@oxyhq/services 14.0.1 → 15.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (262) hide show
  1. package/lib/commonjs/index.js +0 -17
  2. package/lib/commonjs/index.js.map +1 -1
  3. package/lib/commonjs/ui/components/SignInAccountChooser.js +189 -0
  4. package/lib/commonjs/ui/components/SignInAccountChooser.js.map +1 -0
  5. package/lib/commonjs/ui/components/SignInModal.js +350 -131
  6. package/lib/commonjs/ui/components/SignInModal.js.map +1 -1
  7. package/lib/commonjs/ui/context/OxyContext.js +340 -1547
  8. package/lib/commonjs/ui/context/OxyContext.js.map +1 -1
  9. package/lib/commonjs/ui/context/hooks/useAuthOperations.js +61 -64
  10. package/lib/commonjs/ui/context/hooks/useAuthOperations.js.map +1 -1
  11. package/lib/commonjs/ui/hooks/useAuth.js +14 -33
  12. package/lib/commonjs/ui/hooks/useAuth.js.map +1 -1
  13. package/lib/commonjs/ui/hooks/usePasswordSignIn.js +170 -0
  14. package/lib/commonjs/ui/hooks/usePasswordSignIn.js.map +1 -0
  15. package/lib/commonjs/ui/hooks/useProfileEditing.js +2 -5
  16. package/lib/commonjs/ui/hooks/useProfileEditing.js.map +1 -1
  17. package/lib/commonjs/ui/hooks/useSessionManagement.js +2 -2
  18. package/lib/commonjs/ui/hooks/useSessionManagement.js.map +1 -1
  19. package/lib/commonjs/ui/navigation/routes.js +1 -0
  20. package/lib/commonjs/ui/navigation/routes.js.map +1 -1
  21. package/lib/commonjs/ui/screens/EditProfileFieldScreen.js +93 -68
  22. package/lib/commonjs/ui/screens/EditProfileFieldScreen.js.map +1 -1
  23. package/lib/commonjs/ui/screens/EditProfileScreen.js +187 -0
  24. package/lib/commonjs/ui/screens/EditProfileScreen.js.map +1 -0
  25. package/lib/commonjs/ui/screens/ManageAccountScreen.js +3 -7
  26. package/lib/commonjs/ui/screens/ManageAccountScreen.js.map +1 -1
  27. package/lib/commonjs/ui/screens/OxyAuthScreen.js +231 -95
  28. package/lib/commonjs/ui/screens/OxyAuthScreen.js.map +1 -1
  29. package/lib/commonjs/ui/screens/ProfileScreen.js +15 -2
  30. package/lib/commonjs/ui/screens/ProfileScreen.js.map +1 -1
  31. package/lib/commonjs/ui/screens/linkFormat.js +38 -0
  32. package/lib/commonjs/ui/screens/linkFormat.js.map +1 -0
  33. package/lib/commonjs/ui/session/authStore.js +146 -0
  34. package/lib/commonjs/ui/session/authStore.js.map +1 -0
  35. package/lib/commonjs/ui/session/createSessionClient.js +25 -10
  36. package/lib/commonjs/ui/session/createSessionClient.js.map +1 -1
  37. package/lib/commonjs/ui/session/index.js +13 -7
  38. package/lib/commonjs/ui/session/index.js.map +1 -1
  39. package/lib/commonjs/ui/session/tokenTransport.js +19 -31
  40. package/lib/commonjs/ui/session/tokenTransport.js.map +1 -1
  41. package/lib/commonjs/ui/utils/isWebBrowser.js +13 -0
  42. package/lib/commonjs/ui/utils/isWebBrowser.js.map +1 -0
  43. package/lib/commonjs/utils/deviceFlowSignIn.js +13 -16
  44. package/lib/commonjs/utils/deviceFlowSignIn.js.map +1 -1
  45. package/lib/module/index.js +0 -5
  46. package/lib/module/index.js.map +1 -1
  47. package/lib/module/ui/components/SignInAccountChooser.js +183 -0
  48. package/lib/module/ui/components/SignInAccountChooser.js.map +1 -0
  49. package/lib/module/ui/components/SignInModal.js +352 -134
  50. package/lib/module/ui/components/SignInModal.js.map +1 -1
  51. package/lib/module/ui/context/OxyContext.js +342 -1551
  52. package/lib/module/ui/context/OxyContext.js.map +1 -1
  53. package/lib/module/ui/context/hooks/useAuthOperations.js +60 -63
  54. package/lib/module/ui/context/hooks/useAuthOperations.js.map +1 -1
  55. package/lib/module/ui/hooks/useAuth.js +14 -33
  56. package/lib/module/ui/hooks/useAuth.js.map +1 -1
  57. package/lib/module/ui/hooks/usePasswordSignIn.js +165 -0
  58. package/lib/module/ui/hooks/usePasswordSignIn.js.map +1 -0
  59. package/lib/module/ui/hooks/useProfileEditing.js +2 -5
  60. package/lib/module/ui/hooks/useProfileEditing.js.map +1 -1
  61. package/lib/module/ui/hooks/useSessionManagement.js +1 -1
  62. package/lib/module/ui/hooks/useSessionManagement.js.map +1 -1
  63. package/lib/module/ui/navigation/routes.js +1 -0
  64. package/lib/module/ui/navigation/routes.js.map +1 -1
  65. package/lib/module/ui/screens/EditProfileFieldScreen.js +91 -66
  66. package/lib/module/ui/screens/EditProfileFieldScreen.js.map +1 -1
  67. package/lib/module/ui/screens/EditProfileScreen.js +182 -0
  68. package/lib/module/ui/screens/EditProfileScreen.js.map +1 -0
  69. package/lib/module/ui/screens/ManageAccountScreen.js +3 -7
  70. package/lib/module/ui/screens/ManageAccountScreen.js.map +1 -1
  71. package/lib/module/ui/screens/OxyAuthScreen.js +233 -97
  72. package/lib/module/ui/screens/OxyAuthScreen.js.map +1 -1
  73. package/lib/module/ui/screens/ProfileScreen.js +15 -2
  74. package/lib/module/ui/screens/ProfileScreen.js.map +1 -1
  75. package/lib/module/ui/screens/linkFormat.js +31 -0
  76. package/lib/module/ui/screens/linkFormat.js.map +1 -0
  77. package/lib/module/ui/session/authStore.js +143 -0
  78. package/lib/module/ui/session/authStore.js.map +1 -0
  79. package/lib/module/ui/session/createSessionClient.js +25 -10
  80. package/lib/module/ui/session/createSessionClient.js.map +1 -1
  81. package/lib/module/ui/session/index.js +9 -9
  82. package/lib/module/ui/session/index.js.map +1 -1
  83. package/lib/module/ui/session/tokenTransport.js +20 -33
  84. package/lib/module/ui/session/tokenTransport.js.map +1 -1
  85. package/lib/module/ui/utils/isWebBrowser.js +11 -0
  86. package/lib/module/ui/utils/isWebBrowser.js.map +1 -0
  87. package/lib/module/utils/deviceFlowSignIn.js +14 -17
  88. package/lib/module/utils/deviceFlowSignIn.js.map +1 -1
  89. package/lib/typescript/commonjs/index.d.ts +0 -1
  90. package/lib/typescript/commonjs/index.d.ts.map +1 -1
  91. package/lib/typescript/commonjs/ui/components/SignInAccountChooser.d.ts +29 -0
  92. package/lib/typescript/commonjs/ui/components/SignInAccountChooser.d.ts.map +1 -0
  93. package/lib/typescript/commonjs/ui/components/SignInModal.d.ts +15 -10
  94. package/lib/typescript/commonjs/ui/components/SignInModal.d.ts.map +1 -1
  95. package/lib/typescript/commonjs/ui/context/OxyContext.d.ts +36 -42
  96. package/lib/typescript/commonjs/ui/context/OxyContext.d.ts.map +1 -1
  97. package/lib/typescript/commonjs/ui/context/hooks/useAuthOperations.d.ts +18 -23
  98. package/lib/typescript/commonjs/ui/context/hooks/useAuthOperations.d.ts.map +1 -1
  99. package/lib/typescript/commonjs/ui/hooks/mutations/useAccountMutations.d.ts +0 -2
  100. package/lib/typescript/commonjs/ui/hooks/mutations/useAccountMutations.d.ts.map +1 -1
  101. package/lib/typescript/commonjs/ui/hooks/useAuth.d.ts.map +1 -1
  102. package/lib/typescript/commonjs/ui/hooks/usePasswordSignIn.d.ts +31 -0
  103. package/lib/typescript/commonjs/ui/hooks/usePasswordSignIn.d.ts.map +1 -0
  104. package/lib/typescript/commonjs/ui/hooks/useProfileEditing.d.ts +0 -1
  105. package/lib/typescript/commonjs/ui/hooks/useProfileEditing.d.ts.map +1 -1
  106. package/lib/typescript/commonjs/ui/navigation/routes.d.ts +1 -1
  107. package/lib/typescript/commonjs/ui/navigation/routes.d.ts.map +1 -1
  108. package/lib/typescript/commonjs/ui/screens/EditProfileFieldScreen.d.ts.map +1 -1
  109. package/lib/typescript/commonjs/ui/screens/EditProfileScreen.d.ts +14 -0
  110. package/lib/typescript/commonjs/ui/screens/EditProfileScreen.d.ts.map +1 -0
  111. package/lib/typescript/commonjs/ui/screens/ManageAccountScreen.d.ts +1 -1
  112. package/lib/typescript/commonjs/ui/screens/ManageAccountScreen.d.ts.map +1 -1
  113. package/lib/typescript/commonjs/ui/screens/OxyAuthScreen.d.ts +13 -12
  114. package/lib/typescript/commonjs/ui/screens/OxyAuthScreen.d.ts.map +1 -1
  115. package/lib/typescript/commonjs/ui/screens/ProfileScreen.d.ts.map +1 -1
  116. package/lib/typescript/commonjs/ui/screens/linkFormat.d.ts +23 -0
  117. package/lib/typescript/commonjs/ui/screens/linkFormat.d.ts.map +1 -0
  118. package/lib/typescript/commonjs/ui/session/authStore.d.ts +33 -0
  119. package/lib/typescript/commonjs/ui/session/authStore.d.ts.map +1 -0
  120. package/lib/typescript/commonjs/ui/session/createSessionClient.d.ts +20 -9
  121. package/lib/typescript/commonjs/ui/session/createSessionClient.d.ts.map +1 -1
  122. package/lib/typescript/commonjs/ui/session/index.d.ts +9 -9
  123. package/lib/typescript/commonjs/ui/session/index.d.ts.map +1 -1
  124. package/lib/typescript/commonjs/ui/session/tokenTransport.d.ts +13 -19
  125. package/lib/typescript/commonjs/ui/session/tokenTransport.d.ts.map +1 -1
  126. package/lib/typescript/commonjs/ui/utils/isWebBrowser.d.ts +9 -0
  127. package/lib/typescript/commonjs/ui/utils/isWebBrowser.d.ts.map +1 -0
  128. package/lib/typescript/commonjs/utils/deviceFlowSignIn.d.ts +15 -13
  129. package/lib/typescript/commonjs/utils/deviceFlowSignIn.d.ts.map +1 -1
  130. package/lib/typescript/module/index.d.ts +0 -1
  131. package/lib/typescript/module/index.d.ts.map +1 -1
  132. package/lib/typescript/module/ui/components/SignInAccountChooser.d.ts +29 -0
  133. package/lib/typescript/module/ui/components/SignInAccountChooser.d.ts.map +1 -0
  134. package/lib/typescript/module/ui/components/SignInModal.d.ts +15 -10
  135. package/lib/typescript/module/ui/components/SignInModal.d.ts.map +1 -1
  136. package/lib/typescript/module/ui/context/OxyContext.d.ts +36 -42
  137. package/lib/typescript/module/ui/context/OxyContext.d.ts.map +1 -1
  138. package/lib/typescript/module/ui/context/hooks/useAuthOperations.d.ts +18 -23
  139. package/lib/typescript/module/ui/context/hooks/useAuthOperations.d.ts.map +1 -1
  140. package/lib/typescript/module/ui/hooks/mutations/useAccountMutations.d.ts +0 -2
  141. package/lib/typescript/module/ui/hooks/mutations/useAccountMutations.d.ts.map +1 -1
  142. package/lib/typescript/module/ui/hooks/useAuth.d.ts.map +1 -1
  143. package/lib/typescript/module/ui/hooks/usePasswordSignIn.d.ts +31 -0
  144. package/lib/typescript/module/ui/hooks/usePasswordSignIn.d.ts.map +1 -0
  145. package/lib/typescript/module/ui/hooks/useProfileEditing.d.ts +0 -1
  146. package/lib/typescript/module/ui/hooks/useProfileEditing.d.ts.map +1 -1
  147. package/lib/typescript/module/ui/navigation/routes.d.ts +1 -1
  148. package/lib/typescript/module/ui/navigation/routes.d.ts.map +1 -1
  149. package/lib/typescript/module/ui/screens/EditProfileFieldScreen.d.ts.map +1 -1
  150. package/lib/typescript/module/ui/screens/EditProfileScreen.d.ts +14 -0
  151. package/lib/typescript/module/ui/screens/EditProfileScreen.d.ts.map +1 -0
  152. package/lib/typescript/module/ui/screens/ManageAccountScreen.d.ts +1 -1
  153. package/lib/typescript/module/ui/screens/ManageAccountScreen.d.ts.map +1 -1
  154. package/lib/typescript/module/ui/screens/OxyAuthScreen.d.ts +13 -12
  155. package/lib/typescript/module/ui/screens/OxyAuthScreen.d.ts.map +1 -1
  156. package/lib/typescript/module/ui/screens/ProfileScreen.d.ts.map +1 -1
  157. package/lib/typescript/module/ui/screens/linkFormat.d.ts +23 -0
  158. package/lib/typescript/module/ui/screens/linkFormat.d.ts.map +1 -0
  159. package/lib/typescript/module/ui/session/authStore.d.ts +33 -0
  160. package/lib/typescript/module/ui/session/authStore.d.ts.map +1 -0
  161. package/lib/typescript/module/ui/session/createSessionClient.d.ts +20 -9
  162. package/lib/typescript/module/ui/session/createSessionClient.d.ts.map +1 -1
  163. package/lib/typescript/module/ui/session/index.d.ts +9 -9
