fix: Stale "Review fraudulent charge" task appears on home screen but the fraud flag was already cleared

[Uzaifm127]

Explanation of Change

This PR updated the fraud card filtering logic in useTimeSensitiveCards to only show the "Review fraudulent charge" time-sensitive task when the associated card has an unresolved fraud alert action in the linked workspace chat.

Previously, the Home tab fraud task was displayed solely based on card fraud metadata (card.fraud / possibleFraud) without verifying whether the fraud alert had already been resolved. Because of this, the fraud review task could remain visible even after the fraud flag was cleared and the card was reactivated.

This change fixes the issue by validating that the linked fraud alert report still contains an unresolved fraud action before adding the card to the Home screen’s time-sensitive fraud list, ensuring stale fraud review tasks are no longer shown after resolution.

Fixed Issues

$ #85981
PROPOSAL: #85981 (comment)

Tests

Precondition: You must trigger potential fraudulent transaction flag using Expensify card.

1. Go to the workspace chat where the fraud alert action is created.
2. Make sure that the fraud alert message/action is visible in the chat.
3. Click to the Home tab.
4. Click on Review potential fraud alert under Time Sensitive Tasks section.
5. Get dropped into Inbox in workspace chat.
6. Resolve the fraud alert action by selecting either fraud review option.
7. Navigate back to the Home tab.
8. Verify that "Review potential fraud alert" task is no longer shown under Time Sensitive section.

• Verify that no errors appear in the JS console

Offline tests

Same as Test

QA Steps

Same as Test

• Verify that no errors appear in the JS console

PR Author Checklist

• I linked the correct issue in the ### Fixed Issues section above
• I wrote clear testing steps that cover the changes made in this PR
  • I added steps for local testing in the Tests section
  • I added steps for the expected offline behavior in the Offline steps section
  • I added steps for Staging and/or Production testing in the QA steps section
  • I added steps to cover failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
  • I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
  • I tested this PR with a High Traffic account against the staging or production API to ensure there are no regressions (e.g. long loading states that impact usability).
• I included screenshots or videos for tests on all platforms
• I ran the tests on all platforms & verified they passed on:
  • Android: Native
  • Android: mWeb Chrome
  • iOS: Native
  • iOS: mWeb Safari
  • MacOS: Chrome / Safari
• I verified there are no console errors (if there's a console error not related to the PR, report it or open an issue for it to be fixed)
• I followed proper code patterns (see Reviewing the code)
  • I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e. toggleReport and not onIconClick)
  • I verified that comments were added to code that is not self explanatory
  • I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
  • I verified any copy / text shown in the product is localized by adding it to src/languages/* files and using the translation method
    • If any non-english text was added/modified, I used JaimeGPT to get English > Spanish translation. I then posted it in #expensify-open-source and it was approved by an internal Expensify engineer. Link to Slack message:
  • I verified all numbers, amounts, dates and phone numbers shown in the product are using the localization methods
  • I verified any copy / text that was added to the app is grammatically correct in English. It adheres to proper capitalization guidelines (note: only the first word of header/labels should be capitalized), and is either coming verbatim from figma or has been approved by marketing (in order to get marketing approval, ask the Bug Zero team member to add the Waiting for copy label to the issue)
  • I verified proper file naming conventions were followed for any new files or renamed files. All non-platform specific files are named after what they export and are not named "index.js". All platform-specific files are named for the platform the code supports as outlined in the README.
  • I verified the JSDocs style guidelines (in STYLE.md) were followed
• If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
• I followed the guidelines as stated in the Review Guidelines
• I tested other components that can be impacted by my changes (i.e. if the PR modifies a shared library or component like Avatar, I verified the components using Avatar are working as expected)
• I verified all code is DRY (the PR doesn't include any logic written more than once, with the exception of tests)
• I verified any variables that can be defined as constants (ie. in CONST.ts or at the top of the file that uses the constant) are defined as such
• I verified that if a function's arguments changed that all usages have also been updated correctly
• If any new file was added I verified that:
  • The file has a description of what it does and/or why is needed at the top of the file if the code is not self explanatory
• If a new CSS style is added I verified that:
  • A similar style doesn't already exist
  • The style can't be created with an existing StyleUtils function (i.e. StyleUtils.getBackgroundAndBorderStyle(theme.componentBG))
• If new assets were added or existing ones were modified, I verified that:
  • The assets are optimized and compressed (for SVG files, run npm run compress-svg)
  • The assets load correctly across all supported platforms.
• If the PR modifies code that runs when editing or sending messages, I tested and verified there is no unexpected behavior for all supported markdown - URLs, single line code, code blocks, quotes, headings, bold, strikethrough, and italic.
• If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like Avatar is modified, I verified that Avatar is working as expected in all cases)
• If the PR modifies a component related to any of the existing Storybook stories, I tested and verified all stories for that component are still working as expected.
• If the PR modifies a component or page that can be accessed by a direct deeplink, I verified that the code functions as expected when the deeplink is used - from a logged in and logged out account.
• If the PR modifies the UI (e.g. new buttons, new UI components, changing the padding/spacing/sizing, moving components, etc) or modifies the form input styles:
  • I verified that all the inputs inside a form are aligned with each other.
  • I added Design label and/or tagged @Expensify/design so the design team can review the changes.
• If a new page is added, I verified it's using the ScrollView component to make it scrollable when more elements are added to the page.
• I added unit tests for any new feature or bug fix in this PR to help automatically prevent regressions in this user flow.
• If the main branch was merged into this PR after a review, I tested again and verified the outcome was still expected according to the Test steps.

