@oxyhq/services 5.17.17 → 5.17.18

package/lib/typescript/core/mixins/index.d.ts

@@ -11,6 +11,11 @@ import { OxyServicesBase } from '../OxyServices.base';
  * Order matters for mixins - dependencies should be applied first.
  * This function ensures consistent composition across the codebase.
  *
+ * New cross-domain auth mixins added:
+ * - FedCM: Modern browser-native identity federation (Google-style)
+ * - Popup: OAuth2-style popup authentication
+ * - Redirect: Traditional redirect-based authentication
+ *
  * @returns The fully composed OxyServices class with all mixins applied
  */
 export declare function composeOxyServices(): {
@@ -756,12 +761,219 @@ export declare function composeOxyServices(): {
     __resetTokensForTests(): void;
 } & {
     new (...args: any[]): {
-        registerIdentity(publicKey: string): Promise<{
-            userId: string;
+        signInWithRedirect(options?: import("./OxyServices.redirect").RedirectAuthOptions): void;
+        signUpWithRedirect(options?: import("./OxyServices.redirect").RedirectAuthOptions): void;
+        handleAuthCallback(): import("..").SessionLoginResponse | null;
+        restoreSession(): boolean;
+        clearStoredSession(): void;
+        getStoredSessionId(): string | null;
+        buildAuthUrl(params: {
+            mode: string;
+            redirectUri: string;
+            state: string;
+            nonce: string;
+            clientId: string;
+        }): string;
+        storeTokens(accessToken: string, sessionId: string): void;
+        generateState(): string;
+        generateNonce(): string;
+        storeAuthState(state: string, nonce: string): void;
+        getStoredState(): string | null;
+        clearAuthState(): void;
+        savePreAuthUrl(url: string): void;
+        cleanAuthCallbackUrl(url: URL): void;
+        httpService: import("../HttpService").HttpService;
+        cloudURL: string;
+        config: import("../OxyServices.base").OxyConfig;
+        makeRequest<T>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T>;
+        getBaseURL(): string;
+        getClient(): import("../HttpService").HttpService;
+        getMetrics(): {
+            totalRequests: number;
+            successfulRequests: number;
+            failedRequests: number;
+            cacheHits: number;
+            cacheMisses: number;
+            averageResponseTime: number;
+        };
+        clearCache(): void;
+        clearCacheEntry(key: string): void;
+        getCacheStats(): {
+            size: number;
+            hits: number;
+            misses: number;
+            hitRate: number;
+        };
+        getCloudURL(): string;
+        setTokens(accessToken: string, refreshToken?: string): void;
+        clearTokens(): void;
+        getCurrentUserId(): string | null;
+        hasValidToken(): boolean;
+        getAccessToken(): string | null;
+        waitForAuth(timeoutMs?: number): Promise<boolean>;
+        withAuthRetry<T>(operation: () => Promise<T>, operationName: string, options?: {
+            maxRetries?: number;
+            retryDelay?: number;
+            authTimeoutMs?: number;
+        }): Promise<T>;
+        validate(): Promise<boolean>;
+        handleError(error: unknown): Error;
+        healthCheck(): Promise<{
+            status: string;
+            users?: number;
+            timestamp?: string;
+            [key: string]: any;
+        }>;
+    };
+    readonly AUTH_URL: "https://auth.oxy.so";
+    readonly TOKEN_STORAGE_KEY: "oxy_access_token";
+    readonly SESSION_STORAGE_KEY: "oxy_session_id";
+    readonly STATE_STORAGE_KEY: "oxy_auth_state";
+    readonly PRE_AUTH_URL_KEY: "oxy_pre_auth_url";
+    readonly NONCE_STORAGE_KEY: "oxy_auth_nonce";
+    __resetTokensForTests(): void;
+} & {
+    new (...args: any[]): {
+        signInWithPopup(options?: import("./OxyServices.popup").PopupAuthOptions): Promise<import("..").SessionLoginResponse>;
