Chat errors emitted via the Haskell `eToView` path (e.g. agent errors
on stale connections after a peer deletes a chat) were caught by the
broad `except Exception` arm in the bot receive loop, producing an
ERROR log with a full traceback for routine soft errors. Match the
desktop client policy (SimpleXAPI.kt:3332-3340): catch ChatAPIError
separately, escalate CRITICAL agent errors to ERROR, log the rest at
DEBUG.
* docs: simplex-chat-python design and implementation plan
* bots: Python wire types codegen
* simplex-chat-python: package scaffold
* simplex-chat-python: native libsimplex loader
* simplex-chat-python: async FFI wrappers
* simplex-chat-python: ChatApi with 49 api methods
* simplex-chat-python: Bot class with decorators and dispatch
* simplex-chat-python: install CLI, example bot, README
* simplex-chat-python: audit fixes
* bots: regenerate API docs and types
Catches up the markdown, TypeScript and Python codegen outputs with two
upstream schema changes:
- APIConnectPlan.connectionLink became optional (from sh/python-lib audit
fixes); cmdString and EBNF syntax now reflect optional parameter.
- APIAddGroupRelays command and CRGroupRelaysAdded/CRGroupRelaysAddFailed
responses added in #6917 (relay management). The TS and markdown outputs
were regenerated when #6917 landed but the Python types module only got
the new entries with this regeneration.
* core: refresh SQLite query plans after relay_inactive_at migration
The M20260507_relay_inactive_at migration (#6917 / #6952) shifted the
query plans that 'Save query plans' verifies. Regenerated via the test
that owns those snapshots; no behavioral change.
* bots: keep APIConnectPlan connectionLink as required parameter
The prior audit-fixes commit changed the syntax expression to `Optional ...`
because the Haskell field is `connectionLink :: Maybe AConnectionLink`.
That misrepresents the API contract: the `Maybe` is purely an internal
signal for link-parsing failure (the handler returns `CEInvalidConnReq`
on `Nothing`), not API-level optionality. Callers MUST always pass a
connection link.
Revert the syntax expression to `Param "connectionLink"` and add a
comment so the intent is preserved next time someone audits.
Regenerates COMMANDS.md, commands.ts and _commands.py to match.
* desktop: pick a free port for the call server if 50395 is in use
startServer() bound a hard-coded port (50395); when it was already in use,
NanoWSD threw "BindException: Address already in use: bind" and the call
failed. It now falls back to an OS-assigned free port, and WebRTCController
opens the browser at the actually-bound port (server.listeningPort) -- still
50395 in the normal case, so browser camera/mic permission stays put.
* plans: justify call server port-bind fix
* core: keep whitelisted query parameters when removing link tracking
In safe mode, "remove link tracking" stripped any query parameter whose
name started with a known tracking prefix in qsSafeBlacklist, ignoring
qsWhitelist. So "list" (e.g. YouTube playlist links) was dropped because
"li" (LinkedIn) is a prefix of it, and github's "ref" was dropped too.
Make the safe-mode filter consult the whitelist, like the other branches.
* docs: plan for keeping whitelisted query parameters when removing link tracking
Design doc for the safe-mode sanitizeUri change (PR #6965): why "?list=" was
stripped from YouTube links, the root cause (safe mode ignoring qsWhitelist),
the fix, what it does/doesn't change, and alternatives considered.
ciBotCommand's regex was unanchored, so a customer message like
"follow/read blog posts?" parsed as a /read command and the Grok
handler silently dropped the message. Anchor the regex with ^ so a
command requires `/` at the start of the (trimmed) message.
In the support bot, filter customer command parsing by the registered
keyword set: any unknown `/word` from a customer (e.g. /help) is now
routed as plain text instead of being silently dropped by Grok. This
also makes /grok when Grok is disabled behave consistently as text,
removing the previous ad-hoc workaround.
* plan: delete channel messages
* core: allow deletion of own messages in public groups in channels to moderators-owners
---------
Co-authored-by: Evgeny @ SimpleX Chat <259188159+evgeny-simplex@users.noreply.github.com>
* support bot: take Grok initial context as messages array
Generalizes GrokApiClient to take a list of seed messages instead of a
single system prompt. Behavior is unchanged.
* support bot: accept YAML transcript in --context-file
Plain text → single system message (existing behavior).
