
fix(clipboard): add 30-second TTL to clear pasted content from state #715

Open

Vox-d-glitch wants to merge 1 commit into rinafcode:main from Vox-d-glitch:security/clipboard-content-ttl

Conversation

@Vox-d-glitch

Clipboard content held in JS heap memory is a security risk on iOS 16+ and Android 12+, where reads also trigger a visible system toast. A 30-second useEffect timeout now nullifies clipboardContent automatically, with proper cleanup on unmount. No clipboard data is forwarded to loggers or analytics. Adds a fake-timer unit test asserting the auto-clear.

Closes #581

Summary

  • Added a 30-second TTL useEffect in useOptimizedClipboard that calls setClipboardContent(null) after pasted content is stored, reducing the in-memory exposure window for passwords, auth tokens, and payment card numbers
  • clipboardTtlRef cleanup runs on unmount and on each re-paste, ensuring no timer leak
  • clipboardContent type updated from string to string | null; initial value changed from '' to null
  • Confirmed no clipboard content passes through appLogger or Sentry — clipboardService logs only byte counts
  • Added unit test using jest.useFakeTimers() that asserts clipboardContent is null after jest.advanceTimersByTime(30_000)

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Chore / Refactor (no functional changes)

Testing Done

  • Unit Tests
  • Integration Tests
  • Manual Verification (e.g., iOS/Android UI checks)

Security Considerations

  • Does this store user data securely (e.g., avoiding plain AsyncStorage for sensitive data)? — Clipboard content is never written to AsyncStorage; it is now also nullified from React state after 30 s
  • Is token handling secure (no token exposure in logs or UI)? — clipboardService logs only character counts, never content
  • Are all user inputs validated? — N/A to this change
  • Is deep link handling safe from malicious payloads? — N/A to this change

Performance Considerations

  • Are React hooks (useCallback, useMemo) used appropriately to prevent unnecessary renders? — N/A to this change
  • Is FlatList optimized (e.g., using getItemLayout, keyExtractor)? — N/A to this change
  • Are asynchronous patterns handled correctly (e.g., useEffect cleanup to avoid memory leaks)? — clearTimeout is called in both the TTL effect cleanup and the unmount effect, preventing stale state updates after unmount
  • Have bundle size impacts been considered? — No new dependencies

Checklist

  • I have read the CONTRIBUTING guide.
  • My code follows the style guidelines of this project.
  • I have updated the documentation accordingly. — Hook JSDoc updated with TTL and security notes; no external docs affected
  • Are there architectural changes? If so, is there an Architectural Decision Record (ADR)? — No architectural changes; TTL is scoped entirely to the hook

Clipboard content held in JS heap memory is a security risk on iOS 16+ and Android 12+, where reads also trigger a visible system toast. A 30-second useEffect timeout now nullifies clipboardContent automatically, with proper cleanup on unmount. No clipboard data is forwarded to loggers or analytics. Adds a fake-timer unit test asserting the auto-clear.
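The TTL-and-cleanup behaviour described in the summary above, as an added example that is not the PR's own code: the hook's timer logic is extracted into a framework-free module with an injected timer source, so the 30-second auto-clear, the reset on re-paste and the unmount cleanup can be checked without React or Jest. createFakeTimers and createClipboardHolder are names assumed for this example.

```javascript
// Added example, not the PR's code: the hook's TTL logic extracted into a
// plain module with an injected timer source, so it can run without React.
// createFakeTimers and createClipboardHolder are names assumed here.

const CLIPBOARD_TTL_MS = 30_000;

// Deterministic timer queue (constructed for this example) playing the role
// of jest.useFakeTimers(): advance() fires due callbacks in schedule order.
function createFakeTimers() {
  const pending = new Map();
  let now = 0;
  let nextId = 1;
  return {
    setTimeout(fn, delay) {
      const id = nextId++;
      pending.set(id, { fn, at: now + delay });
      return id;
    },
    clearTimeout(id) { pending.delete(id); },
    advance(ms) {
      now += ms;
      const due = [...pending].filter(([, t]) => t.at <= now).sort((a, b) => a[1].at - b[1].at);
      for (const [id, t] of due) { pending.delete(id); t.fn(); }
    },
    pendingCount() { return pending.size; },
  };
}

// Mirrors the hook's state: content is `string | null`, never ''. A paste
// restarts the TTL and clears the previous timer (no timer leak); unmount()
// clears both timer and state so nothing fires after teardown.
function createClipboardHolder(timers, ttlMs = CLIPBOARD_TTL_MS) {
  let content = null;
  let ttlId = null;
  const clearTtl = () => {
    if (ttlId !== null) { timers.clearTimeout(ttlId); ttlId = null; }
  };
  return {
    paste(text) {
      clearTtl();
      content = text;
      ttlId = timers.setTimeout(() => { ttlId = null; content = null; }, ttlMs);
    },
    get content() { return content; },
    unmount() { clearTtl(); content = null; },
  };
}
```

Each scenario the PR's checklist names (auto-clear at 30 s, re-paste restarting the TTL with exactly one timer pending, unmount cancelling the timer) can be driven with advance() and checked on the holder's content and the timer queue's pendingCount().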
@drips-wave

drips-wave Bot commented Jun 27, 2026

@Vox-d-glitch Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Development

Successfully merging this pull request may close these issues.

[Security] Clipboard optimizer exposes sensitive clipboard content without auto-clear timeout