ScreenTinker 742d8c4b09 feat(socket): delivery queue for offline-device emits ... Short-lived per-device queue covers the TV-flap window (issue #3): when a device is mid-reconnect, prior code emitted to an empty room and the event vanished. Now playlist-updates and commands targeting an offline device are queued and flushed in order on the next device:register for that device_id. server/lib/command-queue.js (new): - pendingPlaylistUpdate: per-device marker (rebuild via builder on flush -> always fresh DB state, no stale snapshots) - pendingCommands: per-device Map<type, payload> with last-of-type dedup (most recent screen_off wins) - TTL via COMMAND_QUEUE_TTL_MS env (default 30000) - Active sweep every 30s prunes expired entries Memory bounds: ~6 entries per device worst case (1 playlist marker + 5 command types), unref'd sweep timer. Wired emit sites (8 total; the four direct socket.emit calls in deviceSocket register handlers are intentionally NOT queued because the socket is alive by definition at those points): - server/routes/video-walls.js (pushWallPayloadToDevice) - server/routes/device-groups.js (pushPlaylistToDevice) - server/routes/content.js (content-delete fan-out) - server/routes/playlists.js (pushToDevices + assign) - server/services/scheduler.js (scheduled rotations) - server/ws/deviceSocket.js x2 (wall leader reclaim/reassign) server/ws/deviceSocket.js register paths now call flushQueue after heartbeat.registerConnection + socket.join. Existing socket.emit('device:playlist-update', ...) lines kept - they send the initial state on register; the flush replays any queued events. Player's handlePlaylistUpdate fingerprint check dedupes the overlap. Refs #3 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>		2026-05-14 13:06:43 -05:00
..
activity.js	Phase 2.1: tenancy middleware, permission helpers, JWT workspace context, frontend + backend role-rename compat	2026-05-11 20:02:00 -05:00
assignments.js	Phase 2.2j: assignments.js scoped to workspace_id via playlist.workspace_id; fixes 3 pre-existing cross-tenant leaks (content add, widget add with NO existing check, copy-to cross-workspace); ensureDevicePlaylist loop-closer; status.js playlist INSERT bundle	2026-05-11 22:12:13 -05:00
auth.js	feat(email): Microsoft Graph send + alert spam protection + preferences UI	2026-05-12 18:16:40 -05:00
content.js	feat(socket): delivery queue for offline-device emits	2026-05-14 13:06:43 -05:00
device-groups.js	feat(socket): delivery queue for offline-device emits	2026-05-14 13:06:43 -05:00
devices.js	feat(socket): Phase 2.3 workspace-scoped dashboard socket rooms + per-command permission gates. Dashboard namespace was previously a flat broadcast - every connected dashboard received every device's status/screenshot/playback events platform-wide (foreign device names + IPs included). Inbound socket commands gated by a legacy admin/superadmin role check that was dead code post-Phase-1 rename.	2026-05-12 11:34:24 -05:00
folders.js	Phase 2.2c: content_folders gets workspace_id (schema + backfill); folders.js scoped; content.js folder-move strict same-workspace	2026-05-11 21:04:03 -05:00
kiosk.js	Phase 2.2e: kiosk.js scoped to workspace_id; import kiosk INSERT bundled	2026-05-11 21:20:18 -05:00
layouts.js	Phase 2.2h: layouts.js scoped to workspace_id; templates via is_template path; fixes pre-existing PUT /device/:deviceId cross-tenant layout-assignment leak	2026-05-11 21:45:28 -05:00
playlists.js	feat(socket): delivery queue for offline-device emits	2026-05-14 13:06:43 -05:00
provisioning.js	Initial open source release	2026-04-08 12:14:53 -05:00
reports.js	Phase 2.2g: reports.js scoped to workspace_id; fixes pre-existing /export and /uptime cross-tenant leaks	2026-05-11 21:36:54 -05:00
schedules.js	Phase 2.2m: schedules.js scoped to workspace_id; schedule.workspace_id inherited from target (device/group); fixes 6 pre-existing cross-tenant leaks (POST content/widget/layout/playlist accepted with no check, PUT verifyOwnership rewrite across all 6 polymorphic targets)	2026-05-11 23:03:54 -05:00
status.js	Phase 2.2j: assignments.js scoped to workspace_id via playlist.workspace_id; fixes 3 pre-existing cross-tenant leaks (content add, widget add with NO existing check, copy-to cross-workspace); ensureDevicePlaylist loop-closer; status.js playlist INSERT bundle	2026-05-11 22:12:13 -05:00
stripe.js	Security audit remediation: auth, IDOR, XSS, hardening	2026-04-11 22:48:07 -05:00
subscription.js	Initial open source release	2026-04-08 12:14:53 -05:00
teams.js	feat(teams): temporarily disable Teams API while feature is redesigned	2026-05-12 13:30:55 -05:00
video-walls.js	feat(socket): delivery queue for offline-device emits	2026-05-14 13:06:43 -05:00
white-label.js	Phase 2.2f: white-label.js scoped to workspace_id; requireWorkspaceAdmin gate; status.js bundle	2026-05-11 21:30:22 -05:00
widgets.js	Phase 2.2d: widgets.js scoped to workspace_id; import + widget-reference defense bundled	2026-05-11 21:13:51 -05:00
workspaces.js	feat(workspaces): rename via switcher dropdown - new PATCH /api/workspaces/:id route, per-row pencil affordance in switcher (visible only when caller can_admin), small rename modal with name + slug fields, validation (name <=80 chars, slug ^[a-z0-9]+(?:-[a-z0-9]+)*$ <=60 chars, blank slug -> NULL), 409 on per-org slug collision. Permission gating via new canAdminWorkspace(db, user, ws) helper in lib/permissions.js - reused-ready for future Phase 3 admin actions. /me query now joins organization_members to compute can_admin per accessible_workspaces entry. Drive-by fixes surfaced: (1) activityLogger method filter was missing PATCH, added; (2) routes that operate on a target workspace by URL param need to stamp req.workspaceId from the param so activityLogger captures the right tenant attribution - documented in the route. Smoke fixture: switcher-test@local.test is workspace_admin of Studio A and workspace_editor of Field Crew (no org_owner) so the can_admin true/false split is exercised in one login.	2026-05-12 11:06:55 -05:00