Add OMEMO stale-bundle pruning, dropped-recipient XMPPEvent, fixture JID-mismatch hardening, ChatService.clearRoomState unifier, and notConnectedDescription helper

Author: tobihagemann

IntegrationTests/Tests/DuckoIntegrationTests/OMEMOFixtureFormat.swift

@@ -16,6 +16,44 @@ struct FixtureOMEMOIdentity: Codable {
     /// Ed25519 signature over the signed pre-key (64 bytes).
     let signedPreKeySignature: [UInt8]
     let preKeys: [PreKey]
+    /// Bare JID this fixture was captured for. Optional with `decodeIfPresent`
+    /// so legacy fixtures (written before this field existed) keep loading;
+    /// `loadOMEMOFixture` refuses a fixture whose JID disagrees with the
+    /// credential at load time so identity material cannot be silently reused
+    /// across accounts.
+    let accountJID: String?
+
+    init(
+        deviceID: UInt32,
+        identityKeyRaw: [UInt8],
+        signedPreKeyID: UInt32,
+        signedPreKeyRaw: [UInt8],
+        signedPreKeySignature: [UInt8],
+        preKeys: [PreKey],
+        accountJID: String? = nil
+    ) {
+        self.deviceID = deviceID
+        self.identityKeyRaw = identityKeyRaw
+        self.signedPreKeyID = signedPreKeyID
+        self.signedPreKeyRaw = signedPreKeyRaw
+        self.signedPreKeySignature = signedPreKeySignature
+        self.preKeys = preKeys
+        self.accountJID = accountJID
+    }
+
+    /// Custom decode so legacy fixtures — written before `accountJID` existed —
+    /// deserialize cleanly with `accountJID = nil` rather than throwing
+    /// `keyNotFound`. Mirrors `PreKey.init(from:)` for the same reason.
+    init(from decoder: Decoder) throws {
+        let container = try decoder.container(keyedBy: CodingKeys.self)
+        self.deviceID = try container.decode(UInt32.self, forKey: .deviceID)
+        self.identityKeyRaw = try container.decode([UInt8].self, forKey: .identityKeyRaw)
+        self.signedPreKeyID = try container.decode(UInt32.self, forKey: .signedPreKeyID)
+        self.signedPreKeyRaw = try container.decode([UInt8].self, forKey: .signedPreKeyRaw)
+        self.signedPreKeySignature = try container.decode([UInt8].self, forKey: .signedPreKeySignature)
+        self.preKeys = try container.decode([PreKey].self, forKey: .preKeys)
+        self.accountJID = try container.decodeIfPresent(String.self, forKey: .accountJID)
+    }
 
