@oxyhq/core 3.8.1 → 3.9.0

package/dist/esm/HttpService.js

@@ -161,9 +161,19 @@ export class HttpService {
         this.baseURL = config.baseURL;
         this.tokenStore = new TokenStore();
         this.logger = new SimpleLogger(config.enableLogging || false, config.logLevel || 'error', 'HttpService');
-        // Initialize performance infrastructure
-        this.cache = new TTLCache(config.cacheTTL || 5 * 60 * 1000);
-        registerCacheForCleanup(this.cache);
+        // Initialize performance infrastructure. The per-instance GET response
+        // cache is disabled when the consumer explicitly opts out
+        // (`enableCache: false`) or asks for a non-positive TTL (`cacheTTL <= 0`).
+        // When disabled, nothing is ever stored, so there is no reason to register
+        // the cache for the global cleanup interval. Default (config unset) keeps
+        // caching ON with the 5-minute TTL — unchanged for existing consumers.
+        this.cacheDisabled =
+            config.enableCache === false ||
+                (typeof config.cacheTTL === 'number' && config.cacheTTL <= 0);
+        this.cache = new TTLCache(config.cacheTTL && config.cacheTTL > 0 ? config.cacheTTL : 5 * 60 * 1000);
+        if (!this.cacheDisabled) {
+            registerCacheForCleanup(this.cache);
+        }
         this.deduplicator = new RequestDeduplicator();
         this.requestQueue = new RequestQueue(config.maxConcurrentRequests || 10, config.requestQueueSize || 100);
     }
@@ -238,7 +248,11 @@ export class HttpService {
      * Main request method - handles everything in one place
      */
     async request(config) {
-        const { method, url, data, params, timeout = this.config.requestTimeout || DEFAULT_REQUEST_TIMEOUT_MS, signal, cache = method === 'GET', cacheTTL, deduplicate = true, retry = this.config.enableRetry !== false, maxRetries = this.config.maxRetries || 3, } = config;
+        const { method, url, data, params, timeout = this.config.requestTimeout || DEFAULT_REQUEST_TIMEOUT_MS, signal, cache: cacheRequested = method === 'GET', cacheTTL, deduplicate = true, retry = this.config.enableRetry !== false, maxRetries = this.config.maxRetries || 3, } = config;
+        // A per-instance disabled cache (`enableCache:false` / `cacheTTL<=0`)
+        // overrides any per-request `cache:true`: nothing is read from nor written
+        // to the response cache. Request deduplication below is unaffected.
+        const cache = cacheRequested && !this.cacheDisabled;
         // Generate cache key (optimized for large objects)
         const cacheKey = cache ? this.generateCacheKey(method, url, data || params) : null;
         // Check cache first

package/dist/esm/OxyServices.base.js

@@ -93,9 +93,23 @@ export class OxyServicesBase {
      * OxyServices instance mounted in OxyProvider. The returned client has its own
      * base URL, cache and request queue, but its bearer token is kept in lockstep
      * with this session and its 401 refresh path delegates back to this session.
+     *
+     * **GET response caching is OFF by default for linked clients.** The SDK's
+     * per-instance GET cache is only safe where the SDK OWNS invalidation: on the
+     * canonical OxyServices client, every mutation (`updateProfile`, `followUser`,
+     * `blockUser`, …) busts the matching cached GET. A linked client targets the
+     * consuming app's OWN backend (`api.mention.earth`, `api.syra.fm`, …), whose
+     * resources and write endpoints the SDK has no knowledge of — so it cannot
+     * invalidate them, and a cached GET there would silently serve stale data
+     * after the app mutates its own data. Caching is therefore unsafe-by-construction
+     * here and is left to the consumer's own layer (React Query / stores), which
+     * owns its invalidation. Pass `createLinkedClient({ baseURL, enableCache: true })`
+     * to explicitly opt back in when the consumer accepts that responsibility.
      */
     createLinkedClient(config) {
-        const client = new HttpService(config);
+        // Default the GET cache OFF unless the caller explicitly opts in (see the
+        // method doc): the SDK cannot invalidate the consumer backend's resources.
+        const client = new HttpService({ ...config, enableCache: config.enableCache ?? false });
         const syncToken = (accessToken) => {
             const currentAccessToken = client.getAccessToken();
             if (accessToken) {

package/dist/esm/mixins/OxyServices.applications.js

@@ -51,6 +51,9 @@ export function OxyServicesApplicationsMixin(Base) {
         async createApplication(data) {
             try {
                 const res = await this.makeRequest('POST', '/applications', data, { cache: false });
+                // Bust every cached application list (unscoped + per-workspace) so the
+                // new application appears on the next `getApplications()` read.
+                this._invalidateApplicationLists();
                 return res.application;
             }
             catch (error) {
@@ -78,6 +81,10 @@ export function OxyServicesApplicationsMixin(Base) {
         async updateApplication(applicationId, data) {
             try {
                 const res = await this.makeRequest('PATCH', `/applications/${applicationId}`, data, { cache: false });
+                // Bust the cached detail and every list (which embeds application
+                // fields) so neither serves the pre-update snapshot.
+                this.clearCacheEntry(`GET:/applications/${applicationId}`);
+                this._invalidateApplicationLists();
                 return res.application;
             }
             catch (error) {
@@ -90,7 +97,13 @@ export function OxyServicesApplicationsMixin(Base) {
          */
         async deleteApplication(applicationId) {
             try {
-                return await this.makeRequest('DELETE', `/applications/${applicationId}`, undefined, { cache: false });
+                const result = await this.makeRequest('DELETE', `/applications/${applicationId}`, undefined, { cache: false });
+                // Bust every cached representation of the deleted application.
+                this.clearCacheEntry(`GET:/applications/${applicationId}`);
+                this.clearCacheEntry(`GET:/applications/${applicationId}/members`);
+                this.clearCacheEntry(`GET:/applications/${applicationId}/credentials`);
+                this._invalidateApplicationLists();
+                return result;
             }
             catch (error) {
                 throw this.handleError(error);
@@ -119,6 +132,7 @@ export function OxyServicesApplicationsMixin(Base) {
         async inviteApplicationMember(applicationId, data) {
             try {
                 const res = await this.makeRequest('POST', `/applications/${applicationId}/members`, data, { cache: false });
+                this._invalidateApplicationMembership(applicationId);
                 return res.member;
             }
             catch (error) {
@@ -134,6 +148,7 @@ export function OxyServicesApplicationsMixin(Base) {
         async updateApplicationMember(applicationId, memberId, data) {
             try {
                 const res = await this.makeRequest('PATCH', `/applications/${applicationId}/members/${memberId}`, data, { cache: false });
+                this._invalidateApplicationMembership(applicationId);
                 return res.member;
             }
             catch (error) {
@@ -147,7 +162,9 @@ export function OxyServicesApplicationsMixin(Base) {
          */
         async removeApplicationMember(applicationId, memberId) {
             try {
-                return await this.makeRequest('DELETE', `/applications/${applicationId}/members/${memberId}`, undefined, { cache: false });
+                const result = await this.makeRequest('DELETE', `/applications/${applicationId}/members/${memberId}`, undefined, { cache: false });
+                this._invalidateApplicationMembership(applicationId);
+                return result;
             }
             catch (error) {
                 throw this.handleError(error);
@@ -161,7 +178,12 @@ export function OxyServicesApplicationsMixin(Base) {
          */
         async transferApplicationOwnership(applicationId, data) {
             try {
-                return await this.makeRequest('POST', `/applications/${applicationId}/transfer-ownership`, data, { cache: false });
+                const result = await this.makeRequest('POST', `/applications/${applicationId}/transfer-ownership`, data, { cache: false });
+                // Ownership change alters roles in the member list AND the detail, and
+                // can change which applications the caller "owns" in the list view.
+                this._invalidateApplicationMembership(applicationId);
+                this._invalidateApplicationLists();
+                return result;
             }
             catch (error) {
                 throw this.handleError(error);
@@ -188,7 +210,9 @@ export function OxyServicesApplicationsMixin(Base) {
          */
         async createApplicationCredential(applicationId, data) {
             try {
-                return await this.makeRequest('POST', `/applications/${applicationId}/credentials`, data, { cache: false });
+                const result = await this.makeRequest('POST', `/applications/${applicationId}/credentials`, data, { cache: false });
+                this.clearCacheEntry(`GET:/applications/${applicationId}/credentials`);
+                return result;
             }
             catch (error) {
                 throw this.handleError(error);
@@ -204,7 +228,11 @@ export function OxyServicesApplicationsMixin(Base) {
          */
         async rotateApplicationCredential(applicationId, credentialId) {
             try {
-                return await this.makeRequest('POST', `/applications/${applicationId}/credentials/${credentialId}/rotate`, undefined, { cache: false });
+                const result = await this.makeRequest('POST', `/applications/${applicationId}/credentials/${credentialId}/rotate`, undefined, { cache: false });
+                // Rotation changes credential status/audit fields surfaced by the
+                // credentials list (`rotatedFrom`, grace window, new active credential).
+                this.clearCacheEntry(`GET:/applications/${applicationId}/credentials`);
+                return result;
             }
             catch (error) {
                 throw this.handleError(error);
@@ -218,7 +246,10 @@ export function OxyServicesApplicationsMixin(Base) {
          */
         async revokeApplicationCredential(applicationId, credentialId) {
             try {
-                return await this.makeRequest('DELETE', `/applications/${applicationId}/credentials/${credentialId}`, undefined, { cache: false });
+                const result = await this.makeRequest('DELETE', `/applications/${applicationId}/credentials/${credentialId}`, undefined, { cache: false });
+                // Revocation flips the credential's status in the cached list.
+                this.clearCacheEntry(`GET:/applications/${applicationId}/credentials`);
+                return result;
             }
             catch (error) {
                 throw this.handleError(error);
@@ -237,5 +268,37 @@ export function OxyServicesApplicationsMixin(Base) {
                 throw this.handleError(error);
             }
         }
+        /**
+         * Bust every cached application list. `getApplications(workspaceId?)` keys
+         * the unscoped list as `GET:/applications` and each workspace-scoped list as
+         * `GET:/applications?workspaceId=<id>` (the query string is part of the URL
+         * path). A change to list membership (create/delete/ownership transfer)
+         * invalidates all of them, so we clear the unscoped entry plus every
+         * `?workspaceId=` variant via a prefix sweep. The prefix `GET:/applications?`
+         * matches only the query-string list variants, never the `GET:/applications/<id>…`
+         * detail/sub-resource keys.
+         *
+         * Internal helper (leading underscore); not part of the supported public
+         * surface. Public rather than `private` because mixins compose into an
+         * exported anonymous class, where TypeScript cannot represent a private
+         * member in the emitted declaration file (TS4094).
+         */
+        _invalidateApplicationLists() {
+            this.clearCacheEntry('GET:/applications');
+            this.clearCacheByPrefix('GET:/applications?');
+        }
+        /**
+         * Bust the cached member list and detail for an application after a
+         * membership mutation. The member list (`getApplicationMembers`) and the
+         * detail (`getApplication`, which can embed member counts) both go stale
+         * when the member set or a member's role changes.
+         *
+         * Internal helper (leading underscore); see `_invalidateApplicationLists`
+         * for why this is public rather than `private`.
+         */
+        _invalidateApplicationMembership(applicationId) {
+            this.clearCacheEntry(`GET:/applications/${applicationId}/members`);
+            this.clearCacheEntry(`GET:/applications/${applicationId}`);
+        }
     };
 }

