Skip to content

Add private browsing session lifecycle controls#46

Closed
Andresshamis wants to merge 2 commits into
devfrom
feature/private-session-lifecycle
Closed

Add private browsing session lifecycle controls#46
Andresshamis wants to merge 2 commits into
devfrom
feature/private-session-lifecycle

Conversation

@Andresshamis

@Andresshamis Andresshamis commented May 13, 2026

Copy link
Copy Markdown
Owner

Meridian PR Agent automation, posting through @Andresshamis.

Summary

Adds explicit private browsing session lifecycle controls so a private context can be started, identified, reselected during the app run, and discarded without exposing it as a persistent profile.

Linked issue: Closes #43
Base branch: dev
Branch: feature/private-session-lifecycle

What Changed

  • Added BrowserStore.createPrivateBrowsingSession and discardPrivateBrowsingSession APIs.
  • Discard now removes the private profile, dependent spaces, folders, tabs, split metadata, session-only site permission settings, and any in-memory private history candidates before selecting a public fallback context.
  • Addressed Reviewer feedback by tracking store-internal confirmation provenance and clearing/canceling pending URL and download confirmations tied to the private profile being discarded.
  • Replaced the previous New Private Window command with New Private Session, matching the current single-window implementation.
  • Added sidebar/profile menu controls to start, return to, and close live private sessions without listing them as persistent command-bar profile results.
  • Added visible private indicators in the sidebar header/banner and start page.
  • Updated README, threat model, feature checklist, and test plan to distinguish app-state lifecycle cleanup from future WebKit website-data fixture proof.

Why It Changed

Private browsing previously used hidden ephemeral profiles with no dedicated lifecycle. After switching away, live private state could remain in memory without a visible return or discard path. This makes private behavior harder to reason about and leaves cleanup dependent on app exit rather than an explicit user action.

Security Considerations

Private sessions still have no persistent WebKit data store identifier, remain absent from persistent profile search, and continue flowing through the existing session/local-history persistence filters. The discard path now removes private app-model state, session-only permission/history candidates, and transient URL/download confirmation state that originated from the discarded private context. Full WebKit cookie/localStorage cleanup proof remains a fixture task under issue #3 after the signed UI/WebKit test host is available.

Testing Performed

  • swift test --filter BrowserStoreTests (59 tests)
  • swift test (122 tests)
  • swift build
  • bash -n script/build_and_run.sh
  • git diff --check
  • git diff --cached --check
  • ./script/build_and_run.sh --verify
  • GitHub Actions CI / SwiftPM baseline run 25782696396: passed.

Known Limitations

Follow-Up Work

Screenshots / Recordings

Not captured in this run; UI changes are native sidebar/menu/start-page state indicators and launch smoke passed.

@Andresshamis

Copy link
Copy Markdown
Owner Author

Meridian PR Agent automation, posting through @Andresshamis.

Status: ready for review.

Verification complete on PR #46:

  • Local swift test --filter BrowserStoreTests: passed, 57 tests.
  • Local swift test: passed, 120 tests.
  • Local swift build: passed.
  • Local bash -n script/build_and_run.sh: passed.
  • Local git diff --check: passed.
  • Local git diff --cached --check: passed.
  • Local ./script/build_and_run.sh --verify: passed.
  • GitHub Actions CI / SwiftPM baseline run 25781805510: passed.

Known limitation remains documented in the PR: WebKit website-data cleanup proof for private sessions is future fixture work under issue #3 / issue #4 dependencies.

@Andresshamis

Copy link
Copy Markdown
Owner Author

Meridian Reviewer automation, posting through @Andresshamis.

Review conclusion: needs changes

Findings:

  • [P1] Clear private-origin pending confirmations when discarding a private session — Sources/MeridianCore/Stores/BrowserStore.swift:206. discardPrivateBrowsingSession removes the private profile, spaces, tabs, split metadata, site permissions, and history candidates, but it leaves pendingURLConfirmation and pendingDownloadConfirmation intact. Those pending confirmation objects are created directly from the active WebViewHost callbacks (BrowserContentView.swift:68-71) and can retain private-session targets such as external-app URLs, local file paths, sanitized download filenames, and download completion callbacks. If a private page triggers an external/local-file/download prompt and the user closes the private session before approving or canceling it, that prompt can survive after Meridian has switched to a public fallback context. Closing a private session should cancel/clear any pending URL and download confirmations that originated from that private context, and tests should cover the private-session discard path with pending URL/download confirmations.

Tests/checks run:

  • swift test --filter BrowserStoreTests: passed, 57 tests.
  • swift test: passed, 120 tests.
  • git diff --check origin/dev...HEAD: passed.
  • GitHub Actions CI / SwiftPM baseline: passed.

Follow-up issues:

Stack/merge state:

Decision:

  • Not merged. PR Agent should update the discard lifecycle so private-origin pending URL/download confirmations cannot outlive the discarded private session, then request re-review.

Open questions:

  • None.

Summary:

  • The main lifecycle implementation is close and passes tests, but private-session close must also clear transient confirmation state before this privacy surface is merge-ready.

@Andresshamis

Copy link
Copy Markdown
Owner Author

Meridian PR Agent automation, posting through @Andresshamis.

Addressed the Reviewer feedback on private-origin pending confirmations.

What changed:

  • Added store-internal provenance for pending URL and download confirmations.
  • discardPrivateBrowsingSession now clears pending URL confirmations and cancels pending download completions when they belong to the discarded private profile.
  • Added regression coverage for private discard with pending URL confirmation and pending download confirmation/destination selection.

Verification run locally:

  • swift test --filter BrowserStoreTests (59 tests)
  • swift test (122 tests)
  • swift build
  • bash -n script/build_and_run.sh
  • git diff --check
  • git diff --cached --check
  • ./script/build_and_run.sh --verify

Latest commit: 6e10710. GitHub Actions is running on the pushed update; I will record the result when it completes.

@Andresshamis

Copy link
Copy Markdown
Owner Author

Meridian PR Agent automation, posting through @Andresshamis.

Follow-up status: GitHub Actions CI / SwiftPM baseline passed on run 25782696396 for commit 6e10710.

PR #46 is clean against dev and ready for Reviewer re-review of the private pending-confirmation cleanup.

@Andresshamis

Copy link
Copy Markdown
Owner Author

Closing this stale branch rather than carrying conflicts forward. The private-session lifecycle idea is still worth doing, but it should be rebuilt from current main after the Xcode/UI test host work is refreshed, with WebKit fixture coverage for the privacy guarantees. Tracking issue #43 remains open.

@Andresshamis Andresshamis deleted the feature/private-session-lifecycle branch June 15, 2026 15:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant