Wallets dialog refinements:
- More space between wallet cards (cardGap: spacingSm -> spacingMd).
- "Scan another folder" is now always visible as a full-width button (no
expandable toggle) that opens the new picker.
- The Create-wallet row and the scan button span the full list width, so their
right edges align with the wallet cards / Open|Import buttons.
New in-app folder picker (folder_picker.h): a Material-styled modal replacing
the raw path input. Browse the filesystem (Up / Home / click a sub-folder),
see the *.dat wallet files present + a count, and pick a folder to scan. The
picker takes over the modal surface while open (the overlay framework doesn't
nest); it remembers the last browsed location across opens. Fixed-height card
(no auto-height feedback), UTF-8-aware truncation, full-node icons confirmed
in the embedded MaterialIcons range. Added a modal-folder-picker sweep surface;
verified at 100% + 150%, dark + light.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Two issues on the card list: it showed a scrollbar (and clipped the last card)
with only a few wallets, and the cards felt cramped.
- Scrollbar: the per-card advance added a trailing gap after EVERY card (incl.
the last) and ImGui inserted its default ItemSpacing between the Dummy items,
so the content ran ~1 gap taller than the child's height budget -> overflow ->
scrollbar + clipped card. Zero ItemSpacing inside the list child, register each
card's footprint with a Dummy, and gap only BETWEEN cards (no trailing gap), so
the content matches the budget exactly. Sized the list to fit up to 7 cards
before it scrolls.
- Roominess: bigger name (subtitle1), more vertical padding (spacingMd), and a
touch more space after the icon.
- Removed the full-card InvisibleButton (hover is IsMouseHoveringRect again): its
overlap with the action button tripped ImGui's ConfigDebugHighlightIdConflicts,
drawing a red debug border around the list at 150% DPI.
Verified via the headless sweep at 100% and font_scale 1.5 — no scrollbar, no red
border, cards fully visible with breathing room.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Replace the wallet table with a stack of Material-style cards inside a scrolling
child. Each wallet is a rounded card: a leading wallet icon, the filename as the
primary line, and a muted metadata subtitle (size · N addresses · balance DRGX ·
last opened). The action sits on the right — Open / Import buttons, or a green
"Active" chip for the current wallet. The current wallet's card gets a green tint,
border, and icon; external files show an info icon + tooltip; cards highlight on
hover. The dialog stays content-sized + fixed-height (computed from the wallet
count, up to 6 before it scrolls), so the monitor-drag stability is unaffected.
Adversarially reviewed (two-lens workflow + synthesis): the reviewers' DPI
unit-mixing and broken-scroll findings were false positives (LegacySize is the
DPI-scaled atlas size, and BeginChild takes physical px while the framework's
cardHeight takes logical) — the only real issue was byte-wise truncation that
could split a multibyte UTF-8 char, now fixed to pop whole code points. Verified
via the headless sweep at 100%, 150%, and light skin.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Act on the design review of the Wallets modal (all six points):
1. Content-sized card — size the card to the wallet count (up to 8 rows, then the
list scrolls) instead of a fixed 620px, killing the huge empty void a short
list floated in. Computed from the KNOWN row count, so it stays a fixed-height
dialog (no auto-height feedback — that's what slid content off-screen on a
monitor move).
2. Framed wallet list — BordersOuter + PadOuterX so the list reads as a contained
panel with room to grow, not loose rows on the backdrop.
3. Right-aligned numeric columns (Size / Addresses / Balance) and their headers,
via a custom header row + a right-aligned cell helper, so the numbers line up.
4. Consistent action column — the active wallet's row gets a subtle green tint and
an "Active" chip (badge), distinct from the Open/Import buttons.
5. De-cluttered bottom — "Create wallet" stays the primary action; the folder-scan
is tucked behind a "+ Scan another folder…" toggle.
6. Polish — the external-file marker is now a real info icon + tooltip (was
ICON_MD_FOLDER rendering as a "?" tofu, since that glyph isn't in the subset);
Refresh is an icon-only button, de-emphasized next to Close.
New i18n keys (wallets_add_folder_toggle, wallets_external_tt) + 8 langs; CJK
subset rebuilt. Verified via the headless sweep at 100% and font_scale 1.5.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The hardware [WINLOG] trace showed the DPI-transition target computed correctly
(min height 720) but the window stuck ~5% larger (759), with every deferred retry
failing to shrink it. Root cause: the DX11 window is a borderless native HWND
(WS_CAPTION/WS_THICKFRAME, for native move/resize) wrapped by SDL. SDL_SetWindowSize
converts the requested CLIENT size to a window rect via AdjustWindowRectEx (adding
the caption+border frame), but our WM_NCCALCSIZE handler folds that whole frame
back into the client area — so every SDL resize inflates the window by ~one frame
(~39px height, ~16px width) and the 720 minimum becomes an unreachable 759. That,
not the earlier min-ordering/settle logic, is why the height wouldn't stay at min.
resizeWindowExact() resizes the native HWND directly via SetWindowPos on the DX11
path (window rect == client for a borderless window → exact requested size); other
platforms keep SDL_SetWindowSize. Used for the DPI-transition resize and the
deferred retry, so the window now lands on the true minimum in both directions.
Keeps the [WINLOG] native-rect + min-track tracing so the next capture confirms the
fix (or surfaces any remaining gap).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The first hardware capture showed handleDisplayScaleChange computing the correct
target (e.g. 1353x720, height = min) but the window never reaching it across all
30 deferred retries — stuck ~5% above target in BOTH DPI directions (759 vs 720
at 100%, 1136 vs 1080 at 150%). That rules out the earlier min-ordering / settle
logic and points at either the borderless WM_GETMINMAXINFO min-track
(720 * g_borderlessDpi) or a native-HWND non-client frame discrepancy on the
externally-created, SDL-wrapped DirectComposition window.
Add the data to disambiguate:
- winlogState now also logs the native GetWindowRect vs GetClientRect (+ pos),
exposing any window-vs-client size mismatch that SDL_GetWindowSize hides.
- WM_GETMINMAXINFO logs g_borderlessDpi and the resulting min-track (once per
change) so we can see the actual OS-enforced minimum during the transition.
- Forward-declared winlog so the WndProc can use it.
Windows-only, no behavior change. Grep the log for "[WINLOG]".
