ots: audit batch -- copy, localStorage gate, multi-chain msg, tests

Big batch from the post-launch audit. Each item was tested locally
(jest + Playwright) before commit.

User-facing
-----------
- Pre-flight localStorage gate. If the browser blocks DOM Storage
  (Safari private mode, privacy extension), show a clear yellow
  banner above the diagram explaining what's blocked, why it
  matters, and how to recover (Safari, extensions, quota). Stamp
  drop-zone is disabled with a 'Stamping disabled' label; verify
  works fine without storage.
- Multi-chain receipt UX. When a user drops a .ots whose only
  attestations are Litecoin/Ethereum, show a yellow educational
  alert listing the block heights and clarifying that ordpool only
  verifies Bitcoin attestations -- not just a generic warning. When
  a Bitcoin-anchored receipt also has non-Bitcoin attestations, a
  small grey footnote mentions them. When the receipt's ops include
  a hash we don't implement (KECCAK256 / RIPEMD160 in the chain),
  catch the parser error and show a specific message pointing at
  the official `ots` CLI for multi-chain proofs.
- Yellow + red alert button contrast. btn-outline-light on
  alert-warning / alert-danger was illegible (white on
  light-yellow / light-red). Switched to btn-outline-dark
  everywhere it sits inside an alert.
- Pending column in the calendars table relabeled 'Pending batches'
  with a tooltip explaining it's calendar batch txs in mempool, not
  user submissions.
- Intro paragraph split into two for breath; added an
  '#recent-commits' anchor + 'examples below' link.
- Cancel & forget button on queued rows: btn-outline-secondary
  (gray-on-dark) -> btn-outline-light to match Check now.

Backend
-------
- /ots/upgrade/<host>/<commit> proxy now ALWAYS returns HTTP 200
  and distinguishes pending vs published via Content-Type
  (application/json vs application/vnd.opentimestamps.v1).
  Eliminates Chrome devtools auto-logging 'Failed to load
  resource: 404' every minute per still-pending stamp -- the 404
  was the upstream's normal 'not yet published' response, not a
  failure from the proxy's perspective. Frontend poller updated to
  match (peeks Content-Type instead of status code).

Tests
-----
- Fixed regression in ots-calendars.component.spec.ts: the
  component now injects SeoService + OtsStoreService, neither of
  which the existing spec was providing. Added stubs.
- New ots-store.service.spec.ts (15 tests):
    * round-trip bytesToBase64/base64ToBytes for all byte values
    * hexEncode lower-case + zero-pad
    * assembleOtsFile -- single branch layout, multi-branch 0xff
      separator placement, throws on empty input
    * bestCalendarBytes -- returns pending unchanged, splices ops +
      upgrade body when upgraded
    * persistence -- add/update/remove/clearAll, BehaviorSubject
      stream, schema-version gating, corrupt-JSON recovery
    * canClear gate semantics (download-count + status)
- New ots-calendar-picker.service.spec.ts (5 tests):
    * picks freshest 3 by lastBlocktime
    * falls through to configured order when stats endpoint dies
    * falls back to hardcoded list when /stamp-calendars empty/dead
    * caches result across multiple pick() calls

All 157 frontend + 288 backend tests passing locally.

