release: v4.8.20 secure chat tools — completed, fixed and polished

Completes the messaging controls from v4.8.14 and fixes the bug that made them
appear broken for recipients.

Fixed:
- Per-message metadata was silently dropped for recipients. NotificationIntegration
  wrapped onMessage and deliverMessageToUI with 2-arg shims that called the
  originals without the 3rd argument (meta); with notifications enabled, view-once,
  disappearing timers and unsend all failed on the receiving side. Both wrappers
  now forward all arguments. Added tests/notification-meta-forwarding.test.mjs.
- Chat would not open after SAS: composer props were threaded into the wrong
  component (EnhancedConnectionSetup vs EnhancedChatInterface) -> ReferenceError
  nowTick on the verified re-render. Props moved to the chat component.

Changed:
- Code blocks: lightweight dependency-free syntax highlighting via React nodes
  (no innerHTML/remote scripts); code mode expands the input; copy auto-clears
  the clipboard after ~30s.
- View-once: configurable visible-after-open time (5s/15s/30s/1m) via meta.onceTtl.
- Disappearing timer: duration picker (Off/30s/5m/1h) instead of click-cycling.
- Composer toolbar moved next to "Send files"; borderless buttons, brand-orange
  active state; pickers open upward and are mobile-friendly.
- Sender bubble background lightened to rgba(249,115,22,0.05).

Removed:
- Panic wipe button (disconnect already wipes keys and clears session state).

Transport unchanged: per-message metadata travels inside the encrypted envelope,
whitelisted/bounded by _sanitizeMessageMeta. Full suite: 19 files, all passing.
Docs (README, CHANGELOG) updated; version bumped to 4.8.20.

tests/notification-meta-forwarding.test.mjs

@@ -0,0 +1,40 @@
+import assert from 'node:assert/strict';
+import { JSDOM } from 'jsdom';
+
+// NotificationIntegration wraps webrtcManager.onMessage and .deliverMessageToUI.
+// Regression: those wrappers must forward the 3rd argument (per-message `meta`)
+// to the originals, otherwise view-once / disappearing / unsend break ONLY when
+// notifications are enabled (which is exactly how it shipped broken).
+
+const dom = new JSDOM('<!doctype html><html><body></body></html>', { url: 'https://localhost/' });
+globalThis.window = dom.window;
+globalThis.document = dom.window.document;
+// Minimal Notification stub so init() does not throw.
+globalThis.Notification = dom.window.Notification = class { static permission = 'granted'; static requestPermission() { return Promise.resolve('granted'); } close() {} };
+
+await import('../src/notifications/NotificationIntegration.js');
+const NotificationIntegration = window.NotificationIntegration;
+
+const received = [];
+const delivered = [];
+const manager = {
+    onMessage: (message, type, meta) => received.push({ message, type, meta }),
+    onStatusChange: () => {},
+    deliverMessageToUI: (message, type, meta) => delivered.push({ message, type, meta })
+};
+
+const integration = new NotificationIntegration(manager);
+await integration.init();
+
+// After init, the manager's callbacks are the wrappers. Calling them with meta
+// must forward meta to the originals.
+manager.onMessage('hi', 'received', { mid: 'm1', once: true });
+manager.deliverMessageToUI('yo', 'received', { mid: 'm2', ttl: 30 });
+
+assert.equal(received.length, 1, 'original onMessage called once');
+assert.deepEqual(received[0].meta, { mid: 'm1', once: true }, 'meta forwarded through onMessage wrapper');
+
+assert.equal(delivered.length, 1, 'original deliverMessageToUI called once');
+assert.deepEqual(delivered[0].meta, { mid: 'm2', ttl: 30 }, 'meta forwarded through deliverMessageToUI wrapper');
+
+console.log('Notification meta-forwarding tests passed');

tests/secure-chat-features.test.mjs

@@ -10,8 +10,12 @@ const T = EnhancedSecureWebRTCManager.MESSAGE_TYPES;
 
 // ── _sanitizeMessageMeta: whitelist + bounds ────────────────────────────────
 {
-    const ok = P._sanitizeMessageMeta.call({}, { mid: 'm_1-a', once: true, ttl: 300, code: true });
-    assert.deepEqual(ok, { mid: 'm_1-a', code: true, once: true, ttl: 300 });
+    const ok = P._sanitizeMessageMeta.call({}, { mid: 'm_1-a', once: true, onceTtl: 15, ttl: 300, code: true });
+    assert.deepEqual(ok, { mid: 'm_1-a', code: true, once: true, onceTtl: 15, ttl: 300 });
+
+    // onceTtl is clamped to [1, 3600]; out-of-range is dropped.
+    assert.equal(P._sanitizeMessageMeta.call({}, { once: true, onceTtl: 99999 }).onceTtl, undefined);
+    assert.equal(P._sanitizeMessageMeta.call({}, { once: true, onceTtl: 30 }).onceTtl, 30);
 
     // Junk and out-of-range values are stripped; with no valid keys -> null.
     assert.equal(P._sanitizeMessageMeta.call({}, { foo: 1 }), null);
@@ -58,6 +62,29 @@ const T = EnhancedSecureWebRTCManager.MESSAGE_TYPES;
     assert.deepEqual(deleted, ['m_42']);
 }
 
+// ── live enhanced-message path delivers metadata to the UI ───────────────────
+// This is the path real chat uses (dataChannel.onmessage -> _processEnhancedMessageWithoutMutex).
+{
+    const envelope = JSON.stringify({ type: 'message', data: 'hi there', meta: { mid: 'm7', once: true, ttl: 30 } });
+    globalThis.window.EnhancedSecureCryptoUtils = {
+        decryptMessage: async () => ({ message: envelope })
+    };
+    const calls = [];
+    const manager = {
+        encryptionKey: {}, macKey: {}, metadataKey: {},
+        _secureLog() {},
+        _checkInboundRateLimit: () => true,
+        _sanitizeIncomingChatMessage: (m) => m,
+        _sanitizeMessageMeta: P._sanitizeMessageMeta,
+        onMessage: (message, type, meta) => calls.push({ message, type, meta }),
+        deliverMessageToUI: P.deliverMessageToUI
+    };
+    await P._processEnhancedMessageWithoutMutex.call(manager, { type: 'enhanced_message', data: 'enc' });
+    assert.equal(calls.length, 1);
+    assert.equal(calls[0].message, 'hi there');
+    assert.deepEqual(calls[0].meta, { mid: 'm7', once: true, ttl: 30 });
+}
+
 // ── sendMessageDelete emits a well-formed control message ────────────────────
 {
     const sent = [];