package/dist/esm/mixins/OxyServices.assets.js

@@ -322,7 +322,10 @@ export function OxyServicesAssetsMixin(Base) {
          */
         async assetRestore(fileId) {
             try {
-                return await this.makeRequest('POST', `/assets/${fileId}/restore`, undefined, { cache: false });
+                const result = await this.makeRequest('POST', `/assets/${fileId}/restore`, undefined, { cache: false });
+                // The asset metadata (trash state) changed — bust its cached read.
+                this.clearCacheEntry(`GET:/assets/${fileId}`);
+                return result;
             }
             catch (error) {
                 throw this.handleError(error);
@@ -334,7 +337,11 @@ export function OxyServicesAssetsMixin(Base) {
         async assetDelete(fileId, force = false) {
             try {
                 const params = force ? { force: 'true' } : undefined;
-                return await this.makeRequest('DELETE', `/assets/${fileId}`, params, { cache: false });
+                const result = await this.makeRequest('DELETE', `/assets/${fileId}`, params, { cache: false });
+                // Bust the cached metadata and every cached URL variant for the asset.
+                this.clearCacheEntry(`GET:/assets/${fileId}`);
+                this.clearCacheByPrefix(`GET:/assets/${fileId}/url`);
+                return result;
             }
             catch (error) {
                 throw this.handleError(error);
@@ -357,9 +364,15 @@ export function OxyServicesAssetsMixin(Base) {
          */
         async assetUpdateVisibility(fileId, visibility) {
             try {
-                return await this.makeRequest('PATCH', `/assets/${fileId}/visibility`, {
+                const result = await this.makeRequest('PATCH', `/assets/${fileId}/visibility`, {
                     visibility
                 }, { cache: false });
+                // Visibility changes both the asset metadata and the resolved URL
+                // (public CDN vs signed). Bust the metadata read and every cached URL
+                // variant (keyed on variant/expiresIn params).
+                this.clearCacheEntry(`GET:/assets/${fileId}`);
+                this.clearCacheByPrefix(`GET:/assets/${fileId}/url`);
+                return result;
             }
             catch (error) {
                 throw this.handleError(error);

package/dist/esm/mixins/OxyServices.features.js

@@ -56,10 +56,14 @@ export function OxyServicesFeaturesMixin(Base) {
          */
         async subscribe(planId, paymentMethodId) {
             return this.withAuthRetry(async () => {
-                return await this.makeRequest('POST', '/subscriptions/subscribe', {
+                const result = await this.makeRequest('POST', '/subscriptions/subscribe', {
                     planId,
                     paymentMethodId,
                 }, { cache: false });
+                // The current subscription changed — bust its cached read so
+                // `getCurrentSubscription()` reflects the new plan immediately.
+                this.clearCacheEntry('GET:/subscriptions/current');
+                return result;
             }, 'subscribe');
         }
         /**
@@ -67,10 +71,12 @@ export function OxyServicesFeaturesMixin(Base) {
          */
         async subscribeToFeature(featureId, paymentMethodId) {
             return this.withAuthRetry(async () => {
-                return await this.makeRequest('POST', '/subscriptions/features/subscribe', {
+                const result = await this.makeRequest('POST', '/subscriptions/features/subscribe', {
                     featureId,
                     paymentMethodId,
                 }, { cache: false });
+                this.clearCacheEntry('GET:/subscriptions/current');
+                return result;
             }, 'subscribeToFeature');
         }
         /**
@@ -81,6 +87,7 @@ export function OxyServicesFeaturesMixin(Base) {
                 await this.makeRequest('POST', `/subscriptions/${subscriptionId}/cancel`, undefined, {
                     cache: false,
                 });
+                this.clearCacheEntry('GET:/subscriptions/current');
             }, 'cancelSubscription');
         }
         /**
@@ -91,6 +98,7 @@ export function OxyServicesFeaturesMixin(Base) {
                 await this.makeRequest('POST', `/subscriptions/${subscriptionId}/reactivate`, undefined, {
                     cache: false,
                 });
+                this.clearCacheEntry('GET:/subscriptions/current');
             }, 'reactivateSubscription');
         }
         /**
@@ -139,42 +147,62 @@ export function OxyServicesFeaturesMixin(Base) {
             }, 'getCollections');
         }
         /**
-         * Save an item
+         * Save an item.
+         *
+         * Busts the cached own saved-items list (`GET /saves`, ~short TTL) so a
+         * follow-up `getSavedItems()` observes the new item. The `userId`-scoped
+         * variant (`/users/<id>/saves`) is another user's list and is not
+         * affected by the caller's own save.
          */
         async saveItem(itemId, itemType, collectionId) {
             return this.withAuthRetry(async () => {
-                return await this.makeRequest('POST', '/saves', {
+                const result = await this.makeRequest('POST', '/saves', {
                     itemId,
                     itemType,
                     collectionId,
                 }, { cache: false });
+                this.clearCacheEntry('GET:/saves');
+                return result;
             }, 'saveItem');
         }
         /**
-         * Remove an item from saves
+         * Remove an item from saves.
+         *
+         * Busts the cached own saved-items list so the removed item is gone on
+         * the next read (see `saveItem`).
          */
         async removeSavedItem(saveId) {
             return this.withAuthRetry(async () => {
                 await this.makeRequest('DELETE', `/saves/${saveId}`, undefined, { cache: false });
+                this.clearCacheEntry('GET:/saves');
             }, 'removeSavedItem');
         }
         /**
-         * Create a collection
+         * Create a collection.
+         *
+         * Busts the cached own collections list (`GET /collections`) so the new
+         * collection appears on the next read.
          */
         async createCollection(name, description) {
             return this.withAuthRetry(async () => {
-                return await this.makeRequest('POST', '/collections', {
+                const result = await this.makeRequest('POST', '/collections', {
                     name,
                     description,
                 }, { cache: false });
+                this.clearCacheEntry('GET:/collections');
+                return result;
             }, 'createCollection');
         }
         /**
-         * Delete a collection
+         * Delete a collection.
+         *
+         * Busts the cached own collections list so the deleted collection is
+         * gone on the next read (see `createCollection`).
          */
         async deleteCollection(collectionId) {
             return this.withAuthRetry(async () => {
                 await this.makeRequest('DELETE', `/collections/${collectionId}`, undefined, { cache: false });
+                this.clearCacheEntry('GET:/collections');
             }, 'deleteCollection');
         }
         // ==================
@@ -215,19 +243,28 @@ export function OxyServicesFeaturesMixin(Base) {
             }, 'getUserHistory');
         }
         /**
-         * Clear user history
+         * Clear user history.
+         *
+         * `getUserHistory` caches per (limit, offset) page, so its cache key
+         * carries serialized params (`GET:/history` and `GET:/history:<params>`).
+         * A prefix sweep busts every cached page of the own history at once.
          */
         async clearUserHistory() {
             return this.withAuthRetry(async () => {
                 await this.makeRequest('DELETE', '/history', undefined, { cache: false });
+                this.clearCacheByPrefix('GET:/history');
             }, 'clearUserHistory');
         }
         /**
-         * Delete a history item
+         * Delete a history item.
+         *
+         * Busts every cached page of the own history (see `clearUserHistory`)
+         * so the removed item no longer appears on the next read.
          */
         async deleteHistoryItem(itemId) {
             return this.withAuthRetry(async () => {
                 await this.makeRequest('DELETE', `/history/${itemId}`, undefined, { cache: false });
+                this.clearCacheByPrefix('GET:/history');
             }, 'deleteHistoryItem');
         }
         // ==================

