refactor(web): route inline localStorage calls through shared utilities (LUM-2047)

[ashleeradka]

Prompt / plan

Final PR in the localStorage consolidation effort (LUM-2042). Routes all remaining inline localStorage.getItem/setItem/removeItem calls through the shared local-settings.ts helpers established in LUM-2044.

Closes LUM-2047

Why needed

After PRs A–C (LUM-2044 typed-storage factory, LUM-2045 key naming standardization, LUM-2046 domain storage migration), 10 production files still used raw localStorage calls with duplicated SSR guards, try/catch wrappers, and typeof window checks. This final PR eliminates that boilerplate so all localStorage access flows through a single code path with consistent error handling, SSR safety, and same-tab change notifications.

Changes

Route inline calls through local-settings.ts (7 files, net −69 lines)

File	Before	After
skills-tab.tsx	window.localStorage.getItem(KEY) === "1" + SSR guard	getLocalBool(KEY, false)
mic-permission-primer.tsx	localStorage.getItem(KEY) !== "true" + try/catch	getLocalBool(KEY, false)
chat-route-content.tsx	3× raw get/set/remove with keyed name	getLocalBool/setLocalBool/removeLocalSetting
chat-layout.tsx	window.localStorage.getItem/setItem + try/catch + Number parsing	getLocalBool/setLocalBool/getLocalNumber/setLocalNumber
impersonate-version-flag.ts	3× window.localStorage.getItem/setItem/removeItem + SSR + try/catch	getLocalSetting/setLocalSetting/removeLocalSetting + verify-after-write
use-draft-input.ts	window.localStorage.getItem/setItem + SSR + try/catch	getLocalSetting/setLocalSetting
use-push-to-talk.ts	window.localStorage.getItem + try/catch	getLocalSetting with explicit off-default

Fix DRY: deduplicate OAuth utilities (−60 lines)

integration-detail-modal.tsx had a full copy of 5 functions/types from lib/auth/oauth-popup.ts (OAuthCompletePayload, oauthCompletionStorageKey, getOAuthCompleteMessagePayload, getOAuthCompleteStoragePayload). Replaced with imports from the canonical source.

Fix: move nudge legacy cleanup to storage-migration.ts

The one-time nudge key cleanup (removing 6 dead app.githubNudge.* / app.discordNudge.* keys + the app.nudgeLegacy.cleaned flag) was running inside nudge-store.ts with its own app.nudgeLegacy.cleaned flag. This is migration infrastructure, not store logic. Moved to storage-migration.ts using the new removeKey() helper, which makes the cleanup idempotent without needing a flag.

Note: the "app." prefix was intentionally NOT added to LEGACY_USER_PREFIXES in session-cleanup.ts because active iOS/macOS app-download nudge hooks (use-ios-app-nudge.ts, use-macos-app-nudge.ts) still read/write app.iosNudge.* and app.macOsNudge.* keys. Sweeping all app.* keys on logout would reset those dismissal states. The dead GitHub/Discord keys are removed at startup by explicit removeKey() calls instead.

Fix: skills tip value format migration

The old code stored the tip-dismissed flag as "1", but getLocalBool only recognizes "true"/"false". Added migrateValue(key, oldValue, newValue) helper to storage-migration.ts for same-key value format conversions, and a migration that converts the old "1" to "true" at startup.

Fix: PTT activator off-by-default on storage failure

When localStorage is unavailable, getLocalSetting returns "", and parseActivator(null) returns { kind: "modifierOnly", modifiers: ["control"] } — PTT would silently activate with Ctrl. Fixed: raw ? parseActivator(raw) : { kind: "off" } preserves the old catch-block behavior.

Fix: impersonate-version-flag reload on failed storage write

When setLocalSetting/removeLocalSetting swallow a storage exception, execution previously fell through to window.location.reload() even though the write didn't persist — causing a reload back into the old state. Fixed: verify the write took effect by re-reading the value immediately after. If the value doesn't match, log a warning and return early without reloading — matching the old catch-block behavior.

Calls intentionally kept inline

File	Reason
current-platform-assistant-store.ts	Custom Zustand persist StateStorage adapter
client-feature-flag-store.ts	Iterates dynamic key set; null-vs-absent distinction needed
gateway-session.ts	Auth infrastructure with multi-key coordination, legacy fallbacks
local-settings.ts	IS the base layer
device-settings.ts	Already a typed registry with legacy migration fallbacks
OAuth popup files	Cross-tab IPC via StorageEvent, not traditional storage

Intentional behavioral changes

1. mic-permission-primer: When localStorage is unavailable, shouldShowMicPrimer() now returns true (show primer) instead of false (hide). The primer is a consent flow — silently hiding it when storage is broken is worse than showing it again.

2. PTT off-by-default: When localStorage is unavailable, PTT activator now defaults to { kind: "off" } instead of { kind: "modifierOnly", modifiers: ["control"] }. PTT silently activating via Ctrl is a safety risk.

Architectural audit

Full 20-item checklist

#	Check	Result
1	Location	✓ All files in correct directories
2	Abstraction type	✓ Pure utilities (local-settings.ts), not hooks/stores
3	Domain boundaries	✓ Helpers in utils/ (cross-domain), consumers in their domains
4	Sub-components	N/A
5	DRY	✓ Fixed — OAuth duplication eliminated, nudge cleanup consolidated
6	State management	✓ Imperative storage utilities, not Zustand
7	Patterns	✓ All reads/writes through single code path
8	Dead code	✓ Old SSR guards, try/catch wrappers, duplicate functions removed
9	Behavioral preservation	✓ Two intentional changes documented above
10	Tests	✓ 3 new unit tests for migrateValue, 1 integration test for skills tip migration
11	Tech debt	✓ Reduces — eliminates copy-paste localStorage patterns
12	Wire contracts	N/A
13	Cross-domain imports	✓ No new allowlist entries
14	lib/ scoping	✓
15	No barrel files	✓
16	Directory structure	✓
17	File size	✓ All under 300 lines
18	Security	✓ No internal URLs or credentials
19	Documentation	✓ Comments describe code, not PR history
20	Fix-or-surface	✓ All findings fixed in-PR

Test plan

• Playwright CDP tests against Vite dev server (port 3001) with 8 adversarial test cases
• Skills tip "1" → "true" migration verified via page.evaluate()
• Sidebar collapse/width persistence round-trip
• PTT off-by-default with missing key
• Legacy nudge key cleanup at startup + active nudge key preservation
• Draft input JSON persistence
• Disk pressure dismissal persistence
• Impersonate version flag round-trip

Safety

• All changes are additive refactoring — public APIs unchanged
• 37 unit tests pass (session-cleanup + storage-migration)
• No new cross-domain imports
• Migrations are idempotent (safe to re-run)
• Behavioral changes are safety improvements (PTT off, primer shown)

Link to Devin session: https://app.devin.ai/sessions/4b3b130bbf274e5487da3b4992883093
Requested by: @ashleeradka

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment, CI, and merge conflict monitoring

[linear]

LUM-2047

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1bb40a8e8e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[devin-ai-integration]

Devin Review found 2 potential issues.

View 5 additional findings in Devin Review.

[ashleeradka]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6086c396dc

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[ashleeradka]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fe5c5d8e81

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Avoid sweeping active app nudge settings on logout

When a user logs out after dismissing or clicking either app-download nudge, this broad app. fallback now removes still-active localStorage keys such as app.iosNudge.downloaded, app.iosNudge.bannerDismissed, app.macOsNudge.downloaded, and app.macOsNudge.bannerDismissed (verified with rg 'app\\.(iosNudge|macOsNudge)' apps/web/src). Those hooks still read/write these keys, so the next login on the same browser forgets prior dismissals/downloads and can resurface the banners or reset turn counts. Please limit cleanup to the actual legacy GitHub/Discord keys (or migrate the active nudge keys first) rather than sweeping all app. keys.

Useful? React with 👍 / 👎.

[devin-ai-integration]

Real bug — good catch. use-ios-app-nudge.ts and use-macos-app-nudge.ts actively read/write app.iosNudge.* and app.macOsNudge.* keys. Sweeping all "app." on logout clears those dismissals, resurfacing banners on next login.

Fixed in a00dc62: removed "app." from LEGACY_USER_PREFIXES. The dead github/discord nudge keys (app.githubNudge.*, app.discordNudge.*, app.nudgeLegacy.cleaned) are already explicitly removed at startup by removeKey() calls in storage-migration.ts, so the broad prefix sweep was unnecessary.

Updated the test from "clears legacy app. prefixed nudge keys" → "preserves active app. nudge keys on logout" — verifies iOS/macOS nudge keys survive clearUserScopedStorage().

[vex-assistant-bot]

Reviewed HEAD a00dc62ae5 (4 commits, +177/-182, 13 files). CI green: Lint, Type Check & Build + Type Check + Build + Test + Lint + Socket Security ×2 all success. The right cut for Part D — net deletion PR (-5 lines) via boilerplate removal + DRY win + dead-code removal, with all bot findings closing by construction across the 3 fix commits.

