Chat-room message toolbar (Reply / Report / Delete) is hover-gated and aria-hidden — inaccessible on touch and to screen readers

Area: Messaging & chat (audit p4) · Surface: /rooms/{slug} (ChatRoomController@show), rooms/_message.php · Dimension: Law 5 — mobile first-class · Severity: major

On touch devices the Reply, Report, and Delete actions for chat messages cannot be triggered — they live in a toolbar that is `opacity:0; pointer-events:none` until `:hover`, which never fires on a phone. Worse, the toolbar carries `aria-hidden="true"`, so screen-reader users can't reach Reply/Report/Delete at all, on any device. Moderation (Report) and the user's own Delete are core actions being made unavailable to a large slice of users.

Evidence

rooms/_message.php:146 emits `<div class="mc-msg-toolbar" aria-hidden="true">` containing the Reply and More (Report/Delete) buttons. chat-rooms.css:623-642 sets `.mc-msg-toolbar { opacity:0; pointer-events:none; }` and only `.mc-msg:hover .mc-msg-toolbar, .mc-msg:focus-within .mc-msg-toolbar { opacity:1; pointer-events:auto; }`. No `@media (hover: none)` fallback exists (grep confirms). chat-rooms.js:203-219 builds the same hover-gated toolbar for SSE-appended messages.

Suggested fix. Drop `aria-hidden="true"` from the toolbar (the buttons have aria-labels and must be reachable). Add `@media (hover: none) { .mc-msg-toolbar { opacity:1; pointer-events:auto; position:static; } }` or a tap-to-reveal handler in chat-rooms.js so the actions are usable on touch.

Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.