Commit graph

18 commits

Author SHA1 Message Date
Johannes Millan
4e1ace0786 refactor(sync): remove encryption test mocks 2026-05-13 17:26:55 +02:00
Johannes Millan
faa18c1638 docs(sync): add plan to extract encryption primitives to @sp/sync-core 2026-05-13 14:11:15 +02:00
johannesjo
c40feef6d2 refactor(sync-providers): move SuperSync provider into package
Move SuperSync's provider class, model, and spec from
`src/app/op-log/sync-providers/super-sync/` into
`packages/sync-providers/src/super-sync/` behind the ports
established by slices 5-6 (logger, platform-info, web-fetch,
native-http-executor, credential-store) plus two new ports for this
slice: `SuperSyncStorage` (narrow, three methods for `lastServerSeq`
persistence) and `SuperSyncResponseValidators` (host-side wrapper
that keeps `@sp/shared-schema` out of the package boundary).

Privacy fixes applied inline per multi-review consensus:

- `AuthFailSPError(reason, body)` now only takes the extracted
  reason — body is no longer retained on `additionalLog`.
- `_handleNativeRequestError` drops the parenthesised
  `(${errorMessage})` interpolation from the user-facing message
  to avoid leaking hostname/URL on native-stack errors.
- Timeout `Error.message` drops the `path` interpolation
  (`excludeClient` clientId was leaking into the thrown message).
- `_extractServerErrorReason` caps the extracted server reason at
  80 chars to defend against future server contract drift.
- Thrown non-2xx errors use a fixed `HTTP <status> <statusText> —
<reason?>` form (web) or `HTTP <status> — <reason?>` (native)
  instead of embedding the raw response body in `Error.message`.

JSDoc invariants pinned on `getEncryptKey`, `getWebSocketParams`,
`_cachedServerSeqKey`, and `deleteAllData` response shape.

Compression switched to direct `@sp/sync-core` import (no
`CompressError` wrapping at SuperSync's call sites; the existing
app-side compression-handler still wraps for
`EncryptAndCompressHandlerService`).

Spec converted Jasmine → Vitest. `TestableSuperSyncProvider`
subclass gone — native-platform routing now tested via injected
`platformInfo` + `nativeHttpExecutor` mocks. Adds a new
`privacy regression: no user content in error/log surface`
describe block driven by an HTTP-error path with a body containing
plausible user content (taskId/title/accessToken).

App-side `super-sync.ts` collapses to a 50-line
`createSuperSyncProvider()` factory (no `extraPath` arg —
SuperSync explicitly ignored it). The `SyncProviderId.SuperSync`
enum stays app-side; `AssertSuperSyncId` conditional pins
enum-vs-constant drift at compile time. `super-sync.model.ts`
becomes a re-export shim. `sync-providers.factory.ts` updated.

`super-sync-restore.service.ts` narrows the package's
`RestorePoint<string>` return through the consensus "narrow at the
app shim" decision (single cast at the call boundary).

Bundle: CJS 95.15 KB / ESM 92.34 KB (up from 76.78 / 74.18). Right
in the performance reviewer's 95-100 KB estimate; under the
original 110 KB projection. Tiered barrel split remains a
documented deferral.

Package spec count: 273 (was 197, added 76 SuperSync specs).
All targeted app specs green: sync-wrapper (107), op-log (2513
across the directory), imex/sync (381).
2026-05-13 00:30:19 +02:00
johannesjo
3d0ff2aec7 docs(sync-core-plan): record SuperSync slice multi-review consensus
Folds the six-Claude-lens (correctness, security/privacy, architecture,
alternatives, performance, simplicity) review pass into the SuperSync
slice design doc. Closes all 8 open questions in-doc, records new
blockers the original draft undercounted, and trims the body per the
simplicity reviewer's recommendations.

Key revisions:
- Storage port is narrow `SuperSyncStorage` (3 methods), not the
  generic `KeyValueStoragePort` originally proposed. Architecture
  and alternatives both pushed back.
- Promoted helper renamed to `isRetryableUploadError` (intent-
  anchored) to avoid naming collision with package's existing
  `isTransientNetworkError`.
- Factory drops `extraPath` — SuperSync explicitly ignores it.
- Privacy A1 fix uses extracted-reason form (via
  `_extractServerErrorReason`, capped at 80 chars), not blanket
  body-drop — preserves 5xx debug context.

