# Lotus Chat — Bug Report & Technical Audit **Date:** June 2026 This document tracks identified bugs, edge cases, and architectural discrepancies. --- ## ✅ Resolved Issues (Recently Fixed) - **GIF Sending Bypasses E2EE**: Fixed in `RoomInput.tsx`. - **Scheduled Messages Bypass E2EE**: Fixed in `scheduledMessages.ts`. - **Drag-and-Drop Overlay Persistence**: Fixed in `useFileDrop.ts`. - **Stale Member List in Verification Banner**: Fixed in `useDeviceVerificationStatus.ts`. - **Incomplete Python Comment Highlighting**: Fixed in `syntaxHighlight.ts`. - **Search Button Hidden in E2EE Rooms**: Fixed in `RoomViewHeader.tsx`. - **TDS Design Law Violations (Hardcoded Hex)**: Fixed in `GifPicker.tsx` and `VoiceMessageRecorder.tsx`. - **Recent Emoji Sort Order**: Fixed in `recent-emoji.ts` (recency order, not frequency). - **Encrypted Search Misses Historic Events**: Fixed in `useLocalMessageSearch.ts`. - **Presence Updater Base URL Hack**: Fixed in `usePresenceUpdater.ts`. - **Presence Badge Accessibility**: Fixed in `Presence.tsx` (`aria-label` on badge). - **Presence Updater Wipes Custom Status**: Fixed in `usePresenceUpdater.ts` (removed `status_msg: ''`). - **Manifest Main Icon Paths 404**: Fixed in `public/manifest.json` (`./public/android/` → `./res/android/`). Shortcut icon was already correct. --- ## 🛡️ Critical Security & Logic ### 1. Edit History Broken for E2EE **File:** `src/app/features/room/message/EditHistoryModal.tsx` **Status:** **OPEN** - **Issue:** The modal fetches edit history via raw `fetch`. The returned events are not decrypted. - **Impact:** In encrypted rooms, the edit history shows ciphertext or "(no text)" for all previous versions. - **Recommended Fix:** After fetching raw events, check if they are encrypted. Use `mx.decryptEventIfNeeded(event)` for each event in the chunk before rendering. ### 2. Service Worker Ephemeral Sessions **File:** `src/sw.ts` **Status:** **OPEN** - **Issue:** Access tokens are stored in an in-memory `sessions` Map within the SW. - **Impact:** Closing all app tabs wipes the sessions. Background tasks (like future push notification handling or media pre-fetching) will fail. - **Recommended Fix:** Persist the session info (accessToken/baseUrl) in IndexedDB within the Service Worker so it survives app restarts. --- ## 📱 PWA & Mobile Issues ### 1. No PWA Precaching (Offline Mode Broken) **File:** `src/sw.ts`, `vite.config.js` **Status:** **OPEN** - **Issue:** The Service Worker is missing the `self.__WB_MANIFEST` injection point and `precacheAndRoute` call. - **Impact:** The app does not work offline and fails PWA installation requirements in most browsers. - **Recommended Fix:** Add `precacheAndRoute(self.__WB_MANIFEST)` to `sw.ts` and ensure `vite.config.js` has a valid `injectionPoint`. ### 2. PiP Resize Impossible on Mobile **File:** `src/app/components/CallEmbedProvider.tsx` **Status:** **OPEN** - **Issue:** Resizing the PiP window uses `onMouseDown` handlers which do not trigger on touch devices. - **Impact:** Mobile users cannot resize the PiP window. - **Recommended Fix:** Implement `onTouchStart` handlers for the resize corners, mapping touch coordinates to the same resize logic. ### 3. Double Background Animation (GPU Waste) **File:** `src/app/pages/client/SidebarNav.tsx`, `src/app/features/room/RoomView.tsx` **Status:** **OPEN** - **Issue:** When Glassmorphism is enabled, the chat background is mirrored to `document.body` while the `RoomView` also renders it. - **Impact:** Two identical animations (e.g., Digital Rain) run simultaneously, doubling GPU usage on mobile. - **Recommended Fix:** When Glassmorphism is active, make the `RoomView` background transparent and rely on the `document.body` background.