@oxyhq/core 1.6.0 → 1.6.2

package/dist/cjs/AuthManager.js

@@ -20,6 +20,7 @@ const STORAGE_KEYS = {
     SESSION: 'oxy_session',
     USER: 'oxy_user',
     AUTH_METHOD: 'oxy_auth_method',
+    FEDCM_LOGIN_HINT: 'oxy_fedcm_login_hint',
 };
 /**
  * Default in-memory storage for non-browser environments.
@@ -300,6 +301,19 @@ class AuthManager {
             clearTimeout(this.refreshTimer);
             this.refreshTimer = null;
         }
+        // Invalidate current session on the server (best-effort)
+        try {
+            const sessionJson = await this.storage.getItem(STORAGE_KEYS.SESSION);
+            if (sessionJson) {
+                const session = JSON.parse(sessionJson);
+                if (session.sessionId && typeof this.oxyServices.logoutSession === 'function') {
+                    await this.oxyServices.logoutSession(session.sessionId);
+                }
+            }
+        }
+        catch {
+            // Best-effort: don't block local signout on network failure
+        }
         // Revoke FedCM credential if supported
         try {
             const services = this.oxyServices;
@@ -327,6 +341,7 @@ class AuthManager {
         await this.storage.removeItem(STORAGE_KEYS.SESSION);
         await this.storage.removeItem(STORAGE_KEYS.USER);
         await this.storage.removeItem(STORAGE_KEYS.AUTH_METHOD);
+        await this.storage.removeItem(STORAGE_KEYS.FEDCM_LOGIN_HINT);
     }
     /**
      * Get current user.

package/dist/cjs/index.js

@@ -30,7 +30,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.calculateBackoffInterval = exports.createCircuitBreakerState = exports.DEFAULT_CIRCUIT_BREAKER_CONFIG = exports.isRetryableError = exports.isNetworkError = exports.isServerError = exports.isRateLimitError = exports.isNotFoundError = exports.isForbiddenError = exports.isUnauthorizedError = exports.isAlreadyRegisteredError = exports.getErrorMessage = exports.getErrorStatus = exports.HttpStatus = exports.getSystemColorScheme = exports.systemPrefersDarkMode = exports.getOppositeTheme = exports.normalizeColorScheme = exports.normalizeTheme = exports.getContrastTextColor = exports.isLightColor = exports.withOpacity = exports.rgbToHex = exports.hexToRgb = exports.lightenColor = exports.darkenColor = exports.isAndroid = exports.isIOS = exports.isNative = exports.isWeb = exports.setPlatformOS = exports.getPlatformOS = exports.normalizeLanguageCode = exports.getNativeLanguageName = exports.getLanguageName = exports.getLanguageMetadata = exports.SUPPORTED_LANGUAGES = exports.DeviceManager = exports.RecoveryPhraseService = exports.SignatureService = exports.KeyManager = exports.createCrossDomainAuth = exports.CrossDomainAuth = exports.createAuthManager = exports.AuthManager = exports.oxyClient = exports.OXY_CLOUD_URL = exports.OxyAuthenticationTimeoutError = exports.OxyAuthenticationError = exports.OxyServices = void 0;
-exports.logPerformance = exports.logPayment = exports.logDevice = exports.logUser = exports.logSession = exports.logApi = exports.logAuth = exports.LogLevel = exports.logger = exports.retryAsync = exports.validateRequiredFields = exports.handleHttpError = exports.createApiError = exports.ErrorCodes = exports.packageInfo = exports.sessionsArraysEqual = exports.normalizeAndSortSessions = exports.mergeSessions = exports.translate = exports.createDebugLogger = exports.debugError = exports.debugWarn = exports.debugLog = exports.isDev = exports.withRetry = exports.delay = exports.shouldAllowRequest = exports.recordSuccess = exports.recordFailure = void 0;
+exports.logPerformance = exports.logPayment = exports.logDevice = exports.logUser = exports.logSession = exports.logApi = exports.logAuth = exports.LogLevel = exports.logger = exports.retryAsync = exports.validateRequiredFields = exports.handleHttpError = exports.createApiError = exports.ErrorCodes = exports.packageInfo = exports.sessionsArraysEqual = exports.normalizeAndSortSessions = exports.mergeSessions = exports.authenticatedApiCall = exports.withAuthErrorHandling = exports.isAuthenticationError = exports.ensureValidToken = exports.AuthenticationFailedError = exports.SessionSyncRequiredError = exports.translate = exports.createDebugLogger = exports.debugError = exports.debugWarn = exports.debugLog = exports.isDev = exports.withRetry = exports.delay = exports.shouldAllowRequest = exports.recordSuccess = exports.recordFailure = void 0;
 // Ensure crypto polyfills are loaded before anything else
 require("./crypto/polyfill");
 // --- Core API Client ---
@@ -119,6 +119,14 @@ Object.defineProperty(exports, "createDebugLogger", { enumerable: true, get: fun
 // --- i18n ---
 var i18n_1 = require("./i18n");
 Object.defineProperty(exports, "translate", { enumerable: true, get: function () { return i18n_1.translate; } });
+// --- Auth Helpers ---
+var authHelpers_1 = require("./utils/authHelpers");
+Object.defineProperty(exports, "SessionSyncRequiredError", { enumerable: true, get: function () { return authHelpers_1.SessionSyncRequiredError; } });
+Object.defineProperty(exports, "AuthenticationFailedError", { enumerable: true, get: function () { return authHelpers_1.AuthenticationFailedError; } });
+Object.defineProperty(exports, "ensureValidToken", { enumerable: true, get: function () { return authHelpers_1.ensureValidToken; } });
+Object.defineProperty(exports, "isAuthenticationError", { enumerable: true, get: function () { return authHelpers_1.isAuthenticationError; } });
+Object.defineProperty(exports, "withAuthErrorHandling", { enumerable: true, get: function () { return authHelpers_1.withAuthErrorHandling; } });
+Object.defineProperty(exports, "authenticatedApiCall", { enumerable: true, get: function () { return authHelpers_1.authenticatedApiCall; } });
 // --- Session Utilities ---
 var sessionUtils_1 = require("./utils/sessionUtils");
 Object.defineProperty(exports, "mergeSessions", { enumerable: true, get: function () { return sessionUtils_1.mergeSessions; } });

package/dist/cjs/mixins/OxyServices.fedcm.js

@@ -5,6 +5,7 @@ exports.FedCMMixin = OxyServicesFedCMMixin;
 const OxyServices_errors_1 = require("../OxyServices.errors");
 const debugUtils_1 = require("../shared/utils/debugUtils");
 const debug = (0, debugUtils_1.createDebugLogger)('FedCM');
+const FEDCM_LOGIN_HINT_KEY = 'oxy_fedcm_login_hint';
 // Global lock to prevent concurrent FedCM requests
 // FedCM only allows one navigator.credentials.get request at a time
 let fedCMRequestInProgress = false;
@@ -82,13 +83,16 @@ function OxyServicesFedCMMixin(Base) {
                 try {
                     const nonce = options.nonce || this.generateNonce();
                     const clientId = this.getClientId();
-                    debug.log('Interactive sign-in: Requesting credential for', clientId);
+                    // Use provided loginHint, or fall back to stored last-used account ID
+                    const loginHint = options.loginHint || this.getStoredLoginHint();
+                    debug.log('Interactive sign-in: Requesting credential for', clientId, loginHint ? `(hint: ${loginHint})` : '');
                     // Request credential from browser's native identity flow
                     const credential = await this.requestIdentityCredential({
                         configURL: this.constructor.DEFAULT_CONFIG_URL,
                         clientId,
                         nonce,
                         context: options.context,
+                        loginHint,
                     });
                     if (!credential || !credential.token) {
                         throw new OxyServices_errors_1.OxyAuthenticationError('No credential received from browser');
@@ -100,6 +104,10 @@ function OxyServicesFedCMMixin(Base) {
                     if (session && session.accessToken) {
                         this.httpService.setTokens(session.accessToken);
                     }
+                    // Store the user ID as loginHint for future FedCM requests
+                    if (session?.user?.id) {
+                        this.storeLoginHint(session.user.id);
+                    }
                     debug.log('Interactive sign-in: Success!', { userId: session?.user?.id });
                     return session;
                 }
@@ -164,13 +172,15 @@ function OxyServicesFedCMMixin(Base) {
                 // this runs on app startup — showing browser UI without user action is bad UX.
                 // Optional/interactive mediation should only happen when the user clicks "Sign In".
                 let credential = null;
+                const loginHint = this.getStoredLoginHint();
                 try {
                     const nonce = this.generateNonce();
-                    debug.log('Silent SSO: Attempting silent mediation...');
+                    debug.log('Silent SSO: Attempting silent mediation...', loginHint ? `(hint: ${loginHint})` : '');
                     credential = await this.requestIdentityCredential({
                         configURL: this.constructor.DEFAULT_CONFIG_URL,
                         clientId,
                         nonce,
+                        loginHint,
                         mediation: 'silent',
                     });
                     debug.log('Silent SSO: Silent mediation result:', { hasCredential: !!credential, hasToken: !!credential?.token });
@@ -225,6 +235,10 @@ function OxyServicesFedCMMixin(Base) {
                 else {
                     debug.warn('Silent SSO: No accessToken in session response');
                 }
+                // Store the user ID as loginHint for future FedCM requests
+                if (session.user?.id) {
+                    this.storeLoginHint(session.user.id);
+                }
                 debug.log('Silent SSO: Success!', {
                     sessionId: session.sessionId?.substring(0, 8) + '...',
                     userId: session.user?.id
@@ -299,7 +313,7 @@ function OxyServicesFedCMMixin(Base) {
                                         params: {
                                             nonce: options.nonce, // For Chrome 145+
                                         },
-                                        ...(options.context && { loginHint: options.context }),
+                                        ...(options.loginHint && { loginHint: options.loginHint }),
                                     },
                                 ],
                             },
@@ -419,6 +433,28 @@ function OxyServicesFedCMMixin(Base) {
                 }
                 return window.location.origin;
             }
+            /** @internal */
+            getStoredLoginHint() {
+                if (typeof window === 'undefined')
+                    return undefined;
+                try {
+                    return localStorage.getItem(FEDCM_LOGIN_HINT_KEY) || undefined;
+                }
+                catch {
+                    return undefined;
+                }
+            }
+            /** @internal */
+            storeLoginHint(userId) {
+                if (typeof window === 'undefined')
+                    return;
+                try {
+                    localStorage.setItem(FEDCM_LOGIN_HINT_KEY, userId);
+                }
+                catch {
+                    // Storage full or blocked
+                }
+            }
         },
         _a.DEFAULT_CONFIG_URL = 'https://auth.oxy.so/fedcm.json',
         _a.FEDCM_TIMEOUT = 15000 // 15 seconds for interactive

package/dist/cjs/mixins/OxyServices.utility.js

@@ -67,6 +67,17 @@ function OxyServicesUtilityMixin(Base) {
          * Validates JWT tokens against the Oxy API and attaches user data to requests.
          * Uses server-side session validation for security (not just JWT decode).
          *
+         * **Design note — jwtDecode vs jwt.verify:**
+         * This middleware intentionally uses `jwtDecode()` (decode-only, no signature
+         * verification) for user tokens. This is by design, NOT a security gap:
+         * - Third-party apps using `oxy.auth()` don't have the Oxy JWT secret
+         * - Security comes from API-based session validation (`validateSession()`)
+         *   which checks the session server-side on every request
+         * - Service tokens (type: 'service') DO use cryptographic HMAC verification
+         *   via the `jwtSecret` option, since they are stateless
+         * - The backend's own `authMiddleware` uses `jwt.verify()` because it has
+         *   direct access to `ACCESS_TOKEN_SECRET`
+         *
          * @example
          * ```typescript
          * import { OxyServices } from '@oxyhq/core';
@@ -119,6 +130,7 @@ function OxyServicesUtilityMixin(Base) {
                             return next();
                         }
                         const error = {
+                            error: 'MISSING_TOKEN',
                             message: 'Access token required',
                             code: 'MISSING_TOKEN',
                             status: 401
@@ -139,6 +151,7 @@ function OxyServicesUtilityMixin(Base) {
                             return next();
                         }
                         const error = {
+                            error: 'INVALID_TOKEN_FORMAT',
                             message: 'Invalid token format',
                             code: 'INVALID_TOKEN_FORMAT',
                             status: 401
@@ -158,6 +171,7 @@ function OxyServicesUtilityMixin(Base) {
                                 return next();
                             }
                             const error = {
+                                error: 'SERVICE_TOKEN_NOT_CONFIGURED',
                                 message: 'Service token verification not configured',
                                 code: 'SERVICE_TOKEN_NOT_CONFIGURED',
                                 status: 403
@@ -192,7 +206,7 @@ function OxyServicesUtilityMixin(Base) {
                                 (verifyError.message === 'Invalid signature' || verifyError.message === 'Invalid token structure');
                             if (!isSignatureError) {
                                 console.error('[oxy.auth] Unexpected error during service token verification:', verifyError);
-                                const error = { message: 'Internal authentication error', code: 'AUTH_INTERNAL_ERROR', status: 500 };
+                                const error = { error: 'AUTH_INTERNAL_ERROR', message: 'Internal authentication error', code: 'AUTH_INTERNAL_ERROR', status: 500 };
                                 if (onError)
                                     return onError(error);
                                 return res.status(500).json(error);
@@ -202,7 +216,7 @@ function OxyServicesUtilityMixin(Base) {
                                 req.user = null;
                                 return next();
                             }
-                            const error = { message: 'Invalid service token signature', code: 'INVALID_SERVICE_TOKEN', status: 401 };
+                            const error = { error: 'INVALID_SERVICE_TOKEN', message: 'Invalid service token signature', code: 'INVALID_SERVICE_TOKEN', status: 401 };
                             if (onError)
                                 return onError(error);
                             return res.status(401).json(error);
@@ -214,7 +228,7 @@ function OxyServicesUtilityMixin(Base) {
                                 req.user = null;
                                 return next();
                             }
-                            const error = { message: 'Service token expired', code: 'TOKEN_EXPIRED', status: 401 };
+                            const error = { error: 'TOKEN_EXPIRED', message: 'Service token expired', code: 'TOKEN_EXPIRED', status: 401 };
                             if (onError)
                                 return onError(error);
                             return res.status(401).json(error);
@@ -226,7 +240,7 @@ function OxyServicesUtilityMixin(Base) {
                                 req.user = null;
                                 return next();
                             }
-                            const error = { message: 'Invalid service token: missing appId', code: 'INVALID_SERVICE_TOKEN', status: 401 };
+                            const error = { error: 'INVALID_SERVICE_TOKEN', message: 'Invalid service token: missing appId', code: 'INVALID_SERVICE_TOKEN', status: 401 };
                             if (onError)
                                 return onError(error);
                             return res.status(401).json(error);
@@ -253,6 +267,7 @@ function OxyServicesUtilityMixin(Base) {
                             return next();
                         }
                         const error = {
+                            error: 'INVALID_TOKEN_PAYLOAD',
                             message: 'Token missing user ID',
                             code: 'INVALID_TOKEN_PAYLOAD',
                             status: 401
@@ -269,6 +284,7 @@ function OxyServicesUtilityMixin(Base) {
                             return next();
                         }
                         const error = {
+                            error: 'TOKEN_EXPIRED',
                             message: 'Token expired',
                             code: 'TOKEN_EXPIRED',
                             status: 401
@@ -291,6 +307,7 @@ function OxyServicesUtilityMixin(Base) {
                                     return next();
                                 }
                                 const error = {
+                                    error: 'INVALID_SESSION',
                                     message: 'Session invalid or expired',
                                     code: 'INVALID_SESSION',
                                     status: 401
@@ -325,6 +342,7 @@ function OxyServicesUtilityMixin(Base) {
                                 return next();
                             }
                             const error = {
+                                error: 'SESSION_VALIDATION_ERROR',
                                 message: 'Session validation failed',
                                 code: 'SESSION_VALIDATION_ERROR',
                                 status: 401
@@ -382,6 +400,8 @@ function OxyServicesUtilityMixin(Base) {
          * Returns a middleware function for Socket.IO that validates JWT tokens
          * from the handshake auth object and attaches user data to the socket.
          *
+         * Uses `jwtDecode()` + API session validation (same rationale as `auth()`).
+         *
          * @example
          * ```typescript
          * import { OxyServices } from '@oxyhq/core';

package/dist/cjs/utils/authHelpers.js

@@ -0,0 +1,114 @@
+"use strict";
+/**
+ * Authentication helper utilities for common token validation
+ * and authentication error handling patterns.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthenticationFailedError = exports.SessionSyncRequiredError = void 0;
+exports.ensureValidToken = ensureValidToken;
+exports.isAuthenticationError = isAuthenticationError;
+exports.withAuthErrorHandling = withAuthErrorHandling;
+exports.authenticatedApiCall = authenticatedApiCall;
+/**
+ * Error thrown when session sync is required
+ */
+class SessionSyncRequiredError extends Error {
+    constructor(message = 'Session needs to be synced. Please try again.') {
+        super(message);
+        this.name = 'SessionSyncRequiredError';
+    }
+}
+exports.SessionSyncRequiredError = SessionSyncRequiredError;
+/**
+ * Error thrown when authentication fails
+ */
+class AuthenticationFailedError extends Error {
+    constructor(message = 'Authentication failed. Please sign in again.') {
+        super(message);
+        this.name = 'AuthenticationFailedError';
+    }
+}
+exports.AuthenticationFailedError = AuthenticationFailedError;
+/**
+ * Ensures a valid token exists before making authenticated API calls.
+ * If no valid token exists and an active session ID is available,
+ * attempts to refresh the token using the session.
+ *
+ * @throws {SessionSyncRequiredError} If the session needs to be synced (offline session)
+ */
+async function ensureValidToken(oxyServices, activeSessionId) {
+    if (oxyServices.hasValidToken() || !activeSessionId) {
+        return;
+    }
+    try {
+        await oxyServices.getTokenBySession(activeSessionId);
+    }
+    catch (tokenError) {
+        const errorMessage = tokenError instanceof Error ? tokenError.message : String(tokenError);
+        if (errorMessage.includes('AUTH_REQUIRED_OFFLINE_SESSION') || errorMessage.includes('offline')) {
+            throw new SessionSyncRequiredError();
+        }
+        throw tokenError;
+    }
+}
+/**
+ * Checks if an error is an authentication error (401 or auth-related message)
+ */
+function isAuthenticationError(error) {
+    if (!error || typeof error !== 'object') {
+        return false;
+    }
+    const errorObj = error;
+    const errorMessage = errorObj.message || '';
+    const status = errorObj.status || errorObj.response?.status;
+    return (status === 401 ||
+        errorMessage.includes('Authentication required') ||
+        errorMessage.includes('Invalid or missing authorization header'));
+}
+/**
+ * Wraps an API call with authentication error handling.
+ * On auth failure, optionally attempts to sync the session and retry.
+ *
+ * @throws {AuthenticationFailedError} If authentication fails and cannot be recovered
+ */
+async function withAuthErrorHandling(apiCall, options) {
+    try {
+        return await apiCall();
+    }
+    catch (error) {
+        if (!isAuthenticationError(error)) {
+            throw error;
+        }
+        if (options?.syncSession && options?.activeSessionId && options?.oxyServices) {
+            try {
+                await options.syncSession();
+                await options.oxyServices.getTokenBySession(options.activeSessionId);
+                return await apiCall();
+            }
+            catch {
+                throw new AuthenticationFailedError();
+            }
+        }
+        throw new AuthenticationFailedError();
+    }
+}
+/**
+ * Combines token validation and auth error handling for a complete authenticated API call.
+ *
+ * @example
+ * ```ts
+ * return await authenticatedApiCall(
+ *   oxyServices,
+ *   activeSessionId,
+ *   () => oxyServices.updateProfile(updates)
+ * );
+ * ```
+ */
+async function authenticatedApiCall(oxyServices, activeSessionId, apiCall, syncSession) {
+    await ensureValidToken(oxyServices, activeSessionId);
+    return withAuthErrorHandling(apiCall, {
+        syncSession,
+        activeSessionId,
+        oxyServices,
+    });
+}

package/dist/esm/AuthManager.js

@@ -6,7 +6,7 @@
  *
  * @module core/AuthManager
  */
-import { retryAsync } from './utils/asyncUtils';
+import { retryAsync } from './utils/asyncUtils.js';
 /**
  * Storage keys used by AuthManager.
  */
@@ -16,6 +16,7 @@ const STORAGE_KEYS = {
     SESSION: 'oxy_session',
     USER: 'oxy_user',
     AUTH_METHOD: 'oxy_auth_method',
+    FEDCM_LOGIN_HINT: 'oxy_fedcm_login_hint',
 };
 /**
  * Default in-memory storage for non-browser environments.
@@ -296,6 +297,19 @@ export class AuthManager {
             clearTimeout(this.refreshTimer);
             this.refreshTimer = null;
         }
+        // Invalidate current session on the server (best-effort)
+        try {
+            const sessionJson = await this.storage.getItem(STORAGE_KEYS.SESSION);
+            if (sessionJson) {
+                const session = JSON.parse(sessionJson);
+                if (session.sessionId && typeof this.oxyServices.logoutSession === 'function') {
+                    await this.oxyServices.logoutSession(session.sessionId);
+                }
+            }
+        }
+        catch {
+            // Best-effort: don't block local signout on network failure
+        }
         // Revoke FedCM credential if supported
         try {
             const services = this.oxyServices;
@@ -323,6 +337,7 @@ export class AuthManager {
         await this.storage.removeItem(STORAGE_KEYS.SESSION);
         await this.storage.removeItem(STORAGE_KEYS.USER);
         await this.storage.removeItem(STORAGE_KEYS.AUTH_METHOD);
+        await this.storage.removeItem(STORAGE_KEYS.FEDCM_LOGIN_HINT);
     }
     /**
      * Get current user.

package/dist/esm/HttpService.js

@@ -12,13 +12,13 @@
  * - Error handling
  * - Request queuing
  */
-import { TTLCache, registerCacheForCleanup } from './utils/cache';
-import { RequestDeduplicator, RequestQueue, SimpleLogger } from './utils/requestUtils';
-import { retryAsync } from './utils/asyncUtils';
-import { handleHttpError } from './utils/errorUtils';
-import { isDev } from './shared/utils/debugUtils';
+import { TTLCache, registerCacheForCleanup } from './utils/cache.js';
+import { RequestDeduplicator, RequestQueue, SimpleLogger } from './utils/requestUtils.js';
+import { retryAsync } from './utils/asyncUtils.js';
+import { handleHttpError } from './utils/errorUtils.js';
+import { isDev } from './shared/utils/debugUtils.js';
 import { jwtDecode } from 'jwt-decode';
-import { isNative, getPlatformOS } from './utils/platform';
+import { isNative, getPlatformOS } from './utils/platform.js';
 /**
  * Check if we're running in a native app environment (React Native, not web)
  * This is used to determine CSRF handling mode

package/dist/esm/OxyServices.base.js

@@ -4,9 +4,9 @@
  * Contains core infrastructure, HTTP client, request management, and error handling
  */
 import { jwtDecode } from 'jwt-decode';
-import { handleHttpError } from './utils/errorUtils';
-import { HttpService } from './HttpService';
-import { OxyAuthenticationError, OxyAuthenticationTimeoutError } from './OxyServices.errors';
+import { handleHttpError } from './utils/errorUtils.js';
+import { HttpService } from './HttpService.js';
+import { OxyAuthenticationError, OxyAuthenticationTimeoutError } from './OxyServices.errors.js';
 /**
  * Base class for OxyServices with core infrastructure
  */

package/dist/esm/OxyServices.js

@@ -1,6 +1,6 @@
-import { OxyAuthenticationError, OxyAuthenticationTimeoutError } from './OxyServices.errors';
+import { OxyAuthenticationError, OxyAuthenticationTimeoutError } from './OxyServices.errors.js';
 // Import mixin composition helper
-import { composeOxyServices } from './mixins';
+import { composeOxyServices } from './mixins.js';
 /**
  * OxyServices - Unified client library for interacting with the Oxy API
  *

package/dist/esm/crypto/index.js

@@ -5,9 +5,9 @@
  * Handles key generation, secure storage, digital signatures, and recovery phrases.
  */
 // Import polyfills first - this ensures Buffer is available for bip39 and other libraries
-import './polyfill';
-export { KeyManager } from './keyManager';
-export { SignatureService } from './signatureService';
-export { RecoveryPhraseService } from './recoveryPhrase';
+import './polyfill.js';
+export { KeyManager } from './keyManager.js';
+export { SignatureService } from './signatureService.js';
+export { RecoveryPhraseService } from './recoveryPhrase.js';
 // Re-export for convenience
-export { KeyManager as default } from './keyManager';
+export { KeyManager as default } from './keyManager.js';

package/dist/esm/crypto/keyManager.js

@@ -5,9 +5,9 @@
  * Private keys are stored securely using expo-secure-store and never leave the device.
  */
 import { ec as EC } from 'elliptic';
-import { isWeb, isIOS, isAndroid, isReactNative, isNodeJS } from '../utils/platform';
-import { logger } from '../utils/loggerUtils';
-import { isDev } from '../shared/utils/debugUtils';
+import { isWeb, isIOS, isAndroid, isReactNative, isNodeJS } from '../utils/platform.js';
+import { logger } from '../utils/loggerUtils.js';
+import { isDev } from '../shared/utils/debugUtils.js';
 // Lazy imports for React Native specific modules
 let SecureStore = null;
 let ExpoCrypto = null;

