@oxyhq/core 1.11.23 → 2.0.0

package/src/mixins/__tests__/fedcm.test.ts

@@ -321,3 +321,234 @@ describe('OxyServices FedCM mode enum (active/passive)', () => {
     expect(call.identity.mode).toBeUndefined();
   });
 });
+
+/**
+ * Stale-loginHint clear-and-retry regression tests.
+ *
+ * A loginHint left over from a previously-signed-in/test account (persisted in
+ * `oxy_fedcm_login_hint`) that matches NO account at the IdP makes Chrome
+ * filter out every account, grey it in the chooser, and reject
+ * `navigator.credentials.get` — indistinguishable from a user cancel. The
+ * interactive flow must recover by clearing the bad hint and retrying ONCE with
+ * no hint, so the genuinely available account becomes selectable again. These
+ * tests lock that behaviour in.
+ */
+describe('OxyServices FedCM stale loginHint clear-and-retry', () => {
+  afterEach(() => {
+    clearBrowserGlobals();
+    jest.restoreAllMocks();
+  });
+
+  it('clears a stale stored hint and retries the get() once with no hint, then succeeds', async () => {
+    const hintsSeen: Array<string | undefined> = [];
+    installBrowserGlobals({
+      credentialsGet: async (opts) => {
+        const hint = opts.identity.providers[0].loginHint;
+        hintsSeen.push(hint);
+        if (hint) {
+          // First attempt carries the stale stored hint → Chrome filtered out
+          // every account and rejected the request (NotAllowedError).
+          const err = new Error('Accounts were received, but none matched the login hint.');
+          err.name = 'NotAllowedError';
+          throw err;
+        }
+        // Retry with NO hint → the available account resolves.
+        return { type: 'identity', token: 'recovered-id-token', isAutoSelected: false };
+      },
+    });
+
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+    // Seed a stale hint in localStorage (a previously-signed-in/test account).
+    localStorage.setItem('oxy_fedcm_login_hint', 'stale-user-id');
+
+    const exchanged: string[] = [];
+    mintAndExchange(oxy, exchanged);
+
+    const session = await oxy.signInWithFedCM();
+
+    // The first get() saw the stale hint; the second saw none.
+    expect(hintsSeen).toEqual(['stale-user-id', undefined]);
+    // The token from the hint-less retry was exchanged for a session.
+    expect(session.sessionId).toBe('sess_mode');
+    expect(exchanged).toEqual(['recovered-id-token']);
+    // The stale hint was cleared and replaced with the freshly signed-in id.
+    expect(localStorage.getItem('oxy_fedcm_login_hint')).toBe('user_mode');
+  });
+
+  it('does NOT retry when there was no stored hint (a genuine cancel surfaces)', async () => {
+    let callCount = 0;
+    installBrowserGlobals({
+      credentialsGet: async () => {
+        callCount += 1;
+        const err = new Error('User cancelled the sign-in.');
+        err.name = 'NotAllowedError';
+        throw err;
+      },
+    });
+
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+    // No hint in storage → a NotAllowedError is a real cancel, not a mismatch,
+    // so the error must surface (no clear-and-retry).
+    jest.spyOn(oxy, 'makeRequest').mockImplementation(async (_method: string, url: string) => {
+      if (url === '/fedcm/nonce') {
+        return { nonce: 'n', expiresAt: new Date(Date.now() + 60000).toISOString() } as never;
+      }
+      throw new Error(`unexpected request to ${url}`);
+    });
+
+    await expect(oxy.signInWithFedCM()).rejects.toThrow('User cancelled the sign-in.');
+    // Exactly one attempt — no clear-and-retry without a stored hint.
+    expect(callCount).toBe(1);
+  });
+
+  it('does NOT clear or retry a caller-supplied loginHint (only stored hints are cleared)', async () => {
+    let callCount = 0;
+    installBrowserGlobals({
+      credentialsGet: async () => {
+        callCount += 1;
+        const err = new Error('Accounts were received, but none matched the login hint.');
+        err.name = 'NotAllowedError';
+        throw err;
+      },
+    });
+
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+    // A leftover stored hint must be untouched: the caller explicitly chose the
+    // hint, so we must not silently discard it nor retry behind their back.