Four new privacy blockers added that the original sweep missed:
- `AuthFailSPError(reason, body)` retains body via
  `AdditionalLogErrorBase.additionalLog` (security + correctness
  both flagged independently — PR 5b did NOT scrub this for
  SuperSync's call site).
- `_handleNativeRequestError` re-throw embeds raw `errorMessage`
  (can leak hostname/URL from native-stack `.message`).
- Timeout `Error.message` embeds `path` with `excludeClient` query
  param (pseudonymous clientId).
- `_extractServerErrorReason` returns server `error` field uncapped.

Dissents recorded: alternatives reviewer preferred pre-split spec
before move, moving CompressError/DecompressError into sync-core
for strict behavior preservation, and barrel split as PR 7d.
2026-05-12 23:58:58 +02:00
johannesjo
6a1f569a09 docs(sync-core-plan): draft SuperSync slice design for multi-review
Captures the SuperSync provider move (slice 7) design surface before
implementation: which files move into @sp/sync-providers, which stay
app-side, which ports get reused from prior slices, which new ports
this slice introduces, the privacy sweep checklist, the suggested
commit shape, and the open questions for parallel multi-review.

Key design calls flagged for review:
- response-validators.ts stays app-side (banned @sp/shared-schema
  import). New SuperSyncResponseValidators port.
- localStorage access becomes a KeyValueStoragePort.
- isTransientNetworkError promoted from app sync-error-utils to the
  package as isTransientErrorMessage (distinct from the package's
  existing native-error-code-aware version).
- Compression imported directly from @sp/sync-core; CompressError
  wrapping dropped at SuperSync call sites (no instanceof catches
  exist).
- Two privacy A1 sites identified: _doNativeFetch:646-648 and
  _doWebFetch:582 embed response body in thrown Error.message; fix
  via fixed status-only message.
- Spec migration kept monolithic for the move (1553 lines), split
  deferred to a follow-up.

Multi-review consensus block left blank for the reviewer pass.
2026-05-12 23:50:12 +02:00
Johannes Millan
cf4fbd22e3 docs(sync-core-plan): fold Gemini review dissent into consensus
Gemini's review eventually completed after a workspace-sandbox retry
and quota throttling. Its findings broadly affirm the Claude
consensus, with two dissents — both rejected with reasoning:

- Q1 (port reuse): Gemini wanted to keep the new WebDavNativeHttpExecutor
  port "for consistency with NativeHttpExecutor." Rejected — the
  architecture and simplicity reviewers verified by code reading that
  the existing NativeHttpExecutor already supports arbitrary methods,
  responseType: 'text', and maxRetries: 0. Naming consistency is a
  weak argument against actual port duplication.

- Q6 (retry policy): Gemini wanted a 2-attempt + explicit 423 Locked
  retry. Rejected — alternatives and simplicity flagged this as a
  behavior change masquerading as a refactor. Adapter has zero retries
  today; preserving that keeps the slice scope a move. Per-call-site
  maxRetries remains trivially available once we reuse the existing
  port.

Refresh the consensus header from "Claude-only consensus" to reflect
that Gemini did contribute.
2026-05-12 22:22:41 +02:00
Johannes Millan
9a00152c22 docs(sync-core-plan): record WebDAV slice multi-review consensus
Add a "Multi-review consensus (2026-05-12)" section between the goal
and the what-moves description, mirroring the Dropbox slice doc's
structure. Captures findings from four Claude reviewers (security,
architecture, alternatives, simplicity). Codex / Copilot / Gemini CLIs
were attempted but failed for environment reasons (sandbox, deny-tool
classifier, quota+workspace limits); noted in the consensus header.

Decisions revised:

- Open question 1: DROP the new WebDavNativeHttpExecutor port. Reuse
  NativeHttpExecutor — the existing port already supports responseType:
  'text', maxRetries: 0, and arbitrary methods (PROPFIND/MKCOL/MOVE).
  Auto-JSON-parse is a property of CapacitorHttp.request, not the port.
  The app injects a different adapter (wired to WebDavHttp plugin) of
  the same port. Commit 2 collapses to "wire app-side adapter."
- Open question 4: Drop inline registerPlugin in this slice — the
  canonical registration in capacitor-webdav-http/index.ts carries the
  web: () => import('./web') fallback; the inline one in
  webdav-http-adapter.ts:31 does not.
- Open question 5: Tighten CORS heuristic in this slice. Collapse the
  string-matching to a ~3-line "TypeError && message.includes('cors')"
  check and replace the ambiguous-error log with toSyncLogError +
  urlPathOnly meta. Closes a privacy leak (Firefox NetworkError embeds
  the URL) and removes 40 lines.
- Open question 6: Preserve no-retry behavior. Under open-question-1's
  port reuse, becomes a per-call-site maxRetries: 0 argument.
- Open question 8: Keep webdav-api.spec.ts monolithic. Match Dropbox
  precedent (~876 lines, single file move).
- Commit shape: Match Dropbox 5a/5b split. PR 6a = log helpers
  promotion; PR 6b = bulk move + adapter wiring + privacy sweep +
  Nextcloud generic widen + md5HashSync → hash-wasm + CORS tighten +
  spec migration.
- Factory shape: createWebdavProvider(extraPath?: string), not (deps).
  Deps are composed internally from app singletons, matching the
  Dropbox precedent at app-side dropbox.ts:31-43.

Decisions affirmed: md5HashSync → hash-wasm async (with one-line
benchmark in PR description), Nextcloud generic widening to union,
delete TestableWebDavHttpAdapter spec harness.

New privacy blockers surfaced (must fix in PR 6b): URL/basePath leak
via _buildFullPath at four error-construction call sites, PROPFIND
response body fed into HttpNotOkAPIError (contains user filenames),
testConnection returning raw e.message, _buildFullPath throwing
generic Error with raw path, A3 sweep undercount (10+ raw-error log
sites), new B3.4 invariant (FileMeta never enters a Log call site),
and a documented package-boundary invariant that response headers
are not logged or attached to errors.

Action items: PR 6a (helpers promotion) → PR 6b (bulk move). The
original "Open questions" section is preserved below the consensus
as a decision-log for review history, in the same style as the
Dropbox slice doc.
2026-05-12 22:22:41 +02:00
Johannes Millan
bd6863ac84 docs(sync-core-plan): draft WebDAV slice design for multi-review
Pre-implementation design doc for PR 5's WebDAV + Nextcloud slice,
mirroring the structure of the Dropbox slice design doc.

Captures the file-move surface (9 source files + specs), the new
WebDavNativeHttpExecutor port shape (callable type, divergent from
NativeHttpExecutor because of Capacitor WebDavHttp plugin transport
differences), the md5HashSync → hash-wasm migration choice, the
errorMeta / urlPathOnly log-helper promotion as a precursor commit,
the privacy A1/A3/B3.x sweep checklist, and the Nextcloud generic-
parameter / cast cleanup option.

Includes eight open questions framed for multi-review (port naming,
md5 strategy, generic parameter, registerPlugin cleanup scope, CORS
heuristic, retry policy, spec migration, file split). Suggested
three-commit shape (helpers promotion → port introduction → bulk
move) keeps each commit independently green.

No code changes; design doc only.
2026-05-12 22:22:41 +02:00
Johannes Millan
91e53bb488 refactor(sync-providers): move provider error classes
Lift 12 provider-shared error classes (AuthFailSPError, InvalidDataSPError,
HttpNotOkAPIError, NoRevAPIError, RemoteFileNotFoundAPIError,
MissingCredentialsSPError, MissingRefreshTokenAPIError,
TooManyRequestsAPIError, UploadRevToMatchMismatchAPIError,
PotentialCorsError, RemoteFileChangedUnexpectedly, EmptyRemoteBodySPError)
plus AdditionalLogErrorBase and extractErrorMessage into
@sp/sync-providers. App-side sync-errors.ts becomes a re-export shim
so existing call sites and instanceof checks keep working.

The moved AdditionalLogErrorBase drops its constructor-time
OP_LOG_SYNC_LOGGER.log side effect (Option A from the slice design):
privacy responsibility shifts entirely to catch-site logging via the
injected SyncLogger port. A new app-side identity spec asserts the
constructor identity is preserved across import paths so future bundler
or tsconfig drift can't silently break instanceof catches.

HttpNotOkAPIError splits its parsed body excerpt off .message onto a
new opt-in .detail field; getErrorTxt forwards .detail to UI surfaces
so user-visible toasts remain unchanged while privacy-aware logger
paths see only "HTTP <status> <statusText>".

TooManyRequestsAPIError's constructor is narrowed to accept only
{ status, retryAfter?, path? } — closing a latent bearer-token leak
where Dropbox's _handleErrorResponse passed the raw Authorization
header through additionalLog. Callers in dropbox-api and
webdav-http-adapter updated accordingly.

Package gains "sideEffects": false to unlock tree-shaking through the
barrel for consumers that import only error classes.

Slice design and round-2 multi-review findings documented in
docs/plans/2026-05-12-pr5-dropbox-slice.md.
2026-05-12 20:32:08 +02:00
Johannes Millan
b51bd2c9ca
New focus mode rework (#7411)
* fix(android): avoid false WebView version lockout

* fix(android): add WebView block recovery paths

Builds on the prior authoritative-vs-fallback fix with three layered
recovery mechanisms so users hit by a false BLOCK are never locked out
of their data:

- Last-known-good auto-recovery: persist the highest WebView version
  that has ever loaded the app on this device. A later transient
  mis-read that drops below MIN_CHROMIUM_VERSION is downgraded to WARN.
- "Try anyway" override: third button on the block screen opens an
  AlertDialog with an explicit risk acknowledgment (crashes, render
  failures, possible data loss). Confirming persists an override and
  relaunches the app. Hardened against tapjacking via
  filterTouchesWhenObscured on both the activity and dialog window.
- Override auto-clears once a healthy version is detected, so a future
  genuine block is not silently bypassed.

Also tightens the UA regex (drops the misleading Safari Version/X
fallback that always reads "4.0" and would falsely block) and adds
diagnostic logging gated by Log.isLoggable for field debugging.

Tests: 12 unit tests covering statusForVersion branches, all
applyOverrides paths, and parseMajorVersion edge cases.

Refs #7229

* fix(android): recover tracking after WebView cold start (#7390)

When the WebView is killed in the background (e.g. profile switch on
GrapheneOS) the JS-side state is lost on the next cold start, but the
native foreground tracking service keeps accumulating elapsed time. The
app previously discarded that elapsed time on cold start, leading to
silent data loss for the user.

Recovery flow:
- syncTrackingToService$ detects "no current task + native is tracking"
  on the first emission after hydration and emits a recovery request.
- syncOnResume$ does the same on warm resume.
- processRecovery$ drains requests with exhaustMap, coalescing concurrent
  triggers onto a single in-flight recovery.
- _doRecover syncs the native elapsed time onto the task and dispatches
  setCurrentId, restoring the JS-side tracking state.
- The null→task re-emission in syncTrackingToService$ then calls
  updateTrackingService instead of startTrackingService when native is
  already tracking the same task, preserving the just-reconciled native
  counter (Kotlin's startTracking otherwise resets accumulatedMs).

Supporting changes:
- onResume$ is now a ReplaySubject(1) so cold-start emissions delivered
  before the JS subscriber attaches are still received. The 4 existing
  consumers are idempotent native-queue drains and verified safe.
- parseNativeTrackingData extracted as a top-level pure function with
  shape validation; warning logs use a length-only fingerprint to avoid
  burning user content into the exportable log if the native contract
  ever changes.
- Diagnostic 'source' label ('cold-start' | 'resume') in the recovery
  log line for field triage of any future re-reports.

Tests: 12 unit tests for parseNativeTrackingData against the real
production code, plus 4 helper-level tests for the null→task transition
logic. The pipeline-level tests follow the file's existing pattern of
re-implementing logic due to the IS_ANDROID_WEB_VIEW gate.

Not addressed (out of scope, separate Kotlin work): write-side flush
reliability under aggressive OS kills (flushOnPause$ may not complete
before WebView termination). The recovery covers most cases by reading
the native counter as the source of truth.

* fix(sync): warn before destructive SYNC_IMPORT actions

Previously the 'Server Already Has Data' dialog described a destructive
SYNC_IMPORT as a 'merge' with a primary-colored 'Upload Local Data'
button — leading users to clobber syncing devices' data. The decrypt-
error 'Overwrite Remote' button had similarly understated copy and no
final confirmation gate.

- Rewrite D_SERVER_MIGRATION_CONFIRM body to call out 'overwrite' /
  'replace' / 'other devices'; affirmative button is now 'Replace
  Server Data' with color=warn.
- Rewrite D_DECRYPT_ERROR P3 + button label to make cross-device
  blast radius explicit.
- Gate updatePWAndForceUpload behind a confirmDialog with a stronger
  warning string.
- Add component spec for the migration dialog as a regression guard.

* fix(infra): close db-startup race in supersync e2e stack

pg_isready -U supersync without -d returned OK as soon as postgres
accepted connections to the default database, but during first-run
initdb the server briefly bounced while POSTGRES_DB was created.
supersync's prisma db push then race-failed with P1001.

- Healthcheck now runs psql -d supersync_db -c 'SELECT 1' so it only
  passes once the app's db is queryable.
- Dockerfile.test entrypoint retries prisma db push up to 15x before
  giving up — defense in depth if anything else ever races.

* chore(sync): instrument destructive-recovery paths for next incident

Adds read-only diagnostic logs at the four sites a sync-stuck incident
flows through, so the next occurrence is debuggable from a single log
file without forensic recovery:

- clean-slate.service: snapshot prior vector clock, count + opType
  breakdown of unsynced ops, syncImportReason — captured before any
  mutation
- sync-wrapper.service: forceUpload(triggerSource) typed union stamps
  which error class drove the user into destructive recovery
- remote-ops-processing.service: incoming full-state op shape +
  receiver's prior clock and unsynced-op tally about to be wiped
- credential-store.service: encryptKey state on every fresh disk load,
  length-redacted ([length=N] / [empty]) — surfaces the
  isEncryptionEnabled=true + empty-key smoking-gun signature

No behaviour change. Hot sync paths are untouched (full-state branch is
gated; load() short-circuits on cache). Existing redaction patterns
preserved — keys never logged in plaintext.

* fix(sync): apply incoming SYNC_IMPORT silently with no pending ops

Receiving clients with only already-synced data (no unsynced pending
changes) used to see a conflict dialog when an incoming SYNC_IMPORT
arrived. If the user picked USE_LOCAL — a natural reaction to "your
data may be lost" — forceUploadLocalState() re-uploaded the pre-import
state as a new SYNC_IMPORT, rolling back the import (e.g. encryption
change) for every device.

The originating device already gates the SYNC_IMPORT behind a strong
warning (D_SERVER_MIGRATION_CONFIRM, b761efd8). The receiving-side
dialog is now scoped to the case where unsynced pending user changes
would actually be lost; already-synced store data is no longer treated
as a conflict.

Switches the gate from _hasAnyMeaningfulData (pending OR store) to
_hasMeaningfulPendingOps (pending only) in both the download and
piggyback paths. Drops the now-redundant isEncryptionOnlyChange
short-circuit — under the new gate, PASSWORD_CHANGED SYNC_IMPORTs
without pending ops fall through to silent acceptance for free.

- New unit tests for the silent-accept path on both code paths
- New e2e regression guard (supersync-import-conflict-dialog) — fails
  if the gate ever reverts to including store contents
- supersync-scenarios.md D.1 / D.6 and the flowchart gate updated

* fix(infra): repair supersync test Dockerfile retry CMD

Two bugs in the prisma db push retry loop introduced in 81634a17f2:

1. Shell form CMD wraps the command in /bin/sh -c, so $(seq 1 15) was
   expanded by the outer shell into a multi-line value. Busybox's ash
   refuses `for i in 1\n2\n...\n15; do` with "expected do" and the
   container exited immediately. Switched to exec form so the inner
   sh -c does the expansion in unquoted context where word-splitting
   flattens the newlines.