+        signUpWithPopup(options?: import("./OxyServices.popup").PopupAuthOptions): Promise<import("..").SessionLoginResponse>;
+        silentSignIn(options?: import("./OxyServices.popup").SilentAuthOptions): Promise<import("..").SessionLoginResponse | null>;
+        openCenteredPopup(url: string, title: string, width: number, height: number): Window | null;
+        waitForPopupAuth(popup: Window, expectedState: string, timeout: number): Promise<import("..").SessionLoginResponse>;
+        waitForIframeAuth(iframe: HTMLIFrameElement, timeout: number, expectedOrigin: string): Promise<import("..").SessionLoginResponse | null>;
+        buildAuthUrl(params: {
+            mode: string;
+            state: string;
+            nonce: string;
+            clientId: string;
+            redirectUri: string;
+        }): string;
+        generateState(): string;
+        generateNonce(): string;
+        storeAuthState(state: string, nonce: string): void;
+        clearAuthState(state: string): void;
+        httpService: import("../HttpService").HttpService;
+        cloudURL: string;
+        config: import("../OxyServices.base").OxyConfig;
+        makeRequest<T>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T>;
+        getBaseURL(): string;
+        getClient(): import("../HttpService").HttpService;
+        getMetrics(): {
+            totalRequests: number;
+            successfulRequests: number;
+            failedRequests: number;
+            cacheHits: number;
+            cacheMisses: number;
+            averageResponseTime: number;
+        };
+        clearCache(): void;
+        clearCacheEntry(key: string): void;
+        getCacheStats(): {
+            size: number;
+            hits: number;
+            misses: number;
+            hitRate: number;
+        };
+        getCloudURL(): string;
+        setTokens(accessToken: string, refreshToken?: string): void;
+        clearTokens(): void;
+        getCurrentUserId(): string | null;
+        hasValidToken(): boolean;
+        getAccessToken(): string | null;
+        waitForAuth(timeoutMs?: number): Promise<boolean>;
+        withAuthRetry<T>(operation: () => Promise<T>, operationName: string, options?: {
+            maxRetries?: number;
+            retryDelay?: number;
+            authTimeoutMs?: number;
+        }): Promise<T>;
+        validate(): Promise<boolean>;
+        handleError(error: unknown): Error;
+        healthCheck(): Promise<{
+            status: string;
+            users?: number;
+            timestamp?: string;
+            [key: string]: any;
+        }>;
+    };
+    readonly AUTH_URL: "https://auth.oxy.so";
+    readonly POPUP_WIDTH: 500;
+    readonly POPUP_HEIGHT: 700;
+    readonly POPUP_TIMEOUT: 60000;
+    readonly SILENT_TIMEOUT: 5000;
+    __resetTokensForTests(): void;
+} & {
+    new (...args: any[]): {
+        isFedCMSupported(): boolean;
+        signInWithFedCM(options?: import("./OxyServices.fedcm").FedCMAuthOptions): Promise<import("..").SessionLoginResponse>;
+        silentSignInWithFedCM(): Promise<import("..").SessionLoginResponse | null>;
+        requestIdentityCredential(options: {
+            configURL: string;
+            clientId: string;
+            nonce: string;
+            context?: string;
+            mediation?: "silent" | "optional" | "required";
+        }): Promise<{
+            token: string;
+        } | null>;
+        exchangeIdTokenForSession(idToken: string): Promise<import("..").SessionLoginResponse>;
+        revokeFedCMCredential(): Promise<void>;
+        getFedCMConfig(): import("./OxyServices.fedcm").FedCMConfig;
+        generateNonce(): string;
+        getClientId(): string;
+        httpService: import("../HttpService").HttpService;
+        cloudURL: string;
+        config: import("../OxyServices.base").OxyConfig;
+        makeRequest<T>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T>;
+        getBaseURL(): string;
+        getClient(): import("../HttpService").HttpService;
+        getMetrics(): {
+            totalRequests: number;
+            successfulRequests: number;
+            failedRequests: number;
+            cacheHits: number;
+            cacheMisses: number;
+            averageResponseTime: number;
+        };
+        clearCache(): void;
+        clearCacheEntry(key: string): void;
+        getCacheStats(): {
+            size: number;
+            hits: number;
+            misses: number;
+            hitRate: number;
+        };
+        getCloudURL(): string;
+        setTokens(accessToken: string, refreshToken?: string): void;
+        clearTokens(): void;
+        getCurrentUserId(): string | null;
+        hasValidToken(): boolean;
+        getAccessToken(): string | null;
+        waitForAuth(timeoutMs?: number): Promise<boolean>;
+        withAuthRetry<T>(operation: () => Promise<T>, operationName: string, options?: {
+            maxRetries?: number;
+            retryDelay?: number;
+            authTimeoutMs?: number;
+        }): Promise<T>;
+        validate(): Promise<boolean>;
+        handleError(error: unknown): Error;
+        healthCheck(): Promise<{
+            status: string;
+            users?: number;
+            timestamp?: string;
+            [key: string]: any;
+        }>;
+    };
+    readonly DEFAULT_CONFIG_URL: "https://auth.oxy.so/fedcm.json";
+    readonly FEDCM_TIMEOUT: 60000;
+    isFedCMSupported(): boolean;
+    __resetTokensForTests(): void;
+} & {
+    new (...args: any[]): {
+        register(publicKey: string, signature: string, timestamp: number): Promise<{
+            message: string;
             user: import("..").User;
         }>;
-        requestChallenge(userId: string): Promise<import("./OxyServices.auth").ChallengeResponse>;
-        verifyChallenge(userId: string, nonce: string, signature: string, timestamp: number, deviceName?: string, deviceFingerprint?: string): Promise<import("..").SessionLoginResponse>;
+        requestChallenge(publicKey: string): Promise<import("./OxyServices.auth").ChallengeResponse>;
+        verifyChallenge(publicKey: string, challenge: string, signature: string, timestamp: number, deviceName?: string, deviceFingerprint?: string): Promise<import("..").SessionLoginResponse>;
         checkPublicKeyRegistered(publicKey: string): Promise<import("./OxyServices.auth").PublicKeyCheckResponse>;
         getUserByPublicKey(publicKey: string): Promise<import("..").User>;
         getUserBySession(sessionId: string): Promise<import("..").User>;
@@ -769,12 +981,9 @@ export declare function composeOxyServices(): {
             sessionId: string;
             user: import("..").User | null;
         }[]>;
-        getTokenBySession(sessionId: string, deviceId?: string): Promise<{
+        getTokenBySession(sessionId: string): Promise<{
             accessToken: string;
-            refreshToken: string;
             expiresAt: string;
-            sessionId: string;
-            deviceId: string;
         }>;
         getSessionsBySessionId(sessionId: string): Promise<any[]>;
         logoutSession(sessionId: string, targetSessionId?: string): Promise<void>;
@@ -798,6 +1007,9 @@ export declare function composeOxyServices(): {
             available: boolean;
             message: string;
         }>;
+        signUp(username: string, email: string, password: string, deviceName?: string, deviceFingerprint?: any): Promise<import("..").SessionLoginResponse>;
+        signIn(identifier: string, password: string, deviceName?: string, deviceFingerprint?: any): Promise<import("..").SessionLoginResponse>;
+        signInWithEmail(email: string, password: string, deviceName?: string, deviceFingerprint?: any): Promise<import("..").SessionLoginResponse>;
         httpService: import("../HttpService").HttpService;
         cloudURL: string;
         config: import("../OxyServices.base").OxyConfig;

