@agentunion/fastaun-browser 0.3.0 → 0.3.2

package/dist/bundle.js

@@ -948,12 +948,172 @@ var GatewayDiscovery = class {
 };
 
 // src/transport.ts
+var MAX_WS_PAYLOAD_SIZE = 1e6;
 var _noopLog3 = { error: () => {
 }, warn: () => {
 }, info: () => {
 }, debug: () => {
 } };
 var _rpcIdCounter = 0;
+var TRACE_SPAN_DETAIL_FIELDS = [
+  "method",
+  "route",
+  "namespace",
+  "instance_id",
+  "aid",
+  "caller_aid",
+  "peer_aid",
+  "to_aid",
+  "from_aid",
+  "group_id",
+  "message_id",
+  "event",
+  "status",
+  "error_code",
+  "error_msg",
+  "found",
+  "delivered_count",
+  "success",
+  "created",
+  "connection_id",
+  "device_id",
+  "slot_id",
+  "key_source",
+  "spk_id",
+  "curve",
+  "lifecycle_state",
+  "auth_method"
+];
+function sortTraceSpansForDisplay(spans) {
+  const indexed = spans.map((span, idx) => ({ idx, span })).filter(({ span }) => span !== null && typeof span === "object");
+  indexed.sort((a, b) => {
+    const stageA = _spanStage(a.span);
+    const stageB = _spanStage(b.span);
+    if (stageA !== stageB) return stageA - stageB;
+    return a.idx - b.idx;
+  });
+  return indexed.map(({ span }) => span);
+}
+function _spanStage(span) {
+  const node = String(span.node ?? "");
+  const action = String(span.action ?? "process");
+  if (node === "sdk" && action === "send") return 0;
+  if (node === "gateway" && (action === "relay_in" || action === "enter")) return 10;
+  if (node === "gateway" && (action === "relay_out" || action === "exit")) return 90;
+  if (node === "sdk" && action === "recv") return 100;
+  return 50;
+}
+function traceLogicalOffsets(spans) {
+  let totalMs = null;
+  for (const span of spans) {
+    if (span.node === "sdk" && span.action === "recv") {
+      const ms = span.ms;
+      if (typeof ms === "number" && ms >= 0) {
+        totalMs = Math.round(ms);
+        break;
+      }
+    }
+  }
+  const serverTs = [];
+  for (const span of spans) {
+    if (span.node !== "sdk" && typeof span.ts === "number" && span.ts > 0) {
+      serverTs.push(Math.round(span.ts));
+    }
+  }
+  const serverMin = serverTs.length > 0 ? Math.min(...serverTs) : null;
+  const serverMax = serverTs.length > 0 ? Math.max(...serverTs) : null;
+  const serverDur = serverMin !== null && serverMax !== null ? serverMax - serverMin : 0;
+  let serverBase;
+  let serverScale;
+  if (totalMs !== null && serverMin !== null) {
+    if (serverDur > totalMs && serverDur > 0) {
+      serverBase = 0;
+      serverScale = totalMs / serverDur;
+    } else {
+      serverBase = Math.max(0, totalMs - serverDur);
+      serverScale = 1;
+    }
+  } else {
+    serverBase = 0;
+    serverScale = 1;
+  }
+  const offsets = [];
+  let lastOffset = 0;
+  for (let idx = 0; idx < spans.length; idx++) {
+    const span = spans[idx];
+    const node = span.node;
+    const action = span.action;
+    const ts = span.ts;
+    let offset;
+    if (node === "sdk" && action === "send") {
+      offset = 0;
+    } else if (node === "sdk" && action === "recv" && totalMs !== null) {
+      offset = totalMs;
+    } else if (node !== "sdk" && serverMin !== null && typeof ts === "number" && ts > 0) {
+      offset = Math.round(serverBase + (Math.round(ts) - serverMin) * serverScale);
+    } else {
+      offset = idx === 0 ? 0 : lastOffset;
+    }
+    if (offset < lastOffset) offset = lastOffset;
+    offsets.push(offset);
+    lastOffset = offset;
+  }
+  return offsets;
+}
+function formatTraceFields(span) {
+  const parts = [];
+  for (const key of TRACE_SPAN_DETAIL_FIELDS) {
+    const value = span[key];
+    if (value === void 0 || value === null || value === "") continue;
+    let s = String(value);
+    if (s.length > 48) s = s.slice(0, 45) + "...";
+    parts.push(`${key}=${s}`);
+  }
+  return parts.join(" ");
+}
+function formatTraceTree(spans) {
+  if (!spans || spans.length === 0) return "";
+  const sortedSpans = sortTraceSpansForDisplay(spans);
+  const offsets = traceLogicalOffsets(sortedSpans);
+  const lines = [];
+  const stack = [];
+  for (let idx = 0; idx < sortedSpans.length; idx++) {
+    const span = sortedSpans[idx];
+    const node = String(span.node ?? "?");
+    const action = String(span.action ?? "process");
+    const timePart = ` +${offsets[idx]}ms`;
+    if (action === "enter") {
+      const indent = "  ".repeat(stack.length);
+      const fieldsStr = formatTraceFields(span);
+      const detail = fieldsStr ? ` ${fieldsStr}` : "";
+      lines.push(`${indent}\u251C\u2500 ${node}.enter${detail}${timePart}`);
+      stack.push({ node, span });
+    } else if (action === "exit") {
+      if (stack.length > 0 && stack[stack.length - 1].node === node) {
+        stack.pop();
+      }
+      const indent = "  ".repeat(stack.length);
+      const dur = span.ms ?? 0;
+      const fieldsStr = formatTraceFields(span);
+      const detail = fieldsStr ? ` ${fieldsStr}` : "";
+      lines.push(`${indent}\u2514\u2500 ${node}.exit${detail} dur=${dur}ms${timePart}`);
+    } else {
+      const indent = "  ".repeat(stack.length);
+      const fieldsStr = formatTraceFields(span);
+      const dur = span.ms;
+      const durPart = dur !== void 0 && dur !== null ? ` dur=${dur}ms` : "";
+      const detail = fieldsStr ? ` ${fieldsStr}` : "";
