Skip to main content

vector_core/community/
service.rs

1//! Orchestration that ties the Community send/delete primitives to persistence,
2//! with multi-account safety. This is the layer Tauri commands are thin wrappers
3//! over: it publishes a message AND retains its ephemeral key (so the sender can
4//! later delete it), and deletes by loading that retained key back.
5//!
6//! Every method is `SessionGuard`-gated: a `swap_session` can happen at any await
7//! point, and persisting an ephemeral secret (or reading one) must never cross into
8//! the wrong account's DB.
9
10use nostr_sdk::prelude::{Event, EventId, JsonUtil, Keys, Tag, ToBech32};
11
12use super::invite::CommunityInvite;
13use super::public_invite::{
14    self, build_public_invite_event, locator_hex, parse_public_invite_event, PublicInviteBundle,
15};
16use super::send::{delete_own_message, publish_signed_message};
17use super::transport::{Query, Transport};
18use super::{Channel, Community};
19use crate::state::SessionGuard;
20use crate::stored_event::event_kind;
21
22/// The active signer for authority actions (bunker support): the live client's signer — which covers a
23/// NIP-46 bunker — falling back to the local vault keys when there is no client OR the client has no
24/// signer attached (local accounts, headless/CLI paths, and tests). Every keyless control edition +
25/// moderation hide signs through this, so a bunker account can create AND administer a community. (The
26/// REKEY path is the one exception — its blob locator needs a raw ECDH the signer can't expose, so it
27/// still requires a local key; the ban/privatize flows fail-fast for bunker accounts.)
28async fn active_signer() -> Result<std::sync::Arc<dyn nostr_sdk::prelude::NostrSigner>, String> {
29    if let Some(client) = crate::state::nostr_client() {
30        if let Ok(s) = client.signer().await {
31            return Ok(s);
32        }
33    }
34    let keys = crate::state::MY_SECRET_KEY.to_keys().ok_or("no signer available (no client and no local key)")?;
35    Ok(std::sync::Arc::new(keys))
36}
37
38/// Max communities a device may hold locally. The synced Community List is a single NIP-44 event
39/// (65 KB plaintext); past the cap even the slimmed list can't encrypt, so a NEW join/create is
40/// rejected above it (the user leaves one to make room).
41pub const MAX_COMMUNITIES: usize = 50;
42
43/// Reject a NEW join/create when already at [`MAX_COMMUNITIES`] local memberships. Counts the synced
44/// Community List (the thing that overflows). Re-accepting a community already held is exempt — the
45/// caller checks membership before calling this.
46fn enforce_community_cap() -> Result<(), String> {
47    let held = super::list::load_local_list().entries.len();
48    if held >= MAX_COMMUNITIES {
49        return Err(format!(
50            "You've reached the limit of {} communities. Leave one to join another.",
51            MAX_COMMUNITIES
52        ));
53    }
54    Ok(())
55}
56
57/// Create a brand-new Community end-to-end: mint keys + the default channel, persist
58/// it locally, and publish its GroupRoot + ChannelMetadata to the Community's relays.
59/// Returns the created Community. (The caller then runs the subscription refresh so it
60/// starts receiving.)
61pub async fn create_community<T: Transport + ?Sized>(
62    transport: &T,
63    name: &str,
64    default_channel_name: &str,
65    relays: Vec<String>,
66) -> Result<Community, String> {
67    let session = SessionGuard::capture();
68    enforce_community_cap()?;
69    let mut community = Community::create(name, default_channel_name, relays);
70    // Owner attestation — MANDATORY: a community cannot exist without the root that anchors its
71    // authority graph. It binds the community id to the creator's identity, signed by the owner's identity
72    // signer. The proven owner is later DERIVED by verifying this, never an unverified claim. Sign via the
73    // local vault when present (local accounts + tests), else the
74    // active client's signer (bunker / NIP-46). No signer at all → creation fails, by design.
75    let owner_pk = crate::state::my_public_key().ok_or("cannot create a community without an identity")?;
76    let unsigned = super::owner::build_owner_attestation_unsigned(owner_pk, &community.id.to_hex());
77    // Use the local vault ONLY if it actually holds the active identity's key — else a stale/mismatched
78    // local secret would sign the attestation as the WRONG owner (or break verification). On mismatch,
79    // fall through to the client signer, which is the authority that produced `my_public_key()`.
80    let attestation = if let Some(keys) = crate::state::MY_SECRET_KEY.to_keys().filter(|k| k.public_key() == owner_pk) {
81        unsigned.sign_with_keys(&keys).map_err(|e| format!("sign owner attestation: {e}"))?
82    } else if let Some(client) = crate::state::nostr_client() {
83        let signer = client.signer().await.map_err(|e| format!("no signer for owner attestation: {e}"))?;
84        unsigned.sign(&signer).await.map_err(|e| format!("sign owner attestation: {e}"))?
85    } else {
86        return Err("cannot create a community without an identity signer (the owner attestation is mandatory)".to_string());
87    };
88    community.owner_attestation = Some(attestation.as_json());
89    // Minting + the DB write straddle the (above) signer round-trip, so re-check before persist.
90    if !session.is_valid() {
91        return Err("account changed during community creation".to_string());
92    }
93    // CREATION is the deliberate exception to publish-first: we save locally BEFORE publishing because
94    // (a) no peers exist yet, so there is no shared view to diverge from, and (b) the keys are
95    // fresh-random — losing them (e.g. by rolling back on a publish hiccup) would orphan the community
96    // irrecoverably. A failed publish leaves a local community the owner can re-publish
97    // (`republish_community_metadata`), not a cross-member divergence.
98    crate::db::community::save_community(&community)?;
99
100    // The owner signs every genesis edition with their REAL identity (keyless control plane) via the
101    // active signer — local vault OR a NIP-46 bunker.
102    let signer = active_signer().await?;
103    let cid = community.id.to_hex();
104    let created = std::time::SystemTime::now()
105        .duration_since(std::time::UNIX_EPOCH)
106        .map(|d| d.as_secs())
107        .unwrap_or(0);
108
109    // The genesis control plane: GroupRoot (vsk=0) + each channel's display metadata (vsk=2) + the
110    // auto Admin role (vsk=1), all real-npub 3308 editions signed by the owner. The Admin role is
111    // DATA, not a hardcoded flag (Mod/custom roles are additive later); the owner takes no grant (owner
112    // = implicit position 0, never a Role). Build + collect each (entity_hex, self_hash) head, publish
113    // each, and only AFTER every publish succeeds record the heads — so a mid-create publish failure
114    // never leaves heads for a partially-published genesis (which would make a later base rotation's
115    // re-anchor coverage gate trip forever on an entity the relay never received).
116    let admin = super::roles::Role::admin(crate::simd::hex::bytes_to_hex_32(&super::random_32()));
117    let root_meta = super::metadata::CommunityMetadata::of(&community);
118    let root_inner = super::roster::build_community_root_edition_unsigned(owner_pk, &community.id, &root_meta, 1, None, created, None)?
119        .sign(&signer).await.map_err(|e| format!("sign genesis group-root: {e}"))?;
120    let role_inner = super::roster::build_role_edition_unsigned(owner_pk, &admin, 1, None, created, None)?
121        .sign(&signer).await.map_err(|e| format!("sign genesis admin-role: {e}"))?;
122    // (entity_hex, self_hash, inner_id-for-display-entities). The GroupRoot + channels record their
123    // inner_id so a same-version genesis fork resolves by the deterministic tiebreak; the role doesn't
124    // converge (authority record), so it carries None.
125    let mut heads: Vec<(String, [u8; 32], Option<[u8; 32]>)> = vec![
126        (cid.clone(), super::version::edition_hash(&community.id.0, 1, None, root_inner.content.as_bytes()), Some(root_inner.id.to_bytes())),
127        (admin.role_id.clone(), super::version::edition_hash(&crate::simd::hex::hex_to_bytes_32(&admin.role_id), 1, None, role_inner.content.as_bytes()), None),
128    ];
129    let mut to_publish: Vec<Event> = vec![
130        super::roster::seal_control_edition(&Keys::generate(), &root_inner, &community.server_root_key, &community.id, community.server_root_epoch)?,
131        super::roster::seal_control_edition(&Keys::generate(), &role_inner, &community.server_root_key, &community.id, community.server_root_epoch)?,
132    ];
133    for channel in &community.channels {
134        let meta = super::metadata::ChannelMetadata { name: channel.name.clone() };
135        let inner = super::roster::build_channel_metadata_edition_unsigned(owner_pk, &channel.id, &meta, 1, None, created, None)?
136            .sign(&signer).await.map_err(|e| format!("sign genesis channel-metadata: {e}"))?;
137        heads.push((channel.id.to_hex(), super::version::edition_hash(&channel.id.0, 1, None, inner.content.as_bytes()), Some(inner.id.to_bytes())));
138        to_publish.push(super::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, community.server_root_epoch)?);
139    }
140    // Publish the genesis editions durably: each returns once a relay ACKs (the laggards thread in the
141    // background) and throws if NO relay accepts within the confirm window — so a dead relay set fails the
142    // create loudly instead of recording heads for editions that never reached the network.
143    for outer in &to_publish {
144        transport.publish_durable(outer, &community.relays).await?;
145    }
146    // Every edition reached at least one relay — now record each head + cache the Admin role (gated on the
147    // session still being ours, so a mid-publish account swap doesn't write into the wrong account).
148    if session.is_valid() {
149        for (entity_hex, hash, inner_id) in &heads {
150            let _ = match inner_id {
151                Some(id) => crate::db::community::set_edition_head_with_id(&cid, entity_hex, 1, hash, id),
152                None => crate::db::community::set_edition_head(&cid, entity_hex, 1, hash),
153            };
154        }
155        let roster = super::roles::CommunityRoles { roles: vec![admin], grants: Vec::new() };
156        let _ = crate::db::community::set_community_roles(&cid, &roster, created as i64);
157    }
158    Ok(community)
159}
160
161/// Publish a Community message and retain its ephemeral key in the account DB so the
162/// sender can delete it later. Returns the published outer event.
163pub async fn send_message<T: Transport + ?Sized>(
164    transport: &T,
165    community: &Community,
166    channel: &Channel,
167    author: &Keys,
168    content: &str,
169    ms: u64,
170) -> Result<Event, String> {
171    let session = SessionGuard::capture();
172    // Build + sign the inner explicitly so we know the message_id (the deletion key) up
173    // front, then publish via the signed path. Identical wire output to the old
174    // publish_message route.
175    let inner = super::envelope::build_inner_event(author.public_key(), &channel.id, channel.epoch, content, ms, None)
176        .sign_with_keys(author)
177        .map_err(|e| e.to_string())?;
178    let (outer, ephemeral) = publish_signed_message(transport, community, channel, &inner, false).await?;
179    // The publish straddled network I/O; bail before writing to the (possibly
180    // swapped) account DB.
181    if !session.is_valid() {
182        return Err("account changed during send; not persisting message key".to_string());
183    }
184    crate::db::community::store_message_key(&inner.id.to_hex(), &outer.id.to_hex(), &ephemeral, &community.relays)?;
185    Ok(outer)
186}
187
188/// Publish a message whose inner authorship event was signed externally (via the active
189/// signer — local OR bunker) and retain its ephemeral key. Use this from the command
190/// layer where `client.signer()` is available; it gives bunker accounts send parity with
191/// DMs. (Local-only callers/tests can use [`send_message`].)
192pub async fn send_signed_message<T: Transport + ?Sized>(
193    transport: &T,
194    community: &Community,
195    channel: &Channel,
196    inner: &Event,
197) -> Result<Event, String> {
198    let session = SessionGuard::capture();
199    let (outer, ephemeral) = publish_signed_message(transport, community, channel, inner, false).await?;
200    if !session.is_valid() {
201        return Err("account changed during send; not persisting message key".to_string());
202    }
203    crate::db::community::store_message_key(&inner.id.to_hex(), &outer.id.to_hex(), &ephemeral, &community.relays)?;
204    Ok(outer)
205}
206
207/// Announce presence (join/leave) into a channel: a kind-3306 inner signed by the active identity,
208/// published under a fresh ephemeral outer. Content is `"leave"`, plain `"join"`, or — for a join via a
209/// public invite — a small JSON `{"by":"<inviter npub>","l":"<label>"}` carrying attribution (which
210/// link/source brought this member; members-only). Client best-practice (not enforced); no deletion key
211/// retained. Callers treat failure as non-fatal. `attribution` = `Some((inviter_npub, label))` on an
212/// invite-join, else `None`.
213/// Build + sign a presence (3306) inner event WITHOUT publishing. Lets the caller record the local
214/// system event first (memory→DB, like an outgoing message) and publish in the background — the relay
215/// echo then dedups by this inner's id. `inner.id` is the system-event dedup key.
216pub async fn build_presence(
217    channel: &Channel,
218    joined: bool,
219    attribution: Option<(String, Option<String>)>,
220) -> Result<nostr_sdk::Event, String> {
221    let author_pk = crate::state::my_public_key().ok_or("not logged in")?;
222    let ms = std::time::SystemTime::now()
223        .duration_since(std::time::UNIX_EPOCH)
224        .map(|d| d.as_millis() as u64)
225        .unwrap_or(0);
226    let content = match (joined, attribution) {
227        (false, _) => "leave".to_string(),
228        (true, Some((by, label))) => serde_json::json!({ "by": by, "l": label }).to_string(),
229        (true, None) => "join".to_string(),
230    };
231    let unsigned = super::envelope::build_inner_typed(
232        author_pk, &channel.id, channel.epoch, event_kind::COMMUNITY_PRESENCE, &content, ms, None, &[],
233    );
234    let signer = active_signer().await?;
235    unsigned.sign(&signer).await.map_err(|e| format!("Failed to sign presence: {e}"))
236}
237
238/// Publish a pre-built presence inner (from [`build_presence`]) to the channel's recipient set.
239pub async fn publish_presence_event<T: Transport + ?Sized>(
240    transport: &T,
241    community: &Community,
242    channel: &Channel,
243    inner: &nostr_sdk::Event,
244) -> Result<(), String> {
245    let _ = publish_signed_message(transport, community, channel, inner, true).await?;
246    Ok(())
247}
248
249pub async fn publish_presence<T: Transport + ?Sized>(
250    transport: &T,
251    community: &Community,
252    channel: &Channel,
253    joined: bool,
254    attribution: Option<(String, Option<String>)>,
255) -> Result<(), String> {
256    let inner = build_presence(channel, joined, attribution).await?;
257    publish_presence_event(transport, community, channel, &inner).await
258}
259
260/// Publish a WebXDC realtime peer signal (3310) into a channel: an advertisement of the local
261/// Iroh node for a Mini App session (`node_addr` = Some) or a peer-left (`node_addr` = None).
262/// The Community-transport twin of the NIP-17 peer-advertisement/peer-left DM rumors — signed
263/// by the member's real identity (a member can't forge another player's presence), sealed under
264/// the channel epoch key like presence. Callers treat failure as non-fatal (a missed ad only
265/// delays discovery; the next re-advertise covers it).
266pub async fn publish_webxdc_signal<T: Transport + ?Sized>(
267    transport: &T,
268    community: &Community,
269    channel: &Channel,
270    topic_id: &str,
271    node_addr: Option<&str>,
272) -> Result<(), String> {
273    let author_pk = crate::state::my_public_key().ok_or("not logged in")?;
274    let ms = std::time::SystemTime::now()
275        .duration_since(std::time::UNIX_EPOCH)
276        .map(|d| d.as_millis() as u64)
277        .unwrap_or(0);
278    let content = match node_addr {
279        Some(addr) => serde_json::json!({ "op": "ad", "topic": topic_id, "addr": addr }).to_string(),
280        None => serde_json::json!({ "op": "left", "topic": topic_id }).to_string(),
281    };
282    let unsigned = super::envelope::build_inner_typed(
283        author_pk, &channel.id, channel.epoch, event_kind::COMMUNITY_WEBXDC, &content, ms, None, &[],
284    );
285    let signer = active_signer().await?;
286    let inner = unsigned.sign(&signer).await.map_err(|e| format!("Failed to sign webxdc signal: {e}"))?;
287    let _ = publish_signed_message(transport, community, channel, &inner, true).await?;
288    Ok(())
289}
290
291/// Publish a typing indicator (3311) into a channel: an inner "typing" event signed by the member,
292/// sealed under the channel epoch key like presence. The Community-transport twin of the NIP-17
293/// typing rumor. Ephemeral — never persisted/folded; the latency-sensitive single-attempt path
294/// (`durable = false`), and callers treat failure as non-fatal (a dropped keystroke ping is harmless;
295/// the next one ~every few seconds covers it).
296pub async fn publish_typing_signal<T: Transport + ?Sized>(
297    transport: &T,
298    community: &Community,
299    channel: &Channel,
300) -> Result<(), String> {
301    let author_pk = crate::state::my_public_key().ok_or("not logged in")?;
302    let ms = std::time::SystemTime::now()
303        .duration_since(std::time::UNIX_EPOCH)
304        .map(|d| d.as_millis() as u64)
305        .unwrap_or(0);
306    let unsigned = super::envelope::build_inner_typed(
307        author_pk, &channel.id, channel.epoch, event_kind::COMMUNITY_TYPING, "typing", ms, None, &[],
308    );
309    let signer = active_signer().await?;
310    let inner = unsigned.sign(&signer).await.map_err(|e| format!("Failed to sign typing signal: {e}"))?;
311    let _ = publish_signed_message(transport, community, channel, &inner, false).await?;
312    Ok(())
313}
314
315/// Persist an inbound WebXDC peer signal as a kind-30078 event row — the SAME shape the DM
316/// peer-advertisement handler writes (content `peer-advertisement`/`peer-left`, `reference_id`
317/// = topic, `webxdc-topic`/`webxdc-node-addr` tags) — so the miniapp layer's
318/// `get_active_peer_advertisements` (latest-per-npub, left-tombstone-aware) reads both
319/// transports identically. This is what lets a member who closed Vector mid-session rediscover
320/// the active players on reopen. Idempotent via `event_exists`.
321pub async fn persist_webxdc_signal(
322    channel_hex: &str,
323    npub: &str,
324    topic_id: &str,
325    node_addr: Option<&str>,
326    event_id: &str,
327    created_at: u64,
328) {
329    if crate::db::events::event_exists(event_id).unwrap_or(true) {
330        return;
331    }
332    // Sender-claimed timestamp: clamp into the near future so a forged far-future ad
333    // can't outrank every later genuine peer-left in the latest-per-npub read.
334    let now_secs = std::time::SystemTime::now()
335        .duration_since(std::time::UNIX_EPOCH)
336        .unwrap_or_default()
337        .as_secs();
338    let created_at = created_at.min(now_secs + 300);
339    let Ok(chat_id) = crate::db::id_cache::get_or_create_chat_id(channel_hex) else { return };
340    let mut tags = vec![
341        vec!["webxdc-topic".to_string(), topic_id.to_string()],
342        vec!["d".to_string(), "vector-webxdc-peer".to_string()],
343    ];
344    if let Some(addr) = node_addr {
345        tags.push(vec!["webxdc-node-addr".to_string(), addr.to_string()]);
346    }
347    let event = crate::stored_event::StoredEvent {
348        id: event_id.to_string(),
349        kind: crate::stored_event::event_kind::APPLICATION_SPECIFIC,
350        chat_id,
351        user_id: None,
352        content: if node_addr.is_some() { "peer-advertisement" } else { "peer-left" }.to_string(),
353        tags,
354        reference_id: Some(topic_id.to_string()),
355        created_at,
356        received_at: std::time::SystemTime::now()
357            .duration_since(std::time::UNIX_EPOCH)
358            .unwrap_or_default()
359            .as_millis() as u64,
360        mine: false,
361        pending: false,
362        failed: false,
363        wrapper_event_id: None,
364        npub: Some(npub.to_string()),
365        preview_metadata: None,
366    };
367    if let Err(e) = crate::db::events::save_event(&event).await {
368        crate::log_warn!("[community] failed to persist webxdc peer signal: {e}");
369    }
370}
371
372/// Publish a cooperative kick (3309) of `target_hex` into `channel`: a real-npub-signed inner directive
373/// (content = the target's hex pubkey) carrying the actor's `vac` authority citation. NOT a rekey and NOT
374/// folded — the kicked client self-removes on receipt (drops the community keys + wipes local chat data);
375/// peers drop the target from their observed member list. The actor must hold `KICK` and strictly outrank
376/// the target (the owner is never a valid target); this is the sender-side half of the rule peers
377/// re-verify on receipt. For a malicious target that ignores the kick, escalate to a BAN.
378/// Signs via the active client signer, so a bunker (NIP-46) identity works without exposing the secret.
379/// On removal (kick/ban), strip the target's roles so their authority doesn't dangle — a removed admin
380/// would otherwise silently regain @admin on re-add, and the roster would keep listing a non-member as an
381/// admin. Best-effort: a no-op if the target holds no role; a SKIP (logged) if the remover lacks
382/// `MANAGE_ROLES`/outrank for any held role (a future mid-tier remover) — the kick/ban still neutralizes
383/// them, and leaving the grant beats a partial strip. Publishes the full revoke (empty grant) when
384/// authorized for EVERY held role.
385async fn strip_member_roles_on_removal<T: Transport + ?Sized>(
386    transport: &T,
387    community: &Community,
388    member_hex: &str,
389) {
390    let cid = community.id.to_hex();
391    let roster = match crate::db::community::get_community_roles(&cid) {
392        Ok(r) => r,
393        Err(_) => return,
394    };
395    let held: Vec<String> = roster
396        .grants
397        .iter()
398        .find(|g| g.member == member_hex)
399        .map(|g| g.role_ids.clone())
400        .unwrap_or_default();
401    if held.is_empty() {
402        return; // plain member — no authority to strip
403    }
404    for role_id in &held {
405        if caller_can_manage_role(community, &roster, role_id, member_hex).is_err() {
406            crate::log_warn!(
407                "removal: not authorized to revoke role {role_id} of {member_hex}; leaving the grant (kick/ban still neutralizes)"
408            );
409            return;
410        }
411    }
412    if let Err(e) = set_member_grant(transport, community, member_hex, Vec::new()).await {
413        crate::log_warn!("removal: role-strip publish failed for {member_hex}: {e}");
414    }
415}
416
417pub async fn publish_kick<T: Transport + ?Sized>(
418    transport: &T,
419    community: &Community,
420    channel: &Channel,
421    target_hex: &str,
422) -> Result<String, String> {
423    let author_pk = crate::state::my_public_key().ok_or("not logged in")?;
424    let me = author_pk.to_hex();
425    let cid = community.id.to_hex();
426    // hierarchy gate: hold KICK + strictly outrank the target (owner is never a valid target). Mirror
427    // of publish_banlist's gate; peers re-verify the same rule against their floor-protected roster.
428    {
429        let owner = proven_owner_hex(community);
430        let roster = crate::db::community::get_community_roles(&cid).unwrap_or_default();
431        if !roster.can_act_on_member(&me, owner.as_deref(), target_hex, super::roles::Permissions::KICK) {
432            return Err("you can't kick a member who outranks you (or the owner)".to_string());
433        }
434    }
435    let ms = std::time::SystemTime::now()
436        .duration_since(std::time::UNIX_EPOCH)
437        .map(|d| d.as_millis() as u64)
438        .unwrap_or(0);
439    // pinned authority: a non-owner kicker cites the grant that authorizes them (owner cites nothing).
440    let citation = authority_citation(community, &me);
441    let extra: Vec<nostr_sdk::prelude::Tag> = citation.iter().map(|c| c.to_tag()).collect();
442    let unsigned = super::envelope::build_inner_full(
443        author_pk, &channel.id, channel.epoch, event_kind::COMMUNITY_KICK, target_hex, ms, None, &[], &extra,
444    );
445    let signer = active_signer().await?;
446    let inner = unsigned.sign(&signer).await.map_err(|e| format!("Failed to sign kick: {e}"))?;
447    publish_signed_message(transport, community, channel, &inner, true).await?;
448    // Removal strips authority: revoke the kicked member's roles too (best-effort) so a kicked admin
449    // doesn't rejoin (fresh invite) silently still admin, and no non-member lingers in the roster.
450    strip_member_roles_on_removal(transport, community, target_hex).await;
451    // Return the inner id so the caller can record a local "Member Left" that dedups with the relay echo.
452    Ok(inner.id.to_hex())
453}
454
455
456/// Replace the Community banlist and publish it as a real-npub-signed 3308 EDITION (vsk=4) at the
457/// community-scoped banlist locator (keyless; foldable + re-anchorable). `banned_hex`
458/// is the full new list (latest-wins). The actor's inner signature IS the authority proof; every member
459/// re-verifies it held `BAN` against the authorized roster on receipt. Publish FIRST, then
460/// persist locally on success — a failed publish must not leave us enforcing a ban no one else sees.
461pub async fn publish_banlist<T: Transport + ?Sized>(
462    transport: &T,
463    community: &Community,
464    banned_hex: &[String],
465) -> Result<(), String> {
466    let session = SessionGuard::capture();
467    let cid = community.id.to_hex();
468    // Keyless model: sign with the actor's own identity via the active signer (local vault OR a NIP-46
469    // bunker). `author` is the active pubkey; `signer` signs the unsigned edition below.
470    let signer = active_signer().await?;
471    let actor_pk = crate::state::my_public_key().ok_or("no local identity to sign the banlist edition")?;
472    // hierarchy gate: the actor must hold BAN and strictly outrank every member in the DELTA
473    // both those being ADDED (ban) and those being REMOVED (unban). Gating only additions would let a
474    // low-ranked admin undo a superior's ban or wholesale-clear the list. The owner is never a valid
475    // target. This is the sender-side half of the rule peers re-verify on receipt.
476    {
477        let me = actor_pk.to_hex();
478        let owner = proven_owner_hex(community);
479        let roster = crate::db::community::get_community_roles(&cid).unwrap_or_default();
480        let current: std::collections::HashSet<String> =
481            crate::db::community::get_community_banlist(&cid).unwrap_or_default().into_iter().collect();
482        let next: std::collections::HashSet<&str> = banned_hex.iter().map(|s| s.as_str()).collect();
483        let added = banned_hex.iter().filter(|n| !current.contains(n.as_str()));
484        let removed = current.iter().filter(|n| !next.contains(n.as_str()));
485        for target in added.chain(removed) {
486            if !roster.can_act_on_member(&me, owner.as_deref(), target, super::roles::Permissions::BAN) {
487                return Err("you can't ban or unban a member who outranks you (or the owner)".to_string());
488            }
489        }
490    }
491    // Fail-fast (bunker boundary): a newly-banned member in a PRIVATE community must be READ-CUT (a
492    // base rekey), and a rekey needs a RAW local key — its blob locator is an ECDH a NIP-46 bunker can't
493    // expose. Refuse BEFORE publishing anything, so we never half-apply (publish a ban we then can't
494    // enforce, leaving a "banned but still readable" member). Covers a pending prior cut too. A community
495    // admin who holds a local key can carry out the ban. (Public bans + unbans don't rekey → allowed.)
496    {
497        let prev: std::collections::HashSet<String> =
498            crate::db::community::get_community_banlist(&cid).unwrap_or_default().into_iter().collect();
499        let adds = banned_hex.iter().any(|n| !prev.contains(n.as_str()));
500        let cut_needed = (adds || crate::db::community::get_read_cut_pending(&cid)?) && !is_public(community)?;
501        if cut_needed && crate::state::MY_SECRET_KEY.to_keys().is_none() {
502            return Err("Banning someone from a private community cuts their read access, which needs a key rotation your account can't perform: it signs remotely (a NIP-46 bunker), and a rotation requires a local key. Ask a community admin who holds a local key to carry out the ban.".to_string());
503        }
504    }
505    // Next version in the banlist's own chain (single community-wide entity at the banlist locator).
506    let entity_id = super::derive::banlist_locator(&community.id);
507    let entity_hex = crate::simd::hex::bytes_to_hex_32(&entity_id);
508    let (version, prev_hash) = match crate::db::community::get_edition_head(&cid, &entity_hex)? {
509        Some((v, h)) => (v + 1, Some(h)),
510        None => (1, None),
511    };
512    let created_at = std::time::SystemTime::now()
513        .duration_since(std::time::UNIX_EPOCH)
514        .map(|d| d.as_secs())
515        .unwrap_or(0);
516    // pinned authority: a non-owner banner cites the grant edition that authorizes them, so peers
517    // resolve the ban against that exact grant version (not their live roster). The owner cites nothing.
518    let citation = authority_citation(community, &actor_pk.to_hex());
519    let unsigned = super::roster::build_banlist_edition_unsigned(actor_pk, &community.id, banned_hex, version, prev_hash.as_ref(), created_at, citation.as_ref())?;
520    let inner = unsigned.sign(&signer).await.map_err(|e| format!("sign banlist edition: {e}"))?;
521    let outer = super::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, community.server_root_epoch)?;
522    let self_hash = super::version::edition_hash(&entity_id, version, prev_hash.as_ref(), inner.content.as_bytes());
523
524    // Did this ban ADD anyone (vs the list we held)? Captured BEFORE the persist below so we can decide
525    // whether to cut read access. Unbans (removals) never rekey.
526    let newly_added: Vec<String> = {
527        let prev: std::collections::HashSet<String> =
528            crate::db::community::get_community_banlist(&cid).unwrap_or_default().into_iter().collect();
529        banned_hex.iter().filter(|n| !prev.contains(n.as_str())).cloned().collect()
530    };
531    let newly_banned = !newly_added.is_empty();
532
533    // Publish FIRST — advancing the head before a fallible publish would leave a phantom head (the next
534    // edition cites an unpublished predecessor → fold quarantines it forever). Re-check the session after
535    // the await: it may have straddled an account swap, and persisting then would write the wrong account.
536    transport.publish_durable(&outer, &community.relays).await?;
537    if session.is_valid() {
538        crate::db::community::set_community_banlist(&cid, banned_hex, created_at as i64)?;
539        crate::db::community::set_edition_head(&cid, &entity_hex, version, &self_hash)?;
540    }
541
542    // Removal strips authority: revoke the roles of every NEWLY-banned member so their grant doesn't dangle
543    // — a banned admin would otherwise silently regain @admin on unban, and the roster would keep listing a
544    // removed member as admin. Best-effort, and BEFORE the read-cut so its re-anchor carries the revoked
545    // (empty) grant forward.
546    if session.is_valid() {
547        for member_hex in &newly_added {
548            strip_member_roles_on_removal(transport, community, member_hex).await;
549        }
550    }
551
552    // rekey-on-removal: in a PRIVATE community, a newly-banned member must also lose READ access, so
553    // re-seal the base to the surviving observed participants (`community_member_activity` excludes the
554    // banlist, so the just-banned member is dropped). A PUBLIC community does NOT rotate the base
555    // (anti-memberlist: no recipient set to wrap to, and a banned member could re-enter via a link
556    // anyway) — there the banlist alone suppresses them, and the UI must say "blocked," not "removed."
557    // Runs after the banlist is persisted (so the observed set already excludes the banned).
558    //
559    // rekey-on-removal read-cut. Re-seal if this ban ADDED someone, OR a prior re-seal is still
560    // pending (`read_cut_pending`) — the latter decouples recovery from the add-delta (which the durable
561    // banlist persist consumes), so a re-seal that failed on a previous ban is RETRIED here even when this
562    // call adds no one. Mark pending BEFORE the attempt (durable intent) and clear ONLY on success: a
563    // failure (total relay outage / re-anchor-withhold / mid-ban swap) leaves the flag set, so the next
564    // ban OR a community sync ([`retry_pending_read_cut`]) re-attempts it — no "blocked but not read-cut"
565    // member survives a transient failure. The re-seal publish is itself durable (×30 per relay).
566    let need_cut = (newly_banned || crate::db::community::get_read_cut_pending(&cid)?)
567        && session.is_valid()
568        && !is_public(community)?;
569    if need_cut {
570        // `newly_banned` is a fresh exclusion delta → force a base epoch past the removal; otherwise this is
571        // a resume of an interrupted prior cut → keep its in-flight target.
572        run_read_cut(transport, community, newly_banned).await?;
573    }
574    Ok(())
575}
576
577/// Is the local user in this community's (folded, cached) banlist? Drives BAN self-removal: a
578/// banned member tears down locally (drop the community keys + wipe local chat data) exactly like a kick,
579/// but CANNOT rejoin — re-detecting the ban on any later sync re-removes them, and admins can't invite a
580/// banned npub. Reads the cached banlist, so refresh it via [`fetch_and_apply_banlist`] first for an
581/// authoritative (realtime or boot) check.
582pub fn am_i_banned(community: &Community) -> bool {
583    let me = match crate::state::my_public_key() {
584        Some(p) => p.to_hex(),
585        None => return false,
586    };
587    crate::db::community::get_community_banlist(&community.id.to_hex())
588        .unwrap_or_default()
589        .iter()
590        .any(|b| b == &me)
591}
592
593/// Retry an outstanding PRIVATE-community read-cut re-seal, if one is pending. Called from the sync
594/// path so a re-seal that failed during a ban (e.g. a relay outage) AUTO-RECOVERS on the owner's next
595/// community sync — no manual re-ban needed. No-op if nothing is pending. If the community has since gone
596/// PUBLIC the read-cut is moot (anti-memberlist: a Public ban doesn't rotate the base), so the stale flag
597/// is cleared. Best-effort + idempotent; the re-seal authority (BAN) is enforced by `rotate_server_root`.
598pub async fn retry_pending_read_cut<T: Transport + ?Sized>(
599    transport: &T,
600    community: &Community,
601) -> Result<(), String> {
602    let cid = community.id.to_hex();
603    if !crate::db::community::get_read_cut_pending(&cid)? {
604        return Ok(());
605    }
606    if is_public(community)? {
607        crate::db::community::set_read_cut_pending(&cid, false)?; // moot in Public mode
608        return Ok(());
609    }
610    // Reload so the re-seal rotates from the FRESHEST root/epoch — the caller's `community` struct may
611    // predate a recent rotation, and rotating from a stale root would address the rekey under the wrong
612    // prior-root pseudonym. Pure resume (`fresh = false`): keep the in-flight target so an interrupted cut
613    // finishes without forcing an extra base rotation.
614    let fresh = crate::db::community::load_community(&community.id)?.ok_or("community no longer present")?;
615    run_read_cut(transport, &fresh, false).await
616}
617
618/// Fetch the Community's control plane and apply the folded banlist locally. The banlist is a 3308
619/// edition at the community-scoped banlist locator; the folded head is applied only if its signer held
620/// `BAN` in the authorized roster (the keyless authority gate) and it is strictly newer than the
621/// banlist edition we hold (refuse-downgrade by version). No authorized edition → local unchanged.
622/// ONE REQ for the entire control plane: fetch every kind-3308 edition at the control pseudonym(s) and
623/// fold the full roster (banlist + roles + invite-links + metadata) in a single pass. The per-slice
624/// `fetch_and_apply_*` functions and `fetch_and_apply_control` share this, so a sync/join/boot folds ONCE
625/// instead of issuing four identical REQs. Fetches at the CURRENT server-root epoch (re-anchoring keeps
626/// the complete plane reachable there); `z_tags` is a Vec so the addressing can extend if ever needed.
627async fn fetch_control_folded<T: Transport + ?Sized>(
628    transport: &T,
629    community: &Community,
630) -> Result<super::roster::FoldedRoster, String> {
631    // The control plane lives at the CURRENT server-root epoch — a rotation re-anchors it there, and all
632    // live publishes (grants/banlist/metadata/invite-links) seal at the same epoch. Fetch exactly that one
633    // (NOT a 0..=epoch range — a post-rotation joiner can't derive prior-epoch pseudonyms; the re-anchor
634    // guarantees the complete current plane is reachable here).
635    let z_tags = vec![super::roster::control_pseudonym(&community.server_root_key, &community.id, community.server_root_epoch)];
636    // The fold is fail-closed on version-chain gaps; the live transport unions all relays
637    // (a single fast-but-partial relay would otherwise gap-quarantine the head and wedge
638    // this seat on a stale plane forever).
639    let query = Query { kinds: vec![event_kind::COMMUNITY_CONTROL], z_tags, ..Default::default() };
640    let raw = transport.fetch(&query, &community.relays).await?;
641    // Bound the AEAD work too (fold_roster re-caps the verify/fold): a relay
642    // flooding the coordinate must not buy unbounded decrypt attempts.
643    let inner_editions: Vec<Event> = raw
644        .iter()
645        .take(super::roster::MAX_CONTROL_EDITIONS)
646        .filter_map(|ev| super::roster::open_control_edition(ev, &community.server_root_key).ok())
647        .collect();
648    // VALID (opened) editions, NOT raw.len() — the admin-write isolation signal must mean "a relay served
649    // our actual control plane," so a relay returning only junk/unopenable events at the coordinate doesn't
650    // count as a response. (Floors still guard against stale/rollback; this just stops content-withholding
651    // from masquerading as connectivity.)
652    let fetched = inner_editions.len();
653    // Fold from the persisted per-entity floors (refuse-downgrade) so a withholding relay can't roll
654    // an entity's chain back to a since-revoked version. EPOCH-PRIMARY: seed only the floors recorded
655    // at the CURRENT epoch — a head from a PRIOR epoch belongs to a superseded founding, so that entity
656    // folds fresh from the new epoch's v1 genesis (which anchors cleanly at floor 0; not Policy-B, since a
657    // compacted genesis carries no prev_hash). Within the current epoch, refuse-downgrade + floor anchoring hold.
658    let current_epoch = community.server_root_epoch.0;
659    let floors: std::collections::HashMap<String, (u64, [u8; 32])> =
660        crate::db::community::get_all_edition_heads_epoched(&community.id.to_hex())?
661            .into_iter()
662            .filter(|(_, (epoch, _, _))| *epoch == current_epoch)
663            .map(|(entity, (_epoch, version, hash))| (entity, (version, hash)))
664            .collect();
665    let mut folded = super::roster::fold_roster(&inner_editions, &community.id, &floors);
666    folded.fetched = fetched; // openable editions the relays served (isolation signal for admin-write guards)
667    Ok(folded)
668}
669
670/// Fetch the control plane ONCE and apply every slice — banlist, roles, invite links, metadata — from a
671/// single REQ + single fold. Sync/join/boot call THIS instead of the four `fetch_and_apply_*` in sequence
672/// (which was four identical REQs). Banlist is applied first so a caller's subsequent `am_i_banned` sees the
673/// freshest list. Each slice is best-effort; one failing doesn't abort the rest. (Solo callers that need a
674/// single slice — e.g. revoke refreshing invite links — still use the individual `fetch_and_apply_*`.)
675pub async fn fetch_and_apply_control<T: Transport + ?Sized>(
676    transport: &T,
677    community: &Community,
678) -> Result<usize, String> {
679    let session = SessionGuard::capture();
680    let cid = community.id.to_hex();
681    // binary seal: once dissolved, the control fold STOPS advancing — no further editions apply (the
682    // inbound message path likewise drops everything). Cheap flag check before any fetch.
683    if crate::db::community::get_community_dissolved(&cid)? {
684        return Ok(0);
685    }
686    let folded = fetch_control_folded(transport, community).await?;
687    if !session.is_valid() {
688        return Err("account changed during control fetch".to_string());
689    }
690    // tombstone: if a GroupDissolved edition at the locator was signed by the PROVEN owner (derived
691    // via the deed at fold time, never a cached field), SEAL the community and stop. Fail-closed: an
692    // unreadable deed (no proven owner) or a non-owner signer is REJECTED — we stay in the prior state,
693    // never death-by-default. THIS fold pass IS the "one bounded final drain": the banlist/roles/
694    // metadata applied below are the last accepted control; subsequent syncs see the flag and drop.
695    // Detect an owner tombstone via EITHER the rotation-stable coordinate probe (the cross-epoch path: a
696    // post-rotation joiner only derives a later root + never fetches the publish-epoch control_pseudonym,
697    // but always derives `dissolved_pseudonym`) OR the control-plane fold (the current-epoch fast path).
698    // Owner derived from the deed at fold time; fail-closed (no proven owner / non-owner signer ⇒ rejected).
699    if let Some(owner) = proven_owner_hex(community) {
700        let by_fold = folded.dissolved_by.iter().any(|s| s.to_hex() == owner);
701        let by_probe = !by_fold && dissolved_tombstone_present(transport, community, &owner).await;
702        if by_fold || by_probe {
703            // This fold pass IS the "one bounded final drain": apply the last accepted control, then
704            // seal. Subsequent syncs short-circuit on the flag above and drop everything.
705            let _ = fetch_and_apply_banlist_inner(transport, community, Some(folded.clone())).await;
706            let _ = fetch_and_apply_roles_inner(transport, community, Some(folded.clone())).await;
707            let _ = fetch_and_apply_invite_links_inner(transport, community, Some(folded.clone())).await;
708            let _ = fetch_and_apply_metadata_inner(transport, community, Some(folded.clone())).await;
709            if session.is_valid() {
710                crate::db::community::set_community_dissolved(&cid)?;
711                // Notify the UI to re-render the dead community live (lock composer + end divider). Emitting
712                // from the single seal point covers EVERY caller — sync, boot, realtime refresh — not just the
713                // realtime path. Fires once: the short-circuit above skips it on every subsequent fetch.
714                crate::emit_event("community_refreshed", &serde_json::json!({ "community_id": cid }));
715            }
716            return Ok(folded.fetched);
717        }
718    }
719    // Openable control editions this single fetch served — the caller's "≥1 relay returned our actual plane"
720    // isolation signal (no separate probe fetch needed).
721    let fetched = folded.fetched;
722    let _ = fetch_and_apply_banlist_inner(transport, community, Some(folded.clone())).await;
723    let _ = fetch_and_apply_roles_inner(transport, community, Some(folded.clone())).await;
724    let _ = fetch_and_apply_invite_links_inner(transport, community, Some(folded.clone())).await;
725    let _ = fetch_and_apply_metadata_inner(transport, community, Some(folded)).await;
726    Ok(fetched)
727}
728
729pub async fn fetch_and_apply_banlist<T: Transport + ?Sized>(
730    transport: &T,
731    community: &Community,
732) -> Result<Vec<String>, String> {
733    fetch_and_apply_banlist_inner(transport, community, None).await
734}
735
736async fn fetch_and_apply_banlist_inner<T: Transport + ?Sized>(
737    transport: &T,
738    community: &Community,
739    prefolded: Option<super::roster::FoldedRoster>,
740) -> Result<Vec<String>, String> {
741    let session = SessionGuard::capture();
742    let cid = community.id.to_hex();
743    let folded = match prefolded {
744        Some(f) => f,
745        None => fetch_control_folded(transport, community).await?,
746    };
747    // Authority: the banlist signer must hold BAN in the AUTHORIZED roster (delegation-chain filtered),
748    // not merely be validly-signed. A demoted/never-authorized signer's banlist is dropped.
749    let owner = proven_owner_hex(community);
750    let authorized = super::roster::authorize_delegation(&folded, owner.as_deref());
751    if !session.is_valid() {
752        return Err("account changed during banlist fetch".to_string());
753    }
754    if let (Some(author), Some(head)) = (folded.banlist_author, &folded.banlist_head) {
755        // Authority is per-target, not just the BAN bit: the signer must strictly OUTRANK every member
756        // in the delta between the list we hold and the folded list (both newly-banned and newly-unbanned)
757        // — the same check the sender ran. A bit-only check would let a low-ranked BAN-holder ban or
758        // unban a peer/superior (or the owner). Owner is never a valid target (folds out of can_act_on_member).
759        let author_hex = author.to_hex();
760        let held: std::collections::HashSet<String> =
761            crate::db::community::get_community_banlist(&cid)?.into_iter().collect();
762        let next: std::collections::HashSet<&str> = folded.banned.iter().map(|s| s.as_str()).collect();
763        let added = folded.banned.iter().filter(|n| !held.contains(n.as_str()));
764        let removed = held.iter().filter(|n| !next.contains(n.as_str()));
765        // version-pinned authority: the banner's edition cites the grant that authorizes them; we
766        // apply only if we have folded that grant to AT LEAST the cited version (a complete, un-forked
767        // view — else fail closed, never act on a partial authority view). The per-target outrank below
768        // is then resolved against the CURRENT authorized roster, so a since-demoted banner is dropped
769        // there (refuse-superseded). Owner cites nothing and is supreme.
770        let citation = folded.banlist_head.as_ref().and_then(|h| h.citation.as_ref());
771        let banner_grant_hex = crate::simd::hex::bytes_to_hex_32(&super::derive::grant_locator(&community.id, &author.to_bytes()));
772        let pinned = super::roster::authority_citation_satisfied(&folded.heads, owner.as_deref(), &author_hex, &banner_grant_hex, citation);
773        let authed = pinned
774            && added.chain(removed).all(|target| {
775                authorized.can_act_on_member(&author_hex, owner.as_deref(), target, super::roles::Permissions::BAN)
776            });
777        let held_version = crate::db::community::get_edition_head(&cid, &head.entity_hex)?.map(|(v, _)| v).unwrap_or(0);
778        if authed && head.version > held_version {
779            crate::db::community::set_community_banlist(&cid, &folded.banned, head.version as i64)?;
780            crate::db::community::set_edition_head(&cid, &head.entity_hex, head.version, &head.self_hash)?;
781            return Ok(folded.banned);
782        }
783    }
784    // Nothing newer/authorized applied — report the banlist we still hold, not an empty list.
785    crate::db::community::get_community_banlist(&cid)
786}
787
788/// Set a member's complete role set (owner/admin authority) and publish their per-member
789/// Grant event (vsk=3). Empty `role_ids` revokes all of that member's roles. Persists the updated
790/// local graph BEFORE the publish await (so our own client reflects it immediately and the write
791/// lands in the captured account); the relay echo dedups.
792pub async fn set_member_grant<T: Transport + ?Sized>(
793    transport: &T,
794    community: &Community,
795    member_hex: &str,
796    role_ids: Vec<String>,
797) -> Result<(), String> {
798    let session = SessionGuard::capture();
799    // Keyless model: the grant is a real-npub-signed edition. Sign
800    // with the actor's own identity via the active signer (local vault OR a NIP-46 bunker).
801    let signer = active_signer().await?;
802    let actor_pk = crate::state::my_public_key().ok_or("no local identity to sign the grant edition")?;
803    let cid = community.id.to_hex();
804    let grant = super::roles::MemberGrant { member: member_hex.to_string(), role_ids };
805
806    // Next version in this member's grant chain. The entity coordinate is the member's grant locator,
807    // so the head tracks per-member; v+1 cites the held head's self_hash (genesis v1 if none).
808    let member_bytes = crate::simd::hex::hex_to_bytes_32(member_hex);
809    let entity_id = super::derive::grant_locator(&community.id, &member_bytes);
810    let entity_hex = crate::simd::hex::bytes_to_hex_32(&entity_id);
811    let (version, prev_hash) = match crate::db::community::get_edition_head(&cid, &entity_hex)? {
812        Some((v, h)) => (v + 1, Some(h)),
813        None => (1, None),
814    };
815    let created_at = std::time::SystemTime::now()
816        .duration_since(std::time::UNIX_EPOCH)
817        .map(|d| d.as_secs())
818        .unwrap_or(0);
819
820    // Build (real-npub signed inner) + seal under the server-root for the wire. The grant authoring
821    // gate (`caller_can_manage_role`) runs in the grant_role/revoke_role callers; this is the encoder.
822    // pinned authority: a delegated admin granting a lower member cites the grant that authorizes
823    // them, so the delegation chain is verifiable at that version. The owner cites nothing (supreme).
824    // (Owner-only granting is the MVP norm, so this is usually `None` — but emitting it now keeps the
825    // immutable wire data complete for the delegation-chain verifier, rather than baking in a gap.)
826    let citation = authority_citation(community, &actor_pk.to_hex());
827    let unsigned = super::roster::build_grant_edition_unsigned(actor_pk, &community.id, &grant, version, prev_hash.as_ref(), created_at, citation.as_ref())?;
828    let inner = unsigned.sign(&signer).await.map_err(|e| format!("sign grant edition: {e}"))?;
829    let outer = super::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, community.server_root_epoch)?;
830    // The new head's self_hash = a hash over the EXACT content bytes the inner committed to (not a
831    // re-serialization), so the stored head matches the published edition and the next edition's
832    // prev_hash cites it correctly.
833    let self_hash = super::version::edition_hash(&entity_id, version, prev_hash.as_ref(), inner.content.as_bytes());
834
835    let is_full_revoke = grant.role_ids.is_empty();
836    // Compute the advanced local state in memory (cheap; no DB write yet).
837    let mut roster = crate::db::community::get_community_roles(&cid)?;
838    roster.grants.retain(|g| g.member != member_hex);
839    if !grant.role_ids.is_empty() {
840        roster.grants.push(grant);
841    }
842
843    // Publish FIRST, then persist the advanced head + roster only on success. Advancing the head
844    // before a fallible publish would leave a phantom head: a failed publish means the next edition
845    // cites an unpublished predecessor, which every fold quarantines as a gap forever. Re-check the
846    // session after the await — it may have straddled an account swap, and persisting then would
847    // write into the wrong account (the edition published under the captured one).
848    transport.publish_durable(&outer, &community.relays).await?;
849    if session.is_valid() {
850        crate::db::community::set_community_roles(&cid, &roster, created_at as i64)?;
851        crate::db::community::set_edition_head(&cid, &entity_hex, version, &self_hash)?;
852    }
853
854    // Revoke-time re-assert (publish-time authority — "Concord Convergence"): a demotion drops the
855    // member's authority, so the author-aware fold would orphan any authority-gated entity the member
856    // currently HEADS. Re-publish those heads as the actor (the `republish_*` helpers gate on the actor's
857    // own permission), so the member's validly-published content survives for EVERY client — fresh joiners
858    // included — and a post-demotion forgery can't win. Skip-if-not-head: only entities the member actually
859    // heads are re-asserted (the common case publishes nothing). Best-effort + per-entity publish-then-
860    // persist inside the helpers (W2). MVP: full revoke only (`role_ids` empty); partial demote is a follow-on.
861    if is_full_revoke && session.is_valid() {
862        if let Ok(folded) = fetch_control_folded(transport, community).await {
863            if session.is_valid() {
864                let current = crate::db::community::load_community(&community.id)?.unwrap_or_else(|| community.clone());
865                if folded.root_author.map(|a| a.to_hex()).as_deref() == Some(member_hex) {
866                    if let Some(meta) = &folded.root_meta {
867                        let mut c = current.clone();
868                        c.name = meta.name.clone();
869                        c.description = meta.description.clone();
870                        c.icon = meta.icon.clone();
871                        c.banner = meta.banner.clone();
872                        let _ = republish_community_metadata(transport, &c).await;
873                    }
874                }
875                for cm in &folded.channel_meta {
876                    if cm.author.to_hex() == member_hex
877                        && current.channels.iter().any(|ch| ch.id.0 == cm.channel_id)
878                    {
879                        let _ = republish_channel_metadata(
880                            transport, &current, &crate::community::ChannelId(cm.channel_id), &cm.meta.name,
881                        ).await;
882                    }
883                }
884            }
885        }
886    }
887    Ok(())
888}
889
890/// True iff the local user is the PROVEN owner of this community — derived by verifying the owner
891/// attestation against `my_public_key()` (keyless: the owner is the npub that signed the attestation
892/// binding this community_id). The check honest clients use to gate
893/// owner-only actions (mint invites, set images) and to render the owner crown.
894pub fn is_proven_owner(community: &Community) -> bool {
895    match crate::state::my_public_key() {
896        Some(me) => proven_owner_hex(community).as_deref() == Some(me.to_hex().as_str()),
897        None => false,
898    }
899}
900
901/// True iff the local user may manage roles — i.e. holds the `MANAGE_ROLES` permission.
902/// Permission-based, NOT a hardcoded owner check: the owner is simply the uppermost role and holds
903/// every permission; any member granted a role carrying `MANAGE_ROLES` qualifies just the same.
904pub fn caller_can_manage_roles(community: &Community) -> bool {
905    let me = match crate::state::my_public_key() {
906        Some(p) => p,
907        None => return false,
908    };
909    let cid = community.id.to_hex();
910    let is_owner = community
911        .owner_attestation
912        .as_ref()
913        .and_then(|a| super::owner::verify_owner_attestation(a, &cid))
914        .map(|pk| pk == me)
915        .unwrap_or(false);
916    if is_owner {
917        return true; // the uppermost role holds all permissions
918    }
919    crate::db::community::get_community_roles(&cid)
920        .unwrap_or_default()
921        .has_permission(&me.to_hex(), super::roles::Permissions::MANAGE_ROLES)
922}
923
924/// Does the local user hold `permission` in this community? The generalized [`caller_can_manage_roles`]:
925/// owner = supreme (every bit), otherwise the union of their granted roles' bits (the role engine).
926/// Drives both the capability report and the producer-side authority gates — no hardcoded owner check.
927pub fn caller_has_permission(community: &Community, permission: u64) -> bool {
928    let me = match crate::state::my_public_key() {
929        Some(p) => p,
930        None => return false,
931    };
932    crate::db::community::get_community_roles(&community.id.to_hex())
933        .unwrap_or_default()
934        .is_authorized(&me.to_hex(), proven_owner_hex(community).as_deref(), permission)
935}
936
937/// Can the local caller grant/revoke `role_id` — i.e. do they hold `MANAGE_ROLES` AND outrank that role's
938/// position? The crown's gate, expressed as the POSITION rule (NOT an owner check): the owner is just
939/// position 0, so in the single-@admin-role MVP this resolves to "owner only" because the @admin role sits
940/// directly below position 0 — but it generalizes to any role hierarchy. `false` if the role is unknown.
941pub fn caller_can_manage_role_id(community: &Community, role_id: &str) -> bool {
942    let me = match crate::state::my_public_key() {
943        Some(p) => p.to_hex(),
944        None => return false,
945    };
946    let roster = crate::db::community::get_community_roles(&community.id.to_hex()).unwrap_or_default();
947    let position = match roster.role(role_id) {
948        Some(r) => r.position,
949        None => return false,
950    };
951    roster.can_manage_position(&me, proven_owner_hex(community).as_deref(), position)
952}
953
954/// The local user's effective management capabilities in a community, resolved purely by the role engine
955/// (positions + permission bits; the owner is just the role at position 0 — NOTHING is owner-hardcoded).
956/// The frontend gates each management affordance on the matching bit, so an admin whose role carries a
957/// permission gets the exact same affordance as the owner.
958#[derive(Debug, Clone, Default, serde::Serialize)]
959pub struct CommunityCapabilities {
960    pub manage_metadata: bool,
961    pub manage_channels: bool,
962    pub create_invite: bool,
963    pub kick: bool,
964    pub ban: bool,
965    pub manage_messages: bool,
966    pub manage_roles: bool,
967}
968
969pub fn caller_capabilities(community: &Community) -> CommunityCapabilities {
970    use super::roles::Permissions as P;
971    let me_hex = match crate::state::my_public_key() {
972        Some(p) => p.to_hex(),
973        None => return CommunityCapabilities::default(),
974    };
975    let owner = proven_owner_hex(community);
976    let roster = crate::db::community::get_community_roles(&community.id.to_hex()).unwrap_or_default();
977    let has = |bit: u64| roster.is_authorized(&me_hex, owner.as_deref(), bit);
978    CommunityCapabilities {
979        manage_metadata: has(P::MANAGE_METADATA),
980        manage_channels: has(P::MANAGE_CHANNELS),
981        create_invite: has(P::CREATE_INVITE),
982        kick: has(P::KICK),
983        ban: has(P::BAN),
984        manage_messages: has(P::MANAGE_MESSAGES),
985        manage_roles: has(P::MANAGE_ROLES),
986    }
987}
988
989/// The pinned authority citation the local user attaches to a control action — points at their
990/// OWN authorizing Grant edition (stable community-scoped coordinate + its current head version/hash),
991/// so every verifier resolves the action's authority against that exact point instead of their own
992/// possibly-lagging-or-ahead live roster. `None` when the local user is the proven owner (supreme —
993/// owner actions cite nothing) or has no grant head to cite (an unauthorized actor — the send-side
994/// authority gate refuses them before a citation would matter). See
995/// [`super::roster::authority_citation_satisfied`] for the verifier side.
996fn authority_citation(community: &Community, actor_hex: &str) -> Option<super::edition::AuthorityCitation> {
997    if proven_owner_hex(community).as_deref() == Some(actor_hex) {
998        return None;
999    }
1000    let cid = community.id.to_hex();
1001    let actor_bytes = crate::simd::hex::hex_to_bytes_32(actor_hex);
1002    let entity_id = super::derive::grant_locator(&community.id, &actor_bytes);
1003    let entity_hex = crate::simd::hex::bytes_to_hex_32(&entity_id);
1004    crate::db::community::get_edition_head(&cid, &entity_hex)
1005        .ok()
1006        .flatten()
1007        .map(|(version, edition_hash)| super::edition::AuthorityCitation { entity_id, version, edition_hash })
1008}
1009
1010/// The proven owner's pubkey (hex), or `None` on an unproven community (no attestation / fails to
1011/// verify). The owner is DERIVED by verifying the attestation, never a bare claim.
1012fn proven_owner_hex(community: &Community) -> Option<String> {
1013    let cid = community.id.to_hex();
1014    community
1015        .owner_attestation
1016        .as_ref()
1017        .and_then(|a| super::owner::verify_owner_attestation(a, &cid))
1018        .map(|pk| pk.to_hex())
1019}
1020
1021/// Can `actor_hex` moderation-hide a message authored by `author_hex` in this community? True iff
1022/// the actor holds MANAGE_MESSAGES and strictly outranks the author (the owner is unhideable). This
1023/// is the SINGLE source of truth for moderation authority — both the publish gate
1024/// (`publish_owner_hide`) and the UI affordance (`get_message_delete_options`) call it, so the
1025/// button shown can never disagree with what the publish will actually allow.
1026pub fn can_moderation_hide(community: &Community, actor_hex: &str, author_hex: &str) -> bool {
1027    // Normalize both identities to hex first. Callers pass a message's stored npub, which Concord
1028    // persists as BECH32 (`opened.author.to_bech32()`), whereas the owner (`proven_owner_hex`) and the
1029    // roster grants are keyed by lowercase HEX. A raw bech32 author matched NEITHER — it skipped
1030    // owner-protection (`owner_hex == target_hex` is hex≠bech32) AND missed the roster position lookup
1031    // (defaulting to u32::MAX, the lowest rank), so an admin wrongly "outranked" and could hide the
1032    // owner. The enforcing `apply_delete` path avoids this by normalizing the same way (PublicKey::parse).
1033    let to_hex = |s: &str| nostr_sdk::PublicKey::parse(s).map(|pk| pk.to_hex()).unwrap_or_else(|_| s.to_string());
1034    let actor = to_hex(actor_hex);
1035    let author = to_hex(author_hex);
1036    let owner = proven_owner_hex(community);
1037    let roster = crate::db::community::get_community_roles(&community.id.to_hex()).unwrap_or_default();
1038    roster.can_act_on_member(&actor, owner.as_deref(), &author, super::roles::Permissions::MANAGE_MESSAGES)
1039}
1040
1041/// Rekey-plane authority with §6 banlist precedence: a positive authority
1042/// lookup can never honor a banned identity. The banlist and the grant-revoke
1043/// are SEPARATE editions a withholding relay can split — without this, a
1044/// since-banned admin whose revoke is withheld still ranks for rotations,
1045/// letting them race their own removal with a re-founding. Read failure
1046/// degrades to "not banned" (the roster gate still fails closed on its own
1047/// read failure); the owner is exempt (supreme, never a valid ban target).
1048fn rotator_is_authorized(
1049    cid: &str,
1050    roster: &super::roles::CommunityRoles,
1051    owner_hex: Option<&str>,
1052    rotator_hex: &str,
1053    permission: u64,
1054) -> bool {
1055    if owner_hex != Some(rotator_hex)
1056        && crate::db::community::get_community_banlist(cid)
1057            .unwrap_or_default()
1058            .iter()
1059            .any(|b| b == rotator_hex)
1060    {
1061        return false;
1062    }
1063    roster.is_authorized(rotator_hex, owner_hex, permission)
1064}
1065
1066/// escalation defense for an authoring action — may the local caller grant/revoke `role_id` on
1067/// `member_hex`? The caller must strictly outrank BOTH the role being changed AND the target member
1068/// (so they can't grant a role at/above their own rank, nor touch a superior member). The owner is
1069/// supreme. Returns a frontend-displayable error if refused. Peers re-run the same predicate on
1070/// receipt (Phase 2) — this is the local half of the same rule.
1071fn caller_can_manage_role(
1072    community: &Community,
1073    roster: &super::roles::CommunityRoles,
1074    role_id: &str,
1075    member_hex: &str,
1076) -> Result<(), String> {
1077    let me = crate::state::my_public_key().ok_or("no active identity")?.to_hex();
1078    let owner = proven_owner_hex(community);
1079    let owner_ref = owner.as_deref();
1080    let role = roster.role(role_id).ok_or("no such role")?;
1081    if !roster.can_manage_position(&me, owner_ref, role.position) {
1082        return Err("you can only manage roles below your own".to_string());
1083    }
1084    if !roster.can_manage_member(&me, owner_ref, member_hex) {
1085        return Err("you can't manage a member who outranks you".to_string());
1086    }
1087    Ok(())
1088}
1089
1090/// Grant `member` a role (requires the `MANAGE_ROLES` permission). Publishes the per-member Grant
1091/// event. The member already holds read keys from membership; the roster entry adds write authority,
1092/// exercised by signing their own control actions, which peers verify against the roster.
1093pub async fn grant_role<T: Transport + ?Sized>(
1094    transport: &T,
1095    community: &Community,
1096    member: nostr_sdk::prelude::PublicKey,
1097    role_id: &str,
1098) -> Result<(), String> {
1099    let cid = community.id.to_hex();
1100    let member_hex = member.to_hex();
1101    let roster = crate::db::community::get_community_roles(&cid)?;
1102    caller_can_manage_role(community, &roster, role_id, &member_hex)?;
1103    // The member's new full role set = existing + this role (deduped).
1104    let mut role_ids: Vec<String> = roster
1105        .grants
1106        .iter()
1107        .find(|g| g.member == member_hex)
1108        .map(|g| g.role_ids.clone())
1109        .unwrap_or_default();
1110    if !role_ids.iter().any(|r| r == role_id) {
1111        role_ids.push(role_id.to_string());
1112    }
1113
1114    // Keyless model: granting a role delivers NO secret. Authority is the grantee's npub being in
1115    // the roster at that rank — they exercise it by signing their own actions, which peers verify
1116    // against the roster.
1117    set_member_grant(transport, community, &member_hex, role_ids).await
1118}
1119
1120/// Revoke a role from `member` (owner/admin authority) — instant *logical* (the role record is
1121/// dropped, so the grant-set check stops honoring their actions). The *physical* lockout
1122/// (channel rekey per) is a later step; this only edits the grant. In the MVP a role is permission
1123/// bits, NOT a channel read key (channels aren't role-gated), so a revoke needs NO rekey and a bunker
1124/// account can do it freely. WHEN role-gated channels ship, the rekey-on-revoke path must adopt the same
1125/// bunker fail-fast guard as `publish_banlist`/`revoke_public_invite` (a rekey needs a raw local key).
1126pub async fn revoke_role<T: Transport + ?Sized>(
1127    transport: &T,
1128    community: &Community,
1129    member: nostr_sdk::prelude::PublicKey,
1130    role_id: &str,
1131) -> Result<(), String> {
1132    let cid = community.id.to_hex();
1133    let member_hex = member.to_hex();
1134    let roster = crate::db::community::get_community_roles(&cid)?;
1135    caller_can_manage_role(community, &roster, role_id, &member_hex)?;
1136    let role_ids: Vec<String> = roster
1137        .grants
1138        .iter()
1139        .find(|g| g.member == member_hex)
1140        .map(|g| g.role_ids.iter().filter(|r| r.as_str() != role_id).cloned().collect())
1141        .unwrap_or_default();
1142    set_member_grant(transport, community, &member_hex, role_ids).await
1143}
1144
1145/// Fetch the Community's role graph (real-npub control editions, kind 3308) and fold it into the
1146/// local roster. Fetches by the **server-root pseudonym** (not by author — the outer is
1147/// ephemeral), opens each edition under the server-root key, and folds: verify authorship, bind
1148/// entity↔content, version-fold, quarantine gaps. Advances each entity's monotonic head (the
1149/// per-entity refuse-downgrade floor) and refreshes the roster cache. Returns the folded roster.
1150pub async fn fetch_and_apply_roles<T: Transport + ?Sized>(
1151    transport: &T,
1152    community: &Community,
1153) -> Result<super::roles::CommunityRoles, String> {
1154    fetch_and_apply_roles_inner(transport, community, None).await
1155}
1156
1157async fn fetch_and_apply_roles_inner<T: Transport + ?Sized>(
1158    transport: &T,
1159    community: &Community,
1160    prefolded: Option<super::roster::FoldedRoster>,
1161) -> Result<super::roles::CommunityRoles, String> {
1162    let session = SessionGuard::capture();
1163    let cid = community.id.to_hex();
1164    let folded = match prefolded {
1165        Some(f) => f,
1166        None => fetch_control_folded(transport, community).await?,
1167    };
1168
1169    if !session.is_valid() {
1170        return Err("account changed during roles fetch".to_string());
1171    }
1172    // NOTE: `folded.gapped_entities` is not consumed yet — the fold is fail-closed by construction
1173    // (gapped heads are never folded into `folded.roles`), so it's safe in the single-writer MVP. Once
1174    // multi-writer + rotation ship, this must suspend any cached entry whose entity is now gapped.
1175    // Advance each entity's head MONOTONICALLY — the per-entity rollback defense (a withholding relay
1176    // serving only old editions can't lower a head; our own publish's echo is a no-op). The roster
1177    // CACHE is a derived view refreshed from the fold; a withholding relay can transiently shrink it,
1178    // but it self-heals on the next quorum fetch and the send side reads the (monotonic) heads, not
1179    // the cache. (`roles_at` is vestigial under the per-entity model — the heads are the floor now.)
1180    for head in &folded.heads {
1181        crate::db::community::set_edition_head(&cid, &head.entity_hex, head.version, &head.self_hash)?;
1182    }
1183    // Don't let an empty/withheld fetch wipe a populated roster cache: only refresh it when the fold
1184    // actually produced editions. The heads above already advanced monotonically (the real floor);
1185    // the cache is a derived view, so on an empty fold we return what we still hold. (Full per-entity
1186    // merge so a PARTIAL fetch can't shrink the cache either is the quorum/completeness work, G1.)
1187    if folded.heads.is_empty() {
1188        return crate::db::community::get_community_roles(&cid);
1189    }
1190    // Authorize: keep only entries whose SIGNER was allowed (delegation chain to the owner).
1191    // A validly-signed+bound-but-unauthorized edition (e.g. a self-signed Admin grant) is dropped here,
1192    // never cached as authority. Owner resolved from the (verified) attestation; unproven → empty.
1193    let authorized = super::roster::authorize_delegation(&folded, proven_owner_hex(community).as_deref());
1194    crate::db::community::set_community_roles(&cid, &authorized, 0)?;
1195    Ok(authorized)
1196}
1197
1198/// Moderation-hide: publish a 3305 delete for another member's message, signed by the actor's
1199/// REAL npub (keyless). Authority is the inner signature, re-verified
1200/// by every member against the owner-rooted roster (MANAGE_MESSAGES + a strict outrank of the
1201/// target's author). Permanent (the tombstone can't be un-published).
1202pub async fn publish_owner_hide<T: Transport + ?Sized>(
1203    transport: &T,
1204    community: &Community,
1205    channel: &Channel,
1206    target_message_id: &str,
1207) -> Result<(), String> {
1208    // hierarchy gate (keyless): I must hold MANAGE_MESSAGES and strictly outrank the target
1209    // message's author — the owner, outranked by no one, can never be hidden. Resolve the author from
1210    // local state (you can only moderate a message you can see). A granted
1211    // MANAGE_MESSAGES member can moderate. Peers RE-verify this against my real-npub inner sig + roster.
1212    let signer = active_signer().await?;
1213    let me_pk = crate::state::my_public_key().ok_or("no local identity to sign the hide")?;
1214    let me = me_pk.to_hex();
1215    {
1216        let target_author = {
1217            let st = crate::state::STATE.lock().await;
1218            st.find_message(target_message_id).and_then(|(_, m)| m.npub)
1219        };
1220        let author = target_author
1221            .ok_or("can't resolve the target message's author to authorize the hide")?;
1222        if !can_moderation_hide(community, &me, &author) {
1223            return Err("you can't hide a message from a member who outranks you (or the owner)".to_string());
1224        }
1225    }
1226    let ms = std::time::SystemTime::now()
1227        .duration_since(std::time::UNIX_EPOCH)
1228        .map(|d| d.as_millis() as u64)
1229        .unwrap_or(0);
1230    // Keyless moderation-hide: a 3305 delete signed by MY REAL npub. The inner signature IS the
1231    // authority proof — every member re-verifies it against
1232    // the roster, so authority is member-visible + non-repudiable, not anonymized.
1233    // pinned authority: a non-owner hider cites the grant that authorizes them, carried as a `vac`
1234    // tag on the inner so peers resolve the hide against that grant version (the owner cites nothing).
1235    let citation = authority_citation(community, &me);
1236    let extra: Vec<Tag> = citation.iter().map(|c| c.to_tag()).collect();
1237    let inner = super::envelope::build_inner_full(
1238        me_pk, &channel.id, channel.epoch,
1239        event_kind::COMMUNITY_DELETE, "", ms, Some(target_message_id), &[], &extra,
1240    )
1241    .sign(&signer)
1242    .await
1243    .map_err(|e| format!("sign hide: {e}"))?;
1244    let _ = publish_signed_message(transport, community, channel, &inner, true).await?;
1245    Ok(())
1246}
1247
1248/// Delete a message the local user previously sent, by its INNER message id (what the UI
1249/// holds). Loads the retained ephemeral key + the outer event id it points at, then
1250/// NIP-09-deletes that outer event. Errors if no key is retained (not ours, or already
1251/// deleted).
1252pub async fn delete_message<T: Transport + ?Sized>(
1253    transport: &T,
1254    message_id: &str,
1255) -> Result<(), String> {
1256    let session = SessionGuard::capture();
1257    if !session.is_valid() {
1258        return Err("account changed; aborting delete".to_string());
1259    }
1260    // PEEK the key (don't consume it yet): the NIP-09 publish below is fallible, and the
1261    // key is single-use — consuming it before a failed publish would leave the message
1262    // permanently undeletable. Remove it only after the deletion actually goes out.
1263    let (ephemeral, outer_event_id_hex, relays) = match crate::db::community::get_message_key(message_id)? {
1264        Some(v) => v,
1265        None => {
1266            return Err("no retained key for this message (not yours, or already deleted)".to_string())
1267        }
1268    };
1269    let id = EventId::from_hex(&outer_event_id_hex).map_err(|e| e.to_string())?;
1270    delete_own_message(transport, &relays, &ephemeral, id).await?;
1271    // Published — now it's safe to consume the key.
1272    crate::db::community::delete_message_key(message_id)?;
1273    Ok(())
1274}
1275
1276/// Accept a parked invite and persist the member-view Community (the user-consented
1277/// half of the carrier — the inbound handler only *parks* invites; this is reached
1278/// from an explicit accept command). Guards against id-collision overwrites:
1279///
1280/// - if we already OWN a Community with this id, refuse (a member-view save would clobber
1281///   our owner state);
1282/// - if we already hold it as a member under a DIFFERENT server root, refuse —
1283/// `community_id` is unauthenticated random bytes, so a hostile bundle reusing
1284///   a known id must not be able to swap out our channel keys / authority / relays.
1285///
1286/// `SessionGuard`-gated: the accept may straddle a relay-fetch in the caller, and the
1287/// save must land in the account that consented.
1288pub fn accept_invite(invite: &CommunityInvite) -> Result<Community, String> {
1289    let session = SessionGuard::capture();
1290    let community = super::invite::accept_invite(invite)?; // validates caps + decodes keys
1291
1292    match crate::db::community::load_community(&community.id)? {
1293        // Already a member: a re-accept doesn't grow the list, so it's exempt from the cap.
1294        Some(existing) => {
1295            if is_proven_owner(&existing) {
1296                return Err("you already own this Community".to_string());
1297            }
1298            // A known community id arriving with a DIFFERENT base key is a different community wearing
1299            // the same id (collision / hijack) — reject rather than overwrite. The server-root key is
1300            // the community's core secret, so it's the keyless authority anchor.
1301            if existing.server_root_key.as_bytes() != community.server_root_key.as_bytes() {
1302                return Err(
1303                    "invite reuses a known Community id under a different authority — rejected"
1304                        .to_string(),
1305                );
1306            }
1307        }
1308        // New membership — reject if we're already at the local community cap.
1309        None => enforce_community_cap()?,
1310    }
1311
1312    if !session.is_valid() {
1313        return Err("account changed during invite accept".to_string());
1314    }
1315    crate::db::community::save_community(&community)?;
1316    Ok(community)
1317}
1318
1319/// Warm a community's primary-channel first page into the RAM preload cache BEFORE the user joins,
1320/// so accepting opens a populated chat instead of paying the join sync. RAM-only and side-effect-
1321/// free: builds the member view from the bundle WITHOUT persisting (nothing is stored for a
1322/// community the user may decline), fetches one page, and stashes it keyed by community id (the
1323/// fetch also warms the relay connection). Best-effort — any failure just leaves Join to sync
1324/// normally. Spawn this behind a `SessionGuard`; promotion on Join re-validates freshness.
1325pub async fn preload_community(invite: &super::invite::CommunityInvite) {
1326    let Ok(community) = super::invite::accept_invite(invite) else { return };
1327    let Some(channel) = community.channels.first() else { return };
1328    let cid = community.id.to_hex();
1329    // Mark in-flight FIRST so a Join that races the fetch adopts it instead of double-fetching.
1330    crate::community::cache::begin_preload(&cid);
1331    let transport = super::transport::LiveTransport::with_timeout(std::time::Duration::from_secs(12));
1332    // Newest page, no `since` (first warm). 50 mirrors the GUI page limit.
1333    match super::send::fetch_channel_page(&transport, &community, channel, None, None, 50).await {
1334        Ok(page) if !page.is_empty() => crate::community::cache::finish_preload(&cid, page),
1335        // Empty page or fetch error → drop the in-flight marker so an adopter falls back at once.
1336        _ => crate::community::cache::abort_preload(&cid),
1337    }
1338
1339    // Warming this invite added its (≤5, capped) relays to the pool. If it never becomes a join
1340    // within the preload window, shed them — an unsolicited or declined invite must not park relays
1341    // in the pool forever (#297). A genuine Join re-warms them via its subscription, so this is safe.
1342    let prune_relays = community.relays.clone();
1343    let prune_id = community.id;
1344    let guard = crate::state::SessionGuard::capture();
1345    tokio::spawn(async move {
1346        tokio::time::sleep(crate::community::cache::PRELOAD_TTL).await;
1347        if !guard.is_valid() {
1348            return;
1349        }
1350        // Joined within the window? Its relays are legitimate now (and its preload entry was already
1351        // taken on accept) — leave them.
1352        if matches!(crate::db::community::load_community(&prune_id), Ok(Some(_))) {
1353            return;
1354        }
1355        // Drop any lingering warm entry, then shed the relays no joined community needs.
1356        crate::community::cache::abort_preload(&prune_id.to_hex());
1357        super::transport::prune_unneeded_community_relays(&prune_relays).await;
1358    });
1359}
1360
1361/// Persist edited Community display metadata and republish the GroupRoot as a real-npub 3308 edition
1362/// (vsk=0) so other members + re-anchoring pick it up. Keyless authority: the actor must hold
1363/// `MANAGE_METADATA` (the owner holds every permission). The caller mutates `community` (name /
1364/// description / icon / banner) first; this gates, saves it, then publishes the next edition version.
1365pub async fn republish_community_metadata<T: Transport + ?Sized>(
1366    transport: &T,
1367    community: &Community,
1368) -> Result<(), String> {
1369    let session = SessionGuard::capture();
1370    let cid = community.id.to_hex();
1371    let signer = active_signer().await?;
1372    let actor_pk = crate::state::my_public_key().ok_or("no local identity to sign the metadata edition")?;
1373    let owner = proven_owner_hex(community);
1374    let roster = crate::db::community::get_community_roles(&cid).unwrap_or_default();
1375    if !roster.is_authorized(&actor_pk.to_hex(), owner.as_deref(), super::roles::Permissions::MANAGE_METADATA) {
1376        return Err("only a member with manage-metadata authority can edit the community".to_string());
1377    }
1378    // Publish-FIRST, then persist content + head on success (now that `fetch_and_apply_metadata` is a
1379    // live consumer, metadata is relay-authoritative: a failed publish must not leave us showing an edit
1380    // no member can see, and advancing the head before a fallible publish would phantom-head it — the
1381    // successor cites an unpublished predecessor → the fold quarantines the chain forever).
1382    let (version, prev_hash) = match crate::db::community::get_edition_head(&cid, &cid)? {
1383        Some((v, h)) => (v + 1, Some(h)),
1384        None => (1, None),
1385    };
1386    let created = std::time::SystemTime::now()
1387        .duration_since(std::time::UNIX_EPOCH)
1388        .map(|d| d.as_secs())
1389        .unwrap_or(0);
1390    let meta = super::metadata::CommunityMetadata::of(community);
1391    // authority citation — the actor's "role badge" (the grant they act under), emitted by EVERY other
1392    // control producer. Owner cites nothing (supreme). The metadata consumer doesn't version-pin on it (a
1393    // metadata edit is cosmetic + self-healing, unlike an access-cutting ban), but emitting it keeps the
1394    // immutable wire data complete rather than baking in a gap.
1395    let citation = authority_citation(community, &actor_pk.to_hex());
1396    let unsigned = super::roster::build_community_root_edition_unsigned(actor_pk, &community.id, &meta, version, prev_hash.as_ref(), created, citation.as_ref())?;
1397    let inner = unsigned.sign(&signer).await.map_err(|e| format!("sign community-root edition: {e}"))?;
1398    let outer = super::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, community.server_root_epoch)?;
1399    transport.publish_durable(&outer, &community.relays).await?;
1400    if session.is_valid() {
1401        crate::db::community::save_community(community)?;
1402        let h = super::version::edition_hash(&community.id.0, version, prev_hash.as_ref(), inner.content.as_bytes());
1403        // Record OUR own edition's inner_id so a peer's same-version fork can't displace it unless that
1404        // peer genuinely wins the deterministic tiebreak (lower inner id), per converge_edition_head.
1405        crate::db::community::set_edition_head_with_id(&cid, &cid, version, &h, &inner.id.to_bytes())?;
1406    }
1407    Ok(())
1408}
1409
1410/// Rename a channel and republish its ChannelMetadata as a real-npub 3308 edition (vsk=2) so
1411/// members fold it via [`fetch_and_apply_metadata`]. Keyless authority: the actor must hold
1412/// `MANAGE_CHANNELS` (channel edits are a channel-management action; the owner holds every permission).
1413/// `channel_id` must be one of `community`'s channels. Publish-FIRST then persist on success (relay-
1414/// authoritative, phantom-head-safe — same contract as the community GroupRoot).
1415pub async fn republish_channel_metadata<T: Transport + ?Sized>(
1416    transport: &T,
1417    community: &Community,
1418    channel_id: &crate::community::ChannelId,
1419    new_name: &str,
1420) -> Result<(), String> {
1421    let session = SessionGuard::capture();
1422    let cid = community.id.to_hex();
1423    let ch_hex = channel_id.to_hex();
1424    if !community.channels.iter().any(|c| &c.id == channel_id) {
1425        return Err("no such channel in this community".to_string());
1426    }
1427    let signer = active_signer().await?;
1428    let actor_pk = crate::state::my_public_key().ok_or("no local identity to sign the channel metadata edition")?;
1429    let owner = proven_owner_hex(community);
1430    let roster = crate::db::community::get_community_roles(&cid).unwrap_or_default();
1431    if !roster.is_authorized(&actor_pk.to_hex(), owner.as_deref(), super::roles::Permissions::MANAGE_CHANNELS) {
1432        return Err("only a member with manage-channels authority can rename a channel".to_string());
1433    }
1434    let (version, prev_hash) = match crate::db::community::get_edition_head(&cid, &ch_hex)? {
1435        Some((v, h)) => (v + 1, Some(h)),
1436        None => (1, None),
1437    };
1438    let created = std::time::SystemTime::now()
1439        .duration_since(std::time::UNIX_EPOCH)
1440        .map(|d| d.as_secs())
1441        .unwrap_or(0);
1442    let meta = super::metadata::ChannelMetadata { name: new_name.to_string() };
1443    // authority citation — same "role badge" the community-root + grant/ban producers emit (owner cites
1444    // nothing). Consumer doesn't version-pin metadata, but the wire data stays complete.
1445    let citation = authority_citation(community, &actor_pk.to_hex());
1446    let unsigned = super::roster::build_channel_metadata_edition_unsigned(actor_pk, channel_id, &meta, version, prev_hash.as_ref(), created, citation.as_ref())?;
1447    let inner = unsigned.sign(&signer).await.map_err(|e| format!("sign channel-metadata edition: {e}"))?;
1448    let outer = super::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, community.server_root_epoch)?;
1449    transport.publish_durable(&outer, &community.relays).await?;
1450    if session.is_valid() {
1451        let mut current = crate::db::community::load_community(&community.id)?.ok_or("community no longer present")?;
1452        if let Some(ch) = current.channels.iter_mut().find(|c| &c.id == channel_id) {
1453            ch.name = new_name.to_string();
1454        }
1455        crate::db::community::save_community(&current)?;
1456        let h = super::version::edition_hash(&channel_id.0, version, prev_hash.as_ref(), inner.content.as_bytes());
1457        crate::db::community::set_edition_head_with_id(&cid, &ch_hex, version, &h, &inner.id.to_bytes())?;
1458    }
1459    Ok(())
1460}
1461
1462// ============================================================================
1463// Public (link) invites
1464// ============================================================================
1465
1466/// Mint a public invite link for a Community the local user owns: snapshot its preview,
1467/// build + publish the token-encrypted bundle to the Community relays, retain the token
1468/// locally (for list/revoke), and return `(hex token, shareable URL)`.
1469///
1470/// Owner-only: the bundle grants the @everyone base (server-root) key, and minting the
1471/// canonical link is an owner action. `SessionGuard`-gated around the token persist.
1472/// A short, human-typable label for an unlabeled invite link. Crockford-ish base32 (no 0/1/I/O)
1473/// so it's unambiguous to read and share aloud; 6 chars ≈ 1B combinations (collision-improbable).
1474fn generate_invite_label() -> String {
1475    use rand::Rng;
1476    const ALPHABET: &[u8] = b"ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
1477    let mut rng = rand::thread_rng();
1478    (0..6).map(|_| ALPHABET[rng.gen_range(0..ALPHABET.len())] as char).collect()
1479}
1480
1481pub async fn create_public_invite<T: Transport + ?Sized>(
1482    transport: &T,
1483    community: &Community,
1484    expires_at: Option<u64>,
1485    label: Option<String>,
1486) -> Result<(String, String), String> {
1487    if !caller_has_permission(community, super::roles::Permissions::CREATE_INVITE) {
1488        return Err("you need the create-invite permission to mint a public invite".to_string());
1489    }
1490    let session = SessionGuard::capture();
1491
1492    // Every link gets a label: use the one provided, else mint a random 6-char handle. A stable label
1493    // makes the link identifiable in the UI and keys per-link join attribution off (creator, label),
1494    // so it must be unique among THIS creator's links (else two links share a join bucket).
1495    let existing = crate::db::community::list_public_invites(&community.id.to_hex()).unwrap_or_default();
1496    let label_taken = |cand: &str| {
1497        existing.iter().any(|r| r.label.as_deref().map(|e| e.eq_ignore_ascii_case(cand)).unwrap_or(false))
1498    };
1499    let label = match label {
1500        Some(l) if !l.trim().is_empty() => {
1501            let l = l.trim().to_string();
1502            if label_taken(&l) {
1503                return Err(format!("You already have an invite link labeled \u{201c}{l}\u{201d}. Pick a different label."));
1504            }
1505            Some(l)
1506        }
1507        // Random handle — regenerate on the (astronomically unlikely) collision.
1508        _ => {
1509            let mut l = generate_invite_label();
1510            while label_taken(&l) {
1511                l = generate_invite_label();
1512            }
1513            Some(l)
1514        }
1515    };
1516
1517    // Attribution (metrics): stamp the bundle with who minted it (my npub) + the creator's label, so
1518    // a joiner's Presence can announce "invited by me via <label>".
1519    let creator_npub = crate::state::my_public_key().and_then(|pk| pk.to_bech32().ok());
1520    let token = public_invite::new_token();
1521    let event = build_public_invite_event(community, &token, expires_at, creator_npub, label.clone()).map_err(|e| e.to_string())?;
1522    transport.publish_durable(&event, &community.relays).await?;
1523
1524    // Published — retain the token so the owner can list + revoke. Bail if the account
1525    // swapped across the publish await.
1526    if !session.is_valid() {
1527        return Err("account changed during public invite creation".to_string());
1528    }
1529    let token_hex = crate::simd::hex::bytes_to_hex_32(&token);
1530    let url = public_invite::encode_invite_url(&community.relays, &token);
1531    crate::db::community::save_public_invite(
1532        &token_hex,
1533        &community.id.to_hex(),
1534        &url,
1535        expires_at.map(|e| e as i64),
1536        label.as_deref(),
1537    )?;
1538    // Record the token in the self-encrypted Invite List so our other devices can see + copy + revoke this
1539    // link (the local token store is device-only). Sibling to the Community List, debounced republish.
1540    super::invite_list::add_invite(super::invite_list::InviteEntry {
1541        token: token_hex.clone(),
1542        community_id: community.id.to_hex(),
1543        url: url.clone(),
1544        label: label.clone(),
1545        created_at: std::time::SystemTime::now()
1546            .duration_since(std::time::UNIX_EPOCH)
1547            .map(|d| d.as_secs())
1548            .unwrap_or(0),
1549        expires_at,
1550    });
1551    // Publish MY updated invite-link set so every member's computed mode flips to Public — the link
1552    // now exists in the signed, foldable per-creator source of truth, not just my local token store.
1553    republish_my_invite_links(transport, community).await?;
1554    Ok((token_hex, url))
1555}
1556
1557/// Read-only freshen for an invite preview: build the bundle's ephemeral community, fold the live
1558/// control plane, and return the LATEST authorized display metadata — never the bundle's mint-time
1559/// snapshot (which goes stale the moment metadata is edited; mirrors the website preview). No DB
1560/// floors and no persistence: the previewer isn't a member, so there is no local state to anchor.
1561/// Any failure falls back to the snapshot so a flaky relay can't blank the preview.
1562pub async fn latest_invite_preview<T: Transport + ?Sized>(
1563    transport: &T,
1564    bundle: &public_invite::PublicInviteBundle,
1565) -> public_invite::PublicInvitePreview {
1566    let snapshot = bundle.preview.clone();
1567    let Ok(community) = super::invite::accept_invite(&bundle.join) else {
1568        return snapshot;
1569    };
1570    let Ok(folded) = fetch_control_folded(transport, &community).await else {
1571        return snapshot;
1572    };
1573    let owner = proven_owner_hex(&community);
1574    let authorized = super::roster::authorize_delegation(&folded, owner.as_deref());
1575    match folded.root_candidates.iter().find(|c| {
1576        authorized.is_authorized(&c.author.to_hex(), owner.as_deref(), super::roles::Permissions::MANAGE_METADATA)
1577    }) {
1578        Some(c) => public_invite::PublicInvitePreview {
1579            name: c.meta.name.clone(),
1580            description: c.meta.description.clone(),
1581            icon: c.meta.icon.clone(),
1582        },
1583        None => snapshot,
1584    }
1585}
1586
1587/// Fetch + decrypt the bundle for a public-invite token from the given bootstrap relays.
1588/// Queries the addressable coordinate (`d` = token locator, author = token signer) and
1589/// verifies the signer, so an impostor squatting the locator is rejected.
1590pub async fn fetch_public_invite<T: Transport + ?Sized>(
1591    transport: &T,
1592    relays: &[String],
1593    token: &[u8; 32],
1594) -> Result<PublicInviteBundle, String> {
1595    // Query by coordinate (kind + locator d-tag) only — do NOT rely on the relay to
1596    // honor an authors filter. A hostile relay can pile junk events at the same locator
1597    // (signed by other keys, possibly with a newer created_at to shadow the real one).
1598    let query = Query {
1599        kinds: vec![event_kind::APPLICATION_SPECIFIC],
1600        d_tags: vec![locator_hex(token)],
1601        ..Default::default()
1602    };
1603    let events = transport.fetch(&query, relays).await?;
1604    // Resolve by the NEWEST token-signed event at the coordinate (replaceable-event semantics), skipping any
1605    // impostor/junk (parse enforces author == token signer). A revocation tombstone is unforgeable, so a
1606    // `Revoked` verdict on ANY relay is authoritative — and it WINS ties with a bundle (fail-safe: a
1607    // deliberate revoke beats a same-second bundle), defeating the mixed-relay race where one relay kept the
1608    // stale live bundle. A genuinely re-created link (a bundle STRICTLY newer than the tombstone) still wins.
1609    let (mut bundle_at, mut bundle, mut revoked_at) = (0u64, None, None::<u64>);
1610    for ev in &events {
1611        match parse_public_invite_event(ev, token) {
1612            Ok(b) => if bundle.is_none() || ev.created_at.as_secs() > bundle_at {
1613                bundle_at = ev.created_at.as_secs();
1614                bundle = Some(b);
1615            },
1616            Err(super::public_invite::PublicInviteError::Revoked) => {
1617                let at = ev.created_at.as_secs();
1618                if revoked_at.map_or(true, |r| at > r) { revoked_at = Some(at); }
1619            }
1620            Err(_) => {} // impostor / junk / undecryptable — ignore
1621        }
1622    }
1623    match (bundle, revoked_at) {
1624        (Some(b), Some(r)) if bundle_at > r => Ok(b), // a re-created bundle strictly newer than the tombstone
1625        (_, Some(_)) => Err("this invite was revoked".to_string()),
1626        (Some(b), None) => Ok(b),
1627        (None, None) => Err("no public invite found at that link (revoked, never posted, or shadowed)".to_string()),
1628    }
1629}
1630
1631/// Accept a fetched public-invite bundle: reject if expired, join via the guarded
1632/// member-save (caps + id-collision checks), then patch in the preview's display
1633/// metadata (description/icon) so the new member sees them immediately.
1634pub fn accept_public_invite(bundle: &PublicInviteBundle, now_secs: u64) -> Result<Community, String> {
1635    if bundle.is_expired(now_secs) {
1636        return Err("this invite link has expired".to_string());
1637    }
1638    let mut community = accept_invite(&bundle.join)?;
1639    // accept_invite leaves display metadata None; the public bundle carries a preview,
1640    // so populate it (and re-save) for an immediately-rich member view.
1641    if bundle.preview.description.is_some() || bundle.preview.icon.is_some() {
1642        community.description = bundle.preview.description.clone();
1643        community.icon = bundle.preview.icon.clone();
1644        crate::db::community::save_community(&community)?;
1645    }
1646    Ok(community)
1647}
1648
1649/// Revoke a public invite: NIP-09-delete the bundle event (by its addressable coordinate, signed by the
1650/// token-derived key we re-derive from the retained token), forget the token locally, and republish the
1651/// invite-link registry so the mode tracks reality. **If this was the LAST link, the community goes
1652/// Private → it is re-founded (privatize): the base key is rotated to the observed-participants set,
1653/// sealing out link-joined lurkers who never spoke.** Creator-only: you can only retire YOUR OWN
1654/// links (the token is held only by its creator); the privatize rekey is `BAN`-gated + needs a local key.
1655pub async fn revoke_public_invite<T: Transport + ?Sized>(
1656    transport: &T,
1657    community: &Community,
1658    token: &[u8; 32],
1659) -> Result<(), String> {
1660    let session = SessionGuard::capture();
1661    let cid = community.id.to_hex();
1662    let token_hex = crate::simd::hex::bytes_to_hex_32(token);
1663    let now = std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0);
1664    // Idempotent no-op if we don't hold the token: either it's already retired (re-revoke) or it's not
1665    // ours — creator-only, the token is held only by its creator. Nothing to do, never a double-rotate.
1666    if !crate::db::community::list_public_invites(&cid)?.iter().any(|r| r.token == token_hex) {
1667        return Ok(());
1668    }
1669    let my_locators_before: Vec<String> = crate::db::community::list_public_invites(&cid)?
1670        .iter()
1671        .filter(|r| r.expires_at.map_or(true, |e| (e as u64) > now))
1672        .map(|r| public_invite::locator_hex(&crate::simd::hex::hex_to_bytes_32(&r.token)))
1673        .collect();
1674    // B1 fix: refresh the aggregate from relays FIRST, so the privatize decision sees OTHER creators'
1675    // live links (a stale/scroll-back-only cache would wrongly read empty and rekey a still-Public
1676    // community out from under another creator). Best-effort; on failure we fall back to the cache.
1677    let _ = fetch_and_apply_invite_links(transport, community).await;
1678    if !session.is_valid() {
1679        return Err("account changed during invite revoke".to_string());
1680    }
1681    // Will retiring this link empty the AGGREGATE (this creator's remaining ∪ every other creator's)?
1682    // Others' locators = the freshly-folded aggregate minus mine (locators are per-token-unique). Only
1683    // then does it privatize → re-found rekey. Fail-fast (bunker): the rekey needs a RAW local key
1684    // (the blob locator is an ECDH a NIP-46 bunker can't expose) — refuse BEFORE publishing so we never
1685    // half-apply (flip to Private over a live base key). A community admin with a local key privatizes.
1686    let this_locator = public_invite::locator_hex(token);
1687    let cached_aggregate: std::collections::BTreeSet<String> =
1688        crate::db::community::get_community_invite_registry(&cid)?.into_iter().collect();
1689    let my_before: std::collections::BTreeSet<String> = my_locators_before.iter().cloned().collect();
1690    let others: std::collections::BTreeSet<String> = cached_aggregate.difference(&my_before).cloned().collect();
1691    let my_after: std::collections::BTreeSet<String> =
1692        my_before.iter().filter(|l| **l != this_locator).cloned().collect();
1693    let would_empty_aggregate = others.is_empty() && my_after.is_empty();
1694    if would_empty_aggregate && crate::state::MY_SECRET_KEY.to_keys().is_none() {
1695        return Err("Revoking this last invite link makes the community private, which re-keys it so link-joined lurkers lose access. Your account signs remotely (a NIP-46 bunker) and can't perform that rotation. Ask a community admin who holds a local key to privatize the community.".to_string());
1696    }
1697    // Revoke the bundle by OVERWRITING it with an empty, token-signed revocation tombstone (vsk=9) at its
1698    // coordinate. The bundle is a replaceable event (kind 30078), and relays honor replaceable-event
1699    // REPLACEMENT near-universally — far more reliably than NIP-09 `a`-tag (coordinate) deletions, which
1700    // many relays silently ignore (live-confirmed: 2 of 3 relays kept the bundle after a coordinate delete,
1701    // but all 3 replaced it with the tombstone). So the tombstone alone reliably kills the live bundle on
1702    // every relay AND leaves an explicit marker the preview page reads as "revoked". A NIP-09 delete is not
1703    // just redundant but counterproductive: on a relay that honors it, a same-second delete can drop the
1704    // tombstone too, leaving the coordinate empty and losing the revoked marker. (Not the access cut — the
1705    // rekey below is.) Best-effort so a publish hiccup can't block the rekey; publish_durable retries.
1706    if let Ok(tombstone) = public_invite::build_public_invite_tombstone(token) {
1707        let _ = transport.publish_durable(&tombstone, &community.relays).await;
1708    }
1709    // Re-check the session straddling the publish await before any per-account DB write (B2).
1710    if !session.is_valid() {
1711        return Err("account changed during invite revoke".to_string());
1712    }
1713    crate::db::community::delete_public_invite(&token_hex)?;
1714    // Tombstone it in the self-encrypted Invite List so our other devices drop the link too (and a stale
1715    // device can't resurrect it). Terminal: a token is never re-minted.
1716    super::invite_list::revoke_invite(&token_hex, &cid);
1717    // Republish MY (reduced) link set so the mode reflects the removal, then set the recomputed aggregate.
1718    republish_my_invite_links(transport, community).await?;
1719    if session.is_valid() {
1720        let aggregate_after: Vec<String> = others.union(&my_after).cloned().collect();
1721        crate::db::community::set_community_invite_registry(&cid, &aggregate_after)?;
1722    }
1723    if would_empty_aggregate {
1724        // Aggregate empty → a genuine Public→Private transition → re-found (re-seal base to observed).
1725        // Durable (read_cut_pending): a failed privatize re-seal is resumed on the next ban or sync, like a
1726        // ban read-cut — not silently dropped, which would leave it half-private.
1727        run_read_cut(transport, community, true).await?;
1728    }
1729    Ok(())
1730}
1731
1732/// owner dissolution ("Delete Community") — publish the terminal GroupDissolved tombstone, then seal
1733/// locally. The owner's ONLY honest exit (a bare leave would orphan the chain root). Order (defense in
1734/// depth): (a) authority — the caller MUST be the proven owner (a BAN admin is NOT enough — ending the
1735/// community for everyone is the owner's call alone); (b) publish the tombstone at `dissolved_locator`
1736/// FIRST and require it to LAND (must-succeed durable publish — a failed tombstone after a link-retire is a
1737/// stuck half-state); (c) THEN best-effort retire all of the owner's OWN public invite-link editions on a
1738/// path that emits NO 3303 rekey and NO epoch bump (dissolution rotates nothing — there is no future
1739/// content to protect); (d) set the local seal. Irreversible.
1740/// Probe the ROTATION-STABLE dissolved coordinate for a tombstone signed by `owner_hex`. The
1741/// cross-epoch discovery path: it fetches `dissolved_pseudonym` (community-id-derived, epoch-free) and
1742/// opens under the community-id envelope key, so a client holding ANY epoch root finds it. Best-effort
1743/// (a relay miss ⇒ false; the next sync re-probes). The caller has already derived + verified the owner.
1744async fn dissolved_tombstone_present<T: Transport + ?Sized>(transport: &T, community: &Community, owner_hex: &str) -> bool {
1745    let z = super::derive::dissolved_pseudonym(&community.id);
1746    let q = Query { kinds: vec![event_kind::COMMUNITY_CONTROL], z_tags: vec![z], ..Default::default() };
1747    for ev in transport.fetch(&q, &community.relays).await.unwrap_or_default() {
1748        if super::roster::dissolved_tombstone_signer(&ev, &community.id).map(|s| s.to_hex()) == Some(owner_hex.to_string()) {
1749            return true;
1750        }
1751    }
1752    false
1753}
1754
1755pub async fn dissolve_community<T: Transport + ?Sized>(
1756    transport: &T,
1757    community: &Community,
1758) -> Result<(), String> {
1759    let session = SessionGuard::capture();
1760    let cid = community.id.to_hex();
1761
1762    // (a) Authority: owner-only, derived from the deed (never a cached claim). Stricter than re-founding.
1763    if !is_proven_owner(community) {
1764        return Err("only the community owner can dissolve (delete) the community".to_string());
1765    }
1766    let signer = active_signer().await?;
1767    let actor_pk = crate::state::my_public_key().ok_or("no local identity to sign the dissolution")?;
1768
1769    // (b) Tombstone FIRST, must-succeed. The marker is the whole mechanism; build it chain-free (vsk=10,
1770    // fixed v1, no prev-hash) and seal under the CURRENT server root for the wire (re-anchoring keeps the
1771    // plane reachable there). A durable publish that fails returns Err so we never half-apply.
1772    let created_at = std::time::SystemTime::now()
1773        .duration_since(std::time::UNIX_EPOCH)
1774        .map(|d| d.as_secs())
1775        .unwrap_or(0);
1776    let unsigned = super::roster::build_group_dissolved_edition_unsigned(actor_pk, &community.id, created_at);
1777    let inner = unsigned.sign(&signer).await.map_err(|e| format!("sign dissolution tombstone: {e}"))?;
1778    // Publish at the ROTATION-STABLE coordinate — the load-bearing path: a community-id-keyed
1779    // envelope at `dissolved_pseudonym`, found + openable by any client at any epoch, so a concurrent
1780    // re-founding can't strand the tombstone at an old epoch and let post-rotation joiners see a live group.
1781    let stable = super::roster::seal_dissolved_edition(&Keys::generate(), &inner, &community.id)?;
1782    transport.publish_durable(&stable, &community.relays).await?;
1783    // Also publish at the current `control_pseudonym` (a current-epoch fast path so members fold it in their
1784    // normal control fetch without the extra probe). Best-effort — the stable publish above is the guarantee.
1785    if let Ok(outer) = super::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, community.server_root_epoch) {
1786        let _ = transport.publish_durable(&outer, &community.relays).await;
1787    }
1788    if !session.is_valid() {
1789        return Err("account changed during dissolution".to_string());
1790    }
1791
1792    // (c) Best-effort retire the owner's OWN public invite-link editions WITHOUT the privatize re-founding
1793    // path: publish an empty per-creator link set (NO 3303 rekey, NO epoch bump — that rekey lives only in
1794    // `revoke_public_invite`) and tombstone+delete each owned token. A failure here is harmless (the
1795    // tombstone above already ends the community + an honest joiner refuses the stable-locator-dissolved
1796    // group). Skipped if we lack CREATE_INVITE (no links to retire).
1797    if caller_has_permission(community, super::roles::Permissions::CREATE_INVITE) {
1798        let _ = publish_my_invite_links(transport, community, &[]).await;
1799        if let Ok(records) = crate::db::community::list_public_invites(&cid) {
1800            for r in records {
1801                let token = crate::simd::hex::hex_to_bytes_32(&r.token);
1802                if let Ok(tombstone) = public_invite::build_public_invite_tombstone(&token) {
1803                    let _ = transport.publish_durable(&tombstone, &community.relays).await;
1804                }
1805                let _ = crate::db::community::delete_public_invite(&r.token);
1806            }
1807        }
1808    }
1809
1810    // (d) Seal locally — permanent. Re-check the session straddling the awaits before the per-account write.
1811    if !session.is_valid() {
1812        return Err("account changed during dissolution".to_string());
1813    }
1814    crate::db::community::set_community_dissolved(&cid)?;
1815    Ok(())
1816}
1817
1818/// Publish the LOCAL user's OWN invite-link set as a `CREATE_INVITE`-gated vsk=8 control edition at
1819/// their per-creator coordinate — one of the per-creator lists members fold into the aggregate active-set.
1820/// `my_locators` is the FULL new set of THIS creator's active link locators (hex; the token in the URL is
1821/// the secret, never listed). Publish FIRST, then advance the head + merge into the cached aggregate on
1822/// success (relay-authoritative + phantom-head rule). A creator manages only their own list — no
1823/// `MANAGE_INVITES`. Carries the actor's `vac` citation so a non-owner creator's authority is verifiable.
1824pub async fn publish_my_invite_links<T: Transport + ?Sized>(
1825    transport: &T,
1826    community: &Community,
1827    my_locators: &[String],
1828) -> Result<(), String> {
1829    let session = SessionGuard::capture();
1830    if !caller_has_permission(community, super::roles::Permissions::CREATE_INVITE) {
1831        return Err("you need the create-invite permission to publish invite links".to_string());
1832    }
1833    let cid = community.id.to_hex();
1834    let signer = active_signer().await?;
1835    let actor_pk = crate::state::my_public_key().ok_or("no local identity to sign the invite links")?;
1836    let entity_id = super::derive::invite_links_locator(&community.id, &actor_pk.to_bytes());
1837    let entity_hex = crate::simd::hex::bytes_to_hex_32(&entity_id);
1838    let (version, prev_hash) = match crate::db::community::get_edition_head(&cid, &entity_hex)? {
1839        Some((v, h)) => (v + 1, Some(h)),
1840        None => (1, None),
1841    };
1842    let created_at = std::time::SystemTime::now()
1843        .duration_since(std::time::UNIX_EPOCH)
1844        .map(|d| d.as_secs())
1845        .unwrap_or(0);
1846    // pinned authority: a non-owner creator cites the grant that authorizes them (owner cites nothing).
1847    let citation = authority_citation(community, &actor_pk.to_hex());
1848    let unsigned = super::roster::build_invite_links_edition_unsigned(actor_pk, &community.id, my_locators, version, prev_hash.as_ref(), created_at, citation.as_ref())?;
1849    let inner = unsigned.sign(&signer).await.map_err(|e| format!("sign invite-links edition: {e}"))?;
1850    let outer = super::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, community.server_root_epoch)?;
1851    let self_hash = super::version::edition_hash(&entity_id, version, prev_hash.as_ref(), inner.content.as_bytes());
1852    transport.publish_durable(&outer, &community.relays).await?;
1853    if session.is_valid() {
1854        crate::db::community::set_edition_head(&cid, &entity_hex, version, &self_hash)?;
1855        // Optimistically merge MY locators into the cached aggregate so `is_public` is right immediately;
1856        // the next `fetch_and_apply_invite_links` recomputes the authoritative union across all creators.
1857        let mut agg: std::collections::BTreeSet<String> =
1858            crate::db::community::get_community_invite_registry(&cid)?.into_iter().collect();
1859        agg.extend(my_locators.iter().cloned());
1860        crate::db::community::set_community_invite_registry(&cid, &agg.into_iter().collect::<Vec<_>>())?;
1861        crate::db::community::upsert_invite_link_set(&cid, &actor_pk.to_hex(), my_locators)?;
1862    }
1863    Ok(())
1864}
1865
1866/// Fetch the control plane and apply the folded invite-link AGGREGATE locally: UNION the locators of
1867/// every per-creator vsk=8 edition whose `creator` held `CREATE_INVITE` in the AUTHORIZED roster (the
1868/// keyless gate, same shape as the banlist's BAN check), advancing each authorized creator's head
1869/// (refuse-downgrade). The union is the source of truth for the Public/Private mode (`is_public`) + the
1870/// metrics — NOT join-gating (joining is envelope-only). Returns the aggregate set (empty = Private).
1871pub async fn fetch_and_apply_invite_links<T: Transport + ?Sized>(
1872    transport: &T,
1873    community: &Community,
1874) -> Result<Vec<String>, String> {
1875    fetch_and_apply_invite_links_inner(transport, community, None).await
1876}
1877
1878async fn fetch_and_apply_invite_links_inner<T: Transport + ?Sized>(
1879    transport: &T,
1880    community: &Community,
1881    prefolded: Option<super::roster::FoldedRoster>,
1882) -> Result<Vec<String>, String> {
1883    let session = SessionGuard::capture();
1884    let cid = community.id.to_hex();
1885    let folded = match prefolded {
1886        Some(f) => f,
1887        None => fetch_control_folded(transport, community).await?,
1888    };
1889    if !session.is_valid() {
1890        return Err("account changed during invite-links fetch".to_string());
1891    }
1892    let owner = proven_owner_hex(community);
1893    let authorized = super::roster::authorize_delegation(&folded, owner.as_deref());
1894    let mut aggregate: std::collections::BTreeSet<String> = std::collections::BTreeSet::new();
1895    // Per-creator sets (attribution) for the "X has N active invite links" UI.
1896    let mut per_creator: Vec<crate::db::community::InviteLinkSetRow> = Vec::new();
1897    for set in &folded.invite_link_sets {
1898        // authority: only a creator who held CREATE_INVITE counts. A self-minted list from an
1899        // unpermissioned member is dropped (the inner sig proves authorship, not authority).
1900        if !authorized.is_authorized(&set.creator.to_hex(), owner.as_deref(), super::roles::Permissions::CREATE_INVITE) {
1901            continue;
1902        }
1903        let held = crate::db::community::get_edition_head(&cid, &set.head.entity_hex)?.map(|(v, _)| v).unwrap_or(0);
1904        if set.head.version > held {
1905            crate::db::community::set_edition_head(&cid, &set.head.entity_hex, set.head.version, &set.head.self_hash)?;
1906        }
1907        aggregate.extend(set.locators.iter().cloned());
1908        per_creator.push(crate::db::community::InviteLinkSetRow {
1909            creator_hex: set.creator.to_hex(),
1910            locators: set.locators.clone(),
1911        });
1912    }
1913    let aggregate: Vec<String> = aggregate.into_iter().collect();
1914    crate::db::community::set_community_invite_registry(&cid, &aggregate)?;
1915    crate::db::community::replace_invite_link_sets(&cid, &per_creator)?;
1916    Ok(aggregate)
1917}
1918
1919/// Fetch the Community's control plane and apply folded METADATA edits locally: the GroupRoot
1920/// (vsk=0 — community name/description/icon/banner) and each ChannelMetadata (vsk=2 — channel name). An
1921/// edition applies only if its signer held `MANAGE_METADATA` in the AUTHORIZED roster (the keyless 
1922/// gate, same as the producer) AND is strictly newer than the head we hold (refuse-downgrade by version).
1923/// Identity/transport fields (`server_root_key`, `relays`, `owner_attestation`) are NEVER taken from a
1924/// metadata edit — a manage-metadata admin edits DISPLAY, not the community's identity. Best-effort:
1925/// returns `Ok` even when nothing applied. This is what makes an owner/admin's edit sync to every member.
1926pub async fn fetch_and_apply_metadata<T: Transport + ?Sized>(
1927    transport: &T,
1928    community: &Community,
1929) -> Result<(), String> {
1930    fetch_and_apply_metadata_inner(transport, community, None).await
1931}
1932
1933async fn fetch_and_apply_metadata_inner<T: Transport + ?Sized>(
1934    transport: &T,
1935    community: &Community,
1936    prefolded: Option<super::roster::FoldedRoster>,
1937) -> Result<(), String> {
1938    let session = SessionGuard::capture();
1939    let cid = community.id.to_hex();
1940    let folded = match prefolded {
1941        Some(f) => f,
1942        None => fetch_control_folded(transport, community).await?,
1943    };
1944    if !session.is_valid() {
1945        return Err("account changed during metadata fetch".to_string());
1946    }
1947    let owner = proven_owner_hex(community);
1948    let authorized = super::roster::authorize_delegation(&folded, owner.as_deref());
1949    // Community display = MANAGE_METADATA; channel display = MANAGE_CHANNELS (— channel edits are a
1950    // channel-management action, matching `build_channel_metadata_edition`'s contract).
1951    let manage = super::roles::Permissions::MANAGE_METADATA;
1952    let manage_channels = super::roles::Permissions::MANAGE_CHANNELS;
1953
1954    // Apply onto the freshest local state (the caller's struct may predate other syncs). `save_community`
1955    // UPSERTs the community row, so `created_at` (the kick join-anchor) and the banlist are preserved.
1956    let mut current = match crate::db::community::load_community(&community.id)? {
1957        Some(c) => c,
1958        None => return Ok(()),
1959    };
1960    let mut dirty = false;
1961    // (entity_hex, version, self_hash, inner_id, is_converge) of each edition applied — written AFTER a
1962    // successful save. `is_converge` routes a same-version fork-resolution to converge_edition_head; a
1963    // strictly-higher version is a plain advance.
1964    let mut head_updates: Vec<(String, u64, [u8; 32], [u8; 32], bool)> = Vec::new();
1965
1966    // Decide whether a folded display head should apply, and how. A strictly-higher version ADVANCES the
1967    // refuse-downgrade floor. An equal version with a DIFFERENT, lower-inner-id edition CONVERGES a
1968    // concurrent fork: two authorized editors editing from the same base both produce v+1, and every
1969    // client must adopt the same deterministic winner (lowest inner edition id). Mirrors
1970    // converge_edition_head's SQL (a NULL/None held id is "always replaceable") so we never apply a
1971    // display edit the head write would then refuse. `Some(is_converge)` → apply; `None` → keep the floor.
1972    let decide = |entity_hex: &str, head: &super::roster::EntityHead| -> Result<Option<bool>, String> {
1973        let held = crate::db::community::get_edition_head(&cid, entity_hex)?;
1974        let held_v = held.map(|(v, _)| v).unwrap_or(0);
1975        if head.version > held_v {
1976            return Ok(Some(false)); // advance
1977        }
1978        if head.version == held_v && held.map(|(_, h)| h) != Some(head.self_hash) {
1979            let held_id = crate::db::community::get_edition_head_inner_id(&cid, entity_hex)?;
1980            if held_id.is_none() || Some(head.inner_id) < held_id {
1981                return Ok(Some(true)); // converge to the lower-inner-id authorized winner
1982            }
1983        }
1984        Ok(None)
1985    };
1986
1987    // Author-aware descending scan (/ B1b): the candidates are sorted (version desc, inner-id asc), so
1988    // the first whose author CURRENTLY holds MANAGE_METADATA is both the highest-version AND (within a
1989    // version) the deterministic tiebreak winner. Skips a demoted author's editions, incl. a same-version
1990    // forgery. No authorized candidate → keep the floor.
