docs(future): file the sign-out couple-key hygiene decision (observed 2026-07-16)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
parent
c636749cf3
commit
65dbd1a9c9
|
|
@ -5,6 +5,13 @@ Non-blocking ideas: things that work today but could be better, plus feature ide
|
|||
|
||||
## Backup, restore & E2EE (follow-ons to R24)
|
||||
|
||||
- **Sign-out couple-key hygiene (decision needed, filed 2026-07-16).** `CoupleKeyStore` keys by
|
||||
coupleId, not uid: signing out does NOT wipe the couple keyset, so any member signing back in on
|
||||
that device is unlocked without recovery. Both partners are entitled to the key, so this isn't a
|
||||
straight defect — but a deliberate call is needed: wipe couple keys on sign-out (safer for
|
||||
handed-down devices, costs a recovery on re-sign-in) or keep the convenience. Local Room caches
|
||||
have the same question.
|
||||
|
||||
- **Option B — relay-and-delete for messages.** Now that E2EE backup + restore exist (R24), make the Room
|
||||
`conversation_cache` the **source of truth** and flip Firestore `messages` to a transient relay
|
||||
(TTL / delete-after-delivery), plus **back up media into the snapshot** (since `chat_media` would then be
|
||||
|
|
|
|||
Loading…
Reference in New Issue