package/dist/esm/crypto/recoveryPhrase.js

@@ -7,7 +7,7 @@
  * Note: This module requires the polyfill to be loaded first (done via crypto/index.ts)
  */
 import * as bip39 from 'bip39';
-import { KeyManager } from './keyManager';
+import { KeyManager } from './keyManager.js';
 /**
  * Convert Uint8Array or array-like to hexadecimal string
  * Works in both Node.js and React Native without depending on Buffer

package/dist/esm/crypto/signatureService.js

@@ -5,8 +5,8 @@
  * Used for authenticating requests and proving identity ownership.
  */
 import { ec as EC } from 'elliptic';
-import { KeyManager } from './keyManager';
-import { isReactNative, isNodeJS } from '../utils/platform';
+import { KeyManager } from './keyManager.js';
+import { isReactNative, isNodeJS } from '../utils/platform.js';
 // Lazy import for expo-crypto
 let ExpoCrypto = null;
 const ec = new EC('secp256k1');

package/dist/esm/i18n/index.js

@@ -1,14 +1,14 @@
-import enUS from './locales/en-US.json';
-import esES from './locales/es-ES.json';
-import caES from './locales/ca-ES.json';
-import frFR from './locales/fr-FR.json';
-import deDE from './locales/de-DE.json';
-import itIT from './locales/it-IT.json';
-import ptPT from './locales/pt-PT.json';
-import jaJP from './locales/ja-JP.json';
-import koKR from './locales/ko-KR.json';
-import zhCN from './locales/zh-CN.json';
-import arSA from './locales/ar-SA.json';
+import enUS from './locales/en-US.json.js';
+import esES from './locales/es-ES.json.js';
+import caES from './locales/ca-ES.json.js';
+import frFR from './locales/fr-FR.json.js';
+import deDE from './locales/de-DE.json.js';
+import itIT from './locales/it-IT.json.js';
+import ptPT from './locales/pt-PT.json.js';
+import jaJP from './locales/ja-JP.json.js';
+import koKR from './locales/ko-KR.json.js';
+import zhCN from './locales/zh-CN.json.js';
+import arSA from './locales/ar-SA.json.js';
 const DICTS = {
     'en': enUS,
     'en-US': enUS,