package/dist/esm/mixins/OxyServices.managedAccounts.js

@@ -7,13 +7,17 @@ export function OxyServicesManagedAccountsMixin(Base) {
          * Create a new managed account (sub-account).
          *
          * The server creates a User document with `isManagedAccount: true` and links
-         * it to the authenticated user as owner.
+         * it to the authenticated user as owner. Invalidates the cached
+         * `GET /managed-accounts` list (~2-minute TTL, identity-scoped) so the next
+         * read includes the newly created account.
          */
         async createManagedAccount(data) {
             try {
-                return await this.makeRequest('POST', '/managed-accounts', data, {
+                const result = await this.makeRequest('POST', '/managed-accounts', data, {
                     cache: false,
                 });
+                this.clearCacheEntry('GET:/managed-accounts');
+                return result;
             }
             catch (error) {
                 throw this.handleError(error);
@@ -50,12 +54,19 @@ export function OxyServicesManagedAccountsMixin(Base) {
         /**
          * Update a managed account's profile data.
          * Requires owner or admin role.
+         *
+         * Invalidates both the cached detail (`GET /managed-accounts/<id>`) and the
+         * cached list (`GET /managed-accounts`, which embeds account profile data)
+         * so neither serves the pre-update snapshot within their ~2-minute TTL.
          */
         async updateManagedAccount(accountId, data) {
             try {
-                return await this.makeRequest('PUT', `/managed-accounts/${accountId}`, data, {
+                const result = await this.makeRequest('PUT', `/managed-accounts/${accountId}`, data, {
                     cache: false,
                 });
+                this.clearCacheEntry(`GET:/managed-accounts/${accountId}`);
+                this.clearCacheEntry('GET:/managed-accounts');
+                return result;
             }
             catch (error) {
                 throw this.handleError(error);
@@ -64,12 +75,17 @@ export function OxyServicesManagedAccountsMixin(Base) {
         /**
          * Delete a managed account permanently.
          * Requires owner role.
+         *
+         * Invalidates the cached detail and list responses so the deleted account
+         * is not served from cache.
          */
         async deleteManagedAccount(accountId) {
             try {
                 await this.makeRequest('DELETE', `/managed-accounts/${accountId}`, undefined, {
                     cache: false,
                 });
+                this.clearCacheEntry(`GET:/managed-accounts/${accountId}`);
+                this.clearCacheEntry('GET:/managed-accounts');
             }
             catch (error) {
                 throw this.handleError(error);
@@ -79,6 +95,9 @@ export function OxyServicesManagedAccountsMixin(Base) {
          * Add a manager to a managed account.
          * Requires owner or admin role on the account.
          *
+         * Mutates the account's `managers[]`, which is returned by the detail and
+         * list reads — invalidate both so they re-fetch the updated manager set.
+         *
          * @param accountId - The managed account to add the manager to
          * @param userId - The user to grant management access
          * @param role - The role to assign: 'admin' or 'editor'
@@ -88,6 +107,8 @@ export function OxyServicesManagedAccountsMixin(Base) {
                 await this.makeRequest('POST', `/managed-accounts/${accountId}/managers`, { userId, role }, {
                     cache: false,
                 });
+                this.clearCacheEntry(`GET:/managed-accounts/${accountId}`);
+                this.clearCacheEntry('GET:/managed-accounts');
             }
             catch (error) {
                 throw this.handleError(error);
@@ -97,6 +118,9 @@ export function OxyServicesManagedAccountsMixin(Base) {
          * Remove a manager from a managed account.
          * Requires owner role.
          *
+         * Invalidates the detail and list responses so the updated `managers[]`
+         * is observed on the next read (see `addManager`).
+         *
          * @param accountId - The managed account
          * @param userId - The manager to remove
          */
@@ -105,6 +129,8 @@ export function OxyServicesManagedAccountsMixin(Base) {
                 await this.makeRequest('DELETE', `/managed-accounts/${accountId}/managers/${userId}`, undefined, {
                     cache: false,
                 });
+                this.clearCacheEntry(`GET:/managed-accounts/${accountId}`);
+                this.clearCacheEntry('GET:/managed-accounts');
             }
             catch (error) {
                 throw this.handleError(error);

package/dist/esm/mixins/OxyServices.privacy.js

@@ -51,7 +51,13 @@ export function OxyServicesPrivacyMixin(Base) {
             }
         }
         /**
-         * Block a user
+         * Block a user.
+         *
+         * Invalidates the cached `GET /privacy/blocked` response after the write.
+         * `getBlockedUsers` caches for ~1 minute (identity-scoped); without busting
+         * that entry, a consumer that re-reads the blocked list within the TTL
+         * window would not see the user it just blocked. `clearCacheEntry` deletes
+         * every identity-scoped variant of the key.
          * @param userId - The user ID to block
          * @returns Success message
          */
@@ -60,16 +66,21 @@ export function OxyServicesPrivacyMixin(Base) {
                 if (!userId) {
                     throw new Error('User ID is required');
                 }
-                return await this.makeRequest('POST', `/privacy/blocked/${userId}`, undefined, {
+                const result = await this.makeRequest('POST', `/privacy/blocked/${userId}`, undefined, {
                     cache: false,
                 });
+                this.clearCacheEntry('GET:/privacy/blocked');
+                return result;
             }
             catch (error) {
                 throw this.handleError(error);
             }
         }
         /**
-         * Unblock a user
+         * Unblock a user.
+         *
+         * Busts the cached `GET /privacy/blocked` response so a remount reads the
+         * fresh list without the just-unblocked user (see `blockUser`).
          * @param userId - The user ID to unblock
          * @returns Success message
          */
@@ -78,9 +89,11 @@ export function OxyServicesPrivacyMixin(Base) {
                 if (!userId) {
                     throw new Error('User ID is required');
                 }
-                return await this.makeRequest('DELETE', `/privacy/blocked/${userId}`, undefined, {
+                const result = await this.makeRequest('DELETE', `/privacy/blocked/${userId}`, undefined, {
                     cache: false,
                 });
+                this.clearCacheEntry('GET:/privacy/blocked');
+                return result;
             }
             catch (error) {
                 throw this.handleError(error);
@@ -113,7 +126,13 @@ export function OxyServicesPrivacyMixin(Base) {
             }
         }
         /**
-         * Restrict a user (limit their interactions without fully blocking)
+         * Restrict a user (limit their interactions without fully blocking).
+         *
+         * Invalidates the cached `GET /privacy/restricted` response after the write.
+         * `getRestrictedUsers` caches for ~1 minute (identity-scoped); without
+         * busting that entry, a consumer that re-reads the restricted list within
+         * the TTL window would not see the user it just restricted.
+         * `clearCacheEntry` deletes every identity-scoped variant of the key.
          * @param userId - The user ID to restrict
          * @returns Success message
          */
@@ -122,16 +141,21 @@ export function OxyServicesPrivacyMixin(Base) {
                 if (!userId) {
                     throw new Error('User ID is required');
                 }
-                return await this.makeRequest('POST', `/privacy/restricted/${userId}`, undefined, {
+                const result = await this.makeRequest('POST', `/privacy/restricted/${userId}`, undefined, {
                     cache: false,
                 });
+                this.clearCacheEntry('GET:/privacy/restricted');
+                return result;
             }
             catch (error) {
                 throw this.handleError(error);
             }
         }
         /**
-         * Unrestrict a user
+         * Unrestrict a user.
+         *
+         * Busts the cached `GET /privacy/restricted` response so a remount reads the
+         * fresh list without the just-unrestricted user (see `restrictUser`).
          * @param userId - The user ID to unrestrict
          * @returns Success message
          */
@@ -140,9 +164,11 @@ export function OxyServicesPrivacyMixin(Base) {
                 if (!userId) {
                     throw new Error('User ID is required');
                 }
-                return await this.makeRequest('DELETE', `/privacy/restricted/${userId}`, undefined, {
+                const result = await this.makeRequest('DELETE', `/privacy/restricted/${userId}`, undefined, {
                     cache: false,
                 });
+                this.clearCacheEntry('GET:/privacy/restricted');
+                return result;
             }
             catch (error) {
                 throw this.handleError(error);

package/dist/esm/mixins/OxyServices.topics.js

@@ -108,9 +108,13 @@ export function OxyServicesTopicsMixin(Base) {
          */
         async updateTopicMetadata(slug, data) {
             try {
-                return await this.makeRequest('PATCH', `/topics/${slug}`, data, {
+                const result = await this.makeRequest('PATCH', `/topics/${slug}`, data, {
                     cache: false,
                 });
+                // Bust the cached topic detail so `getTopicBySlug(slug)` reflects the
+                // updated metadata immediately (it caches at the LONG TTL).
+                this.clearCacheEntry(`GET:/topics/${slug}`);
+                return result;
             }
             catch (error) {
                 throw this.handleError(error);

package/dist/esm/mixins/OxyServices.user.js

@@ -348,16 +348,25 @@ export function OxyServicesUserMixin(Base) {
             }
         }
         /**
-         * Update privacy settings
+         * Update privacy settings.
+         *
+         * Invalidates the cached `GET /privacy/<id>/privacy` response (the exact
+         * key `getPrivacySettings` reads, scoped to the same `id`) after the write.
+         * `getPrivacySettings` caches for ~2 minutes (identity-scoped); without
+         * busting that entry, a follow-up read within the TTL window returns the
+         * pre-update settings. `clearCacheEntry` deletes every identity-scoped
+         * variant of the key.
          * @param settings - Partial privacy settings object
          * @param userId - The user ID (defaults to current user)
          */
         async updatePrivacySettings(settings, userId) {
             try {
                 const id = userId || (await this.getCurrentUser()).id;
-                return await this.makeRequest('PATCH', `/privacy/${id}/privacy`, settings, {
+                const result = await this.makeRequest('PATCH', `/privacy/${id}/privacy`, settings, {
                     cache: false,
                 });
+                this.clearCacheEntry(`GET:/privacy/${id}/privacy`);
+                return result;
             }
             catch (error) {
                 throw this.handleError(error);