Screenshots/Videos

Android: Native

android-native.mov

Android: mWeb Chrome

android-mWeb.mov

iOS: Native

iOS-native.mov

iOS: mWeb Safari

iOS-mWeb.mov

MacOS: Chrome / Safari

macOS.mov

[codecov]

Codecov Report

✅ Changes either increased or maintained existing code coverage, great job!

Files with missing lines	Coverage Δ
src/libs/ReportUtils.ts	83.55% <100.00%> (+0.04%)	⬆️
...imeSensitiveSection/hooks/useTimeSensitiveCards.ts	96.00% <100.00%> (+0.76%)	⬆️
.../inbox/report/actionContents/FraudAlertContent.tsx	100.00% <100.00%> (ø)
src/libs/actions/Card.ts	0.00% <0.00%> (ø)
... and 11 files with indirect coverage changes

[melvin-bot]

@Krishna2323 Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1a290fedc9

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Subscribe to fraud actions before filtering fraud cards

This filter now depends on getUnresolvedCardFraudAlertAction(...), but the hook only subscribes to ONYXKEYS.CARD_LIST; it does not subscribe to REPORT_ACTIONS. If Home renders before the relevant report actions are loaded, hasUnresolvedFraudAction is false and the fraud task is dropped, and later report-action updates will not trigger a recompute here, so a real unresolved fraud alert can remain hidden until an unrelated card-list change happens.

Useful? React with 👍 / 👎.

[Krishna2323]

@Uzaifm127 ^

[Uzaifm127]

Yep, on it.

[Uzaifm127]

Done!

I found that it is a real issue, that the useTimeSensitiveCards.ts hook isn't subscribed to report actions but we added the check with report actions.

[Krishna2323]

@Uzaifm127 I think there's a misunderstanding here. Instead of creating a new selector function and all the extra boilerplate, you could simply subscribe to REPORT_ACTIONS via useOnyx and pass them to getUnresolvedCardFraudAlertAction.

Specifically:

• Add a second optional param (reportActions) to getUnresolvedCardFraudAlertAction.
• Use the passed reportActions if available, or fall back to the module-level value.
• In useTimeSensitiveCards, subscribe to the relevant report actions via useOnyx and pass them in.

This keeps the logic centralized in one function and stays consistent with how the LHN already handles it.

[Uzaifm127]

Krishna, you are correct. Let me clear this further.

If you meant this:

function getUnresolvedCardFraudAlertAction(reportID: string, reportActions?: ReportActions) {
    const actions = reportActions ?? getAllReportActions(reportID);
    return Object.values(actions).find(
        (action) => isActionableCardFraudAlert(action) && !getOriginalMessage(action)?.resolution,
    );
}

function useTimeSensitiveCards() {
    const [cards] = useOnyx(ONYXKEYS.CARD_LIST);
    const [allReportActions] = useOnyx(ONYXKEYS.COLLECTION.REPORT_ACTIONS);

    // In the loop - pass subscribed data to the existing function
    const reportActions = allReportActions?.[`${ONYXKEYS.COLLECTION.REPORT_ACTIONS}${fraudAlertReportID}`];
    const hasUnresolvedFraudAction = !!getUnresolvedCardFraudAlertAction(
        String(fraudAlertReportID),
        reportActions,
    );
}

Then, I also thought to subscribe all report actions in the hook but this might decrease performance, because if we subscribe to all report actions via useOnyx as above then the hook will re-render on every report action modification (entire Home time-sensitive section re-renders) but if we go with the current approach then we have a selector in useOnyx which will ensures we only re-render when the fraud resolution actually changes.

Both approaches subscribe to all report actions but the difference is the selector function.

either we can choose DRY or Performance here.

You can correct me if I'm wrong here.

[Krishna2323]

@Uzaifm127 I don’t think this should have any negative impact since it follows the same approach used elsewhere.

