New privacy-focused messaging controls in the composer:
- Code blocks: button wraps the message in a fenced block; both peers render a
monospace code window with a copy button (clipboard auto-clears after ~30s).
Window is built from sanitized text via React nodes — no new XSS surface.
- View-once: recipient sees a blurred bubble, reveals on tap, then it is wiped.
Honestly cooperative (not screenshot-proof).
- Disappearing messages: optional 30s/5m/1h timer auto-deletes on both sides
with a live countdown; incoming TTL clamped to [5s, 24h].
- Unsend (delete for everyone) via new MESSAGE_TYPES.message_delete control.
- Panic wipe: clears chat, wipes keys and disconnects (behind a confirm).
Transport:
- Per-message metadata (id / view-once / timer) travels inside the encrypted
envelope, not in the sanitized text, so content cannot spoof these controls.
- _sanitizeMessageMeta whitelists + bounds metadata on send and receive.
- AAD/replay protection, SAS gate and receive-side DOMPurify are unchanged.
Adds tests/secure-chat-features.test.mjs (full suite: 17 files, all passing).
Bumps version to 4.8.14 across package.json, package-lock.json, manifest.json,
index.html, meta.json, README, SECURITY_DISCLAIMER, header and init banner.
Bumps version to 4.8.13 across package.json, package-lock.json, manifest.json,
index.html, meta.json, README, SECURITY_DISCLAIMER, the site header and the
in-app init banner (previously desynced at 4.8.10/4.8.11/4.8.12).
Ships the security-review fixes already on main:
- removed the over-broad send-path keyword blocklist that silently rejected
legitimate messages (real XSS defense remains receive-side DOMPurify)
- preserve newlines/tabs/indentation in outgoing message sanitization
- stop logging raw AAD (sessionId + keyFingerprint) on validation failure
- add Strict-Transport-Security and Permissions-Policy headers
- add outgoing-message-integrity regression tests
- add header gear + connection-screen entry points to Advanced network settings
- render the ICE settings modal at the app root (reachable from any screen via event)
- remove the standalone relay-only toggle/description from the start screen
(relay-only now lives in the advanced settings panel)
- fix crash from referencing main-component state inside EnhancedConnectionSetup
- bump version to 4.8.10 across header, manifest, README, init message, disclaimer
- document the feature in CHANGELOG and README
lockbitchat