@rehers/rehers-roleplay-sdk 3.0.0 → 3.1.0

package/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/NOTICE

@@ -0,0 +1,5 @@
+Seamless Roleplay SDK
+Copyright 2026 Scriptify, Inc.
+
+This product is licensed under the Apache License, Version 2.0.
+See the LICENSE file for the full license text.

package/index.d.ts

@@ -75,13 +75,27 @@ export interface SeamlessRoleplaySDK {
   /** Open the roleplay modal for a contact (dialog mode). */
   open(data: SeamlessRoleplayOpenData): void;
   /** Mount the full Roleplay app into a container. */
-  mount(container: HTMLElement): void;
+  mount(
+    container: HTMLElement,
+    options?: {
+      /** Called if the embedded app closes itself. */
+      onClose?: () => void;
+      /** Called if the embedded app reports an error. */
+      onError?: (error: { code: string; message: string }) => void;
+    }
+  ): void;
   /** Open the add-to-scenario dialog for bulk contact import. */
   addToScenario(options: AddToScenarioOptions): void;
   /** Close the active dialog. Does not affect mount. */
   close(): void;
   /** Unmount the mounted embed. Does not affect dialogs. */
   unmount(): void;
+  /**
+   * Force a session re-resolution — e.g. after the user completes payment in
+   * another tab. Re-fetches and broadcasts the session to any mounted embed or
+   * open dialog. (The SDK also auto-recovers when the tab is refocused.)
+   */
+  reauth(): void;
   /** Destroy the SDK — clears state, timers, and DOM (both mount and dialogs). */
   destroy(): void;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rehers/rehers-roleplay-sdk",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "sideEffects": true,
   "description": "Seamless Roleplay SDK — embed roleplay call sessions via a modal + iframe",
   "main": "roleplay-sdk.js",
@@ -19,7 +19,9 @@
     "roleplay-sdk.js",
     "index.d.ts",
     "react.js",
-    "react.d.ts"
+    "react.d.ts",
+    "LICENSE",
+    "NOTICE"
   ],
   "peerDependencies": {
     "react": ">=18.0.0",
@@ -30,7 +32,7 @@
     "react-dom": { "optional": true }
   },
   "keywords": ["seamless", "roleplay", "sdk", "sales", "training", "react"],
-  "license": "UNLICENSED",
+  "license": "Apache-2.0",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/rehers/seamless-frontend-independent.git"

package/react.d.ts

@@ -8,7 +8,7 @@ interface SeamlessRoleplayContextValue {
         code: string;
         message: string;
     } | null;
-    sdk: SeamlessRoleplaySDK;
+    sdk: SeamlessRoleplaySDK | null;
 }
 export type SeamlessRoleplayProviderProps = SeamlessRoleplayInitOptions & {
     children: ReactNode;
@@ -33,8 +33,15 @@ export declare function RoleplayDialog({ open: isOpen, name, domain, company, ti
 export interface RoleplayEmbedProps {
     className?: string;
     style?: React.CSSProperties;
+    /** Called if the embedded app reports an error */
+    onError?: (error: {
+        code: string;
+        message: string;
+    }) => void;
+    /** Called if the embedded app closes itself */
+    onClose?: () => void;
 }
-export declare function RoleplayEmbed({ className, style }: RoleplayEmbedProps): import("react/jsx-runtime").JSX.Element;
+export declare function RoleplayEmbed({ className, style, onError, onClose }: RoleplayEmbedProps): import("react/jsx-runtime").JSX.Element;
 export interface AddToScenarioDialogProps {
     open: boolean;
     contacts: AddToScenarioContact[];

package/react.js

@@ -12,14 +12,6 @@ function useCallbackRef(cb) {
     });
     return ref;
 }
-// ── SDK singleton access ────────────────────────────────────────────
-function getSDK() {
-    if (typeof window !== "undefined" && window.SeamlessRoleplay) {
-        return window.SeamlessRoleplay;
-    }
-    throw new Error("[SeamlessRoleplay/React] Could not find SeamlessRoleplay SDK. " +
-        'Make sure "@rehers/rehers-roleplay-sdk" is installed and loaded before the React wrapper.');
-}
 const SeamlessRoleplayContext = createContext(null);
 let providerMountCount = 0;
 export function SeamlessRoleplayProvider({ getUserToken, origin, onReady, onError, children, }) {
@@ -27,8 +19,49 @@ export function SeamlessRoleplayProvider({ getUserToken, origin, onReady, onErro
     const mountedRef = useRef(false);
     const onReadyRef = useCallbackRef(onReady);
     const onErrorRef = useCallbackRef(onError);
-    const sdk = useMemo(() => getSDK(), []);
+    const getUserTokenRef = useCallbackRef(getUserToken);
+    const [sdk, setSdk] = useState(null);
+    // Resolve the SDK on the CLIENT only. `window` is absent during SSR, and an
+    // async <script> tag may not have executed at first render — so we never call
+    // getSDK() during render (that would throw and break SSR/hydration). Poll
+    // briefly for an async load, and surface a clear error if it never appears.
+    useEffect(() => {
+        let cancelled = false;
+        const resolve = () => {
+            if (typeof window !== "undefined" && window.SeamlessRoleplay) {
+                if (!cancelled)
+                    setSdk(window.SeamlessRoleplay);
+                return true;
+            }
+            return false;
+        };
+        if (resolve())
+            return;
+        const poll = setInterval(() => {
+            if (resolve())
+                clearInterval(poll);
+        }, 50);
+        const giveUp = setTimeout(() => {
+            clearInterval(poll);
+            if (!cancelled && !(typeof window !== "undefined" && window.SeamlessRoleplay)) {
+                setState({
+                    isReady: false,
+                    error: {
+                        code: "SDK_NOT_LOADED",
+                        message: "@rehers/rehers-roleplay-sdk was not found on window. Make sure it is installed and loaded before the React wrapper.",
+                    },
+                });
+            }
+        }, 10000);
+        return () => {
+            cancelled = true;
+            clearInterval(poll);
+            clearTimeout(giveUp);
+        };
+    }, []);
     useEffect(() => {
+        if (!sdk)
+            return;
         providerMountCount++;
         if (providerMountCount > 1 && process.env.NODE_ENV !== "production") {
             console.warn("[SeamlessRoleplay/React] Multiple SeamlessRoleplayProvider instances detected. " +
@@ -37,7 +70,15 @@ export function SeamlessRoleplayProvider({ getUserToken, origin, onReady, onErro
         mountedRef.current = true;
         setState({ isReady: false, error: null });
         const initOptions = {
-            getUserToken,
+            // Ref-guarded so an inline `getUserToken` prop (the common, default way to
+            // write it) does NOT re-init the SDK on every parent render. init runs
+            // once per SDK/origin, not once per render.
+            getUserToken: () => {
+                const fn = getUserTokenRef.current;
+                if (!fn)
+                    return Promise.reject(new Error("getUserToken is not available"));
+                return fn();
+            },
             origin,
             onReady: () => {
                 var _a;
@@ -60,7 +101,7 @@ export function SeamlessRoleplayProvider({ getUserToken, origin, onReady, onErro
             providerMountCount--;
             sdk.destroy();
         };
-    }, [sdk, getUserToken, origin]);
+    }, [sdk, origin]);
     const contextValue = useMemo(() => ({ ...state, sdk }), [state, sdk]);
     return (_jsx(SeamlessRoleplayContext.Provider, { value: contextValue, children: children }));
 }
@@ -77,18 +118,26 @@ export function RoleplayDialog({ open: isOpen, name, domain, company, title, com
     const onCloseRef = useCallbackRef(onClose);
     const onErrorRef = useCallbackRef(onError);
     const isOpenRef = useRef(false);
+    // Keep the latest contact data in a ref so changing a field while the dialog
+    // is open does NOT re-run the effect and tear down / restart the live call.
+    // The dialog opens once per open-transition; data is read at open time.
+    const dataRef = useRef({ name, domain, company, title, companyDescription, liUrl });
+    useLayoutEffect(() => {
+        dataRef.current = { name, domain, company, title, companyDescription, liUrl };
+    });
     useEffect(() => {
-        if (!isReady)
+        if (!isReady || !sdk)
             return;
         if (isOpen) {
             isOpenRef.current = true;
+            const d = dataRef.current;
             sdk.open({
-                name,
-                domain,
-                company,
-                title,
-                companyDescription,
-                liUrl,
+                name: d.name,
+                domain: d.domain,
+                company: d.company,
+                title: d.title,
+                companyDescription: d.companyDescription,
+                liUrl: d.liUrl,
                 onClose: () => {
                     var _a;
                     isOpenRef.current = false;
@@ -107,16 +156,21 @@ export function RoleplayDialog({ open: isOpen, name, domain, company, title, com
                 sdk.close();
             }
         };
-    }, [isReady, isOpen, name, domain, company, title, companyDescription, liUrl, sdk]);
+    }, [isReady, isOpen, sdk]);
     return null;
 }
-export function RoleplayEmbed({ className, style }) {
+export function RoleplayEmbed({ className, style, onError, onClose }) {
     const { isReady, sdk } = useSeamlessRoleplay();
     const containerRef = useRef(null);
+    const onErrorRef = useCallbackRef(onError);
+    const onCloseRef = useCallbackRef(onClose);
     useEffect(() => {
-        if (!isReady || !containerRef.current)
+        if (!isReady || !sdk || !containerRef.current)
             return;
-        sdk.mount(containerRef.current);
+        sdk.mount(containerRef.current, {
+            onError: (e) => { var _a; return (_a = onErrorRef.current) === null || _a === void 0 ? void 0 : _a.call(onErrorRef, e); },
+            onClose: () => { var _a; return (_a = onCloseRef.current) === null || _a === void 0 ? void 0 : _a.call(onCloseRef); },
+        });
         return () => {
             sdk.unmount();
         };
@@ -134,7 +188,7 @@ export function AddToScenarioDialog({ open: isOpen, contacts, onComplete, onClos
         contactsRef.current = contacts;
     });
     useEffect(() => {
-        if (!isReady)
+        if (!isReady || !sdk)
             return;
         if (isOpen) {
             isOpenRef.current = true;

