@oxyhq/services 10.2.0 → 10.2.2

package/src/ui/hooks/useAuth.ts

@@ -20,7 +20,7 @@
  * Cross-domain SSO:
  * - Web: Automatic via FedCM (Chrome 108+, Safari 16.4+)
  * - Native: Automatic via shared Keychain/Account Manager
- * - Manual sign-in: signIn() opens popup (web) or auth sheet (native)
+ * - Manual sign-in: signIn() redirects to the IdP (web) or opens the auth sheet (native)
  */
 
 import { useCallback, useState } from 'react';
@@ -60,16 +60,12 @@ export interface AuthState {
 export interface AuthActions {
   /**
    * Sign in
-   * - Web: Opens popup to auth.oxy.so (no public key needed)
+   * - Web: Redirects to auth.oxy.so (no public key needed)
    * - Native: Uses cryptographic identity from keychain
    *
    * @param publicKey - Native: identity public key. Ignored on web.
-   * @param preOpenedPopup - Web only: a popup the caller already opened
-   *   SYNCHRONOUSLY on the raw click via `oxyServices.openBlankPopup()`. This
-   *   keeps Chrome's user-activation alive across any prior `await` and is
-   *   the only reliable way to avoid the popup blocker on cross-domain flows.
    */
-  signIn: (publicKey?: string, preOpenedPopup?: Window | null) => Promise<User>;
+  signIn: (publicKey?: string) => Promise<User>;
 
   /**
    * Sign out current session
@@ -114,7 +110,6 @@ export function useAuth(): UseAuthReturn {
     isAuthResolved,
     error,
     signIn: oxySignIn,
-    handlePopupSession,
     logout,
     logoutAll,
     refreshSessions,
@@ -125,7 +120,7 @@ export function useAuth(): UseAuthReturn {
     openAvatarPicker,
   } = useOxy();
 
-  const signIn = useCallback(async (publicKey?: string, preOpenedPopup?: Window | null): Promise<User> => {
+  const signIn = useCallback(async (publicKey?: string): Promise<User> => {
     // Check if we're on the identity provider itself
     // Only the IdP has local login forms - other apps are client apps
     const authWebUrl = oxyServices.config?.authWebUrl;
@@ -136,44 +131,13 @@ export function useAuth(): UseAuthReturn {
     const isIdentityProvider = isWebBrowser() &&
       window.location.hostname === idpHostname;
 
-    // Web (not on IdP): Use popup-based authentication
-    // We go straight to popup to preserve the "user gesture" (click event)
-    // FedCM silent SSO already runs on page load via useWebSSO
-    // If user is clicking "Sign In", they need interactive auth NOW
+    // Web (not on IdP): use the tokenless redirect SSO flow. FedCM / silent SSO
+    // already run on page load; an explicit click needs interactive auth.
     if (isWebBrowser() && !publicKey && !isIdentityProvider) {
-      // Open the popup SYNCHRONOUSLY before any `await` runs so Chrome's
-      // transient user-activation is preserved across the async chain
-      // (React state updates + the `await` into `signInWithPopup`). If the
-      // caller already pre-opened one (e.g. they did so to be extra safe
-      // ahead of their own awaits), reuse it.
-      const popup: Window | null = preOpenedPopup
-        ?? oxyServices.openBlankPopup?.()
-        ?? null;
-      try {
-        const popupSession = await oxyServices.signInWithPopup?.({
-          popup,
-        });
-        if (popupSession?.user) {
-          // The popup auth flow fetches full user data, so the session user
-          // contains full User fields even though the base type is MinimalUserData.
-          // Cast to the expected shape for handlePopupSession.
-          const sessionWithUser = {
-            ...popupSession,
-            user: popupSession.user as unknown as User,
-          };
-          await handlePopupSession(sessionWithUser);
-          return sessionWithUser.user;
-        }
-        throw new Error('Sign-in failed. Please try again.');
-      } catch (popupError) {
-        if (popup && !popup.closed) {
-          popup.close();
-        }
-        if (popupError instanceof Error && popupError.message.includes('blocked')) {
-          throw new Error('Popup blocked. Please allow popups for this site.');
-        }
-        throw popupError;
-      }
+      oxyServices.signInWithRedirect?.({
+        redirectUri: window.location.href,
+      });
+      return new Promise<User>(() => undefined);
     }
 
     // Native: Use cryptographic identity
@@ -212,7 +176,7 @@ export function useAuth(): UseAuthReturn {
     }
 
     throw new Error('No authentication method available');
-  }, [oxySignIn, hasIdentity, getPublicKey, showBottomSheet, oxyServices, handlePopupSession]);
+  }, [oxySignIn, hasIdentity, getPublicKey, showBottomSheet, oxyServices]);
 
   const signOut = useCallback(async (): Promise<void> => {
     await logout();
@@ -230,7 +194,7 @@ export function useAuth(): UseAuthReturn {
     // State
     user,
     isAuthenticated,
-    isLoading,
+    isLoading: isLoading || !isAuthResolved,
     isReady: isTokenReady,
     isAuthResolved,
     error,
@@ -247,4 +211,3 @@ export function useAuth(): UseAuthReturn {
     openAvatarPicker,
   };
 }
-

package/src/ui/hooks/useDeviceAccounts.ts

@@ -0,0 +1,348 @@
+import { useMemo } from 'react';
+import { useQuery } from '@tanstack/react-query';
+import {
+    getAccountDisplayName,
+    getAccountFallbackHandle,
+} from '@oxyhq/core';
+import type {
+    RefreshAllAccountUser,
+    User,
+    ClientSession,
+} from '@oxyhq/core';
+import { useOxy } from '../context/OxyContext';
+import { useI18n } from './useI18n';
+import { queryKeys } from './queries/queryKeys';
+
+/**
+ * The per-account user shape carried by a {@link DeviceAccount}. Either:
+ *  - the minimal projection returned by `POST /auth/refresh-all`
+ *    ({@link RefreshAllAccountUser}, the shared apex path), or
+ *  - the SDK's canonical {@link User} document (the active row on the local
+ *    fallback path, which already has the full user loaded in `useOxy()`).
+ *
+ * Both satisfy `getAccountDisplayName`'s `DisplayNameUserShape`, so display
+ * resolution is uniform across paths.
+ */
+export type DeviceAccountUser = RefreshAllAccountUser | User;
+
+/**
+ * One signed-in account on this device, fully hydrated for the account
+ * chooser. Unlike the old `AccountMenu` behaviour (which only carried the
+ * ACTIVE session's user), EVERY entry here carries real per-account
+ * `displayName` / `email` / `avatarUrl` / `color`.
+ */
+export interface DeviceAccount {
+    /** Session id used to switch to this account on native. */
+    sessionId: string;
+    /**
+     * Device-local refresh-cookie slot index (0..N-1), present only on the
+     * shared apex path. Web silent-switch (`refreshTokenViaCookie({ authuser }`)
+     * keys off this; absent on the local fallback and on native.
+     */
+    authuser?: number;
+    /** Whether this account is the currently-active session. */
+    isCurrent: boolean;
+    /** Friendly display name (never blank — falls back to a handle/sentinel). */
+    displayName: string;
+    /**
+     * Real account email, or `null` when the account genuinely has none.
+     * NEVER a synthesized `username@oxy.so` — a missing email stays `null` and
+     * the UI falls back to the `@handle` secondary line.
+     */
+    email: string | null;
+    /** Resolved avatar thumbnail URL, or `undefined` when the account has no avatar. */
+    avatarUrl?: string;
+    /** Account's preferred Bloom color preset, or `null` when unset. */
+    color: string | null;
+    /** The underlying per-account user payload (shared projection or full User). */
+    user: DeviceAccountUser;
+}
+
+export interface UseDeviceAccountsResult {
+    /** Every account signed in on this device, current one(s) flagged `isCurrent`. */
+    accounts: DeviceAccount[];
+    /** True until the first detection settles. */
+    isLoading: boolean;
+    /** The currently-active session id (mirrors `useOxy().activeSessionId`). */
+    currentSessionId: string | null;
+    /**
+     * `true` when the list came from the shared apex path
+     * (`refreshAllSessions()` returned >0 accounts — the cross-domain SSO cookie
+     * set on `*.oxy.so`). `false` when it came from the local `useOxy()`
+     * fallback (native, or cross-domain web where the apex cookie is absent).
+     */
+    fromSharedApex: boolean;
+}
+
+/**
+ * Resolve which entries are the current account, robustly.
+ *
+ * Primary signal: `entry.sessionId === activeSessionId`. On the web shared-apex
+ * path, `refreshAllSessions()` returns SERVER-side session ids that may not
+ * equal the locally-stored `activeSessionId` (a different storage namespace /
+ * server perspective), so a pure `sessionId` match can flag NO row as current —
+ * the bug that surfaced as "Not signed in" even while authenticated.
+ *
+ * Fallbacks, applied only when the `sessionId` match found nothing AND the user
+ * is authenticated:
+ *  1. Match the live `user.id` against each entry's per-account user id.
+ *  2. If still nothing and there is exactly one account, mark that one current.
+ *
+ * At most ONE entry is ever marked current.
+ *
+ * Pure & side-effect free so it is unit-testable without rendering React.
+ */
+export function markCurrentAccount(
+    accounts: DeviceAccount[],
+    activeSessionId: string | null | undefined,
+    liveUserId: string | null | undefined,
+    isAuthenticated: boolean,
+): DeviceAccount[] {
+    const bySession = accounts.map((account): DeviceAccount => ({
+        ...account,
+        isCurrent: Boolean(activeSessionId) && account.sessionId === activeSessionId,
+    }));
+
+    if (bySession.some((account) => account.isCurrent) || !isAuthenticated) {
+        return bySession;
+    }
+
+    // No row matched by session id: fall back to the live user's id, marking at
+    // most the FIRST matching entry current (never more than one).
+    if (liveUserId) {
+        let matched = false;
+        const byUser = bySession.map((account): DeviceAccount => {
+            if (!matched && account.user.id === liveUserId) {
+                matched = true;
+                return { ...account, isCurrent: true };
+            }
+            return account;
+        });
+        if (matched) {
+            return byUser;
+        }
+    }
+
+    // Authenticated, nothing matched, but there is exactly one account → it must
+    // be the current one (single-account shared-apex / cross-domain case).
+    if (bySession.length === 1) {
+        return [{ ...bySession[0], isCurrent: true }];
+    }
+
+    return bySession;
+}
+
+/**
+ * Resolve every account signed in on this device for the unified account
+ * switcher, with real per-account name / email / avatar / color.
+ *
+ * ## Data sources (web vs native)
+ *
+ * - **Web on a `*.oxy.so` host** → `oxyServices.refreshAllSessions()` returns
+ *   the full apex device-account list (identical to what `auth.oxy.so` sees,
+ *   because the `Domain=oxy.so` refresh cookies reach `api.oxy.so`). Used
+ *   directly — this is the `fromSharedApex: true` path.
+ * - **Cross-domain web (non-`oxy.so` apex)** OR **native (no browser cookies)**
+ *   → `refreshAllSessions()` yields `{ accounts: [] }` (the apex cookies never
+ *   reach the request: cross-domain by `Domain`, native by having no cookie
+ *   jar at all; a 401 is also normalised to `{ accounts: [] }` inside the
+ *   core mixin). In that case we FALL BACK to the SDK's local multi-account
+ *   list from `useOxy()` (`sessions` + `activeSessionId` + the active `user`).
+ *   This is the `fromSharedApex: false` path.
+ *
+ * The fallback decision is purely data-driven: **if `refreshAllSessions()`
+ * returns >0 accounts, use the shared path; otherwise fall back to local
+ * `useOxy()` sessions.** No host sniffing is needed — the cookie scoping does
+ * the discrimination for us, and the same code path works on native (where the
+ * fetch returns `{ accounts: [] }`).
+ *
+ * ## Why React Query (not a `useRef`/`useState` start-once like the auth app)
+ *
+ * The auth app's `use-device-accounts.ts` hand-rolls a `startedRef` because it
+ * has no React Query. The SDK does. `refreshAllSessions()` ROTATES single-use
+ * refresh cookies on every call, so it must run AT MOST ONCE per page load:
+ * we model that with `staleTime: Infinity` + `gcTime: Infinity` +
+ * `refetchOnWindowFocus/Reconnect/Mount: false` + `retry: false`. React Query
+ * dedupes concurrent mounts and caches the single result for the page's
+ * lifetime — the exact "run once" guarantee the auth app documents, but
+ * without the manual ref/state machinery.
+ *
+ * ## Validation note (intentionally NO zod re-parse)
+ *
+ * The auth app's hook calls `fetch` directly, so IT must `safeParse` the wire
+ * response with `@oxyhq/contracts`. This hook calls
+ * `oxyServices.refreshAllSessions()`, whose core mixin ALREADY validates and
+ * normalises the wire response (skips entries missing required fields,
+ * normalises `authuser` null→0, builds the `RefreshAllAccountUser` shape) — the
+ * mixin is the single source of truth. Re-validating the SDK's own already-typed
+ * output here would be redundant double-validation, so we do not re-parse.
+ *
+ * ## Error handling
+ *
+ * `refreshAllSessions()` already maps 401/404/abort to `{ accounts: [] }`
+ * internally. Any OTHER failure (network, 5xx) propagates as a thrown error and
+ * is surfaced by React Query (`query.isError`) — never swallowed. Callers that
+ * don't care can ignore it; the hook still returns the local fallback list so
+ * the chooser stays usable.
+ */
+export function useDeviceAccounts(): UseDeviceAccountsResult {
+    const {
+        oxyServices,
+        sessions,
+        activeSessionId,
+        user,
+        isAuthenticated,
+    } = useOxy();
+    const { locale } = useI18n();
+
+    // Stable, per-API-origin query key. `refreshAllSessions` resolves against
+    // the session base url derived from `getBaseURL()`, so keying on it scopes
+    // the cached result to the API the provider is pointed at.
+    const baseURL = oxyServices.getBaseURL();
+
+    const query = useQuery({
+        queryKey: [...queryKeys.accounts.all, 'deviceAccounts', baseURL] as const,
+        queryFn: () => oxyServices.refreshAllSessions(),
+        // Only attempt the shared apex path while signed in. When logged out
+        // there is nothing to enumerate and the fallback (also empty) is used.
+        enabled: isAuthenticated,
+        // Single-use cookie rotation → run at most once per page load.
+        staleTime: Number.POSITIVE_INFINITY,
+        gcTime: Number.POSITIVE_INFINITY,
+        refetchOnWindowFocus: false,
+        refetchOnReconnect: false,
+        refetchOnMount: false,
+        retry: false,
+    });
+
+    const sharedAccounts = query.data?.accounts ?? [];
+    const fromSharedApex = sharedAccounts.length > 0;
+
+    const accounts = useMemo<DeviceAccount[]>(() => {
+        const resolveAvatarUrl = (avatar: string | null | undefined): string | undefined =>
+            avatar ? oxyServices.getFileDownloadUrl(avatar, 'thumb') : undefined;
+
+        // Build a single current-account row from the live `useOxy().user`. Used
+        // as a last-resort fallback when neither the shared-apex probe nor the
+        // local session store yielded a row but the user IS authenticated (e.g.
