chore: Update dev run

fix: restore build and stabilize E2E cross-signal behavior
Revert the automated member-ordering pass that broke Angular field init (TS2729) and disable that rule until a safe reorder strategy exists. Fix modal/confirm dialog i18n defaults via template fallbacks, search all active endpoints (including offline), register foreign rooms with actor owner IDs, sync profile display names from avatar summaries, and guard dm-chat when a private call converts to a group conversation. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-11 12:32:15 +02:00 · 2026-06-11 12:16:40 +02:00 · 2026-06-11 11:08:26 +02:00 · 2026-06-11 10:21:28 +02:00 · 2026-06-11 04:09:06 +02:00 · 2026-06-11 03:38:16 +02:00
153 changed files with 6936 additions and 596 deletions
--- a/.agents/skills/playwright-e2e/SKILL.md
+++ b/.agents/skills/playwright-e2e/SKILL.md
@@ -195,7 +195,7 @@ export class LoginPage {
 | ------------------- | ------------------ | ----------------------- |
 | `/login`            | `LoginPage`        | `LoginComponent`        |
 | `/register`         | `RegisterPage`     | `RegisterComponent`     |
-| `/search`           | `ServerSearchPage` | `ServerSearchComponent` |
+| `/servers`          | `FindServersPage`  | `FindServersComponent`  |
 | `/room/:roomId`     | `ChatRoomPage`     | `ChatRoomComponent`     |
 | `/settings`         | `SettingsPage`     | `SettingsComponent`     |
 | `/invite/:inviteId` | `InvitePage`       | `InviteComponent`       |
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -13,6 +13,7 @@ Reference on-demand (when the workflow triggers them — see `agents-docs/AGENT_
 - `agents-docs/AGENTS_CONTEXT.md` — contract for updating `CONTEXT.md` / `CONTEXT-MAP.md`
 - `agents-docs/AGENTS_ADRS.md` — contract for writing architecture decision records
 - `agents-docs/BUG_TRACKER.md` — Obsidian bug inbox location, allowed vault edits, and triage workflow
 When working in a subdomain, also read its `CONTEXT.md` first:
@@ -74,6 +75,7 @@ The product client already maintains per-domain READMEs under `toju-app/src/app/
 - **Feature docs:** `agents-docs/features/`
 - **Architecture decisions:** `agents-docs/adr/`
 - **Context map:** `agents-docs/CONTEXT-MAP.md`
 - **Obsidian bug tracker:** `agents-docs/BUG_TRACKER.md`
 - **Product-client domain:** `toju-app/CONTEXT.md`
 - **Desktop-shell domain:** `electron/CONTEXT.md`
 - **Server domain:** `server/CONTEXT.md`
--- a/agents-docs/BUG_TRACKER.md
+++ b/agents-docs/BUG_TRACKER.md
@@ -0,0 +1,90 @@
 # Obsidian Bug Tracker — Agent Contract
 User-maintained bug reports live outside the repo. Read this file when asked to triage, investigate, or work from the bug backlog.
 **Overrides** `agents-docs/AGENT_WORKFLOW.md` §8 (Autonomous Bug Fixing) unless the user explicitly asks you to fix a bug in code.
 ---
 ## Location
 | Item | Path |
 |------|------|
 | Bug inbox | `/home/ludde/Nextcloud/Obsidian Vault/Log/Bugs/` |
 | Attachments | `…/Bugs/attachments/<Bug title>/` |
 | Dashboard | `/home/ludde/Nextcloud/Obsidian Vault/Log/Create bug.md` |
 | Template | `/home/ludde/Nextcloud/Obsidian Vault/Log/Templates/Bug Report.md` |
 ---
 ## Allowed actions on vault files
 Unless the user explicitly asks for more:
 1. **Change `status`** in a bug note's YAML frontmatter (`Open` → `Resolved` or `Closed`).
 2. **Move files** (e.g. reorganize notes or attachments when instructed).
 Do **not** edit other vault fields or sections (`Investigation`, `Resolution`, description, etc.) unless the user asks.
 ---
 ## Allowed reads (unrestricted)
 To understand and solve bugs you may read freely:
 - All bug notes and attachments under `Log/Bugs/`
 - The full MetoYou repo (code, tests, logs, docs)
 - Runtime output, test results, and debug artifacts
 Investigation findings belong in chat or in repo changes — not in the vault — unless the user asks you to update the note.
 ---
 ## Bug note format
 Each note is Markdown with YAML frontmatter:
 ```yaml
 ---
 title: Bug - …
 type: bug
 status: Open          # Open | Resolved | Closed
 priority: Low | Medium | High | Critical
 severity: Low | Medium | High | Critical
 environment: …
 created: YYYY-MM-DD HH:mm
 tags: [bug]
 ---
 ```
 Body sections: **Description**, **Steps to Reproduce**, **Expected Result**, **Actual Result**, **Logs / Screenshots**, **Investigation**, **Resolution**.
 The dashboard (`Create bug.md`) uses Dataview; keep `type: bug` and `status` accurate so counts stay correct.
 ---
 ## Workflow
 1. List open bugs: `Glob` or `ls` on `…/Log/Bugs/*.md`, filter `status: Open`.
 2. Read the note and any linked attachments.
 3. Investigate in the repo (read-only toward the vault).
 4. Report findings to the user.
 5. Only when told to fix: implement in repo (TDD, lint, build per `AGENTS.md`).
 6. When a bug is done: update vault `status` to `Resolved` or `Closed` (and move files if the user specifies a convention).
 ---
 ## Open bugs (snapshot 2026-06-10)
 | Title | Priority | Environment |
 |-------|----------|-------------|
 | Attachments gets syncronized corrupt | Critical | All major clients |
 | Chats doesn't sync for multi client users | High | All |
 | No android app icon | High | Android |
 | No login screen mobile phone on startup | High | Android, Android Browser |
 | Fresh users have the server list in dashboard completely empty until anything searched | High | — |
 | Video attachment on android gets sent in the message bubble above with no preview image | High | Android |
 | Local files should be remembered by client | High | — |
 | Emojis should be user bound not client bound | Medium | All |
 Re-scan the folder at session start; this table is not auto-updated.
--- a/agents-docs/LESSONS.md
+++ b/agents-docs/LESSONS.md
@@ -25,6 +25,76 @@ Durable rules for AI agents working on this project. Read this file at session s
 ## Lessons
 ### Scope per-user UI state by user id, not by the client database [persistence] [multi-user] [custom-emoji]
 - **Trigger:** custom emoji "saved library" membership was a single `savedByUser` flag on the shared emoji row plus a long-lived singleton (`CustomEmojiService`) that merged state across logins — so a second account on the same client (and the Electron shared SQLite DB) inherited the first user's picker.
 - **Rule:** when state is "per signed-in user" but the asset/row store is shared (Electron `custom_emojis`, or a renderer singleton that survives logout), key the membership by user id in its own store (`localStorage` `metoyou_custom_emoji_saved:<userId>`, mirroring the existing per-user usage ranking) and rebuild it in `loadForUser`; never rely on a global row flag or assume the singleton was reset on logout.
 - **Why:** the browser already isolates rows per-user database, so the leak only reproduces in-session (no reload) and on Electron's shared DB — both invisible if you only test reloads; a row-level flag also can't represent two local users saving the same asset.
 - **Example:** `CustomEmojiService.resolveSavedIds(userId, emojis)` reads/seeds a per-user id set; e2e `e2e/tests/chat/custom-emoji-user-binding.spec.ts` runs the whole user switch in ONE page load (client-side router nav only) so the singleton-retention leak is actually exercised, and the second user *joins* the first user's server instead of creating one (in-session "create a second server" leaves `sourceId` empty and the submit disabled).
 ### Don't strand signed-out mobile users on a logged-out dashboard [auth] [mobile] [routing]
 - **Trigger:** `App.ngOnInit` special-cased mobile — signed-out visitors landing on `/` or `/dashboard` were kept on `/dashboard` (the "login form has no mobile chrome" rationale), so mobile users got a logged-out dashboard and never saw a login screen on startup.
 - **Rule:** decide startup routing for signed-out users with the platform-agnostic pure rule `resolveUnauthenticatedStartupRedirect(currentUrl)` (`auth-navigation.rules.ts`) — non-public routes → `/login` (with safe `returnUrl`), public routes (`/login`, `/register`, `/invite/...`) → stay; do not branch on `isMobile()` here.
 - **Why:** the mobile exception directly contradicted the product expectation ("greet signed-out users with the login screen"); the login form already links to register, so there is no dead-end to avoid.
 - **Example:** unit `auth-navigation.rules.spec.ts` (`resolveUnauthenticatedStartupRedirect('/dashboard') === { path:'/login', queryParams:{} }`); e2e `e2e/tests/mobile/mobile-login-on-startup.spec.ts` sets a 390×844 viewport **before** navigating (so `ViewportService.isMobile` is true at bootstrap) and asserts `/dashboard` and `/` both land on `/login`.
 ### "Shared from your device" must gate on local bytes, not uploader user id [attachments] [multi-device]
 - **Trigger:** a second device of the same user showed "Shared from your device" and hid the download affordance for a file uploaded from another device — `isUploader(attachment)` returned `uploaderPeerId === currentUserId`, but `uploaderPeerId` is the **user** id (set to `currentUser.id` in `publishAttachments`), so it is true on every device of the uploader, including ones that only synced metadata.
 - **Rule:** key the sharing/ownership UI off whether *this device* holds the bytes, not who uploaded it — use `isSharingFromThisDevice(attachment, currentUserId)` (= `isUploaderUser && deviceHasLocalCopy`) from `attachment-sharing.rules.ts`; `deviceHasLocalCopy` = `available` + blob `objectUrl`, or a non-empty `savedPath`/`filePath` (synced metadata strips local paths, so it correctly reads as "no copy").
 - **Why:** same-user devices do **not** P2P with each other and sync only via `account_sync` (which strips `filePath`/`savedPath`), so the second device legitimately has no bytes; claiming ownership blocked the only path to view/download. For the regression to even be reachable in e2e, `account_sync`'s `chat-sync-batch` had to start carrying the `attachments` map (it previously dropped attachment metadata entirely) via `pushSavedRoomMessagesViaAccountSync(..., loadAttachmentMetas)`.
 - **Example:** unit `attachment-sharing.rules.spec.ts` (`isSharingFromThisDevice({uploaderPeerId:'u1', available:false}, 'u1') === false`); e2e `e2e/tests/chat/multi-device-attachment-sharing.spec.ts` uploads on device A then logs device B in afterward so the `account_sync_peer_online` full-state push delivers the attachment, then asserts device B shows a Request button and **no** "Shared from your device".
 ### Generate Android brand icons from the source mark; guard against stock Capacitor placeholders [mobile] [android] [assets]
 - **Trigger:** the Android app shipped the default Ionic/Capacitor launcher icon (and a white adaptive background) because no brand icon was ever generated into `toju-app/android/app/src/main/res/`.
 - **Rule:** regenerate launcher + splash from `images/icon-new-rounded.png` with `npm run cap:assets:android` (`tools/generate-android-app-icons.mjs`, uses `sharp`), set the adaptive background to brand purple `#4A217A` (never `#FFFFFF`), and have the adaptive icon reference `@mipmap/ic_launcher_foreground` PNGs (delete the stock `drawable-v24/ic_launcher_foreground.xml` vector). `cap:sync` is not needed — these live in the native project, not `webDir`.
 - **Why:** a native launcher icon can't be asserted through a browser, so the regression proof is a hash guard: `mobile-android-launcher-icon.rules.ts` records the SHA-256 of every stock placeholder and the tests fail if any density still matches one. Pixel checks (purple ring + white-cat centre) confirm the brand mark actually rendered.
 - **Example:** `findStockCapacitorResources(hashByFile)` must return `[]`; unit `mobile-android-launcher-icon.rules.spec.ts` + e2e `e2e/tests/mobile/android-app-icon.spec.ts` (deterministic fs/pixel checks, no emulator).
 ### Bind chat attachments to a pre-allocated message id, never by matching content [attachments] [chat] [mobile]
 - **Trigger:** caption-less media (videos/images sent with no text) grouped onto the message bubble above and left an empty message below on Android — `ChatMessagesComponent` dispatched `sendMessage` without an id, then a `setTimeout` re-discovered the message by `entry.content === content` (always `''` for attachment-only sends) and called `publishAttachments` on it.
 - **Rule:** pre-allocate the message id in the component (`planChatMessageSend` in `chat-message-send.rules.ts`), dispatch it via `MessagesActions.sendMessage({ id, ... })` (effect uses `id ?? uuidv4()`), and bind attachments to that exact id with `publishAttachments(id, files)` — never re-find the message by content/timing.
 - **Why:** empty content is shared by every attachment-only message, so content matching picks the newest match and races the async create-effect; on Android the create latency exceeds the old 100 ms timer, so the file binds to a stale sibling. The race is invisible on fast desktop browsers, so the deterministic regression proof is the unit test that asserts the dispatched action id equals the attachment-binding id, not an e2e timing game (see the "don't bump E2E timeouts for sync flakes" lesson).
 - **Example:** `planChatMessageSend(...).attachmentBinding.messageId === plan.action.id` enforced in `chat-message-send.rules.spec.ts`; behavioral guard in `e2e/tests/chat/attachment-only-message-grouping.spec.ts` (proves the id flows component→effect→attachment by requiring each caption-less attachment to render in its own bubble).
 ### Attachment file persistence must be platform-agnostic, not Electron-only [attachments] [persistence] [mobile]
 - **Trigger:** `AttachmentStorageService` talked only to `window.electronAPI`, so `canWriteFiles()` returned `false` on Android (Capacitor) and in the browser — no bytes were ever persisted there, and after restart/logout-login the uploader hit "Your original upload could not be found on this device" / "no peer with this file".
 - **Rule:** keep the path/bucket layout in `AttachmentStorageService` but delegate raw IO to a pluggable `AttachmentFileStore` selected by `PlatformService` — Electron disk, Capacitor `Directory.Data` (lazy-loaded, inline media via `convertFileSrc`), and a per-user IndexedDB vfs for the browser with a finite `maxPersistableBytes` cap; gate transfer persistence on `canStreamToDisk()` / `canPersistSize()` so the cap degrades gracefully.
 - **Why:** the browser e2e harness can't test native disk, but the browser IndexedDB store is real persistence, so a single-client send → `page.reload()` → reopen-room test proves the whole persist/restore orchestration with no peer connected.
 - **Example:** `attachment-file-store.ts` + `{electron,browser,capacitor}-attachment-file-store.ts`; `e2e/tests/chat/local-attachment-persistence.spec.ts` waits for both byte records (vfs) **and** `attachments` records with `savedPath` (summed across all `metoyou`/`metoyou::<user>` DBs, since an empty anonymous-scope DB exists) before reloading.
 ### Never count duplicate chunks toward transfer progress, and never finalize on byte counters [attachments] [webrtc]
 - **Trigger:** P2P attachments arrived corrupt everywhere ("only the first bytes") because concurrent auto-download triggers double-requested a file, the sender streamed it twice, and the receiver counted duplicate chunk deliveries toward `receivedBytes` — inflating it past `size`, which both dropped the remaining chunks (post-Security guard) and passed the `receivedBytes >= size` finalize shortcut over a sparse buffer.
 - **Rule:** in chunked transfer receivers, ignore an already-buffered chunk index entirely (no progress update), use dense buffers, and finalize only when every chunk index is present — never use byte totals as an alternative completion signal; dedupe streams on the sender per `(messageId, fileId, peerId)`.
 - **Why:** byte counters lie as soon as any duplicate, retry, or concurrent stream exists, and sparse-array `every`/`some` skip holes, so "looks complete" checks silently pass on partial data (same trap as the custom-emoji sparse-array lesson).
 - **Example:** `handleFileChunk` / `finalizeTransferIfComplete` in `attachment-transfer.service.ts`; multi-chunk e2e coverage via `expectMessageImageContentSha256` in `e2e/tests/chat/chat-message-features.spec.ts` (single-chunk files cannot catch assembly bugs — test with >64 KiB payloads).
 ### Don't bump E2E timeouts for sync flakes - gate on presence and read server logs [testing] [realtime]
 - **Trigger:** a multi-client chat-sync E2E flaked on "message not visible" and the first instinct was to raise `toBeVisible` timeouts or add waits; the user correctly rejected this ("it's not a timeout issue").
 - **Rule:** when a cross-user E2E assertion flakes, first gate the assertion on an observable precondition (peer visible in the members panel), then diff the signaling-server logs of a passing vs failing run (`joined server`, `user_joined`, `user_left`, `Removing dead connection`) before touching any timeout.
 - **Why:** the flake was a server race — `identify` + `join_server` arriving in one TCP segment were processed concurrently, the join was dropped as unauthenticated, and room membership silently vanished; no timeout can fix a message that is never broadcast. Fixed by serializing per-connection message handling in `server/src/websocket/handler.ts`.
 - **Example:** failing run showed one `joined server` for Ludde then `user_left` on sibling-client close; passing run showed two. `expectServerPeerVisible(page, displayName)` in `e2e/helpers/multi-device-session.ts` is the presence gate.
 ### When renaming an Angular route, sweep every navigate/url-match/doc reference [routing]
 - **Trigger:** the find-servers route was renamed `/search` → `/servers` in `app.routes.ts`, but `servers-rail.component.ts` still called `router.navigate(['/search'])` (leave-server) and matched `startsWith('/search')` for the user-bar visibility signal, throwing `NG04002: 'search'` on leave and never showing the user-bar on the discovery page.
 - **Rule:** after changing a `path:` in `app.routes.ts`, grep the whole repo for the old literal (`/search`) across `*.ts`/`*.html` (router calls, `startsWith`/url-match signals) and docs (`docs-site`, `.agents/skills/playwright-e2e/SKILL.md` route tables, domain READMEs) and update them all in the same change.
 - **Why:** `router.navigate` to a non-existent path raises `NG04002` and aborts navigation, and stale `startsWith` matches silently break route-derived UI state — neither is caught by the build (string literals) and there was no `servers-rail` spec to catch it.
 - **Example:** fixed `isOnServers`/`router.navigate(['/servers'])` in `servers-rail.component.{ts,html}`; canonical post-leave/discovery route is `/servers` (`FindServersComponent`), matching `DashboardComponent`'s `router.navigate(['/servers'])`.
 ### Server discovery must fan out across all endpoints and self-heal on 404 — never hardcode a host capability blocklist [server-directory]
 - **Trigger:** the dashboard "Popular Servers" and `/servers` discovery view were empty for fresh users until they typed a search. The first fix added a static `DISCOVERY_UNSUPPORTED_HOSTS` blocklist (`signal.toju.app` / `signal-sweden.toju.app`) that short-circuited discovery to `[]`; the production hosts later shipped the `/featured` + `/trending` routes (verified `curl` → 200 with servers), so the stale blocklist kept blocking exactly the default endpoints a fresh account has while ungated search still surfaced them.
 - **Rule:** discovery (`getFeaturedServers`/`getTrendingServers`) must fan out across `getSearchableEndpoints()` with `forkJoin` + `deduplicateById` (mirroring all-endpoint search), and detect capability *at runtime* — on a `404` from `/api/servers/{featured,trending}`, fall back per-endpoint to the public `GET /api/servers` listing (`fetchPublicServerListForDiscovery`) instead of returning `[]`. Do not maintain a hardcoded list of hosts that "don't support" a route; it goes stale silently and the build can't catch it.
 - **Why:** legacy servers resolve `/featured` as `/servers/:id` and answer 404, so a 404→fallback keeps the default view populated everywhere without a blocklist; the empty-query view renders discovery sections (not search results), so any divergence between discovery and search makes it look broken while search works.
 - **Example:** `fetchDiscoveryFromEndpoint` + `fetchPublicServerListForDiscovery` in `server-directory-api.service.ts`; `e2e/tests/servers/server-discovery-default.spec.ts` proves a fresh account sees Popular Servers without searching AND that route-intercepting `/featured`+`/trending` to 404 still populates it via the fallback.
 ### Server registration needs `ownerPublicKey: oderId || id`, and must not be fire-and-forget [server-directory] [rooms]
 - **Trigger:** creating a server appeared to work (the creator landed in the room view) but the server didn't exist on the backend — invite-link creation and search both 404'd. `createRoom$` sent `ownerPublicKey: currentUser.oderId` with no fallback; on restored sessions `oderId` can be falsy (identify still works because it falls back to `id`), so `POST /api/servers` returned `400 Missing required fields`, and the `.subscribe()` swallowed the error while `createRoomSuccess` fired regardless.
--- a/agents-docs/features/authentication.md
+++ b/agents-docs/features/authentication.md
@@ -52,8 +52,9 @@ Require `Authorization: Bearer`:
 ```
 - `oderId` must match the token's user id when provided.
- `clientInstanceId` is a stable per-install UUID generated by the product client (`metoyou.clientInstanceId` in `localStorage`). The signaling server uses it to distinguish multiple WebSocket connections for the same user and to route voice ownership.
+- `clientInstanceId` is a stable per-tab UUID generated by the product client (`metoyou.clientInstanceId` in `sessionStorage`). The signaling server uses it to distinguish multiple WebSocket connections for the same user and to route voice ownership.
 - Server responds with `auth_error` or `auth_required` when authentication fails.
 - **Per-connection message ordering (invariant):** the server processes WebSocket messages for one connection strictly in arrival order (`handleWebSocketMessage` chains them per connection id). `identify` awaits a DB token lookup, and clients send `identify` + `join_server` back-to-back (often one TCP segment); concurrent handling let the join run mid-identify, get rejected as unauthenticated, and silently drop room membership — that connection then missed all `user_joined` / `chat_message` broadcasts (root cause of "chats don't sync for multi-client users").
 ## Multi-device sessions
@@ -62,6 +63,40 @@ Require `Authorization: Bearer`:
 - Voice/WebRTC is exclusive per user: only one `clientInstanceId` may own active voice at a time. Other connections show passive UI and can send `voice_client_takeover` to move voice to the local device.
 - Stale reconnect hygiene: when a client re-identifies with the same `(oderId, connectionScope, clientInstanceId)` tuple, the server closes the older socket for that tuple.
 ### Account-owned state sync (`account_sync`)
 When the same account is logged in on multiple devices, account-owned data is kept in sync through the signaling server:
 | Data | Mechanism |
 |---|---|
 | Server chat messages (live) | `chat_message` signaling relay (connection-scoped broadcast) **plus** `account_sync` `chat-message` / `message-revision` to sibling devices |
 | Server chat messages (catch-up) | `account_sync` `chat-sync-batch` pushed when a sibling device comes online (`account_sync_peer_online`); each batch carries its messages' **attachment metadata** (`attachments` map, local paths stripped) so sibling devices learn about synced attachments — they are then requestable/downloadable but never marked "Shared from your device" unless the bytes are local |
 | Voice / typing | Existing `voice_state` / `user_typing` relays |
 | Saved servers (join/leave) | `account_sync` payload `saved-room-sync` / `saved-room-remove` |
 | Profile avatar + card text | `account_sync` `user-avatar-full` + `user-avatar-chunk` |
 | Custom emoji library | `account_sync` `custom-emoji-full` + `custom-emoji-chunk` |
 | Friends list | `account_sync` `friend-added` / `friend-removed` |
 | Server icons, edits, reactions | `account_sync` relay of existing P2P broadcast event types |
 Client rules:
 - `broadcastMessage()` still fans out over peer data channels; relayable events are **also** wrapped in `account_sync` and sent on the WebSocket.
 - The server forwards `account_sync` to every other open connection for the same `oderId` via `notifyOtherConnectionsForOderId`.
 - Receivers ignore payloads whose `clientInstanceId` matches the local tab id.
 - When a new device identifies, the server notifies existing connections with `account_sync_peer_online`; those devices push a full snapshot (saved rooms, **room message history**, friends, profile, emoji library).
 WebSocket envelope:
 ```json
 {
  "type": "account_sync",
  "clientInstanceId": "<per-tab-uuid>",
  "payload": { "type": "saved-room-sync", "room": { "...": "..." } }
 }
 ```
 Server response to other connections includes `fromUserId` set to the sender's `oderId`.
 ## Client storage
 The product client stores tokens per signaling-server base URL in `localStorage` (`metoyou.authTokens`). An HTTP interceptor attaches the bearer token to `/api/*` requests targeting that server.
@@ -76,13 +111,16 @@ A per-install **provision secret** enables silent account creation on newly adde
 |---|---|---|
 | Home login/register | `authenticateUser` | Resets local state, stores home credential + provision secret |
 | Foreign login/register | `authorizeSignalServer` | Upserts credential for that URL only; home session unchanged |
-| Auto-provision | `SignalServerProvisionerService` | Registers or logs in on foreign server using provision secret; on username collision tries suffixed username (`alice-<homeUserIdPrefix>`) |
+| Auto-provision | `SignalServerProvisionerService` | Registers or logs in on foreign server using provision secret; on username collision tries suffixed username (`alice-<homeUserIdPrefix>`) and prefixes the display name with `#<homeUserIdPrefix> #<signalServerTag>` so same-name accounts stay distinguishable |
 | Create/join on foreign server | `RoomsEffects.createRoom$`, invite/join flows | `ensureCredentialForServerUrl` provisions (or reuses) the per-server session token first; REST/WebSocket calls use the **actor user id** for that signal URL, not the home registration id |
 | Foreign auth failure | `signalServerAuthFailed` | Clears that URL's credential and re-provisions when home token is still valid; global logout only when home server rejects auth |
 Authorize UI: `/login?mode=authorize&serverId=…&returnUrl=…` (also supported on `/register`). Settings → Network shows per-endpoint `Authorized` / `Needs sign-in` badges.
 Persisted local user state (`metoyou_currentUserId` + IndexedDB/SQLite profile) is **not** sufficient to use chat or presence. On startup, `loadCurrentUser$` requires a non-expired session token for the user's home signaling server (or any stored token as a fallback). Missing or rejected **home** tokens dispatch `SESSION_EXPIRED` and redirect to `/login`. Foreign-server `auth_required` / `auth_error` responses clear only that server's credential and attempt re-provision.
 Startup routing for signed-out visitors is decided by `resolveUnauthenticatedStartupRedirect(currentUrl)` (`auth-navigation.rules.ts`), called from `App.ngOnInit`: any non-public route is redirected to `/login` (carrying a safe `returnUrl`), while public routes (`/login`, `/register`, `/invite/...`) are left alone. This is **platform-agnostic** — mobile is intentionally not special-cased, so a signed-out mobile user is greeted with the login screen on startup rather than a logged-out `/dashboard`.
 ## Security considerations
 - Rate limits: login/register (100 / 15 min), server join (30 / min).
--- a/agents-docs/features/custom-emoji.md
+++ b/agents-docs/features/custom-emoji.md
@@ -19,7 +19,7 @@ Custom emoji lets users upload small image emoji, use them in chat messages and
 - **Custom emoji asset**: A user-created image stored as a data URL with id, name, mime, size, hash, creator, timestamps, and optional saved-library membership.
 - **Known custom emoji**: A synced asset available for message rendering and forwarding, but not shown in the current user's picker unless saved.
- **Saved custom emoji**: A known asset with `savedByUser` enabled; saved emoji appear in the picker and shortcut ranking.
+- **Saved custom emoji**: A known asset the current user added to their library; saved emoji appear in the picker and shortcut ranking. Library membership is **user-bound, not client-bound** — it is tracked per signed-in user (keyed by user id), so a second account on the same device never inherits the first account's library.
 - **Emoji shortcut row**: The seven most-used emoji entries for the current user plus an eighth control that opens the full selector.
 - **Custom emoji token**: The stable message/reaction representation `:emoji[id](name)`, resolved locally to the synced image asset when rendering.
 - **Composer emoji alias**: The readable inline draft representation `:name:`. The composer rewrites known aliases to stable custom emoji tokens only when sending.
@@ -40,6 +40,7 @@ When a peer connects, each side sends a summary of known assets. The receiver re
 - Uploads are capped at 1 MB.
 - Accepted image types match profile avatars: WebP, GIF, JPG, and JPEG.
 - Local shortcut ranking is keyed by the active user and includes Unicode emoji plus saved custom emoji only.
 - Saved-library membership is bound to the user, not the client: `CustomEmojiService` tracks the set of saved emoji ids per user id in `localStorage` (`metoyou_custom_emoji_saved:<userId>`, mirroring the per-user usage ranking). The picker shows only emoji in the active user's saved set, so signing in as a different account on the same client never exposes the previous account's library. On first load after this change the set is seeded from legacy `savedByUser` rows the user actually created (`creatorUserId === userId`), so creators keep their library while other local accounts stay empty.
 - Message rendering reserves inline emoji space with a transparent placeholder image while a referenced custom emoji asset is not yet available; deferred markdown placeholders rewrite tokens to readable `:name:` aliases so raw `:emoji[id](name)` text never flashes in chat.
 - Seen custom emoji are not added to the picker automatically; right-click a rendered custom emoji in chat or on a custom emoji reaction and choose **Add to emoji library** from the app context menu (`NativeContextMenuComponent`).
 - Saved custom emoji can be removed from the picker library by right-clicking them inside the emoji picker and choosing **Remove from emoji library**; the asset stays available for rendering messages that already reference it.
@@ -50,9 +51,9 @@ When a peer connects, each side sends a summary of known assets. The receiver re
 ## Data Access
- Browser runtime stores custom emoji in IndexedDB store `customEmojis`.
+- Browser runtime stores custom emoji image assets in IndexedDB store `customEmojis` (per-user database scope).
- Electron runtime stores custom emoji in SQLite table `custom_emojis`, created by migration `1000000000011-AddCustomEmojis`.
+- Electron runtime stores custom emoji image assets in SQLite table `custom_emojis`, created by migration `1000000000011-AddCustomEmojis` (a single shared desktop database).
- Renderer access goes through `DatabaseService` methods `saveCustomEmoji`, `getCustomEmojis`, and `deleteCustomEmoji`.
+- Renderer access goes through `DatabaseService` methods `saveCustomEmoji`, `getCustomEmojis`, and `deleteCustomEmoji`. These persist the image **assets** only; they are not scoped per user (the Electron table is shared across local accounts). Per-user **library membership** lives separately in `localStorage` (`metoyou_custom_emoji_saved:<userId>`), which is what keeps the picker user-bound even on a shared client database.
 ## Testing
--- a/agents-docs/features/mobile-capacitor.md
+++ b/agents-docs/features/mobile-capacitor.md
@@ -58,6 +58,28 @@ Optional `google-services.json` is not injected in CI; push registration in arti
 After dependency or plugin changes, run `npm run build:prod && npm run cap:sync` so native projects register `@capacitor/app`, `@capacitor-community/sqlite`, `@capawesome/capacitor-app-update`, push plugins, and `MetoyouMobile`.
 ## App icon & splash (Android brand assets)
 The Capacitor shell must ship the Toju brand mark, not the stock Ionic/Capacitor placeholder. Brand resources are generated from `images/icon-new-rounded.png` (circular cat-on-purple disc) into `toju-app/android/app/src/main/res/`:
 ```bash
 npm run cap:assets:android   # → tools/generate-android-app-icons.mjs (uses sharp)
 ```
 This produces, for every density (`mdpi … xxxhdpi`):
 - `mipmap-*/ic_launcher.png` + `ic_launcher_round.png` — legacy launcher bitmaps (the brand disc).
 - `mipmap-*/ic_launcher_foreground.png` — full-bleed adaptive foreground; the adaptive layers in `mipmap-anydpi-v26/ic_launcher*.xml` reference `@mipmap/ic_launcher_foreground` (the stock `drawable-v24/ic_launcher_foreground.xml` vector is removed).
 - `values/ic_launcher_background.xml` — adaptive background colour set to the **brand purple `#4A217A`**, not stock white.
 - `drawable*/splash.png` (port + land per density, plus the base) — brand mark centred on a purple field for the launch splash.
 Invariants are encoded in `toju-app/src/app/infrastructure/mobile/logic/mobile-android-launcher-icon.rules.ts` (required file set, brand background colour, and the SHA-256 of every stock Capacitor placeholder that must never reappear). Coverage:
 - Unit: `mobile-android-launcher-icon.rules.spec.ts` — asserts every density is present, no resource matches a stock placeholder hash, and the adaptive background is the brand purple.
 - E2E: `e2e/tests/mobile/android-app-icon.spec.ts` — same contract plus pixel checks (launcher ring is purple, centre is the white cat; splash corner is purple, centre is the cat). Deterministic; no emulator.
 Re-run `npm run cap:assets:android` whenever `images/icon-new-rounded.png` changes; `npm run cap:sync` is **not** needed (resources live in the native project, not `webDir`).
 ## Feature status
 | Feature | Status | Notes |
--- a/dev.sh
+++ b/dev.sh
@@ -21,13 +21,14 @@ if [ "$SSL" = "true" ]; then
  fi
  NG_SERVE="cd toju-app && npx ng serve --host=0.0.0.0 --ssl --ssl-cert=../.certs/localhost.crt --ssl-key=../.certs/localhost.key"
-  WAIT_URL="https://localhost:4200"
+  # Use 127.0.0.1 so wait-on does not hit a stale HTTP listener on localhost (::1).
-  HEALTH_URL="https://localhost:3001/api/health"
+  WAIT_URL="https://127.0.0.1:4200"
  HEALTH_URL="https://127.0.0.1:3001/api/health"
  export NODE_TLS_REJECT_UNAUTHORIZED=0
 else
  NG_SERVE="cd toju-app && npx ng serve --host=0.0.0.0"
-  WAIT_URL="http://localhost:4200"
+  WAIT_URL="http://127.0.0.1:4200"
-  HEALTH_URL="http://localhost:3001/api/health"
+  HEALTH_URL="http://127.0.0.1:3001/api/health"
 fi
 exec npx concurrently --kill-others \
--- a/docs-site/docs/developer/dom-structure.md
+++ b/docs-site/docs/developer/dom-structure.md
@@ -10,14 +10,20 @@ This page maps the app routes and important DOM areas. It is useful for plugin a
 | Route                        | Component                 | Purpose                                                               |
 | ---------------------------- | ------------------------- | --------------------------------------------------------------------- |
-| `/`                          | Redirect                  | Redirects to `/search`.                                               |
+| `/`                          | Redirect                  | Redirects to `/dashboard`.                                            |
 | `/login`                     | `LoginComponent`          | User login.                                                           |
 | `/register`                  | `RegisterComponent`       | User registration.                                                    |
 | `/invite/:inviteId`          | `InviteComponent`         | Resolve and accept invite links.                                      |
-| `/search`                    | `ServerSearchComponent`   | Search and join servers.                                              |
+| `/dashboard`                 | `DashboardComponent`      | Landing dashboard after sign-in.                                      |
 | `/people`                    | `FindPeopleComponent`     | Discover and start direct messages with people.                       |
 | `/servers`                   | `FindServersComponent`    | Search, discover, and join servers.                                   |
 | `/create-server`             | `CreateServerComponent`   | Create a new server.                                                  |
 | `/room/:roomId`              | `ChatRoomComponent`       | Main server page with text, voice, members, and plugin panels.        |
 | `/dm`                        | `DmWorkspaceComponent`    | Direct-message workspace.                                             |
 | `/dm/:conversationId`        | `DmWorkspaceComponent`    | A selected direct-message conversation.                               |
 | `/pm`                        | `DmWorkspaceComponent`    | Private-message workspace (alias of the DM workspace).                |
 | `/pm/:conversationId`        | `DmWorkspaceComponent`    | A selected private-message conversation.                              |
 | `/call/:callId`              | `PrivateCallComponent`    | Active private (1:1) call.                                            |
 | `/settings`                  | `SettingsComponent`       | App, voice, server, plugin, desktop, theme, local API settings.       |
 | `/plugin-store`              | `PluginStoreComponent`    | Browse plugin sources and install/update plugins.                     |
 | `/plugins/:pluginId/:pageId` | `PluginPageHostComponent` | Host for plugin app pages registered with `api.ui.registerAppPage()`. |
--- a/docs-site/docs/developer/llm-plugin-builder-guide.md
+++ b/docs-site/docs/developer/llm-plugin-builder-guide.md
@@ -124,7 +124,7 @@ Important routes:
 | Route                           | Purpose                                                             |
 | ------------------------------- | ------------------------------------------------------------------- |
-| `/search`                       | Search and join servers.                                            |
+| `/servers`                      | Search, discover, and join servers.                                 |
 | `/room/:roomId`                 | Main server workspace with text, voice, members, and plugin panels. |
 | `/dm` and `/dm/:conversationId` | Direct-message workspace.                                           |
 | `/settings`                     | App, voice, server, plugin, desktop, theme, and local API settings. |
--- a/e2e/helpers/multi-device-session.ts
+++ b/e2e/helpers/multi-device-session.ts
@@ -114,10 +114,84 @@ export async function expectCrossDeviceMessage(
 ): Promise<void> {
  await sender.sendMessage(message);
-  await expect.poll(async () => {
+  await expectSyncedMessage(receiver, message, timeout);
-    return await receiver.getMessageItemByText(message).isVisible()
+}
-      .catch(() => false);
+
-  }, { timeout }).toBe(true);
+/** Waits until a message sent elsewhere appears in the local chat history. */
 export async function expectSyncedMessage(
  receiver: ChatMessagesPage,
  message: string,
  timeout = 90_000
 ): Promise<void> {
  await receiver.waitForReady();
  await expect(receiver.getMessageItemByText(message)).toBeVisible({ timeout });
 }
 export async function expectSyncedMessageWithResync(
  page: Page,
  receiver: ChatMessagesPage,
  message: string,
  timeout = 60_000
 ): Promise<void> {
  await receiver.waitForReady();
  const alreadyVisible = await receiver.getMessageItemByText(message)
    .isVisible()
    .catch(() => false);
  if (!alreadyVisible) {
    await resyncChannelMessages(page);
  }
  await expect(receiver.getMessageItemByText(message)).toBeVisible({ timeout });
 }
 export async function resyncChannelMessages(page: Page, channelName = 'general'): Promise<void> {
  const channel = page.locator(`button[data-channel-type="text"][data-channel-name="${channelName}"]`).first();
  await expect(channel).toBeVisible({ timeout: 10_000 });
  await channel.click({ button: 'right' });
  await page.getByRole('button', { name: 'Resync Messages' }).click();
 }
 export async function closeClient(client: Client): Promise<void> {
  await client.context.close();
 }
 export async function registerGuestAndJoinServer(
  page: Page,
  credentials: MultiDeviceCredentials,
  serverName: string
 ): Promise<void> {
  const registerPage = new RegisterPage(page);
  await registerPage.goto();
  await registerPage.register(credentials.username, credentials.displayName, credentials.password);
  await expect(page).toHaveURL(/\/dashboard/, { timeout: 15_000 });
  const search = new ServerSearchPage(page);
  await search.joinServerFromSearch(serverName);
  await expect(page).toHaveURL(/\/room\//, { timeout: 20_000 });
  await expect(page.locator('app-rooms-side-panel').first()).toBeVisible({ timeout: 20_000 });
 }
 export async function reopenClientInServer(
  createClient: () => Promise<Client>,
  credentials: MultiDeviceCredentials,
  serverName: string
 ): Promise<{ client: Client; messages: ChatMessagesPage }> {
  const client = await createClient();
  await warmClientPage(client.page);
  await loginSecondDeviceIntoServer(client.page, credentials, serverName);
  const messages = new ChatMessagesPage(client.page);
  await messages.waitForReady();
  return { client, messages };
 }
 async function warmClientPage(page: Page): Promise<void> {
@@ -181,6 +255,25 @@ export function membersSidePanel(page: Page) {
  return page.locator('app-rooms-side-panel').last();
 }
 export function serverMemberRow(page: Page, displayName: string) {
  return membersSidePanel(page)
    .locator('[role="button"], button')
    .filter({ has: page.getByText(displayName, { exact: true }) })
    .first();
 }
 /**
 * Gates cross-user assertions on real presence: the peer must show up in the
 * members panel before chat delivery between the two users can be expected.
 */
 export async function expectServerPeerVisible(
  page: Page,
  displayName: string,
  timeout = 45_000
 ): Promise<void> {
  await expect(serverMemberRow(page, displayName)).toBeVisible({ timeout });
 }
 export function passiveVoiceChannelJoinBadge(page: Page, channelName = MULTI_DEVICE_VOICE_CHANNEL) {
  return page
    .locator(`button[data-channel-type="voice"][data-channel-name="${channelName}"]`)
--- a/e2e/helpers/webrtc-helpers.ts
+++ b/e2e/helpers/webrtc-helpers.ts
@@ -1,5 +1,16 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
 import { type BrowserContext, type Page } from '@playwright/test';
 import type { WebRtcTestHarnessWindow } from './webrtc-test-window.types';
 type RtcPeerConnectionArgs = ConstructorParameters<typeof RTCPeerConnection>;
 type AudioContextArgs = ConstructorParameters<typeof AudioContext>;
 interface ScreenShareMediaStream extends MediaStream {
  __isScreenShare?: boolean;
 }
 function webRtcHarnessWindow(scope: Window = window): WebRtcTestHarnessWindow {
  return scope as unknown as WebRtcTestHarnessWindow;
 }
 /**
 * Install RTCPeerConnection monkey-patch on a page BEFORE navigating.
@@ -21,11 +32,12 @@ export async function installWebRTCTracking(target: BrowserContext | Page): Prom
      source?: AudioScheduledSourceNode;
      drawIntervalId?: number;
    }[] = [];
    const harness = webRtcHarnessWindow();
-    (window as any).__rtcConnections = connections;
+    harness.__rtcConnections = connections;
-    (window as any).__rtcDataChannels = dataChannels;
+    harness.__rtcDataChannels = dataChannels;
-    (window as any).__rtcRemoteTracks = [] as { kind: string; id: string; readyState: string }[];
+    harness.__rtcRemoteTracks = [];
-    (window as any).__rtcSyntheticMediaResources = syntheticMediaResources;
+    harness.__rtcSyntheticMediaResources = syntheticMediaResources;
    const OriginalRTCPeerConnection = window.RTCPeerConnection;
    const trackDataChannel = (channel: RTCDataChannel) => {
@@ -36,7 +48,7 @@ export async function installWebRTCTracking(target: BrowserContext | Page): Prom
      dataChannels.push(channel);
    };
-    (window as any).RTCPeerConnection = function(this: RTCPeerConnection, ...args: any[]) {
+    harness.RTCPeerConnection = function(this: RTCPeerConnection, ...args: RtcPeerConnectionArgs) {
      const pc: RTCPeerConnection = new OriginalRTCPeerConnection(...args);
      const originalCreateDataChannel = pc.createDataChannel.bind(pc);
@@ -50,7 +62,7 @@ export async function installWebRTCTracking(target: BrowserContext | Page): Prom
      }) as RTCPeerConnection['createDataChannel'];
      pc.addEventListener('connectionstatechange', () => {
-        (window as any).__lastRtcState = pc.connectionState;
+        harness.__lastRtcState = pc.connectionState;
      });
      pc.addEventListener('datachannel', (event: RTCDataChannelEvent) => {
@@ -58,7 +70,7 @@ export async function installWebRTCTracking(target: BrowserContext | Page): Prom
      });
      pc.addEventListener('track', (event: RTCTrackEvent) => {
-        (window as any).__rtcRemoteTracks.push({
+        harness.__rtcRemoteTracks.push({
          kind: event.track.kind,
          id: event.track.id,
          readyState: event.track.readyState
@@ -66,10 +78,10 @@ export async function installWebRTCTracking(target: BrowserContext | Page): Prom
      });
      return pc;
-    } as any;
+    } as typeof RTCPeerConnection;
-    (window as any).RTCPeerConnection.prototype = OriginalRTCPeerConnection.prototype;
+    harness.RTCPeerConnection.prototype = OriginalRTCPeerConnection.prototype;
-    Object.setPrototypeOf((window as any).RTCPeerConnection, OriginalRTCPeerConnection);
+    Object.setPrototypeOf(harness.RTCPeerConnection, OriginalRTCPeerConnection);
    // Patch getDisplayMedia to return a synthetic screen share stream
    // (canvas-based video + 880Hz oscillator audio) so the browser
@@ -144,7 +156,7 @@ export async function installWebRTCTracking(target: BrowserContext | Page): Prom
      }, { once: true });
      // Tag the stream so tests can identify it
-      (resultStream as any).__isScreenShare = true;
+      (resultStream as ScreenShareMediaStream).__isScreenShare = true;
      return resultStream;
    };
@@ -169,11 +181,12 @@ export async function installWebRTCTracking(target: BrowserContext | Page): Prom
 export async function installAutoResumeAudioContext(page: Page): Promise<void> {
  await page.addInitScript(() => {
    const OrigAudioContext = window.AudioContext;
    const audioHarness = webRtcHarnessWindow();
-    (window as any).AudioContext = function(this: AudioContext, ...args: any[]) {
+    audioHarness.AudioContext = function(this: AudioContext, ...args: AudioContextArgs) {
      const ctx: AudioContext = new OrigAudioContext(...args);
      // Track all created AudioContexts for test diagnostics
-      const tracked = ((window as any).__trackedAudioContexts ??= []) as AudioContext[];
+      const tracked = audioHarness.__trackedAudioContexts ??= [];
      tracked.push(ctx);
@@ -189,16 +202,16 @@ export async function installAutoResumeAudioContext(page: Page): Promise<void> {
      });
      return ctx;
-    } as any;
+    } as typeof AudioContext;
-    (window as any).AudioContext.prototype = OrigAudioContext.prototype;
+    audioHarness.AudioContext.prototype = OrigAudioContext.prototype;
-    Object.setPrototypeOf((window as any).AudioContext, OrigAudioContext);
+    Object.setPrototypeOf(audioHarness.AudioContext, OrigAudioContext);
  });
 }
 export async function waitForPeerConnected(page: Page, timeout = 30_000): Promise<void> {
  await page.waitForFunction(
-    () => (window as any).__rtcConnections?.some(
+    () => webRtcHarnessWindow().__rtcConnections?.some(
      (pc: RTCPeerConnection) => pc.connectionState === 'connected'
    ) ?? false,
    undefined,
@@ -211,7 +224,7 @@ export async function waitForPeerConnected(page: Page, timeout = 30_000): Promis
 */
 export async function isPeerStillConnected(page: Page): Promise<boolean> {
  return page.evaluate(
-    () => (window as any).__rtcConnections?.some(
+    () => webRtcHarnessWindow().__rtcConnections?.some(
      (pc: RTCPeerConnection) => pc.connectionState === 'connected'
    ) ?? false
  );
@@ -220,7 +233,7 @@ export async function isPeerStillConnected(page: Page): Promise<boolean> {
 /** Returns the number of tracked peer connections in `connected` state. */
 export async function getConnectedPeerCount(page: Page): Promise<number> {
  return page.evaluate(
-    () => ((window as any).__rtcConnections as RTCPeerConnection[] | undefined)?.filter(
+    () => (webRtcHarnessWindow().__rtcConnections as RTCPeerConnection[] | undefined)?.filter(
      (pc) => pc.connectionState === 'connected'
    ).length ?? 0
  );
@@ -229,7 +242,7 @@ export async function getConnectedPeerCount(page: Page): Promise<number> {
 /** Wait until the expected number of peer connections are `connected`. */
 export async function waitForConnectedPeerCount(page: Page, expectedCount: number, timeout = 45_000): Promise<void> {
  await page.waitForFunction(
-    (count) => ((window as any).__rtcConnections as RTCPeerConnection[] | undefined)?.filter(
+    (count) => (webRtcHarnessWindow().__rtcConnections as RTCPeerConnection[] | undefined)?.filter(
      (pc) => pc.connectionState === 'connected'
    ).length === count,
    expectedCount,
@@ -240,7 +253,7 @@ export async function waitForConnectedPeerCount(page: Page, expectedCount: numbe
 /** Returns the number of tracked RTCDataChannels in the open state. */
 export async function getOpenDataChannelCount(page: Page): Promise<number> {
  return page.evaluate(
-    () => ((window as any).__rtcDataChannels as RTCDataChannel[] | undefined)?.filter(
+    () => (webRtcHarnessWindow().__rtcDataChannels as RTCDataChannel[] | undefined)?.filter(
      (channel) => channel.readyState === 'open'
    ).length ?? 0
  );
@@ -249,7 +262,7 @@ export async function getOpenDataChannelCount(page: Page): Promise<number> {
 /** Wait until the expected number of tracked RTCDataChannels are open. */
 export async function waitForOpenDataChannelCount(page: Page, expectedCount: number, timeout = 45_000): Promise<void> {
  await page.waitForFunction(
-    (count) => ((window as any).__rtcDataChannels as RTCDataChannel[] | undefined)?.filter(
+    (count) => (webRtcHarnessWindow().__rtcDataChannels as RTCDataChannel[] | undefined)?.filter(
      (channel) => channel.readyState === 'open'
    ).length === count,
    expectedCount,
@@ -260,7 +273,7 @@ export async function waitForOpenDataChannelCount(page: Page, expectedCount: num
 /** Close every currently-open RTCDataChannel and return how many were closed. */
 export async function closeOpenDataChannels(page: Page): Promise<number> {
  return page.evaluate(() => {
-    const channels = ((window as any).__rtcDataChannels as RTCDataChannel[] | undefined) ?? [];
+    const channels = (webRtcHarnessWindow().__rtcDataChannels as RTCDataChannel[] | undefined) ?? [];
    let closed = 0;
@@ -280,7 +293,7 @@ export async function closeOpenDataChannels(page: Page): Promise<number> {
 /** Dispatch a synthetic data-channel error event on each open channel. */
 export async function dispatchDataChannelErrors(page: Page): Promise<number> {
  return page.evaluate(() => {
-    const channels = ((window as any).__rtcDataChannels as RTCDataChannel[] | undefined) ?? [];
+    const channels = (webRtcHarnessWindow().__rtcDataChannels as RTCDataChannel[] | undefined) ?? [];
    let dispatched = 0;
@@ -341,7 +354,7 @@ interface PerPeerAudioStat {
 /** Get per-peer audio stats for every tracked RTCPeerConnection. */
 export async function getPerPeerAudioStats(page: Page): Promise<PerPeerAudioStat[]> {
  return page.evaluate(async () => {
-    const connections = (window as any).__rtcConnections as RTCPeerConnection[] | undefined;
+    const connections = webRtcHarnessWindow().__rtcConnections as RTCPeerConnection[] | undefined;
    if (!connections?.length) {
      return [];
@@ -358,7 +371,7 @@ export async function getPerPeerAudioStats(page: Page): Promise<PerPeerAudioStat
      try {
        const stats = await pc.getStats();
-        stats.forEach((report: any) => {
+        stats.forEach((report: RTCStats) => {
          const kind = report.kind ?? report.mediaType;
          if (report.type === 'outbound-rtp' && kind === 'audio') {
@@ -459,7 +472,7 @@ export async function getAudioStats(page: Page): Promise<{
  inbound: { bytesReceived: number; packetsReceived: number } | null;
 }> {
  return page.evaluate(async () => {
-    const connections = (window as any).__rtcConnections as RTCPeerConnection[] | undefined;
+    const connections = webRtcHarnessWindow().__rtcConnections as RTCPeerConnection[] | undefined;
    if (!connections?.length)
      return { outbound: null, inbound: null };
@@ -473,8 +486,8 @@ export async function getAudioStats(page: Page): Promise<{
      hasInbound: boolean;
    };
-    const hwm: Record<number, HWMEntry> = (window as any).__rtcStatsHWM =
+    const hwm: Record<number, HWMEntry> = webRtcHarnessWindow().__rtcStatsHWM =
-      ((window as any).__rtcStatsHWM as Record<number, HWMEntry> | undefined) ?? {};
+      (webRtcHarnessWindow().__rtcStatsHWM as Record<number, HWMEntry> | undefined) ?? {};
    for (let idx = 0; idx < connections.length; idx++) {
      let stats: RTCStatsReport;
@@ -492,7 +505,7 @@ export async function getAudioStats(page: Page): Promise<{
      let hasOut = false;
      let hasIn = false;
-      stats.forEach((report: any) => {
+      stats.forEach((report: RTCStats) => {
        const kind = report.kind ?? report.mediaType;
        if (report.type === 'outbound-rtp' && kind === 'audio') {
@@ -583,7 +596,7 @@ export async function getAudioStatsDelta(page: Page, durationMs = 3_000): Promis
 export async function waitForAudioStatsPresent(page: Page, timeout = 15_000): Promise<void> {
  await page.waitForFunction(
    async () => {
-      const connections = (window as any).__rtcConnections as RTCPeerConnection[] | undefined;
+      const connections = webRtcHarnessWindow().__rtcConnections as RTCPeerConnection[] | undefined;
      if (!connections?.length)
        return false;
@@ -600,7 +613,7 @@ export async function waitForAudioStatsPresent(page: Page, timeout = 15_000): Pr
        let hasOut = false;
        let hasIn = false;
-        stats.forEach((report: any) => {
+        stats.forEach((report: RTCStats) => {
          const kind = report.kind ?? report.mediaType;
          if (report.type === 'outbound-rtp' && kind === 'audio')
@@ -692,7 +705,7 @@ export async function getVideoStats(page: Page): Promise<{
  inbound: { bytesReceived: number; packetsReceived: number } | null;
 }> {
  return page.evaluate(async () => {
-    const connections = (window as any).__rtcConnections as RTCPeerConnection[] | undefined;
+    const connections = webRtcHarnessWindow().__rtcConnections as RTCPeerConnection[] | undefined;
    if (!connections?.length)
      return { outbound: null, inbound: null };
@@ -706,8 +719,8 @@ export async function getVideoStats(page: Page): Promise<{
      hasInbound: boolean;
    }
-    const hwm: Record<number, VHWM> = (window as any).__rtcVideoStatsHWM =
+    const hwm: Record<number, VHWM> = webRtcHarnessWindow().__rtcVideoStatsHWM =
-      ((window as any).__rtcVideoStatsHWM as Record<number, VHWM> | undefined) ?? {};
+      (webRtcHarnessWindow().__rtcVideoStatsHWM as Record<number, VHWM> | undefined) ?? {};
    for (let idx = 0; idx < connections.length; idx++) {
      let stats: RTCStatsReport;
@@ -725,7 +738,7 @@ export async function getVideoStats(page: Page): Promise<{
      let hasOut = false;
      let hasIn = false;
-      stats.forEach((report: any) => {
+      stats.forEach((report: RTCStats) => {
        const kind = report.kind ?? report.mediaType;
        if (report.type === 'outbound-rtp' && kind === 'video') {
@@ -791,7 +804,7 @@ export async function getVideoStats(page: Page): Promise<{
 export async function waitForVideoStatsPresent(page: Page, timeout = 15_000): Promise<void> {
  await page.waitForFunction(
    async () => {
-      const connections = (window as any).__rtcConnections as RTCPeerConnection[] | undefined;
+      const connections = webRtcHarnessWindow().__rtcConnections as RTCPeerConnection[] | undefined;
      if (!connections?.length)
        return false;
@@ -808,7 +821,7 @@ export async function waitForVideoStatsPresent(page: Page, timeout = 15_000): Pr
        let hasOut = false;
        let hasIn = false;
-        stats.forEach((report: any) => {
+        stats.forEach((report: RTCStats) => {
          const kind = report.kind ?? report.mediaType;
          if (report.type === 'outbound-rtp' && kind === 'video')
@@ -959,7 +972,7 @@ export async function waitForInboundVideoFlow(
 */
 export async function dumpRtcDiagnostics(page: Page): Promise<string> {
  return page.evaluate(async () => {
-    const conns = (window as any).__rtcConnections as RTCPeerConnection[] | undefined;
+    const conns = webRtcHarnessWindow().__rtcConnections as RTCPeerConnection[] | undefined;
    if (!conns?.length)
      return 'No connections tracked';
@@ -984,7 +997,7 @@ export async function dumpRtcDiagnostics(page: Page): Promise<string> {
      try {
        const stats = await pc.getStats();
-        stats.forEach((report: any) => {
+        stats.forEach((report: RTCStats) => {
          if (report.type !== 'outbound-rtp' && report.type !== 'inbound-rtp')
            return;
@@ -994,7 +1007,7 @@ export async function dumpRtcDiagnostics(page: Page): Promise<string> {
          lines.push(`  ${report.type}: kind=${kind}, bytes=${bytes}, packets=${packets}`);
        });
-      } catch (err: any) {
+      } catch (err: unknown) {
        lines.push(`  getStats() failed: ${err?.message ?? err}`);
      }
    }
--- a/e2e/helpers/webrtc-test-window.types.ts
+++ b/e2e/helpers/webrtc-test-window.types.ts
@@ -0,0 +1,28 @@
 export interface RtcRemoteTrackSnapshot {
  kind: string;
  id: string;
  readyState: string;
 }
 export interface RtcSyntheticMediaResource {
  audioCtx: AudioContext;
  source?: AudioScheduledSourceNode;
  drawIntervalId?: number;
 }
 export interface WebRtcTestHarnessWindow extends Window {
  __rtcConnections: RTCPeerConnection[];
  __rtcDataChannels: RTCDataChannel[];
  __rtcRemoteTracks: RtcRemoteTrackSnapshot[];
  __rtcSyntheticMediaResources: RtcSyntheticMediaResource[];
  __trackedAudioContexts?: AudioContext[];
  __rtcStatsHWM?: Record<number, Record<string, number | boolean>>;
  __rtcVideoStatsHWM?: Record<number, Record<string, number | boolean>>;
  __lastRtcState?: RTCPeerConnectionState;
  RTCPeerConnection: typeof RTCPeerConnection;
  AudioContext: typeof AudioContext;
 }
 export function getWebRtcTestHarnessWindow(): WebRtcTestHarnessWindow {
  return window as unknown as WebRtcTestHarnessWindow;
 }
--- a/e2e/pages/chat-messages.page.ts
+++ b/e2e/pages/chat-messages.page.ts
@@ -94,6 +94,25 @@ export class ChatMessagesPage {
    }, files);
  }
  /** Sends the currently-attached files with no text caption (attachment-only message). */
  async sendPendingAttachments(): Promise<void> {
    await this.waitForReady();
    await expect(this.sendButton).toBeEnabled({ timeout: 10_000 });
    await this.sendButton.click();
  }
  /** The message bubble that contains the rendered image with the given alt text. */
  getMessageItemContainingImage(altText: string): Locator {
    return this.messageItems.filter({
      has: this.page.locator(`img[alt="${altText}"]`)
    }).last();
  }
  /** Resolves the stable data-message-id of the bubble holding the given image. */
  async getMessageIdContainingImage(altText: string): Promise<string | null> {
    return this.getMessageItemContainingImage(altText).getAttribute('data-message-id');
  }
  async openGifPicker(): Promise<void> {
    await this.waitForReady();
    await this.gifButton.click();
@@ -132,6 +151,31 @@ export class ChatMessagesPage {
    }).toBe(true);
  }
  /** SHA-256 of the bytes currently served by the rendered chat image. */
  async getMessageImageSha256(altText: string): Promise<string> {
    const image = this.getMessageImageByAlt(altText);
    return image.evaluate(async (element) => {
      const img = element as HTMLImageElement;
      const response = await fetch(img.src);
      const buffer = await response.arrayBuffer();
      const digest = await crypto.subtle.digest('SHA-256', buffer);
      return [...new Uint8Array(digest)]
        .map((byte) => byte.toString(16).padStart(2, '0'))
        .join('');
    });
  }
  /** Asserts the rendered chat image is byte-identical to the sent file. */
  async expectMessageImageContentSha256(altText: string, expectedSha256: string): Promise<void> {
    await this.expectMessageImageLoaded(altText);
    await expect.poll(() => this.getMessageImageSha256(altText), {
      timeout: 30_000,
      message: `Image ${altText} should be received byte-identical (no truncated/corrupt transfer)`
    }).toBe(expectedSha256);
  }
  getEmbedCardByTitle(title: string): Locator {
    return this.page.locator('app-chat-link-embed').filter({
      has: this.page.getByText(title, { exact: true })
--- a/e2e/tests/chat/attachment-only-message-grouping.spec.ts
+++ b/e2e/tests/chat/attachment-only-message-grouping.spec.ts
@@ -0,0 +1,125 @@
 import {
  test,
  expect,
  type Client
 } from '../../fixtures/multi-client';
 import { RegisterPage } from '../../pages/register.page';
 import { ServerSearchPage } from '../../pages/server-search.page';
 import { ChatMessagesPage, type ChatDropFilePayload } from '../../pages/chat-messages.page';
 /**
 * Regression coverage for: "Video attachment on android gets sent in the
 * message bubble above with no preview image."
 *
 * Root cause was platform-agnostic: caption-less media was bound to a message
 * re-discovered by matching `content` (always '' for attachment-only sends),
 * which raced the async create-effect and grouped a second attachment onto the
 * previous bubble - leaving an empty message behind. The fix pre-allocates the
 * message id, dispatches it, and binds attachments to that exact id. This test
 * proves each caption-less attachment lands in its own bubble and renders.
 */
 test.describe('Attachment-only message grouping', () => {
  test.describe.configure({ timeout: 180_000 });
  test('each caption-less attachment keeps its own message bubble and preview', async ({ createClient }) => {
    const scenario = await createSingleClientChatScenario(createClient);
    const serverName = `Attachment Group ${uniqueName('srv')}`;
    const introText = `Intro line ${uniqueName('intro')}`;
    const firstImageName = `${uniqueName('first')}.svg`;
    const secondImageName = `${uniqueName('second')}.svg`;
    const firstImage = createSvgFilePayload(firstImageName);
    const secondImage = createSvgFilePayload(secondImageName);
    await test.step('Create a server and open its room', async () => {
      await scenario.search.createServer(serverName, { description: 'Attachment grouping regression server' });
      await expect(scenario.client.page).toHaveURL(/\/room\//, { timeout: 15_000 });
      await scenario.messages.waitForReady();
    });
    await test.step('Send a normal text message first', async () => {
      await scenario.messages.sendMessage(introText);
      await expect(scenario.messages.getMessageItemByText(introText)).toBeVisible({ timeout: 20_000 });
    });
    await test.step('Send two caption-less attachments back-to-back', async () => {
      // Fire them rapidly (no render wait between) to mirror the reported
      // rapid-upload repro and stress the message-create vs. attach ordering.
      await scenario.messages.attachFiles([firstImage]);
      await scenario.messages.sendPendingAttachments();
      await scenario.messages.attachFiles([secondImage]);
      await scenario.messages.sendPendingAttachments();
      await scenario.messages.expectMessageImageLoaded(firstImageName);
      await scenario.messages.expectMessageImageLoaded(secondImageName);
    });
    await test.step('Each attachment lives in its own bubble (no grouping, no blank message)', async () => {
      const firstMessageId = await scenario.messages.getMessageIdContainingImage(firstImageName);
      const secondMessageId = await scenario.messages.getMessageIdContainingImage(secondImageName);
      expect(firstMessageId).toBeTruthy();
      expect(secondMessageId).toBeTruthy();
      // The bug grouped both onto one bubble; distinct ids prove they did not.
      expect(firstMessageId).not.toBe(secondMessageId);
      // Exactly two bubbles carry an image, and neither carries both.
      await expect(scenario.messages.messageItems.filter({ has: scenario.client.page.locator('img[alt$=".svg"]') }))
        .toHaveCount(2, { timeout: 20_000 });
      await expect(scenario.messages.getMessageItemContainingImage(firstImageName).locator('img[alt$=".svg"]'))
        .toHaveCount(1);
      await expect(scenario.messages.getMessageItemContainingImage(secondImageName).locator('img[alt$=".svg"]'))
        .toHaveCount(1);
    });
  });
 });
 interface SingleClientChatScenario {
  client: Client;
  messages: ChatMessagesPage;
  search: ServerSearchPage;
 }
 async function createSingleClientChatScenario(createClient: () => Promise<Client>): Promise<SingleClientChatScenario> {
  const suffix = uniqueName('solo');
  const client = await createClient();
  const credentials = {
    username: `solo_${suffix}`,
    displayName: 'Solo',
    password: 'TestPass123!'
  };
  const registerPage = new RegisterPage(client.page);
  await registerPage.goto();
  await registerPage.register(credentials.username, credentials.displayName, credentials.password);
  await expect(client.page).toHaveURL(/\/dashboard/, { timeout: 15_000 });
  return {
    client,
    messages: new ChatMessagesPage(client.page),
    search: new ServerSearchPage(client.page)
  };
 }
 function createSvgFilePayload(name: string): ChatDropFilePayload {
  const markup = [
    '<svg xmlns="http://www.w3.org/2000/svg" width="160" height="120" viewBox="0 0 160 120">',
    '<rect width="160" height="120" rx="18" fill="#0f172a" />',
    '<circle cx="38" cy="36" r="18" fill="#38bdf8" />',
    `<text x="24" y="104" fill="#e2e8f0" font-size="12" font-family="Arial, sans-serif">${name}</text>`,
    '</svg>'
  ].join('');
  return {
    name,
    mimeType: 'image/svg+xml',
    base64: Buffer.from(markup, 'utf8').toString('base64')
  };
 }
 function uniqueName(prefix: string): string {
  return `${prefix}-${Date.now()}-${Math.random().toString(36)
    .slice(2, 8)}`;
 }
--- a/e2e/tests/chat/chat-message-features.spec.ts
+++ b/e2e/tests/chat/chat-message-features.spec.ts
@@ -1,3 +1,4 @@
 import { createHash, randomBytes } from 'node:crypto';
 import { type Page } from '@playwright/test';
 import {
  test,
@@ -182,6 +183,28 @@ test.describe('Chat messaging features', () => {
    });
  });
  test('syncs multi-chunk image attachments byte-identical between users', async ({ createClient }) => {
    const scenario = await createChatScenario(createClient);
    const imageName = `${uniqueName('photo')}.svg`;
    const imageCaption = `Large image upload ${uniqueName('caption')}`;
    // Several P2P file chunks (64 KiB each) - regression coverage for transfers
    // that previously finalized with only the first chunks received.
    const { payload, sha256 } = createMultiChunkImagePayload(imageName);
    await test.step('Alice sends a multi-chunk image attachment', async () => {
      await scenario.aliceMessages.attachFiles([payload]);
      await scenario.aliceMessages.sendMessage(imageCaption);
      await scenario.aliceMessages.expectMessageImageLoaded(imageName);
      await scenario.aliceMessages.expectMessageImageContentSha256(imageName, sha256);
    });
    await test.step('Bob receives the image fully and byte-identical', async () => {
      await expect(scenario.bobMessages.getMessageItemByText(imageCaption)).toBeVisible({ timeout: 20_000 });
      await scenario.bobMessages.expectMessageImageContentSha256(imageName, sha256);
    });
  });
  test('renders link embeds for shared links', async ({ createClient }) => {
    const scenario = await createChatScenario(createClient);
    const messageText = `Useful docs ${MOCK_EMBED_URL}`;
@@ -442,6 +465,24 @@ function createTextFilePayload(name: string, mimeType: string, content: string):
  };
 }
 function createMultiChunkImagePayload(name: string): { payload: ChatDropFilePayload; sha256: string } {
  // ~300 KB of XML-safe noise inside an SVG comment so the file spans
  // multiple 64 KiB P2P transfer chunks while remaining a renderable image.
  const noise = randomBytes(225_000).toString('base64');
  const markup = buildMockSvgMarkup(name).replace('</svg>', `<!-- ${noise} --></svg>`);
  const contentBuffer = Buffer.from(markup, 'utf8');
  return {
    payload: {
      name,
      mimeType: 'image/svg+xml',
      base64: contentBuffer.toString('base64')
    },
    sha256: createHash('sha256').update(contentBuffer)
      .digest('hex')
  };
 }
 function buildMockSvgMarkup(label: string): string {
  return [
    '<svg xmlns="http://www.w3.org/2000/svg" width="160" height="120" viewBox="0 0 160 120">',
--- a/e2e/tests/chat/custom-emoji-user-binding.spec.ts
+++ b/e2e/tests/chat/custom-emoji-user-binding.spec.ts
@@ -0,0 +1,204 @@
 import {
  test,
  expect,
  type Page
 } from '@playwright/test';
 import { test as multiClientTest } from '../../fixtures/multi-client';
 import { LoginPage } from '../../pages/login.page';
 import { RegisterPage } from '../../pages/register.page';
 import { ServerSearchPage } from '../../pages/server-search.page';
 import { ChatMessagesPage } from '../../pages/chat-messages.page';
 interface TestUser {
  username: string;
  displayName: string;
  password: string;
 }
 /**
 * Regression coverage for: "Emojis should be user bound not client bound".
 *
 * A custom emoji belongs to the user who saved it, not to the client. A second
 * account signing in on the same client must NOT inherit the first user's emoji
 * library/picker.
 *
 * The whole scenario runs in a SINGLE page load (only the very first navigation
 * reloads). All user switching is client-side via the router, because the leak
 * lived in the long-lived singleton CustomEmojiService that used to keep the
 * previous user's library after a logout + login without a reload. To avoid the
 * (separate) in-session "create a second server" limitation, the second user
 * joins the first user's server rather than creating their own.
 */
 // Minimal valid 1x1 transparent GIF; the emoji pipeline validates mime + size only.
 const TINY_GIF = Buffer.from(
  '47494638396101000100800000000000ffffff21f90401000000002c00000000010001000002024401003b',
  'hex'
 );
 multiClientTest.describe('Custom emoji are user bound, not client bound', () => {
  multiClientTest.describe.configure({ timeout: 180_000 });
  multiClientTest('a second user on the same client does not inherit the first user library', async ({ createClient }) => {
    const { page } = await createClient();
    const suffix = uniqueName('emoji-bound');
    const alice: TestUser = { username: `alice_${suffix}`, displayName: 'Alice', password: 'TestPass123!' };
    const bob: TestUser = { username: `bob_${suffix}`, displayName: 'Bob', password: 'TestPass123!' };
    const serverName = `Shared Emoji Server ${suffix}`;
    const libraryEmoji = page.locator('app-custom-emoji-picker [data-custom-emoji-library]');
    await test.step('Alice registers, creates a server and uploads a custom emoji', async () => {
      await new RegisterPage(page).goto();
      await submitRegistration(page, alice);
      await expect(page).toHaveURL(/\/dashboard/, { timeout: 15_000 });
      await createServer(page, serverName);
      await openComposerEmojiModal(page);
      await page.locator('app-custom-emoji-picker input[type="file"]').setInputFiles({
        name: `partyblob_${suffix}.gif`,
        mimeType: 'image/gif',
        buffer: TINY_GIF
      });
    });
    await test.step('Alice sees her own uploaded emoji in her library', async () => {
      await openComposerEmojiModal(page);
      await expect(libraryEmoji).toHaveCount(1, { timeout: 15_000 });
      await page.keyboard.press('Escape');
    });
    await test.step('Bob signs in on the same client (no reload) and joins the same server', async () => {
      await logoutClientSide(page);
      await registerClientSide(page, bob);
      await joinServerClientSide(page, serverName);
    });
    await test.step('Bob does not inherit Alice custom emoji library', async () => {
      await openComposerEmojiModal(page);
      // The modal is open (the file input is asserted inside the helper), so an
      // empty grid is a genuine assertion rather than a timing artifact.
      await expect(libraryEmoji).toHaveCount(0);
    });
  });
 });
 async function createServer(page: Page, serverName: string): Promise<void> {
  const searchPage = new ServerSearchPage(page);
  await expect(searchPage.createServerButton).toBeVisible({ timeout: 15_000 });
  await searchPage.createServerButton.click();
  await expect(searchPage.serverNameInput).toBeVisible({ timeout: 15_000 });
  // Client-side nav can render the form before its `(ngModelChange)` handler is
  // wired, so an early fill never reaches the backing signal. Clear + refill
  // until the submit button actually enables.
  await expect.poll(async () => {
    await searchPage.serverNameInput.fill('');
    await searchPage.serverNameInput.fill(serverName);
    return searchPage.createSubmitButton.isEnabled();
  }, { timeout: 15_000 }).toBe(true);
  await searchPage.createSubmitButton.click();
  await expect(page).toHaveURL(/\/room\//, { timeout: 20_000 });
  await new ChatMessagesPage(page).waitForReady();
 }
 async function joinServerClientSide(page: Page, serverName: string): Promise<void> {
  const searchPage = new ServerSearchPage(page);
  await page.locator('a[href="/servers"]').first()
    .click();
  await expect(searchPage.searchInput).toBeVisible({ timeout: 15_000 });
  await searchPage.searchInput.fill(serverName);
  const serverCard = page.locator('div[title]', { hasText: serverName }).first();
  await expect(serverCard).toBeVisible({ timeout: 20_000 });
  await serverCard.dblclick();
  await expect(page).toHaveURL(/\/room\//, { timeout: 20_000 });
  await new ChatMessagesPage(page).waitForReady();
 }
 async function openComposerEmojiModal(page: Page): Promise<void> {
  const picker = page.locator('app-custom-emoji-picker');
  const fileInput = picker.locator('input[type="file"]');
  // Reset to a known state: dismiss any open picker, then open it fresh.
  await page.keyboard.press('Escape').catch(() => {});
  await expect(picker).toHaveCount(0, { timeout: 5_000 })
    .catch(() => {});
  await page.locator('app-chat-message-composer')
    .getByRole('button', { name: 'Open emoji selector' })
    .first()
    .click();
  await expect(picker).toBeVisible({ timeout: 10_000 });
  // The compact picker exposes a button that opens the full panel (with the
  // upload field and the custom-emoji grid).
  await picker.getByRole('button', { name: 'Open emoji selector' }).click();
  await expect(fileInput).toBeAttached({ timeout: 10_000 });
 }
 async function registerClientSide(page: Page, user: TestUser): Promise<void> {
  const loginPage = new LoginPage(page);
  const registerPage = new RegisterPage(page);
  await expect(loginPage.registerLink).toBeVisible({ timeout: 15_000 });
  await loginPage.registerLink.click();
  await expect(registerPage.usernameInput).toBeVisible({ timeout: 15_000 });
  await submitRegistration(page, user);
  await expect(page).toHaveURL(/\/dashboard/, { timeout: 15_000 });
 }
 /**
 * Fills the registration form resiliently. On client-side navigation the
 * template-driven `ngModel` can attach a tick after the input is visible, so an
 * early `fill` is overwritten back to empty. Re-fill until every value sticks.
 */
 async function submitRegistration(page: Page, user: TestUser): Promise<void> {
  const username = page.locator('#register-username');
  const displayName = page.locator('#register-display-name');
  const password = page.locator('#register-password');
  await expect.poll(async () => {
    await username.fill(user.username);
    await displayName.fill(user.displayName);
    await password.fill(user.password);
    return [
      await username.inputValue(),
      await displayName.inputValue(),
      await password.inputValue()
    ].join('|');
  }, { timeout: 15_000 }).toBe([
    user.username,
    user.displayName,
    user.password
  ].join('|'));
  await page.getByRole('button', { name: 'Create Account' }).click();
 }
 async function logoutClientSide(page: Page): Promise<void> {
  const menuButton = page.getByRole('button', { name: 'Menu' });
  const logoutButton = page.getByRole('button', { name: 'Logout' });
  await expect(menuButton).toBeVisible({ timeout: 10_000 });
  await menuButton.click();
  await expect(logoutButton).toBeVisible({ timeout: 10_000 });
  await logoutButton.click();
  await expect(page).toHaveURL(/\/login/, { timeout: 15_000 });
  await expect(new LoginPage(page).usernameInput).toBeVisible({ timeout: 10_000 });
 }
 function uniqueName(prefix: string): string {
  return `${prefix}-${Date.now().toString(36)}-${Math.random().toString(36)
    .slice(2, 8)}`;
 }
--- a/e2e/tests/chat/local-attachment-persistence.spec.ts
+++ b/e2e/tests/chat/local-attachment-persistence.spec.ts
@@ -0,0 +1,244 @@
 import { type Page } from '@playwright/test';
 import {
  test,
  expect,
  type Client
 } from '../../fixtures/multi-client';
 import { RegisterPage } from '../../pages/register.page';
 import { ServerSearchPage } from '../../pages/server-search.page';
 import { ChatRoomPage } from '../../pages/chat-room.page';
 import { ChatMessagesPage, type ChatDropFilePayload } from '../../pages/chat-messages.page';
 const UPLOADER_LOCAL_MISSING_TEXT = 'Your original upload could not be found on this device';
 test.describe('Local attachment persistence', () => {
  test.describe.configure({ timeout: 180_000 });
  test('remembers sent image and file across a page reload with no peer connected', async ({ createClient }) => {
    const scenario = await createSingleClientChatScenario(createClient);
    const serverName = `Persist Server ${uniqueName('persist')}`;
    const imageName = `${uniqueName('diagram')}.svg`;
    const fileName = `${uniqueName('notes')}.txt`;
    const imageCaption = `Persisted image ${uniqueName('caption')}`;
    const fileCaption = `Persisted file ${uniqueName('caption')}`;
    const imageAttachment = createTextFilePayload(imageName, 'image/svg+xml', buildMockSvgMarkup(imageName));
    const fileAttachment = createTextFilePayload(fileName, 'text/plain', `Attachment body for ${fileName}`);
    await test.step('Create a server and open its room', async () => {
      await createServerAndOpenRoom(scenario.search, scenario.client.page, serverName, 'Local attachment persistence server');
    });
    await test.step('Send an image and a generic file attachment', async () => {
      await scenario.messages.attachFiles([imageAttachment]);
      await scenario.messages.sendMessage(imageCaption);
      await scenario.messages.expectMessageImageLoaded(imageName);
      await scenario.messages.attachFiles([fileAttachment]);
      await scenario.messages.sendMessage(fileCaption);
      await expect(scenario.client.page.getByText(fileName, { exact: false })).toBeVisible({ timeout: 20_000 });
    });
    await test.step('Wait for both attachments to be persisted locally', async () => {
      await waitForPersistedAttachmentBytes(scenario.client.page, 2);
      await waitForPersistedAttachmentRecords(scenario.client.page, 2);
    });
    await test.step('Reload the page to simulate an application restart', async () => {
      await scenario.client.page.reload();
      await expect(scenario.client.page).toHaveURL(/\/(room|dashboard)/, { timeout: 30_000 });
      await openSavedRoomByName(scenario.client.page, serverName);
      await expect(scenario.messages.getMessageItemByText(imageCaption)).toBeVisible({ timeout: 20_000 });
    });
    await test.step('The image still renders from local storage with no peer', async () => {
      await scenario.messages.expectMessageImageLoaded(imageName);
      await expect(scenario.client.page.getByText(UPLOADER_LOCAL_MISSING_TEXT, { exact: false })).toHaveCount(0);
    });
    await test.step('The generic file is still remembered with no missing-upload error', async () => {
      await expect(scenario.messages.getMessageItemByText(fileCaption)).toBeVisible({ timeout: 20_000 });
      await expect(scenario.client.page.getByText(fileName, { exact: false })).toBeVisible({ timeout: 20_000 });
      await expect(scenario.client.page.getByText(UPLOADER_LOCAL_MISSING_TEXT, { exact: false })).toHaveCount(0);
    });
  });
 });
 interface SingleClientChatScenario {
  client: Client;
  messages: ChatMessagesPage;
  room: ChatRoomPage;
  search: ServerSearchPage;
 }
 async function createSingleClientChatScenario(createClient: () => Promise<Client>): Promise<SingleClientChatScenario> {
  const suffix = uniqueName('solo');
  const client = await createClient();
  const credentials = {
    username: `solo_${suffix}`,
    displayName: 'Solo',
    password: 'TestPass123!'
  };
  const registerPage = new RegisterPage(client.page);
  await registerPage.goto();
  await registerPage.register(
    credentials.username,
    credentials.displayName,
    credentials.password
  );
  await expect(client.page).toHaveURL(/\/dashboard/, { timeout: 15_000 });
  return {
    client,
    messages: new ChatMessagesPage(client.page),
    room: new ChatRoomPage(client.page),
    search: new ServerSearchPage(client.page)
  };
 }
 async function createServerAndOpenRoom(
  searchPage: ServerSearchPage,
  page: Page,
  serverName: string,
  description: string
 ): Promise<void> {
  await searchPage.createServer(serverName, { description });
  await expect(page).toHaveURL(/\/room\//, { timeout: 15_000 });
  await waitForCurrentRoomName(page, serverName);
 }
 async function openSavedRoomByName(page: Page, roomName: string): Promise<void> {
  const roomButton = page.locator(`button[title="${roomName}"]`);
  await expect(roomButton).toBeVisible({ timeout: 20_000 });
  await roomButton.click();
  await expect(page).toHaveURL(/\/room\//, { timeout: 20_000 });
  await expect(page.locator('app-rooms-side-panel').first()).toBeVisible({ timeout: 20_000 });
  await waitForCurrentRoomName(page, roomName);
 }
 async function waitForCurrentRoomName(page: Page, roomName: string, timeout = 20_000): Promise<void> {
  await page.waitForFunction(
    (expectedRoomName) => {
      interface RoomShape { name?: string }
      interface AngularDebugApi {
        getComponent: (element: Element) => Record<string, unknown>;
      }
      const host = document.querySelector('app-rooms-side-panel');
      const debugApi = (window as { ng?: AngularDebugApi }).ng;
      if (!host || !debugApi?.getComponent) {
        return false;
      }
      const component = debugApi.getComponent(host);
      const currentRoom = (component['currentRoom'] as (() => RoomShape | null) | undefined)?.() ?? null;
      return currentRoom?.name === expectedRoomName;
    },
    roomName,
    { timeout }
  );
 }
 interface CountOptions {
  databaseRole: 'attachment-files' | 'app';
  storeName: string;
  requireSavedPath: boolean;
 }
 /** Counts records in the first matching IndexedDB store, optionally requiring a savedPath. */
 async function countIndexedDbRecords(page: Page, options: CountOptions): Promise<number> {
  return page.evaluate(async (countOptions: CountOptions) => {
    if (typeof indexedDB.databases !== 'function') {
      return 0;
    }
    const databases = await indexedDB.databases();
    const matchingNames = databases
      .map((entry) => entry.name ?? '')
      .filter((name) => (countOptions.databaseRole === 'attachment-files'
        ? name.startsWith('metoyou-attachment-files')
        : name === 'metoyou' || name.startsWith('metoyou::')));
    const countInDatabase = (databaseName: string): Promise<number> => new Promise<number>((resolve) => {
      const request = indexedDB.open(databaseName);
      request.onerror = () => resolve(0);
      request.onsuccess = () => {
        const database = request.result;
        if (!database.objectStoreNames.contains(countOptions.storeName)) {
          database.close();
          resolve(0);
          return;
        }
        const getAll = database.transaction(countOptions.storeName, 'readonly')
          .objectStore(countOptions.storeName)
          .getAll();
        getAll.onsuccess = () => {
          const records = (getAll.result as { savedPath?: string }[]) ?? [];
          const matching = countOptions.requireSavedPath
            ? records.filter((record) => !!record.savedPath)
            : records;
          resolve(matching.length);
          database.close();
        };
        getAll.onerror = () => {
          resolve(0);
          database.close();
        };
      };
    });
    const counts = await Promise.all(matchingNames.map(countInDatabase));
    return counts.reduce((total, count) => total + count, 0);
  }, options);
 }
 /** Polls until at least `minCount` attachment byte records exist in the browser file store. */
 async function waitForPersistedAttachmentBytes(page: Page, minCount: number): Promise<void> {
  await expect.poll(
    async () => countIndexedDbRecords(page, { databaseRole: 'attachment-files', storeName: 'files', requireSavedPath: false }),
    { timeout: 20_000, message: 'attachment bytes should persist to IndexedDB before reload' }
  ).toBeGreaterThanOrEqual(minCount);
 }
 /** Polls until at least `minCount` attachment metadata records with a savedPath exist in the app database. */
 async function waitForPersistedAttachmentRecords(page: Page, minCount: number): Promise<void> {
  await expect.poll(
    async () => countIndexedDbRecords(page, { databaseRole: 'app', storeName: 'attachments', requireSavedPath: true }),
    { timeout: 20_000, message: 'attachment metadata with savedPath should persist before reload' }
  ).toBeGreaterThanOrEqual(minCount);
 }
 function createTextFilePayload(name: string, mimeType: string, content: string): ChatDropFilePayload {
  return {
    name,
    mimeType,
    base64: Buffer.from(content, 'utf8').toString('base64')
  };
 }
 function buildMockSvgMarkup(label: string): string {
  return [
    '<svg xmlns="http://www.w3.org/2000/svg" width="160" height="120" viewBox="0 0 160 120">',
    '<rect width="160" height="120" rx="18" fill="#0f172a" />',
    '<circle cx="38" cy="36" r="18" fill="#38bdf8" />',
    '<rect x="66" y="28" width="64" height="16" rx="8" fill="#f8fafc" />',
    '<rect x="24" y="74" width="112" height="12" rx="6" fill="#22c55e" />',
    `<text x="24" y="104" fill="#e2e8f0" font-size="12" font-family="Arial, sans-serif">${label}</text>`,
    '</svg>'
  ].join('');
 }
 function uniqueName(prefix: string): string {
  return `${prefix}-${Date.now()}-${Math.random().toString(36)
    .slice(2, 8)}`;
 }
--- a/e2e/tests/chat/multi-client-chat-sync.spec.ts
+++ b/e2e/tests/chat/multi-client-chat-sync.spec.ts
@@ -0,0 +1,176 @@
 import { test, expect } from '../../fixtures/multi-client';
 import { RegisterPage } from '../../pages/register.page';
 import { ServerSearchPage } from '../../pages/server-search.page';
 import { ChatMessagesPage } from '../../pages/chat-messages.page';
 import {
  MULTI_DEVICE_PASSWORD,
  closeClient,
  expectCrossDeviceMessage,
  expectSyncedMessage,
  expectSyncedMessageWithResync,
  expectServerPeerVisible,
  loginSecondDeviceIntoServer,
  reopenClientInServer,
  uniqueMultiDeviceName
 } from '../../helpers/multi-device-session';
 test.describe('Multi-client chat sync', () => {
  test.describe.configure({ timeout: 360_000, retries: 1 });
  test('syncs messages between same-user devices and late-joining users after offline gaps', async ({ createClient }) => {
    const suffix = uniqueMultiDeviceName('multi-chat-sync');
    const hostCredentials = {
      username: `ludde_${suffix}`,
      displayName: 'Ludde',
      password: MULTI_DEVICE_PASSWORD
    };
    const guestCredentials = {
      username: `azaaxin_${suffix}`,
      displayName: 'Azaaxin',
      password: MULTI_DEVICE_PASSWORD
    };
    const serverName = `Multi Client Chat Sync ${suffix}`;
    const sharedBaselineMessage = `Shared baseline ${suffix}`;
    const soloHostMessage = `Solo host message ${suffix}`;
    const liveGuestProbeMessage = `Live guest probe ${suffix}`;
    const offlineGapMessage = `Offline gap message ${suffix}`;
    const client1 = await createClient();
    const client2 = await createClient();
    const client3 = await createClient();
    await test.step('client 1: host registers and creates the shared server', async () => {
      const registerPage = new RegisterPage(client1.page);
      await registerPage.goto();
      await registerPage.register(
        hostCredentials.username,
        hostCredentials.displayName,
        hostCredentials.password
      );
      await expect(client1.page).toHaveURL(/\/dashboard/, { timeout: 15_000 });
      const search = new ServerSearchPage(client1.page);
      await search.createServer(serverName, {
        description: 'Multi-client chat sync regression coverage'
      });
      await expect(client1.page).toHaveURL(/\/room\//, { timeout: 15_000 });
    });
    const messages1 = new ChatMessagesPage(client1.page);
    await messages1.waitForReady();
    await test.step('client 2: second host device joins the same server', async () => {
      await loginSecondDeviceIntoServer(client2.page, hostCredentials, serverName);
    });
    const messages2 = new ChatMessagesPage(client2.page);
    await messages2.waitForReady();
    await test.step('both host devices exchange chat while online together', async () => {
      await expectCrossDeviceMessage(messages1, messages2, sharedBaselineMessage);
    });
    await test.step('close the second host browser (client 2)', async () => {
      await closeClient(client2);
    });
    await test.step('client 1 sends chat while the second host device is offline', async () => {
      await client1.page.bringToFront();
      await messages1.sendMessage(soloHostMessage);
      await expect(messages1.getMessageItemByText(soloHostMessage)).toBeVisible({ timeout: 20_000 });
    });
    await test.step('guest account registers ahead of joining the server', async () => {
      const registerPage = new RegisterPage(client3.page);
      await registerPage.goto();
      await registerPage.register(
        guestCredentials.username,
        guestCredentials.displayName,
        guestCredentials.password
      );
      await expect(client3.page).toHaveURL(/\/dashboard/, { timeout: 15_000 });
    });
    let messages3 = new ChatMessagesPage(client3.page);
    await test.step('client 3: guest joins and receives existing chat history', async () => {
      // Keep the host tab active so its websocket + peer negotiation stay alive.
      await client1.page.bringToFront();
      await messages1.waitForReady();
      const search = new ServerSearchPage(client3.page);
      await search.joinServerFromSearch(serverName);
      await expect(client3.page).toHaveURL(/\/room\//, { timeout: 20_000 });
      messages3 = new ChatMessagesPage(client3.page);
      await messages3.waitForReady();
      // Presence gate: both users must see each other in the members panel
      // before cross-user chat delivery can be expected.
      await client1.page.bringToFront();
      await expectServerPeerVisible(client1.page, guestCredentials.displayName);
      await client3.page.bringToFront();
      await expectServerPeerVisible(client3.page, hostCredentials.displayName);
      // Live delivery first - proves host <-> guest transport is actually up.
      await expectCrossDeviceMessage(messages1, messages3, liveGuestProbeMessage);
      // History only replicates over P2P inventory once the peer link exists.
      await client1.page.bringToFront();
      await expectSyncedMessageWithResync(client3.page, messages3, sharedBaselineMessage);
      await expectSyncedMessageWithResync(client3.page, messages3, soloHostMessage);
    });
    await test.step('close the guest browser (client 3)', async () => {
      await closeClient(client3);
    });
    await test.step('reopen client 2 and send a message while client 1 stays online', async () => {
      await client1.page.bringToFront();
      const reopened = await reopenClientInServer(createClient, hostCredentials, serverName);
      // Same-user catch-up uses account_sync, not P2P between own devices.
      await expectSyncedMessageWithResync(
        reopened.client.page,
        reopened.messages,
        soloHostMessage
      );
      await reopened.messages.sendMessage(offlineGapMessage);
      await expect(reopened.messages.getMessageItemByText(offlineGapMessage)).toBeVisible({ timeout: 20_000 });
    });
    await test.step('reopened guest client receives the offline-gap message from host device 2', async () => {
      await client1.page.bringToFront();
      await messages1.waitForReady();
      const reopenedGuest = await reopenClientInServer(createClient, guestCredentials, serverName);
      // Presence gate before relying on cross-user delivery again.
      await client1.page.bringToFront();
      await expectServerPeerVisible(client1.page, guestCredentials.displayName);
      await reopenedGuest.client.page.bringToFront();
      await expectServerPeerVisible(reopenedGuest.client.page, hostCredentials.displayName);
      await expectCrossDeviceMessage(messages1, reopenedGuest.messages, `Guest wake ${suffix}`);
      await expectSyncedMessageWithResync(
        reopenedGuest.client.page,
        reopenedGuest.messages,
        offlineGapMessage
      );
    });
    await test.step('primary host device still receives the message from its second device', async () => {
      await expectSyncedMessage(messages1, offlineGapMessage);
    });
  });
 });
--- a/e2e/tests/chat/multi-device-attachment-sharing.spec.ts
+++ b/e2e/tests/chat/multi-device-attachment-sharing.spec.ts
@@ -0,0 +1,96 @@
 import { test, expect } from '../../fixtures/multi-client';
 import { RegisterPage } from '../../pages/register.page';
 import { ServerSearchPage } from '../../pages/server-search.page';
 import { ChatMessagesPage, type ChatDropFilePayload } from '../../pages/chat-messages.page';
 import {
  MULTI_DEVICE_PASSWORD,
  loginSecondDeviceIntoServer,
  uniqueMultiDeviceName
 } from '../../helpers/multi-device-session';
 const SHARED_FROM_DEVICE_TEXT = 'Shared from your device';
 test.describe('Multi-device attachment sharing', () => {
  test.describe.configure({ timeout: 300_000, retries: 1 });
  test('only the uploading device claims "Shared from your device"; the second same-user device can request it', async ({
    createClient
  }) => {
    const suffix = uniqueMultiDeviceName('attach-share');
    const credentials = {
      username: `share_${suffix}`,
      displayName: 'Multi Device User',
      password: MULTI_DEVICE_PASSWORD
    };
    const serverName = `Attachment Sharing ${suffix}`;
    const fileName = `${suffix}-handoff.bin`;
    const caption = `Uploaded from device A ${suffix}`;
    const fileAttachment = createBinaryFilePayload(fileName, 'application/octet-stream', `binary-body-${suffix}`);
    const clientA = await createClient();
    const messagesA = new ChatMessagesPage(clientA.page);
    await test.step('device A registers, creates a server, and uploads a generic file', async () => {
      const registerPage = new RegisterPage(clientA.page);
      await registerPage.goto();
      await registerPage.register(credentials.username, credentials.displayName, credentials.password);
      await expect(clientA.page).toHaveURL(/\/dashboard/, { timeout: 15_000 });
      const search = new ServerSearchPage(clientA.page);
      await search.createServer(serverName, { description: 'Multi-device attachment sharing regression coverage' });
      await expect(clientA.page).toHaveURL(/\/room\//, { timeout: 15_000 });
      await messagesA.waitForReady();
      await messagesA.attachFiles([fileAttachment]);
      await messagesA.sendMessage(caption);
      await expect(messagesA.getMessageItemByText(caption)).toBeVisible({ timeout: 30_000 });
    });
    await test.step('device A (the uploader) shows "Shared from your device"', async () => {
      const bubbleA = messagesA.getMessageItemByText(caption);
      await expect(bubbleA.getByText(fileName, { exact: false })).toBeVisible({ timeout: 20_000 });
      await expect(bubbleA.getByText(SHARED_FROM_DEVICE_TEXT, { exact: false })).toBeVisible({ timeout: 20_000 });
    });
    const clientB = await createClient();
    const messagesB = new ChatMessagesPage(clientB.page);
    await test.step('device B (same user) logs into the same server after the upload', async () => {
      await loginSecondDeviceIntoServer(clientB.page, credentials, serverName);
      // Keep device A active so it answers device B's account_sync_peer_online push.
      await clientA.page.bringToFront();
      await messagesA.waitForReady();
      await clientB.page.bringToFront();
      await messagesB.waitForReady();
    });
    await test.step('device B receives the message and its attachment via same-user account sync', async () => {
      await expect(messagesB.getMessageItemByText(caption)).toBeVisible({ timeout: 90_000 });
      await expect(messagesB.getMessageItemByText(caption).getByText(fileName, { exact: false }))
        .toBeVisible({ timeout: 90_000 });
    });
    await test.step('device B does NOT claim to share it and can request/download the file', async () => {
      const bubbleB = messagesB.getMessageItemByText(caption);
      // The regression: device B used to render "Shared from your device" and hide the
      // download affordance because the synced metadata carried the uploader's user id.
      await expect(bubbleB.getByText(SHARED_FROM_DEVICE_TEXT, { exact: false })).toHaveCount(0);
      // Device B must instead be able to fetch the file as any recipient would.
      const getButton = bubbleB.getByRole('button', { name: /request|download/i });
      await expect(getButton.first()).toBeVisible({ timeout: 20_000 });
    });
  });
 });
 function createBinaryFilePayload(name: string, mimeType: string, content: string): ChatDropFilePayload {
  return {
    name,
    mimeType,
    base64: Buffer.from(content, 'utf8').toString('base64')
  };
 }
--- a/e2e/tests/mobile/android-app-icon.spec.ts
+++ b/e2e/tests/mobile/android-app-icon.spec.ts
@@ -0,0 +1,107 @@
 import { createHash } from 'node:crypto';
 import { existsSync, readFileSync } from 'node:fs';
 import { join } from 'node:path';
 import sharp from 'sharp';
 import { test, expect } from '../../fixtures/base';
 import {
  BRAND_LAUNCHER_BACKGROUND_COLOR,
  findMissingLauncherResources,
  findStockCapacitorResources,
  isBrandLauncherBackgroundColor,
  readAdaptiveIconBackgroundColor,
  REQUIRED_LAUNCHER_ICON_FILES,
  REQUIRED_SPLASH_FILES
 } from '../../../toju-app/src/app/infrastructure/mobile/logic/mobile-android-launcher-icon.rules';
 /**
 * Regression coverage for: "No android app icon" - the Capacitor shell shipped
 * the stock Ionic placeholder launcher icon instead of the Toju brand mark.
 *
 * A native launcher icon cannot be asserted through a running browser, so this
 * spec verifies the committed Android resources directly: every density is
 * present, none still match a stock Capacitor placeholder, the adaptive-icon
 * background is the brand purple, and the generated bitmaps actually contain the
 * brand mark (white cat on a purple disc). This is deterministic - no emulator,
 * no timing - so it stays reliable in CI.
 */
 const REPO_ROOT = join(__dirname, '..', '..', '..');
 const RES_DIR = join(REPO_ROOT, 'toju-app', 'android', 'app', 'src', 'main', 'res');
 const BRAND_PURPLE = { r: 0x4a, g: 0x21, b: 0x7a };
 const WHITE = { r: 255, g: 255, b: 255 };
 const COLOR_TOLERANCE = 24;
 function sha256(resRelativePath: string): string {
  return createHash('sha256').update(readFileSync(join(RES_DIR, resRelativePath)))
    .digest('hex');
 }
 function colorDistance(
  left: { r: number; g: number; b: number },
  right: { r: number; g: number; b: number }
 ): number {
  return Math.max(Math.abs(left.r - right.r), Math.abs(left.g - right.g), Math.abs(left.b - right.b));
 }
 async function samplePixel(
  resRelativePath: string,
  xRatio: number,
  yRatio: number
 ): Promise<{ r: number; g: number; b: number }> {
  const { data, info } = await sharp(join(RES_DIR, resRelativePath)).raw()
    .toBuffer({ resolveWithObject: true });
  const x = Math.min(info.width - 1, Math.floor(info.width * xRatio));
  const y = Math.min(info.height - 1, Math.floor(info.height * yRatio));
  const offset = (y * info.width + x) * info.channels;
  return { r: data[offset], g: data[offset + 1], b: data[offset + 2] };
 }
 test.describe('Android brand app icon', () => {
  test('ships a launcher icon and splash for every required density', () => {
    const allRequired = [...REQUIRED_LAUNCHER_ICON_FILES, ...REQUIRED_SPLASH_FILES];
    const present = allRequired.filter((file) => existsSync(join(RES_DIR, file)));
    expect(findMissingLauncherResources(present)).toEqual([]);
  });
  test('replaces every stock Capacitor placeholder with the brand asset', () => {
    const allRequired = [...REQUIRED_LAUNCHER_ICON_FILES, ...REQUIRED_SPLASH_FILES];
    const hashByFile = Object.fromEntries(
      allRequired.filter((file) => existsSync(join(RES_DIR, file))).map((file) => [file, sha256(file)])
    );
    expect(findStockCapacitorResources(hashByFile)).toEqual([]);
  });
  test('uses the brand purple as the adaptive-icon background', () => {
    const valuesXml = readFileSync(join(RES_DIR, 'values', 'ic_launcher_background.xml'), 'utf8');
    const color = readAdaptiveIconBackgroundColor(valuesXml);
    expect(color).not.toBe('#FFFFFF');
    expect(isBrandLauncherBackgroundColor(color)).toBe(true);
    expect(color?.toLowerCase()).toBe(BRAND_LAUNCHER_BACKGROUND_COLOR.toLowerCase());
  });
  test('renders the brand mark (white cat on a purple disc) in the launcher bitmap', async () => {
    const launcher = 'mipmap-xxxhdpi/ic_launcher.png';
    const ringTop = await samplePixel(launcher, 0.5, 0.12);
    const ringLeft = await samplePixel(launcher, 0.12, 0.5);
    const faceCenter = await samplePixel(launcher, 0.5, 0.5);
    expect(colorDistance(ringTop, BRAND_PURPLE)).toBeLessThanOrEqual(COLOR_TOLERANCE);
    expect(colorDistance(ringLeft, BRAND_PURPLE)).toBeLessThanOrEqual(COLOR_TOLERANCE);
    expect(colorDistance(faceCenter, WHITE)).toBeLessThanOrEqual(COLOR_TOLERANCE);
  });
  test('renders the splash art as the brand mark centred on a purple field', async () => {
    const splash = 'drawable-port-xhdpi/splash.png';
    const corner = await samplePixel(splash, 0.04, 0.04);
    const center = await samplePixel(splash, 0.5, 0.5);
    expect(colorDistance(corner, BRAND_PURPLE)).toBeLessThanOrEqual(COLOR_TOLERANCE);
    expect(colorDistance(center, WHITE)).toBeLessThanOrEqual(COLOR_TOLERANCE);
  });
 });
--- a/e2e/tests/mobile/mobile-login-on-startup.spec.ts
+++ b/e2e/tests/mobile/mobile-login-on-startup.spec.ts
@@ -0,0 +1,39 @@
 import { test, expect } from '../../fixtures/multi-client';
 /**
 * Regression coverage for: "No login screen mobile phone on startup".
 *
 * Signed-out mobile users used to be left on a logged-out /dashboard (the
 * startup redirect special-cased mobile + root/dashboard and kept them there),
 * so they were never greeted with the login screen. The fix removes that mobile
 * exception: signed-out visitors are sent to /login on every platform.
 *
 * The mobile viewport must be set BEFORE navigation so ViewportService reports
 * `isMobile === true` at app bootstrap, which is exactly when the redirect ran.
 */
 const MOBILE_VIEWPORT = { width: 390, height: 844 };
 test.describe('Mobile login screen on startup', () => {
  test.describe.configure({ timeout: 120_000 });
  test('greets a signed-out mobile visitor on /dashboard with the login screen', async ({ createClient }) => {
    const { page } = await createClient();
    await page.setViewportSize(MOBILE_VIEWPORT);
    await page.goto('/dashboard', { waitUntil: 'domcontentloaded' });
    await expect(page).toHaveURL(/\/login/, { timeout: 15_000 });
    await expect(page.locator('#login-username')).toBeVisible({ timeout: 15_000 });
  });
  test('greets a signed-out mobile visitor on the app root with the login screen', async ({ createClient }) => {
    const { page } = await createClient();
    await page.setViewportSize(MOBILE_VIEWPORT);
    await page.goto('/', { waitUntil: 'domcontentloaded' });
    await expect(page).toHaveURL(/\/login/, { timeout: 15_000 });
    await expect(page.locator('#login-username')).toBeVisible({ timeout: 15_000 });
  });
 });
--- a/e2e/tests/plugins/plugin-api-two-users.spec.ts
+++ b/e2e/tests/plugins/plugin-api-two-users.spec.ts
@@ -42,8 +42,7 @@ test.describe('Plugin API multi-user runtime', () => {
    });
    await test.step('Activate the server plugin for Bob as the embed/soundboard receiver', async () => {
-      await installGrantAndActivatePlugin(scenario.bob.page, false);
+      await installRequiredServerPluginsViaModal(scenario.bob.page);
      await closeSettingsModal(scenario.bob.page);
      await expect(soundboardComposerButton(scenario.bob.page)).toBeVisible({ timeout: 20_000 });
      await expect(scenario.bob.page.getByText(SOUND_BOARD_TEXT, { exact: true })).toBeVisible({ timeout: 20_000 });
    });
@@ -178,6 +177,14 @@ async function installGrantAndActivatePlugin(page: Page, installFromStore: boole
  await expect(page.getByText('all-api plugin completed')).toBeVisible({ timeout: 30_000 });
 }
 async function installRequiredServerPluginsViaModal(page: Page): Promise<void> {
  const installButton = page.getByRole('button', { name: 'Install plugins' });
  await expect(installButton).toBeVisible({ timeout: 30_000 });
  await installButton.click();
  await expect(installButton).toHaveCount(0, { timeout: 30_000 });
 }
 async function closeSettingsModal(page: Page): Promise<void> {
  await page.keyboard.press('Escape');
  await expect(page.getByTestId('plugin-manager')).toHaveCount(0);
--- a/e2e/tests/servers/server-discovery-default.spec.ts
+++ b/e2e/tests/servers/server-discovery-default.spec.ts
@@ -0,0 +1,98 @@
 import { test, expect } from '../../fixtures/multi-client';
 import { type Client } from '../../fixtures/multi-client';
 import { RegisterPage } from '../../pages/register.page';
 import { ServerSearchPage } from '../../pages/server-search.page';
 import { dashboardSearchInput, expectDashboardReady } from '../../helpers/dashboard';
 import { MULTI_DEVICE_PASSWORD, uniqueMultiDeviceName } from '../../helpers/multi-device-session';
 /**
 * Regression coverage for: "Fresh users have the server list in dashboard
 * completely empty until anything searched."
 *
 * The directory exposes a curated discovery view (featured/trending) that must
 * populate the dashboard "Popular Servers" panel and the /servers page without
 * the user typing a search query. A stale client-side host blocklist used to
 * short-circuit discovery to [] for the default production endpoints, so servers
 * only appeared once a search ran. These tests prove the default view is
 * populated, and that discovery self-heals when an endpoint lacks the
 * featured/trending routes (older signal servers answer them with 404).
 */
 async function createPublicServer(client: Client, username: string, serverName: string): Promise<void> {
  const register = new RegisterPage(client.page);
  await register.goto();
  await register.register(username, 'Discovery Host', MULTI_DEVICE_PASSWORD);
  await expect(client.page).toHaveURL(/\/dashboard/, { timeout: 15_000 });
  const search = new ServerSearchPage(client.page);
  await search.createServer(serverName, { description: 'Public discovery server' });
  await expect(client.page).toHaveURL(/\/room\//, { timeout: 15_000 });
 }
 function popularServersPanel(client: Client) {
  return client.page.locator('div.rounded-xl', { hasText: 'Popular Servers' });
 }
 test.describe('Server discovery default view', () => {
  test.describe.configure({ timeout: 120_000, retries: 1 });
  test('a fresh account sees public servers in Popular Servers without searching', async ({ createClient }) => {
    const suffix = uniqueMultiDeviceName('discovery-default');
    const serverName = `Discovery Default ${suffix}`;
    const host = await createClient();
    const visitor = await createClient();
    await test.step('host registers and publishes a public server', async () => {
      await createPublicServer(host, `host_${suffix}`, serverName);
    });
    await test.step('a brand-new account registers', async () => {
      const register = new RegisterPage(visitor.page);
      await register.goto();
      await register.register(`visitor_${suffix}`, 'Discovery Visitor', MULTI_DEVICE_PASSWORD);
      await expectDashboardReady(visitor.page);
    });
    await test.step('Popular Servers lists the public server with no search query entered', async () => {
      await expect(dashboardSearchInput(visitor.page)).toHaveValue('');
      await expect(popularServersPanel(visitor).getByText(serverName)).toBeVisible({ timeout: 30_000 });
    });
  });
  test('discovery falls back to the public listing when featured/trending routes 404', async ({ createClient }) => {
    const suffix = uniqueMultiDeviceName('discovery-fallback');
    const serverName = `Discovery Fallback ${suffix}`;
    const host = await createClient();
    const visitor = await createClient();
    await test.step('host registers and publishes a public server', async () => {
      await createPublicServer(host, `host_${suffix}`, serverName);
    });
    await test.step('simulate a legacy signal server without featured/trending routes', async () => {
      const notFound = {
        status: 404,
        contentType: 'application/json',
        body: JSON.stringify({ error: 'Server not found', errorCode: 'SERVER_NOT_FOUND' })
      };
      await visitor.page.route('**/api/servers/featured**', (route) => route.fulfill(notFound));
      await visitor.page.route('**/api/servers/trending**', (route) => route.fulfill(notFound));
    });
    await test.step('a brand-new account registers against the legacy-style endpoint', async () => {
      const register = new RegisterPage(visitor.page);
      await register.goto();
      await register.register(`visitor_${suffix}`, 'Discovery Visitor', MULTI_DEVICE_PASSWORD);
      await expectDashboardReady(visitor.page);
    });
    await test.step('Popular Servers still lists the server via the public-listing fallback', async () => {
      await expect(dashboardSearchInput(visitor.page)).toHaveValue('');
      await expect(popularServersPanel(visitor).getByText(serverName)).toBeVisible({ timeout: 30_000 });
    });
  });
 });
--- a/e2e/tests/voice/mixed-signal-config-voice.spec.ts
+++ b/e2e/tests/voice/mixed-signal-config-voice.spec.ts
@@ -18,7 +18,8 @@ import {
 import {
  authHeaders,
  readAuthTokenFromPage,
-  registerTestUser
+  registerTestUser,
  type AuthSession
 } from '../../helpers/auth-api';
 import { RegisterPage } from '../../pages/register.page';
 import { ServerSearchPage } from '../../pages/server-search.page';
@@ -151,6 +152,12 @@ test.describe('Mixed signal-config voice', () => {
      });
      let secondaryRoomId = '';
      // Identity that owns the secondary room. The invite must be created with
      // this same API session: client 0 also auto-provisions a *separate*
      // identity on the secondary signal endpoint, which overwrites the page's
      // stored token, so reading the token back from the page would yield a
      // non-owner identity and the invite request would be rejected (NOT_MEMBER).
      let secondaryRoomOwner: AuthSession;
      // ── Create rooms ────────────────────────────────────────────
      await test.step('Create voice room on primary and chat room on secondary', async () => {
@@ -192,6 +199,7 @@ test.describe('Mixed signal-config voice', () => {
        );
        secondaryRoomId = secondaryRoom.id;
        secondaryRoomOwner = secondarySession;
      });
      // ── Create invite links ─────────────────────────────────────
@@ -221,17 +229,14 @@ test.describe('Mixed signal-config voice', () => {
        primaryRoomInviteUrl = `/invite/${primaryInvite.id}?server=${encodeURIComponent(testServer.url)}`;
-        // Create invite for secondary room (chat) via API
+        // Create invite for secondary room (chat) via API using the API session
-        const secondaryToken = await readAuthTokenFromPage(clients[0].page, secondaryServer.url);
+        // that owns the room. The page-stored token for the secondary endpoint
-
+        // belongs to client 0's auto-provisioned identity, which is not the
-        if (!secondaryToken) {
+        // room owner and would be rejected with NOT_MEMBER.
          throw new Error('Missing session token for secondary signal invite creation');
        }
        const secondaryInvite = await createInviteViaApi(
          secondaryServer.url,
          secondaryRoomId,
-          secondaryToken,
+          secondaryRoomOwner.token,
          clients[0].user.displayName
        );
--- a/electron/window/create-window.ts
+++ b/electron/window/create-window.ts
@@ -11,6 +11,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import { DESKTOP_APP_DISPLAY_NAME } from '../app/desktop-branding.rules';
 import { readDesktopSettings } from '../desktop-settings';
 import { resolveDevelopmentClientUrl } from './dev-client-url.rules';
 let mainWindow: BrowserWindow | null = null;
 let tray: Tray | null = null;
@@ -277,11 +278,7 @@ export async function createWindow(): Promise<void> {
  }
  if (process.env['NODE_ENV'] === 'development') {
-    const devUrl = process.env['SSL'] === 'true'
+    await mainWindow.loadURL(resolveDevelopmentClientUrl(process.env['SSL'] === 'true'));
      ? 'https://localhost:4200'
      : 'http://localhost:4200';
    await mainWindow.loadURL(devUrl);
    if (process.env['DEBUG_DEVTOOLS'] === '1') {
      mainWindow.webContents.openDevTools();
--- a/electron/window/dev-client-url.rules.spec.ts
+++ b/electron/window/dev-client-url.rules.spec.ts
@@ -0,0 +1,26 @@
 import {
  describe,
  expect,
  it
 } from 'vitest';
 import {
  DEV_CLIENT_HOST,
  DEV_CLIENT_PORT,
  resolveDevelopmentClientUrl
 } from './dev-client-url.rules';
 describe('dev-client-url.rules', () => {
  it('targets loopback IPv4 so dev wait-on avoids stale localhost IPv6 listeners', () => {
    expect(DEV_CLIENT_HOST).toBe('127.0.0.1');
    expect(DEV_CLIENT_PORT).toBe(4200);
  });
  it('builds the HTTP dev client URL', () => {
    expect(resolveDevelopmentClientUrl(false)).toBe('http://127.0.0.1:4200');
  });
  it('builds the HTTPS dev client URL', () => {
    expect(resolveDevelopmentClientUrl(true)).toBe('https://127.0.0.1:4200');
  });
 });
--- a/electron/window/dev-client-url.rules.ts
+++ b/electron/window/dev-client-url.rules.ts
@@ -0,0 +1,8 @@
 export const DEV_CLIENT_HOST = '127.0.0.1';
 export const DEV_CLIENT_PORT = 4200;
 export function resolveDevelopmentClientUrl(sslEnabled: boolean): string {
  const scheme = sslEnabled ? 'https' : 'http';
  return `${scheme}://${DEV_CLIENT_HOST}:${DEV_CLIENT_PORT}`;
 }
--- a/eslint.config.js
+++ b/eslint.config.js
@@ -59,21 +59,8 @@ module.exports = tseslint.config(
  'ClassBody.body > PropertyDefinition[decorators.length > 0] > .key'
      ], SwitchCase:1 }],
      '@stylistic/ts/member-delimiter-style': ['error',{ multiline:{ delimiter:'semi', requireLast:true }, singleline:{ delimiter:'semi', requireLast:false } }],
-      '@typescript-eslint/member-ordering': ['error',{ default:[
+      // Disabled: bulk member reordering breaks Angular inject()/field init order (TS2729).
-        'signature','call-signature',
+      '@typescript-eslint/member-ordering': 'off',
        'public-static-field','protected-static-field','private-static-field','#private-static-field',
        'public-decorated-field','protected-decorated-field','private-decorated-field',
        'public-instance-field','protected-instance-field','private-instance-field','#private-instance-field',
        'public-abstract-field','protected-abstract-field',
        'public-field','protected-field','private-field','#private-field',
        'static-field','instance-field','abstract-field','decorated-field','field','static-initialization',
        'public-constructor','protected-constructor','private-constructor','constructor',
        'public-static-method','protected-static-method','private-static-method','#private-static-method',
        'public-decorated-method','protected-decorated-method','private-decorated-method',
        'public-instance-method','protected-instance-method','private-instance-method','#private-instance-method',
        'public-abstract-method','protected-abstract-method','public-method','protected-method','private-method','#private-method',
        'static-method','instance-method','abstract-method','decorated-method','method'
      ] }],
      '@typescript-eslint/no-empty-function': 'off',
      '@typescript-eslint/no-empty-interface': 'error',
      '@typescript-eslint/no-explicit-any': 'error',
--- a/images/icon-new-rounded.png
+++ b/images/icon-new-rounded.png
--- a/package-lock.json
+++ b/package-lock.json
@@ -93,10 +93,12 @@
        "eslint-config-prettier": "^10.1.8",
        "eslint-plugin-import-newlines": "^1.4.1",
        "eslint-plugin-prettier": "^5.5.5",
        "fake-indexeddb": "^6.2.5",
        "glob": "^10.5.0",
        "pkg": "^5.8.1",
        "postcss": "^8.5.6",
        "prettier": "^3.8.1",
        "sharp": "^0.34.4",
        "tailwindcss": "^3.4.19",
        "typescript": "~5.9.2",
        "typescript-eslint": "8.50.1",
@@ -5601,6 +5603,496 @@
        "mlly": "^1.8.0"
      }
    },
    "node_modules/@img/colour": {
      "version": "1.1.0",
      "resolved": "https://registry.npmjs.org/@img/colour/-/colour-1.1.0.tgz",
      "integrity": "sha512-Td76q7j57o/tLVdgS746cYARfSyxk8iEfRxewL9h4OMzYhbW4TAcppl0mT4eyqXddh6L/jwoM75mo7ixa/pCeQ==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": ">=18"
      }
    },
    "node_modules/@img/sharp-darwin-arm64": {
      "version": "0.34.5",
      "resolved": "https://registry.npmjs.org/@img/sharp-darwin-arm64/-/sharp-darwin-arm64-0.34.5.tgz",
      "integrity": "sha512-imtQ3WMJXbMY4fxb/Ndp6HBTNVtWCUI0WdobyheGf5+ad6xX8VIDO8u2xE4qc/fr08CKG/7dDseFtn6M6g/r3w==",
      "cpu": [
        "arm64"
      ],
      "dev": true,
      "license": "Apache-2.0",
      "optional": true,
      "os": [
        "darwin"
      ],
      "engines": {
        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
      },
      "funding": {
        "url": "https://opencollective.com/libvips"
      },
      "optionalDependencies": {
        "@img/sharp-libvips-darwin-arm64": "1.2.4"
      }
    },
    "node_modules/@img/sharp-darwin-x64": {
      "version": "0.34.5",
      "resolved": "https://registry.npmjs.org/@img/sharp-darwin-x64/-/sharp-darwin-x64-0.34.5.tgz",
      "integrity": "sha512-YNEFAF/4KQ/PeW0N+r+aVVsoIY0/qxxikF2SWdp+NRkmMB7y9LBZAVqQ4yhGCm/H3H270OSykqmQMKLBhBJDEw==",
      "cpu": [
        "x64"
      ],
      "dev": true,
      "license": "Apache-2.0",
      "optional": true,
      "os": [
        "darwin"
      ],
      "engines": {
        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
      },
      "funding": {
        "url": "https://opencollective.com/libvips"
      },
      "optionalDependencies": {
        "@img/sharp-libvips-darwin-x64": "1.2.4"
      }
    },
    "node_modules/@img/sharp-libvips-darwin-arm64": {
      "version": "1.2.4",
      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-arm64/-/sharp-libvips-darwin-arm64-1.2.4.tgz",
      "integrity": "sha512-zqjjo7RatFfFoP0MkQ51jfuFZBnVE2pRiaydKJ1G/rHZvnsrHAOcQALIi9sA5co5xenQdTugCvtb1cuf78Vf4g==",
      "cpu": [
        "arm64"
      ],
      "dev": true,
      "license": "LGPL-3.0-or-later",
      "optional": true,
      "os": [
        "darwin"
      ],
      "funding": {
        "url": "https://opencollective.com/libvips"
      }
    },
    "node_modules/@img/sharp-libvips-darwin-x64": {
      "version": "1.2.4",
      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-x64/-/sharp-libvips-darwin-x64-1.2.4.tgz",
      "integrity": "sha512-1IOd5xfVhlGwX+zXv2N93k0yMONvUlANylbJw1eTah8K/Jtpi15KC+WSiaX/nBmbm2HxRM1gZ0nSdjSsrZbGKg==",
      "cpu": [
        "x64"
      ],
      "dev": true,
      "license": "LGPL-3.0-or-later",
      "optional": true,
      "os": [
        "darwin"
      ],
      "funding": {
        "url": "https://opencollective.com/libvips"
      }
    },
    "node_modules/@img/sharp-libvips-linux-arm": {
      "version": "1.2.4",
      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm/-/sharp-libvips-linux-arm-1.2.4.tgz",
      "integrity": "sha512-bFI7xcKFELdiNCVov8e44Ia4u2byA+l3XtsAj+Q8tfCwO6BQ8iDojYdvoPMqsKDkuoOo+X6HZA0s0q11ANMQ8A==",
      "cpu": [
        "arm"
      ],
      "dev": true,
      "license": "LGPL-3.0-or-later",
      "optional": true,
      "os": [
        "linux"
      ],
      "funding": {
        "url": "https://opencollective.com/libvips"
      }
    },
    "node_modules/@img/sharp-libvips-linux-arm64": {
      "version": "1.2.4",
      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm64/-/sharp-libvips-linux-arm64-1.2.4.tgz",
      "integrity": "sha512-excjX8DfsIcJ10x1Kzr4RcWe1edC9PquDRRPx3YVCvQv+U5p7Yin2s32ftzikXojb1PIFc/9Mt28/y+iRklkrw==",
      "cpu": [
        "arm64"
      ],
      "dev": true,
      "license": "LGPL-3.0-or-later",
      "optional": true,
      "os": [
        "linux"
      ],
      "funding": {
        "url": "https://opencollective.com/libvips"
      }
    },
    "node_modules/@img/sharp-libvips-linux-ppc64": {
      "version": "1.2.4",
      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-ppc64/-/sharp-libvips-linux-ppc64-1.2.4.tgz",
      "integrity": "sha512-FMuvGijLDYG6lW+b/UvyilUWu5Ayu+3r2d1S8notiGCIyYU/76eig1UfMmkZ7vwgOrzKzlQbFSuQfgm7GYUPpA==",
      "cpu": [
        "ppc64"
      ],
      "dev": true,
      "license": "LGPL-3.0-or-later",
      "optional": true,
      "os": [
        "linux"
      ],
      "funding": {
        "url": "https://opencollective.com/libvips"
      }
    },
    "node_modules/@img/sharp-libvips-linux-riscv64": {
      "version": "1.2.4",
      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-riscv64/-/sharp-libvips-linux-riscv64-1.2.4.tgz",
      "integrity": "sha512-oVDbcR4zUC0ce82teubSm+x6ETixtKZBh/qbREIOcI3cULzDyb18Sr/Wcyx7NRQeQzOiHTNbZFF1UwPS2scyGA==",
      "cpu": [
        "riscv64"
      ],
      "dev": true,
      "license": "LGPL-3.0-or-later",
      "optional": true,
      "os": [
        "linux"
      ],
      "funding": {
        "url": "https://opencollective.com/libvips"
      }
    },
    "node_modules/@img/sharp-libvips-linux-s390x": {
      "version": "1.2.4",
      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-s390x/-/sharp-libvips-linux-s390x-1.2.4.tgz",
      "integrity": "sha512-qmp9VrzgPgMoGZyPvrQHqk02uyjA0/QrTO26Tqk6l4ZV0MPWIW6LTkqOIov+J1yEu7MbFQaDpwdwJKhbJvuRxQ==",
      "cpu": [
        "s390x"
      ],
      "dev": true,
      "license": "LGPL-3.0-or-later",
      "optional": true,
      "os": [
        "linux"
      ],
      "funding": {
        "url": "https://opencollective.com/libvips"
      }
    },
    "node_modules/@img/sharp-libvips-linux-x64": {
      "version": "1.2.4",
      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-x64/-/sharp-libvips-linux-x64-1.2.4.tgz",
      "integrity": "sha512-tJxiiLsmHc9Ax1bz3oaOYBURTXGIRDODBqhveVHonrHJ9/+k89qbLl0bcJns+e4t4rvaNBxaEZsFtSfAdquPrw==",
      "cpu": [
        "x64"
      ],
      "dev": true,
      "license": "LGPL-3.0-or-later",
      "optional": true,
      "os": [
        "linux"
      ],
      "funding": {
        "url": "https://opencollective.com/libvips"
      }
    },
    "node_modules/@img/sharp-libvips-linuxmusl-arm64": {
      "version": "1.2.4",
      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-arm64/-/sharp-libvips-linuxmusl-arm64-1.2.4.tgz",
      "integrity": "sha512-FVQHuwx1IIuNow9QAbYUzJ+En8KcVm9Lk5+uGUQJHaZmMECZmOlix9HnH7n1TRkXMS0pGxIJokIVB9SuqZGGXw==",
      "cpu": [
        "arm64"
      ],
      "dev": true,
      "license": "LGPL-3.0-or-later",
      "optional": true,
      "os": [
        "linux"
      ],
      "funding": {
        "url": "https://opencollective.com/libvips"
      }
    },
    "node_modules/@img/sharp-libvips-linuxmusl-x64": {
      "version": "1.2.4",
      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-x64/-/sharp-libvips-linuxmusl-x64-1.2.4.tgz",
      "integrity": "sha512-+LpyBk7L44ZIXwz/VYfglaX/okxezESc6UxDSoyo2Ks6Jxc4Y7sGjpgU9s4PMgqgjj1gZCylTieNamqA1MF7Dg==",
      "cpu": [
        "x64"
      ],
      "dev": true,
      "license": "LGPL-3.0-or-later",
      "optional": true,
      "os": [
        "linux"
      ],
      "funding": {
        "url": "https://opencollective.com/libvips"
      }
    },
    "node_modules/@img/sharp-linux-arm": {
      "version": "0.34.5",
      "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm/-/sharp-linux-arm-0.34.5.tgz",
      "integrity": "sha512-9dLqsvwtg1uuXBGZKsxem9595+ujv0sJ6Vi8wcTANSFpwV/GONat5eCkzQo/1O6zRIkh0m/8+5BjrRr7jDUSZw==",
      "cpu": [
        "arm"
      ],
      "dev": true,
      "license": "Apache-2.0",
      "optional": true,
      "os": [
        "linux"
      ],
      "engines": {
        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
      },
      "funding": {
        "url": "https://opencollective.com/libvips"
      },
      "optionalDependencies": {
        "@img/sharp-libvips-linux-arm": "1.2.4"
      }
    },
    "node_modules/@img/sharp-linux-arm64": {
      "version": "0.34.5",
      "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm64/-/sharp-linux-arm64-0.34.5.tgz",
      "integrity": "sha512-bKQzaJRY/bkPOXyKx5EVup7qkaojECG6NLYswgktOZjaXecSAeCWiZwwiFf3/Y+O1HrauiE3FVsGxFg8c24rZg==",
      "cpu": [
        "arm64"
      ],
      "dev": true,
      "license": "Apache-2.0",
      "optional": true,
      "os": [
        "linux"
      ],
      "engines": {
        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
      },
      "funding": {
        "url": "https://opencollective.com/libvips"
      },
      "optionalDependencies": {
        "@img/sharp-libvips-linux-arm64": "1.2.4"
      }
    },
    "node_modules/@img/sharp-linux-ppc64": {
      "version": "0.34.5",
      "resolved": "https://registry.npmjs.org/@img/sharp-linux-ppc64/-/sharp-linux-ppc64-0.34.5.tgz",
      "integrity": "sha512-7zznwNaqW6YtsfrGGDA6BRkISKAAE1Jo0QdpNYXNMHu2+0dTrPflTLNkpc8l7MUP5M16ZJcUvysVWWrMefZquA==",
      "cpu": [
        "ppc64"
      ],
      "dev": true,
      "license": "Apache-2.0",
      "optional": true,
      "os": [
        "linux"
      ],
      "engines": {
        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
      },
      "funding": {
        "url": "https://opencollective.com/libvips"
      },
      "optionalDependencies": {
        "@img/sharp-libvips-linux-ppc64": "1.2.4"
      }
    },
    "node_modules/@img/sharp-linux-riscv64": {
      "version": "0.34.5",
      "resolved": "https://registry.npmjs.org/@img/sharp-linux-riscv64/-/sharp-linux-riscv64-0.34.5.tgz",
      "integrity": "sha512-51gJuLPTKa7piYPaVs8GmByo7/U7/7TZOq+cnXJIHZKavIRHAP77e3N2HEl3dgiqdD/w0yUfiJnII77PuDDFdw==",
      "cpu": [
        "riscv64"
      ],
      "dev": true,
      "license": "Apache-2.0",
      "optional": true,
      "os": [
        "linux"
      ],
      "engines": {
        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
      },
      "funding": {
        "url": "https://opencollective.com/libvips"
      },
      "optionalDependencies": {
        "@img/sharp-libvips-linux-riscv64": "1.2.4"
      }
    },
    "node_modules/@img/sharp-linux-s390x": {
      "version": "0.34.5",
      "resolved": "https://registry.npmjs.org/@img/sharp-linux-s390x/-/sharp-linux-s390x-0.34.5.tgz",
      "integrity": "sha512-nQtCk0PdKfho3eC5MrbQoigJ2gd1CgddUMkabUj+rBevs8tZ2cULOx46E7oyX+04WGfABgIwmMC0VqieTiR4jg==",
      "cpu": [
        "s390x"
      ],
      "dev": true,
      "license": "Apache-2.0",
      "optional": true,
      "os": [
        "linux"
      ],
      "engines": {
        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
      },
      "funding": {
        "url": "https://opencollective.com/libvips"
      },
      "optionalDependencies": {
        "@img/sharp-libvips-linux-s390x": "1.2.4"
      }
    },
    "node_modules/@img/sharp-linux-x64": {
      "version": "0.34.5",
      "resolved": "https://registry.npmjs.org/@img/sharp-linux-x64/-/sharp-linux-x64-0.34.5.tgz",
      "integrity": "sha512-MEzd8HPKxVxVenwAa+JRPwEC7QFjoPWuS5NZnBt6B3pu7EG2Ge0id1oLHZpPJdn3OQK+BQDiw9zStiHBTJQQQQ==",
      "cpu": [
        "x64"
      ],
      "dev": true,
      "license": "Apache-2.0",
      "optional": true,
      "os": [
        "linux"
      ],
      "engines": {
        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
      },
      "funding": {
        "url": "https://opencollective.com/libvips"
      },
      "optionalDependencies": {
        "@img/sharp-libvips-linux-x64": "1.2.4"
      }
    },
    "node_modules/@img/sharp-linuxmusl-arm64": {
      "version": "0.34.5",
      "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-arm64/-/sharp-linuxmusl-arm64-0.34.5.tgz",
      "integrity": "sha512-fprJR6GtRsMt6Kyfq44IsChVZeGN97gTD331weR1ex1c1rypDEABN6Tm2xa1wE6lYb5DdEnk03NZPqA7Id21yg==",
      "cpu": [
        "arm64"
      ],
      "dev": true,
      "license": "Apache-2.0",
      "optional": true,
      "os": [
        "linux"
      ],
      "engines": {
        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
      },
      "funding": {
        "url": "https://opencollective.com/libvips"
      },
      "optionalDependencies": {
        "@img/sharp-libvips-linuxmusl-arm64": "1.2.4"
      }
    },
    "node_modules/@img/sharp-linuxmusl-x64": {
      "version": "0.34.5",
      "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-x64/-/sharp-linuxmusl-x64-0.34.5.tgz",
      "integrity": "sha512-Jg8wNT1MUzIvhBFxViqrEhWDGzqymo3sV7z7ZsaWbZNDLXRJZoRGrjulp60YYtV4wfY8VIKcWidjojlLcWrd8Q==",
      "cpu": [
        "x64"
      ],
      "dev": true,
      "license": "Apache-2.0",
      "optional": true,
      "os": [
        "linux"
      ],
      "engines": {
        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
      },
      "funding": {
        "url": "https://opencollective.com/libvips"
      },
      "optionalDependencies": {
        "@img/sharp-libvips-linuxmusl-x64": "1.2.4"
      }
    },
    "node_modules/@img/sharp-wasm32": {
      "version": "0.34.5",
      "resolved": "https://registry.npmjs.org/@img/sharp-wasm32/-/sharp-wasm32-0.34.5.tgz",
      "integrity": "sha512-OdWTEiVkY2PHwqkbBI8frFxQQFekHaSSkUIJkwzclWZe64O1X4UlUjqqqLaPbUpMOQk6FBu/HtlGXNblIs0huw==",
      "cpu": [
        "wasm32"
      ],
      "dev": true,
      "license": "Apache-2.0 AND LGPL-3.0-or-later AND MIT",
      "optional": true,
      "dependencies": {
        "@emnapi/runtime": "^1.7.0"
      },
      "engines": {
        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
      },
      "funding": {
        "url": "https://opencollective.com/libvips"
      }
    },
    "node_modules/@img/sharp-win32-arm64": {
      "version": "0.34.5",
      "resolved": "https://registry.npmjs.org/@img/sharp-win32-arm64/-/sharp-win32-arm64-0.34.5.tgz",
      "integrity": "sha512-WQ3AgWCWYSb2yt+IG8mnC6Jdk9Whs7O0gxphblsLvdhSpSTtmu69ZG1Gkb6NuvxsNACwiPV6cNSZNzt0KPsw7g==",
      "cpu": [
        "arm64"
      ],
      "dev": true,
      "license": "Apache-2.0 AND LGPL-3.0-or-later",
      "optional": true,
      "os": [
        "win32"
      ],
      "engines": {
        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
      },
      "funding": {
        "url": "https://opencollective.com/libvips"
      }
    },
    "node_modules/@img/sharp-win32-ia32": {
      "version": "0.34.5",
      "resolved": "https://registry.npmjs.org/@img/sharp-win32-ia32/-/sharp-win32-ia32-0.34.5.tgz",
      "integrity": "sha512-FV9m/7NmeCmSHDD5j4+4pNI8Cp3aW+JvLoXcTUo0IqyjSfAZJ8dIUmijx1qaJsIiU+Hosw6xM5KijAWRJCSgNg==",
      "cpu": [
        "ia32"
      ],
      "dev": true,
      "license": "Apache-2.0 AND LGPL-3.0-or-later",
      "optional": true,
      "os": [
        "win32"
      ],
      "engines": {
        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
      },
      "funding": {
        "url": "https://opencollective.com/libvips"
      }
    },
    "node_modules/@img/sharp-win32-x64": {
      "version": "0.34.5",
      "resolved": "https://registry.npmjs.org/@img/sharp-win32-x64/-/sharp-win32-x64-0.34.5.tgz",
      "integrity": "sha512-+29YMsqY2/9eFEiW93eqWnuLcWcufowXewwSNIT6UwZdUUCrM3oFjMWH/Z6/TMmb4hlFenmfAVbpWeup2jryCw==",
      "cpu": [
        "x64"
      ],
      "dev": true,
      "license": "Apache-2.0 AND LGPL-3.0-or-later",
      "optional": true,
      "os": [
        "win32"
      ],
      "engines": {
        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
      },
      "funding": {
        "url": "https://opencollective.com/libvips"
      }
    },
    "node_modules/@inquirer/ansi": {
      "version": "1.0.2",
      "resolved": "https://registry.npmjs.org/@inquirer/ansi/-/ansi-1.0.2.tgz",
@@ -20431,6 +20923,16 @@
      "license": "MIT",
      "optional": true
    },
    "node_modules/fake-indexeddb": {
      "version": "6.2.5",
      "resolved": "https://registry.npmjs.org/fake-indexeddb/-/fake-indexeddb-6.2.5.tgz",
      "integrity": "sha512-CGnyrvbhPlWYMngksqrSSUT1BAVP49dZocrHuK0SvtR0D5TMs5wP0o3j7jexDJW01KSadjBp1M/71o/KR3nD1w==",
      "dev": true,
      "license": "Apache-2.0",
      "engines": {
        "node": ">=18"
      }
    },
    "node_modules/fast-deep-equal": {
      "version": "3.1.3",
      "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",
@@ -31827,6 +32329,51 @@
        "node": ">=8"
      }
    },
    "node_modules/sharp": {
      "version": "0.34.5",
      "resolved": "https://registry.npmjs.org/sharp/-/sharp-0.34.5.tgz",
      "integrity": "sha512-Ou9I5Ft9WNcCbXrU9cMgPBcCK8LiwLqcbywW3t4oDV37n1pzpuNLsYiAV8eODnjbtQlSDwZ2cUEeQz4E54Hltg==",
      "dev": true,
      "hasInstallScript": true,
      "license": "Apache-2.0",
      "dependencies": {
        "@img/colour": "^1.0.0",
        "detect-libc": "^2.1.2",
        "semver": "^7.7.3"
      },
      "engines": {
        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
      },
      "funding": {
        "url": "https://opencollective.com/libvips"
      },
      "optionalDependencies": {
        "@img/sharp-darwin-arm64": "0.34.5",
        "@img/sharp-darwin-x64": "0.34.5",
        "@img/sharp-libvips-darwin-arm64": "1.2.4",
        "@img/sharp-libvips-darwin-x64": "1.2.4",
        "@img/sharp-libvips-linux-arm": "1.2.4",
        "@img/sharp-libvips-linux-arm64": "1.2.4",
        "@img/sharp-libvips-linux-ppc64": "1.2.4",
        "@img/sharp-libvips-linux-riscv64": "1.2.4",
        "@img/sharp-libvips-linux-s390x": "1.2.4",
        "@img/sharp-libvips-linux-x64": "1.2.4",
        "@img/sharp-libvips-linuxmusl-arm64": "1.2.4",
        "@img/sharp-libvips-linuxmusl-x64": "1.2.4",
        "@img/sharp-linux-arm": "0.34.5",
        "@img/sharp-linux-arm64": "0.34.5",
        "@img/sharp-linux-ppc64": "0.34.5",
        "@img/sharp-linux-riscv64": "0.34.5",
        "@img/sharp-linux-s390x": "0.34.5",
        "@img/sharp-linux-x64": "0.34.5",
        "@img/sharp-linuxmusl-arm64": "0.34.5",
        "@img/sharp-linuxmusl-x64": "0.34.5",
        "@img/sharp-wasm32": "0.34.5",
        "@img/sharp-win32-arm64": "0.34.5",
        "@img/sharp-win32-ia32": "0.34.5",
        "@img/sharp-win32-x64": "0.34.5"
      }
    },
    "node_modules/shebang-command": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
--- a/package.json
+++ b/package.json
@@ -23,7 +23,7 @@
    "server:start": "cd server && npm start",
    "server:dev": "cd server && npm run dev",
    "electron": "npm run build && npm run build:electron && node tools/launch-electron.js . --no-sandbox --disable-dev-shm-usage",
-    "electron:dev": "concurrently \"npm run start\" \"wait-on http://localhost:4200 && npm run build:electron && cross-env NODE_ENV=development node tools/launch-electron.js . --no-sandbox --disable-dev-shm-usage\"",
+    "electron:dev": "concurrently \"npm run start\" \"wait-on http://127.0.0.1:4200 && npm run build:electron && cross-env NODE_ENV=development node tools/launch-electron.js . --no-sandbox --disable-dev-shm-usage\"",
    "electron:full": "./dev.sh",
    "electron:full:build": "npm run build:all && concurrently --kill-others \"cd server && npm start\" \"cross-env NODE_ENV=production node tools/launch-electron.js . --no-sandbox --disable-dev-shm-usage\"",
    "migration:generate": "typeorm migration:generate electron/migrations/Auto -d dist/electron/data-source.js",
@@ -58,6 +58,7 @@
    "test:e2e:report": "node e2e/run-playwright.mjs show-report ../test-results/html-report",
    "perf:diag:view": "node tools/perf-diag-viewer.js",
    "perf:diag:tail": "node tools/perf-diag-viewer.js --tail",
    "cap:assets:android": "node tools/generate-android-app-icons.mjs",
    "cap:sync": "cd toju-app && npx cap sync",
    "cap:open:android": "node tools/cap-open-android.js",
    "cap:open:ios": "cd toju-app && npx cap open ios",
@@ -153,10 +154,12 @@
    "eslint-config-prettier": "^10.1.8",
    "eslint-plugin-import-newlines": "^1.4.1",
    "eslint-plugin-prettier": "^5.5.5",
    "fake-indexeddb": "^6.2.5",
    "glob": "^10.5.0",
    "pkg": "^5.8.1",
    "postcss": "^8.5.6",
    "prettier": "^3.8.1",
    "sharp": "^0.34.4",
    "tailwindcss": "^3.4.19",
    "typescript": "~5.9.2",
    "typescript-eslint": "8.50.1",
--- a/server/CONTEXT.md
+++ b/server/CONTEXT.md
@@ -48,6 +48,7 @@ Owns the shared, internet-reachable runtime: HTTP routes for server directory /
 - Every database schema change ships as a TypeORM **migration**; the live database is never mutated outside the migration system.
 - WebSocket **Envelope** types are defined once in `src/websocket/types.ts` and **must** stay structurally compatible with `toju-app/src/app/shared-kernel/signaling-contracts.ts` — drift between the two is a wire-protocol break.
 - WebSocket messages from a single connection are processed **strictly in arrival order** (`handleWebSocketMessage` chains them per connection id). Concurrent handling lets a `join_server` overtake a still-awaiting `identify` and silently drop room membership.
 - User-supplied URLs are **never** fetched without going through `ssrf-guard.ts`.
 - Secrets (klipy API key, OAuth tokens, signing keys) live in `data/variables.json` or environment variables — never in code, never in logs.
--- a/server/src/websocket/broadcast.spec.ts
+++ b/server/src/websocket/broadcast.spec.ts
@@ -62,7 +62,9 @@ describe('broadcastToServer', () => {
    expect((connA2.ws as WebSocket & { sentMessages: string[] }).sentMessages).toHaveLength(1);
    expect((connB.ws as WebSocket & { sentMessages: string[] }).sentMessages).toHaveLength(1);
    expect(connectedUsers.get('conn-a1')?.ws).toBeDefined();
-    expect((connectedUsers.get('conn-a1')!.ws as WebSocket & { sentMessages: string[] }).sentMessages).toHaveLength(0);
+    const connA1Passive = connectedUsers.get('conn-a1')?.ws as WebSocket & { sentMessages: string[] } | undefined;
    expect(connA1Passive?.sentMessages).toHaveLength(0);
  });
  it('excludes every connection for an identity when excludeIdentityOderId is set', () => {
--- a/server/src/websocket/handler-multi-client.spec.ts
+++ b/server/src/websocket/handler-multi-client.spec.ts
@@ -94,12 +94,13 @@ describe('server websocket handler - multi-client sessions', () => {
  });
  it('relays voice_state to other connections for the same user', async () => {
-    const sender = createConnectedUser('conn-a1', {
+    createConnectedUser('conn-a1', {
      authenticated: true,
      oderId: 'user-1',
      serverIds: new Set(['server-1']),
      clientInstanceId: 'device-a'
    });
    const passive = createConnectedUser('conn-a2', {
      authenticated: true,
      oderId: 'user-1',
@@ -129,7 +130,7 @@ describe('server websocket handler - multi-client sessions', () => {
  });
  it('forwards RTC offers to the voice-active connection for the target user', async () => {
-    const sender = createConnectedUser('conn-sender', {
+    createConnectedUser('conn-sender', {
      authenticated: true,
      oderId: 'user-2',
      serverIds: new Set(['server-1'])
@@ -220,4 +221,51 @@ describe('server websocket handler - multi-client sessions', () => {
    expect((stale.ws as WebSocket & { closeCalled: boolean }).closeCalled).toBe(true);
    expect(connectedUsers.get('conn-new')?.authenticated).toBe(true);
  });
  it('relays account_sync payloads to other connections for the same user', async () => {
    createConnectedUser('conn-a1', {
      authenticated: true,
      oderId: 'user-1',
      serverIds: new Set(['server-1']),
      clientInstanceId: 'device-a'
    });
    const receiver = createConnectedUser('conn-a2', {
      authenticated: true,
      oderId: 'user-1',
      serverIds: new Set(['server-1']),
      clientInstanceId: 'device-b'
    });
    getSentMessages(receiver).length = 0;
    await handleWebSocketMessage('conn-a1', {
      type: 'account_sync',
      clientInstanceId: 'device-a',
      payload: {
        type: 'friend-added',
        userId: 'friend-1',
        addedAt: 123
      }
    });
    const messages = getSentMessages(receiver).map((raw) => JSON.parse(raw) as {
      type: string;
      payload?: { type: string; userId?: string };
      clientInstanceId?: string;
      fromUserId?: string;
    });
    const relay = messages.find((message) => message.type === 'account_sync');
    expect(relay).toEqual({
      type: 'account_sync',
      clientInstanceId: 'device-a',
      fromUserId: 'user-1',
      payload: {
        type: 'friend-added',
        userId: 'friend-1',
        addedAt: 123
      }
    });
  });
 });
--- a/server/src/websocket/handler-ordering.spec.ts
+++ b/server/src/websocket/handler-ordering.spec.ts
@@ -0,0 +1,146 @@
 import {
  describe,
  it,
  expect,
  beforeEach,
  vi
 } from 'vitest';
 import { WebSocket } from 'ws';
 import { connectedUsers } from './state';
 import { ConnectedUser } from './types';
 import { handleWebSocketMessage } from './handler';
 vi.mock('../services/server-access.service', () => ({
  authorizeWebSocketJoin: vi.fn(async () => ({ allowed: true as const })),
  findServerMembership: vi.fn(async () => ({ id: 'membership-1' })),
  usersShareServerMembership: vi.fn(async () => false)
 }));
 vi.mock('../services/session-auth.service', () => ({
  // Resolve on a macrotask so an unserialized handler would interleave the
  // next message before identify completes - mirrors a real DB lookup.
  consumeSessionToken: vi.fn(async (token: string) => {
    await new Promise((resolve) => setTimeout(resolve, 0));
    if (token !== 'valid-token') {
      return null;
    }
    return {
      token,
      user: {
        id: 'user-1',
        username: 'alice',
        displayName: 'Alice',
        passwordHash: 'hash',
        createdAt: Date.now()
      },
      issuedAt: Date.now(),
      expiresAt: Date.now() + 60_000
    };
  })
 }));
 vi.mock('../services/plugin-support.service', () => ({
  getPluginRequirementsSnapshot: vi.fn(async () => ({ plugins: [] })),
  PluginSupportError: class PluginSupportError extends Error {
    code = 'TEST';
  },
  validatePluginEventEnvelope: vi.fn(async () => undefined)
 }));
 function createMockWs(): WebSocket & { sentMessages: string[] } {
  const sent: string[] = [];
  const ws = {
    readyState: WebSocket.OPEN,
    send: (data: string) => { sent.push(data); },
    close: () => {},
    sentMessages: sent
  } as unknown as WebSocket & { sentMessages: string[] };
  return ws;
 }
 function createConnectedUser(connectionId: string): ConnectedUser {
  const ws = createMockWs();
  const user: ConnectedUser = {
    oderId: connectionId,
    ws,
    authenticated: false,
    serverIds: new Set(),
    displayName: 'Test User',
    lastPong: Date.now()
  };
  connectedUsers.set(connectionId, user);
  return user;
 }
 function getSentMessages(user: ConnectedUser | undefined): { type: string }[] {
  const sentMessages = (user?.ws as WebSocket & { sentMessages: string[] }).sentMessages;
  return sentMessages.map((raw) => JSON.parse(raw) as { type: string });
 }
 describe('server websocket handler - per-connection message ordering', () => {
  beforeEach(() => {
    connectedUsers.clear();
    vi.clearAllMocks();
  });
  it('processes join_server after a still-running identify instead of dropping it', async () => {
    createConnectedUser('conn-1');
    // Both messages arrive in the same tick (one TCP segment); the handler
    // must not evaluate join_server while identify is still awaiting auth.
    const identifyPromise = handleWebSocketMessage('conn-1', {
      type: 'identify',
      token: 'valid-token',
      oderId: 'user-1',
      displayName: 'Alice'
    });
    const joinPromise = handleWebSocketMessage('conn-1', {
      type: 'join_server',
      serverId: 'server-1'
    });
    await Promise.all([identifyPromise, joinPromise]);
    const user = connectedUsers.get('conn-1');
    expect(user?.authenticated).toBe(true);
    expect(user?.serverIds.has('server-1')).toBe(true);
    const authRequired = getSentMessages(user).find((message) => message.type === 'auth_required');
    expect(authRequired).toBeUndefined();
  });
  it('keeps processing queued messages after a handler error', async () => {
    createConnectedUser('conn-1');
    const badIdentify = handleWebSocketMessage('conn-1', {
      type: 'identify',
      token: 'valid-token',
      oderId: 'user-1',
      displayName: 'Alice'
    });
    // Unknown types are logged and ignored - must not wedge the queue.
    const unknown = handleWebSocketMessage('conn-1', { type: 'not-a-real-type' });
    const join = handleWebSocketMessage('conn-1', {
      type: 'join_server',
      serverId: 'server-1'
    });
    await Promise.all([
      badIdentify,
      unknown,
      join
    ]);
    const user = connectedUsers.get('conn-1');
    expect(user?.serverIds.has('server-1')).toBe(true);
  });
 });
--- a/server/src/websocket/handler.ts
+++ b/server/src/websocket/handler.ts
@@ -296,6 +296,11 @@ async function handleIdentify(user: ConnectedUser, message: WsMessage, connectio
  connectedUsers.set(connectionId, user);
  console.log(`User identified: ${user.displayName} (${user.oderId})`);
  notifyOtherConnectionsForOderId(newOderId, {
    type: 'account_sync_peer_online',
    clientInstanceId: newClientInstanceId
  }, connectionId);
  const voiceSnapshot = Array.from(connectedUsers.entries()).find(([otherConnectionId, otherUser]) =>
    otherConnectionId !== connectionId
    && otherUser.oderId === newOderId
@@ -541,6 +546,21 @@ function handleVoiceClientTakeover(user: ConnectedUser, message: WsMessage, conn
  }, connectionId);
 }
 function handleAccountSync(user: ConnectedUser, message: WsMessage, connectionId: string): void {
  const payload = message['payload'];
  if (!payload || typeof payload !== 'object' || typeof (payload as { type?: unknown }).type !== 'string') {
    return;
  }
  notifyOtherConnectionsForOderId(user.oderId, {
    type: 'account_sync',
    clientInstanceId: normalizeClientInstanceId(message['clientInstanceId']) ?? user.clientInstanceId,
    fromUserId: user.oderId,
    payload
  }, connectionId);
 }
 function handleTyping(user: ConnectedUser, message: WsMessage, connectionId: string): void {
  const typingSid = (message['serverId'] as string | undefined) ?? user.viewedServerId;
  const channelId = typeof message['channelId'] === 'string' && message['channelId'].trim() ? message['channelId'].trim() : 'general';
@@ -685,7 +705,32 @@ async function handlePluginEvent(user: ConnectedUser, message: WsMessage, connec
  }
 }
-export async function handleWebSocketMessage(connectionId: string, message: WsMessage): Promise<void> {
+/**
 * Tail of the in-flight message chain per connection.
