Stabilize iOS/watchOS/tvOS apps and add cross-platform audit remediation

2026-02-11 12:54:40 -06:00
parent e40275e694
commit acce712261
77 changed files with 2940 additions and 765 deletions
--- a/docs/step6_audit_round1.md
+++ b/docs/step6_audit_round1.md
@@ -0,0 +1,55 @@
+# Step 6 Audit Round 1 (P0/P1)
+
+## Coverage
+
+- Reviewed high-risk auth/session/network/watch files:
+  - `iphone/Werkout_ios/UserStore.swift`
+  - `iphone/Werkout_ios/Network/Network.swift`
+  - `iphone/Werkout_ios/BridgeModule+Watch.swift`
+  - `iphone/Werkout_watch Watch App/WatchMainViewModel.swift`
+  - `iphone/Werkout_watch Watch App/WatchMainViewModel+WCSessionDelegate.swift`
+  - `iphone/Werkout_ios/HealthKitHelper.swift`
+  - `iphone/Werkout_ios/CurrentWorkoutInfo.swift`
+- Ran:
+  - `./scripts/smoke/smoke_all.sh`
+- Added/ran regression tests in `SharedCore` for token lifecycle and watch payload validation.
+
+## Findings And Fixes
+
+1. `P1` Watch command loss during activation
+   - Evidence: `iphone/Werkout_watch Watch App/WatchMainViewModel+WCSessionDelegate.swift:40`
+   - Problem: payloads were dropped when `WCSession` was not activated.
+   - Fix: added bounded queue (`maxQueuedPayloads`), enqueue on inactive session, flush on activation.
+
+2. `P1` Silent/unsafe watch payload decode failures
+   - Evidence: `iphone/Werkout_ios/BridgeModule+Watch.swift:73`
+   - Evidence: `iphone/Werkout_watch Watch App/WatchMainViewModel.swift:74`
+   - Problem: `try?` decode silently ignored malformed payloads.
+   - Fix: added shared `WatchPayloadValidation` with size checks and structured decode failures; both decode paths now reject+log bad payloads.
+
+3. `P1` Auth token normalization gap for prefixed tokens
+   - Evidence: `SharedCore/Sources/SharedCore/TokenSecurity.swift:24`
+   - Problem: `"Token ..."` / `"Bearer ..."` values were not normalized.
+   - Fix: normalize known auth prefixes and reject bare prefix-only strings.
+
+4. `P1` Network reliability/threading risk
+   - Evidence: `iphone/Werkout_ios/Network/Network.swift:12`
+   - Problem: infinite request timeouts and completion handlers returning on background threads.
+   - Fix: finite timeout (`30s`) and centralized main-thread completion delivery.
+
+5. `P1` HealthKit helper shared mutable-state race
+   - Evidence: `iphone/Werkout_ios/HealthKitHelper.swift:20`
+   - Problem: mutable cross-request state (`completion`, counters, shared result object) could race and mis-route results.
+   - Fix: per-request aggregation via `DispatchGroup`, single UUID query (`limit: 1`), thread-safe aggregation queue, structured runtime logging.
+
+6. `P2` Workout order inconsistency across helpers
+   - Evidence: `iphone/Werkout_ios/CurrentWorkoutInfo.swift:24`
+   - Problem: some paths used unsorted `workout.supersets` while others used sorted supersets.
+   - Fix: unified core navigation/lookup paths on sorted `superset` accessor and corrected bounds check.
+
+## Validation
+
+- Smoke suite passed after fixes:
+  - token scan
+  - SharedCore tests (including new regression tests)
+  - iOS/watchOS/tvOS builds