docs(future): file the sign-out couple-key hygiene decision (observed 2026-07-16)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
parent
c636749cf3
commit
65dbd1a9c9
|
|
@ -5,6 +5,13 @@ Non-blocking ideas: things that work today but could be better, plus feature ide
|
||||||
|
|
||||||
## Backup, restore & E2EE (follow-ons to R24)
|
## Backup, restore & E2EE (follow-ons to R24)
|
||||||
|
|
||||||
|
- **Sign-out couple-key hygiene (decision needed, filed 2026-07-16).** `CoupleKeyStore` keys by
|
||||||
|
coupleId, not uid: signing out does NOT wipe the couple keyset, so any member signing back in on
|
||||||
|
that device is unlocked without recovery. Both partners are entitled to the key, so this isn't a
|
||||||
|
straight defect — but a deliberate call is needed: wipe couple keys on sign-out (safer for
|
||||||
|
handed-down devices, costs a recovery on re-sign-in) or keep the convenience. Local Room caches
|
||||||
|
have the same question.
|
||||||
|
|
||||||
- **Option B — relay-and-delete for messages.** Now that E2EE backup + restore exist (R24), make the Room
|
- **Option B — relay-and-delete for messages.** Now that E2EE backup + restore exist (R24), make the Room
|
||||||
`conversation_cache` the **source of truth** and flip Firestore `messages` to a transient relay
|
`conversation_cache` the **source of truth** and flip Firestore `messages` to a transient relay
|
||||||
(TTL / delete-after-delivery), plus **back up media into the snapshot** (since `chat_media` would then be
|
(TTL / delete-after-delivery), plus **back up media into the snapshot** (since `chat_media` would then be
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue