ping_core/client.rs
1//! `MessagingClient` — top-level handle. Owns the OpenMLS provider, identity, local device,
2//! and the set of open conversations.
3//!
4//! All operations are `async`. The intent is that the FFI generators emit Swift `async`,
5//! Kotlin `suspend`, and the WASM glue exposes Promises.
6
7use openmls::framing::MlsMessageOut;
8use openmls::prelude::{
9 tls_codec::Serialize as TlsSerialize, BasicCredential, Ciphersuite, CredentialWithKey,
10 KeyPackageBuilder,
11};
12use openmls_basic_credential::SignatureKeyPair;
13use openmls_traits::OpenMlsProvider;
14use parking_lot::RwLock;
15use ping_mls_store::{PersistentMlsProvider, StorageBackend};
16use std::collections::HashMap;
17use std::sync::Arc;
18use zeroize::Zeroizing;
19
20use crate::{
21 codec,
22 conversation::{Conversation, ConversationId, ConversationMeta},
23 device::{
24 CatchupAppEventEntry, CatchupConversationEntry, CatchupSnapshot, DeviceId, DeviceInfo,
25 LinkingTicket, LocalDevice, CATCHUP_SNAPSHOT_VERSION,
26 },
27 error::{Error, Result},
28 identity::{Identity, UserId},
29 message::{IncomingMessage, MessageEnvelope, MessageKind},
30 storage::Storage,
31 sync::SyncCursor,
32 transport::Transport,
33};
34
35const DEFAULT_CIPHERSUITE: Ciphersuite = Ciphersuite::MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519;
36
37#[derive(Debug)]
38pub struct ClientConfig {
39 pub identity: Identity,
40 pub device_label: String,
41 pub storage: Arc<dyn Storage>,
42 pub transport: Arc<dyn Transport>,
43 /// Wall clock in ms. Pulled from the host so we can use a synthetic clock in tests.
44 pub now_ms: u64,
45 /// [CR-4] OpenMLS-provider backend. Defaults to in-memory; iOS NSE and web SW
46 /// cold-start paths MUST pass `StorageBackend::Sqlite { path, encryption_key }`
47 /// (native) or `StorageBackend::IndexedDb { db_name }` (WASM, when that lands).
48 /// See `docs/design/CR4_CR7_PERSISTENCE.md`.
49 pub storage_backend: StorageBackend,
50 /// Optional 32-byte Ed25519 secret key the SDK should use as the
51 /// device signing key. When set AND no `LocalDevice` is yet
52 /// persisted in `storage`, the SDK constructs its first
53 /// `LocalDevice` from this key instead of generating a fresh
54 /// random one — so `device_id = SHA-256(public_key_of(secret))`
55 /// is fully determined by what the host provided.
56 ///
57 /// Use case: align the SDK's `device_id` (which it stamps into
58 /// every envelope's `sender_device` field) with an externally-
59 /// computed device id — typically `SHA-256(device_signing_pubkey)`
60 /// in the host's auth layer, where the JWT carries that same
61 /// value as its `device_id` claim. Without this alignment, a
62 /// server that validates `envelope.sender_device ==
63 /// jwt.device_id` would reject every send.
64 ///
65 /// Ignored on re-init (when storage already has a persisted
66 /// `LocalDevice`) so the device identity remains stable across
67 /// restarts.
68 pub device_signing_secret_key: Option<[u8; 32]>,
69}
70
71impl ClientConfig {
72 /// Construct a config with `StorageBackend::Memory` — convenient for tests and
73 /// the existing v0.1 in-memory flow.
74 pub fn new_in_memory(
75 identity: Identity,
76 device_label: String,
77 storage: Arc<dyn Storage>,
78 transport: Arc<dyn Transport>,
79 now_ms: u64,
80 ) -> Self {
81 Self {
82 identity,
83 device_label,
84 storage,
85 transport,
86 now_ms,
87 storage_backend: StorageBackend::Memory,
88 device_signing_secret_key: None,
89 }
90 }
91}
92
93pub struct MessagingClient {
94 pub(crate) identity: Identity,
95 pub(crate) local_device: LocalDevice,
96 pub(crate) crypto: Arc<PersistentMlsProvider>,
97 pub(crate) signing: Arc<SignatureKeyPair>,
98 pub(crate) storage: Arc<dyn Storage>,
99 pub(crate) transport: Arc<dyn Transport>,
100 conversations: RwLock<HashMap<ConversationId, Conversation>>,
101}
102
103impl std::fmt::Debug for MessagingClient {
104 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
105 f.debug_struct("MessagingClient")
106 .field("user_id", &self.identity.user_id().as_hex())
107 .field("device_id", &self.local_device.device_id.as_hex())
108 .field("conversation_count", &self.conversations.read().len())
109 .finish()
110 }
111}
112
113impl MessagingClient {
114 /// Initialise. Creates a new local device if none is recorded in storage; otherwise rehydrates.
115 pub async fn init(cfg: ClientConfig) -> Result<Arc<Self>> {
116 // [CR-4] OpenMLS provider is now pluggable. For `StorageBackend::Memory` this
117 // behaves like the old `OpenMlsRustCrypto::default()`. For `Sqlite`, the
118 // working set is hydrated from the on-disk blob; subsequent `checkpoint` calls
119 // flush it back. iOS NSE / web SW cold-start lives here.
120 //
121 // Use `open_async` so the WASM `StorageBackend::IndexedDb` variant can read
122 // its snapshot blob through the host-supplied `AsyncBlobStore` before
123 // returning — without this, the provider's `MemoryStorage` would be empty
124 // and `MlsGroup::load` would silently return `None` for every group on
125 // cold restart, breaking chat persistence across reloads. Native targets
126 // (Memory + Sqlite) delegate to the sync path under the hood, so the
127 // `.await` is free there.
128 let crypto = PersistentMlsProvider::open_async(cfg.storage_backend.clone())
129 .await
130 .map_err(|e| Error::Storage(format!("provider open: {e}")))?;
131 let local_device = match cfg.storage.get("device", "local").await? {
132 Some(bytes) => decode_local_device(&bytes, cfg.identity.user_id().clone())?,
133 None => {
134 // First-init path. If the host supplied a signing secret
135 // (typically to align the device_id with their auth
136 // layer), use it; otherwise mint a fresh random key.
137 // Either way, the constructed `LocalDevice` is
138 // immediately persisted so future inits load from
139 // storage without consulting the override again.
140 let dev = match cfg.device_signing_secret_key.as_ref() {
141 Some(secret) => LocalDevice::from_signing_secret(
142 cfg.identity.user_id().clone(),
143 cfg.device_label,
144 cfg.now_ms,
145 secret,
146 ),
147 None => LocalDevice::generate(
148 cfg.identity.user_id().clone(),
149 cfg.device_label,
150 cfg.now_ms,
151 ),
152 };
153 let bytes = encode_local_device(&dev)?;
154 cfg.storage.put("device", "local", bytes).await?;
155 dev
156 }
157 };
158
159 // [CR-4] MLS signing keypair MUST be stable across cold restarts — otherwise the
160 // leaf-key stored on disk no longer matches the per-client key on re-init, and any
161 // send-after-restart silently misroutes. We derive deterministically from the
162 // already-persistent `LocalDevice::signing` (Ed25519, 32 raw bytes), and the
163 // ciphersuite's signature scheme is Ed25519 too — so the device signing key and the
164 // MLS leaf signing key are the same bytes. The MLS storage provider also receives
165 // a copy via `store()` so OpenMLS-internal lookups (process_message, etc.) succeed.
166 let signing = {
167 let sk_bytes = local_device.signing.to_bytes().to_vec();
168 let pk_bytes = local_device.signing.verifying_key().to_bytes().to_vec();
169 let kp = SignatureKeyPair::from_raw(
170 DEFAULT_CIPHERSUITE.signature_algorithm(),
171 sk_bytes,
172 pk_bytes,
173 );
174 kp.store(crypto.storage()).map_err(Error::mls)?;
175 Arc::new(kp)
176 };
177
178 let client = Arc::new(Self {
179 identity: cfg.identity,
180 local_device,
181 crypto,
182 signing,
183 storage: cfg.storage,
184 transport: cfg.transport,
185 conversations: RwLock::new(HashMap::new()),
186 });
187
188 client.rehydrate_conversations(cfg.now_ms).await?;
189
190 // [CR-10] Ensure the DeviceGroup exists at init, not lazily inside
191 // build_linking_ticket. Single-device users need somewhere to write
192 // personal events (drafts, read pointers, notes, vault wrapper)
193 // even before they pair a second device. Lazy creation in
194 // build_linking_ticket left them with no DG → no place for
195 // personal state to land.
196 //
197 // Idempotent — re-init after a cold restart finds the DG via
198 // rehydrate_conversations and this becomes a no-op.
199 client.ensure_device_group(cfg.now_ms).await?;
200
201 Ok(client)
202 }
203
204 /// [CR-10] Idempotently ensures this user's DeviceGroup exists in
205 /// `self.conversations`. Called from `init` (so single-device users
206 /// have a DG immediately) and from `build_linking_ticket` (the legacy
207 /// lazy path; still safe to call when the DG already exists, since
208 /// rehydrate_conversations would have re-attached it before init
209 /// returned).
210 ///
211 /// The DeviceGroup is a one-leaf MLS group at creation time —
212 /// `add_members` (called by `build_linking_ticket` when a second
213 /// device pairs in) is what grows it. We persist the snapshot so a
214 /// cold restart picks it up before this function runs again.