1991    if let Some(c) = folded.root_candidates.iter()
1992        .find(|c| authorized.is_authorized(&c.author.to_hex(), owner.as_deref(), manage))
1993    {
1994        let head = &c.head;
1995        if let Some(is_converge) = decide(&head.entity_hex, head)? {
1996            let meta = &c.meta;
1997            // Apply only the editable display fields.
1998            // `meta.owner_attestation` is DELIBERATELY NOT applied: the owner is the deed, anchored from
1999            // the invite/founding. Letting an editable field redefine it = a one-edit takeover, so
2000            // ownership is NON-TRANSFERABLE for the MVP. (Transfer — and eventually owner quorums — will
2001            // be a deliberate owner-signed action, never a metadata side-effect.)
2002            // `meta.relays` is also dropped for now (silently following an embedded relay list is a
2003            // herding/partition vector). Relay migration is likewise deferred to a first-class,
2004            // permissioned, ADDITIVE (union-not-replace) action.
2005            current.name = meta.name.clone();
2006            current.description = meta.description.clone();
2007            current.icon = meta.icon.clone();
2008            current.banner = meta.banner.clone();
2009            dirty = true;
2010            head_updates.push((head.entity_hex.clone(), head.version, head.self_hash, head.inner_id, is_converge));
2011        }
2012    }
2013    // Channels mirror GroupRoot: per channel, an author-aware descending scan over its candidates (sorted
2014    // version desc, inner-id asc) → the highest whose author CURRENTLY holds MANAGE_CHANNELS, then decide()
2015    // advance/converge. A concurrent same-version rename converges to the same deterministic winner on every
2016    // client; a demoted author's edition (incl. a same-version forgery) is skipped. Candidates arrive grouped
2017    // + sorted per channel, so the first authorized per channel is the winner.
2018    let mut resolved_channels: std::collections::HashSet<[u8; 32]> = std::collections::HashSet::new();
2019    for cm in &folded.channel_candidates {
2020        if resolved_channels.contains(&cm.channel_id) {
2021            continue; // this channel already resolved (its candidates are contiguous + sorted)
2022        }
2023        if !authorized.is_authorized(&cm.author.to_hex(), owner.as_deref(), manage_channels) {
2024            continue; // skip a demoted author; keep scanning lower candidates for this channel
2025        }
2026        resolved_channels.insert(cm.channel_id);
2027        let Some(is_converge) = decide(&cm.head.entity_hex, &cm.head)? else { continue };
2028        if let Some(ch) = current.channels.iter_mut().find(|c| c.id.0 == cm.channel_id) {
2029            ch.name = cm.meta.name.clone();
2030            dirty = true;
2031            head_updates.push((cm.head.entity_hex.clone(), cm.head.version, cm.head.self_hash, cm.head.inner_id, is_converge));
2032        }
2033    }
2034
2035    if dirty && session.is_valid() {
2036        crate::db::community::save_community(&current)?;
2037        // Persist heads in the SAME save block so a subsequent re-assert/edit chains prev_hash from the
2038        // converged head, not a stale one (else the fork regenerates at the next version).
2039        for (entity_hex, version, self_hash, inner_id, is_converge) in &head_updates {
2040            if *is_converge {
2041                crate::db::community::converge_edition_head(&cid, entity_hex, *version, self_hash, inner_id)?;
2042            } else {
2043                crate::db::community::set_edition_head_with_id(&cid, entity_hex, *version, self_hash, inner_id)?;
2044            }
2045        }
2046    }
2047    Ok(())
2048}
2049
2050/// The computed Public/Private mode: a community is PUBLIC iff the folded per-creator invite-link
2051/// aggregate has ≥1 active locator, else PRIVATE. Every member computes the same value from the folded
2052/// editions, which is what lets it drive rekey-on-removal consistently (Private removals rekey the base
2053/// to the roster; Public ones don't — anti-memberlist). Reads the cached aggregate, which is only as
2054/// fresh as the last successful latest-page sync ([`fetch_and_apply_invite_links`], wired best-effort
2055/// into the sync path) — a member who only scrolled back, or whose sync failed, can hold a stale mode
2056/// (which is why `revoke_public_invite` refreshes the aggregate before deciding to privatize).
2057pub fn is_public(community: &Community) -> Result<bool, String> {
2058    Ok(!crate::db::community::get_community_invite_registry(&community.id.to_hex())?.is_empty())
2059}
2060
2061/// Recompute the LOCAL user's OWN invite-link set from their currently-retained public-invite tokens and
2062/// publish it (per-creator), so every member's computed Public/Private mode tracks reality. Returns
2063/// this creator's new active link-locator set (empty = they hold no links). Expired links are dropped —
2064/// they can't be joined, so they don't keep a community Public.
2065async fn republish_my_invite_links<T: Transport + ?Sized>(
2066    transport: &T,
2067    community: &Community,
2068) -> Result<Vec<String>, String> {
2069    let cid = community.id.to_hex();
2070    let now = std::time::SystemTime::now()
2071        .duration_since(std::time::UNIX_EPOCH)
2072        .map(|d| d.as_secs())
2073        .unwrap_or(0);
2074    let locators: Vec<String> = crate::db::community::list_public_invites(&cid)?
2075        .iter()
2076        .filter(|r| r.expires_at.map_or(true, |e| (e as u64) > now))
2077        .map(|r| public_invite::locator_hex(&crate::simd::hex::hex_to_bytes_32(&r.token)))
2078        .collect();
2079    publish_my_invite_links(transport, community, &locators).await?;
2080    Ok(locators)
2081}
2082
2083/// Fetch + INGEST the channel append-plane across ALL held epochs (messages + presence) into the local
2084/// store. The retain set for a rekey is computed from this store (`community_member_activity`), and the
2085/// no-role chatters live ONLY here — not in the control plane — so a privatize/ban must observe it first or
2086/// it would shed anyone the re-founder hasn't already synced. Best-effort per channel; uses the multi-epoch
2087/// fetch so activity under any retained epoch counts. `SessionGuard`-gated across the fetches.
2088async fn observe_channel_activity<T: Transport + ?Sized>(
2089    transport: &T,
2090    community: &Community,
2091) -> Result<(), String> {
2092    let session = SessionGuard::capture();
2093    let my_pk = crate::state::my_public_key().ok_or("no local identity to observe channel activity")?;
2094    for channel in &community.channels {
2095        let events = super::send::fetch_channel_events(transport, community, channel)
2096            .await
2097            .unwrap_or_default();
2098        if !session.is_valid() {
2099            return Err("account changed during activity observation".to_string());
2100        }
2101        let outcomes = {
2102            let mut st = crate::state::STATE.lock().await;
2103            super::inbound::process_channel_batch(&mut st, &events, channel, &my_pk)
2104        };
2105        let ch_hex = channel.id.to_hex();
2106        for o in &outcomes {
2107            match o {
2108                super::inbound::IncomingEvent::NewMessage(m)
2109                | super::inbound::IncomingEvent::Updated { message: m, .. } => {
2110                    let _ = crate::db::events::save_message(&ch_hex, m).await;
2111                }
2112                super::inbound::IncomingEvent::Presence { npub, joined, event_id, created_at, invited_by, invited_label } => {
2113                    let et = if *joined {
2114                        crate::stored_event::SystemEventType::MemberJoined
2115                    } else {
2116                        crate::stored_event::SystemEventType::MemberLeft
2117                    };
2118                    let note = invited_by.as_ref().map(|by| match invited_label {
2119                        Some(l) if !l.is_empty() => format!("{by}|{l}"),
2120                        _ => by.clone(),
2121                    });
2122                    let _ = crate::db::events::save_system_event_at(event_id, &ch_hex, et, npub, note.as_deref(), *created_at, invited_by.as_deref(), invited_label.as_deref()).await;
2123                }
2124                super::inbound::IncomingEvent::WebxdcPeer { npub, topic_id, node_addr, event_id, created_at } => {
2125                    persist_webxdc_signal(&ch_hex, npub, topic_id, node_addr.as_deref(), event_id, *created_at).await;
2126                }
2127                _ => {}
2128            }
2129        }
2130    }
2131    Ok(())
2132}
2133
2134/// FRESHEN-BEFORE-WRITE guard for an administrative write (rekey / ban / kick / grant / revoke / metadata):
2135/// hop any base rotation + fold the LATEST control plane from ALL relays + (for a rekey) ingest channel
2136/// activity, so the write acts on the freshest reachable truth — not just a stale local view. The
2137/// demonstrated bug this fixes: privatizing before observing a member's activity wrongly cut them.
2138///
2139/// BEST-EFFORT, not hard-fail: the refuse-downgrade FLOORS already prevent the write from acting on
2140/// rolled-back state (the fold can't apply below what we hold), so blocking when relays are unreachable
2141/// would only forbid legitimate admin actions during an outage (e.g. you couldn't ban anyone). The one
2142/// hard stop is REMOVAL — if an authorized base rotation has cut us, we must not be writing at all.
2143/// Returns the refreshed community.
2144pub async fn sync_before_admin_write<T: Transport + ?Sized>(
2145    transport: &T,
2146    community: &Community,
2147    observe_activity: bool,
2148) -> Result<Community, String> {
2149    // Hop any base rotation we missed; abort only if it REMOVED us (we shouldn't be writing then).
2150    if catch_up_server_root(transport, community).await?.removed {
2151        return Err("you have been removed from this community".to_string());
2152    }
2153    let community = crate::db::community::load_community(&community.id)?
2154        .ok_or("community gone during admin sync")?;
2155    let cid = community.id.to_hex();
2156    // ONE fresh control fetch+fold from all relays, applied (banlist/roles/metadata/invites) so the roster +
2157    // floors the write reads are as current as the relays can make them; its raw event count doubles as the
2158    // isolation signal (no separate probe). Floors guard against stale/rolled-back data, so we DON'T block on
2159    // "can't confirm latest" — only on true ISOLATION: if we KNOW a control plane exists (we hold edition
2160    // heads) but NO relay returned ANY control event, an admin decision made blind (and unpublishable) must
2161    // not happen. A community with no published plane (no local heads) has nothing to confirm → proceed.
2162    let responded = fetch_and_apply_control(transport, &community).await.map(|n| n > 0).unwrap_or(false);
2163    let hold_local_heads = !crate::db::community::get_all_edition_heads_epoched(&cid)?.is_empty();
2164    if hold_local_heads && !responded {
2165        return Err("can't reach any relay to confirm this community's current state — administrative actions are blocked while offline (try again when connected)".to_string());
2166    }
2167    let community = crate::db::community::load_community(&community.id)?
2168        .ok_or("community gone during admin sync")?;
2169    // For a rekey, ingest channel activity so the retain set sees no-role chatters too (they live only in
2170    // the message/presence history, not the control plane).
2171    if observe_activity {
2172        let _ = observe_channel_activity(transport, &community).await;
2173    }
2174    crate::db::community::load_community(&community.id)?.ok_or("community gone during admin sync".to_string())
2175}
2176
2177/// Drive a read-cut (re-founding) to completion, DURABLY. Sets `read_cut_pending` as the intent BEFORE
2178/// the work and clears it only on full success — so a transient failure (relay outage, power cut, mid-cut
2179/// account swap) leaves it pending, and the next ban OR a community sync ([`retry_pending_read_cut`])
2180/// resumes EXACTLY where it stopped (no double base rotation, channels picked up where they left off).
2181///
2182/// `fresh` distinguishes a NEW exclusion delta (a ban add / a privatize transition) from a pure RESUME: a
2183/// fresh delta bumps `read_cut_target_epoch` to `base + 1` so the base MUST rotate past it (excluding the
2184/// newly-removed member) and every channel is re-cut; a resume keeps the in-flight target so an interrupted
2185/// cut finishes without forcing an extra base rotation.
2186async fn run_read_cut<T: Transport + ?Sized>(
2187    transport: &T,
2188    community: &Community,
2189    fresh: bool,
2190) -> Result<(), String> {
2191    let cid = community.id.to_hex();
2192    let session = SessionGuard::capture();
2193    if fresh {
2194        // Compute the target from the FRESHEST base epoch in the DB (the passed struct may predate a recent
2195        // rotation), so a fresh exclusion always lands at an epoch strictly past the current root.
2196        let base = crate::db::community::load_community(&community.id)?
2197            .map(|c| c.server_root_epoch.0)
2198            .unwrap_or(community.server_root_epoch.0);
2199        crate::db::community::set_read_cut_target_epoch(&cid, base.saturating_add(1))?;
2200    }
2201    crate::db::community::set_read_cut_pending(&cid, true)?;
2202    reseal_base_to_observed(transport, community).await?;
2203    if session.is_valid() {
2204        crate::db::community::set_read_cut_pending(&cid, false)?;
2205    }
2206    Ok(())
2207}
2208
2209/// Re-seal the base / server-root key to the current OBSERVED-PARTICIPANTS set
2210/// (`community_member_activity` — everyone who posted, reacted, or announced a join, minus those who
2211/// left or were banned). The shared read-cut behind two actions: PRIVATIZE (revoking the last link →
2212/// re-found, sealing link-joined lurkers) and REKEY-ON-REMOVAL (a ban in a Private community →
2213/// forward-exclude the banned member, who is absent from the observed set because the banlist filters
2214/// them out). The re-keyer (here, the owner) is always included (`rotate_server_root` adds its own self).
2215/// Honest joiners are observable because they emit a `join` Presence on accept, so a removed member
2216/// is the only one shed. `rotate_server_root` re-anchors the control plane (incl. the current banlist +
2217/// the registry head) under the new epoch, so post-rotation peers read complete authority state.
2218async fn reseal_base_to_observed<T: Transport + ?Sized>(
2219    transport: &T,
2220    community: &Community,
2221) -> Result<(), String> {
2222    let session = SessionGuard::capture();
2223    let cid = community.id.to_hex();
2224    // BLOCK-UNTIL-SYNCED: fold the latest control plane + ingest channel activity from ALL relays BEFORE
2225    // computing the retain set, so it reflects current truth (roster ∪ presence ∪ activity), not a stale
2226    // local view. The demonstrated bug: privatizing before observing a member's posts cut them. Fails closed
2227    // if no relay confirms our head — better to abort the rekey than shed real members on a partial view.
2228    let community = &sync_before_admin_write(transport, community, true).await?;
2229    // `community_member_activity` returns npubs in the events table's BECH32 form (`npub1...`), so parse
2230    // with `PublicKey::parse` (bech32 OR hex) — `from_hex` would reject every one, emptying the set and
2231    // sealing the community down to the owner alone (the re-founding inverted).
2232    let participants: Vec<nostr_sdk::PublicKey> = crate::db::community::community_member_activity(&cid)?
2233        .into_iter()
2234        .filter_map(|(npub, _)| nostr_sdk::PublicKey::parse(&npub).ok())
2235        .collect();
2236    // RESUMABLE re-founding (durable across interruption — outage, power cut, mass relay failure mid-cut).
2237    // A re-founding rotates the base THEN each channel key; a naive retry would re-run BOTH from scratch
2238    // (a second base epoch + full control-plane re-anchor, and re-rotation of channels already done).
2239    //
2240    // `target` = the base epoch THIS pending cut must reach (set durably when the cut was triggered). The
2241    // base is rotated ONLY while the OBSERVABLE base epoch is below it — so a crash AFTER the base advanced
2242    // but BEFORE any flag write never double-rotates (the decision reads the real epoch, not a separate
2243    // flag that could be out of step). `rotate_server_root` reuses its archived root + recomputes the epoch
2244    // from the DB head, so even a retry of the base itself is idempotent (no same-epoch fork).
2245    let target = crate::db::community::get_read_cut_target_epoch(&cid)?;
2246    if community.server_root_epoch.0 < target {
2247        rotate_server_root(transport, community, &participants).await?;
2248        if !session.is_valid() {
2249            return Err("account changed during re-founding".to_string());
2250        }
2251    }
2252    // O2: the base rotation cuts the control plane + @everyone, but channel MESSAGES are sealed under
2253    // per-channel keys — so a removed member who held a channel key would keep reading NEW messages.
2254    // Rotate every channel key to the retained set. Reload first so we see the freshest per-channel rekey
2255    // progress + the new base epoch. (SessionGuard: a mid-rotation account swap must not reload/rotate
2256    // against the wrong account's pool.)
2257    let community = crate::db::community::load_community(&community.id)?
2258        .ok_or("community gone after base rotation")?;
2259    let cut_epoch = community.server_root_epoch.0;
2260    // / A-B2 fix: envelope + address each channel rekey under the PRIOR (pre-rotation) root, NOT the new
2261    // one — mirroring the base rekey. Concurrent re-founders each mint their OWN new root; base convergence
2262    // adopts ONE and the losers DROP theirs, so a channel rekey sealed under the new root becomes unreadable
2263    // to any loser (the live-proven channel fork). The prior root is the shared key EVERY retained member
2264    // still holds through the convergence, so all can open + apply the channel rekey and converge.
2265    let prior_root = crate::db::community::held_epoch_key(&cid, crate::community::SERVER_ROOT_SCOPE_HEX, cut_epoch.saturating_sub(1))?
2266        .unwrap_or(*community.server_root_key.as_bytes()); // epoch 0 (no prior) → current root (no fork risk)
2267    for channel in &community.channels {
2268        let ch_hex = channel.id.to_hex();
2269        // Skip channels already rotated for this read-cut — a retry resumes exactly where it stopped, so
2270        // each pass makes monotonic forward progress (no re-publishing rekeys for finished channels).
2271        if crate::db::community::channel_rekeyed_at_server_epoch(&cid, &ch_hex)? >= cut_epoch {
2272            continue;
2273        }
2274        rotate_channel(transport, &community, &channel.id, &participants, &prior_root).await?;
2275        if !session.is_valid() {
2276            return Err("account changed during re-founding".to_string());
2277        }
2278        crate::db::community::mark_channel_rekeyed_at_server_epoch(&cid, &ch_hex, cut_epoch)?;
2279    }
2280    Ok(())
2281}
2282
2283/// The result of applying a received channel Rekey (3303).
2284#[derive(Debug, PartialEq, Eq)]
2285pub enum RekeyOutcome {
2286    /// The new key was recovered + committed. `head_advanced` is true if it became the channel's
2287    /// current epoch (a catch-up of an OLDER epoch archives the key but leaves the head, so `false`).
2288    Applied { head_advanced: bool },
2289    /// No blob at my recipient locator — I'm not in this rotation's recipient set (a non-member of the
2290    /// channel, or the member this removal deliberately excluded). Expected, NOT an error.
2291    NotARecipient,
2292}
2293
2294/// Apply a received, already-opened channel Rekey ([`super::rekey::open_rekey_event`]) for `community`.
2295///
2296/// Verifies the rotator's authority (`MANAGE_CHANNELS`) against the current roster (owner supreme,
2297///), checks chain continuity against the held prior-epoch key (fork detection — when held),
2298/// finds + opens MY per-recipient blob, and commits the new key via `advance_channel_epoch` (the
2299/// atomic archive+head write). `SessionGuard`-gated: the caller's fetch can straddle an account swap,
2300/// so the DB write is re-validated immediately before it. Does NOT fetch — the catch-up fetch loop is
2301/// a later layer. (Scope-pinned + version-pinned authority — evaluating the rotator's rank at the
2302/// roster version the rekey cites, under block-until-synced — is deferred; server-root rotation has
2303/// its own apply, deferred.)
2304pub fn apply_channel_rekey(
2305    community: &Community,
2306    parsed: &super::rekey::ParsedRekey,
2307) -> Result<RekeyOutcome, String> {
2308    // Fully synchronous (no `.await`), so a session swap can't preempt between the MY_SECRET_KEY read
2309    // and the DB write — one captured guard + one re-check before the write suffices. If a remote
2310    // signer (bunker) open path ever adds an await here, MY_SECRET_KEY must be re-read after it.
2311    let session = SessionGuard::capture();
2312
2313    // Scope must be a channel of THIS community (server-root rotation is a separate, deferred path).
2314    let channel_id = match parsed.scope {
2315        super::derive::RekeyScope::Channel(c) => c,
2316        super::derive::RekeyScope::ServerRoot => {
2317            return Err("server-root rotation uses apply_server_root_rekey, not the channel path".to_string())
2318        }
2319    };
2320    if !community.channels.iter().any(|c| c.id == channel_id) {
2321        return Err("rekey targets a channel not in this community".to_string());
2322    }
2323    let cid = community.id.to_hex();
2324    let channel_hex = channel_id.to_hex();
2325
2326    // Authority: the rotator must hold MANAGE_CHANNELS per the current roster; the owner is
2327    // supreme. Reject an unauthorized rotation rather than fail open.
2328    // TODO(scope): is_authorized unions MANAGE_CHANNELS across ALL the rotator's roles regardless of
2329    // RoleScope — once channel-scoped roles become grantable, gate on the scope covering THIS channel,
2330    // else a Channel(other)-scoped grant would wrongly authorize rotating this one. MVP roles are all
2331    // Server-scoped, so the hole is currently unreachable.
2332    let owner = proven_owner_hex(community);
2333    let roster = crate::db::community::get_community_roles(&cid).unwrap_or_else(|e| {
2334        // A DB hiccup degrades (fail-closed) to owner-only authorization; surface it so the resulting
2335        // "lacks MANAGE_CHANNELS" rejection isn't mistaken for a real authority problem.
2336        crate::log_warn!("rekey apply: roster read failed ({e}); authorizing owner only");
2337        Default::default()
2338    });
2339    if !roster.is_authorized(
2340        &parsed.rotator.to_hex(),
2341        owner.as_deref(),
2342        super::roles::Permissions::MANAGE_CHANNELS,
2343    ) {
2344        return Err("rekey rotator lacks MANAGE_CHANNELS authority".to_string());
2345    }
2346
2347    // Chain continuity — relaxed for FORK-CONVERGENCE: if I hold the prior-epoch key this rekey cites
2348    // and its commitment matches, great (the normal contiguous case). If it MISMATCHES, I'm on a LOSING
2349    // FORK of the prior epoch (e.g. a concurrent re-founding I lost) while this rekey extends the WINNING
2350    // fork. It is NOT a foreign chain: the rotator is already authority-verified above (holds MANAGE_CHANNELS)
2351    // and the ECDH blob below proves it's addressed to ME. So ADOPT it — converge forward onto the authorized
2352    // chain — rather than reject and strand myself on the dead fork forever. (Authority + recipient are the
2353    // real gates; the commitment is continuity, which must yield to convergence. Replays of OLD epochs can't
2354    // reach here: the forward walk only fetches epochs past my head.) My divergent prior-epoch key stays as
2355    // local history; going forward I'm on the converged key.
2356    if let Some(prev_key) = crate::db::community::held_epoch_key(&cid, &channel_hex, parsed.prev_epoch.0)? {
2357        if super::rekey::epoch_key_commitment(parsed.prev_epoch, &prev_key) != parsed.prev_key_commitment {
2358            crate::log_warn!(
2359                "channel rekey to epoch {} cites a prior-epoch key I don't hold (I'm on a losing fork of epoch {}) — converging forward onto the authorized chain",
2360                parsed.new_epoch.0, parsed.prev_epoch.0
2361            );
2362        }
2363    }
2364
2365    // Find + open MY blob (compute my own recipient locator, no trial-decryption).
2366    let my_keys = crate::state::MY_SECRET_KEY
2367        .to_keys()
2368        .ok_or("no local identity to open the rekey blob")?;
2369    let secret = super::rekey::rekey_pairwise_secret(my_keys.secret_key(), &parsed.rotator)?;
2370    let my_locator = super::derive::recipient_pseudonym(&secret, parsed.scope, parsed.new_epoch).to_hex();
2371    let mine = match parsed.blobs.iter().find(|b| b.locator == my_locator) {
2372        Some(b) => b,
2373        None => return Ok(RekeyOutcome::NotARecipient),
2374    };
2375    let new_key =
2376        super::rekey::open_rekey_blob(my_keys.secret_key(), &parsed.rotator, parsed.scope, parsed.new_epoch, mine)?;
2377
2378    // Commit (N2 dual-write). Re-validate the session straddling the caller's fetch before writing.
2379    if !session.is_valid() {
2380        return Err("session changed during rekey apply".to_string());
2381    }
2382    let head_advanced =
2383        crate::db::community::advance_channel_epoch(&cid, &channel_hex, parsed.new_epoch.0, &new_key)?;
2384    Ok(RekeyOutcome::Applied { head_advanced })
2385}
2386
2387/// Mint the new key for a rotation, OR reuse the one a prior (failed-mid-publish) attempt already minted
2388/// and archived for this `(scope, epoch)`. Reuse is the FORK-SAFETY crux of splitting: a rotation's key
2389/// is minted ONCE and persisted to the epoch-key archive BEFORE publishing, so a retry re-publishes the
2390/// SAME key across all chunks — never a second random root for the same epoch (which would split
2391/// recipients onto incompatible keys). Returns the (zeroized) key.
2392fn mint_or_reuse_rotation_key(cid: &str, scope_id: &str, epoch: u64) -> Result<zeroize::Zeroizing<[u8; 32]>, String> {
2393    if let Some(k) = crate::db::community::held_epoch_key(cid, scope_id, epoch)? {
2394        return Ok(zeroize::Zeroizing::new(k));
2395    }
2396    let k = zeroize::Zeroizing::new(super::random_32());
2397    crate::db::community::store_epoch_key(cid, scope_id, epoch, &k)?;
2398    Ok(k)
2399}
2400
2401/// Publish a rotation's per-recipient blobs as one OR MORE 3303 events, SPLIT into chunks of
2402/// `MAX_REKEY_BLOBS` so each stays under the relay size limit (e.g. 200 recipients → a 120-blob event
2403/// + an 80-blob event). All chunks share the SAME address (the builder derives it from scope/epoch, not
2404/// the blobs) and carry the SAME new key, so a recipient finds + recovers their key from whichever chunk
2405/// holds their blob. Each chunk is published durably; FAIL-FAST if a chunk reaches no relay (the caller
2406/// leaves its head unadvanced; because the key is persisted + reused on retry, re-publishing carries the
2407/// SAME key → no same-epoch fork).
2408async fn publish_rekey_chunked<T, F>(
2409    transport: &T,
2410    relays: &[String],
2411    blobs: &[super::rekey::RekeyBlob],
2412    build: F,
2413) -> Result<(), String>
2414where
2415    T: Transport + ?Sized,
2416    F: Fn(&[super::rekey::RekeyBlob]) -> Result<Event, String>,
2417{
2418    if blobs.is_empty() {
2419        return Err("rekey has no recipients".to_string());
2420    }
2421    for chunk in blobs.chunks(super::rekey::MAX_REKEY_BLOBS) {
2422        let event = build(chunk)?;
2423        transport.publish_durable(&event, relays).await?;
2424    }
2425    Ok(())
2426}
2427
2428/// Rotate a channel's key (a channel rekey): mint a fresh-random key for `current_epoch + 1`,
2429/// deliver it to `recipients` as one self-proving 3303 event (epoch + every recipient blob + the
2430/// prior-epoch commitment + my real-npub authority sig, all in one — the design tenet), publish it,
2431/// then advance MY local epoch. Returns the new epoch.
2432///
2433/// The caller supplies the recipient set (the recipient-set policy — "everyone who stays" — is a
2434/// separate layer); I am always added (so my other devices recover the key). I must hold
2435/// `MANAGE_CHANNELS`. **Publish FIRST, advance my head only after a successful publish** — moving my
2436/// head to an epoch no peer received would strand me. (A post-publish session swap leaves peers ahead
2437/// of my local head, which self-heals: the rekey is server-root-addressed, so I re-derive my own key
2438/// on the next fetch.) `SessionGuard`-gated across the publish await.
2439pub async fn rotate_channel<T: Transport + ?Sized>(
2440    transport: &T,
2441    community: &Community,
2442    channel_id: &super::ChannelId,
2443    recipients: &[nostr_sdk::PublicKey],
2444    // the server root this rekey is ENVELOPED + ADDRESSED under. A standalone channel removal passes the
2445    // CURRENT root. A re-founding (base rotation) passes the PRIOR (pre-rotation) root — exactly like the
2446    // base rekey (`base_rekey_pseudonym(prior_root, …)`) — so every RETAINED member can still open it after
2447    // the base converges to ONE winning root (the losers dropped their own new root). Sealing under the new
2448    // root instead would strand any base-fork loser on an unreadable channel rekey.
2449    envelope_root: &[u8; 32],
2450) -> Result<u64, String> {
2451    let session = SessionGuard::capture();
2452    let cid = community.id.to_hex();
2453
2454    // Authority: I must hold MANAGE_CHANNELS (owner supreme). A rekey needs the RAW local key
2455    // (the blob locator is a ConversationKey ECDH, which NIP-46 can't expose) — so a bunker account can
2456    // administer via editions but not rekey. Fails clearly here rather than silently.
2457    let my_keys = crate::state::MY_SECRET_KEY.to_keys().ok_or("a key rotation requires a local key (bunker/NIP-46 accounts can't rekey)")?;
2458    let owner = proven_owner_hex(community);
2459    let roster = crate::db::community::get_community_roles(&cid).unwrap_or_default();
2460    if !roster.is_authorized(&my_keys.public_key().to_hex(), owner.as_deref(), super::roles::Permissions::MANAGE_CHANNELS) {
2461        return Err("not authorized to rotate this channel (no MANAGE_CHANNELS)".to_string());
2462    }
2463
2464    // Current epoch + key (the chain link we extend). `channel.key` is the head key, kept in lockstep
2465    // with the archived prev_epoch key by `advance_channel_epoch`, so the commitment computed here
2466    // matches what the apply side verifies against `held_epoch_key(prev_epoch)`.
2467    let channel = community
2468        .channels
2469        .iter()
2470        .find(|c| &c.id == channel_id)
2471        .ok_or("channel not found in community")?;
2472    let prev_epoch = channel.epoch;
2473    let new_epoch = super::Epoch(prev_epoch.0.checked_add(1).ok_or("channel epoch overflow")?);
2474    let prev_commit = super::rekey::epoch_key_commitment(prev_epoch, channel.key.as_bytes());
2475    // The fresh channel key — minted ONCE + archived, reused on a retry (fork-safety, see
2476    // `mint_or_reuse_rotation_key`). Zeroized on drop.
2477    let new_key = mint_or_reuse_rotation_key(&cid, &channel_id.to_hex(), new_epoch.0)?;
2478
2479    // Recipient set = the supplied stayers ∪ me (deduped), each wrapped a per-recipient blob. Published
2480    // SPLIT across ≤MAX_REKEY_BLOBS-blob events so a large channel rotates in multiple 64KB-safe
2481    // events at one address; a recipient recovers from whichever chunk holds their blob.
2482    let mut seen = std::collections::HashSet::new();
2483    let mut blobs = Vec::new();
2484    for pk in recipients.iter().chain(std::iter::once(&my_keys.public_key())) {
2485        if !seen.insert(pk.to_hex()) {
2486            continue;
2487        }
2488        blobs.push(super::rekey::build_rekey_blob(
2489            my_keys.secret_key(), pk, super::derive::RekeyScope::Channel(*channel_id), new_epoch, &new_key,
2490        )?);
2491    }
2492
2493    // Publish FIRST (all chunks) — only advance my own head once peers can actually receive the new key.
2494    publish_rekey_chunked(transport, &community.relays, &blobs, |chunk| {
2495        super::rekey::build_channel_rekey_event(
2496            &Keys::generate(), &my_keys, envelope_root, channel_id,
2497            new_epoch, prev_epoch, &prev_commit, chunk,
2498        )
2499    })
2500    .await?;
2501    if !session.is_valid() {
2502        return Err("session changed during channel rotation".to_string());
2503    }
2504    crate::db::community::advance_channel_epoch(&cid, &channel_id.to_hex(), new_epoch.0, &new_key)?;
2505    Ok(new_epoch.0)
2506}
2507
2508/// Emit a privatize/rekey progress step to the UI (no-op on headless clients via the unregistered emitter).
2509/// `pct` is OVERALL progress 0-100 across the whole rotation; `label` is layman-facing. The frontend renders
2510/// a determinate ring + this label in an unclosable modal so the user is guided through the multi-second op.
2511fn emit_rekey_progress(label: &str, pct: u8) {
2512    crate::emit_event("community_rekey_progress", &serde_json::json!({ "label": label, "pct": pct }));
2513}
2514
2515/// Rotate the SERVER ROOT (a base rotation — the Private-removal / re-founding read-cut), the
2516/// complete orchestration: mint a fresh-random new root for `current_base_epoch + 1`, deliver it to
2517/// `recipients` as one self-proving server-root rekey (enveloped under the PRIOR root, addressed by
2518/// `base_rekey_pseudonym`), **re-anchor the control plane under the new epoch**, and only then
2519/// advance MY base head. Returns the new base epoch.
2520///
2521/// I am always added to the recipient set (multi-device). I must hold `BAN` (server-wide rotation
2522/// authority; owner supreme). The ordering is the safety contract: publish the base rekey → re-anchor →
2523/// advance head, with the **head-advance gated on a successful, count-complete re-anchor** — so a
2524/// post-rotation joiner who holds only the new root always reaches current authority, and a withholding
2525/// relay can't advance us over a thinned control plane. The recipient-set policy ("who stays") is still
2526/// the caller's (privatize/removal flow, #7/#8). `pub(crate)` — exposed only inside the crate until that
2527/// flow wraps it. Re-anchor carries the whole 3308 control plane (roles, grants, banlist, GroupRoot,
2528/// channel metadata) — every authority + display entity is preserved across a base rotation.
2529// Called by the privatize re-founding flow (`privatize_reseal`); also exercised directly by tests.
2530pub(crate) async fn rotate_server_root<T: Transport + ?Sized>(
2531    transport: &T,
2532    community: &Community,
2533    recipients: &[nostr_sdk::PublicKey],
2534) -> Result<u64, String> {
2535    let session = SessionGuard::capture();
2536    let cid = community.id.to_hex();
2537
2538    // a re-founding cannot cross a tombstone. A dissolved community never rotates the base again.
2539    if crate::db::community::get_community_dissolved(&cid)? {
2540        return Err("community is dissolved; it cannot be re-founded".to_string());
2541    }
2542
2543    // Authority: I must hold BAN (server-wide rotation; owner supreme). Re-founding re-WRAPS each entity
2544    // head verbatim (never re-authors), so an HONEST re-founder of any rank preserves everything: grants keep
2545    // their original granter and the owner deed rides along untouched (ownership is unstealable — the deed is
2546    // owner-signed and verified from the invite bundle, never from the snapshot).
2547    // KNOWN MVP LIMITATION (audited, accepted): a MALICIOUS non-owner admin (modified client) can OMIT a peer
2548    // admin's grant from the snapshot to demote them — a privilege escalation, since epoch-primary floors drop
2549    // the prior-epoch floors so followers can't detect the omission. Accepted because admins are owner-
2550    // appointed/trusted and the owner recovers (re-grant the peer + remove the bad admin); it can't steal
2551    // ownership or leak data. The bulletproof fix (verifiable removal: followers reject a snapshot that drops
2552    // a member the re-founder doesn't outrank) is deferred. Needs the RAW local key (ECDH), so no bunker.
2553    let my_keys = crate::state::MY_SECRET_KEY.to_keys().ok_or("a base rotation (privatize / private-ban read-cut) requires a local key (bunker/NIP-46 accounts can't rekey)")?;
2554    let owner = proven_owner_hex(community);
2555    let roster = crate::db::community::get_community_roles(&cid).unwrap_or_default();
2556    if !roster.is_authorized(&my_keys.public_key().to_hex(), owner.as_deref(), super::roles::Permissions::BAN) {
2557        return Err("not authorized to rotate the server root (no BAN)".to_string());
2558    }
2559
2560    // Derive prev_epoch / prev_commit / the rekey ENVELOPE root from the FRESHEST base state, never a
2561    // possibly-stale caller struct: addressing a rotation under a root that's already been superseded (e.g.
2562    // a re-founder re-rotating from a pre-convergence in-memory struct) lands it at a pseudonym converged
2563    // members never query → a base re-fork with no past-epoch heal to recover it. Reload first (mirrors
2564    // run_read_cut's freshest-epoch read); all downstream uses (envelope, re-anchor fetch) then agree.
2565    let fresh = crate::db::community::load_community(&community.id)?
2566        .ok_or("community gone before base rotation")?;
2567    let community = &fresh;
2568    let prev_epoch = community.server_root_epoch;
2569    let new_epoch = super::Epoch(prev_epoch.0.checked_add(1).ok_or("server-root epoch overflow")?);
2570    // Commit to the PRIOR root (the chain link the apply side verifies against `held_epoch_key(prev)`).
2571    let prev_commit = super::rekey::epoch_key_commitment(prev_epoch, community.server_root_key.as_bytes());
2572    // The fresh server root — minted ONCE + archived, reused on a retry (fork-safety). Zeroized on drop.
2573    let new_root = mint_or_reuse_rotation_key(&cid, crate::community::SERVER_ROOT_SCOPE_HEX, new_epoch.0)?;
2574    emit_rekey_progress("Rerolling community keys...", 5);
2575
2576    // ACQUIRE-BEFORE-COMMIT: do EVERY fetch the re-founding needs BEFORE publishing anything. The only
2577    // mid-rekey fetch is the re-anchor (the current control plane → re-wrapped under the new epoch); its
2578    // coverage gate (a head not fetchable) is exactly what stranded a published base rekey when it ran AFTER
2579    // the publish. Fetch + seal it now, so a transient miss aborts the whole re-founding with ZERO published
2580    // state. Only the publishes below need retry logic. The sealed editions are sent in the commit phase.
2581    let sealed = prepare_reanchor_control_plane(transport, community, &new_root, new_epoch).await?;
2582    if !session.is_valid() {
2583        return Err("session changed during re-founding acquire".to_string());
2584    }
2585
2586    let total_recipients = (recipients.len() + 1).max(1); // recipients + me (multi-device)
2587    let mut seen = std::collections::HashSet::new();
2588    let mut blobs = Vec::new();
2589    for pk in recipients.iter().chain(std::iter::once(&my_keys.public_key())) {
2590        if !seen.insert(pk.to_hex()) {
2591            continue;
2592        }
2593        blobs.push(super::rekey::build_rekey_blob(
2594            my_keys.secret_key(), pk, super::derive::RekeyScope::ServerRoot, new_epoch, &new_root,
2595        )?);
2596        emit_rekey_progress(
2597            &format!("Preparing keys for members ({}/{})...", blobs.len(), total_recipients),
2598            (5 + 35 * blobs.len() / total_recipients) as u8,
2599        );
2600    }
2601
2602    // COMMIT phase (publishes only — all fetching is done above). Publish the base rekey (delivers the new
2603    // root to recipients), SPLIT across ≤MAX_REKEY_BLOBS-blob events so a large recipient set rotates
2604    // in multiple 64KB-safe events at one address.
2605    emit_rekey_progress("Sending keys to members...", 42);
2606    publish_rekey_chunked(transport, &community.relays, &blobs, |chunk| {
2607        super::rekey::build_server_root_rekey_event(
2608            &Keys::generate(), &my_keys, community.server_root_key.as_bytes(), &community.id,
2609            new_epoch, prev_epoch, &prev_commit, chunk,
2610        )
2611    })
2612    .await?;
2613
2614    // RE-FOUND BY COMPACTION: publish the pre-sealed snapshot (the current folded state re-wrapped as
2615    // editions under the new epoch) so a post-rotation joiner reaches the new root with reachable authority.
2616    // Gate the head-advance on EVERY edition landing (O(entities), tiny): a single un-ACKed edition aborts,
2617    // head-not-advanced is the safe side. A failed publish leaves the base rekey on relays while our head
2618    // stays put; a retry REUSES the archived root via `mint_or_reuse_rotation_key`, recomputing `new_epoch`
2619    // from the DB head — no same-epoch fork, idempotent re-publish. (The fetch can no longer fail here: the
2620    // snapshot was acquired up front, so this commit phase is publish-retry territory only.)
2621    let snapshot = publish_reanchor_snapshot(transport, &community.relays, sealed).await?;
2622    if snapshot.iter().any(|e| !e.published) {
2623        return Err(
2624            "re-founding aborted: a snapshot edition did not land (rate-limited / unreachable relay?); base head NOT advanced".to_string()
2625        );
2626    }
2627    if !session.is_valid() {
2628        return Err("session changed during server-root rotation".to_string());
2629    }
2630    emit_rekey_progress("Finalizing...", 98);
2631    // Only now commit: the new root is on relays AND the compacted plane is reachable at the new epoch.
2632    crate::db::community::advance_server_root_epoch(&cid, new_epoch.0, &new_root)?;
2633    // Record our carried heads at the (now-committed) new epoch so a subsequent edit chains from them, not
2634    // the abandoned old-epoch chain. The head is re-wrapped VERBATIM, so its version is preserved; epoch is
2635    // primary, so it supersedes the prior epoch's head regardless of version.
2636    for e in &snapshot {
2637        crate::db::community::set_edition_head_with_id(&cid, &e.entity_hex, e.version, &e.self_hash, &e.inner_id)?;
2638    }
2639    Ok(new_epoch.0)
2640}
2641
2642/// Re-anchor the control plane after a base rotation: re-post the current control HEADS under the NEW
2643/// epoch's server-root pseudonym, so a post-rotation joiner (who holds only the new root) reaches current
2644/// authority with the one control-plane query they can make. Returns the per-entity snapshot it published.
2645///
2646/// **Re-WRAP, not re-sign.** Each edition's inner is the original real-npub-signed event — its signature,
2647/// version, and (community-scoped, rotation-stable) `entity_id` are all preserved; only the outer envelope
2648/// is fresh (new-root encryption + new-epoch `control_pseudonym` + ephemeral signer). Anyone can re-wrap
2649/// because the inner signature is what verifies — so the owner deed (carried inside the GroupRoot head) and
2650/// every grant's original granter survive untouched, which is what lets any BAN-holder re-found without
2651/// re-authoring or demoting anyone.
2652///
2653/// **COMPACTION: re-posts only the per-entity HEAD, not the whole `v1..vN` chain.** Cost is O(entities),
2654/// not O(history) — the fix for the original full-chain re-anchor, which failed once relays dropped old
2655/// editions or rate-limited the burst. The head is carried VERBATIM (keeps its real version number), so at
2656/// the new epoch its `prev_hash` dangles; that's fine because epoch-primary floors put a following member
2657/// in BOOTSTRAP mode for the new epoch (floor 0), where `fold_roster` surfaces the head via `bootstrap_head`
2658/// (Policy B) + the authority gate — no contiguous `v1..vN` is needed. (The old chain stays orphaned at the
2659/// prior epoch.) Only the freshest editions (the heads) need to be fetchable, sidestepping the dropped-old-
2660/// version wall.
2661///
2662/// **SCOPE: every tracked control entity** (GroupRoot, ChannelMetadata, roles, grants, the banlist) — built
2663/// from `get_all_edition_heads_epoched` and matched to its fetched raw edition; a head we can't fetch ABORTS
2664/// the rotation (better than stranding members on a thinned plane).
2665///
2666/// PRECONDITION: call this while `community` still holds the CURRENT (pre-rotation) root/epoch — it
2667/// fetches the current plane and re-posts under the new one. Running it after the head advanced would
2668/// fetch the (empty) new-epoch plane and re-anchor nothing.
2669///
2670/// `pub(crate)` + part of the base-rotation orchestration (#4e-2 sequences rekey → re-anchor → advance,
2671/// gating the head-advance on a successful re-anchor); `SessionGuard`-gated across the fetch + each
2672/// publish (publish-only — no local DB write, so a mid-loop swap is not a cross-account hazard).
2673// Reached in production via `rotate_server_root` (the privatize re-founding path); also tested directly.
2674/// One re-wrapped entity head in a re-founding snapshot: its coordinate + (version, self_hash, inner_id)
2675/// of the head carried forward (for recording at the new epoch), and whether its publish landed.
2676pub(crate) struct SnapshotEntry {
2677    pub entity_hex: String,
2678    pub version: u64,
2679    pub self_hash: [u8; 32],
2680    pub inner_id: [u8; 32],
2681    pub published: bool,
2682}
2683
2684/// ACQUIRE half of the re-anchor (acquire-before-commit): fetch the current control plane and re-wrap every
2685/// entity head under the new root/epoch — but publish NOTHING. Returns the sealed editions ready to send.
2686/// The coverage gate (a head not fetchable ABORTS) lives here, so it trips BEFORE any rekey is published —
2687/// a transient fetch miss then aborts the whole re-founding with ZERO published state (clean retry), instead
2688/// of stranding a published base rekey with a half-anchored plane. See `rotate_server_root` for the ordering.
2689pub(crate) async fn prepare_reanchor_control_plane<T: Transport + ?Sized>(
2690    transport: &T,
2691    community: &Community,
2692    new_root: &[u8; 32],
2693    new_epoch: super::Epoch,
2694) -> Result<Vec<(Event, SnapshotEntry)>, String> {
2695    let session = SessionGuard::capture();
2696    let cid = community.id.to_hex();
2697
2698    // RE-FOUND BY COMPACTION: re-wrap each entity's CURRENT HEAD verbatim under the new epoch — ONE
2699    // edition per entity, not the O(history) chain. "Re-wrap, not re-sign": the inner real-npub signature
2700    // (and the owner deed riding inside the GroupRoot content) are carried UNCHANGED, so every grant keeps
2701    // its ORIGINAL granter and authority re-derives identically at the new epoch. That's what lets ANY
2702    // BAN-holder re-found without demoting peer admins or touching ownership — the re-founder only re-keys
2703    // + re-addresses, never re-authors. Only the HEADS are needed (the freshest, most-retained editions),
2704    // so this sidesteps the unfetchable-old-version wall that broke the full-history re-anchor.
2705    let z = super::roster::control_pseudonym(&community.server_root_key, &community.id, community.server_root_epoch);
2706    let query = Query { kinds: vec![event_kind::COMMUNITY_CONTROL], z_tags: vec![z], ..Default::default() };
2707    let outers = transport.fetch(&query, &community.relays).await?;
2708    if !session.is_valid() {
2709        return Err("session changed during re-founding fetch".to_string());
2710    }
2711    // self_hash → (raw inner edition opened under the CURRENT root, its inner_id).
2712    let mut by_hash: std::collections::HashMap<[u8; 32], (Event, [u8; 32])> = std::collections::HashMap::new();
2713    for outer in &outers {
2714        if let Ok(inner) = super::roster::open_control_edition(outer, &community.server_root_key) {
2715            if let Ok(parsed) = super::edition::parse_edition_inner(&inner) {
2716                by_hash.insert(parsed.self_hash, (inner, parsed.inner_id));
2717            }
2718        }
2719    }
2720
2721    // Each entity's CURRENT head (the floors recorded at the current epoch) → re-wrap that exact edition
2722    // verbatim under the new root/epoch. A head we can't fetch ABORTS (better than stranding members on a
2723    // plane missing an entity); heads are the freshest editions, so the relay union almost always has them.
2724    let new_root_key = super::ServerRootKey(*new_root);
2725    let mut sealed: Vec<(Event, SnapshotEntry)> = Vec::new();
2726    for (entity_hex, (epoch, version, self_hash)) in crate::db::community::get_all_edition_heads_epoched(&cid)? {
2727        if epoch != community.server_root_epoch.0 {
2728            continue; // only the current founding's heads (a stale prior-epoch head is already superseded)
2729        }
2730        let (inner, inner_id) = by_hash.get(&self_hash).ok_or_else(|| {
2731            format!("re-founding aborted: head edition for entity {entity_hex} (v{version}) not fetchable — aborting so no member is stranded")
2732        })?;
2733        let outer = super::roster::seal_control_edition(&Keys::generate(), inner, &new_root_key, &community.id, new_epoch)?;
2734        sealed.push((outer, SnapshotEntry { entity_hex, version, self_hash, inner_id: *inner_id, published: false }));
2735    }
2736    Ok(sealed)
2737}
2738
2739/// COMMIT half of the re-anchor: publish the (already-fetched + sealed) snapshot editions. Publishing only —
2740/// no fetch — so the caller's acquire phase guarantees there's nothing left that could fail-to-fetch here.
2741/// Each `published` flag reports whether that edition landed; the caller gates the head-advance on all true.
2742pub(crate) async fn publish_reanchor_snapshot<T: Transport + ?Sized>(
2743    transport: &T,
2744    relays: &[String],
2745    sealed: Vec<(Event, SnapshotEntry)>,
2746) -> Result<Vec<SnapshotEntry>, String> {
2747    // Publish THROTTLED (a bounded window, not an all-at-once burst) so the snapshot survives rate-limited
2748    // relays — the 0/N stall that the old concurrent re-anchor hit. Volume is O(entities), so this is small.
2749    use futures_util::stream::StreamExt;
2750    let total = sealed.len().max(1);
2751    let done = std::sync::atomic::AtomicUsize::new(0);
2752    let done_ref = &done;
2753    emit_rekey_progress(&format!("Re-founding community (0/{total})..."), 50);
2754    let out: Vec<SnapshotEntry> = futures_util::stream::iter(sealed.into_iter().map(|(ev, mut entry)| async move {
2755        entry.published = transport.publish_durable(&ev, relays).await.is_ok();
2756        let n = done_ref.fetch_add(1, std::sync::atomic::Ordering::Relaxed) + 1;
2757        emit_rekey_progress(&format!("Re-founding community ({n}/{total})..."), (50 + 45 * n / total) as u8);
2758        entry
2759    }))
2760    .buffer_unordered(4)
2761    .collect()
2762    .await;
2763    Ok(out)
2764}
2765
2766/// Re-anchor in one shot (fetch + seal + publish). Test-only convenience; production splits the two halves
2767/// (`prepare_*` then `publish_*`) so the fetch precedes any rekey publish (acquire-before-commit).
2768#[cfg(test)]
2769pub(crate) async fn reanchor_control_plane<T: Transport + ?Sized>(
2770    transport: &T,
2771    community: &Community,
2772    new_root: &[u8; 32],
2773    new_epoch: super::Epoch,
2774) -> Result<Vec<SnapshotEntry>, String> {
2775    let sealed = prepare_reanchor_control_plane(transport, community, new_root, new_epoch).await?;
2776    publish_reanchor_snapshot(transport, &community.relays, sealed).await
2777}
2778
2779/// Apply a received, already-opened SERVER-ROOT (base) Rekey for `community` — the base counterpart to
2780/// [`apply_channel_rekey`]. Verifies the rotator's server-wide rotation authority (`BAN`, "role-based,
2781/// not owner-only"), checks continuity against the held prior ROOT (when held), finds + opens MY
2782/// ServerRoot-scope blob, and commits the new root via the atomic base head+archive write. The new root
2783/// reaches me ONLY through my ECDH blob — if I was removed in this rotation I find no blob
2784/// (`NotARecipient`) and recover nothing. `SessionGuard`-gated; synchronous (one guard + the write
2785/// re-check suffice, same as `apply_channel_rekey`).
2786pub fn apply_server_root_rekey(
2787    community: &Community,
2788    parsed: &super::rekey::ParsedRekey,
2789) -> Result<RekeyOutcome, String> {
2790    let session = SessionGuard::capture();
2791
2792    // Scope must be the server root (a Channel rekey is the other path).
2793    if !matches!(parsed.scope, super::derive::RekeyScope::ServerRoot) {
2794        return Err("not a server-root rekey (channel rekeys use apply_channel_rekey)".to_string());
2795    }
2796    let cid = community.id.to_hex();
2797
2798    // a re-founding cannot cross a tombstone. Once dissolved, a base rekey is a "subsequent control
2799    // event" → refuse to advance the epoch (a rekey after a tombstone is invalid).
2800    if crate::db::community::get_community_dissolved(&cid)? {
2801        return Err("community is dissolved; base epoch cannot advance".to_string());
2802    }
2803
2804    // Authority: a server-wide rotation is gated on BAN (owner supreme). The deed-derived `owner` is
2805    // the chain root — a community whose deed is missing/stripped yields `owner = None`, so NO rotator
2806    // authorizes (a deedless re-founding is followed by no one). A roster-read failure degrades to
2807    // owner-only (fail-closed): a stale/unreadable roster only UNDER-authorizes a non-owner, never over-.
2808    // Version-pinned rotator authority (spec §6 rule 1) is deferred, as on the channel path; the
2809    // banlist-precedence gate + the heal's deauthorized-root abandonment are the implemented mitigations.
2810    let owner = proven_owner_hex(community);
2811    let roster = crate::db::community::get_community_roles(&cid).unwrap_or_else(|e| {
2812        crate::log_warn!("base rekey apply: roster read failed ({e}); authorizing owner only");
2813        Default::default()
2814    });
2815    if !rotator_is_authorized(&cid, &roster, owner.as_deref(), &parsed.rotator.to_hex(), super::roles::Permissions::BAN) {
2816        return Err("base rekey rotator lacks server-wide rotation authority (BAN)".to_string());
2817    }
2818
2819    // Chain continuity: if I hold the prior ROOT and its commitment mismatches, I'm on a LOSING fork of
2820    // that epoch (a concurrent re-founding I lost) while this rekey extends the WINNING fork. As with channel
2821    // rekeys, that is NOT a foreign chain — the rotator is authority-verified (BAN) above and the ECDH blob
2822    // below proves it's addressed to ME — so ADOPT it (converge forward / reorg onto the authorized chain)
2823    // rather than reject and strand myself on the dead fork, which would stall every later base rotation too.
2824    // Replays of OLD epochs can't reach here: the forward walk only fetches epochs past my head.
2825    if let Some(prev_root) =
2826        crate::db::community::held_epoch_key(&cid, crate::community::SERVER_ROOT_SCOPE_HEX, parsed.prev_epoch.0)?
2827    {
2828        if super::rekey::epoch_key_commitment(parsed.prev_epoch, &prev_root) != parsed.prev_key_commitment {
2829            crate::log_warn!(
2830                "base rekey to epoch {} cites a prior-root I don't hold (I'm on a losing fork of epoch {}) — converging forward onto the authorized chain",
2831                parsed.new_epoch.0, parsed.prev_epoch.0
2832            );
2833        }
2834    }
2835
2836    // Find + open MY blob (ServerRoot scope).
2837    let my_keys = crate::state::MY_SECRET_KEY.to_keys().ok_or("no local identity to open the base rekey blob")?;
2838    let secret = super::rekey::rekey_pairwise_secret(my_keys.secret_key(), &parsed.rotator)?;
2839    let my_locator = super::derive::recipient_pseudonym(&secret, parsed.scope, parsed.new_epoch).to_hex();
2840    let mine = match parsed.blobs.iter().find(|b| b.locator == my_locator) {
2841        Some(b) => b,
2842        None => return Ok(RekeyOutcome::NotARecipient),
2843    };
2844    let new_root =
2845        super::rekey::open_rekey_blob(my_keys.secret_key(), &parsed.rotator, parsed.scope, parsed.new_epoch, mine)?;
2846
2847    if !session.is_valid() {
2848        return Err("session changed during base rekey apply".to_string());
2849    }
2850    let head_advanced = crate::db::community::advance_server_root_epoch(&cid, parsed.new_epoch.0, &new_root)?;
2851    Ok(RekeyOutcome::Applied { head_advanced })
2852}
2853
2854/// How many candidate epochs the catch-up scan derives + fetches per round. All rekey pseudonyms are
2855/// server-root-derived, so a member computes the whole window up front and fetches it in ONE batched
2856/// `#z` REQ (not a sequential walk). One round covers up to this many missed rotations.
2857const REKEY_CATCHUP_WINDOW: u64 = 64;
2858/// Backstop on catch-up rounds — bounds an endless slide (e.g. a relay fabricating contiguous rekeys).
2859/// At `REKEY_CATCHUP_WINDOW` epochs/round this still covers thousands of real rotations before bailing.
2860const MAX_REKEY_CATCHUP_ROUNDS: usize = 64;
2861
2862/// Converge a SET of held channel epochs to the deterministic LOWEST authorized key on the wire (the
2863/// concurrent-rekey tiebreak), in ONE batched fetch per held server root. Two MANAGE_CHANNELS holders can rotate an epoch
2864/// with different keys (a concurrent-rekey fork); both forked rekeys collide under the PRIOR (shared) server
2865/// root, so search every held root, peek the key each delivers to ME, and adopt the lowest. Heals the head,
2866/// any epoch reorged THIS sync, AND the recent window of held epochs — the last covers a member that reorged
2867/// its head under an EARLIER build (so the in-sync forked-epoch set was never populated) yet still sits on a
2868/// losing sibling at a past epoch whose messages would otherwise stay unreadable.
2869///
2870/// Converge DOWN only: a held epoch is re-keyed only to a sibling STRICTLY lower than the key it already
2871/// holds, so a flaky round that returns just the higher sibling can't re-fork a converged epoch. Epochs I do
2872/// NOT hold are left to the gap-fill / forward walk (recovery via `apply`, not a same-epoch swap).
2873async fn heal_channel_fork_epochs<T: Transport + ?Sized>(
2874    transport: &T,
2875    community: &Community,
2876    channel_id: &super::ChannelId,
2877    cid: &str,
2878    channel_hex: &str,
2879    epochs: &std::collections::BTreeSet<u64>,
2880    server_roots: &[[u8; 32]],
2881    session: &SessionGuard,
2882) -> Result<(), String> {
2883    if epochs.is_empty() {
2884        return Ok(());
2885    }
2886    let owner_hex = proven_owner_hex(community);
2887    let roster = crate::db::community::get_community_roles(cid).unwrap_or_default();
2888    // Batched fetch: every target epoch's rekey under each held root, ONE query per root (mirrors the
2889    // forward walk). Track the lowest key delivered to ME by an authorized rotator, per epoch.
2890    let mut winner: std::collections::BTreeMap<u64, [u8; 32]> = std::collections::BTreeMap::new();
2891    for sr in server_roots {
2892        let z_tags: Vec<String> = epochs
2893            .iter()
2894            .map(|e| super::derive::rekey_pseudonym(&super::ServerRootKey(*sr), channel_id, super::Epoch(*e)).to_hex())
2895            .collect();
2896        let q = Query { kinds: vec![event_kind::COMMUNITY_REKEY], z_tags, ..Default::default() };
2897        for ev in transport.fetch(&q, &community.relays).await.unwrap_or_default() {
2898            let Ok(p) = super::rekey::open_rekey_event(&ev, sr) else { continue };
2899            if !matches!(p.scope, super::derive::RekeyScope::Channel(c) if &c == channel_id) || !epochs.contains(&p.new_epoch.0) {
2900                continue;
2901            }
2902            if !rotator_is_authorized(cid, &roster, owner_hex.as_deref(), &p.rotator.to_hex(), super::roles::Permissions::MANAGE_CHANNELS) {
2903                continue;
2904            }
2905            let Some(key) = peek_my_channel_key(&p) else { continue }; // not a recipient of this candidate
2906            winner.entry(p.new_epoch.0).and_modify(|best| { if key < *best { *best = key; } }).or_insert(key);
2907        }
2908    }
2909    for (epoch, win_key) in winner {
2910        if !session.is_valid() {
2911            return Err("session changed during channel convergence".to_string());
2912        }
2913        // Only re-converge an epoch I ALREADY hold, and only DOWNWARD.
2914        // ACCEPTED MVP LIMITATION (GROUP_PROTOCOL.md): adoption checks blob-opens + authority, NOT that
2915        // the key decrypts extant messages — so a malicious MANAGE_CHANNELS holder can darken a settled past
2916        // epoch with a fresh lower key. Data-availability only, trusted-admin only; content-bind hardening deferred.
2917        if let Ok(Some(cur)) = crate::db::community::held_epoch_key(cid, channel_hex, epoch) {
2918            if win_key < cur {
2919                // `false` = the channel head moved off `epoch` between read and write (benign race); trace it
2920                // so a fork that keeps failing to converge is diagnosable in the field without changing flow.
2921                match crate::db::community::converge_channel_epoch(cid, channel_hex, epoch, &win_key) {
2922                    Ok(false) => crate::log_trace!("channel heal: converge of epoch {epoch} did not apply (head moved)"),
2923                    Err(e) => crate::log_trace!("channel heal: converge of epoch {epoch} errored: {e}"),
2924                    Ok(true) => {}
2925                }
2926            }
2927        }
2928    }
2929    Ok(())
2930}
2931
2932/// Catch a channel up to the latest epoch it is still a recipient of (windowed scan): fetch every
2933/// rekey published since our held epoch and apply the chain. Returns the channel's new current epoch.
2934/// Idempotent + cheap on the steady state (no new rotations → one empty-window fetch → returns the
2935/// held epoch). 3303s are addressed by the server-root-derived `rekey_pseudonym`, so this is a SEPARATE
2936/// fetch from the channel message plane (the exception).
2937///
2938/// **Removal is terminal.** Within a channel, the recipient set is forward-monotonic — once a member
2939/// is removed they are excluded from every later rotation, and re-addition is an out-of-band INVITE
2940/// that resets them to a fresh starter epoch (NOT something this scan discovers). So the walk stops at
2941/// the first `NotARecipient`: there is nothing legitimate past it for us. A *missing* intermediate
2942/// epoch (a relay-incomplete gap, where we ARE still a recipient on both sides) is logged and stepped
2943/// over (the hole stays unreadable until re-fetched from another relay), not treated as removal.
2944/// `SessionGuard`-gated; applies in ascending epoch order so each rekey's prior-key continuity check
2945/// sees the key its predecessor just archived.
2946pub async fn catch_up_channel_rekeys<T: Transport + ?Sized>(
2947    transport: &T,
2948    community: &Community,
2949    channel_id: &super::ChannelId,
2950) -> Result<u64, String> {
2951    let session = SessionGuard::capture();
2952    let server_root = community.server_root_key.as_bytes();
2953    let cid = community.id.to_hex();
2954    let channel_hex = channel_id.to_hex();
2955    // A channel rekey is addressed AND encrypted under whatever server root was current when it was
2956    // published — and the root itself ratchets on every base rotation. So derive + open the rekey window
2957    // under EVERY held server-root key, not just the current head: a channel rekey published under a prior
2958    // root is otherwise both unfindable (wrong pseudonym) and undecryptable, leaving permanent channel-key
2959    // gaps (and every message under those epochs stranded). We hold all prior roots in the epoch archive.
2960    let mut server_roots: Vec<[u8; 32]> = crate::db::community::held_epoch_keys(&cid, crate::community::SERVER_ROOT_SCOPE_HEX)
2961        .unwrap_or_default()
2962        .into_iter()
2963        .map(|(_, k)| k)
2964        .collect();
2965    if !server_roots.iter().any(|r| r == server_root) {
2966        server_roots.push(*server_root); // ensure the current root is covered even if the archive lags
2967    }
2968    let mut head = community
2969        .channels
2970        .iter()
2971        .find(|c| &c.id == channel_id)
2972        .ok_or("channel not found in community")?
2973        .epoch
2974        .0;
2975
2976    // Past epochs I reorged through (applied a rekey whose cited prior key I don't hold — I'm on a losing
2977    // fork there). The forward walk converges my HEAD, but a forked PAST epoch keeps the wrong sibling's key
2978    // and its messages stay unreadable. Collect them here and re-converge each to the lowest sibling below.
2979    let mut forked_epochs: std::collections::BTreeSet<u64> = std::collections::BTreeSet::new();
2980
2981    for _round in 0..MAX_REKEY_CATCHUP_ROUNDS {
2982        let window_top = head.saturating_add(REKEY_CATCHUP_WINDOW);
2983        // Derive + fetch the window under EACH held server root (a channel rekey lives under the root that
2984        // was current at its publish). Window × |held roots| is small and catch-up is rare; opening with
2985        // the SAME root that addressed each batch is unambiguous (a wrong root just fails the MAC).
2986        let mut parsed: Vec<super::rekey::ParsedRekey> = Vec::new();
2987        for sr in &server_roots {
2988            let z_tags: Vec<String> = (head.saturating_add(1)..=window_top)
2989                .map(|e| super::derive::rekey_pseudonym(&super::ServerRootKey(*sr), channel_id, super::Epoch(e)).to_hex())
2990                .collect();
2991            let query = Query { kinds: vec![event_kind::COMMUNITY_REKEY], z_tags, ..Default::default() };
2992            // Best-effort: a transient relay error on the forward-walk fetch must NOT abort the whole
2993            // catch-up (the caller ignores the Result), which would silently SKIP the current-head
2994            // convergence heal below — leaving a concurrent-rekey fork unhealed. Treat a failed fetch as
2995            // "no events here this round"; the next sync re-walks.
2996            for ev in transport.fetch(&query, &community.relays).await.unwrap_or_default() {
2997                if let Ok(p) = super::rekey::open_rekey_event(&ev, sr) {
2998                    if matches!(p.scope, super::derive::RekeyScope::Channel(c) if &c == channel_id) {
2999                        parsed.push(p);
3000                    }
3001                }
3002            }
3003        }
3004        if parsed.is_empty() {
3005            break; // no rekey exists past `head` under any held root
3006        }
3007        // Apply in ascending epoch order (so each rekey's prior-key continuity sees its predecessor's key).
3008        parsed.sort_by_key(|p| p.new_epoch.0);
3009        let max_found = parsed.last().map(|p| p.new_epoch.0).unwrap_or(head);
3010
3011        let head_before = head;
3012        let mut removed = false;
3013        // GROUP BY EPOCH: a rotation may be SPLIT across multiple chunk events at the same address.
3014        // For each epoch try every chunk — Applied if ANY chunk holds my blob; "removed" only if a VALID
3015        // chunk said NotARecipient and none Applied (a NotARecipient on one chunk just means my blob is
3016        // in another). All-errored at an epoch = a gap (skip), not a removal.
3017        let mut by_epoch: std::collections::BTreeMap<u64, Vec<&super::rekey::ParsedRekey>> = std::collections::BTreeMap::new();
3018        for p in &parsed {
3019            by_epoch.entry(p.new_epoch.0).or_default().push(p);
3020        }
3021        for (e, chunks) in by_epoch {
3022            if !session.is_valid() {
3023                return Err("session changed during rekey catch-up".to_string());
3024            }
3025            let mut applied = false;
3026            let mut saw_not_recipient = false;
3027            for p in &chunks {
3028                match apply_channel_rekey(community, p) {
3029                    Ok(RekeyOutcome::Applied { .. }) => {
3030                        applied = true;
3031                        break;
3032                    }
3033                    Ok(RekeyOutcome::NotARecipient) => saw_not_recipient = true,
3034                    Err(err) => crate::log_warn!("rekey catch-up: skipping epoch {e} chunk: {err}"),
3035                }
3036            }
3037            if applied {
3038                // Reorg detection: if this rekey continues from a prior epoch whose key I hold but whose
3039                // commitment mismatches, I just converged forward off a losing fork — that prior epoch is forked
3040                // and needs its own lowest-key heal (else its messages stay unreadable under the wrong sibling).
3041                // All chunks of one rotation carry IDENTICAL continuity fields (same prev_epoch + prev_commit —
3042                // they're the same rotation split across size-bounded events), so `first()` is representative.
3043                if let Some(p) = chunks.first() {
3044                    let pe = p.prev_epoch.0;
3045                    if let Ok(Some(prev_key)) = crate::db::community::held_epoch_key(&cid, &channel_hex, pe) {
3046                        if super::rekey::epoch_key_commitment(p.prev_epoch, &prev_key) != p.prev_key_commitment {
3047                            forked_epochs.insert(pe);
3048                        }
3049                    }
3050                }
3051                // A non-contiguous jump means intermediate epochs weren't recovered (a relay gap) —
3052                // surface the hole (that history stays unreadable until re-fetched).
3053                if e > head + 1 {
3054                    crate::log_warn!(
3055                        "rekey catch-up: channel epochs {}..={} not recovered (key gap; history unreadable until re-fetched)",
3056                        head + 1, e - 1
3057                    );
3058                }
3059                head = head.max(e);
3060            } else if saw_not_recipient {
3061                // A valid rotation at this epoch held no blob for me across ALL its chunks ⇒ I was removed
3062                // here. Forward-terminal (re-add is a fresh invite), so stop — nothing past it is ours.
3063                removed = true;
3064                break;
3065            }
3066            // else: all chunks at this epoch errored (gap/forged) — don't advance, don't remove.
3067        }
3068
3069        // Stop on removal (terminal), when a full round advanced nothing (only gaps/forged events — no
3070        // legit rekey for us here), or when the window wasn't saturated (we've reached the latest).
3071        if removed || head == head_before || max_found < window_top {
3072            break;
3073        }
3074    }
3075
3076    // BACKWARD gap-fill (heal): the forward walk above advances the HEAD and can leapfrog an epoch
3077    // whose rekey wasn't found (a prior catch-up that lacked the addressing root, or a relay miss). Those
3078    // holes are below `head`, so the forward window never revisits them — yet we're entitled to those
3079    // keys. Re-fetch each MISSING epoch's rekey under every held server root and apply it (archive-only:
3080    // `advance_channel_epoch` never regresses the head), so stranded history (messages under a skipped
3081    // epoch) becomes readable. Non-ratcheted keys make this pure random-access — no replay needed.
3082    let held: std::collections::HashSet<u64> = crate::db::community::held_epoch_keys(&cid, &channel_hex)
3083        .unwrap_or_default()
3084        .into_iter()
3085        .map(|(e, _)| e.0)
3086        .collect();
3087    let missing: Vec<u64> = (0..head).filter(|e| !held.contains(e)).collect();
3088    if !missing.is_empty() {
3089        for sr in &server_roots {
3090            if !session.is_valid() {
3091                return Err("session changed during rekey gap-fill".to_string());
3092            }
3093            let z_tags: Vec<String> = missing
3094                .iter()
3095                .map(|e| super::derive::rekey_pseudonym(&super::ServerRootKey(*sr), channel_id, super::Epoch(*e)).to_hex())
3096                .collect();
3097            let query = Query { kinds: vec![event_kind::COMMUNITY_REKEY], z_tags, ..Default::default() };
3098            // Best-effort (same rationale as the forward walk): a relay error on a gap-fill fetch must not
3099            // abort before the convergence heal.
3100            for ev in transport.fetch(&query, &community.relays).await.unwrap_or_default() {
3101                if let Ok(p) = super::rekey::open_rekey_event(&ev, sr) {
3102                    if matches!(p.scope, super::derive::RekeyScope::Channel(c) if &c == channel_id) {
3103                        let _ = apply_channel_rekey(community, &p); // archive-only for sub-head epochs
3104                    }
3105                }
3106            }
3107        }
3108    }
3109
3110    // CONCURRENT RE-FOUNDING HEAL: converge to the deterministic LOWEST authorized sibling at every epoch that
3111    // can be forked — the current HEAD (two MANAGE_CHANNELS holders rotated it concurrently with different
3112    // keys), every epoch I reorged through THIS sync, AND the recent window of held epochs. The window
3113    // pass heals a member that reorged its head under an EARLIER build (so `forked_epochs` was never populated
3114    // for it) yet still sits on a losing sibling at a past epoch — otherwise that epoch's messages stay
3115    // unreadable forever (the gap-fill skips it because a key IS held). One batched fetch per held root.
3116    if head > 0 && session.is_valid() {
3117        let lo = head.saturating_sub(REKEY_CATCHUP_WINDOW).max(1);
3118        let mut epochs: std::collections::BTreeSet<u64> = (lo..=head).collect();
3119        epochs.append(&mut forked_epochs);
3120        let _ = heal_channel_fork_epochs(transport, community, channel_id, &cid, &channel_hex, &epochs, &server_roots, &session).await;
3121    }
3122    Ok(head)
3123}
3124
3125/// Backstop on base-rotation walk steps (base rotations are rare, so this far exceeds any real chain;
3126/// it bounds a hostile/fabricated chain — which already fails at `apply_server_root_rekey` anyway).
3127const MAX_BASE_CATCHUP_STEPS: usize = 256;
3128
3129/// Catch the SERVER ROOT up to its latest epoch — a FORWARD WALK (the base has no stable key above
3130/// it, so `base_rekey_pseudonym` is keyed by the PRIOR root). Each step: derive the next base rekey's
3131/// address from the root I currently hold, fetch it, open it under that root, apply it (recovering the
3132/// NEXT root), and repeat. Returns the new base epoch. One step per base rotation — bounded, and base
3133/// rotations are rare. Stops on a removal (`NotARecipient` — re-add is a fresh invite, not this walk),
3134/// when no further base rekey exists, or when a rekey can't be applied (can't get the next root).
3135///
3136/// After this advances the base epoch, the caller MUST resync the control plane at the NEW epoch
3137/// (`control_pseudonym(new_root, …)`) before trusting authority — the re-anchoring guarantees the
3138/// current heads are reachable there (#4e). This fn only recovers the base keys + advances the head.
3139/// B2 helper: open MY ServerRoot blob in `parsed` WITHOUT committing, to learn which new root this rotation
3140/// would deliver me. Lets [`catch_up_server_root`] pick the canonical rotation among concurrent re-foundings
3141/// before applying any. `Ok(None)` = I'm not a recipient of this rotation (or it's not a base rekey).
3142fn peek_my_server_root(parsed: &super::rekey::ParsedRekey) -> Result<Option<[u8; 32]>, String> {
3143    if !matches!(parsed.scope, super::derive::RekeyScope::ServerRoot) {
3144        return Ok(None);
3145    }
3146    let my_keys = crate::state::MY_SECRET_KEY.to_keys().ok_or("no local key to open a base rekey blob")?;
3147    let secret = super::rekey::rekey_pairwise_secret(my_keys.secret_key(), &parsed.rotator)?;
3148    let my_locator = super::derive::recipient_pseudonym(&secret, parsed.scope, parsed.new_epoch).to_hex();
3149    let mine = match parsed.blobs.iter().find(|b| b.locator == my_locator) {
3150        Some(b) => b,
3151        None => return Ok(None),
3152    };
3153    super::rekey::open_rekey_blob(my_keys.secret_key(), &parsed.rotator, parsed.scope, parsed.new_epoch, mine).map(Some)
3154}
3155
3156/// Convergence helper: open MY Channel blob in `parsed` WITHOUT committing, to learn which new channel key this
3157/// rotation would deliver me. Lets the channel current-head heal pick a deterministic winner (lowest
3158/// delivered key) among concurrent same-epoch channel rotations. `None` = not a recipient / can't open.
3159fn peek_my_channel_key(parsed: &super::rekey::ParsedRekey) -> Option<[u8; 32]> {
3160    let my_keys = crate::state::MY_SECRET_KEY.to_keys()?;
3161    let secret = super::rekey::rekey_pairwise_secret(my_keys.secret_key(), &parsed.rotator).ok()?;
3162    let my_locator = super::derive::recipient_pseudonym(&secret, parsed.scope, parsed.new_epoch).to_hex();
3163    let mine = parsed.blobs.iter().find(|b| b.locator == my_locator)?;
3164    super::rekey::open_rekey_blob(my_keys.secret_key(), &parsed.rotator, parsed.scope, parsed.new_epoch, mine).ok()
3165}
3166
3167pub async fn catch_up_server_root<T: Transport + ?Sized>(
3168    transport: &T,
3169    community: &Community,
3170) -> Result<BaseCatchup, String> {
3171    let session = SessionGuard::capture();
3172    let cid = community.id.to_hex();
3173    let mut head = community.server_root_epoch.0;
3174    // Set true if the walk stops because an AUTHORIZED base rotation EXCLUDED us (read-cut / private ban):
3175    // we hold the prior root, opened the rotation, its rotator held BAN per the roster we hold, but no chunk
3176    // carried our blob. The caller treats this as removal and erases local community data (the cut member
3177    // can't read the new banlist to learn it the normal way, so this is the catch-all removal signal).
3178    let mut removed = false;
3179    // The root I currently hold at `head` — drives the next step's address (prior-root-keyed) + opens it.
3180    let mut current_root: [u8; 32] = *community.server_root_key.as_bytes();
3181
3182    for _step in 0..MAX_BASE_CATCHUP_STEPS {
3183        let next = match head.checked_add(1) {
3184            Some(n) => n,
3185            None => break,
3186        };
3187        let addr = super::derive::base_rekey_pseudonym(&super::ServerRootKey(current_root), &community.id, super::Epoch(next)).to_hex();
3188        let query = Query { kinds: vec![event_kind::COMMUNITY_REKEY], z_tags: vec![addr], ..Default::default() };
3189        let events = transport.fetch(&query, &community.relays).await?;
3190        if events.is_empty() {
3191            break; // no base rotation past `head`
3192        }
3193
3194        // Open under the root I hold; a base rotation at `next` may be SPLIT across chunk events at this
3195        // address, so collect ALL chunks for `next`.
3196        let chunks: Vec<super::rekey::ParsedRekey> = events
3197            .iter()
3198            .filter_map(|ev| super::rekey::open_rekey_event(ev, &current_root).ok())
3199            .filter(|p| matches!(p.scope, super::derive::RekeyScope::ServerRoot) && p.new_epoch.0 == next)
3200            .collect();
3201        if chunks.is_empty() {
3202            break; // nothing valid for `next` under the root we hold
3203        }
3204
3205        if !session.is_valid() {
3206            return Err("session changed during base rekey catch-up".to_string());
3207        }
3208
3209        // B2 — CONCURRENT RE-FOUNDING CONVERGENCE. There may be MORE than one rotation at `next` (two
3210        // BAN-holders re-founding at once, each delivering a DIFFERENT new root to the same observed set).
3211        // Every member must pick the SAME one or the community forks irrecoverably. Peek the root each
3212        // rotation would give me, then deterministically choose the LOWEST new-root bytes — convergent for
3213        // everyone who received both. (The root is the only member-computable rotation identity: the inner
3214        // event id of "my" chunk differs per member, since each member's blob sits in a different chunk, so
3215        // it can't be the tiebreak.) A member who only received the losing root heals on the next re-founding.
3216        //
3217        // AUTHORITY BEFORE THE TIEBREAK: only a BAN-holder's rotation is a candidate. A plain member
3218        // holds the prior root + can sign as rotator + build valid ECDH blobs, so without this gate they
3219        // could forge a byte-LOWER root that honest members would PICK as the winner and then fail to apply
3220        // (authority is also checked in apply) — stalling them at the prior epoch while others advance: a
3221        // permanent fork the heal can't recover. Gate here, before `min_by`, exactly like the current-head heal.
3222        let owner_hex = proven_owner_hex(community);
3223        let roster = crate::db::community::get_community_roles(&cid).unwrap_or_default();
3224        let mut candidates: Vec<(&super::rekey::ParsedRekey, [u8; 32])> = Vec::new();
3225        for parsed in &chunks {
3226            if !rotator_is_authorized(&cid, &roster, owner_hex.as_deref(), &parsed.rotator.to_hex(), super::roles::Permissions::BAN) {
3227                continue;
3228            }
3229            match peek_my_server_root(parsed) {
3230                Ok(Some(root)) => candidates.push((parsed, root)),
3231                Ok(None) => {}
3232                Err(err) => crate::log_warn!("base rekey catch-up: epoch {next} peek: {err}"),
3233            }
3234        }
3235        let applied = match candidates.into_iter().min_by(|a, b| a.1.cmp(&b.1)) {
3236            Some((parsed, _)) => match apply_server_root_rekey(community, parsed) {
3237                Ok(RekeyOutcome::Applied { .. }) => true,
3238                Ok(RekeyOutcome::NotARecipient) => false, // unreachable: peek already confirmed recipiency
3239                Err(err) => { crate::log_warn!("base rekey catch-up: epoch {next} apply: {err}"); false }
3240            },
3241            None => {
3242                // No chunk held my blob — I was excluded from this base rotation. If an AUTHORIZED rotator
3243                // (held BAN per the roster I STILL hold) performed it, this is a read-cut removing me →
3244                // signal removal so the caller erases. Verify authority so a non-BAN member who merely holds
3245                // the prior root can't forge an eviction event that tricks me into self-deleting.
3246                let owner = proven_owner_hex(community);
3247                let roster = crate::db::community::get_community_roles(&cid).unwrap_or_default();
3248                if chunks.iter().any(|p| rotator_is_authorized(&cid, &roster, owner.as_deref(), &p.rotator.to_hex(), super::roles::Permissions::BAN)) {
3249                    removed = true;
3250                }
3251                false // removed from the base (terminal) → stop the walk
3252            }
3253        };
3254        if !applied {
3255            break;
3256        }
3257        // Recover the just-archived new root to address the next step.
3258        match crate::db::community::held_epoch_key(&cid, crate::community::SERVER_ROOT_SCOPE_HEX, next)? {
3259            Some(root) => {
3260                current_root = root;
3261                head = next;
3262            }
3263            None => {
3264                // Shouldn't happen — apply archives the root before returning Applied. If it ever does,
3265                // a DB-archive invariant broke; stop rather than loop on a stale root.
3266                crate::log_warn!("base rekey catch-up: epoch {next} applied but its root is not archived; halting walk");
3267                break;
3268            }
3269        }
3270    }
3271
3272    // CONCURRENT RE-FOUNDING HEAL (current-head convergence): the forward walk only tiebreaks at head+1, so
3273    // two BAN-holders who re-founded at the SAME epoch each end on their OWN root and never reconcile each
3274    // other (only bystanders advancing INTO the epoch do). Re-fetch THIS epoch's base rekeys — they're all
3275    // at the one address keyed by the PRIOR root we still hold — and if an AUTHORIZED sibling delivers a
3276    // LOWER root than the one we hold, switch to it (the same lowest-root rule), then re-fold the control
3277    // plane under the adopted root. Convergent for everyone: the lowest root is the deterministic winner.
3278    if head > 0 && !removed {
3279        if let Ok(Some(prior_root)) = crate::db::community::held_epoch_key(&cid, crate::community::SERVER_ROOT_SCOPE_HEX, head - 1) {
3280            let addr = super::derive::base_rekey_pseudonym(&super::ServerRootKey(prior_root), &community.id, super::Epoch(head)).to_hex();
3281            let query = Query { kinds: vec![event_kind::COMMUNITY_REKEY], z_tags: vec![addr], ..Default::default() };
3282            let events = transport.fetch(&query, &community.relays).await.unwrap_or_default();
3283            let chunks: Vec<super::rekey::ParsedRekey> = events
3284                .iter()
3285                .filter_map(|ev| super::rekey::open_rekey_event(ev, &prior_root).ok())
3286                .filter(|p| matches!(p.scope, super::derive::RekeyScope::ServerRoot) && p.new_epoch.0 == head)
3287                .collect();
3288            let owner_hex = proven_owner_hex(community);
3289            let roster = crate::db::community::get_community_roles(&cid).unwrap_or_default();
3290            let mut best: Option<(&super::rekey::ParsedRekey, [u8; 32])> = None;
3291            for p in &chunks {
3292                // Only an AUTHORIZED re-founding (rotator held BAN, not banned) is a convergence
3293                // candidate — a non-BAN member who merely holds the prior root can't forge a lower
3294                // root to hijack the chain.
3295                if !rotator_is_authorized(&cid, &roster, owner_hex.as_deref(), &p.rotator.to_hex(), super::roles::Permissions::BAN) {
3296                    continue;
3297                }
3298                if let Ok(Some(root)) = peek_my_server_root(p) {
3299                    if best.as_ref().map_or(true, |(_, br)| root < *br) {
3300                        best = Some((p, root));
3301                    }
3302                }
3303            }
3304            // Authority dominates the down-only rule: if the root I currently hold is POSITIVELY
3305            // identified as a since-deauthorized rotation (its chunk is on the wire, delivers my
3306            // current root, and its rotator now fails the authority/banlist gate), abandon it for
3307            // the lowest AUTHORIZED sibling even when that sibling is byte-higher. Without this, a
3308            // banned admin who raced their own removal with a ground-low re-founding root keeps
3309            // every member who adopted it partitioned forever — the heal would refuse to climb back
3310            // to the owner's legitimate (higher) root. Positive identification only: when the
3311            // current root's chunk is absent (withheld), keep the strict down-only rule so a flaky
3312            // round can't re-fork a converged epoch.
3313            let current_deauthorized = chunks.iter().any(|p| {
3314                matches!(peek_my_server_root(p), Ok(Some(r)) if r == current_root)
3315                    && !rotator_is_authorized(&cid, &roster, owner_hex.as_deref(), &p.rotator.to_hex(), super::roles::Permissions::BAN)
3316            });
3317            if let Some((winner, win_root)) = best {
3318                let adopt = if current_deauthorized {
3319                    win_root != current_root
3320                } else {
3321                    win_root < current_root
3322                };
3323                if adopt {
3324                    if !session.is_valid() {
3325                        return Err("session changed during base convergence".to_string());
3326                    }
3327                    // Adopt the winner: apply archives its root (no head advance at the same epoch), then
3328                    // `converge_server_root_epoch` swaps the head root, then re-fold control under it.
3329                    if apply_server_root_rekey(community, winner).is_ok() {
3330                        match crate::db::community::converge_server_root_epoch(&cid, head, &win_root) {
3331                            Ok(false) => crate::log_trace!("base heal: converge of epoch {head} did not apply (head moved)"),
3332                            Err(e) => crate::log_trace!("base heal: converge of epoch {head} errored: {e}"),
3333                            Ok(true) => {}
3334                        }
3335                        current_root = win_root;
3336                        if let Ok(Some(fresh)) = crate::db::community::load_community(&community.id) {
3337                            let _ = fetch_and_apply_control(transport, &fresh).await;
3338                        }
3339                    }
3340                }
3341            }
3342        }
3343    }
3344    let _ = current_root; // may be unused if no further steps read it
3345    Ok(BaseCatchup { epoch: head, removed })
3346}
3347
3348/// Outcome of [`catch_up_server_root`]: the base epoch reached, and whether an AUTHORIZED base rotation
3349/// EXCLUDED us (a read-cut / private ban). `removed` is the catch-all "you've been removed" signal for a
3350/// cryptographically cut member who can no longer read the banlist to learn it the normal way.
3351#[derive(Debug, Clone, Copy)]
3352pub struct BaseCatchup {
3353    pub epoch: u64,
3354    pub removed: bool,
3355}
3356
3357#[cfg(test)]
3358mod tests {
3359    use super::*;
3360    use crate::community::send::fetch_channel_messages;
3361    use crate::community::transport::{memory::MemoryRelay, Query, Transport};
3362    use nostr_sdk::prelude::{EventBuilder, Kind};
3363
3364    /// A transport whose publish always fails (fetch returns nothing) — for testing that
3365    /// a failed deletion publish doesn't strand the single-use key.
3366    struct FailingRelay;
3367    #[async_trait::async_trait]
3368    impl Transport for FailingRelay {
3369        async fn publish(&self, _event: &Event, _relays: &[String]) -> Result<(), String> {
3370            Err("relay unreachable".to_string())
3371        }
3372        async fn publish_durable(&self, _event: &Event, _relays: &[String]) -> Result<(), String> {
3373            Err("relay unreachable".to_string())
3374        }
3375        async fn fetch(&self, _query: &Query, _relays: &[String]) -> Result<Vec<Event>, String> {
3376            Ok(Vec::new())
3377        }
3378    }
3379
3380    /// A relay that selectively fails REKEY (3303) publishes (toggleable), delegating everything else to
3381    /// an inner [`MemoryRelay`]. Lets a test make a re-seal's base rekey fail while the banlist edition
3382    /// still lands, then "fix" the relay and verify the read-cut retry recovers.
3383    struct RekeyFailingRelay {
3384        inner: MemoryRelay,
3385        fail_rekey: std::sync::atomic::AtomicBool,
3386    }
3387    impl RekeyFailingRelay {
3388        fn new() -> Self {
3389            Self { inner: MemoryRelay::new(), fail_rekey: std::sync::atomic::AtomicBool::new(true) }
3390        }
3391        fn allow_rekey(&self) {
3392            self.fail_rekey.store(false, std::sync::atomic::Ordering::Relaxed);
3393        }
3394        fn blocks(&self, event: &Event) -> bool {
3395            self.fail_rekey.load(std::sync::atomic::Ordering::Relaxed)
3396                && event.kind.as_u16() == crate::stored_event::event_kind::COMMUNITY_REKEY
3397        }
3398    }
3399    #[async_trait::async_trait]
3400    impl Transport for RekeyFailingRelay {
3401        async fn publish(&self, event: &Event, relays: &[String]) -> Result<(), String> {
3402            if self.blocks(event) { return Err("rekey relay down".to_string()); }
3403            self.inner.publish(event, relays).await
3404        }
3405        async fn publish_durable(&self, event: &Event, relays: &[String]) -> Result<(), String> {
3406            if self.blocks(event) { return Err("rekey relay down".to_string()); }
3407            self.inner.publish_durable(event, relays).await
3408        }
3409        async fn fetch(&self, query: &Query, relays: &[String]) -> Result<Vec<Event>, String> {
3410            self.inner.fetch(query, relays).await
3411        }
3412    }
3413
3414    static TEST_COUNTER: std::sync::atomic::AtomicU32 = std::sync::atomic::AtomicU32::new(5000);
3415
3416    fn make_test_npub(n: u32) -> String {
3417        const BECH32: &[u8] = b"qpzry9x8gf2tvdw0s3jn54khce6mua7l";
3418        let mut payload = vec![b'q'; 58];
3419        let mut x = n as u64;
3420        let mut i = 58;
3421        while x > 0 && i > 0 {
3422            i -= 1;
3423            payload[i] = BECH32[(x as usize) % 32];
3424            x /= 32;
3425        }
3426        format!("npub1{}", std::str::from_utf8(&payload).unwrap())
3427    }
3428
3429    fn init_test_db() -> (tempfile::TempDir, std::sync::MutexGuard<'static, ()>) {
3430        let guard = crate::db::DB_TEST_GUARD.lock().unwrap_or_else(|e| e.into_inner());
3431        crate::db::close_database();
3432        // Per-account row-id caches survive close_database; clear them so a stale entry from a prior
3433        // test's DB can't point into this fresh account's DB and FK-fail an insert.
3434        crate::db::clear_id_caches();
3435        let tmp = tempfile::tempdir().unwrap();
3436        let n = TEST_COUNTER.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
3437        let account = make_test_npub(n);
3438        std::fs::create_dir_all(tmp.path().join(&account)).unwrap();
3439        crate::db::set_app_data_dir(tmp.path().to_path_buf());
3440        crate::db::set_current_account(account.clone()).unwrap();
3441        crate::db::init_database(&account).unwrap();
3442        // Clear any client a prior test installed — else `active_signer()` would prefer that stale
3443        // client's signer over this test's fresh local identity (cross-test contamination).
3444        let _ = crate::state::take_nostr_client();
3445        // A local owner identity so create_community can sign the (now mandatory) owner attestation.
3446        let owner = Keys::generate();
3447        crate::state::MY_SECRET_KEY.store_from_keys(&owner, &[]);
3448        crate::state::set_my_public_key(owner.public_key());
3449        (tmp, guard)
3450    }
3451
3452    #[test]
3453    fn community_cap_rejects_a_new_membership_at_the_limit() {
3454        let (_tmp, _guard) = init_test_db();
3455        let mk = |i: usize| {
3456            let id = format!("{:064x}", i);
3457            crate::community::list::CommunityListEntry {
3458                community_id: id.clone(),
3459                seed: crate::community::invite::CommunityInvite {
3460                    community_id: id,
3461                    name: String::new(),
3462                    server_root_key: String::new(),
3463                    server_root_epoch: 0,
3464                    relays: vec![],
3465                    channels: vec![],
3466                    owner_attestation: None,
3467                    icon: None,
3468                },
3469                current: None,
3470                added_at: 0,
3471            }
3472        };
3473        let mut list = crate::community::list::CommunityList::default();
3474        for i in 0..(MAX_COMMUNITIES - 1) {
3475            list.entries.push(mk(i));
3476        }
3477        crate::db::settings::set_sql_setting("community_list_json".to_string(), list.to_json()).unwrap();
3478        assert!(enforce_community_cap().is_ok(), "under the cap a new join is allowed");
3479
3480        list.entries.push(mk(MAX_COMMUNITIES - 1)); // now exactly MAX_COMMUNITIES
3481        crate::db::settings::set_sql_setting("community_list_json".to_string(), list.to_json()).unwrap();
3482        assert!(enforce_community_cap().is_err(), "at the cap a new join is rejected");
3483    }
3484
3485    // --- apply_channel_rekey (#3c) ---
3486
3487    /// Build + persist a member-view community whose proven owner is `owner` (attestation signed by
3488    /// them), archiving the genesis epoch-0 channel key + server root via save_community.
3489    fn saved_community_owned_by(owner: &Keys) -> Community {
3490        use nostr_sdk::JsonUtil;
3491        let mut community = Community::create("HQ", "general", vec!["r".into()]);
3492        let cid = community.id.to_hex();
3493        community.owner_attestation = Some(
3494            crate::community::owner::build_owner_attestation_unsigned(owner.public_key(), &cid)
3495                .sign_with_keys(owner)
3496                .unwrap()
3497                .as_json(),
3498        );
3499        crate::db::community::save_community(&community).unwrap();
3500        community
3501    }
3502
3503    /// An in-memory owner-attested Community signed by the SEEDED local identity (so `is_proven_owner`
3504    /// is true and owner-gated actions like `create_public_invite` pass). NOT saved to the DB — for
3505    /// tests where the same single DB later plays the joiner.
3506    fn attested_community(name: &str, channel: &str, relays: Vec<String>) -> Community {
3507        use nostr_sdk::JsonUtil;
3508        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
3509        let mut community = Community::create(name, channel, relays);
3510        community.owner_attestation = Some(
3511            crate::community::owner::build_owner_attestation_unsigned(owner.public_key(), &community.id.to_hex())
3512                .sign_with_keys(&owner).unwrap().as_json(),
3513        );
3514        community
3515    }
3516
3517    /// Set the local identity (the rekey recipient in these tests).
3518    fn become_local(me: &Keys) {
3519        crate::state::MY_SECRET_KEY.store_from_keys(me, &[]);
3520        crate::state::set_my_public_key(me.public_key());
3521    }
3522
3523    /// An owner-authored channel rekey to `new_epoch` carrying one blob for `recipient_pk`, citing the
3524    /// genesis epoch-0 key as `prev`. Returns the opened ParsedRekey ready for apply.
3525    fn owner_channel_rekey(
3526        owner: &Keys,
3527        community: &Community,
3528        recipient_pk: &nostr_sdk::PublicKey,
3529        new_epoch: u64,
3530        new_key: &[u8; 32],
3531    ) -> super::super::rekey::ParsedRekey {
3532        let chan = &community.channels[0];
3533        let scope = super::super::derive::RekeyScope::Channel(chan.id);
3534        let blob = super::super::rekey::build_rekey_blob(
3535            owner.secret_key(), recipient_pk, scope, crate::community::Epoch(new_epoch), new_key,
3536        )
3537        .unwrap();
3538        let commit = super::super::rekey::epoch_key_commitment(crate::community::Epoch(0), chan.key.as_bytes());
3539        let outer = super::super::rekey::build_channel_rekey_event(
3540            &Keys::generate(), owner, community.server_root_key.as_bytes(), &chan.id,
3541            crate::community::Epoch(new_epoch), crate::community::Epoch(0), &commit, &[blob],
3542        )
3543        .unwrap();
3544        super::super::rekey::open_rekey_event(&outer, community.server_root_key.as_bytes()).unwrap()
3545    }
3546
3547    /// Transport-unified outer dedup: a wire event we've already persisted (its outer id recorded as
3548    /// the inner's `wrapper_event_id`) is dropped BEFORE decryption on a re-fetch — the same contract
3549    /// DM gift-wraps get from the wrapper-id layer. This is what keeps a boot/catch-up sweep's re-fetch
3550    /// of the whole channel page from re-ingesting or re-emitting events we already hold.
3551    #[tokio::test]
3552    async fn outer_event_dedup_skips_an_already_persisted_wire_event() {
3553        let (_tmp, _guard) = init_test_db();
3554        let owner = Keys::generate();
3555        let me = Keys::generate();
3556        become_local(&me);
3557        let community = saved_community_owned_by(&owner);
3558        let channel = community.channels[0].clone();
3559        let chan_hex = channel.id.to_hex();
3560
3561        // A real wire event (stable outer id) authored by a keyholding member.
3562        let author = Keys::generate();
3563        let outer = crate::community::envelope::seal_message(
3564            &author, &channel.key, &channel.id, channel.epoch, "gm", 1000,
3565        ).unwrap();
3566        let outer_hex = outer.id.to_hex();
3567
3568        // First sight: ingests, and the inner records its OUTER wire id as the wrapper link.
3569        let mut state = crate::state::ChatState::new();
3570        let msg = match crate::community::inbound::process_incoming(&mut state, &outer, &channel, &me.public_key()) {
3571            Some(crate::community::inbound::IncomingEvent::NewMessage(m)) => m,
3572            _ => panic!("expected NewMessage from a fresh wire event"),
3573        };
3574        assert_eq!(msg.wrapper_event_id.as_deref(), Some(outer_hex.as_str()),
3575            "the inner must carry its outer wire id as wrapper_event_id");
3576
3577        // Persist exactly as the sweep does (writes wrapper_event_id into the events table).
3578        crate::db::events::save_message(&chan_hex, &msg).await.unwrap();
3579
3580        // Re-fetch / relay redelivery of the SAME wire event → dropped before decryption.
3581        let mut state2 = crate::state::ChatState::new();
3582        let second = crate::community::inbound::process_incoming(&mut state2, &outer, &channel, &me.public_key());
3583        assert!(second.is_none(), "an already-processed wire event must dedup before decryption");
3584    }
3585
3586    /// The dedup ledger is shared across transports, but NIP-77 negentropy must fingerprint ONLY the
3587    /// gift-wrap ('nip17') subset — a Concord wrapper in the DM reconciliation set would bloat and skew it.
3588    #[tokio::test]
3589    async fn ledger_is_shared_but_negentropy_stays_nip17_only() {
3590        let (_tmp, _guard) = init_test_db();
3591        let dm = [0xA1u8; 32];
3592        let concord = [0xC0u8; 32];
3593        crate::db::wrappers::save_processed_wrapper(&dm, 100, crate::db::wrappers::TRANSPORT_NIP17).unwrap();
3594        crate::db::wrappers::save_processed_wrapper(&concord, 200, crate::db::wrappers::TRANSPORT_CONCORD).unwrap();
3595
3596        // The dedup ledger sees BOTH transports.
3597        assert!(crate::db::wrappers::processed_wrapper_exists(&dm));
3598        assert!(crate::db::wrappers::processed_wrapper_exists(&concord));
3599
3600        // NIP-77 fingerprints only the gift-wrap subset — Concord never leaks into DM sync.
3601        let items = crate::db::wrappers::load_negentropy_items().unwrap();
3602        assert_eq!(items.len(), 1, "negentropy must exclude concord wrappers");
3603        assert_eq!(items[0].0.to_bytes(), dm);
3604    }
3605
3606    /// A non-message sub-kind (presence) has no inner row to carry a wrapper_event_id, so it records the
3607    /// outer id in the shared ledger at process time. A re-fetch then dedups it before decryption, just
3608    /// like a message — every sub-kind gets the same transport-level skip.
3609    #[tokio::test]
3610    async fn non_message_subkind_dedups_via_the_shared_ledger() {
3611        let (_tmp, _guard) = init_test_db();
3612        let owner = Keys::generate();
3613        let me = Keys::generate();
3614        become_local(&me);
3615        let community = saved_community_owned_by(&owner);
3616        let channel = community.channels[0].clone();
3617
3618        // A presence (3306) wire event from a member — a non-row sub-kind.
3619        let author = Keys::generate();
3620        let inner = super::super::envelope::build_inner_typed(
3621            author.public_key(), &channel.id, channel.epoch,
3622            crate::stored_event::event_kind::COMMUNITY_PRESENCE, "join", 5, None, &[],
3623        ).sign_with_keys(&author).unwrap();
3624        let outer = super::super::envelope::seal_with_signed_inner(
3625            &Keys::generate(), &inner, &channel.key, &channel.id, channel.epoch,
3626        ).unwrap();
3627
3628        // First sight: a Presence outcome, and the outer id is recorded in the ledger.
3629        let mut state = crate::state::ChatState::new();
3630        let first = crate::community::inbound::process_incoming(&mut state, &outer, &channel, &me.public_key());
3631        assert!(matches!(first, Some(crate::community::inbound::IncomingEvent::Presence { .. })),
3632            "expected a Presence outcome");
3633        assert!(crate::db::wrappers::processed_wrapper_exists(&outer.id.to_bytes()),
3634            "a non-message sub-kind must record its outer id in the shared ledger");
3635
3636        // Re-fetch of the same wire event → dropped before decryption.
3637        let second = crate::community::inbound::process_incoming(&mut crate::state::ChatState::new(), &outer, &channel, &me.public_key());
3638        assert!(second.is_none(), "a re-fetched presence must dedup via the shared ledger");
3639    }
3640
3641    #[test]
3642    fn apply_channel_rekey_recovers_and_advances_head() {
3643        let (_tmp, _guard) = init_test_db();
3644        let owner = Keys::generate(); // owner = rotator (supreme authority)
3645        let me = Keys::generate();
3646        become_local(&me);
3647        let community = saved_community_owned_by(&owner);
3648        let cid = community.id.to_hex();
3649        let chan_hex = community.channels[0].id.to_hex();
3650        let new_key = [0xCDu8; 32];
3651
3652        let parsed = owner_channel_rekey(&owner, &community, &me.public_key(), 1, &new_key);
3653        let outcome = apply_channel_rekey(&community, &parsed).unwrap();
3654        assert_eq!(outcome, RekeyOutcome::Applied { head_advanced: true });
3655
3656        // Archive holds the new epoch-1 key, and the channel head advanced to it (epoch + key).
3657        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 1).unwrap(), Some(new_key));
3658        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
3659        assert_eq!(reloaded.channels[0].epoch, crate::community::Epoch(1));
3660        assert_eq!(reloaded.channels[0].key.as_bytes(), &new_key);
3661        // The genesis epoch-0 key is RETAINED (cross-epoch history stays decryptable).
3662        assert!(crate::db::community::held_epoch_key(&cid, &chan_hex, 0).unwrap().is_some());
3663    }
3664
3665    #[test]
3666    fn apply_channel_rekey_accepts_matching_continuity() {
3667        // The happy continuity path: I HOLD the prior (genesis epoch-0) key and the rekey cites a
3668        // commitment over it → the fork-detection check passes and the rekey applies.
3669        let (_tmp, _guard) = init_test_db();
3670        let owner = Keys::generate();
3671        let me = Keys::generate();
3672        become_local(&me);
3673        let community = saved_community_owned_by(&owner);
3674        // owner_channel_rekey commits over the genesis epoch-0 key, which I hold (archived on save).
3675        let parsed = owner_channel_rekey(&owner, &community, &me.public_key(), 1, &[0x44u8; 32]);
3676        assert_eq!(
3677            apply_channel_rekey(&community, &parsed).unwrap(),
3678            RekeyOutcome::Applied { head_advanced: true },
3679            "a rekey whose prior-key commitment matches the held genesis key applies"
3680        );
3681    }
3682
3683    #[test]
3684    fn advance_channel_epoch_archives_when_no_head_row() {
3685        // A rekey for a channel with no community_channels head row: archive the key, don't fabricate
3686        // a head. (Exercises advance_channel_epoch's channel-row-absent branch directly.)
3687        let (_tmp, _guard) = init_test_db();
3688        let cid = "f".repeat(64);
3689        let orphan_channel = "a".repeat(64);
3690        let advanced = crate::db::community::advance_channel_epoch(&cid, &orphan_channel, 2, &[0x77u8; 32]).unwrap();
3691        assert!(!advanced, "no head row → head not advanced");
3692        assert_eq!(crate::db::community::held_epoch_key(&cid, &orphan_channel, 2).unwrap(), Some([0x77u8; 32]), "key still archived");
3693    }
3694
3695    #[tokio::test]
3696    async fn rotate_channel_publishes_recoverable_rekey_and_advances_own_head() {
3697        use crate::community::derive::{recipient_pseudonym, rekey_pseudonym};
3698        use crate::community::rekey::{open_rekey_blob, open_rekey_event, rekey_pairwise_secret};
3699        let (_tmp, _guard) = init_test_db();
3700        let owner = Keys::generate();
3701        become_local(&owner); // I am the owner (supreme authority to rotate)
3702        let community = saved_community_owned_by(&owner);
3703        let channel_id = community.channels[0].id;
3704        let member = Keys::generate(); // a stayer who must recover the new key
3705        let relay = MemoryRelay::new();
3706
3707        let new_epoch = rotate_channel(&relay, &community, &channel_id, &[member.public_key()], community.server_root_key.as_bytes())
3708            .await
3709            .expect("rotate");
3710        assert_eq!(new_epoch, 1);
3711
3712        // My own head advanced to the new epoch + a fresh key.
3713        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
3714        assert_eq!(reloaded.channels[0].epoch, crate::community::Epoch(1));
3715
3716        // The published rekey is found at the SERVER-ROOT-derived address (no channel key needed) and
3717        // opens under the server root.
3718        let addr = rekey_pseudonym(
3719            &crate::community::ServerRootKey(*community.server_root_key.as_bytes()),
3720            &channel_id, crate::community::Epoch(1),
3721        )
3722        .to_hex();
3723        let found = relay
3724            .fetch(&Query { kinds: vec![event_kind::COMMUNITY_REKEY], z_tags: vec![addr], ..Default::default() }, &community.relays)
3725            .await
3726            .unwrap();
3727        assert_eq!(found.len(), 1, "rekey addressable by its server-root pseudonym");
3728        let parsed = open_rekey_event(&found[0], community.server_root_key.as_bytes()).unwrap();
3729        assert_eq!(parsed.rotator, owner.public_key());
3730        assert_eq!(parsed.new_epoch, crate::community::Epoch(1));
3731        assert_eq!(parsed.prev_epoch, crate::community::Epoch(0));
3732        assert_eq!(parsed.blobs.len(), 2, "the member + me (multi-device) each get a blob");
3733
3734        // The member recovers a key, and it is EXACTLY the key my head advanced to (one source of truth).
3735        let secret = rekey_pairwise_secret(member.secret_key(), &parsed.rotator).unwrap();
3736        let loc = recipient_pseudonym(&secret, parsed.scope, parsed.new_epoch).to_hex();
3737        let mine = parsed.blobs.iter().find(|b| b.locator == loc).expect("member's blob present");
3738        let recovered = open_rekey_blob(member.secret_key(), &parsed.rotator, parsed.scope, parsed.new_epoch, mine).unwrap();
3739        assert_eq!(reloaded.channels[0].key.as_bytes(), &recovered, "member's recovered key == my advanced head key");
3740    }
3741
3742    #[tokio::test]
3743    async fn rotate_channel_failed_publish_leaves_head_unadvanced() {
3744        // The publish-before-advance invariant: if the publish fails, my local head must NOT move to an
3745        // epoch no peer received (else I'd be stranded talking to no one).
3746        let (_tmp, _guard) = init_test_db();
3747        let owner = Keys::generate();
3748        become_local(&owner);
3749        let community = saved_community_owned_by(&owner);
3750        let member = Keys::generate();
3751        let err = rotate_channel(&FailingRelay, &community, &community.channels[0].id, &[member.public_key()], community.server_root_key.as_bytes()).await;
3752        assert!(err.is_err(), "a failed publish must propagate, not silently advance");
3753        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
3754        assert_eq!(reloaded.channels[0].epoch, crate::community::Epoch(0), "head stays put on publish failure");
3755    }
3756
3757    /// Build a properly-chained run of channel rekeys (epoch 1..=n), each citing the prior epoch's key
3758    /// commitment (epoch 1 cites the genesis key), each carrying a blob for `recipient_pk`. Returns the
3759    /// events + the per-epoch keys. Does NOT touch the DB (so the recipient stays "behind" at epoch 0).
3760    fn build_rekey_chain(
3761        owner: &Keys, community: &Community, recipient_pk: &nostr_sdk::PublicKey, n: u64,
3762    ) -> (Vec<Event>, Vec<[u8; 32]>) {
3763        let chan = &community.channels[0];
3764        let scope = super::super::derive::RekeyScope::Channel(chan.id);
3765        let mut prev_key = *chan.key.as_bytes();
3766        let mut events = Vec::new();
3767        let mut keys = Vec::new();
3768        for e in 1..=n {
3769            let new_key = [e as u8; 32];
3770            let blob = super::super::rekey::build_rekey_blob(owner.secret_key(), recipient_pk, scope, crate::community::Epoch(e), &new_key).unwrap();
3771            let commit = super::super::rekey::epoch_key_commitment(crate::community::Epoch(e - 1), &prev_key);
3772            let ev = super::super::rekey::build_channel_rekey_event(
3773                &Keys::generate(), owner, community.server_root_key.as_bytes(), &chan.id,
3774                crate::community::Epoch(e), crate::community::Epoch(e - 1), &commit, &[blob],
3775            ).unwrap();
3776            events.push(ev);
3777            keys.push(new_key);
3778            prev_key = new_key;
3779        }
3780        (events, keys)
3781    }
3782
3783    #[tokio::test]
3784    async fn catch_up_steps_over_a_missing_epoch() {
3785        // W1: a relay-incomplete gap (epoch 2 absent). Catch-up applies 1, steps over the missing 2
3786        // (logged), applies 3 → head reaches the latest present epoch; epoch-2's key stays a hole.
3787        let (_tmp, _guard) = init_test_db();
3788        let owner = Keys::generate();
3789        let me = Keys::generate();
3790        become_local(&me);
3791        let community = saved_community_owned_by(&owner);
3792        let channel_id = community.channels[0].id;
3793        let cid = community.id.to_hex();
3794        let chan_hex = channel_id.to_hex();
3795
3796        let (events, keys) = build_rekey_chain(&owner, &community, &me.public_key(), 3);
3797        let relay = MemoryRelay::new();
3798        relay.inject(&events[0], &community.relays); // epoch 1
3799        relay.inject(&events[2], &community.relays); // epoch 3 — epoch 2 deliberately omitted
3800        let reached = catch_up_channel_rekeys(&relay, &community, &channel_id).await.unwrap();
3801
3802        assert_eq!(reached, 3, "head reaches the latest present epoch, stepping over the gap");
3803        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 1).unwrap(), Some(keys[0]));
3804        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 2).unwrap(), None, "missing epoch is a hole");
3805        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 3).unwrap(), Some(keys[2]));
3806    }
3807
3808    #[tokio::test]
3809    async fn catch_up_recovers_a_rekey_under_a_prior_server_root() {
3810        // A channel rekey is addressed + encrypted under whatever server root was current at publish, and
3811        // the root ratchets on every base rotation. After the base rotates 0→1, an epoch-1 channel rekey
3812        // published under root-0 must STILL be found + opened (we hold root-0 in the archive) — else its
3813        // key is lost. Cross-root catch-up.
3814        let (_tmp, _guard) = init_test_db();
3815        let owner = Keys::generate();
3816        let me = Keys::generate();
3817        become_local(&me);
3818        let root0_community = saved_community_owned_by(&owner);
3819        let cid = root0_community.id.to_hex();
3820        let channel_id = root0_community.channels[0].id;
3821        let chan_hex = channel_id.to_hex();
3822        let scope = super::super::derive::RekeyScope::Channel(channel_id);
3823        let genesis_key = *root0_community.channels[0].key.as_bytes();
3824
3825        // Base rotation 0→1; the member now holds BOTH roots (epoch 0 from save, epoch 1 from advance).
3826        let root1 = [0x99u8; 32];
3827        crate::db::community::advance_server_root_epoch(&cid, 1, &root1).unwrap();
3828        let community = crate::db::community::load_community(&root0_community.id).unwrap().unwrap();
3829        assert_eq!(community.server_root_epoch, crate::community::Epoch(1));
3830
3831        // Epoch-1 channel rekey under the PRIOR root (root-0); epoch-2 under the CURRENT root (root-1).
3832        let (k1, k2) = ([0x11u8; 32], [0x22u8; 32]);
3833        let blob1 = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), &k1).unwrap();
3834        let commit0 = super::super::rekey::epoch_key_commitment(crate::community::Epoch(0), &genesis_key);
3835        let ev1 = super::super::rekey::build_channel_rekey_event(
3836            &Keys::generate(), &owner, root0_community.server_root_key.as_bytes(), &channel_id,
3837            crate::community::Epoch(1), crate::community::Epoch(0), &commit0, &[blob1]).unwrap();
3838        let blob2 = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(2), &k2).unwrap();
3839        let commit1 = super::super::rekey::epoch_key_commitment(crate::community::Epoch(1), &k1);
3840        let ev2 = super::super::rekey::build_channel_rekey_event(
3841            &Keys::generate(), &owner, &root1, &channel_id,
3842            crate::community::Epoch(2), crate::community::Epoch(1), &commit1, &[blob2]).unwrap();
3843
3844        let relay = MemoryRelay::new();
3845        relay.inject(&ev1, &community.relays);
3846        relay.inject(&ev2, &community.relays);
3847
3848        let reached = catch_up_channel_rekeys(&relay, &community, &channel_id).await.unwrap();
3849        assert_eq!(reached, 2, "reached the latest channel epoch across the server-root rotation");
3850        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 1).unwrap(), Some(k1),
3851            "epoch-1 key recovered from a rekey under the PRIOR server root");
3852        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 2).unwrap(), Some(k2));
3853    }
3854
3855    #[tokio::test]
3856    async fn catch_up_backfills_a_sub_head_gap() {
3857        // An EXISTING hole below the head (an earlier catch-up leapfrogged epoch 1). The forward window
3858        // never revisits sub-head epochs, so the backward gap-fill must re-fetch + apply it.
3859        let (_tmp, _guard) = init_test_db();
3860        let owner = Keys::generate();
3861        let me = Keys::generate();
3862        become_local(&me);
3863        let community = saved_community_owned_by(&owner);
3864        let cid = community.id.to_hex();
3865        let channel_id = community.channels[0].id;
3866        let chan_hex = channel_id.to_hex();
3867        let scope = super::super::derive::RekeyScope::Channel(channel_id);
3868        let genesis_key = *community.channels[0].key.as_bytes();
3869
3870        // Pre-existing state: head already at epoch 2 (with its key), but epoch 1 is a HOLE.
3871        let k2 = [0x22u8; 32];
3872        crate::db::community::advance_channel_epoch(&cid, &chan_hex, 2, &k2).unwrap();
3873        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 1).unwrap(), None, "epoch 1 starts as a hole");
3874
3875        // Epoch-1's rekey is on relays (under the current root). The backward gap-fill should recover it.
3876        let k1 = [0x11u8; 32];
3877        let blob1 = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), &k1).unwrap();
3878        let commit0 = super::super::rekey::epoch_key_commitment(crate::community::Epoch(0), &genesis_key);
3879        let ev1 = super::super::rekey::build_channel_rekey_event(
3880            &Keys::generate(), &owner, community.server_root_key.as_bytes(), &channel_id,
3881            crate::community::Epoch(1), crate::community::Epoch(0), &commit0, &[blob1]).unwrap();
3882        let relay = MemoryRelay::new();
3883        relay.inject(&ev1, &community.relays);
3884
3885        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
3886        let reached = catch_up_channel_rekeys(&relay, &community, &channel_id).await.unwrap();
3887        assert_eq!(reached, 2, "head unchanged (gap-fill never regresses it)");
3888        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 1).unwrap(), Some(k1),
3889            "the sub-head hole was backfilled");
3890    }
3891
3892    #[tokio::test]
3893    async fn catch_up_walks_a_chain_of_rotations_to_the_latest() {
3894        let (_tmp, _guard) = init_test_db();
3895        let owner = Keys::generate();
3896        let me = Keys::generate();
3897        become_local(&me); // I'm a member, behind at epoch 0
3898        let community = saved_community_owned_by(&owner);
3899        let channel_id = community.channels[0].id;
3900        let cid = community.id.to_hex();
3901        let chan_hex = channel_id.to_hex();
3902
3903        // 3 rotations happened while I was away; inject them onto the relay (unordered).
3904        let (events, keys) = build_rekey_chain(&owner, &community, &me.public_key(), 3);
3905        let relay = MemoryRelay::new();
3906        for ev in events.iter().rev() {
3907            relay.inject(ev, &community.relays);
3908        }
3909
3910        let reached = catch_up_channel_rekeys(&relay, &community, &channel_id).await.unwrap();
3911        assert_eq!(reached, 3, "caught up to the latest epoch");
3912        // Head advanced to 3 with epoch-3's key; ALL intervening epoch keys retained.
3913        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
3914        assert_eq!(reloaded.channels[0].epoch, crate::community::Epoch(3));
3915        assert_eq!(reloaded.channels[0].key.as_bytes(), &keys[2]);
3916        for (i, k) in keys.iter().enumerate() {
3917            assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, (i + 1) as u64).unwrap(), Some(*k));
3918        }
3919    }
3920
3921    #[tokio::test]
3922    async fn catch_up_slides_across_the_window_boundary() {
3923        // Exercises the multi-round slide arithmetic: 70 contiguous rotations (all for me) exceed the
3924        // 64-wide window, so catch-up must fetch window 1 (1..64), advance, then slide to window 2 and
3925        // reach 70 — proving the window math, not just a single-window apply.
3926        let (_tmp, _guard) = init_test_db();
3927        let owner = Keys::generate();
3928        let me = Keys::generate();
3929        become_local(&me);
3930        let community = saved_community_owned_by(&owner);
3931        let channel_id = community.channels[0].id;
3932        let cid = community.id.to_hex();
3933        let chan_hex = channel_id.to_hex();
3934
3935        let (events, keys) = build_rekey_chain(&owner, &community, &me.public_key(), 70);
3936        let relay = MemoryRelay::new();
3937        for ev in &events {
3938            relay.inject(ev, &community.relays);
3939        }
3940        let reached = catch_up_channel_rekeys(&relay, &community, &channel_id).await.unwrap();
3941        assert_eq!(reached, 70, "slid past the 64-epoch window boundary to the latest");
3942        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 70).unwrap(), Some(keys[69]));
3943        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 64).unwrap(), Some(keys[63]), "window-1 keys retained too");
3944    }
3945
3946    // --- catch_up_server_root (#4d) ---
3947
3948    /// A properly-chained run of base rekeys (epoch 1..=n), each enveloped under the PRIOR root and
3949    /// citing it, each carrying a ServerRoot blob for `recipient_pk`. Returns the events + per-epoch
3950    /// roots. Does NOT touch the DB (the recipient stays "behind" at base epoch 0).
3951    fn build_base_rekey_chain(
3952        owner: &Keys, community: &Community, recipient_pk: &nostr_sdk::PublicKey, n: u64,
3953    ) -> (Vec<Event>, Vec<[u8; 32]>) {
3954        let mut prior_root = *community.server_root_key.as_bytes();
3955        let mut events = Vec::new();
3956        let mut roots = Vec::new();
3957        for e in 1..=n {
3958            let new_root = [(e % 256) as u8; 32];
3959            let blob = super::super::rekey::build_rekey_blob(
3960                owner.secret_key(), recipient_pk, super::super::derive::RekeyScope::ServerRoot, crate::community::Epoch(e), &new_root,
3961            )
3962            .unwrap();
3963            let commit = super::super::rekey::epoch_key_commitment(crate::community::Epoch(e - 1), &prior_root);
3964            events.push(super::super::rekey::build_server_root_rekey_event(
3965                &Keys::generate(), owner, &prior_root, &community.id,
3966                crate::community::Epoch(e), crate::community::Epoch(e - 1), &commit, &[blob],
3967            ).unwrap());
3968            roots.push(new_root);
3969            prior_root = new_root;
3970        }
3971        (events, roots)
3972    }
3973
3974    #[tokio::test]
3975    async fn catch_up_server_root_walks_a_chain_of_base_rotations() {
3976        let (_tmp, _guard) = init_test_db();
3977        let owner = Keys::generate();
3978        let me = Keys::generate();
3979        become_local(&me);
3980        let community = saved_community_owned_by(&owner);
3981        let cid = community.id.to_hex();
3982
3983        let (events, roots) = build_base_rekey_chain(&owner, &community, &me.public_key(), 3);
3984        let relay = MemoryRelay::new();
3985        for ev in events.iter().rev() {
3986            relay.inject(ev, &community.relays);
3987        }
3988        let reached = catch_up_server_root(&relay, &community).await.unwrap();
3989        assert_eq!(reached.epoch, 3, "walked the base chain to the latest epoch");
3990        assert!(!reached.removed, "a normal catch-up is not a removal");
3991        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
3992        assert_eq!(reloaded.server_root_epoch, crate::community::Epoch(3));
3993        assert_eq!(reloaded.server_root_key.as_bytes(), &roots[2], "base head is the latest root");
3994        // All intervening roots retained (read old control/base history).
3995        for (i, r) in roots.iter().enumerate() {
3996            assert_eq!(crate::db::community::held_epoch_key(&cid, crate::community::SERVER_ROOT_SCOPE_HEX, (i + 1) as u64).unwrap(), Some(*r));
3997        }
3998    }
3999
4000    #[tokio::test]
4001    async fn catch_up_recovers_from_a_split_base_rotation_second_chunk() {
4002        // SPLIT: a base rotation at epoch 1 is published as TWO chunk events at the SAME address; MY
4003        // blob is in the SECOND chunk. The walk must try both and recover from chunk 2 — the old
4004        // first-match logic would have hit chunk 1 (no blob for me), read it as removal, and stranded me.
4005        let (_tmp, _guard) = init_test_db();
4006        let owner = Keys::generate();
4007        let me = Keys::generate();
4008        become_local(&me);
4009        let community = saved_community_owned_by(&owner);
4010        let genesis = *community.server_root_key.as_bytes();
4011        let new_root = [0x5Au8; 32];
4012        let scope = super::super::derive::RekeyScope::ServerRoot;
4013        let commit = super::super::rekey::epoch_key_commitment(crate::community::Epoch(0), &genesis);
4014        let mk = |recipient: &nostr_sdk::PublicKey| {
4015            let blob = super::super::rekey::build_rekey_blob(owner.secret_key(), recipient, scope, crate::community::Epoch(1), &new_root).unwrap();
4016            super::super::rekey::build_server_root_rekey_event(
4017                &Keys::generate(), &owner, &genesis, &community.id,
4018                crate::community::Epoch(1), crate::community::Epoch(0), &commit, &[blob],
4019            ).unwrap()
4020        };
4021        let relay = MemoryRelay::new();
4022        relay.inject(&mk(&Keys::generate().public_key()), &community.relays); // chunk 1: NOT for me
4023        relay.inject(&mk(&me.public_key()), &community.relays); // chunk 2: my blob
4024
4025        let reached = catch_up_server_root(&relay, &community).await.unwrap();
4026        assert_eq!(reached.epoch, 1, "recovered the split rotation via the second chunk");
4027        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
4028        assert_eq!(reloaded.server_root_key.as_bytes(), &new_root, "recovered the new root from chunk 2");
4029    }
4030
4031    #[tokio::test]
4032    async fn catch_up_converges_concurrent_refoundings_on_the_lowest_root() {
4033        // B2: two BAN-holders re-found at the SAME epoch, each delivering a DIFFERENT new root to me. Every
4034        // member must pick the SAME canonical root or the community forks irrecoverably. The walk converges
4035        // on the LOWEST new-root bytes — deterministic for everyone — regardless of which arrived first.
4036        let (_tmp, _guard) = init_test_db();
4037        let owner = Keys::generate();
4038        let me = Keys::generate();
4039        become_local(&me);
4040        let community = saved_community_owned_by(&owner);
4041        let genesis = *community.server_root_key.as_bytes();
4042        let scope = super::super::derive::RekeyScope::ServerRoot;
4043        let commit = super::super::rekey::epoch_key_commitment(crate::community::Epoch(0), &genesis);
4044        let root_lo = [0x10u8; 32];
4045        let root_hi = [0xF0u8; 32]; // root_lo < root_hi bytewise
4046        let mk = |root: &[u8; 32]| {
4047            let blob = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), root).unwrap();
4048            super::super::rekey::build_server_root_rekey_event(
4049                &Keys::generate(), &owner, &genesis, &community.id,
4050                crate::community::Epoch(1), crate::community::Epoch(0), &commit, &[blob],
4051            ).unwrap()
4052        };
4053        let relay = MemoryRelay::new();
4054        // Inject the HIGHER root FIRST — "first-arrived" logic would pick the wrong one without the tiebreak.
4055        relay.inject(&mk(&root_hi), &community.relays);
4056        relay.inject(&mk(&root_lo), &community.relays);
4057
4058        let reached = catch_up_server_root(&relay, &community).await.unwrap();
4059        assert_eq!(reached.epoch, 1, "advanced one epoch");
4060        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
4061        assert_eq!(reloaded.server_root_key.as_bytes(), &root_lo, "converged on the LOWEST root, not the first-arrived");
4062    }
4063
4064    #[tokio::test]
4065    async fn rotate_retry_reuses_the_archived_root_no_same_epoch_fork() {
4066        // FORK-SAFETY crux: a rotation whose publish fails archives the new root, and a RETRY reuses that
4067        // SAME root (never mints a fresh one for the same epoch — which would split recipients onto
4068        // incompatible keys). Fail the base rekey publish, capture the archived root, recover the relay,
4069        // retry, and assert the root is identical.
4070        let (_tmp, _guard) = init_test_db();
4071        let owner = Keys::generate();
4072        become_local(&owner);
4073        let community = saved_community_owned_by(&owner);
4074        let cid = community.id.to_hex();
4075        let relay = RekeyFailingRelay::new(); // base rekey (3303) publish fails
4076        let member = Keys::generate();
4077
4078        assert!(rotate_server_root(&relay, &community, &[member.public_key()]).await.is_err(), "the rekey publish fails");
4079        let k1 = crate::db::community::held_epoch_key(&cid, crate::community::SERVER_ROOT_SCOPE_HEX, 1).unwrap()
4080            .expect("the new root is archived before publishing (fork-safety)");
4081        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
4082        assert_eq!(reloaded.server_root_epoch, crate::community::Epoch(0), "head not advanced on a failed publish");
4083
4084        relay.allow_rekey();
4085        rotate_server_root(&relay, &reloaded, &[member.public_key()]).await.unwrap();
4086        let k2 = crate::db::community::held_epoch_key(&cid, crate::community::SERVER_ROOT_SCOPE_HEX, 1).unwrap().unwrap();
4087        assert_eq!(k1, k2, "the retry REUSES the archived root — no second root for epoch 1, no fork");
4088        let after = crate::db::community::load_community(&community.id).unwrap().unwrap();
4089        assert_eq!(after.server_root_epoch, crate::community::Epoch(1), "the retry completed the rotation");
4090        assert_eq!(after.server_root_key.as_bytes(), &k1, "the committed root is the one minted on attempt 1");
4091    }
4092
4093    #[tokio::test]
4094    async fn rotate_server_root_splits_a_large_recipient_set_into_multiple_events() {
4095        // A recipient set past MAX_REKEY_BLOBS publishes as MULTIPLE chunk events at one address.
4096        let (_tmp, _guard) = init_test_db();
4097        let owner = Keys::generate();
4098        become_local(&owner);
4099        let community = saved_community_owned_by(&owner);
4100        let genesis = *community.server_root_key.as_bytes();
4101        let relay = MemoryRelay::new();
4102        // MAX_REKEY_BLOBS recipients + the owner self-blob = MAX+1 blobs → exactly 2 chunks.
4103        let recipients: Vec<_> = (0..super::super::rekey::MAX_REKEY_BLOBS).map(|_| Keys::generate().public_key()).collect();
4104        rotate_server_root(&relay, &community, &recipients).await.unwrap();
4105        let addr = super::super::derive::base_rekey_pseudonym(&super::super::ServerRootKey(genesis), &community.id, crate::community::Epoch(1)).to_hex();
4106        let evs = relay
4107            .fetch(&Query { kinds: vec![event_kind::COMMUNITY_REKEY], z_tags: vec![addr], ..Default::default() }, &community.relays)
4108            .await
4109            .unwrap();
4110        assert_eq!(evs.len(), 2, "a >MAX_REKEY_BLOBS rotation splits into 2 events at one address");
4111    }
4112
4113    #[tokio::test]
4114    async fn catch_up_server_root_is_a_noop_with_no_rotations() {
4115        let (_tmp, _guard) = init_test_db();
4116        let owner = Keys::generate();
4117        let me = Keys::generate();
4118        become_local(&me);
4119        let community = saved_community_owned_by(&owner);
4120        let relay = MemoryRelay::new();
4121        assert_eq!(catch_up_server_root(&relay, &community).await.unwrap().epoch, 0, "no base rotations → stays at 0");
4122    }
4123
4124    #[tokio::test]
4125    async fn concurrent_refounders_converge_to_the_lowest_root() {
4126        // Two BAN-holders re-found at the SAME epoch with DIFFERENT roots → each ORIGINATOR ends on its own
4127        // root (the forward walk only tiebreaks at head+1). The current-head convergence reconciles them:
4128        // whoever holds the HIGHER root adopts the LOWER (deterministic winner). This is the exact case the
4129        // live dual-admin race broke — the bystander-only B2 test never covered the originators self-healing.
4130        let (_tmp, _guard) = init_test_db();
4131        let owner = Keys::generate();
4132        let me = Keys::generate();
4133        become_local(&me); // a member sitting on the LOSING (higher) root after my own concurrent re-founding
4134        let community = saved_community_owned_by(&owner);
4135        let cid = community.id.to_hex();
4136        let genesis_root = *community.server_root_key.as_bytes();
4137        let scope = super::super::derive::RekeyScope::ServerRoot;
4138
4139        // The OTHER originator's epoch-1 base rekey (root_lo, the winner) — carries a blob for ME, addressed
4140        // under the genesis (prior) root. Owner-authored, so it's authorized (supreme) regardless of roster.
4141        let root_lo = [0x10u8; 32];
4142        let root_hi = [0x99u8; 32]; // my own losing fork's root
4143        let commit0 = super::super::rekey::epoch_key_commitment(crate::community::Epoch(0), &genesis_root);
4144        let blob_lo = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), &root_lo).unwrap();
4145        let ev_lo = super::super::rekey::build_server_root_rekey_event(
4146            &Keys::generate(), &owner, &genesis_root, &community.id, crate::community::Epoch(1), crate::community::Epoch(0), &commit0, &[blob_lo]).unwrap();
4147
4148        let relay = MemoryRelay::new();
4149        relay.inject(&ev_lo, &community.relays);
4150
4151        // I'm currently on the HIGHER root at epoch 1 (my own losing fork).
4152        crate::db::community::advance_server_root_epoch(&cid, 1, &root_hi).unwrap();
4153        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
4154        assert_eq!(community.server_root_key.as_bytes(), &root_hi, "start on the higher root");
4155
4156        let out = catch_up_server_root(&relay, &community).await.unwrap();
4157        assert_eq!(out.epoch, 1, "converged in place at the same epoch (not advanced)");
4158        assert!(!out.removed);
4159        let after = crate::db::community::load_community(&community.id).unwrap().unwrap();
4160        assert_eq!(after.server_root_key.as_bytes(), &root_lo, "originator converged to the lowest authorized root");
4161
4162        // Idempotent: a second pass holding the winner stays put (no flip back to the higher root).
4163        let _ = catch_up_server_root(&relay, &after).await.unwrap();
4164        assert_eq!(crate::db::community::load_community(&community.id).unwrap().unwrap().server_root_key.as_bytes(), &root_lo, "no flip-flop");
4165    }
4166
4167    #[tokio::test]
4168    async fn banned_rotators_rekey_is_not_a_convergence_candidate() {
4169        // §6 banlist precedence on the rekey plane: an admin who holds a (withheld-revoke) BAN grant
4170        // but sits on the SYNCED banlist must not be honored as a rotator — not by apply, not by the
4171        // forward walk, not by the heal. Here the banned admin's re-founding delivers a byte-LOWER
4172        // root than the one I hold; without the banlist gate the heal would adopt it.
4173        let (_tmp, _guard) = init_test_db();
4174        let owner = Keys::generate();
4175        let me = Keys::generate();
4176        let banned_admin = Keys::generate();
4177        become_local(&me);
4178        let community = saved_community_owned_by(&owner);
4179        let cid = community.id.to_hex();
4180        let genesis_root = *community.server_root_key.as_bytes();
4181        let scope = super::super::derive::RekeyScope::ServerRoot;
4182
4183        // The attacker still ranks in the roster (their grant-revoke is "withheld")...
4184        let role_id = "e".repeat(64);
4185        let roster = crate::community::roles::CommunityRoles {
4186            roles: vec![crate::community::roles::Role::admin(role_id.clone())],
4187            grants: vec![crate::community::roles::MemberGrant { member: banned_admin.public_key().to_hex(), role_ids: vec![role_id] }],
4188        };
4189        crate::db::community::set_community_roles(&cid, &roster, 1).unwrap();
4190        // ...but the banlist naming them DID sync. Banlist must dominate.
4191        crate::db::community::set_community_banlist(&cid, &[banned_admin.public_key().to_hex()], 2).unwrap();
4192
4193        // Banned admin's epoch-1 re-founding with a ground-low root, blob addressed to me.
4194        let root_evil = [0x01u8; 32];
4195        let commit0 = super::super::rekey::epoch_key_commitment(crate::community::Epoch(0), &genesis_root);
4196        let blob = super::super::rekey::build_rekey_blob(banned_admin.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), &root_evil).unwrap();
4197        let ev = super::super::rekey::build_server_root_rekey_event(
4198            &Keys::generate(), &banned_admin, &genesis_root, &community.id, crate::community::Epoch(1), crate::community::Epoch(0), &commit0, &[blob]).unwrap();
4199        let relay = MemoryRelay::new();
4200        relay.inject(&ev, &community.relays);
4201
4202        // Forward walk: the banned rotation is the ONLY epoch-1 candidate → not adopted, not a
4203        // removal signal (a banned admin can't trick members into self-erasing either).
4204        let out = catch_up_server_root(&relay, &community).await.unwrap();
4205        assert_eq!(out.epoch, 0, "banned rotator's re-founding must not advance the base");
4206        assert!(!out.removed, "banned rotator's exclusion must not read as an authorized removal");
4207        let after = crate::db::community::load_community(&community.id).unwrap().unwrap();
4208        assert_eq!(after.server_root_key.as_bytes(), &genesis_root, "root unchanged");
4209
4210        // Direct apply refuses too.
4211        let parsed = super::super::rekey::open_rekey_event(&ev, &genesis_root).unwrap();
4212        assert!(apply_server_root_rekey(&community, &parsed).is_err(), "apply must refuse a banned rotator");
4213    }
4214
4215    #[tokio::test]
4216    async fn heal_abandons_a_deauthorized_root_for_the_authorized_higher_sibling() {
4217        // B1 (rekey-race fork): I adopted a since-BANNED admin's ground-low epoch-1 root before the
4218        // banlist reached me. Once the banlist syncs, the heal must abandon their root and climb UP
4219        // to the owner's legitimate (byte-higher) sibling — authority dominates the down-only rule.
4220        let (_tmp, _guard) = init_test_db();
4221        let owner = Keys::generate();
4222        let me = Keys::generate();
4223        let banned_admin = Keys::generate();
4224        become_local(&me);
4225        let community = saved_community_owned_by(&owner);
4226        let cid = community.id.to_hex();
4227        let genesis_root = *community.server_root_key.as_bytes();
4228        let scope = super::super::derive::RekeyScope::ServerRoot;
4229        let commit0 = super::super::rekey::epoch_key_commitment(crate::community::Epoch(0), &genesis_root);
4230
4231        // Both epoch-1 siblings on the wire, addressed under the shared genesis root:
4232        // the attacker's (ground-low) and the owner's (higher).
4233        let root_evil = [0x01u8; 32];
4234        let root_owner = [0x77u8; 32];
4235        let blob_evil = super::super::rekey::build_rekey_blob(banned_admin.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), &root_evil).unwrap();
4236        let ev_evil = super::super::rekey::build_server_root_rekey_event(
4237            &Keys::generate(), &banned_admin, &genesis_root, &community.id, crate::community::Epoch(1), crate::community::Epoch(0), &commit0, &[blob_evil]).unwrap();
4238        let blob_owner = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), &root_owner).unwrap();
4239        let ev_owner = super::super::rekey::build_server_root_rekey_event(
4240            &Keys::generate(), &owner, &genesis_root, &community.id, crate::community::Epoch(1), crate::community::Epoch(0), &commit0, &[blob_owner]).unwrap();
4241        let relay = MemoryRelay::new();
4242        relay.inject(&ev_evil, &community.relays);
4243        relay.inject(&ev_owner, &community.relays);
4244
4245        // I already adopted the attacker's root at epoch 1 (the race), and the ban has now synced.
4246        crate::db::community::advance_server_root_epoch(&cid, 1, &root_evil).unwrap();
4247        crate::db::community::set_community_banlist(&cid, &[banned_admin.public_key().to_hex()], 2).unwrap();
4248        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
4249        assert_eq!(community.server_root_key.as_bytes(), &root_evil, "start partitioned on the attacker's root");
4250
4251        let out = catch_up_server_root(&relay, &community).await.unwrap();
4252        assert_eq!(out.epoch, 1);
4253        assert!(!out.removed);
4254        let after = crate::db::community::load_community(&community.id).unwrap().unwrap();
4255        assert_eq!(after.server_root_key.as_bytes(), &root_owner,
4256            "heal must abandon the deauthorized root and adopt the owner's higher sibling");
4257
4258        // Stable: re-running keeps the owner's root (the attacker's lower root never wins again).
4259        let _ = catch_up_server_root(&relay, &after).await.unwrap();
4260        assert_eq!(crate::db::community::load_community(&community.id).unwrap().unwrap().server_root_key.as_bytes(), &root_owner, "no flap back to the banned root");
4261    }
4262
4263    #[tokio::test]
4264    async fn concurrent_channel_rekeyers_converge_to_the_lowest_key() {
4265        // Two MANAGE_CHANNELS holders rotate the SAME channel at the SAME epoch with DIFFERENT keys —
4266        // a true fork inside the propagation window. Both rekeys land at the same address under the (already
4267        // converged) server root, so relay order would otherwise decide last-write-wins. The current-head
4268        // heal must pick the LOWEST delivered key deterministically — every member computes the same winner.
4269        let (_tmp, _guard) = init_test_db();
4270        let owner = Keys::generate();
4271        let me = Keys::generate();
4272        become_local(&me); // a member sitting on the LOSING (higher) channel key after my own fork
4273        let community = saved_community_owned_by(&owner);
4274        let cid = community.id.to_hex();
4275        let channel_id = community.channels[0].id;
4276        let chan_hex = channel_id.to_hex();
4277        let scope = super::super::derive::RekeyScope::Channel(channel_id);
4278        let genesis_key = *community.channels[0].key.as_bytes();
4279        let root = *community.server_root_key.as_bytes();
4280        let commit0 = super::super::rekey::epoch_key_commitment(crate::community::Epoch(0), &genesis_key);
4281
4282        // Two owner-authorized epoch-1 channel rekeys, each carrying a blob for ME, both citing genesis.
4283        let key_lo = [0x10u8; 32];
4284        let key_hi = [0x99u8; 32];
4285        let blob_lo = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), &key_lo).unwrap();
4286        let blob_hi = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), &key_hi).unwrap();
4287        let ev_lo = super::super::rekey::build_channel_rekey_event(
4288            &Keys::generate(), &owner, &root, &channel_id, crate::community::Epoch(1), crate::community::Epoch(0), &commit0, &[blob_lo]).unwrap();
4289        let ev_hi = super::super::rekey::build_channel_rekey_event(
4290            &Keys::generate(), &owner, &root, &channel_id, crate::community::Epoch(1), crate::community::Epoch(0), &commit0, &[blob_hi]).unwrap();
4291
4292        let relay = MemoryRelay::new();
4293        relay.inject(&ev_hi, &community.relays); // inject the HIGHER first: naive relay-order would pick it
4294        relay.inject(&ev_lo, &community.relays);
4295
4296        // The two forked channel rekeys are addressed under the PRIOR
4297        // (shared) root they cite, not the current one. Advance the SERVER root so genesis becomes a prior
4298        // root — the heal must search EVERY held root to find them. A current-root-only fetch
4299        // missed both and never converged (the channel forked live while the base healed).
4300        crate::db::community::advance_server_root_epoch(&cid, 1, &[0x42u8; 32]).unwrap();
4301        // I'm currently on the HIGHER key at epoch 1 (my own losing fork).
4302        crate::db::community::advance_channel_epoch(&cid, &chan_hex, 1, &key_hi).unwrap();
4303        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
4304
4305        let reached = catch_up_channel_rekeys(&relay, &community, &channel_id).await.unwrap();
4306        assert_eq!(reached, 1, "converged in place at the same channel epoch");
4307        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 1).unwrap(), Some(key_lo),
4308            "adopted the lowest delivered key regardless of relay order");
4309
4310        // Idempotent: re-running holding the winner stays put (no flip back to the higher key).
4311        let after = crate::db::community::load_community(&community.id).unwrap().unwrap();
4312        let _ = catch_up_channel_rekeys(&relay, &after, &channel_id).await.unwrap();
4313        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 1).unwrap(), Some(key_lo), "no flip-flop");
4314    }
4315
4316    #[tokio::test]
4317    async fn concurrent_channel_rekeyers_converge_when_i_authored_the_losing_fork() {
4318        // FAITHFUL LIVE REPLICA of the dual-admin ban (the case the simpler test missed): TWO DISTINCT
4319        // authorized rotators (owner + a granted admin), and the LOCAL user IS one of them — I authored the
4320        // HIGHER (losing) channel rekey myself, the owner authored the lower. Both sit under the PRIOR shared
4321        // root, both deliver a blob to me. The heal must still converge ME down to the owner's lower key.
4322        let (_tmp, _guard) = init_test_db();
4323        let owner = Keys::generate();
4324        let me = Keys::generate(); // I am the ADMIN rotator (not a bystander) — mirrors the agent in the live test
4325        become_local(&me);
4326        let community = saved_community_owned_by(&owner);
4327        let cid = community.id.to_hex();
4328        let channel_id = community.channels[0].id;
4329        let chan_hex = channel_id.to_hex();
4330        let scope = super::super::derive::RekeyScope::Channel(channel_id);
4331        let genesis_key = *community.channels[0].key.as_bytes();
4332        let root = *community.server_root_key.as_bytes();
4333        let commit0 = super::super::rekey::epoch_key_commitment(crate::community::Epoch(0), &genesis_key);
4334
4335        // Grant ME (the admin) a role carrying MANAGE_CHANNELS, so MY OWN rekey is an authorized candidate
4336        // (owner is supreme regardless). Without this the heal would trivially pick the owner's; with it,
4337        // BOTH siblings are authorized — exactly the live ambiguity that must resolve to the lowest key.
4338        let role_id = "d".repeat(64);
4339        let roster = crate::community::roles::CommunityRoles {
4340            roles: vec![crate::community::roles::Role::admin(role_id.clone())],
4341            grants: vec![crate::community::roles::MemberGrant { member: me.public_key().to_hex(), role_ids: vec![role_id] }],
4342        };
4343        crate::db::community::set_community_roles(&cid, &roster, 1).unwrap();
4344
4345        let key_lo = [0x10u8; 32]; // owner's (the winner)
4346        let key_hi = [0x99u8; 32]; // MINE (the losing fork I authored + currently hold)
4347        // Owner's rekey: rotator = owner, blob for ME.
4348        let blob_lo = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), &key_lo).unwrap();
4349        let ev_lo = super::super::rekey::build_channel_rekey_event(
4350            &Keys::generate(), &owner, &root, &channel_id, crate::community::Epoch(1), crate::community::Epoch(0), &commit0, &[blob_lo]).unwrap();
4351        // MY rekey: rotator = me (the admin), blob for ME (self-delivered, as rotate_channel always adds self).
4352        let blob_hi = super::super::rekey::build_rekey_blob(me.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), &key_hi).unwrap();
4353        let ev_hi = super::super::rekey::build_channel_rekey_event(
4354            &Keys::generate(), &me, &root, &channel_id, crate::community::Epoch(1), crate::community::Epoch(0), &commit0, &[blob_hi]).unwrap();
4355
4356        let relay = MemoryRelay::new();
4357        relay.inject(&ev_hi, &community.relays);
4358        relay.inject(&ev_lo, &community.relays);
4359
4360        // The rekeys are under genesis (prior) root; advance the SERVER root so genesis is no longer current.
4361        crate::db::community::advance_server_root_epoch(&cid, 1, &[0x42u8; 32]).unwrap();
4362        // I currently hold MY OWN (higher) key at channel epoch 1.
4363        crate::db::community::advance_channel_epoch(&cid, &chan_hex, 1, &key_hi).unwrap();
4364        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
4365
4366        let _ = catch_up_channel_rekeys(&relay, &community, &channel_id).await.unwrap();
4367        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 1).unwrap(), Some(key_lo),
4368            "I authored the losing fork but must converge DOWN to the owner's lower key");
4369    }
4370
4371    #[tokio::test]
4372    async fn reorg_through_a_fork_heals_the_forked_past_epoch() {
4373        // I sit on the LOSING sibling at a PAST channel epoch (epoch 1) and then reorg forward when an
4374        // authorized epoch-2 rekey continues from the WINNING epoch-1 key. Advancing the head alone leaves
4375        // epoch 1 on the wrong key (its messages unreadable). catch_up must re-converge the forked PAST epoch
4376        // to the lowest sibling — not just the head.
4377        let (_tmp, _guard) = init_test_db();
4378        let owner = Keys::generate();
4379        let me = Keys::generate();
4380        become_local(&me);
4381        let community = saved_community_owned_by(&owner);
4382        let cid = community.id.to_hex();
4383        let channel_id = community.channels[0].id;
4384        let chan_hex = channel_id.to_hex();
4385        let scope = super::super::derive::RekeyScope::Channel(channel_id);
4386        let genesis_key = *community.channels[0].key.as_bytes();
4387        let root = *community.server_root_key.as_bytes();
4388        let commit0 = super::super::rekey::epoch_key_commitment(crate::community::Epoch(0), &genesis_key);
4389
4390        // Two owner-authorized epoch-1 siblings (the fork), both delivering a blob to me.
4391        let key_lo1 = [0x10u8; 32]; // winner at epoch 1
4392        let key_hi1 = [0x99u8; 32]; // loser at epoch 1 (what I currently hold)
4393        let key_e2 = [0x20u8; 32]; // epoch 2, continuing from the WINNER's key_lo1
4394        let blob_lo1 = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), &key_lo1).unwrap();
4395        let blob_hi1 = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), &key_hi1).unwrap();
4396        let ev_lo1 = super::super::rekey::build_channel_rekey_event(
4397            &Keys::generate(), &owner, &root, &channel_id, crate::community::Epoch(1), crate::community::Epoch(0), &commit0, &[blob_lo1]).unwrap();
4398        let ev_hi1 = super::super::rekey::build_channel_rekey_event(
4399            &Keys::generate(), &owner, &root, &channel_id, crate::community::Epoch(1), crate::community::Epoch(0), &commit0, &[blob_hi1]).unwrap();
4400        // Epoch 2 cites the WINNER's epoch-1 key — applying it while I hold key_hi1 is the reorg.
4401        let commit1_win = super::super::rekey::epoch_key_commitment(crate::community::Epoch(1), &key_lo1);
4402        let blob_e2 = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(2), &key_e2).unwrap();
4403        let ev_e2 = super::super::rekey::build_channel_rekey_event(
4404            &Keys::generate(), &owner, &root, &channel_id, crate::community::Epoch(2), crate::community::Epoch(1), &commit1_win, &[blob_e2]).unwrap();
4405
4406        let relay = MemoryRelay::new();
4407        relay.inject(&ev_lo1, &community.relays);
4408        relay.inject(&ev_hi1, &community.relays);
4409        relay.inject(&ev_e2, &community.relays);
4410
4411        // All three rekeys are under the genesis (now-prior) server root.
4412        crate::db::community::advance_server_root_epoch(&cid, 1, &[0x42u8; 32]).unwrap();
4413        // I'm sitting on the LOSING epoch-1 key.
4414        crate::db::community::advance_channel_epoch(&cid, &chan_hex, 1, &key_hi1).unwrap();
4415        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
4416
4417        let reached = catch_up_channel_rekeys(&relay, &community, &channel_id).await.unwrap();
4418        assert_eq!(reached, 2, "reorged forward to the head epoch");
4419        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 2).unwrap(), Some(key_e2), "head epoch adopted");
4420        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 1).unwrap(), Some(key_lo1),
4421            "the FORKED past epoch re-converged to the lowest sibling (its messages become readable)");
4422    }
4423
4424    #[tokio::test]
4425    async fn window_heal_converges_an_already_reorged_past_fork() {
4426        // A member sitting at head epoch 2 holding the LOSING sibling at epoch 1, with NO new rekey to apply
4427        // this sync (so the in-sync forked-epoch set stays empty). The recent-window heal must STILL
4428        // re-converge epoch 1 to the lowest sibling — otherwise its messages are stranded forever. Distinct
4429        // from `reorg_through_a_fork_*` (which reorgs in-sync).
4430        let (_tmp, _guard) = init_test_db();
4431        let owner = Keys::generate();
4432        let me = Keys::generate();
4433        become_local(&me);
4434        let community = saved_community_owned_by(&owner);
4435        let cid = community.id.to_hex();
4436        let channel_id = community.channels[0].id;
4437        let chan_hex = channel_id.to_hex();
4438        let scope = super::super::derive::RekeyScope::Channel(channel_id);
4439        let genesis_key = *community.channels[0].key.as_bytes();
4440        let root = *community.server_root_key.as_bytes();
4441        let commit0 = super::super::rekey::epoch_key_commitment(crate::community::Epoch(0), &genesis_key);
4442
4443        let key_lo1 = [0x10u8; 32]; // winner at epoch 1 (on the wire, authorized, blob for me)
4444        let key_hi1 = [0x99u8; 32]; // loser at epoch 1 (what I currently hold)
4445        let key_e2 = [0x20u8; 32]; // my head at epoch 2 (already reorged here under the old build)
4446        let blob_lo1 = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), &key_lo1).unwrap();
4447        let blob_hi1 = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), &key_hi1).unwrap();
4448        let ev_lo1 = super::super::rekey::build_channel_rekey_event(
4449            &Keys::generate(), &owner, &root, &channel_id, crate::community::Epoch(1), crate::community::Epoch(0), &commit0, &[blob_lo1]).unwrap();
4450        let ev_hi1 = super::super::rekey::build_channel_rekey_event(
4451            &Keys::generate(), &owner, &root, &channel_id, crate::community::Epoch(1), crate::community::Epoch(0), &commit0, &[blob_hi1]).unwrap();
4452
4453        let relay = MemoryRelay::new();
4454        relay.inject(&ev_lo1, &community.relays);
4455        relay.inject(&ev_hi1, &community.relays);
4456        // NOTE: no epoch-2 rekey on the relay — nothing for the forward walk to apply, so the heal is the
4457        // ONLY thing that can fix epoch 1.
4458
4459        crate::db::community::advance_server_root_epoch(&cid, 1, &[0x42u8; 32]).unwrap();
4460        // Simulate the prior-build reorg: I hold the LOSING epoch-1 key and have already advanced to epoch 2.
4461        crate::db::community::advance_channel_epoch(&cid, &chan_hex, 1, &key_hi1).unwrap();
4462        crate::db::community::advance_channel_epoch(&cid, &chan_hex, 2, &key_e2).unwrap();
4463        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
4464
4465        let reached = catch_up_channel_rekeys(&relay, &community, &channel_id).await.unwrap();
4466        assert_eq!(reached, 2, "head unchanged (no new rekey to apply)");
4467        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 2).unwrap(), Some(key_e2), "head epoch untouched");
4468        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 1).unwrap(), Some(key_lo1),
4469            "the already-forked past epoch re-converged to the lowest sibling via the window heal (no in-sync reorg)");
4470    }
4471
4472    #[tokio::test]
4473    async fn channel_heal_cannot_converge_to_a_key_i_was_not_given() {
4474        // The winning (lower) fork's channel rekey carries NO blob for me
4475        // (the other re-founder's retain set excluded me — e.g. it kept the just-banned victim and dropped
4476        // me in the concurrent-ban window). I literally cannot DECRYPT that key, so the heal can't adopt it
4477        // and I stay stranded on my own higher key. This proves the live bug is RETAIN-SET incompleteness in
4478        // concurrent re-founding, NOT the heal logic (which the two tests above prove correct). The fix must
4479        // guarantee each re-founder's rekey reaches the OTHER re-founder.
4480        let (_tmp, _guard) = init_test_db();
4481        let owner = Keys::generate();
4482        let me = Keys::generate();
4483        become_local(&me);
4484        let community = saved_community_owned_by(&owner);
4485        let cid = community.id.to_hex();
4486        let channel_id = community.channels[0].id;
4487        let chan_hex = channel_id.to_hex();
4488        let scope = super::super::derive::RekeyScope::Channel(channel_id);
4489        let genesis_key = *community.channels[0].key.as_bytes();
4490        let root = *community.server_root_key.as_bytes();
4491        let commit0 = super::super::rekey::epoch_key_commitment(crate::community::Epoch(0), &genesis_key);
4492
4493        let key_lo = [0x10u8; 32]; // owner's (lower) — but its rekey DOES NOT include me
4494        let key_hi = [0x99u8; 32]; // mine (higher) — the one I currently hold
4495        // Owner's lower rekey delivers ONLY to a third party (the banned victim's seat), NOT to me.
4496        let other = Keys::generate();
4497        let blob_lo = super::super::rekey::build_rekey_blob(owner.secret_key(), &other.public_key(), scope, crate::community::Epoch(1), &key_lo).unwrap();
4498        let ev_lo = super::super::rekey::build_channel_rekey_event(
4499            &Keys::generate(), &owner, &root, &channel_id, crate::community::Epoch(1), crate::community::Epoch(0), &commit0, &[blob_lo]).unwrap();
4500        // My higher rekey delivers to me.
4501        let blob_hi = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), &key_hi).unwrap();
4502        let ev_hi = super::super::rekey::build_channel_rekey_event(
4503            &Keys::generate(), &owner, &root, &channel_id, crate::community::Epoch(1), crate::community::Epoch(0), &commit0, &[blob_hi]).unwrap();
4504
4505        let relay = MemoryRelay::new();
4506        relay.inject(&ev_lo, &community.relays);
4507        relay.inject(&ev_hi, &community.relays);
4508        crate::db::community::advance_server_root_epoch(&cid, 1, &[0x42u8; 32]).unwrap();
4509        crate::db::community::advance_channel_epoch(&cid, &chan_hex, 1, &key_hi).unwrap();
4510        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
4511
4512        let _ = catch_up_channel_rekeys(&relay, &community, &channel_id).await.unwrap();
4513        // Excluded from the winning rekey: I can't decrypt the lower key, so I keep my own and cannot converge.
4514        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 1).unwrap(), Some(key_hi),
4515            "excluded from the winning rekey ⇒ cannot converge");
4516    }
4517
4518    #[tokio::test]
4519    async fn refounding_channel_rekey_is_sealed_under_the_prior_root() {
4520        // #262 fix: a channel rekey accompanying a re-founding must be ENVELOPED + ADDRESSED under the PRIOR
4521        // (shared) root, NOT the re-founder's new one — so a base-fork loser (who dropped its own new root)
4522        // can still open it. This pins the write side: rotate_channel seals under the passed envelope_root,
4523        // and the event opens under that root and NOT under the community's current/new root.
4524        let (_tmp, _guard) = init_test_db();
4525        let owner = Keys::generate();
4526        become_local(&owner); // owner is supreme → authorized to rotate
4527        let community = saved_community_owned_by(&owner);
4528        let channel_id = community.channels[0].id;
4529        let prior_root = [0x11u8; 32]; // the shared pre-rotation root (≠ the community's current root)
4530
4531        let relay = MemoryRelay::new();
4532        rotate_channel(&relay, &community, &channel_id, &[owner.public_key()], &prior_root).await.unwrap();
4533
4534        // Addressed at the PRIOR-root pseudonym...
4535        let z = super::super::derive::rekey_pseudonym(&crate::community::ServerRootKey(prior_root), &channel_id, crate::community::Epoch(1)).to_hex();
4536        let q = Query { kinds: vec![event_kind::COMMUNITY_REKEY], z_tags: vec![z], ..Default::default() };
4537        let evs = relay.fetch(&q, &community.relays).await.unwrap();
4538        assert_eq!(evs.len(), 1, "channel rekey is addressed at the PRIOR-root pseudonym");
4539        // ...and opens ONLY under the prior root, NOT the community's current (new) root.
4540        assert!(super::super::rekey::open_rekey_event(&evs[0], &prior_root).is_ok(),
4541            "opens under the prior (shared) root every retained member still holds");
4542        assert!(super::super::rekey::open_rekey_event(&evs[0], community.server_root_key.as_bytes()).is_err(),
4543            "does NOT open under the current/new root (which a base-fork loser would have dropped)");
4544    }
4545
4546    #[tokio::test]
4547    async fn apply_channel_rekey_converges_past_a_divergent_prior_epoch() {
4548        // FORK-CONVERGENCE: I hold epoch-1 = my LOSING fork key. An AUTHORIZED rekey
4549        // to epoch 2 cites a DIFFERENT epoch-1 key (the winner's, which I never held) and delivers epoch-2 to
4550        // ME. The relaxed continuity check must ADOPT it (converge forward onto the authorized chain), not
4551        // reject it as a "foreign chain" and strand me on the dead fork forever.
4552        let (_tmp, _guard) = init_test_db();
4553        let owner = Keys::generate();
4554        let me = Keys::generate();
4555        become_local(&me);
4556        let community = saved_community_owned_by(&owner);
4557        let cid = community.id.to_hex();
4558        let channel_id = community.channels[0].id;
4559        let chan_hex = channel_id.to_hex();
4560        let scope = super::super::derive::RekeyScope::Channel(channel_id);
4561        let root = *community.server_root_key.as_bytes();
4562
4563        // I'm on my LOSING fork at epoch 1.
4564        let my_fork_key = [0xAAu8; 32];
4565        crate::db::community::advance_channel_epoch(&cid, &chan_hex, 1, &my_fork_key).unwrap();
4566
4567        // Owner's epoch-2 rekey continues from the WINNER's epoch-1 (a key I never held) + delivers to me.
4568        let winner_epoch1 = [0xBBu8; 32];
4569        let new_key = [0x22u8; 32];
4570        let commit = super::super::rekey::epoch_key_commitment(crate::community::Epoch(1), &winner_epoch1);
4571        let blob = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(2), &new_key).unwrap();
4572        let ev = super::super::rekey::build_channel_rekey_event(
4573            &Keys::generate(), &owner, &root, &channel_id, crate::community::Epoch(2), crate::community::Epoch(1), &commit, &[blob]).unwrap();
4574        let parsed = super::super::rekey::open_rekey_event(&ev, &root).unwrap();
4575
4576        let outcome = apply_channel_rekey(&community, &parsed).unwrap();
4577        assert!(matches!(outcome, RekeyOutcome::Applied { head_advanced: true }),
4578            "must converge forward past the divergent prior epoch, got {outcome:?}");
4579        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 2).unwrap(), Some(new_key),
4580            "adopted the winner's epoch-2 key");
4581    }
4582
4583    #[tokio::test]
4584    async fn catch_up_server_root_stops_when_removed_from_base() {
4585        // Recipient of base epoch 1 but NOT epoch 2 (removed from the base). The walk applies 1, opens
4586        // the epoch-2 envelope (I hold root_1) but finds no blob → NotARecipient → stops at 1.
4587        let (_tmp, _guard) = init_test_db();
4588        let owner = Keys::generate();
4589        let me = Keys::generate();
4590        become_local(&me);
4591        let community = saved_community_owned_by(&owner);
4592        let scope = super::super::derive::RekeyScope::ServerRoot;
4593        let relay = MemoryRelay::new();
4594
4595        // Epoch 1 → me (cites genesis).
4596        let root1 = [0x11u8; 32];
4597        let b1 = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), &root1).unwrap();
4598        let e1 = super::super::rekey::build_server_root_rekey_event(
4599            &Keys::generate(), &owner, community.server_root_key.as_bytes(), &community.id,
4600            crate::community::Epoch(1), crate::community::Epoch(0),
4601            &super::super::rekey::epoch_key_commitment(crate::community::Epoch(0), community.server_root_key.as_bytes()), &[b1],
4602        ).unwrap();
4603        // Epoch 2 → someone else (I'm removed), enveloped under root_1, cites root_1.
4604        let other = Keys::generate();
4605        let b2 = super::super::rekey::build_rekey_blob(owner.secret_key(), &other.public_key(), scope, crate::community::Epoch(2), &[0x22u8; 32]).unwrap();
4606        let e2 = super::super::rekey::build_server_root_rekey_event(
4607            &Keys::generate(), &owner, &root1, &community.id,
4608            crate::community::Epoch(2), crate::community::Epoch(1),
4609            &super::super::rekey::epoch_key_commitment(crate::community::Epoch(1), &root1), &[b2],
4610        ).unwrap();
4611        relay.inject(&e1, &community.relays);
4612        relay.inject(&e2, &community.relays);
4613
4614        let reached = catch_up_server_root(&relay, &community).await.unwrap();
4615        assert_eq!(reached.epoch, 1, "stops at the last base epoch I was a recipient of");
4616        assert!(reached.removed, "excluded by an AUTHORIZED (owner) base rotation → flagged removed so the caller erases");
4617        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
4618        assert_eq!(reloaded.server_root_epoch, crate::community::Epoch(1));
4619    }
4620
4621    #[tokio::test]
4622    async fn catch_up_is_a_noop_with_no_rotations() {
4623        let (_tmp, _guard) = init_test_db();
4624        let owner = Keys::generate();
4625        let me = Keys::generate();
4626        become_local(&me);
4627        let community = saved_community_owned_by(&owner);
4628        let relay = MemoryRelay::new(); // empty: no rekeys published
4629        let reached = catch_up_channel_rekeys(&relay, &community, &community.channels[0].id).await.unwrap();
4630        assert_eq!(reached, 0, "no rotations → stays at the held epoch");
4631    }
4632
4633    #[tokio::test]
4634    async fn catch_up_stops_when_removed_midway() {
4635        // I'm a recipient of epoch 1 but NOT epoch 2 (removed). Catch-up applies epoch 1, finds no blob
4636        // for epoch 2 (NotARecipient), and stops — head at 1, not dragged forward to a key I lack.
4637        let (_tmp, _guard) = init_test_db();
4638        let owner = Keys::generate();
4639        let me = Keys::generate();
4640        become_local(&me);
4641        let community = saved_community_owned_by(&owner);
4642        let channel_id = community.channels[0].id;
4643        let chan = &community.channels[0];
4644        let scope = super::super::derive::RekeyScope::Channel(channel_id);
4645        let relay = MemoryRelay::new();
4646
4647        // Epoch 1: blob for me (cites genesis).
4648        let k1 = [0x11u8; 32];
4649        let b1 = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), &k1).unwrap();
4650        let e1 = super::super::rekey::build_channel_rekey_event(
4651            &Keys::generate(), &owner, community.server_root_key.as_bytes(), &channel_id,
4652            crate::community::Epoch(1), crate::community::Epoch(0),
4653            &super::super::rekey::epoch_key_commitment(crate::community::Epoch(0), chan.key.as_bytes()), &[b1],
4654        ).unwrap();
4655        // Epoch 2: blob for SOMEONE ELSE (I was removed) — cites k1.
4656        let other = Keys::generate();
4657        let b2 = super::super::rekey::build_rekey_blob(owner.secret_key(), &other.public_key(), scope, crate::community::Epoch(2), &[0x22u8; 32]).unwrap();
4658        let e2 = super::super::rekey::build_channel_rekey_event(
4659            &Keys::generate(), &owner, community.server_root_key.as_bytes(), &channel_id,
4660            crate::community::Epoch(2), crate::community::Epoch(1),
4661            &super::super::rekey::epoch_key_commitment(crate::community::Epoch(1), &k1), &[b2],
4662        ).unwrap();
4663        relay.inject(&e1, &community.relays);
4664        relay.inject(&e2, &community.relays);
4665
4666        let reached = catch_up_channel_rekeys(&relay, &community, &channel_id).await.unwrap();
4667        assert_eq!(reached, 1, "stops at the last epoch I was a recipient of");
4668        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
4669        assert_eq!(reloaded.channels[0].epoch, crate::community::Epoch(1));
4670    }
4671
4672    #[tokio::test]
4673    async fn rotate_channel_rejects_unauthorized() {
4674        let (_tmp, _guard) = init_test_db();
4675        let owner = Keys::generate();
4676        let rogue = Keys::generate();
4677        become_local(&rogue); // not the owner, holds no role
4678        let community = saved_community_owned_by(&owner);
4679        let relay = MemoryRelay::new();
4680        assert!(
4681            rotate_channel(&relay, &community, &community.channels[0].id, &[], community.server_root_key.as_bytes()).await.is_err(),
4682            "a non-authorized member cannot rotate"
4683        );
4684        // My head did not move.
4685        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
4686        assert_eq!(reloaded.channels[0].epoch, crate::community::Epoch(0));
4687    }
4688
4689    // --- rotate_server_root (#4c) ---
4690
4691    #[tokio::test]
4692    async fn rotate_server_root_publishes_recoverable_rekey_and_advances_base() {
4693        use crate::community::derive::{base_rekey_pseudonym, recipient_pseudonym};
4694        use crate::community::rekey::{open_rekey_blob, open_rekey_event, rekey_pairwise_secret};
4695        let (_tmp, _guard) = init_test_db();
4696        let owner = Keys::generate();
4697        become_local(&owner); // owner is supreme (holds BAN)
4698        let community = saved_community_owned_by(&owner);
4699        let genesis_root = *community.server_root_key.as_bytes();
4700        let member = Keys::generate();
4701        let relay = MemoryRelay::new();
4702
4703        let new_epoch = rotate_server_root(&relay, &community, &[member.public_key()]).await.expect("rotate base");
4704        assert_eq!(new_epoch, 1);
4705
4706        // Owner's base head advanced to a fresh root.
4707        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
4708        assert_eq!(reloaded.server_root_epoch, crate::community::Epoch(1));
4709        assert_ne!(reloaded.server_root_key.as_bytes(), &genesis_root, "base root is fresh-random, not the genesis");
4710
4711        // The base rekey is found at the PRIOR-root-derived address and opens under the PRIOR (genesis) root.
4712        let addr = base_rekey_pseudonym(&crate::community::ServerRootKey(genesis_root), &community.id, crate::community::Epoch(1)).to_hex();
4713        let found = relay
4714            .fetch(&Query { kinds: vec![event_kind::COMMUNITY_REKEY], z_tags: vec![addr], ..Default::default() }, &community.relays)
4715            .await
4716            .unwrap();
4717        assert_eq!(found.len(), 1, "base rekey addressable by its prior-root pseudonym");
4718        let parsed = open_rekey_event(&found[0], &genesis_root).unwrap();
4719        assert!(matches!(parsed.scope, crate::community::derive::RekeyScope::ServerRoot));
4720        assert_eq!(parsed.rotator, owner.public_key());
4721        assert_eq!(parsed.blobs.len(), 2, "member + me (multi-device)");
4722
4723        // The member recovers a root, and it equals the owner's advanced base head (one source of truth).
4724        let secret = rekey_pairwise_secret(member.secret_key(), &parsed.rotator).unwrap();
4725        let loc = recipient_pseudonym(&secret, parsed.scope, parsed.new_epoch).to_hex();
4726        let mine = parsed.blobs.iter().find(|b| b.locator == loc).expect("member's blob present");
4727        let recovered = open_rekey_blob(member.secret_key(), &parsed.rotator, parsed.scope, parsed.new_epoch, mine).unwrap();
4728        assert_eq!(reloaded.server_root_key.as_bytes(), &recovered, "member's recovered root == owner's advanced base head");
4729    }
4730
4731    #[tokio::test]
4732    async fn rotate_server_root_failed_publish_leaves_base_unadvanced() {
4733        let (_tmp, _guard) = init_test_db();
4734        let owner = Keys::generate();
4735        become_local(&owner);
4736        let community = saved_community_owned_by(&owner);
4737        let member = Keys::generate();
4738        assert!(rotate_server_root(&FailingRelay, &community, &[member.public_key()]).await.is_err());
4739        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
4740        assert_eq!(reloaded.server_root_epoch, crate::community::Epoch(0), "base head stays put on publish failure");
4741    }
4742
4743    #[tokio::test]
4744    async fn rotate_server_root_dedups_self_in_recipients() {
4745        // Passing my own pubkey in `recipients` must not produce a duplicate blob (I'm always added).
4746        use crate::community::rekey::open_rekey_event;
4747        let (_tmp, _guard) = init_test_db();
4748        let owner = Keys::generate();
4749        become_local(&owner);
4750        let community = saved_community_owned_by(&owner);
4751        let relay = MemoryRelay::new();
4752        rotate_server_root(&relay, &community, &[owner.public_key()]).await.unwrap();
4753        let addr = crate::community::derive::base_rekey_pseudonym(
4754            &crate::community::ServerRootKey(*community.server_root_key.as_bytes()), &community.id, crate::community::Epoch(1),
4755        )
4756        .to_hex();
4757        let found = relay
4758            .fetch(&Query { kinds: vec![event_kind::COMMUNITY_REKEY], z_tags: vec![addr], ..Default::default() }, &community.relays)
4759            .await
4760            .unwrap();
4761        let parsed = open_rekey_event(&found[0], community.server_root_key.as_bytes()).unwrap();
4762        assert_eq!(parsed.blobs.len(), 1, "self listed in recipients yields exactly one blob, not two");
4763    }
4764
4765    #[tokio::test]
4766    async fn rotate_server_root_rejects_unauthorized() {
4767        let (_tmp, _guard) = init_test_db();
4768        let owner = Keys::generate();
4769        let rogue = Keys::generate();
4770        become_local(&rogue); // no BAN, not owner
4771        let community = saved_community_owned_by(&owner);
4772        let relay = MemoryRelay::new();
4773        assert!(rotate_server_root(&relay, &community, &[]).await.is_err(), "a non-BAN member cannot rotate the base");
4774        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
4775        assert_eq!(reloaded.server_root_epoch, crate::community::Epoch(0));
4776    }
4777
4778    #[tokio::test]
4779    async fn rotate_server_root_reanchors_the_control_plane_to_the_new_epoch() {
4780        // #4e-2 orchestration: a base rotation carries the control plane to the new epoch as part of the
4781        // SAME operation — a member reading the new root reaches the roster without a separate step.
4782        let (_tmp, _guard) = init_test_db();
4783        let relay = MemoryRelay::new();
4784        // create publishes 3 genesis editions (GroupRoot + #general ChannelMetadata + Admin role) and
4785        // records all three heads.
4786        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
4787        let cid = community.id.to_hex();
4788        assert_eq!(crate::db::community::edition_head_entity_ids(&cid).unwrap().len(), 3);
4789
4790        let member = Keys::generate();
4791        assert_eq!(rotate_server_root(&relay, &community, &[member.public_key()]).await.unwrap(), 1);
4792        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
4793        assert_eq!(reloaded.server_root_epoch, crate::community::Epoch(1), "base head advanced");
4794
4795        // The Admin role is reachable at the NEW epoch under the NEW root — re-anchored by the rotation.
4796        let z = crate::community::roster::control_pseudonym(&reloaded.server_root_key, &community.id, crate::community::Epoch(1));
4797        let evs = relay
4798            .fetch(&Query { kinds: vec![event_kind::COMMUNITY_CONTROL], z_tags: vec![z], ..Default::default() }, &community.relays)
4799            .await
4800            .unwrap();
4801        let inners: Vec<_> = evs
4802            .iter()
4803            .filter_map(|o| crate::community::roster::open_control_edition(o, &reloaded.server_root_key).ok())
4804            .collect();
4805        let folded = crate::community::roster::fold_roster(&inners, &community.id, &Default::default());
4806        assert!(!folded.roles.roles.is_empty(), "control plane re-anchored at the new epoch as part of the rotation");
4807    }
4808
4809    #[tokio::test]
4810    async fn admin_refounding_carries_heads_verbatim_preserving_owner_and_peer_roles() {
4811        // The verbatim-heads payoff: a NON-OWNER admin re-founds, and because each head is re-wrapped (never
4812        // re-authored), the owner deed AND every peer admin's owner-signed grant ride along untouched — so
4813        // ownership and all roles survive, while the count compacts to one edition per entity.
4814        use crate::community::roles::Permissions;
4815        let (_tmp, _guard) = init_test_db();
4816        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
4817        let owner_hex = owner.public_key().to_hex();
4818        let relay = MemoryRelay::new();
4819        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
4820        let cid = community.id.to_hex();
4821        let admin_role = crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
4822
4823        // Owner grants TWO admins (both grants OWNER-signed).
4824        let alice = Keys::generate();
4825        let bob = Keys::generate();
4826        set_member_grant(&relay, &community, &alice.public_key().to_hex(), vec![admin_role.clone()]).await.unwrap();
4827        set_member_grant(&relay, &community, &bob.public_key().to_hex(), vec![admin_role.clone()]).await.unwrap();
4828        let _ = fetch_and_apply_control(&relay, &community).await;
4829        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
4830
4831        // Drive the GroupRoot ABOVE v1 with a real published edit, so this exercises verbatim-carry of a
4832        // >v1 head (it must keep its real version, NOT reset to v1) — not just a v1 genesis.
4833        let mut edited = community.clone();
4834        edited.name = "HQ renamed".into();
4835        republish_community_metadata(&relay, &edited).await.unwrap();
4836        let _ = fetch_and_apply_control(&relay, &community).await;
4837        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
4838        assert!(crate::db::community::get_edition_head(&cid, &cid).unwrap().unwrap().0 >= 2, "GroupRoot now above v1");
4839
4840        // ALICE (a non-owner admin) re-founds. She holds BAN, so it's authorized; she re-WRAPS heads.
4841        become_local(&alice);
4842        let new_epoch = rotate_server_root(&relay, &community, &[owner.public_key(), bob.public_key()]).await.unwrap();
4843        assert_eq!(new_epoch, 1);
4844        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
4845        assert_eq!(community.server_root_epoch, crate::community::Epoch(1));
4846
4847        // Fold the new epoch fresh (floor 0): owner unchanged + BOTH alice and bob still admins.
4848        let z = crate::community::roster::control_pseudonym(&community.server_root_key, &community.id, crate::community::Epoch(1));
4849        let evs = relay.fetch(&Query { kinds: vec![event_kind::COMMUNITY_CONTROL], z_tags: vec![z], ..Default::default() }, &community.relays).await.unwrap();
4850        let inners: Vec<_> = evs.iter().filter_map(|o| crate::community::roster::open_control_edition(o, &community.server_root_key).ok()).collect();
4851        let folded = crate::community::roster::fold_roster(&inners, &community.id, &Default::default());
4852        let authed = crate::community::roster::authorize_delegation(&folded, Some(&owner_hex));
4853        assert!(authed.is_authorized(&alice.public_key().to_hex(), Some(&owner_hex), Permissions::BAN), "alice (re-founder) still admin");
4854        assert!(authed.is_authorized(&bob.public_key().to_hex(), Some(&owner_hex), Permissions::BAN), "bob (peer admin) NOT demoted by alice's re-founding");
4855        let new_owner = folded.root_meta.as_ref().and_then(|m| m.owner_attestation.as_ref())
4856            .and_then(|j| Event::from_json(j).ok()).map(|e| e.pubkey.to_hex());
4857        assert_eq!(new_owner.as_deref(), Some(owner_hex.as_str()), "owner deed carried verbatim — ownership intact after an admin re-founding");
4858        assert_eq!(folded.root_meta.as_ref().map(|m| m.name.as_str()), Some("HQ renamed"),
4859            "the >v1 GroupRoot head carried verbatim (content preserved across the re-founding)");
4860        // Compacted: each entity appears at most once at the new epoch.
4861        let mut per_entity: std::collections::HashMap<[u8; 32], usize> = std::collections::HashMap::new();
4862        for i in &inners {
4863            if let Ok(p) = crate::community::edition::parse_edition_inner(i) { *per_entity.entry(p.entity_id).or_default() += 1; }
4864        }
4865        assert!(per_entity.values().all(|&c| c == 1), "one edition per entity at the new epoch (compacted)");
4866    }
4867
4868    /// Block-until-synced: an admin write (rekey) is REFUSED when we're network-isolated — no relay returns
4869    /// the control plane we KNOW exists (we hold edition heads). Acting blind on a stale view, or advancing
4870    /// local state we can't publish, must not happen offline.
4871    #[tokio::test]
4872    async fn admin_write_blocked_when_isolated() {
4873        let (_tmp, _guard) = init_test_db();
4874        let me = Keys::generate();
4875        become_local(&me);
4876        let community = saved_community_owned_by(&me);
4877        let cid = community.id.to_hex();
4878        // We hold a local edition head → we KNOW a control plane exists (so an empty fetch = isolation).
4879        crate::db::community::set_edition_head_with_id(&cid, &cid, 1, &[1u8; 32], &[1u8; 32]).unwrap();
4880        crate::db::community::set_read_cut_target_epoch(&cid, 1).unwrap();
4881        // FailingRelay.fetch returns Ok(empty) — the isolated case (no relay responds with anything).
4882        let err = reseal_base_to_observed(&FailingRelay, &community).await.unwrap_err();
4883        assert!(err.contains("offline") || err.contains("can't reach any relay"),
4884            "isolated admin write must fail closed, got: {err}");
4885        // Untouched: no base rotation happened.
4886        assert_eq!(crate::db::community::load_community(&community.id).unwrap().unwrap().server_root_epoch,
4887            crate::community::Epoch(0), "no rotation while isolated");
4888    }
4889
4890    /// O2 — a re-founding rotates per-channel message keys too, not just the base. Without this a removed
4891    /// member holding a channel key keeps reading new messages (the base cut only covers control + @everyone).
4892    #[tokio::test]
4893    async fn refounding_rotates_channel_keys_too() {
4894        let (_tmp, _guard) = init_test_db();
4895        let relay = MemoryRelay::new();
4896        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
4897        let channel_id = community.channels[0].id;
4898        assert_eq!(community.channels[0].epoch, crate::community::Epoch(0));
4899        assert_eq!(community.server_root_epoch, crate::community::Epoch(0));
4900
4901        run_read_cut(&relay, &community, true).await.unwrap();
4902
4903        let after = crate::db::community::load_community(&community.id).unwrap().unwrap();
4904        assert_eq!(after.server_root_epoch, crate::community::Epoch(1), "base rotated");
4905        let ch = after.channels.iter().find(|c| c.id == channel_id).unwrap();
4906        assert_eq!(ch.epoch, crate::community::Epoch(1), "channel key rotated too (O2)");
4907        assert_eq!(crate::db::community::channel_rekeyed_at_server_epoch(&community.id.to_hex(), &channel_id.to_hex()).unwrap(),
4908            1, "channel marked rekeyed for the new base epoch");
4909        assert!(!crate::db::community::get_read_cut_pending(&community.id.to_hex()).unwrap(),
4910            "a complete read-cut clears the pending flag");
4911    }
4912
4913    /// W2 durability — a re-founding interrupted AFTER the base rotated but BEFORE a channel rekey landed
4914    /// (outage / power cut / mass relay failure mid-cut) must RESUME, not restart: the retry skips the
4915    /// already-done base (no second epoch, no second control-plane re-anchor) and finishes only the
4916    /// un-rotated channel. Without resumability the retry double-rotated the base every time.
4917    #[tokio::test]
4918    async fn read_cut_resumes_without_double_base_rotation_after_channel_failure() {
4919        // Base + channel rekeys are both COMMUNITY_REKEY (3303); the base rekey is published BEFORE any
4920        // channel rekey, so the 1st 3303 is the base (allowed) and every later one is a channel (failed
4921        // while armed). Control re-anchor (3308) is always allowed.
4922        struct ChannelRekeyFails {
4923            inner: MemoryRelay,
4924            rekeys: std::sync::atomic::AtomicUsize,
4925            fail_channel: std::sync::atomic::AtomicBool,
4926        }
4927        #[async_trait::async_trait]
4928        impl Transport for ChannelRekeyFails {
4929            async fn publish(&self, e: &Event, r: &[String]) -> Result<(), String> { self.inner.publish(e, r).await }
4930            async fn publish_durable(&self, e: &Event, r: &[String]) -> Result<(), String> {
4931                if e.kind.as_u16() == event_kind::COMMUNITY_REKEY {
4932                    let n = self.rekeys.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
4933                    if n >= 1 && self.fail_channel.load(std::sync::atomic::Ordering::Relaxed) {
4934                        return Err("channel rekey relay down".into());
4935                    }
4936                }
4937                self.inner.publish_durable(e, r).await
4938            }
4939            async fn fetch(&self, q: &Query, r: &[String]) -> Result<Vec<Event>, String> { self.inner.fetch(q, r).await }
4940        }
4941        let (_tmp, _guard) = init_test_db();
4942        let relay = ChannelRekeyFails {
4943            inner: MemoryRelay::new(),
4944            rekeys: std::sync::atomic::AtomicUsize::new(0),
4945            fail_channel: std::sync::atomic::AtomicBool::new(true),
4946        };
4947        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
4948        let channel_id = community.channels[0].id;
4949        let cid = community.id.to_hex();
4950        let ch_hex = channel_id.to_hex();
4951
4952        // Phase 1: base rotates, the channel rekey fails → the cut is left PENDING, base at epoch 1.
4953        assert!(run_read_cut(&relay, &community, true).await.is_err(), "the channel failure surfaces an error");
4954        let mid = crate::db::community::load_community(&community.id).unwrap().unwrap();
4955        assert_eq!(mid.server_root_epoch, crate::community::Epoch(1), "base advanced exactly once");
4956        assert_eq!(mid.channels.iter().find(|c| c.id == channel_id).unwrap().epoch, crate::community::Epoch(0),
4957            "channel NOT rotated (its rekey failed)");
4958        assert!(crate::db::community::get_read_cut_pending(&cid).unwrap(), "cut left pending after the failure");
4959        assert_eq!(crate::db::community::get_read_cut_target_epoch(&cid).unwrap(), 1, "target recorded durably");
4960        assert_eq!(crate::db::community::channel_rekeyed_at_server_epoch(&cid, &ch_hex).unwrap(), 0,
4961            "channel not yet marked for this cut");
4962
4963        // Phase 2: relay heals; the retry RESUMES — no second base rotation, just the leftover channel.
4964        relay.fail_channel.store(false, std::sync::atomic::Ordering::Relaxed);
4965        retry_pending_read_cut(&relay, &mid).await.unwrap();
4966        let done = crate::db::community::load_community(&community.id).unwrap().unwrap();
4967        assert_eq!(done.server_root_epoch, crate::community::Epoch(1),
4968            "base NOT rotated again — resumed at the same epoch (no double base rotation)");
4969        assert_eq!(done.channels.iter().find(|c| c.id == channel_id).unwrap().epoch, crate::community::Epoch(1),
4970            "the un-rotated channel finished on resume");
4971        assert_eq!(crate::db::community::channel_rekeyed_at_server_epoch(&cid, &ch_hex).unwrap(), 1,
4972            "channel marked rekeyed for the cut epoch");
4973        assert!(!crate::db::community::get_read_cut_pending(&cid).unwrap(), "pending cleared after the resume completes");
4974    }
4975
4976    #[tokio::test]
4977    async fn rotate_server_root_aborts_when_the_snapshot_does_not_land() {
4978        // Re-founding re-wraps the current heads, but a relay that won't ACK the re-wrapped control editions
4979        // leaves the snapshot incomplete → the rotation must abort with the base head NOT advanced (never
4980        // advance onto a plane no member folds).
4981        // Relay that ACKs everything UNTIL `fail` is set, then rejects control-edition (3308) publishes.
4982        struct ControlPublishFails { inner: MemoryRelay, fail: std::sync::atomic::AtomicBool }
4983        #[async_trait::async_trait]
4984        impl Transport for ControlPublishFails {
4985            async fn publish(&self, e: &Event, r: &[String]) -> Result<(), String> { self.inner.publish(e, r).await }
4986            async fn publish_durable(&self, e: &Event, r: &[String]) -> Result<(), String> {
4987                if self.fail.load(std::sync::atomic::Ordering::Relaxed) && e.kind.as_u16() == event_kind::COMMUNITY_CONTROL {
4988                    return Err("control relay down".into());
4989                }
4990                self.inner.publish_durable(e, r).await
4991            }
4992            async fn fetch(&self, q: &Query, r: &[String]) -> Result<Vec<Event>, String> { self.inner.fetch(q, r).await }
4993        }
4994        let (_tmp, _guard) = init_test_db();
4995        let relay = ControlPublishFails { inner: MemoryRelay::new(), fail: std::sync::atomic::AtomicBool::new(false) };
4996        // Create normally (genesis editions publish + heads recorded), THEN start failing control publishes.
4997        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
4998        relay.fail.store(true, std::sync::atomic::Ordering::Relaxed);
4999
5000        assert!(
5001            rotate_server_root(&relay, &community, &[]).await.is_err(),
5002            "a snapshot whose editions can't be re-published must abort the rotation"
5003        );
5004        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
5005        assert_eq!(reloaded.server_root_epoch, crate::community::Epoch(0), "base head NOT advanced when the snapshot doesn't land");
5006    }
5007
5008    #[tokio::test]
5009    async fn acquire_before_commit_a_reanchor_fetch_miss_publishes_no_base_rekey() {
5010        // #264 ACQUIRE-BEFORE-COMMIT: the re-anchor snapshot (the only mid-rekey fetch) is now fetched + sealed
5011        // BEFORE the base rekey is published. So a control-plane fetch miss (a head not propagated) aborts the
5012        // rotation with the base rekey NEVER on the wire — no half-published state to strand a member. Under the
5013        // old publish-first ordering the base rekey was already on relays when the fetch gate tripped.
5014        use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering};
5015        struct ReanchorFetchEmpty { inner: MemoryRelay, drop_control: AtomicBool, base_rekeys: AtomicUsize }
5016        #[async_trait::async_trait]
5017        impl Transport for ReanchorFetchEmpty {
5018            async fn publish(&self, e: &Event, r: &[String]) -> Result<(), String> { self.inner.publish(e, r).await }
5019            async fn publish_durable(&self, e: &Event, r: &[String]) -> Result<(), String> {
5020                if e.kind.as_u16() == event_kind::COMMUNITY_REKEY {
5021                    self.base_rekeys.fetch_add(1, Ordering::Relaxed);
5022                }
5023                self.inner.publish_durable(e, r).await
5024            }
5025            async fn fetch(&self, q: &Query, r: &[String]) -> Result<Vec<Event>, String> {
5026                if self.drop_control.load(Ordering::Relaxed) && q.kinds.iter().any(|k| *k == event_kind::COMMUNITY_CONTROL) {
5027                    return Ok(vec![]); // the re-anchor's heads are unreachable this instant
5028                }
5029                self.inner.fetch(q, r).await
5030            }
5031        }
5032        let (_tmp, _guard) = init_test_db();
5033        let relay = ReanchorFetchEmpty { inner: MemoryRelay::new(), drop_control: AtomicBool::new(false), base_rekeys: AtomicUsize::new(0) };
5034        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
5035        relay.drop_control.store(true, Ordering::Relaxed);
5036
5037        assert!(rotate_server_root(&relay, &community, &[]).await.is_err(),
5038            "a re-anchor fetch miss must abort the rotation");
5039        assert_eq!(relay.base_rekeys.load(Ordering::Relaxed), 0,
5040            "the base rekey must NOT be published when the pre-publish fetch gate trips (acquire-before-commit)");
5041        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
5042        assert_eq!(reloaded.server_root_epoch, crate::community::Epoch(0), "base head NOT advanced");
5043    }
5044
5045    // --- reanchor_control_plane (#4e-1) ---
5046
5047    #[tokio::test]
5048    async fn reanchor_carries_role_and_grant_to_the_new_epoch_under_the_new_root() {
5049        let (_tmp, _guard) = init_test_db();
5050        let relay = MemoryRelay::new();
5051        // create_community publishes the auto Admin ROLE edition (3308) at the epoch-0 control pseudonym.
5052        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
5053        let cid = community.id.to_hex();
5054        let admin_role_id = crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
5055        let member = Keys::generate();
5056        // Compaction snapshots the LOCAL folded state, so seed the grant into it (publish + apply).
5057        set_member_grant(&relay, &community, &member.public_key().to_hex(), vec![admin_role_id]).await.unwrap();
5058        let _ = fetch_and_apply_control(&relay, &community).await;
5059        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
5060
5061        // Re-anchor by COMPACTION to a fresh root + epoch 1: each entity re-genesised to v1.
5062        let new_root = [0x99u8; 32];
5063        let snap = reanchor_control_plane(&relay, &community, &new_root, crate::community::Epoch(1)).await.unwrap();
5064        assert!(snap.iter().all(|e| e.published), "every snapshot edition published");
5065        assert_eq!(snap.len(), 4, "GroupRoot + channel + Admin role + grant compacted to v1");
5066
5067        // At the NEW epoch under the NEW root, the role + grant fold back (as fresh v1 geneses, community-scoped).
5068        let new_z = crate::community::roster::control_pseudonym(
5069            &crate::community::ServerRootKey(new_root), &community.id, crate::community::Epoch(1),
5070        );
5071        let after = relay
5072            .fetch(&Query { kinds: vec![event_kind::COMMUNITY_CONTROL], z_tags: vec![new_z], ..Default::default() }, &community.relays)
5073            .await
5074            .unwrap();
5075        let inners: Vec<_> = after
5076            .iter()
5077            .filter_map(|o| crate::community::roster::open_control_edition(o, &crate::community::ServerRootKey(new_root)).ok())
5078            .collect();
5079        let folded = crate::community::roster::fold_roster(&inners, &community.id, &Default::default());
5080        assert!(!folded.roles.roles.is_empty(), "Admin role reachable at the new epoch");
5081        assert!(
5082            folded.roles.grants.iter().any(|g| g.member == member.public_key().to_hex()),
5083            "grant carried to the new epoch under the new root"
5084        );
5085    }
5086
5087    #[tokio::test]
5088    async fn grant_after_a_rekey_survives_the_fold_at_the_new_epoch() {
5089        // REGRESSION (epoch consistency): a grant published AFTER a server-root rotation must seal at the
5090        // CURRENT epoch — where the re-anchored role definition now lives — and the fetch must look there
5091        // too. The bug: live publishes + the fetch hardcoded epoch 0 while the re-anchor moved the control
5092        // plane to the new epoch, so a post-rekey grant referenced a role the fetch never saw → the member
5093        // silently lost admin (exactly what we hit live).
5094        use crate::community::roles::Permissions;
5095        let (_tmp, _guard) = init_test_db();
5096        let relay = MemoryRelay::new();
5097        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
5098        let cid = community.id.to_hex();
5099        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
5100        let admin_role_id = crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
5101
5102        // Rotate the base → epoch 1 (re-anchors the Admin role + GroupRoot under the new epoch).
5103        rotate_server_root(&relay, &community, &[owner.public_key()]).await.expect("rotate base");
5104        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
5105        assert_eq!(community.server_root_epoch, crate::community::Epoch(1), "advanced to the new epoch");
5106
5107        // Grant Alice the Admin role NOW (post-rekey): the live publish seals at server_root_epoch (1).
5108        let alice = "aa".repeat(32);
5109        set_member_grant(&relay, &community, &alice, vec![admin_role_id]).await.unwrap();
5110
5111        // A fresh fetch+apply at the new epoch folds the re-anchored role AND the post-rekey grant TOGETHER.
5112        let roster = fetch_and_apply_roles(&relay, &community).await.unwrap();
5113        assert!(
5114            roster.has_permission(&alice, Permissions::BAN),
5115            "post-rekey grant survives — Alice is Admin at the new epoch (pre-fix: dropped, role unreachable)"
5116        );
5117        assert_eq!(roster.highest_position(&alice), Some(1));
5118    }
5119
5120    /// Increment 2 — the demote AUTO-re-asserts: when the demoted member HEADS the GroupRoot, revoking
5121    /// them publishes an owner-authored re-assert of their content as the new head, so Concord Convergence
5122    /// keeps it for every client (incl. fresh joiners). End-to-end of the demote path.
5123    #[tokio::test]
5124    async fn demote_re_asserts_the_demoted_members_metadata_head() {
5125        let (_tmp, _guard) = init_test_db();
5126        let relay = MemoryRelay::new();
5127        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
5128        let cid = community.id.to_hex();
5129        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
5130        let admin_role = crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
5131        let alice = Keys::generate();
5132        let alice_hex = alice.public_key().to_hex();
5133
5134        set_member_grant(&relay, &community, &alice_hex, vec![admin_role]).await.unwrap();
5135        // Alice (admin) renames → she heads the GroupRoot.
5136        become_local(&alice);
5137        let mut as_alice = crate::db::community::load_community(&community.id).unwrap().unwrap();
5138        as_alice.name = "Alice's HQ".into();
5139        republish_community_metadata(&relay, &as_alice).await.unwrap();
5140        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
5141        assert_eq!(
5142            fetch_control_folded(&relay, &community).await.unwrap().root_author.map(|a| a.to_hex()),
5143            Some(alice_hex.clone()), "alice heads the GroupRoot after her edit",
5144        );
5145
5146        // Owner demotes alice → auto re-assert.
5147        become_local(&owner);
5148        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
5149        set_member_grant(&relay, &community, &alice_hex, vec![]).await.unwrap();
5150
5151        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
5152        let folded = fetch_control_folded(&relay, &community).await.unwrap();
5153        assert_eq!(folded.root_author.map(|a| a.to_hex()), Some(owner.public_key().to_hex()),
5154            "the demote re-asserted the GroupRoot under the owner");
5155        assert_eq!(folded.root_meta.as_ref().unwrap().name, "Alice's HQ",
5156            "the re-assert preserves the demoted member's content");
5157    }
5158
5159    /// Increment 2 — skip-if-not-head: demoting a member who does NOT head the GroupRoot publishes no
5160    /// re-assert (zero unnecessary editions — the common case). The owner made the last edit here.
5161    #[tokio::test]
5162    async fn demote_skips_reassert_when_member_does_not_head() {
5163        let (_tmp, _guard) = init_test_db();
5164        let relay = MemoryRelay::new();
5165        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
5166        let cid = community.id.to_hex();
5167        let admin_role = crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
5168        let alice = Keys::generate();
5169        let alice_hex = alice.public_key().to_hex();
5170
5171        set_member_grant(&relay, &community, &alice_hex, vec![admin_role]).await.unwrap();
5172        // OWNER makes the last metadata edit → the owner heads it, not alice.
5173        let mut c = crate::db::community::load_community(&community.id).unwrap().unwrap();
5174        c.name = "Owner's HQ".into();
5175        republish_community_metadata(&relay, &c).await.unwrap();
5176        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
5177        let before = fetch_control_folded(&relay, &community).await.unwrap().root_head.unwrap().version;
5178
5179        set_member_grant(&relay, &community, &alice_hex, vec![]).await.unwrap();
5180        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
5181        let after = fetch_control_folded(&relay, &community).await.unwrap().root_head.unwrap().version;
5182        assert_eq!(after, before, "no re-assert published — the demoted member didn't head the GroupRoot");
5183    }
5184
5185    #[tokio::test]
5186    async fn reanchor_carries_the_banlist_edition_to_the_new_epoch() {
5187        // The banlist is now a 3308 edition at the community-scoped banlist locator, so re-anchoring
5188        // (kind-agnostic within 3308) carries it forward — a post-rotation joiner gets the current bans.
5189        let (_tmp, _guard) = init_test_db();
5190        let relay = MemoryRelay::new();
5191        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
5192        let carol = "cc".repeat(32);
5193        // Seed the banlist into LOCAL state (publish + apply), since compaction snapshots the local set.
5194        publish_banlist(&relay, &community, &[carol.clone()]).await.unwrap();
5195        let _ = fetch_and_apply_control(&relay, &community).await;
5196        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
5197
5198        // Re-anchor by COMPACTION to a fresh root + epoch 1: the banlist is re-genesised forward.
5199        let new_root = [0x99u8; 32];
5200        let n = reanchor_control_plane(&relay, &community, &new_root, crate::community::Epoch(1)).await.unwrap();
5201        assert!(n.iter().all(|e| e.published), "every snapshot edition published");
5202        assert_eq!(n.len(), 4, "GroupRoot + channel + Admin role + banlist compacted to v1");
5203
5204        // Fetch at the new epoch under the new root → the banlist folds back with Carol still banned.
5205        let new_z = crate::community::roster::control_pseudonym(
5206            &crate::community::ServerRootKey(new_root), &community.id, crate::community::Epoch(1),
5207        );
5208        let after = relay
5209            .fetch(&Query { kinds: vec![event_kind::COMMUNITY_CONTROL], z_tags: vec![new_z], ..Default::default() }, &community.relays)
5210            .await
5211            .unwrap();
5212        let inners: Vec<_> = after
5213            .iter()
5214            .filter_map(|o| crate::community::roster::open_control_edition(o, &crate::community::ServerRootKey(new_root)).ok())
5215            .collect();
5216        let folded = crate::community::roster::fold_roster(&inners, &community.id, &Default::default());
5217        assert_eq!(folded.banned, vec![carol], "banlist reachable at the new epoch under the new root");
5218    }
5219
5220    // --- apply_server_root_rekey (#4b) ---
5221
5222    /// An owner-authored base rekey to `new_epoch` carrying one ServerRoot blob for `recipient_pk`,
5223    /// citing the community's current (genesis epoch-0) root. Returns the opened ParsedRekey.
5224    fn owner_base_rekey(
5225        owner: &Keys, community: &Community, recipient_pk: &nostr_sdk::PublicKey, new_epoch: u64, new_root: &[u8; 32],
5226    ) -> super::super::rekey::ParsedRekey {
5227        let prev = community.server_root_epoch.0;
5228        let blob = super::super::rekey::build_rekey_blob(
5229            owner.secret_key(), recipient_pk, super::super::derive::RekeyScope::ServerRoot, crate::community::Epoch(new_epoch), new_root,
5230        )
5231        .unwrap();
5232        let commit = super::super::rekey::epoch_key_commitment(crate::community::Epoch(prev), community.server_root_key.as_bytes());
5233        let outer = super::super::rekey::build_server_root_rekey_event(
5234            &Keys::generate(), owner, community.server_root_key.as_bytes(), &community.id,
5235            crate::community::Epoch(new_epoch), crate::community::Epoch(prev), &commit, &[blob],
5236        )
5237        .unwrap();
5238        super::super::rekey::open_rekey_event(&outer, community.server_root_key.as_bytes()).unwrap()
5239    }
5240
5241    #[test]
5242    fn apply_server_root_rekey_recovers_new_root_and_advances_base() {
5243        let (_tmp, _guard) = init_test_db();
5244        let owner = Keys::generate();
5245        let me = Keys::generate();
5246        become_local(&me);
5247        let community = saved_community_owned_by(&owner);
5248        let cid = community.id.to_hex();
5249        let new_root = [0xCDu8; 32];
5250
5251        let parsed = owner_base_rekey(&owner, &community, &me.public_key(), 1, &new_root);
5252        assert_eq!(apply_server_root_rekey(&community, &parsed).unwrap(), RekeyOutcome::Applied { head_advanced: true });
5253
5254        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
5255        assert_eq!(reloaded.server_root_epoch, crate::community::Epoch(1));
5256        assert_eq!(reloaded.server_root_key.as_bytes(), &new_root, "base head advanced to the new root");
5257        // Genesis root retained (cross-epoch control/base history stays decryptable).
5258        assert!(crate::db::community::held_epoch_key(&cid, crate::community::SERVER_ROOT_SCOPE_HEX, 0).unwrap().is_some());
5259        assert_eq!(crate::db::community::held_epoch_key(&cid, crate::community::SERVER_ROOT_SCOPE_HEX, 1).unwrap(), Some(new_root));
5260    }
5261
5262    #[test]
5263    fn apply_server_root_rekey_not_a_recipient_leaves_base_unchanged() {
5264        let (_tmp, _guard) = init_test_db();
5265        let owner = Keys::generate();
5266        let me = Keys::generate();
5267        become_local(&me);
5268        let community = saved_community_owned_by(&owner);
5269        let other = Keys::generate(); // blob wrapped to someone else → I was removed in this rotation
5270        let parsed = owner_base_rekey(&owner, &community, &other.public_key(), 1, &[0x11u8; 32]);
5271        assert_eq!(apply_server_root_rekey(&community, &parsed).unwrap(), RekeyOutcome::NotARecipient);
5272        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
5273        assert_eq!(reloaded.server_root_epoch, crate::community::Epoch(0), "removed-from-base member's head unchanged");
5274    }
5275
5276    #[test]
5277    fn apply_server_root_rekey_rejects_rotator_without_ban() {
5278        let (_tmp, _guard) = init_test_db();
5279        let owner = Keys::generate();
5280        let me = Keys::generate();
5281        become_local(&me);
5282        let community = saved_community_owned_by(&owner);
5283        // A rotator who is neither owner nor BAN-ranked cannot rotate the base.
5284        let rogue = Keys::generate();
5285        let parsed = owner_base_rekey(&rogue, &community, &me.public_key(), 1, &[0x22u8; 32]);
5286        assert!(apply_server_root_rekey(&community, &parsed).is_err(), "unauthorized base rotation rejected");
5287    }
5288
5289    #[test]
5290    fn apply_server_root_rekey_reorgs_onto_authorized_chain_despite_prior_mismatch() {
5291        // BASE FORK-CONVERGENCE (mirrors the channel reorg): I hold the genesis root, but an AUTHORIZED
5292        // (owner, BAN) epoch-1 base rekey continues from a DIFFERENT epoch-0 root (I lost a concurrent
5293        // re-founding). It must be ADOPTED — converge forward onto the authorized chain — not rejected and
5294        // left to stall every later base rotation. Authority + ECDH recipiency are the gates, not continuity.
5295        let (_tmp, _guard) = init_test_db();
5296        let owner = Keys::generate();
5297        let me = Keys::generate();
5298        become_local(&me);
5299        let community = saved_community_owned_by(&owner);
5300        let blob = super::super::rekey::build_rekey_blob(
5301            owner.secret_key(), &me.public_key(), super::super::derive::RekeyScope::ServerRoot, crate::community::Epoch(1), &[0x33u8; 32],
5302        )
5303        .unwrap();
5304        // Commit over a WRONG prior root (not the genesis I hold) → continuity mismatch (the losing fork).
5305        let bad = super::super::rekey::epoch_key_commitment(crate::community::Epoch(0), &[0xFFu8; 32]);
5306        let outer = super::super::rekey::build_server_root_rekey_event(
5307            &Keys::generate(), &owner, community.server_root_key.as_bytes(), &community.id,
5308            crate::community::Epoch(1), crate::community::Epoch(0), &bad, &[blob],
5309        )
5310        .unwrap();
5311        let parsed = super::super::rekey::open_rekey_event(&outer, community.server_root_key.as_bytes()).unwrap();
5312        let outcome = apply_server_root_rekey(&community, &parsed);
5313        assert!(
5314            matches!(outcome, Ok(RekeyOutcome::Applied { .. })),
5315            "an authorized base chain must be adopted (reorg), not rejected as foreign; got {outcome:?}"
5316        );
5317    }
5318
5319    #[test]
5320    fn apply_server_root_rekey_catchup_archives_without_regressing_base_head() {
5321        // Parity with the channel no-regress test: applying an OLDER base epoch archives its root but
5322        // must not regress the base head (the forward-walk can deliver out of order).
5323        let (_tmp, _guard) = init_test_db();
5324        let owner = Keys::generate();
5325        let me = Keys::generate();
5326        become_local(&me);
5327        let community = saved_community_owned_by(&owner);
5328        let cid = community.id.to_hex();
5329
5330        let r5 = [0x55u8; 32];
5331        let p5 = owner_base_rekey(&owner, &community, &me.public_key(), 5, &r5);
5332        assert_eq!(apply_server_root_rekey(&community, &p5).unwrap(), RekeyOutcome::Applied { head_advanced: true });
5333        let r3 = [0x33u8; 32];
5334        let p3 = owner_base_rekey(&owner, &community, &me.public_key(), 3, &r3);
5335        assert_eq!(apply_server_root_rekey(&community, &p3).unwrap(), RekeyOutcome::Applied { head_advanced: false });
5336
5337        assert_eq!(crate::db::community::held_epoch_key(&cid, crate::community::SERVER_ROOT_SCOPE_HEX, 3).unwrap(), Some(r3));
5338        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
5339        assert_eq!(reloaded.server_root_epoch, crate::community::Epoch(5), "base head stayed at newest");
5340        assert_eq!(reloaded.server_root_key.as_bytes(), &r5);
5341    }
5342
5343    #[test]
5344    fn apply_server_root_rekey_authorizes_a_granted_ban_admin() {
5345        // role-based: a non-owner who holds a role carrying BAN may rotate the base. Re-founding re-wraps
5346        // each head verbatim (never re-authors), so an admin re-founder can't demote peers or steal ownership
5347        // — which is exactly why this stays BAN-gated rather than owner-only.
5348        let (_tmp, _guard) = init_test_db();
5349        let owner = Keys::generate();
5350        let me = Keys::generate();
5351        become_local(&me);
5352        let community = saved_community_owned_by(&owner);
5353        let cid = community.id.to_hex();
5354
5355        let admin = Keys::generate();
5356        let role_id = "d".repeat(64);
5357        let roster = crate::community::roles::CommunityRoles {
5358            roles: vec![crate::community::roles::Role::admin(role_id.clone())],
5359            grants: vec![crate::community::roles::MemberGrant { member: admin.public_key().to_hex(), role_ids: vec![role_id] }],
5360        };
5361        crate::db::community::set_community_roles(&cid, &roster, 1).unwrap();
5362
5363        let parsed = owner_base_rekey(&admin, &community, &me.public_key(), 1, &[0x77u8; 32]);
5364        assert_eq!(
5365            apply_server_root_rekey(&community, &parsed).unwrap(),
5366            RekeyOutcome::Applied { head_advanced: true },
5367            "a BAN-granted admin (not the owner) can rotate the base"
5368        );
5369    }
5370
5371    #[test]
5372    fn apply_server_root_rekey_accepts_when_prior_root_not_held() {
5373        // Catch-up from further back: a base rekey citing a prior epoch whose root I don't hold skips
5374        // the continuity check (ECDH blob + authority still authenticate) and applies.
5375        let (_tmp, _guard) = init_test_db();
5376        let owner = Keys::generate();
5377        let me = Keys::generate();
5378        become_local(&me);
5379        let community = saved_community_owned_by(&owner);
5380
5381        let new_root = [0x99u8; 32];
5382        let blob = super::super::rekey::build_rekey_blob(
5383            owner.secret_key(), &me.public_key(), super::super::derive::RekeyScope::ServerRoot, crate::community::Epoch(5), &new_root,
5384        )
5385        .unwrap();
5386        // Cites epoch 4 (whose root I never held); commitment is over a root I don't have.
5387        let commit = super::super::rekey::epoch_key_commitment(crate::community::Epoch(4), &[0xEEu8; 32]);
5388        let outer = super::super::rekey::build_server_root_rekey_event(
5389            &Keys::generate(), &owner, community.server_root_key.as_bytes(), &community.id,
5390            crate::community::Epoch(5), crate::community::Epoch(4), &commit, &[blob],
5391        )
5392        .unwrap();
5393        let parsed = super::super::rekey::open_rekey_event(&outer, community.server_root_key.as_bytes()).unwrap();
5394        assert_eq!(apply_server_root_rekey(&community, &parsed).unwrap(), RekeyOutcome::Applied { head_advanced: true });
5395        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
5396        assert_eq!(reloaded.server_root_epoch, crate::community::Epoch(5));
5397    }
5398
5399    #[test]
5400    fn apply_server_root_rekey_rejects_channel_scope() {
5401        // A channel-scoped rekey must NOT be applied as a base rotation (fail closed).
5402        let (_tmp, _guard) = init_test_db();
5403        let owner = Keys::generate();
5404        let me = Keys::generate();
5405        become_local(&me);
5406        let community = saved_community_owned_by(&owner);
5407        let channel_parsed = owner_channel_rekey(&owner, &community, &me.public_key(), 1, &[0x44u8; 32]);
5408        assert!(apply_server_root_rekey(&community, &channel_parsed).is_err(), "channel scope rejected by base apply");
5409    }
5410
5411    #[test]
5412    fn apply_channel_rekey_not_a_recipient() {
5413        let (_tmp, _guard) = init_test_db();
5414        let owner = Keys::generate();
5415        let me = Keys::generate();
5416        become_local(&me);
5417        let community = saved_community_owned_by(&owner);
5418        // The blob is wrapped to SOMEONE ELSE, so my locator finds nothing.
5419        let other = Keys::generate();
5420        let parsed = owner_channel_rekey(&owner, &community, &other.public_key(), 1, &[0x11u8; 32]);
5421        assert_eq!(apply_channel_rekey(&community, &parsed).unwrap(), RekeyOutcome::NotARecipient);
5422        // Nothing committed: head stays at epoch 0.
5423        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
5424        assert_eq!(reloaded.channels[0].epoch, crate::community::Epoch(0));
5425    }
5426
5427    #[test]
5428    fn apply_channel_rekey_rejects_unauthorized_rotator() {
5429        let (_tmp, _guard) = init_test_db();
5430        let owner = Keys::generate();
5431        let me = Keys::generate();
5432        become_local(&me);
5433        let community = saved_community_owned_by(&owner);
5434        // A rotator who is NEITHER the owner NOR holds MANAGE_CHANNELS in the (empty) roster.
5435        let rogue = Keys::generate();
5436        let parsed = owner_channel_rekey(&rogue, &community, &me.public_key(), 1, &[0x22u8; 32]);
5437        assert!(apply_channel_rekey(&community, &parsed).is_err(), "unauthorized rotation must be rejected");
5438    }
5439
5440    #[test]
5441    fn apply_channel_rekey_reorgs_onto_authorized_chain_despite_prior_mismatch() {
5442        // FORK-CONVERGENCE ("reorg"): I hold genesis epoch-0, but an AUTHORIZED (owner) epoch-1 rekey
5443        // cites a DIFFERENT epoch-0 key (a chain I'm not on) and delivers epoch-1 to ME. Authority (checked
5444        // first) + recipient (the blob opens) are the real gates, so I REORG forward onto the authorized
5445        // chain instead of rejecting + stranding myself. (The commitment is continuity, not security — it
5446        // yields to convergence. An UNAUTHORIZED rotator with the same mismatch is still rejected by the
5447        // authority gate; see apply_channel_rekey_rejects_unauthorized_rotation.)
5448        let (_tmp, _guard) = init_test_db();
5449        let owner = Keys::generate();
5450        let me = Keys::generate();
5451        become_local(&me);
5452        let community = saved_community_owned_by(&owner);
5453        let chan = &community.channels[0];
5454        let scope = super::super::derive::RekeyScope::Channel(chan.id);
5455        let new_key = [0x33u8; 32];
5456        let blob = super::super::rekey::build_rekey_blob(owner.secret_key(), &me.public_key(), scope, crate::community::Epoch(1), &new_key).unwrap();
5457        // Commit over a DIFFERENT prior key than the genesis I hold → a divergent prior epoch (a fork).
5458        let other_commit = super::super::rekey::epoch_key_commitment(crate::community::Epoch(0), &[0xFFu8; 32]);
5459        let outer = super::super::rekey::build_channel_rekey_event(
5460            &Keys::generate(), &owner, community.server_root_key.as_bytes(), &chan.id,
5461            crate::community::Epoch(1), crate::community::Epoch(0), &other_commit, &[blob],
5462        )
5463        .unwrap();
5464        let parsed = super::super::rekey::open_rekey_event(&outer, community.server_root_key.as_bytes()).unwrap();
5465        let outcome = apply_channel_rekey(&community, &parsed).unwrap();
5466        assert!(matches!(outcome, RekeyOutcome::Applied { .. }),
5467            "an authorized chain must be adopted (reorg), not rejected as foreign; got {outcome:?}");
5468        assert_eq!(crate::db::community::held_epoch_key(&community.id.to_hex(), &chan.id.to_hex(), 1).unwrap(), Some(new_key));
5469    }
5470
5471    #[test]
5472    fn apply_channel_rekey_catchup_archives_without_regressing_head() {
5473        let (_tmp, _guard) = init_test_db();
5474        let owner = Keys::generate();
5475        let me = Keys::generate();
5476        become_local(&me);
5477        let community = saved_community_owned_by(&owner);
5478        let cid = community.id.to_hex();
5479        let chan_hex = community.channels[0].id.to_hex();
5480
5481        // Apply epoch 5 first → head advances to 5.
5482        let k5 = [0x55u8; 32];
5483        let p5 = owner_channel_rekey(&owner, &community, &me.public_key(), 5, &k5);
5484        assert_eq!(apply_channel_rekey(&community, &p5).unwrap(), RekeyOutcome::Applied { head_advanced: true });
5485        // Now apply an OLDER epoch 3 (catch-up) → archived, but head must NOT regress.
5486        let k3 = [0x33u8; 32];
5487        let p3 = owner_channel_rekey(&owner, &community, &me.public_key(), 3, &k3);
5488        assert_eq!(apply_channel_rekey(&community, &p3).unwrap(), RekeyOutcome::Applied { head_advanced: false });
5489
5490        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 3).unwrap(), Some(k3), "old epoch archived");
5491        assert_eq!(crate::db::community::held_epoch_key(&cid, &chan_hex, 5).unwrap(), Some(k5));
5492        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
5493        assert_eq!(reloaded.channels[0].epoch, crate::community::Epoch(5), "head stayed at the newest epoch");
5494        assert_eq!(reloaded.channels[0].key.as_bytes(), &k5);
5495    }
5496
5497    #[tokio::test]
5498    async fn create_community_persists_and_publishes_metadata() {
5499        use crate::community::transport::Query;
5500        use crate::stored_event::event_kind;
5501
5502        let (_tmp, _guard) = init_test_db();
5503        let relay = MemoryRelay::new();
5504        let community = create_community(&relay, "Vector HQ", "general", vec!["r1".into()])
5505            .await
5506            .expect("create");
5507
5508        // Returned shape.
5509        assert_eq!(community.name, "Vector HQ");
5510        assert_eq!(community.channels.len(), 1);
5511        assert_eq!(community.channels[0].name, "general");
5512
5513        // Persisted locally (reloadable with matching keys).
5514        let loaded = crate::db::community::load_community(&community.id).unwrap().expect("persisted");
5515        assert_eq!(loaded.channels[0].name, "general");
5516        assert_eq!(loaded.server_root_key.as_bytes(), community.server_root_key.as_bytes());
5517
5518        // GroupRoot + ChannelMetadata are 3308 editions on the control plane, keyless
5519        // (the actor's inner real-npub signature is the authority proof).
5520        let meta_events = relay
5521            .fetch(
5522                &Query { kinds: vec![event_kind::APPLICATION_SPECIFIC], ..Default::default() },
5523                &community.relays,
5524            )
5525            .await
5526            .unwrap();
5527        assert!(meta_events.is_empty(), "no legacy 30078 metadata events");
5528
5529        // The control plane carries THREE genesis editions, all real-npub signed by the OWNER: the
5530        // GroupRoot (vsk=0), the #general ChannelMetadata (vsk=2), and the auto Admin role (vsk=1).
5531        let z = crate::community::roster::control_pseudonym(&community.server_root_key, &community.id, crate::community::Epoch(0));
5532        let control = relay
5533            .fetch(
5534                &Query { kinds: vec![event_kind::COMMUNITY_CONTROL], z_tags: vec![z], ..Default::default() },
5535                &community.relays,
5536            )
5537            .await
5538            .unwrap();
5539        assert_eq!(control.len(), 3, "GroupRoot + ChannelMetadata + Admin role editions");
5540        let owner_pk = crate::state::my_public_key().unwrap();
5541        let parsed: Vec<_> = control
5542            .iter()
5543            .filter_map(|o| crate::community::roster::open_control_edition(o, &community.server_root_key).ok())
5544            .filter_map(|i| crate::community::edition::parse_edition_inner(&i).ok())
5545            .collect();
5546        assert!(parsed.iter().all(|p| p.author == owner_pk), "every genesis edition authored by the owner");
5547        // The GroupRoot edition (vsk=0) carries the community name + owner attestation.
5548        let root = parsed.iter().find(|p| p.entity_id == community.id.0).expect("GroupRoot edition");
5549        let root_meta: crate::community::metadata::CommunityMetadata = serde_json::from_str(&root.content).unwrap();
5550        assert_eq!(root_meta.name, "Vector HQ");
5551        assert!(root_meta.owner_attestation.is_some());
5552        // The Admin role edition (vsk=1) is the genesis of the Admin chain.
5553        let role: crate::community::roles::Role = parsed
5554            .iter()
5555            .find_map(|p| serde_json::from_str::<crate::community::roles::Role>(&p.content).ok().filter(|r| r.name == "Admin"))
5556            .expect("Admin role edition");
5557        assert_eq!(role.position, 1);
5558        assert!(role.permissions.contains(crate::community::roles::Permissions::ADMIN_ALL));
5559
5560        // Cached locally too (the owner's client immediately knows the Admin role exists).
5561        let cached = crate::db::community::get_community_roles(&community.id.to_hex()).unwrap();
5562        assert_eq!(cached.roles.len(), 1);
5563        assert!(cached.grants.is_empty(), "owner is implicit position 0, takes no grant");
5564    }
5565
5566    #[tokio::test]
5567    async fn role_grant_round_trips_through_relays_and_revokes() {
5568        use crate::community::roles::Permissions;
5569        let (_tmp, _guard) = init_test_db();
5570        let relay = MemoryRelay::new();
5571        let community = create_community(&relay, "HQ", "general", vec!["r1".into()])
5572            .await
5573            .expect("create");
5574        let cid = community.id.to_hex();
5575        let alice = "aa".repeat(32);
5576        let admin_role_id = crate::db::community::get_community_roles(&cid).unwrap().roles[0]
5577            .role_id
5578            .clone();
5579
5580        // Owner grants Alice the Admin role.
5581        set_member_grant(&relay, &community, &alice, vec![admin_role_id.clone()])
5582            .await
5583            .unwrap();
5584        assert!(
5585            crate::db::community::get_community_roles(&cid).unwrap().is_privileged(&alice),
5586            "local cache reflects the grant immediately"
5587        );
5588
5589        // A fresh fetch+apply reconstructs the whole graph from the relays: Alice is a BAN-capable
5590        // Admin, and the role definition came back too.
5591        let roster = fetch_and_apply_roles(&relay, &community).await.unwrap();
5592        assert!(roster.has_permission(&alice, Permissions::BAN));
5593        assert!(roster.has_permission(&alice, Permissions::MANAGE_ROLES));
5594        assert_eq!(roster.roles.len(), 1);
5595        assert_eq!(roster.highest_position(&alice), Some(1));
5596
5597        // Revoke (empty grant) → Alice loses the role and the empty grant is pruned from the cache.
5598        set_member_grant(&relay, &community, &alice, vec![]).await.unwrap();
5599        let after = crate::db::community::get_community_roles(&cid).unwrap();
5600        assert!(!after.is_privileged(&alice), "revoked member holds no role");
5601        assert!(after.grants.is_empty(), "empty grant pruned");
5602    }
5603
5604    #[tokio::test]
5605    async fn admin_cannot_grant_a_peer_rank_role() {
5606        // escalation defense at the authoring gate: an Admin (position 1) may NOT grant the Admin
5607        // role (also position 1) — equal can't escalate equal. Only the owner (position 0, strictly
5608        // above) can. Closes the raw-command path even though the MVP UI gates the toggle on owner.
5609        let (_tmp, _guard) = init_test_db();
5610        let relay = MemoryRelay::new();
5611        let community = create_community(&relay, "HQ", "general", vec!["r1".into()])
5612            .await
5613            .expect("create");
5614        let cid = community.id.to_hex();
5615        let admin_role_id =
5616            crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
5617        let alice = Keys::generate();
5618        // Owner seeds Alice as an Admin (set_member_grant is the low-level write, not the gated action).
5619        set_member_grant(&relay, &community, &alice.public_key().to_hex(), vec![admin_role_id.clone()])
5620            .await
5621            .unwrap();
5622
5623        // Now ACT as Alice and try to grant the Admin role to Bob — refused.
5624        crate::state::set_my_public_key(alice.public_key());
5625        let bob = Keys::generate().public_key();
5626        let err = grant_role(&relay, &community, bob, &admin_role_id).await.unwrap_err();
5627        assert!(err.contains("below your own"), "peer-rank grant refused, got: {err}");
5628    }
5629
5630    #[tokio::test]
5631    async fn create_community_mints_a_verifiable_owner_attestation() {
5632        // The owner attestation is mandatory at creation (no root → no community) and must prove the
5633        // creator as owner, bound to this community.
5634        let (_tmp, _guard) = init_test_db();
5635        let me = crate::state::my_public_key().unwrap();
5636        let relay = MemoryRelay::new();
5637        let community = create_community(&relay, "HQ", "general", vec!["r1".into()])
5638            .await
5639            .expect("create");
5640        let att = community.owner_attestation.as_ref().expect("attestation is mandatory");
5641        let proven = super::super::owner::verify_owner_attestation(att, &community.id.to_hex());
5642        assert_eq!(proven, Some(me), "the creator is the proven owner");
5643        // It can't be transplanted to a different community id.
5644        assert_eq!(
5645            super::super::owner::verify_owner_attestation(att, &"f".repeat(64)),
5646            None,
5647        );
5648    }
5649
5650    #[tokio::test]
5651    async fn admin_cannot_ban_a_peer_admin() {
5652        // hierarchy at the banlist gate: an Admin (pos 1, holds BAN) cannot ban a *peer* Admin
5653        // (also pos 1) — equal can't act on equal; only someone strictly above (the owner) can. Closes
5654        // the B1 sibling hole (the outrank gate had been wired on grant/revoke but not on the banlist).
5655        let (_tmp, _guard) = init_test_db();
5656        let relay = MemoryRelay::new();
5657        let community = create_community(&relay, "HQ", "general", vec!["r1".into()])
5658            .await
5659            .expect("create");
5660        let cid = community.id.to_hex();
5661        let admin_role_id =
5662            crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
5663        let alice = Keys::generate();
5664        let bob = Keys::generate();
5665        // Owner seeds both as Admins (set_member_grant is the low-level write, not the gated action).
5666        set_member_grant(&relay, &community, &alice.public_key().to_hex(), vec![admin_role_id.clone()])
5667            .await
5668            .unwrap();
5669        set_member_grant(&relay, &community, &bob.public_key().to_hex(), vec![admin_role_id.clone()])
5670            .await
5671            .unwrap();
5672
5673        // Act as Alice (the edition is signed by the vault identity → become her, not just set the
5674        // pubkey): she may NOT ban peer-admin Bob (rejected at the gate, before any signing).
5675        become_local(&alice);
5676        let err = publish_banlist(&relay, &community, &[bob.public_key().to_hex()])
5677            .await
5678            .unwrap_err();
5679        assert!(err.contains("outranks you"), "peer-admin ban refused, got: {err}");
5680    }
5681
5682    #[tokio::test]
5683    async fn roster_reconstructs_purely_from_relay() {
5684        // Prove the fetch path reconstructs from the relay editions, NOT the optimistic local cache:
5685        // publish the role + a grant, WIPE the local roster cache, then fetch — a populated result
5686        // can then only have come from the relay.
5687        let (_tmp, _guard) = init_test_db();
5688        let relay = MemoryRelay::new();
5689        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
5690        let cid = community.id.to_hex();
5691        let admin_role_id =
5692            crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
5693        let alice = "aa".repeat(32);
5694        set_member_grant(&relay, &community, &alice, vec![admin_role_id.clone()]).await.unwrap();
5695
5696        // Wipe the local cache so a populated result can ONLY come from the relay.
5697        crate::db::community::set_community_roles(&cid, &crate::community::roles::CommunityRoles::default(), 0).unwrap();
5698        assert!(crate::db::community::get_community_roles(&cid).unwrap().roles.is_empty(), "cache wiped");
5699
5700        let roster = fetch_and_apply_roles(&relay, &community).await.unwrap();
5701        assert!(roster.is_admin(&alice), "roster reconstructed from relay editions, not the cache");
5702        assert_eq!(roster.roles.len(), 1, "the Admin role edition folded back");
5703    }
5704
5705    #[tokio::test]
5706    async fn admin_cannot_unban_a_peer_admin() {
5707        // hierarchy on the REMOVAL side: an Admin can't unban (drop from the banlist) a peer Admin
5708        // the owner banned — gating only additions would let a low admin undo a superior's ban.
5709        let (_tmp, _guard) = init_test_db();
5710        let relay = MemoryRelay::new();
5711        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
5712        let cid = community.id.to_hex();
5713        let admin_role_id =
5714            crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
5715        let alice = Keys::generate();
5716        let bob = Keys::generate();
5717        set_member_grant(&relay, &community, &alice.public_key().to_hex(), vec![admin_role_id.clone()])
5718            .await
5719            .unwrap();
5720        set_member_grant(&relay, &community, &bob.public_key().to_hex(), vec![admin_role_id.clone()])
5721            .await
5722            .unwrap();
5723        // Owner banned peer-admin Bob (seed the banlist directly).
5724        crate::db::community::set_community_banlist(&cid, &[bob.public_key().to_hex()], 1000).unwrap();
5725
5726        // Alice (admin) tries to clear the banlist → unbanning peer-admin Bob is refused.
5727        become_local(&alice);
5728        let err = publish_banlist(&relay, &community, &[]).await.unwrap_err();
5729        assert!(err.contains("unban"), "unbanning a peer admin refused, got: {err}");
5730    }
5731
5732    #[tokio::test]
5733    async fn create_community_rejects_signer_identity_mismatch() {
5734        // The vault must hold the ACTIVE identity's key to sign the attestation locally. If the active
5735        // pubkey differs from the vault key (a stale/half-swapped session) and there's no bunker
5736        // client, creation fails rather than minting an attestation owned by the wrong identity.
5737        let (_tmp, _guard) = init_test_db(); // seeds matching vault key + my_public_key
5738        let other = Keys::generate();
5739        crate::state::set_my_public_key(other.public_key()); // force a mismatch
5740        let relay = MemoryRelay::new();
5741        let err = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap_err();
5742        assert!(err.contains("identity signer"), "signer mismatch refused, got: {err}");
5743    }
5744
5745    #[tokio::test]
5746    async fn banlist_newer_edition_applies_older_is_refused() {
5747        let (_tmp, _guard) = init_test_db();
5748        let relay = MemoryRelay::new();
5749        let community = create_community(&relay, "HQ", "general", vec!["r1".into()])
5750            .await
5751            .expect("create");
5752        let id_hex = community.id.to_hex();
5753        let banlist_entity = crate::simd::hex::bytes_to_hex_32(&crate::community::derive::banlist_locator(&community.id));
5754        let mallory = "aa".repeat(32);
5755        let bob = "bb".repeat(32);
5756
5757        // An owner-signed v1 banlist edition (banning Mallory) is injected on the relay WITHOUT touching
5758        // local state, so the local head stays at 0 and the first fetch must fold it from the relay.
5759        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
5760        let inner = crate::community::roster::build_banlist_edition(&owner, &community.id, &[mallory.clone()], 1, None, 1000, None).unwrap();
5761        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
5762        relay.inject(&outer, &community.relays);
5763
5764        // Fetch folds the v1 edition, verifies the owner held BAN, applies it + advances the head.
5765        let applied = fetch_and_apply_banlist(&relay, &community).await.unwrap();
5766        assert_eq!(applied, vec![mallory.clone()]);
5767        let (head_v, _) = crate::db::community::get_edition_head(&id_hex, &banlist_entity).unwrap().unwrap();
5768        assert_eq!(head_v, 1, "banlist edition head advanced to v1");
5769
5770        // We now hold a NEWER local edition (v2, banning Mallory + Bob); the relay still carries only
5771        // v1 — a re-fetch must NOT roll us back to it (refuse-downgrade by edition version).
5772        crate::db::community::set_community_banlist(&id_hex, &[mallory.clone(), bob.clone()], 2).unwrap();
5773        crate::db::community::set_edition_head(&id_hex, &banlist_entity, 2, &[0x22u8; 32]).unwrap();
5774        let after = fetch_and_apply_banlist(&relay, &community).await.unwrap();
5775        assert_eq!(after, vec![mallory, bob], "older relay edition refused, local banlist preserved");
5776    }
5777
5778    #[tokio::test]
5779    async fn unauthorized_banlist_edition_is_rejected() {
5780        // The keyless BAN-authority gate: a validly-signed banlist edition from a signer who holds no
5781        // BAN role (not the owner, never granted) is DROPPED on fetch — the inner signature proves
5782        // authorship, not authority. Authority is re-verified against the authorized roster.
5783        let (_tmp, _guard) = init_test_db();
5784        let relay = MemoryRelay::new();
5785        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
5786        let bob = "bb".repeat(32);
5787
5788        // A random identity (no role) signs + injects a v1 banlist edition banning Bob.
5789        let mallory = Keys::generate();
5790        let inner = crate::community::roster::build_banlist_edition(&mallory, &community.id, &[bob], 1, None, 1000, None).unwrap();
5791        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
5792        relay.inject(&outer, &community.relays);
5793
5794        // Fetch must reject it (signer not authorized) — the banlist stays empty.
5795        let applied = fetch_and_apply_banlist(&relay, &community).await.unwrap();
5796        assert!(applied.is_empty(), "an unauthorized signer's banlist edition is rejected");
5797    }
5798
5799    #[tokio::test]
5800    async fn banlist_receiver_enforces_per_target_outrank() {
5801        // The receive-side gate, not just the BAN bit: an Admin (holds BAN) who bans a PEER Admin
5802        // is rejected on fetch — equal can't act on equal. A bit-only check would fail open here.
5803        let (_tmp, _guard) = init_test_db();
5804        let relay = MemoryRelay::new();
5805        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
5806        let cid = community.id.to_hex();
5807        let admin_role_id = crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
5808        let alice = Keys::generate();
5809        let bob = Keys::generate();
5810        // Owner grants both Admin (so both sit at position 1, peers).
5811        set_member_grant(&relay, &community, &alice.public_key().to_hex(), vec![admin_role_id.clone()]).await.unwrap();
5812        set_member_grant(&relay, &community, &bob.public_key().to_hex(), vec![admin_role_id]).await.unwrap();
5813
5814        // Alice (Admin) authors a banlist banning peer-admin Bob, citing her own (owner-granted) Admin
5815        // grant, injected on the relay.
5816        let cite = authority_citation(&community, &alice.public_key().to_hex());
5817        let inner = crate::community::roster::build_banlist_edition(&alice, &community.id, &[bob.public_key().to_hex()], 1, None, 1000, cite.as_ref()).unwrap();
5818        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
5819        relay.inject(&outer, &community.relays);
5820
5821        // Fetch must reject it — Alice doesn't strictly outrank her peer Bob.
5822        let applied = fetch_and_apply_banlist(&relay, &community).await.unwrap();
5823        assert!(applied.is_empty(), "an admin can't ban a peer admin (receiver-side outrank)");
5824    }
5825
5826    #[tokio::test]
5827    async fn banlist_admin_bans_regular_member_applies() {
5828        // The positive companion to the peer-rejection: an Admin (holds BAN) banning a REGULAR member
5829        // (no role, sits below) IS authorized on the receiver — Alice strictly outranks them.
5830        let (_tmp, _guard) = init_test_db();
5831        let relay = MemoryRelay::new();
5832        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
5833        let cid = community.id.to_hex();
5834        let admin_role_id = crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
5835        let alice = Keys::generate();
5836        set_member_grant(&relay, &community, &alice.public_key().to_hex(), vec![admin_role_id]).await.unwrap();
5837
5838        let carol = "cc".repeat(32);
5839        // Alice cites her owner-granted Admin grant — the pinned authority a non-owner must carry.
5840        let cite = authority_citation(&community, &alice.public_key().to_hex());
5841        let inner = crate::community::roster::build_banlist_edition(&alice, &community.id, &[carol.clone()], 1, None, 1000, cite.as_ref()).unwrap();
5842        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
5843        relay.inject(&outer, &community.relays);
5844
5845        let applied = fetch_and_apply_banlist(&relay, &community).await.unwrap();
5846        assert_eq!(applied, vec![carol], "an admin's ban of a regular member applies");
5847    }
5848
5849    #[tokio::test]
5850    async fn owner_banlist_needs_no_citation() {
5851        // The owner is supreme and cites nothing — an owner-signed banlist edition with NO citation
5852        // applies. This is the `owner_hex == actor` bypass in `authority_citation_satisfied`.
5853        let (_tmp, _guard) = init_test_db();
5854        let relay = MemoryRelay::new();
5855        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
5856        let victim = "cc".repeat(32);
5857
5858        // Owner hand-signs an uncited v1 banlist, injected on the relay (local head stays 0 → folds fresh).
5859        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
5860        let inner = crate::community::roster::build_banlist_edition(&owner, &community.id, &[victim.clone()], 1, None, 1000, None).unwrap();
5861        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
5862        relay.inject(&outer, &community.relays);
5863
5864        let applied = fetch_and_apply_banlist(&relay, &community).await.unwrap();
5865        assert_eq!(applied, vec![victim], "an owner's uncited ban applies");
5866    }
5867
5868    #[tokio::test]
5869    async fn banlist_with_forged_citation_hash_is_rejected() {
5870        // fork guard: an authorized admin who cites her real grant entity + version but the WRONG
5871        // hash (a non-canonical fork at the tip) is rejected — the cited proof must be the one we folded.
5872        let (_tmp, _guard) = init_test_db();
5873        let relay = MemoryRelay::new();
5874        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
5875        let cid = community.id.to_hex();
5876        let admin_role_id = crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
5877        let alice = Keys::generate();
5878        set_member_grant(&relay, &community, &alice.public_key().to_hex(), vec![admin_role_id]).await.unwrap();
5879
5880        let carol = "cc".repeat(32);
5881        // Real entity + version, but a fabricated hash → the cited edition isn't the one that won the fold.
5882        let mut cite = authority_citation(&community, &alice.public_key().to_hex()).unwrap();
5883        cite.edition_hash = [0xEE; 32];
5884        let inner = crate::community::roster::build_banlist_edition(&alice, &community.id, &[carol], 1, None, 1000, Some(&cite)).unwrap();
5885        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
5886        relay.inject(&outer, &community.relays);
5887
5888        let applied = fetch_and_apply_banlist(&relay, &community).await.unwrap();
5889        assert!(applied.is_empty(), "a forged-hash citation is rejected");
5890    }
5891
5892    #[tokio::test]
5893    async fn banlist_citing_unsynced_future_version_is_rejected() {
5894        // The completeness gate (fail closed): a genuinely-authorized admin who cites a FUTURE version of
5895        // her grant that nobody has (≥ what we folded) is rejected — we can't confirm authority at a
5896        // version we haven't synced. Isolates the sync-floor from the permission check (she IS an admin).
5897        let (_tmp, _guard) = init_test_db();
5898        let relay = MemoryRelay::new();
5899        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
5900        let cid = community.id.to_hex();
5901        let admin_role_id = crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
5902        let alice = Keys::generate();
5903        set_member_grant(&relay, &community, &alice.public_key().to_hex(), vec![admin_role_id]).await.unwrap();
5904
5905        let carol = "cc".repeat(32);
5906        let mut cite = authority_citation(&community, &alice.public_key().to_hex()).unwrap();
5907        cite.version += 5; // cite a grant version that doesn't exist on any relay
5908        let inner = crate::community::roster::build_banlist_edition(&alice, &community.id, &[carol], 1, None, 1000, Some(&cite)).unwrap();
5909        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
5910        relay.inject(&outer, &community.relays);
5911
5912        let applied = fetch_and_apply_banlist(&relay, &community).await.unwrap();
5913        assert!(applied.is_empty(), "citing an unsynced future grant version fails closed");
5914    }
5915
5916    #[tokio::test]
5917    async fn demoted_banner_superseded_ban_is_rejected() {
5918        // Refuse-superseded: an admin bans (citing her v1 grant), then the owner revokes her admin role.
5919        // Her citation is still SATISFIED (we hold a later v2 head of her grant), but the current
5920        // authorized roster no longer ranks her → the per-target outrank fails → the stale ban is dropped.
5921        let (_tmp, _guard) = init_test_db();
5922        let relay = MemoryRelay::new();
5923        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
5924        let cid = community.id.to_hex();
5925        let admin_role_id = crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
5926        let alice = Keys::generate();
5927        set_member_grant(&relay, &community, &alice.public_key().to_hex(), vec![admin_role_id]).await.unwrap();
5928
5929        let carol = "cc".repeat(32);
5930        // Alice bans Carol while she IS an admin, citing her v1 grant.
5931        let cite = authority_citation(&community, &alice.public_key().to_hex());
5932        let inner = crate::community::roster::build_banlist_edition(&alice, &community.id, &[carol], 1, None, 1000, cite.as_ref()).unwrap();
5933        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
5934        relay.inject(&outer, &community.relays);
5935
5936        // Owner revokes Alice's admin (publishes her v2 empty grant).
5937        set_member_grant(&relay, &community, &alice.public_key().to_hex(), vec![]).await.unwrap();
5938
5939        let applied = fetch_and_apply_banlist(&relay, &community).await.unwrap();
5940        assert!(applied.is_empty(), "a since-demoted banner's stale ban is rejected (refuse-superseded)");
5941    }
5942
5943    #[tokio::test]
5944    async fn withheld_revocation_cannot_resurrect_a_demoted_banners_grant() {
5945        // The refuse-downgrade FLOOR: we have already synced Alice's revocation (her grant head is
5946        // at v2 locally), but a hostile relay serves only her OLD v1 admin grant + her stale ban,
5947        // withholding v2. The fold seeds Alice's grant from the held v2 floor, so the below-floor v1 is
5948        // refused — her grant never re-materializes, and the stale ban is dropped. (Without the floor,
5949        // the fold would roll back to v1 and re-authorize her: the H1 fail-open this closes.)
5950        let (_tmp, _guard) = init_test_db();
5951        let relay = MemoryRelay::new();
5952        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
5953        let cid = community.id.to_hex();
5954        let admin_role_id = crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
5955        let alice = Keys::generate();
5956        set_member_grant(&relay, &community, &alice.public_key().to_hex(), vec![admin_role_id]).await.unwrap();
5957
5958        // Alice (admin at v1) bans Carol, citing her v1 grant — only this + her v1 grant reach the relay.
5959        let carol = "cc".repeat(32);
5960        let cite = authority_citation(&community, &alice.public_key().to_hex());
5961        let inner = crate::community::roster::build_banlist_edition(&alice, &community.id, &[carol], 1, None, 1000, cite.as_ref()).unwrap();
5962        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
5963        relay.inject(&outer, &community.relays);
5964
5965        // We've SEEN the revocation (head floor for Alice's grant advanced to v2 locally) but the relay
5966        // withholds the v2 edition itself.
5967        let alice_bytes = alice.public_key().to_bytes();
5968        let grant_entity = crate::simd::hex::bytes_to_hex_32(&crate::community::derive::grant_locator(&community.id, &alice_bytes));
5969        crate::db::community::set_edition_head(&cid, &grant_entity, 2, &[0xAB; 32]).unwrap();
5970
5971        let applied = fetch_and_apply_banlist(&relay, &community).await.unwrap();
5972        assert!(applied.is_empty(), "a withheld revocation can't roll the banner's grant back to re-authorize them");
5973    }
5974
5975    #[tokio::test]
5976    async fn invite_registry_round_trips_and_drives_is_public() {
5977        // computed mode: a fresh community is Private (empty registry); a peer folds the owner's
5978        // registry edition purely from the relay and computes Public; clearing the registry (revoke the
5979        // last link) flips it back to Private — the privatize precondition.
5980        let (_tmp, _guard) = init_test_db();
5981        let relay = MemoryRelay::new();
5982        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
5983        assert!(!is_public(&community).unwrap(), "a fresh community is Private");
5984
5985        // Owner's per-creator link edition v1 injected on the relay (no local head yet → folds fresh,
5986        // like a peer). The owner holds CREATE_INVITE (ADMIN_ALL), so the fold authorizes + unions it.
5987        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
5988        let loc = "1a".repeat(32);
5989        let inner = crate::community::roster::build_invite_links_edition(&owner, &community.id, &[loc.clone()], 1, None, 1000, None).unwrap();
5990        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
5991        relay.inject(&outer, &community.relays);
5992
5993        let applied = fetch_and_apply_invite_links(&relay, &community).await.unwrap();
5994        assert_eq!(applied, vec![loc], "the owner's link edition folds + unions from the relay");
5995        assert!(is_public(&community).unwrap(), "mode recomputed Public from the folded aggregate");
5996
5997        // The owner retires their links (newer v2, empty) → aggregate empties → Private.
5998        publish_my_invite_links(&relay, &community, &[]).await.unwrap();
5999        let applied = fetch_and_apply_invite_links(&relay, &community).await.unwrap();
6000        assert!(applied.is_empty() && !is_public(&community).unwrap(), "an empty aggregate is Private");
6001    }
6002
6003    #[tokio::test]
6004    async fn metadata_edit_round_trips_to_a_lagging_member() {
6005        // metadata fold: a member holding only the genesis v1 folds the owner's GroupRoot v2 from the
6006        // relay and applies the display edit. (Edition built + injected directly so the local head stays
6007        // at v1 — `set_edition_head` is monotonic, so a republish would advance it and defeat the test.)
6008        let (_tmp, _guard) = init_test_db();
6009        let relay = MemoryRelay::new();
6010        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6011        let cid = community.id.to_hex();
6012        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
6013        let (genesis_v, genesis_hash) = crate::db::community::get_edition_head(&cid, &cid).unwrap().unwrap();
6014        assert_eq!(genesis_v, 1);
6015
6016        let mut edited = crate::community::metadata::CommunityMetadata::of(&community);
6017        edited.name = "Renamed HQ".into();
6018        edited.description = Some("now with a topic".into());
6019        let inner = crate::community::roster::build_community_root_edition(&owner, &community.id, &edited, 2, Some(&genesis_hash), 4000, None).unwrap();
6020        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
6021        relay.inject(&outer, &community.relays);
6022
6023        fetch_and_apply_metadata(&relay, &community).await.unwrap();
6024        let after = crate::db::community::load_community(&community.id).unwrap().unwrap();
6025        assert_eq!(after.name, "Renamed HQ", "the owner's GroupRoot edit folded from the relay");
6026        assert_eq!(after.description.as_deref(), Some("now with a topic"));
6027        assert_eq!(crate::db::community::get_edition_head(&cid, &cid).unwrap().unwrap().0, 2, "head advanced to v2");
6028    }
6029
6030    #[tokio::test]
6031    async fn unauthorized_metadata_edit_is_ignored() {
6032        // A signer WITHOUT manage-metadata authority can't move the community's display, even with a
6033        // perfectly-chained, validly-signed GroupRoot edition (the author gate, not just the chain).
6034        let (_tmp, _guard) = init_test_db();
6035        let relay = MemoryRelay::new();
6036        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6037        let cid = community.id.to_hex();
6038        let (_, genesis_hash) = crate::db::community::get_edition_head(&cid, &cid).unwrap().unwrap();
6039
6040        let mallory = Keys::generate();
6041        let mut hacked = crate::community::metadata::CommunityMetadata::of(&community);
6042        hacked.name = "Pwned".into();
6043        let inner = crate::community::roster::build_community_root_edition(&mallory, &community.id, &hacked, 2, Some(&genesis_hash), 5000, None).unwrap();
6044        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
6045        relay.inject(&outer, &community.relays);
6046
6047        fetch_and_apply_metadata(&relay, &community).await.unwrap();
6048        let after = crate::db::community::load_community(&community.id).unwrap().unwrap();
6049        assert_eq!(after.name, "HQ", "a non-manage-metadata signer's GroupRoot edit is rejected");
6050        assert_eq!(crate::db::community::get_edition_head(&cid, &cid).unwrap().unwrap().0, 1, "an unauthorized edit never advances the head");
6051    }
6052
6053    #[tokio::test]
6054    async fn channel_rename_round_trips_from_owner_edition() {
6055        // The vsk=2 ChannelMetadata fold: an owner-signed channel rename (v2, chained off genesis) folds
6056        // and applies to the matching channel.
6057        let (_tmp, _guard) = init_test_db();
6058        let relay = MemoryRelay::new();
6059        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6060        let cid = community.id.to_hex();
6061        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
6062        let channel = community.channels[0].clone();
6063        let ch_hex = channel.id.to_hex();
6064        let (_, genesis_ch_hash) = crate::db::community::get_edition_head(&cid, &ch_hex).unwrap().unwrap();
6065
6066        let meta = crate::community::metadata::ChannelMetadata { name: "announcements".into() };
6067        let inner = crate::community::roster::build_channel_metadata_edition(&owner, &channel.id, &meta, 2, Some(&genesis_ch_hash), 6000, None).unwrap();
6068        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
6069        relay.inject(&outer, &community.relays);
6070
6071        fetch_and_apply_metadata(&relay, &community).await.unwrap();
6072        let after = crate::db::community::load_community(&community.id).unwrap().unwrap();
6073        assert_eq!(after.channels[0].name, "announcements", "the owner's channel rename folded + applied");
6074        assert_eq!(crate::db::community::get_edition_head(&cid, &ch_hex).unwrap().unwrap().0, 2, "channel head advanced to v2");
6075    }
6076
6077    /// Build a v2 GroupRoot edition by `author` (name/created over genesis) → (sealed outer, self_hash,
6078    /// inner_id). Two of these with different (name, created) form a same-version concurrent fork.
6079    fn root_fork_v2(author: &Keys, community: &Community, name: &str, created: u64, genesis_hash: &[u8; 32]) -> (Event, [u8; 32], [u8; 32]) {
6080        let mut meta = crate::community::metadata::CommunityMetadata::of(community);
6081        meta.name = name.into();
6082        let inner = crate::community::roster::build_community_root_edition(author, &community.id, &meta, 2, Some(genesis_hash), created, None).unwrap();
6083        let self_hash = crate::community::version::edition_hash(&community.id.0, 2, Some(genesis_hash), inner.content.as_bytes());
6084        let inner_id = inner.id.to_bytes();
6085        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
6086        (outer, self_hash, inner_id)
6087    }
6088
6089    /// A concurrent v2 ChannelMetadata fork (the channel analogue of [`root_fork_v2`]): a v2 rename chained
6090    /// off the channel's genesis, returned as (sealed outer, self_hash, inner_id).
6091    fn channel_fork_v2(author: &Keys, community: &Community, channel_id: &crate::community::ChannelId, name: &str, created: u64, genesis_hash: &[u8; 32]) -> (Event, [u8; 32], [u8; 32]) {
6092        let meta = crate::community::metadata::ChannelMetadata { name: name.into() };
6093        let inner = crate::community::roster::build_channel_metadata_edition(author, channel_id, &meta, 2, Some(genesis_hash), created, None).unwrap();
6094        let self_hash = crate::community::version::edition_hash(&channel_id.0, 2, Some(genesis_hash), inner.content.as_bytes());
6095        let inner_id = inner.id.to_bytes();
6096        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
6097        (outer, self_hash, inner_id)
6098    }
6099
6100    /// W1 — channel metadata converges on a same-version fork exactly like GroupRoot: two authorized editors
6101    /// rename a channel concurrently (both v2, different content); a client holding the LOSER (higher inner
6102    /// id) converges onto the deterministic winner (lower inner id) instead of clinging to its own.
6103    #[tokio::test]
6104    async fn channel_same_version_fork_converges_to_the_lower_inner_id() {
6105        let (_tmp, _guard) = init_test_db();
6106        let relay = MemoryRelay::new();
6107        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6108        let cid = community.id.to_hex();
6109        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
6110        let channel_id = community.channels[0].id;
6111        let ch_hex = channel_id.to_hex();
6112        let (_, genesis_hash) = crate::db::community::get_edition_head(&cid, &ch_hex).unwrap().unwrap();
6113
6114        let (out_a, ha, ida) = channel_fork_v2(&owner, &community, &channel_id, "alpha", 1000, &genesis_hash);
6115        let (out_b, hb, idb) = channel_fork_v2(&owner, &community, &channel_id, "bravo", 2000, &genesis_hash);
6116        let (win_name, win_h, win_id, lose_name, lose_h, lose_id) = if ida < idb {
6117            ("alpha", ha, ida, "bravo", hb, idb)
6118        } else {
6119            ("bravo", hb, idb, "alpha", ha, ida)
6120        };
6121        // Hold the LOSER locally (head + channel name), then see both forks.
6122        crate::db::community::set_edition_head_with_id(&cid, &ch_hex, 2, &lose_h, &lose_id).unwrap();
6123        {
6124            let mut c = crate::db::community::load_community(&community.id).unwrap().unwrap();
6125            c.channels.iter_mut().find(|ch| ch.id == channel_id).unwrap().name = lose_name.into();
6126            crate::db::community::save_community(&c).unwrap();
6127        }
6128        relay.inject(&out_a, &community.relays);
6129        relay.inject(&out_b, &community.relays);
6130
6131        fetch_and_apply_metadata(&relay, &community).await.unwrap();
6132        let after = crate::db::community::load_community(&community.id).unwrap().unwrap();
6133        let ch_name = &after.channels.iter().find(|c| c.id == channel_id).unwrap().name;
6134        assert_eq!(ch_name, win_name, "channel converged on the lower-inner-id winner, not our held fork");
6135        assert_eq!(crate::db::community::get_edition_head(&cid, &ch_hex).unwrap().unwrap(), (2, win_h), "channel head self_hash converged at the SAME version");
6136        assert_eq!(crate::db::community::get_edition_head_inner_id(&cid, &ch_hex).unwrap(), Some(win_id), "channel head inner_id moved to the winner");
6137
6138        // Flip-flop-proof: a second pass holding the winner keeps it.
6139        fetch_and_apply_metadata(&relay, &community).await.unwrap();
6140        let after2 = crate::db::community::load_community(&community.id).unwrap().unwrap();
6141        assert_eq!(&after2.channels.iter().find(|c| c.id == channel_id).unwrap().name, win_name, "no flip back to the higher-id fork");
6142    }
6143
6144    /// W1 — channel authority gate runs BEFORE the tiebreak: a demoted/unauthorized author's same-version
6145    /// channel rename loses even with the lowest inner id; the authorized rename is applied.
6146    #[tokio::test]
6147    async fn channel_same_version_fork_excludes_an_unauthorized_lower_id_edition() {
6148        let (_tmp, _guard) = init_test_db();
6149        let relay = MemoryRelay::new();
6150        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6151        let cid = community.id.to_hex();
6152        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
6153        let channel_id = community.channels[0].id;
6154        let ch_hex = channel_id.to_hex();
6155        let (_, genesis_hash) = crate::db::community::get_edition_head(&cid, &ch_hex).unwrap().unwrap();
6156
6157        let (owner_out, owner_h, owner_id) = channel_fork_v2(&owner, &community, &channel_id, "legit", 1000, &genesis_hash);
6158        // Grind mallory's created_at until her forgery sorts FIRST author-blind (lower inner id).
6159        let mallory = Keys::generate();
6160        let mal_out = {
6161            let mut chosen = None;
6162            for t in 1..=10_000u64 {
6163                let cand = channel_fork_v2(&mallory, &community, &channel_id, "forged", t, &genesis_hash);
6164                if cand.2 < owner_id { chosen = Some(cand.0); break; }
6165            }
6166            chosen.expect("a mallory channel edition with a lower inner id")
6167        };
6168        relay.inject(&owner_out, &community.relays);
6169        relay.inject(&mal_out, &community.relays);
6170
6171        fetch_and_apply_metadata(&relay, &community).await.unwrap();
6172        let after = crate::db::community::load_community(&community.id).unwrap().unwrap();
6173        assert_eq!(&after.channels.iter().find(|c| c.id == channel_id).unwrap().name, &"legit".to_string(), "the channel forgery never wins despite a lower inner id");
6174        assert_eq!(crate::db::community::get_edition_head(&cid, &ch_hex).unwrap().unwrap(), (2, owner_h), "the authorized channel edition is the head");
6175    }
6176
6177    /// epoch-primary floor: a re-founding re-genesises every entity to v1 under the NEW epoch, and that
6178    /// v1 must supersede the held high version (else compaction is impossible) — WITHOUT weakening in-epoch
6179    /// refuse-downgrade. Exercises the `set_edition_head` write guard directly.
6180    #[tokio::test]
6181    async fn epoch_primary_floor_lets_a_refounding_v1_supersede_a_held_high_version() {
6182        let (_tmp, _guard) = init_test_db();
6183        let relay = MemoryRelay::new();
6184        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6185        let cid = community.id.to_hex();
6186        // Drive the GroupRoot head to v5 within epoch 0.
6187        for v in 2..=5u64 {
6188            crate::db::community::set_edition_head_with_id(&cid, &cid, v, &[v as u8; 32], &[v as u8; 32]).unwrap();
6189        }
6190        assert_eq!(crate::db::community::get_edition_head(&cid, &cid).unwrap().unwrap().0, 5);
6191        // In-epoch refuse-downgrade still holds: a lower version is a no-op.
6192        crate::db::community::set_edition_head_with_id(&cid, &cid, 3, &[0x33; 32], &[0x33; 32]).unwrap();
6193        assert_eq!(crate::db::community::get_edition_head(&cid, &cid).unwrap().unwrap().0, 5, "in-epoch downgrade refused");
6194
6195        // Re-found: bump the community to epoch 1, then write the compacted GroupRoot genesis (v1 @ epoch 1).
6196        crate::db::community::advance_server_root_epoch(&cid, 1, &[0xEE; 32]).unwrap();
6197        crate::db::community::set_edition_head_with_id(&cid, &cid, 1, &[0x01; 32], &[0x01; 32]).unwrap();
6198        let (v, h) = crate::db::community::get_edition_head(&cid, &cid).unwrap().unwrap();
6199        assert_eq!((v, h), (1, [0x01; 32]), "epoch-1 v1 supersedes epoch-0 v5 (epoch-primary)");
6200        assert_eq!(
6201            crate::db::community::get_all_edition_heads_epoched(&cid).unwrap().get(&cid).map(|(e, v, _)| (*e, *v)),
6202            Some((1, 1)),
6203            "head now recorded at epoch 1",
6204        );
6205        // And within the NEW epoch, refuse-downgrade resumes: v1 holds, a re-presented v1 stays.
6206        crate::db::community::set_edition_head_with_id(&cid, &cid, 1, &[0xAA; 32], &[0x02; 32]).unwrap();
6207        assert_eq!(crate::db::community::get_edition_head(&cid, &cid).unwrap().unwrap().1, [0x01; 32], "same-epoch same-version is not an advance");
6208    }
6209
6210    /// T1 — Concord Convergence: two authorized editors edit from the same base, both produce v2 with
6211    /// different content. A client holding the LOSER (higher inner id) converges IN PLACE onto the
6212    /// deterministic winner (lower inner id) instead of clinging to its own — the live divergence bug.
6213    #[tokio::test]
6214    async fn same_version_fork_converges_to_the_lower_inner_id() {
6215        let (_tmp, _guard) = init_test_db();
6216        let relay = MemoryRelay::new();
6217        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6218        let cid = community.id.to_hex();
6219        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
6220        let (_, genesis_hash) = crate::db::community::get_edition_head(&cid, &cid).unwrap().unwrap();
6221
6222        let (out_a, ha, ida) = root_fork_v2(&owner, &community, "Alpha", 1000, &genesis_hash);
6223        let (out_b, hb, idb) = root_fork_v2(&owner, &community, "Bravo", 2000, &genesis_hash);
6224        // Winner = lower inner id; we hold the loser.
6225        let (win_name, win_h, win_id, lose_name, lose_h, lose_id) = if ida < idb {
6226            ("Alpha", ha, ida, "Bravo", hb, idb)
6227        } else {
6228            ("Bravo", hb, idb, "Alpha", ha, ida)
6229        };
6230        crate::db::community::set_edition_head_with_id(&cid, &cid, 2, &lose_h, &lose_id).unwrap();
6231        {
6232            let mut c = crate::db::community::load_community(&community.id).unwrap().unwrap();
6233            c.name = lose_name.into();
6234            crate::db::community::save_community(&c).unwrap();
6235        }
6236        relay.inject(&out_a, &community.relays);
6237        relay.inject(&out_b, &community.relays);
6238
6239        fetch_and_apply_metadata(&relay, &community).await.unwrap();
6240        let after = crate::db::community::load_community(&community.id).unwrap().unwrap();
6241        assert_eq!(after.name, win_name, "converged on the lower-inner-id winner, not our own held fork");
6242        assert_eq!(crate::db::community::get_edition_head(&cid, &cid).unwrap().unwrap(), (2, win_h), "head self_hash converged at the SAME version");
6243        assert_eq!(crate::db::community::get_edition_head_inner_id(&cid, &cid).unwrap(), Some(win_id), "head inner_id moved to the winner");
6244
6245        // Flip-flop-proof: holding the winner, a second pass seeing both forks keeps the winner.
6246        fetch_and_apply_metadata(&relay, &community).await.unwrap();
6247        assert_eq!(crate::db::community::load_community(&community.id).unwrap().unwrap().name, win_name, "no flip back to the higher-id fork");
6248    }
6249
6250    /// T2 — the converged head feeds the next edit: v3 chains prev_hash from the CONVERGED winner, so a
6251    /// fresh fold reaches v3 contiguously (no re-fork). Guards the silent same-version no-op trap (B2/B5).
6252    #[tokio::test]
6253    async fn converged_head_chains_the_next_edit_without_reforking() {
6254        let (_tmp, _guard) = init_test_db();
6255        let relay = MemoryRelay::new();
6256        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6257        let cid = community.id.to_hex();
6258        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
6259        let (_, genesis_hash) = crate::db::community::get_edition_head(&cid, &cid).unwrap().unwrap();
6260
6261        let (out_a, ha, ida) = root_fork_v2(&owner, &community, "Alpha", 1000, &genesis_hash);
6262        let (out_b, hb, idb) = root_fork_v2(&owner, &community, "Bravo", 2000, &genesis_hash);
6263        let (lose_h, lose_id) = if ida < idb { (hb, idb) } else { (ha, ida) };
6264        crate::db::community::set_edition_head_with_id(&cid, &cid, 2, &lose_h, &lose_id).unwrap();
6265        relay.inject(&out_a, &community.relays);
6266        relay.inject(&out_b, &community.relays);
6267        fetch_and_apply_metadata(&relay, &community).await.unwrap();
6268        assert_eq!(crate::db::community::get_edition_head(&cid, &cid).unwrap().unwrap().0, 2, "converged at v2");
6269
6270        let mut c = crate::db::community::load_community(&community.id).unwrap().unwrap();
6271        c.name = "Third".into();
6272        republish_community_metadata(&relay, &c).await.unwrap();
6273        assert_eq!(crate::db::community::get_edition_head(&cid, &cid).unwrap().unwrap().0, 3, "advanced to v3 off the converged head");
6274
6275        let empty: std::collections::HashMap<String, (u64, [u8; 32])> = std::collections::HashMap::new();
6276        let folded = crate::community::roster::fold_roster(&fetch_control_inners(&relay, &community).await, &community.id, &empty);
6277        assert_eq!(folded.root_head.as_ref().map(|h| h.version), Some(3), "a fresh fold reaches v3");
6278        assert!(!folded.gapped_entities.contains(&community.id.0), "the chain is contiguous genesis -> winner -> v3");
6279    }
6280
6281    /// T3 — authority gate runs BEFORE the tiebreak: an UNAUTHORIZED same-version edition loses even with
6282    /// the lowest inner id. We apply the authorized edition, never the forgery that sorts first.
6283    #[tokio::test]
6284    async fn same_version_fork_excludes_an_unauthorized_lower_id_edition() {
6285        let (_tmp, _guard) = init_test_db();
6286        let relay = MemoryRelay::new();
6287        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6288        let cid = community.id.to_hex();
6289        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
6290        let (_, genesis_hash) = crate::db::community::get_edition_head(&cid, &cid).unwrap().unwrap();
6291
6292        let (owner_out, owner_h, owner_id) = root_fork_v2(&owner, &community, "Legit", 1000, &genesis_hash);
6293        // Grind mallory's created_at until her forgery sorts FIRST author-blind (lower inner id).
6294        let mallory = Keys::generate();
6295        let (mal_out, mal_id) = {
6296            let mut chosen = None;
6297            for t in 1..=10_000u64 {
6298                let cand = root_fork_v2(&mallory, &community, "Forged", t, &genesis_hash);
6299                if cand.2 < owner_id { chosen = Some((cand.0, cand.2)); break; }
6300            }
6301            chosen.expect("a mallory edition with a lower inner id")
6302        };
6303        assert!(mal_id < owner_id, "premise: the forgery sorts first author-blind");
6304        relay.inject(&owner_out, &community.relays);
6305        relay.inject(&mal_out, &community.relays);
6306
6307        // Floor stays at genesis v1, so the consumer must CHOOSE among the v2 candidates.
6308        fetch_and_apply_metadata(&relay, &community).await.unwrap();
6309        let after = crate::db::community::load_community(&community.id).unwrap().unwrap();
6310        assert_eq!(after.name, "Legit", "the forgery never wins despite a lower inner id");
6311        assert_eq!(crate::db::community::get_edition_head(&cid, &cid).unwrap().unwrap(), (2, owner_h), "the authorized edition is the head");
6312    }
6313
6314    /// T4 — the convergence exemption is DISPLAY-ONLY: a same-version fork on an authority record
6315    /// (banlist) where we hold the higher-id edition stays QUARANTINED (gapped, not folded). Converging
6316    /// authority off a withheld view would be a relay-choosable censorship lever, so it fails closed.
6317    #[tokio::test]
6318    async fn same_version_fork_on_an_authority_record_fails_closed() {
6319        let (_tmp, _guard) = init_test_db();
6320        let relay = MemoryRelay::new();
6321        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6322        let cid = community.id.to_hex();
6323        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
6324        let bl_eid = crate::community::derive::banlist_locator(&community.id);
6325        let bl_hex = crate::simd::hex::bytes_to_hex_32(&bl_eid);
6326
6327        let prev = [0x99u8; 32]; // both v2 forks cite the same (held) v1; the ==floor anchor checks self_hash
6328        let build_ban = |list: &[String], created: u64| {
6329            let inner = crate::community::roster::build_banlist_edition(&owner, &community.id, list, 2, Some(&prev), created, None).unwrap();
6330            let self_hash = crate::community::version::edition_hash(&bl_eid, 2, Some(&prev), inner.content.as_bytes());
6331            let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
6332            (outer, self_hash, inner.id.to_bytes())
6333        };
6334        let (out_a, ha, ida) = build_ban(&["aa".repeat(32)], 1000);
6335        let (out_b, hb, idb) = build_ban(&["bb".repeat(32)], 2000);
6336        // Hold the higher-id edition → the fold's winner (lower id) differs → adopting it would require a
6337        // same-version swap, which an authority record must REFUSE.
6338        let (lose_h, lose_id) = if ida < idb { (hb, idb) } else { (ha, ida) };
6339        crate::db::community::set_edition_head_with_id(&cid, &bl_hex, 2, &lose_h, &lose_id).unwrap();
6340        relay.inject(&out_a, &community.relays);
6341        relay.inject(&out_b, &community.relays);
6342
6343        let floors = crate::db::community::get_all_edition_heads(&cid).unwrap();
6344        let folded = crate::community::roster::fold_roster(&fetch_control_inners(&relay, &community).await, &community.id, &floors);
6345        assert!(folded.gapped_entities.contains(&bl_eid), "the authority-record fork is quarantined");
6346        assert!(folded.banlist_head.is_none() && folded.banlist_author.is_none(), "no banlist folded off the withheld view");
6347    }
6348
6349    #[tokio::test]
6350    async fn editions_sign_through_the_active_client_signer() {
6351        // The bunker code path: with a NOSTR_CLIENT signer installed, authority editions sign through
6352        // `client.signer()` (the same route a NIP-46 bunker takes) rather than the local-vault fallback.
6353        // Proven end-to-end: create a community while the client signer is active, then fold + authorize
6354        // its genesis (the owner attestation must verify → the editions were signed by the right identity).
6355        let (_tmp, _guard) = init_test_db();
6356        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
6357        crate::state::set_nostr_client(nostr_sdk::Client::builder().signer(owner.clone()).build());
6358
6359        let relay = MemoryRelay::new();
6360        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6361        let cid = community.id.to_hex();
6362
6363        // A banlist edition (a non-genesis authority action) also signs via the client path + folds.
6364        publish_banlist(&relay, &community, &["dd".repeat(32)]).await.unwrap();
6365        let floors = crate::db::community::get_all_edition_heads(&cid).unwrap();
6366        let folded = crate::community::roster::fold_roster(
6367            &fetch_control_inners(&relay, &community).await, &community.id, &floors);
6368        assert_eq!(folded.banlist_author, Some(owner.public_key()), "banlist signed by the client signer");
6369        assert!(folded.root_author.is_some(), "genesis GroupRoot folded");
6370        let _ = crate::state::take_nostr_client();
6371    }
6372
6373    /// Fetch + open the control-plane inner editions for a community (epoch 0) — test helper.
6374    async fn fetch_control_inners(relay: &MemoryRelay, community: &Community) -> Vec<Event> {
6375        let z = crate::community::roster::control_pseudonym(&community.server_root_key, &community.id, crate::community::Epoch(0));
6376        let query = Query { kinds: vec![event_kind::COMMUNITY_CONTROL], z_tags: vec![z], ..Default::default() };
6377        let mut out = Vec::new();
6378        for ev in relay.fetch(&query, &community.relays).await.unwrap() {
6379            if let Ok(inner) = crate::community::roster::open_control_edition(&ev, &community.server_root_key) {
6380                out.push(inner);
6381            }
6382        }
6383        out
6384    }
6385
6386    /// Drop the local secret key while keeping a client signer + the public key — the test shape of a
6387    /// NIP-46 bunker account (signs remotely, no raw local key for ECDH rekeys).
6388    fn simulate_bunker(owner: &Keys) {
6389        crate::state::set_nostr_client(nostr_sdk::Client::builder().signer(owner.clone()).build());
6390        crate::state::MY_SECRET_KEY.clear(&[]);
6391        assert!(crate::state::MY_SECRET_KEY.to_keys().is_none(), "bunker sim: no local key");
6392    }
6393
6394    #[tokio::test]
6395    async fn am_i_banned_detects_own_npub_in_banlist() {
6396        // The ban self-remove signal: `am_i_banned` is true iff the local npub is in the folded banlist.
6397        let (_tmp, _guard) = init_test_db();
6398        let relay = MemoryRelay::new();
6399        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6400        let me = crate::state::MY_SECRET_KEY.to_keys().unwrap().public_key().to_hex();
6401        let cid = community.id.to_hex();
6402        assert!(!am_i_banned(&community), "not banned on a fresh community");
6403        // Inject ourselves into the cached banlist (the fold would do this from a real edition).
6404        crate::db::community::set_community_banlist(&cid, &[me], 1).unwrap();
6405        assert!(am_i_banned(&community), "own npub in the banlist → banned → self-remove");
6406        crate::db::community::set_community_banlist(&cid, &[], 2).unwrap();
6407        assert!(!am_i_banned(&community), "cleared banlist → not banned");
6408    }
6409
6410    #[tokio::test]
6411    async fn bunker_owner_cannot_ban_in_private_community() {
6412        // Fail-fast: a private-community ban needs a read-cut rekey, which a bunker account can't do. It
6413        // must refuse BEFORE publishing — no "banned but still readable" half-state.
6414        let (_tmp, _guard) = init_test_db();
6415        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
6416        let relay = MemoryRelay::new();
6417        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6418        simulate_bunker(&owner);
6419
6420        let victim = "cc".repeat(32);
6421        let err = publish_banlist(&relay, &community, &[victim]).await.unwrap_err();
6422        assert!(err.contains("private community") && err.contains("bunker"), "clear bunker explanation: {err}");
6423        assert!(
6424            crate::db::community::get_community_banlist(&community.id.to_hex()).unwrap().is_empty(),
6425            "the ban must NOT half-apply (nothing published or persisted)"
6426        );
6427        let _ = crate::state::take_nostr_client();
6428    }
6429
6430    #[tokio::test]
6431    async fn bunker_owner_can_ban_in_public_community() {
6432        // A PUBLIC ban doesn't rekey (anti-memberlist), so a bunker account CAN ban — the guard must not
6433        // over-block. (Mint a link → Public, then ban as a bunker.)
6434        let (_tmp, _guard) = init_test_db();
6435        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
6436        let relay = MemoryRelay::new();
6437        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6438        create_public_invite(&relay, &community, None, None).await.unwrap();
6439        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
6440        assert!(is_public(&community).unwrap(), "minting a link made it Public");
6441        simulate_bunker(&owner);
6442
6443        let victim = "cc".repeat(32);
6444        publish_banlist(&relay, &community, &[victim.clone()]).await.unwrap();
6445        assert_eq!(
6446            crate::db::community::get_community_banlist(&community.id.to_hex()).unwrap(),
6447            vec![victim],
6448            "a public ban from a bunker account succeeds (no rekey needed)"
6449        );
6450        let _ = crate::state::take_nostr_client();
6451    }
6452
6453    #[tokio::test]
6454    async fn bunker_owner_cannot_privatize() {
6455        // Fail-fast: revoking the LAST link privatizes → re-founding rekey, which a bunker can't do. Must
6456        // refuse before publishing, leaving the community Public (no half-apply).
6457        let (_tmp, _guard) = init_test_db();
6458        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
6459        let relay = MemoryRelay::new();
6460        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6461        let (token, _) = create_public_invite(&relay, &community, None, None).await.unwrap();
6462        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
6463        simulate_bunker(&owner);
6464
6465        let err = revoke_public_invite(&relay, &community, &crate::simd::hex::hex_to_bytes_32(&token)).await.unwrap_err();
6466        assert!(err.contains("private") && err.contains("bunker"), "clear bunker explanation: {err}");
6467        let after = crate::db::community::load_community(&community.id).unwrap().unwrap();
6468        assert!(is_public(&after).unwrap(), "the revoke must NOT half-apply — community stays Public");
6469        let _ = crate::state::take_nostr_client();
6470    }
6471
6472    #[tokio::test]
6473    async fn non_owner_admin_can_edit_community_metadata() {
6474        // The "no hardcoding" crux: a NON-OWNER member granted the Admin role (which carries
6475        // MANAGE_METADATA) can move the community's display, verified purely by the folded roster — not a
6476        // hardcoded owner check.
6477        let (_tmp, _guard) = init_test_db();
6478        let relay = MemoryRelay::new();
6479        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6480        let cid = community.id.to_hex();
6481        let (_, genesis_hash) = crate::db::community::get_edition_head(&cid, &cid).unwrap().unwrap();
6482
6483        // Owner grants `admin` the Admin role (publishes the grant edition to the relay).
6484        let admin = Keys::generate();
6485        let admin_role_id = crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
6486        set_member_grant(&relay, &community, &admin.public_key().to_hex(), vec![admin_role_id]).await.unwrap();
6487
6488        // `admin` (NOT the owner) publishes a GroupRoot v2 renaming the community.
6489        let mut edited = crate::community::metadata::CommunityMetadata::of(&community);
6490        edited.name = "Admin Renamed".into();
6491        let inner = crate::community::roster::build_community_root_edition(&admin, &community.id, &edited, 2, Some(&genesis_hash), 7000, None).unwrap();
6492        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
6493        relay.inject(&outer, &community.relays);
6494
6495        fetch_and_apply_metadata(&relay, &community).await.unwrap();
6496        let after = crate::db::community::load_community(&community.id).unwrap().unwrap();
6497        assert_eq!(after.name, "Admin Renamed", "a MANAGE_METADATA admin (not the owner) can edit metadata");
6498    }
6499
6500    #[tokio::test]
6501    async fn banning_an_admin_revokes_their_role() {
6502        // Removal strips authority: a banned admin's grant must NOT dangle — else unban silently restores
6503        // admin and the roster keeps listing a non-member as admin. Public community isolates the role-strip
6504        // from the read-cut.
6505        let (_tmp, _guard) = init_test_db();
6506        let relay = MemoryRelay::new();
6507        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6508        let cid = community.id.to_hex();
6509        create_public_invite(&relay, &community, None, None).await.unwrap();
6510        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
6511
6512        let alice = Keys::generate();
6513        let alice_hex = alice.public_key().to_hex();
6514        let admin_role_id = crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
6515        set_member_grant(&relay, &community, &alice_hex, vec![admin_role_id]).await.unwrap();
6516        let holds_role = |hex: &str| crate::db::community::get_community_roles(&cid).unwrap()
6517            .grants.iter().any(|g| g.member == hex && !g.role_ids.is_empty());
6518        assert!(holds_role(&alice_hex), "alice is admin pre-ban");
6519
6520        publish_banlist(&relay, &community, &[alice_hex.clone()]).await.unwrap();
6521        assert!(!holds_role(&alice_hex), "banning an admin revokes their role — no dangling grant");
6522    }
6523
6524    #[tokio::test]
6525    async fn kicking_an_admin_revokes_their_role() {
6526        // Same removal-strips-authority rule for the soft tier: a kicked admin who rejoins (fresh invite)
6527        // must NOT be silently still-admin.
6528        let (_tmp, _guard) = init_test_db();
6529        let relay = MemoryRelay::new();
6530        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6531        let cid = community.id.to_hex();
6532        let alice = Keys::generate();
6533        let alice_hex = alice.public_key().to_hex();
6534        let admin_role_id = crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
6535        set_member_grant(&relay, &community, &alice_hex, vec![admin_role_id]).await.unwrap();
6536        let holds_role = |hex: &str| crate::db::community::get_community_roles(&cid).unwrap()
6537            .grants.iter().any(|g| g.member == hex && !g.role_ids.is_empty());
6538        assert!(holds_role(&alice_hex), "alice is admin pre-kick");
6539
6540        publish_kick(&relay, &community, &community.channels[0], &alice_hex).await.unwrap();
6541        assert!(!holds_role(&alice_hex), "kicking an admin revokes their role");
6542    }
6543
6544    #[tokio::test]
6545    async fn republish_channel_metadata_renames_and_publishes() {
6546        // The producer (the write side the consumer test was missing): renaming via
6547        // `republish_channel_metadata` updates the local channel AND advances the channel head.
6548        let (_tmp, _guard) = init_test_db();
6549        let relay = MemoryRelay::new();
6550        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6551        let cid = community.id.to_hex();
6552        let channel = community.channels[0].clone();
6553        let ch_hex = channel.id.to_hex();
6554
6555        republish_channel_metadata(&relay, &community, &channel.id, "lobby").await.unwrap();
6556        let after = crate::db::community::load_community(&community.id).unwrap().unwrap();
6557        assert_eq!(after.channels[0].name, "lobby", "the producer renamed the channel locally");
6558        assert_eq!(crate::db::community::get_edition_head(&cid, &ch_hex).unwrap().unwrap().0, 2, "channel head advanced");
6559    }
6560
6561    #[tokio::test]
6562    async fn revoking_the_last_link_privatizes_and_rotates_the_base() {
6563        // The privatize trigger: minting links flips the computed mode to Public WITHOUT rotating;
6564        // revoking a non-last link stays Public, no rotation; revoking the LAST link flips to Private AND
6565        // re-founds the community (rotate the base/server-root to the observed participants → epoch bump),
6566        // sealing out link-joined lurkers.
6567        let (_tmp, _guard) = init_test_db();
6568        let relay = MemoryRelay::new();
6569        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6570        assert!(!is_public(&community).unwrap(), "a fresh community is Private");
6571        assert_eq!(community.server_root_epoch, crate::community::Epoch(0));
6572
6573        // Mint two links → Public, base NOT rotated.
6574        let (t1, _) = create_public_invite(&relay, &community, None, None).await.unwrap();
6575        let (t2, _) = create_public_invite(&relay, &community, None, None).await.unwrap();
6576        let c = crate::db::community::load_community(&community.id).unwrap().unwrap();
6577        assert!(is_public(&c).unwrap(), "minting a link flips the mode to Public");
6578        assert_eq!(c.server_root_epoch, crate::community::Epoch(0), "minting links does NOT rotate the base");
6579
6580        // Revoke the first of two → one link remains → still Public, still no rotation.
6581        revoke_public_invite(&relay, &c, &crate::simd::hex::hex_to_bytes_32(&t1)).await.unwrap();
6582        let c = crate::db::community::load_community(&community.id).unwrap().unwrap();
6583        assert!(is_public(&c).unwrap(), "one link remains → still Public");
6584        assert_eq!(c.server_root_epoch, crate::community::Epoch(0), "revoking a non-last link does NOT rotate");
6585
6586        // Revoke the LAST link → Private + base rotated (re-founding).
6587        revoke_public_invite(&relay, &c, &crate::simd::hex::hex_to_bytes_32(&t2)).await.unwrap();
6588        let c = crate::db::community::load_community(&community.id).unwrap().unwrap();
6589        assert!(!is_public(&c).unwrap(), "revoking the last link flips to Private");
6590        assert_eq!(c.server_root_epoch, crate::community::Epoch(1), "privatize re-founded: the base key rotated");
6591
6592        // Idempotency: re-revoking the already-gone token must NOT re-found again (no second epoch
6593        // bump) — privatize fires only on a genuine Public→Private transition (`had_links`).
6594        revoke_public_invite(&relay, &c, &crate::simd::hex::hex_to_bytes_32(&t2)).await.unwrap();
6595        let c = crate::db::community::load_community(&community.id).unwrap().unwrap();
6596        assert_eq!(c.server_root_epoch, crate::community::Epoch(1), "a no-op re-revoke does not double-rotate");
6597    }
6598
6599    #[tokio::test]
6600    async fn private_ban_reseals_base_public_ban_does_not() {
6601        // rekey-on-removal: banning in a PRIVATE community re-seals the base (epoch bump → the banned
6602        // member's read access is cut); in a PUBLIC community the base is NOT rotated (anti-memberlist).
6603        let (_tmp, _guard) = init_test_db();
6604        let relay = MemoryRelay::new();
6605        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6606        let victim = "cc".repeat(32);
6607
6608        // PRIVATE (no links) → banning rotates the base.
6609        assert!(!is_public(&community).unwrap(), "fresh community is Private");
6610        publish_banlist(&relay, &community, &[victim.clone()]).await.unwrap();
6611        let c = crate::db::community::load_community(&community.id).unwrap().unwrap();
6612        assert_eq!(c.server_root_epoch, crate::community::Epoch(1), "a private-community ban re-seals the base");
6613
6614        // Go PUBLIC (mint a link), then ban another member → the base must NOT rotate again.
6615        create_public_invite(&relay, &c, None, None).await.unwrap();
6616        let c = crate::db::community::load_community(&community.id).unwrap().unwrap();
6617        assert!(is_public(&c).unwrap(), "minted a link → Public");
6618        publish_banlist(&relay, &c, &[victim.clone(), "dd".repeat(32)]).await.unwrap();
6619        let c2 = crate::db::community::load_community(&community.id).unwrap().unwrap();
6620        assert_eq!(c2.server_root_epoch, crate::community::Epoch(1), "a public-community ban does NOT rotate the base");
6621    }
6622
6623    #[tokio::test]
6624    async fn private_ban_seals_the_banned_member_out_of_the_new_root() {
6625        // rekey-on-removal SECURITY crux: a banned member must be EXCLUDED from the re-seal
6626        // recipient set so they CANNOT recover the new root — read access actually cut, not just epoch
6627        // bumped. Exercises the banlist(hex)→activity(bech32) reconciliation AND the persist-before-reseal
6628        // ordering end-to-end. The existing ban tests assert the epoch bump but never that the victim is
6629        // sealed out — this is the assertion that matters.
6630        use crate::community::derive::{base_rekey_pseudonym, recipient_pseudonym};
6631        use crate::community::rekey::{open_rekey_event, rekey_pairwise_secret};
6632        use crate::types::Message;
6633        use nostr_sdk::ToBech32;
6634        let (_tmp, _guard) = init_test_db();
6635        let relay = MemoryRelay::new();
6636        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6637        let cid = community.id.to_hex();
6638        let genesis_root = *community.server_root_key.as_bytes();
6639        let channel_hex = community.channels[0].id.to_hex();
6640
6641        // The victim posts → observed participant (absent the ban, they'd BE a re-seal recipient).