Author: hans-crypto

backend/src/api/explorer/_ordpool/ordpool.routes.ts

@@ -102,17 +102,30 @@ class GeneralOrdpoolRoutes {
         `https://${calendar}/timestamp/${hash}`,
         { responseType: 'arraybuffer', timeout: 10000, validateStatus: () => true },
       );
-      // Default max-age for the pending (404) case mirrors the calendar's
-      // own cache; for the 200 case the response is immutable so we can
-      // cache aggressively. Either way, the frontend's poller treats this
-      // as best-effort -- worst case it just polls again next minute.
+      // We always return HTTP 200 from this proxy and distinguish via
+      // Content-Type:
+      //   200 + application/vnd.opentimestamps.v1 + binary body  -> upgraded
+      //   200 + application/json + {"status":"pending"}          -> calendar
+      //                                                              hasn't
+      //                                                              published
+      //                                                              this hash
+      //                                                              yet
+      // This avoids Chrome's auto-logging "Failed to load resource: 404"
+      // every minute for every still-pending stamp -- the response IS
+      // expected and successful from our perspective.
+      // Upstream 5xx maps to our 502 so genuine errors are visible.
       if (upstream.status === 200) {
         res.setHeader('Cache-Control', 'public, max-age=86400, immutable');
         res.setHeader('Content-Type', 'application/vnd.opentimestamps.v1');
-      } else {
+        res.status(200).end(Buffer.from(upstream.data));
+      } else if (upstream.status === 404) {
         res.setHeader('Cache-Control', 'public, max-age=60');
+        res.setHeader('Content-Type', 'application/json');
+        res.status(200).end('{"status":"pending"}');
+      } else {
+        res.setHeader('Cache-Control', 'no-store');
+        res.status(502).send(`upstream returned ${upstream.status}`);
       }
-      res.status(upstream.status).end(Buffer.from(upstream.data));
     } catch {
       res.status(502).send('upstream error');
     }

frontend/src/app/components/_ordpool/ots-calendars/ots-calendars.component.html

@@ -10,10 +10,15 @@ <h1>OpenTimestamps: Anchor any file to Bitcoin</h1>
     the root in a single OP_RETURN. That root is now part of Bitcoin's permanent
     ledger. Anyone with the file, the <code>.ots</code> proof, and Bitcoin's block
     headers can verify <em>"this existed by block N"</em>, forever, with no third
-    party in the loop. Ordpool tags every OTS transaction wherever it appears in
-    the explorer, so you can see Bitcoin's notary at work in real time, and you
-    can verify your own <code>.ots</code> receipt right here, against our
-    independent open-source implementation.
+    party in the loop.
+  </p>
+
+  <p>
+    Ordpool tags every OTS transaction wherever it appears in the explorer, so
+    you can see Bitcoin's notary at work in real time
+    (<a href="#recent-commits">examples below</a>), and you can verify your own
+    <code>.ots</code> receipt right here, against our independent open-source
+    implementation.
   </p>
 
   <p>
@@ -34,6 +39,24 @@ <h1>OpenTimestamps: Anchor any file to Bitcoin</h1>
     </em>
   </p>
 
+  @if (!localStorageAvailable) {
+    <div class="alert alert-warning mt-4 mb-0">
+      <strong>Stamping needs localStorage, and your browser has it disabled.</strong>
+      Stamping is a multi-step flow: we need to remember your pending stamp across
+      tab reloads, the calendar's response, and the final upgraded receipt. Without
+      localStorage we'd lose your stamp the moment you switch tabs.
+      <ul class="mb-0 mt-2">
+        <li><strong>Safari private browsing</strong>: localStorage is blocked. Open the page in a regular Safari window.</li>
+        <li><strong>Privacy extension or strict cookie blocker</strong>: allow site data for <code>ordpool.space</code>.</li>
+        <li><strong>Storage quota exceeded</strong>: clear some browser data and reload.</li>
+      </ul>
+      <p class="mb-0 mt-2 smaller-text">
+        Verifying a <code>.ots</code> still works without localStorage; it's a
+        one-shot operation that doesn't need persistent state.
+      </p>
+    </div>
+  }
+
   <app-ots-diagram class="d-block mt-4"></app-ots-diagram>
 
   <div class="row g-3 mt-1">
@@ -64,7 +87,9 @@ <h2 id="calendars" class="mt-4">Calendars</h2>
           <th>Calendar</th>
           <th class="text-right">Total commits indexed</th>
           <th class="text-right">Last block</th>
-          <th class="text-right">Pending</th>
+          <th class="text-right" title="Calendar batch transactions waiting in mempool. Each batch carries thousands of user submissions; this is the count of unconfirmed batch txs, not user submissions.">
+            Pending batches
+          </th>
         </tr>
       </thead>
       <tbody>
@@ -93,7 +118,7 @@ <h2 id="calendars" class="mt-4">Calendars</h2>
     </p>
   }
 
-  <h2 class="mt-4">Recent commits</h2>
+  <h2 id="recent-commits" class="mt-4">Recent commits</h2>
   <p class="text-muted">
     The most recent OTS batch commits we've seen on Bitcoin. Each row is one
     calendar transaction whose OP_RETURN carries a Merkle root covering

frontend/src/app/components/_ordpool/ots-calendars/ots-calendars.component.spec.ts

