docs: refresh cycle 13 research queue

SysAdminDoc · SysAdminDoc · commit 857cfe0ef4c8 · 2026-06-04T12:18:29.000-04:00
diff --git a/.ai/research/2026-06-04/CYCLE_13_FINDINGS.md b/.ai/research/2026-06-04/CYCLE_13_FINDINGS.md
@@ -0,0 +1,58 @@
+# Cycle 13 Findings - 2026-06-04
+
+## Scope
+
+- Repository: `SwiftFloris`
+- Baseline: clean detached worktree at pushed `master` `3df1e5b`
+  (`docs: refresh cycle 12 research queue`), described as
+  `v1.8.246-1-g3df1e5b`.
+- Sync: `git pull --rebase origin master` reported up to date before this
+  cycle.
+- Constraint: research/docs only. No feature source, tests, build files, or
+  assets were edited.
+
+## Anti-Duplicate Checks
+
+- Did not duplicate R12-1. R12-1 targets the temp-file replacement primitive;
+  this cycle targets read/reset interleaving in the stats count path.
+- Did not duplicate v1.8.234 post-hotfix regression coverage. That release
+  covers locale-scoped flush behavior, not `totalEntryCount()` serialization
+  with reset cleanup.
+- Did not reopen the broader personal n-gram `ConcurrentHashMap` and
+  pending-commit fixes from the pushed pass-2 audit commits.
+- Left the trigram tab/control-character normalization audit for a later cycle
+  so this row stays focused on stats/reset consistency.
+
+## Local Evidence
+
+- `PersonalBigramStore.kt:224-242` builds a locale-tag set from persisted
+  `personal_bigrams_*.tsv` files and `tablesByLocale.keys`, then calls
+  `ensureLoaded(localeTag)` for each tag without holding `loadGuard`.
+- `PersonalBigramStore.kt:367-376` clears in-memory bigram state and deletes
+  `personal_bigrams_*` files under `loadGuard`.
+- `PersonalTrigramStore.kt:229-245` and `PersonalTrigramStore.kt:368-375`
+  repeat the same count/reset shape for persisted trigram files.
+- `TypingStatsScreen.kt:137-143` displays the personal bigram and trigram
+  counts in Settings, making a stale or resurrected count user-visible.
+- `PersonalNgramFlushIsolationTest.kt:64-68` checks that reset is the only broad
+  cleanup path, but it does not require `totalEntryCount()` to share the reset
+  serialization boundary.
+- `docs/AUDIT_2026-05-28.md:58-60` records the race between
+  `totalEntryCount()` and `resetAndAwait()`.
+
+## Roadmap Changes Fed
+
+- R13-1: Serialize personal n-gram stats counting with reset cleanup. The
+  implementation should make file enumeration, loaded-key collection, and
+  `ensureLoaded()` run under the same reset-safe boundary in both stores or
+  compute from a reset-safe snapshot, with focused coverage that fails if stats
+  counting can reload a locale around reset deletion.
+
+## Non-Adds
+
+- No source fix was made in this cycle.
+- No new dictionary retention, export, permission, or network behavior was
+  proposed.
+- No broad personal-dictionary or typing-stats refactor proposed. The target is
+  the existing `totalEntryCount()` / `resetAndAwait()` consistency contract in
+  the two personal n-gram stores.
diff --git a/RESEARCH_REPORT.md b/RESEARCH_REPORT.md
@@ -1,6 +1,6 @@
 # SwiftFloris Research Report
 
-This report summarizes current research conclusions. The full 2026-05-25 research plan is archived at `docs/archive/research/RESEARCH_FEATURE_PLAN_2026-05-25.md`. Deep-research pass refreshed **2026-06-03** (post-v1.8.204), with 2026-06-04 freshness notes through Cycle 12 and v1.8.246 implementation notes.
+This report summarizes current research conclusions. The full 2026-05-25 research plan is archived at `docs/archive/research/RESEARCH_FEATURE_PLAN_2026-05-25.md`. Deep-research pass refreshed **2026-06-03** (post-v1.8.204), with 2026-06-04 freshness notes through Cycle 13 and v1.8.246 implementation notes.
 
 2026-06-04 implementation note: v1.8.241 closed R4-3. `MimeTypeFilter`
 constructor stdout logging is removed, aggregate helper semantics are documented
@@ -38,6 +38,13 @@ must remain local generated output rather than review evidence.
 AndroidX Core `1.19.0` remains blocked on the API 37 behavior-gate because the
 published `core-1.19.0.aar` metadata declares `minCompileSdk=37`.
 
+2026-06-04 Cycle 13 note: after the Cycle 12 docs push, `master` is clean at
+`3df1e5b` (`v1.8.246-1-g3df1e5b`). Cycle 13 rechecked the deferred
+`totalEntryCount()` / `resetAndAwait()` audit against live personal bigram and
+trigram stores plus the typing-stats UI. This cycle adds R13-1: serialize
+personal n-gram stats counting with reset cleanup so a stats refresh cannot
+reload or report stale locales around a reset.
+
 2026-06-04 Cycle 12 note: after the Cycle 11 docs push, `master` is clean at
 `8b68d3e` (`v1.8.238-1-g8b68d3e`). Cycle 12 rechecked the personal n-gram
 persistence data-loss audit against live `PersonalBigramStore`,
@@ -196,6 +203,7 @@ Top opportunities (one line each):
 24. **Editor content-generation lifecycle** — delayed start/selection content jobs are cancelled or superseded across reset/finishInput and input-connection switches before they can publish state or touch a captured `InputConnection` (R10-1). [Closed]
 25. **Preference-store init splash recovery** — async `initAndroid` failures now stage a crash report, unblock the splash wait, and redirect to crash recovery before normal Settings content renders (R11-1). [Closed]
 26. **Personal n-gram file replacement** — bigram/trigram flush fallback deletes the live file before a successful replacement exists (R12-1, P2). [Verified]
+27. **Personal n-gram stats/reset serialization** — `totalEntryCount()` can enumerate/load persisted bigram/trigram locales outside the reset lock while `resetAndAwait()` clears and deletes those files (R13-1, P2). [Verified]
 
 No Critical or Major reliability/security defects were found that are not already on the roadmap or in the deferred audit lists. The remaining heavy work (glide model training, Vosk addon, F-Droid submission, device-only visual verification) stays maintainer-gated as the existing roadmap records.
 
@@ -277,7 +285,9 @@ Privacy-first multilingual IME. `:app` is Apache-2.0-ceiling, no network permiss
 - **Personal n-gram persistence (partial):** locale-scoped flushes and
   concurrency guards are in place, but bigram/trigram file replacement still
   deletes the destination before a second rename attempt. R12-1 keeps the
-  last-known-good n-gram file until replacement succeeds. [Verified]
+  last-known-good n-gram file until replacement succeeds. R13-1 adds the
+  adjacent stats/reset consistency gap: `totalEntryCount()` should not reload or
+  report stale locales around `resetAndAwait()` cleanup. [Verified]
 - Established surfaces (autocorrect/SymSpell, glide classifier, clipboard, addons, voice handoff, sync, MCP, hardware-keyboard import) are covered by `COMPLETED.md` and the audits; no net-new gap surfaced beyond what the roadmap already tracks.
 
 ## Competitive Landscape
@@ -316,6 +326,10 @@ Privacy-first multilingual IME. `:app` is Apache-2.0-ceiling, no network permiss
 - **[Medium] Personal n-gram atomic replacement** → R12-1. Replace bigram and
   trigram TSV files without deleting the live destination before a successful
   replacement exists.
+- **[Medium] Personal n-gram stats/reset serialization** → R13-1. Move
+  bigram/trigram `totalEntryCount()` file enumeration and `ensureLoaded()` under
+  the reset-safe boundary, or compute counts from a reset-safe snapshot, so
+  Settings stats cannot resurrect or display stale learning counts after reset.
 - **[Closed v1.8.219] Remaining diagnostic `printStackTrace()` paths** → R2-2. `RestoreScreen` failure diagnostics now use `flogError`, restore UI copy falls back to the existing "Unknown error" string for null/blank throwable messages, and `CrashUtility.writeToFile` logs through `LogTopic.CRASH_UTILITY`.
 - **[High] Local release ledger drift** → R3-1. Three code-fix commits after
   the v1.8.225 docs marker are untagged and absent from the release ledger.
@@ -407,7 +421,9 @@ Privacy-first multilingual IME. `:app` is Apache-2.0-ceiling, no network permiss
 - **Personal n-gram durability boundary:** `PersonalNgramFlushIsolationTest`
   pins locale-scoped flush behavior, but the stores still need a shared
   atomic-replace contract so persistence failures cannot destroy the previous
-  locale file.
+  locale file. Cycle 13 adds the related read/reset boundary: stats counting
+  should share reset serialization or use a reset-safe snapshot before it can
+  call `ensureLoaded()` on persisted locale files.
 - **User-dictionary navigation policy:** `UserDictionaryEntryPolicy` correctly
   centralizes leave/mutation/transfer gates. v1.8.232 keeps that policy and
   adds a visible response when Compose back handling blocks the gesture during
@@ -420,7 +436,7 @@ Privacy-first multilingual IME. `:app` is Apache-2.0-ceiling, no network permiss
 
 ## Security / Privacy / Data Safety
 
-No net-new permission or data-egress finding. The settings-search additions are display/navigation only; the no-results Browse all settings action (RA-2), synonym keyword coverage (RA-3), and query-change scroll reset (RA-10) do not weaken the no-network posture. R2-1 and R2-2 closed as local diagnostic-safety work without adding network, telemetry, or broad file export. R11-1 closes the async side of startup diagnostics by surfacing preference-store init failures through the existing local crash recovery path without adding storage, permissions, or outbound data. R12-1 is local personal-prediction durability hardening and does not change dictionary retention, export, permissions, or outbound data. R3-2 is also local-only clipboard filtering. R3-3 closed as sync-crypto contract hardening before transport activation, with no new permission or native dependency. R4-1/R4-2/R4-3/R4-4 are closed local correctness/a11y/API-contract work. WS12 and WS10/WS15 are docs/resource-only and do not change permissions, retention, or storage behavior. R5-1 closed as trust-boundary hardening for optional addon APKs: it keeps the no-network addon screen but requires explicit trust before non-co-signed packages become active. R6-1 is local editor critical-section hardening and does not change storage, permissions, or outbound data. R7-1 closed as privacy posture hardening for the existing incognito mode and `FLAG_SECURE` contract, not a permission change. R9-1 is privacy-state hardening for existing local suggestion and smart-compose paths: it keeps the no-network posture and ensures `IME_FLAG_NO_PERSONALIZED_LEARNING` / incognito decisions are request-scoped across async work. R10-1 is local editor-session lifecycle hardening and does not change storage, permissions, or outbound data. R8-1 is UI feedback for an already-blocked dictionary operation path and does not change data retention, dictionary mutation, or export/import permissions. WS13 now explicitly includes the deferred `StickerMediaProvider.openFile` SAF allow-list validation so forged encoded sticker URIs are rejected without broadening file access. The deferred audit lists (`docs/AUDIT_2026-06-02.md`) remain the authority for crypto/parsing/lifecycle hardening; this pass does not duplicate them.
+No net-new permission or data-egress finding. The settings-search additions are display/navigation only; the no-results Browse all settings action (RA-2), synonym keyword coverage (RA-3), and query-change scroll reset (RA-10) do not weaken the no-network posture. R2-1 and R2-2 closed as local diagnostic-safety work without adding network, telemetry, or broad file export. R11-1 closes the async side of startup diagnostics by surfacing preference-store init failures through the existing local crash recovery path without adding storage, permissions, or outbound data. R12-1 is local personal-prediction durability hardening and does not change dictionary retention, export, permissions, or outbound data. R13-1 is local stats/reset consistency hardening for the same personal n-gram files and likewise does not change retention, export, permissions, or outbound data. R3-2 is also local-only clipboard filtering. R3-3 closed as sync-crypto contract hardening before transport activation, with no new permission or native dependency. R4-1/R4-2/R4-3/R4-4 are closed local correctness/a11y/API-contract work. WS12 and WS10/WS15 are docs/resource-only and do not change permissions, retention, or storage behavior. R5-1 closed as trust-boundary hardening for optional addon APKs: it keeps the no-network addon screen but requires explicit trust before non-co-signed packages become active. R6-1 is local editor critical-section hardening and does not change storage, permissions, or outbound data. R7-1 closed as privacy posture hardening for the existing incognito mode and `FLAG_SECURE` contract, not a permission change. R9-1 is privacy-state hardening for existing local suggestion and smart-compose paths: it keeps the no-network posture and ensures `IME_FLAG_NO_PERSONALIZED_LEARNING` / incognito decisions are request-scoped across async work. R10-1 is local editor-session lifecycle hardening and does not change storage, permissions, or outbound data. R8-1 is UI feedback for an already-blocked dictionary operation path and does not change data retention, dictionary mutation, or export/import permissions. WS13 now explicitly includes the deferred `StickerMediaProvider.openFile` SAF allow-list validation so forged encoded sticker URIs are rejected without broadening file access. The deferred audit lists (`docs/AUDIT_2026-06-02.md`) remain the authority for crypto/parsing/lifecycle hardening; this pass does not duplicate them.
 
