docs(future): file the sign-out couple-key hygiene decision (observed 2026-07-16)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
null 2026-07-16 01:15:57 -05:00
parent c636749cf3
commit 65dbd1a9c9
1 changed files with 7 additions and 0 deletions

View File

@ -5,6 +5,13 @@ Non-blocking ideas: things that work today but could be better, plus feature ide
## Backup, restore & E2EE (follow-ons to R24) ## Backup, restore & E2EE (follow-ons to R24)
- **Sign-out couple-key hygiene (decision needed, filed 2026-07-16).** `CoupleKeyStore` keys by
coupleId, not uid: signing out does NOT wipe the couple keyset, so any member signing back in on
that device is unlocked without recovery. Both partners are entitled to the key, so this isn't a
straight defect — but a deliberate call is needed: wipe couple keys on sign-out (safer for
handed-down devices, costs a recovery on re-sign-in) or keep the convenience. Local Room caches
have the same question.
- **Option B — relay-and-delete for messages.** Now that E2EE backup + restore exist (R24), make the Room - **Option B — relay-and-delete for messages.** Now that E2EE backup + restore exist (R24), make the Room
`conversation_cache` the **source of truth** and flip Firestore `messages` to a transient relay `conversation_cache` the **source of truth** and flip Firestore `messages` to a transient relay
(TTL / delete-after-delivery), plus **back up media into the snapshot** (since `chat_media` would then be (TTL / delete-after-delivery), plus **back up media into the snapshot** (since `chat_media` would then be