fix(audit): low-tail cleanup — session/logout/unread/presence/forward
Clears the clean 🟡 remainders from the feature audit (gate-green, 677 tests):
- F3: getFallbackSession prefers the session-blob/legacy source with the later expiresAt (a downgrade→upgrade could boot on a stale blob's dead token).
- F6: server-forced logout (SessionLoggedOut) now mirrors logoutClient — pushSessionToSW() + best-effort revokeOidcTokens for OIDC sessions (the search plaintext wipe was already added).
- N5: deleteUnreadInfo parent fallback `?? roomId` → `?? []` (latently spread the roomId string into chars).
- P10: useUserPresence re-seeds when the User object appears after first render.
- forward: strip m.mentions so forwarding doesn't re-ping the original mentions.

Left open: F5 (OIDC expiry not reachable in persistTokens), N6/H10/D7 (minor / runtime-verify). See LOTUS_TODO.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@@ -96,6 +96,19 @@ Tier-2 bug-hunt (desktop/native, crypto/session/infra, messaging data) by 3 para
|
||||
|
||||
---
|
||||
|
||||
## 🧹 Audit low-tail cleanup (2026-07) — audit closed out
|
||||
|
||||
Cleared the clean 🟡 remainders, gate-green (677 tests, build OK):
|
||||
|
||||
- **F3** `getFallbackSession` now prefers whichever of the session-blob / legacy keys carries the later `expiresAt` (a downgrade→upgrade could boot on a stale blob's dead token).
|
||||
- **F6** server-forced logout (`ClientRoot` `SessionLoggedOut`) now mirrors `logoutClient`: `pushSessionToSW()` + best-effort `revokeOidcTokens` for OIDC sessions.
|
||||
- **N5** `deleteUnreadInfo` parent-aggregate fallback `?? roomId` → `?? []` (was latently spreadable into chars).
|
||||
- **P10** `useUserPresence` re-seeds `getUserPresence(user)` when the `User` object appears after first render (badge no longer blank until the next event).
|
||||
- **forward** strips `m.mentions` so forwarding a message doesn't re-ping the originally-mentioned users.
|
||||
- **D4** (native) `forward_deeplink` dedupes the same URL within ~1s so a cold-start `matrix:` link doesn't navigate twice.
|
||||
|
||||
**Left open (rationale):** **F5** OIDC `persistTokens` can't reach the access-token expiry without SDK-internal plumbing (minor — refresh is reactive on 401). **N6** membership-refresh emitter uncertain + low impact. **H10** room-name setter fire-and-forget is trivial + would touch the just-refactored `RoomNavItem`. **D7** Unity `.desktop` id is a runtime-verify, not a code fix.
|
||||
|
||||
## 🔎 Audit findings — Wave 3 (2026-07)
|
||||
|
||||
Tier-3 bug-hunt (theming/visual, presence/UX/composer, rooms-customization/moderation) by 3 parallel agents. Higher-severity than expected in the non-theming areas. `[P#]`=presence/UX, `[H#]`=rooms/moderation, `[T#]`=theming.
|
||||
|
||||
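Review bot: The added heading marks the section "audit closed out", but the "Left open (rationale)" paragraph a few lines below still lists F5, N6, H10 and D7 as unresolved. Reword the heading so it does not read as full closure, or state explicitly that those four are accepted as won't-fix and where they are tracked. Two smaller points in the same hunk: the D4 `forward_deeplink` dedupe entry is recorded as cleared here but is not listed in the commit message, so either add it to the message or note which commit carried it; and the F6 entry says `revokeOidcTokens` is "best-effort" without saying what happens when revocation fails on the server-forced logout path (for example, whether the failure is logged), which is worth one more clause since this is the session-teardown record.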