package/lib/typescript/core/mixins/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/core/mixins/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAetD;;;;;;;GAOG;AACH,wBAAgB,kBAAkB;;;;;;;;;;;;;aA4B4d,QAAQ,EAAC,QAAS,EAAC,SAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAAigG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;2BAFtoN"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/core/mixins/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAkBtD;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB;;;;;;;;;;;;;aAkBe,QAAQ,EAAC,QAAS,EAAC,SAC5D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAiBghG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAA3mG,CAAC;sBAA0B,CAAC;yBAA6B,CAAC;;;;;;iBAAuhG,CAAC;qBAAwB,CAAC;;;;;2BAFloM"}

package/lib/typescript/crypto/index.d.ts

@@ -1,9 +1,12 @@
 /**
  * Oxy Crypto Module
  *
- * Provides type definitions and polyfills for crypto operations.
- * Identity management (KeyManager, SignatureService) belongs ONLY in the Accounts app.
+ * Provides cryptographic identity management for the Oxy ecosystem.
+ * Handles key generation, secure storage, digital signatures, and recovery phrases.
  */
 import './polyfill';
-export { type BackupData } from './types';
+export { KeyManager, type KeyPair } from './keyManager';
+export { SignatureService, type SignedMessage, type AuthChallenge } from './signatureService';
+export { RecoveryPhraseService, type RecoveryPhraseResult } from './recoveryPhrase';
+export { KeyManager as default } from './keyManager';
 //# sourceMappingURL=index.d.ts.map

package/lib/typescript/crypto/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/crypto/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,YAAY,CAAC;AAGpB,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,SAAS,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/crypto/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,YAAY,CAAC;AAEpB,OAAO,EAAE,UAAU,EAAE,KAAK,OAAO,EAAE,MAAM,cAAc,CAAC;AACxD,OAAO,EACL,gBAAgB,EAChB,KAAK,aAAa,EAClB,KAAK,aAAa,EACnB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,qBAAqB,EACrB,KAAK,oBAAoB,EAC1B,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EAAE,UAAU,IAAI,OAAO,EAAE,MAAM,cAAc,CAAC"}