+      lines.push(`${indent}\u251C\u2500 ${node}.${action}${detail}${durPart}${timePart}`);
+    }
+  }
+  return lines.join("\n");
+}
+function traceDisplay(method, status, durationMs, trace, spans) {
+  const tree = formatTraceTree(spans);
+  const header = `[TRACE][${method}][${status}] total=${durationMs}ms trace_id=${String(trace.trace_id ?? "")}`;
+  return tree ? `${header}
+${tree}` : header;
+}
 var EVENT_NAME_MAP = {
   "message.received": "message.received",
   "message.recalled": "message.recalled",
@@ -1048,6 +1208,10 @@ var RPCTransport = class {
     // Gateway 在 RPC envelope 注入 _meta 字段（与 result 同级），由 client 层 observer 接收。
     // 注入失败 / 字段缺失时 observer 不会被调用，不影响业务路径。
     __publicField(this, "_metaObserver", null);
+    // Trace 模式：off / log / diag
+    __publicField(this, "_traceMode", "off");
+    // Trace observer：observer(traceInfo) 在每次 RPC/事件携带 _trace 时调用
+    __publicField(this, "_traceObserver", null);
     this._dispatcher = opts.eventDispatcher;
     this._timeout = opts.timeout ?? 10;
     this._onDisconnect = opts.onDisconnect ?? null;
@@ -1068,6 +1232,17 @@ var RPCTransport = class {
   setMetaObserver(observer) {
     this._metaObserver = observer;
   }
+  /** 设置 trace 模式：off / log / diag */
+  setTraceMode(mode) {
+    if (mode !== "off" && mode !== "log" && mode !== "diag") {
+      throw new ValidationError(`invalid trace mode: ${mode}, must be off/log/diag`);
+    }
+    this._traceMode = mode;
+  }
+  /** 注册 trace observer；observer(traceInfo) 在每次 RPC/事件携带 _trace 时调用。 */
+  setTraceObserver(observer) {
+    this._traceObserver = observer;
+  }
   /** 获取连接时收到的 challenge */
   get challenge() {
     return this._challenge;
@@ -1156,24 +1331,43 @@ var RPCTransport = class {
    * 发起 JSON-RPC 2.0 调用。
    * 返回 result 字段的值；若有 error 字段则抛出映射后的错误。
    */
-  async call(method, params, timeout) {
+  async call(method, params, timeout, trace) {
     if (this._closed || !this._ws) {
       throw new ConnectionError("transport not connected");
     }
     const rpcId = `rpc-${String(++_rpcIdCounter).padStart(6, "0")}`;
     const effectiveTimeout = (timeout ?? this._timeout) * 1e3;
     const tStart = Date.now();
+    const effectiveTraceMode = trace === "off" || trace === "log" || trace === "diag" ? trace : this._traceMode;
+    let traceId = "";
+    let sendParams = params ?? {};
+    if (effectiveTraceMode !== "off") {
+      traceId = typeof crypto !== "undefined" && crypto.randomUUID ? crypto.randomUUID().replace(/-/g, "") : Array.from({ length: 32 }, () => Math.floor(Math.random() * 16).toString(16)).join("");
+      sendParams = { ...params ?? {} };
+      const tracePayload = { trace_id: traceId, mode: effectiveTraceMode };
+      if (effectiveTraceMode === "diag") {
+        tracePayload.spans = [{ node: "sdk", ts: tStart, action: "send" }];
+      }
+      sendParams._trace = tracePayload;
+      this._log.info(`[trace=${traceId}] rpc_send method=${method} rpc_id=${rpcId}`);
+    }
     const promise = new Promise((resolve, reject) => {
       this._pending.set(rpcId, { resolve, reject });
     });
+    const payload = JSON.stringify({
+      jsonrpc: "2.0",
+      id: rpcId,
+      method,
+      params: sendParams
+    });
+    const payloadSize = new TextEncoder().encode(payload).length;
+    if (payloadSize > MAX_WS_PAYLOAD_SIZE) {
+      this._pending.delete(rpcId);
+      throw new ValidationError("payload is too large");
+    }
     try {
-      this._ws.send(JSON.stringify({
-        jsonrpc: "2.0",
-        id: rpcId,
-        method,
-        params: params ?? {}
-      }));
-      this._log.debug(`RPC request sent: method=${method}, id=${rpcId} ${summarizeDict(params, DIAG_PARAM_FIELDS)}`);
+      this._ws.send(payload);
+      this._log.debug(`RPC request sent: method=${method}, id=${rpcId} ${summarizeDict(sendParams, DIAG_PARAM_FIELDS)}`);
     } catch (exc) {
       this._pending.delete(rpcId);
       this._log.error(`RPC send failed: method=${method}, id=${rpcId}, error=${String(exc)}`, exc instanceof Error ? exc : void 0);
@@ -1192,12 +1386,22 @@ var RPCTransport = class {
       const elapsed = Date.now() - tStart;
       if (response.error !== void 0) {
         this._log.debug(`RPC error response: method=${method}, id=${rpcId}, elapsed=${elapsed}ms, error=${JSON.stringify(response.error)}`);
+        if (traceId) {
+          this._log.info(`[trace=${traceId}] rpc_recv method=${method} rpc_id=${rpcId} duration_ms=${elapsed} status=error`);
+        }
+        const respTrace2 = response._trace;
+        if (respTrace2 && typeof respTrace2 === "object" && !Array.isArray(respTrace2)) {
+          this._handleResponseTrace(method, "error", elapsed, respTrace2);
+        }
         throw mapRemoteError(response.error);
       }
       if (response.result === void 0) {
         throw new SerializationError(`rpc response missing result and error: ${method}`);
       }
       this._log.debug(`RPC response ok: method=${method}, id=${rpcId}, elapsed=${elapsed}ms ${summarizeDict(response.result, DIAG_RESULT_FIELDS)}`);
+      if (traceId) {
+        this._log.info(`[trace=${traceId}] rpc_recv method=${method} rpc_id=${rpcId} duration_ms=${elapsed} status=ok`);
+      }
       if (this._metaObserver !== null) {
         const meta = response._meta;
         if (isJsonObject(meta)) {
@@ -1208,6 +1412,10 @@ var RPCTransport = class {
           }
         }
       }
+      const respTrace = response._trace;
+      if (respTrace && typeof respTrace === "object" && !Array.isArray(respTrace)) {
+        this._handleResponseTrace(method, "ok", elapsed, respTrace);
+      }
       return response.result;
     } finally {
       if (timeoutHandle !== null) {
@@ -1215,6 +1423,26 @@ var RPCTransport = class {
       }
     }
   }
+  /** 处理 RPC 响应中的 _trace 字段：追加 sdk.recv span，格式化输出，通知 observer */
+  _handleResponseTrace(method, status, elapsedMs, respTrace) {
+    try {
+      const sdkRecvSpan = {
+        node: "sdk",
+        ts: Date.now(),
+        action: "recv",
+        ms: elapsedMs
+      };
+      const existingSpans = Array.isArray(respTrace.spans) ? respTrace.spans : [];
+      const spans = [...existingSpans, sdkRecvSpan];
+      const enriched = { ...respTrace, spans };
+      this._log.info(traceDisplay(method, status, elapsedMs, respTrace, spans));
+      if (this._traceObserver !== null) {
+        this._traceObserver({ type: "rpc", method, trace: enriched, status, duration_ms: elapsedMs });
+      }
+    } catch (err) {
+      this._log.debug(`trace handling raised: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
   // ── 内部消息处理 ──────────────────────────────────
   _handleMessage(data) {
     try {
@@ -1262,7 +1490,22 @@ var RPCTransport = class {
       const protocolEvent = method.slice(6);
       const sdkEvent = EVENT_NAME_MAP[protocolEvent] ?? protocolEvent;
       this._log.debug(`event recv: event=${sdkEvent} ${summarizeDict(message.params, DIAG_RESULT_FIELDS)}`);
-      this._dispatcher.publish(`_raw.${sdkEvent}`, message.params ?? {});
+      const params = message.params ?? {};
+      if ("_trace" in params) {
+        const eventTrace = params._trace;
+        delete params._trace;
+        if (eventTrace && typeof eventTrace === "object" && !Array.isArray(eventTrace)) {
+          if (this._traceObserver !== null) {
+            try {
+              this._traceObserver({ type: "event", event: sdkEvent, trace: eventTrace });
+            } catch {
+            }
+          }
+          const traceObj = eventTrace;
+          this._log.info(`[trace=${String(traceObj.trace_id ?? "")}] event_recv event=${sdkEvent}`);
+        }
+      }
+      this._dispatcher.publish(`_raw.${sdkEvent}`, params);
       return;
     }
     this._log.debug(`notification recv: method=${method || "<no-method>"}`);
@@ -2024,15 +2267,18 @@ var _AuthFlow = class _AuthFlow {
           const msg = typeof event.data === "string" ? JSON.parse(event.data) : event.data;
           if (!receivedChallenge) {
             receivedChallenge = true;
-            ws.send(JSON.stringify({
+            const requestPayload = JSON.stringify({
               jsonrpc: "2.0",
               id: `pre-${method}`,
               method,
               params
-            }));
+            });
+            this._log.debug(`short RPC request full: ${requestPayload}`);
+            ws.send(requestPayload);
             return;
           }
           globalThis.clearTimeout(timeout);
+          this._log.debug(`short RPC response full: method=${method} ${JSON.stringify(msg)}`);
           try {
             ws.close();
           } catch {
@@ -2834,8 +3080,7 @@ var SeqTracker = class {
       if (s < minSeq) minSeq = s;
     }
     if (minSeq === Infinity) return;
-    t.contiguousSeq = minSeq;
-    t.receivedSeqs.delete(minSeq);
+    t.contiguousSeq = minSeq - 1;
     for (const [key, probe] of t.pendingGaps) {
       if (probe.gapEnd <= t.contiguousSeq) {
         t.pendingGaps.delete(key);
@@ -3070,6 +3315,59 @@ function extractCommonNameFromCertPem(certPem) {
     return "";
   }
 }
+function parseCertValidity(certPem) {
+  try {
+    const der = new Uint8Array(pemToArrayBuffer(certPem));
+    const dates = [];
+    for (let i = 0; i < der.length - 2 && dates.length < 2; i++) {
+      const tag = der[i];
+      if (tag !== 23 && tag !== 24) continue;
+      const len = der[i + 1];
+      if (len === 0 || len > 20 || i + 2 + len > der.length) continue;
+      const str = new TextDecoder().decode(der.slice(i + 2, i + 2 + len));
+      const ts = parseAsn1Time2(tag, str);
+      if (ts !== null) {
+        dates.push(ts);
+        i += 1 + len;
+      }
+    }
+    if (dates.length >= 2) {
+      return { notBefore: dates[0], notAfter: dates[1] };
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function parseAsn1Time2(tag, str) {
+  try {
+    if (tag === 23) {
+      const cleaned = str.replace(/Z$/i, "");
+      if (cleaned.length < 12) return null;
+      let year = parseInt(cleaned.slice(0, 2), 10);
+      year += year >= 50 ? 1900 : 2e3;
+      const month = parseInt(cleaned.slice(2, 4), 10) - 1;
+      const day = parseInt(cleaned.slice(4, 6), 10);
+      const hour = parseInt(cleaned.slice(6, 8), 10);
+      const min = parseInt(cleaned.slice(8, 10), 10);
+      const sec = parseInt(cleaned.slice(10, 12), 10);
+      return Date.UTC(year, month, day, hour, min, sec);
+    } else if (tag === 24) {
+      const cleaned = str.replace(/Z$/i, "");
+      if (cleaned.length < 14) return null;
+      const year = parseInt(cleaned.slice(0, 4), 10);
+      const month = parseInt(cleaned.slice(4, 6), 10) - 1;
+      const day = parseInt(cleaned.slice(6, 8), 10);
+      const hour = parseInt(cleaned.slice(8, 10), 10);
+      const min = parseInt(cleaned.slice(10, 12), 10);
+      const sec = parseInt(cleaned.slice(12, 14), 10);
+      return Date.UTC(year, month, day, hour, min, sec);
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
 async function fetchWithTimeout(input, init, timeoutMs = AGENT_MD_HTTP_TIMEOUT_MS) {
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), timeoutMs);
@@ -3535,6 +3833,162 @@ var AuthNamespace = class {
       throw err;
     }
   }
+  /**
+   * 检查指定 AID 的本地和远程状态。
+   * 与 Python SDK namespaces/auth_namespace.py:check_aid 对应。
+   */
+  async checkAid(params) {
+    const tStart = Date.now();
+    const aid = String(params?.aid ?? "").trim();
+    if (!aid) throw new ValidationError("auth.check_aid requires 'aid'");
+    this._log.debug(`checkAid enter: aid=${aid}`);
+    try {
+      const result = await this._checkLocalAid(aid);
+      const local = result.local;
+      if (!local?.complete) {
+        const remote = await this._checkRemoteAidRegistration(aid);
+        result.remote = remote;
+        const remoteStatus = remote?.status;
+        if (remoteStatus === "available") {
+          result.status = "available";
+          result.can_register = true;
+        } else if (remoteStatus === "registered") {
+          result.status = "registered_remote";
+          result.can_register = false;
+        } else {
+          result.status = "unknown";
+          result.can_register = false;
+        }
+      }
+      this._log.debug(`checkAid exit: elapsed=${Date.now() - tStart}ms aid=${aid} status=${String(result.status)}`);
+      return result;
+    } catch (err) {
+      this._log.debug(`checkAid exit (error): elapsed=${Date.now() - tStart}ms aid=${aid} err=${err instanceof Error ? err.message : String(err)}`);
+      throw err;
+    }
+  }
+  async _checkLocalAid(aid) {
+    const client = this._internal;
+    const ks = client._keystore;
+    const identity = await client._auth.loadIdentityOrNone(aid);
+    let keyPair = null;
+    let keyError = "";
+    try {
+      if (ks && typeof ks.loadKeyPair === "function") {
+        keyPair = await ks.loadKeyPair(aid);
+      }
+    } catch (e) {
+      keyError = e instanceof Error ? e.message : String(e);
+    }
+    let certPem = null;
+    let certError = "";
+    try {
+      if (ks && typeof ks.loadCert === "function") {
+        certPem = await ks.loadCert(aid);
+      }
+    } catch (e) {
+      certError = e instanceof Error ? e.message : String(e);
+    }
+    const privateKeyPresent = !!(keyPair && keyPair.private_key_pem);
+    const publicKeyPresent = !!(keyPair && keyPair.public_key_der_b64);
+    const certPresent = !!certPem;
+    const certInfo = certPresent ? await this._inspectCertBrowser(aid, certPem) : { present: false, valid: false, expired: false };
+    const certValid = !!certInfo.valid;
+    const localComplete = privateKeyPresent && publicKeyPresent && certPresent && certValid;
+    const issues = [];
+    if (!identity) issues.push("local identity not found");
+    if (!privateKeyPresent) issues.push("private key missing");
+    if (!publicKeyPresent) issues.push("public key missing");
+    if (!certPresent) {
+      issues.push("certificate missing");
+    } else if (certInfo.parse_error) {
+      issues.push(`certificate invalid: ${certInfo.parse_error}`);
+    } else if (certInfo.expired) {
+      issues.push("certificate expired");
+    } else if (!certValid) {
+      issues.push("certificate not currently valid");
+    }
+    if (keyError) issues.push(`key load error: ${keyError}`);
+    if (certError) issues.push(`certificate load error: ${certError}`);
+    return {
+      aid,
+      status: localComplete ? "local_ready" : "local_incomplete",
+      can_register: localComplete ? false : null,
+      local: {
+        exists: identity !== null,
+        complete: localComplete,
+        private_key: privateKeyPresent,
+        public_key: publicKeyPresent,
+        certificate: certInfo,
+        issues
+      },
+      remote: {
+        status: localComplete ? "not_checked" : "pending"
+      }
+    };
+  }
+  /** 浏览器环境证书检查（无 node:crypto X509Certificate） */
+  async _inspectCertBrowser(aid, certPem) {
+    const result = { present: true, valid: false, expired: false };
+    try {
+      const fingerprint = await certificateSha256Fingerprint(certPem);
+      const cn = extractCommonNameFromCertPem(certPem);
+      const aidMatches = !cn || cn === aid;
+      const validity = parseCertValidity(certPem);
+      if (validity) {
+        const now = Date.now();
+        const valid = now >= validity.notBefore && now <= validity.notAfter && aidMatches;
+        const expired = now > validity.notAfter;
+        result.valid = valid;
+        result.expired = expired;
+        result.not_before = new Date(validity.notBefore).toISOString();
+        result.not_after = new Date(validity.notAfter).toISOString();
+        result.expires_at = Math.floor(validity.notAfter / 1e3);
+        result.seconds_until_expiry = Math.floor((validity.notAfter - now) / 1e3);
+      } else {
+        result.valid = aidMatches;
+      }
+      result.fingerprint = fingerprint;
+      result.subject_cn = cn;
+      result.aid_matches = aidMatches;
+      if (cn && cn !== aid) {
+        result.valid = false;
+        result.parse_error = `certificate CN mismatch: ${cn}`;
+      }
+    } catch (e) {
+      result.parse_error = e instanceof Error ? e.message : String(e);
+    }
+    return result;
+  }
+  async _checkRemoteAidRegistration(aid) {
+    try {
+      const content = await this.downloadAgentMd(aid);
+      return {
+        status: "registered",
+        registered: true,
+        available: false,
+        source: "agent.md",
+        agent_md_bytes: new TextEncoder().encode(content).length,
+        agent_md_aid: extractAgentMDAid(content)
+      };
+    } catch (err) {
+      if (err instanceof NotFoundError) {
+        return {
+          status: "available",
+          registered: false,
+          available: true,
+          source: "agent.md"
+        };
+      }
+      return {
+        status: "unknown",
+        registered: null,
+        available: null,
+        source: "agent.md",
+        error: err instanceof Error ? err.message : String(err)
+      };
+    }
+  }
 };
 
 // src/namespaces/custody.ts
@@ -6045,6 +6499,67 @@ var V2KeyStore = class _V2KeyStore {
       req.onerror = () => reject(req.error);
     });
   }
+  // ---------- Group SPK ----------
+  static _groupSpkKeyId(groupId, spkId) {
+    return `${groupId}\0${spkId}`;
+  }
+  async saveGroupSPK(deviceId, groupId, spkId, priv, pubDer) {
+    const record = {
+      device_id: deviceId,
+      key_type: "group_spk",
+      key_id: _V2KeyStore._groupSpkKeyId(groupId, spkId),
+      private_key: priv,
+      public_key: pubDer,
+      created_at: Date.now()
+    };
+    return new Promise((resolve, reject) => {
+      const req = this.store("readwrite").put(record);
+      req.onsuccess = () => resolve();
+      req.onerror = () => reject(req.error);
+    });
+  }
+  async loadGroupSPK(deviceId, groupId, spkId) {
+    const keyId = _V2KeyStore._groupSpkKeyId(groupId, spkId);
+    return new Promise((resolve, reject) => {
+      const req = this.store("readonly").get([deviceId, "group_spk", keyId]);
+      req.onsuccess = () => {
+        const r = req.result;
+        resolve(r ? new Uint8Array(r.private_key) : null);
+      };
+      req.onerror = () => reject(req.error);
+    });
+  }
+  /** 取指定群最新 group SPK（按 created_at DESC，key_id 前缀匹配）。 */
+  async loadCurrentGroupSPK(deviceId, groupId) {
+    const prefix = `${groupId}\0`;
+    return new Promise((resolve, reject) => {
+      const idx = this.store("readonly").index(V2_INDEX_BY_DEVICE_TYPE_CREATED);
+      const range = IDBKeyRange.bound(
+        [deviceId, "group_spk", -Infinity],
+        [deviceId, "group_spk", Infinity]
+      );
+      const req = idx.openCursor(range, "prev");
+      req.onsuccess = () => {
+        const cursor = req.result;
+        if (!cursor) {
+          resolve(null);
+          return;
+        }
+        const r = cursor.value;
+        if (r.key_id.startsWith(prefix)) {
+          const spkId = r.key_id.slice(prefix.length);
+          resolve({
+            spkId,
+            priv: new Uint8Array(r.private_key),
+            pubDer: new Uint8Array(r.public_key)
+          });
+        } else {
+          cursor.continue();
+        }
+      };
+      req.onerror = () => reject(req.error);
+    });
+  }
   // ---------- IK ----------
   async saveIK(deviceId, priv, pubDer) {
     const record = {
@@ -8713,7 +9228,7 @@ async function computeRecipientsDigest(rows) {
 
 // src/v2/session/session.ts
 var PEER_KEY_CACHE_TTL_MS = 60 * 60 * 1e3;
-var DESTROY_DELAY_MS = 7 * 60 * 60 * 1e3;
+var DESTROY_DELAY_MS = 7 * 24 * 60 * 60 * 1e3;
 var RECENT_GENERATIONS = 7;
 var HARD_LIMIT_MS = 180 * 24 * 60 * 60 * 1e3;
 async function sha256Hex(data) {
@@ -8750,6 +9265,8 @@ var V2Session = class {
     __publicField(this, "_spkPriv");
     __publicField(this, "_spkPubDer");
     __publicField(this, "_registered", false);
+    __publicField(this, "_lastUploadedSPKId", "");
+    __publicField(this, "_lastUploadedGroupSPKIds", /* @__PURE__ */ new Map());
     __publicField(this, "_peerIKCache", /* @__PURE__ */ new Map());
     __publicField(this, "_verifiedSPKs", /* @__PURE__ */ new Set());
     __publicField(this, "_oldSPKMaxSeq", /* @__PURE__ */ new Map());
@@ -8829,6 +9346,7 @@ var V2Session = class {
     await this.ensureKeys();
     await this._registerSPK(callFn);
     this._registered = true;
+    this._lastUploadedSPKId = this._spkId;
   }
   /** 返回加密所需的 sender 结构。 */
   async getSenderIdentity() {
@@ -8868,11 +9386,11 @@ var V2Session = class {
     }
   }
   /**
-   * contig_seq 已覆盖、超过 7h 安全窗口、且不在最近 7 代保留窗口内时销毁。
+   * contig_seq 已覆盖、超过 7 天安全窗口、且不在最近 7 代保留窗口内时销毁。
    *
    * 销毁条件（全部满足才销毁）：
    * - contig_seq >= 该 SPK 引用的最大 seq
-   * - 自最后一次见到该 spk_id 引用 >= 7 小时
+   * - 自最后一次见到该 spk_id 引用 >= 7 天
    * - 不在最近 7 代 SPK 保留窗口内
    */
   async maybeDestroyOldSPKs(contigSeq) {
@@ -8920,6 +9438,76 @@ var V2Session = class {
   async rotateSPK(callFn) {
     await this._generateNewSPK();
     await this._registerSPK(callFn);
+    this._lastUploadedSPKId = this._spkId;
+  }
+  /** 判断 spkId 是否为本进程最后一次成功上传的 P2P SPK。 */
+  isLastUploadedSPK(spkId) {
+    return Boolean(spkId) && spkId === this._lastUploadedSPKId;
+  }
+  /** 判断 spkId 是否为本进程在该群最后一次成功上传的 group SPK。 */