215 pub(crate) async fn ensure_device_group(self: &Arc<Self>, now_ms: u64) -> Result<()> {
216 let dg_id = device_group_id_for(self.identity.user_id());
217 if self.conversations.read().contains_key(&dg_id) {
218 return Ok(());
219 }
220 let mut new_dg = Conversation::create(
221 dg_id,
222 Some("device-group".into()),
223 self.local_device.device_id.clone(),
224 self.identity.user_id(),
225 self.crypto.clone(),
226 self.signing.clone(),
227 self.storage.clone(),
228 now_ms,
229 )?;
230 new_dg.meta.is_device_group = true;
231 new_dg.snapshot_to_storage().await?;
232 self.conversations.write().insert(dg_id, new_dg);
233 Ok(())
234 }
235
236 pub fn user_id(&self) -> UserId {
237 self.identity.user_id().clone()
238 }
239 pub fn device_id(&self) -> DeviceId {
240 self.local_device.device_id.clone()
241 }
242 pub fn device_info(&self, now_ms: u64) -> DeviceInfo {
243 self.local_device.info(now_ms)
244 }
245
246 /// Generate a fresh KeyPackage to publish to the directory. Hosts call this when registering
247 /// a device or topping up the directory.
248 pub fn fresh_key_package(&self) -> Result<Vec<u8>> {
249 let credential_with_key = CredentialWithKey {
250 credential: BasicCredential::new(self.identity.user_id().0.clone()).into(),
251 signature_key: self.signing.public().to_vec().into(),
252 };
253 let bundle = KeyPackageBuilder::new()
254 .build(
255 DEFAULT_CIPHERSUITE,
256 self.crypto.as_ref(),
257 self.signing.as_ref(),
258 credential_with_key,
259 )
260 .map_err(Error::mls)?;
261 // KeyPackages are serialized as MlsMessage(KeyPackage) per the MLS framing spec.
262 let msg: MlsMessageOut = bundle.key_package().clone().into();
263 msg.tls_serialize_detached().map_err(Error::mls)
264 }
265
266 /// Create a new conversation owned by this client (and seeded with a single member: this device).
267 pub async fn create_conversation(
268 self: &Arc<Self>,
269 name: Option<String>,
270 now_ms: u64,
271 ) -> Result<ConversationId> {
272 let id = ConversationId::new();
273 let convo = Conversation::create(
274 id,
275 name,
276 self.local_device.device_id.clone(),
277 self.identity.user_id(),
278 self.crypto.clone(),
279 self.signing.clone(),
280 self.storage.clone(),
281 now_ms,
282 )?;
283 convo.snapshot_to_storage().await?;
284 self.conversations.write().insert(id, convo);
285 Ok(id)
286 }
287
288 /// Join via a Welcome bundled in a [`MessageEnvelope`] of kind `Welcome`.
289 pub async fn join_conversation(
290 self: &Arc<Self>,
291 welcome_envelope: &MessageEnvelope,
292 now_ms: u64,
293 ) -> Result<ConversationId> {
294 if welcome_envelope.kind != MessageKind::Welcome {
295 return Err(Error::Invalid("expected Welcome envelope".into()));
296 }
297 let convo = Conversation::join(
298 &welcome_envelope.payload,
299 self.local_device.device_id.clone(),
300 self.crypto.clone(),
301 self.signing.clone(),
302 self.storage.clone(),
303 now_ms,
304 )?;
305 let id = convo.id();
306 convo.snapshot_to_storage().await?;
307 self.conversations.write().insert(id, convo);
308 Ok(id)
309 }
310
311 pub fn list_conversations(&self) -> Vec<ConversationMeta> {
312 self.conversations
313 .read()
314 .values()
315 .map(|c| c.meta.clone())
316 .collect()
317 }
318
319 /// Send an application message. Returns once the envelope has been handed to the transport.
320 pub async fn send(
321 &self,
322 conv_id: ConversationId,
323 plaintext: Vec<u8>,
324 now_ms: u64,
325 ) -> Result<MessageEnvelope> {
326 let envelope = {
327 let mut guard = self.conversations.write();
328 let convo = guard
329 .get_mut(&conv_id)
330 .ok_or_else(|| Error::UnknownConversation(conv_id.as_hex()))?;
331 convo.send_application(&plaintext, now_ms)?
332 };
333 self.transport.send(envelope.clone()).await?;
334 Ok(envelope)
335 }
336
337 /// Add members. The Commit goes on the wire; the Welcome should be delivered to the new
338 /// devices' inboxes (the host transport implements that — typically as a separate addressed
339 /// envelope).
340 ///
341 /// [CR-2] Each entry is `(DeviceId, KeyPackage_bytes)`. The host typically gets the
342 /// device_id from the directory at the same time it gets the KeyPackage; we use it to
343 /// record a per-conversation `device_id → leaf_index` map so [`Self::revoke_device`]
344 /// can later locate the leaf without a fresh directory lookup. The SDK does not
345 /// cryptographically verify the host's device-id claim — that's a directory policy
346 /// concern.
347 //
348 // We hold a `parking_lot` read guard across `.await` for `snapshot_to_storage` here. Clippy
349 // flags this; we keep it for v0.1 because the alternative is a structural refactor of
350 // Conversation::snapshot_to_storage to split sync prep from async writes — see
351 // docs/ASSUMPTIONS.md item "lock-during-async-I/O is suboptimal but acceptable for v0.1".
352 // The `parking_lot/send_guard` feature (in core/Cargo.toml) makes the guard `Send` so the
353 // future is still schedulable across tokio threads.
354 #[allow(clippy::await_holding_lock)]
355 pub async fn add_members(
356 &self,
357 conv_id: ConversationId,
358 entries: Vec<(DeviceId, Vec<u8>)>,
359 now_ms: u64,
360 ) -> Result<()> {
361 let outcome = {
362 let mut guard = self.conversations.write();
363 let convo = guard
364 .get_mut(&conv_id)
365 .ok_or_else(|| Error::UnknownConversation(conv_id.as_hex()))?;
366 convo.add_members(entries, now_ms)?
367 };
368 self.transport.send(outcome.commit).await?;
369 self.transport.send(outcome.welcome).await?;
370 if let Some(c) = self.conversations.read().get(&conv_id) {
371 c.snapshot_to_storage().await?;
372 }
373 Ok(())
374 }
375
376 #[allow(clippy::await_holding_lock)] // see add_members for rationale
377 pub async fn remove_members(
378 &self,
379 conv_id: ConversationId,
380 leaf_indexes: Vec<u32>,
381 now_ms: u64,
382 ) -> Result<()> {
383 let envelope = {
384 let mut guard = self.conversations.write();
385 let convo = guard
386 .get_mut(&conv_id)
387 .ok_or_else(|| Error::UnknownConversation(conv_id.as_hex()))?;
388 convo.remove_members(leaf_indexes, now_ms)?
389 };
390 self.transport.send(envelope).await?;
391 if let Some(c) = self.conversations.read().get(&conv_id) {
392 c.snapshot_to_storage().await?;
393 }
394 Ok(())
395 }
396
397 /// Process an inbound envelope coming from the transport's subscribe callback or a sync pull.
398 /// Returns `Some` for application traffic, `None` for handshake messages (already merged).
399 #[allow(clippy::await_holding_lock)] // see add_members for rationale
400 pub async fn process_envelope(
401 &self,
402 env: &MessageEnvelope,
403 now_ms: u64,
404 ) -> Result<Option<IncomingMessage>> {
405 // Welcome envelopes for unknown conversations are routed to `join_conversation` by the
406 // caller. Here we only handle traffic for already-open groups.
407 let mut guard = self.conversations.write();
408 let convo = match guard.get_mut(&env.conversation_id) {
409 Some(c) => c,
410 None => return Err(Error::UnknownConversation(env.conversation_id.as_hex())),
411 };
412 let out = convo.process(env, now_ms)?;
413 // Cheap snapshot — only mutates KV the size of the cursor.
414 convo.snapshot_to_storage().await?;
415 Ok(out)
416 }
417
418 /// Catch-up sync: pull missing events for every open conversation since its cursor.
419 /// Returns the list of newly-decrypted application messages, in apply order.
420 pub async fn sync_conversations(&self, now_ms: u64) -> Result<Vec<IncomingMessage>> {
421 let pending: Vec<(ConversationId, SyncCursor)> = self
422 .conversations
423 .read()
424 .iter()
425 .map(|(id, c)| (*id, c.cursor.clone()))
426 .collect();
427
428 let mut delivered = Vec::new();
429 for (conv_id, cursor) in pending {
430 loop {
431 let batch = self
432 .transport
433 .fetch_since(conv_id, cursor.clone(), 256)
434 .await?;
435 if batch.is_empty() {
436 break;
437 }
438 for env in &batch {
439 if let Some(msg) = self.process_envelope(env, now_ms).await? {
440 delivered.push(msg);
441 }
442 }
443 if batch.len() < 256 {
444 break;
445 } // partial page → caught up
446 }
447 }
448 Ok(delivered)
449 }
450
451 /// Rehydrate conversations from storage on startup ([CR-4]).
452 ///
453 /// Walks the host-side `groups` namespace for meta records, pairs each with its
454 /// cursor + device→leaf map, and asks `Conversation::load` to re-attach to the
455 /// underlying OpenMLS group state. The MLS state itself was persisted by the
456 /// SQLite-backed `PersistentMlsProvider` on the previous run; this method
457 /// reconciles the SDK-side caches with what's on disk.
458 async fn rehydrate_conversations(self: &Arc<Self>, now_ms: u64) -> Result<()> {
459 let metas = self.storage.list_keys("groups", "").await?;
460 for path in metas {
461 // path looks like "{convId}/meta"
462 let Some((id_hex, suffix)) = path.split_once('/') else {
463 continue;
464 };
465 if suffix != "meta" {
466 continue;
467 }
468 let Some(meta_bytes) = self.storage.get("groups", &path).await? else {
469 continue;
470 };
471 let meta: ConversationMeta = match codec::decode(&meta_bytes) {
472 Ok(m) => m,
473 Err(_) => continue,
474 };
475 let cursor_bytes = self
476 .storage
477 .get("cursors", id_hex)
478 .await?
479 .unwrap_or_default();
480 let cursor = if cursor_bytes.is_empty() {
481 SyncCursor::default()
482 } else {
483 SyncCursor::decode(&cursor_bytes).unwrap_or_default()
484 };
485
486 // [CR-2] device→leaf map was persisted alongside meta + cursor.
487 let device_leaves_bytes = self
488 .storage
489 .get("device_leaves", id_hex)
490 .await?
491 .unwrap_or_default();
492 let device_leaves: std::collections::BTreeMap<DeviceId, u32> =
493 if device_leaves_bytes.is_empty() {
494 std::collections::BTreeMap::new()
495 } else {
496 let pairs: Vec<(DeviceId, u32)> =
497 codec::decode(&device_leaves_bytes).unwrap_or_default();
498 pairs.into_iter().collect()
499 };
500
501 match Conversation::load(
502 meta.id,
503 meta.clone(),
504 cursor,
505 device_leaves,
506 self.local_device.device_id.clone(),
507 self.crypto.clone(),
508 self.signing.clone(),
509 self.storage.clone(),
510 now_ms,
511 ) {
512 Ok(Some(convo)) => {
513 tracing::debug!(
514 target: "ping_core::client",
515 convo = %id_hex,
516 epoch = meta.epoch,
517 "rehydrated conversation from disk"
518 );
519 self.conversations.write().insert(meta.id, convo);
520 }
521 Ok(None) => {
522 tracing::warn!(
523 target: "ping_core::client",
524 convo = %id_hex,
525 "host-side meta present but OpenMLS state missing — skipping"
526 );
527 }
528 Err(e) => {
529 tracing::warn!(
530 target: "ping_core::client",
531 convo = %id_hex,
532 error = %e,
533 "Conversation::load failed — skipping"
534 );
535 }
536 }
537 }
538 Ok(())
539 }
540
541 // ------------------- Multi-device API -------------------
542
543 /// Build a [`LinkingTicket`] for a new device. The caller obtains `new_device_kp` from the
544 /// new device (e.g., via QR-encoded handshake) and is responsible for sealing the returned
545 /// ticket against the new device's ephemeral X25519 pubkey before transmission via
546 /// [`ping_link::seal_ticket`].
547 ///
548 /// [CR-13] `last_app_events` is a host-supplied list of `(conversation_id, app_event_bytes)`
549 /// for the new device's "what you missed" UI. The SDK adds its own metas + (currently-
550 /// empty) per-conversation MLS state and bundles everything into
551 /// [`device::CatchupSnapshot`], CBOR-encoded into the ticket's `catchup_snapshot` field.
552 /// Pass an empty `Vec` to suppress catchup data (the new device sees an empty
553 /// conversation list until normal sync runs).
554 pub async fn build_linking_ticket(
555 self: &Arc<Self>,
556 new_device_id: DeviceId,
557 new_device_kp: Vec<u8>,
558 last_app_events: Vec<(ConversationId, Vec<u8>)>,
559 now_ms: u64,
560 ) -> Result<LinkingTicket> {
561 let device_binding_sig = self.identity.sign_device_binding(&new_device_id.0);
562 let dg_id = device_group_id_for(self.identity.user_id());
563
564 // [CR-10] DG is eagerly created at init now, but call ensure here too so
565 // hosts that bypass `MessagingClient::init` (mocked tests, legacy upgrade
566 // paths) keep working.
567 self.ensure_device_group(now_ms).await?;
568
569 // Admit the new device to the DeviceGroup.
570 let outcome = {
571 let mut conversations = self.conversations.write();
572 let dg = conversations
573 .get_mut(&dg_id)
574 .expect("DeviceGroup ensured above");
575 // [CR-2] Record the new device's leaf in the DG so future `revoke_device`
576 // can find it. The new_device_id we got as a parameter is the inviter's
577 // own assertion — same trust model as the rest of `add_members`.
578 dg.add_members(vec![(new_device_id.clone(), new_device_kp)], now_ms)?
579 };
580
581 // [CR-13] Assemble the catchup snapshot: SDK-known conversation metadata + host-
582 // supplied last-known plaintext per conversation. [CR-7] now populates
583 // `group_state_bytes` with each group's MLS state so the new device can decrypt
584 // historical traffic without re-Welcoming. An empty `group_state_bytes` would
585 // mean either a group with no exportable state (shouldn't happen) or an
586 // encoder failure (we let those propagate as errors below).
587 let catchup_snapshot = if last_app_events.is_empty() && self.conversations.read().is_empty()
588 {
589 // Cheap path: nothing to snapshot, skip the encode round-trip.
590 Vec::new()
591 } else {
592 let conversation_metas: Vec<CatchupConversationEntry> = self
593 .conversations
594 .read()
595 .values()
596 .map(|c| -> Result<CatchupConversationEntry> {
597 // CR-7: per-group state. We deliberately keep the export bytes
598 // inside the (HPKE-sealed-by-CR-3) LinkingTicket; the receiver
599 // calls `import_state_snapshot` with these bytes after `consume_linking_ticket`.
600 let group_bytes = c.export_state_snapshot(now_ms)?.to_vec();
601 Ok(CatchupConversationEntry {
602 conversation_id: c.id(),
603 meta: c.meta().clone(),
604 group_state_bytes: group_bytes,
605 })
606 })
607 .collect::<Result<_>>()?;
608 let last_app_events_per_conv: Vec<CatchupAppEventEntry> = last_app_events
609 .into_iter()
610 .map(|(conversation_id, app_event_bytes)| CatchupAppEventEntry {
611 conversation_id,
612 app_event_bytes,
613 })
614 .collect();
615 CatchupSnapshot {
616 v: CATCHUP_SNAPSHOT_VERSION,
617 conversation_metas,
618 last_app_events_per_conv,
619 }
620 .encode()?
621 };
622
623 Ok(LinkingTicket {
624 v: 1,
625 user_id: self.identity.user_id().clone(),
626 user_pubkey: self.identity.public_key().to_bytes().to_vec(),
627 new_device_id,
628 device_binding_sig,
629 device_group_welcome: outcome.welcome.payload,
630 catchup_snapshot,
631 })
632 }
633
634 /// Apply a received linking ticket. Joins the user's DeviceGroup; the catch-up snapshot
635 /// (if any) is decrypted by the host using the standard per-conversation channel afterwards.
636 pub async fn consume_linking_ticket(
637 self: &Arc<Self>,
638 ticket: &LinkingTicket,
639 now_ms: u64,
640 ) -> Result<()> {
641 // Verify the binding the existing device made for us. (Ed25519 public keys are 32 bytes.)
642 let pk_bytes: [u8; 32] = ticket
643 .user_pubkey
644 .as_slice()
645 .try_into()
646 .map_err(|_| Error::Identity("user_pubkey must be 32 bytes".into()))?;
647 let user_pk = ed25519_dalek::VerifyingKey::from_bytes(&pk_bytes)
648 .map_err(|e| Error::Identity(format!("bad user pubkey: {e}")))?;
649 Identity::verify_device_binding(
650 &user_pk,
651 &ticket.user_id,
652 &ticket.new_device_id.0,
653 &ticket.device_binding_sig,
654 )?;
655 if ticket.new_device_id != self.local_device.device_id {
656 return Err(Error::Invalid(
657 "ticket addressed to a different device".into(),
658 ));
659 }
660
661 let dummy_env = MessageEnvelope::new(
662 ConversationId(device_group_id_for(&ticket.user_id).0),
663 0,
664 MessageKind::Welcome,
665 self.local_device.device_id.clone(),
666 0,
667 crate::clock::Hlc::ZERO,
668 ticket.device_group_welcome.clone(),
669 );
670 self.join_conversation(&dummy_env, now_ms).await?;
671 Ok(())
672 }
673
674 /// [CR-7] Export the MLS state snapshot for one open conversation.
675 ///
676 /// Thin pass-through to [`Conversation::export_state_snapshot`]. Returned bytes
677 /// are wrapped in `Zeroizing` because they contain past epoch secrets.
678 pub fn export_conversation_state_snapshot(
679 &self,
680 conv_id: ConversationId,
681 now_ms: u64,
682 ) -> Result<zeroize::Zeroizing<Vec<u8>>> {
683 let guard = self.conversations.read();
684 let convo = guard
685 .get(&conv_id)
686 .ok_or_else(|| Error::UnknownConversation(conv_id.as_hex()))?;
687 convo.export_state_snapshot(now_ms)
688 }
689
690 /// [CR-7] Import a `GroupStateSnapshot` produced by another device's
691 /// [`Conversation::export_state_snapshot`].
692 ///
693 /// Replays the snapshot's entries into this client's OpenMLS provider, then
694 /// reconstructs the `Conversation` handle via `MlsGroup::load`. After return,
695 /// the conversation is in `list_conversations()` and `send`/`process_envelope`
696 /// work against it normally.
697 ///
698 /// **Scope.** This is for the *same-user* hand-off (linking, recovery). The
699 /// snapshot exposes the exporter's view of past epoch secrets for the target
700 /// group; only call this when the receiving device has been authenticated to
701 /// the same user identity (mnemonic, QR-handshake). Cross-user history transfer
702 /// uses HPKE-sealed AppEvent re-shares (umbrella §15.6), not this method.
