fix(dashnote): tighten secret retention and session-recovery semantics

- Drop the module-scoped previewCache in useWifPreview: cached raw WIFs
  survived modal close/reopen for the page lifetime, extending secret
  retention beyond the form. Resolution state is now strictly
  component-local.
- Move the loadLoginModule() await inside the try in useWifPreview so a
  chunk-fetch failure collapses to idle instead of stranding the
  preview on "checking".
- Restore the active session in SessionContext's login catch path when
  priorStatus is "authenticated": typing a bad secret while signed in
  no longer demotes the user to browsing, even when a remembered
  identity is on disk. Switch flows already logout() before login()
  and are unaffected.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: thephez

example-apps/dashnote/src/hooks/useWifPreview.ts

@@ -39,22 +39,6 @@ const IDLE: WifPreviewState = { status: "idle" };
 const CHECKING: WifPreviewState = { status: "checking" };
 const DEBOUNCE_MS = 400;
 
-interface Resolved {
-  wif: string;
-  state: WifPreviewState;
-}
-
-// Module-scoped cache: a WIF that resolved to a given identity (or to an
-// actionable error) yields the same answer on every future paste, so survive
-// modal close/reopen. Idle outcomes (UnknownIdentity / network blips) are
-// not cached — see the resolver below.
-const previewCache = new Map<string, WifPreviewState>();
-
-/** Test-only: reset the module-scoped preview cache between tests. */
-export function _resetWifPreviewCacheForTests(): void {
-  previewCache.clear();
-}
-
 /**
  * Eagerly resolves a pasted WIF to its owning identity (and DPNS name) so
  * the user gets pre-submit confirmation and "wrong key type" feedback before
@@ -66,8 +50,11 @@ export function _resetWifPreviewCacheForTests(): void {
  * committed to login yet, so we don't surface UnknownIdentityError or network
  * failures as UI errors. The actual login path will surface them on submit.
  *
- * Results are cached per WIF for the lifetime of the hook so re-typing the
- * same key doesn't re-query.
+ * Resolution state is component-local: changing the WIF cancels any in-flight
+ * resolver and clears the prior result. We do NOT cache resolved outcomes
+ * across renders — keeping a Map of pasted secrets keyed by raw WIF would
+ * extend secret retention beyond the form lifecycle for no real UX win
+ * (re-pasting the exact same WIF is rare).
  */
 export function useWifPreview(
   sdk: DashSdk | null,
@@ -76,24 +63,27 @@ export function useWifPreview(
 ): WifPreviewState {
   const trimmed = secret.trim();
   const gateOk = enabled && Boolean(sdk) && looksLikeWif(trimmed);
-  const cached = gateOk ? previewCache.get(trimmed) : undefined;
 
-  // The resolver tags its result with the WIF that produced it; the render
-  // path ignores stale results from a previous WIF. This avoids any setState
-  // in the effect body or cleanup.
-  const [resolved, setResolved] = useState<Resolved | null>(null);
+  // The resolver tags its result with the WIF that produced it; if `trimmed`
+  // changes between scheduling and rendering, we ignore the stale result at
+  // the bottom of this hook. This avoids any setState in the effect body.
+  // Note: `wif` here is component-local state — it lives only as long as the
+  // input does, matching the lifetime of `secret` in the parent component.
+  const [resolved, setResolved] = useState<{
+    wif: string;
+    state: WifPreviewState;
+  } | null>(null);
 
   useEffect(() => {
-    if (!gateOk || cached) {
-      return;
-    }
+    if (!gateOk) return;
     let cancelled = false;
     const timer = window.setTimeout(async () => {
       if (cancelled) return;
-      const mod = await loadLoginModule();
-      if (cancelled) return;
-      let next: WifPreviewState;
+      let next: WifPreviewState = IDLE;
+      let mod: LoginModule | null = null;
       try {
+        mod = await loadLoginModule();
+        if (cancelled) return;
         const result = await mod.resolveIdentityFromWif(sdk!, trimmed);
         let dpns: string | null = null;
         try {
@@ -107,9 +97,13 @@ export function useWifPreview(
           dpnsName: dpns,
         };
       } catch (err) {
+        // mod is null only if loadLoginModule itself rejected (chunk fetch
+        // failure / offline). Treat that as an idle outcome — same silent
+        // policy we apply to UnknownIdentity and network blips.
         if (
-          err instanceof mod.WrongKeyPurposeError ||
-          err instanceof mod.KeyDisabledError
+          mod &&
+          (err instanceof mod.WrongKeyPurposeError ||
+            err instanceof mod.KeyDisabledError)
         ) {
           // We have an identity ID — resolve its DPNS name so the warning
           // can show the user-friendly handle instead of a truncated ID.
@@ -134,29 +128,23 @@ export function useWifPreview(
               dpnsName: dpns,
             };
           }
-        } else if (err instanceof mod.UnknownIdentityError) {
-          next = IDLE;
         } else {
+          // UnknownIdentityError, network failure, import failure, or any
+          // other unexpected error — stay silent until the user submits.
           next = IDLE;
         }
       }
       if (cancelled) return;
-      // Only cache stable outcomes — silent "idle" results from transient
-      // network errors should be retryable on the next keystroke.
-      if (next.status !== "idle") {
-        previewCache.set(trimmed, next);
-      }
       setResolved({ wif: trimmed, state: next });
     }, DEBOUNCE_MS);
 