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Always-on stderr tracing (visible in release builds via the Windows
dragonx-debug.log redirect, unlike DRAGONX_DEBUG-gated DEBUG_LOGF) to capture
exactly how the window size / display-scale / minimum change when dragging
between monitors of different DPI. Logs:
- every WINDOW_RESIZED: size, actual vs stored scale, dpiPending/settle/retries,
and the DPI-vs-user classification (IGNORED/RECORDED);
- every DISPLAY_SCALE_CHANGED + the full handleDisplayScaleChange trace
(saved-under-old-scale, restore/proportional, min-clamp, display-clamp, the
SetWindowMinimumSize+SetWindowSize, and the resulting window state);
- each deferred-resize retry;
- monitor crossings (WINDOW_MOVED, throttled to display changes);
- startup and shutdown size.
Low volume — only fires on window events. Temporary diagnostic; remove once the
multi-monitor sizing bug is fixed. Grep the log for "[WINLOG]".
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Moving the window between monitors of different scaling (150% -> 100% -> 150%)
left the height off the minimum in BOTH directions, forcing a manual resize each
time. A deep trace against the vendored SDL3 source found two distinct causes:
- Shrink leg (higher -> lower scale): handleDisplayScaleChange called
SDL_SetWindowSize BEFORE SDL_SetWindowMinimumSize. SDL clamps a size request up
to the current minimum (SDL_video.c:3184-3191), so the smaller target was
clamped back to the stale larger min; SetWindowMinimumSize only grows a window,
never shrinks it, so lowering the min afterwards didn't pull it back. The
deferred retry masked it only on rendered frames, so it leaked when the app was
idle. Fix: set the new minimum BEFORE resizing.
- Return leg (lower -> higher scale): the single-shot dpiResizePending flag let a
later settling WINDOW_RESIZED in the same burst be misclassified as a user
resize and recorded, corrupting savedSizeForScale for that scale so the
remembered min was lost. Fix: a frame-counted settle window (dpiSettleFrames)
suppresses resize-recording for the whole transition burst regardless of event
ordering; also clamp any restored/scaled size up to the new scale's minimum.
Only user resizes outside the ~40-frame settle burst are recorded, so normal
resizing is unaffected. SDL clamp semantics verified in-repo; build clean. The
transition needs real multi-monitor hardware to exercise end-to-end.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The only startup clamp to the display's usable bounds lived inside the
`currentDpiScale > 1.01f` HiDPI branch, so on a standard-DPI (100%) cold start it
never ran. A window size saved on a larger or since-disconnected monitor then
opened oversized / partly off-screen (title bar under the taskbar), since the
window is also re-centered at the saved size.
Hoist the clamp-to-usable-bounds + re-center out of the HiDPI branch so it runs
on every startup; the DPI multiply and scaled minimum-size stay HiDPI-only. It
resizes only when the clamp actually changes the size, so a window that fits its
display is left untouched — only genuinely-oversized ones clamp. Also log when a
persisted size is rejected on load/save (below the 1024x720 floor) so "my window
keeps resetting" reports become traceable.
Root-caused via a multi-agent audit of the window-size/DPI logic, which also
confirmed the save/restore DPI round-trip is otherwise correct (the restore-side
auto-scale multiply was mistaken by the investigators for a unit bug). Verified:
a 9999x9999 saved size now clamps to the display at scale 1.00 (previously the
clamp was skipped on a same-DPI cold start).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Two follow-ups to the modal float work:
- Console RPC command reference (renderCommandsPopup) had the SAME auto-height
feedback bug as Wallets: BlurFloat with no cardHeight, and its fill-height
command list read GetContentRegionAvail() inside the AutoResizeY child ->
self-referential, sliding content off-screen after a monitor move. Give it a
FIXED viewport-relative cardHeight (fills ~84% of the viewport). Also removed
its duplicate body H6 heading (the framework h6 title already shows it) —
missed earlier because it's spec-form, not the positional overload.
- Wallets footer clipping: after the fixed-height conversion the content child
clips overflow (NoScrollbar), and the hardcoded 130*dp reserve below the table
was too small for the create/add-folder rows + separator + footer (~160*dp),
so the buttons clipped — worse at 150%. Compute the reserve from real widget
metrics (GetFrameHeightWithSpacing + caption height) so it holds at any DPI.
Added a modal-console-commands sweep surface (debug-gated ConsoleTab setter) so
the popup is captured. Verified both at 100% and font_scale 1.5 (150%): footers
on-screen, single headings, lists fill, nothing clipped.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The Wallets modal used the auto-height BeginOverlayDialog overload, whose content
child is AutoResizeY. It sized its table with `tableH = GetContentRegionAvail().y
- 130*dp` INSIDE that child — but on an AutoResizeY child GetContentRegionAvail().y
derives from the child's Size.y, carried over from the previous frame's content
height. That makes tableH self-referential: a fixed point on one monitor, but a
monitor move jumps dpiScale() (the 130*dp reserve + table column/row sizes switch
to new units while the child's Size.y is still old units), knocking it off
equilibrium. With only a lower clamp and no upper bound, the excursion runs
unbounded and pushes the create/folder/footer rows off the bottom.
Give the dialog a FIXED cardHeight (620) via the spec form — the pattern Manage
Portfolio already uses. The content child is then fixed-height (not AutoResizeY),
so GetContentRegionAvail().y is a stable, DPI-current "space left in the card",
tableH stops feeding back, and the fixed-height path already clamps the card to
the viewport (min(cardHeight*dp, vp_size.y-32)). Root-caused via a multi-agent
audit against the ImGui internals.
Verified via the headless sweep at 100% and font_scale 1.5 (150%): the table
absorbs the slack and the create/folder inputs + footer stay on-screen.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Drop the glass card + boxed title bar from every dialog so content floats
directly on the blur backdrop under a plain h6 heading — the Manage-Portfolio
look — unifying the whole modal system on one visual language (reverses the
earlier card-for-small / float-for-large split).
- Framework: the positional BeginOverlayDialog overload (used by all ~34 card
dialogs) now defaults to floatingContent + plainHeading (draw_helpers.h). The
9 spec-form BlurFloat dialogs are unchanged; any dialog can still opt back to a
card via an explicit OverlayStyle::GlassCard spec. Authored widths are kept
(floating never resizes), so width-coupled layouts are unaffected.
- Dedup: the framework h6 title made each dialog's own repeated title heading
redundant. Removed the duplicate body heading from Import/Export key, Backup,
daemon update, seed backup, seed migration, Defender-blocked (app.cpp),
Wallets, and the send-confirm popup.
- Close paths: dropping the title-bar close X is covered — every dialog has a
footer button and/or the framework's outside-click dismiss (all pass p_open);
send-confirm keeps Esc + Confirm/Cancel.
Verified via the headless full UI sweep on dark + light: 17 modal surfaces float
card-less with a single clean heading, nothing clipped, close controls present.
Build clean, ctest passes.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Act on the design review of the row layouts:
- Fixed right-aligned columns (DRGX | value | 24h | sparkline) so the numbers
line up across rows and the value no longer jumps rightward when a group has
no sparkline/24h.
- Emphasize the fiat value (larger + brighter than the muted DRGX amount) — the
number users actually scan for.
- Graceful fallback: on-but-absent fields (e.g. price not loaded yet) show a
muted em-dash instead of a hole; deliberately-hidden fields stay blank.
- Detailed style reworked into a 2x2 grid (label/value on top, DRGX/24h below)
with a tall sparkline strip spanning both lines, so its extra height earns its
keep; when a group has no sparkline the value/DRGX fill the space.
- Featured hero value is now neutral bold (OnSurface) instead of the accent
color, so it can't collide with the green 24h; DRGX right-aligns to fill the
right when there is no sparkline.
- Stronger row separation (more card fill) and REMOVED the left accent strip —
group identity now reads from the tinted icon + a subtle accent border.
Verified via the headless sweep across all three styles on dark + light.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Inside the portfolio row child each row emits two items (the InvisibleButton
hit target + a gap Dummy), and ImGui inserts its default ItemSpacing.y between
every item — so the real content ran ~4x ItemSpacing taller than the child's
height budget, clipping the bottom row (e.g. "Cold storage" lost its second
line) and widening the inter-row gaps.
Zero ItemSpacing inside the row child (the inter-row gap is set explicitly by
the Dummy) and size the child to the visible rows plus one gap of bottom
breathing room, so the last row never sits on the clip edge. Scale-independent
(rowH/gap both scale by dpiScale). Verified via the headless sweep across all
three row styles — every row now renders fully and the gaps tighten to rowGap.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The send-confirm surface renders via RenderSendConfirmPopup, which calls
ImGui::OpenPopup() every frame — but BeginOverlayDialog is a plain window,
so that popup is never consumed by a BeginPopup and is normally cleared
only when a mouse click triggers ImGui's click-to-dismiss. The headless
sweep never clicks and tears the surface down by just clearing its flag,
so the orphaned popup lingered on OpenPopupStack past the end of the sweep.
A stuck popup makes IsPopupOpen(AnyPopup) permanently true, which disables
the smooth-scroll wheel capture in draw_helpers::ApplySmoothScroll — so
after a sweep the mouse wheel stopped scrolling Settings / Explorer /
Console (the tabs that use ApplySmoothScroll; native-scroll tabs were
unaffected).
Flush any lingering popup (ClosePopupToLevel) right after each surface's
teardown, so it can't bleed into the next capture or survive the sweep.
Confirmed via instrumentation: only 'popup-send-confirm' leaked (stack=1,
once per skin); now flushed.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Replace the drag/resize dashboard grid on the Market tab's portfolio with
three full-width row styles — compact (single-line), detailed (two-line),
and value-hero — cycled with Left/Right arrows like the Overview layouts.
Rows live in an internal scroll region bounded to the portfolio's height
budget, so the section stays put as groups are added.
- pfDrawRow renders each group in the selected style, reusing the icon /
value / DRGX / 24h / sparkline pieces; per-entry field toggles honored.
- portfolio_style setting (0/1/2) persisted; arrow-key switcher + toast.
- Portfolio groups gain a per-wallet scope: new groups default to the
active wallet's identity hash; legacy groups (empty scope) stay visible
in every wallet. Scope filter drives both the height budget and the rows.
- Remove the now-dead grid machinery (mktDrawCard, pfComputeGridLayout,
PfCell, PfGridDrag, MktCardCtx + MktCtx grid fields) — net code drop.
- Full UI sweep: seed demo portfolio groups + wavy price history and add
market-rows-{compact,detailed,featured} surfaces so the styles are
captured per skin (snapshot/restore the real portfolio + market data).
- i18n: portfolio_style_{label,compact,detailed,featured} + 8 langs; CJK
subset rebuilt.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Many keys added over time (lite-wallet, portfolio, xmrig/daemon updaters,
market, console, explorer, transactions, mining, …) were English-only in
res/lang and only ever fell back to English. Translated all 323 into
de/es/fr/ja/ko/pt/ru/zh — matched to each file's existing terminology, with
printf format specifiers (%s/%d/%.8f/%llu/…) preserved and verified. Every
language now covers all keys except daemon_port_busy_warn, which embeds a
compile-time port macro and intentionally stays on the English fallback.
CJK subset font rebuilt (1687 glyphs).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Completes the wallet-files dialog and localizes the feature.
- Create a new wallet: a name is normalized to wallet-<name>.dat and opened
via switchToWallet; the daemon mints it (seed-backed, -usemnemonic=1) on
first load. Rejects blank names + name collisions.
- Import: out-of-datadir wallets get an Import action that copies the file
into the datadir (never overwriting) under a wallet-*.dat name, then opens
it — the daemon only loads plain filenames from the datadir.
- i18n: the 32 new multi-wallet / per-wallet-contacts / mining-payout strings
translated into all 8 languages (de/es/fr/ja/ko/pt/ru/zh), CJK subset font
rebuilt. Verified: the Chinese Wallets dialog renders with no missing glyphs.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Second phase of multi-wallet: list wallet files and switch the active one.
- Daemon plumbing: EmbeddedDaemon::setWalletFile -> start() passes -wallet=<name>
(non-default only; skipped during the isolated seed-migration start), and
DaemonController::syncSettings pushes active_wallet_file on each start.
- App::switchToWallet: persist the new active wallet, then stop + restart the
node on -wallet=<name> (rescan only if it was never synced in this datadir).
Reuses the seed-adopt restart coordination; WalletState clears on disconnect
and the P1 identity-scoped caches re-key, so no previous-wallet data leaks.
Guarded: full-node, embedded daemon, not mid-restart, no pending send.
- Wallets dialog (Settings -> Backup & Data -> "Wallets…"): a table of wallet
files (datadir wallet*.dat + user-added folders' *.dat) with size (disk) and
cached balance / address count / last-opened (wallet index), a current/Active
badge, Open (switch), and Add folder. Out-of-datadir wallets show "import to
open" (P3). Added as a sweep surface.
- Mining payout safety: non-destructive warning if the pool-mode worker looks
like a DragonX address not in the current wallet (stale after a switch).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
First phase of multi-wallet support: keep each wallet's data separate so loading
a different wallet no longer shows the previous one's data, and lay the metadata
groundwork for the wallet-files list.
- Address book scoped per wallet: AddressBookEntry gains a "scope" ("global" or a
wallet-identity hash); the Contacts tab shows global + current-wallet contacts
(App::activeWalletIdentityHash) with a "show in every wallet" toggle + globe
badge. Legacy entries migrate to "global". Scope-aware de-dup allows the same
address across different wallets.