+        // a cross-domain host where the apex probe returned empty before the
+        // local session store hydrated). The signed-in user must ALWAYS be
+        // represented. Email is the REAL email or the `@handle` line — never a
+        // synthesized `username@oxy.so`.
+        const liveUserRow = (): DeviceAccount[] => {
+            if (!isAuthenticated || !user || !activeSessionId) {
+                return [];
+            }
+            const displayName = getAccountDisplayName(user, locale);
+            const handle = getAccountFallbackHandle(user);
+            const secondaryHandle = handle ? `@${handle}` : null;
+            return [{
+                sessionId: activeSessionId,
+                authuser: undefined,
+                isCurrent: true,
+                displayName,
+                email: user.email ?? secondaryHandle,
+                avatarUrl: resolveAvatarUrl(user.avatar),
+                color: user.color ?? null,
+                user,
+            }];
+        };
+
+        let built: DeviceAccount[];
+
+        if (fromSharedApex) {
+            // Shared apex path: every entry carries a real per-account user.
+            built = sharedAccounts.map((entry): DeviceAccount => {
+                // `entry.user` is non-null on the refresh-all path; the core
+                // mixin skips entries without a valid user. The fallback below
+                // keeps rendering defensive if a server response is incomplete.
+                const accountUser: DeviceAccountUser = entry.user ?? {
+                    id: '',
+                    username: '',
+                };
+                const displayName = getAccountDisplayName(accountUser, locale);
+                const handle = getAccountFallbackHandle(accountUser);
+                const email = entry.user?.email ?? null;
+                const secondaryHandle = handle ? `@${handle}` : null;
+                return {
+                    sessionId: entry.sessionId,
+                    authuser: entry.authuser,
+                    // Provisional; finalised by `markCurrentAccount` below so the
+                    // shared-apex path is robust to server/local session-id skew.
+                    isCurrent: false,
+                    displayName,
+                    // Real email, or null (NEVER synthesized). The UI uses the
+                    // `@handle` line only when email is genuinely absent.
+                    email: email ?? secondaryHandle,
+                    avatarUrl: resolveAvatarUrl(entry.user?.avatar),
+                    color: entry.user?.color ?? null,
+                    user: accountUser,
+                };
+            });
+        } else {
+            // Local fallback path: build from the SDK's multi-session store. The
+            // active session row gets the full loaded `user`; inactive fallback
+            // rows carry only what the `ClientSession` exposes (no synthesized
+            // identity — they show the active user's data only when active).
+            built = (sessions ?? []).map((session: ClientSession): DeviceAccount => {
+                const isCurrent = session.sessionId === activeSessionId;
+                const accountUser: DeviceAccountUser = isCurrent && user
+                    ? user
+                    : { id: session.userId ?? '', username: '' };
+                const displayName = getAccountDisplayName(accountUser, locale);
+                const handle = getAccountFallbackHandle(accountUser);
+                const email = isCurrent && user?.email ? user.email : null;
+                const secondaryHandle = handle ? `@${handle}` : null;
+                const avatar = isCurrent && user ? user.avatar : undefined;
+                const color = isCurrent && user?.color ? user.color : null;
+                return {
+                    sessionId: session.sessionId,
+                    authuser: session.authuser,
+                    isCurrent,
+                    displayName,
+                    email: email ?? secondaryHandle,
+                    avatarUrl: resolveAvatarUrl(avatar),
+                    color,
+                    user: accountUser,
+                };
+            });
+        }
+
+        // Robust current-account detection: tolerate server/local session-id
+        // skew on the shared-apex path by falling back to the live user's id and
+        // the single-account heuristic.
+        const flagged = markCurrentAccount(
+            built,
+            activeSessionId,
+            user?.id ?? null,
+            isAuthenticated,
+        );
+
+        // The signed-in user must ALWAYS be represented. If detection produced
+        // an empty list yet the user is authenticated, synthesize a single
+        // current row from the live `useOxy().user`.
+        if (flagged.length === 0) {
+            return liveUserRow();
+        }
+        return flagged;
+    }, [
+        fromSharedApex,
+        sharedAccounts,
+        sessions,
+        activeSessionId,
+        user,
+        isAuthenticated,
+        locale,
+        oxyServices,
+    ]);
+
+    return {
+        accounts,
+        // `isLoading` only reflects the shared probe while it's the relevant
+        // source. Once we know we're on the fallback (probe settled with 0
+        // accounts) the local list is synchronously available.
+        isLoading: isAuthenticated && query.isLoading,
+        currentSessionId: activeSessionId ?? null,
+        fromSharedApex,
+    };
+}

