refactor(auth): replace SessionManager facade with SessionStateMachine actor

Replaces the two-layer `SessionManager` struct + `LiveSessionManager` actor
with a single `SessionStateMachine` actor that owns all session state
transitions explicitly.

- Introduces `SessionState` enum with `.uninitialized`, `.unauthenticated`,
  `.authenticated`, and `.refreshing` cases
- State starts as `.uninitialized` and loads from storage on first access,
  avoiding a dependency on `Dependencies` being registered before init
- Refresh coalescing is now an explicit property of the `.refreshing` state
  rather than an implicit nullable `Task?` field
- `remove()` cancels any in-flight refresh task via the `.refreshing` state
- `.tokenRefreshed` event emission is consolidated inside `refresh(token:)`
- Removes the `SessionManager` struct facade; consumers hold a
  `SessionStateMachine` reference directly via `Dependencies`

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: grdsdev

Sources/Auth/AuthClient.swift

@@ -81,7 +81,9 @@ public actor AuthClient {
   }
 
   nonisolated private var date: @Sendable () -> Date { Dependencies[clientID].date }
-  nonisolated private var sessionManager: SessionManager { Dependencies[clientID].sessionManager }
+  nonisolated private var sessionMachine: SessionStateMachine {
+    Dependencies[clientID].sessionMachine
+  }
   nonisolated private var eventEmitter: AuthStateChangeEventEmitter {
     Dependencies[clientID].eventEmitter
   }
@@ -96,7 +98,7 @@ public actor AuthClient {
   /// If no session can be found, a ``AuthError/sessionMissing`` error is thrown.
   public var session: Session {
     get async throws {
-      try await sessionManager.session()
+      try await sessionMachine.validSession()
     }
   }
 
@@ -139,7 +141,7 @@ public actor AuthClient {
       api: APIClient(clientID: clientID),
       codeVerifierStorage: .live(clientID: clientID),
       sessionStorage: .live(clientID: clientID),
-      sessionManager: .live(clientID: clientID),
+      sessionMachine: SessionStateMachine(clientID: clientID),
       logger: configuration.logger.map {
         AuthClientLoggerDecorator(clientID: clientID, decoratee: $0)
       }
@@ -351,7 +353,7 @@ public actor AuthClient {
     )
 
     if let session = response.session {
-      await sessionManager.update(session)
+      await sessionMachine.update(session)
       eventEmitter.emit(.signedIn, session: session)
     }
 
@@ -457,7 +459,7 @@ public actor AuthClient {
       decoder: configuration.decoder
     )
 
-    await sessionManager.update(session)
+    await sessionMachine.update(session)
     eventEmitter.emit(.signedIn, session: session)
 
     return session
@@ -635,7 +637,7 @@ public actor AuthClient {
 
     codeVerifierStorage.set(nil)
 
-    await sessionManager.update(session)
+    await sessionMachine.update(session)
     eventEmitter.emit(.signedIn, session: session)
 
     return session
@@ -895,7 +897,7 @@ public actor AuthClient {
       user: user
     )
 
-    await sessionManager.update(session)
+    await sessionMachine.update(session)
     eventEmitter.emit(.signedIn, session: session)
 
     if let type = params["type"], type == "recovery" {
@@ -960,7 +962,7 @@ public actor AuthClient {
       )
     }
 
-    await sessionManager.update(session)
+    await sessionMachine.update(session)
     eventEmitter.emit(.signedIn, session: session)
     return session
   }
@@ -976,7 +978,7 @@ public actor AuthClient {
     }
 
     if scope != .others {
-      await sessionManager.remove()
+      await sessionMachine.remove()
       eventEmitter.emit(.signedOut, session: nil)
     }
 
@@ -1084,7 +1086,7 @@ public actor AuthClient {
     )
 
     if let session = response.session {
-      await sessionManager.update(session)
+      await sessionMachine.update(session)
       eventEmitter.emit(.signedIn, session: session)
     }
 
@@ -1189,7 +1191,7 @@ public actor AuthClient {
       user.codeChallengeMethod = codeChallengeMethod
     }
 
-    var session = try await sessionManager.session()
+    var session = try await sessionMachine.validSession()
     let updatedUser = try await api.authorizedExecute(
       .init(
         url: configuration.url.appendingPathComponent("user"),
@@ -1206,7 +1208,7 @@ public actor AuthClient {
       )
     ).decoded(as: User.self, decoder: configuration.decoder)
     session.user = updatedUser
-    await sessionManager.update(session)
+    await sessionMachine.update(session)
     eventEmitter.emit(.userUpdated, session: session)
     return updatedUser
   }
@@ -1234,7 +1236,7 @@ public actor AuthClient {
       )
     ).decoded(as: Session.self, decoder: configuration.decoder)
 
-    await sessionManager.update(session)
+    await sessionMachine.update(session)
     eventEmitter.emit(.userUpdated, session: session)
 
     return session
@@ -1385,19 +1387,19 @@ public actor AuthClient {
       throw AuthError.sessionMissing
     }
 
-    return try await sessionManager.refreshSession(refreshToken)
+    return try await sessionMachine.refresh(token: refreshToken)
   }
 
   /// Starts an auto-refresh process in the background. The session is checked every few seconds. Close to the time of expiration a process is started to refresh the session. If refreshing fails it will be retried for as long as necessary.
   ///
   /// If you set ``Configuration/autoRefreshToken`` you don't need to call this function, it will be called for you.
   public func startAutoRefresh() {
-    Task { await sessionManager.startAutoRefresh() }
+    Task { await sessionMachine.startAutoRefresh() }
   }
 
   /// Stops an active auto refresh process running in the background (if any).
   public func stopAutoRefresh() {
-    Task { await sessionManager.stopAutoRefresh() }
+    Task { await sessionMachine.stopAutoRefresh() }
   }
 
   private func emitInitialSession(forToken token: ObservationToken) async {
@@ -1411,8 +1413,8 @@ public actor AuthClient {
 
       Task {
         if currentSession.isExpired {
-          _ = try? await sessionManager.refreshSession(currentSession.refreshToken)
-          // No need to emit `tokenRefreshed` nor `signOut` event since the `refreshSession` does it already.
+          _ = try? await sessionMachine.refresh(token: currentSession.refreshToken)
+          // No need to emit `tokenRefreshed` nor `signOut` event since `refresh` does it already.
         }
       }
     } else {

Sources/Auth/AuthMFA.swift

@@ -8,7 +8,7 @@ public struct AuthMFA: Sendable {
   var api: APIClient { Dependencies[clientID].api }
   var encoder: JSONEncoder { Dependencies[clientID].encoder }
   var decoder: JSONDecoder { Dependencies[clientID].decoder }
-  var sessionManager: SessionManager { Dependencies[clientID].sessionManager }
+  var sessionMachine: SessionStateMachine { Dependencies[clientID].sessionMachine }
   var eventEmitter: AuthStateChangeEventEmitter { Dependencies[clientID].eventEmitter }
 
   /// Starts the enrollment process for a new Multi-Factor Authentication (MFA) factor. This method
@@ -63,7 +63,7 @@ public struct AuthMFA: Sendable {
       )
     ).decoded(decoder: decoder)
 
-    await sessionManager.update(response)
+    await sessionMachine.update(response)
 
     eventEmitter.emit(.mfaChallengeVerified, session: response, token: nil)
 
@@ -108,7 +108,7 @@ public struct AuthMFA: Sendable {
   ///
   /// - Returns: An authentication response with the list of MFA factors.
   public func listFactors() async throws -> AuthMFAListFactorsResponse {
-    let user = try await sessionManager.session().user
+    let user = try await sessionMachine.validSession().user
     let factors = user.factors ?? []
     let totp = factors.filter {
       $0.factorType == "totp" && $0.status == .verified
@@ -122,9 +122,11 @@ public struct AuthMFA: Sendable {
   /// Returns the Authenticator Assurance Level (AAL) for the active session.
   ///
   /// - Returns: An authentication response with the Authenticator Assurance Level.
-  public func getAuthenticatorAssuranceLevel() async throws -> AuthMFAGetAuthenticatorAssuranceLevelResponse {
+  public func getAuthenticatorAssuranceLevel() async throws
+    -> AuthMFAGetAuthenticatorAssuranceLevelResponse
+  {
     do {
-      let session = try await sessionManager.session()
+      let session = try await sessionMachine.validSession()
       let payload = JWT.decodePayload(session.accessToken)
 
       var currentLevel: AuthenticatorAssuranceLevels?

Sources/Auth/Internal/APIClient.swift

@@ -27,8 +27,8 @@ struct APIClient: Sendable {
     Dependencies[clientID].configuration
   }
 
-  var sessionManager: SessionManager {
-    Dependencies[clientID].sessionManager
+  var sessionMachine: SessionStateMachine {
+    Dependencies[clientID].sessionMachine
   }
 
   var eventEmitter: AuthStateChangeEventEmitter {
@@ -66,11 +66,7 @@ struct APIClient: Sendable {
 
   @discardableResult
   func authorizedExecute(_ request: Helpers.HTTPRequest) async throws -> Helpers.HTTPResponse {
-    var sessionManager: SessionManager {
-      Dependencies[clientID].sessionManager
-    }
-
-    let session = try await sessionManager.session()
+    let session = try await sessionMachine.validSession()
 
     var request = request
     request.headers[.authorization] = "Bearer \(session.accessToken)"
@@ -118,7 +114,7 @@ struct APIClient: Sendable {
       // The `session_id` inside the JWT does not correspond to a row in the
       // `sessions` table. This usually means the user has signed out, has been
       // deleted, or their session has somehow been terminated.
-      await sessionManager.remove()
+      await sessionMachine.remove()
       eventEmitter.emit(.signedOut, session: nil)
       return .sessionMissing
     } else {

Sources/Auth/Internal/Dependencies.swift

@@ -7,7 +7,7 @@ struct Dependencies: Sendable {
   var api: APIClient
   var codeVerifierStorage: CodeVerifierStorage
   var sessionStorage: SessionStorage
-  var sessionManager: SessionManager
+  var sessionMachine: SessionStateMachine
 
   var eventEmitter = AuthStateChangeEventEmitter()
   var date: @Sendable () -> Date = { Date() }