- Wallet metadata index (data/wallet_index -> wallets.json): file-keyed cache of
balance / address count / identity / size / last-opened / synced-here, since
those can't be read off a wallet.dat without loading it. Populated on connect +
address refresh (change-detecting upsert). Plus an active_wallet_file setting
for the -wallet=<name> switch coming in P2.
Unit-tested (testAddressBookScope, testWalletIndex): migration, visibility filter,
scope-aware de-dup, upsert change-detection, save/reload round-trip.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Fixes the Windows migrate-to-seed failure (the old bundled daemon lacked
z_exportmnemonic) and rounds out the flow:
- seed_wallet_creator: actionable "daemon too old" message instead of the
raw "Method not found" RPC error.
- Startup daemon-update prompt: if the wallet bundles a newer node than the
installed one, offer to update it (once per version, keyed on a new
daemon_update_prompted_size setting; never silently clobbers a custom
node). "Install bundled" now also works when attached to an external /
leftover daemon (RPC-stops it, then swaps + restarts).
- Migrate-to-seed Intro pre-flight: detect an already-mnemonic wallet
(offer backup instead), an old daemon, or a locked/disconnected wallet
before offering to create anything.
- No-funds path: a zero-balance wallet can adopt the new seed wallet
directly (behind an acknowledgement checkbox) instead of a dead sweep.
- Loading spinners on the Working/Sweeping/Adopting steps; sweep coverage
for the new intro / no-funds surfaces.
- Translations for all 18 new strings across 8 languages (+ rebuilt CJK
subset font).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The Settings -> NODE & SECURITY daemon-binary status was one long inline
row of SameLine() Text calls that overran the content width and clipped
its colored tail at narrow windows / higher font scale. Rebuild it as
color-tagged atoms laid out with manual wrapping (dropping a separator
that would dangle at a line break), so the full status always shows.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Hand-drawn absolute geometry (dl->AddText offsets, SetNextWindowSize,
explicit ImVec2 button widths, SameLine strides) is immune to the app's
DPI machinery (font-atlas rebuild + ScaleAllSizes), so several overlays
rendered native-size (tiny) on HiDPI / Windows 150% displays. Multiply the
raw logical-px geometry by Layout::dpiScale():
- seed_display: content-aware, DPI-scaled seed-grid column stride (a raw
130px stride let words collide with the next column's index at 150%)
- lock screen: card/logo/input/unlock-button + all vertical offsets
- migrate-to-seed + seed-backup dialogs: button widths
- send-confirm: confirm/cancel button widths
- about dialog: value-column x, edition inset, link/close button widths
- chat conversation list: row height + padding (fixes the preview clip)
Also freeze demo state during the full UI sweep: guard App::update() on
capture_mode_ so a running daemon's refresh can't clobber the injected
demo state (it blanked Send/Receive/History with a CDB error mid-sweep).
Verified on Windows 4K@150% and locally at font_scale=1.5 (same
dpiScale()==1.5 code path). Adds a DPI-scaling convention note to CLAUDE.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
beginAdoptSeedWallet used POSIX localtime_r for its thread-safe timestamp
(added in the Phase 2 review), which mingw/Windows lacks — it broke the
Windows cross-compile. Guard it: localtime_s on _WIN32, localtime_r elsewhere.
Latent since the Phase 2 commit (Linux-only builds didn't catch it).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The existing sweep only captures tabs. This adds a "Full UI sweep" (DEBUG
OPTIONS) that also drives every normally-hidden surface into view and captures
it under every skin, so all the UI a normal sweep misses can be reviewed at
once.
- The capture unit becomes a "surface" (SweepTarget: a base tab, optionally
with a setup()/teardown() that forces a modal / multi-step flow / state
overlay on top). Tabs are surfaces with a null setup. The existing tab sweep
is folded into the same state machine (one code path). All sweep logic +
the catalog + demo data move into a new src/app_sweep.cpp.
- Runs OFFLINE against injected demo data (installDemoWalletData snapshots then
restores the real state_ — WalletState isn't copy-assignable, so a targeted
field snapshot is used) and fires NO live op: capture_mode_ guards the
seed-backup RPC, auto-lock, and the migration pumps; the async-firing dialogs
are neutralized by pre-setting their state (fetch_started_ + demo phrase;
seed_migration_step_ set directly). Verified: 0 RPC/secret/send calls.
- Catalog (v1): tabs + the bool-flag modals (import/export key, backup,
seed-backup, about, settings) + the 6 migrate-to-seed steps + 4 wizard steps
+ lock/warmup/not-ready overlays + the send-confirm popup (via a new
ui::SweepShowSendConfirm debug hook, since its state is send_tab-static).
- Overlay/blur surfaces settle 8 frames (blur backdrop freeze); setup re-runs
each frame (OpenPopup popups must re-fire). updateScreenshotSweep now runs
before the first-run-wizard early-return in render() so the sweep advances
while a wizard step is shown. main.cpp drops vsync during a sweep so it isn't
throttled to the compositor's unfocused rate. Output:
<config>/screenshots-full/<surface>/<skin>.png + index.md.
- DRAGONX_FULL_SWEEP=1 runs the sweep headlessly then quits (CI / verification).
Verified end-to-end under WSLg: 288 PNGs (9 skins x 32 surfaces), all 1200x720,
[Sweep] done, clean quit, no daemon. Byte-identity across runs holds only for
static skins on data-free surfaces — the rest vary by animated theme effects /
live price / relative timestamps (expected for a review tool, not a bug).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Route the migration modal (renderSeedMigrationDialog) through TR() — 32 new
keys (30 mig_* plus the previously-untranslated seed_migrate_button/
tt_seed_migrate), reusing existing common keys (cancel/close/refresh/
seed_backup_save*). Format-arg strings go through snprintf(buf, TR(...), v)
so the %.8f/%d specifiers stay in the (validated) translations; plain
strings use "%s", TR(...) to avoid -Wformat-security.
Translated into de/es/fr/ja/ko/pt/ru/zh — additive only (972 -> 1004 keys
per language, format specifiers verified preserved); CJK subset font rebuilt.
CLAUDE.md gains a "Seed phrase & migrate-to-seed" section documenting the
hd-transparent-keys daemon dependency, -usemnemonic, the backup screen, and
the Phase 1 (isolated create) / Phase 2 (sweep + Confirming gate + adopt)
flow that was live-verified on mainnet.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Second half of "migrate a legacy wallet to a seed wallet": sweep all funds
into the new seed wallet, then adopt it as the primary wallet.