package/src/ui/hooks/useFollow.ts

@@ -1,7 +1,7 @@
 import { useCallback, useMemo, useEffect } from 'react';
 import { useFollowStore } from '../stores/followStore';
 import { useOxy } from '../context/OxyContext';
-import type { OxyServices } from '@oxyhq/core';
+import { logger as loggerUtil, type OxyServices } from '@oxyhq/core';
 import { useShallow } from 'zustand/react/shallow';
 
 /**
@@ -18,7 +18,8 @@ import { useShallow } from 'zustand/react/shallow';
  *    them in selectors would cause unnecessary selector recalculations).
  */
 export const useFollow = (userId?: string | string[]) => {
-  const { oxyServices } = useOxy();
+  const { oxyServices, isAuthenticated, isAuthResolved, isTokenReady } = useOxy();
+  const canUsePrivateApi = isAuthResolved && isTokenReady && isAuthenticated;
   const userIds = useMemo(() => (Array.isArray(userId) ? userId : userId ? [userId] : []), [userId]);
   const isSingleUser = typeof userId === 'string';
 
@@ -75,9 +76,10 @@ export const useFollow = (userId?: string | string[]) => {
   // Store actions are accessed via getState() to avoid subscribing to them.
   const toggleFollow = useCallback(async () => {
     if (!isSingleUser || !userId) throw new Error('toggleFollow is only available for single user mode');
+    if (!canUsePrivateApi) throw new Error('Authentication is required to follow users');
     const currentlyFollowing = useFollowStore.getState().followingUsers[userId] ?? false;
     await useFollowStore.getState().toggleFollowUser(userId, oxyServices, currentlyFollowing);
-  }, [isSingleUser, userId, oxyServices]);
+  }, [isSingleUser, userId, canUsePrivateApi, oxyServices]);
 
