Commit Graph

411 Commits

Author SHA1 Message Date
shum ebe90f7169 chat: APIVerifySimplexName command + CEvtSimplexNameUnverified warning
Addresses the TOFU vulnerability where peer-claimed simplex_name was
accepted unverified. Adds:

- contacts.simplex_name_verified_at + groups.simplex_name_verified_at
  (M20260606_simplex_name_verified)
- APIVerifySimplexName ChatRef command: RSLV-resolves the claimed name
  and compares the resolved link to the peer's stored connection link;
  on match writes verified_at and emits CEvtSimplexNameVerified;
  on mismatch emits CEvtSimplexNameVerifyFailed
- CEvtSimplexNameUnverified passive warning emitted on incoming XInfo /
  XGrpInfo when a name claim arrives without a current verification
- updateContactProfileWithConflict / updateGroupProfileWithConflict
  clear simplex_name_verified_at whenever the peer's claim transitions
  (any value change including Nothing<->Just): the prior verification
  was bound to the prior claim.

UI can surface the unverified indicator next to a contact / group's
name, and prompt the user to invoke the verify command. This shifts
the security model from "TOFU + last-writer-wins" to "TOFU + on-demand
RSLV verification".
2026-06-06 08:33:25 +00:00
shum b1d18100f4 chat: document connections.simplex_name as transient carrier
Audit flagged the column as "INSERTed but never UPDATEd". This is by
design per the prior plan's connect-via-plan flow: the column is a
transient carrier between connection-creation and contact-creation.
After the Contact row is created via XInfo handling, contacts.simplex_name
is the source of truth and the connections value is a historical snapshot.
Documents the intent so future readers don't reflag it.
2026-06-05 16:40:20 +00:00
shum c1235c01bb chat: document why groups simplex_name index has no soft-delete filter
The contacts simplex_name index filters on (deleted = 0); the groups
index has no analogous filter because the groups table has no `deleted`
column. Groups are hard-deleted by deleteGroup, so the asymmetry is
intentional. The remaining "removed member, row retained" edge case is
flagged in the lookup comment for follow-up.
2026-06-05 10:34:19 +00:00
shum 6c990696ca chat: regen query plans after simplex_name plumbing 2026-06-04 23:05:18 +00:00
shum 27489f8919 chat: fix review findings on simplex_name persistence
- updateUserProfile no longer writes contact_profiles.simplex_name on
  the user's own row (the column is reserved for peer claims; the user's
  broadcastable name lives on contacts.simplex_name via uct.simplex_name).
- updateMemberContactProfile_'/Reset_' now write simplex_name; new
  updateMemberProfileWithConflict / updateContactMemberProfileWithConflict
  variants run conflict-clear and return the displaced name, with
  processMemberProfileUpdate emitting CEvtSimplexNameConflict.
- createContact_ runs conflict-clear before INSERT to avoid UNIQUE
  constraint violations on first-write peer collisions, returning the
  displaced name; createPreparedContact / createDirectContact thread it
  through to APIPrepareContact and saveConnInfo XInfo for event emission.
- groups conflict-clear takes ProfileId directly (avoids the NOT IN (NULL)
  silent-noop edge case when groups.group_profile_id is ON DELETE SET NULL).
- Moves clearConflictingContactProfileSimplexName_ to Shared.hs so
  createContact_ can call it without inducing a circular import.
2026-06-04 17:52:51 +00:00
shum cd0de96599 chat: persist peer-claimed simplexName from incoming profiles
Write paths:
- updateContactProfile_' / updateGroupProfile_ now set the new
  contact_profiles.simplex_name / group_profiles.simplex_name columns
  from Profile.simplexName / GroupProfile.simplexName respectively.
- createContact_ INSERT writes Profile.simplexName to the new
  contact_profiles column (separate from the existing simplexName arg,
  which still writes contacts.simplex_name — the user's locally-known
  label).

Read paths (closing Task 2's deferred sites):
- toContact splits simplex_name reads: Contact.simplexName from
  contacts.simplex_name (existing); LocalProfile.simplexName from
  contact_profiles.simplex_name (new column).
- toGroupInfo similarly splits: GroupInfo.simplexName from
  groups.simplex_name; groupProfile.simplexName from
  group_profiles.simplex_name.
- ProfileRow / rowToLocalProfile, toContactRequest, getUserContactProfiles,
  toGroupProfile, getProfileById, groupMemberQuery, getGroupAndMember_,
  saveRcvChatItem-related quotes — all extended to read p.simplex_name
  and decode it into LocalProfile.simplexName / GroupProfile.simplexName.

Conflict handling (Decision B):
- clearConflictingContactProfileSimplexName_ / *Group* helpers do an
  atomic UPDATE-with-RETURNING that NULLs simplex_name on any other
  row in the same user that would collide on the partial UNIQUE index,
  returning the displaced row's display_name.
- updateContactProfileWithConflict / updateGroupProfileWithConflict
  bundle clear+update in one transaction.
- processContactProfileUpdate / xGrpInfo invoke the *WithConflict
  variants and emit CEvtSimplexNameConflict when a displacement
  happened (with the claiming and displaced display names).

Adds ChatEvent CEvtSimplexNameConflict and SimplexNameConflictEntity
(SNCEContact / SNCEGroup) with JSON instances and View.hs rendering.
2026-06-04 17:16:07 +00:00
shum 42ab37a8ea chat: add simplex_name to contact_profiles and group_profiles
Adds nullable simplex_name TEXT column and partial UNIQUE
(user_id, simplex_name) index to both contact_profiles and group_profiles
tables. Distinct from contacts.simplex_name / groups.simplex_name
(M20260603), which carry the user's locally-known label set by the
prepare-via-name path; the new columns will carry the peer's broadcast
claim received via XInfo / XGrpInfo (wired up in following commits).
2026-06-04 16:55:07 +00:00
shum d083feaeb2 chat: clarify groups.simplex_name stopgap comment
Drop the asymmetric toContact comment (the mirror is now obvious post-Task-1)
and rewrite the toGroupInfo stopgap comment to reflect the actual semantics:
groups.simplex_name is per-user locally-known, mirrored into groupProfile as a
stopgap until group_profiles.simplex_name lands.
2026-06-04 16:19:21 +00:00
shum 167dbde559 chat: load LocalProfile.simplexName from simplex_name column
Populate the embedded LocalProfile.simplexName field for the user's own
profile and for peer Contact / GroupInfo from the existing simplex_name
columns on contacts and groups. Previously every DB read set this field
to Nothing (Task 1 placeholder), so downstream consumers that work off
LocalProfile / GroupProfile (e.g., userProfileDirect / userProfileInGroup
that build outgoing XInfo / XGrpInfo via fromLocalProfile) saw Nothing
unconditionally.

Scope is limited to the rows where the simplex_name column actually
exists: contacts (per-user) and groups (per-user). Sites that only read
contact_profiles / group_profiles (toContactRequest, toContactProfile,
toGroupProfile, rowToLocalProfile) remain Nothing; Task 3 adds the
profile-table columns and wires them up.
2026-06-04 16:06:54 +00:00
shum 212c9d43fb chat: simplexName field on Profile, GroupProfile, LocalProfile
Adds a Maybe SimplexNameInfo field to the wire-level Profile and
GroupProfile (and their DB sibling LocalProfile). JSON instances are
TH-derived with omitNothingFields = True, so the new optional field is
auto-handled and old peers / old JSON without the key decode as Nothing.

Existing record-construction sites are set to simplexName = Nothing as
a placeholder. Outgoing dissemination (userProfileDirect /
userProfileInGroup) and incoming persistence wire-up land in follow-up
commits. redactedMemberProfile passes the field through, matching how
peerType is preserved.
2026-06-04 15:45:42 +00:00
shum 67ae555d88 chat: fix misleading decodeSimplexName docstring
The comment described "@alice.simplex" as the column's surface form,
but ToField SimplexNameInfo writes the canonical strEncode output
("simplex:/name@alice.simplex"). Aligns the docstring with what the
column actually holds.
2026-06-04 06:07:21 +00:00
shum 98fb416165 chat: exclude soft-deleted contacts from idx_contacts_simplex_name
The lookup `getContactBySimplexName` (Store/Direct.hs:781) filters
`AND deleted = 0`, but the index predicate `WHERE simplex_name IS NOT
NULL` covered tombstoned rows too. Forward-compat trap: once writers
land a non-Nothing simplex_name, soft-deleting a contact would block
re-claiming its name (UNIQUE conflict) even though the lookup reports
the slot as free.

Tighten the partial-index predicate to also require deleted = 0 so the
constraint scope matches the live-lookup scope. Groups have no soft-
delete column, so their index stays as-is.
2026-06-03 19:35:19 +00:00
shum 53f1c9b37e chat: regen Postgres schema dump for UNIQUE simplex_name indexes
Follow-up to f71c579c. The SchemaDump test runs against SQLite only;
the parallel PostgresSchemaDump suite gates on -fclient_postgres and
a running localhost PG instance, which this environment doesn't have.
Updated the Postgres schema dump by hand to mirror the migration
change (two lines: CREATE INDEX → CREATE UNIQUE INDEX).
2026-06-03 19:14:20 +00:00
shum f71c579cf6 chat: simplex_name partial indexes are UNIQUE
A simplex name is a stable, per-user identity (one name → one contact
or group). Without a unique constraint, a later writer that populates
the column twice for the same name would silently produce two matching
rows, and getContactBySimplexName/getGroupInfoBySimplexName would
return whichever the planner picks first.

Promote the partial indexes added in M20260603 to UNIQUE before any
caller wires the writes. Predicate (WHERE simplex_name IS NOT NULL)
already scopes the constraint to rows that opted in.
2026-06-03 19:14:00 +00:00
shum f2394d121f chat: APIConnectPlan accepts ConnectTarget; connectPlanName looks up by name
APIConnectPlan/Connect flip from Maybe AConnectionLink to Maybe ConnectTarget.
connectPlan dispatches CTLink -> connectPlanLink (the prior body, renamed)
and CTName -> connectPlanName (new) which looks the name up against
contacts.simplex_name and groups.simplex_name via the new
getContactBySimplexName / getGroupInfoBySimplexName store helpers.

The hit path returns the contact's / group's stored conn link from
preparedContact / preparedGroup; missing prepared state or unknown
names return CEInvalidConnReq. RSLV on-chain resolution is out of
scope for this branch -- known-name lookup is enough for conversation
display, search, and external-link share.

connLinkP_ parser is unchanged: APIConnect's preparedLink_ stays
ACreatedConnLink-shaped, and the Connect / APIConnectPlan parsers
already use inline strP for ConnectTarget without going through the
helper.

Directory.Service call sites updated to wrap their AConnectionLink in
CTLink when invoking APIConnectPlan.
2026-06-03 18:26:35 +00:00
shum fb72ff6b1a chat: persist simplexName on prepare and connect-via-plan write paths
createPreparedContact/createPreparedGroup gain a Maybe SimplexNameInfo
parameter that they write to contacts.simplex_name / groups.simplex_name
directly. createConnection_ writes to connections.simplex_name as a
transient carrier for the connect-via-plan path. The XInfo handler
in Library/Subscriber.hs reads the connection's simplexName and passes
it to createDirectContact so the final contact row captures the name.

All current callers pass Nothing; the actual flow lights up when
APIConnectPlan accepts ConnectTarget and connectPlanName threads the
name through (later commits in this branch).

Uses the upstream ToField SimplexNameInfo (simplexmq 0b334b66) for
writes; reads continue to go via the soft-degradation helper.
2026-06-03 18:26:35 +00:00
shum 75671201d3 chat: cross-reference groupInfoQueryFields and getGroupAndMember_
Two helpers redundantly maintain the same g.* column list. A future
g.* addition must be applied to both sites; the cross-reference
comments flag this for maintainers. A proper refactor (reusing
groupInfoQueryFields from Connections.hs's inline SELECT) is out of
scope for this branch.
2026-06-03 18:26:25 +00:00
shum e4a1acd4c9 chat: thread simplexName through Contact/GroupInfo/Connection records
Adds `simplexName :: Maybe SimplexNameInfo` to the three records and
extends every SELECT path that reconstructs them to read the new
column. Decoded via eitherToMaybe . strDecode . encodeUtf8 (the
codebase's established pattern for Maybe Text -> typed-decode fields),
extracted as decodeSimplexName helper since the chain appears in
toContact / toContact' / toGroupInfo / toConnection. INSERT paths
still write Nothing - the write-side wiring lands in the next commit
(Task 7).
2026-06-03 15:58:50 +00:00
shum 5e15e6eac8 chat: migration adds simplex_name to contacts, groups, connections
Nullable TEXT column on all three tables, with partial indexes on
contacts(user_id, simplex_name) and groups(user_id, simplex_name)
for the upcoming connectPlanName lookup. connections.simplex_name
is the transient carrier from APIConnect -> XInfo handler, where
the value is copied to contacts.simplex_name at delayed create.
No reads or writes yet - column threading lands in subsequent commits.
2026-06-03 15:04:56 +00:00
Evgeny Poberezkin d657bcbba5 Merge branch 'stable' 2026-06-01 21:41:26 +01:00
Evgeny 83f4f6cd38 core: rename field in protocol (#7038)
* core: rename field in protocol

