Pin bump 5ee014dd -> c9c2d19 picks up the 8 simplexmq commits since the
last bump (parseBare lowercase fix, forwarded-param cleanup, ServerTests
+ agent end-to-end tests, TldRegistries removal, SNRC ABI decoder,
NameRecord/NameOwner module extraction).
Adds a brief comment on clearConflictingContactProfileSimplexName_
explaining why the audit's flagged cross-table collision (between
contact_profiles.simplex_name and group_profiles.simplex_name) is
structurally impossible: SimplexNameInfo's strEncode prefixes contact
names with '@' and group names with '#', so the stored bytes never
overlap between the two tables.
Query-plan regen deferred (the test is non-deterministic in CI / dev
sandbox — see prior 6c990696c).
Addresses the TOFU vulnerability where peer-claimed simplex_name was
accepted unverified. Adds:
- contacts.simplex_name_verified_at + groups.simplex_name_verified_at
(M20260606_simplex_name_verified)
- APIVerifySimplexName ChatRef command: RSLV-resolves the claimed name
and compares the resolved link to the peer's stored connection link;
on match writes verified_at and emits CEvtSimplexNameVerified;
on mismatch emits CEvtSimplexNameVerifyFailed
- CEvtSimplexNameUnverified passive warning emitted on incoming XInfo /
XGrpInfo when a name claim arrives without a current verification
- updateContactProfileWithConflict / updateGroupProfileWithConflict
clear simplex_name_verified_at whenever the peer's claim transitions
(any value change including Nothing<->Just): the prior verification
was bound to the prior claim.
UI can surface the unverified indicator next to a contact / group's
name, and prompt the user to invoke the verify command. This shifts
the security model from "TOFU + last-writer-wins" to "TOFU + on-demand
RSLV verification".
Audit flagged the column as "INSERTed but never UPDATEd". This is by
design per the prior plan's connect-via-plan flow: the column is a
transient carrier between connection-creation and contact-creation.
After the Contact row is created via XInfo handling, contacts.simplex_name
is the source of truth and the connections value is a historical snapshot.
Documents the intent so future readers don't reflag it.
The contacts simplex_name index filters on (deleted = 0); the groups
index has no analogous filter because the groups table has no `deleted`
column. Groups are hard-deleted by deleteGroup, so the asymmetry is
intentional. The remaining "removed member, row retained" edge case is
flagged in the lookup comment for follow-up.
- updateUserProfile no longer writes contact_profiles.simplex_name on
the user's own row (the column is reserved for peer claims; the user's
broadcastable name lives on contacts.simplex_name via uct.simplex_name).
- updateMemberContactProfile_'/Reset_' now write simplex_name; new
updateMemberProfileWithConflict / updateContactMemberProfileWithConflict
variants run conflict-clear and return the displaced name, with
processMemberProfileUpdate emitting CEvtSimplexNameConflict.
- createContact_ runs conflict-clear before INSERT to avoid UNIQUE
constraint violations on first-write peer collisions, returning the
displaced name; createPreparedContact / createDirectContact thread it
through to APIPrepareContact and saveConnInfo XInfo for event emission.
- groups conflict-clear takes ProfileId directly (avoids the NOT IN (NULL)
silent-noop edge case when groups.group_profile_id is ON DELETE SET NULL).
- Moves clearConflictingContactProfileSimplexName_ to Shared.hs so
createContact_ can call it without inducing a circular import.
Write paths:
- updateContactProfile_' / updateGroupProfile_ now set the new
contact_profiles.simplex_name / group_profiles.simplex_name columns
from Profile.simplexName / GroupProfile.simplexName respectively.
- createContact_ INSERT writes Profile.simplexName to the new
contact_profiles column (separate from the existing simplexName arg,
which still writes contacts.simplex_name — the user's locally-known
label).
Read paths (closing Task 2's deferred sites):
- toContact splits simplex_name reads: Contact.simplexName from
contacts.simplex_name (existing); LocalProfile.simplexName from
contact_profiles.simplex_name (new column).
- toGroupInfo similarly splits: GroupInfo.simplexName from
groups.simplex_name; groupProfile.simplexName from
group_profiles.simplex_name.
- ProfileRow / rowToLocalProfile, toContactRequest, getUserContactProfiles,
toGroupProfile, getProfileById, groupMemberQuery, getGroupAndMember_,
saveRcvChatItem-related quotes — all extended to read p.simplex_name
and decode it into LocalProfile.simplexName / GroupProfile.simplexName.
Conflict handling (Decision B):
- clearConflictingContactProfileSimplexName_ / *Group* helpers do an
atomic UPDATE-with-RETURNING that NULLs simplex_name on any other
row in the same user that would collide on the partial UNIQUE index,
returning the displaced row's display_name.
- updateContactProfileWithConflict / updateGroupProfileWithConflict
bundle clear+update in one transaction.
- processContactProfileUpdate / xGrpInfo invoke the *WithConflict
variants and emit CEvtSimplexNameConflict when a displacement
happened (with the claiming and displaced display names).
Adds ChatEvent CEvtSimplexNameConflict and SimplexNameConflictEntity
(SNCEContact / SNCEGroup) with JSON instances and View.hs rendering.
Adds nullable simplex_name TEXT column and partial UNIQUE
(user_id, simplex_name) index to both contact_profiles and group_profiles
tables. Distinct from contacts.simplex_name / groups.simplex_name
(M20260603), which carry the user's locally-known label set by the
prepare-via-name path; the new columns will carry the peer's broadcast
claim received via XInfo / XGrpInfo (wired up in following commits).
Drop the asymmetric toContact comment (the mirror is now obvious post-Task-1)
and rewrite the toGroupInfo stopgap comment to reflect the actual semantics:
groups.simplex_name is per-user locally-known, mirrored into groupProfile as a
stopgap until group_profiles.simplex_name lands.
Populate the embedded LocalProfile.simplexName field for the user's own
profile and for peer Contact / GroupInfo from the existing simplex_name
columns on contacts and groups. Previously every DB read set this field
to Nothing (Task 1 placeholder), so downstream consumers that work off
LocalProfile / GroupProfile (e.g., userProfileDirect / userProfileInGroup
that build outgoing XInfo / XGrpInfo via fromLocalProfile) saw Nothing
unconditionally.
Scope is limited to the rows where the simplex_name column actually
exists: contacts (per-user) and groups (per-user). Sites that only read
contact_profiles / group_profiles (toContactRequest, toContactProfile,
toGroupProfile, rowToLocalProfile) remain Nothing; Task 3 adds the
profile-table columns and wires them up.
Adds a Maybe SimplexNameInfo field to the wire-level Profile and
GroupProfile (and their DB sibling LocalProfile). JSON instances are
TH-derived with omitNothingFields = True, so the new optional field is
auto-handled and old peers / old JSON without the key decode as Nothing.
Existing record-construction sites are set to simplexName = Nothing as
a placeholder. Outgoing dissemination (userProfileDirect /
userProfileInGroup) and incoming persistence wire-up land in follow-up
commits. redactedMemberProfile passes the field through, matching how
peerType is preserved.
The comment described "@alice.simplex" as the column's surface form,
but ToField SimplexNameInfo writes the canonical strEncode output
("simplex:/name@alice.simplex"). Aligns the docstring with what the
column actually holds.
The lookup `getContactBySimplexName` (Store/Direct.hs:781) filters
`AND deleted = 0`, but the index predicate `WHERE simplex_name IS NOT
NULL` covered tombstoned rows too. Forward-compat trap: once writers
land a non-Nothing simplex_name, soft-deleting a contact would block
re-claiming its name (UNIQUE conflict) even though the lookup reports
the slot as free.
Tighten the partial-index predicate to also require deleted = 0 so the
constraint scope matches the live-lookup scope. Groups have no soft-
delete column, so their index stays as-is.
Follow-up to f71c579c. The SchemaDump test runs against SQLite only;
the parallel PostgresSchemaDump suite gates on -fclient_postgres and
a running localhost PG instance, which this environment doesn't have.
Updated the Postgres schema dump by hand to mirror the migration
change (two lines: CREATE INDEX → CREATE UNIQUE INDEX).
A simplex name is a stable, per-user identity (one name → one contact
or group). Without a unique constraint, a later writer that populates
the column twice for the same name would silently produce two matching
rows, and getContactBySimplexName/getGroupInfoBySimplexName would
return whichever the planner picks first.
Promote the partial indexes added in M20260603 to UNIQUE before any
caller wires the writes. Predicate (WHERE simplex_name IS NOT NULL)
already scopes the constraint to rows that opted in.
APIConnectPlan/Connect flip from Maybe AConnectionLink to Maybe ConnectTarget.
connectPlan dispatches CTLink -> connectPlanLink (the prior body, renamed)
and CTName -> connectPlanName (new) which looks the name up against
contacts.simplex_name and groups.simplex_name via the new
getContactBySimplexName / getGroupInfoBySimplexName store helpers.
The hit path returns the contact's / group's stored conn link from
preparedContact / preparedGroup; missing prepared state or unknown
names return CEInvalidConnReq. RSLV on-chain resolution is out of
scope for this branch -- known-name lookup is enough for conversation
display, search, and external-link share.
connLinkP_ parser is unchanged: APIConnect's preparedLink_ stays
ACreatedConnLink-shaped, and the Connect / APIConnectPlan parsers
already use inline strP for ConnectTarget without going through the
helper.
Directory.Service call sites updated to wrap their AConnectionLink in
CTLink when invoking APIConnectPlan.
createPreparedContact/createPreparedGroup gain a Maybe SimplexNameInfo
parameter that they write to contacts.simplex_name / groups.simplex_name
directly. createConnection_ writes to connections.simplex_name as a
transient carrier for the connect-via-plan path. The XInfo handler
in Library/Subscriber.hs reads the connection's simplexName and passes
it to createDirectContact so the final contact row captures the name.
All current callers pass Nothing; the actual flow lights up when
APIConnectPlan accepts ConnectTarget and connectPlanName threads the
name through (later commits in this branch).
Uses the upstream ToField SimplexNameInfo (simplexmq 0b334b66) for
writes; reads continue to go via the soft-degradation helper.
Two helpers redundantly maintain the same g.* column list. A future
g.* addition must be applied to both sites; the cross-reference
comments flag this for maintainers. A proper refactor (reusing
groupInfoQueryFields from Connections.hs's inline SELECT) is out of
scope for this branch.
Adds `simplexName :: Maybe SimplexNameInfo` to the three records and
extends every SELECT path that reconstructs them to read the new
column. Decoded via eitherToMaybe . strDecode . encodeUtf8 (the
codebase's established pattern for Maybe Text -> typed-decode fields),
extracted as decodeSimplexName helper since the chain appears in
toContact / toContact' / toGroupInfo / toConnection. INSERT paths
still write Nothing - the write-side wiring lands in the next commit
(Task 7).
Nullable TEXT column on all three tables, with partial indexes on
contacts(user_id, simplex_name) and groups(user_id, simplex_name)
for the upcoming connectPlanName lookup. connections.simplex_name
is the transient carrier from APIConnect -> XInfo handler, where
the value is copied to contacts.simplex_name at delayed create.
No reads or writes yet - column threading lands in subsequent commits.
* plan: web previews for channels
* types for recipient side to support channel web previews and domain names
* fix
* migrations
* update schema and api types
* update schema
* rename migrations
* core: check member role
---------
Co-authored-by: Evgeny @ SimpleX Chat <259188159+evgeny-simplex@users.noreply.github.com>
* core: update simplexmq
* update agent api
* update simplexmq
* core: add flag to User to use client services
* update simplexmq
* cli command to toggle service for a user
* test, fix
* query plans, core/bot api types
* remove local package reference
* increase server queue size in tests
* show client service status in users list
* update query plans
* cli: fix redraw slowness (#6735)
* cli: add pland to fix redraw slowness
* updtae doc
* cli: decouple key reading from processing via TQueue
* schema and bot types
---------
Co-authored-by: sh <37271604+shumvgolove@users.noreply.github.com>
* Revert "core: forward compatible support for owners/admins/moderations deleting channel and public group messages without limitations (#6962)"
This reverts commit 08108ebabb.
* core, ui: allow indefinite deletion from history for public channel/group owners/moderators
* style
Co-authored-by: Evgeny <evgeny@poberezkin.com>
* refactor
* show error on deletion
* better alerts
* test
* plan
* simplify test
* bot api docs
* refactor
* test that removed from history is not delivered to the new subscribers
* fix, refactor
* fix
* rename
* rename predicate in UI
* rename
* do not forward channel deletions from history
* remove redundant check
---------
Co-authored-by: Evgeny @ SimpleX Chat <259188159+evgeny-simplex@users.noreply.github.com>
* docs: simplex-chat-python design and implementation plan
* bots: Python wire types codegen
* simplex-chat-python: package scaffold
* simplex-chat-python: native libsimplex loader
* simplex-chat-python: async FFI wrappers
* simplex-chat-python: ChatApi with 49 api methods
* simplex-chat-python: Bot class with decorators and dispatch
* simplex-chat-python: install CLI, example bot, README
* simplex-chat-python: audit fixes
* bots: regenerate API docs and types
Catches up the markdown, TypeScript and Python codegen outputs with two
upstream schema changes:
- APIConnectPlan.connectionLink became optional (from sh/python-lib audit
fixes); cmdString and EBNF syntax now reflect optional parameter.
