fix(desktop): land live presence updates for not-yet-cached pubkeys

[wesbillman]

Problem

Will showed offline for minutes in the desktop app even though the relay had him online the whole time (verified via sprout users presence). It then self-healed without any user action.

Root cause is in the WebSocket presence handler (desktop/src/features/presence/hooks.ts). The live-update merge dropped any presence event for a pubkey not already in the cached lookup:

queryClient.setQueriesData(["presence"], (old) => {
  if (!old || !(pubkey in old)) return old;   // drops the update
  ...
});

The backend get_presence (profile.rs) returns only pubkeys with a presence record — offline/unknown users are omitted entirely, and the UI reads a missing pubkey as offline. So the offline→online transition always targets an absent key:

1. Will is offline when the client seeds the member list → absent from cache.
2. Will comes online → relay pushes the event over WS → handler hits !(pubkey in old) → dropped.
3. Stale "offline" persists until the 60s backstop refetch re-seeds him.

The one transition presence exists to show is the one this guard always missed.

Fix

Scope the cache write with a predicate that matches the pubkey against the query key (the key already encodes the requested set: ["presence", ...sortedPubkeys]), then merge the pubkey in even when absent. Live online events now land instantly; the 60s poll stays as the backstop it was meant to be.

• presence/lib/presence.ts — pure helpers presenceQueryWantsPubkey(key, pubkey) and mergePresenceUpdate(old, pubkey, status).
• presence/hooks.ts — both setQueriesData sites (WS subscription and self-presence mutation, which had the identical latent guard) use the predicate + helper.
• presence/lib/presence.test.mjs — 8 unit tests.

Verification

• New tests 8/8 pass, including the exact failing scenario (absent pubkey + "online" → present and online), scoping, and no-op-when-unchanged. The old code fails the core-bug test; the new code passes.
• Full desktop suite 619/619 pass.
• tsc --noEmit clean, biome lint clean.

A unit test is the right proof here: the bug is a deterministic data-merge decision. A live-relay test would ride on timing and the very 60s backstop that masks the bug.

Out of scope (noted, not addressed here)

• sprout users presence CLI mislabels the subject pubkey with the relay signing key (reads event author instead of the p tag).
• Staging relay is running on the hardcoded DEV keypair (SPROUT_RELAY_PRIVATE_KEY unset).

[wesbillman]

@codex please review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4a9ab982c7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Ignore p-tags on live presence events

When any client publishes a live kind:20001 event with a p tag naming a victim, the relay stores presence under the authenticated/event pubkey but fans out the original event unchanged (crates/sprout-relay/src/handlers/event.rs 446-452). With this predicate/merge change, if that victim is requested but absent from the cached lookup (the offline/unknown case this patch now inserts), the attacker-controlled p tag passes the query-key check and mergePresenceUpdate marks the victim online/away/offline until the next refetch. The WS subscription should key live updates by event.pubkey, or only honor p tags on trusted relay-synthesized query results.

Useful? React with 👍 / 👎.

[wesbillman]

LOL @wpfleger96 😂

[wpfleger96]

hey that's me! 🙃