicesBase>(B
         };
         clearCache(): void;
         clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
         getCacheStats(): {
             size: number;
             hits: number;

package/dist/types/mixins/OxyServices.utility.d.ts

@@ -1,4 +1,4 @@
-import type { ApiError } from '../models/interfaces';
+import type { ApiError, User } from '../models/interfaces';
 import type { OxyServicesBase } from '../OxyServices.base';
 /**
  * Result from the managed-accounts verification endpoint.
@@ -9,11 +9,31 @@ interface ActingAsVerification {
     role: 'owner' | 'admin' | 'editor';
 }
 /**
- * Service app metadata attached to requests authenticated with service tokens
+ * Result from the service-acting-as verification endpoint.
+ * Confirms that a given service app holds an active delegation grant for
+ * the supplied user, along with the explicit scope list the grant covers.
+ *
+ * The api side persists these via the `ServiceActingAs` model:
+ *   { serviceAppId, userId, scopes: string[], grantedAt, expiresAt }
+ *
+ * The SDK never inspects the grant directly — it round-trips through
+ * `GET /internal/service-acting-as/verify?appId=...&userId=...` so the
+ * authoritative store stays server-side.
+ */
+export interface ServiceActingAsVerification {
+    authorized: boolean;
+    scopes: string[];
+}
+/**
+ * Service app metadata attached to requests authenticated with service tokens.
+ * `scopes` reflects the scopes granted to the app at signup time (from the
+ * `DeveloperApp.scopes` field); route-level checks can require additional
+ * scope-narrowing via `requireScope()`.
  */
 export interface ServiceApp {
     appId: string;
     appName: string;
+    scopes: string[];
 }
 /**
  * Options for oxyClient.auth() middleware
@@ -22,7 +42,7 @@ interface AuthMiddlewareOptions {
     /** Enable debug logging (default: false) */
     debug?: boolean;
     /** Custom error handler - receives error object, can return response */
-    onError?: (error: ApiError) => any;
+    onError?: (error: ApiError) => unknown;
     /** Load full user profile from API (default: false for performance) */
     loadUser?: boolean;
     /** Optional auth - attach user if token present but don't block (default: false) */
@@ -31,8 +51,24 @@ interface AuthMiddlewareOptions {
      * JWT secret for verifying service token signatures locally.
      * When provided, service tokens will be cryptographically verified.
      * When omitted, service tokens will be rejected (secure default).
+     *
+     * **Migration note (>=1.11.14):** the Oxy API now signs service tokens
+     * with a dedicated `SERVICE_TOKEN_SECRET` distinct from `ACCESS_TOKEN_SECRET`.
+     * Pass that value here. If you keep passing the access-token secret you will
+     * still verify ALL signed-by-Oxy tokens (which is the whole class of bug
+     * H4 was supposed to prevent — DO NOT do that in production).
      */
     jwtSecret?: string;
+    /**
+     * Expected JWT issuer. Defaults to `'oxy-auth'`. Override only if you run
+     * a private fork of the Oxy auth server under a different `iss` claim.
+     */
+    expectedIssuer?: string;
+    /**
+     * Expected JWT audience. Defaults to `'oxy-api'`. Override only if your
+     * private fork mints tokens for a different audience.
+     */
+    expectedAudience?: string;
 }
 export declare function OxyServicesUtilityMixin<T extends typeof OxyServicesBase>(Base: T): {
     new (...args: any[]): {
@@ -41,6 +77,17 @@ export declare function OxyServicesUtilityMixin<T extends typeof OxyServicesBase
             result: ActingAsVerification | null;
             expiresAt: number;
         }>;
+        /**
+         * In-memory cache for service-acting-as verification.
+         * Negative results are cached for 1min to avoid hammering the verify
+         * endpoint when a service is misconfigured; positive grants are cached
+         * for 5min to amortize the round-trip without holding stale grants too long.
+         * @internal
+         */
+        _serviceActingAsCache: Map<string, {
+            result: ServiceActingAsVerification | null;
+            expiresAt: number;
+        }>;
         /**
          * Verify that a user is authorized to act as a managed account.
          * Results are cached in-memory for 5 minutes to avoid repeated API calls.
@@ -48,6 +95,19 @@ export declare function OxyServicesUtilityMixin<T extends typeof OxyServicesBase
          * @internal Used by the auth() middleware — not part of the public API
          */
         verifyActingAs(userId: string, accountId: string): Promise<ActingAsVerification | null>;
+        /**
+         * Verify that a service app holds an active delegation grant authorising
+         * it to act on behalf of `userId`. Returns the grant (with allowed scopes)
+         * on success or `null` if no valid grant exists. Negative answers are
+         * cached briefly to protect the verify endpoint from misconfigured callers.
+         *
+         * Implemented as a per-instance Map keyed by `appId:userId`. Cached
+         * positive grants live for 5 minutes (acceptable staleness window for an
+         * impersonation grant); revocations propagate within that window.
+         *
+         * @internal Used by the auth() middleware — not part of the public API
+         */
+        verifyServiceActingAs(appId: string, userId: string): Promise<ServiceActingAsVerification | null>;
         /**
          * Fetch link metadata
          */
@@ -70,9 +130,17 @@ export declare function OxyServicesUtilityMixin<T extends typeof OxyServicesBase
          * - Security comes from API-based session validation (`validateSession()`)
          *   which checks the session server-side on every request
          * - Service tokens (type: 'service') DO use cryptographic HMAC verification
-         *   via the `jwtSecret` option, since they are stateless
+         *   via the `jwtSecret` option, since they are stateless. Service tokens
+         *   are additionally checked for `aud`, `iss`, and `type` claims to prevent
+         *   cross-token-type confusion attacks.
          * - The backend's own `authMiddleware` uses `jwt.verify()` because it has
-         *   direct access to `ACCESS_TOKEN_SECRET`
+         *   direct access to `SERVICE_TOKEN_SECRET` / `ACCESS_TOKEN_SECRET`.
+         *
+         * **Service-token delegation (X-Oxy-User-Id):**
+         * When a service token is accompanied by `X-Oxy-User-Id`, the SDK calls
+         * `verifyServiceActingAs(appId, userId)` to confirm an explicit delegation
+         * grant exists before attaching `req.userId`. A missing/expired grant
+         * results in a 403 — there is no fail-open path.
          *
          * @example
          * ```typescript
@@ -81,7 +149,7 @@ export declare function OxyServicesUtilityMixin<T extends typeof OxyServicesBase
          * const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
          *
          * // Protect all routes under /protected
-         * app.use('/protected', oxy.auth());
+         * app.use('/protected', oxy.auth({ jwtSecret: process.env.SERVICE_TOKEN_SECRET }));
          *
          * // Access user in route handler
          * app.get('/protected/me', (req, res) => {
@@ -93,12 +161,15 @@ export declare function OxyServicesUtilityMixin<T extends typeof OxyServicesBase
          *
          * // Optional auth - attach user if present, don't block if absent
          * app.use('/public', oxy.auth({ optional: true }));
+         *
+         * // Require a specific scope on a service-token-protected route
+         * app.use('/internal/files', oxy.serviceAuth({ jwtSecret: process.env.SERVICE_TOKEN_SECRET }), oxy.requireScope('files:write'));
          * ```
          *
          * @param options Optional configuration
          * @returns Express middleware function
          */
-        auth(options?: AuthMiddlewareOptions): (req: any, res: any, next: any) => Promise<any>;
+        auth(options?: AuthMiddlewareOptions): (req: AuthReq, res: AuthRes, next: AuthNext) => Promise<unknown>;
         /**
          * Socket.IO authentication middleware factory
          *
@@ -125,7 +196,7 @@ export declare function OxyServicesUtilityMixin<T extends typeof OxyServicesBase
          */
         authSocket(options?: {
             debug?: boolean;
-        }): (socket: any, next: (err?: Error) => void) => Promise<void>;
+        }): (socket: SocketLike, next: (err?: Error) => void) => Promise<void>;
         /**
          * Express.js middleware that only allows service tokens.