@MelvinBot Could you confirm the best way to handle this?

[MelvinBot]

Krishna's suggestion is the right approach here. Subscribing to REPORT_ACTIONS via useOnyx and passing the data to getUnresolvedCardFraudAlertAction is simpler and consistent with established patterns.

The codebase convention (e.g., OptionRowLHNData.tsx, TransactionItemRowRBR.tsx) is to subscribe to report actions via useOnyx, then pass the raw data to existing helper functions — keeping logic centralized in one place rather than duplicating it with inline selectors.

Uzaifm127's performance concern about re-renders is valid in theory, but with the React Compiler auto-memoizing useTimeSensitiveCards, the derived values will only recompute when their inputs actually change. The selector adds complexity without a meaningful performance benefit in this context.

Recommended approach:

1. Add an optional reportActions param to getUnresolvedCardFraudAlertAction (fall back to the module-level value when not provided)
2. In useTimeSensitiveCards, subscribe to the relevant report actions per fraud card's fraudAlertReportID via useOnyx and pass them through

This keeps the logic DRY, follows existing patterns, and the React Compiler handles the memoization concern.

[Uzaifm127]

Nice then, I'll refine based on this on tomorrow and I'll look into the failing test.

Resolved the merge conflicts.

[Uzaifm127]

@Krishna2323 Implemented.

[Uzaifm127]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 790f48f80f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Memoize fraud selector dependency to avoid rerender churn

fraudActionsSelector is recreated on every render and then passed as the dependency to useOnyx(...). Since useOnyx invalidates when dependencies change, this subscription will be invalidated on every render; and because the selector builds a fresh result object each time, the hook can keep producing new snapshots and repeatedly re-render the Home section even when the underlying fraud data has not changed. Memoize the selector (e.g., with useCallback) and key dependencies off stable inputs (like report IDs) rather than the selector function reference.

Useful? React with 👍 / 👎.

[Krishna2323]

@Uzaifm127

[Uzaifm127]

Krishna, I don't believe we should use useCallback and useMemo as new React compiler will handle it. WDYT?

Fixed the conflicts.

[Krishna2323]

Hmm correct, useTimeSensitiveCards is auto-memoized.

[joekaufmanexpensify]

Good for product

[Krishna2323]

@Uzaifm127 please resolve conflicts. Reviewing now.

[Uzaifm127]

@Krishna2323 Fixed the conflicts.

[Krishna2323]

@Valforte If possible, can we have QA test this PR? I verified it using Onyx data, but it would be great if QA can also test it with a real Expensify Card, with a potentially fraud alert action.

[Valforte]

I'll ask for QA review before approving

[github-actions]

🚧 @Valforte has triggered a test Expensify/App build. You can view the workflow run here.

[Krishna2323]

I'll ask for QA review before approving

@Valforte any updates on this?

[Valforte]

No update on QA yet, we have a pretty challenging deploy this week that is taking all of QA priority. I'll request QA again but we might still have to wait a while

[Valforte]

@Uzaifm127 @Krishna2323 can any of you clarify how to achieve the procondition You must trigger potential fraudulent transaction flag using Expensify card. QA is stuck there

[Uzaifm127]

@Valforte

Me and Krishna tested this by mocking the Onyx data locally. For the step:

You must trigger potential fraudulent transaction flag using Expensify card

this is not a step which can be triggered by UI easily. It would either need to be triggered by backend on a test account, or by a real Expensify Card transaction being flagged by the fraud/risk system as suspicious. Since that is difficult to reproduce reliably on demand, we validated the flow through local Onyx simulation instead.

[Valforte]

Can you provide steps so QA can reproduce with Onyx simulations?

[Uzaifm127]

I'll provide the steps on tomorrow Monday.

[Uzaifm127]

@Valforte QA can reproduce this with local Onyx simulation using the steps below:

1. Open any workspace chat in New Expensify.

2. Open browser developer tools:

   • Press F12, or
   • Right click the page and choose Inspect.
   • Then open the Console tab..

3. In the browser console, paste the following code and press enter to run it.

    // get the current report ID:
   const reportID = Number((await window.report)?.reportID);
   const fakeCardID = 999001;
   const fakeActionID = '9990011';
   
   // Inject a local Expensify Card with possibleFraud pointing to that report:
   await window.Onyx.merge('cardList', {
     [fakeCardID]: {
       cardID: fakeCardID,
       bank: 'Expensify Card',
       state: 3,
       fraud: 'domain',
       lastFourPAN: '4242',
       nameValuePairs: {
         possibleFraud: {
           triggerAmount: 5663,
           triggerMerchant: 'WAL-MART #2366',
           currency: 'USD',
           fraudAlertReportID: reportID,
         },
       },
     },
   });
   
   // Inject an actionable fraud alert into that chat
   await window.Onyx.merge(`reportActions_${reportID}`, {
     [fakeActionID]: {
       actionName: 'ACTIONABLECARDFRAUDALERT',
       actorAccountID: 0,
       automatic: true,
       avatar: '',
       reportActionID: fakeActionID,
       reportID: String(reportID),
       shouldShow: true,
       created: new Date().toISOString(),
       message: [],
       originalMessage: {
         cardID: fakeCardID,
         maskedCardNumber: '****4242',
         triggerAmount: 5663,
         triggerMerchant: 'WAL-MART #2366',
         currency: 'USD',
       },
     },
   });

4. Go to Home and verify that Review potential fraud appears.

5. Click the Home task and verify that the workspace chat shows the actionable fraud prompt.

6. Resolve it by simulating either outcome (We need to paste the following code in the browser console tab):

Yes, I do:

const reportID = Number((await window.report)?.reportID);
const fakeActionID = '9990011';

await window.Onyx.merge(`reportActions_${reportID}`, {
  [fakeActionID]: {
    originalMessage: {
      resolution: 'recognized',
    },
  },
});

No, it wasn’t me:

const reportID = Number((await window.report)?.reportID);
const fakeActionID = '9990011';

await window.Onyx.merge(`reportActions_${reportID}`, {
  [fakeActionID]: {
    originalMessage: {
      resolution: 'fraud',
    },
  },
});

7. Return to Home.
8. Verify that the Review potential fraud task is no longer shown once the fraud action is resolved.

---

This is the code to cleanup the Onyx mocking data which we mocked:

const reportID = Number((await window.report)?.reportID);
const fakeCardID = 999001;
const fakeActionID = '9990011';

await window.Onyx.merge('cardList', {
  [fakeCardID]: null,
});

await window.Onyx.merge(`reportActions_${reportID}`, {
  [fakeActionID]: null,
});

---

cc: @Krishna2323

[Valforte]

Asking QA for test

[m-natarajan]

Pass, Windows 10/Chrome v9.3.62-3 PR:87717

bandicam.2026-05-06.16-10-43-419.mp4

[Uzaifm127]

@Valforte Please let me know when you are about to merge this PR. I'll merge main before.

[Valforte]

I'm ready to merge, please go ahead and merge main

[Uzaifm127]

Done. Merged the main.

[github-actions]

🚧 @Valforte has triggered a test Expensify/App build. You can view the workflow run here.

[github-actions]

🧪🧪 Use the links below to test this adhoc build on Android, iOS, and Web. Happy testing! 🧪🧪
Built from App PR #87717.

Android 🤖	iOS 🍎
https://ad-hoc-expensify-cash.s3.us-east-1.amazonaws.com/rock-artifacts/ad-hoc/rock-android-Adhoc-4e710ae-593d847-ead5184f17c4b58a2f003bfd1a5c132eab9afa07/index.html	https://ad-hoc-expensify-cash.s3.us-east-1.amazonaws.com/rock-artifacts/ad-hoc/rock-ios-device-AdHoc-4e710ae-593d847-1b621ff798f2cf2fed1929c48aa96803235e50f5/index.html

Web 🕸️
https://87717.pr-testing.expensify.com

---

👀 View the workflow run that generated this build 👀

[OSBotify]

✋ This PR was not deployed to staging yet because QA is ongoing. It will be automatically deployed to staging after the next production release.

[IuliiaHerets]

Hi @Uzaifm127. This PR was already tested here.
Do we need to check it again?

cc @Valforte @Krishna2323 @joekaufmanexpensify

[OSBotify]

🚀 Deployed to staging by https://github.com/Valforte in version: 9.3.69-0 🚀

platform	result
🕸 web 🕸	success ✅
🤖 android 🤖	success ✅
🍎 iOS 🍎	success ✅

Bundle Size Analysis (Sentry):

• Android
• iOS

[MelvinBot]

No help site changes are required for this PR.

This PR is a bug fix to internal fraud alert filtering logic — it ensures the "Review fraudulent charge" time-sensitive task disappears after the fraud alert is resolved. The existing help site documentation in Expensify-Home-Overview.md already describes the Time-sensitive section correctly (it appears "only when there is something that requires immediate attention" for "potential risk, such as suspected Expensify Card fraud"). No feature names, UI labels, or workflows changed — just the underlying logic for when the alert is shown.

[OSBotify]

🚀 Deployed to production by https://github.com/Beamanator in version: 9.3.69-18 🚀

platform	result
🕸 web 🕸	success ✅
🤖 android 🤖	success ✅
🍎 iOS 🍎	success ✅