@oxyhq/services 8.4.3 → 8.6.0

package/lib/typescript/module/ui/context/OxyContext.d.ts

@@ -14,6 +14,21 @@ export interface OxyContextState {
     isAuthenticated: boolean;
     isLoading: boolean;
     isTokenReady: boolean;
+    /**
+     * Whether the initial auth determination has concluded.
+     *
+     * `false` from mount until the FIRST cold-boot session restore finishes —
+     * during that window `isAuthenticated: false` is UNDETERMINED, not a
+     * definitive "logged out". Flips to `true` exactly once the restore concludes
+     * (a session was committed OR none exists) and never reverts. Consumers should
+     * defer their first auth-dependent fetch until this is `true` so a cold-boot
+     * web reload with an existing session does not fetch anonymous data.
+     *
+     * On native, cold boot runs only the `stored-session` step, so this resolves
+     * promptly. It is set in the restore `finally`, so the success, no-session,
+     * and error paths all reach `true` — it can never get stuck `false`.
+     */
+    isAuthResolved: boolean;
     isStorageReady: boolean;
     error: string | null;
     currentLanguage: string;

package/lib/typescript/module/ui/context/OxyContext.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"OxyContext.d.ts","sourceRoot":"","sources":["../../../../../src/ui/context/OxyContext.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAC/B,OAAO,EAQL,KAAK,SAAS,EACf,MAAM,OAAO,CAAC;AACf,OAAO,EAAE,WAAW,EAAa,MAAM,aAAa,CAAC;AACrD,OAAO,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACxE,OAAO,KAAK,EAAE,cAAc,EAAE,yBAAyB,EAAE,MAAM,aAAa,CAAC;AAE7E,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAqBjD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AAOvE,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAStD,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;IAClB,QAAQ,EAAE,aAAa,EAAE,CAAC;IAC1B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,eAAe,EAAE,OAAO,CAAC;IACzB,SAAS,EAAE,OAAO,CAAC;IACnB,YAAY,EAAE,OAAO,CAAC;IACtB,cAAc,EAAE,OAAO,CAAC;IACxB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,uBAAuB,EAAE,UAAU,CAAC,OAAO,qBAAqB,CAAC,CAAC,UAAU,CAAC,CAAC;IAC9E,mBAAmB,EAAE,MAAM,CAAC;IAC5B,yBAAyB,EAAE,MAAM,CAAC;IAGlC,WAAW,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;IACpC,YAAY,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAG3C,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAElE;;;OAGG;IACH,kBAAkB,EAAE,CAAC,OAAO,EAAE,oBAAoB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAGrE,MAAM,EAAE,CAAC,eAAe,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,SAAS,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,eAAe,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IACrC,WAAW,EAAE,CAAC,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACnD,iBAAiB,EAAE,MAAM,OAAO,CAC9B,KAAK,CAAC;QACJ,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,MAAM,CAAC;QACjB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,CAAC,CACH,CAAC;IACF,uBAAuB,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,gBAAgB,EAAE,CAAC,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACxD,iBAAiB,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IACvC,mBAAmB,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IACzC,gBAAgB,EAAE,MAAM,CAAC;IACzB,WAAW,EAAE,WAAW,CAAC;IACzB,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,eAAe,CAAC,EAAE,CAAC,cAAc,EAAE,SAAS,GAAG;QAAE,MAAM,EAAE,SAAS,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,KAAK,IAAI,CAAC;IAC/G,gBAAgB,EAAE,MAAM,IAAI,CAAC;IAG7B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,eAAe,EAAE,cAAc,EAAE,CAAC;IAClC,WAAW,EAAE,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,KAAK,IAAI,CAAC;IAC7C,sBAAsB,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5C,oBAAoB,EAAE,CAAC,IAAI,EAAE,yBAAyB,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;CACpF;AAED,QAAA,MAAM,UAAU,uCAA8C,CAAC;AAM/D,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,SAAS,CAAC;IACpB,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,iBAAiB,CAAC,EAAE,CAAC,IAAI,EAAE,IAAI,GAAG,IAAI,KAAK,IAAI,CAAC;IAChD,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,QAAQ,KAAK,IAAI,CAAC;CACrC;AAkGD,eAAO,MAAM,WAAW,EAAE,KAAK,CAAC,EAAE,CAAC,uBAAuB,CAqwCzD,CAAC;AAEF,eAAO,MAAM,kBAAkB,mCAAc,CAAC;AA0D9C,eAAO,MAAM,MAAM,QAAO,eAMzB,CAAC;AAEF,eAAe,UAAU,CAAC"}
+{"version":3,"file":"OxyContext.d.ts","sourceRoot":"","sources":["../../../../../src/ui/context/OxyContext.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAC/B,OAAO,EAQL,KAAK,SAAS,EACf,MAAM,OAAO,CAAC;AACf,OAAO,EAAE,WAAW,EAAa,MAAM,aAAa,CAAC;AACrD,OAAO,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACxE,OAAO,KAAK,EAAE,cAAc,EAAE,yBAAyB,EAAE,MAAM,aAAa,CAAC;AAE7E,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAqBjD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AAOvE,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAStD,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;IAClB,QAAQ,EAAE,aAAa,EAAE,CAAC;IAC1B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,eAAe,EAAE,OAAO,CAAC;IACzB,SAAS,EAAE,OAAO,CAAC;IACnB,YAAY,EAAE,OAAO,CAAC;IACtB;;;;;;;;;;;;;OAaG;IACH,cAAc,EAAE,OAAO,CAAC;IACxB,cAAc,EAAE,OAAO,CAAC;IACxB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,uBAAuB,EAAE,UAAU,CAAC,OAAO,qBAAqB,CAAC,CAAC,UAAU,CAAC,CAAC;IAC9E,mBAAmB,EAAE,MAAM,CAAC;IAC5B,yBAAyB,EAAE,MAAM,CAAC;IAGlC,WAAW,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;IACpC,YAAY,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAG3C,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAElE;;;OAGG;IACH,kBAAkB,EAAE,CAAC,OAAO,EAAE,oBAAoB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAGrE,MAAM,EAAE,CAAC,eAAe,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,SAAS,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,eAAe,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IACrC,WAAW,EAAE,CAAC,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACnD,iBAAiB,EAAE,MAAM,OAAO,CAC9B,KAAK,CAAC;QACJ,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,MAAM,CAAC;QACjB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,CAAC,CACH,CAAC;IACF,uBAAuB,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,gBAAgB,EAAE,CAAC,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACxD,iBAAiB,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IACvC,mBAAmB,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IACzC,gBAAgB,EAAE,MAAM,CAAC;IACzB,WAAW,EAAE,WAAW,CAAC;IACzB,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,eAAe,CAAC,EAAE,CAAC,cAAc,EAAE,SAAS,GAAG;QAAE,MAAM,EAAE,SAAS,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,KAAK,IAAI,CAAC;IAC/G,gBAAgB,EAAE,MAAM,IAAI,CAAC;IAG7B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,eAAe,EAAE,cAAc,EAAE,CAAC;IAClC,WAAW,EAAE,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,KAAK,IAAI,CAAC;IAC7C,sBAAsB,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5C,oBAAoB,EAAE,CAAC,IAAI,EAAE,yBAAyB,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;CACpF;AAED,QAAA,MAAM,UAAU,uCAA8C,CAAC;AAM/D,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,SAAS,CAAC;IACpB,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,iBAAiB,CAAC,EAAE,CAAC,IAAI,EAAE,IAAI,GAAG,IAAI,KAAK,IAAI,CAAC;IAChD,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,QAAQ,KAAK,IAAI,CAAC;CACrC;AA4HD,eAAO,MAAM,WAAW,EAAE,KAAK,CAAC,EAAE,CAAC,uBAAuB,CA42CzD,CAAC;AAEF,eAAO,MAAM,kBAAkB,mCAAc,CAAC;AA2D9C,eAAO,MAAM,MAAM,QAAO,eAMzB,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/lib/typescript/module/ui/hooks/useAuth.d.ts

@@ -33,6 +33,17 @@ export interface AuthState {
     isLoading: boolean;
     /** Whether the auth token is ready for API calls */
     isReady: boolean;
+    /**
+     * Whether the initial auth determination has concluded.
+     *
+     * `false` from mount until the first cold-boot session restore finishes;
+     * while `false`, `isAuthenticated: false` is UNDETERMINED (not a definitive
+     * "logged out"). Flips to `true` once — when a session is committed or none
+     * is found — and never reverts. Defer the first auth-dependent fetch until
+     * this is `true` so a cold-boot reload with an existing session does not load
+     * anonymous data.
+     */
+    isAuthResolved: boolean;
     /** Current error message, if any */
     error: string | null;
 }

package/lib/typescript/module/ui/hooks/useAuth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useAuth.d.ts","sourceRoot":"","sources":["../../../../../src/ui/hooks/useAuth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAGH,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAGxC,MAAM,WAAW,SAAS;IACxB,4DAA4D;IAC5D,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;IAElB,oCAAoC;IACpC,eAAe,EAAE,OAAO,CAAC;IAEzB,4DAA4D;IAC5D,SAAS,EAAE,OAAO,CAAC;IAEnB,oDAAoD;IACpD,OAAO,EAAE,OAAO,CAAC;IAEjB,oCAAoC;IACpC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,MAAM,WAAW,WAAW;IAC1B;;;;;;;;;;OAUG;IACH,MAAM,EAAE,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAE9E;;OAEG;IACH,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAE7B;;OAEG;IACH,UAAU,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAEhC;;OAEG;IACH,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9B;AAED,MAAM,WAAW,aAAc,SAAQ,SAAS,EAAE,WAAW;IAC3D,6DAA6D;IAC7D,WAAW,EAAE,UAAU,CAAC,OAAO,MAAM,CAAC,CAAC,aAAa,CAAC,CAAC;IACtD,0EAA0E;IAC1E,eAAe,EAAE,UAAU,CAAC,OAAO,MAAM,CAAC,CAAC,iBAAiB,CAAC,CAAC;IAC9D,0CAA0C;IAC1C,gBAAgB,EAAE,UAAU,CAAC,OAAO,MAAM,CAAC,CAAC,kBAAkB,CAAC,CAAC;CACjE;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,IAAI,aAAa,CA2IvC"}
+{"version":3,"file":"useAuth.d.ts","sourceRoot":"","sources":["../../../../../src/ui/hooks/useAuth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAGH,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAGxC,MAAM,WAAW,SAAS;IACxB,4DAA4D;IAC5D,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;IAElB,oCAAoC;IACpC,eAAe,EAAE,OAAO,CAAC;IAEzB,4DAA4D;IAC5D,SAAS,EAAE,OAAO,CAAC;IAEnB,oDAAoD;IACpD,OAAO,EAAE,OAAO,CAAC;IAEjB;;;;;;;;;OASG;IACH,cAAc,EAAE,OAAO,CAAC;IAExB,oCAAoC;IACpC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,MAAM,WAAW,WAAW;IAC1B;;;;;;;;;;OAUG;IACH,MAAM,EAAE,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAE9E;;OAEG;IACH,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAE7B;;OAEG;IACH,UAAU,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAEhC;;OAEG;IACH,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9B;AAED,MAAM,WAAW,aAAc,SAAQ,SAAS,EAAE,WAAW;IAC3D,6DAA6D;IAC7D,WAAW,EAAE,UAAU,CAAC,OAAO,MAAM,CAAC,CAAC,aAAa,CAAC,CAAC;IACtD,0EAA0E;IAC1E,eAAe,EAAE,UAAU,CAAC,OAAO,MAAM,CAAC,CAAC,iBAAiB,CAAC,CAAC;IAC9D,0CAA0C;IAC1C,gBAAgB,EAAE,UAAU,CAAC,OAAO,MAAM,CAAC,CAAC,kBAAkB,CAAC,CAAC;CACjE;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,IAAI,aAAa,CA6IvC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oxyhq/services",
-  "version": "8.4.3",
+  "version": "8.6.0",
   "description": "OxyHQ Expo/React Native SDK — UI components, screens, and native features",
   "main": "lib/commonjs/index.js",
   "module": "lib/module/index.js",
@@ -160,7 +160,7 @@
   "peerDependencies": {
     "@expo/vector-icons": "^15.0.3",
     "@oxyhq/bloom": ">=0.5.0",
-    "@oxyhq/core": "^2.3.0",
+    "@oxyhq/core": "^2.4.0",
     "@react-native-community/netinfo": "^11.4.1",
     "@tanstack/query-async-storage-persister": "^5.100",
     "@tanstack/query-sync-storage-persister": "^5.100",

package/src/ui/context/OxyContext.tsx

@@ -58,6 +58,21 @@ export interface OxyContextState {
   isAuthenticated: boolean;
   isLoading: boolean;
   isTokenReady: boolean;
+  /**
+   * Whether the initial auth determination has concluded.
+   *
+   * `false` from mount until the FIRST cold-boot session restore finishes —
+   * during that window `isAuthenticated: false` is UNDETERMINED, not a
+   * definitive "logged out". Flips to `true` exactly once the restore concludes
+   * (a session was committed OR none exists) and never reverts. Consumers should
+   * defer their first auth-dependent fetch until this is `true` so a cold-boot
+   * web reload with an existing session does not fetch anonymous data.
+   *
+   * On native, cold boot runs only the `stored-session` step, so this resolves
+   * promptly. It is set in the restore `finally`, so the success, no-session,
+   * and error paths all reach `true` — it can never get stuck `false`.
+   */
+  isAuthResolved: boolean;
   isStorageReady: boolean;
   error: string | null;
   currentLanguage: string;
@@ -163,6 +178,32 @@ function silentColdBootKey(oxyServices: OxyServices): string {
   return `${origin}|${baseURL}`;
 }
 
+/**
+ * Per-step fail-fast budget for the cold-boot silent iframe (`silentSignIn`
+ * against the per-apex `/auth/silent` host).
+ *
+ * This step ONLY succeeds when a durable per-apex `fedcm_session` cookie exists
+ * (established by a prior `/sso` bounce). On the common reload of a logged-out
+ * tab — or a tab that restores via the now-earlier stored-session step — the
+ * iframe never posts a message, so the full wait would be dead latency in front
+ * of the terminal `/sso` bounce. `silentSignIn` already fails fast on a load
+ * error via `iframe.onerror`; this caps the no-message case. 2.5s is well above
+ * a same-origin iframe handshake yet a fraction of the legacy 5s default.
+ */
+const SILENT_IFRAME_TIMEOUT = 2500;
+
+/**
+ * Per-step fail-fast budget for the cold-boot refresh-cookie restore
+ * (`refreshAllSessions`).
+ *
+ * On a cross-domain RP the `Domain=oxy.so` refresh cookie never reaches
+ * `api.<apex>`, so this request returns no accounts (or stalls behind a slow
+ * endpoint) with no useful answer. As one cold-boot step it must not block the
+ * fall-through to the terminal `/sso` bounce. 3s bounds the wait while leaving
+ * ample headroom for a genuine first-party `*.oxy.so` rotation round-trip.
+ */
+const COOKIE_RESTORE_TIMEOUT = 3000;
+
 /**
  * Whether `idpOrigin` is a same-site, first-party host of the current page —
  * i.e. it shares the page's registrable apex (last two labels), so a "no
@@ -284,6 +325,15 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   );
 
   const [tokenReady, setTokenReady] = useState(true);
+  // Whether the FIRST cold-boot auth restore has concluded. Starts `false`
+  // (auth undetermined) and flips to `true` exactly once — monotonic, never
+  // reverts. It now flips the MOMENT a session commits (the common reload case
+  // unblocks immediately, without waiting for the rest of the cold-boot chain),
+  // with the restore `finally` as the no-session/error backstop. The ref makes
+  // the flip idempotent across both sites so the setters fire at most once. See
+  // `isAuthResolved` on the context type for the consumer contract.
+  const [authResolved, setAuthResolved] = useState(false);
+  const authResolvedRef = useRef(false);
   const [initialized, setInitialized] = useState(false);
   const setAuthState = useAuthStore.setState;
 
@@ -545,6 +595,26 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   const onAuthStateChangeRef = useRef(onAuthStateChange);
   onAuthStateChangeRef.current = onAuthStateChange;
 
+  // Flip the auth-resolution gate (`authResolved` + `tokenReady`) the MOMENT a
+  // session commits, instead of waiting for the whole cold-boot chain to finish.
+  // Idempotent and monotonic via `authResolvedRef`: the first call wins and the
+  // setters fire at most once, so the restore `finally` backstop becomes a no-op
+  // once a commit site has already marked resolution. Called from EVERY place a
+  // user is actually committed (the FedCM/iframe/redirect/SSO path
+  // `handleWebSSOSession`, the cookie-restore path, and the stored-session path)
+  // so the common reload case unblocks the loading gate without sitting behind
+  // the remaining (now-skipped) cold-boot steps.
+  const markAuthResolved = useCallback(() => {
+    if (authResolvedRef.current) {
+      return;
+    }
+    authResolvedRef.current = true;
+    setTokenReady(true);
+    setAuthResolved(true);
+  }, []);
+  const markAuthResolvedRef = useRef(markAuthResolved);
+  markAuthResolvedRef.current = markAuthResolved;
+
   // `handleWebSSOSession` is declared further down (it depends on values that
   // are only available there). The FedCM/iframe cold-boot steps need to commit
   // a recovered session through it, so we route the call through a ref that is
@@ -578,7 +648,9 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
 
     let snapshot;
     try {
-      snapshot = await oxyServices.refreshAllSessions();
+      // Bound the refresh so a cross-domain/stalled call cannot hang the cold
+      // boot in front of the terminal `/sso` bounce (see COOKIE_RESTORE_TIMEOUT).
+      snapshot = await oxyServices.refreshAllSessions({ timeout: COOKIE_RESTORE_TIMEOUT });
     } catch (fetchError) {
       // Offline / network error — fall through to the cached/stored-session flow.
       if (__DEV__) {
@@ -642,6 +714,9 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
     await persistSessionDurably(activeAccount.sessionId);
 
