fix: correct 6 doc inaccuracies and wire MARCHAT_SESSION_SECRET to web admin

Cod-e-Codes · Cod-e-Codes · commit 99ad8a7ce971 · 2026-04-07T15:12:52.000-04:00
- README: Database Schema lists all 6 tables (was missing message_reactions, user_channels, read_receipts)
- README: Plugin Commands heading no longer claims all plugin commands are admin-only
- ARCHITECTURE.md: schema DDL notes SQLite dialect, adds 3 missing table definitions
- TESTING.md: reconcile stale coverage numbers in Areas for Future Testing
- server/admin_web.go: use cfg.SessionSecret (from MARCHAT_SESSION_SECRET env) when set instead of always generating a random secret
diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md
@@ -277,6 +277,8 @@ See [PROTOCOL.md](PROTOCOL.md) for the full message format specification.
 
 ## Database Schema
 
+DDL below uses the **SQLite** dialect for readability. PostgreSQL and MySQL variants differ in type names (`BIGSERIAL`/`BIGINT AUTO_INCREMENT` for IDs, `VARCHAR(191)` for indexed text on MySQL, `LONGTEXT`/`LONGBLOB` for large fields) and are generated by `CreateSchema` in `server/handlers.go`.
+
 ### Tables
 
 #### `messages`
@@ -317,6 +319,38 @@ CREATE TABLE ban_history (
 );
 ```
 
+#### `message_reactions`
+```sql
+CREATE TABLE message_reactions (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    message_id INTEGER NOT NULL,
+    username TEXT NOT NULL,
+    emoji TEXT NOT NULL,
+    created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    UNIQUE(message_id, username, emoji)
+);
+```
+
+#### `user_channels`
+```sql
+CREATE TABLE user_channels (
+    username TEXT NOT NULL,
+    channel TEXT NOT NULL,
+    updated_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    PRIMARY KEY (username)
+);
+```
+
+#### `read_receipts`
+```sql
+CREATE TABLE read_receipts (
+    username TEXT NOT NULL,
+    message_id INTEGER NOT NULL,
+    read_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    PRIMARY KEY (username, message_id)
+);
+```
+
 ### Key Features
 
 - **Backend Selection**: `MARCHAT_DB_PATH` chooses SQLite/PostgreSQL/MySQL at runtime
diff --git a/README.md b/README.md
@@ -128,10 +128,13 @@ Runs a guided wizard **only when** `MARCHAT_ADMIN_KEY` or `MARCHAT_USERS` is not
 
 ## Database Schema
 
-Key tables for message tracking and moderation:
-- **messages**: Core message storage with `message_id`
-- **user_message_state**: Per-user message history state
+Tables created by the server (dialect-aware DDL for SQLite, PostgreSQL, and MySQL):
+- **messages**: Core message storage with `message_id`, encryption fields, edit/delete/pin flags
+- **user_message_state**: Per-user message history state and last-seen timestamp
 - **ban_history**: Ban/unban event tracking for history gaps
+- **message_reactions**: Durable emoji reactions (unique per message + user + emoji)
+- **user_channels**: Last channel per user, persisted across reconnects
+- **read_receipts**: Per-user read receipt state tracking
 
 ## Installation
 
@@ -331,9 +334,9 @@ Run **`./marchat-client -doctor`** or **`./marchat-server -doctor`** for a text
 >
 > **Notifications**: See [NOTIFICATIONS.md](NOTIFICATIONS.md) for full notification system documentation including desktop notifications, quiet hours, and focus mode.
 
-### Plugin Commands (Admin Only)
+### Plugin Commands
 
-Text commands and hotkeys for plugin management. See [Plugin Management hotkeys](#plugin-management-admin) for keyboard shortcuts.
+Plugin **management** (install, uninstall, enable, disable) is admin-only. Plugin **chat commands** (e.g. `:echo`, `:weather`) are available to all users unless the plugin manifest sets `AdminOnly: true`. See [Plugin Management hotkeys](#plugin-management-admin) for keyboard shortcuts.
 
 | Command | Description | Hotkey |
 |---------|-------------|--------|
diff --git a/TESTING.md b/TESTING.md
@@ -245,8 +245,8 @@ Statement percentages below are from the merged profile (`go tool cover -func=co
 | `client/main.go` | 6.7% | client | Client main application |
 
 ### Areas for Future Testing
-- **Server Package**: Advanced WebSocket handling, complex message routing scenarios (current: 35.4%)
-- **Client Package**: WebSocket communication, full TUI integration (current: 23.1%)
+- **Server Package**: Advanced WebSocket handling, complex message routing scenarios (current: 36.1%)
+- **Client Package**: WebSocket communication, full TUI integration (current: 23.0%)
 - **Plugin Host**: Broader command/response paths and failure modes beyond the minimal IPC test plugin (current: 63.2%)
 - **Plugin Manager**: Store download, checksum, and install edge cases (current: 32.1%)
 - **Server Main**: Full `main` execution, HTTP/TLS serving, admin panel integration (current: 13.7% statement coverage for `cmd/server/main.go`)
diff --git a/server/admin_web.go b/server/admin_web.go
@@ -357,8 +357,10 @@ func NewWebAdminServer(hub *Hub, db *sql.DB, cfg *config.Config) *WebAdminServer
 		loginAttempts: make(map[string]*loginAttempt),
 	}
 
-	// Generate session secret
-	if err := server.generateSessionSecret(); err != nil {
+	// Use configured session secret when available, otherwise generate a random one
+	if cfg.SessionSecret != "" {
+		server.sessionSecret = []byte(cfg.SessionSecret)
+	} else if err := server.generateSessionSecret(); err != nil {
 		log.Printf("Warning: Failed to generate session secret: %v", err)
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -357,8 +357,10 @@ func NewWebAdminServer(hub Hub, db sql.DB, cfg config.Config) WebAdminServer`
`357`	`357`	`loginAttempts: make(map[string]*loginAttempt),`
`358`	`358`	`}`
`359`	`359`
`360`		`- // Generate session secret`
`361`		`- if err := server.generateSessionSecret(); err != nil {`
	`360`	`+ // Use configured session secret when available, otherwise generate a random one`
	`361`	`+ if cfg.SessionSecret != "" {`
	`362`	`+ server.sessionSecret = []byte(cfg.SessionSecret)`
	`363`	`+ } else if err := server.generateSessionSecret(); err != nil {`
`362`	`364`	`log.Printf("Warning: Failed to generate session secret: %v", err)`
`363`	`365`	`}`
`364`	`366`