@oxyhq/services 10.2.0 → 10.2.2

package/src/ui/components/AccountMenuButton.tsx

@@ -3,7 +3,7 @@ import { useCallback, useRef, useState } from 'react';
 import { TouchableOpacity, StyleSheet, Platform, type LayoutChangeEvent } from 'react-native';
 import { getAccountDisplayName } from '@oxyhq/core';
 import Avatar from './Avatar';
-import AccountMenu from './AccountMenu';
+import AccountMenu, { type AccountMenuAnchor } from './AccountMenu';
 import { useOxy } from '../context/OxyContext';
 import { useI18n } from '../hooks/useI18n';
 
@@ -33,7 +33,7 @@ const AccountMenuButton: React.FC<AccountMenuButtonProps> = ({
     const { user, oxyServices, isAuthenticated } = useOxy();
     const { t, locale } = useI18n();
     const [open, setOpen] = useState(false);
-    const [anchor, setAnchor] = useState<{ top: number; right: number } | null>(null);
+    const [anchor, setAnchor] = useState<AccountMenuAnchor | null>(null);
     const triggerRef = useRef<React.ComponentRef<typeof TouchableOpacity>>(null);
 
     const measureAnchor = useCallback(() => {

package/src/ui/components/FollowButton.tsx

@@ -108,12 +108,12 @@ const FollowButtonInner = memo(function FollowButtonInner({
 });
 
 const FollowButton: React.FC<FollowButtonProps> = (props) => {
-  const { oxyServices, isAuthenticated, user: currentUser } = useOxy();
+  const { oxyServices, isAuthenticated, isAuthResolved, isTokenReady, user: currentUser } = useOxy();
 
   const currentUserId = currentUser?.id ? String(currentUser.id).trim() : '';
   const targetUserId = props.userId ? String(props.userId).trim() : '';
 
-  if (!isAuthenticated || !targetUserId || (currentUserId && currentUserId === targetUserId)) {
+  if (!isAuthResolved || !isTokenReady || !isAuthenticated || !targetUserId || (currentUserId && currentUserId === targetUserId)) {
     return null;
   }
 

package/src/ui/components/OxySignInButton.tsx

@@ -100,7 +100,7 @@ export const OxySignInButton: React.FC<OxySignInButtonProps> = ({
     }, []);
 
     // Handle button press
-    // - Web: legacy full-screen Modal (dialog UX fits desktop / browser)
+    // - Web: full-screen modal (dialog UX fits desktop / browser)
     // - Native: bottom sheet (sheet UX fits iOS/Android)
     const handlePress = useCallback(() => {
         if (onPress) {

package/src/ui/components/SignInModal.tsx

@@ -3,7 +3,7 @@
  *
  * A semi-transparent full-screen modal that displays:
  * - QR code for scanning with Oxy Accounts app
- * - Button to open Oxy Auth popup
+ * - Button to open the Oxy Auth approval page
  *
  * Animates with fade-in effect.
  */
@@ -143,12 +143,11 @@ const SignInModal: React.FC = () => {
     // this is the device-flow equivalent of OAuth's code-for-token
     // exchange (RFC 8628 §3.4).
     //
-    // Without that exchange the SDK has no bearer token and every
-    // subsequent call (including `switchSession` -> `getTokenBySession`)
-    // would 401 against the C1-hardened API. Once `claimSessionByToken`
-    // plants the tokens in the HttpService, the rest of the session
-    // wiring (state, persistence, language preference) flows through
-    // the normal `switchSession` path.
+    // Without that exchange the SDK has no bearer token and the app never
+    // becomes authenticated even though the session is authorized server-side.
+    // Once `claimSessionByToken` plants the tokens in the HttpService, the rest
+    // of the session wiring (state, persistence, language preference) flows
+    // through the normal `switchSession` path.
     const handleAuthSuccess = useCallback(async (sessionId: string, sessionToken: string) => {
         if (isProcessingRef.current) return;
         isProcessingRef.current = true;
@@ -327,8 +326,8 @@ const SignInModal: React.FC = () => {
         return `oxyauth://${authSession.sessionToken}`;
     };
 
