Skip to content

release: 0.8.7#216

Merged
johnthecat merged 13 commits into
mainfrom
release/0.8.7
Jun 12, 2026
Merged

release: 0.8.7#216
johnthecat merged 13 commits into
mainfrom
release/0.8.7

Conversation

@johnthecat

Copy link
Copy Markdown
Contributor

🩹 Fixes

  • statement-store: reworked the session to match the iOS/Android implementations. Concurrent incoming requests are now tracked independently (an older request stays answerable after a newer one arrives), transient submit/query failures are retried with a short backoff, and message batches are sized against the full encoded request payload instead of the raw bytes. Statement expiry is pinned to a non-expiring max with a wall-clock priority so channel supersession is deterministic, and a request id is best-effort recovered from a corrupt payload so the sender can be NACKed. Adds an in-memory adapter for tests.
  • statement-store / host-papp: the SSO allowance service now builds its statement-store prover from the mobile slot-account secret (privateKey || nonce) via the new createSlotAccountProver, instead of treating it as a raw sr25519 secret — proofs now sign and verify against the correct slot-account public key.
  • host-papp: the authorising device's encryption public key (deviceEncPubKey) from the V2 handshake response is now persisted on StoredUserSession and exposed on the session, so the host can ECDH-address the paired device (e.g. for device-sync). It was previously decoded but dropped on persistence, leaving consumers to mis-read the 32-byte SSO shared secret in remoteAccount.publicKey as a public key.
  • bumped polkadot-api to 2.1.6, which fixes a double-notification bug.

🏡 Chore

  • every published package now ships a LICENSE file, and a repo-wide THIRD_PARTY_NOTICES.md records dependency licenses.
  • added a SECURITY.md policy and hardened .env handling in .gitignore.

@socket-security

socket-security Bot commented Jun 9, 2026

Copy link
Copy Markdown

@TarikGul

Copy link
Copy Markdown
Member

DQ: When is this plan to be released?

@johnthecat
johnthecat merged commit 7cc8ae2 into main Jun 12, 2026
4 checks passed
@johnthecat
johnthecat deleted the release/0.8.7 branch June 12, 2026 09:59
johnthecat added a commit that referenced this pull request Jun 12, 2026
Main (0.8.7) had independently absorbed nearly all of this branch's work
via PRs #178/#202/#205/#206/#212/#215/#216, with newer/cleaner versions.

Conflict resolution (38 files):
- package.json (x14), package-lock.json, CHANGELOG.md, migration doc:
  took main (newer versions, canonical release history). Dropped the
  unused `verifiablejs` dep.
- All SSO V2, statement-store, handoff-service, and host-chat *impl*
  files: took main — strictly newer (ECDH session-key derivation #206,
  RFC-7 entropy #205, statement-store fix #215). The branch's parallel
  May implementations are superseded.
- watchIdentity series: already identical in main (no real conflict).
- Kept BRANCH version for two files where it is genuinely ahead:
  * identity/rpcAdapter.ts — defensive snake_case/camelCase Resources
    decode (fixes "Unknown user" regression on V2 runtime); a clean
    superset of main's version.
  * host-chat/codec/attachment.spec.ts — extra blurhash-thumbnail and
    NodeEndpoint round-trip tests against a byte-identical codec impl.

Verified: build, typecheck, lint (0 errors), 679/679 tests pass.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants