- Deleted BluetoothKeyTransfer.js and related classes
- Removed BluetoothKeyTransfer.jsx UI component
- Cleaned up Bluetooth imports from app-boot.js and bootstrap-modules.js
- Removed Bluetooth buttons and handlers from main app
- Eliminated all Bluetooth functionality due to Web Bluetooth API limitations
- Browsers cannot create GATT servers or advertise devices
- Reduced bundle size by ~78KB
- Application now focuses on supported browser technologies (QR codes, manual key exchange, WebRTC)
- Deleted BluetoothKeyTransfer.js and related classes
- Removed BluetoothKeyTransfer.jsx UI component
- Cleaned up Bluetooth imports from app-boot.js and bootstrap-modules.js
- Removed Bluetooth buttons and handlers from main app
- Eliminated all Bluetooth functionality due to Web Bluetooth API limitations
- Browsers cannot create GATT servers or advertise devices
- Reduced bundle size by ~78KB
- Application now focuses on supported browser technologies (QR codes, manual key exchange, WebRTC)
- Deleted BluetoothKeyTransfer.js and related classes
- Removed BluetoothKeyTransfer.jsx UI component
- Cleaned up Bluetooth imports from app-boot.js and bootstrap-modules.js
- Removed Bluetooth buttons and handlers from main app
- Eliminated all Bluetooth functionality due to Web Bluetooth API limitations
- Browsers cannot create GATT servers or advertise devices
- Reduced bundle size by ~78KB
- Application now focuses on supported browser technologies (QR codes, manual key exchange, WebRTC)
- Add missing sessionTimeLeft state variable to fix ReferenceError in handleDisconnect
- Fix ReferenceError in handleCreateAnswer by correcting variable scope (e.target.value -> answerInput)
- Add type checking for answerData.trim() to prevent TypeError in shouldPreserveAnswerData
- Standardize data types by replacing null assignments with empty strings for offerData/answerData
- Improve handleDisconnect function with proper error handling and comprehensive state cleanup
- Add try-catch wrapper around disconnect operations for better error handling
- Ensure complete metadata removal and connection termination on disconnect
- Fix Bluetooth transfer modal opening with proper role-based event dispatching
- Cache only essential PWA assets (manifest, icons, core scripts)
- Use Network First for all other requests
- Remove aggressive caching of UI components and styles
- Preserve PWA installation while minimizing cache footprint
- Cache only essential PWA assets (manifest, icons, core scripts)
- Use Network First for all other requests
- Remove aggressive caching of UI components and styles
- Preserve PWA installation while minimizing cache footprint
- Add complete splash screen configuration for all iOS devices
- Support iPhone 17 Pro Max through iPhone 6 series
- Support all iPad models with landscape/portrait orientations
- Use proper media queries and generated splash images
- Fix iOS splash screen caching and display issues
- Fix duplicate chunk detection by using data hash instead of index
- Add comprehensive logging for QR scanner debugging
- Implement proper buffer cleanup when scanner is closed
- Preserve original binary data instead of decoding to JSON
- Add deduplication logic to prevent same QR code being processed multiple times
- Improve error handling and scanner state management
- Fix binary chunk reconstruction to maintain SB1:bin: prefix format
- Replaced original JSON with minimized binary format (gzip + base64).
- Adjusted rendering and QR code generation for compatibility.
- Reduced payload size for improved efficiency.
- implemented glowing border effect on cards when cursor is near
- multiple cards can glow simultaneously within proximity
- smooth fade-out without flicker on mouse leave
- improved hover animation for better user experience
- removed all logging of raw IV, JWK, session tokens, verification codes
→ logs now only include error codes, timestamps and short non-reversible SHA-256 hashes (first 4 bytes)
- replaced global master key storage with PBKDF2-derived non-extractable AES key
→ master key lives only in session memory and is cleared on timeout/focus-out
- added password-based derivation (PBKDF2) for master key initialization
- migrated persistent key storage to AES-GCM wrapped ciphertext in IndexedDB
→ JWK export → encrypt with session master key → store ciphertext + IV + metadata
→ unwrap + import as non-extractable on restore
- removed busy-wait loops and direct `window.gc()` calls
→ replaced with async non-blocking cleanup via setTimeout/Promise/WebWorker
- Removed temporary console logs used for debugging
- Disabled DEBUG_MODE flag
- Updated configuration to run in production mode
- Cleaned up leftover debug utilities to reduce noise in console
- Updated connection flow between users via QR codes
- Added manual switching option in QR code generator
- Increased number of QR codes for better readability
- Removed session creation and Lightning payment logic
- Refactored security system:
* no more restrictions
* all systems enabled on session creation
- Improved QR code exchange for mobile devices
Replace CDN React/ReactDOM/Babel with local libs; remove Babel and inline scripts
Build Tailwind locally, add safelist; switch to assets/tailwind.css
Self-host Font Awesome and Inter (CSS + woff2); remove external font CDNs
Implement strict CSP (no unsafe-inline/eval; scripts/styles/fonts from self)
Extract inline handlers; move PWA scripts to external files
Add local QR code generation (qrcode lib) and remove api.qrserver.com
Improve SessionTypeSelector visual selection (highlighted background and ring)
Keep PWA working with service worker and offline assets
Refs: CSP hardening, offline-first, no external dependencies
- Removed reliance on window.DEBUG_MODE and window.DISABLE_* flags.
- Configuration is now passed via constructor instead of global variables.
- Exposed API remains on `window.secureBitChat`, but without backup globals or hidden toggles.
- Consolidated multiple setInterval tasks into a single scheduler to reduce attack surface.
- Added strict limits for IV history and log storage to prevent memory exhaustion.
- Improved XSS hardening: no more global switches to disable security features.
- Removed unsafe exposure of internal objects:
• deleted all references to `window.fileTransferSystem`
• unified global API setup to a single immutable `safeGlobalAPI` via Object.freeze
• removed legacy branch with `delete window[name]`
- Logging improvements:
• eliminated all direct `console.*` calls (use `_secureLog` exclusively)
• fixed string templates with proper interpolation (``${var}``)
• prevented accidental fallback to raw console in production
- Cryptography enforcement:
• updated `_validateCryptographicSecurity()` to require ECDSA and PFS
• added emergency shutdown if critical crypto features are missing
• ensured consistent feature enabling for production
- Metadata of extracted keys is now marked encrypted: true
- Removed decryption bypass via _keyReferences, all keys are returned via decrypt
- Nested encryption uses random 96-bit IV instead of single byte increment
- Fixed _secureLogShim: correct argument destructuring (...args)
- Removed busy-wait in forceInitializeFileTransfer, replaced with async wait
