@oxyhq/core 1.11.9 → 1.11.11

package/src/AuthManager.ts

@@ -48,6 +48,17 @@ export interface AuthManagerConfig {
   autoRefresh?: boolean;
   /** Token refresh interval in milliseconds (default: 5 minutes before expiry) */
   refreshBuffer?: number;
+  /** Enable cross-tab coordination via BroadcastChannel (default: true in browsers) */
+  crossTabSync?: boolean;
+}
+
+/**
+ * Messages sent between tabs via BroadcastChannel for token refresh coordination.
+ */
+interface CrossTabMessage {
+  type: 'refresh_starting' | 'tokens_refreshed' | 'signed_out';
+  sessionId?: string;
+  timestamp: number;
 }
 
 /**
@@ -145,21 +156,117 @@ export class AuthManager {
   private currentUser: MinimalUserData | null = null;
   private refreshTimer: ReturnType<typeof setTimeout> | null = null;
   private refreshPromise: Promise<boolean> | null = null;
-  private config: Required<AuthManagerConfig>;
+  private config: Required<Omit<AuthManagerConfig, 'crossTabSync'>> & { crossTabSync: boolean };
+
+  /** Tracks the access token this instance last knew about, for cross-tab adoption. */
+  private _lastKnownAccessToken: string | null = null;
+
+  /** BroadcastChannel for coordinating token refreshes across browser tabs. */
+  private _broadcastChannel: BroadcastChannel | null = null;
+
+  /** Set to true when another tab broadcasts a successful refresh, so this tab can skip its own. */
+  private _otherTabRefreshed = false;
 
   constructor(oxyServices: OxyServices, config: AuthManagerConfig = {}) {
     this.oxyServices = oxyServices;
+    const crossTabSync = config.crossTabSync ?? (typeof BroadcastChannel !== 'undefined');
     this.config = {
       storage: config.storage ?? this.getDefaultStorage(),
       autoRefresh: config.autoRefresh ?? true,
       refreshBuffer: config.refreshBuffer ?? 5 * 60 * 1000, // 5 minutes
+      crossTabSync,
     };
     this.storage = this.config.storage;
 
     // Persist tokens to storage when HttpService refreshes them automatically
     this.oxyServices.httpService.onTokenRefreshed = (accessToken: string) => {
+      this._lastKnownAccessToken = accessToken;
       this.storage.setItem(STORAGE_KEYS.ACCESS_TOKEN, accessToken);
     };
+
+    // Setup cross-tab coordination in browser environments
+    if (this.config.crossTabSync) {
+      this._initBroadcastChannel();
+    }
+  }
+
+  /**
+   * Initialize BroadcastChannel for cross-tab token refresh coordination.
+   * Only called in browser environments where BroadcastChannel is available.
+   */
+  private _initBroadcastChannel(): void {
+    if (typeof BroadcastChannel === 'undefined') return;
+
+    try {
+      this._broadcastChannel = new BroadcastChannel('oxy_auth_sync');
+      this._broadcastChannel.onmessage = (event: MessageEvent<CrossTabMessage>) => {
+        this._handleCrossTabMessage(event.data);
+      };
+    } catch {
+      // BroadcastChannel not supported or blocked (e.g., opaque origins)
+      this._broadcastChannel = null;
+    }
+  }
+
+  /**
+   * Handle messages from other tabs about token refresh activity.
+   */
+  private async _handleCrossTabMessage(message: CrossTabMessage): Promise<void> {
+    if (!message || !message.type) return;
+
+    switch (message.type) {
+      case 'tokens_refreshed': {
+        // Another tab successfully refreshed. Signal to cancel our pending refresh.
+        this._otherTabRefreshed = true;
+
+        // Adopt the new tokens from shared storage
+        const newToken = await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN);
+        if (newToken && newToken !== this._lastKnownAccessToken) {
+          this._lastKnownAccessToken = newToken;
+          this.oxyServices.httpService.setTokens(newToken);
+
+          // Re-read session for updated expiry and schedule next refresh
+          const sessionJson = await this.storage.getItem(STORAGE_KEYS.SESSION);
+          if (sessionJson) {
+            try {
+              const session = JSON.parse(sessionJson);
+              if (session.expiresAt && this.config.autoRefresh) {
+                this.setupTokenRefresh(session.expiresAt);
+              }
+            } catch {
+              // Ignore parse errors
+            }
+          }
+        }
+        break;
+      }
+
+      case 'signed_out': {
+        // Another tab signed out. Clear our local state to stay consistent.
+        if (this.refreshTimer) {
+          clearTimeout(this.refreshTimer);
+          this.refreshTimer = null;
+        }
+        this.refreshPromise = null;
+        this._lastKnownAccessToken = null;
+        this.oxyServices.httpService.setTokens('');
+        this.currentUser = null;
+        this.notifyListeners();
+        break;
+      }
+      // 'refresh_starting' is informational; we don't need to act on it currently
+    }
+  }
+
+  /**
+   * Broadcast a message to other tabs.
+   */
+  private _broadcast(message: CrossTabMessage): void {
+    try {
+      this._broadcastChannel?.postMessage(message);
+    } catch {
+      // Channel closed or unavailable
+    }
   }
 
   /**
@@ -212,6 +319,7 @@ export class AuthManager {
   ): Promise<void> {
     // Store tokens
     if (session.accessToken) {
+      this._lastKnownAccessToken = session.accessToken;
       await this.storage.setItem(STORAGE_KEYS.ACCESS_TOKEN, session.accessToken);
       this.oxyServices.httpService.setTokens(session.accessToken);
     }
@@ -287,6 +395,9 @@ export class AuthManager {
   }
 
   private async _doRefreshToken(): Promise<boolean> {
+    // Reset the cross-tab flag before starting
+    this._otherTabRefreshed = false;
+
     // Get session info to find sessionId for token refresh
     const sessionJson = await this.storage.getItem(STORAGE_KEYS.SESSION);
     if (!sessionJson) {
@@ -298,14 +409,31 @@ export class AuthManager {
       const session = JSON.parse(sessionJson);
       sessionId = session.sessionId;
       if (!sessionId) return false;
-} catch (err) {
+    } catch (err) {
       console.error('AuthManager: Failed to parse session from storage.', err);
       return false;
     }
 
+    // Record the token we know about before attempting refresh
+    const tokenBeforeRefresh = this._lastKnownAccessToken;
+
+    // Broadcast that we're starting a refresh (informational for other tabs)
+    this._broadcast({ type: 'refresh_starting', sessionId, timestamp: Date.now() });
+
     try {
       await retryAsync(
         async () => {
+          // Before each attempt, check if another tab already refreshed
+          if (this._otherTabRefreshed) {
+            const adoptedToken = await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN);
+            if (adoptedToken && adoptedToken !== tokenBeforeRefresh) {
+              // Another tab succeeded. Adopt its tokens and short-circuit.
+              this._lastKnownAccessToken = adoptedToken;
+              this.oxyServices.httpService.setTokens(adoptedToken);
+              return;
+            }
+          }
+
           const httpService = this.oxyServices.httpService as HttpService;
           // Use session-based token endpoint which handles auto-refresh server-side
           const response = await httpService.request<{ accessToken: string; expiresAt: string }>({
@@ -320,6 +448,7 @@ export class AuthManager {
           }
 
           // Update access token in storage and HTTP client
+          this._lastKnownAccessToken = response.accessToken;
           await this.storage.setItem(STORAGE_KEYS.ACCESS_TOKEN, response.accessToken);
           this.oxyServices.httpService.setTokens(response.accessToken);
 
@@ -329,7 +458,7 @@ export class AuthManager {
               const session = JSON.parse(sessionJson);
               session.expiresAt = response.expiresAt;
               await this.storage.setItem(STORAGE_KEYS.SESSION, JSON.stringify(session));
-} catch (err) {
+            } catch (err) {
               // Ignore parse errors for session update, but log for debugging.
               console.error('AuthManager: Failed to re-save session after token refresh.', err);
             }
@@ -338,6 +467,9 @@ export class AuthManager {
               this.setupTokenRefresh(response.expiresAt);
             }
           }
+
+          // Broadcast success so other tabs can adopt these tokens
+          this._broadcast({ type: 'tokens_refreshed', sessionId, timestamp: Date.now() });
         },
         2,    // 2 retries = 3 total attempts
         1000, // 1s base delay with exponential backoff + jitter
@@ -350,7 +482,42 @@ export class AuthManager {
       );
       return true;
     } catch {
-      // All retry attempts exhausted, clear session
+      // All retry attempts exhausted. Before clearing the session, check if
+      // another tab managed to refresh successfully while we were retrying.
+      // Since all tabs share the same storage (localStorage), a successful
+      // refresh from another tab will have written a different access token.
+      const currentStoredToken = await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN);
+      if (currentStoredToken && currentStoredToken !== tokenBeforeRefresh) {
+        // Another tab refreshed successfully. Adopt its tokens instead of logging out.
+        this._lastKnownAccessToken = currentStoredToken;
+        this.oxyServices.httpService.setTokens(currentStoredToken);
+
+        // Restore user from storage in case it was updated
+        const userJson = await this.storage.getItem(STORAGE_KEYS.USER);
+        if (userJson) {
+          try {
+            this.currentUser = JSON.parse(userJson);
+          } catch {
+            // Ignore parse errors
+          }
+        }
+
+        // Re-read session expiry and schedule next refresh
+        const updatedSessionJson = await this.storage.getItem(STORAGE_KEYS.SESSION);
+        if (updatedSessionJson) {
+          try {
+            const session = JSON.parse(updatedSessionJson);
+            if (session.expiresAt && this.config.autoRefresh) {
+              this.setupTokenRefresh(session.expiresAt);
+            }
+          } catch {
+            // Ignore parse errors
+          }
+        }
+        return true;
+      }
+
+      // No other tab rescued us -- truly clear the session
       await this.clearSession();
       this.currentUser = null;
       this.notifyListeners();
@@ -394,10 +561,14 @@ export class AuthManager {
 
     // Clear HTTP client tokens
     this.oxyServices.httpService.setTokens('');
+    this._lastKnownAccessToken = null;
 
     // Clear storage
     await this.clearSession();
 
+    // Notify other tabs so they also sign out
+    this._broadcast({ type: 'signed_out', timestamp: Date.now() });
+
     // Update state and notify
     this.currentUser = null;
     this.notifyListeners();
@@ -479,6 +650,7 @@ export class AuthManager {
       // Restore token to HTTP client
       const token = await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN);
       if (token) {
+        this._lastKnownAccessToken = token;
         this.oxyServices.httpService.setTokens(token);
       }
 
@@ -520,6 +692,16 @@ export class AuthManager {
       this.refreshTimer = null;
     }
     this.listeners.clear();
+
+    // Close BroadcastChannel
+    if (this._broadcastChannel) {
+      try {
+        this._broadcastChannel.close();
+      } catch {
+        // Ignore close errors
+      }
+      this._broadcastChannel = null;
+    }
   }
 }
 

package/src/HttpService.ts

@@ -131,6 +131,9 @@ export class HttpService {
   private tokenRefreshCooldownUntil: number = 0;
   private _onTokenRefreshed: ((accessToken: string) => void) | null = null;
 
+  // Acting-as identity for managed accounts
+  private _actingAsUserId: string | null = null;
+
   // Performance monitoring
   private requestMetrics = {
     totalRequests: 0,
@@ -291,6 +294,11 @@ export class HttpService {
           });
         }
 
+        // Add X-Acting-As header for managed account identity delegation
+        if (this._actingAsUserId) {
+          headers['X-Acting-As'] = this._actingAsUserId;
+        }
+
         // Merge custom headers if provided
         if (config.headers) {
           Object.entries(config.headers).forEach(([key, value]) => {
@@ -706,6 +714,15 @@ export class HttpService {
     return this.request<T>({ method: 'DELETE', url, ...config });
   }
 
+  // Acting-as identity management (managed accounts)
+  setActingAs(userId: string | null): void {
+    this._actingAsUserId = userId;
+  }
+
+  getActingAs(): string | null {
+    return this._actingAsUserId;
+  }
+
   // Token management
   setTokens(accessToken: string, refreshToken = ''): void {
     this.tokenStore.setTokens(accessToken, refreshToken);

package/src/OxyServices.base.ts

@@ -182,6 +182,29 @@ export class OxyServicesBase {
     return this.httpService.getAccessToken();
   }
 
+  /**
+   * Set the acting-as identity for managed accounts.
+   *
+   * When set, all subsequent API requests will include the `X-Acting-As` header,
+   * causing the server to attribute actions to the managed account. The
+   * authenticated user must be an authorized manager of the target account.
+   *
+   * Pass `null` to clear and revert to the authenticated user's own identity.
+   *
+   * @param userId - The managed account user ID, or null to clear
+   */
+  public setActingAs(userId: string | null): void {
+    this.httpService.setActingAs(userId);
+  }
+
+  /**
+   * Get the current acting-as identity (managed account user ID), or null
+   * if operating as the authenticated user's own identity.
+   */
+  public getActingAs(): string | null {
+    return this.httpService.getActingAs();
+  }
+
   /**
    * Wait for authentication to be ready
    * 

package/src/crypto/keyManager.ts

@@ -102,13 +102,11 @@ async function getSecureRandomBytes(length: number): Promise<Uint8Array> {
   }
   
   // In Node.js, use Node's crypto module
-  // Use Function constructor to prevent Metro bundler from statically analyzing this require
-  // This ensures the require is only evaluated in Node.js runtime, not during Metro bundling
+  // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
   try {
-    // eslint-disable-next-line @typescript-eslint/no-implied-eval
-    const getCrypto = new Function('return require("crypto")');
-    const crypto = getCrypto();
-    return new Uint8Array(crypto.randomBytes(length));
+    const cryptoModuleName = 'crypto';
+    const nodeCrypto = await import(cryptoModuleName);
+    return new Uint8Array(nodeCrypto.randomBytes(length));
   } catch (error) {
     // Fallback to expo-crypto if Node crypto fails
     const Crypto = await initExpoCrypto();

package/src/crypto/polyfill.ts

@@ -31,28 +31,36 @@ type CryptoLike = {
 
 // Cache for expo-crypto module (lazy loaded only in React Native)
 let expoCryptoModule: { getRandomBytes: (count: number) => Uint8Array } | null = null;
-let expoCryptoLoadAttempted = false;
+let expoCryptoLoadPromise: Promise<void> | null = null;
 
-function getRandomBytesSync(byteCount: number): Uint8Array {
-  if (!expoCryptoLoadAttempted) {
-    expoCryptoLoadAttempted = true;
+/**
+ * Eagerly start loading expo-crypto. The module is cached once resolved so
+ * the synchronous getRandomValues shim can read from it immediately.
+ * Uses dynamic import with variable indirection to prevent ESM bundlers
+ * (Vite, webpack) from statically resolving the specifier.
+ */
+function startExpoCryptoLoad(): void {
+  if (expoCryptoLoadPromise) return;
+  expoCryptoLoadPromise = (async () => {
     try {
-      // Only use require() in CJS environments (Metro/Node). In ESM (Vite/browser),
-      // crypto.getRandomValues exists natively so this code path is never reached.
-      if (typeof require !== 'undefined') {
-        const moduleName = 'expo-crypto';
-        expoCryptoModule = require(moduleName);
-      }
+      const moduleName = 'expo-crypto';
+      expoCryptoModule = await import(moduleName);
     } catch {
       // expo-crypto not available — expected in non-RN environments
     }
-  }
+  })();
+}
+
+function getRandomBytesSync(byteCount: number): Uint8Array {
+  // Kick off loading if not already started (should have been started at module init)
+  startExpoCryptoLoad();
   if (expoCryptoModule) {
     return expoCryptoModule.getRandomBytes(byteCount);
   }
   throw new Error(
     'No crypto.getRandomValues implementation available. ' +
-    'In React Native, install expo-crypto.'
+    'In React Native, install expo-crypto. ' +
+    'If expo-crypto is installed, ensure the polyfill module is imported early enough for the async load to complete.'
   );
 }
 
@@ -67,8 +75,11 @@ const cryptoPolyfill: CryptoLike = {
 
 // Only polyfill if crypto or crypto.getRandomValues is not available
 if (typeof globalObject.crypto === 'undefined') {
+  // Start loading expo-crypto eagerly so it is ready by the time getRandomValues is called
+  startExpoCryptoLoad();
   (globalObject as unknown as { crypto: CryptoLike }).crypto = cryptoPolyfill;
 } else if (typeof globalObject.crypto.getRandomValues !== 'function') {
+  startExpoCryptoLoad();
   (globalObject.crypto as CryptoLike).getRandomValues = cryptoPolyfill.getRandomValues;
 }
 

