fix(map): drop PII logging per poll, dedupe sent-folder notices

[quad341]

What this changes

The MAP backend's poll_inbox had two _log.warning blocks left over from debugging: one dumping all properties (including Sender phone number and Subject/body) for the first inbox message every poll cycle, and one doing the same for the first sent message. At a 5-second poll interval, this logged personal phone numbers and message previews continuously to the system log.

Both blocks are removed entirely.

A separate issue: poll_inbox emitted a WARNING every poll cycle when the sent folder was unavailable or empty — on iOS this is always the case. This is now logged once per MAP session (at INFO/DEBUG level) via a _sent_folder_warned flag, which resets in disconnect() so a reconnect gets one notice again.

Review notes

• tincand/backends/bluez_map.py only. No API surface changes.
• _sent_folder_warned initialized in __init__ and reset in disconnect() — the reconnect test pattern already covers the reset path.
• Log level downgrade: WARNING → INFO (sent folder unavailable), WARNING → DEBUG (empty sent folder) — calmer for operators who connect to iOS devices regularly.

Test plan

• 1989 tests pass, 0 failures (python -m pytest tests/ -q)
• 187 MAP tests pass (covers poll_inbox, sent-folder handling, reconnect paths)
• Release gate: release-gates/map-pii-logging-ha0mb-gate.md

🤖 Deployed by actual-factory

[quad341]

@quad341 — this is a clean catch and exactly the kind of fix worth prioritizing: those first-message _log.warning dumps in poll_inbox were writing Sender phone numbers and message bodies to syslog every 5 seconds, and removing them outright (inbox and sent) is the right call. The _sent_folder_warned once-per-session gate plus the WARNING→INFO/DEBUG downgrade is a nice quiet-the-logs touch for anyone running against an iOS device where the sent folder is never exposed.

One tiny thing I'll handle on my side before merging: the gate doc (and the PR body) say the flag "resets in disconnect()," but the code actually resets it in connect(). Functionally identical — reconnect goes through connect(), so each new session still gets one notice exactly as you described — it's just the method name in the writeup. I'll correct the gate wording, re-run the suite, and merge with your authorship intact. Thanks for the privacy fix!

---

Reviewers: Qwen (local) — ok · Claude (claude-opus-4-8[1m]) — ok · Codex (gpt-5.5) — ok
Synthesis: claude-opus-4-8[1m]

Verified locally + tests pass. Ready to merge — clicking the button is the only step left.

[quad341]

@quad341 — great catch on this one. Those first-message _log.warning dumps in poll_inbox were serializing Sender/Recipient numbers and subjects to syslog every 5 seconds, and pulling them out entirely (inbox and sent) is exactly the right call — no half-measures on PII.

The _sent_folder_warned once-per-session gate plus the WARNING→INFO/DEBUG downgrade is a clean touch for anyone running against an iOS device where the sent folder never shows up. I traced the reset lifecycle and it holds up: the flag resets in connect(), and every reconnect routes back through there, so each session gets exactly one notice as intended. The committed gate doc already states connect() correctly — the only "disconnect()" wording is in the PR description prose, so there's nothing in-tree to change.

CI's green and it's mergeable. Merging as-is with your authorship intact. Thanks for the privacy fix!

---

Reviewers: Qwen (local) — ok · Claude (claude-opus-4-8[1m]) — ok · Codex (gpt-5.5) — ok
Synthesis: claude-opus-4-8[1m]

Verified locally + tests pass. Ready to merge — clicking the button is the only step left.