@@ -7,6 +7,8 @@ import {
   OrdpoolOtsRow,
 } from '../../../services/ordinals/ordpool-api.service';
 import { OtsCalendarsComponent } from './ots-calendars.component';
+import { SeoService } from '../../../services/seo.service';
+import { OtsStoreService } from '../ots-stamp-verify/ots-store.service';
 
 describe('OtsCalendarsComponent', () => {
   let api: jest.Mocked<OrdpoolApiService>;
@@ -35,9 +37,18 @@ describe('OtsCalendarsComponent', () => {
   }
 
   function setup(): void {
+    const seoStub = {
+      setTitle: jest.fn(), resetTitle: jest.fn(),
+      setDescription: jest.fn(), resetDescription: jest.fn(),
+    };
+    const storeStub = { localStorageAvailable: true };
     TestBed.configureTestingModule({
       declarations: [OtsCalendarsComponent],
-      providers: [{ provide: OrdpoolApiService, useValue: api }],
+      providers: [
+        { provide: OrdpoolApiService, useValue: api },
+        { provide: SeoService, useValue: seoStub },
+        { provide: OtsStoreService, useValue: storeStub },
+      ],
     }).overrideComponent(OtsCalendarsComponent, { set: { template: '' } });
   }
 

frontend/src/app/components/_ordpool/ots-calendars/ots-calendars.component.ts

@@ -7,6 +7,7 @@ import {
   OrdpoolOtsRow,
 } from '../../../services/ordinals/ordpool-api.service';
 import { SeoService } from '../../../services/seo.service';
+import { OtsStoreService } from '../ots-stamp-verify/ots-store.service';
 
 /*
 Test cases:
@@ -35,8 +36,11 @@ export class OtsCalendarsComponent implements OnInit, OnDestroy {
   private api = inject(OrdpoolApiService);
   private cdr = inject(ChangeDetectorRef);
   private seo = inject(SeoService);
+  private store = inject(OtsStoreService);
   private destroy$ = new Subject<void>();
 
+  localStorageAvailable = this.store.localStorageAvailable;
+
   calendars: OrdpoolOtsCalendarStats[] = [];
   recent: OrdpoolOtsRow[] = [];
   calendarsLoaded = false;

frontend/src/app/components/_ordpool/ots-stamp-verify/ots-calendar-picker.service.spec.ts