     struct PreKey: Codable {
         let keyID: UInt32

IntegrationTests/Tests/DuckoIntegrationTests/OMEMOFixtureFormatTests.swift

@@ -1,3 +1,4 @@
+import DuckoCore
 import Foundation
 import Testing
 
@@ -108,5 +109,121 @@ enum OMEMOFixtureFormatTests {
             let decoded = try JSONDecoder().decode(FixtureOMEMOIdentity.self, from: encoded)
             #expect(decoded.preKeys.map(\.isUsed) == [true, false])
         }
+
+        @Test func `legacy fixture without accountJID decodes with accountJID nil`() throws {
+            let json = """
+            {
+                "deviceID": 1,
+                "identityKeyRaw": \(Array(repeating: 17, count: 32)),
+                "signedPreKeyID": 7,
+                "signedPreKeyRaw": \(Array(repeating: 34, count: 32)),
+                "signedPreKeySignature": \(Array(repeating: 51, count: 64)),
+                "preKeys": [
+                    {"keyID": 1, "keyRaw": \(Array(repeating: 68, count: 32))}
+                ]
+            }
+            """
+            let data = try #require(json.data(using: .utf8))
+            let decoded = try JSONDecoder().decode(FixtureOMEMOIdentity.self, from: data)
+            #expect(decoded.accountJID == nil)
+        }
+
+        @Test func `fixture round-trips accountJID`() throws {
+            let fixture = FixtureOMEMOIdentity(
+                deviceID: 1,
+                identityKeyRaw: Array(repeating: 0x11, count: 32),
+                signedPreKeyID: 7,
+                signedPreKeyRaw: Array(repeating: 0x22, count: 32),
+                signedPreKeySignature: Array(repeating: 0x33, count: 64),
+                preKeys: [
+                    FixtureOMEMOIdentity.PreKey(keyID: 1, keyRaw: Array(repeating: 0x44, count: 32))
+                ],
+                accountJID: "alice@example.com"
+            )
+            let encoded = try JSONEncoder().encode(fixture)
+            let decoded = try JSONDecoder().decode(FixtureOMEMOIdentity.self, from: encoded)
+            #expect(decoded.accountJID == "alice@example.com")
+        }
+    }
+
+    /// Locks the JID-mismatch refusal contract that protects against silent
+    /// identity reuse across recycled fixture files.
+    struct JIDMatchGate {
+        @Test func `legacy fixture (no accountJID) is allowed`() {
+            #expect(TestHarness.fixtureJIDMatchesCredential(nil, credentialJID: "alice@example.com"))
+        }
+
+        @Test func `same JID matches`() {
+            #expect(TestHarness.fixtureJIDMatchesCredential("alice@example.com", credentialJID: "alice@example.com"))
+        }
+
+        @Test func `different JID is refused`() {
+            #expect(!TestHarness.fixtureJIDMatchesCredential("alice@example.com", credentialJID: "bob@example.com"))
+        }
+
+        @Test func `case-different localpart matches via BareJID normalization`() {
+            #expect(TestHarness.fixtureJIDMatchesCredential("Alice@example.com", credentialJID: "alice@example.com"))
+        }
+    }
+
+    /// Locks the byte-stability invariants in `captureOMEMOFixture` so a
+    /// regression that drops the prekey sort or changes the encoder output
+    /// formatting can't silently re-introduce the spurious-rewrite class of
+    /// bug.
+    struct ByteStability {
+        @Test func `sortedFixturePreKeys orders by keyID regardless of input order`() {
+            let unsorted = [
+                OMEMOStoredPreKey(accountJID: "alice@example.com", keyID: 7, keyData: Data(repeating: 0x07, count: 32), isUsed: false),
+                OMEMOStoredPreKey(accountJID: "alice@example.com", keyID: 3, keyData: Data(repeating: 0x03, count: 32), isUsed: true),
+                OMEMOStoredPreKey(accountJID: "alice@example.com", keyID: 5, keyData: Data(repeating: 0x05, count: 32), isUsed: false)
+            ]
+            let sorted = TestHarness.sortedFixturePreKeys(unsorted)
+            #expect(sorted.map(\.keyID) == [3, 5, 7])
+            #expect(sorted.map(\.isUsed) == [true, false, false])
+        }
+
+        @Test func `encodeFixture is byte-stable across two encodes of the same value`() throws {
+            let fixture = FixtureOMEMOIdentity(
+                deviceID: 1,
+                identityKeyRaw: Array(repeating: 0x11, count: 32),
+                signedPreKeyID: 7,
+                signedPreKeyRaw: Array(repeating: 0x22, count: 32),
+                signedPreKeySignature: Array(repeating: 0x33, count: 64),
+                preKeys: [
+                    FixtureOMEMOIdentity.PreKey(keyID: 1, keyRaw: Array(repeating: 0x44, count: 32)),
+                    FixtureOMEMOIdentity.PreKey(keyID: 2, keyRaw: Array(repeating: 0x55, count: 32), isUsed: true)
+                ],
+                accountJID: "alice@example.com"
+            )
+            let first = try TestHarness.encodeFixture(fixture)
+            let second = try TestHarness.encodeFixture(fixture)
+            #expect(first == second)
+        }
+
+        @Test func `encodeFixture differs when only isUsed flips`() throws {
+            let unused = FixtureOMEMOIdentity.PreKey(keyID: 1, keyRaw: Array(repeating: 0x44, count: 32), isUsed: false)
+            let used = FixtureOMEMOIdentity.PreKey(keyID: 1, keyRaw: Array(repeating: 0x44, count: 32), isUsed: true)
+            let baseline = FixtureOMEMOIdentity(
+                deviceID: 1,
+                identityKeyRaw: Array(repeating: 0x11, count: 32),
+                signedPreKeyID: 7,
+                signedPreKeyRaw: Array(repeating: 0x22, count: 32),
+                signedPreKeySignature: Array(repeating: 0x33, count: 64),
+                preKeys: [unused],
+                accountJID: "alice@example.com"
+            )
+            let consumed = FixtureOMEMOIdentity(
+                deviceID: 1,
+                identityKeyRaw: Array(repeating: 0x11, count: 32),
+                signedPreKeyID: 7,
+                signedPreKeyRaw: Array(repeating: 0x22, count: 32),
+                signedPreKeySignature: Array(repeating: 0x33, count: 64),
+                preKeys: [used],
+                accountJID: "alice@example.com"
+            )
+            let baselineBytes = try TestHarness.encodeFixture(baseline)
+            let consumedBytes = try TestHarness.encodeFixture(consumed)
+            #expect(baselineBytes != consumedBytes)
+        }
     }
 }