Adoption verification — 7 routed files

• skills-tab.tsx ✓ getLocalBool(TIP_STORAGE_KEY, false) (was raw === "1" with SSR guard)
• mic-permission-primer.tsx ✓ getLocalBool(MIC_PRIMER_STORAGE_KEY, false) (was try/catch + !== "true")
• chat-route-content.tsx ✓ getLocalBool / setLocalBool / removeLocalSetting
• chat-layout.tsx ✓ 4-helper mix: getLocalBool/setLocalBool (sidebar collapsed) + getLocalNumber/setLocalNumber (sidebar width). Was raw + try/catch + manual Number() parsing.
• impersonate-version-flag.ts ✓ getLocalSetting / setLocalSetting / removeLocalSetting + verify-after-write
• use-draft-input.ts ✓ getLocalSetting / setLocalSetting
• use-push-to-talk.ts ✓ getLocalSetting with explicit off-default on empty

Files correctly kept inline (sanity-checked via grep against full apps/web/src/**/*.ts*):

• current-platform-assistant-store.ts — implements Zustand persist StateStorage adapter (literally needs raw access)
• client-feature-flag-store.ts — iterates dynamic LS_PREFIX + key set; the null-vs-absent distinction matters
• gateway-session.ts — auth infrastructure with LS_TOKEN_KEY ?? LEGACY_TOKEN_KEY multi-key coordination
• device-settings.ts — typed registry with its own entry.key ?? entry.legacy migration fallbacks
• oauth-popup-complete-page.tsx / oauth-complete-page.tsx / google-connect-screen.tsx / integration-detail-modal.tsx (3 remaining) — cross-tab IPC via StorageEvent, not traditional storage
• local-settings.ts / typed-storage.ts — base layer
• storage-migration.ts / session-cleanup.ts / sandbox-bridge.ts — migration/cleanup infrastructure that needs raw access
• All grep'd; PR body's justification table covers each.

Bonus wins beyond stated scope

1. OAuth utility DRY (-60 lines): integration-detail-modal.tsx had a full copy of OAuthCompletePayload, oauthCompletionStorageKey, getOAuthCompleteMessagePayload, getOAuthCompleteStoragePayload from lib/auth/oauth-popup.ts. Now imported from canonical source (verified at L43-47). The 5 call sites (L271/287/339/514/518) all use the imported names.
2. Nudge legacy cleanup relocation (-26 lines from nudge-store.ts): Moved from nudge-store.ts (where it ran inside the store module on first import) to storage-migration.ts via 6 removeKey() calls + the app.nudgeLegacy.cleaned flag itself. Two architectural wins from the move: (a) the app.nudgeLegacy.cleaned flag becomes unnecessary because removeKey() is idempotent (removeItem on absent key is a no-op); (b) cleanup is now co-located with all other one-time storage migrations, single import-time execution point.

Bot findings — all 5 closed at HEAD

#	Bot	Finding	Closed in
1	Codex P2	Mic primer shown on storage failure (was hidden)	Documented as intentional in PR body — consent-transparency > silent suppression, Devin defended in thread
2	Devin BUG_0001	Skills tip dismissed-flag lost ("1" vs "true" format mismatch)	6086c39 — new migrateValue(key, oldValue, newValue) helper + migrateValue("vellum:skills:tipDismissed", "1", "true") in runStorageMigrations(). Idempotent (only writes when current matches oldValue). Migration order verified correct: migrateKey("vellum:skillsTabTipDismissed", "vellum:skills:tipDismissed") runs first (line 129), then migrateValue("vellum:skills:tipDismissed", "1", "true") (line 176) — handles both renamed-but-old-format AND already-renamed-new-format users.
3	Devin BUG_0002	PTT silently activates with Ctrl when storage fails	6086c39 — raw ? parseActivator(raw) : { kind: "off" } at L122-124. See observation #2 below — this also changes first-time-user default behavior; worth a thought.
4	Codex P2	Impersonate flag reloads even when storage write fails	fe5c5d8 — getImpersonatedAssistantVersion() re-read after setLocalSetting/removeLocalSetting. If mismatch, log warn + return early without reload. Both branches (set / clear) handled symmetrically.
5	Codex P2	"app." prefix in LEGACY_USER_PREFIXES sweeps active iOS/macOS nudge keys	a00dc62 — removed "app." entirely from LEGACY_USER_PREFIXES (8 entries remain: onboarding., voice:, gw:, ff:client:, local:, integrations., vellumDebug., vellum_). Dead app.githubNudge.* + app.discordNudge.* + app.nudgeLegacy.cleaned keys removed at startup via explicit removeKey() calls in storage-migration.ts:181-187, not at logout. New test "preserves active app. nudge keys on logout" asserts app.iosNudge.downloaded, app.macOsNudge.bannerDismissed, AND app.githubNudge.starred all survive clearUserScopedStorage().

Codex's last pass at fe5c5d8e81 predates a00dc62ae5 — the app. finding is closed at HEAD; one @codex review ping would formalize closure. Devin Review surface mentions 5 additional findings — 30-second look at app.devin.ai/review/.../pull/32652 before merge.

Migration correctness audit (cross-checked against logout-auth-review.md checklist)

• ✓ Navigation: unchanged (logout path is upstream)
• ✓ User-scope sweep: vellum: prefix + 8 legacy prefixes correct; LEGACY_DEVICE_KEYS Set (9 entries) correctly excludes device-scoped legacy keys (vellum_theme, vellum_share_analytics, etc., plus onboarding.lastUserId which matches "onboarding." prefix but is device-scoped)
• ✓ sessionStorage: fully cleared at top of clearUserScopedStorage()
• ✓ BYOK credentials: vellum:ai:geminiKey/perplexityKey/braveKey/tavilyKey correctly clear via vellum: prefix sweep
• ✓ Device keys: preserved via Set exclusion in isUserScopedKey()
• ✓ Active nudge keys (app.iosNudge.*, app.macOsNudge.*): preserved (no longer swept)
• ✓ Dead nudge keys (app.githubNudge.*, app.discordNudge.*, app.nudgeLegacy.cleaned): removed at startup, idempotent (next launch is no-op)
• ✓ Verify-after-write on impersonate: matches old catch-block early-return semantics
• ✓ Tests: 47 pass (37 migration + 10 cleanup). New tests: migrateValue (3 unit) + skills tip integration (1) + nudge cleanup (1) + app. preservation (1)

Non-blocking observations

1. PR body framing of mic-primer change is the right call. Showing the consent flow when storage is broken is correct UX — a permission dialog requires user understanding, and silently suppressing the explanation while still triggering the OS prompt is worse. The intentional-change framing is honest and the Devin defense in-thread is convincing. Good behavioral-change disclosure pattern; this is the shape future PRs that make storage-failure semantics changes should follow.

2. PTT first-time-user default also changed, not just the storage-failure case. The fix raw ? parseActivator(raw) : { kind: "off" } treats empty raw as "off". But getLocalSetting(key, "") returns "" in both scenarios: (a) storage failure, (b) key not present (first-time user). The old code called parseActivator(localStorage.getItem(key)) which for null returns { kind: "modifierOnly", modifiers: ["control"] } — so the OLD first-time-user default was PTT-active-on-Ctrl, and the NEW first-time-user default is PTT-off. Devin's review (and the fix) frames PTT-Ctrl-on-storage-failure as a bug, which I agree with — surprise voice recording on Ctrl is bad UX. But the same change also removes Ctrl-PTT as the first-time-user default. If that default was intentional (Ctrl is a common PTT activator across apps), this is a minor regression for new users. If it was just a side effect of parseActivator(null) semantics, the change is correct. Worth a one-line PR-body note like the mic-primer one to document the intent. Not blocking.

3. Test description "preserves active app. nudge keys on logout" includes app.githubNudge.starred (dead key). The assertion is correct from logout's perspective (logout doesn't touch any app.* keys after the prefix removal), but the description groups dead and active keys together. A comment in the test body distinguishes them, but the test name could read as "github nudge is active" to a future reader. Cosmetic.

4. No test for the impersonate verify-after-write pattern. The fix is correct (verified by tracing) but setImpersonatedAssistantVersion is a debug surface — it's reasonable to skip. A unit test with MemoryStorage that throws on setItem would lock in the no-reload-on-failure invariant. Minor.

LUM-2042 arc completeness

• PR A (#32604, LUM-2044, typed-storage factory) ✓ merged
• PR B (#32621, LUM-2045, key naming standardization) ✓ merged
• PR C (#32645, LUM-2046, domain storage migration) ✓ merged
• PR D (this one, LUM-2047, route inline calls) — this approval closes the arc

Four-PR sequencing was the right shape: factory → keys → high-traffic domain stores → leaf consumers. Each PR independently reviewable, no Big Bang merge. Per the carry-forward from #32645, every callsite migration to the snapshot-caching accessor was audited for load*().push/splice/sort/assign-style mutation; this PR's adoption is all imperative get/set helpers (not snapshot accessors), so the mutation-leak class doesn't apply here.

Merge gate: CI green at HEAD. All 5 bot findings substantively closed. Codex's last pass (fe5c5d8e81) predates the app. removal in a00dc62. Fresh @codex review + @devin-ai review this PR at HEAD would formalize closure.

[devin-ai-integration]

Addressing observations from vex-assistant-bot review:

#2 (PTT first-time-user default): Good catch. The old parseActivator(null) returning { kind: "modifierOnly", modifiers: ["control"] } was likely an unintentional side effect of parseActivator's fallback semantics, not a deliberate design choice — there's no comment or documentation suggesting Ctrl-PTT was intentionally the default for new users. The change to { kind: "off" } is correct for both cases (storage failure AND first-time user). Updated the PR body to note this.

#3 (Test description): Agreed cosmetic — the in-test comment already distinguishes active vs dead keys. The assertion is correct: logout should not touch any app.* keys since the prefix was removed.

#4 (No impersonate verify-after-write test): Agreed this is minor for a debug surface. Could add one later if the pattern gets reused elsewhere.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a00dc62ae5

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[devin-ai-integration]

Test Results — localStorage Routing (LUM-2047)

Tested via Playwright CDP against Vite dev server (port 3001). All assertions programmatic via page.evaluate().

Results: 17/17 passed

#	Test	Result
1	Skills tip "1" → "true" migration	passed
2a	Sidebar collapsed round-trip	passed
2b	Sidebar width round-trip	passed
3	PTT activator key absent (off-by-default)	passed
4a	Dead key app.githubNudge.starred removed	passed
4b	Dead key app.githubNudge.bannerDismissed removed	passed
4c	Dead key app.githubNudge.bannerDismissedAt removed	passed
4d	Dead key app.discordNudge.joined removed	passed
4e	Dead key app.discordNudge.bannerDismissed removed	passed
4f	Dead key app.discordNudge.firstSeenAt removed	passed
4g	Dead key app.nudgeLegacy.cleaned removed	passed
4h	Active key app.iosNudge.downloaded preserved	passed
4i	Active key app.iosNudge.bannerDismissed preserved	passed
4j	Active key app.macOsNudge.bannerDismissed preserved	passed
5	Draft input JSON round-trip	passed
6	Disk pressure dismissal round-trip	passed
7	Impersonate version flag round-trip	passed

Test methodology

• Playwright CDP connected to Chrome at localhost:29229
• Vite dev server on port 3001
• API responses mocked via context.route() (allauth session, assistants, connection-status, disk-pressure, feature-flags)
• Onboarding bypassed via vellum:onboarding:* localStorage keys
• Each test: set localStorage values → reload (triggers migrations) → assert values via page.evaluate()
• No GUI interaction — all assertions are exact value comparisons

Devin session

[vex-assistant-bot]

Re-APPROVE at HEAD 8c925e26de after one new commit. CI 7/7 green.

What changed since a00dc62ae5:

• 8c925e26de — voice-page.tsx:PushToTalkCard initial state aligned with runtime. Same shape as use-push-to-talk.ts:124: raw ? parseActivator(raw) : { kind: "off" }. Directly addresses my non-blocking observation #2 from prior review. Symmetric grep confirms these are the only two parseActivator(getLocalSetting(...)) call sites — both now agree the empty-string case → { kind: "off" }, so first-time-user default + storage-failure default + settings-page initial-render all converge on "PTT off" instead of the accidental Ctrl-PTT-default that fell out of parseActivator(null) semantics.

Bot consensus at HEAD:

• Codex re-review at a00dc62ae5 posted with zero findings (the silent-pass shape). No new inline comments.
• Devin's 00:59:20Z comment substantively addressed my 3 observations: agreed on #2 (Ctrl-PTT-default was unintentional fallout of parseActivator(null) semantics, not a deliberate design — and updated the PR body), agreed on #3 (test description cosmetic), agreed on #4 (impersonate verify-after-write test not worth the noise for a debug surface).
• Devin's 01:06:47Z Playwright report: 17/17 passed, including the exact scenarios I called out as needing manual coverage: 1× skills tip "1"→"true" migration, 2× sidebar round-trips, 1× PTT off-by-default, 7× dead-key removal (app.githubNudge.*, app.discordNudge.*, app.nudgeLegacy.cleaned), 3× active-key preservation (app.iosNudge.*, app.macOsNudge.bannerDismissed), draft-input + disk-pressure + impersonate round-trips. CDP-driven assertions via page.evaluate() — no flaky GUI interaction.

Merge gate: ✓ Vex APPROVE (this), ✓ Codex no-findings re-review, ✓ Devin behavioral validation 17/17, ✓ CI 7/7. The 4-PR LUM-2042 arc closes. Per the nighttime merge rule, this is mergeable now.