* update bot apis

---------

Co-authored-by: Evgeny @ SimpleX Chat <259188159+evgeny-simplex@users.noreply.github.com>
2026-06-01 21:33:35 +01:00
Evgeny Poberezkin 60e75aa398 Merge branch 'stable' 2026-05-31 17:33:52 +01:00
Evgeny 9bb2bec3fa plan: web previews for channels (#7022)
* plan: web previews for channels

* types for recipient side to support channel web previews and domain names

* fix

* migrations

* update schema and api types

* update schema

* rename migrations

* core: check member role

---------

Co-authored-by: Evgeny @ SimpleX Chat <259188159+evgeny-simplex@users.noreply.github.com>
2026-05-31 17:12:12 +01:00
Evgeny 16982b6111 core: rename migrations (#7028) 2026-05-30 17:16:56 +01:00
Evgeny 68abd805d4 rfc: namespace (#7001)
* rfc: namespace

* update rfc

* markdown for names

* record type, app "upgrade" alerts

* update api types

* rfc: change namespace syntax - now it is the usual namespace

* update bot types

* move types to simplexmq

* core: refactore markdown

* update simplexmq

* better names

* new names

* update nix content hashes

* fix

* change valid name function

* update simplexq, update valid name conditions

* fixes

Co-authored-by: simplex-chat-agent[bot] <287173099+simplex-chat-agent[bot]@users.noreply.github.com>

* update simplexmq

* fix localization

* simpler

* refactor

* refactor

* fix

---------

Co-authored-by: Evgeny @ SimpleX Chat <259188159+evgeny-simplex@users.noreply.github.com>
Co-authored-by: simplex-chat-agent[bot] <287173099+simplex-chat-agent[bot]@users.noreply.github.com>
2026-05-28 08:44:43 +01:00
spaced4ndy 037c05cd29 core: fix races on member removal / delivery of their messages (#7010) 2026-05-26 09:07:26 +00:00
spaced4ndy c017c25d0f core, ui: member full delete with messages (#6994) 2026-05-25 10:43:36 +00:00
Evgeny fe6b5186e1 core: update simplexmq (receiving services) (#6212)
* core: update simplexmq

* update agent api

* update simplexmq

* core: add flag to User to use client services

* update simplexmq

* cli command to toggle service for a user

* test, fix

* query plans, core/bot api types

* remove local package reference

* increase server queue size in tests

* show client service status in users list

* update query plans

* cli: fix redraw slowness (#6735)

* cli: add pland to fix redraw slowness

* updtae doc

* cli: decouple key reading from processing via TQueue

* schema and bot types

---------

Co-authored-by: sh <37271604+shumvgolove@users.noreply.github.com>
2026-05-25 10:37:13 +01:00
spaced4ndy 2b48b55190 core: deliver member profiles via relay (#6953) 2026-05-22 20:52:01 +00:00
spaced4ndy 92e9640e4f core, ui: relay reject rejoin (#6978) 2026-05-18 09:06:25 +00:00
Evgeny 7497b90e7c core, ui: allow indefinite deletion from history for public channel/group owners/moderators (#6972)
* Revert "core: forward compatible support for owners/admins/moderations deleting channel and public group messages without limitations (#6962)"

This reverts commit 08108ebabb.

* core, ui: allow indefinite deletion from history for public channel/group owners/moderators

* style

Co-authored-by: Evgeny <evgeny@poberezkin.com>

* refactor

* show error on deletion

* better alerts

* test

* plan

* simplify test

* bot api docs

* refactor

* test that removed from history is not delivered to the new subscribers

* fix, refactor

* fix

* rename

* rename predicate in UI

* rename

* do not forward channel deletions from history

* remove redundant check

---------

Co-authored-by: Evgeny @ SimpleX Chat <259188159+evgeny-simplex@users.noreply.github.com>
2026-05-13 15:24:52 +01:00
spaced4ndy 24859e1281 core: announce added relay (#6956) 2026-05-12 12:36:23 +00:00
sh e63c403623 simplex-chat-python: add python library (#6954)
* docs: simplex-chat-python design and implementation plan

* bots: Python wire types codegen

* simplex-chat-python: package scaffold

* simplex-chat-python: native libsimplex loader

* simplex-chat-python: async FFI wrappers

* simplex-chat-python: ChatApi with 49 api methods

* simplex-chat-python: Bot class with decorators and dispatch

* simplex-chat-python: install CLI, example bot, README

* simplex-chat-python: audit fixes

* bots: regenerate API docs and types

Catches up the markdown, TypeScript and Python codegen outputs with two
upstream schema changes:

- APIConnectPlan.connectionLink became optional (from sh/python-lib audit
  fixes); cmdString and EBNF syntax now reflect optional parameter.
- APIAddGroupRelays command and CRGroupRelaysAdded/CRGroupRelaysAddFailed
  responses added in #6917 (relay management). The TS and markdown outputs
  were regenerated when #6917 landed but the Python types module only got
  the new entries with this regeneration.

* core: refresh SQLite query plans after relay_inactive_at migration

The M20260507_relay_inactive_at migration (#6917 / #6952) shifted the
query plans that 'Save query plans' verifies. Regenerated via the test
that owns those snapshots; no behavioral change.

* bots: keep APIConnectPlan connectionLink as required parameter

The prior audit-fixes commit changed the syntax expression to `Optional ...`
because the Haskell field is `connectionLink :: Maybe AConnectionLink`.
That misrepresents the API contract: the `Maybe` is purely an internal
signal for link-parsing failure (the handler returns `CEInvalidConnReq`
on `Nothing`), not API-level optionality. Callers MUST always pass a
connection link.

Revert the syntax expression to `Param "connectionLink"` and add a
comment so the intent is preserved next time someone audits.

Regenerates COMMANDS.md, commands.ts and _commands.py to match.
2026-05-12 12:32:01 +01:00
spaced4ndy 6f8a07e4ea core, ui: relay management - add, remove relays, synchronization to relay list (#6917) 2026-05-08 07:19:16 +00:00
Evgeny Poberezkin 60f4a4d60b core: fix migration 2026-05-02 17:59:03 +01:00
spaced4ndy 8f66a0cc98 core: fix relay request worker retry limit (#6931)
* core: fix relay request worker retry limit

* update plan

* update plan

* update plan

* wip

* schema

* wip

* wip

* schema

* update

* remove comment

* rework

* schema

* update

* schema

* update

* plans

* corrections

* add 1 second

* remove + 1

* add +1 to schedule

* changes

* updated schemas

---------

Co-authored-by: Evgeny @ SimpleX Chat <259188159+evgeny-simplex@users.noreply.github.com>
Co-authored-by: Evgeny Poberezkin <evgeny@poberezkin.com>
2026-05-02 11:31:03 +01:00
Evgeny 63c278818e core: support chats in channels, send as owner in support chats (#6870)
* core: test support chats in channels, CLI defaults to sending as member in support chat

* ui: enable support chats in channels

* use correct scope when sending from UI

* more readable

* remove test output

* show member support chat in channels

* preference for support chats

* ios: types for support preference

* mp: support preference types

* show support preference in UI

* fix ios

* make support preference optional in JSON parser

* update string

* change strings, pass parameters to prefs

* refactor kotlin

* take support preference into account

* refactor core

* do not show broadcast placeholder in support scope

* move role check, add pref check on update

* support preference test (failing)

* fix version

* fix tests

* warning alert when enabling chats with admins

* revert on dismiss

* update text and icons

* query plans

---------

Co-authored-by: Evgeny @ SimpleX Chat <259188159+evgeny-simplex@users.noreply.github.com>
2026-04-26 14:37:16 +01:00
Evgeny f3547878cc directory: support public channels and relay-based groups (#6840)
* directory: support public channels and relay-based groups (plan)