 *
 * Messages from one client can arrive in the same tick (one TCP segment), but
 * handlers like identify await async work. Without serialization a
 * join_server can be evaluated while identify is still pending, get rejected
 * as unauthenticated, and silently lose the room membership.
 */
 const connectionMessageChains = new Map<string, Promise<void>>();
 export function handleWebSocketMessage(connectionId: string, message: WsMessage): Promise<void> {
  const prior = connectionMessageChains.get(connectionId) ?? Promise.resolve();
  const current = prior.then(() => processWebSocketMessage(connectionId, message));
  const tail = current.catch(() => undefined);
  connectionMessageChains.set(connectionId, tail);
  void tail.then(() => {
    if (connectionMessageChains.get(connectionId) === tail) {
      connectionMessageChains.delete(connectionId);
    }
  });
  return current;
 }
 async function processWebSocketMessage(connectionId: string, message: WsMessage): Promise<void> {
  const user = connectedUsers.get(connectionId);
  if (!user)
@@ -747,6 +792,10 @@ export async function handleWebSocketMessage(connectionId: string, message: WsMe
      handleVoiceClientTakeover(user, message, connectionId);
      break;
    case 'account_sync':
      handleAccountSync(user, message, connectionId);
      break;
    case 'typing':
      handleTyping(user, message, connectionId);
      break;
--- a/toju-app/android/app/src/main/res/drawable-land-hdpi/splash.png
+++ b/toju-app/android/app/src/main/res/drawable-land-hdpi/splash.png
--- a/toju-app/android/app/src/main/res/drawable-land-mdpi/splash.png
+++ b/toju-app/android/app/src/main/res/drawable-land-mdpi/splash.png
--- a/toju-app/android/app/src/main/res/drawable-land-xhdpi/splash.png
+++ b/toju-app/android/app/src/main/res/drawable-land-xhdpi/splash.png
--- a/toju-app/android/app/src/main/res/drawable-land-xxhdpi/splash.png
+++ b/toju-app/android/app/src/main/res/drawable-land-xxhdpi/splash.png
--- a/toju-app/android/app/src/main/res/drawable-land-xxxhdpi/splash.png
+++ b/toju-app/android/app/src/main/res/drawable-land-xxxhdpi/splash.png
--- a/toju-app/android/app/src/main/res/drawable-port-hdpi/splash.png
+++ b/toju-app/android/app/src/main/res/drawable-port-hdpi/splash.png
--- a/toju-app/android/app/src/main/res/drawable-port-mdpi/splash.png
+++ b/toju-app/android/app/src/main/res/drawable-port-mdpi/splash.png
--- a/toju-app/android/app/src/main/res/drawable-port-xhdpi/splash.png
+++ b/toju-app/android/app/src/main/res/drawable-port-xhdpi/splash.png
--- a/toju-app/android/app/src/main/res/drawable-port-xxhdpi/splash.png
+++ b/toju-app/android/app/src/main/res/drawable-port-xxhdpi/splash.png
--- a/toju-app/android/app/src/main/res/drawable-port-xxxhdpi/splash.png
+++ b/toju-app/android/app/src/main/res/drawable-port-xxxhdpi/splash.png
--- a/toju-app/android/app/src/main/res/drawable-v24/ic_launcher_foreground.xml
+++ b/toju-app/android/app/src/main/res/drawable-v24/ic_launcher_foreground.xml
@@ -1,34 +0,0 @@
 <vector xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:aapt="http://schemas.android.com/aapt"
    android:width="108dp"
    android:height="108dp"
    android:viewportHeight="108"
    android:viewportWidth="108">
    <path
        android:fillType="evenOdd"
        android:pathData="M32,64C32,64 38.39,52.99 44.13,50.95C51.37,48.37 70.14,49.57 70.14,49.57L108.26,87.69L108,109.01L75.97,107.97L32,64Z"
        android:strokeColor="#00000000"
        android:strokeWidth="1">
        <aapt:attr name="android:fillColor">
            <gradient
                android:endX="78.5885"
                android:endY="90.9159"
                android:startX="48.7653"
                android:startY="61.0927"
                android:type="linear">
                <item
                    android:color="#44000000"
                    android:offset="0.0" />
                <item
                    android:color="#00000000"
                    android:offset="1.0" />
            </gradient>
        </aapt:attr>
    </path>
    <path
        android:fillColor="#FFFFFF"
        android:fillType="nonZero"
        android:pathData="M66.94,46.02L66.94,46.02C72.44,50.07 76,56.61 76,64L32,64C32,56.61 35.56,50.11 40.98,46.06L36.18,41.19C35.45,40.45 35.45,39.3 36.18,38.56C36.91,37.81 38.05,37.81 38.78,38.56L44.25,44.05C47.18,42.57 50.48,41.71 54,41.71C57.48,41.71 60.78,42.57 63.68,44.05L69.11,38.56C69.84,37.81 70.98,37.81 71.71,38.56C72.44,39.3 72.44,40.45 71.71,41.19L66.94,46.02ZM62.94,56.92C64.08,56.92 65,56.01 65,54.88C65,53.76 64.08,52.85 62.94,52.85C61.8,52.85 60.88,53.76 60.88,54.88C60.88,56.01 61.8,56.92 62.94,56.92ZM45.06,56.92C46.2,56.92 47.13,56.01 47.13,54.88C47.13,53.76 46.2,52.85 45.06,52.85C43.92,52.85 43,53.76 43,54.88C43,56.01 43.92,56.92 45.06,56.92Z"
        android:strokeColor="#00000000"
        android:strokeWidth="1" />
 </vector>
--- a/toju-app/android/app/src/main/res/drawable/splash.png
+++ b/toju-app/android/app/src/main/res/drawable/splash.png
--- a/toju-app/android/app/src/main/res/mipmap-hdpi/ic_launcher.png
+++ b/toju-app/android/app/src/main/res/mipmap-hdpi/ic_launcher.png
--- a/toju-app/android/app/src/main/res/mipmap-hdpi/ic_launcher_foreground.png
+++ b/toju-app/android/app/src/main/res/mipmap-hdpi/ic_launcher_foreground.png
--- a/toju-app/android/app/src/main/res/mipmap-hdpi/ic_launcher_round.png
+++ b/toju-app/android/app/src/main/res/mipmap-hdpi/ic_launcher_round.png
--- a/toju-app/android/app/src/main/res/mipmap-mdpi/ic_launcher.png
+++ b/toju-app/android/app/src/main/res/mipmap-mdpi/ic_launcher.png
--- a/toju-app/android/app/src/main/res/mipmap-mdpi/ic_launcher_foreground.png
+++ b/toju-app/android/app/src/main/res/mipmap-mdpi/ic_launcher_foreground.png
--- a/toju-app/android/app/src/main/res/mipmap-mdpi/ic_launcher_round.png
+++ b/toju-app/android/app/src/main/res/mipmap-mdpi/ic_launcher_round.png
--- a/toju-app/android/app/src/main/res/mipmap-xhdpi/ic_launcher.png
+++ b/toju-app/android/app/src/main/res/mipmap-xhdpi/ic_launcher.png
--- a/toju-app/android/app/src/main/res/mipmap-xhdpi/ic_launcher_foreground.png
+++ b/toju-app/android/app/src/main/res/mipmap-xhdpi/ic_launcher_foreground.png
--- a/toju-app/android/app/src/main/res/mipmap-xhdpi/ic_launcher_round.png
+++ b/toju-app/android/app/src/main/res/mipmap-xhdpi/ic_launcher_round.png
--- a/toju-app/android/app/src/main/res/mipmap-xxhdpi/ic_launcher.png
+++ b/toju-app/android/app/src/main/res/mipmap-xxhdpi/ic_launcher.png
--- a/toju-app/android/app/src/main/res/mipmap-xxhdpi/ic_launcher_foreground.png
+++ b/toju-app/android/app/src/main/res/mipmap-xxhdpi/ic_launcher_foreground.png
--- a/toju-app/android/app/src/main/res/mipmap-xxhdpi/ic_launcher_round.png
+++ b/toju-app/android/app/src/main/res/mipmap-xxhdpi/ic_launcher_round.png
--- a/toju-app/android/app/src/main/res/mipmap-xxxhdpi/ic_launcher.png
+++ b/toju-app/android/app/src/main/res/mipmap-xxxhdpi/ic_launcher.png
--- a/toju-app/android/app/src/main/res/mipmap-xxxhdpi/ic_launcher_foreground.png
+++ b/toju-app/android/app/src/main/res/mipmap-xxxhdpi/ic_launcher_foreground.png
--- a/toju-app/android/app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png
+++ b/toju-app/android/app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png
--- a/toju-app/android/app/src/main/res/values/ic_launcher_background.xml
+++ b/toju-app/android/app/src/main/res/values/ic_launcher_background.xml
@@ -1,4 +1,4 @@
 <?xml version="1.0" encoding="utf-8"?>
 <resources>
-    <color name="ic_launcher_background">#FFFFFF</color>
+    <color name="ic_launcher_background">#4A217A</color>
-</resources>
+</resources>
--- a/toju-app/src/app/app.config.ts
+++ b/toju-app/src/app/app.config.ts
@@ -17,6 +17,7 @@ import { usersReducer } from './store/users/users.reducer';
 import { roomsReducer } from './store/rooms/rooms.reducer';
 import { NotificationsEffects } from './domains/notifications';
 import { CustomEmojiSyncEffects } from './domains/custom-emoji';
 import { AccountSyncEffects } from './infrastructure/realtime/account-sync/account-sync.effects';
 import { MessagesEffects } from './store/messages/messages.effects';
 import { MessagesSyncEffects } from './store/messages/messages-sync.effects';
 import { UserAvatarEffects } from './store/users/user-avatar.effects';
@@ -45,6 +46,7 @@ export const appConfig: ApplicationConfig = {
    }),
    provideEffects([
      NotificationsEffects,
      AccountSyncEffects,
      CustomEmojiSyncEffects,
      MessagesEffects,
      MessagesSyncEffects,
--- a/toju-app/src/app/app.ts
+++ b/toju-app/src/app/app.ts
@@ -58,7 +58,7 @@ import { RoomsActions } from './store/rooms/rooms.actions';
 import { selectCurrentRoom } from './store/rooms/rooms.selectors';
 import { ROOM_URL_PATTERN } from './core/constants';
 import { clearStoredCurrentUserId, getStoredCurrentUserId } from './core/storage/current-user-storage';
-import { buildLoginReturnQueryParams } from './domains/authentication/domain/logic/auth-navigation.rules';
+import { resolveUnauthenticatedStartupRedirect } from './domains/authentication/domain/logic/auth-navigation.rules';
 import { runWhenIdle } from './shared/rxjs';
 import {
  ThemeNodeDirective,
@@ -308,21 +308,16 @@ export class App implements OnInit, OnDestroy {
    const currentUrl = this.getCurrentRouteUrl();
    if (!currentUserId) {
-      if (!this.isPublicRoute(currentUrl)) {
+      // Signed-out visitors are greeted with the login screen on every platform.
-        // On mobile, new/unauthenticated visitors landing on the app root or
+      // Mobile is intentionally not special-cased here: previously mobile users
-        // /dashboard should stay on /dashboard (which already exposes a login
+      // landing on the root or /dashboard were left on a logged-out dashboard,
-        // CTA). The login form has no mobile chrome / back button, so dropping
+      // which read as "no login screen on startup".
-        // new users straight onto it leaves them with no way to navigate away.
+      const startupRedirect = resolveUnauthenticatedStartupRedirect(currentUrl);
        const currentPath = this.getRoutePath(currentUrl);
        const isSearchLanding = currentPath === '/' || currentPath === '/dashboard';
-        if (this.isMobile() && isSearchLanding) {
+      if (startupRedirect) {
-          this.router.navigate(['/dashboard'], { replaceUrl: true }).catch(() => {});
+        this.router.navigate([startupRedirect.path], {
-        } else {
+          queryParams: startupRedirect.queryParams
-          this.router.navigate(['/login'], {
+        }).catch(() => {});
            queryParams: buildLoginReturnQueryParams(currentUrl)
          }).catch(() => {});
        }
      }
    } else {
      this.store.dispatch(UsersActions.loadCurrentUser());
@@ -483,14 +478,6 @@ export class App implements OnInit, OnDestroy {
    });
  }
  private isPublicRoute(url: string): boolean {
    const path = this.getRoutePath(url);
    return path === '/login' ||
      path === '/register' ||
      path.startsWith('/invite/');
  }
  private getCurrentRouteUrl(): string {
    if (typeof window === 'undefined') {
      return this.router.url;
--- a/toju-app/src/app/domains/attachment/README.md
+++ b/toju-app/src/app/domains/attachment/README.md
@@ -101,6 +101,14 @@ sequenceDiagram
    Note over R: shouldPersistDownloadedAttachment? Save to disk
 ```
 ### Transfer integrity invariants
 Concurrent triggers (file-announce, message sync, peer connect) can race to request the same file, and a sender can receive duplicate `file-request`s for the same attachment. The transfer service enforces these invariants so duplicate streams can never corrupt a download (regression: receivers used to finalize after only the first chunks):
 - **Requester:** `requestFromAnyPeer` marks the request pending *synchronously* before any async work, so the manager's `hasPendingRequest` gate closes the double-request race window.
 - **Sender:** `handleFileRequest` / `fulfillRequestWithFile` track active outbound streams per `(messageId, fileId, peerId)` and ignore duplicate requests while a stream is in flight. A fresh `file-request` clears any earlier `file-cancel` marker from that peer.
 - **Receiver:** chunk buffers are dense (`Array.from({ length: total })`, never sparse `new Array(total)`); a chunk index that is already buffered is ignored entirely and never counts toward `receivedBytes`; a transfer finalizes only when *every* chunk index is present — byte counters are never a substitute for chunk completeness. Assembly state is released only after the attachment is marked `available`, and chunks arriving for an already-available attachment are dropped.
 ### Failure handling
 If the sender cannot find the file, it replies with `file-not-found`. The transfer service then tries the next connected peer that has announced the same attachment. Either side can send `file-cancel` to abort a transfer in progress.
@@ -139,8 +147,28 @@ Browser chat views render audio/video larger than 50 MB with the same generic fi
 An optional experimental VLC.js adapter can be enabled from General settings. When enabled, unsupported downloaded audio/video files show a manual Play action that lazy-loads `/vlcjs/metoyou-vlc-player.js`. The runtime is intentionally isolated in the experimental media domain and is not part of the default attachment path.
 ## Ownership and the "Shared from your device" label
 `uploaderPeerId` is the **user** id of whoever uploaded the file, not a per-device id. It is intentionally stable across a user's devices so an uploader can recognise their own attachments after sync. Because of that, "did *this* device upload it?" and "does *this* device hold the bytes?" are two different questions, and the UI must key the *sharing* affordance off the latter.
 `attachment-sharing.rules.ts` makes this explicit:
 - `isUploaderUser(attachment, currentUserId)` — the current user is the uploader (same user, any device).
 - `deviceHasLocalCopy(attachment)` — this device physically holds the bytes (`available` + a blob `objectUrl`, or a non-empty `savedPath`/`filePath`). Synced metadata alone does not count, because P2P/account sync strips local paths.
 - `isSharingFromThisDevice(attachment, currentUserId)` — `isUploaderUser && deviceHasLocalCopy`. Only this returns the "Shared from your device" state.
 The chat message item renders "Shared from your device" (and hides the request/download affordance) **only** when `isSharingFromThisDevice` is true. A second device of the same user that merely synced the message metadata is the uploader-user but holds no local copy, so it falls back to the normal recipient flow (request/download) instead of falsely claiming ownership and blocking the file (regression: the old check used `uploaderPeerId === currentUserId` and so claimed ownership on every device of the uploader). The transfer service uses the same rule to decide whether a no-peers failure should read "your original upload is missing" (sharing device) or "no connected peers" (any other device).
 ## Persistence
 Attachment file persistence is platform-agnostic. `AttachmentStorageService` owns the `server/<room>/<bucket>` and `direct-messages/...` path layout and delegates the raw byte IO to a pluggable `AttachmentFileStore` chosen by `PlatformService` (mirroring how `DatabaseService` picks a DB backend):
 - **Electron** (`ElectronAttachmentFileStore`): real on-disk files via `window.electronAPI`; supports chunked reads and streamed (append) receive; `maxPersistableBytes = Infinity`.
 - **Capacitor / Android** (`CapacitorAttachmentFileStore`): native `@capacitor/filesystem` under `Directory.Data` (lazy-loaded per the LESSONS rule); inline media is displayed through a `convertFileSrc` webview URL instead of a renderer `Blob`, avoiding large-media memory pressure on mobile; `maxPersistableBytes = Infinity`.
 - **Browser** (`BrowserAttachmentFileStore`): a per-user IndexedDB virtual filesystem (`metoyou-attachment-files::<userId>`, store `files` keyed by path), so a user's own uploads and downloaded media survive reloads; `maxPersistableBytes = MAX_BROWSER_INLINE_MEDIA_SIZE_BYTES` (50 MB) so very large media stays peer/in-memory only.
 The transfer service consults `attachmentStorage.canStreamToDisk()` / `canPersistSize(size)` so the browser cap degrades gracefully (oversized media is kept in memory / peer-served instead of failing the disk path), and streamed receive only runs on stores with a real append primitive.
 On Electron, local audio/video uploads are played through the original filesystem path when Electron exposes one, and received audio/video downloads are appended to an app-data file as chunks arrive. Completed audio/video downloads are then played through a file-backed media URL instead of being reloaded into a renderer `Blob`, which avoids full-file renderer memory pressure during download, startup restore, and playback. The storage path for downloaded server-room files is resolved per room and bucket:
 ```
@@ -155,7 +183,7 @@ Direct-message attachments use the conversation id instead of the server-room pa
 Room and conversation names are sanitised to remove filesystem-unsafe characters. The bucket is `video`, `audio`, `image`, or `files` depending on the attachment type. The original filename is kept in attachment metadata for display and downloads, but the stored file uses the attachment ID plus the original extension so two uploads with the same visible name do not overwrite each other.
-`AttachmentPersistenceService` handles startup migration from an older localStorage-based format into the database, and restores attachment metadata from the DB on init. On Electron, saved audio/video records are restored as file-backed URLs; other restored files still need their bytes loaded when a `Blob` URL is required. On browser builds, files stay in memory only.
+`AttachmentPersistenceService` handles startup migration from an older localStorage-based format into the database, and restores attachment metadata from the DB on init. On restore, `ensureInlineDisplayObjectUrl` resolves the stored path and, when the active store exposes a directly loadable URL (`providesInlineObjectUrl`, i.e. Capacitor), uses that URL as-is; otherwise it rebuilds a `Blob` from the stored bytes (Electron via chunked reads, browser via whole-file read with the correct MIME). Because the browser store persists bytes to IndexedDB, sent and received files are remembered across reload/restart on every platform.
 ## Runtime store
--- a/toju-app/src/app/domains/attachment/application/services/attachment-persistence.service.spec.ts
+++ b/toju-app/src/app/domains/attachment/application/services/attachment-persistence.service.spec.ts
@@ -32,7 +32,9 @@ describe('AttachmentPersistenceService', () => {
    readFile: ReturnType<typeof vi.fn>;
    readFileChunk: ReturnType<typeof vi.fn>;
    getFileSize: ReturnType<typeof vi.fn>;
    getFileUrl: ReturnType<typeof vi.fn>;
    canReadFileChunks: ReturnType<typeof vi.fn>;
    providesInlineObjectUrl: ReturnType<typeof vi.fn>;
  };
  beforeEach(() => {
@@ -60,7 +62,9 @@ describe('AttachmentPersistenceService', () => {
      readFile: vi.fn(() => Promise.resolve('QUJD')),
      readFileChunk: vi.fn(() => Promise.resolve('QUJD')),
      getFileSize: vi.fn(() => Promise.resolve(3)),
-      canReadFileChunks: vi.fn(() => true)
+      getFileUrl: vi.fn(() => Promise.resolve(null)),
      canReadFileChunks: vi.fn(() => true),
      providesInlineObjectUrl: vi.fn(() => false)
    };
  });
@@ -112,4 +116,57 @@ describe('AttachmentPersistenceService', () => {
    expect(attachmentStorage.readFileChunk).toHaveBeenCalled();
    expect(attachmentStorage.readFile).not.toHaveBeenCalled();
  });
  it('restores a blob from a whole-file read when the store cannot read chunks (browser store)', async () => {
    attachmentStorage.canReadFileChunks.mockReturnValue(false);
    const service = createService();
    await service.initFromDatabase();
    const attachment = {
      id: 'att-1',
      messageId: 'msg-1',
      filename: 'photo.png',
      size: 3,
      mime: 'image/png',
      isImage: true,
      savedPath: '/appdata/photo.png',
      available: false
    };
    await expect(service.ensureInlineDisplayObjectUrl(attachment)).resolves.toBe(true);
    expect(attachment.available).toBe(true);
    expect(attachment.objectUrl).toMatch(/^blob:/);
    expect(attachmentStorage.readFile).toHaveBeenCalledWith('/appdata/photo.png');
    expect(attachmentStorage.readFileChunk).not.toHaveBeenCalled();
  });
  it('uses a native webview URL without rebuilding a blob (capacitor store)', async () => {
    attachmentStorage.providesInlineObjectUrl.mockReturnValue(true);
    attachmentStorage.resolveExistingPath.mockResolvedValue('metoyou/server/room/video/clip.mp4');
    attachmentStorage.getFileUrl.mockResolvedValue('capacitor://localhost/_capacitor_file_/clip.mp4');
    const service = createService();
    await service.initFromDatabase();
    const attachment = {
      id: 'att-1',
      messageId: 'msg-1',
      filename: 'clip.mp4',
      size: 1_024,
      mime: 'video/mp4',
      isImage: false,
      savedPath: 'metoyou/server/room/video/clip.mp4',
      available: false
    };
    await expect(service.ensureInlineDisplayObjectUrl(attachment)).resolves.toBe(true);
    expect(attachment.available).toBe(true);
    expect(attachment.objectUrl).toBe('capacitor://localhost/_capacitor_file_/clip.mp4');
    expect(attachmentStorage.getFileUrl).toHaveBeenCalledWith('metoyou/server/room/video/clip.mp4');
    expect(attachmentStorage.readFile).not.toHaveBeenCalled();
    expect(attachmentStorage.readFileChunk).not.toHaveBeenCalled();
  });
 });
--- a/toju-app/src/app/domains/attachment/application/services/attachment-persistence.service.ts
+++ b/toju-app/src/app/domains/attachment/application/services/attachment-persistence.service.ts
@@ -149,6 +149,17 @@ export class AttachmentPersistenceService {
      return false;
    }
    if (this.attachmentStorage.providesInlineObjectUrl()) {
      const nativeUrl = await this.attachmentStorage.getFileUrl(diskPath);
      if (nativeUrl) {
        this.revokeAttachmentObjectUrl(attachment);
        attachment.objectUrl = nativeUrl;
        attachment.available = true;
        return true;
      }
    }
    this.revokeAttachmentObjectUrl(attachment);
    const restored = await this.restoreAttachmentBlobFromDiskPath(attachment, diskPath);
--- a/toju-app/src/app/domains/attachment/application/services/attachment-runtime.store.ts
+++ b/toju-app/src/app/domains/attachment/application/services/attachment-runtime.store.ts
@@ -10,7 +10,7 @@ export class AttachmentRuntimeStore {
  private originalFiles = new Map<string, File>();
  private cancelledTransfers = new Set<string>();
  private pendingRequests = new Map<string, Set<string>>();
-  private chunkBuffers = new Map<string, ArrayBuffer[]>();
+  private chunkBuffers = new Map<string, (ArrayBuffer | undefined)[]>();
  private chunkCounts = new Map<string, number>();
  touch(): void {
@@ -84,6 +84,10 @@ export class AttachmentRuntimeStore {
    return this.cancelledTransfers.has(key);
  }
  deleteCancelledTransfer(key: string): void {
    this.cancelledTransfers.delete(key);
  }
  setPendingRequestPeers(key: string, peers: Set<string>): void {
    this.pendingRequests.set(key, peers);
  }
@@ -100,11 +104,11 @@ export class AttachmentRuntimeStore {
    this.pendingRequests.delete(key);
  }
-  setChunkBuffer(key: string, buffer: ArrayBuffer[]): void {
+  setChunkBuffer(key: string, buffer: (ArrayBuffer | undefined)[]): void {
    this.chunkBuffers.set(key, buffer);
  }
-  getChunkBuffer(key: string): ArrayBuffer[] | undefined {
+  getChunkBuffer(key: string): (ArrayBuffer | undefined)[] | undefined {
    return this.chunkBuffers.get(key);
  }
--- a/toju-app/src/app/domains/attachment/application/services/attachment-transfer.service.spec.ts
+++ b/toju-app/src/app/domains/attachment/application/services/attachment-transfer.service.spec.ts
@@ -0,0 +1,412 @@
 import '@angular/compiler';
 import {
  beforeEach,
  describe,
  expect,
  it,
  vi
 } from 'vitest';
 import { Injector, runInInjectionContext } from '@angular/core';
 import { Store } from '@ngrx/store';
 import { of } from 'rxjs';
 import { RealtimeSessionFacade } from '../../../../core/realtime';
 import { AppI18nService } from '../../../../core/i18n';
 import { arrayBufferToBase64 } from '../../../../shared-kernel';
 import { decodeBase64 } from '../../../../shared-kernel/p2p-transfer.utils';
 import { AttachmentStorageService } from '../../infrastructure/services/attachment-storage.service';
 import type { Attachment } from '../../domain/models/attachment.model';
 import type { FileChunkPayload } from '../../domain/models/attachment-transfer.model';
 import { AttachmentPersistenceService } from './attachment-persistence.service';
 import { AttachmentRuntimeStore } from './attachment-runtime.store';
 import { AttachmentTransferService } from './attachment-transfer.service';
 import { AttachmentTransferTransportService } from './attachment-transfer-transport.service';
 const MESSAGE_ID = 'msg-1';
 const FILE_ID = 'file-1';
 const PEER_ID = 'peer-1';
 function encodeChunk(bytes: number[]): string {
  return arrayBufferToBase64(new Uint8Array(bytes).buffer);
 }
 describe('AttachmentTransferService', () => {
  let runtimeStore: AttachmentRuntimeStore;
  let persistence: {
    whenReady: ReturnType<typeof vi.fn>;
    persistAttachmentMeta: ReturnType<typeof vi.fn>;
    tryRestoreAttachmentFromLocal: ReturnType<typeof vi.fn>;
    saveFileToDisk: ReturnType<typeof vi.fn>;
    persistUploadCopyFromSourcePath: ReturnType<typeof vi.fn>;
    resolveCurrentRoomName: ReturnType<typeof vi.fn>;
    resolveStorageContainerName: ReturnType<typeof vi.fn>;
    ensureInlineDisplayObjectUrl: ReturnType<typeof vi.fn>;
  };
  let attachmentStorage: {
    canWriteFiles: ReturnType<typeof vi.fn>;
    canCopyFiles: ReturnType<typeof vi.fn>;
    canReadFileChunks: ReturnType<typeof vi.fn>;
    canStreamToDisk: ReturnType<typeof vi.fn>;
    canPersistSize: ReturnType<typeof vi.fn>;
    getFileUrl: ReturnType<typeof vi.fn>;
    resolveExistingPath: ReturnType<typeof vi.fn>;
    resolveLegacyImagePath: ReturnType<typeof vi.fn>;
    appendBase64: ReturnType<typeof vi.fn>;
    createWritableFile: ReturnType<typeof vi.fn>;
    deleteFile: ReturnType<typeof vi.fn>;
  };
  let transport: {
    decodeBase64: ReturnType<typeof vi.fn>;
    streamFileToPeer: ReturnType<typeof vi.fn>;
    streamFileFromDiskToPeer: ReturnType<typeof vi.fn>;
  };
  let webrtc: {
    getConnectedPeers: ReturnType<typeof vi.fn>;
    broadcastMessage: ReturnType<typeof vi.fn>;
    sendToPeer: ReturnType<typeof vi.fn>;
  };
  beforeEach(() => {
    persistence = {
      whenReady: vi.fn(async () => undefined),
      persistAttachmentMeta: vi.fn(async () => undefined),
      tryRestoreAttachmentFromLocal: vi.fn(async () => false),
      saveFileToDisk: vi.fn(async () => null),
      persistUploadCopyFromSourcePath: vi.fn(async () => null),
      resolveCurrentRoomName: vi.fn(async () => null),
      resolveStorageContainerName: vi.fn(async () => 'room'),
      ensureInlineDisplayObjectUrl: vi.fn(async () => true)
    };
    attachmentStorage = {
      canWriteFiles: vi.fn(() => false),
      canCopyFiles: vi.fn(() => false),
      canReadFileChunks: vi.fn(() => false),
      canStreamToDisk: vi.fn(() => false),
      canPersistSize: vi.fn(() => true),
      getFileUrl: vi.fn(async () => null),
      resolveExistingPath: vi.fn(async () => null),
      resolveLegacyImagePath: vi.fn(async () => null),
      appendBase64: vi.fn(async () => true),
      createWritableFile: vi.fn(async () => '/appdata/server/room/files/file-1'),
      deleteFile: vi.fn(async () => true)
    };
    transport = {
      decodeBase64: vi.fn((base64: string) => decodeBase64(base64)),
      streamFileToPeer: vi.fn(async () => undefined),
      streamFileFromDiskToPeer: vi.fn(async () => undefined)
    };
    webrtc = {
      getConnectedPeers: vi.fn(() => [PEER_ID]),
      broadcastMessage: vi.fn(),
      sendToPeer: vi.fn()
    };
  });
  function createService(): AttachmentTransferService {
    const injector = Injector.create({
      providers: [
        AttachmentTransferService,
        AttachmentRuntimeStore,
        { provide: Store, useValue: { select: () => of(null) } },
        { provide: RealtimeSessionFacade, useValue: webrtc },
        { provide: AppI18nService, useValue: { instant: (key: string) => key } },
        { provide: AttachmentStorageService, useValue: attachmentStorage },
        { provide: AttachmentPersistenceService, useValue: persistence },
        { provide: AttachmentTransferTransportService, useValue: transport }
      ]
    });
    const service = runInInjectionContext(injector, () => injector.get(AttachmentTransferService));
    runtimeStore = injector.get(AttachmentRuntimeStore);
    return service;
  }
  function registerIncomingAttachment(size: number): Attachment {
    const attachment: Attachment = {
      id: FILE_ID,
      messageId: MESSAGE_ID,
      filename: 'photo.png',
      size,
      mime: 'image/png',
      isImage: true,
      uploaderPeerId: PEER_ID,
      available: false,
      receivedBytes: 0
    };
    runtimeStore.setAttachmentsForMessage(MESSAGE_ID, [attachment]);
    return attachment;
  }
  function chunkPayload(index: number, total: number, bytes: number[]): FileChunkPayload {
    return {
      messageId: MESSAGE_ID,
      fileId: FILE_ID,
      fromPeerId: PEER_ID,
      index,
      total,
      data: encodeChunk(bytes)
    };
  }
  async function readSavedBlobBytes(): Promise<number[]> {
    const lastCall = persistence.saveFileToDisk.mock.calls.at(-1);
    const blob = lastCall?.[1] as Blob;
    const buffer = await blob.arrayBuffer();
    return [...new Uint8Array(buffer)];
  }
  it('assembles a multi-chunk in-memory transfer intact when each chunk arrives once', async () => {
    const service = createService();
    const attachment = registerIncomingAttachment(9);
    service.handleFileChunk(chunkPayload(0, 3, [
      1,
      2,
      3
    ]));
    service.handleFileChunk(chunkPayload(1, 3, [
      4,
      5,
      6
    ]));
    service.handleFileChunk(chunkPayload(2, 3, [
      7,
      8,
      9
    ]));
    await vi.waitFor(() => expect(attachment.available).toBe(true));
    expect(persistence.saveFileToDisk).toHaveBeenCalledTimes(1);
    await expect(readSavedBlobBytes()).resolves.toEqual([
      1,
      2,
      3,
      4,
      5,
      6,
      7,
      8,
      9
    ]);
    expect(attachment.receivedBytes).toBe(9);
  });
  it('ignores duplicate chunk deliveries from concurrent streams and assembles the full file', async () => {
    const service = createService();
    const attachment = registerIncomingAttachment(9);
    // Two interleaved streams of the same file (duplicate file-request race).
    service.handleFileChunk(chunkPayload(0, 3, [
      1,
      2,
      3
    ]));
    service.handleFileChunk(chunkPayload(0, 3, [
      1,
      2,
      3
    ]));
    service.handleFileChunk(chunkPayload(1, 3, [
      4,
      5,
      6
    ]));
    service.handleFileChunk(chunkPayload(1, 3, [
      4,
      5,
      6
    ]));
    service.handleFileChunk(chunkPayload(2, 3, [
      7,
      8,
      9
    ]));
    service.handleFileChunk(chunkPayload(2, 3, [
      7,
      8,
      9
    ]));
    await vi.waitFor(() => expect(attachment.available).toBe(true));
    expect(persistence.saveFileToDisk).toHaveBeenCalledTimes(1);
    await expect(readSavedBlobBytes()).resolves.toEqual([
      1,
      2,
      3,
      4,
      5,
      6,
      7,
      8,
      9
    ]);
    expect(attachment.receivedBytes).toBe(9);
  });
  it('does not finalize a transfer while chunks are still missing', () => {
    const service = createService();
    const attachment = registerIncomingAttachment(9);
    // Duplicates inflate naive byte accounting past the file size while
    // chunk 2 has not arrived yet - the transfer must stay incomplete.
