fix: Stale "Review fraudulent charge" task appears on home screen but the fraud flag was already cleared

[Uzaifm127]

Explanation of Change

This PR updated the fraud card filtering logic in useTimeSensitiveCards to only show the "Review fraudulent charge" time-sensitive task when the associated card has an unresolved fraud alert action in the linked workspace chat.

Previously, the Home tab fraud task was displayed solely based on card fraud metadata (card.fraud / possibleFraud) without verifying whether the fraud alert had already been resolved. Because of this, the fraud review task could remain visible even after the fraud flag was cleared and the card was reactivated.

This change fixes the issue by validating that the linked fraud alert report still contains an unresolved fraud action before adding the card to the Home screen’s time-sensitive fraud list, ensuring stale fraud review tasks are no longer shown after resolution.

Fixed Issues

$ #85981
PROPOSAL: #85981 (comment)

Tests

Precondition: You must trigger potential fraudulent transaction flag using Expensify card.

1. Go to the workspace chat where the fraud alert action is created.
2. Make sure that the fraud alert message/action is visible in the chat.
3. Click to the Home tab.
4. Click on Review potential fraud alert under Time Sensitive Tasks section.
5. Get dropped into Inbox in workspace chat.
6. Resolve the fraud alert action by selecting either fraud review option.
7. Navigate back to the Home tab.
8. Verify that "Review potential fraud alert" task is no longer shown under Time Sensitive section.

• Verify that no errors appear in the JS console

Offline tests

Same as Test

QA Steps

Same as Test

• Verify that no errors appear in the JS console

PR Author Checklist

• I linked the correct issue in the ### Fixed Issues section above
• I wrote clear testing steps that cover the changes made in this PR
  • I added steps for local testing in the Tests section
  • I added steps for the expected offline behavior in the Offline steps section
  • I added steps for Staging and/or Production testing in the QA steps section
  • I added steps to cover failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
  • I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
  • I tested this PR with a High Traffic account against the staging or production API to ensure there are no regressions (e.g. long loading states that impact usability).
• I included screenshots or videos for tests on all platforms
• I ran the tests on all platforms & verified they passed on:
  • Android: Native
  • Android: mWeb Chrome
  • iOS: Native
  • iOS: mWeb Safari
  • MacOS: Chrome / Safari
• I verified there are no console errors (if there's a console error not related to the PR, report it or open an issue for it to be fixed)
• I followed proper code patterns (see Reviewing the code)
  • I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e. toggleReport and not onIconClick)
  • I verified that comments were added to code that is not self explanatory
  • I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
  • I verified any copy / text shown in the product is localized by adding it to src/languages/* files and using the translation method
    • If any non-english text was added/modified, I used JaimeGPT to get English > Spanish translation. I then posted it in #expensify-open-source and it was approved by an internal Expensify engineer. Link to Slack message:
  • I verified all numbers, amounts, dates and phone numbers shown in the product are using the localization methods
  • I verified any copy / text that was added to the app is grammatically correct in English. It adheres to proper capitalization guidelines (note: only the first word of header/labels should be capitalized), and is either coming verbatim from figma or has been approved by marketing (in order to get marketing approval, ask the Bug Zero team member to add the Waiting for copy label to the issue)
  • I verified proper file naming conventions were followed for any new files or renamed files. All non-platform specific files are named after what they export and are not named "index.js". All platform-specific files are named for the platform the code supports as outlined in the README.
  • I verified the JSDocs style guidelines (in STYLE.md) were followed
• If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
• I followed the guidelines as stated in the Review Guidelines
• I tested other components that can be impacted by my changes (i.e. if the PR modifies a shared library or component like Avatar, I verified the components using Avatar are working as expected)
• I verified all code is DRY (the PR doesn't include any logic written more than once, with the exception of tests)
• I verified any variables that can be defined as constants (ie. in CONST.ts or at the top of the file that uses the constant) are defined as such
• I verified that if a function's arguments changed that all usages have also been updated correctly
• If any new file was added I verified that:
  • The file has a description of what it does and/or why is needed at the top of the file if the code is not self explanatory
• If a new CSS style is added I verified that:
  • A similar style doesn't already exist
  • The style can't be created with an existing StyleUtils function (i.e. StyleUtils.getBackgroundAndBorderStyle(theme.componentBG))
• If new assets were added or existing ones were modified, I verified that:
  • The assets are optimized and compressed (for SVG files, run npm run compress-svg)
  • The assets load correctly across all supported platforms.
• If the PR modifies code that runs when editing or sending messages, I tested and verified there is no unexpected behavior for all supported markdown - URLs, single line code, code blocks, quotes, headings, bold, strikethrough, and italic.
• If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like Avatar is modified, I verified that Avatar is working as expected in all cases)
• If the PR modifies a component related to any of the existing Storybook stories, I tested and verified all stories for that component are still working as expected.
• If the PR modifies a component or page that can be accessed by a direct deeplink, I verified that the code functions as expected when the deeplink is used - from a logged in and logged out account.
• If the PR modifies the UI (e.g. new buttons, new UI components, changing the padding/spacing/sizing, moving components, etc) or modifies the form input styles:
  • I verified that all the inputs inside a form are aligned with each other.
  • I added Design label and/or tagged @Expensify/design so the design team can review the changes.
• If a new page is added, I verified it's using the ScrollView component to make it scrollable when more elements are added to the page.
• I added unit tests for any new feature or bug fix in this PR to help automatically prevent regressions in this user flow.
• If the main branch was merged into this PR after a review, I tested again and verified the outcome was still expected according to the Test steps.

