@oxyhq/core 1.11.24 → 2.1.0

package/dist/types/AuthManager.d.ts

@@ -8,6 +8,7 @@
  */
 import type { OxyServices } from './OxyServices';
 import type { SessionLoginResponse, MinimalUserData } from './models/session';
+import type { AuthManagerAccount, RestoreFromCookiesResult, SwitchAuthuserResult } from './AuthManagerTypes';
 /**
  * Storage adapter interface for platform-agnostic storage.
  */
@@ -36,6 +37,20 @@ export interface AuthManagerConfig {
     refreshBuffer?: number;
     /** Enable cross-tab coordination via BroadcastChannel (default: true in browsers) */
     crossTabSync?: boolean;
+    /**
+     * "Cookie-only" mode for web apps that rely exclusively on the
+     * `oxy_rt_${authuser}` httpOnly refresh cookies and refuse to fall back
+     * to the legacy localStorage token/refresh-token path.
+     *
+     * - `false` (default): `initialize()` tries `restoreFromCookies()` first;
+     *   if no accounts are restored it falls back to the legacy localStorage
+     *   path (`oxy_access_token` / `oxy_session`).
+     * - `true`: `initialize()` ONLY uses `restoreFromCookies()`. No token /
+     *   refresh-token / session JSON is read from or written to localStorage.
+     *   This is the secure default for apps that ship the cookie path end-to-
+     *   end and want to guarantee no tokens leak to JS-accessible storage.
+     */
+    cookieOnly?: boolean;
 }
 /**
  * AuthManager - Centralized authentication management.
@@ -76,6 +91,66 @@ export declare class AuthManager {
     private _broadcastChannel;
     /** Set to true when another tab broadcasts a successful refresh, so this tab can skip its own. */
     private _otherTabRefreshed;
+    /**
+     * Identifier for this AuthManager instance (≈ "this tab"). Random hex
+     * generated at construction; advertised in every outgoing broadcast and
+     * used as the lookup key in `_knownPeerNonces`.
+     */
+    private readonly _tabId;
+    /**
+     * Per-tab nonce, advertised in every outgoing broadcast. Receivers record
+     * the first (tabId, nonce) pair they see from a given peer; subsequent
+     * messages from the same tabId MUST carry the same nonce or they're
+     * ignored.
+     *
+     * Threat model: a same-origin XSS payload can post to the channel but can
+     * NOT read this instance's private `_broadcastNonce` field (it lives in
+     * closure, not on `window`). Forged broadcasts from XSS therefore can't
+     * impersonate this tab. A new attacker-controlled tabId trips the
+     * "first message from a new peer" branch, which is by definition trusted
+     * — so the gate raises the bar but is not a complete defence (a perfect
+     * mitigation would require message signing with a server-issued key).
+     */
+    private readonly _broadcastNonce;
+    /**
+     * Bounded LRU of `(tabId → nonce)` pairs seen on inbound broadcasts. First
+     * sighting of a new tabId records its nonce; later messages from that
+     * tabId are rejected if the nonce doesn't match.
+     */
+    private readonly _knownPeerNonces;
+    private static readonly _MAX_KNOWN_PEERS;
+    /**
+     * In-flight `switchAuthuser` promise. Deduplicates concurrent calls so two
+     * near-simultaneous switches don't both fire refresh requests and rotate
+     * the slot twice. Mirrors the `refreshPromise` pattern used by
+     * `refreshToken`.
+     */
+    private _switchPromise;
+    /**
+     * Last `restoreFromCookies()` completion timestamp, keyed by the
+     * AuthManager's active authuser at the time of completion. Used to gate
+     * cross-tab cascade: a flurry of BroadcastChannel events from sibling
+     * tabs can otherwise trigger N back-to-back snapshots and rotate every
+     * slot's access token N times.
+     */
+    private readonly _lastRestoreAt;
+    private static readonly _RESTORE_DEBOUNCE_MS;
+    /**
+     * In-memory registry of every device-local account the AuthManager knows
+     * about, keyed by `authuser` slot index. Populated by:
+     *   - `restoreFromCookies()` (cold boot)
+     *   - `switchAuthuser()` (per-account rotation)
+     *   - `handleAuthSuccess()` (fresh login when the server response carries
+     *     an `authuser` field)
+     * Access tokens live ONLY here in the cookie path — they are never
+     * persisted to localStorage.
+     */
+    private accounts;
+    /**
+     * Currently-active `authuser` slot in the cookie path. `null` means either
+     * the cookie path hasn't been initialised yet, or no slots are signed in.
+     */
+    private activeAuthuser;
     constructor(oxyServices: OxyServices, config?: AuthManagerConfig);
     /**
      * Initialize BroadcastChannel for cross-tab token refresh coordination.
@@ -87,9 +162,38 @@ export declare class AuthManager {
      */
     private _handleCrossTabMessage;
     /**
-     * Broadcast a message to other tabs.
+     * Broadcast a message to other tabs. Always stamps this tab's `tabId` and
+     * `nonce` onto the message so receivers can run the cross-tab nonce gate.
      */
     private _broadcast;
+    /**
+     * Generate `bytes` bytes of cryptographic randomness encoded as lowercase
+     * hex. Prefers Web Crypto's `getRandomValues` when available (browser /
+     * modern Node); falls back to `Math.random` ONLY in environments without
+     * Web Crypto (the resulting nonce is still unguessable to a same-origin
+     * XSS payload — the goal is unforgeability across tabs, not cryptographic
+     * secrecy across the network).
+     */
+    private static _randomHex;
+    /**
+     * Validate an inbound broadcast against the cross-tab nonce gate.
+     *
+     * Returns `true` when the message should be honoured, `false` when it
+     * MUST be ignored:
+     *   - Message is missing `tabId` or `nonce` → ignore (forged or
+     *     mismatched-version sibling tab).
+     *   - First sighting of `tabId` → record the nonce and honour the message
+     *     (trust-on-first-use, the best we can do without a shared secret).
+     *   - Subsequent message from the same `tabId` with the SAME nonce →
+     *     honour.
+     *   - Subsequent message from the same `tabId` with a DIFFERENT nonce →
+     *     ignore (the canonical "forged broadcast" case — a same-origin XSS
+     *     payload can't read the real tab's `_broadcastNonce`).
+     *
+     * Echoes of this tab's own broadcasts (same `tabId`) are also dropped so
+     * we don't react to our own messages.
+     */
+    private _acceptBroadcast;
     /**
      * Get default storage based on environment.
      */
@@ -147,11 +251,147 @@ export declare class AuthManager {
      */
     getAuthMethod(): Promise<AuthMethod | null>;
     /**
-     * Initialize auth state from storage.
+     * Initialize auth state on app startup.
      *
-     * Call this on app startup to restore previous session.
+     * Order of operations:
+     *   1. Try the cookie path via `restoreFromCookies()`. This is the
+     *      preferred path because the httpOnly refresh cookies are
+     *      cross-tab, persist across hard reloads, and don't expose any
+     *      refresh-token material to JS.
+     *   2. If the cookie path yielded zero accounts AND `cookieOnly` is
+     *      `false`, fall back to the legacy localStorage path
+     *      (`oxy_access_token` / `oxy_session`) for backwards compatibility
+     *      with apps that haven't migrated to the cookie endpoint yet.
+     *   3. If `cookieOnly` is `true`, skip the legacy fallback entirely.
+     *      This guarantees no tokens or refresh tokens are ever read from
+     *      or written to JS-accessible storage.
+     *
+     * Returns the active user on success, or `null` when neither path
+     * restored a session.
      */
     initialize(): Promise<MinimalUserData | null>;
+    /**
+     * Read the persisted active `authuser` slot index. Returns `null` when
+     * none is persisted, the value is corrupt, or the storage adapter has no
+     * record. Storage failures are non-fatal: the cookie path falls back to
+     * "lowest authuser" deterministic selection.
+     */
+    private readActiveAuthuser;
+    /**
+     * Persist the active `authuser` slot index. No-ops on storage failure
+     * (e.g. Safari private mode, native SecureStore unavailable) — this is
+     * best-effort UX persistence, not authoritative state.
+     */
+    private writeActiveAuthuser;
+    /**
+     * Clear the persisted active `authuser` so the next cold boot starts from
+     * a clean slate (used on full sign-out).
+     */
+    private clearActiveAuthuser;
+    /**
+     * Build a `MinimalUserData` from a `RefreshAllAccount`. Returns `null` when
+     * the wire entry has no user shape (legacy `/auth/refresh` fallback) — the
+     * AuthManager's caller is expected to hydrate via `/users/me` in that
+     * case.
+     */
+    private static toMinimalUser;
+    /**
+     * Hydrate the user shape for a slot whose AuthManagerAccount currently has
+     * `user: null` (legacy refresh fallback, or a switch onto a previously
+     * unknown slot). Calls `/users/me` with the slot's freshly-planted access
+     * token already on the HTTP client; merges the result back into the
+     * registry entry. Network failures are non-fatal — the slot remains with
+     * `user: null` and the UI is expected to render the public-key fallback
+     * handle until a later restore picks the real user shape up.
+     */
+    private _hydrateUnknownUser;
+    /**
+     * Snapshot of the registered cookie-path accounts, sorted by `authuser`
+     * ascending (canonical order). Mutating the returned array does not
+     * affect AuthManager state.
+     */
+    getAccounts(): AuthManagerAccount[];
+    /**
+     * The slot index that is currently active in the cookie path, or `null`
+     * if the cookie path hasn't been initialised or no slots are signed in.
+     */
+    getActiveAuthuser(): number | null;
+    /**
+     * Convenience: the AuthManagerAccount currently flagged active.
+     */
+    getActiveAccount(): AuthManagerAccount | null;
+    /**
+     * Restore every device-local account from the httpOnly refresh cookies.
+     *
+     * Calls `oxyServices.refreshAllSessions()` (`POST /auth/refresh-all` with
+     * `credentials: 'include'`). The server rotates every presented
+     * `oxy_rt_${authuser}` cookie in parallel and returns one entry per
+     * VALID slot. The SDK transparently falls back to the legacy single-slot
+     * `/auth/refresh` against older servers (handled inside
+     * `refreshAllSessions`).
+     *
+     * Plants the active account's access token on the shared HTTP client;
+     * sibling slots' tokens stay in the in-memory registry so a later
+     * `switchAuthuser()` can hot-swap them without a network round-trip.
+     *
+     * The persisted `oxy_active_authuser` slot wins when it matches a
+     * returned account; otherwise the lowest returned `authuser` is chosen
+     * deterministically.
+     *
+     * Returns `{ accounts: [], activeAuthuser: null }` on any failure or
+     * empty snapshot — callers treat that as "no signed-in accounts" and
+     * proceed unauthenticated. State is NOT cleared on failure; existing
+     * accounts (if any) remain intact.
+     */
+    restoreFromCookies(): Promise<RestoreFromCookiesResult>;
+    /**
+     * Switch the active account to a different device-local slot.
+     *
+     * Calls `oxyServices.refreshTokenViaCookie({ authuser })` to mint a fresh
+     * access token from the slot's httpOnly cookie, updates the in-memory
+     * registry entry, plants the token on the HTTP client, persists the new
+     * active slot, and broadcasts cross-tab.
+     *
+     * Throws when the slot's refresh cookie is missing / expired / reused
+     * (the SDK returns `null` from `refreshTokenViaCookie` in that case, and
+     * we surface it as an `Error` so callers can clean up the slot from
+     * their UI).
+     */
+    switchAuthuser(authuser: number): Promise<SwitchAuthuserResult>;
+    private _doSwitchAuthuser;
+    /**
+     * Sign out a single device-local slot.
+     *
+     * Calls `oxyServices.logoutSessionByAuthuser(authuser)`: server-side
+     * revokes the slot's refresh-token family and clears the
+     * `oxy_rt_${authuser}` cookie via `Set-Cookie`. The slot is removed from
+     * the in-memory registry. If the slot was active, the next lowest
+     * remaining authuser becomes active (or `null` when none remain).
+     */
+    signOutAuthuser(authuser: number): Promise<void>;
+    /**
+     * Sign out EVERY device-local account on this device.
+     *
+     * Calls `oxyServices.logoutAllSessionsViaCookie()`: server-side revokes
+     * every presented family and `Set-Cookie`s an immediate expiry for every
+     * recognised `oxy_rt_${n}` slot AND the legacy `oxy_rt` cookie. The
+     * in-memory registry is wiped, the active slot is cleared, and the
+     * persisted `oxy_active_authuser` is removed so the next cold boot
+     * starts fresh.
+     */
+    signOutAllViaCookies(): Promise<void>;
+    /**
+     * Schedule an auto-refresh for the cookie path on the active slot. Reuses
+     * the same single `refreshTimer` as the legacy path (the AuthManager has
+     * exactly ONE active slot at a time, so one timer suffices).
+     */
+    private setupCookieRefresh;
+    /**
+     * Decode the session id from an unverified JWT access token. Decode-only
+     * (no signature verification) — the server already verified the
+     * signature when minting the token. Returns `null` on malformed input.
+     */
+    private static decodeSessionIdFromAccessToken;
     /**
      * Destroy the auth manager and clean up resources.
      */

package/dist/types/AuthManagerTypes.d.ts

@@ -0,0 +1,68 @@
+/**
+ * AuthManager — public types for the multi-account cookie path.
+ *
+ * Lives in its own module (rather than the 670-line `models/interfaces.ts`)
+ * so consumers can `import type` exactly the multi-account surface without
+ * pulling in the full interfaces graph, and so `AuthManager.ts` stays
+ * decoupled from the wire shapes — these types re-state the wire as the
+ * AuthManager's in-memory representation.
+ *
+ * @module core/AuthManagerTypes
+ */
+import type { RefreshAllAccountUser } from './models/interfaces';
+/**
+ * One device-local account known to `AuthManager` in the cookie path.
+ *
+ * Built from a `POST /auth/refresh-all` entry, OR from a single
+ * `POST /auth/refresh?authuser=N` rotation after a switch, OR from a
+ * `handleAuthSuccess` call after a fresh login. The `accessToken` is held in
+ * memory only — the refresh token never enters JS (it lives in the httpOnly
+ * `oxy_rt_${authuser}` cookie).
+ */
+export interface AuthManagerAccount {
+    /** Device-local cookie slot index (0..N-1). */
+    authuser: number;
+    /** Server-side session id this slot is bound to. */
+    sessionId: string;
+    /**
+     * Projected user shape from the wire (username/avatar/color/email).
+     *
+     * `null` when a refresh-via-cookie planted a fresh access token for a slot
+     * that the AuthManager has no prior in-memory user metadata for — e.g. the
+     * legacy `/auth/refresh` 404 fallback path inside `refreshAllSessions`, or
+     * a `switchAuthuser` against a slot that wasn't present in the previous
+     * `restoreFromCookies` snapshot. Callers (or the AuthManager itself) are
+     * expected to hydrate the user shape via `getCurrentUser()` after the token
+     * is planted; the chooser UI must render the public-key fallback handle
+     * until the hydration completes.
+     */
+    user: RefreshAllAccountUser | null;
+    /** Currently-valid access token for this slot (in-memory only). */
+    accessToken: string;
+    /** ISO-8601 expiry of the access token. */
+    expiresAt: string;
+}
+/**
+ * Outcome of `AuthManager.restoreFromCookies()`.
+ *
+ * `accounts` is sorted by `authuser` ascending (matching the server's
+ * canonical ordering). `activeAuthuser` is whichever slot the AuthManager
+ * picked as active — usually the persisted `oxy_active_authuser` if it
+ * matched a returned slot, otherwise the lowest returned `authuser`, or
+ * `null` if no accounts were restored.
+ */
+export interface RestoreFromCookiesResult {
+    accounts: AuthManagerAccount[];
+    activeAuthuser: number | null;
+}
+/**
+ * Outcome of `AuthManager.switchAuthuser()`.
+ *
+ * Mirrors the wire `RefreshCookieResponse` but with `authuser` narrowed to
+ * `number` (the SDK boundary normalises the legacy `null` slot to `0`).
+ */
+export interface SwitchAuthuserResult {
+    accessToken: string;
+    expiresAt: string;
+    authuser: number;
+}

package/dist/types/CrossDomainAuth.d.ts

@@ -51,6 +51,13 @@ export interface CrossDomainAuthOptions {
      * Callback when auth method is selected
      */
     onMethodSelected?: (method: 'fedcm' | 'popup' | 'redirect') => void;
+    /**
+     * A popup window the caller already opened SYNCHRONOUSLY in the user-gesture
+     * handler. Forwarded to `OxyServices.signInWithPopup` so the popup is not
+     * blocked by Chrome after any prior `await` (FedCM / silent SSO) has
+     * consumed the transient user activation. See `OxyServices.openBlankPopup`.
+     */
+    popup?: Window | null;
 }
 export declare class CrossDomainAuth {
     private oxyServices;
@@ -67,6 +74,14 @@ export declare class CrossDomainAuth {
      * @returns Session with user data and access token
      */
     signIn(options?: CrossDomainAuthOptions): Promise<SessionLoginResponse | null>;
+    /**
+     * Close a caller-supplied popup window that is no longer needed (e.g. the
+     * resolved auth method didn't end up using it). Safe against null / already
+     * closed handles.