  164. package/lib/typescript/module/ui/session/index.d.ts.map +1 -1
  165. package/lib/typescript/module/ui/session/tokenTransport.d.ts +13 -19
  166. package/lib/typescript/module/ui/session/tokenTransport.d.ts.map +1 -1
  167. package/lib/typescript/module/ui/utils/isWebBrowser.d.ts +9 -0
  168. package/lib/typescript/module/ui/utils/isWebBrowser.d.ts.map +1 -0
  169. package/lib/typescript/module/utils/deviceFlowSignIn.d.ts +15 -13
  170. package/lib/typescript/module/utils/deviceFlowSignIn.d.ts.map +1 -1
  171. package/package.json +4 -4
  172. package/src/index.ts +0 -4
  173. package/src/ui/components/SignInAccountChooser.tsx +162 -0
  174. package/src/ui/components/SignInModal.tsx +309 -139
  175. package/src/ui/context/OxyContext.tsx +532 -1785
  176. package/src/ui/context/hooks/useAuthOperations.ts +65 -76
  177. package/src/ui/hooks/useAuth.ts +14 -35
  178. package/src/ui/hooks/usePasswordSignIn.ts +207 -0
  179. package/src/ui/hooks/useProfileEditing.ts +2 -8
  180. package/src/ui/hooks/useSessionManagement.ts +1 -1
  181. package/src/ui/navigation/routes.ts +2 -0
  182. package/src/ui/screens/EditProfileFieldScreen.tsx +102 -66
  183. package/src/ui/screens/EditProfileScreen.tsx +155 -0
  184. package/src/ui/screens/ManageAccountScreen.tsx +3 -7
  185. package/src/ui/screens/OxyAuthScreen.tsx +259 -112
  186. package/src/ui/screens/ProfileScreen.tsx +15 -2
  187. package/src/ui/screens/__tests__/linkFormat.test.ts +73 -0
  188. package/src/ui/screens/linkFormat.ts +37 -0
  189. package/src/ui/session/__tests__/createSessionClient.test.ts +49 -6
  190. package/src/ui/session/__tests__/tokenTransport.test.ts +37 -49
  191. package/src/ui/session/authStore.ts +164 -0
  192. package/src/ui/session/createSessionClient.ts +32 -11
  193. package/src/ui/session/index.ts +10 -9
  194. package/src/ui/session/tokenTransport.ts +26 -36
  195. package/src/ui/utils/isWebBrowser.ts +8 -0
  196. package/src/utils/__tests__/deviceFlowSignIn.test.ts +50 -131
  197. package/src/utils/deviceFlowSignIn.ts +19 -26
  198. package/lib/commonjs/ui/context/inSessionTokenRefresh.js +0 -243
  199. package/lib/commonjs/ui/context/inSessionTokenRefresh.js.map +0 -1
  200. package/lib/commonjs/ui/context/silentSessionRestore.js +0 -56
  201. package/lib/commonjs/ui/context/silentSessionRestore.js.map +0 -1
  202. package/lib/commonjs/ui/hooks/useWebSSO.js +0 -28
  203. package/lib/commonjs/ui/hooks/useWebSSO.js.map +0 -1
  204. package/lib/commonjs/ui/session/projectSessionState.js +0 -86
  205. package/lib/commonjs/ui/session/projectSessionState.js.map +0 -1
  206. package/lib/commonjs/ui/session/sessionClientHost.js +0 -30
  207. package/lib/commonjs/ui/session/sessionClientHost.js.map +0 -1
  208. package/lib/commonjs/ui/utils/activeAuthuser.js +0 -142
  209. package/lib/commonjs/ui/utils/activeAuthuser.js.map +0 -1
  210. package/lib/commonjs/utils/crossApex.js +0 -74
  211. package/lib/commonjs/utils/crossApex.js.map +0 -1
  212. package/lib/module/ui/context/inSessionTokenRefresh.js +0 -238
  213. package/lib/module/ui/context/inSessionTokenRefresh.js.map +0 -1
  214. package/lib/module/ui/context/silentSessionRestore.js +0 -53
  215. package/lib/module/ui/context/silentSessionRestore.js.map +0 -1
  216. package/lib/module/ui/hooks/useWebSSO.js +0 -24
  217. package/lib/module/ui/hooks/useWebSSO.js.map +0 -1
  218. package/lib/module/ui/session/projectSessionState.js +0 -79
  219. package/lib/module/ui/session/projectSessionState.js.map +0 -1
  220. package/lib/module/ui/session/sessionClientHost.js +0 -26
  221. package/lib/module/ui/session/sessionClientHost.js.map +0 -1
  222. package/lib/module/ui/utils/activeAuthuser.js +0 -134
  223. package/lib/module/ui/utils/activeAuthuser.js.map +0 -1
  224. package/lib/module/utils/crossApex.js +0 -69
  225. package/lib/module/utils/crossApex.js.map +0 -1
  226. package/lib/typescript/commonjs/ui/context/inSessionTokenRefresh.d.ts +0 -106
  227. package/lib/typescript/commonjs/ui/context/inSessionTokenRefresh.d.ts.map +0 -1
  228. package/lib/typescript/commonjs/ui/context/silentSessionRestore.d.ts +0 -36
  229. package/lib/typescript/commonjs/ui/context/silentSessionRestore.d.ts.map +0 -1
  230. package/lib/typescript/commonjs/ui/hooks/useWebSSO.d.ts +0 -19
  231. package/lib/typescript/commonjs/ui/hooks/useWebSSO.d.ts.map +0 -1
  232. package/lib/typescript/commonjs/ui/session/projectSessionState.d.ts +0 -45
  233. package/lib/typescript/commonjs/ui/session/projectSessionState.d.ts.map +0 -1
  234. package/lib/typescript/commonjs/ui/session/sessionClientHost.d.ts +0 -14
  235. package/lib/typescript/commonjs/ui/session/sessionClientHost.d.ts.map +0 -1
  236. package/lib/typescript/commonjs/ui/utils/activeAuthuser.d.ts +0 -67
  237. package/lib/typescript/commonjs/ui/utils/activeAuthuser.d.ts.map +0 -1
  238. package/lib/typescript/commonjs/utils/crossApex.d.ts +0 -55
  239. package/lib/typescript/commonjs/utils/crossApex.d.ts.map +0 -1
  240. package/lib/typescript/module/ui/context/inSessionTokenRefresh.d.ts +0 -106
  241. package/lib/typescript/module/ui/context/inSessionTokenRefresh.d.ts.map +0 -1
  242. package/lib/typescript/module/ui/context/silentSessionRestore.d.ts +0 -36
  243. package/lib/typescript/module/ui/context/silentSessionRestore.d.ts.map +0 -1
  244. package/lib/typescript/module/ui/hooks/useWebSSO.d.ts +0 -19
  245. package/lib/typescript/module/ui/hooks/useWebSSO.d.ts.map +0 -1
  246. package/lib/typescript/module/ui/session/projectSessionState.d.ts +0 -45
  247. package/lib/typescript/module/ui/session/projectSessionState.d.ts.map +0 -1
  248. package/lib/typescript/module/ui/session/sessionClientHost.d.ts +0 -14
  249. package/lib/typescript/module/ui/session/sessionClientHost.d.ts.map +0 -1
  250. package/lib/typescript/module/ui/utils/activeAuthuser.d.ts +0 -67
  251. package/lib/typescript/module/ui/utils/activeAuthuser.d.ts.map +0 -1
  252. package/lib/typescript/module/utils/crossApex.d.ts +0 -55
  253. package/lib/typescript/module/utils/crossApex.d.ts.map +0 -1
  254. package/src/ui/context/inSessionTokenRefresh.ts +0 -264
  255. package/src/ui/context/silentSessionRestore.ts +0 -53
  256. package/src/ui/hooks/useWebSSO.ts +0 -23
  257. package/src/ui/session/__tests__/projectSessionState.test.ts +0 -114
  258. package/src/ui/session/__tests__/sessionClientHost.test.ts +0 -43
  259. package/src/ui/session/projectSessionState.ts +0 -85
  260. package/src/ui/session/sessionClientHost.ts +0 -27
  261. package/src/ui/utils/activeAuthuser.ts +0 -142
  262. package/src/utils/crossApex.ts +0 -75
@@ -1,14 +0,0 @@
1
- import type { OxyServices, SessionClientHost } from '@oxyhq/core';
2
- /**
3
- * Thin `SessionClientHost` adapter over an `OxyServices` instance.
4
- *
5
- * `SessionClient` (in `@oxyhq/core`) is host-agnostic: it only needs a REST +
6
- * token surface. `OxyServices` already exposes all of that except
7
- * `getCurrentAccountId`, which has no direct equivalent — the adapter holds a
8
- * mutable ref set by the caller (`OxyContext`, in Fase 3-B) via
9
- * `setCurrentAccountId`.
10
- */
11
- export declare function createSessionClientHost(oxyServices: OxyServices): SessionClientHost & {
12
- setCurrentAccountId(id: string | null): void;
13
- };
14
- //# sourceMappingURL=sessionClientHost.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"sessionClientHost.d.ts","sourceRoot":"","sources":["../../../../../src/ui/session/sessionClientHost.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAElE;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CACrC,WAAW,EAAE,WAAW,GACvB,iBAAiB,GAAG;IAAE,mBAAmB,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,CAAA;CAAE,CAatE"}
@@ -1,67 +0,0 @@
1
- /**
2
- * Web-only helpers around the retired `oxy_rt_${authuser}` multi-slot
3
- * refresh-cookie scheme, PLUS the (unrelated, still load-bearing) deliberate
4
- * sign-out / SSO-bounce gates.
5
- *
6
- * NOTE (session-sync cutover, Task 5): the device account SET is now
7
- * server-authoritative via `SessionClient` (`@oxyhq/core`) — nothing in
8
- * `@oxyhq/services` writes the persisted active-`authuser`-slot key anymore
9
- * (`writeActiveAuthuser`/`clearActiveAuthuser` were deleted; their only
10
- * callers were the deleted `establishDeviceRefreshSlot` sign-in registration
11
- * and the deleted `switchToAccount`/`switchSession` slot bookkeeping).
12
- * {@link readActiveAuthuser} is KEPT purely as an OPTIONAL restore hint:
13
- * `OxyContext`'s `restoreStoredSession` cold-boot step reads it only to
14
- * backfill `clientSession.authuser` for the active session when a legacy value
15
- * happens to be present. It NO LONGER gates whether restore is attempted — the
16
- * old guard that also required this marker made every web reload with a lapsed
17
- * local bearer bail before any network validation (P0), and was replaced by a
18
- * "bail only when there is nothing to restore" guard plus a valid-session
19
- * election. Since nothing writes the key anymore, the backfill is dormant on
20
- * fresh installs; it stays for legacy installs and costs nothing.
21
- *
22
- * Native (React Native) has no equivalent of these device-local cookies
23
- * and uses bearer-protected session ids directly, so these helpers no-op
24
- * outside the browser.
25
- */
26
- /**
27
- * Read the persisted active `authuser` slot index.
28
- *
29
- * Returns `null` on native, on a corrupted value, or when nothing has been
30
- * persisted yet (first visit). Callers treat `null` as "no preference" and
31
- * fall back to deterministic selection (lowest authuser).
32
- */
33
- export declare function readActiveAuthuser(): number | null;
34
- /**
35
- * Mark this origin as DELIBERATELY signed out (durable `localStorage`, via the
36
- * core {@link ssoSignedOutKey}). Called ONLY on EXPLICIT full sign-out so that
37
- * the next cold boot does NOT silently re-mint a session from a still-live IdP
38
- * session (the per-apex `/auth/silent` iframe cold-boot step). Cleared by any
39
- * deliberate sign-in (see {@link clearSignedOut}). No-ops on native / storage
40
- * failure (best-effort).
41
- */
42
- export declare function markSignedOut(): void;
43
- /**
44
- * Clear the durable deliberately-signed-out flag. Called on ANY deliberate
45
- * sign-in (password, account switch, device claim) so a real sign-in
46
- * fully re-enables automatic silent restore — there is no "stuck signed out"
47
- * state. No-ops on native / storage failure.
48
- */
49
- export declare function clearSignedOut(): void;
50
- /**
51
- * Whether AUTOMATIC silent restore is suppressed for the current origin because
52
- * the user deliberately signed out. Reads the durable flag through the core
53
- * {@link silentRestoreSuppressed} predicate. Returns `false` off-web and on any
54
- * storage failure (fail safe toward normal restore). Used to gate the
55
- * `silent-iframe` cold-boot step.
56
- */
57
- export declare function isSilentRestoreSuppressed(): boolean;
58
- /**
59
- * Clear all per-origin SSO bounce sessionStorage keys. Called ONLY on EXPLICIT
60
- * user sign-out (logout / logoutAll) — never on a cold-boot failure path — so a
61
- * fresh deliberate sign-in can re-probe the central IdP. Clearing on cold-boot
62
- * failure would reintroduce the redirect loop.
63
- *
64
- * No-ops on native and on any storage failure (best-effort).
65
- */
66
- export declare function clearSsoBounceState(): void;
67
- //# sourceMappingURL=activeAuthuser.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"activeAuthuser.d.ts","sourceRoot":"","sources":["../../../../../src/ui/utils/activeAuthuser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AA2BH;;;;;;GAMG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,GAAG,IAAI,CAalD;AAED;;;;;;;GAOG;AACH,wBAAgB,aAAa,IAAI,IAAI,CAOpC;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,IAAI,IAAI,CAOrC;AAED;;;;;;GAMG;AACH,wBAAgB,yBAAyB,IAAI,OAAO,CAMnD;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAa1C"}
@@ -1,55 +0,0 @@
1
- /**
2
- * Cross-apex web detection for sign-in durability gating.
3
- *
4
- * On a web Relying Party whose registrable apex differs from the central Oxy
5
- * Identity Provider apex (`oxy.so`), the ONLY sign-in completion that survives a
6
- * page reload is the interactive "Continue with Oxy" IdP flow, because it is the
7
- * only one that establishes a first-party `fedcm_session` cookie at
8
- * `auth.<apex>` — the anchor the cross-domain cold-boot restore reads on reload.
9
- *
10
- * The other sign-in completions the SDK can drive do NOT plant a `fedcm_session`:
11
- * - password / public-key sign-in mints a bearer directly against the Oxy API
12
- * (its refresh cookie is host-scoped to `api.oxy.so` and `SameSite=Lax`, so
13
- * it is unreachable cross-site from the RP), and
14
- * - the Commons-app device-flow handoff (cross-device QR / same-device
15
- * deep-link) is approved OUTSIDE the browser, so no IdP browser session is
16
- * established.
17
- * On a cross-apex RP each of these leaves the user signed in for the current
18
- * page only — a reload logs them out. See OxyHQServices AGENTS.md
19
- * "Auth / Session Contract".
20
- *
21
- * Same-apex `*.oxy.so` apps (e.g. `accounts.oxy.so`) are first-party with
22
- * `api.oxy.so`: their refresh cookie rides same-site requests so reload restore
23
- * works without `fedcm_session`, and they are therefore NOT gated.
24
- *
25
- * Returns `false` off-browser (React Native has no `window.location`) and for
26
- * hosts without a registrable apex (localhost / raw IP / single-label dev
27
- * hosts), so native and local development keep every sign-in method.
28
- */
29
- /**
30
- * Whether the given host is a web RP on a registrable apex other than the
31
- * central Oxy IdP apex (`oxy.so`). See the module doc for why this gates the
32
- * non-durable sign-in paths.
33
- *
34
- * @param hostname - The host to classify. Defaults to the current
35
- * `window.location.hostname`; resolves to `undefined` off-browser (React
36
- * Native / SSR), which yields `false`. The explicit parameter mirrors
37
- * `autoDetectAuthWebUrl(location?)` and keeps the predicate unit-testable
38
- * without manipulating the global `window.location`.
39
- */
40
- export declare function isCrossApexWeb(hostname?: string | undefined): boolean;
41
- /**
42
- * Thrown when an app attempts a direct (non-IdP) sign-in — password or
43
- * public-key — on a cross-apex web RP, where such a sign-in would not survive a
44
- * page reload because no `fedcm_session` is established (see {@link isCrossApexWeb}).
45
- *
46
- * Apps on a cross-apex apex must sign in through the interactive
47
- * "Continue with Oxy" IdP flow (`OxySignInButton` / `showSignInModal()`), which
48
- * plants the durable session.
49
- */
50
- export declare class CrossApexDirectSignInError extends Error {
51
- readonly name = "CrossApexDirectSignInError";
52
- readonly code = "CROSS_APEX_DIRECT_SIGN_IN_UNSUPPORTED";
53
- constructor();
54
- }
55
- //# sourceMappingURL=crossApex.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"crossApex.d.ts","sourceRoot":"","sources":["../../../../src/utils/crossApex.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAIH;;;;;;;;;;GAUG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,GAAE,MAAM,GAAG,SAEN,GACZ,OAAO,CAMT;AAED;;;;;;;;GAQG;AACH,qBAAa,0BAA2B,SAAQ,KAAK;IACnD,SAAkB,IAAI,gCAAgC;IACtD,QAAQ,CAAC,IAAI,2CAA2C;;CASzD"}
@@ -1,106 +0,0 @@
1
- /**
2
- * In-session access-token refresh for the React Native / Expo SDK.
3
- *
4
- * THE GAP THIS CLOSES: the services `OxyContext` owns the session but never
5
- * installed an `authRefreshHandler` on the owner `HttpService`, so
6
- * `HttpService.refreshAccessToken` short-circuited to `null` — there was NO
7
- * in-session token refresh on the RN path at all. A 15-minute access token
8
- * expired with the tab/app open and nothing re-minted one; cross-apex RP feeds
9
- * (mention.earth, …) then 401'd in a loop while `isAuthenticated` stayed `true`
10
- * (a zombie logged-in state), because the `Domain=oxy.so` refresh cookie can't
11
- * reach `api.<apex>`. (`AuthManager`, which installs a refresh handler on the
12
- * web path, is only ever constructed by `WebOxyProvider` in `@oxyhq/auth`.)
13
- *
14
- * THE FIX, two cooperating pieces both wired from `OxyContext`:
15
- *
16
- * 1. {@link createInSessionRefreshHandler} — an `AuthRefreshHandler` installed
17
- * on the owner client. It re-mints a fresh access token WITHOUT a page
18
- * reload by composing the SAME silent-restore primitive cold boot uses
19
- * ({@link mintSessionViaPerApexIframe}) — not a copy. The linked client
20
- * (`createLinkedClient`) inherits the fix for free: its refresh delegates
21
- * back to the owner's `refreshAccessToken`.
22
- *
23
- * 2. {@link startTokenRefreshScheduler} — a proactive scheduler that refreshes
24
- * ~{@link TOKEN_REFRESH_LEAD_MS} before expiry (and on web tab-focus / native
25
- * app-foreground), so the common case never even reaches the reactive
26
- * 401-then-recover flash.
27
- *
28
- * Concurrency/cooldown/dedup are owned by `HttpService.refreshAccessToken`
29
- * (single in-flight `tokenRefreshPromise` + cooldown) — this module does not
30
- * reimplement them, so the timer / foreground / per-request triggers collapse to
31
- * one network attempt (no refresh storm).
32
- *
33
- * NOTE (session-sync cutover, Task 5): the web arm chain used to fall through
34
- * to a same-apex `oxy_rt` refresh-cookie arm (`refreshAllSessions` +
35
- * `selectActiveRefreshAccount`). That arm is DELETED — the device account set
36
- * is now server-authoritative via `SessionClient` (`@oxyhq/core`), which
37
- * `OxyContext` bootstraps/reprojects independently of in-session token
38
- * refresh. `selectActiveRefreshAccount` had no other caller and was deleted
39
- * with it.
40
- */
41
- import type { OxyServices, AuthRefreshHandler } from '@oxyhq/core';
42
- /**
43
- * Lead time (ms) before access-token expiry at which the proactive scheduler
44
- * refreshes. Mirrors `HttpService`'s per-request `TOKEN_REFRESH_LEAD_SECONDS`
45
- * (60s) so the scheduled refresh and the request-time preflight refresh use the
46
- * same window — the scheduler simply fires it during idle/background instead of
47
- * waiting for the next request.
48
- */
49
- export declare const TOKEN_REFRESH_LEAD_MS = 60000;
50
- /**
51
- * Build the in-session `AuthRefreshHandler` for the owner client.
52
- *
53
- * Arms run in an explicit order; the first to plant a token wins. Each arm
54
- * resolves to the planted token (read back via `getAccessToken()` — the
55
- * underlying SDK call plants it internally) or `null`. A throw in one arm is
56
- * logged and treated as `null` so the chain continues.
57
- *
58
- * NATIVE (Expo): shared cross-app identity key re-mint
59
- * (`signInWithSharedIdentity` → challenge→sign→verify plants the tokens).
60
- * The ONLY silent native arm (mirrors cold boot's `shared-key-signin`); the
61
- * `/auth/silent` web iframe is NEVER attempted on native. Resolves to `null`
62
- * when the device holds no shared identity (e.g. a password-only native
63
- * sign-in) so a genuinely dead session reconciles to logged-out rather than
64
- * staying a zombie.
65
- *
66
- * WEB: Per-apex `/auth/silent` iframe — {@link mintSessionViaPerApexIframe}
67
- * (shared verbatim with cold boot). The durable cross-apex path; also
68
- * covers `*.oxy.so` (the per-apex host IS the central host there). There
69
- * is no FedCM arm — FedCM was removed from the client sign-in/refresh path
70
- * entirely (Chrome-only; see `CrossDomainAuth`'s doc comment in
71
- * `@oxyhq/core` for the production sign-in loop that motivated the
72
- * removal).
73
- *
74
- * NO RECURSION: no arm issues a request through the authed client's
75
- * `refreshAccessToken` path. The iframe transport is postMessage-based; the
76
- * follow-up `/session/user` fetch inside `silentSignIn`
77
- * runs against the just-planted FULL-TTL token (≫ the preflight lead), so it
78
- * never re-enters the refresh path.
79
- */
80
- export declare function createInSessionRefreshHandler(oxyServices: OxyServices): AuthRefreshHandler;
81
- /**
82
- * Handle returned by {@link startTokenRefreshScheduler}; call `dispose()` to tear
83
- * down the timer and the foreground listener.
84
- */
85
- export interface TokenRefreshSchedulerHandle {
86
- dispose(): void;
87
- }
88
- /**
89
- * Start the proactive in-session refresh scheduler against `oxyServices`.
90
- *
91
- * Schedules a single timer to fire {@link TOKEN_REFRESH_LEAD_MS} before the
92
- * current access token's `exp`, calling `httpService.refreshAccessToken`
93
- * ('preflight') — which runs the installed handler and is deduped + cooldown-
94
- * guarded. After every attempt it reschedules from the (possibly rotated) token.
95
- * It also reschedules whenever the token changes (`onTokensChanged` — so a
96
- * sign-out that clears the token cancels the timer) and, on web tab-focus /
97
- * native app-foreground, refreshes immediately if already inside the lead window
98
- * (a long-hidden tab throttles timers, so the token can be expired on return).
99
- *
100
- * The `exp` is derived directly from the JWT via `getAccessTokenExpiry()`. No-ops
101
- * cleanly when there is no token, an opaque/no-`exp` token, or the host lacks
102
- * `getAccessTokenExpiry` (older stubs) — the reactive 401 path stays the only
103
- * refresh trigger in those cases.
104
- */
105
- export declare function startTokenRefreshScheduler(oxyServices: OxyServices): TokenRefreshSchedulerHandle;
106
- //# sourceMappingURL=inSessionTokenRefresh.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"inSessionTokenRefresh.d.ts","sourceRoot":"","sources":["../../../../../src/ui/context/inSessionTokenRefresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AACH,OAAO,KAAK,EACV,WAAW,EACX,kBAAkB,EAEnB,MAAM,aAAa,CAAC;AAgBrB;;;;;;GAMG;AACH,eAAO,MAAM,qBAAqB,QAAS,CAAC;AAQ5C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAgB,6BAA6B,CAAC,WAAW,EAAE,WAAW,GAAG,kBAAkB,CAuC1F;AAED;;;GAGG;AACH,MAAM,WAAW,2BAA2B;IAC1C,OAAO,IAAI,IAAI,CAAC;CACjB;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,0BAA0B,CAAC,WAAW,EAAE,WAAW,GAAG,2BAA2B,CA4FhG"}
@@ -1,36 +0,0 @@
1
- /**
2
- * Silent, no-reload session-restore PRIMITIVE — the single shared
3
- * implementation used by BOTH cold boot (`OxyContext.restoreSessionsFromStorage`)
4
- * and in-session token refresh (`createInSessionRefreshHandler`). Neither caller
5
- * re-implements it; they compose it. Keeping one home avoids the two paths
6
- * drifting on "how do we mint a first-party token without a page reload".
7
- *
8
- * Platform-agnostic at the type level and returns plain data; the callers own
9
- * the side effects that differ between them (cold boot COMMITS the recovered
10
- * session into provider state; refresh only reads the freshly planted bearer).
11
- *
12
- * NOTE (session-sync cutover, Task 5): this file used to also export
13
- * `selectActiveRefreshAccount`, which picked the active account out of a
14
- * `refreshAllSessions` (`oxy_rt` refresh-cookie) snapshot. Deleted — its only
15
- * caller was the in-session refresh handler's now-deleted `refresh-cookie`
16
- * arm. The device account SET is server-authoritative via `SessionClient`
17
- * (`@oxyhq/core`) now.
18
- */
19
- import type { OxyServices, SessionLoginResponse } from '@oxyhq/core';
20
- /**
21
- * Mint a fresh first-party session via the PER-APEX `/auth/silent` iframe — the
22
- * durable cross-domain restore path that works WITHOUT a top-level navigation
23
- * (so it succeeds under Safari ITP / Firefox TCP and in a backgrounded tab).
24
- *
25
- * The instance is configured with the CENTRAL auth URL, so we explicitly point
26
- * the iframe at the per-apex host (`auth.<rp-apex>`) via `autoDetectAuthWebUrl()`
27
- * + `silentSignIn`'s `authWebUrlOverride`. On a `*.oxy.so` app the per-apex host
28
- * IS the central host, so this also covers same-apex. When auto-detection bails
29
- * (localhost / IP / single-label / off-browser) there is no per-apex IdP and we
30
- * return `null`. `silentSignIn` plants the access token internally on success.
31
- *
32
- * @returns the recovered session (token already planted) when complete, else
33
- * `null` (no per-apex IdP, no session, or an incomplete iframe response).
34
- */
35
- export declare function mintSessionViaPerApexIframe(oxyServices: OxyServices, timeoutMs: number): Promise<SessionLoginResponse | null>;
36
- //# sourceMappingURL=silentSessionRestore.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"silentSessionRestore.d.ts","sourceRoot":"","sources":["../../../../../src/ui/context/silentSessionRestore.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AACH,OAAO,KAAK,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAGrE;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,2BAA2B,CAC/C,WAAW,EAAE,WAAW,EACxB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAatC"}
@@ -1,19 +0,0 @@
1
- /**
2
- * Platform detection helper for the web auth/session-sync surfaces.
3
- *
4
- * This module previously hosted a FedCM-based `useWebSSO` hook (Federated
5
- * Credential Management — Chrome-only). It was removed: FedCM is no longer
6
- * used anywhere in the client sign-in/cold-boot path (see `CrossDomainAuth`'s
7
- * doc comment in `@oxyhq/core` for the production sign-in loop that motivated
8
- * the removal). Cross-domain silent SSO is owned entirely by the
9
- * `silent-iframe` cold-boot step (per-apex `/auth/silent`) plus the terminal
10
- * `/sso` bounce in `OxyContext`.
11
- *
12
- * `isWebBrowser` is kept here (rather than moved) so every existing consumer
13
- * import path stays valid.
14
- */
15
- /**
16
- * Check if we're running in a web browser environment (not React Native)
17
- */
18
- export declare function isWebBrowser(): boolean;
19
- //# sourceMappingURL=useWebSSO.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"useWebSSO.d.ts","sourceRoot":"","sources":["../../../../../src/ui/hooks/useWebSSO.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH;;GAEG;AACH,wBAAgB,YAAY,IAAI,OAAO,CAItC"}
@@ -1,45 +0,0 @@
1
- import type { DeviceSessionState } from '@oxyhq/contracts';
2
- import type { ClientSession, User } from '@oxyhq/core';
3
- /**
4
- * Pure projection helpers: `DeviceSessionState` (the device-scoped
5
- * multi-account session-sync state produced by `@oxyhq/core`'s
6
- * `SessionClient`) -> the shapes `OxyContext` renders today
7
- * (`ClientSession[]`, an active session id, an active `User`).
8
- *
9
- * No I/O. The caller fetches profiles via
10
- * `oxyServices.getUsersByIds(accountIdsOf(state))` and builds `usersById`
11
- * from the result before calling `deviceStateToClientSessions` /
12
- * `activeUserOf`.
13
- */
14
- /**
15
- * Maps every `SessionAccount` in `state.accounts` to a `ClientSession`.
16
- *
17
- * `DeviceSessionState` carries no per-account `expiresAt` / `lastActive` —
18
- * both are set to `state.updatedAt` (converted to an ISO-8601 string; the
19
- * wire value is an epoch-ms number) as a provisional value. Fase 3-B
20
- * rewrites `ClientSession` to make `expiresAt`/`lastActive` optional (they
21
- * are not derivable from `DeviceSessionState`).
22
- *
23
- * `usersById` is accepted for signature symmetry with `activeUserOf` even
24
- * though `ClientSession` only stores `userId` — a session is still
25
- * projected for an account whose id is absent from `usersById` (no
26
- * placeholder user is fabricated).
27
- */
28
- export declare function deviceStateToClientSessions(state: DeviceSessionState, usersById: Map<string, User>): ClientSession[];
29
- /**
30
- * The active account's `sessionId`, or `null` when there is no state or no
31
- * active account is set.
32
- */
33
- export declare function activeSessionIdOf(state: DeviceSessionState | null): string | null;
34
- /**
35
- * The active account's `User`, resolved from `usersById`. `null` when there
36
- * is no state, no active account is set, or the active account id is absent
37
- * from `usersById`.
38
- */
39
- export declare function activeUserOf(state: DeviceSessionState | null, usersById: Map<string, User>): User | null;
40
- /**
41
- * All account ids in `state`, suitable for an `oxyServices.getUsersByIds(...)`
42
- * fetch. `[]` for `null` state.
43
- */
44
- export declare function accountIdsOf(state: DeviceSessionState | null): string[];
45
- //# sourceMappingURL=projectSessionState.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"projectSessionState.d.ts","sourceRoot":"","sources":["../../../../../src/ui/session/projectSessionState.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAEvD;;;;;;;;;;GAUG;AAEH;;;;;;;;;;;;;GAaG;AACH,wBAAgB,2BAA2B,CACzC,KAAK,EAAE,kBAAkB,EACzB,SAAS,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,GAC3B,aAAa,EAAE,CAajB;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,kBAAkB,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAOjF;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAC1B,KAAK,EAAE,kBAAkB,GAAG,IAAI,EAChC,SAAS,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,GAC3B,IAAI,GAAG,IAAI,CAKb;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,kBAAkB,GAAG,IAAI,GAAG,MAAM,EAAE,CAKvE"}
@@ -1,14 +0,0 @@
1
- import type { OxyServices, SessionClientHost } from '@oxyhq/core';
2
- /**
3
- * Thin `SessionClientHost` adapter over an `OxyServices` instance.
4
- *
5
- * `SessionClient` (in `@oxyhq/core`) is host-agnostic: it only needs a REST +
6
- * token surface. `OxyServices` already exposes all of that except
7
- * `getCurrentAccountId`, which has no direct equivalent — the adapter holds a
8
- * mutable ref set by the caller (`OxyContext`, in Fase 3-B) via
9
- * `setCurrentAccountId`.
10
- */
11
- export declare function createSessionClientHost(oxyServices: OxyServices): SessionClientHost & {
12
- setCurrentAccountId(id: string | null): void;
13
- };
14
- //# sourceMappingURL=sessionClientHost.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"sessionClientHost.d.ts","sourceRoot":"","sources":["../../../../../src/ui/session/sessionClientHost.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAElE;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CACrC,WAAW,EAAE,WAAW,GACvB,iBAAiB,GAAG;IAAE,mBAAmB,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,CAAA;CAAE,CAatE"}
@@ -1,67 +0,0 @@
1
- /**
2
- * Web-only helpers around the retired `oxy_rt_${authuser}` multi-slot
3
- * refresh-cookie scheme, PLUS the (unrelated, still load-bearing) deliberate
4
- * sign-out / SSO-bounce gates.
5
- *
6
- * NOTE (session-sync cutover, Task 5): the device account SET is now
7
- * server-authoritative via `SessionClient` (`@oxyhq/core`) — nothing in
8
- * `@oxyhq/services` writes the persisted active-`authuser`-slot key anymore
9
- * (`writeActiveAuthuser`/`clearActiveAuthuser` were deleted; their only
10
- * callers were the deleted `establishDeviceRefreshSlot` sign-in registration
11
- * and the deleted `switchToAccount`/`switchSession` slot bookkeeping).
12
- * {@link readActiveAuthuser} is KEPT purely as an OPTIONAL restore hint:
13
- * `OxyContext`'s `restoreStoredSession` cold-boot step reads it only to
14
- * backfill `clientSession.authuser` for the active session when a legacy value
15
- * happens to be present. It NO LONGER gates whether restore is attempted — the
16
- * old guard that also required this marker made every web reload with a lapsed
17
- * local bearer bail before any network validation (P0), and was replaced by a
18
- * "bail only when there is nothing to restore" guard plus a valid-session
19
- * election. Since nothing writes the key anymore, the backfill is dormant on
20
- * fresh installs; it stays for legacy installs and costs nothing.
21
- *
22
- * Native (React Native) has no equivalent of these device-local cookies
23
- * and uses bearer-protected session ids directly, so these helpers no-op
24
- * outside the browser.
25
- */
26
- /**
27
- * Read the persisted active `authuser` slot index.
28
- *
29
- * Returns `null` on native, on a corrupted value, or when nothing has been
30
- * persisted yet (first visit). Callers treat `null` as "no preference" and
31
- * fall back to deterministic selection (lowest authuser).
32
- */
33
- export declare function readActiveAuthuser(): number | null;
34
- /**
35
- * Mark this origin as DELIBERATELY signed out (durable `localStorage`, via the
36
- * core {@link ssoSignedOutKey}). Called ONLY on EXPLICIT full sign-out so that
37
- * the next cold boot does NOT silently re-mint a session from a still-live IdP
38
- * session (the per-apex `/auth/silent` iframe cold-boot step). Cleared by any
39
- * deliberate sign-in (see {@link clearSignedOut}). No-ops on native / storage
40
- * failure (best-effort).
41
- */
42
- export declare function markSignedOut(): void;
43
- /**
44
- * Clear the durable deliberately-signed-out flag. Called on ANY deliberate
45
- * sign-in (password, account switch, device claim) so a real sign-in
46
- * fully re-enables automatic silent restore — there is no "stuck signed out"
47
- * state. No-ops on native / storage failure.
48
- */
49
- export declare function clearSignedOut(): void;
50
- /**
51
- * Whether AUTOMATIC silent restore is suppressed for the current origin because
52
- * the user deliberately signed out. Reads the durable flag through the core
53
- * {@link silentRestoreSuppressed} predicate. Returns `false` off-web and on any
54
- * storage failure (fail safe toward normal restore). Used to gate the
55
- * `silent-iframe` cold-boot step.
56
- */
57
- export declare function isSilentRestoreSuppressed(): boolean;
58
- /**
59
- * Clear all per-origin SSO bounce sessionStorage keys. Called ONLY on EXPLICIT
60
- * user sign-out (logout / logoutAll) — never on a cold-boot failure path — so a
61
- * fresh deliberate sign-in can re-probe the central IdP. Clearing on cold-boot
62
- * failure would reintroduce the redirect loop.
63
- *
64
- * No-ops on native and on any storage failure (best-effort).
65
- */
66
- export declare function clearSsoBounceState(): void;
67
- //# sourceMappingURL=activeAuthuser.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"activeAuthuser.d.ts","sourceRoot":"","sources":["../../../../../src/ui/utils/activeAuthuser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AA2BH;;;;;;GAMG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,GAAG,IAAI,CAalD;AAED;;;;;;;GAOG;AACH,wBAAgB,aAAa,IAAI,IAAI,CAOpC;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,IAAI,IAAI,CAOrC;AAED;;;;;;GAMG;AACH,wBAAgB,yBAAyB,IAAI,OAAO,CAMnD;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAa1C"}
@@ -1,55 +0,0 @@
1
- /**
2
- * Cross-apex web detection for sign-in durability gating.
3
- *
4
- * On a web Relying Party whose registrable apex differs from the central Oxy
5
- * Identity Provider apex (`oxy.so`), the ONLY sign-in completion that survives a
6
- * page reload is the interactive "Continue with Oxy" IdP flow, because it is the
7
- * only one that establishes a first-party `fedcm_session` cookie at
8
- * `auth.<apex>` — the anchor the cross-domain cold-boot restore reads on reload.
9
- *
10
- * The other sign-in completions the SDK can drive do NOT plant a `fedcm_session`:
11
- * - password / public-key sign-in mints a bearer directly against the Oxy API
12
- * (its refresh cookie is host-scoped to `api.oxy.so` and `SameSite=Lax`, so
13
- * it is unreachable cross-site from the RP), and
14
- * - the Commons-app device-flow handoff (cross-device QR / same-device
15
- * deep-link) is approved OUTSIDE the browser, so no IdP browser session is
16
- * established.
17
- * On a cross-apex RP each of these leaves the user signed in for the current
18
- * page only — a reload logs them out. See OxyHQServices AGENTS.md
19
- * "Auth / Session Contract".
20
- *
21
- * Same-apex `*.oxy.so` apps (e.g. `accounts.oxy.so`) are first-party with
22
- * `api.oxy.so`: their refresh cookie rides same-site requests so reload restore
23
- * works without `fedcm_session`, and they are therefore NOT gated.
24
- *
25
- * Returns `false` off-browser (React Native has no `window.location`) and for
26
- * hosts without a registrable apex (localhost / raw IP / single-label dev
27
- * hosts), so native and local development keep every sign-in method.
28
- */
29
- /**
30
- * Whether the given host is a web RP on a registrable apex other than the
31
- * central Oxy IdP apex (`oxy.so`). See the module doc for why this gates the
32
- * non-durable sign-in paths.
33
- *
34
- * @param hostname - The host to classify. Defaults to the current
35
- * `window.location.hostname`; resolves to `undefined` off-browser (React
36
- * Native / SSR), which yields `false`. The explicit parameter mirrors
37
- * `autoDetectAuthWebUrl(location?)` and keeps the predicate unit-testable
38
- * without manipulating the global `window.location`.
39
- */
40
- export declare function isCrossApexWeb(hostname?: string | undefined): boolean;
41
- /**
42
- * Thrown when an app attempts a direct (non-IdP) sign-in — password or
43
- * public-key — on a cross-apex web RP, where such a sign-in would not survive a
44
- * page reload because no `fedcm_session` is established (see {@link isCrossApexWeb}).
45
- *
46
- * Apps on a cross-apex apex must sign in through the interactive
47
- * "Continue with Oxy" IdP flow (`OxySignInButton` / `showSignInModal()`), which
48
- * plants the durable session.
49
- */
50
- export declare class CrossApexDirectSignInError extends Error {
51
- readonly name = "CrossApexDirectSignInError";
52
- readonly code = "CROSS_APEX_DIRECT_SIGN_IN_UNSUPPORTED";
53
- constructor();
54
- }
55
- //# sourceMappingURL=crossApex.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"crossApex.d.ts","sourceRoot":"","sources":["../../../../src/utils/crossApex.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAIH;;;;;;;;;;GAUG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,GAAE,MAAM,GAAG,SAEN,GACZ,OAAO,CAMT;AAED;;;;;;;;GAQG;AACH,qBAAa,0BAA2B,SAAQ,KAAK;IACnD,SAAkB,IAAI,gCAAgC;IACtD,QAAQ,CAAC,IAAI,2CAA2C;;CASzD"}