`.yaml`/`.yml` → parsed as harness transcript; only system and
assistant turns are included.
* desktop: keep text selection on the originally selected message when a new message arrives or is sent
Selection stored positional indices into the merged-items list. When a new
message was appended, the reversed list shifted every index by one — but the
stored start/end indices did not — so the highlight slid onto neighboring
messages.
Anchor the selection to ChatItem IDs instead of list positions. Offsets are
already content-relative (character cursors in rendered text), so they stay
valid across list mutations. Positional indices are derived on read via
derivedStateOf, which keeps per-item reads O(1) amortized. If either
anchored item is removed from the list, a SideEffect synchronously clears
the selection so the copy button does not flash at a stale location.
* desktop: minimize selection fix — anchor ids in SelectionRange
Replaces the previous derivedStateOf-based approach with a surgical
diff: SelectionRange carries startItemId/endItemId alongside the
existing positional indices, and a SideEffect calls resyncIndices()
to translate ids back to current positions when the items list mutates.
All existing call sites of range.startIndex / range.endIndex remain
unchanged. Net diff vs master is +19/-2.
* plans: justify desktop text selection id-anchored fix
* android, desktop: open correct image in fullscreen viewer
Fullscreen image viewer occasionally opened a different image than
the one clicked. Root cause: when the LaunchedEffect probe at
ImageFullScreenView.kt:48-55 calls getMedia(initialIndex - 1) to check
whether a previous media item exists, getMedia returns null for both
"no item" and "item found but failed to load" (e.g. undecodable bytes,
missing file, crypto error). The probe treated null as "no previous
item" and called scrollToStart(), which rewrote initialChatId to the
chat's oldest media item - making the viewer display that oldest item
instead of the clicked one.
Fix: scrollToStart() no longer rewrites initialChatId. The pager is
still repositioned to page 0; getMedia(0) resolves against the
already-set initialChatId (the clicked item) and renders it correctly.
* android, desktop: regression test for fullscreen viewer anchor preservation
Drives the public providerForGallery interface: moves the anchor away from
cItemId via currentPageChanged, calls scrollToStart, then reads the anchor
back through onDismiss's scrollTo callback. The pre-fix code rewrote
initialChatId to the chat's oldest showable, which would surface as
scrollTo(2); the fix preserves the anchor and produces scrollTo(1).
* plan: design doc for fullscreen viewer wrong-image fix
Documents the pager state model, the root cause of the wrong-image bug,
why the one-line deletion in scrollToStart fixes it for both call sites,
and why the wider getMedia null-overload refactor is deliberately out of
scope for this fix.
* desktop: fix copying selected text in reports
Text selection in report items rendered a red reason prefix (e.g. "Spam: ")
before the user's comment but dropped the prefix when copying, because
selection offsets are in rendered-text space while copy extraction was
operating on ci.text / ci.formattedText directly.
Introduce itemPrefixText(ci) as the single source of truth for the rendered
prefix, and drive both selection copy and snap-to-segment from a unified
itemDisplaySegments list that prepends the prefix as a leading segment.
This also fixes mention/link snapping on the selection boundary inside
report comments.
* desktop: scope report-selection fix to report items
Inline a prefix preamble + offset shift in selectedItemCopiedText and
snapOffset instead of routing every item through itemDisplaySegments.
Non-report items now run the original pre-PR loop unchanged; reports
emit the selected slice of the rendered prefix and shift body offsets
by prefix.length.
* desktop: simplify report selection arithmetic
Selection offsets are in display-text space, which already includes the
leading itemPrefixText for reports. Treat the prefix as the leading
display segment and seed displayOffset with prefix.length, instead of
shifting body offsets by prefix.length in the inner loop and gating
snapOffset on offset <= prefix.length.
The inner loop body of selectedItemCopiedText becomes identical to
pre-PR for non-reports (prefix is "" so displayOffset starts at 0),
and snapOffset reduces to a one-line seed change. Same fix, smaller
diff, fewer intermediate variables.
* desktop: drop helper, inline report-prefix in selection only
Revert itemPrefixText helper extraction (TextItemView.kt and
FramedItemView.kt back to pre-PR). Inline the report-prefix expression
at its two use sites in TextSelection.kt directly.
PR diff is now confined to TextSelection.kt: +13/-6.
* desktop: extract itemPrefixText, drop dead defensive code
Re-introduce itemPrefixText(ci) helper in TextItemView.kt and migrate all
four sites that compute the report prefix (FramedItemView,
ChatPreviewView, TextSelection x2). The prefix expression now has one
definition and one place to change.
Also drop the unreachable sel.first.coerceAtLeast(0) on the prefix-slice
append — selectedRange guarantees sel.first >= 0.
* plans: justify desktop fix for copying selected text in reports
Add 2026-05-08-fix-select-in-reports.md covering the problem, the offset
flow, the minimal structural change (seed displayOffset with prefix.length),
the itemPrefixText single-source-of-truth migration across the four
prefix sites, the verified edge-case table, and the rollback path.
* desktop: fix RTL text rendering under the send button (#4137)
The chat composer's text field reserved 50dp on the wrong horizontal side
when an RTL message was typed under an LTR system locale: BiDi auto-detection
right-aligned the text onto the BottomEnd edge where the send button sits,
hiding the first characters as they were typed.
The padding was originally written inside the CompositionLocalProvider(
LocalLayoutDirection provides Rtl) scope (#4675), where start resolved to
the right edge for RTL paragraphs. The "edge to edge design" refactor
(#5051) lifted the modifier out of that scope onto the outer BasicTextField,
so start began resolving against the global LTR direction and the
reservation drifted to the left.
Always reserve on the global end - the same side Alignment.BottomEnd in
SendMsgView resolves to - so the reservation tracks the send button
regardless of locale or typed-text direction. Behavior is byte-identical
for LTR text and for any RTL-locale combination; only the buggy
"RTL text + LTR system locale" pair changes.
* desktop: minimise diff of RTL fix to 2 lines (#4137)
The previous commit (bfc111cc6) renamed/removed several helper locals
and rewrote the comment block alongside the behaviour change. The
behaviour-changing part is just two lines: making startPadding always
0.dp and endPadding equal to startEndPadding.
Restore the surrounding code (startEndPadding name, startPadding decl,
PaddingValues argument, .padding modifier, and the original two-line
comment) to its master form so the PR's only effect on master is the
two-line fix.
Behaviour: cases 1, 3, 4 of the locale x text matrix are byte-identical
to master. Only case 2 (LTR locale + RTL text) flips the reservation
from the wrong side to the correct side.
* plans: desktop RTL composer fix (#4137)
* plans: align with surgical 2-line fix in PR (#4137)
* bots: document APIGetChats command and CRApiChats response
* bots: regenerate API docs and TypeScript types
* simplex-chat-nodejs: add apiGetChats
* support bot: avoid OOM on large databases
apiListGroups / apiListContacts return every record in one response and
overflow V8's string allocation on large DBs. Replace list-then-find-by-id
patterns with apiGetChat(type, id, 0) lookups, and the one genuine scan
(refreshAllCards) with paginated apiGetChats, count=1000.
* support bot: update test assertions to match current message text
* bots: simplify PaginationByTime, expose only PTLast
* simplex-chat-nodejs: bump types and nodejs versions
* ui: fix crash and logo cutoff on About SimpleX Chat
OnboardingShrinkingLayout calls .first() on each slot's measurables,
crashing when the button slot is empty. About passes onboardingStage =
null, in which case the button slot emits no children. Have the About
branch emit a 0x0 Spacer so the slot always has one measurable.
Also add a top inset for the SimpleX logo when reached from About in
non-oneHandUI mode — without it the top app bar overlaps the logo.
* style
Co-authored-by: Evgeny <evgeny@poberezkin.com>
* Apply suggestion from @epoberezkin
Co-authored-by: Evgeny <evgeny@poberezkin.com>
---------
Co-authored-by: Evgeny <evgeny@poberezkin.com>
* android: fix link preview fetch via SOCKS
* fix: add timeouts to link preview image fetch
Match the 10s timeout already on the Jsoup HTML fetch. Without these,
a slow or dead SOCKS proxy hangs the image fetch indefinitely, holding
the previewMutex and blocking every subsequent preview.
* timeout
---------
Co-authored-by: Evgeny @ SimpleX Chat <259188159+evgeny-simplex@users.noreply.github.com>
Co-authored-by: shum <github.shum@liber.li>
sh