703 ///
704 /// **Sanity.** Refuses snapshots whose `group_id` doesn't match the bytes the
705 /// receiver intends to claim — guards against host bugs that shuffle snapshots
706 /// between groups. Refuses mismatched OpenMLS storage versions outright; no
707 /// silent forward/back compatibility.
708 pub async fn import_state_snapshot(
709 self: &Arc<Self>,
710 snapshot_bytes: &[u8],
711 now_ms: u64,
712 ) -> Result<ConversationId> {
713 use crate::device::GroupStateSnapshot;
714 let snap = GroupStateSnapshot::decode(snapshot_bytes)
715 .map_err(|e| Error::Invalid(format!("snapshot decode: {e}")))?;
716
717 if snap.openmls_storage_version != openmls_traits::storage::CURRENT_VERSION {
718 return Err(Error::Invalid(format!(
719 "snapshot openmls_storage_version={} not supported (this SDK supports v={})",
720 snap.openmls_storage_version,
721 openmls_traits::storage::CURRENT_VERSION
722 )));
723 }
724
725 let conv_id = snap.group_id;
726
727 // Refuse if we already have an active handle for this conv — the host should
728 // close it first, otherwise import silently overwrites in-memory state and
729 // the existing handle becomes stale.
730 if self.conversations.read().contains_key(&conv_id) {
731 return Err(Error::Invalid(format!(
732 "conversation {} already open; close before importing snapshot",
733 conv_id.as_hex()
734 )));
735 }
736
737 // Replay raw KV pairs into the provider's working set.
738 let entries: Vec<(Vec<u8>, Vec<u8>)> =
739 snap.entries.into_iter().map(|e| (e.key, e.value)).collect();
740 self.crypto
741 .import_entries(entries)
742 .map_err(|e| Error::Storage(format!("import entries: {e}")))?;
743
744 // Reconstruct the Conversation handle. `Conversation::load` will return
745 // `Ok(None)` if OpenMLS still can't find the group — i.e. our snapshot was
746 // incomplete or for a different storage version.
747 let meta = ConversationMeta {
748 id: conv_id,
749 name: None,
750 epoch: 0, // will be overwritten from the loaded group state in process()
751 member_count: 0,
752 is_device_group: false, // host can flip this via meta update if needed
753 created_at_ms: now_ms,
754 };
755 let convo = Conversation::load(
756 conv_id,
757 meta,
758 SyncCursor::default(),
759 std::collections::BTreeMap::new(),
760 self.local_device.device_id.clone(),
761 self.crypto.clone(),
762 self.signing.clone(),
763 self.storage.clone(),
764 now_ms,
765 )?
766 .ok_or_else(|| {
767 Error::Invalid(
768 "snapshot imported but OpenMLS could not load the group — snapshot may be incomplete or storage version mismatched"
769 .into(),
770 )
771 })?;
772
773 // Pull the live epoch + member count from the loaded group so the meta we
774 // just stubbed is consistent with what we'll observe on subsequent process_envelope.
775 let live_epoch = convo.epoch();
776 let live_members = convo.group.members().count() as u32;
777 let mut convo = convo;
778 convo.meta.epoch = live_epoch;
779 convo.meta.member_count = live_members;
780 convo.snapshot_to_storage().await?;
781
782 self.conversations.write().insert(conv_id, convo);
783 Ok(conv_id)
784 }
785
786 /// Export a derived secret from one conversation's MLS exporter ([CR-8]).
787 ///
788 /// Thin pass-through to [`Conversation::export_secret`]. See that method's doc comment
789 /// for the contract on `label`, `context`, length validation, and zeroization. The
790 /// returned `Zeroizing<Vec<u8>>` is automatically wiped when dropped.
791 pub fn export_conversation_secret(
792 &self,
793 conv_id: ConversationId,
794 label: &str,
795 context: &[u8],
796 length: usize,
797 ) -> Result<Zeroizing<Vec<u8>>> {
798 let guard = self.conversations.read();
799 let convo = guard
800 .get(&conv_id)
801 .ok_or_else(|| Error::UnknownConversation(conv_id.as_hex()))?;
802 convo.export_secret(label, context, length)
803 }
804
805 /// Revoke a device by removing its leaf from every conversation where we know its
806 /// position ([CR-2]).
807 ///
808 /// Returns one Commit envelope per conversation the device was a leaf in. The host
809 /// broadcasts each envelope to the affected conversation; the SDK has also already
810 /// handed them to the transport via `transport.send` (idempotent broadcast is the
811 /// host's call).
