XOPOZ

SOS alarm dialog no longer exposes raw device identifiers
The emergency–alert popup previously embedded the sender's 50–character device security identifier in its text whenever the local roster cache was cold or returned a miss. Both display paths (overlay–permission granted and the legacy fallback) now route through a single resolver. On cache hit the dialog shows the owner's name with the device label and ticker; on cache miss or transient lookup failure it displays the impersonal string «Unknown device». The raw identifier is preserved only in technical logs for operator forensics, never in user–facing text. This closes a privacy gap that surfaced during a real SOS incident.

Teams roster reliability fix
The Teams screen would occasionally display «0 devices (local only)» for a team even when other members of that team were known and stored on the device. The screen now always shows the full list of devices the app currently knows about for each team, including members not returned by the most recent server response.

Point–of–interest folder moves now propagate to the server
Moving a POI between folders previously only updated local state — the server side never saw the relocation because the generic POI update payload carries no group reference. The client now invokes the new dedicated move endpoint after every successful local move, stamps both source and target groups with fresh modification timestamps, and applies a last–writer–wins membership rule during merge: the newer group's point list is authoritative, stale points from the older side are dropped, and per–point edits still apply through field–level last–writer–wins. A regression test pins the new contract.

Message poll worker skips empty cycles for solo devices
The background worker that polls inbound messages and flushes outbound messages fires every fifteen minutes for every authenticated device, including devices that belong to no teams. Without team membership, broadcast and direct messages cannot meaningfully be sent or received — broadcasts fan out by team and direct messages require a recipient identifier exchanged only via team rosters. The worker now skips both message paths when the local team list is empty, eliminating wasted round trips and log noise. Point–of–interest synchronization is unaffected and continues to flush for solo users.

Share–location dialog «Open» button for URL formats
When the selected share format produces a URL, the dialog now exposes an «Open» action alongside «Share», dispatching the URL through the standard view intent so a mapping application can take it directly. The button visibility refreshes when the format radio selection changes.

API call latency captured in client logs
Outbound API calls now record their end–to–end latency in client log entries. This makes it possible, from a single support log capture, to correlate slow user experiences with server–side performance dips without requiring matched server logs.

Cross–tenant authorization hardening on team–scoped services
A defense–in–depth audit of the team–scoped service layer identified several endpoints that accepted the caller's session but did not validate the caller's membership of, or admin role on, the requested team. The hardened endpoints are: the team–devices roster read, broadcast message send, direct message send, the team update endpoint, and bulk and single position pushes. A new repository–level membership check helper joins the membership, team, and device tables and is invoked before any side effect on every team–scoped service entry point. Rejections are logged with a dedicated audit tag for grep–based review. Six new integration tests and two new repository tests cover the formerly unguarded paths and pin the contract.

Cross–tenant authorization hardening on point–of–interest services
Every write and delete operation on points of interest and POI groups previously accepted the caller's user identifier without using it for authorization. Any authenticated user could read, modify or delete another user's POI data given a security identifier, and the create paths additionally allowed identifier collision to silently rewrite foreign records via upsert. The service layer now loads the resource and its containing group, compares group ownership to the session user, and returns a not–found response on mismatch — failing obscurely without leaking existence. The bulk root update path keeps caller–owned groups going through normally and silently skips foreign entries. Eight new integration tests exercise each blocked attack pattern from a victim and attacker pair.

Dedicated endpoint for relocating points of interest between folders
The generic POI update endpoint cannot move a POI between groups because the payload intentionally carries no group field. A new dedicated move endpoint accepts a POI identifier and a target group identifier, validates both, and atomically updates the parent group reference and modification timestamp at the repository level. The endpoint is exercised by an integration test that creates a source and target group, performs the move, and asserts the resulting tree shape.

Account blacklisting and account–creation rate limit
Authentication requests originating from a blacklisted user now return a structured error response instead of a permissive acknowledgement. In addition, the account creation endpoint is now rate–limited per source to mitigate registration–abuse patterns observed in operational logs.

New PENDING initial state for support tickets
The support ticket lifecycle gains a new initial state, PENDING, which sits before triage and is automatically assigned at ticket creation. This separates the «newly submitted, not yet read» phase from the «under investigation» phase that previously conflated both, improving dashboard ordering and operator workflow without changing existing transitions.