package/src/crypto/signatureService.ts

@@ -86,11 +86,11 @@ export class SignatureService {
     }
 
     // In Node.js, use Node's crypto module
+    // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
     if (isNodeJS()) {
       try {
-        // eslint-disable-next-line @typescript-eslint/no-implied-eval
-        const getCrypto = new Function('return require("crypto")');
-        const nodeCrypto = getCrypto();
+        const cryptoModuleName = 'crypto';
+        const nodeCrypto = await import(cryptoModuleName);
         return nodeCrypto.randomBytes(32).toString('hex');
       } catch {
         // Fall through to Web Crypto API
@@ -162,7 +162,10 @@ export class SignatureService {
         // In React Native, use async verify instead
         throw new Error('verifySync should only be used in Node.js. Use verify() in React Native.');
       }
-      // Use Function constructor to prevent Metro bundler from statically analyzing this require
+      // Intentionally using Function constructor here: this method is synchronous by design
+      // (Node.js backend hot-path) so we cannot use `await import()`. The Function constructor
+      // prevents Metro/bundlers from statically resolving the require. This is acceptable because
+      // verifySync is gated by isNodeJS() and will never execute in browser/RN environments.
       // eslint-disable-next-line @typescript-eslint/no-implied-eval
       const getCrypto = new Function('return require("crypto")');
       const crypto = getCrypto();

package/src/index.ts

@@ -32,6 +32,7 @@ export type { PopupAuthOptions } from './mixins/OxyServices.popup';
 export type { RedirectAuthOptions } from './mixins/OxyServices.redirect';
 export type { ServiceTokenResponse } from './mixins/OxyServices.auth';
 export type { ServiceApp } from './mixins/OxyServices.utility';
+export type { CreateManagedAccountInput, ManagedAccountManager, ManagedAccount } from './mixins/OxyServices.managedAccounts';
 
 // --- Crypto / Identity ---
 export { KeyManager, SignatureService, RecoveryPhraseService } from './crypto';

package/src/mixins/OxyServices.fedcm.ts

@@ -52,6 +52,13 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
       super(...(args as [any]));
     }
   public static readonly DEFAULT_CONFIG_URL = 'https://auth.oxy.so/fedcm.json';
+
+  public resolveFedcmConfigUrl(): string {
+    return this.config.authWebUrl
+      ? `${this.config.authWebUrl}/fedcm.json`
+      : (this.constructor as any).DEFAULT_CONFIG_URL;
+  }
+
   public static readonly FEDCM_TIMEOUT = 15000; // 15 seconds for interactive
   public static readonly FEDCM_SILENT_TIMEOUT = 3000; // 3 seconds for silent mediation
 
@@ -113,7 +120,7 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
       // Request credential from browser's native identity flow
       // mode: 'button' signals this is a user-gesture-initiated flow (Chrome 125+)
       const credential = await this.requestIdentityCredential({
-        configURL: (this.config.authWebUrl ? `${this.config.authWebUrl}/fedcm.json` : (this.constructor as any).DEFAULT_CONFIG_URL),
+        configURL: this.resolveFedcmConfigUrl(),
         clientId,
         nonce,
         context: options.context,
@@ -216,7 +223,7 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
       debug.log('Silent SSO: Attempting silent mediation...', loginHint ? `(hint: ${loginHint})` : '');
 
       credential = await this.requestIdentityCredential({
-        configURL: (this.config.authWebUrl ? `${this.config.authWebUrl}/fedcm.json` : (this.constructor as any).DEFAULT_CONFIG_URL),
+        configURL: this.resolveFedcmConfigUrl(),
         clientId,
         nonce,
         loginHint,
@@ -461,7 +468,7 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
       if ('IdentityCredential' in window && 'disconnect' in (window as any).IdentityCredential) {
         const clientId = this.getClientId();
         await (window as any).IdentityCredential.disconnect({
-          configURL: (this.config.authWebUrl ? `${this.config.authWebUrl}/fedcm.json` : (this.constructor as any).DEFAULT_CONFIG_URL),
+          configURL: this.resolveFedcmConfigUrl(),
           clientId,
           accountHint: accountHint || '*',
         });
@@ -480,7 +487,7 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
   getFedCMConfig(): FedCMConfig {
     return {
       enabled: this.isFedCMSupported(),
-      configURL: (this.config.authWebUrl ? `${this.config.authWebUrl}/fedcm.json` : (this.constructor as any).DEFAULT_CONFIG_URL),
+      configURL: this.resolveFedcmConfigUrl(),
       clientId: this.getClientId(),
     };
   }

