feat: Phase 1 complete — Matrix login, rooms, chat, profile

- Direct m.login.password auth against matrix.m8chat.au
- Room list with unread badges, last message, timestamps
- Chat timeline (text, images, files, replies, reactions)
- Profile screen with expandable Notifications and Security sections
- Olm E2EE initialisation (web WASM bootstrap)
- Global error handler preventing Matrix SDK crashes
- GoRouter with refreshListenable (no recreation on auth change)
- Feature-first clean architecture: Riverpod + GoRouter + Drift
- Deployed to https://app2.m8chat.au

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

lib/core/auth/auth_notifier.dart

@@ -0,0 +1,104 @@
+// Version: 1.0.0 | Created: 2026-04-01
+// Riverpod notifier that owns the auth state machine.
+// All login/logout/session-restore transitions go through here.
+
+import 'package:riverpod_annotation/riverpod_annotation.dart';
+
+import '../../features/auth/data/auth_repository.dart';
+import '../../features/auth/domain/auth_failure.dart';
+import 'auth_state.dart';
+import 'secure_storage.dart';
+
+part 'auth_notifier.g.dart';
+
+/// The single source of truth for authentication state.
+///
+/// keepAlive: true — auth state must persist for the entire app lifetime.
+/// GoRouter watches this provider to decide which route to show.
+@Riverpod(keepAlive: true)
+class AuthNotifier extends _$AuthNotifier {
+  @override
+  AuthState build() {
+    // Kick off session restore immediately; start in [AuthInitial].
+    _restoreSession();
+    return const AuthState.initial();
+  }
+
+  /// Tries to restore a previous session from secure storage.
+  Future<void> _restoreSession() async {
+    state = const AuthState.loading();
+
+    final storage = ref.read(secureStorageProvider);
+    final credentials = await storage.loadCredentials();
+
+    if (credentials == null) {
+      state = const AuthState.unauthenticated();
+      return;
+    }
+
+    try {
+      final repo = ref.read(authRepositoryProvider);
+      await repo.restoreSession(
+        accessToken: credentials.accessToken,
+        userId: credentials.userId,
+        deviceId: credentials.deviceId,
+      );
+      state = AuthState.authenticated(
+        userId: credentials.userId,
+        accessToken: credentials.accessToken,
+        deviceId: credentials.deviceId,
+      );
+    } on AuthFailure {
+      // Stored credentials are invalid; force re-login.
+      await storage.clearCredentials();
+      state = const AuthState.unauthenticated();
+    } on Exception {
+      // Network offline at startup; still land on login rather than crashing.
+      await storage.clearCredentials();
+      state = const AuthState.unauthenticated();
+    }
+  }
+
+  /// Attempts to log in with [username] and [password].
+  ///
+  /// Transitions: loading → authenticated | unauthenticated(failure).
+  Future<void> login({
+    required String username,
+    required String password,
+  }) async {
+    state = const AuthState.loading();
+
+    try {
+      final repo = ref.read(authRepositoryProvider);
+      final response = await repo.login(username: username, password: password);
+
+      final storage = ref.read(secureStorageProvider);
+      await storage.saveCredentials(
+        accessToken: response.accessToken,
+        userId: response.userId,
+        deviceId: response.deviceId,
+      );
+
+      state = AuthState.authenticated(
+        userId: response.userId,
+        accessToken: response.accessToken,
+        deviceId: response.deviceId,
+      );
+    } on AuthFailure catch (failure) {
+      state = AuthState.unauthenticated(failure: failure.userMessage);
+    }
+  }
+
+  /// Logs out the current user, clears storage, and resets to unauthenticated.
+  Future<void> logout() async {
+    state = const AuthState.loading();
+
+    final repo = ref.read(authRepositoryProvider);
+    await repo.logout();
+
+    final storage = ref.read(secureStorageProvider);
+    await storage.clearCredentials();
+
+    state = const AuthState.unauthenticated();
+  }
+}