   const setFollowStatus = useCallback((following: boolean) => {
     if (!isSingleUser || !userId) throw new Error('setFollowStatus is only available for single user mode');
@@ -86,8 +88,9 @@ export const useFollow = (userId?: string | string[]) => {
 
   const fetchStatus = useCallback(async () => {
     if (!isSingleUser || !userId) throw new Error('fetchStatus is only available for single user mode');
+    if (!canUsePrivateApi) return;
     await useFollowStore.getState().fetchFollowStatus(userId, oxyServices);
-  }, [isSingleUser, userId, oxyServices]);
+  }, [isSingleUser, userId, canUsePrivateApi, oxyServices]);
 
   const clearError = useCallback(() => {
     if (!isSingleUser || !userId) throw new Error('clearError is only available for single user mode');
@@ -114,28 +117,33 @@ export const useFollow = (userId?: string | string[]) => {
     if (!isSingleUser || !userId) return;
 
     if ((followerCount === null || followingCount === null) && !isLoadingCounts) {
-      fetchUserCounts().catch((err: unknown) => console.warn('useFollow: fetchUserCounts failed', err));
+      fetchUserCounts().catch((error: unknown) => {
+        loggerUtil.warn('useFollow: fetchUserCounts failed', { component: 'useFollow' }, error);
+      });
     }
   }, [isSingleUser, userId, followerCount, followingCount, isLoadingCounts, fetchUserCounts]);
 
   // Multi-user callbacks
   const toggleFollowForUser = useCallback(async (targetUserId: string) => {
+    if (!canUsePrivateApi) throw new Error('Authentication is required to follow users');
     const currentState = useFollowStore.getState().followingUsers[targetUserId] ?? false;
     await useFollowStore.getState().toggleFollowUser(targetUserId, oxyServices, currentState);
-  }, [oxyServices]);
+  }, [canUsePrivateApi, oxyServices]);
 
   const setFollowStatusForUser = useCallback((targetUserId: string, following: boolean) => {
     useFollowStore.getState().setFollowingStatus(targetUserId, following);
   }, []);
 
   const fetchStatusForUser = useCallback(async (targetUserId: string) => {
+    if (!canUsePrivateApi) return;
     await useFollowStore.getState().fetchFollowStatus(targetUserId, oxyServices);
-  }, [oxyServices]);
+  }, [canUsePrivateApi, oxyServices]);
 
   const fetchAllStatuses = useCallback(async () => {
+    if (!canUsePrivateApi) return;
     const store = useFollowStore.getState();
     await Promise.all(userIds.map(uid => store.fetchFollowStatus(uid, oxyServices)));
-  }, [userIds, oxyServices]);
+  }, [canUsePrivateApi, userIds, oxyServices]);
 
   const clearErrorForUser = useCallback((targetUserId: string) => {
     useFollowStore.getState().clearFollowError(targetUserId);

package/src/ui/hooks/useSessionManagement.ts

@@ -199,7 +199,6 @@ export const useSessionManagement = ({
 
   const activateSession = useCallback(
     async (sessionId: string, user: User): Promise<void> => {
-      await oxyServices.getTokenBySession(sessionId);
       setTokenReady?.(true);
       setActiveSessionId(sessionId);
       loginSuccess(user);
@@ -207,14 +206,7 @@ export const useSessionManagement = ({
       await applyLanguagePreference(user);
       onAuthStateChange?.(user);
     },
-    [
-      applyLanguagePreference,
-      loginSuccess,
-      onAuthStateChange,
-      oxyServices,
-      saveActiveSessionId,
-      setTokenReady,
-    ],
+    [applyLanguagePreference, loginSuccess, onAuthStateChange, saveActiveSessionId, setTokenReady],
   );
 
   const removalTimerIdsRef = useRef<Set<ReturnType<typeof setTimeout>>>(new Set());
@@ -271,10 +263,10 @@ export const useSessionManagement = ({
         // `refreshAllSessions` it carries its `authuser` slot index. We
         // proactively plant that slot's access token via the httpOnly
         // refresh cookie BEFORE validating, so the bearer-protected
-        // validate/getCurrentUser calls don't need a token that was never
-        // in memory (cold reload / different browser tab). The native path
-        // has no per-session cookies and continues to rely on
-        // `validateSession` + `getTokenBySession` directly.
+        // validate/getCurrentUser calls have the correct in-memory token
+        // after a cold reload or account switch in another tab. The native
+        // path arrives here only after a bearer has been planted by
+        // `claimSessionByToken` or secure shared-session restore.
         if (isWebBrowser()) {
           const targetSession = sessionsRef.current.find((s) => s.sessionId === sessionId);
           const targetAuthuser = targetSession?.authuser;
@@ -449,4 +441,3 @@ export const useSessionManagement = ({
   };
 };
 