2. After 15 failed attempts the loop's final exit status was the
   status of `sleep 2` (zero), so `&& node` would still launch the
   server against an unmigrated DB and surface as confusing Prisma
   errors at request time. Replaced break/&& with `exec node
   dist/src/index.js` on success so the loop cannot fall through,
   followed by an explicit exit 1 if the loop ends.

* refactor(sync): tighten SYNC_IMPORT gate naming and inline single-use helper

Inline _hasAnyMeaningfulData at its remaining caller (the snapshot/provider-
switch path) and rename _hasMeaningfulLocalData to _hasMeaningfulStoreData
for parallel naming with _hasMeaningfulPendingOps. Strengthen the silent-
accept piggyback test to assert kind === 'completed' rather than
\!== 'cancelled', and clarify the originating-device cross-reference in the
piggyback (D.6) doc and the IMPORT_CONFLICT diamond in the flowchart.

* test(e2e): use spinner cycle for SYNC_IMPORT silent-accept completion signal

Replace the syncCheckIcon-based completion race with a spinner visible→hidden
cycle. The check icon may be stale from a prior sync, which forced the test
to add a "wait for the new sync to start" guard; the spinner toggles per-sync
and is unambiguous. The conflict dialog still races against completion, so
the test fails fast if a regression brings the dialog back.

* test(schedule): bound safeFormatDate coverage for #7405

Parameterize the existing NG0701 regression spec across every
DateTimeLocales value to prove safeFormatDate handles any locale
a user could configure, and assert that 'en-us' itself never
triggers NG0701 (which would refute the #7405#7383 duplicate
diagnosis if the reporter's dateTimeLocale is 'en-us').

* fix(sync): flush pending writes before SYNC_IMPORT silent-apply gate

Without flushing first, an op captured in OperationCaptureService but not
yet drained to IndexedDB is invisible to getUnsynced(); the gate silently
accepts the import and SyncImportFilterService then discards the
just-landed op as CONCURRENT. Mirrors the upload-path flush.

* docs(sync): align SYNC_IMPORT scenarios with current gate semantics

Rename stale _hasMeaningfulLocalData() refs to _hasMeaningfulStoreData()
and remove the dead Encryption-only flowchart node — PASSWORD_CHANGED
SYNC_IMPORTs without pending ops now fall through the standard gate.

* feat(focusMode): simplify clock styles and improve for #7403

* feat(focusMode): always sync with tracking, add autoStartFocusOnPlay

Lifecycles between focus session and time tracking are now always
linked (pause↔pause, stop↔stop, resume↔resume). The
isSyncSessionWithTracking toggle is removed, which fixes #6731 by
construction (pause-focus now always stops tracking). A new opt-in
flag autoStartFocusOnPlay (default off) lets pressing the play
button on a task also spawn a focus session quietly — the workflow
asked for in #5737.

The settings form gets a two-tier layout: primary controls
(autoStartFocusOnPlay, focusModeSound) and a collapsed Advanced
section for isPauseTrackingDuringBreak, isStartInBackground,
isSkipPreparation, isManualBreakStart. The missing default for
isManualBreakStart is filled in.

Driven by discussion #6781 (~100% of polled Pomodoro+tracking users
want them synced). Design notes:
docs/plans/2026-04-29-focus-mode-time-tracking-sync.md. The
banner→dedicated indicator UI is deferred to a follow-up after the
community picks an anchor.

* feat(focusMode): replace session banner with focus-button countdown indicator

When a focus session is in flight and the rich overlay is closed, the
header focus button shows the inline countdown (with a small `#cycle`
prefix in Pomodoro mode). Clicking the button opens the overlay for
all other actions — pause/resume falls out naturally from the
play-button tracking sync, and skip-break / end-session are one extra
click away via the overlay.

The banner-based surface is removed entirely:
- BannerId.FocusMode and its priority entry are deleted.
- updateBanner$, _getBannerActions, and the banner-action helper
  methods (_handleStartAfterBreak, _handleStartAfterSessionComplete,
  _handlePlayPauseToggle, _handleSkipBreak, _handleEndSession,
  _handleOpenOverlay) are removed from FocusModeEffects.
- closeOverlay() in the overlay no longer spawns a banner — the
  focus-button indicator surfaces automatically when isOverlayShown
  flips to false.

Also fixes the priority-conflict raised in #6781 — focus-session
controls are no longer pre-empted by higher-priority banners
(TakeABreak, CalendarEvent, etc.).

* style: drop stray blank line in focus-mode.bug-5995 spec

* test(e2e): align focus-mode specs with banner-removal + always-sync

The focus-mode rework on this PR introduced three behavior changes that
broke nine existing e2e tests:

- Play button is now disabled until a task is current (sync between
  focus session and tracking is always on).
- The session/break banner surface was removed in favor of the header
  focus-button countdown indicator.
- The isSyncSessionWithTracking toggle no longer exists.

Updates:

- focus-mode-break.spec.ts: beforeEach now starts tracking the seeded
  task so the focus-mode play button is enabled.
- pomodoro-timer-sync-bug-5954.spec.ts: the two "no valid task" tests
  now assert the play button is disabled and the "select task to focus"
  placeholder is shown — the new prevention path replaces the
  showFocusOverlay-on-empty-task fix the original bug shipped.
- pomodoro-timer-sync-bug-5974.spec.ts: the close-overlay assertions
  now check focus-button .focus-running-label instead of <banner>.
- bug-5995-break-resume.spec.ts: skipped — the test exclusively
  exercised banner pause/resume of the break, which no longer exists.
  Break pause/resume from the in-overlay component is covered by the
  48 reducer + 14 component unit tests called out in
  focus-mode-break.spec.ts's existing note.

* test(focusMode): regression for #6731 — pause stops time tracking

Locks in the always-sync behavior promised by the rework: pause in the
focus overlay must clear the current task, even after the overlay is
closed. Without `syncSessionPauseToTracking$` firing this would regress
silently.

* feat(focusMode): migrate legacy isSyncSessionWithTracking flag

Existing users with isSyncSessionWithTracking: true relied on the play
button auto-spawning a focus session. Without a migration, dropping the
old flag would silently turn auto-spawn off for them. Backfill the new
autoStartFocusOnPlay opt-in from the legacy value during loadAllData and
strip the deprecated key from the resulting state.

Also fix stale comments in the bug-6575 spec referencing the removed flag.

* feat(focusMode): show focus-button on mobile while session is active

The header focus-button now doubles as the running-session indicator
(replacing the removed BannerId.FocusMode banner). On mobile it was
hidden to save space, leaving users with no surface to see or open a
running session after the overlay was closed. Surface it on mobile too
when a session/break is in flight; resting state on mobile is unchanged.

* chore(focusMode): drop dead isStartInBackground setting

Its only consumer (autoShowOverlay$) was removed in this rework, so the
checkbox in Advanced no longer affected anything — a footgun for users
who would toggle it expecting an effect. Remove from the form, default
config, translation key index, and en.json. Keep the field on the type
as @deprecated so old persisted configs still deserialize.

* fix(focusMode): migration ordering, paused-state indicator, dead SCSS

Issues caught in multi-agent review:

1. migrateFocusModeConfig was being called AFTER the default-spread, so
   `autoStartFocusOnPlay` was already `false` (from defaults) when the
   `?? \!\!isSyncSessionWithTracking` ran — the legacy `true` was always
   short-circuited away. Real persisted JSON never carries the new key.
   Run migration on the raw incoming config first, then merge defaults
   to backfill missing fields. Update the test fixture so the legacy key
   shape matches real persisted data (no explicit `undefined`); add a
   sanity check and a prototype-pollution defensive case.
   Switch the `in` check to `hasOwnProperty.call` for the same reason.
   Tighten the boolean coerce to `=== true` so a tampered non-bool
   (e.g. string from a hand-edited JSON) cannot flip the migration.

2. The header focus-button `circleVisible` and the new mobile
   `isFocusSessionActive` only counted running sessions/breaks. Pausing
   a focus session made the button vanish on mobile and go blank on
   desktop — the very failure mode the indicator was meant to fix.
   Include `isSessionPaused()` in both gates.

3. The `.focus-btn-wrapper` / `.focus-label` block in
   `main-header.component.scss` is dead code: `focus-button` is its own
   encapsulated component and already styles those classes. Remove.