812 ///
813 /// **Scope.** The SDK can only resolve leaves it recorded itself — either when it
814 /// admitted the device via [`Self::add_members`] or when this device joined as the
815 /// target via Welcome. For peer-admitted devices the leaf index isn't locally known;
816 /// those conversations are silently skipped. The host can fall back to
817 /// `remove_members(leaf_index)` directly using a transport-side directory lookup if
818 /// it needs to revoke from those conversations too. See
819 /// `docs/architecture/multi-device.md §Device removal` for the broader flow.
820 ///
821 /// Conversations with no entry for `device_id` produce no envelope; an empty `Vec`
822 /// return is a valid outcome (e.g. the device was already revoked, or was never
823 /// added by this client).
824 #[allow(clippy::await_holding_lock)] // see add_members for rationale
825 pub async fn revoke_device(
826 &self,
827 device_id: DeviceId,
828 now_ms: u64,
829 ) -> Result<Vec<MessageEnvelope>> {
830 // 1. Walk every open conversation and gather (conv_id, leaf_index) pairs where
831 // we know `device_id` controls a leaf. Done under a read lock so we don't hold
832 // the write lock across the per-conversation remove path.
833 let targets: Vec<(ConversationId, u32)> = self
834 .conversations
835 .read()
836 .iter()
837 .filter_map(|(id, c)| c.leaf_index_of(&device_id).map(|leaf| (*id, leaf)))
838 .collect();
839
840 // 2. For each target, emit a remove_members commit. We do this sequentially: each
841 // one is a separate MLS epoch advance on its own group, and they don't share
842 // state, so parallel issuance is safe but adds complexity we don't need for v1.
843 let mut envelopes = Vec::with_capacity(targets.len());
844 for (conv_id, leaf_index) in targets {
845 let envelope = {
846 let mut guard = self.conversations.write();
847 let convo = guard
848 .get_mut(&conv_id)
849 .ok_or_else(|| Error::UnknownConversation(conv_id.as_hex()))?;
850 convo.remove_members(vec![leaf_index], now_ms)?
851 };
852 self.transport.send(envelope.clone()).await?;
853 if let Some(c) = self.conversations.read().get(&conv_id) {
854 c.snapshot_to_storage().await?;
855 }
856 envelopes.push(envelope);
857 }
858
859 // 3. Notify the auth-layer server so it can invalidate the
860 // revoked device's KeyPackage pool, mark `auth.devices.revoked_at`,
861 // and refuse any future envelope signed by the revoked device's
862 // JWT. Done AFTER the MLS Commits so peers learn via MLS first
863 // (the canonical path) and the auth layer is the eventual-
864 // consistency cleanup. Transport failures bubble up so callers
865 // can retry — but the MLS-side work has already shipped, so
866 // the device is functionally revoked in every group; only the
867 // auth-layer KeyPackage purge is pending.
868 self.transport.revoke_device_remote(device_id).await?;
869 Ok(envelopes)
870 }
871}
872
873fn device_group_id_for(user_id: &UserId) -> ConversationId {
874 // Deterministic 16-byte ID derived from the user's id, prefixed so it cannot collide with
875 // a randomly-generated ULID in normal use (ULIDs start with a millisecond timestamp).
876 let mut bytes = [0u8; 16];
877 bytes[0] = 0xFF;
878 bytes[1] = 0xDC; // "DeviCe" group sentinel
879 let h = codec::sha256(&user_id.0);
880 bytes[2..].copy_from_slice(&h[..14]);
881 ConversationId(bytes)
882}
883
884fn encode_local_device(d: &LocalDevice) -> Result<Vec<u8>> {
885 use serde::Serialize;
886 #[derive(Serialize)]
887 struct Persisted<'a> {
888 device_id: &'a DeviceId,
889 label: &'a str,
890 created_at_ms: u64,
891 #[serde(with = "serde_bytes")]
892 signing_seed: &'a [u8],
893 }
894 codec::encode(&Persisted {
895 device_id: &d.device_id,
896 label: &d.label,
897 created_at_ms: d.created_at_ms,
898 signing_seed: d.signing.as_bytes(),
899 })
900}
901
902fn decode_local_device(bytes: &[u8], user_id: UserId) -> Result<LocalDevice> {
903 use serde::Deserialize;
904 #[derive(Deserialize)]
905 struct Persisted {
906 device_id: DeviceId,
907 label: String,
908 created_at_ms: u64,
909 #[serde(with = "serde_bytes")]
910 signing_seed: Vec<u8>,
911 }
912 let p: Persisted = codec::decode(bytes)?;
913 let seed: [u8; 32] = p
914 .signing_seed
915 .as_slice()
916 .try_into()
917 .map_err(|_| Error::Invalid("device signing seed must be 32 bytes".into()))?;
918 let signing = ed25519_dalek::SigningKey::from_bytes(&seed);
919 Ok(LocalDevice {
920 device_id: p.device_id,
921 user_id,
922 label: p.label,
923 signing,
924 created_at_ms: p.created_at_ms,
925 })
926}