6642        let victim = Keys::generate();
6643        let victim_b32 = victim.public_key().to_bech32().unwrap();
6644        let mut m = Message::default();
6645        m.id = "aa".repeat(32);
6646        m.npub = Some(victim_b32.clone());
6647        m.at = 1000;
6648        crate::db::events::save_message(&channel_hex, &m).await.unwrap();
6649        assert!(
6650            crate::db::community::community_member_activity(&cid).unwrap().iter().any(|(np, _)| np == &victim_b32),
6651            "victim is observed before the ban"
6652        );
6653
6654        // Ban the victim (private community) → re-seal at epoch 1.
6655        publish_banlist(&relay, &community, &[victim.public_key().to_hex()]).await.unwrap();
6656        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
6657        assert_eq!(reloaded.server_root_epoch, crate::community::Epoch(1), "private ban re-seals the base");
6658        assert!(
6659            !crate::db::community::community_member_activity(&cid).unwrap().iter().any(|(np, _)| np == &victim_b32),
6660            "the banned victim is no longer observed (banlist hex → bech32 reconciliation worked)"
6661        );
6662
6663        // The base rekey at epoch 1 must carry NO blob for the victim → they can't recover the new root.
6664        let addr = base_rekey_pseudonym(&crate::community::ServerRootKey(genesis_root), &community.id, crate::community::Epoch(1)).to_hex();
6665        let found = relay
6666            .fetch(&Query { kinds: vec![event_kind::COMMUNITY_REKEY], z_tags: vec![addr], ..Default::default() }, &community.relays)
6667            .await
6668            .unwrap();
6669        assert_eq!(found.len(), 1, "the base rekey is published");
6670        let parsed = open_rekey_event(&found[0], &genesis_root).unwrap();
6671        let secret = rekey_pairwise_secret(victim.secret_key(), &parsed.rotator).unwrap();
6672        let loc = recipient_pseudonym(&secret, parsed.scope, parsed.new_epoch).to_hex();
6673        assert!(
6674            parsed.blobs.iter().all(|b| b.locator != loc),
6675            "the BANNED victim has NO blob — sealed OUT of the new root (read access is actually cut)"
6676        );
6677    }
6678
6679    /// A relay that simulates an account swap MID-PUBLISH: it bumps the session generation inside
6680    /// publish/publish_durable, so a `SessionGuard` captured before the call is invalid by the time the
6681    /// caller re-checks after the await. The actual store delegates to an inner MemoryRelay.
6682    struct SwapDuringPublishRelay {
6683        inner: MemoryRelay,
6684    }
6685    #[async_trait::async_trait]
6686    impl Transport for SwapDuringPublishRelay {
6687        async fn publish(&self, event: &Event, relays: &[String]) -> Result<(), String> {
6688            crate::state::bump_session_generation();
6689            self.inner.publish(event, relays).await
6690        }
6691        async fn publish_durable(&self, event: &Event, relays: &[String]) -> Result<(), String> {
6692            crate::state::bump_session_generation();
6693            self.inner.publish_durable(event, relays).await
6694        }
6695        async fn fetch(&self, query: &Query, relays: &[String]) -> Result<Vec<Event>, String> {
6696            self.inner.fetch(query, relays).await
6697        }
6698    }
6699
6700    /// A write straddling I/O re-checks the session: a swap bumps the
6701    /// generation DURING `set_member_grant`'s publish. The edition is published under account A, but the
6702    /// post-await `is_valid()` gate must SKIP the local persist, so account B's DB is never written.
6703    #[tokio::test]
6704    async fn account_swap_during_grant_publish_skips_the_local_persist() {
6705        let (_tmp, _guard) = init_test_db();
6706        let setup = MemoryRelay::new();
6707        let community = create_community(&setup, "HQ", "general", vec!["r1".into()]).await.unwrap();
6708        let cid = community.id.to_hex();
6709        let member = "cc".repeat(32);
6710        let entity_hex = crate::simd::hex::bytes_to_hex_32(
6711            &crate::community::derive::grant_locator(&community.id, &crate::simd::hex::hex_to_bytes_32(&member)));
6712        assert!(crate::db::community::get_edition_head(&cid, &entity_hex).unwrap().is_none(), "no grant head yet");
6713
6714        let swap = SwapDuringPublishRelay { inner: MemoryRelay::new() };
6715        set_member_grant(&swap, &community, &member, vec!["a".repeat(64)]).await.unwrap();
6716
6717        assert!(
6718            crate::db::community::get_edition_head(&cid, &entity_hex).unwrap().is_none(),
6719            "session straddled a swap → persist skipped → no local grant head (account B uncorrupted)"
6720        );
6721    }
6722
6723    /// A swap during `publish_banlist`'s publish must leave NO half-applied state — the banlist isn't
6724    /// persisted, the private-community base isn't rotated, and `read_cut_pending` isn't flipped (every step
6725    /// gates on `is_valid()`). No ban half-lands in the wrong account.
6726    #[tokio::test]
6727    async fn account_swap_during_ban_publish_applies_nothing_locally() {
6728        let (_tmp, _guard) = init_test_db();
6729        let setup = MemoryRelay::new();
6730        let community = create_community(&setup, "HQ", "general", vec!["r1".into()]).await.unwrap();
6731        let cid = community.id.to_hex();
6732        assert!(!is_public(&community).unwrap(), "fresh community is Private (a ban would normally re-seal)");
6733
6734        let swap = SwapDuringPublishRelay { inner: MemoryRelay::new() };
6735        publish_banlist(&swap, &community, &["cc".repeat(32)]).await.unwrap();
6736
6737        assert!(crate::db::community::get_community_banlist(&cid).unwrap().is_empty(),
6738            "banlist persist skipped on the stale session");
6739        assert_eq!(crate::db::community::load_community(&community.id).unwrap().unwrap().server_root_epoch,
6740            crate::community::Epoch(0), "no read-cut re-seal → base NOT rotated into the wrong account");
6741        assert!(!crate::db::community::get_read_cut_pending(&cid).unwrap(),
6742            "read_cut_pending untouched (need_cut requires is_valid())");
6743    }
6744
6745    /// `swap_session` leaves no cross-account residue — STATE and the key vaults are
6746    /// cleared, so account B can't inherit account A's chats/keys.
6747    #[tokio::test]
6748    async fn swap_session_clears_per_account_state_and_keys() {
6749        let (_tmp, _guard) = init_test_db();
6750        {
6751            let mut st = crate::state::STATE.lock().await;
6752            st.db_loaded = true;
6753            st.is_syncing = true;
6754        }
6755        assert!(crate::state::MY_SECRET_KEY.has_key(), "account A holds a live key");
6756
6757        crate::VectorCore.swap_session().await;
6758
6759        let st = crate::state::STATE.lock().await;
6760        assert!(st.chats.is_empty() && st.profiles.is_empty(), "STATE chats/profiles cleared on swap");
6761        assert!(!st.db_loaded && !st.is_syncing, "db_loaded / is_syncing reset");
6762        assert!(!crate::state::MY_SECRET_KEY.has_key(), "key vault cleared — no leak into account B");
6763    }
6764
6765    /// A clean join PERSISTS the community up front (so the catch-up/fold can read it
6766    /// back) and registers the channel as a chat. Without the up-front save, the fold's load returns None
6767    /// and nothing persists.
6768    #[tokio::test]
6769    async fn join_finalization_persists_and_registers_the_channel() {
6770        let (_tmp, _guard) = init_test_db();
6771        crate::state::STATE.lock().await.chats.clear(); // drop any residue from a prior serialized test
6772        let relay = MemoryRelay::new();
6773        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6774        // A different identity joins.
6775        become_local(&Keys::generate());
6776
6777        crate::VectorCore.finalize_member_join(community.clone(), &relay, None).await.unwrap();
6778
6779        assert!(crate::db::community::load_community(&community.id).unwrap().is_some(), "community persisted on join");
6780        assert!(!crate::state::STATE.lock().await.chats.is_empty(), "the channel is registered as a chat");
6781    }
6782
6783    /// If the folded banlist names the joiner, `am_i_banned` fires and the
6784    /// just-saved community is torn back DOWN, the join returns Err, and — since the presence beacon publish
6785    /// is AFTER the ban check — no phantom join is announced. No orphaned community row is left behind.
6786    #[tokio::test]
6787    async fn join_finalization_tears_down_a_banned_joiner() {
6788        let (_tmp, _guard) = init_test_db();
6789        let relay = MemoryRelay::new();
6790        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6791        // Go Public (mint a link) so the ban is anti-memberlist and does NOT rotate the base.
6792        create_public_invite(&relay, &community, None, None).await.unwrap();
6793        let community = crate::db::community::load_community(&community.id).unwrap().unwrap();
6794
6795        // Ban a would-be joiner, then become them.
6796        let joiner = Keys::generate();
6797        publish_banlist(&relay, &community, &[joiner.public_key().to_hex()]).await.unwrap();
6798        become_local(&joiner);
6799        assert!(crate::db::community::load_community(&community.id).unwrap().is_some(), "community present pre-join");
6800
6801        let result = crate::VectorCore.finalize_member_join(community.clone(), &relay, None).await;
6802        assert!(result.is_err(), "a banned joiner's finalize must fail");
6803        assert!(result.unwrap_err().to_string().contains("banned"), "the error names the ban");
6804        assert!(
6805            crate::db::community::load_community(&community.id).unwrap().is_none(),
6806            "the just-saved community is torn back down — no orphaned row for a banned joiner"
6807        );
6808    }
6809
6810    /// `delete_community` must wipe EVERY community-scoped table — a missed one leaves authority/key
6811    /// residue a leave/re-join would fold. Populates all six scoped tables (+ the denormalized banlist),
6812    /// deletes, asserts each is empty. `community_message_keys` is DELIBERATELY retained — those are our
6813    /// OWN send-side ephemeral signing keys, and the right to NIP-09-delete our own content from relays
6814    /// outlives membership (even after a ban/leave), so they must survive a community delete.
6815    #[tokio::test]
6816    async fn delete_community_wipes_every_community_scoped_table() {
6817        let (_tmp, _guard) = init_test_db();
6818        let relay = MemoryRelay::new();
6819        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6820        let cid = community.id.to_hex();
6821
6822        // Populate every community-scoped table.
6823        crate::db::community::store_epoch_key(&cid, crate::community::SERVER_ROOT_SCOPE_HEX, 1, &[0x11u8; 32]).unwrap();
6824        crate::db::community::save_public_invite("tok", &cid, "https://x/invite#y", None, None).unwrap();
6825        crate::db::community::save_pending_invite(&cid, "{}", "npub1inviter").unwrap();
6826        crate::db::community::set_edition_head(&cid, &cid, 1, &[0x22u8; 32]).unwrap();
6827        crate::db::community::set_community_banlist(&cid, &["cc".repeat(32)], 100).unwrap();
6828
6829        // Sanity — all populated before the delete.
6830        assert!(crate::db::community::community_exists(&community.id).unwrap());
6831        assert!(!crate::db::community::held_epoch_keys(&cid, crate::community::SERVER_ROOT_SCOPE_HEX).unwrap().is_empty());
6832        assert!(!crate::db::community::list_public_invites(&cid).unwrap().is_empty());
6833        assert!(crate::db::community::list_pending_invites().unwrap().iter().any(|p| p.community_id == cid));
6834        assert!(!crate::db::community::get_all_edition_heads(&cid).unwrap().is_empty());
6835        assert!(!crate::db::community::get_community_banlist(&cid).unwrap().is_empty());
6836
6837        crate::db::community::delete_community(&cid).unwrap();
6838
6839        // Every scoped table is empty for this community — no residue.
6840        assert!(!crate::db::community::community_exists(&community.id).unwrap(), "communities row gone");
6841        assert!(crate::db::community::load_community(&community.id).unwrap().is_none(), "community not loadable");
6842        assert!(crate::db::community::held_epoch_keys(&cid, crate::community::SERVER_ROOT_SCOPE_HEX).unwrap().is_empty(), "epoch keys wiped");
6843        assert!(crate::db::community::list_public_invites(&cid).unwrap().is_empty(), "public invites wiped");
6844        assert!(!crate::db::community::list_pending_invites().unwrap().iter().any(|p| p.community_id == cid), "pending invites wiped");
6845        assert!(crate::db::community::get_all_edition_heads(&cid).unwrap().is_empty(), "edition heads wiped");
6846        assert!(crate::db::community::get_community_banlist(&cid).unwrap().is_empty(), "banlist wiped with the channels");
6847    }
6848
6849    /// A hostile relay piles JUNK at the control coordinate — a kind-3308 event at the right `#z` but
6850    /// with garbage content (not sealed under the server root). `open_control_edition` fails to decrypt it,
6851    /// so it's dropped before the fold; the genuine genesis plane still folds. No panic, no corruption.
6852    #[tokio::test]
6853    async fn fetch_control_folded_skips_junk_injected_at_the_coordinate() {
6854        let (_tmp, _guard) = init_test_db();
6855        let relay = MemoryRelay::new();
6856        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6857        let owner_hex = crate::state::MY_SECRET_KEY.to_keys().unwrap().public_key().to_hex();
6858
6859        // Garbage 3308 at the real control pseudonym, ephemeral-signed (outers always are).
6860        let z = crate::community::roster::control_pseudonym(&community.server_root_key, &community.id, community.server_root_epoch);
6861        let junk = nostr_sdk::EventBuilder::new(nostr_sdk::Kind::Custom(event_kind::COMMUNITY_CONTROL), "not a sealed edition")
6862            .tags([nostr_sdk::Tag::custom(nostr_sdk::TagKind::Custom("z".into()), [z])])
6863            .sign_with_keys(&Keys::generate())
6864            .unwrap();
6865        relay.publish(&junk, &community.relays).await.unwrap();
6866
6867        let folded = fetch_control_folded(&relay, &community).await.unwrap();
6868        assert!(
6869            !crate::community::roster::authorize_delegation(&folded, Some(&owner_hex)).roles.is_empty(),
6870            "the genuine Admin role still folds; the un-openable junk is silently dropped"
6871        );
6872    }
6873
6874    /// Every relay is dead/empty. The fold returns an empty roster, never a panic — a member with no
6875    /// reachable relay degrades to "no view," not a crash.
6876    #[tokio::test]
6877    async fn fetch_control_folded_on_dead_relays_is_empty_not_a_panic() {
6878        let (_tmp, _guard) = init_test_db();
6879        let community = saved_community_owned_by(&Keys::generate());
6880        let folded = fetch_control_folded(&FailingRelay, &community).await.unwrap();
6881        assert!(folded.roles.roles.is_empty() && folded.root_meta.is_none(), "dead relays → empty fold, no panic");
6882    }
6883
6884    #[tokio::test]
6885    async fn successful_private_ban_leaves_no_read_cut_pending() {
6886        // The happy path leaves no outstanding read-cut: the re-seal succeeds, so the flag is cleared.
6887        let (_tmp, _guard) = init_test_db();
6888        let relay = MemoryRelay::new();
6889        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6890        let cid = community.id.to_hex();
6891        publish_banlist(&relay, &community, &["cc".repeat(32)]).await.unwrap();
6892        assert!(!crate::db::community::get_read_cut_pending(&cid).unwrap(), "a successful re-seal leaves no pending read-cut");
6893        let c = crate::db::community::load_community(&community.id).unwrap().unwrap();
6894        assert_eq!(c.server_root_epoch, crate::community::Epoch(1));
6895    }
6896
6897    #[tokio::test]
6898    async fn failed_reseal_sets_pending_then_sync_retry_recovers() {
6899        // The recoverability fix (closes the #5c-1 HIGH for the total-outage case): a private ban whose
6900        // read-cut re-seal FAILS (the base rekey can't reach relays) still applies the ban, marks
6901        // `read_cut_pending`, and propagates the error — then a later community sync retries the re-seal
6902        // and recovers (the banned member's read access is finally cut), with no manual re-ban.
6903        let (_tmp, _guard) = init_test_db();
6904        let relay = RekeyFailingRelay::new(); // the base rekey (3303) will fail; the banlist edition lands
6905        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6906        let cid = community.id.to_hex();
6907        let victim = "cc".repeat(32);
6908
6909        // The ban applies (banlist persisted) but the read-cut re-seal fails → Err + pending set, base not rotated.
6910        assert!(publish_banlist(&relay, &community, &[victim.clone()]).await.is_err(), "the re-seal's base rekey fails");
6911        assert!(crate::db::community::get_read_cut_pending(&cid).unwrap(), "a failed re-seal leaves read_cut_pending set");
6912        assert_eq!(crate::db::community::get_community_banlist(&cid).unwrap(), vec![victim.clone()], "the ban itself still applied");
6913        let c = crate::db::community::load_community(&community.id).unwrap().unwrap();
6914        assert_eq!(c.server_root_epoch, crate::community::Epoch(0), "base NOT rotated while the re-seal is pending");
6915
6916        // The relay recovers; the sync-path retry re-attempts the read-cut and succeeds.
6917        relay.allow_rekey();
6918        retry_pending_read_cut(&relay, &c).await.unwrap();
6919        assert!(!crate::db::community::get_read_cut_pending(&cid).unwrap(), "pending cleared after the retry succeeds");
6920        let c2 = crate::db::community::load_community(&community.id).unwrap().unwrap();
6921        assert_eq!(c2.server_root_epoch, crate::community::Epoch(1), "the read-cut finally rotated the base");
6922    }
6923
6924    #[tokio::test]
6925    async fn privatize_reseals_to_observed_participants_not_just_owner() {
6926        // Regression for the bech32-vs-hex recipient bug (B1): privatize must re-seal to the OBSERVED
6927        // participants (parsed from the events table's BECH32 npubs), not collapse to owner-only. Alice
6928        // posts → she's observed → after privatize she is a base-rekey recipient and recovers the new root.
6929        use crate::community::derive::{base_rekey_pseudonym, recipient_pseudonym};
6930        use crate::community::rekey::{open_rekey_blob, open_rekey_event, rekey_pairwise_secret};
6931        use crate::types::Message;
6932        use nostr_sdk::ToBech32;
6933        let (_tmp, _guard) = init_test_db();
6934        let relay = MemoryRelay::new();
6935        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6936        let cid = community.id.to_hex();
6937        let genesis_root = *community.server_root_key.as_bytes();
6938        let channel_hex = community.channels[0].id.to_hex();
6939
6940        // Alice posts in the channel → community_member_activity observes her (bech32 npub in events).
6941        let alice = Keys::generate();
6942        let alice_b32 = alice.public_key().to_bech32().unwrap();
6943        let mut m = Message::default();
6944        m.id = "aa".repeat(32);
6945        m.npub = Some(alice_b32.clone());
6946        m.at = 1000;
6947        crate::db::events::save_message(&channel_hex, &m).await.unwrap();
6948        assert!(
6949            crate::db::community::community_member_activity(&cid).unwrap().iter().any(|(np, _)| np == &alice_b32),
6950            "alice is an observed participant"
6951        );
6952
6953        // Mint a link → Public, then revoke it (last link) → privatize re-seals to {owner, alice}.
6954        let (token_hex, _) = create_public_invite(&relay, &community, None, None).await.unwrap();
6955        revoke_public_invite(&relay, &community, &crate::simd::hex::hex_to_bytes_32(&token_hex)).await.unwrap();
6956        let reloaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
6957        assert_eq!(reloaded.server_root_epoch, crate::community::Epoch(1), "privatize rotated the base");
6958
6959        // Alice MUST be a recipient of the base rekey → recovers the new root (with the B1 bug she'd be
6960        // sealed out, leaving only the owner).
6961        let addr = base_rekey_pseudonym(&crate::community::ServerRootKey(genesis_root), &community.id, crate::community::Epoch(1)).to_hex();
6962        let found = relay
6963            .fetch(&Query { kinds: vec![event_kind::COMMUNITY_REKEY], z_tags: vec![addr], ..Default::default() }, &community.relays)
6964            .await
6965            .unwrap();
6966        assert_eq!(found.len(), 1, "the base rekey is published");
6967        let parsed = open_rekey_event(&found[0], &genesis_root).unwrap();
6968        let secret = rekey_pairwise_secret(alice.secret_key(), &parsed.rotator).unwrap();
6969        let loc = recipient_pseudonym(&secret, parsed.scope, parsed.new_epoch).to_hex();
6970        let alice_blob = parsed.blobs.iter().find(|b| b.locator == loc).expect("alice's blob present (NOT sealed out)");
6971        let recovered = open_rekey_blob(alice.secret_key(), &parsed.rotator, parsed.scope, parsed.new_epoch, alice_blob).unwrap();
6972        assert_eq!(reloaded.server_root_key.as_bytes(), &recovered, "alice recovers the new root = owner's advanced base");
6973    }
6974
6975    #[tokio::test]
6976    async fn unpermissioned_invite_links_edition_is_rejected() {
6977        // authority: a creator's link edition counts only if they held CREATE_INVITE. A member without
6978        // it forging a link edition at their own coordinate (validly signed + version-shaped) is dropped
6979        // on fold — so an unpermissioned member can't flip the community Public.
6980        let (_tmp, _guard) = init_test_db();
6981        let relay = MemoryRelay::new();
6982        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
6983
6984        let mallory = Keys::generate();
6985        let loc = "2b".repeat(32);
6986        let inner = crate::community::roster::build_invite_links_edition(&mallory, &community.id, &[loc], 1, None, 1000, None).unwrap();
6987        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
6988        relay.inject(&outer, &community.relays);
6989
6990        let applied = fetch_and_apply_invite_links(&relay, &community).await.unwrap();
6991        assert!(applied.is_empty(), "an unpermissioned member's link edition is rejected");
6992        assert!(!is_public(&community).unwrap(), "mode stays Private despite the forged edition");
6993    }
6994
6995    #[tokio::test]
6996    async fn invite_links_union_across_authorized_creators() {
6997        // per-creator: the owner AND a granted admin (both hold CREATE_INVITE) each publish their OWN
6998        // link edition; the fold UNIONS both authorized creators' locators into the aggregate. Proves
6999        // multiple creators + non-owner authorization (no shared registry, no MANAGE_INVITES).
7000        let (_tmp, _guard) = init_test_db();
7001        let relay = MemoryRelay::new();
7002        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
7003        let cid = community.id.to_hex();
7004
7005        // Owner mints a link → their own per-creator edition.
7006        create_public_invite(&relay, &community, None, None).await.unwrap();
7007        let owner_loc = public_invite::locator_hex(&crate::simd::hex::hex_to_bytes_32(
7008            &crate::db::community::list_public_invites(&cid).unwrap()[0].token));
7009
7010        // Grant `admin` the Admin role (carries CREATE_INVITE), then inject THEIR own link edition.
7011        let admin = Keys::generate();
7012        let admin_role_id = crate::db::community::get_community_roles(&cid).unwrap().roles[0].role_id.clone();
7013        set_member_grant(&relay, &community, &admin.public_key().to_hex(), vec![admin_role_id]).await.unwrap();
7014        let admin_loc = "ab".repeat(32);
7015        let inner = crate::community::roster::build_invite_links_edition(&admin, &community.id, &[admin_loc.clone()], 1, None, 2000, None).unwrap();
7016        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, crate::community::Epoch(0)).unwrap();
7017        relay.inject(&outer, &community.relays);
7018
7019        let agg = fetch_and_apply_invite_links(&relay, &community).await.unwrap();
7020        assert!(agg.contains(&owner_loc), "owner's link in the aggregate");
7021        assert!(agg.contains(&admin_loc), "the granted admin's link unions in too");
7022        assert!(is_public(&community).unwrap());
7023
7024        // B1: the owner revoking THEIR link must NOT privatize — the admin's link keeps it Public. The
7025        // revoke refreshes the aggregate from the relay first, so it sees the admin's still-live link even
7026        // if the local cache were stale. Base epoch stays 0 (no re-founding rekey).
7027        let c = crate::db::community::load_community(&community.id).unwrap().unwrap();
7028        let owner_token = crate::db::community::list_public_invites(&cid).unwrap()[0].token.clone();
7029        revoke_public_invite(&relay, &c, &crate::simd::hex::hex_to_bytes_32(&owner_token)).await.unwrap();
7030        let c = crate::db::community::load_community(&community.id).unwrap().unwrap();
7031        assert_eq!(c.server_root_epoch, crate::community::Epoch(0), "another creator's link remains → no privatize rekey");
7032        assert!(is_public(&c).unwrap(), "still Public (admin's link is live)");
7033    }
7034
7035    #[tokio::test]
7036    async fn failed_banlist_publish_does_not_persist_locally() {
7037        // Rollback honesty: if the ban edition never reaches relays, our local banlist must stay
7038        // untouched — else we'd one-sidedly drop a member's messages the rest of the community sees.
7039        let (_tmp, _guard) = init_test_db();
7040        let relay = MemoryRelay::new();
7041        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
7042        let id_hex = community.id.to_hex();
7043        assert!(crate::db::community::get_community_banlist(&id_hex).unwrap().is_empty());
7044
7045        let victim = "cc".repeat(32);
7046        let err = publish_banlist(&FailingRelay, &community, &[victim]).await;
7047        assert!(err.is_err(), "a failed publish must propagate");
7048        assert!(
7049            crate::db::community::get_community_banlist(&id_hex).unwrap().is_empty(),
7050            "local banlist must be untouched when the publish failed"
7051        );
7052    }
7053
7054    #[tokio::test]
7055    async fn metadata_failed_publish_does_not_persist_locally() {
7056        // Metadata is RELAY-AUTHORITATIVE now (`fetch_and_apply_metadata` is the consumer fold): a failed
7057        // publish must NOT save locally, else we'd show an edit no member can see (and the phantom-head
7058        // rule keeps the edition head from advancing too). Convergence is publish-then-fold, not re-publish.
7059        let (_tmp, _guard) = init_test_db();
7060        let relay = MemoryRelay::new();
7061        let mut community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
7062        community.name = "Renamed HQ".to_string();
7063        assert!(republish_community_metadata(&FailingRelay, &community).await.is_err());
7064        let loaded = crate::db::community::load_community(&community.id).unwrap().unwrap();
7065        assert_eq!(loaded.name, "HQ", "a failed metadata publish leaves the local name unchanged");
7066    }
7067
7068    #[tokio::test]
7069    async fn send_persists_key_then_delete_round_trip() {
7070        let (_tmp, _guard) = init_test_db();
7071        let relay = MemoryRelay::new();
7072        let community = Community::create("HQ", "general", vec!["r1".into()]);
7073        let channel = community.channels[0].clone();
7074        let alice = Keys::generate();
7075
7076        // send_message persists the ephemeral key keyed by the INNER message id...
7077        let _outer = send_message(&relay, &community, &channel, &alice, "deletable", 1).await.unwrap();
7078        let before = fetch_channel_messages(&relay, &community, &channel).await.unwrap();
7079        assert_eq!(before.len(), 1);
7080        let message_id = before[0].message_id.to_hex();
7081
7082        // ...so delete_message (by inner message id, what the UI holds) removes it.
7083        delete_message(&relay, &message_id).await.unwrap();
7084        let after = fetch_channel_messages(&relay, &community, &channel).await.unwrap();
7085        assert!(after.is_empty(), "message should be deleted after delete_message");
7086
7087        // The key is single-use: a second delete finds nothing retained.
7088        assert!(delete_message(&relay, &message_id).await.is_err());
7089    }
7090
7091    #[tokio::test]
7092    async fn failed_delete_publish_preserves_key() {
7093        // B2: the deletion key is single-use, so a FAILED NIP-09 publish must NOT consume
7094        // it — otherwise the message is permanently undeletable.
7095        let (_tmp, _guard) = init_test_db();
7096        let relay = MemoryRelay::new();
7097        let community = Community::create("HQ", "general", vec!["r1".into()]);
7098        let channel = community.channels[0].clone();
7099        let alice = Keys::generate();
7100        send_message(&relay, &community, &channel, &alice, "delete me", 1).await.unwrap();
7101        let message_id = fetch_channel_messages(&relay, &community, &channel).await.unwrap()[0]
7102            .message_id
7103            .to_hex();
7104
7105        // Delete via a transport whose publish fails → error, key retained.
7106        assert!(delete_message(&FailingRelay, &message_id).await.is_err());
7107
7108        // The key survived, so a retry over a working relay succeeds.
7109        delete_message(&relay, &message_id).await.unwrap();
7110        assert!(fetch_channel_messages(&relay, &community, &channel).await.unwrap().is_empty());
7111    }
7112
7113    #[tokio::test]
7114    async fn delete_unknown_message_errors() {
7115        let (_tmp, _guard) = init_test_db();
7116        let relay = MemoryRelay::new();
7117        // A message id we never sent → no retained key → error, no panic.
7118        let fake = Keys::generate();
7119        let bogus = EventBuilder::new(Kind::Custom(1), "x").sign_with_keys(&fake).unwrap().id;
7120        assert!(delete_message(&relay, &bogus.to_hex()).await.is_err());
7121    }
7122
7123    #[tokio::test]
7124    async fn accept_invite_persists_member_view() {
7125        let (_tmp, _guard) = init_test_db();
7126        let owner = Community::create("HQ", "general", vec!["r1".into()]);
7127        let invite = crate::community::invite::build_invite(&owner);
7128
7129        let joined = accept_invite(&invite).expect("accept");
7130        assert!(!is_proven_owner(&joined), "joined as member, not owner");
7131        // Persisted + reloadable with the same read keys.
7132        let loaded = crate::db::community::load_community(&owner.id).unwrap().expect("saved");
7133        assert_eq!(loaded.channels[0].key.as_bytes(), owner.channels[0].key.as_bytes());
7134    }
7135
7136    #[tokio::test]
7137    async fn accept_invite_does_not_downgrade_owned_community() {
7138        // We OWN a Community (proven via the owner attestation); an invite reusing its id must be
7139        // refused so it can't overwrite our row.
7140        let (_tmp, _guard) = init_test_db();
7141        let relay = MemoryRelay::new();
7142        let owner = create_community(&relay, "HQ", "general", vec![]).await.unwrap();
7143        assert!(is_proven_owner(&owner), "we are the proven owner");
7144
7145        let invite = crate::community::invite::build_invite(&owner);
7146        let err = accept_invite(&invite).unwrap_err();
7147        assert!(err.contains("already own"), "must refuse to downgrade an owned community, got: {err}");
7148
7149        // The owner row is intact (same server-root key).
7150        let reloaded = crate::db::community::load_community(&owner.id).unwrap().unwrap();
7151        assert_eq!(reloaded.server_root_key.as_bytes(), owner.server_root_key.as_bytes());
7152    }
7153
7154    #[tokio::test]
7155    async fn accept_invite_rejects_id_collision_under_different_authority() {
7156        // We hold Community X as a MEMBER (authority pubkey A). A hostile bundle reuses
7157        // X's id but names a DIFFERENT authority + channel keys. It must be rejected so
7158        // our keys/authority/relays can't be silently swapped (community_id is
7159        // unauthenticated random bytes).
7160        let (_tmp, _guard) = init_test_db();
7161        let legit = Community::create("X", "general", vec!["wss://legit".into()]);
7162        let member_x = accept_invite(&crate::community::invite::build_invite(&legit)).unwrap();
7163        let original_key = member_x.channels[0].key.as_bytes().to_vec();
7164
7165        // Attacker's own Community, then forge its id to collide with X.
7166        let attacker = Community::create("evil", "general", vec!["wss://evil".into()]);
7167        let mut hostile = crate::community::invite::build_invite(&attacker);
7168        hostile.community_id = legit.id.to_hex();
7169        // The attacker's bundle carries its OWN server-root key, which differs from X's — the
7170        // keyless authority anchor the dedup compares.
7171        assert_ne!(hostile.server_root_key, crate::simd::hex::bytes_to_hex_32(member_x.server_root_key.as_bytes()));
7172
7173        assert!(accept_invite(&hostile).is_err(), "id-collision under new authority must be rejected");
7174
7175        // X's stored channel key is unchanged.
7176        let reloaded = crate::db::community::load_community(&legit.id).unwrap().unwrap();
7177        assert_eq!(reloaded.channels[0].key.as_bytes().to_vec(), original_key);
7178        assert_eq!(reloaded.relays, vec!["wss://legit".to_string()]);
7179    }
7180
7181    #[tokio::test]
7182    async fn rejected_accept_leaves_pending_invite_intact() {
7183        // Mirrors the accept command's peek→accept→(delete only on success) order: a
7184        // rejected accept must NOT destroy the parked invite (no silent data loss).
7185        let (_tmp, _guard) = init_test_db();
7186
7187        // We own this community (proven via the attestation), so an invite reusing its id is rejected.
7188        let owner = attested_community("HQ", "general", vec![]);
7189        crate::db::community::save_community(&owner).unwrap();
7190        let bundle = crate::community::invite::build_invite(&owner).to_json().unwrap();
7191        let cid = owner.id.to_hex();
7192        crate::db::community::save_pending_invite(&cid, &bundle, "npub1inviter").unwrap();
7193
7194        // Command sequence: peek (no delete) → accept (errs) → row survives.
7195        let peeked = crate::db::community::get_pending_invite(&cid).unwrap().expect("parked");
7196        let invite = crate::community::invite::CommunityInvite::from_json(&peeked).unwrap();
7197        assert!(accept_invite(&invite).is_err(), "owning the id → reject");
7198        assert!(
7199            crate::db::community::pending_invite_exists(&cid).unwrap(),
7200            "rejected accept must leave the invite parked"
7201        );
7202
7203        // A successful accept (community we don't already hold) clears the row.
7204        let other = Community::create("Other", "general", vec![]);
7205        let ob = crate::community::invite::build_invite(&other).to_json().unwrap();
7206        let ocid = other.id.to_hex();
7207        crate::db::community::save_pending_invite(&ocid, &ob, "npub1inviter").unwrap();
7208        let op = crate::db::community::get_pending_invite(&ocid).unwrap().unwrap();
7209        let oinvite = crate::community::invite::CommunityInvite::from_json(&op).unwrap();
7210        accept_invite(&oinvite).expect("accept ok");
7211        crate::db::community::delete_pending_invite(&ocid).unwrap();
7212        assert!(!crate::db::community::pending_invite_exists(&ocid).unwrap(), "cleared on success");
7213    }
7214
7215    #[tokio::test]
7216    async fn public_invite_create_fetch_accept_revoke_round_trip() {
7217        let (_tmp, _guard) = init_test_db();
7218        let relay = MemoryRelay::new();
7219        let mut owner = Community::create("Public HQ", "general", vec!["r1".into(), "r2".into()]);
7220        owner.description = Some("everyone welcome".into());
7221        // Sign the owner attestation with the seeded identity so `create_public_invite`'s proven-owner
7222        // gate passes. The owner community is in-memory only here (create_public_invite persists the
7223        // token, not the community), so this single DB cleanly plays the joiner on accept.
7224        let owner_keys = crate::state::MY_SECRET_KEY.to_keys().unwrap();
7225        owner.owner_attestation = Some(
7226            crate::community::owner::build_owner_attestation_unsigned(owner_keys.public_key(), &owner.id.to_hex())
7227                .sign_with_keys(&owner_keys).unwrap().as_json(),
7228        );
7229        // Owner mints a link.
7230        let (token_hex, url) = create_public_invite(&relay, &owner, None, None).await.expect("mint");
7231        assert!(url.contains('#'));
7232        assert_eq!(crate::db::community::list_public_invites(&owner.id.to_hex()).unwrap().len(), 1);
7233
7234        // A joiner parses the URL → fetches → previews → accepts.
7235        let (relays, token) = public_invite::parse_invite_url(&url).unwrap();
7236        assert_eq!(crate::simd::hex::bytes_to_hex_32(&token), token_hex);
7237        let bundle = fetch_public_invite(&relay, &relays, &token).await.expect("fetch");
7238        assert_eq!(bundle.preview.name, "Public HQ");
7239        assert_eq!(bundle.preview.description.as_deref(), Some("everyone welcome"));
7240
7241        let joined = accept_public_invite(&bundle, 0).expect("accept");
7242        assert_eq!(joined.id, owner.id);
7243        assert_eq!(joined.description.as_deref(), Some("everyone welcome"), "preview patched in");
7244
7245        // Owner revokes the last link → the link no longer resolves AND the community re-founds (Private).
7246        revoke_public_invite(&relay, &owner, &token).await.expect("revoke");
7247        assert!(fetch_public_invite(&relay, &relays, &token).await.is_err(), "revoked link is dead");
7248        assert!(crate::db::community::list_public_invites(&owner.id.to_hex()).unwrap().is_empty());
7249    }
7250
7251    #[tokio::test]
7252    async fn revoked_invite_dies_even_if_one_relay_kept_the_bundle() {
7253        // Mixed-relay race (the exact case the tombstone defends): the tombstone replaces the bundle on r1,
7254        // but r2 was down during revoke and still serves the live bundle. fetch must STILL report the link
7255        // dead — a token-signed Revoked tombstone on ANY relay is authoritative and wins ties with a bundle.
7256        let (_tmp, _guard) = init_test_db();
7257        let relay = MemoryRelay::new();
7258        let owner = attested_community("HQ", "general", vec!["r1".into(), "r2".into()]);
7259        let (_token_hex, url) = create_public_invite(&relay, &owner, None, None).await.unwrap();
7260        let (relays, token) = public_invite::parse_invite_url(&url).unwrap();
7261        assert!(fetch_public_invite(&relay, &relays, &token).await.is_ok(), "live on both relays");
7262
7263        // The tombstone reaches ONLY r1 (replaces the bundle there); r2 still has the live bundle.
7264        let tombstone = public_invite::build_public_invite_tombstone(&token).unwrap();
7265        relay.inject(&tombstone, &["r1".to_string()]);
7266
7267        assert!(
7268            fetch_public_invite(&relay, &relays, &token).await.is_err(),
7269            "a tombstone on any one relay kills the link, even with a stale live bundle elsewhere",
7270        );
7271    }
7272
7273    #[tokio::test]
7274    async fn fetch_skips_relay_shadow_junk_to_genuine_bundle() {
7275        // A hostile relay piles a NEWER event at the same locator d-tag, signed by a
7276        // different key (relay-shadow attack). fetch must skip it (fails token verify)
7277        // and still surface the genuine bundle, not report "no invite".
7278        use nostr_sdk::prelude::{EventBuilder, Keys, Kind, Tag, TagKind, Timestamp};
7279
7280        let (_tmp, _guard) = init_test_db();
7281        let relay = MemoryRelay::new();
7282        let owner = attested_community("HQ", "general", vec!["r1".into()]);
7283        let (_t, url) = create_public_invite(&relay, &owner, None, None).await.unwrap();
7284        let (relays, token) = public_invite::parse_invite_url(&url).unwrap();
7285
7286        // Attacker posts junk at the same locator with a far-future created_at so it
7287        // sorts newest.
7288        let attacker = Keys::generate();
7289        let junk = EventBuilder::new(Kind::Custom(event_kind::APPLICATION_SPECIFIC), "garbage")
7290            .tags([
7291                Tag::identifier(public_invite::locator_hex(&token)),
7292                Tag::custom(TagKind::Custom("vsk".into()), ["6".to_string()]),
7293                Tag::custom(TagKind::Custom("v".into()), ["1".to_string()]),
7294            ])
7295            .custom_created_at(Timestamp::from_secs(9_000_000_000))
7296            .sign_with_keys(&attacker)
7297            .unwrap();
7298        relay.publish(&junk, &relays).await.unwrap();
7299
7300        // Genuine bundle is still found despite the newer shadow.
7301        let bundle = fetch_public_invite(&relay, &relays, &token).await.expect("genuine survives shadow");
7302        assert_eq!(bundle.preview.name, "HQ");
7303    }
7304
7305    #[tokio::test]
7306    async fn expired_public_invite_is_refused() {
7307        let (_tmp, _guard) = init_test_db();
7308        let relay = MemoryRelay::new();
7309        let owner = attested_community("HQ", "general", vec!["r1".into()]);
7310        let (_t, url) = create_public_invite(&relay, &owner, Some(1000), None).await.unwrap();
7311        let (relays, token) = public_invite::parse_invite_url(&url).unwrap();
7312        let bundle = fetch_public_invite(&relay, &relays, &token).await.unwrap();
7313        // Past expiry → accept refuses, nothing joined.
7314        assert!(accept_public_invite(&bundle, 2000).is_err());
7315        assert!(crate::db::community::load_community(&owner.id).unwrap().is_none());
7316    }
7317
7318    #[tokio::test]
7319    async fn republish_metadata_saves_and_publishes() {
7320        use crate::community::CommunityImage;
7321        let (_tmp, _guard) = init_test_db();
7322        let relay = MemoryRelay::new();
7323        // create_community mints the owner attestation (the seeded vault identity is the owner) and the
7324        // genesis GroupRoot edition (v1) — so the owner is proven + holds MANAGE_METADATA implicitly.
7325        let mut owner = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
7326        let cid = owner.id.to_hex();
7327
7328        // Edit name + description + icon, republish (publishes the GroupRoot edition at v2).
7329        owner.name = "HQ Renamed".into();
7330        owner.description = Some("now with topic".into());
7331        owner.icon = Some(CommunityImage {
7332            url: "https://b/x".into(), key: "aa".repeat(32), nonce: "bb".repeat(12),
7333            hash: "cc".repeat(32), ext: "png".into(),
7334        });
7335        republish_community_metadata(&relay, &owner).await.expect("republish");
7336
7337        // Persisted locally.
7338        let loaded = crate::db::community::load_community(&owner.id).unwrap().unwrap();
7339        assert_eq!(loaded.name, "HQ Renamed");
7340        assert_eq!(loaded.description.as_deref(), Some("now with topic"));
7341        assert_eq!(loaded.icon.unwrap().url, "https://b/x");
7342
7343        // The GroupRoot edition advanced to v2 and carries the new metadata. Fetch the control plane,
7344        // fold the GroupRoot entity (entity_id == community_id), confirm the head + content.
7345        let (head_v, _) = crate::db::community::get_edition_head(&cid, &cid).unwrap().unwrap();
7346        assert_eq!(head_v, 2, "GroupRoot edition advanced v1 (create) → v2 (republish)");
7347        let z = crate::community::roster::control_pseudonym(&owner.server_root_key, &owner.id, crate::community::Epoch(0));
7348        let control = relay
7349            .fetch(&Query { kinds: vec![event_kind::COMMUNITY_CONTROL], z_tags: vec![z], ..Default::default() }, &owner.relays)
7350            .await
7351            .unwrap();
7352        let newest = control
7353            .iter()
7354            .filter_map(|o| crate::community::roster::open_control_edition(o, &owner.server_root_key).ok())
7355            .filter_map(|i| crate::community::edition::parse_edition_inner(&i).ok())
7356            .filter(|p| p.entity_id == owner.id.0)
7357            .max_by_key(|p| p.version)
7358            .expect("GroupRoot edition on the relay");
7359        let meta: crate::community::metadata::CommunityMetadata = serde_json::from_str(&newest.content).unwrap();
7360        assert_eq!(meta.name, "HQ Renamed");
7361        assert_eq!(meta.icon.unwrap().ext, "png");
7362    }
7363
7364    #[tokio::test]
7365    async fn member_cannot_republish_metadata() {
7366        let (_tmp, _guard) = init_test_db();
7367        let relay = MemoryRelay::new();
7368        let owner = Community::create("HQ", "general", vec!["r1".into()]);
7369        let member = crate::community::invite::accept_invite(&crate::community::invite::build_invite(&owner)).unwrap();
7370        assert!(republish_community_metadata(&relay, &member).await.is_err());
7371    }
7372
7373    #[tokio::test]
7374    async fn member_cannot_mint_public_invite() {
7375        let (_tmp, _guard) = init_test_db();
7376        let relay = MemoryRelay::new();
7377        let owner = Community::create("HQ", "general", vec!["r1".into()]);
7378        let member = crate::community::invite::accept_invite(&crate::community::invite::build_invite(&owner)).unwrap();
7379        assert!(create_public_invite(&relay, &member, None, None).await.is_err(), "members can't mint links");
7380    }
7381
7382    #[tokio::test]
7383    async fn accept_oversized_bundle_rejected() {
7384        let (_tmp, _guard) = init_test_db();
7385        let owner = Community::create("HQ", "general", vec![]);
7386        let mut invite = crate::community::invite::build_invite(&owner);
7387        // Blow past the channel cap.
7388        let template = invite.channels[0].clone();
7389        for _ in 0..300 {
7390            invite.channels.push(template.clone());
7391        }
7392        assert!(accept_invite(&invite).is_err(), "oversized bundle must be rejected");
7393        assert!(crate::db::community::load_community(&owner.id).unwrap().is_none(), "nothing persisted");
7394    }
7395
7396    // --- owner dissolution (GroupDissolved tombstone) ---
7397
7398    /// Seal + publish a GroupDissolved tombstone (vsk=10) authored by `author` to the community's control
7399    /// plane at the CURRENT epoch, so a subsequent `fetch_and_apply_control` folds it. `created_at` is
7400    /// caller-chosen so a test can prove backdating doesn't gate the binary seal.
7401    async fn publish_tombstone<T: Transport + ?Sized>(transport: &T, community: &Community, author: &Keys, created_at: u64) {
7402        let inner = crate::community::roster::build_group_dissolved_edition_unsigned(author.public_key(), &community.id, created_at)
7403            .sign_with_keys(author).unwrap();
7404        let outer = crate::community::roster::seal_control_edition(&Keys::generate(), &inner, &community.server_root_key, &community.id, community.server_root_epoch).unwrap();
7405        transport.publish_durable(&outer, &community.relays).await.unwrap();
7406    }
7407
7408    /// A relay wrapping MemoryRelay that COUNTS rekey (3303) publishes — for asserting dissolution emits
7409    /// none. Everything else delegates to the inner relay.
7410    struct RekeyCountingRelay {
7411        inner: MemoryRelay,
7412        rekeys: std::sync::atomic::AtomicUsize,
7413    }
7414    impl RekeyCountingRelay {
7415        fn new() -> Self { Self { inner: MemoryRelay::new(), rekeys: std::sync::atomic::AtomicUsize::new(0) } }
7416        fn count(&self, e: &Event) {
7417            if e.kind.as_u16() == event_kind::COMMUNITY_REKEY {
7418                self.rekeys.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
7419            }
7420        }
7421    }
7422    #[async_trait::async_trait]
7423    impl Transport for RekeyCountingRelay {
7424        async fn publish(&self, e: &Event, r: &[String]) -> Result<(), String> { self.count(e); self.inner.publish(e, r).await }
7425        async fn publish_durable(&self, e: &Event, r: &[String]) -> Result<(), String> { self.count(e); self.inner.publish_durable(e, r).await }
7426        async fn fetch(&self, q: &Query, r: &[String]) -> Result<Vec<Event>, String> { self.inner.fetch(q, r).await }
7427    }
7428
7429    #[tokio::test]
7430    async fn owner_tombstone_folds_to_dissolved() {
7431        let (_tmp, _guard) = init_test_db();
7432        let relay = MemoryRelay::new();
7433        // The seeded local identity is the proven owner of a created community.
7434        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
7435        let cid = community.id.to_hex();
7436        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
7437        publish_tombstone(&relay, &community, &owner, 1000).await;
7438
7439        assert!(!crate::db::community::get_community_dissolved(&cid).unwrap(), "alive before the fold");
7440        fetch_and_apply_control(&relay, &community).await.unwrap();
7441        assert!(crate::db::community::get_community_dissolved(&cid).unwrap(), "owner tombstone seals the community");
7442    }
7443
7444    #[tokio::test]
7445    async fn non_owner_tombstone_is_ignored() {
7446        let (_tmp, _guard) = init_test_db();
7447        let relay = MemoryRelay::new();
7448        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
7449        let cid = community.id.to_hex();
7450        // A BAN-capable admin is NOT enough: dissolution is the owner's call alone. A random
7451        // non-owner author publishing the tombstone must be rejected.
7452        let mallory = Keys::generate();
7453        publish_tombstone(&relay, &community, &mallory, 1000).await;
7454
7455        fetch_and_apply_control(&relay, &community).await.unwrap();
7456        assert!(!crate::db::community::get_community_dissolved(&cid).unwrap(), "a non-owner tombstone is ignored");
7457    }
7458
7459    #[tokio::test]
7460    async fn unreadable_deed_rejects_the_tombstone() {
7461        let (_tmp, _guard) = init_test_db();
7462        let relay = MemoryRelay::new();
7463        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
7464        let mut community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
7465        let cid = community.id.to_hex();
7466        publish_tombstone(&relay, &community, &owner, 1000).await;
7467        // Strip the deed: the owner can no longer be derived → fail-closed, the tombstone is unverifiable.
7468        community.owner_attestation = None;
7469        crate::db::community::save_community(&community).unwrap();
7470        let stripped = crate::db::community::load_community(&community.id).unwrap().unwrap();
7471
7472        fetch_and_apply_control(&relay, &stripped).await.unwrap();
7473        assert!(!crate::db::community::get_community_dissolved(&cid).unwrap(), "unverifiable tombstone is rejected, not death-by-default");
7474    }
7475
7476    #[tokio::test]
7477    async fn binary_seal_drops_every_subsequent_event_with_no_timestamp_test() {
7478        let (_tmp, _guard) = init_test_db();
7479        let relay = MemoryRelay::new();
7480        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
7481        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
7482        let cid = community.id.to_hex();
7483        publish_tombstone(&relay, &community, &owner, 1000).await;
7484        fetch_and_apply_control(&relay, &community).await.unwrap();
7485        assert!(crate::db::community::get_community_dissolved(&cid).unwrap());
7486
7487        // The channel reloaded after the seal carries the denormalized dissolved flag → inbound drops all.
7488        let sealed = crate::db::community::load_community(&community.id).unwrap().unwrap();
7489        let channel = sealed.channels[0].clone();
7490        let me = owner.public_key();
7491
7492        // A subsequent message — even BACKDATED before the tombstone — is dropped (no created_at gate).
7493        let backdated = super::super::envelope::seal_message(
7494            &Keys::generate(), &channel.key, &channel.id, channel.epoch, "ghost", 1,
7495        ).unwrap();
7496        let mut state = crate::state::ChatState::new();
7497        assert!(super::super::inbound::process_incoming(&mut state, &backdated, &channel, &me).is_none(),
7498            "a backdated message after the seal is dropped (binary seal, no timestamp test)");
7499
7500        // A subsequent control edition does not advance the fold either (it short-circuits on the flag).
7501        publish_tombstone(&relay, &sealed, &owner, 2000).await;
7502        assert_eq!(fetch_and_apply_control(&relay, &sealed).await.unwrap(), 0,
7503            "control fold stops advancing once sealed");
7504    }
7505
7506    #[tokio::test]
7507    async fn dissolve_community_emits_no_rekey_and_no_epoch_bump() {
7508        let (_tmp, _guard) = init_test_db();
7509        let relay = RekeyCountingRelay::new();
7510        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
7511        let cid = community.id.to_hex();
7512        // Mint a public link so the link-retire path actually runs (and must NOT privatize-rekey).
7513        create_public_invite(&relay, &community, None, None).await.unwrap();
7514        let before_epoch = crate::db::community::load_community(&community.id).unwrap().unwrap().server_root_epoch;
7515
7516        dissolve_community(&relay, &community).await.unwrap();
7517
7518        assert!(crate::db::community::get_community_dissolved(&cid).unwrap(), "sealed locally");
7519        assert_eq!(relay.rekeys.load(std::sync::atomic::Ordering::Relaxed), 0,
7520            "dissolution publishes NO 3303 rekey (no last-link privatize re-founding)");
7521        assert_eq!(crate::db::community::load_community(&community.id).unwrap().unwrap().server_root_epoch, before_epoch,
7522            "base epoch unchanged — dissolution rotates nothing");
7523    }
7524
7525    #[tokio::test]
7526    async fn duplicate_owner_tombstones_are_idempotent() {
7527        let (_tmp, _guard) = init_test_db();
7528        let relay = MemoryRelay::new();
7529        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
7530        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
7531        let cid = community.id.to_hex();
7532        // Two owner tombstones (distinct created_at → distinct inner ids) at the locator.
7533        publish_tombstone(&relay, &community, &owner, 1000).await;
7534        publish_tombstone(&relay, &community, &owner, 2000).await;
7535
7536        fetch_and_apply_control(&relay, &community).await.unwrap();
7537        assert!(crate::db::community::get_community_dissolved(&cid).unwrap(), "duplicates still just dissolve, no error");
7538        // A second fold over the same plane is a harmless no-op (already sealed).
7539        assert_eq!(fetch_and_apply_control(&relay, &community).await.unwrap(), 0);
7540    }
7541
7542    #[test]
7543    fn apply_server_root_rekey_refuses_once_dissolved() {
7544        let (_tmp, _guard) = init_test_db();
7545        let owner = Keys::generate();
7546        let me = Keys::generate();
7547        become_local(&me);
7548        let community = saved_community_owned_by(&owner);
7549        let cid = community.id.to_hex();
7550        crate::db::community::set_community_dissolved(&cid).unwrap();
7551
7552        let parsed = owner_base_rekey(&owner, &community, &me.public_key(), 1, &[0xCDu8; 32]);
7553        assert!(apply_server_root_rekey(&community, &parsed).is_err(),
7554            "a base rekey cannot cross a tombstone");
7555        assert_eq!(crate::db::community::load_community(&community.id).unwrap().unwrap().server_root_epoch,
7556            crate::community::Epoch(0), "base epoch did not advance");
7557    }
7558
7559    #[tokio::test]
7560    async fn tombstone_detected_after_a_base_rotation() {
7561        let (_tmp, _guard) = init_test_db();
7562        let relay = MemoryRelay::new();
7563        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
7564        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
7565        let cid = community.id.to_hex();
7566        // Re-found the base (epoch 0 → 1); the dissolved locator is rotation-STABLE, so a tombstone
7567        // published AFTER the rotation (sealed under the new root) is still found by a post-rotation client.
7568        rotate_server_root(&relay, &community, &[owner.public_key()]).await.unwrap();
7569        let rotated = crate::db::community::load_community(&community.id).unwrap().unwrap();
7570        assert_eq!(rotated.server_root_epoch, crate::community::Epoch(1));
7571        publish_tombstone(&relay, &rotated, &owner, 1000).await;
7572
7573        fetch_and_apply_control(&relay, &rotated).await.unwrap();
7574        assert!(crate::db::community::get_community_dissolved(&cid).unwrap(),
7575            "tombstone at the rotation-stable locator is detected post-rotation");
7576    }
7577
7578    #[tokio::test]
7579    async fn stable_coordinate_tombstone_survives_a_concurrent_rotation() {
7580        // Cross-epoch: a tombstone published ONLY at the rotation-stable coordinate is
7581        // discovered by a client that has since advanced to a LATER epoch — whose control_pseudonym differs,
7582        // so the tombstone is NOT in that epoch's control fold. Only the stable-coordinate probe can find it.
7583        // This is the case a concurrent re-founding creates (tombstone at epoch N, joiner on epoch N+1).
7584        let (_tmp, _guard) = init_test_db();
7585        let relay = MemoryRelay::new();
7586        let owner = crate::state::MY_SECRET_KEY.to_keys().unwrap();
7587        let community = create_community(&relay, "HQ", "general", vec!["r1".into()]).await.unwrap();
7588        let cid = community.id.to_hex();
7589        // Owner publishes the tombstone ONLY at the stable coordinate (no control_pseudonym copy).
7590        let inner = crate::community::roster::build_group_dissolved_edition_unsigned(owner.public_key(), &community.id, 1000)
7591            .sign_with_keys(&owner).unwrap();
7592        let stable = crate::community::roster::seal_dissolved_edition(&Keys::generate(), &inner, &community.id).unwrap();
7593        relay.inject(&stable, &community.relays);
7594        // Advance the base epoch (the local client hasn't folded the tombstone yet, so rotation is allowed —
7595        // exactly the concurrent-re-founder's state). The control_pseudonym now differs from epoch 0's.
7596        rotate_server_root(&relay, &community, &[owner.public_key()]).await.unwrap();
7597        let rotated = crate::db::community::load_community(&community.id).unwrap().unwrap();
7598        assert_eq!(rotated.server_root_epoch, crate::community::Epoch(1));
7599        assert!(!crate::db::community::get_community_dissolved(&cid).unwrap(), "not folded yet");
7600        // Fetch control at the NEW epoch: the tombstone is absent from this control_pseudonym; only the
7601        // stable-coordinate probe can surface it.
7602        fetch_and_apply_control(&relay, &rotated).await.unwrap();
7603        assert!(crate::db::community::get_community_dissolved(&cid).unwrap(),
7604            "stable-coordinate probe discovers the tombstone cross-epoch (C3 closed)");
7605    }
7606}