+  isLastUploadedGroupSPK(groupId, spkId) {
+    if (!spkId) return false;
+    const gk = (groupId || "").trim();
+    return this._lastUploadedGroupSPKIds.get(gk) === spkId;
+  }
+  // ---------- Group SPK ----------
+  /** 确保指定群有独立 group SPK，返回 { spkId, priv, pubDer }。 */
+  async ensureGroupSPK(groupId) {
+    await this.ensureKeys();
+    const gk = (groupId || "").trim();
+    const existing = await this._store.loadCurrentGroupSPK(this._deviceId, gk);
+    if (existing) return existing;
+    const [priv, pubDer] = await generateP256Keypair();
+    const hex = await sha256Hex(pubDer);
+    const spkId = `sha256:${hex.substring(0, 16)}`;
+    await this._store.saveGroupSPK(this._deviceId, gk, spkId, priv, pubDer);
+    return { spkId, priv, pubDer };
+  }
+  /** 注册指定群的 group SPK。group 服务负责成员鉴权。 */
+  async ensureGroupRegistered(groupId, callFn) {
+    await this.ensureKeys();
+    const gk = (groupId || "").trim();
+    const { spkId, pubDer } = await this.ensureGroupSPK(gk);
+    await this._publishGroupSPK(gk, spkId, pubDer, callFn);
+  }
+  /** 轮换指定群的 group SPK，保留旧私钥用于缓存窗口内的历史 wrap 解密。 */
+  async rotateGroupSPK(groupId, callFn) {
+    await this.ensureKeys();
+    const gk = (groupId || "").trim();
+    const [priv, pubDer] = await generateP256Keypair();
+    const hex = await sha256Hex(pubDer);
+    const spkId = `sha256:${hex.substring(0, 16)}`;
+    await this._store.saveGroupSPK(this._deviceId, gk, spkId, priv, pubDer);
+    await this._publishGroupSPK(gk, spkId, pubDer, callFn);
+    return { spkId, priv, pubDer };
+  }
+  /** 群消息解密优先查 group SPK；找不到时 fallback 旧 P2P SPK 兼容历史消息。 */
+  async getGroupDecryptKeys(groupId, spkId) {
+    await this.ensureKeys();
+    const gk = (groupId || "").trim();
+    if (!spkId) return { ikPriv: this._ikPriv };
+    const groupSpk = await this._store.loadGroupSPK(this._deviceId, gk, spkId);
+    if (groupSpk) return { ikPriv: this._ikPriv, spkPriv: groupSpk };
+    return this.getDecryptKeys(spkId);
+  }
+  async _publishGroupSPK(groupId, spkId, spkPubDer, callFn) {
+    const spkTimestamp = Math.floor(this._nowFn() / 1e3);
+    const enc = new TextEncoder();
+    const signData = concatBytes3(
+      spkPubDer,
+      enc.encode(spkId),
+      enc.encode(String(spkTimestamp))
+    );
+    const signature = await ecdsaSignRaw(this._ikPriv, signData);
+    await callFn("group.v2.put_group_pk", {
+      group_id: groupId,
+      key_source: "group_device_prekey",
+      spk_id: spkId,
+      spk_pk: bytesToBase64(spkPubDer),
+      spk_signature: bytesToBase64(signature),
+      spk_timestamp: spkTimestamp
+    });
+    this._lastUploadedGroupSPKIds.set(groupId, spkId);
   }
   cachePeerIK(peerAid, deviceId, ikPubDer) {
     this._peerIKCache.set(`${peerAid}#${deviceId}`, {
@@ -10522,6 +11110,12 @@ var _AUNClient = class _AUNClient {
         } catch (exc) {
           this._clientLog.debug(`V2 post-membership propose failed (non-fatal): group=${groupId} err=${formatCaughtError(exc)}`);
         }
+        if (method === "group.create" || method === "group.use_invite_code") {
+          const callFn = async (m, ps) => this.call(m, ps);
+          this._v2Session.ensureGroupRegistered?.(groupId, callFn)?.catch((exc) => {
+            this._clientLog.debug(`group SPK registration after ${method} failed (non-fatal): group=${groupId} err=${exc}`);
+          });
+        }
       }
     }
     if (method === "message.pull" && isJsonObject(result)) {
@@ -11175,6 +11769,29 @@ var _AUNClient = class _AUNClient {
         if (groupId) {
           this._v2BootstrapCache.delete(`group:${groupId}`);
         }
+        if (this._v2Session && groupId) {
+          const membershipActions = /* @__PURE__ */ new Set([
+            "member_added",
+            "member_left",
+            "member_removed",
+            "role_changed",
+            "owner_transferred",
+            "joined",
+            "join_approved"
+          ]);
+          if (membershipActions.has(action)) {
+            const callFn = async (method, params) => this.call(method, params);
+            if (action === "joined" || action === "join_approved") {
+              this._v2Session.ensureGroupRegistered?.(groupId, callFn)?.catch((exc) => {
+                this._clientLog.debug(`group SPK registration failed (non-fatal): group=${groupId} action=${action} err=${exc}`);
+              });
+            } else {
+              this._v2Session.rotateGroupSPK?.(groupId, callFn)?.catch((exc) => {
+                this._clientLog.debug(`group SPK rotation failed (non-fatal): group=${groupId} action=${action} err=${exc}`);
+              });
+            }
+          }
+        }
         if (groupId && action === "upsert" && this._v2Session) {
           this._safeAsync(this._v2AutoProposeState(groupId, { leaderDelay: true }));
         }
@@ -12963,12 +13580,17 @@ var _AUNClient = class _AUNClient {
     if (seq <= 0) return { acked: 0 };
     const raw = await this.call("message.v2.ack", { up_to_seq: seq });
     const result = isJsonObject(raw) ? { ...raw } : { result: raw };
-    result.ack_seq = seq;
+    let actualAckSeq = seq;
+    if ("effective_ack_seq" in result) actualAckSeq = Number(result.effective_ack_seq ?? 0);
+    else if ("ack_seq" in result) actualAckSeq = Number(result.ack_seq ?? 0);
