fix(file-transfer): announce received file once, not many times
The per-transfer lock used a single `if` check, so when 3+ chunk
operations queued on the same fileId they awaited the same in-flight
lock and then ran concurrently, breaking assembly atomicity. The lock
now loops until the slot is free (true serialization) and file assembly
is idempotent, so `File received` shows exactly once per file.
fix(verification): stop duplicate connection-setup system messages
handleVerificationBothConfirmed had no guard, so when both peers sent
verification_both_confirmed symmetrically one side ran both the local
detection path and the peer-notification path, emitting "Both parties
confirmed!" and the verified transition (and "Secure connection
established") twice. It now bails out if both confirmations are already
recorded.
fix(ui): wrap long DTLS fingerprint inside the chat bubble
The message text column is a flex child with default min-width:auto, so
the long unbroken fingerprint overflowed. Added min-w-0 so break-words
can wrap it.
chore(release): bump version to 4.8.12 in header, init banner, manifest
- add header gear + connection-screen entry points to Advanced network settings
- render the ICE settings modal at the app root (reachable from any screen via event)
- remove the standalone relay-only toggle/description from the start screen
(relay-only now lives in the advanced settings panel)
- fix crash from referencing main-component state inside EnhancedConnectionSetup
- bump version to 4.8.10 across header, manifest, README, init message, disclaimer
- document the feature in CHANGELOG and README
- add iceServers.js: allowlist-based validation/normalization of user-supplied
STUN/TURN URLs (rejects javascript:/data:/http/ws, control chars, enforces limits)
- add iceSettingsStore.js: opt-in persistence encrypted at rest with a
non-extractable AES-GCM device key in IndexedDB; load/save/clear
- add IceServerSettings.jsx modal: public vs custom servers, JSON/line input,
live validation, relay-only toggle, 'Test servers' connectivity check,
save-on-device prompt, forget-saved action
- wire chosen servers/privacy mode into EnhancedSecureWebRTCManager construction
(priority: custom > operator override > built-in defaults)
- entry point on the connection-creation screen next to the relay-only toggle
- add ice-servers-validation.test.mjs to the suite
- Add UpdateManager and UpdateChecker for automatic version detection
- Add post-build script for meta.json generation and version injection
- Enhance Service Worker with version-aware caching
- Add .htaccess configuration for proper cache control
This ensures all users receive the latest version after deployment
without manual cache clearing.
- Update version to v4.7.53
- Add Desktop Edition documentation (Windows, macOS, Linux)
- Update roadmap with all versions and dates
- Add mobile apps information (Q1 2026)
- Expand security and development sections
- Update URLs to securebit.chat domain
- Added SecureNotificationManager with cross-browser support (Chrome, Firefox, Safari, Edge)
- Integrated WebRTC message notifications with tab visibility detection
- Implemented XSS protection, URL validation, and rate limiting
- Notifications shown only when chat tab is inactive
- Enforced HTTPS and user gesture requirements
- Deleted BluetoothKeyTransfer.js and related classes
- Removed BluetoothKeyTransfer.jsx UI component
- Cleaned up Bluetooth imports from app-boot.js and bootstrap-modules.js
- Removed Bluetooth buttons and handlers from main app
- Eliminated all Bluetooth functionality due to Web Bluetooth API limitations
- Browsers cannot create GATT servers or advertise devices
- Reduced bundle size by ~78KB
- Application now focuses on supported browser technologies (QR codes, manual key exchange, WebRTC)
- Deleted BluetoothKeyTransfer.js and related classes
- Removed BluetoothKeyTransfer.jsx UI component
- Cleaned up Bluetooth imports from app-boot.js and bootstrap-modules.js
- Removed Bluetooth buttons and handlers from main app
- Eliminated all Bluetooth functionality due to Web Bluetooth API limitations
- Browsers cannot create GATT servers or advertise devices
- Reduced bundle size by ~78KB
- Application now focuses on supported browser technologies (QR codes, manual key exchange, WebRTC)
- Cache only essential PWA assets (manifest, icons, core scripts)
- Use Network First for all other requests
- Remove aggressive caching of UI components and styles
- Preserve PWA installation while minimizing cache footprint
- Fix duplicate chunk detection by using data hash instead of index
- Add comprehensive logging for QR scanner debugging
- Implement proper buffer cleanup when scanner is closed
- Preserve original binary data instead of decoding to JSON
- Add deduplication logic to prevent same QR code being processed multiple times
- Improve error handling and scanner state management
- Fix binary chunk reconstruction to maintain SB1:bin: prefix format
- Replaced original JSON with minimized binary format (gzip + base64).
- Adjusted rendering and QR code generation for compatibility.
- Reduced payload size for improved efficiency.
- removed all logging of raw IV, JWK, session tokens, verification codes
→ logs now only include error codes, timestamps and short non-reversible SHA-256 hashes (first 4 bytes)
- replaced global master key storage with PBKDF2-derived non-extractable AES key
→ master key lives only in session memory and is cleared on timeout/focus-out
- added password-based derivation (PBKDF2) for master key initialization
- migrated persistent key storage to AES-GCM wrapped ciphertext in IndexedDB
→ JWK export → encrypt with session master key → store ciphertext + IV + metadata
→ unwrap + import as non-extractable on restore
- removed busy-wait loops and direct `window.gc()` calls
→ replaced with async non-blocking cleanup via setTimeout/Promise/WebWorker
- Updated connection flow between users via QR codes
- Added manual switching option in QR code generator
- Increased number of QR codes for better readability
- Removed session creation and Lightning payment logic
- Refactored security system:
* no more restrictions
* all systems enabled on session creation
- Improved QR code exchange for mobile devices
Replace CDN React/ReactDOM/Babel with local libs; remove Babel and inline scripts
Build Tailwind locally, add safelist; switch to assets/tailwind.css
Self-host Font Awesome and Inter (CSS + woff2); remove external font CDNs
Implement strict CSP (no unsafe-inline/eval; scripts/styles/fonts from self)
Extract inline handlers; move PWA scripts to external files
Add local QR code generation (qrcode lib) and remove api.qrserver.com
Improve SessionTypeSelector visual selection (highlighted background and ring)
Keep PWA working with service worker and offline assets
Refs: CSP hardening, offline-first, no external dependencies
lockbitchat