-    // Open Oxy Auth popup
-    const handleOpenAuthPopup = useCallback(async () => {
+    // Open Oxy Auth approval page for this device-flow session.
+    const handleOpenAuthApproval = useCallback(async () => {
         if (!authSession) return;
 
         const baseURL = oxyServices.getBaseURL();
@@ -354,7 +353,7 @@ const SignInModal: React.FC = () => {
         webUrl.searchParams.set('token', authSession.sessionToken);
 
         if (Platform.OS === 'web') {
-            // Open popup window on web
+            // Open a separate approval window on web for the device-flow token.
             const width = 500;
             const height = 650;
             const screenWidth = window.screen?.width ?? width;
@@ -364,8 +363,8 @@ const SignInModal: React.FC = () => {
 
             window.open(
                 webUrl.toString(),
-                'oxy-auth-popup',
-                `width=${width},height=${height},left=${left},top=${top},popup=1`
+                'oxy-auth-approval',
+                `width=${width},height=${height},left=${left},top=${top}`
             );
         } else {
             // Open in browser on native
@@ -449,9 +448,9 @@ const SignInModal: React.FC = () => {
                                 <View style={[styles.divider, { backgroundColor: 'rgba(255,255,255,0.3)' }]} />
                             </View>
 
-                            {/* Open Auth Popup Button */}
+                            {/* Open approval window */}
                             <Button
-                                onPress={handleOpenAuthPopup}
+                                onPress={handleOpenAuthApproval}
                                 icon={<OxyLogo variant="icon" size={20} fillColor={theme.colors.card} />}
                             >
                                 Open Oxy Auth

package/src/ui/components/accountMenuRows.ts

@@ -1,60 +1,48 @@
-import type { User, ClientSession } from '@oxyhq/core';
-import { getAccountDisplayName, getAccountFallbackHandle } from '@oxyhq/core';
+import type { DeviceAccount, DeviceAccountUser } from '../hooks/useDeviceAccounts';
 
 export interface AccountRow {
     sessionId: string;
+    /** Device-local refresh-cookie slot index (web silent-switch). */
+    authuser?: number;
     isActive: boolean;
     displayName: string;
     secondary: string | null;
     avatarUri?: string;
-    user: User | null;
+    user: DeviceAccountUser | null;
 }
 
 export interface BuildAccountRowsInput {
-    sessions: ClientSession[] | null | undefined;
-    activeSessionId: string | null | undefined;
-    user: User | null | undefined;
-    locale: string;
-    getAvatarUrl: (avatarId: string) => string;
+    /**
+     * Per-device account entries from {@link useDeviceAccounts}. Each entry
+     * already carries real per-account `displayName` / `email` / `avatarUrl` /
+     * `color`, so EVERY row (not just the active one) renders full identity.
+     */
+    accounts: DeviceAccount[];
 }
 