- APIAddGroupRelays command and CRGroupRelaysAdded/CRGroupRelaysAddFailed
responses added in #6917 (relay management). The TS and markdown outputs
were regenerated when #6917 landed but the Python types module only got
the new entries with this regeneration.
* core: refresh SQLite query plans after relay_inactive_at migration
The M20260507_relay_inactive_at migration (#6917 / #6952) shifted the
query plans that 'Save query plans' verifies. Regenerated via the test
that owns those snapshots; no behavioral change.
* bots: keep APIConnectPlan connectionLink as required parameter
The prior audit-fixes commit changed the syntax expression to `Optional ...`
because the Haskell field is `connectionLink :: Maybe AConnectionLink`.
That misrepresents the API contract: the `Maybe` is purely an internal
signal for link-parsing failure (the handler returns `CEInvalidConnReq`
on `Nothing`), not API-level optionality. Callers MUST always pass a
connection link.
Revert the syntax expression to `Param "connectionLink"` and add a
comment so the intent is preserved next time someone audits.
Regenerates COMMANDS.md, commands.ts and _commands.py to match.
* core: test support chats in channels, CLI defaults to sending as member in support chat
* ui: enable support chats in channels
* use correct scope when sending from UI
* more readable
* remove test output
* show member support chat in channels
* preference for support chats
* ios: types for support preference
* mp: support preference types
* show support preference in UI
* fix ios
* make support preference optional in JSON parser
* update string
* change strings, pass parameters to prefs
* refactor kotlin
* take support preference into account
* refactor core
* do not show broadcast placeholder in support scope
* move role check, add pref check on update
* support preference test (failing)
* fix version
* fix tests
* warning alert when enabling chats with admins
* revert on dismiss
* update text and icons
* query plans
---------
Co-authored-by: Evgeny @ SimpleX Chat <259188159+evgeny-simplex@users.noreply.github.com>
* directory: support public channels and relay-based groups (plan)
* types
* amend types
* directory types, resolve known link
* implementation, test fails
* fix test
* fix test
* more test
* minimal test
* more test
* debug test
* clean up
* remove debug logs
* refactor
* use group/channel terms correctly
* remove unsupported commands
* manage profile update
* owner left the channel
* more tests, correct response to sent link
* re-registration
* /help and /link commands
* correct listing for channels
* fix test
* fix bot api
* refactor
* do not include link data in GLPKnown
* refactor
* diff
* undo refactor
* simplify
* remove harness test
* remove flip
* add v6.5 app requirement for channels
* add website support
* update bot api types
* correct member count, fix test
* members -> subscribers
* add link to channel description
* fix css
* move version note
---------
Co-authored-by: Evgeny @ SimpleX Chat <259188159+evgeny-simplex@users.noreply.github.com>
* core: share links to channels and verify shared links when connecting
* refactor
* improve
* refactor case
* simplify
* exctract encodeChatBinding
* share api
* corrections
Co-authored-by: Evgeny <evgeny@poberezkin.com>
* tests
* verify signature in the tests
* drop signature if context does not match on reception
* try to test "fake" forward
* fix
* fix direct chat sharing test
* channel test
* sign link
* rename api
* refactor view
* chal link item CLI view, tests
* clean up
* share channel in channel as channel
* query plan
* fix test
* refactor
* whitespace
* simpler
* refactor
* dont use partial field update
---------
Co-authored-by: Evgeny @ SimpleX Chat <259188159+evgeny-simplex@users.noreply.github.com>
* core: fix opening chats on new unread items (after sent or viewed items)
* fix test
* sqlite schema and query plan change
* fix postgresql, update schema
* stabilize tests
---------
Co-authored-by: Evgeny @ SimpleX Chat <259188159+evgeny-simplex@users.noreply.github.com>