     return () => {
       cancelled = true;
       window.clearTimeout(timer);
     };
-  }, [sdk, trimmed, gateOk, cached]);
+  }, [sdk, trimmed, gateOk]);
 
   if (!gateOk) return IDLE;
-  if (cached) return cached;
   if (resolved && resolved.wif === trimmed) return resolved.state;
   return CHECKING;
 }

example-apps/dashnote/src/session/SessionContext.tsx

@@ -213,11 +213,19 @@ export function SessionProvider({ children }: { children: ReactNode }) {
       } catch (err) {
         const message = errorMessage(err);
         setError(message);
-        // Restore prior session state. If a remembered identity exists,
-        // prefer landing in browsing mode so a failed key-swap still shows
-        // the remembered identity panel instead of the logged-out form.
+        // Restore prior session state. If the user was already authenticated
+        // (e.g. they opened Settings and pasted a bad secret), keep them
+        // logged in — a typo shouldn't demote an active session. Otherwise,
+        // prefer landing in browsing mode if a remembered identity exists,
+        // so a failed key-swap still shows the remembered identity panel
+        // instead of the logged-out form.
         const remembered = loadRememberedIdentity();
-        if (remembered) {
+        if (priorStatus === "authenticated" && priorKeyManager) {
+          setKeyManager(priorKeyManager);
+          setIdentityId(priorIdentityId);
+          setDpnsName(priorDpnsName);
+          setStatus(priorStatus);
+        } else if (remembered) {
           setKeyManager(null);
           setIdentityId(remembered.id);
           setDpnsName(remembered.name ?? null);

example-apps/dashnote/test/SessionContext.test.tsx

@@ -596,7 +596,7 @@ describe("SessionProvider", () => {
     );
   });
 
-  it("failed switch-identity from authenticated falls back to browsing the remembered identity", async () => {
+  it("failed switch-identity from authenticated keeps the active session", async () => {
     // First, authenticate so a real keyManager + remembered identity exist.
     mockKeyManagerCreate.mockResolvedValueOnce({
       identityId: "logged-in-id",
@@ -606,20 +606,22 @@ describe("SessionProvider", () => {
       await ref.current.login("test mnemonic", { rememberMe: true });
     });
     expect(ref.current.status).toBe("authenticated");
-    expect(ref.current.keyManager).not.toBeNull();
+    const priorKeyManager = ref.current.keyManager;
+    expect(priorKeyManager).not.toBeNull();
 
     // Now attempt to switch with a wrong-purpose WIF. The active session
-    // should drop, but a remembered identity exists, so we land in browsing.
+    // must NOT drop — typing a bad secret while signed in should never log
+    // the user out, even if a remembered identity is present in storage.
     mockLoginWithPrivateKey.mockRejectedValueOnce(
       new Error("Found identity Y, but this is a transfer key."),
     );
     await act(async () => {
       await ref.current.login("cVHcfvcWNc7DvqaPCwM6Z3").catch(() => undefined);
     });
 
-    expect(ref.current.status).toBe("browsing");
+    expect(ref.current.status).toBe("authenticated");
     expect(ref.current.identityId).toBe("logged-in-id");
-    expect(ref.current.keyManager).toBeNull();
+    expect(ref.current.keyManager).toBe(priorKeyManager);
     expect(ref.current.error).toMatch(/transfer key/);
     expect(mockToastError).toHaveBeenCalledWith(
       expect.stringContaining("transfer key"),

example-apps/dashnote/test/useWifPreview.test.tsx

@@ -58,7 +58,6 @@ vi.mock("../src/dash/resolveDpnsName", () => ({
 }));
 
 import {
-  _resetWifPreviewCacheForTests,
   useWifPreview,
   type WifPreviewState,
 } from "../src/hooks/useWifPreview";
@@ -94,7 +93,6 @@ beforeEach(() => {
   vi.useFakeTimers();
   mockResolveIdentityFromWif.mockReset();
   mockResolveDpnsName.mockReset();
-  _resetWifPreviewCacheForTests();
 });
 
 afterEach(() => {
@@ -263,62 +261,31 @@ describe("useWifPreview", () => {
     expect(states.at(-1)?.status).toBe("resolved");
   });
 