- Sweep (beginSweepToSeedWallet): z_mergetoaddress ["ANY_TADDR","ANY_ZADDR"]
-> the new wallet's z-address, at the default fee, limits 0,0. The opid is
tracked via the existing send-callback pipeline; the txid is persisted.
- Confirming gate (fund-safety): after the sweep, pollSweepStatus() polls the
tx confirmations + legacy balance. "Make this my wallet" only unlocks once
the sweep is MINED (>= 1 conf) AND the old wallet is empty — so wallet.dat is
never swapped while the funds could still bounce back or a remainder is left.
A too-big-for-one-tx remainder offers a "Sweep remaining" re-sweep.
- Adopt (beginAdoptSeedWallet, background): stop daemon -> move legacy
wallet.dat to a timestamped .bak (never deleted; restored on failure) ->
install the new wallet -> restart with -rescan. Exception-safe;
daemon_restarting_ gates tryConnect + is always cleared; skips the restart
while shutting down; beginShutdown joins the task first.
- Resume: a pending migration reopens at Sweep, or at Confirming if the sweep
txid is already recorded (re-derived from the chain) — never re-sweeps blind.
- Secret hygiene: the seed is wiped leaving ShowSeed, on any modal dismiss
(detected after BeginOverlayDialog), and in App::~App() (same fix applied to
the seed-backup dialog).
Built both variants; tests + hygiene pass. Two rounds of parallel adversarial
review (12 findings fixed, then a clean re-verify) gate this fund-moving code.
The migration modal uses English literals (as renderBackupDialog does); it gets
translated once the flow is finalized. Live sweep test against a funded wallet
is the next step.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The seed-wallet creator forced TLS on its RPC client, but the DRAGONX RPC is
plaintext HTTP on localhost (-tls=only applies to P2P, not the RPC; the main
GUI's conf has no rpctls key and connects over http too). Forcing https made
every connect fail with "SSL connect error", so the isolated create never
completed. Connect without TLS, matching the main daemon path.
Also add an env-gated (DRAGONX_SEED_CREATE_SMOKE=1) headless smoke in main()
that runs SeedWalletCreator::create() before GUI init and prints
ok/word-count/address (never the seed words) — used to validate the full C++
creator path without the GUI. Harmless in normal runs.
Validated end-to-end against the hd-transparent-keys (v1.0.3-dc45e7d9)
daemon: ok=1, words=24, a shielded z-address returned, temp datadir cleaned up.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
First, fund-safe step of "migrate a legacy wallet to a seed wallet": mint a
brand-new BIP39 mnemonic wallet in an ISOLATED throwaway datadir so the user
can later sweep funds into it. No funds move and the real wallet.dat / main
daemon are never touched — the isolated node runs concurrently on its own port.
- EmbeddedDaemon: one-shot isolated-datadir override (setNextStartOverride)
consumed on the next start(); a skip-default-port-check for an isolated
instance beside the main daemon; and a tcpPortInUse() probe. The datadir's
basename must be the assetchain name (DRAGONX) and the daemon reads
<datadir>/DRAGONX.conf itself, so no -conf is passed (both learned from
live testing against the hd-transparent-keys daemon).
- SeedWalletCreator (src/daemon): picks a free port, writes a throwaway conf,
starts an isolated dragonxd with -usemnemonic=1 -connect=0, waits for RPC,
calls z_exportmnemonic + z_getnewaddress (the sweep target), stops it, and
keeps/scrubs the temp datadir. Off-thread; the seed is wiped after use.
- App: beginCreateSeedWallet (background) -> pumpSeedMigration (main-thread
handoff) -> renderSeedMigrationDialog (Intro -> Working -> Show seed ->
Error), reusing the seed_display grid + clipboard auto-clear.
- Settings: "Migrate to seed…" button (full-node gated) + persisted pending
migration state (dest address + temp datadir) for Phase 2 to adopt.
Validated end-to-end against the hd-transparent-keys daemon: the isolated
node comes up in ~4s and returns a 24-word mnemonic + a shielded z-address.
Requires that daemon (the bundled Jun-28 build lacks z_exportmnemonic). The
migration modal uses English literals for now (as renderBackupDialog does);
the whole flow gets translated once Phase 2 finalizes it. Phase 2 (sweep +
adopt) is next.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
New full-node wallets now get a real 24-word recovery phrase, and users can
reveal/back it up from Settings.
- Pass -usemnemonic=1 to dragonxd. The daemon reads it only inside
GenerateNewSeed() when a wallet has no seed yet, so it is inert on existing
wallets (safe to pass unconditionally) and makes every freshly-created
wallet mnemonic-backed — its phrase is then exportable via z_exportmnemonic
and portable to SDXLite/ObsidianDragonLite. (Existing/legacy wallets are
unaffected and keep using the chat identity's z_exportkey fallback.)
- App::exportSeedPhrase() wraps z_exportmnemonic on the RPC worker with
sodium_memzero wiping on every path; it flags the daemon's "not derived
from a mnemonic" error as a legacy wallet rather than a failure.
- New "Back up seed phrase" modal (Settings -> Backup & Data, full-node
gated): reveals the phrase in a numbered word grid, copy (45s clipboard
auto-clear) + save-to-file (0600), wipes the secret on every close path
incl. dismiss-mid-fetch. Shared ui/windows/seed_display.h grid helper.
- One-time nudge (settings flag seed_backup_reminded) toasts mnemonic-wallet
users to back up their phrase; legacy wallets are not nagged.
- 15 new strings translated into all 8 languages (additive, 957->972 keys);
CJK subset font rebuilt for the new glyphs.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Each scripts/gen_<lang>.py held a hardcoded `translations` dict that it
wrote over res/lang/<lang>.json wholesale. Those dicts had drifted ~285
keys behind the committed JSONs (keys were added directly to the JSONs
over time), so running any generator silently truncated a language file —
a live regression trap. Nothing invokes them (not build.sh, CMake, or CI),
and the JSONs are now the maintained source of truth, so the generators are
pure duplication plus a footgun.
Retire all eight. The additive, non-destructive scripts/add_missing_
translations.py remains the i18n helper, and CLAUDE.md now documents the
"edit the JSONs directly and additively" workflow.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
tracePageName()'s switch over ui::NavPage was missing the two lite-only
tab values (LiteConsole, LiteNetwork), producing -Wswitch warnings in the
lite build. Add both, tracing them to the same labels as their full-node
siblings ("Console tab" / "Network tab") — exactly one of each pair shows
per variant. Trace-string only; no behaviour change.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The HushChat UI labels were already translated, but the send-path
notifications (not-connected, no-z-address, waiting-for-reply, compose
failures, contact-request queued, lite busy) were still hardcoded English.