IntegrationTests/Tests/DuckoIntegrationTests/TestHarness.swift

@@ -318,6 +318,13 @@ final class TestHarness {
             log.warning("OMEMO fixture for \(credential.label) is malformed; ignoring and allowing fresh identity generation")
             return false
         }
+        // Refuse to seed identity material that was captured for a different
+        // JID — silent reuse across accounts would mask a renamed/recycled
+        // fixture file.
+        if !Self.fixtureJIDMatchesCredential(fixture.accountJID, credentialJID: credential.jid) {
+            log.warning("OMEMO fixture for \(credential.label) was captured for a different JID; ignoring and allowing fresh identity generation")
+            return false
+        }
 
         let identity = OMEMOStoredIdentity(
             accountJID: credential.jid,
@@ -349,8 +356,11 @@ final class TestHarness {
 
     /// Captures the freshly-generated OMEMO identity for `credential` to the
     /// path resolved by `fixtureURL(for:)` so later runs can reuse it via
-    /// `loadOMEMOFixture`. No-ops when a well-formed fixture is already on
-    /// disk; overwrites a malformed one.
+    /// `loadOMEMOFixture`. Writes only when the encoded bytes differ from
+    /// the on-disk file: idempotent runs stay byte-stable (no spurious git
+    /// diffs in CI), but a test that consumes prekeys flips an `isUsed`
+    /// flag, the encoded bytes diverge from disk, and the fixture is
+    /// rewritten. A malformed fixture is also overwritten and logged.
     ///
     /// `OMEMOService.handleConnected` persists identity, prekeys, and signed
     /// prekey via a detached task that outlives `.rosterLoaded`, so this method
@@ -359,64 +369,135 @@ final class TestHarness {
     /// run regenerates.
     private func captureOMEMOFixture(for credential: TestCredentials.Credential) async throws {
         let fixtureURL = Self.fixtureURL(for: credential.label)
-
-        if let existing = try? Data(contentsOf: fixtureURL) {
-            if let decoded = try? JSONDecoder().decode(FixtureOMEMOIdentity.self, from: existing),
-               decoded.passesShapeInvariants {
+        // Distinguish "file not present" (continue and write fresh) from
+        // "file present but unreadable" (bail rather than clobber). A
+        // transient I/O error reading a well-formed fixture must not result
+        // in silently overwriting it on disk.
+        let fileExists = FileManager.default.fileExists(atPath: fixtureURL.path)
+        let existing: Data?
+        if fileExists {
+            do {
+                existing = try Data(contentsOf: fixtureURL)
+            } catch {
+                log.warning("OMEMO fixture for \(credential.label) at \(fixtureURL.path) is present but unreadable (\(error.localizedDescription)); skipping capture to avoid clobbering it")
                 return
             }
-            log.info("Overwriting malformed OMEMO fixture for \(credential.label) at \(fixtureURL.path)")
+        } else {
+            existing = nil
+        }
+        let existingDecoded = existing.flatMap { try? JSONDecoder().decode(FixtureOMEMOIdentity.self, from: $0) }
+        let existingIsMalformed = existing != nil && existingDecoded?.passesShapeInvariants != true
+        // Refuse to overwrite a well-formed fixture whose accountJID disagrees
+        // with the credential — `loadOMEMOFixture` already rejected it as a
+        // mismatch and let connect generate fresh material; silently writing
+        // the new identity over the existing file would permanently destroy
+        // the original-account fixture without warning.
+        if let existingDecoded,
+           existingDecoded.passesShapeInvariants,
+           !Self.fixtureJIDMatchesCredential(existingDecoded.accountJID, credentialJID: credential.jid) {
+            log.warning("OMEMO fixture for \(credential.label) at \(fixtureURL.path) was captured for a different JID; preserving existing file. Move or delete it manually if you intend to reuse the path for \(credential.jid).")
+            return
         }
 