* types

* amend types

* directory types, resolve known link

* implementation, test fails

* fix test

* fix test

* more test

* minimal test

* more test

* debug test

* clean up

* remove debug logs

* refactor

* use group/channel terms correctly

* remove unsupported commands

* manage profile update

* owner left the channel

* more tests, correct response to sent link

* re-registration

* /help and /link commands

* correct listing for channels

* fix test

* fix bot api

* refactor

* do not include link data in GLPKnown

* refactor

* diff

* undo refactor

* simplify

* remove harness test

* remove flip

* add v6.5 app requirement for channels

* add website support

* update bot api types

* correct member count, fix test

* members -> subscribers

* add link to channel description

* fix css

* move version note

---------

Co-authored-by: Evgeny @ SimpleX Chat <259188159+evgeny-simplex@users.noreply.github.com>
2026-04-23 13:30:26 +01:00
spaced4ndy e8d16349ae core: fix changing profile of prepared chats losing chat items (#6843) 2026-04-20 13:28:01 +00:00
spaced4ndy 2eb25d124f core, ui: better error on failed channel creation (#6825) 2026-04-20 08:17:42 +00:00
Evgeny 30ae0d864c core: share links to channels and verify shared links when connecting (#6810)
* core: share links to channels and verify shared links when connecting

* refactor

* improve

* refactor case

* simplify

* exctract encodeChatBinding

* share api

* corrections

Co-authored-by: Evgeny <evgeny@poberezkin.com>

* tests

* verify signature in the tests

* drop signature if context does not match on reception

* try to test "fake" forward

* fix

* fix direct chat sharing test

* channel test

* sign link

* rename api

* refactor view

* chal link item CLI view, tests

* clean up

* share channel in channel as channel

* query plan

* fix test

* refactor

* whitespace

* simpler

* refactor

* dont use partial field update

---------

Co-authored-by: Evgeny @ SimpleX Chat <259188159+evgeny-simplex@users.noreply.github.com>
2026-04-16 23:48:19 +01:00
spaced4ndy ac6f8b76ac core: flatten MsgContainer type to match wire JSON format (#6808)
* core: refactor MsgContainer

* comment

* simplify

* refactor

* corrections

* update

* clean up

---------

Co-authored-by: Evgeny Poberezkin <evgeny@poberezkin.com>
2026-04-15 20:28:31 +01:00
Evgeny 714156c766 core: fix opening chats on new unread items (after sent or viewed items) (#6747)
* core: fix opening chats on new unread items (after sent or viewed items)

* fix test

* sqlite schema and query plan change

* fix postgresql, update schema

* stabilize tests

---------

Co-authored-by: Evgeny @ SimpleX Chat <259188159+evgeny-simplex@users.noreply.github.com>
2026-04-04 16:03:36 +01:00
spaced4ndy fb9187ca03 core: update query plans 2026-04-03 17:12:24 +04:00
Evgeny 8167f7c2ab core: add fields to chat relay profiles; remove unique name requirement; update relay profile in relay address link data (#6743)
* core: add fields to chat relay profiles

* wip

* wip

* fix

* fix

* fix

* enable tests

* schema

* api

---------

Co-authored-by: Evgeny @ SimpleX Chat <259188159+evgeny-simplex@users.noreply.github.com>
Co-authored-by: spaced4ndy <8711996+spaced4ndy@users.noreply.github.com>
2026-04-03 12:42:43 +00:00
spaced4ndy b51c581c19 core: fix postgres channels/relays queries (#6742) 2026-04-03 09:24:14 +00:00
spaced4ndy a14a66db14 core, ui: chat relay test (#6736) 2026-04-02 15:36:36 +00:00
spaced4ndy 42fe94752c core, ui: public group profile wip (#6734) 2026-04-01 14:17:27 +00:00
spaced4ndy 929783eb6c core: relay key and member id as immutable relay link data (#6713) 2026-03-30 10:48:39 +00:00
spaced4ndy c33c343ccd Merge branch 'master' into chat-relays 2026-03-30 12:33:20 +04:00