+    localStorage.setItem('oxy_fedcm_login_hint', 'persisted-hint');
+    jest.spyOn(oxy, 'makeRequest').mockImplementation(async (_method: string, url: string) => {
+      if (url === '/fedcm/nonce') {
+        return { nonce: 'n', expiresAt: new Date(Date.now() + 60000).toISOString() } as never;
+      }
+      throw new Error(`unexpected request to ${url}`);
+    });
+
+    await expect(oxy.signInWithFedCM({ loginHint: 'caller-hint' })).rejects.toBeTruthy();
+    // Exactly one attempt — caller-supplied hints are never auto-cleared/retried.
+    expect(callCount).toBe(1);
+    // The stored hint was left intact.
+    expect(localStorage.getItem('oxy_fedcm_login_hint')).toBe('persisted-hint');
+  });
+});
+
+/**
+ * FedCM single-flight lock: interactive-aborts-silent regression tests.
+ *
+ * FedCM only allows one `navigator.credentials.get` at a time. Silent SSO runs
+ * on page load and the real round-trip can be slow (or stall in the browser).
+ * If an INTERACTIVE request (the user clicked "Sign In") arrives while a SILENT
+ * one is still in flight, it must NOT wait on the silent — awaiting a hung
+ * silent request previously deadlocked the sign-in button. Instead it aborts the
+ * in-flight silent and proceeds immediately. These tests lock that in, and pin
+ * the silent timeout so the on-load silent round-trip has enough budget.
+ */
+
+// `navigator.credentials.get` receives an AbortSignal we want to observe in the
+// lock tests, which the shared `CredentialGetCall` shape omits. Model it here.
+interface CredentialGetCallWithSignal {
+  identity: { providers: Array<{ loginHint?: string }>; mode?: string };
+  mediation: string;
+  signal?: AbortSignal;
+}
+
+describe('OxyServices FedCM single-flight lock (interactive aborts silent)', () => {
+  afterEach(() => {
+    clearBrowserGlobals();
+    jest.restoreAllMocks();
+  });
+
+  it('aborts an in-progress silent request and proceeds with the interactive one', async () => {
+    let silentSignal: AbortSignal | undefined;
+    let silentAborted = false;
+    let interactiveRan = false;
+
+    const store = new Map<string, string>();
+    const localStorageStub = {
+      getItem: (k: string) => (store.has(k) ? (store.get(k) as string) : null),
+      setItem: (k: string, v: string) => { store.set(k, v); },
+      removeItem: (k: string) => { store.delete(k); },
+    };
+
+    const credentialsGet = (opts: CredentialGetCallWithSignal): Promise<unknown> => {
+      if (opts.mediation === 'silent') {
+        // The silent request HANGS: it only settles when its signal is aborted,
+        // exactly like a real slow/stalled silent round-trip. This is what must
+        // NOT block the interactive request.
+        silentSignal = opts.signal;
+        return new Promise((_resolve, reject) => {
+          const signal = opts.signal;
+          if (!signal) return; // never settles without a signal (shouldn't happen)
+          signal.addEventListener('abort', () => {
+            silentAborted = true;
+            const err = new Error('The operation was aborted.');
+            err.name = 'AbortError';
+            reject(err);
+          });
+        });
+      }
+      // Interactive request resolves immediately with a usable credential.
+      interactiveRan = true;
+      return Promise.resolve({ type: 'identity', token: 'interactive-token', isAutoSelected: false });
+    };
+
+    const nav = { credentials: { get: (opts: CredentialGetCallWithSignal) => credentialsGet(opts) } };
+    const win = {
+      location: { origin: ORIGIN, hostname: 'accounts.oxy.so' },
+      IdentityCredential: function IdentityCredential() {},
+      navigator: nav,
+      localStorage: localStorageStub,
+    };
+    (globalThis as unknown as { window: unknown }).window = win;
+    (globalThis as unknown as { navigator: unknown }).navigator = nav;
+    (globalThis as unknown as { localStorage: unknown }).localStorage = localStorageStub;
+    (globalThis as unknown as { IdentityCredential: unknown }).IdentityCredential = win.IdentityCredential;
+
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+    const exchanged: string[] = [];
+    jest
+      .spyOn(oxy, 'makeRequest')
+      .mockImplementation(async (_method: string, url: string, data?: unknown) => {
+        if (url === '/fedcm/nonce') {
+          return { nonce: 'server-nonce', expiresAt: new Date(Date.now() + 60000).toISOString() } as never;
+        }
+        if (url === '/fedcm/exchange') {
+          exchanged.push((data as { id_token: string }).id_token);
+          return {
+            sessionId: 'sess_lock',
+            deviceId: 'dev_lock',
+            expiresAt: new Date(Date.now() + 60000).toISOString(),
+            accessToken: 'access_lock',
+            user: { id: 'user_lock', username: 'tester' },
+          } as never;
+        }
+        throw new Error(`unexpected request to ${url}`);
+      });
+
+    // Kick off the silent request (it will hang) WITHOUT awaiting it.