     loginSuccessRef.current(fullUser);
+    // A session is now committed — unblock the auth-resolution gate immediately
+    // rather than waiting for `runColdBoot` to return (idempotent).
+    markAuthResolvedRef.current();
     onAuthStateChangeRef.current?.(fullUser);
     return true;
   }, [oxyServices, persistSessionDurably]);
@@ -719,6 +794,11 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
     if (storedActiveSessionId) {
       try {
         await switchSessionRef.current(storedActiveSessionId);
+        // The stored session is committed (this is native's ONLY restore path
+        // and the common web reload winner). Unblock the auth-resolution gate
+        // immediately so the loading screen clears without waiting for the
+        // remaining cold-boot steps to be evaluated/short-circuited (idempotent).
+        markAuthResolvedRef.current();
         return true;
       } catch (switchError) {
         // Silently handle expected errors (invalid sessions, timeouts, network issues)
@@ -821,11 +901,21 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   // web-only step is gated by `isWebBrowser()`, so on native ONLY
   // `stored-session` runs.
   //
-  // Order (web): redirect callback → SSO return → FedCM silent (central) →
-  // silent iframe (per-apex, the durable reload path) → cookie restore →
-  // stored session → SSO bounce (terminal). The per-apex silent iframe is what
-  // restores a durable cross-domain session on reload WITHOUT a top-level
-  // bounce, so when it wins `sso-bounce` never fires (no flash, no loop).
+  // Order (web): redirect callback → SSO return → stored session → FedCM silent
+  // (central) → silent iframe (per-apex, the durable reload path) → cookie
+  // restore → SSO bounce (terminal).
+  //
+  // LATENCY (FIX A): `stored-session` runs BEFORE the slow no-redirect probes
+  // (`fedcm-silent`, `silent-iframe`, `cookie-restore`). On a normal reload the
+  // local bearer validates in one round-trip and wins, so `runColdBoot`
+  // short-circuits and never sits through those probes' timeouts (the prior
+  // serial sum was a ~20-30s stall). `redirect` and `sso-return` MUST stay
+  // first — they consume the URL fragment before anything can strip it. On a
+  // first visit with no local session, `stored-session` skips and the
+  // cross-domain fallback chain (fedcm → iframe → cookie → sso-bounce) runs
+  // exactly as before; the per-apex silent iframe still restores a durable
+  // cross-domain session on reload WITHOUT a top-level bounce, so when it wins
+  // `sso-bounce` never fires (no flash, no loop).
   // Order (native): stored session only (every web-only step is disabled
   // off-browser).
   const restoreSessionsFromStorage = useCallback(async (): Promise<void> => {
@@ -839,6 +929,16 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
     const silentKey = silentColdBootKey(oxyServices);
     const fedcmSupported = isWebBrowser() && oxyServices.isFedCMSupported?.() === true;
 
+    // FIX-B precondition flag: set true the instant the (now-earlier)
+    // `stored-session` step recovers a local bearer session. The slow web-only
+    // probes (`fedcm-silent`, `silent-iframe`) AND `enabled` on `!storedSessionRestored`
+    // so they are explicitly skipped once a local session won. `runColdBoot`
+    // already short-circuits on the first `{kind:'session'}`, so on a winning
+    // reload those `enabled` bodies are never even reached — this flag makes the
+    // intent explicit and is redundant-safe. On a first-visit-no-local-session,
+    // `stored-session` skips, this stays false, and the probes run as before.
+    let storedSessionRestored = false;
+
     try {
       const outcome = await runColdBoot<true>({
         steps: [
@@ -875,14 +975,47 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
             },
           },
           {
-            // 2) FedCM silent reauthn (Chrome) against the CENTRAL IdP
+            // 2) Stored-session bearer restore. NO `enabled` gate — runs on ALL
+            // platforms. This is native's ONLY restore path (every web-only step
+            // is disabled off-browser, so native reaches exactly this) AND the
+            // common WEB reload winner.
+            //
+            // ORDERING (FIX A): this step now runs BEFORE the slow web-only
+            // probes (`fedcm-silent`, `silent-iframe`, `cookie-restore`). On a
+            // normal reload the local bearer validates in one round-trip and
+            // wins; `runColdBoot` then short-circuits and never even evaluates
+            // the slow no-redirect probes that would otherwise time out (the
+            // ~20-30s serial stall). The `redirect` and `sso-return` steps stay
+            // AHEAD of this one — they must consume the URL fragment before any
+            // later step (or anything else) strips it. On a first visit with no
+            // local session this step skips and the cross-domain fallback chain
+            // (fedcm → iframe → cookie → sso-bounce) runs exactly as before.
+            id: 'stored-session',
+            run: async () => {
+              const restored = await restoreStoredSession();
+              if (restored) {
+                // FIX-B: record the win so the slow probes below explicitly skip
+                // (belt-and-suspenders; `runColdBoot` already short-circuits).
+                storedSessionRestored = true;
+                return { kind: 'session', session: true };
+              }
+              return { kind: 'skip' };
+            },
+          },
+          {
+            // 3) FedCM silent reauthn (Chrome) against the CENTRAL IdP
             // (auth.oxy.so). `silentSignInWithFedCM` plants the access token
             // internally; we commit the returned session via
             // `handleWebSSOSession`. Guarded so it fires at most once per page
             // load across remounts. This is an enhancement layered above the
             // opaque-code bounce: when it succeeds the bounce never fires.
+            //
+            // FIX-B: additionally skipped when the earlier `stored-session` step
+            // already recovered a local session — the probe cannot improve on a
+            // valid local bearer, and skipping it avoids the silent round-trip.
             id: 'fedcm-silent',
-            enabled: () => fedcmSupported && !servicesSilentAttempted.has(silentKey),
+            enabled: () =>
+              !storedSessionRestored && fedcmSupported && !servicesSilentAttempted.has(silentKey),
             run: async () => {
               servicesSilentAttempted.add(silentKey);
               const session = await oxyServices.silentSignInWithFedCM?.();
@@ -894,7 +1027,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
             },
           },
           {
-            // 3) First-party silent iframe at the PER-APEX IdP — the DURABLE
+            // 4) First-party silent iframe at the PER-APEX IdP — the DURABLE
             // cross-domain reload-restore path. The durable session lives as a
             // first-party `fedcm_session` cookie on `auth.<rp-apex>` (e.g.
             // `auth.mention.earth`), established during the `/sso` bounce's
@@ -913,8 +1046,12 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
             // equivalent. When auto-detection bails (localhost/IP/single-label)
             // there is no per-apex IdP and the step skips. Web only; on native
             // `isWebBrowser()` gates it off, so native never runs an iframe.
+            //
+            // FIX-B: additionally skipped when `stored-session` already won.
+            // FIX-D: bounded by `SILENT_IFRAME_TIMEOUT` (plus `iframe.onerror`
+            // fail-fast in core) so a no-message iframe cannot stall cold boot.
             id: 'silent-iframe',
-            enabled: () => isWebBrowser(),
+            enabled: () => !storedSessionRestored && isWebBrowser(),
             run: async () => {
               const perApexAuthUrl = autoDetectAuthWebUrl();
               if (!perApexAuthUrl || !commitWebSession) {
@@ -922,6 +1059,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
               }
               const session = await oxyServices.silentSignIn?.({
                 authWebUrlOverride: perApexAuthUrl,
+                timeout: SILENT_IFRAME_TIMEOUT,
               });
               if (!session?.user || !session?.sessionId) {
                 return { kind: 'skip' };
@@ -931,12 +1069,14 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
             },
           },
           {
-            // 4) Refresh-cookie restore (first-party only). On `*.oxy.so` the
+            // 5) Refresh-cookie restore (first-party only). On `*.oxy.so` the
             // httpOnly `oxy_rt_${n}` cookies ride along and resurrect every
             // device-local slot. On a cross-domain RP (mention.earth, …) the
             // cookie is `Domain=oxy.so` so it never reaches `api.<apex>` —
             // `refreshAllSessions` returns `{accounts:[]}` and this skips. That
             // is correct; cross-domain restore is handled by the SSO bounce.
+            // FIX-D: `restoreViaRefreshCookie` bounds the request with
+            // `COOKIE_RESTORE_TIMEOUT` so a cross-domain stall cannot hang here.
             id: 'cookie-restore',
             enabled: () => isWebBrowser(),
             run: async () => {
@@ -944,16 +1084,6 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
               return restored ? { kind: 'session', session: true } : { kind: 'skip' };
             },
           },
-          {
-            // 5) Stored-session bearer restore. NO `enabled` gate — runs on ALL
-            // platforms. This is native's ONLY restore path (every web-only step
-            // is disabled off-browser, so native reaches exactly this).
-            id: 'stored-session',
-            run: async () => {
-              const restored = await restoreStoredSession();
-              return restored ? { kind: 'session', session: true } : { kind: 'skip' };
-            },
-          },
           {
             // 6) SSO bounce (TERMINAL, web only, at most once). No local session
             // was found by any step above. Top-level navigate to the central
@@ -1028,7 +1158,14 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
       }
       await clearSessionStateRef.current();
     } finally {
-      setTokenReady(true);
+      // Backstop: mark auth resolved on EVERY exit path — success, no-session,
+      // AND error→catch→finally — and on native (which only runs the
+      // `stored-session` step), so the gate can never hang `false`. Idempotent
+      // via `markAuthResolved`'s ref: when a commit site already flipped it
+      // mid-chain (the common reload case), this is a no-op. When no session was
+      // recovered (the unauthenticated/error path), this is where `tokenReady` +
+      // `authResolved` finally flip. Monotonic — never reverts on later restores.
+      markAuthResolved();
     }
   }, [
     oxyServices,
@@ -1036,6 +1173,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
     restoreViaRefreshCookie,
     restoreStoredSession,
     runSsoReturn,
+    markAuthResolved,
   ]);
 