 /**
  * Pure builder for `AccountMenu` rows. Extracted so the multi-account display
  * logic can be unit-tested without rendering React Native.
  *
- * Each `sessions[i]` becomes one row. Only the row matching `activeSessionId`
- * carries the loaded `user` payload — the others are placeholders shown by
- * fallback handle. This mirrors how `OxyContext` only hydrates one user at a
- * time.
+ * Maps each {@link DeviceAccount} (sourced from `useDeviceAccounts()`, which
+ * hydrates EVERY account with real name/email/avatar/color from the shared
+ * apex `refresh-all` path or the local fallback) into an `AccountRow`.
+ *
+ * `secondary` is the account's real email when present; otherwise it falls
+ * back to the `@handle` line. A missing email is NEVER synthesized into a fake
+ * `username@oxy.so` — the device-account layer already resolved `email` to the
+ * real value or the `@handle` fallback.
  */
 export function buildAccountRows({
-    sessions,
-    activeSessionId,
-    user,
-    locale,
-    getAvatarUrl,
+    accounts,
 }: BuildAccountRowsInput): AccountRow[] {
-    return (sessions ?? []).map((session: ClientSession) => {
-        const isActive = session.sessionId === activeSessionId;
-        const candidate: Partial<User> | null = isActive ? user ?? null : null;
-        const displayName = getAccountDisplayName(
-            candidate ?? { username: undefined },
-            locale,
-        );
-        const handle = getAccountFallbackHandle(candidate ?? { username: undefined });
-        const secondary = (candidate?.email)
-            ?? (handle && candidate?.username ? `@${handle}` : handle)
-            ?? null;
-        const avatarUri = candidate?.avatar
-            ? getAvatarUrl(candidate.avatar)
-            : undefined;
-        return {
-            sessionId: session.sessionId,
-            isActive,
-            displayName,
-            secondary,
-            avatarUri,
-            user: isActive ? user ?? null : null,
-        };
-    });
+    return accounts.map((account: DeviceAccount): AccountRow => ({
+        sessionId: account.sessionId,
+        authuser: account.authuser,
+        isActive: account.isCurrent,
+        displayName: account.displayName,
+        secondary: account.email,
+        avatarUri: account.avatarUrl,
+        user: account.user,
+    }));
 }

package/src/ui/context/OxyContext.tsx

@@ -4,6 +4,7 @@ import {
   useCallback,
   useContext,
   useEffect,
+  useLayoutEffect,
   useMemo,
   useRef,
   useState,
@@ -89,10 +90,10 @@ export interface OxyContextState {
   signIn: (publicKey: string, deviceName?: string) => Promise<User>;
 
   /**
-   * Handle session from popup authentication
-   * Updates auth state, persists session to storage
+   * Handle a session returned by web SSO.
+   * Updates auth state, persists session metadata to storage.
    */
-  handlePopupSession: (session: SessionLoginResponse) => Promise<void>;
+  handleWebSession: (session: SessionLoginResponse) => Promise<void>;
 
   // Session management
   logout: (targetSessionId?: string) => Promise<void>;
@@ -206,7 +207,7 @@ function silentColdBootKey(oxyServices: OxyServices): string {
  * iframe never posts a message, so the full wait would be dead latency in front
  * of the terminal `/sso` bounce. `silentSignIn` already fails fast on a load
  * error via `iframe.onerror`; this caps the no-message case. 2.5s is well above
- * a same-origin iframe handshake yet a fraction of the legacy 5s default.
+ * a same-origin iframe handshake without blocking cold boot for several seconds.
  */
 const SILENT_IFRAME_TIMEOUT = 2500;
 
@@ -287,6 +288,12 @@ function isSameSiteIdP(idpOrigin: string): boolean {
   return idpHostname === pageApex || idpHostname.endsWith(`.${pageApex}`);
 }
 
+function isOnSsoCallbackPath(): boolean {
+  return isWebBrowser() && window.location.pathname === SSO_CALLBACK_PATH;
+}
+
+const useBrowserLayoutEffect = typeof document !== 'undefined' ? useLayoutEffect : useEffect;
+
 let cachedUseFollowHook: UseFollowHook | null = null;
 
 const loadUseFollowHook = (): UseFollowHook => {
@@ -387,6 +394,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   const [authResolved, setAuthResolved] = useState(false);
   const authResolvedRef = useRef(false);
   const [initialized, setInitialized] = useState(false);
+  const [ssoCallbackIntercepting, setSsoCallbackIntercepting] = useState(false);
   const setAuthState = useAuthStore.setState;
 
   // Keep the shared `oxyClient` singleton's token store in lockstep with the
@@ -403,8 +411,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   // plumbing and regardless of which auth code path fired.
   //
   // When the app passed the singleton itself as `oxyServices` (Mention's
-  // pattern), `oxyServices === oxyClient`, so we skip the redundant self-write
-  // and the subscription is a no-op mirror — fully backward compatible.
+  // pattern), `oxyServices === oxyClient`, so we skip the redundant self-write.
   useEffect(() => {
     if (oxyServices === oxyClient) {
       return;
@@ -635,7 +642,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   // init. Callers MUST invoke this BEFORE any work that can trigger a route
   // navigation (`onAuthStateChange`) — navigation can interrupt a still-pending
   // async write, which is exactly what once left `session_ids` empty after a
-  // successful sign-in. Shared by the FedCM/popup path and the cold-boot
+    // successful sign-in. Shared by the FedCM/SSO path and the cold-boot
   // refresh-cookie restore so both land the same durable record.
   const persistSessionDurably = useCallback(async (sessionId: string): Promise<void> => {
     const readyStorage = await getReadyStorage();
@@ -663,7 +670,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   // Idempotent and monotonic via `authResolvedRef`: the first call wins and the
   // setters fire at most once, so the restore `finally` backstop becomes a no-op
   // once a commit site has already marked resolution. Called from EVERY place a
-  // user is actually committed (the FedCM/iframe/redirect/SSO path
+  // user is actually committed (the FedCM/iframe/SSO path
   // `handleWebSSOSession`, the cookie-restore path, and the stored-session path)
   // so the common reload case unblocks the loading gate without sitting behind
   // the remaining (now-skipped) cold-boot steps.
@@ -691,10 +698,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   // Calls `oxyServices.refreshAllSessions()` → `POST /auth/refresh-all` with
   // `credentials: 'include'`. The server rotates every device-local
   // `oxy_rt_${authuser}` cookie in parallel and returns one entry per valid
-  // account (Google-style multi-account). On an older server that lacks the
-  // multi-account endpoint, the SDK transparently falls back to the legacy
-  // `/auth/refresh` single-account path and wraps the result in the same
-  // shape, so this caller doesn't branch.
+  // account (Google-style multi-account).
   //
   // Active-account selection: the persisted `oxy_active_authuser` slot index
   // wins when it matches a returned account; otherwise the lowest `authuser`
@@ -787,23 +791,31 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   // Native (and offline) stored-session restore — the ONLY restore path that
   // runs on React Native, and the web fallback when no cross-domain step won.
   //
-  // Verbatim-extracted from the previous `restoreSessionsFromStorage` body: it
-  // reads the durable `session_ids` / `active_session_id` slots, validates each
-  // stored session in parallel (bearer `validateSession`), and switches to the
-  // stored active session via the session-management `switchSession`. This body
-  // is platform-agnostic and gated by NO `enabled()` predicate so it runs on
-  // every platform — on native it is reached unconditionally (every web-only
-  // step ahead of it is disabled by `isWebBrowser()`), so native restore is
-  // exactly this and nothing else (no FedCM / iframe / refresh-all /
-  // handleAuthCallback).
+  // Stored-session restore. Web uses this only as a fast local winner after
+  // URL-return handling; native uses it as the durable SecureStore path. Native
+  // first plants the shared access token from KeyManager, then validates the
+  // stored session ids with the bearer already in memory.
   const restoreStoredSession = useCallback(async (): Promise<boolean> => {
     if (!storage) {
       return false;
     }
 
     const storedSessionIdsJson = await storage.getItem(storageKeys.sessionIds);
-    const storedSessionIds: string[] = storedSessionIdsJson ? JSON.parse(storedSessionIdsJson) : [];
-    const storedActiveSessionId = await storage.getItem(storageKeys.activeSessionId);
+    const storedSessionIdsFromStorage: string[] = storedSessionIdsJson ? JSON.parse(storedSessionIdsJson) : [];
+    let storedActiveSessionId = await storage.getItem(storageKeys.activeSessionId);
+
+    const nativeSharedSession = !isWebBrowser()
+      ? await KeyManager.getSharedSession().catch(() => null)
+      : null;
+    if (nativeSharedSession?.accessToken) {
+      oxyServices.setTokens(nativeSharedSession.accessToken);
+      storedActiveSessionId = storedActiveSessionId ?? nativeSharedSession.sessionId;
+    }
+
+    const storedSessionIds = Array.from(new Set([
+      ...storedSessionIdsFromStorage,
+      ...(nativeSharedSession?.sessionId ? [nativeSharedSession.sessionId] : []),
+    ]));
 
     let validSessions: ClientSession[] = [];
 
@@ -964,7 +976,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   // web-only step is gated by `isWebBrowser()`, so on native ONLY
   // `stored-session` runs.
   //
-  // Order (web): redirect callback → SSO return → stored session → FedCM silent
+  // Order (web): SSO return → stored session → FedCM silent
   // (central) → silent iframe (per-apex, the durable reload path) → cookie
   // restore → SSO bounce (terminal).
   //
@@ -972,8 +984,8 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   // (`fedcm-silent`, `silent-iframe`, `cookie-restore`). On a normal reload the
   // local bearer validates in one round-trip and wins, so `runColdBoot`
   // short-circuits and never sits through those probes' timeouts (the prior
-  // serial sum was a ~20-30s stall). `redirect` and `sso-return` MUST stay
-  // first — they consume the URL fragment before anything can strip it. On a
+  // serial sum was a ~20-30s stall). `sso-return` MUST stay first — it consumes
+  // the URL fragment before anything can strip it. On a
   // first visit with no local session, `stored-session` skips and the
   // cross-domain fallback chain (fedcm → iframe → cookie → sso-bounce) runs
   // exactly as before; the per-apex silent iframe still restores a durable
@@ -1006,26 +1018,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
       const outcome = await runColdBoot<true>({
         steps: [
           {
-            // 0) Redirect callback wins: a popup/redirect sign-in just landed
-            // back on this page with `access_token`/`session_id` query params.
-            // `handleAuthCallback` plants the token but returns a PLACEHOLDER
-            // user (empty id), so we hydrate the REAL user via `getCurrentUser`
-            // and commit through `handleWebSSOSession` before claiming a
-            // session — never expose a placeholder user (R4).
-            id: 'redirect',
-            enabled: () => isWebBrowser(),
-            run: async () => {
-              const callbackSession = oxyServices.handleAuthCallback?.();
-              if (!callbackSession || !commitWebSession) {
-                return { kind: 'skip' };
-              }
-              const fullUser = await oxyServices.getCurrentUser();
-              await commitWebSession({ ...callbackSession, user: fullUser });
-              return { kind: 'session', session: true };
-            },
-          },
-          {
-            // 1) Central SSO return: we are landing back from an `auth.oxy.so/sso`
+            // 0) Central SSO return: we are landing back from an `auth.oxy.so/sso`
             // bounce with the result in the URL fragment. Parse it, validate the
             // CSRF state, exchange the opaque code, and commit. On any non-ok
             // outcome `runSsoReturn` sets the per-origin NO_SESSION flag so the
@@ -1048,8 +1041,8 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
             // normal reload the local bearer validates in one round-trip and
             // wins; `runColdBoot` then short-circuits and never even evaluates
             // the slow no-redirect probes that would otherwise time out (the
-            // ~20-30s serial stall). The `redirect` and `sso-return` steps stay
-            // AHEAD of this one — they must consume the URL fragment before any
+            // ~20-30s serial stall). The `sso-return` step stays AHEAD of this
+            // one — it must consume the URL fragment before any
             // later step (or anything else) strips it. On a first visit with no
             // local session this step skips and the cross-domain fallback chain
             // (fedcm → iframe → cookie → sso-bounce) runs exactly as before.
@@ -1308,13 +1301,12 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   // +not-found screen before the storage-gated cold-boot `sso-return` step gets
   // a chance to strip the fragment and restore the real destination.
   //
-  // This effect fires the SAME `runSsoReturn` kernel the instant we mount ON the
-  // callback path, BEFORE the cold boot (which awaits storage init). It restores
-  // the pre-bounce destination (and, on `ok`, commits the exchanged session via
-  // `handleWebSSOSession`) immediately, so the router re-syncs off the callback
-  // path and never lingers on it. Because the SDK owns this interception
-  // entirely, NO app needs a `/__oxy/sso-callback` route — it works identically
-  // across every consumer with zero per-app code.
+  // This effect fires the SAME `runSsoReturn` kernel the instant we hydrate ON
+  // the callback path, BEFORE the cold boot (which awaits storage init). The
+  // first render intentionally matches the app/router's static HTML; the
+  // browser layout effect then hides the internal route and consumes the
+  // callback before the first visible paint. That keeps SSR/SSG hydration stable
+  // while still ensuring no app needs a `/__oxy/sso-callback` route.
   //
   // It is purely ADDITIVE. The later cold-boot `sso-return` step stays as
   // defense-in-depth for the non-callback-path case; `consumeSsoReturn` strips
@@ -1330,13 +1322,13 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   // already wired when this fires at eager-mount time. If for any reason it were
   // not yet set, the later cold-boot `sso-return` step would commit it — but the
   // ref IS set during render, so the eager `ok` commit works.
-  useEffect(() => {
-    if (!isWebBrowser()) {
-      return;
-    }
-    if (window.location.pathname !== SSO_CALLBACK_PATH) {
+  useBrowserLayoutEffect(() => {
+    if (!isOnSsoCallbackPath()) {
+      setSsoCallbackIntercepting(false);
       return;
     }
+    let mounted = true;
+    setSsoCallbackIntercepting(true);
     runSsoReturnRef.current().catch((error) => {
       if (__DEV__) {
         loggerUtil.debug(
@@ -1345,11 +1337,19 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
           error,
         );
       }
+    }).finally(() => {
+      if (mounted) {
+        setSsoCallbackIntercepting(false);
+      }
     });
+
+    return () => {
+      mounted = false;
+    };
   }, []);
 