package/dist/esm/index.js

@@ -14,42 +14,44 @@
  * ```
  */
 // Ensure crypto polyfills are loaded before anything else
-import './crypto/polyfill';
+import './crypto/polyfill.js';
 // --- Core API Client ---
-export { OxyServices, OxyAuthenticationError, OxyAuthenticationTimeoutError } from './OxyServices';
-export { OXY_CLOUD_URL, oxyClient } from './OxyServices';
+export { OxyServices, OxyAuthenticationError, OxyAuthenticationTimeoutError } from './OxyServices.js';
+export { OXY_CLOUD_URL, oxyClient } from './OxyServices.js';
 // --- Authentication ---
-export { AuthManager, createAuthManager } from './AuthManager';
-export { CrossDomainAuth, createCrossDomainAuth } from './CrossDomainAuth';
+export { AuthManager, createAuthManager } from './AuthManager.js';
+export { CrossDomainAuth, createCrossDomainAuth } from './CrossDomainAuth.js';
 // --- Crypto / Identity ---
-export { KeyManager, SignatureService, RecoveryPhraseService } from './crypto';
+export { KeyManager, SignatureService, RecoveryPhraseService } from './crypto.js';
 // --- Models & Types ---
-export * from './models/interfaces';
-export * from './models/session';
+export * from './models/interfaces.js';
+export * from './models/session.js';
 // --- Device Management ---
-export { DeviceManager } from './utils/deviceManager';
+export { DeviceManager } from './utils/deviceManager.js';
 // --- Language Utilities ---
-export { SUPPORTED_LANGUAGES, getLanguageMetadata, getLanguageName, getNativeLanguageName, normalizeLanguageCode, } from './utils/languageUtils';
+export { SUPPORTED_LANGUAGES, getLanguageMetadata, getLanguageName, getNativeLanguageName, normalizeLanguageCode, } from './utils/languageUtils.js';
 // --- Platform Detection ---
-export { getPlatformOS, setPlatformOS, isWeb, isNative, isIOS, isAndroid, } from './utils/platform';
+export { getPlatformOS, setPlatformOS, isWeb, isNative, isIOS, isAndroid, } from './utils/platform.js';
 // --- Shared Utilities ---
-export { darkenColor, lightenColor, hexToRgb, rgbToHex, withOpacity, isLightColor, getContrastTextColor, } from './shared/utils/colorUtils';
-export { normalizeTheme, normalizeColorScheme, getOppositeTheme, systemPrefersDarkMode, getSystemColorScheme, } from './shared/utils/themeUtils';
-export { HttpStatus, getErrorStatus, getErrorMessage, isAlreadyRegisteredError, isUnauthorizedError, isForbiddenError, isNotFoundError, isRateLimitError, isServerError, isNetworkError, isRetryableError, } from './shared/utils/errorUtils';
-export { DEFAULT_CIRCUIT_BREAKER_CONFIG, createCircuitBreakerState, calculateBackoffInterval, recordFailure, recordSuccess, shouldAllowRequest, delay, withRetry, } from './shared/utils/networkUtils';
-export { isDev, debugLog, debugWarn, debugError, createDebugLogger, } from './shared/utils/debugUtils';
+export { darkenColor, lightenColor, hexToRgb, rgbToHex, withOpacity, isLightColor, getContrastTextColor, } from './shared/utils/colorUtils.js';
+export { normalizeTheme, normalizeColorScheme, getOppositeTheme, systemPrefersDarkMode, getSystemColorScheme, } from './shared/utils/themeUtils.js';
+export { HttpStatus, getErrorStatus, getErrorMessage, isAlreadyRegisteredError, isUnauthorizedError, isForbiddenError, isNotFoundError, isRateLimitError, isServerError, isNetworkError, isRetryableError, } from './shared/utils/errorUtils.js';
+export { DEFAULT_CIRCUIT_BREAKER_CONFIG, createCircuitBreakerState, calculateBackoffInterval, recordFailure, recordSuccess, shouldAllowRequest, delay, withRetry, } from './shared/utils/networkUtils.js';
+export { isDev, debugLog, debugWarn, debugError, createDebugLogger, } from './shared/utils/debugUtils.js';
 // --- i18n ---
-export { translate } from './i18n';
+export { translate } from './i18n.js';
+// --- Auth Helpers ---
+export { SessionSyncRequiredError, AuthenticationFailedError, ensureValidToken, isAuthenticationError, withAuthErrorHandling, authenticatedApiCall, } from './utils/authHelpers.js';
 // --- Session Utilities ---
-export { mergeSessions, normalizeAndSortSessions, sessionsArraysEqual } from './utils/sessionUtils';
+export { mergeSessions, normalizeAndSortSessions, sessionsArraysEqual } from './utils/sessionUtils.js';
 // --- Constants ---
-export { packageInfo } from './constants/version';
+export { packageInfo } from './constants/version.js';
 // --- API & Error Utilities ---
-export * from './utils/apiUtils';
-export { ErrorCodes, createApiError, handleHttpError, validateRequiredFields, } from './utils/errorUtils';
-export { retryAsync } from './utils/asyncUtils';
-export * from './utils/validationUtils';
-export { logger, LogLevel, logAuth, logApi, logSession, logUser, logDevice, logPayment, logPerformance, } from './utils/loggerUtils';
+export * from './utils/apiUtils.js';
+export { ErrorCodes, createApiError, handleHttpError, validateRequiredFields, } from './utils/errorUtils.js';
+export { retryAsync } from './utils/asyncUtils.js';
+export * from './utils/validationUtils.js';
+export { logger, LogLevel, logAuth, logApi, logSession, logUser, logDevice, logPayment, logPerformance, } from './utils/loggerUtils.js';
 // Default export
-import { OxyServices } from './OxyServices';
+import { OxyServices } from './OxyServices.js';
 export default OxyServices;

package/dist/esm/mixins/OxyServices.analytics.js

@@ -1,4 +1,4 @@
-import { CACHE_TIMES } from './mixinHelpers';
+import { CACHE_TIMES } from './mixinHelpers.js';
 export function OxyServicesAnalyticsMixin(Base) {
     return class extends Base {
         constructor(...args) {