Complete the mandatory receiver-consent gate that was wired in the
backend but never connected to the UI callback chain:
- Add the missing onIncomingFileRequest (4th) callback to
setFileTransferCallbacks in app.jsx — its absence caused
handleFileTransferStart to auto-reject every incoming file.
- Remove independent callback registration from FileTransferComponent;
the component was overwriting app-level callbacks on mount and
nulling all four on unmount, silently breaking progress/received/
error handlers whenever the panel was hidden.
- Lift pendingIncomingFiles state to the root component so consent
prompts are shown regardless of panel visibility; auto-open the
panel on incoming request.
- Add getReceivedFileObjectURL / revokeReceivedFileObjectURL on
EnhancedSecureWebRTCManager for download buttons in the panel.
- Update file-transfer-ui-cleanup regression test to match the new
single-owner callback architecture.
- All 14 tests pass; clean production build.
- Add UpdateManager and UpdateChecker for automatic version detection
- Add post-build script for meta.json generation and version injection
- Enhance Service Worker with version-aware caching
- Add .htaccess configuration for proper cache control
This ensures all users receive the latest version after deployment
without manual cache clearing.
- Removed session creation and Lightning payment logic
- Refactored security system:
* no more restrictions
* all systems enabled on session creation
- Improved QR code exchange for mobile devices
Replace CDN React/ReactDOM/Babel with local libs; remove Babel and inline scripts
Build Tailwind locally, add safelist; switch to assets/tailwind.css
Self-host Font Awesome and Inter (CSS + woff2); remove external font CDNs
Implement strict CSP (no unsafe-inline/eval; scripts/styles/fonts from self)
Extract inline handlers; move PWA scripts to external files
Add local QR code generation (qrcode lib) and remove api.qrserver.com
Improve SessionTypeSelector visual selection (highlighted background and ring)
Keep PWA working with service worker and offline assets
Refs: CSP hardening, offline-first, no external dependencies
lockbitchat