+    const silentPromise = oxy.silentSignInWithFedCM();
+    // Let the silent request reach navigator.credentials.get and register its
+    // abort listener (it awaits the nonce mint first).
+    await new Promise((resolve) => setTimeout(resolve, 0));
+    expect(silentSignal).toBeDefined();
+    expect(silentAborted).toBe(false);
+
+    // Now the user clicks "Sign In": the interactive request must abort the
+    // hung silent one and complete on its own — never block on it.
+    const session = await oxy.signInWithFedCM();
+
+    expect(silentAborted).toBe(true);
+    expect(interactiveRan).toBe(true);
+    expect(session.sessionId).toBe('sess_lock');
+    expect(exchanged).toEqual(['interactive-token']);
+
+    // The aborted silent resolves cleanly to null (its own error path), never
+    // throwing and never leaving the lock stuck.
+    await expect(silentPromise).resolves.toBeNull();
+  });
+});
+
+describe('OxyServices FedCM silent timeout', () => {
+  it('uses a 10s silent timeout (enough budget for the real on-load round-trip)', () => {
+    expect(OxyServices.FEDCM_SILENT_TIMEOUT).toBe(10000);
+  });
+});

package/src/mixins/__tests__/popup.test.ts

@@ -0,0 +1,307 @@
+/**
+ * Popup mixin regression tests.
+ *
+ * Locks in the §6c fix: cross-domain sign-in popups (auth.oxy.so) were being
+ * blocked by Chrome on consumer apps (mention.earth, homiio.com, alia.onl)
+ * because the caller chain awaited FedCM / silent SSO BEFORE
+ * `signInWithPopup` reached `window.open`. The transient user-activation
+ * had been consumed by the first `await`, so the popup-blocker killed the
+ * subsequent `window.open` call.
+ *
+ * The fix exposes two new affordances on the popup mixin:
+ *   1. `openBlankPopup(width?, height?)` — a public, synchronous helper that
+ *      callers invoke from the raw user-gesture handler BEFORE any await, so
+ *      the popup is opened while the activation is still live.
+ *   2. `signInWithPopup({ popup })` — accepts the pre-opened window handle
+ *      and navigates IT to the auth URL instead of issuing a fresh
+ *      `window.open` (which would now be blocked).
+ *
+ * Backward compat: callers that omit `popup` keep the legacy behaviour (the
+ * mixin opens its own popup via `openCenteredPopup`). The browser globals
+ * are stubbed so the platform-agnostic mixin can run under the node test
+ * env.
+ */
+
+import { OxyServices } from '../../OxyServices';
+
+const ORIGIN = 'https://mention.earth';
+
+interface MockPopup {
+  closed: boolean;
+  close: jest.Mock;
+  location: {
+    href: string;
+    replace: jest.Mock;
+  };
+}
+
+function createMockPopup(overrides: Partial<MockPopup> = {}): MockPopup {
+  return {
+    closed: false,
+    close: jest.fn(),
+    location: {
+      href: '',
+      replace: jest.fn(function (this: { href: string }, url: string) {
+        this.href = url;
+      }),
+    },
+    ...overrides,
+  };
+}
+
+function installBrowserGlobals(options: {
+  windowOpen?: jest.Mock;
+  postMessageDispatcher?: { current: ((event: { origin: string; data: unknown }) => void) | null };
+} = {}): void {
+  const store = new Map<string, string>();
+  const sessionStorageStub = {
+    getItem: (k: string) => (store.has(k) ? (store.get(k) as string) : null),
+    setItem: (k: string, v: string) => { store.set(k, v); },
+    removeItem: (k: string) => { store.delete(k); },
+  };
+  const messageHandlers: Array<(event: { origin: string; data: unknown }) => void> = [];
+  const win = {
+    location: { origin: ORIGIN, hostname: 'mention.earth' },
+    screenX: 0,
+    screenY: 0,
+    outerWidth: 1280,
+    outerHeight: 800,
+    sessionStorage: sessionStorageStub,
+    open: options.windowOpen ?? jest.fn(() => null),
+    addEventListener: (event: string, handler: (e: { origin: string; data: unknown }) => void) => {
+      if (event === 'message') {
+        messageHandlers.push(handler);
+        if (options.postMessageDispatcher) {
+          options.postMessageDispatcher.current = handler;
+        }
+      }
+    },
+    removeEventListener: (event: string, handler: (e: { origin: string; data: unknown }) => void) => {
+      if (event === 'message') {
+        const idx = messageHandlers.indexOf(handler);
+        if (idx >= 0) messageHandlers.splice(idx, 1);
+      }
+    },
+  };
+  (globalThis as unknown as { window: unknown }).window = win;
+  (globalThis as unknown as { sessionStorage: unknown }).sessionStorage = sessionStorageStub;
+  // `crypto.randomUUID` already exists in node 20+ test env — leave it.
+}
+
+function clearBrowserGlobals(): void {
+  for (const key of ['window', 'sessionStorage'] as const) {
+    delete (globalThis as Record<string, unknown>)[key];
+  }
+}
+
+describe('OxyServices popup mixin — pre-opened popup option', () => {
+  afterEach(() => {
+    clearBrowserGlobals();
+    jest.restoreAllMocks();
+  });
+
+  it('navigates a pre-opened popup to the auth URL instead of opening a new one', async () => {
+    const windowOpen = jest.fn();
+    installBrowserGlobals({ windowOpen });
+    const popup = createMockPopup();
+
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+
+    // Resolve `signInWithPopup` as soon as the popup is navigated — we only
+    // care about the open path, not the full postMessage round-trip.
+    let dispatchedAuthUrl: string | null = null;
+    popup.location.replace.mockImplementation(function (this: MockPopup['location'], url: string) {
+      this.href = url;
+      dispatchedAuthUrl = url;
+    });
+
+    // Fire the auth-success message immediately after navigation. We do this
+    // by intercepting `addEventListener` above.
+    const messagePromise = new Promise<void>((resolve) => {
+      // Patch addEventListener to capture the handler and dispatch a fake
+      // success message on the next microtask.
+      const origAdd = (globalThis as unknown as { window: { addEventListener: typeof window.addEventListener } }).window.addEventListener;
+      (globalThis as unknown as { window: { addEventListener: typeof window.addEventListener } }).window.addEventListener =
+        (event: string, handler: EventListenerOrEventListenerObject) => {
+          origAdd(event, handler);
+          if (event === 'message') {
+            queueMicrotask(() => {
+              // We need the state from the URL the popup was navigated to.
+              const url = new URL(dispatchedAuthUrl ?? '');
+              const state = url.searchParams.get('state') ?? '';
+              (handler as (e: { origin: string; data: unknown }) => void)({
+                origin: 'https://auth.oxy.so',
+                data: {
+                  type: 'oxy_auth_response',
+                  state,
+                  session: {
+                    sessionId: 'sess_pre_opened',
+                    deviceId: 'dev_pre',
+                    expiresAt: new Date(Date.now() + 60000).toISOString(),
+                    accessToken: 'access_pre',
+                    user: { id: 'user_pre', username: 'tester' },
+                  },
+                },
+              });
+              resolve();
+            });
+          }
+        };
+    });
+
+    const session = await oxy.signInWithPopup({ popup: popup as unknown as Window });
+    await messagePromise;
+
+    // The pre-opened popup was navigated — `window.open` was NEVER called.
+    expect(windowOpen).not.toHaveBeenCalled();
+    expect(popup.location.replace).toHaveBeenCalledTimes(1);
+    expect(popup.location.replace).toHaveBeenCalledWith(expect.stringContaining('https://auth.oxy.so/login'));
+    expect(session.sessionId).toBe('sess_pre_opened');
+  });
+
+  it('throws a "window was closed" (cancelled) error — NOT "popup blocked" — when the pre-opened handle is already closed', async () => {
+    const windowOpen = jest.fn();
+    installBrowserGlobals({ windowOpen });
+    const popup = createMockPopup({ closed: true });
+
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+
+    // The popup DID open (the blocker allowed it) and the user closed it.
+    // The error must communicate a cancel, never a blocker rejection —
+    // consumers map "blocked" to "please allow popups" UX guidance, which
+    // would be wrong here.
+    await expect(
+      oxy.signInWithPopup({ popup: popup as unknown as Window })
+    ).rejects.toThrow(/Sign-in window was closed/);
+    await expect(
+      oxy.signInWithPopup({ popup: popup as unknown as Window })
+    ).rejects.not.toThrow(/Popup blocked/);
+
+    // Did not attempt to open a fresh popup either.
+    expect(windowOpen).not.toHaveBeenCalled();
+    expect(popup.location.replace).not.toHaveBeenCalled();
+  });
+
+  it('falls back to assigning `location.href` when `location.replace` throws (sandboxed environments)', async () => {
+    const windowOpen = jest.fn();
+    installBrowserGlobals({ windowOpen });
+
+    // Some sandboxed / cross-origin-locked environments make `location.replace`
+    // throw. The mixin must recover with a plain `href` assignment so the
+    // popup still gets navigated. This is the only path that exercises the
+    // catch-and-log branch in OxyServices.popup.ts.
+    const popup: MockPopup = {
+      closed: false,
+      close: jest.fn(),
+      location: {
+        href: '',
+        replace: jest.fn(() => {
+          throw new Error('SecurityError: replace blocked by sandbox');
+        }),
+      },
+    };
+
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+
+    // Drive `signInWithPopup` only until the navigation happens, then abort
+    // via `closed = true` so the poll loop's cancel path resolves the promise.
+    const promise = oxy.signInWithPopup({ popup: popup as unknown as Window });
+    // Let the synchronous popup-navigation path run.
+    await Promise.resolve();
+    popup.closed = true;
+
+    await expect(promise).rejects.toThrow(/cancelled|timeout/i);
+
+    // `replace` was attempted (and threw); the fallback wrote to `href`.
+    expect(popup.location.replace).toHaveBeenCalledTimes(1);
+    expect(popup.location.href).toMatch(/^https:\/\/auth\.oxy\.so\/login/);
+    // No fresh popup was opened.
+    expect(windowOpen).not.toHaveBeenCalled();
+  });
+
+  it('falls back to opening its own popup when `popup` option is omitted (classic behaviour)', async () => {
+    const fallbackPopup = createMockPopup();
+    const windowOpen = jest.fn(() => fallbackPopup);
+    installBrowserGlobals({ windowOpen });
+
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+
+    // Don't actually wait for the full flow; intercept after `window.open`
+    // is called and abort.
+    const promise = oxy.signInWithPopup();
+    // Allow the synchronous `window.open` path to run.
+    await Promise.resolve();
+    fallbackPopup.closed = true; // trigger "Authentication cancelled by user"
+
+    await expect(promise).rejects.toThrow(/cancelled|timeout/i);
+
+    expect(windowOpen).toHaveBeenCalledTimes(1);
+    // The first arg is the auth URL (not 'about:blank').
+    expect((windowOpen.mock.calls[0] as unknown[])[0]).toMatch(/^https:\/\/auth\.oxy\.so\/login/);
+  });
+
+  it('throws "popup blocked" when the legacy path is used and `window.open` returns null', async () => {
+    const windowOpen = jest.fn(() => null);
+    installBrowserGlobals({ windowOpen });
+
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+
+    await expect(oxy.signInWithPopup()).rejects.toThrow(/Popup blocked/);
+    expect(windowOpen).toHaveBeenCalledTimes(1);
+  });
+});
+
+describe('OxyServices popup mixin — openBlankPopup helper', () => {
+  afterEach(() => {
+    clearBrowserGlobals();
+    jest.restoreAllMocks();
+  });
+
+  it('opens about:blank synchronously and returns the window handle', () => {
+    const fakePopup = createMockPopup();
+    const windowOpen = jest.fn(() => fakePopup);
+    installBrowserGlobals({ windowOpen });
+
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+    const popup = oxy.openBlankPopup();
+
+    expect(windowOpen).toHaveBeenCalledTimes(1);
+    const args = windowOpen.mock.calls[0] as unknown[];
+    expect(args[0]).toBe('about:blank');
+    expect(args[1]).toBe('Oxy Sign In');
+    // Features string should include the default width/height.