package/src/mixins/OxyServices.managedAccounts.ts

@@ -0,0 +1,147 @@
+/**
+ * Managed Accounts Methods Mixin
+ *
+ * Provides SDK methods for creating and managing sub-accounts (managed identities).
+ * Managed accounts are full User documents without passwords, accessible only
+ * by their owners/managers via the X-Acting-As header mechanism.
+ */
+import type { User } from '../models/interfaces';
+import type { OxyServicesBase } from '../OxyServices.base';
+
+export interface CreateManagedAccountInput {
+  username: string;
+  name?: { first?: string; last?: string };
+  bio?: string;
+  avatar?: string;
+}
+
+export interface ManagedAccountManager {
+  userId: string;
+  role: 'owner' | 'admin' | 'editor';
+  addedAt: string;
+  addedBy?: string;
+}
+
+export interface ManagedAccount {
+  accountId: string;
+  ownerId: string;
+  managers: ManagedAccountManager[];
+  account?: User;
+  createdAt?: string;
+  updatedAt?: string;
+}
+
+export function OxyServicesManagedAccountsMixin<T extends typeof OxyServicesBase>(Base: T) {
+  return class extends Base {
+    constructor(...args: any[]) {
+      super(...(args as [any]));
+    }
+
+    /**
+     * Create a new managed account (sub-account).
+     *
+     * The server creates a User document with `isManagedAccount: true` and links
+     * it to the authenticated user as owner.
+     */
+    async createManagedAccount(data: CreateManagedAccountInput): Promise<ManagedAccount> {
+      try {
+        return await this.makeRequest<ManagedAccount>('POST', '/managed-accounts', data, {
+          cache: false,
+        });
+      } catch (error) {
+        throw this.handleError(error);
+      }
+    }
+
+    /**
+     * List all accounts the authenticated user manages.
+     */
+    async getManagedAccounts(): Promise<ManagedAccount[]> {
+      try {
+        return await this.makeRequest<ManagedAccount[]>('GET', '/managed-accounts', undefined, {
+          cache: true,
+          cacheTTL: 2 * 60 * 1000, // 2 minutes cache
+        });
+      } catch (error) {
+        throw this.handleError(error);
+      }
+    }
+
+    /**
+     * Get details for a specific managed account.
+     */
+    async getManagedAccountDetails(accountId: string): Promise<ManagedAccount> {
+      try {
+        return await this.makeRequest<ManagedAccount>('GET', `/managed-accounts/${accountId}`, undefined, {
+          cache: true,
+          cacheTTL: 2 * 60 * 1000,
+        });
+      } catch (error) {
+        throw this.handleError(error);
+      }
+    }
+
+    /**
+     * Update a managed account's profile data.
+     * Requires owner or admin role.
+     */
+    async updateManagedAccount(accountId: string, data: Partial<CreateManagedAccountInput>): Promise<ManagedAccount> {
+      try {
+        return await this.makeRequest<ManagedAccount>('PUT', `/managed-accounts/${accountId}`, data, {
+          cache: false,
+        });
+      } catch (error) {
+        throw this.handleError(error);
+      }
+    }
+
+    /**
+     * Delete a managed account permanently.
+     * Requires owner role.
+     */
+    async deleteManagedAccount(accountId: string): Promise<void> {
+      try {
+        await this.makeRequest<void>('DELETE', `/managed-accounts/${accountId}`, undefined, {
+          cache: false,
+        });
+      } catch (error) {
+        throw this.handleError(error);
+      }
+    }
+
+    /**
+     * Add a manager to a managed account.
+     * Requires owner or admin role on the account.
+     *
+     * @param accountId - The managed account to add the manager to
+     * @param userId - The user to grant management access
+     * @param role - The role to assign: 'admin' or 'editor'
+     */
+    async addManager(accountId: string, userId: string, role: 'admin' | 'editor'): Promise<void> {
+      try {
+        await this.makeRequest<void>('POST', `/managed-accounts/${accountId}/managers`, { userId, role }, {
+          cache: false,
+        });
+      } catch (error) {
+        throw this.handleError(error);
+      }
+    }
+
+    /**
+     * Remove a manager from a managed account.
+     * Requires owner role.
+     *
+     * @param accountId - The managed account
+     * @param userId - The manager to remove
+     */
+    async removeManager(accountId: string, userId: string): Promise<void> {
+      try {
+        await this.makeRequest<void>('DELETE', `/managed-accounts/${accountId}/managers/${userId}`, undefined, {
+          cache: false,
+        });
+      } catch (error) {
+        throw this.handleError(error);
+      }
+    }
+  };
+}