-  // Web SSO: Automatically check for cross-domain session on web platforms
-  // Also used for popup auth - updates all state and persists session
+  // Web SSO: automatically check for cross-domain session on web platforms.
+  // Updates all state and persists session metadata.
   const handleWebSSOSession = useCallback(async (session: SessionLoginResponse) => {
     if (!session?.user || !session?.sessionId) {
       if (__DEV__) {
@@ -1358,12 +1358,10 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
       return;
     }
 
-    // Set the access token on the HTTP client before updating UI state
-    if (session.accessToken) {
-      oxyServices.httpService.setTokens(session.accessToken);
-    } else {
-      await oxyServices.getTokenBySession(session.sessionId);
+    if (!session.accessToken) {
+      throw new Error('Session response did not include an access token');
     }
+    oxyServices.httpService.setTokens(session.accessToken);
 
     const clientSession = {
       sessionId: session.sessionId,
@@ -1405,14 +1403,14 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
       fullUser = session.user as unknown as User;
     }
     loginSuccess(fullUser);
-    // A session is now committed (FedCM silent / per-apex iframe / redirect /
-    // SSO-return / popup all funnel through here) — unblock the auth-resolution
+    // A session is now committed (FedCM silent / per-apex iframe /
+    // SSO-return all funnel through here) — unblock the auth-resolution
     // gate immediately, ahead of the cold-boot chain returning (idempotent).
     markAuthResolvedRef.current();
     onAuthStateChange?.(fullUser);
   }, [oxyServices, updateSessions, setActiveSessionId, loginSuccess, onAuthStateChange, persistSessionDurably]);
 
-  // Expose `handleWebSSOSession` to the cold-boot FedCM/iframe/redirect steps,
+  // Expose `handleWebSSOSession` to the cold-boot FedCM/iframe/SSO steps,
   // which reference it through a ref because they are declared above this
   // callback. Assigned synchronously on every render so the ref is populated
   // before the cold-boot effect (gated on `storage`/`initialized`) can fire.
@@ -1670,7 +1668,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
     hasIdentity,
     getPublicKey,
     signIn,
-    handlePopupSession: handleWebSSOSession,
+    handleWebSession: handleWebSSOSession,
     logout,
     logoutAll,
     switchSession: switchSessionForContext,
@@ -1735,7 +1733,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
 
   return (
     <OxyContext.Provider value={contextValue}>
-      {children}
+      {ssoCallbackIntercepting ? null : children}
     </OxyContext.Provider>
   );
 };
@@ -1777,7 +1775,7 @@ const LOADING_STATE: OxyContextState = {
   hasIdentity: () => Promise.resolve(false),
   getPublicKey: () => Promise.resolve(null),
   signIn: () => rejectMissingProvider<User>(),
-  handlePopupSession: () => rejectMissingProvider<void>(),
+  handleWebSession: () => rejectMissingProvider<void>(),
   logout: () => rejectMissingProvider<void>(),
   logoutAll: () => rejectMissingProvider<void>(),
   switchSession: () => rejectMissingProvider<User>(),
@@ -1809,4 +1807,3 @@ export const useOxy = (): OxyContextState => {
 };
 
 export default OxyContext;
-

package/src/ui/context/hooks/useAuthOperations.ts

@@ -184,12 +184,9 @@ export const useAuthOperations = ({
         // Verify and create session. `verifyChallenge` plants the first
         // access token (and refresh token) from the `/auth/verify` response
         // body internally — mirroring `claimSessionByToken` — so the client is
-        // authenticated as soon as this resolves. We deliberately do NOT fall
-        // back to the bearer-protected `GET /session/token/:sessionId` (C1
-        // hardening): for a brand-new identity with no bearer yet that route
-        // 401s, which previously broke the entire new-identity onboarding
-        // flow. A token-less verify response simply leaves the client without
-        // a bearer here rather than triggering that 401.
+        // authenticated as soon as this resolves. Session IDs are not public
+        // token-minting credentials; a token-less verify response simply leaves
+        // the client without a bearer here.
         sessionResponse = await oxyServices.verifyChallenge(
           publicKey,
           challenge,
@@ -302,11 +299,8 @@ export const useAuthOperations = ({
 
       try {
         const sessionToLogout = targetSessionId || activeSessionId;
-        // Web multi-account: when the target session carries an `authuser`
-        // slot index it is backed by an httpOnly `oxy_rt_${n}` cookie. Use
-        // the cookie-cleared logout endpoint so the server can `Set-Cookie`
-        // an immediate expiry alongside revoking the family. Native and
-        // legacy sessions (no `authuser` plumbed yet) fall through to the
+        // Web multi-account sessions carry an `authuser` slot index backed by
+        // an httpOnly `oxy_rt_${n}` cookie. Native sessions fall through to the
         // bearer-protected endpoint.
         const targetSession = sessionsRef.current.find((s) => s.sessionId === sessionToLogout);
         const targetAuthuser = targetSession?.authuser;
@@ -378,8 +372,8 @@ export const useAuthOperations = ({
       //   - Web: "Sign out of all accounts" = sign out every device-local
       //     account on THIS device. The cookie endpoint is the only path
       //     that can `Set-Cookie` an immediate expiry on every
-      //     `oxy_rt_${n}` slot (plus legacy `oxy_rt`) AND revoke every
-      //     presented family server-side. The bearer-protected
+      //     `oxy_rt_${n}` slots AND revoke every presented family server-side.
+      //     The bearer-protected
       //     `logoutAllSessions(activeSessionId)` would only revoke the
       //     active user's sessions across devices and leave sibling
       //     accounts' cookies sitting on this device — wrong UX for the