-  it("caches stable outcomes — re-rendering the same WIF skips the network", async () => {
+  it("does not retain results across remount — secret state is component-local", async () => {
+    // The hook intentionally does not cache resolved outcomes across mounts;
+    // every fresh mount that re-passes the WIF performs the network call
+    // again. This bounds raw-WIF retention to the form's lifetime.
     mockResolveIdentityFromWif.mockResolvedValue({
-      identityId: "id-cache",
+      identityId: "id-fresh",
       identity: {},
       matched: { id: 1, purpose: 0, securityLevel: 2 },
       identityKey: {},
     });
     mockResolveDpnsName.mockResolvedValue(null);
 
-    const states: WifPreviewState[] = [];
     const { unmount } = render(
-      <Harness secret={VALID_WIF} onState={(s) => states.push(s)} />,
+      <Harness secret={VALID_WIF} onState={() => {}} />,
     );
     await flushDebounce();
     expect(mockResolveIdentityFromWif).toHaveBeenCalledTimes(1);
     unmount();
 
-    // Second mount with the same WIF must not re-query — the cache returns
-    // the prior outcome synchronously.
-    const states2: WifPreviewState[] = [];
-    render(<Harness secret={VALID_WIF} onState={(s) => states2.push(s)} />);
-    expect(mockResolveIdentityFromWif).toHaveBeenCalledTimes(1);
-    expect(states2.at(-1)?.status).toBe("resolved");
-  });
-
-  it("does NOT cache idle outcomes — silent failures retry on next render", async () => {
-    mockResolveIdentityFromWif.mockRejectedValueOnce(
-      new UnknownIdentityError(),
-    );
-
-    const states: WifPreviewState[] = [];
-    const { unmount } = render(
-      <Harness secret={VALID_WIF} onState={(s) => states.push(s)} />,
-    );
-    await flushDebounce();
-    expect(states.at(-1)?.status).toBe("idle");
-    unmount();
-
-    // Now the WIF resolves successfully — the previous idle result must not
-    // have been cached, so this run should hit the network again.
-    mockResolveIdentityFromWif.mockResolvedValueOnce({
-      identityId: "id-retry",
-      identity: {},
-      matched: { id: 1, purpose: 0, securityLevel: 2 },
-      identityKey: {},
-    });
-    mockResolveDpnsName.mockResolvedValue(null);
-
-    const states2: WifPreviewState[] = [];
-    render(<Harness secret={VALID_WIF} onState={(s) => states2.push(s)} />);
+    render(<Harness secret={VALID_WIF} onState={() => {}} />);
     await flushDebounce();
     expect(mockResolveIdentityFromWif).toHaveBeenCalledTimes(2);
-    expect(states2.at(-1)?.status).toBe("resolved");
   });
 
-  it("trims whitespace before gating + caching (paste with surrounding spaces)", async () => {
+  it("trims whitespace before gating; passes the trimmed WIF to the resolver", async () => {
     mockResolveIdentityFromWif.mockResolvedValue({
       identityId: "id-trim",
       identity: {},
@@ -328,18 +295,13 @@ describe("useWifPreview", () => {
     mockResolveDpnsName.mockResolvedValue(null);
 
     const states: WifPreviewState[] = [];
-    const { unmount } = render(
+    render(
       <Harness secret={`  ${VALID_WIF}\n`} onState={(s) => states.push(s)} />,
     );
     await flushDebounce();
     expect(mockResolveIdentityFromWif).toHaveBeenCalledTimes(1);
     // Resolver was called with the trimmed WIF, not the padded input.
     expect(mockResolveIdentityFromWif).toHaveBeenCalledWith(sdk, VALID_WIF);
-    unmount();
-
-    // Re-rendering with the bare WIF must hit the cache (same key after trim).
-    render(<Harness secret={VALID_WIF} onState={(s) => states.push(s)} />);
-    expect(mockResolveIdentityFromWif).toHaveBeenCalledTimes(1);
     expect(states.at(-1)?.status).toBe("resolved");
   });