Screenshots/Videos

Android: Native

android-native.mov

Android: mWeb Chrome

android-mWeb.mov

iOS: Native

iOS-native.mov

iOS: mWeb Safari

iOS-mWeb.mov

MacOS: Chrome / Safari

macOS.mov

[codecov]

Codecov Report

✅ Changes either increased or maintained existing code coverage, great job!

Files with missing lines	Coverage Δ
...imeSensitiveSection/hooks/useTimeSensitiveCards.ts	95.83% <100.00%> (+2.08%)	⬆️
src/pages/inbox/report/PureReportActionItem.tsx	77.87% <100.00%> (+0.09%)	⬆️
.../inbox/report/actionContents/FraudAlertContent.tsx	100.00% <ø> (ø)
src/libs/actions/Card.ts	0.00% <0.00%> (ø)
... and 22 files with indirect coverage changes

[melvin-bot]

@Krishna2323 Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1a290fedc9

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Subscribe to fraud actions before filtering fraud cards

This filter now depends on getUnresolvedCardFraudAlertAction(...), but the hook only subscribes to ONYXKEYS.CARD_LIST; it does not subscribe to REPORT_ACTIONS. If Home renders before the relevant report actions are loaded, hasUnresolvedFraudAction is false and the fraud task is dropped, and later report-action updates will not trigger a recompute here, so a real unresolved fraud alert can remain hidden until an unrelated card-list change happens.

Useful? React with 👍 / 👎.

[Krishna2323]

@Uzaifm127 ^

[Uzaifm127]

Yep, on it.

[Uzaifm127]

Done!

I found that it is a real issue, that the useTimeSensitiveCards.ts hook isn't subscribed to report actions but we added the check with report actions.

[Krishna2323]

@Uzaifm127 I think there's a misunderstanding here. Instead of creating a new selector function and all the extra boilerplate, you could simply subscribe to REPORT_ACTIONS via useOnyx and pass them to getUnresolvedCardFraudAlertAction.

Specifically:

• Add a second optional param (reportActions) to getUnresolvedCardFraudAlertAction.
• Use the passed reportActions if available, or fall back to the module-level value.
• In useTimeSensitiveCards, subscribe to the relevant report actions via useOnyx and pass them in.

This keeps the logic centralized in one function and stays consistent with how the LHN already handles it.

[Uzaifm127]

Krishna, you are correct. Let me clear this further.

If you meant this:

function getUnresolvedCardFraudAlertAction(reportID: string, reportActions?: ReportActions) {
    const actions = reportActions ?? getAllReportActions(reportID);
    return Object.values(actions).find(
        (action) => isActionableCardFraudAlert(action) && !getOriginalMessage(action)?.resolution,
    );
}

function useTimeSensitiveCards() {
    const [cards] = useOnyx(ONYXKEYS.CARD_LIST);
    const [allReportActions] = useOnyx(ONYXKEYS.COLLECTION.REPORT_ACTIONS);

    // In the loop - pass subscribed data to the existing function
    const reportActions = allReportActions?.[`${ONYXKEYS.COLLECTION.REPORT_ACTIONS}${fraudAlertReportID}`];
    const hasUnresolvedFraudAction = !!getUnresolvedCardFraudAlertAction(
        String(fraudAlertReportID),
        reportActions,
    );
}

Then, I also thought to subscribe all report actions in the hook but this might decrease performance, because if we subscribe to all report actions via useOnyx as above then the hook will re-render on every report action modification (entire Home time-sensitive section re-renders) but if we go with the current approach then we have a selector in useOnyx which will ensures we only re-render when the fraud resolution actually changes.

Both approaches subscribe to all report actions but the difference is the selector function.

either we can choose DRY or Performance here.

You can correct me if I'm wrong here.

[Uzaifm127]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 790f48f80f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Memoize fraud selector dependency to avoid rerender churn

fraudActionsSelector is recreated on every render and then passed as the dependency to useOnyx(...). Since useOnyx invalidates when dependencies change, this subscription will be invalidated on every render; and because the selector builds a fresh result object each time, the hook can keep producing new snapshots and repeatedly re-render the Home section even when the underlying fraud data has not changed. Memoize the selector (e.g., with useCallback) and key dependencies off stable inputs (like report IDs) rather than the selector function reference.

Useful? React with 👍 / 👎.

[Krishna2323]

@Uzaifm127

[Uzaifm127]

Krishna, I don't believe we should use useCallback and useMemo as new React compiler will handle it. WDYT?

Fixed the conflicts.

[Krishna2323]

Hmm correct, useTimeSensitiveCards is auto-memoized.

[joekaufmanexpensify]

Good for product

[Krishna2323]

@Uzaifm127 please resolve conflicts. Reviewing now.

[Uzaifm127]

@Krishna2323 Fixed the conflicts.