    service.handleFileChunk(chunkPayload(0, 3, [
      1,
      2,
      3
    ]));
    service.handleFileChunk(chunkPayload(0, 3, [
      1,
      2,
      3
    ]));
    service.handleFileChunk(chunkPayload(1, 3, [
      4,
      5,
      6
    ]));
    service.handleFileChunk(chunkPayload(1, 3, [
      4,
      5,
      6
    ]));
    expect(attachment.available).toBe(false);
    expect(persistence.saveFileToDisk).not.toHaveBeenCalled();
  });
  it('streams a requested file only once while the same request is already in flight', async () => {
    const service = createService();
    registerIncomingAttachment(9);
    runtimeStore.setOriginalFile(`${MESSAGE_ID}:${FILE_ID}`, new File([new Uint8Array(9)], 'photo.png', { type: 'image/png' }));
    let releaseStream: () => void = () => undefined;
    transport.streamFileToPeer.mockImplementation(() => new Promise<void>((resolve) => {
      releaseStream = resolve;
    }));
    const firstRequest = service.handleFileRequest({
      messageId: MESSAGE_ID,
      fileId: FILE_ID,
      fromPeerId: PEER_ID
    });
    const duplicateRequest = service.handleFileRequest({
      messageId: MESSAGE_ID,
      fileId: FILE_ID,
      fromPeerId: PEER_ID
    });
    releaseStream();
    await Promise.all([firstRequest, duplicateRequest]);
    expect(transport.streamFileToPeer).toHaveBeenCalledTimes(1);
  });
  it('allows a peer to download again after it cancelled a previous transfer', async () => {
    const service = createService();
    registerIncomingAttachment(9);
    runtimeStore.setOriginalFile(`${MESSAGE_ID}:${FILE_ID}`, new File([new Uint8Array(9)], 'photo.png', { type: 'image/png' }));
    service.handleFileCancel({
      messageId: MESSAGE_ID,
      fileId: FILE_ID,
      fromPeerId: PEER_ID
    });
    await service.handleFileRequest({
      messageId: MESSAGE_ID,
      fileId: FILE_ID,
      fromPeerId: PEER_ID
    });
    expect(transport.streamFileToPeer).toHaveBeenCalledTimes(1);
    const isCancelled = transport.streamFileToPeer.mock.calls[0][4] as () => boolean;
    expect(isCancelled()).toBe(false);
  });
  function registerIncomingVideo(size: number): Attachment {
    const attachment: Attachment = {
      id: FILE_ID,
      messageId: MESSAGE_ID,
      filename: 'clip.mp4',
      size,
      mime: 'video/mp4',
      isImage: false,
      uploaderPeerId: PEER_ID,
      available: false,
      receivedBytes: 0
    };
    runtimeStore.setAttachmentsForMessage(MESSAGE_ID, [attachment]);
    return attachment;
  }
  it('streams playable media to disk when the store supports streaming', async () => {
    attachmentStorage.canStreamToDisk.mockReturnValue(true);
    const service = createService();
    const attachment = registerIncomingVideo(3);
    service.handleFileChunk(chunkPayload(0, 1, [
      1,
      2,
      3
    ]));
    await vi.waitFor(() => expect(attachment.available).toBe(true));
    expect(attachmentStorage.createWritableFile).toHaveBeenCalled();
    expect(attachmentStorage.appendBase64).toHaveBeenCalled();
    expect(persistence.saveFileToDisk).not.toHaveBeenCalled();
  });
  it('assembles playable media in memory when the store cannot stream to disk', async () => {
    attachmentStorage.canStreamToDisk.mockReturnValue(false);
    const service = createService();
    const attachment = registerIncomingVideo(3);
    service.handleFileChunk(chunkPayload(0, 1, [
      1,
      2,
      3
    ]));
    await vi.waitFor(() => expect(attachment.available).toBe(true));
    expect(attachmentStorage.appendBase64).not.toHaveBeenCalled();
    expect(persistence.saveFileToDisk).toHaveBeenCalledTimes(1);
  });
  it('marks a request as pending synchronously so concurrent auto-download triggers cannot double-request', () => {
    const service = createService();
    const attachment = registerIncomingAttachment(9);
    void service.requestFromAnyPeer(MESSAGE_ID, attachment);
    expect(service.hasPendingRequest(MESSAGE_ID, FILE_ID)).toBe(true);
  });
 });
--- a/toju-app/src/app/domains/attachment/application/services/attachment-transfer.service.ts
+++ b/toju-app/src/app/domains/attachment/application/services/attachment-transfer.service.ts
@@ -8,6 +8,7 @@ import { selectCurrentUserId } from '../../../../store/users/users.selectors';
 import { AttachmentStorageService } from '../../infrastructure/services/attachment-storage.service';
 import { MAX_AUTO_SAVE_SIZE_BYTES } from '../../domain/constants/attachment.constants';
 import { isImageAttachment, resolvePublishAttachmentIsImage } from '../../domain/logic/attachment-image.rules';
 import { isSharingFromThisDevice } from '../../domain/logic/attachment-sharing.rules';
 import { shouldCopyUploaderMediaToAppData, shouldPersistDownloadedAttachment } from '../../domain/logic/attachment.logic';
 import type { Attachment, AttachmentMeta } from '../../domain/models/attachment.model';
 import {
@@ -55,6 +56,20 @@ interface ValidFileChunkPayload {
  total: number;
 }
 function isValidFileChunkPayload(payload: FileChunkPayload): payload is FileChunkPayload & ValidFileChunkPayload {
  const { messageId, fileId, index, total, data } = payload;
  return !!messageId && !!fileId &&
    typeof data === 'string' &&
    typeof index === 'number' &&
    typeof total === 'number' &&
    Number.isInteger(index) &&
    Number.isInteger(total) &&
    total > 0 &&
    index >= 0 &&
    index < total;
 }
@Injectable({ providedIn: 'root' })
 export class AttachmentTransferService {
  private readonly ngrxStore = inject(Store);
@@ -67,6 +82,7 @@ export class AttachmentTransferService {
  private readonly diskReceiveAssemblies = new Map<string, DiskReceiveAssembly>();
  private readonly diskReceiveChains = new Map<string, Promise<void>>();
  private readonly activeOutboundTransfers = new Set<string>();
  getAttachmentMetasForMessages(messageIds: string[]): Record<string, AttachmentMeta[]> {
    const result: Record<string, AttachmentMeta[]> = {};
@@ -135,12 +151,19 @@ export class AttachmentTransferService {
  }
  async requestFromAnyPeer(messageId: string, attachment: Attachment): Promise<void> {
    const requestKey = this.buildRequestKey(messageId, attachment.id);
    const clearedRequestError = this.clearAttachmentRequestError(attachment);
    // Mark the request pending synchronously so concurrent triggers (file-announce,
    // message sync, peer connect) cannot double-request the same file - a duplicate
    // request makes the sender stream the file twice and corrupts byte accounting.
    this.runtimeStore.setPendingRequestPeers(requestKey, new Set<string>());
    if (!attachment.available) {
      const restoredLocally = await this.persistence.tryRestoreAttachmentFromLocal(attachment);
      if (restoredLocally) {
        this.runtimeStore.deletePendingRequest(requestKey);
        this.runtimeStore.touch();
        return;
      }
@@ -148,12 +171,15 @@ export class AttachmentTransferService {
    const connectedPeers = this.webrtc.getConnectedPeers();
    const currentUserId = await this.resolveCurrentUserId();
-    const isUploader = !!attachment.uploaderPeerId &&
+    // Only the device that actually still holds the original bytes should report a
-      !!currentUserId &&
+    // missing local upload. A second device of the same user that merely synced the
-      attachment.uploaderPeerId === currentUserId;
+    // metadata is not the sharing device, so it falls back to the regular peer-request
    // flow (and the "no connected peers" error when offline) like any other recipient.
    const sharingFromThisDevice = isSharingFromThisDevice(attachment, currentUserId);
    if (connectedPeers.length === 0) {
-      attachment.requestError = isUploader
+      this.runtimeStore.deletePendingRequest(requestKey);
      attachment.requestError = sharingFromThisDevice
        ? this.appI18n.instant(UPLOADER_LOCAL_FILE_MISSING_ERROR_KEY)
        : this.appI18n.instant(NO_CONNECTED_PEERS_REQUEST_ERROR_KEY);
@@ -165,11 +191,6 @@ export class AttachmentTransferService {
    if (clearedRequestError)
      this.runtimeStore.touch();
    this.runtimeStore.setPendingRequestPeers(
      this.buildRequestKey(messageId, attachment.id),
      new Set<string>()
    );
    this.sendFileRequestToNextPeer(messageId, attachment.id, attachment.uploaderPeerId);
  }
@@ -239,39 +260,7 @@ export class AttachmentTransferService {
        } catch { /* non-critical */ }
      }
-      if (attachment.size <= MAX_AUTO_SAVE_SIZE_BYTES) {
+      await this.persistPublishedAttachment(attachment, file);
        void this.persistence.saveFileToDisk(attachment, file);
      } else if (shouldCopyUploaderMediaToAppData(
        attachment,
        attachment.filePath,
        this.attachmentStorage.canCopyFiles()
      ) && attachment.filePath) {
        const savedPath = await this.persistence.persistUploadCopyFromSourcePath(attachment, attachment.filePath);
        if (savedPath) {
          const fileUrl = await this.attachmentStorage.getFileUrl(savedPath);
          if (fileUrl) {
            attachment.objectUrl = fileUrl;
            attachment.available = true;
          }
        }
      } else if (
        this.isPlayableMedia(attachment) &&
        attachment.size > MAX_AUTO_SAVE_SIZE_BYTES &&
        this.attachmentStorage.canWriteFiles()
      ) {
        const savedPath = await this.persistence.saveFileToDisk(attachment, file);
        if (savedPath) {
          const fileUrl = await this.attachmentStorage.getFileUrl(savedPath);
          if (fileUrl) {
            attachment.objectUrl = fileUrl;
            attachment.available = true;
          }
        }
      }
      const fileAnnounceEvent: FileAnnounceEvent = {
        type: 'file-announce',
@@ -334,28 +323,23 @@ export class AttachmentTransferService {
  }
  handleFileChunk(payload: FileChunkPayload): void {
-    const { messageId, fileId, fromPeerId, index, total, data } = payload;
+    if (!isValidFileChunkPayload(payload)) {
    if (
      !messageId || !fileId ||
      typeof index !== 'number' ||
      typeof total !== 'number' ||
      typeof data !== 'string' ||
      !Number.isInteger(index) ||
      !Number.isInteger(total) ||
      total <= 0 ||
      index < 0 ||
      index >= total
    ) {
      return;
    }
    const { messageId, fileId, fromPeerId, index, total, data } = payload;
    const list = this.runtimeStore.getAttachmentsForMessage(messageId);
    const attachment = list.find((entry) => entry.id === fileId);
    if (!attachment)
      return;
    if (attachment.available) {
      // Transfer already completed (or restored locally) - trailing chunks from
      // a redundant stream must not restart accounting or rewrite the file.
      return;
    }
    if ((attachment.receivedBytes ?? 0) > attachment.size) {
      return;
    }
@@ -386,11 +370,14 @@ export class AttachmentTransferService {
    const chunkBuffer = this.getOrCreateChunkBuffer(assemblyKey, total);
-    if (!chunkBuffer[index]) {
+    if (index >= chunkBuffer.length || chunkBuffer[index]) {
-      chunkBuffer[index] = decodedBytes.buffer as ArrayBuffer;
+      // Duplicate delivery (e.g. a redundant concurrent stream) - the chunk is
-      this.runtimeStore.setChunkCount(assemblyKey, (this.runtimeStore.getChunkCount(assemblyKey) ?? 0) + 1);
+      // already buffered, so it must not count toward transfer progress.
      return;
    }
    chunkBuffer[index] = decodedBytes.buffer as ArrayBuffer;
    this.runtimeStore.setChunkCount(assemblyKey, (this.runtimeStore.getChunkCount(assemblyKey) ?? 0) + 1);
    this.updateTransferProgress(attachment, decodedBytes, fromPeerId);
    this.runtimeStore.touch();
@@ -403,6 +390,110 @@ export class AttachmentTransferService {
    if (!messageId || !fileId || !fromPeerId)
      return;
    const transferKey = this.buildTransferKey(messageId, fileId, fromPeerId);
    if (this.activeOutboundTransfers.has(transferKey)) {
      // A stream for this exact request is already in flight - sending the file
      // twice in parallel duplicates chunks and corrupts the receiver's assembly.
      return;
    }
    // A fresh request supersedes any earlier cancellation from this peer.
    this.runtimeStore.deleteCancelledTransfer(transferKey);
    this.activeOutboundTransfers.add(transferKey);
    try {
      await this.streamRequestedFile(messageId, fileId, fromPeerId);
    } finally {
      this.activeOutboundTransfers.delete(transferKey);
    }
  }
  cancelRequest(messageId: string, attachment: Attachment): void {
    const targetPeerId = attachment.uploaderPeerId;
    if (!targetPeerId)
      return;
    try {
      const assemblyKey = `${messageId}:${attachment.id}`;
      this.runtimeStore.deleteChunkBuffer(assemblyKey);
      this.runtimeStore.deleteChunkCount(assemblyKey);
      void this.deleteDiskReceiveAssembly(assemblyKey);
      attachment.receivedBytes = 0;
      attachment.speedBps = 0;
      attachment.startedAtMs = undefined;
      attachment.lastUpdateMs = undefined;
      if (attachment.objectUrl) {
        try {
          URL.revokeObjectURL(attachment.objectUrl);
        } catch { /* ignore */ }
        attachment.objectUrl = undefined;
      }
      attachment.available = false;
      this.runtimeStore.touch();
      const fileCancelEvent: FileCancelEvent = {
        type: 'file-cancel',
        messageId,
        fileId: attachment.id
      };
      this.webrtc.sendToPeer(targetPeerId, fileCancelEvent);
    } catch { /* best-effort */ }
  }
  handleFileCancel(payload: FileCancelPayload): void {
    const { messageId, fileId, fromPeerId } = payload;
    if (!messageId || !fileId || !fromPeerId)
      return;
    this.runtimeStore.addCancelledTransfer(
      this.buildTransferKey(messageId, fileId, fromPeerId)
    );
  }
  async fulfillRequestWithFile(
    messageId: string,
    fileId: string,
    targetPeerId: string,
    file: File
  ): Promise<void> {
    this.runtimeStore.setOriginalFile(`${messageId}:${fileId}`, file);
    const transferKey = this.buildTransferKey(messageId, fileId, targetPeerId);
    if (this.activeOutboundTransfers.has(transferKey)) {
      return;
    }
    this.runtimeStore.deleteCancelledTransfer(transferKey);
    this.activeOutboundTransfers.add(transferKey);
    try {
      await this.transport.streamFileToPeer(
        targetPeerId,
        messageId,
        fileId,
        file,
        () => this.isTransferCancelled(targetPeerId, messageId, fileId)
      );
    } finally {
      this.activeOutboundTransfers.delete(transferKey);
    }
  }
  private async streamRequestedFile(
    messageId: string,
    fileId: string,
    fromPeerId: string
  ): Promise<void> {
    const exactKey = `${messageId}:${fileId}`;
    const originalFile = this.runtimeStore.getOriginalFile(exactKey)
      ?? this.runtimeStore.findOriginalFileByFileId(fileId);
@@ -484,72 +575,6 @@ export class AttachmentTransferService {
    this.webrtc.sendToPeer(fromPeerId, fileNotFoundEvent);
  }
  cancelRequest(messageId: string, attachment: Attachment): void {
    const targetPeerId = attachment.uploaderPeerId;
    if (!targetPeerId)
      return;
    try {
      const assemblyKey = `${messageId}:${attachment.id}`;
      this.runtimeStore.deleteChunkBuffer(assemblyKey);
      this.runtimeStore.deleteChunkCount(assemblyKey);
      void this.deleteDiskReceiveAssembly(assemblyKey);
      attachment.receivedBytes = 0;
      attachment.speedBps = 0;
      attachment.startedAtMs = undefined;
      attachment.lastUpdateMs = undefined;
      if (attachment.objectUrl) {
        try {
          URL.revokeObjectURL(attachment.objectUrl);
        } catch { /* ignore */ }
        attachment.objectUrl = undefined;
      }
      attachment.available = false;
      this.runtimeStore.touch();
      const fileCancelEvent: FileCancelEvent = {
        type: 'file-cancel',
        messageId,
        fileId: attachment.id
      };
      this.webrtc.sendToPeer(targetPeerId, fileCancelEvent);
    } catch { /* best-effort */ }
  }
  handleFileCancel(payload: FileCancelPayload): void {
    const { messageId, fileId, fromPeerId } = payload;
    if (!messageId || !fileId || !fromPeerId)
      return;
    this.runtimeStore.addCancelledTransfer(
      this.buildTransferKey(messageId, fileId, fromPeerId)
    );
  }
  async fulfillRequestWithFile(
    messageId: string,
    fileId: string,
    targetPeerId: string,
    file: File
  ): Promise<void> {
    this.runtimeStore.setOriginalFile(`${messageId}:${fileId}`, file);
    await this.transport.streamFileToPeer(
      targetPeerId,
      messageId,
      fileId,
      file,
      () => this.isTransferCancelled(targetPeerId, messageId, fileId)
    );
  }
  private resolveCurrentUserId(): Promise<string | null> {
    return new Promise<string | null>((resolve) => {
      this.ngrxStore
@@ -617,14 +642,16 @@ export class AttachmentTransferService {
    return true;
  }
-  private getOrCreateChunkBuffer(assemblyKey: string, total: number): ArrayBuffer[] {
+  private getOrCreateChunkBuffer(assemblyKey: string, total: number): (ArrayBuffer | undefined)[] {
    const existingChunkBuffer = this.runtimeStore.getChunkBuffer(assemblyKey);
    if (existingChunkBuffer) {
      return existingChunkBuffer;
    }
-    const createdChunkBuffer = new Array(total);
+    // Dense initialization - sparse arrays from `new Array(total)` skip holes in
    // `every`/`some`, which lets incomplete transfers pass completion checks.
    const createdChunkBuffer = Array.from<ArrayBuffer | undefined>({ length: total });
    this.runtimeStore.setChunkBuffer(assemblyKey, createdChunkBuffer);
    this.runtimeStore.setChunkCount(assemblyKey, 0);
@@ -671,18 +698,21 @@ export class AttachmentTransferService {
    const receivedChunkCount = this.runtimeStore.getChunkCount(assemblyKey) ?? 0;
    const completeBuffer = this.runtimeStore.getChunkBuffer(assemblyKey);
-    if (
+    if (!completeBuffer || receivedChunkCount < total) {
      !completeBuffer
      || (receivedChunkCount !== total && (attachment.receivedBytes ?? 0) < attachment.size)
      || !completeBuffer.every((part) => part instanceof ArrayBuffer)
    ) {
      return;
    }
-    const blob = new Blob(completeBuffer, { type: attachment.mime });
+    const bufferedChunks = completeBuffer.filter(
      (part): part is ArrayBuffer => part instanceof ArrayBuffer
    );
-    this.runtimeStore.deleteChunkBuffer(assemblyKey);
+    // Every chunk index must be present - byte counters are never a substitute
-    this.runtimeStore.deleteChunkCount(assemblyKey);
+    // for chunk completeness, otherwise partial files finalize as corrupt blobs.
    if (bufferedChunks.length !== total || completeBuffer.length !== total) {
      return;
    }
    const blob = new Blob(bufferedChunks, { type: attachment.mime });
    if (shouldPersistDownloadedAttachment(attachment)) {
      await this.persistence.saveFileToDisk(attachment, blob);
@@ -691,16 +721,73 @@ export class AttachmentTransferService {
    attachment.objectUrl = URL.createObjectURL(blob);
    attachment.available = true;
    // Release assembly state only after the attachment is marked available so a
    // trailing duplicate chunk cannot restart accounting in a fresh buffer.
    this.runtimeStore.deleteChunkBuffer(assemblyKey);
    this.runtimeStore.deleteChunkCount(assemblyKey);
    this.runtimeStore.touch();
    void this.persistence.persistAttachmentMeta(attachment);
  }
  /**
   * Persist an outgoing attachment so it survives restart/logout-login: small
   * files are auto-saved, oversized uploader media is copied or streamed to the
   * active store, and the inline object URL is upgraded to the saved file when
   * the store provides one. Oversized media on capped stores (browser) stays in
   * memory / peer-served and degrades gracefully.
   */
  private async persistPublishedAttachment(attachment: Attachment, file: File): Promise<void> {
    if (attachment.size <= MAX_AUTO_SAVE_SIZE_BYTES) {
      void this.persistence.saveFileToDisk(attachment, file);
      return;
    }
    if (!this.attachmentStorage.canPersistSize(attachment.size)) {
      return;
    }
    if (shouldCopyUploaderMediaToAppData(
      attachment,
      attachment.filePath,
      this.attachmentStorage.canCopyFiles()
    ) && attachment.filePath) {
      await this.applySavedPathObjectUrl(
        attachment,
        await this.persistence.persistUploadCopyFromSourcePath(attachment, attachment.filePath)
      );
      return;
    }
    if (this.isPlayableMedia(attachment) && this.attachmentStorage.canWriteFiles()) {
      await this.applySavedPathObjectUrl(attachment, await this.persistence.saveFileToDisk(attachment, file));
    }
  }
  private async applySavedPathObjectUrl(attachment: Attachment, savedPath: string | null): Promise<void> {
    if (!savedPath) {
      return;
    }
    const fileUrl = await this.attachmentStorage.getFileUrl(savedPath);
    if (fileUrl) {
      attachment.objectUrl = fileUrl;
      attachment.available = true;
    }
  }
  private isPlayableMedia(attachment: Pick<Attachment, 'mime'>): boolean {
    return attachment.mime.startsWith('video/') || attachment.mime.startsWith('audio/');
  }
  private shouldReceiveToDisk(attachment: Attachment): boolean {
-    return this.isPlayableMedia(attachment) && !attachment.filePath && this.attachmentStorage.canWriteFiles();
+    return this.isPlayableMedia(attachment) &&
      !attachment.filePath &&
      this.attachmentStorage.canStreamToDisk() &&
      this.attachmentStorage.canPersistSize(attachment.size);
  }
  private enqueueDiskFileChunk(
@@ -758,7 +845,7 @@ export class AttachmentTransferService {
    this.updateTransferProgress(attachment, decodedBytes, payload.fromPeerId);
    this.runtimeStore.touch();
-    if (assembly.receivedCount < assembly.total && (attachment.receivedBytes ?? 0) < attachment.size) {
+    if (assembly.receivedCount < assembly.total) {
      return;
    }
--- a/toju-app/src/app/domains/attachment/domain/logic/attachment-blob.rules.ts
+++ b/toju-app/src/app/domains/attachment/domain/logic/attachment-blob.rules.ts
@@ -1,6 +1,9 @@
 /** Chunk size used when rebuilding attachment blobs from disk without blocking the UI thread. */
 export const ATTACHMENT_BLOB_READ_CHUNK_SIZE_BYTES = 256 * 1024;
 /** Number of bytes encoded per chunk to keep base64 encoding off the call stack. */
 const BASE64_ENCODE_CHUNK_SIZE = 0x8000;
 /** Decode a base64 payload into bytes for Blob construction. */
 export function decodeBase64ToUint8Array(base64: string): Uint8Array {
  const binary = atob(base64);
@@ -13,6 +16,19 @@ export function decodeBase64ToUint8Array(base64: string): Uint8Array {
  return bytes;
 }
 /** Encode bytes into a base64 payload, chunked so large buffers cannot overflow the call stack. */
 export function encodeUint8ArrayToBase64(bytes: Uint8Array): string {
  let binary = '';
  for (let offset = 0; offset < bytes.length; offset += BASE64_ENCODE_CHUNK_SIZE) {
    const chunk = bytes.subarray(offset, offset + BASE64_ENCODE_CHUNK_SIZE);
    binary += String.fromCharCode(...chunk);
  }
  return btoa(binary);
 }
 /** Yield control back to the browser so long attachment hydration cannot freeze Electron. */
 export function yieldToAttachmentHydrationLoop(): Promise<void> {
  return new Promise((resolve) => {
--- a/toju-app/src/app/domains/attachment/domain/logic/attachment-sharing.rules.spec.ts
+++ b/toju-app/src/app/domains/attachment/domain/logic/attachment-sharing.rules.spec.ts
@@ -0,0 +1,69 @@
 import {
  deviceHasLocalCopy,
  isSharingFromThisDevice,
  isUploaderUser
 } from './attachment-sharing.rules';
 describe('attachment sharing rules', () => {
  describe('isUploaderUser', () => {
    it('is true when the attachment uploader matches the current user', () => {
      expect(isUploaderUser({ uploaderPeerId: 'user-1' }, 'user-1')).toBe(true);
    });
    it('is false when the uploader is a different user', () => {
      expect(isUploaderUser({ uploaderPeerId: 'user-2' }, 'user-1')).toBe(false);
    });
    it('is false when either id is missing', () => {
      expect(isUploaderUser({ uploaderPeerId: undefined }, 'user-1')).toBe(false);
      expect(isUploaderUser({ uploaderPeerId: 'user-1' }, null)).toBe(false);
      expect(isUploaderUser({ uploaderPeerId: 'user-1' }, '')).toBe(false);
    });
  });
  describe('deviceHasLocalCopy', () => {
    it('is true when an available blob object url is present', () => {
      expect(deviceHasLocalCopy({ available: true, objectUrl: 'blob:abc' })).toBe(true);
    });
    it('is true when a savedPath or filePath is present', () => {
      expect(deviceHasLocalCopy({ available: false, savedPath: '/appdata/file.bin' })).toBe(true);
      expect(deviceHasLocalCopy({ available: false, filePath: '/home/me/file.bin' })).toBe(true);
    });
    it('is false when only metadata exists (no bytes, no paths)', () => {
      expect(deviceHasLocalCopy({ available: false })).toBe(false);
      expect(deviceHasLocalCopy({ available: false, savedPath: '   ', filePath: '' })).toBe(false);
    });
    it('is false when marked available but no object url is present yet', () => {
      expect(deviceHasLocalCopy({ available: true })).toBe(false);
    });
  });
  describe('isSharingFromThisDevice', () => {
    it('is true for the uploader device that still holds the file locally', () => {
      expect(
        isSharingFromThisDevice({ uploaderPeerId: 'user-1', available: true, objectUrl: 'blob:abc' }, 'user-1')
      ).toBe(true);
      expect(
        isSharingFromThisDevice({ uploaderPeerId: 'user-1', available: false, savedPath: '/appdata/file.bin' }, 'user-1')
      ).toBe(true);
    });
    it('is false on a second device of the same user that only synced metadata', () => {
      // This is the regression: the user uploaded from another device, so the metadata
      // carries uploaderPeerId === currentUserId, but this device holds no local bytes.
      expect(
        isSharingFromThisDevice({ uploaderPeerId: 'user-1', available: false }, 'user-1')
      ).toBe(false);
    });
    it('is false for a different user even if they downloaded the file locally', () => {
      expect(
        isSharingFromThisDevice({ uploaderPeerId: 'user-1', available: true, objectUrl: 'blob:abc' }, 'user-2')
      ).toBe(false);
    });
  });
 });
--- a/toju-app/src/app/domains/attachment/domain/logic/attachment-sharing.rules.ts
+++ b/toju-app/src/app/domains/attachment/domain/logic/attachment-sharing.rules.ts
@@ -0,0 +1,40 @@
 import type { Attachment } from '../models/attachment.model';
 /** True when the current user is the one who originally uploaded this attachment. */
 export function isUploaderUser(
  attachment: Pick<Attachment, 'uploaderPeerId'>,
  currentUserId: string | null | undefined
 ): boolean {
  return !!attachment.uploaderPeerId && !!currentUserId && attachment.uploaderPeerId === currentUserId;
 }
 /**
 * True when this specific device physically holds the file bytes - either hydrated
 * in memory (available blob object url) or persisted to disk / present at its original
 * upload path. Synced metadata alone (no bytes, no local paths) does not count.
 */
 export function deviceHasLocalCopy(
  attachment: Pick<Attachment, 'available' | 'objectUrl' | 'savedPath' | 'filePath'>
 ): boolean {
  return (attachment.available === true && hasNonEmptyString(attachment.objectUrl)) ||
    hasNonEmptyString(attachment.savedPath) ||
    hasNonEmptyString(attachment.filePath);
 }
 /**
 * True only when the current user uploaded the file AND this device still holds a local
 * copy to serve. A second device of the same user that only synced the message metadata
 * is the uploader-user but has no local bytes, so it must behave like any other peer
 * (request/download from peers) instead of claiming "Shared from your device" and hiding
 * the download affordance.
 */
 export function isSharingFromThisDevice(
  attachment: Pick<Attachment, 'uploaderPeerId' | 'available' | 'objectUrl' | 'savedPath' | 'filePath'>,
  currentUserId: string | null | undefined
 ): boolean {
  return isUploaderUser(attachment, currentUserId) && deviceHasLocalCopy(attachment);
 }
 function hasNonEmptyString(value: string | null | undefined): boolean {
  return typeof value === 'string' && value.trim().length > 0;
 }
--- a/toju-app/src/app/domains/attachment/index.ts
+++ b/toju-app/src/app/domains/attachment/index.ts
@@ -1,4 +1,5 @@
 export * from './application/facades/attachment.facade';
 export * from './domain/constants/attachment.constants';
 export * from './domain/logic/attachment-sharing.rules';
 export * from './domain/logic/local-file-path.rules';
 export * from './domain/models/attachment.model';
--- a/toju-app/src/app/domains/attachment/infrastructure/services/attachment-file-store.ts
+++ b/toju-app/src/app/domains/attachment/infrastructure/services/attachment-file-store.ts
@@ -0,0 +1,58 @@
 /**
 * Low-level file persistence primitives for attachments, abstracted over the
 * runtime shell (Electron disk, Capacitor Filesystem, browser IndexedDB).
 *
 * `AttachmentStorageService` owns the higher-level path resolution and bucket
 * layout; it delegates raw IO to the active {@link AttachmentFileStore} so the
 * "remember local files" contract holds on every platform.
 *
 * All file paths passed to a store are produced by `AttachmentStorageService`
 * from `getAppDataPath()` plus the `server/<room>/<bucket>/<id>` layout, so each
 * store decides how that string maps onto its own backing storage.
 */
 export interface AttachmentFileStore {
  /** Whether this store can persist attachment bytes in the current runtime. */
  readonly isAvailable: boolean;
  /**
   * Largest file (bytes) this store will persist. Backends with a real
   * filesystem return `Infinity`; the browser store caps to avoid bloating
   * IndexedDB with very large media.
   */
  readonly maxPersistableBytes: number;
  /**
   * Whether the store supports appending chunks directly to a file as they
   * arrive (streamed receive). Backends without a real append primitive return
   * `false`, so the transfer service assembles those downloads in memory and
   * writes them once on completion.
   */
  readonly supportsStreamingToDisk: boolean;
  /**
   * Whether {@link readFileChunk} can return an arbitrary byte range cheaply.
   * When `false`, blob restore reads the whole file once via {@link readFile}.
   */
  readonly supportsChunkedReads: boolean;
  /**
   * Whether {@link getFileUrl} returns a URL the webview can load directly for
   * inline display (e.g. Capacitor `convertFileSrc`). When `true`, restore uses
   * that URL instead of rebuilding a renderer `Blob`, avoiding memory pressure
   * for large media on mobile. Electron returns `false` because its `file://`
   * URLs are blocked by `webSecurity`.
   */
  readonly providesInlineObjectUrl: boolean;
  getAppDataPath(): Promise<string | null>;
  ensureDir(dirPath: string): Promise<boolean>;
  writeFile(filePath: string, base64Data: string): Promise<boolean>;
  appendFile(filePath: string, base64Data: string): Promise<boolean>;
  readFile(filePath: string): Promise<string | null>;
  readFileChunk(filePath: string, start: number, end: number): Promise<string | null>;
  getFileSize(filePath: string): Promise<number | null>;
  fileExists(filePath: string): Promise<boolean>;
  copyFile(sourceFilePath: string, destinationFilePath: string): Promise<boolean>;
  deleteFile(filePath: string): Promise<void>;
  getFileUrl(filePath: string): Promise<string | null>;
 }
--- a/toju-app/src/app/domains/attachment/infrastructure/services/attachment-storage.service.spec.ts
+++ b/toju-app/src/app/domains/attachment/infrastructure/services/attachment-storage.service.spec.ts
@@ -0,0 +1,99 @@
 import '@angular/compiler';
 import {
  describe,
  expect,
  it
 } from 'vitest';
 import { Injector, runInInjectionContext } from '@angular/core';
 import { PlatformService } from '../../../../core/platform/platform.service';
 import type { AttachmentFileStore } from './attachment-file-store';
 import { AttachmentStorageService } from './attachment-storage.service';
 import { BrowserAttachmentFileStore } from './browser-attachment-file-store';
 import { CapacitorAttachmentFileStore } from './capacitor-attachment-file-store';
 import { ElectronAttachmentFileStore } from './electron-attachment-file-store';
 function createStore(overrides: Partial<AttachmentFileStore>): AttachmentFileStore {
  return {
    isAvailable: false,
    maxPersistableBytes: Number.POSITIVE_INFINITY,
    supportsStreamingToDisk: false,
    supportsChunkedReads: false,
    providesInlineObjectUrl: false,
    getAppDataPath: async () => null,
    ensureDir: async () => false,
    writeFile: async () => false,
    appendFile: async () => false,
    readFile: async () => null,
    readFileChunk: async () => null,
    getFileSize: async () => null,
    fileExists: async () => false,
    copyFile: async () => false,
    deleteFile: async () => undefined,
    getFileUrl: async () => null,
    ...overrides
  };
 }
 function createService(platform: Partial<PlatformService>, stores: {
  electron?: Partial<AttachmentFileStore>;
  capacitor?: Partial<AttachmentFileStore>;
  browser?: Partial<AttachmentFileStore>;
 }): AttachmentStorageService {
  const injector = Injector.create({
    providers: [
      AttachmentStorageService,
      { provide: PlatformService, useValue: platform },
      { provide: ElectronAttachmentFileStore, useValue: createStore(stores.electron ?? {}) },
      { provide: CapacitorAttachmentFileStore, useValue: createStore(stores.capacitor ?? {}) },
      { provide: BrowserAttachmentFileStore, useValue: createStore(stores.browser ?? {}) }
    ]
  });
  return runInInjectionContext(injector, () => injector.get(AttachmentStorageService));
 }
 describe('AttachmentStorageService backend selection', () => {
  it('selects the Electron store on the desktop shell', () => {
    const service = createService(
      { isElectron: true, isCapacitor: false, isBrowser: false },
      { electron: { isAvailable: true, supportsChunkedReads: true } }
    );
    expect(service.canWriteFiles()).toBe(true);
    expect(service.canReadFileChunks()).toBe(true);
    expect(service.canStreamToDisk()).toBe(false);
  });
  it('selects the Capacitor store on a native mobile shell', () => {
    const service = createService(
      { isElectron: false, isCapacitor: true, isBrowser: false },
      { capacitor: { isAvailable: true, supportsStreamingToDisk: true, providesInlineObjectUrl: true } }
    );
    expect(service.canWriteFiles()).toBe(true);
    expect(service.canStreamToDisk()).toBe(true);
    expect(service.providesInlineObjectUrl()).toBe(true);
  });
  it('selects the browser store and reflects its finite size cap', () => {
    const service = createService(
      { isElectron: false, isCapacitor: false, isBrowser: true },
      { browser: { isAvailable: true, supportsChunkedReads: true, maxPersistableBytes: 100 } }
    );
    expect(service.canWriteFiles()).toBe(true);
    expect(service.canStreamToDisk()).toBe(false);
    expect(service.canPersistSize(50)).toBe(true);
    expect(service.canPersistSize(150)).toBe(false);
  });
  it('reports no capabilities when the selected store is unavailable', () => {
    const service = createService(
      { isElectron: false, isCapacitor: false, isBrowser: true },
      { browser: { isAvailable: false } }
    );
    expect(service.canWriteFiles()).toBe(false);
    expect(service.canPersistSize(1)).toBe(false);
  });
 });
--- a/toju-app/src/app/domains/attachment/infrastructure/services/attachment-storage.service.ts
+++ b/toju-app/src/app/domains/attachment/infrastructure/services/attachment-storage.service.ts
@@ -1,35 +1,59 @@
 import { Injectable, inject } from '@angular/core';
-import { ElectronBridgeService } from '../../../../core/platform/electron/electron-bridge.service';
+import { PlatformService } from '../../../../core/platform/platform.service';
 import type { Attachment } from '../../domain/models/attachment.model';
 import { encodeUint8ArrayToBase64 } from '../../domain/logic/attachment-blob.rules';
 import {
  isAllowedAttachmentStoredPath,
  resolveAttachmentStorageBucket,
  resolveAttachmentStoredFilename,
  sanitizeAttachmentRoomName
 } from '../util/attachment-storage.util';
 import type { AttachmentFileStore } from './attachment-file-store';
 import { BrowserAttachmentFileStore } from './browser-attachment-file-store';
 import { CapacitorAttachmentFileStore } from './capacitor-attachment-file-store';
 import { ElectronAttachmentFileStore } from './electron-attachment-file-store';
 const DIRECT_MESSAGE_STORAGE_PREFIX = 'direct-message:';
 /**
 * High-level attachment file persistence. Owns the `server/<room>/<bucket>` and
 * `direct-messages/...` path layout and delegates raw IO to the
 * {@link AttachmentFileStore} selected for the active runtime, so a user's local
 * files are remembered on Electron, Capacitor (Android) and the browser alike.
 */
@Injectable({ providedIn: 'root' })
 export class AttachmentStorageService {
-  private readonly electronBridge = inject(ElectronBridgeService);
+  private readonly platform = inject(PlatformService);
  private readonly electronStore = inject(ElectronAttachmentFileStore);
  private readonly capacitorStore = inject(CapacitorAttachmentFileStore);
  private readonly browserStore = inject(BrowserAttachmentFileStore);
  private readonly store: AttachmentFileStore = this.selectStore();
  canWriteFiles(): boolean {
-    const electronApi = this.electronBridge.getApi();
+    return this.store.isAvailable;
    return !!electronApi?.appendFile && !!electronApi.writeFile && !!electronApi.getAppDataPath;
  }
  canReadFileChunks(): boolean {
-    const electronApi = this.electronBridge.getApi();
+    return this.store.isAvailable && this.store.supportsChunkedReads;
    return !!electronApi?.readFileChunk && !!electronApi.getFileSize;
  }
  canCopyFiles(): boolean {
-    const electronApi = this.electronBridge.getApi();
+    return this.store.isAvailable;
  }
-    return !!electronApi?.copyFile && !!electronApi.ensureDir && !!electronApi.getAppDataPath;
+  /** Whether the active store can stream a download to disk chunk-by-chunk as it arrives. */
  canStreamToDisk(): boolean {
    return this.store.isAvailable && this.store.supportsStreamingToDisk;
  }
  /** Whether a file of the given size can be persisted by the active store (browser caps large media). */
  canPersistSize(bytes: number): boolean {
    return this.store.isAvailable && bytes <= this.store.maxPersistableBytes;
  }
  /** Whether {@link getFileUrl} yields a URL the webview can load directly for inline display. */
  providesInlineObjectUrl(): boolean {
    return this.store.providesInlineObjectUrl;
  }
  async resolveExistingPath(
@@ -55,17 +79,11 @@ export class AttachmentStorageService {
  }
  async copyFile(sourceFilePath: string, destinationFilePath: string): Promise<boolean> {
-    const electronApi = this.electronBridge.getApi();
+    if (!sourceFilePath || !destinationFilePath) {
    if (!electronApi?.copyFile || !sourceFilePath || !destinationFilePath) {
      return false;
    }
-    try {
+    return this.store.copyFile(sourceFilePath, destinationFilePath);
      return await electronApi.copyFile(sourceFilePath, destinationFilePath);
    } catch {
      return false;
    }
  }
  async resolveLegacyImagePath(filename: string, roomName: string): Promise<string | null> {
@@ -81,59 +99,35 @@ export class AttachmentStorageService {
  }
  async readFile(filePath: string): Promise<string | null> {
-    const electronApi = this.electronBridge.getApi();
+    if (!filePath) {
    if (!electronApi || !filePath) {
      return null;
    }
-    try {
+    return this.store.readFile(filePath);
      return await electronApi.readFile(filePath);
    } catch {
      return null;
    }
  }
  async getFileSize(filePath: string): Promise<number | null> {
-    const electronApi = this.electronBridge.getApi();
+    if (!filePath) {
    if (!electronApi?.getFileSize || !filePath) {
      return null;
    }
-    try {
+    return this.store.getFileSize(filePath);
      return await electronApi.getFileSize(filePath);
    } catch {
      return null;
    }
  }
  async readFileChunk(filePath: string, start: number, end: number): Promise<string | null> {
-    const electronApi = this.electronBridge.getApi();
+    if (!filePath) {
    if (!electronApi?.readFileChunk || !filePath) {
      return null;
    }
-    try {
+    return this.store.readFileChunk(filePath, start, end);
      return await electronApi.readFileChunk(filePath, start, end);
    } catch {
      return null;
    }
  }
  async getFileUrl(filePath: string): Promise<string | null> {
-    const electronApi = this.electronBridge.getApi();
+    if (!filePath) {
    if (!electronApi?.getFileUrl || !filePath) {
      return null;
    }
-    try {
+    return this.store.getFileUrl(filePath);
      return await electronApi.getFileUrl(filePath);
    } catch {
      return null;
    }
  }
  async saveBlob(
@@ -141,6 +135,10 @@ export class AttachmentStorageService {
    blob: Blob,
    roomName: string
  ): Promise<string | null> {
    if (!this.canPersistSize(blob.size)) {
      return null;
    }
    const diskPath = await this.createWritableFile(attachment, roomName);
    if (!diskPath) {
@@ -149,10 +147,9 @@ export class AttachmentStorageService {
    try {
      const arrayBuffer = await blob.arrayBuffer();
      const wrote = await this.store.writeFile(diskPath, encodeUint8ArrayToBase64(new Uint8Array(arrayBuffer)));
-      await this.writeBase64(diskPath, this.arrayBufferToBase64(arrayBuffer));
+      return wrote ? diskPath : null;
      return diskPath;
    } catch {
      return null;
    }
@@ -162,20 +159,19 @@ export class AttachmentStorageService {
    attachment: Pick<Attachment, 'id' | 'filename' | 'mime'>,
    roomName: string
  ): Promise<string | null> {
    const electronApi = this.electronBridge.getApi();
    const appDataPath = await this.resolveAppDataPath();
-    if (!electronApi || !appDataPath) {
+    if (!appDataPath) {
      return null;
    }
    try {
      const directoryPath = this.resolveStorageDirectoryPath(appDataPath, roomName, attachment.mime);
-      await electronApi.ensureDir(directoryPath);
+      await this.store.ensureDir(directoryPath);
      const diskPath = `${directoryPath}/${resolveAttachmentStoredFilename(attachment.id, attachment.filename)}`;
-      await this.writeBase64(diskPath, '');
+      await this.store.writeFile(diskPath, '');
      return diskPath;
    } catch {
@@ -184,43 +180,35 @@ export class AttachmentStorageService {
  }
  async appendBase64(filePath: string, base64Data: string): Promise<boolean> {
-    const electronApi = this.electronBridge.getApi();
+    if (!filePath) {
    if (!electronApi?.appendFile || !filePath) {
      return false;
    }
-    try {
+    return this.store.appendFile(filePath, base64Data);
      return await electronApi.appendFile(filePath, base64Data);
    } catch {
      return false;
    }
  }
  async deleteFile(filePath: string): Promise<void> {
-    const electronApi = this.electronBridge.getApi();
+    if (!filePath) {
    if (!electronApi || !filePath) {
      return;
    }
-    try {
+    await this.store.deleteFile(filePath);
-      await electronApi.deleteFile(filePath);
+  }
-    } catch { /* best-effort cleanup */ }
+
  private selectStore(): AttachmentFileStore {
    if (this.platform.isElectron) {
      return this.electronStore;
    }
    if (this.platform.isCapacitor) {
      return this.capacitorStore;
    }
    return this.browserStore;
  }
  private async resolveAppDataPath(): Promise<string | null> {
-    const electronApi = this.electronBridge.getApi();
+    return this.store.getAppDataPath();
    if (!electronApi) {
      return null;
    }
    try {
      return await electronApi.getAppDataPath();
    } catch {
      return null;
    }
  }
  private resolveStorageDirectoryPath(appDataPath: string, containerName: string, mime: string): string {
@@ -236,10 +224,9 @@ export class AttachmentStorageService {
  }
  private async findExistingPath(candidates: (string | null | undefined)[]): Promise<string | null> {
    const electronApi = this.electronBridge.getApi();
    const appDataPath = await this.resolveAppDataPath();
-    if (!electronApi || !appDataPath) {
+    if (!appDataPath) {
      return null;
    }
@@ -249,7 +236,7 @@ export class AttachmentStorageService {
      }
      try {
-        if (await electronApi.fileExists(candidatePath)) {
+        if (await this.store.fileExists(candidatePath)) {
          return candidatePath;
        }
      } catch { /* keep trying remaining candidates */ }
@@ -257,26 +244,4 @@ export class AttachmentStorageService {
    return null;
  }
  private async writeBase64(filePath: string, base64Data: string): Promise<boolean> {
    const electronApi = this.electronBridge.getApi();
    if (!electronApi || !filePath) {
      return false;
    }
    return await electronApi.writeFile(filePath, base64Data);
  }
  private arrayBufferToBase64(buffer: ArrayBuffer): string {
    let binary = '';
    const bytes = new Uint8Array(buffer);
    for (let index = 0; index < bytes.byteLength; index++) {
      binary += String.fromCharCode(bytes[index]);
    }
    return btoa(binary);
  }
 }
--- a/toju-app/src/app/domains/attachment/infrastructure/services/browser-attachment-file-store.spec.ts
+++ b/toju-app/src/app/domains/attachment/infrastructure/services/browser-attachment-file-store.spec.ts
@@ -0,0 +1,90 @@
 import 'fake-indexeddb/auto';
 import {
  beforeEach,
  describe,
  expect,
  it
 } from 'vitest';
 import { encodeUint8ArrayToBase64 } from '../../domain/logic/attachment-blob.rules';
 import { BrowserAttachmentFileStore } from './browser-attachment-file-store';
 function base64Of(text: string): string {
  return encodeUint8ArrayToBase64(new TextEncoder().encode(text));
 }
 function decodeBase64(base64: string): string {
  return new TextDecoder().decode(Uint8Array.from(atob(base64), (char) => char.charCodeAt(0)));
 }
 describe('BrowserAttachmentFileStore', () => {
  let store: BrowserAttachmentFileStore;
  let path: string;
  beforeEach(() => {
    store = new BrowserAttachmentFileStore();
    path = `metoyou-attachment-files/server/room/files/${crypto.randomUUID()}.txt`;
  });
  it('reports availability and a synthetic app-data root', async () => {
    expect(store.isAvailable).toBe(true);
    await expect(store.getAppDataPath()).resolves.toBe('metoyou-attachment-files');
  });
  it('writes and reads a file round-trip', async () => {
    await expect(store.writeFile(path, base64Of('hello world'))).resolves.toBe(true);
    await expect(store.fileExists(path)).resolves.toBe(true);
    await expect(store.getFileSize(path)).resolves.toBe('hello world'.length);
    const readBack = await store.readFile(path);
    expect(readBack).not.toBeNull();
    expect(decodeBase64(readBack as string)).toBe('hello world');
  });
  it('appends chunks and reads arbitrary byte ranges', async () => {
    await store.writeFile(path, '');
    await store.appendFile(path, base64Of('abc'));
    await store.appendFile(path, base64Of('defg'));
    await expect(store.getFileSize(path)).resolves.toBe(7);
    const chunk = await store.readFileChunk(path, 2, 5);
    expect(decodeBase64(chunk as string)).toBe('cde');
  });
  it('copies and deletes files', async () => {
    const destination = `metoyou-attachment-files/server/room/files/${crypto.randomUUID()}.txt`;
    await store.writeFile(path, base64Of('payload'));
    await expect(store.copyFile(path, destination)).resolves.toBe(true);
    expect(decodeBase64((await store.readFile(destination)) as string)).toBe('payload');
    await store.deleteFile(path);
    await expect(store.fileExists(path)).resolves.toBe(false);
    await expect(store.fileExists(destination)).resolves.toBe(true);
  });
  it('produces a blob URL for stored bytes', async () => {
    await store.writeFile(path, base64Of('blobbable'));
    const url = await store.getFileUrl(path);
    expect(url).toMatch(/^blob:/);
  });
  it('refuses to persist files larger than the browser cap', async () => {
    const oversizedStore = new BrowserAttachmentFileStore();
    Object.defineProperty(oversizedStore, 'maxPersistableBytes', { value: 4 });
    await expect(oversizedStore.writeFile(path, base64Of('toolong'))).resolves.toBe(false);
    await expect(oversizedStore.fileExists(path)).resolves.toBe(false);
  });
  it('returns null for unknown files', async () => {
    await expect(store.readFile('metoyou-attachment-files/server/room/files/missing.txt')).resolves.toBeNull();
    await expect(store.getFileSize('metoyou-attachment-files/server/room/files/missing.txt')).resolves.toBeNull();
    await expect(store.fileExists('metoyou-attachment-files/server/room/files/missing.txt')).resolves.toBe(false);
  });
 });
--- a/toju-app/src/app/domains/attachment/infrastructure/services/browser-attachment-file-store.ts
+++ b/toju-app/src/app/domains/attachment/infrastructure/services/browser-attachment-file-store.ts
@@ -0,0 +1,228 @@
 import { Injectable } from '@angular/core';
 import { getStoredCurrentUserId } from '../../../../core/storage/current-user-storage';
 import { MAX_BROWSER_INLINE_MEDIA_SIZE_BYTES } from '../../domain/constants/attachment.constants';
 import { decodeBase64ToUint8Array, encodeUint8ArrayToBase64 } from '../../domain/logic/attachment-blob.rules';
 import type { AttachmentFileStore } from './attachment-file-store';
 /** Synthetic app-data root used to namespace virtual attachment paths in the browser. */
 const BROWSER_APP_DATA_ROOT = 'metoyou-attachment-files';
 const DATABASE_PREFIX = 'metoyou-attachment-files';
 const ANONYMOUS_SCOPE = 'anonymous';
 const FILES_STORE = 'files';
 const DATABASE_VERSION = 1;
 interface StoredFileRecord {
  path: string;
  bytes: Uint8Array;
 }
 /**
 * Attachment file store backed by a per-user IndexedDB "virtual filesystem".
 *
 * Bytes are keyed by the same synthetic path string the Electron/Capacitor
 * stores use (`metoyou-attachment-files/server/<room>/<bucket>/<id>`), so the
 * browser build remembers a user's own uploads and downloaded media across a
 * reload/restart instead of holding them only in memory.
 */
@Injectable({ providedIn: 'root' })
 export class BrowserAttachmentFileStore implements AttachmentFileStore {
  readonly maxPersistableBytes = MAX_BROWSER_INLINE_MEDIA_SIZE_BYTES;
  readonly supportsStreamingToDisk = false;
  readonly supportsChunkedReads = true;
  readonly providesInlineObjectUrl = false;
  private database: IDBDatabase | null = null;
  private activeDatabaseName: string | null = null;
  get isAvailable(): boolean {
    return typeof indexedDB !== 'undefined';
  }
  async getAppDataPath(): Promise<string | null> {
    return this.isAvailable ? BROWSER_APP_DATA_ROOT : null;
  }
  async ensureDir(_dirPath: string): Promise<boolean> {
    return this.isAvailable;
  }
  async writeFile(filePath: string, base64Data: string): Promise<boolean> {
    if (!filePath) {
      return false;
    }
    const bytes = base64Data ? decodeBase64ToUint8Array(base64Data) : new Uint8Array(0);
    if (bytes.byteLength > this.maxPersistableBytes) {
      return false;
    }
    return this.putRecord({ path: filePath, bytes });
  }
  async appendFile(filePath: string, base64Data: string): Promise<boolean> {
    if (!filePath || !base64Data) {
      return false;
    }
    const existing = await this.getRecord(filePath);
    const addition = decodeBase64ToUint8Array(base64Data);
    const previousBytes = existing?.bytes ?? new Uint8Array(0);
    if (previousBytes.byteLength + addition.byteLength > this.maxPersistableBytes) {
      return false;
    }
    const combined = new Uint8Array(previousBytes.byteLength + addition.byteLength);
    combined.set(previousBytes, 0);
    combined.set(addition, previousBytes.byteLength);
    return this.putRecord({ path: filePath, bytes: combined });
  }
  async readFile(filePath: string): Promise<string | null> {
    const record = await this.getRecord(filePath);
    return record ? encodeUint8ArrayToBase64(record.bytes) : null;
  }
  async readFileChunk(filePath: string, start: number, end: number): Promise<string | null> {
    const record = await this.getRecord(filePath);
    if (!record) {
      return null;
    }
    return encodeUint8ArrayToBase64(record.bytes.subarray(start, end));
  }
  async getFileSize(filePath: string): Promise<number | null> {
    const record = await this.getRecord(filePath);
    return record ? record.bytes.byteLength : null;
  }
  async fileExists(filePath: string): Promise<boolean> {
    return (await this.getRecord(filePath)) !== null;
  }
  async copyFile(sourceFilePath: string, destinationFilePath: string): Promise<boolean> {
    const record = await this.getRecord(sourceFilePath);
    if (!record) {
      return false;
    }
    return this.putRecord({ path: destinationFilePath, bytes: record.bytes });
  }
  async deleteFile(filePath: string): Promise<void> {
    if (!filePath) {
      return;
    }
    try {
      const database = await this.openDatabase();
      const transaction = database.transaction(FILES_STORE, 'readwrite');
      transaction.objectStore(FILES_STORE).delete(filePath);
      await this.awaitTransaction(transaction);
    } catch { /* best-effort cleanup */ }
  }
  async getFileUrl(filePath: string): Promise<string | null> {
    const record = await this.getRecord(filePath);
    if (!record) {
      return null;
    }
    try {
      const blob = new Blob([record.bytes.buffer.slice(0) as ArrayBuffer]);
      return URL.createObjectURL(blob);
    } catch {
      return null;
    }
  }
  private async putRecord(record: StoredFileRecord): Promise<boolean> {
    try {
      const database = await this.openDatabase();
      const transaction = database.transaction(FILES_STORE, 'readwrite');
      transaction.objectStore(FILES_STORE).put(record);
      await this.awaitTransaction(transaction);
      return true;
    } catch {
      return false;
    }
  }
  private async getRecord(path: string): Promise<StoredFileRecord | null> {
    if (!path) {
      return null;
    }
    try {
      const database = await this.openDatabase();
      const transaction = database.transaction(FILES_STORE, 'readonly');
      const request = transaction.objectStore(FILES_STORE).get(path);
      return await new Promise<StoredFileRecord | null>((resolve, reject) => {
        request.onsuccess = () => resolve((request.result as StoredFileRecord | undefined) ?? null);
        request.onerror = () => reject(request.error);
      });
    } catch {
      return null;
    }
  }
  private async openDatabase(): Promise<IDBDatabase> {
    const databaseName = this.resolveDatabaseName();
    if (this.database && this.activeDatabaseName === databaseName) {
      return this.database;
    }
    this.database?.close();
    this.database = await this.openScopedDatabase(databaseName);
    this.activeDatabaseName = databaseName;
    return this.database;
  }
  private resolveDatabaseName(): string {
    const userId = getStoredCurrentUserId();
    return `${DATABASE_PREFIX}::${encodeURIComponent(userId || ANONYMOUS_SCOPE)}`;
  }
  private openScopedDatabase(databaseName: string): Promise<IDBDatabase> {
    return new Promise((resolve, reject) => {
      const request = indexedDB.open(databaseName, DATABASE_VERSION);
      request.onerror = () => reject(request.error);
      request.onupgradeneeded = () => {
        const database = request.result;
        if (!database.objectStoreNames.contains(FILES_STORE)) {
          database.createObjectStore(FILES_STORE, { keyPath: 'path' });
        }
      };
      request.onsuccess = () => resolve(request.result);
    });
  }
  private awaitTransaction(transaction: IDBTransaction): Promise<void> {
    return new Promise((resolve, reject) => {
      transaction.oncomplete = () => resolve();
      transaction.onerror = () => reject(transaction.error);
      transaction.onabort = () => reject(transaction.error);
    });
  }
 }
--- a/toju-app/src/app/domains/attachment/infrastructure/services/capacitor-attachment-file-store.spec.ts
+++ b/toju-app/src/app/domains/attachment/infrastructure/services/capacitor-attachment-file-store.spec.ts
@@ -0,0 +1,171 @@
 import {
  beforeEach,
  describe,
  expect,
  it,
  vi
 } from 'vitest';
 import { encodeUint8ArrayToBase64 } from '../../domain/logic/attachment-blob.rules';
 const isCapacitorNativeRuntimeMock = vi.fn(() => true);
 const loadFilesystemMock = vi.fn();
 vi.mock('../../../../infrastructure/mobile/logic/platform-detection.rules', () => ({
  isCapacitorNativeRuntime: () => isCapacitorNativeRuntimeMock()
 }));
 vi.mock('./capacitor-attachment-filesystem.adapter', () => ({
  loadCapacitorAttachmentFilesystem: () => loadFilesystemMock()
 }));
 import { CapacitorAttachmentFileStore } from './capacitor-attachment-file-store';
 function base64Of(text: string): string {
  return encodeUint8ArrayToBase64(new TextEncoder().encode(text));
 }
 interface FakeFile {
  data: string;
 }
 function createFakeFilesystem() {
  const files = new Map<string, FakeFile>();
  const filesystem = {
    mkdir: vi.fn(async () => undefined),
    writeFile: vi.fn(async ({ path, data }: { path: string; data: string }) => {
      files.set(path, { data });
      return { uri: `file:///data/${path}` };
    }),
    appendFile: vi.fn(async ({ path, data }: { path: string; data: string }) => {
      const existingText = atob(files.get(path)?.data ?? '');
      const combinedText = existingText + atob(data);
      const combinedBytes = Uint8Array.from(combinedText, (char) => char.charCodeAt(0));
      files.set(path, { data: encodeUint8ArrayToBase64(combinedBytes) });
    }),
    readFile: vi.fn(async ({ path }: { path: string }) => {
      const file = files.get(path);
      if (!file) {
        throw new Error('not found');
      }
      return { data: file.data };
    }),
    stat: vi.fn(async ({ path }: { path: string }) => {
      const file = files.get(path);
      if (!file) {
        throw new Error('not found');
      }
      return { size: atob(file.data).length, uri: `file:///data/${path}` };
    }),
    deleteFile: vi.fn(async ({ path }: { path: string }) => {
      files.delete(path);
    }),
    copy: vi.fn(async ({ from, to }: { from: string; to: string }) => {
      const file = files.get(from);
      if (!file) {
        throw new Error('not found');
      }
      files.set(to, { data: file.data });
    }),
    getUri: vi.fn(async ({ path }: { path: string }) => ({ uri: `file:///data/${path}` }))
  };
  return {
    files,
    adapter: {
      filesystem,
      directory: 'DATA',
      convertFileSrc: (url: string) => url.replace('file://', 'capacitor://localhost/_capacitor_file_')
    }
  };
 }
 describe('CapacitorAttachmentFileStore', () => {
  let store: CapacitorAttachmentFileStore;
  let fake: ReturnType<typeof createFakeFilesystem>;
  const path = 'metoyou/server/room/files/sample.bin';
  beforeEach(() => {
    isCapacitorNativeRuntimeMock.mockReturnValue(true);
    fake = createFakeFilesystem();
    loadFilesystemMock.mockResolvedValue(fake.adapter);
    store = new CapacitorAttachmentFileStore();
  });
  it('reports native availability and the synthetic app-data root', async () => {
    expect(store.isAvailable).toBe(true);
    await expect(store.getAppDataPath()).resolves.toBe('metoyou');
  });
  it('is unavailable off a native shell', () => {
    isCapacitorNativeRuntimeMock.mockReturnValue(false);
    expect(store.isAvailable).toBe(false);
  });
  it('writes through the Data directory and reads bytes back', async () => {
    await expect(store.writeFile(path, base64Of('hello'))).resolves.toBe(true);
    expect(fake.adapter.filesystem.writeFile).toHaveBeenCalledWith(expect.objectContaining({
      path,
      directory: 'DATA',
      recursive: true
    }));
    await expect(store.readFile(path)).resolves.toBe(base64Of('hello'));
    await expect(store.getFileSize(path)).resolves.toBe(5);
    await expect(store.fileExists(path)).resolves.toBe(true);
  });
  it('streams appended chunks to disk', async () => {
    await store.writeFile(path, '');
    await store.appendFile(path, base64Of('ab'));
    await store.appendFile(path, base64Of('cde'));
    expect(fake.adapter.filesystem.appendFile).toHaveBeenCalledTimes(2);
    await expect(store.getFileSize(path)).resolves.toBe(5);
  });
  it('reads a byte range by slicing the whole file', async () => {
    await store.writeFile(path, base64Of('abcdef'));
    const chunk = await store.readFileChunk(path, 1, 4);
    expect(chunk).toBe(base64Of('bcd'));
  });
  it('copies and deletes files', async () => {
    const destination = 'metoyou/server/room/files/copy.bin';
    await store.writeFile(path, base64Of('data'));
    await expect(store.copyFile(path, destination)).resolves.toBe(true);
    await expect(store.fileExists(destination)).resolves.toBe(true);
    await store.deleteFile(path);
    await expect(store.fileExists(path)).resolves.toBe(false);
  });
  it('returns a webview-loadable file URL', async () => {
    await store.writeFile(path, base64Of('data'));
    await expect(store.getFileUrl(path)).resolves.toBe(
      `capacitor://localhost/_capacitor_file_/data/${path}`
    );
  });
  it('degrades to unavailable behaviour when the plugin cannot load', async () => {
    loadFilesystemMock.mockResolvedValue(null);
    await expect(store.writeFile(path, base64Of('x'))).resolves.toBe(false);
    await expect(store.fileExists(path)).resolves.toBe(false);
    await expect(store.getFileUrl(path)).resolves.toBeNull();
  });
 });
--- a/toju-app/src/app/domains/attachment/infrastructure/services/capacitor-attachment-file-store.ts
+++ b/toju-app/src/app/domains/attachment/infrastructure/services/capacitor-attachment-file-store.ts
@@ -0,0 +1,203 @@
 import { Injectable } from '@angular/core';
 import { isCapacitorNativeRuntime } from '../../../../infrastructure/mobile/logic/platform-detection.rules';
 import { decodeBase64ToUint8Array, encodeUint8ArrayToBase64 } from '../../domain/logic/attachment-blob.rules';
 import type { AttachmentFileStore } from './attachment-file-store';
 import { loadCapacitorAttachmentFilesystem, type CapacitorAttachmentFilesystem } from './capacitor-attachment-filesystem.adapter';
 /**
 * Synthetic app-data root for attachment paths on Capacitor. Stored files live
 * under `Directory.Data/<root>/server/...`, so the path passed around the
 * attachment domain stays consistent with the other backends and passes the
 * `isAllowedAttachmentStoredPath` allow-list.
 */
 const CAPACITOR_APP_DATA_ROOT = 'metoyou';
 /** Attachment file store backed by the native Capacitor Filesystem (`Directory.Data`). */
@Injectable({ providedIn: 'root' })
 export class CapacitorAttachmentFileStore implements AttachmentFileStore {
  readonly maxPersistableBytes = Number.POSITIVE_INFINITY;
  readonly supportsStreamingToDisk = true;
  readonly supportsChunkedReads = false;
  readonly providesInlineObjectUrl = true;
  private readonly loadFilesystem: () => Promise<CapacitorAttachmentFilesystem | null> = loadCapacitorAttachmentFilesystem;
  get isAvailable(): boolean {
    return isCapacitorNativeRuntime();
  }
  async getAppDataPath(): Promise<string | null> {
    return this.isAvailable ? CAPACITOR_APP_DATA_ROOT : null;
  }
  async ensureDir(dirPath: string): Promise<boolean> {
    const filesystem = await this.loadFilesystem();
    if (!filesystem || !dirPath) {
      return false;
    }
    try {
      await filesystem.filesystem.mkdir({
        path: dirPath,
        directory: filesystem.directory,
        recursive: true
      });
      return true;
    } catch {
      // mkdir throws when the directory already exists; treat that as success.
      return true;
    }
  }
  async writeFile(filePath: string, base64Data: string): Promise<boolean> {
    const filesystem = await this.loadFilesystem();
    if (!filesystem || !filePath) {
      return false;
    }
    try {
      await filesystem.filesystem.writeFile({
        path: filePath,
        data: base64Data,
        directory: filesystem.directory,
        recursive: true
      });
      return true;
    } catch {
      return false;
    }
  }
  async appendFile(filePath: string, base64Data: string): Promise<boolean> {
    const filesystem = await this.loadFilesystem();
    if (!filesystem || !filePath || !base64Data) {
      return false;
    }
    try {
      await filesystem.filesystem.appendFile({
        path: filePath,
        data: base64Data,
        directory: filesystem.directory
      });
      return true;
    } catch {
      return false;
    }
  }
  async readFile(filePath: string): Promise<string | null> {
    const filesystem = await this.loadFilesystem();
    if (!filesystem || !filePath) {
      return null;
    }
    try {
      const result = await filesystem.filesystem.readFile({
        path: filePath,
        directory: filesystem.directory
      });
      return typeof result.data === 'string'
        ? result.data
        : encodeUint8ArrayToBase64(new Uint8Array(await result.data.arrayBuffer()));
    } catch {
      return null;
    }
  }
  async readFileChunk(filePath: string, start: number, end: number): Promise<string | null> {
    const whole = await this.readFile(filePath);
    if (whole === null) {
      return null;
    }
    return encodeUint8ArrayToBase64(decodeBase64ToUint8Array(whole).subarray(start, end));
  }
  async getFileSize(filePath: string): Promise<number | null> {
    const filesystem = await this.loadFilesystem();
    if (!filesystem || !filePath) {
      return null;
    }
    try {
      const stat = await filesystem.filesystem.stat({
        path: filePath,
        directory: filesystem.directory
      });
      return stat.size;
    } catch {
      return null;
    }
  }
  async fileExists(filePath: string): Promise<boolean> {
    return (await this.getFileSize(filePath)) !== null;
  }
  async copyFile(sourceFilePath: string, destinationFilePath: string): Promise<boolean> {
    const filesystem = await this.loadFilesystem();
    if (!filesystem || !sourceFilePath || !destinationFilePath) {
      return false;
    }
    try {
      await filesystem.filesystem.copy({
        from: sourceFilePath,
        to: destinationFilePath,
        directory: filesystem.directory,
        toDirectory: filesystem.directory
      });
      return true;
    } catch {
      return false;
    }
  }
  async deleteFile(filePath: string): Promise<void> {
    const filesystem = await this.loadFilesystem();
    if (!filesystem || !filePath) {
      return;
    }
    try {
      await filesystem.filesystem.deleteFile({
        path: filePath,
        directory: filesystem.directory
      });
    } catch { /* best-effort cleanup */ }
  }
  async getFileUrl(filePath: string): Promise<string | null> {
    const filesystem = await this.loadFilesystem();
    if (!filesystem || !filePath) {
      return null;
    }
    try {
      const { uri } = await filesystem.filesystem.getUri({
        path: filePath,
        directory: filesystem.directory
      });
      return filesystem.convertFileSrc(uri);
    } catch {
      return null;
    }
  }
 }
--- a/toju-app/src/app/domains/attachment/infrastructure/services/capacitor-attachment-filesystem.adapter.ts
+++ b/toju-app/src/app/domains/attachment/infrastructure/services/capacitor-attachment-filesystem.adapter.ts
@@ -0,0 +1,50 @@
 type CapacitorFilesystemModule = typeof import('@capacitor/filesystem');
 type CapacitorCoreModule = typeof import('@capacitor/core');
 /**
 * Minimal Capacitor Filesystem surface the attachment store depends on, plus the
 * `Directory` enum and `convertFileSrc` helper. Loaded lazily so the desktop and
 * browser builds never statically import `@capacitor/*` (see LESSONS:
 * "Lazy-load Capacitor modules on Electron/desktop").
 */
 export interface CapacitorAttachmentFilesystem {
  filesystem: CapacitorFilesystemModule['Filesystem'];
  directory: CapacitorFilesystemModule['Directory'][keyof CapacitorFilesystemModule['Directory']];
  convertFileSrc: (url: string) => string;
 }
 let cachedFilesystem: Promise<CapacitorAttachmentFilesystem | null> | null = null;
 /**
 * Resolve the Capacitor Filesystem plugin (scoped to the app `Data` directory)
 * on native shells. Returns `null` on web/Electron or when the plugin is
 * unavailable.