   useEffect(() => {
@@ -1189,6 +1327,10 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
       fullUser = session.user as unknown as User;
     }
     loginSuccess(fullUser);
+    // A session is now committed (FedCM silent / per-apex iframe / redirect /
+    // SSO-return / popup all funnel through here) — unblock the auth-resolution
+    // gate immediately, ahead of the cold-boot chain returning (idempotent).
+    markAuthResolvedRef.current();
     onAuthStateChange?.(fullUser);
   }, [oxyServices, updateSessions, setActiveSessionId, loginSuccess, onAuthStateChange, persistSessionDurably]);
 
@@ -1436,6 +1578,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
     isAuthenticated,
     isLoading,
     isTokenReady: tokenReady,
+    isAuthResolved: authResolved,
     isStorageReady: storage !== null,
     error,
     currentLanguage,
@@ -1492,6 +1635,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
     storage,
     switchSessionForContext,
     tokenReady,
+    authResolved,
     updateDeviceName,
     clearAllAccountData,
     useFollowHook,
@@ -1539,6 +1683,7 @@ const LOADING_STATE: OxyContextState = {
   isAuthenticated: false,
   isLoading: true,
   isTokenReady: false,
+  isAuthResolved: false,
   isStorageReady: false,
   error: null,
   currentLanguage: 'en',

package/src/ui/hooks/useAuth.ts

@@ -41,6 +41,18 @@ export interface AuthState {
   /** Whether the auth token is ready for API calls */
   isReady: boolean;
 
+  /**
+   * Whether the initial auth determination has concluded.
+   *
+   * `false` from mount until the first cold-boot session restore finishes;
+   * while `false`, `isAuthenticated: false` is UNDETERMINED (not a definitive
+   * "logged out"). Flips to `true` once — when a session is committed or none
+   * is found — and never reverts. Defer the first auth-dependent fetch until
+   * this is `true` so a cold-boot reload with an existing session does not load
+   * anonymous data.
+   */
+  isAuthResolved: boolean;
+
   /** Current error message, if any */
   error: string | null;
 }
@@ -99,6 +111,7 @@ export function useAuth(): UseAuthReturn {
     isAuthenticated,
     isLoading,
     isTokenReady,
+    isAuthResolved,
     error,
     signIn: oxySignIn,
     handlePopupSession,
@@ -219,6 +232,7 @@ export function useAuth(): UseAuthReturn {
     isAuthenticated,
     isLoading,
     isReady: isTokenReady,
+    isAuthResolved,
     error,
 
     // Actions