package/lib/typescript/crypto/keyManager.d.ts

@@ -0,0 +1,190 @@
+/**
+ * Key Manager - ECDSA secp256k1 Key Generation and Storage
+ *
+ * Handles secure generation, storage, and retrieval of cryptographic keys.
+ * Private keys are stored securely using expo-secure-store and never leave the device.
+ */
+import type { ECKeyPair } from 'elliptic';
+export interface KeyPair {
+    publicKey: string;
+    privateKey: string;
+}
+export declare class KeyManager {
+    private static cachedPublicKey;
+    private static cachedHasIdentity;
+    private static cachedSharedPublicKey;
+    private static cachedHasSharedIdentity;
+    /**
+     * Invalidate cached identity state
+     * Called internally when identity is created/deleted/imported
+     */
+    private static invalidateCache;
+    /**
+     * Invalidate cached shared identity state
+     * Called internally when shared identity is created/deleted/imported
+     */
+    private static invalidateSharedCache;
+    /**
+     * Generate a new ECDSA secp256k1 key pair
+     * Returns the keys in hexadecimal format
+     */
+    static generateKeyPairSync(): KeyPair;
+    /**
+     * Generate a new key pair using secure random bytes
+     */
+    static generateKeyPair(): Promise<KeyPair>;
+    /**
+     * Create a shared identity accessible across all Oxy apps
+     *
+     * iOS: Stores in shared keychain group (requires entitlement configuration)
+     * Android: Stores in Account Manager (requires sharedUserId in manifest)
+     *
+     * This enables true cross-app SSO - when user signs in to one Oxy app,
+     * they're automatically signed in to all other Oxy apps.
+     *
+     * @returns Public key of the shared identity
+     * @throws Error if not on native platform or if sharing is not configured
+     */
+    static createSharedIdentity(): Promise<string>;
+    /**
+     * Get the shared public key (accessible across all Oxy apps)
+     *
+     * @returns Shared public key or null if no shared identity exists
+     */
+    static getSharedPublicKey(): Promise<string | null>;
+    /**
+     * Get the shared private key (for signing operations)
+     *
+     * WARNING: Only use this for signing operations within the app.
+     * The private key should NEVER be transmitted or exposed.
+     *
+     * @returns Shared private key or null if no shared identity exists
+     */
+    static getSharedPrivateKey(): Promise<string | null>;
+    /**
+     * Check if a shared identity exists (accessible across all Oxy apps)
+     *
+     * @returns True if shared identity exists, false otherwise
+     */
+    static hasSharedIdentity(): Promise<boolean>;
+    /**
+     * Import an existing key pair as shared identity
+     *
+     * This is used when:
+     * 1. User signs in to a new Oxy app for the first time
+     * 2. User has existing identity on another Oxy app
+     * 3. We want to sync the identity across apps
+     *
+     * @param privateKey - Private key in hex format
+     * @returns Public key
+     */
+    static importSharedIdentity(privateKey: string): Promise<string>;
+    /**
+     * Store session information in shared storage
+     *
+     * This allows all Oxy apps to access the same session without
+     * re-authenticating. When user signs in to one app, all apps
+     * get the session automatically.
+     *
+     * @param sessionId - Session ID from authentication
+     * @param accessToken - Access token for API calls
+     */
+    static storeSharedSession(sessionId: string, accessToken: string): Promise<void>;
+    /**
+     * Get shared session information
+     *
+     * This allows any Oxy app to check if user is already signed in
+     * via another Oxy app. Enables instant cross-app SSO.
+     *
+     * @returns Session data or null if no shared session exists
+     */
+    static getSharedSession(): Promise<{
+        sessionId: string;
+        accessToken: string;
+    } | null>;
+    /**
+     * Clear shared session (on logout)
+     *
+     * This signs out the user from ALL Oxy apps simultaneously.
+     * Call this when user explicitly logs out.
+     */
+    static clearSharedSession(): Promise<void>;
+    /**
+     * Migrate local identity to shared identity
+     *
+     * Call this when upgrading existing apps to use shared identities.
+     * Copies the device-specific identity to shared storage so it can
+     * be accessed by other Oxy apps.
+     *
+     * @returns True if migration was successful, false if no local identity exists
+     */
+    static migrateToSharedIdentity(): Promise<boolean>;
+    /**
+     * Generate and securely store a new key pair on the device
+     * Returns only the public key (private key is stored securely)
+     */
+    static createIdentity(): Promise<string>;
+    /**
+     * Import an existing key pair (e.g., from recovery phrase)
+     */
+    static importKeyPair(privateKey: string): Promise<string>;
+    /**
+     * Get the stored private key
+     * WARNING: Only use this for signing operations within the app
+     */
+    static getPrivateKey(): Promise<string | null>;
+    /**
+     * Get the stored public key (cached for performance)
+     */
+    static getPublicKey(): Promise<string | null>;
+    /**
+     * Check if an identity (key pair) exists on this device (cached for performance)
+     */
+    static hasIdentity(): Promise<boolean>;
+    /**
+     * Delete the stored identity (both keys)
+     * Use with EXTREME caution - this is irreversible without a recovery phrase
+     * This should ONLY be called when explicitly requested by the user
+     * @param skipBackup - If true, skip backup before deletion (default: false)
+     * @param force - If true, skip confirmation checks (default: false)
+     * @param userConfirmed - If true, user has explicitly confirmed deletion (default: false)
+     */
+    static deleteIdentity(skipBackup?: boolean, force?: boolean, userConfirmed?: boolean): Promise<void>;
+    /**
+     * Backup identity to SecureStore (separate backup storage)
+     * This provides a recovery mechanism if primary storage fails
+     */
+    static backupIdentity(): Promise<boolean>;
+    /**
+     * Verify identity integrity - checks if keys are valid and accessible
+     */
+    static verifyIdentityIntegrity(): Promise<boolean>;
+    /**
+     * Restore identity from backup if primary storage is corrupted
+     */
+    static restoreIdentityFromBackup(): Promise<boolean>;
+    /**
+     * Get the elliptic curve key object from the stored private key
+     * Used internally for signing operations
+     */
+    static getKeyPairObject(): Promise<ECKeyPair | null>;
+    /**
+     * Derive public key from a private key (without storing)
+     */
+    static derivePublicKey(privateKey: string): string;
+    /**
+     * Validate that a string is a valid public key
+     */
+    static isValidPublicKey(publicKey: string): boolean;
+    /**
+     * Validate that a string is a valid private key
+     */
+    static isValidPrivateKey(privateKey: string): boolean;
+    /**
+     * Get a shortened version of the public key for display
+     * Format: first 8 chars...last 8 chars
+     */
+    static shortenPublicKey(publicKey: string): string;
+}
+export default KeyManager;
+//# sourceMappingURL=keyManager.d.ts.map

package/lib/typescript/crypto/keyManager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyManager.d.ts","sourceRoot":"","sources":["../../../src/crypto/keyManager.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AA2H1C,MAAM,WAAW,OAAO;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,qBAAa,UAAU;IAErB,OAAO,CAAC,MAAM,CAAC,eAAe,CAAuB;IACrD,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAAwB;IACxD,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAAuB;IAC3D,OAAO,CAAC,MAAM,CAAC,uBAAuB,CAAwB;IAE9D;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,eAAe;IAK9B;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,qBAAqB;IAKpC;;;OAGG;IACH,MAAM,CAAC,mBAAmB,IAAI,OAAO;IAQrC;;OAEG;WACU,eAAe,IAAI,OAAO,CAAC,OAAO,CAAC;IAiBhD;;;;;;;;;;;OAWG;WACU,oBAAoB,IAAI,OAAO,CAAC,MAAM,CAAC;IA8CpD;;;;OAIG;WACU,kBAAkB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAmCzD;;;;;;;OAOG;WACU,mBAAmB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IA0B1D;;;;OAIG;WACU,iBAAiB,IAAI,OAAO,CAAC,OAAO,CAAC;IA2BlD;;;;;;;;;;OAUG;WACU,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAqCtE;;;;;;;;;OASG;WACU,kBAAkB,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAiCtF;;;;;;;OAOG;WACU,gBAAgB,IAAI,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAoC3F;;;;;OAKG;WACU,kBAAkB,IAAI,OAAO,CAAC,IAAI,CAAC;IA8BhD;;;;;;;;OAQG;WACU,uBAAuB,IAAI,OAAO,CAAC,OAAO,CAAC;IA0CxD;;;OAGG;WACU,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC;IAoB9C;;OAEG;WACU,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAqB/D;;;OAGG;WACU,aAAa,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAiBpD;;OAEG;WACU,YAAY,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IA2BnD;;OAEG;WACU,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IA2B5C;;;;;;;OAOG;WACU,cAAc,CACzB,UAAU,GAAE,OAAe,EAC3B,KAAK,GAAE,OAAe,EACtB,aAAa,GAAE,OAAe,GAC7B,OAAO,CAAC,IAAI,CAAC;IAkDhB;;;OAGG;WACU,cAAc,IAAI,OAAO,CAAC,OAAO,CAAC;IA6B/C;;OAEG;WACU,uBAAuB,IAAI,OAAO,CAAC,OAAO,CAAC;IA2CxD;;OAEG;WACU,yBAAyB,IAAI,OAAO,CAAC,OAAO,CAAC;IAsD1D;;;OAGG;WACU,gBAAgB,IAAI,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IAS1D;;OAEG;IACH,MAAM,CAAC,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM;IAKlD;;OAEG;IACH,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;IASnD;;OAEG;IACH,MAAM,CAAC,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;IAWrD;;;OAGG;IACH,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;CAInD;AAED,eAAe,UAAU,CAAC"}

package/lib/typescript/crypto/polyfill.d.ts

@@ -5,8 +5,9 @@
  * before any crypto operations are performed.
  *
  * Polyfills included:
- * - Buffer: Required by crypto libraries
- * - crypto.getRandomValues: Required for secure random number generation
+ * - Buffer: Required by bip39 and other crypto libraries
+ * - crypto.getRandomValues: Required by bip39 for secure random number generation
  */
-export {};
+import { Buffer } from 'buffer';
+export { Buffer };
 //# sourceMappingURL=polyfill.d.ts.map