 */
 export function loadCapacitorAttachmentFilesystem(): Promise<CapacitorAttachmentFilesystem | null> {
  cachedFilesystem ??= resolveCapacitorAttachmentFilesystem();
  return cachedFilesystem;
 }
 async function resolveCapacitorAttachmentFilesystem(): Promise<CapacitorAttachmentFilesystem | null> {
  if (typeof window === 'undefined') {
    return null;
  }
  try {
    const filesystemModule: CapacitorFilesystemModule = await import('@capacitor/filesystem');
    const coreModule: CapacitorCoreModule = await import('@capacitor/core');
    if (!coreModule.Capacitor.isNativePlatform()) {
      return null;
    }
    return {
      filesystem: filesystemModule.Filesystem,
      directory: filesystemModule.Directory.Data,
      convertFileSrc: (url: string) => coreModule.Capacitor.convertFileSrc(url)
    };
  } catch {
    return null;
  }
 }
--- a/toju-app/src/app/domains/attachment/infrastructure/services/electron-attachment-file-store.ts
+++ b/toju-app/src/app/domains/attachment/infrastructure/services/electron-attachment-file-store.ts
@@ -0,0 +1,172 @@
 import { Injectable, inject } from '@angular/core';
 import { ElectronBridgeService } from '../../../../core/platform/electron/electron-bridge.service';
 import type { AttachmentFileStore } from './attachment-file-store';
 /** Attachment file store backed by the Electron main-process filesystem (IPC). */
@Injectable({ providedIn: 'root' })
 export class ElectronAttachmentFileStore implements AttachmentFileStore {
  readonly maxPersistableBytes = Number.POSITIVE_INFINITY;
  readonly supportsStreamingToDisk = true;
  readonly supportsChunkedReads = true;
  readonly providesInlineObjectUrl = false;
  private readonly electronBridge = inject(ElectronBridgeService);
  get isAvailable(): boolean {
    const electronApi = this.electronBridge.getApi();
    return !!electronApi?.appendFile && !!electronApi.writeFile && !!electronApi.getAppDataPath;
  }
  async getAppDataPath(): Promise<string | null> {
    const electronApi = this.electronBridge.getApi();
    if (!electronApi) {
      return null;
    }
    try {
      return await electronApi.getAppDataPath();
    } catch {
      return null;
    }
  }
  async ensureDir(dirPath: string): Promise<boolean> {
    const electronApi = this.electronBridge.getApi();
    if (!electronApi?.ensureDir || !dirPath) {
      return false;
    }
    try {
      return await electronApi.ensureDir(dirPath);
    } catch {
      return false;
    }
  }
  async writeFile(filePath: string, base64Data: string): Promise<boolean> {
    const electronApi = this.electronBridge.getApi();
    if (!electronApi?.writeFile || !filePath) {
      return false;
    }
    try {
      return await electronApi.writeFile(filePath, base64Data);
    } catch {
      return false;
    }
  }
  async appendFile(filePath: string, base64Data: string): Promise<boolean> {
    const electronApi = this.electronBridge.getApi();
    if (!electronApi?.appendFile || !filePath) {
      return false;
    }
    try {
      return await electronApi.appendFile(filePath, base64Data);
    } catch {
      return false;
    }
  }
  async readFile(filePath: string): Promise<string | null> {
    const electronApi = this.electronBridge.getApi();
    if (!electronApi || !filePath) {
      return null;
    }
    try {
      return await electronApi.readFile(filePath);
    } catch {
      return null;
    }
  }
  async readFileChunk(filePath: string, start: number, end: number): Promise<string | null> {
    const electronApi = this.electronBridge.getApi();
    if (!electronApi?.readFileChunk || !filePath) {
      return null;
    }
    try {
      return await electronApi.readFileChunk(filePath, start, end);
    } catch {
      return null;
    }
  }
  async getFileSize(filePath: string): Promise<number | null> {
    const electronApi = this.electronBridge.getApi();
    if (!electronApi?.getFileSize || !filePath) {
      return null;
    }
    try {
      return await electronApi.getFileSize(filePath);
    } catch {
      return null;
    }
  }
  async fileExists(filePath: string): Promise<boolean> {
    const electronApi = this.electronBridge.getApi();
    if (!electronApi?.fileExists || !filePath) {
      return false;
    }
    try {
      return await electronApi.fileExists(filePath);
    } catch {
      return false;
    }
  }
  async copyFile(sourceFilePath: string, destinationFilePath: string): Promise<boolean> {
    const electronApi = this.electronBridge.getApi();
    if (!electronApi?.copyFile || !sourceFilePath || !destinationFilePath) {
      return false;
    }
    try {
      return await electronApi.copyFile(sourceFilePath, destinationFilePath);
    } catch {
      return false;
    }
  }
  async deleteFile(filePath: string): Promise<void> {
    const electronApi = this.electronBridge.getApi();
    if (!electronApi || !filePath) {
      return;
    }
    try {
      await electronApi.deleteFile(filePath);
    } catch { /* best-effort cleanup */ }
  }
  async getFileUrl(filePath: string): Promise<string | null> {
    const electronApi = this.electronBridge.getApi();
    if (!electronApi?.getFileUrl || !filePath) {
      return null;
    }
    try {
      return await electronApi.getFileUrl(filePath);
    } catch {
      return null;
    }
  }
 }
--- a/toju-app/src/app/domains/authentication/application/services/message-signing.service.ts
+++ b/toju-app/src/app/domains/authentication/application/services/message-signing.service.ts
@@ -101,7 +101,20 @@ export class MessageSigningService {
    const stored = this.readStoredKeyPair();
    if (stored) {
-      const [publicKey, privateKey] = await Promise.all([crypto.subtle.importKey('jwk', stored.publicKeyJwk, { name: 'Ed25519' }, true, ['verify']), crypto.subtle.importKey('jwk', stored.privateKeyJwk, { name: 'Ed25519' }, false, ['sign'])]);
+      const publicKey = await crypto.subtle.importKey(
        'jwk',
        stored.publicKeyJwk,
        { name: 'Ed25519' },
        true,
        ['verify']
      );
      const privateKey = await crypto.subtle.importKey(
        'jwk',
        stored.privateKeyJwk,
        { name: 'Ed25519' },
        false,
        ['sign']
      );
      return { publicKey, privateKey };
    }
@@ -111,7 +124,8 @@ export class MessageSigningService {
      true,
      ['sign', 'verify']
    );
-    const [publicKeyJwk, privateKeyJwk] = await Promise.all([crypto.subtle.exportKey('jwk', generated.publicKey), crypto.subtle.exportKey('jwk', generated.privateKey)]);
+    const publicKeyJwk = await crypto.subtle.exportKey('jwk', generated.publicKey);
    const privateKeyJwk = await crypto.subtle.exportKey('jwk', generated.privateKey);
    this.writeStoredKeyPair({ publicKeyJwk, privateKeyJwk });
--- a/toju-app/src/app/domains/authentication/domain/logic/auth-navigation.rules.spec.ts
+++ b/toju-app/src/app/domains/authentication/domain/logic/auth-navigation.rules.spec.ts
@@ -9,6 +9,7 @@ import { UsersActions } from '../../../../store/users/users.actions';
 import {
  buildLoginReturnQueryParams,
  resolveSafeReturnUrl,
  resolveUnauthenticatedStartupRedirect,
  waitForAuthenticationOutcome
 } from './auth-navigation.rules';
@@ -55,6 +56,39 @@ describe('buildLoginReturnQueryParams', () => {
  });
 });
 describe('resolveUnauthenticatedStartupRedirect', () => {
  it('sends signed-out visitors on the dashboard/root to login (no mobile exception)', () => {
    expect(resolveUnauthenticatedStartupRedirect('/dashboard')).toEqual({
      path: '/login',
      queryParams: {}
    });
    expect(resolveUnauthenticatedStartupRedirect('/')).toEqual({
      path: '/login',
      queryParams: { returnUrl: '/' }
    });
  });
  it('preserves a safe returnUrl when redirecting from a protected route', () => {
    expect(resolveUnauthenticatedStartupRedirect('/servers')).toEqual({
      path: '/login',
      queryParams: { returnUrl: '/servers' }
    });
    expect(resolveUnauthenticatedStartupRedirect('/room/abc')).toEqual({
      path: '/login',
      queryParams: { returnUrl: '/room/abc' }
    });
  });
  it('leaves public auth/invite routes untouched', () => {
    expect(resolveUnauthenticatedStartupRedirect('/login')).toBeNull();
    expect(resolveUnauthenticatedStartupRedirect('/login?returnUrl=%2Fservers')).toBeNull();
    expect(resolveUnauthenticatedStartupRedirect('/register')).toBeNull();
    expect(resolveUnauthenticatedStartupRedirect('/invite/abc123')).toBeNull();
  });
 });
 describe('waitForAuthenticationOutcome', () => {
  it('resolves when authentication storage preparation succeeds', async () => {
    const user = {
--- a/toju-app/src/app/domains/authentication/domain/logic/auth-navigation.rules.ts
+++ b/toju-app/src/app/domains/authentication/domain/logic/auth-navigation.rules.ts
@@ -18,10 +18,41 @@ export type AuthenticationOutcome =
  | { kind: 'success'; user: User }
  | { kind: 'failure'; error: string };
 export interface UnauthenticatedStartupRedirect {
  path: string;
  queryParams: Record<string, string>;
 }
 export function isAuthRoutePath(path: string): boolean {
  return AUTH_ROUTE_PATHS.has(path);
 }
 /** Routes a signed-out visitor may stay on without being bounced to login. */
 export function isPublicStartupUrl(url: string): boolean {
  const path = getRoutePathFromUrl(url);
  return isAuthRoutePath(path) || path.startsWith('/invite/');
 }
 /**
 * Decides where an unauthenticated visitor should land at startup. Signed-out
 * users are always sent to `/login` (regardless of viewport) so mobile users are
 * greeted with the login screen instead of a logged-out dashboard. Public routes
 * (`/login`, `/register`, `/invite/...`) are left untouched (return `null`).
 */
 export function resolveUnauthenticatedStartupRedirect(
  currentUrl: string
 ): UnauthenticatedStartupRedirect | null {
  if (isPublicStartupUrl(currentUrl)) {
    return null;
  }
  return {
    path: '/login',
    queryParams: buildLoginReturnQueryParams(currentUrl)
  };
 }
 export function getRoutePathFromUrl(url: string): string {
  if (!url) {
    return '/';
--- a/toju-app/src/app/domains/chat/README.md
+++ b/toju-app/src/app/domains/chat/README.md
@@ -97,6 +97,10 @@ sequenceDiagram
    User->>DC: broadcastMessage(delete-message)
 ```
 ### Attachment binding (pre-allocated message id)
 `ChatMessagesComponent.handleMessageSubmitted` pre-allocates the message id via `planChatMessageSend` (`domain/rules/chat-message-send.rules.ts`), passes it to `MessagesActions.sendMessage({ id, ... })`, and binds any pending files to that **same** id with `AttachmentFacade.publishAttachments(id, ...)`. The send effect honours a provided `id` (falling back to a fresh UUID). Never re-discover the just-sent message by matching its `content` to attach files — caption-less media all share an empty content string, so a content match is ambiguous and races the async create-effect, grouping attachments onto a sibling bubble and leaving an empty message behind.
 ## Message integrity
 Outgoing creates/edits/deletes also emit signed `message-revision` events and persist revision audit rows locally. Sync inventories include `revision` and `headHash`; merge prefers a verified higher revision over legacy timestamp comparison. See `agents-docs/features/message-integrity.md` and `MessageRevisionService`.
--- a/toju-app/src/app/domains/chat/domain/rules/chat-message-send.rules.spec.ts
+++ b/toju-app/src/app/domains/chat/domain/rules/chat-message-send.rules.spec.ts
@@ -0,0 +1,79 @@
 import {
  describe,
  expect,
  it
 } from 'vitest';
 import { planChatMessageSend } from './chat-message-send.rules';
 function makeFile(name: string): File {
  return new File([
    new Uint8Array([
      1,
      2,
      3
    ])
  ], name, { type: 'video/mp4' });
 }
 describe('planChatMessageSend', () => {
  it('binds attachments to the exact id carried by the dispatched action', () => {
    const video = makeFile('clip.mp4');
    const plan = planChatMessageSend({
      generateId: () => 'msg-123',
      content: '',
      pendingFiles: [video]
    });
    expect(plan.action.id).toBe('msg-123');
    expect(plan.attachmentBinding).not.toBeNull();
    // The whole point of the fix: same id for the action and the attachment binding.
    expect(plan.attachmentBinding?.messageId).toBe(plan.action.id);
    expect(plan.attachmentBinding?.files).toEqual([video]);
  });
  it('gives each caption-less media send a distinct id so attachments never group onto a sibling', () => {
    const ids = ['msg-1', 'msg-2'];
    let call = 0;
    const generateId = () => ids[call++];
    const first = planChatMessageSend({ generateId, content: '', pendingFiles: [makeFile('first.mp4')] });
    const second = planChatMessageSend({ generateId, content: '', pendingFiles: [makeFile('second.mp4')] });
    expect(first.action.id).toBe('msg-1');
    expect(second.action.id).toBe('msg-2');
    expect(first.action.id).not.toBe(second.action.id);
    expect(first.attachmentBinding?.messageId).toBe('msg-1');
    expect(second.attachmentBinding?.messageId).toBe('msg-2');
  });
  it('produces no attachment binding when there are no pending files', () => {
    const plan = planChatMessageSend({
      generateId: () => 'msg-text-only',
      content: 'hello',
      pendingFiles: [],
      replyToId: 'reply-1',
      channelId: 'general'
    });
    expect(plan.attachmentBinding).toBeNull();
    expect(plan.action).toEqual({
      id: 'msg-text-only',
      content: 'hello',
      replyToId: 'reply-1',
      channelId: 'general'
    });
  });
  it('normalizes a null channel id to undefined', () => {
    const plan = planChatMessageSend({
      generateId: () => 'msg-x',
      content: 'hi',
      pendingFiles: [],
      channelId: null
    });
    expect(plan.action.channelId).toBeUndefined();
  });
 });
--- a/toju-app/src/app/domains/chat/domain/rules/chat-message-send.rules.ts
+++ b/toju-app/src/app/domains/chat/domain/rules/chat-message-send.rules.ts
@@ -0,0 +1,52 @@
 /**
 * Pure planning for an outgoing chat message and its attachments.
 *
 * The single invariant this module guarantees is that the id carried by the
 * dispatched `Send Message` action is the *same* id used to bind any pending
 * attachments. Earlier code dispatched the message without an id and then
 * tried to re-discover the just-created message by matching its `content`.
 * For caption-less media (content === '') that match is ambiguous and races
 * the asynchronous message-create effect, so an attachment could bind to a
 * sibling message - grouping a video onto the bubble above and leaving an
 * empty message behind (Android-visible, but a latent bug on every platform).
 */
 export interface ChatMessageSendAction {
  id: string;
  content: string;
  replyToId?: string;
  channelId?: string;
 }
 export interface ChatMessageAttachmentBinding {
  messageId: string;
  files: File[];
 }
 export interface ChatMessageSendPlan {
  action: ChatMessageSendAction;
  attachmentBinding: ChatMessageAttachmentBinding | null;
 }
 export interface ChatMessageSendInput {
  generateId: () => string;
  content: string;
  pendingFiles: File[];
  replyToId?: string;
  channelId?: string | null;
 }
 export function planChatMessageSend(input: ChatMessageSendInput): ChatMessageSendPlan {
  const id = input.generateId();
  return {
    action: {
      id,
      content: input.content,
      replyToId: input.replyToId,
      channelId: input.channelId ?? undefined
    },
    attachmentBinding: input.pendingFiles.length > 0
      ? { messageId: id, files: input.pendingFiles }
      : null
  };
 }
--- a/toju-app/src/app/domains/chat/domain/rules/message-revision.builder.rules.ts
+++ b/toju-app/src/app/domains/chat/domain/rules/message-revision.builder.rules.ts
@@ -10,8 +10,6 @@ import {
  getMessageRevision,
  resolveMessageRevision
 } from './message-integrity.rules';
 import { getMessageTimestamp } from './message.rules';
 export interface BuildMessageRevisionInput {
  message: Message;
  type: MessageRevisionType;
--- a/toju-app/src/app/domains/chat/domain/rules/message-sync.rules.spec.ts
+++ b/toju-app/src/app/domains/chat/domain/rules/message-sync.rules.spec.ts
@@ -7,7 +7,10 @@ import { findMissingIds } from './message-sync.rules';
 describe('message-sync.rules', () => {
  it('requests ids with newer revision or mismatched head hash', () => {
-    const localMap = new Map([['m1', { ts: 10, rc: 0, ac: 0, revision: 1, headHash: 'aaa' }], ['m2', { ts: 10, rc: 0, ac: 0, revision: 2, headHash: 'bbb' }]]);
+    const localMap = new Map<string, { ts: number; rc: number; ac: number; revision: number; headHash: string }>();
    localMap.set('m1', { ts: 10, rc: 0, ac: 0, revision: 1, headHash: 'aaa' });
    localMap.set('m2', { ts: 10, rc: 0, ac: 0, revision: 2, headHash: 'bbb' });
    const missing = findMissingIds([
      { id: 'm1', ts: 10, rc: 0, ac: 0, revision: 2, headHash: 'ccc' },
      { id: 'm2', ts: 10, rc: 0, ac: 0, revision: 2, headHash: 'bbb' },
--- a/toju-app/src/app/domains/chat/feature/chat-messages/chat-messages.component.ts
+++ b/toju-app/src/app/domains/chat/feature/chat-messages/chat-messages.component.ts
@@ -11,6 +11,7 @@ import {
 import { toObservable, toSignal } from '@angular/core/rxjs-interop';
 import { switchMap } from 'rxjs/operators';
 import { Store } from '@ngrx/store';
 import { v4 as uuidv4 } from 'uuid';
 import { ElectronBridgeService } from '../../../../core/platform/electron/electron-bridge.service';
 import { ViewportService } from '../../../../core/platform';
 import { BottomSheetComponent } from '../../../../shared';
@@ -36,6 +37,7 @@ import { KlipyGifPickerComponent } from '../klipy-gif-picker/klipy-gif-picker.co
 import { ChatMessageListComponent } from './components/message-list/chat-message-list.component';
 import { ChatMessageOverlaysComponent } from './components/message-overlays/chat-message-overlays.component';
 import { stepLightboxIndex } from '../../domain/rules/chat-message-lightbox.rules';
 import { planChatMessageSend } from '../../domain/rules/chat-message-send.rules';
 import {
  ChatLightboxState,
  ChatMessageComposerSubmitEvent,
@@ -117,18 +119,20 @@ export class ChatMessagesComponent {
  handleMessageSubmitted(event: ChatMessageComposerSubmitEvent): void {
    this.messageList?.scrollToBottomAfterLocalSend();
-    this.store.dispatch(
+    const plan = planChatMessageSend({
-      MessagesActions.sendMessage({
+      generateId: uuidv4,
-        content: event.content,
+      content: event.content,
-        replyToId: this.replyTo()?.id,
+      pendingFiles: event.pendingFiles,
-        channelId: this.activeChannelId()
+      replyToId: this.replyTo()?.id,
-      })
+      channelId: this.activeChannelId()
-    );
+    });
    this.store.dispatch(MessagesActions.sendMessage(plan.action));
    this.clearReply();
-    if (event.pendingFiles.length > 0) {
+    if (plan.attachmentBinding) {
-      setTimeout(() => this.attachFilesToLastOwnMessage(event.content, event.pendingFiles), 100);
+      this.attachFilesToMessage(plan.attachmentBinding.messageId, plan.attachmentBinding.files);
    }
  }
@@ -493,21 +497,14 @@ export class ChatMessagesComponent {
    });
  }
-  private attachFilesToLastOwnMessage(content: string, pendingFiles: File[]): void {
+  private attachFilesToMessage(messageId: string, pendingFiles: File[]): void {
    const currentUserId = this.currentUser()?.id;
    const roomId = this.currentRoom()?.id;
-    if (!currentUserId)
+    if (roomId) {
-      return;
+      this.attachmentsSvc.rememberMessageRoom(messageId, roomId);
    const message = [...this.channelMessages()]
      .reverse()
      .find((entry) => entry.senderId === currentUserId && entry.content === content && !entry.isDeleted);
    if (!message) {
      setTimeout(() => this.attachFilesToLastOwnMessage(content, pendingFiles), 150);
      return;
    }
-    this.attachmentsSvc.publishAttachments(message.id, pendingFiles, currentUserId || undefined);
+    this.attachmentsSvc.publishAttachments(messageId, pendingFiles, currentUserId || undefined);
  }
 }
--- a/toju-app/src/app/domains/chat/feature/chat-messages/components/message-item/chat-message-item.component.html
+++ b/toju-app/src/app/domains/chat/feature/chat-messages/components/message-item/chat-message-item.component.html
@@ -413,7 +413,7 @@
                          <div class="text-xs text-muted-foreground">{{ formatBytes(att.size) }}</div>
                        </div>
                        <div class="flex items-center gap-2">
-                          @if (!att.isUploader) {
+                          @if (!att.isSharingFromThisDevice) {
                            @if (!att.available) {
                              <div class="h-1.5 w-24 rounded bg-muted">
                                <div
--- a/toju-app/src/app/domains/chat/feature/chat-messages/components/message-item/chat-message-item.component.ts
+++ b/toju-app/src/app/domains/chat/feature/chat-messages/components/message-item/chat-message-item.component.ts
@@ -38,6 +38,7 @@ import {
 import {
  Attachment,
  AttachmentFacade,
  isSharingFromThisDevice,
  MAX_BROWSER_INLINE_MEDIA_SIZE_BYTES,
  MAX_AUTO_SAVE_SIZE_BYTES
 } from '../../../../../attachment';
@@ -107,7 +108,7 @@ interface ChatMessageAttachmentViewModel extends Attachment {
  canUseExperimentalPlayer: boolean;
  experimentalPlayerActive: boolean;
  isAudio: boolean;
-  isUploader: boolean;
+  isSharingFromThisDevice: boolean;
  isVideo: boolean;
  mediaActionLabel: string;
  mediaStatusText: string;
@@ -711,10 +712,8 @@ export class ChatMessageItemComponent implements OnDestroy {
    return attachment.requestError ? this.appI18n.instant('chat.message.retry') : this.appI18n.instant('chat.message.request');
  }
-  isUploader(attachment: Attachment): boolean {
+  isSharingFromThisDevice(attachment: Attachment): boolean {
-    const currentUserId = this.currentUserId();
+    return isSharingFromThisDevice(attachment, this.currentUserId());
    return !!attachment.uploaderPeerId && !!currentUserId && attachment.uploaderPeerId === currentUserId;
  }
  requestAttachment(attachment: Attachment): void {
@@ -860,7 +859,7 @@ export class ChatMessageItemComponent implements OnDestroy {
      canUseExperimentalPlayer,
      experimentalPlayerActive: canUseExperimentalPlayer && this.experimentalPlayerAttachmentId() === attachment.id,
      isAudio,
-      isUploader: this.isUploader(attachment),
+      isSharingFromThisDevice: this.isSharingFromThisDevice(attachment),
      isVideo,
      mediaActionLabel: requiresMediaDownloadAcceptance
        ? attachment.requestError
--- a/toju-app/src/app/domains/custom-emoji/application/custom-emoji.service.spec.ts
+++ b/toju-app/src/app/domains/custom-emoji/application/custom-emoji.service.spec.ts
@@ -163,6 +163,62 @@ describe('CustomEmojiService', () => {
    ]);
  });
  it('binds the saved library to the active user so switching users on one client does not leak emoji', async () => {
    const dataUrl = 'data:image/webp;base64,QUJDRA==';
    const hash = await hashText(dataUrl);
    const ownerEmoji = customEmoji({
      id: 'owner-emoji',
      creatorUserId: 'user-1',
      dataUrl,
      hash,
      size: 4,
      savedByUser: true
    });
    // A shared client database (Electron-style) returns user-1's row for everyone.
    vi.mocked(db.getCustomEmojis).mockResolvedValue([ownerEmoji]);
    const service = createService();
    await service.loadForUser('user-1');
    expect(service.emojis().map((emoji) => emoji.id)).toEqual(['owner-emoji']);
    expect(service.isEmojiInLibrary('owner-emoji')).toBe(true);
    await service.loadForUser('user-2');
    expect(service.emojis()).toEqual([]);
    expect(service.isEmojiInLibrary('owner-emoji')).toBe(false);
    await service.loadForUser('user-1');
    expect(service.emojis().map((emoji) => emoji.id)).toEqual(['owner-emoji']);
  });
  it('keeps a peer emoji the active user explicitly saved scoped to that user', async () => {
    const dataUrl = 'data:image/webp;base64,QUJDRA==';
    const peerEmoji = customEmoji({
      id: 'peer-emoji',
      creatorUserId: 'peer-9',
      dataUrl,
      hash: await hashText(dataUrl),
      size: 4
    });
    vi.mocked(db.getCustomEmojis).mockResolvedValue([peerEmoji]);
    const service = createService();
    await service.loadForUser('user-1');
    expect(service.emojis()).toEqual([]);
    await service.saveEmojiToLibrary('peer-emoji');
    expect(service.isEmojiInLibrary('peer-emoji')).toBe(true);
    expect(service.emojis().map((emoji) => emoji.id)).toEqual(['peer-emoji']);
    await service.loadForUser('user-2');
    expect(service.isEmojiInLibrary('peer-emoji')).toBe(false);
    expect(service.emojis()).toEqual([]);
  });
  it('pushes referenced custom emoji assets to every connected peer without waiting for a request', async () => {
    const service = createService();
    const dataUrl = 'data:image/webp;base64,QUJDRA==';
--- a/toju-app/src/app/domains/custom-emoji/application/custom-emoji.service.ts
+++ b/toju-app/src/app/domains/custom-emoji/application/custom-emoji.service.ts
@@ -33,6 +33,7 @@ import {
 } from '../domain/custom-emoji.rules';
 const USAGE_STORAGE_PREFIX = 'metoyou_custom_emoji_usage:';
 const SAVED_STORAGE_PREFIX = 'metoyou_custom_emoji_saved:';
 interface PendingCustomEmojiTransfer {
  chunks: (string | undefined)[];
@@ -46,21 +47,32 @@ export class CustomEmojiService {
  private readonly webrtc = inject(RealtimeSessionFacade);
  private readonly emojisState = signal<CustomEmoji[]>([]);
  private readonly usageState = signal<ReadonlyMap<string, number>>(new Map());
  private readonly savedIdsState = signal<ReadonlySet<string>>(new Set());
  private readonly pendingTransfers = new Map<string, PendingCustomEmojiTransfer>();
  private activeUserId: string | null = null;
  private loaded = false;
-  readonly emojis = computed(() => this.emojisState().filter((emoji) => this.isSavedEmoji(emoji)));
+  readonly emojis = computed(() => {
    const savedIds = this.savedIdsState();
    return this.emojisState().filter((emoji) => savedIds.has(emoji.id));
  });
  readonly shortcutEntries = computed(() => selectEmojiShortcutEntries({
    customEmojis: this.emojis(),
    usage: this.usageState()
  }));
  async loadForUser(userId: string | null | undefined): Promise<void> {
    this.activeUserId = userId ?? null;
    const emojis = await this.db.getCustomEmojis();
    const merged = new Map(this.emojisState().map((emoji) => [emoji.id, emoji]));
    const validEmojis: CustomEmoji[] = [];
    for (const emoji of emojis) {
      if (await this.isValidRemoteEmoji(emoji)) {
        validEmojis.push(emoji);
        const existing = merged.get(emoji.id);
        if (!existing || existing.updatedAt < emoji.updatedAt) {
@@ -73,6 +85,7 @@ export class CustomEmojiService {
    }
    this.emojisState.set([...merged.values()].sort((first, second) => second.updatedAt - first.updatedAt));
    this.savedIdsState.set(this.resolveSavedIds(this.activeUserId, validEmojis));
    this.usageState.set(this.readUsage(userId));
    this.loaded = true;
  }
@@ -92,6 +105,8 @@ export class CustomEmojiService {
      throw new Error(validation.reason ?? 'Invalid emoji image.');
    }
    this.activeUserId = userId;
    const dataUrl = await this.readFileAsDataUrl(file);
    const now = Date.now();
    const emoji: CustomEmoji = {
@@ -134,6 +149,14 @@ export class CustomEmojiService {
    const nextEmojis = [nextEmoji, ...this.emojisState().filter((entry) => entry.id !== nextEmoji.id)];
    this.emojisState.set(nextEmojis.sort((first, second) => second.updatedAt - first.updatedAt));
    // Library membership is bound to the active user. The asset is now known to
    // everyone on this client, but it only enters *this* user's picker when the
    // payload says it is saved (own creation / own broadcast), never when another
    // local account synced or received it.
    if (emoji.savedByUser === true || existing?.savedByUser) {
      this.markEmojiSaved(nextEmoji.id);
    }
  }
  findEmoji(id: string): CustomEmoji | undefined {
@@ -147,15 +170,13 @@ export class CustomEmojiService {
  }
  isEmojiInLibrary(id: string): boolean {
-    const emoji = this.findEmoji(id);
+    return this.savedIdsState().has(id);
    return !!emoji && this.isSavedEmoji(emoji);
  }
  async saveEmojiToLibrary(id: string): Promise<void> {
    const emoji = this.findEmoji(id);
-    if (!emoji || this.isSavedEmoji(emoji)) {
+    if (!emoji || this.isEmojiInLibrary(id)) {
      return;
    }
@@ -166,12 +187,13 @@ export class CustomEmojiService {
    await this.db.saveCustomEmoji(savedEmoji);
    this.emojisState.set(this.emojisState().map((entry) => entry.id === id ? savedEmoji : entry));
    this.markEmojiSaved(id);
  }
  async removeEmojiFromLibrary(id: string): Promise<void> {
    const emoji = this.findEmoji(id);
-    if (!emoji || !this.isSavedEmoji(emoji)) {
+    if (!emoji || !this.isEmojiInLibrary(id)) {
      return;
    }
@@ -182,6 +204,7 @@ export class CustomEmojiService {
    await this.db.saveCustomEmoji(unsavedEmoji);
    this.emojisState.set(this.emojisState().map((entry) => entry.id === id ? unsavedEmoji : entry));
    this.unmarkEmojiSaved(id);
  }
  recordUsage(entry: EmojiShortcutEntry, userId: string | null | undefined): void {
@@ -317,6 +340,46 @@ export class CustomEmojiService {
    const peers = this.webrtc.getConnectedPeers();
    await Promise.all(peers.map((peerId) => this.sendEmojiToPeer(peerId, emoji)));
    await this.relayEmojiViaAccountSync(emoji);
  }
  private async relayEmojiViaAccountSync(emoji: CustomEmoji): Promise<void> {
    if (canInlineCustomEmojiTransfer(emoji)) {
      this.webrtc.relayAccountSync({
        type: 'custom-emoji-full',
        customEmoji: emoji
      });
      return;
    }
    const transfer = splitCustomEmojiDataUrl(emoji.dataUrl);
    const manifest: CustomEmojiTransferManifest = {
      id: emoji.id,
      name: emoji.name,
      creatorUserId: emoji.creatorUserId,
      hash: emoji.hash,
      mime: emoji.mime,
      size: emoji.size,
      createdAt: emoji.createdAt,
      updatedAt: emoji.updatedAt
    };
    this.webrtc.relayAccountSync({
      type: 'custom-emoji-full',
      customEmojiTransfer: manifest,
      total: transfer.total
    });
    for (let chunkIndex = 0; chunkIndex < transfer.chunks.length; chunkIndex++) {
      this.webrtc.relayAccountSync({
        type: 'custom-emoji-chunk',
        customEmojiId: emoji.id,
        index: chunkIndex,
        total: transfer.total,
        data: transfer.chunks[chunkIndex]
      });
    }
  }
  private async sendEmojiToPeer(peerId: string, emoji: CustomEmoji): Promise<void> {
@@ -374,8 +437,95 @@ export class CustomEmojiService {
    return CUSTOM_EMOJI_ALLOWED_MIME_TYPES.includes(mime.toLowerCase() as typeof CUSTOM_EMOJI_ALLOWED_MIME_TYPES[number]);
  }
-  private isSavedEmoji(emoji: CustomEmoji): boolean {
+  /**
-    return emoji.savedByUser !== false;
+   * Resolve the active user's saved-library membership. Membership is bound to
   * the user (not the client) so a second account on the same device never
   * inherits another user's picker. A persisted per-user set wins; on first run
   * we seed it from legacy `savedByUser` rows the user actually created, so the
   * creator keeps their library after the upgrade while other local accounts
   * stay empty.
   */
  private resolveSavedIds(userId: string | null, emojis: readonly CustomEmoji[]): ReadonlySet<string> {
    const stored = this.readSavedIds(userId);
    if (stored) {
      return stored;
    }
    if (!userId) {
      return new Set();
    }
    const seeded = new Set(
      emojis
        .filter((emoji) => emoji.savedByUser !== false && emoji.creatorUserId === userId)
        .map((emoji) => emoji.id)
    );
    this.writeSavedIds(userId, seeded);
    return seeded;
  }
  private markEmojiSaved(id: string): void {
    if (this.savedIdsState().has(id)) {
      return;
    }
    const next = new Set(this.savedIdsState());
    next.add(id);
    this.savedIdsState.set(next);
    this.writeSavedIds(this.activeUserId, next);
  }
  private unmarkEmojiSaved(id: string): void {
    if (!this.savedIdsState().has(id)) {
      return;
    }
    const next = new Set(this.savedIdsState());
    next.delete(id);
    this.savedIdsState.set(next);
    this.writeSavedIds(this.activeUserId, next);
  }
  private readSavedIds(userId: string | null): ReadonlySet<string> | null {
    if (!userId || typeof localStorage === 'undefined') {
      return null;
    }
    try {
      const raw = localStorage.getItem(`${SAVED_STORAGE_PREFIX}${userId}`);
      if (raw === null) {
        return null;
      }
      const parsed = JSON.parse(raw) as unknown;
      if (!Array.isArray(parsed)) {
        return null;
      }
      return new Set(parsed.filter((value): value is string => typeof value === 'string'));
    } catch {
      return null;
    }
  }
  private writeSavedIds(userId: string | null, savedIds: ReadonlySet<string>): void {
    if (!userId || typeof localStorage === 'undefined') {
      return;
    }
    try {
      localStorage.setItem(`${SAVED_STORAGE_PREFIX}${userId}`, JSON.stringify([...savedIds]));
    } catch {
      // localStorage may be unavailable (private mode / quota); membership then
      // lives in-memory for this session, which is acceptable.
    }
  }
  private readUsage(userId: string | null | undefined): ReadonlyMap<string, number> {
--- a/toju-app/src/app/domains/direct-message/application/services/friend.service.ts
+++ b/toju-app/src/app/domains/direct-message/application/services/friend.service.ts
@@ -7,6 +7,7 @@ import {
  signal
 } from '@angular/core';
 import { Store } from '@ngrx/store';
 import { RealtimeSessionFacade } from '../../../../core/realtime';
 import { FriendRepository } from '../../infrastructure/friend.repository';
 import type { Friend } from '../../domain/models/direct-message.model';
 import { selectCurrentUser } from '../../../../store/users/users.selectors';
@@ -15,6 +16,7 @@ import { selectCurrentUser } from '../../../../store/users/users.selectors';
 export class FriendService {
  private readonly repository = inject(FriendRepository);
  private readonly store = inject(Store);
  private readonly webrtc = inject(RealtimeSessionFacade);
  private readonly currentUser = this.store.selectSignal(selectCurrentUser);
  private readonly friendsSignal = signal<Friend[]>([]);
  private loadedOwnerId: string | null = null;
@@ -36,11 +38,42 @@ export class FriendService {
    await this.repository.addFriend(ownerId, friend);
    await this.loadForOwner(ownerId, true);
    this.webrtc.relayAccountSync({
      type: 'friend-added',
      userId,
      addedAt: friend.addedAt
    });
  }
  async removeFriend(userId: string): Promise<void> {
    const ownerId = await this.requireOwnerId();
    await this.repository.removeFriend(ownerId, userId);
    await this.loadForOwner(ownerId, true);
    this.webrtc.relayAccountSync({
      type: 'friend-removed',
      userId
    });
  }
  async applyRemoteFriendAdded(userId: string, addedAt: number): Promise<void> {
    const ownerId = await this.requireOwnerId();
    if (this.isFriend(userId)) {
      return;
    }
    await this.repository.addFriend(ownerId, { userId, addedAt });
    await this.loadForOwner(ownerId, true);
  }
  async applyRemoteFriendRemoved(userId: string): Promise<void> {
    const ownerId = await this.requireOwnerId();
    if (!this.isFriend(userId)) {
      return;
    }
    await this.repository.removeFriend(ownerId, userId);
    await this.loadForOwner(ownerId, true);
  }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Myx	9981aee602	chore: Update dev run All checks were successful Queue Release Build / prepare (push) Successful in 20s Details Deploy Web Apps / deploy (push) Successful in 9m11s Details Queue Release Build / build-windows (push) Successful in 28m8s Details Queue Release Build / build-linux (push) Successful in 46m49s Details Queue Release Build / build-android (push) Successful in 20m54s Details Queue Release Build / finalize (push) Successful in 2m15s Details	2026-06-11 12:32:15 +02:00
Myx	31962aeb1a	fix: restore build and stabilize E2E cross-signal behavior Revert the automated member-ordering pass that broke Angular field init (TS2729) and disable that rule until a safe reorder strategy exists. Fix modal/confirm dialog i18n defaults via template fallbacks, search all active endpoints (including offline), register foreign rooms with actor owner IDs, sync profile display names from avatar summaries, and guard dm-chat when a private call converts to a group conversation. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-06-11 12:16:40 +02:00
Myx	79c6f91cd6	chore: enforce lint across codebase and ban "maybe" in identifiers Remove member-ordering and complexity eslint-disable comments by reordering class members and applying targeted fixes. Add metoyou/no-maybe-in-naming, type-safe WebRTC e2e harness helpers, and resolve remaining lint errors so npm run lint exits cleanly. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-06-11 11:08:26 +02:00
Myx	b630bacdc6	test: fix most e2e tests	2026-06-11 10:21:28 +02:00
Myx	1671a04f03	fix: Bug - Emojis should be user bound not client bound Bind custom emoji library membership to the signed-in user instead of the client. CustomEmojiService now tracks saved emoji ids per user id in localStorage (metoyou_custom_emoji_saved:<userId>) and the picker only shows the active user's set, seeded on first load from legacy savedByUser rows the user created. This stops a second account on the same client (or Electron's shared SQLite database) from inheriting another user's emoji picker, while keeping synced assets available for message rendering. Adds unit coverage for per-user scoping and a single-page-load Playwright e2e that switches users client-side (second user joins the first user's server) and asserts no library leak. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-06-11 04:09:06 +02:00
Myx	cb386394d0	fix: Bug - No login screen mobile phone on startup Signed-out mobile visitors landing on / or /dashboard were intentionally kept on a logged-out /dashboard, so they were never greeted with a login screen on startup. Replace the imperative startup-redirect logic in App.ngOnInit with a platform-agnostic pure rule resolveUnauthenticatedStartupRedirect: non-public routes redirect to /login (with a safe returnUrl), public routes (/login, /register, /invite/...) are left alone. Mobile is no longer special-cased. - Unit: auth-navigation.rules.spec.ts - E2E: e2e/tests/mobile/mobile-login-on-startup.spec.ts (mobile viewport set before navigation; /dashboard and / both land on /login) Co-authored-by: Cursor <cursoragent@cursor.com>	2026-06-11 03:38:16 +02:00
Myx	182828bb1e	fix: Bug - Two devices sharing same user says "Shared from your device" Gate the "Shared from your device" label and the hidden download affordance on whether this device actually holds the file bytes, not on whether the current user uploaded it. uploaderPeerId is the user id, so the old check claimed ownership on every device of the uploader, blocking view/download on second devices that only synced metadata. Also include attachment metadata in the account_sync chat-sync-batch so sibling devices learn about synced attachments at all. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-06-11 03:29:47 +02:00
Myx	49b602dbda	fix: Bug - No android app icon	2026-06-11 03:03:10 +02:00
Myx	d72a027c9a	fix: Bug - Video attachment on android gets sent in the message bubble above with no preview image	2026-06-11 02:44:22 +02:00
Myx	b1b3d93851	fix: Bug - Fresh users have the server list in dashboard completely empty until anything searched	2026-06-11 02:11:31 +02:00
Myx	494a05e606	fix: Bug - Local files should be remembered by client	2026-06-11 01:54:00 +02:00
Myx	5bf4f698df	fix: Bug - Attachments gets syncronized corrupt	2026-06-11 00:37:06 +02:00
Myx	d174536272	fix: Chats doesn't sync for multi client users	2026-06-11 00:04:49 +02:00
Myx	d0aff6319d	fix: should now sync with other devices All checks were successful Queue Release Build / prepare (push) Successful in 25s Details Deploy Web Apps / deploy (push) Successful in 7m8s Details Queue Release Build / build-windows (push) Successful in 28m10s Details Queue Release Build / build-linux (push) Successful in 44m38s Details Queue Release Build / build-android (push) Successful in 18m36s Details Queue Release Build / finalize (push) Successful in 1m40s Details	2026-06-09 22:00:39 +02:00
Myx	1274ad9b46	fix: search	2026-06-09 22:00:06 +02:00