lib/core/auth/auth_state.dart

@@ -0,0 +1,29 @@
+// Version: 1.0.0 | Created: 2026-04-01
+// Sealed auth state hierarchy.
+// All auth transitions are expressed as one of these states — no raw booleans.
+
+import 'package:freezed_annotation/freezed_annotation.dart';
+
+part 'auth_state.freezed.dart';
+
+/// Represents every possible authentication state in the app.
+@freezed
+sealed class AuthState with _$AuthState {
+  /// App has just launched; trying to restore session from storage.
+  const factory AuthState.initial() = AuthInitial;
+
+  /// A login or session-restore attempt is in progress.
+  const factory AuthState.loading() = AuthLoading;
+
+  /// User is authenticated. Holds the Matrix user ID and access token.
+  const factory AuthState.authenticated({
+    required String userId,
+    required String accessToken,
+    required String deviceId,
+  }) = AuthAuthenticated;
+
+  /// User is not authenticated.
+  /// [failure] is null on first launch; non-null after a failed attempt.
+  const factory AuthState.unauthenticated({String? failure}) =
+      AuthUnauthenticated;
+}

lib/core/auth/secure_storage.dart

@@ -0,0 +1,83 @@
+// Version: 1.0.0 | Created: 2026-04-01
+// Typed wrapper around flutter_secure_storage.
+// All token read/write operations go through this class — never call
+// flutter_secure_storage directly from feature code.
+
+import 'package:flutter_secure_storage/flutter_secure_storage.dart';
+import 'package:riverpod_annotation/riverpod_annotation.dart';
+
+import '../config/app_config.dart';
+
+part 'secure_storage.g.dart';
+
+/// Provides a configured [SecureStorage] instance.
+@Riverpod(keepAlive: true)
+SecureStorage secureStorage(Ref ref) => const SecureStorage();
+
+/// Typed wrapper around [FlutterSecureStorage].
+///
+/// Uses AES encryption on Android and Keychain on iOS.
+/// On Web, data is stored in localStorage with encryption — acceptable for
+/// access tokens but NOT for E2EE private keys (Phase 2 concern).
+class SecureStorage {
+  const SecureStorage();
+
+  static const FlutterSecureStorage _storage = FlutterSecureStorage(
+    aOptions: AndroidOptions(encryptedSharedPreferences: true),
+  );
+
+  Future<void> saveCredentials({
+    required String accessToken,
+    required String userId,
+    required String deviceId,
+  }) async {
+    await _storage.write(
+      key: AppConfig.storageKeyAccessToken,
+      value: accessToken,
+    );
+    await _storage.write(key: AppConfig.storageKeyUserId, value: userId);
+    await _storage.write(key: AppConfig.storageKeyDeviceId, value: deviceId);
+    await _storage.write(
+      key: AppConfig.storageKeyHomeserver,
+      value: AppConfig.matrixBaseUrl,
+    );
+  }
+
+  Future<StoredCredentials?> loadCredentials() async {
+    final accessToken = await _storage.read(
+      key: AppConfig.storageKeyAccessToken,
+    );
+    final userId = await _storage.read(key: AppConfig.storageKeyUserId);
+    final deviceId = await _storage.read(key: AppConfig.storageKeyDeviceId);
+
+    if (accessToken == null || userId == null || deviceId == null) {
+      return null;
+    }
+
+    return StoredCredentials(
+      accessToken: accessToken,
+      userId: userId,
+      deviceId: deviceId,
+    );
+  }
+
+  Future<void> clearCredentials() async {
+    await _storage.delete(key: AppConfig.storageKeyAccessToken);
+    await _storage.delete(key: AppConfig.storageKeyUserId);
+    await _storage.delete(key: AppConfig.storageKeyDeviceId);
+    await _storage.delete(key: AppConfig.storageKeyHomeserver);
+  }
+}
+
+/// Holds the credentials retrieved from secure storage.
+class StoredCredentials {
+  const StoredCredentials({
+    required this.accessToken,
+    required this.userId,
+    required this.deviceId,
+  });
+
+  final String accessToken;
+  final String userId;
+  final String deviceId;
+}