 ## UX & Accessibility
 
@@ -448,6 +464,8 @@ The keyboard surface already has a strong a11y baseline (`ACCESSIBILITY.md`, `To
    the async failure contract is covered by focused JVM/Robolectric tests.
 7. R12-1 needs a focused file-replacement/flush test; no maintainer product
    decision is required.
+8. R13-1 needs a focused personal n-gram stats/reset test; no maintainer
+   product decision is required.
 
 ## Archived Evidence
 
diff --git a/ROADMAP.md b/ROADMAP.md
@@ -176,6 +176,51 @@ These are genuine blockers — each needs an account, key, sibling repo, ML infr
 
 ## Research-Driven Additions
 
+### Researcher Queue (Cycle 13 - 2026-06-04)
+
+- [x] 🔬 `personal-ngram-stats-reset-race-recheck-2026-06-04` - synced
+  `master` after the Cycle 12 docs push, rechecked the deferred
+  `totalEntryCount()` / `resetAndAwait()` audit against live bigram/trigram
+  stores and the typing-stats screen. This cycle adds one focused row for
+  serializing personal n-gram stats counting with reset cleanup.
+
+#### Personal n-gram stats consistency
+
+- [ ] 🤖 P2 — Serialize personal n-gram stats counting with reset cleanup (R13-1)
+  - Why: Settings -> Typing stats refreshes personal bigram/trigram totals from
+    `totalEntryCount()`, but each store builds its persisted-locale set outside
+    `loadGuard` and then calls `ensureLoaded(localeTag)`. `resetAndAwait()`
+    clears in-memory tables and deletes matching files under `loadGuard`, so a
+    stats refresh can observe stale filenames or reload a locale around a reset
+    and make a just-cleared learning store appear non-empty. The bug is distinct
+    from R12-1's file replacement durability: this is the read/reset
+    interleaving visible to the Settings stats UI.
+  - Evidence: `PersonalBigramStore.kt:224-242` lists
+    `personal_bigrams_*.tsv`, merges `tablesByLocale.keys`, and then calls
+    `ensureLoaded(localeTag)` for each tag without holding `loadGuard`;
+    `PersonalBigramStore.kt:367-376` clears bigram tables and deletes matching
+    files under `loadGuard`; `PersonalTrigramStore.kt:229-245` and
+    `PersonalTrigramStore.kt:368-375` repeat the same count/reset shape for
+    trigrams; `TypingStatsScreen.kt:137-143` displays both counts immediately in
+    Settings; `PersonalNgramFlushIsolationTest.kt:64-68` only checks that reset
+    is the broad cleanup path, not that stats counting is serialized with it;
+    the deferred audit records the race in `docs/AUDIT_2026-05-28.md:58-60`.
+  - Touches: `PersonalBigramStore.kt`, `PersonalTrigramStore.kt`, and a focused
+    JVM/source contract test such as `PersonalNgramFlushIsolationTest` or a new
+    personal n-gram stats/reset test. Keep the R12-1 atomic-replace work and the
+    v1.8.234 per-locale flush isolation intact.
+  - Acceptance: both stores compute `totalEntryCount()` under the same
+    serialization boundary as `resetAndAwait()` or from a reset-safe snapshot;
+    file enumeration, `tablesByLocale` key collection, and `ensureLoaded()` do
+    not interleave with reset deletion; a reset followed by or racing with a
+    stats refresh returns zero rather than resurrecting deleted locales; tests
+    fail if either store reintroduces unlocked file enumeration plus
+    `ensureLoaded()` in `totalEntryCount()`.
+  - Verify: `./gradlew.bat :app:testDebugUnitTest --tests
+    "dev.patrickgold.florisboard.ime.dictionary.PersonalNgramFlushIsolationTest"`
+    or the new focused stats/reset test class.
+  - Complexity: S
+
 ### Researcher Queue (Cycle 12 - 2026-06-04)
 
 - [x] 🔬 `personal-ngram-atomic-replace-recheck-2026-06-04` - synced