+    else if ("cursor" in result) actualAckSeq = Number(result.cursor ?? 0);
+    if (!Number.isFinite(actualAckSeq)) actualAckSeq = seq;
+    result.ack_seq = actualAckSeq;
     result.success = true;
-    if (Number(result.acked ?? 0) === 0) result.acked = seq;
+    if (Number(result.acked ?? 0) === 0) result.acked = actualAckSeq;
     if (this._v2Session) {
       try {
-        const destroyed = await this._v2Session.maybeDestroyOldSPKs(seq);
+        const destroyed = await this._v2Session.maybeDestroyOldSPKs(actualAckSeq);
         if (destroyed.length > 0) {
           this._clientLog.info(`V2 destroyed old SPKs after ack: ${destroyed.slice(0, 3)} (PFS)`);
         }
@@ -12992,15 +13614,44 @@ var _AUNClient = class _AUNClient {
       return null;
     }
     let spkId = "";
+    let recipientKeySource = "";
     const recipientObj = envelope.recipient;
     if (recipientObj && typeof recipientObj === "object") {
       spkId = String(recipientObj.spk_id ?? "");
+      recipientKeySource = String(recipientObj.key_source ?? "");
     } else if (Array.isArray(envelope.recipients)) {
       spkId = String(msg.spk_id ?? "");
+      if (!spkId) {
+        for (const row of envelope.recipients) {
+          if (Array.isArray(row) && row.length >= 6 && row[0] === this._aid && row[1] === this._deviceId) {
+            spkId = String(row[5] ?? "");
+            recipientKeySource = row.length > 3 ? String(row[3] ?? "") : "";
+            break;
+          }
+        }
+      } else {
+        for (const row of envelope.recipients) {
+          if (Array.isArray(row) && row.length >= 6 && row[0] === this._aid && row[1] === this._deviceId) {
+            recipientKeySource = row.length > 3 ? String(row[3] ?? "") : "";
+            break;
+          }
+        }
+      }
+    }
+    const aad = isJsonObject(envelope.aad) ? envelope.aad : {};
+    const groupIdForKeys = String(msg.group_id ?? aad.group_id ?? envelope.group_id ?? "").trim();
+    let ikPriv;
+    let spkPriv;
+    if (groupIdForKeys) {
+      const keys = await session.getGroupDecryptKeys(groupIdForKeys, spkId);
+      ikPriv = keys.ikPriv;
+      spkPriv = keys.spkPriv;
+    } else {
+      const keys = await session.getDecryptKeys(spkId);
+      ikPriv = keys.ikPriv;
+      spkPriv = keys.spkPriv;
     }
-    const { ikPriv, spkPriv } = await session.getDecryptKeys(spkId);
     const fromAid = String(msg.from_aid ?? "");
-    const aad = envelope.aad ?? {};
     const senderDeviceId = String(aad.from_device ?? "");
     const senderPubDer = await this._getV2SenderPubDer(fromAid, senderDeviceId);
     if (!senderPubDer) {
@@ -13040,14 +13691,20 @@ var _AUNClient = class _AUNClient {
       return null;
     }
     if (plaintext == null) return null;
-    if (session.isCurrentSPK(spkId)) {
-      queueMicrotask(() => {
-        const callFn = async (method, params) => {
-          return this.call(method, params);
-        };
-        session.rotateSPK(callFn).catch((exc) => {
-          this._clientLog.warn(`V2 SPK rotation failed (non-fatal): ${String(exc)}`);
-        });
+    if (groupIdForKeys && recipientKeySource === "group_device_prekey" && session.isLastUploadedGroupSPK(groupIdForKeys, spkId)) {
+      const callFn = async (method, params) => this.call(method, params);
+      session.rotateGroupSPK(groupIdForKeys, callFn).catch((exc) => {
+        this._clientLog.debug(`V2 group SPK rotation failed (non-fatal): group=${groupIdForKeys} err=${exc}`);
+      });
+    } else if (groupIdForKeys && recipientKeySource === "peer_device_prekey") {
+      const callFn = async (method, params) => this.call(method, params);
+      session.ensureGroupRegistered(groupIdForKeys, callFn).catch((exc) => {
+        this._clientLog.debug(`V2 group SPK registration after peer fallback failed (non-fatal): group=${groupIdForKeys} err=${exc}`);
+      });
+    } else if (!groupIdForKeys && session.isLastUploadedSPK(spkId)) {
+      const callFn = async (method, params) => this.call(method, params);
+      session.rotateSPK(callFn).catch((exc) => {
+        this._clientLog.debug(`V2 SPK rotation failed (non-fatal): ${exc}`);
       });
     }
     return {
@@ -13563,19 +14220,32 @@ var _AUNClient = class _AUNClient {
     const session = this._v2Session;
     if (!session || !opts.envelope) return null;
     let spkId = "";
+    let recipientKeySource = "";
     const recipients = opts.envelope.recipients;
     if (Array.isArray(recipients)) {
       for (const row of recipients) {
         if (Array.isArray(row) && row.length >= 6) {
           if (row[0] === this._aid && row[1] === this._deviceId) {
             spkId = String(row[5] ?? "");
+            recipientKeySource = row.length > 3 ? String(row[3] ?? "") : "";
             break;
           }
         }
       }
     }
-    const { ikPriv, spkPriv } = await session.getDecryptKeys(spkId);
     const aad = opts.envelope.aad ?? {};
+    const groupIdForKeys = String(aad.group_id ?? opts.envelope.group_id ?? "").trim();
+    let ikPriv;
+    let spkPriv;
+    if (groupIdForKeys) {
+      const keys = await session.getGroupDecryptKeys(groupIdForKeys, spkId);
+      ikPriv = keys.ikPriv;
+      spkPriv = keys.spkPriv;
+    } else {
+      const keys = await session.getDecryptKeys(spkId);