-        guard await waitForSignedPreKey(for: credential) else {
-            log.warning("OMEMO signed prekey for \(credential.label) did not land in store within 10s; skipping fixture capture")
+        guard let fixture = try await buildFixture(for: credential) else { return }
+        let encoded = try Self.encodeFixture(fixture)
+
+        // Idempotency guard: if the on-disk bytes already match the fixture we
+        // would write, skip the write. Idempotent test runs stay byte-stable
+        // (no spurious git diffs in CI), but a test that consumes prekeys —
+        // flipping their `isUsed` flags in memory — will diff against the
+        // on-disk copy and trigger a rewrite.
+        if existing == encoded {
+            log.debug("OMEMO fixture for \(credential.label) unchanged; skipping write at \(fixtureURL.path)")
             return
         }
 
+        try writeFixture(encoded, to: fixtureURL)
+        if existingIsMalformed {
+            log.info("Overwrote malformed OMEMO fixture for \(credential.label) at \(fixtureURL.path)")
+        } else {
+            log.debug("OMEMO fixture for \(credential.label) changed; wrote at \(fixtureURL.path)")
+        }
+    }
+
+    /// Builds a `FixtureOMEMOIdentity` from the OMEMO store after polling the
+    /// detached persistence task. Returns `nil` when the store has not
+    /// finished writing within 10s — the next run will regenerate.
+    private func buildFixture(
+        for credential: TestCredentials.Credential
+    ) async throws -> FixtureOMEMOIdentity? {
+        guard await waitForSignedPreKey(for: credential) else {
+            log.warning("OMEMO signed prekey for \(credential.label) did not land in store within 10s; skipping fixture capture")
+            return nil
+        }
         guard let storedIdentity = try await omemoStore.loadIdentity(for: credential.jid) else {
             log.warning("OMEMO identity for \(credential.label) missing at capture time; skipping fixture capture")
-            return
+            return nil
         }
         let storedPreKeys = try await omemoStore.loadPreKeys(for: credential.jid)
         guard let storedSignedPreKey = try await omemoStore.loadSignedPreKey(for: credential.jid) else {
             log.warning("OMEMO signed prekey for \(credential.label) missing at capture time; skipping fixture capture")
-            return
+            return nil
         }
-
-        let fixture = FixtureOMEMOIdentity(
+        return FixtureOMEMOIdentity(
             deviceID: storedIdentity.deviceID,
             identityKeyRaw: Array(storedIdentity.identityKeyData),
             signedPreKeyID: storedSignedPreKey.keyID,
             signedPreKeyRaw: Array(storedSignedPreKey.keyData),
             signedPreKeySignature: Array(storedSignedPreKey.signature),
-            preKeys: storedPreKeys.map {
-                FixtureOMEMOIdentity.PreKey(keyID: $0.keyID, keyRaw: Array($0.keyData), isUsed: $0.isUsed)
-            }
+            preKeys: Self.sortedFixturePreKeys(storedPreKeys),
+            accountJID: credential.jid
         )
+    }
 