package/roleplay-sdk.js

@@ -30,6 +30,8 @@
   var fetchingSession = null; // single-flight Promise
   var activeSessionXhr = null;
   var activeInitVersion = 0;
+  var sessionRefreshExpiredNotified = false;
+  var visibilityListener = null;
 
   var initCallbacks = { onReady: null, onError: null };
   var initCalled = false;
@@ -51,6 +53,11 @@
   var dialogListener = null;
   var dialogCloseTeardownTimer = null;
 
+  // ── Dialog accessibility state ────────────────────────────────────
+  var dialogPreviousFocus = null; // element to restore focus to on close
+  var dialogKeydownListener = null; // Escape handler
+  var dialogInertedSiblings = null; // background nodes hidden while modal is open
+
   // ── Safe logging ──────────────────────────────────────────────────
 
   function logError(method, err) {
@@ -73,6 +80,31 @@
     return DEFAULT_API_ORIGIN;
   }
 
+  // The app origin is used BOTH as the iframe src and as the postMessage target
+  // for the session JWT, so an untrusted override would exfiltrate the token.
+  // Only allow the production app domain (apex/subdomains, https) or localhost.
+  function isAllowedAppOrigin(origin) {
+    try {
+      var u = new URL(origin);
+      if (
+        u.protocol === "https:" &&
+        (u.hostname === "roleplaywithseamless.ai" ||
+          u.hostname.endsWith(".roleplaywithseamless.ai"))
+      ) {
+        return true;
+      }
+      if (
+        (u.protocol === "http:" || u.protocol === "https:") &&
+        (u.hostname === "localhost" || u.hostname === "127.0.0.1")
+      ) {
+        return true;
+      }
+      return false;
+    } catch (_) {
+      return false;
+    }
+  }
+
   function buildIframeSrc(path) {
     var targetPath = path || "/embed/roleplay-call";
     var url = new URL(targetPath, getOrigin());
@@ -213,15 +245,18 @@
     if (refreshTimer) clearTimeout(refreshTimer);
 
     var remainingMs = sessionExpiresAt - Date.now();
-    if (remainingMs <= sessionRefreshBufferMs) {
+
+    // The token has expired: a fresh one is now most needed, so DO NOT give up.
+    // Notify the host once that a refresh missed the window, then keep retrying
+    // with capped backoff until the session is restored (or the SDK is
+    // destroyed / re-initialized). Previously this returned here permanently,
+    // so one post-expiry failure killed refresh forever.
+    if (remainingMs <= 0 && !sessionRefreshExpiredNotified) {
+      sessionRefreshExpiredNotified = true;
       notifySessionRefreshFailed(err);
-      return;
     }
 
-    var delay = Math.min(
-      refreshRetryDelayMs,
-      Math.max(1000, remainingMs - sessionRefreshBufferMs)
-    );
+    var delay = Math.max(1000, refreshRetryDelayMs);
     refreshRetryDelayMs = Math.min(refreshRetryDelayMs * 2, 60000);
 
     refreshTimer = setTimeout(function () {
@@ -229,6 +264,26 @@
     }, delay);
   }
 
+  // Re-resolve the session when the tab becomes visible again. Background tabs
+  // throttle timers, so a long-lived session can lapse while hidden; and a user
+  // who was in trial mode may have completed payment in another tab. Either way,
+  // refreshing on foreground recovers a mounted embed without a page reload.
+  function handleVisibilityChange() {
+    try {
+      if (typeof document !== "undefined" && document.visibilityState !== "visible") {
+        return;
+      }
+      if (!initCalled) return;
+      var needsRefresh =
+        !sessionToken || Date.now() >= sessionExpiresAt - sessionRefreshBufferMs;
+      if (needsRefresh) {
+        fetchSession({ broadcastRefresh: true }).catch(function () {});
+      }
+    } catch (e) {
+      logError("handleVisibilityChange", e);
+    }
+  }
+
   function fetchSession(options) {
     options = options || {};
     var requestInitVersion = activeInitVersion;
@@ -296,6 +351,7 @@
             sessionRefreshBufferMs = computeRefreshBuffer(ttl);
             sessionExpiresAt = Date.now() + ttl;
             refreshRetryDelayMs = 5000;
+            sessionRefreshExpiredNotified = false;
             scheduleRefresh(ttl);
             if (options.broadcastRefresh) broadcastSessionRefresh();
             resolve({ sessionToken: sessionToken });
@@ -306,6 +362,8 @@
             // Trial mode — not a fatal error
             sessionToken = null;
             sessionExpiresAt = 0;
+            refreshRetryDelayMs = 5000;
+            sessionRefreshExpiredNotified = false;
             if (refreshTimer) {
               clearTimeout(refreshTimer);
               refreshTimer = null;
@@ -375,24 +433,32 @@
   // ── Teardown (dialog only — mount is independent) ─────────────────
 
   function teardownDialog() {
-    try {
-      if (dialogCloseTeardownTimer) {
-        clearTimeout(dialogCloseTeardownTimer);
-        dialogCloseTeardownTimer = null;
-      }
+    if (dialogCloseTeardownTimer) {
+      clearTimeout(dialogCloseTeardownTimer);
+      dialogCloseTeardownTimer = null;
+    }
+
+    // Remove the listener FIRST, in its own try, so a DOM exception below can
+    // never skip it (which would leak listeners across many open/close cycles).
+    if (dialogListener) {
+      try {
+        window.removeEventListener("message", dialogListener);
+      } catch (_) {}
+      dialogListener = null;
+    }
 
+    try {
       if (dialogOverlay && dialogOverlay.parentNode) {
         dialogOverlay.parentNode.removeChild(dialogOverlay);
       }
-      dialogOverlay = null;
-
-      if (dialogListener) {
-        window.removeEventListener("message", dialogListener);
-        dialogListener = null;
-      }
     } catch (e) {
       logError("teardownDialog", e);
     }
+    dialogOverlay = null;
+
+    // Restore focus to where it was, un-hide/un-inert the background, drop the
+    // Escape handler. Safe no-op if accessibility was never set up.
+    teardownDialogAccessibility();
 
     dialogIframe = null;
     dialogContactData = null;
@@ -403,14 +469,18 @@
   }
 
   function teardownMount() {
+    // Remove the listener FIRST so a DOM exception below can't leak it.
+    if (mountListener) {
+      try {
+        window.removeEventListener("message", mountListener);
+      } catch (_) {}
+      mountListener = null;
+    }
+
     try {
       if (mountIframe && mountIframe.parentNode) {
         mountIframe.parentNode.removeChild(mountIframe);
       }
-      if (mountListener) {
-        window.removeEventListener("message", mountListener);
-        mountListener = null;
-      }
     } catch (e) {
       logError("teardownMount", e);
     }
@@ -420,6 +490,128 @@
     mountCallbacks = { onClose: null, onError: null };
   }
 
+  // ── Dialog accessibility ──────────────────────────────────────────
+  // The dialog is a modal over the host page, so it follows the ARIA dialog
+  // pattern: labelled role="dialog" aria-modal, focus moved in on open and
+  // restored on close, background hidden from assistive tech + made inert, Tab
+  // focus trapped via edge sentinels, and Escape to close. NOTE: the content is
+  // a cross-origin iframe, so the parent cannot observe keystrokes while focus
+  // is INSIDE it — Escape works from the dialog chrome, and the embedded app
+  // forwards Escape from within the iframe for full coverage.
+
+  function hideBackgroundFromAssistiveTech(overlayEl) {
+    dialogInertedSiblings = [];
+    if (typeof document === "undefined" || !document.body) return;
+    var children = document.body.children;
+    for (var i = 0; i < children.length; i++) {
+      var el = children[i];
+      if (el === overlayEl) continue;
+      dialogInertedSiblings.push({
+        el: el,
+        ariaHidden: el.getAttribute("aria-hidden"),
+        wasInert: el.hasAttribute("inert"),
+      });
+      el.setAttribute("aria-hidden", "true");
+      try {
+        el.inert = true;
+      } catch (_) {}
+    }
+  }
+
+  function restoreBackgroundFromAssistiveTech() {
+    if (!dialogInertedSiblings) return;
+    for (var i = 0; i < dialogInertedSiblings.length; i++) {
+      var rec = dialogInertedSiblings[i];
+      try {
+        if (rec.ariaHidden === null) rec.el.removeAttribute("aria-hidden");
+        else rec.el.setAttribute("aria-hidden", rec.ariaHidden);
+        if (!rec.wasInert) rec.el.inert = false;
+      } catch (_) {}
+    }
+    dialogInertedSiblings = null;
+  }
+
+  function makeFocusSentinel() {
+    var s = document.createElement("div");
+    s.tabIndex = 0;
+    s.setAttribute("aria-hidden", "true");
+    var st = s.style;
+    st.position = "absolute";
+    st.width = "1px";
+    st.height = "1px";
+    st.padding = "0";
+    st.margin = "-1px";
+    st.overflow = "hidden";
+    st.border = "0";
+    st.clip = "rect(0 0 0 0)";
+    return s;
+  }
+
+  function setupDialogAccessibility(overlayEl, closeBtn, labelText) {
+    try {
+      overlayEl.setAttribute("role", "dialog");
+      overlayEl.setAttribute("aria-modal", "true");
+      if (labelText) overlayEl.setAttribute("aria-label", labelText);
+      if (closeBtn) closeBtn.setAttribute("aria-label", "Close");
+
+      dialogPreviousFocus =
+        document.activeElement && document.activeElement.focus
+          ? document.activeElement
+          : null;
+
+      hideBackgroundFromAssistiveTech(overlayEl);
+
+      // Edge sentinels wrap Tab focus back into the dialog. This works across
+      // the cross-origin iframe boundary (focus exiting the iframe lands on the
+      // trailing sentinel in the parent), where a keydown-based trap cannot.
+      var lead = makeFocusSentinel();
+      var trail = makeFocusSentinel();
+      lead.addEventListener("focus", function () {
+        var f = overlayEl.querySelector("iframe");
+        if (f) f.focus();
+        else if (closeBtn) closeBtn.focus();
+      });
+      trail.addEventListener("focus", function () {
+        if (closeBtn) closeBtn.focus();
+      });
+      overlayEl.insertBefore(lead, overlayEl.firstChild);
+      overlayEl.appendChild(trail);
+
+      if (closeBtn) {
+        try {
+          closeBtn.focus();
+        } catch (_) {}
+      }
+
+      dialogKeydownListener = function (e) {
+        if (e.key === "Escape" || e.keyCode === 27) {
+          e.stopPropagation();
+          closeDialog();
+        }
+      };
+      document.addEventListener("keydown", dialogKeydownListener, true);
+    } catch (e) {
+      logError("setupDialogAccessibility", e);
+    }
+  }
+
+  function teardownDialogAccessibility() {
+    if (dialogKeydownListener) {
+      try {
+        document.removeEventListener("keydown", dialogKeydownListener, true);
+      } catch (_) {}
+      dialogKeydownListener = null;
+    }
+    restoreBackgroundFromAssistiveTech();
+    var toRestore = dialogPreviousFocus;
+    dialogPreviousFocus = null;
+    if (toRestore && toRestore.focus) {
+      try {
+        toRestore.focus();
+      } catch (_) {}
+    }
+  }
+
   // ── Message dispatch ──────────────────────────────────────────────
 
   function dispatchInitToTarget(targetIframe, contactData, atsContacts) {
@@ -646,11 +838,30 @@
         userTokenRequest = null;
 
         getUserToken = opts.getUserToken;
-        appOrigin = opts.origin || null;
+        if (opts.origin) {
+          if (isAllowedAppOrigin(opts.origin)) {
+            appOrigin = opts.origin;
+          } else {
+            appOrigin = null;
+            logError("init", "Ignoring untrusted origin override: " + opts.origin);
+          }
+        } else {
+          appOrigin = null;
+        }
         initCallbacks.onReady = opts.onReady || null;
         initCallbacks.onError = opts.onError || null;
         initCalled = true;
 
+        // Re-resolve the session when the tab is refocused (recovers throttled
+        // refresh timers and trial->paid transitions). Re-armed on every init().
+        if (typeof document !== "undefined" && document.addEventListener) {
+          if (visibilityListener) {
+            document.removeEventListener("visibilitychange", visibilityListener);
+          }
+          visibilityListener = handleVisibilityChange;
+          document.addEventListener("visibilitychange", visibilityListener);
+        }
+
         // Fetch session immediately
         fetchSession()
           .then(function (result) {
@@ -765,6 +976,7 @@
         dialogOverlay = el;
         dialogIframe = iframeEl;
         document.body.appendChild(dialogOverlay);
+        setupDialogAccessibility(el, closeBtn, "Roleplay call");
       } catch (e) {
         logError("open", e);
         teardownDialog();
@@ -777,7 +989,7 @@
     /**
      * Mount the full Roleplay app into a container element.
      */
-    mount: function (container) {
+    mount: function (container, opts) {
       try {
         if (!initCalled) {
           logError("mount", "init() must be called first");
@@ -791,7 +1003,10 @@
         // Tear down any existing mount (re-mount)
         if (mountIframe) teardownMount();
 
-        mountCallbacks = { onClose: null, onError: null };
+        mountCallbacks = {
+          onClose: (opts && opts.onClose) || null,
+          onError: (opts && opts.onError) || null,
+        };
         mountContainer = container;
 
         // Listen for messages
@@ -928,6 +1143,7 @@
         dialogOverlay = el;
         dialogIframe = iframeEl;
         document.body.appendChild(dialogOverlay);
+        setupDialogAccessibility(el, closeBtn, "Add contacts to scenario");
       } catch (e) {
         logError("addToScenario", e);
         teardownDialog();
@@ -960,6 +1176,28 @@
       }
     },
 
+    /**
+     * Force a session re-resolution — e.g. after the user completes payment in
+     * another tab. Re-fetches the session and broadcasts it to any mounted embed
+     * or open dialog, recovering trial->paid without a page reload.
+     */
+    reauth: function () {
+      try {
+        if (!initCalled) {
+          logError("reauth", "init() must be called first");
+          return;
+        }
+        refreshRetryDelayMs = 5000;
+        sessionRefreshExpiredNotified = false;
+        fetchSession({ broadcastRefresh: true }).catch(function (err) {
+          if (err && err.code === "ABORTED") return;
+          scheduleRefreshRetry(err);
+        });
+      } catch (e) {
+        logError("reauth", e);
+      }
+    },
+
     /**
      * Destroy the SDK — clears state, timers, and DOM (both mount and dialogs).
      */
@@ -970,6 +1208,11 @@
           clearTimeout(refreshTimer);
           refreshTimer = null;
         }
+        if (visibilityListener && typeof document !== "undefined") {
+          document.removeEventListener("visibilitychange", visibilityListener);
+          visibilityListener = null;
+        }
+        sessionRefreshExpiredNotified = false;
         clearSessionRequest();
         teardownDialog();
         teardownMount();