@@ -0,0 +1,103 @@
+import { TestBed } from '@angular/core/testing';
+import { HttpClient } from '@angular/common/http';
+import { of, throwError } from 'rxjs';
+
+import { OtsCalendarPickerService } from './ots-calendar-picker.service';
+import { OTS_FALLBACK_CALENDARS } from './ots-store.service';
+
+describe('OtsCalendarPickerService', () => {
+  let http: jest.Mocked<HttpClient>;
+  let picker: OtsCalendarPickerService;
+
+  function setup() {
+    TestBed.resetTestingModule();
+    TestBed.configureTestingModule({
+      providers: [
+        OtsCalendarPickerService,
+        { provide: HttpClient, useValue: http },
+      ],
+    });
+    picker = TestBed.inject(OtsCalendarPickerService);
+  }
+
+  it('picks the freshest 3 by lastBlocktime when stats are available', async () => {
+    http = {
+      get: jest.fn((url: string) => {
+        if (url.endsWith('/stamp-calendars')) {
+          return of({ calendars: [
+            { nickname: 'alice',     url: 'https://alice.example.org' },
+            { nickname: 'bob',       url: 'https://bob.example.org' },
+            { nickname: 'finney',    url: 'https://finney.example.org' },
+            { nickname: 'catallaxy', url: 'https://cat.example.org' },
+          ] });
+        }
+        // /ots/calendars stats endpoint -- finney is freshest, then bob, then catallaxy.
+        // alice has the oldest data; should drop out of top-3.
+        return of([
+          { calendar: 'alice',     totalCommits: 0, lastBlockheight: 0, lastBlocktime: 1700000000, pendingCount: 0 },
+          { calendar: 'bob',       totalCommits: 0, lastBlockheight: 0, lastBlocktime: 1700001000, pendingCount: 0 },
+          { calendar: 'finney',    totalCommits: 0, lastBlockheight: 0, lastBlocktime: 1700002000, pendingCount: 0 },
+          { calendar: 'catallaxy', totalCommits: 0, lastBlockheight: 0, lastBlocktime: 1700000500, pendingCount: 0 },
+        ]);
+      }) as any,
+    } as any;
+    setup();
+    const picked = await picker.pick();
+    expect(picked.length).toBe(3);
+    expect(picked.map(c => c.nickname)).toEqual(['finney', 'bob', 'catallaxy']);
+  });
+
+  it('falls through to configured order when stats endpoint fails', async () => {
+    http = {
+      get: jest.fn((url: string) => {
+        if (url.endsWith('/stamp-calendars')) {
+          return of({ calendars: [
+            { nickname: 'alice',  url: 'https://alice.example.org' },
+            { nickname: 'bob',    url: 'https://bob.example.org' },
+            { nickname: 'finney', url: 'https://finney.example.org' },
+          ] });
+        }
+        return throwError(() => new Error('stats unreachable'));
+      }) as any,
+    } as any;
+    setup();
+    const picked = await picker.pick();
+    expect(picked.map(c => c.nickname)).toEqual(['alice', 'bob', 'finney']);
+  });
+
+  it('falls back to hardcoded list when /stamp-calendars is empty', async () => {
+    http = {
+      get: jest.fn(() => of({ calendars: [] })) as any,
+    } as any;
+    setup();
+    const picked = await picker.pick();
+    expect(picked.length).toBe(Math.min(3, OTS_FALLBACK_CALENDARS.length));
+  });
+
+  it('falls back to hardcoded list when /stamp-calendars throws', async () => {
+    http = {
+      get: jest.fn(() => throwError(() => new Error('config endpoint dead'))) as any,
+    } as any;
+    setup();
+    const picked = await picker.pick();
+    expect(picked.length).toBe(Math.min(3, OTS_FALLBACK_CALENDARS.length));
+    expect(picked[0].nickname).toBe('alice');
+  });
+
+  it('caches the result -- second call does not refetch', async () => {
+    http = {
+      get: jest.fn((url: string) => {
+        if (url.endsWith('/stamp-calendars')) {
+          return of({ calendars: [{ nickname: 'alice', url: 'https://alice.example.org' }] });
+        }
+        return of([]);
+      }) as any,
+    } as any;
+    setup();
+    await picker.pick();
+    await picker.pick();
+    await picker.pick();
+    // Two calls per pick (config + stats), but only on the FIRST pick.
+    expect(http.get).toHaveBeenCalledTimes(2);
+  });
+});

frontend/src/app/components/_ordpool/ots-stamp-verify/ots-pending-queue.component.html

@@ -51,7 +51,7 @@ <h2 class="mt-4">Your stamps</h2>
           </div>
           <div class="ots-stamp-actions">
             <button type="button" class="btn btn-sm btn-outline-light me-2" (click)="checkNow(s)">Check now</button>
-            <button type="button" class="btn btn-sm btn-outline-secondary" (click)="cancel(s)">Cancel &amp; forget</button>
+            <button type="button" class="btn btn-sm btn-outline-light" (click)="cancel(s)">Cancel &amp; forget</button>
           </div>
           <details class="ots-power-user smaller-text mt-2">
             <summary>Power user: export raw pending receipt</summary>
@@ -62,7 +62,7 @@ <h2 class="mt-4">Your stamps</h2>
               if you'd rather upgrade outside the browser. Most users don't
               need this.
             </p>
-            <button type="button" class="btn btn-sm btn-outline-secondary" (click)="downloadPendingRaw(s)">Download .pending.ots</button>
+            <button type="button" class="btn btn-sm btn-outline-light" (click)="downloadPendingRaw(s)">Download .pending.ots</button>
           </details>
         }
 
@@ -96,7 +96,7 @@ <h2 class="mt-4">Your stamps</h2>
               {{ s.downloadCount === 0 ? 'DOWNLOAD ME!' : 'Download again' }}
             </button>
             @if (canClear(s)) {
-              <button type="button" class="btn btn-sm btn-outline-secondary" (click)="clear(s)">Clear this entry</button>
+              <button type="button" class="btn btn-sm btn-outline-light" (click)="clear(s)">Clear this entry</button>
             }
           </div>
         }
@@ -108,7 +108,7 @@ <h2 class="mt-4">Your stamps</h2>
             usually fixes it.
           </div>
           <div class="ots-stamp-actions">
-            <button type="button" class="btn btn-sm btn-outline-secondary" (click)="cancel(s)">Cancel &amp; forget</button>
+            <button type="button" class="btn btn-sm btn-outline-light" (click)="cancel(s)">Cancel &amp; forget</button>
           </div>
         }
       </div>

frontend/src/app/components/_ordpool/ots-stamp-verify/ots-poller.service.ts

@@ -117,12 +117,17 @@ export class OtsPollerService implements OnDestroy {
     let errorMessage: string | null = null;
     try {
       const resp = await fetch(url, { method: 'GET' });
-      if (resp.status === 200) {
+      // Backend proxy always returns 200; we distinguish by Content-Type so
+      // Chrome's devtools doesn't log "Failed to load resource: 404" every
+      // minute while a stamp is still pending. JSON body = pending, binary
+      // = upgraded.
+      const ct = resp.headers.get('content-type') || '';
+      if (resp.status === 200 && ct.includes('json')) {
+        result = 'pending';
+      } else if (resp.status === 200) {
         const buf = new Uint8Array(await resp.arrayBuffer());
         bodyB64 = bytesToBase64(buf);
         result = 'published';
-      } else if (resp.status === 404) {
-        result = 'pending';
       } else {
         errorMessage = 'HTTP ' + resp.status;
       }

frontend/src/app/components/_ordpool/ots-stamp-verify/ots-stamp.component.html

@@ -9,13 +9,19 @@ <h2 class="card-title mb-2">Stamp a file</h2>
 
     <label class="dropzone"
            [class.dragging]="isDragging"
-           (dragover)="onDragOver($event)"
-           (dragleave)="onDragLeave($event)"
-           (drop)="onDrop($event)">
-      <input type="file" class="dropzone-input" (change)="onPick($event)">
+           [class.disabled]="!localStorageAvailable"
+           (dragover)="localStorageAvailable && onDragOver($event)"
+           (dragleave)="localStorageAvailable && onDragLeave($event)"
+           (drop)="localStorageAvailable && onDrop($event)">
+      <input type="file" class="dropzone-input" (change)="onPick($event)" [disabled]="!localStorageAvailable">
       <span class="dropzone-text">
-        <strong>Drop a file</strong><br>
-        or click to pick
+        @if (localStorageAvailable) {
+          <strong>Drop a file</strong><br>
+          or click to pick
+        } @else {
+          <strong>Stamping disabled</strong><br>
+          (localStorage is blocked &mdash; see banner above)
+        }
       </span>
     </label>
 
@@ -30,7 +36,7 @@ <h2 class="card-title mb-2">Stamp a file</h2>
         @case ('error') {
           <div class="alert alert-danger mt-3 mb-0">
             <strong>Could not stamp file:</strong> {{ status.message }}
-            <button type="button" class="btn btn-sm btn-outline-light ms-2" (click)="reset()">Try again</button>
+            <button type="button" class="btn btn-sm btn-outline-dark ms-2" (click)="reset()">Try again</button>
           </div>
         }
         @case ('wrong-zone') {

frontend/src/app/components/_ordpool/ots-stamp-verify/ots-stamp.component.scss

@@ -25,6 +25,12 @@
       background-color: #1a1d36;
     }
 
+    &.disabled {
+      cursor: not-allowed;
+      opacity: 0.55;
+      &:hover { border-color: #2d3250; background-color: #11132a; }
+    }
+
     .dropzone-input { display: none; }
 
     .dropzone-text {

frontend/src/app/components/_ordpool/ots-stamp-verify/ots-stamp.component.ts

@@ -45,6 +45,7 @@ export class OtsStampComponent {
 
   status: Status = { kind: 'idle' };
   isDragging = false;
+  localStorageAvailable = this.store.localStorageAvailable;
 
   onDragOver(ev: DragEvent): void {
     ev.preventDefault();