+    expect(typeof args[2]).toBe('string');
+    expect(args[2] as string).toContain('width=500');
+    expect(args[2] as string).toContain('height=700');
+    expect(popup).toBe(fakePopup);
+  });
+
+  it('returns null when the browser blocks the popup', () => {
+    const windowOpen = jest.fn(() => null);
+    installBrowserGlobals({ windowOpen });
+
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+    const popup = oxy.openBlankPopup();
+
+    expect(popup).toBeNull();
+  });
+
+  it('honors caller-supplied dimensions', () => {
+    const fakePopup = createMockPopup();
+    const windowOpen = jest.fn(() => fakePopup);
+    installBrowserGlobals({ windowOpen });
+
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+    oxy.openBlankPopup(640, 480);
+
+    const args = windowOpen.mock.calls[0] as unknown[];
+    expect(args[2] as string).toContain('width=640');
+    expect(args[2] as string).toContain('height=480');
+  });
+
+  it('returns null in non-browser environments', () => {
+    // No browser globals installed.
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+    expect(oxy.openBlankPopup()).toBeNull();
+  });
+});

package/src/mixins/__tests__/sessionBaseUrl.test.ts

@@ -0,0 +1,61 @@
+/**
+ * `OxyServices.getSessionBaseUrl()` resolution tests.
+ *
+ * Per the 2026 session architecture (docs/SESSION-ARCHITECTURE.md), every app
+ * keeps its OWN first-party session on its OWN domain. `getSessionBaseUrl()`
+ * is the configurable base URL the SDK's first-party session/refresh calls will
+ * target in a later phase:
+ *   - non-`oxy.so` apps point `sessionBaseUrl` at their own same-site backend
+ *     (e.g. `https://api.mention.earth`);
+ *   - `*.oxy.so` apps leave it unset so it falls back to `baseURL`
+ *     (`https://api.oxy.so`) — their behavior is unchanged.
+ *
+ * This phase is additive: the getter only surfaces configuration. It must NOT
+ * mutate token/auth state and must NOT alter `getBaseURL()`.
+ */
+
+import { OxyServices } from '../../OxyServices';
+
+describe('OxyServices.getSessionBaseUrl', () => {
+  it('falls back to baseURL when sessionBaseUrl is not configured', () => {
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+
+    expect(oxy.getSessionBaseUrl()).toBe('https://api.oxy.so');
+    // Must equal the API base URL exactly — no divergence for *.oxy.so apps.
+    expect(oxy.getSessionBaseUrl()).toBe(oxy.getBaseURL());
+  });
+
+  it('returns the configured sessionBaseUrl when provided', () => {
+    const oxy = new OxyServices({
+      baseURL: 'https://api.oxy.so',
+      sessionBaseUrl: 'https://api.mention.earth',
+    });
+
+    expect(oxy.getSessionBaseUrl()).toBe('https://api.mention.earth');
+  });
+
+  it('does not change the API base URL when sessionBaseUrl differs', () => {
+    const oxy = new OxyServices({
+      baseURL: 'https://api.oxy.so',
+      sessionBaseUrl: 'https://api.mention.earth',
+    });
+
+    // getBaseURL (the HTTP client's request base) is independent of the
+    // session base — only the latter is overridden by config.
+    expect(oxy.getBaseURL()).toBe('https://api.oxy.so');
+    expect(oxy.getSessionBaseUrl()).not.toBe(oxy.getBaseURL());
+  });
+
+  it('is a pure read — it does not touch token/auth state', () => {
+    const oxy = new OxyServices({
+      baseURL: 'https://api.oxy.so',
+      sessionBaseUrl: 'https://api.mention.earth',
+    });
+
+    expect(oxy.hasValidToken()).toBe(false);
+    // Resolving the session base must not plant or clear any token.
+    oxy.getSessionBaseUrl();
+    expect(oxy.hasValidToken()).toBe(false);
+    expect(oxy.getAccessToken()).toBeNull();
+  });
+});