-        // Create the directory with owner-only access (0700) and write the
-        // fixture with owner-only permissions (0600) so the long-term identity
-        // keys don't land at the umask default (0755/0644) on multi-user hosts.
-        // `createDirectory(attributes:)` is a no-op when the directory already
-        // exists, so re-apply 0700 explicitly afterward — otherwise a dir
-        // created by an older harness version at default 0755 stays that way.
+    /// Writes the encoded fixture to disk with owner-only directory and
+    /// file permissions so the long-term identity keys don't land at the
+    /// umask default (0755/0644) on multi-user hosts.
+    /// `createDirectory(attributes:)` is a no-op when the directory already
+    /// exists, so re-apply 0700 explicitly afterward — otherwise a dir
+    /// created by an older harness version at default 0755 stays that way.
+    private func writeFixture(_ encoded: Data, to fixtureURL: URL) throws {
         let directory = fixtureURL.deletingLastPathComponent()
         try FileManager.default.createDirectory(
             at: directory,
             withIntermediateDirectories: true,
             attributes: [.posixPermissions: 0o700]
         )
         try? FileManager.default.setAttributes([.posixPermissions: 0o700], ofItemAtPath: directory.path)
+        try encoded.write(to: fixtureURL, options: .atomic)
+        try? FileManager.default.setAttributes([.posixPermissions: 0o600], ofItemAtPath: fixtureURL.path)
+    }
 
+    /// Deterministic JSON encoding for `FixtureOMEMOIdentity`. Used both for
+    /// writing the fixture and for the on-disk-vs-in-memory diff in
+    /// `captureOMEMOFixture` — both sides must agree on key ordering and
+    /// formatting, otherwise a byte-stable run would false-positive the diff.
+    /// Pretty-printed JSON honors `OMEMOFixtureFormat`'s "visible to the
+    /// naked eye when inspecting fixture drift" docstring.
+    nonisolated static func encodeFixture(_ fixture: FixtureOMEMOIdentity) throws -> Data {
         let encoder = JSONEncoder()
-        // Pretty-printed JSON honors `OMEMOFixtureFormat`'s "visible to the
-        // naked eye when inspecting fixture drift" docstring.
         encoder.outputFormatting = [.prettyPrinted, .sortedKeys]
-        let encoded = try encoder.encode(fixture)
-        try encoded.write(to: fixtureURL, options: .atomic)
-        try? FileManager.default.setAttributes([.posixPermissions: 0o600], ofItemAtPath: fixtureURL.path)
+        return try encoder.encode(fixture)
+    }
+
+    /// Per-keyID-sorted serialization of stored prekeys, matching
+    /// `captureOMEMOFixture`'s in-memory-side serialization. Exposed so unit
+    /// tests can assert byte-stability without driving the whole capture flow.
+    nonisolated static func sortedFixturePreKeys(
+        _ storedPreKeys: [OMEMOStoredPreKey]
+    ) -> [FixtureOMEMOIdentity.PreKey] {
+        storedPreKeys
+            .sorted { $0.keyID < $1.keyID }
+            .map { FixtureOMEMOIdentity.PreKey(keyID: $0.keyID, keyRaw: Array($0.keyData), isUsed: $0.isUsed) }
+    }
 
-        log.info("Captured generated OMEMO identity for \(credential.label) at \(fixtureURL.path)")
+    /// Treats a missing (legacy) `captured` as a match (legacy fixtures
+    /// pre-date the field and load until rewritten). When present, compares
+    /// as parsed `BareJID` so localpart/domainpart case normalization doesn't
+    /// trigger a spurious mismatch.
+    nonisolated static func fixtureJIDMatchesCredential(_ captured: String?, credentialJID: String) -> Bool {
+        guard let captured else { return true }
+        return BareJID.parse(captured) == BareJID.parse(credentialJID)
     }
 
     /// Polls the OMEMO store for `credential`'s signed-prekey up to 10 s.

Sources/DuckoCLI/Events/CLIEventHandler.swift

@@ -44,7 +44,7 @@ actor CLIEventHandler {
              .jingleContentAddReceived, .jingleContentAccepted,
              .jingleContentRejected, .jingleContentRemoved,
              .blockListLoaded, .contactBlocked, .contactUnblocked,
-             .omemoEncryptedMessageReceived,
+             .omemoEncryptedMessageReceived, .omemoRecipientsPartial,
              .serviceOutageReceived:
             break
         }