          * Use this for internal-only endpoints that should not be accessible
@@ -134,7 +205,7 @@ export declare function OxyServicesUtilityMixin<T extends typeof OxyServicesBase
          * @example
          * ```typescript
          * // Protect internal endpoints
-         * app.use('/internal', oxy.serviceAuth());
+         * app.use('/internal', oxy.serviceAuth({ jwtSecret: process.env.SERVICE_TOKEN_SECRET }));
          *
          * app.post('/internal/trigger', (req, res) => {
          *   console.log('Service app:', req.serviceApp);
@@ -145,7 +216,30 @@ export declare function OxyServicesUtilityMixin<T extends typeof OxyServicesBase
         serviceAuth(options?: {
             debug?: boolean;
             jwtSecret?: string;
-        }): (req: any, res: any, next: any) => Promise<void>;
+            expectedIssuer?: string;
+            expectedAudience?: string;
+        }): (req: AuthReq, res: AuthRes, next: AuthNext) => Promise<void>;
+        /**
+         * Express.js middleware that enforces a specific service-token scope.
+         *
+         * Mount AFTER `auth()` / `serviceAuth()` — relies on `req.serviceApp` and
+         * (when delegation is in effect) `req.serviceActingAs.scopes`. The scope
+         * is granted if EITHER list contains it, mirroring the OAuth2 model where
+         * the app's app-level scopes and the per-user delegated scopes both count.
+         *
+         * Requests authenticated as a regular user (no service token) are rejected
+         * with 403 — scope-protected endpoints are service-to-service by design.
+         *
+         * @example
+         * ```typescript
+         * app.use(
+         *   '/internal/files',
+         *   oxy.serviceAuth({ jwtSecret: process.env.SERVICE_TOKEN_SECRET }),
+         *   oxy.requireScope('files:write'),
+         * );
+         * ```
+         */
+        requireScope(scope: string): (req: AuthReq, res: AuthRes, next: AuthNext) => void;
         httpService: import("../HttpService").HttpService;
         cloudURL: string;
         config: import("../OxyServices.base").OxyConfig;
@@ -163,6 +257,7 @@ export declare function OxyServicesUtilityMixin<T extends typeof OxyServicesBase
         };
         clearCache(): void;
         clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
         getCacheStats(): {
             size: number;
             hits: number;
@@ -195,4 +290,44 @@ export declare function OxyServicesUtilityMixin<T extends typeof OxyServicesBase
         }>;
     };
 } & T;
+interface AuthReq {
+    method?: string;
+    path?: string;
+    headers: Record<string, string | string[] | undefined>;
+    query?: Record<string, unknown>;
+    userId?: string | null;
+    user?: User | null;
+    accessToken?: string;
+    sessionId?: string | null;
+    serviceApp?: ServiceApp;
+    serviceActingAs?: {
+        userId: string;
+        scopes: string[];
+    };
+    actingAs?: {
+        userId: string;
+        role: string;
+    };
+    originalUser?: {
+        id: string;
+    } & Partial<User>;
+}
+interface AuthRes {
+    status(code: number): AuthRes;
+    json(body: unknown): unknown;
+}
+type AuthNext = (err?: unknown) => void;
+interface SocketLike {
+    handshake?: {
+        auth?: {
+            token?: string;
+        };
+    };
+    data?: Record<string, unknown>;
+    user?: {
+        id: string;
+        userId: string;
+        sessionId?: string | null;
+    };
+}
 export {};

package/dist/types/mixins/index.d.ts

@@ -4,7 +4,50 @@
  * This module provides a clean way to compose all mixins
  * and ensures consistent ordering for better maintainability
  */
-type MixinFunction = (Base: any) => any;
+import { OxyServicesBase } from '../OxyServices.base';
+import { OxyServicesAuthMixin } from './OxyServices.auth';
+import { OxyServicesFedCMMixin } from './OxyServices.fedcm';
+import { OxyServicesPopupAuthMixin } from './OxyServices.popup';
+import { OxyServicesRedirectAuthMixin } from './OxyServices.redirect';
+import { OxyServicesUserMixin } from './OxyServices.user';
+import { OxyServicesPrivacyMixin } from './OxyServices.privacy';
+import { OxyServicesLanguageMixin } from './OxyServices.language';
+import { OxyServicesPaymentMixin } from './OxyServices.payment';
+import { OxyServicesKarmaMixin } from './OxyServices.karma';
