### 2026-04-10 18:00 — Enable Olm E2EE in web build
- **Decision:** Re-enabled Olm encryption in index.html with synchronous load + Olm.init() before Flutter boots, graceful fallback if Olm fails
- **Rationale:** 45 of 88 rooms have Megolm encryption. MatrixSdkDatabase persists Olm keys in IndexedDB resolving /keys/upload 400 errors
- **Files affected:** web/index.html, lib/main.dart, app_config.dart, auth_repository.dart, pubspec.yaml
- **Status:** Working — device keys uploaded, messages encrypt/decrypt correctly

### 2026-04-10 17:25 — Deploy target is app2.m8chat.au NOT app.m8chat.au
- **Decision:** app.m8chat.au = PRODUCTION (old FluffyChat). app2.m8chat.au = dev/test for m8chat-app2
- **Rationale:** User corrected after accidental production deploy. Production restored from backup.
- **Status:** All future deploys to app2.m8chat.au

### 2026-04-10 17:15 — Lazy-load Jitsi external_api.js
- **Decision:** Moved from index.html to dynamic load in jitsi_web_service.dart
- **Rationale:** Brave blocks cross-origin scripts at page load
- **Status:** Done

### 2026-04-10 17:10 — Add MessageType.encrypted with lock icon UX
- **Files:** message_model.dart, chat_repository.dart, message_bubble.dart, room_preview.dart
- **Status:** Done

### 2026-04-10 17:05 — Fix web metadata to M8Chat branding
- **Files:** web/index.html, web/manifest.json
- **Status:** Done

### 2026-04-11 02:00 — Add Jitsi Conference tab to bottom nav
- **Decision:** Added 4th tab (videocam icon) to authenticated bottom nav so logged-in users can join Jitsi conferences
- **Rationale:** Jitsi join was only accessible on the unauthenticated welcome screen. Logged-in users could never reach it.
- **Files affected:** rooms_screen.dart (v1.3.0), conference_tab.dart (new), jitsi_screen.dart (Back→/rooms)
- **Status:** Done and deployed

### 2026-04-11 03:00 — LiveKit E2EE frame encryption attempt
- **Decision:** Added CallE2EEManager for m.rtc.encryption_keys to-device key exchange + E2EEOptions on LiveKit Room
- **Rationale:** Element X encrypts video frames with AES-GCM. Without decryption, video is scrambled.
- **Files affected:** call_e2ee.dart (new), livekit_service.dart (v1.4.0)
- **Status:** PARTIALLY WORKING — E2EE worker requires SharedArrayBuffer which needs COOP/COEP headers. Headers added to .htaccess on 2026-04-11. Key exchange protocol (m.rtc.encryption_keys) implemented but interop with Element X NOT YET VERIFIED.

### 2026-04-11 04:00 — Web auth: fresh login every session (no session persistence)
- **Decision:** Removed session restore entirely for web. Every visit requires login. No access token stored.
- **Rationale:** Security — web app runs on untrusted/shared devices. Can't assume same user. Different from future APK which will persist sessions.
- **Files affected:** auth_notifier.dart (v2.0.0), secure_storage.dart (v2.0.0), auth_repository.dart (v2.0.0), app_config.dart (v2.0.0)
- **Status:** Done. Removed StoredCredentials, restoreSession(), storage key constants. Device ID persistence also removed (caused keys/upload 400 because Olm account not persisted).

### 2026-04-11 04:30 — SSSS + cross-signing + key backup bootstrap
- **Decision:** Implemented full security setup dialog using Matrix SDK Bootstrap class
- **Rationale:** Users need to create/restore SSSS to decrypt old messages. Replaces "Phase 2" placeholder.
- **Files affected:** security_setup_dialog.dart (new), key_restore_dialog.dart (new), profile_screen.dart (v1.4.0)
- **Status:** Done. User 'try' successfully ran security setup. Recovery key generated.

### 2026-04-11 05:00 — Fix authenticated media (Synapse 1.151.0)
- **Decision:** Switched from frozen /_matrix/media/v3/download/ to /_matrix/client/v1/media/download/ with access_token query param
- **Rationale:** Synapse 1.151.0 froze the old media endpoint. All room avatars returned 404.
- **Files affected:** mxc_url.dart (v2.0.0)
- **Status:** Done — avatars load correctly now

### 2026-04-11 06:00 — Add Help tab + Account management info
- **Decision:** Added 5th bottom nav tab (Help) with expandable help cards
- **Rationale:** Users need in-app guidance for encrypted messages, security setup, account management
- **Files affected:** help_tab.dart (new), rooms_screen.dart (v1.3.0)
- **Status:** Done. Contains: encrypted messages fix guide, getting started, conference guide, video call issues, account management (links to m8chat.au), privacy statement.

### 2026-04-11 07:00 — COOP/COEP headers for E2EE workers
- **Decision:** Added Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy to .htaccess
- **Rationale:** LiveKit E2EE frame encryption uses Web Workers that need SharedArrayBuffer
- **Files affected:** .htaccess on app2.m8chat.au (production server)
- **Status:** Headers verified active. E2EE re-enabled in code. NOT YET TESTED with a live call.

### 2026-04-11 07:00 — Fix hangup call termination
- **Decision:** Changed _clearCallMemberEvent to send {} instead of {'memberships': []}
- **Rationale:** Element X sends {} when ending calls (verified from DB). Our {'memberships': []} wasn't being recognised.
- **Files affected:** livekit_service.dart
- **Status:** Deployed. NOT YET TESTED.