docs: refresh SwiftFloris research handoff

SysAdminDoc · SysAdminDoc · commit a75091af9d1d · 2026-06-04T00:56:39.000-04:00
diff --git a/RESEARCH_REPORT.md b/RESEARCH_REPORT.md
@@ -1,6 +1,8 @@
 # SwiftFloris Research Report
 
-This report summarizes current research conclusions. The full 2026-05-25 research plan is archived at `docs/archive/research/RESEARCH_FEATURE_PLAN_2026-05-25.md`. Deep-research pass refreshed **2026-06-03** (post-v1.8.204).
+This report summarizes current research conclusions. The full 2026-05-25 research plan is archived at `docs/archive/research/RESEARCH_FEATURE_PLAN_2026-05-25.md`. Deep-research pass refreshed **2026-06-03** (post-v1.8.204), with a 2026-06-04 freshness note after the v1.8.207 voice-copy slice.
+
+2026-06-04 freshness note: the live dirty tree has already moved EI7 out of active work into v1.8.207 release docs, with `VoiceInputEmptyStateCopyTest.kt` pinning the FUTO explanation and F-Droid install action. This pass did not run Gradle because repo instructions say not to run Android gates from this VM unless asked; the changelog's green Gradle evidence remains unverified here. Current external checks support the copy: FUTO's Voice Input page describes it as working entirely on-device with no stored data, latest F-Droid/standalone version v1.3.6 (28), and the source mirror says FUTO Voice Input remains available for third-party keyboards even though FUTO development has shifted toward FUTO Keyboard. Android-platform sources also moved: Android 17 API 37 setup docs are current, but SwiftFloris already keeps API 37 as a future behavior-gate decision. Maven metadata shows low-priority freshness drift rather than a security issue: Kotlin 2.4.0, Compose BOM 2026.05.01, AndroidX Core 1.19.0, and Roborazzi 1.63.0 are newer than the pinned versions, while Room 2.8.4, SQLCipher 4.16.0, Tink 1.21.0, and Robolectric 4.16.1 still match current metadata. A P3 dependency-refresh row was added to `ROADMAP.md`.
 
 ## Executive Summary
 
@@ -54,7 +56,7 @@ Privacy-first multilingual IME. `:app` is Apache-2.0-ceiling, no network permiss
 ## Architecture & Technical Findings
 
 - **Module boundaries:** clean `:app` + `:lib:*` split; addon capability isolation is a deliberate, well-documented pattern. No new boundary issue surfaced.
-- **Dependency health:** versions are current; no obviously outdated/deprecated/vulnerable libs in `libs.versions.toml` (Kotlin 2.3.21, AGP 9.2.1, Room 2.8.4, SQLCipher 4.16.0, Tink 1.21.0, Roborazzi 1.60.0). No net-new dependency item warranted. [Verified]
+- **Dependency health:** the security-sensitive pins checked here are still current for SQLCipher 4.16.0 and Tink 1.21.0, and Room/Robolectric also match metadata. Freshness drift now exists for Kotlin 2.4.0, Compose BOM 2026.05.01, AndroidX Core 1.19.0, and Roborazzi 1.63.0; AGP 9.2.1 appears to be the stable baseline while Google Maven's newest AGP metadata is 9.3 alpha. This is a P3 maintenance batch, not a security item. [Verified via Maven metadata]
 - **Overgrown files:** `IndicTransliterator.kt` (~86 KB), `TextKeyboardLayout.kt` (~76 KB), `LatinLanguageProvider.kt` (~60 KB), `KeyboardManager.kt` (~60 KB) are large but the SHIFT state machine was already extracted (F27 shipped) and the audits already track `LatinLanguageProvider` heap risk (A1). Left as-is — no speculative refactor proposed.
 - **Testability:** 217 JVM test files, 5 androidTest. The search subsystem is the thinnest-tested new code; RA-1/RA-3 close that.
 - **Release automation:** mature (reproducible build, SBOM/provenance and signed-tags already roadmapped as maintainer-gated). No new item.
diff --git a/ROADMAP.md b/ROADMAP.md
@@ -8,6 +8,25 @@ Hard rules still apply (see `AGENTS.md`): no `INTERNET` permission in `:app`; Ap
 
 Item IDs trace to their origin research: `F#`/`EI#` from the archived 2026-05-25 research feature plan; `R#`/`O#` from the 2026-05-25 second-pass findings; `WS#` from the archived improvement-plan workstreams; `N#`/`Next-#`/`L#` from the archived roadmap tiers. Shipped items and reframed/rejected items live in `COMPLETED.md`; full release detail in `CHANGELOG.md`. Historical strategy (tiered NOW/NEXT/LATER, sourced appendix) is preserved at `docs/archive/ROADMAP_v5.67_2026-05-18.md`.
 
+> Last researched: Cycle 1 - 2026-06-04.
+
+## Implementer Instructions
+
+- Treat this roadmap as the planning history and `PROJECT_CONTEXT.md` /
+  `AGENTS.md` as the operational entry point. Shipped work belongs in
+  `CHANGELOG.md`; completed roadmap items belong in `COMPLETED.md`.
+- Keep the `:app` invariant strict: no internet/network permissions, Apache-2.0
+  ceiling, no closed-source blobs, and network or incompatible features only in
+  isolated addon APKs.
+- Do not run Gradle on this VM unless explicitly asked. Use the Android SDK host
+  for `:app:verifyNoInternetPermission :app:testDebugUnitTest :app:lintDebug
+  :app:assembleDebug` and device-gated manual QA.
+- For release work, keep `gradle.properties`, consolidated `CHANGELOG.md`, and
+  fastlane changelog metadata in lockstep with the version bump.
+- Researcher-queue ownership tags: `🤖` means implementer-actionable, `🔧`
+  means user/external/manual gated, `🔬` means researcher-added this cycle, and
+  `✅` means implemented/closed by the build lane.
+
 ## Existing Planned Work
 
 ### Keyboard surface & visual polish (device-gated)
@@ -56,6 +75,11 @@ Item IDs trace to their origin research: `F#`/`EI#` from the archived 2026-05-25
 
 ### Docs & hygiene
 
+- [ ] P3 — Low-risk dependency freshness batch after v1.8.207
+  - Why: 2026-06-04 Maven metadata shows small freshness drift after the current release: Kotlin 2.4.0, Compose BOM 2026.05.01, AndroidX Core 1.19.0, and Roborazzi 1.63.0 are newer than the pinned versions. Room 2.8.4, SQLCipher 4.16.0, Tink 1.21.0, and Robolectric 4.16.1 still match current metadata; Google Maven's newest AGP is 9.3 alpha, so do not churn AGP blindly.
+  - Touches: `gradle/libs.versions.toml`, release notes if bumped.
+  - Acceptance: bump only compatible low-risk pins; `:app:verifyNoInternetPermission :app:testDebugUnitTest :app:lintDebug :app:assembleDebug` green on an Android SDK host; no new permission or dependency-license surface.
+  - Source: 2026-06-04 research refresh.
 - [ ] P2 — Confirm absence of lint baseline / close EI10 (EI10)
   - Why: Research says no `app/lint-baseline.xml` exists; confirm and note.
   - Touches: one-line note; `bash scripts/run-lint-debug-with-baseline-check.sh` exits 0.
@@ -143,6 +167,15 @@ These are genuine blockers — each needs an account, key, sibling repo, ML infr
 
 ## Research-Driven Additions
 
+### Researcher Queue (Cycle 1 - 2026-06-04)
+
+- [x] 🔬 `voice-copy-dependency-refresh-2026-06-04` - rechecked the v1.8.207
+  voice-copy slice and public dependency metadata without running Gradle on this
+  VM. FUTO Voice Input remains the correct privacy-preserving handoff for voice
+  copy, Android 17/API 37 remains future behavior-gate work, and dependency
+  drift is low-risk maintenance rather than a security item. The new P3
+  dependency freshness row is the build-lane handoff.
+
 *Research conducted 2026-06-03. Items below are new — not duplicates of Existing Planned Work.*
 
 This pass focused on the v1.8.204 **settings search** drop (the newest feature, shipped this release) and a few cross-cutting gaps the three deep audits (`docs/AUDIT_2026-05-28/29` + `2026-06-02`) and the existing roadmap do not already cover. The search subsystem is a hand-maintained static catalog that mirrors the navigation graph with no drift guard — the highest-leverage net-new work.