+import { OxyServicesAssetsMixin } from './OxyServices.assets';
+import { OxyServicesDeveloperMixin } from './OxyServices.developer';
+import { OxyServicesLocationMixin } from './OxyServices.location';
+import { OxyServicesAnalyticsMixin } from './OxyServices.analytics';
+import { OxyServicesDevicesMixin } from './OxyServices.devices';
+import { OxyServicesSecurityMixin } from './OxyServices.security';
+import { OxyServicesUtilityMixin } from './OxyServices.utility';
+import { OxyServicesFeaturesMixin } from './OxyServices.features';
+import { OxyServicesTopicsMixin } from './OxyServices.topics';
+import { OxyServicesManagedAccountsMixin } from './OxyServices.managedAccounts';
+import { OxyServicesContactsMixin } from './OxyServices.contacts';
+/**
+ * Instance shape of every mixin in the pipeline, intersected. The runtime
+ * `composeOxyServices()` produces a class whose instances expose all of
+ * these methods; we surface that to TypeScript via this intersection so the
+ * `extends` site in `OxyServices.ts` can avoid an `as any` cast.
+ *
+ * If you add a new mixin to `MIXIN_PIPELINE`, add it here too so its methods
+ * are visible without a cast.
+ */
+type AllMixinInstances = InstanceType<ReturnType<typeof OxyServicesAuthMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesFedCMMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesPopupAuthMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesRedirectAuthMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesUserMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesPrivacyMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesLanguageMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesPaymentMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesKarmaMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesAssetsMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesDeveloperMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesLocationMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesAnalyticsMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesDevicesMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesSecurityMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesFeaturesMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesTopicsMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesManagedAccountsMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesContactsMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesUtilityMixin<typeof OxyServicesBase>>>;
+/**
+ * Constructor type for the fully composed mixin pipeline. Each mixin returns
+ * a new constructor that augments its input; reducing across the pipeline
+ * yields an instance with every mixin's methods.
+ */
+export type ComposedOxyServicesConstructor = new (config: import('../OxyServices.base').OxyConfig) => AllMixinInstances;
+/**
+ * A mixin function: takes a constructor and returns an augmented constructor.
+ * Each individual mixin uses a `<T extends typeof OxyServicesBase>` generic
+ * to preserve its specific augmentations, but those refinements are
+ * intentionally collapsed across the `reduce` call below.
+ */
+type MixinFunction = (Base: new (...args: unknown[]) => OxyServicesBase) => new (...args: unknown[]) => OxyServicesBase;
 /**
  * Mixin pipeline - applied in order from first to last.
  *
@@ -22,9 +65,14 @@ declare const MIXIN_PIPELINE: MixinFunction[];
  * Composes all OxyServices mixins using a pipeline pattern.
  *
  * This is equivalent to the nested calls but more readable and maintainable.
- * Adding a new mixin: just add it to MIXIN_PIPELINE at the appropriate position.
+ * Adding a new mixin: add it to MIXIN_PIPELINE at the appropriate position
+ * AND extend `AllMixinInstances` so its methods are visible to consumers.
+ *
+ * The cast through `unknown` carries the runtime augmentation chain into the
+ * static type system. `Array.reduce` cannot track each mixin's generic
+ * refinement, so we assert the final shape exposed by all mixins together.
  *
- * @returns The fully composed OxyServices class with all mixins applied
+ * @returns The fully composed OxyServices constructor with all mixins applied
  */
-export declare function composeOxyServices(): any;
+export declare function composeOxyServices(): ComposedOxyServicesConstructor;
 export { MIXIN_PIPELINE };