Route all eight call sites in app_network.cpp through TR() with seven new
keys (the three "no z-address" variants unified into chat_toast_no_zaddr),
add the English fallbacks in i18n.cpp, and translate the keys into de/es/fr/
ja/ko/pt/ru/zh — reusing each file's existing chat_* terminology (z-address,
contact request, message) for consistency. Additive only (950 -> 957 keys
per language). CJK subset font rebuilt to cover the new zh/ja/ko glyphs.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
checkAutoLock() called App::lockWallet(), which early-returns without an
rpc_ handle — so lite wallets, which have no daemon, never idle-locked and
stayed unlocked indefinitely. Route lite through lockLiteWallet() instead,
which locks the backend and tears down the chat session so no decrypted
store / unlocked DB key survives the idle lock. Full-node builds keep
lite_wallet_ null, so the branch is a no-op there and behaviour is unchanged.
The idle timer (last_interaction_, reset on ImGui input at the top of
App::update()) is already build-agnostic, so no other wiring is needed.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add the 15 HushChat UI strings (nav label, locked/empty/select/waiting hints,
composer + new-conversation dialog, You / contact request / not-sent tags) to
res/lang/{de,es,fr,ja,ko,pt,ru,zh}.json. Previously they fell back to English.
Added directly to the JSON files (935 -> 950 keys, additive only): the
scripts/gen_<lang>.py generators are stale — they emit ~285 fewer keys than the
committed JSONs, so regenerating from them would silently drop translations.
(Pre-existing issue; noted for follow-up. The generators are left untouched.)
Rebuilt the usage-based CJK subset font (res/fonts/NotoSansCJK-Subset.ttf) from
the full JSONs so the new chat glyphs (聊天 / 对话 / 会話 / 답장, etc.) render —
verified every CJK code point in the full JSONs is covered (no glyph regression).
Verified: Linux + Windows build (embedded lang headers regenerated via xxd, font
re-embedded via INCBIN), hygiene clean; per-file diff is additive (15 keys, 0
deletions).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Outgoing echoes were recorded optimistically regardless of whether the broadcast
was actually submitted. Now broadcastChatMemos / broadcastChatMemosLite return
whether the send was submitted (false on immediate failures: not connected, no
spendable z-address, or a lite send already in progress), and the echo records a
ChatDelivery status (Sent / Failed). The Chat tab shows a "not sent" marker in
the error color on failed messages. The status persists in the DB (backward-
compatible: old rows deserialize as Sent).
(A later async failure — an opid that fails after submission — still surfaces via
the existing send-progress notification; only the submit gate is reflected here.)
Also removes the now-unused chat_readonly_note string (the composer replaced the
read-only footer). Test: delivery status round-trips through the DB. Verified:
Linux + Windows build with chat ON, ctest 100%, hygiene clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Flip DRAGONX_ENABLE_CHAT to default ON (a fresh configure now builds chat in),
and make full-node chat work for every wallet + any daemon.
Legacy compat: chat identity is derived from the wallet's mnemonic
(z_exportmnemonic) for a portable, SDXLite-compatible identity — but a legacy
random-seed wallet has no mnemonic, and released daemons don't have that RPC at
all. Provisioning now falls back to a stable z-address's spending key
(z_exportkey) in those cases: a functional, wallet-local identity that works on
any daemon. Since a chat identity is local (peers learn your public key from
your message headers, not your derivation), interop is unaffected; only
cross-client portability needs the mnemonic. The spending key is an in-memory
KDF input over a key the wallet already holds, wiped after use — no new exposure.
Stability: the chosen chat z-address (the reply-to in headers AND the legacy
identity source) is now persisted in settings (chat_reply_zaddr), so the
identity + reply address don't shift when new addresses are generated.
chatReplyZaddr() picks the smallest spendable z-addr once and reuses it.
CLAUDE.md updated to reflect the default flip. Verified: Linux + Windows build
with chat ON, fresh-configure default confirmed ON, ctest 100%, hygiene clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Security-review finding (low): on the lite variant, "Lock now" ran the backend
`lock` but never updated state_.locked — that only refreshes on the next ~2s
poll. Since chat teardown is driven by state_.isLocked() in maybeProvision
ChatIdentity, the decrypted in-memory store, the chat identity secret key, and
the seed-derived AEAD DB key all lingered in RAM for up to ~2s past an explicit
lock (the full-node path closes this immediately, since App::lockWallet sets
state_.locked synchronously).
New App::lockLiteWallet() mirrors the full-node behavior: on a successful lite
lock it sets state_.locked and tears down the chat session now (clearIdentity +
store().clear() + chat_db_.lock() + re-arm). The lite "Lock now" button routes
through it. (Note: the lite variant has no auto-lock at all — checkAutoLock ->
App::lockWallet early-returns for lite — which is a separate, general lite gap.)
Completes the end-to-end feature security review (1 confirmed finding of 3 raw,
now fixed). Verified: Linux + Windows build with chat ON, ctest 100%, hygiene clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add App::seedChatDemoData() + a "Seed demo chat" button in the DEBUG OPTIONS
card (shown only in chat-enabled builds, next to the screenshot sweep). It gives
the Chat tab a demo identity and injects a few sample conversations into the
in-memory store (NOT persisted — no DB attached, gone on restart) so the
screenshot sweep captures the tab's real UI (conversation list, thread bubbles,
composer, and the "waiting for reply" contact-request state) instead of the
empty "unlock" hint. No-op when the chat feature is off.
Verified: Linux + Windows build with chat ON, ctest 100%, hygiene clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The full-node receive harvest works off z_viewtransaction; the lite wallet's
transactions come from the backend instead, so lite chat receive was unwired.
App::ingestLiteChatMemos runs after each lite refresh: the backend lists one
entry per received (non-change) note — same txid, distinct position + decoded
UTF-8 memo — so a chat tx yields two entries (header + payload). Group the
Receive-kind notes by txid, feed them through the SAME extractHushChatTransaction
Metadata parser (now order-tolerant, so the daemon's output shuffle is a non-issue),
and thread the result into ChatService. The store dedups (txid+position), so
re-listing every refresh is harmless.
This closes the lite variant's chat loop end-to-end: identity (exportSeed), DB
unlock/load, receive (here), UI, and send (broadcastChatMemosLite). Gated by
DRAGONX_ENABLE_CHAT (default OFF). Verified: Linux + Windows build with chat ON,
ctest 100%, hygiene clean; caches restored to OFF.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The full-node daemon unconditionally shuffles a transaction's shielded outputs
(transaction_builder.cpp ShuffleOutputs, to hide the change position), so the
two 0-value HushChat memo outputs land at random note positions — the header is
NOT guaranteed to precede its payload. The receive parser paired a header only
with the NEXT payload in position order, so a shuffled send failed to pair (the
message was silently lost) ~50%+ of the time.
groupHushChatMemoOutputs now holds an orphan payload (one seen before its header)
and pairs it with the header when it arrives, so header↔payload pair regardless
of on-chain order. A chat tx carries exactly one header + one payload (the harvest
already skips change outputs), so this is unambiguous.
This is the complete fix for the ObsidianDragon ecosystem: full-node and lite both
receive through this one C++ parser, so full-node→full-node and full-node→lite now
work despite the shuffle, with no daemon fork and no lite-backend change. Context:
SilentDragonXLite (which hardcodes payload position==1 and forced the daemon/backend
question) is being replaced by ObsidianDragonLite. Lite send never shuffles.
Tests: shuffled receive (payload-before-header, and change-interspersed) pairs +
decrypts; all existing ordered-input tests unchanged. Verified: Linux + Windows
build, ctest 100%, hygiene clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Make composed messages actually reach the wire: broadcastChatMemos sends the
header + payload as two 0-value memo outputs to the peer's z-address (header
first, the lower memo position), on both variants.
- chat_outgoing: chatSendOutputs(memos, utf8Prefix) — the pure, testable memo
encoder. Full-node memos get a "utf8:" prefix (dragonxd rejects raw JSON and
then UTF-8-encodes on-chain, byte-identical to SilentDragonXLite's
Memo::from_str); the payload is NOT double-hex. Lite memos are raw UTF-8 (the
backend does Memo::from_str directly). Header is always output 0.
- App::broadcastChatMemos: full-node builds a two-recipient z_sendmany array
(amount 0, from the spendable reply z-address, default fee) via submitZSendMany
with markFeeGapRetry=true — deliberately, to suppress the fee-gap auto-retry,
which rebuilds a single-recipient tx and would drop the payload output. Lite
routes to broadcastChatMemosLite (two 0-value LiteSendRecipients, raw memos;
the backend accepts duplicate addresses + 0-value for exactly this pattern).
- Encoding + design established by a four-codebase mapping (wallet, daemon, SDXL,
lite backend) and an adversarial review of the wiring (0 confirmed findings).
- Tests: chatSendOutputs (utf8:-prefix + header-first for full-node, raw for
lite) + on-chain round-trip (strip "utf8:" -> the harvest parser re-pairs and
decrypts).
Remaining as a LIVE test (cannot be proven from source): that dragonxd returns
the memo under memoStr verbatim, that recipient-array order maps to note
position, that a 0-value memo-only tx relays, and full SDXL<->DragonX interop.
Gated by DRAGONX_ENABLE_CHAT (default OFF). Verified: Linux + Windows(mingw)
build with chat ON, ctest 100%, hygiene clean; caches restored to the OFF default.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add the outgoing side of HushChat: compose messages and start conversations.
The wire construction is the byte-exact inverse of the receive parser and is
proven by a self-consistent round-trip (build → parse → decrypt).
- src/chat/chat_outgoing.{h,cpp} (pure): buildOutgoingMessage encrypts via
encryptOutgoing and buildOutgoingContactRequest carries plaintext; both emit
the header memo JSON ({h,v,z,cid,t,e,p}, which nlohmann serializes
alphabetically to match SilentDragonXLite) + the payload memo, validating the
512-byte memo limit, the 64-hex peer key, and the "no leading '{'" rule for
request text. My public key goes in header "p"; the peer's key is the
encryption recipient.
- ChatService: composeMessage/composeContactRequest (encrypt with the held
identity) + recordOutgoing (echo an Outgoing ChatMessage into the store + DB —
we never harvest our own sends, so this is the only local record).
- App: sendChatMessage(cid,text) sources the peer z-addr + public key from the
conversation, composes, and records a random-id echo; startChatConversation
(zaddr,text) mints a random cid + composes a plaintext contact request;
chatReplyZaddr() picks a spendable z-addr. broadcastChatMemos() is the Phase-5
transport seam (network delivery + real-SDXL interop verification land there).
- Chat tab: a message composer (shown once the peer's key is known, else a
"waiting for reply" hint) + a "New conversation" modal that sends a contact
request to a z-address.
- Tests: outgoing round-trip through the receive parser + decrypt, contact-request
passthrough, validation guards, and ChatService compose + recordOutgoing echo.
Adversarially reviewed (crypto/interop, secret hygiene, logic, UI) — 0 findings.
Gated by DRAGONX_ENABLE_CHAT (default OFF). Verified: Linux + Windows(mingw)
build with chat ON, ctest 100%, hygiene clean; caches restored to the OFF default.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add the first user-visible HushChat surface: a Chat tab in the sidebar with a
two-pane, read-only conversation view — a conversation list on the left and the
selected thread on the right — reading from the App-owned ChatService store.
- New src/ui/windows/chat_tab.{h,cpp} (RenderChatTab(App*), mirroring the
Contacts tab). Conversations are sorted by most-recent activity; peer
z-addresses resolve to contact names via the address book when known; each
message shows sender + timestamp + wrapped body, with a contact-request tag
and a read-only footer (composing arrives in a later phase). Empty states
cover "wallet locked / identity not ready" and "no conversations yet".
- Sidebar wiring: NavPage::Chat + registry entry (static_assert stays balanced),
NavPageSurface + GetNavIconMD (ICON_MD_CHAT), dispatch in app.cpp, trace/sweep
page names, and App::chatService() accessor. The tab is gated on the new
WalletUiSurface::Chat, which returns DRAGONX_ENABLE_CHAT != 0 — so it only
appears in chat-enabled builds and is hidden (and unreachable) by default.
- i18n: English defaults for the chat nav label + hint strings.
Verified: Linux + Windows(mingw) build with chat ON, ctest 100%, hygiene clean;
caches restored to the OFF default. The screenshot sweep now includes the Chat
tab (sweepPageName "chat") for per-theme visual review.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Swap the in-memory-only chat store for durable sqlite persistence with real
per-transaction timestamps, encrypted at rest under a key derived from the
wallet's own seed (no passphrase, works on encrypted and unencrypted wallets).
- ChatDatabase (src/chat/chat_database.{h,cpp}): sqlite store mirroring
data::TransactionHistoryCache. unlockWithSecret(seed) derives a 32-byte AEAD
storage key and a wallet-partition tag via domain-separated keyed BLAKE2b
(generichash) contexts. Every record — bodies, peer z-addrs, threading,
timestamps — is crypto_aead_xchacha20poly1305_ietf-encrypted with a random
nonce and the wallet tag as associated data; even the dedup key is a keyed
hash of txid+position, so nothing about your conversations is in cleartext on
disk. Rows are partitioned per-wallet; a different seed sees nothing. Messages
are decrypted once at ingest then re-encrypted under the storage key, so
load() needs only the storage key, not the chat identity.
- ChatService: ingest() now stamps each message with its own transaction time
(txid->time map + fallback) and writes new (store-deduped) messages through to
the database; loadFromDatabase() rehydrates the in-memory read model on unlock.
- App: unlock the chat DB with the same seed in provisionChatIdentityFromSecret
and load prior history; lock the DB + clear the decrypted in-memory store on
relock and on lite-controller rebuild.
Adversarial review (4 confirmed findings, all fixed): don't provision if the
wallet locks mid-fetch (re-check isLocked at completion); wipe the serialized
plaintext temporary in append(); trim the seed into a separate fully-wiped
buffer (no residue past a shrunk size()); scrub the mnemonic copy in the RPC
json result.
Tests: ChatDatabase round-trip (persist/reload, field + order fidelity), dedup,
per-wallet isolation, lock inertness, and ChatService write-through + reload
without an identity. Gated by DRAGONX_ENABLE_CHAT (default OFF). Verified:
Linux + Windows(mingw) build with chat ON, ctest 100%, hygiene clean; caches
restored to the OFF default.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Complete the Phase-1 App integration for HushChat, now that the dragonx
`hd-transparent-keys` daemon exposes a BIP39 mnemonic (z_exportmnemonic)
that is byte-compatible with SilentDragonXLite. Both variants derive the
chat identity from the wallet's OWN seed phrase, so it is portable across
full-node and lite (same words -> same KDF input -> same identity) and
recoverable from the single wallet backup.
- App owns a dragonx::chat::ChatService; maybeProvisionChatIdentity() runs
each update() tick and, once the wallet seed is reachable and unlocked,
derives the identity via deriveChatIdentityFromSecret and sets it on the
service. Full-node fetches z_exportmnemonic off the UI thread via the RPC
worker; lite reads it synchronously through LiteWalletController::exportSeed.
Secrets are wiped on every path.
- Wire the previously-dead TransactionRefreshResult.hushChatMetadata sink:
both the full and recent transaction-refresh completions now ChatService
::ingest the harvested memos (before the result is moved) so incoming
messages are decrypted and threaded. The store dedups across both paths.
- Robust provisioning gates: skip + re-arm on relock (isLocked, mirrored for
both variants), don't fetch before the encryption state is known, and treat
a non-mnemonic wallet (RpcError) as identity-unavailable rather than
retrying every tick. rebuildLiteWallet re-arms so a server switch / re-open
re-derives from the newly opened wallet.
Gated by DRAGONX_ENABLE_CHAT (default OFF) via the constexpr
hushChatFeatureEnabledAtBuild() gate, so the wiring folds away in shipping
builds. Verified: Linux + Windows(mingw) build with chat ON, ctest 100%,
hygiene clean; caches restored to the OFF default.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Phase 1 Steps 4-6 (the receive pipeline, minus the App/sync wiring which
lands next).
- chat_message: the in-memory ChatMessage model (direction, kind, txid, cid,
peer zaddr/pubkey, body, timestamp, payload_position). No libsodium.
- chat_store: threads messages by conversation_id and dedups by
(txid, payload_position) so re-scanning the chain never double-inserts.
- chat_service: owns the long-lived chat identity keypair (move-disabled,
wiped on destruction/clear) and the store. ingest() decrypts each Message
(drops undecryptable ones silently — no plaintext/memo logging), passes a
ContactRequest's plaintext through, and threads the result. No-op without an
identity.
Tests: a metadata batch decrypts into a threaded conversation; re-ingest
dedups; a contact request carries through; a wrong identity decrypts nothing;
no-identity ingest is a no-op.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Phase 1 Step 1 (the linchpin). The receive path had nothing to decrypt:
HushChatTransactionMetadata carried only payload_position/size, and the
extractor discarded the paired payload memo + the header's "e"/"p". Widen the
metadata with sender_public_key_hex ("p"), secretstream_header_hex ("e"), and
payload_memo (ciphertext hex for a Message; request text for a ContactRequest),
populated from the already-parsed header/payload pair.
Add an end-to-end receive-path test: derive two identities, encrypt Alice->Bob,
wrap it as a HushChat header+payload memo pair, run it through
extractHushChatTransactionMetadata, and decrypt straight from the carried
metadata. Also asserts the harvest yields nothing when the feature is disabled.
Fields are only populated when featureEnabled (the extractor already returns
early otherwise), so an OFF build produces no decrypt material.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Phase 1 crypto foundation (gated by DRAGONX_ENABLE_CHAT; the pure primitives
are always compiled + unit-tested, the feature gate lives at the future
service layer).
- chat_identity: derive the DragonX-native X25519 (crypto_kx) identity from a
stable per-wallet secret via a domain-separated keyed BLAKE2b KDF
(crypto_generichash, context "DragonX-HushChat-Identity-v1") into a clean
32-byte crypto_kx seed. Deterministic; skips SDXL's UTF-8-hex-seed quirk
(that's the Phase-4 import path). Per §5.6.
- chat_crypto: encryptOutgoing (server_tx) / decryptIncoming (client_rx) via
crypto_secretstream_xchacha20poly1305, byte-exact per Appendix A.3/A.4 so
DragonX interoperates with SilentDragonXLite. Single chunk, TAG_FINAL;
decrypt enforces both the Poly1305 tag and TAG_FINAL (stricter than SDXL).
Every session key / seed / stream state / plaintext scratch is sodium_memzero'd
on all paths; no secret is ever logged.
- Tests: encrypt->decrypt round-trip (incl. empty + UTF-8), identity
determinism, feature-gate + empty-secret handling, and malformed/tampered/
wrong-key inputs all fail safely.
Adversarially security-reviewed (3 lenses: secret hygiene, crypto correctness,
SDXL wire-interop) — confirmed byte-compatible with the SDXL reference in both
directions. Fixes from review: check the secretstream_push return before
reporting Ok; allow the empty-plaintext ciphertext (== ABYTES) so encrypt/decrypt
round-trip symmetrically; document the caller-owns-and-wipes secret contract.
Interop caveat: round-trip proves self-consistency; a real captured SDXL
message is still needed to prove wire-compat end to end.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Screenshot-sweep review follow-ups:
- sweepPageName() had its own page-name switch that lacked a Contacts case,
so the tab's screenshots landed under the fallback "page/" dir. Add the
case so they capture under "contacts/".
- The Z/T type badge (green/amber) washed out on light skins. Use darker,
more-saturated variants when IsLightTheme(); keep the brighter ones on dark.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>