* test(e2e): assert focus-button countdown stays visible while paused

Two changes:

1. Extend issue-6731 e2e to assert the header focus-button countdown is
   still visible after the user pauses + closes the overlay. This is
   the exact regression the previous commit fixed (paused work session
   used to make `circleVisible` go false, hiding the countdown).

2. Drop the stale "Sync focus sessions with time tracking (plural)"
   typo-verification test from bug-5974 — the label was removed in the
   focus-mode rework, the test was silently passing without asserting
   anything because of an `if (count > 0)` guard.

* test(focusMode): cover cycleLabel + autoStartFocusOnPlay end-to-end

Two new test files closing the highest-risk gaps the multi-agent review
flagged:

1. focus-button.component.spec.ts (unit, 9 cases): pin the cycleLabel
   contract — null for non-Pomodoro, current cycle for work, cycle-1 for
   break (the cycle that just finished), floor at 1, treat 0 as 1. Also
   add a regression guard for circleVisible covering the paused state
   so refactors of selectIsSessionPaused can't silently hide the
   countdown again.

2. auto-start-focus-on-play.spec.ts (e2e, 2 cases): the headline feature
   of the rework had no e2e — verify play→spawn happens with the opt-in
   on (and the overlay stays closed) and does NOT happen with the opt-in
   off (the default). Without this, refactors of
   syncTrackingStartToSession$ could break auto-spawn silently.

* fix(focusMode): restore _focusModeService injection lost in master merge

Master commit a5fb3c4a (#7404, "restore play button on mobile") reverted
the FocusModeService injection along with the isPlayButtonVisible logic
it was originally added for. After merging master into this branch,
isFocusSessionActive (added here for the mobile focus-button indicator)
referenced the deleted property, breaking the CI build with three
TS2339 errors at main-header.component.ts:168-170.

Re-add the import and the private readonly _focusModeService injection.
The need for it is now isolated to this PR's mobile-indicator computed,
not the reverted play-button logic.
2026-05-06 21:11:02 +02:00
Johannes Millan
28daf519fb feat(schedule): add week number and date range to nav header
Show "Week N · start – end" in week view and "Month YYYY" in month view,
right-aligned in the schedule nav bar. Move the week/month view toggle
out of main-header into the left of the schedule bar. Replace the "Now"
text button with a circle icon next to the chevrons, and disable prev
navigation when today is already in the displayed range.

- ISO 8601 week numbers via existing getWeekNumber util
- Parse day strings via parseDbDateStr to avoid UTC-midnight TZ skew
- Reuse existing T.F.WORKLOG.CMP.WEEK_NR / T.F.TODAY_TAG_TITLE keys
- Drop the duplicate month-title inside schedule-month; the shared nav
  now owns the label for both views
2026-04-21 21:50:52 +02:00
Johannes Millan
9eeded0845 feat(onboarding): add lightweight onboarding hints
Add onboarding hint UI with translations for all 27 languages.
2026-03-22 19:50:24 +01:00
Johannes Millan
c699fde21d chore: remove plan docs 2026-03-14 13:04:44 +01:00
Johannes Millan
9af096a39b docs: add deadline day banner implementation plan 2026-03-14 13:04:44 +01:00
Johannes Millan
0fedfab722 docs: add deadline day banner design 2026-03-14 13:04:44 +01:00
Johannes Millan
da63550459 docs: add task deadlines feature design
Design document for GitHub issue #4328. Covers data model (deadlineDay,
deadlineWithTime, deadlineRemindAt), UI placement in detail panel and
task list rows, NgRx actions/reducers, and reminder integration.
2026-03-14 13:04:44 +01:00
Johannes Millan
ec847ce897 fix(sync): use manual code entry for Dropbox auth on all platforms
- Force dialog to show input field instead of OAuth redirect spinner
- Remove platform-specific OAuth redirect URI logic
- Ensures reliable copy/paste auth flow on Android, web, and Electron
2026-01-24 21:14:57 +01:00
Johannes Millan
8931759745 docs(supersync): add CORS wildcard support design 2026-01-24 12:56:11 +01:00