-

package/src/ui/hooks/useSessionSocket.ts

@@ -149,8 +149,7 @@ export function useSessionSocket({
       // appear in the switch. Anything unknown falls through to `default`,
       // which is intentionally a no-op for session lifecycle — it only logs
       // in dev. This guards against future server-side event additions
-      // (e.g. `session_created`) accidentally triggering sign-out via a
-      // "legacy fallback" branch.
+      // accidentally triggering sign-out.
       switch (data.type) {
         case 'session_removed': {
           if (data.sessionId && onSessionRemovedRef.current) {
@@ -199,9 +198,9 @@ export function useSessionSocket({
         case 'session_created':
         case 'session_update': {
           // Lifecycle event for the current user. Just resync the sessions
-          // list — never sign out. Historically this branch had a legacy
-          // fallback that compared `data.sessionId === currentActiveSessionId`
-          // and signed the user out if true, which was catastrophic: a
+          // list — never sign out. A prior implementation compared
+          // `data.sessionId === currentActiveSessionId` and signed the user
+          // out if true, which was catastrophic: a
           // `session_created` event fired immediately after a successful
           // sign-in carries the user's NEW (now-active) session id, which
           // matched and triggered an instant remote sign-out toast on every

package/src/ui/hooks/useWebSSO.ts

@@ -8,7 +8,7 @@
  * without relying on third-party cookies.
  *
  * For browsers without FedCM support, users will need to click a sign-in button
- * which triggers a popup-based authentication flow.
+ * which triggers redirect authentication.
  *
  * This is called automatically by OxyContext on web platforms.
  *

package/src/ui/navigation/routes.ts

@@ -28,12 +28,12 @@ export type RouteName =
     | 'SavesCollections'
     | 'EditProfileField' // Dedicated screen for editing a single profile field
     | 'LearnMoreUsernames' // Informational screen about usernames
-    | 'KarmaCenter'
-    | 'KarmaLeaderboard'
-    | 'KarmaRewards'
-    | 'KarmaRules'
-    | 'AboutKarma'
-    | 'KarmaFAQ'
+    | 'TrustCenter'
+    | 'TrustLeaderboard'
+    | 'TrustRewards'
+    | 'TrustRules'
+    | 'AboutTrust'
+    | 'TrustFAQ'
     | 'FollowersList'  // List of user's followers
     | 'FollowingList' // List of users being followed
     | 'CreateManagedAccount' // Create a new managed sub-account
@@ -67,13 +67,13 @@ const screenLoaders: Record<RouteName, () => ComponentType<BaseScreenProps>> = {
     EditProfileField: () => require('../screens/EditProfileFieldScreen').default,
     // Informational screens
     LearnMoreUsernames: () => require('../screens/LearnMoreUsernamesScreen').default,
-    // Karma screens
-    KarmaCenter: () => require('../screens/karma/KarmaCenterScreen').default,
-    KarmaLeaderboard: () => require('../screens/karma/KarmaLeaderboardScreen').default,
-    KarmaRewards: () => require('../screens/karma/KarmaRewardsScreen').default,
-    KarmaRules: () => require('../screens/karma/KarmaRulesScreen').default,
-    AboutKarma: () => require('../screens/karma/KarmaAboutScreen').default,
-    KarmaFAQ: () => require('../screens/karma/KarmaFAQScreen').default,
+    // Oxy Trust screens
+    TrustCenter: () => require('../screens/trust/TrustCenterScreen').default,
+    TrustLeaderboard: () => require('../screens/trust/TrustLeaderboardScreen').default,
+    TrustRewards: () => require('../screens/trust/TrustRewardsScreen').default,
+    TrustRules: () => require('../screens/trust/TrustRulesScreen').default,
+    AboutTrust: () => require('../screens/trust/TrustAboutScreen').default,
+    TrustFAQ: () => require('../screens/trust/TrustFAQScreen').default,
     // User list screens (followers/following)
     FollowersList: () => require('../screens/FollowersListScreen').default,
     FollowingList: () => require('../screens/FollowingListScreen').default,