+     *
+     * @private
+     */
+    private closeOrphanPopup;
     /**
      * Automatic sign-in with progressive enhancement
      *
@@ -112,6 +127,14 @@ export declare class CrossDomainAuth {
      * For redirect method - restores previously authenticated session from localStorage
      */
     restoreSession(): boolean;
+    /**
+     * Open a blank popup SYNCHRONOUSLY (call from a raw user-gesture handler
+     * BEFORE any `await`). Returns `null` if the popup was blocked. Pass the
+     * handle into `signIn({ popup })` / `signInWithPopup({ popup })` so the
+     * popup is not blocked by Chrome after any prior `await` consumed the
+     * transient user activation. Delegates to `OxyServices.openBlankPopup`.
+     */
+    openBlankPopup(width?: number, height?: number): Window | null;
     /**
      * Check if FedCM is supported in current browser
      */

package/dist/types/OxyServices.base.d.ts

@@ -21,6 +21,20 @@ export declare class OxyServicesBase {
      * Get the configured Oxy API base URL
      */
     getBaseURL(): string;
+    /**
+     * Get the base URL the SDK's first-party session/refresh calls should target.
+     *
+     * Returns the configured `sessionBaseUrl` when provided, otherwise falls back
+     * to the API `baseURL` (`getBaseURL()`). Per the 2026 session architecture
+     * (docs/SESSION-ARCHITECTURE.md), non-`oxy.so` apps point this at their own
+     * same-site backend (e.g. `https://api.mention.earth`) whose session bridge
+     * forwards the user's refresh credential to `api.oxy.so`; `*.oxy.so` apps
+     * leave it unset so it resolves to `https://api.oxy.so` and nothing changes.
+     *
+     * This is additive: it only exposes configuration for `@oxyhq/services` to
+     * consume in a later phase. No refresh/auth logic in core reads it yet.
+     */
+    getSessionBaseUrl(): string;
     /**
      * Get the HTTP service instance
      * Useful for advanced use cases where direct access to the HTTP service is needed

package/dist/types/OxyServices.d.ts

@@ -117,6 +117,13 @@ export interface OxyServices extends InstanceType<ReturnType<typeof composeOxySe
     getFedCMConfig(): FedCMConfig;
     signInWithPopup(options?: PopupAuthOptions): Promise<SessionLoginResponse>;
     signUpWithPopup(options?: PopupAuthOptions): Promise<SessionLoginResponse>;
+    /**
+     * Open a blank popup SYNCHRONOUSLY (call from a raw user-gesture handler
+     * BEFORE any `await`). Returns `null` if the popup was blocked. Pass the
+     * handle into `signInWithPopup({ popup })` to navigate it to auth.oxy.so
+     * after the async portion of the sign-in flow runs.
+     */
+    openBlankPopup(width?: number, height?: number): Window | null;
     signInWithRedirect(options?: RedirectAuthOptions): void;
     signUpWithRedirect(options?: RedirectAuthOptions): void;
     auth(options?: {

package/dist/types/index.d.ts

@@ -12,31 +12,44 @@
  *
  * const user = await oxyClient.signIn(publicKey);
  * ```
+ *
+ * Every export below is NOMINAL — no `export *`, no barrels, no compat shims.
+ * If a symbol does not appear here, it is NOT part of the public API.
  */
 import './crypto/polyfill';
 export { OxyServices, OxyAuthenticationError, OxyAuthenticationTimeoutError } from './OxyServices';
 export { OXY_CLOUD_URL, oxyClient } from './OxyServices';
 export { AuthManager, createAuthManager } from './AuthManager';
-export type { StorageAdapter, AuthStateChangeCallback, AuthMethod, AuthManagerConfig } from './AuthManager';
+export type { StorageAdapter, AuthStateChangeCallback, AuthMethod, AuthManagerConfig, } from './AuthManager';
+export type { AuthManagerAccount, RestoreFromCookiesResult, SwitchAuthuserResult, } from './AuthManagerTypes';
 export { CrossDomainAuth, createCrossDomainAuth } from './CrossDomainAuth';
 export type { CrossDomainAuthOptions } from './CrossDomainAuth';
-export type { FedCMAuthOptions, FedCMConfig } from './mixins/OxyServices.fedcm';
+export type { FedCMAuthOptions, FedCMConfig, AuthorizedApp } from './mixins/OxyServices.fedcm';
 export type { PopupAuthOptions } from './mixins/OxyServices.popup';
 export type { RedirectAuthOptions } from './mixins/OxyServices.redirect';
 export { ServiceCredentialMismatchError } from './mixins/OxyServices.auth';
 export type { ServiceTokenResponse } from './mixins/OxyServices.auth';
 export type { ServiceApp, ServiceActingAsVerification } from './mixins/OxyServices.utility';
-export type { CreateManagedAccountInput, ManagedAccountManager, ManagedAccount } from './mixins/OxyServices.managedAccounts';
-export type { ContactDiscoveryMatch, ContactDiscoveryResponse } from './mixins/OxyServices.contacts';
+export type { CreateManagedAccountInput, ManagedAccountManager, ManagedAccount, } from './mixins/OxyServices.managedAccounts';
+export type { ContactDiscoveryMatch, ContactDiscoveryResponse, } from './mixins/OxyServices.contacts';
 export { OxyAppDataIdentifierError } from './mixins/OxyServices.appData';
-export { KeyManager, SignatureService, RecoveryPhraseService, IdentityAlreadyExistsError, IdentityPersistError, } from './crypto';
-export type { KeyPair, SignedMessage, AuthChallenge, RecoveryPhraseResult } from './crypto';
-export * from './models/interfaces';
-export * from './models/session';
-export type { TopicData, TopicTranslation } from './models/Topic';
-export { TopicType, TopicSource } from './models/Topic';
+export { SessionSyncRequiredError, AuthenticationFailedError, ensureValidToken, isAuthenticationError, withAuthErrorHandling, authenticatedApiCall, } from './utils/authHelpers';
+export type { HandleApiErrorOptions } from './utils/authHelpers';
+export { mergeSessions, normalizeAndSortSessions, sessionsArraysEqual, } from './utils/sessionUtils';
+export type { ClientSession, StorageKeys, MinimalUserData, SessionLoginResponse, } from './models/session';
+export type { RefreshAllResponse, RefreshAllAccount, RefreshAllAccountUser, RefreshCookieResponse, } from './models/interfaces';
+export { KeyManager, IdentityAlreadyExistsError, IdentityPersistError, } from './crypto/keyManager';
+export type { KeyPair } from './crypto/keyManager';
+export { SignatureService } from './crypto/signatureService';
+export type { SignedMessage, AuthChallenge } from './crypto/signatureService';
+export { RecoveryPhraseService } from './crypto/recoveryPhrase';
+export type { RecoveryPhraseResult } from './crypto/recoveryPhrase';
 export { DeviceManager } from './utils/deviceManager';
 export type { DeviceFingerprint, StoredDeviceInfo } from './utils/deviceManager';
+export type { OxyConfig, PrivacySettings, NotificationPreferences, UserPreferences, User, LoginResponse, Notification, Wallet, Transaction, BlockedUser, RestrictedUser, TransferFundsRequest, PurchaseRequest, WithdrawalRequest, TransactionResponse, PaginationInfo, SearchProfilesResponse, KarmaRule, KarmaHistory, KarmaLeaderboardEntry, KarmaAwardRequest, ApiError, PaymentMethod, PaymentRequest, PaymentResponse, AnalyticsData, FollowerDetails, ContentViewer, FileMetadata, FileUploadResponse, FileListResponse, FileUpdateRequest, FileDeleteResponse, RNFileDescriptor, AssetUploadInput, FileVisibility, AssetLink, AssetMetadata, AssetVariant, Asset, AssetInitRequest, AssetInitResponse, AssetCompleteRequest, AssetLinkRequest, AssetUnlinkRequest, AssetUrlResponse, AssetDeleteSummary, AssetUpdateVisibilityRequest, AssetUpdateVisibilityResponse, AccountStorageCategoryUsage, AccountStorageUsageResponse, SecurityEventType, SecurityEventSeverity, SecurityActivity, SecurityActivityResponse, AssetUploadProgress, DeviceSession, DeviceSessionsResponse, DeviceSessionLogoutResponse, UpdateDeviceNameResponse, } from './models/interfaces';
+export { SECURITY_EVENT_SEVERITY_MAP } from './models/interfaces';
+export { TopicType, TopicSource } from './models/Topic';
+export type { TopicData, TopicTranslation } from './models/Topic';
 export { SUPPORTED_LANGUAGES, getLanguageMetadata, getLanguageName, getNativeLanguageName, normalizeLanguageCode, isRTLLocale, } from './utils/languageUtils';
 export type { LanguageMetadata } from './utils/languageUtils';
 export { getPlatformOS, setPlatformOS, isWeb, isNative, isIOS, isAndroid, } from './utils/platform';
@@ -49,18 +62,19 @@ export { DEFAULT_CIRCUIT_BREAKER_CONFIG, createCircuitBreakerState, calculateBac
 export type { CircuitBreakerState, CircuitBreakerConfig } from './shared/utils/networkUtils';
 export { isDev, debugLog, debugWarn, debugError, createDebugLogger, } from './shared/utils/debugUtils';
 export { translate } from './i18n';
-export { SessionSyncRequiredError, AuthenticationFailedError, ensureValidToken, isAuthenticationError, withAuthErrorHandling, authenticatedApiCall, } from './utils/authHelpers';
-export type { HandleApiErrorOptions } from './utils/authHelpers';
-export { mergeSessions, normalizeAndSortSessions, sessionsArraysEqual } from './utils/sessionUtils';
-export { packageInfo } from './constants/version';
-export * from './utils/apiUtils';
+export { buildSearchParams, buildUrl, buildPaginationParams, safeJsonParse, } from './utils/apiUtils';
+export type { PaginationParams, ApiResponse, ErrorResponse, } from './utils/apiUtils';
 export { ErrorCodes, createApiError, handleHttpError, validateRequiredFields, } from './utils/errorUtils';
 export { retryAsync } from './utils/asyncUtils';
-export * from './utils/validationUtils';
+export { EMAIL_REGEX, USERNAME_REGEX, PASSWORD_REGEX, isValidEmail, isValidUsername, isValidPassword, isRequiredString, isRequiredNumber, isRequiredBoolean, isValidArray, isValidObject, isValidUUID, isValidURL, isValidDate, isValidFileSize, isValidFileType, sanitizeString, sanitizeHTML, isValidObjectId, validateAndSanitizeUserInput, } from './utils/validationUtils';
 export { logger, LogLevel, logAuth, logApi, logSession, logUser, logDevice, logPayment, logPerformance, } from './utils/loggerUtils';
 export type { LogContext } from './utils/loggerUtils';
 export { updateAvatarVisibility } from './utils/avatarUtils';
-export { buildAccountsArray, createQuickAccount, getAccountDisplayName, getAccountFallbackHandle, formatPublicKeyHandle, } from './utils/accountUtils';
+export { buildAccountsArray, createQuickAccount, getAccountDisplayName, getAccountFallbackHandle, formatPublicKeyHandle, mergeAccountsFromRefreshAll, getAccountColor, } from './utils/accountUtils';
 export type { QuickAccount, DisplayNameUserShape } from './utils/accountUtils';
+export { autoDetectAuthWebUrl } from './utils/fapiAutoDetect';
+export { runColdBoot } from './utils/coldBoot';
+export type { ColdBootStep, ColdBootStepResult, ColdBootSession, ColdBootSkip, ColdBootOutcome, RunColdBootOptions, } from './utils/coldBoot';
+export { packageInfo } from './constants/version';
 import { OxyServices } from './OxyServices';
 export default OxyServices;

package/dist/types/mixins/OxyServices.analytics.d.ts

@@ -25,6 +25,7 @@ export declare function OxyServicesAnalyticsMixin<T extends typeof OxyServicesBa
         __resetTokensForTests(): void;
         makeRequest<T_1>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T_1>;
         getBaseURL(): string;
+        getSessionBaseUrl(): string;
         getClient(): import("../HttpService").HttpService;
         getMetrics(): {
             totalRequests: number;

package/dist/types/mixins/OxyServices.appData.d.ts

@@ -61,6 +61,7 @@ export declare function OxyServicesAppDataMixin<T extends typeof OxyServicesBase
         __resetTokensForTests(): void;
         makeRequest<T_1>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T_1>;
         getBaseURL(): string;
+        getSessionBaseUrl(): string;
         getClient(): import("../HttpService").HttpService;
         getMetrics(): {
             totalRequests: number;

package/dist/types/mixins/OxyServices.assets.d.ts

@@ -98,6 +98,7 @@ export declare function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>
         __resetTokensForTests(): void;
         makeRequest<T_1>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T_1>;
         getBaseURL(): string;
+        getSessionBaseUrl(): string;
         getClient(): import("../HttpService").HttpService;
         getMetrics(): {
             totalRequests: number;
@@ -131,7 +132,9 @@ export declare function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;
             retryDelay?: number;
-            authTimeoutMs?: number;
+            authTimeoutMs? /**
+             * Get asset metadata
+             */: number;
         }): Promise<T_1>;
         validate(): Promise<boolean>;
         handleError(error: unknown): Error;

package/dist/types/mixins/OxyServices.auth.d.ts

@@ -3,7 +3,7 @@
  *
  * Supports password-based login (email/username) and public key challenge-response.
  */
-import type { User } from '../models/interfaces';
+import type { User, RefreshAllResponse, RefreshCookieResponse } from '../models/interfaces';
 import type { SessionLoginResponse } from '../models/session';
 import type { OxyServicesBase } from '../OxyServices.base';
 export interface ChallengeResponse {
@@ -234,6 +234,77 @@ export declare function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(B
             expiresAt: string;
             user: User;
         }>;
+        /**
+         * Refresh every device-local refresh-cookie slot in a single round trip
+         * (Google-style multi-account rebuild).
+         *
+         * Calls `POST {sessionBaseUrl}/auth/refresh-all` with `credentials: 'include'`
+         * and NO bearer. The browser attaches every `oxy_rt*` cookie it has; the
+         * server rotates each in parallel and returns one entry per VALID account.
+         *
+         * Failure handling:
+         * - 401 → no signed-in accounts on this device → returns `{ accounts: [] }`
+         *   (NOT an error; this is the cold-boot "not signed in" path).
+         * - 404 → server is older than the multi-account endpoint. We fall back to
+         *   `POST /auth/refresh` (single-slot) and wrap its response in the
+         *   refresh-all shape so callers can treat the two paths uniformly. The
+         *   fallback entry has `authuser: 0` (the legacy slot maps to slot 0 by
+         *   convention) and a minimal `user` shape — consumers needing the full
+         *   user must fetch it separately. Always exactly one account in this
+         *   shape.
+         * - Any other non-2xx → throws via `handleError`.
+         *
+         * The refresh cookie itself never enters JS — only the rotated access
+         * tokens do. Each access token still needs to be planted via
+         * `setTokens(...)` (or per-account in-memory storage) at the consumer.
+         */
+        refreshAllSessions(): Promise<RefreshAllResponse>;
+        /**
+         * Rotate a single refresh-cookie slot and return the fresh access token.
+         *
+         * When `authuser` is provided, the server rotates ONLY that slot
+         * (`oxy_rt_${authuser}`) — sibling accounts on the same device stay
+         * untouched. When omitted, the server picks the lowest indexed slot
+         * present (legacy fallback applies). The refresh cookie itself never
+         * enters JS.
+         *
+         * Returns `null` on 401 (no cookie / expired / reused) so the caller can
+         * fall through cleanly to the unauthenticated path.
+         */
+        refreshTokenViaCookie(opts?: {
+            authuser?: number;
+        }): Promise<RefreshCookieResponse | null>;
+        /**
+         * Sign out a single device-local account by its authuser slot index.
+         *
+         * Revokes that slot's refresh-token family and deactivates its session;
+         * sibling indexed slots stay signed in. The browser-side `oxy_rt_${n}`
+         * cookie is cleared by the server's `Set-Cookie` response header.
+         */
+        logoutSessionByAuthuser(authuser: number): Promise<void>;
+        /**
+         * Sign out EVERY device-local account on this device by clearing every
+         * presented refresh-cookie slot at once. Revokes every family + clears
+         * every slot. Always succeeds (idempotent on unknown/garbage tokens).
+         */
+        logoutAllSessionsViaCookie(): Promise<void>;
+        /**
+         * Internal: raw `POST /auth/refresh[?authuser=N]` call returning the
+         * minted access token. Returns `null` on 401 / non-2xx. Used as both the
+         * implementation of `refreshTokenViaCookie` and the legacy fallback for
+         * `refreshAllSessions` against older servers.
+         *
+         * @internal
+         */
+        _refreshCookieRaw(authuser?: number): Promise<RefreshCookieResponse | null>;
+        /**
+         * Internal: decode (without verifying) the `sessionId` claim from a
+         * server-signed access token. The server already verified the signature;
+         * the client only reads the claim to drive multi-session state.
+         *
+         * @internal
+         */
+        _decodeSessionIdFromAccessToken(token: string): string | null;
         /**
          * Get sessions by session ID
          */
@@ -292,6 +363,7 @@ export declare function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(B
         __resetTokensForTests(): void;
         makeRequest<T_1>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T_1>;
         getBaseURL(): string;
+        getSessionBaseUrl(): string;
         getClient(): import("../HttpService").HttpService;
         getMetrics(): {
             totalRequests: number;