package/lib/typescript/crypto/polyfill.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"polyfill.d.ts","sourceRoot":"","sources":["../../../src/crypto/polyfill.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG"}
+{"version":3,"file":"polyfill.d.ts","sourceRoot":"","sources":["../../../src/crypto/polyfill.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAkEhC,OAAO,EAAE,MAAM,EAAE,CAAC"}

package/lib/typescript/crypto/recoveryPhrase.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Recovery Phrase Service - BIP39 Mnemonic Generation
+ *
+ * Handles generation and restoration of recovery phrases (mnemonic seeds)
+ * for backing up and restoring user identities.
+ *
+ * Note: This module requires the polyfill to be loaded first (done via crypto/index.ts)
+ */
+export interface RecoveryPhraseResult {
+    phrase: string;
+    words: string[];
+    publicKey: string;
+}
+export declare class RecoveryPhraseService {
+    /**
+     * Generate a new identity with a recovery phrase
+     * Returns the mnemonic phrase (should only be shown once to the user)
+     */
+    static generateIdentityWithRecovery(): Promise<RecoveryPhraseResult>;
+    /**
+     * Generate a 24-word recovery phrase for higher security
+     */
+    static generateIdentityWithRecovery24(): Promise<RecoveryPhraseResult>;
+    /**
+     * Restore an identity from a recovery phrase
+     */
+    static restoreFromPhrase(phrase: string): Promise<string>;
+    /**
+     * Validate a recovery phrase without importing it
+     */
+    static validatePhrase(phrase: string): boolean;
+    /**
+     * Get the word list for autocomplete/validation
+     */
+    static getWordList(): string[];
+    /**
+     * Check if a word is valid in the BIP39 word list
+     */
+    static isValidWord(word: string): boolean;
+    /**
+     * Get suggestions for a partial word
+     */
+    static getSuggestions(partial: string, limit?: number): string[];
+    /**
+     * Derive the public key from a phrase without storing
+     * Useful for verification before importing
+     */
+    static derivePublicKeyFromPhrase(phrase: string): Promise<string>;
+    /**
+     * Convert a phrase to its word array
+     */
+    static phraseToWords(phrase: string): string[];
+    /**
+     * Convert a word array to a phrase string
+     */
+    static wordsToPhrase(words: string[]): string;
+}
+export default RecoveryPhraseService;
+//# sourceMappingURL=recoveryPhrase.d.ts.map

package/lib/typescript/crypto/recoveryPhrase.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"recoveryPhrase.d.ts","sourceRoot":"","sources":["../../../src/crypto/recoveryPhrase.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAiBH,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,qBAAa,qBAAqB;IAChC;;;OAGG;WACU,4BAA4B,IAAI,OAAO,CAAC,oBAAoB,CAAC;IAsB1E;;OAEG;WACU,8BAA8B,IAAI,OAAO,CAAC,oBAAoB,CAAC;IAgB5E;;OAEG;WACU,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAmB/D;;OAEG;IACH,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAK9C;;OAEG;IACH,MAAM,CAAC,WAAW,IAAI,MAAM,EAAE;IAI9B;;OAEG;IACH,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAIzC;;OAEG;IACH,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,GAAE,MAAU,GAAG,MAAM,EAAE;IAOnE;;;OAGG;WACU,yBAAyB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAcvE;;OAEG;IACH,MAAM,CAAC,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE;IAI9C;;OAEG;IACH,MAAM,CAAC,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,MAAM;CAG9C;AAED,eAAe,qBAAqB,CAAC"}

package/lib/typescript/crypto/signatureService.d.ts

@@ -0,0 +1,87 @@
+/**
+ * Signature Service - ECDSA Digital Signatures
+ *
+ * Handles signing and verification of messages using ECDSA secp256k1.
+ * Used for authenticating requests and proving identity ownership.
+ */
+export interface SignedMessage {
+    message: string;
+    signature: string;
+    publicKey: string;
+    timestamp: number;
+}
+export interface AuthChallenge {
+    challenge: string;
+    publicKey: string;
+    timestamp: number;
+}
+export declare class SignatureService {
+    /**
+     * Generate a random challenge string (for offline use)
+     * Uses expo-crypto in React Native, crypto.randomBytes in Node.js
+     */
+    static generateChallenge(): Promise<string>;
+    /**
+     * Hash a message using SHA-256
+     */
+    static hashMessage(message: string): Promise<string>;
+    /**
+     * Sign a message using the stored private key
+     * Returns the signature in DER format (hex encoded)
+     */
+    static sign(message: string): Promise<string>;
+    /**
+     * Sign a message with an explicit private key (without storing)
+     * Useful for one-time operations or testing
+     */
+    static signWithKey(message: string, privateKey: string): Promise<string>;
+    /**
+     * Verify a signature against a message and public key
+     */
+    static verify(message: string, signature: string, publicKey: string): Promise<boolean>;
+    /**
+     * Synchronous verification (for Node.js backend)
+     * Uses crypto module directly for hashing
+     * Note: This method should only be used in Node.js environments
+     */
+    static verifySync(message: string, signature: string, publicKey: string): boolean;
+    /**
+     * Create a signed message object with metadata
+     */
+    static createSignedMessage(message: string): Promise<SignedMessage>;
+    /**
+     * Verify a signed message object
+     * Checks both signature validity and timestamp freshness
+     */
+    static verifySignedMessage(signedMessage: SignedMessage, maxAgeMs?: number): Promise<boolean>;
+    /**
+     * Create a signed authentication challenge response
+     * Used for challenge-response authentication
+     */
+    static signChallenge(challenge: string): Promise<AuthChallenge>;
+    /**
+     * Verify a challenge response
+     */
+    static verifyChallengeResponse(originalChallenge: string, response: AuthChallenge, maxAgeMs?: number): Promise<boolean>;
+    /**
+     * Create a registration signature
+     * Used when registering a new identity with the server
+     * Format matches server expectation: oxy:register:{publicKey}:{timestamp}
+     */
+    static createRegistrationSignature(): Promise<{
+        signature: string;
+        publicKey: string;
+        timestamp: number;
+    }>;
+    /**
+     * Sign arbitrary data for API requests
+     * Creates a canonical string representation and signs it
+     */
+    static signRequestData(data: Record<string, unknown>): Promise<{
+        signature: string;
+        publicKey: string;
+        timestamp: number;
+    }>;
+}
+export default SignatureService;
+//# sourceMappingURL=signatureService.d.ts.map

package/lib/typescript/crypto/signatureService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signatureService.d.ts","sourceRoot":"","sources":["../../../src/crypto/signatureService.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAiEH,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,qBAAa,gBAAgB;IAC3B;;;OAGG;WACU,iBAAiB,IAAI,OAAO,CAAC,MAAM,CAAC;IA0BjD;;OAEG;WACU,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAI1D;;;OAGG;WACU,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAWnD;;;OAGG;WACU,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAO9E;;OAEG;WACU,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAU5F;;;;OAIG;IACH,MAAM,CAAC,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO;IAkBjF;;OAEG;WACU,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAkBzE;;;OAGG;WACU,mBAAmB,CAC9B,aAAa,EAAE,aAAa,EAC5B,QAAQ,GAAE,MAAsB,GAC/B,OAAO,CAAC,OAAO,CAAC;IAcnB;;;OAGG;WACU,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAiBrE;;OAEG;WACU,uBAAuB,CAClC,iBAAiB,EAAE,MAAM,EACzB,QAAQ,EAAE,aAAa,EACvB,QAAQ,GAAE,MAAsB,GAC/B,OAAO,CAAC,OAAO,CAAC;IAanB;;;;OAIG;WACU,2BAA2B,IAAI,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAiBhH;;;OAGG;WACU,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC;QACnE,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;CAsBH;AAED,eAAe,gBAAgB,CAAC"}