+      ikPriv = keys.ikPriv;
+      spkPriv = keys.spkPriv;
+    }
     const fromAid = String(opts.fromAid || aad.from || "").trim();
     const senderDeviceId = String(aad.from_device ?? "");
     const senderPubDer = await this._getV2SenderPubDer(fromAid, senderDeviceId);
@@ -13584,7 +14254,7 @@ var _AUNClient = class _AUNClient {
       return null;
     }
     try {
-      return await decryptMessage(
+      const plaintext = await decryptMessage(
         opts.envelope,
         this._aid ?? "",
         this._deviceId,
@@ -13592,6 +14262,20 @@ var _AUNClient = class _AUNClient {
         spkPriv,
         senderPubDer
       );
+      if (plaintext != null) {
+        if (groupIdForKeys && recipientKeySource === "group_device_prekey" && session.isLastUploadedGroupSPK(groupIdForKeys, spkId)) {
+          const callFn = async (method, params) => this.call(method, params);
+          session.rotateGroupSPK(groupIdForKeys, callFn).catch((exc) => {
+            this._clientLog.debug(`V2 thought group SPK rotation failed (non-fatal): group=${groupIdForKeys} err=${exc}`);
+          });
+        } else if (groupIdForKeys && recipientKeySource === "peer_device_prekey") {
+          const callFn = async (method, params) => this.call(method, params);
+          session.ensureGroupRegistered(groupIdForKeys, callFn).catch((exc) => {
+            this._clientLog.debug(`V2 thought group SPK registration after peer fallback failed (non-fatal): group=${groupIdForKeys} err=${exc}`);
+          });
+        }
+      }
+      return plaintext;
     } catch (exc) {
       this._clientLog.warn(`V2 thought decrypt failed from=${fromAid}: ${String(exc)}`);
       return null;
@@ -14097,21 +14781,74 @@ var _AUNClient = class _AUNClient {
   }
   async _onV2PushNotification(data) {
     if (!this._v2Session) return;
+    const pushSeq = isJsonObject(data) ? Number(data.seq ?? 0) || 0 : 0;
+    const pushFrom = isJsonObject(data) ? String(data.from_aid ?? "") : "";
+    const pushMsgId = isJsonObject(data) ? String(data.message_id ?? "") : "";
+    const envelopeJson = isJsonObject(data) ? data.envelope_json : void 0;
+    const ns = this._aid ? `p2p:${this._aid}` : "";
+    let contigBefore = ns ? this._seqTracker.getContiguousSeq(ns) : 0;
+    this._clientLog.debug(
+      `_onV2PushNotification: push_seq=${pushSeq || "null"} push_from=${pushFrom} push_msg_id=${pushMsgId} has_payload=${!!envelopeJson} contiguous_seq=${contigBefore}`
+    );
+    if (envelopeJson && pushSeq > 0 && ns) {
+      try {
+        const decrypted = await this._decryptV2Message(data);
+        if (decrypted) {
+          this._seqTracker.onMessageSeq(ns, pushSeq);
+          if (pushSeq === contigBefore + 1) {
+            this._seqTracker.forceContiguousSeq(ns, pushSeq);
+          }
+          await this._publishOrderedMessage("message.received", ns, pushSeq, decrypted);
+          const newContig = this._seqTracker.getContiguousSeq(ns);
+          if (newContig !== contigBefore) {
+            this._saveSeqTrackerState();
+          }
+          if (newContig > 0 && newContig !== contigBefore) {
+            this._transport.call("message.v2.ack", { up_to_seq: newContig }).catch((e) => this._clientLog.debug(`V2 P2P push-ack failed: ${e}`));
+          }
+          this._clientLog.debug(
+            `_onV2PushNotification: push \u5E26 payload \u89E3\u5BC6\u6210\u529F, contiguous_seq=${contigBefore}->${newContig} push_seq=${pushSeq}`
+          );
+          return;
+        }
+      } catch (exc) {
+        this._clientLog.debug(`_onV2PushNotification: push payload \u89E3\u5BC6\u5931\u8D25, fallback to pull: ${exc}`);
+      }
+    }
+    if (pushSeq > 0 && ns) {
+      if (contigBefore >= pushSeq) {
+        this._clientLog.warn(
+          `_onV2PushNotification: contiguous_seq=${contigBefore} \u8D8A\u754C\uFF08>= push_seq=${pushSeq}\uFF09\uFF0C\u5F3A\u5236\u4FEE\u590D\u4E3A ${pushSeq - 1}`
+        );
+        this._seqTracker.forceContiguousSeq(ns, pushSeq - 1);
+        this._saveSeqTrackerState();
+        contigBefore = pushSeq - 1;
+      }
+      this._clientLog.debug(
+        `_onV2PushNotification: \u7EAF\u901A\u77E5 push_seq=${pushSeq} > contiguous_seq=${contigBefore}, \u89E6\u53D1 pull(after_seq=${contigBefore})`
+      );
+    }
     if (this._v2PullInflight) {
       this._v2PullPending = true;
       return;
     }
     this._v2PullInflight = true;
-    const ns = this._aid ? `p2p:${this._aid}` : "";
     const dedupKey = `p2p_pull:${ns}`;
     this._gapFillDone.add(dedupKey);
     try {
       do {
         this._v2PullPending = false;
         await this.pullV2();
+        const newContig = ns ? this._seqTracker.getContiguousSeq(ns) : -1;
+        this._clientLog.debug(
+          `_onV2PushNotification pull done: contiguous_seq=${contigBefore}->${newContig} (push_seq=${pushSeq || "null"})`
+        );
       } while (this._v2PullPending);
     } catch (exc) {
-      this._clientLog.warn(`V2 push auto-pull failed: ${exc}`);
+      const newContig = ns ? this._seqTracker.getContiguousSeq(ns) : -1;
+      this._clientLog.warn(
+        `V2 push auto-pull failed: contiguous_seq=${contigBefore}->${newContig} err=${exc}`
+      );
     } finally {
       this._v2PullInflight = false;
       this._gapFillDone.delete(dedupKey);